[8.6] [Security Sollution][Alerts] fixes rule preview issue for new t…

…erms field (#145707) (#146449)

# Backport

This will backport the following commits from `main` to `8.6`:
- [[Security Sollution][Alerts] fixes rule preview issue for new terms
field (#145707)](#145707)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Vitalii
Dmyterko","email":"92328789+vitaliidm@users.noreply.github.com"},"sourceCommit":{"committedDate":"2022-11-28T17:36:40Z","message":"[Security
Sollution][Alerts] fixes rule preview issue for new terms field
(#145707)\n\n## Summary\r\n\r\n- fixes
https://github.com/elastic/kibana/issues/144322\r\n- details on
underlying\r\n[issue](https://github.com/elastic/kibana/issues/144322#issuecomment-1321838136)\r\nwithin
form-lib\r\n\r\n###
Before\r\n\r\n\r\nhttps://user-images.githubusercontent.com/92328789/202687215-e9606bd0-5cfd-4a92-9abf-edaf90868505.mov\r\n\r\n###
After\r\n\r\n\r\nhttps://user-images.githubusercontent.com/92328789/202688418-7cb7d250-02f3-4020-bfa0-65191b8a529b.mov","sha":"c086220f1ba89c9db0fe2c7500d86e3375aeee86","branchLabelMapping":{"^v8.7.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:fix","Team:Detections
and Resp","Team: SecuritySolution","Team:Detection
Alerts","backport:prev-minor","v8.6.0","v8.7.0"],"number":145707,"url":"https://github.com/elastic/kibana/pull/145707","mergeCommit":{"message":"[Security
Sollution][Alerts] fixes rule preview issue for new terms field
(#145707)\n\n## Summary\r\n\r\n- fixes
https://github.com/elastic/kibana/issues/144322\r\n- details on
underlying\r\n[issue](https://github.com/elastic/kibana/issues/144322#issuecomment-1321838136)\r\nwithin
form-lib\r\n\r\n###
Before\r\n\r\n\r\nhttps://user-images.githubusercontent.com/92328789/202687215-e9606bd0-5cfd-4a92-9abf-edaf90868505.mov\r\n\r\n###
After\r\n\r\n\r\nhttps://user-images.githubusercontent.com/92328789/202688418-7cb7d250-02f3-4020-bfa0-65191b8a529b.mov","sha":"c086220f1ba89c9db0fe2c7500d86e3375aeee86"}},"sourceBranch":"main","suggestedTargetBranches":["8.6"],"targetPullRequestStates":[{"branch":"8.6","label":"v8.6.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.7.0","labelRegex":"^v8.7.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/145707","number":145707,"mergeCommit":{"message":"[Security
Sollution][Alerts] fixes rule preview issue for new terms field
(#145707)\n\n## Summary\r\n\r\n- fixes
https://github.com/elastic/kibana/issues/144322\r\n- details on
underlying\r\n[issue](https://github.com/elastic/kibana/issues/144322#issuecomment-1321838136)\r\nwithin
form-lib\r\n\r\n###
Before\r\n\r\n\r\nhttps://user-images.githubusercontent.com/92328789/202687215-e9606bd0-5cfd-4a92-9abf-edaf90868505.mov\r\n\r\n###
After\r\n\r\n\r\nhttps://user-images.githubusercontent.com/92328789/202688418-7cb7d250-02f3-4020-bfa0-65191b8a529b.mov","sha":"c086220f1ba89c9db0fe2c7500d86e3375aeee86"}}]}]
BACKPORT-->

Co-authored-by: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com>

x-pack/plugins/security_solution/public/detections/components/rules/rule_preview/helpers.ts

@@ -15,6 +15,7 @@ import type { ChartSeriesConfigs } from '../../../../common/components/charts/co
 import type { FieldValueQueryBar } from '../query_bar';
 import type { TimeframePreviewOptions } from '../../../pages/detection_engine/rules/types';
 import { DataSourceType } from '../../../pages/detection_engine/rules/types';
+import { MAX_NUMBER_OF_NEW_TERMS_FIELDS } from '../../../../../common/constants';
 
 /**
  * Determines whether or not to display noise warning.
@@ -108,6 +109,10 @@ export const getHistogramConfig = (
   };
 };
 
+const isNewTermsPreviewDisabled = (newTermsFields: string[]): boolean => {
+  return newTermsFields.length === 0 || newTermsFields.length > MAX_NUMBER_OF_NEW_TERMS_FIELDS;
+};
+
 export const getIsRulePreviewDisabled = ({
   ruleType,
   isQueryBarValid,
@@ -157,7 +162,7 @@ export const getIsRulePreviewDisabled = ({
     return isEmpty(queryBar.query.query) && isEmpty(queryBar.filters);
   }
   if (ruleType === 'new_terms') {
-    return newTermsFields.length === 0;
+    return isNewTermsPreviewDisabled(newTermsFields);
   }
   return false;
 };

x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx

@@ -146,7 +146,7 @@ const StepDefineRuleComponent: FC<StepDefineRuleProps> = ({
     schema,
   });
 
-  const { getFields, getFormData, reset, submit } = form;
+  const { getFields, getFormData, reset, validate } = form;
   const [formData] = useFormData<DefineStepRule>({
     form,
     watch: [
@@ -392,21 +392,23 @@ const StepDefineRuleComponent: FC<StepDefineRuleProps> = ({
   }, [onSubmit]);
 
   const getData = useCallback(async () => {
-    const result = await submit();
-    result.data = {
-      ...result.data,
-      eqlOptions: optionsSelected,
+    // validate doesn't return actual state of form
+    // more details here: https://github.com/elastic/kibana/issues/144322#issuecomment-1321838136
+    // wrapping in setTimeout is a workaround until solution within forms-lib can be found
+    const isValid = await new Promise<boolean>((resolve) => {
+      setTimeout(async () => {
+        const valid = await validate();
+        resolve(valid);
+      }, 0);
+    });
+    return {
+      isValid,
+      data: {
+        ...getFormData(),
+        eqlOptions: optionsSelected,
+      },
     };
-    return result.isValid
-      ? result
-      : {
-          isValid: false,
-          data: {
-            ...getFormData(),
-            eqlOptions: optionsSelected,
-          },
-        };
-  }, [getFormData, optionsSelected, submit]);
+  }, [getFormData, optionsSelected, validate]);
 
   useEffect(() => {
     let didCancel = false;