
Signal scores are not mapped as float. #63343

Closed
jamesspi opened this issue Apr 13, 2020 · 5 comments · Fixed by #71126
Labels
bug Fixes for quality problems that affect the customer experience Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM v7.9.0

Comments

@jamesspi

Kibana version: 7.6.2

Elasticsearch version: 7.6.2

Server OS version: ESS

Describe the bug: signal.rule.risk_score is mapped as text

Steps to reproduce:

  1. Create/enable a signal, wait for it to fire.

Expected behavior: This should be mapped as float to allow users to run mathematical calculations, as well as conform to ECS.

Screenshots (if relevant):
[screenshot omitted]

@elasticmachine
Contributor

Pinging @elastic/siem (Team:SIEM)

@jamesspi jamesspi added the bug Fixes for quality problems that affect the customer experience label Apr 13, 2020
@spong spong added the v7.9.0 label Jun 25, 2020
@spong
Member

spong commented Jun 25, 2020

@MadameSheema this is currently being worked on for 7.9 by @marshallmain

@marshallmain
Contributor

@jamesspi I'm testing out a possible fix for this issue. Do you have an example query I can test with that would be useful to run on risk_score mapped as a float and isn't possible when it's mapped as a keyword?

@marshallmain
Contributor

marshallmain commented Jul 7, 2020

Also, following up on the discussion in the security detections sync today to summarize and expand on the list of app features that break when changing the mapping of risk_score without reindexing:

  • The alert count histogram on the main page fails if you choose "Stack by: signal.rule.risk_score". It fails even if all alerts in the provided time range (e.g. last 24 hours) use the new mapping. It works if you delete the indices that use the old mapping.
    Stacking by risk_score was thought not to be critical in the discussion, so we may be able to remove it.

  • (new) Sorting the alert list by risk_score causes it to fail to load if the provided time range contains alerts that use both the old and new mappings. Note that unlike the "stack by" behavior above, sorting the alert list by risk_score does still work if all alerts in the time range use the same mapping.

@jamesspi
Author

jamesspi commented Jul 8, 2020

Hey @marshallmain, mainly it would be queries like "sum of the risk score for host x over this time period", and this will also give us the ability to run metrics-based machine learning jobs - "this host typically never has a risk score of 100". Does that make sense?
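As an added example (not code from this issue, from Kibana, or from the Elastic project), the following Python helpers cover the two practical points raised in the thread: the mixed-mapping state that marshallmain reports breaks "stack by" and sorting, and the "sum of the risk score for host x" query jamesspi wants once the field is numeric. The first routine walks a `GET _mapping` response and groups indices by the type they give `signal.rule.risk_score`, so an operator can check for a keyword/float mix before running those queries; the second builds the sum aggregation. The index names, the `host.name` filter field and the whole mapping response are constructed sample data, not values from the page.

```python
"""Added example around the risk_score mapping change discussed in the issue.

Assumptions (not from the issue): signals live in indices named like
.siem-signals-default-00000N, hosts are identified by the ECS field
host.name, and the mapping response below is constructed sample data.
"""
import json

RISK_FIELD = "signal.rule.risk_score"


def _risk_mapping(es_type):
    """Build the nested mapping body an index would return for RISK_FIELD."""
    return {"mappings": {"properties": {"signal": {"properties": {
        "rule": {"properties": {"risk_score": {"type": es_type}}}}}}}}


# Constructed sample: two older indices still keyword, one newer index float.
SAMPLE_MAPPING_RESPONSE = {
    ".siem-signals-default-000001": _risk_mapping("keyword"),
    ".siem-signals-default-000002": _risk_mapping("keyword"),
    ".siem-signals-default-000003": _risk_mapping("float"),
}


def field_type(mappings, dotted):
    """Resolve a dotted field path inside one index's mappings block.

    Returns the Elasticsearch type string, or None if the path is absent.
    """
    node = mappings.get("properties", {})
    parts = dotted.split(".")
    for i, part in enumerate(parts):
        prop = node.get(part)
        if prop is None:
            return None
        if i == len(parts) - 1:
            return prop.get("type")
        node = prop.get("properties", {})
    return None


def find_risk_score_mappings(mapping_response, field=RISK_FIELD):
    """Group indices by the type they assign to `field`.

    Returns {type_name: [index, ...]}; indices lacking the field are
    reported under "unmapped".
    """
    by_type = {}
    for index, body in mapping_response.items():
        es_type = field_type(body.get("mappings", {}), field) or "unmapped"
        by_type.setdefault(es_type, []).append(index)
    return {t: sorted(names) for t, names in by_type.items()}


def has_mixed_mapping(mapping_response, field=RISK_FIELD):
    """True when more than one type is in play, i.e. sorting or stacking
    by the field across the whole pattern is expected to fail."""
    return len(find_risk_score_mappings(mapping_response, field)) > 1


def sum_risk_score_by_host_query(host_name, start="now-24h", end="now"):
    """Build the 'sum of risk score for host x over a time range' query.

    A sum aggregation requires a numeric mapping, which is exactly why a
    keyword/text mapping for risk_score is a problem.
    """
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"host.name": host_name}},
            {"range": {"@timestamp": {"gte": start, "lte": end}}},
        ]}},
        "aggs": {"total_risk": {"sum": {"field": RISK_FIELD}}},
    }


if __name__ == "__main__":
    groups = find_risk_score_mappings(SAMPLE_MAPPING_RESPONSE)
    print("risk_score mapping by type:", json.dumps(groups, indent=2))
    if has_mixed_mapping(SAMPLE_MAPPING_RESPONSE):
        print("WARNING: mixed keyword/float mapping; sort and stack-by on "
              "risk_score will fail across this index pattern.")
    print(json.dumps(sum_risk_score_by_host_query("web-01"), indent=2))
```

Feed `find_risk_score_mappings` the JSON body of `GET .siem-signals-*/_mapping` (the pattern is an assumption) to get the same grouping over a real cluster; the query builder only produces the request body and does not talk to Elasticsearch.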

@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Oct 27, 2020