[Security Solution] Add threshold, machine_learning_job_id and anomaly_threshold editable fields

[nikitaindik]

Partially addresses: #171520

Summary

Changes in this PR:

• threshold and machine_learning_job_id, anomaly_threshold are now editable in the Rule Upgrade flyout

Testing

• Ensure the prebuiltRulesCustomizationEnabled feature flag is enabled.
• To simulate the availability of prebuilt rule upgrades, downgrade a currently installed prebuilt rule using the PATCH api/detection_engine/rules API.
  • Set version: 1 in the request body to downgrade it to version 1.
  • Modify other rule fields in the request body as needed to test the changes.

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

[nikitaindik]

@xcrzx I've addressed the feedback. Feel free to take another look!

[xcrzx]

Thanks for the fixes! I did another round of review, and the validation regression spotted earlier has been resolved.

[rylnd]

Excellent work here, @nikitaindik !

I first verified that the existing create/update rule flows work as expected, since those were modified here as well. Things look good there, besides a potential bug with threshold fields (showing more fields than we should); I'm going to ping @vitaliidm since he has more familiarity with threshold rules and that area was more significantly modified. ML rules changes look good, though.

There might be some cleanup around the forms here, now; I had one comment about whether empty schema definitions were required. Have you discussed this style of refactor with @sebelga at all? He may have thoughts on how best to factor/place things as we shift more toward this "field-first" approach to our forms.

I was also able to validate that the missing validations that @xcrzx referenced are now there, at least for the ML fields that I was exercising.

One small UX note: on the upgrade page it's not obvious that clicking the rule's name will bring up the "review" flow; I was expecting there to be a "review" button instead of (or in addition to) the disabled "upgrade rule" button.

All minor things in the broader context, here, so approving in the meantime. Hopefully @vitaliidm can confirm the threshold changes before this is merged.

[rylnd]

Curious if

 - ${euiThemeVars.euiSizeL} - ${euiThemeVars.euiSizeL} 

is preferred over

 - (${euiThemeVars.euiSizeL} * 2)

? And if so, why?

[nikitaindik]

euiThemeVars.euiSizeL is actually a string with px at the end. 24px in this case, so I can't multiply it.

[rylnd]

Magic number? Should we be referencing a theme variable instead?

[nikitaindik]

We need 20px here to make the button flush with the dropdown. euiSizeM is 16px, euiSizeL is 24px.

But now as you pointed this out, I think the margin should live outside of this component since it's related to an external thing.

[rylnd]

Using indexPattern.fields instead of the filtered aggFields means we're now showing non-aggregatable fields in the threshold field select, right?

[nikitaindik]

That's a great catch, Ryland! I somehow missed it.

[nikitaindik]

Pushed the fix

[nikitaindik]

@rylnd

One small UX note: on the upgrade page it's not obvious that clicking the rule's name will bring up the "review" flow; I was expecting there to be a "review" button instead of (or in addition to) the disabled "upgrade rule" button.

Will add to this to feedback to share this with Kseniia and Alex.

[vitaliidm]

@rylnd

Things look good there, besides a potential bug with threshold fields (showing more fields than we should); I'm going to ping @vitaliidm since he has more familiarity with threshold rules and that area was more significantly modified

can you give me more details on this one?

Meanwhile I tested PR a bit (did not review code, since Ryland already did this)

1. UI has changed. Width of threshold elements in particularly. Number inputs become very narrow, even on a wide screen.
   Was this changed approved? Or side effect of refactoring?

old UI

new UI

2. As side effect of UI change, error message looks very crumbled and >= is not aligned in a middle of input components anymore. but gets dragged lower

new UI

old UI

[nikitaindik]

Hey, everyone! Thanks for reviewing and testing. There's still a minor issue with form element sizing that need to be addressed, but I urgently need to switch to high-priority Rule Customization tickets. So, I've set this PR to draft. I will reopen it and ping those who haven't approved it yet once I resolve the issues.

[rylnd]

can you give me more details on this one?

@vitaliidm I was referring to this comment about passing a wider set of fields to the threshold input. @nikitaindik said a fix was incoming but I've not yet seen it on this branch.

[vitaliidm]

@vitaliidm I was referring to this comment about passing a wider set of fields to the threshold input. @nikitaindik said a fix was incoming but I've not yet seen it on this branch.

Agree, fields should be filtered, only aggregatable ones should show up in threshold control

@nikitaindik , I also noticed, Suppress alerts checkbox label does not show selected field.
Refer to my screenshots #200323 (comment)

[nikitaindik]

@vitaliidm

UI has changed. Width of threshold elements in particularly. Number inputs become very narrow, even on a wide screen.

Thanks for catching this! Actually, the width of the number inputs is similar to what’s on main at 1280px. I’ve attached a screenshot for reference: the left side shows this branch, and the right side shows main. I think that it’s helpful to give more space to field names since they can be quite long, whereas number values are usually short. What do you think about this approach?

As side effect of UI change, error message looks very crumbled and >= is not aligned in a middle of input components anymore. but gets dragged lower

Great observation, thanks for pointing this out! I’ve adjusted the margin to ensure that the >= operator stays properly aligned, even when more fields are added or an error message appears.

I also noticed, Suppress alerts checkbox label does not show selected field.
Refer to my screenshots #200323 (comment)

Indeed, there was a bug. Thanks! I've pushed a commit with the fix.

With all your feedback addressed, the PR is ready for another review. 😊

[elasticmachine]

⏳ Build in-progress, with failures

• Buildkite Build
• Commit: db6e424
• Cloud Deployment
• Kibana Serverless Image: docker.elastic.co/kibana-ci/kibana-serverless:pr-200323-db6e424903d3
• Security Deployment

Failed CI Steps

• Jest Tests #6
• FTR Configs #113
• FTR Configs #113
• Serverless AI Assistant - Security Solution Cypress Tests #1
• AI Assistant - Security Solution Cypress Tests #1

Test Failures

• [job] [logs] Jest Tests #6 / AgentBasedPackagePoliciesTable renders the table with package policies
• [job] [logs] Serverless AI Assistant - Security Solution Cypress Tests / AI Assistant Conversations Changing conversations Correctly creates and titles new conversations, and allows title updates Correctly creates and titles new conversations, and allows title updates
• [job] [logs] AI Assistant - Security Solution Cypress Tests / AI Assistant Conversations Changing conversations Correctly creates and titles new conversations, and allows title updates Correctly creates and titles new conversations, and allows title updates
• [job] [logs] FTR Configs #113 / Upgrade Assistant Elasticsearch deprecation logs GET /api/upgrade_assistant/deprecation_logging /count should filter out the deprecation from Elastic products
• [job] [logs] FTR Configs #113 / Upgrade Assistant Elasticsearch deprecation logs GET /api/upgrade_assistant/deprecation_logging /count should filter out the deprecation from Elastic products

History

• 💚 Build #256919 succeeded 0933e39
• 💚 Build #256481 succeeded 72b195a
• 💚 Build #255780 succeeded f4907b4
• 💚 Build #255779 succeeded a2b3c53

cc @nikitaindik