Moved related.entity to security's alerts only

Author: kfirpeled

src/platform/packages/shared/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts

@@ -10,16 +10,15 @@
 import {
   ALERT_ACTION_GROUP,
   ALERT_CASE_IDS,
-  ALERT_CONSECUTIVE_MATCHES,
   ALERT_DURATION,
   ALERT_END,
-  ALERT_FLAPPING_HISTORY,
   ALERT_FLAPPING,
-  ALERT_INSTANCE_ID,
-  ALERT_INTENDED_TIMESTAMP,
-  ALERT_LAST_DETECTED,
+  ALERT_FLAPPING_HISTORY,
   ALERT_MAINTENANCE_WINDOW_IDS,
+  ALERT_CONSECUTIVE_MATCHES,
   ALERT_PENDING_RECOVERED_COUNT,
+  ALERT_INSTANCE_ID,
+  ALERT_LAST_DETECTED,
   ALERT_PREVIOUS_ACTION_GROUP,
   ALERT_REASON,
   ALERT_RULE_CATEGORY,
@@ -46,14 +45,14 @@ import {
   ALERT_WORKFLOW_ASSIGNEE_IDS,
   ALERT_WORKFLOW_STATUS,
   ALERT_WORKFLOW_TAGS,
+  SPACE_IDS,
+  TIMESTAMP,
+  VERSION,
   EVENT_ACTION,
   EVENT_KIND,
   EVENT_ORIGINAL,
-  RELATED_ENTITY,
-  SPACE_IDS,
   TAGS,
-  TIMESTAMP,
-  VERSION,
+  ALERT_INTENDED_TIMESTAMP,
 } from '@kbn/rule-data-utils';
 import type { MultiField } from './types';
 
@@ -277,11 +276,6 @@ export const alertFieldMap = {
     required: false,
     ignore_above: 1024,
   },
-  [RELATED_ENTITY]: {
-    type: 'keyword',
-    array: true,
-    required: false,
-  },
   [SPACE_IDS]: {
     type: 'keyword',
     array: true,

src/platform/packages/shared/kbn-rule-data-utils/src/default_alerts_as_data.ts

@@ -10,7 +10,6 @@
 import type { ValuesType } from 'utility-types';
 
 const TIMESTAMP = '@timestamp' as const;
-const RELATED_ENTITY = 'related.entity';
 
 // namespaces
 const KIBANA_NAMESPACE = 'kibana' as const;
@@ -147,22 +146,22 @@ const namespaces = {
 export const fields = {
   ALERT_ACTION_GROUP,
   ALERT_CASE_IDS,
-  ALERT_CONSECUTIVE_MATCHES,
   ALERT_DURATION,
   ALERT_END,
-  ALERT_FLAPPING_HISTORY,
   ALERT_FLAPPING,
-  ALERT_INSTANCE_ID,
-  ALERT_INTENDED_TIMESTAMP,
-  ALERT_LAST_DETECTED,
+  ALERT_FLAPPING_HISTORY,
   ALERT_MAINTENANCE_WINDOW_IDS,
   ALERT_PENDING_RECOVERED_COUNT,
+  ALERT_CONSECUTIVE_MATCHES,
+  ALERT_INSTANCE_ID,
+  ALERT_LAST_DETECTED,
   ALERT_PREVIOUS_ACTION_GROUP,
   ALERT_REASON,
   ALERT_RULE_CATEGORY,
   ALERT_RULE_CONSUMER,
   ALERT_RULE_EXECUTION_TIMESTAMP,
   ALERT_RULE_EXECUTION_TYPE,
+  ALERT_INTENDED_TIMESTAMP,
   ALERT_RULE_EXECUTION_UUID,
   ALERT_RULE_NAME,
   ALERT_RULE_PARAMETERS,
@@ -183,7 +182,6 @@ export const fields = {
   ALERT_WORKFLOW_ASSIGNEE_IDS,
   ALERT_WORKFLOW_STATUS,
   ALERT_WORKFLOW_TAGS,
-  RELATED_ENTITY,
   SPACE_IDS,
   TIMESTAMP,
   VERSION,
@@ -198,22 +196,22 @@ export {
   // fields
   ALERT_ACTION_GROUP,
   ALERT_CASE_IDS,
-  ALERT_CONSECUTIVE_MATCHES,
   ALERT_DURATION,
   ALERT_END,
-  ALERT_FLAPPING_HISTORY,
   ALERT_FLAPPING,
-  ALERT_INSTANCE_ID,
-  ALERT_INTENDED_TIMESTAMP,
-  ALERT_LAST_DETECTED,
+  ALERT_FLAPPING_HISTORY,
   ALERT_MAINTENANCE_WINDOW_IDS,
+  ALERT_CONSECUTIVE_MATCHES,
   ALERT_PENDING_RECOVERED_COUNT,
+  ALERT_INSTANCE_ID,
+  ALERT_LAST_DETECTED,
   ALERT_PREVIOUS_ACTION_GROUP,
   ALERT_REASON,
   ALERT_RULE_CATEGORY,
   ALERT_RULE_CONSUMER,
   ALERT_RULE_EXECUTION_TIMESTAMP,
   ALERT_RULE_EXECUTION_TYPE,
+  ALERT_INTENDED_TIMESTAMP,
   ALERT_RULE_EXECUTION_UUID,
   ALERT_RULE_NAME,
   ALERT_RULE_PARAMETERS,
@@ -234,7 +232,6 @@ export {
   ALERT_WORKFLOW_ASSIGNEE_IDS,
   ALERT_WORKFLOW_STATUS,
   ALERT_WORKFLOW_TAGS,
-  RELATED_ENTITY,
   SPACE_IDS,
   TIMESTAMP,
   VERSION,

x-pack/platform/plugins/shared/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts

@@ -368,13 +368,6 @@ describe('mappingFromFieldMap', () => {
             },
           },
         },
-        related: {
-          properties: {
-            entity: {
-              type: 'keyword',
-            },
-          },
-        },
         tags: {
           type: 'keyword',
         },

x-pack/platform/plugins/shared/alerting/server/integration_tests/__snapshots__/alert_as_data_fields.test.ts.snap

@@ -391,11 +391,6 @@ it('matches snapshot', () => {
         "required": false,
         "type": "version",
       },
-      "related.entity": Object {
-        "array": true,
-        "required": false,
-        "type": "keyword",
-      },
       "tags": Object {
         "array": true,
         "required": false,

x-pack/platform/plugins/shared/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts

@@ -69,9 +69,9 @@ export default function createAlertsAsDataDynamicTemplatesTest({ getService }: F
         const numberOfExistingFields = Object.keys(existingFields).length;
         // there is no way to get the real number of fields from ES.
         // Eventhough we have only as many as alertFieldMap fields,
-        // ES counts each child of the nested objects and multi_fields as separate fields.
-        // therefore we add 12 to get the real number.
-        const nestedObjectsAndMultiFields = 12;
+        // ES counts the each childs of the nested objects and multi_fields as seperate fields.
+        // therefore we add 11 to get the real number.
+        const nestedObjectsAndMultiFields = 11;
         // Number of free slots that we want to have, so we can add dynamic fields as many
         const numberofFreeSlots = 2;
         const totalFields =

x-pack/platform/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data/alerts_as_data_dynamic_templates.ts

@@ -6,7 +6,7 @@
  */
 
 import { alertsFieldMap8190 } from '../8.19.0';
-import { ACTOR_ENTITY_ID, TARGET_ENTITY_ID } from '../field_names';
+import { ACTOR_ENTITY_ID, RELATED_ENTITY, TARGET_ENTITY_ID } from '../field_names';
 
 export const alertsFieldMap920 = {
   ...alertsFieldMap8190,
@@ -20,6 +20,11 @@ export const alertsFieldMap920 = {
     array: true,
     required: false,
   },
+  [RELATED_ENTITY]: {
+    type: 'keyword',
+    array: true,
+    required: false,
+  },
   [TARGET_ENTITY_ID]: {
     type: 'keyword',
     array: true,

x-pack/solutions/security/plugins/security_solution/common/field_maps/9.2.0/alerts.ts

@@ -67,4 +67,5 @@ export const ALERT_RULE_TIMESTAMP_OVERRIDE = `${ALERT_RULE_NAMESPACE}.timestamp_
 export const ALERT_RULE_INDICES = `${ALERT_RULE_NAMESPACE}.indices` as const;
 
 export const ACTOR_ENTITY_ID = 'actor.entity.id' as const;
+export const RELATED_ENTITY = 'related.entity' as const;
 export const TARGET_ENTITY_ID = 'target.entity.id' as const;