[Security Solution] Re-validate EQL query when index pattern changes#261027
Merged
dhurley14 merged 2 commits intoelastic:mainfrom Apr 13, 2026
Merged
[Security Solution] Re-validate EQL query when index pattern changes#261027dhurley14 merged 2 commits intoelastic:mainfrom
dhurley14 merged 2 commits intoelastic:mainfrom
Conversation
The hook form library only re-runs field validators when the field value changes. The EQL async validator closes over the current data view, so after switching index patterns (e.g. valid → closed index → valid) without editing the query text, stale validation errors remained until the user typed again. Trigger validate() when indexPattern.id or indexPattern.title changes, using a ref for the latest validate callback so we do not duplicate debounced validation on every keystroke. Adds a unit test asserting validate runs on mount and when the index pattern title changes. Fixes elastic#260991 Made-with: Cursor
dhurley14
added
release_note:fix
backport:version
Contributor
|
Pinging @elastic/security-detection-engine (Team:Detection Engine) |
denar50
approved these changes
Apr 7, 2026
Contributor
denar50
left a comment
denar50
left a comment
There was a problem hiding this comment.
Tested it locally. LGTM!
Contributor
|
Caution Review failedAn error occurred during the review process. Please try again later. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Contributor
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]Async chunks
History
cc @dhurley14 |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Apr 13, 2026
…lastic#261027) ## Summary Fixes elastic#260991 When editing an EQL detection rule, switching the index pattern / data view (e.g. valid index → closed index → valid index) without changing the query text left stale validation errors on screen. The hook form library only re-runs validators when the **field value** changes, while the EQL validator already closes over the updated data view from `EqlQueryEdit`. ## Changes - **`eql_query_bar.tsx`**: Call `field.validate()` in an effect when `indexPattern.id` or `indexPattern.title` changes. Use a ref to hold the latest `validate` so we do not depend on `validate` in the effect deps (which would re-run on every keystroke and duplicate debounced EQL validation). - **`eql_query_bar.test.tsx`**: Unit test that `validate` runs on mount and again when the index pattern title changes. ## Release note Fixes EQL rule creation so the query field re-validates after changing the index pattern, clearing errors when the query is valid for the newly selected data view. Made with [Cursor](https://cursor.com) (cherry picked from commit bce427a)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Apr 13, 2026
…lastic#261027) ## Summary Fixes elastic#260991 When editing an EQL detection rule, switching the index pattern / data view (e.g. valid index → closed index → valid index) without changing the query text left stale validation errors on screen. The hook form library only re-runs validators when the **field value** changes, while the EQL validator already closes over the updated data view from `EqlQueryEdit`. ## Changes - **`eql_query_bar.tsx`**: Call `field.validate()` in an effect when `indexPattern.id` or `indexPattern.title` changes. Use a ref to hold the latest `validate` so we do not depend on `validate` in the effect deps (which would re-run on every keystroke and duplicate debounced EQL validation). - **`eql_query_bar.test.tsx`**: Unit test that `validate` runs on mount and again when the index pattern title changes. ## Release note Fixes EQL rule creation so the query field re-validates after changing the index pattern, clearing errors when the query is valid for the newly selected data view. Made with [Cursor](https://cursor.com) (cherry picked from commit bce427a)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Apr 13, 2026
…lastic#261027) ## Summary Fixes elastic#260991 When editing an EQL detection rule, switching the index pattern / data view (e.g. valid index → closed index → valid index) without changing the query text left stale validation errors on screen. The hook form library only re-runs validators when the **field value** changes, while the EQL validator already closes over the updated data view from `EqlQueryEdit`. ## Changes - **`eql_query_bar.tsx`**: Call `field.validate()` in an effect when `indexPattern.id` or `indexPattern.title` changes. Use a ref to hold the latest `validate` so we do not depend on `validate` in the effect deps (which would re-run on every keystroke and duplicate debounced EQL validation). - **`eql_query_bar.test.tsx`**: Unit test that `validate` runs on mount and again when the index pattern title changes. ## Release note Fixes EQL rule creation so the query field re-validates after changing the index pattern, clearing errors when the query is valid for the newly selected data view. Made with [Cursor](https://cursor.com) (cherry picked from commit bce427a)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Apr 13, 2026
…lastic#261027) ## Summary Fixes elastic#260991 When editing an EQL detection rule, switching the index pattern / data view (e.g. valid index → closed index → valid index) without changing the query text left stale validation errors on screen. The hook form library only re-runs validators when the **field value** changes, while the EQL validator already closes over the updated data view from `EqlQueryEdit`. ## Changes - **`eql_query_bar.tsx`**: Call `field.validate()` in an effect when `indexPattern.id` or `indexPattern.title` changes. Use a ref to hold the latest `validate` so we do not depend on `validate` in the effect deps (which would re-run on every keystroke and duplicate debounced EQL validation). - **`eql_query_bar.test.tsx`**: Unit test that `validate` runs on mount and again when the index pattern title changes. ## Release note Fixes EQL rule creation so the query field re-validates after changing the index pattern, clearing errors when the query is valid for the newly selected data view. Made with [Cursor](https://cursor.com) (cherry picked from commit bce427a)
This was referenced Apr 14, 2026
tfcmarques
pushed a commit
to tfcmarques/kibana
that referenced
this pull request
Apr 14, 2026
…lastic#261027) ## Summary Fixes elastic#260991 When editing an EQL detection rule, switching the index pattern / data view (e.g. valid index → closed index → valid index) without changing the query text left stale validation errors on screen. The hook form library only re-runs validators when the **field value** changes, while the EQL validator already closes over the updated data view from `EqlQueryEdit`. ## Changes - **`eql_query_bar.tsx`**: Call `field.validate()` in an effect when `indexPattern.id` or `indexPattern.title` changes. Use a ref to hold the latest `validate` so we do not depend on `validate` in the effect deps (which would re-run on every keystroke and duplicate debounced EQL validation). - **`eql_query_bar.test.tsx`**: Unit test that `validate` runs on mount and again when the index pattern title changes. ## Release note Fixes EQL rule creation so the query field re-validates after changing the index pattern, clearing errors when the query is valid for the newly selected data view. Made with [Cursor](https://cursor.com)
kibanamachine
added
the
backport missing
Contributor
|
Friendly reminder: Looks like this PR hasn’t been backported yet. |
dhurley14
added a commit
to dhurley14/kibana
that referenced
this pull request
Apr 15, 2026
…lastic#261027) ## Summary Fixes elastic#260991 When editing an EQL detection rule, switching the index pattern / data view (e.g. valid index → closed index → valid index) without changing the query text left stale validation errors on screen. The hook form library only re-runs validators when the **field value** changes, while the EQL validator already closes over the updated data view from `EqlQueryEdit`. ## Changes - **`eql_query_bar.tsx`**: Call `field.validate()` in an effect when `indexPattern.id` or `indexPattern.title` changes. Use a ref to hold the latest `validate` so we do not depend on `validate` in the effect deps (which would re-run on every keystroke and duplicate debounced EQL validation). - **`eql_query_bar.test.tsx`**: Unit test that `validate` runs on mount and again when the index pattern title changes. ## Release note Fixes EQL rule creation so the query field re-validates after changing the index pattern, clearing errors when the query is valid for the newly selected data view. Made with [Cursor](https://cursor.com) (cherry picked from commit bce427a)
Contributor
Author
💔 Some backports could not be created
Note: Successful backport PRs will be merged automatically after passing CI. Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
This was referenced Apr 15, 2026
Contributor
Author
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
dhurley14
added a commit
to dhurley14/kibana
that referenced
this pull request
Apr 15, 2026
…lastic#261027) ## Summary Fixes elastic#260991 When editing an EQL detection rule, switching the index pattern / data view (e.g. valid index → closed index → valid index) without changing the query text left stale validation errors on screen. The hook form library only re-runs validators when the **field value** changes, while the EQL validator already closes over the updated data view from `EqlQueryEdit`. ## Changes - **`eql_query_bar.tsx`**: Call `field.validate()` in an effect when `indexPattern.id` or `indexPattern.title` changes. Use a ref to hold the latest `validate` so we do not depend on `validate` in the effect deps (which would re-run on every keystroke and duplicate debounced EQL validation). - **`eql_query_bar.test.tsx`**: Unit test that `validate` runs on mount and again when the index pattern title changes. ## Release note Fixes EQL rule creation so the query field re-validates after changing the index pattern, clearing errors when the query is valid for the newly selected data view. Made with [Cursor](https://cursor.com) (cherry picked from commit bce427a)
dhurley14
added a commit
to dhurley14/kibana
that referenced
this pull request
Apr 15, 2026
…lastic#261027) ## Summary Fixes elastic#260991 When editing an EQL detection rule, switching the index pattern / data view (e.g. valid index → closed index → valid index) without changing the query text left stale validation errors on screen. The hook form library only re-runs validators when the **field value** changes, while the EQL validator already closes over the updated data view from `EqlQueryEdit`. ## Changes - **`eql_query_bar.tsx`**: Call `field.validate()` in an effect when `indexPattern.id` or `indexPattern.title` changes. Use a ref to hold the latest `validate` so we do not depend on `validate` in the effect deps (which would re-run on every keystroke and duplicate debounced EQL validation). - **`eql_query_bar.test.tsx`**: Unit test that `validate` runs on mount and again when the index pattern title changes. ## Release note Fixes EQL rule creation so the query field re-validates after changing the index pattern, clearing errors when the query is valid for the newly selected data view. Made with [Cursor](https://cursor.com) (cherry picked from commit bce427a)
Contributor
|
Looks like this PR has backport PRs but they still haven't been merged. Please merge them ASAP to keep the branches relatively in sync. |
dhurley14
added a commit
that referenced
this pull request
Apr 15, 2026
…hanges (#261027) (#263506) # Backport This will backport the following commits from `main` to `8.19`: - [[Security Solution] Re-validate EQL query when index pattern changes (#261027)](#261027) <!--- Backport version: 11.0.1 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Devin W. Hurley","email":"devin.hurley@elastic.co"},"sourceCommit":{"committedDate":"2026-04-13T18:40:43Z","message":"[Security Solution] Re-validate EQL query when index pattern changes (#261027)\n\n## Summary\n\nFixes https://github.com/elastic/kibana/issues/260991\n\nWhen editing an EQL detection rule, switching the index pattern / data\nview (e.g. valid index → closed index → valid index) without changing\nthe query text left stale validation errors on screen. The hook form\nlibrary only re-runs validators when the **field value** changes, while\nthe EQL validator already closes over the updated data view from\n`EqlQueryEdit`.\n\n## Changes\n\n- **`eql_query_bar.tsx`**: Call `field.validate()` in an effect when\n`indexPattern.id` or `indexPattern.title` changes. Use a ref to hold the\nlatest `validate` so we do not depend on `validate` in the effect deps\n(which would re-run on every keystroke and duplicate debounced EQL\nvalidation).\n- **`eql_query_bar.test.tsx`**: Unit test that `validate` runs on mount\nand again when the index pattern title changes.\n\n## Release note\n\nFixes EQL rule creation so the query field re-validates after changing\nthe index pattern, clearing errors when the query is valid for the newly\nselected data view.\n\nMade with [Cursor](https://cursor.com)","sha":"bce427afe5dcf5db3959a39dbc04a80130cb0423","branchLabelMapping":{"^v9.5.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["review","release_note:fix","backport missing","Feature:Detection Rules","Feature:Event Correlation (EQL) Rule","Feature:Rule Creation","Team:Detection Engine","Feature:Rule Edit","backport:version","v9.4.0","v9.5.0","v9.3.4","v9.2.9","v8.19.15"],"title":"[Security Solution] Re-validate EQL query when index pattern changes","number":261027,"url":"https://github.com/elastic/kibana/pull/261027","mergeCommit":{"message":"[Security Solution] Re-validate EQL query when index pattern changes (#261027)\n\n## Summary\n\nFixes https://github.com/elastic/kibana/issues/260991\n\nWhen editing an EQL detection rule, switching the index pattern / data\nview (e.g. valid index → closed index → valid index) without changing\nthe query text left stale validation errors on screen. The hook form\nlibrary only re-runs validators when the **field value** changes, while\nthe EQL validator already closes over the updated data view from\n`EqlQueryEdit`.\n\n## Changes\n\n- **`eql_query_bar.tsx`**: Call `field.validate()` in an effect when\n`indexPattern.id` or `indexPattern.title` changes. Use a ref to hold the\nlatest `validate` so we do not depend on `validate` in the effect deps\n(which would re-run on every keystroke and duplicate debounced EQL\nvalidation).\n- **`eql_query_bar.test.tsx`**: Unit test that `validate` runs on mount\nand again when the index pattern title changes.\n\n## Release note\n\nFixes EQL rule creation so the query field re-validates after changing\nthe index pattern, clearing errors when the query is valid for the newly\nselected data view.\n\nMade with [Cursor](https://cursor.com)","sha":"bce427afe5dcf5db3959a39dbc04a80130cb0423"}},"sourceBranch":"main","suggestedTargetBranches":["9.3","9.2","8.19"],"targetPullRequestStates":[{"branch":"9.4","label":"v9.4.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/263502","number":263502,"state":"OPEN"},{"branch":"main","label":"v9.5.0","branchLabelMappingKey":"^v9.5.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/261027","number":261027,"mergeCommit":{"message":"[Security Solution] Re-validate EQL query when index pattern changes (#261027)\n\n## Summary\n\nFixes https://github.com/elastic/kibana/issues/260991\n\nWhen editing an EQL detection rule, switching the index pattern / data\nview (e.g. valid index → closed index → valid index) without changing\nthe query text left stale validation errors on screen. The hook form\nlibrary only re-runs validators when the **field value** changes, while\nthe EQL validator already closes over the updated data view from\n`EqlQueryEdit`.\n\n## Changes\n\n- **`eql_query_bar.tsx`**: Call `field.validate()` in an effect when\n`indexPattern.id` or `indexPattern.title` changes. Use a ref to hold the\nlatest `validate` so we do not depend on `validate` in the effect deps\n(which would re-run on every keystroke and duplicate debounced EQL\nvalidation).\n- **`eql_query_bar.test.tsx`**: Unit test that `validate` runs on mount\nand again when the index pattern title changes.\n\n## Release note\n\nFixes EQL rule creation so the query field re-validates after changing\nthe index pattern, clearing errors when the query is valid for the newly\nselected data view.\n\nMade with [Cursor](https://cursor.com)","sha":"bce427afe5dcf5db3959a39dbc04a80130cb0423"}},{"branch":"9.3","label":"v9.3.4","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"9.2","label":"v9.2.9","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.19","label":"v8.19.15","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT-->
dhurley14
added a commit
that referenced
this pull request
Apr 15, 2026
…anges (#261027) (#263502) # Backport This will backport the following commits from `main` to `9.4`: - [[Security Solution] Re-validate EQL query when index pattern changes (#261027)](#261027) <!--- Backport version: 11.0.1 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Devin W. Hurley","email":"devin.hurley@elastic.co"},"sourceCommit":{"committedDate":"2026-04-13T18:40:43Z","message":"[Security Solution] Re-validate EQL query when index pattern changes (#261027)\n\n## Summary\n\nFixes https://github.com/elastic/kibana/issues/260991\n\nWhen editing an EQL detection rule, switching the index pattern / data\nview (e.g. valid index → closed index → valid index) without changing\nthe query text left stale validation errors on screen. The hook form\nlibrary only re-runs validators when the **field value** changes, while\nthe EQL validator already closes over the updated data view from\n`EqlQueryEdit`.\n\n## Changes\n\n- **`eql_query_bar.tsx`**: Call `field.validate()` in an effect when\n`indexPattern.id` or `indexPattern.title` changes. Use a ref to hold the\nlatest `validate` so we do not depend on `validate` in the effect deps\n(which would re-run on every keystroke and duplicate debounced EQL\nvalidation).\n- **`eql_query_bar.test.tsx`**: Unit test that `validate` runs on mount\nand again when the index pattern title changes.\n\n## Release note\n\nFixes EQL rule creation so the query field re-validates after changing\nthe index pattern, clearing errors when the query is valid for the newly\nselected data view.\n\nMade with [Cursor](https://cursor.com)","sha":"bce427afe5dcf5db3959a39dbc04a80130cb0423","branchLabelMapping":{"^v9.5.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["review","release_note:fix","backport missing","Feature:Detection Rules","Feature:Event Correlation (EQL) Rule","Feature:Rule Creation","Team:Detection Engine","Feature:Rule Edit","backport:version","v9.4.0","v9.5.0","v9.3.4","v9.2.9","v8.19.15"],"title":"[Security Solution] Re-validate EQL query when index pattern changes","number":261027,"url":"https://github.com/elastic/kibana/pull/261027","mergeCommit":{"message":"[Security Solution] Re-validate EQL query when index pattern changes (#261027)\n\n## Summary\n\nFixes https://github.com/elastic/kibana/issues/260991\n\nWhen editing an EQL detection rule, switching the index pattern / data\nview (e.g. valid index → closed index → valid index) without changing\nthe query text left stale validation errors on screen. The hook form\nlibrary only re-runs validators when the **field value** changes, while\nthe EQL validator already closes over the updated data view from\n`EqlQueryEdit`.\n\n## Changes\n\n- **`eql_query_bar.tsx`**: Call `field.validate()` in an effect when\n`indexPattern.id` or `indexPattern.title` changes. Use a ref to hold the\nlatest `validate` so we do not depend on `validate` in the effect deps\n(which would re-run on every keystroke and duplicate debounced EQL\nvalidation).\n- **`eql_query_bar.test.tsx`**: Unit test that `validate` runs on mount\nand again when the index pattern title changes.\n\n## Release note\n\nFixes EQL rule creation so the query field re-validates after changing\nthe index pattern, clearing errors when the query is valid for the newly\nselected data view.\n\nMade with [Cursor](https://cursor.com)","sha":"bce427afe5dcf5db3959a39dbc04a80130cb0423"}},"sourceBranch":"main","suggestedTargetBranches":["9.4","9.3","9.2","8.19"],"targetPullRequestStates":[{"branch":"9.4","label":"v9.4.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.5.0","branchLabelMappingKey":"^v9.5.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/261027","number":261027,"mergeCommit":{"message":"[Security Solution] Re-validate EQL query when index pattern changes (#261027)\n\n## Summary\n\nFixes https://github.com/elastic/kibana/issues/260991\n\nWhen editing an EQL detection rule, switching the index pattern / data\nview (e.g. valid index → closed index → valid index) without changing\nthe query text left stale validation errors on screen. The hook form\nlibrary only re-runs validators when the **field value** changes, while\nthe EQL validator already closes over the updated data view from\n`EqlQueryEdit`.\n\n## Changes\n\n- **`eql_query_bar.tsx`**: Call `field.validate()` in an effect when\n`indexPattern.id` or `indexPattern.title` changes. Use a ref to hold the\nlatest `validate` so we do not depend on `validate` in the effect deps\n(which would re-run on every keystroke and duplicate debounced EQL\nvalidation).\n- **`eql_query_bar.test.tsx`**: Unit test that `validate` runs on mount\nand again when the index pattern title changes.\n\n## Release note\n\nFixes EQL rule creation so the query field re-validates after changing\nthe index pattern, clearing errors when the query is valid for the newly\nselected data view.\n\nMade with [Cursor](https://cursor.com)","sha":"bce427afe5dcf5db3959a39dbc04a80130cb0423"}},{"branch":"9.3","label":"v9.3.4","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"9.2","label":"v9.2.9","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.19","label":"v8.19.15","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT-->
dhurley14
added a commit
that referenced
this pull request
Apr 15, 2026
…anges (#261027) (#263504) # Backport This will backport the following commits from `main` to `9.3`: - [[Security Solution] Re-validate EQL query when index pattern changes (#261027)](#261027) <!--- Backport version: 11.0.1 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Devin W. Hurley","email":"devin.hurley@elastic.co"},"sourceCommit":{"committedDate":"2026-04-13T18:40:43Z","message":"[Security Solution] Re-validate EQL query when index pattern changes (#261027)\n\n## Summary\n\nFixes https://github.com/elastic/kibana/issues/260991\n\nWhen editing an EQL detection rule, switching the index pattern / data\nview (e.g. valid index → closed index → valid index) without changing\nthe query text left stale validation errors on screen. The hook form\nlibrary only re-runs validators when the **field value** changes, while\nthe EQL validator already closes over the updated data view from\n`EqlQueryEdit`.\n\n## Changes\n\n- **`eql_query_bar.tsx`**: Call `field.validate()` in an effect when\n`indexPattern.id` or `indexPattern.title` changes. Use a ref to hold the\nlatest `validate` so we do not depend on `validate` in the effect deps\n(which would re-run on every keystroke and duplicate debounced EQL\nvalidation).\n- **`eql_query_bar.test.tsx`**: Unit test that `validate` runs on mount\nand again when the index pattern title changes.\n\n## Release note\n\nFixes EQL rule creation so the query field re-validates after changing\nthe index pattern, clearing errors when the query is valid for the newly\nselected data view.\n\nMade with [Cursor](https://cursor.com)","sha":"bce427afe5dcf5db3959a39dbc04a80130cb0423","branchLabelMapping":{"^v9.5.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["review","release_note:fix","backport missing","Feature:Detection Rules","Feature:Event Correlation (EQL) Rule","Feature:Rule Creation","Team:Detection Engine","Feature:Rule Edit","backport:version","v9.4.0","v9.5.0","v9.3.4","v9.2.9","v8.19.15"],"title":"[Security Solution] Re-validate EQL query when index pattern changes","number":261027,"url":"https://github.com/elastic/kibana/pull/261027","mergeCommit":{"message":"[Security Solution] Re-validate EQL query when index pattern changes (#261027)\n\n## Summary\n\nFixes https://github.com/elastic/kibana/issues/260991\n\nWhen editing an EQL detection rule, switching the index pattern / data\nview (e.g. valid index → closed index → valid index) without changing\nthe query text left stale validation errors on screen. The hook form\nlibrary only re-runs validators when the **field value** changes, while\nthe EQL validator already closes over the updated data view from\n`EqlQueryEdit`.\n\n## Changes\n\n- **`eql_query_bar.tsx`**: Call `field.validate()` in an effect when\n`indexPattern.id` or `indexPattern.title` changes. Use a ref to hold the\nlatest `validate` so we do not depend on `validate` in the effect deps\n(which would re-run on every keystroke and duplicate debounced EQL\nvalidation).\n- **`eql_query_bar.test.tsx`**: Unit test that `validate` runs on mount\nand again when the index pattern title changes.\n\n## Release note\n\nFixes EQL rule creation so the query field re-validates after changing\nthe index pattern, clearing errors when the query is valid for the newly\nselected data view.\n\nMade with [Cursor](https://cursor.com)","sha":"bce427afe5dcf5db3959a39dbc04a80130cb0423"}},"sourceBranch":"main","suggestedTargetBranches":["9.3","9.2","8.19"],"targetPullRequestStates":[{"branch":"9.4","label":"v9.4.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/263502","number":263502,"state":"OPEN"},{"branch":"main","label":"v9.5.0","branchLabelMappingKey":"^v9.5.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/261027","number":261027,"mergeCommit":{"message":"[Security Solution] Re-validate EQL query when index pattern changes (#261027)\n\n## Summary\n\nFixes https://github.com/elastic/kibana/issues/260991\n\nWhen editing an EQL detection rule, switching the index pattern / data\nview (e.g. valid index → closed index → valid index) without changing\nthe query text left stale validation errors on screen. The hook form\nlibrary only re-runs validators when the **field value** changes, while\nthe EQL validator already closes over the updated data view from\n`EqlQueryEdit`.\n\n## Changes\n\n- **`eql_query_bar.tsx`**: Call `field.validate()` in an effect when\n`indexPattern.id` or `indexPattern.title` changes. Use a ref to hold the\nlatest `validate` so we do not depend on `validate` in the effect deps\n(which would re-run on every keystroke and duplicate debounced EQL\nvalidation).\n- **`eql_query_bar.test.tsx`**: Unit test that `validate` runs on mount\nand again when the index pattern title changes.\n\n## Release note\n\nFixes EQL rule creation so the query field re-validates after changing\nthe index pattern, clearing errors when the query is valid for the newly\nselected data view.\n\nMade with [Cursor](https://cursor.com)","sha":"bce427afe5dcf5db3959a39dbc04a80130cb0423"}},{"branch":"9.3","label":"v9.3.4","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"9.2","label":"v9.2.9","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.19","label":"v8.19.15","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT-->
dhurley14
added a commit
that referenced
this pull request
Apr 16, 2026
…anges (#261027) (#263505) # Backport This will backport the following commits from `main` to `9.2`: - [[Security Solution] Re-validate EQL query when index pattern changes (#261027)](#261027) <!--- Backport version: 11.0.1 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Devin W. Hurley","email":"devin.hurley@elastic.co"},"sourceCommit":{"committedDate":"2026-04-13T18:40:43Z","message":"[Security Solution] Re-validate EQL query when index pattern changes (#261027)\n\n## Summary\n\nFixes https://github.com/elastic/kibana/issues/260991\n\nWhen editing an EQL detection rule, switching the index pattern / data\nview (e.g. valid index → closed index → valid index) without changing\nthe query text left stale validation errors on screen. The hook form\nlibrary only re-runs validators when the **field value** changes, while\nthe EQL validator already closes over the updated data view from\n`EqlQueryEdit`.\n\n## Changes\n\n- **`eql_query_bar.tsx`**: Call `field.validate()` in an effect when\n`indexPattern.id` or `indexPattern.title` changes. Use a ref to hold the\nlatest `validate` so we do not depend on `validate` in the effect deps\n(which would re-run on every keystroke and duplicate debounced EQL\nvalidation).\n- **`eql_query_bar.test.tsx`**: Unit test that `validate` runs on mount\nand again when the index pattern title changes.\n\n## Release note\n\nFixes EQL rule creation so the query field re-validates after changing\nthe index pattern, clearing errors when the query is valid for the newly\nselected data view.\n\nMade with [Cursor](https://cursor.com)","sha":"bce427afe5dcf5db3959a39dbc04a80130cb0423","branchLabelMapping":{"^v9.5.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["review","release_note:fix","backport missing","Feature:Detection Rules","Feature:Event Correlation (EQL) Rule","Feature:Rule Creation","Team:Detection Engine","Feature:Rule Edit","backport:version","v9.4.0","v9.5.0","v9.3.4","v9.2.9","v8.19.15"],"title":"[Security Solution] Re-validate EQL query when index pattern changes","number":261027,"url":"https://github.com/elastic/kibana/pull/261027","mergeCommit":{"message":"[Security Solution] Re-validate EQL query when index pattern changes (#261027)\n\n## Summary\n\nFixes https://github.com/elastic/kibana/issues/260991\n\nWhen editing an EQL detection rule, switching the index pattern / data\nview (e.g. valid index → closed index → valid index) without changing\nthe query text left stale validation errors on screen. The hook form\nlibrary only re-runs validators when the **field value** changes, while\nthe EQL validator already closes over the updated data view from\n`EqlQueryEdit`.\n\n## Changes\n\n- **`eql_query_bar.tsx`**: Call `field.validate()` in an effect when\n`indexPattern.id` or `indexPattern.title` changes. Use a ref to hold the\nlatest `validate` so we do not depend on `validate` in the effect deps\n(which would re-run on every keystroke and duplicate debounced EQL\nvalidation).\n- **`eql_query_bar.test.tsx`**: Unit test that `validate` runs on mount\nand again when the index pattern title changes.\n\n## Release note\n\nFixes EQL rule creation so the query field re-validates after changing\nthe index pattern, clearing errors when the query is valid for the newly\nselected data view.\n\nMade with [Cursor](https://cursor.com)","sha":"bce427afe5dcf5db3959a39dbc04a80130cb0423"}},"sourceBranch":"main","suggestedTargetBranches":["9.3","9.2","8.19"],"targetPullRequestStates":[{"branch":"9.4","label":"v9.4.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/263502","number":263502,"state":"OPEN"},{"branch":"main","label":"v9.5.0","branchLabelMappingKey":"^v9.5.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/261027","number":261027,"mergeCommit":{"message":"[Security Solution] Re-validate EQL query when index pattern changes (#261027)\n\n## Summary\n\nFixes https://github.com/elastic/kibana/issues/260991\n\nWhen editing an EQL detection rule, switching the index pattern / data\nview (e.g. valid index → closed index → valid index) without changing\nthe query text left stale validation errors on screen. The hook form\nlibrary only re-runs validators when the **field value** changes, while\nthe EQL validator already closes over the updated data view from\n`EqlQueryEdit`.\n\n## Changes\n\n- **`eql_query_bar.tsx`**: Call `field.validate()` in an effect when\n`indexPattern.id` or `indexPattern.title` changes. Use a ref to hold the\nlatest `validate` so we do not depend on `validate` in the effect deps\n(which would re-run on every keystroke and duplicate debounced EQL\nvalidation).\n- **`eql_query_bar.test.tsx`**: Unit test that `validate` runs on mount\nand again when the index pattern title changes.\n\n## Release note\n\nFixes EQL rule creation so the query field re-validates after changing\nthe index pattern, clearing errors when the query is valid for the newly\nselected data view.\n\nMade with [Cursor](https://cursor.com)","sha":"bce427afe5dcf5db3959a39dbc04a80130cb0423"}},{"branch":"9.3","label":"v9.3.4","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"9.2","label":"v9.2.9","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.19","label":"v8.19.15","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT-->
kibanamachine
removed
the
backport missing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #260991
When editing an EQL detection rule, switching the index pattern / data view (e.g. valid index → closed index → valid index) without changing the query text left stale validation errors on screen. The hook form library only re-runs validators when the field value changes, while the EQL validator already closes over the updated data view from
EqlQueryEdit.Changes
eql_query_bar.tsx: Callfield.validate()in an effect whenindexPattern.idorindexPattern.titlechanges. Use a ref to hold the latestvalidateso we do not depend onvalidatein the effect deps (which would re-run on every keystroke and duplicate debounced EQL validation).eql_query_bar.test.tsx: Unit test thatvalidateruns on mount and again when the index pattern title changes.Release note
Fixes EQL rule creation so the query field re-validates after changing the index pattern, clearing errors when the query is valid for the newly selected data view.
Made with Cursor