From 19fa96752eaa96cff592da0ae8a98d3e34007045 Mon Sep 17 00:00:00 2001
From: Ryland Herrick <ryalnd@gmail.com>
Date: Fri, 2 Oct 2020 13:19:02 -0500
Subject: [PATCH] [Security Solution][Detections] EQL Validation (#77493)

* WIP: Adding new route for EQL Validation

This is mostly boilerplate with some rough parameter definitions; the
actual implementation of the validation is going to live in our
validateEql function.

A few tests are failing as the mocks haven't yet been implemented, I
need to see the shape of the responses first.

* Cherry-pick Marshall's EQL types

* Implements actual EQL validation

* Performs an EQL search
* filters out non-parsing errors, and returns what remains in the
  response
* Adds mocks for empty EQL responses (we don't yet have a need for
  mocked data, but we will when we unit-test validateEql)

* Adds validation calls to the EQL form input

* Adds EQL Validation response schema,mocks,tests
* Adds frontend function to call our validation endpoint
* Adds hook, useEqlValidation, to call the above function and return
  state
* Adds labels/help text for EQL Query bar
* EqlQueryBar consumes useEqlValidation and marks the field as invalid,
  but does not yet report errors.

* Do not call the validation API if query is not present

This causes a broader error that results in a 400 response; we can (and
do) handle the case of a blank query in the form itself.

* Remove EQL Help Text

It doesn't add any information for the user, and it currently looks bad
when combined with validation errors.

* Flesh out and use our popover for displaying validation errors

* Fixes issue where old errors were persisted after the user had made
  modifications

* Include verification_exception errors as validation errors

These include errors related to index fields and mappings.

* Generalize our validation helpers

We're concerned with validation errors; the source of those errors is an
implementation detail of these functions.

* Move error popover and EQL reference link to footer

This more closely resembles the new Eui Markdown editor, which places
errors and doc links in a footer.

* Fix jest tests following additional prop

* Add icon for EQL Rule card

* Fixes existing EqlQueryBar tests

These were broken by our use of useAppToasts and the EUI theme.

* Add unit tests around error rendering on EQL Query Bar

* Add tests for ErrorPopover

* Remove unused schema type

Decode doesn't do any additional processing, so we can use t.TypeOf here
(the default for buildRouteValidation).

* Remove duplicated header

* Use ignore parameter to prevent EQL validations from logging errors

Without `ignore: [400]` the ES client will log errors and then throw
them. We can catch the error, but the log is undesirable.

This updates the query to use the ignore parameter, along with updating
the validation logic to work with the updated response.

Adds some mocks and tests around these responses and helpers, since
these will exist independent of the validation implementation.

* Include mapping_exceptions during EQL query validation

These include errors for inaccessible indexes, which should be useful to
the rule writer in writing their EQL query.

* Display toast messages for non-validation messages

* fix type errors

This type was renamed.

* Do not request data in our validation request

By not having the cluster retrieve/send any data, this should saves us
a few CPU cycles.

* Move EQL validation to an async form validator

Rather than invoking a custom validation hook (useEqlValidation) at custom times (onBlur) in our EqlQueryBar
component, we can instead move this functionality to a form validation
function and have it be invoked automatically by our form when values
change. However, because we still need to handle the validation messages
slightly differently (place them in a popover as opposed to an
EuiFormRow), we also need custom error retrieval in the form of
getValidationResults.

After much pain, it was determined that the default behavior of
_.debounce does not work with async validator functions, as a debounced
call will not "wait" for the eventual invocation but will instead return
the most recently resolved value. This leads to stale validation
results and terrible UX, so I wrote a custom function (debounceAsync)
that behaves like we want/need; see tests for details.

* Invalidate our query field when index patterns change

Since EQL rules actually validate against the relevant indexes, changing
said indexes should invalidate/revalidate the query.

With the form lib, this is beautifully simple :)

* Set a min-height on our EQL textarea

* Remove unused prop from EqlQueryBar

Index corresponds to the value from the index field; now that our EQL
validation is performed by the form we have no need for it here.

* Update EQL overview link to point to elasticsearch docs

Adds an entry in our doclinks service, and uses that.

* Remove unused prop from stale tests

* Update docLinks documentation with new EQL link

* Fix bug where saved query rules had no type selected on Edit

* Wait for kibana requests to complete before moving between rule tabs

With our new async validation, a user can quickly navigate away from the
Definition tab before the validation has completed, resulting in the
form being invalidated. Any subsequent user actions cause the form to
correct itself, but until I can find a better solution here this really
just gives the validation time to complete and sidesteps the issue.
---
 ...-plugin-core-public.doclinksstart.links.md |   1 +
 ...kibana-plugin-core-public.doclinksstart.md |   2 +-
 .../public/doc_links/doc_links_service.ts     |   2 +
 src/core/public/public.api.md                 |   1 +
 .../security_solution/common/constants.ts     |   1 +
 .../request/eql_validation_schema.mock.ts     |  12 ++
 .../request/eql_validation_schema.test.ts     |  59 ++++++++++
 .../schemas/request/eql_validation_schema.ts  |  18 +++
 .../response/eql_validation_schema.mock.ts    |  17 +++
 .../response/eql_validation_schema.test.ts    |  59 ++++++++++
 .../schemas/response/eql_validation_schema.ts |  16 +++
 .../common/detection_engine/utils.ts          |   3 +-
 .../alerts_detection_rules_custom.spec.ts     |   3 +-
 .../cypress/screens/edit_rule.ts              |   2 +
 .../cypress/tasks/edit_rule.ts                |   6 +-
 .../public/common/hooks/eql/api.ts            |  31 ++++++
 .../rules/eql_query_bar/eql_overview_link.tsx |  26 +++++
 .../eql_query_bar/eql_query_bar.test.tsx      |  37 +++++-
 .../rules/eql_query_bar/eql_query_bar.tsx     |  53 +++++++--
 .../eql_query_bar/errors_popover.test.tsx     |  50 +++++++++
 .../rules/eql_query_bar/errors_popover.tsx    |  55 +++++++++
 .../components/rules/eql_query_bar/footer.tsx |  42 +++++++
 .../rules/eql_query_bar/translations.ts       |  42 +++++++
 .../rules/eql_query_bar/validators.mock.ts    |  19 ++++
 .../rules/eql_query_bar/validators.test.ts    |  52 +++++++++
 .../rules/eql_query_bar/validators.ts         | 105 ++++++++++++++++++
 .../select_rule_type/eql_search_icon.svg      |   6 +
 .../rules/select_rule_type/index.tsx          |   5 +-
 .../rules/step_define_rule/index.tsx          |   5 +
 .../rules/step_define_rule/schema.tsx         |  13 +--
 .../rules/step_define_rule/translations.tsx   |  14 +++
 .../public/shared_imports.ts                  |   1 +
 .../routes/__mocks__/request_context.ts       |   5 +-
 .../routes/__mocks__/request_responses.ts     |  27 ++++-
 .../routes/eql/helpers.mock.ts                |  69 ++++++++++++
 .../routes/eql/helpers.test.ts                |  58 ++++++++++
 .../detection_engine/routes/eql/helpers.ts    |  35 ++++++
 .../routes/eql/validate_eql.ts                |  46 ++++++++
 .../routes/eql/validation_route.test.ts       |  53 +++++++++
 .../routes/eql/validation_route.ts            |  49 ++++++++
 .../security_solution/server/routes/index.ts  |   4 +
 41 files changed, 1075 insertions(+), 29 deletions(-)
 create mode 100644 x-pack/plugins/security_solution/common/detection_engine/schemas/request/eql_validation_schema.mock.ts
 create mode 100644 x-pack/plugins/security_solution/common/detection_engine/schemas/request/eql_validation_schema.test.ts
 create mode 100644 x-pack/plugins/security_solution/common/detection_engine/schemas/request/eql_validation_schema.ts
 create mode 100644 x-pack/plugins/security_solution/common/detection_engine/schemas/response/eql_validation_schema.mock.ts
 create mode 100644 x-pack/plugins/security_solution/common/detection_engine/schemas/response/eql_validation_schema.test.ts
 create mode 100644 x-pack/plugins/security_solution/common/detection_engine/schemas/response/eql_validation_schema.ts
 create mode 100644 x-pack/plugins/security_solution/public/common/hooks/eql/api.ts
 create mode 100644 x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/eql_overview_link.tsx
 create mode 100644 x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/errors_popover.test.tsx
 create mode 100644 x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/errors_popover.tsx
 create mode 100644 x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/footer.tsx
 create mode 100644 x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/translations.ts
 create mode 100644 x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/validators.mock.ts
 create mode 100644 x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/validators.test.ts
 create mode 100644 x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/validators.ts
 create mode 100644 x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/eql_search_icon.svg
 create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/routes/eql/helpers.mock.ts
 create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/routes/eql/helpers.test.ts
 create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/routes/eql/helpers.ts
 create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/routes/eql/validate_eql.ts
 create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/routes/eql/validation_route.test.ts
 create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/routes/eql/validation_route.ts

diff --git a/docs/development/core/public/kibana-plugin-core-public.doclinksstart.links.md b/docs/development/core/public/kibana-plugin-core-public.doclinksstart.links.md
index f7b55b0650d8b..3afd5eaa6f1f7 100644
--- a/docs/development/core/public/kibana-plugin-core-public.doclinksstart.links.md
+++ b/docs/development/core/public/kibana-plugin-core-public.doclinksstart.links.md
@@ -91,6 +91,7 @@ readonly links: {
             readonly gettingStarted: string;
         };
         readonly query: {
+            readonly eql: string;
             readonly luceneQuerySyntax: string;
             readonly queryDsl: string;
             readonly kueryQuerySyntax: string;
diff --git a/docs/development/core/public/kibana-plugin-core-public.doclinksstart.md b/docs/development/core/public/kibana-plugin-core-public.doclinksstart.md
index 3f58cf08ee6b6..5249381969b98 100644
--- a/docs/development/core/public/kibana-plugin-core-public.doclinksstart.md
+++ b/docs/development/core/public/kibana-plugin-core-public.doclinksstart.md
@@ -17,5 +17,5 @@ export interface DocLinksStart
 |  --- | --- | --- |
 |  [DOC\_LINK\_VERSION](./kibana-plugin-core-public.doclinksstart.doc_link_version.md) | <code>string</code> |  |
 |  [ELASTIC\_WEBSITE\_URL](./kibana-plugin-core-public.doclinksstart.elastic_website_url.md) | <code>string</code> |  |
-|  [links](./kibana-plugin-core-public.doclinksstart.links.md) | <code>{</code><br/><code>        readonly dashboard: {</code><br/><code>            readonly drilldowns: string;</code><br/><code>            readonly drilldownsTriggerPicker: string;</code><br/><code>            readonly urlDrilldownTemplateSyntax: string;</code><br/><code>            readonly urlDrilldownVariables: string;</code><br/><code>        };</code><br/><code>        readonly filebeat: {</code><br/><code>            readonly base: string;</code><br/><code>            readonly installation: string;</code><br/><code>            readonly configuration: string;</code><br/><code>            readonly elasticsearchOutput: string;</code><br/><code>            readonly startup: string;</code><br/><code>            readonly exportedFields: string;</code><br/><code>        };</code><br/><code>        readonly auditbeat: {</code><br/><code>            readonly base: string;</code><br/><code>        };</code><br/><code>        readonly metricbeat: {</code><br/><code>            readonly base: string;</code><br/><code>        };</code><br/><code>        readonly heartbeat: {</code><br/><code>            readonly base: string;</code><br/><code>        };</code><br/><code>        readonly logstash: {</code><br/><code>            readonly base: string;</code><br/><code>        };</code><br/><code>        readonly functionbeat: {</code><br/><code>            readonly base: string;</code><br/><code>        };</code><br/><code>        readonly winlogbeat: {</code><br/><code>            readonly base: string;</code><br/><code>        };</code><br/><code>        readonly aggs: {</code><br/><code>            readonly date_histogram: string;</code><br/><code>            readonly date_range: string;</code><br/><code>            readonly filter: string;</code><br/><code>            readonly filters: string;</code><br/><code>            readonly geohash_grid: string;</code><br/><code>            readonly histogram: string;</code><br/><code>            readonly ip_range: string;</code><br/><code>            readonly range: string;</code><br/><code>            readonly significant_terms: string;</code><br/><code>            readonly terms: string;</code><br/><code>            readonly avg: string;</code><br/><code>            readonly avg_bucket: string;</code><br/><code>            readonly max_bucket: string;</code><br/><code>            readonly min_bucket: string;</code><br/><code>            readonly sum_bucket: string;</code><br/><code>            readonly cardinality: string;</code><br/><code>            readonly count: string;</code><br/><code>            readonly cumulative_sum: string;</code><br/><code>            readonly derivative: string;</code><br/><code>            readonly geo_bounds: string;</code><br/><code>            readonly geo_centroid: string;</code><br/><code>            readonly max: string;</code><br/><code>            readonly median: string;</code><br/><code>            readonly min: string;</code><br/><code>            readonly moving_avg: string;</code><br/><code>            readonly percentile_ranks: string;</code><br/><code>            readonly serial_diff: string;</code><br/><code>            readonly std_dev: string;</code><br/><code>            readonly sum: string;</code><br/><code>            readonly top_hits: string;</code><br/><code>        };</code><br/><code>        readonly scriptedFields: {</code><br/><code>            readonly scriptFields: string;</code><br/><code>            readonly scriptAggs: string;</code><br/><code>            readonly painless: string;</code><br/><code>            readonly painlessApi: string;</code><br/><code>            readonly painlessSyntax: string;</code><br/><code>            readonly luceneExpressions: string;</code><br/><code>        };</code><br/><code>        readonly indexPatterns: {</code><br/><code>            readonly loadingData: string;</code><br/><code>            readonly introduction: string;</code><br/><code>        };</code><br/><code>        readonly addData: string;</code><br/><code>        readonly kibana: string;</code><br/><code>        readonly siem: {</code><br/><code>            readonly guide: string;</code><br/><code>            readonly gettingStarted: string;</code><br/><code>        };</code><br/><code>        readonly query: {</code><br/><code>            readonly luceneQuerySyntax: string;</code><br/><code>            readonly queryDsl: string;</code><br/><code>            readonly kueryQuerySyntax: string;</code><br/><code>        };</code><br/><code>        readonly date: {</code><br/><code>            readonly dateMath: string;</code><br/><code>        };</code><br/><code>        readonly management: Record&lt;string, string&gt;;</code><br/><code>        readonly visualize: Record&lt;string, string&gt;;</code><br/><code>    }</code> |  |
+|  [links](./kibana-plugin-core-public.doclinksstart.links.md) | <code>{</code><br/><code>        readonly dashboard: {</code><br/><code>            readonly drilldowns: string;</code><br/><code>            readonly drilldownsTriggerPicker: string;</code><br/><code>            readonly urlDrilldownTemplateSyntax: string;</code><br/><code>            readonly urlDrilldownVariables: string;</code><br/><code>        };</code><br/><code>        readonly filebeat: {</code><br/><code>            readonly base: string;</code><br/><code>            readonly installation: string;</code><br/><code>            readonly configuration: string;</code><br/><code>            readonly elasticsearchOutput: string;</code><br/><code>            readonly startup: string;</code><br/><code>            readonly exportedFields: string;</code><br/><code>        };</code><br/><code>        readonly auditbeat: {</code><br/><code>            readonly base: string;</code><br/><code>        };</code><br/><code>        readonly metricbeat: {</code><br/><code>            readonly base: string;</code><br/><code>        };</code><br/><code>        readonly heartbeat: {</code><br/><code>            readonly base: string;</code><br/><code>        };</code><br/><code>        readonly logstash: {</code><br/><code>            readonly base: string;</code><br/><code>        };</code><br/><code>        readonly functionbeat: {</code><br/><code>            readonly base: string;</code><br/><code>        };</code><br/><code>        readonly winlogbeat: {</code><br/><code>            readonly base: string;</code><br/><code>        };</code><br/><code>        readonly aggs: {</code><br/><code>            readonly date_histogram: string;</code><br/><code>            readonly date_range: string;</code><br/><code>            readonly filter: string;</code><br/><code>            readonly filters: string;</code><br/><code>            readonly geohash_grid: string;</code><br/><code>            readonly histogram: string;</code><br/><code>            readonly ip_range: string;</code><br/><code>            readonly range: string;</code><br/><code>            readonly significant_terms: string;</code><br/><code>            readonly terms: string;</code><br/><code>            readonly avg: string;</code><br/><code>            readonly avg_bucket: string;</code><br/><code>            readonly max_bucket: string;</code><br/><code>            readonly min_bucket: string;</code><br/><code>            readonly sum_bucket: string;</code><br/><code>            readonly cardinality: string;</code><br/><code>            readonly count: string;</code><br/><code>            readonly cumulative_sum: string;</code><br/><code>            readonly derivative: string;</code><br/><code>            readonly geo_bounds: string;</code><br/><code>            readonly geo_centroid: string;</code><br/><code>            readonly max: string;</code><br/><code>            readonly median: string;</code><br/><code>            readonly min: string;</code><br/><code>            readonly moving_avg: string;</code><br/><code>            readonly percentile_ranks: string;</code><br/><code>            readonly serial_diff: string;</code><br/><code>            readonly std_dev: string;</code><br/><code>            readonly sum: string;</code><br/><code>            readonly top_hits: string;</code><br/><code>        };</code><br/><code>        readonly scriptedFields: {</code><br/><code>            readonly scriptFields: string;</code><br/><code>            readonly scriptAggs: string;</code><br/><code>            readonly painless: string;</code><br/><code>            readonly painlessApi: string;</code><br/><code>            readonly painlessSyntax: string;</code><br/><code>            readonly luceneExpressions: string;</code><br/><code>        };</code><br/><code>        readonly indexPatterns: {</code><br/><code>            readonly loadingData: string;</code><br/><code>            readonly introduction: string;</code><br/><code>        };</code><br/><code>        readonly addData: string;</code><br/><code>        readonly kibana: string;</code><br/><code>        readonly siem: {</code><br/><code>            readonly guide: string;</code><br/><code>            readonly gettingStarted: string;</code><br/><code>        };</code><br/><code>        readonly query: {</code><br/><code>            readonly eql: string;</code><br/><code>            readonly luceneQuerySyntax: string;</code><br/><code>            readonly queryDsl: string;</code><br/><code>            readonly kueryQuerySyntax: string;</code><br/><code>        };</code><br/><code>        readonly date: {</code><br/><code>            readonly dateMath: string;</code><br/><code>        };</code><br/><code>        readonly management: Record&lt;string, string&gt;;</code><br/><code>        readonly visualize: Record&lt;string, string&gt;;</code><br/><code>    }</code> |  |
 
diff --git a/src/core/public/doc_links/doc_links_service.ts b/src/core/public/doc_links/doc_links_service.ts
index f813a9326d741..63018c226c557 100644
--- a/src/core/public/doc_links/doc_links_service.ts
+++ b/src/core/public/doc_links/doc_links_service.ts
@@ -119,6 +119,7 @@ export class DocLinksService {
           gettingStarted: `${ELASTIC_WEBSITE_URL}guide/en/security/${DOC_LINK_VERSION}/index.html`,
         },
         query: {
+          eql: `${ELASTICSEARCH_DOCS}eql.html`,
           luceneQuerySyntax: `${ELASTICSEARCH_DOCS}query-dsl-query-string-query.html#query-string-syntax`,
           queryDsl: `${ELASTICSEARCH_DOCS}query-dsl.html`,
           kueryQuerySyntax: `${ELASTIC_WEBSITE_URL}guide/en/kibana/${DOC_LINK_VERSION}/kuery-query.html`,
@@ -228,6 +229,7 @@ export interface DocLinksStart {
       readonly gettingStarted: string;
     };
     readonly query: {
+      readonly eql: string;
       readonly luceneQuerySyntax: string;
       readonly queryDsl: string;
       readonly kueryQuerySyntax: string;
diff --git a/src/core/public/public.api.md b/src/core/public/public.api.md
index 5970c9a8571c4..08491dc76cd27 100644
--- a/src/core/public/public.api.md
+++ b/src/core/public/public.api.md
@@ -539,6 +539,7 @@ export interface DocLinksStart {
             readonly gettingStarted: string;
         };
         readonly query: {
+            readonly eql: string;
             readonly luceneQuerySyntax: string;
             readonly queryDsl: string;
             readonly kueryQuerySyntax: string;
diff --git a/x-pack/plugins/security_solution/common/constants.ts b/x-pack/plugins/security_solution/common/constants.ts
index 2910f02a187f4..e46bd9e28d8c4 100644
--- a/x-pack/plugins/security_solution/common/constants.ts
+++ b/x-pack/plugins/security_solution/common/constants.ts
@@ -117,6 +117,7 @@ export const DETECTION_ENGINE_PREPACKAGED_URL = `${DETECTION_ENGINE_RULES_URL}/p
 export const DETECTION_ENGINE_PRIVILEGES_URL = `${DETECTION_ENGINE_URL}/privileges`;
 export const DETECTION_ENGINE_INDEX_URL = `${DETECTION_ENGINE_URL}/index`;
 export const DETECTION_ENGINE_TAGS_URL = `${DETECTION_ENGINE_URL}/tags`;
+export const DETECTION_ENGINE_EQL_VALIDATION_URL = `${DETECTION_ENGINE_URL}/validate_eql`;
 export const DETECTION_ENGINE_RULES_STATUS_URL = `${DETECTION_ENGINE_RULES_URL}/_find_statuses`;
 export const DETECTION_ENGINE_PREPACKAGED_RULES_STATUS_URL = `${DETECTION_ENGINE_RULES_URL}/prepackaged/_status`;
 
diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/eql_validation_schema.mock.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/eql_validation_schema.mock.ts
new file mode 100644
index 0000000000000..96afc0c85df44
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/eql_validation_schema.mock.ts
@@ -0,0 +1,12 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { EqlValidationSchema } from './eql_validation_schema';
+
+export const getEqlValidationSchemaMock = (): EqlValidationSchema => ({
+  index: ['index-123'],
+  query: 'process where process.name == "regsvr32.exe"',
+});
diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/eql_validation_schema.test.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/eql_validation_schema.test.ts
new file mode 100644
index 0000000000000..84bb8e067bf75
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/eql_validation_schema.test.ts
@@ -0,0 +1,59 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { pipe } from 'fp-ts/lib/pipeable';
+import { left } from 'fp-ts/lib/Either';
+
+import { exactCheck } from '../../../exact_check';
+import { foldLeftRight, getPaths } from '../../../test_utils';
+import { eqlValidationSchema, EqlValidationSchema } from './eql_validation_schema';
+import { getEqlValidationSchemaMock } from './eql_validation_schema.mock';
+
+describe('EQL validation schema', () => {
+  it('requires a value for index', () => {
+    const payload = {
+      ...getEqlValidationSchemaMock(),
+      index: undefined,
+    };
+    const decoded = eqlValidationSchema.decode(payload);
+    const checked = exactCheck(payload, decoded);
+    const message = pipe(checked, foldLeftRight);
+
+    expect(getPaths(left(message.errors))).toEqual([
+      'Invalid value "undefined" supplied to "index"',
+    ]);
+    expect(message.schema).toEqual({});
+  });
+
+  it('requires a value for query', () => {
+    const payload = {
+      ...getEqlValidationSchemaMock(),
+      query: undefined,
+    };
+    const decoded = eqlValidationSchema.decode(payload);
+    const checked = exactCheck(payload, decoded);
+    const message = pipe(checked, foldLeftRight);
+
+    expect(getPaths(left(message.errors))).toEqual([
+      'Invalid value "undefined" supplied to "query"',
+    ]);
+    expect(message.schema).toEqual({});
+  });
+
+  it('validates a payload with index and query', () => {
+    const payload = getEqlValidationSchemaMock();
+    const decoded = eqlValidationSchema.decode(payload);
+    const checked = exactCheck(payload, decoded);
+    const message = pipe(checked, foldLeftRight);
+    const expected: EqlValidationSchema = {
+      index: ['index-123'],
+      query: 'process where process.name == "regsvr32.exe"',
+    };
+
+    expect(getPaths(left(message.errors))).toEqual([]);
+    expect(message.schema).toEqual(expected);
+  });
+});
diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/eql_validation_schema.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/eql_validation_schema.ts
new file mode 100644
index 0000000000000..abbbe33a32258
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/eql_validation_schema.ts
@@ -0,0 +1,18 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import * as t from 'io-ts';
+
+import { index, query } from '../common/schemas';
+
+export const eqlValidationSchema = t.exact(
+  t.type({
+    index,
+    query,
+  })
+);
+
+export type EqlValidationSchema = t.TypeOf<typeof eqlValidationSchema>;
diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/response/eql_validation_schema.mock.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/response/eql_validation_schema.mock.ts
new file mode 100644
index 0000000000000..98e5db47253fb
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/response/eql_validation_schema.mock.ts
@@ -0,0 +1,17 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { EqlValidationSchema } from './eql_validation_schema';
+
+export const getEqlValidationResponseMock = (): EqlValidationSchema => ({
+  valid: false,
+  errors: ['line 3:52: token recognition error at: '],
+});
+
+export const getValidEqlValidationResponseMock = (): EqlValidationSchema => ({
+  valid: true,
+  errors: [],
+});
diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/response/eql_validation_schema.test.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/response/eql_validation_schema.test.ts
new file mode 100644
index 0000000000000..939238e340cff
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/response/eql_validation_schema.test.ts
@@ -0,0 +1,59 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { pipe } from 'fp-ts/lib/pipeable';
+import { left } from 'fp-ts/lib/Either';
+
+import { exactCheck } from '../../../exact_check';
+import { foldLeftRight, getPaths } from '../../../test_utils';
+import { getEqlValidationResponseMock } from './eql_validation_schema.mock';
+import { eqlValidationSchema } from './eql_validation_schema';
+
+describe('EQL validation response schema', () => {
+  it('validates a typical response', () => {
+    const payload = getEqlValidationResponseMock();
+    const decoded = eqlValidationSchema.decode(payload);
+    const checked = exactCheck(payload, decoded);
+    const message = pipe(checked, foldLeftRight);
+
+    expect(getPaths(left(message.errors))).toEqual([]);
+    expect(message.schema).toEqual(getEqlValidationResponseMock());
+  });
+
+  it('invalidates a response with extra properties', () => {
+    const payload = { ...getEqlValidationResponseMock(), extra: 'nope' };
+    const decoded = eqlValidationSchema.decode(payload);
+    const checked = exactCheck(payload, decoded);
+    const message = pipe(checked, foldLeftRight);
+
+    expect(getPaths(left(message.errors))).toEqual(['invalid keys "extra"']);
+    expect(message.schema).toEqual({});
+  });
+
+  it('invalidates a response with missing properties', () => {
+    const payload = { ...getEqlValidationResponseMock(), valid: undefined };
+    const decoded = eqlValidationSchema.decode(payload);
+    const checked = exactCheck(payload, decoded);
+    const message = pipe(checked, foldLeftRight);
+
+    expect(getPaths(left(message.errors))).toEqual([
+      'Invalid value "undefined" supplied to "valid"',
+    ]);
+    expect(message.schema).toEqual({});
+  });
+
+  it('invalidates a response with properties of the wrong type', () => {
+    const payload = { ...getEqlValidationResponseMock(), errors: 'should be an array' };
+    const decoded = eqlValidationSchema.decode(payload);
+    const checked = exactCheck(payload, decoded);
+    const message = pipe(checked, foldLeftRight);
+
+    expect(getPaths(left(message.errors))).toEqual([
+      'Invalid value "should be an array" supplied to "errors"',
+    ]);
+    expect(message.schema).toEqual({});
+  });
+});
diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/response/eql_validation_schema.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/response/eql_validation_schema.ts
new file mode 100644
index 0000000000000..e999e1dd273f8
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/response/eql_validation_schema.ts
@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import * as t from 'io-ts';
+
+export const eqlValidationSchema = t.exact(
+  t.type({
+    valid: t.boolean,
+    errors: t.array(t.string),
+  })
+);
+
+export type EqlValidationSchema = t.TypeOf<typeof eqlValidationSchema>;
diff --git a/x-pack/plugins/security_solution/common/detection_engine/utils.ts b/x-pack/plugins/security_solution/common/detection_engine/utils.ts
index f76417099bb17..d7b23755699f5 100644
--- a/x-pack/plugins/security_solution/common/detection_engine/utils.ts
+++ b/x-pack/plugins/security_solution/common/detection_engine/utils.ts
@@ -19,5 +19,6 @@ export const hasNestedEntry = (entries: EntriesArray): boolean => {
 
 export const isEqlRule = (ruleType: Type | undefined): boolean => ruleType === 'eql';
 export const isThresholdRule = (ruleType: Type | undefined): boolean => ruleType === 'threshold';
-export const isQueryRule = (ruleType: Type | undefined): boolean => ruleType === 'query';
+export const isQueryRule = (ruleType: Type | undefined): boolean =>
+  ruleType === 'query' || ruleType === 'saved_query';
 export const isThreatMatchRule = (ruleType: Type): boolean => ruleType === 'threat_match';
diff --git a/x-pack/plugins/security_solution/cypress/integration/alerts_detection_rules_custom.spec.ts b/x-pack/plugins/security_solution/cypress/integration/alerts_detection_rules_custom.spec.ts
index f999c5cecc392..d8832dc4ee600 100644
--- a/x-pack/plugins/security_solution/cypress/integration/alerts_detection_rules_custom.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/alerts_detection_rules_custom.spec.ts
@@ -93,7 +93,7 @@ import {
   goToScheduleStepTab,
   waitForTheRuleToBeExecuted,
 } from '../tasks/create_new_rule';
-import { saveEditedRule } from '../tasks/edit_rule';
+import { saveEditedRule, waitForKibana } from '../tasks/edit_rule';
 import { esArchiverLoad, esArchiverUnload } from '../tasks/es_archiver';
 import { loginAndWaitForPageWithoutDateRange } from '../tasks/login';
 import { refreshPage } from '../tasks/security_header';
@@ -290,6 +290,7 @@ describe('Custom detection rules deletion and edition', () => {
   context('Edition', () => {
     it('Allows a rule to be edited', () => {
       editFirstRule();
+      waitForKibana();
 
       // expect define step to populate
       cy.get(CUSTOM_QUERY_INPUT).should('have.text', existingRule.customQuery);
diff --git a/x-pack/plugins/security_solution/cypress/screens/edit_rule.ts b/x-pack/plugins/security_solution/cypress/screens/edit_rule.ts
index 1bf0ff34ebd94..e25eb7453c63c 100644
--- a/x-pack/plugins/security_solution/cypress/screens/edit_rule.ts
+++ b/x-pack/plugins/security_solution/cypress/screens/edit_rule.ts
@@ -5,3 +5,5 @@
  */
 
 export const EDIT_SUBMIT_BUTTON = '[data-test-subj="ruleEditSubmitButton"]';
+export const KIBANA_LOADING_INDICATOR = '[data-test-subj="globalLoadingIndicator"]';
+export const KIBANA_LOADING_COMPLETE_INDICATOR = '[data-test-subj="globalLoadingIndicator-hidden"]';
diff --git a/x-pack/plugins/security_solution/cypress/tasks/edit_rule.ts b/x-pack/plugins/security_solution/cypress/tasks/edit_rule.ts
index 690a36058ec33..2dc1318ccb81d 100644
--- a/x-pack/plugins/security_solution/cypress/tasks/edit_rule.ts
+++ b/x-pack/plugins/security_solution/cypress/tasks/edit_rule.ts
@@ -4,9 +4,13 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { EDIT_SUBMIT_BUTTON } from '../screens/edit_rule';
+import { EDIT_SUBMIT_BUTTON, KIBANA_LOADING_COMPLETE_INDICATOR } from '../screens/edit_rule';
 
 export const saveEditedRule = () => {
   cy.get(EDIT_SUBMIT_BUTTON).should('exist').click({ force: true });
   cy.get(EDIT_SUBMIT_BUTTON).should('not.exist');
 };
+
+export const waitForKibana = () => {
+  cy.get(KIBANA_LOADING_COMPLETE_INDICATOR).should('exist');
+};
diff --git a/x-pack/plugins/security_solution/public/common/hooks/eql/api.ts b/x-pack/plugins/security_solution/public/common/hooks/eql/api.ts
new file mode 100644
index 0000000000000..11fe79910bc87
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/common/hooks/eql/api.ts
@@ -0,0 +1,31 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { HttpStart } from '../../../../../../../src/core/public';
+import { DETECTION_ENGINE_EQL_VALIDATION_URL } from '../../../../common/constants';
+import { EqlValidationSchema as EqlValidationRequest } from '../../../../common/detection_engine/schemas/request/eql_validation_schema';
+import { EqlValidationSchema as EqlValidationResponse } from '../../../../common/detection_engine/schemas/response/eql_validation_schema';
+
+interface ApiParams {
+  http: HttpStart;
+  signal: AbortSignal;
+}
+
+export const validateEql = async ({
+  http,
+  query,
+  index,
+  signal,
+}: ApiParams & EqlValidationRequest) => {
+  return http.fetch<EqlValidationResponse>(DETECTION_ENGINE_EQL_VALIDATION_URL, {
+    method: 'POST',
+    body: JSON.stringify({
+      query,
+      index,
+    }),
+    signal,
+  });
+};
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/eql_overview_link.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/eql_overview_link.tsx
new file mode 100644
index 0000000000000..e9891fc066ec2
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/eql_overview_link.tsx
@@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import styled from 'styled-components';
+import { EuiLink, EuiText } from '@elastic/eui';
+
+import { useKibana } from '../../../../common/lib/kibana';
+import { EQL_OVERVIEW_LINK_TEXT } from './translations';
+
+const InlineText = styled(EuiText)`
+  display: inline-block;
+`;
+
+export const EqlOverviewLink = () => {
+  const overviewUrl = useKibana().services.docLinks.links.query.eql;
+
+  return (
+    <EuiLink external href={overviewUrl} target="_blank">
+      <InlineText size="xs">{EQL_OVERVIEW_LINK_TEXT}</InlineText>
+    </EuiLink>
+  );
+};
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/eql_query_bar.test.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/eql_query_bar.test.tsx
index 331c0ba4c4491..5539e5eb2c294 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/eql_query_bar.test.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/eql_query_bar.test.tsx
@@ -7,9 +7,12 @@
 import React from 'react';
 import { shallow, mount } from 'enzyme';
 
-import { useFormFieldMock } from '../../../../common/mock';
+import { TestProviders, useFormFieldMock } from '../../../../common/mock';
 import { mockQueryBar } from '../../../pages/detection_engine/rules/all/__mocks__/mock';
 import { EqlQueryBar, EqlQueryBarProps } from './eql_query_bar';
+import { getEqlValidationError } from './validators.mock';
+
+jest.mock('../../../../common/lib/kibana');
 
 describe('EqlQueryBar', () => {
   let mockField: EqlQueryBarProps['field'];
@@ -27,7 +30,11 @@ describe('EqlQueryBar', () => {
   });
 
   it('sets the field value on input change', () => {
-    const wrapper = mount(<EqlQueryBar dataTestSubj="myQueryBar" field={mockField} />);
+    const wrapper = mount(
+      <TestProviders>
+        <EqlQueryBar dataTestSubj="myQueryBar" field={mockField} />
+      </TestProviders>
+    );
 
     wrapper
       .find('[data-test-subj="eqlQueryBarTextInput"]')
@@ -44,4 +51,30 @@ describe('EqlQueryBar', () => {
 
     expect(mockField.setValue).toHaveBeenCalledWith(expected);
   });
+
+  it('does not render errors for a valid query', () => {
+    const wrapper = mount(
+      <TestProviders>
+        <EqlQueryBar dataTestSubj="myQueryBar" field={mockField} />
+      </TestProviders>
+    );
+
+    expect(wrapper.find('[data-test-subj="eql-validation-errors-popover"]').exists()).toEqual(
+      false
+    );
+  });
+
+  it('renders errors for an invalid query', () => {
+    const invalidMockField = useFormFieldMock({
+      value: mockQueryBar,
+      errors: [getEqlValidationError()],
+    });
+    const wrapper = mount(
+      <TestProviders>
+        <EqlQueryBar dataTestSubj="myQueryBar" field={invalidMockField} />
+      </TestProviders>
+    );
+
+    expect(wrapper.find('[data-test-subj="eql-validation-errors-popover"]').exists()).toEqual(true);
+  });
 });
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/eql_query_bar.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/eql_query_bar.tsx
index e3f33ea9b9b87..f7ee5be18154c 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/eql_query_bar.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/eql_query_bar.tsx
@@ -4,11 +4,24 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React, { FC, useCallback, ChangeEvent } from 'react';
+import React, { FC, useCallback, ChangeEvent, useEffect, useState } from 'react';
+import styled from 'styled-components';
 import { EuiFormRow, EuiTextArea } from '@elastic/eui';
 
-import { FieldHook, getFieldValidityAndErrorMessage } from '../../../../shared_imports';
+import { FieldHook } from '../../../../shared_imports';
+import { useAppToasts } from '../../../../common/hooks/use_app_toasts';
 import { DefineStepRule } from '../../../pages/detection_engine/rules/types';
+import * as i18n from './translations';
+import { EqlQueryBarFooter } from './footer';
+import { getValidationResults } from './validators';
+
+const TextArea = styled(EuiTextArea)`
+  display: block;
+  border: ${({ theme }) => theme.eui.euiBorderThin};
+  border-bottom: 0;
+  box-shadow: none;
+  min-height: ${({ theme }) => theme.eui.euiFormControlHeight};
+`;
 
 export interface EqlQueryBarProps {
   dataTestSubj: string;
@@ -17,14 +30,27 @@ export interface EqlQueryBarProps {
 }
 
 export const EqlQueryBar: FC<EqlQueryBarProps> = ({ dataTestSubj, field, idAria }) => {
+  const { addError } = useAppToasts();
+  const [errorMessages, setErrorMessages] = useState<string[]>([]);
   const { setValue } = field;
-  const { isInvalid, errorMessage } = getFieldValidityAndErrorMessage(field);
+  const { isValid, message, messages, error } = getValidationResults(field);
   const fieldValue = field.value.query.query as string;
 
+  useEffect(() => {
+    setErrorMessages(messages ?? []);
+  }, [messages]);
+
+  useEffect(() => {
+    if (error) {
+      addError(error, { title: i18n.EQL_VALIDATION_REQUEST_ERROR });
+    }
+  }, [error, addError]);
+
   const handleChange = useCallback(
     (e: ChangeEvent<HTMLTextAreaElement>) => {
       const newQuery = e.target.value;
 
+      setErrorMessages([]);
       setValue({
         filters: [],
         query: {
@@ -41,19 +67,22 @@ export const EqlQueryBar: FC<EqlQueryBarProps> = ({ dataTestSubj, field, idAria
       label={field.label}
       labelAppend={field.labelAppend}
       helpText={field.helpText}
-      error={errorMessage}
-      isInvalid={isInvalid}
+      error={message}
+      isInvalid={!isValid}
       fullWidth
       data-test-subj={dataTestSubj}
       describedByIds={idAria ? [idAria] : undefined}
     >
-      <EuiTextArea
-        data-test-subj="eqlQueryBarTextInput"
-        fullWidth
-        isInvalid={isInvalid}
-        value={fieldValue}
-        onChange={handleChange}
-      />
+      <>
+        <TextArea
+          data-test-subj="eqlQueryBarTextInput"
+          fullWidth
+          isInvalid={!isValid}
+          value={fieldValue}
+          onChange={handleChange}
+        />
+        <EqlQueryBarFooter errors={errorMessages} />
+      </>
     </EuiFormRow>
   );
 };
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/errors_popover.test.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/errors_popover.test.tsx
new file mode 100644
index 0000000000000..01bd8afd0e4ab
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/errors_popover.test.tsx
@@ -0,0 +1,50 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import { shallow, mount } from 'enzyme';
+
+import { ErrorsPopover } from './errors_popover';
+
+describe('ErrorsPopover', () => {
+  let mockErrors: string[];
+
+  beforeEach(() => {
+    mockErrors = [];
+  });
+
+  it('renders correctly', () => {
+    const wrapper = shallow(<ErrorsPopover errors={mockErrors} />);
+
+    expect(wrapper.find('[data-test-subj="eql-validation-errors-popover"]')).toHaveLength(1);
+  });
+
+  it('renders the number of errors by default', () => {
+    mockErrors = ['error', 'other', 'third'];
+    const wrapper = mount(<ErrorsPopover errors={mockErrors} />);
+    expect(
+      wrapper.find('[data-test-subj="eql-validation-errors-popover"]').first().text()
+    ).toContain('3');
+  });
+
+  it('renders the error messages if clicked', () => {
+    mockErrors = ['error', 'other'];
+    const wrapper = mount(<ErrorsPopover errors={mockErrors} />);
+    wrapper
+      .find('[data-test-subj="eql-validation-errors-popover-button"]')
+      .first()
+      .simulate('click');
+
+    expect(
+      wrapper.find('[data-test-subj="eql-validation-errors-popover"]').first().text()
+    ).toContain('2');
+    const messagesContent = wrapper
+      .find('[data-test-subj="eql-validation-errors-popover-content"]')
+      .text();
+    expect(messagesContent).toContain('error');
+    expect(messagesContent).toContain('other');
+  });
+});
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/errors_popover.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/errors_popover.tsx
new file mode 100644
index 0000000000000..a7122b7dc65d8
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/errors_popover.tsx
@@ -0,0 +1,55 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React, { FC, useCallback, useState } from 'react';
+import { EuiButtonEmpty, EuiPopover, EuiPopoverTitle, EuiText } from '@elastic/eui';
+
+import * as i18n from './translations';
+
+export interface ErrorsPopoverProps {
+  ariaLabel?: string;
+  errors: string[];
+}
+
+export const ErrorsPopover: FC<ErrorsPopoverProps> = ({ ariaLabel, errors }) => {
+  const [isOpen, setIsOpen] = useState(false);
+
+  const handleToggle = useCallback(() => {
+    setIsOpen(!isOpen);
+  }, [isOpen]);
+
+  const handleClose = useCallback(() => {
+    setIsOpen(false);
+  }, []);
+
+  return (
+    <EuiPopover
+      data-test-subj="eql-validation-errors-popover"
+      button={
+        <EuiButtonEmpty
+          data-test-subj="eql-validation-errors-popover-button"
+          iconType="crossInACircleFilled"
+          size="s"
+          color="danger"
+          aria-label={ariaLabel}
+          onClick={handleToggle}
+        >
+          {errors.length}
+        </EuiButtonEmpty>
+      }
+      isOpen={isOpen}
+      closePopover={handleClose}
+      anchorPosition="downCenter"
+    >
+      <div data-test-subj="eql-validation-errors-popover-content">
+        <EuiPopoverTitle>{i18n.EQL_VALIDATION_ERRORS_TITLE}</EuiPopoverTitle>
+        {errors.map((message, idx) => (
+          <EuiText key={idx}>{message}</EuiText>
+        ))}
+      </div>
+    </EuiPopover>
+  );
+};
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/footer.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/footer.tsx
new file mode 100644
index 0000000000000..19bab26f8aa58
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/footer.tsx
@@ -0,0 +1,42 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React, { FC } from 'react';
+import styled from 'styled-components';
+import { EuiFlexGroup, EuiFlexItem, EuiPanel } from '@elastic/eui';
+
+import * as i18n from './translations';
+import { ErrorsPopover } from './errors_popover';
+import { EqlOverviewLink } from './eql_overview_link';
+
+export interface Props {
+  errors: string[];
+}
+
+const Container = styled(EuiPanel)`
+  border-radius: 0;
+  background: ${({ theme }) => theme.eui.euiPageBackgroundColor};
+  padding: ${({ theme }) => theme.eui.euiSizeXS};
+`;
+
+const FlexGroup = styled(EuiFlexGroup)`
+  min-height: ${({ theme }) => theme.eui.euiSizeXL};
+`;
+
+export const EqlQueryBarFooter: FC<Props> = ({ errors }) => (
+  <Container>
+    <FlexGroup alignItems="center" justifyContent="spaceBetween" gutterSize="none">
+      <EuiFlexItem>
+        {errors.length > 0 && (
+          <ErrorsPopover ariaLabel={i18n.EQL_VALIDATION_ERROR_POPOVER_LABEL} errors={errors} />
+        )}
+      </EuiFlexItem>
+      <EuiFlexItem grow={false}>
+        <EqlOverviewLink />
+      </EuiFlexItem>
+    </FlexGroup>
+  </Container>
+);
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/translations.ts b/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/translations.ts
new file mode 100644
index 0000000000000..8b016d9ad68cb
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/translations.ts
@@ -0,0 +1,42 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { i18n } from '@kbn/i18n';
+
+export const EQL_VALIDATION_REQUEST_ERROR = i18n.translate(
+  'xpack.securitySolution.detectionEngine.eqlValidation.requestError',
+  {
+    defaultMessage: 'An error occurred while validating your EQL query',
+  }
+);
+
+export const EQL_VALIDATION_ERRORS_TITLE = i18n.translate(
+  'xpack.securitySolution.detectionEngine.eqlValidation.title',
+  {
+    defaultMessage: 'EQL Validation Errors',
+  }
+);
+
+export const EQL_VALIDATION_ERROR_POPOVER_LABEL = i18n.translate(
+  'xpack.securitySolution.detectionEngine.eqlValidation.showErrorsLabel',
+  {
+    defaultMessage: 'Show EQL Validation Errors',
+  }
+);
+
+export const EQL_QUERY_BAR_LABEL = i18n.translate(
+  'xpack.securitySolution.detectionEngine.eqlQueryBar.label',
+  {
+    defaultMessage: 'Enter an EQL Query',
+  }
+);
+
+export const EQL_OVERVIEW_LINK_TEXT = i18n.translate(
+  'xpack.securitySolution.detectionEngine.eqlOverViewLink.text',
+  {
+    defaultMessage: 'Event Query Language (EQL) Overview',
+  }
+);
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/validators.mock.ts b/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/validators.mock.ts
new file mode 100644
index 0000000000000..40e45b9c2d470
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/validators.mock.ts
@@ -0,0 +1,19 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { ValidationError } from '../../../../shared_imports';
+import { ERROR_CODES } from './validators';
+
+export const getEqlResponseError = (): ValidationError => ({
+  code: ERROR_CODES.FAILED_REQUEST,
+  message: 'something went wrong',
+});
+
+export const getEqlValidationError = (): ValidationError => ({
+  code: ERROR_CODES.INVALID_EQL,
+  messages: ['line 1: WRONG\nline 2: ALSO WRONG'],
+  message: '',
+});
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/validators.test.ts b/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/validators.test.ts
new file mode 100644
index 0000000000000..24afce7bb18b0
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/validators.test.ts
@@ -0,0 +1,52 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { debounceAsync } from './validators';
+
+jest.useFakeTimers();
+
+describe('debounceAsync', () => {
+  let fn: jest.Mock;
+
+  beforeEach(() => {
+    fn = jest.fn().mockResolvedValueOnce('first');
+  });
+
+  it('resolves with the underlying invocation result', async () => {
+    const debounced = debounceAsync(fn, 0);
+    const promise = debounced();
+    jest.runOnlyPendingTimers();
+
+    expect(await promise).toEqual('first');
+  });
+
+  it('resolves intermediate calls when the next invocation resolves', async () => {
+    const debounced = debounceAsync(fn, 200);
+    fn.mockResolvedValueOnce('second');
+
+    const promise = debounced();
+    jest.runOnlyPendingTimers();
+    expect(await promise).toEqual('first');
+
+    const promises = [debounced(), debounced()];
+    jest.runOnlyPendingTimers();
+
+    expect(await Promise.all(promises)).toEqual(['second', 'second']);
+  });
+
+  it('debounces the function', async () => {
+    const debounced = debounceAsync(fn, 200);
+
+    debounced();
+    jest.runOnlyPendingTimers();
+
+    debounced();
+    debounced();
+    jest.runOnlyPendingTimers();
+
+    expect(fn).toHaveBeenCalledTimes(2);
+  });
+});
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/validators.ts b/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/validators.ts
new file mode 100644
index 0000000000000..165522c10916e
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/eql_query_bar/validators.ts
@@ -0,0 +1,105 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { isEmpty } from 'lodash';
+
+import { FieldHook, ValidationError, ValidationFunc } from '../../../../shared_imports';
+import { isEqlRule } from '../../../../../common/detection_engine/utils';
+import { KibanaServices } from '../../../../common/lib/kibana';
+import { DefineStepRule } from '../../../pages/detection_engine/rules/types';
+import { validateEql } from '../../../../common/hooks/eql/api';
+import { FieldValueQueryBar } from '../query_bar';
+import * as i18n from './translations';
+
+export enum ERROR_CODES {
+  FAILED_REQUEST = 'ERR_FAILED_REQUEST',
+  INVALID_EQL = 'ERR_INVALID_EQL',
+}
+
+/**
+ * Unlike lodash's debounce, which resolves intermediate calls with the most
+ * recent value, this implementation waits to resolve intermediate calls until
+ * the next invocation resolves.
+ *
+ * @param fn an async function
+ *
+ * @returns A debounced async function that resolves on the next invocation
+ */
+export const debounceAsync = <Args extends unknown[], Result extends Promise<unknown>>(
+  fn: (...args: Args) => Result,
+  interval: number
+): ((...args: Args) => Result) => {
+  let handle: ReturnType<typeof setTimeout> | undefined;
+  let resolves: Array<(value?: Result) => void> = [];
+
+  return (...args: Args): Result => {
+    if (handle) {
+      clearTimeout(handle);
+    }
+
+    handle = setTimeout(() => {
+      const result = fn(...args);
+      resolves.forEach((resolve) => resolve(result));
+      resolves = [];
+    }, interval);
+
+    return new Promise((resolve) => resolves.push(resolve)) as Result;
+  };
+};
+
+export const eqlValidator = async (
+  ...args: Parameters<ValidationFunc>
+): Promise<ValidationError<ERROR_CODES> | void | undefined> => {
+  const [{ value, formData }] = args;
+  const { query: queryValue } = value as FieldValueQueryBar;
+  const query = queryValue.query as string;
+  const { index, ruleType } = formData as DefineStepRule;
+
+  const needsValidation = isEqlRule(ruleType) && !isEmpty(query);
+  if (!needsValidation) {
+    return;
+  }
+
+  try {
+    const { http } = KibanaServices.get();
+    const signal = new AbortController().signal;
+    const response = await validateEql({ query, http, signal, index });
+
+    if (response?.valid === false) {
+      return {
+        code: ERROR_CODES.INVALID_EQL,
+        message: '',
+        messages: response.errors,
+      };
+    }
+  } catch (error) {
+    return {
+      code: ERROR_CODES.FAILED_REQUEST,
+      message: i18n.EQL_VALIDATION_REQUEST_ERROR,
+      error,
+    };
+  }
+};
+
+export const getValidationResults = <T = unknown>(
+  field: FieldHook<T>
+): { isValid: boolean; message: string; messages?: string[]; error?: Error } => {
+  const hasErrors = field.errors.length > 0;
+  const isValid = !field.isChangingValue && !hasErrors;
+
+  if (hasErrors) {
+    const [error] = field.errors;
+    const message = error.message;
+
+    if (error.code === ERROR_CODES.INVALID_EQL) {
+      return { isValid, message, messages: error.messages };
+    } else {
+      return { isValid, message, error: error.error };
+    }
+  } else {
+    return { isValid, message: '' };
+  }
+};
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/eql_search_icon.svg b/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/eql_search_icon.svg
new file mode 100644
index 0000000000000..716fff726293c
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/eql_search_icon.svg
@@ -0,0 +1,6 @@
+<svg width="26" height="24" viewBox="0 0 26 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+  <path fill-rule="evenodd" clip-rule="evenodd" d="M17.0699 15.5699C18.2787 14.0377 19 12.1031 19 10C19 5.02944 14.9706 1 10 1C5.02944 1 1 5.02944 1 10C1 14.9706 5.02944 19 10 19C11.7165 19 13.3208 18.5195 14.6856 17.6856L20 23H24.5L17.0699 15.5699Z" fill="white"/>
+  <path d="M17.0699 15.5699L16.6773 15.2602L16.402 15.6091L16.7163 15.9234L17.0699 15.5699ZM14.6856 17.6856L15.0392 17.332L14.7608 17.0537L14.4249 17.2589L14.6856 17.6856ZM20 23L19.6464 23.3536L19.7929 23.5H20V23ZM24.5 23V23.5H25.7071L24.8536 22.6464L24.5 23ZM18.5 10C18.5 11.9868 17.819 13.8131 16.6773 15.2602L17.4624 15.8796C18.7383 14.2623 19.5 12.2194 19.5 10H18.5ZM10 1.5C14.6944 1.5 18.5 5.30558 18.5 10H19.5C19.5 4.75329 15.2467 0.5 10 0.5V1.5ZM1.5 10C1.5 5.30558 5.30558 1.5 10 1.5V0.5C4.75329 0.5 0.5 4.75329 0.5 10H1.5ZM10 18.5C5.30558 18.5 1.5 14.6944 1.5 10H0.5C0.5 15.2467 4.75329 19.5 10 19.5V18.5ZM14.4249 17.2589C13.1363 18.0462 11.6219 18.5 10 18.5V19.5C11.8111 19.5 13.5052 18.9927 14.9463 18.1123L14.4249 17.2589ZM20.3536 22.6464L15.0392 17.332L14.332 18.0392L19.6464 23.3536L20.3536 22.6464ZM24.5 22.5H20V23.5H24.5V22.5ZM16.7163 15.9234L24.1464 23.3536L24.8536 22.6464L17.4234 15.2163L16.7163 15.9234Z" fill="black"/>
+  <circle cx="10" cy="10" r="5.5" stroke="black"/>
+  <path d="M8 11.2169V8.7831L10 7.5831L12 8.7831V11.2169L10 12.4169L8 11.2169Z" stroke="black"/>
+</svg>
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/index.tsx
index 9a1d11a2dfe42..4b96b8a0ad7bd 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/index.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/select_rule_type/index.tsx
@@ -7,6 +7,7 @@
 import React, { useCallback, useMemo } from 'react';
 import { EuiCard, EuiFlexGrid, EuiFlexItem, EuiFormRow, EuiIcon } from '@elastic/eui';
 
+import { Type } from '../../../../../common/detection_engine/schemas/common/schemas';
 import { isMlRule } from '../../../../../common/machine_learning/helpers';
 import {
   isThresholdRule,
@@ -18,7 +19,7 @@ import { FieldHook } from '../../../../shared_imports';
 import { useKibana } from '../../../../common/lib/kibana';
 import * as i18n from './translations';
 import { MlCardDescription } from './ml_card_description';
-import { Type } from '../../../../../common/detection_engine/schemas/common/schemas';
+import EqlSearchIcon from './eql_search_icon.svg';
 
 interface SelectRuleTypeProps {
   describedByIds?: string[];
@@ -144,7 +145,7 @@ export const SelectRuleType: React.FC<SelectRuleTypeProps> = ({
             data-test-subj="eqlRuleType"
             title={i18n.EQL_TYPE_TITLE}
             description={i18n.EQL_TYPE_DESCRIPTION}
-            icon={<EuiIcon size="l" type="bullseye" />}
+            icon={<EuiIcon size="l" type={EqlSearchIcon} />}
             isDisabled={eqlSelectableConfig.isDisabled && !eqlSelectableConfig.isSelected}
             selectable={eqlSelectableConfig}
           />
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx
index f728a508fef86..9bd0e4fb4da5d 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx
@@ -274,6 +274,10 @@ const StepDefineRuleComponent: FC<StepDefineRuleProps> = ({
                     isLoading: indexPatternsLoading,
                     dataTestSubj: 'detectionEngineStepDefineRuleEqlQueryBar',
                   }}
+                  config={{
+                    ...schema.queryBar,
+                    label: i18n.EQL_QUERY_BAR_LABEL,
+                  }}
                 />
               ) : (
                 <UseField
@@ -281,6 +285,7 @@ const StepDefineRuleComponent: FC<StepDefineRuleProps> = ({
                   path="queryBar"
                   config={{
                     ...schema.queryBar,
+                    label: i18n.QUERY_BAR_LABEL,
                     labelAppend: (
                       <MyLabelButton
                         data-test-subj="importQueryFromSavedTimeline"
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/schema.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/schema.tsx
index 9c2f8fd80f66e..ebffb1abf4787 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/schema.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/schema.tsx
@@ -4,9 +4,9 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { isEmpty } from 'lodash';
 import { i18n } from '@kbn/i18n';
 import { EuiText } from '@elastic/eui';
-import { isEmpty } from 'lodash/fp';
 import React from 'react';
 
 import {
@@ -25,6 +25,7 @@ import {
   ValidationFunc,
 } from '../../../../shared_imports';
 import { DefineStepRule } from '../../../pages/detection_engine/rules/types';
+import { debounceAsync, eqlValidator } from '../eql_query_bar/validators';
 import {
   CUSTOM_QUERY_REQUIRED,
   INVALID_CUSTOM_QUERY,
@@ -36,6 +37,7 @@ import {
 
 export const schema: FormSchema<DefineStepRule> = {
   index: {
+    fieldsToValidateOnChange: ['index', 'queryBar'],
     type: FIELD_TYPES.COMBO_BOX,
     label: i18n.translate(
       'xpack.securitySolution.detectionEngine.createRule.stepAboutRule.fiedIndexPatternsLabel',
@@ -69,12 +71,6 @@ export const schema: FormSchema<DefineStepRule> = {
     ],
   },
   queryBar: {
-    label: i18n.translate(
-      'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldQuerBarLabel',
-      {
-        defaultMessage: 'Custom query',
-      }
-    ),
     validations: [
       {
         validator: (
@@ -120,6 +116,9 @@ export const schema: FormSchema<DefineStepRule> = {
           }
         },
       },
+      {
+        validator: debounceAsync(eqlValidator, 300),
+      },
     ],
   },
   ruleType: {
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/translations.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/translations.tsx
index 8e0a3f9b8659e..164b1df8463e6 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/translations.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/translations.tsx
@@ -71,6 +71,20 @@ export const ENABLE_ML_JOB_WARNING = i18n.translate(
   }
 );
 
+export const QUERY_BAR_LABEL = i18n.translate(
+  'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldQuerBarLabel',
+  {
+    defaultMessage: 'Custom query',
+  }
+);
+
+export const EQL_QUERY_BAR_LABEL = i18n.translate(
+  'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.EqlQueryBarLabel',
+  {
+    defaultMessage: 'EQL query',
+  }
+);
+
 export const THREAT_MATCH_INDEX_HELPER_TEXT = i18n.translate(
   'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.threatMatchingIcesHelperDescription',
   {
diff --git a/x-pack/plugins/security_solution/public/shared_imports.ts b/x-pack/plugins/security_solution/public/shared_imports.ts
index 08e9fb854e5a2..f60fefc4f6dfa 100644
--- a/x-pack/plugins/security_solution/public/shared_imports.ts
+++ b/x-pack/plugins/security_solution/public/shared_imports.ts
@@ -22,6 +22,7 @@ export {
   useForm,
   useFormContext,
   useFormData,
+  ValidationError,
   ValidationFunc,
   VALIDATION_TYPES,
 } from '../../../../src/plugins/es_ui_shared/static/forms/hook_form_lib';
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_context.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_context.ts
index c45dd5bd8a281..8e379e5caa89e 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_context.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_context.ts
@@ -18,6 +18,7 @@ const createMockClients = () => ({
   alertsClient: alertsClientMock.create(),
   clusterClient: elasticsearchServiceMock.createLegacyScopedClusterClient(),
   licensing: { license: licensingMock.createLicenseMock() },
+  newClusterClient: elasticsearchServiceMock.createScopedClusterClient(),
   savedObjectsClient: savedObjectsClientMock.create(),
   appClient: siemMock.createClient(),
 });
@@ -31,7 +32,9 @@ const createRequestContextMock = (
     core: {
       ...coreContext,
       elasticsearch: {
-        legacy: { ...coreContext.elasticsearch, client: clients.clusterClient },
+        ...coreContext.elasticsearch,
+        client: clients.newClusterClient,
+        legacy: { ...coreContext.elasticsearch.legacy, client: clients.clusterClient },
       },
       savedObjects: { client: clients.savedObjectsClient },
     },
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts
index 894ac2e0bb703..33da5a0c2322d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts
@@ -15,8 +15,9 @@ import {
   INTERNAL_RULE_ID_KEY,
   INTERNAL_IMMUTABLE_KEY,
   DETECTION_ENGINE_PREPACKAGED_URL,
+  DETECTION_ENGINE_EQL_VALIDATION_URL,
 } from '../../../../../common/constants';
-import { ShardsResponse } from '../../../types';
+import { EqlSearchResponse, ShardsResponse } from '../../../types';
 import {
   RuleAlertType,
   IRuleSavedAttributesSavedObjectAttributes,
@@ -28,6 +29,7 @@ import { QuerySignalsSchemaDecoded } from '../../../../../common/detection_engin
 import { SetSignalsStatusSchemaDecoded } from '../../../../../common/detection_engine/schemas/request/set_signal_status_schema';
 import { getCreateRulesSchemaMock } from '../../../../../common/detection_engine/schemas/request/create_rules_schema.mock';
 import { getListArrayMock } from '../../../../../common/detection_engine/schemas/types/lists.mock';
+import { getEqlValidationSchemaMock } from '../../../../../common/detection_engine/schemas/request/eql_validation_schema.mock';
 
 export const typicalSetStatusSignalByIdsPayload = (): SetSignalsStatusSchemaDecoded => ({
   signal_ids: ['somefakeid1', 'somefakeid2'],
@@ -145,6 +147,13 @@ export const getPrepackagedRulesStatusRequest = () =>
     path: `${DETECTION_ENGINE_PREPACKAGED_URL}/_status`,
   });
 
+export const eqlValidationRequest = () =>
+  requestMock.create({
+    method: 'post',
+    path: DETECTION_ENGINE_EQL_VALIDATION_URL,
+    body: getEqlValidationSchemaMock(),
+  });
+
 export interface FindHit<T = RuleAlertType> {
   page: number;
   perPage: number;
@@ -577,6 +586,22 @@ export const getEmptySignalsResponse = (): SignalSearchResponse => ({
   },
 });
 
+export const getEmptyEqlSearchResponse = (): EqlSearchResponse<unknown> => ({
+  hits: { total: { value: 0, relation: 'eq' }, events: [] },
+  is_partial: false,
+  is_running: false,
+  took: 1,
+  timed_out: false,
+});
+
+export const getEmptyEqlSequencesResponse = (): EqlSearchResponse<unknown> => ({
+  hits: { total: { value: 0, relation: 'eq' }, sequences: [] },
+  is_partial: false,
+  is_running: false,
+  took: 1,
+  timed_out: false,
+});
+
 export const getSuccessfulSignalUpdateResponse = () => ({
   took: 18,
   timed_out: false,
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/eql/helpers.mock.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/eql/helpers.mock.ts
new file mode 100644
index 0000000000000..4aa4c38802a92
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/eql/helpers.mock.ts
@@ -0,0 +1,69 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { ApiResponse } from '@elastic/elasticsearch';
+import { ErrorResponse } from './helpers';
+
+export const getValidEqlResponse = (): ApiResponse['body'] => ({
+  is_partial: false,
+  is_running: false,
+  took: 162,
+  timed_out: false,
+  hits: {
+    total: {
+      value: 1,
+      relation: 'eq',
+    },
+    sequences: [],
+  },
+});
+
+export const getEqlResponseWithValidationError = (): ErrorResponse => ({
+  error: {
+    root_cause: [
+      {
+        type: 'verification_exception',
+        reason:
+          'Found 2 problems\nline 1:1: Unknown column [event.category]\nline 1:13: Unknown column [event.name]',
+      },
+    ],
+    type: 'verification_exception',
+    reason:
+      'Found 2 problems\nline 1:1: Unknown column [event.category]\nline 1:13: Unknown column [event.name]',
+  },
+});
+
+export const getEqlResponseWithValidationErrors = (): ErrorResponse => ({
+  error: {
+    root_cause: [
+      {
+        type: 'verification_exception',
+        reason:
+          'Found 2 problems\nline 1:1: Unknown column [event.category]\nline 1:13: Unknown column [event.name]',
+      },
+      {
+        type: 'parsing_exception',
+        reason: "line 1:4: mismatched input '<EOF>' expecting 'where'",
+      },
+    ],
+    type: 'verification_exception',
+    reason:
+      'Found 2 problems\nline 1:1: Unknown column [event.category]\nline 1:13: Unknown column [event.name]',
+  },
+});
+
+export const getEqlResponseWithNonValidationError = (): ApiResponse['body'] => ({
+  error: {
+    root_cause: [
+      {
+        type: 'other_error',
+        reason: 'some other reason',
+      },
+    ],
+    type: 'other_error',
+    reason: 'some other reason',
+  },
+});
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/eql/helpers.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/eql/helpers.test.ts
new file mode 100644
index 0000000000000..41a1ef0faf69f
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/eql/helpers.test.ts
@@ -0,0 +1,58 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { getValidationErrors, isErrorResponse, isValidationErrorResponse } from './helpers';
+import {
+  getEqlResponseWithNonValidationError,
+  getEqlResponseWithValidationError,
+  getEqlResponseWithValidationErrors,
+  getValidEqlResponse,
+} from './helpers.mock';
+
+describe('eql validation helpers', () => {
+  describe('isErrorResponse', () => {
+    it('is false for a regular response', () => {
+      expect(isErrorResponse(getValidEqlResponse())).toEqual(false);
+    });
+
+    it('is true for a response with non-validation errors', () => {
+      expect(isErrorResponse(getEqlResponseWithNonValidationError())).toEqual(true);
+    });
+
+    it('is true for a response with validation errors', () => {
+      expect(isErrorResponse(getEqlResponseWithValidationError())).toEqual(true);
+    });
+  });
+
+  describe('isValidationErrorResponse', () => {
+    it('is false for a regular response', () => {
+      expect(isValidationErrorResponse(getValidEqlResponse())).toEqual(false);
+    });
+
+    it('is false for a response with non-validation errors', () => {
+      expect(isValidationErrorResponse(getEqlResponseWithNonValidationError())).toEqual(false);
+    });
+
+    it('is true for a response with validation errors', () => {
+      expect(isValidationErrorResponse(getEqlResponseWithValidationError())).toEqual(true);
+    });
+  });
+
+  describe('getValidationErrors', () => {
+    it('returns a single error for a single root cause', () => {
+      expect(getValidationErrors(getEqlResponseWithValidationError())).toEqual([
+        'Found 2 problems\nline 1:1: Unknown column [event.category]\nline 1:13: Unknown column [event.name]',
+      ]);
+    });
+
+    it('returns multiple errors for multiple root causes', () => {
+      expect(getValidationErrors(getEqlResponseWithValidationErrors())).toEqual([
+        'Found 2 problems\nline 1:1: Unknown column [event.category]\nline 1:13: Unknown column [event.name]',
+        "line 1:4: mismatched input '<EOF>' expecting 'where'",
+      ]);
+    });
+  });
+});
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/eql/helpers.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/eql/helpers.ts
new file mode 100644
index 0000000000000..71601574802ce
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/eql/helpers.ts
@@ -0,0 +1,35 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import get from 'lodash/get';
+import has from 'lodash/has';
+
+const PARSING_ERROR_TYPE = 'parsing_exception';
+const VERIFICATION_ERROR_TYPE = 'verification_exception';
+const MAPPING_ERROR_TYPE = 'mapping_exception';
+
+interface ErrorCause {
+  type: string;
+  reason: string;
+}
+
+export interface ErrorResponse {
+  error: ErrorCause & { root_cause: ErrorCause[] };
+}
+
+const isValidationErrorType = (type: unknown): boolean =>
+  type === PARSING_ERROR_TYPE || type === VERIFICATION_ERROR_TYPE || type === MAPPING_ERROR_TYPE;
+
+export const isErrorResponse = (response: unknown): response is ErrorResponse =>
+  has(response, 'error.type');
+
+export const isValidationErrorResponse = (response: unknown): response is ErrorResponse =>
+  isErrorResponse(response) && isValidationErrorType(get(response, 'error.type'));
+
+export const getValidationErrors = (response: ErrorResponse): string[] =>
+  response.error.root_cause
+    .filter((cause) => isValidationErrorType(cause.type))
+    .map((cause) => cause.reason);
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/eql/validate_eql.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/eql/validate_eql.ts
new file mode 100644
index 0000000000000..ab3bbc7b06cc9
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/eql/validate_eql.ts
@@ -0,0 +1,46 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { ElasticsearchClient } from '../../../../../../../../src/core/server';
+import { getValidationErrors, isErrorResponse, isValidationErrorResponse } from './helpers';
+
+export interface Validation {
+  isValid: boolean;
+  errors: string[];
+}
+
+export interface ValidateEqlParams {
+  client: ElasticsearchClient;
+  index: string[];
+  query: string;
+}
+
+export const validateEql = async ({
+  client,
+  index,
+  query,
+}: ValidateEqlParams): Promise<Validation> => {
+  const response = await client.eql.search(
+    {
+      // @ts-expect-error type is missing allow_no_indices
+      allow_no_indices: true,
+      index: index.join(','),
+      body: {
+        query,
+        size: 0,
+      },
+    },
+    { ignore: [400] }
+  );
+
+  if (isValidationErrorResponse(response.body)) {
+    return { isValid: false, errors: getValidationErrors(response.body) };
+  } else if (isErrorResponse(response.body)) {
+    throw new Error(JSON.stringify(response.body));
+  } else {
+    return { isValid: true, errors: [] };
+  }
+};
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/eql/validation_route.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/eql/validation_route.test.ts
new file mode 100644
index 0000000000000..9fe2c13cff71a
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/eql/validation_route.test.ts
@@ -0,0 +1,53 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { ApiResponse, TransportRequestPromise } from '@elastic/elasticsearch/lib/Transport';
+import { serverMock, requestContextMock } from '../__mocks__';
+import { eqlValidationRequest, getEmptyEqlSearchResponse } from '../__mocks__/request_responses';
+import { eqlValidationRoute } from './validation_route';
+
+describe('validate_eql route', () => {
+  let server: ReturnType<typeof serverMock.create>;
+  let { clients, context } = requestContextMock.createTools();
+
+  beforeEach(() => {
+    server = serverMock.create();
+    ({ clients, context } = requestContextMock.createTools());
+
+    clients.newClusterClient.asCurrentUser.eql.search.mockResolvedValue(
+      (getEmptyEqlSearchResponse() as unknown) as TransportRequestPromise<
+        ApiResponse<unknown, unknown>
+      >
+    );
+    eqlValidationRoute(server.router);
+  });
+
+  describe('normal status codes', () => {
+    test('returns 200 when doing a normal request', async () => {
+      const response = await server.inject(eqlValidationRequest(), context);
+      expect(response.status).toEqual(200);
+    });
+
+    test('returns the payload when doing a normal request', async () => {
+      const response = await server.inject(eqlValidationRequest(), context);
+      const expectedBody = {
+        valid: true,
+        errors: [],
+      };
+      expect(response.status).toEqual(200);
+      expect(response.body).toEqual(expectedBody);
+    });
+
+    test('returns 500 when bad response from cluster', async () => {
+      clients.newClusterClient.asCurrentUser.eql.search.mockImplementation(() => {
+        throw new Error('Test error');
+      });
+      const response = await server.inject(eqlValidationRequest(), context);
+      expect(response.status).toEqual(500);
+      expect(response.body).toEqual({ message: 'Test error', status_code: 500 });
+    });
+  });
+});
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/eql/validation_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/eql/validation_route.ts
new file mode 100644
index 0000000000000..478cefbc5ba8e
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/eql/validation_route.ts
@@ -0,0 +1,49 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { IRouter } from '../../../../../../../../src/core/server';
+import { eqlValidationSchema } from '../../../../../common/detection_engine/schemas/request/eql_validation_schema';
+import { DETECTION_ENGINE_EQL_VALIDATION_URL } from '../../../../../common/constants';
+import { buildRouteValidation } from '../../../../utils/build_validation/route_validation';
+import { transformError, buildSiemResponse } from '../utils';
+import { validateEql } from './validate_eql';
+
+export const eqlValidationRoute = (router: IRouter) => {
+  router.post(
+    {
+      path: DETECTION_ENGINE_EQL_VALIDATION_URL,
+      validate: {
+        body: buildRouteValidation(eqlValidationSchema),
+      },
+      options: {
+        tags: ['access:securitySolution'],
+      },
+    },
+    async (context, request, response) => {
+      const siemResponse = buildSiemResponse(response);
+      const { query, index } = request.body;
+      const esClient = context.core.elasticsearch.client.asCurrentUser;
+
+      try {
+        const validation = await validateEql({
+          client: esClient,
+          query,
+          index,
+        });
+
+        return response.ok({
+          body: { valid: validation.isValid, errors: validation.errors },
+        });
+      } catch (err) {
+        const error = transformError(err);
+        return siemResponse.error({
+          body: error.message,
+          statusCode: error.statusCode,
+        });
+      }
+    }
+  );
+};
diff --git a/x-pack/plugins/security_solution/server/routes/index.ts b/x-pack/plugins/security_solution/server/routes/index.ts
index 000bd875930f9..fff3cd4b2e391 100644
--- a/x-pack/plugins/security_solution/server/routes/index.ts
+++ b/x-pack/plugins/security_solution/server/routes/index.ts
@@ -34,6 +34,7 @@ import { createTimelinesRoute } from '../lib/timeline/routes/create_timelines_ro
 import { updateTimelinesRoute } from '../lib/timeline/routes/update_timelines_route';
 import { getDraftTimelinesRoute } from '../lib/timeline/routes/get_draft_timelines_route';
 import { cleanDraftTimelinesRoute } from '../lib/timeline/routes/clean_draft_timelines_route';
+import { eqlValidationRoute } from '../lib/detection_engine/routes/eql/validation_route';
 import { SetupPlugins } from '../plugin';
 import { ConfigType } from '../config';
 import { installPrepackedTimelinesRoute } from '../lib/timeline/routes/install_prepacked_timelines_route';
@@ -94,4 +95,7 @@ export const initRoutes = (
 
   // Privileges API to get the generic user privileges
   readPrivilegesRoute(router, security, usingEphemeralEncryptionKey);
+
+  // Route used by the UI for form validation
+  eqlValidationRoute(router);
 };