[Security Solution] Editing rules independently of source data (#180407) #191487
+898
−138
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
e40pud
added
Team: SecuritySolution
|
/ci |
|
/ci |
|
@elasticmachine merge upstream |
|
/ci |
|
/ci |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-detection-engine (Team:Detection Engine) |
|
@elasticmachine merge upstream |
vitaliidm
reviewed
Aug 29, 2024
x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/translations.ts
Outdated
Show resolved
Hide resolved
...gins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_editing/index.tsx
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/form.tsx
Outdated
Show resolved
Hide resolved
| @@ -559,7 +633,8 @@ const CreateRulePageComponent: React.FC = () => { | |||
| ); | |||
| const memoDefineStepExtraAction = useMemo( | |||
| () => | |||
| defineStepForm.isValid && ( | |||
| defineStepForm.isValid !== undefined && | |||
| activeStep !== RuleStep.defineRule && ( | |||
There was a problem hiding this comment.
why extra condition is needed here?
| * 2.0. | ||
| */ | ||
|
|
||
| import React from 'react'; |
There was a problem hiding this comment.
is this fine user that user sees some error, but can't go to Definition tab or see error itself?
I imagine it will be a case until full support of prebuilt rule editing will be released.
But before that, it can affect Serverless releases
There was a problem hiding this comment.
What you see right now is the current behaviour on both ESS and Serverless. Users are unable to modify prebuilt rules. They have to duplicate prebuilt rules right now to be able to adjust rule's properties.
The whole "rule customization" effort will allow user to do that without duplication.
There was a problem hiding this comment.
I am aware, prebuilt rule can't be modified.
It's the fact that we show user step is invalid without showing actual error and additional information how that can affect rule's behavior.
Is there a way for user in this situation to see actual error?
There was a problem hiding this comment.
As discussed here is the ticket to discuss this behaviour #191832
x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/form.tsx
Show resolved
Hide resolved
...ins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/index.tsx
Outdated
Show resolved
Hide resolved
…creation_ui/pages/translations.ts Co-authored-by: Vitalii Dmyterko <[email protected]>
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
- memoize callbacks - clarify multiple EQL validation errors functionality - comments to clarify step editing button visibility conditions - add unit tests for `useRuleFormsErrors`
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]Module Count
Async chunks
History
To update your PR or re-run it, just comment with: cc @e40pud |
Flaky Test Runner Stats🟠 Some tests failed. - kibana-flaky-test-suite-runner#6830[❌] Security Solution Rule Management - Cypress: 75/100 tests passed. |
vitaliidm
approved these changes
Aug 30, 2024
kibanamachine
added
v8.16.0
backport:skip
Flaky Test Runner Stats🟠 Some tests failed. - kibana-flaky-test-suite-runner#6828[❌] Security Solution Detection Engine - Cypress: 30/100 tests passed. |
Flaky Test Runner Stats🟠 Some tests failed. - kibana-flaky-test-suite-runner#6831[❌] Security Solution Detection Engine - Cypress: 49/100 tests passed. |
Merged
1 task
e40pud
added a commit
that referenced
this pull request
Sep 13, 2024
… editing (#191832) (#192683) ## Summary Partially addressed #191832 With these changes: - We revert to the #180407 (comment). Specifically, we return back the validation errors to the modal window. An example of this modal is in the ticket description. - Additionally, on the Rule Editing page and **only for prebuilt rules** we: 1) hide the callout that says "You have an invalid input in this tab: ...", and 2) we don't show the modal if there are any data validation errors. We shouldn't show this modal and this callout until we release the prebuilt rule customization feature. 3) We will only validate the Actions tab. - Fix MKI flaky cypress tests introduced in #191487 ([1](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/b1f442af-db44-8029-a9fb-7e3d988303b3?branch=main), [2](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/995655b6-ae70-86fd-b483-c65846cd8d66?branch=main), [3](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/02318f5c-6ca1-8779-a5a4-60f52a55b344?branch=main)). All three tests are failing due to missing `[data-test-subj="eqlRuleType"]` element. After checking and comparing my tests to other similar tests in the file, the only difference that I've found was extra `login();` call. Thus removing those. Here is the screen recording showing the new behaviour for prebuilt rules. The has missing data source query validation error, though we do not show it and allow user just to save the rule. Only Actions tab is validated on rule save action. https://github.com/user-attachments/assets/ce968f51-1a53-41b2-ad06-1b31dec085a6 ### Checklist Delete any items that are not applicable to this PR. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed * [Detection Engine - Cypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6925) (100 ESS & 100 Serverless) * [Rule Management - Cypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6926) (100 ESS & 100 Serverless) * [Prebuilt Rules - Cypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6927) (100 ESS & 100 Serverless)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Sep 13, 2024
… editing (elastic#191832) (elastic#192683) ## Summary Partially addressed elastic#191832 With these changes: - We revert to the elastic#180407 (comment). Specifically, we return back the validation errors to the modal window. An example of this modal is in the ticket description. - Additionally, on the Rule Editing page and **only for prebuilt rules** we: 1) hide the callout that says "You have an invalid input in this tab: ...", and 2) we don't show the modal if there are any data validation errors. We shouldn't show this modal and this callout until we release the prebuilt rule customization feature. 3) We will only validate the Actions tab. - Fix MKI flaky cypress tests introduced in elastic#191487 ([1](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/b1f442af-db44-8029-a9fb-7e3d988303b3?branch=main), [2](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/995655b6-ae70-86fd-b483-c65846cd8d66?branch=main), [3](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/02318f5c-6ca1-8779-a5a4-60f52a55b344?branch=main)). All three tests are failing due to missing `[data-test-subj="eqlRuleType"]` element. After checking and comparing my tests to other similar tests in the file, the only difference that I've found was extra `login();` call. Thus removing those. Here is the screen recording showing the new behaviour for prebuilt rules. The has missing data source query validation error, though we do not show it and allow user just to save the rule. Only Actions tab is validated on rule save action. https://github.com/user-attachments/assets/ce968f51-1a53-41b2-ad06-1b31dec085a6 ### Checklist Delete any items that are not applicable to this PR. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed * [Detection Engine - Cypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6925) (100 ESS & 100 Serverless) * [Rule Management - Cypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6926) (100 ESS & 100 Serverless) * [Prebuilt Rules - Cypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6927) (100 ESS & 100 Serverless) (cherry picked from commit c937e95)
kibanamachine
added a commit
that referenced
this pull request
Sep 13, 2024
…t rule editing (#191832) (#192683) (#192819) # Backport This will backport the following commits from `main` to `8.x`: - [[Security Solution] Add validation error description on prebuilt rule editing (#191832) (#192683)](#192683) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Ievgen Sorokopud","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-09-13T08:37:39Z","message":"[Security Solution] Add validation error description on prebuilt rule editing (#191832) (#192683)\n\n## Summary\r\n\r\nPartially addressed https://github.com/elastic/kibana/issues/191832\r\n\r\nWith these changes:\r\n- We revert to the\r\nhttps://github.com//issues/180407#issuecomment-2312891214.\r\nSpecifically, we return back the validation errors to the modal window.\r\nAn example of this modal is in the ticket description.\r\n- Additionally, on the Rule Editing page and **only for prebuilt rules**\r\nwe: 1) hide the callout that says \"You have an invalid input in this\r\ntab: ...\", and 2) we don't show the modal if there are any data\r\nvalidation errors. We shouldn't show this modal and this callout until\r\nwe release the prebuilt rule customization feature. 3) We will only\r\nvalidate the Actions tab.\r\n- Fix MKI flaky cypress tests introduced in\r\nhttps://github.com//pull/191487\r\n([1](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/b1f442af-db44-8029-a9fb-7e3d988303b3?branch=main),\r\n[2](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/995655b6-ae70-86fd-b483-c65846cd8d66?branch=main),\r\n[3](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/02318f5c-6ca1-8779-a5a4-60f52a55b344?branch=main)).\r\nAll three tests are failing due to missing\r\n`[data-test-subj=\"eqlRuleType\"]` element. After checking and comparing\r\nmy tests to other similar tests in the file, the only difference that\r\nI've found was extra `login();` call. Thus removing those.\r\n\r\nHere is the screen recording showing the new behaviour for prebuilt\r\nrules. The has missing data source query validation error, though we do\r\nnot show it and allow user just to save the rule. Only Actions tab is\r\nvalidated on rule save action.\r\n\r\n\r\nhttps://github.com/user-attachments/assets/ce968f51-1a53-41b2-ad06-1b31dec085a6\r\n\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [ ] [Flaky Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\r\nused on any tests changed\r\n* [Detection Engine -\r\nCypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6925)\r\n(100 ESS & 100 Serverless)\r\n* [Rule Management -\r\nCypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6926)\r\n(100 ESS & 100 Serverless)\r\n* [Prebuilt Rules -\r\nCypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6927)\r\n(100 ESS & 100 Serverless)","sha":"c937e95e3137821b510fa480ee28f0cf3afb85ad","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team: SecuritySolution","ci:cloud-deploy","Team:Detection Engine","ci:project-deploy-security","v8.16.0"],"title":"[Security Solution] Add validation error description on prebuilt rule editing (#191832)","number":192683,"url":"https://github.com/elastic/kibana/pull/192683","mergeCommit":{"message":"[Security Solution] Add validation error description on prebuilt rule editing (#191832) (#192683)\n\n## Summary\r\n\r\nPartially addressed https://github.com/elastic/kibana/issues/191832\r\n\r\nWith these changes:\r\n- We revert to the\r\nhttps://github.com//issues/180407#issuecomment-2312891214.\r\nSpecifically, we return back the validation errors to the modal window.\r\nAn example of this modal is in the ticket description.\r\n- Additionally, on the Rule Editing page and **only for prebuilt rules**\r\nwe: 1) hide the callout that says \"You have an invalid input in this\r\ntab: ...\", and 2) we don't show the modal if there are any data\r\nvalidation errors. We shouldn't show this modal and this callout until\r\nwe release the prebuilt rule customization feature. 3) We will only\r\nvalidate the Actions tab.\r\n- Fix MKI flaky cypress tests introduced in\r\nhttps://github.com//pull/191487\r\n([1](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/b1f442af-db44-8029-a9fb-7e3d988303b3?branch=main),\r\n[2](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/995655b6-ae70-86fd-b483-c65846cd8d66?branch=main),\r\n[3](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/02318f5c-6ca1-8779-a5a4-60f52a55b344?branch=main)).\r\nAll three tests are failing due to missing\r\n`[data-test-subj=\"eqlRuleType\"]` element. After checking and comparing\r\nmy tests to other similar tests in the file, the only difference that\r\nI've found was extra `login();` call. Thus removing those.\r\n\r\nHere is the screen recording showing the new behaviour for prebuilt\r\nrules. The has missing data source query validation error, though we do\r\nnot show it and allow user just to save the rule. Only Actions tab is\r\nvalidated on rule save action.\r\n\r\n\r\nhttps://github.com/user-attachments/assets/ce968f51-1a53-41b2-ad06-1b31dec085a6\r\n\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [ ] [Flaky Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\r\nused on any tests changed\r\n* [Detection Engine -\r\nCypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6925)\r\n(100 ESS & 100 Serverless)\r\n* [Rule Management -\r\nCypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6926)\r\n(100 ESS & 100 Serverless)\r\n* [Prebuilt Rules -\r\nCypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6927)\r\n(100 ESS & 100 Serverless)","sha":"c937e95e3137821b510fa480ee28f0cf3afb85ad"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/192683","number":192683,"mergeCommit":{"message":"[Security Solution] Add validation error description on prebuilt rule editing (#191832) (#192683)\n\n## Summary\r\n\r\nPartially addressed https://github.com/elastic/kibana/issues/191832\r\n\r\nWith these changes:\r\n- We revert to the\r\nhttps://github.com//issues/180407#issuecomment-2312891214.\r\nSpecifically, we return back the validation errors to the modal window.\r\nAn example of this modal is in the ticket description.\r\n- Additionally, on the Rule Editing page and **only for prebuilt rules**\r\nwe: 1) hide the callout that says \"You have an invalid input in this\r\ntab: ...\", and 2) we don't show the modal if there are any data\r\nvalidation errors. We shouldn't show this modal and this callout until\r\nwe release the prebuilt rule customization feature. 3) We will only\r\nvalidate the Actions tab.\r\n- Fix MKI flaky cypress tests introduced in\r\nhttps://github.com//pull/191487\r\n([1](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/b1f442af-db44-8029-a9fb-7e3d988303b3?branch=main),\r\n[2](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/995655b6-ae70-86fd-b483-c65846cd8d66?branch=main),\r\n[3](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/02318f5c-6ca1-8779-a5a4-60f52a55b344?branch=main)).\r\nAll three tests are failing due to missing\r\n`[data-test-subj=\"eqlRuleType\"]` element. After checking and comparing\r\nmy tests to other similar tests in the file, the only difference that\r\nI've found was extra `login();` call. Thus removing those.\r\n\r\nHere is the screen recording showing the new behaviour for prebuilt\r\nrules. The has missing data source query validation error, though we do\r\nnot show it and allow user just to save the rule. Only Actions tab is\r\nvalidated on rule save action.\r\n\r\n\r\nhttps://github.com/user-attachments/assets/ce968f51-1a53-41b2-ad06-1b31dec085a6\r\n\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [ ] [Flaky Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\r\nused on any tests changed\r\n* [Detection Engine -\r\nCypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6925)\r\n(100 ESS & 100 Serverless)\r\n* [Rule Management -\r\nCypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6926)\r\n(100 ESS & 100 Serverless)\r\n* [Prebuilt Rules -\r\nCypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6927)\r\n(100 ESS & 100 Serverless)","sha":"c937e95e3137821b510fa480ee28f0cf3afb85ad"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Ievgen Sorokopud <[email protected]>
3 tasks
3 tasks
dplumlee
added a commit
that referenced
this pull request
Nov 13, 2024
…e Editing page (#199550) **Resolves: #180172 ## Summary > [!NOTE] > Feature is behind the `prebuiltRulesCustomizationEnabled` feature flag. Removes the logic gates preventing prebuilt rules from being edited via the Rule Edit page behind the `prebuiltRulesCustomizationEnabled` feature flag. This allows all rules types to be fully editable via the UI. Also removes the muting logic we had in place for `Definition` tab warnings ([implemented here](#191487)) ### Screenshots #### _Before_ **Prebuilt rule only has the "Actions" tab enabled, users cannot customize anything else in the form**  #### _After_ **Prebuilt rule now has all tabs/fields available for editing and rule info is populated into the form**  ### Checklist Delete any items that are not applicable to this PR. - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#_add_your_labels) - [ ] This will appear in the **Release Notes** and follow the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Elastic Machine <[email protected]>
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Nov 13, 2024
…e Editing page (elastic#199550) **Resolves: elastic#180172 ## Summary > [!NOTE] > Feature is behind the `prebuiltRulesCustomizationEnabled` feature flag. Removes the logic gates preventing prebuilt rules from being edited via the Rule Edit page behind the `prebuiltRulesCustomizationEnabled` feature flag. This allows all rules types to be fully editable via the UI. Also removes the muting logic we had in place for `Definition` tab warnings ([implemented here](elastic#191487)) ### Screenshots #### _Before_ **Prebuilt rule only has the "Actions" tab enabled, users cannot customize anything else in the form**  #### _After_ **Prebuilt rule now has all tabs/fields available for editing and rule info is populated into the form**  ### Checklist Delete any items that are not applicable to this PR. - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#_add_your_labels) - [ ] This will appear in the **Release Notes** and follow the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Elastic Machine <[email protected]> (cherry picked from commit d6e6145)
CAWilson94
pushed a commit
to CAWilson94/kibana
that referenced
this pull request
Nov 18, 2024
…e Editing page (elastic#199550) **Resolves: elastic#180172 ## Summary > [!NOTE] > Feature is behind the `prebuiltRulesCustomizationEnabled` feature flag. Removes the logic gates preventing prebuilt rules from being edited via the Rule Edit page behind the `prebuiltRulesCustomizationEnabled` feature flag. This allows all rules types to be fully editable via the UI. Also removes the muting logic we had in place for `Definition` tab warnings ([implemented here](elastic#191487)) ### Screenshots #### _Before_ **Prebuilt rule only has the "Actions" tab enabled, users cannot customize anything else in the form**  #### _After_ **Prebuilt rule now has all tabs/fields available for editing and rule info is populated into the form**  ### Checklist Delete any items that are not applicable to this PR. - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#_add_your_labels) - [ ] This will appear in the **Release Notes** and follow the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Elastic Machine <[email protected]>
CAWilson94
pushed a commit
to CAWilson94/kibana
that referenced
this pull request
Nov 18, 2024
…e Editing page (elastic#199550) **Resolves: elastic#180172 ## Summary > [!NOTE] > Feature is behind the `prebuiltRulesCustomizationEnabled` feature flag. Removes the logic gates preventing prebuilt rules from being edited via the Rule Edit page behind the `prebuiltRulesCustomizationEnabled` feature flag. This allows all rules types to be fully editable via the UI. Also removes the muting logic we had in place for `Definition` tab warnings ([implemented here](elastic#191487)) ### Screenshots #### _Before_ **Prebuilt rule only has the "Actions" tab enabled, users cannot customize anything else in the form**  #### _After_ **Prebuilt rule now has all tabs/fields available for editing and rule info is populated into the form**  ### Checklist Delete any items that are not applicable to this PR. - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#_add_your_labels) - [ ] This will appear in the **Release Notes** and follow the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Elastic Machine <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Addresses #180407
Addresses #178611
With these changes we allow user to create and update a rule even if there are certain query bar validation error exist. Right now, we will make any non-syntax validation errors in
EQLandES|QLrules types to be non-blocking during the rule creation and rule updating workflows.Screenshot of the EQL rule creation workflow with existing non-blocking validation errors:
Screen.Recording.2024-08-27.at.13.44.14.mov
Screenshot of the EQL rule updating workflow with existing non-blocking validation errors:
Screen.Recording.2024-08-27.at.13.46.19.mov
UPDATE
After discussing confirmation modal with @approksiu, we decided to simplify it and show only title with generic description to avoid too be too literal in the modal. User can see the full error description during rule creation/editing workflows in the query bar where we show each validation error as part of the query bar form item.
Some test cases for local testing
Create EQL rule with missing data source
Steps:
any where true)Expected: You will see the confirmation modal that warns user about potentially failing rule executions. Clicking
Confirmbutton will create a rule.Create EQL rule with missing data field
Steps:
any where agent.non_existing_field)Expected: You will see the confirmation modal that warns user about potentially failing rule executions. Clicking
Confirmbutton will create a rule.Create EQL rule with syntax error in the query
Steps:
hello world)Expected: The continue button does not allow user to proceed to the About step due to existing syntax error.
Create ES|QL rule with missing data source
Steps:
from non-existing-index-* metadata _id, _version, _index | SORT @timestamp)Expected: You will see the confirmation modal that warns user about potentially failing rule executions. Clicking
Confirmbutton will create a rule.Create ES|QL rule with missing data field
Steps:
from logs-* metadata _id, _version, _index | SORT agent.non_existing_field)Expected: You will see the confirmation modal that warns user about potentially failing rule executions. Clicking
Confirmbutton will create a rule.Create ES|QL rule with syntax error in the query
Steps:
hello world)Expected: The continue button does not allow user to proceed to the About step due to existing syntax error.
Same behaviour applies to the rule updating workflow. For example, you can try to install one of the EQL or ES|QL rules that point to non-existing data source or uses non-existing data field. User can still update (add rule actions) to such installed pre-built rules.
Checklist
Delete any items that are not applicable to this PR.