Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security Solution] Bulk actions partially fail when several prebuilt and custom rules are selected together when under Platinum license #209888

Open
Tracked by #201502
pborgonovi opened this issue Feb 5, 2025 · 7 comments · Fixed by #209992
Open
Tracked by #201502

[Security Solution] Bulk actions partially fail when several prebuilt and custom rules are selected together when under Platinum license #209888

pborgonovi opened this issue Feb 5, 2025 · 7 comments · Fixed by #209992
Assignees
@xcrzx
Labels
8.18 candidate bug Fixes for quality problems that affect the customer experience Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area Feature:Rule Management Security Solution Detection Rule Management area fixed impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.18.0

Comments

@pborgonovi
Copy link
Contributor

pborgonovi commented Feb 5, 2025
edited
Loading

Description:

When performing bulk actions under Platinum license, such as adding tags or index patterns, on a mix of prebuilt and custom rules, the custom rules are updated successfully. However, the prebuilt rules fail to update, and an error message is displayed stating: “Elastic rule can’t be edited.” The error details indicate a partial failure of the bulk action.

Kibana/Elasticsearch Stack version:

8.18 BC1

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):

Security Rules Bulk Actions

Pre requisites:

  1. prebuiltRulesCustomizationEnabled feature flag is enabled
  2. Cloud deployment is available with Platinum license
  3. A high volume of prebuilt rules are available
  4. At least 1 custom rule is available

Steps to reproduce:

  1. Navigate to the Rules Management page in Kibana.
  2. Ensure the environment has high volume of prebuilt rules and at least 1 custom rule
  3. Select all rules using the checkbox.
  4. Click on “Bulk actions.”
  5. Select an action, such as adding tags or index patterns.
  6. Execute the action.

Current behavior:

  • The custom rules are updated successfully.
  • The prebuilt rules fail to update with the following error message: “Elastic rule can’t be edited.”

Expected behavior:

  • The custom rules are updated successfully.
  • The prebuilt rules should be skipped.

Evidences:

Platinum license with prebuiltRulesCustomizationEnabled enabled:

Screen.Recording.2025-02-05.at.11.27.53.AM.mov

Image

Enterprise license with prebuiltRulesCustomizationEnabled disabled:

Screen.Recording.2025-02-05.at.11.49.43.AM.mov
@pborgonovi pborgonovi added bug Fixes for quality problems that affect the customer experience Feature:Detection Rules Security Solution rules and Detection Engine impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team triage_needed labels Feb 5, 2025
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@pborgonovi pborgonovi changed the title [Security Solution] Bulk actions partially fail when several prebuilt and custom rules are selected together [Security Solution] Bulk actions partially fail when several prebuilt and custom rules are selected together when under Platinum license Feb 5, 2025
@banderror banderror added impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. 8.18 candidate v8.18.0 and removed triage_needed impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. labels Feb 6, 2025
@banderror banderror mentioned this issue Feb 6, 2025
Open
@banderror banderror assigned xcrzx and unassigned banderror Feb 6, 2025
@banderror banderror added Feature:Rule Management Security Solution Detection Rule Management area Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area and removed Feature:Detection Rules Security Solution rules and Detection Engine labels Feb 6, 2025
@banderror
Copy link
Contributor

Hey @xcrzx, this looks like a regression of the current behavior of the bulk editing API and/or UI. I think this is a blocker for release because we can expect users to frequently bulk edit a mixture of prebuilt and custom rules, and while the bug is not "dangerous" it looks a bit embarrassing. Let's prioritize fixing it together with https://github.com/elastic/security-team/issues/11502.

@banderror
Copy link
Contributor

@pborgonovi I'm wondering if it's also broken in main with the feature flag turned off. Could you please test?

@xcrzx xcrzx mentioned this issue Feb 6, 2025
Merged
@pborgonovi
Copy link
Contributor Author

@banderror
I've tested in main branch with feature flag disabled and it works just fine. Here's one example:

Screen.Recording.2025-02-06.at.10.19.24.AM.mov

xcrzx added a commit that referenced this issue Feb 12, 2025
@xcrzx
[Security Solution] Fix prebuilt rules exclusion on bulk edit (#209992)
376754a 
**Resolves: #209888

## Summary

Resolves an issue when prebuilt rules were not excluded from bulk
operations when the license tier is not sufficient to customize prebuilt
rules.

See the attached issue for reproduction steps.

**Before**


https://github.com/user-attachments/assets/0f791c4d-f98c-4b97-867d-d8da566eb3a3

**After**


https://github.com/user-attachments/assets/8ed2a1e4-d298-4173-95ca-565e0c280c21
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Feb 12, 2025
@xcrzx
[Security Solution] Fix prebuilt rules exclusion on bulk edit (elasti…
ea23feb 
…c#209992)

**Resolves: elastic#209888

## Summary

Resolves an issue when prebuilt rules were not excluded from bulk
operations when the license tier is not sufficient to customize prebuilt
rules.

See the attached issue for reproduction steps.

**Before**

https://github.com/user-attachments/assets/0f791c4d-f98c-4b97-867d-d8da566eb3a3

**After**

https://github.com/user-attachments/assets/8ed2a1e4-d298-4173-95ca-565e0c280c21
(cherry picked from commit 376754a)
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Feb 12, 2025
@xcrzx
[Security Solution] Fix prebuilt rules exclusion on bulk edit (elasti…
57d40ff 
…c#209992)

**Resolves: elastic#209888

## Summary

Resolves an issue when prebuilt rules were not excluded from bulk
operations when the license tier is not sufficient to customize prebuilt
rules.

See the attached issue for reproduction steps.

**Before**

https://github.com/user-attachments/assets/0f791c4d-f98c-4b97-867d-d8da566eb3a3

**After**

https://github.com/user-attachments/assets/8ed2a1e4-d298-4173-95ca-565e0c280c21
(cherry picked from commit 376754a)
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Feb 12, 2025
@xcrzx
[Security Solution] Fix prebuilt rules exclusion on bulk edit (elasti…
3fe1710 
…c#209992)

**Resolves: elastic#209888

## Summary

Resolves an issue when prebuilt rules were not excluded from bulk
operations when the license tier is not sufficient to customize prebuilt
rules.

See the attached issue for reproduction steps.

**Before**

https://github.com/user-attachments/assets/0f791c4d-f98c-4b97-867d-d8da566eb3a3

**After**

https://github.com/user-attachments/assets/8ed2a1e4-d298-4173-95ca-565e0c280c21
(cherry picked from commit 376754a)
@banderror
Copy link
Contributor

@pborgonovi The bug has been fixed in #209992 and backported to the 8.18 branch. Could you please validate?

@banderror banderror reopened this Feb 12, 2025
@pborgonovi pborgonovi reopened this Feb 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@xcrzx xcrzx

Labels
8.18 candidate bug Fixes for quality problems that affect the customer experience Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area Feature:Rule Management Security Solution Detection Rule Management area fixed impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.18.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Security Solution] Fix prebuilt rules exclusion on bulk edit xcrzx/kibana
4 participants
@xcrzx @banderror @elasticmachine @pborgonovi