Skip to content

[9.3] [Security Solution] Re-validate EQL query when index pattern changes (#261027)#263504

Merged
dhurley14 merged 1 commit intoelastic:9.3from
dhurley14:backport/9.3/pr-261027
Apr 15, 2026
Merged

[9.3] [Security Solution] Re-validate EQL query when index pattern changes (#261027)#263504
dhurley14 merged 1 commit intoelastic:9.3from
dhurley14:backport/9.3/pr-261027

Conversation

@dhurley14
Copy link
Copy Markdown
Contributor

@dhurley14 dhurley14 commented Apr 15, 2026

Backport

This will backport the following commits from main to 9.3:

Questions ?

Please refer to the Backport tool documentation

@dhurley14
[Security Solution] Re-validate EQL query when index pattern changes (e…
e8dda9c 
…lastic#261027)

## Summary

Fixes elastic#260991

When editing an EQL detection rule, switching the index pattern / data
view (e.g. valid index → closed index → valid index) without changing
the query text left stale validation errors on screen. The hook form
library only re-runs validators when the **field value** changes, while
the EQL validator already closes over the updated data view from
`EqlQueryEdit`.

## Changes

- **`eql_query_bar.tsx`**: Call `field.validate()` in an effect when
`indexPattern.id` or `indexPattern.title` changes. Use a ref to hold the
latest `validate` so we do not depend on `validate` in the effect deps
(which would re-run on every keystroke and duplicate debounced EQL
validation).
- **`eql_query_bar.test.tsx`**: Unit test that `validate` runs on mount
and again when the index pattern title changes.

## Release note

Fixes EQL rule creation so the query field re-validates after changing
the index pattern, clearing errors when the query is valid for the newly
selected data view.

Made with [Cursor](https://cursor.com)

(cherry picked from commit bce427a)
@dhurley14 dhurley14 added the backport This PR is a backport of another PR label Apr 15, 2026
@dhurley14 dhurley14 enabled auto-merge (squash) April 15, 2026 14:00
@dhurley14 dhurley14 mentioned this pull request Apr 15, 2026
Merged
rylnd
rylnd approved these changes Apr 15, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@rylnd rylnd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@dhurley14 dhurley14 merged commit 94bfc44 into elastic:9.3 Apr 15, 2026
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rylnd rylnd rylnd approved these changes

@kibanamachine kibanamachine Awaiting requested review from kibanamachine kibanamachine is a code owner

Assignees

No one assigned

Labels

backport This PR is a backport of another PR

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dhurley14 @rylnd