elastic/kibana

[Security Solution] Inconsistent Behavior When Saving Additional Look-Back Time

Open

#206494 opened on Jan 13, 2025

View on GitHub
 (8 comments) (0 reactions) (0 assignees)TypeScript (19,065 stars) (8,021 forks)batch import
Feature:Rule CreationFeature:Rule EditTeam: SecuritySolutionTeam:Detection EngineTeam:Detection Rule ManagementTeam:Detections and Respbugeffort:lowgood first issueimpact:lowvalue:low

Description

Epic: https://github.com/elastic/kibana/issues/179907 Related to: https://github.com/elastic/kibana/pull/204317, https://github.com/elastic/kibana/issues/223446

Summary

Description:

When updating the Additional look-back time field in a prebuilt rule’s schedule settings, the system exhibits inconsistent behavior when saving the value depending on whether the input can be fully converted to minutes. Same behavior is observed when creating/editing a custom rule.

Kibana/Elasticsearch Stack version:

VERSION: 9.0.0 BUILD: 82496 COMMIT: a90a9fc92a469656ba16ad54bd36b2375b386137

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):

Prebuilt Rules

Pre requisites:

  1. prebuiltRulesCustomizationEnabled flag is enabled
  2. Prebuilt rules are available

Steps to reproduce:

  1. Open a prebuilt rule where the Schedule interval is set to “Runs every 5 minutes” and Additional look-back time is set to “4 minutes”.
  2. Update the Runs every 5 minutes interval to:
  • 300 seconds → Save works correctly, and the value is displayed as “300 seconds”.
  • Any other valid time format (e.g. 10 minutes, 20 seconds, etc.) → Save works correctly, and the value is displayed as entered.
  1. Update the Additional look-back time to:
  • A value that cannot be fully converted to minutes (e.g. 350 seconds) → Save works correctly, but the value is saved and displayed as seconds.
  • A value that can be fully converted to minutes (e.g. 360 seconds, which equals 6 minutes) → Save works, but the system automatically converts and displays the value in minutes instead of seconds.

Current behavior:

  • If the Additional look-back time cannot be fully converted to minutes, it is saved and displayed as seconds.
  • If the Additional look-back time can be fully converted to minutes, the system converts it and displays it as minutes, even if it was initially saved as seconds.

Expected behavior:

  • The Additional look-back time should always be saved and displayed in the exact format entered by the user (seconds, minutes, or hours) without automatic conversion.
  • Consistency should be maintained in how time values are displayed, ensuring that users see the format they selected during rule editing.

Screenshots

https://github.com/user-attachments/assets/23227b9c-759c-429e-a707-43563a969520

https://github.com/user-attachments/assets/b7658fcb-f724-4cab-9aa6-b99c861d06f8

https://github.com/user-attachments/assets/78378ba2-9bce-49ca-8e79-149735cd07ff

Contributor guide

Tech stack
typescriptreactnodejs
Domain
full stacksecurity
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
fresh
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
TypeScriptReactKibana security solution basics
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
40
Research direction
Investigate the prebuilt rules schedule settings UI component. Look for the Additional look back time input field and its conversion logic, likely in x pack/plugins/security solution/public/detections/components/rules/schedule/. Review related PRs (https://github.com/elastic/kibana/pull/204317) and the epic (#179907) to understand expected behavior. The fix should preserve the user's input format without automatic conversion.