[8.9] [Security Solution] formatAlertForNotificationActions fails to merge dot and object notations correctly (#164075) (#164267)

# Backport

This will backport the following commits from `main` to `8.9`:
- [[Security Solution] formatAlertForNotificationActions fails to merge
dot and object notations correctly
(#164075)](https://github.com/elastic/kibana/pull/164075)

<!--- Backport version: 8.9.8 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Ievgen
Sorokopud","email":"ievgen.sorokopud@elastic.co"},"sourceCommit":{"committedDate":"2023-08-17T08:39:24Z","message":"[Security
Solution] formatAlertForNotificationActions fails to merge dot and
object notations correctly (#164075)\n\n## Summary\r\n\r\nOriginal
ticket: #163844\r\n\r\nThese changes fix the issue with the incorrect
`expandDottedObject`\r\nfunctionality which instead of merging objects
would replace with the\r\nlatest version of
it.","sha":"a50b33032359410e7ee93e65a6cff58e00205856","branchLabelMapping":{"^v8.10.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:
SecuritySolution","ci:cloud-deploy","Team:Detection
Engine","v8.10.0","v8.11.0","v8.9.2"],"number":164075,"url":"https://github.com/elastic/kibana/pull/164075","mergeCommit":{"message":"[Security
Solution] formatAlertForNotificationActions fails to merge dot and
object notations correctly (#164075)\n\n## Summary\r\n\r\nOriginal
ticket: #163844\r\n\r\nThese changes fix the issue with the incorrect
`expandDottedObject`\r\nfunctionality which instead of merging objects
would replace with the\r\nlatest version of
it.","sha":"a50b33032359410e7ee93e65a6cff58e00205856"}},"sourceBranch":"main","suggestedTargetBranches":["8.11","8.9"],"targetPullRequestStates":[{"branch":"main","label":"v8.10.0","labelRegex":"^v8.10.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/164075","number":164075,"mergeCommit":{"message":"[Security
Solution] formatAlertForNotificationActions fails to merge dot and
object notations correctly (#164075)\n\n## Summary\r\n\r\nOriginal
ticket: #163844\r\n\r\nThese changes fix the issue with the incorrect
`expandDottedObject`\r\nfunctionality which instead of merging objects
would replace with the\r\nlatest version of
it.","sha":"a50b33032359410e7ee93e65a6cff58e00205856"}},{"branch":"8.11","label":"v8.11.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.9","label":"v8.9.2","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"url":"https://github.com/elastic/kibana/pull/164140","number":164140,"branch":"8.10","state":"MERGED","mergeCommit":{"sha":"7d8b808d8acf6d8f8824cafea649f23556347edf","message":"[8.10]
[Security Solution] formatAlertForNotificationActions fails to merge dot
and object notations correctly (#164075) (#164140)\n\n# Backport\n\nThis
will backport the following commits from `main` to `8.10`:\n- [[Security
Solution] formatAlertForNotificationActions fails to merge\ndot and
object notations
correctly\n(#164075)](https://github.com/elastic/kibana/pull/164075)\n\n<!---
Backport version: 8.9.7 -->\n\n### Questions ?\nPlease refer to the
[Backport
tool\ndocumentation](https://github.com/sqren/backport)\n\n<!--BACKPORT
[{\"author\":{\"name\":\"Ievgen\nSorokopud\",\"email\":\"ievgen.sorokopud@elastic.co\"},\"sourceCommit\":{\"committedDate\":\"2023-08-17T08:39:24Z\",\"message\":\"[Security\nSolution]
formatAlertForNotificationActions fails to merge dot and\nobject
notations correctly (#164075)\\n\\n##
Summary\\r\\n\\r\\nOriginal\nticket: #163844\\r\\n\\r\\nThese changes
fix the issue with the
incorrect\n`expandDottedObject`\\r\\nfunctionality which instead of
merging objects\nwould replace with the\\r\\nlatest version
of\nit.\",\"sha\":\"a50b33032359410e7ee93e65a6cff58e00205856\",\"branchLabelMapping\":{\"^v8.10.0$\":\"main\",\"^v(\\\\d+).(\\\\d+).\\\\d+$\":\"$1.$2\"}},\"sourcePullRequest\":{\"labels\":[\"release_note:fix\",\"Team:\nSecuritySolution\",\"ci:cloud-deploy\",\"Team:Detection\nEngine\",\"v8.10.0\",\"v8.11.0\"],\"number\":164075,\"url\":\"https://github.com/elastic/kibana/pull/164075\",\"mergeCommit\":{\"message\":\"[Security\nSolution]
formatAlertForNotificationActions fails to merge dot and\nobject
notations correctly (#164075)\\n\\n##
Summary\\r\\n\\r\\nOriginal\nticket: #163844\\r\\n\\r\\nThese changes
fix the issue with the
incorrect\n`expandDottedObject`\\r\\nfunctionality which instead of
merging objects\nwould replace with the\\r\\nlatest version
of\nit.\",\"sha\":\"a50b33032359410e7ee93e65a6cff58e00205856\"}},\"sourceBranch\":\"main\",\"suggestedTargetBranches\":[\"8.11\"],\"targetPullRequestStates\":[{\"branch\":\"main\",\"label\":\"v8.10.0\",\"labelRegex\":\"^v8.10.0$\",\"isSourceBranch\":true,\"state\":\"MERGED\",\"url\":\"https://github.com/elastic/kibana/pull/164075\",\"number\":164075,\"mergeCommit\":{\"message\":\"[Security\nSolution]
formatAlertForNotificationActions fails to merge dot and\nobject
notations correctly (#164075)\\n\\n##
Summary\\r\\n\\r\\nOriginal\nticket: #163844\\r\\n\\r\\nThese changes
fix the issue with the
incorrect\n`expandDottedObject`\\r\\nfunctionality which instead of
merging objects\nwould replace with the\\r\\nlatest version
of\nit.\",\"sha\":\"a50b33032359410e7ee93e65a6cff58e00205856\"}},{\"branch\":\"8.11\",\"label\":\"v8.11.0\",\"labelRegex\":\"^v(\\\\d+).(\\\\d+).\\\\d+$\",\"isSourceBranch\":false,\"state\":\"NOT_CREATED\"}]}]\nBACKPORT-->\n\nCo-authored-by:
Ievgen Sorokopud <ievgen.sorokopud@elastic.co>"}}]}] BACKPORT-->

x-pack/plugins/security_solution/common/utils/expand_dotted.test.ts

@@ -134,4 +134,24 @@ describe('Expand Dotted', () => {
       },
     });
   });
+  it('should merge objects when field represented as an object followed by similar dotted field', () => {
+    const dottedObj = {
+      kibana: { test2: 'b', test3: 'c' },
+      'kibana.test1': 'a',
+      'kibana.test3': 'd',
+    };
+    expect(expandDottedObject(dottedObj)).toEqual({
+      kibana: { test1: 'a', test2: 'b', test3: 'd' },
+    });
+  });
+  it('should merge objects when dotted field followed by similar field represented as an object', () => {
+    const dottedObj = {
+      'kibana.test1': 'a',
+      'kibana.test3': 'd',
+      kibana: { test2: 'b', test3: 'c' },
+    };
+    expect(expandDottedObject(dottedObj)).toEqual({
+      kibana: { test1: 'a', test2: 'b', test3: 'c' },
+    });
+  });
 });

x-pack/plugins/security_solution/common/utils/expand_dotted.ts

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import { setWith } from 'lodash';
+import { merge, setWith } from 'lodash';
 
 /*
  * Expands an object with "dotted" fields to a nested object with unflattened fields.
@@ -47,7 +47,7 @@ export const expandDottedObject = (
     const isOneElementArray =
       changeArrayOfLengthOneToString && Array.isArray(value) && value.length === 1;
 
-    setWith(returnObj, key, isOneElementArray ? value[0] : value, Object);
+    merge(returnObj, setWith({}, key, isOneElementArray ? value[0] : value, Object));
   });
   return returnObj;
 };

x-pack/plugins/security_solution/server/lib/detection_engine/rule_actions_legacy/logic/notifications/schedule_notification_actions.test.ts

@@ -148,4 +148,67 @@ describe('schedule_notification_actions', () => {
       })
     );
   });
+
+  describe('formatAlertsForNotificationActions', () => {
+    it('should properly format alerts with the field represented as an object followed by similar dotted field', () => {
+      const signals = [
+        {
+          'kibana.alert.uuid': '1',
+          user: {
+            risk: {
+              calculated_level: 'Unknown',
+              calculated_score_norm: 5,
+            },
+          },
+          'user.name': 'my-user',
+        },
+      ];
+      expect(formatAlertsForNotificationActions(signals)).toEqual([
+        {
+          kibana: {
+            alert: {
+              uuid: '1',
+            },
+          },
+          user: {
+            risk: {
+              calculated_level: 'Unknown',
+              calculated_score_norm: 5,
+            },
+            name: 'my-user',
+          },
+        },
+      ]);
+    });
+    it('should properly format alerts with the dotted field followed by similar field represented as an object', () => {
+      const signals = [
+        {
+          'kibana.alert.uuid': '1',
+          'user.name': 'my-user',
+          user: {
+            risk: {
+              calculated_level: 'Unknown',
+              calculated_score_norm: 5,
+            },
+          },
+        },
+      ];
+      expect(formatAlertsForNotificationActions(signals)).toEqual([
+        {
+          kibana: {
+            alert: {
+              uuid: '1',
+            },
+          },
+          user: {
+            risk: {
+              calculated_level: 'Unknown',
+              calculated_score_norm: 5,
+            },
+            name: 'my-user',
+          },
+        },
+      ]);
+    });
+  });
 });