[Security Solution] Use AST utils from @kbn/esql-ast for ES|QL rule type query parsing (#9282)

[e40pud]

Summary

Addresses https://github.com/elastic/security-team/issues/9282

With these changes we utilise AST based utils to do ES|QL query validation. This allows us to recognise and display syntax errors. Syntax errors have higher priority than the rest of the validation errors.

Validation errors priorities from top to bottom:

1. Syntax error
2. Missing metadata for non-aggregating queries
3. Missing data source and/or data fields
4. Missing _id column requested for non-aggregating queries via metadata operator

These priorities define the sequence in which we display errors to the user. If there are several errors detected, that the one with higher priority will be shown.

Screen.Recording.2024-08-02.at.11.02.16.mov

Checklist

Delete any items that are not applicable to this PR.

• Unit or functional tests were updated or added to match the most common scenarios
• Flaky Test Runner was used on any tests changed
  • Integration tests (100 ESS, 100 Serverless)
  • Cypress DE tests (100 ESS, 100 Serverless)

[e40pud]

/ci

[e40pud]

/ci

[e40pud]

/ci

[e40pud]

/ci

[e40pud]

/ci

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-detection-engine (Team:Detection Engine)

[kibanamachine]

Flaky Test Runner Stats

🎉 All tests passed! - kibana-flaky-test-suite-runner#6681

[✅] x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/configs/ess.config.ts: 100/100 tests passed.
[✅] x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/configs/serverless.config.ts: 100/100 tests passed.

see run history

[vitaliidm]

why casting is needed here?
Given that one of the types there does not have args property, it could lead to error of accessing property. Something we had already in the past.

[e40pud]

Seems like Array.find cannot infer the type in this case. I re-arranged the code.

[kibanamachine]

Flaky Test Runner Stats

🟠 Some tests failed. - kibana-flaky-test-suite-runner#6682

[❌] Security Solution Detection Engine - Cypress: 52/100 tests passed.
[❌] [Serverless] Security Solution Detection Engine - Cypress: 81/100 tests passed.

see run history

[vitaliidm]

LGTM
thanks for you work

[kibana-ci]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: 03c7a14
• Cloud Deployment
• Kibana Serverless Image: docker.elastic.co/kibana-ci/kibana-serverless:pr-189780-03c7a147bc14
• Security Deployment

Failed CI Steps

• FTR Configs #98

Test Failures

• [job] [logs] FTR Configs #98 / Cloud Security Posture Findings Page - Alerts Create detection rule Creates a detection rule from the Take Action button and navigates to rule page

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
securitySolution	5614	5645	+31

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
@kbn/securitysolution-utils	44	46	+2

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	20.5MB	20.7MB	⚠️ +232.2KB

Unknown metric groups

API count

id	before	after	diff
@kbn/securitysolution-utils	49	51	+2

History

• 💔 Build #226268 failed 9091e77
• 💚 Build #226245 succeeded 55a282b
• 💔 Build #226044 failed f3591b0
• 💛 Build #225795 was flaky 1e4da00

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @e40pud

[kibanamachine]

Flaky Test Runner Stats

🟠 Some tests failed. - kibana-flaky-test-suite-runner#6712

[❌] Security Solution Detection Engine - Cypress: 60/100 tests passed.
[❌] [Serverless] Security Solution Detection Engine - Cypress: 78/100 tests passed.

see run history