[Security Solution] Fix time duration normalization at rule schedule for day units (#224083)

maximpn · maximpn · commit ec59f5996f75 · 2025-07-03T12:48:46.000+02:00
**Addresses:** #223446 ## Summary This PR fixes an issue when time duration normalized to day(s) is shown as 0 seconds. The fix is performed by allowing using days time unit at rule schedule. ## Details The issue happens when rule schedule's look-back gets normalized to day(s). The reason is that look-backs input doesn't support Days time unit. It leads to inability to parse the value and displaying the default value which is 0 seconds. Rule schedule is shown to the users as rule `interval` and `look-back` while rule's SO saves the schedule by using three fields `interval`, `from` and `to`. Where `look-back` represents a logical value calculated as `lookback` = `to` - `from` - `interval`. Taking that into account it's becomes harder to maintain the original time duration unit value during prebuilt rules upgrade workflow (See #204317 for more details). The easiest way to fix this issue is to allow Days time unit in rule schedule inputs. On top of that 24 hours are always 1 day making hours the largest simply convertible time unit. The PR allows hours in rule schedule. **Before:** https://github.com/user-attachments/assets/4f2038f1-4a6a-4a88-b86e-381a5b717605 **After:** https://github.com/user-attachments/assets/74875bf2-9341-425f-a35f-c8b088c1ef6a (cherry picked from commit a013929)
diff --git a/x-pack/solutions/security/packages/kbn-securitysolution-utils/src/time_duration/time_duration.ts b/x-pack/solutions/security/packages/kbn-securitysolution-utils/src/time_duration/time_duration.ts
@@ -12,6 +12,7 @@
  * - 5s
  * - 3m
  * - 7h
+ * - 9d
  */
 export class TimeDuration {
   /**
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/schedule_item_field/schedule_item_field.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/schedule_item_field/schedule_item_field.tsx
@@ -168,7 +168,7 @@ export function ScheduleItemField({
   );
 }
 
-const DEFAULT_TIME_DURATION_UNITS = ['s', 'm', 'h'];
+const DEFAULT_TIME_DURATION_UNITS = ['s', 'm', 'h', 'd'];
 
 function saturate(input: number, minValue: number, maxValue: number): number {
   return Math.max(minValue, Math.min(input, maxValue));

-Original file line number
+Diff line change
  * - 5s
  * - 3m
  * - 7h
 + * - 9d
  */
 export class TimeDuration {
   /**
Original file line number	Diff line number	Diff line change
`@@ -168,7 +168,7 @@ export function ScheduleItemField({`
`168`	`168`	`);`
`169`	`169`	`}`
`170`	`170`
`171`		`-const DEFAULT_TIME_DURATION_UNITS = ['s', 'm', 'h'];`
	`171`	`+const DEFAULT_TIME_DURATION_UNITS = ['s', 'm', 'h', 'd'];`
`172`	`172`
`173`	`173`	`function saturate(input: number, minValue: number, maxValue: number): number {`
`174`	`174`	`return Math.max(minValue, Math.min(input, maxValue));`