[Security Solution] Remove extra rule fields from kibana.alert.rule (e…

…lastic#121135)

* Remove kibana.alert.rule.risk_score and severity

* Fix tests related to risk_score and severity

* Make translation a template

* Can't use expression in template literal

* Remove commented line added by bad merge

* Fix linting

Co-authored-by: Kibana Machine <[email protected]>
# Conflicts:
#	x-pack/plugins/security_solution/public/common/components/event_details/overview/__snapshots__/index.test.tsx.snap
#	x-pack/plugins/security_solution/public/common/components/event_details/overview/index.test.tsx
#	x-pack/plugins/security_solution/public/common/components/event_details/overview/index.tsx
#	x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx
#	x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.tsx
#	x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts

packages/kbn-rule-data-utils/src/technical_field_names.ts

@@ -55,12 +55,8 @@ const ALERT_RULE_NAME = `${ALERT_RULE_NAMESPACE}.name` as const;
 const ALERT_RULE_NOTE = `${ALERT_RULE_NAMESPACE}.note` as const;
 const ALERT_RULE_PARAMETERS = `${ALERT_RULE_NAMESPACE}.parameters` as const;
 const ALERT_RULE_REFERENCES = `${ALERT_RULE_NAMESPACE}.references` as const;
-const ALERT_RULE_RISK_SCORE = `${ALERT_RULE_NAMESPACE}.risk_score` as const;
-const ALERT_RULE_RISK_SCORE_MAPPING = `${ALERT_RULE_NAMESPACE}.risk_score_mapping` as const;
 const ALERT_RULE_RULE_ID = `${ALERT_RULE_NAMESPACE}.rule_id` as const;
 const ALERT_RULE_RULE_NAME_OVERRIDE = `${ALERT_RULE_NAMESPACE}.rule_name_override` as const;
-const ALERT_RULE_SEVERITY = `${ALERT_RULE_NAMESPACE}.severity` as const;
-const ALERT_RULE_SEVERITY_MAPPING = `${ALERT_RULE_NAMESPACE}.severity_mapping` as const;
 const ALERT_RULE_TAGS = `${ALERT_RULE_NAMESPACE}.tags` as const;
 const ALERT_RULE_TO = `${ALERT_RULE_NAMESPACE}.to` as const;
 const ALERT_RULE_TYPE = `${ALERT_RULE_NAMESPACE}.type` as const;
@@ -114,12 +110,8 @@ const fields = {
   ALERT_RULE_NOTE,
   ALERT_RULE_PARAMETERS,
   ALERT_RULE_REFERENCES,
-  ALERT_RULE_RISK_SCORE,
-  ALERT_RULE_RISK_SCORE_MAPPING,
   ALERT_RULE_RULE_ID,
   ALERT_RULE_RULE_NAME_OVERRIDE,
-  ALERT_RULE_SEVERITY,
-  ALERT_RULE_SEVERITY_MAPPING,
   ALERT_RULE_TAGS,
   ALERT_RULE_TO,
   ALERT_RULE_TYPE,
@@ -171,19 +163,15 @@ export {
   ALERT_RULE_NOTE,
   ALERT_RULE_PARAMETERS,
   ALERT_RULE_REFERENCES,
-  ALERT_RULE_RISK_SCORE,
-  ALERT_RULE_RISK_SCORE_MAPPING,
   ALERT_RULE_RULE_ID,
   ALERT_RULE_RULE_NAME_OVERRIDE,
-  ALERT_RULE_SEVERITY_MAPPING,
   ALERT_RULE_TAGS,
   ALERT_RULE_TO,
   ALERT_RULE_TYPE,
   ALERT_RULE_TYPE_ID,
   ALERT_RULE_UPDATED_AT,
   ALERT_RULE_UPDATED_BY,
   ALERT_RULE_VERSION,
-  ALERT_RULE_SEVERITY,
   ALERT_SEVERITY,
   ALERT_START,
   ALERT_SYSTEM_STATUS,

x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts

@@ -40,16 +40,6 @@ export const technicalRuleFieldMap = {
     array: false,
     required: false,
   },
-  [Fields.ALERT_RULE_SEVERITY]: {
-    type: 'keyword',
-    array: false,
-    required: false,
-  },
-  [Fields.ALERT_RULE_RISK_SCORE]: {
-    type: 'float',
-    array: false,
-    required: false,
-  },
   [Fields.ALERT_RISK_SCORE]: {
     type: 'float',
     array: false,
@@ -150,26 +140,6 @@ export const technicalRuleFieldMap = {
     array: true,
     required: false,
   },
-  [Fields.ALERT_RULE_RISK_SCORE_MAPPING]: {
-    type: 'object',
-    array: false,
-    required: false,
-  },
-  [`${Fields.ALERT_RULE_RISK_SCORE_MAPPING}.field`]: {
-    type: 'keyword',
-    array: false,
-    required: false,
-  },
-  [`${Fields.ALERT_RULE_RISK_SCORE_MAPPING}.operator`]: {
-    type: 'keyword',
-    array: false,
-    required: false,
-  },
-  [`${Fields.ALERT_RULE_RISK_SCORE_MAPPING}.value`]: {
-    type: 'keyword',
-    array: false,
-    required: false,
-  },
   [Fields.ALERT_RULE_RULE_ID]: {
     type: 'keyword',
     array: false,
@@ -180,31 +150,6 @@ export const technicalRuleFieldMap = {
     array: false,
     required: false,
   },
-  [Fields.ALERT_RULE_SEVERITY_MAPPING]: {
-    type: 'object',
-    array: false,
-    required: false,
-  },
-  [`${Fields.ALERT_RULE_SEVERITY_MAPPING}.field`]: {
-    type: 'keyword',
-    array: false,
-    required: false,
-  },
-  [`${Fields.ALERT_RULE_SEVERITY_MAPPING}.operator`]: {
-    type: 'keyword',
-    array: false,
-    required: false,
-  },
-  [`${Fields.ALERT_RULE_SEVERITY_MAPPING}.value`]: {
-    type: 'keyword',
-    array: false,
-    required: false,
-  },
-  [`${Fields.ALERT_RULE_SEVERITY_MAPPING}.severity`]: {
-    type: 'keyword',
-    array: false,
-    required: false,
-  },
   [Fields.ALERT_RULE_TAGS]: {
     type: 'keyword',
     array: true,

x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.ts

@@ -57,7 +57,7 @@ const esFieldTypeMap = {
   float: t.union([t.number, NumberFromString]),
   scaled_float: t.union([t.number, NumberFromString]),
   unsigned_long: t.union([t.number, NumberFromString]),
-  flattened: t.record(t.string, t.array(t.string)),
+  flattened: t.UnknownRecord,
 };
 
 type EsFieldTypeMap = typeof esFieldTypeMap;

x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts

@@ -11,7 +11,7 @@ import {
   ALERT_RULE_CONSUMER,
   ALERT_RULE_NAME,
   ALERT_RULE_PRODUCER,
-  ALERT_RULE_RISK_SCORE,
+  ALERT_RISK_SCORE,
   ALERT_RULE_TYPE_ID,
   ALERT_RULE_UUID,
   ALERT_STATUS,
@@ -35,7 +35,7 @@ const getMockAlert = (): ParsedTechnicalFields => ({
   [ALERT_RULE_CONSUMER]: 'apm',
   [ALERT_RULE_NAME]: 'Check error rate',
   [ALERT_RULE_PRODUCER]: 'apm',
-  [ALERT_RULE_RISK_SCORE]: 20,
+  [ALERT_RISK_SCORE]: 20,
   [ALERT_RULE_TYPE_ID]: 'fake-rule-type-id',
   [ALERT_RULE_UUID]: 'fake-rule-uuid',
   [ALERT_STATUS]: ALERT_STATUS_ACTIVE,

x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts

@@ -14,8 +14,8 @@ import {
 
 import {
   ALERT_RULE_NAME,
-  ALERT_RULE_RISK_SCORE,
-  ALERT_RULE_SEVERITY,
+  ALERT_RISK_SCORE,
+  ALERT_SEVERITY,
   NUMBER_OF_ALERTS,
 } from '../../screens/alerts';
 import {
@@ -505,12 +505,10 @@ describe('indicator match', () => {
 
         cy.get(NUMBER_OF_ALERTS).should('have.text', expectedNumberOfAlerts);
         cy.get(ALERT_RULE_NAME).first().should('have.text', getNewThreatIndicatorRule().name);
-        cy.get(ALERT_RULE_SEVERITY)
+        cy.get(ALERT_SEVERITY)
           .first()
           .should('have.text', getNewThreatIndicatorRule().severity.toLowerCase());
-        cy.get(ALERT_RULE_RISK_SCORE)
-          .first()
-          .should('have.text', getNewThreatIndicatorRule().riskScore);
+        cy.get(ALERT_RISK_SCORE).first().should('have.text', getNewThreatIndicatorRule().riskScore);
       });
 
       it.skip('Investigate alert in timeline', () => {

x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts

@@ -139,7 +139,7 @@ describe('Detection rules, override', () => {
       getDetails(RISK_SCORE_DETAILS).should('have.text', this.rule.riskScore);
       getDetails(RISK_SCORE_OVERRIDE_DETAILS).should(
         'have.text',
-        `${this.rule.riskOverride}kibana.alert.rule.risk_score`
+        `${this.rule.riskOverride}kibana.alert.risk_score`
       );
       getDetails(RULE_NAME_OVERRIDE_DETAILS).should('have.text', this.rule.nameOverride);
       getDetails(REFERENCE_URLS_DETAILS).should((details) => {

x-pack/plugins/security_solution/cypress/screens/alerts.ts

@@ -15,14 +15,13 @@ export const ALERT_CHECKBOX = '[data-test-subj~="select-event"].euiCheckbox__inp
 export const ALERT_GRID_CELL = '[data-test-subj="dataGridRowCell"]';
 
 export const ALERT_RISK_SCORE_HEADER =
-  '[data-test-subj="dataGridHeaderCell-kibana.alert.rule.risk_score"]';
+  '[data-test-subj="dataGridHeaderCell-kibana.alert.risk_score"]';
 
 export const ALERT_RULE_NAME = '[data-test-subj="formatted-field-kibana.alert.rule.name"]';
 
-export const ALERT_RULE_RISK_SCORE =
-  '[data-test-subj="formatted-field-kibana.alert.rule.risk_score"]';
+export const ALERT_RISK_SCORE = '[data-test-subj="formatted-field-kibana.alert.risk_score"]';
 
-export const ALERT_RULE_SEVERITY = '[data-test-subj="formatted-field-kibana.alert.rule.severity"]';
+export const ALERT_SEVERITY = '[data-test-subj="formatted-field-kibana.alert.severity"]';
 
 export const ALERT_DATA_GRID = '[data-test-subj="dataGridWrapper"]';
 

x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts

@@ -161,10 +161,10 @@ export const allowTopN = ({
     'kibana.alert.rule.output_index',
     'kibana.alert.rule.query',
     'kibana.alert.rule.references',
-    'kibana.alert.rule.risk_score',
+    'kibana.alert.risk_score',
     'kibana.alert.rule.rule_id',
     'kibana.alert.rule.saved_id',
-    'kibana.alert.rule.severity',
+    'kibana.alert.severity',
     'kibana.alert.rule.size',
     'kibana.alert.rule.tags',
     'kibana.alert.rule.threat',

x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts

@@ -392,7 +392,7 @@ export const mockAlertDetailsData = [
     originalValue: 'http://localhost:5601/app/security',
   },
   { category: 'kibana', field: 'kibana.alert.rule.max_signals', values: [100], originalValue: 100 },
-  { category: 'kibana', field: 'kibana.alert.rule.risk_score', values: [21], originalValue: 21 },
+  { category: 'kibana', field: 'kibana.alert.risk_score', values: [21], originalValue: 21 },
   {
     category: 'kibana',
     field: 'kibana.alert.rule.risk_score_mapping',
@@ -459,7 +459,7 @@ export const mockAlertDetailsData = [
   { category: 'kibana', field: 'kibana.alert.rule.references', values: [], originalValue: [] },
   {
     category: 'kibana',
-    field: 'kibana.alert.rule.severity',
+    field: 'kibana.alert.severity',
     values: ['low'],
     originalValue: 'low',
   },

x-pack/plugins/security_solution/public/common/lib/cell_actions/constants.ts

@@ -5,10 +5,12 @@
  * 2.0.
  */
 
+import { ALERT_RISK_SCORE } from '@kbn/rule-data-utils';
+
 /** actions are disabled for these fields in tables and popovers */
 export const FIELDS_WITHOUT_CELL_ACTIONS = [
   'signal.rule.risk_score',
   'signal.reason',
-  'kibana.alert.rule.risk_score',
+  ALERT_RISK_SCORE,
   'kibana.alert.reason',
 ];

x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts

@@ -8,8 +8,8 @@
 import type { AlertsStackByOption } from './types';
 
 export const alertsStackByOptions: AlertsStackByOption[] = [
-  { text: 'kibana.alert.rule.risk_score', value: 'kibana.alert.rule.risk_score' },
-  { text: 'kibana.alert.rule.severity', value: 'kibana.alert.rule.severity' },
+  { text: 'kibana.alert.risk_score', value: 'kibana.alert.risk_score' },
+  { text: 'kibana.alert.severity', value: 'kibana.alert.severity' },
   { text: 'kibana.alert.rule.threat.tactic.name', value: 'kibana.alert.rule.threat.tactic.name' },
   { text: 'destination.ip', value: 'destination.ip' },
   { text: 'event.action', value: 'event.action' },

x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts

@@ -11,8 +11,8 @@ export interface AlertsStackByOption {
 }
 
 export type AlertsStackByField =
-  | 'kibana.alert.rule.risk_score'
-  | 'kibana.alert.rule.severity'
+  | 'kibana.alert.risk_score'
+  | 'kibana.alert.severity'
   | 'kibana.alert.rule.threat.tactic.name'
   | 'destination.ip'
   | 'event.action'