[CTI] Adds validation to Indicator index pattern (#105649) (#106177)

* [CTI] Adds validation to Indicator index pattern

x-pack/plugins/security_solution/public/common/components/threat_match/helpers.test.tsx

@@ -19,6 +19,7 @@ import {
   getFormattedEntries,
   getFormattedEntry,
   getUpdatedEntriesOnDelete,
+  customValidators,
 } from './helpers';
 import { ThreatMapEntry } from '@kbn/securitysolution-io-ts-alerting-types';
 
@@ -294,4 +295,19 @@ describe('Helpers', () => {
       expect(items).toEqual([{ entries: [entry] }]);
     });
   });
+
+  describe('customValidators.forbiddenField', () => {
+    const FORBIDDEN = '*';
+
+    test('it returns expected value when a forbidden value is passed in', () => {
+      expect(customValidators.forbiddenField('*', FORBIDDEN)).toEqual({
+        code: 'ERR_FIELD_FORMAT',
+        message: 'The index pattern cannot be *. Please choose a more specific index pattern.',
+      });
+    });
+
+    test('it returns undefined when a non-forbidden value is passed in', () => {
+      expect(customValidators.forbiddenField('.test-index', FORBIDDEN)).not.toBeDefined();
+    });
+  });
 });

x-pack/plugins/security_solution/public/common/components/threat_match/helpers.tsx

@@ -6,11 +6,14 @@
  */
 
 import uuid from 'uuid';
+import { i18n } from '@kbn/i18n';
 import { addIdToItem } from '@kbn/securitysolution-utils';
 import { ThreatMap, threatMap, ThreatMapping } from '@kbn/securitysolution-io-ts-alerting-types';
 
 import { IndexPattern, IFieldType } from '../../../../../../../src/plugins/data/common';
 import { Entry, FormattedEntry, ThreatMapEntries, EmptyEntry } from './types';
+import { ValidationFunc } from '../../../../../../../src/plugins/es_ui_shared/static/forms/hook_form_lib';
+import { ERROR_CODE } from '../../../../../../../src/plugins/es_ui_shared/static/forms/helpers/field_validators/types';
 
 /**
  * Formats the entry into one that is easily usable for the UI.
@@ -178,3 +181,36 @@ export const singleEntryThreat = (items: ThreatMapEntries[]): boolean => {
     items[0].entries[0].value === ''
   );
 };
+
+export const customValidators = {
+  forbiddenField: (
+    value: unknown,
+    forbiddenString: string
+  ): ReturnType<ValidationFunc<{}, ERROR_CODE>> => {
+    let match: boolean;
+
+    if (typeof value === 'string') {
+      match = value === forbiddenString;
+    } else if (Array.isArray(value)) {
+      match = !!value.find((item) => item === forbiddenString);
+    } else {
+      match = false;
+    }
+
+    if (match) {
+      return {
+        code: 'ERR_FIELD_FORMAT',
+        message: i18n.translate(
+          'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.threatMatchIndexForbiddenError',
+          {
+            defaultMessage:
+              'The index pattern cannot be { forbiddenString }. Please choose a more specific index pattern.',
+            values: {
+              forbiddenString,
+            },
+          }
+        ),
+      };
+    }
+  },
+};

x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/schema.tsx

@@ -13,6 +13,7 @@ import React from 'react';
 import {
   singleEntryThreat,
   containsInvalidItems,
+  customValidators,
 } from '../../../../common/components/threat_match/helpers';
 import { isThreatMatchRule, isThresholdRule } from '../../../../../common/detection_engine/utils';
 import { isMlRule } from '../../../../../common/machine_learning/helpers';
@@ -371,6 +372,19 @@ export const schema: FormSchema<DefineStepRule> = {
           )(...args);
         },
       },
+      {
+        validator: (
+          ...args: Parameters<ValidationFunc>
+        ): ReturnType<ValidationFunc<{}, ERROR_CODE>> | undefined => {
+          const [{ formData, value }] = args;
+          const needsValidation = isThreatMatchRule(formData.ruleType);
+          if (!needsValidation) {
+            return;
+          }
+
+          return customValidators.forbiddenField(value, '*');
+        },
+      },
     ],
   },
   threatMapping: {