[Security_solution][Detections] Refactor signal ancestry to allow mul…

…tiple parents (elastic#76531) * Refactors signal ancestry to allow multiple parents * Fix depth calculation for 7.10+ signals on pre-7.10 signals * Comment build_signal functions * Rename buildAncestorsSignal to buildAncestors * Update detection engine depth test scripts and docs * Update halting test readme * Match up rule ids in readme * Continue populating signal.parent along with signal.parents * pr comments Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
marshallmain · Sep 14, 2020 · 7104a98 · 7104a98
1 parent b965c21
commit 7104a98
Show file tree

Hide file tree

Showing 17 changed files with 568 additions and 481 deletions.
diff --git a/...k/plugins/security_solution/server/lib/detection_engine/routes/index/signals_mapping.json b/...k/plugins/security_solution/server/lib/detection_engine/routes/index/signals_mapping.json
@@ -22,11 +22,33 @@
               }
             }
           },
+          "parents": {
+            "properties": {
+              "rule": {
+                "type": "keyword"
+              },
+              "index": {
+                "type": "keyword"
+              },
+              "id": {
+                "type": "keyword"
+              },
+              "type": {
+                "type": "keyword"
+              },
+              "depth": {
+                "type": "long"
+              }
+            }
+          },
           "ancestors": {
             "properties": {
               "rule": {
                 "type": "keyword"
               },
+              "index": {
+                "type": "keyword"
+              },
               "id": {
                 "type": "keyword"
               },
@@ -299,6 +321,9 @@
           },
           "threshold_count": {
             "type": "float"
+          },
+          "depth": {
+            "type": "integer"
           }
         }
       }