[Security Solution] Unlock prebuilt rules upgrade due to deprecated lastRun.outcomeMsg #251164
Pinging @elastic/security-detections-response (Team:Detections and Resp)

Pinging @elastic/security-solution (Team: SecuritySolution)

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

pmuellr
left a comment
Changes LGTM, but I'm slightly surprised more "soft migrations" aren't needed, like on reads ...

@pmuellr Thanks for the review 🙏 Yeah, I agree these migrations make the implementation much more obscure. However, this PR just patches the gap introduced due to architectural limitations. And technically it's migration or write mirroring this migration on read piece of code. I'd say it's better to have some fix and find a better way to address all those migration issues in Alerting Framework at a comfortable pace than rushing to fix it via migration.

Starting backport for target branches: 8.19, 9.1, 9.2, 9.3
💚 Build Succeeded
cc @maximpn

…astRun.outcomeMsg (elastic#251164)

**Addresses:** elastic#177852

## Summary

This PR introduces `lastRun.outcomeMsg` from `string` to `string[]` migration on rule update in Alerting Framework. It unlocks the prebuilt rule upgrade workflow for customers migrated from 7.x stack version.

## Details

Some time ago Alerting Framework migrated `lastRun.outcomeMsg` from `string` to `string[]`. At that moment usual migrations were deprecated due to Serverless and model version migration wasn't ready yet. This migration went smoothly thanks to the corresponding changes to the codebase. However, the changes didn't cover customers upgrading from `7.x` stack version and having something written to `lastRun.outcomeMsg`.

This PR makes a change only to the `rulesClient.update()` method to migrate `lastRun.outcomeMsg` before it gets written to the new saved object.

Looking through the code, it seems other methods aren't impacted. For example, rule duplication doesn't copy over the `lastRun` field.

(cherry picked from commit 3a2f3fd)

💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation

…ated lastRun.outcomeMsg (#251164) (#251393)

# Backport

This will backport the following commits from `main` to `9.2`:
- [[Security Solution] Unlock prebuilt rules upgrade due to deprecated lastRun.outcomeMsg (#251164)](#251164)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Maxim Palenov <maxim.palenov@elastic.co>

…ated lastRun.outcomeMsg (#251164) (#251392)

# Backport

This will backport the following commits from `main` to `9.1`:
- [[Security Solution] Unlock prebuilt rules upgrade due to deprecated lastRun.outcomeMsg (#251164)](#251164)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Maxim Palenov <maxim.palenov@elastic.co>

…ated lastRun.outcomeMsg (#251164) (#251394)

# Backport

This will backport the following commits from `main` to `9.3`:
- [[Security Solution] Unlock prebuilt rules upgrade due to deprecated lastRun.outcomeMsg (#251164)](#251164)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Maxim Palenov <maxim.palenov@elastic.co>

…cated lastRun.outcomeMsg (#251164) (#251391)

# Backport

This will backport the following commits from `main` to `8.19`:
- [[Security Solution] Unlock prebuilt rules upgrade due to deprecated lastRun.outcomeMsg (#251164)](#251164)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Maxim Palenov <maxim.palenov@elastic.co>

…ated lastRun.outcomeMsg (#258105)

**Resolves:** #177852
**Relates to:** #251164

## Summary

This PR fixes an issue blocking enabling and disabling security rules with non-migrated `lastRun.outcomeMsg` field.

## Details

Some time ago Alerting Framework migrated `lastRun.outcomeMsg` from `string` to `string[]`. At that moment usual migrations were deprecated due to Serverless and model version migration wasn't ready yet. This migration went smoothly thanks to the corresponding changes to the codebase. However, the changes didn't cover customers upgrading from `7.x` stack version and having something written to `lastRun.outcomeMsg`.

#251164 fixed the issue appearing when attempting to update prebuilt rules. This PR fixes the remaining issue blocking enabling and disabling non-migrated security rules with a `lastRun.outcomeMsg` field of type `string`.

## Testing

- Start Kibana
- Log in under `system_indices_superuser` to be able to write to the system indices
- Create a rule by using the command below
- Enable/Disable the rule
- Perform any other bulk and non-bulk actions on the rule

ER: All actions should work without errors. Without this fix the enable/disable action will result in an error.

<details>
<summary>ES command to put a non-migrated rule</summary>

```
PUT .kibana_alerting_cases/_doc/alert:d62167ce-1022-4b2c-915d-024fe3e6e557
{
  "alert": {
    "name": "Test rule 1",
    "tags": [],
    "enabled": false,
    "alertTypeId": "siem.queryRule",
    "consumer": "siem",
    "legacyId": null,
    "schedule": { "interval": "5m" },
    "actions": [],
    "params": {
      "author": [],
      "description": "123",
      "falsePositives": [],
      "from": "now-6m",
      "ruleId": "5ecfb16d-5af2-4a31-b880-319a4a2ca92b",
      "immutable": false,
      "ruleSource": { "type": "internal" },
      "license": "",
      "outputIndex": "",
      "meta": { "kibana_siem_app_url": "http://localhost:5601/kbn/app/security" },
      "maxSignals": 100,
      "riskScore": 21,
      "riskScoreMapping": [],
      "severity": "low",
      "severityMapping": [],
      "threat": [],
      "to": "now",
      "references": [],
      "version": 1,
      "exceptionsList": [],
      "relatedIntegrations": [],
      "requiredFields": [],
      "setup": "",
      "type": "query",
      "language": "kuery",
      "index": [
        "apm-*-transaction*",
        "auditbeat-*",
        "endgame-*",
        "filebeat-*",
        "logs-*",
        "packetbeat-*",
        "traces-apm*",
        "winlogbeat-*",
        "-*elastic-cloud-logs-*"
      ],
      "query": "*:*",
      "filters": []
    },
    "mapped_params": { "risk_score": 21, "severity": "20-low" },
    "createdBy": "elastic",
    "updatedBy": "elastic",
    "createdAt": "2026-03-17T10:52:28.688Z",
    "updatedAt": "2026-03-17T10:52:28.688Z",
    "apiKey": null,
    "apiKeyOwner": null,
    "apiKeyCreatedByUser": null,
    "throttle": null,
    "notifyWhen": null,
    "muteAll": false,
    "mutedInstanceIds": [],
    "executionStatus": { "status": "pending", "lastExecutionDate": "2026-03-17T10:52:28.688Z" },
    "monitoring": {
      "run": {
        "history": [],
        "calculated_metrics": { "success_ratio": 0 },
        "last_run": {
          "timestamp": "2026-03-17T10:52:28.688Z",
          "metrics": {
            "duration": 0,
            "total_search_duration_ms": null,
            "total_indexing_duration_ms": null,
            "total_alerts_detected": null,
            "total_alerts_created": null,
            "gap_duration_s": null
          }
        }
      }
    },
    "lastRun": {
      "outcome": "failed",
      "outcomeMsg": "security_exception: [security_exception] Reason: missing authentication credentials for REST request [/_security/user/_has_privileges], caused by: \"\"",
      "warning": "read",
      "alertsCount": {},
      "outcomeOrder": 20
    },
    "snoozeSchedule": [],
    "revision": 0,
    "running": false,
    "artifacts": { "dashboards": [], "investigation_guide": { "blob": "" } },
    "meta": { "versionApiKeyLastmodified": "9.4.0" }
  },
  "type": "alert",
  "references": [],
  "managed": false,
  "namespaces": [ "default" ],
  "coreMigrationVersion": "8.8.0",
  "typeMigrationVersion": "10.10.0",
  "updated_at": "2026-03-17T10:52:28.688Z",
  "created_at": "2026-03-17T10:52:28.688Z"
}
```

</details>
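
The `string` to `string[]` normalization on write that these commit messages describe, sketched as an added example; it is not the PR's code or Kibana source. The type and function names (`migrateLastRun`, `prepareRuleForWrite`, `findNonMigratedRuleIds`) are hypothetical, and the sample rules are constructed, the first from the test rule in the commit message above.

```typescript
// Added example: hypothetical helpers, not Kibana's Alerting Framework code.

// `lastRun` as it can exist on disk. Rules last executed on 7.x may hold
// `outcomeMsg` as a plain string, while current code expects string[].
type StoredLastRun = {
  outcome: string;
  outcomeMsg?: unknown;
  warning?: string | null;
  alertsCount?: Record<string, unknown>;
  outcomeOrder?: number;
};
type MigratedLastRun = Omit<StoredLastRun, 'outcomeMsg'> & {
  outcomeMsg?: string[] | null;
};
type StoredRule = { id: string; name: string; enabled: boolean; lastRun?: StoredLastRun | null };
type WritableRule = { id: string; name: string; enabled: boolean; lastRun?: MigratedLastRun | null };

// Normalize one value: absent stays absent, null stays null, a legacy string
// is wrapped, an existing string[] is copied. Anything else is rejected
// instead of being written back in an unknown shape.
function migrateOutcomeMsg(value: unknown): string[] | null | undefined {
  if (value === undefined) return undefined;
  if (value === null) return null;
  if (typeof value === 'string') return [value];
  if (Array.isArray(value) && value.every((item) => typeof item === 'string')) {
    return value.slice() as string[];
  }
  throw new TypeError('lastRun.outcomeMsg must be a string or string[], got ' + typeof value);
}

// Returns a new object; the stored `lastRun` is never mutated.
function migrateLastRun(lastRun: StoredLastRun | null | undefined): MigratedLastRun | null | undefined {
  if (lastRun === undefined) return undefined;
  if (lastRun === null) return null;
  const { outcomeMsg, ...rest } = lastRun;
  const migrated = migrateOutcomeMsg(outcomeMsg);
  return migrated === undefined ? { ...rest } : { ...rest, outcomeMsg: migrated };
}

// Stand-in for a write path (update, enable, disable): the stored attributes
// are carried over to the new document, so `lastRun` is migrated first.
function prepareRuleForWrite(stored: StoredRule, changes: { name?: string; enabled?: boolean }): WritableRule {
  const { lastRun, ...rest } = stored;
  const next: WritableRule = { ...rest, ...changes };
  if (lastRun !== undefined) next.lastRun = migrateLastRun(lastRun);
  return next;
}

// Audit helper: ids of rules that still carry the legacy string form.
function findNonMigratedRuleIds(rules: StoredRule[]): string[] {
  return rules
    .filter((rule) => typeof rule.lastRun?.outcomeMsg === 'string')
    .map((rule) => rule.id);
}

// Constructed sample data. LEGACY_RULE mirrors the test rule's `lastRun`.
const LEGACY_MSG =
  'security_exception: [security_exception] Reason: missing authentication credentials ' +
  'for REST request [/_security/user/_has_privileges], caused by: ""';

const LEGACY_RULE: StoredRule = {
  id: 'd62167ce-1022-4b2c-915d-024fe3e6e557',
  name: 'Test rule 1',
  enabled: false,
  lastRun: { outcome: 'failed', outcomeMsg: LEGACY_MSG, warning: 'read', alertsCount: {}, outcomeOrder: 20 },
};

const SAMPLE_RULES: StoredRule[] = [
  LEGACY_RULE,
  {
    id: 'constructed-migrated-rule',
    name: 'Already migrated',
    enabled: true,
    lastRun: { outcome: 'warning', outcomeMsg: ['constructed warning'], alertsCount: {}, outcomeOrder: 10 },
  },
  { id: 'constructed-never-run-rule', name: 'Never run', enabled: false, lastRun: null },
];
```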
…ated lastRun.outcomeMsg (elastic#258105)

**Resolves: elastic#177852**
**Relates to: elastic#251164**

## Summary

This PR fixes an issue blocking enabling and disabling security rules with non-migrated `lastRun.outcomeMsg` field.

## Details

Some time ago Alerting Framework migrated `lastRun.outcomeMsg` from `string` to `string[]`. At that moment usual migrations were deprecated due to Serverless and model version migration wasn't ready yet. This migration went smoothly thanks to the according changes to the codebase. However, the changes didn't cover customers upgrading from `7.x` stack version and having something written to `lastRun.outcomeMsg`.

elastic#251164 fixed the issue appearing in attempt to update prebuilt rules.

This PR fixes the left issue blocking enabling and disabling non-migrated security rules with `lastRun.outcomeMsg` type `string` field.

## Testing

- Start Kibana
- Log in under `system_indices_superuser` to be able to write to the system indices
- Create a rule by using the command below
- Enable/Disable the rule
- Perform any other bulk and non-bulk actions on the rule

ER: All actions should work without errors.

Without this fix enable/disable action will result in error.

<details>
<summary>ES command to put a non-migrated rule</summary>

```
PUT .kibana_alerting_cases/_doc/alert:d62167ce-1022-4b2c-915d-024fe3e6e557
{
  "alert": {
    "name": "Test rule 1",
    "tags": [],
    "enabled": false,
    "alertTypeId": "siem.queryRule",
    "consumer": "siem",
    "legacyId": null,
    "schedule": { "interval": "5m" },
    "actions": [],
    "params": {
      "author": [],
      "description": "123",
      "falsePositives": [],
      "from": "now-6m",
      "ruleId": "5ecfb16d-5af2-4a31-b880-319a4a2ca92b",
      "immutable": false,
      "ruleSource": { "type": "internal" },
      "license": "",
      "outputIndex": "",
      "meta": { "kibana_siem_app_url": "http://localhost:5601/kbn/app/security" },
      "maxSignals": 100,
      "riskScore": 21,
      "riskScoreMapping": [],
      "severity": "low",
      "severityMapping": [],
      "threat": [],
      "to": "now",
      "references": [],
      "version": 1,
      "exceptionsList": [],
      "relatedIntegrations": [],
      "requiredFields": [],
      "setup": "",
      "type": "query",
      "language": "kuery",
      "index": [
        "apm-*-transaction*",
        "auditbeat-*",
        "endgame-*",
        "filebeat-*",
        "logs-*",
        "packetbeat-*",
        "traces-apm*",
        "winlogbeat-*",
        "-*elastic-cloud-logs-*"
      ],
      "query": "*:*",
      "filters": []
    },
    "mapped_params": { "risk_score": 21, "severity": "20-low" },
    "createdBy": "elastic",
    "updatedBy": "elastic",
    "createdAt": "2026-03-17T10:52:28.688Z",
    "updatedAt": "2026-03-17T10:52:28.688Z",
    "apiKey": null,
    "apiKeyOwner": null,
    "apiKeyCreatedByUser": null,
    "throttle": null,
    "notifyWhen": null,
    "muteAll": false,
    "mutedInstanceIds": [],
    "executionStatus": {
      "status": "pending",
      "lastExecutionDate": "2026-03-17T10:52:28.688Z"
    },
    "monitoring": {
      "run": {
        "history": [],
        "calculated_metrics": { "success_ratio": 0 },
        "last_run": {
          "timestamp": "2026-03-17T10:52:28.688Z",
          "metrics": {
            "duration": 0,
            "total_search_duration_ms": null,
            "total_indexing_duration_ms": null,
            "total_alerts_detected": null,
            "total_alerts_created": null,
            "gap_duration_s": null
          }
        }
      }
    },
    "lastRun": {
      "outcome": "failed",
      "outcomeMsg": "security_exception: [security_exception] Reason: missing authentication credentials for REST request [/_security/user/_has_privileges], caused by: \"\"",
      "warning": "read",
      "alertsCount": {},
      "outcomeOrder": 20
    },
    "snoozeSchedule": [],
    "revision": 0,
    "running": false,
    "artifacts": {
      "dashboards": [],
      "investigation_guide": { "blob": "" }
    },
    "meta": { "versionApiKeyLastmodified": "9.4.0" }
  },
  "type": "alert",
  "references": [],
  "managed": false,
  "namespaces": [ "default" ],
  "coreMigrationVersion": "8.8.0",
  "typeMigrationVersion": "10.10.0",
  "updated_at": "2026-03-17T10:52:28.688Z",
  "created_at": "2026-03-17T10:52:28.688Z"
}
```

</details>

(cherry picked from commit b48ac09)
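The `string` to `string[]` normalization this commit message describes, as an added TypeScript example that is not Kibana's code: it normalizes `lastRun.outcomeMsg` in the same step that builds the attributes for a write, and lists the rules that still carry the legacy shape. All type and function names are hypothetical, the sample documents are constructed, and the migrated field is assumed to be a nullable `string[]`.

```typescript
// Added example, not Kibana source. All names below are hypothetical.

type OutcomeMsgShape = 'absent' | 'migrated' | 'legacy-string' | 'invalid';

interface LastRun {
  outcome: string;
  outcomeMsg?: unknown; // string in non-migrated docs, string[] after the migration
  warning?: string | null;
  outcomeOrder?: number;
}

interface RuleAttributes {
  name: string;
  enabled: boolean;
  lastRun?: LastRun | null;
}

interface RuleDoc {
  id: string;
  alert: RuleAttributes;
}

// Classify what is actually stored instead of trusting the declared type.
function classifyOutcomeMsg(value: unknown): OutcomeMsgShape {
  if (value === undefined || value === null) return 'absent';
  if (typeof value === 'string') return 'legacy-string';
  if (Array.isArray(value) && value.every((item) => typeof item === 'string')) return 'migrated';
  return 'invalid';
}

// Return the string[] form (assumed nullable); reject anything that is neither shape.
function normalizeOutcomeMsg(value: unknown): string[] | null {
  if (value === undefined || value === null) return null;
  if (typeof value === 'string') return [value];
  if (Array.isArray(value) && value.every((item) => typeof item === 'string')) {
    return value.map((item) => String(item));
  }
  throw new TypeError('lastRun.outcomeMsg is neither string nor string[]');
}

// Build the attributes for a write (enable, disable, update): apply the patch and
// normalize lastRun together, so the legacy shape never reaches schema validation.
// The input document is not mutated.
function buildAttributesForWrite(doc: RuleDoc, patch: Partial<RuleAttributes>): RuleAttributes {
  const merged: RuleAttributes = { ...doc.alert, ...patch };
  if (merged.lastRun) {
    merged.lastRun = {
      ...merged.lastRun,
      outcomeMsg: normalizeOutcomeMsg(merged.lastRun.outcomeMsg),
    };
  }
  return merged;
}

// Audit helper: ids of rules whose stored outcomeMsg is still a plain string.
function findNonMigratedRules(docs: RuleDoc[]): string[] {
  return docs
    .filter((doc) => classifyOutcomeMsg(doc.alert.lastRun?.outcomeMsg) === 'legacy-string')
    .map((doc) => doc.id);
}

// Constructed sample documents, modelled on the test document in the PR description.
const LEGACY_RULE: RuleDoc = {
  id: 'alert:constructed-legacy-rule',
  alert: {
    name: 'Test rule 1',
    enabled: false,
    lastRun: {
      outcome: 'failed',
      outcomeMsg: 'security_exception: missing authentication credentials',
      warning: 'read',
      outcomeOrder: 20,
    },
  },
};

const MIGRATED_RULE: RuleDoc = {
  id: 'alert:constructed-migrated-rule',
  alert: {
    name: 'Test rule 2',
    enabled: true,
    lastRun: { outcome: 'warning', outcomeMsg: ['constructed warning message'], outcomeOrder: 10 },
  },
};

const NEVER_RUN_RULE: RuleDoc = {
  id: 'alert:constructed-never-run-rule',
  alert: { name: 'Test rule 3', enabled: false },
};

const SAMPLE_DOCS: RuleDoc[] = [LEGACY_RULE, MIGRATED_RULE, NEVER_RUN_RULE];
```
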
…ated lastRun.outcomeMsg (elastic#258105)

(cherry picked from commit b48ac09)

# Conflicts:
# x-pack/platform/plugins/shared/alerting/server/application/rule/methods/bulk_enable/bulk_enable_rules.test.ts
…n-migrated lastRun.outcomeMsg (#258105) (#259592)

# Backport

This will backport the following commits from `main` to `9.3`:
- [[Security Solution] Fix enable/disable action for rules with non-migrated lastRun.outcomeMsg (#258105)](#258105)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Maxim Palenov <maxim.palenov@elastic.co>
…n-migrated lastRun.outcomeMsg (#258105) (#259661) # Backport This will backport the following commits from `main` to `9.2`: - [[Security Solution] Fix enable/disable action for rules with non-migrated lastRun.outcomeMsg (#258105)](#258105) <!--- Backport version: 11.0.1 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Maxim Palenov","email":"maxim.palenov@elastic.co"},"sourceCommit":{"committedDate":"2026-03-25T14:45:55Z","message":"[Security Solution] Fix enable/disable action for rules with non-migrated lastRun.outcomeMsg (#258105)\n\n**Resolves: https://github.com/elastic/kibana/issues/177852**\n**Relates to: https://github.com/elastic/kibana/pull/251164**\n\n## Summary\n\nThis PR fixes an issue blocking enabling and disabling security rules with non-migrated `lastRun.outcomeMsg` field.\n\n## Details\n\nSome time ago Alerting Framework migrated `lastRun.outcomeMsg` from `string` to `string[]`. At that moment usual migrations were deprecated due to Serverless and model version migration wasn't ready yet. This migration went smoothly thanks to the according changes to the codebase. 
BACKPORT-->
…on-migrated lastRun.outcomeMsg (#258105) (#259662)

# Backport

This will backport the following commits from `main` to `8.19`:
- [[Security Solution] Fix enable/disable action for rules with non-migrated lastRun.outcomeMsg (#258105)](#258105)

<!--- Backport version: 11.0.1 -->

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)
…ated lastRun.outcomeMsg (elastic#258105)

**Resolves: elastic#177852**
**Relates to: elastic#251164**

## Summary

This PR fixes an issue blocking enabling and disabling security rules with non-migrated `lastRun.outcomeMsg` field.

## Details

Some time ago Alerting Framework migrated `lastRun.outcomeMsg` from `string` to `string[]`. At that moment usual migrations were deprecated due to Serverless and model version migration wasn't ready yet. This migration went smoothly thanks to the according changes to the codebase. However, the changes didn't cover customers upgrading from `7.x` stack version and having something written to `lastRun.outcomeMsg`.

elastic#251164 fixed the issue appearing in attempt to update prebuilt rules.

This PR fixes the left issue blocking enabling and disabling non-migrated security rules with `lastRun.outcomeMsg` type `string` field.

## Testing

- Start Kibana
- Log in under `system_indices_superuser` to be able to write to the system indices
- Create a rule by using the command below
- Enable/Disable the rule
- Perform any other bulk and non-bulk actions on the rule

ER: All actions should work without errors.

Without this fix enable/disable action will result in error.

<details>
<summary>ES command to put a non-migrated rule</summary>

```
PUT .kibana_alerting_cases/_doc/alert:d62167ce-1022-4b2c-915d-024fe3e6e557
{
  "alert": {
    "name": "Test rule 1",
    "tags": [],
    "enabled": false,
    "alertTypeId": "siem.queryRule",
    "consumer": "siem",
    "legacyId": null,
    "schedule": {
      "interval": "5m"
    },
    "actions": [],
    "params": {
      "author": [],
      "description": "123",
      "falsePositives": [],
      "from": "now-6m",
      "ruleId": "5ecfb16d-5af2-4a31-b880-319a4a2ca92b",
      "immutable": false,
      "ruleSource": {
        "type": "internal"
      },
      "license": "",
      "outputIndex": "",
      "meta": {
        "kibana_siem_app_url": "http://localhost:5601/kbn/app/security"
      },
      "maxSignals": 100,
      "riskScore": 21,
      "riskScoreMapping": [],
      "severity": "low",
      "severityMapping": [],
      "threat": [],
      "to": "now",
      "references": [],
      "version": 1,
      "exceptionsList": [],
      "relatedIntegrations": [],
      "requiredFields": [],
      "setup": "",
      "type": "query",
      "language": "kuery",
      "index": [
        "apm-*-transaction*",
        "auditbeat-*",
        "endgame-*",
        "filebeat-*",
        "logs-*",
        "packetbeat-*",
        "traces-apm*",
        "winlogbeat-*",
        "-*elastic-cloud-logs-*"
      ],
      "query": "*:*",
      "filters": []
    },
    "mapped_params": {
      "risk_score": 21,
      "severity": "20-low"
    },
    "createdBy": "elastic",
    "updatedBy": "elastic",
    "createdAt": "2026-03-17T10:52:28.688Z",
    "updatedAt": "2026-03-17T10:52:28.688Z",
    "apiKey": null,
    "apiKeyOwner": null,
    "apiKeyCreatedByUser": null,
    "throttle": null,
    "notifyWhen": null,
    "muteAll": false,
    "mutedInstanceIds": [],
    "executionStatus": {
      "status": "pending",
      "lastExecutionDate": "2026-03-17T10:52:28.688Z"
    },
    "monitoring": {
      "run": {
        "history": [],
        "calculated_metrics": {
          "success_ratio": 0
        },
        "last_run": {
          "timestamp": "2026-03-17T10:52:28.688Z",
          "metrics": {
            "duration": 0,
            "total_search_duration_ms": null,
            "total_indexing_duration_ms": null,
            "total_alerts_detected": null,
            "total_alerts_created": null,
            "gap_duration_s": null
          }
        }
      }
    },
    "lastRun": {
      "outcome": "failed",
      "outcomeMsg": "security_exception: [security_exception] Reason: missing authentication credentials for REST request [/_security/user/_has_privileges], caused by: \"\"",
      "warning": "read",
      "alertsCount": {},
      "outcomeOrder": 20
    },
    "snoozeSchedule": [],
    "revision": 0,
    "running": false,
    "artifacts": {
      "dashboards": [],
      "investigation_guide": {
        "blob": ""
      }
    },
    "meta": {
      "versionApiKeyLastmodified": "9.4.0"
    }
  },
  "type": "alert",
  "references": [],
  "managed": false,
  "namespaces": [
    "default"
  ],
  "coreMigrationVersion": "8.8.0",
  "typeMigrationVersion": "10.10.0",
  "updated_at": "2026-03-17T10:52:28.688Z",
  "created_at": "2026-03-17T10:52:28.688Z"
}
```

</details>
**Addresses:** #177852

## Summary

This PR introduces `lastRun.outcomeMsg` from `string` to `string[]` migration on rule update in Alerting Framework. It unlocks the prebuilt rule upgrade workflow for customers migrated from the 7.x stack version.

## Details

Some time ago Alerting Framework migrated `lastRun.outcomeMsg` from `string` to `string[]`. At that moment usual migrations were deprecated due to Serverless and model version migration wasn't ready yet. This migration went smoothly thanks to the according changes to the codebase. However, the changes didn't cover customers upgrading from the `7.x` stack version and having something written to `lastRun.outcomeMsg`.

This PR makes a change only to the `rulesClient.update()` method to migrate `lastRun.outcomeMsg` before it gets written to the new saved object.

Looking through the code, it seems other methods aren't impacted. For example, rule duplication doesn't copy over the `lastRun` field.
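The `string` to `string[]` soft migration described above, sketched as an added example (not Kibana's code; every type and function name here is hypothetical): a scan that flags raw rule documents still carrying a `string` in `lastRun.outcomeMsg`, and a write-time normalizer that wraps it in an array. The sample documents are constructed, with the first one trimmed from the test fixture quoted on this page.

```typescript
// Added example; not Kibana source. All type and function names are hypothetical.

type OutcomeMsg = string | string[] | null | undefined;

interface LastRun {
  outcome?: string;
  outcomeMsg?: OutcomeMsg;
  [key: string]: unknown;
}

interface RuleAttributes {
  name?: string;
  enabled?: boolean;
  lastRun?: LastRun | null;
  [key: string]: unknown;
}

interface RawRuleDoc {
  _id: string;
  _source: { type?: string; alert?: RuleAttributes };
}

// Write-time normalizer: returns the same object when nothing needs to change,
// otherwise a shallow copy whose lastRun.outcomeMsg is a one-element array.
// The input is never mutated, so a failed write cannot leave it half-migrated.
function migrateLastRun(attrs: RuleAttributes): RuleAttributes {
  const lastRun = attrs.lastRun;
  if (!lastRun) {
    return attrs; // absent or null lastRun: nothing to migrate
  }
  const msg = lastRun.outcomeMsg;
  if (typeof msg !== 'string') {
    return attrs; // already string[], or null/undefined
  }
  return { ...attrs, lastRun: { ...lastRun, outcomeMsg: [msg] } };
}

// Audit helper: ids of rule documents whose lastRun.outcomeMsg is still a string.
function findNonMigratedRules(docs: RawRuleDoc[]): string[] {
  return docs
    .filter((doc) => {
      const lastRun = doc._source.alert ? doc._source.alert.lastRun : undefined;
      return doc._source.type === 'alert' && !!lastRun && typeof lastRun.outcomeMsg === 'string';
    })
    .map((doc) => doc._id);
}

// Constructed sample input. LEGACY_DOC is trimmed from the fixture on this page;
// the other ids are placeholders made up for this example.
const LEGACY_DOC: RawRuleDoc = {
  _id: 'alert:d62167ce-1022-4b2c-915d-024fe3e6e557',
  _source: {
    type: 'alert',
    alert: {
      name: 'Test rule 1',
      enabled: false,
      lastRun: {
        outcome: 'failed',
        outcomeMsg:
          'security_exception: [security_exception] Reason: missing authentication credentials for REST request [/_security/user/_has_privileges], caused by: ""',
        warning: 'read',
        outcomeOrder: 20,
      },
    },
  },
};

const MIGRATED_DOC: RawRuleDoc = {
  _id: 'alert:constructed-already-migrated',
  _source: {
    type: 'alert',
    alert: { name: 'Migrated rule', lastRun: { outcome: 'succeeded', outcomeMsg: ['ok'] } },
  },
};

const NEVER_RUN_DOC: RawRuleDoc = {
  _id: 'alert:constructed-never-run',
  _source: { type: 'alert', alert: { name: 'Never executed', lastRun: null } },
};

const SAMPLE_DOCS: RawRuleDoc[] = [LEGACY_DOC, MIGRATED_DOC, NEVER_RUN_DOC];
```

Because the normalizer returns the input unchanged when no migration is needed, a caller can compare references to decide whether a document has to be rewritten.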