[Security Solution] Remove index false from artifact saved objects mappings

[kevinlog]

Updates the mappings for the artifact saved objects

This effort is part of https://github.com/elastic/security-team/issues/6268 and https://github.com/elastic/dev/issues/2189

[elasticmachine]

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

[rylnd]

@kevinlog if none of these fields were being indexed previously, I suspect that mapping most of them is unnecessary. Ideally, all of these fields would be removed from the mapping declaration entirely, and reflected in a schema elsewhere, but the tricky part of this issue is determining which fields are actively used, or may be used in the future (since the whole point is to prevent any non-additive changes in the future).

For AET we're effectively removing all the index: false fields from each SO and seeing if anything breaks (both through automated tests, smoke tests, and domain knowledge of those SOs (😅)).

[kevinlog]

@rylnd

Ideally, all of these fields would be removed from the mapping declaration entirely, and reflected in a schema elsewhere, but the tricky part of this issue is determining which fields are actively used, or may be used in the future (since the whole point is to prevent any non-additive changes in the future).

Makes sense. I want @dasansol92 and @paul-tavares to take a look first before removing anything else. I ran a smoke test and it looked OK. Tests are running now.

It looks like we have these represented in a schema here: https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/common/endpoint/schema/common.ts#L10

[paul-tavares]

So this SO type (endpoint:user-artifact) is actually one we no longer use and have an issue open to remove it (team issue 6214), so whatever changes you want to do here, you can

[kevinlog]

@paul-tavares I went ahead and removed the SO here: 19d06c7

[TinaHeiligers]

LGTM

[rylnd]

I didn't see an explanation in the comments/PR so I'll ask here: why are we adding mappings for these fields, when they previously weren't needed? These mappings can be added at any point in the future, but this is our last opportunity to remove anything unnecessarily indexed (or specified to not be indexed).

[kevinlog]

@rylnd apologies - I was doing some smoke testing locally with the fields removed first. All looks OK, so I pushed up the changes.

[paul-tavares]

thats Awesome - Thanks @kevinlog for removing that type.

[kevinlog]

Hi @TinaHeiligers - could I get one more review from kibana-core on this? I made some changes involving removing an SO since your initial review. Apologies for the changes, this went through a couple rounds of discussion with the team.

[TinaHeiligers]

The updated code LGTM.
Thanks for cleaning up!

[azasypkin]

Changes in saved_object_api_integration/common/fixtures/es_archiver/saved_objects/spaces/mappings.json LGTM

[kibana-ci]

💚 Build Succeeded

• Buildkite Build
• Commit: 85395d5

Metrics [docs]

Unknown metric groups

ESLint disabled line counts

id	before	after	diff
enterpriseSearch	17	19	+2
securitySolution	396	399	+3
total			+5

Total ESLint disabled count

id	before	after	diff
enterpriseSearch	18	20	+2
securitySolution	476	479	+3
total			+5

History

• 💔 Build #122834 failed 1aad7c0
• 💚 Build #121507 succeeded 8230f87
• 💔 Build #121347 failed e95a49f
• 💔 Build #121330 failed efdd7b1
• 💔 Build #121322 failed 0ea2a73

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream