From d659ee6f2eb04e81b240db137996aa2a4c4378b1 Mon Sep 17 00:00:00 2001
From: Marshall Main <55718608+marshallmain@users.noreply.github.com>
Date: Wed, 30 Nov 2022 07:50:16 -0800
Subject: [PATCH] [Security Solution][Alerts] Don't use maxSignals for topHits agg size (#146564)

## Summary

Addresses https://github.com/elastic/kibana/issues/146494

We only need the first document from the bucket to create the alert, not `maxSignals` documents. If `maxSignals` was greater than 100, this caused an error in the search.
---
 .../__snapshots__/build_group_by_field_aggregation.test.ts.snap | 2 +-
 .../alert_suppression/build_group_by_field_aggregation.ts | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/alert_suppression/__snapshots__/build_group_by_field_aggregation.test.ts.snap b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/alert_suppression/__snapshots__/build_group_by_field_aggregation.test.ts.snap
index f1f3e409217f8..a46533db938f3 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/alert_suppression/__snapshots__/build_group_by_field_aggregation.test.ts.snap
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/alert_suppression/__snapshots__/build_group_by_field_aggregation.test.ts.snap
@@ -16,7 +16,7 @@ Object {
 },
 "topHits": Object {
 "top_hits": Object {
- "size": 100,
+ "size": 1,
 "sort": Array [
 Object {
 "kibana.combined_timestamp": Object {
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/alert_suppression/build_group_by_field_aggregation.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/alert_suppression/build_group_by_field_aggregation.ts
index 88b2c4f450862..af0821de31146 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/alert_suppression/build_group_by_field_aggregation.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/alert_suppression/build_group_by_field_aggregation.ts
@@ -31,7 +31,7 @@ export const buildGroupByFieldAggregation = ({
 aggs: {
 topHits: {
 top_hits: {
- size: maxSignals,
+ size: 1,
 sort: [
 {
 [aggregatableTimestampField]: {
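Review bot: The new `size: 1` in the `top_hits` block is an unexplained literal; the reason it replaced `maxSignals` (only one document per bucket is needed to build the alert, and a larger size failed the search once `maxSignals` exceeded 100, per #146494) exists only in the commit message, so a reader may later "restore" the parameter. Suggest `size: 1, // one hit per bucket is enough to build the alert; a larger top_hits size failed the search when maxSignals exceeded 100 (#146494)`. With a single hit, the sort on `aggregatableTimestampField` — whose direction and any tie-breakers continue past the hunk — alone decides which document becomes the alert, which the same comment could state. If `maxSignals` is no longer referenced elsewhere in the builder it is now an unused destructured parameter; the signature of `buildGroupByFieldAggregation` starts before this hunk and the body ends after it, so that needs confirming outside the diff. The snapshot update in the first hunk pins the value, but nothing appears to exercise the `maxSignals` greater than 100 case the description cites.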