[Security Solution][Attacks/Alerts][Setup and miscellaneous] alert document mapping change

[PhilippeOberti]

Summary

We need to add a new field on the alert document to be able to store attack ids.
See this internal RFC

Acceptance criteria

• should have a field available for us to know which attack(s) an alert belongs to

Questions

• Are we sure this is the direction we want to take?
• What should we name this new field?

[elasticmachine]

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

[mikecote]

I don't have access to the RFC but after chatting with @paulewing , one possible field name that would work is kibana.alert.attack_ids.

[PhilippeOberti]

I don't have access to the RFC but after chatting with @paulewing , one possible field name that would work is kibana.alert.attack_ids.

Thanks @mikecote!! I just finished the RFC and made it visible to anyone at Elastic. Feel free to read and comment!
I'm not sure yet who would be the best people to review and approve. I'll ask @michaelolo24 what he thinks :)