[Security Solution] Add aliases, fix types, remove extra fields (#122880) (#123319)

* Add aliases, fix types, remove extra fields * Update aliases version and update tests * Update aliases version test * Remove dangling references to fields * Update test Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit 886ad6fdaf) Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com>
2025-04-23 09:19:04 -04:00 · 2022-01-18 19:25:39 -05:00 · 2022-01-18 19:25:39 -05:00 · 1939432623
commit 1939432623
parent f83ef8dd8c
16 changed files with 52 additions and 498 deletions
--- a/x-pack/plugins/security_solution/common/field_maps/alerts.ts
+++ b/x-pack/plugins/security_solution/common/field_maps/alerts.ts
@ -54,7 +54,7 @@ export const alertsFieldMap: FieldMap = {
    required: false,
  },
  'kibana.alert.group.index': {
-    type: 'keyword',
+    type: 'integer',
    array: false,
    required: false,
  },
--- a/x-pack/plugins/security_solution/common/field_maps/rules.ts
+++ b/x-pack/plugins/security_solution/common/field_maps/rules.ts
@ -26,31 +26,11 @@ export const rulesFieldMap = {
    array: true,
    required: false,
  },
-  'kibana.alert.rule.index': {
-    type: 'keyword',
-    array: true,
-    required: true,
-  },
-  'kibana.alert.rule.language': {
-    type: 'keyword',
-    array: true,
-    required: true,
-  },
  'kibana.alert.rule.max_signals': {
    type: 'long',
    array: true,
    required: true,
  },
-  'kibana.alert.rule.query': {
-    type: 'keyword',
-    array: true,
-    required: true,
-  },
-  'kibana.alert.rule.saved_id': {
-    type: 'keyword',
-    array: true,
-    required: true,
-  },
  'kibana.alert.rule.threat.framework': {
    type: 'keyword',
    array: false,
@ -101,81 +81,6 @@ export const rulesFieldMap = {
    array: false,
    required: true,
  },
-  'kibana.alert.rule.threat_filters': {
-    type: 'keyword',
-    array: true,
-    required: false,
-  },
-  'kibana.alert.rule.threat_index': {
-    type: 'keyword',
-    array: true,
-    required: false,
-  },
-  'kibana.alert.rule.threat_indicator_path': {
-    type: 'keyword',
-    array: true,
-    required: false,
-  },
-  'kibana.alert.rule.threat_language': {
-    type: 'keyword',
-    array: true,
-    required: false,
-  },
-  'kibana.alert.rule.threat_mapping': {
-    type: 'object',
-    array: true,
-    required: false,
-  },
-  'kibana.alert.rule.threat_mapping.entries.field': {
-    type: 'keyword',
-    array: true,
-    required: false,
-  },
-  'kibana.alert.rule.threat_mapping.entries.value': {
-    type: 'keyword',
-    array: true,
-    required: false,
-  },
-  'kibana.alert.rule.threat_mapping.entries.type': {
-    type: 'keyword',
-    array: true,
-    required: false,
-  },
-  'kibana.alert.rule.threat_query': {
-    type: 'keyword',
-    array: true,
-    required: false,
-  },
-  'kibana.alert.rule.threshold': {
-    type: 'object',
-    array: true,
-    required: false,
-  },
-  'kibana.alert.rule.threshold.field': {
-    type: 'keyword',
-    array: false,
-    required: false,
-  },
-  'kibana.alert.rule.threshold.value': {
-    type: 'float',
-    array: false,
-    required: false,
-  },
-  'kibana.alert.rule.threshold.cardinality': {
-    type: 'object',
-    array: true,
-    required: false,
-  },
-  'kibana.alert.rule.threshold.cardinality.field': {
-    type: 'keyword',
-    array: false,
-    required: false,
-  },
-  'kibana.alert.rule.threshold.cardinality.value': {
-    type: 'long',
-    array: false,
-    required: false,
-  },
  'kibana.alert.rule.timeline_id': {
    type: 'keyword',
    array: true,
@ -186,6 +91,11 @@ export const rulesFieldMap = {
    array: true,
    required: false,
  },
+  'kibana.alert.rule.timestamp_override': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
 } as const;

 export type RulesFieldMap = typeof rulesFieldMap;
--- a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts
+++ b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts
@ -139,31 +139,20 @@ export const allowTopN = ({
    'kibana.alert.original_event.timezone',
    'kibana.alert.original_event.type',
    'kibana.alert.original_time',
-    'kibana.alert.parent.depth',
-    'kibana.alert.parent.id',
-    'kibana.alert.parent.index',
-    'kibana.alert.parent.rule',
-    'kibana.alert.parent.type',
    'kibana.alert.rule.created_by',
    'kibana.alert.rule.description',
    'kibana.alert.rule.enabled',
    'kibana.alert.rule.false_positives',
-    'kibana.alert.rule.filters',
    'kibana.alert.rule.from',
    'kibana.alert.rule.uuid',
    'kibana.alert.rule.immutable',
-    'kibana.alert.rule.index',
    'kibana.alert.rule.interval',
-    'kibana.alert.rule.language',
    'kibana.alert.rule.max_signals',
    'kibana.alert.rule.name',
    'kibana.alert.rule.note',
-    'kibana.alert.rule.output_index',
-    'kibana.alert.rule.query',
    'kibana.alert.rule.references',
    'kibana.alert.risk_score',
    'kibana.alert.rule.rule_id',
-    'kibana.alert.rule.saved_id',
    'kibana.alert.severity',
    'kibana.alert.rule.size',
    'kibana.alert.rule.tags',
--- a/x-pack/plugins/security_solution/public/common/components/event_details/mocks/index.ts
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/mocks/index.ts
@ -332,22 +332,6 @@ export const mockAlertDetailsData = [
    originalValue: 'administrator',
  },
  { category: 'user', field: 'user.id', values: ['S-1-0-0'], originalValue: 'S-1-0-0' },
-  // TODO: The `parents` field no longer exists... use `ancestors` and `depth`
-  {
-    category: 'kibana',
-    field: 'kibana.alert.parents',
-    values: [
-      '{"id":"688MAHYB7WTwW_Glsi_d","type":"event","index":"winlogbeat-7.10.0-2020.11.12-000001","depth":0}',
-    ],
-    originalValue: [
-      {
-        id: '688MAHYB7WTwW_Glsi_d',
-        type: 'event',
-        index: 'winlogbeat-7.10.0-2020.11.12-000001',
-        depth: 0,
-      },
-    ],
-  },
  {
    category: 'kibana',
    field: 'kibana.alert.ancestors',
@ -399,12 +383,6 @@ export const mockAlertDetailsData = [
    values: [],
    originalValue: [],
  },
-  {
-    category: 'kibana',
-    field: 'kibana.alert.rule.output_index',
-    values: ['.siem-signals-angelachuang-default'],
-    originalValue: '.siem-signals-angelachuang-default',
-  },
  {
    category: 'kibana',
    field: 'kibana.alert.rule.description',
@ -417,45 +395,9 @@ export const mockAlertDetailsData = [
    values: ['now-360s'],
    originalValue: 'now-360s',
  },
-  {
-    category: 'kibana',
-    field: 'kibana.alert.rule.index',
-    values: [
-      'apm-*-transaction*',
-      'traces-apm*',
-      'auditbeat-*',
-      'endgame-*',
-      'filebeat-*',
-      'logs-*',
-      'packetbeat-*',
-      'winlogbeat-*',
-    ],
-    originalValue: [
-      'apm-*-transaction*',
-      'traces-apm*',
-      'auditbeat-*',
-      'endgame-*',
-      'filebeat-*',
-      'logs-*',
-      'packetbeat-*',
-      'winlogbeat-*',
-    ],
-  },
  { category: 'kibana', field: 'kibana.alert.rule.interval', values: ['5m'], originalValue: '5m' },
-  {
-    category: 'kibana',
-    field: 'kibana.alert.rule.language',
-    values: ['kuery'],
-    originalValue: 'kuery',
-  },
  { category: 'kibana', field: 'kibana.alert.rule.license', values: [''], originalValue: '' },
  { category: 'kibana', field: 'kibana.alert.rule.name', values: ['xxx'], originalValue: 'xxx' },
-  {
-    category: 'kibana',
-    field: 'kibana.alert.rule.query',
-    values: ['@timestamp : * '],
-    originalValue: '@timestamp : * ',
-  },
  { category: 'kibana', field: 'kibana.alert.rule.references', values: [], originalValue: [] },
  {
    category: 'kibana',
@ -477,27 +419,6 @@ export const mockAlertDetailsData = [
    originalValue: 'query',
  },
  { category: 'kibana', field: 'kibana.alert.rule.to', values: ['now'], originalValue: 'now' },
-  {
-    category: 'kibana',
-    field: 'kibana.alert.rule.filters',
-    values: [
-      '{"meta":{"alias":null,"negate":false,"disabled":false,"type":"exists","key":"message","value":"exists"},"exists":{"field":"message"},"$state":{"store":"appState"}}',
-    ],
-    originalValue: [
-      {
-        meta: {
-          alias: null,
-          negate: false,
-          disabled: false,
-          type: 'exists',
-          key: 'message',
-          value: 'exists',
-        },
-        exists: { field: 'message' },
-        $state: { store: 'appState' },
-      },
-    ],
-  },
  {
    category: 'kibana',
    field: 'kibana.alert.rule.created_by',
@ -526,28 +447,6 @@ export const mockAlertDetailsData = [
  },
  { category: 'kibana', field: 'kibana.alert.rule.exceptions_list', values: [], originalValue: [] },
  { category: 'kibana', field: 'kibana.alert.depth', values: [1], originalValue: 1 },
-  // TODO: The `parent` no longer exists. Use `ancestors` and `depth`
-  {
-    category: 'kibana',
-    field: 'kibana.alert.parent.id',
-    values: ['688MAHYB7WTwW_Glsi_d'],
-    originalValue: '688MAHYB7WTwW_Glsi_d',
-  },
-  // TODO: The `parent` no longer exists. Use `ancestors` and `depth`
-  {
-    category: 'kibana',
-    field: 'kibana.alert.parent.type',
-    values: ['event'],
-    originalValue: 'event',
-  },
-  // TODO: The `parent` no longer exists. Use `ancestors` and `depth`
-  {
-    category: 'kibana',
-    field: 'kibana.alert.parent.index',
-    values: ['winlogbeat-7.10.0-2020.11.12-000001'],
-    originalValue: 'winlogbeat-7.10.0-2020.11.12-000001',
-  },
-  { category: 'kibana', field: 'kibana.alert.parent.depth', values: [0], originalValue: 0 },
  {
    category: 'kibana',
    field: 'kibana.alert.original_time',
--- a/x-pack/plugins/security_solution/public/common/components/top_n/helpers.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/top_n/helpers.test.tsx
@ -115,17 +115,12 @@ const ruleNameFilter: Filter = {
 const threatMappingFilter: Filter = {
  meta: {
    alias: null,
-    negate: true,
    disabled: false,
-    type: 'exists',
-    key: 'kibana.alert.rule.threat_mapping',
-    value: 'exists',
-  },
-  query: {
-    exists: {
-      field: 'kibana.alert.rule.threat_mapping',
-    },
+    negate: false,
+    key: 'kibana.alert.rule.type',
+    type: 'term',
  },
+  query: { term: { 'kibana.alert.rule.type': 'threat_match' } },
 };

 const workflowStatusFilter: Filter = {
--- a/x-pack/plugins/security_solution/public/common/components/top_n/helpers.ts
+++ b/x-pack/plugins/security_solution/public/common/components/top_n/helpers.ts
@ -158,7 +158,6 @@ export const IGNORED_ALERT_FILTERS = [
  ALERT_RULE_RULE_ID, // filters alerts to a single rule on the Security > Rules > details pages
  ALERT_RULE_RULE_NAME_OVERRIDE,
  ALERT_RULE_TAGS,
-  'kibana.alert.rule.threat_mapping', // an "Additional filters" option on the alerts table
  ALERT_RULE_TO,
  ALERT_RULE_TYPE,
  ALERT_RULE_TYPE_ID,
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx
@ -162,14 +162,10 @@ export const requiredFieldsForActions = [
  'kibana.alert.group.id',
  'kibana.alert.original_time',
  'kibana.alert.building_block_type',
-  'kibana.alert.rule.filters',
  'kibana.alert.rule.from',
-  'kibana.alert.rule.language',
-  'kibana.alert.rule.query',
  'kibana.alert.rule.name',
  'kibana.alert.rule.to',
  'kibana.alert.rule.uuid',
-  'kibana.alert.rule.index',
  'kibana.alert.rule.type',
  'kibana.alert.original_event.kind',
  'kibana.alert.original_event.module',
--- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/footer.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/footer.tsx
@ -59,7 +59,8 @@ export const EventDetailsFooterComponent = React.memo(
    const ruleIndex = useMemo(
      () =>
        find({ category: 'signal', field: 'signal.rule.index' }, detailsData)?.values ??
-        find({ category: 'kibana', field: 'kibana.alert.rule.index' }, detailsData)?.values,
+        find({ category: 'kibana', field: 'kibana.alert.rule.parameters.index' }, detailsData)
+          ?.values,
      [detailsData]
    );

--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/snapshots/get_signals_template.test.ts.snap
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/snapshots/get_signals_template.test.ts.snap
@ -3,7 +3,7 @@
 exports[`get_signals_template backwards compatibility mappings for version 45 should match snapshot 1`] = `
 Object {
  "_meta": Object {
-    "aliases_version": 1,
+    "aliases_version": 2,
    "version": 45,
  },
  "properties": Object {
@ -31,6 +31,14 @@ Object {
      "path": "signal.depth",
      "type": "alias",
    },
+    "kibana.alert.group.id": Object {
+      "path": "signal.group.id",
+      "type": "alias",
+    },
+    "kibana.alert.group.index": Object {
+      "path": "signal.group.index",
+      "type": "alias",
+    },
    "kibana.alert.original_event.action": Object {
      "path": "signal.original_event.action",
      "type": "alias",
@ -159,18 +167,10 @@ Object {
      "path": "signal.rule.immutable",
      "type": "alias",
    },
-    "kibana.alert.rule.index": Object {
-      "path": "signal.rule.index",
-      "type": "alias",
-    },
    "kibana.alert.rule.interval": Object {
      "path": "signal.rule.interval",
      "type": "alias",
    },
-    "kibana.alert.rule.language": Object {
-      "path": "signal.rule.language",
-      "type": "alias",
-    },
    "kibana.alert.rule.license": Object {
      "path": "signal.rule.license",
      "type": "alias",
@ -187,10 +187,6 @@ Object {
      "path": "signal.rule.note",
      "type": "alias",
    },
-    "kibana.alert.rule.query": Object {
-      "path": "signal.rule.query",
-      "type": "alias",
-    },
    "kibana.alert.rule.references": Object {
      "path": "signal.rule.references",
      "type": "alias",
@ -203,10 +199,6 @@ Object {
      "path": "signal.rule.rule_name_override",
      "type": "alias",
    },
-    "kibana.alert.rule.saved_id": Object {
-      "path": "signal.rule.saved_id",
-      "type": "alias",
-    },
    "kibana.alert.rule.tags": Object {
      "path": "signal.rule.tags",
      "type": "alias",
@ -251,42 +243,6 @@ Object {
      "path": "signal.rule.threat.technique.subtechnique.reference",
      "type": "alias",
    },
-    "kibana.alert.rule.threat_index": Object {
-      "path": "signal.rule.threat_index",
-      "type": "alias",
-    },
-    "kibana.alert.rule.threat_indicator_path": Object {
-      "path": "signal.rule.threat_indicator_path",
-      "type": "alias",
-    },
-    "kibana.alert.rule.threat_language": Object {
-      "path": "signal.rule.threat_language",
-      "type": "alias",
-    },
-    "kibana.alert.rule.threat_mapping.entries.field": Object {
-      "path": "signal.rule.threat_mapping.entries.field",
-      "type": "alias",
-    },
-    "kibana.alert.rule.threat_mapping.entries.type": Object {
-      "path": "signal.rule.threat_mapping.entries.type",
-      "type": "alias",
-    },
-    "kibana.alert.rule.threat_mapping.entries.value": Object {
-      "path": "signal.rule.threat_mapping.entries.value",
-      "type": "alias",
-    },
-    "kibana.alert.rule.threat_query": Object {
-      "path": "signal.rule.threat_query",
-      "type": "alias",
-    },
-    "kibana.alert.rule.threshold.field": Object {
-      "path": "signal.rule.threshold.field",
-      "type": "alias",
-    },
-    "kibana.alert.rule.threshold.value": Object {
-      "path": "signal.rule.threshold.value",
-      "type": "alias",
-    },
    "kibana.alert.rule.timeline_id": Object {
      "path": "signal.rule.timeline_id",
      "type": "alias",
@ -295,6 +251,10 @@ Object {
      "path": "signal.rule.timeline_title",
      "type": "alias",
    },
+    "kibana.alert.rule.timestamp_override": Object {
+      "path": "signal.rule.timestamp_override",
+      "type": "alias",
+    },
    "kibana.alert.rule.to": Object {
      "path": "signal.rule.to",
      "type": "alias",
@ -519,6 +479,9 @@ Object {
              },
              "type": "object",
            },
+            "timestamp_override": Object {
+              "type": "keyword",
+            },
          },
          "type": "object",
        },
@ -570,7 +533,7 @@ Object {
 exports[`get_signals_template backwards compatibility mappings for version 57 should match snapshot 1`] = `
 Object {
  "_meta": Object {
-    "aliases_version": 1,
+    "aliases_version": 2,
    "version": 57,
  },
 }
@ -589,7 +552,7 @@ Object {
    },
    "mappings": Object {
      "_meta": Object {
-        "aliases_version": 1,
+        "aliases_version": 2,
        "version": 67,
      },
      "dynamic": false,
@ -2291,6 +2254,14 @@ Object {
          "path": "signal.depth",
          "type": "alias",
        },
+        "kibana.alert.group.id": Object {
+          "path": "signal.group.id",
+          "type": "alias",
+        },
+        "kibana.alert.group.index": Object {
+          "path": "signal.group.index",
+          "type": "alias",
+        },
        "kibana.alert.original_event.action": Object {
          "path": "signal.original_event.action",
          "type": "alias",
@ -2419,18 +2390,10 @@ Object {
          "path": "signal.rule.immutable",
          "type": "alias",
        },
-        "kibana.alert.rule.index": Object {
-          "path": "signal.rule.index",
-          "type": "alias",
-        },
        "kibana.alert.rule.interval": Object {
          "path": "signal.rule.interval",
          "type": "alias",
        },
-        "kibana.alert.rule.language": Object {
-          "path": "signal.rule.language",
-          "type": "alias",
-        },
        "kibana.alert.rule.license": Object {
          "path": "signal.rule.license",
          "type": "alias",
@ -2447,10 +2410,6 @@ Object {
          "path": "signal.rule.note",
          "type": "alias",
        },
-        "kibana.alert.rule.query": Object {
-          "path": "signal.rule.query",
-          "type": "alias",
-        },
        "kibana.alert.rule.references": Object {
          "path": "signal.rule.references",
          "type": "alias",
@ -2463,10 +2422,6 @@ Object {
          "path": "signal.rule.rule_name_override",
          "type": "alias",
        },
-        "kibana.alert.rule.saved_id": Object {
-          "path": "signal.rule.saved_id",
-          "type": "alias",
-        },
        "kibana.alert.rule.tags": Object {
          "path": "signal.rule.tags",
          "type": "alias",
@ -2511,42 +2466,6 @@ Object {
          "path": "signal.rule.threat.technique.subtechnique.reference",
          "type": "alias",
        },
-        "kibana.alert.rule.threat_index": Object {
-          "path": "signal.rule.threat_index",
-          "type": "alias",
-        },
-        "kibana.alert.rule.threat_indicator_path": Object {
-          "path": "signal.rule.threat_indicator_path",
-          "type": "alias",
-        },
-        "kibana.alert.rule.threat_language": Object {
-          "path": "signal.rule.threat_language",
-          "type": "alias",
-        },
-        "kibana.alert.rule.threat_mapping.entries.field": Object {
-          "path": "signal.rule.threat_mapping.entries.field",
-          "type": "alias",
-        },
-        "kibana.alert.rule.threat_mapping.entries.type": Object {
-          "path": "signal.rule.threat_mapping.entries.type",
-          "type": "alias",
-        },
-        "kibana.alert.rule.threat_mapping.entries.value": Object {
-          "path": "signal.rule.threat_mapping.entries.value",
-          "type": "alias",
-        },
-        "kibana.alert.rule.threat_query": Object {
-          "path": "signal.rule.threat_query",
-          "type": "alias",
-        },
-        "kibana.alert.rule.threshold.field": Object {
-          "path": "signal.rule.threshold.field",
-          "type": "alias",
-        },
-        "kibana.alert.rule.threshold.value": Object {
-          "path": "signal.rule.threshold.value",
-          "type": "alias",
-        },
        "kibana.alert.rule.timeline_id": Object {
          "path": "signal.rule.timeline_id",
          "type": "alias",
@ -2555,6 +2474,10 @@ Object {
          "path": "signal.rule.timeline_title",
          "type": "alias",
        },
+        "kibana.alert.rule.timestamp_override": Object {
+          "path": "signal.rule.timestamp_override",
+          "type": "alias",
+        },
        "kibana.alert.rule.to": Object {
          "path": "signal.rule.to",
          "type": "alias",
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts
@ -47,7 +47,7 @@ export const SIGNALS_TEMPLATE_VERSION = 67;
  UI will call create_index_route and and go through the index update process. Increment this number if
  making changes to the field aliases we use to make signals forwards-compatible.
 */
-export const SIGNALS_FIELD_ALIASES_VERSION = 1;
+export const SIGNALS_FIELD_ALIASES_VERSION = 2;

 /**
  @constant
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
@ -4,6 +4,8 @@
  "signal.ancestors.index": "kibana.alert.ancestors.index",
  "signal.ancestors.type": "kibana.alert.ancestors.type",
  "signal.depth": "kibana.alert.depth",
+  "signal.group.id": "kibana.alert.group.id",
+  "signal.group.index": "kibana.alert.group.index",
  "signal.original_event.action": "kibana.alert.original_event.action",
  "signal.original_event.category": "kibana.alert.original_event.category",
  "signal.original_event.code": "kibana.alert.original_event.code",
@ -37,19 +39,15 @@
  "signal.rule.from": "kibana.alert.rule.from",
  "signal.rule.id": "kibana.alert.rule.uuid",
  "signal.rule.immutable": "kibana.alert.rule.immutable",
-  "signal.rule.index": "kibana.alert.rule.index",
  "signal.rule.interval": "kibana.alert.rule.interval",
-  "signal.rule.language": "kibana.alert.rule.language",
  "signal.rule.license": "kibana.alert.rule.license",
  "signal.rule.max_signals": "kibana.alert.rule.max_signals",
  "signal.rule.name": "kibana.alert.rule.name",
  "signal.rule.note": "kibana.alert.rule.note",
-  "signal.rule.query": "kibana.alert.rule.query",
  "signal.rule.references": "kibana.alert.rule.references",
  "signal.rule.risk_score": "kibana.alert.risk_score",
  "signal.rule.rule_id": "kibana.alert.rule.rule_id",
  "signal.rule.rule_name_override": "kibana.alert.rule.rule_name_override",
-  "signal.rule.saved_id": "kibana.alert.rule.saved_id",
  "signal.rule.severity": "kibana.alert.severity",
  "signal.rule.tags": "kibana.alert.rule.tags",
  "signal.rule.threat.framework": "kibana.alert.rule.threat.framework",
@ -62,17 +60,9 @@
  "signal.rule.threat.technique.subtechnique.id": "kibana.alert.rule.threat.technique.subtechnique.id",
  "signal.rule.threat.technique.subtechnique.name": "kibana.alert.rule.threat.technique.subtechnique.name",
  "signal.rule.threat.technique.subtechnique.reference": "kibana.alert.rule.threat.technique.subtechnique.reference",
-  "signal.rule.threat_index": "kibana.alert.rule.threat_index",
-  "signal.rule.threat_indicator_path": "kibana.alert.rule.threat_indicator_path",
-  "signal.rule.threat_language": "kibana.alert.rule.threat_language",
-  "signal.rule.threat_mapping.entries.field": "kibana.alert.rule.threat_mapping.entries.field",
-  "signal.rule.threat_mapping.entries.value": "kibana.alert.rule.threat_mapping.entries.value",
-  "signal.rule.threat_mapping.entries.type": "kibana.alert.rule.threat_mapping.entries.type",
-  "signal.rule.threat_query": "kibana.alert.rule.threat_query",
-  "signal.rule.threshold.field": "kibana.alert.rule.threshold.field",
-  "signal.rule.threshold.value": "kibana.alert.rule.threshold.value",
  "signal.rule.timeline_id": "kibana.alert.rule.timeline_id",
  "signal.rule.timeline_title": "kibana.alert.rule.timeline_title",
+  "signal.rule.timestamp_override": "kibana.alert.rule.timestamp_override",
  "signal.rule.to": "kibana.alert.rule.to",
  "signal.rule.type": "kibana.alert.rule.type",
  "signal.rule.updated_at": "kibana.alert.rule.updated_at",
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_extra_fields.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_extra_fields.json
@ -168,6 +168,9 @@
                "type": "float"
              }
            }
+          },
+          "timestamp_override": {
+            "type": "keyword"
          }
        }
      },
--- a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx
@ -168,32 +168,21 @@ export const allowSorting = ({
    'kibana.alert.original_event.timezone',
    'kibana.alert.original_event.type',
    'kibana.alert.original_time',
-    'kibana.alert.parent.depth',
-    'kibana.alert.parent.id',
-    'kibana.alert.parent.index',
-    'kibana.alert.parent.rule',
-    'kibana.alert.parent.type',
    'kibana.alert.reason',
    'kibana.alert.rule.created_by',
    'kibana.alert.rule.description',
    'kibana.alert.rule.enabled',
    'kibana.alert.rule.false_positives',
-    'kibana.alert.rule.filters',
    'kibana.alert.rule.from',
    'kibana.alert.rule.uuid',
    'kibana.alert.rule.immutable',
-    'kibana.alert.rule.index',
    'kibana.alert.rule.interval',
-    'kibana.alert.rule.language',
    'kibana.alert.rule.max_signals',
    'kibana.alert.rule.name',
    'kibana.alert.rule.note',
-    'kibana.alert.rule.output_index',
-    'kibana.alert.rule.query',
    'kibana.alert.rule.references',
    'kibana.alert.risk_score',
    'kibana.alert.rule.rule_id',
-    'kibana.alert.rule.saved_id',
    'kibana.alert.severity',
    'kibana.alert.rule.size',
    'kibana.alert.rule.tags',
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts
@ -49,14 +49,10 @@ export const TIMELINE_EVENTS_FIELDS = [
  'kibana.alert.group.id',
  'kibana.alert.original_time',
  'kibana.alert.reason',
-  'kibana.alert.rule.filters',
  'kibana.alert.rule.from',
-  'kibana.alert.rule.language',
-  'kibana.alert.rule.query',
  'kibana.alert.rule.name',
  'kibana.alert.rule.to',
  'kibana.alert.rule.uuid',
-  'kibana.alert.rule.index',
  'kibana.alert.rule.type',
  'kibana.alert.original_event.kind',
  'kibana.alert.original_event.module',
@ -175,12 +171,9 @@ export const TIMELINE_EVENTS_FIELDS = [
  'endgame.target_domain_name',
  'endgame.target_logon_id',
  'endgame.target_user_name',
-  'kibana.alert.rule.saved_id',
  'kibana.alert.rule.timeline_id',
  'kibana.alert.rule.timeline_title',
-  'kibana.alert.rule.output_index',
  'kibana.alert.rule.note',
-  'kibana.alert.rule.threshold',
  'kibana.alert.rule.exceptions_list',
  'kibana.alert.rule.building_block_type',
  'suricata.eve.proto',
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts
@ -139,13 +139,6 @@ describe('#formatTimelineData', () => {
              count: 10000,
              value: '2a990c11-f61b-4c8e-b210-da2574e9f9db',
            },
-            parent: {
-              depth: 0,
-              index:
-                'apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*',
-              id: '0268af90-d8da-576a-9747-2a191519416a',
-              type: 'event',
-            },
            depth: 1,
            _meta: {
              version: 14,
@ -158,13 +151,7 @@ describe('#formatTimelineData', () => {
              references: [],
              description: 'asdasd',
              created_at: '2021-01-09T11:25:45.046Z',
-              language: 'kuery',
-              threshold: {
-                field: '',
-                value: 200,
-              },
              building_block_type: null,
-              output_index: '.siem-signals-patrykkopycinski-default',
              type: 'threshold',
              rule_name_override: null,
              enabled: true,
@ -176,54 +163,8 @@ describe('#formatTimelineData', () => {
              timeline_id: null,
              max_signals: 100,
              author: [],
-              query: '_id :*',
-              index: [
-                'apm-*-transaction*',
-                'traces-apm*',
-                'auditbeat-*',
-                'endgame-*',
-                'filebeat-*',
-                'logs-*',
-                'packetbeat-*',
-                'winlogbeat-*',
-              ],
-              filters: [
-                {
-                  $state: {
-                    store: 'appState',
-                  },
-                  meta: {
-                    negate: false,
-                    alias: null,
-                    disabled: false,
-                    type: 'exists',
-                    value: 'exists',
-                    key: '_index',
-                  },
-                  exists: {
-                    field: '_index',
-                  },
-                },
-                {
-                  $state: {
-                    store: 'appState',
-                  },
-                  meta: {
-                    negate: false,
-                    alias: 'id_exists',
-                    disabled: false,
-                    type: 'exists',
-                    value: 'exists',
-                    key: '_id',
-                  },
-                  exists: {
-                    field: '_id',
-                  },
-                },
-              ],
              created_by: 'patryk_test_user',
              version: 1,
-              saved_id: null,
              tags: [],
              rule_id: '2a990c11-f61b-4c8e-b210-da2574e9f9db',
              license: '',
@ -251,25 +192,13 @@ describe('#formatTimelineData', () => {
                type: 'event',
              },
            ],
-            parents: [
-              {
-                depth: 0,
-                index:
-                  'apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*',
-                id: '0268af90-d8da-576a-9747-2a191519416a',
-                type: 'event',
-              },
-            ],
            workflow_status: 'open',
          },
        },
      },
      fields: {
-        'kibana.alert.rule.output_index': ['.siem-signals-patrykkopycinski-default'],
        'kibana.alert.rule.from': ['now-360s'],
-        'kibana.alert.rule.language': ['kuery'],
        '@timestamp': ['2021-01-09T13:41:40.517Z'],
-        'kibana.alert.rule.query': ['_id :*'],
        'kibana.alert.rule.type': ['threshold'],
        'kibana.alert.rule.uuid': ['696c24e0-526d-11eb-836c-e1620268b945'],
        'kibana.alert.risk_score': [21],
@ -278,16 +207,6 @@ describe('#formatTimelineData', () => {
        'kibana.alert.original_time': ['2021-01-09T13:39:32.595Z'],
        'kibana.alert.severity': ['low'],
        'kibana.alert.rule.version': ['1'],
-        'kibana.alert.rule.index': [
-          'apm-*-transaction*',
-          'traces-apm*',
-          'auditbeat-*',
-          'endgame-*',
-          'filebeat-*',
-          'logs-*',
-          'packetbeat-*',
-          'winlogbeat-*',
-        ],
        'kibana.alert.rule.name': ['Threshold test'],
        'kibana.alert.rule.to': ['now'],
      },
@ -335,67 +254,13 @@ describe('#formatTimelineData', () => {
                exceptions_list: [],
                from: ['now-360s'],
                uuid: ['696c24e0-526d-11eb-836c-e1620268b945'],
-                index: [
-                  'apm-*-transaction*',
-                  'traces-apm*',
-                  'auditbeat-*',
-                  'endgame-*',
-                  'filebeat-*',
-                  'logs-*',
-                  'packetbeat-*',
-                  'winlogbeat-*',
-                ],
-                language: ['kuery'],
                name: ['Threshold test'],
-                output_index: ['.siem-signals-patrykkopycinski-default'],
-                query: ['_id :*'],
                to: ['now'],
                type: ['threshold'],
                version: ['1'],
                timeline_id: [],
                timeline_title: [],
-                saved_id: [],
                note: [],
-                threshold: [
-                  JSON.stringify({
-                    field: '',
-                    value: 200,
-                  }),
-                ],
-                filters: [
-                  JSON.stringify({
-                    $state: {
-                      store: 'appState',
-                    },
-                    meta: {
-                      negate: false,
-                      alias: null,
-                      disabled: false,
-                      type: 'exists',
-                      value: 'exists',
-                      key: '_index',
-                    },
-                    exists: {
-                      field: '_index',
-                    },
-                  }),
-                  JSON.stringify({
-                    $state: {
-                      store: 'appState',
-                    },
-                    meta: {
-                      negate: false,
-                      alias: 'id_exists',
-                      disabled: false,
-                      type: 'exists',
-                      value: 'exists',
-                      key: '_id',
-                    },
-                    exists: {
-                      field: '_id',
-                    },
-                  }),
-                ],
              },
            },
          },
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_index.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_index.ts
@ -11,6 +11,8 @@ import {
  DETECTION_ENGINE_INDEX_URL,
 } from '../../../../plugins/security_solution/common/constants';

+import { SIGNALS_FIELD_ALIASES_VERSION } from '../../../../plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template';
+
 import { FtrProviderContext } from '../../common/ftr_provider_context';
 import { deleteSignalsIndex } from '../../utils';

@ -81,7 +83,7 @@ export default ({ getService }: FtrProviderContext) => {
          });
          // Make sure that aliases_version has been updated on the existing index
          expect(mappings['.siem-signals-default-000001'].mappings?._meta?.aliases_version).to.eql(
-            1
+            SIGNALS_FIELD_ALIASES_VERSION
          );
        });
      });