
[Known Issue] Prebuilt rule upgrade diff shows unrelated properties #4614

Closed
nikitaindik opened this issue Jan 16, 2024 · 1 comment

nikitaindik commented Jan 16, 2024

Description

Related issue: elastic/kibana#174844
PR with the fix: elastic/kibana#174789

There's a bug in the JSON diff view that's shown in the "Upgrade" tab of the prebuilt rule flyout. In certain situations some technical or irrelevant properties might be displayed there. It can be confusing for our users.

What the user might see (in the worst scenario)
[Screenshot: Schermafbeelding 2024-01-16 om 13 50 00]

What the user should see
[Screenshot: Schermafbeelding 2024-01-16 om 13 50 36]

Below is a somewhat detailed description of what's wrong. Feel free to condense it to a couple of sentences if it makes sense. The first two points are important; the others are more of "if you see some unrelated info, just ignore it".

Situations:

  1. Most important. Let's say a user has defined actions or an exception list for an installed prebuilt rule, and there's an upgrade available for this rule. Then, if the user opens the "Diff" tab, it'll show actions, response_actions or exceptions_list as if an upgrade will remove them. It's not correct - actions and the exception list will be retained.
  2. Most important. The "Enabled" property of the rule will not be affected by the incoming rule update.
  3. If a user has enabled a prebuilt rule and executed it at least once, then the "Diff" tab would show execution_summary property as removed. Irrelevant to the user.
  4. If a user went into the "edit" page for an installed prebuilt rule and "saved" the changes (even if there were no actual changes), he will see these properties in the diff: timestamp_override_fallback_disabled, meta and filters. Also the from property would be displayed as if the value was converted from seconds to hours or minutes. These changes are also irrelevant and confusing.
  5. Also, the updated_at timestamp in the "Update" half of the diff has a generated value and doesn't represent anything.
  6. output_index and note properties might have value equal to an empty string. Irrelevant for the user.

Area/Engineering team

Detections & Response - Rule Management team

Which documentation set does this known issue impact?

ESS and serverless

Affected versions

v8.12.0 and current Serverless

Fix version

  • ESS v8.12.1 scheduled for Jan 30th
  • Serverless, next release on Jan 22nd

Workaround

No response
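As an added example (not code from this issue, the linked PR, or Kibana itself), here is a small TypeScript pre-diff normalisation step that drops the properties the issue lists as retained on upgrade, runtime state, editor side effects or generated values, treats an empty output_index or note as absent, and normalises the from date-math value so that a seconds-to-hours rewrite does not surface as a change. The property names come from the issue text; the rule objects, the date-math unit table, and the function names are constructed assumptions.

```typescript
// Added example, not Kibana's own diff code. Property names are the ones the
// issue above lists; the rule objects below are constructed sample input.

type Rule = { [key: string]: unknown };

// Properties that should never appear in an upgrade diff: the first group is
// retained on upgrade, the rest are runtime state, editor side effects or
// generated values (all as listed in the issue).
const IGNORED_PROPERTIES: string[] = [
  'actions', 'response_actions', 'exceptions_list',
  'enabled',
  'execution_summary',
  'timestamp_override_fallback_disabled', 'meta', 'filters',
  'updated_at',
];

// Properties the issue says may carry a meaningless empty string.
const EMPTY_MEANS_ABSENT: string[] = ['output_index', 'note'];

// Assumption: `from` uses date math of the form "now-<n><unit>". Parsing it to
// seconds makes "now-3600s" and "now-1h" compare equal.
function durationToSeconds(value: unknown): number | null {
  if (typeof value !== 'string') return null;
  const match = /^now-(\d+)([smhd])$/.exec(value);
  if (match === null) return null;
  const unitSeconds: { [unit: string]: number } = { s: 1, m: 60, h: 3600, d: 86400 };
  return Number(match[1]) * unitSeconds[match[2]];
}

// Produce the view of a rule that a user-facing diff should compare.
function normalizeRule(rule: Rule): Rule {
  const normalized: Rule = {};
  for (const key of Object.keys(rule)) {
    const value = rule[key];
    if (IGNORED_PROPERTIES.indexOf(key) !== -1) continue;
    if (EMPTY_MEANS_ABSENT.indexOf(key) !== -1 && value === '') continue;
    if (key === 'from') {
      const seconds = durationToSeconds(value);
      normalized[key] = seconds === null ? value : `now-${seconds}s`;
      continue;
    }
    normalized[key] = value;
  }
  return normalized;
}

interface PropertyChange { property: string; before: unknown; after: unknown; }

// Diff two rules property by property after normalisation; returns only the
// properties whose JSON-serialised value differs, sorted by name.
function diffRules(current: Rule, incoming: Rule): PropertyChange[] {
  const before = normalizeRule(current);
  const after = normalizeRule(incoming);
  const keys = Object.keys(before)
    .concat(Object.keys(after).filter((k) => !(k in before)))
    .sort();
  const changes: PropertyChange[] = [];
  for (const key of keys) {
    if (JSON.stringify(before[key]) !== JSON.stringify(after[key])) {
      changes.push({ property: key, before: before[key], after: after[key] });
    }
  }
  return changes;
}

// Constructed sample: an installed prebuilt rule the user enabled, ran once,
// gave an action and an exception list, and re-saved from the edit page ...
const installedRule: Rule = {
  name: 'Suspicious Process', version: 1, from: 'now-3600s', enabled: true,
  query: 'process.name: "foo"', severity: 'low',
  actions: [{ id: 'webhook-1' }], exceptions_list: [{ id: 'list-1' }],
  execution_summary: { last_execution: { status: 'succeeded' } },
  timestamp_override_fallback_disabled: false, meta: {}, filters: [],
  updated_at: '2024-01-16T12:00:00Z', output_index: '', note: '',
};
// ... and the incoming prebuilt update for it (constructed).
const incomingRule: Rule = {
  name: 'Suspicious Process', version: 2, from: 'now-1h',
  query: 'process.name: ("foo" or "bar")', severity: 'medium',
  updated_at: '2024-01-16T12:50:00Z',
};

// Only query, severity and version remain in the diff; actions, the exception
// list, execution state and the seconds-vs-hours `from` rewrite are gone.
function upgradeDiff(): PropertyChange[] {
  return diffRules(installedRule, incomingRule);
}

console.log(JSON.stringify(upgradeDiff(), null, 2));
```

The ignore list is deliberately a flat allow/deny step applied before diffing rather than a filter on the diff output: normalising both sides first is what keeps a value-only rewrite such as "now-3600s" versus "now-1h" from ever being seen as a change.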

@joepeeples

Closing this issue; we documented the known issue in 8.12.0 release notes: #4469.
