elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution] [Detection Engine] System Action is duplicated when using bulk actions to add rule actions #191512

Open pborgonovi opened 2 weeks ago

pborgonovi commented 2 weeks ago

Describe the bug: System Action is duplicated when using bulk actions to add rule actions

Kibana/Elasticsearch Stack version: 8.16 SNAPSHOT

Server OS version:

Browser and Browser OS versions:

Elastic Endpoint version:

Original install method (e.g. download page, yum, from source, etc.):

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):

Pre conditions:

  1. Have more than 1 rule
  2. Have at least 1 rule configured with System Action

Steps to reproduce:

  1. Bulk actions to add rule actions
  2. Select Case option
  3. Add the system action
  4. Validate the rules actions

Current behavior: System Action is duplicated when using bulk actions to add rule actions

Expected behavior: System Action should not be duplicated

Screenshots (if relevant):

https://github.com/user-attachments/assets/1267500c-40c7-45e6-ae61-393d3ea11a05

Errors in browser console (if relevant):

Provide logs and/or server output (if relevant):

Any additional context (logs, chat logs, magical formulas, etc.):

elasticmachine commented 2 weeks ago

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine commented 2 weeks ago

Pinging @elastic/security-detection-engine (Team:Detection Engine)

dhurley14 commented 2 weeks ago

It seems that similar behavior can be replicated with other connectors. Also, I believe in your video you highlight a possible use case where one case connector is set to close after 1 day, and the second connector is set to close after 7 days. Seems to be a feature, not a bug since other connector types display this behavior. I was able to replicate this with the slack connector too. Might be worth opening a more general issue to determine if this functionality is intentional or if we want to change it. I will close this one out though.

pborgonovi commented 1 week ago

Hi @dhurley14 Thanks for the analysis.

Yes, it works for other connectors indeed. Actually, when creating or editing a rule the user is allowed to add multiple instances of other connectors, like Slack. However, there's a requirement in the epic that explicitly says the user should not be allowed to add more than 1 instance of the same system action.

Image

When creating or editing a rule, the behavior matches this condition once the Case connector gets disabled when an instance has already been added.

Image

I believe the behavior should be consistent within the application and while adding it via bulk actions this action should be blocked as well.

Maybe we should have @approksiu input here?

pborgonovi commented 1 week ago

@dhurley14

Regarding the closing days, I've retested bulk actions with the same closing day already existing in both rules (1 day), and the system action was added as a duplicate.

dhurley14 commented 1 week ago

Oh, thank you for pointing out that line from response ops. Seems like we will need to change the bulk add actions functionality in the rules management page. I will reopen this issue so we can track that.

dhurley14 commented 1 week ago

My initial feeling is to exempt the cases action from the bulk add action feature on the rules management page. That would be the most straightforward. But it also might be confusing to customers as to why we would disallow bulk adding the cases action. I'm wondering what the reasoning was for limiting the cases action to one per rule. @cnasikas could you provide some background on that decision? This would help us determine how to move forward. Thanks!

cnasikas commented 1 week ago

Hey @dhurley14 @pborgonovi! Indeed we do not allow having more than one system action on a rule. The reason is performance. We do not want heavy system actions to run multiple times per rule. Also, users cannot configure system actions to run differently per alert status (recovered, etc.) and they always run for an alert summarization. Having two system actions with the same running execution behavior may create issues. For example, two case actions trying to create the same case and attach the same alerts to that case. Our alerting client should throw an error. Do you use the alerting client to update the rule's actions? If yes we may have a bug in our code.
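
As an added illustration (not code from Kibana or from anyone in this thread), the following TypeScript sketches the rule the discussion converges on: ordinary connectors such as Slack may be added any number of times through bulk actions, but a system action is skipped on any rule that already carries one, and a final invariant check rejects a rule that would end up with more than one system action, which is the error cnasikas says the alerting client should raise. The `RuleAction` and `Rule` shapes, the `.cases` action type id, the `SYSTEM_ACTION_TYPES` set and the sample rules are assumptions for this example, not Kibana's actual schema or data.

```typescript
// Added illustration only. The RuleAction/Rule shapes, the ".cases" type id and
// SYSTEM_ACTION_TYPES are assumptions, not Kibana's real rule or actions schema.
interface RuleAction {
  id: string;           // connector or system action instance id
  actionTypeId: string; // e.g. ".slack", ".cases"
  params: Record<string, unknown>;
}

interface Rule {
  id: string;
  name: string;
  actions: RuleAction[];
}

// Assumption: the action types that count as "system actions", which the
// thread says must not appear more than once on a single rule.
const SYSTEM_ACTION_TYPES: ReadonlySet<string> = new Set([".cases"]);

function isSystemAction(action: RuleAction): boolean {
  return SYSTEM_ACTION_TYPES.has(action.actionTypeId);
}

class DuplicateSystemActionError extends Error {
  constructor(ruleId: string) {
    super(`rule ${ruleId} would carry more than one system action`);
    this.name = "DuplicateSystemActionError";
  }
}

// Invariant check modelled on the behaviour described for the alerting client:
// a rule whose action list holds more than one system action is rejected.
function assertAtMostOneSystemAction(ruleId: string, actions: RuleAction[]): void {
  const count = actions.filter(isSystemAction).length;
  if (count > 1) throw new DuplicateSystemActionError(ruleId);
}

interface BulkAddResult {
  rules: Rule[];
  skipped: Array<{ ruleId: string; action: RuleAction }>;
}

// Bulk "add rule actions": regular connectors are appended as many times as
// requested (multiple Slack instances are allowed per the thread), while a
// system action is skipped on any rule that already has one, so the duplicated
// System Action from the bug report cannot be produced by this path.
function bulkAddActions(rules: Rule[], toAdd: RuleAction[]): BulkAddResult {
  const skipped: BulkAddResult["skipped"] = [];
  const updated = rules.map((rule) => {
    const actions = [...rule.actions];
    for (const candidate of toAdd) {
      if (isSystemAction(candidate) && actions.some(isSystemAction)) {
        skipped.push({ ruleId: rule.id, action: candidate });
        continue;
      }
      actions.push(candidate);
    }
    assertAtMostOneSystemAction(rule.id, actions); // defence in depth
    return { ...rule, actions };
  });
  return { rules: updated, skipped };
}

// Constructed sample: rule-1 already has a Cases system action, rule-2 has none.
const SAMPLE_RULES: Rule[] = [
  {
    id: "rule-1",
    name: "Suspicious login",
    actions: [{ id: "cases-1", actionTypeId: ".cases", params: { timeWindow: "1d" } }],
  },
  { id: "rule-2", name: "New admin user", actions: [] },
];

// Constructed bulk request: one Cases system action plus one Slack connector.
const SAMPLE_TO_ADD: RuleAction[] = [
  { id: "cases-1", actionTypeId: ".cases", params: { timeWindow: "1d" } },
  { id: "slack-1", actionTypeId: ".slack", params: { message: "{{rule.name}} fired" } },
];

function runSample(): BulkAddResult {
  return bulkAddActions(SAMPLE_RULES, SAMPLE_TO_ADD);
}
```

Run against the constructed sample, rule-1 (which already has a Cases action) receives only the Slack action and the skipped Cases action is reported back to the caller, while rule-2 receives both; the skipped list is what a bulk-actions UI could surface instead of silently dropping or silently duplicating the system action.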

elasticmachine commented 1 week ago

Pinging @elastic/security-detections-response (Team:Detections and Resp)