[Security Solution] Unclear confirmation message when bulk updating index patterns for detection rules #237635

@sdesalas

Description

Relates to: #236572

Summary

During bulk update of multiple detection rules, users sometimes receive a message that is hard to understand.

"If you did not select to apply changes to rules using Kibana data views, those rules were not updated and will continue using data views. "

Screenshot

The message here is addressing an edge-case where a user bulk-updates detection rules by adding or modifying an index, and at least one of those rules has an associated data view. We are basically telling the user that the rule will not be updated with the index changes, unless they ticked a checkbox in the previous step called Apply changes to rules configured with data views.

However, it's unlikely this message will be very useful:

  • If the user DOES know about the checkbox in the last step: This message is redundant.
  • If the user DOESN'T know about the checkbox in the last step: This message is confusing.

Besides, the confirmation dialog only appears for a few seconds, not giving users a chance to fully digest the message. It also contains a double negative "if you did not... those rules were not", which is likely to throw most users off.

How to reproduce:

Please check out the main branch and run Kibana locally.

  1. Security App > Rules > Detection Rules (SIEM)
  2. Create a new rule that uses a data view instead of an index pattern.
  3. Select the rule you just created.
  4. Go to Bulk actions > Index patterns > Add Index patterns
  5. Add an index pattern (e.g. test123-*) > Save

Expected Result

  • Message: "1 rule was skipped." (or some other simple message that is easy to digest)

Actual Result

  • Message: "1 rule was skipped. If you did not select to apply changes to rules using Kibana data views, those rules were not updated and will continue using data views. " (hard to understand)

Kibana/Elasticsearch Stack version:

9.2.0 / main

Potential approaches:

Some potential solutions here (this is not an exhaustive list, please discuss tradeoffs below).

  1. Simplify the message.
  2. Remove the message.
  3. Keep the message, but increase toast duration.

Whatever provides most value / least confusion in terms of UX.

Screenshots

Screen.Recording.2025-10-06.at.15.27.25.mov

Labels

  • Feature:Rule Management
  • Team: SecuritySolution
  • Team:Detection Rule Management
  • Team:Detections and Resp
  • bug
  • good first issue
  • impact:low