Skip to content

Commit

Permalink
[8.15] [Security Solution][Detection Engine] fixes showing all the fi…
Browse files Browse the repository at this point in the history
…elds for all indices when trying to edit filters in a rule (#194678) (#195783)

# Backport

This will backport the following commits from `main` to `8.15`:
- [[Security Solution][Detection Engine] fixes showing all the fields
for all indices when trying to edit filters in a rule
(#194678)](#194678)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Vitalii
Dmyterko","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-09T14:56:42Z","message":"[Security
Solution][Detection Engine] fixes showing all the fields for all indices
when trying to edit filters in a rule (#194678)\n\n## Summary\r\n\r\n -
addresses https://github.com/elastic/kibana/issues/179468\r\n - fixes
issue when rule configured with Data view\r\n \r\n**Steps to
reproduce:**\r\n\r\n1. Create a minimal new index and corresponding data
view\r\n ```JSON\r\n PUT fields_index\r\n PUT fields_index/_mapping\r\n
{\r\n \"properties\": {\r\n \"@timestamp\": {\r\n \"type\": \"date\"\r\n
},\r\n \"field-1\": {\r\n \"type\": \"keyword\"\r\n },\r\n \"field-2\":
{\r\n \"type\": \"keyword\"\r\n },\r\n \"field-3\": {\r\n \"type\":
\"keyword\"\r\n }\r\n }\r\n }\r\n \r\n POST fields_index/_doc\r\n {\r\n
\"@timestamp\": \"2024-10-01T09:26:30.425Z\",\r\n \"field-1\":
\"test-0\"\r\n }\r\n ```\r\n2. Create a security rule with that data
view\r\n3. Edit the rule and try to add a filter\r\n4. Fields for all
indices show up instead of the fields from the rule\r\nindex\r\n5.
Switching to indices and back to data view on rule form fixes
issue\r\n\r\n<details>\r\n<summary>video with the
bug</summary>\r\n\r\n\r\n\r\nhttps://github.com/user-attachments/assets/fc83356d-d727-4662-856e-a4f0b386b71f\r\n\r\n\r\n</details>\r\n\r\n###
Additional benefit of fixing the issue.\r\n\r\nPreviously, there would
be 2 additional field_caps requests, querying\r\nALL indices in ES, when
rule edit page loads and rule configured with\r\ndata
view.\r\n\r\n```\r\nhttp://localhost:5601/kbn/internal/data_views/fields?pattern=&meta_fields=_source&meta_fields=_id&meta_fields=_index&meta_fields=_score&meta_fields=_ignored&allow_no_index=true&apiVersion=1\r\n```\r\nNotice,
there is `pattern=` query value, which results in querying
all\r\nexisting indices\r\nNow, these requests
eliminated.\r\n\r\n\r\n#### Before\r\n<img width=\"2551\"
alt=\"Screenshot 2024-10-02 at 18 21
04\"\r\nsrc=\"https://github.com/user-attachments/assets/aa2b6acb-897d-488f-9ddd-409379c6b54a\">\r\n\r\n\r\n####
After\r\n\r\n<img width=\"2557\" alt=\"Screenshot 2024-10-02 at 18 22
41\"\r\nsrc=\"https://github.com/user-attachments/assets/baeeecda-bf16-4d37-ae07-3cdc136d18b4\">","sha":"5a71d8445de185a7b6a73163a123b6a448f63f90","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","v9.0.0","Team:
SecuritySolution","backport:prev-major","Team:Detection Engine","8.16
candidate","v8.16.0"],"title":"[Security Solution][Detection Engine]
fixes showing all the fields for all indices when trying to edit filters
in a
rule","number":194678,"url":"https://github.com/elastic/kibana/pull/194678","mergeCommit":{"message":"[Security
Solution][Detection Engine] fixes showing all the fields for all indices
when trying to edit filters in a rule (#194678)\n\n## Summary\r\n\r\n -
addresses https://github.com/elastic/kibana/issues/179468\r\n - fixes
issue when rule configured with Data view\r\n \r\n**Steps to
reproduce:**\r\n\r\n1. Create a minimal new index and corresponding data
view\r\n ```JSON\r\n PUT fields_index\r\n PUT fields_index/_mapping\r\n
{\r\n \"properties\": {\r\n \"@timestamp\": {\r\n \"type\": \"date\"\r\n
},\r\n \"field-1\": {\r\n \"type\": \"keyword\"\r\n },\r\n \"field-2\":
{\r\n \"type\": \"keyword\"\r\n },\r\n \"field-3\": {\r\n \"type\":
\"keyword\"\r\n }\r\n }\r\n }\r\n \r\n POST fields_index/_doc\r\n {\r\n
\"@timestamp\": \"2024-10-01T09:26:30.425Z\",\r\n \"field-1\":
\"test-0\"\r\n }\r\n ```\r\n2. Create a security rule with that data
view\r\n3. Edit the rule and try to add a filter\r\n4. Fields for all
indices show up instead of the fields from the rule\r\nindex\r\n5.
Switching to indices and back to data view on rule form fixes
issue\r\n\r\n<details>\r\n<summary>video with the
bug</summary>\r\n\r\n\r\n\r\nhttps://github.com/user-attachments/assets/fc83356d-d727-4662-856e-a4f0b386b71f\r\n\r\n\r\n</details>\r\n\r\n###
Additional benefit of fixing the issue.\r\n\r\nPreviously, there would
be 2 additional field_caps requests, querying\r\nALL indices in ES, when
rule edit page loads and rule configured with\r\ndata
view.\r\n\r\n```\r\nhttp://localhost:5601/kbn/internal/data_views/fields?pattern=&meta_fields=_source&meta_fields=_id&meta_fields=_index&meta_fields=_score&meta_fields=_ignored&allow_no_index=true&apiVersion=1\r\n```\r\nNotice,
there is `pattern=` query value, which results in querying
all\r\nexisting indices\r\nNow, these requests
eliminated.\r\n\r\n\r\n#### Before\r\n<img width=\"2551\"
alt=\"Screenshot 2024-10-02 at 18 21
04\"\r\nsrc=\"https://github.com/user-attachments/assets/aa2b6acb-897d-488f-9ddd-409379c6b54a\">\r\n\r\n\r\n####
After\r\n\r\n<img width=\"2557\" alt=\"Screenshot 2024-10-02 at 18 22
41\"\r\nsrc=\"https://github.com/user-attachments/assets/baeeecda-bf16-4d37-ae07-3cdc136d18b4\">","sha":"5a71d8445de185a7b6a73163a123b6a448f63f90"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/194678","number":194678,"mergeCommit":{"message":"[Security
Solution][Detection Engine] fixes showing all the fields for all indices
when trying to edit filters in a rule (#194678)\n\n## Summary\r\n\r\n -
addresses https://github.com/elastic/kibana/issues/179468\r\n - fixes
issue when rule configured with Data view\r\n \r\n**Steps to
reproduce:**\r\n\r\n1. Create a minimal new index and corresponding data
view\r\n ```JSON\r\n PUT fields_index\r\n PUT fields_index/_mapping\r\n
{\r\n \"properties\": {\r\n \"@timestamp\": {\r\n \"type\": \"date\"\r\n
},\r\n \"field-1\": {\r\n \"type\": \"keyword\"\r\n },\r\n \"field-2\":
{\r\n \"type\": \"keyword\"\r\n },\r\n \"field-3\": {\r\n \"type\":
\"keyword\"\r\n }\r\n }\r\n }\r\n \r\n POST fields_index/_doc\r\n {\r\n
\"@timestamp\": \"2024-10-01T09:26:30.425Z\",\r\n \"field-1\":
\"test-0\"\r\n }\r\n ```\r\n2. Create a security rule with that data
view\r\n3. Edit the rule and try to add a filter\r\n4. Fields for all
indices show up instead of the fields from the rule\r\nindex\r\n5.
Switching to indices and back to data view on rule form fixes
issue\r\n\r\n<details>\r\n<summary>video with the
bug</summary>\r\n\r\n\r\n\r\nhttps://github.com/user-attachments/assets/fc83356d-d727-4662-856e-a4f0b386b71f\r\n\r\n\r\n</details>\r\n\r\n###
Additional benefit of fixing the issue.\r\n\r\nPreviously, there would
be 2 additional field_caps requests, querying\r\nALL indices in ES, when
rule edit page loads and rule configured with\r\ndata
view.\r\n\r\n```\r\nhttp://localhost:5601/kbn/internal/data_views/fields?pattern=&meta_fields=_source&meta_fields=_id&meta_fields=_index&meta_fields=_score&meta_fields=_ignored&allow_no_index=true&apiVersion=1\r\n```\r\nNotice,
there is `pattern=` query value, which results in querying
all\r\nexisting indices\r\nNow, these requests
eliminated.\r\n\r\n\r\n#### Before\r\n<img width=\"2551\"
alt=\"Screenshot 2024-10-02 at 18 21
04\"\r\nsrc=\"https://github.com/user-attachments/assets/aa2b6acb-897d-488f-9ddd-409379c6b54a\">\r\n\r\n\r\n####
After\r\n\r\n<img width=\"2557\" alt=\"Screenshot 2024-10-02 at 18 22
41\"\r\nsrc=\"https://github.com/user-attachments/assets/baeeecda-bf16-4d37-ae07-3cdc136d18b4\">","sha":"5a71d8445de185a7b6a73163a123b6a448f63f90"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/195624","number":195624,"state":"MERGED","mergeCommit":{"sha":"2e2ba4c6c0ac60cad7dfefc83abad31cdfccb05e","message":"[8.x]
[Security Solution][Detection Engine] fixes showing all the fields for
all indices when trying to edit filters in a rule (#194678)
(#195624)\n\n# Backport\n\nThis will backport the following commits from
`main` to `8.x`:\n- [[Security Solution][Detection Engine] fixes showing
all the fields\nfor all indices when trying to edit filters in a
rule\n(#194678)](https://github.com/elastic/kibana/pull/194678)\n\n<!---
Backport version: 9.4.3 -->\n\n### Questions ?\nPlease refer to the
[Backport
tool\ndocumentation](https://github.com/sqren/backport)\n\n<!--BACKPORT
[{\"author\":{\"name\":\"Vitalii\nDmyterko\",\"email\":\"[email protected]\"},\"sourceCommit\":{\"committedDate\":\"2024-10-09T14:56:42Z\",\"message\":\"[Security\nSolution][Detection
Engine] fixes showing all the fields for all indices\nwhen trying to
edit filters in a rule (#194678)\\n\\n## Summary\\r\\n\\r\\n
-\naddresses https://github.com/elastic/kibana/issues/179468\\r\\n -
fixes\nissue when rule configured with Data view\\r\\n \\r\\n**Steps
to\nreproduce:**\\r\\n\\r\\n1. Create a minimal new index and
corresponding data\nview\\r\\n ```JSON\\r\\n PUT fields_index\\r\\n PUT
fields_index/_mapping\\r\\n\n{\\r\\n \\\"properties\\\": {\\r\\n
\\\"@timestamp\\\": {\\r\\n \\\"type\\\": \\\"date\\\"\\r\\n\n},\\r\\n
\\\"field-1\\\": {\\r\\n \\\"type\\\": \\\"keyword\\\"\\r\\n },\\r\\n
\\\"field-2\\\":\n{\\r\\n \\\"type\\\": \\\"keyword\\\"\\r\\n },\\r\\n
\\\"field-3\\\": {\\r\\n \\\"type\\\":\n\\\"keyword\\\"\\r\\n }\\r\\n
}\\r\\n }\\r\\n \\r\\n POST fields_index/_doc\\r\\n
{\\r\\n\n\\\"@timestamp\\\": \\\"2024-10-01T09:26:30.425Z\\\",\\r\\n
\\\"field-1\\\":\n\\\"test-0\\\"\\r\\n }\\r\\n ```\\r\\n2. Create a
security rule with that data\nview\\r\\n3. Edit the rule and try to add
a filter\\r\\n4. Fields for all\nindices show up instead of the fields
from the rule\\r\\nindex\\r\\n5.\nSwitching to indices and back to data
view on rule form fixes\nissue\\r\\n\\r\\n<details>\\r\\n<summary>video
with
the\nbug</summary>\\r\\n\\r\\n\\r\\n\\r\\nhttps://github.com/user-attachments/assets/fc83356d-d727-4662-856e-a4f0b386b71f\\r\\n\\r\\n\\r\\n</details>\\r\\n\\r\\n###\nAdditional
benefit of fixing the issue.\\r\\n\\r\\nPreviously, there would\nbe 2
additional field_caps requests, querying\\r\\nALL indices in ES,
when\nrule edit page loads and rule configured
with\\r\\ndata\nview.\\r\\n\\r\\n```\\r\\nhttp://localhost:5601/kbn/internal/data_views/fields?pattern=&meta_fields=_source&meta_fields=_id&meta_fields=_index&meta_fields=_score&meta_fields=_ignored&allow_no_index=true&apiVersion=1\\r\\n```\\r\\nNotice,\nthere
is `pattern=` query value, which results in querying\nall\\r\\nexisting
indices\\r\\nNow, these requests\neliminated.\\r\\n\\r\\n\\r\\n####
Before\\r\\n<img width=\\\"2551\\\"\nalt=\\\"Screenshot 2024-10-02 at 18
21\n04\\\"\\r\\nsrc=\\\"https://github.com/user-attachments/assets/aa2b6acb-897d-488f-9ddd-409379c6b54a\\\">\\r\\n\\r\\n\\r\\n####\nAfter\\r\\n\\r\\n<img
width=\\\"2557\\\" alt=\\\"Screenshot 2024-10-02 at 18
22\n41\\\"\\r\\nsrc=\\\"https://github.com/user-attachments/assets/baeeecda-bf16-4d37-ae07-3cdc136d18b4\\\">\",\"sha\":\"5a71d8445de185a7b6a73163a123b6a448f63f90\",\"branchLabelMapping\":{\"^v9.0.0$\":\"main\",\"^v8.16.0$\":\"8.x\",\"^v(\\\\d+).(\\\\d+).\\\\d+$\":\"$1.$2\"}},\"sourcePullRequest\":{\"labels\":[\"release_note:fix\",\"v9.0.0\",\"Team:\nSecuritySolution\",\"backport:prev-minor\",\"Team:Detection
Engine\",\"8.16\ncandidate\"],\"title\":\"[Security Solution][Detection
Engine] fixes showing\nall the fields for all indices when trying to
edit filters in
a\nrule\",\"number\":194678,\"url\":\"https://github.com/elastic/kibana/pull/194678\",\"mergeCommit\":{\"message\":\"[Security\nSolution][Detection
Engine] fixes showing all the fields for all indices\nwhen trying to
edit filters in a rule (#194678)\\n\\n## Summary\\r\\n\\r\\n
-\naddresses https://github.com/elastic/kibana/issues/179468\\r\\n -
fixes\nissue when rule configured with Data view\\r\\n \\r\\n**Steps
to\nreproduce:**\\r\\n\\r\\n1. Create a minimal new index and
corresponding data\nview\\r\\n ```JSON\\r\\n PUT fields_index\\r\\n PUT
fields_index/_mapping\\r\\n\n{\\r\\n \\\"properties\\\": {\\r\\n
\\\"@timestamp\\\": {\\r\\n \\\"type\\\": \\\"date\\\"\\r\\n\n},\\r\\n
\\\"field-1\\\": {\\r\\n \\\"type\\\": \\\"keyword\\\"\\r\\n },\\r\\n
\\\"field-2\\\":\n{\\r\\n \\\"type\\\": \\\"keyword\\\"\\r\\n },\\r\\n
\\\"field-3\\\": {\\r\\n \\\"type\\\":\n\\\"keyword\\\"\\r\\n }\\r\\n
}\\r\\n }\\r\\n \\r\\n POST fields_index/_doc\\r\\n
{\\r\\n\n\\\"@timestamp\\\": \\\"2024-10-01T09:26:30.425Z\\\",\\r\\n
\\\"field-1\\\":\n\\\"test-0\\\"\\r\\n }\\r\\n ```\\r\\n2. Create a
security rule with that data\nview\\r\\n3. Edit the rule and try to add
a filter\\r\\n4. Fields for all\nindices show up instead of the fields
from the rule\\r\\nindex\\r\\n5.\nSwitching to indices and back to data
view on rule form fixes\nissue\\r\\n\\r\\n<details>\\r\\n<summary>video
with
the\nbug</summary>\\r\\n\\r\\n\\r\\n\\r\\nhttps://github.com/user-attachments/assets/fc83356d-d727-4662-856e-a4f0b386b71f\\r\\n\\r\\n\\r\\n</details>\\r\\n\\r\\n###\nAdditional
benefit of fixing the issue.\\r\\n\\r\\nPreviously, there would\nbe 2
additional field_caps requests, querying\\r\\nALL indices in ES,
when\nrule edit page loads and rule configured
with\\r\\ndata\nview.\\r\\n\\r\\n```\\r\\nhttp://localhost:5601/kbn/internal/data_views/fields?pattern=&meta_fields=_source&meta_fields=_id&meta_fields=_index&meta_fields=_score&meta_fields=_ignored&allow_no_index=true&apiVersion=1\\r\\n```\\r\\nNotice,\nthere
is `pattern=` query value, which results in querying\nall\\r\\nexisting
indices\\r\\nNow, these requests\neliminated.\\r\\n\\r\\n\\r\\n####
Before\\r\\n<img width=\\\"2551\\\"\nalt=\\\"Screenshot 2024-10-02 at 18
21\n04\\\"\\r\\nsrc=\\\"https://github.com/user-attachments/assets/aa2b6acb-897d-488f-9ddd-409379c6b54a\\\">\\r\\n\\r\\n\\r\\n####\nAfter\\r\\n\\r\\n<img
width=\\\"2557\\\" alt=\\\"Screenshot 2024-10-02 at 18
22\n41\\\"\\r\\nsrc=\\\"https://github.com/user-attachments/assets/baeeecda-bf16-4d37-ae07-3cdc136d18b4\\\">\",\"sha\":\"5a71d8445de185a7b6a73163a123b6a448f63f90\"}},\"sourceBranch\":\"main\",\"suggestedTargetBranches\":[],\"targetPullRequestStates\":[{\"branch\":\"main\",\"label\":\"v9.0.0\",\"branchLabelMappingKey\":\"^v9.0.0$\",\"isSourceBranch\":true,\"state\":\"MERGED\",\"url\":\"https://github.com/elastic/kibana/pull/194678\",\"number\":194678,\"mergeCommit\":{\"message\":\"[Security\nSolution][Detection
Engine] fixes showing all the fields for all indices\nwhen trying to
edit filters in a rule (#194678)\\n\\n## Summary\\r\\n\\r\\n
-\naddresses https://github.com/elastic/kibana/issues/179468\\r\\n -
fixes\nissue when rule configured with Data view\\r\\n \\r\\n**Steps
to\nreproduce:**\\r\\n\\r\\n1. Create a minimal new index and
corresponding data\nview\\r\\n ```JSON\\r\\n PUT fields_index\\r\\n PUT
fields_index/_mapping\\r\\n\n{\\r\\n \\\"properties\\\": {\\r\\n
\\\"@timestamp\\\": {\\r\\n \\\"type\\\": \\\"date\\\"\\r\\n\n},\\r\\n
\\\"field-1\\\": {\\r\\n \\\"type\\\": \\\"keyword\\\"\\r\\n },\\r\\n
\\\"field-2\\\":\n{\\r\\n \\\"type\\\": \\\"keyword\\\"\\r\\n },\\r\\n
\\\"field-3\\\": {\\r\\n \\\"type\\\":\n\\\"keyword\\\"\\r\\n }\\r\\n
}\\r\\n }\\r\\n \\r\\n POST fields_index/_doc\\r\\n
{\\r\\n\n\\\"@timestamp\\\": \\\"2024-10-01T09:26:30.425Z\\\",\\r\\n
\\\"field-1\\\":\n\\\"test-0\\\"\\r\\n }\\r\\n ```\\r\\n2. Create a
security rule with that data\nview\\r\\n3. Edit the rule and try to add
a filter\\r\\n4. Fields for all\nindices show up instead of the fields
from the rule\\r\\nindex\\r\\n5.\nSwitching to indices and back to data
view on rule form fixes\nissue\\r\\n\\r\\n<details>\\r\\n<summary>video
with
the\nbug</summary>\\r\\n\\r\\n\\r\\n\\r\\nhttps://github.com/user-attachments/assets/fc83356d-d727-4662-856e-a4f0b386b71f\\r\\n\\r\\n\\r\\n</details>\\r\\n\\r\\n###\nAdditional
benefit of fixing the issue.\\r\\n\\r\\nPreviously, there would\nbe 2
additional field_caps requests, querying\\r\\nALL indices in ES,
when\nrule edit page loads and rule configured
with\\r\\ndata\nview.\\r\\n\\r\\n```\\r\\nhttp://localhost:5601/kbn/internal/data_views/fields?pattern=&meta_fields=_source&meta_fields=_id&meta_fields=_index&meta_fields=_score&meta_fields=_ignored&allow_no_index=true&apiVersion=1\\r\\n```\\r\\nNotice,\nthere
is `pattern=` query value, which results in querying\nall\\r\\nexisting
indices\\r\\nNow, these requests\neliminated.\\r\\n\\r\\n\\r\\n####
Before\\r\\n<img width=\\\"2551\\\"\nalt=\\\"Screenshot 2024-10-02 at 18
21\n04\\\"\\r\\nsrc=\\\"https://github.com/user-attachments/assets/aa2b6acb-897d-488f-9ddd-409379c6b54a\\\">\\r\\n\\r\\n\\r\\n####\nAfter\\r\\n\\r\\n<img
width=\\\"2557\\\" alt=\\\"Screenshot 2024-10-02 at 18
22\n41\\\"\\r\\nsrc=\\\"https://github.com/user-attachments/assets/baeeecda-bf16-4d37-ae07-3cdc136d18b4\\\">\",\"sha\":\"5a71d8445de185a7b6a73163a123b6a448f63f90\"}}]}]\nBACKPORT-->\n\nCo-authored-by:
Vitalii Dmyterko <[email protected]>"}}]}]
BACKPORT-->

Co-authored-by: Vitalii Dmyterko <[email protected]>
  • Loading branch information
kibanamachine and vitaliidm authored Oct 10, 2024
1 parent 99f139c commit 4f86694
Showing 1 changed file with 2 additions and 2 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
* 2.0.
*/

import { cloneDeep } from 'lodash';
import { cloneDeep, isEmpty } from 'lodash';
import React, { memo, useMemo, useCallback, useState, useEffect } from 'react';
import deepEqual from 'fast-deep-equal';

Expand Down Expand Up @@ -125,7 +125,7 @@ export const QueryBar = memo<QueryBarComponentProps>(
let dv: DataView;
if (isDataView(indexPattern)) {
setDataView(indexPattern);
} else if (!isEsql) {
} else if (!isEsql && !isEmpty(indexPattern.title)) {
const createDataView = async () => {
dv = await data.dataViews.create({ id: indexPattern.title, title: indexPattern.title });
setDataView(dv);
Expand Down

0 comments on commit 4f86694

Please sign in to comment.