[Security Solution] Fix time duration normalization at rule schedule for day units#224083
Merged
maximpn merged 2 commits intoelastic:mainfrom Jun 20, 2025
Merged
Conversation
Contributor
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
Contributor
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
Contributor
|
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management) |
jkelas
approved these changes
Jun 18, 2025
Contributor
jkelas
left a comment
There was a problem hiding this comment.
I reviewed the changes and confirm they are OK.
I verified that the functionality is improved vs main branch. Below are the screenshots.
I am approving the PR.
denar50
approved these changes
Jun 18, 2025
Contributor
denar50
left a comment
There was a problem hiding this comment.
LGTM! I have tested this locally and confirmed that the bug is indeed fixed.
Contributor
💚 Build Succeeded
Metrics [docs]Async chunks
History
cc @maximpn |
Contributor
|
Starting backport for target branches: 8.19 |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Jun 20, 2025
…for day units (elastic#224083) **Addresses:** elastic#223446 ## Summary This PR fixes an issue when time duration normalized to day(s) is shown as 0 seconds. The fix is performed by allowing using days time unit at rule schedule. ## Details The issue happens when rule schedule's look-back gets normalized to day(s). The reason is that look-backs input doesn't support Days time unit. It leads to inability to parse the value and displaying the default value which is 0 seconds. Rule schedule is shown to the users as rule `interval` and `look-back` while rule's SO saves the schedule by using three fields `interval`, `from` and `to`. Where `look-back` represents a logical value calculated as `lookback` = `to` - `from` - `interval`. Taking that into account it's becomes harder to maintain the original time duration unit value during prebuilt rules upgrade workflow (See elastic#204317 for more details). The easiest way to fix this issue is to allow Days time unit in rule schedule inputs. On top of that 24 hours are always 1 day making hours the largest simply convertible time unit. The PR allows hours in rule schedule. **Before:** https://github.com/user-attachments/assets/4f2038f1-4a6a-4a88-b86e-381a5b717605 **After:** https://github.com/user-attachments/assets/74875bf2-9341-425f-a35f-c8b088c1ef6a (cherry picked from commit a013929)
Contributor
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Jun 20, 2025
…hedule for day units (#224083) (#224716) # Backport This will backport the following commits from `main` to `8.19`: - [[Security Solution] Fix time duration normalization at rule schedule for day units (#224083)](#224083) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Maxim Palenov","email":"maxim.palenov@elastic.co"},"sourceCommit":{"committedDate":"2025-06-20T14:42:42Z","message":"[Security Solution] Fix time duration normalization at rule schedule for day units (#224083)\n\n**Addresses:** https://github.com/elastic/kibana/issues/223446\n\n## Summary\n\nThis PR fixes an issue when time duration normalized to day(s) is shown as 0 seconds. The fix is performed by allowing using days time unit at rule schedule.\n\n## Details\n\nThe issue happens when rule schedule's look-back gets normalized to day(s). The reason is that look-backs input doesn't support Days time unit. It leads to inability to parse the value and displaying the default value which is 0 seconds.\n\nRule schedule is shown to the users as rule `interval` and `look-back` while rule's SO saves the schedule by using three fields `interval`, `from` and `to`. Where `look-back` represents a logical value calculated as `lookback` = `to` - `from` - `interval`. Taking that into account it's becomes harder to maintain the original time duration unit value during prebuilt rules upgrade workflow (See #204317 for more details).\n\nThe easiest way to fix this issue is to allow Days time unit in rule schedule inputs. On top of that 24 hours are always 1 day making hours the largest simply convertible time unit. The PR allows hours in rule schedule.\n\n**Before:**\n\nhttps://github.com/user-attachments/assets/4f2038f1-4a6a-4a88-b86e-381a5b717605\n\n**After:**\n\nhttps://github.com/user-attachments/assets/74875bf2-9341-425f-a35f-c8b088c1ef6a","sha":"a013929fda4dbae08b52d8258c37cb4c144a83f5","branchLabelMapping":{"^v9.1.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Feature:Detection Rules","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rule Management","backport:version","v9.1.0","v8.19.0"],"title":"[Security Solution] Fix time duration normalization at rule schedule for day units","number":224083,"url":"https://github.com/elastic/kibana/pull/224083","mergeCommit":{"message":"[Security Solution] Fix time duration normalization at rule schedule for day units (#224083)\n\n**Addresses:** https://github.com/elastic/kibana/issues/223446\n\n## Summary\n\nThis PR fixes an issue when time duration normalized to day(s) is shown as 0 seconds. The fix is performed by allowing using days time unit at rule schedule.\n\n## Details\n\nThe issue happens when rule schedule's look-back gets normalized to day(s). The reason is that look-backs input doesn't support Days time unit. It leads to inability to parse the value and displaying the default value which is 0 seconds.\n\nRule schedule is shown to the users as rule `interval` and `look-back` while rule's SO saves the schedule by using three fields `interval`, `from` and `to`. Where `look-back` represents a logical value calculated as `lookback` = `to` - `from` - `interval`. Taking that into account it's becomes harder to maintain the original time duration unit value during prebuilt rules upgrade workflow (See #204317 for more details).\n\nThe easiest way to fix this issue is to allow Days time unit in rule schedule inputs. On top of that 24 hours are always 1 day making hours the largest simply convertible time unit. The PR allows hours in rule schedule.\n\n**Before:**\n\nhttps://github.com/user-attachments/assets/4f2038f1-4a6a-4a88-b86e-381a5b717605\n\n**After:**\n\nhttps://github.com/user-attachments/assets/74875bf2-9341-425f-a35f-c8b088c1ef6a","sha":"a013929fda4dbae08b52d8258c37cb4c144a83f5"}},"sourceBranch":"main","suggestedTargetBranches":["8.19"],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/224083","number":224083,"mergeCommit":{"message":"[Security Solution] Fix time duration normalization at rule schedule for day units (#224083)\n\n**Addresses:** https://github.com/elastic/kibana/issues/223446\n\n## Summary\n\nThis PR fixes an issue when time duration normalized to day(s) is shown as 0 seconds. The fix is performed by allowing using days time unit at rule schedule.\n\n## Details\n\nThe issue happens when rule schedule's look-back gets normalized to day(s). The reason is that look-backs input doesn't support Days time unit. It leads to inability to parse the value and displaying the default value which is 0 seconds.\n\nRule schedule is shown to the users as rule `interval` and `look-back` while rule's SO saves the schedule by using three fields `interval`, `from` and `to`. Where `look-back` represents a logical value calculated as `lookback` = `to` - `from` - `interval`. Taking that into account it's becomes harder to maintain the original time duration unit value during prebuilt rules upgrade workflow (See #204317 for more details).\n\nThe easiest way to fix this issue is to allow Days time unit in rule schedule inputs. On top of that 24 hours are always 1 day making hours the largest simply convertible time unit. The PR allows hours in rule schedule.\n\n**Before:**\n\nhttps://github.com/user-attachments/assets/4f2038f1-4a6a-4a88-b86e-381a5b717605\n\n**After:**\n\nhttps://github.com/user-attachments/assets/74875bf2-9341-425f-a35f-c8b088c1ef6a","sha":"a013929fda4dbae08b52d8258c37cb4c144a83f5"}},{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Maxim Palenov <maxim.palenov@elastic.co>
akowalska622
pushed a commit
to akowalska622/kibana
that referenced
this pull request
Jun 25, 2025
…for day units (elastic#224083) **Addresses:** elastic#223446 ## Summary This PR fixes an issue when time duration normalized to day(s) is shown as 0 seconds. The fix is performed by allowing using days time unit at rule schedule. ## Details The issue happens when rule schedule's look-back gets normalized to day(s). The reason is that look-backs input doesn't support Days time unit. It leads to inability to parse the value and displaying the default value which is 0 seconds. Rule schedule is shown to the users as rule `interval` and `look-back` while rule's SO saves the schedule by using three fields `interval`, `from` and `to`. Where `look-back` represents a logical value calculated as `lookback` = `to` - `from` - `interval`. Taking that into account it's becomes harder to maintain the original time duration unit value during prebuilt rules upgrade workflow (See elastic#204317 for more details). The easiest way to fix this issue is to allow Days time unit in rule schedule inputs. On top of that 24 hours are always 1 day making hours the largest simply convertible time unit. The PR allows hours in rule schedule. **Before:** https://github.com/user-attachments/assets/4f2038f1-4a6a-4a88-b86e-381a5b717605 **After:** https://github.com/user-attachments/assets/74875bf2-9341-425f-a35f-c8b088c1ef6a
Contributor
Author
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
maximpn
added a commit
to maximpn/kibana
that referenced
this pull request
Jun 26, 2025
…for day units (elastic#224083) **Addresses:** elastic#223446 ## Summary This PR fixes an issue when time duration normalized to day(s) is shown as 0 seconds. The fix is performed by allowing using days time unit at rule schedule. ## Details The issue happens when rule schedule's look-back gets normalized to day(s). The reason is that look-backs input doesn't support Days time unit. It leads to inability to parse the value and displaying the default value which is 0 seconds. Rule schedule is shown to the users as rule `interval` and `look-back` while rule's SO saves the schedule by using three fields `interval`, `from` and `to`. Where `look-back` represents a logical value calculated as `lookback` = `to` - `from` - `interval`. Taking that into account it's becomes harder to maintain the original time duration unit value during prebuilt rules upgrade workflow (See elastic#204317 for more details). The easiest way to fix this issue is to allow Days time unit in rule schedule inputs. On top of that 24 hours are always 1 day making hours the largest simply convertible time unit. The PR allows hours in rule schedule. **Before:** https://github.com/user-attachments/assets/4f2038f1-4a6a-4a88-b86e-381a5b717605 **After:** https://github.com/user-attachments/assets/74875bf2-9341-425f-a35f-c8b088c1ef6a (cherry picked from commit a013929)
maximpn
added a commit
to maximpn/kibana
that referenced
this pull request
Jul 3, 2025
…for day units (elastic#224083) **Addresses:** elastic#223446 ## Summary This PR fixes an issue when time duration normalized to day(s) is shown as 0 seconds. The fix is performed by allowing using days time unit at rule schedule. ## Details The issue happens when rule schedule's look-back gets normalized to day(s). The reason is that look-backs input doesn't support Days time unit. It leads to inability to parse the value and displaying the default value which is 0 seconds. Rule schedule is shown to the users as rule `interval` and `look-back` while rule's SO saves the schedule by using three fields `interval`, `from` and `to`. Where `look-back` represents a logical value calculated as `lookback` = `to` - `from` - `interval`. Taking that into account it's becomes harder to maintain the original time duration unit value during prebuilt rules upgrade workflow (See elastic#204317 for more details). The easiest way to fix this issue is to allow Days time unit in rule schedule inputs. On top of that 24 hours are always 1 day making hours the largest simply convertible time unit. The PR allows hours in rule schedule. **Before:** https://github.com/user-attachments/assets/4f2038f1-4a6a-4a88-b86e-381a5b717605 **After:** https://github.com/user-attachments/assets/74875bf2-9341-425f-a35f-c8b088c1ef6a (cherry picked from commit a013929)
Contributor
Author
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
maximpn
added a commit
that referenced
this pull request
Jul 3, 2025
…hedule for day units (#224083) (#225424) # Backport This will backport the following commits from `main` to `8.18`: - [[Security Solution] Fix time duration normalization at rule schedule for day units (#224083)](#224083) <!--- Backport version: 10.0.1 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Maxim Palenov","email":"maxim.palenov@elastic.co"},"sourceCommit":{"committedDate":"2025-06-20T14:42:42Z","message":"[Security Solution] Fix time duration normalization at rule schedule for day units (#224083)\n\n**Addresses:** https://github.com/elastic/kibana/issues/223446\n\n## Summary\n\nThis PR fixes an issue when time duration normalized to day(s) is shown as 0 seconds. The fix is performed by allowing using days time unit at rule schedule.\n\n## Details\n\nThe issue happens when rule schedule's look-back gets normalized to day(s). The reason is that look-backs input doesn't support Days time unit. It leads to inability to parse the value and displaying the default value which is 0 seconds.\n\nRule schedule is shown to the users as rule `interval` and `look-back` while rule's SO saves the schedule by using three fields `interval`, `from` and `to`. Where `look-back` represents a logical value calculated as `lookback` = `to` - `from` - `interval`. Taking that into account it's becomes harder to maintain the original time duration unit value during prebuilt rules upgrade workflow (See #204317 for more details).\n\nThe easiest way to fix this issue is to allow Days time unit in rule schedule inputs. On top of that 24 hours are always 1 day making hours the largest simply convertible time unit. The PR allows hours in rule schedule.\n\n**Before:**\n\nhttps://github.com/user-attachments/assets/4f2038f1-4a6a-4a88-b86e-381a5b717605\n\n**After:**\n\nhttps://github.com/user-attachments/assets/74875bf2-9341-425f-a35f-c8b088c1ef6a","sha":"a013929fda4dbae08b52d8258c37cb4c144a83f5","branchLabelMapping":{"^v9.1.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rule Management","Feature:Rule Creation","Feature:Rule Edit","backport:version","v9.1.0","v8.19.0"],"title":"[Security Solution] Fix time duration normalization at rule schedule for day units","number":224083,"url":"https://github.com/elastic/kibana/pull/224083","mergeCommit":{"message":"[Security Solution] Fix time duration normalization at rule schedule for day units (#224083)\n\n**Addresses:** https://github.com/elastic/kibana/issues/223446\n\n## Summary\n\nThis PR fixes an issue when time duration normalized to day(s) is shown as 0 seconds. The fix is performed by allowing using days time unit at rule schedule.\n\n## Details\n\nThe issue happens when rule schedule's look-back gets normalized to day(s). The reason is that look-backs input doesn't support Days time unit. It leads to inability to parse the value and displaying the default value which is 0 seconds.\n\nRule schedule is shown to the users as rule `interval` and `look-back` while rule's SO saves the schedule by using three fields `interval`, `from` and `to`. Where `look-back` represents a logical value calculated as `lookback` = `to` - `from` - `interval`. Taking that into account it's becomes harder to maintain the original time duration unit value during prebuilt rules upgrade workflow (See #204317 for more details).\n\nThe easiest way to fix this issue is to allow Days time unit in rule schedule inputs. On top of that 24 hours are always 1 day making hours the largest simply convertible time unit. The PR allows hours in rule schedule.\n\n**Before:**\n\nhttps://github.com/user-attachments/assets/4f2038f1-4a6a-4a88-b86e-381a5b717605\n\n**After:**\n\nhttps://github.com/user-attachments/assets/74875bf2-9341-425f-a35f-c8b088c1ef6a","sha":"a013929fda4dbae08b52d8258c37cb4c144a83f5"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/224083","number":224083,"mergeCommit":{"message":"[Security Solution] Fix time duration normalization at rule schedule for day units (#224083)\n\n**Addresses:** https://github.com/elastic/kibana/issues/223446\n\n## Summary\n\nThis PR fixes an issue when time duration normalized to day(s) is shown as 0 seconds. The fix is performed by allowing using days time unit at rule schedule.\n\n## Details\n\nThe issue happens when rule schedule's look-back gets normalized to day(s). The reason is that look-backs input doesn't support Days time unit. It leads to inability to parse the value and displaying the default value which is 0 seconds.\n\nRule schedule is shown to the users as rule `interval` and `look-back` while rule's SO saves the schedule by using three fields `interval`, `from` and `to`. Where `look-back` represents a logical value calculated as `lookback` = `to` - `from` - `interval`. Taking that into account it's becomes harder to maintain the original time duration unit value during prebuilt rules upgrade workflow (See #204317 for more details).\n\nThe easiest way to fix this issue is to allow Days time unit in rule schedule inputs. On top of that 24 hours are always 1 day making hours the largest simply convertible time unit. The PR allows hours in rule schedule.\n\n**Before:**\n\nhttps://github.com/user-attachments/assets/4f2038f1-4a6a-4a88-b86e-381a5b717605\n\n**After:**\n\nhttps://github.com/user-attachments/assets/74875bf2-9341-425f-a35f-c8b088c1ef6a","sha":"a013929fda4dbae08b52d8258c37cb4c144a83f5"}},{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/224716","number":224716,"state":"MERGED","mergeCommit":{"sha":"0163914af918d1ee0181d731224f00e14cadc4db","message":"[8.19] [Security Solution] Fix time duration normalization at rule schedule for day units (#224083) (#224716)\n\n# Backport\n\nThis will backport the following commits from `main` to `8.19`:\n- [[Security Solution] Fix time duration normalization at rule schedule\nfor day units (#224083)](https://github.com/elastic/kibana/pull/224083)\n\n\n\n### Questions ?\nPlease refer to the [Backport tool\ndocumentation](https://github.com/sorenlouv/backport)\n\n\n\nCo-authored-by: Maxim Palenov <maxim.palenov@elastic.co>"}}]}] BACKPORT-->
Contributor
|
Starting backport for target branches: 8.18, 8.19, 9.1 |
Contributor
|
Starting backport for target branches: 8.18, 8.19, 9.1 |
Contributor
💔 All backports failed
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
1 similar comment
Contributor
💔 All backports failed
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
maximpn
added a commit
that referenced
this pull request
Jul 3, 2025
…edule for day units (#224083) (#226388) # Backport This will backport the following commits from `main` to `9.0`: - [[Security Solution] Fix time duration normalization at rule schedule for day units (#224083)](#224083) <!--- Backport version: 10.0.1 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Maxim Palenov","email":"maxim.palenov@elastic.co"},"sourceCommit":{"committedDate":"2025-06-20T14:42:42Z","message":"[Security Solution] Fix time duration normalization at rule schedule for day units (#224083)\n\n**Addresses:** https://github.com/elastic/kibana/issues/223446\n\n## Summary\n\nThis PR fixes an issue when time duration normalized to day(s) is shown as 0 seconds. The fix is performed by allowing using days time unit at rule schedule.\n\n## Details\n\nThe issue happens when rule schedule's look-back gets normalized to day(s). The reason is that look-backs input doesn't support Days time unit. It leads to inability to parse the value and displaying the default value which is 0 seconds.\n\nRule schedule is shown to the users as rule `interval` and `look-back` while rule's SO saves the schedule by using three fields `interval`, `from` and `to`. Where `look-back` represents a logical value calculated as `lookback` = `to` - `from` - `interval`. Taking that into account it's becomes harder to maintain the original time duration unit value during prebuilt rules upgrade workflow (See #204317 for more details).\n\nThe easiest way to fix this issue is to allow Days time unit in rule schedule inputs. On top of that 24 hours are always 1 day making hours the largest simply convertible time unit. The PR allows hours in rule schedule.\n\n**Before:**\n\nhttps://github.com/user-attachments/assets/4f2038f1-4a6a-4a88-b86e-381a5b717605\n\n**After:**\n\nhttps://github.com/user-attachments/assets/74875bf2-9341-425f-a35f-c8b088c1ef6a","sha":"a013929fda4dbae08b52d8258c37cb4c144a83f5","branchLabelMapping":{"^v9.1.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rule Management","Feature:Rule Creation","Feature:Rule Edit","backport:version","v9.1.0","v8.19.0"],"title":"[Security Solution] Fix time duration normalization at rule schedule for day units","number":224083,"url":"https://github.com/elastic/kibana/pull/224083","mergeCommit":{"message":"[Security Solution] Fix time duration normalization at rule schedule for day units (#224083)\n\n**Addresses:** https://github.com/elastic/kibana/issues/223446\n\n## Summary\n\nThis PR fixes an issue when time duration normalized to day(s) is shown as 0 seconds. The fix is performed by allowing using days time unit at rule schedule.\n\n## Details\n\nThe issue happens when rule schedule's look-back gets normalized to day(s). The reason is that look-backs input doesn't support Days time unit. It leads to inability to parse the value and displaying the default value which is 0 seconds.\n\nRule schedule is shown to the users as rule `interval` and `look-back` while rule's SO saves the schedule by using three fields `interval`, `from` and `to`. Where `look-back` represents a logical value calculated as `lookback` = `to` - `from` - `interval`. Taking that into account it's becomes harder to maintain the original time duration unit value during prebuilt rules upgrade workflow (See #204317 for more details).\n\nThe easiest way to fix this issue is to allow Days time unit in rule schedule inputs. On top of that 24 hours are always 1 day making hours the largest simply convertible time unit. The PR allows hours in rule schedule.\n\n**Before:**\n\nhttps://github.com/user-attachments/assets/4f2038f1-4a6a-4a88-b86e-381a5b717605\n\n**After:**\n\nhttps://github.com/user-attachments/assets/74875bf2-9341-425f-a35f-c8b088c1ef6a","sha":"a013929fda4dbae08b52d8258c37cb4c144a83f5"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/224083","number":224083,"mergeCommit":{"message":"[Security Solution] Fix time duration normalization at rule schedule for day units (#224083)\n\n**Addresses:** https://github.com/elastic/kibana/issues/223446\n\n## Summary\n\nThis PR fixes an issue when time duration normalized to day(s) is shown as 0 seconds. The fix is performed by allowing using days time unit at rule schedule.\n\n## Details\n\nThe issue happens when rule schedule's look-back gets normalized to day(s). The reason is that look-backs input doesn't support Days time unit. It leads to inability to parse the value and displaying the default value which is 0 seconds.\n\nRule schedule is shown to the users as rule `interval` and `look-back` while rule's SO saves the schedule by using three fields `interval`, `from` and `to`. Where `look-back` represents a logical value calculated as `lookback` = `to` - `from` - `interval`. Taking that into account it's becomes harder to maintain the original time duration unit value during prebuilt rules upgrade workflow (See #204317 for more details).\n\nThe easiest way to fix this issue is to allow Days time unit in rule schedule inputs. On top of that 24 hours are always 1 day making hours the largest simply convertible time unit. The PR allows hours in rule schedule.\n\n**Before:**\n\nhttps://github.com/user-attachments/assets/4f2038f1-4a6a-4a88-b86e-381a5b717605\n\n**After:**\n\nhttps://github.com/user-attachments/assets/74875bf2-9341-425f-a35f-c8b088c1ef6a","sha":"a013929fda4dbae08b52d8258c37cb4c144a83f5"}},{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/224716","number":224716,"state":"MERGED","mergeCommit":{"sha":"0163914af918d1ee0181d731224f00e14cadc4db","message":"[8.19] [Security Solution] Fix time duration normalization at rule schedule for day units (#224083) (#224716)\n\n# Backport\n\nThis will backport the following commits from `main` to `8.19`:\n- [[Security Solution] Fix time duration normalization at rule schedule\nfor day units (#224083)](https://github.com/elastic/kibana/pull/224083)\n\n\n\n### Questions ?\nPlease refer to the [Backport tool\ndocumentation](https://github.com/sorenlouv/backport)\n\n\n\nCo-authored-by: Maxim Palenov <maxim.palenov@elastic.co>"}},{"url":"https://github.com/elastic/kibana/pull/225424","number":225424,"branch":"8.18","state":"OPEN"}]}] BACKPORT-->
Contributor
|
Starting backport for target branches: 8.18, 8.19, 9.0, 9.1 |
Contributor
💔 All backports failed
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
21 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes: #223446
Summary
This PR fixes an issue when time duration normalized to day(s) is shown as 0 seconds. The fix is performed by allowing using days time unit at rule schedule.
Details
The issue happens when rule schedule's look-back gets normalized to day(s). The reason is that look-backs input doesn't support Days time unit. It leads to inability to parse the value and displaying the default value which is 0 seconds.
Rule schedule is shown to the users as rule
intervalandlook-backwhile rule's SO saves the schedule by using three fieldsinterval,fromandto. Wherelook-backrepresents a logical value calculated aslookback=to-from-interval. Taking that into account it's becomes harder to maintain the original time duration unit value during prebuilt rules upgrade workflow (See #204317 for more details).The easiest way to fix this issue is to allow Days time unit in rule schedule inputs. On top of that 24 hours are always 1 day making hours the largest simply convertible time unit. The PR allows hours in rule schedule.
Before:
Screen.Recording.2025-06-16.at.19.55.10.mov
After:
Screen.Recording.2025-06-16.at.19.53.10.mov