[Streams][SigEvents] Prevent editing feature of significant event queries#249716
Merged
cesco-f merged 2 commits intoelastic:mainfrom Jan 21, 2026
Merged
[Streams][SigEvents] Prevent editing feature of significant event queries#249716cesco-f merged 2 commits intoelastic:mainfrom
cesco-f merged 2 commits intoelastic:mainfrom
Conversation
cesco-f
added
release_note:skip
github-actions
bot
added
the
author:actionable-obs
Contributor
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]Async chunks
|
cesco-f
added
release_note:fix
backport:version
Contributor
I thought we’d have the same problem when updating the feature’s filter itself, but since we save the feature by value rather than reference, it continues to work as expected. This does however create an inconsistency in the UI, a feature can be attached to a query with an active filter that was updated but this update is not reflected in the query (in the alert rule and Discover link) |
Contributor
|
Starting backport for target branches: 9.3 |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Jan 21, 2026
…ries (elastic#249716) ### Summary This PR prevents modifying the `feature` field of existing significant event queries in both the UI and API. Feature selection remains available when **creating** new significant events, but becomes read-only when **editing** existing ones. ### Background When creating a significant event, a detection rule is created combining the KQL query with the feature condition. The rule ID is generated from the `ASSET_UUID` and `kql.query` only - it does not include the `feature` field. When the feature changes, the rule ID stays the same, causing alerts from the previous rule configuration to still appear. Since features are being removed from significant events, this is a temporary fix to prevent the bug from occurring. Before: https://github.com/user-attachments/assets/bf5e21ea-c55e-487c-9f32-163d767b13ad After: https://github.com/user-attachments/assets/268f4e65-1861-4a46-b07b-9473238995df (cherry picked from commit 2a33453)
Contributor
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
Merged
10 tasks
kibanamachine
added a commit
that referenced
this pull request
Jan 21, 2026
…nt queries (#249716) (#249879) # Backport This will backport the following commits from `main` to `9.3`: - [[Streams][SigEvents] Prevent editing feature of significant event queries (#249716)](#249716) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Francesco Fagnani","email":"fagnani.francesco@gmail.com"},"sourceCommit":{"committedDate":"2026-01-21T14:02:28Z","message":"[Streams][SigEvents] Prevent editing feature of significant event queries (#249716)\n\n### Summary\n\nThis PR prevents modifying the `feature` field of existing significant\nevent queries in both the UI and API. Feature selection remains\navailable when **creating** new significant events, but becomes\nread-only when **editing** existing ones.\n\n### Background\n\nWhen creating a significant event, a detection rule is created combining\nthe KQL query with the feature condition. The rule ID is generated from\nthe `ASSET_UUID` and `kql.query` only - it does not include the\n`feature` field. When the feature changes, the rule ID stays the same,\ncausing alerts from the previous rule configuration to still appear.\n\nSince features are being removed from significant events, this is a\ntemporary fix to prevent the bug from occurring.\n\nBefore:\n\n\nhttps://github.com/user-attachments/assets/bf5e21ea-c55e-487c-9f32-163d767b13ad\n\nAfter:\n\n\nhttps://github.com/user-attachments/assets/268f4e65-1861-4a46-b07b-9473238995df","sha":"2a334537c8304aff48176fa671fc3698fd2f393a","branchLabelMapping":{"^v9.4.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","backport:version","v9.4.0","author:actionable-obs","Feature:SigEvents","v9.3.1"],"title":"[Streams][SigEvents] Prevent editing feature of significant event queries","number":249716,"url":"https://github.com/elastic/kibana/pull/249716","mergeCommit":{"message":"[Streams][SigEvents] Prevent editing feature of significant event queries (#249716)\n\n### Summary\n\nThis PR prevents modifying the `feature` field of existing significant\nevent queries in both the UI and API. Feature selection remains\navailable when **creating** new significant events, but becomes\nread-only when **editing** existing ones.\n\n### Background\n\nWhen creating a significant event, a detection rule is created combining\nthe KQL query with the feature condition. The rule ID is generated from\nthe `ASSET_UUID` and `kql.query` only - it does not include the\n`feature` field. When the feature changes, the rule ID stays the same,\ncausing alerts from the previous rule configuration to still appear.\n\nSince features are being removed from significant events, this is a\ntemporary fix to prevent the bug from occurring.\n\nBefore:\n\n\nhttps://github.com/user-attachments/assets/bf5e21ea-c55e-487c-9f32-163d767b13ad\n\nAfter:\n\n\nhttps://github.com/user-attachments/assets/268f4e65-1861-4a46-b07b-9473238995df","sha":"2a334537c8304aff48176fa671fc3698fd2f393a"}},"sourceBranch":"main","suggestedTargetBranches":["9.3"],"targetPullRequestStates":[{"branch":"main","label":"v9.4.0","branchLabelMappingKey":"^v9.4.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/249716","number":249716,"mergeCommit":{"message":"[Streams][SigEvents] Prevent editing feature of significant event queries (#249716)\n\n### Summary\n\nThis PR prevents modifying the `feature` field of existing significant\nevent queries in both the UI and API. Feature selection remains\navailable when **creating** new significant events, but becomes\nread-only when **editing** existing ones.\n\n### Background\n\nWhen creating a significant event, a detection rule is created combining\nthe KQL query with the feature condition. The rule ID is generated from\nthe `ASSET_UUID` and `kql.query` only - it does not include the\n`feature` field. When the feature changes, the rule ID stays the same,\ncausing alerts from the previous rule configuration to still appear.\n\nSince features are being removed from significant events, this is a\ntemporary fix to prevent the bug from occurring.\n\nBefore:\n\n\nhttps://github.com/user-attachments/assets/bf5e21ea-c55e-487c-9f32-163d767b13ad\n\nAfter:\n\n\nhttps://github.com/user-attachments/assets/268f4e65-1861-4a46-b07b-9473238995df","sha":"2a334537c8304aff48176fa671fc3698fd2f393a"}},{"branch":"9.3","label":"v9.3.1","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> --------- Co-authored-by: Francesco Fagnani <fagnani.francesco@gmail.com> Co-authored-by: Francesco Fagnani <francesco.fagnani@elastic.co>
qn895
pushed a commit
to qn895/kibana
that referenced
this pull request
Jan 22, 2026
…ries (elastic#249716) ### Summary This PR prevents modifying the `feature` field of existing significant event queries in both the UI and API. Feature selection remains available when **creating** new significant events, but becomes read-only when **editing** existing ones. ### Background When creating a significant event, a detection rule is created combining the KQL query with the feature condition. The rule ID is generated from the `ASSET_UUID` and `kql.query` only - it does not include the `feature` field. When the feature changes, the rule ID stays the same, causing alerts from the previous rule configuration to still appear. Since features are being removed from significant events, this is a temporary fix to prevent the bug from occurring. Before: https://github.com/user-attachments/assets/bf5e21ea-c55e-487c-9f32-163d767b13ad After: https://github.com/user-attachments/assets/268f4e65-1861-4a46-b07b-9473238995df
dennis-tismenko
pushed a commit
to dennis-tismenko/kibana
that referenced
this pull request
Jan 22, 2026
…ries (elastic#249716) ### Summary This PR prevents modifying the `feature` field of existing significant event queries in both the UI and API. Feature selection remains available when **creating** new significant events, but becomes read-only when **editing** existing ones. ### Background When creating a significant event, a detection rule is created combining the KQL query with the feature condition. The rule ID is generated from the `ASSET_UUID` and `kql.query` only - it does not include the `feature` field. When the feature changes, the rule ID stays the same, causing alerts from the previous rule configuration to still appear. Since features are being removed from significant events, this is a temporary fix to prevent the bug from occurring. Before: https://github.com/user-attachments/assets/bf5e21ea-c55e-487c-9f32-163d767b13ad After: https://github.com/user-attachments/assets/268f4e65-1861-4a46-b07b-9473238995df
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR prevents modifying the
featurefield of existing significant event queries in both the UI and API. Feature selection remains available when creating new significant events, but becomes read-only when editing existing ones.Background
When creating a significant event, a detection rule is created combining the KQL query with the feature condition. The rule ID is generated from the
ASSET_UUIDandkql.queryonly - it does not include thefeaturefield. When the feature changes, the rule ID stays the same, causing alerts from the previous rule configuration to still appear.Since features are being removed from significant events, this is a temporary fix to prevent the bug from occurring.
Before:
Screen.Recording.2026-01-20.at.14.15.51.mov
After:
Screen.Recording.2026-01-20.at.14.14.53.mov