[Security Solution][Alerts] Don't use maxSignals for topHits agg size (#146564)

## Summary Addresses https://github.com/elastic/kibana/issues/146494 We only need the first document from the bucket to create the alert, not `maxSignals` documents. If `maxSignals` was greater than 100, this caused an error in the search.
2025-04-24 01:38:56 -04:00 · 2022-11-30 07:50:16 -08:00 · 2022-11-30 07:50:16 -08:00 · d659ee6f2e
commit d659ee6f2e
parent 9ad78b244a
2 changed files with 2 additions and 2 deletions
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/alert_suppression/snapshots/build_group_by_field_aggregation.test.ts.snap
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/alert_suppression/snapshots/build_group_by_field_aggregation.test.ts.snap
@ -16,7 +16,7 @@ Object {
      },
      "topHits": Object {
        "top_hits": Object {
-          "size": 100,
+          "size": 1,
          "sort": Array [
            Object {
              "kibana.combined_timestamp": Object {
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/alert_suppression/build_group_by_field_aggregation.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/alert_suppression/build_group_by_field_aggregation.ts
@ -31,7 +31,7 @@ export const buildGroupByFieldAggregation = ({
    aggs: {
      topHits: {
        top_hits: {
-          size: maxSignals,
+          size: 1,
          sort: [
            {
              [aggregatableTimestampField]: {