Open maximpn opened 15 hours ago
Pinging @elastic/security-solution (Team: SecuritySolution)
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)
Summary

The query bar for editing a KQL/Lucene query allows managing query filters. Some prebuilt rules have such filters. Saving the query bar with filters leads to extra fields like
alias: null
appearing.

Steps to reproduce:

1. Set up the environment
   - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled
   - Allow internal APIs by adding `server.restrictInternalApis: false` to `kibana.dev.yaml`
   - Clear Elasticsearch data
   - Run Elasticsearch and Kibana locally (do not open Kibana in a web browser)
   - Install an outdated version of the `security_detection_engine` Fleet package
   - Install prebuilt rules
2. Open a `threat_match` rule for editing. For example `Threat Intel Hash Indicator Match` with rule_id `aab184d3-72b3-4639-b242-6597c99d8bca`.

`Threat Intel Hash Indicator Match` rule in rule update preview flyout

Expected behavior: There is NO diff in query filters
Actual behavior: There is a diff in query filters
Screenshots (if relevant):
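As an added illustration (not code from this issue or from Kibana), the TypeScript below shows why a filter that picks up `alias: null` on save compares unequal to the prebuilt rule's original filter under strict deep equality, and how normalizing null-valued keys before diffing removes that spurious difference. The two filter objects are constructed samples, and the helpers `deepEqual`, `normalizeFilter` and `filtersDiffer` are hypothetical names for this example, not Kibana APIs.

```typescript
// Added example, not Kibana code. Demonstrates the false-positive diff
// described in the issue: a filter round-tripped through the query bar
// gains `meta.alias: null`, and a strict structural comparison reports it
// as a change even though the filter's meaning is unchanged.

type Json = null | boolean | number | string | Json[] | { [key: string]: Json };

function isObject(v: Json): v is { [key: string]: Json } {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Constructed sample: a filter as stored on a prebuilt rule.
const prebuiltFilter: Json = {
  meta: {
    negate: false,
    disabled: false,
    type: 'phrase',
    key: 'event.category',
    params: { query: 'file' },
  },
  query: { match_phrase: { 'event.category': 'file' } },
};

// Constructed sample: the same filter after being saved from the query bar,
// which (per the issue) adds `alias: null` into `meta`.
const savedFilter: Json = {
  meta: {
    negate: false,
    disabled: false,
    type: 'phrase',
    key: 'event.category',
    params: { query: 'file' },
    alias: null,
  },
  query: { match_phrase: { 'event.category': 'file' } },
};

// Strict structural equality: key sets must match exactly, so an added
// `alias: null` counts as a difference.
function deepEqual(a: Json, b: Json): boolean {
  if (a === b) return true;
  if (Array.isArray(a) && Array.isArray(b)) {
    return a.length === b.length && a.every((v, i) => deepEqual(v, b[i]));
  }
  if (isObject(a) && isObject(b)) {
    const ka = Object.keys(a).sort();
    const kb = Object.keys(b).sort();
    if (ka.length !== kb.length || ka.some((k, i) => k !== kb[i])) return false;
    return ka.every((k) => deepEqual(a[k], b[k]));
  }
  return false;
}

// Drop object keys whose value is null, recursively, so a filter carrying
// `alias: null` becomes structurally identical to one where `alias` is absent.
function normalizeFilter(value: Json): Json {
  if (Array.isArray(value)) return value.map(normalizeFilter);
  if (isObject(value)) {
    const out: { [key: string]: Json } = {};
    for (const [k, v] of Object.entries(value)) {
      if (v === null) continue;
      out[k] = normalizeFilter(v);
    }
    return out;
  }
  return value;
}

// Compare two filters either strictly or after normalization.
function filtersDiffer(a: Json, b: Json, normalize: boolean): boolean {
  return normalize
    ? !deepEqual(normalizeFilter(a), normalizeFilter(b))
    : !deepEqual(a, b);
}

// Strict comparison flags the saved filter as changed; normalized does not.
console.log('strict diff:', filtersDiffer(prebuiltFilter, savedFilter, false));
console.log('normalized diff:', filtersDiffer(prebuiltFilter, savedFilter, true));
```

Dropping every null-valued key is a broad normalization chosen to keep the example short; a narrower rule that ignores only the specific keys the query bar injects (here `meta.alias`) would avoid masking a genuinely meaningful null elsewhere in a filter. The fix actually applied in Kibana is not shown on this page.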