elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution] Getting `[request params]: Invalid value "undefined" supplied to "id" (400)` for adding rule exception to Alert after importing rule. #190039

Open arvindersingh-qasource opened 3 months ago

arvindersingh-qasource commented 3 months ago

Describe the bug

Getting `[request params]: Invalid value "undefined" supplied to "id" (400)` for adding rule exception to Alert after importing rule.

Build Details

VERSION: 8.15.0
BUILD: 76360
COMMIT: 8aa0b59da12c996e3048d8875446667ee6e15c7f

Browser Details

This issue is occurring on all browsers.

Preconditions

  1. A Kibana build lower than v8.15 must be available.
  2. A few Rules and Alerts must be created on the build.
  3. Upgrade the build to the latest Kibana v8.15 build.

Steps to Reproduce

  1. Navigate to Security -> Rules -> Detection Rule (SIEM).
  2. Export the custom-created prerequisite rule.
  3. Delete the custom-created prerequisite rule.
  4. Import the custom-created prerequisite rule which was exported in step 2.
  5. Navigate to Security -> Alerts.
  6. Click on the ... option for the Alert respective to the prerequisite Alert.
  7. Select the Add rule exception option.
  8. Add an Exception Name and click on Add rule exception.
  9. Observe that there will be an error `[request params]: Invalid value "undefined" supplied to "id" (400)`.

Actual Result

Getting `[request params]: Invalid value "undefined" supplied to "id" (400)` for adding rule exception to Alert after importing rule.

Expected Result

There should be no error while adding Rule Exception.

What's Working

What's Not Working


elasticmachine commented 3 months ago

Pinging @elastic/security-solution (Team: SecuritySolution)

arvindersingh-qasource commented 3 months ago

@karanbirsingh-qasource Please review this ticket.

Thanks.

MadameSheema commented 3 months ago

@arvindersingh-qasource is this happening just for imported rules? You exported the rule after the upgrade was done, correct? Can you please also provide the output of one of the exported rules? Thanks! :)

elasticmachine commented 3 months ago

Pinging @elastic/security-detections-response (Team:Detections and Resp)

elasticmachine commented 3 months ago

Pinging @elastic/security-detection-engine (Team:Detection Engine)

arvindersingh-qasource commented 3 months ago

Hi @MadameSheema

> is this happening just for imported rules?

Yes, for the imported ones (using the export file from 8.15 only)

Observation for Existing Rule (ones which are created on 8.12)

Observation for new rule created after upgrade (ones which are created on BC6)

> You exported the rule after the upgrade was done, correct?

Yes, after the build got upgraded from 8.12, we exported all the rules on 8.15, then deleted those same rules and imported them back.

> Can you please also provide the output of one of the exported rules?

Yes, here is the exported copy of the rules, which consists of 3 rules.

Please let us know if anything else is required from our end.

Thanks.