[Security Solution][CTI] Add non-ECS Security Solution and CTI mappings (RAC)

[ecezalp]

Summary

There are some non-ECS fields within the Security Solution that need to be added to be added to the RAC implementation of rules for backwards compatibility. This commit ensures that all mappings that existed within the security solution continue to exist.

Checklist

Delete any items that are not applicable to this PR.

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• Any UI touched in this PR is usable by keyboard only (learn more about keyboard accessibility)
• Any UI touched in this PR does not create any new axe failures (run axe in browser: FF, Chrome)
• If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list
• This renders correctly on smaller devices using a responsive layout. (You can test this in your browser)
• This was checked for cross-browser compatibility

Risk Matrix

Delete this section if it is not applicable to this PR.

Before closing this PR, invite QA, stakeholders, and other developers to identify risks that should be tested prior to the change/feature release.

When forming the risk matrix, consider some of the following examples and how they may potentially impact the change:

Risk	Probability	Severity	Mitigation/Notes
Multiple Spaces—unexpected behavior in non-default Kibana Space.	Low	High	Integration tests will verify that all features are still supported in non-default Kibana Space and when user switches between spaces.
Multiple nodes—Elasticsearch polling might have race conditions when multiple Kibana nodes are polling for the same tasks.	High	Low	Tasks are idempotent, so executing them multiple times will not result in logical error, but will degrade performance. To test for this case we add plenty of unit tests around this logic and document manual testing procedure.
Code should gracefully handle cases when feature X or plugin Y are disabled.	Medium	High	Unit tests will verify that any feature flag or plugin combination still results in our service operational.
See more potential risk examples

For maintainers

• This was checked for breaking API changes and was labeled appropriately

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[rylnd]

This looks good! I had one note about the ECS compatibility that we'll need to resolve before this can be merged.

@ecezalp could we pair on running this locally? I'd like to see the final output that this produces but I'm a bit behind the RAC curve here.

[rylnd]

We are removing the as, geo, and most other nested fields from threat.indicator as per the current RFC.

If these mappings will be used in 7.14, the current implementation makes sense. If these aren't going to be in effect until 7.15, we should strive to use the fields as presented in the RFC.

[rylnd]

For posterity: what was the logic used to generate this list of fields?

[rylnd]

Answered offline: these are all the fields in the existing signals index that were NOT either:

1. part of ECS
2. identified as past/current/future CTI fields.

[ecezalp]

@elasticmachine merge upstream

[ecezalp]

@elasticmachine merge upstream

[spalger]

jenkins, test this

(restarting due to jenkins upgrade)

[ecezalp]

@elasticmachine merge upstream

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: b056a69
• Storybooks Preview

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
apm	4.3MB	4.3MB	+50.0B
observability	453.2KB	453.3KB	+50.0B
total			+100.0B

History

• 💚 Build #131875 succeeded 1accd4f
• 💚 Build #131069 succeeded 34abeff
• 💚 Build #129647 succeeded c0f1f07

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @ecezalp

[ecezalp]

closing as duplicate of #107977