[Security Solution][Alerts] Strip kibana fields from source docs before building alert (#148923)

## Summary Addresses https://github.com/elastic/kibana/issues/147418 When generating alerts-on-alerts, we don't want fields specific to the original alert to pollute the new alert as that could be misleading. E.g. in the linked issue, an alert-on-suppressed-alert was copying over suppression fields to the new alert, even though the new alert does not have suppression enabled. This PR remove all fields starting with `kibana` from source documents before copying them into the new alert doc. Prior to this PR, for alerts-on-alerts most `kibana` fields would already have been overwritten by the `kibana` fields created as part of the new alert creation process. The exceptions would be fields that are unique to specific types of alerts, such as `kibana.alert.group.id` for EQL alerts and the new suppression fields.
2025-04-24 17:59:23 -04:00 · 2023-01-19 08:51:06 -08:00 · 2023-01-19 08:51:06 -08:00 · 45855feb35
commit 45855feb35
parent a31d844318
2 changed files with 39 additions and 0 deletions
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/filter_source.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/filter_source.test.ts
@ -0,0 +1,33 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { filterSource } from './filter_source';
+
+describe('filterSource', () => {
+  test('should remove keys starting with kibana without modifying the original doc', () => {
+    const testDoc = {
+      _index: '',
+      _id: '',
+      _source: {
+        'kibana.alert.suppression.docs_count': 5,
+        'host.name': 'test-host',
+      },
+    };
+    const filtered = filterSource(testDoc);
+    expect(filtered).toEqual({
+      'host.name': 'test-host',
+    });
+    expect(testDoc).toEqual({
+      _index: '',
+      _id: '',
+      _source: {
+        'kibana.alert.suppression.docs_count': 5,
+        'host.name': 'test-host',
+      },
+    });
+  });
+});
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/filter_source.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/filter_source.ts
@ -25,5 +25,11 @@ export const filterSource = (doc: SignalSourceHit) => {
    [ALERT_THRESHOLD_RESULT]: null,
  };

+  Object.keys(filteredSource).forEach((key) => {
+    if (key.startsWith('kibana')) {
+      delete filteredSource[key];
+    }
+  });
+
  return filteredSource;
 };