From 29b18003ad3d81c62f7adb74d124b1e116343e6e Mon Sep 17 00:00:00 2001
From: Kevin Qualters <56408403+kqualters-elastic@users.noreply.github.com>
Date: Wed, 25 Sep 2024 02:31:05 -0400
Subject: [PATCH] [Security Solution] [Analyzer] Use doc .value in analyzer
 sorting script query instead of source (#192607)

## Summary

As part of the logsdb changes, it seems that this analyzer query was no
longer working when synthetic source was enabled, as it was using a
field from _source directly, we can do the same thing via doc.

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
---
 .../endpoint/routes/resolver/tree/queries/descendants.ts   | 7 +++++--
 .../resolver/trial_license_complete_tier/tree.ts           | 4 ++--
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/queries/descendants.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/queries/descendants.ts
index 5f19beba4e71d2..dcce3bb64d298a 100644
--- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/queries/descendants.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/queries/descendants.ts
@@ -90,7 +90,7 @@ export class DescendantsQuery extends BaseResolverQuery {
   private queryWithAncestryArray(nodes: NodeID[], ancestryField: string, size: number): JsonObject {
     return {
       _source: false,
-      fields: this.resolverFields,
+      fields: [...this.resolverFields, ancestryField],
       size,
       collapse: {
         field: this.schema.id,
@@ -109,7 +109,10 @@ export class DescendantsQuery extends BaseResolverQuery {
                */
               source: `
                 Map ancestryToIndex = [:];
-                List sourceAncestryArray = params._source.${ancestryField};
+                if (doc['${ancestryField}'].size() == 0) {
+                  return -1;
+                }
+                List sourceAncestryArray = doc['${ancestryField}'];
                 int length = sourceAncestryArray.length;
                 for (int i = 0; i < length; i++) {
                   ancestryToIndex[sourceAncestryArray[i]] = i;
diff --git a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/resolver/trial_license_complete_tier/tree.ts b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/resolver/trial_license_complete_tier/tree.ts
index 8d7aa70f679bd1..8ecfab9335a793 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/resolver/trial_license_complete_tier/tree.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/resolver/trial_license_complete_tier/tree.ts
@@ -467,11 +467,11 @@ export default function ({ getService }: FtrProviderContext) {
           .expect(200);
         verifyTree({
           expectations: [
-            { origin: tree.origin.id, nodeExpectations: { descendantLevels: 1, descendants: 1 } },
+            { origin: tree.origin.id, nodeExpectations: { descendantLevels: 2, descendants: 2 } },
             // the origin's grandparent should only have the origin's parent as a descendant
             {
               origin: originGrandparent,
-              nodeExpectations: { descendantLevels: 1, descendants: 1 },
+              nodeExpectations: { descendantLevels: 0, descendants: 0 },
             },
           ],
           response: body,