[8.x] [Attack Discovery][Scheduling] Fix the attack discovery alert type (#218025) (#218312)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Attack Discovery][Scheduling] Fix the attack discovery alert type
(#218025)](https://github.com/elastic/kibana/pull/218025)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Ievgen
Sorokopud","email":"ievgen.sorokopud@elastic.co"},"sourceCommit":{"committedDate":"2025-04-15T16:18:33Z","message":"[Attack
Discovery][Scheduling] Fix the attack discovery alert type
(#218025)\n\n## Summary\n\nThis is a fix for the incorrectly generated
attack discovery alert\nschema type due to the limitation of the
generation
tool.","sha":"34df5e3328ed1c88c46d0ab0e2f8024b184e87c3","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:
SecuritySolution","Team:Security Generative
AI","backport:version","v9.1.0","v8.19.0"],"title":"[Attack
Discovery][Scheduling] Fix the attack discovery alert
type","number":218025,"url":"https://github.com/elastic/kibana/pull/218025","mergeCommit":{"message":"[Attack
Discovery][Scheduling] Fix the attack discovery alert type
(#218025)\n\n## Summary\n\nThis is a fix for the incorrectly generated
attack discovery alert\nschema type due to the limitation of the
generation
tool.","sha":"34df5e3328ed1c88c46d0ab0e2f8024b184e87c3"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/218025","number":218025,"mergeCommit":{"message":"[Attack
Discovery][Scheduling] Fix the attack discovery alert type
(#218025)\n\n## Summary\n\nThis is a fix for the incorrectly generated
attack discovery alert\nschema type due to the limitation of the
generation
tool.","sha":"34df5e3328ed1c88c46d0ab0e2f8024b184e87c3"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Ievgen Sorokopud <ievgen.sorokopud@elastic.co>

x-pack/solutions/security/plugins/elastic_assistant/server/lib/attack_discovery/schedules/constants.ts

@@ -6,12 +6,12 @@
  */
 
 import { IRuleTypeAlerts } from '@kbn/alerting-plugin/server';
-import { SecurityAttackDiscoveryAlert } from '@kbn/alerts-as-data-utils';
 import { attackDiscoveryAlertFieldMap } from './fields';
+import { AttackDiscoveryAlertDocument } from './types';
 
 export const ATTACK_DISCOVERY_ALERTS_CONTEXT = 'security.attack.discovery' as const;
 
-export const ATTACK_DISCOVERY_ALERTS_AAD_CONFIG: IRuleTypeAlerts<SecurityAttackDiscoveryAlert> = {
+export const ATTACK_DISCOVERY_ALERTS_AAD_CONFIG: IRuleTypeAlerts<AttackDiscoveryAlertDocument> = {
   context: ATTACK_DISCOVERY_ALERTS_CONTEXT,
   mappings: { fieldMap: attackDiscoveryAlertFieldMap },
   isSpaceAware: true,

x-pack/solutions/security/plugins/elastic_assistant/server/lib/attack_discovery/schedules/types.ts

@@ -9,6 +9,49 @@ import type { estypes } from '@elastic/elasticsearch';
 import { RuleExecutorOptions, RuleType, RuleTypeState } from '@kbn/alerting-plugin/server';
 import { SecurityAttackDiscoveryAlert } from '@kbn/alerts-as-data-utils';
 import { AttackDiscoveryScheduleParams } from '@kbn/elastic-assistant-common';
+import {
+  ALERT_ATTACK_DISCOVERY_API_CONFIG,
+  ALERT_ATTACK_DISCOVERY_REPLACEMENTS,
+  ALERT_ATTACK_DISCOVERY_USERS,
+} from './fields';
+
+/**
+ * This is a WORKAROUND until the `createSchemaFromFieldMap` can handle complex mappings.
+ * Right now that tool cannot properly handle the combination of optional and required fields within the same nested/object field type.
+ * Instead of creating an intersection type it generates a separate fields in required and optional sections as separate flattened fields.
+ * As a workaround, we strip out incorrectly generated fields and re-add them in a correct format.
+ */
+export type AttackDiscoveryAlertDocument = Omit<
+  SecurityAttackDiscoveryAlert,
+  | 'kibana.alert.attack_discovery.api_config'
+  | 'kibana.alert.attack_discovery.api_config.action_type_id'
+  | 'kibana.alert.attack_discovery.api_config.connector_id'
+  | 'kibana.alert.attack_discovery.api_config.model'
+  | 'kibana.alert.attack_discovery.api_config.name'
+  | 'kibana.alert.attack_discovery.api_config.provider'
+  | 'kibana.alert.attack_discovery.replacements'
+  | 'kibana.alert.attack_discovery.replacements.value'
+  | 'kibana.alert.attack_discovery.replacements.uuid'
+  | 'kibana.alert.attack_discovery.users'
+  | 'kibana.alert.attack_discovery.users.id'
+  | 'kibana.alert.attack_discovery.users.name'
+> & {
+  [ALERT_ATTACK_DISCOVERY_API_CONFIG]: {
+    action_type_id: string;
+    connector_id: string;
+    model?: string;
+    name: string;
+    provider?: string;
+  };
+  [ALERT_ATTACK_DISCOVERY_REPLACEMENTS]?: Array<{
+    value: string;
+    uuid: string;
+  }>;
+  [ALERT_ATTACK_DISCOVERY_USERS]?: Array<{
+    id?: string;
+    name: string;
+  }>;
+};
 
 export type AttackDiscoveryExecutorOptions = RuleExecutorOptions<
   AttackDiscoveryScheduleParams,
@@ -16,7 +59,7 @@ export type AttackDiscoveryExecutorOptions = RuleExecutorOptions<
   {},
   {},
   'default',
-  SecurityAttackDiscoveryAlert
+  AttackDiscoveryAlertDocument
 >;
 
 export type AttackDiscoveryScheduleType = RuleType<
@@ -27,7 +70,7 @@ export type AttackDiscoveryScheduleType = RuleType<
   {},
   'default',
   never,
-  SecurityAttackDiscoveryAlert
+  AttackDiscoveryAlertDocument
 >;
 
 export interface AttackDiscoveryScheduleSort {