From 5a71d8445de185a7b6a73163a123b6a448f63f90 Mon Sep 17 00:00:00 2001
From: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com>
Date: Wed, 9 Oct 2024 15:56:42 +0100
Subject: [PATCH] [Security Solution][Detection Engine] fixes showing all the
fields for all indices when trying to edit filters in a rule (#194678)
## Summary
- addresses https://github.com/elastic/kibana/issues/179468
- fixes issue when rule configured with Data view
**Steps to reproduce:**
1. Create a minimal new index and corresponding data view
```JSON
PUT fields_index
PUT fields_index/_mapping
{
"properties": {
"@timestamp": {
"type": "date"
},
"field-1": {
"type": "keyword"
},
"field-2": {
"type": "keyword"
},
"field-3": {
"type": "keyword"
}
}
}
POST fields_index/_doc
{
"@timestamp": "2024-10-01T09:26:30.425Z",
"field-1": "test-0"
}
```
2. Create a security rule with that data view
3. Edit the rule and try to add a filter
4. Fields for all indices show up instead of the fields from the rule
index
5. Switching to indices and back to data view on rule form fixes issue
video with the bug
https://github.com/user-attachments/assets/fc83356d-d727-4662-856e-a4f0b386b71f
### Additional benefit of fixing the issue.
Previously, there would be 2 additional field_caps requests, querying
ALL indices in ES, when rule edit page loads and rule configured with
data view.
```
http://localhost:5601/kbn/internal/data_views/fields?pattern=&meta_fields=_source&meta_fields=_id&meta_fields=_index&meta_fields=_score&meta_fields=_ignored&allow_no_index=true&apiVersion=1
```
Notice that the `pattern=` query value is empty, which results in querying all
existing indices.
These requests are now eliminated.
#### Before
#### After
---
.../public/common/components/query_bar/index.tsx | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/x-pack/plugins/security_solution/public/common/components/query_bar/index.tsx b/x-pack/plugins/security_solution/public/common/components/query_bar/index.tsx
index 039860093e423..793ca853598b3 100644
--- a/x-pack/plugins/security_solution/public/common/components/query_bar/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/query_bar/index.tsx
@@ -5,7 +5,7 @@
* 2.0.
*/
-import { cloneDeep } from 'lodash';
+import { cloneDeep, isEmpty } from 'lodash';
import React, { memo, useMemo, useCallback, useState, useEffect } from 'react';
import deepEqual from 'fast-deep-equal';
@@ -125,7 +125,7 @@ export const QueryBar = memo(
let dv: DataView;
if (isDataView(indexPattern)) {
setDataView(indexPattern);
- } else if (!isEsql) {
+ } else if (!isEsql && !isEmpty(indexPattern.title)) {
const createDataView = async () => {
dv = await data.dataViews.create({ id: indexPattern.title, title: indexPattern.title });
setDataView(dv);
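Review bot: The added `!isEmpty(indexPattern.title)` condition on the `else if` rejects only a zero-length title, because lodash `isEmpty` returns false for a whitespace-only string. If such a title is treated downstream as an empty pattern, it would still reach `data.dataViews.create` and could bring back the all-indices field_caps request described in the commit message, so `!isEmpty(indexPattern.title.trim())` may be the safer check. The guard also deserves a why-comment, for example `// An empty title resolves to every index; skip creating a data view so fields from unrelated indices are not fetched or listed in the filter editor.` When the guard is false, no visible branch calls `setDataView`, so a previously set data view may stay in state. The enclosing effect starts and ends outside the hunk, so this cannot be confirmed from here.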