
[Security Solution] Handle negative lookback in rule upgrade flyout #204317

Open: wants to merge 4 commits into main

Conversation


@maximpn maximpn commented Dec 14, 2024

Fixes: #202715
Fixes: #204714

Summary

This PR makes an inconsistent/wrong rule look-back duration prominent for the user. It falls back to a default 1 minute value in the rule upgrade workflow.

Details

Negative/wrong lookback problem

There is a difference between the rule schedule value in a saved object and the value presented to users:

  • Saved object (and rule management API) has interval, from and to fields representing the rule schedule. interval shows how often a rule runs in the task runner. from and to, stored in date math format like now-10m, represent the date-time range used to fetch source events. Task manager strives to run rules exactly every interval, but that's not always possible for multiple reasons such as system load and various delays. To avoid gaps, the from point in time usually stands earlier than the current time minus interval; for example, if interval is 10 minutes and from is now-12m, the rule will analyze events starting from 12 minutes old. to represents the latest point in time for which source events will be analyzed.
  • Diffable rule and UI represent the rule schedule as interval and lookback, where interval is the same as above and lookback is a time duration before the current time minus interval. For example, if interval is 10 minutes and lookback is 2 minutes, the rule will analyze events starting from 12 minutes old until the current moment in time.

Literally, interval, from and to mean a rule runs every interval and analyzes events starting from from until to. Technically from and to may not have any correlation with interval; for example, a rule may analyze one-year-old events. While that's reasonable for manual rule runs and gap remediation, the same approach doesn't work well for the usual rule schedule. Transformation between interval/from/to and interval/lookback works only when to equals the current moment in time, i.e. now.

Rule management APIs allow setting any from and to values, resulting in an inconsistent rule schedule. The transformed interval/lookback value won't represent the real time interval used to fetch source events for analysis. On top of that, a negative lookback value may puzzle users about the meaning of the negative sign.

Prebuilt rules with interval/from/to resulting in negative lookback

Some prebuilt rules have such interval, from and to field values that a negative lookback is expected, for example Multiple Okta Sessions Detected for a Single User. It runs every 60 minutes but has the from field set to now-30m and to equal to now. In the end we have lookback = to - from - interval = 30 minutes - 60 minutes = -30 minutes.

Our UI doesn't handle negative lookback values. It simply discards the negative sign and substitutes the rest for editing. In the case above, 30 minutes will be suggested for editing. Saving the form will result in changing from to now-90m.


Changes in this PR

This PR mitigates rule schedule inconsistencies caused by to fields not using the current point in time, i.e. now. The following was done:

  • DiffableRule's rule_schedule was changed to have interval, from and to fields instead of interval and lookback
  • _perform rule upgrade API endpoint was adapted to the new DIffableRule's rule_schedule
  • Rule upgrade flyout calculates and shows interval and lookback in Diff View, readonly view and field form when lookback is non-negative and to equals now
  • Rule upgrade flyout shows interval, from and to in Diff View, readonly view and field form when to isn't equal now or calculated lookback is negative
  • Rule upgrade flyout shows a warning when to isn't equal now or calculated lookback is negative
  • Rule upgrade flyout's JSON Diff shows interval and lookback when lookback is non-negative and to equals now and shows interval, from and to in any other case
  • Rule details page shows interval, from and to in Diff View, readonly view and field form when to isn't equal now or calculated lookback is negative

Screenshots

  • Rule upgrade workflow (negative look-back): [Screenshot 2025-01-02 at 13:16:59], [Screenshot 2025-01-02 at 13:17:20], [Screenshot 2025-01-02 at 13:18:24]
  • Rule upgrade workflow (positive look-back): [Screenshot 2025-01-02 at 13:19:12], [Screenshot 2025-01-02 at 13:25:31]
  • JSON view: [Screenshot 2025-01-02 at 13:31:37]
  • Rule details page: [Screenshot 2025-01-02 at 13:13:16], [Screenshot 2025-01-02 at 13:14:10]

How to test?

  • Ensure the prebuiltRulesCustomizationEnabled feature flag is enabled
  • Allow internal APIs by adding server.restrictInternalApis: false to kibana.dev.yaml
  • Clear Elasticsearch data
  • Run Elasticsearch and Kibana locally (do not open Kibana in a web browser)
  • Install an outdated version of the security_detection_engine Fleet package

```shell
curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1
```

  • Install prebuilt rules

```shell
curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform
```

  • Set an "inconsistent" rule schedule for the Suspicious File Creation via Kworker rule by running the request below

```shell
curl -X PATCH --user elastic:changeme -H "Content-Type: application/json" -H "elastic-api-version: 2023-10-31" -H "kbn-xsrf: 123" -d '{"rule_id":"ae343298-97bc-47bc-9ea2-5f2ad831c16e","interval":"10m","from":"now-5m","to":"now-2m"}' http://localhost:5601/kbn/api/detection_engine/rules
```

  • Open the rule upgrade flyout for the Suspicious File Creation via Kworker rule

@maximpn maximpn added labels bug, release_note:skip, impact:high, v9.0.0, Team:Detections and Resp, Team: SecuritySolution, Team:Detection Rule Management, Feature:Prebuilt Detection Rules, backport:version, v8.18.0 on Dec 14, 2024
@maximpn maximpn self-assigned this Dec 14, 2024
@maximpn maximpn force-pushed the handle-negative-lookback-in-rule-upgrade-flyout branch 4 times, most recently from 3254df1 to a8dacbc on December 17, 2024 08:25
@maximpn maximpn marked this pull request as ready for review December 17, 2024 10:55
@maximpn maximpn requested review from a team as code owners December 17, 2024 10:55
@maximpn maximpn requested review from rylnd and xcrzx December 17, 2024 10:55
@elasticmachine

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)


rylnd commented Dec 18, 2024

@maximpn when I follow your instructions and attempt to open the upgrade flyout for the modified rule, I receive the following error, which looks to have been thrown by parseDuration:

[Screenshot 2024-12-18 at 1:45:07 PM]

<details>

```
The above error occurred in ErrorBoundary:
    at ErrorBoundary (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:173844:7)
    at DragDropContext (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:182244:23)
    at DragDropContextWrapperComponent (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:123797:3)
    at TourContextProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:125963:3)
    at http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.10.js:3132:3
    at div
    at P (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:416847:19797)
    at HomePageComponent (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:119685:3)
    at FilesContext (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/cases/1.0.0/cases.plugin.js:4051:3)
    at QueryClientProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:201457:3)
    at CasesProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/cases/1.0.0/cases.plugin.js:12930:3)
    at Suspense
    at CasesProviderLazyWrapper (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/cases/1.0.0/cases.plugin.js:10620:3)
    at CasesProviderLazyWrapperWithRegistry (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/cases/1.0.0/cases.plugin.js:10648:5)
    at Route (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:365980:29)
    at Route (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:52215:3)
    at Switch (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:366182:29)
    at Routes (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:52349:3)
    at http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:124866:3
    at RenderedRoute (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:364147:5)
    at Routes (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:364708:5)
    at Router (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:364646:15)
    at CompatRouter (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:362673:5)
    at Router (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:365599:30)
    at Router (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:52305:3)
    at ManageRoutesSpyComponent (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:141727:3)
    at PageRouterComponent (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:119811:3)
    at AssistantProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:89064:3)
    at AssistantProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:121929:3)
    at DiscoverInTimelineContextProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:123268:86)
    at http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:135727:3
    at CellActionsProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.7.js:8148:3)
    at QueryClientProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:201457:3)
    at http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.default~lazy_app_links.js:593:3
    at NavigationProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.plugin.js:762:3)
    at ManageUserInfo (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:146394:3)
    at UserPrivilegesProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:135990:3)
    at http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:131967:3
    at Le (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:416847:17442)
    at KibanaStyledComponentsThemeProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/kibanaReact/1.0.0/kibanaReact.plugin.js:2009:3)
    at Provider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:359229:20)
    at ManageGlobalToaster (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.0.js:884:3)
    at ErrorBoundaryInternal (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-src/kbn-ui-shared-deps-src.js:63384:5)
    at KibanaErrorBoundary (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-src/kbn-ui-shared-deps-src.js:63445:110)
    at KibanaErrorBoundaryProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-src/kbn-ui-shared-deps-src.js:63205:3)
    at EuiContext (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:71325:24)
    at IntlProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-src/kbn-ui-shared-deps-src.js:237142:47)
    at I18nProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-src/kbn-ui-shared-deps-src.js:57310:3)
    at I18nContext (http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js:21999:9)
    at EuiComponentDefaultsProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:127252:36)
    at CurrentEuiBreakpointProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:152993:23)
    at ThemeProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:164284:63)
    at EuiEmotionThemeProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:158268:23)
    at EuiThemeMemoizedStylesProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:158743:23)
    at EuiThemeProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:158537:22)
    at EuiSystemColorModeProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:127579:23)
    at EuiCacheProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:127173:20)
    at EuiProviderNestedCheck (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:127405:23)
    at EuiProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:127465:25)
    at KibanaEuiProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:51630:3)
    at KibanaRootContextProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:51751:3)
    at KibanaRenderContextProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:51528:3)
    at StartAppComponent (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:119310:3)
    at CloudContextProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/cloud/1.0.0/cloud.plugin.js:599:7)
    at Provider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/kibanaReact/1.0.0/kibanaReact.plugin.js:2813:15)
    at SecurityAppComponent (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:119342:3)
```
</details>

@maximpn maximpn force-pushed the handle-negative-lookback-in-rule-upgrade-flyout branch from a8dacbc to 1a0d56f on December 19, 2024 00:16

maximpn commented Dec 19, 2024

Hi @rylnd,

Are you sure you pulled the latest PR changes? I double-checked and it works for me locally as described in the PR description. Could you try removing the branch and pulling the latest changes?

@maximpn maximpn force-pushed the handle-negative-lookback-in-rule-upgrade-flyout branch 7 times, most recently from 9f7223f to 5ebec94 on December 31, 2024 13:23
@elastic-vault-github-plugin-prod elastic-vault-github-plugin-prod bot requested a review from a team as a code owner December 31, 2024 17:37
@maximpn maximpn force-pushed the handle-negative-lookback-in-rule-upgrade-flyout branch 5 times, most recently from ac5518a to 2db83cc on January 2, 2025 12:46

maximpn commented Jan 2, 2025

@banderror

I like the idea proposed in #204714 (comment)

Perhaps there's a relatively inexpensive way to do this:

  • Make interval, to, and from part of DiffableRule - instead of interval and lookback - as Maxim proposed above:
    Since precise conversion between interval/from/to and interval/lookback isn't possible, we should expose interval/from/to fields in the diffable rule. We could convert to look-back in the UI and fall back to the original values when it is possible.
  • If to == "now" and lookback can be parsed to a positive value, we show our existing regular UI with the interval and lookback form inputs. Otherwise, we show a fallback UI that allows editing the interval, from and to fields directly.
  • This would allow keeping the existing Creation and Editing pages unchanged at this stage.

I updated the PR accordingly:

  • Made interval, from and to part of DiffableRule
  • Added SimpleRuleSchedule schema and type
  • Added toSimpleRuleSchedule and corresponding time duration and date math utilities to have a streamlined way of handling rule schedules
  • Tweaked Rule Upgrade Flyout functionality to show the simple rule schedule (interval and lookback) when lookback >= 0 and show the full rule schedule (interval, from and to) when to != now or lookback is negative
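The conversion rules spelled out in the PR description (lookback = to - from - interval, valid only when to is now) and the display decision in the comment above (simple interval/lookback view when to == "now" and lookback is non-negative, otherwise the full interval/from/to view) can be modelled in a few lines. The block below is an added illustration written for this page; it is not Kibana's toSimpleRuleSchedule or date math utilities, and the names parseDurationMs, parseDateMathOffsetMs, toLargestDuration, toScheduleView and toFullRuleSchedule are assumptions. It also reproduces the pre-fix UI defect: feeding the sign-stripped "30m" of a -30m look-back into the inverse conversion yields from = now-90m, exactly as described for the Okta rule.

```typescript
// Added example (not Kibana's own code): a small model of the rule-schedule
// conversion discussed in the PR. Function and type names are assumptions.

type TimeUnit = 's' | 'm' | 'h' | 'd';

// Milliseconds per supported unit of a duration such as "10m" or "1h".
const UNIT_TO_MS: Record<TimeUnit, number> = {
  s: 1_000,
  m: 60_000,
  h: 3_600_000,
  d: 86_400_000,
};

// Saved-object / rule management API representation of the schedule.
interface FullRuleSchedule {
  interval: string; // how often the rule runs, e.g. "10m"
  from: string;     // date math, e.g. "now-12m"
  to: string;       // date math, normally "now"
}

// Representation the UI shows when it is meaningful.
interface SimpleRuleSchedule {
  interval: string;
  lookback: string; // extra time before (now - interval) that is still analyzed
}

type ScheduleView =
  | { kind: 'simple'; schedule: SimpleRuleSchedule }
  | { kind: 'full'; schedule: FullRuleSchedule; reason: string };

// Parse a "10m"-style duration into milliseconds; null when malformed.
function parseDurationMs(duration: string): number | null {
  const match = /^(\d+)([smhd])$/.exec(duration.trim());
  if (!match) return null;
  return Number(match[1]) * UNIT_TO_MS[match[2] as TimeUnit];
}

// Parse date math of the restricted form "now", "now-10m" or "now+10m" into a
// signed offset from now in milliseconds; null for any other expression.
function parseDateMathOffsetMs(dateMath: string): number | null {
  const value = dateMath.trim();
  if (value === 'now') return 0;
  const match = /^now([+-])(\d+)([smhd])$/.exec(value);
  if (!match) return null;
  const ms = Number(match[2]) * UNIT_TO_MS[match[3] as TimeUnit];
  return match[1] === '-' ? -ms : ms;
}

// Render milliseconds with the largest unit that divides them exactly,
// keeping the sign (-1800000 -> "-30m").
function toLargestDuration(ms: number): string {
  for (const unit of ['d', 'h', 'm', 's'] as TimeUnit[]) {
    if (ms % UNIT_TO_MS[unit] === 0) return `${ms / UNIT_TO_MS[unit]}${unit}`;
  }
  throw new Error(`duration ${ms}ms is not a whole number of seconds`);
}

// Decide whether the schedule can be shown as interval + lookback. The simple
// form is valid only when "to" is "now" and the lookback is non-negative;
// otherwise the caller should show interval, from and to directly.
function toScheduleView(full: FullRuleSchedule): ScheduleView {
  const intervalMs = parseDurationMs(full.interval);
  const fromMs = parseDateMathOffsetMs(full.from);
  const toMs = parseDateMathOffsetMs(full.to);
  if (intervalMs === null || fromMs === null || toMs === null) {
    return { kind: 'full', schedule: full, reason: 'interval/from/to could not be parsed' };
  }
  if (toMs !== 0) {
    return { kind: 'full', schedule: full, reason: `to is ${full.to}, not now` };
  }
  // lookback = to - from - interval, all expressed as offsets from now
  const lookbackMs = toMs - fromMs - intervalMs;
  if (lookbackMs < 0) {
    return { kind: 'full', schedule: full, reason: `negative look-back ${toLargestDuration(lookbackMs)}` };
  }
  return {
    kind: 'simple',
    schedule: { interval: full.interval, lookback: toLargestDuration(lookbackMs) },
  };
}

// Inverse used when a simple schedule is saved: from = now - (interval + lookback).
// Feeding it the sign-stripped "30m" of a -30m look-back reproduces the
// "now-90m" result the PR description reports for the old UI.
function toFullRuleSchedule(simple: SimpleRuleSchedule): FullRuleSchedule {
  const intervalMs = parseDurationMs(simple.interval);
  const lookbackMs = parseDurationMs(simple.lookback);
  if (intervalMs === null || lookbackMs === null) {
    throw new Error('interval and lookback must be durations like "10m"');
  }
  return {
    interval: simple.interval,
    from: `now-${toLargestDuration(intervalMs + lookbackMs)}`,
    to: 'now',
  };
}

// Demo with the Okta rule values quoted in the PR description.
console.log(toScheduleView({ interval: '60m', from: 'now-30m', to: 'now' }));
console.log(toFullRuleSchedule({ interval: '60m', lookback: '30m' }).from); // now-90m
```

The decision in toScheduleView is deliberately conservative: any schedule whose to is not exactly now, or whose from/to use date math this restricted parser does not understand, falls through to the full view rather than being silently approximated, which is the behaviour the flyout change aims for.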

@maximpn maximpn requested review from banderror and rylnd January 2, 2025 13:24

maximpn commented Jan 6, 2025

Files by Code Owner

elastic/kibana-localization

  • x-pack/platform/plugins/private/translations/translations/fr-FR.json
  • x-pack/platform/plugins/private/translations/translations/ja-JP.json
  • x-pack/platform/plugins/private/translations/translations/zh-CN.json

elastic/security-detection-engine

  • x-pack/solutions/security/packages/kbn-securitysolution-utils/date_math.ts
  • x-pack/solutions/security/packages/kbn-securitysolution-utils/kibana.jsonc
  • x-pack/solutions/security/packages/kbn-securitysolution-utils/src/date_math/calc_date_math_diff.test.ts
  • x-pack/solutions/security/packages/kbn-securitysolution-utils/src/date_math/calc_date_math_diff.ts
  • x-pack/solutions/security/packages/kbn-securitysolution-utils/src/date_math/index.ts
  • x-pack/solutions/security/packages/kbn-securitysolution-utils/src/date_math/normalize_date_math.test.ts
  • x-pack/solutions/security/packages/kbn-securitysolution-utils/src/date_math/normalize_date_math.ts
  • x-pack/solutions/security/packages/kbn-securitysolution-utils/src/date_math/parse_date_math.test.ts
  • x-pack/solutions/security/packages/kbn-securitysolution-utils/src/date_math/parse_date_math.ts
  • x-pack/solutions/security/packages/kbn-securitysolution-utils/src/time_duration/convert_time_duration_to_ms.test.ts
  • x-pack/solutions/security/packages/kbn-securitysolution-utils/src/time_duration/convert_time_duration_to_ms.ts
  • x-pack/solutions/security/packages/kbn-securitysolution-utils/src/time_duration/index.ts
  • x-pack/solutions/security/packages/kbn-securitysolution-utils/src/time_duration/parse_time_duration.test.ts
  • x-pack/solutions/security/packages/kbn-securitysolution-utils/src/time_duration/parse_time_duration.ts
  • x-pack/solutions/security/packages/kbn-securitysolution-utils/src/time_duration/to_largest_time_duration.test.ts
  • x-pack/solutions/security/packages/kbn-securitysolution-utils/src/time_duration/to_largest_time_duration.ts
  • x-pack/solutions/security/packages/kbn-securitysolution-utils/time_duration.ts
  • x-pack/solutions/security/packages/kbn-securitysolution-utils/tsconfig.json
  • x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/simple_rule_schedule.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/history_window_start_edit/history_window_start_edit.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/schedule_item_field/schedule_item_field.test.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/schedule_item_field/schedule_item_field.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/step_rule_actions/notification_action.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/rule_preview/use_preview_invocation_count.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_schedule_rule/index.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/helpers.test.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/helpers.ts

elastic/security-detection-rule-management

  • x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/simple_rule_schedule.ts
  • x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/prebuilt_rules/model/diff/diffable_rule/diffable_field_types.ts
  • x-pack/solutions/security/plugins/security_solution/common/detection_engine/rule_management/to_simple_rule_schedule.test.ts
  • x-pack/solutions/security/plugins/security_solution/common/detection_engine/rule_management/to_simple_rule_schedule.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/json_diff/json_diff.test.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/per_field_diff/get_field_diffs_for_grouped_fields.test.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/per_field_diff/get_field_diffs_for_grouped_fields.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/rule_diff_tab.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/rule_schedule_section.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/comparison_side/get_subfield_changes/rule_schedule.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/common_rule_field_edit.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/full_rule_schedule_adapter.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/full_rule_schedule_form.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/index.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/rule_schedule_form.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/simple_rule_schedule_adapter.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/simple_rule_schedule_form.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/translations.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/utils/to_date_math.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/utils/to_signed.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/utils/to_time_duration.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/rule_schedule/rule_schedule.stories.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/rule_schedule/rule_schedule.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/rule_schedule/translations.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/storybook/mocks.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/translations.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management_ui/components/rules_table/bulk_actions/forms/schedule_form.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.test.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.tsx
  • x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.test.ts
  • x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts

elastic/security-engineering-productivity

  • x-pack/test/security_solution_cypress/cypress/screens/alerts_detection_rules.ts
  • x-pack/test/security_solution_cypress/cypress/tasks/prebuilt_rules_preview.ts
  • x-pack/test/security_solution_cypress/cypress/tsconfig.json

elastic/security-solution

  • x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/simple_rule_schedule.ts
  • x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/prebuilt_rules/model/diff/diffable_rule/diffable_field_types.ts
  • x-pack/solutions/security/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_rule_schedule.test.ts
  • x-pack/solutions/security/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_rule_schedule.ts
  • x-pack/solutions/security/plugins/security_solution/common/detection_engine/rule_management/to_simple_rule_schedule.test.ts
  • x-pack/solutions/security/plugins/security_solution/common/detection_engine/rule_management/to_simple_rule_schedule.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/history_window_start_edit/history_window_start_edit.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/schedule_item_field/schedule_item_field.test.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/schedule_item_field/schedule_item_field.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/step_rule_actions/notification_action.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/rule_preview/use_preview_invocation_count.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_schedule_rule/index.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/helpers.test.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/helpers.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/json_diff/json_diff.test.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/per_field_diff/get_field_diffs_for_grouped_fields.test.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/per_field_diff/get_field_diffs_for_grouped_fields.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/rule_diff_tab.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/rule_schedule_section.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/comparison_side/get_subfield_changes/rule_schedule.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/common_rule_field_edit.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/full_rule_schedule_adapter.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/full_rule_schedule_form.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/index.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/rule_schedule_form.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/simple_rule_schedule_adapter.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/simple_rule_schedule_form.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/translations.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/utils/to_date_math.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/utils/to_signed.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/utils/to_time_duration.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/rule_schedule/rule_schedule.stories.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/rule_schedule/rule_schedule.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/rule_schedule/translations.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/storybook/mocks.ts
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/translations.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management_ui/components/rules_table/bulk_actions/forms/schedule_form.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.test.tsx
  • x-pack/solutions/security/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.tsx
  • x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.test.ts
  • x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts
  • x-pack/solutions/security/plugins/security_solution/tsconfig.json

@maximpn maximpn force-pushed the handle-negative-lookback-in-rule-upgrade-flyout branch from f75c3eb to e40bbf7 Compare January 7, 2025 12:34
@elasticmachine

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #96 / Observability AI Assistant API tests knowledge_base/knowledge_base_user_instructions.spec.ts Knowledge base user instructions when a user instruction exists and a conversation is created does not add the instruction conversation for other users

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

| id | before | after | diff |
|---|---|---|---|
| securitySolution | 6523 | 6544 | +21 |

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
|---|---|---|---|
| securitySolution | 22.1MB | 22.2MB | +12.6KB |


cc @maximpn

@banderror

@maximpn I started testing the bugfix locally and will be posting issues as soon as I find them in separate comments.

First thing is I can confirm that the PR fixes #204714 👍

@banderror

banderror commented Jan 7, 2025

It would be nice to use the same font size across the field values. Currently, the size used for the "warning" schedule is larger than the default size.

Rule Details page:

Screenshot_2025-01-07_at_20_47_22

Rule Upgrade flyout:

Screenshot_2025-01-07_at_20_53_32

@banderror

banderror commented Jan 7, 2025

The UI shows positive offsets from now in the readonly mode:

Screenshot 2025-01-07 at 21 05 08

But it doesn't allow keeping positive offsets in the editing mode; it resets them to 0:

Screenshot 2025-01-07 at 21 05 24

Why do we even show them as offsets and add an additional restriction? Since the API allows specifying any datemath, I think we should let the user edit raw datemath expressions for the from and to fields. In other words, in the inputs there should be now+1m and now+2m.

@banderror

banderror commented Jan 7, 2025

The tooltip is irrelevant in this case. There won't be any gaps since the rule won't be querying any data at all (unless there are "future events"):

Screenshot 2025-01-07 at 21 10 56

Same here. The API allows setting from > to, in which case the rule will run but won't find any source events. We shouldn't show a tooltip that says that the rule may run with gaps.

Screenshot 2025-01-07 at 21 18 31 Screenshot 2025-01-07 at 21 19 39

Another case when the tooltip and the warning are incorrect and misleading:

Screenshot 2025-01-07 at 21 27 20

Let's simplify it and remove the tooltip at this point. Let's also remove the warning icon and the yellow color. We can improve this later.
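Added example to illustrate the schedule cases discussed in the comment above (negative look-back, positive offsets from now, and `from` later than `to`). This is not code from this PR or from Kibana; the function names, the restriction to `now`, `now+<n><unit>` and `now-<n><unit>` date math, and the 1 minute fallback constant are assumptions of the example.

```typescript
// Added example, not code from the Kibana PR. It classifies a detection rule's
// schedule from the saved-object fields `interval`, `from` and `to`, covering
// the cases raised in the review: negative look-back, positive ("future")
// offsets from now, and `from` later than `to`. Only the simple date-math
// forms `now`, `now+<n><unit>` and `now-<n><unit>` are parsed here (an
// assumption of the example; the real API accepts arbitrary date math).

type Unit = 's' | 'm' | 'h' | 'd';
const UNIT_SECONDS: Record<Unit, number> = { s: 1, m: 60, h: 3600, d: 86400 };

/** Offset of a `now[+-]<n><unit>` expression from now, in seconds (negative = past). */
export function dateMathToOffsetSeconds(expr: string): number {
  const match = /^now(?:([+-])(\d+)([smhd]))?$/.exec(expr.trim());
  if (match === null) {
    throw new Error(`unsupported date math expression: ${expr}`);
  }
  const sign = match[1];
  if (sign === undefined) {
    return 0; // plain `now`
  }
  const seconds = Number(match[2]) * UNIT_SECONDS[match[3] as Unit];
  return sign === '-' ? -seconds : seconds;
}

/** Parse a duration such as `10m` or `1h` into seconds. */
export function durationToSeconds(duration: string): number {
  const match = /^(\d+)([smhd])$/.exec(duration.trim());
  if (match === null) {
    throw new Error(`unsupported duration: ${duration}`);
  }
  return Number(match[1]) * UNIT_SECONDS[match[2] as Unit];
}

export interface RuleSchedule {
  interval: string; // how often the rule runs, e.g. '10m'
  from: string; // date math, e.g. 'now-12m'
  to: string; // date math, e.g. 'now'
}

export interface ScheduleCheck {
  kind: 'ok' | 'negative_lookback' | 'empty_window' | 'future_window' | 'to_not_now';
  /** Look-back in seconds, or null when interval + look-back cannot represent the window. */
  lookbackSeconds: number | null;
}

export function checkRuleSchedule(rule: RuleSchedule): ScheduleCheck {
  const intervalSeconds = durationToSeconds(rule.interval);
  const fromOffset = dateMathToOffsetSeconds(rule.from);
  const toOffset = dateMathToOffsetSeconds(rule.to);

  if (fromOffset > toOffset) {
    // `from` is later than `to`: the rule runs but its query window is empty,
    // so a "gaps" warning would be misleading.
    return { kind: 'empty_window', lookbackSeconds: null };
  }
  if (fromOffset > 0) {
    // Both bounds lie in the future; only "future events" could ever match.
    return { kind: 'future_window', lookbackSeconds: null };
  }
  if (toOffset !== 0) {
    // interval/look-back only describes windows that end exactly at `now`.
    return { kind: 'to_not_now', lookbackSeconds: null };
  }

  // Window ends at now: look-back is how far `from` reaches beyond one interval.
  const lookbackSeconds = -fromOffset - intervalSeconds;
  if (lookbackSeconds < 0) {
    return { kind: 'negative_lookback', lookbackSeconds };
  }
  return { kind: 'ok', lookbackSeconds };
}

/** Fallback shown in an editor when the schedule is inconsistent (assumed default for this example). */
export const DEFAULT_LOOKBACK_SECONDS = 60;

export function effectiveLookbackSeconds(rule: RuleSchedule): number {
  const check = checkRuleSchedule(rule);
  return check.kind === 'ok' ? (check.lookbackSeconds as number) : DEFAULT_LOOKBACK_SECONDS;
}
```

`checkRuleSchedule` keeps the three inconsistent cases apart rather than folding them into one "negative look-back" bucket, which is what allows a UI to drop the gap tooltip for an empty or future window while still offering a sane editable value through `effectiveLookbackSeconds`.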

@banderror

The upgrade itself worked for non-regular from and to values, and this is how it looks on the Rule Details page after upgrade:

Screenshot 2025-01-07 at 21 34 59

@banderror

banderror commented Jan 7, 2025

Nit: There's an issue with responsiveness. I think it should be all a single inline string, no blocks.

Screenshot 2025-01-07 at 21 37 18 Screenshot 2025-01-07 at 21 38 58

@banderror

@maximpn I'm going to review the code tomorrow. Feel free to ping me if you'd want to discuss the comments above.

Labels
backport:version Backport to applied version labels bug Fixes for quality problems that affect the customer experience Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. release_note:skip Skip the PR/issue when compiling release notes Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.18.0 v9.0.0