[Security Solution] Handle negative lookback in rule upgrade flyout

[maximpn]

Fixes: #202715
Fixes: #204714

Summary

This PR makes inconsistent/wrong rule's look-back duration prominent for a user. It falls back to a default 1 minute value in rule upgrade workflow.

Details

Negative/wrong lookback problem

There is a difference between rule schedule value in a saved object and value represented to users

• Saved object (and rule management API) has interval, from and to fields representing rule schedule. interval shows how often a rule runs in task runner. from and to stored in date math format like now-10m represent a date time range used to fetch source events. Task manager strives to run rules exactly every interval but it's not always possible due to multiple reasons like system load and various delays. To avoid any gaps to appear from point in time usually stands earlier than current time minus interval, for example interval is 10 minutes and from is now-12m meaning rule will analyze events starting from 12 minutes old. to represents the latest point in time source events will be analyzed.
• Diffable rule and UI represent rule schedule as interval and lookback. Where interval is the same as above and lookback and a time duration before current time minus interval. For example interval is 10 minutes and lookback is 2 minutes it means a rule will analyzing events starting with 12 minutes old until the current moment in time.

Literally interval, from and to mean a rule runs every interval and analyzes events starting from from until to. Technically from and to may not have any correlation with interval, for example a rule may analyze one year old events. While it's reasonable for manual rule runs and gap remediation the same approach doesn't work well for usual rule schedule. Transformation between interval/from/to and interval/lookback works only when to is equal the current moment in time i.e. now.

Rule management APIs allow to set any from and to values resulting in inconsistent rule schedule. Transformed interval/lookback value won't represent real time interval used to fetch source events for analysis. On top of that negative lookback value may puzzle users on the meaning of the negative sign.

Prebuilt rules with interval/from/to resulting in negative lookback

Some prebuilt rules have such interval, from and to field values thatnegative lookback is expected, for example Multiple Okta Sessions Detected for a Single User. It runs every 60 minutes but has from field set to now-30m and to equals now. In the end we have lookback equals to - from - interval = 30 minutes - 60 minutes = -30 minutes.

Our UI doesn't handle negative lookback values. It simply discards a negative sign and substitutes the rest for editing. In the case above 30 minutes will be suggested for editing. Saving the form will result in changing from to now-90m

Changes in this PR

This PR mitigates rule schedule inconsistencies caused by to fields not using the current point in time i.e. now. The following was done

• DiffableRule's rule_schedule was changed to have interval, from and to fields instead of interval and lookback
• _perform rule upgrade API endpoint was adapted to the new DIffableRule's rule_schedule
• Rule upgrade flyout calculates and shows interval and lookback in Diff View, readonly view and field form when lookback is non-negative and to equals now
• Rule upgrade flyout shows interval, from and to in Diff View, readonly view and field form when to isn't equal now or calculated lookback is negative
• Rule upgrade flyout shows a warning when to isn't equal now or calculated lookback is negative
• Rule upgrade flyout's JSON Diff shows interval and lookback when lookback is non-negative and to equals now and shows interval, from and to in any other case
• Rule details page shows interval, from and to in Diff View, readonly view and field form when to isn't equal now or calculated lookback is negative
• maxValue was added to ScheduleItemField to have an ability to restrict input at reasonable values

Screenshots

• Rule upgrade workflow (negative look-back)

• Rule upgrade workflow (positive look-back)

• JSON view

• Rule details page

How to test?

• Ensure the prebuiltRulesCustomizationEnabled feature flag is enabled
• Allow internal APIs via adding server.restrictInternalApis: false to kibana.dev.yaml
• Clear Elasticsearch data
• Run Elasticsearch and Kibana locally (do not open Kibana in a web browser)
• Install an outdated version of the security_detection_engine Fleet package

curl -X POST --user elastic:changeme  -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1

• Install prebuilt rules

curl -X POST --user elastic:changeme  -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform

• Set "inconsistent" rule schedule for Suspicious File Creation via Kworker rule by running a query below

curl -X PATCH --user elastic:changeme -H "Content-Type: application/json" -H "elastic-api-version: 2023-10-31" -H "kbn-xsrf: 123" -d '{"rule_id":"ae343298-97bc-47bc-9ea2-5f2ad831c16e","interval":"10m","from":"now-5m","to":"now-2m"}' http://localhost:5601/kbn/api/detection_engine/rules

• Open rule upgrade flyout for Suspicious File Creation via Kworker rule

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

[rylnd]

@maximpn when I follow your instructions and attempt to open the upgrade flyout for the modified rule, I receive the following error, which looks to have been thrown by parseDuration:

The above error occurred in ErrorBoundary:

    at ErrorBoundary (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:173844:7)
    at DragDropContext (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:182244:23)
    at DragDropContextWrapperComponent (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:123797:3)
    at TourContextProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:125963:3)
    at http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.10.js:3132:3
    at div
    at P (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:416847:19797)
    at HomePageComponent (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:119685:3)
    at FilesContext (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/cases/1.0.0/cases.plugin.js:4051:3)
    at QueryClientProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:201457:3)
    at CasesProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/cases/1.0.0/cases.plugin.js:12930:3)
    at Suspense
    at CasesProviderLazyWrapper (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/cases/1.0.0/cases.plugin.js:10620:3)
    at CasesProviderLazyWrapperWithRegistry (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/cases/1.0.0/cases.plugin.js:10648:5)
    at Route (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:365980:29)
    at Route (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:52215:3)
    at Switch (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:366182:29)
    at Routes (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:52349:3)
    at http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:124866:3
    at RenderedRoute (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:364147:5)
    at Routes (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:364708:5)
    at Router (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:364646:15)
    at CompatRouter (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:362673:5)
    at Router (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:365599:30)
    at Router (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:52305:3)
    at ManageRoutesSpyComponent (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:141727:3)
    at PageRouterComponent (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:119811:3)
    at AssistantProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:89064:3)
    at AssistantProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:121929:3)
    at DiscoverInTimelineContextProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:123268:86)
    at http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:135727:3
    at CellActionsProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.7.js:8148:3)
    at QueryClientProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:201457:3)
    at http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.default~lazy_app_links.js:593:3
    at NavigationProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.plugin.js:762:3)
    at ManageUserInfo (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:146394:3)
    at UserPrivilegesProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:135990:3)
    at http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:131967:3
    at Le (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:416847:17442)
    at KibanaStyledComponentsThemeProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/kibanaReact/1.0.0/kibanaReact.plugin.js:2009:3)
    at Provider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:359229:20)
    at ManageGlobalToaster (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.0.js:884:3)
    at ErrorBoundaryInternal (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-src/kbn-ui-shared-deps-src.js:63384:5)
    at KibanaErrorBoundary (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-src/kbn-ui-shared-deps-src.js:63445:110)
    at KibanaErrorBoundaryProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-src/kbn-ui-shared-deps-src.js:63205:3)
    at EuiContext (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:71325:24)
    at IntlProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-src/kbn-ui-shared-deps-src.js:237142:47)
    at I18nProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-src/kbn-ui-shared-deps-src.js:57310:3)
    at I18nContext (http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js:21999:9)
    at EuiComponentDefaultsProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:127252:36)
    at CurrentEuiBreakpointProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:152993:23)
    at ThemeProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:164284:63)
    at EuiEmotionThemeProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:158268:23)
    at EuiThemeMemoizedStylesProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:158743:23)
    at EuiThemeProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:158537:22)
    at EuiSystemColorModeProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:127579:23)
    at EuiCacheProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:127173:20)
    at EuiProviderNestedCheck (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:127405:23)
    at EuiProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:127465:25)
    at KibanaEuiProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:51630:3)
    at KibanaRootContextProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:51751:3)
    at KibanaRenderContextProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:51528:3)
    at StartAppComponent (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:119310:3)
    at CloudContextProvider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/cloud/1.0.0/cloud.plugin.js:599:7)
    at Provider (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/kibanaReact/1.0.0/kibanaReact.plugin.js:2813:15)
    at SecurityAppComponent (http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js:119342:3)
    ```
  </details>

[maximpn]

Hi @rylnd,

are you sure you pulled the latest PR changes? I double checked and it works for me locally as described in the PR description. Could you try removing the branch and pull the latest changes?

[banderror]

For "interval":"50m","from":"now-55m","to":"now":

For "interval":"50m","from":"now-50m","to":"now":

For "interval":"50m","from":"now-45m","to":"now":

If it's not a "simple rule schedule with non-negative lookback", on the Details page we show it correctly, but on the Editing page we reset the lookback to 0 seconds. It's the same if to != now.

Just wanted to log this here - I'll probably create a bug to fix it later.

[banderror]

@maximpn I found another bug that we should fix. Described in the comment below.

[banderror]

This code is crazy obscure and unreasonably complex. We should refactor it after the release in Serverless. No action is needed in this PR.

[banderror]

Reviewed about 5/6 of the changes. Posting the last pack of comments for today.

[maximpn]

@banderror Thanks for your through review 🙏

I addressed your comments. In particular

• Replaced time duration utility functions with TimeDuration class encompassing static and instance methods. It should improve encapsulation and locality of time duration related functionality as well as increase reusability.
• Rule schedule related schemas, types and utilities were moved to security_solution/common/api/detection_engine/model/rule_schema folder. I had to move toSimpleRuleSchedule to a separate file to produce smaller bundle (14.5KB when toSimpleRuleSchedule placed in one file with RuleSchedule and SimpleRuleSchedule Zod schemas versus 12.7KB when toSimpleRuleSchedule is placed in a separate file)

• TimeDuration factories always return a nomalized time duration which addresses [Security Solution] Handle negative lookback in rule upgrade flyout #204317 (comment)

---

There is one issue left related to non-normalized rule schedule we use right now. I described it in my answer. I suggest to discuss it and address it separately.

Could you have a look?

[banderror]

@elasticmachine merge upstream

[elasticmachine]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: 23dd930
• Storybooks Preview

Failed CI Steps

• Jest Tests #9
• FTR Configs #41

Test Failures

• [job] [logs] FTR Configs #41 / console app misc console behavior keyboard shortcuts should execute the request when Ctrl+Enter is pressed
• [job] [logs] Jest Tests #9 / GraphInvestigation Component shows error on bad kql syntax

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
securitySolution	6562	6578	+16

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	21.2MB	21.2MB	+14.8KB

History

• 💛 Build #267658 was flaky ad57b91
• 💔 Build #267641 failed 078c482
• 💔 Build #267632 failed 1274907
• 💚 Build #267543 succeeded 54ed57a
• 💔 Build #267482 failed b9299c1
• 💔 Build #267323 failed d48d61e

cc @maximpn

[banderror]

Checked the latest code changes and re-tested the app locally.

LGTM, thanks @maximpn.

[banderror]

Files by Code Owner

elastic/kibana-localization

• x-pack/platform/plugins/private/translations/translations/fr-FR.json
• x-pack/platform/plugins/private/translations/translations/ja-JP.json
• x-pack/platform/plugins/private/translations/translations/zh-CN.json

elastic/security-detection-engine

• x-pack/solutions/security/packages/kbn-securitysolution-utils/date_math.ts
• x-pack/solutions/security/packages/kbn-securitysolution-utils/kibana.jsonc
• x-pack/solutions/security/packages/kbn-securitysolution-utils/src/date_math/calc_date_math_diff.test.ts
• x-pack/solutions/security/packages/kbn-securitysolution-utils/src/date_math/calc_date_math_diff.ts
• x-pack/solutions/security/packages/kbn-securitysolution-utils/src/date_math/index.ts
• x-pack/solutions/security/packages/kbn-securitysolution-utils/src/date_math/normalize_date_math.test.ts
• x-pack/solutions/security/packages/kbn-securitysolution-utils/src/date_math/normalize_date_math.ts
• x-pack/solutions/security/packages/kbn-securitysolution-utils/src/time_duration/time_duration.test.ts
• x-pack/solutions/security/packages/kbn-securitysolution-utils/src/time_duration/time_duration.ts
• x-pack/solutions/security/packages/kbn-securitysolution-utils/time_duration.ts
• x-pack/solutions/security/packages/kbn-securitysolution-utils/tsconfig.json
• x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schedule.ts
• x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/to_simple_rule_schedule.test.ts
• x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/to_simple_rule_schedule.ts
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/history_window_start_edit/history_window_start_edit.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/schedule_item_field/schedule_item_field.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/schedule_item_field/schedule_item_field.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_schedule_rule/index.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/helpers.test.ts
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/helpers.ts

elastic/security-detection-rule-management

• x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schedule.ts
• x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/to_simple_rule_schedule.test.ts
• x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/to_simple_rule_schedule.ts
• x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/prebuilt_rules/model/diff/diffable_rule/diffable_field_types.ts
• x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/prebuilt_rules/model/diff/diffable_rule/diffable_rule.ts
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/json_diff/json_diff.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/per_field_diff/get_field_diffs_for_grouped_fields.test.ts
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/per_field_diff/get_field_diffs_for_grouped_fields.ts
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/rule_diff_tab.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/rule_schedule_section.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/comparison_side/get_subfield_changes/rule_schedule.ts
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/common_rule_field_edit.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/full_rule_schedule_adapter.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/full_rule_schedule_form.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/index.ts
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/rule_schedule_form.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/simple_rule_schedule_adapter.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/simple_rule_schedule_form.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/translations.ts
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/validators/date_math_validator.ts
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/validators/translations.ts
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/rule_schedule/rule_schedule.stories.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/rule_schedule/rule_schedule.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/storybook/mocks.ts
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/translations.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management_ui/components/rules_table/bulk_actions/forms/schedule_form.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.tsx
• x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.test.ts
• x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts

elastic/security-engineering-productivity

• x-pack/test/security_solution_cypress/cypress/screens/alerts_detection_rules.ts
• x-pack/test/security_solution_cypress/cypress/tasks/prebuilt_rules_preview.ts
• x-pack/test/security_solution_cypress/cypress/tsconfig.json

elastic/security-solution

• x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schedule.ts
• x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/to_simple_rule_schedule.test.ts
• x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/to_simple_rule_schedule.ts
• x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/prebuilt_rules/model/diff/diffable_rule/diffable_field_types.ts
• x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/prebuilt_rules/model/diff/diffable_rule/diffable_rule.ts
• x-pack/solutions/security/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_rule_schedule.test.ts
• x-pack/solutions/security/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_rule_schedule.ts
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/history_window_start_edit/history_window_start_edit.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/schedule_item_field/schedule_item_field.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/schedule_item_field/schedule_item_field.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_schedule_rule/index.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/helpers.test.ts
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/helpers.ts
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/json_diff/json_diff.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/per_field_diff/get_field_diffs_for_grouped_fields.test.ts
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/per_field_diff/get_field_diffs_for_grouped_fields.ts
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/rule_diff_tab.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/rule_schedule_section.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/comparison_side/get_subfield_changes/rule_schedule.ts
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/common_rule_field_edit.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/full_rule_schedule_adapter.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/full_rule_schedule_form.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/index.ts
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/rule_schedule_form.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/simple_rule_schedule_adapter.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/simple_rule_schedule_form.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/translations.ts
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/validators/date_math_validator.ts
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/rule_schedule/validators/translations.ts
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/rule_schedule/rule_schedule.stories.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/rule_schedule/rule_schedule.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/storybook/mocks.ts
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/translations.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management_ui/components/rules_table/bulk_actions/forms/schedule_form.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.tsx
• x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.test.ts
• x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts

[vgomez-el]

LGTM!