[Security Solution] Rule Preview Follow-up

[dplumlee]

Summary

Follow-up to #116374.

• Changes the API response for the rule preview to include more in depth errors/warnings
• Changes the error/warning display to be more readable for users
• Fixes bug caused by preview not being disabled when ML job wasn't running
• Addresses comments from previous PR
• Fixes [Security Solution][Detections] No results in Rule Preview #119098

Screenshots

Checklist

Delete any items that are not applicable to this PR.

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios

For maintainers

• This was checked for breaking API changes and was labeled appropriately

[marshallmain]

Is there a reference somewhere that we're using to decide on these noisy thresholds?

[dplumlee]

Going based off this comment, I think it was the spec in the original feature as well but we should get product to sign off for certain sure

[ecezalp]

a quick git blame show the 1 alert per hour logic committed 14 months ago

[marshallmain]

Instead of storing the warnings as a separate array where each invocation only has an entry if the invocation generated a warning, it would be nice to return a single array of objects for both errors and warnings where each invocation always has an entry. E.g.

[
  {startedAt: 1st date, errors: [], warnings: []}, 
  {startedAt: 2nd date, errors: [your error object here], warnings: []},
  ...
]

This way we can (1) easily associated errors and warnings that came from the same rule execution, and (2) we have a place to add more status information for each invocation in the future.

[dplumlee]

@marshallmain is there a good default to use for these messages that already exists? Would display when whatever error/warning occurred didn't have an associated message

[ecezalp]

is it possible to have errors & warnings with no message? that's interesting, I think if that's the case we could probably handle it on the frontend with translated strings

[marshallmain]

We shouldn't be creating errors or warnings with no message, so ideally we'd enforce that with type checking at some point. For now I think something like Unknown error and Unknown warning would be reasonable ways to represent it if we do run into that case. And if we see Unknown messages in the UI, we should track down where we're creating an error or warning and add a descriptive message.

[ecezalp]

a quick git blame show the 1 alert per hour logic committed 14 months ago

[ecezalp]

is it possible to have errors & warnings with no message? that's interesting, I think if that's the case we could probably handle it on the frontend with translated strings

[ecezalp]

do the logs have a key defined? I thought the reducer above didn't actually add any keys

[ecezalp]

@elasticmachine merge upstream

API changes made

[marshallmain]

1 remaining bug I found: timestamps are no longer appearing with each warning/error message.

[kibana-ci]

💚 Build Succeeded

• Buildkite Build
• Commit: 967660f
• Storybooks Preview

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	4.6MB	4.6MB	+1.1KB

Unknown metric groups

ESLint disabled line counts

id	before	after	diff
securitySolution	455	454	-1

Total ESLint disabled count

id	before	after	diff
securitySolution	522	521	-1

History

• 💚 Build #15975 succeeded d3447d2
• 💔 Build #15965 failed 7199078
• 💚 Build #15307 succeeded 914f71e9fdfe79aa0a4115637e1df7517a40bf37
• 💛 Build #14653 was flaky eac767c716af17cd6a18e05e7c58b9f0c5816592
• 💔 Build #14402 failed 24d9fad621b228537cc2d43856037a6286c5a44d
• 💔 Build #14382 failed 8a7d4635aa6fb18e583decbe73e6f587032729c5

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @dplumlee

[kibanamachine]

The following labels were identified as gaps in your version labels and will be added automatically:

• v8.1.0

If any of these should not be on your pull request, please manually remove them.

[kibanamachine]

💔 Backport failed

The backport operation could not be completed due to the following error:
You must specify a valid Github repository

You can specify it via either:

• Config file (recommended): ".backportrc.json". Read more: https://github.com/sqren/backport/blob/e119d71d6dc03cd061f6ad9b9a8b1cd995f98961/docs/configuration.md#project-config-backportrcjson
• CLI: "--upstream elastic/kibana"

The backport PRs will be merged automatically after passing CI.

To backport manually run:
node scripts/backport --pr 121249