[Security Solution] Fix enable/disable action for rules with non-migrated lastRun.outcomeMsg #258105
Pinging @elastic/security-detections-response (Team:Detections and Resp)

Pinging @elastic/security-solution (Team: SecuritySolution)

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

Hi @maximpn

We attempted to set up the PR with the local Kibana environment. At our end, the setup completes without errors, but the UI does not load in the browser. Below are the details for reference:

Kibana Configuration (kibana.yml):

Terminal Output:

Could you please help us identify if anything is missing or misconfigured, or suggest any additional steps to troubleshoot this issue?

Thanks

cc @pborgonovi

I've added labels to create an ECH deployment. You may use this one for testing. Alternatively you may test it locally. In that case you should have When the dependencies are installed to run Kibana may perform the following steps

```
yarn kbn bootstrap && node scripts/build_kibana_platform_plugins
yarn es snapshot --license trial -E xpack.security.authc.api_key.enabled=true
yarn start
```

Hi @maximpn

Thanks for sharing the ECH deployment. We have successfully validated the issue using it, and it was very helpful. We have validated this issue on 9.4.0 snapshot build and verified that issue is fixed there 🟢

Please find below the testing details:

Build details

Observations:

Role Description

```
{
  "system_indices_superuser": {
    "cluster": [],
    "indices": [
      {
        "names": [
          ".kibana_*",
          ".security*",
          ".alerts-*"
        ],
        "privileges": [
          "all"
        ],
        "allow_restricted_indices": true
      }
    ],
    "applications": [
      {
        "application": "kibana-.kibana",
        "privileges": [
          "all"
        ],
        "resources": [
          "*"
        ]
      }
    ],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {
      "enabled": true
    }
  }
}
```

Hence, marking this ticket as QA validated.

Thanks!

cc @pborgonovi

pmuellr
left a comment
Code looks fine, but there should be jest tests and FTs.
💚 Build Succeeded
Metrics [docs]
History
cc @maximpn

Starting backport for target branches: 8.19, 9.2, 9.3

…ated lastRun.outcomeMsg (elastic#258105)

**Resolves: elastic#177852**
**Relates to: elastic#251164**

## Summary

This PR fixes an issue blocking enabling and disabling security rules with non-migrated `lastRun.outcomeMsg` field.

## Details

Some time ago Alerting Framework migrated `lastRun.outcomeMsg` from `string` to `string[]`. At that moment usual migrations were deprecated due to Serverless and model version migration wasn't ready yet. This migration went smoothly thanks to the according changes to the codebase. However, the changes didn't cover customers upgrading from `7.x` stack version and having something written to `lastRun.outcomeMsg`.

elastic#251164 fixed the issue appearing in attempt to update prebuilt rules.

This PR fixes the left issue blocking enabling and disabling non-migrated security rules with `lastRun.outcomeMsg` type `string` field.

## Testing

- Start Kibana
- Log in under `system_indices_superuser` to be able to write to the system indices
- Create a rule by using the command below
- Enable/Disable the rule
- Perform any other bulk and non-bulk actions on the rule

ER: All actions should work without errors.

Without this fix enable/disable action will result in error.

<details>
<summary>ES command to put a non-migrated rule</summary>

```
PUT .kibana_alerting_cases/_doc/alert:d62167ce-1022-4b2c-915d-024fe3e6e557
{
  "alert": {
    "name": "Test rule 1",
    "tags": [],
    "enabled": false,
    "alertTypeId": "siem.queryRule",
    "consumer": "siem",
    "legacyId": null,
    "schedule": { "interval": "5m" },
    "actions": [],
    "params": {
      "author": [],
      "description": "123",
      "falsePositives": [],
      "from": "now-6m",
      "ruleId": "5ecfb16d-5af2-4a31-b880-319a4a2ca92b",
      "immutable": false,
      "ruleSource": { "type": "internal" },
      "license": "",
      "outputIndex": "",
      "meta": { "kibana_siem_app_url": "http://localhost:5601/kbn/app/security" },
      "maxSignals": 100,
      "riskScore": 21,
      "riskScoreMapping": [],
      "severity": "low",
      "severityMapping": [],
      "threat": [],
      "to": "now",
      "references": [],
      "version": 1,
      "exceptionsList": [],
      "relatedIntegrations": [],
      "requiredFields": [],
      "setup": "",
      "type": "query",
      "language": "kuery",
      "index": [
        "apm-*-transaction*",
        "auditbeat-*",
        "endgame-*",
        "filebeat-*",
        "logs-*",
        "packetbeat-*",
        "traces-apm*",
        "winlogbeat-*",
        "-*elastic-cloud-logs-*"
      ],
      "query": "*:*",
      "filters": []
    },
    "mapped_params": { "risk_score": 21, "severity": "20-low" },
    "createdBy": "elastic",
    "updatedBy": "elastic",
    "createdAt": "2026-03-17T10:52:28.688Z",
    "updatedAt": "2026-03-17T10:52:28.688Z",
    "apiKey": null,
    "apiKeyOwner": null,
    "apiKeyCreatedByUser": null,
    "throttle": null,
    "notifyWhen": null,
    "muteAll": false,
    "mutedInstanceIds": [],
    "executionStatus": {
      "status": "pending",
      "lastExecutionDate": "2026-03-17T10:52:28.688Z"
    },
    "monitoring": {
      "run": {
        "history": [],
        "calculated_metrics": { "success_ratio": 0 },
        "last_run": {
          "timestamp": "2026-03-17T10:52:28.688Z",
          "metrics": {
            "duration": 0,
            "total_search_duration_ms": null,
            "total_indexing_duration_ms": null,
            "total_alerts_detected": null,
            "total_alerts_created": null,
            "gap_duration_s": null
          }
        }
      }
    },
    "lastRun": {
      "outcome": "failed",
      "outcomeMsg": "security_exception: [security_exception] Reason: missing authentication credentials for REST request [/_security/user/_has_privileges], caused by: \"\"",
      "warning": "read",
      "alertsCount": {},
      "outcomeOrder": 20
    },
    "snoozeSchedule": [],
    "revision": 0,
    "running": false,
    "artifacts": {
      "dashboards": [],
      "investigation_guide": { "blob": "" }
    },
    "meta": { "versionApiKeyLastmodified": "9.4.0" }
  },
  "type": "alert",
  "references": [],
  "managed": false,
  "namespaces": [ "default" ],
  "coreMigrationVersion": "8.8.0",
  "typeMigrationVersion": "10.10.0",
  "updated_at": "2026-03-17T10:52:28.688Z",
  "created_at": "2026-03-17T10:52:28.688Z"
}
```

</details>

(cherry picked from commit b48ac09)
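
The failure mode described in the commit message above, as an added example that is not Kibana's code: a write-time check that accepts only `string[]` rejects a rule whose stored `lastRun.outcomeMsg` is still a `string`, and a read-time coercion lets the enable/disable write go through. All type and function names are hypothetical, the sample documents are constructed, and the premise that the action validates the stored `lastRun` when it writes is a simplifying assumption.

```typescript
// Added illustration, not Kibana source. Every name below is hypothetical.

interface LastRun {
  outcome: string;
  outcomeMsg?: unknown; // string in non-migrated documents, string[] | null after the migration
  warning?: string | null;
  outcomeOrder?: number;
}

interface RuleDoc {
  id: string;
  attributes: { name: string; enabled: boolean; lastRun?: LastRun | null };
}

// Stand-in for a strict write-time schema: only string[] or null is accepted.
function validateLastRun(lastRun: LastRun | null | undefined): void {
  if (lastRun == null) return;
  const msg = lastRun.outcomeMsg;
  if (msg === null || msg === undefined) return;
  if (!Array.isArray(msg) || !msg.every((m) => typeof m === 'string')) {
    throw new TypeError(`lastRun.outcomeMsg: expected string[] or null, got ${typeof msg}`);
  }
}

// Read-time coercion: wrap a legacy string, pass string arrays through, reject the rest.
function normalizeOutcomeMsg(value: unknown): string[] | null {
  if (value === null || value === undefined) return null;
  if (typeof value === 'string') return [value];
  if (Array.isArray(value) && value.every((m) => typeof m === 'string')) {
    return value as string[];
  }
  throw new TypeError(`lastRun.outcomeMsg: cannot normalize value of type ${typeof value}`);
}

// Returns a copy of the rule with lastRun.outcomeMsg in the migrated shape.
function normalizeRule(doc: RuleDoc): RuleDoc {
  const lastRun = doc.attributes.lastRun;
  if (lastRun == null) return doc;
  return {
    ...doc,
    attributes: {
      ...doc.attributes,
      lastRun: { ...lastRun, outcomeMsg: normalizeOutcomeMsg(lastRun.outcomeMsg) },
    },
  };
}

// Assumption of this model: enable/disable writes the rule back and the
// stored lastRun is validated as part of that write.
function setEnabled(doc: RuleDoc, enabled: boolean, normalize: boolean): RuleDoc {
  const source = normalize ? normalizeRule(doc) : doc;
  const updated: RuleDoc = { ...source, attributes: { ...source.attributes, enabled } };
  validateLastRun(updated.attributes.lastRun);
  return updated;
}

// Inventory helper: ids of rules that still carry the pre-migration string shape.
function findNonMigrated(docs: RuleDoc[]): string[] {
  return docs
    .filter((d) => typeof d.attributes.lastRun?.outcomeMsg === 'string')
    .map((d) => d.id);
}

// Runs the action and reports 'ok' or the validation error message.
function tryEnable(doc: RuleDoc, normalize: boolean): string {
  try {
    setEnabled(doc, true, normalize);
    return 'ok';
  } catch (e) {
    return e instanceof Error ? e.message : String(e);
  }
}

// Constructed sample documents (not taken from a real cluster).
const LEGACY_MSG = 'security_exception: missing authentication credentials';
const LEGACY_RULE: RuleDoc = {
  id: 'rule-legacy',
  attributes: {
    name: 'Test rule 1',
    enabled: false,
    lastRun: { outcome: 'failed', outcomeMsg: LEGACY_MSG, warning: 'read', outcomeOrder: 20 },
  },
};
const MIGRATED_RULE: RuleDoc = {
  id: 'rule-migrated',
  attributes: {
    name: 'Test rule 2',
    enabled: false,
    lastRun: { outcome: 'succeeded', outcomeMsg: ['completed'], outcomeOrder: 0 },
  },
};
const NEVER_RAN_RULE: RuleDoc = {
  id: 'rule-never-ran',
  attributes: { name: 'Test rule 3', enabled: false, lastRun: null },
};
const SAMPLE_RULES: RuleDoc[] = [LEGACY_RULE, MIGRATED_RULE, NEVER_RAN_RULE];
```

`findNonMigrated(SAMPLE_RULES)` flags only the legacy document, and `tryEnable(LEGACY_RULE, false)` returns the validation error while `tryEnable(LEGACY_RULE, true)` returns `'ok'`.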
💔 Some backports could not be created

Note: Successful backport PRs will be merged automatically after passing CI.

Manual backport

To create the backport manually run:

Questions ?

Please refer to the Backport tool documentation

💚 All backports created successfully

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation

…ated lastRun.outcomeMsg (elastic#258105)

(cherry picked from commit b48ac09)

# Conflicts:
#	x-pack/platform/plugins/shared/alerting/server/application/rule/methods/bulk_enable/bulk_enable_rules.test.ts

…ated lastRun.outcomeMsg (elastic#258105)

(cherry picked from commit b48ac09)

# Conflicts:
#	x-pack/platform/plugins/shared/alerting/server/application/rule/methods/bulk_enable/bulk_enable_rules.test.ts

…ated lastRun.outcomeMsg (elastic#258105)

…n-migrated lastRun.outcomeMsg (#258105) (#259592)

# Backport

This will backport the following commits from `main` to `9.3`:
- [[Security Solution] Fix enable/disable action for rules with non-migrated lastRun.outcomeMsg (#258105)](#258105)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Maxim Palenov <maxim.palenov@elastic.co>

…kiness (elastic#259955)

**Resolves: elastic#259634**
**Relates to:** elastic#258105

## Summary

This PR fixes rule's `lastRun.outcomeMsg` functional test flakiness. The flakiness was caused by a race condition between rule execution and setting the legacy `outcomeMsg`'s value.

(cherry picked from commit 737848b)
…n-migrated lastRun.outcomeMsg (#258105) (#259661)

# Backport

This will backport the following commits from `main` to `9.2`:
- [[Security Solution] Fix enable/disable action for rules with non-migrated lastRun.outcomeMsg (#258105)](#258105)

<!--- Backport version: 11.0.1 -->

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)
…on-migrated lastRun.outcomeMsg (#258105) (#259662)

# Backport

This will backport the following commits from `main` to `8.19`:
- [[Security Solution] Fix enable/disable action for rules with non-migrated lastRun.outcomeMsg (#258105)](#258105)

<!--- Backport version: 11.0.1 -->

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)
…kiness (elastic#259955) **Resolves: elastic#259634 **Relates to:** elastic#258105 ## Summary This PR fixes rule's `lastRun.outcomeMsg` functional test flakiness. The flakiness was caused by race condition between rule execution and setting the legacy `outcomeMsg`'s value. (cherry picked from commit 737848b)
…kiness (elastic#259955)

**Resolves:** elastic#259634
**Relates to:** elastic#258105

## Summary

This PR fixes rule's `lastRun.outcomeMsg` functional test flakiness. The flakiness was caused by race condition between rule execution and setting the legacy `outcomeMsg`'s value.
…ated lastRun.outcomeMsg (elastic#258105)

**Resolves:** elastic#177852
**Relates to:** elastic#251164

## Summary

This PR fixes an issue blocking enabling and disabling security rules with non-migrated `lastRun.outcomeMsg` field.

## Details

Some time ago Alerting Framework migrated `lastRun.outcomeMsg` from `string` to `string[]`. At that moment usual migrations were deprecated due to Serverless and model version migration wasn't ready yet. This migration went smoothly thanks to the according changes to the codebase. However, the changes didn't cover customers upgrading from `7.x` stack version and having something written to `lastRun.outcomeMsg`.

elastic#251164 fixed the issue appearing in attempt to update prebuilt rules. This PR fixes the left issue blocking enabling and disabling non-migrated security rules with `lastRun.outcomeMsg` type `string` field.

## Testing

- Start Kibana
- Log in under `system_indices_superuser` to be able to write to the system indices
- Create a rule by using the command below
- Enable/Disable the rule
- Perform any other bulk and non-bulk actions on the rule

ER: All actions should work without errors.
Without this fix enable/disable action will result in error.

<details>
<summary>ES command to put a non-migrated rule</summary>

```
PUT .kibana_alerting_cases/_doc/alert:d62167ce-1022-4b2c-915d-024fe3e6e557
{
  "alert": {
    "name": "Test rule 1",
    "tags": [],
    "enabled": false,
    "alertTypeId": "siem.queryRule",
    "consumer": "siem",
    "legacyId": null,
    "schedule": { "interval": "5m" },
    "actions": [],
    "params": {
      "author": [],
      "description": "123",
      "falsePositives": [],
      "from": "now-6m",
      "ruleId": "5ecfb16d-5af2-4a31-b880-319a4a2ca92b",
      "immutable": false,
      "ruleSource": { "type": "internal" },
      "license": "",
      "outputIndex": "",
      "meta": { "kibana_siem_app_url": "http://localhost:5601/kbn/app/security" },
      "maxSignals": 100,
      "riskScore": 21,
      "riskScoreMapping": [],
      "severity": "low",
      "severityMapping": [],
      "threat": [],
      "to": "now",
      "references": [],
      "version": 1,
      "exceptionsList": [],
      "relatedIntegrations": [],
      "requiredFields": [],
      "setup": "",
      "type": "query",
      "language": "kuery",
      "index": [
        "apm-*-transaction*",
        "auditbeat-*",
        "endgame-*",
        "filebeat-*",
        "logs-*",
        "packetbeat-*",
        "traces-apm*",
        "winlogbeat-*",
        "-*elastic-cloud-logs-*"
      ],
      "query": "*:*",
      "filters": []
    },
    "mapped_params": { "risk_score": 21, "severity": "20-low" },
    "createdBy": "elastic",
    "updatedBy": "elastic",
    "createdAt": "2026-03-17T10:52:28.688Z",
    "updatedAt": "2026-03-17T10:52:28.688Z",
    "apiKey": null,
    "apiKeyOwner": null,
    "apiKeyCreatedByUser": null,
    "throttle": null,
    "notifyWhen": null,
    "muteAll": false,
    "mutedInstanceIds": [],
    "executionStatus": {
      "status": "pending",
      "lastExecutionDate": "2026-03-17T10:52:28.688Z"
    },
    "monitoring": {
      "run": {
        "history": [],
        "calculated_metrics": { "success_ratio": 0 },
        "last_run": {
          "timestamp": "2026-03-17T10:52:28.688Z",
          "metrics": {
            "duration": 0,
            "total_search_duration_ms": null,
            "total_indexing_duration_ms": null,
            "total_alerts_detected": null,
            "total_alerts_created": null,
            "gap_duration_s": null
          }
        }
      }
    },
    "lastRun": {
      "outcome": "failed",
      "outcomeMsg": "security_exception: [security_exception] Reason: missing authentication credentials for REST request [/_security/user/_has_privileges], caused by: \"\"",
      "warning": "read",
      "alertsCount": {},
      "outcomeOrder": 20
    },
    "snoozeSchedule": [],
    "revision": 0,
    "running": false,
    "artifacts": {
      "dashboards": [],
      "investigation_guide": { "blob": "" }
    },
    "meta": { "versionApiKeyLastmodified": "9.4.0" }
  },
  "type": "alert",
  "references": [],
  "managed": false,
  "namespaces": [ "default" ],
  "coreMigrationVersion": "8.8.0",
  "typeMigrationVersion": "10.10.0",
  "updated_at": "2026-03-17T10:52:28.688Z",
  "created_at": "2026-03-17T10:52:28.688Z"
}
```

</details>
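The `string` versus `string[]` mismatch described in the commit message above can be handled on read and audited across rule documents. The following is an added example, not the code from this PR or from Kibana: the function names, the document type and the sample documents are hypothetical, and it assumes rule documents shaped like the `PUT` body above, with `null` standing for an absent message.

```typescript
// Added example (not Kibana source): read `lastRun.outcomeMsg` defensively.
// Assumption: documents have the shape of the PUT body shown on this page.
type RawRuleDoc = {
  _id: string;
  _source: { alert?: { name?: string; lastRun?: { outcome?: string; outcomeMsg?: unknown } | null } };
};
type OutcomeMsgShape = 'migrated' | 'legacy-string' | 'absent' | 'invalid';

// Classify the stored value without trusting the declared schema.
function classifyOutcomeMsg(value: unknown): OutcomeMsgShape {
  if (value === undefined || value === null) return 'absent';
  if (typeof value === 'string') return 'legacy-string';
  if (Array.isArray(value) && value.every((v) => typeof v === 'string')) return 'migrated';
  return 'invalid';
}

// Normalize on read so later validation only ever sees string[] or null.
function normalizeOutcomeMsg(value: unknown): string[] | null {
  switch (classifyOutcomeMsg(value)) {
    case 'absent':
      return null;
    case 'legacy-string':
      return [value as string];
    case 'migrated':
      return value as string[];
    default:
      throw new TypeError(`unexpected lastRun.outcomeMsg of type ${typeof value}`);
  }
}

// Report the ids of rule documents that still carry the pre-migration string form.
function findNonMigrated(docs: RawRuleDoc[]): string[] {
  return docs
    .filter((d) => classifyOutcomeMsg(d._source.alert?.lastRun?.outcomeMsg) === 'legacy-string')
    .map((d) => d._id);
}

// Constructed sample documents (ids and messages are made up for this example).
const sampleDocs: RawRuleDoc[] = [
  { _id: 'alert:legacy-1', _source: { alert: { name: 'Legacy', lastRun: { outcome: 'failed', outcomeMsg: 'security_exception: constructed message' } } } },
  { _id: 'alert:migrated-1', _source: { alert: { name: 'Migrated', lastRun: { outcome: 'failed', outcomeMsg: ['constructed message'] } } } },
  { _id: 'alert:never-ran', _source: { alert: { name: 'New', lastRun: null } } },
];

console.log(findNonMigrated(sampleDocs));
```

Rejecting the `invalid` shape instead of coercing it keeps a malformed document from silently passing as a healthy rule.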

Resolves: #177852
Relates to: #251164
Summary
This PR fixes an issue blocking enabling and disabling security rules with non-migrated `lastRun.outcomeMsg` field.
Details
Some time ago Alerting Framework migrated `lastRun.outcomeMsg` from `string` to `string[]`. At that moment usual migrations were deprecated due to Serverless and model version migration wasn't ready yet. This migration went smoothly thanks to the according changes to the codebase. However, the changes didn't cover customers upgrading from `7.x` stack version and having something written to `lastRun.outcomeMsg`.
#251164 fixed the issue appearing in attempt to update prebuilt rules.
This PR fixes the left issue blocking enabling and disabling non-migrated security rules with `lastRun.outcomeMsg` type `string` field.
Testing
- Start Kibana
- Log in under `system_indices_superuser` to be able to write to the system indices
- Create a rule by using the command below
- Enable/Disable the rule
- Perform any other bulk and non-bulk actions on the rule
ER: All actions should work without errors.
Without this fix enable/disable action will result in error.
ES command to put a non-migrated rule