[Security Solution] Create rule from timeline

x-pack/plugins/security_solution/cypress/e2e/detection_rules/custom_query_rule.cy.ts

@@ -102,6 +102,7 @@ import {
   goToActionsStepTab,
   goToScheduleStepTab,
   importSavedQuery,
+  removeAlertsIndex,
   waitForAlertsToPopulate,
   waitForTheRuleToBeExecuted,
 } from '../../tasks/create_new_rule';
@@ -133,6 +134,7 @@ describe('Custom query rules', () => {
 
       cy.log('Filling define section');
       importSavedQuery(this.timelineId);
+      removeAlertsIndex();
       continueWithNextSection();
 
       cy.log('Filling about section');
@@ -215,10 +217,7 @@ describe('Custom query rules', () => {
       cy.get(INVESTIGATION_NOTES_TOGGLE).click({ force: true });
       cy.get(ABOUT_INVESTIGATION_NOTES).should('have.text', INVESTIGATION_NOTES_MARKDOWN);
       cy.get(DEFINITION_DETAILS).within(() => {
-        getDetails(INDEX_PATTERNS_DETAILS).should(
-          'have.text',
-          ruleFields.defaultIndexPatterns.join('')
-        );
+        getDetails(INDEX_PATTERNS_DETAILS).should('have.text', 'auditbeat-*');
         getDetails(CUSTOM_QUERY_DETAILS).should('have.text', ruleFields.ruleQuery);
         getDetails(RULE_TYPE_DETAILS).should('have.text', 'Query');
         getDetails(TIMELINE_TEMPLATE_DETAILS).should('have.text', 'None');

x-pack/plugins/security_solution/cypress/e2e/detection_rules/new_terms_rule.cy.ts

@@ -7,7 +7,7 @@
 
 import { formatMitreAttackDescription } from '../../helpers/rules';
 import type { Mitre } from '../../objects/rule';
-import { getNewTermsRule, getIndexPatterns } from '../../objects/rule';
+import { getNewTermsRule } from '../../objects/rule';
 
 import { ALERT_DATA_GRID } from '../../screens/alerts';
 import {
@@ -128,7 +128,7 @@ describe('New Terms rules', () => {
       cy.get(INVESTIGATION_NOTES_TOGGLE).click({ force: true });
       cy.get(ABOUT_INVESTIGATION_NOTES).should('have.text', INVESTIGATION_NOTES_MARKDOWN);
       cy.get(DEFINITION_DETAILS).within(() => {
-        getDetails(INDEX_PATTERNS_DETAILS).should('have.text', getIndexPatterns().join(''));
+        getDetails(INDEX_PATTERNS_DETAILS).should('have.text', 'auditbeat-*');
         getDetails(CUSTOM_QUERY_DETAILS).should('have.text', this.rule.customQuery);
         getDetails(RULE_TYPE_DETAILS).should('have.text', 'New Terms');
         getDetails(TIMELINE_TEMPLATE_DETAILS).should('have.text', 'None');

x-pack/plugins/security_solution/cypress/e2e/detection_rules/override.cy.ts

@@ -7,7 +7,7 @@
 
 import { formatMitreAttackDescription } from '../../helpers/rules';
 import type { Mitre, OverrideRule } from '../../objects/rule';
-import { getIndexPatterns, getNewOverrideRule, getSeveritiesOverride } from '../../objects/rule';
+import { getNewOverrideRule, getSeveritiesOverride } from '../../objects/rule';
 import type { CompleteTimeline } from '../../objects/timeline';
 
 import { NUMBER_OF_ALERTS, ALERT_GRID_CELL } from '../../screens/alerts';
@@ -146,7 +146,7 @@ describe('Detection rules, override', () => {
     cy.get(INVESTIGATION_NOTES_TOGGLE).click({ force: true });
     cy.get(ABOUT_INVESTIGATION_NOTES).should('have.text', INVESTIGATION_NOTES_MARKDOWN);
     cy.get(DEFINITION_DETAILS).within(() => {
-      getDetails(INDEX_PATTERNS_DETAILS).should('have.text', getIndexPatterns().join(''));
+      getDetails(INDEX_PATTERNS_DETAILS).should('have.text', 'auditbeat-*');
       getDetails(CUSTOM_QUERY_DETAILS).should('have.text', this.rule.customQuery);
       getDetails(RULE_TYPE_DETAILS).should('have.text', 'Query');
       getDetails(TIMELINE_TEMPLATE_DETAILS).should('have.text', 'None');

x-pack/plugins/security_solution/cypress/e2e/detection_rules/threshold_rule.cy.ts

@@ -7,7 +7,7 @@
 
 import { formatMitreAttackDescription } from '../../helpers/rules';
 import type { Mitre } from '../../objects/rule';
-import { getIndexPatterns, getNewThresholdRule } from '../../objects/rule';
+import { getNewThresholdRule } from '../../objects/rule';
 
 import { ALERT_GRID_CELL, NUMBER_OF_ALERTS } from '../../screens/alerts';
 
@@ -124,7 +124,7 @@ describe('Detection rules, threshold', () => {
     cy.get(INVESTIGATION_NOTES_TOGGLE).click({ force: true });
     cy.get(ABOUT_INVESTIGATION_NOTES).should('have.text', INVESTIGATION_NOTES_MARKDOWN);
     cy.get(DEFINITION_DETAILS).within(() => {
-      getDetails(INDEX_PATTERNS_DETAILS).should('have.text', getIndexPatterns().join(''));
+      getDetails(INDEX_PATTERNS_DETAILS).should('have.text', 'auditbeat-*');
       getDetails(CUSTOM_QUERY_DETAILS).should('have.text', rule.customQuery);
       getDetails(RULE_TYPE_DETAILS).should('have.text', 'Threshold');
       getDetails(TIMELINE_TEMPLATE_DETAILS).should('have.text', 'None');

x-pack/plugins/security_solution/cypress/screens/create_new_rule.ts

@@ -228,3 +228,8 @@ export const savedQueryByName = (savedQueryName: string) =>
 
 export const APPLY_SELECTED_SAVED_QUERY_BUTTON =
   '[data-test-subj="saved-query-management-apply-changes-button"]';
+
+export const RULE_INDICES =
+  '[data-test-subj="detectionEngineStepDefineRuleIndices"] [data-test-subj="comboBoxInput"]';
+
+export const ALERTS_INDEX_BUTTON = 'span[title=".alerts-security.alerts-default"] button';

x-pack/plugins/security_solution/cypress/tasks/create_new_rule.ts

@@ -105,6 +105,8 @@ import {
   ACTIONS_THROTTLE_INPUT,
   CONTINUE_BUTTON,
   CREATE_WITHOUT_ENABLING_BTN,
+  RULE_INDICES,
+  ALERTS_INDEX_BUTTON,
 } from '../screens/create_new_rule';
 import {
   INDEX_SELECTOR,
@@ -344,13 +346,27 @@ const fillCustomQuery = (rule: CustomRule | OverrideRule) => {
     cy.get(IMPORT_QUERY_FROM_SAVED_TIMELINE_LINK).click();
     cy.get(TIMELINE(rule.timeline.id)).click();
     cy.get(CUSTOM_QUERY_INPUT).should('have.value', rule.customQuery);
+    if (rule.dataSource.type === 'indexPatterns') {
+      removeAlertsIndex();
+    }
   } else {
     cy.get(CUSTOM_QUERY_INPUT)
       .first()
       .type(rule.customQuery || '');
   }
 };
 
+// called after import rule from saved timeline
+// if alerts index is created, it is included in the timeline
+// to be consistent in multiple test runs, remove it if it's there
+export const removeAlertsIndex = () => {
+  cy.get(RULE_INDICES).then(($body) => {
+    if ($body.find(ALERTS_INDEX_BUTTON).length > 0) {
+      cy.get(ALERTS_INDEX_BUTTON).click();
+    }
+  });
+};
+
 export const continueWithNextSection = () => {
   cy.get(CONTINUE_BUTTON).should('exist').click();
 };
@@ -690,20 +706,3 @@ export const checkLoadQueryDynamically = () => {
 export const uncheckLoadQueryDynamically = () => {
   cy.get(LOAD_QUERY_DYNAMICALLY_CHECKBOX).click({ force: true }).should('not.be.checked');
 };
-
-export const defineSection = { importSavedQuery };
-export const aboutSection = {
-  fillRuleName,
-  fillDescription,
-  fillSeverity,
-  fillRiskScore,
-  fillRuleTags,
-  expandAdvancedSettings,
-  fillReferenceUrls,
-  fillFalsePositiveExamples,
-  fillThreat,
-  fillThreatTechnique,
-  fillThreatSubtechnique,
-  fillNote,
-};
-export const scheduleSection = { fillFrom };

x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/translations.ts

@@ -28,14 +28,6 @@ export const RULE_PREVIEW_TITLE = i18n.translate(
   }
 );
 
-export const RULE_PREVIEW_DESCRIPTION = i18n.translate(
-  'xpack.securitySolution.detectionEngine.createRule.rulePreviewDescription',
-  {
-    defaultMessage:
-      'Rule preview reflects the current configuration of your rule settings and exceptions, click refresh icon to see the updated preview.',
-  }
-);
-
 export const CANCEL_BUTTON_LABEL = i18n.translate(
   'xpack.securitySolution.detectionEngine.createRule.cancelButtonLabel',
   {

x-pack/plugins/security_solution/public/detections/components/rules/query_bar/index.test.tsx

@@ -6,7 +6,6 @@
  */
 
 import React from 'react';
-import { mount } from 'enzyme';
 
 import { QueryBarDefineRule } from '.';
 import {
@@ -16,7 +15,11 @@ import {
 } from '../../../../common/mock';
 import { useGetAllTimeline, getAllTimeline } from '../../../../timelines/containers/all';
 import { mockHistory, Router } from '../../../../common/mock/router';
+import { render, act, fireEvent } from '@testing-library/react';
+import { resolveTimeline } from '../../../../timelines/containers/api';
+import { mockTimeline } from '../../../../../server/lib/timeline/__mocks__/create_timelines';
 
+jest.mock('../../../../timelines/containers/api');
 jest.mock('../../../../common/lib/kibana', () => {
   const actual = jest.requireActual('../../../../common/lib/kibana');
   return {
@@ -48,68 +51,95 @@ jest.mock('../../../../timelines/containers/all', () => {
 
 describe('QueryBarDefineRule', () => {
   beforeEach(() => {
+    jest.clearAllMocks();
     (useGetAllTimeline as unknown as jest.Mock).mockReturnValue({
       fetchAllTimeline: jest.fn(),
       timelines: getAllTimeline('', mockOpenTimelineQueryResults.timeline ?? []),
       loading: false,
       totalCount: mockOpenTimelineQueryResults.totalCount,
       refetch: jest.fn(),
     });
+    (resolveTimeline as jest.Mock).mockResolvedValue({
+      data: {
+        timeline: { mockTimeline },
+      },
+    });
   });
 
   it('renders correctly', () => {
-    const Component = () => {
-      const field = useFormFieldMock();
+    const field = useFormFieldMock();
 
-      return (
-        <QueryBarDefineRule
-          browserFields={{}}
-          isLoading={false}
-          indexPattern={{ fields: [], title: 'title' }}
-          onCloseTimelineSearch={jest.fn()}
-          openTimelineSearch={true}
-          dataTestSubj="query-bar-define-rule"
-          idAria="idAria"
-          field={field}
-        />
-      );
-    };
-    const wrapper = mount(
+    const { getByTestId } = render(
       <TestProviders>
         <Router history={mockHistory}>
-          <Component />
+          <QueryBarDefineRule
+            browserFields={{}}
+            isLoading={false}
+            indexPattern={{ fields: [], title: 'title' }}
+            onCloseTimelineSearch={jest.fn()}
+            openTimelineSearch={true}
+            dataTestSubj="query-bar-define-rule"
+            idAria="idAria"
+            field={field}
+          />
         </Router>
       </TestProviders>
     );
-    expect(wrapper.find('[data-test-subj="query-bar-define-rule"]').exists()).toBeTruthy();
+    expect(getByTestId('query-bar-define-rule')).toBeInTheDocument();
   });
 
-  it('renders import query from saved timeline modal actions hidden correctly', () => {
-    const Component = () => {
+  it('renders import query from saved timeline modal actions hidden correctly', async () => {
+    await act(async () => {
       const field = useFormFieldMock();
 
-      return (
-        <QueryBarDefineRule
-          browserFields={{}}
-          isLoading={false}
-          indexPattern={{ fields: [], title: 'title' }}
-          onCloseTimelineSearch={jest.fn()}
-          openTimelineSearch={true}
-          dataTestSubj="query-bar-define-rule"
-          idAria="idAria"
-          field={field}
-        />
+      const { queryByTestId } = render(
+        <TestProviders>
+          <Router history={mockHistory}>
+            <QueryBarDefineRule
+              browserFields={{}}
+              isLoading={false}
+              indexPattern={{ fields: [], title: 'title' }}
+              onCloseTimelineSearch={jest.fn()}
+              openTimelineSearch={true}
+              dataTestSubj="query-bar-define-rule"
+              idAria="idAria"
+              field={field}
+            />
+          </Router>
+        </TestProviders>
       );
-    };
-    const wrapper = mount(
+
+      expect(queryByTestId('open-duplicate')).not.toBeInTheDocument();
+      expect(queryByTestId('create-from-template')).not.toBeInTheDocument();
+    });
+  });
+
+  it('calls onOpenTimeline correctly', async () => {
+    const field = useFormFieldMock();
+    const onOpenTimeline = jest.fn();
+
+    const { getByTestId } = render(
       <TestProviders>
         <Router history={mockHistory}>
-          <Component />
+          <QueryBarDefineRule
+            browserFields={{}}
+            isLoading={false}
+            indexPattern={{ fields: [], title: 'title' }}
+            onCloseTimelineSearch={jest.fn()}
+            openTimelineSearch={true}
+            dataTestSubj="query-bar-define-rule"
+            idAria="idAria"
+            field={field}
+            onOpenTimeline={onOpenTimeline}
+          />
         </Router>
       </TestProviders>
     );
+    getByTestId('open-timeline-modal').click();
 
-    expect(wrapper.find('[data-test-subj="open-duplicate"]').exists()).toBeFalsy();
-    expect(wrapper.find('[data-test-subj="create-from-template"]').exists()).toBeFalsy();
+    await act(async () => {
+      fireEvent.click(getByTestId('title-10849df0-7b44-11e9-a608-ab3d811609'));
+    });
+    expect(onOpenTimeline).toHaveBeenCalled();
   });
 });

x-pack/plugins/security_solution/public/detections/components/rules/query_bar/index.tsx

@@ -17,9 +17,6 @@ import type { BrowserFields } from '../../../../common/containers/source';
 import { OpenTimelineModal } from '../../../../timelines/components/open_timeline/open_timeline_modal';
 import type { ActionTimelineToShow } from '../../../../timelines/components/open_timeline/types';
 import { QueryBar } from '../../../../common/components/query_bar';
-import { buildGlobalQuery } from '../../../../timelines/components/timeline/helpers';
-import { getDataProviderFilter } from '../../../../timelines/components/timeline/query_bar';
-import { convertKueryToElasticSearchQuery } from '../../../../common/lib/kuery';
 import { useKibana } from '../../../../common/lib/kibana';
 import type { TimelineModel } from '../../../../timelines/store/timeline/model';
 import { useSavedQueryServices } from '../../../../common/utils/saved_query_services';
@@ -54,6 +51,7 @@ export interface QueryBarDefineRuleProps {
    */
   onSavedQueryError?: () => void;
   defaultSavedQuery?: SavedQuery | undefined;
+  onOpenTimeline?: (timeline: TimelineModel) => void;
 }
 
 const actionTimelineToHide: ActionTimelineToShow[] = ['duplicate', 'createFrom'];
@@ -88,6 +86,7 @@ export const QueryBarDefineRule = ({
   onValidityChange,
   isDisabled,
   resetToSavedQuery,
+  onOpenTimeline,
   onSavedQueryError,
 }: QueryBarDefineRuleProps) => {
   const { value: fieldValue, setValue: setFieldValue } = field as FieldHook<FieldValueQueryBar>;
@@ -234,31 +233,12 @@ export const QueryBarDefineRule = ({
     onCloseTimelineSearch();
   }, [onCloseTimelineSearch]);
 
-  const onOpenTimeline = useCallback(
+  const onOpenTimelineCb = useCallback(
     (timeline: TimelineModel) => {
       setLoadingTimeline(false);
-      const newQuery = {
-        query: timeline.kqlQuery.filterQuery?.kuery?.expression ?? '',
-        language: timeline.kqlQuery.filterQuery?.kuery?.kind ?? 'kuery',
-      };
-      const dataProvidersDsl =
-        timeline.dataProviders != null && timeline.dataProviders.length > 0
-          ? convertKueryToElasticSearchQuery(
-              buildGlobalQuery(timeline.dataProviders, browserFields),
-              indexPattern
-            )
-          : '';
-      const newFilters = timeline.filters ?? [];
-      setFieldValue({
-        filters:
-          dataProvidersDsl !== ''
-            ? [...newFilters, getDataProviderFilter(dataProvidersDsl)]
-            : newFilters,
-        query: newQuery,
-        saved_id: null,
-      });
+      if (onOpenTimeline != null) onOpenTimeline(timeline);
     },
-    [browserFields, indexPattern, setFieldValue]
+    [onOpenTimeline]
   );
 
   const onMutation = () => {
@@ -324,7 +304,7 @@ export const QueryBarDefineRule = ({
           hideActions={actionTimelineToHide}
           modalTitle={i18n.IMPORT_TIMELINE_MODAL}
           onClose={onCloseTimelineModal}
-          onOpen={onOpenTimeline}
+          onOpen={onOpenTimelineCb}
         />
       ) : null}
     </>