[8.10] [Security Solution] formatAlertForNotificationActions fails to…

… merge dot and object notations correctly (elastic#164075) (elastic#164140)

# Backport

This will backport the following commits from `main` to `8.10`:
- [[Security Solution] formatAlertForNotificationActions fails to merge
dot and object notations correctly
(elastic#164075)](elastic#164075)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Ievgen
Sorokopud","email":"[email protected]"},"sourceCommit":{"committedDate":"2023-08-17T08:39:24Z","message":"[Security
Solution] formatAlertForNotificationActions fails to merge dot and
object notations correctly (elastic#164075)\n\n## Summary\r\n\r\nOriginal
ticket: elastic#163844\r\n\r\nThese changes fix the issue with the incorrect
`expandDottedObject`\r\nfunctionality which instead of merging objects
would replace with the\r\nlatest version of
it.","sha":"a50b33032359410e7ee93e65a6cff58e00205856","branchLabelMapping":{"^v8.10.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:
SecuritySolution","ci:cloud-deploy","Team:Detection
Engine","v8.10.0","v8.11.0"],"number":164075,"url":"https://github.com/elastic/kibana/pull/164075","mergeCommit":{"message":"[Security
Solution] formatAlertForNotificationActions fails to merge dot and
object notations correctly (elastic#164075)\n\n## Summary\r\n\r\nOriginal
ticket: elastic#163844\r\n\r\nThese changes fix the issue with the incorrect
`expandDottedObject`\r\nfunctionality which instead of merging objects
would replace with the\r\nlatest version of
it.","sha":"a50b33032359410e7ee93e65a6cff58e00205856"}},"sourceBranch":"main","suggestedTargetBranches":["8.11"],"targetPullRequestStates":[{"branch":"main","label":"v8.10.0","labelRegex":"^v8.10.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/164075","number":164075,"mergeCommit":{"message":"[Security
Solution] formatAlertForNotificationActions fails to merge dot and
object notations correctly (elastic#164075)\n\n## Summary\r\n\r\nOriginal
ticket: elastic#163844\r\n\r\nThese changes fix the issue with the incorrect
`expandDottedObject`\r\nfunctionality which instead of merging objects
would replace with the\r\nlatest version of
it.","sha":"a50b33032359410e7ee93e65a6cff58e00205856"}},{"branch":"8.11","label":"v8.11.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Ievgen Sorokopud <[email protected]>

x-pack/plugins/security_solution/common/utils/expand_dotted.test.ts

@@ -134,4 +134,24 @@ describe('Expand Dotted', () => {
       },
     });
   });
+  it('should merge objects when field represented as an object followed by similar dotted field', () => {
+    const dottedObj = {
+      kibana: { test2: 'b', test3: 'c' },
+      'kibana.test1': 'a',
+      'kibana.test3': 'd',
+    };
+    expect(expandDottedObject(dottedObj)).toEqual({
+      kibana: { test1: 'a', test2: 'b', test3: 'd' },
+    });
+  });
+  it('should merge objects when dotted field followed by similar field represented as an object', () => {
+    const dottedObj = {
+      'kibana.test1': 'a',
+      'kibana.test3': 'd',
+      kibana: { test2: 'b', test3: 'c' },
+    };
+    expect(expandDottedObject(dottedObj)).toEqual({
+      kibana: { test1: 'a', test2: 'b', test3: 'c' },
+    });
+  });
 });

x-pack/plugins/security_solution/common/utils/expand_dotted.ts

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import { setWith } from 'lodash';
+import { merge, setWith } from 'lodash';
 
 /*
  * Expands an object with "dotted" fields to a nested object with unflattened fields.
@@ -47,7 +47,7 @@ export const expandDottedObject = (
     const isOneElementArray =
       changeArrayOfLengthOneToString && Array.isArray(value) && value.length === 1;
 
-    setWith(returnObj, key, isOneElementArray ? value[0] : value, Object);
+    merge(returnObj, setWith({}, key, isOneElementArray ? value[0] : value, Object));
   });
   return returnObj;
 };

x-pack/plugins/security_solution/server/lib/detection_engine/rule_actions_legacy/logic/notifications/schedule_notification_actions.test.ts

@@ -149,4 +149,67 @@ describe('schedule_notification_actions', () => {
       })
     );
   });
+
+  describe('formatAlertsForNotificationActions', () => {
+    it('should properly format alerts with the field represented as an object followed by similar dotted field', () => {
+      const signals = [
+        {
+          'kibana.alert.uuid': '1',
+          user: {
+            risk: {
+              calculated_level: 'Unknown',
+              calculated_score_norm: 5,
+            },
+          },
+          'user.name': 'my-user',
+        },
+      ];
+      expect(formatAlertsForNotificationActions(signals)).toEqual([
+        {
+          kibana: {
+            alert: {
+              uuid: '1',
+            },
+          },
+          user: {
+            risk: {
+              calculated_level: 'Unknown',
+              calculated_score_norm: 5,
+            },
+            name: 'my-user',
+          },
+        },
+      ]);
+    });
+    it('should properly format alerts with the dotted field followed by similar field represented as an object', () => {
+      const signals = [
+        {
+          'kibana.alert.uuid': '1',
+          'user.name': 'my-user',
+          user: {
+            risk: {
+              calculated_level: 'Unknown',
+              calculated_score_norm: 5,
+            },
+          },
+        },
+      ];
+      expect(formatAlertsForNotificationActions(signals)).toEqual([
+        {
+          kibana: {
+            alert: {
+              uuid: '1',
+            },
+          },
+          user: {
+            risk: {
+              calculated_level: 'Unknown',
+              calculated_score_norm: 5,
+            },
+            name: 'my-user',
+          },
+        },
+      ]);
+    });
+  });
 });