elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Fleet]: On auto creation of "Security solution" tag, the "[Elastic Security] Detection rule monitoring" saved object gets removed from the custom named tag. #163385

Open harshitgupta-qasource opened 1 year ago

harshitgupta-qasource commented 1 year ago

Kibana Build details:

VERSION: 8.10.0 SNAPSHOT
BUILD: 65668
COMMIT: 872f011e77aa6b58272193cddd467e26fb516159

Host OS and Browser version: All, All

Preconditions:

  1. 8.10 SNAPSHOT Kibana cloud environment should be available.
  2. Agent should be installed.
  3. Elastic Defend integration should be added to agent policy.

Steps to reproduce:

  1. Select the Stack Management tab from the menu.
  2. Open the Tags tab.
  3. Create a new custom tag and assign [Elastic Security] Detection rule monitoring saved object.
  4. Navigate to the Endpoints tab.
  5. Again, open the Tags tab from Stack management.
  6. Observe that on auto-creation of the "Security solution" tag, the "[Elastic Security] Detection rule monitoring" saved object gets removed from the custom named tag.

Expected:

After adding the default "Security solution" tag, the "[Elastic Security] Detection rule monitoring" saved object should not get removed from the custom named tag.

Screencast:

https://github.com/elastic/kibana/assets/101545338/a05ba18b-5ba3-4fe8-8853-5d250b9bfe72

elasticmachine commented 1 year ago

Pinging @elastic/fleet (Team:Fleet)

harshitgupta-qasource commented 1 year ago

@amolnater-qasource Kindly review

amolnater-qasource commented 1 year ago

Secondary review for this ticket is Done

jlind23 commented 1 year ago

@criamico could this be related to the recent changes you did on the security tags?

criamico commented 1 year ago

@jlind23 I'm not sure, the ticket describes one behavior but the video is showing another.

Just to clarify, my changes allow adding tags directly from Fleet UI when the integration has specified tags inside the kibana/tag.yml file; if those tags are not present, the functionality remains as it was prior to 8.10 (only creates "Managed" and package name based tags). So, manually creating or deleting a tag from the Tags page is not impacted by my changes, nor is installing a regular integration that doesn't have tags specified in kibana/tag.yml.

jlind23 commented 1 year ago

@harshitgupta-qasource Could you please try it out also with 8.9 in order to see if this is a newly introduced bug?

harshitgupta-qasource commented 1 year ago

Hi @jlind23

Thanks for looking into this issue.

We have re-validated this issue on 8.9.1 Kibana released build and found it also reproducible there.

Observations:

Screen-cast:

https://github.com/elastic/kibana/assets/101545338/70fb7d4a-0c1e-4a8a-9c18-510e3083b7f6

Build details: VERSION: 8.9.1 BUILD: 64802 COMMIT: 6c664aeb22673e6eb42348ea50b5a098509f7deb

Please let us know if anything else is required from our end.

Thanks!

jlind23 commented 1 year ago

Thank you @harshitgupta-qasource

criamico commented 1 year ago

@jlind23 isn't that page owned by one of the security teams? As the bug was already present in 8.9, I think we should let them know.

jlind23 commented 1 year ago

@smith @weltenwort am I correct when I say that your team is owning the stack management part? If yes, then I believe this is probably a bug that belongs to your area, right?

smith commented 1 year ago

@jlind23 I think you may be thinking of Stack Monitoring not Stack Management. From looking at the code where the tag management page lives I think it's @elastic/appex-sharedux .

jlind23 commented 1 year ago

Thanks @smith and sorry for the ping then. @elastic/appex-sharedux shall I transfer this to you?