Set default value for Indicator index query (#112300)

* Change deafult value for indicator query

* Move threat math query to constants

* Use existing constantant for Cypress test

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>

x-pack/plugins/security_solution/common/constants.ts

@@ -64,6 +64,7 @@ export const DEFAULT_INDICATOR_SOURCE_PATH = 'threatintel.indicator';
 export const ENRICHMENT_DESTINATION_PATH = 'threat.enrichments';
 export const DEFAULT_THREAT_INDEX_KEY = 'securitySolution:defaultThreatIndex';
 export const DEFAULT_THREAT_INDEX_VALUE = ['filebeat-*'];
+export const DEFAULT_THREAT_MATCH_QUERY = '@timestamp >= "now-30d"';
 
 export enum SecurityPageName {
   administration = 'administration',

x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts

@@ -108,6 +108,7 @@ import { loginAndWaitForPageWithoutDateRange } from '../../tasks/login';
 import { goBackToAllRulesTable } from '../../tasks/rule_details';
 
 import { ALERTS_URL, RULE_CREATION } from '../../urls/navigation';
+import { DEFAULT_THREAT_MATCH_QUERY } from '../../../common/constants';
 
 describe('indicator match', () => {
   describe('Detection rules, Indicator Match', () => {
@@ -180,8 +181,8 @@ describe('indicator match', () => {
       });
 
       describe('custom indicator query input', () => {
-        it('Has a default set of *:*', () => {
-          getCustomIndicatorQueryInput().should('have.text', '*:*');
+        it(`Has a default set of ${DEFAULT_THREAT_MATCH_QUERY}`, () => {
+          getCustomIndicatorQueryInput().should('have.text', DEFAULT_THREAT_MATCH_QUERY);
         });
 
         it('Shows invalidation text if text is removed', () => {

x-pack/plugins/security_solution/cypress/tasks/create_new_rule.ts

@@ -473,6 +473,7 @@ export const fillDefineIndicatorMatchRuleAndContinue = (rule: ThreatIndicatorRul
     indexField: rule.indicatorMappingField,
     indicatorIndexField: rule.indicatorIndexField,
   });
+  getCustomIndicatorQueryInput().type('{selectall}{enter}*:*');
   getDefineContinueButton().should('exist').click({ force: true });
   cy.get(CUSTOM_QUERY_INPUT).should('not.exist');
 };

x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx

@@ -11,7 +11,11 @@ import styled from 'styled-components';
 import { isEqual } from 'lodash';
 
 import { IndexPattern } from 'src/plugins/data/public';
-import { DEFAULT_INDEX_KEY, DEFAULT_THREAT_INDEX_KEY } from '../../../../../common/constants';
+import {
+  DEFAULT_INDEX_KEY,
+  DEFAULT_THREAT_INDEX_KEY,
+  DEFAULT_THREAT_MATCH_QUERY,
+} from '../../../../../common/constants';
 import { DEFAULT_TIMELINE_TITLE } from '../../../../timelines/components/timeline/translations';
 import { isMlRule } from '../../../../../common/machine_learning/helpers';
 import { hasMlAdminPermissions } from '../../../../../common/machine_learning/has_ml_admin_permissions';
@@ -72,7 +76,7 @@ const stepDefineDefaultValue: DefineStepRule = {
     saved_id: undefined,
   },
   threatQueryBar: {
-    query: { query: '*:*', language: 'kuery' },
+    query: { query: DEFAULT_THREAT_MATCH_QUERY, language: 'kuery' },
     filters: [],
     saved_id: undefined,
   },