[Security Solution][Detections] - Fix remaining render and validation bug with query preview + tests

[yctercero]

Summary

This PR is meant to address the remaining rule query preview bugs. It addresses the following:

• gives same loading experience for all rule query types (previously there were two different loading states)
• makes sure noise warnings are showing for all query types and disappear on timeframe or query change
• updates when to/from are set so it is set on preview click

Custom query

Threshold query

Eql query

Eql sequence query

Checklist

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• Any UI touched in this PR is usable by keyboard only (learn more about keyboard accessibility)
• Any UI touched in this PR does not create any new axe failures (run axe in browser: FF, Chrome)
• This renders correctly on smaller devices using a responsive layout. (You can test this in your browser)
• This was checked for cross-browser compatibility

[yctercero]

Removed these changes as I'm no longer using this component.

[rylnd]

A few quick fixes should get the validity logic a little tighter, here, especially around EQL rules. Otherwise, this looks great!

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: 34bd856

Metrics [docs]

@kbn/optimizer bundle module count

id	before	after	diff
securitySolution	2057	2059	+2

async chunks size

id	before	after	diff
securitySolution	10.6MB	10.6MB	+10.4KB

page load bundle size

id	before	after	diff
securitySolution	593.2KB	600.5KB	+7.2KB

History

• 💚 Build #81170 succeeded bf088c0
• 💚 Build #81131 succeeded 59d57fd3e2ada128abaa4f3c0380aa04669616e1
• 💚 Build #81119 succeeded ec1d63476b0fbd2397a904c6422c8f7dbd10d4bf
• 💚 Build #81081 succeeded 151e47c591f3bb70dfa16633205aafa8a8aa7f5c
• 💚 Build #80969 succeeded fbadd78a509b98c3a2fb16af21ea0767d2499acc

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[yctercero]

@MikePaquette @marrasherrier getting feedback on the sequence histogram, that it's not very intuitive and not sure that it's of any added value. @madirey suggested maybe embedding resolver as it is able to visually represent event sequences, or maybe we could just show total hits when we detect that the query is a sequence?

[rylnd]

@yctercero I was able to somewhat reliably reproduce an issue where hitting Preview did not update the UI:

1. (re)Load the Create Rule page
2. Choose EQL type
3. Fill a sequence query: sequence [process where true] [process where true]
4. Click "Preview Results"

Often, the preview request would be issued, but no UI would update/no histogram would be displayed.

[rylnd]

This looks great! I'm really liking the rxjs stuff, I can't wait to play more with observables 🤗 .

I had one (product) question about the sequences preview histogram, and another issue with the preview button occasionally not working.

[rylnd]

I really like this pattern! The semantics of emitting to this to unsubscribe isn't exactly intuitive (to me), but it seems like a common solution to this scoping/unsubscribing issue. There are also some eslint hooks for rxjs (e.g. no-unsafe-takeuntil) that we might want to enable

[rylnd]

I think getSequenceAggs is the source of these console warnings:

Since the x-values are time strings and not numbers. However, wrapping them in moment().valueOf() fixes the warning but breaks the "buckets", since the x-axis is now back to using a linear scale:

[rylnd]

Taking a step back, the existing histogram is somewhat surprising in its behavior. There appear to be only two buckets in this graph:

Or perhaps each unique timestamp string is its own bucket? I'm not sure what the default behavior for their ordinal scale is, but the latter seems likely.

To me the graph is conveying three data points: the number of results, the number of sequences, and their distribution over time. However, distribution over time is ambiguous and potentially lossy/misleading; we may want to reconsider how we present this data for sequences.

[madirey]

Could we just preview this in an embedded Resolver?

[yctercero]

I'm not sure what you have against rainbow graphs @rylnd 😜 I have a draft where I'm trying to see if displaying it in more of a Gantt type form helps. Will definitely follow up with @MikePaquette and @marrasherrier on this.

@madirey I wonder how heavy that would be, or is it already easily embeddable?

[madirey]

Tested manually with several different EQL queries. Aside from the pending questions about the histogram, this LGTM. Thank you!

[yctercero]

Merging, with the following issues being addressed as follow up:

• the graph sometimes not showing as pointed out by @rylnd is a race condition where some query bar state is updating after button is clicked and this sets showHistogram to true - need to memoize a few values to minimize unnecessary re-renders, that will fix this
• continue discussion with team about best display for sequences. Working on a Gantt looking type graph, that could be useful, if not at the very least of more use than what's there now