[7.x] [Security Solution] [Detections] EQL Rule Creation (#76831) #77523
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Use existing predicate helper to avoid hardcoded strings * Render our field components with React.createElement Without this, we get some bad behaviors: * Cannot use React.memo'd components * Cannot switch between UseField components (causes a "change in the order of hooks" error from React) * WIP: EQL Rules can be created WIP because: they're probably not treated well in the UI, and they're certainly not going to execute properly, and there are no tests. * Add unit tests for changes to schema + helpers * Add unit tests for new EQL query input component It's mostly just a glorified textarea for now. * Add integration test for EQL Rule creation * Does not assert the query language, as that is not displayed on Rule Details * Does not exercise rule execution * Use predicate helper * Throw an error if an EQL Rule is executed This is to prevent undefined behavior until EQL execution is implemented. * Fix failing tests I changed the default value for the form field mock from an array to a string; this fixes the few tests that were relying on it being an array. * Audit our rule statements/switches I made a pass through our treatment of RuleType to verify that EQL rules would be treated appropriately. Since the default/fallthrough case is typically the Query rule, and since this rule has the same attributes/behavior as the new EQL rule, not much had to change here. I converted a few if statements to exhaustive switches where possible, and used predicate helpers in places where it was not. * Add tests around use of custom components with UseField There was an issue previously where memoized components would not work; these are primarily regression tests covering that use case. * Fix typo * Add keys to UseField to ensure unmount When swapping between the Custom Query and EQL rule types, we want to ensure that the corresponding input component coming from UseField fully unmounts and remounts with the new component. Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
💛 Build succeeded, but was flaky
Build metrics@kbn/optimizer bundle module count
async chunks size
page load bundle size
distributable file count
To update your PR or re-run it, just comment with: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backports the following commits to 7.x: