[Security Solution] Incorrect Rule Status Displayed in Details Flyout After Reinstalling a Prebuilt Rule #203005

Open
pborgonovi opened this issue Dec 4, 2024 · 5 comments
Assignees
Labels
bug Fixes for quality problems that affect the customer experience impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Investigations Team Team:Threat Hunting Security Solution Threat Hunting Team

Comments

@pborgonovi

pborgonovi commented Dec 4, 2024

Describe the bug:

When a prebuilt rule is deleted and then reinstalled, clicking View Details shows the correct status in the Flyout. However, clicking the rule name in the Alerts table incorrectly shows the rule as “deleted” in the Details flyout.

Kibana/Elasticsearch Stack version:

8.17

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):

Alerts table

Steps to reproduce:

  1. Navigate to Rules Management and identify a prebuilt rule that has generated alerts.
  2. Delete the rule.
  3. Reinstall the same rule.
  4. Go to the Alerts tab and locate alerts generated by the reinstalled rule.
  5. Perform the following actions:
     • Click View Details.
     • Click the rule name directly from the Alerts table.

Current behavior:

  • Clicking View Details correctly shows the rule status.
  • Clicking the rule name directly in the Alerts table causes the View Details flyout to incorrectly display the rule as “deleted.”

Expected behavior:

  • The View Details flyout should not display the rule as “deleted” if it has been reinstalled.

Screenshots (if relevant):

Screen.Recording.2024-12-04.at.10.54.20.AM.mov
@pborgonovi pborgonovi added bug Fixes for quality problems that affect the customer experience impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Engine Security Solution Detection Engine Area Team:Detections and Resp Security Detection Response Team triage_needed labels Dec 4, 2024
@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@pborgonovi pborgonovi changed the title [Security Solution] Incorrect Rule Status Displayed in View Details Flyout After Reinstalling a Prebuilt Rule [Security Solution] Incorrect Rule Status Displayed in Details Flyout After Reinstalling a Prebuilt Rule Dec 4, 2024
@elasticmachine

Pinging @elastic/security-detection-engine (Team:Detection Engine)

@yctercero

Hey @pborgonovi - I think this would be @elastic/security-detection-rule-management

@yctercero yctercero assigned banderror and unassigned yctercero Dec 4, 2024
@yctercero yctercero added Team:Detection Rule Management Security Detection Rule Management Team and removed Team:Detection Engine Security Solution Detection Engine Area labels Dec 4, 2024
@banderror

@pborgonovi We don't own this flyout either 🙂

It looks like the flyout references rules by their object ids. When you reinstall it, the id changes, and you technically get a new rule, not the same one. That said, the UX could be improved for prebuilt rules.

I'll reassign to @elastic/security-threat-hunting-investigations.

@banderror banderror added Team:Threat Hunting Security Solution Threat Hunting Team Team:Threat Hunting:Investigations Security Solution Investigations Team and removed Team:Detections and Resp Security Detection Response Team Team:Detection Rule Management Security Detection Rule Management Team labels Dec 5, 2024
@banderror banderror assigned asnehalb and PhilippeOberti and unassigned banderror Dec 5, 2024
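
The stale reference described in the last comment, as an added example (not Kibana code and not part of the original thread): a constructed in-memory rule store in which every install gets a new object `id` while `rule_id` stays stable. The `RuleStore` class, the `resolve*` helpers and the fallback lookup are hypothetical, and the example assumes an alert records both identifiers of the rule that produced it.

```javascript
// Constructed in-memory model of a rule store; not Kibana code.
// `id` is the object id (new on every install); `rule_id` is assumed to be
// the stable identifier a prebuilt rule keeps across reinstalls.
class RuleStore {
  byObjectId = new Map();
  nextId = 1;
  install(ruleId, name) {
    const rule = { id: `obj-${this.nextId++}`, rule_id: ruleId, name };
    this.byObjectId.set(rule.id, rule);
    return rule;
  }
  remove(objectId) { return this.byObjectId.delete(objectId); }
  findByObjectId(objectId) { return this.byObjectId.get(objectId) ?? null; }
  findByRuleId(ruleId) {
    return [...this.byObjectId.values()].find((r) => r.rule_id === ruleId) ?? null;
  }
}

// Lookup by the object id stored in the alert, as the thread suggests the flyout does.
function resolveByObjectId(store, alert) {
  const rule = store.findByObjectId(alert.ruleObjectId);
  return rule ? { status: 'installed', rule } : { status: 'deleted', rule: null };
}

// Hypothetical alternative: fall back to the stable rule_id and say so in the status.
function resolveWithFallback(store, alert) {
  const exact = store.findByObjectId(alert.ruleObjectId);
  if (exact) return { status: 'installed', rule: exact };
  const reinstalled = store.findByRuleId(alert.ruleId);
  return reinstalled
    ? { status: 'reinstalled', rule: reinstalled }
    : { status: 'deleted', rule: null };
}

// Constructed scenario: install, raise an alert, delete, reinstall.
function demo() {
  const store = new RuleStore();
  const first = store.install('constructed-prebuilt-rule', 'Sample prebuilt rule');
  const alert = { ruleObjectId: first.id, ruleId: first.rule_id };
  store.remove(first.id);
  const second = store.install('constructed-prebuilt-rule', 'Sample prebuilt rule');
  return {
    idChanged: first.id !== second.id,
    byObjectId: resolveByObjectId(store, alert).status,
    withFallback: resolveWithFallback(store, alert).status,
  };
}

console.log(demo());
```

The `reinstalled` status keeps the distinction the comment draws (technically a new rule object) while telling the analyst that the detection is still present.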