[Security Solution] Warning is shown for updated Prebuilt rule with filter containing "AND" or "OR" condition #203615
Open
Description
Follow-up to: #178908
Summary
When updating a Prebuilt rule which has a filter with an `AND` or `OR` condition (a "combined" filter), the Rule Update Flyout displays a Warning in the "Custom query" field.
Steps to reproduce
- Launch a clean Kibana + ES environment.
- Create some valid indices with source events. Locally, one easy way to do this is the resolver_generator script, which generates fake endpoint events (events generated by Endpoint Security aka Elastic Defend):
  `node x-pack/plugins/security_solution/scripts/endpoint/resolver_generator.js --node http://elastic:changeme@127.0.0.1:9200 --kibana http://elastic:changeme@0.0.0.0:5601/kbn --numHosts=5 --numDocs=2`
- Install at least one prebuilt rule, e.g. "Malware - Detected - Elastic Endgame".
- Using the Kibana API, create an earlier version of the rule, adding a filter containing an "AND" condition (see the curl command below).
- A new tab "Rule Updates" will appear on the Rules page. Click it.
- Click the updated rule.
- Expand the "KQL query" tab. In the "Filters" section there is no Warning.
- Click the "Edit" button. The filters displayed in the "Custom query" field show a Warning. See the screenshot and recording below.
Expected behavior: there should be no Warning in the "Custom query" field.
Screenshots
Screen.Recording.2024-12-10.at.13.58.34.mov
More details
Curl command to trigger the rule update (the `Authorization` header is the Base64 encoding of `elastic:changeme`):

```bash
curl --location --request PATCH 'http://localhost:5601/kbn/api/detection_engine/rules' \
  --header 'kbn-xsrf: 123' \
  --header 'Content-Type: application/json' \
  --header 'elastic-api-version: 2023-10-31' \
  --header 'Authorization: Basic ZWxhc3RpYzpjaGFuZ2VtZQ==' \
  --data '{
    "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de",
    "version": 102,
    "tags": [
      "test"
    ],
    "filters": [
      {
        "$state": {
          "store": "appState"
        },
        "meta": {
          "type": "combined",
          "relation": "AND",
          "params": [
            {
              "query": {
                "match_phrase": {
                  "host.name": "Host-1rt0y8ynu8"
                }
              },
              "meta": {
                "negate": false,
                "index": "logs-*",
                "key": "host.name",
                "field": "host.name",
                "params": {
                  "query": "Host-1rt0y8ynu8"
                },
                "type": "phrase",
                "disabled": false,
                "alias": null
              }
            },
            {
              "meta": {
                "negate": false,
                "index": "logs-*",
                "key": "host.os.family",
                "field": "host.os.family",
                "params": {
                  "query": "windows"
                },
                "type": "phrase",
                "disabled": false,
                "alias": null
              },
              "query": {
                "match_phrase": {
                  "host.os.family": "windows"
                }
              }
            }
          ],
          "index": "logs-*",
          "disabled": false,
          "negate": false,
          "alias": null
        },
        "query": {}
      }
    ]
  }'
```
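The combined-filter payload above can be built programmatically, which makes it easy to try the `OR` variant and nested combinations as well. The following Python script is an added example for this issue, not code from Kibana or from the reporter: it constructs the same `phrase` and `combined` filter shapes used in the curl command, translates a combined filter into a plain Elasticsearch `bool` query (`AND` to `filter`, `OR` to `should` with `minimum_should_match: 1`, `negate` to `must_not`) so the condition can be checked against the index directly, and only sends the PATCH when run as a script. The Kibana base path, rule_id, credentials and index pattern are taken from the curl command and are assumptions about the local environment.

```python
"""Build the combined-filter PATCH payload from the issue and translate the
filter into an Elasticsearch bool query. Added example; not Kibana code."""
import base64
import json
import urllib.request

# Assumed local environment, matching the curl command in the issue.
KIBANA = "http://localhost:5601/kbn"
RULE_ID = "0a97b20f-4144-49ea-be32-b540ecc445de"
INDEX = "logs-*"


def phrase_filter(field, value, index=INDEX, negate=False):
    """A Kibana 'phrase' filter, the shape of each entry in meta.params."""
    return {
        "meta": {"negate": negate, "index": index, "key": field, "field": field,
                 "params": {"query": value}, "type": "phrase",
                 "disabled": False, "alias": None},
        "query": {"match_phrase": {field: value}},
    }


def combined_filter(relation, params, index=INDEX, negate=False):
    """A Kibana 'combined' filter; meta.relation is 'AND' or 'OR' and
    meta.params holds the sub-filters (phrase or nested combined)."""
    if relation not in ("AND", "OR"):
        raise ValueError(f"unsupported relation: {relation}")
    return {
        "$state": {"store": "appState"},
        "meta": {"type": "combined", "relation": relation, "params": params,
                 "index": index, "disabled": False, "negate": negate,
                 "alias": None},
        "query": {},
    }


def to_bool_query(flt):
    """Translate a Kibana filter (phrase or combined, possibly nested) into an
    ES bool query so the same condition can be verified with _count/_search."""
    meta = flt.get("meta", {})
    if meta.get("disabled"):
        return {"match_all": {}}
    if meta.get("type") == "combined":
        clauses = [to_bool_query(p) for p in meta["params"]]
        if meta["relation"] == "AND":
            q = {"bool": {"filter": clauses}}
        else:
            q = {"bool": {"should": clauses, "minimum_should_match": 1}}
    else:
        q = flt["query"]
    if meta.get("negate"):
        q = {"bool": {"must_not": [q]}}
    return q


def build_patch(version, filters, tags=("test",)):
    """Body for PATCH /api/detection_engine/rules, as in the curl command."""
    return {"rule_id": RULE_ID, "version": version, "tags": list(tags),
            "filters": filters}


def patch_rule(payload, user="elastic", password="changeme"):
    """Send the PATCH; only invoked under __main__ so the module runs offline."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{KIBANA}/api/detection_engine/rules", method="PATCH",
        data=json.dumps(payload).encode(),
        headers={"kbn-xsrf": "123", "Content-Type": "application/json",
                 "elastic-api-version": "2023-10-31",
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    flt = combined_filter("AND", [phrase_filter("host.name", "Host-1rt0y8ynu8"),
                                  phrase_filter("host.os.family", "windows")])
    print(json.dumps(build_patch(102, [flt]), indent=2))
    print(json.dumps(to_bool_query(flt), indent=2))
    # Uncomment to actually trigger the rule update against a local Kibana:
    # print(patch_rule(build_patch(102, [flt])))
```

Swapping `"AND"` for `"OR"` in the `combined_filter` call reproduces the second variant mentioned in the title; the translated bool query is what you would run against `logs-*` to confirm the filter itself matches the generated events, independent of how the Rule Update Flyout renders it.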
Labels: Security Solution; Prebuilt Detection Rules area; Security Solutions Team (working on SIEM, Endpoint, Timeline, Resolver, etc.); Security Detection Rule Management Team; Security Detection Response Team; Fixes for quality problems that affect the customer experience; Addressing this issue will have a medium level of impact on the quality/strength of our product.