[Security Solution] [Analyzer] Use doc .value in analyzer sorting scr…

…ipt query instead of source (elastic#192607) ## Summary As part of the logsdb changes, it seems that this analyzer query was no longer working when synthetic source was enabled, as it was using a field from _source directly, we can do the same thing via doc. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
maryam-saeidi · Sep 25, 2024 · 29b1800 · 29b1800
1 parent 7f69827
commit 29b1800
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 4 deletions.
diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/queries/descendants.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/queries/descendants.ts
@@ -90,7 +90,7 @@ export class DescendantsQuery extends BaseResolverQuery {
   private queryWithAncestryArray(nodes: NodeID[], ancestryField: string, size: number): JsonObject {
     return {
       _source: false,
-      fields: this.resolverFields,
+      fields: [...this.resolverFields, ancestryField],
       size,
       collapse: {
         field: this.schema.id,
@@ -109,7 +109,10 @@ export class DescendantsQuery extends BaseResolverQuery {
                */
               source: `
                 Map ancestryToIndex = [:];
-                List sourceAncestryArray = params._source.${ancestryField};
+                if (doc['${ancestryField}'].size() == 0) {
+                  return -1;
+                }
+                List sourceAncestryArray = doc['${ancestryField}'];
                 int length = sourceAncestryArray.length;
                 for (int i = 0; i < length; i++) {
                   ancestryToIndex[sourceAncestryArray[i]] = i;

diff --git a/...on_api_integration/test_suites/edr_workflows/resolver/trial_license_complete_tier/tree.ts b/...on_api_integration/test_suites/edr_workflows/resolver/trial_license_complete_tier/tree.ts
@@ -467,11 +467,11 @@ export default function ({ getService }: FtrProviderContext) {
           .expect(200);
         verifyTree({
           expectations: [
-            { origin: tree.origin.id, nodeExpectations: { descendantLevels: 1, descendants: 1 } },
+            { origin: tree.origin.id, nodeExpectations: { descendantLevels: 2, descendants: 2 } },
             // the origin's grandparent should only have the origin's parent as a descendant
             {
               origin: originGrandparent,
-              nodeExpectations: { descendantLevels: 1, descendants: 1 },
+              nodeExpectations: { descendantLevels: 0, descendants: 0 },
             },
           ],
           response: body,