[Security Solution][Detections] Truncate lastFailureMessage for siem-detection-engine-rule-status documents

[banderror]

Ticket: #109815

Summary

Background: siem-detection-engine-rule-status documents stores the lastFailureMessage a string which is indexed as type: "text" but some failure messages are so large that these documents are up to 26MB. These large documents cause migrations to fail because a batch of 1000 documents easily exceed Elasticsearch's http.max_content_length which defaults to 100mb.

This PR truncates lastFailureMessage and lastSuccessMessage in the following cases:

1. When we write new or update existing status SOs:
   • The lists of errors/warnings are deduped -> truncated to max 20 items -> joined to a string
   • The resulting strings are truncated to max 10240 characters
2. When we migrate siem-detection-engine-rule-status SOs to 7.15.2:
   • The two message fields are truncated to max 10240 characters

Checklist

Delete any items that are not applicable to this PR.

• Unit or functional tests were updated or added to match the most common scenarios

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[banderror]

@rudolf @spong @xcrzx this fix is ready for the 2nd review! 🙏

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: 236009c
• Storybooks Preview

Metrics [docs]

✅ unchanged

History

• 💔 Build #160783 failed 8946be27914d37e4a7062702050d212ebb1a942c
• 💚 Build #158500 succeeded 5b25da2c384a37a5adcdeb7a13bb6b9dd177a74d
• 💚 Build #153517 succeeded cd02610ceb83c1eecdcb4d5d762ea35a55573e6b

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @banderror

[rudolf]

Using Record<string, unknown> doesn't really add any type safety. Could you use IRuleStatusSOAttributes https://github.com/elastic/kibana/blob/master/x-pack/plugins/security_solution/server/lib/detection_engine/rules/types.ts#L113-L125

Don't have to block on this, but I think this is a good pattern to adopt for migrations.

[banderror]

In general IRuleStatusSOAttributes would correspond to the current (target for this migration) interface, not to the previous interface (prior to migration). Although in this particular case no changes to IRuleStatusSOAttributes have been made, it doesn't mean we wouldn't change it in the future. Any substantial change to the TS interface in a future version would keep this function statically typed but it would not be safe anymore - we'd need to adjust the code of the migration function to conform to the changed interface, thus making the function prone to bugs. Maintaining history of these interfaces (like IRuleStatusSOAttributes_v15_1 etc) would help keeping it fully statically typed and correct, but we don't do this and effort/value ratio of this seems to be too high. Specifying target SO attributes (MigratedAttributes) as IRuleStatusSOAttributes is actually prone to the same issues.

I think unless we start maintaining a history of TS interfaces for the SO attributes, introducing type safety here actually means introducing risk of making migrations incorrect in the future.

Also, we'll likely get rid of this SO type very soon.

[xcrzx]

Thank you for the changes, Georgii👍
We could address outstanding questions separately, this PR LGTM!

[kibanamachine]

💔 Backport failed

Status	Branch	Result
✅	7.x
❌	7.15	Commit could not be cherrypicked due to conflicts

Successful backport PRs will be merged automatically after passing CI.

To backport manually run:
node scripts/backport --pr 112257

[banderror]

I 👀 the failed backport, will manually make it.

UPD: #115166