From e8dda9c1950ad6c828c8eb2441a1fbf75cd3fc2d Mon Sep 17 00:00:00 2001 From: "Devin W. Hurley" Date: Mon, 13 Apr 2026 14:40:43 -0400 Subject: [PATCH] [Security Solution] Re-validate EQL query when index pattern changes (#261027) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary Fixes https://github.com/elastic/kibana/issues/260991 When editing an EQL detection rule, switching the index pattern / data view (e.g. valid index → closed index → valid index) without changing the query text left stale validation errors on screen. The hook form library only re-runs validators when the **field value** changes, while the EQL validator already closes over the updated data view from `EqlQueryEdit`. ## Changes - **`eql_query_bar.tsx`**: Call `field.validate()` in an effect when `indexPattern.id` or `indexPattern.title` changes. Use a ref to hold the latest `validate` so we do not depend on `validate` in the effect deps (which would re-run on every keystroke and duplicate debounced EQL validation). - **`eql_query_bar.test.tsx`**: Unit test that `validate` runs on mount and again when the index pattern title changes. ## Release note Fixes EQL rule creation so the query field re-validates after changing the index pattern, clearing errors when the query is valid for the newly selected data view. Made with [Cursor](https://cursor.com) (cherry picked from commit bce427afe5dcf5db3959a39dbc04a80130cb0423) --- .../eql_query_edit/eql_query_bar.test.tsx | 34 +++++++++++++++++++ .../eql_query_edit/eql_query_bar.tsx | 10 ++++++ 2 files changed, 44 insertions(+) diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/eql_query_edit/eql_query_bar.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/eql_query_edit/eql_query_bar.test.tsx index 0496f08dd264c..970aecb9bfc26 100644 
--- a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/eql_query_edit/eql_query_bar.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/eql_query_edit/eql_query_bar.test.tsx @@ -55,6 +55,40 @@ describe('EqlQueryBar', () => { expect(wrapper.find('[data-test-subj="eqlFilterBar"]')).toHaveLength(1); }); + it('re-validates when index pattern id or title changes', () => { + const validate = jest.fn(); + mockField = useFormFieldMock({ + value: mockQueryBar, + validate, + }); + + const { rerender } = render( + + + + ); + + expect(validate).toHaveBeenCalledTimes(1); + + rerender( + + + + ); + + expect(validate).toHaveBeenCalledTimes(2); + }); + it('should set the field value on input change', () => { render( diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/eql_query_edit/eql_query_bar.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/eql_query_edit/eql_query_bar.tsx index f19969bb3c1e4..ae8ebdfca7a8b 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/eql_query_edit/eql_query_bar.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/eql_query_edit/eql_query_bar.tsx @@ -54,6 +54,8 @@ export const EqlQueryBar: FC = ({ const { addError } = useAppToasts(); const { uiSettings } = useKibana().services; const filterManager = useRef(new FilterManager(uiSettings)); + const validateRef = useRef(field.validate); + validateRef.current = field.validate; const { isValidating, value: fieldValue, setValue: setFieldValue, isValid, errors } = field; const errorMessages = useMemo(() => errors.map((x) => x.message), [errors]); 
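Review bot: The new test is named for "index pattern id or title", but the commit description says only a title change is exercised, so the `indexPattern.id` dependency is not pinned by any assertion (the rerender props are not visible on this page, so this is inferred from the description). There is also no negative case, so a regression that re-runs validation on every render would still pass. Add a third `rerender` with the same index pattern followed by `expect(validate).toHaveBeenCalledTimes(2);`, plus an id-only change that expects a third call. For a detection-rule form these cases are worth pinning, because a missed re-validation leaves a rule showing a validation state that belongs to a different index.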
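Review bot: `validateRef.current = field.validate;` writes to the ref during render, which React discourages because a render that is discarded or replayed can leave the ref out of step with what was committed. Moving the assignment into an effect declared above the re-validation effect keeps the same "latest callback" behaviour: `useEffect(() => { validateRef.current = field.validate; });`. The two lines also have no comment at this spot explaining why a ref is used, so I would add `// Latest-ref: lets the re-validation effect call the current validate without listing it as a dependency (it would otherwise re-run on every keystroke).` The body of EqlQueryBar starts and ends outside this hunk.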
@@ -83,6 +85,14 @@ export const EqlQueryBar: FC = ({
 }
 }, [errors, addError]);

+ // `use_field` only re-runs validators when the field value changes. The EQL validator closes
+ // over the current data view / index pattern, so errors from a previous index can stick around
+ // after switching back to a valid index until the user edits the query. Re-validate whenever
+ // the index pattern identity changes.
+ useEffect(() => {
+ void validateRef.current();
+ }, [indexPattern.id, indexPattern.title]);
+
 useEffect(() => {
 if (onValidatingChange) {
 onValidatingChange(isValidating);
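Review bot: The added effect also fires on first render, not only when the index pattern changes; the accompanying test asserts `validate` was called once right after mount. Opening the rule form therefore starts an EQL validation before the user has touched the query. If that is not intended, guard the first run with a mount flag (name constructed here), e.g. `if (!didMountRef.current) { didMountRef.current = true; return; }` at the top of the effect. Separately, `void validateRef.current();` discards the promise, so a rejected validation would surface only as an unhandled rejection. If two validations can overlap, a slower result for the previous index pattern could land last and leave the rule marked valid against an index it was not checked on, so it is worth confirming that the form library drops superseded runs.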