Description
When the user creates a new Elastic Defend integration policy, it will upgrade all the installed prebuilt rules to their latest versions (if any new versions are available). During the upgrade:
- On v8.16.x, v8.17.x:
  - the upgraded rules will lose rule actions and exceptions if any were added by the user
- On v8.18.0, v9.0.0:
  - the upgraded rules will lose rule actions and exceptions if any were added by the user
  - the upgraded rules will lose user customizations, if any other rule fields were customized by the user
- In Serverless at this moment:
  - the upgraded rules will lose rule actions and exceptions if any were added by the user
  - the upgraded rules will lose user customizations, if any other rule fields were customized by the user
We should add a known issue about that to the following release notes: v8.16.6, v8.17.4, v8.17.5, v8.18.0, v9.0.0, Serverless.
The bug will be fixed in: v8.17.6, v8.18.1, v9.0.1, as well as in Serverless as soon as possible.
Workaround:
Before adding the Elastic Defend integration to a policy in Fleet, apply the pending prebuilt rule updates to prevent exceptions and actions from being overwritten.
Resources
Related issue: https://github.com/elastic/security-team/issues/7216
PR with a fix: elastic/kibana#217959
Which documentation set does this change impact?
Elastic On-Prem and Cloud (all)
Feature differences
What release is this request related to?
N/A
Collaboration model
The documentation team
Point of contact.
Main contact: @xcrzx
Stakeholders: @approksiu, @banderror