diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/use_persistent_query.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/use_persistent_query.ts index 23238fd54fad5..5a79a580a7e1c 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/use_persistent_query.ts +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/use_persistent_query.ts @@ -8,6 +8,7 @@ import { useEffect, useRef } from 'react'; import { isEqual } from 'lodash'; import usePrevious from 'react-use/lib/usePrevious'; +import type { FieldHook } from '../../../../shared_imports'; import { useFormData, type FormHook } from '../../../../shared_imports'; import type { DefineStepRule } from '../../../../detections/pages/detection_engine/rules/types'; import { @@ -23,6 +24,9 @@ import { type FieldValueQueryBar, } from '../query_bar'; +const EQL_QUERY_LANGUAGE = 'eql'; +const ESQL_QUERY_LANGIAGE = 'esql'; + interface UsePersistentQueryParams { form: FormHook; ruleTypePath: string; @@ -42,14 +46,18 @@ export function usePersistentQuery({ watch: [ruleTypePath, queryPath], }); const previousRuleType = usePrevious(ruleType); - const queryRef = useRef(); - const eqlQueryRef = useRef(); - const esqlQueryRef = useRef(); + const queryRef = useRef(DEFAULT_KQL_QUERY_FIELD_VALUE); + const eqlQueryRef = useRef(DEFAULT_EQL_QUERY_FIELD_VALUE); + const esqlQueryRef = useRef(DEFAULT_ESQL_QUERY_FIELD_VALUE); useEffect(() => { - if (isEqlRule(ruleType)) { + if (!ruleType) { + return; + } + + if (currentQuery?.query?.language === EQL_QUERY_LANGUAGE) { eqlQueryRef.current = currentQuery; - } else if (isEsqlRule(ruleType)) { + } else if (currentQuery?.query?.language === ESQL_QUERY_LANGIAGE) { esqlQueryRef.current = currentQuery; } else { queryRef.current = currentQuery; @@ -57,42 +65,49 @@ export function usePersistentQuery({ }, [ruleType, currentQuery]); useEffect(() => { - if (ruleType === previousRuleType) { + if (ruleType === previousRuleType || !ruleType) { return; } - const queryField = form.getFields()[queryPath]; + const queryField = form.getFields()[queryPath] as FieldHook; - if (isEsqlRule(ruleType)) { + if (isEqlRule(ruleType) && queryField.value?.query?.language !== EQL_QUERY_LANGUAGE) { queryField.reset({ - defaultValue: esqlQueryRef.current ?? DEFAULT_ESQL_QUERY_FIELD_VALUE, + defaultValue: eqlQueryRef.current, }); return; } - if (isEqlRule(ruleType)) { + if (isEsqlRule(ruleType) && queryField.value?.query?.language !== ESQL_QUERY_LANGIAGE) { queryField.reset({ - defaultValue: eqlQueryRef.current ?? DEFAULT_EQL_QUERY_FIELD_VALUE, + defaultValue: esqlQueryRef.current, }); return; } - if (isThreatMatchRule(ruleType)) { + if (isThreatMatchRule(ruleType) && isEqual(queryRef.current, DEFAULT_KQL_QUERY_FIELD_VALUE)) { queryField.reset({ - defaultValue: isEqual(queryRef.current, DEFAULT_KQL_QUERY_FIELD_VALUE) - ? DEFAULT_THREAT_MATCH_KQL_QUERY_FIELD_VALUE - : queryRef.current, + defaultValue: DEFAULT_THREAT_MATCH_KQL_QUERY_FIELD_VALUE, }); return; } - queryField.reset({ - defaultValue: isEqual(queryRef.current, DEFAULT_THREAT_MATCH_KQL_QUERY_FIELD_VALUE) - ? DEFAULT_KQL_QUERY_FIELD_VALUE - : queryRef.current, - }); + if ( + isThreatMatchRule(previousRuleType) && + isEqual(queryRef.current, DEFAULT_THREAT_MATCH_KQL_QUERY_FIELD_VALUE) + ) { + queryField.reset({ + defaultValue: DEFAULT_KQL_QUERY_FIELD_VALUE, + }); + } + + if (isEqlRule(previousRuleType) || isEsqlRule(previousRuleType)) { + queryField.reset({ + defaultValue: queryRef.current ?? DEFAULT_KQL_QUERY_FIELD_VALUE, + }); + } }, [queryPath, ruleType, previousRuleType, form]); }