[Security Solution] Importing Prebuilt Rules Results in Rule ID Conflict Error #200828
Labels
bug
Fixes for quality problems that affect the customer experience
impact:high
Addressing this issue will have a high level of impact on the quality/strength of our product.
Team:Detection Rule Management
Security Detection Rule Management Team
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
triage_needed
Describe the bug:
When attempting to import an exported prebuilt rule (after customization), the system throws an error:
rule_id: "<rule_id>" already exists.
Kibana/Elasticsearch Stack version:
8.x
Steps to reproduce:
Current behavior:
The import process throws an error: rule_id: "<rule_id>" already exists.
Expected behavior:
The import logic should:
-- If the rule_id and version match, allow the import and update the rule accordingly.
-- If the rule_id matches but the version does not, treat the rule as prebuilt with an older version and mark it as:
-- If the rule has diverged (customized fields differ from the base version), mark it as:
-- If the rule_id does not match any known rule, treat it as a custom rule:
Screenshots (if relevant):
Screen.Recording.2024-11-19.at.2.41.01.PM.mov