[Attack Discovery][Scheduling] Fix the attack discovery alert type (#218025)

## Summary

This is a fix for the incorrectly generated attack discovery alert
schema type due to the limitation of the generation tool.

x-pack/solutions/security/plugins/elastic_assistant/server/lib/attack_discovery/schedules/constants.ts

@@ -6,12 +6,12 @@
  */
 
 import { IRuleTypeAlerts } from '@kbn/alerting-plugin/server';
-import { SecurityAttackDiscoveryAlert } from '@kbn/alerts-as-data-utils';
 import { attackDiscoveryAlertFieldMap } from './fields';
+import { AttackDiscoveryAlertDocument } from './types';
 
 export const ATTACK_DISCOVERY_ALERTS_CONTEXT = 'security.attack.discovery' as const;
 
-export const ATTACK_DISCOVERY_ALERTS_AAD_CONFIG: IRuleTypeAlerts<SecurityAttackDiscoveryAlert> = {
+export const ATTACK_DISCOVERY_ALERTS_AAD_CONFIG: IRuleTypeAlerts<AttackDiscoveryAlertDocument> = {
   context: ATTACK_DISCOVERY_ALERTS_CONTEXT,
   mappings: { fieldMap: attackDiscoveryAlertFieldMap },
   isSpaceAware: true,

x-pack/solutions/security/plugins/elastic_assistant/server/lib/attack_discovery/schedules/types.ts

@@ -9,6 +9,49 @@ import type { estypes } from '@elastic/elasticsearch';
 import { RuleExecutorOptions, RuleType, RuleTypeState } from '@kbn/alerting-plugin/server';
 import { SecurityAttackDiscoveryAlert } from '@kbn/alerts-as-data-utils';
 import { AttackDiscoveryScheduleParams } from '@kbn/elastic-assistant-common';
+import {
+  ALERT_ATTACK_DISCOVERY_API_CONFIG,
+  ALERT_ATTACK_DISCOVERY_REPLACEMENTS,
+  ALERT_ATTACK_DISCOVERY_USERS,
+} from './fields';
+
+/**
+ * This is a WORKAROUND until the `createSchemaFromFieldMap` can handle complex mappings.
+ * Right now that tool cannot properly handle the combination of optional and required fields within the same nested/object field type.
+ * Instead of creating an intersection type it generates a separate fields in required and optional sections as separate flattened fields.
+ * As a workaround, we strip out incorrectly generated fields and re-add them in a correct format.
+ */
+export type AttackDiscoveryAlertDocument = Omit<
+  SecurityAttackDiscoveryAlert,
+  | 'kibana.alert.attack_discovery.api_config'
+  | 'kibana.alert.attack_discovery.api_config.action_type_id'
+  | 'kibana.alert.attack_discovery.api_config.connector_id'
+  | 'kibana.alert.attack_discovery.api_config.model'
+  | 'kibana.alert.attack_discovery.api_config.name'
+  | 'kibana.alert.attack_discovery.api_config.provider'
+  | 'kibana.alert.attack_discovery.replacements'
+  | 'kibana.alert.attack_discovery.replacements.value'
+  | 'kibana.alert.attack_discovery.replacements.uuid'
+  | 'kibana.alert.attack_discovery.users'
+  | 'kibana.alert.attack_discovery.users.id'
+  | 'kibana.alert.attack_discovery.users.name'
+> & {
+  [ALERT_ATTACK_DISCOVERY_API_CONFIG]: {
+    action_type_id: string;
+    connector_id: string;
+    model?: string;
+    name: string;
+    provider?: string;
+  };
+  [ALERT_ATTACK_DISCOVERY_REPLACEMENTS]?: Array<{
+    value: string;
+    uuid: string;
+  }>;
+  [ALERT_ATTACK_DISCOVERY_USERS]?: Array<{
+    id?: string;
+    name: string;
+  }>;
+};
 
 export type AttackDiscoveryExecutorOptions = RuleExecutorOptions<
   AttackDiscoveryScheduleParams,
@@ -16,7 +59,7 @@ export type AttackDiscoveryExecutorOptions = RuleExecutorOptions<
   {},
   {},
   'default',
-  SecurityAttackDiscoveryAlert
+  AttackDiscoveryAlertDocument
 >;
 
 export type AttackDiscoveryScheduleType = RuleType<
@@ -27,7 +70,7 @@ export type AttackDiscoveryScheduleType = RuleType<
   {},
   'default',
   never,
-  SecurityAttackDiscoveryAlert
+  AttackDiscoveryAlertDocument
 >;
 
 export interface AttackDiscoveryScheduleSort {