-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution] Editing rules independently of source data (#180407) #191487
[Security Solution] Editing rules independently of source data (#180407) #191487
Conversation
/ci |
/ci |
@elasticmachine merge upstream |
/ci |
/ci |
Pinging @elastic/security-solution (Team: SecuritySolution) |
Pinging @elastic/security-detection-engine (Team:Detection Engine) |
@elasticmachine merge upstream |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for implementing this @e40pud
Looks good, just few minor comments from me
x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/translations.ts
Outdated
Show resolved
Hide resolved
...gins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_editing/index.tsx
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/form.tsx
Outdated
Show resolved
Hide resolved
@@ -559,7 +633,8 @@ const CreateRulePageComponent: React.FC = () => { | |||
); | |||
const memoDefineStepExtraAction = useMemo( | |||
() => | |||
defineStepForm.isValid && ( | |||
defineStepForm.isValid !== undefined && | |||
activeStep !== RuleStep.defineRule && ( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why extra condition is needed here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
added comments
* 2.0. | ||
*/ | ||
|
||
import React from 'react'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What you see right now is the current behaviour on both ESS and Serverless. Users are unable to modify prebuilt rules. They have to duplicate prebuilt rules right now to be able to adjust rule's properties.
The whole "rule customization" effort will allow user to do that without duplication.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am aware, prebuilt rule can't be modified.
It's the fact that we show user step is invalid without showing actual error and additional information how that can affect rule's behavior.
Is there a way for user in this situation to see actual error?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As discussed here is the ticket to discuss this behaviour #191832
x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/form.tsx
Show resolved
Hide resolved
...ins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/index.tsx
Outdated
Show resolved
Hide resolved
…creation_ui/pages/translations.ts Co-authored-by: Vitalii Dmyterko <[email protected]>
@elasticmachine merge upstream |
@elasticmachine merge upstream |
- memoize callbacks - clarify multiple EQL validation errors functionality - comments to clarify step editing button visibility conditions - add unit tests for `useRuleFormsErrors`
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]Module Count
Async chunks
History
To update your PR or re-run it, just comment with: cc @e40pud |
Flaky Test Runner Stats🟠 Some tests failed. - kibana-flaky-test-suite-runner#6830[❌] Security Solution Rule Management - Cypress: 75/100 tests passed. |
Flaky Test Runner Stats🟠 Some tests failed. - kibana-flaky-test-suite-runner#6828[❌] Security Solution Detection Engine - Cypress: 30/100 tests passed. |
Flaky Test Runner Stats🟠 Some tests failed. - kibana-flaky-test-suite-runner#6831[❌] Security Solution Detection Engine - Cypress: 49/100 tests passed. |
… editing (#191832) (#192683) ## Summary Partially addressed #191832 With these changes: - We revert to the #180407 (comment). Specifically, we return back the validation errors to the modal window. An example of this modal is in the ticket description. - Additionally, on the Rule Editing page and **only for prebuilt rules** we: 1) hide the callout that says "You have an invalid input in this tab: ...", and 2) we don't show the modal if there are any data validation errors. We shouldn't show this modal and this callout until we release the prebuilt rule customization feature. 3) We will only validate the Actions tab. - Fix MKI flaky cypress tests introduced in #191487 ([1](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/b1f442af-db44-8029-a9fb-7e3d988303b3?branch=main), [2](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/995655b6-ae70-86fd-b483-c65846cd8d66?branch=main), [3](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/02318f5c-6ca1-8779-a5a4-60f52a55b344?branch=main)). All three tests are failing due to missing `[data-test-subj="eqlRuleType"]` element. After checking and comparing my tests to other similar tests in the file, the only difference that I've found was extra `login();` call. Thus removing those. Here is the screen recording showing the new behaviour for prebuilt rules. The has missing data source query validation error, though we do not show it and allow user just to save the rule. Only Actions tab is validated on rule save action. https://github.com/user-attachments/assets/ce968f51-1a53-41b2-ad06-1b31dec085a6 ### Checklist Delete any items that are not applicable to this PR. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed * [Detection Engine - Cypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6925) (100 ESS & 100 Serverless) * [Rule Management - Cypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6926) (100 ESS & 100 Serverless) * [Prebuilt Rules - Cypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6927) (100 ESS & 100 Serverless)
… editing (elastic#191832) (elastic#192683) ## Summary Partially addressed elastic#191832 With these changes: - We revert to the elastic#180407 (comment). Specifically, we return back the validation errors to the modal window. An example of this modal is in the ticket description. - Additionally, on the Rule Editing page and **only for prebuilt rules** we: 1) hide the callout that says "You have an invalid input in this tab: ...", and 2) we don't show the modal if there are any data validation errors. We shouldn't show this modal and this callout until we release the prebuilt rule customization feature. 3) We will only validate the Actions tab. - Fix MKI flaky cypress tests introduced in elastic#191487 ([1](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/b1f442af-db44-8029-a9fb-7e3d988303b3?branch=main), [2](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/995655b6-ae70-86fd-b483-c65846cd8d66?branch=main), [3](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/02318f5c-6ca1-8779-a5a4-60f52a55b344?branch=main)). All three tests are failing due to missing `[data-test-subj="eqlRuleType"]` element. After checking and comparing my tests to other similar tests in the file, the only difference that I've found was extra `login();` call. Thus removing those. Here is the screen recording showing the new behaviour for prebuilt rules. The has missing data source query validation error, though we do not show it and allow user just to save the rule. Only Actions tab is validated on rule save action. https://github.com/user-attachments/assets/ce968f51-1a53-41b2-ad06-1b31dec085a6 ### Checklist Delete any items that are not applicable to this PR. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed * [Detection Engine - Cypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6925) (100 ESS & 100 Serverless) * [Rule Management - Cypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6926) (100 ESS & 100 Serverless) * [Prebuilt Rules - Cypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6927) (100 ESS & 100 Serverless) (cherry picked from commit c937e95)
…t rule editing (#191832) (#192683) (#192819) # Backport This will backport the following commits from `main` to `8.x`: - [[Security Solution] Add validation error description on prebuilt rule editing (#191832) (#192683)](#192683) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Ievgen Sorokopud","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-09-13T08:37:39Z","message":"[Security Solution] Add validation error description on prebuilt rule editing (#191832) (#192683)\n\n## Summary\r\n\r\nPartially addressed https://github.com/elastic/kibana/issues/191832\r\n\r\nWith these changes:\r\n- We revert to the\r\nhttps://github.com//issues/180407#issuecomment-2312891214.\r\nSpecifically, we return back the validation errors to the modal window.\r\nAn example of this modal is in the ticket description.\r\n- Additionally, on the Rule Editing page and **only for prebuilt rules**\r\nwe: 1) hide the callout that says \"You have an invalid input in this\r\ntab: ...\", and 2) we don't show the modal if there are any data\r\nvalidation errors. We shouldn't show this modal and this callout until\r\nwe release the prebuilt rule customization feature. 3) We will only\r\nvalidate the Actions tab.\r\n- Fix MKI flaky cypress tests introduced in\r\nhttps://github.com//pull/191487\r\n([1](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/b1f442af-db44-8029-a9fb-7e3d988303b3?branch=main),\r\n[2](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/995655b6-ae70-86fd-b483-c65846cd8d66?branch=main),\r\n[3](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/02318f5c-6ca1-8779-a5a4-60f52a55b344?branch=main)).\r\nAll three tests are failing due to missing\r\n`[data-test-subj=\"eqlRuleType\"]` element. After checking and comparing\r\nmy tests to other similar tests in the file, the only difference that\r\nI've found was extra `login();` call. Thus removing those.\r\n\r\nHere is the screen recording showing the new behaviour for prebuilt\r\nrules. The has missing data source query validation error, though we do\r\nnot show it and allow user just to save the rule. Only Actions tab is\r\nvalidated on rule save action.\r\n\r\n\r\nhttps://github.com/user-attachments/assets/ce968f51-1a53-41b2-ad06-1b31dec085a6\r\n\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [ ] [Flaky Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\r\nused on any tests changed\r\n* [Detection Engine -\r\nCypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6925)\r\n(100 ESS & 100 Serverless)\r\n* [Rule Management -\r\nCypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6926)\r\n(100 ESS & 100 Serverless)\r\n* [Prebuilt Rules -\r\nCypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6927)\r\n(100 ESS & 100 Serverless)","sha":"c937e95e3137821b510fa480ee28f0cf3afb85ad","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team: SecuritySolution","ci:cloud-deploy","Team:Detection Engine","ci:project-deploy-security","v8.16.0"],"title":"[Security Solution] Add validation error description on prebuilt rule editing (#191832)","number":192683,"url":"https://github.com/elastic/kibana/pull/192683","mergeCommit":{"message":"[Security Solution] Add validation error description on prebuilt rule editing (#191832) (#192683)\n\n## Summary\r\n\r\nPartially addressed https://github.com/elastic/kibana/issues/191832\r\n\r\nWith these changes:\r\n- We revert to the\r\nhttps://github.com//issues/180407#issuecomment-2312891214.\r\nSpecifically, we return back the validation errors to the modal window.\r\nAn example of this modal is in the ticket description.\r\n- Additionally, on the Rule Editing page and **only for prebuilt rules**\r\nwe: 1) hide the callout that says \"You have an invalid input in this\r\ntab: ...\", and 2) we don't show the modal if there are any data\r\nvalidation errors. We shouldn't show this modal and this callout until\r\nwe release the prebuilt rule customization feature. 3) We will only\r\nvalidate the Actions tab.\r\n- Fix MKI flaky cypress tests introduced in\r\nhttps://github.com//pull/191487\r\n([1](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/b1f442af-db44-8029-a9fb-7e3d988303b3?branch=main),\r\n[2](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/995655b6-ae70-86fd-b483-c65846cd8d66?branch=main),\r\n[3](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/02318f5c-6ca1-8779-a5a4-60f52a55b344?branch=main)).\r\nAll three tests are failing due to missing\r\n`[data-test-subj=\"eqlRuleType\"]` element. After checking and comparing\r\nmy tests to other similar tests in the file, the only difference that\r\nI've found was extra `login();` call. Thus removing those.\r\n\r\nHere is the screen recording showing the new behaviour for prebuilt\r\nrules. The has missing data source query validation error, though we do\r\nnot show it and allow user just to save the rule. Only Actions tab is\r\nvalidated on rule save action.\r\n\r\n\r\nhttps://github.com/user-attachments/assets/ce968f51-1a53-41b2-ad06-1b31dec085a6\r\n\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [ ] [Flaky Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\r\nused on any tests changed\r\n* [Detection Engine -\r\nCypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6925)\r\n(100 ESS & 100 Serverless)\r\n* [Rule Management -\r\nCypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6926)\r\n(100 ESS & 100 Serverless)\r\n* [Prebuilt Rules -\r\nCypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6927)\r\n(100 ESS & 100 Serverless)","sha":"c937e95e3137821b510fa480ee28f0cf3afb85ad"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/192683","number":192683,"mergeCommit":{"message":"[Security Solution] Add validation error description on prebuilt rule editing (#191832) (#192683)\n\n## Summary\r\n\r\nPartially addressed https://github.com/elastic/kibana/issues/191832\r\n\r\nWith these changes:\r\n- We revert to the\r\nhttps://github.com//issues/180407#issuecomment-2312891214.\r\nSpecifically, we return back the validation errors to the modal window.\r\nAn example of this modal is in the ticket description.\r\n- Additionally, on the Rule Editing page and **only for prebuilt rules**\r\nwe: 1) hide the callout that says \"You have an invalid input in this\r\ntab: ...\", and 2) we don't show the modal if there are any data\r\nvalidation errors. We shouldn't show this modal and this callout until\r\nwe release the prebuilt rule customization feature. 3) We will only\r\nvalidate the Actions tab.\r\n- Fix MKI flaky cypress tests introduced in\r\nhttps://github.com//pull/191487\r\n([1](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/b1f442af-db44-8029-a9fb-7e3d988303b3?branch=main),\r\n[2](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/995655b6-ae70-86fd-b483-c65846cd8d66?branch=main),\r\n[3](https://buildkite.com/organizations/elastic/analytics/suites/serverless-mki-cypress-detection-engine/tests/02318f5c-6ca1-8779-a5a4-60f52a55b344?branch=main)).\r\nAll three tests are failing due to missing\r\n`[data-test-subj=\"eqlRuleType\"]` element. After checking and comparing\r\nmy tests to other similar tests in the file, the only difference that\r\nI've found was extra `login();` call. Thus removing those.\r\n\r\nHere is the screen recording showing the new behaviour for prebuilt\r\nrules. The has missing data source query validation error, though we do\r\nnot show it and allow user just to save the rule. Only Actions tab is\r\nvalidated on rule save action.\r\n\r\n\r\nhttps://github.com/user-attachments/assets/ce968f51-1a53-41b2-ad06-1b31dec085a6\r\n\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [ ] [Flaky Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\r\nused on any tests changed\r\n* [Detection Engine -\r\nCypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6925)\r\n(100 ESS & 100 Serverless)\r\n* [Rule Management -\r\nCypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6926)\r\n(100 ESS & 100 Serverless)\r\n* [Prebuilt Rules -\r\nCypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6927)\r\n(100 ESS & 100 Serverless)","sha":"c937e95e3137821b510fa480ee28f0cf3afb85ad"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Ievgen Sorokopud <[email protected]>
…e Editing page (#199550) **Resolves: #180172 ## Summary > [!NOTE] > Feature is behind the `prebuiltRulesCustomizationEnabled` feature flag. Removes the logic gates preventing prebuilt rules from being edited via the Rule Edit page behind the `prebuiltRulesCustomizationEnabled` feature flag. This allows all rules types to be fully editable via the UI. Also removes the muting logic we had in place for `Definition` tab warnings ([implemented here](#191487)) ### Screenshots #### _Before_ **Prebuilt rule only has the "Actions" tab enabled, users cannot customize anything else in the form** ![Screenshot 2024-11-08 at 3 08 15 PM](https://github.com/user-attachments/assets/b83836e6-f78f-4b3a-9fbc-55a5208250dd) #### _After_ **Prebuilt rule now has all tabs/fields available for editing and rule info is populated into the form** ![Screenshot 2024-11-08 at 3 02 43 PM](https://github.com/user-attachments/assets/184f6fc4-b64c-4e20-a987-76e460c61786) ### Checklist Delete any items that are not applicable to this PR. - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#_add_your_labels) - [ ] This will appear in the **Release Notes** and follow the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Elastic Machine <[email protected]>
…e Editing page (elastic#199550) **Resolves: elastic#180172 ## Summary > [!NOTE] > Feature is behind the `prebuiltRulesCustomizationEnabled` feature flag. Removes the logic gates preventing prebuilt rules from being edited via the Rule Edit page behind the `prebuiltRulesCustomizationEnabled` feature flag. This allows all rules types to be fully editable via the UI. Also removes the muting logic we had in place for `Definition` tab warnings ([implemented here](elastic#191487)) ### Screenshots #### _Before_ **Prebuilt rule only has the "Actions" tab enabled, users cannot customize anything else in the form** ![Screenshot 2024-11-08 at 3 08 15 PM](https://github.com/user-attachments/assets/b83836e6-f78f-4b3a-9fbc-55a5208250dd) #### _After_ **Prebuilt rule now has all tabs/fields available for editing and rule info is populated into the form** ![Screenshot 2024-11-08 at 3 02 43 PM](https://github.com/user-attachments/assets/184f6fc4-b64c-4e20-a987-76e460c61786) ### Checklist Delete any items that are not applicable to this PR. - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#_add_your_labels) - [ ] This will appear in the **Release Notes** and follow the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Elastic Machine <[email protected]> (cherry picked from commit d6e6145)
…e Editing page (elastic#199550) **Resolves: elastic#180172 ## Summary > [!NOTE] > Feature is behind the `prebuiltRulesCustomizationEnabled` feature flag. Removes the logic gates preventing prebuilt rules from being edited via the Rule Edit page behind the `prebuiltRulesCustomizationEnabled` feature flag. This allows all rules types to be fully editable via the UI. Also removes the muting logic we had in place for `Definition` tab warnings ([implemented here](elastic#191487)) ### Screenshots #### _Before_ **Prebuilt rule only has the "Actions" tab enabled, users cannot customize anything else in the form** ![Screenshot 2024-11-08 at 3 08 15 PM](https://github.com/user-attachments/assets/b83836e6-f78f-4b3a-9fbc-55a5208250dd) #### _After_ **Prebuilt rule now has all tabs/fields available for editing and rule info is populated into the form** ![Screenshot 2024-11-08 at 3 02 43 PM](https://github.com/user-attachments/assets/184f6fc4-b64c-4e20-a987-76e460c61786) ### Checklist Delete any items that are not applicable to this PR. - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#_add_your_labels) - [ ] This will appear in the **Release Notes** and follow the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Elastic Machine <[email protected]>
…e Editing page (elastic#199550) **Resolves: elastic#180172 ## Summary > [!NOTE] > Feature is behind the `prebuiltRulesCustomizationEnabled` feature flag. Removes the logic gates preventing prebuilt rules from being edited via the Rule Edit page behind the `prebuiltRulesCustomizationEnabled` feature flag. This allows all rules types to be fully editable via the UI. Also removes the muting logic we had in place for `Definition` tab warnings ([implemented here](elastic#191487)) ### Screenshots #### _Before_ **Prebuilt rule only has the "Actions" tab enabled, users cannot customize anything else in the form** ![Screenshot 2024-11-08 at 3 08 15 PM](https://github.com/user-attachments/assets/b83836e6-f78f-4b3a-9fbc-55a5208250dd) #### _After_ **Prebuilt rule now has all tabs/fields available for editing and rule info is populated into the form** ![Screenshot 2024-11-08 at 3 02 43 PM](https://github.com/user-attachments/assets/184f6fc4-b64c-4e20-a987-76e460c61786) ### Checklist Delete any items that are not applicable to this PR. - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#_add_your_labels) - [ ] This will appear in the **Release Notes** and follow the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Elastic Machine <[email protected]>
Summary
Addresses #180407
Addresses #178611
With these changes we allow user to create and update a rule even if there are certain query bar validation error exist. Right now, we will make any non-syntax validation errors in
EQL
andES|QL
rules types to be non-blocking during the rule creation and rule updating workflows.Screenshot of the EQL rule creation workflow with existing non-blocking validation errors:
Screen.Recording.2024-08-27.at.13.44.14.mov
Screenshot of the EQL rule updating workflow with existing non-blocking validation errors:
Screen.Recording.2024-08-27.at.13.46.19.mov
UPDATE
After discussing confirmation modal with @approksiu, we decided to simplify it and show only title with generic description to avoid too be too literal in the modal. User can see the full error description during rule creation/editing workflows in the query bar where we show each validation error as part of the query bar form item.
Some test cases for local testing
Create EQL rule with missing data source
Steps:
any where true
)Expected: You will see the confirmation modal that warns user about potentially failing rule executions. Clicking
Confirm
button will create a rule.Create EQL rule with missing data field
Steps:
any where agent.non_existing_field
)Expected: You will see the confirmation modal that warns user about potentially failing rule executions. Clicking
Confirm
button will create a rule.Create EQL rule with syntax error in the query
Steps:
hello world
)Expected: The continue button does not allow user to proceed to the About step due to existing syntax error.
Create ES|QL rule with missing data source
Steps:
from non-existing-index-* metadata _id, _version, _index | SORT @timestamp
)Expected: You will see the confirmation modal that warns user about potentially failing rule executions. Clicking
Confirm
button will create a rule.Create ES|QL rule with missing data field
Steps:
from logs-* metadata _id, _version, _index | SORT agent.non_existing_field
)Expected: You will see the confirmation modal that warns user about potentially failing rule executions. Clicking
Confirm
button will create a rule.Create ES|QL rule with syntax error in the query
Steps:
hello world
)Expected: The continue button does not allow user to proceed to the About step due to existing syntax error.
Same behaviour applies to the rule updating workflow. For example, you can try to install one of the EQL or ES|QL rules that point to non-existing data source or uses non-existing data field. User can still update (add rule actions) to such installed pre-built rules.
Checklist
Delete any items that are not applicable to this PR.