elastic · marshallmain · Aug 5, 2021 · Jul 16, 2021 · Jul 16, 2021 · Jul 17, 2021
diff --git a/x-pack/plugins/rule_registry/server/rule_data_client/index.ts b/x-pack/plugins/rule_registry/server/rule_data_client/index.ts
@@ -96,7 +96,8 @@ export class RuleDataClient implements IRuleDataClient {
           if (response.body.errors) {
             if (
               response.body.items.length > 0 &&
-              response.body.items?.[0]?.index?.error?.type === 'index_not_found_exception'
+              (response.body.items?.[0]?.index?.error?.type === 'index_not_found_exception' ||
+                response.body.items?.[0]?.index?.error?.type === 'illegal_argument_exception')
             ) {
               return this.createWriteTargetIfNeeded({ namespace }).then(() => {
                 return clusterClient.bulk(requestWithDefaultParameters);
@@ -116,13 +117,14 @@ export class RuleDataClient implements IRuleDataClient {
 
     const clusterClient = await this.getClusterClient();
 
-    const { body: aliasExists } = await clusterClient.indices.existsAlias({
-      name: alias,
+    const { body: indicesExist } = await clusterClient.indices.exists({
+      index: `${alias}-*`,
+      allow_no_indices: false,
     });
 
     const concreteIndexName = `${alias}-000001`;
 
-    if (!aliasExists) {
+    if (!indicesExist) {
       try {
         await clusterClient.indices.create({
           index: concreteIndexName,
@@ -135,8 +137,19 @@ export class RuleDataClient implements IRuleDataClient {
           },
         });
       } catch (err) {
-        // something might have created the index already, that sounds OK
-        if (err?.meta?.body?.error?.type !== 'resource_already_exists_exception') {
+        // If the index already exists and it's the write index for the alias,
+        // something else created it so suppress the error. If it's not the write
+        // index, that's bad, throw an error.
+        if (err?.meta?.body?.error?.type === 'resource_already_exists_exception') {
+          const { body: existingIndices } = await clusterClient.indices.get({
+            index: concreteIndexName,
+          });
+          if (!existingIndices[concreteIndexName]?.aliases?.[alias]?.is_write_index) {
+            throw Error(
+              `Attempted to create index: ${concreteIndexName} as the write index for alias: ${alias}, but the index already exists and is not the write index for the alias`
+            );
+          }
+        } else {
           throw err;
         }
       }

diff --git a/.../plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts b/.../plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts
@@ -26,8 +26,10 @@ import signalsPolicy from './signals_policy.json';
 import { templateNeedsUpdate } from './check_template_version';
 import { getIndexVersion } from './get_index_version';
 import { isOutdated } from '../../migrations/helpers';
+import { parseExperimentalConfigValue } from '../../../../../common/experimental_features';
+import { ConfigType } from '../../../../config';
 
-export const createIndexRoute = (router: SecuritySolutionPluginRouter) => {
+export const createIndexRoute = (router: SecuritySolutionPluginRouter, config: ConfigType) => {
   router.post(
     {
       path: DETECTION_ENGINE_INDEX_URL,
@@ -37,6 +39,10 @@ export const createIndexRoute = (router: SecuritySolutionPluginRouter) => {
       },
     },
     async (context, request, response) => {
+      const { ruleRegistryEnabled } = parseExperimentalConfigValue(config.enableExperimental);
+      if (ruleRegistryEnabled) {
+        return response.ok({ body: { acknowledged: true } });
+      }
       const siemResponse = buildSiemResponse(response);
 
       try {

diff --git a/...lugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts b/...lugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts
@@ -69,3 +69,50 @@ export const getSignalsTemplate = (index: string) => {
   };
   return template;
 };
+
+export const getNewSignalsTemplate = (index: string) => {
+  const template = {
+    index_patterns: [`${index}-*`],
+    template: {
+      settings: {
+        index: {
+          lifecycle: {
+            name: index,
+            rollover_alias: index,
+          },
+        },
+        mapping: {
+          total_fields: {
+            limit: 10000,
+          },
+        },
+      },
+      mappings: {
+        dynamic: false,
+        properties: {
+          ...ecsMapping.mappings.properties,
+          ...otherMapping.mappings.properties,
+          signal: signalsMapping.mappings.properties.signal,
+          threat: {
+            ...ecsMapping.mappings.properties.threat,
+            properties: {
+              ...ecsMapping.mappings.properties.threat.properties,
+              indicator: {
+                ...otherMapping.mappings.properties.threat.properties.indicator,
+                properties: {
+                  ...otherMapping.mappings.properties.threat.properties.indicator.properties,
+                  event: ecsMapping.mappings.properties.event,
+                },
+              },
+            },
+          },
+        },
+        _meta: {
+          version: SIGNALS_TEMPLATE_VERSION,
+        },
+      },
+    },
+    version: SIGNALS_TEMPLATE_VERSION,
+  };
+  return template;
+};
diff --git a/...lugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json b/...lugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
@@ -0,0 +1,93 @@
+{
+  "signal.ancestors.depth": "kibana.alert.ancestors.depth",
+  "signal.ancestors.id": "kibana.alert.ancestors.id",
+  "signal.ancestors.index": "kibana.alert.ancestors.index",
+  "signal.ancestors.type": "kibana.alert.ancestors.type",
+  "signal.depth": "kibana.alert.depth",
+  "signal.original_event.action": "kibana.alert.original_event.action",
+  "signal.original_event.category": "kibana.alert.original_event.category",
+  "signal.original_event.code": "kibana.alert.original_event.code",
+  "signal.original_event.created": "kibana.alert.original_event.created",
+  "signal.original_event.dataset": "kibana.alert.original_event.dataset",
+  "signal.original_event.duration": "kibana.alert.original_event.duration",
+  "signal.original_event.end": "kibana.alert.original_event.end",
+  "signal.original_event.hash": "kibana.alert.original_event.hash",
+  "signal.original_event.id": "kibana.alert.original_event.id",
+  "signal.original_event.kind": "kibana.alert.original_event.kind",
+  "signal.original_event.module": "kibana.alert.original_event.module",
+  "signal.original_event.outcome": "kibana.alert.original_event.outcome",
+  "signal.original_event.provider": "kibana.alert.original_event.provider",
+  "signal.original_event.risk_score": "kibana.alert.original_event.risk_score",
+  "signal.original_event.risk_score_norm": "kibana.alert.original_event.risk_score_norm",
+  "signal.original_event.sequence": "kibana.alert.original_event.sequence",
+  "signal.original_event.severity": "kibana.alert.original_event.severity",
+  "signal.original_event.start": "kibana.alert.original_event.start",
+  "signal.original_event.timezone": "kibana.alert.original_event.timezone",
+  "signal.original_event.type": "kibana.alert.original_event.type",
+  "signal.original_time": "kibana.alert.original_time",
+  "signal.rule.author": "kibana.alert.rule.author",
+  "signal.rule.building_block_type": "kibana.alert.rule.building_block_type",
+  "signal.rule.created_at": "kibana.alert.rule.created_at",
+  "signal.rule.created_by": "kibana.alert.rule.created_by",
+  "signal.rule.description": "kibana.alert.rule.description",
+  "signal.rule.enabled": "kibana.alert.rule.enabled",
+  "signal.rule.false_positives": "kibana.alert.rule.false_positives",
+  "signal.rule.from": "kibana.alert.rule.from",
+  "signal.rule.id": "kibana.alert.rule.id",
+  "signal.rule.immutable": "kibana.alert.rule.immutable",
+  "signal.rule.index": "kibana.alert.rule.index",
+  "signal.rule.interval": "kibana.alert.rule.interval",
+  "signal.rule.language": "kibana.alert.rule.language",
+  "signal.rule.license": "kibana.alert.rule.license",
+  "signal.rule.max_signals": "kibana.alert.rule.max_signals",
+  "signal.rule.name": "kibana.alert.rule.name",
+  "signal.rule.note": "kibana.alert.rule.note",
+  "signal.rule.query": "kibana.alert.rule.query",
+  "signal.rule.references": "kibana.alert.rule.references",
+  "signal.rule.risk_score": "kibana.alert.risk_score",
+  "signal.rule.risk_score_mapping.field": "kibana.alert.rule.risk_score_mapping.field",
+  "signal.rule.risk_score_mapping.operator": "kibana.alert.rule.risk_score_mapping.operator",
+  "signal.rule.risk_score_mapping.value": "kibana.alert.rule.risk_score_mapping.value",
+  "signal.rule.rule_id": "kibana.alert.rule.rule_id",
+  "signal.rule.rule_name_override": "kibana.alert.rule.rule_name_override",
+  "signal.rule.saved_id": "kibana.alert.rule.saved_id",
+  "signal.rule.severity": "kibana.alert.severity",
+  "signal.rule.severity_mapping.field": "kibana.alert.rule.severity_mapping.field",
+  "signal.rule.severity_mapping.operator": "kibana.alert.rule.severity_mapping.operator",
+  "signal.rule.severity_mapping.value": "kibana.alert.rule.severity_mapping.value",
+  "signal.rule.severity_mapping.severity": "kibana.alert.rule.severity_mapping.severity",
+  "signal.rule.tags": "kibana.alert.rule.tags",
+  "signal.rule.threat.framework": "kibana.alert.rule.threat.framework",
+  "signal.rule.threat.tactic.id": "kibana.alert.rule.threat.tactic.id",
+  "signal.rule.threat.tactic.name": "kibana.alert.rule.threat.tactic.name",
+  "signal.rule.threat.tactic.reference": "kibana.alert.rule.threat.tactic.reference",
+  "signal.rule.threat.technique.id": "kibana.alert.rule.threat.technique.id",
+  "signal.rule.threat.technique.name": "kibana.alert.rule.threat.technique.name",
+  "signal.rule.threat.technique.reference": "kibana.alert.rule.threat.technique.reference",
+  "signal.rule.threat.technique.subtechnique.id": "kibana.alert.rule.threat.technique.subtechnique.id",
+  "signal.rule.threat.technique.subtechnique.name": "kibana.alert.rule.threat.technique.subtechnique.name",
+  "signal.rule.threat.technique.subtechnique.reference": "kibana.alert.rule.threat.technique.subtechnique.reference",
+  "signal.rule.threat_index": "kibana.alert.rule.threat_index",
+  "signal.rule.threat_indicator_path": "kibana.alert.rule.threat_indicator_path",
+  "signal.rule.threat_language": "kibana.alert.rule.threat_language",
+  "signal.rule.threat_mapping.entries.field": "kibana.alert.rule.threat_mapping.entries.field",
+  "signal.rule.threat_mapping.entries.value": "kibana.alert.rule.threat_mapping.entries.value",
+  "signal.rule.threat_mapping.entries.type": "kibana.alert.rule.threat_mapping.entries.type",
+  "signal.rule.threat_query": "kibana.alert.rule.threat_query",
+  "signal.rule.threshold.field": "kibana.alert.rule.threshold.field",
+  "signal.rule.threshold.value": "kibana.alert.rule.threshold.value",
+  "signal.rule.timeline_id": "kibana.alert.rule.timeline_id",
+  "signal.rule.timeline_title": "kibana.alert.rule.timeline_title",
+  "signal.rule.to": "kibana.alert.rule.to",
+  "signal.rule.type": "kibana.alert.rule.type",
+  "signal.rule.updated_at": "kibana.alert.rule.updated_at",
+  "signal.rule.updated_by": "kibana.alert.rule.updated_by",
+  "signal.rule.version": "kibana.alert.rule.version",
+  "signal.status": "kibana.alert.workflow_status",
+  "signal.threshold_result.from": "kibana.alert.threshold_result.from",
+  "signal.threshold_result.terms.field": "kibana.alert.threshold_result.terms.field",
+  "signal.threshold_result.terms.value": "kibana.alert.threshold_result.terms.value",
+  "signal.threshold_result.cardinality.field": "kibana.alert.threshold_result.cardinality.field",
+  "signal.threshold_result.cardinality.value": "kibana.alert.threshold_result.cardinality.value",
+  "signal.threshold_result.count": "kibana.alert.threshold_result.count"
+}