[Security Solution] Switches remaining rule types to use new Rule Pre…

…view API (#116374)

x-pack/plugins/rule_registry/server/config.ts

@@ -32,4 +32,3 @@ export const config: PluginConfigDescriptor = {
 export type RuleRegistryPluginConfig = TypeOf<typeof config.schema>;
 
 export const INDEX_PREFIX = '.alerts' as const;
-export const INDEX_PREFIX_FOR_BACKING_INDICES = '.internal.alerts' as const;

x-pack/plugins/rule_registry/server/rule_data_client/rule_data_client.mock.ts

@@ -29,6 +29,7 @@ export const createRuleDataClientMock = (
     indexName,
     kibanaVersion: '7.16.0',
     isWriteEnabled: jest.fn(() => true),
+    indexNameWithNamespace: jest.fn((namespace: string) => indexName + namespace),
 
     // @ts-ignore 4.3.5 upgrade
     getReader: jest.fn((_options?: { namespace?: string }) => ({

x-pack/plugins/rule_registry/server/rule_data_client/rule_data_client.ts

@@ -54,6 +54,10 @@ export class RuleDataClient implements IRuleDataClient {
     return this.options.indexInfo.kibanaVersion;
   }
 
+  public indexNameWithNamespace(namespace: string): string {
+    return this.options.indexInfo.getPrimaryAlias(namespace);
+  }
+
   private get writeEnabled(): boolean {
     return this._isWriteEnabled;
   }

x-pack/plugins/rule_registry/server/rule_data_client/types.ts

@@ -14,6 +14,7 @@ import { TechnicalRuleDataFieldName } from '../../common/technical_rule_data_fie
 
 export interface IRuleDataClient {
   indexName: string;
+  indexNameWithNamespace(namespace: string): string;
   kibanaVersion: string;
   isWriteEnabled(): boolean;
   getReader(options?: { namespace?: string }): IRuleDataReader;

x-pack/plugins/rule_registry/server/rule_data_plugin_service/index_info.ts

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import { INDEX_PREFIX, INDEX_PREFIX_FOR_BACKING_INDICES } from '../config';
+import { INDEX_PREFIX } from '../config';
 import { IndexOptions } from './index_options';
 import { joinWithDash } from './utils';
 
@@ -23,16 +23,16 @@ interface ConstructorOptions {
 export class IndexInfo {
   constructor(options: ConstructorOptions) {
     const { indexOptions, kibanaVersion } = options;
-    const { registrationContext, dataset } = indexOptions;
+    const { registrationContext, dataset, additionalPrefix } = indexOptions;
 
     this.indexOptions = indexOptions;
     this.kibanaVersion = kibanaVersion;
-    this.baseName = joinWithDash(INDEX_PREFIX, `${registrationContext}.${dataset}`);
-    this.basePattern = joinWithDash(this.baseName, '*');
-    this.baseNameForBackingIndices = joinWithDash(
-      INDEX_PREFIX_FOR_BACKING_INDICES,
+    this.baseName = joinWithDash(
+      `${additionalPrefix ?? ''}${INDEX_PREFIX}`,
       `${registrationContext}.${dataset}`
     );
+    this.basePattern = joinWithDash(this.baseName, '*');
+    this.baseNameForBackingIndices = `.internal${this.baseName}`;
   }
 
   /**

x-pack/plugins/rule_registry/server/rule_data_plugin_service/index_options.ts

@@ -95,6 +95,17 @@ export interface IndexOptions {
    * @example '.siem-signals', undefined
    */
   secondaryAlias?: string;
+
+  /**
+   * Optional prefix name that will be prepended to indices in addition to
+   * primary dataset and context naming convention.
+   *
+   * Currently used only for creating a preview index for the purpose of
+   * previewing alerts from a rule. The documents are identical to alerts, but
+   * shouldn't exist on an alert index and shouldn't be queried together with
+   * real alerts in any way, because the rule that created them doesn't exist
+   */
+  additionalPrefix?: string;
 }
 
 /**

x-pack/plugins/security_solution/common/constants.ts

@@ -39,7 +39,7 @@ export const DEFAULT_APP_TIME_RANGE = 'securitySolution:timeDefaults' as const;
 export const DEFAULT_APP_REFRESH_INTERVAL = 'securitySolution:refreshIntervalDefaults' as const;
 export const DEFAULT_ALERTS_INDEX = '.alerts-security.alerts' as const;
 export const DEFAULT_SIGNALS_INDEX = '.siem-signals' as const;
-export const DEFAULT_PREVIEW_INDEX = '.siem-preview-signals' as const;
+export const DEFAULT_PREVIEW_INDEX = '.preview.alerts-security.alerts' as const;
 export const DEFAULT_LISTS_INDEX = '.lists' as const;
 export const DEFAULT_ITEMS_INDEX = '.items' as const;
 // The DEFAULT_MAX_SIGNALS value exists also in `x-pack/plugins/cases/common/constants.ts`
@@ -256,8 +256,6 @@ export const DETECTION_ENGINE_PREPACKAGED_RULES_STATUS_URL =
 export const DETECTION_ENGINE_RULES_BULK_ACTION =
   `${DETECTION_ENGINE_RULES_URL}/_bulk_action` as const;
 export const DETECTION_ENGINE_RULES_PREVIEW = `${DETECTION_ENGINE_RULES_URL}/preview` as const;
-export const DETECTION_ENGINE_RULES_PREVIEW_INDEX_URL =
-  `${DETECTION_ENGINE_RULES_PREVIEW}/index` as const;
 
 /**
  * Internal detection engine routes

x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/use_preview_index.tsx → x-pack/plugins/security_solution/common/detection_engine/constants.ts

@@ -5,11 +5,9 @@
  * 2.0.
  */
 
-import { useEffect } from 'react';
-import { createPreviewIndex } from './api';
-
-export const usePreviewIndex = () => {
-  useEffect(() => {
-    createPreviewIndex();
-  }, []);
-};
+export enum RULE_PREVIEW_INVOCATION_COUNT {
+  HOUR = 20,
+  DAY = 24,
+  WEEK = 168,
+  MONTH = 30,
+}

x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts

@@ -370,6 +370,7 @@ export const previewRulesSchema = t.intersection([
   createTypeSpecific,
   t.type({ invocationCount: t.number }),
 ]);
+export type PreviewRulesSchema = t.TypeOf<typeof previewRulesSchema>;
 
 type UpdateSchema<T> = SharedUpdateSchema & T;
 export type EqlUpdateSchema = UpdateSchema<t.TypeOf<typeof eqlCreateParams>>;

x-pack/plugins/security_solution/cypress/integration/detection_rules/threshold_rule.spec.ts

@@ -174,7 +174,7 @@ describe('Detection rules, threshold', () => {
     cy.get(ALERT_GRID_CELL).contains(rule.name);
   });
 
-  it('Preview results of keyword using "host.name"', () => {
+  it.skip('Preview results of keyword using "host.name"', () => {
     rule.index = [...rule.index, '.siem-signals*'];
 
     createCustomRuleActivated(getNewRule());
@@ -188,7 +188,7 @@ describe('Detection rules, threshold', () => {
     cy.get(PREVIEW_HEADER_SUBTITLE).should('have.text', '3 unique hits');
   });
 
-  it('Preview results of "ip" using "source.ip"', () => {
+  it.skip('Preview results of "ip" using "source.ip"', () => {
     const previewRule: ThresholdRule = {
       ...rule,
       thresholdField: 'source.ip',

x-pack/plugins/security_solution/cypress/screens/create_new_rule.ts

@@ -104,9 +104,9 @@ export const DEFINE_INDEX_INPUT =
 
 export const EQL_TYPE = '[data-test-subj="eqlRuleType"]';
 
-export const EQL_QUERY_INPUT = '[data-test-subj="eqlQueryBarTextInput"]';
+export const PREVIEW_HISTOGRAM = '[data-test-subj="preview-histogram-panel"]';
 
-export const EQL_QUERY_PREVIEW_HISTOGRAM = '[data-test-subj="queryPreviewEqlHistogram"]';
+export const EQL_QUERY_INPUT = '[data-test-subj="eqlQueryBarTextInput"]';
 
 export const EQL_QUERY_VALIDATION_SPINNER = '[data-test-subj="eql-validation-loading"]';
 
@@ -170,7 +170,7 @@ export const RISK_OVERRIDE =
 
 export const RULES_CREATION_FORM = '[data-test-subj="stepDefineRule"]';
 
-export const RULES_CREATION_PREVIEW = '[data-test-subj="ruleCreationQueryPreview"]';
+export const RULES_CREATION_PREVIEW = '[data-test-subj="rule-preview"]';
 
 export const RULE_DESCRIPTION_INPUT =
   '[data-test-subj="detectionEngineStepAboutRuleDescription"] [data-test-subj="input"]';

x-pack/plugins/security_solution/cypress/tasks/create_new_rule.ts

@@ -33,7 +33,6 @@ import {
   DEFAULT_RISK_SCORE_INPUT,
   DEFINE_CONTINUE_BUTTON,
   EQL_QUERY_INPUT,
-  EQL_QUERY_PREVIEW_HISTOGRAM,
   EQL_QUERY_VALIDATION_SPINNER,
   EQL_TYPE,
   FALSE_POSITIVES_INPUT,
@@ -92,6 +91,7 @@ import {
   EMAIL_CONNECTOR_USER_INPUT,
   EMAIL_CONNECTOR_PASSWORD_INPUT,
   EMAIL_CONNECTOR_SERVICE_SELECTOR,
+  PREVIEW_HISTOGRAM,
 } from '../screens/create_new_rule';
 import { TOAST_ERROR } from '../screens/shared';
 import { SERVER_SIDE_EVENT_COUNT } from '../screens/timeline';
@@ -324,12 +324,12 @@ export const fillDefineEqlRuleAndContinue = (rule: CustomRule) => {
     .find(QUERY_PREVIEW_BUTTON)
     .should('not.be.disabled')
     .click({ force: true });
-  cy.get(EQL_QUERY_PREVIEW_HISTOGRAM)
+  cy.get(PREVIEW_HISTOGRAM)
     .invoke('text')
     .then((text) => {
       if (text !== 'Hits') {
         cy.get(RULES_CREATION_PREVIEW).find(QUERY_PREVIEW_BUTTON).click({ force: true });
-        cy.get(EQL_QUERY_PREVIEW_HISTOGRAM).should('contain.text', 'Hits');
+        cy.get(PREVIEW_HISTOGRAM).should('contain.text', 'Hits');
       }
     });
   cy.get(TOAST_ERROR).should('not.exist');

x-pack/plugins/security_solution/public/common/components/matrix_histogram/types.ts

@@ -15,7 +15,7 @@ import { MatrixHistogramType } from '../../../../common/search_strategy/security
 import { UpdateDateRange } from '../charts/common';
 import { GlobalTimeArgs } from '../../containers/use_global_time';
 import { DocValueFields } from '../../../../common/search_strategy';
-import { Threshold } from '../../../detections/components/rules/query_preview';
+import { FieldValueThreshold } from '../../../detections/components/rules/threshold_input';
 
 export type MatrixHistogramMappingTypes = Record<
   string,
@@ -77,7 +77,7 @@ export interface MatrixHistogramQueryProps {
   stackByField: string;
   startDate: string;
   histogramType: MatrixHistogramType;
-  threshold?: Threshold;
+  threshold?: FieldValueThreshold;
   skip?: boolean;
   isPtrIncluded?: boolean;
   includeMissingData?: boolean;