[Security Solution] Inconsistent search results when matching detection rules by name #237278

@banderror

Description

Summary

We want to improve the UX around searching for detection rules in the Rule Management ("Installed rules") and Rule Monitoring tables. The current UX is somewhat broken or limited and there are some inconsistencies when searching the pre-built "Elastic rules" and the list of rules installed by the user. It doesn't support searching by special characters (bug), sometimes doesn't support searching by a substring of a word, etc. We want the search results to be as useful and relevant as it can be based on the current architecture.

At this point we're interested in enhancing the search by rule name. Full-text search by other text fields, such as description and setup, is out of the scope.

Enhancing the search in the other rule tables, such as the Rule Installation table, is out of the scope.

The problem

Here is an example screenshot where the user has installed all rules.

They should see 5 pages of results when typing win in the search bar (all rules with "Windows" etc. in the name). However, they currently see 0 matches.


This is especially confusing because it does not match the behavior of the Pre-built Elastic Rules page, where the same search returns matches.

How to reproduce:

Please use the following steps.

  1. Security App > Rules > Detection Rules (SIEM)
  2. A table of installed rules should appear.
  3. Remove any pre-installed Elastic rules:
     • Click filter Elastic Rules > Tick checkbox to select all > Click text Select all X Rules > Bulk actions > Delete > Delete
  4. Click on Add Elastic Rules
  5. Click input Search rules by name > win > Enter
  6. You should see 5 pages of results (~84 rules)
  7. Click Install All button at the top.
  8. 'All Elastic rules have been installed' > Click Go back to installed Elastic rules
  9. Search by rule name > win > Enter

Expected

  1. You should see 5 pages of results (i.e. 84 rules)

Actual

  1. You see 0 results.

User stories

  • As a user, I want to filter for all rules that contain a word or a combination of letters or numbers in the rule name when using the search bar on the rules pages (Installed rules, Rules Monitoring)

Acceptance criteria

  • When a user searches for text on the Installed rules or Rules Monitoring tabs, all rules whose names contain that text should be returned, including partial matches.

Test cases

  • Search for "Win": all rules with "Windows" in the name should be returned; likewise "Lin" -> "Linux".
  • Edit a few rules and add "900-" at the start of the name. Search for "90": all rules with "900-" in the name should be returned.

Technical details

We may have a dependency on the Alerting Framework here to resolve this issue.

Currently, the rule name is mapped here:

    name: {
      type: 'text',
      fields: {
        keyword: {
          type: 'keyword',
          normalizer: 'lowercase',
        },
      },
    },

There may or may not be a need to adjust this mapping. Feel free to collaborate with @elastic/response-ops-ram team and @marshallmain on figuring this out.
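The following is an added example, not code from this issue or from Kibana. It models offline why a substring such as "win" can return nothing against the analyzed `text` field of the `name` mapping while the lowercased `keyword` subfield can serve such a query. It assumes, which the issue does not state, that the `text` field uses Elasticsearch's default standard analyzer and that the table search issues a match-style query; the rule names are constructed samples.

```typescript
// Added example (not from the issue or Kibana): offline model of term matching
// against the two subfields of the rule `name` mapping quoted above.
// Assumption: `text` is analyzed by the standard analyzer; the search is match-style.

// Constructed sample rule names (not real prebuilt rule titles).
const RULE_NAMES: string[] = [
  "Windows Defender Disabled",
  "Linux Kernel Module Load",
  "900-Suspicious PowerShell Encoded Command",
  "Potential Ransomware via Win32 API",
];

// Approximates the standard analyzer: split on non-alphanumerics, lowercase.
function standardAnalyze(value: string): string[] {
  const parts = value.match(/[A-Za-z0-9]+/g) || [];
  return parts.map((t) => t.toLowerCase());
}

// Approximates the `lowercase` normalizer: the whole value is one lowercased term.
function lowercaseNormalize(value: string): string {
  return value.toLowerCase();
}

// `match` on the text field: every query token must equal a whole indexed token.
// "win" is compared against the token "windows", never a prefix of it, so it misses.
function matchText(names: string[], query: string): string[] {
  const terms = standardAnalyze(query);
  return names.filter((n) => {
    const tokens = standardAnalyze(n);
    return terms.length > 0 && terms.every((t) => tokens.indexOf(t) !== -1);
  });
}

// `*query*` wildcard on name.keyword: substring test on the single normalized term.
// (In a real wildcard query, `*` and `?` in user input would need escaping.)
function wildcardKeyword(names: string[], query: string): string[] {
  const needle = lowercaseNormalize(query);
  return names.filter(
    (n) => needle.length > 0 && lowercaseNormalize(n).indexOf(needle) !== -1
  );
}
```

Running both functions with the issue's test inputs ("win", "90") shows the text-field match returning nothing while the keyword wildcard returns the partial matches the acceptance criteria ask for.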

Labels

  • 9.3 candidate
  • Feature:Rule Management (Security Solution Detection Rule Management area)
  • Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)
  • Team:Detection Rule Management (Security Detection Rule Management Team)
  • Team:Detections and Resp (Security Detection Response Team)
  • bug (Fixes for quality problems that affect the customer experience)
  • impact:high (Addressing this issue will have a high level of impact on the quality/strength of our product)
