[Security Solution] Incorrect “my changes” statement displayed in update flyout for fields with no final column changes #206666

Closed
Tracked by #201502
pborgonovi opened this issue Jan 14, 2025 · 8 comments
Assignees
Labels
8.18 candidate bug Fixes for quality problems that affect the customer experience Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.18.0

Comments

@pborgonovi
Contributor

Description:

In the Rule Update Flyout, the diff view shows different options based on the type of changes applied to the field:

  • My changes: Displays what the user has changed in their installed rule and the Final Update section (this should only be shown if the user made changes in the flyout’s Final column after opening it).
  • Update from Elastic: Displays the changes provided by Elastic in the latest update for the field.

Diff view tooltip:

Image

However, in this case, when opening the flyout for a rule where previous changes were made directly to the query field in the installed rule (before opening the flyout), the field is automatically shown in edit mode, and the diff view incorrectly displays the statement:
“My changes - view what you have changed in your installed rule and in the Final update section”
This is inaccurate because no changes have been made in the Final column during this session.

Kibana/Elasticsearch Stack version:

VERSION: 9.0.0
BUILD: 82604
COMMIT: 6ec7c37

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):

Rules Update

Prerequisites:

  1. prebuiltRulesCustomizationEnabled flag is enabled
  2. Prebuilt rules are available
  3. Rules updates are available
  4. At least one rule has updates for Query field

Steps to reproduce:

  1. Modify the Query field of an installed prebuilt rule directly (without using the update flyout).
  2. Open the Update Flyout for the rule.
  3. Observe the Query field’s state and the displayed diff options.

Current behavior:

The diff view incorrectly displays “My changes - view what you have changed in your installed rule and in the Final update section”, even though no changes were applied in the Final column of the flyout.

Expected behavior:

Since no changes were applied in the Final column during the current session, the diff view should display:
“My original changes - view what you have changed in your installed rule. Doesn’t include changes made in the Final update section.”

Screenshots:

Screen.Recording.2025-01-14.at.10.58.46.AM.mov
@pborgonovi pborgonovi added bug Fixes for quality problems that affect the customer experience Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team triage_needed labels Jan 14, 2025
@elasticmachine
Contributor

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@banderror banderror added 8.18 candidate v8.18.0 impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. and removed triage_needed impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. labels Jan 17, 2025
@banderror banderror assigned nikitaindik and unassigned banderror Jan 17, 2025
@banderror
Contributor

banderror commented Jan 17, 2025

@pborgonovi The diff is correct:

  • It shows the user's customization made to a rule field, if there is one.
  • Additionally, if the user edits this field in the Rule Upgrade flyout, it will reflect this change too.

Perhaps we could come up with a better copy/explanation text. Here's the ticket for UI copy review: elastic/security-docs#6238. Feel free to suggest a better copy for this specific issue there, or contribute any other UI copy suggestions.

@nikitaindik Please help answer any further questions that Paula might have about this issue.

If there are no further questions, let's close the ticket.

@nikitaindik
Contributor

The purpose of "My changes" is to display any user-made changes, whether they were made via the rule editing page / API or in the upgrade flyout.

@pborgonovi, do you think this needs to be clarified further with improved wording?

@pborgonovi
Contributor Author

Hey @nikitaindik I see there is some difference between the UI and the implementation:

My screenshot:

Image

UI ticket:

Image

But my biggest concern in this case was that I haven't applied any change in the Update Flyout - this rule had only the customizations previously made. When I open the update flyout, the "My changes" statement mentions "what you changed in your installed rule and in the Final update section". I was wondering if it shouldn't be "Original changes" instead. Is that clear?

@nikitaindik
Contributor

@pborgonovi Thanks for the explanation! It makes sense to me now.

I think it's indeed an issue with wording. Perhaps we could reword the description for My changes to something like "view what you have changed in your installed rule or in the Final update section".

I'd say let's wait until the docs folks review all UI copy (ticket). Maybe they'll come up with something clearer. I'm going to mention this comment in the docs ticket, so that they can take a look.

I believe we can close this issue now, since there's probably going to be another issue to improve UI copy once the Docs review UI text.

@pborgonovi
Contributor Author

Thanks @nikitaindik
I agree with closing this for now. I'll keep an eye on it once the UI improvement is implemented.

@pborgonovi pborgonovi closed this as not planned Won't fix, can't repro, duplicate, stale Jan 21, 2025
4 participants