[SIEM] Network TLS table using wrong fields for drag and drop to timelines #67299

Closed
antcodd opened this issue May 26, 2020 · 2 comments · Fixed by #78815
Labels: bug, Team: SecuritySolution, Team:SIEM, Team:Threat Hunting

Comments

antcodd commented May 26, 2020

Kibana version:
7.7.0

Elasticsearch version:
7.7.0

Server OS version:
CentOS 7

Browser version:
Chrome 83

Browser OS version:
Ubuntu 18.04

Original install method (e.g. download page, yum, from source, etc.):
Official Elastic Docker containers

Describe the bug:
#60854 changed the TLS table on the Network tab to use ECS fields; however, somehow the fields used during drag and drop were not updated and continue to use the old fields.

As Packetbeat has not used the old field names since 7.6, fields in the TLS table dragged to a Timeline will not return any results. This differs from the behaviour in Kibana 7.6 where the TLS table was not populated as both the table and the drag and drop were using the old field names.

The same problem may also apply to the Process fields that were also updated in the same PR, not tested.

Steps to reproduce:

  1. Configure SIEM and Packetbeat and send some TLS traffic
  2. Open the TLS tab on the Network tab in SIEM
  3. Drag a certificate issuer
  4. Observe that the field expanded is tls.server_certificate.issuer
  5. Drag the field to a timeline
  6. Open the timeline and see no results, as the incorrect field was used.
  7. Edit the filter and change the filter field to tls.server.issuer and see the expected results.

Expected behavior:
Field used for display in TLS tab and dragging to the timeline are the same, and use ECS fields.

Any additional context:
I also note that the fields in the row renderers themselves, such as certificate fingerprint, were not updated, so they do not display.

See also: #60026, #43649, #60854

Migrating version labels to description:
Affected versions include: v7.7.0, v7.8.0, v8.0.0

@FrankHassanabad FrankHassanabad added bug Fixes for quality problems that affect the customer experience v7.0.0 v7.8.0 v8.0.0 Team:SIEM labels May 26, 2020
elasticmachine (Contributor) commented:

Pinging @elastic/siem (Team:SIEM)

FrankHassanabad (Contributor) commented Jun 9, 2020

ECS Ref:
https://www.elastic.co/guide/en/ecs/current/ecs-tls.html

Existing Drag and Drop fields -> New Drag and Drop fields

tls.fingerprints.ja3.hash -> tls.server.ja3s

Ref:
https://github.com/elastic/beats/blob/master/packetbeat/tests/system/golden/established_tls-expected.json#L25

tls.server_certificate.not_after -> tls.server.not_after

Ref:
https://github.com/elastic/beats/blob/master/packetbeat/tests/system/golden/established_tls-expected.json#L196

tls.server_certificate.fingerprint.sha1 -> tls.server.hash.sha1

Ref: https://github.com/elastic/beats/blob/master/packetbeat/tests/system/golden/established_tls-expected.json#L194

You can do an Inspect on the TLS table to see the values being populated for the table; the drag and drop just needs to be updated:

```json
{
  "aggs": {
    "count": {
      "cardinality": {
        "field": "tls.server.hash.sha1"
      }
    },
    "sha1": {
      "terms": {
        "field": "tls.server.hash.sha1",
        "size": 10,
        "order": {
          "_key": "desc"
        }
      },
      "aggs": {
        "issuers": {
          "terms": {
            "field": "tls.server.issuer"
          }
        },
        "subjects": {
          "terms": {
            "field": "tls.server.subject"
          }
        },
        "not_after": {
          "terms": {
            "field": "tls.server.not_after"
          }
        },
        "ja3": {
          "terms": {
            "field": "tls.server.ja3s"
          }
        }
      }
    }
  },
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "must": [],
            "filter": [
              {
                "match_all": {}
              }
            ],
            "should": [],
            "must_not": []
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": 1591630737935,
              "lte": 1591717137935
            }
          }
        }
      ]
    }
  },
  "size": 0,
  "track_total_hits": false
}
```
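The field-name mismatch this thread describes, as an added example that is not Kibana or Packetbeat code: it applies the legacy-to-ECS mapping listed in the comment above (plus the issuer pair from the repro steps), builds the timeline filter both the buggy way (dragged field name used as-is) and the corrected way (translated to the ECS name the table itself aggregates on), and runs each against constructed documents in the shape Packetbeat has emitted since 7.6. The sample documents, the `tlsDoc`/`getField`/`buildTimelineFilter` helpers and the in-memory matcher are assumptions standing in for the real index and query; the ECS field names are the ones from the linked reference.

```typescript
// Added example (not Kibana or Packetbeat code). It models the bug in this
// issue: the Network > TLS table queries ECS fields, but the value dragged
// to a timeline carried the pre-7.6 Packetbeat field name, so the filter the
// timeline built matched nothing.

type Doc = Record<string, unknown>;

// Legacy Packetbeat field -> ECS field. The first three pairs are the ones
// listed in the comment above; the issuer pair is from the repro steps.
const LEGACY_TO_ECS: Record<string, string> = {
  "tls.fingerprints.ja3.hash": "tls.server.ja3s",
  "tls.server_certificate.not_after": "tls.server.not_after",
  "tls.server_certificate.fingerprint.sha1": "tls.server.hash.sha1",
  "tls.server_certificate.issuer": "tls.server.issuer",
};

// Translate the field name carried by a drag-and-drop payload to its ECS
// name. Names already in ECS form (or unknown to the table) pass through.
function toEcsTlsField(field: string): string {
  return Object.prototype.hasOwnProperty.call(LEGACY_TO_ECS, field)
    ? LEGACY_TO_ECS[field]
    : field;
}

// Resolve a dotted path against a nested document, the way Elasticsearch
// addresses object fields such as tls.server.hash.sha1.
function getField(doc: Doc, path: string): unknown {
  let cur: unknown = doc;
  for (const part of path.split(".")) {
    if (cur === null || typeof cur !== "object") return undefined;
    cur = (cur as Doc)[part];
  }
  return cur;
}

interface TimelineFilter {
  field: string;
  value: string;
  kql: string; // what the timeline's query bar would show
}

// Build the filter a drop onto the timeline creates. `fixField` selects the
// corrected behaviour (translate to ECS) versus the buggy one (use the
// dragged name as-is). JSON.stringify gives a double-quoted, escaped
// literal, which is also valid KQL quoting for a value.
function buildTimelineFilter(draggedField: string, value: string, fixField: boolean): TimelineFilter {
  const field = fixField ? toEcsTlsField(draggedField) : draggedField;
  return { field, value, kql: `${field}: ${JSON.stringify(value)}` };
}

// Apply the filter: count documents whose field equals the value exactly
// (what a keyword-field match in the timeline query amounts to).
function matchCount(docs: Doc[], filter: TimelineFilter): number {
  return docs.filter((d) => getField(d, filter.field) === filter.value).length;
}

// Constructed documents in the ECS shape Packetbeat has emitted since 7.6
// (hypothetical helper; field names follow the ECS TLS reference, values are made up).
function tlsDoc(ts: string, issuer: string, subject: string, notAfter: string, ja3s: string, sha1: string): Doc {
  return { "@timestamp": ts, tls: { server: { issuer, subject, not_after: notAfter, ja3s, hash: { sha1 } } } };
}

const ISSUER = "CN=Example Issuing CA,O=Example Corp,C=US";
const SAMPLE_DOCS: Doc[] = [
  tlsDoc("2020-06-08T16:19:00Z", ISSUER, "CN=www.example.test", "2021-06-08T00:00:00Z",
    "e35df3e00ca4ef31d42b34bebaa2f86e", "d3b3f6f2c2e8c7a4a1f8b2e0b5f9c6a3d1e2f3a4"),
  tlsDoc("2020-06-08T16:20:00Z", ISSUER, "CN=api.example.test", "2021-09-01T00:00:00Z",
    "f4febc55ea12b31ae17cfb7e614afda8", "0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3"),
  tlsDoc("2020-06-08T16:21:00Z", "CN=Other Root CA,O=Other,C=DE", "CN=mail.other.test", "2022-01-15T00:00:00Z",
    "e35df3e00ca4ef31d42b34bebaa2f86e", "ffeeddccbbaa99887766554433221100aabbccdd"),
];

// Reproduce the report's drag of a certificate issuer: the payload carries the
// legacy name; the buggy path filters on it directly, the fixed path translates it.
function reproduceIssuerDrag(): { buggy: TimelineFilter; buggyHits: number; fixed: TimelineFilter; fixedHits: number } {
  const dragged = "tls.server_certificate.issuer";
  const buggy = buildTimelineFilter(dragged, ISSUER, false);
  const fixed = buildTimelineFilter(dragged, ISSUER, true);
  return {
    buggy, buggyHits: matchCount(SAMPLE_DOCS, buggy),
    fixed, fixedHits: matchCount(SAMPLE_DOCS, fixed),
  };
}

console.log(reproduceIssuerDrag());
```

The same translation table is what a row renderer for the fingerprint column would need, since the report notes those fields were left on the old names as well; the point is that the display, the drag payload and the query must all address one field name, and since Packetbeat 7.6 only the ECS name has data behind it.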

@patrykkopycinski patrykkopycinski self-assigned this Sep 29, 2020
@MadameSheema MadameSheema added the Team:Threat Hunting Security Solution Threat Hunting Team label Oct 1, 2020
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Oct 27, 2020