Skip to content

[9.0] [Security Solution] Fix time duration normalization at rule schedule for day units (#224083)#226388

Merged
maximpn merged 1 commit intoelastic:9.0from
maximpn:backport/9.0/pr-224083
Jul 3, 2025
Merged

[9.0] [Security Solution] Fix time duration normalization at rule schedule for day units (#224083)#226388
maximpn merged 1 commit intoelastic:9.0from
maximpn:backport/9.0/pr-224083

Conversation

@maximpn
Copy link
Copy Markdown
Contributor

@maximpn maximpn commented Jul 3, 2025

Backport

This will backport the following commits from main to 9.0:

Questions ?

Please refer to the Backport tool documentation

@maximpn
[Security Solution] Fix time duration normalization at rule schedule …
ec59f59 
…for day units (elastic#224083)

**Addresses:** elastic#223446

## Summary

This PR fixes an issue when time duration normalized to day(s) is shown as 0 seconds. The fix is performed by allowing using days time unit at rule schedule.

## Details

The issue happens when rule schedule's look-back gets normalized to day(s). The reason is that look-backs input doesn't support Days time unit. It leads to inability to parse the value and displaying the default value which is 0 seconds.

Rule schedule is shown to the users as rule `interval` and `look-back` while rule's SO saves the schedule by using three fields `interval`, `from` and `to`. Where `look-back` represents a logical value calculated as `lookback` = `to` - `from` - `interval`. Taking that into account it's becomes harder to maintain the original time duration unit value during prebuilt rules upgrade workflow (See elastic#204317 for more details).

The easiest way to fix this issue is to allow Days time unit in rule schedule inputs. On top of that 24 hours are always 1 day making hours the largest simply convertible time unit. The PR allows hours in rule schedule.

**Before:**

https://github.com/user-attachments/assets/4f2038f1-4a6a-4a88-b86e-381a5b717605

**After:**

https://github.com/user-attachments/assets/74875bf2-9341-425f-a35f-c8b088c1ef6a
(cherry picked from commit a013929)
@maximpn maximpn requested a review from kibanamachine as a code owner July 3, 2025 10:49
@maximpn maximpn added the backport This PR is a backport of another PR label Jul 3, 2025
@maximpn maximpn enabled auto-merge (squash) July 3, 2025 10:49
@maximpn maximpn mentioned this pull request Jul 3, 2025
Merged
jkelas
jkelas approved these changes Jul 3, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@jkelas jkelas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I confirm the changes are identical to the original PR.
I am approving.

@maximpn maximpn merged commit e43180f into elastic:9.0 Jul 3, 2025
12 checks passed
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Jul 3, 2025

💚 Build Succeeded

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 8.9MB 8.9MB +4.0B

@maximpn maximpn deleted the backport/9.0/pr-224083 branch July 3, 2025 14:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kibanamachine kibanamachine Awaiting requested review from kibanamachine kibanamachine is a code owner

1 more reviewer

@jkelas jkelas jkelas approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

backport This PR is a backport of another PR

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@maximpn @elasticmachine @jkelas