[Security Solution] [Detections] EQL rule cannot be created

[MadameSheema]

Kibana version:

• 7.10.0 BC1

Elasticsearch version:

• 7.10.0 BC1

Describe the bug:
EQL rule cannot be created because of a problem with the validator.

Steps to reproduce:

1. Navigate to Security > Detections
2. Click on Manage detection rules
3. Click on Create new rule
4. Select "Event Correlation"
5. Enter a valid EQL query, i.e. process where process.name == "smss.exe"

Current behaviour:

Expected behavior:

• No error is displayed
• The rule can be created

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[rylnd]

This is caused by the behavior described in elastic/elasticsearch#63295. While we were previously able to use allow_no_indices=true as a workaround, elastic/elasticsearch#63192 made the use of this option invalid.

[rylnd]

elastic/elasticsearch#63573 should be the fix, here, with no modifications necessary on the kibana side. However, it looks like that was not backported to the 7.10 branch, so I've opened that backport here: elastic/elasticsearch#63645

[rylnd]

elastic/elasticsearch#63645 has been merged, and I've got #80440 ready in anticipation of the next ES snapshot. This should be fixed in the upcoming BC2, and on master whenever the snapshot is released.

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security Solution)

[rylnd]

I've verified this fix in BC2; labeling this as such and assigning to @MadameSheema for verification/closure. However, another bug prevents a majority of rule executions from succeeding, and is tracked in #80924.

[ghost]

Bug Conversion:

Updated 01 Test-Case for this Ticket

• https://elastic.testrail.io/index.php?/cases/view/35129

Thanks