[BUG] Get Mappings View API incorrectly returns ECS path for OCSF fields

[jowg-amazon]

What is the bug?
SAP queries are not transformed correctly (with index name and monitor id) when the field in the index is not mapped correctly. There is a bug when a custom rule is created with a raw field name and an index with either raw fields or ocsf fields. The mappings view API returns the ecs name in the alias path instead of the correct ocsf or raw field name even when the ecs format is not present in the index.

How can one reproduce the bug?
Steps to reproduce the behavior:

1. Create an index with ocsf or raw field field types
2. Create a custom rule with a raw field name(s) in the rule
3. Create a detector with new index and custom rule
4. During detector creation under field mappings see the incorrect ecs path in the data source field for the field specified in the custom rule
5. Can also see this incorrect path in the get Mappings View API for this index/log type

What is the expected behavior?
The mappings view API should return the ocsf or the raw field path if a new rule is created using a raw field.

What is your host/environment?

• OS: 2.12
• Version [e.g. 22]
• Plugins

Do you have any screenshots?
If applicable, add screenshots to help explain your problem.

Do you have any additional context?
Add any other context about the problem.