[Security Solution]Rule Failure after deleting Data view having index pattern

[ghost]

Describe the bug
Rule Failure after deleting Data view in rule having index pattern + data view

Build Details:

Version:8.4.0-SNAPSHOT
Commit:f94d5ff26bf1f14f9992e426d9a56ac6c5d48fb0
Build:54194

Steps

• create a data view

• create a rule with above data view
• perform bulk index pattern update operations
• add any index pattern ( make sure given index pattern have data inside it , you add logs-* )
• Bulk index add operation with 'Apply changes to rules configured with data views' checkbox

• Bulk index add operation succeed and now index pattern logs-* and data view of first step both will show
• Now delete that data view and go back to rule details
• Rule fails even though we have index pattern logs-* exists and data present in it

Screen-Cast

Rules.-.Kibana.Mozilla.Firefox.2022-07-11.11-29-51.mp4

Rule Failure
Check for indices to search failed Error: Saved object [index-pattern/773e65b4-d074-4be5-834a-18890c8660f5] not found name: "Rule With Data View" id: "f624c250-00dd-11ed-bec2-cfedf9beef5b" rule id: "7723aafa-6870-49ee-89e3-21bf642b6c7e" execution id: "68ad362c-52b0-43d9-a4c8-b8c4833c5dce" space ID: "default

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[MadameSheema]

@dhurley14 @yctercero looks like after the bulk update the rule is set with both, data views and index patterns what is wrong.

[MadameSheema]

@dhurley14 @yctercero with latest main (e348f74) I was able to do the following:

1. Create a rule with a data view
2. On rules page select the rule
3. With bulk actions add an index pattern WITHOUT selecting any of the current options
4. Click on Save

I ended up with a rule with both, Index patterns and Data View

[dhurley14]

@MadameSheema I can update this to only display the data view id 👍 would that work?

[MadameSheema]

@karanbirsingh-qasource please validate this one on BC2, thanks 😊

[ghost]

Hi @MadameSheema

we have validated this issue of bulk delete index delete on rule created with data view with 2 index pattern and issue is occuring.

Build Details:

Version:8.4.0 BC2
Commit:9e9e0d6a685cbc2858a85a357f93dcb76259fdee
Build:55166

Screen-Cast:

Rules.-.Kibana.Mozilla.Firefox.2022-08-08.13-30-54.mp4

[MadameSheema]

@dhurley14 @vitaliidm can you please take a look at the above? thanks!

[dhurley14]

The errors reported here #136081 (comment) and here #136081 (comment) seem to be resolved. I think this most recent error #136081 (comment) is expected behavior now, correct @vitaliidm ?

[vitaliidm]

we have validated this issue of bulk delete index delete on rule created with data view with 2 index pattern and issue is occuring.

Bulk edit delete for index patterns fix was merged yesterday: #137585

@dhurley14, I believe the current issue should be addressed in scope of #138383.
There are situations when rule can have both index patterns and dateViewId. Which leads to multiple issues.
Once, addresssed, it should resolve current issue as well.

[ghost]

Hi @dhurley14

we have validated this issue and is fixed as now outcome of add index operation on rule with data view got changed and hence issue is fixed ✔️

Build Details:

Version:8.4.0 BC3
Commit:e42c547d7ab545472fd978383c2c43fa203a5b06

Screen-Cast:

• Now on adding the index in rule with data view the rule got converted to only index patter not both index pattern + data view which removes the scenario of delete data and check rule status

ksingh.-.ec2-54-172-240-11.compute-1.amazonaws.com.-.Remote.Desktop.Connection.2022-08-11.10-50-25.mp4