Wrong field mappings for the cloud trail logs

cypress/integration/1_detectors.spec.js

@@ -10,6 +10,7 @@ import dns_name_rule_data from '../fixtures/integration_tests/rule/create_dns_ru
 import dns_type_rule_data from '../fixtures/integration_tests/rule/create_dns_rule_with_type_selection.json';
 import dns_mapping_fields from '../fixtures/integration_tests/rule/sample_dns_field_mappings.json';
 import _ from 'lodash';
+import { getMappingFields } from '../../public/pages/Detectors/utils/helpers';
 
 const cypressIndexDns = 'cypress-index-dns';
 const cypressIndexWindows = 'cypress-index-windows';
@@ -56,7 +57,9 @@ const validateFieldMappingsTable = () => {
       if (_.isEmpty(properties)) {
         validatePendingFieldMappingsPanel(Object.entries(mappingFields));
       } else {
-        validateAutomaticFieldMappingsPanel(Object.entries(properties));
+        const items = getMappingFields(properties, [], '');
+        items.map((item) => [item.ruleFieldName, item.logFieldName]);
+        validateAutomaticFieldMappingsPanel(items);
       }
     });
   });

public/pages/Detectors/components/FieldMappingsView/FieldMappingsView.tsx

@@ -12,6 +12,7 @@ import { FieldMapping } from '../../../../../models/interfaces';
 import { errorNotificationToast } from '../../../../utils/helpers';
 import { NotificationsStart } from 'opensearch-dashboards/public';
 import { Detector } from '../../../../../types';
+import { getMappingFields } from '../../utils/helpers';
 
 export interface FieldMappingsViewProps {
   detector: Detector;
@@ -60,13 +61,11 @@ export const FieldMappingsView: React.FC<FieldMappingsViewProps> = ({
       if (getMappingRes?.ok) {
         const mappingsData = getMappingRes.response[indexName];
         if (mappingsData) {
-          let items: FieldMappingsTableItem[] = [];
-          Object.entries(mappingsData.mappings.properties).forEach((entry) => {
-            items.push({
-              ruleFieldName: entry[0],
-              logFieldName: entry[1].path,
-            });
-          });
+          const items: FieldMappingsTableItem[] = getMappingFields(
+            mappingsData.mappings.properties,
+            [],
+            ''
+          );
 
           setFieldMappingItems(items);
         }

public/pages/Detectors/containers/FieldMappings/EditFieldMapping.tsx

@@ -19,6 +19,8 @@ import { FieldMapping } from '../../../../../models/interfaces';
 import FieldMappingService from '../../../../services/FieldMappingService';
 import { MappingViewType } from '../../../CreateDetector/components/ConfigureFieldMapping/components/RequiredFieldMapping/FieldMappingsTable';
 import { Detector } from '../../../../../types';
+import { FieldMappingsTableItem } from '../../../CreateDetector/models/interfaces';
+import { getMappingFields } from '../../utils/helpers';
 import _ from 'lodash';
 
 export interface ruleFieldToIndexFieldMap {
@@ -117,13 +119,14 @@ export default class EditFieldMappings extends Component<
         const mappingsRes = await this.props.fieldMappingService?.getMappings(indexName);
         if (mappingsRes?.ok) {
           const mappedFieldsInfo = mappingsRes.response[indexName].mappings.properties;
-          let mappedRuleFields = Object.keys(mappedFieldsInfo);
+          const items: FieldMappingsTableItem[] = getMappingFields(mappedFieldsInfo, [], '');
+          let mappedRuleFields = _.map(items, 'ruleFieldName');
           unmappedRuleFields = unmappedRuleFields.filter((ruleField) => {
             return !mappedRuleFields.includes(ruleField);
           });
 
-          mappedRuleFields.forEach((ruleField) => {
-            existingMappings[ruleField] = mappedFieldsInfo[ruleField].path;
+          items.forEach((ruleField) => {
+            existingMappings[ruleField.ruleFieldName] = ruleField.logFieldName;
           });
 
           for (let key in existingMappings) {

public/pages/Detectors/utils/helpers.ts

@@ -4,6 +4,7 @@
  */
 
 import { DetectorHit } from '../../../../server/models/interfaces';
+import { FieldMappingsTableItem } from '../../../../types';
 
 export function getDetectorIds(detectors: DetectorHit[]) {
   return detectors.map((detector) => detector._id).join(', ');
@@ -12,3 +13,23 @@ export function getDetectorIds(detectors: DetectorHit[]) {
 export function getDetectorNames(detectors: DetectorHit[]) {
   return detectors.map((detector) => detector._source.name).join(', ');
 }
+
+export const getMappingFields = (
+  properties: any,
+  items: FieldMappingsTableItem[] = [],
+  prefix: string = ''
+): FieldMappingsTableItem[] => {
+  for (let field in properties) {
+    const fullFieldName = prefix ? `${prefix}.${field}` : field;
+    const nextProperties = properties[field].properties;
+    if (!nextProperties) {
+      items.push({
+        ruleFieldName: fullFieldName,
+        logFieldName: properties[field].path,
+      });
+    } else {
+      getMappingFields(nextProperties, items, fullFieldName);
+    }
+  }
+  return items;
+};