[Security Solution] Add history_window_start and new_terms_fields editable fields

x-pack/plugins/security_solution/public/common/components/ml/hooks/use_ml_rule_config.ts

@@ -5,16 +5,15 @@
  * 2.0.
  */
 
-import { useMemo } from 'react';
 import type { DataViewFieldBase } from '@kbn/es-query';
 import type { FieldSpec } from '@kbn/data-plugin/common';
 
-import { getTermsAggregationFields } from '../../../../detection_engine/rule_creation_ui/components/step_define_rule/utils';
 import { useRuleFields } from '../../../../detection_engine/rule_management/logic/use_rule_fields';
 import { useMlCapabilities } from './use_ml_capabilities';
 import { useMlRuleValidations } from './use_ml_rule_validations';
 import { hasMlAdminPermissions } from '../../../../../common/machine_learning/has_ml_admin_permissions';
 import { hasMlLicense } from '../../../../../common/machine_learning/has_ml_license';
+import { useTermsAggregationFields } from '../../../hooks/use_terms_aggregation_fields';
 
 export interface UseMlRuleConfigReturn {
   hasMlAdminPermissions: boolean;
@@ -45,10 +44,7 @@ export const useMLRuleConfig = ({
   const { loading: mlFieldsLoading, fields: mlFields } = useRuleFields({
     machineLearningJobId,
   });
-  const mlSuppressionFields = useMemo(
-    () => getTermsAggregationFields(mlFields as FieldSpec[]),
-    [mlFields]
-  );
+  const mlSuppressionFields = useTermsAggregationFields(mlFields);
 
   return {
     hasMlAdminPermissions: hasMlAdminPermissions(mlCapabilities),

x-pack/plugins/security_solution/public/common/constants.ts

@@ -18,3 +18,5 @@ export const RISK_SCORE_HIGH = 73;
 export const RISK_SCORE_CRITICAL = 99;
 
 export const ONBOARDING_VIDEO_SOURCE = '//play.vidyard.com/K6kKDBbP9SpXife9s2tHNP.html?';
+
+export const DEFAULT_HISTORY_WINDOW_SIZE = '7d';

x-pack/plugins/security_solution/public/common/hooks/use_terms_aggregation_fields.ts

@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { useMemo } from 'react';
+import type { FieldSpec } from '@kbn/data-views-plugin/common';
+import type { DataViewFieldBase } from '@kbn/es-query';
+import { getTermsAggregationFields } from '../../detection_engine/rule_creation_ui/components/step_define_rule/utils';
+
+export function useTermsAggregationFields(fields?: DataViewFieldBase[]) {
+  const termsAggregationFields = useMemo(
+    /**
+     * Typecasting to FieldSpec because fields is
+     * typed as DataViewFieldBase[] which does not have
+     * the 'aggregatable' property, however the type is incorrect
+     *
+     * fields does contain elements with the aggregatable property.
+     * We will need to determine where these types are defined and
+     * figure out where the discrepancy is.
+     */
+    () => getTermsAggregationFields((fields as FieldSpec[]) ?? []),
+    [fields]
+  );
+
+  return termsAggregationFields;
+}

x-pack/plugins/security_solution/public/common/utils/date_math.ts

@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+/**
+ * Converts a date math string to a duration string by removing the 'now-' prefix.
+ *
+ * @param historyStart - Date math string to convert. For example, "now-30d".
+ * @returns Resulting duration string. For example, "30d".
+ */
+export const convertDateMathToDuration = (dateMathString: string): string => {
+  if (dateMathString.startsWith('now-')) {
+    return dateMathString.substring(4);
+  }
+
+  return dateMathString;
+};
+
+/**
+ * Converts a duration string to a dateMath string by adding the 'now-' prefix.
+ *
+ * @param durationString - Duration string to convert. For example, "30d".
+ * @returns Resulting date math string. For example, "now-30d".
+ */
+export const convertDurationToDateMath = (durationString: string): string =>
+  `now-${durationString}`;

x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/history_window_start_edit/history_window_start_edit.tsx

@@ -0,0 +1,58 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import { i18n } from '@kbn/i18n';
+import { ScheduleItemField } from '../schedule_item_field';
+import type { ERROR_CODE, ValidationFunc } from '../../../../shared_imports';
+import { type FieldConfig, UseField } from '../../../../shared_imports';
+import { type HistoryWindowStart } from '../../../../../common/api/detection_engine';
+import { historyWindowStartValidationFactory } from '../../../rule_creation_ui/validators/history_window_start_validator_factory';
+
+const COMPONENT_PROPS = {
+  idAria: 'historyWindowSize',
+  dataTestSubj: 'historyWindowSize',
+  timeTypes: ['m', 'h', 'd'],
+};
+
+interface HistoryWindowStartEditProps {
+  path: string;
+}
+
+export function HistoryWindowStartEdit({ path }: HistoryWindowStartEditProps): JSX.Element {
+  return (
+    <UseField
+      path={path}
+      config={HISTORY_WINDOW_START_FIELD_CONFIG}
+      component={ScheduleItemField}
+      componentProps={COMPONENT_PROPS}
+    />
+  );
+}
+
+const HISTORY_WINDOW_START_FIELD_CONFIG: FieldConfig<HistoryWindowStart> = {
+  label: i18n.translate(
+    'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.historyWindowSizeLabel',
+    {
+      defaultMessage: 'History Window Size',
+    }
+  ),
+  helpText: i18n.translate(
+    'xpack.securitySolution.detectionEngine.createRule.stepScheduleRule.historyWindowSizeHelpText',
+    {
+      defaultMessage: "New terms rules only alert if terms don't appear in historical data.",
+    }
+  ),
+  validations: [
+    {
+      validator: (
+        ...args: Parameters<ValidationFunc>
+      ): ReturnType<ValidationFunc<{}, ERROR_CODE>> | undefined =>
+        historyWindowStartValidationFactory(...args),
+    },
+  ],
+};

x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/history_window_start_edit/index.tsx

@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export { HistoryWindowStartEdit } from './history_window_start_edit';

x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/new_terms_fields_edit/index.tsx

@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export { NewTermsFieldsEdit } from './new_terms_fields_edit';

x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/new_terms_fields_edit/new_terms_fields_edit.tsx

@@ -0,0 +1,57 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React, { memo } from 'react';
+import { i18n } from '@kbn/i18n';
+import type { ERROR_CODE, ValidationFunc } from '../../../../shared_imports';
+import { FIELD_TYPES, UseField } from '../../../../shared_imports';
+import { NewTermsFieldsField } from './new_terms_fields_field';
+import { newTermsFieldsValidatorFactory } from '../../../rule_creation_ui/validators/new_terms_fields_validator_factory';
+
+interface NewTermsFieldsEditProps {
+  path: string;
+  fieldNames: string[];
+}
+
+export const NewTermsFieldsEdit = memo(function NewTermsFieldsEdit({
+  path,
+  fieldNames,
+}: NewTermsFieldsEditProps): JSX.Element {
+  return (
+    <UseField
+      path={path}
+      config={NEW_TERMS_FIELDS_CONFIG}
+      component={NewTermsFieldsField}
+      componentProps={{ fieldNames }}
+    />
+  );
+});
+
+const NEW_TERMS_FIELDS_CONFIG = {
+  type: FIELD_TYPES.COMBO_BOX,
+  label: i18n.translate(
+    'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.newTermsFieldsLabel',
+    {
+      defaultMessage: 'Fields',
+    }
+  ),
+  helpText: i18n.translate(
+    'xpack.securitySolution.detectionEngine.createRule.stepAboutRule.fieldNewTermsFieldHelpText',
+    {
+      defaultMessage: 'Select a field to check for new terms.',
+    }
+  ),
+  validations: [
+    {
+      validator: (
+        ...args: Parameters<ValidationFunc>
+      ): ReturnType<ValidationFunc<{}, ERROR_CODE>> | undefined => {
+        return newTermsFieldsValidatorFactory(...args);
+      },
+    },
+  ],
+};

x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/new_terms_fields/index.tsx → x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/new_terms_fields_edit/new_terms_fields_field.tsx

@@ -5,38 +5,36 @@
  * 2.0.
  */
 
-import React, { useMemo } from 'react';
+import React from 'react';
 
 import type { DataViewFieldBase } from '@kbn/es-query';
 import type { FieldHook } from '../../../../shared_imports';
 import { Field } from '../../../../shared_imports';
 import { NEW_TERMS_FIELD_PLACEHOLDER } from './translations';
 
 interface NewTermsFieldsProps {
-  browserFields: DataViewFieldBase[];
+  fieldNames: DataViewFieldBase[];
   field: FieldHook;
 }
 
 const FIELD_COMBO_BOX_WIDTH = 410;
 
-const fieldDescribedByIds = 'detectionEngineStepDefineRuleNewTermsField';
+const fieldDescribedByIds = 'newTermsFieldEdit';
 
-export const NewTermsFieldsComponent: React.FC<NewTermsFieldsProps> = ({
-  browserFields,
+const NewTermsFieldsEditFieldComponent: React.FC<NewTermsFieldsProps> = ({
+  fieldNames,
   field,
 }: NewTermsFieldsProps) => {
-  const fieldEuiFieldProps = useMemo(
-    () => ({
-      fullWidth: true,
-      noSuggestions: false,
-      options: browserFields.map((browserField) => ({ label: browserField.name })),
-      placeholder: NEW_TERMS_FIELD_PLACEHOLDER,
-      onCreateOption: undefined,
-      style: { width: `${FIELD_COMBO_BOX_WIDTH}px` },
-    }),
-    [browserFields]
-  );
+  const fieldEuiFieldProps = {
+    fullWidth: true,
+    noSuggestions: false,
+    options: fieldNames.map((name) => ({ label: name })),
+    placeholder: NEW_TERMS_FIELD_PLACEHOLDER,
+    onCreateOption: undefined,
+    style: { width: `${FIELD_COMBO_BOX_WIDTH}px` },
+  };
+
   return <Field field={field} idAria={fieldDescribedByIds} euiFieldProps={fieldEuiFieldProps} />;
 };
 
-export const NewTermsFields = React.memo(NewTermsFieldsComponent);
+export const NewTermsFieldsField = React.memo(NewTermsFieldsEditFieldComponent);

x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/schedule_item_field/index.ts

@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export { ScheduleItemField } from './schedule_item_field';

x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/schedule_item_form/index.test.tsx → x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/schedule_item_field/schedule_item_field.test.tsx

@@ -8,14 +8,14 @@
 import React from 'react';
 import { mount, shallow } from 'enzyme';
 
-import { ScheduleItem } from '.';
+import { ScheduleItemField } from './schedule_item_field';
 import { TestProviders, useFormFieldMock } from '../../../../common/mock';
 
-describe('ScheduleItem', () => {
+describe('ScheduleItemField', () => {
   it('renders correctly', () => {
     const mockField = useFormFieldMock<string>();
     const wrapper = shallow(
-      <ScheduleItem
+      <ScheduleItemField
         dataTestSubj="schedule-item"
         idAria="idAria"
         isDisabled={false}
@@ -30,7 +30,7 @@ describe('ScheduleItem', () => {
     const mockField = useFormFieldMock<string>();
     const wrapper = mount(
       <TestProviders>
-        <ScheduleItem
+        <ScheduleItemField
           dataTestSubj="schedule-item"
           idAria="idAria"
           isDisabled={false}
@@ -53,7 +53,7 @@ describe('ScheduleItem', () => {
     const mockField = useFormFieldMock<string>();
     const wrapper = mount(
       <TestProviders>
-        <ScheduleItem
+        <ScheduleItemField
           dataTestSubj="schedule-item"
           idAria="idAria"
           isDisabled={false}
@@ -77,7 +77,7 @@ describe('ScheduleItem', () => {
     const mockField = useFormFieldMock<string>();
     const wrapper = mount(
       <TestProviders>
-        <ScheduleItem
+        <ScheduleItemField
           dataTestSubj="schedule-item"
           idAria="idAria"
           isDisabled={false}

x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/schedule_item_form/index.tsx → x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/schedule_item_field/schedule_item_field.tsx

@@ -76,7 +76,7 @@ const getNumberFromUserInput = (input: string, minimumValue = 0): number => {
   }
 };
 
-export const ScheduleItem = ({
+export const ScheduleItemField = ({
   dataTestSubj,
   field,
   idAria,

x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/rule_preview/helpers.ts

@@ -107,7 +107,7 @@ export const getIsRulePreviewDisabled = ({
   threatMapping,
   machineLearningJobId,
   queryBar,
-  newTermsFields,
+  newTermsFields = [],
 }: {
   ruleType: Type;
   isQueryBarValid: boolean;