[9.2] [Security Assistant] Fix Index Entry form field suggestions for nested and multi-fields (#239453) (#241387)

# Backport

This will backport the following commits from `main` to `9.2`:
- [[Security Assistant] Fix Index Entry form field suggestions for
nested and multi-fields
(#239453)](#239453)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Garrett
Spong","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-10-30T21:22:53Z","message":"[Security
Assistant] Fix Index Entry form field suggestions for nested and
multi-fields (#239453)\n\n### **Summary**\nFixes
[#239429](#239429) where\nthe
Security Assistant Index Entry form was showing incorrect
field\nsuggestions, missing searchable fields that exist as multi-fields
or\nnested properties in Elasticsearch mappings.\n\n### **Problem**\nThe
field suggestion logic was too restrictive, only showing fields
with\nroot-level `type: 'text'` or `type: 'semantic_text'`. This
missed:\n- Multi-fields like `executable.text` (text field within a
keyword\nfield's `fields` property)\n- Nested object properties
containing text fields\n- Complex mapping structures with searchable
fields at various nesting\nlevels\n\n### **Solution**\n- **Created
comprehensive field extraction utility**\n(`field_extraction_utils.ts`)
that recursively processes Elasticsearch\nmappings\n- **Extracts all
searchable fields** including those in nested objects\nand multi-field
properties\n- **Maintains full field paths** (e.g.,
`executable.text`,\n`Events.process.command_line`)\n- **Preserves type
information** for proper UI badge display\n- **Handles edge cases** like
empty properties, missing types, and\ncomplex nesting\n\n### **Key
Changes**\n1. **New utility functions:**\n- `extractSearchableFields()`
- finds text/semantic_text fields at any\nnesting level\n-
`extractAllFields()` - finds all fields regardless of type (for
output\nfield options)\n\n2. **Updated IndexEntryEditor:**\n - Replaced
restrictive filtering with comprehensive field extraction\n - Now shows
all discoverable searchable fields with proper paths\n - Maintains
existing UI behavior and data structure\n\n3. **Comprehensive test
coverage:**\n - 14 test cases covering reported scenarios and edge
cases\n - Tests multi-fields, nested objects, complex structures\n -
Validates the exact issue scenario from the GitHub report\n\n4.
**Updated Stress Test Mappings script**\n- Updated
`stess_test_mappings.js` to generate mappings that will\nexercise this
scenario\n\n### **Before/After**\n**Before:** Only showed `Events`
(root-level field names only) \n**After:** Shows
`Events.executable.text`,\n`Events.process.command_line`, etc. (full
field paths)\n\n**Before:** Missed `executable.text` multi-field
\n**After:** Correctly discovers and displays `executable.text`
with\nproper type badge\n\n### **Files Changed**\n-
`field_extraction_utils.ts` - New comprehensive field
extraction\nutility\n- `field_extraction_utils.test.ts` - Comprehensive
test suite (14 test\ncases)\n- `index_entry_editor.tsx` - Updated to use
new field extraction logic\n\n---\n\n*Built with assistance from Cursor
and Claude-4 Sonnet*\n\n### Test instructions\n\n1. Setup KB\n2. Load
some test data (like the oh-my-malware alerts or run updated\n`yarn
stress-test-mappings` script)\n3. Go to create an `Index Entry` and
verify the `Field` and `Output\nField` suggestions display as described
above\n\n<p align=\"center\">\n<img
width=\"300\"\nsrc=\"https://github.com/user-attachments/assets/912851e8-76a4-4cca-9c00-78fa5c485f4a\"\n/>
<img
width=\"300\"\nsrc=\"https://github.com/user-attachments/assets/7793146b-5d79-4e6d-ad0b-91fadd8faff7\"\n/>\n</p>
\n\n\n\n### Checklist\n\nCheck the PR satisfies following conditions.
\n\nReviewers should verify this PR satisfies this list as well.\n\n-
[X] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- [X] The PR
description includes the appropriate Release Notes section,\nand the
correct `release_note:*` label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n-
[X] Review the
[backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand
apply applicable `backport:*` labels.\n\n---------\n\nCo-authored-by:
kibanamachine
<[email protected]>\nCo-authored-by:
Elastic Machine
<[email protected]>","sha":"76fa30846a14301cd14c2d4a5f7e567b598afdac","branchLabelMapping":{"^v9.3.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:fix","Feature:Security
Assistant","Team:Security Generative
AI","backport:version","v9.1.0","v9.2.0","v9.3.0"],"title":"[Security
Assistant] Fix Index Entry form field suggestions for nested and
multi-fields","number":239453,"url":"https://github.com/elastic/kibana/pull/239453","mergeCommit":{"message":"[Security
Assistant] Fix Index Entry form field suggestions for nested and
multi-fields (#239453)\n\n### **Summary**\nFixes
[#239429](#239429) where\nthe
Security Assistant Index Entry form was showing incorrect
field\nsuggestions, missing searchable fields that exist as multi-fields
or\nnested properties in Elasticsearch mappings.\n\n### **Problem**\nThe
field suggestion logic was too restrictive, only showing fields
with\nroot-level `type: 'text'` or `type: 'semantic_text'`. This
missed:\n- Multi-fields like `executable.text` (text field within a
keyword\nfield's `fields` property)\n- Nested object properties
containing text fields\n- Complex mapping structures with searchable
fields at various nesting\nlevels\n\n### **Solution**\n- **Created
comprehensive field extraction utility**\n(`field_extraction_utils.ts`)
that recursively processes Elasticsearch\nmappings\n- **Extracts all
searchable fields** including those in nested objects\nand multi-field
properties\n- **Maintains full field paths** (e.g.,
`executable.text`,\n`Events.process.command_line`)\n- **Preserves type
information** for proper UI badge display\n- **Handles edge cases** like
empty properties, missing types, and\ncomplex nesting\n\n### **Key
Changes**\n1. **New utility functions:**\n- `extractSearchableFields()`
- finds text/semantic_text fields at any\nnesting level\n-
`extractAllFields()` - finds all fields regardless of type (for
output\nfield options)\n\n2. **Updated IndexEntryEditor:**\n - Replaced
restrictive filtering with comprehensive field extraction\n - Now shows
all discoverable searchable fields with proper paths\n - Maintains
existing UI behavior and data structure\n\n3. **Comprehensive test
coverage:**\n - 14 test cases covering reported scenarios and edge
cases\n - Tests multi-fields, nested objects, complex structures\n -
Validates the exact issue scenario from the GitHub report\n\n4.
**Updated Stress Test Mappings script**\n- Updated
`stess_test_mappings.js` to generate mappings that will\nexercise this
scenario\n\n### **Before/After**\n**Before:** Only showed `Events`
(root-level field names only) \n**After:** Shows
`Events.executable.text`,\n`Events.process.command_line`, etc. (full
field paths)\n\n**Before:** Missed `executable.text` multi-field
\n**After:** Correctly discovers and displays `executable.text`
with\nproper type badge\n\n### **Files Changed**\n-
`field_extraction_utils.ts` - New comprehensive field
extraction\nutility\n- `field_extraction_utils.test.ts` - Comprehensive
test suite (14 test\ncases)\n- `index_entry_editor.tsx` - Updated to use
new field extraction logic\n\n---\n\n*Built with assistance from Cursor
and Claude-4 Sonnet*\n\n### Test instructions\n\n1. Setup KB\n2. Load
some test data (like the oh-my-malware alerts or run updated\n`yarn
stress-test-mappings` script)\n3. Go to create an `Index Entry` and
verify the `Field` and `Output\nField` suggestions display as described
above\n\n<p align=\"center\">\n<img
width=\"300\"\nsrc=\"https://github.com/user-attachments/assets/912851e8-76a4-4cca-9c00-78fa5c485f4a\"\n/>
<img
width=\"300\"\nsrc=\"https://github.com/user-attachments/assets/7793146b-5d79-4e6d-ad0b-91fadd8faff7\"\n/>\n</p>
\n\n\n\n### Checklist\n\nCheck the PR satisfies following conditions.
\n\nReviewers should verify this PR satisfies this list as well.\n\n-
[X] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- [X] The PR
description includes the appropriate Release Notes section,\nand the
correct `release_note:*` label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n-
[X] Review the
[backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand
apply applicable `backport:*` labels.\n\n---------\n\nCo-authored-by:
kibanamachine
<[email protected]>\nCo-authored-by:
Elastic Machine
<[email protected]>","sha":"76fa30846a14301cd14c2d4a5f7e567b598afdac"}},"sourceBranch":"main","suggestedTargetBranches":["9.1","9.2"],"targetPullRequestStates":[{"branch":"9.1","label":"v9.1.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"9.2","label":"v9.2.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.3.0","branchLabelMappingKey":"^v9.3.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/239453","number":239453,"mergeCommit":{"message":"[Security
Assistant] Fix Index Entry form field suggestions for nested and
multi-fields (#239453)\n\n### **Summary**\nFixes
[#239429](#239429) where\nthe
Security Assistant Index Entry form was showing incorrect
field\nsuggestions, missing searchable fields that exist as multi-fields
or\nnested properties in Elasticsearch mappings.\n\n### **Problem**\nThe
field suggestion logic was too restrictive, only showing fields
with\nroot-level `type: 'text'` or `type: 'semantic_text'`. This
missed:\n- Multi-fields like `executable.text` (text field within a
keyword\nfield's `fields` property)\n- Nested object properties
containing text fields\n- Complex mapping structures with searchable
fields at various nesting\nlevels\n\n### **Solution**\n- **Created
comprehensive field extraction utility**\n(`field_extraction_utils.ts`)
that recursively processes Elasticsearch\nmappings\n- **Extracts all
searchable fields** including those in nested objects\nand multi-field
properties\n- **Maintains full field paths** (e.g.,
`executable.text`,\n`Events.process.command_line`)\n- **Preserves type
information** for proper UI badge display\n- **Handles edge cases** like
empty properties, missing types, and\ncomplex nesting\n\n### **Key
Changes**\n1. **New utility functions:**\n- `extractSearchableFields()`
- finds text/semantic_text fields at any\nnesting level\n-
`extractAllFields()` - finds all fields regardless of type (for
output\nfield options)\n\n2. **Updated IndexEntryEditor:**\n - Replaced
restrictive filtering with comprehensive field extraction\n - Now shows
all discoverable searchable fields with proper paths\n - Maintains
existing UI behavior and data structure\n\n3. **Comprehensive test
coverage:**\n - 14 test cases covering reported scenarios and edge
cases\n - Tests multi-fields, nested objects, complex structures\n -
Validates the exact issue scenario from the GitHub report\n\n4.
**Updated Stress Test Mappings script**\n- Updated
`stess_test_mappings.js` to generate mappings that will\nexercise this
scenario\n\n### **Before/After**\n**Before:** Only showed `Events`
(root-level field names only) \n**After:** Shows
`Events.executable.text`,\n`Events.process.command_line`, etc. (full
field paths)\n\n**Before:** Missed `executable.text` multi-field
\n**After:** Correctly discovers and displays `executable.text`
with\nproper type badge\n\n### **Files Changed**\n-
`field_extraction_utils.ts` - New comprehensive field
extraction\nutility\n- `field_extraction_utils.test.ts` - Comprehensive
test suite (14 test\ncases)\n- `index_entry_editor.tsx` - Updated to use
new field extraction logic\n\n---\n\n*Built with assistance from Cursor
and Claude-4 Sonnet*\n\n### Test instructions\n\n1. Setup KB\n2. Load
some test data (like the oh-my-malware alerts or run updated\n`yarn
stress-test-mappings` script)\n3. Go to create an `Index Entry` and
verify the `Field` and `Output\nField` suggestions display as described
above\n\n<p align=\"center\">\n<img
width=\"300\"\nsrc=\"https://github.com/user-attachments/assets/912851e8-76a4-4cca-9c00-78fa5c485f4a\"\n/>
<img
width=\"300\"\nsrc=\"https://github.com/user-attachments/assets/7793146b-5d79-4e6d-ad0b-91fadd8faff7\"\n/>\n</p>
\n\n\n\n### Checklist\n\nCheck the PR satisfies following conditions.
\n\nReviewers should verify this PR satisfies this list as well.\n\n-
[X] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- [X] The PR
description includes the appropriate Release Notes section,\nand the
correct `release_note:*` label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n-
[X] Review the
[backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand
apply applicable `backport:*` labels.\n\n---------\n\nCo-authored-by:
kibanamachine
<[email protected]>\nCo-authored-by:
Elastic Machine
<[email protected]>","sha":"76fa30846a14301cd14c2d4a5f7e567b598afdac"}}]}]
BACKPORT-->

Co-authored-by: Garrett Spong <[email protected]>
Co-authored-by: Elastic Machine <[email protected]>

Author: 3 people

x-pack/platform/packages/shared/kbn-elastic-assistant/impl/knowledge_base/knowledge_base_settings_management/field_extraction_utils.test.ts

@@ -0,0 +1,338 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { extractSearchableFields, extractAllFields } from './field_extraction_utils';
+
+describe('field_extraction_utils', () => {
+  describe('extractSearchableFields', () => {
+    it('should return empty array when mappings is undefined', () => {
+      const result = extractSearchableFields({});
+      expect(result).toEqual([]);
+    });
+
+    it('should return empty array when properties is undefined', () => {
+      const result = extractSearchableFields({ mappings: {} });
+      expect(result).toEqual([]);
+    });
+
+    it('should extract simple text fields', () => {
+      const mappings = {
+        mappings: {
+          properties: {
+            title: { type: 'text' as const },
+            description: { type: 'text' as const },
+            category: { type: 'keyword' as const },
+          },
+        },
+      };
+
+      const result = extractSearchableFields(mappings);
+      expect(result).toEqual([
+        { name: 'title', type: 'text', fullPath: 'title' },
+        { name: 'description', type: 'text', fullPath: 'description' },
+      ]);
+    });
+
+    it('should extract semantic_text fields', () => {
+      const mappings = {
+        mappings: {
+          properties: {
+            content: { type: 'semantic_text' as const, inference_id: 'my-model' },
+            summary: { type: 'text' as const },
+          },
+        },
+      };
+
+      const result = extractSearchableFields(mappings);
+      expect(result).toEqual([
+        { name: 'content', type: 'semantic_text', fullPath: 'content' },
+        { name: 'summary', type: 'text', fullPath: 'summary' },
+      ]);
+    });
+
+    it('should extract multi-fields (fields property)', () => {
+      const mappings = {
+        mappings: {
+          properties: {
+            executable: {
+              type: 'keyword' as const,
+              ignore_above: 1024,
+              fields: {
+                caseless: {
+                  type: 'keyword' as const,
+                  ignore_above: 1024,
+                  normalizer: 'lowercase',
+                },
+                text: {
+                  type: 'text' as const,
+                },
+              },
+            },
+          },
+        },
+      };
+
+      const result = extractSearchableFields(mappings);
+      expect(result).toEqual([{ name: 'text', type: 'text', fullPath: 'executable.text' }]);
+    });
+
+    it('should extract nested object properties', () => {
+      const mappings = {
+        mappings: {
+          properties: {
+            user: {
+              type: 'object' as const,
+              properties: {
+                name: { type: 'text' as const },
+                email: { type: 'keyword' as const },
+                profile: {
+                  type: 'object' as const,
+                  properties: {
+                    bio: { type: 'text' as const },
+                    age: { type: 'integer' as const },
+                  },
+                },
+              },
+            },
+          },
+        },
+      };
+
+      const result = extractSearchableFields(mappings);
+      expect(result).toEqual([
+        { name: 'name', type: 'text', fullPath: 'user.name' },
+        { name: 'bio', type: 'text', fullPath: 'user.profile.bio' },
+      ]);
+    });
+
+    it('should handle complex nested structures with multi-fields', () => {
+      const mappings = {
+        mappings: {
+          properties: {
+            Events: {
+              type: 'object' as const,
+              properties: {
+                executable: {
+                  type: 'keyword' as const,
+                  ignore_above: 1024,
+                  fields: {
+                    caseless: {
+                      type: 'keyword' as const,
+                      ignore_above: 1024,
+                      normalizer: 'lowercase',
+                    },
+                    text: {
+                      type: 'text' as const,
+                    },
+                  },
+                },
+                process: {
+                  type: 'object' as const,
+                  properties: {
+                    name: {
+                      type: 'keyword' as const,
+                      fields: {
+                        text: { type: 'text' as const },
+                      },
+                    },
+                    command_line: { type: 'text' as const },
+                  },
+                },
+              },
+            },
+          },
+        },
+      };
+
+      const result = extractSearchableFields(mappings);
+      expect(result).toEqual([
+        { name: 'text', type: 'text', fullPath: 'Events.executable.text' },
+        { name: 'text', type: 'text', fullPath: 'Events.process.name.text' },
+        { name: 'command_line', type: 'text', fullPath: 'Events.process.command_line' },
+      ]);
+    });
+
+    it('should handle the reported issue scenario', () => {
+      const mappings = {
+        mappings: {
+          properties: {
+            executable: {
+              type: 'keyword' as const,
+              ignore_above: 1024,
+              fields: {
+                caseless: {
+                  type: 'keyword' as const,
+                  ignore_above: 1024,
+                  normalizer: 'lowercase',
+                },
+                text: {
+                  type: 'text' as const,
+                },
+              },
+            },
+          },
+        },
+      };
+
+      const result = extractSearchableFields(mappings);
+      expect(result).toHaveLength(1);
+      expect(result[0]).toEqual({
+        name: 'text',
+        type: 'text',
+        fullPath: 'executable.text',
+      });
+    });
+  });
+
+  describe('extractAllFields', () => {
+    it('should extract all field types', () => {
+      const mappings = {
+        mappings: {
+          properties: {
+            title: { type: 'text' as const },
+            category: { type: 'keyword' as const },
+            count: { type: 'integer' as const },
+            timestamp: { type: 'date' as const },
+          },
+        },
+      };
+
+      const result = extractAllFields(mappings);
+      expect(result).toEqual([
+        { name: 'title', type: 'text', fullPath: 'title' },
+        { name: 'category', type: 'keyword', fullPath: 'category' },
+        { name: 'count', type: 'integer', fullPath: 'count' },
+        { name: 'timestamp', type: 'date', fullPath: 'timestamp' },
+      ]);
+    });
+
+    it('should extract all multi-fields regardless of type', () => {
+      const mappings = {
+        mappings: {
+          properties: {
+            executable: {
+              type: 'keyword' as const,
+              ignore_above: 1024,
+              fields: {
+                caseless: {
+                  type: 'keyword' as const,
+                  ignore_above: 1024,
+                  normalizer: 'lowercase',
+                },
+                text: {
+                  type: 'text' as const,
+                },
+              },
+            },
+          },
+        },
+      };
+
+      const result = extractAllFields(mappings);
+      expect(result).toEqual([
+        { name: 'executable', type: 'keyword', fullPath: 'executable' },
+        { name: 'caseless', type: 'keyword', fullPath: 'executable.caseless' },
+        { name: 'text', type: 'text', fullPath: 'executable.text' },
+      ]);
+    });
+
+    it('should extract all nested fields regardless of type', () => {
+      const mappings = {
+        mappings: {
+          properties: {
+            Events: {
+              type: 'object' as const,
+              properties: {
+                executable: { type: 'keyword' as const },
+                process: {
+                  type: 'object' as const,
+                  properties: {
+                    pid: { type: 'integer' as const },
+                    name: { type: 'text' as const },
+                  },
+                },
+              },
+            },
+          },
+        },
+      };
+
+      const result = extractAllFields(mappings);
+      expect(result).toEqual([
+        { name: 'Events', type: 'object', fullPath: 'Events' },
+        { name: 'executable', type: 'keyword', fullPath: 'Events.executable' },
+        { name: 'process', type: 'object', fullPath: 'Events.process' },
+        { name: 'pid', type: 'integer', fullPath: 'Events.process.pid' },
+        { name: 'name', type: 'text', fullPath: 'Events.process.name' },
+      ]);
+    });
+  });
+
+  describe('edge cases', () => {
+    it('should handle fields without type property', () => {
+      const mappings = {
+        mappings: {
+          properties: {
+            validField: { type: 'text' as const },
+            // Object field without explicit type (valid in ES mappings)
+            objectWithoutType: {
+              properties: {
+                nestedText: { type: 'text' as const },
+              },
+            },
+          },
+        },
+      };
+
+      const searchableResult = extractSearchableFields(mappings);
+      const allResult = extractAllFields(mappings);
+
+      expect(searchableResult).toEqual([
+        { name: 'validField', type: 'text', fullPath: 'validField' },
+        { name: 'nestedText', type: 'text', fullPath: 'objectWithoutType.nestedText' },
+      ]);
+      expect(allResult).toEqual([
+        { name: 'validField', type: 'text', fullPath: 'validField' },
+        { name: 'nestedText', type: 'text', fullPath: 'objectWithoutType.nestedText' },
+      ]);
+    });
+
+    it('should handle empty properties objects', () => {
+      const mappings = {
+        mappings: {
+          properties: {
+            emptyObject: {
+              type: 'object' as const,
+              properties: {},
+            },
+            validField: { type: 'text' as const },
+          },
+        },
+      };
+
+      const result = extractSearchableFields(mappings);
+      expect(result).toEqual([{ name: 'validField', type: 'text', fullPath: 'validField' }]);
+    });
+
+    it('should handle empty fields objects', () => {
+      const mappings = {
+        mappings: {
+          properties: {
+            fieldWithEmptyFields: {
+              type: 'keyword' as const,
+              fields: {},
+            },
+            validField: { type: 'text' as const },
+          },
+        },
+      };
+
+      const result = extractSearchableFields(mappings);
+      expect(result).toEqual([{ name: 'validField', type: 'text', fullPath: 'validField' }]);
+    });
+  });
+});