Moved actor and target fields to be only part of security's alert

Author: kfirpeled

src/platform/packages/shared/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts

@@ -8,7 +8,6 @@
  */
 
 import {
-  ACTOR_ENTITY_ID,
   ALERT_ACTION_GROUP,
   ALERT_CASE_IDS,
   ALERT_CONSECUTIVE_MATCHES,
@@ -53,18 +52,12 @@ import {
   RELATED_ENTITY,
   SPACE_IDS,
   TAGS,
-  TARGET_ENTITY_ID,
   TIMESTAMP,
   VERSION,
 } from '@kbn/rule-data-utils';
 import type { MultiField } from './types';
 
 export const alertFieldMap = {
-  [ACTOR_ENTITY_ID]: {
-    type: 'keyword',
-    array: true,
-    required: false,
-  },
   [ALERT_ACTION_GROUP]: {
     type: 'keyword',
     array: false,
@@ -299,11 +292,6 @@ export const alertFieldMap = {
     array: true,
     required: false,
   },
-  [TARGET_ENTITY_ID]: {
-    type: 'keyword',
-    array: true,
-    required: false,
-  },
   [TIMESTAMP]: {
     type: 'date',
     required: true,

src/platform/packages/shared/kbn-rule-data-utils/src/default_alerts_as_data.ts

@@ -11,8 +11,6 @@ import type { ValuesType } from 'utility-types';
 
 const TIMESTAMP = '@timestamp' as const;
 const RELATED_ENTITY = 'related.entity';
-const ACTOR_ENTITY_ID = 'actor.entity.id';
-const TARGET_ENTITY_ID = 'target.entity.id';
 
 // namespaces
 const KIBANA_NAMESPACE = 'kibana' as const;
@@ -147,7 +145,6 @@ const namespaces = {
 };
 
 export const fields = {
-  ACTOR_ENTITY_ID,
   ALERT_ACTION_GROUP,
   ALERT_CASE_IDS,
   ALERT_CONSECUTIVE_MATCHES,
@@ -188,7 +185,6 @@ export const fields = {
   ALERT_WORKFLOW_TAGS,
   RELATED_ENTITY,
   SPACE_IDS,
-  TARGET_ENTITY_ID,
   TIMESTAMP,
   VERSION,
 };
@@ -200,7 +196,6 @@ export {
   KIBANA_NAMESPACE,
 
   // fields
-  ACTOR_ENTITY_ID,
   ALERT_ACTION_GROUP,
   ALERT_CASE_IDS,
   ALERT_CONSECUTIVE_MATCHES,
@@ -241,7 +236,6 @@ export {
   ALERT_WORKFLOW_TAGS,
   RELATED_ENTITY,
   SPACE_IDS,
-  TARGET_ENTITY_ID,
   TIMESTAMP,
   VERSION,
 };

x-pack/solutions/security/plugins/security_solution/common/field_maps/9.2.0/alerts.ts

@@ -0,0 +1,30 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { alertsFieldMap8190 } from '../8.19.0';
+import { ACTOR_ENTITY_ID, TARGET_ENTITY_ID } from '../field_names';
+
+export const alertsFieldMap920 = {
+  ...alertsFieldMap8190,
+  /**
+   * Part of audit logs fields that are now processed. These fields helps us present alerts and logs in a graphical way.
+   * Both actor and target fields are a work in progress to become part of ECS.
+   * Right now, these fields are only relevant for security's alerts and audit logs. Therefore, we add them here.
+   */
+  [ACTOR_ENTITY_ID]: {
+    type: 'keyword',
+    array: true,
+    required: false,
+  },
+  [TARGET_ENTITY_ID]: {
+    type: 'keyword',
+    array: true,
+    required: false,
+  },
+} as const;
+
+export type AlertsFieldMap920 = typeof alertsFieldMap920;

x-pack/solutions/security/plugins/security_solution/common/field_maps/9.2.0/index.ts

@@ -0,0 +1,9 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export type { AlertsFieldMap920 } from './alerts';
+export { alertsFieldMap920 } from './alerts';

x-pack/solutions/security/plugins/security_solution/common/field_maps/field_names.ts

@@ -65,3 +65,6 @@ export const ALERT_RULE_TIMELINE_ID = `${ALERT_RULE_NAMESPACE}.timeline_id` as c
 export const ALERT_RULE_TIMELINE_TITLE = `${ALERT_RULE_NAMESPACE}.timeline_title` as const;
 export const ALERT_RULE_TIMESTAMP_OVERRIDE = `${ALERT_RULE_NAMESPACE}.timestamp_override` as const;
 export const ALERT_RULE_INDICES = `${ALERT_RULE_NAMESPACE}.indices` as const;
+
+export const ACTOR_ENTITY_ID = 'actor.entity.id' as const;
+export const TARGET_ENTITY_ID = 'target.entity.id' as const;

x-pack/solutions/security/plugins/security_solution/common/field_maps/index.ts

@@ -4,9 +4,9 @@
  * 2.0; you may not use this file except in compliance with the Elastic License
  * 2.0.
  */
-import type { AlertsFieldMap8190 } from './8.19.0';
-import { alertsFieldMap8190 } from './8.19.0';
+import type { AlertsFieldMap920 } from './9.2.0';
+import { alertsFieldMap920 } from './9.2.0';
 import type { RulesFieldMap } from './8.0.0/rules';
 import { rulesFieldMap } from './8.0.0/rules';
-export type { AlertsFieldMap8190 as AlertsFieldMap, RulesFieldMap };
-export { alertsFieldMap8190 as alertsFieldMap, rulesFieldMap };
+export type { AlertsFieldMap920 as AlertsFieldMap, RulesFieldMap };
+export { alertsFieldMap920 as alertsFieldMap, rulesFieldMap };