Filter out 'signal.*' fields to prevent alias clashes (#124410)

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2025-04-23 17:28:26 -04:00 · 2022-02-07 16:07:54 -05:00 · 2022-02-07 16:07:54 -05:00 · ed37a15ec1
commit ed37a15ec1
parent 31a953b86b
2 changed files with 45 additions and 0 deletions
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/filter_source.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/filter_source.ts
@ -13,11 +13,13 @@ export const filterSource = (doc: SignalSourceHit): Partial<RACAlert> => {
  const docSource = doc._source ?? {};
  const {
    event,
+    signal,
    threshold_result: siemSignalsThresholdResult,
    [ALERT_THRESHOLD_RESULT]: alertThresholdResult,
    ...filteredSource
  } = docSource || {
    event: null,
+    signal: null,
    threshold_result: null,
    [ALERT_THRESHOLD_RESULT]: null,
  };
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts
@ -940,6 +940,49 @@ export default ({ getService }: FtrProviderContext) => {
      });
    });

+    /**
+     * Here we test that 8.0.x alerts can be generated on legacy (pre-8.x) alerts.
+     */
+    describe('Signals generated from legacy signals', async () => {
+      beforeEach(async () => {
+        await deleteSignalsIndex(supertest, log);
+        await createSignalsIndex(supertest, log);
+        await esArchiver.load(
+          'x-pack/test/functional/es_archives/security_solution/legacy_cti_signals'
+        );
+      });
+
+      afterEach(async () => {
+        await esArchiver.unload(
+          'x-pack/test/functional/es_archives/security_solution/legacy_cti_signals'
+        );
+        await deleteSignalsIndex(supertest, log);
+        await deleteAllAlerts(supertest, log);
+      });
+
+      it('should generate a signal-on-legacy-signal with legacy index pattern', async () => {
+        const rule: QueryCreateSchema = {
+          ...getRuleForSignalTesting([`.siem-signals-*`]),
+        };
+        const { id } = await createRule(supertest, log, rule);
+        await waitForRuleSuccessOrStatus(supertest, log, id);
+        await waitForSignalsToBePresent(supertest, log, 1, [id]);
+        const signalsOpen = await getSignalsByIds(supertest, log, [id]);
+        expect(signalsOpen.hits.hits.length).greaterThan(0);
+      });
+
+      it('should generate a signal-on-legacy-signal with AAD index pattern', async () => {
+        const rule: QueryCreateSchema = {
+          ...getRuleForSignalTesting([`.alerts-security.alerts-default`]),
+        };
+        const { id } = await createRule(supertest, log, rule);
+        await waitForRuleSuccessOrStatus(supertest, log, id);
+        await waitForSignalsToBePresent(supertest, log, 1, [id]);
+        const signalsOpen = await getSignalsByIds(supertest, log, [id]);
+        expect(signalsOpen.hits.hits.length).greaterThan(0);
+      });
+    });
+
    /**
     * Here we test the functionality of Severity and Risk Score overrides (also called "mappings"
     * in the code). If the rule specifies a mapping, then the final Severity or Risk Score