dhurley14 · dhurley14 · Jun 16, 2021 · Jun 9, 2021
diff --git a/x-pack/plugins/rule_registry/README.md b/x-pack/plugins/rule_registry/README.md
@@ -27,9 +27,7 @@ On plugin setup, rule type producers can create the index template as follows:
 ```ts
 // get the FQN of the component template. All assets are prefixed with the configured `index` value, which is `.alerts` by default.
 
-const componentTemplateName = plugins.ruleRegistry.getFullAssetName(
-  'apm-mappings'
-);
+const componentTemplateName = plugins.ruleRegistry.getFullAssetName('apm-mappings');
 
 // if write is disabled, don't install these templates
 if (!plugins.ruleRegistry.isWriteEnabled()) {
@@ -73,14 +71,10 @@ await plugins.ruleRegistry.createOrUpdateComponentTemplate({
 await plugins.ruleRegistry.createOrUpdateIndexTemplate({
   name: plugins.ruleRegistry.getFullAssetName('apm-index-template'),
   body: {
-    index_patterns: [
-      plugins.ruleRegistry.getFullAssetName('observability-apm*'),
-    ],
+    index_patterns: [plugins.ruleRegistry.getFullAssetName('observability-apm*')],
     composed_of: [
       // Technical component template, required
-      plugins.ruleRegistry.getFullAssetName(
-        TECHNICAL_COMPONENT_TEMPLATE_NAME
-      ),
+      plugins.ruleRegistry.getFullAssetName(TECHNICAL_COMPONENT_TEMPLATE_NAME),
       componentTemplateName,
     ],
   },
@@ -107,8 +101,7 @@ await ruleDataClient.getWriter().bulk({
 // to read data, simply call ruleDataClient.getReader().search:
 const response = await ruleDataClient.getReader().search({
   body: {
-    query: {
-    },
+    query: {},
     size: 100,
     fields: ['*'],
     collapse: {
@@ -135,6 +128,7 @@ The following fields are defined in the technical field component template and s
 - `rule.name`: the name of the rule (as specified by the user).
 - `rule.category`: the name of the rule type (as defined by the rule type producer)
 - `kibana.rac.alert.producer`: the producer of the rule type. Usually a Kibana plugin. e.g., `APM`.
+- `kibana.rac.alert.owner`: the feature which produced the alert. Usually a Kibana feature id like `apm`, `siem`...
 - `kibana.rac.alert.id`: the id of the alert, that is unique within the context of the rule execution it was created in. E.g., for a rule that monitors latency for all services in all environments, this might be `opbeans-java:production`.
 - `kibana.rac.alert.uuid`: the unique identifier for the alert during its lifespan. If an alert recovers (or closes), this identifier is re-generated when it is opened again.
 - `kibana.rac.alert.status`: the status of the alert. Can be `open` or `closed`.
@@ -148,3 +142,16 @@ The following fields are defined in the technical field component template and s
 - `kibana.rac.alert.ancestors`: the array of ancestors (if any) for the alert.
 - `kibana.rac.alert.depth`: the depth of the alert in the ancestral tree (default 0).
 - `kibana.rac.alert.building_block_type`: the building block type of the alert (default undefined).
+
+# Alerts as data
+
+Alerts as data can be interacted with using the AlertsClient api found in `x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts`
+
+This api includes public methods such as
+
+[x] getFullAssetName
+[x] getAlertsIndex
+[x] get
+[x] update
+[ ] bulkUpdate (TODO)
+[ ] find (TODO)
diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
@@ -74,6 +74,7 @@ export class AlertsClient {
     );
   }
 
+  // pull concrete index name off of document
   private async fetchAlert({ id, indexName }: GetAlertParams): Promise<ParsedTechnicalFields> {
     try {
       const result = await this.esClient.get<ParsedTechnicalFields>({

diff --git a/x-pack/plugins/rule_registry/server/scripts/get_observability_alert.sh b/x-pack/plugins/rule_registry/server/scripts/get_observability_alert.sh
@@ -15,7 +15,9 @@ cd ./hunter && sh ./post_detections_role.sh && sh ./post_detections_user.sh
 cd ../observer && sh ./post_detections_role.sh && sh ./post_detections_user.sh
 cd ..
 
+# curl get_index script
+
 # Example: ./find_rules.sh
 curl -v -k \
  -u $USER:changeme \
- -X GET "${KIBANA_URL}${SPACE_URL}/api/rac/alerts?id=NoxgpHkBqbdrfX07MqXV&assetName=observability-apm" | jq .
+ -X GET "${KIBANA_URL}${SPACE_URL}/api/rac/alerts?id=NoxgpHkBqbdrfX07MqXV&indexName=.alerts-observability-apm" | jq .
diff --git a/x-pack/test/api_integration/apis/security_solution/events.ts b/x-pack/test/api_integration/apis/security_solution/events.ts
@@ -7,6 +7,11 @@
 
 import expect from '@kbn/expect';
 
+import { secOnly } from '../../../rule_registry/common/lib/authentication/users';
+import {
+  createSpacesAndUsers,
+  deleteSpacesAndUsers,
+} from '../../../rule_registry/common/lib/authentication/';
 import {
   Direction,
   TimelineEventsQueries,
@@ -407,10 +412,21 @@ export default function ({ getService }: FtrProviderContext) {
   const retry = getService('retry');
   const esArchiver = getService('esArchiver');
   const supertest = getService('supertest');
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
 
   describe('Timeline', () => {
-    before(() => esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts'));
-    after(() => esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/hosts'));
+    // before(() => esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts'));
+    // after(() => esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/hosts'));
+    before(async () => {
+      await esArchiver.load('auditbeat/hosts');
+      await esArchiver.load('rule_registry/alerts');
+      await createSpacesAndUsers(getService);
+    });
+    after(async () => {
+      await esArchiver.unload('auditbeat/hosts');
+      await esArchiver.load('rule_registry/alerts');
+      await deleteSpacesAndUsers(getService);
+    });
 
     it('Make sure that we get Timeline data', async () => {
       await retry.try(async () => {
@@ -454,6 +470,46 @@ export default function ({ getService }: FtrProviderContext) {
       });
     });
 
+    it.skip('Make sure that we get Timeline data using the hunter role and do not receive observability alerts', async () => {
+      await retry.try(async () => {
+        const resp = await supertestWithoutAuth
+          .post('/internal/search/securitySolutionTimelineSearchStrategy/')
+          .auth(secOnly.username, secOnly.password)
+          .set('kbn-xsrf', 'true')
+          .set('Content-Type', 'application/json')
+          .send({
+            defaultIndex: ['.alerts*'], // query both .alerts-observability-apm and .alerts-security-solution
+            docValueFields: DOC_VALUE_FIELDS,
+            factoryQueryType: TimelineEventsQueries.all,
+            fieldRequested: FIELD_REQUESTED,
+            fields: [],
+            filterQuery: FILTER_VALUE,
+            pagination: {
+              activePage: 0,
+              querySize: 25,
+            },
+            language: 'kuery',
+            sort: [
+              {
+                field: '@timestamp',
+                direction: Direction.desc,
+                type: 'number',
+              },
+            ],
+            timerange: {
+              from: FROM,
+              to: TO,
+              interval: '12h',
+            },
+          })
+          .expect(200);
+
+        const timeline = resp.body;
+
+        expect(timeline.totalCount).to.be(1);
+      });
+    });
+
     it('Make sure that pagination is working in Timeline query', async () => {
       await retry.try(async () => {
         const resp = await supertest

diff --git a/x-pack/test/api_integration/config.ts b/x-pack/test/api_integration/config.ts
@@ -14,7 +14,7 @@ export async function getApiIntegrationConfig({ readConfigFile }: FtrConfigProvi
   );
 
   return {
-    testFiles: [require.resolve('./apis')],
+    testFiles: [require.resolve('./apis/security_solution/events')],
     services,
     servers: xPackFunctionalTestsConfig.get('servers'),
     security: xPackFunctionalTestsConfig.get('security'),

diff --git a/x-pack/test/functional/es_archives/rule_registry/alerts/data.json b/x-pack/test/functional/es_archives/rule_registry/alerts/data.json
@@ -4,10 +4,25 @@
     "index": ".alerts-observability-apm",
     "id": "NoxgpHkBqbdrfX07MqXV",
     "source": {
+      "@timestamp": "2020-12-16T15:16:18.570Z",
       "rule.id": "apm.error_rate",
       "message": "hello world 1",
       "kibana.rac.alert.owner": "apm",
       "kibana.rac.alert.status": "open"
     }
   }
 }
+{
+  "type": "doc",
+  "value": {
+    "index": ".alerts-security-solution",
+    "id": "020202",
+    "source": {
+      "@timestamp": "2020-12-16T15:16:18.570Z",
+      "rule.id": "siem.signals",
+      "message": "hello world security",
+      "kibana.rac.alert.owner": "siem",
+      "kibana.rac.alert.status": "open"
+    }
+  }
+}
diff --git a/x-pack/test/functional/es_archives/rule_registry/alerts/mappings.json b/x-pack/test/functional/es_archives/rule_registry/alerts/mappings.json
@@ -21,3 +21,27 @@
     }
   }
 }
+
+{
+  "type": "index",
+  "value": {
+    "index": ".alerts-security-solution",
+    "mappings": {
+      "properties": {
+        "message": {
+          "type": "text",
+          "fields": {
+            "keyword": {
+              "type": "keyword",
+              "ignore_above": 256
+            }
+          }
+        },
+        "kibana.rac.alert.owner": {
+          "type": "keyword",
+          "ignore_above": 256
+        }
+      }
+    }
+  }
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -74,6 +74,7 @@ export class AlertsClient { @@
         );
       }
+      // pull concrete index name off of document
       private async fetchAlert({ id, indexName }: GetAlertParams): Promise<ParsedTechnicalFields> {
         try {
           const result = await this.esClient.get<ParsedTechnicalFields>({
@@ Expand Down @@