fix IM rule

x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/create_indicator_match_alert_type.ts

@@ -76,7 +76,6 @@ export const createIndicatorMatchAlertType = (
           secondaryTimestamp,
           exceptionFilter,
           unprocessedExceptions,
-          inputIndexFields,
         },
         services,
         spaceId,
@@ -119,7 +118,6 @@ export const createIndicatorMatchAlertType = (
         secondaryTimestamp,
         exceptionFilter,
         unprocessedExceptions,
-        inputIndexFields,
         wrapSuppressedHits,
         runOpts,
         licensing,

x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/indicator_match.ts

@@ -15,7 +15,7 @@ import type {
   RuleExecutorServices,
 } from '@kbn/alerting-plugin/server';
 import type { ListClient } from '@kbn/lists-plugin/server';
-import type { Filter, DataViewFieldBase } from '@kbn/es-query';
+import type { Filter } from '@kbn/es-query';
 import type { RuleRangeTuple, BulkCreate, WrapHits, WrapSuppressedHits, RunOpts } from '../types';
 import type { ITelemetryEventsSender } from '../../../telemetry/sender';
 import { createThreatSignals } from './threat_mapping/create_threat_signals';
@@ -43,7 +43,6 @@ export const indicatorMatchExecutor = async ({
   secondaryTimestamp,
   exceptionFilter,
   unprocessedExceptions,
-  inputIndexFields,
   wrapSuppressedHits,
   runOpts,
   licensing,
@@ -65,7 +64,6 @@ export const indicatorMatchExecutor = async ({
   secondaryTimestamp?: string;
   exceptionFilter: Filter | undefined;
   unprocessedExceptions: ExceptionListItemSchema[];
-  inputIndexFields: DataViewFieldBase[];
   wrapSuppressedHits: WrapSuppressedHits;
   runOpts: RunOpts<ThreatRuleParams>;
   licensing: LicensingPluginSetup;
@@ -106,7 +104,6 @@ export const indicatorMatchExecutor = async ({
       secondaryTimestamp,
       exceptionFilter,
       unprocessedExceptions,
-      inputIndexFields,
       runOpts,
       licensing,
       experimentalFeatures,

x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/threat_mapping/create_threat_signals.ts

@@ -10,6 +10,7 @@ import { firstValueFrom } from 'rxjs';
 import type { OpenPointInTimeResponse } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 
 import { uniq, chunk } from 'lodash/fp';
+import { queryToFields } from '@kbn/data-plugin/common';
 
 import { TelemetryChannel } from '../../../../telemetry/types';
 import { getThreatList, getThreatListCount } from './get_threat_list';
@@ -36,7 +37,6 @@ import { getEventCount, getEventList } from './get_event_count';
 import { getMappingFilters } from './get_mapping_filters';
 import { THREAT_PIT_KEEP_ALIVE } from '../../../../../../common/cti/constants';
 import { getMaxSignalsWarning, getSafeSortIds } from '../../utils/utils';
-import { getFieldsForWildcard } from '../../utils/get_fields_for_wildcard';
 import { getDataTierFilter } from '../../utils/get_data_tier_filter';
 
 export const createThreatSignals = async ({
@@ -72,7 +72,6 @@ export const createThreatSignals = async ({
   secondaryTimestamp,
   exceptionFilter,
   unprocessedExceptions,
-  inputIndexFields,
   licensing,
   experimentalFeatures,
 }: CreateThreatSignalsOptions): Promise<SearchAfterAndBulkCreateReturnType> => {
@@ -115,6 +114,17 @@ export const createThreatSignals = async ({
   const allEventFilters = [...filters, eventMappingFilter, ...dataTiersFilters];
   const allThreatFilters = [...threatFilters, indicatorMappingFilter, ...dataTiersFilters];
 
+  const dataViews = await services.getDataViews();
+  const inputIndexDataViewLazy = await dataViews.createDataViewLazy({
+    title: inputIndex.join(),
+  });
+  const inputIndexFields = Object.values(
+    await queryToFields({
+      dataView: inputIndexDataViewLazy,
+      request: { query: [{ query, language: language || 'kuery' }] },
+    })
+  );
+
   const eventCount = await getEventCount({
     esClient: services.scopedClusterClient.asCurrentUser,
     index: inputIndex,
@@ -140,14 +150,15 @@ export const createThreatSignals = async ({
     if (newPitId) threatPitId = newPitId;
   };
 
-  const dataViews = await services.getDataViews();
-  // const threatIndexFields = await getFieldsForWildcard({
-  //   index: threatIndex,
-  //   language: threatLanguage ?? 'kuery',
-  //   dataViews,
-  //   ruleExecutionLogger,
-  // });
-  const threatIndexFields = [];
+  const threatIndexDataViewLazy = await dataViews.createDataViewLazy({
+    title: threatIndex.join(),
+  });
+  const threatIndexFields = Object.values(
+    await queryToFields({
+      dataView: threatIndexDataViewLazy,
+      request: { query: [{ query: threatQuery, language: threatLanguage || 'kuery' }] },
+    })
+  );
 
   const threatListCount = await getThreatListCount({
     esClient: services.scopedClusterClient.asCurrentUser,

x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/threat_mapping/types.ts

@@ -77,7 +77,6 @@ export interface CreateThreatSignalsOptions {
   secondaryTimestamp?: string;
   exceptionFilter: Filter | undefined;
   unprocessedExceptions: ExceptionListItemSchema[];
-  inputIndexFields: DataViewFieldBase[];
   runOpts: RunOpts<ThreatRuleParams>;
   licensing: LicensingPluginSetup;
   experimentalFeatures: ExperimentalFeatures;

x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/threshold.ts

@@ -18,7 +18,7 @@ import type {
   RuleExecutorServices,
 } from '@kbn/alerting-plugin/server';
 import type { IRuleDataClient } from '@kbn/rule-registry-plugin/server';
-import type { Filter, DataViewFieldBase } from '@kbn/es-query';
+import type { Filter } from '@kbn/es-query';
 import type { CompleteRule, ThresholdRuleParams } from '../../rule_schema';
 import { getFilter } from '../utils/get_filter';
 import { bulkCreateThresholdSignals } from './bulk_create_threshold_signals';