[8.8] [Security Solution][Alerts] Format alerts for per-alert action …

…context variables (elastic#155829) (elastic#156009)

# Backport

This will backport the following commits from `main` to `8.8`:
- [[Security Solution][Alerts] Format alerts for per-alert action
context variables
(elastic#155829)](elastic#155829)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Ievgen
Sorokopud","email":"[email protected]"},"sourceCommit":{"committedDate":"2023-04-26T16:16:41Z","message":"[Security
Solution][Alerts] Format alerts for per-alert action context variables
(elastic#155829)\n\n## Summary\r\n\r\nCloses
[elastic#155812](https://github.com/elastic/kibana/issues/155812)\r\n\r\nIn
elastic#155384, detection rules
were\r\nswitched to support per-alert actions. When passing the
context\r\nvariable, it was suggested that we should be calling
formatAlert to\r\nformat the alert for notifications, however doing that
causes some test\r\nfailures because formatAlert is fairly heavyweight
and bunch of tests\r\nwere timing out.\r\n\r\nThanks to @marshallmain we
have this much faster `expandDottedObject`\r\nthat solves the issue with
the very slow
`formatAlert`.","sha":"8f597207a222f02b1c7664bc555a9f6e744bc4aa","branchLabelMapping":{"^v8.8.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","backport:skip","v8.8.0"],"number":155829,"url":"https://github.com/elastic/kibana/pull/155829","mergeCommit":{"message":"[Security
Solution][Alerts] Format alerts for per-alert action context variables
(elastic#155829)\n\n## Summary\r\n\r\nCloses
[elastic#155812](https://github.com/elastic/kibana/issues/155812)\r\n\r\nIn
elastic#155384, detection rules
were\r\nswitched to support per-alert actions. When passing the
context\r\nvariable, it was suggested that we should be calling
formatAlert to\r\nformat the alert for notifications, however doing that
causes some test\r\nfailures because formatAlert is fairly heavyweight
and bunch of tests\r\nwere timing out.\r\n\r\nThanks to @marshallmain we
have this much faster `expandDottedObject`\r\nthat solves the issue with
the very slow
`formatAlert`.","sha":"8f597207a222f02b1c7664bc555a9f6e744bc4aa"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v8.8.0","labelRegex":"^v8.8.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/155829","number":155829,"mergeCommit":{"message":"[Security
Solution][Alerts] Format alerts for per-alert action context variables
(elastic#155829)\n\n## Summary\r\n\r\nCloses
[elastic#155812](https://github.com/elastic/kibana/issues/155812)\r\n\r\nIn
elastic#155384, detection rules
were\r\nswitched to support per-alert actions. When passing the
context\r\nvariable, it was suggested that we should be calling
formatAlert to\r\nformat the alert for notifications, however doing that
causes some test\r\nfailures because formatAlert is fairly heavyweight
and bunch of tests\r\nwere timing out.\r\n\r\nThanks to @marshallmain we
have this much faster `expandDottedObject`\r\nthat solves the issue with
the very slow
`formatAlert`.","sha":"8f597207a222f02b1c7664bc555a9f6e744bc4aa"}}]}]
BACKPORT-->

Co-authored-by: Kibana Machine <[email protected]>

x-pack/plugins/rule_registry/server/utils/create_persistence_rule_type_wrapper.ts

@@ -195,7 +195,7 @@ export const createPersistenceRuleTypeWrapper: CreatePersistenceRuleTypeWrapper
                         start: Date.parse(alert[TIMESTAMP]),
                         end: Date.parse(alert[TIMESTAMP]),
                       }),
-                      alerts: [alert],
+                      alerts: [formatAlert?.(alert) ?? alert],
                     })
                 );
 
@@ -387,7 +387,7 @@ export const createPersistenceRuleTypeWrapper: CreatePersistenceRuleTypeWrapper
                         start: Date.parse(alert[TIMESTAMP]),
                         end: Date.parse(alert[TIMESTAMP]),
                       }),
-                      alerts: [alert],
+                      alerts: [formatAlert?.(alert) ?? alert],
                     })
                 );
 

x-pack/plugins/security_solution/common/utils/expand_dotted.test.ts

@@ -70,6 +70,18 @@ describe('Expand Dotted', () => {
     });
   });
 
+  it('overwrites earlier fields when later fields conflict', () => {
+    const simpleDottedObj = {
+      'kibana.test.1': 'the spice must flow',
+      'kibana.test': 2,
+    };
+    expect(expandDottedObject(simpleDottedObj)).toEqual({
+      kibana: {
+        test: 2,
+      },
+    });
+  });
+
   it('expands non dotted field without changing it other than reference', () => {
     const simpleDottedObj = {
       test: { value: '123' },

x-pack/plugins/security_solution/common/utils/expand_dotted.ts

@@ -5,16 +5,7 @@
  * 2.0.
  */
 
-import { merge } from '@kbn/std';
-
-const expandDottedField = (dottedFieldName: string, val: unknown): object => {
-  const parts = dottedFieldName.split('.');
-  if (parts.length === 1) {
-    return { [parts[0]]: val };
-  } else {
-    return { [parts[0]]: expandDottedField(parts.slice(1).join('.'), val) };
-  }
-};
+import { setWith } from 'lodash';
 
 /*
  * Expands an object with "dotted" fields to a nested object with unflattened fields.
@@ -48,8 +39,9 @@ export const expandDottedObject = (dottedObj: object) => {
   if (Array.isArray(dottedObj)) {
     return dottedObj;
   }
-  return Object.entries(dottedObj).reduce(
-    (acc, [key, val]) => merge(acc, expandDottedField(key, val)),
-    {}
-  );
+  const returnObj = {};
+  Object.entries(dottedObj).forEach(([key, value]) => {
+    setWith(returnObj, key, value, Object);
+  });
+  return returnObj;
 };