
[9.2] [Security Solution] Fix enable/disable action for rules with non-migrated lastRun.outcomeMsg (#258105)#259661

Merged
maximpn merged 3 commits into elastic:9.2 from maximpn:backport/9.2/pr-258105 on Mar 27, 2026

Conversation


@maximpn maximpn commented Mar 25, 2026

Backport

This will backport the following commits from main to 9.2:

Questions?

Please refer to the Backport tool documentation

…ated lastRun.outcomeMsg (elastic#258105)

**Resolves:** elastic#177852
**Relates to:** elastic#251164

## Summary

This PR fixes an issue blocking enabling and disabling security rules with a non-migrated `lastRun.outcomeMsg` field.

## Details

Some time ago the Alerting Framework migrated `lastRun.outcomeMsg` from `string` to `string[]`. At that time the usual migrations were deprecated because of Serverless, and model version migrations weren't ready yet. This migration went smoothly thanks to the corresponding changes to the codebase. However, the changes didn't cover customers upgrading from a `7.x` stack version who already had something written to `lastRun.outcomeMsg`.

elastic#251164 fixed the issue that appeared when attempting to update prebuilt rules.

This PR fixes the remaining issue blocking enabling and disabling non-migrated security rules whose `lastRun.outcomeMsg` field is of type `string`.

## Testing

- Start Kibana
- Log in under `system_indices_superuser` to be able to write to the system indices
- Create a rule by using the command below
- Enable/Disable the rule
- Perform any other bulk and non-bulk actions on the rule

ER: All actions should work without errors.

Without this fix, the enable/disable action results in an error.

<details>
  <summary>ES command to put a non-migrated rule</summary>

```
PUT .kibana_alerting_cases/_doc/alert:d62167ce-1022-4b2c-915d-024fe3e6e557
{
    "alert": {
      "name": "Test rule 1",
      "tags": [],
      "enabled": false,
      "alertTypeId": "siem.queryRule",
      "consumer": "siem",
      "legacyId": null,
      "schedule": {
        "interval": "5m"
      },
      "actions": [],
      "params": {
        "author": [],
        "description": "123",
        "falsePositives": [],
        "from": "now-6m",
        "ruleId": "5ecfb16d-5af2-4a31-b880-319a4a2ca92b",
        "immutable": false,
        "ruleSource": {
          "type": "internal"
        },
        "license": "",
        "outputIndex": "",
        "meta": {
          "kibana_siem_app_url": "http://localhost:5601/kbn/app/security"
        },
        "maxSignals": 100,
        "riskScore": 21,
        "riskScoreMapping": [],
        "severity": "low",
        "severityMapping": [],
        "threat": [],
        "to": "now",
        "references": [],
        "version": 1,
        "exceptionsList": [],
        "relatedIntegrations": [],
        "requiredFields": [],
        "setup": "",
        "type": "query",
        "language": "kuery",
        "index": [
          "apm-*-transaction*",
          "auditbeat-*",
          "endgame-*",
          "filebeat-*",
          "logs-*",
          "packetbeat-*",
          "traces-apm*",
          "winlogbeat-*",
          "-*elastic-cloud-logs-*"
        ],
        "query": "*:*",
        "filters": []
      },
      "mapped_params": {
        "risk_score": 21,
        "severity": "20-low"
      },
      "createdBy": "elastic",
      "updatedBy": "elastic",
      "createdAt": "2026-03-17T10:52:28.688Z",
      "updatedAt": "2026-03-17T10:52:28.688Z",
      "apiKey": null,
      "apiKeyOwner": null,
      "apiKeyCreatedByUser": null,
      "throttle": null,
      "notifyWhen": null,
      "muteAll": false,
      "mutedInstanceIds": [],
      "executionStatus": {
        "status": "pending",
        "lastExecutionDate": "2026-03-17T10:52:28.688Z"
      },
      "monitoring": {
        "run": {
          "history": [],
          "calculated_metrics": {
            "success_ratio": 0
          },
          "last_run": {
            "timestamp": "2026-03-17T10:52:28.688Z",
            "metrics": {
              "duration": 0,
              "total_search_duration_ms": null,
              "total_indexing_duration_ms": null,
              "total_alerts_detected": null,
              "total_alerts_created": null,
              "gap_duration_s": null
            }
          }
        }
      },
      "lastRun": {
        "outcome": "failed",
        "outcomeMsg": "security_exception: [security_exception] Reason: missing authentication credentials for REST request [/_security/user/_has_privileges], caused by: \"\"",
        "warning": "read",
        "alertsCount": {},
        "outcomeOrder": 20
      },
      "snoozeSchedule": [],
      "revision": 0,
      "running": false,
      "artifacts": {
        "dashboards": [],
        "investigation_guide": {
          "blob": ""
        }
      },
      "meta": {
        "versionApiKeyLastmodified": "9.4.0"
      }
    },
    "type": "alert",
    "references": [],
    "managed": false,
    "namespaces": [
      "default"
    ],
    "coreMigrationVersion": "8.8.0",
    "typeMigrationVersion": "10.10.0",
    "updated_at": "2026-03-17T10:52:28.688Z",
    "created_at": "2026-03-17T10:52:28.688Z"
  }
```
</details>

(cherry picked from commit b48ac09)

# Conflicts:
#	x-pack/platform/plugins/shared/alerting/server/application/rule/methods/bulk_enable/bulk_enable_rules.test.ts
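The Details section above describes the `string` to `string[]` change of `lastRun.outcomeMsg` that was never applied to documents carried over from 7.x. The TypeScript below is an added illustration, not the PR's code and not Kibana's actual types or fix, of the read-time tolerance such a change needs: a strict check that rejects the legacy shape (the failure mode the PR describes) beside a normaliser that accepts both shapes. The `StoredLastRun`/`LastRun` types and the function names are assumptions; the sample values are taken from the PR's ES command.

```typescript
// Field names follow the PR's sample document; the type itself is an assumption.
interface StoredLastRun {
  outcome: string;
  outcomeMsg?: string | string[] | null; // legacy (7.x-era) docs hold a plain string here
  warning?: string | null;
  alertsCount?: Record<string, number | null>;
  outcomeOrder?: number;
}

// Canonical in-memory shape: `outcomeMsg` is always `string[]` or null.
interface LastRun extends Omit<StoredLastRun, 'outcomeMsg'> {
  outcomeMsg: string[] | null;
}

// Strict validation in the style of a schema that only knows the migrated shape:
// a legacy string is rejected, which is the failure mode the PR describes.
function assertMigratedLastRun(lastRun: StoredLastRun): asserts lastRun is LastRun {
  const msg = lastRun.outcomeMsg;
  if (msg !== undefined && msg !== null && !Array.isArray(msg)) {
    throw new TypeError(`lastRun.outcomeMsg: expected string[], got ${typeof msg}`);
  }
}

// Tolerant normalisation: wrap a legacy string in an array, keep arrays, map absent to null.
function normalizeLastRun(lastRun: StoredLastRun): LastRun {
  const msg = lastRun.outcomeMsg;
  let outcomeMsg: string[] | null;
  if (msg === undefined || msg === null) {
    outcomeMsg = null;
  } else if (Array.isArray(msg)) {
    outcomeMsg = msg.filter((m) => typeof m === 'string');
  } else {
    outcomeMsg = [msg];
  }
  return { ...lastRun, outcomeMsg };
}

// Constructed sample mirroring the non-migrated `lastRun` in the PR's ES command.
const legacyLastRun: StoredLastRun = {
  outcome: 'failed',
  outcomeMsg: 'security_exception: [security_exception] Reason: missing authentication credentials for REST request [/_security/user/_has_privileges], caused by: ""',
  warning: 'read',
  alertsCount: {},
  outcomeOrder: 20,
};

// True when the strict check throws on the given document.
function isRejectedByStrictCheck(lastRun: StoredLastRun): boolean {
  try { assertMigratedLastRun(lastRun); return false; } catch { return true; }
}
```

Running the strict check against the legacy document reproduces the rejection; running it against the normalised document passes, which is the property an enable/disable path needs.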

@pmuellr pmuellr left a comment


LGTM

@maximpn maximpn merged commit d45a454 into elastic:9.2 Mar 27, 2026
14 checks passed
@elasticmachine

💚 Build Succeeded

Metrics [docs]: ✅ unchanged


@maximpn maximpn deleted the backport/9.2/pr-258105 branch March 28, 2026 13:38

Labels

backport This PR is a backport of another PR


3 participants