[Security Solution]Enable the Export option under Bulk if there is Custom Rule under Selection

[ghost]

Describe the bug
Enable the Export action under bulk for Elastic Rule if there is Custom Rule under selection

Build Details

Version:8.2.0 SNAPSHOT
Commit:e1578ee2b5b4dfbab59113a9c58854799f4f7b42
Build:51037

Steps

• Login to Kibana
• Navigate to Alert page and make a duplicate rule from the Endpoint Security
• Search for Endpoint Security in Rule Details page search bar
• Now select two rule for Bulk Action
  • Endpoint Security (Built in Elastic Rule) : Export Action disabled for it
  • Endpoint Security [ Duplicate ] (Custom Rule): Export Rule work on it
• Now click on Bulk actions and check the Export action
• Observed that Export action should be Enabled so that user can at least Export the Custom which is permit-able to do and for the Elastic Rule selection Warning of Operation not permit-able can display Just like Tag, Add Index Bulk Action work flow

Screen-Cast

Export-Action.mp4

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[vitaliidm]

@yiyangliu9286 , @jethr0null can you please look at this one. What should be expected behaviour in this case?

Currently, for export action, if not all rules selected and any of rule is prebuilt, export button is disabled.
If users select all rules: export is always enabled.

It seems too restirctive condition for disabling export.

I would suggest:

• let's disable export only in case if: not all rules selected, and all of the selected are prebuilt
• if users try to export rules, they will see message something like

Successfully exported 5 of 10 rules.

I propose this approach, instead of one described in ticket(make it similar to edit actions):

Observed that Export action should be Enabled so that user can at least Export the Custom which is permit-able to do and for the Elastic Rule selection Warning of Operation not permit-able can display Just like Tag, Add Index Bulk Action work flow
because

• implementing behaviour similar to edit action would be time consuming(export is a separate case of bulk action that uses different underlying API to the rest of action: enable/disable/edit/etc)
• the current way it works: displays how many rules out of selected number were successfully exported, seems as a sufficient way to approach exporting
  https://user-images.githubusercontent.com/92328789/175579714-ab90ef28-405d-4bde-a340-a9315e69224d.mov

[yiyangliu9286]

@yiyangliu9286 , @jethr0null can you please look at this one. What should be expected behaviour in this case?

Currently, for export action, if not all rules selected and any of rule is prebuilt, export button is disabled. If users select all rules: export is always enabled.

It seems too restirctive condition for disabling export.

I would suggest:

• let's disable export only in case if: not all rules selected, and all of the selected are prebuilt
• if users try to export rules, they will see message something like

Successfully exported 5 of 10 rules.

I propose this approach, instead of one described in ticket(make it similar to edit actions):

Observed that Export action should be Enabled so that user can at least Export the Custom which is permit-able to do and for the Elastic Rule selection Warning of Operation not permit-able can display Just like Tag, Add Index Bulk Action work flow
because

• implementing behaviour similar to edit action would be time consuming(export is a separate case of bulk action that uses different underlying API to the rest of action: enable/disable/edit/etc)
• the current way it works: displays how many rules out of selected number were successfully exported, seems as a sufficient way to approach exporting
  https://user-images.githubusercontent.com/92328789/175579714-ab90ef28-405d-4bde-a340-a9315e69224d.mov

Thanks for giving suggestion for this improvement @vitaliidm! I'd say we should keep the bulk action experience consistent with other bulk actions like what it describes in this GH for export as well. So when users select bulk export not all rules selected and any of rule is prebuilt, we'll populate the same modal for them:

and that the number of selected custom rules will be edited if users agree on this action, so that the behaviour for bulk actions are consistent.

[vitaliidm]

per discussion with @elastic/security-detections-response-rules:

1. we won't need dry run action here, because export doesn't nutate state
2. once user click on export, we download file in browser, read it, and display message to user how many rules can/can't be exported
3. since all failed export are immutable rules, we can safely display immutable message error to users in modal window
4. user can proceed with download of exported rules OR cancel export action, thus experience will become consistent with bulk edit

[vitaliidm]

@yiyangliu9286, should we also change a behaviour for a single rule export?
Currently, if this rule is immutable, export option is disabled.

In my opinion, it's looks good, as user don't need to do extra click on menu item to know this rule can't be exported.
But it would be slightly inconsistent with bulk export experience.
Here is, how it's working with the recent changes:

Screen.Recording.2022-07-18.at.17.36.08.mov

What do you think can be the best solution?

1. Leave it as it is
2. Add dialog for a single rule export
3. Do not show dialog for bulk export, if all selected rules are immutabe

[yiyangliu9286]

@yiyangliu9286, should we also change a behaviour for a single rule export? Currently, if this rule is immutable, export option is disabled.

In my opinion, it's looks good, as user don't need to do extra click on menu item to know this rule can't be exported. But it would be slightly inconsistent with bulk export experience. Here is, how it's working with the recent changes:

Screen.Recording.2022-07-18.at.17.36.08.mov
What do you think can be the best solution?

1. Leave it as it is
2. Add dialog for a single rule export
3. Do not show dialog for bulk export, if all selected rules are immutabe

Thanks for the question. Yes I think the biggest problem right here is the inconsistency for how we treat and let users know that for prebuilt/immutable rules they cannot do single and bulk actions.

However I am leaning towards to leave as it is for now (because I don't see there would be strong negative or blocker for users to see a disable button since immutable rules cannot be edited anyway), and it would be nice if we have time or bandwidth, to Add the same dialog for a single rule export as a future direction to go for but I agree it's not critical for now.

[vitaliidm]

@karanbirsingh-qasource, issue has been addressed in #136418

[ghost]

Hi @vitaliidm

thanks for updating.

we have validated this issue on mains branch and found it fixed . export option is enabled and after ward message of only custom rule can be exported and not the elastic ones which are selected in bulk action.

Build Details:
Mains branch

Snap-Shoot:

Hence we are closing this issue and adding "QA:Validated" tag to it.

thanks !!

c.c @MadameSheema

[ghost]

Hi @MadameSheema

we have validated this issue on 8.4.0 BC1 and found the issue to be fixed ✔️ .

Build Details:

Version:8.4.0 BC1
Commit:58f7eaf0f8dc3c43cbfcd393e587f155e97b3d0d
Build:54999

Snap-Shoot/Screen-Cast

Hence we are closing this issue and adding "QA:Validated" tag to it.

thanks !!