[RAM] alert table support runtime field (#156899)

## Summary FIX https://github.com/elastic/kibana/issues/156263 & https://github.com/elastic/kibana/issues/155488 ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
2025-04-24 09:48:58 -04:00 · 2023-05-08 13:44:13 -04:00 · 2023-05-08 13:44:13 -04:00 · 73d60085d1
commit 73d60085d1
parent 952489fa71
6 changed files with 54 additions and 5 deletions
--- a/x-pack/plugins/rule_registry/common/search_strategy/index.ts
+++ b/x-pack/plugins/rule_registry/common/search_strategy/index.ts
@ -7,6 +7,7 @@
 import { TechnicalRuleDataFieldName, ValidFeatureId } from '@kbn/rule-data-utils';
 import { IEsSearchRequest, IEsSearchResponse } from '@kbn/data-plugin/common';
 import type {
+  MappingRuntimeFields,
  QueryDslFieldAndFormat,
  QueryDslQueryContainer,
  SortCombinations,
@ -18,6 +19,7 @@ export type RuleRegistrySearchRequest = IEsSearchRequest & {
  query?: Pick<QueryDslQueryContainer, 'bool' | 'ids'>;
  sort?: SortCombinations[];
  pagination?: RuleRegistrySearchRequestPagination;
+  runtimeMappings?: MappingRuntimeFields;
 };

 export interface RuleRegistrySearchRequestPagination {
--- a/x-pack/plugins/rule_registry/server/search_strategy/search_strategy.ts
+++ b/x-pack/plugins/rule_registry/server/search_strategy/search_strategy.ts
@ -136,6 +136,7 @@ export const ruleRegistrySearchStrategyProvider = (
              size,
              from: request.pagination ? request.pagination.pageIndex * size : 0,
              query,
+              ...(request.runtimeMappings ? { runtime_mappings: request.runtimeMappings } : {}),
            },
          };
          return (siemRequest ? requestUserEs : internalUserEs).search(
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/index.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/index.tsx
@ -122,7 +122,11 @@ export const AlertsTableComponent: FC<DetectionEngineAlertTableProps> = ({
    enableIpDetailsFlyout: true,
    onRuleChange,
  });
-  const { browserFields, indexPattern: indexPatterns } = useSourcererDataView(sourcererScope);
+  const {
+    browserFields,
+    indexPattern: indexPatterns,
+    runtimeMappings,
+  } = useSourcererDataView(sourcererScope);
  const license = useLicense();

  const getGlobalFiltersQuerySelector = useMemo(
@ -265,23 +269,25 @@ export const AlertsTableComponent: FC<DetectionEngineAlertTableProps> = ({
      columns: finalColumns,
      browserFields: finalBrowserFields,
      onUpdate: onAlertTableUpdate,
+      runtimeMappings,
      toolbarVisibility: {
        showColumnSelector: !isEventRenderedView,
        showSortSelector: !isEventRenderedView,
      },
    }),
    [
-      finalBoolQuery,
-      configId,
      triggersActionsUi.alertsTableConfigurationRegistry,
+      configId,
+      tableView,
      flyoutSize,
+      finalBoolQuery,
      gridStyle,
      rowHeightsOptions,
      finalColumns,
      finalBrowserFields,
      onAlertTableUpdate,
+      runtimeMappings,
      isEventRenderedView,
-      tableView,
    ]
  );

--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/alerts_table_state.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/alerts_table_state.tsx
@ -16,6 +16,7 @@ import {
  EuiDataGridProps,
  EuiDataGridToolBarVisibilityOptions,
 } from '@elastic/eui';
+import type { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { ALERT_CASE_IDS } from '@kbn/rule-data-utils';
 import type { ValidFeatureId } from '@kbn/rule-data-utils';
 import type {
@ -68,6 +69,7 @@ export type AlertsTableStateProps = {
  showExpandToDetails: boolean;
  browserFields?: BrowserFields;
  onUpdate?: (args: TableUpdateHandlerArgs) => void;
+  runtimeMappings?: MappingRuntimeFields;
  showAlertStatusWithFlapping?: boolean;
  toolbarVisibility?: EuiDataGridToolBarVisibilityOptions;
  /**
@ -140,6 +142,7 @@ const AlertsTableStateWithQueryProvider = ({
  gridStyle,
  browserFields: propBrowserFields,
  onUpdate,
+  runtimeMappings,
  showAlertStatusWithFlapping,
  toolbarVisibility,
  shouldHighlightRow,
@ -233,6 +236,7 @@ const AlertsTableStateWithQueryProvider = ({
    featureIds,
    query,
    pagination,
+    runtimeMappings,
    sort,
    skip: false,
  });
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/use_fetch_alerts.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/use_fetch_alerts.tsx
@ -18,6 +18,7 @@ import type {
  RuleRegistrySearchResponse,
 } from '@kbn/rule-registry-plugin/common/search_strategy';
 import type {
+  MappingRuntimeFields,
  QueryDslFieldAndFormat,
  QueryDslQueryContainer,
  SortCombinations,
@ -35,6 +36,7 @@ export interface FetchAlertsArgs {
    pageIndex: number;
    pageSize: number;
  };
+  runtimeMappings?: MappingRuntimeFields;
  sort: SortCombinations[];
  skip: boolean;
 }
@ -144,6 +146,7 @@ export type UseFetchAlerts = ({
  fields,
  query,
  pagination,
+  runtimeMappings,
  skip,
  sort,
 }: FetchAlertsArgs) => [boolean, FetchAlertResp];
@ -152,6 +155,7 @@ const useFetchAlerts = ({
  fields,
  query,
  pagination,
+  runtimeMappings,
  skip,
  sort,
 }: FetchAlertsArgs): [boolean, FetchAlertResp] => {
@ -284,6 +288,7 @@ const useFetchAlerts = ({
      fields,
      pagination,
      query,
+      runtimeMappings,
      sort,
    };
    if (
@ -295,7 +300,7 @@ const useFetchAlerts = ({
        request: newAlertRequest,
      });
    }
-  }, [featureIds, fields, pagination, query, sort]);
+  }, [featureIds, fields, pagination, query, sort, runtimeMappings]);

  useEffect(() => {
    if (alertRequest.featureIds.length > 0 && !deepEqual(alertRequest, prevAlertRequest.current)) {
--- a/x-pack/test/rule_registry/security_and_spaces/tests/basic/search_strategy.ts
+++ b/x-pack/test/rule_registry/security_and_spaces/tests/basic/search_strategy.ts
@ -173,6 +173,37 @@ export default ({ getService }: FtrProviderContext) => {
          `The privateRuleRegistryAlertsSearchStrategy search strategy is unable to accommodate requests containing multiple feature IDs and one of those IDs is SIEM.`
        );
      });
+
+      it('should be able to handle runtime fields on alerts from siem rules', async () => {
+        const runtimeFieldValue = 'hello world';
+        const runtimeFieldKey = 'hello_world';
+        const result = await secureBsearch.send<RuleRegistrySearchResponse>({
+          supertestWithoutAuth,
+          auth: {
+            username: obsOnlySpacesAllEsRead.username,
+            password: obsOnlySpacesAllEsRead.password,
+          },
+          referer: 'test',
+          kibanaVersion,
+          options: {
+            featureIds: [AlertConsumers.SIEM],
+            runtimeMappings: {
+              [runtimeFieldKey]: {
+                type: 'keyword',
+                script: {
+                  source: `emit('${runtimeFieldValue}')`,
+                },
+              },
+            },
+          },
+          strategy: 'privateRuleRegistryAlertsSearchStrategy',
+        });
+        expect(result.rawResponse.hits.total).to.eql(1);
+        const runtimeFields = result.rawResponse.hits.hits.map(
+          (hit) => hit.fields?.[runtimeFieldKey]
+        );
+        expect(runtimeFields.every((field) => field === runtimeFieldValue));
+      });
    });

    describe('apm', () => {