[Security Solution] Searchbar edit filter does not populate with prebuilt rules #209518

Open
Tracked by #201502
dplumlee opened this issue Feb 4, 2025 · 4 comments
Labels: 8.18 candidate, bug, Feature:Prebuilt Detection Rules, impact:medium, Team:Detection Rule Management, Team:Detections and Resp, Team: SecuritySolution, v8.18.0

Comments

dplumlee (Contributor) commented Feb 4, 2025

Epic: #174168

Summary

Related to:

When filters are edited from non-customized prebuilt rules, the filter modal does not populate correctly and the user is forced to select a data view. This is fixed when a filter or index pattern field is changed and the rule is saved, but all other filters in the filters field have a meta.index field added to them, which is causing prebuilt rule upgrade previews to have unexpected results (seen here).

To reproduce

  • Install prebuilt rules
  • Open a rule that contains filters (for example Threat Intel Hash Indicator Match)
  • Attempt to edit a filter

Expected Result:

The data view selector is not shown and the filter edit component correctly populates with the filter details

Actual Result:

The data view selector is shown and no fields are populated in the component

Note:

If a rule filter is deleted/added, upon saving the rule in the UI, the filters field will have a meta.index field added to each filter, which solves this issue (code introduced here). This fix was only implemented before prebuilt rules were allowed to be edited, and out of the box they don't contain this meta.index field the Searchbar filters component requires to function properly. These meta.index fields show up as customizations in the upgrade/_review workflow as they are not shipped in the TRADE prebuilt rule packages and could be confusing to users.

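The note above describes saved rules gaining a `meta.index` field on every filter, which then shows up as a customization in the upgrade review. As an added example (not code from Kibana or from this issue's participants), the script below separates that artifact from real filter edits when comparing a rule's current filters with the shipped version. The function names and sample filters are hypothetical and assume the usual `{ meta, query, $state }` filter shape.

```javascript
// Added example, not Kibana code. The filter objects at the bottom are
// constructed samples that assume the usual { meta, query, $state } shape.

// Serialize with sorted keys so key order never registers as a difference.
function canonical(value) {
  if (Array.isArray(value)) return `[${value.map(canonical).join(',')}]`;
  if (value && typeof value === 'object') {
    const keys = Object.keys(value).filter((k) => value[k] !== undefined).sort();
    return `{${keys.map((k) => `${JSON.stringify(k)}:${canonical(value[k])}`).join(',')}}`;
  }
  return JSON.stringify(value);
}

// Copy of a filter without meta.index; every other field is left untouched.
function withoutMetaIndex(filter) {
  if (!filter || typeof filter.meta !== 'object' || filter.meta === null) return filter;
  const { index, ...meta } = filter.meta;
  return { ...filter, meta };
}

// Classify how a rule's current filters differ from the shipped (base) version:
//   'identical'        no difference
//   'meta-index-only'  differs only in meta.index (the artifact from this issue)
//   'customized'       a real change to the filters
function classifyFilterDiff(baseFilters = [], currentFilters = []) {
  if (canonical(baseFilters) === canonical(currentFilters)) return 'identical';
  const base = baseFilters.map(withoutMetaIndex);
  const current = currentFilters.map(withoutMetaIndex);
  return canonical(base) === canonical(current) ? 'meta-index-only' : 'customized';
}

// Constructed sample data: a shipped filter, the same filter after a UI save
// added meta.index, and a version where the user also negated the filter.
const shipped = [{
  meta: { negate: false, disabled: false, type: 'phrase', key: 'event.category' },
  query: { match_phrase: { 'event.category': 'file' } },
  $state: { store: 'appState' },
}];
const afterUiSave = shipped.map((f) => ({
  ...f, meta: { ...f.meta, index: 'constructed-data-view-id' },
}));
const reallyEdited = afterUiSave.map((f) => ({ ...f, meta: { ...f.meta, negate: true } }));

console.log(classifyFilterDiff(shipped, afterUiSave), classifyFilterDiff(shipped, reallyEdited));
```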

dplumlee added the bug, Feature:Prebuilt Detection Rules, Team: SecuritySolution, and triage_needed labels Feb 4, 2025

elasticmachine (Contributor) commented

Pinging @elastic/security-solution (Team: SecuritySolution)

banderror added the impact:medium, Team:Detections and Resp, Team:Detection Rule Management, 8.18 candidate, and v8.18.0 labels and removed the triage_needed label Feb 4, 2025

elasticmachine (Contributor) commented

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

elasticmachine (Contributor) commented

Pinging @elastic/security-detections-response (Team:Detections and Resp)

banderror (Contributor) commented

@dplumlee @maximpn Thanks for catching this one. It's pretty bad and we should fix it when we release Milestone 3 in ESS in v8.18.0, but I'm not sure if we should consider this a blocker for the first release in Serverless. I'd say probably not. Let's try to fix it by Feb 13th, but if we can't that's ok.
