elastic · maximpn · Mar 5, 2025 · Feb 19, 2025 · Feb 13, 2025 · Feb 13, 2025
@@ -145,5 +145,6 @@ export interface ThreeWayDiff<TValue> {
  * Given the three versions of a value, calculates a three-way diff for it.
  */
 export type ThreeWayDiffAlgorithm<TValue> = (
-  versions: ThreeVersionsOf<TValue>
+  versions: ThreeVersionsOf<TValue>,
+  isRuleCustomized: boolean
 ) => ThreeWayDiff<TValue>;
@@ -10,7 +10,7 @@ import { SortOrder, type RuleObjectId, type RuleSignatureId, type RuleTagArray }
 import type { PartialRuleDiff } from '../model';
 import type { RuleResponse, RuleVersion } from '../../model/rule_schema';
 import { FindRulesSortField } from '../../rule_management';
-import { PrebuiltRulesFilter } from '../common/prebuilt_rules_filter';
+import { ReviewPrebuiltRuleUpgradeFilter } from '../common/review_prebuilt_rules_upgrade_filter';
 
 export type ReviewRuleUpgradeSort = z.infer<typeof ReviewRuleUpgradeSort>;
 export const ReviewRuleUpgradeSort = z.object({
@@ -27,7 +27,7 @@ export const ReviewRuleUpgradeSort = z.object({
 export type ReviewRuleUpgradeRequestBody = z.infer<typeof ReviewRuleUpgradeRequestBody>;
 export const ReviewRuleUpgradeRequestBody = z
   .object({
-    filter: PrebuiltRulesFilter.optional(),
+    filter: ReviewPrebuiltRuleUpgradeFilter.optional(),
     sort: ReviewRuleUpgradeSort.optional(),
 
     page: z.coerce.number().int().min(1).optional().default(1),
@@ -89,4 +89,5 @@ export interface RuleUpgradeInfoForReview {
   target_rule: RuleResponse;
   diff: PartialRuleDiff;
   revision: number;
+  has_base_version: boolean;
 }
@@ -11,6 +11,7 @@ import {
   EuiCallOut,
   EuiFlexGroup,
   EuiFlexItem,
+  EuiLink,
   EuiResizableContainer,
   EuiSpacer,
   EuiTab,
@@ -75,6 +76,8 @@ import { usePrebuiltRulesCustomizationStatus } from '../../../rule_management/lo
 import { PrebuiltRulesCustomizationDisabledReason } from '../../../../../common/detection_engine/prebuilt_rules/prebuilt_rule_customization_status';
 import { ALERT_SUPPRESSION_FIELDS_FIELD_NAME } from '../../../rule_creation/components/alert_suppression_edit';
 import { usePrebuiltRuleCustomizationUpsellingMessage } from '../../../rule_management/logic/prebuilt_rules/use_prebuilt_rule_customization_upselling_message';
+import { usePrebuiltRulesUpgrade } from '../../../rule_management_ui/components/rules_table/upgrade_prebuilt_rules_table/use_prebuilt_rules_upgrade';
+import { HasRuleUpdateCallout } from '../../../rule_management_ui/components/rule_update_callouts/has_rule_update_callout';
 
 const EditRulePageComponent: FC<{ rule: RuleResponse }> = ({ rule }) => {
   const { addSuccess } = useAppToasts();
@@ -172,7 +175,20 @@ const EditRulePageComponent: FC<{ rule: RuleResponse }> = ({ rule }) => {
     newTermsFields: defineStepData.newTermsFields,
   });
 
-  const loading = userInfoLoading || listsConfigLoading;
+  const { upgradeReviewResponse, isLoading: isRuleUpgradeReviewLoading } = usePrebuiltRulesUpgrade({
+    pagination: {
+      page: 1, // we only want to fetch one result
+      perPage: 1,
+    },
+    filter: { rule_ids: [ruleId] },
+  });
+
+  const isRuleUpgradeable = useMemo(
+    () => upgradeReviewResponse !== undefined && upgradeReviewResponse.total > 0,
+    [upgradeReviewResponse]
+  );
+
+  const loading = userInfoLoading || listsConfigLoading || isRuleUpgradeReviewLoading;
   const { isSavedQueryLoading, savedQuery } = useGetSavedQuery({
     savedQueryId: 'saved_id' in rule ? rule.saved_id : undefined,
     ruleType: rule?.type,
@@ -509,6 +525,15 @@ const EditRulePageComponent: FC<{ rule: RuleResponse }> = ({ rule }) => {
     [navigateToApp, ruleId]
   );
 
+  const updateCallToActionButton = useMemo(
+    () => (
+      <EuiLink onClick={goToDetailsRule} data-test-subj="ruleEditingUpdateRuleCalloutButton">
+        {ruleI18n.HAS_RULE_UPDATE_EDITING_CALLOUT_BUTTON}
+      </EuiLink>
+    ),
+    [goToDetailsRule]
+  );
+
   if (
     redirectToDetections(
       isSignalIndexExists,
@@ -550,6 +575,12 @@ const EditRulePageComponent: FC<{ rule: RuleResponse }> = ({ rule }) => {
                         setIsRulePreviewVisible={setIsRulePreviewVisible}
                         togglePanel={togglePanel}
                       />
+                      <HasRuleUpdateCallout
+                        rule={rule}
+                        hasUpdate={isRuleUpgradeable}
+                        message={ruleI18n.HAS_RULE_UPDATE_EDITING_CALLOUT_MESSAGE}
+                        actionButton={updateCallToActionButton}
+                      />
                       {invalidSteps.length > 0 && (
                         <EuiCallOut title={i18n.SORRY_ERRORS} color="danger" iconType="warning">
                           <FormattedMessage

@@ -13,6 +13,7 @@ import {
   EuiConfirmModal,
   EuiFlexGroup,
   EuiFlexItem,
+  EuiLink,
   EuiLoadingSpinner,
   EuiSpacer,
   EuiToolTip,
@@ -148,6 +149,8 @@ import { useManualRuleRunConfirmation } from '../../../rule_gaps/components/manu
 import { useLegacyUrlRedirect } from './use_redirect_legacy_url';
 import { RuleDetailTabs, useRuleDetailsTabs } from './use_rule_details_tabs';
 import { useIsExperimentalFeatureEnabled } from '../../../../common/hooks/use_experimental_features';
+import { usePrebuiltRulesUpgrade } from '../../../rule_management_ui/components/rules_table/upgrade_prebuilt_rules_table/use_prebuilt_rules_upgrade';
+import { HasRuleUpdateCallout } from '../../../rule_management_ui/components/rule_update_callouts/has_rule_update_callout';
 
 const RULE_EXCEPTION_LIST_TYPES = [
   ExceptionListTypeEnum.DETECTION,
@@ -252,9 +255,36 @@ const RuleDetailsPageComponent: React.FC<DetectionEngineComponentProps> = ({
     isExistingRule,
   } = useRuleWithFallback(ruleId);
 
+  const onUpgrade = useCallback(() => {
+    refreshRule();
+  }, [refreshRule]);
+
+  const {
+    upgradeReviewResponse,
+    isLoading: isRuleUpgradeReviewLoading,
+    rulePreviewFlyout,
+    loadingRules,
+    openRulePreview,
+  } = usePrebuiltRulesUpgrade({
+    pagination: {
+      page: 1, // we only want to fetch one result
+      perPage: 1,
+    },
+    filter: { rule_ids: [ruleId] },
+    onUpgrade,
+  });
+
+  const isRuleUpgradeable = useMemo(
+    () => upgradeReviewResponse !== undefined && upgradeReviewResponse.total > 0,
+    [upgradeReviewResponse]
+  );
+
   const { pollForSignalIndex } = useSignalHelpers();
   const [rule, setRule] = useState<RuleResponse | null>(null);
-  const isLoading = ruleLoading && rule == null;
+  const isLoading = useMemo(
+    () => (ruleLoading && rule == null) || isRuleUpgradeReviewLoading || loadingRules.length > 0,
+    [isRuleUpgradeReviewLoading, loadingRules.length, rule, ruleLoading]
+  );
 
   const { starting: isStartingJobs, startMlJobs } = useStartMlJobs();
   const startMlJobsIfNeeded = useCallback(async () => {
@@ -316,8 +346,8 @@ const RuleDetailsPageComponent: React.FC<DetectionEngineComponentProps> = ({
   useLegacyUrlRedirect({ rule, spacesApi });
 
   const showUpdating = useMemo(
-    () => isLoadingIndexPattern || isAlertsLoading || loading,
-    [isLoadingIndexPattern, isAlertsLoading, loading]
+    () => isLoadingIndexPattern || isAlertsLoading || loading || isRuleUpgradeReviewLoading,
+    [isLoadingIndexPattern, isAlertsLoading, loading, isRuleUpgradeReviewLoading]
   );
 
   const title = useMemo(
@@ -394,6 +424,20 @@ const RuleDetailsPageComponent: React.FC<DetectionEngineComponentProps> = ({
   const lastExecutionDate = lastExecution?.date ?? '';
   const lastExecutionMessage = lastExecution?.message ?? '';
 
+  const updateCallToActionButton = useMemo(
+    () => (
+      <EuiLink
+        onClick={() => {
+          openRulePreview(ruleRuleId);
+        }}
+        data-test-subj="ruleDetailsUpdateRuleCalloutButton"
+      >
+        {ruleI18n.HAS_RULE_UPDATE_CALLOUT_BUTTON}
+      </EuiLink>
+    ),
+    [openRulePreview, ruleRuleId]
+  );
+
   const ruleStatusInfo = useMemo(() => {
     return (
       <>
@@ -555,6 +599,12 @@ const RuleDetailsPageComponent: React.FC<DetectionEngineComponentProps> = ({
     <>
       <NeedAdminForUpdateRulesCallOut />
       <MissingPrivilegesCallOut />
+      <HasRuleUpdateCallout
+        rule={rule}
+        hasUpdate={isRuleUpgradeable}
+        actionButton={updateCallToActionButton}
+        message={ruleI18n.HAS_RULE_UPDATE_DETAILS_CALLOUT_MESSAGE}
+      />
       {isBulkDuplicateConfirmationVisible && (
         <BulkActionDuplicateExceptionsConfirmation
           onCancel={cancelRuleDuplication}
@@ -579,6 +629,7 @@ const RuleDetailsPageComponent: React.FC<DetectionEngineComponentProps> = ({
       {isManualRuleRunConfirmationVisible && (
         <ManualRuleRunModal onCancel={cancelManualRuleRun} onConfirm={confirmManualRuleRun} />
       )}
+      {rulePreviewFlyout}
       <StyledFullHeightContainer onKeyDown={onKeyDown} ref={containerElement}>
         <EuiWindowEvent event="resize" handler={noop} />
         <FiltersGlobal show={showGlobalFilters({ globalFullScreen, graphEventId })}>

@@ -48,6 +48,7 @@ export const RuleUpgrade = memo(function RuleUpgrade({
       <RuleUpgradeCallout
         numOfSolvableConflicts={numOfSolvableConflicts}
         numOfNonSolvableConflicts={numOfNonSolvableConflicts}
+        hasBaseVersion={ruleUpgradeState.has_base_version}
       />
       <EuiSpacer size="s" />
       {fieldNames.map((fieldName) => (

@@ -6,7 +6,7 @@
  */
 
 import React from 'react';
-import { EuiCallOut } from '@elastic/eui';
+import { EuiCallOut, EuiSpacer } from '@elastic/eui';
 import { ActionRequiredBadge } from '../badges/action_required';
 import { ReviewRequiredBadge } from '../badges/review_required_badge';
 import { ReadyForUpgradeBadge } from '../badges/ready_for_upgrade_badge';
@@ -15,74 +15,97 @@ import * as i18n from './translations';
 interface RuleUpgradeCalloutProps {
   numOfSolvableConflicts: number;
   numOfNonSolvableConflicts: number;
+  hasBaseVersion: boolean;
 }
 
 export function RuleUpgradeCallout({
   numOfSolvableConflicts,
   numOfNonSolvableConflicts,
+  hasBaseVersion,
 }: RuleUpgradeCalloutProps): JSX.Element {
+  let missingBaseVersionCallout: JSX.Element | null = null;
+  if (!hasBaseVersion) {
+    missingBaseVersionCallout = (
+      <>
+        <EuiCallOut color="warning" size="s">
+          <p>{i18n.RULE_BASE_VERSION_IS_MISSING_DESCRIPTION}</p>
+        </EuiCallOut>
+        <EuiSpacer size="s" />
+      </>
+    );
+  }
+
   if (numOfNonSolvableConflicts > 0) {
     return (
-      <EuiCallOut
-        title={
-          <>
-            <strong>{i18n.UPGRADE_STATUS}</strong>
-            &nbsp;
-            <ActionRequiredBadge />
-            &nbsp;
-            {i18n.RULE_HAS_CONFLICTS(numOfNonSolvableConflicts + numOfSolvableConflicts)}
-          </>
-        }
-        color="danger"
-        size="s"
-      >
-        <span>{i18n.RULE_HAS_HARD_CONFLICTS_DESCRIPTION}</span>
-        <ul>
-          <li>{i18n.RULE_HAS_HARD_CONFLICTS_KEEP_YOUR_CHANGES}</li>
-          <li>{i18n.RULE_HAS_HARD_CONFLICTS_ACCEPT_ELASTIC_UPDATE}</li>
-          <li>{i18n.RULE_HAS_HARD_CONFLICTS_EDIT_FINAL_VERSION}</li>
-        </ul>
-      </EuiCallOut>
+      <>
+        {missingBaseVersionCallout}
+        <EuiCallOut
+          title={
+            <>
+              <strong>{i18n.UPGRADE_STATUS}</strong>
+              &nbsp;
+              <ActionRequiredBadge />
+              &nbsp;
+              {i18n.RULE_HAS_CONFLICTS(numOfNonSolvableConflicts + numOfSolvableConflicts)}
+            </>
+          }
+          color="danger"
+          size="s"
+        >
+          <span>{i18n.RULE_HAS_HARD_CONFLICTS_DESCRIPTION}</span>
+          <ul>
+            <li>{i18n.RULE_HAS_HARD_CONFLICTS_KEEP_YOUR_CHANGES}</li>
+            <li>{i18n.RULE_HAS_HARD_CONFLICTS_ACCEPT_ELASTIC_UPDATE}</li>
+            <li>{i18n.RULE_HAS_HARD_CONFLICTS_EDIT_FINAL_VERSION}</li>
+          </ul>
+        </EuiCallOut>
+      </>
     );
   }
 
   if (numOfSolvableConflicts > 0) {
     return (
+      <>
+        {missingBaseVersionCallout}
+        <EuiCallOut
+          title={
+            <>
+              <strong>{i18n.UPGRADE_STATUS}</strong>
+              &nbsp;
+              <ReviewRequiredBadge />
+              &nbsp;
+              {i18n.RULE_HAS_CONFLICTS(numOfSolvableConflicts)}
+            </>
+          }
+          color="warning"
+          size="s"
+        >
+          <span>{i18n.RULE_HAS_SOFT_CONFLICTS_DESCRIPTION}</span>
+          <ul>
+            <li>{i18n.RULE_HAS_SOFT_CONFLICTS_ACCEPT_SUGGESTED_UPDATE}</li>
+            <li>{i18n.RULE_HAS_SOFT_CONFLICTS_EDIT_FINAL_VERSION}</li>
+          </ul>
+        </EuiCallOut>
+      </>
+    );
+  }
+
+  return (
+    <>
+      {missingBaseVersionCallout}
       <EuiCallOut
         title={
           <>
             <strong>{i18n.UPGRADE_STATUS}</strong>
             &nbsp;
-            <ReviewRequiredBadge />
-            &nbsp;
-            {i18n.RULE_HAS_CONFLICTS(numOfSolvableConflicts)}
+            <ReadyForUpgradeBadge />
           </>
         }
-        color="warning"
+        color="success"
         size="s"
       >
-        <span>{i18n.RULE_HAS_SOFT_CONFLICTS_DESCRIPTION}</span>
-        <ul>
-          <li>{i18n.RULE_HAS_SOFT_CONFLICTS_ACCEPT_SUGGESTED_UPDATE}</li>
-          <li>{i18n.RULE_HAS_SOFT_CONFLICTS_EDIT_FINAL_VERSION}</li>
-        </ul>
+        <p>{i18n.RULE_IS_READY_FOR_UPGRADE_DESCRIPTION}</p>
       </EuiCallOut>
-    );
-  }
-
-  return (
-    <EuiCallOut
-      title={
-        <>
-          <strong>{i18n.UPGRADE_STATUS}</strong>
-          &nbsp;
-          <ReadyForUpgradeBadge />
-        </>
-      }
-      color="success"
-      size="s"
-    >
-      <p>{i18n.RULE_IS_READY_FOR_UPGRADE_DESCRIPTION}</p>
-    </EuiCallOut>
+    </>
   );
 }
@@ -158,3 +158,11 @@ export const FIELD_MODIFIED_BADGE_DESCRIPTION = i18n.translate(
       'This field value differs from the one provided in the original version of the rule.',
   }
 );
+
+export const RULE_BASE_VERSION_IS_MISSING_DESCRIPTION = i18n.translate(
+  'xpack.securitySolution.detectionEngine.upgradeFlyout.baseVersionMissingDescription',
+  {
+    defaultMessage:
+      "The original, unedited version of this Elastic rule couldn't be found. This sometimes happens when a rule hasn't been updated in a while. You can still update this rule, but will only have access to its current version and the incoming Elastic update. Updating Elastic rules more often can help you avoid this in the future. We encourage you to review this update carefully and ensure your changes are not accidentally overwritten.",
+  }
+);
@@ -17,4 +17,8 @@ export interface RuleUpgradeState extends RuleUpgradeInfoForReview {
    * Indicates whether there are conflicts blocking rule upgrading.
    */
   hasUnresolvedConflicts: boolean;
+  /**
+   * Indicates whether there are non-solvable conflicts blocking rule upgrading.
+   */
+  hasNonSolvableUnresolvedConflicts: boolean;
 }
@@ -34,7 +34,7 @@ type OnClick = () => void;
 export const getUpdateRulesCalloutTitle = (onClick: OnClick) => (
   <FormattedMessage
     id="xpack.securitySolution.detectionEngine.rules.updatePrebuiltRulesCalloutTitle"
-    defaultMessage="Updates available for installed rules. Review and update in&nbsp;{link}."
+    defaultMessage="Some Elastic rules have updates available. Update them to ensure you get the best detection experience. Review and update in&nbsp;{link}."
     values={{
       link: (
         <EuiLink