From 77021f586c49c341475fcf2fda28494bc46443db Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Mon, 4 Oct 2021 20:04:32 -0400
Subject: [PATCH] Fix issue with incorrect policy response attachment. (#113430) (#113850)
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Pete Hampton
---
 .../security_solution/server/lib/telemetry/receiver.ts | 2 +-
 .../server/lib/telemetry/tasks/endpoint.ts | 9 +++------
 2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts b/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts
index 8b715b8e8d585..038b7687784f4 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts
@@ -84,7 +84,7 @@ export class TelemetryReceiver {
 policy_responses: {
 terms: {
 size: this.max_records,
- field: 'Endpoint.policy.applied.id',
+ field: 'agent.id',
 },
 aggs: {
 latest_response: {
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/tasks/endpoint.ts b/x-pack/plugins/security_solution/server/lib/telemetry/tasks/endpoint.ts
index 2cebbc0af69c1..0c066deea17d9 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/tasks/endpoint.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/tasks/endpoint.ts
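Review bot: In receiver.ts the `policy_responses` terms aggregation is now keyed on `agent.id` while `size` stays at `this.max_records`, so the bucket count scales with the number of endpoints rather than the number of policies. If a deployment has more agents than `max_records`, the remaining agents' policy responses would be left out of the result, and nothing in this hunk shows that case being detected. Consider checking the aggregation's `sum_other_doc_count` where the response is consumed and logging when it is non-zero. A comment on the cap would also help, such as `// one bucket per agent; agents beyond max_records are not returned`. The query object starts and ends outside the hunk.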
@@ -190,13 +190,11 @@ export class TelemetryEndpointTask {
 *
 * As the policy id + policy version does not exist on the Endpoint Metrics document
 * we need to fetch information about the Fleet Agent and sync the metrics document
- * with the Fleet agent's policy data.
+ * with the Agent's policy data.
 *
- * 7.14 ~ An issue was created with the Endpoint agent team to add the policy id +
- * policy version to the metrics document to circumvent and refactor away from
- * this expensive join operation.
 */
 const agentsResponse = endpointData.fleetAgentsResponse;
+
 if (agentsResponse === undefined) {
 this.logger.debug('no fleet agent information available');
 return 0;
@@ -286,7 +284,7 @@ export class TelemetryEndpointTask {
 policyConfig = endpointPolicyCache.get(policyInformation) || null;
 if (policyConfig) {
- failedPolicy = policyResponses.get(policyConfig?.id);
+ failedPolicy = policyResponses.get(endpointAgentId);
 }
 }
@@ -294,7 +292,6 @@ export class TelemetryEndpointTask {
 return {
 '@timestamp': executeTo,
- agent_id: fleetAgentId,
 endpoint_id: endpointAgentId,
 endpoint_version: endpoint.endpoint_version,
 endpoint_package_version: policyConfig?.package?.version || null,
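Review bot: In the `@@ -286,7 +284,7 @@` hunk the new lookup `policyResponses.get(endpointAgentId)` no longer depends on `policyConfig`, yet it still sits inside `if (policyConfig) { … }`. A failed policy response for an endpoint whose policy config is missing from `endpointPolicyCache` is therefore never attached to the telemetry record. If that is not intended, move `failedPolicy = policyResponses.get(endpointAgentId);` out of the guard. Otherwise add a comment such as `// failed responses are only reported for endpoints with a cached policy config`. The lookup also assumes the map is keyed by the same value as the `agent.id` buckets from receiver.ts, which cannot be confirmed here because the map is built outside this diff, as are the start and end of the enclosing block.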