Cypress test fixes

x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts

@@ -290,6 +290,7 @@ export const systemFieldsMap: Readonly<Record<string, string>> = {
   'system.auth.ssh.method': 'system.auth.ssh.method',
 };
 
+// Is this being used?
 export const signalFieldsMap: Readonly<Record<string, string>> = {
   'signal.original_time': 'signal.original_time',
   'signal.rule.id': 'signal.rule.id',
@@ -331,6 +332,7 @@ export const ruleFieldsMap: Readonly<Record<string, string>> = {
   'rule.reference': 'rule.reference',
 };
 
+// Is this being used?
 export const eventFieldsMap: Readonly<Record<string, string>> = {
   timestamp: '@timestamp',
   '@timestamp': '@timestamp',

x-pack/plugins/security_solution/common/ecs/index.ts

@@ -18,7 +18,7 @@ import { HostEcs } from './host';
 import { NetworkEcs } from './network';
 import { RegistryEcs } from './registry';
 import { RuleEcs } from './rule';
-import { SignalEcs } from './signal';
+import { SignalEcs, SignalEcsAAD } from './signal';
 import { SourceEcs } from './source';
 import { SuricataEcs } from './suricata';
 import { TlsEcs } from './tls';
@@ -48,6 +48,9 @@ export interface Ecs {
   network?: NetworkEcs;
   registry?: RegistryEcs;
   rule?: RuleEcs;
+  kibana?: {
+    alert: SignalEcsAAD;
+  };
   signal?: SignalEcs;
   source?: SourceEcs;
   suricata?: SuricataEcs;

x-pack/plugins/security_solution/common/ecs/signal/index.ts

@@ -16,3 +16,8 @@ export interface SignalEcs {
   };
   threshold_result?: unknown;
 }
+
+export type SignalEcsAAD = Exclude<SignalEcs, 'rule' | 'status'> & {
+  rule?: Exclude<RuleEcs, 'id'> & { uuid: string };
+  workflow_status?: string[];
+};

x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx

@@ -25,14 +25,14 @@ describe('alerts default_config', () => {
           negate: false,
           disabled: false,
           type: 'phrase',
-          key: 'signal.rule.id',
+          key: 'kibana.alert.rule.uuid',
           params: {
             query: 'rule-id-1',
           },
         },
         query: {
           match_phrase: {
-            'signal.rule.id': 'rule-id-1',
+            'kibana.alert.rule.uuid': 'rule-id-1',
           },
         },
       };
@@ -48,13 +48,13 @@ describe('alerts default_config', () => {
             alias: null,
             disabled: false,
             negate: false,
-            key: 'signal.rule.threat_mapping',
+            key: 'kibana.alert.rule.threat_mapping',
             type: 'exists',
             value: 'exists',
           },
           query: {
             exists: {
-              field: 'signal.rule.threat_mapping',
+              field: 'kibana.alert.rule.threat_mapping',
             },
           },
         };

x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx

@@ -103,14 +103,14 @@ export const buildAlertsRuleIdFilter = (ruleId: string | null): Filter[] =>
             negate: false,
             disabled: false,
             type: 'phrase',
-            key: 'signal.rule.id',
+            key: 'kibana.alert.rule.uuid',
             params: {
               query: ruleId,
             },
           },
           query: {
             match_phrase: {
-              'signal.rule.id': ruleId,
+              'kibana.alert.rule.uuid': ruleId,
             },
           },
         },
@@ -127,10 +127,10 @@ export const buildShowBuildingBlockFilter = (showBuildingBlockAlerts: boolean):
             negate: true,
             disabled: false,
             type: 'exists',
-            key: 'signal.rule.building_block_type',
+            key: 'kibana.alert.rule.building_block_type',
             value: 'exists',
           },
-          query: { exists: { field: 'signal.rule.building_block_type' } },
+          query: { exists: { field: 'kibana.alert.rule.building_block_type' } },
         },
       ];
 
@@ -142,11 +142,11 @@ export const buildThreatMatchFilter = (showOnlyThreatIndicatorAlerts: boolean):
             alias: null,
             disabled: false,
             negate: false,
-            key: 'signal.rule.threat_mapping',
+            key: 'kibana.alert.rule.threat_mapping',
             type: 'exists',
             value: 'exists',
           },
-          query: { exists: { field: 'signal.rule.threat_mapping' } },
+          query: { exists: { field: 'kibana.alert.rule.threat_mapping' } },
         },
       ]
     : [];
@@ -161,20 +161,20 @@ export const alertsDefaultModel: SubsetTimelineModel = {
 export const requiredFieldsForActions = [
   '@timestamp',
   'kibana.alert.workflow_status',
-  'signal.group.id',
-  'signal.original_time',
-  'signal.rule.building_block_type',
-  'signal.rule.filters',
-  'signal.rule.from',
-  'signal.rule.language',
-  'signal.rule.query',
-  'signal.rule.name',
-  'signal.rule.to',
-  'signal.rule.id',
-  'signal.rule.index',
-  'signal.rule.type',
-  'signal.original_event.kind',
-  'signal.original_event.module',
+  'kibana.alert.group.id',
+  'kibana.alert.original_time',
+  'kibana.alert.rule.building_block_type',
+  'kibana.alert.rule.filters',
+  'kibana.alert.rule.from',
+  'kibana.alert.rule.language',
+  'kibana.alert.rule.query',
+  'kibana.alert.rule.name',
+  'kibana.alert.rule.to',
+  'kibana.alert.rule.uuid',
+  'kibana.alert.rule.index',
+  'kibana.alert.rule.type',
+  'kibana.alert.original_event.kind',
+  'kibana.alert.original_event.module',
   // Endpoint exception fields
   'file.path',
   'file.Ext.code_signature.subject_name',

x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx

@@ -68,8 +68,8 @@ const AlertContextMenuComponent: React.FC<AlertContextMenuProps & PropsFromRedux
   const afterItemSelection = useCallback(() => {
     setPopover(false);
   }, []);
-  const ruleId = get(0, ecsRowData?.signal?.rule?.id);
-  const ruleName = get(0, ecsRowData?.signal?.rule?.name);
+  const ruleId = get(0, ecsRowData?.kibana?.alert?.rule?.uuid);
+  const ruleName = get(0, ecsRowData?.kibana?.alert?.rule?.name);
   const { timelines: timelinesUi } = useKibana().services;
 
   const { addToCaseActionProps, addToCaseActionItems } = useAddToCaseActions({

x-pack/plugins/security_solution/public/timelines/components/timeline/body/actions/index.test.tsx

@@ -126,7 +126,7 @@ describe('Actions', () => {
     test('it enables for eventType=signal', () => {
       const ecsData = {
         ...mockTimelineData[0].ecs,
-        signal: { rule: { id: ['123'] } },
+        kibana: { alert: { rule: { uuid: ['123'] } } },
       };
       const wrapper = mount(
         <TestProviders>

x-pack/plugins/security_solution/public/timelines/components/timeline/body/actions/index.tsx

@@ -104,15 +104,15 @@ const ActionsComponent: React.FC<ActionProps> = ({
   );
   const eventType = getEventType(ecsData);
 
-  const isContextMenuDisabled = useMemo(
-    () =>
+  const isContextMenuDisabled = useMemo(() => {
+    return (
       eventType !== 'signal' &&
       !(
         (ecsData.event?.kind?.includes('event') || ecsData.event?.kind?.includes('alert')) &&
         ecsData.agent?.type?.includes('endpoint')
-      ),
-    [eventType, ecsData.event?.kind, ecsData.agent?.type]
-  );
+      )
+    );
+  }, [ecsData, eventType]);
 
   const isDisabled = useMemo(() => !isInvestigateInResolverActionEnabled(ecsData), [ecsData]);
   const { setGlobalFullScreen } = useGlobalFullScreen();

x-pack/plugins/security_solution/public/timelines/components/timeline/body/helpers.tsx

@@ -102,7 +102,7 @@ export const getEventIdToDataMapping = (
   }, {});
 
 export const isEventBuildingBlockType = (event: Ecs): boolean =>
-  !isEmpty(event.signal?.rule?.building_block_type);
+  !isEmpty(event.kibana?.alert?.rule?.building_block_type);
 
 export const isEvenEqlSequence = (event: Ecs): boolean => {
   if (!isEmpty(event.eql?.sequenceNumber)) {
@@ -117,7 +117,7 @@ export const isEvenEqlSequence = (event: Ecs): boolean => {
 };
 /** Return eventType raw or signal or eql */
 export const getEventType = (event: Ecs): Omit<TimelineEventsType, 'all'> => {
-  if (!isEmpty(event.signal?.rule?.id)) {
+  if (!isEmpty(event.kibana?.alert?.rule?.uuid)) {
     return 'signal';
   } else if (!isEmpty(event.eql?.parentId)) {
     return 'eql';

x-pack/plugins/security_solution/server/lib/detection_engine/routes/signals/open_close_signals_route.ts

@@ -13,7 +13,10 @@ import {
   setSignalsStatusSchema,
 } from '../../../../../common/detection_engine/schemas/request/set_signal_status_schema';
 import type { SecuritySolutionPluginRouter } from '../../../../types';
-import { DETECTION_ENGINE_SIGNALS_STATUS_URL } from '../../../../../common/constants';
+import {
+  DEFAULT_ALERTS_INDEX,
+  DETECTION_ENGINE_SIGNALS_STATUS_URL,
+} from '../../../../../common/constants';
 import { buildSiemResponse } from '../utils';
 
 import { buildRouteValidation } from '../../../../utils/build_validation/route_validation';
@@ -37,6 +40,7 @@ export const setSignalsStatusRoute = (router: SecuritySolutionPluginRouter) => {
       const siemClient = context.securitySolution?.getAppClient();
       const siemResponse = buildSiemResponse(response);
       const validationErrors = setSignalStatusValidateTypeDependents(request.body);
+      const spaceId = context.securitySolution.getSpaceId();
 
       if (validationErrors.length) {
         return siemResponse.error({ statusCode: 400, body: validationErrors });
@@ -59,7 +63,7 @@ export const setSignalsStatusRoute = (router: SecuritySolutionPluginRouter) => {
       }
       try {
         const { body } = await esClient.updateByQuery({
-          index: siemClient.getSignalsIndex(),
+          index: `${DEFAULT_ALERTS_INDEX}-${spaceId}`,
           conflicts: conflicts ?? 'abort',
           // https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-update-by-query.html#_refreshing_shards_2
           // Note: Before we tried to use "refresh: wait_for" but I do not think that was available and instead it defaulted to "refresh: true"

x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts

@@ -43,25 +43,25 @@ export const CTI_ROW_RENDERER_FIELDS = [
 export const TIMELINE_EVENTS_FIELDS = [
   ALERT_RULE_CONSUMER,
   '@timestamp',
-  'signal.status',
-  'signal.group.id',
-  'signal.original_time',
-  'signal.reason',
-  'signal.rule.filters',
-  'signal.rule.from',
-  'signal.rule.language',
-  'signal.rule.query',
-  'signal.rule.name',
-  'signal.rule.to',
-  'signal.rule.id',
-  'signal.rule.index',
-  'signal.rule.type',
-  'signal.original_event.kind',
-  'signal.original_event.module',
-  'signal.rule.version',
-  'signal.rule.severity',
-  'signal.rule.risk_score',
-  'signal.threshold_result',
+  'kibana.alert.workflow_status',
+  'kibana.alert.group.id',
+  'kibana.alert.original_time',
+  'kibana.alert.reason',
+  'kibana.alert.rule.filters',
+  'kibana.alert.rule.from',
+  'kibana.alert.rule.language',
+  'kibana.alert.rule.query',
+  'kibana.alert.rule.name',
+  'kibana.alert.rule.to',
+  'kibana.alert.rule.uuid',
+  'kibana.alert.rule.index',
+  'kibana.alert.rule.type',
+  'kibana.alert.original_event.kind',
+  'kibana.alert.original_event.module',
+  'kibana.alert.rule.version',
+  'kibana.alert.rule.severity',
+  'kibana.alert.rule.risk_score',
+  'kibana.alert.threshold_result',
   'event.code',
   'event.module',
   'event.action',
@@ -172,14 +172,14 @@ export const TIMELINE_EVENTS_FIELDS = [
   'endgame.target_domain_name',
   'endgame.target_logon_id',
   'endgame.target_user_name',
-  'signal.rule.saved_id',
-  'signal.rule.timeline_id',
-  'signal.rule.timeline_title',
-  'signal.rule.output_index',
-  'signal.rule.note',
-  'signal.rule.threshold',
-  'signal.rule.exceptions_list',
-  'signal.rule.building_block_type',
+  'kibana.alert.rule.saved_id',
+  'kibana.alert.rule.timeline_id',
+  'kibana.alert.rule.timeline_title',
+  'kibana.alert.rule.output_index',
+  'kibana.alert.rule.note',
+  'kibana.alert.rule.threshold',
+  'kibana.alert.rule.exceptions_list',
+  'kibana.alert.rule.building_block_type',
   'suricata.eve.proto',
   'suricata.eve.flow_id',
   'suricata.eve.alert.signature',