[Security Solution] Add Threat Match rule specific editable fields

[maximpn]

Partially addresses: #171520

Summary

This PR adds is built on top of #193828 and #196948 and adds the following editable components for Threat Match rule type

• threat_index
• threat_query
• threat_mapping
• threat_indicator_path
• threat_language threat_language was merged with threat_query

Details

This PR make a set of changes to make existing Threat Match form fields easily reusable as editable components and type safe when used in forms. In particular the following was done

• Fixes a bug blocking Threat Match rules upgrading
• Existing functionality was refactored to have reusable self-contained editable components for threat_index, threat_query, threat_mapping and threat_indicator_path rule fields
• threat_language was removed since query type is included in threat_query field and can be edited with Query Bar
• threat mapping input was split into separate component for individual fields to be reused
• ThreatMatchComponent was refactored to be a controlled component instead of uncontrolled
  ThreatMatchComponent has a feature preventing users removing the single last entry. Instead deleting the last entry the delete button clears inputs. That functionality didn't work properly in Prebuilt Rule Customization workflow and rule creation/editing forms after creating a reusable ThreatMappingEdit component. Instead of trying to find a tricky fix ThreatMatchComponent was refactored to remove internal state. The feature preventing users removing the single last entry was reimplemented in ThreatMappingEdit component.
• Fixes a bug reproducible in main where validation errors duplicated described in a comment
• Fixes a bug reproducible in main allowing to save unknown source indices or indicator indices fields described in a comment

How to test

• Ensure the prebuiltRulesCustomizationEnabled feature flag is enabled
• Allow internal APIs via adding server.restrictInternalApis: false to kibana.dev.yaml
• Clear Elasticsearch data
• Run Elasticsearch and Kibana locally (do not open Kibana in a web browser)
• Install an outdated version of the security_detection_engine Fleet package

curl -X POST --user elastic:changeme  -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1

• Install prebuilt rules

curl -X POST --user elastic:changeme  -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform

• Open a threat_match rule for editing. For example Threat Intel Hash Indicator Match with rule_id aab184d3-72b3-4639-b242-6597c99d8bca.

• Edit Indicator index patterns, Indicator index query and/or Indicator filters, Indicator mapping and Indicator prefix override fields

• Open Detection Rules (SIEM) Page -> Rule Updates -> click on Threat Intel Hash Indicator Match rule -> expand each Threat Match rule type specific field -> press Edit button

Screenshots

Threat Match Query edit component

Threat Match Index edit component

Threat Match Mapping edit component

Threat Match Indicator Path edit component

Threat Match Mapping unknown field names validation warnings

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

[vitaliidm]

I have found few issues and left some comments, mostly questions and suggestions.
Will continue testing

[xcrzx]

I don’t have any changes in the filters field, but the diff shows some empty meta.alias fields that it thinks should be removed:

What is the meta field, and should it even be part of the diff calculation?

cc @dplumlee This seems similar to the issue we recently had with the schedule and threat fields.

[xcrzx]

The incorrect final field version has been selected. I have modifications to the field, so in this case, we should pre-select the current version and preserve all user modifications instead of removing them.

[maximpn]

This part looks sub-optimal but it's the best I was able to make to re-run threat match mapping validation upon index pattern changes. An alternative is using formData in validation to read index patterns/data source, transform them to data view asynchronously and then validate fields against known fields. Alternative's drawback is difficulty to reuse it in rule upgrade workflow.

Any bright ideas are welcome.

[vitaliidm]

some of the comments still not addressed: #200308 (comment)

[vitaliidm]

some of the comments still not addressed: #200308 (comment)

[vitaliidm]

There are few minor comments and mostly discussion over #200308 (comment)
I would like to be addressed before merge

About
#200308 (comment)
I think the proper solution should involve async validation.
At the same time, in alternative approach, are multiple requests to get index fields sent? (from created data view in validator and data views from parent component)
They might be very heavy, so ideally if we want to do them once.

[vitaliidm]

we should use plurals instead of field(s)

[vitaliidm]

we should use plurals instead of field(s)

[vitaliidm]

we should use plurals instead of field(s)

[elasticmachine]

💔 Build Failed

• Buildkite Build
• Commit: 3cd7d30

Failed CI Steps

• Check Types

History

• 💚 Build #262212 succeeded 5ed85f5
• 💛 Build #262077 was flaky 1ab0f3c
• 💔 Build #261886 failed 6d84844
• 💔 Build #261868 failed 243d1e7
• 💔 Build #261786 failed b7db6d8

cc @maximpn