From 2c776f65c4d4cdb2cc5a832d04dbb7fa65047013 Mon Sep 17 00:00:00 2001
From: Nikita Indik <nikita.indik@elastic.co>
Date: Tue, 15 Oct 2024 16:12:35 +0200
Subject: [PATCH 1/6] Add `tags`

---
 .../final_edit/common_rule_field_edit.tsx     |  6 ++++-
 .../three_way_diff/final_edit/fields/name.tsx | 18 ++++++-------
 .../three_way_diff/final_edit/fields/tags.tsx | 25 +++++++++++++++++++
 .../final_readonly/fields/tags/tags.tsx       |  4 +++
 4 files changed, 41 insertions(+), 12 deletions(-)
 create mode 100644 x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/tags.tsx

diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/common_rule_field_edit.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/common_rule_field_edit.tsx
index 0cb7ce398286..51f54066ff6d 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/common_rule_field_edit.tsx
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/common_rule_field_edit.tsx
@@ -7,8 +7,10 @@
 
 import React from 'react';
 import { FieldFormWrapper } from './field_form_wrapper';
-import { NameEdit, nameSchema } from './fields/name';
 import type { UpgradeableCommonFields } from '../../../../model/prebuilt_rule_upgrade/fields';
+import { NameEdit, nameSchema } from './fields/name';
+import { TagsEdit, tagsSchema } from './fields/tags';
+
 interface CommonRuleFieldEditProps {
   fieldName: UpgradeableCommonFields;
 }
@@ -17,6 +19,8 @@ export function CommonRuleFieldEdit({ fieldName }: CommonRuleFieldEditProps) {
   switch (fieldName) {
     case 'name':
       return <FieldFormWrapper component={NameEdit} fieldFormSchema={nameSchema} />;
+    case 'tags':
+      return <FieldFormWrapper component={TagsEdit} fieldFormSchema={tagsSchema} />;
     default:
       return null; // Will be replaced with `assertUnreachable(fieldName)` once all fields are implemented
   }
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/name.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/name.tsx
index 10ae6cffbe50..d602da90f34b 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/name.tsx
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/name.tsx
@@ -13,16 +13,12 @@ import type { RuleName } from '../../../../../../../../common/api/detection_engi
 
 export const nameSchema = { name: schema.name } as FormSchema<{ name: RuleName }>;
 
+const componentProps = {
+  euiFieldProps: {
+    fullWidth: true,
+  },
+};
+
 export function NameEdit(): JSX.Element {
-  return (
-    <UseField
-      path="name"
-      component={Field}
-      componentProps={{
-        euiFieldProps: {
-          fullWidth: true,
-        },
-      }}
-    />
-  );
+  return <UseField path="name" component={Field} componentProps={componentProps} />;
 }
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/tags.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/tags.tsx
new file mode 100644
index 000000000000..063b7f4f48b8
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/tags.tsx
@@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import type { FormSchema } from '../../../../../../../shared_imports';
+import { Field, UseField } from '../../../../../../../shared_imports';
+import { schema } from '../../../../../../rule_creation_ui/components/step_about_rule/schema';
+import type { RuleTagArray } from '../../../../../../../../common/api/detection_engine';
+
+export const tagsSchema = { tags: schema.tags } as FormSchema<{ name: RuleTagArray }>;
+
+const componentProps = {
+  euiFieldProps: {
+    fullWidth: true,
+    placeholder: '',
+  },
+};
+
+export function TagsEdit(): JSX.Element {
+  return <UseField path="tags" component={Field} componentProps={componentProps} />;
+}
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/tags/tags.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/tags/tags.tsx
index dbb7928b5f22..452b6bf2d8b9 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/tags/tags.tsx
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/tags/tags.tsx
@@ -16,6 +16,10 @@ interface TagsReadOnlyProps {
 }
 
 export function TagsReadOnly({ tags }: TagsReadOnlyProps) {
+  if (tags.length === 0) {
+    return null;
+  }
+
   return (
     <EuiDescriptionList
       listItems={[

From d35ff651bdbaf78d97968023319557a020489dff Mon Sep 17 00:00:00 2001
From: Nikita Indik <nikita.indik@elastic.co>
Date: Tue, 15 Oct 2024 16:27:10 +0200
Subject: [PATCH 2/6] Add `description`

---
 .../final_edit/common_rule_field_edit.tsx     |  3 +++
 .../final_edit/fields/description.tsx         | 27 +++++++++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/description.tsx

diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/common_rule_field_edit.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/common_rule_field_edit.tsx
index 51f54066ff6d..f5a093cd5caf 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/common_rule_field_edit.tsx
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/common_rule_field_edit.tsx
@@ -8,6 +8,7 @@
 import React from 'react';
 import { FieldFormWrapper } from './field_form_wrapper';
 import type { UpgradeableCommonFields } from '../../../../model/prebuilt_rule_upgrade/fields';
+import { DescriptionEdit, descriptionSchema } from './fields/description';
 import { NameEdit, nameSchema } from './fields/name';
 import { TagsEdit, tagsSchema } from './fields/tags';
 
@@ -17,6 +18,8 @@ interface CommonRuleFieldEditProps {
 
 export function CommonRuleFieldEdit({ fieldName }: CommonRuleFieldEditProps) {
   switch (fieldName) {
+    case 'description':
+      return <FieldFormWrapper component={DescriptionEdit} fieldFormSchema={descriptionSchema} />;
     case 'name':
       return <FieldFormWrapper component={NameEdit} fieldFormSchema={nameSchema} />;
     case 'tags':
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/description.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/description.tsx
new file mode 100644
index 000000000000..c2d279c0d72e
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/description.tsx
@@ -0,0 +1,27 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import type { FormSchema } from '../../../../../../../shared_imports';
+import { Field, UseField } from '../../../../../../../shared_imports';
+import { schema } from '../../../../../../rule_creation_ui/components/step_about_rule/schema';
+import type { RuleDescription } from '../../../../../../../../common/api/detection_engine';
+
+export const descriptionSchema = { description: schema.description } as FormSchema<{
+  description: RuleDescription;
+}>;
+
+const componentProps = {
+  euiFieldProps: {
+    fullWidth: true,
+    compressed: true,
+  },
+};
+
+export function DescriptionEdit(): JSX.Element {
+  return <UseField path="description" component={Field} componentProps={componentProps} />;
+}

From 783a27eedf428c898571b6a8468f84abb186e232 Mon Sep 17 00:00:00 2001
From: Nikita Indik <nikita.indik@elastic.co>
Date: Wed, 16 Oct 2024 13:55:36 +0200
Subject: [PATCH 3/6] Add `references`

---
 .../final_edit/common_rule_field_edit.tsx     |  9 +++++
 .../final_edit/fields/references.tsx          | 38 +++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/references.tsx

diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/common_rule_field_edit.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/common_rule_field_edit.tsx
index f5a093cd5caf..a69f31f42c24 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/common_rule_field_edit.tsx
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/common_rule_field_edit.tsx
@@ -11,6 +11,7 @@ import type { UpgradeableCommonFields } from '../../../../model/prebuilt_rule_up
 import { DescriptionEdit, descriptionSchema } from './fields/description';
 import { NameEdit, nameSchema } from './fields/name';
 import { TagsEdit, tagsSchema } from './fields/tags';
+import { ReferencesEdit, referencesSchema, referencesSerializer } from './fields/references';
 
 interface CommonRuleFieldEditProps {
   fieldName: UpgradeableCommonFields;
@@ -22,6 +23,14 @@ export function CommonRuleFieldEdit({ fieldName }: CommonRuleFieldEditProps) {
       return <FieldFormWrapper component={DescriptionEdit} fieldFormSchema={descriptionSchema} />;
     case 'name':
       return <FieldFormWrapper component={NameEdit} fieldFormSchema={nameSchema} />;
+    case 'references':
+      return (
+        <FieldFormWrapper
+          component={ReferencesEdit}
+          fieldFormSchema={referencesSchema}
+          serializer={referencesSerializer}
+        />
+      );
     case 'tags':
       return <FieldFormWrapper component={TagsEdit} fieldFormSchema={tagsSchema} />;
     default:
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/references.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/references.tsx
new file mode 100644
index 000000000000..afa4fba09d89
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/references.tsx
@@ -0,0 +1,38 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import { compact } from 'lodash';
+import * as i18n from '../../../../../../rule_creation_ui/components/step_about_rule/translations';
+import type { FormSchema, FormData } from '../../../../../../../shared_imports';
+import { UseField } from '../../../../../../../shared_imports';
+import { schema } from '../../../../../../rule_creation_ui/components/step_about_rule/schema';
+import type { RuleReferenceArray } from '../../../../../../../../common/api/detection_engine';
+import { AddItem } from '../../../../../../rule_creation_ui/components/add_item_form';
+import { isUrlInvalid } from '../../../../../../../common/utils/validators';
+
+export const referencesSchema = { references: schema.references } as FormSchema<{
+  references: RuleReferenceArray;
+}>;
+
+const componentProps = {
+  addText: i18n.ADD_REFERENCE,
+  validate: isUrlInvalid,
+};
+
+export function ReferencesEdit(): JSX.Element {
+  return <UseField path="references" component={AddItem} componentProps={componentProps} />;
+}
+
+export function referencesSerializer(formData: FormData): {
+  references: RuleReferenceArray;
+} {
+  return {
+    /* Remove empty items from the references array */
+    references: compact(formData.references),
+  };
+}

From 96bee4f5d82a91a71067dca56c001017bac77f21 Mon Sep 17 00:00:00 2001
From: Nikita Indik <nikita.indik@elastic.co>
Date: Wed, 16 Oct 2024 13:55:55 +0200
Subject: [PATCH 4/6] Add `false_positives`

---
 .../final_edit/common_rule_field_edit.tsx     | 15 +++++++
 .../final_edit/fields/false_positives.tsx     | 43 +++++++++++++++++++
 2 files changed, 58 insertions(+)
 create mode 100644 x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/false_positives.tsx

diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/common_rule_field_edit.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/common_rule_field_edit.tsx
index a69f31f42c24..ef07aad10dd3 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/common_rule_field_edit.tsx
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/common_rule_field_edit.tsx
@@ -12,6 +12,12 @@ import { DescriptionEdit, descriptionSchema } from './fields/description';
 import { NameEdit, nameSchema } from './fields/name';
 import { TagsEdit, tagsSchema } from './fields/tags';
 import { ReferencesEdit, referencesSchema, referencesSerializer } from './fields/references';
+import {
+  FalsePositivesEdit,
+  falsePositivesSchema,
+  falsePositivesSerializer,
+  falsePositivesDeserializer,
+} from './fields/false_positives';
 
 interface CommonRuleFieldEditProps {
   fieldName: UpgradeableCommonFields;
@@ -21,6 +27,15 @@ export function CommonRuleFieldEdit({ fieldName }: CommonRuleFieldEditProps) {
   switch (fieldName) {
     case 'description':
       return <FieldFormWrapper component={DescriptionEdit} fieldFormSchema={descriptionSchema} />;
+    case 'false_positives':
+      return (
+        <FieldFormWrapper
+          component={FalsePositivesEdit}
+          fieldFormSchema={falsePositivesSchema}
+          serializer={falsePositivesSerializer}
+          deserializer={falsePositivesDeserializer}
+        />
+      );
     case 'name':
       return <FieldFormWrapper component={NameEdit} fieldFormSchema={nameSchema} />;
     case 'references':
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/false_positives.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/false_positives.tsx
new file mode 100644
index 000000000000..25f38e03dfa8
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/false_positives.tsx
@@ -0,0 +1,43 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import { compact } from 'lodash';
+import * as i18n from '../../../../../../rule_creation_ui/components/step_about_rule/translations';
+import type { FormSchema, FormData } from '../../../../../../../shared_imports';
+import { UseField } from '../../../../../../../shared_imports';
+import { schema } from '../../../../../../rule_creation_ui/components/step_about_rule/schema';
+import type { RuleFalsePositiveArray } from '../../../../../../../../common/api/detection_engine';
+import { AddItem } from '../../../../../../rule_creation_ui/components/add_item_form';
+
+export const falsePositivesSchema = { falsePositives: schema.falsePositives } as FormSchema<{
+  falsePositives: RuleFalsePositiveArray;
+}>;
+
+const componentProps = {
+  addText: i18n.ADD_FALSE_POSITIVE,
+};
+
+export function FalsePositivesEdit(): JSX.Element {
+  return <UseField path="falsePositives" component={AddItem} componentProps={componentProps} />;
+}
+
+export function falsePositivesDeserializer(defaultValue: FormData) {
+  /* Set initial form value with camelCase "falsePositives" key instead of "false_positives" */
+  return {
+    falsePositives: defaultValue,
+  };
+}
+
+export function falsePositivesSerializer(formData: FormData): {
+  false_positives: RuleFalsePositiveArray;
+} {
+  return {
+    /* Remove empty items from the falsePositives array */
+    false_positives: compact(formData.falsePositives),
+  };
+}

From cfacec35326fe07493ecf5cb3ea648a181be728c Mon Sep 17 00:00:00 2001
From: Nikita Indik <nikita.indik@elastic.co>
Date: Wed, 16 Oct 2024 17:28:03 +0200
Subject: [PATCH 5/6] Add `investigation_fields`

---
 .../final_edit/common_rule_field_edit.tsx     | 21 ++++-
 .../fields/investigation_fields.tsx           | 83 +++++++++++++++++++
 .../final_edit/fields/kql_query.tsx           | 34 +-------
 .../three_way_diff/final_edit/utils.ts        | 41 +++++++++
 .../false_positives/false_positives.tsx       |  4 +
 .../fields/references/references.tsx          |  4 +
 6 files changed, 151 insertions(+), 36 deletions(-)
 create mode 100644 x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/investigation_fields.tsx
 create mode 100644 x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/utils.ts

diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/common_rule_field_edit.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/common_rule_field_edit.tsx
index ef07aad10dd3..95987bdf19b6 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/common_rule_field_edit.tsx
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/common_rule_field_edit.tsx
@@ -9,15 +9,21 @@ import React from 'react';
 import { FieldFormWrapper } from './field_form_wrapper';
 import type { UpgradeableCommonFields } from '../../../../model/prebuilt_rule_upgrade/fields';
 import { DescriptionEdit, descriptionSchema } from './fields/description';
-import { NameEdit, nameSchema } from './fields/name';
-import { TagsEdit, tagsSchema } from './fields/tags';
-import { ReferencesEdit, referencesSchema, referencesSerializer } from './fields/references';
 import {
   FalsePositivesEdit,
   falsePositivesSchema,
   falsePositivesSerializer,
   falsePositivesDeserializer,
 } from './fields/false_positives';
+import {
+  InvestigationFieldsEdit,
+  investigationFieldsSchema,
+  investigationFieldsDeserializer,
+  investigationFieldsSerializer,
+} from './fields/investigation_fields';
+import { NameEdit, nameSchema } from './fields/name';
+import { ReferencesEdit, referencesSchema, referencesSerializer } from './fields/references';
+import { TagsEdit, tagsSchema } from './fields/tags';
 
 interface CommonRuleFieldEditProps {
   fieldName: UpgradeableCommonFields;
@@ -36,6 +42,15 @@ export function CommonRuleFieldEdit({ fieldName }: CommonRuleFieldEditProps) {
           deserializer={falsePositivesDeserializer}
         />
       );
+    case 'investigation_fields':
+      return (
+        <FieldFormWrapper
+          component={InvestigationFieldsEdit}
+          fieldFormSchema={investigationFieldsSchema}
+          serializer={investigationFieldsSerializer}
+          deserializer={investigationFieldsDeserializer}
+        />
+      );
     case 'name':
       return <FieldFormWrapper component={NameEdit} fieldFormSchema={nameSchema} />;
     case 'references':
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/investigation_fields.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/investigation_fields.tsx
new file mode 100644
index 000000000000..39c0c75d965a
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/investigation_fields.tsx
@@ -0,0 +1,83 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import type { FormSchema, FormData } from '../../../../../../../shared_imports';
+import { UseField } from '../../../../../../../shared_imports';
+import { schema } from '../../../../../../rule_creation_ui/components/step_about_rule/schema';
+import type {
+  DiffableRule,
+  InvestigationFields,
+  RuleFalsePositiveArray,
+} from '../../../../../../../../common/api/detection_engine';
+import { MultiSelectFieldsAutocomplete } from '../../../../../../rule_creation_ui/components/multi_select_fields';
+import { useAllEsqlRuleFields } from '../../../../../../rule_creation_ui/hooks';
+import { useDefaultIndexPattern } from '../../../use_default_index_pattern';
+import { useRuleIndexPattern } from '../../../../../../rule_creation_ui/pages/form';
+import { getUseRuleIndexPatternParameters } from '../utils';
+
+export const investigationFieldsSchema = {
+  investigationFields: schema.investigationFields,
+} as FormSchema<{
+  investigationFields: RuleFalsePositiveArray;
+}>;
+
+interface InvestigationFieldsEditProps {
+  finalDiffableRule: DiffableRule;
+}
+
+export function InvestigationFieldsEdit({
+  finalDiffableRule,
+}: InvestigationFieldsEditProps): JSX.Element {
+  const { type } = finalDiffableRule;
+
+  const defaultIndexPattern = useDefaultIndexPattern();
+  const indexPatternParameters = getUseRuleIndexPatternParameters(
+    finalDiffableRule,
+    defaultIndexPattern
+  );
+  const { indexPattern, isIndexPatternLoading } = useRuleIndexPattern(indexPatternParameters);
+
+  const { fields: investigationFields, isLoading: isInvestigationFieldsLoading } =
+    useAllEsqlRuleFields({
+      esqlQuery: type === 'esql' ? finalDiffableRule.esql_query.query : undefined,
+      indexPatternsFields: indexPattern.fields,
+    });
+
+  return (
+    <UseField
+      path="investigationFields"
+      component={MultiSelectFieldsAutocomplete}
+      componentProps={{
+        browserFields: investigationFields,
+        isDisabled: isIndexPatternLoading || isInvestigationFieldsLoading,
+        fullWidth: true,
+      }}
+    />
+  );
+}
+
+export function investigationFieldsDeserializer(defaultValue: FormData) {
+  /* Set initial form value with camelCase "investigationFields" key instead of "investigation_fields" */
+  return {
+    investigationFields: defaultValue?.field_names ?? [],
+  };
+}
+
+export function investigationFieldsSerializer(formData: FormData): {
+  investigation_fields: InvestigationFields | undefined;
+} {
+  const hasInvestigationFields = formData.investigationFields.length > 0;
+
+  return {
+    investigation_fields: hasInvestigationFields
+      ? {
+          field_names: formData.investigationFields,
+        }
+      : undefined,
+  };
+}
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/kql_query.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/kql_query.tsx
index 69a00436b699..c644dbdc74dc 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/kql_query.tsx
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/kql_query.tsx
@@ -18,7 +18,6 @@ import type { FieldValueQueryBar } from '../../../../../../rule_creation_ui/comp
 import * as stepDefineRuleI18n from '../../../../../../rule_creation_ui/components/step_define_rule/translations';
 import { useRuleIndexPattern } from '../../../../../../rule_creation_ui/pages/form';
 import {
-  DataSourceType as DataSourceTypeSnakeCase,
   KqlQueryLanguage,
   KqlQueryType,
   RuleQuery,
@@ -32,11 +31,11 @@ import type {
   SavedKqlQuery,
 } from '../../../../../../../../common/api/detection_engine';
 import { useDefaultIndexPattern } from '../../../use_default_index_pattern';
-import { DataSourceType } from '../../../../../../../detections/pages/detection_engine/rules/types';
 import { isFilters } from '../../../helpers';
 import type { SetRuleQuery } from '../../../../../../../detections/containers/detection_engine/rules/use_rule_from_timeline';
 import { useRuleFromTimeline } from '../../../../../../../detections/containers/detection_engine/rules/use_rule_from_timeline';
 import { useGetSavedQuery } from '../../../../../../../detections/pages/detection_engine/rules/use_get_saved_query';
+import { getUseRuleIndexPatternParameters } from '../utils';
 
 export const kqlQuerySchema = {
   ruleType: schema.ruleType,
@@ -199,37 +198,6 @@ export function kqlQueryDeserializer(
   return returnValue;
 }
 
-interface UseRuleIndexPatternParameters {
-  dataSourceType: DataSourceType;
-  index: string[];
-  dataViewId: string | undefined;
-}
-
-function getUseRuleIndexPatternParameters(
-  finalDiffableRule: DiffableRule,
-  defaultIndexPattern: string[]
-): UseRuleIndexPatternParameters {
-  if (!('data_source' in finalDiffableRule) || !finalDiffableRule.data_source) {
-    return {
-      dataSourceType: DataSourceType.IndexPatterns,
-      index: defaultIndexPattern,
-      dataViewId: undefined,
-    };
-  }
-  if (finalDiffableRule.data_source.type === DataSourceTypeSnakeCase.data_view) {
-    return {
-      dataSourceType: DataSourceType.DataView,
-      index: [],
-      dataViewId: finalDiffableRule.data_source.data_view_id,
-    };
-  }
-  return {
-    dataSourceType: DataSourceType.IndexPatterns,
-    index: finalDiffableRule.data_source.index_patterns,
-    dataViewId: undefined,
-  };
-}
-
 function getSavedQueryId(diffableRule: DiffableRule): string | undefined {
   if (diffableRule.type === 'saved_query' && 'saved_query_id' in diffableRule.kql_query) {
     return diffableRule.kql_query.saved_query_id;
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/utils.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/utils.ts
new file mode 100644
index 000000000000..bd78bb5e9ed2
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/utils.ts
@@ -0,0 +1,41 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { DataSourceType } from '../../../../../../detections/pages/detection_engine/rules/types';
+import { DataSourceType as DataSourceTypeSnakeCase } from '../../../../../../../common/api/detection_engine';
+import type { DiffableRule } from '../../../../../../../common/api/detection_engine';
+
+interface UseRuleIndexPatternParameters {
+  dataSourceType: DataSourceType;
+  index: string[];
+  dataViewId: string | undefined;
+}
+
+export function getUseRuleIndexPatternParameters(
+  finalDiffableRule: DiffableRule,
+  defaultIndexPattern: string[]
+): UseRuleIndexPatternParameters {
+  if (!('data_source' in finalDiffableRule) || !finalDiffableRule.data_source) {
+    return {
+      dataSourceType: DataSourceType.IndexPatterns,
+      index: defaultIndexPattern,
+      dataViewId: undefined,
+    };
+  }
+  if (finalDiffableRule.data_source.type === DataSourceTypeSnakeCase.data_view) {
+    return {
+      dataSourceType: DataSourceType.DataView,
+      index: [],
+      dataViewId: finalDiffableRule.data_source.data_view_id,
+    };
+  }
+  return {
+    dataSourceType: DataSourceType.IndexPatterns,
+    index: finalDiffableRule.data_source.index_patterns,
+    dataViewId: undefined,
+  };
+}
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/false_positives/false_positives.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/false_positives/false_positives.tsx
index f026609b6c85..7480af5dff4c 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/false_positives/false_positives.tsx
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/false_positives/false_positives.tsx
@@ -16,6 +16,10 @@ interface FalsePositivesReadOnlyProps {
 }
 
 export function FalsePositivesReadOnly({ falsePositives }: FalsePositivesReadOnlyProps) {
+  if (falsePositives.length === 0) {
+    return null;
+  }
+
   return (
     <EuiDescriptionList
       listItems={[
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/references/references.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/references/references.tsx
index c98c5a53bb2e..d9bb50dcaeb0 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/references/references.tsx
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/references/references.tsx
@@ -16,6 +16,10 @@ interface ReferencesReadOnlyProps {
 }
 
 export function ReferencesReadOnly({ references }: ReferencesReadOnlyProps) {
+  if (references.length === 0) {
+    return null;
+  }
+
   return (
     <EuiDescriptionList
       listItems={[

From 17a58df4daf4405c75179622e3310004f124ec54 Mon Sep 17 00:00:00 2001
From: Nikita Indik <nikita.indik@elastic.co>
Date: Thu, 17 Oct 2024 14:58:18 +0200
Subject: [PATCH 6/6] Fix a typo

---
 .../rule_details/three_way_diff/final_edit/fields/tags.tsx      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/tags.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/tags.tsx
index 063b7f4f48b8..78d712949888 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/tags.tsx
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/tags.tsx
@@ -11,7 +11,7 @@ import { Field, UseField } from '../../../../../../../shared_imports';
 import { schema } from '../../../../../../rule_creation_ui/components/step_about_rule/schema';
 import type { RuleTagArray } from '../../../../../../../../common/api/detection_engine';
 
-export const tagsSchema = { tags: schema.tags } as FormSchema<{ name: RuleTagArray }>;
+export const tagsSchema = { tags: schema.tags } as FormSchema<{ tags: RuleTagArray }>;
 
 const componentProps = {
   euiFieldProps: {