elastic
diff --git a/‎x-pack/solutions/security/plugins/entity_store/common/domain/definitions/common_fields.ts‎
Lines changed: 17 additions & 6 deletions b/‎x-pack/solutions/security/plugins/entity_store/common/domain/definitions/common_fields.ts‎
Lines changed: 17 additions & 6 deletions
diff --git a/‎x-pack/solutions/security/plugins/entity_store/common/domain/definitions/entity.gen.ts‎
Lines changed: 1 addition & 1 deletion b/‎x-pack/solutions/security/plugins/entity_store/common/domain/definitions/entity.gen.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎x-pack/solutions/security/plugins/entity_store/common/domain/definitions/entity.schema.yaml‎
Lines changed: 3 additions & 1 deletion b/‎x-pack/solutions/security/plugins/entity_store/common/domain/definitions/entity.schema.yaml‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎x-pack/solutions/security/plugins/entity_store/common/domain/definitions/entity_schema.ts‎
Lines changed: 3 additions & 1 deletion b/‎x-pack/solutions/security/plugins/entity_store/common/domain/definitions/entity_schema.ts‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎x-pack/solutions/security/plugins/entity_store/common/domain/definitions/generic.ts‎
Lines changed: 8 additions & 3 deletions b/‎x-pack/solutions/security/plugins/entity_store/common/domain/definitions/generic.ts‎
Lines changed: 8 additions & 3 deletions
diff --git a/‎x-pack/solutions/security/plugins/entity_store/common/domain/definitions/host.ts‎
Lines changed: 2 additions & 0 deletions b/‎x-pack/solutions/security/plugins/entity_store/common/domain/definitions/host.ts‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎x-pack/solutions/security/plugins/entity_store/common/domain/definitions/service.ts‎
Lines changed: 6 additions & 1 deletion b/‎x-pack/solutions/security/plugins/entity_store/common/domain/definitions/service.ts‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎x-pack/solutions/security/plugins/entity_store/common/domain/definitions/user.ts‎
Lines changed: 2 additions & 8 deletions b/‎x-pack/solutions/security/plugins/entity_store/common/domain/definitions/user.ts‎
Lines changed: 2 additions & 8 deletions
diff --git a/‎x-pack/solutions/security/plugins/entity_store/common/domain/euid/commons.ts‎
Lines changed: 4 additions & 2 deletions b/‎x-pack/solutions/security/plugins/entity_store/common/domain/euid/commons.ts‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎x-pack/solutions/security/plugins/entity_store/common/domain/euid/dsl.ts‎
Lines changed: 12 additions & 12 deletions b/‎x-pack/solutions/security/plugins/entity_store/common/domain/euid/dsl.ts‎
Lines changed: 12 additions & 12 deletions
@@ -6,19 +6,16 @@
  */
 
 import type { Condition } from '@kbn/streamlang';
-import type { EntityType, EntityField } from './entity_schema';
+import type { EntityType, EntityField, FieldEvaluation } from './entity_schema';
 import { collectValues, newestValue, oldestValue } from './field_retention_operations';
 
 export const ENTITY_ID_FIELD = 'entity.id';
+export const ENTITY_SOURCE_FIELD = 'entity.source';
 // Copied from x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/entity_store/entity_definitions/entity_descriptions/common.ts
 
 export const getCommonFieldDescriptions = (
   ecsField: Omit<EntityType, 'generic'> | 'entity'
 ): EntityField[] => [
-  newestValue({
-    source: '_index',
-    destination: 'entity.source',
-  }),
   newestValue({ source: 'asset.id' }),
   newestValue({ source: 'asset.name' }),
   newestValue({ source: 'asset.owner' }),
@@ -52,7 +49,10 @@ export const getEntityFieldsDescriptions = (rootField?: EntityType) => {
   const prefix = rootField ? `${rootField}.entity` : 'entity';
 
   return [
-    newestValue({ source: `${prefix}.source`, destination: 'entity.source' }),
+    collectValues({ source: 'event.module' }),
+    collectValues({ source: 'event.dataset' }),
+    collectValues({ source: 'data_stream.dataset', fieldHistoryLength: 50 }),
+    collectValues({ source: ENTITY_SOURCE_FIELD, fieldHistoryLength: 50 }),
     newestValue({ source: `${prefix}.type`, destination: 'entity.type' }),
     newestValue({ source: `${prefix}.sub_type`, destination: 'entity.sub_type' }),
     newestValue({ source: `${prefix}.url`, destination: 'entity.url' }),
@@ -189,6 +189,17 @@ export const getEntityFieldsDescriptions = (rootField?: EntityType) => {
   ];
 };
 
+export const ENTITY_SOURCE_FIELD_EVALUATION: FieldEvaluation = {
+  destination: ENTITY_SOURCE_FIELD,
+  sources: [
+    { field: 'event.module' },
+    { field: 'event.dataset' },
+    { field: 'data_stream.dataset' },
+  ],
+  fallbackValue: null,
+  whenClauses: [],
+};
+
 export function isNotEmptyCondition(field: string): Condition {
   return {
     and: [
 
@@ -35,7 +35,7 @@ export const EntityField = z
     name: z.string().optional(),
     type: z.string().optional(),
     sub_type: z.string().optional(),
-    source: z.string().optional(),
+    source: z.array(z.string()).optional(),
     EngineMetadata: EngineMetadata.optional(),
     attributes: z
       .object({
 
@@ -30,7 +30,9 @@ components:
         sub_type:
           type: string
         source:
-          type: string
+          type: array
+          items:
+            type: string
         EngineMetadata:
           $ref: '#/components/schemas/EngineMetadata'
         attributes:
 
@@ -51,7 +51,7 @@ const fieldEvaluationSourceSchema = z.union([
 const fieldEvaluationSchema = z.object({
   destination: z.string(),
   sources: z.array(fieldEvaluationSourceSchema),
-  fallbackValue: z.string(),
+  fallbackValue: z.string().nullable(),
   whenClauses: z.array(fieldEvaluationWhenClauseSchema),
 });
 
@@ -136,6 +136,8 @@ export const entitySchema = z.object({
   filter: z.string().optional(),
   entityTypeFallback: z.string().optional(),
   fields: z.array(fieldSchema),
+  // Optional evaluated fields applied before pre-agg overrides and STATS for all entity types.
+  fieldEvaluations: z.optional(z.array(fieldEvaluationSchema)),
   identityField: identityFieldSchema,
   indexPatterns: z.array(z.string()),
   // Optional filter (Condition from @kbn/streamlang) applied in ESQL only, right after the
 
@@ -7,13 +7,18 @@
 
 import { newestValue } from './field_retention_operations';
 import type { EntityDefinitionWithoutId } from './entity_schema';
-import { getCommonFieldDescriptions, getEntityFieldsDescriptions } from './common_fields';
+import {
+  ENTITY_SOURCE_FIELD_EVALUATION,
+  getCommonFieldDescriptions,
+  getEntityFieldsDescriptions,
+} from './common_fields';
 
-export const genericEntityDefinition: EntityDefinitionWithoutId = {
+export const genericEntityDefinition = {
   type: 'generic',
   name: `Security 'generic' Entity Store Definition`,
   identityField: { singleField: 'entity.id', skipTypePrepend: true },
   indexPatterns: [],
+  fieldEvaluations: [ENTITY_SOURCE_FIELD_EVALUATION],
   fields: [
     // We want this to make sure it's also extracted on CCS logs extraction
     newestValue({ source: 'entity.id' }),
@@ -50,4 +55,4 @@ export const genericEntityDefinition: EntityDefinitionWithoutId = {
 
     ...getCommonFieldDescriptions('entity'),
   ],
-} as const satisfies EntityDefinitionWithoutId;
+} satisfies EntityDefinitionWithoutId;
@@ -8,6 +8,7 @@
 import { collectValues as collect, newestValue, oldestValue } from './field_retention_operations';
 import type { EntityDefinitionWithoutId } from './entity_schema';
 import {
+  ENTITY_SOURCE_FIELD_EVALUATION,
   getCommonFieldDescriptions,
   getEntityFieldsDescriptions,
   isNotEmptyCondition,
@@ -36,6 +37,7 @@ export const hostEntityDefinition: EntityDefinitionWithoutId = {
   },
   entityTypeFallback: 'Host',
   indexPatterns: [],
+  fieldEvaluations: [ENTITY_SOURCE_FIELD_EVALUATION],
   fields: [
     newestValue({ destination: 'entity.name', source: 'host.name' }),
     oldestValue({ source: 'host.entity.id' }),
 
@@ -5,7 +5,11 @@
  * 2.0.
  */
 
-import { getCommonFieldDescriptions, getEntityFieldsDescriptions } from './common_fields';
+import {
+  ENTITY_SOURCE_FIELD_EVALUATION,
+  getCommonFieldDescriptions,
+  getEntityFieldsDescriptions,
+} from './common_fields';
 import type { EntityDefinitionWithoutId } from './entity_schema';
 import { collectValues as collect, newestValue, oldestValue } from './field_retention_operations';
 
@@ -15,6 +19,7 @@ export const serviceEntityDefinition: EntityDefinitionWithoutId = {
   identityField: { singleField: 'service.name' },
   indexPatterns: [],
   entityTypeFallback: 'Service',
+  fieldEvaluations: [ENTITY_SOURCE_FIELD_EVALUATION],
   fields: [
     newestValue({ destination: 'entity.name', source: 'service.name' }),
     oldestValue({ source: 'service.entity.id' }),
 
@@ -7,6 +7,7 @@
 
 import type { Condition } from '@kbn/streamlang';
 import {
+  ENTITY_SOURCE_FIELD_EVALUATION,
   fieldNotOneOfCondition,
   getCommonFieldDescriptions,
   getEntityFieldsDescriptions,
@@ -75,6 +76,7 @@ const nonIdpPostAggFilter = nonIdpDocumentFilter;
 export const userEntityDefinition: EntityDefinitionWithoutId = {
   type: 'user',
   name: `Security 'user' Entity Store Definition`,
+  fieldEvaluations: [ENTITY_SOURCE_FIELD_EVALUATION],
   identityField: {
     fieldEvaluations: [
       {
@@ -186,14 +188,6 @@ export const userEntityDefinition: EntityDefinitionWithoutId = {
   ],
   fields: [
     newestValue({ source: 'entity.name' }),
-    // Having multiple values in event.module or data_stream.dataset is a good feature
-    // but causes complexity for CCS extraction.
-    // That's why event.module and data_stream.dataset always use MV_FIRST on its usage
-    collect({ source: 'event.module' }),
-    // keep field length large for safety to not lose idps
-    // with many datasets
-    collect({ source: 'data_stream.dataset', fieldHistoryLength: 50 }),
-
     collect({ source: 'event.kind' }),
     collect({ source: 'event.category' }),
     collect({ source: 'event.type' }),
 
@@ -11,6 +11,8 @@ import type {
   CalculatedEntityIdentity,
   EntityDefinitionWithoutId,
   EuidAttribute,
+  EuidField,
+  EuidSeparator,
   FieldEvaluationSource,
   FieldValueSchema,
 } from '../definitions/entity_schema';
@@ -234,11 +236,11 @@ export function getFieldsToBeFilteredOut(
   return toFilterOut;
 }
 
-export function isEuidField(attr: EuidAttribute) {
+export function isEuidField(attr: EuidAttribute): attr is EuidField {
   return 'field' in attr;
 }
 
-export function isEuidSeparator(attr: EuidAttribute) {
+export function isEuidSeparator(attr: EuidAttribute): attr is EuidSeparator {
   return 'sep' in attr;
 }
 
 
@@ -7,7 +7,7 @@
 
 import type { QueryDslQueryContainer } from '@kbn/data-views-plugin/common/types';
 import { conditionToQueryDsl } from '@kbn/streamlang';
-import type { EntityType } from '../definitions/entity_schema';
+import type { EntityType, FieldEvaluation } from '../definitions/entity_schema';
 import { isSingleFieldIdentity } from '../definitions/entity_schema';
 import { getEntityDefinitionWithoutId } from '../definitions/registry';
 import { isNotEmptyCondition } from '../definitions/common_fields';
@@ -27,7 +27,6 @@ import {
   getSourceMatchSpec,
   type SourceMatchSpec,
 } from './field_evaluations';
-import type { FieldEvaluation } from '../definitions/entity_schema';
 
 /**
  * Returns a DSL filter that matches documents considered for the given entity type.
@@ -118,8 +117,9 @@ export function getEuidDslFilterBasedOnDocument(
     };
   }
 
-  if (identityField.fieldEvaluations?.length) {
-    const evaluated = applyFieldEvaluations(doc, identityField.fieldEvaluations);
+  const fieldEvaluations = identityField.fieldEvaluations ?? [];
+  if (fieldEvaluations.length > 0) {
+    const evaluated = applyFieldEvaluations(doc, fieldEvaluations);
     doc = { ...doc, ...evaluated };
   }
   if (entityDefinition.whenConditionTrueSetFieldsPreAgg?.length) {
@@ -139,9 +139,7 @@ export function getEuidDslFilterBasedOnDocument(
 
   // Evaluated fields (e.g. entity.namespace from event.module) are computed in memory and are not
   // stored in the index. Including them in the query would make it never match real documents.
-  const evaluatedDestinations = new Set(
-    identityField.fieldEvaluations?.map((e) => e.destination) ?? []
-  );
+  const evaluatedDestinations = new Set(fieldEvaluations.map((e) => e.destination));
 
   const filterValues = Object.entries(fieldsToBeFilteredOn.values).filter(
     ([field]) => !evaluatedDestinations.has(field)
@@ -153,21 +151,23 @@ export function getEuidDslFilterBasedOnDocument(
       })),
     },
   };
+  const boolQuery = dsl.bool!;
 
   const toBeFilteredOut = getFieldsToBeFilteredOut(effectiveRanking, fieldsToBeFilteredOn).filter(
     (field) => !evaluatedDestinations.has(field)
   );
   if (toBeFilteredOut.length > 0) {
-    const priorMust = Array.isArray(dsl.bool?.must) ? dsl.bool.must : [];
+    const priorMust = Array.isArray(boolQuery.must) ? boolQuery.must : [];
     dsl.bool = {
-      ...dsl.bool,
+      ...boolQuery,
       must: [...priorMust, ...toBeFilteredOut.map(fieldMissingOrEmptyDsl)],
     };
   }
 
-  if (identityField.fieldEvaluations?.length) {
-    const filterList = Array.isArray(dsl.bool?.filter) ? dsl.bool.filter : [];
-    for (const evaluation of identityField.fieldEvaluations) {
+  if (fieldEvaluations.length > 0) {
+    const currentBoolQuery = dsl.bool!;
+    const filterList = Array.isArray(currentBoolQuery.filter) ? currentBoolQuery.filter : [];
+    for (const evaluation of fieldEvaluations) {
       const { exactMatchFields, prefixMatchFields } = getSourceFieldNames(evaluation.sources);
       const sourceFields = [...exactMatchFields, ...prefixMatchFields];
       const hasEvaluatedSource = sourceFields.some((f) => evaluatedDestinations.has(f));
Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,8 @@ import type {`
`11`	`11`	`CalculatedEntityIdentity,`
`12`	`12`	`EntityDefinitionWithoutId,`
`13`	`13`	`EuidAttribute,`
	`14`	`+ EuidField,`
	`15`	`+ EuidSeparator,`
`14`	`16`	`FieldEvaluationSource,`
`15`	`17`	`FieldValueSchema,`
`16`	`18`	`} from '../definitions/entity_schema';`
`@@ -234,11 +236,11 @@ export function getFieldsToBeFilteredOut(`
`234`	`236`	`return toFilterOut;`
`235`	`237`	`}`
`236`	`238`
`237`		`-export function isEuidField(attr: EuidAttribute) {`
	`239`	`+export function isEuidField(attr: EuidAttribute): attr is EuidField {`
`238`	`240`	`return 'field' in attr;`
`239`	`241`	`}`
`240`	`242`
`241`		`-export function isEuidSeparator(attr: EuidAttribute) {`
	`243`	`+export function isEuidSeparator(attr: EuidAttribute): attr is EuidSeparator {`
`242`	`244`	`return 'sep' in attr;`
`243`	`245`	`}`
`244`	`246`