Added mapping for actor and target entity id, related.entity

src/platform/packages/shared/kbn-alerts-as-data-utils/src/schemas/generated/security_schema.ts

@@ -120,6 +120,7 @@ const SecurityAlertRequired = rt.type({
 });
 // prettier-ignore
 const SecurityAlertOptional = rt.partial({
+  'actor.entity.id': schemaStringArray,
   'ecs.version': schemaString,
   'event.action': schemaString,
   'event.kind': schemaString,
@@ -219,10 +220,12 @@ const SecurityAlertOptional = rt.partial({
   'kibana.alert.workflow_tags': schemaStringArray,
   'kibana.alert.workflow_user': schemaString,
   'kibana.version': schemaString,
+  'related.entity': schemaStringArray,
   'service.asset.criticality': schemaString,
   'service.risk.calculated_level': schemaString,
   'service.risk.calculated_score_norm': schemaNumber,
   tags: schemaStringArray,
+  'target.entity.id': schemaStringArray,
   'user.asset.criticality': schemaString,
 });
 

x-pack/solutions/security/plugins/security_solution/common/field_maps/9.2.0/alerts.ts

@@ -0,0 +1,35 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { alertsFieldMap8190 } from '../8.19.0';
+import { ACTOR_ENTITY_ID, RELATED_ENTITY, TARGET_ENTITY_ID } from '../field_names';
+
+export const alertsFieldMap920 = {
+  ...alertsFieldMap8190,
+  /**
+   * Part of audit logs fields that are now processed. These fields helps us present alerts and logs in a graphical way.
+   * Both actor and target fields are a work in progress to become part of ECS.
+   * Right now, these fields are only relevant for security's alerts and audit logs. Therefore, we add them here.
+   */
+  [ACTOR_ENTITY_ID]: {
+    type: 'keyword',
+    array: true,
+    required: false,
+  },
+  [RELATED_ENTITY]: {
+    type: 'keyword',
+    array: true,
+    required: false,
+  },
+  [TARGET_ENTITY_ID]: {
+    type: 'keyword',
+    array: true,
+    required: false,
+  },
+} as const;
+
+export type AlertsFieldMap920 = typeof alertsFieldMap920;

x-pack/solutions/security/plugins/security_solution/common/field_maps/9.2.0/index.ts

@@ -0,0 +1,9 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export type { AlertsFieldMap920 } from './alerts';
+export { alertsFieldMap920 } from './alerts';

x-pack/solutions/security/plugins/security_solution/common/field_maps/field_names.ts

@@ -65,3 +65,7 @@ export const ALERT_RULE_TIMELINE_ID = `${ALERT_RULE_NAMESPACE}.timeline_id` as c
 export const ALERT_RULE_TIMELINE_TITLE = `${ALERT_RULE_NAMESPACE}.timeline_title` as const;
 export const ALERT_RULE_TIMESTAMP_OVERRIDE = `${ALERT_RULE_NAMESPACE}.timestamp_override` as const;
 export const ALERT_RULE_INDICES = `${ALERT_RULE_NAMESPACE}.indices` as const;
+
+export const ACTOR_ENTITY_ID = 'actor.entity.id' as const;
+export const RELATED_ENTITY = 'related.entity' as const;
+export const TARGET_ENTITY_ID = 'target.entity.id' as const;

x-pack/solutions/security/plugins/security_solution/common/field_maps/index.ts

@@ -4,9 +4,9 @@
  * 2.0; you may not use this file except in compliance with the Elastic License
  * 2.0.
  */
-import type { AlertsFieldMap8190 } from './8.19.0';
-import { alertsFieldMap8190 } from './8.19.0';
+import type { AlertsFieldMap920 } from './9.2.0';
+import { alertsFieldMap920 } from './9.2.0';
 import type { RulesFieldMap } from './8.0.0/rules';
 import { rulesFieldMap } from './8.0.0/rules';
-export type { AlertsFieldMap8190 as AlertsFieldMap, RulesFieldMap };
-export { alertsFieldMap8190 as alertsFieldMap, rulesFieldMap };
+export type { AlertsFieldMap920 as AlertsFieldMap, RulesFieldMap };
+export { alertsFieldMap920 as alertsFieldMap, rulesFieldMap };