From 006b6a7897df9eb6f4062d60c84171169405980c Mon Sep 17 00:00:00 2001 From: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com> Date: Wed, 9 Oct 2024 15:56:42 +0100 Subject: [PATCH] [Security Solution][Detection Engine] fixes showing all the fields for all indices when trying to edit filters in a rule (#194678) ## Summary - addresses https://github.com/elastic/kibana/issues/179468 - fixes issue when rule configured with Data view **Steps to reproduce:** 1. Create a minimal new index and corresponding data view ```JSON PUT fields_index PUT fields_index/_mapping { "properties": { "@timestamp": { "type": "date" }, "field-1": { "type": "keyword" }, "field-2": { "type": "keyword" }, "field-3": { "type": "keyword" } } } POST fields_index/_doc { "@timestamp": "2024-10-01T09:26:30.425Z", "field-1": "test-0" } ``` 2. Create a security rule with that data view 3. Edit the rule and try to add a filter 4. Fields for all indices show up instead of the fields from the rule index 5. Switching to indices and back to data view on rule form fixes issue
video with the bug https://github.com/user-attachments/assets/fc83356d-d727-4662-856e-a4f0b386b71f
### Additional benefit of fixing the issue. Previously, there would be 2 additional field_caps requests, querying ALL indices in ES, when rule edit page loads and rule configured with data view. ``` http://localhost:5601/kbn/internal/data_views/fields?pattern=&meta_fields=_source&meta_fields=_id&meta_fields=_index&meta_fields=_score&meta_fields=_ignored&allow_no_index=true&apiVersion=1 ``` Notice, there is `pattern=` query value, which results in querying all existing indices Now, these requests eliminated. #### Before Screenshot 2024-10-02 at 18 21 04 #### After Screenshot 2024-10-02 at 18 22 41 (cherry picked from commit 5a71d8445de185a7b6a73163a123b6a448f63f90) --- .../public/common/components/query_bar/index.tsx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/x-pack/plugins/security_solution/public/common/components/query_bar/index.tsx b/x-pack/plugins/security_solution/public/common/components/query_bar/index.tsx index 039860093e423..793ca853598b3 100644 --- a/x-pack/plugins/security_solution/public/common/components/query_bar/index.tsx +++ b/x-pack/plugins/security_solution/public/common/components/query_bar/index.tsx @@ -5,7 +5,7 @@ * 2.0. */ -import { cloneDeep } from 'lodash'; +import { cloneDeep, isEmpty } from 'lodash'; import React, { memo, useMemo, useCallback, useState, useEffect } from 'react'; import deepEqual from 'fast-deep-equal'; @@ -125,7 +125,7 @@ export const QueryBar = memo( let dv: DataView; if (isDataView(indexPattern)) { setDataView(indexPattern); - } else if (!isEsql) { + } else if (!isEsql && !isEmpty(indexPattern.title)) { const createDataView = async () => { dv = await data.dataViews.create({ id: indexPattern.title, title: indexPattern.title }); setDataView(dv);