-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution] Prebuilt Rule Marked as Customized By Just Clicking "Edit rule settings" And Clicking Save Without Any Changes #203315
Comments
Pinging @elastic/security-solution (Team: SecuritySolution) |
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management) |
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
@dplumlee Could you please check this one too? |
Do you happen to know what rule package you have installed for this @pborgonovi? Going through these tickets, I'm pretty sure the bug is coming from this line of code when a rule doesn't have a base version to compare against. That's why it's only happening for certain rules - I'm not certain it's just due to the rule having an update. Some rules have updates AND the base version exists and this bug doesn't occur. @banderror @xcrzx any thoughts on how to solve this? I would imagine it gets fixed when the full package history is implemented but maybe having our fallback be labeling the rule as modified needs additional edge cases? Still thinking through it. |
@dplumlee When I ran these tests I had package version |
@dplumlee Do we have evidence for this? Can we reliably reproduce this bug for such rules? Can we reliably see that it doesn't occur for the other group? We need to know for sure. Also, we have a test |
@banderror yeah that's what I was using to get to this conclusion. The bug is definitely happening when rules don't have the base version, I've done some more thorough testing this morning. But when I take the following steps
I am unable to find a rule that gets marked as "Modified". If I go from, say, package version |
@dplumlee The new release package with historical versions for Kibana 8.17.0 is going to be released very soon, probably today. This should fix this bug, in general. But I would like us to also revisit this logic. Even when we have historical versions for all rules in general, what if for some reason (such as a bug in the package build process, or reaching the historical versions limit) some rule won't have a base version. Then, if user edits it as described in this ticket, or adds actions to it, it will be marked as customized, which IMO looks very confusing. @jpdjere @xcrzx @maximpn What do you think about it? Should we change this logic to be marking rules as not customized when base version is missing? Should we mark them as customized only in some cases, but not when the user edits a rule? Or should we keep it as is? The original reasoning from the RFC was: |
We can try to mitigate this issue. Rule's SO has My suggestion is extending |
This approach wouldn’t work in the general case. When the rule is not customized, we can determine its status as customized the first time it’s saved by comparing it to itself. However, in subsequent cases, such as saving it a second time after customization, calculating |
This is a good point. There's a few options I can think of for how to deal with this:
I'm leaning towards option 1 as it would take no work and I wasn't able to reproduce this bug at all in some, admittedly cursory, testing with the beta rule package. If @xcrzx isn't able to find any missing versions problems in his package testing I think I'd categorize it as an extremely niche edge case. I'm not sure if there's a better fallback option for the UI in this case short of also showing that the base version is missing which I don't think we'd want to expose to the user |
@approksiu I'd be interested in your opinion on the 3 options above. |
I am supporting option 1 considering the new package with ~ all rule versions is available. We should track the cases of missing base rule versions in telemetry to reconsider in the future. cc @dplumlee @banderror |
During the previous package testing, I found quite many (thousands) missing rule versions. However, I expect this will be resolved by the TRADE team before we release the customization feature. There are two tickets to track the progress:
So, assuming we release a package with the complete rule history this time, I’m inclined to stick with the current behavior (option 1) for now. |
@approksiu Good idea, added it to the ticket 👍 |
@dplumlee I'd assume we're sticking to option 1: leave the logic as is? @pborgonovi The latest package with prebuilt rules ( Could we please try to reproduce it again? The bug will be fully fixed when these are resolved: |
I've retested this scenario upgrading to 8.17.1 package with a rule containing base version and the issue is not reproducible: Screen.Recording.2025-01-07.at.10.23.29.AM.mov@banderror Considering we are going with option 1 and keeping logic as is, are we ok to proceed and close this bug? |
@pborgonovi Yes, thanks for checking! |
Describe the bug:
When editing a prebuilt rule which has an update available through the Edit Rule Settings option without making any changes and clicking Save, the rule is incorrectly marked as “Customized.”
PS: Issue just happens when the rule has an update available
Kibana/Elasticsearch Stack version:
8.x
Functional Area (e.g. Endpoint management, timelines, resolver, etc.):
Prebuilt Rules
Pre requisites:
prebuiltRulesCustomizationEnabled
flag is enabledSteps to reproduce:
Current behavior:
Expected behavior:
Evidences:
Rule has an update available: incorrectly set as is_customized=true
Screen.Recording.2024-12-06.at.10.29.50.AM.mov
Rule doesn't have an update available: correctly kept as is_customized=false
Screen.Recording.2024-12-06.at.10.30.48.AM.mov
The text was updated successfully, but these errors were encountered: