opensearch-project / security-analytics

Security Analytics enables users to detect security threats in their security event log data. It also allows them to modify and tailor the pre-packaged solution.
Apache License 2.0

[BUG] Security Analytics Findings page breaks after deletion of active Custom Detection Rule in OpenSearch #1101

Open rafaelma opened 6 days ago

rafaelma commented 6 days ago

What is the bug?

Deleting a custom detection rule that has produced active findings and is part of an active detector results in a broken 'Security Analytics Findings' page within OpenSearch. Upon deletion of the rule, the Findings page fails to display any results and presents a blank area instead of the expected findings list.

How can one reproduce the bug?

Steps to reproduce the behavior:

  1. Create a custom detection rule within the OpenSearch Dashboard.
  2. Set up a detector and incorporate the created custom detection rule into its configuration.
  3. Activate the detector.
  4. Simulate conditions that would trigger the custom detection rule, thereby generating findings.
  5. Verify that findings are visible and that the links 'Security Analytics' -> 'Findings' and 'Security Analytics' -> 'Recent findings' -> 'View all findings' operate as intended.
  6. Delete the custom detection rule previously created.
  7. Attempt to access findings via the 'Security Analytics' -> 'Findings' and 'Security Analytics' -> 'Recent findings' -> 'View all findings' links.

What is the expected behavior?

Upon deletion of the custom detection rule, the 'Findings' page should continue to display existing findings, retaining functionality for the user to view and manage other findings.

Actual Result: After the rule deletion, the 'Findings' page becomes inaccessible. Instead of displaying a list of findings, the page shows a blank side, and it becomes impossible to view any findings within the system.

Workaround: In order to regain access to the 'Findings' page after encountering this issue, the user must delete the entire detector that included the deleted custom detection rule.

What is your host/environment?

Do you have any screenshots?

The main Security Analytics -> Overview page shows this under "Recent Findings". The findings from the deleted custom detection rule have empty values in the Rule name and Rule severity columns.

The Findings page is just an empty page.

Do you have any additional context?

This bug suggests there may be a lack of graceful handling of rule deletions with associated findings. The expected behavior would involve retaining the integrity of the Findings Page and handling the absence of deleted rules without disrupting the overall findings management functionality. It's critical to ensure that the UI appropriately reflects the system's state, even when components such as detection rules are removed.