elastic/kibana

[Security Solution][Detection Engine] Nested fields with dots in the name can't be used in exceptions

Open

#244966 opened on Dec 2, 2025

Labels: Feature:Rule Exceptions, Team:Detection Engine, bug, effort:low, good first issue, urgency:normal, value:high

Description

When adding an exception, if a nested field has sub-fields with dots in the name, e.g. hash.sha256 (or there are multiple levels of sub-fields), then the UI presents only the last part of the sub-field name (sha256) as an option. Attempting to select sha256 does not work.

Mapping

PUT test
{
  "mappings": {
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      "event.category": {
        "type": "keyword"
      },
      "my_nested_field": {
        "type": "nested",
        "properties": {
          "hash": {
            "properties": {
              "sha256": {
                "type": "keyword",
                "ignore_above": 1024
              }
            }
          },
          "name": {
            "type": "keyword",
            "ignore_above": 1024
          },
          "path": {
            "type": "keyword",
            "ignore_above": 1024
          }
        }
      }
    }
  }
}

Steps to Repro

  1. Create an index with the mapping above
  2. Create a query rule that uses the created index as its source index. The rule query and other settings do not matter.
  3. Open the "Add Exception" flyout for the rule
  4. Click "Add nested condition" and select my_nested_field.hash.sha256 as the field. my_nested_field will be added as the nested field, but hash.sha256 will not be added as the sub-field. In the sub-field dropdown, sha256 is shown, but selecting it there doesn't work either.

If my_nested_field.path is selected instead, you can see that path is automatically added as the sub-field.
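The following is an added example, not code from Kibana, showing the difference between deriving a nested sub-field from the last dot segment (the behaviour described above) and deriving it relative to the nested parent, using a constructed field list that matches the mapping in this issue. The `IndexField` shape and the nested-entry shape are assumptions made for the example.

```typescript
// Added example (not Kibana's code): derive a nested exception entry's sub-field
// from the full field name instead of its last dot-separated segment.
// Constructed, minimal view of what a data view exposes per field: the full
// dotted name and, for nested sub-fields, the path of the nested parent.
interface IndexField {
  name: string;
  nestedPath?: string;
}
// Constructed field list matching the mapping from the issue.
const FIELDS: IndexField[] = [
  { name: '@timestamp' },
  { name: 'event.category' },
  { name: 'my_nested_field.hash.sha256', nestedPath: 'my_nested_field' },
  { name: 'my_nested_field.name', nestedPath: 'my_nested_field' },
  { name: 'my_nested_field.path', nestedPath: 'my_nested_field' },
];
// Naive derivation: keep only the text after the last dot. This reproduces
// the symptom in the issue: "hash.sha256" collapses to "sha256".
function lastSegment(fullName: string): string {
  return fullName.split('.').pop() ?? fullName;
}
// Correct derivation: strip the nested parent's prefix and keep the rest,
// so multi-level sub-fields survive ("hash.sha256", "a.b.c", ...).
function subFieldRelativeToParent(field: IndexField): string | undefined {
  if (!field.nestedPath) return undefined; // not part of a nested object
  const prefix = `${field.nestedPath}.`;
  return field.name.startsWith(prefix) ? field.name.slice(prefix.length) : undefined;
}
// Does "<parent>.<sub>" exist as a nested sub-field in the field list?
function subFieldExists(parent: string, sub: string, fields = FIELDS): boolean {
  return fields.some((f) => f.nestedPath === parent && f.name === `${parent}.${sub}`);
}
// Nested entry shape as used by Security Solution exception lists (assumed here):
// field = nested parent, entries = conditions on its sub-fields.
interface NestedEntry {
  field: string;
  type: 'nested';
  entries: Array<{ field: string; type: 'match'; operator: 'included'; value: string }>;
}
// Build the nested entry for a full field name, failing if the field is not
// a nested sub-field rather than silently falling back to the last segment.
function buildNestedEntry(fullName: string, value: string, fields = FIELDS): NestedEntry {
  const field = fields.find((f) => f.name === fullName);
  const parent = field?.nestedPath;
  const sub = field ? subFieldRelativeToParent(field) : undefined;
  if (!parent || !sub) throw new Error(`${fullName} is not a nested sub-field`);
  return { field: parent, type: 'nested', entries: [{ field: sub, type: 'match', operator: 'included', value }] };
}
```

With this field list, the naive sub-field "sha256" does not exist under my_nested_field, while "hash.sha256" does, which is why the dropdown selection cannot resolve.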
