[Defend Workflows]Newly Added Defend Integration Policy RAV Settings is Disabled Instead of Syncing with Malware Protection Level

[sukhwindersingh-qasource]

Describe the bug:

• Newly Added Defend Integration Policy RAV Settings is Disabled Instead of Syncing with Malware Protection Level

Build Details:

VERSION: 8.16.0
BUILD: 77679
COMMIT: 6b091fe3b410eaae9d4805c0a3c0ea6168bf66b0

Login Credentials https://p.elstc.co/paste/lDrf5NTS#u-zff3/Cj2T9laJWLsTIOlSzVViJHTB8zIJ8TWKNkV5

Preconditions

• Kibana should be running.
• Policy should be present under fleet tab.

Steps to Reproduce

• Navigate to the policy details tab
• Click on Add Integration
• Select Elastic Defend Integration
• Click on Add Elastic Defend
• Click on Install Elastic Agent
• Install the desired elastic agent (Linux, Mac, Windows) on your Endpoint
• Wait for the Agent to be installed.
• Now click on Add the integration
• Click on confirm incoming data
• Click on view assets
• Click on Integration policies section and scroll down
• Observe that the Newly Added Defend Integration Policy RAV Settings is Disabled Instead of Syncing with Malware Protection Level

Actual result

• Newly Added Defend Integration Policy RAV Settings is Disabled Instead of Syncing with Malware Protection Level

Expected Result

• When a Defend integration is added via the Install Agent process, the newly created policy's RAV settings should automatically sync with the malware protection level, rather than being disabled by default

Whats working

• It is working fine when we add policy after installing agent

Additional Information

• Also we observed that all the toggle are off and recommended settings are only for OS event Collections

Screen-cast

https://github.com/user-attachments/assets/c8c9c7f8-ffb0-41f5-aecc-f7e91d175dda

Logs

• N/A

AC

• [ ] Register as AV is set to sync as default value. Same as when creating a Defend integration policy.
• [ ] Protections are still disabled (no changes on the current behaviour).

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

[sukhwindersingh-qasource]

@muskangulati-qasource Kindly review this

Thanks!

[muskangulati-qasource]

Reviewed and assigned to @dasansol92

[dasansol92]

Thanks for sharing this @sukhwindersingh-qasource About the disabled protections by default:

Also we observed that all the toggle are off and recommended settings are only for OS event Collections

is this also happening in older versions of Kibana like 8.14?

Thanks!

[sukhwindersingh-qasource]

Hi @dasansol92 ,

We have observed the same behavior is present on the 8.14.0 as well

Screen Cast :

https://github.com/user-attachments/assets/9821a7f8-6ddd-41d0-9f26-4cdab07e4e6b

Please Let us Know if anything else is required from our end.

Thanks!