From ef4f5f5b6d575f24ccf06d40d325d3556afd04af Mon Sep 17 00:00:00 2001
From: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com>
Date: Wed, 18 Oct 2023 09:16:16 +0100
Subject: [PATCH] [Security Solution][Detection Engine] updates ES|QL info
popover (#168611)
## Summary
- addresses https://github.com/elastic/ux-writing/issues/41
- the content of the info tooltip is moved to the doc page; instead, only a link to
that page is displayed
### Before
### After
### Checklist
Delete any items that are not applicable to this PR.
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
---------
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
---
packages/kbn-doc-links/src/get_doc_links.ts | 4 +--
packages/kbn-doc-links/src/types.ts | 4 +--
.../components/esql_info_icon/index.tsx | 29 ++++++++-------
.../components/esql_info_icon/translations.ts | 36 -------------------
.../rule_creation/logic/translations.ts | 2 +-
.../rules/select_rule_type/translations.ts | 3 +-
.../rule_creation/esql_rule_ess.cy.ts | 4 +--
7 files changed, 23 insertions(+), 59 deletions(-)
diff --git a/packages/kbn-doc-links/src/get_doc_links.ts b/packages/kbn-doc-links/src/get_doc_links.ts
index 1f668ce162728ee..b8d46bad40cc431 100644
--- a/packages/kbn-doc-links/src/get_doc_links.ts
+++ b/packages/kbn-doc-links/src/get_doc_links.ts
@@ -457,6 +457,7 @@ export const getDocLinks = ({ kibanaBranch }: GetDocLinkOptions): DocLinks => {
},
privileges: `${SECURITY_SOLUTION_DOCS}endpoint-management-req.html`,
manageDetectionRules: `${SECURITY_SOLUTION_DOCS}rules-ui-management.html`,
+ createEsqlRuleType: `${SECURITY_SOLUTION_DOCS}rules-ui-create.html#create-esql-rule`,
},
query: {
eql: `${ELASTICSEARCH_DOCS}eql.html`,
@@ -856,9 +857,6 @@ export const getDocLinks = ({ kibanaBranch }: GetDocLinkOptions): DocLinks => {
synthetics: {
featureRoles: `${ELASTIC_WEBSITE_URL}guide/en/observability/${DOC_LINK_VERSION}/synthetics-feature-roles.html`,
},
- esql: {
- statsBy: `${ELASTICSEARCH_DOCS}esql.html`,
- },
telemetry: {
settings: `${KIBANA_DOCS}telemetry-settings-kbn.html`,
},
diff --git a/packages/kbn-doc-links/src/types.ts b/packages/kbn-doc-links/src/types.ts
index 555167bf8574e96..adc7f13c6c612ee 100644
--- a/packages/kbn-doc-links/src/types.ts
+++ b/packages/kbn-doc-links/src/types.ts
@@ -348,6 +348,7 @@ export interface DocLinks {
};
readonly privileges: string;
readonly manageDetectionRules: string;
+ readonly createEsqlRuleType: string;
};
readonly query: {
readonly eql: string;
@@ -613,9 +614,6 @@ export interface DocLinks {
readonly synthetics: {
readonly featureRoles: string;
};
- readonly esql: {
- readonly statsBy: string;
- };
readonly telemetry: {
readonly settings: string;
};
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/index.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/index.tsx
index 0130b8eed78b835..d0b4cee6752ad56 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/index.tsx
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/index.tsx
@@ -6,16 +6,13 @@
*/
import React from 'react';
-import { EuiPopover, EuiText, EuiButtonIcon } from '@elastic/eui';
-import { Markdown } from '@kbn/kibana-react-plugin/public';
+import { EuiPopover, EuiText, EuiButtonIcon, EuiLink } from '@elastic/eui';
+import { FormattedMessage } from '@kbn/i18n-react';
import * as i18n from './translations';
import { useBoolState } from '../../../../common/hooks/use_bool_state';
-
import { useKibana } from '../../../../common/lib/kibana';
-const POPOVER_WIDTH = 640;
-
/**
* Icon and popover that gives hint to users how to get started with ES|QL rules
*/
@@ -30,14 +27,20 @@ const EsqlInfoIconComponent = () => {
return (
-
-
+
+
+
+ ),
+ }}
/>
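Review bot: The new popover body cannot be reviewed from this rendering — the lines between `return (` and `/>` carry only their `+`/`-` markers, the JSX having been stripped — so this is inferred from the import hunk above: the content is presumably a `FormattedMessage` whose `values` supply an `EuiLink` pointing at the `createEsqlRuleType` doc link added in get_doc_links.ts. If that link has no `target="_blank"`, clicking it navigates away from a partially filled rule form; `<EuiLink href={…} target="_blank" external>` opens the documentation in a new tab, and EUI adds `rel="noopener noreferrer"` for that target itself. Worth confirming against the full file; `EsqlInfoIconComponent` starts before this hunk and the popover `/>` is its last visible line.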
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/translations.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/translations.ts
index db5f8ea86ce631a..8729f7b0dd3bc66 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/translations.ts
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/esql_info_icon/translations.ts
@@ -13,39 +13,3 @@ export const ARIA_LABEL = i18n.translate(
defaultMessage: `Open help popover`,
}
);
-
-export const getTooltipContent = (statsByLink: string, startUsingEsqlLink: string) =>
- i18n.translate(
- 'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.esqlInfoTooltipContent',
- {
- defaultMessage: `
-### Aggregating rule
-Is a rule that uses {statsByLink} grouping commands. So, its result can not be matched with a particular document in ES.
-\`\`\`
-FROM logs*
-| STATS count = COUNT(host.name) BY host.name
-| SORT host.name
-\`\`\`
-
-
-### Non-aggregating rule
-Is a rule that does not use {statsByLink} grouping commands. Hence, each row in result can be tracked to a source document in ES. For this type of rule,
-please use operator \`[metadata _id, _index, _version]\` after defining index source. This would allow deduplicate alerts and link them with the source document.
-
-Example
-
-\`\`\`
-FROM logs* [metadata _id, _index, _version]
-| WHERE event.id == "test"
-| LIMIT 10
-\`\`\`
-
-Please, ensure, metadata properties \`id\`, \`_index\`, \`_version\` are carried over through pipe operators.
- `,
- values: {
- statsByLink: `[STATS..BY](${statsByLink})`,
- // Docs team will provide actual link to a new page before release
- // startUsingEsqlLink: `[WIP: Get started using ES|QL rules](${startUsingEsqlLink})`,
- },
- }
- );
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts
index e0bbcd45b1f1a1d..bbb00053cdfabc6 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/translations.ts
@@ -23,6 +23,6 @@ export const esqlValidationErrorMessage = (message: string) =>
export const ESQL_VALIDATION_MISSING_ID_IN_QUERY_ERROR = i18n.translate(
'xpack.securitySolution.detectionEngine.esqlValidation.missingIdInQueryError',
{
- defaultMessage: `For non-aggregating rules(that don't use STATS..BY function), please write query that returns _id field from [metadata _id, _version, _index] operator`,
+ defaultMessage: `Queries that don’t use the STATS...BY function (non-aggregating queries) must include the [metadata _id, _version, _index] operator after the source command. For example: FROM logs* [metadata _id, _version, _index]. In addition, the metadata properties (_id, _version, and _index) must be returned in the query response.`,
}
);
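Review bot: The reworded `defaultMessage` calls STATS...BY a "function"; ES|QL's reference documents `STATS ... BY` as a processing command, so a reader searching the docs for a function of that name will not find one — `Queries that don’t use the STATS...BY command (non-aggregating queries) must include …` would match the documentation. Note also that this exact sentence is matched by substring in esql_rule_ess.cy.ts (two places), so any further copy edit here has to be mirrored there in the same change.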
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/translations.ts b/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/translations.ts
index cfd62ff3d57da85..d8b61de1368650e 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/translations.ts
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/translations.ts
@@ -32,7 +32,8 @@ export const ESQL_TYPE_TITLE = i18n.translate(
export const ESQL_TYPE_DESCRIPTION = i18n.translate(
'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.ruleTypeField.esqlTypeDescription',
{
- defaultMessage: 'Use The Elasticsearch Query Language (ES|QL) to search or aggregate events',
+ defaultMessage:
+ 'Use Elasticsearch Query Language (ES|QL) to find events and aggregate search results.',
}
);
diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_creation/esql_rule_ess.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_creation/esql_rule_ess.cy.ts
index 254deb99f3259ab..a22d24a9fd5372f 100644
--- a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_creation/esql_rule_ess.cy.ts
+++ b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_creation/esql_rule_ess.cy.ts
@@ -125,7 +125,7 @@ describe('Detection ES|QL rules, creation', { tags: ['@ess'] }, () => {
getDefineContinueButton().click();
cy.get(ESQL_QUERY_BAR).contains(
- 'write query that returns _id field from [metadata _id, _version, _index] operator'
+ 'must include the [metadata _id, _version, _index] operator after the source command'
);
});
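Review bot: The expected error text is duplicated verbatim in this hunk and in the one at `@@ -139,7 +139,7 @@`, and it is a substring of a message that this very PR has just reworded, so the next copy edit breaks both assertions at once with no single place to update. Prefer one constant near the top of the spec, e.g. `const MISSING_ID_ERROR = 'must include the [metadata _id, _version, _index] operator after the source command';`, and `cy.get(ESQL_QUERY_BAR).contains(MISSING_ID_ERROR);` in both tests — or, if the cypress package may import from the plugin, the exported `ESQL_VALIDATION_MISSING_ID_IN_QUERY_ERROR` itself so the test tracks the translation. The enclosing `it` blocks start outside both hunks.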
@@ -139,7 +139,7 @@ describe('Detection ES|QL rules, creation', { tags: ['@ess'] }, () => {
getDefineContinueButton().click();
cy.get(ESQL_QUERY_BAR).contains(
- 'write query that returns _id field from [metadata _id, _version, _index] operator'
+ 'must include the [metadata _id, _version, _index] operator after the source command'
);
});