elastic · dplumlee · Dec 10, 2024 · Dec 3, 2024 · Dec 4, 2024 · Dec 5, 2024
diff --git a/...tion_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.test.ts b/...tion_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.test.ts
@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { transformDiffableFieldValues } from './diffable_rule_fields_mappings';
+
+describe('transformDiffableFieldValues', () => {
+  it('transforms rule_schedule into "from" value', () => {
+    const result = transformDiffableFieldValues('from', { interval: '5m', lookback: '4m' });
+    expect(result).toEqual({ type: 'TRANSFORMED_FIELD', value: 'now-540s' });
+  });
+});
diff --git a/...detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts b/...detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts
@@ -15,6 +15,7 @@ import type {
 } from '../../../../../../common/api/detection_engine';
 import { type AllFieldsDiff } from '../../../../../../common/api/detection_engine';
 import type { PrebuiltRuleAsset } from '../../model/rule_assets/prebuilt_rule_asset';
+import { calculateFromValueWithRuleScheduleFields } from '../../../rule_types/utils/utils';
 
 /**
  * Retrieves and transforms the value for a specific field from a DiffableRule group.
@@ -201,7 +202,11 @@ export const transformDiffableFieldValues = (
   diffableFieldValue: RuleSchedule | InlineKqlQuery | unknown
 ): TransformValuesReturnType => {
   if (fieldName === 'from' && isRuleSchedule(diffableFieldValue)) {
-    return { type: 'TRANSFORMED_FIELD', value: `now-${diffableFieldValue.lookback}` };
+    const from = calculateFromValueWithRuleScheduleFields(
+      diffableFieldValue.interval,
+      diffableFieldValue.lookback
+    );
+    return { type: 'TRANSFORMED_FIELD', value: `now-${from}s` };
   } else if (fieldName === 'to') {
     return { type: 'TRANSFORMED_FIELD', value: `now` };
   } else if (fieldName === 'saved_id' && isInlineQuery(diffableFieldValue)) {

diff --git a/...on/server/lib/detection_engine/rule_management/logic/bulk_actions/rule_params_modifier.ts b/...on/server/lib/detection_engine/rule_management/logic/bulk_actions/rule_params_modifier.ts
@@ -5,8 +5,6 @@
  * 2.0.
  */
 
-import moment from 'moment';
-import { parseInterval } from '@kbn/data-plugin/common/search/aggs/utils/date_interval_utils';
 import type { RuleParamsModifierResult } from '@kbn/alerting-plugin/server/rules_client/methods/bulk_edit';
 import type { ExperimentalFeatures } from '../../../../../../common';
 import type { InvestigationFieldsCombined, RuleAlertType } from '../../../rule_schema';
@@ -17,6 +15,7 @@ import type {
 } from '../../../../../../common/api/detection_engine/rule_management';
 import { BulkActionEditTypeEnum } from '../../../../../../common/api/detection_engine/rule_management';
 import { invariant } from '../../../../../../common/utils/invariant';
+import { calculateFromValueWithRuleScheduleFields } from '../../../rule_types/utils/utils';
 
 export const addItemsToArray = <T>(arr: T[], items: T[]): T[] =>
   Array.from(new Set([...arr, ...items]));
@@ -256,10 +255,10 @@ const applyBulkActionEditToRuleParams = (
     }
     // update look-back period in from and meta.from fields
     case BulkActionEditTypeEnum.set_schedule: {
-      const interval = parseInterval(action.value.interval) ?? moment.duration(0);
-      const parsedFrom = parseInterval(action.value.lookback) ?? moment.duration(0);
-
-      const from = parsedFrom.asSeconds() + interval.asSeconds();
+      const from = calculateFromValueWithRuleScheduleFields(
+        action.value.interval,
+        action.value.lookback
+      );
 
       ruleParams = {
         ...ruleParams,

diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.ts
@@ -544,6 +544,19 @@ export const getCatchupTuples = ({
   return catchupTuples;
 };
 
+/**
+ * Takes the rule schedule fields `interval` and `lookback` and uses them to calculate the `from` value for a rule
+ *
+ * @param interval moment.Duration representing the interval on which the rule runs
+ * @param lookback moment.Moment representing the rule's additional lookback
+ * @returns moment.Moment representing the rule's 'from' property
+ */
+export const calculateFromValueWithRuleScheduleFields = (interval: string, lookback: string) => {
-export const calculateFromValueWithRuleScheduleFields = (interval: string, lookback: string) => {
+export const calculateFromValueWithRuleScheduleFields = (interval: string, lookback: string): number => {
-export const calculateFromValueWithRuleScheduleFields = (interval: string, lookback: string) => {
+export const calculateFromValueWithRuleScheduleFields = (interval: string, lookback: string): number => {
+  const parsedInterval = parseInterval(interval) ?? moment.duration(0);
+  const parsedFrom = parseInterval(lookback) ?? moment.duration(0);
+  return parsedFrom.asSeconds() + parsedInterval.asSeconds();
+};
+
 /**
  * Given errors from a search query this will return an array of strings derived from the errors.
  * @param errors The errors to derive the strings from