From 478d138c321c7b0c108854c6c9ae9618ea3fe85a Mon Sep 17 00:00:00 2001
From: Chris Donaher
Date: Fri, 29 Oct 2021 13:47:31 -0600
Subject: [PATCH] Send Endpoint Alert _id field up as insights docs track that on status changes (#116687)

* Send Endpoint Alert _id field up as insights docs track that on status changes

* Added test to make sure top-level underscore-prefixed fields are allowed

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
---
 .../security_solution/server/lib/telemetry/filters.test.ts | 3 +++
 .../plugins/security_solution/server/lib/telemetry/filters.ts | 1 +
 2 files changed, 4 insertions(+)

diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/filters.test.ts b/x-pack/plugins/security_solution/server/lib/telemetry/filters.test.ts
index 4844a10d99f9..926816149d25 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/filters.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/filters.test.ts
@@ -10,6 +10,7 @@ import { copyAllowlistedFields } from './filters';
 describe('Security Telemetry filters', () => {
   describe('allowlistEventFields', () => {
     const allowlist = {
+      _id: true,
       a: true,
       b: true,
       c: {
@@ -19,12 +20,14 @@ describe('Security Telemetry filters', () => {
     it('filters top level', () => {
       const event = {
+        _id: 'id',
         a: 'a',
         a1: 'a1',
         b: 'b',
         b1: 'b1',
       };
       expect(copyAllowlistedFields(allowlist, event)).toStrictEqual({
+        _id: 'id',
         a: 'a',
         b: 'b',
       });
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/filters.ts b/x-pack/plugins/security_solution/server/lib/telemetry/filters.ts
index e0955c9508f8..b3316458365d 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/filters.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/filters.ts
@@ -105,6 +105,7 @@ const allowlistBaseEventFields: AllowlistFields = {
 // blindly. Object contents means that we only copy the fields that appear explicitly in
 // the sub-object.
 export const allowlistEventFields: AllowlistFields = {
+  _id: true,
   '@timestamp': true,
   agent: true,
   Endpoint: true,
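Review bot: The new `_id: true` entry in `allowlistEventFields` is the only underscore-prefixed key in the allowlist and carries no comment explaining why an Elasticsearch metadata field is being shipped, even though the comment directly above says `true` entries are copied blindly. Whether the filter ever sees `_id` also depends on the caller: search hits keep `_id` beside `_source` rather than inside it, so unless the event object is built with `_id` hoisted to top level this entry is a silent no-op — worth confirming against the code that assembles the event. Because the alert id is a stable identifier that leaves the cluster and lets telemetry for one alert be correlated across status changes (the stated intent), the rationale and the expectation about its provenance belong next to the entry, e.g. `// Alert document _id: insights docs key on it to follow status changes. Presumed to be an opaque ES-generated id, never user-supplied — confirm before widening this.`. The `allowlistEventFields` object literal continues past the end of this hunk.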