elastic · rylnd · Oct 18, 2023 · rylnd · Oct 18, 2023
@@ -7,19 +7,16 @@
  */
 
 import type { EqlSearchRequest } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
-import type { TransportResult, TransportRequestOptions } from '@elastic/elasticsearch';
+import type { TransportResult } from '@elastic/elasticsearch';
 
 import { IKibanaSearchRequest, IKibanaSearchResponse } from '../../types';
 
 export const EQL_SEARCH_STRATEGY = 'eql';
 
-export type EqlRequestParams = EqlSearchRequest;
-
-export interface EqlSearchStrategyRequest extends IKibanaSearchRequest<EqlRequestParams> {
-  /**
-   * @deprecated: use IAsyncSearchOptions.transport instead.
-   */
-  options?: TransportRequestOptions;
+export interface EqlRequestParams extends EqlSearchRequest {
+  validate?: boolean;
 }
 
+export type EqlSearchStrategyRequest = IKibanaSearchRequest<EqlRequestParams>;
+
 export type EqlSearchStrategyResponse<T = unknown> = IKibanaSearchResponse<TransportResult<T>>;
@@ -16,7 +16,11 @@ import {
   IAsyncSearchOptions,
   pollSearch,
 } from '../../../../common';
-import { toEqlKibanaSearchResponse } from './response_utils';
+import {
+  errorToEqlKibanaSearchResponse,
+  isEqlValidationResponseError,
+  toEqlKibanaSearchResponse,
+} from './response_utils';
 import { EqlSearchResponse } from './types';
 import { ISearchStrategy } from '../../types';
 import { getDefaultSearchParams } from '../es_search';
@@ -47,6 +51,7 @@ export const eqlSearchStrategyProvider = (
         const { track_total_hits: _, ...defaultParams } = await getDefaultSearchParams(
           uiSettingsClient
         );
+        const { validate: isValidationRequest, ...eqlParams } = request.params ?? {};
         const params = id
           ? getCommonDefaultAsyncGetParams(searchConfig, options, {
               /* disable until full eql support */ disableSearchSessions: true,
@@ -57,27 +62,33 @@ export const eqlSearchStrategyProvider = (
               ...getCommonDefaultAsyncGetParams(searchConfig, options, {
                 /* disable until full eql support */ disableSearchSessions: true,
               }),
-              ...request.params,
+              ...eqlParams,
             };
-        const response = id
-          ? await client.get(
-              { ...params, id },
-              {
-                ...request.options,
+
+        try {
+          const response = id
+            ? await client.get(
+                { ...params, id },
+                {
+                  ...options.transport,
+                  signal: options.abortSignal,
+                  meta: true,
+                }
+              )
+            : // @ts-expect-error optional key cannot be used since search doesn't expect undefined
+              await client.search(params, {
                 ...options.transport,
                 signal: options.abortSignal,
                 meta: true,
-              }
-            )
-          : // @ts-expect-error optional key cannot be used since search doesn't expect undefined
-            await client.search(params as EqlSearchStrategyRequest['params'], {
-              ...request.options,
-              ...options.transport,
-              signal: options.abortSignal,
-              meta: true,
-            });
-
-        return toEqlKibanaSearchResponse(response as TransportResult<EqlSearchResponse>);
+              });
+          return toEqlKibanaSearchResponse(response as TransportResult<EqlSearchResponse>);
+        } catch (e) {
+          if (isValidationRequest && isEqlValidationResponseError(e)) {
+            return errorToEqlKibanaSearchResponse(e);
+          } else {
+            throw e;
+          }
+        }
       };
 
       const cancel = async () => {

@@ -6,7 +6,8 @@
  * Side Public License, v 1.
  */
 
-import type { TransportResult } from '@elastic/elasticsearch';
+import { get } from 'lodash';
+import { errors, TransportResult } from '@elastic/elasticsearch';
 import { EqlSearchResponse } from './types';
 import { EqlSearchStrategyResponse } from '../../../../common';
 
@@ -24,3 +25,40 @@ export function toEqlKibanaSearchResponse(
     isRunning: response.body.is_running,
   };
 }
+
+export function errorToEqlKibanaSearchResponse(
+  response: EqlResponseError
+): EqlSearchStrategyResponse {
+  return {
+    id: undefined,
+    rawResponse: response.meta,
+    isPartial: false,
+    isRunning: false,
+  };
+}
+
+const PARSING_ERROR_TYPE = 'parsing_exception';
+const VERIFICATION_ERROR_TYPE = 'verification_exception';
+const MAPPING_ERROR_TYPE = 'mapping_exception';
+
+interface ErrorCause {
+  type: string;
+  reason: string;
+}
+
+interface EqlErrorBody {
+  error: ErrorCause & { root_cause: ErrorCause[] };
+}
+
+export interface EqlResponseError extends errors.ResponseError {
+  meta: TransportResult<EqlErrorBody>;
+}
+
+const isValidationErrorType = (type: unknown): boolean =>
+  type === PARSING_ERROR_TYPE || type === VERIFICATION_ERROR_TYPE || type === MAPPING_ERROR_TYPE;
+
+export const isEqlResponseError = (response: unknown): response is EqlResponseError =>
+  response instanceof errors.ResponseError;
+
+export const isEqlValidationResponseError = (response: unknown): response is EqlResponseError =>
+  isEqlResponseError(response) && isValidationErrorType(get(response, 'meta.body.error.type'));
diff --git a/x-pack/plugins/security_solution/public/common/hooks/eql/api.ts b/x-pack/plugins/security_solution/public/common/hooks/eql/api.ts
@@ -38,8 +38,8 @@ export const validateEql = async ({
         params: {
           index: dataViewTitle,
           body: { query, runtime_mappings: runtimeMappings, size: 0 },
+          validate: true,
         },
-        options: { ignore: [400] },
       },
       {
         strategy: EQL_SEARCH_STRATEGY,