investigationFields rule params breaking change #165987

Labels:
- bug: Fixes for quality problems that affect the customer experience
- Team:Detection Engine: Security Solution Detection Engine Area
- Team:Detections and Resp: Security Detection Response Team
- Team: SecuritySolution: Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
It looks like security detection rules added a new `investigationFields` param in #163235 as a string array and then changed the type in #164133 to an object. In this new serverless world, this is a breaking change and is a ZDT upgrade issue. We can see this show up as errors in serverless logs:
We believe these are detection rules created prior to the change in params schema that can no longer run because of the destructive schema change.

For ZDT, we only support additive changes to rule type params, so the appropriate mitigation would be to change `investigationParams` to support both a string array field and an object.

To recreate locally:
1. Set `xpack.task_manager.requeue_invalid_tasks.enabled: true` in your kibana config
2. Check out a772ab7fa8facdb92ad35408ae17f489bc5ca595 and create a detection rule
3. Check out main and see that the rule you created is now failing.
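The additive mitigation described in the issue, as an added example that is not Kibana's own code: a param validator that only knows the new object shape rejects rules saved under the old string-array schema, while an additive validator accepts both shapes and normalises the legacy one so existing rules keep running across a zero-downtime upgrade. The object layout `{ field_names: string[] }`, the function names and the sample rule params are assumptions made for this example; the issue itself only says the type changed from a string array to an object.

```typescript
// Added example (not Kibana's own code). Models the ZDT-safe fix proposed in
// the issue: a rule param first stored as string[] and later as an object.

// Legacy shape: what rules created before the schema change still carry.
type LegacyInvestigationFields = string[];

// New shape. The exact object layout is an assumption for this example.
interface InvestigationFieldsObject {
  field_names: string[];
}

function isStringArray(v: unknown): v is string[] {
  return Array.isArray(v) && v.every((x) => typeof x === 'string');
}

function isInvestigationFieldsObject(v: unknown): v is InvestigationFieldsObject {
  return (
    typeof v === 'object' &&
    v !== null &&
    !Array.isArray(v) &&
    isStringArray((v as { field_names?: unknown }).field_names)
  );
}

// Destructive validator: only the new shape is accepted. This is the
// behaviour the issue reports as breaking rules saved under the old schema.
function validateStrict(params: unknown): InvestigationFieldsObject {
  if (!isInvestigationFieldsObject(params)) {
    throw new Error('invalid investigationFields: expected { field_names: string[] }');
  }
  return params;
}

// Additive validator: accepts both shapes and normalises the legacy array
// into the new object, so old and new rules validate to the same type.
function validateAdditive(params: unknown): InvestigationFieldsObject {
  if (isInvestigationFieldsObject(params)) {
    return params;
  }
  if (isStringArray(params)) {
    return { field_names: params };
  }
  throw new Error('invalid investigationFields: expected string[] or { field_names: string[] }');
}

// Runs a rule's stored params through a validator and reports whether the
// rule could still execute, which is what an upgrade check would count.
function ruleCanRun(
  params: unknown,
  validator: (p: unknown) => InvestigationFieldsObject
): boolean {
  try {
    validator(params);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample params: one rule saved before the change, one after.
const legacyRuleParams: unknown = ['host.name', 'user.name'];
const newRuleParams: unknown = { field_names: ['host.name', 'user.name'] };

// A rule saved under the old schema fails the strict validator but passes
// the additive one; rules saved under the new schema pass both.
console.log('strict/legacy:', ruleCanRun(legacyRuleParams, validateStrict));
console.log('additive/legacy:', ruleCanRun(legacyRuleParams, validateAdditive));
console.log('strict/new:', ruleCanRun(newRuleParams, validateStrict));
```

The same `validateAdditive` shape is what an upgrade check would run over every stored rule before rolling out the new schema: any rule that fails it is one that would stop executing after the upgrade.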