[Security Solution] is_customized Flag is Set to True When Reverting Changes to Prebuilt Rules #203151
Comments
pborgonovi
added
bug
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management) |
|
@pborgonovi Very interesting! Thank you for catching this one 👍 @dplumlee Could you please look into this? I'm not sure if it's the same as #201631 and #202575 or a different one. |
|
This is happening because the original vs Technically this means the diff algorithm is correctly marking it as modified but I do agree this is weird from the UI point of view, especially since you can't just add back a new line character from the rule edit form. I think there's an easy way to solve this that wouldn't be too invasive with the existing diff algorithm where we "trim" the strings before comparison. So any whitespace before or after non-whitespace characters wouldn't be included in the comparison but any whitespace characters in the query itself would still be diffed upon. For instance: and would show as equal to one another. But and would be unequal. Just so formatting is still addressed in the algorithms. To address what I think would be the obvious follow-up question of why not remove all whitespace characters, we could probably do that as well, I'm just not sure if that would start to interfere with the queries themselves (do we have whitespace characters in the query for substantive reasons) and what it would take to write a regex against those cases. Plus, if we do end up adding the logic for multi-line query diffs, it might conflict with that. @banderror @xcrzx @jpdjere any thoughts on this approach? |
|
Trimming strings before comparing them seems fine to me, but removing newlines within a multiline string is more problematic. We'd need to ensure that the newlines don't carry any semantic meaning, or handle escaped newlines, etc. There could be edge cases we're not aware of. So, I lean towards the simpler approach of trimming only the start and end of a string. Also, a multiline merge wouldn’t work if we were to remove newlines. |
|
@banderror this would be done either in the diff algorithm itself or the normalization we do for fields prior to the diff algorithm |
@dplumlee I think this is the right option. I think diff algorithms should have a single responsibility. Also, probably out of the scope of this issue, but something we could consider in the future. Maybe some normalization like trimming strings etc should be done even before that - every time we create or update a rule in Elasticsearch. |
++ It's a common practice embedding some simple data normalization in request schemaa, like using |
|
Hey @banderror @dplumlee @xcrzx I just tested changing data source and related integrations fields values and observed that: Reverting data source value causes the rule to return to its non-customized state: Screen.Recording.2024-12-06.at.9.30.00.AM.movReverting related integrations causes the rule to be kept as customized: Screen.Recording.2024-12-06.at.9.31.41.AM.movWould it also have same newline character root cause? Interesting thing is that, as 203011 and 202613, this issue happens ONLY if the rule has an available update. Check this: There is no update available: reverting query value sets is_customized=false Screen.Recording.2024-12-06.at.9.44.05.AM.mp4There is available update: reverting query value keeps is_customized=true Screen.Recording.2024-12-06.at.9.53.40.AM.mov |
|
@pborgonovi it looks like the version field is different ( |
|
@dplumlee thanks for noticing! That's the situation with related integrations. When reverted version to 8.2.0 the rule is set back to non-customized correctly. So let's just consider my last observation from previous comment:
|
|
@pborgonovi the original issue for this bug should be fixed by #203482, the missing base version I would consider it's own error at this point |
… algorithm comparison (elastic#203482) ## Summary Fixes elastic#203151 Adds a normalization for the `kql_query`, `eql_query`, and `esql_query` fields that trims the whitespace from the beginning and end of query strings for a more robust comparison in the diff algorithms. Since whitespace before or after the query string is purely a formatting choice and doesn't impact the query itself, we discard the excess whitespace characters before the direct string comparison. ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed (cherry picked from commit 0294838)
|
Retested with latest changes and fix looks good. Screen.Recording.2024-12-13.at.9.03.22.AM.mov |
Describe the bug:
If a user adds a new value to a previously empty field, saves the rule, and then removes the value to return it to its original state, the rule correctly reverts to is_customized: false. However, if a user modifies an existing value and then reverts the change, the rule remains marked as “Customized.”
Kibana/Elasticsearch Stack version:
8.x
Functional Area (e.g. Endpoint management, timelines, resolver, etc.):
Prebuilt Rules
Pre requisites:
prebuiltRulesCustomizationEnabledFeature Flag is enabledSteps to reproduce:
Current behavior:
Scenario 1: When modifying and reverting an existing value:
The rule remains marked as Customized, even though the change is undone, and the rule matches its original state.
Scenario 2: When adding and removing a new value:
The rule is correctly reverted to not Customized (is_customized: false) after the value is removed.
Expected behavior:
In both scenarios, when a user undoes all changes to a prebuilt rule, the rule should return to its original state and be marked as not Customized (is_customized: false).
Screenshots (if relevant):
Modifying an existing value:
Screen.Recording.2024-12-05.at.9.05.26.AM.mov
Adding new value:
Screen.Recording.2024-12-05.at.9.07.53.AM.mov
The text was updated successfully, but these errors were encountered: