[Entity Store] Filter out CCS indices (elastic#253644)

orouz · web-flow · commit 122857b731b8 · 2026-02-19T12:48:06.000+01:00
diff --git a/x-pack/solutions/security/plugins/entity_store/server/domain/logs_extraction_client.test.ts b/x-pack/solutions/security/plugins/entity_store/server/domain/logs_extraction_client.test.ts
@@ -546,6 +546,39 @@ describe('LogsExtractionClient', () => {
       });
     });
 
+    it('should filter out cross-cluster search (CCS) remote indices', async () => {
+      const mockEsqlResponse: ESQLSearchResponse = {
+        columns: [
+          { name: '@timestamp', type: 'date' },
+          { name: HASHED_ID_FIELD, type: 'keyword' },
+        ],
+        values: [['2024-01-02T10:00:00.000Z', 'hash1']],
+      };
+
+      const mockDataView = {
+        getIndexPattern: jest
+          .fn()
+          .mockReturnValue('logs-*,remote_cluster:logs-*,other:filebeat-*,metrics-*'),
+      };
+
+      mockEngineDescriptorClient.findOrThrow.mockResolvedValue(
+        createMockEngineDescriptor('user') as Awaited<
+          ReturnType<EngineDescriptorClient['findOrThrow']>
+        >
+      );
+      mockDataViewsService.get.mockResolvedValue(mockDataView as any);
+      mockExecuteEsqlQuery.mockResolvedValue(mockEsqlResponse);
+      mockIngestEntities.mockResolvedValue(undefined);
+
+      const result = await client.extractLogs('user');
+
+      expect(result.success).toBe(true);
+      expect(result.success && result.scannedIndices).toContain('logs-*');
+      expect(result.success && result.scannedIndices).toContain('metrics-*');
+      expect(result.success && result.scannedIndices).not.toContain('remote_cluster:logs-*');
+      expect(result.success && result.scannedIndices).not.toContain('other:filebeat-*');
+    });
+
     it('should fallback to logs-* when data view is not found', async () => {
       const mockEsqlResponse: ESQLSearchResponse = {
         columns: [
diff --git a/x-pack/solutions/security/plugins/entity_store/server/domain/logs_extraction_client.ts b/x-pack/solutions/security/plugins/entity_store/server/domain/logs_extraction_client.ts
@@ -9,6 +9,7 @@ import type { Logger } from '@kbn/logging';
 import moment from 'moment';
 import { SavedObjectsErrorHelpers, type ElasticsearchClient } from '@kbn/core/server';
 import type { DataViewsService } from '@kbn/data-views-plugin/common';
+import { isCCSRemoteIndexName } from '@kbn/es-query';
 import type {
   EntityType,
   ManagedEntityDefinition,
@@ -319,7 +320,7 @@ export class LogsExtractionClient {
       const cleanIndices = secSolDataView
         .getIndexPattern()
         .split(',')
-        .filter((index) => index !== alertsIndex);
+        .filter((index) => index !== alertsIndex && !isCCSRemoteIndexName(index));
       indexPatterns.push(...cleanIndices);
     } catch (error) {
       this.logger.warn(
