[8.19] [Attack discovery] Optionally update the kibana.alert.workflow_status of alerts associated with Attack discoveries (#225029)

src/platform/packages/shared/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts

@@ -37,6 +37,9 @@ import {
   ALERT_START,
   ALERT_STATUS,
   ALERT_TIME_RANGE,
+  ALERT_UPDATED_AT,
+  ALERT_UPDATED_BY_USER_ID,
+  ALERT_UPDATED_BY_USER_NAME,
   ALERT_URL,
   ALERT_UUID,
   ALERT_WORKFLOW_ASSIGNEE_IDS,
@@ -213,6 +216,21 @@ export const alertFieldMap = {
     array: false,
     required: false,
   },
+  [ALERT_UPDATED_AT]: {
+    type: 'date',
+    array: false,
+    required: false,
+  },
+  [ALERT_UPDATED_BY_USER_ID]: {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  [ALERT_UPDATED_BY_USER_NAME]: {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
   [ALERT_URL]: {
     type: 'keyword',
     array: false,

src/platform/packages/shared/kbn-alerts-as-data-utils/src/schemas/generated/alert_schema.ts

@@ -107,6 +107,9 @@ const AlertOptional = rt.partial({
   'kibana.alert.severity_improving': schemaBoolean,
   'kibana.alert.start': schemaDate,
   'kibana.alert.time_range': schemaDateRange,
+  'kibana.alert.updated_at': schemaDate,
+  'kibana.alert.updated_by.user.id': schemaString,
+  'kibana.alert.updated_by.user.name': schemaString,
   'kibana.alert.url': schemaString,
   'kibana.alert.workflow_assignee_ids': schemaStringArray,
   'kibana.alert.workflow_status': schemaString,

src/platform/packages/shared/kbn-alerts-as-data-utils/src/schemas/generated/security_schema.ts

@@ -207,6 +207,9 @@ const SecurityAlertOptional = rt.partial({
     })
   ),
   'kibana.alert.time_range': schemaDateRange,
+  'kibana.alert.updated_at': schemaDate,
+  'kibana.alert.updated_by.user.id': schemaString,
+  'kibana.alert.updated_by.user.name': schemaString,
   'kibana.alert.url': schemaString,
   'kibana.alert.user.criticality_level': schemaString,
   'kibana.alert.workflow_assignee_ids': schemaStringArray,

src/platform/packages/shared/kbn-alerts-as-data-utils/src/schemas/generated/streams_schema.ts

@@ -107,6 +107,9 @@ const StreamsAlertOptional = rt.partial({
   'kibana.alert.severity_improving': schemaBoolean,
   'kibana.alert.start': schemaDate,
   'kibana.alert.time_range': schemaDateRange,
+  'kibana.alert.updated_at': schemaDate,
+  'kibana.alert.updated_by.user.id': schemaString,
+  'kibana.alert.updated_by.user.name': schemaString,
   'kibana.alert.url': schemaString,
   'kibana.alert.workflow_assignee_ids': schemaStringArray,
   'kibana.alert.workflow_status': schemaString,

src/platform/packages/shared/kbn-rule-data-utils/src/default_alerts_as_data.ts

@@ -71,6 +71,15 @@ const ALERT_REASON = `${ALERT_NAMESPACE}.reason` as const;
 // kibana.alert.start - timestamp when the alert is first active
 const ALERT_START = `${ALERT_NAMESPACE}.start` as const;
 
+// kibana.alert.updated_at - timestamp when the alert was last updated
+const ALERT_UPDATED_AT = `${ALERT_NAMESPACE}.updated_at` as const;
+
+// kibana.alert.updated_by.user.id - user id of the user that last updated the alert
+const ALERT_UPDATED_BY_USER_ID = `${ALERT_NAMESPACE}.updated_by.user.id` as const;
+
+// kibana.alert.updated_by.user.name - user name of the user that last updated the alert
+const ALERT_UPDATED_BY_USER_NAME = `${ALERT_NAMESPACE}.updated_by.user.name` as const;
+
 // kibana.alert.status - active/recovered status of alert
 const ALERT_STATUS = `${ALERT_NAMESPACE}.status` as const;
 
@@ -163,6 +172,9 @@ export const fields = {
   ALERT_RULE_UUID,
   ALERT_SEVERITY_IMPROVING,
   ALERT_START,
+  ALERT_UPDATED_AT,
+  ALERT_UPDATED_BY_USER_ID,
+  ALERT_UPDATED_BY_USER_NAME,
   ALERT_STATUS,
   ALERT_TIME_RANGE,
   ALERT_URL,
@@ -210,6 +222,9 @@ export {
   ALERT_RULE_UUID,
   ALERT_SEVERITY_IMPROVING,
   ALERT_START,
+  ALERT_UPDATED_AT,
+  ALERT_UPDATED_BY_USER_ID,
+  ALERT_UPDATED_BY_USER_NAME,
   ALERT_STATUS,
   ALERT_TIME_RANGE,
   ALERT_URL,

x-pack/platform/packages/shared/kbn-elastic-assistant-common/impl/schemas/attack_discovery/attack_discovery_alert.gen.ts

@@ -44,6 +44,26 @@ export const AttackDiscoveryAlert = z.object({
    * The (human readable) name of the connector that generated the attack discovery
    */
   connectorName: z.string(),
+  /**
+   * The optional time the attack discovery alert was created
+   */
+  alertStart: z.string().optional(),
+  /**
+   * The optional time the attack discovery alert was last updated
+   */
+  alertUpdatedAt: z.string().optional(),
+  /**
+   * The optional id of the user who last updated the attack discovery alert
+   */
+  alertUpdatedByUserId: z.string().optional(),
+  /**
+   * The optional username of the user who updated the attack discovery alert
+   */
+  alertUpdatedByUserName: z.string().optional(),
+  /**
+   * The optional time the attack discovery alert workflow status was last updated
+   */
+  alertWorkflowStatusUpdatedAt: z.string().optional(),
   /**
    * Details of the attack with bulleted markdown that always uses special syntax for field names and values from the source data.
    */

x-pack/platform/packages/shared/kbn-elastic-assistant-common/impl/schemas/attack_discovery/attack_discovery_alert.schema.yaml

@@ -37,6 +37,21 @@ components:
         connectorName:
           description: The (human readable) name of the connector that generated the attack discovery
           type: string
+        alertStart:
+          description: The optional time the attack discovery alert was created
+          type: string
+        alertUpdatedAt:
+          description: The optional time the attack discovery alert was last updated
+          type: string
+        alertUpdatedByUserId:
+          description: The optional id of the user who last updated the attack discovery alert
+          type: string
+        alertUpdatedByUserName:
+          description: The optional username of the user who updated the attack discovery alert
+          type: string
+        alertWorkflowStatusUpdatedAt:
+          description: The optional time the attack discovery alert workflow status was last updated
+          type: string
         detailsMarkdown:
           description: Details of the attack with bulleted markdown that always uses special syntax for field names and values from the source data.
           type: string

x-pack/platform/plugins/shared/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts

@@ -324,6 +324,23 @@ describe('mappingFromFieldMap', () => {
                   type: 'date_range',
                   format: 'epoch_millis||strict_date_optional_time',
                 },
+                updated_at: {
+                  type: 'date',
+                },
+                updated_by: {
+                  properties: {
+                    user: {
+                      properties: {
+                        id: {
+                          type: 'keyword',
+                        },
+                        name: {
+                          type: 'keyword',
+                        },
+                      },
+                    },
+                  },
+                },
                 url: {
                   ignore_above: 2048,
                   index: false,

x-pack/platform/plugins/shared/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts

@@ -324,6 +324,21 @@ it('matches snapshot', () => {
         "required": false,
         "type": "date_range",
       },
+      "kibana.alert.updated_at": Object {
+        "array": false,
+        "required": false,
+        "type": "date",
+      },
+      "kibana.alert.updated_by.user.id": Object {
+        "array": false,
+        "required": false,
+        "type": "keyword",
+      },
+      "kibana.alert.updated_by.user.name": Object {
+        "array": false,
+        "required": false,
+        "type": "keyword",
+      },
       "kibana.alert.url": Object {
         "array": false,
         "ignore_above": 2048,