[Security Solution] Inconsistent Behavior When Saving Additional Look-Back Time #206494

@pborgonovi

Contributor

Epic: #179907
Related to: #204317, #223446

Summary

Description:

When updating the Additional look-back time field in a prebuilt rule’s schedule settings, the system exhibits inconsistent behavior when saving the value depending on whether the input can be fully converted to minutes.
Same behavior is observed when creating/editing a custom rule.

Kibana/Elasticsearch Stack version:

VERSION: 9.0.0
BUILD: 82496
COMMIT: a90a9fc92a469656ba16ad54bd36b2375b386137

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):

Prebuilt Rules

Prerequisites:

  1. prebuiltRulesCustomizationEnabled flag is enabled
  2. Prebuilt rules are available

Steps to reproduce:

  1. Open a prebuilt rule where the Schedule interval is set to “Runs every 5 minutes” and Additional look-back time is set to “4 minutes”.
  2. Update the Runs every 5 minutes interval to:
     • 300 seconds → Save works correctly, and the value is displayed as “300 seconds”.
     • Any other valid time format (e.g. 10 minutes, 20 seconds, etc.) → Save works correctly, and the value is displayed as entered.
  3. Update the Additional look-back time to:
     • A value that cannot be fully converted to minutes (e.g. 350 seconds) → Save works correctly, but the value is saved and displayed as seconds.
     • A value that can be fully converted to minutes (e.g. 360 seconds, which equals 6 minutes) → Save works, but the system automatically converts and displays the value in minutes instead of seconds.

Current behavior:

  • If the Additional look-back time cannot be fully converted to minutes, it is saved and displayed as seconds.
  • If the Additional look-back time can be fully converted to minutes, the system converts it and displays it as minutes, even if it was initially saved as seconds.

Expected behavior:

  • The Additional look-back time should always be saved and displayed in the exact format entered by the user (seconds, minutes, or hours) without automatic conversion.
  • Consistency should be maintained in how time values are displayed, ensuring that users see the format they selected during rule editing.

Screenshots

Screen.Recording.2025-01-13.at.11.22.20.AM.mov
Screen.Recording.2025-01-13.at.11.33.58.AM.mov
Screen.Recording.2025-01-13.at.11.34.47.AM.mov

Activity

Labels added on Jan 13, 2025:

  • bug (Fixes for quality problems that affect the customer experience)
  • Feature:Rule Creation (Security Solution Detection Rule Creation workflow)
  • Feature:Rule Edit (Security Solution Detection Rule Editing workflow)
  • impact:low (Addressing this issue will have a low level of impact on the quality/strength of our product.)
  • Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)

@elasticmachine (Contributor) commented on Jan 13, 2025

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine (Contributor) commented on Jan 13, 2025

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

@elasticmachine (Contributor) commented on Jan 13, 2025

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine (Contributor) commented on Jan 24, 2025

Pinging @elastic/security-detection-engine (Team:Detection Engine)

removed their assignment on Jan 24, 2025

@predogma commented on Jun 10, 2025

Edit rule settings for Schedule only lists (pull down) options for sec, min, hours. It is only when the number of hours is a multiple of 24 resulting in a day count representation on the rule's overview page.

For example, all of these convert to a day representation in the rule's overview schedule panel:
24, 48, 168, 192, 432

Any count of hours not divisible by 24 renders as hours in the overview. For example 300 hours.

When you go back to Edit Rule settings to the Schedule tab, to the Additional look-back time, it cannot render the value as it only renders sec, min, hours (not days). Resulting in a 0 seconds rendered and fails to indicate what the original setting was in hours.
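
The unit-selection behaviour described in the issue and in the comment above, modelled as an added example (not Kibana's code and not part of the thread). All names are hypothetical, and the model assumes a value is re-expressed in the largest unit that divides it exactly.

```typescript
// Simplified model of the reported behaviour; not taken from the Kibana code base.
type Unit = 's' | 'm' | 'h' | 'd';

const SECONDS_PER_UNIT: Record<Unit, number> = { s: 1, m: 60, h: 3600, d: 86400 };

// Units offered by the edit form's pull-down, per the comment above (no days).
const EDITOR_UNITS: Unit[] = ['h', 'm', 's'];
// Units used when the value is rendered for display.
const DISPLAY_UNITS: Unit[] = ['d', 'h', 'm', 's'];

function toSeconds(duration: string): number | null {
  const match = /^(\d+)([smhd])$/.exec(duration);
  if (match === null) return null;
  return Number(match[1]) * SECONDS_PER_UNIT[match[2] as Unit];
}

// Pick the largest unit from `units` that divides the value exactly.
function largestExactUnit(totalSeconds: number, units: Unit[]): string {
  for (const unit of units) {
    const size = SECONDS_PER_UNIT[unit];
    if (totalSeconds >= size && totalSeconds % size === 0) {
      return `${totalSeconds / size}${unit}`;
    }
  }
  return `${totalSeconds}s`;
}

// Reported behaviour: the displayed unit depends on divisibility, not on the unit entered.
function displayNormalized(duration: string): string {
  const secs = toSeconds(duration);
  return secs === null ? duration : largestExactUnit(secs, DISPLAY_UNITS);
}

// Reported behaviour: the editor cannot parse a unit it does not offer and shows 0 seconds.
function editorReported(stored: string): string {
  return /^\d+[smh]$/.test(stored) ? stored : '0s';
}

// One possible handling: re-express the value in a unit the editor offers,
// so the effective look-back in seconds is unchanged.
function editorLossless(stored: string): string {
  const secs = toSeconds(stored);
  return secs === null ? '0s' : largestExactUnit(secs, EDITOR_UNITS);
}
```

In this model `350s` stays `350s` while `360s` becomes `6m`, and a value shown as `2d` comes back as `0s` in the reported editor behaviour but as `48h` in the lossless variant.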

self-assigned this on Jun 11, 2025

@yctercero (Contributor) commented on Jun 11, 2025

@maximpn happy to coordinate here if we can help. It seems to cross domains of rule edit/rule details.

@predogma commented on Jun 12, 2025

removed their assignment on Jun 24, 2025

@banderror (Contributor) commented on Jun 24, 2025

This one is not planned for work on the Rule Management team at this point. cc @yctercero

Metadata

Assignees: No one assigned

Labels:

  • Feature:Rule Creation (Security Solution Detection Rule Creation workflow)
  • Feature:Rule Edit (Security Solution Detection Rule Editing workflow)
  • Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)
  • Team:Detection Engine (Security Solution Detection Engine Area)
  • Team:Detection Rule Management (Security Detection Rule Management Team)
  • Team:Detections and Resp (Security Detection Response Team)
  • bug (Fixes for quality problems that affect the customer experience)
  • effort:low
  • impact:low (Addressing this issue will have a low level of impact on the quality/strength of our product.)
  • value:low

Projects: No projects

Milestone: No milestone

Relationships: None yet

Development: No branches or pull requests

Participants: @maximpn, @predogma, @banderror, @yctercero, @elasticmachine
