[Osquery] Add additional ecs osquery fields validation on query change (#134431)

2025-04-23 09:19:04 -04:00 · 2022-07-08 14:19:23 +02:00 · 2022-07-08 14:19:23 +02:00 · b3c5689224
commit b3c5689224
parent 56831590e4
2 changed files with 25 additions and 0 deletions
--- a/x-pack/plugins/osquery/public/common/helpers.ts
+++ b/x-pack/plugins/osquery/public/common/helpers.ts
@ -15,6 +15,7 @@ import {
 } from '../../common/search_strategy';

 import { ESQuery } from '../../common/typed_json';
+import { ArrayItem } from '../shared_imports';

 export const createFilter = (filterQuery: ESQuery | string | undefined) =>
  isString(filterQuery) ? filterQuery : JSON.stringify(filterQuery);
@ -43,3 +44,12 @@ export const getInspectResponse = <T extends FactoryQueryTypes>(
  response:
    response != null ? [JSON.stringify(response.rawResponse, null, 2)] : prevResponse?.response,
 });
+
+export const prepareEcsFieldsToValidate = (ecsMapping: ArrayItem[]): string[] =>
+  ecsMapping
+    ?.map((_: unknown, index: number) => [
+      `ecs_mapping[${index}].result.value`,
+      `ecs_mapping[${index}].key`,
+    ])
+    .join(',')
+    .split(',');
--- a/x-pack/plugins/osquery/public/packs/queries/ecs_mapping_editor_field.tsx
+++ b/x-pack/plugins/osquery/public/packs/queries/ecs_mapping_editor_field.tsx
@ -40,6 +40,7 @@ import { i18n } from '@kbn/i18n';
 import styled from 'styled-components';
 import deepEqual from 'fast-deep-equal';

+import { prepareEcsFieldsToValidate } from '../../common/helpers';
 import ECSSchema from '../../common/schemas/ecs/v8.2.0.json';
 import osquerySchema from '../../common/schemas/osquery/v5.2.2.json';

@ -57,6 +58,7 @@ import {
  UseArray,
  ArrayItem,
  FormArrayField,
+  useFormContext,
 } from '../../shared_imports';
 import { OsqueryIcon } from '../../components/osquery_icon';
 import { removeMultilines } from '../../../common/utils/build_query/remove_multilines';
@ -768,9 +770,21 @@ export const ECSMappingEditorField = React.memo(
  ({ euiFieldProps }: ECSMappingEditorFieldProps) => {
    const lastItemPath = useRef<string>();
    const onAdd = useRef<FormArrayField['addItem']>();
+    const itemsList = useRef<ArrayItem[]>([]);
    const [osquerySchemaOptions, setOsquerySchemaOptions] = useState<OsquerySchemaOption[]>([]);
    const [{ query, ...formData }, formDataSerializer, isMounted] = useFormData();

+    const { validateFields } = useFormContext();
+
+    useEffect(() => {
+      // Additional 'suspended' validation of osquery ecs fields. fieldsToValidateOnChange doesn't work because it happens before the osquerySchema gets updated.
+      const fieldsToValidate = prepareEcsFieldsToValidate(itemsList.current);
+      // it is always at least 2 - empty fields
+      if (fieldsToValidate.length > 2) {
+        setTimeout(() => validateFields(fieldsToValidate), 0);
+      }
+    }, [query, validateFields]);
+
    useEffect(() => {
      if (!query?.length) {
        return;
@ -1074,6 +1088,7 @@ export const ECSMappingEditorField = React.memo(
          {({ items, addItem, removeItem }) => {
            lastItemPath.current = items[items.length - 1]?.path;
            onAdd.current = addItem;
+            itemsList.current = items;

            return (
              <>