[Security Solution] Add nested field inside of data provider

[XavierM]

Summary

This PR is to fix #89784, we will be able to drag/add nested query inside of the data provider.

To validate this PR id created this index like below and was able to drag and drop this field inside of the data provider

PUT test2
PUT test2/_mapping
{
  "dynamic": false,
  "properties": {
    "myNestedUserField": {
      "type": "nested",
      "properties": {
        "first": {
          "type": "text"
        },
        "last": {
          "type": "text"
        },
        "children": {
          "type": "nested",
          "properties": {
            "name": {
              "type": "text"
            }
          }
        },
        "married": {
          "properties": {
            "wife": {
              "type": "text"
            }
          }
        }
      }
    }
  }
}
POST test2/_doc
{
  "@timestamp": "2021-03-03T12:10:30Z",
  "myNestedUserField": [
    {
      "first" : "Xavier7",
      "last" :  "M",
      "children": [ { "name": "flore"}, { "name": "ingrid"}],
      "married": [{ "wife": "andrea"}]
    },
    {
      "first" : "Kevin6",
      "last" :  "Q"
    }
  ]
}

Checklist

• Unit or functional tests were updated or added to match the most common scenarios

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

[rylnd]

I did not do a code review, but rather reviewed behavior.

1. Generated enriched alerts via these steps:
   

2. Send e.g. matched.atomic to the timeline, and observe that timeline is now filtered to only those events:
   

3. Add a non-overlapping field and see results increase:
   

4. Move the non-overlapping field to AND and see results drop to 0:
   

So far so good; the one thing that did not work was sending a nested date field to timeline; it seems not to generate any filter at all:

So: one minor bug with date fields, hopefully; otherwise things look great!

[XavierM]

It looks like that nested date type are not supported in discover too

I am going to create a ticket in Kibana for that

[rylnd]

Approving as nested date fields appears to be a separate issue, and this PR still improves current behavior.

[rylnd]

@XavierM @kqualters-elastic I'm not seeing an issue with dates in Discover with the mapped threat.indicator.first_seen field:

Exact value:

Range:

[rylnd]

Just pulled down the latest (1ad9be5) and confirmed that the date bug has been fixed:

The above screenshot demonstrates that the date filtering works in conjunction with a normal filter; previously the number of events returned was in the thousands. Moving either filter to an OR also correctly expands the number of results.

LGTM

[cnasikas]

@elasticmachine merge upstream

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: bc17782
• Storybooks Preview

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	7.8MB	7.8MB	+1.5KB

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[kibanamachine]

💚 Backport successful

✅ 7.12 / #94080

Successful backport PRs will be merged automatically after passing CI.