
[9.4] [Security Solution] Re-validate EQL query when index pattern changes (#261027) #263502

Merged
dhurley14 merged 1 commit into elastic:9.4 from dhurley14:backport/9.4/pr-261027 on Apr 15, 2026

@dhurley14
Contributor

Backport

This will backport the following commits from main to 9.4:

Questions?

Please refer to the Backport tool documentation

…lastic#261027)

## Summary

Fixes elastic#260991

When editing an EQL detection rule, switching the index pattern / data
view (e.g. valid index → closed index → valid index) without changing
the query text left stale validation errors on screen. The hook form
library only re-runs validators when the **field value** changes, while
the EQL validator already closes over the updated data view from
`EqlQueryEdit`.

## Changes

- **`eql_query_bar.tsx`**: Call `field.validate()` in an effect when
`indexPattern.id` or `indexPattern.title` changes. Use a ref to hold the
latest `validate` so we do not depend on `validate` in the effect deps
(which would re-run on every keystroke and duplicate debounced EQL
validation).
- **`eql_query_bar.test.tsx`**: Unit test that `validate` runs on mount
and again when the index pattern title changes.

## Release note

Fixes EQL rule creation so the query field re-validates after changing
the index pattern, clearing errors when the query is valid for the newly
selected data view.

Made with [Cursor](https://cursor.com)

(cherry picked from commit bce427a)
@dhurley14 dhurley14 added the backport This PR is a backport of another PR label Apr 15, 2026
@dhurley14 dhurley14 enabled auto-merge (squash) April 15, 2026 13:55
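
An added example, not code from the Kibana PR: a framework-free TypeScript model of the stale-error behaviour and the fix that the commit message describes. `Field`, `EqlQueryBar`, `makeEqlValidator`, `scenario` and the index names are hypothetical, and plain classes stand in for React effects and the hook form library.

```typescript
// Constructed model, not Kibana code: validators re-run only on value change.
type Validator = (query: string) => string | null;
interface IndexPattern { id: string; title: string }
class Field {
  error: string | null = null;
  validateCalls = 0;
  private value = '';
  private getValidator: () => Validator;
  constructor(getValidator: () => Validator) { this.getValidator = getValidator; }
  setValue(next: string): void {
    if (next === this.value) return; // unchanged text: validation is skipped
    this.value = next;
    this.validate();
  }
  validate(): void {
    this.validateCalls += 1;
    this.error = this.getValidator()(this.value);
  }
}
// Hypothetical stand-in for EQL validation; the index names are constructed.
const CLOSED_INDICES = new Set(['closed-logs']);
const makeEqlValidator = (ip: IndexPattern): Validator => (query) =>
  query.trim() === '' ? 'query is empty'
    : CLOSED_INDICES.has(ip.title) ? `index ${ip.title} is closed` : null;

class EqlQueryBar {
  readonly field: Field;
  private indexPattern: IndexPattern;
  private revalidateOnIndexChange: boolean;
  constructor(indexPattern: IndexPattern, revalidateOnIndexChange: boolean) {
    this.indexPattern = indexPattern;
    this.revalidateOnIndexChange = revalidateOnIndexChange;
    this.field = new Field(() => makeEqlValidator(this.indexPattern));
    this.field.validate(); // runs once on mount
  }
  setIndexPattern(next: IndexPattern): void {
    // Compare id and title, not object identity, so re-renders do not re-validate.
    const changed = next.id !== this.indexPattern.id || next.title !== this.indexPattern.title;
    this.indexPattern = next;
    if (this.revalidateOnIndexChange && changed) this.field.validate();
  }
}
function scenario(fix: boolean): { error: string | null; calls: number } {
  const bar = new EqlQueryBar({ id: '2', title: 'closed-logs' }, fix);
  bar.field.setValue('process where true');          // error: index is closed
  bar.setIndexPattern({ id: '1', title: 'logs-*' }); // query text untouched
  bar.setIndexPattern({ id: '1', title: 'logs-*' }); // same pattern, new object
  return { error: bar.field.error, calls: bar.field.validateCalls };
}
```

`scenario(false)` keeps the closed-index error after switching to a valid index; `scenario(true)` clears it with exactly one extra validation.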
@elasticmachine
Contributor

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #44 / AgentBuilder Endpoints SML internal API POST /internal/agent_builder/sml/_attach attaches SML items and persists conversation attachment refs
  • [job] [logs] Detection Engine - Security Solution Cypress Tests #2 / Indicator Match - Rule Creation Detection rules, Indicator Match Generating signals Creates and enables a new Indicator Match rule Creates and enables a new Indicator Match rule
  • [job] [logs] Detection Engine - Security Solution Cypress Tests #2 / Indicator Match - Rule Creation Detection rules, Indicator Match Generating signals Investigate alert in timeline Investigate alert in timeline

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
| --- | --- | --- | --- |
| securitySolution | 11.7MB | 11.7MB | +105.0B |

Contributor

@rylnd rylnd left a comment

LGTM

@dhurley14 dhurley14 merged commit f0fb46a into elastic:9.4 Apr 15, 2026
19 checks passed