diff --git a/packages/kbn-doc-links/src/get_doc_links.ts b/packages/kbn-doc-links/src/get_doc_links.ts
index 1f668ce162728..b8d46bad40cc4 100644
--- a/packages/kbn-doc-links/src/get_doc_links.ts
+++ b/packages/kbn-doc-links/src/get_doc_links.ts
@@ -457,6 +457,7 @@ export const getDocLinks = ({ kibanaBranch }: GetDocLinkOptions): DocLinks => {
       },
       privileges: `${SECURITY_SOLUTION_DOCS}endpoint-management-req.html`,
       manageDetectionRules: `${SECURITY_SOLUTION_DOCS}rules-ui-management.html`,
+      createEsqlRuleType: `${SECURITY_SOLUTION_DOCS}rules-ui-create.html#create-esql-rule`,
     },
     query: {
       eql: `${ELASTICSEARCH_DOCS}eql.html`,
@@ -856,9 +857,6 @@ export const getDocLinks = ({ kibanaBranch }: GetDocLinkOptions): DocLinks => {
     synthetics: {
       featureRoles: `${ELASTIC_WEBSITE_URL}guide/en/observability/${DOC_LINK_VERSION}/synthetics-feature-roles.html`,
     },
-    esql: {
-      statsBy: `${ELASTICSEARCH_DOCS}esql.html`,
-    },
     telemetry: {
       settings: `${KIBANA_DOCS}telemetry-settings-kbn.html`,
     },
diff --git a/packages/kbn-doc-links/src/types.ts b/packages/kbn-doc-links/src/types.ts
index 555167bf8574e..adc7f13c6c612 100644
--- a/packages/kbn-doc-links/src/types.ts
+++ b/packages/kbn-doc-links/src/types.ts
@@ -348,6 +348,7 @@ export interface DocLinks {
     };
     readonly privileges: string;
     readonly manageDetectionRules: string;
+    readonly createEsqlRuleType: string;
   };
   readonly query: {
     readonly eql: string;
@@ -613,9 +614,6 @@ export interface DocLinks {
   readonly synthetics: {
     readonly featureRoles: string;
   };
-  readonly esql: {
-    readonly statsBy: string;
-  };
   readonly telemetry: {
     readonly settings: string;
   };
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/index.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/index.tsx
index 0130b8eed78b8..d0b4cee6752ad 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/index.tsx
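Review bot: Dropping the `esql` group from `DocLinks` in the second `types.ts` hunk is a breaking change to the shared `@kbn/doc-links` interface, and the only consumer this diff removes is `getTooltipContent` in the security-solution translations file; any other plugin still reading `docLinks.links.esql.statsBy` would fail type-check, so a repo-wide search for `links.esql` is worth confirming before merge. The new `createEsqlRuleType` value carries a hard-coded fragment, `#create-esql-rule`, which breaks silently (the page still loads, the anchor just scrolls nowhere) if the docs page renames its section; a short comment such as `// fragment must match the "Create an ES|QL rule" heading in rules-ui-create.html` next to the entry would tell the next maintainer what to keep in sync. The `getDocLinks` body extends well beyond both hunks.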
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/index.tsx @@ -6,16 +6,13 @@ */ import React from 'react'; -import { EuiPopover, EuiText, EuiButtonIcon } from '@elastic/eui'; -import { Markdown } from '@kbn/kibana-react-plugin/public'; +import { EuiPopover, EuiText, EuiButtonIcon, EuiLink } from '@elastic/eui'; +import { FormattedMessage } from '@kbn/i18n-react'; import * as i18n from './translations'; import { useBoolState } from '../../../../common/hooks/use_bool_state'; - import { useKibana } from '../../../../common/lib/kibana'; -const POPOVER_WIDTH = 640; - /** * Icon and popover that gives hint to users how to get started with ES|QL rules */ @@ -30,14 +27,20 @@ const EsqlInfoIconComponent = () => { return ( - - + + + + ), + }} /> diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/translations.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/translations.ts index db5f8ea86ce63..8729f7b0dd3bc 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/translations.ts +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/translations.ts 
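Review bot: The second hunk's JSX has lost its element tags in this rendering, so the `EuiLink` that replaces the former markdown link cannot be reviewed for its attributes; if it opens the docs in a new tab, rely on `EuiLink`'s `external` / `target="_blank"` handling (EUI applies a secure `rel` for you) rather than a raw `<a>`, and presumably the `href` comes from `docLinks.links.securitySolution.createEsqlRuleType` via the retained `useKibana` import — confirm that is the case. Removing `POPOVER_WIDTH` in the first hunk means the popover no longer has an explicit width, so check that the `EuiPopover` still constrains the `FormattedMessage` text (e.g. a `panelStyle` or `css` max-width) or a long translation will stretch the panel. The one-line JSDoc survives but does not say the popover now links out to the docs instead of showing the inline ES|QL examples; `/** Icon and popover that points users to the ES|QL rule docs (the inline query examples moved there) */` would record the behavior change. `EsqlInfoIconComponent`'s body starts and ends outside the visible hunk lines.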
@@ -13,39 +13,3 @@ export const ARIA_LABEL = i18n.translate(
     defaultMessage: `Open help popover`,
   }
 );
-
-export const getTooltipContent = (statsByLink: string, startUsingEsqlLink: string) =>
-  i18n.translate(
-    'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.esqlInfoTooltipContent',
-    {
-      defaultMessage: `
-### Aggregating rule
-Is a rule that uses {statsByLink} grouping commands. So, its result can not be matched with a particular document in ES.
-\`\`\`
-FROM logs*
-| STATS count = COUNT(host.name) BY host.name
-| SORT host.name
-\`\`\`
-
-
-### Non-aggregating rule
-Is a rule that does not use {statsByLink} grouping commands. Hence, each row in result can be tracked to a source document in ES. For this type of rule,
-please use operator \`[metadata _id, _index, _version]\` after defining index source. This would allow deduplicate alerts and link them with the source document.
-
-Example
-
-\`\`\`
-FROM logs* [metadata _id, _index, _version]
-| WHERE event.id == "test"
-| LIMIT 10
-\`\`\`
-
-Please, ensure, metadata properties \`id\`, \`_index\`, \`_version\` are carried over through pipe operators.
-      `,
-      values: {
-        statsByLink: `[STATS..BY](${statsByLink})`,
-        // Docs team will provide actual link to a new page before release
-        // startUsingEsqlLink: `[WIP: Get started using ES|QL rules](${startUsingEsqlLink})`,
-      },
-    }
-  );
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts
index e0bbcd45b1f1a..bbb00053cdfab 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts
@@ -23,6 +23,6 @@ export const esqlValidationErrorMessage = (message: string) =>
 export const ESQL_VALIDATION_MISSING_ID_IN_QUERY_ERROR = i18n.translate(
   'xpack.securitySolution.detectionEngine.esqlValidation.missingIdInQueryError',
   {
-    defaultMessage: `For non-aggregating rules(that don't use STATS..BY function), please write query that returns _id field from [metadata _id, _version, _index] operator`,
+    defaultMessage: `Queries that don’t use the STATS...BY function (non-aggregating queries) must include the [metadata _id, _version, _index] operator after the source command. For example: FROM logs* [metadata _id, _version, _index]. In addition, the metadata properties (_id, _version, and _index) must be returned in the query response.`,
   }
 );
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/translations.ts b/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/translations.ts
index cfd62ff3d57da..d8b61de136865 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/translations.ts
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/translations.ts
@@ -32,7 +32,8 @@ export const ESQL_TYPE_TITLE = i18n.translate(
 export const ESQL_TYPE_DESCRIPTION = i18n.translate(
   'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.ruleTypeField.esqlTypeDescription',
   {
-    defaultMessage: 'Use The Elasticsearch Query Language (ES|QL) to search or aggregate events',
+    defaultMessage:
+      'Use Elasticsearch Query Language (ES|QL) to find events and aggregate search results.',
   }
 );
 
diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_creation/esql_rule_ess.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_creation/esql_rule_ess.cy.ts
index 254deb99f3259..a22d24a9fd537 100644
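Review bot: The rewritten `ESQL_VALIDATION_MISSING_ID_IN_QUERY_ERROR` tells the user that `_id`, `_version` and `_index` must all be returned, yet the constant's name (and the old wording, which only mentioned `_id`) suggests the validator keys on `_id` alone; if that is still the case, a query that keeps `_id` but drops `_version` passes validation while the message claims otherwise, so either extend the check to all three metadata fields or narrow the copy to what is actually enforced — the validator itself is not in this diff, so confirm before changing either. The message also uses a typographic apostrophe in `don’t`, which is fine for i18n but means any test or log grep must avoid that substring (the cypress assertion below does). A comment above the constant, e.g. `// Shown when a non-aggregating ES|QL query lacks the metadata fields needed to dedupe alerts against source documents`, would explain why the wording is this prescriptive.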
--- a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_creation/esql_rule_ess.cy.ts
+++ b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_creation/esql_rule_ess.cy.ts
@@ -125,7 +125,7 @@ describe('Detection ES|QL rules, creation', { tags: ['@ess'] }, () => {
     getDefineContinueButton().click();
 
     cy.get(ESQL_QUERY_BAR).contains(
-      'write query that returns _id field from [metadata _id, _version, _index] operator'
+      'must include the [metadata _id, _version, _index] operator after the source command'
     );
   });
@@ -139,7 +139,7 @@ describe('Detection ES|QL rules, creation', { tags: ['@ess'] }, () => {
     getDefineContinueButton().click();
 
     cy.get(ESQL_QUERY_BAR).contains(
-      'write query that returns _id field from [metadata _id, _version, _index] operator'
+      'must include the [metadata _id, _version, _index] operator after the source command'
     );
   });
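Review bot: Both hunks hard-code a substring of the `ESQL_VALIDATION_MISSING_ID_IN_QUERY_ERROR` copy, which is exactly why this commit had to edit the test alongside the message and will have to again on the next wording change. If the cypress package can import from the plugin (other Kibana cypress suites do so via `@kbn/security-solution-plugin/...`), assert against the constant instead, `cy.get(ESQL_QUERY_BAR).contains(ESQL_VALIDATION_MISSING_ID_IN_QUERY_ERROR);` — `contains()` is a substring match, so the full string still passes and the test stays in lockstep with the UI. Failing that, hoist the literal into one shared `const MISSING_METADATA_ERROR = '...'` at the top of the spec so the two assertions cannot drift apart. The two `it` blocks and the enclosing `describe` start outside the visible hunk lines.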