Send Endpoint Alert _id field up as insights docs track that on status changes (#116687)

* Send Endpoint Alert _id field up as insights docs track that on status changes * Added test to make sure top-level underscore-prefixed fields are allowed Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2025-04-24 09:48:58 -04:00 · 2021-10-29 13:47:31 -06:00 · 2021-10-29 13:47:31 -06:00 · 478d138c32
commit 478d138c32
parent b59b132ff4
2 changed files with 4 additions and 0 deletions
--- a/x-pack/plugins/security_solution/server/lib/telemetry/filters.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/filters.test.ts
@ -10,6 +10,7 @@ import { copyAllowlistedFields } from './filters';
 describe('Security Telemetry filters', () => {
  describe('allowlistEventFields', () => {
    const allowlist = {
+      _id: true,
      a: true,
      b: true,
      c: {
@ -19,12 +20,14 @@ describe('Security Telemetry filters', () => {

    it('filters top level', () => {
      const event = {
+        _id: 'id',
        a: 'a',
        a1: 'a1',
        b: 'b',
        b1: 'b1',
      };
      expect(copyAllowlistedFields(allowlist, event)).toStrictEqual({
+        _id: 'id',
        a: 'a',
        b: 'b',
      });
--- a/x-pack/plugins/security_solution/server/lib/telemetry/filters.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/filters.ts
@ -105,6 +105,7 @@ const allowlistBaseEventFields: AllowlistFields = {
 // blindly. Object contents means that we only copy the fields that appear explicitly in
 // the sub-object.
 export const allowlistEventFields: AllowlistFields = {
+  _id: true,
  '@timestamp': true,
  agent: true,
  Endpoint: true,