elastic · angorayc · Nov 24, 2025 · Nov 27, 2025 · Dec 2, 2025 · Dec 2, 2025
diff --git a/x-pack/platform/plugins/private/translations/translations/de-DE.json b/x-pack/platform/plugins/private/translations/translations/de-DE.json
@@ -38414,7 +38414,6 @@
     "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.rules.copyExportQuery.description": "Loggen Sie sich in Ihr Splunk-Administratorkonto ein, gehen Sie zur {section} App und führen Sie die folgende Abfrage aus. Exportieren Sie Ihre Ergebnisse als {format}.",
     "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.rules.copyExportQuery.description.section": "Search und Berichterstattung",
     "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.rules.copyExportQuery.title": "Splunk-Regeln exportieren",
-    "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.rules.rulesFileUpload.prompt": "Wählen Sie die exportierte JSON-Datei aus oder ziehen Sie sie per Drag-and-Drop.",
     "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.rules.rulesFileUpload.title": "Exportierte Regeln aktualisieren",
     "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.rules.title": "Regeln hochladen",
     "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.title": "Splunk SIEM-Regeln hochladen",

diff --git a/x-pack/platform/plugins/private/translations/translations/fr-FR.json b/x-pack/platform/plugins/private/translations/translations/fr-FR.json
@@ -38807,7 +38807,6 @@
     "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.rules.copyExportQuery.description": "Connectez-vous à votre compte administrateur Splunk, rendez-vous dans l'application {section} et exécutez la recherche suivante. Exportez vos résultats au format {format}.",
     "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.rules.copyExportQuery.description.section": "Recherche et Rapports",
     "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.rules.copyExportQuery.title": "Exporter les règles Splunk",
-    "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.rules.rulesFileUpload.prompt": "Sélectionnez ou faites un cliquer-glisser sur le fichier JSON exporté",
     "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.rules.rulesFileUpload.title": "Mettre à jour les règles exportées",
     "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.rules.title": "Charger les règles",
     "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.title": "Charger les règles SIEM Splunk",

diff --git a/x-pack/platform/plugins/private/translations/translations/ja-JP.json b/x-pack/platform/plugins/private/translations/translations/ja-JP.json
@@ -38844,7 +38844,6 @@
     "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.rules.copyExportQuery.description": "Splunk管理者アカウントにログインし、{section}アプリを開き、次のクエリを実行します。結果を{format}でエクスポートします。",
     "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.rules.copyExportQuery.description.section": "検索とレポート",
     "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.rules.copyExportQuery.title": "Splunkをエクスポート",
-    "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.rules.rulesFileUpload.prompt": "エクスポートされたJSONファイルを選択するか、ドラッグしてドロップします",
     "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.rules.rulesFileUpload.title": "エクスポートしたルールを更新",
     "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.rules.title": "ルールのアップロード",
     "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.title": "Splunk SIEMルールをアップロード",

diff --git a/x-pack/platform/plugins/private/translations/translations/zh-CN.json b/x-pack/platform/plugins/private/translations/translations/zh-CN.json
@@ -38826,7 +38826,6 @@
     "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.rules.copyExportQuery.description": "登录到您的 Splunk 管理员帐户，前往 {section} 应用，然后运行以下查询。以 {format} 格式导出结果。",
     "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.rules.copyExportQuery.description.section": "搜索和报告",
     "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.rules.copyExportQuery.title": "导出 Splunk 规则",
-    "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.rules.rulesFileUpload.prompt": "选择或拖放导出的 JSON 文件",
     "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.rules.rulesFileUpload.title": "更新导出的规则",
     "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.rules.title": "上传规则",
     "xpack.securitySolution.siemMigrations.rules.dataInputFlyout.title": "上传 Splunk SIEM 规则",

@@ -62,7 +62,6 @@ export const MigrationNameInput = React.memo<MigrationNameInputProps>(
                 onBlur={onBlur}
                 onKeyDown={onEnter}
                 fullWidth
-                autoFocus
                 data-test-subj="migrationNameInput"
               />
             </EuiFormRow>

@@ -0,0 +1,55 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import React from 'react';
+import { render, screen } from '@testing-library/react';
+import { MigrationSource } from '../../types';
+import { MigrationSourceDropdown } from './migration_source_dropdown';
+import * as i18n from './translations';
+
+describe('MigrationSourceDropdown', () => {
+  const mockSetMigrationSource = jest.fn();
+
+  const defaultProps = {
+    migrationSource: MigrationSource.SPLUNK,
+    setMigrationSource: mockSetMigrationSource,
+    disabled: false,
+    migrationSourceOptions: [
+      {
+        value: MigrationSource.SPLUNK,
+        inputDisplay: <span>{i18n.MIGRATION_SOURCE_DROPDOWN_OPTION_SPLUNK}</span>,
+      },
+      {
+        value: MigrationSource.QRADAR,
+        inputDisplay: <span>{i18n.MIGRATION_SOURCE_DROPDOWN_OPTION_QRADAR}</span>,
+      },
+    ],
+  };
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it('renders with initial value', () => {
+    render(<MigrationSourceDropdown {...defaultProps} />);
+
+    const select = screen.getByTestId('migrationSourceDropdown');
+    expect(select.textContent).toContain(i18n.MIGRATION_SOURCE_DROPDOWN_OPTION_SPLUNK);
+  });
+
+  it('disables the dropdown when disabled equals true', () => {
+    render(<MigrationSourceDropdown {...defaultProps} disabled={true} />);
+
+    const select = screen.getByTestId('migrationSourceDropdown');
+    expect(select).toBeDisabled();
+  });
+
+  it('shows helper text when disabled', () => {
+    render(<MigrationSourceDropdown {...defaultProps} disabled={true} />);
+
+    expect(screen.getByText(i18n.MIGRATION_SOURCE_DROPDOWN_HELPER_TEXT)).toBeInTheDocument();
+  });
+});
@@ -0,0 +1,54 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import React, { useCallback, useState } from 'react';
+import { EuiFlexGroup, EuiFlexItem, EuiForm, EuiFormRow, EuiSuperSelect } from '@elastic/eui';
+import * as i18n from './translations';
+import type { MigrationSource } from '../../types';
+import type { MigrationSourceDropdownProps } from './use_migration_source_step';
+
+export const MigrationSourceDropdown = React.memo<MigrationSourceDropdownProps>(
+  ({ migrationSource, setMigrationSource, disabled, migrationSourceOptions }) => {
+    const [value, setValue] = useState<MigrationSource>(migrationSource);
+
+    const handleMigrationSourceChange = useCallback(
+      (selected: MigrationSource) => {
+        setValue(selected);
+        setMigrationSource(selected);
+      },
+      [setMigrationSource]
+    );
+
+    const onBlur = useCallback(() => {
+      setMigrationSource(value);
+    }, [setMigrationSource, value]);
+    return (
+      <EuiFlexGroup direction="column" gutterSize="s" alignItems="stretch">
+        <EuiFlexItem grow={true}>
+          <EuiForm>
+            <EuiFormRow
+              label={i18n.MIGRATION_SOURCE_DROPDOWN_TITLE}
+              fullWidth
+              helpText={disabled ? i18n.MIGRATION_SOURCE_DROPDOWN_HELPER_TEXT : undefined}
+            >
+              <EuiSuperSelect
+                options={migrationSourceOptions}
+                valueOfSelected={value}
+                onChange={handleMigrationSourceChange}
+                onBlur={onBlur}
+                autoFocus
+                data-test-subj="migrationSourceDropdown"
+                disabled={disabled}
+              />
+            </EuiFormRow>
+          </EuiForm>
+        </EuiFlexItem>
+      </EuiFlexGroup>
+    );
+  }
+);
+
+MigrationSourceDropdown.displayName = 'MigrationSourceDropdown';
@@ -0,0 +1,28 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { i18n } from '@kbn/i18n';
+
+export const MIGRATION_SOURCE_DROPDOWN_TITLE = i18n.translate(
+  'xpack.securitySolution.siemMigrations.common.dataInputFlyout.migrationSource.title',
+  { defaultMessage: 'Select migration source' }
+);
+
+export const MIGRATION_SOURCE_DROPDOWN_OPTION_SPLUNK = i18n.translate(
+  'xpack.securitySolution.siemMigrations.common.dataInputFlyout.migrationSource.option.splunk',
+  { defaultMessage: 'Splunk' }
+);
+
+export const MIGRATION_SOURCE_DROPDOWN_OPTION_QRADAR = i18n.translate(
+  'xpack.securitySolution.siemMigrations.common.dataInputFlyout.migrationSource.option.qradar',
+  { defaultMessage: 'QRadar' }
+);
+
+export const MIGRATION_SOURCE_DROPDOWN_HELPER_TEXT = i18n.translate(
+  'xpack.securitySolution.siemMigrations.common.dataInputFlyout.migrationSource.helperText',
+  { defaultMessage: 'You cannot change the migration source after creating a migration.' }
+);
@@ -0,0 +1,57 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type {
+  DataInputStepId,
+  QradarDataInputStep,
+  SplunkDataInputStep,
+} from '../../../rules/components/data_input_flyout/steps/constants';
+import type { LookupsDataInput } from '../../../rules/components/data_input_flyout/steps/lookups/lookups_data_input';
+import type { MacrosDataInput } from '../../../rules/components/data_input_flyout/steps/macros/macros_data_input';
+import type { RulesDataInput } from '../../../rules/components/data_input_flyout/steps/rules/rules_data_input';
+import type { OnMissingResourcesFetched } from '../../../rules/components/data_input_flyout/types';
+import type { RuleMigrationStats } from '../../../rules/types';
+import type { MigrationSource } from '../../types';
+
+interface RulesStep<T extends DataInputStepId = DataInputStepId> {
+  id: T;
+  Component: typeof RulesDataInput;
+  props?: React.ComponentProps<typeof RulesDataInput>;
+}
+interface MacrosStep {
+  id: DataInputStepId.SplunkMacros;
+  Component: typeof MacrosDataInput;
+  props?: React.ComponentProps<typeof MacrosDataInput>;
+}
+interface LookupsStep {
+  id: DataInputStepId.SplunkLookups;
+  Component: typeof LookupsDataInput;
+  props?: React.ComponentProps<typeof LookupsDataInput>;
+}
+
+export type Step<T extends DataInputStepId = DataInputStepId> =
+  T extends DataInputStepId.SplunkRules
+    ? RulesStep
+    : T extends DataInputStepId.QradarRules
+    ? RulesStep
+    : T extends DataInputStepId.SplunkMacros
+    ? MacrosStep
+    : LookupsStep;
+
+export type SplunkStep = RulesStep | MacrosStep | LookupsStep;
+
+export type SplunkMigrationSteps = SplunkStep[];
+
+export type QradarMigrationSteps = Array<Step<DataInputStepId.QradarRules>>;
+
+export interface RulesDataInputSubStepsProps {
+  dataInputStep: SplunkDataInputStep | QradarDataInputStep;
+  migrationSource: MigrationSource;
+  migrationStats?: RuleMigrationStats;
+  onMigrationCreated: (createdMigrationStats: RuleMigrationStats) => void;
+  onMissingResourcesFetched?: OnMissingResourcesFetched;
+}
@@ -0,0 +1,35 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { renderHook } from '@testing-library/react';
+import { useMigrationSourceOptions } from './use_migration_source_options';
+import { useIsExperimentalFeatureEnabled } from '../../../../common/hooks/use_experimental_features';
+import { MigrationSource } from '../../types';
+
+jest.mock('../../../../common/hooks/use_experimental_features', () => ({
+  useIsExperimentalFeatureEnabled: jest.fn(),
+}));
+
+describe('useMigrationSourceOptions', () => {
+  it('returns only Splunk option when QRadar feature is disabled', () => {
+    const { result } = renderHook(() => {
+      (useIsExperimentalFeatureEnabled as jest.Mock).mockReturnValue(false);
+      return useMigrationSourceOptions();
+    });
+    expect(result.current.length).toEqual(1);
+    expect(result.current[0].value).toEqual(MigrationSource.SPLUNK);
+  });
+  it('returns Splunk and QRadar options when QRadar feature is enabled', () => {
+    const { result } = renderHook(() => {
+      (useIsExperimentalFeatureEnabled as jest.Mock).mockReturnValue(true);
+      return useMigrationSourceOptions();
+    });
+    expect(result.current.length).toEqual(2);
+    expect(result.current[0].value).toEqual(MigrationSource.SPLUNK);
+    expect(result.current[1].value).toEqual(MigrationSource.QRADAR);
+  });
+});
@@ -0,0 +1,36 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import React from 'react';
+import type { EuiSuperSelectOption } from '@elastic/eui';
+import { EuiIcon } from '@elastic/eui';
+import { MigrationSource } from '../../types';
+import * as i18n from './translations';
+import { useIsExperimentalFeatureEnabled } from '../../../../common/hooks/use_experimental_features';
+
+export const useMigrationSourceOptions = () => {
+  const isQradarEnabled = useIsExperimentalFeatureEnabled('qradarRulesMigration');
+
+  const options: Array<EuiSuperSelectOption<MigrationSource>> = [
+    {
+      value: MigrationSource.SPLUNK,
+      inputDisplay: <span>{i18n.MIGRATION_SOURCE_DROPDOWN_OPTION_SPLUNK}</span>,
+    },
+  ];
+
+  if (isQradarEnabled) {
+    options.push({
+      value: MigrationSource.QRADAR,
+      inputDisplay: (
+        <span>
+          {i18n.MIGRATION_SOURCE_DROPDOWN_OPTION_QRADAR}
+          <EuiIcon type="flask" />
+        </span>
+      ),
+    });
+  }
+  return options;
+};
@@ -0,0 +1,33 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { useState } from 'react';
+import type { EuiSuperSelectOption } from '@elastic/eui';
+import type { MigrationSource } from '../../types';
+import { useMigrationSourceOptions } from './use_migration_source_options';
+
+export interface MigrationSourceDropdownProps {
+  migrationSource: MigrationSource;
+  setMigrationSource: (migrationSource: MigrationSource) => void;
+  disabled: boolean;
+  migrationSourceOptions: Array<EuiSuperSelectOption<MigrationSource>>;
+}
+
+export const useMigrationSourceStep = (initialMigrationSource: MigrationSource) => {
+  const migrationSourceOptions = useMigrationSourceOptions();
+  const [migrationSource, setMigrationSource] = useState<MigrationSource>(initialMigrationSource);
+  const [migrationSourceDisabled, setMigrationSourceDisabled] = useState<boolean>(
+    migrationSourceOptions.length <= 1
+  );
+  return {
+    migrationSource,
+    setMigrationSource,
+    migrationSourceDisabled,
+    setMigrationSourceDisabled,
+    migrationSourceOptions,
+  };
+};
@@ -0,0 +1,31 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { MigrationSource } from '../../types';
+import { DataInputStepId } from '../../../rules/components/data_input_flyout/steps/constants';
+import { RulesDataInput } from '../../../rules/components/data_input_flyout/steps/rules/rules_data_input';
+import { MacrosDataInput } from '../../../rules/components/data_input_flyout/steps/macros/macros_data_input';
+import { LookupsDataInput } from '../../../rules/components/data_input_flyout/steps/lookups/lookups_data_input';
+import type { QradarMigrationSteps, SplunkMigrationSteps } from '../migration_source_step/types';
+
+const SPLUNK_MIGRATION_STEPS: SplunkMigrationSteps = [
+  { id: DataInputStepId.SplunkRules, Component: RulesDataInput },
+  { id: DataInputStepId.SplunkMacros, Component: MacrosDataInput },
+  { id: DataInputStepId.SplunkLookups, Component: LookupsDataInput },
+] as const;
+
+const QRADAR_MIGRATION_STEPS: QradarMigrationSteps = [
+  { id: DataInputStepId.QradarRules, Component: RulesDataInput },
+] as const;
+
+export const STEP_COMPONENTS: {
+  [MigrationSource.SPLUNK]: SplunkMigrationSteps;
+  [MigrationSource.QRADAR]: QradarMigrationSteps;
+} = {
+  [MigrationSource.SPLUNK]: SPLUNK_MIGRATION_STEPS,
+  [MigrationSource.QRADAR]: QRADAR_MIGRATION_STEPS,
+};