[Security Solution][Detections] Preview Rule: Make it possible to configure the time interval and look-back time

[e40pud]

Summary

These changes add advanced rule preview options which allows power users to have control over the timeframe, rule interval and look-back time.

Fixes https://github.com/elastic/security-team/issues/4362

Checklist

Delete any items that are not applicable to this PR.

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• Any UI touched in this PR is usable by keyboard only (learn more about keyboard accessibility)
• Any UI touched in this PR does not create any new axe failures (run axe in browser: FF, Chrome)
• If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list
• This renders correctly on smaller devices using a responsive layout. (You can test this in your browser)
• This was checked for cross-browser compatibility

Risk Matrix

Delete this section if it is not applicable to this PR.

Before closing this PR, invite QA, stakeholders, and other developers to identify risks that should be tested prior to the change/feature release.

When forming the risk matrix, consider some of the following examples and how they may potentially impact the change:

Risk	Probability	Severity	Mitigation/Notes
Multiple Spaces—unexpected behavior in non-default Kibana Space.	Low	High	Integration tests will verify that all features are still supported in non-default Kibana Space and when user switches between spaces.
Multiple nodes—Elasticsearch polling might have race conditions when multiple Kibana nodes are polling for the same tasks.	High	Low	Tasks are idempotent, so executing them multiple times will not result in logical error, but will degrade performance. To test for this case we add plenty of unit tests around this logic and document manual testing procedure.
Code should gracefully handle cases when feature X or plugin Y are disabled.	Medium	High	Unit tests will verify that any feature flag or plugin combination still results in our service operational.
See more potential risk examples

For maintainers

• This was checked for breaking API changes and was labeled appropriately

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[banderror]

Just glanced at the changes real quick and skipped a thorough review and testing: I'm not really familiar with the internal implementation of rule preview and I don't want to block this PR.

High-level, the changes LGTM 👍

[dplumlee]

This is all looking great so far! One thing we'll need to update though is the rule run from the backend, specifically right here. The way the logic is currently set up, we just use now (or moment() in this case) to set up the timerange in which the rule runs. Then we use the interval count to step backwards and get to the startedAt time we use in the rule execution runs. With the addition of the advanced rule preview and the arbitrary dates we can now use, we'll have to set this up differently in the case of a user, for instance, running a rule from 20 days to 19 days ago (just a random example). I think the best way to do that is calculate and pass in an optional param alongside invocationCount called finalInvocationStartTime or something and have that essentially be the end time the user specifies. Then we can do something similar to the current logic where we use the invocation count that you've calculated and step backwards to run the rule over the user specified time range, not just based on the relative-to-now math we're currently using

[kibana-ci]

💚 Build Succeeded

• Buildkite Build
• Commit: 1135fdd
• Storybooks Preview

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
securitySolution	3229	3230	+1

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	5.5MB	5.5MB	+4.5KB

History

• 💔 Build #60698 failed 491ce32
• 💛 Build #60606 was flaky 20b829c
• 💔 Build #60594 failed 928a6e6
• 💚 Build #60534 succeeded d5dd9a6
• 💔 Build #60475 failed ee9d5e8

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @e40pud

[dplumlee]

Looks good, thanks for making those changes!

[marshallmain]

For docs reference, here is the warning that is displayed if the number of preview executions needed for the selected timeframe and rule interval is greater than 200: