[Security Solution][Detections][Threshold Rules] Threshold Rule Bug Fixes

src/plugins/data/server/index_patterns/fetcher/index_patterns_fetcher.ts

@@ -65,14 +65,16 @@ export class IndexPatternsFetcher {
     pattern: string | string[];
     metaFields?: string[];
     fieldCapsOptions?: { allow_no_indices: boolean };
+    filters?: { aggregatable: boolean };
     type?: string;
     rollupIndex?: string;
   }): Promise<FieldDescriptor[]> {
-    const { pattern, metaFields, fieldCapsOptions, type, rollupIndex } = options;
+    const { pattern, metaFields, fieldCapsOptions, filters, type, rollupIndex } = options;
     const fieldCapsResponse = await getFieldCapabilities(
       this.elasticsearchClient,
       pattern,
       metaFields,
+      filters,
       {
         allow_no_indices: fieldCapsOptions
           ? fieldCapsOptions.allow_no_indices

src/plugins/data/server/index_patterns/fetcher/lib/field_capabilities/field_capabilities.ts

@@ -39,6 +39,7 @@ export async function getFieldCapabilities(
   callCluster: ElasticsearchClient,
   indices: string | string[] = [],
   metaFields: string[] = [],
+  filters?: { aggregatable: boolean },
   fieldCapsOptions?: { allow_no_indices: boolean }
 ) {
   const esFieldCaps = await callFieldCapsApi(callCluster, indices, fieldCapsOptions);
@@ -69,7 +70,8 @@ export async function getFieldCapabilities(
         readFromDocValues: false,
       })
     )
-    .map(mergeOverrides);
+    .map(mergeOverrides)
+    .filter((field) => (filters?.aggregatable ? field.aggregatable === true : true));
 
   return sortBy(allFieldsUnsorted, 'name');
 }

src/plugins/es_ui_shared/static/forms/hook_form_lib/hooks/use_field.ts

@@ -42,7 +42,7 @@ export const useField = <T, FormType = FormData, I = T>(
 ) => {
   const {
     type = FIELD_TYPES.TEXT,
-    defaultValue = '', // The value to use a fallback mecanism when no initial value is passed
+    defaultValue = '', // The value to use a fallback mechanism when no initial value is passed
     initialValue = config.defaultValue ?? '', // The value explicitly passed
     isIncludedInOutput = true,
     label = '',

x-pack/plugins/security_solution/common/search_strategy/index_fields/index.ts

@@ -51,6 +51,7 @@ export type BeatFields = Record<string, FieldInfo>;
 export interface IndexFieldsStrategyRequest extends IEsSearchRequest {
   indices: string[];
   onlyCheckIfIndicesExist: boolean;
+  filters?: { aggregatable: boolean };
 }
 
 export interface IndexFieldsStrategyResponse extends IEsSearchResponse {

x-pack/plugins/security_solution/public/common/containers/source/index.tsx

@@ -121,7 +121,8 @@ interface FetchIndexReturn {
 
 export const useFetchIndex = (
   indexNames: string[],
-  onlyCheckIfIndicesExist: boolean = false
+  onlyCheckIfIndicesExist: boolean = false,
+  filters?: { aggregatable: boolean }
 ): [boolean, FetchIndexReturn] => {
   const { data, notifications } = useKibana().services;
   const abortCtrl = useRef(new AbortController());
@@ -144,7 +145,7 @@ export const useFetchIndex = (
         setLoading(true);
         const searchSubscription$ = data.search
           .search<IndexFieldsStrategyRequest, IndexFieldsStrategyResponse>(
-            { indices: iNames, onlyCheckIfIndicesExist },
+            { indices: iNames, onlyCheckIfIndicesExist, filters },
             {
               abortSignal: abortCtrl.current.signal,
               strategy: 'securitySolutionIndexFields',
@@ -193,7 +194,7 @@ export const useFetchIndex = (
         abortCtrl.current.abort();
       };
     },
-    [data.search, notifications.toasts, onlyCheckIfIndicesExist]
+    [data.search, filters, notifications.toasts, onlyCheckIfIndicesExist]
   );
 
   useEffect(() => {

x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx

@@ -11,6 +11,7 @@ import { get, getOr, isEmpty, find } from 'lodash/fp';
 import moment from 'moment';
 import { i18n } from '@kbn/i18n';
 
+import { buildQueryFilter, Filter } from '../../../../../../../src/plugins/data/common';
 import { TimelineId, TimelineStatus, TimelineType } from '../../../../common/types/timeline';
 import { updateAlertStatus } from '../../containers/detection_engine/alerts/api';
 import { SendAlertToTimelineActionProps, UpdateAlertStatusActionProps } from './types';
@@ -289,6 +290,13 @@ export const sendAlertToTimelineAction = async ({
           end: to,
         },
         eventType: 'all',
+        filters: [
+          buildQueryFilter(
+            ecsData.signal?.rule?.filters,
+            ecsData._index ?? '',
+            (ecsData.signal?.rule?.filters as Filter).meta?.alias ?? ''
+          ),
+        ],
         kqlQuery: {
           filterQuery: {
             kuery: {

x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx

@@ -167,7 +167,12 @@ const StepDefineRuleComponent: FC<StepDefineRuleProps> = ({
   const ruleType = formRuleType || initialState.ruleType;
   const queryBarQuery =
     formQuery != null ? formQuery.query.query : '' || initialState.queryBar.query.query;
-  const [indexPatternsLoading, { browserFields, indexPatterns }] = useFetchIndex(index);
+  const filters = isThresholdRule(ruleType) ? { aggregatable: true } : undefined;
+  const [indexPatternsLoading, { browserFields, indexPatterns }] = useFetchIndex(
+    index,
+    false,
+    filters
+  );
   const [
     threatIndexPatternsLoading,
     { browserFields: threatBrowserFields, indexPatterns: threatIndexPatterns },