elastic · marshallmain · Dec 17, 2021 · Dec 13, 2021 · Dec 14, 2021 · Dec 14, 2021
diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts
@@ -55,12 +55,8 @@ const ALERT_RULE_NAME = `${ALERT_RULE_NAMESPACE}.name` as const;
 const ALERT_RULE_NOTE = `${ALERT_RULE_NAMESPACE}.note` as const;
 const ALERT_RULE_PARAMETERS = `${ALERT_RULE_NAMESPACE}.parameters` as const;
 const ALERT_RULE_REFERENCES = `${ALERT_RULE_NAMESPACE}.references` as const;
-const ALERT_RULE_RISK_SCORE = `${ALERT_RULE_NAMESPACE}.risk_score` as const;
-const ALERT_RULE_RISK_SCORE_MAPPING = `${ALERT_RULE_NAMESPACE}.risk_score_mapping` as const;
 const ALERT_RULE_RULE_ID = `${ALERT_RULE_NAMESPACE}.rule_id` as const;
 const ALERT_RULE_RULE_NAME_OVERRIDE = `${ALERT_RULE_NAMESPACE}.rule_name_override` as const;
-const ALERT_RULE_SEVERITY = `${ALERT_RULE_NAMESPACE}.severity` as const;
-const ALERT_RULE_SEVERITY_MAPPING = `${ALERT_RULE_NAMESPACE}.severity_mapping` as const;
 const ALERT_RULE_TAGS = `${ALERT_RULE_NAMESPACE}.tags` as const;
 const ALERT_RULE_TO = `${ALERT_RULE_NAMESPACE}.to` as const;
 const ALERT_RULE_TYPE = `${ALERT_RULE_NAMESPACE}.type` as const;
@@ -114,12 +110,8 @@ const fields = {
   ALERT_RULE_NOTE,
   ALERT_RULE_PARAMETERS,
   ALERT_RULE_REFERENCES,
-  ALERT_RULE_RISK_SCORE,
-  ALERT_RULE_RISK_SCORE_MAPPING,
   ALERT_RULE_RULE_ID,
   ALERT_RULE_RULE_NAME_OVERRIDE,
-  ALERT_RULE_SEVERITY,
-  ALERT_RULE_SEVERITY_MAPPING,
   ALERT_RULE_TAGS,
   ALERT_RULE_TO,
   ALERT_RULE_TYPE,
@@ -171,19 +163,15 @@ export {
   ALERT_RULE_NOTE,
   ALERT_RULE_PARAMETERS,
   ALERT_RULE_REFERENCES,
-  ALERT_RULE_RISK_SCORE,
-  ALERT_RULE_RISK_SCORE_MAPPING,
   ALERT_RULE_RULE_ID,
   ALERT_RULE_RULE_NAME_OVERRIDE,
-  ALERT_RULE_SEVERITY_MAPPING,
   ALERT_RULE_TAGS,
   ALERT_RULE_TO,
   ALERT_RULE_TYPE,
   ALERT_RULE_TYPE_ID,
   ALERT_RULE_UPDATED_AT,
   ALERT_RULE_UPDATED_BY,
   ALERT_RULE_VERSION,
-  ALERT_RULE_SEVERITY,
   ALERT_SEVERITY,
   ALERT_START,
   ALERT_SYSTEM_STATUS,

@@ -40,16 +40,6 @@ export const technicalRuleFieldMap = {
     array: false,
     required: false,
   },
-  [Fields.ALERT_RULE_SEVERITY]: {
-    type: 'keyword',
-    array: false,
-    required: false,
-  },
-  [Fields.ALERT_RULE_RISK_SCORE]: {
-    type: 'float',
-    array: false,
-    required: false,
-  },
   [Fields.ALERT_RISK_SCORE]: {
     type: 'float',
     array: false,
@@ -150,26 +140,6 @@ export const technicalRuleFieldMap = {
     array: true,
     required: false,
   },
-  [Fields.ALERT_RULE_RISK_SCORE_MAPPING]: {
-    type: 'object',
-    array: false,
-    required: false,
-  },
-  [`${Fields.ALERT_RULE_RISK_SCORE_MAPPING}.field`]: {
-    type: 'keyword',
-    array: false,
-    required: false,
-  },
-  [`${Fields.ALERT_RULE_RISK_SCORE_MAPPING}.operator`]: {
-    type: 'keyword',
-    array: false,
-    required: false,
-  },
-  [`${Fields.ALERT_RULE_RISK_SCORE_MAPPING}.value`]: {
-    type: 'keyword',
-    array: false,
-    required: false,
-  },
   [Fields.ALERT_RULE_RULE_ID]: {
     type: 'keyword',
     array: false,
@@ -180,31 +150,6 @@ export const technicalRuleFieldMap = {
     array: false,
     required: false,
   },
-  [Fields.ALERT_RULE_SEVERITY_MAPPING]: {
-    type: 'object',
-    array: false,
-    required: false,
-  },
-  [`${Fields.ALERT_RULE_SEVERITY_MAPPING}.field`]: {
-    type: 'keyword',
-    array: false,
-    required: false,
-  },
-  [`${Fields.ALERT_RULE_SEVERITY_MAPPING}.operator`]: {
-    type: 'keyword',
-    array: false,
-    required: false,
-  },
-  [`${Fields.ALERT_RULE_SEVERITY_MAPPING}.value`]: {
-    type: 'keyword',
-    array: false,
-    required: false,
-  },
-  [`${Fields.ALERT_RULE_SEVERITY_MAPPING}.severity`]: {
-    type: 'keyword',
-    array: false,
-    required: false,
-  },
   [Fields.ALERT_RULE_TAGS]: {
     type: 'keyword',
     array: true,

@@ -57,7 +57,7 @@ const esFieldTypeMap = {
   float: t.union([t.number, NumberFromString]),
   scaled_float: t.union([t.number, NumberFromString]),
   unsigned_long: t.union([t.number, NumberFromString]),
-  flattened: t.record(t.string, t.array(t.string)),
+  flattened: t.UnknownRecord,
 };
 
 type EsFieldTypeMap = typeof esFieldTypeMap;

@@ -11,7 +11,7 @@ import {
   ALERT_RULE_CONSUMER,
   ALERT_RULE_NAME,
   ALERT_RULE_PRODUCER,
-  ALERT_RULE_RISK_SCORE,
+  ALERT_RISK_SCORE,
   ALERT_RULE_TYPE_ID,
   ALERT_RULE_UUID,
   ALERT_STATUS,
@@ -35,7 +35,7 @@ const getMockAlert = (): ParsedTechnicalFields => ({
   [ALERT_RULE_CONSUMER]: 'apm',
   [ALERT_RULE_NAME]: 'Check error rate',
   [ALERT_RULE_PRODUCER]: 'apm',
-  [ALERT_RULE_RISK_SCORE]: 20,
+  [ALERT_RISK_SCORE]: 20,
   [ALERT_RULE_TYPE_ID]: 'fake-rule-type-id',
   [ALERT_RULE_UUID]: 'fake-rule-uuid',
   [ALERT_STATUS]: ALERT_STATUS_ACTIVE,

diff --git a/...lugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts b/...lugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts
@@ -14,8 +14,8 @@ import {
 
 import {
   ALERT_RULE_NAME,
-  ALERT_RULE_RISK_SCORE,
-  ALERT_RULE_SEVERITY,
+  ALERT_RISK_SCORE,
+  ALERT_SEVERITY,
   NUMBER_OF_ALERTS,
 } from '../../screens/alerts';
 import {
@@ -505,12 +505,10 @@ describe('indicator match', () => {
 
         cy.get(NUMBER_OF_ALERTS).should('have.text', expectedNumberOfAlerts);
         cy.get(ALERT_RULE_NAME).first().should('have.text', getNewThreatIndicatorRule().name);
-        cy.get(ALERT_RULE_SEVERITY)
+        cy.get(ALERT_SEVERITY)
           .first()
           .should('have.text', getNewThreatIndicatorRule().severity.toLowerCase());
-        cy.get(ALERT_RULE_RISK_SCORE)
-          .first()
-          .should('have.text', getNewThreatIndicatorRule().riskScore);
+        cy.get(ALERT_RISK_SCORE).first().should('have.text', getNewThreatIndicatorRule().riskScore);
       });
 
       it.skip('Investigate alert in timeline', () => {

diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts
@@ -139,7 +139,7 @@ describe('Detection rules, override', () => {
       getDetails(RISK_SCORE_DETAILS).should('have.text', this.rule.riskScore);
       getDetails(RISK_SCORE_OVERRIDE_DETAILS).should(
         'have.text',
-        `${this.rule.riskOverride}kibana.alert.rule.risk_score`
+        `${this.rule.riskOverride}kibana.alert.risk_score`
       );
       getDetails(RULE_NAME_OVERRIDE_DETAILS).should('have.text', this.rule.nameOverride);
       getDetails(REFERENCE_URLS_DETAILS).should((details) => {

diff --git a/x-pack/plugins/security_solution/cypress/screens/alerts.ts b/x-pack/plugins/security_solution/cypress/screens/alerts.ts
@@ -15,14 +15,13 @@ export const ALERT_CHECKBOX = '[data-test-subj~="select-event"].euiCheckbox__inp
 export const ALERT_GRID_CELL = '[data-test-subj="dataGridRowCell"]';
 
 export const ALERT_RISK_SCORE_HEADER =
-  '[data-test-subj="dataGridHeaderCell-kibana.alert.rule.risk_score"]';
+  '[data-test-subj="dataGridHeaderCell-kibana.alert.risk_score"]';
 
 export const ALERT_RULE_NAME = '[data-test-subj="formatted-field-kibana.alert.rule.name"]';
 
-export const ALERT_RULE_RISK_SCORE =
-  '[data-test-subj="formatted-field-kibana.alert.rule.risk_score"]';
+export const ALERT_RISK_SCORE = '[data-test-subj="formatted-field-kibana.alert.risk_score"]';
 
-export const ALERT_RULE_SEVERITY = '[data-test-subj="formatted-field-kibana.alert.rule.severity"]';
+export const ALERT_SEVERITY = '[data-test-subj="formatted-field-kibana.alert.severity"]';
 
 export const ALERT_DATA_GRID = '[data-test-subj="dataGridWrapper"]';
 

diff --git a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts
@@ -161,10 +161,10 @@ export const allowTopN = ({
     'kibana.alert.rule.output_index',
     'kibana.alert.rule.query',
     'kibana.alert.rule.references',
-    'kibana.alert.rule.risk_score',
+    'kibana.alert.risk_score',
     'kibana.alert.rule.rule_id',
     'kibana.alert.rule.saved_id',
-    'kibana.alert.rule.severity',
+    'kibana.alert.severity',
     'kibana.alert.rule.size',
     'kibana.alert.rule.tags',
     'kibana.alert.rule.threat',

diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts b/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts
@@ -392,7 +392,7 @@ export const mockAlertDetailsData = [
     originalValue: 'http://localhost:5601/app/security',
   },
   { category: 'kibana', field: 'kibana.alert.rule.max_signals', values: [100], originalValue: 100 },
-  { category: 'kibana', field: 'kibana.alert.rule.risk_score', values: [21], originalValue: 21 },
+  { category: 'kibana', field: 'kibana.alert.risk_score', values: [21], originalValue: 21 },
   {
     category: 'kibana',
     field: 'kibana.alert.rule.risk_score_mapping',
@@ -459,7 +459,7 @@ export const mockAlertDetailsData = [
   { category: 'kibana', field: 'kibana.alert.rule.references', values: [], originalValue: [] },
   {
     category: 'kibana',
-    field: 'kibana.alert.rule.severity',
+    field: 'kibana.alert.severity',
     values: ['low'],
     originalValue: 'low',
   },

diff --git a/...ion/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap b/...ion/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap
diff --git a/...olution/public/common/components/event_details/overview/__snapshots__/index.test.tsx.snap b/...olution/public/common/components/event_details/overview/__snapshots__/index.test.tsx.snap