From 9ad35b84148fb1ea22978f67e3f15f38f5f733cf Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Fri, 18 Oct 2024 23:08:14 +1100
Subject: [PATCH] [8.16] [Defend Workflows] Endpoint advanced options migration
 vs policy re-deployment issue mitigation (#196708) (#196835)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

# Backport

This will backport the following commits from `main` to `8.16`:
- [[Defend Workflows] Endpoint advanced options migration vs policy
re-deployment issue mitigation
(#196708)](https://github.com/elastic/kibana/pull/196708)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Gergő
Ábrahám","email":"gergo.abraham@elastic.co"},"sourceCommit":{"committedDate":"2024-10-18T10:15:00Z","message":"[Defend
Workflows] Endpoint advanced options migration vs policy re-deployment
issue mitigation (#196708)\n\n## Summary\r\n\r\ncloses
https://github.com/elastic/security-team/issues/10851\r\n\r\n>
[!note]\r\n> ⚠️ needs to be included in v8.16\r\n> ⚠️ needs to be merged
this week to avoid
releasing\r\nhttps://github.com/elastic/kibana/pull/195797 on
Serverless\r\n\r\nAs backfilled package policies are not automatically
redeployed (see\r\nhttps://github.com/elastic/kibana/issues/193352),
this PR's goal is to\r\nprovide quick mitigation in the following
matters:\r\n- update default values in the descriptions of advanced
options added in\r\nhttps://github.com/elastic/kibana/pull/195797, to
harmonize with latest\r\nEndpoint changes
(https://github.com/elastic/endpoint-dev/issues/15109)\r\n- remove
backfill/migration of those default values:\r\n- we should be _able_ to
safely remove the backfills, as they have not\r\nyet been released to
serverless. and,\r\n- we _should_ remove them to make sure that when we
update the defaults\r\nin the future and apply the backfill, there will
be a data change that\r\ncould trigger policy re-deployment, in case
data change is what the\r\ntrigger will be in #193352.\r\n - example
scenario of what could go wrong:\r\n - if we'd apply backfill now, the
package won't be redeployed.\r\n- if the user does not touch it until
the next release - no redeploy.\r\n- if #193352 is implemented and uses
data comparison when running\r\nmigrations - again, no redeploy because
we already backfilled the data\r\nmonths before.\r\n - cc @ferullo
@nfritts \r\n- hide banner describing event volume reduction (added
in\r\nhttps://github.com/elastic/kibana/pull/195177, already released
to\r\nserverless, but it is what it is)\r\n\r\n###
Checklist\r\n\r\nDelete any items that are not applicable to this
PR.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"142997925e5aafac306056b00be1789271aa5dd0","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Fleet","v9.0.0","Team:Defend
Workflows","v8.16.0","backport:version"],"title":"[Defend Workflows]
Endpoint advanced options migration vs policy re-deployment issue
mitigation","number":196708,"url":"https://github.com/elastic/kibana/pull/196708","mergeCommit":{"message":"[Defend
Workflows] Endpoint advanced options migration vs policy re-deployment
issue mitigation (#196708)\n\n## Summary\r\n\r\ncloses
https://github.com/elastic/security-team/issues/10851\r\n\r\n>
[!note]\r\n> ⚠️ needs to be included in v8.16\r\n> ⚠️ needs to be merged
this week to avoid
releasing\r\nhttps://github.com/elastic/kibana/pull/195797 on
Serverless\r\n\r\nAs backfilled package policies are not automatically
redeployed (see\r\nhttps://github.com/elastic/kibana/issues/193352),
this PR's goal is to\r\nprovide quick mitigation in the following
matters:\r\n- update default values in the descriptions of advanced
options added in\r\nhttps://github.com/elastic/kibana/pull/195797, to
harmonize with latest\r\nEndpoint changes
(https://github.com/elastic/endpoint-dev/issues/15109)\r\n- remove
backfill/migration of those default values:\r\n- we should be _able_ to
safely remove the backfills, as they have not\r\nyet been released to
serverless. and,\r\n- we _should_ remove them to make sure that when we
update the defaults\r\nin the future and apply the backfill, there will
be a data change that\r\ncould trigger policy re-deployment, in case
data change is what the\r\ntrigger will be in #193352.\r\n - example
scenario of what could go wrong:\r\n - if we'd apply backfill now, the
package won't be redeployed.\r\n- if the user does not touch it until
the next release - no redeploy.\r\n- if #193352 is implemented and uses
data comparison when running\r\nmigrations - again, no redeploy because
we already backfilled the data\r\nmonths before.\r\n - cc @ferullo
@nfritts \r\n- hide banner describing event volume reduction (added
in\r\nhttps://github.com/elastic/kibana/pull/195177, already released
to\r\nserverless, but it is what it is)\r\n\r\n###
Checklist\r\n\r\nDelete any items that are not applicable to this
PR.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"142997925e5aafac306056b00be1789271aa5dd0"}},"sourceBranch":"main","suggestedTargetBranches":["8.16"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/196708","number":196708,"mergeCommit":{"message":"[Defend
Workflows] Endpoint advanced options migration vs policy re-deployment
issue mitigation (#196708)\n\n## Summary\r\n\r\ncloses
https://github.com/elastic/security-team/issues/10851\r\n\r\n>
[!note]\r\n> ⚠️ needs to be included in v8.16\r\n> ⚠️ needs to be merged
this week to avoid
releasing\r\nhttps://github.com/elastic/kibana/pull/195797 on
Serverless\r\n\r\nAs backfilled package policies are not automatically
redeployed (see\r\nhttps://github.com/elastic/kibana/issues/193352),
this PR's goal is to\r\nprovide quick mitigation in the following
matters:\r\n- update default values in the descriptions of advanced
options added in\r\nhttps://github.com/elastic/kibana/pull/195797, to
harmonize with latest\r\nEndpoint changes
(https://github.com/elastic/endpoint-dev/issues/15109)\r\n- remove
backfill/migration of those default values:\r\n- we should be _able_ to
safely remove the backfills, as they have not\r\nyet been released to
serverless. and,\r\n- we _should_ remove them to make sure that when we
update the defaults\r\nin the future and apply the backfill, there will
be a data change that\r\ncould trigger policy re-deployment, in case
data change is what the\r\ntrigger will be in #193352.\r\n - example
scenario of what could go wrong:\r\n - if we'd apply backfill now, the
package won't be redeployed.\r\n- if the user does not touch it until
the next release - no redeploy.\r\n- if #193352 is implemented and uses
data comparison when running\r\nmigrations - again, no redeploy because
we already backfilled the data\r\nmonths before.\r\n - cc @ferullo
@nfritts \r\n- hide banner describing event volume reduction (added
in\r\nhttps://github.com/elastic/kibana/pull/195177, already released
to\r\nserverless, but it is what it is)\r\n\r\n###
Checklist\r\n\r\nDelete any items that are not applicable to this
PR.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"142997925e5aafac306056b00be1789271aa5dd0"}},{"branch":"8.16","label":"v8.16.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Gergő Ábrahám <gergo.abraham@elastic.co>
---
 .../check_registered_types.test.ts            |   2 +-
 .../fleet/server/saved_objects/index.ts       |   9 -
 ...v15_advanced_package_policy_fields.test.ts | 157 ------------------
 .../v15_advanced_package_policy_fields.ts     |  62 -------
 .../policy/models/advanced_policy_schema.ts   |  36 ++--
 .../components/event_merging_banner.tsx       |   4 +-
 .../view/policy_settings_form/constants.ts    |  18 ++
 .../policy_settings_form.test.tsx             |  20 +++
 .../policy_settings_form.tsx                  |   4 +-
 9 files changed, 63 insertions(+), 249 deletions(-)
 delete mode 100644 x-pack/plugins/fleet/server/saved_objects/model_versions/security_solution/v15_advanced_package_policy_fields.test.ts
 delete mode 100644 x-pack/plugins/fleet/server/saved_objects/model_versions/security_solution/v15_advanced_package_policy_fields.ts
 create mode 100644 x-pack/plugins/security_solution/public/management/pages/policy/view/policy_settings_form/constants.ts

diff --git a/src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts b/src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts
index 406f6e4de5af..2eaa14bf24ed 100644
--- a/src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts
+++ b/src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts
@@ -123,7 +123,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "ingest-agent-policies": "5e95e539826a40ad08fd0c1d161da0a4d86ffc6d",
         "ingest-download-sources": "279a68147e62e4d8858c09ad1cf03bd5551ce58d",
         "ingest-outputs": "daafff49255ab700e07491376fe89f04fc998b91",
-        "ingest-package-policies": "dc2af447c335215be2d6f7b7b8d437d05d6a1188",
+        "ingest-package-policies": "53a94064674835fdb35e5186233bcd7052eabd22",
         "ingest_manager_settings": "111a616eb72627c002029c19feb9e6c439a10505",
         "inventory-view": "b8683c8e352a286b4aca1ab21003115a4800af83",
         "kql-telemetry": "93c1d16c1a0dfca9c8842062cf5ef8f62ae401ad",
diff --git a/x-pack/plugins/fleet/server/saved_objects/index.ts b/x-pack/plugins/fleet/server/saved_objects/index.ts
index d1dbeb9d35b6..ffb9381f8b30 100644
--- a/x-pack/plugins/fleet/server/saved_objects/index.ts
+++ b/x-pack/plugins/fleet/server/saved_objects/index.ts
@@ -101,7 +101,6 @@ import {
   migratePackagePolicySetRequiresRootToV8150,
 } from './migrations/to_v8_15_0';
 import { backfillAgentPolicyToV4 } from './model_versions/agent_policy_v4';
-import { packagePolicyV15AdvancedFieldsForEndpointV816 } from './model_versions/security_solution/v15_advanced_package_policy_fields';
 
 /*
  * Saved object types and mappings
@@ -751,14 +750,6 @@ export const getSavedObjectTypes = (
             },
           ],
         },
-        '15': {
-          changes: [
-            {
-              type: 'data_backfill',
-              backfillFn: packagePolicyV15AdvancedFieldsForEndpointV816,
-            },
-          ],
-        },
       },
       migrations: {
         '7.10.0': migratePackagePolicyToV7100,
diff --git a/x-pack/plugins/fleet/server/saved_objects/model_versions/security_solution/v15_advanced_package_policy_fields.test.ts b/x-pack/plugins/fleet/server/saved_objects/model_versions/security_solution/v15_advanced_package_policy_fields.test.ts
deleted file mode 100644
index 795c05966f53..000000000000
--- a/x-pack/plugins/fleet/server/saved_objects/model_versions/security_solution/v15_advanced_package_policy_fields.test.ts
+++ /dev/null
@@ -1,157 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import type { SavedObject } from '@kbn/core-saved-objects-api-server';
-import type { ModelVersionTestMigrator } from '@kbn/core-test-helpers-model-versions';
-import { createModelVersionTestMigrator } from '@kbn/core-test-helpers-model-versions';
-import { set } from '@kbn/safer-lodash-set';
-
-import { getSavedObjectTypes } from '../..';
-
-import type { PackagePolicy } from '../../../../common';
-import { PACKAGE_POLICY_SAVED_OBJECT_TYPE } from '../../../../common';
-
-describe('Defend integration advanced policy fields v8.16.0', () => {
-  const TARGET_MODEL_VERSION = 15;
-
-  let migrator: ModelVersionTestMigrator;
-  let policyConfigSO: SavedObject<PackagePolicy>;
-
-  beforeEach(() => {
-    migrator = createModelVersionTestMigrator({
-      type: getSavedObjectTypes()[PACKAGE_POLICY_SAVED_OBJECT_TYPE],
-    });
-
-    policyConfigSO = {
-      id: 'mock-saved-object-id',
-      attributes: {
-        name: 'Some Policy Name',
-        package: {
-          name: 'endpoint',
-          title: '',
-          version: '',
-        },
-        id: 'endpoint',
-        policy_id: '',
-        policy_ids: [],
-        enabled: true,
-        namespace: '',
-        revision: 0,
-        updated_at: '',
-        updated_by: '',
-        created_at: '',
-        created_by: '',
-        inputs: [
-          {
-            type: 'endpoint',
-            enabled: true,
-            streams: [],
-            config: {
-              policy: {
-                value: {
-                  windows: {},
-                  mac: {},
-                  linux: {},
-                },
-              },
-            },
-          },
-        ],
-      },
-      type: PACKAGE_POLICY_SAVED_OBJECT_TYPE,
-      references: [],
-    };
-  });
-
-  /** Builds object key paths for all parent objects
-   *
-   * @param path e.g. `advanced.events.optionName`
-   * @returns e.g. ['advanced', 'advanced.events']
-   */
-  const getParentObjectKeyPaths = (path: string): string[] =>
-    path
-      .split('.') // ['advanced', 'events', 'optionName']
-      .slice(0, -1) // ['advanced', 'events']
-      .map((parentObject) => path.match(`^.*${parentObject}`)![0]); // ['advanced', 'advanced.events']
-
-  describe(`when updating to model version ${TARGET_MODEL_VERSION}`, () => {
-    describe.each`
-      name                               | path                                        | backfill
-      ${'aggregate_process'}             | ${'advanced.events.aggregate_process'}      | ${false}
-      ${'set_extended_host_information'} | ${'advanced.set_extended_host_information'} | ${true}
-      ${'alerts.hash.md5'}               | ${'advanced.alerts.hash.md5'}               | ${true}
-      ${'alerts.hash.sha1'}              | ${'advanced.alerts.hash.sha1'}              | ${true}
-      ${'events.hash.md5'}               | ${'advanced.events.hash.md5'}               | ${true}
-      ${'events.hash.sha1'}              | ${'advanced.events.hash.sha1'}              | ${true}
-    `(
-      'backfilling `$name` with `$backfill`',
-      ({ path, backfill }: { path: string; backfill: boolean }) => {
-        it('should backfill when there are no advanced options yet', () => {
-          const migratedPolicyConfigSO = migrator.migrate<PackagePolicy, PackagePolicy>({
-            document: policyConfigSO,
-            fromVersion: TARGET_MODEL_VERSION - 1,
-            toVersion: TARGET_MODEL_VERSION,
-          });
-
-          const migratedPolicyConfig = getConfig(migratedPolicyConfigSO);
-
-          expectConfigToHave(migratedPolicyConfig, path, backfill);
-        });
-
-        it.each(getParentObjectKeyPaths(path))(
-          'should backfill without modifying other options in parent object `%s`',
-          (parentObjectKeyPath) => {
-            const policyConfig = getConfig(policyConfigSO);
-            const dummyField = `${parentObjectKeyPath}.cheese`;
-            set(policyConfig.windows, dummyField, 'brie');
-            set(policyConfig.mac, dummyField, 'maasdam');
-            set(policyConfig.linux, dummyField, 'camambert');
-
-            const migratedPolicyConfigSO = migrator.migrate<PackagePolicy, PackagePolicy>({
-              document: policyConfigSO,
-              fromVersion: TARGET_MODEL_VERSION - 1,
-              toVersion: TARGET_MODEL_VERSION,
-            });
-
-            const migratedPolicyConfig = getConfig(migratedPolicyConfigSO);
-
-            expectConfigToHave(migratedPolicyConfig, path, backfill);
-            expect(migratedPolicyConfig.windows).toHaveProperty(dummyField, 'brie');
-            expect(migratedPolicyConfig.mac).toHaveProperty(dummyField, 'maasdam');
-            expect(migratedPolicyConfig.linux).toHaveProperty(dummyField, 'camambert');
-          }
-        );
-
-        it('should not backfill if field is already present', () => {
-          const policyConfig = getConfig(policyConfigSO);
-          set(policyConfig.windows, path, !backfill);
-          set(policyConfig.mac, path, !backfill);
-          set(policyConfig.linux, path, !backfill);
-
-          const migratedPolicyConfigSO = migrator.migrate<PackagePolicy, PackagePolicy>({
-            document: policyConfigSO,
-            fromVersion: TARGET_MODEL_VERSION - 1,
-            toVersion: TARGET_MODEL_VERSION,
-          });
-
-          const migratedPolicyConfig = getConfig(migratedPolicyConfigSO);
-
-          expectConfigToHave(migratedPolicyConfig, path, !backfill);
-        });
-      }
-    );
-  });
-
-  const getConfig = (so: SavedObject<PackagePolicy>) =>
-    so.attributes.inputs[0].config?.policy.value;
-
-  const expectConfigToHave = (config: any, path: string, value: string | boolean) => {
-    for (const os of ['windows', 'mac', 'linux']) {
-      expect(config[os]).toHaveProperty(path, value);
-    }
-  };
-});
diff --git a/x-pack/plugins/fleet/server/saved_objects/model_versions/security_solution/v15_advanced_package_policy_fields.ts b/x-pack/plugins/fleet/server/saved_objects/model_versions/security_solution/v15_advanced_package_policy_fields.ts
deleted file mode 100644
index 1fa21f3c94c1..000000000000
--- a/x-pack/plugins/fleet/server/saved_objects/model_versions/security_solution/v15_advanced_package_policy_fields.ts
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import type {
-  SavedObjectModelDataBackfillFn,
-  SavedObjectUnsanitizedDoc,
-} from '@kbn/core-saved-objects-server';
-
-import type { PackagePolicy } from '../../../../common';
-
-export const packagePolicyV15AdvancedFieldsForEndpointV816: SavedObjectModelDataBackfillFn<
-  PackagePolicy,
-  PackagePolicy
-> = (packagePolicyDoc) => {
-  if (packagePolicyDoc.attributes.package?.name !== 'endpoint') {
-    return { attributes: packagePolicyDoc.attributes };
-  }
-
-  const updatedPackagePolicyDoc: SavedObjectUnsanitizedDoc<PackagePolicy> = packagePolicyDoc;
-
-  const input = updatedPackagePolicyDoc.attributes.inputs[0];
-
-  if (input && input.config) {
-    const policy = input.config.policy.value;
-
-    for (const os of ['windows', 'mac', 'linux']) {
-      const policyPerOs = policy[os];
-
-      policyPerOs.advanced = {
-        set_extended_host_information: true,
-        ...policyPerOs.advanced,
-
-        events: {
-          aggregate_process: false,
-          ...policyPerOs.advanced?.events,
-
-          hash: {
-            md5: true,
-            sha1: true,
-            ...policyPerOs.advanced?.events?.hash,
-          },
-        },
-
-        alerts: {
-          ...policyPerOs.advanced?.alerts,
-
-          hash: {
-            md5: true,
-            sha1: true,
-            ...policyPerOs.advanced?.alerts?.hash,
-          },
-        },
-      };
-    }
-  }
-
-  return { attributes: updatedPackagePolicyDoc.attributes };
-};
diff --git a/x-pack/plugins/security_solution/public/management/pages/policy/models/advanced_policy_schema.ts b/x-pack/plugins/security_solution/public/management/pages/policy/models/advanced_policy_schema.ts
index d948cb5711f3..964936b310a4 100644
--- a/x-pack/plugins/security_solution/public/management/pages/policy/models/advanced_policy_schema.ts
+++ b/x-pack/plugins/security_solution/public/management/pages/policy/models/advanced_policy_schema.ts
@@ -2014,7 +2014,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.windows.advanced.events.aggregate_process',
       {
         defaultMessage:
-          'Reduce event volume by merging related process events into fewer aggregate events. Default is true.',
+          'Reduce event volume by merging related process events into fewer aggregate events. Default is false.',
       }
     ),
   },
@@ -2025,7 +2025,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.linux.advanced.events.aggregate_process',
       {
         defaultMessage:
-          'Reduce event volume by merging related process events into fewer aggregate events. Default is true.',
+          'Reduce event volume by merging related process events into fewer aggregate events. Default is false.',
       }
     ),
   },
@@ -2036,7 +2036,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.mac.advanced.events.aggregate_process',
       {
         defaultMessage:
-          'Reduce event volume by merging related process events into fewer aggregate events. Default is true.',
+          'Reduce event volume by merging related process events into fewer aggregate events. Default is false.',
       }
     ),
   },
@@ -2047,7 +2047,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.windows.advanced.alerts.hash.md5',
       {
         defaultMessage:
-          'Compute and include MD5 hashes in alerts?  This will increase CPU usage and alert sizes.  If any user exceptionlist, trustlist, or blocklists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.  Default: false',
+          'Compute and include MD5 hashes in alerts?  This will increase CPU usage and alert sizes.  If any user exceptionlist, trustlist, or blocklists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.  Default: true',
       }
     ),
   },
@@ -2058,7 +2058,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.windows.advanced.alerts.hash.sha1',
       {
         defaultMessage:
-          'Compute and include SHA-1 hashes in alerts?  This will increase CPU usage and alert sizes.  If any user exceptionlist, trustlist, or blocklists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.  Default: false',
+          'Compute and include SHA-1 hashes in alerts?  This will increase CPU usage and alert sizes.  If any user exceptionlist, trustlist, or blocklists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.  Default: true',
       }
     ),
   },
@@ -2069,7 +2069,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.windows.advanced.events.hash.md5',
       {
         defaultMessage:
-          'Compute and include MD5 hashes for processes and libraries in events?  This will increase CPU usage and event sizes.  Default: false',
+          'Compute and include MD5 hashes for processes and libraries in events?  This will increase CPU usage and event sizes.  Default: true',
       }
     ),
   },
@@ -2080,7 +2080,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.windows.advanced.events.hash.sha1',
       {
         defaultMessage:
-          'Compute and include SHA-1 hashes for processes and libraries in events?  This will increase CPU usage and event sizes.  Default: false',
+          'Compute and include SHA-1 hashes for processes and libraries in events?  This will increase CPU usage and event sizes.  Default: true',
       }
     ),
   },
@@ -2102,7 +2102,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.linux.advanced.alerts.hash.md5',
       {
         defaultMessage:
-          'Compute and include MD5 hashes in alerts?  This will increase CPU usage and alert sizes.  If any user exceptionlist, trustlist, or blocklists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.  Default: false',
+          'Compute and include MD5 hashes in alerts?  This will increase CPU usage and alert sizes.  If any user exceptionlist, trustlist, or blocklists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.  Default: true',
       }
     ),
   },
@@ -2113,7 +2113,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.linux.advanced.alerts.hash.sha1',
       {
         defaultMessage:
-          'Compute and include SHA-1 hashes in alerts?  This will increase CPU usage and alert sizes.  If any user exceptionlist, trustlist, or blocklists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.  Default: false',
+          'Compute and include SHA-1 hashes in alerts?  This will increase CPU usage and alert sizes.  If any user exceptionlist, trustlist, or blocklists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.  Default: true',
       }
     ),
   },
@@ -2124,7 +2124,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.linux.advanced.events.hash.md5',
       {
         defaultMessage:
-          'Compute and include MD5 hashes for processes and libraries in events?  This will increase CPU usage and event sizes.  Default: false',
+          'Compute and include MD5 hashes for processes and libraries in events?  This will increase CPU usage and event sizes.  Default: true',
       }
     ),
   },
@@ -2135,7 +2135,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.linux.advanced.events.hash.sha1',
       {
         defaultMessage:
-          'Compute and include SHA-1 hashes for processes and libraries in events?  This will increase CPU usage and event sizes.  Default: false',
+          'Compute and include SHA-1 hashes for processes and libraries in events?  This will increase CPU usage and event sizes.  Default: true',
       }
     ),
   },
@@ -2157,7 +2157,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.mac.advanced.alerts.hash.md5',
       {
         defaultMessage:
-          'Compute and include MD5 hashes in alerts?  This will increase CPU usage and alert sizes.  If any user exceptionlist, trustlist, or blocklists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.  Default: false',
+          'Compute and include MD5 hashes in alerts?  This will increase CPU usage and alert sizes.  If any user exceptionlist, trustlist, or blocklists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.  Default: true',
       }
     ),
   },
@@ -2168,7 +2168,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.mac.advanced.alerts.hash.sha1',
       {
         defaultMessage:
-          'Compute and include SHA-1 hashes in alerts?  This will increase CPU usage and alert sizes.  If any user exceptionlist, trustlist, or blocklists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.  Default: false',
+          'Compute and include SHA-1 hashes in alerts?  This will increase CPU usage and alert sizes.  If any user exceptionlist, trustlist, or blocklists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.  Default: true',
       }
     ),
   },
@@ -2179,7 +2179,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.mac.advanced.events.hash.md5',
       {
         defaultMessage:
-          'Compute and include MD5 hashes for processes and libraries in events?  This will increase CPU usage and event sizes.  Default: false',
+          'Compute and include MD5 hashes for processes and libraries in events?  This will increase CPU usage and event sizes.  Default: true',
       }
     ),
   },
@@ -2190,7 +2190,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.mac.advanced.events.hash.sha1',
       {
         defaultMessage:
-          'Compute and include SHA-1 hashes for processes and libraries in events?  This will increase CPU usage and event sizes.  Default: false',
+          'Compute and include SHA-1 hashes for processes and libraries in events?  This will increase CPU usage and event sizes.  Default: true',
       }
     ),
   },
@@ -2212,7 +2212,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.windows.advanced.set_extended_host_information',
       {
         defaultMessage:
-          'Include more details about hosts in events? Set to false to receive only id, name and os. Setting to true will increase event size.  Default: false',
+          'Include more details about hosts in events? Set to false to receive only id, name and os. Setting to true will increase event size.  Default: true',
       }
     ),
   },
@@ -2223,7 +2223,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.mac.advanced.set_extended_host_information',
       {
         defaultMessage:
-          'Include more details about hosts in events? Set to false to receive only id, name and os. Setting to true will increase event size.  Default: false',
+          'Include more details about hosts in events? Set to false to receive only id, name and os. Setting to true will increase event size.  Default: true',
       }
     ),
   },
@@ -2234,7 +2234,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.linux.advanced.set_extended_host_information',
       {
         defaultMessage:
-          'Include more details about hosts in events? Set to false to receive only id, name and os. Setting to true will increase event size.  Default: false',
+          'Include more details about hosts in events? Set to false to receive only id, name and os. Setting to true will increase event size.  Default: true',
       }
     ),
   },
diff --git a/x-pack/plugins/security_solution/public/management/pages/policy/view/policy_settings_form/components/event_merging_banner.tsx b/x-pack/plugins/security_solution/public/management/pages/policy/view/policy_settings_form/components/event_merging_banner.tsx
index 26b229e219c2..ec76a416e390 100644
--- a/x-pack/plugins/security_solution/public/management/pages/policy/view/policy_settings_form/components/event_merging_banner.tsx
+++ b/x-pack/plugins/security_solution/public/management/pages/policy/view/policy_settings_form/components/event_merging_banner.tsx
@@ -10,6 +10,7 @@ import { i18n } from '@kbn/i18n';
 import { EuiCallOut, EuiLink, EuiText } from '@elastic/eui';
 import { FormattedMessage } from '@kbn/i18n-react';
 import { useKibana } from '@kbn/kibana-react-plugin/public';
+import { ENDPOINT_VERSION_SUPPORTING_EVENT_MERGING_BY_DEFAULT } from '../constants';
 
 export interface EventMergingBannerProps {
   onDismiss: () => void;
@@ -29,7 +30,7 @@ export const EventMergingBanner = memo<EventMergingBannerProps>(({ onDismiss })
       <EuiText size="s">
         <FormattedMessage
           id="xpack.securitySolution.endpoint.policy.eventMergingBanner.body"
-          defaultMessage="Elastic Agent 8.16+ produces less telemetry without reducing system visibility, which may impact existing event filters. For more about these changes and how to adjust your settings, visit our {documentation}."
+          defaultMessage="Elastic Agent {minVersion}+ produces less telemetry without reducing system visibility, which may impact existing event filters. For more about these changes and how to adjust your settings, visit our {documentation}."
           values={{
             documentation: (
               <EuiLink
@@ -43,6 +44,7 @@ export const EventMergingBanner = memo<EventMergingBannerProps>(({ onDismiss })
                 />
               </EuiLink>
             ),
+            minVersion: ENDPOINT_VERSION_SUPPORTING_EVENT_MERGING_BY_DEFAULT,
           }}
         />
       </EuiText>
diff --git a/x-pack/plugins/security_solution/public/management/pages/policy/view/policy_settings_form/constants.ts b/x-pack/plugins/security_solution/public/management/pages/policy/view/policy_settings_form/constants.ts
new file mode 100644
index 000000000000..19f1e36163aa
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/management/pages/policy/view/policy_settings_form/constants.ts
@@ -0,0 +1,18 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+/**
+ * Event merging banner is hidden temporarily for 8.16 (and serverless).
+ * Probably will be enabled for 8.17 or 8.18, when we can change the defaults and trigger policy deploy by migration.
+ * Blocker issue: https://github.com/elastic/kibana/issues/193352
+ */
+export const ALLOW_SHOWING_EVENT_MERGING_BANNER = false;
+
+/**
+ * The version from which we decrease event volume by default.
+ */
+export const ENDPOINT_VERSION_SUPPORTING_EVENT_MERGING_BY_DEFAULT = '8.17';
diff --git a/x-pack/plugins/security_solution/public/management/pages/policy/view/policy_settings_form/policy_settings_form.test.tsx b/x-pack/plugins/security_solution/public/management/pages/policy/view/policy_settings_form/policy_settings_form.test.tsx
index d2e4c58adfb5..19a5ec8e6df3 100644
--- a/x-pack/plugins/security_solution/public/management/pages/policy/view/policy_settings_form/policy_settings_form.test.tsx
+++ b/x-pack/plugins/security_solution/public/management/pages/policy/view/policy_settings_form/policy_settings_form.test.tsx
@@ -27,6 +27,13 @@ import type { IStorageWrapper } from '@kbn/kibana-utils-plugin/public';
 
 jest.mock('../../../../../common/hooks/use_license');
 
+const mockAllowShowingEventMergingBannerConstantGetter = jest.fn();
+jest.mock('./constants', () => ({
+  get ALLOW_SHOWING_EVENT_MERGING_BANNER() {
+    return mockAllowShowingEventMergingBannerConstantGetter();
+  },
+}));
+
 describe('Endpoint Policy Settings Form', () => {
   const testSubj = getPolicySettingsFormTestSubjects('test');
 
@@ -50,10 +57,23 @@ describe('Endpoint Policy Settings Form', () => {
       'data-test-subj': 'test',
     };
 
+    mockAllowShowingEventMergingBannerConstantGetter.mockReturnValue(false);
+
     render = () => (renderResult = mockedContext.render(<PolicySettingsForm {...formProps} />));
   });
 
   describe('event merging banner', () => {
+    beforeEach(() => {
+      mockAllowShowingEventMergingBannerConstantGetter.mockReturnValue(true);
+    });
+
+    it('should hide the banner if its not allowed to be displayed', () => {
+      mockAllowShowingEventMergingBannerConstantGetter.mockReturnValue(false);
+
+      render();
+
+      expect(renderResult.queryByTestId('eventMergingCallout')).not.toBeInTheDocument();
+    });
     it('should show the event merging banner for 8.16 if it has never been dismissed', () => {
       render();
 
diff --git a/x-pack/plugins/security_solution/public/management/pages/policy/view/policy_settings_form/policy_settings_form.tsx b/x-pack/plugins/security_solution/public/management/pages/policy/view/policy_settings_form/policy_settings_form.tsx
index 7d83170df2d2..619ba07346f4 100644
--- a/x-pack/plugins/security_solution/public/management/pages/policy/view/policy_settings_form/policy_settings_form.tsx
+++ b/x-pack/plugins/security_solution/public/management/pages/policy/view/policy_settings_form/policy_settings_form.tsx
@@ -26,6 +26,7 @@ import { MalwareProtectionsCard } from './components/cards/malware_protections_c
 import type { PolicyFormComponentCommonProps } from './types';
 import { AdvancedSection } from './components/advanced_section';
 import { useTestIdGenerator } from '../../../../hooks/use_test_id_generator';
+import { ALLOW_SHOWING_EVENT_MERGING_BANNER } from './constants';
 
 const PROTECTIONS_SECTION_TITLE = i18n.translate(
   'xpack.securitySolution.endpoint.policy.details.protections',
@@ -45,7 +46,8 @@ export const PolicySettingsForm = memo<PolicySettingsFormProps>((props) => {
 
   const { storage } = useKibana().services;
   const [showEventMergingBanner, setShowEventMergingBanner] = useState(
-    storage.get('securitySolution.showEventMergingBanner') ?? true
+    ALLOW_SHOWING_EVENT_MERGING_BANNER &&
+      (storage.get('securitySolution.showEventMergingBanner') ?? true)
   );
   const onBannerDismiss = useCallback(() => {
     setShowEventMergingBanner(false);