
[Security Solution][Detection Engine] Nested fields with dots in the name can't be used in exceptions #244966

@marshallmain

Description


When adding an exception, if a nested field has sub-fields with dots in the name, e.g. hash.sha256 (or there are multiple levels of sub-fields), then the UI presents only the last part of the sub-field name (sha256) as an option. Attempting to select sha256 does not work.


Mapping

PUT test
{
  "mappings": {
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      "event.category": {
        "type": "keyword"
      },
      "my_nested_field": {
        "type": "nested",
        "properties": {
          "hash": {
            "properties": {
              "sha256": {
                "type": "keyword",
                "ignore_above": 1024
              }
            }
          },
          "name": {
            "type": "keyword",
            "ignore_above": 1024
          },
          "path": {
            "type": "keyword",
            "ignore_above": 1024
          }
        }
      }
    }
  }
}

Steps to Repro

  1. Create an index with the mapping above
  2. Create a query rule that uses the created index as its source index. The rule query and other settings do not matter.
  3. Open the "Add Exception" flyout for the rule
  4. Click "Add nested condition" and select my_nested_field.hash.sha256 as the field
    my_nested_field will be added as the nested field, but hash.sha256 will not be added as the sub-field. In the sub-field dropdown, sha256 is shown but selecting it there doesn't work either.

If my_nested_field.path is selected instead, you can see that path is automatically added as the sub-field.
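The following is an added example, not Kibana's code and not part of the issue. It walks the mapping from the issue (embedded inline) to resolve a dotted field path to its nested root and the sub-field path relative to that root, so that my_nested_field.hash.sha256 yields the sub-field hash.sha256 rather than the bare last segment sha256, and then builds the standard Elasticsearch nested query such an exception has to produce. The resolver, subfield_exists and nested_exception_query are hypothetical helpers written for this example; how Kibana's exception list represents the entry internally is not reproduced here.

```python
import json

# Mapping from the issue above, embedded inline so the example runs offline.
MAPPING = {
    "mappings": {
        "properties": {
            "@timestamp": {"type": "date"},
            "event.category": {"type": "keyword"},
            "my_nested_field": {
                "type": "nested",
                "properties": {
                    "hash": {"properties": {"sha256": {"type": "keyword", "ignore_above": 1024}}},
                    "name": {"type": "keyword", "ignore_above": 1024},
                    "path": {"type": "keyword", "ignore_above": 1024},
                },
            },
        }
    }
}


def _step(props, parts):
    """Match the longest run of leading `parts` that is a single key in `props`.

    Handles both the expanded form ("event" -> "category") and the literal
    dotted key form ("event.category") that Elasticsearch accepts in mapping
    bodies. Returns (matched_key, child_node, remaining_parts)."""
    for n in range(len(parts), 0, -1):
        key = ".".join(parts[:n])
        if key in props:
            return key, props[key], parts[n:]
    raise KeyError(f"no property matching {'.'.join(parts)!r}")


def resolve_field(mapping, field_path):
    """Walk the mapping along a dotted path (hypothetical helper).

    Returns (nested_root, subfield, leaf): nested_root is the full path of the
    innermost `type: nested` ancestor (or None), subfield is the leaf's path
    relative to that root (e.g. "hash.sha256", not just "sha256"), and leaf is
    the leaf's mapping node."""
    props = mapping["mappings"]["properties"]
    remaining = field_path.split(".")
    consumed = []
    nested_root = None
    node = None
    while remaining:
        key, node, remaining = _step(props, remaining)
        consumed.append(key)
        if node.get("type") == "nested":
            nested_root = ".".join(consumed)
        props = node.get("properties", {})
    if nested_root is None:
        return None, None, node
    subfield = field_path[len(nested_root) + 1:]
    return nested_root, subfield, node


def subfield_exists(mapping, nested_root, subfield):
    """True if `subfield` is a real path beneath `nested_root`.

    This is the check that rejects the bare last segment ("sha256") the UI
    offers, while accepting the full relative path ("hash.sha256")."""
    try:
        root, sub, _ = resolve_field(mapping, f"{nested_root}.{subfield}")
    except KeyError:
        return False
    return root == nested_root and sub == subfield


def nested_exception_query(mapping, field_path, value):
    """Build the Elasticsearch `nested` query an exception on a nested
    sub-field has to produce. Inside a nested query Elasticsearch addresses
    the leaf by its full dotted path, so the term key is field_path, not the
    relative sub-field."""
    nested_root, subfield, leaf = resolve_field(mapping, field_path)
    if nested_root is None:
        raise ValueError(f"{field_path} is not under a nested field")
    if leaf.get("type") != "keyword":
        raise ValueError("this example only builds term queries for keyword leaves")
    return {"nested": {"path": nested_root, "query": {"term": {field_path: value}}}}


if __name__ == "__main__":
    for path in ("my_nested_field.hash.sha256", "my_nested_field.path", "event.category"):
        print(path, "->", resolve_field(MAPPING, path)[:2])
    print("bare 'sha256' valid under my_nested_field?",
          subfield_exists(MAPPING, "my_nested_field", "sha256"))
    # Constructed sample value: a placeholder 64-hex-char digest.
    print(json.dumps(nested_exception_query(MAPPING, "my_nested_field.hash.sha256", "a" * 64), indent=2))
```

Resolving against the mapping, rather than splitting the field name on its last dot, is what keeps multi-level sub-fields intact; the same walk also tells you that a candidate such as sha256 on its own is not a property of my_nested_field at all, which is why selecting it in the dropdown cannot produce a valid exception entry.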
