adds normalization in diffable rule conversion

x-pack/solutions/security/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_rule_data_query.test.ts

@@ -5,13 +5,32 @@
  * 2.0.
  */
 
+import type { Filter } from '@kbn/es-query';
 import { KqlQueryType } from '../../../api/detection_engine';
 import {
   extractRuleEqlQuery,
   extractRuleEsqlQuery,
   extractRuleKqlQuery,
 } from './extract_rule_data_query';
 
+const mockFilter: Filter = {
+  meta: {
+    alias: null,
+    negate: false,
+    disabled: false,
+    type: 'phrase',
+    key: 'test',
+    params: {
+      query: 'value',
+    },
+  },
+  query: {
+    term: {
+      field: 'value',
+    },
+  },
+};
+
 describe('extract rule data queries', () => {
   describe('extractRuleKqlQuery', () => {
     it('extracts a trimmed version of the query field for inline query types', () => {
@@ -24,6 +43,39 @@ describe('extract rule data queries', () => {
         filters: [],
       });
     });
+
+    it('normalizes filters', () => {
+      const extractedKqlQuery = extractRuleKqlQuery(
+        'event.kind:alert',
+        'kuery',
+        [mockFilter],
+        undefined
+      );
+
+      expect(extractedKqlQuery).toEqual({
+        type: KqlQueryType.inline_query,
+        query: 'event.kind:alert',
+        language: 'kuery',
+        filters: [
+          {
+            meta: {
+              negate: false,
+              disabled: false,
+              type: 'phrase',
+              key: 'test',
+              params: {
+                query: 'value',
+              },
+            },
+            query: {
+              term: {
+                field: 'value',
+              },
+            },
+          },
+        ],
+      });
+    });
   });
 
   describe('extractRuleEqlQuery', () => {

x-pack/solutions/security/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_rule_data_query.ts

@@ -5,6 +5,7 @@
  * 2.0.
  */
 
+import type { Filter } from '@kbn/es-query';
 import type {
   EqlQueryLanguage,
   EsqlQueryLanguage,
@@ -48,7 +49,7 @@ export const extractInlineKqlQuery = (
     type: KqlQueryType.inline_query,
     query: query?.trim() ?? '',
     language: language ?? 'kuery',
-    filters: filters ?? [],
+    filters: normalizeFilterArray(filters),
   };
 };
 
@@ -65,7 +66,7 @@ export const extractRuleEqlQuery = (params: ExtractRuleEqlQueryParams): RuleEqlQ
   return {
     query: params.query.trim(),
     language: params.language,
-    filters: params.filters ?? [],
+    filters: normalizeFilterArray(params.filters),
     event_category_override: params.eventCategoryOverride,
     timestamp_field: params.timestampField,
     tiebreaker_field: params.tiebreakerField,
@@ -81,3 +82,20 @@ export const extractRuleEsqlQuery = (
     language,
   };
 };
+
+/**
+ * Removes the null `alias` field that gets appended from the internal kibana filter util for comparison
+ * Relevant issue: https://github.com/elastic/kibana/issues/202966
+ */
+const normalizeFilterArray = (filters: RuleFilterArray | undefined): RuleFilterArray => {
+  if (filters && filters.length > 0) {
+    return (filters as Filter[]).map((filter) => {
+      if (filter.meta.alias == null) {
+        return { ...filter, meta: { ...filter.meta, alias: undefined } };
+      }
+      return filter;
+    });
+  } else {
+    return [];
+  }
+};

x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation_ui/components/query_bar_field/query_field.tsx

@@ -175,8 +175,8 @@ export const QueryBarField = ({
   // if saved query fetched, reset values in queryBar input and filters to saved query's values
   useEffect(() => {
     if (resetToSavedQuery && savedQuery) {
-      const newFiledValue = savedQueryToFieldValue(savedQuery);
-      setFieldValue(newFiledValue);
+      const newFieldValue = savedQueryToFieldValue(savedQuery);
+      setFieldValue(newFieldValue);
     }
   }, [resetToSavedQuery, savedQuery, setFieldValue]);