[Security Solution] Warnings in rule filters on the Rule Details page: "Field does not exist in current view" #178908

@banderror

Description

Related to: #177081
Kibana version: 8.14.0-SNAPSHOT

Summary

If you create a rule with a filter, such as host.name: "some-value" AND host.os.family: "windows", then:

  • On the Rule Creation page, during rule creation, the filter will be displayed correctly.
  • On the Rule Details page, after saving this rule, it will be displayed with warnings, e.g. host.name: Warning AND host.os.family: Warning.
  • On the Rule Editing page, if you edit this rule, it will be displayed correctly again.

Rule Creation:

Screenshot 2024-03-18 at 20 54 57

Rule Details:

Screenshot 2024-03-18 at 20 55 44

Steps to reproduce

  1. Launch a clean Kibana + ES environment.
  2. Create some valid indices with source events. Locally, one easy way to do this would be using the resolver_generator script that generates fake endpoint events (events generated by Endpoint Security aka Elastic Defend): node x-pack/plugins/security_solution/scripts/endpoint/resolver_generator.js --node http://elastic:changeme@127.0.0.1:9200 --kibana http://elastic:changeme@0.0.0.0:5601/kbn --numHosts=5 --numDocs=2.
  3. Create a new custom rule. Keep the default set of index patterns if you used the resolver_generator script. Otherwise, point the rule to the indices you created on the previous step.
  4. Enter * as the rule's query.
  5. Add a rule filter, for example host.name: Host-avy6d0956e AND host.os.family: windows (use any values from your source data).
  6. Notice that the filter is displayed without any warnings, and the field values in the filter are clearly visible.
  7. Save the rule.
  8. On the Rule Details page, notice that instead of the field values Warnings are displayed.

Expected behavior: on the Rule Details page there shouldn't be any warnings in rule filters, when we know that source events with the field values used in the filters exist. Field values should be displayed instead of warnings, just like on the Rule Creation and Editing pages.

Hypothesis

Maybe the bug is caused by the fact that on the Rule Details page we use a data view that includes only the .alerts-security.alerts-<spaceid> index:

Screenshot 2024-03-18 at 20 56 00

The filter's UI component tries to find the filter's fields and their values in this data view, and doesn't find them because there are no alerts created with these fields yet. You can check in Discover that indeed, there are source events with those fields, but there are no alerts:

Source events:

Screenshot 2024-03-18 at 20 58 56

Alerts:

Screenshot 2024-03-18 at 21 02 12

So the fix would be to use on the Rule Details page a data view that would correspond to the list of index patterns or the data view of the rule, instead of the data view pointing to the alerts index of the current Kibana space.

Places where the fix needs to be checked:

  • Rule details page (in a few places)
  • Prebuilt rule upgrade flyout - Diff readonly view
  • Prebuilt rule upgrade flyout - Overview tab
  • Event flyout (owned by the Threat Hunting team)
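To illustrate the hypothesis above (an added example, not Kibana's code): the same filter string resolved against a data view built from the rule's source indices renders its values, while resolved against a data view that covers only the alerts index every field falls back to "Warning". The data views, their field sets, the clause parser and the filter string below are constructed for this example.

```typescript
// Constructed model of a data view: its index pattern and the fields known to it.
type DataView = { title: string; fields: Set<string> };

// One `field: value` clause of a rule filter (clauses are joined by AND).
type FilterClause = { field: string; value: string };

// Parse a filter such as `host.name: "x" AND host.os.family: windows` into clauses.
// Hypothetical simplified syntax: only top-level AND, one value per field.
function parseFilter(filter: string): FilterClause[] {
  return filter.split(/\s+AND\s+/).map((part) => {
    const m = part.match(/^\s*([\w.@-]+)\s*:\s*"?([^"]*?)"?\s*$/);
    if (!m) throw new Error(`unparseable clause: ${part}`);
    return { field: m[1], value: m[2] };
  });
}

// Render the filter the way the issue describes it: the value when the field exists
// in the data view, otherwise the literal "Warning" (field not in the current view).
function renderFilter(filter: string, view: DataView): string {
  return parseFilter(filter)
    .map(({ field, value }) => `${field}: ${view.fields.has(field) ? value : 'Warning'}`)
    .join(' AND ');
}

// Fields referenced by the filter that the given data view cannot resolve.
function missingFields(filter: string, view: DataView): string[] {
  return parseFilter(filter)
    .map((c) => c.field)
    .filter((f) => !view.fields.has(f));
}

// Constructed data views mirroring the issue: the rule's source indices contain the
// endpoint fields; the alerts index has no alerts yet, so those fields are absent.
const sourceView: DataView = {
  title: 'logs-endpoint.events.*',
  fields: new Set(['@timestamp', 'host.name', 'host.os.family', 'event.category']),
};
const alertsView: DataView = {
  title: '.alerts-security.alerts-default',
  fields: new Set(['@timestamp', 'kibana.alert.rule.name', 'kibana.alert.severity']),
};

// Filter from the reproduction steps (host name value is a constructed sample).
const exampleFilter = 'host.name: Host-avy6d0956e AND host.os.family: windows';

// Rule Creation/Editing page (source data view) vs. Rule Details page (alerts data view).
console.log(renderFilter(exampleFilter, sourceView));
console.log(renderFilter(exampleFilter, alertsView));
```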

Labels

  • 8.18 candidate
  • Feature:Rule Details (Security Solution Detection Rule Details page)
  • Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)
  • Team:Detection Rule Management (Security Detection Rule Management Team)
  • Team:Detections and Resp (Security Detection Response Team)
  • bug (Fixes for quality problems that affect the customer experience)
  • impact:medium (Addressing this issue will have a medium level of impact on the quality/strength of our product.)
  • v8.16.3
  • v8.17.1
  • v8.18.0