[8.18] Unflatten doc before applying filterlist (#235988) (#236007)

# Backport

This will backport the following commits from `main` to `8.18`:
- [Unflatten doc before applying filterlist
(#235988)](#235988)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Sebastián
Zaffarano","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-09-22T21:01:28Z","message":"Unflatten
doc before applying filterlist (#235988)\n\n## Summary\n\nDue that some
documents have dots in the fieldnames,
e.g.,\n`kibana.alert.original_event.kind` is a single field and not
`{\"kibana\":\n{ \"alert\": ... } }`, we need to unflatten those fields
before applying\nthe filterlist.\n\n### Checklist\n\nCheck the PR
satisfies following conditions. \n\nReviewers should verify this PR
satisfies this list as well.\n\n- [ ] Any text added follows [EUI's
writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\nsentence case text and includes
[i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n-
[
]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas
added for features that require explanation or tutorials\n- [x] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- [ ] If a plugin
configuration key changed, check if it needs to be\nallowlisted in the
cloud and added to the
[docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\n-
[ ] This was checked for breaking HTTP API changes, and any
breaking\nchanges have been approved by the breaking-change committee.
The\n`release_note:breaking` label should be applied in these
situations.\n- [ ] [Flaky
Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\nused on any tests changed\n- [ ] The PR description includes the
appropriate Release Notes section,\nand the correct `release_note:*`
label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n-
[ ] Review the
[backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand
apply applicable `backport:*`
labels.","sha":"7200a319006788333f60036756d171535a41ec07","branchLabelMapping":{"^v9.2.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","backport:all-open","v9.2.0"],"title":"Unflatten
doc before applying
filterlist","number":235988,"url":"https://github.com/elastic/kibana/pull/235988","mergeCommit":{"message":"Unflatten
doc before applying filterlist (#235988)\n\n## Summary\n\nDue that some
documents have dots in the fieldnames,
e.g.,\n`kibana.alert.original_event.kind` is a single field and not
`{\"kibana\":\n{ \"alert\": ... } }`, we need to unflatten those fields
before applying\nthe filterlist.\n\n### Checklist\n\nCheck the PR
satisfies following conditions. \n\nReviewers should verify this PR
satisfies this list as well.\n\n- [ ] Any text added follows [EUI's
writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\nsentence case text and includes
[i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n-
[
]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas
added for features that require explanation or tutorials\n- [x] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- [ ] If a plugin
configuration key changed, check if it needs to be\nallowlisted in the
cloud and added to the
[docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\n-
[ ] This was checked for breaking HTTP API changes, and any
breaking\nchanges have been approved by the breaking-change committee.
The\n`release_note:breaking` label should be applied in these
situations.\n- [ ] [Flaky
Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\nused on any tests changed\n- [ ] The PR description includes the
appropriate Release Notes section,\nand the correct `release_note:*`
label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n-
[ ] Review the
[backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand
apply applicable `backport:*`
labels.","sha":"7200a319006788333f60036756d171535a41ec07"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.2.0","branchLabelMappingKey":"^v9.2.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/235988","number":235988,"mergeCommit":{"message":"Unflatten
doc before applying filterlist (#235988)\n\n## Summary\n\nDue that some
documents have dots in the fieldnames,
e.g.,\n`kibana.alert.original_event.kind` is a single field and not
`{\"kibana\":\n{ \"alert\": ... } }`, we need to unflatten those fields
before applying\nthe filterlist.\n\n### Checklist\n\nCheck the PR
satisfies following conditions. \n\nReviewers should verify this PR
satisfies this list as well.\n\n- [ ] Any text added follows [EUI's
writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\nsentence case text and includes
[i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n-
[
]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas
added for features that require explanation or tutorials\n- [x] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- [ ] If a plugin
configuration key changed, check if it needs to be\nallowlisted in the
cloud and added to the
[docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\n-
[ ] This was checked for breaking HTTP API changes, and any
breaking\nchanges have been approved by the breaking-change committee.
The\n`release_note:breaking` label should be applied in these
situations.\n- [ ] [Flaky
Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\nused on any tests changed\n- [ ] The PR description includes the
appropriate Release Notes section,\nand the correct `release_note:*`
label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n-
[ ] Review the
[backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand
apply applicable `backport:*`
labels.","sha":"7200a319006788333f60036756d171535a41ec07"}}]}]
BACKPORT-->

Co-authored-by: Sebastián Zaffarano <[email protected]>

Author: kibanamachine

x-pack/solutions/security/plugins/security_solution/server/lib/telemetry/diagnostic/health_diagnostic_utils.test.ts

@@ -27,6 +27,20 @@ describe('Security Solution - Health Diagnostic Queries - utils', () => {
       });
     });
 
+    test('should keep fields marked with KEEP action in flat doc', async () => {
+      const data = [{ 'kibana.alert.rule.name': 'Endpoint Security (Elastic Defend)' }];
+      const rules = {
+        'user.name': Action.KEEP,
+        'kibana.alert.rule.name': Action.KEEP,
+      };
+
+      const result = await applyFilterlist(data, rules, mockSalt);
+
+      expect(result).toEqual([
+        { kibana: { alert: { rule: { name: 'Endpoint Security (Elastic Defend)' } } } },
+      ]);
+    });
+
     test('should keep fields marked with KEEP action', async () => {
       const data = [{ user: { name: 'john', email: '[email protected]' } }];
       const rules = {
@@ -98,31 +112,6 @@ describe('Security Solution - Health Diagnostic Queries - utils', () => {
       expect((result[0] as any).meta.host.ip).not.toBe('192.168.1.1');
     });
 
-    test('should handle arrays of documents', async () => {
-      const data = [
-        [
-          { user: 'alice', token: 'abc123' },
-          { user: 'bob', token: 'xyz789' },
-        ],
-      ];
-      const rules = {
-        user: Action.KEEP,
-        token: Action.MASK,
-      };
-
-      const result = await applyFilterlist(data, rules, mockSalt);
-
-      expect(result).toHaveLength(1);
-      expect(Array.isArray(result[0])).toBe(true);
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const docs = result[0] as any[];
-      expect(docs).toHaveLength(2);
-      expect(docs[0].user).toBe('alice');
-      expect(docs[1].user).toBe('bob');
-      expect(docs[0].token).not.toBe('abc123');
-      expect(docs[1].token).not.toBe('xyz789');
-    });
-
     test('should handle arrays of complex documents', async () => {
       const data = [
         {
@@ -301,30 +290,6 @@ describe('Security Solution - Health Diagnostic Queries - utils', () => {
       ]);
     });
 
-    test('should handle mixed document types', async () => {
-      const data = [
-        { type: 'user', name: 'john', password: 'secret' },
-        [{ type: 'admin', name: 'admin', token: 'admin123' }],
-      ];
-      const rules = {
-        name: Action.KEEP,
-        password: Action.MASK,
-        token: Action.MASK,
-      };
-
-      const result = await applyFilterlist(data, rules, mockSalt);
-
-      expect(result).toHaveLength(2);
-      expect(result[0]).toMatchObject({ name: 'john' });
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      expect((result[0] as any).password).not.toBe('secret');
-      expect(Array.isArray(result[1])).toBe(true);
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const adminDocs = result[1] as any[];
-      expect(adminDocs[0].name).toBe('admin');
-      expect(adminDocs[0].token).not.toBe('admin123');
-    });
-
     test('should handle numeric and boolean values', async () => {
       const data = [
         {

x-pack/solutions/security/plugins/security_solution/server/lib/telemetry/diagnostic/health_diagnostic_utils.ts

@@ -13,6 +13,8 @@ import {
   type HealthDiagnosticQuery,
   type HealthDiagnosticQueryStats,
 } from './health_diagnostic_service.types';
+import { unflatten } from '../helpers';
+import type { AnyObject } from '../types';
 
 export function shouldExecute(startDate: Date, endDate: Date, interval: Interval): boolean {
   const nextDate = intervalFromDate(startDate, interval);
@@ -131,7 +133,8 @@ export async function applyFilterlist(
     }
   };
 
-  for (const doc of data) {
+  for (const rawDoc of data) {
+    const doc = unflatten(rawDoc as AnyObject);
     if (Array.isArray(doc)) {
       const docs = doc as unknown[];
       const result = await Promise.all(