[8.x] [Security Solution][Detection Engine] fixes siem-signal update when it was reindexed from v7 to v8 (#206119) (#208174)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution][Detection Engine] fixes siem-signal update when
it was reindexed from v7 to v8
(#206119)](https://github.com/elastic/kibana/pull/206119)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Vitalii
Dmyterko","email":"92328789+vitaliidm@users.noreply.github.com"},"sourceCommit":{"committedDate":"2025-01-24T11:22:30Z","message":"[Security
Solution][Detection Engine] fixes siem-signal update when it was
reindexed from v7 to v8 (#206119)\n\n## Summary\r\n\r\n - addresses
https://github.com/elastic/security-team/issues/11440\r\n\r\n\r\n###
Testing\r\n\r\n1. Create cloud env of 7.17 version, (East US 2
(Virginia) on Azurem\r\nwhere 8.18 snapshot available)\r\n2. Create
rule\r\n3. Generate alerts\r\n4. Create cloud env of 8.18 from existing
7.x snapshot (Restore snapshot\r\ndata option)\r\n5. Connect local
Kibana of 8.18 from mirror branch of
this\r\none(https://github.com/elastic/kibana/pull/206120)\r\n6. Add to
Kibana dev config following options to enable Upgrade\r\nassistant(UA)
showing outdated indices\r\n ```yml\r\n
xpack.upgrade_assistant.featureSet:\r\n mlSnapshots: true\r\n
migrateDataStreams: true\r\n migrateSystemIndices: true\r\n
reindexCorrectiveActions: true\r\n ``` \r\n7. When Kibana started DO NOT
visit Detection rule or any Security page\r\n8. Open KIbana Upgrade
Assistant, \r\n9. Got to step 3 - Review deprecated settings and resolve
issues\r\n11. Click Elasticsearch section\r\n12. Find outdated
.siem-signals-* index\r\n13. Reindex it\r\n14. Visit detection page to
ensure index API updated mappings\r\n\r\nVisit to that page should
initiate `POST /api/detection_engine/index`,\r\nwhich updates
mappings\r\n\r\nSubsequent index status check should return:
\r\n\r\n```JSON\r\nGET kbn:/api/detection_engine/index\r\n\r\n// should
return\r\n\r\n{\r\n \"name\": \".alerts-security.alerts-default\",\r\n
\"index_mapping_outdated\":
false\r\n}\r\n```","sha":"5c670378d44d0af7f5c582fe06b5013008df56d4","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Detections
and Resp","backport:prev-minor","Team:Detection
Engine","v8.18.0"],"title":"[Security Solution][Detection Engine] fixes
siem-signal update when it was reindexed from v7 to
v8","number":206119,"url":"https://github.com/elastic/kibana/pull/206119","mergeCommit":{"message":"[Security
Solution][Detection Engine] fixes siem-signal update when it was
reindexed from v7 to v8 (#206119)\n\n## Summary\r\n\r\n - addresses
https://github.com/elastic/security-team/issues/11440\r\n\r\n\r\n###
Testing\r\n\r\n1. Create cloud env of 7.17 version, (East US 2
(Virginia) on Azurem\r\nwhere 8.18 snapshot available)\r\n2. Create
rule\r\n3. Generate alerts\r\n4. Create cloud env of 8.18 from existing
7.x snapshot (Restore snapshot\r\ndata option)\r\n5. Connect local
Kibana of 8.18 from mirror branch of
this\r\none(https://github.com/elastic/kibana/pull/206120)\r\n6. Add to
Kibana dev config following options to enable Upgrade\r\nassistant(UA)
showing outdated indices\r\n ```yml\r\n
xpack.upgrade_assistant.featureSet:\r\n mlSnapshots: true\r\n
migrateDataStreams: true\r\n migrateSystemIndices: true\r\n
reindexCorrectiveActions: true\r\n ``` \r\n7. When Kibana started DO NOT
visit Detection rule or any Security page\r\n8. Open KIbana Upgrade
Assistant, \r\n9. Got to step 3 - Review deprecated settings and resolve
issues\r\n11. Click Elasticsearch section\r\n12. Find outdated
.siem-signals-* index\r\n13. Reindex it\r\n14. Visit detection page to
ensure index API updated mappings\r\n\r\nVisit to that page should
initiate `POST /api/detection_engine/index`,\r\nwhich updates
mappings\r\n\r\nSubsequent index status check should return:
\r\n\r\n```JSON\r\nGET kbn:/api/detection_engine/index\r\n\r\n// should
return\r\n\r\n{\r\n \"name\": \".alerts-security.alerts-default\",\r\n
\"index_mapping_outdated\":
false\r\n}\r\n```","sha":"5c670378d44d0af7f5c582fe06b5013008df56d4"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/206119","number":206119,"mergeCommit":{"message":"[Security
Solution][Detection Engine] fixes siem-signal update when it was
reindexed from v7 to v8 (#206119)\n\n## Summary\r\n\r\n - addresses
https://github.com/elastic/security-team/issues/11440\r\n\r\n\r\n###
Testing\r\n\r\n1. Create cloud env of 7.17 version, (East US 2
(Virginia) on Azurem\r\nwhere 8.18 snapshot available)\r\n2. Create
rule\r\n3. Generate alerts\r\n4. Create cloud env of 8.18 from existing
7.x snapshot (Restore snapshot\r\ndata option)\r\n5. Connect local
Kibana of 8.18 from mirror branch of
this\r\none(https://github.com/elastic/kibana/pull/206120)\r\n6. Add to
Kibana dev config following options to enable Upgrade\r\nassistant(UA)
showing outdated indices\r\n ```yml\r\n
xpack.upgrade_assistant.featureSet:\r\n mlSnapshots: true\r\n
migrateDataStreams: true\r\n migrateSystemIndices: true\r\n
reindexCorrectiveActions: true\r\n ``` \r\n7. When Kibana started DO NOT
visit Detection rule or any Security page\r\n8. Open KIbana Upgrade
Assistant, \r\n9. Got to step 3 - Review deprecated settings and resolve
issues\r\n11. Click Elasticsearch section\r\n12. Find outdated
.siem-signals-* index\r\n13. Reindex it\r\n14. Visit detection page to
ensure index API updated mappings\r\n\r\nVisit to that page should
initiate `POST /api/detection_engine/index`,\r\nwhich updates
mappings\r\n\r\nSubsequent index status check should return:
\r\n\r\n```JSON\r\nGET kbn:/api/detection_engine/index\r\n\r\n// should
return\r\n\r\n{\r\n \"name\": \".alerts-security.alerts-default\",\r\n
\"index_mapping_outdated\":
false\r\n}\r\n```","sha":"5c670378d44d0af7f5c582fe06b5013008df56d4"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com>

x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts

@@ -102,9 +102,20 @@ export const createDetectionIndex = async (
   const aadIndexAliasName = ruleDataService.getResourceName(`security.alerts-${spaceId}`);
 
   if (await templateNeedsUpdate({ alias: index, esClient })) {
+    const reIndexedIndexPatterns = await getReIndexedV8IndexPatterns({ index, esClient });
+    const template = getSignalsTemplate(index, aadIndexAliasName, spaceId) as Record<
+      string,
+      unknown
+    >;
+
+    // addresses https://github.com/elastic/security-team/issues/11440
+    if (reIndexedIndexPatterns.length > 0 && Array.isArray(template.index_patterns)) {
+      template.index_patterns.push(...reIndexedIndexPatterns);
+    }
+
     await esClient.indices.putIndexTemplate({
       name: index,
-      body: getSignalsTemplate(index, aadIndexAliasName, spaceId) as Record<string, unknown>,
+      body: template,
     });
   }
   // Check if the old legacy siem signals template exists and remove it
@@ -209,3 +220,25 @@ const addIndexAliases = async ({
   };
   await esClient.indices.updateAliases({ body: aliasActions });
 };
+
+/**
+ * checks if indices under alias were reIndexed from v7 to v8(prefixed with '.reindexed-v8-')
+ * returns wildcard index patterns to include these indices and possible rollovers in index template
+ */
+const getReIndexedV8IndexPatterns = async ({
+  esClient,
+  index,
+}: {
+  esClient: ElasticsearchClient;
+  index: string;
+}): Promise<string[]> => {
+  const V8_PREFIX = '.reindexed-v8-';
+  const indices = await esClient.indices.getAlias({ index: `${index}-*`, name: index });
+  return Object.keys(indices).reduce<string[]>((acc, concreteIndexName) => {
+    if (concreteIndexName.startsWith(V8_PREFIX)) {
+      acc.push(`${V8_PREFIX}${index.replace(/^\./, '')}-*`);
+    }
+
+    return acc;
+  }, []);
+};

x-pack/test/functional/es_archives/signals/reindexed_v8_siem_signals/data.json

@@ -0,0 +1,12 @@
+{
+  "type": "doc",
+  "value": {
+    "id": "1",
+    "index": ".reindexed-v8-siem-signals-default-000001",
+    "source": {
+      "@timestamp": "2020-10-10T00:00:00.000Z",
+      "signal": {}
+    },
+    "type": "_doc"
+  }
+}

x-pack/test/functional/es_archives/signals/reindexed_v8_siem_signals/mappings.json

@@ -0,0 +1,31 @@
+{
+  "type": "index",
+  "value": {
+    "aliases": {
+      ".siem-signals-default": {
+        "is_write_index": true
+      },
+      ".siem-signals-default-000001": {}
+    },
+    "index": ".reindexed-v8-siem-signals-default-000001",
+    "mappings": {
+      "_meta": {
+        "version": 1
+      },
+      "properties": {
+        "@timestamp": {
+          "type": "date"
+        },
+        "signal": { "type": "object" }
+      }
+    },
+    "settings": {
+      "index": {
+        "lifecycle": {
+          "name": ".siem-signals-default",
+          "rollover_alias": ".siem-signals-default"
+        }
+      }
+    }
+  }
+}

x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/create_index.ts

@@ -82,6 +82,43 @@ export default ({ getService }: FtrProviderContext) => {
           );
         });
       });
+
+      describe('with reIndexed from 7.xto 8.x .siem-signals index', () => {
+        beforeEach(async () => {
+          await esArchiver.load(
+            'x-pack/test/functional/es_archives/signals/reindexed_v8_siem_signals'
+          );
+        });
+
+        afterEach(async () => {
+          await esArchiver.unload(
+            'x-pack/test/functional/es_archives/signals/reindexed_v8_siem_signals'
+          );
+          await es.indices.delete({
+            index: '.reindexed-v8-siem-signals-default-000002',
+            ignore_unavailable: true,
+          });
+        });
+
+        it('should report that alerts index is outdated', async () => {
+          const { body } = await supertest.get(DETECTION_ENGINE_INDEX_URL).send().expect(200);
+          expect(body).to.eql({
+            index_mapping_outdated: true,
+            name: `${DEFAULT_ALERTS_INDEX}-default`,
+          });
+        });
+
+        it('should update index mappings', async () => {
+          await supertest
+            .post(DETECTION_ENGINE_INDEX_URL)
+            .set('kbn-xsrf', 'true')
+            .send()
+            .expect({ acknowledged: true });
+
+          const { body: indexStatusBody } = await supertest.get(DETECTION_ENGINE_INDEX_URL).send();
+          expect(indexStatusBody.index_mapping_outdated).to.be(false);
+        });
+      });
     });
   });
 };