[Security Solution] Add ES|QL Query editable component (#199887)
**Partially addresses:** #171520 ## Summary This PR is built on top of #193828 and #196948 and adds an ES|QL Query editable component for Three Way Diff tab's final edit side of the upgrade prebuilt rule workflow. ## Details This PR extracts ES|QL Query edit component from Define rule form step and makes it reusable. The following changes were made - ES|QL validator was refactored and covered by unit tests - Query persistence was addressed and covered by tests (previous functionality didn't work out of the box and didn't have tests) ## How to test The simplest way to test is via patching installed prebuilt rules (a.k.a. downgrading a prebuilt rule) via Rule Patch API. Please follow steps below - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled - Run Kibana locally - Install an ES|QL prebuilt rule, e.g. `AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session` with rule_id `0cd2f3e6-41da-40e6-b28b-466f688f00a6` - Patch the installed rule by running a query below ```bash curl -X PATCH --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"rule_id":"0cd2f3e6-41da-40e6-b28b-466f688f00a6","version":1,"query":"from logs-*","language":"esql"}' http://localhost:5601/kbn/api/detection_engine/rules ``` - Open `Detection Rules (SIEM)` Page -> `Rule Updates` -> click on `AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session` rule -> expand `EQL Query` to see EQL Query -> press `Edit` button ## Screenshots <img width="2550" alt="image" src="https://github.com/user-attachments/assets/f65d04d5-9fd9-4d3f-8741-eba04a3be8a6"> <img width="2552" alt="image" src="https://github.com/user-attachments/assets/dd0a2613-5262-44b2-bbeb-d0ed34d57d9c">
Showing
59 changed files
with
1,375 additions
and
905 deletions.
50 changes: 0 additions & 50 deletions
50
x-pack/plugins/security_solution/public/common/utils/use_set_field_value_cb.test.ts
This file was deleted.
42 changes: 0 additions & 42 deletions
42
x-pack/plugins/security_solution/public/common/utils/use_set_field_value_cb.ts
This file was deleted.
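--- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_query_edit/esql_query_edit.tsx
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_query_edit/esql_query_edit.tsx
@@ -0,0 +1,88 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React, { memo, useMemo } from 'react';
+import { useQueryClient } from '@tanstack/react-query';
+import type { DataViewBase } from '@kbn/es-query';
+import { debounceAsync } from '@kbn/securitysolution-utils';
+import type { FieldConfig } from '../../../../shared_imports';
+import { UseField } from '../../../../shared_imports';
+import type { FieldValueQueryBar } from '../../../rule_creation_ui/components/query_bar_field';
+import { QueryBarField } from '../../../rule_creation_ui/components/query_bar_field';
+import { esqlQueryRequiredValidator } from './validators/esql_query_required_validator';
+import { esqlQueryValidatorFactory } from './validators/esql_query_validator_factory';
+import { EsqlInfoIcon } from './esql_info_icon';
+import * as i18n from './translations';
+
+interface EsqlQueryEditProps {
+  path: string;
+  fieldsToValidateOnChange?: string | string[];
+  dataView: DataViewBase;
+  required?: boolean;
+  loading?: boolean;
+  disabled?: boolean;
+  skipIdColumnCheck?: boolean;
+  onValidityChange?: (arg: boolean) => void;
+}
+
+export const EsqlQueryEdit = memo(function EsqlQueryEdit({
+  path,
+  fieldsToValidateOnChange,
+  dataView,
+  required = false,
+  loading = false,
+  disabled = false,
+  skipIdColumnCheck,
+  onValidityChange,
+}: EsqlQueryEditProps): JSX.Element {
+  const queryClient = useQueryClient();
+  const componentProps = useMemo(
+    () => ({
+      isDisabled: disabled,
+      isLoading: loading,
+      indexPattern: dataView,
+      idAria: 'ruleEsqlQueryBar',
+      dataTestSubj: 'ruleEsqlQueryBar',
+      onValidityChange,
+    }),
+    [dataView, loading, disabled, onValidityChange]
+  );
+  const fieldConfig: FieldConfig<FieldValueQueryBar> = useMemo(
+    () => ({
+      label: i18n.ESQL_QUERY,
+      labelAppend: <EsqlInfoIcon />,
+      fieldsToValidateOnChange: fieldsToValidateOnChange
+        ? [path, fieldsToValidateOnChange].flat()
+        : undefined,
+      validations: [
+        ...(required
+          ? [
+              {
+                validator: esqlQueryRequiredValidator,
+              },
+            ]
+          : []),
+        {
+          validator: debounceAsync(
+            esqlQueryValidatorFactory({ queryClient, skipIdColumnCheck }),
+            300
+          ),
+        },
+      ],
+    }),
+    [required, path, fieldsToValidateOnChange, queryClient, skipIdColumnCheck]
+  );
+
+  return (
+    <UseField
+      path={path}
+      component={QueryBarField}
+      componentProps={componentProps}
+      config={fieldConfig}
+    />
+  );
+});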
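Review bot: The interval passed to `debounceAsync` inside the validations array is a bare `300` with nothing saying it is milliseconds or why that value was chosen; hoist it to a named module constant, `const ESQL_VALIDATION_DEBOUNCE_MS = 300;`, and pass that instead. `EsqlQueryEditProps` and the exported `EsqlQueryEdit` also carry no TSDoc, so a consumer cannot tell what `skipIdColumnCheck` skips or that `fieldsToValidateOnChange` is merged with `path` before being handed to the form; a short `/** … */` on each of those two props and a one-line purpose comment on the component would cover it. Note also that because the whole validations array lives in the `useMemo`, any change to `required`, `path` or `fieldsToValidateOnChange` creates a fresh debounced validator and leaves a pending call on the previous instance uncancelled — I cannot tell from this file whether `debounceAsync` tolerates that, so worth confirming.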
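--- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_query_edit/index.ts
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_query_edit/index.ts
@@ -0,0 +1,9 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export * from './esql_query_edit';
+export * from './validators/error_codes';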
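--- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_query_edit/validators/error_codes.ts
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_query_edit/validators/error_codes.ts
@@ -0,0 +1,12 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export enum ESQL_ERROR_CODES {
+  INVALID_ESQL = 'ERR_INVALID_ESQL',
+  INVALID_SYNTAX = 'ERR_INVALID_SYNTAX',
+  ERR_MISSING_ID_FIELD_FROM_RESULT = 'ERR_MISSING_ID_FIELD_FROM_RESULT',
+}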
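Review bot: The third member name, `ERR_MISSING_ID_FIELD_FROM_RESULT`, keeps the `ERR_` prefix that the first two members carry only in their string values, so call sites end up mixing `ESQL_ERROR_CODES.INVALID_ESQL` with `ESQL_ERROR_CODES.ERR_MISSING_ID_FIELD_FROM_RESULT`. If nothing outside this commit already references the member by name, `MISSING_ID_FIELD_FROM_RESULT = 'ERR_MISSING_ID_FIELD_FROM_RESULT',` aligns the names while leaving the exported string value untouched, which matters because index.ts re-exports this enum and the value may be matched elsewhere. A one-line comment per member stating which validator produces it would also help, since this file gives no hint of where each code originates.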
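--- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_query_edit/validators/esql_query_required_validator.ts
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_query_edit/validators/esql_query_required_validator.ts
@@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { fieldValidators, type FormData, type ValidationFunc } from '../../../../../shared_imports';
+import type { FieldValueQueryBar } from '../../../../rule_creation_ui/components/query_bar_field';
+import * as i18n from './translations';
+
+export const esqlQueryRequiredValidator: ValidationFunc<FormData, string, FieldValueQueryBar> = (
+  data
+) => {
+  const { value } = data;
+  const esqlQuery = value.query.query as string;
+
+  return fieldValidators.emptyField(i18n.ESQL_QUERY_VALIDATION_REQUIRED)({
+    ...data,
+    value: esqlQuery,
+  });
+};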
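Review bot: `value.query.query as string` on the assignment line asserts the type rather than checking it; if `query.query` can hold something other than a string at runtime, `emptyField` receives a non-string value and the `as` cast hides it from the compiler. Prefer a runtime narrowing, `const esqlQuery = typeof value.query.query === 'string' ? value.query.query : '';`, or, if `FieldValueQueryBar` guarantees a string for this field, tighten that type so no assertion is needed here. There is also no guard against `value` itself being undefined; I cannot tell from this file whether the form can invoke the validator before the field has been populated, so that is worth confirming against the form library's contract.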