Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Security Solution][Detection Engine] fixes showing all the fields fo…
…r all indices when trying to edit filters in a rule (elastic#194678) ## Summary - addresses elastic#179468 - fixes issue when rule configured with Data view **Steps to reproduce:** 1. Create a minimal new index and corresponding data view ```JSON PUT fields_index PUT fields_index/_mapping { "properties": { "@timestamp": { "type": "date" }, "field-1": { "type": "keyword" }, "field-2": { "type": "keyword" }, "field-3": { "type": "keyword" } } } POST fields_index/_doc { "@timestamp": "2024-10-01T09:26:30.425Z", "field-1": "test-0" } ``` 2. Create a security rule with that data view 3. Edit the rule and try to add a filter 4. Fields for all indices show up instead of the fields from the rule index 5. Switching to indices and back to data view on rule form fixes issue <details> <summary>video with the bug</summary> https://github.com/user-attachments/assets/fc83356d-d727-4662-856e-a4f0b386b71f </details> ### Additional benefit of fixing the issue. Previously, there would be 2 additional field_caps requests, querying ALL indices in ES, when rule edit page loads and rule configured with data view. ``` http://localhost:5601/kbn/internal/data_views/fields?pattern=&meta_fields=_source&meta_fields=_id&meta_fields=_index&meta_fields=_score&meta_fields=_ignored&allow_no_index=true&apiVersion=1 ``` Notice, there is `pattern=` query value, which results in querying all existing indices Now, these requests eliminated. #### Before <img width="2551" alt="Screenshot 2024-10-02 at 18 21 04" src="https://github.com/user-attachments/assets/aa2b6acb-897d-488f-9ddd-409379c6b54a"> #### After <img width="2557" alt="Screenshot 2024-10-02 at 18 22 41" src="https://github.com/user-attachments/assets/baeeecda-bf16-4d37-ae07-3cdc136d18b4"> (cherry picked from commit 5a71d84)
- Loading branch information