[SIEM migrations] Implement ES|QL lookups and other fixes

[semd]

Summary

Adds support for ES|QL native LOOKUP JOIN operators for Splunk lookups.

• Lookups import changes:

  • Stores the lookups files as indices using lookup_<lookup_name> pattern (queries fail if the name contains -)
  • Indexes the lookups content data without duplicates (supports csv and json/ndjson)
  • Stores the lookup index name as the resource content that is passed to the translation agent
  • Fixes bug with _lookup suffix in the names coming from Splunk: queries use the _lookup suffix, but files in the. lookup editor don't have it)

• Lookups translation changes:

  • Prompt for the inline_query node updated to support lookups, replacing the splunk lookup name with the new Elastic lookup index name. Placeholders for missing macros/lookups are now added in this node instead of the translate_query node.
  • Prompt for ES|QL translation updated to convert LOOKUP syntax and ignore macro/lookups placeholders

• Other improvements on the agent graph:

  • All rule migration nodes in the graph now generate a "summary" explaining the reasoning behind each decision of the LLM, they are displayed in the comments section of each rule translation.
  • The inline query node was moved inside the translation sub-graph since it's only needed there.
  • Validation now is executed without placeholders, preventing it from running all the iterations without being able to fix it.
  • A deterministic node was added at the end to set the translation result and ensure minimum defaults are met.
  • Avoid inline_query LLM calls when a prebuilt rule matched or when the Splunk query is unsupported
  • Avoid prebuilt_rule matching LLM calls when no prebuilt rule is retrieved from the semantic search.
  • Avoid integration matching LLM calls when no integration is retrieved from the semantic search.

• Other fixes

  • Fixes bug which was setting translation FULL when we missed the integration and index pattern (logs-*). Changed to PARTIAL
  • Fixes bug where the description was missing for custom translated rules, we now fallback to the splunk rule title if the description is missing
  • Added summary comment for prebuilt rule matching

Screenshots

New summary comments:

Prebuilt rule matching:

• matching
  

• not matching
  

Query inlining summary:

Integration matching:

• matching:
  

• not matching
  

ES|QL translation

Needs manual translation reason:

Lookups UI:

Lookup index example:

Translation

Test data

rules.json
all_macros.json
lookups.zip (uncompress before uploading)

[elasticmachine]

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[e40pud]

I think we should not be able to get to this point because it will be caught in the previous check state.validation_errors?.esql_errors since [(macro|lookup):.*?\] like string will be a syntax error. Does not hurt to have this check though.

[semd]

I changed the validation node to execute the syntax check without the placeholders, this way we only try to fix the query when there is a real syntax issue. Placeholders were causing the graph to run all iterations trying to fix a query that could not be fixed.
That's why now we check for placeholders explicitly at the end.

[e40pud]

won't queries like

1. |
2. [macro:something]
3. [lookup:something]

and similar variations, lead to an empty sanitizedQuery after removePlaceHolders(query) call? And this will suggest those queries pass ES|QL validation?

[semd]

Yes, that's fine, the graph tries to fix queries that do not validate here. I don't think we should try to fix queries like these. They will be labeled as partial translation at the last translationResult node.

[angorayc]

Some minor stuff:

1. I found only required lookups will be displayed in the list. If users uploaded a non-required lookups, then it won't be indicated anywhere.

Screen.Recording.2024-12-30.at.15.47.57.mov

2. Rules with Needs manual translation status have a blank overview tab:

Screen.Recording.2024-12-30.at.16.06.10.mov

[semd]

Hey @angorayc
About your comments:

1. I found only required lookups will be displayed in the list. If users uploaded a non-required lookups, then it won't be indicated anywhere.

Yes, the lookups list is generated from the content uploaded previously (rules and macros). If the user provides lookups that are not in the list (they are not needed), we just ignore them, they are not even uploaded to the server. We only care about lookups that we need to perform the translations.

Screen.Recording.2024-12-30.at.15.47.57.mov
2. Rules with Needs manual translation status have a blank overview tab:

Good catch. Noted. We'll fix that in a separate PR since it's not part of this task

Thanks for the review!

[P1llus]

Changes looking great! I think from my perspective its nice to get it merged and anything that might need an update later it would be easier to modify it at that point, as the PR gives plenty of great improvements!

[elasticmachine]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: cee4f09

Failed CI Steps

• Jest Tests #10
• Jest Tests #20
• Jest Tests #20
• FTR Configs #47

Test Failures

• [job] [logs] Jest Tests #20 / StepDefinePackagePolicy default API response should display vars coming from package policy
• [job] [logs] Jest Tests #20 / StepDefinePackagePolicy default API response should display vars coming from package policy

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	22.2MB	22.2MB	-61.0B

Unknown metric groups

ESLint disabled in files

id	before	after	diff
@kbn/index-adapter	0	1	+1

Total ESLint disabled count

id	before	after	diff
@kbn/index-adapter	2	3	+1

History

• 💚 Build #263658 succeeded 71e67d4
• 💔 Build #262836 failed be04b80
• 💚 Build #262667 succeeded f758e7d
• 💔 Build #262648 failed eea5487

cc @semd

[kibanamachine]

Starting backport for target branches: 8.x

https://github.com/elastic/kibana/actions/runs/12677626515

[kibanamachine]

💔 All backports failed

Status	Branch	Result
❌	8.x	Backport failed because of merge conflicts

Manual backport

To create the backport manually run:

node scripts/backport --pr 204960

Questions ?

Please refer to the Backport tool documentation