
[Security Solution] Create rule from timeline #143020

Merged: 58 commits into elastic:main on Dec 8, 2022

Conversation


@stephmilovic stephmilovic commented Oct 10, 2022

  1. Introduces ability to create rule from timeline on the timelines page as shown in the gif below
  2. Fixes an unreported bug we had with the current "Import query from saved timeline" button. We only got the query from the timeline, not the index pattern or fields.
  3. Introduces a new hook to manage importing the timeline query, index pattern, and fields: useRuleFromTimeline

(gif: rft2)

Cypress

Tests that use the feature "Import query from saved timeline" now have a different index pattern. We now match exactly the index pattern to the timeline index pattern. So: getIndexPatterns().join('') becomes 'auditbeat-*'. Depending on whether any alerts have been generated yet, the timeline index pattern could also include .alerts-security.alerts-default. Added a method removeAlertsIndex to check whether the alerts index exists and remove it if it does, or it will break tests.

How to test

  1. Create the following index via dev tools:
PUT ho_ho_ho
{
  "mappings": {
    "properties": {
      "good.job": {
        "type": "keyword"
      },
      "@timestamp": {
        "type": "date"
      }
    }
  }
}

POST ho_ho_ho/_doc
{
  "@timestamp": "2022-12-05T06:26:09.015Z",
  "good": { "job": "yessir" }
}
  2. Create a Data View, ho_ho_ho
  3. Create 2 saved timelines. One that uses the security data view and queries host.name: *, the other one uses the ho_ho_ho data view and queries good.job: *.
  4. From the Timelines page, open the actions menu for the ho_ho_ho timeline and select "Create rule from timeline"
  5. Once redirected to the rules page, ensure the index pattern and query match. Then use the KQL bar to ensure it is auto suggesting the custom field
  6. Use the "Import query from saved timeline" button and select the other timeline with the security data view
  7. Ensure the index pattern and query match. Then use the KQL bar to ensure it is auto suggesting our standard ecs fields
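The description above names two things the feature has to carry over from a saved timeline (the query and the index pattern / data view, where the old import button only copied the query) and one test-side cleanup (dropping .alerts-security.alerts-default from the pattern list so the Cypress expectation is stable). The following is an added example in plain TypeScript, not Kibana's own code and not the useRuleFromTimeline hook: the SavedTimeline field names (dataViewId, indexNames, kqlQuery) and the data view id 'security-solution-default' are assumptions, and the two timelines are constructed from the "How to test" steps.

```typescript
// Added example, not Kibana's own code: a plain-TypeScript sketch of what the
// "create rule from timeline" path has to carry over (query, index patterns
// and data view, not just the query), plus the cleanup the PR's Cypress
// tests perform on the index list. Field names on the timeline are assumed.

interface SavedTimeline {
  id: string;
  title: string;
  dataViewId: string;      // assumed name for the timeline's data view id
  indexNames: string[];    // assumed name for the timeline's selected patterns
  kqlQuery: string;        // assumed name for the timeline's KQL query text
}

interface RuleDefineFields {
  query: string;
  index: string[];
  dataViewId: string;
}

// Default alerts index named in the PR description. It shows up in a
// timeline's pattern list only once alerts have been generated.
const DEFAULT_ALERTS_INDEX = '.alerts-security.alerts-default';

// Test-side cleanup: strip the alerts index if present so the expected
// pattern is the same whether or not alerts exist yet. Returns a new array.
function removeAlertsIndex(patterns: string[]): string[] {
  return patterns.filter((p) => p !== DEFAULT_ALERTS_INDEX);
}

// The fields the rule form needs from a timeline. Before this PR only
// `query` was imported; index patterns and data view were dropped.
function ruleFieldsFromTimeline(timeline: SavedTimeline): RuleDefineFields {
  return {
    query: timeline.kqlQuery,
    index: [...timeline.indexNames],
    dataViewId: timeline.dataViewId,
  };
}

// What the Cypress assertion compares: the joined pattern text after cleanup,
// i.e. getIndexPatterns().join('') from the description.
function expectedIndexText(patterns: string[]): string {
  return removeAlertsIndex(patterns).join('');
}

// Constructed sample data mirroring the two timelines in "How to test".
const sampleTimelines: SavedTimeline[] = [
  {
    id: 'tl-1',
    title: 'security hosts',
    dataViewId: 'security-solution-default', // assumed id
    indexNames: ['auditbeat-*', DEFAULT_ALERTS_INDEX],
    kqlQuery: 'host.name: *',
  },
  {
    id: 'tl-2',
    title: 'ho_ho_ho',
    dataViewId: 'ho_ho_ho',
    indexNames: ['ho_ho_ho'],
    kqlQuery: 'good.job: *',
  },
];
```

The cleanup is deliberately kept out of ruleFieldsFromTimeline: the rule keeps exactly the timeline's patterns, and only the test's expected value is normalised, which is the split the description implies.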

@stephmilovic (Contributor Author) commented:

@elasticmachine merge upstream

(timeline: TimelineModel) => {
setLoadingTimeline(false);
const newQuery = {
@stephmilovic (Contributor Author):

this logic gets moved to new hook, use_rule_from_timeline.tsx

@stephmilovic stephmilovic added release_note:enhancement Team:Threat Hunting Security Solution Threat Hunting Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Explore v8.7.0 labels Dec 5, 2022
@elasticmachine (Contributor):

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@elasticmachine (Contributor):

Pinging @elastic/security-solution (Team: SecuritySolution)

SourcererScopeName.timeline
);

const [ogDataView] = useState({ dataViewId, selectedPatterns });
Reviewer (Contributor):

why is this in useState if the update function is unused?

Reviewer (Contributor):

also consider renaming to just originalDataView or something

@stephmilovic (Contributor Author):

this way when dataViewId and selectedPatterns update, ogDataView will stay the original values. Do you know another way to do this?

Reviewer (Contributor):

good use case for useRef?

@stephmilovic (Contributor Author):

renamed it though

@stephmilovic (Contributor Author):

@jamster10 useRef's current property is mutable, but useState's state variable is not. The React team recommends, in the documentation for setState, treating state like an immutable variable.

useRef is meant to be mutable and useState is meant to be immutable. Either would work, but as I do not want these values to ever update I think useState without pulling in the update method is the correct implementation

@maximpn (Contributor) left a comment:

@stephmilovic rules area related changes look good. I left some non critical comments.

@@ -133,6 +134,7 @@ describe('Custom query rules', () => {

cy.log('Filling define section');
importSavedQuery(this.timelineId);
removeAlertsIndex();
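Review bot: the removeAlertsIndex() call added right after importSavedQuery(this.timelineId) carries no comment saying why the alerts index must be stripped here; per the PR description the timeline's index pattern only contains .alerts-security.alerts-default once alerts have been generated, so the call is environment dependent and a future reader of this test will not know that. Either add a one-line comment at the call site or move the removal inside importSavedQuery() so every caller gets the same expectation.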
@maximpn (Contributor):

Thanks for the explanation here. I worry that the information you shared here can be forgotten in the future, so it won't be so clear why the alerts index is cleared here. Is it possible to remove the alerts index inside importSavedQuery()? If not, I'd leave a short comment in the code.

@maximpn (Contributor) left a comment:

Rules Area LGTM

@kibana-ci (Collaborator):

💚 Build Succeeded

Metrics

Module Count

Fewer modules leads to a faster build time

id before after diff
securitySolution 3380 3381 +1

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 10.1MB 10.1MB +8.1KB
Unknown metric groups

ESLint disabled in files

id before after diff
osquery 1 2 +1

ESLint disabled line counts

id before after diff
enterpriseSearch 19 21 +2
fleet 59 65 +6
osquery 109 115 +6
securitySolution 445 451 +6
total +20

References to deprecated APIs

id before after diff
securitySolution 334 339 +5

Total ESLint disabled count

id before after diff
enterpriseSearch 20 22 +2
fleet 68 74 +6
osquery 110 117 +7
securitySolution 521 527 +6
total +21

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @stephmilovic

@kqualters-elastic (Contributor) left a comment:

Thanks for fixing the small nits, love this feature! Once upon an onweek I did something similar, for EQL only; could be cool to add that on top of this eventually. LGTM though 👍

@YulNaumenko (Contributor) left a comment:

LGTM! This is an awesome feature! 🎉

@marshallmain (Contributor) left a comment:

Alerts area changes LGTM

@stephmilovic stephmilovic merged commit 3a5c613 into elastic:main Dec 8, 2022
@kibanamachine kibanamachine added the backport:skip This commit does not require backporting label Dec 8, 2022
@gavinwye gavinwye self-requested a review December 14, 2022 15:30
@stephmilovic stephmilovic linked an issue Jan 10, 2023 that may be closed by this pull request
Labels: 8.7 candidate, backport:skip (This commit does not require backporting), release_note:enhancement, Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.), Team:Threat Hunting:Explore, Team:Threat Hunting (Security Solution Threat Hunting Team), UX Debt, v8.7.0

Linked issue (may be closed by this pull request): [Security Solution] Create rule from timeline