[Rules migration] Improvements & fixes (elastic#206285)

## Summary [Internal link](elastic/security-team#10820) to the feature details This PR includes next improvements and fixes ### Improvements 1. Update copies across SIEM migrations feature 2. Add technical preview icon 3. Rename "Dismiss" to "Close" button within the flyout 4. Add simplified version of the ES|QL editor ### Fixes 1. Disable Overview tab for untranslated rules 2. Use "code block" instead of "markdown" to display queries 3. Show "Install and enable" button for translations that matched elastic prebuilt rules only 4. Allow user to open installed rule details in a separate tab > [!NOTE] > This feature needs `siemMigrationsEnabled` experimental flag enabled to work. --------- Co-authored-by: kibanamachine <[email protected]>
e40pud · Jan 14, 2025 · 3a95bec · 3a95bec
1 parent c964c58
commit 3a95bec
Show file tree

Hide file tree

Showing 28 changed files with 338 additions and 146 deletions.
diff --git a/...ons/security/plugins/security_solution/common/siem_migrations/model/rule_migration.gen.ts b/...ons/security/plugins/security_solution/common/siem_migrations/model/rule_migration.gen.ts
@@ -342,10 +342,6 @@ export const UpdateRuleMigrationData = z.object({
    * The migrated elastic rule attributes to update.
    */
   elastic_rule: ElasticRulePartial.optional(),
-  /**
-   * The rule translation result.
-   */
-  translation_result: RuleMigrationTranslationResult.optional(),
   /**
    * The comments for the migration including a summary from the LLM in markdown.
    */

diff --git a/...ecurity/plugins/security_solution/common/siem_migrations/model/rule_migration.schema.yaml b/...ecurity/plugins/security_solution/common/siem_migrations/model/rule_migration.schema.yaml
@@ -313,9 +313,6 @@ components:
         elastic_rule:
           description: The migrated elastic rule attributes to update.
           $ref: '#/components/schemas/ElasticRulePartial'
-        translation_result:
-          description: The rule translation result.
-          $ref: '#/components/schemas/RuleMigrationTranslationResult'
         comments:
           description: The comments for the migration including a summary from the LLM in markdown.
           $ref: '#/components/schemas/RuleMigrationComments'

diff --git a/x-pack/solutions/security/plugins/security_solution/kibana.jsonc b/x-pack/solutions/security/plugins/security_solution/kibana.jsonc
@@ -88,7 +88,8 @@
       "usageCollection",
       "lists",
       "ml",
-      "unifiedSearch"
+      "unifiedSearch",
+      "esql"
     ],
     "extraPublicDirs": [
       "common"

diff --git a/x-pack/solutions/security/plugins/security_solution/public/app/translations.ts b/x-pack/solutions/security/plugins/security_solution/public/app/translations.ts
@@ -104,7 +104,7 @@ export const EXCEPTIONS = i18n.translate('xpack.securitySolution.navigation.exce
 export const SIEM_MIGRATIONS_RULES = i18n.translate(
   'xpack.securitySolution.navigation.siemMigrationsRules',
   {
-    defaultMessage: 'SIEM Rules Migrations',
+    defaultMessage: 'SIEM Rule Migrations',
   }
 );
 

diff --git a/x-pack/solutions/security/plugins/security_solution/public/siem_migrations/links.ts b/x-pack/solutions/security/plugins/security_solution/public/siem_migrations/links.ts
@@ -19,7 +19,7 @@ export const siemMigrationsLinks: LinkItem = {
   id: SecurityPageName.siemMigrationsRules,
   title: SIEM_MIGRATIONS_RULES,
   description: i18n.translate('xpack.securitySolution.appLinks.siemMigrationsRulesDescription', {
-    defaultMessage: 'SIEM Rules Migrations.',
+    defaultMessage: 'SIEM Rule Migrations.',
   }),
   landingIcon: SiemMigrationsIcon,
   path: SIEM_MIGRATIONS_RULES_PATH,
@@ -28,8 +28,9 @@ export const siemMigrationsLinks: LinkItem = {
   hideTimeline: true,
   globalSearchKeywords: [
     i18n.translate('xpack.securitySolution.appLinks.siemMigrationsRules', {
-      defaultMessage: 'SIEM Rules Migrations',
+      defaultMessage: 'SIEM Rule Migrations',
     }),
   ],
   experimentalKey: 'siemMigrationsEnabled',
+  isBeta: true,
 };
diff --git a/...lugins/security_solution/public/siem_migrations/rules/components/header_buttons/index.tsx b/...lugins/security_solution/public/siem_migrations/rules/components/header_buttons/index.tsx
@@ -8,7 +8,7 @@
 import React, { useMemo } from 'react';
 
 import type { EuiComboBoxOptionOption } from '@elastic/eui';
-import { EuiComboBox, EuiFlexGroup, EuiFlexItem } from '@elastic/eui';
+import { EuiComboBox, EuiFlexGroup, EuiFlexItem, EuiSpacer, EuiTitle } from '@elastic/eui';
 import * as i18n from './translations';
 import type { RuleMigrationStats } from '../../types';
 
@@ -67,6 +67,10 @@ export const HeaderButtons: React.FC<HeaderButtonsProps> = React.memo(
     return (
       <EuiFlexGroup alignItems="center" gutterSize="s" responsive={false} wrap={true}>
         <EuiFlexItem grow={false}>
+          <EuiTitle size="xxxs">
+            <h6>{i18n.SIEM_MIGRATIONS_OPTION_TITLE}</h6>
+          </EuiTitle>
+          <EuiSpacer size="xs" />
           <EuiComboBox
             aria-label={i18n.SIEM_MIGRATIONS_OPTION_AREAL_LABEL}
             onChange={onChange}

diff --git a/.../security_solution/public/siem_migrations/rules/components/header_buttons/translations.ts b/.../security_solution/public/siem_migrations/rules/components/header_buttons/translations.ts
@@ -7,6 +7,13 @@
 
 import { i18n } from '@kbn/i18n';
 
+export const SIEM_MIGRATIONS_OPTION_TITLE = i18n.translate(
+  'xpack.securitySolution.siemMigrations.rules.selectionOption.title',
+  {
+    defaultMessage: 'Migrations',
+  }
+);
+
 export const SIEM_MIGRATIONS_OPTION_AREAL_LABEL = i18n.translate(
   'xpack.securitySolution.siemMigrations.rules.selectionOption.arealLabel',
   {

diff --git a/...s/security_solution/public/siem_migrations/rules/components/rule_details_flyout/index.tsx b/...s/security_solution/public/siem_migrations/rules/components/rule_details_flyout/index.tsx
@@ -27,6 +27,7 @@ import {
 } from '@elastic/eui';
 import type { EuiTabbedContentTab, EuiTabbedContentProps, EuiFlyoutProps } from '@elastic/eui';
 
+import { RuleTranslationResult } from '../../../../../common/siem_migrations/constants';
 import type { RuleMigration } from '../../../../../common/siem_migrations/model/rule_migration.gen';
 import { useAppToasts } from '../../../../common/hooks/use_app_toasts';
 import {
@@ -111,6 +112,7 @@ export const MigrationRuleDetailsFlyout: React.FC<MigrationRuleDetailsFlyoutProp
               elastic_rule: {
                 title: ruleName,
                 query: ruleQuery,
+                query_language: 'esql',
               },
             },
           ]);
@@ -170,8 +172,15 @@ export const MigrationRuleDetailsFlyout: React.FC<MigrationRuleDetailsFlyoutProp
             )}
           </TabContentPadding>
         ),
+        disabled: ruleMigration.translation_result === RuleTranslationResult.UNTRANSLATABLE,
       }),
-      [ruleDetailsToOverview, size, expandedOverviewSections, toggleOverviewSection]
+      [
+        ruleDetailsToOverview,
+        size,
+        expandedOverviewSections,
+        toggleOverviewSection,
+        ruleMigration.translation_result,
+      ]
     );
 
     const summaryTab: EuiTabbedContentTab = useMemo(
@@ -255,7 +264,7 @@ export const MigrationRuleDetailsFlyout: React.FC<MigrationRuleDetailsFlyoutProp
           <EuiFlexGroup justifyContent="spaceBetween">
             <EuiFlexItem grow={false}>
               <EuiButtonEmpty onClick={closeFlyout} flush="left">
-                {i18n.DISMISS_BUTTON_LABEL}
+                {i18n.CLOSE_BUTTON_LABEL}
               </EuiButtonEmpty>
             </EuiFlexItem>
             <EuiFlexItem grow={false}>{ruleActions}</EuiFlexItem>

diff --git a/...rations/rules/components/rule_details_flyout/tabs/translation/esql_editor/esql_editor.tsx b/...rations/rules/components/rule_details_flyout/tabs/translation/esql_editor/esql_editor.tsx
@@ -0,0 +1,35 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React, { useMemo } from 'react';
+import type { FieldValueQueryBar } from '../../../../../../../detection_engine/rule_creation_ui/components/query_bar_field';
+import { UseField } from '../../../../../../../shared_imports';
+import { EsqlEditorField } from './esql_editor_field';
+import type { RuleTranslationSchema } from '../types';
+
+interface EsqlEditorFieldProps {
+  path: string;
+}
+
+export const EsqlEditor: React.FC<EsqlEditorFieldProps> = React.memo(({ path }) => {
+  const componentProps = useMemo(
+    () => ({
+      idAria: 'ruleEsqlQueryBar',
+      dataTestSubj: 'ruleEsqlQueryBar',
+    }),
+    []
+  );
+
+  return (
+    <UseField<FieldValueQueryBar, RuleTranslationSchema>
+      path={path}
+      component={EsqlEditorField}
+      componentProps={componentProps}
+    />
+  );
+});
+EsqlEditor.displayName = 'EsqlEditor';
diff --git a/...s/rules/components/rule_details_flyout/tabs/translation/esql_editor/esql_editor_field.tsx b/...s/rules/components/rule_details_flyout/tabs/translation/esql_editor/esql_editor_field.tsx
@@ -0,0 +1,67 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React, { useCallback } from 'react';
+import deepEqual from 'fast-deep-equal';
+import { EuiFormRow } from '@elastic/eui';
+import { ESQLLangEditor } from '@kbn/esql/public';
+import type { AggregateQuery } from '@kbn/es-query';
+import { convertToQueryType } from '../../../../../../../common/components/query_bar/convert_to_query_type';
+import type { FieldValueQueryBar } from '../../../../../../../detection_engine/rule_creation_ui/components/query_bar_field';
+import type { FieldHook } from '../../../../../../../shared_imports';
+
+interface EsqlEditorFieldProps {
+  field: FieldHook<FieldValueQueryBar>;
+  idAria?: string;
+  dataTestSubj: string;
+}
+
+export const EsqlEditorField: React.FC<EsqlEditorFieldProps> = React.memo(
+  ({ field, idAria, dataTestSubj }) => {
+    const { value: fieldValue, setValue: setFieldValue } = field;
+
+    const onQueryChange = useCallback(
+      (newQuery: AggregateQuery) => {
+        const { query } = fieldValue;
+        if (!deepEqual(query, newQuery)) {
+          const esqlQuery = convertToQueryType(newQuery);
+          setFieldValue({ ...fieldValue, query: esqlQuery });
+        }
+      },
+      [fieldValue, setFieldValue]
+    );
+
+    const onQuerySubmit = useCallback(
+      async (newQuery?: AggregateQuery) => {
+        if (newQuery) {
+          onQueryChange(newQuery);
+        }
+      },
+      [onQueryChange]
+    );
+
+    return (
+      <EuiFormRow
+        fullWidth
+        data-test-subj={dataTestSubj}
+        describedByIds={idAria ? [idAria] : undefined}
+      >
+        <ESQLLangEditor
+          query={{ esql: fieldValue.query.query as string }}
+          onTextLangQueryChange={onQueryChange}
+          onTextLangQuerySubmit={onQuerySubmit}
+          hideRunQueryText={true}
+          disableSubmitAction={true}
+          hideTimeFilterInfo={true}
+          hideQueryHistory={true}
+          hasOutline={true}
+        />
+      </EuiFormRow>
+    );
+  }
+);
+EsqlEditorField.displayName = 'EsqlEditorField';
diff --git a/...m_migrations/rules/pages/translations.tsx → ...ut/tabs/translation/esql_editor/index.tsx b/...m_migrations/rules/pages/translations.tsx → ...ut/tabs/translation/esql_editor/index.tsx
@@ -5,8 +5,4 @@
  * 2.0.
  */
 
-import { i18n } from '@kbn/i18n';
-
-export const PAGE_TITLE = i18n.translate('xpack.securitySolution.siemMigrations.rules.pageTitle', {
-  defaultMessage: 'Translated rules',
-});
+export * from './esql_editor';
diff --git a/...on/public/siem_migrations/rules/components/rule_details_flyout/tabs/translation/index.tsx b/...on/public/siem_migrations/rules/components/rule_details_flyout/tabs/translation/index.tsx
@@ -42,15 +42,36 @@ export const TranslationTab: React.FC<TranslationTabProps> = React.memo(
     const isInstalled = !!ruleMigration.elastic_rule?.id;
     const canEdit = !matchedPrebuiltRule && !isInstalled;
 
-    const ruleName = matchedPrebuiltRule?.name ?? ruleMigration.elastic_rule?.title;
-    const originalQuery = ruleMigration.original_rule.query;
-    const elasticQuery = useMemo(() => {
-      let query = ruleMigration.elastic_rule?.query;
+    const originalRuleQueryComponent = useMemo(() => {
+      return (
+        <MigrationRuleQuery
+          title={i18n.SPLUNK_QUERY_TITLE}
+          ruleName={ruleMigration.original_rule.title}
+          query={ruleMigration.original_rule.query}
+          queryLanguage={ruleMigration.original_rule.query_language}
+          canEdit={false}
+        />
+      );
+    }, [ruleMigration]);
+
+    const translatedRuleQueryComponent = useMemo(() => {
+      let translatedQuery = ruleMigration.elastic_rule?.query ?? '';
+      let translatedQueryLanguage = ruleMigration.elastic_rule?.query_language ?? '';
       if (matchedPrebuiltRule && matchedPrebuiltRule.type !== 'machine_learning') {
-        query = matchedPrebuiltRule.query;
+        translatedQuery = matchedPrebuiltRule.query ?? '';
+        translatedQueryLanguage = matchedPrebuiltRule.language;
       }
-      return query ?? '';
-    }, [matchedPrebuiltRule, ruleMigration.elastic_rule?.query]);
+      return (
+        <MigrationRuleQuery
+          title={i18n.ESQL_TRANSLATION_TITLE}
+          ruleName={matchedPrebuiltRule?.name ?? ruleMigration.elastic_rule?.title}
+          query={translatedQuery}
+          queryLanguage={translatedQueryLanguage}
+          canEdit={canEdit}
+          onTranslationUpdate={onTranslationUpdate}
+        />
+      );
+    }, [canEdit, matchedPrebuiltRule, onTranslationUpdate, ruleMigration]);
 
     return (
       <>
@@ -96,30 +117,15 @@ export const TranslationTab: React.FC<TranslationTabProps> = React.memo(
               </EuiSplitPanel.Inner>
               <EuiSplitPanel.Inner grow>
                 <EuiFlexGroup gutterSize="s" alignItems="flexStart">
-                  <EuiFlexItem grow={1}>
-                    <MigrationRuleQuery
-                      title={i18n.SPLUNK_QUERY_TITLE}
-                      ruleName={ruleMigration.original_rule.title}
-                      query={originalQuery}
-                      canEdit={false}
-                    />
-                  </EuiFlexItem>
+                  <EuiFlexItem grow={1}>{originalRuleQueryComponent}</EuiFlexItem>
                   <EuiFlexItem
                     grow={0}
                     css={css`
                       align-self: stretch;
                       border-right: ${euiTheme.border.thin};
                     `}
                   />
-                  <EuiFlexItem grow={1}>
-                    <MigrationRuleQuery
-                      title={i18n.ESQL_TRANSLATION_TITLE}
-                      ruleName={ruleName}
-                      query={elasticQuery}
-                      canEdit={canEdit}
-                      onTranslationUpdate={onTranslationUpdate}
-                    />
-                  </EuiFlexItem>
+                  <EuiFlexItem grow={1}>{translatedRuleQueryComponent}</EuiFlexItem>
                 </EuiFlexGroup>
               </EuiSplitPanel.Inner>
             </EuiSplitPanel.Outer>