[SIEM][Detection Engine] Increases the template limit for ECS mappings

## Summary Increases the template limit for ECS mappings from default of 1k to 10k. This mirrors auditbeat, winlogbeat, filebeat, etc.. - [x] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios ### For maintainers
elastic · May 8, 2020 · 4d32610 · 4d32610
1 parent 808e025
commit 4d32610
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 2 deletions.
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/routes/index/get_signals_template.test.ts b/x-pack/plugins/siem/server/lib/detection_engine/routes/index/get_signals_template.test.ts
@@ -7,10 +7,18 @@
 import { getSignalsTemplate } from './get_signals_template';
 
 describe('get_signals_template', () => {
-  test('it should set the lifecycle name and the rollover alias to be the name of the index passed in', () => {
+  test('it should set the lifecycle "name" and "rollover_alias" to be the name of the index passed in', () => {
     const template = getSignalsTemplate('test-index');
     expect(template.settings).toEqual({
-      index: { lifecycle: { name: 'test-index', rollover_alias: 'test-index' } },
+      index: {
+        lifecycle: {
+          name: 'test-index',
+          rollover_alias: 'test-index',
+        },
+      },
+      mapping: {
+        total_fields: { limit: 10000 },
+      },
     });
   });
 
@@ -28,4 +36,9 @@ describe('get_signals_template', () => {
     const template = getSignalsTemplate('test-index');
     expect(typeof template.mappings.properties.signal).toEqual('object');
   });
+
+  test('it should have a "total_fields" section that is at least 10k in size', () => {
+    const template = getSignalsTemplate('test-index');
+    expect(template.settings.mapping.total_fields.limit).toBeGreaterThanOrEqual(10000);
+  });
 });
diff --git a/x-pack/plugins/siem/server/lib/detection_engine/routes/index/get_signals_template.ts b/x-pack/plugins/siem/server/lib/detection_engine/routes/index/get_signals_template.ts
@@ -17,6 +17,11 @@ export const getSignalsTemplate = (index: string) => {
           rollover_alias: index,
         },
       },
+      mapping: {
+        total_fields: {
+          limit: 10000,
+        },
+      },
     },
     index_patterns: [`${index}-*`],
     mappings: ecsMapping.mappings,