[Security Solution] Auto-merge ignores incoming rule changes for rule query fields #202185
Comments
xcrzx
added
8.18 candidate
bug
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management) |
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
xcrzx
added
the
impact:high
banderror
changed the title
|
This ticket was discussed at out product meeting and it was decided to make the following in Milestone 3 scope
Solution for Milestone 4 would require more elaborated approach. Rule query diff algorithm should be changed to merge rule query changes made by users with update from Elastic. In general case it might be really tricky when changes are made to the same lines. It'd require producing AST Trees and merging them together. We should start with a simpler option merging changes made to different lines. Though result query may be invalid. We can run query validation to make sure the result query is valid. In case the algorithm is unable to merge or the result query is incorrect it should fallback to the current value. As a potential pitfall such changes may cause performance degradation. It should be verified such changes won't reduce |
Summary
When rule customization is enabled, during a rule upgrade, incoming changes to a field are ignored if the same field has been modified in the current version.
Steps to Reproduce
Expected Result
The merge algorithm should respect incoming changes for the rule field. The proposed version should include both local and remote changes. For example:
There’s no actual conflict, as different lines were touched. Both edits should be preset in the final version:
Actual Result
The change introduced by Elastic is missing in the final version:
The text was updated successfully, but these errors were encountered: