From 70341e2a449ac30d7b25a2dd401c057967334cc8 Mon Sep 17 00:00:00 2001
From: machadoum
Date: Wed, 25 Jun 2025 11:43:26 +0200
Subject: [PATCH] Fix search indices that was returning unmapped fields

---
 .../privilege_monitoring_data_client.ts | 23 ++++++-------------
 1 file changed, 7 insertions(+), 16 deletions(-)

diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/privilege_monitoring/privilege_monitoring_data_client.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/privilege_monitoring/privilege_monitoring_data_client.ts
index dfaf549fe856a..364f5909c993f 100644
--- a/x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/privilege_monitoring/privilege_monitoring_data_client.ts
+++ b/x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/privilege_monitoring/privilege_monitoring_data_client.ts
@@ -236,34 +236,25 @@ export class PrivilegeMonitoringDataClient {
   }
 
   public async searchPrivilegesIndices(query: string | undefined) {
-    const { indices } = await this.esClient.fieldCaps({
+    const { indices, fields } = await this.esClient.fieldCaps({
       index: [query ? `*${query}*` : '*', ...PRE_EXCLUDE_INDICES],
       types: ['keyword'],
       fields: ['user.name.keyword'], // search for indices with field 'user.name.keyword' of type 'keyword'
-      include_unmapped: false,
+      include_unmapped: true,
       ignore_unavailable: true,
       allow_no_indices: true,
       expand_wildcards: 'open',
-      include_empty_fields: false,
+      include_empty_fields: true,
       filters: '-parent',
-      index_filter: {
-        bool: {
-          must: [
-            {
-              exists: {
-                field: 'user.name.keyword',
-              },
-            },
-          ],
-        },
-      },
     });
 
-    if (!Array.isArray(indices) || indices.length === 0) {
+    const indicesWithUserName = fields['user.name.keyword']?.keyword?.indices ?? indices;
+
+    if (!Array.isArray(indicesWithUserName) || indicesWithUserName.length === 0) {
       return [];
     }
 
-    return indices.filter(
+    return indicesWithUserName.filter(
       (name) => !POST_EXCLUDE_INDICES.some((pattern) => name.startsWith(pattern))
     );
   }
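Review bot: The fallback in `const indicesWithUserName = fields['user.name.keyword']?.keyword?.indices ?? indices;` reverts to every matched index whenever the `keyword` entry is absent, and as far as I recall of the field_caps response that is precisely the case where no matched index maps the field at all (only an `unmapped` entry comes back with `include_unmapped: true`), so the method would then return indices that lack `user.name.keyword` — the very outcome the commit is trying to remove. The fallback is only correct when the `keyword` entry exists but omits `indices`, i.e. all matched indices agree on the type. I'd split the two cases: `const keywordCaps = fields['user.name.keyword']?.keyword; if (!keywordCaps) { return []; } const indicesWithUserName = keywordCaps.indices ?? indices;`. This is worth pinning with a unit test whose fieldCaps stub returns only an `unmapped` entry for the field and expects an empty result. The enclosing class starts and ends outside the hunk.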