elastic · dplumlee · Apr 3, 2026 · Mar 25, 2026 · Mar 25, 2026 · Mar 25, 2026
@@ -35,7 +35,6 @@ export interface PrebuiltRulesStatusStats {
   /** Total number of prebuilt rules available in package (including already installed) */
   num_prebuilt_rules_total_in_package: number;
 
-  // In the future we could add more stats such as:
-  // - number of installed prebuilt rules which were deprecated
-  // - number of installed prebuilt rules which are not compatible with the current version of Kibana
+  /** Number of deprecated prebuilt rules in the current package */
+  num_prebuilt_rules_deprecated: number;
 }
@@ -25,3 +25,4 @@ export * from './model/diff/three_way_diff/three_way_merge_outcome';
 export * from './common/prebuilt_rules_filter';
 export * from './revert_prebuilt_rule/revert_prebuilt_rule_route';
 export * from './get_prebuilt_rule_base_version/get_prebuilt_rule_base_version_route';
+export * from './review_rule_deprecation/review_rule_deprecation_route';
@@ -0,0 +1,39 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { z } from '@kbn/zod/v4';
+
+/**
+ * Max number of deprecated rules returned per request. Conservative limit
+ * to protect against unexpected package size.
+ */
+export const MAX_DEPRECATED_RULES_TO_RETURN = 200;
+
+export type ReviewRuleDeprecationRequestBody = z.infer<typeof ReviewRuleDeprecationRequestBody>;
+export const ReviewRuleDeprecationRequestBody = z
+  .object({
+    /**
+     * Optional list of saved-object IDs to filter by.
+     * Uses SO IDs instead of rule_ids to avoid ambiguity from duplicate rule_ids.
+     */
+    ids: z.array(z.string()).optional(),
+  })
+  .nullable();
+
+export interface DeprecatedRuleForReview {
+  /** Installed rule saved object ID */
+  id: string;
+  /** Rule signature ID */
+  rule_id: string;
+  /** Installed rule name */
+  name: string;
+  deprecated_reason?: string;
+}
+
+export interface ReviewRuleDeprecationResponseBody {
+  rules: DeprecatedRuleForReview[];
+}
@@ -24,3 +24,4 @@ export const PERFORM_RULE_UPGRADE_URL = `${BASE_URL}/upgrade/_perform` as const;
 export const REVIEW_RULE_INSTALLATION_URL = `${BASE_URL}/installation/_review` as const;
 export const PERFORM_RULE_INSTALLATION_URL = `${BASE_URL}/installation/_perform` as const;
 export const REVERT_PREBUILT_RULES_URL = `${BASE_URL}/revert` as const;
+export const REVIEW_RULE_DEPRECATION_URL = `${BASE_URL}/deprecation/_review` as const;
@@ -251,6 +251,12 @@ export const allowedExperimentalValues = Object.freeze({
    * Uses entity store v2 for entity analytics skill
    */
   entityAnalyticsEntityStoreV2: false,
+
+  /**
+   * Enables the deprecated prebuilt rules UI
+   * Release: 9.4
+   */
+  prebuiltRulesDeprecationUIEnabled: false,
 });
 
 type ExperimentalConfigKeys = Array<keyof ExperimentalFeatures>;

@@ -0,0 +1,53 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { renderHook } from '@testing-library/react';
+import { useTimedDismissal } from './use_timed_dismissal';
+
+const STORAGE_KEY = 'test.dismissal';
+
+describe('useTimedDismissal', () => {
+  let getItemSpy: jest.SpyInstance;
+
+  beforeEach(() => {
+    localStorage.clear();
+    getItemSpy = jest.spyOn(Storage.prototype, 'getItem');
+    jest.useFakeTimers();
+  });
+
+  afterEach(() => {
+    jest.useRealTimers();
+    jest.restoreAllMocks();
+  });
+
+  it('returns not dismissed when nothing is in localStorage', () => {
+    const { result } = renderHook(() => useTimedDismissal(STORAGE_KEY));
+
+    expect(result.current[0]).toBe(false);
+    expect(getItemSpy).toHaveBeenCalledWith(STORAGE_KEY);
+  });
+
+  it('returns dismissed when the dismissal has not expired', () => {
+    const oneHourMs = 60 * 60 * 1000;
+    const fiftyMinutesAgo = Date.now() - 50 * 60 * 1000;
+    localStorage.setItem(STORAGE_KEY, String(fiftyMinutesAgo));
+
+    const { result } = renderHook(() => useTimedDismissal(STORAGE_KEY, oneHourMs));
+
+    expect(result.current[0]).toBe(true);
+  });
+
+  it('returns not dismissed when the dismissal has expired', () => {
+    const oneHourMs = 60 * 60 * 1000;
+    const twoHoursAgo = Date.now() - 2 * oneHourMs;
+    localStorage.setItem(STORAGE_KEY, String(twoHoursAgo));
+
+    const { result } = renderHook(() => useTimedDismissal(STORAGE_KEY, oneHourMs));
+
+    expect(result.current[0]).toBe(false);
+  });
+});
@@ -0,0 +1,47 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { useCallback, useState } from 'react';
+
+const SEVEN_DAYS_MS = 7 * 24 * 60 * 60 * 1000;
+
+/**
+ * Hook that provides a dismissal state persisted to localStorage with an
+ * automatic reappearance after a configurable duration. Use for callouts
+ * or other components that need to reappear after a set amount of time.
+ *
+ * @param storageKey - Unique localStorage key for this dismissal
+ * @param reappearAfterMs - Duration in ms before the dismissal expires (default: 7 days)
+ * @returns A tuple of [isDismissed, dismiss]
+ */
+export const useTimedDismissal = (
+  storageKey: string,
+  reappearAfterMs: number = SEVEN_DAYS_MS
+): [boolean, () => void] => {
+  const [isDismissed, setIsDismissed] = useState(() => {
+    try {
+      const dismissedAt = localStorage.getItem(storageKey);
+      if (!dismissedAt) {
+        return false;
+      }
+      return Date.now() - Number(dismissedAt) < reappearAfterMs;
+    } catch {
+      return false;
+    }
+  });
+
+  const dismiss = useCallback(() => {
+    try {
+      localStorage.setItem(storageKey, String(Date.now()));
+    } catch {
+      // localStorage may be unavailable (e.g. private browsing quota exceeded)
+    }
+    setIsDismissed(true);
+  }, [storageKey]);
+
+  return [isDismissed, dismiss];
+};
@@ -157,6 +157,7 @@ import { useLegacyUrlRedirect } from './use_redirect_legacy_url';
 import { RuleDetailTabs, useRuleDetailsTabs } from './use_rule_details_tabs';
 import { useIsExperimentalFeatureEnabled } from '../../../../common/hooks/use_experimental_features';
 import { useRuleUpdateCallout } from '../../../rule_management/hooks/use_rule_update_callout';
+import { useDeprecatedRuleDetailsCallout } from '../../../rule_management/components/rule_deprecation';
 import { useUserPrivileges } from '../../../../common/components/user_privileges';
 import { CpsMlRuleCallout } from '../../../rule_management_ui/components/cps_ml_rule_callout/callout';
 import { useAlertsPrivileges } from '../../../../detections/containers/detection_engine/alerts/use_alerts_privileges';
@@ -600,6 +601,12 @@ export const RuleDetailsPage = connector(
       confirmRuleDuplication,
     } = useBulkDuplicateExceptionsConfirmation();
 
+    const deprecationCallout = useDeprecatedRuleDetailsCallout({
+      rule,
+      confirmDeletion,
+      showBulkDuplicateExceptionsConfirmation: showBulkDuplicateConfirmation,
+    });
+
     const {
       isManualRuleRunConfirmationVisible,
       showManualRuleRunConfirmation,
@@ -650,6 +657,7 @@ export const RuleDetailsPage = connector(
         <MissingDetectionsPrivilegesCallOut />
         {isMlRule(rule?.type) && <CpsMlRuleCallout />}
         {upgradeCallout}
+        {deprecationCallout}
         {isBulkDuplicateConfirmationVisible && (
           <BulkActionDuplicateExceptionsConfirmation
             onCancel={cancelRuleDuplication}

@@ -23,6 +23,8 @@ import type {
   PerformRuleInstallationResponseBody,
   PerformRuleUpgradeRequestBody,
   PerformRuleUpgradeResponseBody,
+  ReviewRuleDeprecationRequestBody,
+  ReviewRuleDeprecationResponseBody,
   RevertPrebuiltRulesRequest,
   RevertPrebuiltRulesResponseBody,
   ReviewRuleInstallationRequestBody,
@@ -38,6 +40,7 @@ import {
   PERFORM_RULE_UPGRADE_URL,
   PREBUILT_RULES_STATUS_URL,
   REVERT_PREBUILT_RULES_URL,
+  REVIEW_RULE_DEPRECATION_URL,
   REVIEW_RULE_INSTALLATION_URL,
   REVIEW_RULE_UPGRADE_URL,
 } from '../../../../common/api/detection_engine/prebuilt_rules';
@@ -672,6 +675,27 @@ export const getPrebuiltRulesStatus = async ({
     }
   );
 
+/**
+ * Review deprecated prebuilt rules
+ *
+ * @param signal AbortSignal for cancelling request
+ *
+ * @throws An error if response is not OK
+ */
+export const reviewRuleDeprecation = async ({
+  signal,
+  request,
+}: {
+  signal: AbortSignal | undefined;
+  request: ReviewRuleDeprecationRequestBody;
+}): Promise<ReviewRuleDeprecationResponseBody> =>
+  KibanaServices.get().http.fetch<ReviewRuleDeprecationResponseBody>(REVIEW_RULE_DEPRECATION_URL, {
+    method: 'POST',
+    version: '1',
+    signal,
+    body: JSON.stringify(request),
+  });
+
 /**
  * Review prebuilt rules upgrade
  *

@@ -15,6 +15,7 @@ import { useInvalidateFetchPrebuiltRulesStatusQuery } from './use_fetch_prebuilt
 import { useInvalidateFetchPrebuiltRulesUpgradeReviewQuery } from './use_fetch_prebuilt_rules_upgrade_review_query';
 import { useInvalidateFindRulesQuery } from '../use_find_rules_query';
 import { useInvalidateFetchPrebuiltRuleBaseVersionQuery } from './use_fetch_prebuilt_rule_base_version_query';
+import { useInvalidateFetchPrebuiltRulesDeprecationReviewQuery } from './use_fetch_prebuilt_rules_deprecation_review_query';
 
 export const BOOTSTRAP_PREBUILT_RULES_KEY = ['POST', BOOTSTRAP_PREBUILT_RULES_URL];
 
@@ -26,6 +27,8 @@ export const useBootstrapPrebuiltRulesMutation = (
   const invalidatePrebuiltRulesUpdateReview = useInvalidateFetchPrebuiltRulesUpgradeReviewQuery();
   const invalidateFindRulesQuery = useInvalidateFindRulesQuery();
   const invalidateFetchPrebuiltRuleBaseVerison = useInvalidateFetchPrebuiltRuleBaseVersionQuery();
+  const invalidateFetchPrebuiltRulesDeprecationReview =
+    useInvalidateFetchPrebuiltRulesDeprecationReviewQuery();
 
   return useMutation(() => bootstrapPrebuiltRules(), {
     ...options,
@@ -45,6 +48,7 @@ export const useBootstrapPrebuiltRulesMutation = (
         invalidatePrebuiltRulesInstallReview();
         invalidatePrebuiltRulesUpdateReview();
         invalidateFetchPrebuiltRuleBaseVerison();
+        invalidateFetchPrebuiltRulesDeprecationReview();
       }
 
       const hasRuleUpdates =

@@ -0,0 +1,45 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { useCallback } from 'react';
+import type { UseQueryOptions } from '@kbn/react-query';
+import { useQuery, useQueryClient } from '@kbn/react-query';
+import { reviewRuleDeprecation } from '../../api';
+import { REVIEW_RULE_DEPRECATION_URL } from '../../../../../../common/api/detection_engine/prebuilt_rules/urls';
+import type {
+  ReviewRuleDeprecationRequestBody,
+  ReviewRuleDeprecationResponseBody,
+} from '../../../../../../common/api/detection_engine/prebuilt_rules';
+import { DEFAULT_QUERY_OPTIONS } from '../constants';
+
+export const REVIEW_RULE_DEPRECATION_QUERY_KEY = ['POST', REVIEW_RULE_DEPRECATION_URL];
+
+export const useFetchPrebuiltRulesDeprecationReviewQuery = (
+  request: ReviewRuleDeprecationRequestBody,
+  options?: UseQueryOptions<ReviewRuleDeprecationResponseBody>
+) => {
+  return useQuery<ReviewRuleDeprecationResponseBody>(
+    [...REVIEW_RULE_DEPRECATION_QUERY_KEY, request],
+    async ({ signal }) => {
+      const response = await reviewRuleDeprecation({ signal, request });
+      return response;
+    },
+    {
+      ...DEFAULT_QUERY_OPTIONS,
+      ...options,
+    }
+  );
+};
+
+export const useInvalidateFetchPrebuiltRulesDeprecationReviewQuery = () => {
+  const queryClient = useQueryClient();
+
+  return useCallback(() => {
+    queryClient.invalidateQueries(REVIEW_RULE_DEPRECATION_QUERY_KEY, {
+      refetchType: 'active',
+    });
+  }, [queryClient]);
+};
@@ -16,6 +16,7 @@ import { useInvalidateFindRulesQuery } from '../use_find_rules_query';
 import { retryOnRateLimitedError } from './retry_on_rate_limited_error';
 import { useInvalidateFetchPrebuiltRulesInstallReviewQuery } from './use_fetch_prebuilt_rules_install_review_query';
 import { useInvalidateFetchPrebuiltRulesStatusQuery } from './use_fetch_prebuilt_rules_status_query';
+import { useInvalidateFetchPrebuiltRulesDeprecationReviewQuery } from './use_fetch_prebuilt_rules_deprecation_review_query';
 import { cappedExponentialBackoff } from './capped_exponential_backoff';
 
 export const PERFORM_ALL_RULES_INSTALLATION_KEY = [
@@ -34,6 +35,8 @@ export const usePerformAllRulesInstallMutation = (
     useInvalidateFetchPrebuiltRulesInstallReviewQuery();
   const invalidateRuleStatus = useInvalidateFetchPrebuiltRulesStatusQuery();
   const invalidateFetchCoverageOverviewQuery = useInvalidateFetchCoverageOverviewQuery();
+  const invalidateFetchPrebuiltRulesDeprecationReview =
+    useInvalidateFetchPrebuiltRulesDeprecationReviewQuery();
 
   return useMutation<PerformRuleInstallationResponseBody>(() => performInstallAllRules(), {
     ...options,
@@ -46,6 +49,7 @@ export const usePerformAllRulesInstallMutation = (
       invalidateFetchPrebuiltRulesInstallReview();
       invalidateRuleStatus();
       invalidateFetchCoverageOverviewQuery();
+      invalidateFetchPrebuiltRulesDeprecationReview();
 
       if (options?.onSettled) {
         options.onSettled(...args);

@@ -21,6 +21,7 @@ import { useInvalidateFindRulesQuery } from '../use_find_rules_query';
 import { retryOnRateLimitedError } from './retry_on_rate_limited_error';
 import { useInvalidateFetchPrebuiltRulesInstallReviewQuery } from './use_fetch_prebuilt_rules_install_review_query';
 import { useInvalidateFetchPrebuiltRulesStatusQuery } from './use_fetch_prebuilt_rules_status_query';
+import { useInvalidateFetchPrebuiltRulesDeprecationReviewQuery } from './use_fetch_prebuilt_rules_deprecation_review_query';
 import { cappedExponentialBackoff } from './capped_exponential_backoff';
 
 export const PERFORM_SPECIFIC_RULES_INSTALLATION_KEY = [
@@ -49,6 +50,8 @@ export const usePerformSpecificRulesInstallMutation = (
     useInvalidateFetchPrebuiltRulesInstallReviewQuery();
   const invalidateRuleStatus = useInvalidateFetchPrebuiltRulesStatusQuery();
   const invalidateFetchCoverageOverviewQuery = useInvalidateFetchCoverageOverviewQuery();
+  const invalidateFetchPrebuiltRulesDeprecationReview =
+    useInvalidateFetchPrebuiltRulesDeprecationReviewQuery();
   const { mutateAsync } = useBulkActionMutation();
 
   return useMutation<
@@ -70,6 +73,7 @@ export const usePerformSpecificRulesInstallMutation = (
         invalidateFetchPrebuiltRulesInstallReview();
         invalidateRuleStatus();
         invalidateFetchCoverageOverviewQuery();
+        invalidateFetchPrebuiltRulesDeprecationReview();
 
         const [response, , { enable }] = args;
 

@@ -23,6 +23,7 @@ import { useInvalidateFetchPrebuiltRulesUpgradeReviewQuery } from './prebuilt_ru
 import { useInvalidateFetchPrebuiltRulesInstallReviewQuery } from './prebuilt_rules/use_fetch_prebuilt_rules_install_review_query';
 import { useInvalidateFetchCoverageOverviewQuery } from './use_fetch_coverage_overview_query';
 import { useInvalidateFetchPrebuiltRuleBaseVersionQuery } from './prebuilt_rules/use_fetch_prebuilt_rule_base_version_query';
+import { useInvalidateFetchPrebuiltRulesDeprecationReviewQuery } from './prebuilt_rules/use_fetch_prebuilt_rules_deprecation_review_query';
 
 export const BULK_ACTION_MUTATION_KEY = ['POST', DETECTION_ENGINE_RULES_BULK_ACTION];
 
@@ -43,6 +44,8 @@ export const useBulkActionMutation = (
     useInvalidateFetchPrebuiltRulesUpgradeReviewQuery();
   const invalidateFetchCoverageOverviewQuery = useInvalidateFetchCoverageOverviewQuery();
   const invalidateFetchPrebuiltRuleBaseVerison = useInvalidateFetchPrebuiltRuleBaseVersionQuery();
+  const invalidateFetchPrebuiltRulesDeprecationReview =
+    useInvalidateFetchPrebuiltRulesDeprecationReviewQuery();
   const updateRulesCache = useUpdateRulesCache();
 
   return useMutation<
@@ -87,6 +90,7 @@ export const useBulkActionMutation = (
           invalidateFetchPrebuiltRulesUpgradeReviewQuery();
           invalidateFetchCoverageOverviewQuery();
           invalidateFetchPrebuiltRuleBaseVerison();
+          invalidateFetchPrebuiltRulesDeprecationReview();
           break;
         case BulkActionTypeEnum.duplicate:
           invalidateFindRulesQuery();