[Security Solution] [Attack discovery] [Security AI Assistant] Update…

… default Anonymization settings (elastic#182531)

## [Security Solution] [Attack discovery] [Security AI Assistant] Update default Anonymization settings

### Summary

This PR updates the default Anonymization settings used by Attack discovery and the Security AI Assistant.

### Desk testing

Note: If you have an existing `8.14 BC` / `main` deployment, the following steps are required to desk test the fix:

1) In the existing deployment, navigate to Stack Management > AI Assistant > Elastic AI Assistant for Security

2) Click the Anonymization tab, and take a screenshot of the `Allowed` and `Anonymized` counts. It may look something like the following example:

![anonymization_defaults_before](https://github.com/elastic/kibana/assets/4459398/27ab13d4-5ad7-435c-8c92-51f9a93f04f4)

3) Filter the fields by `_id`

**Expected result**

- The (before) configuration of the `_id` field looks like the screenshot below:
![_id_field_before](https://github.com/elastic/kibana/assets/4459398/e10a29b2-c681-45f6-87ea-cdc3f6b6468f)
- The `_id` field is Allowed: `[x] Allowed`
- The `_id` field is Anonymized: `Anonymized: Yes`

(The above are the old defaults for the `_id` field.)

4) In Dev Tools, delete the existing anonymization defaults, and associated index template:

```
DELETE /_data_stream/.kibana-elastic-ai-assistant-anonymization-fields-default
DELETE /_index_template/.kibana-elastic-ai-assistant-index-template-anonymization-fields
```

5) Stop Kibana

6) Start Kibana running the PR branch (with the new defaults)

**Expected result**

The new `.kibana-elastic-ai-assistant-anonymization-fields-default` data stream is created at startup

7) Once again, navigate to Stack Management > AI Assistant > Elastic AI Assistant for Security

8) Once again, click the Anonymization tab, compare the screenshot of the `Allowed` and `Anonymized` counts with the previous screenshot

**Expected result**

- The counts have been updated, per the example screenshot below:

![anonymization_defaults_after](https://github.com/elastic/kibana/assets/4459398/589d0aa8-7077-4dfc-89de-df0ffa85ac6c)

9) Once again, filter the fields by `_id`

**Expected results**

- The (after) configuration of the `_id` field looks like the screenshot below:
![_id_field_after](https://github.com/elastic/kibana/assets/4459398/b5ed2901-99f4-4981-97c8-10012d33930c)
- The `_id` field is Allowed: `[x] Allowed`
- The `_id` field is NOT Anonymized: `Anonymized: No`

(The above are the new defaults for the `_id` field.)

x-pack/plugins/elastic_assistant/common/anonymization/index.ts

@@ -15,21 +15,23 @@ export const DEFAULT_ALLOW = [
   'destination.ip',
   'dns.question.name',
   'dns.question.type',
-  'event.action',
   'event.category',
   'event.dataset',
   'event.module',
   'event.outcome',
-  'event.type',
   'file.Ext.original.path',
   'file.hash.sha256',
   'file.name',
   'file.path',
+  'group.id',
+  'group.name',
+  'host.asset.criticality',
   'host.name',
+  'host.os.name',
+  'host.os.version',
   'host.risk.calculated_level',
   'host.risk.calculated_score_norm',
   'kibana.alert.original_time',
-  'kibana.alert.last_detected',
   'kibana.alert.risk_score',
   'kibana.alert.rule.description',
   'kibana.alert.rule.name',
@@ -46,29 +48,61 @@ export const DEFAULT_ALLOW = [
   'kibana.alert.rule.threat.technique.subtechnique.reference',
   'kibana.alert.severity',
   'kibana.alert.workflow_status',
+  'message',
+  'network.protocol',
   'process.args',
+  'process.code_signature.exists',
+  'process.code_signature.signing_id',
+  'process.code_signature.status',
+  'process.code_signature.subject_name',
+  'process.code_signature.trusted',
   'process.command_line',
   'process.executable',
-  'process.Ext.token.integrity_level_name',
-  'process.entity_id',
   'process.exit_code',
+  'process.Ext.memory_region.bytes_compressed_present',
+  'process.Ext.memory_region.malware_signature.all_names',
+  'process.Ext.memory_region.malware_signature.primary.matches',
+  'process.Ext.memory_region.malware_signature.primary.signature.name',
+  'process.Ext.token.integrity_level_name',
   'process.hash.md5',
   'process.hash.sha1',
-  'process.name',
   'process.hash.sha256',
+  'process.name',
   'process.parent.args',
   'process.parent.args_count',
   'process.parent.code_signature.exists',
   'process.parent.code_signature.status',
   'process.parent.code_signature.subject_name',
   'process.parent.code_signature.trusted',
   'process.parent.command_line',
-  'process.parent.entity_id',
   'process.parent.executable',
+  'process.parent.name',
+  'process.pe.original_file_name',
   'process.pid',
   'process.working_directory',
-  'network.protocol',
+  'Ransomware.feature',
+  'Ransomware.files.data',
+  'Ransomware.files.entropy',
+  'Ransomware.files.extension',
+  'Ransomware.files.metrics',
+  'Ransomware.files.operation',
+  'Ransomware.files.path',
+  'Ransomware.files.score',
+  'Ransomware.version',
+  'rule.name',
+  'rule.reference',
   'source.ip',
+  'threat.framework',
+  'threat.tactic.id',
+  'threat.tactic.name',
+  'threat.tactic.reference',
+  'threat.technique.id',
+  'threat.technique.name',
+  'threat.technique.reference',
+  'threat.technique.subtechnique.id',
+  'threat.technique.subtechnique.name',
+  'threat.technique.subtechnique.reference',
+  'user.asset.criticality',
   'user.domain',
   'user.name',
   'user.risk.calculated_level',
@@ -77,18 +111,8 @@ export const DEFAULT_ALLOW = [
 
 /** By default, these fields will be anonymized */
 export const DEFAULT_ALLOW_REPLACEMENT = [
-  '_id', // the document's _id is replaced with an anonymized value
-  'cloud.availability_zone',
-  'cloud.provider',
-  'cloud.region',
-  'destination.ip',
-  'file.Ext.original.path',
-  'file.name',
-  'file.path',
   'host.ip', // not a default allow field, but anonymized by default
   'host.name',
-  'source.ip',
-  'user.domain',
   'user.name',
 ];