
Adding warning to exceptions that describes field conflicts and mapping issues #2957

Closed
nastasha-solomon opened this issue Jan 30, 2023 · 1 comment · Fixed by #3025
Labels
Feature: Exceptions Team: Security Platform Includes Cyber Threat Intelligence (CTI) team v8.7.0

nastasha-solomon commented Jan 30, 2023

Description

Copy has been added to the Add rule exception flyout that warns users when they're selecting an unmapped field or a field that has conflicting data type mappings.

An unmapped field is a field that isn't defined (not present) in an event or an alert's document. A field with conflicts is a field that's mapped to different data types across multiple indices.

When users select a field that falls under one or both of these categories, they will see the following:

  • A warning icon - The icon displays to the right of the field name in the Field drop-down.

    [image: warning-icon]
  • A warning message in the form of a tooltip - The tooltip displays when the user hovers over the field with the icon.

    [image: Screenshot 2023-02-23 at 3 38 13 PM]
  • An expandable warning message - The message displays after the user selects the field. To view the warning message in full, the user needs to click on the message title ("This field is defined as several types across different indices"). This will expand the warning.

    [image: expandable-message]

Related:

Example 1: Unmapped fields

Here's an example of the warning message that displays when a user selects a field that is unmapped in some indices.

[image: ex1]

The warning message provides the following details:

  1. The _description field is defined as the text data type in the mapping definition for the field_caps_3, field_caps_4, and field_caps_5 indices. This is ok and doesn't break any field data type mapping rules.
  2. The _description field is not defined (i.e., not present) in the field_caps_1 and field_caps_2 indices. This can be problematic if the user expects the exception to apply to the matching _description field value in the field_caps_3, field_caps_4, and field_caps_5 indices as well as the field_caps_1 and field_caps_2 indices.

To find out whether the data type mapping for the _description field wasn't defined or the field wasn't present in the field_caps_1 and field_caps_2 indices, I ran the get mapping API from the console. The request returned the index's mapping definition, and I could see that the _description field was missing from the mapping definitions for both indices. This might've been a mistake or a typo, but the important point here is that, because the _description field is not mapped in the field_caps_1 or the field_caps_2 indices, the exception won't apply to either.

[image: ex1 1]

Example 2: Conflicting data types

In this example, the user selected a field that's been defined as different data types across multiple indices.

[image: ex2]

The warning message provides the following details:

  1. The doc_id field is defined as the text data type in the field_caps_1 and field_caps_2 indices.
  2. The doc_id field is defined as the long data type in the field_caps_3, field_caps_4, and field_caps_5 indices.

Technically, the mapping definitions for all five indices are acceptable. However, unless the user is aware of these data type mappings, they might accidentally configure exception conditions incorrectly.

For example, if the user wasn't aware that the doc_id field was mapped to the long data type in the field_caps_3, field_caps_4, and field_caps_5 indices, and wrote an exception that would only work on the field_caps_1 and field_caps_2 indices, they would still get alerts from the field_caps_3, field_caps_4, and field_caps_5 indices.

Example 3: Conflicting data types and unmapped fields

In this example, the user selected a field that's been defined as different data types across four indices and is unmapped in one index.

[image: ex3]

The warning message provides the following details:

  1. The published field is defined as the boolean data type in the field_caps_1 and field_caps_2 indices.
  2. The published field is defined as the text data type in the field_caps_3 and field_caps_4 indices.
  3. The published field is unmapped in the field_caps_5 index.

Again, technically the mappings in the field_caps_1, field_caps_2, field_caps_3, and field_caps_4 indices are acceptable. The user would just need to be careful when configuring exception conditions and make sure they're entering the correct values. They should also be aware that the exception will not apply to the field_caps_5 index because the published field isn't mapped in that index.

Notes

  • To reduce the amount of text in the warning message, data stream indices are grouped under a single name. An example warning message might look like:
    "This field is defined as several types...
    text (7): logs-tortilla.process-default (3 indices), logs-gcp.audit (4 indices), keyword (3): logs-tortilla.process-default, logs-gcp.audit (2 indices)".
  • When users encounter these warnings, they can choose to keep their data as is, update their index mappings, or handle the conflicts another way.
  • It might be helpful to include a note that, if users select a field with mapping issues, they might encounter unexpected exception behavior (e.g., false positive alerts, which are alerts that shouldn't be generated).
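As an added example that is not part of this issue or of Kibana's code, the TypeScript below derives the warning described in Examples 1 to 3 and in the grouping note from a field_caps-style response for one field. The response shape, the `.ds-<stream>-<date>-<generation>` backing-index naming and the `analyzeField`, `groupIndices` and `formatWarning` names are assumptions made for the example.

```typescript
// Added example, not Kibana's own code: rebuilds the "conflicts / unmapped" warning described
// above from a field_caps-style response. Assumptions: the Elasticsearch field_caps response
// shape (a type entry without `indices` applies to every queried index) and data-stream
// backing indices named `.ds-<stream>-<yyyy.MM.dd>-<generation>`.
interface FieldCapEntry { type: string; indices?: string[] }
interface FieldCapsResponse { indices: string[]; fields: { [f: string]: { [t: string]: FieldCapEntry } } }
// types: data type -> indices mapping the field to it; unmapped: queried indices lacking the field
interface FieldWarning { field: string; types: { [t: string]: string[] }; unmapped: string[]; conflict: boolean }

function analyzeField(resp: FieldCapsResponse, field: string): FieldWarning {
  const caps: { [t: string]: FieldCapEntry } = resp.fields[field] || {};
  const types: { [t: string]: string[] } = {};
  const mapped: { [index: string]: true } = {};
  for (const typeName of Object.keys(caps)) {
    if (typeName === 'unmapped') continue; // include_unmapped=true reports these; recomputed below
    const idx = caps[typeName].indices || resp.indices;
    types[typeName] = idx;
    for (const i of idx) mapped[i] = true;
  }
  const unmapped = resp.indices.filter((i) => !mapped[i]);
  return { field, types, unmapped, conflict: Object.keys(types).length > 1 };
}

// Collapse data-stream backing indices to the stream name plus a count, as the grouping note describes.
function groupIndices(indices: string[]): string {
  const counts: { [name: string]: number } = {};
  for (const name of indices) {
    const m = /^\.ds-(.+)-\d{4}\.\d{2}\.\d{2}-\d+$/.exec(name);
    const key = m ? m[1] : name;
    counts[key] = (counts[key] || 0) + 1;
  }
  return Object.keys(counts).map((k) => (counts[k] > 1 ? `${k} (${counts[k]} indices)` : k)).join(', ');
}

function formatWarning(w: FieldWarning): string {
  const lines: string[] = [];
  if (w.conflict) lines.push('This field is defined as several types across different indices.');
  for (const t of Object.keys(w.types)) lines.push(`${t} (${w.types[t].length}): ${groupIndices(w.types[t])}`);
  if (w.unmapped.length > 0) lines.push(`unmapped (${w.unmapped.length}): ${groupIndices(w.unmapped)}`);
  return lines.join('\n');
}

// Constructed sample mirroring Example 3: boolean in two indices, text in two, absent from field_caps_5.
const EXAMPLE_3: FieldCapsResponse = {
  indices: ['field_caps_1', 'field_caps_2', 'field_caps_3', 'field_caps_4', 'field_caps_5'],
  fields: { published: {
    boolean: { type: 'boolean', indices: ['field_caps_1', 'field_caps_2'] },
    text: { type: 'text', indices: ['field_caps_3', 'field_caps_4'] },
  } },
};
```

Running `formatWarning(analyzeField(EXAMPLE_3, 'published'))` yields the three-part message from Example 3, with the unmapped index listed last.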
@nastasha-solomon nastasha-solomon added Team: Security Platform Includes Cyber Threat Intelligence (CTI) team Feature: Exceptions labels Jan 30, 2023
@nastasha-solomon nastasha-solomon self-assigned this Jan 30, 2023
@nastasha-solomon nastasha-solomon changed the title Adding warning to exceptions that describes mapping issues Adding warning to exceptions that describes field conflicts and mapping issues Feb 22, 2023
e40pud commented Feb 27, 2023

@nastasha-solomon the description above looks good to me and covers the new feature.
