[Security Solution][Detections] Rule context.results_link can become stale with no clear way to update #92344
Comments
spong
added
bug
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
MadameSheema
added
the
impact:medium
peluja1012
added
the
Team:Detection Rule Management
|
I have this issue. |
peluja1012
added
Team:Detection Alerts
yctercero
added
Team:Detection Engine
|
I have this issue |
|
@banderror was this field addressed as part of the prebuilt rule customization effort? Wondering if it is now exposed? |
|
@yctercero I don't think we've touched the |
|
Hi @yctercero and @banderror We haven't done any changes to this field, it can still be updated by our PATCH and PUT endpoints. Also, it has been left out of the upgrade workflow: the field is not part of the APIs to upgrade a rule - during upgrade it will be always be forcefully "updated" to whatever the current value for the field is. |
|
Thanks @jpdjere ! What would be the effort to surface it in the UI? It seems to be an issue a number of users hit. cc @approksiu |
|
@yctercero I don't think it's possible to give a good answer to the question "What would be the effort to surface it in the UI?" without first discussing it with the product/UX team in order to understand what we'd like to have in that UI. |
It's been reported that the
context.results_linkwithin Rule Actions can become stale and there is no clear or documented way for users to update it, resulting in broken links within actions.The
context.results_linkfield is stored in{meta: {kibana_siem_app_url: "url}}on individual rules, and is only updated when a rule is edited. This field is not exposed to the user in the UI, and so it is not clear that this action will update theresults_linkfield.This is especially problematic for a deployment changing domains, as the only way via the UI to ensure all their rules are using the updated
results_linkis to manually edit each rule. Alternatively, this could be automated via the API or performed as a bulk find/replace by exporting, editing, and re-importing all the rules.The text was updated successfully, but these errors were encountered: