From 010f093e6a7702761dfa700be2fe7b62346455b0 Mon Sep 17 00:00:00 2001 From: Marshall Main Date: Thu, 15 Jul 2021 22:17:18 -0700 Subject: [PATCH 01/32] Add aliases mapping signal fields to alerts as data fields --- .../routes/index/create_index_route.ts | 8 +- .../routes/index/signal_aad_mapping.json | 93 +++ .../routes/index/signal_extra_fields.json | 195 ++++++ .../index/signals_alerts_field_aliases.json | 644 ++++++++++++++++++ .../security_solution/server/plugin.ts | 72 +- .../security_solution/server/routes/index.ts | 2 +- 6 files changed, 1010 insertions(+), 4 deletions(-) create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_extra_fields.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signals_alerts_field_aliases.json diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts index d98cd7cea0f2b7..4383b3feb62ad9 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts 
@@ -26,8 +26,10 @@ import signalsPolicy from './signals_policy.json';
 import { templateNeedsUpdate } from './check_template_version';
 import { getIndexVersion } from './get_index_version';
 import { isOutdated } from '../../migrations/helpers';
+import { parseExperimentalConfigValue } from '../../../../../common/experimental_features';
+import { ConfigType } from '../../../../config';
-export const createIndexRoute = (router: SecuritySolutionPluginRouter) => {
+export const createIndexRoute = (router: SecuritySolutionPluginRouter, config: ConfigType) => {
   router.post(
     {
       path: DETECTION_ENGINE_INDEX_URL,
@@ -37,6 +39,10 @@ export const createIndexRoute = (router: SecuritySolutionPluginRouter) => {
       },
     },
     async (context, request, response) => {
+      const { ruleRegistryEnabled } = parseExperimentalConfigValue(config.enableExperimental);
+      if (ruleRegistryEnabled) {
+        return response.ok({ body: { acknowledged: true } });
+      }
       const siemResponse = buildSiemResponse(response);
       try {
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
new file mode 100644
index 00000000000000..066fdbc87f9066
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
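Review bot: With `ruleRegistryEnabled` set, the new early return answers `{ acknowledged: true }` before any work is done, so a client of this route receives the same success body whether a signals index was created or the call was a deliberate no-op, and the `buildSiemResponse` error path below it is never reached. If alerts-as-data indices are provisioned elsewhere when the flag is on, say so where the return happens, e.g. `// Rule registry enabled: the alerts index is managed by ruleDataService, this legacy route is intentionally a no-op.`, so the acknowledgement is not read as proof that an index exists. The flag is also re-parsed from `config.enableExperimental` on every request although it is static configuration; hoisting `const { ruleRegistryEnabled } = parseExperimentalConfigValue(config.enableExperimental);` above `router.post(` does the parse once at registration. The handler body continues past the end of the hunk.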
@@ -0,0 +1,93 @@
+{
+  "signal.ancestors.depth": "kibana.alert.ancestors.depth",
+  "signal.ancestors.id": "kibana.alert.ancestors.id",
+  "signal.ancestors.index": "kibana.alert.ancestors.index",
+  "signal.ancestors.type": "kibana.alert.ancestors.type",
+  "signal.depth": "kibana.alert.depth",
+  "signal.original_event.action": "kibana.alert.original_event.action",
+  "signal.original_event.category": "kibana.alert.original_event.category",
+  "signal.original_event.code": "kibana.alert.original_event.code",
+  "signal.original_event.created": "kibana.alert.original_event.created",
+  "signal.original_event.dataset": "kibana.alert.original_event.dataset",
+  "signal.original_event.duration": "kibana.alert.original_event.duration",
+  "signal.original_event.end": "kibana.alert.original_event.end",
+  "signal.original_event.hash": "kibana.alert.original_event.hash",
+  "signal.original_event.id": "kibana.alert.original_event.id",
+  "signal.original_event.kind": "kibana.alert.original_event.kind",
+  "signal.original_event.module": "kibana.alert.original_event.module",
+  "signal.original_event.outcome": "kibana.alert.original_event.outcome",
+  "signal.original_event.provider": "kibana.alert.original_event.provider",
+  "signal.original_event.risk_score": "kibana.alert.original_event.risk_score",
+  "signal.original_event.risk_score_norm": "kibana.alert.original_event.risk_score_norm",
+  "signal.original_event.sequence": "kibana.alert.original_event.sequence",
+  "signal.original_event.severity": "kibana.alert.original_event.severity",
+  "signal.original_event.start": "kibana.alert.original_event.start",
+  "signal.original_event.timezone": "kibana.alert.original_event.timezone",
+  "signal.original_event.type": "kibana.alert.original_event.type",
+  "signal.original_time": "kibana.alert.original_time",
+  "signal.rule.author": "kibana.alert.rule.author",
+  "signal.rule.building_block_type": "kibana.alert.rule.building_block_type",
+  "signal.rule.created_at": "kibana.alert.rule.created_at",
+  "signal.rule.created_by": "kibana.alert.rule.created_by",
+  "signal.rule.description": "kibana.alert.rule.description",
+  "signal.rule.enabled": "kibana.alert.rule.enabled",
+  "signal.rule.false_positives": "kibana.alert.rule.false_positives",
+  "signal.rule.from": "kibana.alert.rule.from",
+  "signal.rule.id": "kibana.alert.rule.id",
+  "signal.rule.immutable": "kibana.alert.rule.immutable",
+  "signal.rule.index": "kibana.alert.rule.index",
+  "signal.rule.interval": "kibana.alert.rule.interval",
+  "signal.rule.language": "kibana.alert.rule.language",
+  "signal.rule.license": "kibana.alert.rule.license",
+  "signal.rule.max_signals": "kibana.alert.rule.max_signals",
+  "signal.rule.name": "kibana.alert.rule.name",
+  "signal.rule.note": "kibana.alert.rule.note",
+  "signal.rule.query": "kibana.alert.rule.query",
+  "signal.rule.references": "kibana.alert.rule.references",
+  "signal.rule.risk_score": "kibana.alert.risk_score",
+  "signal.rule.risk_score_mapping.field": "kibana.alert.rule.risk_score_mapping.field",
+  "signal.rule.risk_score_mapping.operator": "kibana.alert.rule.risk_score_mapping.operator",
+  "signal.rule.risk_score_mapping.value": "kibana.alert.rule.risk_score_mapping.value",
+  "signal.rule.rule_id": "kibana.alert.rule.rule_id",
+  "signal.rule.rule_name_override": "kibana.alert.rule.rule_name_override",
+  "signal.rule.saved_id": "kibana.alert.rule.saved_id",
+  "signal.rule.severity": "kibana.alert.severity",
+  "signal.rule.severity_mapping.field": "kibana.alert.rule.severity_mapping.field",
+  "signal.rule.severity_mapping.operator": "kibana.alert.rule.severity_mapping.operator",
+  "signal.rule.severity_mapping.value": "kibana.alert.rule.severity_mapping.value",
+  "signal.rule.severity_mapping.severity": "kibana.alert.rule.severity_mapping.severity",
+  "signal.rule.tags": "kibana.alert.rule.tags",
+  "signal.rule.threat.framework": "kibana.alert.rule.threat.framework",
+  "signal.rule.threat.tactic.id": "kibana.alert.rule.threat.tactic.id",
+  "signal.rule.threat.tactic.name": "kibana.alert.rule.threat.tactic.name",
+  "signal.rule.threat.tactic.reference": "kibana.alert.rule.threat.tactic.reference",
+  "signal.rule.threat.technique.id": "kibana.alert.rule.threat.technique.id",
+  "signal.rule.threat.technique.name": "kibana.alert.rule.threat.technique.name",
+  "signal.rule.threat.technique.reference": "kibana.alert.rule.threat.technique.reference",
+  "signal.rule.threat.technique.subtechnique.id": "kibana.alert.rule.threat.technique.subtechnique.id",
+  "signal.rule.threat.technique.subtechnique.name": "kibana.alert.rule.threat.technique.subtechnique.name",
+  "signal.rule.threat.technique.subtechnique.reference": "kibana.alert.rule.threat.technique.subtechnique.reference",
+  "signal.rule.threat_index": "kibana.alert.rule.threat_index",
+  "signal.rule.threat_indicator_path": "kibana.alert.rule.threat_indicator_path",
+  "signal.rule.threat_language": "kibana.alert.rule.threat_language",
+  "signal.rule.threat_mapping.entries.field": "kibana.alert.rule.threat_mapping.entries.field",
+  "signal.rule.threat_mapping.entries.value": "kibana.alert.rule.threat_mapping.entries.value",
+  "signal.rule.threat_mapping.entries.type": "kibana.alert.rule.threat_mapping.entries.type",
+  "signal.rule.threat_query": "kibana.alert.rule.threat_query",
+  "signal.rule.threshold.field": "kibana.alert.rule.threshold.field",
+  "signal.rule.threshold.value": "kibana.alert.rule.threshold.value",
+  "signal.rule.timeline_id": "kibana.alert.rule.timeline_id",
+  "signal.rule.timeline_title": "kibana.alert.rule.timeline_title",
+  "signal.rule.to": "kibana.alert.rule.to",
+  "signal.rule.type": "kibana.alert.rule.type",
+  "signal.rule.updated_at": "kibana.alert.rule.updated_at",
+  "signal.rule.updated_by": "kibana.alert.rule.updated_by",
+  "signal.rule.version": "kibana.alert.rule.version",
+  "signal.status": "kibana.alert.workflow_status",
+  "signal.threshold_result.from": "kibana.alert.threshold_result.from",
+  "signal.threshold_result.terms.field": "kibana.alert.threshold_result.terms.field",
+  "signal.threshold_result.terms.value": "kibana.alert.threshold_result.terms.value",
+  "signal.threshold_result.cardinality.field": "kibana.alert.threshold_result.cardinality.field",
+  "signal.threshold_result.cardinality.value": "kibana.alert.threshold_result.cardinality.value",
+  "signal.threshold_result.count": "kibana.alert.threshold_result.count"
+}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_extra_fields.json b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_extra_fields.json
new file mode 100644
index 00000000000000..e20aa0ef16df43
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_extra_fields.json
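Review bot: No entry maps `signal.ancestors.rule`, `signal.group.id`, `signal.group.index` or `signal._meta.version`, although `signal_extra_fields.json` in this same patch adds those fields to every historical signals index, so a reader going through the `kibana.alert.*` aliases cannot see them. If the alerts-as-data schema has counterparts, add `"signal.ancestors.rule": "kibana.alert.ancestors.rule"`, `"signal.group.id": "kibana.alert.group.id"` and `"signal.group.index": "kibana.alert.group.index"`; if they are left out on purpose, the commit message should list which signal fields are intentionally unaliased, since a JSON file cannot carry that comment. `signal.rule.risk_score` and `signal.rule.severity` map to `kibana.alert.risk_score` and `kibana.alert.severity` rather than under `kibana.alert.rule.*`; that looks deliberate, but it is the kind of asymmetry worth naming in the commit message as well so it is not "fixed" later.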
@@ -0,0 +1,195 @@ +{ + "signal": { + "type": "object", + "properties": { + "_meta": { + "type": "object", + "properties": { + "version": { + "type": "long" + } + } + }, + "ancestors": { + "properties": { + "rule": { + "type": "keyword" + }, + "index": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "depth": { + "type": "long" + } + } + }, + "depth": { + "type": "integer" + }, + "group": { + "type": "object", + "properties": { + "id": { + "type": "keyword" + }, + "index": { + "type": "integer" + } + } + }, + "rule": { + "type": "object", + "properties": { + "author": { + "type": "keyword" + }, + "building_block_type": { + "type": "keyword" + }, + "license": { + "type": "keyword" + }, + "note": { + "type": "text" + }, + "risk_score_mapping": { + "type": "object", + "properties": { + "field": { + "type": "keyword" + }, + "operator": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + }, + "rule_name_override": { + "type": "keyword" + }, + "severity_mapping": { + "type": "object", + "properties": { + "field": { + "type": "keyword" + }, + "operator": { + "type": "keyword" + }, + "value": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + } + } + }, + "threat": { + "type": "object", + "properties": { + "technique": { + "type": "object", + "properties": { + "subtechnique": { + "type": "object", + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + } + } + } + } + } + } + }, + "threat_index": { + "type": "keyword" + }, + "threat_indicator_path": { + "type": "keyword" + }, + "threat_language": { + "type": "keyword" + }, + "threat_mapping": { + "type": "object", + "properties": { + "entries": { + "type": "object", + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + } + } + }, + "threat_query": { + "type": "keyword" + }, + "threshold": 
{ + "type": "object", + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "float" + } + } + } + } + }, + "threshold_result": { + "properties": { + "from": { + "type": "date" + }, + "terms": { + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + }, + "cardinality": { + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "long" + } + } + }, + "count": { + "type": "long" + } + } + } + } + } +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signals_alerts_field_aliases.json b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signals_alerts_field_aliases.json new file mode 100644 index 00000000000000..6a510f4b472d5a --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signals_alerts_field_aliases.json 
@@ -0,0 +1,644 @@ +{ + "properties": { + "kibana": { + "type": "object", + "properties": { + "alert": { + "type": "object", + "properties": { + "ancestors": { + "type": "object", + "properties": { + "depth": { + "type": "alias", + "path": "signal.ancestors.depth" + }, + "id": { + "type": "alias", + "path": "signal.ancestors.id" + }, + "index": { + "type": "alias", + "path": "signal.ancestors.index" + }, + "type": { + "type": "alias", + "path": "signal.ancestors.type" + } + } + }, + "depth": { + "type": "alias", + "path": "signal.depth" + }, + "original_event": { + "type": "object", + "properties": { + "action": { + "type": "alias", + "path": "signal.original_event.action" + }, + "category": { + "type": "alias", + "path": "signal.original_event.category" + }, + "code": { + "type": "alias", + "path": "signal.original_event.code" + }, + "created": { + "type": "alias", + "path": "signal.original_event.created" + }, + "dataset": { + "type": "alias", + "path": "signal.original_event.dataset" + }, + "duration": { + "type": "alias", + "path": "signal.original_event.duration" + }, + "end": { + "type": "alias", + "path": "signal.original_event.end" + }, + "hash": { + "type": "alias", + "path": "signal.original_event.hash" + }, + "id": { + "type": "alias", + "path": "signal.original_event.id" + }, + "kind": { + "type": "alias", + "path": "signal.original_event.kind" + }, + "module": { + "type": "alias", + "path": "signal.original_event.module" + }, + "outcome": { + "type": "alias", + "path": "signal.original_event.outcome" + }, + "provider": { + "type": "alias", + "path": "signal.original_event.provider" + }, + "risk_score": { + "type": "alias", + "path": "signal.original_event.risk_score" + }, + "risk_score_norm": { + "type": "alias", + "path": "signal.original_event.risk_score_norm" + }, + "sequence": { + "type": "alias", + "path": "signal.original_event.sequence" + }, + "severity": { + "type": "alias", + "path": "signal.original_event.severity" + }, + "start": { + "type": 
"alias", + "path": "signal.original_event.start" + }, + "timezone": { + "type": "alias", + "path": "signal.original_event.timezone" + }, + "type": { + "type": "alias", + "path": "signal.original_event.type" + } + } + }, + "original_time": { + "type": "alias", + "path": "signal.original_time" + }, + "risk_score": { + "type": "alias", + "path": "signal.rule.risk_score" + }, + "rule": { + "type": "object", + "properties": { + "author": { + "type": "alias", + "path": "signal.rule.author" + }, + "building_block_type": { + "type": "alias", + "path": "signal.rule.building_block_type" + }, + "created_at": { + "type": "alias", + "path": "signal.rule.created_at" + }, + "created_by": { + "type": "alias", + "path": "signal.rule.created_by" + }, + "description": { + "type": "alias", + "path": "signal.rule.description" + }, + "enabled": { + "type": "alias", + "path": "signal.rule.enabled" + }, + "false_positives": { + "type": "alias", + "path": "signal.rule.false_positives" + }, + "from": { + "type": "alias", + "path": "signal.rule.from" + }, + "id": { + "type": "alias", + "path": "signal.rule.id" + }, + "immutable": { + "type": "alias", + "path": "signal.rule.immutable" + }, + "index": { + "type": "alias", + "path": "signal.rule.index" + }, + "interval": { + "type": "alias", + "path": "signal.rule.interval" + }, + "language": { + "type": "alias", + "path": "signal.rule.language" + }, + "license": { + "type": "alias", + "path": "signal.rule.license" + }, + "max_signals": { + "type": "alias", + "path": "signal.rule.max_signals" + }, + "name": { + "type": "alias", + "path": "signal.rule.name" + }, + "note": { + "type": "alias", + "path": "signal.rule.note" + }, + "query": { + "type": "alias", + "path": "signal.rule.query" + }, + "references": { + "type": "alias", + "path": "signal.rule.references" + }, + "risk_score_mapping": { + "type": "object", + "properties": { + "field": { + "type": "alias", + "path": "signal.rule.risk_score_mapping.field" + }, + "operator": { + "type": 
"alias", + "path": "signal.rule.risk_score_mapping.operator" + }, + "value": { + "type": "alias", + "path": "signal.rule.risk_score_mapping.value" + } + } + }, + "rule_id": { + "type": "alias", + "path": "signal.rule.rule_id" + }, + "rule_name_override": { + "type": "alias", + "path": "signal.rule.rule_name_override" + }, + "saved_id": { + "type": "alias", + "path": "signal.rule.saved_id" + }, + "severity_mapping": { + "type": "object", + "properties": { + "field": { + "type": "alias", + "path": "signal.rule.severity_mapping.field" + }, + "operator": { + "type": "alias", + "path": "signal.rule.severity_mapping.operator" + }, + "value": { + "type": "alias", + "path": "signal.rule.severity_mapping.value" + }, + "severity": { + "type": "alias", + "path": "signal.rule.severity_mapping.severity" + } + } + }, + "tags": { + "type": "alias", + "path": "signal.rule.tags" + }, + "threat": { + "type": "object", + "properties": { + "framework": { + "type": "alias", + "path": "signal.rule.threat.framework" + }, + "tactic": { + "type": "object", + "properties": { + "id": { + "type": "alias", + "path": "signal.rule.threat.tactic.id" + }, + "name": { + "type": "alias", + "path": "signal.rule.threat.tactic.name" + }, + "reference": { + "type": "alias", + "path": "signal.rule.threat.tactic.reference" + } + } + }, + "technique": { + "type": "object", + "properties": { + "id": { + "type": "alias", + "path": "signal.rule.threat.technique.id" + }, + "name": { + "type": "alias", + "path": "signal.rule.threat.technique.name" + }, + "reference": { + "type": "alias", + "path": "signal.rule.threat.technique.reference" + }, + "subtechnique": { + "type": "object", + "properties": { + "id": { + "type": "alias", + "path": "signal.rule.threat.technique.subtechnique.id" + }, + "name": { + "type": "alias", + "path": "signal.rule.threat.technique.subtechnique.name" + }, + "reference": { + "type": "alias", + "path": "signal.rule.threat.technique.subtechnique.reference" + } + } + } + } + } + } + }, + 
"threat_index": { + "type": "alias", + "path": "signal.rule.threat_index" + }, + "threat_indicator_path": { + "type": "alias", + "path": "signal.rule.threat_indicator_path" + }, + "threat_language": { + "type": "alias", + "path": "signal.rule.threat_language" + }, + "threat_mapping": { + "type": "object", + "properties": { + "entries": { + "type": "object", + "properties": { + "field": { + "type": "alias", + "path": "signal.rule.threat_mapping.entries.field" + }, + "value": { + "type": "alias", + "path": "signal.rule.threat_mapping.entries.value" + }, + "type": { + "type": "alias", + "path": "signal.rule.threat_mapping.entries.type" + } + } + } + } + }, + "threat_query": { + "type": "alias", + "path": "signal.rule.threat_query" + }, + "threshold": { + "type": "object", + "properties": { + "field": { + "type": "alias", + "path": "signal.rule.threshold.field" + }, + "value": { + "type": "alias", + "path": "signal.rule.threshold.value" + } + } + }, + "timeline_id": { + "type": "alias", + "path": "signal.rule.timeline_id" + }, + "timeline_title": { + "type": "alias", + "path": "signal.rule.timeline_title" + }, + "to": { + "type": "alias", + "path": "signal.rule.to" + }, + "type": { + "type": "alias", + "path": "signal.rule.type" + }, + "updated_at": { + "type": "alias", + "path": "signal.rule.updated_at" + }, + "updated_by": { + "type": "alias", + "path": "signal.rule.updated_by" + }, + "version": { + "type": "alias", + "path": "signal.rule.version" + } + } + }, + "severity": { + "type": "alias", + "path": "signal.rule.severity" + }, + "threshold_result": { + "type": "object", + "properties": { + "from": { + "type": "alias", + "path": "signal.threshold_result.from" + }, + "terms": { + "properties": { + "field": { + "type": "alias", + "path": "signal.threshold_result.terms.field" + }, + "value": { + "type": "alias", + "path": "signal.threshold_result.terms.value" + } + } + }, + "cardinality": { + "properties": { + "field": { + "type": "alias", + "path": 
"signal.threshold_result.cardinality.field" + }, + "value": { + "type": "alias", + "path": "signal.threshold_result.cardinality.value" + } + } + }, + "count": { + "type": "alias", + "path": "signal.threshold_result.count" + } + } + }, + "workflow_status": { + "type": "alias", + "path": "signal.status" + } + } + } + } + }, + "signal": { + "type": "object", + "properties": { + "_meta": { + "type": "object", + "properties": { + "version": { + "type": "long" + } + } + }, + "ancestors": { + "properties": { + "rule": { + "type": "keyword" + }, + "index": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "depth": { + "type": "long" + } + } + }, + "depth": { + "type": "integer" + }, + "group": { + "type": "object", + "properties": { + "id": { + "type": "keyword" + }, + "index": { + "type": "integer" + } + } + }, + "rule": { + "type": "object", + "properties": { + "author": { + "type": "keyword" + }, + "building_block_type": { + "type": "keyword" + }, + "license": { + "type": "keyword" + }, + "note": { + "type": "text" + }, + "risk_score_mapping": { + "type": "object", + "properties": { + "field": { + "type": "keyword" + }, + "operator": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + }, + "rule_name_override": { + "type": "keyword" + }, + "severity_mapping": { + "type": "object", + "properties": { + "field": { + "type": "keyword" + }, + "operator": { + "type": "keyword" + }, + "value": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + } + } + }, + "threat": { + "type": "object", + "properties": { + "technique": { + "type": "object", + "properties": { + "subtechnique": { + "type": "object", + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + } + } + } + } + } + } + }, + "threat_index": { + "type": "keyword" + }, + "threat_indicator_path": { + "type": "keyword" + }, + "threat_language": { + "type": "keyword" + }, 
+ "threat_mapping": { + "type": "object", + "properties": { + "entries": { + "type": "object", + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + } + } + }, + "threat_query": { + "type": "keyword" + }, + "threshold": { + "type": "object", + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "float" + } + } + } + } + }, + "threshold_result": { + "properties": { + "from": { + "type": "date" + }, + "terms": { + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + }, + "cardinality": { + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "long" + } + } + }, + "count": { + "type": "long" + } + } + } + } + } + } +} diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts index a8ad6c919a04d0..afa976d8ad2a48 100644 --- a/x-pack/plugins/security_solution/server/plugin.ts +++ b/x-pack/plugins/security_solution/server/plugin.ts @@ -5,10 +5,11 @@ * 2.0. */ -import { once } from 'lodash'; +import { once, merge } from 'lodash'; import { Observable } from 'rxjs'; import { i18n } from '@kbn/i18n'; import LRU from 'lru-cache'; +import { estypes } from '@elastic/elasticsearch'; import { CoreSetup, @@ -91,6 +92,9 @@ import { licenseService } from './lib/license'; import { PolicyWatcher } from './endpoint/lib/policy/license_watch'; import { parseExperimentalConfigValue } from '../common/experimental_features'; import { migrateArtifactsToFleet } from './endpoint/lib/artifacts/migrate_artifacts_to_fleet'; +import aadFieldConversion from './lib/detection_engine/routes/index/signal_aad_mapping.json'; +import signalExtraFields from './lib/detection_engine/routes/index/signal_extra_fields.json'; +import { getSignalsTemplate } from './lib/detection_engine/routes/index/get_signals_template'; export interface SetupPlugins { alerting: AlertingSetup; 
@@ -418,7 +422,7 @@ export class Plugin implements IPlugin { + core.getStartServices().then(([coreStart, depsStart]) => { const securitySolutionSearchStrategy = securitySolutionSearchStrategyProvider( depsStart.data, endpointContext 
@@ -427,6 +431,70 @@ export class Plugin implements IPlugin {
+          const signalIndices = await clusterClient.indices
+            .get({
+              index: `${config.signalsIndex}-*`,
+            })
+            .catch((err) => {
+              this.logger.error(`Failed to fetch existing siem signals indices: ${err.message}`);
+            });
+          if (!signalIndices || Object.keys(signalIndices.body).length === 0) {
+            return;
+          }
+          const signalsTemplate = getSignalsTemplate(config.signalsIndex);
+          const aliases: Record = {};
+          Object.entries(aadFieldConversion).forEach(([key, value]) => {
+            aliases[value] = {
+              type: 'alias',
+              path: key,
+            };
+          });
+          merge(signalsTemplate.mappings.properties, aliases);
+          await clusterClient.indices
+            .putTemplate({
+              name: config.signalsIndex,
+              body: signalsTemplate as Record,
+            })
+            .catch((err) => {
+              this.logger.error(
+                `Failed to install new legacy siem signals template: ${err.message}`
+              );
+            });
+          await clusterClient.indices
+            .deleteTemplate({
+              name: `${config.signalsIndex}-*`,
+            })
+            .catch((err) => {
+              if (err.meta?.body?.status !== 404) {
+                this.logger.error(`Failed to delete old signals index templates: ${err.message}`);
+              }
+            });
+          // Make sure that all signal fields we add aliases for are guaranteed to exist in the mapping for ALL historical
+          // signals indices (either by adding them to signalExtraFields or ensuring they exist in the original signals
+          // mapping) or else this call will fail and not update ANY signals indices
+          const newMapping = {
+            properties: {
+              ...signalExtraFields,
+              ...aliases,
+            },
+          };
+          await clusterClient.indices
+            .putMapping({
+              index: `${config.signalsIndex}*`,
+              body: newMapping,
+              allow_no_indices: true,
+            } as estypes.IndicesPutMappingRequest)
+            .catch((err) => {
+              this.logger.error(
+                `Failed to insert alerts as data field aliases to signals indices: ${err.message}`
+              );
+            });
+        };
+        updateExistingSignalsIndices();
+      }
     });
     this.telemetryEventsSender.setup(plugins.telemetry, plugins.taskManager);
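Review bot: The `putMapping` call targets `${config.signalsIndex}*` while the `indices.get` and `deleteTemplate` calls in the same function use `${config.signalsIndex}-*`; the un-hyphenated pattern also matches any index whose name merely starts with the signals prefix, and since one mapping conflict rejects the whole request (as the comment above `newMapping` says) a single unrelated index can block the alias rollout for every signals index. Use `index: \`${config.signalsIndex}-*\`,` so all three calls agree. `updateExistingSignalsIndices();` is fired without `await` or a rejection handler; each ES call carries its own `.catch`, but anything that throws synchronously between them (the `merge` call, `getSignalsTemplate`, `Object.keys(signalIndices.body)`) becomes an unhandled rejection during plugin setup, so `void updateExistingSignalsIndices().catch((err) => this.logger.error(\`Failed to update signals indices: ${err.message}\`));` is the safer form. The head of this function, including its `async` declaration and whatever condition gates it, is garbled in the hunk as shown, so the enclosing guard is inferred rather than read.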
diff --git a/x-pack/plugins/security_solution/server/routes/index.ts b/x-pack/plugins/security_solution/server/routes/index.ts
index 00de66c0dec284..a97d599d572227 100644
--- a/x-pack/plugins/security_solution/server/routes/index.ts
+++ b/x-pack/plugins/security_solution/server/routes/index.ts
@@ -117,7 +117,7 @@ export const initRoutes = (
   // Detection Engine index routes that have the REST endpoints of /api/detection_engine/index
   // All REST index creation, policy management for spaces
-  createIndexRoute(router);
+  createIndexRoute(router, config);
   readIndexRoute(router, config);
   deleteIndexRoute(router);

From c4edc7df3578c6b005360b1f37755be0afc81ec2 Mon Sep 17 00:00:00 2001
From: Marshall Main
Date: Fri, 16 Jul 2021 13:24:44 -0700
Subject: [PATCH 02/32] Add aliases mapping alerts as data fields to signal fields

---
 x-pack/plugins/security_solution/server/plugin.ts | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts
index afa976d8ad2a48..91174cd71d39c3 100644
--- a/x-pack/plugins/security_solution/server/plugin.ts
+++ b/x-pack/plugins/security_solution/server/plugin.ts
@@ -209,7 +213,13 @@ export class Plugin implements IPlugin = {};
+      Object.entries(aadFieldConversion).forEach(([key, value]) => {
+        aliases[key] = {
+          type: 'alias',
+          path: value,
+        };
+      });
       await ruleDataService.createOrUpdateComponentTemplate({
         name: componentTemplateName,
         body: {
@@ -217,6 +223,8 @@ export class Plugin implements IPlugin Date: Fri, 16 Jul 2021 23:44:59 -0700
Subject: [PATCH 03/32] Replace siem signals templates per space and add AAD index aliases to siem signals indices

---
 .../server/rule_data_client/index.ts | 36 ++++----
 .../security_solution/server/plugin.ts | 82 +++++++++++--------
 2 files changed, 63 insertions(+), 55 deletions(-)
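Review bot: The reverse aliases built here point every `signal.*` key at a `kibana.alert.*` path taken from `signal_aad_mapping.json`, and Elasticsearch only accepts an `alias` field whose `path` resolves to a concrete field in the same mapping, so each of those targets has to be present in the component template body this object is merged into (the second hunk of this commit, which is not readable in this chunk). A mismatch surfaces as a rejected template or a failed index creation rather than as a missing field, which is a hard failure to trace back to one JSON line. A short comment on the `aliases` object would help, e.g. `// Reverse of the siem-signals aliases: lets legacy signal.* queries resolve against alerts-as-data documents; every target must be mapped in the AAD component template.`. The leading context of this hunk, including the declaration of `aliases`, is garbled as shown.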
diff --git a/x-pack/plugins/rule_registry/server/rule_data_client/index.ts b/x-pack/plugins/rule_registry/server/rule_data_client/index.ts
index a9e559a6b19325..3f467b69768a58 100644
--- a/x-pack/plugins/rule_registry/server/rule_data_client/index.ts
+++ b/x-pack/plugins/rule_registry/server/rule_data_client/index.ts
@@ -96,7 +96,8 @@ export class RuleDataClient implements IRuleDataClient {
         if (response.body.errors) {
           if (
             response.body.items.length > 0 &&
-            response.body.items?.[0]?.index?.error?.type === 'index_not_found_exception'
+            (response.body.items?.[0]?.index?.error?.type === 'index_not_found_exception' ||
+              response.body.items?.[0]?.index?.error?.type === 'illegal_argument_exception')
           ) {
             return this.createWriteTargetIfNeeded({ namespace }).then(() => {
               return clusterClient.bulk(requestWithDefaultParameters);
@@ -116,29 +117,22 @@ export class RuleDataClient implements IRuleDataClient {
     const clusterClient = await this.getClusterClient();
-    const { body: aliasExists } = await clusterClient.indices.existsAlias({
-      name: alias,
-    });
-
     const concreteIndexName = `${alias}-000001`;
-
-    if (!aliasExists) {
-      try {
-        await clusterClient.indices.create({
-          index: concreteIndexName,
-          body: {
-            aliases: {
-              [alias]: {
-                is_write_index: true,
-              },
+    try {
+      await clusterClient.indices.create({
+        index: concreteIndexName,
+        body: {
+          aliases: {
+            [alias]: {
+              is_write_index: true,
             },
-          });
-        } catch (err) {
-          // something might have created the index already, that sounds OK
-          if (err?.meta?.body?.error?.type !== 'resource_already_exists_exception') {
-            throw err;
-          }
+          },
+        });
+      } catch (err) {
+        // something might have created the index already, that sounds OK
+        if (err?.meta?.body?.error?.type !== 'resource_already_exists_exception') {
+          throw err;
       }
     }
   }
diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts
index 91174cd71d39c3..0acdb8df7411a4 100644
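Review bot: `illegal_argument_exception` is a broad Elasticsearch error class (mapping conflicts, malformed requests, an alias without a write index, and more), so treating any such failure on `items[0]` as "write target missing" makes `bulk` re-run after `createWriteTargetIfNeeded` even when the index cannot have been the cause, and the retry is then likely to fail with the same error. If the case being handled is an alias that exists without a write index (which is what adding `is_write_index: false` aliases to the siem-signals indices elsewhere in this series produces), match on the reason Elasticsearch reports for that situation rather than on the bare type, e.g. by checking `response.body.items?.[0]?.index?.error?.reason` for the "no write index is defined for alias" text, if I recall the ES wording correctly. Only the first item is inspected, so a bulk whose first item succeeded while a later one hit this error is not retried; that pre-dates this change but deserves a comment. The enclosing method starts before this hunk.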
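Review bot: Dropping the `existsAlias` check means `createWriteTargetIfNeeded` now always tries to create `${alias}-000001` and treats `resource_already_exists_exception` as success, which is only right if that concrete index is still the write index of the alias; if a rollover ever moves the write index elsewhere, `-000001` exists but is not the write target, and as far as this hunk shows the caller's bulk retry then fails again with nothing logged. Consider confirming the write target with the alias response (an entry carrying `is_write_index: true`) before returning, or at least logging at debug level in the `resource_already_exists_exception` branch. The removal itself is consistent with this series adding the same alias to the legacy siem-signals indices with `is_write_index: false`, after which alias existence no longer implies a write index; a comment preserving that reasoning, e.g. `// The alias may already exist on legacy siem-signals indices with is_write_index: false, so create the concrete write index rather than trusting alias existence.`, would stop a later cleanup from reintroducing the check.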
--- a/x-pack/plugins/security_solution/server/plugin.ts +++ b/x-pack/plugins/security_solution/server/plugin.ts 
@@ -442,51 +442,65 @@ export class Plugin implements IPlugin { - const signalIndices = await clusterClient.indices - .get({ - index: `${config.signalsIndex}-*`, - }) - .catch((err) => { - this.logger.error(`Failed to fetch existing siem signals indices: ${err.message}`); - }); - if (!signalIndices || Object.keys(signalIndices.body).length === 0) { - return; - } - const signalsTemplate = getSignalsTemplate(config.signalsIndex); - const aliases: Record = {}; + const { body: existingSignalsTemplates } = await clusterClient.indices.getTemplate({ + name: `${config.signalsIndex}-*`, + }); + const fieldAliases: Record = {}; Object.entries(aadFieldConversion).forEach(([key, value]) => { - aliases[value] = { + fieldAliases[value] = { type: 'alias', path: key, }; }); - merge(signalsTemplate.mappings.properties, aliases); - await clusterClient.indices - .putTemplate({ - name: config.signalsIndex, - body: signalsTemplate as Record, - }) - .catch((err) => { - this.logger.error( - `Failed to install new legacy siem signals template: ${err.message}` - ); - }); - await clusterClient.indices - .deleteTemplate({ - name: `${config.signalsIndex}-*`, - }) - .catch((err) => { - if (err.meta?.body?.status !== 404) { - this.logger.error(`Failed to delete old signals index templates: ${err.message}`); - } - }); + const existingTemplateNames = Object.keys(existingSignalsTemplates); + for (const existingTemplateName of existingTemplateNames) { + const spaceId = existingTemplateName.substr(config.signalsIndex.length + 1); + const { ruleDataService } = plugins.ruleRegistry; + const alertsIndexPattern = ruleDataService.getFullAssetName('security.alerts'); + const aadIndexAliasName = `${alertsIndexPattern}-${spaceId}`; + + const indexAliases = { + aliases: { + [aadIndexAliasName]: { + is_write_index: false, + }, + }, + }; + const signalsTemplate = getSignalsTemplate(existingTemplateName); + merge(signalsTemplate.mappings.properties, fieldAliases); + merge(signalsTemplate, indexAliases); + + 
await clusterClient.indices + .putTemplate({ + name: existingTemplateName, + body: signalsTemplate as Record, + }) + .catch((err) => { + this.logger.error( + `Failed to install new legacy siem signals template: ${err.message}` + ); + }); + await clusterClient.indices + .putAlias({ + index: `${existingTemplateName}-*`, + name: aadIndexAliasName, + body: { + is_write_index: false, + }, + }) + .catch((err) => { + this.logger.error( + `Failed to add alerts as data alias to existing signals indices: ${err.message}` + ); + }); + } // Make sure that all signal fields we add aliases for are guaranteed to exist in the mapping for ALL historical // signals indices (either by adding them to signalExtraFields or ensuring they exist in the original signals // mapping) or else this call will fail and not update ANY signals indices const newMapping = { properties: { ...signalExtraFields, - ...aliases, + ...fieldAliases, }, }; await clusterClient.indices From 5f11d3124f96d9828dd09eaac0b406d1da6bc04c Mon Sep 17 00:00:00 2001 From: Marshall Main Date: Mon, 19 Jul 2021 11:57:28 -0700 Subject: [PATCH 04/32] Remove first version of new mapping json file --- .../index/signals_alerts_field_aliases.json | 644 ------------------ 1 file changed, 644 deletions(-) delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signals_alerts_field_aliases.json diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signals_alerts_field_aliases.json b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signals_alerts_field_aliases.json deleted file mode 100644 index 6a510f4b472d5a..00000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signals_alerts_field_aliases.json +++ /dev/null 
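Review bot: `clusterClient.indices.getTemplate` at the top of the new block has no `.catch`, unlike the `putTemplate` and `putAlias` calls that follow, so a transport error or a missing-template response rejects the whole `updateExistingSignalsIndices` promise; if the caller does not await it (it looks fire-and-forget from here), that becomes an unhandled rejection instead of a logged message. Wrap it like the other calls and return early when the response is absent. Separately, `putAlias` with `is_write_index: false` exposes every existing `${existingTemplateName}-*` index through the alerts-as-data alias before those indices carry any space or consumer field, so anything that scopes reads of that alias by such fields cannot scope these documents; worth confirming which fields alerts authorization relies on before the alias is added. The enclosing function starts before the hunk.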
@@ -1,644 +0,0 @@ -{ - "properties": { - "kibana": { - "type": "object", - "properties": { - "alert": { - "type": "object", - "properties": { - "ancestors": { - "type": "object", - "properties": { - "depth": { - "type": "alias", - "path": "signal.ancestors.depth" - }, - "id": { - "type": "alias", - "path": "signal.ancestors.id" - }, - "index": { - "type": "alias", - "path": "signal.ancestors.index" - }, - "type": { - "type": "alias", - "path": "signal.ancestors.type" - } - } - }, - "depth": { - "type": "alias", - "path": "signal.depth" - }, - "original_event": { - "type": "object", - "properties": { - "action": { - "type": "alias", - "path": "signal.original_event.action" - }, - "category": { - "type": "alias", - "path": "signal.original_event.category" - }, - "code": { - "type": "alias", - "path": "signal.original_event.code" - }, - "created": { - "type": "alias", - "path": "signal.original_event.created" - }, - "dataset": { - "type": "alias", - "path": "signal.original_event.dataset" - }, - "duration": { - "type": "alias", - "path": "signal.original_event.duration" - }, - "end": { - "type": "alias", - "path": "signal.original_event.end" - }, - "hash": { - "type": "alias", - "path": "signal.original_event.hash" - }, - "id": { - "type": "alias", - "path": "signal.original_event.id" - }, - "kind": { - "type": "alias", - "path": "signal.original_event.kind" - }, - "module": { - "type": "alias", - "path": "signal.original_event.module" - }, - "outcome": { - "type": "alias", - "path": "signal.original_event.outcome" - }, - "provider": { - "type": "alias", - "path": "signal.original_event.provider" - }, - "risk_score": { - "type": "alias", - "path": "signal.original_event.risk_score" - }, - "risk_score_norm": { - "type": "alias", - "path": "signal.original_event.risk_score_norm" - }, - "sequence": { - "type": "alias", - "path": "signal.original_event.sequence" - }, - "severity": { - "type": "alias", - "path": "signal.original_event.severity" - }, - "start": { - "type": 
"alias", - "path": "signal.original_event.start" - }, - "timezone": { - "type": "alias", - "path": "signal.original_event.timezone" - }, - "type": { - "type": "alias", - "path": "signal.original_event.type" - } - } - }, - "original_time": { - "type": "alias", - "path": "signal.original_time" - }, - "risk_score": { - "type": "alias", - "path": "signal.rule.risk_score" - }, - "rule": { - "type": "object", - "properties": { - "author": { - "type": "alias", - "path": "signal.rule.author" - }, - "building_block_type": { - "type": "alias", - "path": "signal.rule.building_block_type" - }, - "created_at": { - "type": "alias", - "path": "signal.rule.created_at" - }, - "created_by": { - "type": "alias", - "path": "signal.rule.created_by" - }, - "description": { - "type": "alias", - "path": "signal.rule.description" - }, - "enabled": { - "type": "alias", - "path": "signal.rule.enabled" - }, - "false_positives": { - "type": "alias", - "path": "signal.rule.false_positives" - }, - "from": { - "type": "alias", - "path": "signal.rule.from" - }, - "id": { - "type": "alias", - "path": "signal.rule.id" - }, - "immutable": { - "type": "alias", - "path": "signal.rule.immutable" - }, - "index": { - "type": "alias", - "path": "signal.rule.index" - }, - "interval": { - "type": "alias", - "path": "signal.rule.interval" - }, - "language": { - "type": "alias", - "path": "signal.rule.language" - }, - "license": { - "type": "alias", - "path": "signal.rule.license" - }, - "max_signals": { - "type": "alias", - "path": "signal.rule.max_signals" - }, - "name": { - "type": "alias", - "path": "signal.rule.name" - }, - "note": { - "type": "alias", - "path": "signal.rule.note" - }, - "query": { - "type": "alias", - "path": "signal.rule.query" - }, - "references": { - "type": "alias", - "path": "signal.rule.references" - }, - "risk_score_mapping": { - "type": "object", - "properties": { - "field": { - "type": "alias", - "path": "signal.rule.risk_score_mapping.field" - }, - "operator": { - "type": 
"alias", - "path": "signal.rule.risk_score_mapping.operator" - }, - "value": { - "type": "alias", - "path": "signal.rule.risk_score_mapping.value" - } - } - }, - "rule_id": { - "type": "alias", - "path": "signal.rule.rule_id" - }, - "rule_name_override": { - "type": "alias", - "path": "signal.rule.rule_name_override" - }, - "saved_id": { - "type": "alias", - "path": "signal.rule.saved_id" - }, - "severity_mapping": { - "type": "object", - "properties": { - "field": { - "type": "alias", - "path": "signal.rule.severity_mapping.field" - }, - "operator": { - "type": "alias", - "path": "signal.rule.severity_mapping.operator" - }, - "value": { - "type": "alias", - "path": "signal.rule.severity_mapping.value" - }, - "severity": { - "type": "alias", - "path": "signal.rule.severity_mapping.severity" - } - } - }, - "tags": { - "type": "alias", - "path": "signal.rule.tags" - }, - "threat": { - "type": "object", - "properties": { - "framework": { - "type": "alias", - "path": "signal.rule.threat.framework" - }, - "tactic": { - "type": "object", - "properties": { - "id": { - "type": "alias", - "path": "signal.rule.threat.tactic.id" - }, - "name": { - "type": "alias", - "path": "signal.rule.threat.tactic.name" - }, - "reference": { - "type": "alias", - "path": "signal.rule.threat.tactic.reference" - } - } - }, - "technique": { - "type": "object", - "properties": { - "id": { - "type": "alias", - "path": "signal.rule.threat.technique.id" - }, - "name": { - "type": "alias", - "path": "signal.rule.threat.technique.name" - }, - "reference": { - "type": "alias", - "path": "signal.rule.threat.technique.reference" - }, - "subtechnique": { - "type": "object", - "properties": { - "id": { - "type": "alias", - "path": "signal.rule.threat.technique.subtechnique.id" - }, - "name": { - "type": "alias", - "path": "signal.rule.threat.technique.subtechnique.name" - }, - "reference": { - "type": "alias", - "path": "signal.rule.threat.technique.subtechnique.reference" - } - } - } - } - } - } - }, - 
"threat_index": { - "type": "alias", - "path": "signal.rule.threat_index" - }, - "threat_indicator_path": { - "type": "alias", - "path": "signal.rule.threat_indicator_path" - }, - "threat_language": { - "type": "alias", - "path": "signal.rule.threat_language" - }, - "threat_mapping": { - "type": "object", - "properties": { - "entries": { - "type": "object", - "properties": { - "field": { - "type": "alias", - "path": "signal.rule.threat_mapping.entries.field" - }, - "value": { - "type": "alias", - "path": "signal.rule.threat_mapping.entries.value" - }, - "type": { - "type": "alias", - "path": "signal.rule.threat_mapping.entries.type" - } - } - } - } - }, - "threat_query": { - "type": "alias", - "path": "signal.rule.threat_query" - }, - "threshold": { - "type": "object", - "properties": { - "field": { - "type": "alias", - "path": "signal.rule.threshold.field" - }, - "value": { - "type": "alias", - "path": "signal.rule.threshold.value" - } - } - }, - "timeline_id": { - "type": "alias", - "path": "signal.rule.timeline_id" - }, - "timeline_title": { - "type": "alias", - "path": "signal.rule.timeline_title" - }, - "to": { - "type": "alias", - "path": "signal.rule.to" - }, - "type": { - "type": "alias", - "path": "signal.rule.type" - }, - "updated_at": { - "type": "alias", - "path": "signal.rule.updated_at" - }, - "updated_by": { - "type": "alias", - "path": "signal.rule.updated_by" - }, - "version": { - "type": "alias", - "path": "signal.rule.version" - } - } - }, - "severity": { - "type": "alias", - "path": "signal.rule.severity" - }, - "threshold_result": { - "type": "object", - "properties": { - "from": { - "type": "alias", - "path": "signal.threshold_result.from" - }, - "terms": { - "properties": { - "field": { - "type": "alias", - "path": "signal.threshold_result.terms.field" - }, - "value": { - "type": "alias", - "path": "signal.threshold_result.terms.value" - } - } - }, - "cardinality": { - "properties": { - "field": { - "type": "alias", - "path": 
"signal.threshold_result.cardinality.field" - }, - "value": { - "type": "alias", - "path": "signal.threshold_result.cardinality.value" - } - } - }, - "count": { - "type": "alias", - "path": "signal.threshold_result.count" - } - } - }, - "workflow_status": { - "type": "alias", - "path": "signal.status" - } - } - } - } - }, - "signal": { - "type": "object", - "properties": { - "_meta": { - "type": "object", - "properties": { - "version": { - "type": "long" - } - } - }, - "ancestors": { - "properties": { - "rule": { - "type": "keyword" - }, - "index": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "depth": { - "type": "long" - } - } - }, - "depth": { - "type": "integer" - }, - "group": { - "type": "object", - "properties": { - "id": { - "type": "keyword" - }, - "index": { - "type": "integer" - } - } - }, - "rule": { - "type": "object", - "properties": { - "author": { - "type": "keyword" - }, - "building_block_type": { - "type": "keyword" - }, - "license": { - "type": "keyword" - }, - "note": { - "type": "text" - }, - "risk_score_mapping": { - "type": "object", - "properties": { - "field": { - "type": "keyword" - }, - "operator": { - "type": "keyword" - }, - "value": { - "type": "keyword" - } - } - }, - "rule_name_override": { - "type": "keyword" - }, - "severity_mapping": { - "type": "object", - "properties": { - "field": { - "type": "keyword" - }, - "operator": { - "type": "keyword" - }, - "value": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - } - } - }, - "threat": { - "type": "object", - "properties": { - "technique": { - "type": "object", - "properties": { - "subtechnique": { - "type": "object", - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "reference": { - "type": "keyword" - } - } - } - } - } - } - }, - "threat_index": { - "type": "keyword" - }, - "threat_indicator_path": { - "type": "keyword" - }, - "threat_language": { - "type": "keyword" - }, 
- "threat_mapping": { - "type": "object", - "properties": { - "entries": { - "type": "object", - "properties": { - "field": { - "type": "keyword" - }, - "value": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - } - } - } - }, - "threat_query": { - "type": "keyword" - }, - "threshold": { - "type": "object", - "properties": { - "field": { - "type": "keyword" - }, - "value": { - "type": "float" - } - } - } - } - }, - "threshold_result": { - "properties": { - "from": { - "type": "date" - }, - "terms": { - "properties": { - "field": { - "type": "keyword" - }, - "value": { - "type": "keyword" - } - } - }, - "cardinality": { - "properties": { - "field": { - "type": "keyword" - }, - "value": { - "type": "long" - } - } - }, - "count": { - "type": "long" - } - } - } - } - } - } -} From 31485696bf98bde2abbddc5323bb91e1ccc2dae9 Mon Sep 17 00:00:00 2001 From: Marshall Main Date: Mon, 26 Jul 2021 12:15:31 -0700 Subject: [PATCH 05/32] Convert existing legacy siem-signals templates to new ES templates --- .../routes/index/get_signals_template.ts | 47 +++++++++++++++++++ .../security_solution/server/plugin.ts | 46 +++++++++--------- 2 files changed, 72 insertions(+), 21 deletions(-) diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts index 53035ebf28cd78..19f914e6ccaef9 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts 
@@ -69,3 +69,50 @@ export const getSignalsTemplate = (index: string) => { }; return template; }; + +export const getNewSignalsTemplate = (index: string) => { + const template = { + index_patterns: [`${index}-*`], + template: { + settings: { + index: { + lifecycle: { + name: index, + rollover_alias: index, + }, + }, + mapping: { + total_fields: { + limit: 10000, + }, + }, + }, + mappings: { + dynamic: false, + properties: { + ...ecsMapping.mappings.properties, + ...otherMapping.mappings.properties, + signal: signalsMapping.mappings.properties.signal, + threat: { + ...ecsMapping.mappings.properties.threat, + properties: { + ...ecsMapping.mappings.properties.threat.properties, + indicator: { + ...otherMapping.mappings.properties.threat.properties.indicator, + properties: { + ...otherMapping.mappings.properties.threat.properties.indicator.properties, + event: ecsMapping.mappings.properties.event, + }, + }, + }, + }, + }, + _meta: { + version: SIGNALS_TEMPLATE_VERSION, + }, + }, + }, + version: SIGNALS_TEMPLATE_VERSION, + }; + return template; +}; diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts index 4ee346b7697ccb..d3642156711dfe 100644 --- a/x-pack/plugins/security_solution/server/plugin.ts +++ b/x-pack/plugins/security_solution/server/plugin.ts 
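Review bot: `getNewSignalsTemplate` installs a composable template with `index_patterns: [`${index}-*`]` and no explicit `priority`, so it competes at priority 0 with any other template whose pattern overlaps; if one space's index prefix can be a prefix of another's (a space id containing a hyphen, say `default` next to `default-foo`, if such ids are allowed), Elasticsearch rejects the second template for matching the same indices at the same priority and the conversion fails for that space. Give the template an explicit `priority` and document the naming assumption in a comment. The body also duplicates the `threat.indicator` merge from `getSignalsTemplate` above; a shared `buildSignalsProperties()` helper would keep the two mappings from drifting. `dynamic: false` is the right choice for a mapping fed from rule output, since it stops unexpected fields from growing the mapping.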
@@ -92,7 +92,7 @@ import { parseExperimentalConfigValue } from '../common/experimental_features'; import { migrateArtifactsToFleet } from './endpoint/lib/artifacts/migrate_artifacts_to_fleet'; import aadFieldConversion from './lib/detection_engine/routes/index/signal_aad_mapping.json'; import signalExtraFields from './lib/detection_engine/routes/index/signal_extra_fields.json'; -import { getSignalsTemplate } from './lib/detection_engine/routes/index/get_signals_template'; +import { getNewSignalsTemplate } from './lib/detection_engine/routes/index/get_signals_template'; import { getKibanaPrivilegesFeaturePrivileges } from './features'; export interface SetupPlugins { @@ -343,9 +343,19 @@ export class Plugin implements IPlugin { - const { body: existingSignalsTemplates } = await clusterClient.indices.getTemplate({ - name: `${config.signalsIndex}-*`, - }); + const existingTemplateResponse = await clusterClient.indices + .getTemplate({ + name: `${config.signalsIndex}-*`, + }) + .catch((err) => { + this.logger.error( + `Failed to get existing legacy siem signals templates: ${err.message}` + ); + }); + if (existingTemplateResponse == null) { + return; + } + const existingSignalsTemplates = existingTemplateResponse.body; const fieldAliases: Record = {}; Object.entries(aadFieldConversion).forEach(([key, value]) => { fieldAliases[value] = { 
@@ -367,34 +377,28 @@ export class Plugin implements IPlugin, - }) - .catch((err) => { - this.logger.error( - `Failed to install new legacy siem signals template: ${err.message}` - ); }); - await clusterClient.indices - .putAlias({ + await clusterClient.indices.putAlias({ index: `${existingTemplateName}-*`, name: aadIndexAliasName, body: { is_write_index: false, }, - }) - .catch((err) => { - this.logger.error( - `Failed to add alerts as data alias to existing signals indices: ${err.message}` - ); }); + await clusterClient.indices.deleteTemplate({ name: existingTemplateName }); + } catch (err) { + this.logger.error(`Failed to install new siem signals template: ${err.message}`); + } } + // Make sure that all signal fields we add aliases for are guaranteed to exist in the mapping for ALL historical // signals indices (either by adding them to signalExtraFields or ensuring they exist in the original signals // mapping) or else this call will fail and not update ANY signals indices From 3e08e73f382cc07de8660e49bb8cdb533d59fb04 Mon Sep 17 00:00:00 2001 From: Marshall Main Date: Mon, 26 Jul 2021 12:54:53 -0700 Subject: [PATCH 06/32] Catch 404 if siem signals templates were already updated --- x-pack/plugins/security_solution/server/plugin.ts | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts index d3642156711dfe..045e79747221bf 100644 --- a/x-pack/plugins/security_solution/server/plugin.ts +++ b/x-pack/plugins/security_solution/server/plugin.ts 
@@ -348,9 +348,12 @@ export class Plugin implements IPlugin { - this.logger.error( - `Failed to get existing legacy siem signals templates: ${err.message}` - ); + // If the siem signals templates have already been converted, we expect a 404 here + if (err.meta?.statusCode !== 404) { + this.logger.error( + `Failed to get existing legacy siem signals templates: ${err.message}` + ); + } }); if (existingTemplateResponse == null) { return; From 58f74644c201717ae9294882964159d65565d427 Mon Sep 17 00:00:00 2001 From: Marshall Main Date: Mon, 26 Jul 2021 13:04:59 -0700 Subject: [PATCH 07/32] Enhance error message when index exists but is not write index for alias --- .../rule_registry/server/rule_data_client/index.ts | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/x-pack/plugins/rule_registry/server/rule_data_client/index.ts b/x-pack/plugins/rule_registry/server/rule_data_client/index.ts index 3f467b69768a58..831b45b1498095 100644 --- a/x-pack/plugins/rule_registry/server/rule_data_client/index.ts +++ b/x-pack/plugins/rule_registry/server/rule_data_client/index.ts @@ -131,7 +131,16 @@ export class RuleDataClient implements IRuleDataClient { }); } catch (err) { // something might have created the index already, that sounds OK - if (err?.meta?.body?.error?.type !== 'resource_already_exists_exception') { + if (err?.meta?.body?.error?.type === 'resource_already_exists_exception') { + const { body: existingIndices } = await clusterClient.indices.get({ + index: concreteIndexName, + }); + if (!existingIndices[concreteIndexName]?.aliases?.[alias]?.is_write_index) { + throw Error( + `Attempted to create index: ${concreteIndexName} as the write index for alias: ${alias}, but the index already exists and is not the write index for the alias` + ); + } + } else { throw err; } } From 9377e0c23cb6263632f1937fb9e06f6dd1395172 Mon Sep 17 00:00:00 2001 
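Review bot: The added `err.meta?.statusCode !== 404` check probably never fires for this request, because `getTemplate` with a wildcard `name` answers an empty object with 200 when nothing matches rather than 404 (as far as I recall a 404 is returned for an exact name only); the already-converted case is then handled by the empty `Object.keys(existingSignalsTemplates)` loop further down, not by the early return. A unit test pinning which path the converted state takes would settle it, and the comment should say that an empty template list is the normal post-conversion state. The enclosing function continues outside the hunk.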
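Review bot: `throw Error(...)` should be `throw new Error(...)`, matching the `throw err` convention in the same block and making construction explicit. The `clusterClient.indices.get` placed inside the `catch` can itself reject (for instance if the index was deleted between the two calls), and that rejection then escapes with no indication that the lookup rather than the create failed; wrapping the lookup in its own `try/catch` with a message naming `concreteIndexName` would make that path diagnosable. The enclosing try starts above the hunk.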
From: Marshall Main Date: Mon, 26 Jul 2021 15:32:34 -0700 Subject: [PATCH 08/32] Check if alias write index exists before creating new write index --- .../server/rule_data_client/index.ts | 49 +++++++++++-------- .../security_solution/server/plugin.ts | 1 - 2 files changed, 28 insertions(+), 22 deletions(-) diff --git a/x-pack/plugins/rule_registry/server/rule_data_client/index.ts b/x-pack/plugins/rule_registry/server/rule_data_client/index.ts index 831b45b1498095..d77cb8630b28f7 100644 --- a/x-pack/plugins/rule_registry/server/rule_data_client/index.ts +++ b/x-pack/plugins/rule_registry/server/rule_data_client/index.ts 
@@ -117,31 +117,38 @@ export class RuleDataClient implements IRuleDataClient { const clusterClient = await this.getClusterClient(); - const concreteIndexName = `${alias}-000001`; - try { - await clusterClient.indices.create({ - index: concreteIndexName, - body: { - aliases: { - [alias]: { - is_write_index: true, + const { body: aliasesResponse } = await clusterClient.indices.getAlias({ name: alias }); + const aliasWriteIndexExists = Object.entries(aliasesResponse).some( + ([_, aliases]) => aliases.aliases[alias].is_write_index + ); + + if (!aliasWriteIndexExists) { + const concreteIndexName = `${alias}-000001`; + try { + await clusterClient.indices.create({ + index: concreteIndexName, + body: { + aliases: { + [alias]: { + is_write_index: true, + }, }, }, - }, - }); - } catch (err) { - // something might have created the index already, that sounds OK - if (err?.meta?.body?.error?.type === 'resource_already_exists_exception') { - const { body: existingIndices } = await clusterClient.indices.get({ - index: concreteIndexName, }); - if (!existingIndices[concreteIndexName]?.aliases?.[alias]?.is_write_index) { - throw Error( - `Attempted to create index: ${concreteIndexName} as the write index for alias: ${alias}, but the index already exists and is not the write index for the alias` - ); + } catch (err) { + // something might have created the index already, that sounds OK + if (err?.meta?.body?.error?.type === 'resource_already_exists_exception') { + const { body: existingIndices } = await clusterClient.indices.get({ + index: concreteIndexName, + }); + if (!existingIndices[concreteIndexName]?.aliases?.[alias]?.is_write_index) { + throw Error( + `Attempted to create index: ${concreteIndexName} as the write index for alias: ${alias}, but the index already exists and is not the write index for the alias` + ); + } + } else { + throw err; } - } else { - throw err; } } } 
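Review bot: `indices.getAlias({ name: alias })` is answered with a 404 when no index carries the alias yet, which the client surfaces as a rejection, so on a fresh install the new guard throws before `indices.create` is ever reached (please confirm against the client version in use). The check `aliases.aliases[alias].is_write_index` is also stricter than Elasticsearch's own rule: an alias pointing at a single index with `is_write_index` unset is still writable and the flag is omitted from the response in that case, so such a deployment is sent down the create path and hits `resource_already_exists_exception`; the same assumption reappears in the `else` branch added to this method later in the series. `Object.values(aliasesResponse).some((entry) => entry.aliases[alias]?.is_write_index)` avoids the unused `_` binding as well. The method signature is above the hunk.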
diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts index 6173b41af40d55..1954931c4aefee 100644 --- a/x-pack/plugins/security_solution/server/plugin.ts +++ b/x-pack/plugins/security_solution/server/plugin.ts @@ -329,7 +329,6 @@ export class Plugin implements IPlugin { const securitySolutionSearchStrategy = securitySolutionSearchStrategyProvider( depsStart.data, From df9b0104d8b6c15f91f901cae7eb2dbf6813b4c5 Mon Sep 17 00:00:00 2001 From: Marshall Main Date: Mon, 26 Jul 2021 16:46:44 -0700 Subject: [PATCH 09/32] More robust write target creation logic --- .../server/rule_data_client/index.ts | 17 ++++++++++------- .../plugins/security_solution/server/plugin.ts | 6 ++++++ 2 files changed, 16 insertions(+), 7 deletions(-) diff --git a/x-pack/plugins/rule_registry/server/rule_data_client/index.ts b/x-pack/plugins/rule_registry/server/rule_data_client/index.ts index d77cb8630b28f7..a3a3d967cf9476 100644 --- a/x-pack/plugins/rule_registry/server/rule_data_client/index.ts +++ b/x-pack/plugins/rule_registry/server/rule_data_client/index.ts @@ -117,13 +117,14 @@ export class RuleDataClient implements IRuleDataClient { const clusterClient = await this.getClusterClient(); - const { body: aliasesResponse } = await clusterClient.indices.getAlias({ name: alias }); - const aliasWriteIndexExists = Object.entries(aliasesResponse).some( - ([_, aliases]) => aliases.aliases[alias].is_write_index - ); + const { body: indicesExist } = await clusterClient.indices.exists({ + index: `${alias}-*`, + allow_no_indices: false, + }); - if (!aliasWriteIndexExists) { - const concreteIndexName = `${alias}-000001`; + const concreteIndexName = `${alias}-000001`; + + if (!indicesExist) { try { await clusterClient.indices.create({ index: concreteIndexName, 
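Review bot: `indices.exists({ index: `${alias}-*`, allow_no_indices: false })` answers a different question from the one the method needs: it reports that some index matches the wildcard, not that `alias` has a write index, and the wildcard also matches indices of a namespace whose name starts with this one (if namespace ids may contain a hyphen, `foo-*` matches `foo-bar-000001`). In that situation the create path is skipped although `alias` has no write index, and the bulk retry fails again; the `getAlias({ index: `${alias}-*` })` check added to the `else` branch later in the series inherits the same wildcard. Checking the alias itself and tolerating the not-found case would be more precise. The enclosing method starts above the hunk.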
@@ -136,7 +137,9 @@ export class RuleDataClient implements IRuleDataClient { }, }); } catch (err) { - // something might have created the index already, that sounds OK + // If the index already exists and it's the write index for the alias, + // something else created it so suppress the error. If it's not the write + // index, that's bad, throw an error. if (err?.meta?.body?.error?.type === 'resource_already_exists_exception') { const { body: existingIndices } = await clusterClient.indices.get({ index: concreteIndexName, diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts index 1954931c4aefee..b12d65fcdad8d7 100644 --- a/x-pack/plugins/security_solution/server/plugin.ts +++ b/x-pack/plugins/security_solution/server/plugin.ts @@ -254,6 +254,12 @@ export class Plugin implements IPlugin Date: Tue, 27 Jul 2021 15:39:50 -0700 Subject: [PATCH 10/32] Add RBAC required fields for AAD to siem signals indices --- .../routes/index/get_signals_template.ts | 50 +++++++++++- .../security_solution/server/plugin.ts | 79 ++++++++----------- 2 files changed, 81 insertions(+), 48 deletions(-) diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts index 19f914e6ccaef9..5c1fe4ad87ad51 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts @@ -8,6 +8,7 @@ import signalsMapping from './signals_mapping.json'; import ecsMapping from './ecs_mapping.json'; import otherMapping from './other_mappings.json'; +import aadFieldConversion from './signal_aad_mapping.json'; /** @constant 
@@ -70,10 +71,55 @@ export const getSignalsTemplate = (index: string) => { return template; }; -export const getNewSignalsTemplate = (index: string) => { +export const createSignalsFieldAliases = () => { + const fieldAliases: Record = {}; + Object.entries(aadFieldConversion).forEach(([key, value]) => { + fieldAliases[value] = { + type: 'alias', + path: key, + }; + }); + return fieldAliases; +}; + +export const getRbacRequiredFields = (spaceId: string) => { + return { + 'kibana.space_ids': { + type: 'constant_keyword', + value: spaceId, + }, + 'kibana.consumers': { + type: 'constant_keyword', + value: 'siem', + }, + 'kibana.producer': { + type: 'constant_keyword', + value: 'siem', + }, + // TODO: discuss naming of this field and what the value will be for legacy signals. + // Can we leave it as 'siem.signals' or do we need a runtime field that will map signal.rule.type + // to the new ruleTypeId? + 'kibana.alert.rule.rule_type_id': { + type: 'constant_keyword', + value: 'siem.signals', + }, + }; +}; + +export const getNewSignalsTemplate = ( + index: string, + spaceId: string, + aadIndexAliasName: string +) => { + const fieldAliases = createSignalsFieldAliases(); const template = { index_patterns: [`${index}-*`], template: { + aliases: { + [aadIndexAliasName]: { + is_write_index: false, + }, + }, settings: { index: { lifecycle: { @@ -92,6 +138,8 @@ export const getNewSignalsTemplate = (index: string) => { properties: { ...ecsMapping.mappings.properties, ...otherMapping.mappings.properties, + ...fieldAliases, + ...getRbacRequiredFields(spaceId), signal: signalsMapping.mappings.properties.signal, threat: { ...ecsMapping.mappings.properties.threat, diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts index b12d65fcdad8d7..55ae8e5003c6fe 100644 --- a/x-pack/plugins/security_solution/server/plugin.ts +++ b/x-pack/plugins/security_solution/server/plugin.ts 
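Review bot: The three new exports have no TSDoc and no return types, and `createSignalsFieldAliases` builds its map with `forEach` plus mutation where `Object.fromEntries(Object.entries(aadFieldConversion).map(([path, name]) => [name, { type: 'alias', path }]))` says the same thing in one expression. Each function deserves a one-line contract: that `createSignalsFieldAliases` exposes legacy `signal.*` fields under their alerts-as-data names through mapping aliases, that `getRbacRequiredFields` stamps the space id, consumer and producer as `constant_keyword` so every document in the index is scoped to that one space, and what `aadIndexAliasName` passed to `getNewSignalsTemplate` is expected to be. The `kibana.alert.rule.rule_type_id` TODO should be resolved or tracked before this ships, since the constant value is baked into every converted index's mapping. The `getNewSignalsTemplate` body continues past the hunk.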
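Review bot: The two new spreads sit between the ECS/other mappings and the explicit `signal`/`threat` keys, and object spread resolves duplicate keys silently by position: an alias name in `fieldAliases` that collides with an ECS property overrides it here, and `signal` or `threat` would in turn override an alias of the same name. A comment stating the intended precedence, or a one-time check at module load that the alias keys are disjoint from the ECS keys, would stop a future mapping edit from quietly shadowing a field. `getNewSignalsTemplate` starts and ends outside this hunk.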
@@ -5,7 +5,7 @@ * 2.0. */ -import { once, merge } from 'lodash'; +import { once } from 'lodash'; import { Observable } from 'rxjs'; import LRU from 'lru-cache'; import { estypes } from '@elastic/elasticsearch'; @@ -91,7 +91,11 @@ import { parseExperimentalConfigValue } from '../common/experimental_features'; import { migrateArtifactsToFleet } from './endpoint/lib/artifacts/migrate_artifacts_to_fleet'; import aadFieldConversion from './lib/detection_engine/routes/index/signal_aad_mapping.json'; import signalExtraFields from './lib/detection_engine/routes/index/signal_extra_fields.json'; -import { getNewSignalsTemplate } from './lib/detection_engine/routes/index/get_signals_template'; +import { + createSignalsFieldAliases, + getNewSignalsTemplate, + getRbacRequiredFields, +} from './lib/detection_engine/routes/index/get_signals_template'; import { getKibanaPrivilegesFeaturePrivileges } from './features'; export interface SetupPlugins { @@ -254,12 +258,6 @@ export class Plugin implements IPlugin = {}; - Object.entries(aadFieldConversion).forEach(([key, value]) => { - fieldAliases[value] = { - type: 'alias', - path: key, - }; - }); + const fieldAliases = createSignalsFieldAliases(); const existingTemplateNames = Object.keys(existingSignalsTemplates); for (const existingTemplateName of existingTemplateNames) { const spaceId = existingTemplateName.substr(config.signalsIndex.length + 1); @@ -377,16 +369,11 @@ export class Plugin implements IPlugin { this.logger.error( - `Failed to insert alerts as data field aliases to signals indices: ${err.message}` + `Failed to install new siem signals template for space ${spaceId}: ${err.message}` ); - }); + } + } }; updateExistingSignalsIndices(); } From b837f27ef4299bdcb78bed3076c432411b94031e Mon Sep 17 00:00:00 2001 
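Review bot: `updateExistingSignalsIndices()` is invoked without `await`, `void` or a `.catch` (the context line at the end of the last hunk), so any rejection that escapes the per-template `try/catch` surfaces as an unhandled promise rejection at plugin start rather than as a log line. `void updateExistingSignalsIndices().catch((err) => this.logger.error(`Failed to update existing siem signals indices: ${err.message}`));` keeps it fire-and-forget while making failures visible. Much of the surrounding function is outside my view, so there may be a wrapper I cannot see.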
From: Marshall Main Date: Tue, 27 Jul 2021 18:42:10 -0700 Subject: [PATCH 11/32] Fix index name in index mapping update --- x-pack/plugins/security_solution/server/plugin.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts index 55ae8e5003c6fe..7215b754354584 100644 --- a/x-pack/plugins/security_solution/server/plugin.ts +++ b/x-pack/plugins/security_solution/server/plugin.ts @@ -399,7 +399,7 @@ export class Plugin implements IPlugin Date: Wed, 28 Jul 2021 11:16:35 -0700 Subject: [PATCH 12/32] Throw errors if bulk retry fails or existing indices are not writeable --- .../server/rule_data_client/index.ts | 30 +++++++++++++++++-- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/x-pack/plugins/rule_registry/server/rule_data_client/index.ts b/x-pack/plugins/rule_registry/server/rule_data_client/index.ts index a3a3d967cf9476..94427eee2e2e5d 100644 --- a/x-pack/plugins/rule_registry/server/rule_data_client/index.ts +++ b/x-pack/plugins/rule_registry/server/rule_data_client/index.ts 
@@ -96,11 +96,20 @@ export class RuleDataClient implements IRuleDataClient {
 if (response.body.errors) {
 if (
 response.body.items.length > 0 &&
- (response.body.items?.[0]?.index?.error?.type === 'index_not_found_exception' ||
- response.body.items?.[0]?.index?.error?.type === 'illegal_argument_exception')
+ (response.body.items.every(
+ (item) => item.index?.error?.type === 'index_not_found_exception'
+ ) ||
+ response.body.items.every(
+ (item) => item.index?.error?.type === 'illegal_argument_exception'
+ ))
 ) {
 return this.createWriteTargetIfNeeded({ namespace }).then(() => {
- return clusterClient.bulk(requestWithDefaultParameters);
+ return clusterClient.bulk(requestWithDefaultParameters).then((retryResponse) => {
+ if (retryResponse.body.errors) {
+ throw new ResponseError(retryResponse);
+ }
+ return retryResponse;
+ });
 });
 }
 const error = new ResponseError(response);
@@ -153,6 +162,21 @@ export class RuleDataClient implements IRuleDataClient {
 throw err;
 }
 }
+ } else {
+ // If we find indices matching the pattern, then we expect one of them to be the write index for the alias.
+ // Throw an error if none of them are the write index.
+ const { body: aliasesResponse } = await clusterClient.indices.getAlias({
+ index: `${alias}-*`,
+ });
+ if (
+ !Object.entries(aliasesResponse).some(
+ ([_, aliasesObject]) => aliasesObject.aliases[alias]?.is_write_index
+ )
+ ) {
+ throw Error(
+ `Indices matching pattern ${alias}-* exist but none are set as the write index for alias ${alias}`
+ );
+ }
 }
 }
 }
From 185f4bab33d4cc473291aa5e083f7eae54971ffd Mon Sep 17 00:00:00 2001
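Review bot: The retry condition now recovers only when every failed item reports `index_not_found_exception` or every item reports `illegal_argument_exception`, but nothing in the hunk says why those two error types are taken to mean "the write target is missing", and `illegal_argument_exception` is a broad error type in Elasticsearch. The second hunk in this file suggests the `illegal_argument_exception` case is an alias that exists without a write index; if that reading is right, a comment above the `if (` such as `// Every item failing with index_not_found_exception (no index/alias yet) or illegal_argument_exception (alias without a write index) means the write target must be created; retry the bulk once and surface any second failure.` would make the intent and the single-retry bound explicit. The enclosing method starts and ends outside the hunk.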
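Review bot: `throw Error(` on the new side of the `@@ -153,6 +162,21 @@` hunk omits `new`; it runs, but the first hunk constructs `new ResponseError(...)`, so `throw new Error(` keeps the file consistent and satisfies the usual lint rule. The `Object.entries(aliasesResponse).some(([_, aliasesObject]) => ...)` walk discards the key, so `Object.values(aliasesResponse).some((aliasesObject) => aliasesObject.aliases[alias]?.is_write_index)` says the same thing more directly. The existence check that selects this `else` branch, and the rest of `createWriteTargetIfNeeded`, lie outside the hunk.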
From: Marshall Main Date: Fri, 30 Jul 2021 09:57:51 -0700 Subject: [PATCH 13/32] Add new template to routes even without experimental rule registry flag enabled --- x-pack/plugins/rule_registry/server/index.ts | 1 + .../security_solution/server/client/client.ts | 7 +- .../get_signals_template.test.ts.snap | 4533 ----------------- .../routes/index/check_template_version.ts | 7 +- .../routes/index/create_index_route.ts | 81 +- .../routes/index/delete_index_route.ts | 11 +- .../routes/index/get_signals_template.test.ts | 56 +- .../routes/index/get_signals_template.ts | 124 +- .../security_solution/server/plugin.ts | 9 +- .../security_solution/server/routes/index.ts | 5 +- 10 files changed, 169 insertions(+), 4665 deletions(-) delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap diff --git a/x-pack/plugins/rule_registry/server/index.ts b/x-pack/plugins/rule_registry/server/index.ts index f8d9dec3ea83a4..b84acbc2796a80 100644 --- a/x-pack/plugins/rule_registry/server/index.ts +++ b/x-pack/plugins/rule_registry/server/index.ts @@ -11,6 +11,7 @@ import { RuleRegistryPlugin } from './plugin'; export * from './config'; export type { RuleRegistryPluginSetupContract, RuleRegistryPluginStartContract } from './plugin'; export type { RacRequestHandlerContext, RacApiRequestHandlerContext } from './types'; +export { RuleDataPluginService } from './rule_data_plugin_service'; export { RuleDataClient } from './rule_data_client'; export { IRuleDataClient } from './rule_data_client/types'; export { getRuleData, RuleExecutorData } from './utils/get_rule_executor_data'; diff --git a/x-pack/plugins/security_solution/server/client/client.ts b/x-pack/plugins/security_solution/server/client/client.ts index ffab9a1cbdfbff..a94a0fa920c651 100644 --- a/x-pack/plugins/security_solution/server/client/client.ts +++ b/x-pack/plugins/security_solution/server/client/client.ts 
@@ -9,12 +9,15 @@ import { ConfigType } from '../config'; export class AppClient { private readonly signalsIndex: string; + private readonly spaceId: string; - constructor(private spaceId: string, private config: ConfigType) { + constructor(_spaceId: string, private config: ConfigType) { const configuredSignalsIndex = this.config.signalsIndex; - this.signalsIndex = `${configuredSignalsIndex}-${this.spaceId}`; + this.signalsIndex = `${configuredSignalsIndex}-${_spaceId}`; + this.spaceId = _spaceId; } public getSignalsIndex = (): string => this.signalsIndex; + public getSpaceId = (): string => this.spaceId; } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap deleted file mode 100644 index 4f060746b92b0c..00000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap +++ /dev/null 
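Review bot: The constructor now takes `_spaceId` and copies it into an explicitly declared `private readonly spaceId`, whereas the original already used a parameter property for the same field; unless a lint rule in this package forbids parameter properties, `constructor(private readonly spaceId: string, private readonly config: ConfigType)` with `${this.spaceId}` in the template literal expresses the change without the underscore indirection. That form would also mark `config` readonly, which nothing in the visible class reassigns. The `AppClient` class fits entirely within the hunk.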
@@ -1,4533 +0,0 @@ -// Jest Snapshot v1, https://goo.gl/fbAQLP - -exports[`get_signals_template it should match snapshot 1`] = ` -Object { - "index_patterns": Array [ - "test-index-*", - ], - "mappings": Object { - "_meta": Object { - "version": 45, - }, - "dynamic": false, - "properties": Object { - "@timestamp": Object { - "type": "date", - }, - "agent": Object { - "properties": Object { - "build": Object { - "properties": Object { - "original": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "ephemeral_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "as": Object { - "properties": Object { - "number": Object { - "type": "long", - }, - "organization": Object { - "properties": Object { - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - }, - }, - "client": Object { - "properties": Object { - "address": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "as": Object { - "properties": Object { - "number": Object { - "type": "long", - }, - "organization": Object { - "properties": Object { - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - }, - }, - "bytes": Object { - "type": "long", - }, - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "geo": Object { - "properties": Object { - "city_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_name": Object { - "ignore_above": 1024, - 
"type": "keyword", - }, - "country_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "location": Object { - "type": "geo_point", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "postal_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "timezone": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "ip": Object { - "type": "ip", - }, - "mac": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "nat": Object { - "properties": Object { - "ip": Object { - "type": "ip", - }, - "port": Object { - "type": "long", - }, - }, - }, - "packets": Object { - "type": "long", - }, - "port": Object { - "type": "long", - }, - "registered_domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subdomain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "top_level_domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "user": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "email": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "full_name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "group": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "hash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, 
- "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "roles": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - }, - }, - "cloud": Object { - "properties": Object { - "account": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "availability_zone": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "instance": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "machine": Object { - "properties": Object { - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "project": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "provider": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "service": Object { - "properties": Object { - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - }, - }, - "code_signature": Object { - "properties": Object { - "exists": Object { - "type": "boolean", - }, - "status": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subject_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "trusted": Object { - "type": "boolean", - }, - "valid": Object { - "type": "boolean", - }, - }, - }, - "container": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "image": Object { - "properties": Object { - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "tag": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "labels": Object { - "type": "object", - }, - "name": 
Object { - "ignore_above": 1024, - "type": "keyword", - }, - "runtime": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "data_stream": Object { - "properties": Object { - "dataset": Object { - "type": "keyword", - }, - "namespace": Object { - "type": "keyword", - }, - "type": Object { - "type": "keyword", - }, - }, - }, - "destination": Object { - "properties": Object { - "address": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "as": Object { - "properties": Object { - "number": Object { - "type": "long", - }, - "organization": Object { - "properties": Object { - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - }, - }, - "bytes": Object { - "type": "long", - }, - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "geo": Object { - "properties": Object { - "city_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "location": Object { - "type": "geo_point", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "postal_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "timezone": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "ip": Object { - "type": "ip", - }, - "mac": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "nat": Object { - "properties": Object { - "ip": Object { - "type": "ip", - }, - "port": Object { - "type": "long", - }, - }, - 
}, - "packets": Object { - "type": "long", - }, - "port": Object { - "type": "long", - }, - "registered_domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subdomain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "top_level_domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "user": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "email": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "full_name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "group": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "hash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "roles": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - }, - }, - "dll": Object { - "properties": Object { - "code_signature": Object { - "properties": Object { - "exists": Object { - "type": "boolean", - }, - "signing_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "status": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subject_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "team_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "trusted": Object { - "type": "boolean", - }, - "valid": Object { - "type": "boolean", - }, - }, - }, - "hash": Object { - "properties": Object { - "md5": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha1": Object { - 
"ignore_above": 1024, - "type": "keyword", - }, - "sha256": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha512": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "ssdeep": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "path": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "pe": Object { - "properties": Object { - "architecture": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "company": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "description": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "file_version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "imphash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "original_file_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "product": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - }, - }, - "dns": Object { - "properties": Object { - "answers": Object { - "properties": Object { - "class": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "data": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "ttl": Object { - "type": "long", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - "type": "object", - }, - "header_flags": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "op_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "question": Object { - "properties": Object { - "class": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "registered_domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subdomain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - 
"top_level_domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "resolved_ip": Object { - "type": "ip", - }, - "response_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "ecs": Object { - "properties": Object { - "version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "error": Object { - "properties": Object { - "code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "message": Object { - "norms": false, - "type": "text", - }, - "stack_trace": Object { - "doc_values": false, - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "index": false, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "event": Object { - "properties": Object { - "action": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "category": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "created": Object { - "type": "date", - }, - "dataset": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "duration": Object { - "type": "long", - }, - "end": Object { - "type": "date", - }, - "hash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "ingested": Object { - "type": "date", - }, - "kind": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "module": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "original": Object { - "doc_values": false, - "ignore_above": 1024, - "index": false, - "type": "keyword", - }, - "outcome": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "provider": 
Object { - "ignore_above": 1024, - "type": "keyword", - }, - "reason": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "reference": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "risk_score": Object { - "type": "float", - }, - "risk_score_norm": Object { - "type": "float", - }, - "sequence": Object { - "type": "long", - }, - "severity": Object { - "type": "long", - }, - "start": Object { - "type": "date", - }, - "timezone": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "url": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "file": Object { - "properties": Object { - "accessed": Object { - "type": "date", - }, - "attributes": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "code_signature": Object { - "properties": Object { - "exists": Object { - "type": "boolean", - }, - "signing_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "status": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subject_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "team_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "trusted": Object { - "type": "boolean", - }, - "valid": Object { - "type": "boolean", - }, - }, - }, - "created": Object { - "type": "date", - }, - "ctime": Object { - "type": "date", - }, - "device": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "directory": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "drive_letter": Object { - "ignore_above": 1, - "type": "keyword", - }, - "extension": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "gid": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "group": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "hash": Object { - "properties": Object { - "md5": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha1": Object { - "ignore_above": 
1024, - "type": "keyword", - }, - "sha256": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha512": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "ssdeep": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "inode": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "mime_type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "mode": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "mtime": Object { - "type": "date", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "owner": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "path": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "pe": Object { - "properties": Object { - "architecture": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "company": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "description": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "file_version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "imphash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "original_file_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "product": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "size": Object { - "type": "long", - }, - "target_path": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "uid": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "x509": Object { - "properties": Object { - "alternative_names": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "issuer": Object { - "properties": Object { - "common_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country": Object { - 
"ignore_above": 1024, - "type": "keyword", - }, - "distinguished_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "locality": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "organization": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "organizational_unit": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "state_or_province": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "not_after": Object { - "type": "date", - }, - "not_before": Object { - "type": "date", - }, - "public_key_algorithm": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "public_key_curve": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "public_key_exponent": Object { - "doc_values": false, - "index": false, - "type": "long", - }, - "public_key_size": Object { - "type": "long", - }, - "serial_number": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "signature_algorithm": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subject": Object { - "properties": Object { - "common_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "distinguished_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "locality": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "organization": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "organizational_unit": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "state_or_province": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "version_number": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - }, - }, - "geo": Object { - "properties": Object { - "city_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_iso_code": Object { - "ignore_above": 1024, - "type": 
"keyword", - }, - "country_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "location": Object { - "type": "geo_point", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "group": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "hash": Object { - "properties": Object { - "md5": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha1": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha256": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha512": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "host": Object { - "properties": Object { - "architecture": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "cpu": Object { - "properties": Object { - "usage": Object { - "scaling_factor": 1000, - "type": "scaled_float", - }, - }, - }, - "disk": Object { - "properties": Object { - "read": Object { - "properties": Object { - "bytes": Object { - "type": "long", - }, - }, - }, - "write": Object { - "properties": Object { - "bytes": Object { - "type": "long", - }, - }, - }, - }, - }, - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "geo": Object { - "properties": Object { - "city_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "location": Object 
{ - "type": "geo_point", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "postal_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "timezone": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "hostname": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "ip": Object { - "type": "ip", - }, - "mac": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "network": Object { - "properties": Object { - "egress": Object { - "properties": Object { - "bytes": Object { - "type": "long", - }, - "packets": Object { - "type": "long", - }, - }, - }, - "ingress": Object { - "properties": Object { - "bytes": Object { - "type": "long", - }, - "packets": Object { - "type": "long", - }, - }, - }, - }, - }, - "os": Object { - "properties": Object { - "family": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "full": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "kernel": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "platform": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "uptime": Object { - "type": "long", - }, - "user": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - 
"type": "keyword", - }, - "email": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "full_name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "group": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "hash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "roles": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - }, - }, - "http": Object { - "properties": Object { - "request": Object { - "properties": Object { - "body": Object { - "properties": Object { - "bytes": Object { - "type": "long", - }, - "content": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "bytes": Object { - "type": "long", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "method": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "mime_type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "referrer": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "response": Object { - "properties": Object { - "body": Object { - "properties": Object { - "bytes": Object { - "type": "long", - }, - "content": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "bytes": Object { - "type": "long", - }, - "mime_type": Object { - "ignore_above": 1024, - "type": "keyword", - 
}, - "status_code": Object { - "type": "long", - }, - }, - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "interface": Object { - "properties": Object { - "alias": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "labels": Object { - "type": "object", - }, - "log": Object { - "properties": Object { - "file": Object { - "properties": Object { - "path": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "level": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "logger": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "origin": Object { - "properties": Object { - "file": Object { - "properties": Object { - "line": Object { - "type": "integer", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "function": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "original": Object { - "doc_values": false, - "ignore_above": 1024, - "index": false, - "type": "keyword", - }, - "syslog": Object { - "properties": Object { - "facility": Object { - "properties": Object { - "code": Object { - "type": "long", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "priority": Object { - "type": "long", - }, - "severity": Object { - "properties": Object { - "code": Object { - "type": "long", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - }, - "type": "object", - }, - }, - }, - "message": Object { - "norms": false, - "type": "text", - }, - "network": Object { - "properties": Object { - "application": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "bytes": Object { - "type": "long", - }, - "community_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "direction": Object { - "ignore_above": 1024, - 
"type": "keyword", - }, - "forwarded_ip": Object { - "type": "ip", - }, - "iana_number": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "inner": Object { - "properties": Object { - "vlan": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - }, - "type": "object", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "packets": Object { - "type": "long", - }, - "protocol": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "transport": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "vlan": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - }, - }, - "observer": Object { - "properties": Object { - "egress": Object { - "properties": Object { - "interface": Object { - "properties": Object { - "alias": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "vlan": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "zone": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - "type": "object", - }, - "geo": Object { - "properties": Object { - "city_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_name": Object { - "ignore_above": 1024, - 
"type": "keyword", - }, - "location": Object { - "type": "geo_point", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "postal_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "timezone": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "hostname": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "ingress": Object { - "properties": Object { - "interface": Object { - "properties": Object { - "alias": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "vlan": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "zone": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - "type": "object", - }, - "ip": Object { - "type": "ip", - }, - "mac": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "os": Object { - "properties": Object { - "family": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "full": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "kernel": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "platform": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "version": Object { - "ignore_above": 1024, - "type": 
"keyword", - }, - }, - }, - "product": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "serial_number": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "vendor": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "orchestrator": Object { - "properties": Object { - "api_version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "cluster": Object { - "properties": Object { - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "url": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "namespace": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "organization": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "resource": Object { - "properties": Object { - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "organization": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "os": Object { - "properties": Object { - "family": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "full": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "kernel": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - 
"platform": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "package": Object { - "properties": Object { - "architecture": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "build_version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "checksum": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "description": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "install_scope": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "installed": Object { - "type": "date", - }, - "license": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "path": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "reference": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "size": Object { - "type": "long", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "pe": Object { - "properties": Object { - "company": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "description": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "file_version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "original_file_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "product": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "process": Object { - "properties": Object { - "args": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "args_count": Object { - "type": "long", - }, - "code_signature": Object { - "properties": Object { - "exists": Object { - "type": "boolean", - }, - "signing_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "status": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subject_name": Object { - "ignore_above": 1024, 
- "type": "keyword", - }, - "team_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "trusted": Object { - "type": "boolean", - }, - "valid": Object { - "type": "boolean", - }, - }, - }, - "command_line": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "entity_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "executable": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "exit_code": Object { - "type": "long", - }, - "hash": Object { - "properties": Object { - "md5": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha1": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha256": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha512": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "ssdeep": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "parent": Object { - "properties": Object { - "args": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "args_count": Object { - "type": "long", - }, - "code_signature": Object { - "properties": Object { - "exists": Object { - "type": "boolean", - }, - "signing_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "status": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subject_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "team_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "trusted": Object { - "type": "boolean", - }, - "valid": Object { - "type": "boolean", - }, - }, - }, - "command_line": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 
1024, - "type": "keyword", - }, - "entity_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "executable": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "exit_code": Object { - "type": "long", - }, - "hash": Object { - "properties": Object { - "md5": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha1": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha256": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha512": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "ssdeep": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "pe": Object { - "properties": Object { - "architecture": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "company": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "description": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "file_version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "imphash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "original_file_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "product": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "pgid": Object { - "type": "long", - }, - "pid": Object { - "type": "long", - }, - "ppid": Object { - "type": "long", - }, - "start": Object { - "type": "date", - }, - "thread": Object { - "properties": Object { - "id": Object { - "type": "long", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "title": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "uptime": Object { - "type": "long", - }, - 
"working_directory": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "pe": Object { - "properties": Object { - "architecture": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "company": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "description": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "file_version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "imphash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "original_file_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "product": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "pgid": Object { - "type": "long", - }, - "pid": Object { - "type": "long", - }, - "ppid": Object { - "type": "long", - }, - "start": Object { - "type": "date", - }, - "thread": Object { - "properties": Object { - "id": Object { - "type": "long", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "title": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "uptime": Object { - "type": "long", - }, - "working_directory": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "registry": Object { - "properties": Object { - "data": Object { - "properties": Object { - "bytes": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "strings": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "hive": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "key": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "path": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "value": 
Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "related": Object { - "properties": Object { - "hash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "hosts": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "ip": Object { - "type": "ip", - }, - "user": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "rule": Object { - "properties": Object { - "author": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "category": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "description": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "license": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "reference": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "ruleset": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "uuid": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "server": Object { - "properties": Object { - "address": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "as": Object { - "properties": Object { - "number": Object { - "type": "long", - }, - "organization": Object { - "properties": Object { - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - }, - }, - "bytes": Object { - "type": "long", - }, - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "geo": Object { - "properties": Object { - "city_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_iso_code": Object { - 
"ignore_above": 1024, - "type": "keyword", - }, - "country_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "location": Object { - "type": "geo_point", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "postal_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "timezone": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "ip": Object { - "type": "ip", - }, - "mac": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "nat": Object { - "properties": Object { - "ip": Object { - "type": "ip", - }, - "port": Object { - "type": "long", - }, - }, - }, - "packets": Object { - "type": "long", - }, - "port": Object { - "type": "long", - }, - "registered_domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subdomain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "top_level_domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "user": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "email": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "full_name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "group": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "hash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - 
"type": "keyword", - }, - "roles": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - }, - }, - "service": Object { - "properties": Object { - "ephemeral_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "node": Object { - "properties": Object { - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "state": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "signal": Object { - "properties": Object { - "_meta": Object { - "properties": Object { - "version": Object { - "type": "long", - }, - }, - }, - "ancestors": Object { - "properties": Object { - "depth": Object { - "type": "long", - }, - "id": Object { - "type": "keyword", - }, - "index": Object { - "type": "keyword", - }, - "rule": Object { - "type": "keyword", - }, - "type": Object { - "type": "keyword", - }, - }, - }, - "depth": Object { - "type": "integer", - }, - "group": Object { - "properties": Object { - "id": Object { - "type": "keyword", - }, - "index": Object { - "type": "integer", - }, - }, - }, - "original_event": Object { - "properties": Object { - "action": Object { - "type": "keyword", - }, - "category": Object { - "type": "keyword", - }, - "code": Object { - "type": "keyword", - }, - "created": Object { - "type": "date", - }, - "dataset": Object { - "type": "keyword", - }, - "duration": Object { - "type": "long", - }, - "end": Object { - "type": "date", - }, - "hash": Object { - "type": "keyword", - }, - "id": Object { - "type": "keyword", - }, - "kind": Object { - "type": "keyword", - }, - "module": Object { - "type": "keyword", - }, - "original": Object { - "doc_values": false, - "index": false, - "type": "keyword", - }, - "outcome": Object 
{ - "type": "keyword", - }, - "provider": Object { - "type": "keyword", - }, - "risk_score": Object { - "type": "float", - }, - "risk_score_norm": Object { - "type": "float", - }, - "sequence": Object { - "type": "long", - }, - "severity": Object { - "type": "long", - }, - "start": Object { - "type": "date", - }, - "timezone": Object { - "type": "keyword", - }, - "type": Object { - "type": "keyword", - }, - }, - }, - "original_signal": Object { - "dynamic": false, - "enabled": false, - "type": "object", - }, - "original_time": Object { - "type": "date", - }, - "parent": Object { - "properties": Object { - "depth": Object { - "type": "long", - }, - "id": Object { - "type": "keyword", - }, - "index": Object { - "type": "keyword", - }, - "rule": Object { - "type": "keyword", - }, - "type": Object { - "type": "keyword", - }, - }, - }, - "parents": Object { - "properties": Object { - "depth": Object { - "type": "long", - }, - "id": Object { - "type": "keyword", - }, - "index": Object { - "type": "keyword", - }, - "rule": Object { - "type": "keyword", - }, - "type": Object { - "type": "keyword", - }, - }, - }, - "rule": Object { - "properties": Object { - "author": Object { - "type": "keyword", - }, - "building_block_type": Object { - "type": "keyword", - }, - "created_at": Object { - "type": "date", - }, - "created_by": Object { - "type": "keyword", - }, - "description": Object { - "type": "keyword", - }, - "enabled": Object { - "type": "keyword", - }, - "false_positives": Object { - "type": "keyword", - }, - "filters": Object { - "type": "object", - }, - "from": Object { - "type": "keyword", - }, - "id": Object { - "type": "keyword", - }, - "immutable": Object { - "type": "keyword", - }, - "index": Object { - "type": "keyword", - }, - "interval": Object { - "type": "keyword", - }, - "language": Object { - "type": "keyword", - }, - "license": Object { - "type": "keyword", - }, - "max_signals": Object { - "type": "keyword", - }, - "name": Object { - "type": "keyword", - 
}, - "note": Object { - "type": "text", - }, - "output_index": Object { - "type": "keyword", - }, - "query": Object { - "type": "keyword", - }, - "references": Object { - "type": "keyword", - }, - "risk_score": Object { - "type": "float", - }, - "risk_score_mapping": Object { - "properties": Object { - "field": Object { - "type": "keyword", - }, - "operator": Object { - "type": "keyword", - }, - "value": Object { - "type": "keyword", - }, - }, - }, - "rule_id": Object { - "type": "keyword", - }, - "rule_name_override": Object { - "type": "keyword", - }, - "saved_id": Object { - "type": "keyword", - }, - "severity": Object { - "type": "keyword", - }, - "severity_mapping": Object { - "properties": Object { - "field": Object { - "type": "keyword", - }, - "operator": Object { - "type": "keyword", - }, - "severity": Object { - "type": "keyword", - }, - "value": Object { - "type": "keyword", - }, - }, - }, - "size": Object { - "type": "keyword", - }, - "tags": Object { - "type": "keyword", - }, - "threat": Object { - "properties": Object { - "framework": Object { - "type": "keyword", - }, - "tactic": Object { - "properties": Object { - "id": Object { - "type": "keyword", - }, - "name": Object { - "type": "keyword", - }, - "reference": Object { - "type": "keyword", - }, - }, - }, - "technique": Object { - "properties": Object { - "id": Object { - "type": "keyword", - }, - "name": Object { - "type": "keyword", - }, - "reference": Object { - "type": "keyword", - }, - "subtechnique": Object { - "properties": Object { - "id": Object { - "type": "keyword", - }, - "name": Object { - "type": "keyword", - }, - "reference": Object { - "type": "keyword", - }, - }, - }, - }, - }, - }, - }, - "threat_filters": Object { - "type": "object", - }, - "threat_index": Object { - "type": "keyword", - }, - "threat_indicator_path": Object { - "type": "keyword", - }, - "threat_language": Object { - "type": "keyword", - }, - "threat_mapping": Object { - "properties": Object { - "entries": Object 
{ - "properties": Object { - "field": Object { - "type": "keyword", - }, - "type": Object { - "type": "keyword", - }, - "value": Object { - "type": "keyword", - }, - }, - }, - }, - }, - "threat_query": Object { - "type": "keyword", - }, - "threshold": Object { - "properties": Object { - "field": Object { - "type": "keyword", - }, - "value": Object { - "type": "float", - }, - }, - }, - "timeline_id": Object { - "type": "keyword", - }, - "timeline_title": Object { - "type": "keyword", - }, - "timestamp_override": Object { - "type": "keyword", - }, - "to": Object { - "type": "keyword", - }, - "type": Object { - "type": "keyword", - }, - "updated_at": Object { - "type": "date", - }, - "updated_by": Object { - "type": "keyword", - }, - "version": Object { - "type": "keyword", - }, - }, - }, - "status": Object { - "type": "keyword", - }, - "threshold_count": Object { - "type": "float", - }, - "threshold_result": Object { - "properties": Object { - "cardinality": Object { - "properties": Object { - "field": Object { - "type": "keyword", - }, - "value": Object { - "type": "long", - }, - }, - }, - "count": Object { - "type": "long", - }, - "from": Object { - "type": "date", - }, - "terms": Object { - "properties": Object { - "field": Object { - "type": "keyword", - }, - "value": Object { - "type": "keyword", - }, - }, - }, - }, - }, - }, - }, - "source": Object { - "properties": Object { - "address": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "as": Object { - "properties": Object { - "number": Object { - "type": "long", - }, - "organization": Object { - "properties": Object { - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - }, - }, - "bytes": Object { - "type": "long", - }, - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "geo": Object { - "properties": Object { - "city_name": Object { - "ignore_above": 1024, - 
"type": "keyword", - }, - "continent_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "location": Object { - "type": "geo_point", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "postal_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "timezone": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "ip": Object { - "type": "ip", - }, - "mac": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "nat": Object { - "properties": Object { - "ip": Object { - "type": "ip", - }, - "port": Object { - "type": "long", - }, - }, - }, - "packets": Object { - "type": "long", - }, - "port": Object { - "type": "long", - }, - "registered_domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subdomain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "top_level_domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "user": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "email": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "full_name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "group": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "hash": Object { - "ignore_above": 1024, - "type": 
"keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "roles": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - }, - }, - "span": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "tags": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "threat": Object { - "properties": Object { - "framework": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "indicator": Object { - "properties": Object { - "as": Object { - "properties": Object { - "number": Object { - "type": "long", - }, - "organization": Object { - "properties": Object { - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - }, - }, - "confidence": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "dataset": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "description": Object { - "type": "wildcard", - }, - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "email": Object { - "properties": Object { - "address": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "event": Object { - "properties": Object { - "action": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "category": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "created": Object { - "type": "date", - }, - "dataset": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "duration": Object { - "type": "long", - }, - "end": Object { - "type": "date", - }, - "hash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - 
"ingested": Object { - "type": "date", - }, - "kind": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "module": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "original": Object { - "doc_values": false, - "ignore_above": 1024, - "index": false, - "type": "keyword", - }, - "outcome": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "provider": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "reason": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "reference": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "risk_score": Object { - "type": "float", - }, - "risk_score_norm": Object { - "type": "float", - }, - "sequence": Object { - "type": "long", - }, - "severity": Object { - "type": "long", - }, - "start": Object { - "type": "date", - }, - "timezone": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "url": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "first_seen": Object { - "type": "date", - }, - "geo": Object { - "properties": Object { - "city_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "continent_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "location": Object { - "type": "geo_point", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_iso_code": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "region_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "ip": Object { - "type": "ip", - }, - "last_seen": Object { - "type": "date", - }, - "marking": Object { - "properties": Object { - "tlp": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "matched": Object { - "properties": Object { - 
"atomic": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "field": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "module": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "port": Object { - "type": "long", - }, - "provider": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "scanner_stats": Object { - "type": "long", - }, - "sightings": Object { - "type": "long", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - "type": "nested", - }, - "tactic": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "reference": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "technique": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "reference": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subtechnique": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "reference": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - }, - }, - }, - }, - "tls": Object { - "properties": Object { - "cipher": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "client": Object { - "properties": Object { - "certificate": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "certificate_chain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "hash": Object { - "properties": Object { - "md5": Object { - "ignore_above": 1024, - 
"type": "keyword", - }, - "sha1": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha256": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "issuer": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "ja3": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "not_after": Object { - "type": "date", - }, - "not_before": Object { - "type": "date", - }, - "server_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subject": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "supported_ciphers": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "x509": Object { - "properties": Object { - "alternative_names": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "issuer": Object { - "properties": Object { - "common_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "distinguished_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "locality": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "organization": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "organizational_unit": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "state_or_province": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "not_after": Object { - "type": "date", - }, - "not_before": Object { - "type": "date", - }, - "public_key_algorithm": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "public_key_curve": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "public_key_exponent": Object { - "doc_values": false, - "index": false, - "type": "long", - }, - "public_key_size": Object { - "type": "long", - }, - "serial_number": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "signature_algorithm": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subject": Object { - "properties": Object { - 
"common_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "distinguished_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "locality": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "organization": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "organizational_unit": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "state_or_province": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "version_number": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - }, - }, - "curve": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "established": Object { - "type": "boolean", - }, - "next_protocol": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "resumed": Object { - "type": "boolean", - }, - "server": Object { - "properties": Object { - "certificate": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "certificate_chain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "hash": Object { - "properties": Object { - "md5": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha1": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "sha256": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "issuer": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "ja3s": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "not_after": Object { - "type": "date", - }, - "not_before": Object { - "type": "date", - }, - "subject": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "x509": Object { - "properties": Object { - "alternative_names": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "issuer": Object { - "properties": Object { - "common_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country": Object { - "ignore_above": 1024, - "type": "keyword", - }, - 
"distinguished_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "locality": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "organization": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "organizational_unit": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "state_or_province": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "not_after": Object { - "type": "date", - }, - "not_before": Object { - "type": "date", - }, - "public_key_algorithm": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "public_key_curve": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "public_key_exponent": Object { - "doc_values": false, - "index": false, - "type": "long", - }, - "public_key_size": Object { - "type": "long", - }, - "serial_number": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "signature_algorithm": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subject": Object { - "properties": Object { - "common_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "country": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "distinguished_name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "locality": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "organization": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "organizational_unit": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "state_or_province": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "version_number": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - }, - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "version_protocol": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "trace": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "transaction": Object { - 
"properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "url": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "extension": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "fragment": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "full": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "original": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "password": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "path": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "port": Object { - "type": "long", - }, - "query": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "registered_domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "scheme": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "subdomain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "top_level_domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "username": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "user": Object { - "properties": Object { - "changes": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "email": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "full_name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "group": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "hash": Object { - 
"ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "roles": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "effective": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "email": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "full_name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "group": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "hash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "roles": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "email": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "full_name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "group": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "hash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 
1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "roles": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "target": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "email": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "full_name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "group": Object { - "properties": Object { - "domain": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "hash": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "roles": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - }, - }, - "user_agent": Object { - "properties": Object { - "device": Object { - "properties": Object { - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "original": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "os": Object { - "properties": Object { - "family": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "full": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "kernel": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": 
Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "platform": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "type": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "vlan": Object { - "properties": Object { - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "name": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "vulnerability": Object { - "properties": Object { - "category": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "classification": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "description": Object { - "fields": Object { - "text": Object { - "norms": false, - "type": "text", - }, - }, - "ignore_above": 1024, - "type": "keyword", - }, - "enumeration": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "reference": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "report_id": Object { - "ignore_above": 1024, - "type": "keyword", - }, - "scanner": Object { - "properties": Object { - "vendor": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "score": Object { - "properties": Object { - "base": Object { - "type": "float", - }, - "environmental": Object { - "type": "float", - }, - "temporal": Object { - "type": "float", - }, - "version": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - "severity": Object { - "ignore_above": 1024, - "type": "keyword", - }, - }, - }, - }, - }, - "settings": Object { - "index": Object { - "lifecycle": Object { - "name": "test-index", - "rollover_alias": "test-index", - }, - }, - "mapping": Object { - "total_fields": Object { - "limit": 10000, - }, - 
}, - }, - "version": 45, -} -`; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/check_template_version.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/check_template_version.ts index 164c8644acaa9d..36a0aaf38e15d6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/check_template_version.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/check_template_version.ts @@ -9,6 +9,7 @@ import { ElasticsearchClient } from 'src/core/server'; import { isOutdated } from '../../migrations/helpers'; import { SIGNALS_TEMPLATE_VERSION } from './get_signals_template'; +// TODO: update this to check both legacy and component templates export const getTemplateVersion = async ({ alias, esClient, @@ -17,10 +18,8 @@ export const getTemplateVersion = async ({ alias: string; }): Promise => { try { - const response = await esClient.indices.getTemplate<{ - [templateName: string]: { version: number }; - }>({ name: alias }); - return response.body[alias].version ?? 0; + const response = await esClient.indices.getIndexTemplate({ name: alias }); + return response.body.index_templates[0].index_template.version ?? 0; } catch (e) { return 0; } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts index 4383b3feb62ad9..d51520c1bede98 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts 
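Review bot: The rewritten `getTemplateVersion` still maps every failure of `getIndexTemplate` to 0 in its catch block, so a 403, a timeout or a malformed response is indistinguishable from "no index template yet" and is later treated as a legacy install by the `templateVersion <= 45` branch in create_index_route. Only not-found should yield 0; if the client's ResponseError carries the status as it appears to elsewhere in this series, `if (e?.meta?.statusCode === 404) return 0; throw e;` keeps the fallback for the expected case and surfaces everything else. `index_templates[0]` is also indexed with no length check, so an empty array becomes a TypeError that the same catch silently turns into 0; a short comment on that line saying the fallback is deliberate would stop the next reader from "fixing" it. The TODO above the function notes it does not consult legacy templates, so a version-45 legacy template also reads as 0 here — that coincidence is what the migration relies on and deserves to be written down.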
@@ -5,12 +5,13 @@ * 2.0. */ +import { estypes } from '@elastic/elasticsearch'; +import { ElasticsearchClient } from 'src/core/server'; import { transformError, getIndexExists, getPolicyExists, setPolicy, - setTemplate, createBootstrapIndex, } from '@kbn/securitysolution-es-utils'; import type { @@ -20,16 +21,24 @@ import type { } from '../../../../types'; import { DETECTION_ENGINE_INDEX_URL } from '../../../../../common/constants'; import { buildSiemResponse } from '../utils'; -import { getSignalsTemplate, SIGNALS_TEMPLATE_VERSION } from './get_signals_template'; +import { + createSignalsFieldAliases, + getSignalsTemplate, + getRbacRequiredFields, + SIGNALS_TEMPLATE_VERSION, +} from './get_signals_template'; import { ensureMigrationCleanupPolicy } from '../../migrations/migration_cleanup'; import signalsPolicy from './signals_policy.json'; -import { templateNeedsUpdate } from './check_template_version'; +import { getTemplateVersion, templateNeedsUpdate } from './check_template_version'; import { getIndexVersion } from './get_index_version'; import { isOutdated } from '../../migrations/helpers'; -import { parseExperimentalConfigValue } from '../../../../../common/experimental_features'; -import { ConfigType } from '../../../../config'; +import { RuleDataPluginService } from '../../../../../../rule_registry/server'; +import signalExtraFields from './signal_extra_fields.json'; -export const createIndexRoute = (router: SecuritySolutionPluginRouter, config: ConfigType) => { +export const createIndexRoute = ( + router: SecuritySolutionPluginRouter, + ruleDataService: RuleDataPluginService +) => { router.post( { path: DETECTION_ENGINE_INDEX_URL, 
@@ -39,10 +48,6 @@ export const createIndexRoute = (router: SecuritySolutionPluginRouter, config: C }, }, async (context, request, response) => { - const { ruleRegistryEnabled } = parseExperimentalConfigValue(config.enableExperimental); - if (ruleRegistryEnabled) { - return response.ok({ body: { acknowledged: true } }); - } const siemResponse = buildSiemResponse(response); try { @@ -50,7 +55,7 @@ export const createIndexRoute = (router: SecuritySolutionPluginRouter, config: C if (!siemClient) { return siemResponse.error({ statusCode: 404 }); } - await createDetectionIndex(context, siemClient!); + await createDetectionIndex(context, siemClient!, ruleDataService); return response.ok({ body: { acknowledged: true } }); } catch (err) { const error = transformError(err); @@ -73,9 +78,11 @@ class CreateIndexError extends Error { export const createDetectionIndex = async ( context: SecuritySolutionRequestHandlerContext, - siemClient: AppClient + siemClient: AppClient, + ruleDataService: RuleDataPluginService ): Promise => { const esClient = context.core.elasticsearch.client.asCurrentUser; + const spaceId = siemClient.getSpaceId(); if (!siemClient) { throw new CreateIndexError('', 404); 
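Review bot: `const spaceId = siemClient.getSpaceId();` is evaluated before the `if (!siemClient)` guard that follows it, so a missing client now throws a TypeError from the member access and never reaches `throw new CreateIndexError('', 404)`; the route's `transformError` path would report that as a generic server error instead of the intended 404. Move the assignment below the guard: `if (!siemClient) { throw new CreateIndexError('', 404); }` then `const spaceId = siemClient.getSpaceId();`. The body of createDetectionIndex continues past this hunk.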
@@ -88,7 +95,18 @@ export const createDetectionIndex = async (
     await setPolicy(esClient, index, signalsPolicy);
   }
   if (await templateNeedsUpdate({ alias: index, esClient })) {
-    await setTemplate(esClient, index, getSignalsTemplate(index));
+    const aadIndexAliasName = `${ruleDataService.getFullAssetName('security.alerts')}-${spaceId}`;
+    await esClient.indices.putIndexTemplate({
+      name: index,
+      body: getSignalsTemplate(index, spaceId, aadIndexAliasName) as Record,
+    });
+    const templateVersion = await getTemplateVersion({ alias: index, esClient });
+    // 45 is the last version that did not include alerts-as-data field and index aliases in the template
+    // Update existing indices with these field and index aliases if upgrading from <= v45
+    if (templateVersion <= 45) {
+      await addAliasesToIndices({ esClient, index, aadIndexAliasName, spaceId });
+      await esClient.indices.deleteTemplate({ name: index });
+    }
   }
   const indexExists = await getIndexExists(esClient, index);
   if (indexExists) {
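Review bot: `templateVersion` is read after `putIndexTemplate` has just written `SIGNALS_TEMPLATE_VERSION` into the same template, so on these lines a successful read always yields the new version and the `<= 45` branch can only be entered when `getTemplateVersion` falls back to 0; existing signals indices would never receive the field and index aliases. Beyond reading the version first, the alias migration should run before the new template is written, so that a failed `putMapping` leaves the old version in place and `templateNeedsUpdate` retries it on the next call instead of being masked by a template that already claims the new version. The legacy `deleteTemplate` belongs after the mapping update succeeds for the same reason. The function continues outside the hunk.

```typescript
  const templateVersion = await getTemplateVersion({ alias: index, esClient });
  if (await templateNeedsUpdate({ alias: index, esClient })) {
    const aadIndexAliasName = `${ruleDataService.getFullAssetName('security.alerts')}-${spaceId}`;
    // 45 is the last version without alerts-as-data field/index aliases. Migrate existing indices
    // before the template is bumped so a failure here is retried on the next call.
    if (templateVersion <= 45) {
      await addAliasesToIndices({ esClient, index, aadIndexAliasName, spaceId });
      await esClient.indices.deleteTemplate({ name: index });
    }
    // … unchanged: putIndexTemplate call …
  }
```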
@@ -100,3 +118,40 @@ export const createDetectionIndex = async (
     await createBootstrapIndex(esClient, index);
   }
 };
+
+const addAliasesToIndices = async ({
+  esClient,
+  index,
+  aadIndexAliasName,
+  spaceId,
+}: {
+  esClient: ElasticsearchClient;
+  index: string;
+  aadIndexAliasName: string;
+  spaceId: string;
+}) => {
+  await esClient.indices.putAlias({
+    index: `${index}-*`,
+    name: aadIndexAliasName,
+    body: {
+      is_write_index: false,
+    },
+  });
+
+  // Make sure that all signal fields we add aliases for are guaranteed to exist in the mapping for ALL historical
+  // signals indices (either by adding them to signalExtraFields or ensuring they exist in the original signals
+  // mapping) or else this call will fail and not update ANY signals indices
+  const fieldAliases = createSignalsFieldAliases();
+  const newMapping = {
+    properties: {
+      ...signalExtraFields,
+      ...fieldAliases,
+      ...getRbacRequiredFields(spaceId),
+    },
+  };
+  await esClient.indices.putMapping({
+    index: `${index}-*`,
+    body: newMapping,
+    allow_no_indices: true,
+  } as estypes.IndicesPutMappingRequest);
+};
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/delete_index_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/delete_index_route.ts
index 5260c9487de8a5..6d1422a660abca 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/delete_index_route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/delete_index_route.ts
@@ -10,9 +10,7 @@ import {
   getIndexExists,
   getPolicyExists,
   deletePolicy,
-  getTemplateExists,
   deleteAllIndex,
-  deleteTemplate,
 } from '@kbn/securitysolution-es-utils';
 import type { SecuritySolutionPluginRouter } from '../../../../types';
 import { DETECTION_ENGINE_INDEX_URL } from '../../../../../common/constants';
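Review bot: Both calls in `addAliasesToIndices` target the glob `${index}-*`, which, if space ids may contain hyphens, also matches another space's indices whenever that space's id extends this one (`.siem-signals-foo-*` matches `.siem-signals-foo-bar-000001`); the `.alerts-security.alerts-foo` alias and the `constant_keyword` `kibana.space_ids` value for `foo` would then be applied to `foo-bar`'s indices, exposing them under the wrong space alias, or the `putMapping` would fail outright where that constant value is already set. Resolve the concrete indices behind the write alias instead of globbing: `const { body } = await esClient.indices.getAlias({ name: index }); const targets = Object.keys(body);` and pass `index: targets` to both calls, skipping when it is empty. That also removes the asymmetry where `putMapping` passes `allow_no_indices: true` but `putAlias` does not, so on a space with no signals index yet the first call presumably fails before the second is reached. The `as estypes.IndicesPutMappingRequest` cast hides whichever property the client type rejects; a one-line comment naming it would keep the cast from being cargo-culted.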
@@ -22,6 +20,7 @@ import { buildSiemResponse } from '../utils'; * Deletes all of the indexes, template, ilm policies, and aliases. You can check * this by looking at each of these settings from ES after a deletion: * GET /_template/.siem-signals-default + * GET /_index_template/.siem-signals-default * GET /.siem-signals-default-000001/ * GET /_ilm/policy/.signals-default * GET /_alias/.siem-signals-default @@ -63,9 +62,13 @@ export const deleteIndexRoute = (router: SecuritySolutionPluginRouter) => { if (policyExists) { await deletePolicy(esClient, index); } - const templateExists = await getTemplateExists(esClient, index); + const templateExists = await esClient.indices.existsIndexTemplate({ name: index }); if (templateExists) { - await deleteTemplate(esClient, index); + await esClient.indices.deleteIndexTemplate({ name: index }); + } + const legacyTemplateExists = await esClient.indices.existsTemplate({ name: index }); + if (legacyTemplateExists) { + await esClient.indices.deleteTemplate({ name: index }); } return response.ok({ body: { acknowledged: true } }); } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.test.ts index 4691db1b19595e..e003c96e612dc2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.test.ts 
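Review bot: `existsIndexTemplate` and `existsTemplate` on this `esClient` return a response envelope rather than a boolean — the same client is read as `response.body.index_templates` in check_template_version and `const { body: indexMappings }` later in the series — so `if (templateExists)` and `if (legacyTemplateExists)` are always true and both deletes run unconditionally; once the legacy template is gone, `deleteTemplate` will fail with not-found and the delete route errors after only partially cleaning up. The helper this hunk removed, `getTemplateExists`, presumably did the unwrapping. Destructure the body: `const { body: templateExists } = await esClient.indices.existsIndexTemplate({ name: index });` and `const { body: legacyTemplateExists } = await esClient.indices.existsTemplate({ name: index });`.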
@@ -9,8 +9,12 @@ import { getSignalsTemplate } from './get_signals_template'; describe('get_signals_template', () => { test('it should set the lifecycle "name" and "rollover_alias" to be the name of the index passed in', () => { - const template = getSignalsTemplate('test-index'); - expect(template.settings).toEqual({ + const template = getSignalsTemplate( + 'test-index', + 'space-id', + '.alerts-security.alerts-space-id' + ); + expect(template.template.settings).toEqual({ index: { lifecycle: { name: 'test-index', 
@@ -24,23 +28,39 @@ describe('get_signals_template', () => { }); test('it should set have the index patterns with an ending glob in it', () => { - const template = getSignalsTemplate('test-index'); + const template = getSignalsTemplate( + 'test-index', + 'space-id', + '.alerts-security.alerts-space-id' + ); expect(template.index_patterns).toEqual(['test-index-*']); }); test('it should have a mappings section which is an object type', () => { - const template = getSignalsTemplate('test-index'); - expect(typeof template.mappings).toEqual('object'); + const template = getSignalsTemplate( + 'test-index', + 'space-id', + '.alerts-security.alerts-space-id' + ); + expect(typeof template.template.mappings).toEqual('object'); }); test('it should have a signals section which is an object type', () => { - const template = getSignalsTemplate('test-index'); - expect(typeof template.mappings.properties.signal).toEqual('object'); + const template = getSignalsTemplate( + 'test-index', + 'space-id', + '.alerts-security.alerts-space-id' + ); + expect(typeof template.template.mappings.properties.signal).toEqual('object'); }); test('it should have a "total_fields" section that is at least 10k in size', () => { - const template = getSignalsTemplate('test-index'); - expect(template.settings.mapping.total_fields.limit).toBeGreaterThanOrEqual(10000); + const template = getSignalsTemplate( + 'test-index', + 'space-id', + '.alerts-security.alerts-space-id' + ); + expect(template.template.settings.mapping.total_fields.limit).toBeGreaterThanOrEqual(10000); }); // If you see this test fail, you should track down any and all "constant_keyword" in your ecs_mapping.json and replace 
@@ -62,7 +82,11 @@ describe('get_signals_template', () => { // Instead you have to use "keyword". This test was first introduced when ECS 1.10 came out and data_stream.* values which had // "constant_keyword" fields and we needed to change those to be "keyword" instead. test('it should NOT have any "constant_keyword" and instead those should be replaced with regular "keyword" in the mapping', () => { - const template = getSignalsTemplate('test-index'); + const template = getSignalsTemplate( + 'test-index', + 'space-id', + '.alerts-security.alerts-space-id' + ); // Small recursive function to find any values of "constant_keyword" and mark which fields it was found on and then error on those fields // The matchers from jest such as jest.toMatchObject do not support recursion, so I have to write it here: @@ -83,11 +107,11 @@ describe('get_signals_template', () => { } }, []); const constantKeywordsFound = recursiveConstantKeywordFound('', template); - expect(constantKeywordsFound).toEqual([]); - }); - - test('it should match snapshot', () => { - const template = getSignalsTemplate('test-index'); - expect(template).toMatchSnapshot(); + expect(constantKeywordsFound).toEqual([ + 'template.mappings.properties.kibana.space_ids', + 'template.mappings.properties.kibana.consumers', + 'template.mappings.properties.kibana.producer', + 'template.mappings.properties.kibana.alert.rule.rule_type_id', + ]); }); }); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts index 5c1fe4ad87ad51..d56e81c65be1de 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts 
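Review bot: The test keeps the name `it should NOT have any "constant_keyword" and instead those should be replaced with regular "keyword" in the mapping` while its expectation is now an explicit list of four `constant_keyword` fields, and the comment block above it still tells the reader to track down and remove every `constant_keyword`; both now contradict the assertion. Rename it to something like `it should only have constant_keyword on the RBAC fields from getRbacRequiredFields` and extend the comment with one sentence saying the four `kibana.*` fields are intentional because their values are fixed per space and consumer at index time. The `toMatchSnapshot` test is removed without a replacement; if the snapshot was the only guard on the ECS/other mapping content, that is worth a note in the commit description. The enclosing describe starts before this hunk.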
@@ -5,6 +5,7 @@ * 2.0. */ +import { SPACE_IDS } from '@kbn/rule-data-utils'; import signalsMapping from './signals_mapping.json'; import ecsMapping from './ecs_mapping.json'; import otherMapping from './other_mappings.json'; 
@@ -23,94 +24,10 @@ import aadFieldConversion from './signal_aad_mapping.json'; incremented by 10 in order to add "room" for the aforementioned patch release */ -export const SIGNALS_TEMPLATE_VERSION = 45; +export const SIGNALS_TEMPLATE_VERSION = 55; export const MIN_EQL_RULE_INDEX_VERSION = 2; -export const getSignalsTemplate = (index: string) => { - const template = { - settings: { - index: { - lifecycle: { - name: index, - rollover_alias: index, - }, - }, - mapping: { - total_fields: { - limit: 10000, - }, - }, - }, - index_patterns: [`${index}-*`], - mappings: { - dynamic: false, - properties: { - ...ecsMapping.mappings.properties, - ...otherMapping.mappings.properties, - signal: signalsMapping.mappings.properties.signal, - threat: { - ...ecsMapping.mappings.properties.threat, - properties: { - ...ecsMapping.mappings.properties.threat.properties, - indicator: { - ...otherMapping.mappings.properties.threat.properties.indicator, - properties: { - ...otherMapping.mappings.properties.threat.properties.indicator.properties, - event: ecsMapping.mappings.properties.event, - }, - }, - }, - }, - }, - _meta: { - version: SIGNALS_TEMPLATE_VERSION, - }, - }, - version: SIGNALS_TEMPLATE_VERSION, - }; - return template; -}; - -export const createSignalsFieldAliases = () => { - const fieldAliases: Record = {}; - Object.entries(aadFieldConversion).forEach(([key, value]) => { - fieldAliases[value] = { - type: 'alias', - path: key, - }; - }); - return fieldAliases; -}; - -export const getRbacRequiredFields = (spaceId: string) => { - return { - 'kibana.space_ids': { - type: 'constant_keyword', - value: spaceId, - }, - 'kibana.consumers': { - type: 'constant_keyword', - value: 'siem', - }, - 'kibana.producer': { - type: 'constant_keyword', - value: 'siem', - }, - // TODO: discuss naming of this field and what the value will be for legacy signals. - // Can we leave it as 'siem.signals' or do we need a runtime field that will map signal.rule.type - // to the new ruleTypeId? 
- 'kibana.alert.rule.rule_type_id': { - type: 'constant_keyword', - value: 'siem.signals', - }, - }; -}; - -export const getNewSignalsTemplate = ( - index: string, - spaceId: string, - aadIndexAliasName: string -) => { +export const getSignalsTemplate = (index: string, spaceId: string, aadIndexAliasName: string) => { const fieldAliases = createSignalsFieldAliases(); const template = { index_patterns: [`${index}-*`], @@ -164,3 +81,38 @@ export const getNewSignalsTemplate = ( }; return template; }; + +export const createSignalsFieldAliases = () => { + const fieldAliases: Record = {}; + Object.entries(aadFieldConversion).forEach(([key, value]) => { + fieldAliases[value] = { + type: 'alias', + path: key, + }; + }); + return fieldAliases; +}; + +export const getRbacRequiredFields = (spaceId: string) => { + return { + [SPACE_IDS]: { + type: 'constant_keyword', + value: spaceId, + }, + 'kibana.consumers': { + type: 'constant_keyword', + value: 'siem', + }, + 'kibana.producer': { + type: 'constant_keyword', + value: 'siem', + }, + // TODO: discuss naming of this field and what the value will be for legacy signals. + // Can we leave it as 'siem.signals' or do we need a runtime field that will map signal.rule.type + // to the new ruleTypeId? + 'kibana.alert.rule.rule_type_id': { + type: 'constant_keyword', + value: 'siem.signals', + }, + }; +}; diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts index 881f43893380a6..cc5226d8dd86fb 100644 --- a/x-pack/plugins/security_solution/server/plugin.ts +++ b/x-pack/plugins/security_solution/server/plugin.ts 
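Review bot: `createSignalsFieldAliases` lets a later entry of `signal_aad_mapping.json` silently overwrite an earlier one that maps to the same alerts-as-data field name, so a duplicate target drops a signal field from the alias set without any error; guard it with `if (fieldAliases[value] !== undefined) { throw new Error(`duplicate alias target ${value}`); }`. A TSDoc line on the function stating that the JSON key is the existing signal field (the alias `path`) and the value the new name would help, since the direction is easy to get backwards. `getRbacRequiredFields` now pulls `SPACE_IDS` from `@kbn/rule-data-utils` but still spells `'kibana.consumers'`, `'kibana.producer'` and `'kibana.alert.rule.rule_type_id'` as literals; if that package exports constants for those too, using them keeps the four fields consistent with the rule registry.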
@@ -96,7 +96,7 @@ import aadFieldConversion from './lib/detection_engine/routes/index/signal_aad_m import signalExtraFields from './lib/detection_engine/routes/index/signal_extra_fields.json'; import { createSignalsFieldAliases, - getNewSignalsTemplate, + getSignalsTemplate, getRbacRequiredFields, } from './lib/detection_engine/routes/index/get_signals_template'; import { getKibanaPrivilegesFeaturePrivileges } from './features'; @@ -203,9 +203,8 @@ export class Plugin implements IPlugin { @@ -277,6 +276,7 @@ export class Plugin implements IPlugin { // Detection Engine Rule routes that have the REST endpoints of /api/detection_engine/rules @@ -117,7 +118,7 @@ export const initRoutes = ( // Detection Engine index routes that have the REST endpoints of /api/detection_engine/index // All REST index creation, policy management for spaces - createIndexRoute(router, config); + createIndexRoute(router, ruleDataService); readIndexRoute(router, config); deleteIndexRoute(router); From 30ac118f5d57151f9df22aa7e22612e6d327d497 Mon Sep 17 00:00:00 2001 From: Marshall Main Date: Fri, 30 Jul 2021 10:21:56 -0700 Subject: [PATCH 14/32] Check template version before updating template --- .../lib/detection_engine/routes/index/create_index_route.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts index d51520c1bede98..35515e44bf4f31 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts 
@@ -94,13 +94,13 @@ export const createDetectionIndex = async ( if (!policyExists) { await setPolicy(esClient, index, signalsPolicy); } + const templateVersion = await getTemplateVersion({ alias: index, esClient }); if (await templateNeedsUpdate({ alias: index, esClient })) { const aadIndexAliasName = `${ruleDataService.getFullAssetName('security.alerts')}-${spaceId}`; await esClient.indices.putIndexTemplate({ name: index, body: getSignalsTemplate(index, spaceId, aadIndexAliasName) as Record, }); - const templateVersion = await getTemplateVersion({ alias: index, esClient }); // 45 is the last version that did not include alerts-as-data field and index aliases in the template // Update existing indices with these field and index aliases if upgrading from <= v45 if (templateVersion <= 45) { From 3c6f7b7ed33f361fcb026386820b0e6daf3a3bbe Mon Sep 17 00:00:00 2001 From: Marshall Main Date: Fri, 30 Jul 2021 13:39:53 -0700 Subject: [PATCH 15/32] First pass at modifying routes to handle inserting field aliases --- .../routes/index/check_template_version.ts | 14 +++++++- .../routes/index/create_index_route.ts | 15 ++++---- .../routes/index/get_signals_template.ts | 2 ++ .../routes/index/read_index_route.ts | 34 +++++++++++++------ .../security_solution/server/plugin.ts | 32 ++++------------- 5 files changed, 52 insertions(+), 45 deletions(-) diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/check_template_version.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/check_template_version.ts index 36a0aaf38e15d6..a0f3704b327110 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/check_template_version.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/check_template_version.ts 
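Review bot: The `45` in `if (templateVersion <= 45)` is a magic number that now gates a one-time data migration; name it next to `SIGNALS_TEMPLATE_VERSION`, e.g. `export const LAST_TEMPLATE_VERSION_WITHOUT_AAD_ALIASES = 45;`, and compare against that so the cutoff is revisited whenever the template version is bumped. `getTemplateVersion` is now fetched on every request before `templateNeedsUpdate` has decided anything, and since `templateNeedsUpdate` appears to read the same version (its return in the next patch compares `templateVersion` against `SIGNALS_TEMPLATE_VERSION`), fetching once and deriving both would avoid a second cluster call on this path. What `getTemplateVersion` returns when no template exists yet is not visible here; if it yields 0 for a fresh space, `addAliasesToIndices` runs against indices that do not exist, so that case needs a comment or guard. `createDetectionIndex` starts and ends outside the hunk.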
@@ -5,9 +5,10 @@ * 2.0. */ +import { get } from 'lodash'; import { ElasticsearchClient } from 'src/core/server'; import { isOutdated } from '../../migrations/helpers'; -import { SIGNALS_TEMPLATE_VERSION } from './get_signals_template'; +import { SIGNALS_FIELD_ALIASES_VERSION, SIGNALS_TEMPLATE_VERSION } from './get_signals_template'; // TODO: update this to check both legacy and component templates export const getTemplateVersion = async ({ @@ -36,3 +37,14 @@ export const templateNeedsUpdate = async ({ return isOutdated({ current: templateVersion, target: SIGNALS_TEMPLATE_VERSION }); }; + +export const fieldAliasesOutdated = async (esClient: ElasticsearchClient, index: string) => { + const { body: indexMappings } = await esClient.indices.get({ index }); + for (const [_, mapping] of Object.entries(indexMappings)) { + const aliasesVersion = get(mapping.mappings?._meta, 'aliases_version') ?? 0; + if (aliasesVersion < SIGNALS_FIELD_ALIASES_VERSION) { + return true; + } + } + return false; +}; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts index 35515e44bf4f31..4267a548bf8e6e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts 
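Review bot: `fieldAliasesOutdated` calls `esClient.indices.get({ index })` without handling the not-found case; with default client settings a missing index rejects with a 404 `ResponseError` rather than yielding an empty body, and in the next file of this patch (`create_index_route.ts`, the `@@ -94,20 +94,19 @@` hunk) the function is invoked before `getIndexExists` runs, so the first call for a space would fail before the index is ever created. Either pass `{ ignore: [404] }` as the request options and treat an empty body as "nothing to update", or have the caller check existence first. `for (const [_, mapping] of Object.entries(indexMappings))` discards the key it binds; `for (const mapping of Object.values(indexMappings))` says the same without the unused binding. A one-line contract would help callers: `// true if any index matched by \`index\` has _meta.aliases_version below SIGNALS_FIELD_ALIASES_VERSION (missing counts as 0)`.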
@@ -29,7 +29,7 @@ import { } from './get_signals_template'; import { ensureMigrationCleanupPolicy } from '../../migrations/migration_cleanup'; import signalsPolicy from './signals_policy.json'; -import { getTemplateVersion, templateNeedsUpdate } from './check_template_version'; +import { fieldAliasesOutdated, templateNeedsUpdate } from './check_template_version'; import { getIndexVersion } from './get_index_version'; import { isOutdated } from '../../migrations/helpers'; import { RuleDataPluginService } from '../../../../../../rule_registry/server'; @@ -94,20 +94,19 @@ export const createDetectionIndex = async ( if (!policyExists) { await setPolicy(esClient, index, signalsPolicy); } - const templateVersion = await getTemplateVersion({ alias: index, esClient }); + const aadIndexAliasName = `${ruleDataService.getFullAssetName('security.alerts')}-${spaceId}`; if (await templateNeedsUpdate({ alias: index, esClient })) { - const aadIndexAliasName = `${ruleDataService.getFullAssetName('security.alerts')}-${spaceId}`; await esClient.indices.putIndexTemplate({ name: index, body: getSignalsTemplate(index, spaceId, aadIndexAliasName) as Record, }); - // 45 is the last version that did not include alerts-as-data field and index aliases in the template - // Update existing indices with these field and index aliases if upgrading from <= v45 - if (templateVersion <= 45) { - await addAliasesToIndices({ esClient, index, aadIndexAliasName, spaceId }); + if (await esClient.indices.existsTemplate({ name: index })) { await esClient.indices.deleteTemplate({ name: index }); } } + if (await fieldAliasesOutdated(esClient, index)) { + await addAliasesToIndices({ esClient, index, aadIndexAliasName, spaceId }); + } const indexExists = await getIndexExists(esClient, index); if (indexExists) { const indexVersion = await getIndexVersion(esClient, index); 
@@ -119,7 +118,7 @@ export const createDetectionIndex = async ( } }; -const addAliasesToIndices = async ({ +export const addAliasesToIndices = async ({ esClient, index, aadIndexAliasName, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts index d56e81c65be1de..5e264ded20fb47 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts @@ -26,6 +26,7 @@ import aadFieldConversion from './signal_aad_mapping.json'; */ export const SIGNALS_TEMPLATE_VERSION = 55; export const MIN_EQL_RULE_INDEX_VERSION = 2; +export const SIGNALS_FIELD_ALIASES_VERSION = 1; export const getSignalsTemplate = (index: string, spaceId: string, aadIndexAliasName: string) => { const fieldAliases = createSignalsFieldAliases(); @@ -74,6 +75,7 @@ export const getSignalsTemplate = (index: string, spaceId: string, aadIndexAlias }, _meta: { version: SIGNALS_TEMPLATE_VERSION, + aliases_version: SIGNALS_FIELD_ALIASES_VERSION, }, }, }, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/read_index_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/read_index_route.ts index 3527e43c03d52b..4cfedd5dcaa011 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/read_index_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/read_index_route.ts 
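Review bot: `aliases_version` is written into the index template's `_meta`, but `fieldAliasesOutdated` (earlier in this patch) reads `_meta.aliases_version` from each existing index's own mappings; a template change only affects indices created afterwards, so existing indices keep reporting outdated until something writes `_meta` into them. Whether `addAliasesToIndices` does that is not visible here (its body lies outside the hunks); if it does not, the create-index route will re-run the alias update on every call. A comment beside the constant stating where the value must be written would make the coupling explicit, e.g. `// Bump when signal_aad_mapping.json changes; addAliasesToIndices must also write this into _meta of every index it updates`.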
@@ -15,6 +15,7 @@ import { buildSiemResponse } from '../utils'; import { SIGNALS_TEMPLATE_VERSION } from './get_signals_template'; import { getIndexVersion } from './get_index_version'; import { isOutdated } from '../../migrations/helpers'; +import { fieldAliasesOutdated } from './check_template_version'; export const readIndexRoute = (router: SecuritySolutionPluginRouter, config: ConfigType) => { router.get( @@ -38,23 +39,20 @@ export const readIndexRoute = (router: SecuritySolutionPluginRouter, config: Con // TODO: Once we are past experimental phase this code should be removed const { ruleRegistryEnabled } = parseExperimentalConfigValue(config.enableExperimental); - if (ruleRegistryEnabled) { - return response.ok({ - body: { name: DEFAULT_ALERTS_INDEX, index_mapping_outdated: false }, - }); - } const index = siemClient.getSignalsIndex(); - const indexExists = ruleRegistryEnabled ? true : await getIndexExists(esClient, index); + const indexExists = await getIndexExists(esClient, index); if (indexExists) { let mappingOutdated: boolean | null = null; + let aliasesOutdated: boolean | null = null; try { const indexVersion = await getIndexVersion(esClient, index); mappingOutdated = isOutdated({ current: indexVersion, target: SIGNALS_TEMPLATE_VERSION, }); + aliasesOutdated = await fieldAliasesOutdated(esClient, index); } catch (err) { const error = transformError(err); // Some users may not have the view_index_metadata permission necessary to check the index mapping version 
@@ -66,12 +64,26 @@ export const readIndexRoute = (router: SecuritySolutionPluginRouter, config: Con }); } } - return response.ok({ body: { name: index, index_mapping_outdated: mappingOutdated } }); - } else { - return siemResponse.error({ - statusCode: 404, - body: 'index for this space does not exist', + return response.ok({ + body: { + name: ruleRegistryEnabled ? DEFAULT_ALERTS_INDEX : index, + index_mapping_outdated: mappingOutdated || aliasesOutdated, + }, }); + } else { + if (ruleRegistryEnabled) { + return response.ok({ + body: { + name: DEFAULT_ALERTS_INDEX, + index_mapping_outdated: false, + }, + }); + } else { + return siemResponse.error({ + statusCode: 404, + body: 'index for this space does not exist', + }); + } } } catch (err) { const error = transformError(err); diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts index 847d467d98c5bd..7ecbbbcb03847f 100644 --- a/x-pack/plugins/security_solution/server/plugin.ts +++ b/x-pack/plugins/security_solution/server/plugin.ts @@ -101,6 +101,7 @@ import { } from './lib/detection_engine/routes/index/get_signals_template'; import { getKibanaPrivilegesFeaturePrivileges } from './features'; import { EndpointMetadataService } from './endpoint/services/metadata'; +import { addAliasesToIndices } from './lib/detection_engine/routes/index/create_index_route'; export interface SetupPlugins { alerting: AlertingSetup; @@ -347,7 +348,7 @@ export class Plugin implements IPlugin { const existingTemplateResponse = await clusterClient.indices 
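Review bot: `index_mapping_outdated: mappingOutdated || aliasesOutdated` loses the three-state meaning these values carry: in the previous hunk they are assigned sequentially inside one `try`, so if `getIndexVersion` succeeds and `fieldAliasesOutdated` throws, `mappingOutdated` is `false` while `aliasesOutdated` stays `null`, and `false || null` reports `null` ("unknown") where the mapping check actually answered. Since `aliasesOutdated` can only be non-null when `mappingOutdated` is, combine them explicitly: `index_mapping_outdated: aliasesOutdated === null ? mappingOutdated : mappingOutdated || aliasesOutdated,`. The new `} else { if (ruleRegistryEnabled) { … } else { … } }` nests where `} else if (ruleRegistryEnabled) {` would keep the three outcomes at one level. The `readIndexRoute` handler begins outside the hunk.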
@@ -366,7 +367,6 @@ export class Plugin implements IPlugin, }); - await clusterClient.indices.putAlias({ + await addAliasesToIndices({ + esClient: clusterClient, index: `${existingTemplateName}-*`, - name: aadIndexAliasName, - body: { - is_write_index: false, - }, + aadIndexAliasName, + spaceId, }); - - // Make sure that all signal fields we add aliases for are guaranteed to exist in the mapping for ALL historical - // signals indices (either by adding them to signalExtraFields or ensuring they exist in the original signals - // mapping) or else this call will fail and not update ANY signals indices - const newMapping = { - properties: { - ...signalExtraFields, - ...fieldAliases, - ...getRbacRequiredFields(spaceId), - }, - }; - await clusterClient.indices.putMapping({ - index: `${existingTemplateName}-*`, - body: newMapping, - allow_no_indices: true, - } as estypes.IndicesPutMappingRequest); - await clusterClient.indices.deleteTemplate({ name: existingTemplateName }); } catch (err) { this.logger.error( @@ -417,7 +399,7 @@ export class Plugin implements IPlugin Date: Fri, 30 Jul 2021 14:21:28 -0700 Subject: [PATCH 16/32] Always insert field aliases when create_index_route is called --- .../routes/index/check_template_version.ts | 14 +------------- .../routes/index/create_index_route.ts | 11 +++++------ .../routes/index/get_signals_template.ts | 2 -- .../routes/index/read_index_route.ts | 5 +---- 4 files changed, 7 insertions(+), 25 deletions(-) diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/check_template_version.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/check_template_version.ts index a0f3704b327110..36a0aaf38e15d6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/check_template_version.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/check_template_version.ts 
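Review bot: The removed comment stating that every aliased source field must already exist in the mapping of ALL historical signals indices, or the `putMapping` fails and updates none of them, is the key constraint on this code path, and it disappears here without reappearing in `addAliasesToIndices` (whose body is outside these hunks). It should travel with the code; add to the helper something like `// Every alias target must exist in every matched index's mapping (via signalExtraFields or the base signals mapping); ES rejects the whole putMapping otherwise, updating no index.` This call also passes the wildcard `${existingTemplateName}-*`, and the removed `putMapping` set `allow_no_indices: true`; confirm the helper still does, otherwise a space with a template but no indices yet would fail at this point.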
@@ -5,10 +5,9 @@ * 2.0. */ -import { get } from 'lodash'; import { ElasticsearchClient } from 'src/core/server'; import { isOutdated } from '../../migrations/helpers'; -import { SIGNALS_FIELD_ALIASES_VERSION, SIGNALS_TEMPLATE_VERSION } from './get_signals_template'; +import { SIGNALS_TEMPLATE_VERSION } from './get_signals_template'; // TODO: update this to check both legacy and component templates export const getTemplateVersion = async ({ @@ -37,14 +36,3 @@ export const templateNeedsUpdate = async ({ return isOutdated({ current: templateVersion, target: SIGNALS_TEMPLATE_VERSION }); }; - -export const fieldAliasesOutdated = async (esClient: ElasticsearchClient, index: string) => { - const { body: indexMappings } = await esClient.indices.get({ index }); - for (const [_, mapping] of Object.entries(indexMappings)) { - const aliasesVersion = get(mapping.mappings?._meta, 'aliases_version') ?? 0; - if (aliasesVersion < SIGNALS_FIELD_ALIASES_VERSION) { - return true; - } - } - return false; -}; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts index 4267a548bf8e6e..3a7d586433bfd1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts @@ -29,7 +29,7 @@ import { } from './get_signals_template'; import { ensureMigrationCleanupPolicy } from '../../migrations/migration_cleanup'; import signalsPolicy from './signals_policy.json'; -import { fieldAliasesOutdated, templateNeedsUpdate } from './check_template_version'; +import { templateNeedsUpdate } from './check_template_version'; import { getIndexVersion } from './get_index_version'; import { isOutdated } from '../../migrations/helpers'; import { RuleDataPluginService } from '../../../../../../rule_registry/server'; 
@@ -100,13 +100,12 @@ export const createDetectionIndex = async ( name: index, body: getSignalsTemplate(index, spaceId, aadIndexAliasName) as Record, }); - if (await esClient.indices.existsTemplate({ name: index })) { - await esClient.indices.deleteTemplate({ name: index }); - } } - if (await fieldAliasesOutdated(esClient, index)) { - await addAliasesToIndices({ esClient, index, aadIndexAliasName, spaceId }); + // Check if the old legacy siem signals template exists and remove it + if (await esClient.indices.existsTemplate({ name: index })) { + await esClient.indices.deleteTemplate({ name: index }); } + await addAliasesToIndices({ esClient, index, aadIndexAliasName, spaceId }); const indexExists = await getIndexExists(esClient, index); if (indexExists) { const indexVersion = await getIndexVersion(esClient, index); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts index 5e264ded20fb47..d56e81c65be1de 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts @@ -26,7 +26,6 @@ import aadFieldConversion from './signal_aad_mapping.json'; */ export const SIGNALS_TEMPLATE_VERSION = 55; export const MIN_EQL_RULE_INDEX_VERSION = 2; -export const SIGNALS_FIELD_ALIASES_VERSION = 1; export const getSignalsTemplate = (index: string, spaceId: string, aadIndexAliasName: string) => { const fieldAliases = createSignalsFieldAliases(); @@ -75,7 +74,6 @@ export const getSignalsTemplate = (index: string, spaceId: string, aadIndexAlias }, _meta: { version: SIGNALS_TEMPLATE_VERSION, - aliases_version: SIGNALS_FIELD_ALIASES_VERSION, }, }, }, 
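Review bot: `addAliasesToIndices` now runs on every call to the route, before `getIndexExists` has checked whether the signals index exists, so a first call for a space issues alias and mapping updates against a target that is not there yet; whether that is harmless depends on the helper's body, which is outside the hunk. Moving the call under the existence check removes the question: `const indexExists = await getIndexExists(esClient, index); if (indexExists) { await addAliasesToIndices({ esClient, index, aadIndexAliasName, spaceId }); …`. The legacy template is also deleted unconditionally now, including when `templateNeedsUpdate` returned false and no `putIndexTemplate` was issued; the `TODO` on `getTemplateVersion` says it checks only one template type, so if it reads the legacy template's version the composable template may never be written before the old one is removed. State the assumption beside the deletion: `// Safe only because the composable template above was just written or verified current`. `createDetectionIndex` continues outside the hunk.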
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/read_index_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/read_index_route.ts index 4cfedd5dcaa011..3b0c16df185da6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/read_index_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/read_index_route.ts @@ -15,7 +15,6 @@ import { buildSiemResponse } from '../utils'; import { SIGNALS_TEMPLATE_VERSION } from './get_signals_template'; import { getIndexVersion } from './get_index_version'; import { isOutdated } from '../../migrations/helpers'; -import { fieldAliasesOutdated } from './check_template_version'; export const readIndexRoute = (router: SecuritySolutionPluginRouter, config: ConfigType) => { router.get( @@ -45,14 +44,12 @@ export const readIndexRoute = (router: SecuritySolutionPluginRouter, config: Con if (indexExists) { let mappingOutdated: boolean | null = null; - let aliasesOutdated: boolean | null = null; try { const indexVersion = await getIndexVersion(esClient, index); mappingOutdated = isOutdated({ current: indexVersion, target: SIGNALS_TEMPLATE_VERSION, }); - aliasesOutdated = await fieldAliasesOutdated(esClient, index); } catch (err) { const error = transformError(err); // Some users may not have the view_index_metadata permission necessary to check the index mapping version @@ -67,7 +64,7 @@ export const readIndexRoute = (router: SecuritySolutionPluginRouter, config: Con return response.ok({ body: { name: ruleRegistryEnabled ? DEFAULT_ALERTS_INDEX : index, - index_mapping_outdated: mappingOutdated || aliasesOutdated, + index_mapping_outdated: mappingOutdated, }, }); } else { From f1f5ddcdd33099be7a3bc0ccb14eb079f2cc5ae5 Mon Sep 17 00:00:00 2001 
From: Marshall Main Date: Fri, 30 Jul 2021 15:26:52 -0700 Subject: [PATCH 17/32] Update snapshot test --- .../get_signals_template.test.ts.snap | 4920 +++++++++++++++++ .../routes/index/get_signals_template.test.ts | 9 + 2 files changed, 4929 insertions(+) create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap new file mode 100644 index 00000000000000..0afa8966d9eb47 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap 
@@ -0,0 +1,4920 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP + +exports[`get_signals_template it should match snapshot 1`] = ` +Object { + "index_patterns": Array [ + "test-index-*", + ], + "template": Object { + "aliases": Object { + ".alerts-security.alerts-space-id": Object { + "is_write_index": false, + }, + }, + "mappings": Object { + "_meta": Object { + "version": 55, + }, + "dynamic": false, + "properties": Object { + "@timestamp": Object { + "type": "date", + }, + "agent": Object { + "properties": Object { + "build": Object { + "properties": Object { + "original": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "ephemeral_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "as": Object { + "properties": Object { + "number": Object { + "type": "long", + }, + "organization": Object { + "properties": Object { + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "client": Object { + "properties": Object { + "address": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "as": Object { + "properties": Object { + "number": Object { + "type": "long", + }, + "organization": Object { + "properties": Object { + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "bytes": Object { + "type": "long", + }, + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "geo": Object { + "properties": Object { + "city_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + 
"continent_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "location": Object { + "type": "geo_point", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "postal_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "timezone": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "ip": Object { + "type": "ip", + }, + "mac": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "nat": Object { + "properties": Object { + "ip": Object { + "type": "ip", + }, + "port": Object { + "type": "long", + }, + }, + }, + "packets": Object { + "type": "long", + }, + "port": Object { + "type": "long", + }, + "registered_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subdomain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "top_level_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "user": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "email": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": 
Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "cloud": Object { + "properties": Object { + "account": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "availability_zone": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "instance": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "machine": Object { + "properties": Object { + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "project": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "provider": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "service": Object { + "properties": Object { + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "code_signature": Object { + "properties": Object { + "exists": Object { + "type": "boolean", + }, + "status": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "trusted": Object { + "type": "boolean", + }, + "valid": Object { + "type": "boolean", + }, + }, + }, + "container": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "image": Object { + "properties": Object { + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, 
+ "tag": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "labels": Object { + "type": "object", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "runtime": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "data_stream": Object { + "properties": Object { + "dataset": Object { + "type": "keyword", + }, + "namespace": Object { + "type": "keyword", + }, + "type": Object { + "type": "keyword", + }, + }, + }, + "destination": Object { + "properties": Object { + "address": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "as": Object { + "properties": Object { + "number": Object { + "type": "long", + }, + "organization": Object { + "properties": Object { + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "bytes": Object { + "type": "long", + }, + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "geo": Object { + "properties": Object { + "city_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "location": Object { + "type": "geo_point", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "postal_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "timezone": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "ip": Object { + "type": "ip", + }, + "mac": Object { + "ignore_above": 1024, + "type": "keyword", + 
}, + "nat": Object { + "properties": Object { + "ip": Object { + "type": "ip", + }, + "port": Object { + "type": "long", + }, + }, + }, + "packets": Object { + "type": "long", + }, + "port": Object { + "type": "long", + }, + "registered_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subdomain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "top_level_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "user": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "email": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "dll": Object { + "properties": Object { + "code_signature": Object { + "properties": Object { + "exists": Object { + "type": "boolean", + }, + "signing_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "status": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "team_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "trusted": Object { + "type": "boolean", + }, + "valid": Object { + "type": "boolean", + }, + }, + }, + 
"hash": Object { + "properties": Object { + "md5": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha1": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha256": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha512": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ssdeep": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "path": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "pe": Object { + "properties": Object { + "architecture": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "company": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "description": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "file_version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "imphash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "original_file_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "product": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "dns": Object { + "properties": Object { + "answers": Object { + "properties": Object { + "class": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "data": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ttl": Object { + "type": "long", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + "type": "object", + }, + "header_flags": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "op_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "question": Object { + "properties": Object { + "class": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "registered_domain": 
Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subdomain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "top_level_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "resolved_ip": Object { + "type": "ip", + }, + "response_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "ecs": Object { + "properties": Object { + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "error": Object { + "properties": Object { + "code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "message": Object { + "norms": false, + "type": "text", + }, + "stack_trace": Object { + "doc_values": false, + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "index": false, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "event": Object { + "properties": Object { + "action": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "category": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "created": Object { + "type": "date", + }, + "dataset": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "duration": Object { + "type": "long", + }, + "end": Object { + "type": "date", + }, + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ingested": Object { + "type": "date", + }, + "kind": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "module": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "original": Object { + "doc_values": false, + "ignore_above": 
1024, + "index": false, + "type": "keyword", + }, + "outcome": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "provider": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "reason": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "reference": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "risk_score": Object { + "type": "float", + }, + "risk_score_norm": Object { + "type": "float", + }, + "sequence": Object { + "type": "long", + }, + "severity": Object { + "type": "long", + }, + "start": Object { + "type": "date", + }, + "timezone": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "url": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "file": Object { + "properties": Object { + "accessed": Object { + "type": "date", + }, + "attributes": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "code_signature": Object { + "properties": Object { + "exists": Object { + "type": "boolean", + }, + "signing_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "status": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "team_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "trusted": Object { + "type": "boolean", + }, + "valid": Object { + "type": "boolean", + }, + }, + }, + "created": Object { + "type": "date", + }, + "ctime": Object { + "type": "date", + }, + "device": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "directory": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "drive_letter": Object { + "ignore_above": 1, + "type": "keyword", + }, + "extension": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "gid": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "hash": Object 
{ + "properties": Object { + "md5": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha1": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha256": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha512": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ssdeep": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "inode": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "mime_type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "mode": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "mtime": Object { + "type": "date", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "owner": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "path": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "pe": Object { + "properties": Object { + "architecture": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "company": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "description": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "file_version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "imphash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "original_file_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "product": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "size": Object { + "type": "long", + }, + "target_path": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "uid": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "x509": Object { + "properties": Object { + "alternative_names": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "issuer": 
Object { + "properties": Object { + "common_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "distinguished_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "locality": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organization": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organizational_unit": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "state_or_province": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "not_after": Object { + "type": "date", + }, + "not_before": Object { + "type": "date", + }, + "public_key_algorithm": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "public_key_curve": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "public_key_exponent": Object { + "doc_values": false, + "index": false, + "type": "long", + }, + "public_key_size": Object { + "type": "long", + }, + "serial_number": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "signature_algorithm": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject": Object { + "properties": Object { + "common_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "distinguished_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "locality": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organization": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organizational_unit": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "state_or_province": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "version_number": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "geo": Object { + "properties": Object { + "city_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + 
"continent_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "location": Object { + "type": "geo_point", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "hash": Object { + "properties": Object { + "md5": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha1": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha256": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha512": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "host": Object { + "properties": Object { + "architecture": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "cpu": Object { + "properties": Object { + "usage": Object { + "scaling_factor": 1000, + "type": "scaled_float", + }, + }, + }, + "disk": Object { + "properties": Object { + "read": Object { + "properties": Object { + "bytes": Object { + "type": "long", + }, + }, + }, + "write": Object { + "properties": Object { + "bytes": Object { + "type": "long", + }, + }, + }, + }, + }, + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "geo": Object { + "properties": Object { + "city_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_iso_code": Object { + 
"ignore_above": 1024, + "type": "keyword", + }, + "country_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "location": Object { + "type": "geo_point", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "postal_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "timezone": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "hostname": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ip": Object { + "type": "ip", + }, + "mac": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "network": Object { + "properties": Object { + "egress": Object { + "properties": Object { + "bytes": Object { + "type": "long", + }, + "packets": Object { + "type": "long", + }, + }, + }, + "ingress": Object { + "properties": Object { + "bytes": Object { + "type": "long", + }, + "packets": Object { + "type": "long", + }, + }, + }, + }, + }, + "os": Object { + "properties": Object { + "family": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "kernel": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "platform": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "type": Object { + "ignore_above": 1024, + "type": 
"keyword", + }, + "uptime": Object { + "type": "long", + }, + "user": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "email": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "http": Object { + "properties": Object { + "request": Object { + "properties": Object { + "body": Object { + "properties": Object { + "bytes": Object { + "type": "long", + }, + "content": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "bytes": Object { + "type": "long", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "method": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "mime_type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "referrer": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "response": Object { + "properties": Object { + "body": Object { + "properties": Object { + "bytes": Object { + "type": "long", + }, + "content": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, 
+ "type": "keyword", + }, + }, + }, + "bytes": Object { + "type": "long", + }, + "mime_type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "status_code": Object { + "type": "long", + }, + }, + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "interface": Object { + "properties": Object { + "alias": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "kibana.alert.ancestors.depth": Object { + "path": "signal.ancestors.depth", + "type": "alias", + }, + "kibana.alert.ancestors.id": Object { + "path": "signal.ancestors.id", + "type": "alias", + }, + "kibana.alert.ancestors.index": Object { + "path": "signal.ancestors.index", + "type": "alias", + }, + "kibana.alert.ancestors.type": Object { + "path": "signal.ancestors.type", + "type": "alias", + }, + "kibana.alert.depth": Object { + "path": "signal.depth", + "type": "alias", + }, + "kibana.alert.original_event.action": Object { + "path": "signal.original_event.action", + "type": "alias", + }, + "kibana.alert.original_event.category": Object { + "path": "signal.original_event.category", + "type": "alias", + }, + "kibana.alert.original_event.code": Object { + "path": "signal.original_event.code", + "type": "alias", + }, + "kibana.alert.original_event.created": Object { + "path": "signal.original_event.created", + "type": "alias", + }, + "kibana.alert.original_event.dataset": Object { + "path": "signal.original_event.dataset", + "type": "alias", + }, + "kibana.alert.original_event.duration": Object { + "path": "signal.original_event.duration", + "type": "alias", + }, + "kibana.alert.original_event.end": Object { + "path": "signal.original_event.end", + "type": "alias", + }, + "kibana.alert.original_event.hash": Object { + "path": "signal.original_event.hash", + "type": "alias", + }, + "kibana.alert.original_event.id": 
Object { + "path": "signal.original_event.id", + "type": "alias", + }, + "kibana.alert.original_event.kind": Object { + "path": "signal.original_event.kind", + "type": "alias", + }, + "kibana.alert.original_event.module": Object { + "path": "signal.original_event.module", + "type": "alias", + }, + "kibana.alert.original_event.outcome": Object { + "path": "signal.original_event.outcome", + "type": "alias", + }, + "kibana.alert.original_event.provider": Object { + "path": "signal.original_event.provider", + "type": "alias", + }, + "kibana.alert.original_event.risk_score": Object { + "path": "signal.original_event.risk_score", + "type": "alias", + }, + "kibana.alert.original_event.risk_score_norm": Object { + "path": "signal.original_event.risk_score_norm", + "type": "alias", + }, + "kibana.alert.original_event.sequence": Object { + "path": "signal.original_event.sequence", + "type": "alias", + }, + "kibana.alert.original_event.severity": Object { + "path": "signal.original_event.severity", + "type": "alias", + }, + "kibana.alert.original_event.start": Object { + "path": "signal.original_event.start", + "type": "alias", + }, + "kibana.alert.original_event.timezone": Object { + "path": "signal.original_event.timezone", + "type": "alias", + }, + "kibana.alert.original_event.type": Object { + "path": "signal.original_event.type", + "type": "alias", + }, + "kibana.alert.original_time": Object { + "path": "signal.original_time", + "type": "alias", + }, + "kibana.alert.risk_score": Object { + "path": "signal.rule.risk_score", + "type": "alias", + }, + "kibana.alert.rule.author": Object { + "path": "signal.rule.author", + "type": "alias", + }, + "kibana.alert.rule.building_block_type": Object { + "path": "signal.rule.building_block_type", + "type": "alias", + }, + "kibana.alert.rule.created_at": Object { + "path": "signal.rule.created_at", + "type": "alias", + }, + "kibana.alert.rule.created_by": Object { + "path": "signal.rule.created_by", + "type": "alias", + }, + 
"kibana.alert.rule.description": Object { + "path": "signal.rule.description", + "type": "alias", + }, + "kibana.alert.rule.enabled": Object { + "path": "signal.rule.enabled", + "type": "alias", + }, + "kibana.alert.rule.false_positives": Object { + "path": "signal.rule.false_positives", + "type": "alias", + }, + "kibana.alert.rule.from": Object { + "path": "signal.rule.from", + "type": "alias", + }, + "kibana.alert.rule.id": Object { + "path": "signal.rule.id", + "type": "alias", + }, + "kibana.alert.rule.immutable": Object { + "path": "signal.rule.immutable", + "type": "alias", + }, + "kibana.alert.rule.index": Object { + "path": "signal.rule.index", + "type": "alias", + }, + "kibana.alert.rule.interval": Object { + "path": "signal.rule.interval", + "type": "alias", + }, + "kibana.alert.rule.language": Object { + "path": "signal.rule.language", + "type": "alias", + }, + "kibana.alert.rule.license": Object { + "path": "signal.rule.license", + "type": "alias", + }, + "kibana.alert.rule.max_signals": Object { + "path": "signal.rule.max_signals", + "type": "alias", + }, + "kibana.alert.rule.name": Object { + "path": "signal.rule.name", + "type": "alias", + }, + "kibana.alert.rule.note": Object { + "path": "signal.rule.note", + "type": "alias", + }, + "kibana.alert.rule.query": Object { + "path": "signal.rule.query", + "type": "alias", + }, + "kibana.alert.rule.references": Object { + "path": "signal.rule.references", + "type": "alias", + }, + "kibana.alert.rule.risk_score_mapping.field": Object { + "path": "signal.rule.risk_score_mapping.field", + "type": "alias", + }, + "kibana.alert.rule.risk_score_mapping.operator": Object { + "path": "signal.rule.risk_score_mapping.operator", + "type": "alias", + }, + "kibana.alert.rule.risk_score_mapping.value": Object { + "path": "signal.rule.risk_score_mapping.value", + "type": "alias", + }, + "kibana.alert.rule.rule_id": Object { + "path": "signal.rule.rule_id", + "type": "alias", + }, + 
"kibana.alert.rule.rule_name_override": Object { + "path": "signal.rule.rule_name_override", + "type": "alias", + }, + "kibana.alert.rule.rule_type_id": Object { + "type": "constant_keyword", + "value": "siem.signals", + }, + "kibana.alert.rule.saved_id": Object { + "path": "signal.rule.saved_id", + "type": "alias", + }, + "kibana.alert.rule.severity_mapping.field": Object { + "path": "signal.rule.severity_mapping.field", + "type": "alias", + }, + "kibana.alert.rule.severity_mapping.operator": Object { + "path": "signal.rule.severity_mapping.operator", + "type": "alias", + }, + "kibana.alert.rule.severity_mapping.severity": Object { + "path": "signal.rule.severity_mapping.severity", + "type": "alias", + }, + "kibana.alert.rule.severity_mapping.value": Object { + "path": "signal.rule.severity_mapping.value", + "type": "alias", + }, + "kibana.alert.rule.tags": Object { + "path": "signal.rule.tags", + "type": "alias", + }, + "kibana.alert.rule.threat.framework": Object { + "path": "signal.rule.threat.framework", + "type": "alias", + }, + "kibana.alert.rule.threat.tactic.id": Object { + "path": "signal.rule.threat.tactic.id", + "type": "alias", + }, + "kibana.alert.rule.threat.tactic.name": Object { + "path": "signal.rule.threat.tactic.name", + "type": "alias", + }, + "kibana.alert.rule.threat.tactic.reference": Object { + "path": "signal.rule.threat.tactic.reference", + "type": "alias", + }, + "kibana.alert.rule.threat.technique.id": Object { + "path": "signal.rule.threat.technique.id", + "type": "alias", + }, + "kibana.alert.rule.threat.technique.name": Object { + "path": "signal.rule.threat.technique.name", + "type": "alias", + }, + "kibana.alert.rule.threat.technique.reference": Object { + "path": "signal.rule.threat.technique.reference", + "type": "alias", + }, + "kibana.alert.rule.threat.technique.subtechnique.id": Object { + "path": "signal.rule.threat.technique.subtechnique.id", + "type": "alias", + }, + "kibana.alert.rule.threat.technique.subtechnique.name": 
Object { + "path": "signal.rule.threat.technique.subtechnique.name", + "type": "alias", + }, + "kibana.alert.rule.threat.technique.subtechnique.reference": Object { + "path": "signal.rule.threat.technique.subtechnique.reference", + "type": "alias", + }, + "kibana.alert.rule.threat_index": Object { + "path": "signal.rule.threat_index", + "type": "alias", + }, + "kibana.alert.rule.threat_indicator_path": Object { + "path": "signal.rule.threat_indicator_path", + "type": "alias", + }, + "kibana.alert.rule.threat_language": Object { + "path": "signal.rule.threat_language", + "type": "alias", + }, + "kibana.alert.rule.threat_mapping.entries.field": Object { + "path": "signal.rule.threat_mapping.entries.field", + "type": "alias", + }, + "kibana.alert.rule.threat_mapping.entries.type": Object { + "path": "signal.rule.threat_mapping.entries.type", + "type": "alias", + }, + "kibana.alert.rule.threat_mapping.entries.value": Object { + "path": "signal.rule.threat_mapping.entries.value", + "type": "alias", + }, + "kibana.alert.rule.threat_query": Object { + "path": "signal.rule.threat_query", + "type": "alias", + }, + "kibana.alert.rule.threshold.field": Object { + "path": "signal.rule.threshold.field", + "type": "alias", + }, + "kibana.alert.rule.threshold.value": Object { + "path": "signal.rule.threshold.value", + "type": "alias", + }, + "kibana.alert.rule.timeline_id": Object { + "path": "signal.rule.timeline_id", + "type": "alias", + }, + "kibana.alert.rule.timeline_title": Object { + "path": "signal.rule.timeline_title", + "type": "alias", + }, + "kibana.alert.rule.to": Object { + "path": "signal.rule.to", + "type": "alias", + }, + "kibana.alert.rule.type": Object { + "path": "signal.rule.type", + "type": "alias", + }, + "kibana.alert.rule.updated_at": Object { + "path": "signal.rule.updated_at", + "type": "alias", + }, + "kibana.alert.rule.updated_by": Object { + "path": "signal.rule.updated_by", + "type": "alias", + }, + "kibana.alert.rule.version": Object { + "path": 
"signal.rule.version", + "type": "alias", + }, + "kibana.alert.severity": Object { + "path": "signal.rule.severity", + "type": "alias", + }, + "kibana.alert.threshold_result.cardinality.field": Object { + "path": "signal.threshold_result.cardinality.field", + "type": "alias", + }, + "kibana.alert.threshold_result.cardinality.value": Object { + "path": "signal.threshold_result.cardinality.value", + "type": "alias", + }, + "kibana.alert.threshold_result.count": Object { + "path": "signal.threshold_result.count", + "type": "alias", + }, + "kibana.alert.threshold_result.from": Object { + "path": "signal.threshold_result.from", + "type": "alias", + }, + "kibana.alert.threshold_result.terms.field": Object { + "path": "signal.threshold_result.terms.field", + "type": "alias", + }, + "kibana.alert.threshold_result.terms.value": Object { + "path": "signal.threshold_result.terms.value", + "type": "alias", + }, + "kibana.alert.workflow_status": Object { + "path": "signal.status", + "type": "alias", + }, + "kibana.consumers": Object { + "type": "constant_keyword", + "value": "siem", + }, + "kibana.producer": Object { + "type": "constant_keyword", + "value": "siem", + }, + "kibana.space_ids": Object { + "type": "constant_keyword", + "value": "space-id", + }, + "labels": Object { + "type": "object", + }, + "log": Object { + "properties": Object { + "file": Object { + "properties": Object { + "path": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "level": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "logger": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "origin": Object { + "properties": Object { + "file": Object { + "properties": Object { + "line": Object { + "type": "integer", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "function": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "original": Object { + "doc_values": false, + "ignore_above": 1024, + "index": 
false, + "type": "keyword", + }, + "syslog": Object { + "properties": Object { + "facility": Object { + "properties": Object { + "code": Object { + "type": "long", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "priority": Object { + "type": "long", + }, + "severity": Object { + "properties": Object { + "code": Object { + "type": "long", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + "type": "object", + }, + }, + }, + "message": Object { + "norms": false, + "type": "text", + }, + "network": Object { + "properties": Object { + "application": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "bytes": Object { + "type": "long", + }, + "community_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "direction": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "forwarded_ip": Object { + "type": "ip", + }, + "iana_number": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "inner": Object { + "properties": Object { + "vlan": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + "type": "object", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "packets": Object { + "type": "long", + }, + "protocol": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "transport": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "vlan": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "observer": Object { + "properties": Object { + "egress": Object { + "properties": Object { + "interface": Object { + "properties": Object { + "alias": Object { + "ignore_above": 1024, + "type": 
"keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "vlan": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "zone": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + "type": "object", + }, + "geo": Object { + "properties": Object { + "city_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "location": Object { + "type": "geo_point", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "postal_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "timezone": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "hostname": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ingress": Object { + "properties": Object { + "interface": Object { + "properties": Object { + "alias": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "vlan": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "zone": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + "type": "object", + }, + 
"ip": Object { + "type": "ip", + }, + "mac": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "os": Object { + "properties": Object { + "family": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "kernel": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "platform": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "product": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "serial_number": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "vendor": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "orchestrator": Object { + "properties": Object { + "api_version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "cluster": Object { + "properties": Object { + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "url": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "namespace": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organization": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "resource": Object { + "properties": Object { + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, 
+ }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "organization": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "os": Object { + "properties": Object { + "family": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "kernel": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "platform": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "package": Object { + "properties": Object { + "architecture": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "build_version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "checksum": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "description": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "install_scope": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "installed": Object { + "type": "date", + }, + "license": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "path": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "reference": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "size": Object { + "type": "long", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "pe": Object { + 
"properties": Object { + "company": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "description": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "file_version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "original_file_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "product": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "process": Object { + "properties": Object { + "args": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "args_count": Object { + "type": "long", + }, + "code_signature": Object { + "properties": Object { + "exists": Object { + "type": "boolean", + }, + "signing_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "status": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "team_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "trusted": Object { + "type": "boolean", + }, + "valid": Object { + "type": "boolean", + }, + }, + }, + "command_line": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "entity_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "executable": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "exit_code": Object { + "type": "long", + }, + "hash": Object { + "properties": Object { + "md5": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha1": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha256": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha512": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ssdeep": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": 
false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "parent": Object { + "properties": Object { + "args": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "args_count": Object { + "type": "long", + }, + "code_signature": Object { + "properties": Object { + "exists": Object { + "type": "boolean", + }, + "signing_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "status": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "team_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "trusted": Object { + "type": "boolean", + }, + "valid": Object { + "type": "boolean", + }, + }, + }, + "command_line": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "entity_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "executable": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "exit_code": Object { + "type": "long", + }, + "hash": Object { + "properties": Object { + "md5": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha1": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha256": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha512": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ssdeep": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "pe": Object { + "properties": Object { + "architecture": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "company": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "description": Object { + "ignore_above": 1024, + 
"type": "keyword", + }, + "file_version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "imphash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "original_file_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "product": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "pgid": Object { + "type": "long", + }, + "pid": Object { + "type": "long", + }, + "ppid": Object { + "type": "long", + }, + "start": Object { + "type": "date", + }, + "thread": Object { + "properties": Object { + "id": Object { + "type": "long", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "title": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "uptime": Object { + "type": "long", + }, + "working_directory": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "pe": Object { + "properties": Object { + "architecture": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "company": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "description": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "file_version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "imphash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "original_file_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "product": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "pgid": Object { + "type": "long", + }, + "pid": Object { + "type": "long", + }, + "ppid": Object { + "type": "long", + }, + "start": Object { + "type": "date", + }, + "thread": Object { + "properties": Object { + "id": Object { + "type": "long", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "title": Object { + "fields": 
Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "uptime": Object { + "type": "long", + }, + "working_directory": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "registry": Object { + "properties": Object { + "data": Object { + "properties": Object { + "bytes": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "strings": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "hive": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "key": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "path": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "value": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "related": Object { + "properties": Object { + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "hosts": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ip": Object { + "type": "ip", + }, + "user": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "rule": Object { + "properties": Object { + "author": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "category": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "description": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "license": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "reference": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ruleset": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "uuid": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": 
"keyword", + }, + }, + }, + "server": Object { + "properties": Object { + "address": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "as": Object { + "properties": Object { + "number": Object { + "type": "long", + }, + "organization": Object { + "properties": Object { + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "bytes": Object { + "type": "long", + }, + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "geo": Object { + "properties": Object { + "city_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "location": Object { + "type": "geo_point", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "postal_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "timezone": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "ip": Object { + "type": "ip", + }, + "mac": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "nat": Object { + "properties": Object { + "ip": Object { + "type": "ip", + }, + "port": Object { + "type": "long", + }, + }, + }, + "packets": Object { + "type": "long", + }, + "port": Object { + "type": "long", + }, + "registered_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subdomain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "top_level_domain": Object { + "ignore_above": 1024, + "type": "keyword", + 
}, + "user": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "email": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "service": Object { + "properties": Object { + "ephemeral_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "node": Object { + "properties": Object { + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "state": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "signal": Object { + "properties": Object { + "_meta": Object { + "properties": Object { + "version": Object { + "type": "long", + }, + }, + }, + "ancestors": Object { + "properties": Object { + "depth": Object { + "type": "long", + }, + "id": Object { + "type": "keyword", + }, + "index": Object { + "type": "keyword", + }, + "rule": Object { + "type": "keyword", + }, + "type": Object { + "type": 
"keyword", + }, + }, + }, + "depth": Object { + "type": "integer", + }, + "group": Object { + "properties": Object { + "id": Object { + "type": "keyword", + }, + "index": Object { + "type": "integer", + }, + }, + }, + "original_event": Object { + "properties": Object { + "action": Object { + "type": "keyword", + }, + "category": Object { + "type": "keyword", + }, + "code": Object { + "type": "keyword", + }, + "created": Object { + "type": "date", + }, + "dataset": Object { + "type": "keyword", + }, + "duration": Object { + "type": "long", + }, + "end": Object { + "type": "date", + }, + "hash": Object { + "type": "keyword", + }, + "id": Object { + "type": "keyword", + }, + "kind": Object { + "type": "keyword", + }, + "module": Object { + "type": "keyword", + }, + "original": Object { + "doc_values": false, + "index": false, + "type": "keyword", + }, + "outcome": Object { + "type": "keyword", + }, + "provider": Object { + "type": "keyword", + }, + "risk_score": Object { + "type": "float", + }, + "risk_score_norm": Object { + "type": "float", + }, + "sequence": Object { + "type": "long", + }, + "severity": Object { + "type": "long", + }, + "start": Object { + "type": "date", + }, + "timezone": Object { + "type": "keyword", + }, + "type": Object { + "type": "keyword", + }, + }, + }, + "original_signal": Object { + "dynamic": false, + "enabled": false, + "type": "object", + }, + "original_time": Object { + "type": "date", + }, + "parent": Object { + "properties": Object { + "depth": Object { + "type": "long", + }, + "id": Object { + "type": "keyword", + }, + "index": Object { + "type": "keyword", + }, + "rule": Object { + "type": "keyword", + }, + "type": Object { + "type": "keyword", + }, + }, + }, + "parents": Object { + "properties": Object { + "depth": Object { + "type": "long", + }, + "id": Object { + "type": "keyword", + }, + "index": Object { + "type": "keyword", + }, + "rule": Object { + "type": "keyword", + }, + "type": Object { + "type": "keyword", + }, + }, + 
}, + "rule": Object { + "properties": Object { + "author": Object { + "type": "keyword", + }, + "building_block_type": Object { + "type": "keyword", + }, + "created_at": Object { + "type": "date", + }, + "created_by": Object { + "type": "keyword", + }, + "description": Object { + "type": "keyword", + }, + "enabled": Object { + "type": "keyword", + }, + "false_positives": Object { + "type": "keyword", + }, + "filters": Object { + "type": "object", + }, + "from": Object { + "type": "keyword", + }, + "id": Object { + "type": "keyword", + }, + "immutable": Object { + "type": "keyword", + }, + "index": Object { + "type": "keyword", + }, + "interval": Object { + "type": "keyword", + }, + "language": Object { + "type": "keyword", + }, + "license": Object { + "type": "keyword", + }, + "max_signals": Object { + "type": "keyword", + }, + "name": Object { + "type": "keyword", + }, + "note": Object { + "type": "text", + }, + "output_index": Object { + "type": "keyword", + }, + "query": Object { + "type": "keyword", + }, + "references": Object { + "type": "keyword", + }, + "risk_score": Object { + "type": "float", + }, + "risk_score_mapping": Object { + "properties": Object { + "field": Object { + "type": "keyword", + }, + "operator": Object { + "type": "keyword", + }, + "value": Object { + "type": "keyword", + }, + }, + }, + "rule_id": Object { + "type": "keyword", + }, + "rule_name_override": Object { + "type": "keyword", + }, + "saved_id": Object { + "type": "keyword", + }, + "severity": Object { + "type": "keyword", + }, + "severity_mapping": Object { + "properties": Object { + "field": Object { + "type": "keyword", + }, + "operator": Object { + "type": "keyword", + }, + "severity": Object { + "type": "keyword", + }, + "value": Object { + "type": "keyword", + }, + }, + }, + "size": Object { + "type": "keyword", + }, + "tags": Object { + "type": "keyword", + }, + "threat": Object { + "properties": Object { + "framework": Object { + "type": "keyword", + }, + "tactic": Object 
{ + "properties": Object { + "id": Object { + "type": "keyword", + }, + "name": Object { + "type": "keyword", + }, + "reference": Object { + "type": "keyword", + }, + }, + }, + "technique": Object { + "properties": Object { + "id": Object { + "type": "keyword", + }, + "name": Object { + "type": "keyword", + }, + "reference": Object { + "type": "keyword", + }, + "subtechnique": Object { + "properties": Object { + "id": Object { + "type": "keyword", + }, + "name": Object { + "type": "keyword", + }, + "reference": Object { + "type": "keyword", + }, + }, + }, + }, + }, + }, + }, + "threat_filters": Object { + "type": "object", + }, + "threat_index": Object { + "type": "keyword", + }, + "threat_indicator_path": Object { + "type": "keyword", + }, + "threat_language": Object { + "type": "keyword", + }, + "threat_mapping": Object { + "properties": Object { + "entries": Object { + "properties": Object { + "field": Object { + "type": "keyword", + }, + "type": Object { + "type": "keyword", + }, + "value": Object { + "type": "keyword", + }, + }, + }, + }, + }, + "threat_query": Object { + "type": "keyword", + }, + "threshold": Object { + "properties": Object { + "field": Object { + "type": "keyword", + }, + "value": Object { + "type": "float", + }, + }, + }, + "timeline_id": Object { + "type": "keyword", + }, + "timeline_title": Object { + "type": "keyword", + }, + "timestamp_override": Object { + "type": "keyword", + }, + "to": Object { + "type": "keyword", + }, + "type": Object { + "type": "keyword", + }, + "updated_at": Object { + "type": "date", + }, + "updated_by": Object { + "type": "keyword", + }, + "version": Object { + "type": "keyword", + }, + }, + }, + "status": Object { + "type": "keyword", + }, + "threshold_count": Object { + "type": "float", + }, + "threshold_result": Object { + "properties": Object { + "cardinality": Object { + "properties": Object { + "field": Object { + "type": "keyword", + }, + "value": Object { + "type": "long", + }, + }, + }, + "count": 
Object { + "type": "long", + }, + "from": Object { + "type": "date", + }, + "terms": Object { + "properties": Object { + "field": Object { + "type": "keyword", + }, + "value": Object { + "type": "keyword", + }, + }, + }, + }, + }, + }, + }, + "source": Object { + "properties": Object { + "address": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "as": Object { + "properties": Object { + "number": Object { + "type": "long", + }, + "organization": Object { + "properties": Object { + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "bytes": Object { + "type": "long", + }, + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "geo": Object { + "properties": Object { + "city_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "location": Object { + "type": "geo_point", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "postal_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "timezone": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "ip": Object { + "type": "ip", + }, + "mac": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "nat": Object { + "properties": Object { + "ip": Object { + "type": "ip", + }, + "port": Object { + "type": "long", + }, + }, + }, + "packets": Object { + "type": "long", + }, + "port": Object { + "type": "long", + }, + 
"registered_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subdomain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "top_level_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "user": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "email": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "span": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "tags": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "threat": Object { + "properties": Object { + "framework": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "indicator": Object { + "properties": Object { + "as": Object { + "properties": Object { + "number": Object { + "type": "long", + }, + "organization": Object { + "properties": Object { + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "confidence": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "dataset": Object { + 
"ignore_above": 1024, + "type": "keyword", + }, + "description": Object { + "type": "wildcard", + }, + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "email": Object { + "properties": Object { + "address": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "event": Object { + "properties": Object { + "action": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "category": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "created": Object { + "type": "date", + }, + "dataset": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "duration": Object { + "type": "long", + }, + "end": Object { + "type": "date", + }, + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ingested": Object { + "type": "date", + }, + "kind": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "module": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "original": Object { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword", + }, + "outcome": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "provider": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "reason": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "reference": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "risk_score": Object { + "type": "float", + }, + "risk_score_norm": Object { + "type": "float", + }, + "sequence": Object { + "type": "long", + }, + "severity": Object { + "type": "long", + }, + "start": Object { + "type": "date", + }, + "timezone": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "url": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "first_seen": Object { + "type": "date", + }, + 
"geo": Object { + "properties": Object { + "city_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "location": Object { + "type": "geo_point", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "ip": Object { + "type": "ip", + }, + "last_seen": Object { + "type": "date", + }, + "marking": Object { + "properties": Object { + "tlp": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "matched": Object { + "properties": Object { + "atomic": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "field": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "module": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "port": Object { + "type": "long", + }, + "provider": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "scanner_stats": Object { + "type": "long", + }, + "sightings": Object { + "type": "long", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + "type": "nested", + }, + "tactic": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "reference": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "technique": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + 
"ignore_above": 1024, + "type": "keyword", + }, + "reference": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subtechnique": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "reference": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + }, + }, + "tls": Object { + "properties": Object { + "cipher": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "client": Object { + "properties": Object { + "certificate": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "certificate_chain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "hash": Object { + "properties": Object { + "md5": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha1": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha256": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "issuer": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ja3": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "not_after": Object { + "type": "date", + }, + "not_before": Object { + "type": "date", + }, + "server_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "supported_ciphers": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "x509": Object { + "properties": Object { + "alternative_names": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "issuer": Object { + "properties": Object { + "common_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "distinguished_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "locality": Object { + "ignore_above": 1024, + 
"type": "keyword", + }, + "organization": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organizational_unit": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "state_or_province": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "not_after": Object { + "type": "date", + }, + "not_before": Object { + "type": "date", + }, + "public_key_algorithm": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "public_key_curve": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "public_key_exponent": Object { + "doc_values": false, + "index": false, + "type": "long", + }, + "public_key_size": Object { + "type": "long", + }, + "serial_number": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "signature_algorithm": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject": Object { + "properties": Object { + "common_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "distinguished_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "locality": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organization": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organizational_unit": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "state_or_province": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "version_number": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "curve": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "established": Object { + "type": "boolean", + }, + "next_protocol": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "resumed": Object { + "type": "boolean", + }, + "server": Object { + "properties": Object { + "certificate": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "certificate_chain": Object { + "ignore_above": 1024, + "type": 
"keyword", + }, + "hash": Object { + "properties": Object { + "md5": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha1": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha256": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "issuer": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ja3s": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "not_after": Object { + "type": "date", + }, + "not_before": Object { + "type": "date", + }, + "subject": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "x509": Object { + "properties": Object { + "alternative_names": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "issuer": Object { + "properties": Object { + "common_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "distinguished_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "locality": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organization": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organizational_unit": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "state_or_province": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "not_after": Object { + "type": "date", + }, + "not_before": Object { + "type": "date", + }, + "public_key_algorithm": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "public_key_curve": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "public_key_exponent": Object { + "doc_values": false, + "index": false, + "type": "long", + }, + "public_key_size": Object { + "type": "long", + }, + "serial_number": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "signature_algorithm": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject": Object { + "properties": Object { + "common_name": Object { + "ignore_above": 1024, + "type": 
"keyword", + }, + "country": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "distinguished_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "locality": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organization": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organizational_unit": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "state_or_province": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "version_number": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version_protocol": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "trace": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "transaction": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "url": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "extension": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "fragment": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "original": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "password": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "path": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "port": Object { + "type": "long", + }, + "query": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "registered_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "scheme": Object { + "ignore_above": 1024, + "type": "keyword", + }, + 
"subdomain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "top_level_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "username": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "user": Object { + "properties": Object { + "changes": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "email": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "effective": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "email": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "hash": Object { + "ignore_above": 1024, + "type": 
"keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "email": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "target": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "email": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + 
"type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "user_agent": Object { + "properties": Object { + "device": Object { + "properties": Object { + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "original": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "os": Object { + "properties": Object { + "family": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "kernel": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "platform": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "vlan": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "vulnerability": Object { + "properties": Object { + "category": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "classification": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "description": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "enumeration": Object { + "ignore_above": 1024, + "type": "keyword", + 
}, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "reference": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "report_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "scanner": Object { + "properties": Object { + "vendor": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "score": Object { + "properties": Object { + "base": Object { + "type": "float", + }, + "environmental": Object { + "type": "float", + }, + "temporal": Object { + "type": "float", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "severity": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "settings": Object { + "index": Object { + "lifecycle": Object { + "name": "test-index", + "rollover_alias": "test-index", + }, + }, + "mapping": Object { + "total_fields": Object { + "limit": 10000, + }, + }, + }, + }, + "version": 55, +} +`; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.test.ts index e003c96e612dc2..c4d19b0e46ed4e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.test.ts @@ -114,4 +114,13 @@ describe('get_signals_template', () => { 'template.mappings.properties.kibana.alert.rule.rule_type_id', ]); }); + + test('it should match snapshot', () => { + const template = getSignalsTemplate( + 'test-index', + 'space-id', + '.alerts-security.alerts-space-id' + ); + expect(template).toMatchSnapshot(); + }); }); From 58d0e0171da29bc801ac96cf974466838d4da797 Mon Sep 17 00:00:00 2001 
From: Marshall Main Date: Fri, 30 Jul 2021 15:30:32 -0700 Subject: [PATCH 18/32] Remove template update logic from plugin setup --- .../security_solution/server/plugin.ts | 61 +------------------ 1 file changed, 1 insertion(+), 60 deletions(-) diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts index 7ecbbbcb03847f..e590c488e7ee4f 100644 --- a/x-pack/plugins/security_solution/server/plugin.ts +++ b/x-pack/plugins/security_solution/server/plugin.ts @@ -93,15 +93,8 @@ import { PolicyWatcher } from './endpoint/lib/policy/license_watch'; import { parseExperimentalConfigValue } from '../common/experimental_features'; import { migrateArtifactsToFleet } from './endpoint/lib/artifacts/migrate_artifacts_to_fleet'; import aadFieldConversion from './lib/detection_engine/routes/index/signal_aad_mapping.json'; -import signalExtraFields from './lib/detection_engine/routes/index/signal_extra_fields.json'; -import { - createSignalsFieldAliases, - getSignalsTemplate, - getRbacRequiredFields, -} from './lib/detection_engine/routes/index/get_signals_template'; import { getKibanaPrivilegesFeaturePrivileges } from './features'; import { EndpointMetadataService } from './endpoint/services/metadata'; -import { addAliasesToIndices } from './lib/detection_engine/routes/index/create_index_route'; export interface SetupPlugins { alerting: AlertingSetup; @@ -339,7 +332,7 @@ export class Plugin implements IPlugin { + core.getStartServices().then(([_, depsStart]) => { const securitySolutionSearchStrategy = securitySolutionSearchStrategyProvider( depsStart.data, endpointContext 
@@ -348,58 +341,6 @@ export class Plugin implements IPlugin { - const existingTemplateResponse = await clusterClient.indices - .getTemplate({ - name: `${config.signalsIndex}-*`, - }) - .catch((err) => { - // If the siem signals templates have already been converted, we expect a 404 here - if (err.meta?.statusCode !== 404) { - this.logger.error( - `Failed to get existing legacy siem signals templates: ${err.message}` - ); - } - }); - if (existingTemplateResponse == null) { - return; - } - const existingSignalsTemplates = existingTemplateResponse.body; - const existingTemplateNames = Object.keys(existingSignalsTemplates); - for (const existingTemplateName of existingTemplateNames) { - const spaceId = existingTemplateName.substr(config.signalsIndex.length + 1); - const alertsIndexPattern = ruleDataService.getFullAssetName('security.alerts'); - const aadIndexAliasName = `${alertsIndexPattern}-${spaceId}`; - - const signalsTemplate = getSignalsTemplate( - existingTemplateName, - spaceId, - aadIndexAliasName - ); - - try { - await clusterClient.indices.putIndexTemplate({ - name: existingTemplateName, - body: signalsTemplate as Record, - }); - await addAliasesToIndices({ - esClient: clusterClient, - index: `${existingTemplateName}-*`, - aadIndexAliasName, - spaceId, - }); - await clusterClient.indices.deleteTemplate({ name: existingTemplateName }); - } catch (err) { - this.logger.error( - `Failed to install new siem signals template for space ${spaceId}: ${err.message}` - ); - } - } - }; - updateExistingSignalsIndices(); - }*/ }); this.telemetryEventsSender.setup(plugins.telemetry, plugins.taskManager); From e8f464c99dfe27d773b8f45b0e2241aa0f668099 Mon Sep 17 00:00:00 2001 
From: Marshall Main
Date: Mon, 2 Aug 2021 12:36:00 -0700
Subject: [PATCH 19/32] Use aliases_version field to detect if aliases need update
---
 .../routes/index/check_template_version.ts | 19 ++++++++--
 .../routes/index/create_index_route.ts | 35 ++++++++++++-------
 .../routes/index/get_signals_template.ts | 3 ++
 .../routes/index/read_index_route.ts | 5 ++-
 4 files changed, 47 insertions(+), 15 deletions(-)
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/check_template_version.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/check_template_version.ts
index 36a0aaf38e15d6..974d18292a078c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/check_template_version.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/check_template_version.ts
@@ -5,11 +5,15 @@
 * 2.0.
 */
+import { get } from 'lodash';
 import { ElasticsearchClient } from 'src/core/server';
 import { isOutdated } from '../../migrations/helpers';
-import { SIGNALS_TEMPLATE_VERSION } from './get_signals_template';
+import {
+ ALIAS_VERSION_FIELD,
+ SIGNALS_FIELD_ALIASES_VERSION,
+ SIGNALS_TEMPLATE_VERSION,
+} from './get_signals_template';
-// TODO: update this to check both legacy and component templates
 export const getTemplateVersion = async ({
 alias,
 esClient,
@@ -36,3 +40,14 @@ export const templateNeedsUpdate = async ({
 return isOutdated({ current: templateVersion, target: SIGNALS_TEMPLATE_VERSION });
 };
+
+export const fieldAliasesOutdated = async (esClient: ElasticsearchClient, index: string) => {
+ const { body: indexMappings } = await esClient.indices.get({ index });
+ for (const [_, mapping] of Object.entries(indexMappings)) {
+ const aliasesVersion = get(mapping.mappings?._meta, ALIAS_VERSION_FIELD) ?? 0;
+ if (aliasesVersion < SIGNALS_FIELD_ALIASES_VERSION) {
+ return true;
+ }
+ }
+ return false;
+};
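Review bot: `fieldAliasesOutdated` compares the raw `_meta` value, which `get` returns as `any`, so a non-numeric `aliases_version` written by hand or by another tool would be compared as a string instead of being treated as outdated. Read it defensively, `const raw = get(mapping.mappings?._meta, ALIAS_VERSION_FIELD);` / `const aliasesVersion = typeof raw === 'number' ? raw : 0;`, and since the key is unused iterate `Object.values(indexMappings)` rather than destructuring `[_, mapping]`. The export also carries no doc comment; a line such as `/** True if any concrete index behind the alias has an aliases_version below SIGNALS_FIELD_ALIASES_VERSION (a missing value counts as 0). Needs the same index-metadata privilege as the mapping-version check. */` would state the contract and the privilege the caller must hold.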
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts index 3a7d586433bfd1..ac409ef746d37f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts @@ -5,6 +5,7 @@ * 2.0. */ +import { get } from 'lodash'; import { estypes } from '@elastic/elasticsearch'; import { ElasticsearchClient } from 'src/core/server'; import { @@ -26,6 +27,8 @@ import { getSignalsTemplate, getRbacRequiredFields, SIGNALS_TEMPLATE_VERSION, + SIGNALS_FIELD_ALIASES_VERSION, + ALIAS_VERSION_FIELD, } from './get_signals_template'; import { ensureMigrationCleanupPolicy } from '../../migrations/migration_cleanup'; import signalsPolicy from './signals_policy.json'; 
@@ -136,20 +139,28 @@ export const addAliasesToIndices = async ({
 },
 });
+ const { body: indexMappings } = await esClient.indices.get({ index });
 // Make sure that all signal fields we add aliases for are guaranteed to exist in the mapping for ALL historical
 // signals indices (either by adding them to signalExtraFields or ensuring they exist in the original signals
 // mapping) or else this call will fail and not update ANY signals indices
 const fieldAliases = createSignalsFieldAliases();
- const newMapping = {
- properties: {
- ...signalExtraFields,
- ...fieldAliases,
- ...getRbacRequiredFields(spaceId),
- },
- };
- await esClient.indices.putMapping({
- index: `${index}-*`,
- body: newMapping,
- allow_no_indices: true,
- } as estypes.IndicesPutMappingRequest);
+ for (const [indexName, mapping] of Object.entries(indexMappings)) {
+ const currentVersion: number | undefined = get(mapping.mappings?._meta, 'version');
+ const newMapping = {
+ properties: {
+ ...signalExtraFields,
+ ...fieldAliases,
+ ...getRbacRequiredFields(spaceId),
+ _meta: {
+ version: currentVersion,
+ [ALIAS_VERSION_FIELD]: SIGNALS_FIELD_ALIASES_VERSION,
+ },
+ },
+ };
+ await esClient.indices.putMapping({
+ index: indexName,
+ body: newMapping,
+ allow_no_indices: true,
+ } as estypes.IndicesPutMappingRequest);
+ }
 };
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts
index d56e81c65be1de..7740b65da7323b 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts
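Review bot: The comment kept at the top of the hunk, `// mapping) or else this call will fail and not update ANY signals indices`, no longer describes the code under it: the single wildcard `putMapping` on `${index}-*` became a per-index loop, so a failure on one index now leaves the indices handled earlier at the new aliases version and the rest untouched. Reword it to something like `// mapping) or else putMapping will fail for that index; indices already handled in this loop keep the new mapping`. Two smaller points in the loop: `allow_no_indices: true` has no effect once a concrete `indexName` is passed, and `'version'` is read as a bare string while the sibling key uses `ALIAS_VERSION_FIELD`, so a shared constant for both `_meta` keys would keep them in one place. Whether an absent `currentVersion` (serialised away as `undefined`) ends up dropping `_meta.version` from the index depends on how Elasticsearch merges `_meta` on put-mapping and is worth confirming. `addAliasesToIndices` starts before this hunk, and the placement of `_meta` inside `properties` is corrected later in this series.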
@@ -25,7 +25,9 @@ import aadFieldConversion from './signal_aad_mapping.json'; release */ export const SIGNALS_TEMPLATE_VERSION = 55; +export const SIGNALS_FIELD_ALIASES_VERSION = 1; export const MIN_EQL_RULE_INDEX_VERSION = 2; +export const ALIAS_VERSION_FIELD = 'aliases_version'; export const getSignalsTemplate = (index: string, spaceId: string, aadIndexAliasName: string) => { const fieldAliases = createSignalsFieldAliases(); @@ -74,6 +76,7 @@ export const getSignalsTemplate = (index: string, spaceId: string, aadIndexAlias }, _meta: { version: SIGNALS_TEMPLATE_VERSION, + [ALIAS_VERSION_FIELD]: SIGNALS_FIELD_ALIASES_VERSION, }, }, }, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/read_index_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/read_index_route.ts index 3b0c16df185da6..4cfedd5dcaa011 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/read_index_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/read_index_route.ts @@ -15,6 +15,7 @@ import { buildSiemResponse } from '../utils'; import { SIGNALS_TEMPLATE_VERSION } from './get_signals_template'; import { getIndexVersion } from './get_index_version'; import { isOutdated } from '../../migrations/helpers'; +import { fieldAliasesOutdated } from './check_template_version'; export const readIndexRoute = (router: SecuritySolutionPluginRouter, config: ConfigType) => { router.get( 
@@ -44,12 +45,14 @@ export const readIndexRoute = (router: SecuritySolutionPluginRouter, config: Con
 if (indexExists) {
 let mappingOutdated: boolean | null = null;
+ let aliasesOutdated: boolean | null = null;
 try {
 const indexVersion = await getIndexVersion(esClient, index);
 mappingOutdated = isOutdated({
 current: indexVersion,
 target: SIGNALS_TEMPLATE_VERSION,
 });
+ aliasesOutdated = await fieldAliasesOutdated(esClient, index);
 } catch (err) {
 const error = transformError(err);
 // Some users may not have the view_index_metadata permission necessary to check the index mapping version
@@ -64,7 +67,7 @@ export const readIndexRoute = (router: SecuritySolutionPluginRouter, config: Con
 return response.ok({
 body: {
 name: ruleRegistryEnabled ? DEFAULT_ALERTS_INDEX : index,
- index_mapping_outdated: mappingOutdated,
+ index_mapping_outdated: mappingOutdated || aliasesOutdated,
 },
 });
 } else {
From 3054481a319f7ef318ee6ffd791561368d5f932e Mon Sep 17 00:00:00 2001
From: Marshall Main
Date: Mon, 2 Aug 2021 13:16:45 -0700
Subject: [PATCH 20/32] Fix bugs
---
 .../routes/index/create_index_route.ts | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts
index ac409ef746d37f..e85401ee9adc74 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts
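Review bot: `index_mapping_outdated: mappingOutdated || aliasesOutdated` folds two nullable booleans with `||`, so the value is `null` whenever neither check returned `true` and one of them did not complete (for instance the version check returned `false` and `fieldAliasesOutdated` threw into the catch above). That matches the field's `boolean | null` contract but is easy to misread as a plain OR, so a short comment on the line would help, e.g. `// outdated if either the mapping version or the field-aliases version is behind; null when that could not be determined`. The response field now also reports alias drift, which readers of the API will not guess from the name `index_mapping_outdated`; if it cannot be renamed, say so in the route's API documentation. The enclosing handler starts before and ends after this hunk.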
@@ -105,8 +105,12 @@ export const createDetectionIndex = async (
 });
 }
 // Check if the old legacy siem signals template exists and remove it
- if (await esClient.indices.existsTemplate({ name: index })) {
+ try {
 await esClient.indices.deleteTemplate({ name: index });
+ } catch (err) {
+ if (err.statusCode !== 404) {
+ throw err;
+ }
 }
 await addAliasesToIndices({ esClient, index, aadIndexAliasName, spaceId });
 const indexExists = await getIndexExists(esClient, index);
@@ -151,10 +155,10 @@ export const addAliasesToIndices = async ({
 ...signalExtraFields,
 ...fieldAliases,
 ...getRbacRequiredFields(spaceId),
- _meta: {
- version: currentVersion,
- [ALIAS_VERSION_FIELD]: SIGNALS_FIELD_ALIASES_VERSION,
- },
+ },
+ _meta: {
+ version: currentVersion,
+ [ALIAS_VERSION_FIELD]: SIGNALS_FIELD_ALIASES_VERSION,
 },
 };
 await esClient.indices.putMapping({
From 0910131405daf446dee46c8ee5cb9050160ee605 Mon Sep 17 00:00:00 2001
From: Marshall Main
Date: Mon, 2 Aug 2021 14:46:46 -0700
Subject: [PATCH 21/32] oops update snapshot
---
 .../routes/index/__snapshots__/get_signals_template.test.ts.snap | 1 +
 1 file changed, 1 insertion(+)
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap
index 0afa8966d9eb47..2ea0d0a4e47e3c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap
@@ -13,6 +13,7 @@ Object {
 },
 "mappings": Object {
 "_meta": Object {
+ "aliases_version": 1,
 "version": 55,
 },
 "dynamic": false,
From 38271889c27a0ba70befce370dde96657a77fa53 Mon Sep 17 00:00:00 2001
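Review bot: The new `catch (err)` reads `err.statusCode` with `err` left untyped, while the plugin code earlier in this series checks what is presumably the same client error as `err.meta?.statusCode`; pick one shape and narrow explicitly so the branch still compiles with `useUnknownInCatchVariables`, e.g. `const status = (err as { statusCode?: number })?.statusCode;` / `if (status !== 404) { throw err; }`. The reason the 404 is tolerated also deserves a line, `// 404 means there is no legacy template to delete`, since the `existsTemplate` guard that used to document it is gone. `createDetectionIndex` starts outside the hunk.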
From: Marshall Main
Date: Mon, 2 Aug 2021 16:21:54 -0700
Subject: [PATCH 22/32] Use internal user for PUT alias to fix perms issue
---
 .../routes/index/create_index_route.ts | 26 ++++++++++---------
 .../routes/index/get_signals_template.ts | 9 +++++++
 2 files changed, 23 insertions(+), 12 deletions(-)
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts
index e85401ee9adc74..5d4769c5369632 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts
@@ -112,7 +112,19 @@ export const createDetectionIndex = async (
 throw err;
 }
 }
- await addAliasesToIndices({ esClient, index, aadIndexAliasName, spaceId });
+ await addFieldAliasesToIndices({ esClient, index, spaceId });
+ // The internal user is used here because Elasticsearch requires the PUT alias requestor to have 'manage' permissions
+ // for BOTH the index AND alias name. However, through 7.14 admins only needed permissions for .siem-signals (the index)
+ // and not .alerts-security.alerts (the alias). From the security solution perspective, a user that has manage permissions
+ // for .siem-signals should be allowed to add this alias. If the call to addFieldAliasesToIndices above succeeds, then
+ // we assume they are allowed to add this alias.
+ await context.core.elasticsearch.client.asInternalUser.indices.putAlias({
+ index: `${index}-*`,
+ name: aadIndexAliasName,
+ body: {
+ is_write_index: false,
+ },
+ });
 const indexExists = await getIndexExists(esClient, index);
 if (indexExists) {
 const indexVersion = await getIndexVersion(esClient, index);
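Review bot: The `asInternalUser` `putAlias` targets the wildcard `${index}-*`, which is a wider set than the concrete indices `addFieldAliasesToIndices` resolved through `indices.get({ index })` as the current user — that call is the only privilege gate for this privileged write, and if space ids may contain hyphens, a pattern like `.siem-signals-a-*` also matches the indices of a space `a-b` (index naming lives outside this hunk, so treat that as something to confirm). Passing the index names taken from that mapping response (or the alias's own members) to `putAlias` instead of a pattern keeps the internal-user write to exactly the set the caller was checked against. The same wildcard is carried over unchanged when this block moves in the PATCH 25 hunk below. `createDetectionIndex` starts outside the hunk.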
@@ -124,25 +136,15 @@ export const createDetectionIndex = async (
 }
 };
-export const addAliasesToIndices = async ({
+const addFieldAliasesToIndices = async ({
 esClient,
 index,
- aadIndexAliasName,
 spaceId,
 }: {
 esClient: ElasticsearchClient;
 index: string;
- aadIndexAliasName: string;
 spaceId: string;
 }) => {
- await esClient.indices.putAlias({
- index: `${index}-*`,
- name: aadIndexAliasName,
- body: {
- is_write_index: false,
- },
- });
-
 const { body: indexMappings } = await esClient.indices.get({ index });
 // Make sure that all signal fields we add aliases for are guaranteed to exist in the mapping for ALL historical
 // signals indices (either by adding them to signalExtraFields or ensuring they exist in the original signals
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts
index 7740b65da7323b..eac1ddc53ae3f6 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts
@@ -25,6 +25,15 @@ import aadFieldConversion from './signal_aad_mapping.json';
 release */
 export const SIGNALS_TEMPLATE_VERSION = 55;
+/**
+ @constant
+ @type {number}
+ @description This value represents the version of the field aliases that map the new field names
+ used for alerts-as-data to the old signal.* field names. If any .siem-signals- indices
+ have an aliases_version less than this value, the detections UI will call create_index_route and
+ and go through the index update process. Increment this number if making changes to the field
+ aliases we use to make signals forwards-compatible.
+*/
 export const SIGNALS_FIELD_ALIASES_VERSION = 1;
 export const MIN_EQL_RULE_INDEX_VERSION = 2;
 export const ALIAS_VERSION_FIELD = 'aliases_version';
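Review bot: The new block comment on `SIGNALS_FIELD_ALIASES_VERSION` uses JSDoc type tags (`@constant`, `@type {number}`) that TypeScript already infers, and its prose has a doubled word, "create_index_route and and go through". A plain TSDoc description reads better, e.g. opening with `/** Version of the field aliases that map the alerts-as-data field names onto the legacy signal.* fields. ... */` and with the duplicated "and" dropped. `.siem-signals- indices` looks as if a space-id placeholder was lost, possibly only in rendering; worth checking in the source comment. In the first hunk, `addFieldAliasesToIndices` loses its export but still has no comment saying that it rewrites the mapping of every concrete index behind the alias; one line there would help the next reader.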
From 0cd9b8335fbd2a4a39b26f435a1b26daab6703bc Mon Sep 17 00:00:00 2001 From: Marshall Main Date: Mon, 2 Aug 2021 16:38:28 -0700 Subject: [PATCH 23/32] Update comment --- .../lib/detection_engine/routes/index/create_index_route.ts | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts index 5d4769c5369632..85b7000ac7bc93 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts @@ -115,9 +115,8 @@ export const createDetectionIndex = async ( await addFieldAliasesToIndices({ esClient, index, spaceId }); // The internal user is used here because Elasticsearch requires the PUT alias requestor to have 'manage' permissions // for BOTH the index AND alias name. However, through 7.14 admins only needed permissions for .siem-signals (the index) - // and not .alerts-security.alerts (the alias). From the security solution perspective, a user that has manage permissions - // for .siem-signals should be allowed to add this alias. If the call to addFieldAliasesToIndices above succeeds, then - // we assume they are allowed to add this alias. + // and not .alerts-security.alerts (the alias). From the security solution perspective, all .siem-signals--* + // indices should have an alias to .alerts-security.alerts- so it's safe to add those aliases as the internal user. await context.core.elasticsearch.client.asInternalUser.indices.putAlias({ index: `${index}-*`, name: aadIndexAliasName, From 5973dde554486c5668ff5453bc2b378f70a09876 Mon Sep 17 00:00:00 2001 
From: Marshall Main Date: Mon, 2 Aug 2021 17:12:21 -0700 Subject: [PATCH 24/32] Disable new resource creation if ruleRegistryEnabled --- .../routes/index/create_index_route.ts | 21 +++++++++++++++---- .../security_solution/server/routes/index.ts | 2 +- 2 files changed, 18 insertions(+), 5 deletions(-) diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts index 85b7000ac7bc93..f4477937724aaf 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts @@ -37,10 +37,13 @@ import { getIndexVersion } from './get_index_version'; import { isOutdated } from '../../migrations/helpers'; import { RuleDataPluginService } from '../../../../../../rule_registry/server'; import signalExtraFields from './signal_extra_fields.json'; +import { ConfigType } from '../../../../config'; +import { parseExperimentalConfigValue } from '../../../../../common/experimental_features'; export const createIndexRoute = ( router: SecuritySolutionPluginRouter, - ruleDataService: RuleDataPluginService + ruleDataService: RuleDataPluginService, + config: ConfigType ) => { router.post( { 
@@ -52,13 +55,14 @@ export const createIndexRoute = (
 },
 async (context, request, response) => {
 const siemResponse = buildSiemResponse(response);
+ const { ruleRegistryEnabled } = parseExperimentalConfigValue(config.enableExperimental);
 try {
 const siemClient = context.securitySolution?.getAppClient();
 if (!siemClient) {
 return siemResponse.error({ statusCode: 404 });
 }
- await createDetectionIndex(context, siemClient!, ruleDataService);
+ await createDetectionIndex(context, siemClient!, ruleDataService, ruleRegistryEnabled);
 return response.ok({ body: { acknowledged: true } });
 } catch (err) {
 const error = transformError(err);
@@ -82,7 +86,8 @@ class CreateIndexError extends Error {
 export const createDetectionIndex = async (
 context: SecuritySolutionRequestHandlerContext,
 siemClient: AppClient,
- ruleDataService: RuleDataPluginService
+ ruleDataService: RuleDataPluginService,
+ ruleRegistryEnabled: boolean
 ): Promise => {
 const esClient = context.core.elasticsearch.client.asCurrentUser;
 const spaceId = siemClient.getSpaceId();
@@ -92,6 +97,14 @@ export const createDetectionIndex = async (
 }
 const index = siemClient.getSignalsIndex();
+
+ const indexExists = await getIndexExists(esClient, index);
+ // If using the rule registry implementation, we don't want to create new .siem-signals indices -
+ // only create/update resources if there are existing indices
+ if (ruleRegistryEnabled && !indexExists) {
+ return;
+ }
+
 await ensureMigrationCleanupPolicy({ alias: index, esClient });
 const policyExists = await getPolicyExists(esClient, index);
 if (!policyExists) {
@@ -124,7 +137,7 @@ export const createDetectionIndex = async (
 is_write_index: false,
 },
 });
- const indexExists = await getIndexExists(esClient, index);
+
 if (indexExists) {
 const indexVersion = await getIndexVersion(esClient, index);
 if (isOutdated({ current: indexVersion, target: SIGNALS_TEMPLATE_VERSION })) {
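Review bot: The early `return` added at `if (ruleRegistryEnabled && !indexExists)` makes `createDetectionIndex` silently do nothing, yet the route still answers `{ acknowledged: true }`, so a caller cannot tell "created" from "skipped"; at minimum state it in a doc comment on the function, e.g. `/** Creates or updates the legacy .siem-signals resources for the current space. When ruleRegistryEnabled is set and no legacy index exists it returns without creating anything. */`, or return a boolean the route can report. The non-null assertion in `createDetectionIndex(context, siemClient!, ...)` is redundant, since the `if (!siemClient)` guard above already narrows it; drop the `!`. `indexExists` is now read once at the top and reused after the policy and template calls, which is fine only as long as nothing in between creates the index; a comment next to the later `if (indexExists)` noting that dependency would save the next reader the check. `createDetectionIndex` continues past the hunk.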
diff --git a/x-pack/plugins/security_solution/server/routes/index.ts b/x-pack/plugins/security_solution/server/routes/index.ts index 0fcaecc13b0199..c029e421ab81ea 100644 --- a/x-pack/plugins/security_solution/server/routes/index.ts +++ b/x-pack/plugins/security_solution/server/routes/index.ts @@ -118,7 +118,7 @@ export const initRoutes = ( // Detection Engine index routes that have the REST endpoints of /api/detection_engine/index // All REST index creation, policy management for spaces - createIndexRoute(router, ruleDataService); + createIndexRoute(router, ruleDataService, config); readIndexRoute(router, config); deleteIndexRoute(router); From ded440e163ccd3f0b59472a4ff006f5e7b42050b Mon Sep 17 00:00:00 2001 From: Marshall Main Date: Tue, 3 Aug 2021 10:14:30 -0700 Subject: [PATCH 25/32] Only attempt to add aliases if siem-signals index already exists --- .../routes/index/create_index_route.ts | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts index f4477937724aaf..76022a1b3407c2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts 
@@ -125,20 +125,20 @@ export const createDetectionIndex = async (
 throw err;
 }
 }
- await addFieldAliasesToIndices({ esClient, index, spaceId });
- // The internal user is used here because Elasticsearch requires the PUT alias requestor to have 'manage' permissions
- // for BOTH the index AND alias name. However, through 7.14 admins only needed permissions for .siem-signals (the index)
- // and not .alerts-security.alerts (the alias). From the security solution perspective, all .siem-signals--*
- // indices should have an alias to .alerts-security.alerts- so it's safe to add those aliases as the internal user.
- await context.core.elasticsearch.client.asInternalUser.indices.putAlias({
- index: `${index}-*`,
- name: aadIndexAliasName,
- body: {
- is_write_index: false,
- },
- });
 if (indexExists) {
+ await addFieldAliasesToIndices({ esClient, index, spaceId });
+ // The internal user is used here because Elasticsearch requires the PUT alias requestor to have 'manage' permissions
+ // for BOTH the index AND alias name. However, through 7.14 admins only needed permissions for .siem-signals (the index)
+ // and not .alerts-security.alerts (the alias). From the security solution perspective, all .siem-signals--*
+ // indices should have an alias to .alerts-security.alerts- so it's safe to add those aliases as the internal user.
+ await context.core.elasticsearch.client.asInternalUser.indices.putAlias({
+ index: `${index}-*`,
+ name: aadIndexAliasName,
+ body: {
+ is_write_index: false,
+ },
+ });
 const indexVersion = await getIndexVersion(esClient, index);
 if (isOutdated({ current: indexVersion, target: SIGNALS_TEMPLATE_VERSION })) {
 await esClient.indices.rollover({ alias: index });
From 8e7e00ed8e1972cd6f31ba7c06f7e52c48b5bc5c Mon Sep 17 00:00:00 2001
From: Marshall Main Date: Tue, 3 Aug 2021 10:45:59 -0700 Subject: [PATCH 26/32] Fix types, add aliases to aad indices, use package field names --- .../src/technical_field_names.ts | 6 ++++++ x-pack/plugins/rule_registry/server/index.ts | 1 - .../routes/index/get_signals_template.ts | 13 +++++++++---- x-pack/plugins/security_solution/server/plugin.ts | 10 +++++----- 4 files changed, 20 insertions(+), 10 deletions(-) diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts index c55be6cfe8ff68..0df1ad79f6702b 100644 --- a/packages/kbn-rule-data-utils/src/technical_field_names.ts +++ b/packages/kbn-rule-data-utils/src/technical_field_names.ts @@ -34,6 +34,7 @@ const ALERT_EVALUATION_THRESHOLD = `${ALERT_NAMESPACE}.evaluation.threshold` as const ALERT_EVALUATION_VALUE = `${ALERT_NAMESPACE}.evaluation.value` as const; const ALERT_ID = `${ALERT_NAMESPACE}.id` as const; const ALERT_OWNER = `${ALERT_NAMESPACE}.owner` as const; +const ALERT_CONSUMERS = `${ALERT_NAMESPACE}.consumers` as const; const ALERT_PRODUCER = `${ALERT_NAMESPACE}.producer` as const; const ALERT_REASON = `${ALERT_NAMESPACE}.reason` as const; const ALERT_RISK_SCORE = `${ALERT_NAMESPACE}.risk_score` as const; @@ -70,6 +71,7 @@ const ALERT_RULE_SEVERITY_MAPPING = `${ALERT_RULE_NAMESPACE}.severity_mapping` a const ALERT_RULE_TAGS = `${ALERT_RULE_NAMESPACE}.tags` as const; const ALERT_RULE_TO = `${ALERT_RULE_NAMESPACE}.to` as const; const ALERT_RULE_TYPE = `${ALERT_RULE_NAMESPACE}.type` as const; +const ALERT_RULE_TYPE_ID = `${ALERT_RULE_NAMESPACE}.rule_type_id` as const; const ALERT_RULE_UPDATED_AT = `${ALERT_RULE_NAMESPACE}.updated_at` as const; const ALERT_RULE_UPDATED_BY = `${ALERT_RULE_NAMESPACE}.updated_by` as const; const ALERT_RULE_VERSION = `${ALERT_RULE_NAMESPACE}.version` as const; 
@@ -93,6 +95,7 @@ const fields = { ALERT_EVALUATION_VALUE, ALERT_ID, ALERT_OWNER, + ALERT_CONSUMERS, ALERT_PRODUCER, ALERT_REASON, ALERT_RISK_SCORE, @@ -118,6 +121,7 @@ const fields = { ALERT_RULE_TAGS, ALERT_RULE_TO, ALERT_RULE_TYPE, + ALERT_RULE_TYPE_ID, ALERT_RULE_UPDATED_AT, ALERT_RULE_UPDATED_BY, ALERT_RULE_VERSION, @@ -143,6 +147,7 @@ export { ALERT_EVALUATION_VALUE, ALERT_ID, ALERT_OWNER, + ALERT_CONSUMERS, ALERT_PRODUCER, ALERT_REASON, ALERT_RISK_SCORE, @@ -171,6 +176,7 @@ export { ALERT_RULE_TAGS, ALERT_RULE_TO, ALERT_RULE_TYPE, + ALERT_RULE_TYPE_ID, ALERT_RULE_UPDATED_AT, ALERT_RULE_UPDATED_BY, ALERT_RULE_VERSION, diff --git a/x-pack/plugins/rule_registry/server/index.ts b/x-pack/plugins/rule_registry/server/index.ts index ef41af62693fab..cbd8145a44fe78 100644 --- a/x-pack/plugins/rule_registry/server/index.ts +++ b/x-pack/plugins/rule_registry/server/index.ts @@ -16,7 +16,6 @@ export { RuleDataClient } from './rule_data_client'; export { IRuleDataClient } from './rule_data_client/types'; export { getRuleData, RuleExecutorData } from './utils/get_rule_executor_data'; export { createLifecycleRuleTypeFactory } from './utils/create_lifecycle_rule_type_factory'; -export { RuleDataPluginService } from './rule_data_plugin_service'; export { LifecycleRuleExecutor, LifecycleAlertService, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts index eac1ddc53ae3f6..bc41441e1a1179 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts 
@@ -5,7 +5,12 @@ * 2.0. */ -import { SPACE_IDS } from '@kbn/rule-data-utils'; +import { + SPACE_IDS, + ALERT_CONSUMERS, + ALERT_PRODUCER, + ALERT_RULE_TYPE_ID, +} from '@kbn/rule-data-utils'; import signalsMapping from './signals_mapping.json'; import ecsMapping from './ecs_mapping.json'; import otherMapping from './other_mappings.json'; @@ -111,18 +116,18 @@ export const getRbacRequiredFields = (spaceId: string) => { type: 'constant_keyword', value: spaceId, }, - 'kibana.consumers': { + [ALERT_CONSUMERS]: { type: 'constant_keyword', value: 'siem', }, - 'kibana.producer': { + [ALERT_PRODUCER]: { type: 'constant_keyword', value: 'siem', }, // TODO: discuss naming of this field and what the value will be for legacy signals. // Can we leave it as 'siem.signals' or do we need a runtime field that will map signal.rule.type // to the new ruleTypeId? - 'kibana.alert.rule.rule_type_id': { + [ALERT_RULE_TYPE_ID]: { type: 'constant_keyword', value: 'siem.signals', }, diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts index a8e016b7d28ad9..80304f4a5bc5c5 100644 --- a/x-pack/plugins/security_solution/server/plugin.ts +++ b/x-pack/plugins/security_solution/server/plugin.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { once } from 'lodash'; +import { merge, once } from 'lodash'; import { Observable } from 'rxjs'; import LRU from 'lru-cache'; import { estypes } from '@elastic/elasticsearch'; @@ -220,9 +220,11 @@ export class Plugin implements IPlugin Date: Tue, 3 Aug 2021 10:53:12 -0700 Subject: [PATCH 27/32] Undo adding aliases to AAD indices --- x-pack/plugins/security_solution/server/plugin.ts | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts index 80304f4a5bc5c5..3b885b9eda7e19 100644 --- a/x-pack/plugins/security_solution/server/plugin.ts +++ b/x-pack/plugins/security_solution/server/plugin.ts 
@@ -213,6 +213,9 @@ export class Plugin implements IPlugin = {}; Object.entries(aadFieldConversion).forEach(([key, value]) => { aliases[key] = { @@ -220,9 +223,6 @@ export class Plugin implements IPlugin Date: Tue, 3 Aug 2021 10:54:55 -0700 Subject: [PATCH 28/32] Remove unused import --- x-pack/plugins/security_solution/server/plugin.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts index 3b885b9eda7e19..bda2b64745ccff 100644 --- a/x-pack/plugins/security_solution/server/plugin.ts +++ b/x-pack/plugins/security_solution/server/plugin.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { merge, once } from 'lodash'; +import { once } from 'lodash'; import { Observable } from 'rxjs'; import LRU from 'lru-cache'; import { estypes } from '@elastic/elasticsearch'; From 5828090c5ca8875874faf61362e2a197f07fe062 Mon Sep 17 00:00:00 2001 From: Marshall Main Date: Tue, 3 Aug 2021 12:30:24 -0700 Subject: [PATCH 29/32] Update test and snapshot oops --- .../get_signals_template.test.ts.snap | 16 ++++++++-------- .../routes/index/get_signals_template.test.ts | 4 ++-- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap index 2ea0d0a4e47e3c..80ae8b9309f1f2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap 
@@ -1583,6 +1583,10 @@ Object { "path": "signal.ancestors.type", "type": "alias", }, + "kibana.alert.consumers": Object { + "type": "constant_keyword", + "value": "siem", + }, "kibana.alert.depth": Object { "path": "signal.depth", "type": "alias", @@ -1671,6 +1675,10 @@ Object { "path": "signal.original_time", "type": "alias", }, + "kibana.alert.producer": Object { + "type": "constant_keyword", + "value": "siem", + }, "kibana.alert.risk_score": Object { "path": "signal.rule.risk_score", "type": "alias", @@ -1935,14 +1943,6 @@ Object { "path": "signal.status", "type": "alias", }, - "kibana.consumers": Object { - "type": "constant_keyword", - "value": "siem", - }, - "kibana.producer": Object { - "type": "constant_keyword", - "value": "siem", - }, "kibana.space_ids": Object { "type": "constant_keyword", "value": "space-id", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.test.ts index c4d19b0e46ed4e..88c549cec55797 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.test.ts @@ -109,8 +109,8 @@ describe('get_signals_template', () => { const constantKeywordsFound = recursiveConstantKeywordFound('', template); expect(constantKeywordsFound).toEqual([ 'template.mappings.properties.kibana.space_ids', - 'template.mappings.properties.kibana.consumers', - 'template.mappings.properties.kibana.producer', + 'template.mappings.properties.kibana.alert.consumers', + 'template.mappings.properties.kibana.alert.producer', 'template.mappings.properties.kibana.alert.rule.rule_type_id', ]); }); From 4275da74bb73c9bbc685abe8d6b6556c90498a25 Mon Sep 17 00:00:00 2001 
From: Marshall Main Date: Wed, 4 Aug 2021 00:30:21 -0700 Subject: [PATCH 30/32] Filter out kibana.* fields from generated signals --- .../lib/detection_engine/signals/build_bulk_body.ts | 11 +++++++++-- .../server/lib/detection_engine/signals/types.ts | 1 + 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts
index 2e6f4b9303d897..54a41be5cbadeb 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts
@@ -44,7 +44,10 @@ export const buildBulkBody = (
 ...additionalSignalFields(mergedDoc),
 };
 const event = buildEventTypeSignal(mergedDoc);
- const { threshold_result: thresholdResult, ...filteredSource } = mergedDoc._source || {
+ // Filter out any kibana.* fields from the generated signal - kibana.* fields are aliases
+ // in siem-signals so we can't write to them, but for signals-on-signals they'll be returned
+ // in the fields API response and merged into the mergedDoc source
+ const { threshold_result: thresholdResult, kibana, ...filteredSource } = mergedDoc._source || {
 threshold_result: null,
 };
 const signalHit: SignalHit = {
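Review bot: The `kibana` key is stripped by destructuring both here in `buildBulkBody` and in `buildSignalFromEvent` in the next hunk, with the same three-line comment pasted in both places; a single documented helper such as `const omitAlertsAsDataFields = ({ kibana, ...rest }: SignalSource) => rest;` would keep the two write paths in sync when the set of alias fields changes. The filter only removes a nested top-level `kibana` object; if the merged document can still carry flattened keys such as `'kibana.alert.depth'` in the form the fields API returns them, the rest spread keeps them and the bulk write would still hit a mapped alias — worth confirming in the merge helper, which is outside the hunk. buildBulkBody's body continues outside the hunk.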
@@ -145,9 +148,13 @@ export const buildSignalFromEvent = (
 ...additionalSignalFields(mergedEvent),
 };
 const eventFields = buildEventTypeSignal(mergedEvent);
+ // Filter out any kibana.* fields from the generated signal - kibana.* fields are aliases
+ // in siem-signals so we can't write to them, but for signals-on-signals they'll be returned
+ // in the fields API response and merged into the mergedDoc source
+ const { kibana, ...filteredSource } = mergedEvent._source || {};
 // TODO: better naming for SignalHit - it's really a new signal to be inserted
 const signalHit: SignalHit = {
- ...mergedEvent._source,
+ ...filteredSource,
 '@timestamp': new Date().toISOString(),
 event: eventFields,
 signal,
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/types.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/types.ts
index 4ad734c3bf7d96..8088742b32f7e2 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/types.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/types.ts
@@ -119,6 +119,7 @@ export interface SignalSource {
 original_time?: string;
 threshold_result?: ThresholdResult;
 };
+ kibana?: SearchTypes;
 }
 export interface BulkItem { From 0214b61f498c2b87200cf8e36f6eb46d113eddfa Mon Sep 17 00:00:00 2001 From: Marshall Main Date: Wed, 4 Aug 2021 09:35:18 -0700 Subject: [PATCH 31/32] Update cypress test to account for new fields in table --- .../ccs_integration/detection_alerts/alerts_details.spec.ts | 2 +- .../cypress/integration/detection_alerts/alerts_details.spec.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/x-pack/plugins/security_solution/cypress/ccs_integration/detection_alerts/alerts_details.spec.ts b/x-pack/plugins/security_solution/cypress/ccs_integration/detection_alerts/alerts_details.spec.ts
index 24de882bdfb905..2e300fab127a91 100644
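Review bot: The new comment above `const { kibana, ...filteredSource } = mergedEvent._source || {};` says the fields are "merged into the mergedDoc source", but the variable in this function is `mergedEvent`; the text was copied from buildBulkBody and its last line should read `// in the fields API response and merged into the mergedEvent source`. The `kibana` binding exists only to omit the key, so a trailing note such as `// kibana is destructured only to drop it` would stop it from reading like a forgotten variable. buildSignalFromEvent's body starts and ends outside the hunk.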
--- a/x-pack/plugins/security_solution/cypress/ccs_integration/detection_alerts/alerts_details.spec.ts +++ b/x-pack/plugins/security_solution/cypress/ccs_integration/detection_alerts/alerts_details.spec.ts @@ -55,7 +55,7 @@ describe('Alert details with unmapped fields', () => { it('Displays the unmapped field on the table', () => { const expectedUnmmappedField = { - row: 55, + row: 88, field: 'unmapped', text: 'This is the unmapped field', }; diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts index dda86d2717386c..7799ab4d184a44 100644 --- a/x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts +++ b/x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts @@ -53,7 +53,7 @@ describe('Alert details with unmapped fields', () => { it('Displays the unmapped field on the table', () => { const expectedUnmmappedField = { - row: 55, + row: 88, field: 'unmapped', text: 'This is the unmapped field', }; From 498f9c4f00d7c59c1a0a2f7faa0529b173cea13b Mon Sep 17 00:00:00 2001 From: Marshall Main Date: Wed, 4 Aug 2021 11:00:18 -0700 Subject: [PATCH 32/32] Properly handle space ids with dashes in them --- .../routes/index/create_index_route.ts | 34 +++++++++++++++---- 1 file changed, 28 insertions(+), 6 deletions(-) diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts index 76022a1b3407c2..c6635eec520b22 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts 
@@ -132,12 +132,10 @@ export const createDetectionIndex = async (
 // for BOTH the index AND alias name. However, through 7.14 admins only needed permissions for .siem-signals (the index)
 // and not .alerts-security.alerts (the alias). From the security solution perspective, all .siem-signals--*
 // indices should have an alias to .alerts-security.alerts- so it's safe to add those aliases as the internal user.
- await context.core.elasticsearch.client.asInternalUser.indices.putAlias({
- index: `${index}-*`,
- name: aadIndexAliasName,
- body: {
- is_write_index: false,
- },
+ await addIndexAliases({
+ esClient: context.core.elasticsearch.client.asInternalUser,
+ index,
+ aadIndexAliasName,
 });
 const indexVersion = await getIndexVersion(esClient, index);
 if (isOutdated({ current: indexVersion, target: SIGNALS_TEMPLATE_VERSION })) {
@@ -182,3 +180,27 @@ const addFieldAliasesToIndices = async ({
 } as estypes.IndicesPutMappingRequest);
 }
 };
+
+const addIndexAliases = async ({
+ esClient,
+ index,
+ aadIndexAliasName,
+}: {
+ esClient: ElasticsearchClient;
+ index: string;
+ aadIndexAliasName: string;
+}) => {
+ const { body: indices } = await esClient.indices.getAlias({ name: index });
+ const aliasActions = {
+ actions: Object.keys(indices).map((concreteIndexName) => {
+ return {
+ add: {
+ index: concreteIndexName,
+ alias: aadIndexAliasName,
+ is_write_index: false,
+ },
+ };
+ }),
+ };
+ await esClient.indices.updateAliases({ body: aliasActions });
+};
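Review bot: `addIndexAliases` needs a header comment stating why it resolves the concrete indices through `getAlias({ name: index })` instead of the `${index}-*` pattern it replaces: space ids may contain dashes, so a wildcard on the signals index name presumably also matches the indices of any other space whose id begins with this one, and because the caller passes `asInternalUser` that would attach another space's signal indices to this space's alerts alias. Suggested text: `// Resolve the indices behind the signals alias explicitly instead of using an index pattern: space ids may contain dashes,` / `// so a wildcard could also match indices of other spaces whose ids extend this one, and this runs as the internal user.` The comment kept above the call site in the first hunk still describes the old wildcard behaviour ("all .siem-signals-* indices") and should point at the helper instead. If `getAlias` ever returned no indices, `updateAliases` would be sent an empty `actions` array, which Elasticsearch is likely to reject; that looks unreachable under the `indexExists` guard, but an early return on an empty list would make the helper safe to reuse.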