
[Security Solution] Editing rules independently of source data (#180407)

Open e40pud opened this issue 6 months ago • 10 comments

Summary

Addresses https://github.com/elastic/kibana/issues/180407
Addresses https://github.com/elastic/kibana/issues/178611

With these changes we allow the user to create and update a rule even if certain query bar validation errors exist. Right now, we make any non-syntax validation errors in the EQL and ES|QL rule types non-blocking during the rule creation and rule updating workflows.

Screenshot of the EQL rule creation workflow with existing non-blocking validation errors:

https://github.com/user-attachments/assets/06b7f76c-e600-4a99-8ead-1445d429e9d3

Screenshot of the EQL rule updating workflow with existing non-blocking validation errors:

https://github.com/user-attachments/assets/9b35e113-b127-487b-bc23-afecf704db9d

UPDATE

After discussing the confirmation modal with @approksiu, we decided to simplify it and show only a title with a generic description to avoid being too literal in the modal. The user can see the full error description during the rule creation/editing workflows in the query bar, where we show each validation error as part of the query bar form item.

[Screenshot 2024-08-28 at 12:50:14]

Some test cases for local testing

Create EQL rule with missing data source

Steps:

  1. Open rules management page
  2. Click create new rule button
  3. Select EQL rule type
  4. Set non-existing index in index patterns field
  5. Add some valid EQL query (for example any where true)
  6. Continue with other steps
  7. Click create rule button

Expected: You will see the confirmation modal that warns the user about potentially failing rule executions. Clicking the Confirm button will create a rule.

Create EQL rule with missing data field

Steps:

  1. Open rules management page
  2. Click create new rule button
  3. Select EQL rule type
  4. Set existing indices in index patterns field
  5. Add some valid EQL query referring to a non-existing data field (for example any where agent.non_existing_field)
  6. Continue with other steps
  7. Click create rule button

Expected: You will see the confirmation modal that warns the user about potentially failing rule executions. Clicking the Confirm button will create a rule.

Create EQL rule with syntax error in the query

Steps:

  1. Open rules management page
  2. Click create new rule button
  3. Select EQL rule type
  4. Set existing indices in index patterns field
  5. Add some syntactically invalid EQL query (for example hello world)

Expected: The Continue button does not allow the user to proceed to the About step due to the existing syntax error.

Create ES|QL rule with missing data source

Steps:

  1. Open rules management page
  2. Click create new rule button
  3. Select ES|QL rule type
  4. Add some valid ES|QL query with non-existing data source (for example from non-existing-index-* metadata _id, _version, _index | SORT @timestamp)
  5. Continue with other steps
  6. Click create rule button

Expected: You will see the confirmation modal that warns the user about potentially failing rule executions. Clicking the Confirm button will create a rule.

Create ES|QL rule with missing data field

Steps:

  1. Open rules management page
  2. Click create new rule button
  3. Select ES|QL rule type
  4. Add some valid ES|QL query with non-existing data field (for example from logs-* metadata _id, _version, _index | SORT agent.non_existing_field)
  5. Continue with other steps
  6. Click create rule button

Expected: You will see the confirmation modal that warns the user about potentially failing rule executions. Clicking the Confirm button will create a rule.

Create ES|QL rule with syntax error in the query

Steps:

  1. Open rules management page
  2. Click create new rule button
  3. Select ES|QL rule type
  4. Add some syntactically invalid ES|QL query (for example hello world)

Expected: The Continue button does not allow the user to proceed to the About step due to the existing syntax error.

The same behaviour applies to the rule updating workflow. For example, you can try to install one of the EQL or ES|QL rules that point to a non-existing data source or use a non-existing data field. The user can still update (add rule actions to) such installed pre-built rules.

Checklist

Delete any items that are not applicable to this PR.

e40pud avatar Aug 27 '24 11:08 e40pud
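The gating policy the PR description lays out (syntax errors block the query step; missing indices or fields in EQL and ES|QL rules only raise a confirmation modal), modelled as a small TypeScript example that is added here and is not Kibana's own code. The error shapes, the function names, the `kuery` branch keeping the old always-blocking behaviour, and the sample inputs are all assumptions for this illustration.

```typescript
// Added illustration of the PR's validation policy; not Kibana's own code.
// The error shapes, names and the non-EQL/ES|QL behaviour below are assumptions.
type RuleLanguage = 'eql' | 'esql' | 'kuery';

type ValidationError =
  | { kind: 'syntax'; message: string }
  | { kind: 'missing_index'; index: string }
  | { kind: 'missing_field'; field: string };

interface GateDecision {
  canProceed: boolean;           // may the wizard advance past the query step?
  requiresConfirmation: boolean; // show the "rule executions may fail" modal?
  blocking: ValidationError[];
  nonBlocking: ValidationError[];
}

// Syntax errors always block. For EQL and ES|QL every other error is non-blocking
// and is surfaced through a confirmation modal instead. For other rule types this
// example assumes the previous behaviour, where every error blocks.
function gateQueryStep(language: RuleLanguage, errors: ValidationError[]): GateDecision {
  const relaxed = language === 'eql' || language === 'esql';
  const blocking = errors.filter((e) => e.kind === 'syntax' || !relaxed);
  const nonBlocking = errors.filter((e) => e.kind !== 'syntax' && relaxed);
  return {
    canProceed: blocking.length === 0,
    requiresConfirmation: blocking.length === 0 && nonBlocking.length > 0,
    blocking,
    nonBlocking,
  };
}

// Outcome of pressing "Create rule" (or saving an edit) after the gate decision:
// blocked by a syntax error, cancelled in the modal, or created.
type SubmitOutcome = 'created' | 'blocked' | 'cancelled';

function submitRule(decision: GateDecision, userConfirmed: boolean): SubmitOutcome {
  if (!decision.canProceed) return 'blocked';
  if (decision.requiresConfirmation && !userConfirmed) return 'cancelled';
  return 'created';
}

// Constructed sample inputs mirroring the manual test cases in the PR description.
const missingIndexCase: ValidationError[] = [{ kind: 'missing_index', index: 'non-existing-index-*' }];
const missingFieldCase: ValidationError[] = [{ kind: 'missing_field', field: 'agent.non_existing_field' }];
const syntaxErrorCase: ValidationError[] = [{ kind: 'syntax', message: 'unexpected token near "hello world"' }];
```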