From 96e07905741386e6c619be99d3b2341cbb870d54 Mon Sep 17 00:00:00 2001
From: Vitalii Dmyterko
Date: Fri, 6 Oct 2023 11:18:42 +0100
Subject: [PATCH 01/13] esql popover
---
 .../components/esql_info_icon/translations.ts | 11 +++++++----
 .../components/rules/select_rule_type/translations.ts | 3 ++-
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/translations.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/translations.ts
index db5f8ea86ce63..6413d15fdd5aa 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/translations.ts
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/translations.ts
@@ -19,8 +19,11 @@ export const getTooltipContent = (statsByLink: string, startUsingEsqlLink: strin
 'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.esqlInfoTooltipContent',
 {
 defaultMessage: `
-### Aggregating rule
-Is a rule that uses {statsByLink} grouping commands. So, its result can not be matched with a particular document in ES.
+
+The Elasticsearch Query Language (ES|QL) is a query language that enables the iterative exploration of data. Check out our {startUsingEsqlLink} to get started using ES|QL rules in Security. Or, continue reading below to learn more about common ES|QL Security queries.
+
+### Aggregating query
+Is a query that uses {statsByLink} grouping commands. So, its result can not be matched with a particular document in ES.
 \`\`\`
 FROM logs*
 | STATS count = COUNT(host.name) BY host.name
@@ -28,7 +31,7 @@ FROM logs*
 \`\`\`
-### Non-aggregating rule
+### Search for events (non-aggregating query)
 Is a rule that does not use {statsByLink} grouping commands. Hence, each row in result can be tracked to a source document in ES. For this type of rule,
 please use operator \`[metadata _id, _index, _version]\` after defining index source. This would allow deduplicate alerts and link them with the source document.
@@ -45,7 +48,7 @@ Please, ensure, metadata properties \`id\`, \`_index\`, \`_version\` are carried
 values: {
 statsByLink: `[STATS..BY](${statsByLink})`,
 // Docs team will provide actual link to a new page before release
- // startUsingEsqlLink: `[WIP: Get started using ES|QL rules](${startUsingEsqlLink})`,
+ startUsingEsqlLink: `[documentation](${startUsingEsqlLink})`,
 },
 }
 );
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/translations.ts b/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/translations.ts
index cfd62ff3d57da..f3e60463a4aaf 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/translations.ts
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/translations.ts
@@ -32,7 +32,8 @@ export const ESQL_TYPE_TITLE = i18n.translate(
 export const ESQL_TYPE_DESCRIPTION = i18n.translate(
 'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.ruleTypeField.esqlTypeDescription',
 {
- defaultMessage: 'Use The Elasticsearch Query Language (ES|QL) to search or aggregate events',
+ defaultMessage:
+ 'Use The Elasticsearch Query Language (ES|QL) to search for or aggregate events.',
 }
 );
From f94026a3fbe00ec55ad8e3a15f2fc736121b8063 Mon Sep 17 00:00:00 2001
From: Vitalii Dmyterko
Date: Thu, 12 Oct 2023 12:18:43 +0100
Subject: [PATCH 02/13] update popover
---
 packages/kbn-doc-links/src/get_doc_links.ts | 1 +
 packages/kbn-doc-links/src/types.ts | 1 +
 .../components/esql_info_icon/index.tsx | 11 ++----
 .../components/esql_info_icon/translations.ts | 34 ++-----------------
 .../rule_creation/logic/translations.ts | 2 +-
 .../rules/select_rule_type/translations.ts | 2 +-
 6 files changed, 9 insertions(+), 42 deletions(-)
diff --git a/packages/kbn-doc-links/src/get_doc_links.ts b/packages/kbn-doc-links/src/get_doc_links.ts
index a0670dc657056..99e895316bd6a 100644
--- a/packages/kbn-doc-links/src/get_doc_links.ts
+++ b/packages/kbn-doc-links/src/get_doc_links.ts
@@ -457,6 +457,7 @@ export const getDocLinks = ({ kibanaBranch }: GetDocLinkOptions): DocLinks => {
 },
 privileges: `${SECURITY_SOLUTION_DOCS}endpoint-management-req.html`,
 manageDetectionRules: `${SECURITY_SOLUTION_DOCS}rules-ui-management.html`,
+ createEsqlRuleType: `${SECURITY_SOLUTION_DOCS}rules-ui-create.html#create-esql-rule`,
 },
 query: {
 eql: `${ELASTICSEARCH_DOCS}eql.html`,
diff --git a/packages/kbn-doc-links/src/types.ts b/packages/kbn-doc-links/src/types.ts
index 7a61d9f3dd30e..83854810454b3 100644
--- a/packages/kbn-doc-links/src/types.ts
+++ b/packages/kbn-doc-links/src/types.ts
@@ -348,6 +348,7 @@ export interface DocLinks {
 };
 readonly privileges: string;
 readonly manageDetectionRules: string;
+ readonly createEsqlRuleType: string;
 };
 readonly query: {
 readonly eql: string;
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/index.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/index.tsx
index 0130b8eed78b8..d1b1b1df9a28a 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/index.tsx
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/index.tsx
@@ -14,8 +14,6 @@ import { useBoolState } from '../../../../common/hooks/use_bool_state';
 import { useKibana } from '../../../../common/lib/kibana';
-const POPOVER_WIDTH = 640;
-
 /**
 * Icon and popover that gives hint to users how to get started with ES|QL rules
 */
@@ -30,14 +28,9 @@ const EsqlInfoIconComponent = () => {
 return ( - +
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/translations.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/translations.ts
index 6413d15fdd5aa..39c252ef03a5b 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/translations.ts
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/translations.ts
@@ -14,41 +14,13 @@ export const ARIA_LABEL = i18n.translate(
 }
 );
-export const getTooltipContent = (statsByLink: string, startUsingEsqlLink: string) =>
+export const getTooltipContent = (esqlRuleTypeLink: string) =>
 i18n.translate(
 'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.esqlInfoTooltipContent',
 {
- defaultMessage: `
-
-The Elasticsearch Query Language (ES|QL) is a query language that enables the iterative exploration of data. Check out our {startUsingEsqlLink} to get started using ES|QL rules in Security. Or, continue reading below to learn more about common ES|QL Security queries.
-
-### Aggregating query
-Is a query that uses {statsByLink} grouping commands. So, its result can not be matched with a particular document in ES.
-\`\`\`
-FROM logs*
-| STATS count = COUNT(host.name) BY host.name
-| SORT host.name
-\`\`\`
-
-
-### Search for events (non-aggregating query)
-Is a rule that does not use {statsByLink} grouping commands. Hence, each row in result can be tracked to a source document in ES. For this type of rule,
-please use operator \`[metadata _id, _index, _version]\` after defining index source. This would allow deduplicate alerts and link them with the source document.
-
-Example
-
-\`\`\`
-FROM logs* [metadata _id, _index, _version]
-| WHERE event.id == "test"
-| LIMIT 10
-\`\`\`
-
-Please, ensure, metadata properties \`id\`, \`_index\`, \`_version\` are carried over through pipe operators.
- `,
+ defaultMessage: `Check out our {esqlRuleTypeLink} to get started using ES|QL rules in Security.`,
 values: {
- statsByLink: `[STATS..BY](${statsByLink})`,
- // Docs team will provide actual link to a new page before release
- startUsingEsqlLink: `[documentation](${startUsingEsqlLink})`,
+ esqlRuleTypeLink: `[documentation](${esqlRuleTypeLink})`,
 },
 }
 );
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts
index e0bbcd45b1f1a..f58e84a0c5d91 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts
@@ -23,6 +23,6 @@ export const esqlValidationErrorMessage = (message: string) =>
 export const ESQL_VALIDATION_MISSING_ID_IN_QUERY_ERROR = i18n.translate(
 'xpack.securitySolution.detectionEngine.esqlValidation.missingIdInQueryError',
 {
- defaultMessage: `For non-aggregating rules(that don't use STATS..BY function), please write query that returns _id field from [metadata _id, _version, _index] operator`,
+ defaultMessage: `For non-aggregating queries(that don't use STATS..BY function), use [metadata _id, _version, _index] operator after source index and ensure resulted fields contain _id`,
 }
 );
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/translations.ts b/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/translations.ts
index f3e60463a4aaf..c7ec2b34ec08b 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/translations.ts
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/translations.ts
@@ -33,7 +33,7 @@ export const ESQL_TYPE_DESCRIPTION = i18n.translate(
 'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.ruleTypeField.esqlTypeDescription',
 {
 defaultMessage:
- 'Use The Elasticsearch Query Language (ES|QL) to search for or aggregate events.',
+ 'Use Elasticsearch Query Language (ES|QL) to iteratively explore and transform your data.',
 }
 );
From 85ba2267b008b09e8ede4e1037b453c4d44302da Mon Sep 17 00:00:00 2001
From: Vitalii Dmyterko
Date: Thu, 12 Oct 2023 16:51:22 +0100
Subject: [PATCH 03/13] fixes
---
 packages/kbn-doc-links/src/get_doc_links.ts | 3 ---
 packages/kbn-doc-links/src/types.ts | 3 ---
 .../e2e/detection_response/rule_creation/esql_rule_ess.cy.ts | 4 ++--
 3 files changed, 2 insertions(+), 8 deletions(-)
diff --git a/packages/kbn-doc-links/src/get_doc_links.ts b/packages/kbn-doc-links/src/get_doc_links.ts
index 99e895316bd6a..0245623f2aa4a 100644
--- a/packages/kbn-doc-links/src/get_doc_links.ts
+++ b/packages/kbn-doc-links/src/get_doc_links.ts
@@ -855,9 +855,6 @@ export const getDocLinks = ({ kibanaBranch }: GetDocLinkOptions): DocLinks => {
 synthetics: {
 featureRoles: `${ELASTIC_WEBSITE_URL}guide/en/observability/${DOC_LINK_VERSION}/synthetics-feature-roles.html`,
 },
- esql: {
- statsBy: `${ELASTICSEARCH_DOCS}esql-stats-by.html`,
- },
 telemetry: {
 settings: `${KIBANA_DOCS}telemetry-settings-kbn.html`,
 },
diff --git a/packages/kbn-doc-links/src/types.ts b/packages/kbn-doc-links/src/types.ts
index 83854810454b3..f45212fad1185 100644
--- a/packages/kbn-doc-links/src/types.ts
+++ b/packages/kbn-doc-links/src/types.ts
@@ -612,9 +612,6 @@ export interface DocLinks {
 readonly synthetics: {
 readonly featureRoles: string;
 };
- readonly esql: {
- readonly statsBy: string;
- };
 readonly telemetry: {
 readonly settings: string;
 };
diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_creation/esql_rule_ess.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_creation/esql_rule_ess.cy.ts
index 254deb99f3259..6be37f923102d 100644
--- a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_creation/esql_rule_ess.cy.ts
+++ b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_creation/esql_rule_ess.cy.ts
@@ -125,7 +125,7 @@ describe('Detection ES|QL rules, creation', { tags: ['@ess'] }, () => {
 getDefineContinueButton().click();
 cy.get(ESQL_QUERY_BAR).contains(
- 'write query that returns _id field from [metadata _id, _version, _index] operator'
+ 'use [metadata _id, _version, _index] operator after source index and ensure resulted fields contain _id'
 );
 });
@@ -139,7 +139,7 @@ describe('Detection ES|QL rules, creation', { tags: ['@ess'] }, () => {
 getDefineContinueButton().click();
 cy.get(ESQL_QUERY_BAR).contains(
- 'write query that returns _id field from [metadata _id, _version, _index] operator'
+ 'use [metadata _id, _version, _index] operator after source index and ensure resulted fields contain _id'
 );
 });
From e5dcc2e58bea74ca117cd9ea63133a3d134782be Mon Sep 17 00:00:00 2001
From: Vitalii Dmyterko
Date: Fri, 13 Oct 2023 13:10:28 +0100
Subject: [PATCH 04/13] refactoring
---
 .../components/esql_info_icon/index.tsx | 20 ++++++++++++++-----
 .../components/esql_info_icon/translations.ts | 11 ----------
 2 files changed, 15 insertions(+), 16 deletions(-)
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/index.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/index.tsx
index d1b1b1df9a28a..fed84547034af 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/index.tsx
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/index.tsx
@@ -6,12 +6,11 @@
 */
 import React from 'react';
-import { EuiPopover, EuiText, EuiButtonIcon } from '@elastic/eui';
-import { Markdown } from '@kbn/kibana-react-plugin/public';
+import { EuiPopover, EuiText, EuiButtonIcon, EuiLink } from '@elastic/eui';
+import { FormattedMessage } from '@kbn/i18n-react';
 import * as i18n from './translations';
 import { useBoolState } from '../../../../common/hooks/use_bool_state';
-
 import { useKibana } from '../../../../common/lib/kibana';
 /**
@@ -29,8 +28,19 @@ const EsqlInfoIconComponent = () => {
 return ( - + + + ), + }} />
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/translations.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/translations.ts
index 39c252ef03a5b..8729f7b0dd3bc 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/translations.ts
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/translations.ts
@@ -13,14 +13,3 @@ export const ARIA_LABEL = i18n.translate(
 defaultMessage: `Open help popover`,
 }
 );
-
-export const getTooltipContent = (esqlRuleTypeLink: string) =>
- i18n.translate(
- 'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.esqlInfoTooltipContent',
- {
- defaultMessage: `Check out our {esqlRuleTypeLink} to get started using ES|QL rules in Security.`,
- values: {
- esqlRuleTypeLink: `[documentation](${esqlRuleTypeLink})`,
- },
- }
- );
From 4f64052b41f41583afadb7b3c34950706c73514b Mon Sep 17 00:00:00 2001
From: Vitalii Dmyterko
Date: Fri, 13 Oct 2023 14:56:24 +0100
Subject: [PATCH 05/13] fix checks
---
 .../rule_creation/components/esql_info_icon/index.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
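Review bot: The `EuiLink` introduced for `createEsqlRuleTypeLink` in the `@@ -29,8 +28,19 @@` hunk has its props stripped in this extraction, so the hunk does not show how the documentation link is opened; if it sets `target="_blank"`, keep it on `EuiLink` with its `external` prop (which supplies the secure `rel` and the external icon) rather than a raw anchor. The `FormattedMessage` id is not visible either; if it reuses the id of the `getTooltipContent` message this same commit deletes from translations.ts (`xpack.securitySolution.detectionEngine.createRule.stepDefineRule.esqlInfoTooltipContent`) with different text, the existing locale entries for that id become stale and should be dropped alongside it. The header comment kept in context (`Icon and popover that gives hint to users how to get started with ES|QL rules`) could also name the source of the URL, e.g. `The link target is the createEsqlRuleType entry added to kbn-doc-links in this series.`, so the coupling is documented. EsqlInfoIconComponent's body begins and ends outside the hunk.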
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/index.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/index.tsx
index fed84547034af..a15eaec930a5d 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/index.tsx
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/index.tsx
@@ -35,7 +35,7 @@ const EsqlInfoIconComponent = () => {
 createEsqlRuleTypeLink: (
From 743a3d5d05332c90fd489a5429370355d455d1ab Mon Sep 17 00:00:00 2001
From: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com>
Date: Mon, 16 Oct 2023 09:24:35 +0100
Subject: [PATCH 06/13] Update translations.ts
---
 .../public/detection_engine/rule_creation/logic/translations.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts
index f58e84a0c5d91..002330533867a 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts
@@ -23,6 +23,6 @@ export const esqlValidationErrorMessage = (message: string) =>
 export const ESQL_VALIDATION_MISSING_ID_IN_QUERY_ERROR = i18n.translate(
 'xpack.securitySolution.detectionEngine.esqlValidation.missingIdInQueryError',
 {
- defaultMessage: `For non-aggregating queries(that don't use STATS..BY function), use [metadata _id, _version, _index] operator after source index and ensure resulted fields contain _id`,
+ defaultMessage: `For non-aggregating queries(that don't use STATS..BY function), use [metadata _id, _version, _index] operator after source index and ensure _id property is returned in response`,
 }
 );
From 506df03ab587c47288b99bde9beb8f9614130951 Mon Sep 17 00:00:00 2001 From: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com> Date: Mon, 16 Oct 2023 09:25:15 +0100 Subject: [PATCH 07/13] Update esql_rule_ess.cy.ts --- .../e2e/detection_response/rule_creation/esql_rule_ess.cy.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_creation/esql_rule_ess.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_creation/esql_rule_ess.cy.ts index 6be37f923102d..7ce695fba51f3 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_creation/esql_rule_ess.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_creation/esql_rule_ess.cy.ts @@ -125,7 +125,7 @@ describe('Detection ES|QL rules, creation', { tags: ['@ess'] }, () => { getDefineContinueButton().click(); cy.get(ESQL_QUERY_BAR).contains( - 'use [metadata _id, _version, _index] operator after source index and ensure resulted fields contain _id' + 'use [metadata _id, _version, _index] operator after source index and ensure _id property is returned in response' ); }); @@ -139,7 +139,7 @@ describe('Detection ES|QL rules, creation', { tags: ['@ess'] }, () => { getDefineContinueButton().click(); cy.get(ESQL_QUERY_BAR).contains( - 'use [metadata _id, _version, _index] operator after source index and ensure resulted fields contain _id' + 'use [metadata _id, _version, _index] operator after source index and ensure _id property is returned in response' ); }); From 284c430dcbdd857218c62847b44265bcd569ad57 Mon Sep 17 00:00:00 2001 
From: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com>
Date: Mon, 16 Oct 2023 16:04:20 +0100
Subject: [PATCH 08/13] Update x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/index.tsx
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
---
 .../rule_creation/components/esql_info_icon/index.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/index.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/index.tsx
index a15eaec930a5d..d0b4cee6752ad 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/index.tsx
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/index.tsx
@@ -30,7 +30,7 @@ const EsqlInfoIconComponent = () => {
From e2d8c3e9b89933cfae33f5da90ffc6b9f66c3a8f Mon Sep 17 00:00:00 2001
From: Vitalii Dmyterko
Date: Mon, 16 Oct 2023 16:40:27 +0100
Subject: [PATCH 09/13] update text
---
 .../components/rules/select_rule_type/translations.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/translations.ts b/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/translations.ts
index c7ec2b34ec08b..d8b61de136865 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/translations.ts
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/translations.ts
@@ -33,7 +33,7 @@ export const ESQL_TYPE_DESCRIPTION = i18n.translate(
 'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.ruleTypeField.esqlTypeDescription',
 {
 defaultMessage:
- 'Use Elasticsearch Query Language (ES|QL) to iteratively explore and transform your data.',
+ 'Use Elasticsearch Query Language (ES|QL) to find events and aggregate search results.',
 }
 );
From 6307811b3c1f858314c63a163f0733692a7c390d Mon Sep 17 00:00:00 2001
From: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com>
Date: Tue, 17 Oct 2023 09:37:33 +0100
Subject: [PATCH 10/13] Update translations.ts
---
 .../public/detection_engine/rule_creation/logic/translations.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts
index 002330533867a..cc497848ae7a9 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts
@@ -23,6 +23,6 @@ export const esqlValidationErrorMessage = (message: string) =>
 export const ESQL_VALIDATION_MISSING_ID_IN_QUERY_ERROR = i18n.translate(
 'xpack.securitySolution.detectionEngine.esqlValidation.missingIdInQueryError',
 {
- defaultMessage: `For non-aggregating queries(that don't use STATS..BY function), use [metadata _id, _version, _index] operator after source index and ensure _id property is returned in response`,
+ defaultMessage: `For non-aggregating queries(that don't use STATS..BY function), use [metadata _id, _version, _index] operator after source index and ensure _id property is returned in response. Example: FROM logs* [metadata _id, _version, _index]`,
 }
 );
From d8cf3f5c7ea169f6cd85a46ad00dfd3421a04af2 Mon Sep 17 00:00:00 2001
From: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com>
Date: Tue, 17 Oct 2023 14:36:24 +0100
Subject: [PATCH 11/13] Update translations.ts
---
 .../public/detection_engine/rule_creation/logic/translations.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts
index cc497848ae7a9..9e2fe63c38039 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts
@@ -23,6 +23,6 @@ export const esqlValidationErrorMessage = (message: string) =>
 export const ESQL_VALIDATION_MISSING_ID_IN_QUERY_ERROR = i18n.translate(
 'xpack.securitySolution.detectionEngine.esqlValidation.missingIdInQueryError',
 {
- defaultMessage: `For non-aggregating queries(that don't use STATS..BY function), use [metadata _id, _version, _index] operator after source index and ensure _id property is returned in response. Example: FROM logs* [metadata _id, _version, _index]`,
+ defaultMessage: `Queries that don’t use the STATS...BY function (non-aggregating queries) must include the [metadata _id, _version, _index] operator after the after source command. For example: FROM logs* [metadata _id, _version, _index]. In addition, the metadata properties (_id, _version, and _index) must be returned in the query response.`,
 }
 );
From f73d58da8bd0f331c76dc72204af5ce49ed1ea64 Mon Sep 17 00:00:00 2001
From: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com>
Date: Tue, 17 Oct 2023 14:40:01 +0100
Subject: [PATCH 12/13] Update translations.ts
---
 .../public/detection_engine/rule_creation/logic/translations.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts
index 9e2fe63c38039..bbb00053cdfab 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts
@@ -23,6 +23,6 @@ export const esqlValidationErrorMessage = (message: string) =>
 export const ESQL_VALIDATION_MISSING_ID_IN_QUERY_ERROR = i18n.translate(
 'xpack.securitySolution.detectionEngine.esqlValidation.missingIdInQueryError',
 {
- defaultMessage: `Queries that don’t use the STATS...BY function (non-aggregating queries) must include the [metadata _id, _version, _index] operator after the after source command. For example: FROM logs* [metadata _id, _version, _index]. In addition, the metadata properties (_id, _version, and _index) must be returned in the query response.`,
+ defaultMessage: `Queries that don’t use the STATS...BY function (non-aggregating queries) must include the [metadata _id, _version, _index] operator after the source command. For example: FROM logs* [metadata _id, _version, _index]. In addition, the metadata properties (_id, _version, and _index) must be returned in the query response.`,
 }
 );
From 374f5cf049ddab9dd608590876181ec75c59c2ed Mon Sep 17 00:00:00 2001
From: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com>
Date: Tue, 17 Oct 2023 14:40:47 +0100
Subject: [PATCH 13/13] Update esql_rule_ess.cy.ts
---
 .../e2e/detection_response/rule_creation/esql_rule_ess.cy.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_creation/esql_rule_ess.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_creation/esql_rule_ess.cy.ts
index 7ce695fba51f3..a22d24a9fd537 100644
--- a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_creation/esql_rule_ess.cy.ts
+++ b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_creation/esql_rule_ess.cy.ts
@@ -125,7 +125,7 @@ describe('Detection ES|QL rules, creation', { tags: ['@ess'] }, () => {
 getDefineContinueButton().click();
 cy.get(ESQL_QUERY_BAR).contains(
- 'use [metadata _id, _version, _index] operator after source index and ensure _id property is returned in response'
+ 'must include the [metadata _id, _version, _index] operator after the source command'
 );
 });
@@ -139,7 +139,7 @@ describe('Detection ES|QL rules, creation', { tags: ['@ess'] }, () => {
 getDefineContinueButton().click();
 cy.get(ESQL_QUERY_BAR).contains(
- 'use [metadata _id, _version, _index] operator after source index and ensure _id property is returned in response'
+ 'must include the [metadata _id, _version, _index] operator after the source command'
 );
 });
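Review bot: Both `contains()` assertions in this file pin a fragment of user-facing copy, which is why the same two lines had to be rewritten in patches 03, 07 and 13 of this series each time the wording of `ESQL_VALIDATION_MISSING_ID_IN_QUERY_ERROR` moved. If the cypress config permits importing from the plugin, asserting on the constant exported from `x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts` would keep the test in step with the copy automatically; otherwise a comment such as `// mirrors ESQL_VALIDATION_MISSING_ID_IN_QUERY_ERROR in rule_creation/logic/translations.ts; update together` above each assertion makes the coupling visible. The `it` blocks that contain these assertions begin outside the hunks.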