elastic · FrankHassanabad · Nov 12, 2020 · Oct 27, 2020 · Oct 27, 2020 · Nov 3, 2020
diff --git a/...security_solution/public/detections/components/rules/eql_query_bar/eql_query_bar.test.tsx b/...security_solution/public/detections/components/rules/eql_query_bar/eql_query_bar.test.tsx
@@ -43,6 +43,7 @@ describe('EqlQueryBar', () => {
 
     const expected = {
       filters: [],
+      edited: true,
       query: {
         query: 'newQuery',
         language: 'eql',

diff --git a/...gins/security_solution/public/detections/components/rules/eql_query_bar/eql_query_bar.tsx b/...gins/security_solution/public/detections/components/rules/eql_query_bar/eql_query_bar.tsx
@@ -72,6 +72,7 @@ export const EqlQueryBar: FC<EqlQueryBarProps> = ({
           query: newQuery,
           language: 'eql',
         },
+        edited: true,
       });
     },
     [setValue]

diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/query_bar/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/query_bar/index.tsx
@@ -161,7 +161,7 @@ export const QueryBarDefineRule = ({
     (newQuery: Query) => {
       const { query } = field.value as FieldValueQueryBar;
       if (!deepEqual(query, newQuery)) {
-        field.setValue({ ...(field.value as FieldValueQueryBar), query: newQuery });
+        field.setValue({ ...(field.value as FieldValueQueryBar), query: newQuery, edited: true });
       }
     },
     [field]
@@ -171,7 +171,11 @@ export const QueryBarDefineRule = ({
     (newQuery: Query) => {
       const { query } = field.value as FieldValueQueryBar;
       if (!deepEqual(query, newQuery)) {
-        field.setValue({ ...(field.value as FieldValueQueryBar), query: newQuery });
+        field.setValue({
+          ...(field.value as FieldValueQueryBar),
+          query: newQuery,
+          edited: true,
+        });
       }
     },
     [field]
@@ -187,6 +191,7 @@ export const QueryBarDefineRule = ({
             filters: newSavedQuery.attributes.filters,
             query: newSavedQuery.attributes.query,
             saved_id: newSavedQuery.id,
+            edited: true,
           });
         }
       }

diff --git a/...k/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx b/...k/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx
@@ -71,6 +71,7 @@ const stepDefineDefaultValue: DefineStepRule = {
     query: { query: '', language: 'kuery' },
     filters: [],
     saved_id: undefined,
+    edited: false,
   },
   threatQueryBar: {
     query: { query: '*:*', language: 'kuery' },
@@ -131,7 +132,7 @@ const StepDefineRuleComponent: FC<StepDefineRuleProps> = ({
     options: { stripEmptyFields: false },
     schema,
   });
-  const { getFields, getFormData, reset, submit } = form;
+  const { getFields, getFormData, reset, submit, setFieldValue } = form;
   const [
     {
       index: formIndex,
@@ -165,7 +166,20 @@ const StepDefineRuleComponent: FC<StepDefineRuleProps> = ({
   // reset form when rule type changes
   useEffect(() => {
     reset({ resetValues: false });
-  }, [reset, ruleType]);
+    if (getFields().queryBar != null) {
+      const queryBar = getFields().queryBar.value as DefineStepRule['queryBar'];
+      if (queryBar.edited !== true && !isUpdateView) {
+        if (isThreatMatchRule(ruleType)) {
+          setFieldValue('queryBar', {
+            ...stepDefineDefaultValue.queryBar,
+            query: { ...stepDefineDefaultValue.queryBar.query, query: '*:*' },
+          });
+        } else {
+          setFieldValue('queryBar', stepDefineDefaultValue.queryBar);
+        }
+      }
+    }
+  }, [reset, ruleType, setFieldValue, getFields, isUpdateView]);
 
   useEffect(() => {
     setIndexModified(!isEqual(index, indicesConfig));

diff --git a/.../plugins/security_solution/public/detections/components/rules/step_define_rule/schema.tsx b/.../plugins/security_solution/public/detections/components/rules/step_define_rule/schema.tsx
@@ -77,12 +77,11 @@ export const schema: FormSchema<DefineStepRule> = {
           ...args: Parameters<ValidationFunc>
         ): ReturnType<ValidationFunc<{}, ERROR_CODE>> | undefined => {
           const [{ value, path, formData }] = args;
-          const { query, filters } = value as FieldValueQueryBar;
+          const { query, filters } = value as DefineStepRule['queryBar'];
           const needsValidation = !isMlRule(formData.ruleType);
           if (!needsValidation) {
             return;
           }
-
           return isEmpty(query.query as string) && isEmpty(filters)
             ? {
                 code: 'ERR_FIELD_MISSING',
@@ -97,7 +96,7 @@ export const schema: FormSchema<DefineStepRule> = {
           ...args: Parameters<ValidationFunc>
         ): ReturnType<ValidationFunc<{}, ERROR_CODE>> | undefined => {
           const [{ value, path, formData }] = args;
-          const { query } = value as FieldValueQueryBar;
+          const { query } = value as DefineStepRule['queryBar'];
           const needsValidation = !isMlRule(formData.ruleType);
           if (!needsValidation) {
             return;

diff --git a/...ns/security_solution/public/detections/pages/detection_engine/rules/all/__mocks__/mock.ts b/...ns/security_solution/public/detections/pages/detection_engine/rules/all/__mocks__/mock.ts
@@ -7,10 +7,9 @@
 import { esFilters } from '../../../../../../../../../../src/plugins/data/public';
 import { Rule, RuleError } from '../../../../../containers/detection_engine/rules';
 import { AboutStepRule, ActionsStepRule, DefineStepRule, ScheduleStepRule } from '../../types';
-import { FieldValueQueryBar } from '../../../../../components/rules/query_bar';
 import { fillEmptySeverityMappings } from '../../helpers';
 
-export const mockQueryBar: FieldValueQueryBar = {
+export const mockQueryBar: DefineStepRule['queryBar'] = {
   query: {
     query: 'test query',
     language: 'kuery',
@@ -38,6 +37,7 @@ export const mockQueryBar: FieldValueQueryBar = {
     },
   ],
   saved_id: 'test123',
+  edited: false,
 };
 
 export const mockRule = (id: string): Rule => ({

diff --git a/...plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.test.tsx b/...plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.test.tsx
@@ -54,6 +54,7 @@ describe('rule helpers', () => {
             query: 'user.name: root or user.name: admin',
             language: 'kuery',
           },
+          edited: false,
           filters: [
             {
               $state: {
@@ -220,6 +221,7 @@ describe('rule helpers', () => {
             query: '',
             language: 'kuery',
           },
+          edited: false,
           filters: [],
           saved_id: "Garrett's IP",
         },
@@ -262,6 +264,7 @@ describe('rule helpers', () => {
             query: '',
             language: 'kuery',
           },
+          edited: false,
           filters: [],
           saved_id: undefined,
         },

diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.tsx
@@ -92,6 +92,7 @@ export const getDefineStepsData = (rule: Rule): DefineStepRule => ({
     query: { query: rule.query ?? '', language: rule.language ?? '' },
     filters: (rule.filters ?? []) as Filter[],
     saved_id: rule.saved_id,
+    edited: false,
   },
   timeline: {
     id: rule.timeline_id ?? null,

diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts
@@ -124,7 +124,7 @@ export interface DefineStepRule {
   anomalyThreshold: number;
   index: string[];
   machineLearningJobId: string;
-  queryBar: FieldValueQueryBar;
+  queryBar: FieldValueQueryBar & { edited: boolean };
   ruleType: Type;
   timeline: FieldValueTimeline;
   threshold: FieldValueThreshold;