elastic
diff --git a/‎x-pack/plugins/security_solution/server/lib/detection_engine/signals/__mocks__/es_results.ts‎
Lines changed: 11 additions & 0 deletions b/‎x-pack/plugins/security_solution/server/lib/detection_engine/signals/__mocks__/es_results.ts‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_events_query.test.ts‎
Lines changed: 36 additions & 5 deletions b/‎x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_events_query.test.ts‎
Lines changed: 36 additions & 5 deletions
diff --git a/‎x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_events_query.ts‎
Lines changed: 6 additions & 0 deletions b/‎x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_events_query.ts‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.test.ts‎
Lines changed: 1 addition & 1 deletion b/‎x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.test.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.ts‎
Lines changed: 3 additions & 3 deletions b/‎x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.ts‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎x-pack/plugins/security_solution/server/lib/detection_engine/signals/filters/create_field_and_set_tuples.test.ts‎
Lines changed: 4 additions & 4 deletions b/‎x-pack/plugins/security_solution/server/lib/detection_engine/signals/filters/create_field_and_set_tuples.test.ts‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎x-pack/plugins/security_solution/server/lib/detection_engine/signals/filters/create_set_to_filter_against.test.ts‎
Lines changed: 4 additions & 4 deletions b/‎x-pack/plugins/security_solution/server/lib/detection_engine/signals/filters/create_set_to_filter_against.test.ts‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎x-pack/plugins/security_solution/server/lib/detection_engine/signals/filters/create_set_to_filter_against.ts‎
Lines changed: 1 addition & 2 deletions b/‎x-pack/plugins/security_solution/server/lib/detection_engine/signals/filters/create_set_to_filter_against.ts‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎x-pack/plugins/security_solution/server/lib/detection_engine/signals/filters/filter_events.test.ts‎
Lines changed: 5 additions & 5 deletions b/‎x-pack/plugins/security_solution/server/lib/detection_engine/signals/filters/filter_events.test.ts‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎x-pack/plugins/security_solution/server/lib/detection_engine/signals/filters/filter_events.ts‎
Lines changed: 8 additions & 5 deletions b/‎x-pack/plugins/security_solution/server/lib/detection_engine/signals/filters/filter_events.ts‎
Lines changed: 8 additions & 5 deletions
@@ -166,6 +166,12 @@ export const sampleDocWithSortId = (
       ip: destIp ?? '127.0.0.1',
     },
   },
+  fields: {
+    someKey: ['someValue'],
+    '@timestamp': ['2020-04-20T21:27:45+0000'],
+    'source.ip': ip ? (Array.isArray(ip) ? ip : [ip]) : ['127.0.0.1'],
+    'destination.ip': destIp ? (Array.isArray(destIp) ? destIp : [destIp]) : ['127.0.0.1'],
+  },
   sort: ['1234567891111'],
 });
 
@@ -185,6 +191,11 @@ export const sampleDocNoSortId = (
       ip: ip ?? '127.0.0.1',
     },
   },
+  fields: {
+    someKey: ['someValue'],
+    '@timestamp': ['2020-04-20T21:27:45+0000'],
+    'source.ip': [ip ?? '127.0.0.1'],
+  },
   sort: [],
 });
 
 
@@ -56,7 +56,12 @@ describe('create_signals', () => {
             ],
           },
         },
-
+        fields: [
+          {
+            field: '*',
+            include_unmapped: true,
+          },
+        ],
         sort: [
           {
             '@timestamp': {
@@ -115,7 +120,12 @@ describe('create_signals', () => {
             ],
           },
         },
-
+        fields: [
+          {
+            field: '*',
+            include_unmapped: true,
+          },
+        ],
         sort: [
           {
             '@timestamp': {
@@ -175,7 +185,12 @@ describe('create_signals', () => {
             ],
           },
         },
-
+        fields: [
+          {
+            field: '*',
+            include_unmapped: true,
+          },
+        ],
         sort: [
           {
             '@timestamp': {
@@ -236,7 +251,12 @@ describe('create_signals', () => {
             ],
           },
         },
-
+        fields: [
+          {
+            field: '*',
+            include_unmapped: true,
+          },
+        ],
         sort: [
           {
             '@timestamp': {
@@ -296,7 +316,12 @@ describe('create_signals', () => {
             ],
           },
         },
-
+        fields: [
+          {
+            field: '*',
+            include_unmapped: true,
+          },
+        ],
         sort: [
           {
             '@timestamp': {
@@ -358,6 +383,12 @@ describe('create_signals', () => {
             ],
           },
         },
+        fields: [
+          {
+            field: '*',
+            include_unmapped: true,
+          },
+        ],
         aggregations: {
           tags: {
             terms: {
 
@@ -89,6 +89,12 @@ export const buildEventsSearchQuery = ({
           ],
         },
       },
+      fields: [
+        {
+          field: '*',
+          include_unmapped: true,
+        },
+      ],
       ...(aggregations ? { aggregations } : {}),
       sort: [
         {
 
@@ -67,7 +67,7 @@ describe('transformThresholdResultsToEcs', () => {
             _id,
             _index: 'test',
             _source: {
-              '@timestamp': '2020-04-20T21:27:45+0000',
+              '@timestamp': ['2020-04-20T21:27:45+0000'],
               threshold_result: {
                 count: 1,
                 value: '127.0.0.1',
 
@@ -75,7 +75,7 @@ const getTransformedHits = (
     }
 
     const source = {
-      '@timestamp': get(timestampOverride ?? '@timestamp', hit._source),
+      '@timestamp': get(timestampOverride ?? '@timestamp', hit.fields),
       threshold_result: {
         count: totalResults,
         value: ruleId,
@@ -104,10 +104,10 @@ const getTransformedHits = (
         }
 
         const source = {
-          '@timestamp': get(timestampOverride ?? '@timestamp', hit._source),
+          '@timestamp': get(timestampOverride ?? '@timestamp', hit.fields),
           threshold_result: {
             count: docCount,
-            value: get(threshold.field, hit._source),
+            value: key,
           },
         };
 
 
@@ -120,7 +120,7 @@ describe('filterEventsAgainstList', () => {
       exceptionItem,
       buildRuleMessage,
     });
-    expect([...matchedSet]).toEqual([JSON.stringify('1.1.1.1')]);
+    expect([...matchedSet]).toEqual([JSON.stringify(['1.1.1.1'])]);
   });
 
   test('it returns two matched sets as a JSON.stringify() set from the "events"', async () => {
@@ -133,7 +133,7 @@ describe('filterEventsAgainstList', () => {
       exceptionItem,
       buildRuleMessage,
     });
-    expect([...matchedSet]).toEqual([JSON.stringify('1.1.1.1'), JSON.stringify('2.2.2.2')]);
+    expect([...matchedSet]).toEqual([JSON.stringify(['1.1.1.1']), JSON.stringify(['2.2.2.2'])]);
   });
 
   test('it returns an array as a set as a JSON.stringify() array from the "events"', async () => {
@@ -282,7 +282,7 @@ describe('filterEventsAgainstList', () => {
       exceptionItem,
       buildRuleMessage,
     });
-    expect([...matchedSet1]).toEqual([JSON.stringify('1.1.1.1'), JSON.stringify('2.2.2.2')]);
-    expect([...matchedSet2]).toEqual([JSON.stringify('3.3.3.3'), JSON.stringify('5.5.5.5')]);
+    expect([...matchedSet1]).toEqual([JSON.stringify(['1.1.1.1']), JSON.stringify(['2.2.2.2'])]);
+    expect([...matchedSet2]).toEqual([JSON.stringify(['3.3.3.3']), JSON.stringify(['5.5.5.5'])]);
   });
 });
@@ -62,9 +62,9 @@ describe('createSetToFilterAgainst', () => {
     expect(listClient.searchListItemByValues).toHaveBeenCalledWith({
       listId: 'list-123',
       type: 'ip',
-      value: ['1.1.1.1'],
+      value: [['1.1.1.1']],
     });
-    expect([...field]).toEqual([JSON.stringify('1.1.1.1')]);
+    expect([...field]).toEqual([JSON.stringify(['1.1.1.1'])]);
   });
 
   test('it returns 2 fields if the list returns 2 items', async () => {
@@ -81,9 +81,9 @@ describe('createSetToFilterAgainst', () => {
     expect(listClient.searchListItemByValues).toHaveBeenCalledWith({
       listId: 'list-123',
       type: 'ip',
-      value: ['1.1.1.1', '2.2.2.2'],
+      value: [['1.1.1.1'], ['2.2.2.2']],
     });
-    expect([...field]).toEqual([JSON.stringify('1.1.1.1'), JSON.stringify('2.2.2.2')]);
+    expect([...field]).toEqual([JSON.stringify(['1.1.1.1']), JSON.stringify(['2.2.2.2'])]);
   });
 
   test('it returns 0 fields if the field does not match up to a valid field within the event', async () => {
 
@@ -5,7 +5,6 @@
  * 2.0.
  */
 
-import { get } from 'lodash/fp';
 import { CreateSetToFilterAgainstOptions } from './types';
 
 /**
@@ -31,7 +30,7 @@ export const createSetToFilterAgainst = async <T>({
   buildRuleMessage,
 }: CreateSetToFilterAgainstOptions<T>): Promise<Set<unknown>> => {
   const valuesFromSearchResultField = events.reduce((acc, searchResultItem) => {
-    const valueField = get(field, searchResultItem._source);
+    const valueField = searchResultItem.fields ? searchResultItem.fields[field] : undefined;
     if (valueField != null) {
       acc.add(valueField);
     }
 
@@ -40,7 +40,7 @@ describe('filterEvents', () => {
       {
         field: 'source.ip',
         operator: 'included',
-        matchedSet: new Set([JSON.stringify('1.1.1.1')]),
+        matchedSet: new Set([JSON.stringify(['1.1.1.1'])]),
       },
     ];
     const field = filterEvents({
@@ -56,7 +56,7 @@ describe('filterEvents', () => {
       {
         field: 'source.ip',
         operator: 'excluded',
-        matchedSet: new Set([JSON.stringify('1.1.1.1')]),
+        matchedSet: new Set([JSON.stringify(['1.1.1.1'])]),
       },
     ];
     const field = filterEvents({
@@ -72,7 +72,7 @@ describe('filterEvents', () => {
       {
         field: 'madeup.nonexistent', // field does not exist
         operator: 'included',
-        matchedSet: new Set([JSON.stringify('1.1.1.1')]),
+        matchedSet: new Set([JSON.stringify(['1.1.1.1'])]),
       },
     ];
     const field = filterEvents({
@@ -88,12 +88,12 @@ describe('filterEvents', () => {
       {
         field: 'source.ip',
         operator: 'included',
-        matchedSet: new Set([JSON.stringify('1.1.1.1')]),
+        matchedSet: new Set([JSON.stringify(['1.1.1.1'])]),
       },
       {
         field: 'source.ip',
         operator: 'excluded',
-        matchedSet: new Set([JSON.stringify('1.1.1.1')]),
+        matchedSet: new Set([JSON.stringify(['1.1.1.1'])]),
       },
     ];
 
 
@@ -5,7 +5,6 @@
  * 2.0.
  */
 
-import { get } from 'lodash/fp';
 import { SearchResponse } from '../../../types';
 import { FilterEventsOptions } from './types';
 
@@ -22,13 +21,17 @@ export const filterEvents = <T>({
   return events.filter((item) => {
     return fieldAndSetTuples
       .map((tuple) => {
-        const eventItem = get(tuple.field, item._source);
-        if (eventItem == null) {
-          return true;
-        } else if (tuple.operator === 'included') {
+        const eventItem = item.fields ? item.fields[tuple.field] : undefined;
+        if (tuple.operator === 'included') {
+          if (eventItem == null) {
+            return true;
+          }
           // only create a signal if the event is not in the value list
           return !tuple.matchedSet.has(JSON.stringify(eventItem));
         } else if (tuple.operator === 'excluded') {
+          if (eventItem == null) {
+            return false;
+          }
           // only create a signal if the event is in the value list
           return tuple.matchedSet.has(JSON.stringify(eventItem));
         } else {