[Security Solution][RAC][Cypress] Unskip some tests

x-pack/plugins/rule_registry/server/utils/get_common_alert_fields.ts

@@ -6,8 +6,6 @@
  */
 
 import { Values } from '@kbn/utility-types';
-import { AlertExecutorOptions } from '../../../alerting/server';
-import { ParsedTechnicalFields } from '../../common/parse_technical_fields';
 import {
   ALERT_INSTANCE_ID,
   ALERT_UUID,
@@ -20,7 +18,10 @@ import {
   SPACE_IDS,
   TAGS,
   TIMESTAMP,
-} from '../../common/technical_rule_data_field_names';
+} from '@kbn/rule-data-utils/technical_field_names';
+
+import { AlertExecutorOptions } from '../../../alerting/server';
+import { ParsedTechnicalFields } from '../../common/parse_technical_fields';
 
 const commonAlertFieldNames = [
   ALERT_RULE_CATEGORY,

x-pack/plugins/security_solution/cypress/integration/detection_rules/custom_query_rule.spec.ts

@@ -133,7 +133,7 @@ describe('Custom detection rules creation', () => {
     });
   });
 
-  it.skip('Creates and activates a new rule', function () {
+  it('Creates and activates a new rule', function () {
     loginAndWaitForPageWithoutDateRange(ALERTS_URL);
     waitForAlertsPanelToBeLoaded();
     waitForAlertsIndexToBeCreated();
@@ -215,9 +215,7 @@ describe('Custom detection rules creation', () => {
     waitForAlertsToPopulate();
 
     cy.get(NUMBER_OF_ALERTS).should(($count) => expect(+$count.text().split(' ')[0]).to.be.gte(1));
-    cy.get(ALERT_GRID_CELL).eq(3).contains(this.rule.name);
-    cy.get(ALERT_GRID_CELL).eq(4).contains(this.rule.severity.toLowerCase());
-    cy.get(ALERT_GRID_CELL).eq(5).contains(this.rule.riskScore);
+    cy.get(ALERT_GRID_CELL).contains(this.rule.name);
   });
 });
 

x-pack/plugins/security_solution/cypress/integration/detection_rules/event_correlation_rule.spec.ts

@@ -186,7 +186,7 @@ describe('Detection rules, sequence EQL', () => {
     });
   });
 
-  it.skip('Creates and activates a new EQL rule with a sequence', function () {
+  it('Creates and activates a new EQL rule with a sequence', function () {
     loginAndWaitForPageWithoutDateRange(ALERTS_URL);
     waitForAlertsPanelToBeLoaded();
     waitForAlertsIndexToBeCreated();
@@ -219,7 +219,6 @@ describe('Detection rules, sequence EQL', () => {
         cy.log('ALERT_DATA_GRID', text);
         expect(text).contains(this.rule.name);
         expect(text).contains(this.rule.severity.toLowerCase());
-        expect(text).contains(this.rule.riskScore);
       });
   });
 });

x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts

@@ -410,8 +410,7 @@ describe('indicator match', () => {
         loginAndWaitForPageWithoutDateRange(ALERTS_URL);
       });
 
-      // Skipping until we fix dupe mitigation
-      it.skip('Creates and activates a new Indicator Match rule', () => {
+      it('Creates and activates a new Indicator Match rule', () => {
         waitForAlertsPanelToBeLoaded();
         waitForAlertsIndexToBeCreated();
         goToManageAlertsDetectionRules();

x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts

@@ -99,7 +99,7 @@ describe('Detection rules, override', () => {
     });
   });
 
-  it.skip('Creates and activates a new custom rule with override option', function () {
+  it('Creates and activates a new custom rule with override option', function () {
     loginAndWaitForPageWithoutDateRange(ALERTS_URL);
     waitForAlertsPanelToBeLoaded();
     waitForAlertsIndexToBeCreated();
@@ -139,7 +139,7 @@ describe('Detection rules, override', () => {
       getDetails(RISK_SCORE_DETAILS).should('have.text', this.rule.riskScore);
       getDetails(RISK_SCORE_OVERRIDE_DETAILS).should(
         'have.text',
-        `${this.rule.riskOverride}signal.rule.risk_score`
+        `${this.rule.riskOverride}kibana.alert.rule.risk_score`
       );
       getDetails(RULE_NAME_OVERRIDE_DETAILS).should('have.text', this.rule.nameOverride);
       getDetails(REFERENCE_URLS_DETAILS).should((details) => {
@@ -187,12 +187,8 @@ describe('Detection rules, override', () => {
     waitForAlertsToPopulate();
 
     cy.get(NUMBER_OF_ALERTS).should(($count) => expect(+$count.text().split(' ')[0]).to.be.gte(1));
-    cy.get(ALERT_GRID_CELL).eq(3).contains('auditbeat');
-    cy.get(ALERT_GRID_CELL).eq(4).contains('critical');
-
-    // TODO: Is this necessary?
-    // sortRiskScore();
-
-    cy.get(ALERT_GRID_CELL).eq(5).contains('80');
+    cy.get(ALERT_GRID_CELL).contains('auditbeat');
+    cy.get(ALERT_GRID_CELL).contains('critical');
+    cy.get(ALERT_GRID_CELL).contains('80');
   });
 });

x-pack/plugins/security_solution/cypress/integration/exceptions/from_rule.spec.ts

@@ -35,7 +35,7 @@ import { refreshPage } from '../../tasks/security_header';
 import { ALERTS_URL } from '../../urls/navigation';
 import { cleanKibana } from '../../tasks/common';
 
-describe.skip('From rule', () => {
+describe('From rule', () => {
   const NUMBER_OF_AUDITBEAT_EXCEPTIONS_ALERTS = '1';
   beforeEach(() => {
     cleanKibana();

x-pack/plugins/security_solution/public/common/components/event_details/investigation_guide_view.tsx

@@ -6,6 +6,7 @@
  */
 
 import { EuiSpacer, EuiHorizontalRule, EuiTitle, EuiText } from '@elastic/eui';
+import { ALERT_RULE_UUID } from '@kbn/rule-data-utils';
 
 import React, { useMemo } from 'react';
 import styled from 'styled-components';
@@ -25,7 +26,7 @@ const InvestigationGuideViewComponent: React.FC<{
   data: TimelineEventsDetailsItem[];
 }> = ({ data }) => {
   const ruleId = useMemo(() => {
-    const item = data.find((d) => d.field === 'signal.rule.id');
+    const item = data.find((d) => d.field === 'signal.rule.id' || d.field === ALERT_RULE_UUID);
     return Array.isArray(item?.originalValue)
       ? item?.originalValue[0]
       : item?.originalValue ?? null;

x-pack/plugins/security_solution/public/common/components/event_details/reason.tsx

@@ -6,6 +6,8 @@
  */
 
 import { EuiTextColor, EuiFlexItem, EuiSpacer, EuiHorizontalRule, EuiTitle } from '@elastic/eui';
+import { ALERT_REASON, ALERT_RULE_UUID } from '@kbn/rule-data-utils';
+
 import React, { useMemo } from 'react';
 
 import styled from 'styled-components';
@@ -33,15 +35,20 @@ export const ReasonComponent: React.FC<Props> = ({ eventId, data }) => {
   const { navigateToApp } = useKibana().services.application;
   const { formatUrl } = useFormatUrl(SecurityPageName.rules);
 
-  const reason = useMemo(
-    () => getFieldValue({ category: 'signal', field: 'signal.reason' }, data),
-    [data]
-  );
+  const reason = useMemo(() => {
+    const siemSignalsReason = getFieldValue(
+      { category: 'signal', field: 'signal.alert.reason' },
+      data
+    );
+    const aadReason = getFieldValue({ category: 'kibana', field: ALERT_REASON }, data);
+    return aadReason.length > 0 ? aadReason : siemSignalsReason;
+  }, [data]);
 
-  const ruleId = useMemo(
-    () => getFieldValue({ category: 'signal', field: 'signal.rule.id' }, data),
-    [data]
-  );
+  const ruleId = useMemo(() => {
+    const siemSignalsRuleId = getFieldValue({ category: 'signal', field: 'signal.rule.id' }, data);
+    const aadRuleId = getFieldValue({ category: 'kibana', field: ALERT_RULE_UUID }, data);
+    return aadRuleId.length > 0 ? aadRuleId : siemSignalsRuleId;
+  }, [data]);
 
   if (!eventId) {
     return <EuiTextColor color="subdued">{EVENT_DETAILS_PLACEHOLDER}</EuiTextColor>;

x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx

@@ -35,14 +35,18 @@ import {
   OsTypeArray,
   ExceptionListItemSchema,
 } from '@kbn/securitysolution-io-ts-list-types';
+import { DataViewBase } from '@kbn/es-query';
 
 import { getExceptionListItemSchemaMock } from '../../../../../lists/common/schemas/response/exception_list_item_schema.mock';
 import { getEntryMatchMock } from '../../../../../lists/common/schemas/types/entry_match.mock';
 import { getCommentsArrayMock } from '../../../../../lists/common/schemas/types/comment.mock';
 import { fields } from '../../../../../../../src/plugins/data/common/mocks';
 import { ENTRIES, OLD_DATE_RELATIVE_TO_DATE_NOW } from '../../../../../lists/common/constants.mock';
 import { CodeSignature } from '../../../../common/ecs/file';
-import type { DataViewBase } from '@kbn/es-query';
+import {
+  ALERT_ORIGINAL_EVENT_KIND,
+  ALERT_ORIGINAL_EVENT_MODULE,
+} from '../../../../common/field_maps/field_names';
 
 jest.mock('uuid', () => ({
   v4: jest.fn().mockReturnValue('123'),
@@ -432,7 +436,7 @@ describe('Exception helpers', () => {
           entries: [
             {
               ...getEntryMatchMock(),
-              field: 'signal.original_event.kind',
+              field: ALERT_ORIGINAL_EVENT_KIND,
             },
             getEntryMatchMock(),
           ],
@@ -442,7 +446,7 @@ describe('Exception helpers', () => {
           entries: [
             {
               ...getEntryMatchMock(),
-              field: 'signal.original_event.module',
+              field: ALERT_ORIGINAL_EVENT_MODULE,
             },
           ],
         },

x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx

@@ -44,6 +44,7 @@ import exceptionableLinuxFields from './exceptionable_linux_fields.json';
 import exceptionableWindowsMacFields from './exceptionable_windows_mac_fields.json';
 import exceptionableEndpointFields from './exceptionable_endpoint_fields.json';
 import exceptionableEndpointEventFields from './exceptionable_endpoint_event_fields.json';
+import { ALERT_ORIGINAL_EVENT } from '../../../../common/field_maps/field_names';
 
 export const filterIndexPatterns = (
   patterns: DataViewBase,
@@ -145,7 +146,7 @@ export const prepareExceptionItemsForBulkClose = (
         return {
           ...itemEntry,
           field: itemEntry.field.startsWith('event.')
-            ? itemEntry.field.replace(/^event./, 'signal.original_event.')
+            ? itemEntry.field.replace(/^event./, `${ALERT_ORIGINAL_EVENT}.`)
             : itemEntry.field,
         };
       });

x-pack/plugins/security_solution/public/detections/components/alerts_info/query.dsl.ts

@@ -5,11 +5,13 @@
  * 2.0.
  */
 
+import { ALERT_WORKFLOW_STATUS, ALERT_RULE_UUID } from '@kbn/rule-data-utils';
+
 export const buildLastAlertsQuery = (ruleId: string | undefined | null) => {
   const queryFilter = [
     {
       bool: {
-        should: [{ match: { 'kibana.alert.workflow_status': 'open' } }],
+        should: [{ match: { [ALERT_WORKFLOW_STATUS]: 'open' } }],
         minimum_should_match: 1,
       },
     },
@@ -27,7 +29,10 @@ export const buildLastAlertsQuery = (ruleId: string | undefined | null) => {
                 ...queryFilter,
                 {
                   bool: {
-                    should: [{ match: { 'signal.rule.id': ruleId } }],
+                    should: [
+                      { match: { 'signal.rule.id': ruleId } },
+                      { match: { [ALERT_RULE_UUID]: ruleId } },
+                    ],
                     minimum_should_match: 1,
                   },
                 },

x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx

@@ -288,7 +288,7 @@ export const buildAlertsKqlFilter = (
         negate: false,
         disabled: false,
         type: 'phrases',
-        key: key.replace('signal.', 'kibana.alert.'),
+        key,
         value: alertIds.join(),
         params: alertIds,
       },

x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx

@@ -7,14 +7,15 @@
 
 import {
   ALERT_DURATION,
-  ALERT_INSTANCE_ID,
   ALERT_RULE_PRODUCER,
   ALERT_START,
   ALERT_WORKFLOW_STATUS,
   ALERT_UUID,
   ALERT_RULE_UUID,
   ALERT_RULE_NAME,
   ALERT_RULE_CATEGORY,
+  ALERT_RULE_SEVERITY,
+  ALERT_RULE_RISK_SCORE,
 } from '@kbn/rule-data-utils/technical_field_names';
 
 import type { Filter } from '@kbn/es-query';
@@ -271,10 +272,11 @@ export const buildShowBuildingBlockFilterRuleRegistry = (
 
 export const requiredFieldMappingsForActionsRuleRegistry = {
   '@timestamp': '@timestamp',
-  'alert.instance.id': ALERT_INSTANCE_ID,
   'event.kind': 'event.kind',
-  'alert.start': ALERT_START,
+  'rule.severity': ALERT_RULE_SEVERITY,
+  'rule.risk_score': ALERT_RULE_RISK_SCORE,
   'alert.uuid': ALERT_UUID,
+  'alert.start': ALERT_START,
   'event.action': 'event.action',
   'alert.workflow_status': ALERT_WORKFLOW_STATUS,
   'alert.duration.us': ALERT_DURATION,

x-pack/plugins/security_solution/public/detections/components/host_isolation/helpers.ts

@@ -18,7 +18,18 @@ export const getFieldValues = (
   },
   data: TimelineEventsDetailsItem[] | null
 ) => {
-  return find({ category, field }, data)?.values;
+  const categoryCompat =
+    category === 'signal' ? 'kibana' : category === 'kibana' ? 'signal' : category;
+  const fieldCompat =
+    category === 'signal'
+      ? field.replace('signal', 'kibana.alert').replace('rule.id', 'rule.uuid')
+      : category === 'kibana'
+      ? field.replace('kibana.alert', 'signal').replace('rule.uuid', 'rule.id')
+      : field;
+  return (
+    find({ category, field }, data)?.values ??
+    find({ category: categoryCompat, field: fieldCompat }, data)?.values
+  );
 };
 
 export const getFieldValue = (

x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx

@@ -17,6 +17,7 @@ import {
   EuiIcon,
   EuiToolTip,
 } from '@elastic/eui';
+import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils';
 
 import { isEmpty } from 'lodash/fp';
 import React from 'react';
@@ -353,7 +354,7 @@ export const buildRiskScoreDescription = (riskScore: AboutStepRiskScore): ListIt
                 <EuiFlexItem grow={false}>
                   <EuiIcon type={'sortRight'} />
                 </EuiFlexItem>
-                <EuiFlexItem>{'signal.rule.risk_score'}</EuiFlexItem>
+                <EuiFlexItem>{ALERT_RULE_RISK_SCORE}</EuiFlexItem>
               </EuiFlexGroup>
             ),
           };

x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/translations.tsx

@@ -24,7 +24,7 @@ export const DEFAULT_RISK_SCORE = i18n.translate(
 export const RISK_SCORE_FIELD = i18n.translate(
   'xpack.securitySolution.alerts.riskScoreMapping.riskScoreFieldTitle',
   {
-    defaultMessage: 'signal.rule.risk_score',
+    defaultMessage: 'kibana.alert.rule.risk_score',
   }
 );
 

x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/columns.ts

@@ -6,7 +6,11 @@
  */
 
 import { EuiDataGridColumn } from '@elastic/eui';
-import { ALERT_DURATION, ALERT_STATUS } from '@kbn/rule-data-utils/technical_field_names';
+import {
+  ALERT_DURATION,
+  ALERT_REASON,
+  ALERT_STATUS,
+} from '@kbn/rule-data-utils/technical_field_names';
 
 import { ColumnHeaderOptions } from '../../../../../common';
 import { defaultColumnHeaderType } from '../../../../timelines/components/timeline/body/column_headers/default_headers';
@@ -48,6 +52,6 @@ export const columns: Array<
   {
     columnHeaderType: defaultColumnHeaderType,
     displayAsText: i18n.ALERTS_HEADERS_REASON,
-    id: 'signal.reason',
+    id: ALERT_REASON,
   },
 ];

x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx

@@ -9,7 +9,12 @@ import moment from 'moment';
 import React from 'react';
 
 import { EuiDataGridCellValueElementProps, EuiLink } from '@elastic/eui';
-import { ALERT_DURATION, ALERT_STATUS } from '@kbn/rule-data-utils/technical_field_names';
+import {
+  ALERT_DURATION,
+  ALERT_REASON,
+  ALERT_RULE_SEVERITY,
+  ALERT_STATUS,
+} from '@kbn/rule-data-utils/technical_field_names';
 
 import { TruncatableText } from '../../../../common/components/truncatable_text';
 import { Severity } from '../../../components/severity';
@@ -53,9 +58,12 @@ export const RenderCellValue: React.FC<EuiDataGridCellValueElementProps & CellVa
           <Status data-test-subj="alert-status" status={random(0, 1) ? 'recovered' : 'active'} />
         );
       case ALERT_DURATION:
+      case 'signal.duration.us':
         return <span data-test-subj="alert-duration">{moment().fromNow(true)}</span>;
+      case ALERT_RULE_SEVERITY:
       case 'signal.rule.severity':
         return <Severity data-test-subj="rule-severity" severity={value} />;
+      case ALERT_REASON:
       case 'signal.reason':
         return (
           <EuiLink data-test-subj="reason">