Fix attachment of wrong enrichments for Indicator Match rule (#133591)

* Add enrichments to signal by id * [CI] Auto-commit changed files from 'node scripts/precommit_hook.js --ref HEAD~1..HEAD --fix' Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2025-04-23 17:28:26 -04:00 · 2022-06-06 20:49:47 +02:00 · 2022-06-06 20:49:47 +02:00 · f50efa3db5
commit f50efa3db5
parent f6eafdd746
1 changed files with 6 additions and 5 deletions
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threat_mapping/enrich_signal_threat_matches.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threat_mapping/enrich_signal_threat_matches.ts
@ -136,13 +136,14 @@ export const enrichSignalThreatMatches = async (
  ];
  const matchedThreats = await getMatchedThreats(matchedThreatIds);

-  const enrichmentsWithoutAtomic = signalMatches.map((signalMatch) =>
-    buildEnrichments({
+  const enrichmentsWithoutAtomic: { [key: string]: ThreatEnrichment[] } = {};
+  signalMatches.forEach((signalMatch) => {
+    enrichmentsWithoutAtomic[signalMatch.signalId] = buildEnrichments({
      indicatorPath,
      queries: signalMatch.queries,
      threats: matchedThreats,
-    })
-  );
+    });
+  });

  const enrichedSignals: SignalSourceHit[] = uniqueHits.map((signalHit, i) => {
    const threat = get(signalHit._source, 'threat') ?? {};
@ -155,7 +156,7 @@ export const enrichSignalThreatMatches = async (
    // new issues.
    const existingEnrichmentValue = get(signalHit._source, 'threat.enrichments') ?? [];
    const existingEnrichments = [existingEnrichmentValue].flat(); // ensure enrichments is an array
-    const newEnrichmentsWithoutAtomic = enrichmentsWithoutAtomic[i];
+    const newEnrichmentsWithoutAtomic = enrichmentsWithoutAtomic[signalHit._id] ?? [];
    const newEnrichments = newEnrichmentsWithoutAtomic.map((enrichment) => ({
      ...enrichment,
      matched: {