[8.16] [Defend Workflows] Endpoint advanced options migration vs policy re-deployment issue mitigation (#196708) (#196835)

# Backport

This will backport the following commits from `main` to `8.16`:
- [[Defend Workflows] Endpoint advanced options migration vs policy
re-deployment issue mitigation
(#196708)](https://github.com/elastic/kibana/pull/196708)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Gergő
Ábrahám","email":"gergo.abraham@elastic.co"},"sourceCommit":{"committedDate":"2024-10-18T10:15:00Z","message":"[Defend
Workflows] Endpoint advanced options migration vs policy re-deployment
issue mitigation (#196708)\n\n## Summary\r\n\r\ncloses
https://github.com/elastic/security-team/issues/10851\r\n\r\n>
[!note]\r\n> ⚠️ needs to be included in v8.16\r\n> ⚠️ needs to be merged
this week to avoid
releasing\r\nhttps://github.com/elastic/kibana/pull/195797 on
Serverless\r\n\r\nAs backfilled package policies are not automatically
redeployed (see\r\nhttps://github.com/elastic/kibana/issues/193352),
this PR's goal is to\r\nprovide quick mitigation in the following
matters:\r\n- update default values in the descriptions of advanced
options added in\r\nhttps://github.com/elastic/kibana/pull/195797, to
harmonize with latest\r\nEndpoint changes
(https://github.com/elastic/endpoint-dev/issues/15109)\r\n- remove
backfill/migration of those default values:\r\n- we should be _able_ to
safely remove the backfills, as they have not\r\nyet been released to
serverless. and,\r\n- we _should_ remove them to make sure that when we
update the defaults\r\nin the future and apply the backfill, there will
be a data change that\r\ncould trigger policy re-deployment, in case
data change is what the\r\ntrigger will be in #193352.\r\n - example
scenario of what could go wrong:\r\n - if we'd apply backfill now, the
package won't be redeployed.\r\n- if the user does not touch it until
the next release - no redeploy.\r\n- if #193352 is implemented and uses
data comparison when running\r\nmigrations - again, no redeploy because
we already backfilled the data\r\nmonths before.\r\n - cc @ferullo
@nfritts \r\n- hide banner describing event volume reduction (added
in\r\nhttps://github.com/elastic/kibana/pull/195177, already released
to\r\nserverless, but it is what it is)\r\n\r\n###
Checklist\r\n\r\nDelete any items that are not applicable to this
PR.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"142997925e5aafac306056b00be1789271aa5dd0","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Fleet","v9.0.0","Team:Defend
Workflows","v8.16.0","backport:version"],"title":"[Defend Workflows]
Endpoint advanced options migration vs policy re-deployment issue
mitigation","number":196708,"url":"https://github.com/elastic/kibana/pull/196708","mergeCommit":{"message":"[Defend
Workflows] Endpoint advanced options migration vs policy re-deployment
issue mitigation (#196708)\n\n## Summary\r\n\r\ncloses
https://github.com/elastic/security-team/issues/10851\r\n\r\n>
[!note]\r\n> ⚠️ needs to be included in v8.16\r\n> ⚠️ needs to be merged
this week to avoid
releasing\r\nhttps://github.com/elastic/kibana/pull/195797 on
Serverless\r\n\r\nAs backfilled package policies are not automatically
redeployed (see\r\nhttps://github.com/elastic/kibana/issues/193352),
this PR's goal is to\r\nprovide quick mitigation in the following
matters:\r\n- update default values in the descriptions of advanced
options added in\r\nhttps://github.com/elastic/kibana/pull/195797, to
harmonize with latest\r\nEndpoint changes
(https://github.com/elastic/endpoint-dev/issues/15109)\r\n- remove
backfill/migration of those default values:\r\n- we should be _able_ to
safely remove the backfills, as they have not\r\nyet been released to
serverless. and,\r\n- we _should_ remove them to make sure that when we
update the defaults\r\nin the future and apply the backfill, there will
be a data change that\r\ncould trigger policy re-deployment, in case
data change is what the\r\ntrigger will be in #193352.\r\n - example
scenario of what could go wrong:\r\n - if we'd apply backfill now, the
package won't be redeployed.\r\n- if the user does not touch it until
the next release - no redeploy.\r\n- if #193352 is implemented and uses
data comparison when running\r\nmigrations - again, no redeploy because
we already backfilled the data\r\nmonths before.\r\n - cc @ferullo
@nfritts \r\n- hide banner describing event volume reduction (added
in\r\nhttps://github.com/elastic/kibana/pull/195177, already released
to\r\nserverless, but it is what it is)\r\n\r\n###
Checklist\r\n\r\nDelete any items that are not applicable to this
PR.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"142997925e5aafac306056b00be1789271aa5dd0"}},"sourceBranch":"main","suggestedTargetBranches":["8.16"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/196708","number":196708,"mergeCommit":{"message":"[Defend
Workflows] Endpoint advanced options migration vs policy re-deployment
issue mitigation (#196708)\n\n## Summary\r\n\r\ncloses
https://github.com/elastic/security-team/issues/10851\r\n\r\n>
[!note]\r\n> ⚠️ needs to be included in v8.16\r\n> ⚠️ needs to be merged
this week to avoid
releasing\r\nhttps://github.com/elastic/kibana/pull/195797 on
Serverless\r\n\r\nAs backfilled package policies are not automatically
redeployed (see\r\nhttps://github.com/elastic/kibana/issues/193352),
this PR's goal is to\r\nprovide quick mitigation in the following
matters:\r\n- update default values in the descriptions of advanced
options added in\r\nhttps://github.com/elastic/kibana/pull/195797, to
harmonize with latest\r\nEndpoint changes
(https://github.com/elastic/endpoint-dev/issues/15109)\r\n- remove
backfill/migration of those default values:\r\n- we should be _able_ to
safely remove the backfills, as they have not\r\nyet been released to
serverless. and,\r\n- we _should_ remove them to make sure that when we
update the defaults\r\nin the future and apply the backfill, there will
be a data change that\r\ncould trigger policy re-deployment, in case
data change is what the\r\ntrigger will be in #193352.\r\n - example
scenario of what could go wrong:\r\n - if we'd apply backfill now, the
package won't be redeployed.\r\n- if the user does not touch it until
the next release - no redeploy.\r\n- if #193352 is implemented and uses
data comparison when running\r\nmigrations - again, no redeploy because
we already backfilled the data\r\nmonths before.\r\n - cc @ferullo
@nfritts \r\n- hide banner describing event volume reduction (added
in\r\nhttps://github.com/elastic/kibana/pull/195177, already released
to\r\nserverless, but it is what it is)\r\n\r\n###
Checklist\r\n\r\nDelete any items that are not applicable to this
PR.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"142997925e5aafac306056b00be1789271aa5dd0"}},{"branch":"8.16","label":"v8.16.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Gergő Ábrahám <gergo.abraham@elastic.co>

src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts

@@ -123,7 +123,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "ingest-agent-policies": "5e95e539826a40ad08fd0c1d161da0a4d86ffc6d",
         "ingest-download-sources": "279a68147e62e4d8858c09ad1cf03bd5551ce58d",
         "ingest-outputs": "daafff49255ab700e07491376fe89f04fc998b91",
-        "ingest-package-policies": "dc2af447c335215be2d6f7b7b8d437d05d6a1188",
+        "ingest-package-policies": "53a94064674835fdb35e5186233bcd7052eabd22",
         "ingest_manager_settings": "111a616eb72627c002029c19feb9e6c439a10505",
         "inventory-view": "b8683c8e352a286b4aca1ab21003115a4800af83",
         "kql-telemetry": "93c1d16c1a0dfca9c8842062cf5ef8f62ae401ad",

x-pack/plugins/fleet/server/saved_objects/index.ts

@@ -101,7 +101,6 @@ import {
   migratePackagePolicySetRequiresRootToV8150,
 } from './migrations/to_v8_15_0';
 import { backfillAgentPolicyToV4 } from './model_versions/agent_policy_v4';
-import { packagePolicyV15AdvancedFieldsForEndpointV816 } from './model_versions/security_solution/v15_advanced_package_policy_fields';
 
 /*
  * Saved object types and mappings
@@ -751,14 +750,6 @@ export const getSavedObjectTypes = (
             },
           ],
         },
-        '15': {
-          changes: [
-            {
-              type: 'data_backfill',
-              backfillFn: packagePolicyV15AdvancedFieldsForEndpointV816,
-            },
-          ],
-        },
       },
       migrations: {
         '7.10.0': migratePackagePolicyToV7100,

x-pack/plugins/fleet/server/saved_objects/model_versions/security_solution/v15_advanced_package_policy_fields.test.ts

@@ -1,157 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import type { SavedObject } from '@kbn/core-saved-objects-api-server';
-import type { ModelVersionTestMigrator } from '@kbn/core-test-helpers-model-versions';
-import { createModelVersionTestMigrator } from '@kbn/core-test-helpers-model-versions';
-import { set } from '@kbn/safer-lodash-set';
-
-import { getSavedObjectTypes } from '../..';
-
-import type { PackagePolicy } from '../../../../common';
-import { PACKAGE_POLICY_SAVED_OBJECT_TYPE } from '../../../../common';
-
-describe('Defend integration advanced policy fields v8.16.0', () => {
-  const TARGET_MODEL_VERSION = 15;
-
-  let migrator: ModelVersionTestMigrator;
-  let policyConfigSO: SavedObject<PackagePolicy>;
-
-  beforeEach(() => {
-    migrator = createModelVersionTestMigrator({
-      type: getSavedObjectTypes()[PACKAGE_POLICY_SAVED_OBJECT_TYPE],
-    });
-
-    policyConfigSO = {
-      id: 'mock-saved-object-id',
-      attributes: {
-        name: 'Some Policy Name',
-        package: {
-          name: 'endpoint',
-          title: '',
-          version: '',
-        },
-        id: 'endpoint',
-        policy_id: '',
-        policy_ids: [],
-        enabled: true,
-        namespace: '',
-        revision: 0,
-        updated_at: '',
-        updated_by: '',
-        created_at: '',
-        created_by: '',
-        inputs: [
-          {
-            type: 'endpoint',
-            enabled: true,
-            streams: [],
-            config: {
-              policy: {
-                value: {
-                  windows: {},
-                  mac: {},
-                  linux: {},
-                },
-              },
-            },
-          },
-        ],
-      },
-      type: PACKAGE_POLICY_SAVED_OBJECT_TYPE,
-      references: [],
-    };
-  });
-
-  /** Builds object key paths for all parent objects
-   *
-   * @param path e.g. `advanced.events.optionName`
-   * @returns e.g. ['advanced', 'advanced.events']
-   */
-  const getParentObjectKeyPaths = (path: string): string[] =>
-    path
-      .split('.') // ['advanced', 'events', 'optionName']
-      .slice(0, -1) // ['advanced', 'events']
-      .map((parentObject) => path.match(`^.*${parentObject}`)![0]); // ['advanced', 'advanced.events']
-
-  describe(`when updating to model version ${TARGET_MODEL_VERSION}`, () => {
-    describe.each`
-      name                               | path                                        | backfill
-      ${'aggregate_process'}             | ${'advanced.events.aggregate_process'}      | ${false}
-      ${'set_extended_host_information'} | ${'advanced.set_extended_host_information'} | ${true}
-      ${'alerts.hash.md5'}               | ${'advanced.alerts.hash.md5'}               | ${true}
-      ${'alerts.hash.sha1'}              | ${'advanced.alerts.hash.sha1'}              | ${true}
-      ${'events.hash.md5'}               | ${'advanced.events.hash.md5'}               | ${true}
-      ${'events.hash.sha1'}              | ${'advanced.events.hash.sha1'}              | ${true}
-    `(
-      'backfilling `$name` with `$backfill`',
-      ({ path, backfill }: { path: string; backfill: boolean }) => {
-        it('should backfill when there are no advanced options yet', () => {
-          const migratedPolicyConfigSO = migrator.migrate<PackagePolicy, PackagePolicy>({
-            document: policyConfigSO,
-            fromVersion: TARGET_MODEL_VERSION - 1,
-            toVersion: TARGET_MODEL_VERSION,
-          });
-
-          const migratedPolicyConfig = getConfig(migratedPolicyConfigSO);
-
-          expectConfigToHave(migratedPolicyConfig, path, backfill);
-        });
-
-        it.each(getParentObjectKeyPaths(path))(
-          'should backfill without modifying other options in parent object `%s`',
-          (parentObjectKeyPath) => {
-            const policyConfig = getConfig(policyConfigSO);
-            const dummyField = `${parentObjectKeyPath}.cheese`;
-            set(policyConfig.windows, dummyField, 'brie');
-            set(policyConfig.mac, dummyField, 'maasdam');
-            set(policyConfig.linux, dummyField, 'camambert');
-
-            const migratedPolicyConfigSO = migrator.migrate<PackagePolicy, PackagePolicy>({
-              document: policyConfigSO,
-              fromVersion: TARGET_MODEL_VERSION - 1,
-              toVersion: TARGET_MODEL_VERSION,
-            });
-
-            const migratedPolicyConfig = getConfig(migratedPolicyConfigSO);
-
-            expectConfigToHave(migratedPolicyConfig, path, backfill);
-            expect(migratedPolicyConfig.windows).toHaveProperty(dummyField, 'brie');
-            expect(migratedPolicyConfig.mac).toHaveProperty(dummyField, 'maasdam');
-            expect(migratedPolicyConfig.linux).toHaveProperty(dummyField, 'camambert');
-          }
-        );
-
-        it('should not backfill if field is already present', () => {
-          const policyConfig = getConfig(policyConfigSO);
-          set(policyConfig.windows, path, !backfill);
-          set(policyConfig.mac, path, !backfill);
-          set(policyConfig.linux, path, !backfill);
-
-          const migratedPolicyConfigSO = migrator.migrate<PackagePolicy, PackagePolicy>({
-            document: policyConfigSO,
-            fromVersion: TARGET_MODEL_VERSION - 1,
-            toVersion: TARGET_MODEL_VERSION,
-          });
-
-          const migratedPolicyConfig = getConfig(migratedPolicyConfigSO);
-
-          expectConfigToHave(migratedPolicyConfig, path, !backfill);
-        });
-      }
-    );
-  });
-
-  const getConfig = (so: SavedObject<PackagePolicy>) =>
-    so.attributes.inputs[0].config?.policy.value;
-
-  const expectConfigToHave = (config: any, path: string, value: string | boolean) => {
-    for (const os of ['windows', 'mac', 'linux']) {
-      expect(config[os]).toHaveProperty(path, value);
-    }
-  };
-});

x-pack/plugins/fleet/server/saved_objects/model_versions/security_solution/v15_advanced_package_policy_fields.ts

@@ -1,62 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import type {
-  SavedObjectModelDataBackfillFn,
-  SavedObjectUnsanitizedDoc,
-} from '@kbn/core-saved-objects-server';
-
-import type { PackagePolicy } from '../../../../common';
-
-export const packagePolicyV15AdvancedFieldsForEndpointV816: SavedObjectModelDataBackfillFn<
-  PackagePolicy,
-  PackagePolicy
-> = (packagePolicyDoc) => {
-  if (packagePolicyDoc.attributes.package?.name !== 'endpoint') {
-    return { attributes: packagePolicyDoc.attributes };
-  }
-
-  const updatedPackagePolicyDoc: SavedObjectUnsanitizedDoc<PackagePolicy> = packagePolicyDoc;
-
-  const input = updatedPackagePolicyDoc.attributes.inputs[0];
-
-  if (input && input.config) {
-    const policy = input.config.policy.value;
-
-    for (const os of ['windows', 'mac', 'linux']) {
-      const policyPerOs = policy[os];
-
-      policyPerOs.advanced = {
-        set_extended_host_information: true,
-        ...policyPerOs.advanced,
-
-        events: {
-          aggregate_process: false,
-          ...policyPerOs.advanced?.events,
-
-          hash: {
-            md5: true,
-            sha1: true,
-            ...policyPerOs.advanced?.events?.hash,
-          },
-        },
-
-        alerts: {
-          ...policyPerOs.advanced?.alerts,
-
-          hash: {
-            md5: true,
-            sha1: true,
-            ...policyPerOs.advanced?.alerts?.hash,
-          },
-        },
-      };
-    }
-  }
-
-  return { attributes: updatedPackagePolicyDoc.attributes };
-};

x-pack/plugins/security_solution/public/management/pages/policy/models/advanced_policy_schema.ts

@@ -2014,7 +2014,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.windows.advanced.events.aggregate_process',
       {
         defaultMessage:
-          'Reduce event volume by merging related process events into fewer aggregate events. Default is true.',
+          'Reduce event volume by merging related process events into fewer aggregate events. Default is false.',
       }
     ),
   },
@@ -2025,7 +2025,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.linux.advanced.events.aggregate_process',
       {
         defaultMessage:
-          'Reduce event volume by merging related process events into fewer aggregate events. Default is true.',
+          'Reduce event volume by merging related process events into fewer aggregate events. Default is false.',
       }
     ),
   },
@@ -2036,7 +2036,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.mac.advanced.events.aggregate_process',
       {
         defaultMessage:
-          'Reduce event volume by merging related process events into fewer aggregate events. Default is true.',
+          'Reduce event volume by merging related process events into fewer aggregate events. Default is false.',
       }
     ),
   },
@@ -2047,7 +2047,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.windows.advanced.alerts.hash.md5',
       {
         defaultMessage:
-          'Compute and include MD5 hashes in alerts?  This will increase CPU usage and alert sizes.  If any user exceptionlist, trustlist, or blocklists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.  Default: false',
+          'Compute and include MD5 hashes in alerts?  This will increase CPU usage and alert sizes.  If any user exceptionlist, trustlist, or blocklists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.  Default: true',
       }
     ),
   },
@@ -2058,7 +2058,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.windows.advanced.alerts.hash.sha1',
       {
         defaultMessage:
-          'Compute and include SHA-1 hashes in alerts?  This will increase CPU usage and alert sizes.  If any user exceptionlist, trustlist, or blocklists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.  Default: false',
+          'Compute and include SHA-1 hashes in alerts?  This will increase CPU usage and alert sizes.  If any user exceptionlist, trustlist, or blocklists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.  Default: true',
       }
     ),
   },
@@ -2069,7 +2069,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.windows.advanced.events.hash.md5',
       {
         defaultMessage:
-          'Compute and include MD5 hashes for processes and libraries in events?  This will increase CPU usage and event sizes.  Default: false',
+          'Compute and include MD5 hashes for processes and libraries in events?  This will increase CPU usage and event sizes.  Default: true',
       }
     ),
   },
@@ -2080,7 +2080,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.windows.advanced.events.hash.sha1',
       {
         defaultMessage:
-          'Compute and include SHA-1 hashes for processes and libraries in events?  This will increase CPU usage and event sizes.  Default: false',
+          'Compute and include SHA-1 hashes for processes and libraries in events?  This will increase CPU usage and event sizes.  Default: true',
       }
     ),
   },
@@ -2102,7 +2102,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.linux.advanced.alerts.hash.md5',
       {
         defaultMessage:
-          'Compute and include MD5 hashes in alerts?  This will increase CPU usage and alert sizes.  If any user exceptionlist, trustlist, or blocklists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.  Default: false',
+          'Compute and include MD5 hashes in alerts?  This will increase CPU usage and alert sizes.  If any user exceptionlist, trustlist, or blocklists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.  Default: true',
       }
     ),
   },
@@ -2113,7 +2113,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.linux.advanced.alerts.hash.sha1',
       {
         defaultMessage:
-          'Compute and include SHA-1 hashes in alerts?  This will increase CPU usage and alert sizes.  If any user exceptionlist, trustlist, or blocklists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.  Default: false',
+          'Compute and include SHA-1 hashes in alerts?  This will increase CPU usage and alert sizes.  If any user exceptionlist, trustlist, or blocklists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.  Default: true',
       }
     ),
   },
@@ -2124,7 +2124,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.linux.advanced.events.hash.md5',
       {
         defaultMessage:
-          'Compute and include MD5 hashes for processes and libraries in events?  This will increase CPU usage and event sizes.  Default: false',
+          'Compute and include MD5 hashes for processes and libraries in events?  This will increase CPU usage and event sizes.  Default: true',
       }
     ),
   },
@@ -2135,7 +2135,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.linux.advanced.events.hash.sha1',
       {
         defaultMessage:
-          'Compute and include SHA-1 hashes for processes and libraries in events?  This will increase CPU usage and event sizes.  Default: false',
+          'Compute and include SHA-1 hashes for processes and libraries in events?  This will increase CPU usage and event sizes.  Default: true',
       }
     ),
   },
@@ -2157,7 +2157,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.mac.advanced.alerts.hash.md5',
       {
         defaultMessage:
-          'Compute and include MD5 hashes in alerts?  This will increase CPU usage and alert sizes.  If any user exceptionlist, trustlist, or blocklists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.  Default: false',
+          'Compute and include MD5 hashes in alerts?  This will increase CPU usage and alert sizes.  If any user exceptionlist, trustlist, or blocklists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.  Default: true',
       }
     ),
   },
@@ -2168,7 +2168,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.mac.advanced.alerts.hash.sha1',
       {
         defaultMessage:
-          'Compute and include SHA-1 hashes in alerts?  This will increase CPU usage and alert sizes.  If any user exceptionlist, trustlist, or blocklists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.  Default: false',
+          'Compute and include SHA-1 hashes in alerts?  This will increase CPU usage and alert sizes.  If any user exceptionlist, trustlist, or blocklists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.  Default: true',
       }
     ),
   },
@@ -2179,7 +2179,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.mac.advanced.events.hash.md5',
       {
         defaultMessage:
-          'Compute and include MD5 hashes for processes and libraries in events?  This will increase CPU usage and event sizes.  Default: false',
+          'Compute and include MD5 hashes for processes and libraries in events?  This will increase CPU usage and event sizes.  Default: true',
       }
     ),
   },
@@ -2190,7 +2190,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.mac.advanced.events.hash.sha1',
       {
         defaultMessage:
-          'Compute and include SHA-1 hashes for processes and libraries in events?  This will increase CPU usage and event sizes.  Default: false',
+          'Compute and include SHA-1 hashes for processes and libraries in events?  This will increase CPU usage and event sizes.  Default: true',
       }
     ),
   },
@@ -2212,7 +2212,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.windows.advanced.set_extended_host_information',
       {
         defaultMessage:
-          'Include more details about hosts in events? Set to false to receive only id, name and os. Setting to true will increase event size.  Default: false',
+          'Include more details about hosts in events? Set to false to receive only id, name and os. Setting to true will increase event size.  Default: true',
       }
     ),
   },
@@ -2223,7 +2223,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.mac.advanced.set_extended_host_information',
       {
         defaultMessage:
-          'Include more details about hosts in events? Set to false to receive only id, name and os. Setting to true will increase event size.  Default: false',
+          'Include more details about hosts in events? Set to false to receive only id, name and os. Setting to true will increase event size.  Default: true',
       }
     ),
   },
@@ -2234,7 +2234,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
       'xpack.securitySolution.endpoint.policy.advanced.linux.advanced.set_extended_host_information',
       {
         defaultMessage:
-          'Include more details about hosts in events? Set to false to receive only id, name and os. Setting to true will increase event size.  Default: false',
+          'Include more details about hosts in events? Set to false to receive only id, name and os. Setting to true will increase event size.  Default: true',
       }
     ),
   },

x-pack/plugins/security_solution/public/management/pages/policy/view/policy_settings_form/components/event_merging_banner.tsx

@@ -10,6 +10,7 @@ import { i18n } from '@kbn/i18n';
 import { EuiCallOut, EuiLink, EuiText } from '@elastic/eui';
 import { FormattedMessage } from '@kbn/i18n-react';
 import { useKibana } from '@kbn/kibana-react-plugin/public';
+import { ENDPOINT_VERSION_SUPPORTING_EVENT_MERGING_BY_DEFAULT } from '../constants';
 
 export interface EventMergingBannerProps {
   onDismiss: () => void;
@@ -29,7 +30,7 @@ export const EventMergingBanner = memo<EventMergingBannerProps>(({ onDismiss })
       <EuiText size="s">
         <FormattedMessage
           id="xpack.securitySolution.endpoint.policy.eventMergingBanner.body"
-          defaultMessage="Elastic Agent 8.16+ produces less telemetry without reducing system visibility, which may impact existing event filters. For more about these changes and how to adjust your settings, visit our {documentation}."
+          defaultMessage="Elastic Agent {minVersion}+ produces less telemetry without reducing system visibility, which may impact existing event filters. For more about these changes and how to adjust your settings, visit our {documentation}."
           values={{
             documentation: (
               <EuiLink
@@ -43,6 +44,7 @@ export const EventMergingBanner = memo<EventMergingBannerProps>(({ onDismiss })
                 />
               </EuiLink>
             ),
+            minVersion: ENDPOINT_VERSION_SUPPORTING_EVENT_MERGING_BY_DEFAULT,
           }}
         />
       </EuiText>

x-pack/plugins/security_solution/public/management/pages/policy/view/policy_settings_form/constants.ts

@@ -0,0 +1,18 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+/**
+ * Event merging banner is hidden temporarily for 8.16 (and serverless).
+ * Probably will be enabled for 8.17 or 8.18, when we can change the defaults and trigger policy deploy by migration.
+ * Blocker issue: https://github.com/elastic/kibana/issues/193352
+ */
+export const ALLOW_SHOWING_EVENT_MERGING_BANNER = false;
+
+/**
+ * The version from which we decrease event volume by default.
+ */
+export const ENDPOINT_VERSION_SUPPORTING_EVENT_MERGING_BY_DEFAULT = '8.17';

x-pack/plugins/security_solution/public/management/pages/policy/view/policy_settings_form/policy_settings_form.test.tsx

@@ -27,6 +27,13 @@ import type { IStorageWrapper } from '@kbn/kibana-utils-plugin/public';
 
 jest.mock('../../../../../common/hooks/use_license');
 
+const mockAllowShowingEventMergingBannerConstantGetter = jest.fn();
+jest.mock('./constants', () => ({
+  get ALLOW_SHOWING_EVENT_MERGING_BANNER() {
+    return mockAllowShowingEventMergingBannerConstantGetter();
+  },
+}));
+
 describe('Endpoint Policy Settings Form', () => {
   const testSubj = getPolicySettingsFormTestSubjects('test');
 
@@ -50,10 +57,23 @@ describe('Endpoint Policy Settings Form', () => {
       'data-test-subj': 'test',
     };
 
+    mockAllowShowingEventMergingBannerConstantGetter.mockReturnValue(false);
+
     render = () => (renderResult = mockedContext.render(<PolicySettingsForm {...formProps} />));
   });
 
   describe('event merging banner', () => {
+    beforeEach(() => {
+      mockAllowShowingEventMergingBannerConstantGetter.mockReturnValue(true);
+    });
+
+    it('should hide the banner if its not allowed to be displayed', () => {
+      mockAllowShowingEventMergingBannerConstantGetter.mockReturnValue(false);
+
+      render();
+
+      expect(renderResult.queryByTestId('eventMergingCallout')).not.toBeInTheDocument();
+    });
     it('should show the event merging banner for 8.16 if it has never been dismissed', () => {
       render();
 

x-pack/plugins/security_solution/public/management/pages/policy/view/policy_settings_form/policy_settings_form.tsx

@@ -26,6 +26,7 @@ import { MalwareProtectionsCard } from './components/cards/malware_protections_c
 import type { PolicyFormComponentCommonProps } from './types';
 import { AdvancedSection } from './components/advanced_section';
 import { useTestIdGenerator } from '../../../../hooks/use_test_id_generator';
+import { ALLOW_SHOWING_EVENT_MERGING_BANNER } from './constants';
 
 const PROTECTIONS_SECTION_TITLE = i18n.translate(
   'xpack.securitySolution.endpoint.policy.details.protections',
@@ -45,7 +46,8 @@ export const PolicySettingsForm = memo<PolicySettingsFormProps>((props) => {
 
   const { storage } = useKibana().services;
   const [showEventMergingBanner, setShowEventMergingBanner] = useState(
-    storage.get('securitySolution.showEventMergingBanner') ?? true
+    ALLOW_SHOWING_EVENT_MERGING_BANNER &&
+      (storage.get('securitySolution.showEventMergingBanner') ?? true)
   );
   const onBannerDismiss = useCallback(() => {
     setShowEventMergingBanner(false);