[Security Solution][Detections] ML Rules configured with incorrect ML Job ID

[spong]

When the 7.13 rules were added (#98975), there were four ML Rules that ended up with incorrectly configured ML Job ID's, using -'s instead of _'s. As a result, when enabled the rule will fail to execute and display the following error message:

An error occurred during rule execution: message: "rare-destination-country missing" name: "Network Traffic to Rare Destination Country" id: "ab5b9612-cd61-11eb-b57c-fbc45cd7b06b" rule id: "35f86980-1fb1-4dff-b311-3be941549c8d" signals index: ".siem-signals-spong-default"

Workaround is to duplicate the rule (since pre-packaged rules cannot be edited), and to select the correct ML Job ID.

The Rules affected include:

"machine_learning_job_id": "high-count-by-destination-country" (Kibana Rule)
"machine_learning_job_id": "high-count-network-denies" (Kibana Rule)
"machine_learning_job_id": "high-count-network-events" (Kibana Rule)
"machine_learning_job_id": "rare-destination-country" (Kibana Rule)

Rule enabled showing error message, incorrect ML Job text, and correct job text from ML Job Settings UI:

(Note how the ML Job text is not a link and does not have a Started/Stopped badge next to it.)

cc @randomuserid

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[rw-access]

@spong are you okay if I move this issue to detection-rules and we fix it there?

[spong]

@spong are you okay if I move this issue to detection-rules and we fix it there?

So long as we still have a Kibana issue open for tracking them making it into the kibana pre-packaged rules that's okay with me. 👍

[spong]

Resolved in 7.13.3 as of #103695

And resolved in 7.14 as of #101846