[EDR Workflows] Remove usage of _source in automated response actions (#162316)

x-pack/plugins/security_solution/public/management/hooks/response_actions/use_get_automated_action_list.ts

@@ -124,11 +124,9 @@ export const useGetAutomatedActionResponseList = (
         )
       );
 
-      const action = responseData.edges[0]?._source;
-
       return {
         action_id: actionId,
-        completedAt: action?.EndpointActions.completed_at,
+        completedAt: responseData.edges[0]?.fields?.['EndpointActions.completed_at']?.[0],
         isExpired: responseData.isExpired,
         wasSuccessful: responseData.wasSuccessful,
         isCompleted: responseData.isCompleted,

x-pack/plugins/security_solution/server/search_strategy/endpoint/factory/response_actions/actions/query.all_actions.dsl.ts

@@ -34,6 +34,7 @@ export const buildResponseActionsQuery = (
     ignore_unavailable: true,
     body: {
       fields,
+      _source: false,
       query: {
         bool: {
           minimum_should_match: 2,

x-pack/plugins/security_solution/server/search_strategy/endpoint/factory/response_actions/results/query.action_results.dsl.ts

@@ -13,10 +13,13 @@ export const buildActionResultsQuery = ({
   actionId,
   sort,
 }: ActionResponsesRequestOptions): ISearchRequestParams => {
+  const fields = [{ field: '*' }, { field: 'EndpointActions.*', include_unmapped: true }];
   const dslQuery = {
     allow_no_indices: true,
     index: [ENDPOINT_ACTION_RESPONSES_INDEX],
     body: {
+      fields,
+      _source: false,
       size: 1,
       query: {
         term: { action_id: actionId },