From 06256a38ac42fad0e18a8d926f715a6af49e15c5 Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Tue, 3 Dec 2024 20:14:04 +1100
Subject: [PATCH 01/23] [8.x] [NL-to-ESQL] autocorrect bad LIKE wildcards
 (#202464) (#202631)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[NL-to-ESQL] autocorrect bad LIKE wildcards
(#202464)](https://github.com/elastic/kibana/pull/202464)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Pierre
Gayvallet","email":"pierre.gayvallet@elastic.co"},"sourceCommit":{"committedDate":"2024-12-03T07:26:46Z","message":"[NL-to-ESQL]
autocorrect bad LIKE wildcards (#202464)\n\n## Summary\r\n\r\nPart of
https://github.com/elastic/kibana/issues/198942\r\n\r\nAdd autocorrect
for wrong `LIKE` wildcard.\r\n\r\nThe LLM can make mistake and use SQL
wildcards for LIKE operators (`_`\r\ninstead of `?` and `%` instead of
`*`)\r\n\r\n\r\nExamples\r\n\r\n**generated**\r\n```\r\nFROM logs |
WHERE message LIKE \"a%\" AND TO_UPPER(level) LIKE \"err%\" | WHERE foo
LIKE \"ba_\"\r\n```\r\n**corrected**\r\n```\r\nFROM logs | WHERE message
LIKE \"a*\" AND TO_UPPER(level) LIKE \"err*\" | WHERE foo LIKE
\"ba?\"\r\n```\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"2ace6ffcedec826f7a6c3690fa4f99a5ea63c663","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","backport:version","Team:AI
Infra","v8.18.0"],"title":"[NL-to-ESQL] autocorrect bad LIKE
wildcards","number":202464,"url":"https://github.com/elastic/kibana/pull/202464","mergeCommit":{"message":"[NL-to-ESQL]
autocorrect bad LIKE wildcards (#202464)\n\n## Summary\r\n\r\nPart of
https://github.com/elastic/kibana/issues/198942\r\n\r\nAdd autocorrect
for wrong `LIKE` wildcard.\r\n\r\nThe LLM can make mistake and use SQL
wildcards for LIKE operators (`_`\r\ninstead of `?` and `%` instead of
`*`)\r\n\r\n\r\nExamples\r\n\r\n**generated**\r\n```\r\nFROM logs |
WHERE message LIKE \"a%\" AND TO_UPPER(level) LIKE \"err%\" | WHERE foo
LIKE \"ba_\"\r\n```\r\n**corrected**\r\n```\r\nFROM logs | WHERE message
LIKE \"a*\" AND TO_UPPER(level) LIKE \"err*\" | WHERE foo LIKE
\"ba?\"\r\n```\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"2ace6ffcedec826f7a6c3690fa4f99a5ea63c663"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/202464","number":202464,"mergeCommit":{"message":"[NL-to-ESQL]
autocorrect bad LIKE wildcards (#202464)\n\n## Summary\r\n\r\nPart of
https://github.com/elastic/kibana/issues/198942\r\n\r\nAdd autocorrect
for wrong `LIKE` wildcard.\r\n\r\nThe LLM can make mistake and use SQL
wildcards for LIKE operators (`_`\r\ninstead of `?` and `%` instead of
`*`)\r\n\r\n\r\nExamples\r\n\r\n**generated**\r\n```\r\nFROM logs |
WHERE message LIKE \"a%\" AND TO_UPPER(level) LIKE \"err%\" | WHERE foo
LIKE \"ba_\"\r\n```\r\n**corrected**\r\n```\r\nFROM logs | WHERE message
LIKE \"a*\" AND TO_UPPER(level) LIKE \"err*\" | WHERE foo LIKE
\"ba?\"\r\n```\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"2ace6ffcedec826f7a6c3690fa4f99a5ea63c663"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Pierre Gayvallet <pierre.gayvallet@elastic.co>
---
 .../tasks/nl_to_esql/ast/corrections/index.ts |  6 +-
 .../nl_to_esql/ast/corrections/like.test.ts   | 59 +++++++++++++++++++
 .../tasks/nl_to_esql/ast/corrections/like.ts  | 59 +++++++++++++++++++
 .../ast/corrections/timespan_literals.test.ts | 22 +++----
 .../ast/corrections/timespan_literals.ts      |  4 +-
 .../common/tasks/nl_to_esql/ast/typeguards.ts | 23 +++++++-
 .../common/tasks/nl_to_esql/ast/types.ts      |  5 ++
 7 files changed, 160 insertions(+), 18 deletions(-)
 create mode 100644 x-pack/plugins/inference/common/tasks/nl_to_esql/ast/corrections/like.test.ts
 create mode 100644 x-pack/plugins/inference/common/tasks/nl_to_esql/ast/corrections/like.ts

diff --git a/x-pack/plugins/inference/common/tasks/nl_to_esql/ast/corrections/index.ts b/x-pack/plugins/inference/common/tasks/nl_to_esql/ast/corrections/index.ts
index 9d7218a6f77cb..76ffd993bb9ab 100644
--- a/x-pack/plugins/inference/common/tasks/nl_to_esql/ast/corrections/index.ts
+++ b/x-pack/plugins/inference/common/tasks/nl_to_esql/ast/corrections/index.ts
@@ -7,12 +7,14 @@
 
 import type { ESQLAstQueryExpression } from '@kbn/esql-ast';
 import type { QueryCorrection } from './types';
-import { applyTimespanLiteralsCorrections } from './timespan_literals';
+import { correctTimespanLiterals } from './timespan_literals';
+import { correctLikeWildcards } from './like';
 
 export type { QueryCorrection } from './types';
 
 export const correctAll = (query: ESQLAstQueryExpression): QueryCorrection[] => {
   const corrections: QueryCorrection[] = [];
-  corrections.push(...applyTimespanLiteralsCorrections(query));
+  corrections.push(...correctTimespanLiterals(query));
+  corrections.push(...correctLikeWildcards(query));
   return corrections;
 };
diff --git a/x-pack/plugins/inference/common/tasks/nl_to_esql/ast/corrections/like.test.ts b/x-pack/plugins/inference/common/tasks/nl_to_esql/ast/corrections/like.test.ts
new file mode 100644
index 0000000000000..81779188c553b
--- /dev/null
+++ b/x-pack/plugins/inference/common/tasks/nl_to_esql/ast/corrections/like.test.ts
@@ -0,0 +1,59 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { parse, BasicPrettyPrinter } from '@kbn/esql-ast';
+import { correctLikeWildcards } from './like';
+
+describe('correctLikeWildcards', () => {
+  it('replaces badly used "_" wildcard', () => {
+    const query = 'FROM logs | WHERE message LIKE "ba_"';
+    const { root } = parse(query);
+    correctLikeWildcards(root);
+
+    const output = BasicPrettyPrinter.print(root);
+    expect(output).toEqual('FROM logs | WHERE message LIKE "ba?"');
+  });
+
+  it('replaces badly used "%" wildcard', () => {
+    const query = 'FROM logs | WHERE message LIKE "b%"';
+    const { root } = parse(query);
+    correctLikeWildcards(root);
+
+    const output = BasicPrettyPrinter.print(root);
+    expect(output).toEqual('FROM logs | WHERE message LIKE "b*"');
+  });
+
+  it('replaces multiple bad wildcards', () => {
+    const query = 'FROM logs | WHERE message LIKE "a__t%"';
+    const { root } = parse(query);
+    correctLikeWildcards(root);
+
+    const output = BasicPrettyPrinter.print(root);
+    expect(output).toEqual('FROM logs | WHERE message LIKE "a??t*"');
+  });
+
+  it('replaces bad wildcards in multiple commands and functions', () => {
+    const query =
+      'FROM logs | WHERE message LIKE "a%" AND TO_UPPER(level) LIKE "err%" | WHERE foo LIKE "ba_"';
+    const { root } = parse(query);
+    correctLikeWildcards(root);
+
+    const output = BasicPrettyPrinter.print(root);
+    expect(output).toEqual(
+      'FROM logs | WHERE message LIKE "a*" AND TO_UPPER(level) LIKE "err*" | WHERE foo LIKE "ba?"'
+    );
+  });
+
+  it('does not replace escaped characters', () => {
+    const query = 'FROM logs | WHERE message LIKE "ba\\\\_"';
+    const { root } = parse(query);
+    correctLikeWildcards(root);
+
+    const output = BasicPrettyPrinter.print(root);
+    expect(output).toEqual('FROM logs | WHERE message LIKE "ba\\\\_"');
+  });
+});
diff --git a/x-pack/plugins/inference/common/tasks/nl_to_esql/ast/corrections/like.ts b/x-pack/plugins/inference/common/tasks/nl_to_esql/ast/corrections/like.ts
new file mode 100644
index 0000000000000..be61bd216284b
--- /dev/null
+++ b/x-pack/plugins/inference/common/tasks/nl_to_esql/ast/corrections/like.ts
@@ -0,0 +1,59 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { Walker, type ESQLAstQueryExpression } from '@kbn/esql-ast';
+import { isLikeOperatorNode, isStringLiteralNode } from '../typeguards';
+import type { ESQLLikeOperator, ESQLStringLiteral } from '../types';
+import type { QueryCorrection } from './types';
+
+/**
+ * Correct wrong LIKE wildcard mistakes.
+ * The LLM can make mistake and use SQL wildcards for LIKE operators.
+ *
+ * E.g.
+ * `column LIKE "ba_"` => `column LIKE "ba?"`
+ * `column LIKE "ba%"` => `column LIKE "ba*"`
+ */
+export const correctLikeWildcards = (query: ESQLAstQueryExpression): QueryCorrection[] => {
+  const corrections: QueryCorrection[] = [];
+
+  Walker.walk(query, {
+    visitFunction: (node) => {
+      if (isLikeOperatorNode(node)) {
+        corrections.push(...checkLikeNode(node));
+      }
+    },
+  });
+
+  return corrections;
+};
+
+function checkLikeNode(node: ESQLLikeOperator): QueryCorrection[] {
+  if (node.args.length !== 2 || !isStringLiteralNode(node.args[1])) {
+    return [];
+  }
+  const likeExpression = node.args[1] as ESQLStringLiteral;
+
+  const initialValue = likeExpression.value;
+
+  likeExpression.value = likeExpression.value
+    .replaceAll(/(?<!\\)%/g, '*')
+    .replaceAll(/(?<!\\)_/g, '?');
+
+  if (likeExpression.value !== initialValue) {
+    likeExpression.name = likeExpression.value;
+
+    const correction: QueryCorrection = {
+      type: 'wrong_like_wildcard',
+      node,
+      description: `Replaced wrong like wildcard in LIKE operator at position ${node.location.min}`,
+    };
+    return [correction];
+  }
+
+  return [];
+}
diff --git a/x-pack/plugins/inference/common/tasks/nl_to_esql/ast/corrections/timespan_literals.test.ts b/x-pack/plugins/inference/common/tasks/nl_to_esql/ast/corrections/timespan_literals.test.ts
index 616ed70802e96..0febe4e8c2493 100644
--- a/x-pack/plugins/inference/common/tasks/nl_to_esql/ast/corrections/timespan_literals.test.ts
+++ b/x-pack/plugins/inference/common/tasks/nl_to_esql/ast/corrections/timespan_literals.test.ts
@@ -6,15 +6,15 @@
  */
 
 import { parse, BasicPrettyPrinter } from '@kbn/esql-ast';
-import { applyTimespanLiteralsCorrections } from './timespan_literals';
+import { correctTimespanLiterals } from './timespan_literals';
 
-describe('getTimespanLiteralsCorrections', () => {
+describe('correctTimespanLiterals', () => {
   describe('with DATE_TRUNC', () => {
     it('replaces a timespan with a proper timespan literal', () => {
       const query = 'FROM logs | EVAL truncated = DATE_TRUNC("1 year", date)';
       const { root } = parse(query);
 
-      applyTimespanLiteralsCorrections(root);
+      correctTimespanLiterals(root);
 
       const output = BasicPrettyPrinter.print(root);
 
@@ -27,7 +27,7 @@ describe('getTimespanLiteralsCorrections', () => {
       const query = 'FROM logs | EVAL truncated = DATE_TRUNC("month", date)';
       const { root } = parse(query);
 
-      applyTimespanLiteralsCorrections(root);
+      correctTimespanLiterals(root);
 
       const output = BasicPrettyPrinter.print(root);
 
@@ -40,7 +40,7 @@ describe('getTimespanLiteralsCorrections', () => {
       const query = 'FROM logs | EVAL truncated = DATE_TRUNC("1 YEAR", date)';
       const { root } = parse(query);
 
-      applyTimespanLiteralsCorrections(root);
+      correctTimespanLiterals(root);
 
       const output = BasicPrettyPrinter.print(root);
 
@@ -53,7 +53,7 @@ describe('getTimespanLiteralsCorrections', () => {
       const query = 'FROM logs | EVAL truncated = DATE_TRUNC("1 year", date)';
       const { root } = parse(query);
 
-      const corrections = applyTimespanLiteralsCorrections(root);
+      const corrections = correctTimespanLiterals(root);
 
       expect(corrections).toHaveLength(1);
       expect(corrections[0]).toEqual({
@@ -70,7 +70,7 @@ describe('getTimespanLiteralsCorrections', () => {
       const query = 'FROM logs | STATS hires = COUNT(*) BY week = BUCKET(hire_date, "1 week")';
       const { root } = parse(query);
 
-      applyTimespanLiteralsCorrections(root);
+      correctTimespanLiterals(root);
 
       const output = BasicPrettyPrinter.print(root);
 
@@ -83,7 +83,7 @@ describe('getTimespanLiteralsCorrections', () => {
       const query = 'FROM logs | STATS hires = COUNT(*) BY hour = BUCKET(hire_date, "hour")';
       const { root } = parse(query);
 
-      applyTimespanLiteralsCorrections(root);
+      correctTimespanLiterals(root);
 
       const output = BasicPrettyPrinter.print(root);
 
@@ -96,7 +96,7 @@ describe('getTimespanLiteralsCorrections', () => {
       const query = 'FROM logs | STATS hires = COUNT(*) BY week = BUCKET(hire_date, "1 WEEK")';
       const { root } = parse(query);
 
-      applyTimespanLiteralsCorrections(root);
+      correctTimespanLiterals(root);
 
       const output = BasicPrettyPrinter.print(root);
 
@@ -109,7 +109,7 @@ describe('getTimespanLiteralsCorrections', () => {
       const query = 'FROM logs | STATS hires = COUNT(*) BY hour = BUCKET(hire_date, "hour")';
       const { root } = parse(query);
 
-      const corrections = applyTimespanLiteralsCorrections(root);
+      const corrections = correctTimespanLiterals(root);
 
       expect(corrections).toHaveLength(1);
       expect(corrections[0]).toEqual({
@@ -129,7 +129,7 @@ describe('getTimespanLiteralsCorrections', () => {
     | STATS hires = COUNT(*) BY hour = BUCKET(hire_date, "3 hour")`;
       const { root } = parse(query);
 
-      applyTimespanLiteralsCorrections(root);
+      correctTimespanLiterals(root);
 
       const output = BasicPrettyPrinter.print(root, { multiline: true, pipeTab: '' });
 
diff --git a/x-pack/plugins/inference/common/tasks/nl_to_esql/ast/corrections/timespan_literals.ts b/x-pack/plugins/inference/common/tasks/nl_to_esql/ast/corrections/timespan_literals.ts
index c3fbe636a2de1..039632c3d103f 100644
--- a/x-pack/plugins/inference/common/tasks/nl_to_esql/ast/corrections/timespan_literals.ts
+++ b/x-pack/plugins/inference/common/tasks/nl_to_esql/ast/corrections/timespan_literals.ts
@@ -19,9 +19,7 @@ import { QueryCorrection } from './types';
  * `BUCKET(@timestamp, "1 week")` => `BUCKET(@timestamp, 1 week)`
  *
  */
-export const applyTimespanLiteralsCorrections = (
-  query: ESQLAstQueryExpression
-): QueryCorrection[] => {
+export const correctTimespanLiterals = (query: ESQLAstQueryExpression): QueryCorrection[] => {
   const corrections: QueryCorrection[] = [];
 
   Walker.walk(query, {
diff --git a/x-pack/plugins/inference/common/tasks/nl_to_esql/ast/typeguards.ts b/x-pack/plugins/inference/common/tasks/nl_to_esql/ast/typeguards.ts
index 233625673b872..54bbe2f7300a9 100644
--- a/x-pack/plugins/inference/common/tasks/nl_to_esql/ast/typeguards.ts
+++ b/x-pack/plugins/inference/common/tasks/nl_to_esql/ast/typeguards.ts
@@ -5,8 +5,19 @@
  * 2.0.
  */
 
-import type { ESQLSingleAstItem, ESQLAstItem, ESQLFunction, ESQLLiteral } from '@kbn/esql-ast';
-import type { ESQLStringLiteral, ESQLDateTruncFunction, ESQLBucketFunction } from './types';
+import type {
+  ESQLSingleAstItem,
+  ESQLAstItem,
+  ESQLFunction,
+  ESQLLiteral,
+  ESQLColumn,
+} from '@kbn/esql-ast';
+import type {
+  ESQLStringLiteral,
+  ESQLDateTruncFunction,
+  ESQLBucketFunction,
+  ESQLLikeOperator,
+} from './types';
 
 export function isSingleItem(item: ESQLAstItem): item is ESQLSingleAstItem {
   return Object.hasOwn(item, 'type');
@@ -16,6 +27,10 @@ export function isFunctionNode(node: ESQLAstItem): node is ESQLFunction {
   return isSingleItem(node) && node.type === 'function';
 }
 
+export function isColumnNode(node: ESQLAstItem): node is ESQLColumn {
+  return isSingleItem(node) && node.type === 'column';
+}
+
 export function isLiteralNode(node: ESQLAstItem): node is ESQLLiteral {
   return isSingleItem(node) && node.type === 'literal';
 }
@@ -31,3 +46,7 @@ export function isDateTruncFunctionNode(node: ESQLAstItem): node is ESQLDateTrun
 export function isBucketFunctionNode(node: ESQLAstItem): node is ESQLBucketFunction {
   return isFunctionNode(node) && node.subtype === 'variadic-call' && node.name === 'bucket';
 }
+
+export function isLikeOperatorNode(node: ESQLAstItem): node is ESQLLikeOperator {
+  return isFunctionNode(node) && node.subtype === 'binary-expression' && node.name === 'like';
+}
diff --git a/x-pack/plugins/inference/common/tasks/nl_to_esql/ast/types.ts b/x-pack/plugins/inference/common/tasks/nl_to_esql/ast/types.ts
index dd2a9810e359e..6444f1490f3d2 100644
--- a/x-pack/plugins/inference/common/tasks/nl_to_esql/ast/types.ts
+++ b/x-pack/plugins/inference/common/tasks/nl_to_esql/ast/types.ts
@@ -12,6 +12,11 @@ import { ESQLFunction, ESQLLiteral } from '@kbn/esql-ast';
  */
 export type ESQLDateTruncFunction = ESQLFunction<'variadic-call', 'date_trunc'>;
 
+/**
+ * represents a LIKE function node.
+ */
+export type ESQLLikeOperator = ESQLFunction<'binary-expression', 'like'>;
+
 /**
  * represents a BUCKET function node.
  */

From e48e833db907f6d1093b8b4d9731508769e28468 Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Tue, 3 Dec 2024 21:07:38 +1100
Subject: [PATCH 02/23] =?UTF-8?q?[8.x]=20=F0=9F=8C=8A=20Streams:=20Managem?=
 =?UTF-8?q?ent=20base=20page=20(#201649)=20(#202632)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

# Backport

This will backport the following commits from `main` to `8.x`:
- [🌊 Streams: Management base page
(#201649)](https://github.com/elastic/kibana/pull/201649)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Joe
Reuter","email":"johannes.reuter@elastic.co"},"sourceCommit":{"committedDate":"2024-11-27T18:27:26Z","message":"🌊
Streams: Management base page (#201649)\n\n<img width=\"659\"
alt=\"Screenshot 2024-11-25 at 17 50
18\"\r\nsrc=\"https://github.com/user-attachments/assets/1f623207-a5cb-4a76-9d0e-c4ff811ab854\">\r\n\r\nThis
PR adds an empty placeholder for the different parts of
the\r\nmanagement tab which will be filled later on by follow-up PRs
like\r\nhttps://github.com/elastic/kibana/pull/201427\r\n\r\nChanges:\r\n*
Make the whole tree of wrapper elements flex so eventual page
content\r\ncan easily grow to the full height of the viewport. This is
important\r\nfor the preview view for routing and parsing. Doing this
required some\r\nchanges to existing listing and detail pages which just
took the part of\r\nthe page they actually needed. The changes come down
to setting `grow:\r\nfalse` on the header wrapper and `grow: true` on
the content wrapper\r\n* Introduce another routing layer:
`{key}/{tab}/{subtab}` to support the\r\ntwo-leveled tabs of management.
As our routing helpers don't support\r\noptional path variables, I
slightly extended them to pass through the\r\n`optional` flag so the
stream detail component can try to parse the path\r\nfor both key/tab
and key/tab/subtab and go with whatever works.\r\n* Add the second
tabbing layer for the management view component and add\r\nplaceholders
for the three subtabs we are going to need.\r\n* Pass through a callback
to refresh the stream definition that's passed\r\ndown - this will come
in handy in the various management views because\r\nthe user can make
changes and we want to update the stream definition\r\nonce the change
is submitted\r\n\r\n---------\r\n\r\nCo-authored-by: Dario Gieselaar
<dario.gieselaar@elastic.co>","sha":"40411b4eb59e4578e34081ec0690dd6b34812eac","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","backport:prev-minor","v8.18.0","Feature:Streams"],"title":"🌊
Streams: Management base
page","number":201649,"url":"https://github.com/elastic/kibana/pull/201649","mergeCommit":{"message":"🌊
Streams: Management base page (#201649)\n\n<img width=\"659\"
alt=\"Screenshot 2024-11-25 at 17 50
18\"\r\nsrc=\"https://github.com/user-attachments/assets/1f623207-a5cb-4a76-9d0e-c4ff811ab854\">\r\n\r\nThis
PR adds an empty placeholder for the different parts of
the\r\nmanagement tab which will be filled later on by follow-up PRs
like\r\nhttps://github.com/elastic/kibana/pull/201427\r\n\r\nChanges:\r\n*
Make the whole tree of wrapper elements flex so eventual page
content\r\ncan easily grow to the full height of the viewport. This is
important\r\nfor the preview view for routing and parsing. Doing this
required some\r\nchanges to existing listing and detail pages which just
took the part of\r\nthe page they actually needed. The changes come down
to setting `grow:\r\nfalse` on the header wrapper and `grow: true` on
the content wrapper\r\n* Introduce another routing layer:
`{key}/{tab}/{subtab}` to support the\r\ntwo-leveled tabs of management.
As our routing helpers don't support\r\noptional path variables, I
slightly extended them to pass through the\r\n`optional` flag so the
stream detail component can try to parse the path\r\nfor both key/tab
and key/tab/subtab and go with whatever works.\r\n* Add the second
tabbing layer for the management view component and add\r\nplaceholders
for the three subtabs we are going to need.\r\n* Pass through a callback
to refresh the stream definition that's passed\r\ndown - this will come
in handy in the various management views because\r\nthe user can make
changes and we want to update the stream definition\r\nonce the change
is submitted\r\n\r\n---------\r\n\r\nCo-authored-by: Dario Gieselaar
<dario.gieselaar@elastic.co>","sha":"40411b4eb59e4578e34081ec0690dd6b34812eac"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/201649","number":201649,"mergeCommit":{"message":"🌊
Streams: Management base page (#201649)\n\n<img width=\"659\"
alt=\"Screenshot 2024-11-25 at 17 50
18\"\r\nsrc=\"https://github.com/user-attachments/assets/1f623207-a5cb-4a76-9d0e-c4ff811ab854\">\r\n\r\nThis
PR adds an empty placeholder for the different parts of
the\r\nmanagement tab which will be filled later on by follow-up PRs
like\r\nhttps://github.com/elastic/kibana/pull/201427\r\n\r\nChanges:\r\n*
Make the whole tree of wrapper elements flex so eventual page
content\r\ncan easily grow to the full height of the viewport. This is
important\r\nfor the preview view for routing and parsing. Doing this
required some\r\nchanges to existing listing and detail pages which just
took the part of\r\nthe page they actually needed. The changes come down
to setting `grow:\r\nfalse` on the header wrapper and `grow: true` on
the content wrapper\r\n* Introduce another routing layer:
`{key}/{tab}/{subtab}` to support the\r\ntwo-leveled tabs of management.
As our routing helpers don't support\r\noptional path variables, I
slightly extended them to pass through the\r\n`optional` flag so the
stream detail component can try to parse the path\r\nfor both key/tab
and key/tab/subtab and go with whatever works.\r\n* Add the second
tabbing layer for the management view component and add\r\nplaceholders
for the three subtabs we are going to need.\r\n* Pass through a callback
to refresh the stream definition that's passed\r\ndown - this will come
in handy in the various management views because\r\nthe user can make
changes and we want to update the stream definition\r\nonce the change
is submitted\r\n\r\n---------\r\n\r\nCo-authored-by: Dario Gieselaar
<dario.gieselaar@elastic.co>","sha":"40411b4eb59e4578e34081ec0690dd6b34812eac"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Joe Reuter <johannes.reuter@elastic.co>
---
 .../components/entity_detail_view/index.tsx   | 54 ++++++-----
 .../stream_detail_enriching/index.tsx         | 18 ++++
 .../stream_detail_management/index.tsx        | 92 ++++++++++++++++++
 .../stream_detail_overview/index.tsx          | 96 ++++++++++---------
 .../stream_detail_routing/index.tsx           | 18 ++++
 .../stream_detail_schema_editor/index.tsx     | 18 ++++
 .../components/stream_detail_view/index.tsx   | 12 ++-
 .../components/stream_list_view/index.tsx     | 46 +++++----
 .../streams_app_page_body/index.tsx           |  1 +
 .../streams_app_page_template/index.tsx       | 10 +-
 .../public/hooks/use_streams_app_params.ts    |  5 +-
 .../streams_app/public/routes/config.tsx      | 16 ++++
 12 files changed, 287 insertions(+), 99 deletions(-)
 create mode 100644 x-pack/plugins/streams_app/public/components/stream_detail_enriching/index.tsx
 create mode 100644 x-pack/plugins/streams_app/public/components/stream_detail_management/index.tsx
 create mode 100644 x-pack/plugins/streams_app/public/components/stream_detail_routing/index.tsx
 create mode 100644 x-pack/plugins/streams_app/public/components/stream_detail_schema_editor/index.tsx

diff --git a/x-pack/plugins/streams_app/public/components/entity_detail_view/index.tsx b/x-pack/plugins/streams_app/public/components/entity_detail_view/index.tsx
index d2ce4859e66d1..68c5f9d6798ec 100644
--- a/x-pack/plugins/streams_app/public/components/entity_detail_view/index.tsx
+++ b/x-pack/plugins/streams_app/public/components/entity_detail_view/index.tsx
@@ -4,7 +4,7 @@
  * 2.0; you may not use this file except in compliance with the Elastic License
  * 2.0.
  */
-import { EuiFlexGroup, EuiIcon, EuiLink, EuiPanel } from '@elastic/eui';
+import { EuiFlexGroup, EuiFlexItem, EuiIcon, EuiLink, EuiPanel } from '@elastic/eui';
 import { i18n } from '@kbn/i18n';
 import React from 'react';
 import { useStreamsAppBreadcrumbs } from '../../hooks/use_streams_app_breadcrumbs';
@@ -71,31 +71,35 @@ export function EntityDetailViewWithoutParams({
 
   return (
     <EuiFlexGroup direction="column" gutterSize="none">
-      <EuiPanel color="transparent">
-        <EuiLink data-test-subj="streamsEntityDetailViewGoBackHref" href={router.link('/')}>
-          <EuiFlexGroup direction="row" alignItems="center" gutterSize="s">
-            <EuiIcon type="arrowLeft" />
-            {i18n.translate('xpack.streams.entityDetailView.goBackLinkLabel', {
-              defaultMessage: 'Back',
+      <EuiFlexItem grow={false}>
+        <EuiPanel color="transparent">
+          <EuiLink data-test-subj="streamsEntityDetailViewGoBackHref" href={router.link('/')}>
+            <EuiFlexGroup direction="row" alignItems="center" gutterSize="s">
+              <EuiIcon type="arrowLeft" />
+              {i18n.translate('xpack.streams.entityDetailView.goBackLinkLabel', {
+                defaultMessage: 'Back',
+              })}
+            </EuiFlexGroup>
+          </EuiLink>
+        </EuiPanel>
+      </EuiFlexItem>
+      <EuiFlexItem grow={false}>
+        <StreamsAppPageHeader
+          verticalPaddingSize="none"
+          title={<StreamsAppPageHeaderTitle title={entity.displayName} />}
+        >
+          <EntityOverviewTabList
+            tabs={Object.entries(tabMap).map(([tabKey, { label, href }]) => {
+              return {
+                name: tabKey,
+                label,
+                href,
+                selected: selectedTab === tabKey,
+              };
             })}
-          </EuiFlexGroup>
-        </EuiLink>
-      </EuiPanel>
-      <StreamsAppPageHeader
-        verticalPaddingSize="none"
-        title={<StreamsAppPageHeaderTitle title={entity.displayName} />}
-      >
-        <EntityOverviewTabList
-          tabs={Object.entries(tabMap).map(([tabKey, { label, href }]) => {
-            return {
-              name: tabKey,
-              label,
-              href,
-              selected: selectedTab === tabKey,
-            };
-          })}
-        />
-      </StreamsAppPageHeader>
+          />
+        </StreamsAppPageHeader>
+      </EuiFlexItem>
       <StreamsAppPageBody>{selectedTabObject.content}</StreamsAppPageBody>
     </EuiFlexGroup>
   );
diff --git a/x-pack/plugins/streams_app/public/components/stream_detail_enriching/index.tsx b/x-pack/plugins/streams_app/public/components/stream_detail_enriching/index.tsx
new file mode 100644
index 0000000000000..d879142162353
--- /dev/null
+++ b/x-pack/plugins/streams_app/public/components/stream_detail_enriching/index.tsx
@@ -0,0 +1,18 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { StreamDefinition } from '@kbn/streams-plugin/common';
+import React from 'react';
+
+export function StreamDetailEnriching({
+  definition: _definition,
+  refreshDefinition: _refreshDefinition,
+}: {
+  definition?: StreamDefinition;
+  refreshDefinition: () => void;
+}) {
+  return <>{'TODO'}</>;
+}
diff --git a/x-pack/plugins/streams_app/public/components/stream_detail_management/index.tsx b/x-pack/plugins/streams_app/public/components/stream_detail_management/index.tsx
new file mode 100644
index 0000000000000..534d883905b17
--- /dev/null
+++ b/x-pack/plugins/streams_app/public/components/stream_detail_management/index.tsx
@@ -0,0 +1,92 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import React from 'react';
+import { i18n } from '@kbn/i18n';
+import { StreamDefinition } from '@kbn/streams-plugin/common';
+import { EuiButtonGroup, EuiFlexGroup, EuiFlexItem } from '@elastic/eui';
+import { useStreamsAppParams } from '../../hooks/use_streams_app_params';
+import { RedirectTo } from '../redirect_to';
+import { useStreamsAppRouter } from '../../hooks/use_streams_app_router';
+import { StreamDetailRouting } from '../stream_detail_routing';
+import { StreamDetailEnriching } from '../stream_detail_enriching';
+import { StreamDetailSchemaEditor } from '../stream_detail_schema_editor';
+
+type ManagementSubTabs = 'route' | 'enrich' | 'schemaEditor';
+
+function isValidManagementSubTab(value: string): value is ManagementSubTabs {
+  return ['route', 'enrich', 'schemaEditor'].includes(value);
+}
+
+export function StreamDetailManagement({
+  definition,
+  refreshDefinition,
+}: {
+  definition?: StreamDefinition;
+  refreshDefinition: () => void;
+}) {
+  const {
+    path: { key, subtab },
+  } = useStreamsAppParams('/{key}/management/{subtab}');
+  const router = useStreamsAppRouter();
+
+  const tabs = {
+    route: {
+      content: (
+        <StreamDetailRouting definition={definition} refreshDefinition={refreshDefinition} />
+      ),
+      label: i18n.translate('xpack.streams.streamDetailView.routingTab', {
+        defaultMessage: 'Streams Partitioning',
+      }),
+    },
+    enrich: {
+      content: (
+        <StreamDetailEnriching definition={definition} refreshDefinition={refreshDefinition} />
+      ),
+      label: i18n.translate('xpack.streams.streamDetailView.enrichingTab', {
+        defaultMessage: 'Extract field',
+      }),
+    },
+    schemaEditor: {
+      content: (
+        <StreamDetailSchemaEditor definition={definition} refreshDefinition={refreshDefinition} />
+      ),
+      label: i18n.translate('xpack.streams.streamDetailView.schemaEditorTab', {
+        defaultMessage: 'Schema editor',
+      }),
+    },
+  };
+
+  if (!isValidManagementSubTab(subtab)) {
+    return (
+      <RedirectTo path="/{key}/management/{subtab}" params={{ path: { key, subtab: 'route' } }} />
+    );
+  }
+
+  const selectedTabObject = tabs[subtab];
+
+  return (
+    <EuiFlexGroup direction="column" gutterSize="none">
+      <EuiFlexItem grow={false}>
+        <EuiButtonGroup
+          legend="Management tabs"
+          idSelected={subtab}
+          onChange={(optionId) => {
+            router.push('/{key}/management/{subtab}', {
+              path: { key, subtab: optionId },
+              query: {},
+            });
+          }}
+          options={Object.keys(tabs).map((id) => ({
+            id,
+            label: tabs[id as ManagementSubTabs].label,
+          }))}
+        />
+      </EuiFlexItem>
+      <EuiFlexItem grow>{selectedTabObject.content}</EuiFlexItem>
+    </EuiFlexGroup>
+  );
+}
diff --git a/x-pack/plugins/streams_app/public/components/stream_detail_overview/index.tsx b/x-pack/plugins/streams_app/public/components/stream_detail_overview/index.tsx
index 93a573fd4c01f..c051d114317ea 100644
--- a/x-pack/plugins/streams_app/public/components/stream_detail_overview/index.tsx
+++ b/x-pack/plugins/streams_app/public/components/stream_detail_overview/index.tsx
@@ -114,54 +114,58 @@ export function StreamDetailOverview({ definition }: { definition?: StreamDefini
   return (
     <>
       <EuiFlexGroup direction="column">
-        <EuiFlexGroup direction="row" gutterSize="s">
-          <EuiFlexItem grow>
-            <StreamsAppSearchBar
-              onQuerySubmit={({ dateRange }, isUpdate) => {
-                if (!isUpdate) {
+        <EuiFlexItem grow={false}>
+          <EuiFlexGroup direction="row" gutterSize="s">
+            <EuiFlexItem grow>
+              <StreamsAppSearchBar
+                onQuerySubmit={({ dateRange }, isUpdate) => {
+                  if (!isUpdate) {
+                    histogramQueryFetch.refresh();
+                    return;
+                  }
+
+                  if (dateRange) {
+                    setTimeRange({ from: dateRange.from, to: dateRange?.to, mode: dateRange.mode });
+                  }
+                }}
+                onRefresh={() => {
                   histogramQueryFetch.refresh();
-                  return;
-                }
-
-                if (dateRange) {
-                  setTimeRange({ from: dateRange.from, to: dateRange?.to, mode: dateRange.mode });
-                }
-              }}
-              onRefresh={() => {
-                histogramQueryFetch.refresh();
-              }}
-              placeholder={i18n.translate(
-                'xpack.streams.entityDetailOverview.searchBarPlaceholder',
-                {
-                  defaultMessage: 'Filter data by using KQL',
-                }
-              )}
-              dateRangeFrom={timeRange.from}
-              dateRangeTo={timeRange.to}
-            />
-          </EuiFlexItem>
-          <EuiButton
-            data-test-subj="streamsDetailOverviewOpenInDiscoverButton"
-            iconType="discoverApp"
-            href={discoverLink}
-            color="text"
-          >
-            {i18n.translate('xpack.streams.streamDetailOverview.openInDiscoverButtonLabel', {
-              defaultMessage: 'Open in Discover',
-            })}
-          </EuiButton>
-        </EuiFlexGroup>
-        <EuiPanel hasShadow={false} hasBorder>
-          <EuiFlexGroup direction="column">
-            <ControlledEsqlChart
-              result={histogramQueryFetch}
-              id="entity_log_rate"
-              metricNames={['metric']}
-              height={200}
-              chartType={'bar'}
-            />
+                }}
+                placeholder={i18n.translate(
+                  'xpack.streams.entityDetailOverview.searchBarPlaceholder',
+                  {
+                    defaultMessage: 'Filter data by using KQL',
+                  }
+                )}
+                dateRangeFrom={timeRange.from}
+                dateRangeTo={timeRange.to}
+              />
+            </EuiFlexItem>
+            <EuiButton
+              data-test-subj="streamsDetailOverviewOpenInDiscoverButton"
+              iconType="discoverApp"
+              href={discoverLink}
+              color="text"
+            >
+              {i18n.translate('xpack.streams.streamDetailOverview.openInDiscoverButtonLabel', {
+                defaultMessage: 'Open in Discover',
+              })}
+            </EuiButton>
           </EuiFlexGroup>
-        </EuiPanel>
+        </EuiFlexItem>
+        <EuiFlexItem grow={false}>
+          <EuiPanel hasShadow={false} hasBorder>
+            <EuiFlexGroup direction="column">
+              <ControlledEsqlChart
+                result={histogramQueryFetch}
+                id="entity_log_rate"
+                metricNames={['metric']}
+                height={200}
+                chartType={'bar'}
+              />
+            </EuiFlexGroup>
+          </EuiPanel>
+        </EuiFlexItem>
       </EuiFlexGroup>
     </>
   );
diff --git a/x-pack/plugins/streams_app/public/components/stream_detail_routing/index.tsx b/x-pack/plugins/streams_app/public/components/stream_detail_routing/index.tsx
new file mode 100644
index 0000000000000..af65c7eab4235
--- /dev/null
+++ b/x-pack/plugins/streams_app/public/components/stream_detail_routing/index.tsx
@@ -0,0 +1,18 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { StreamDefinition } from '@kbn/streams-plugin/common';
+import React from 'react';
+
+export function StreamDetailRouting({
+  definition: _definition,
+  refreshDefinition: _refreshDefinition,
+}: {
+  definition?: StreamDefinition;
+  refreshDefinition: () => void;
+}) {
+  return <>{'TODO'}</>;
+}
diff --git a/x-pack/plugins/streams_app/public/components/stream_detail_schema_editor/index.tsx b/x-pack/plugins/streams_app/public/components/stream_detail_schema_editor/index.tsx
new file mode 100644
index 0000000000000..7d3e9322e8d4f
--- /dev/null
+++ b/x-pack/plugins/streams_app/public/components/stream_detail_schema_editor/index.tsx
@@ -0,0 +1,18 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { StreamDefinition } from '@kbn/streams-plugin/common';
+import React from 'react';
+
+export function StreamDetailSchemaEditor({
+  definition: _definition,
+  refreshDefinition: _refreshDefinition,
+}: {
+  definition?: StreamDefinition;
+  refreshDefinition: () => void;
+}) {
+  return <>{'TODO'}</>;
+}
diff --git a/x-pack/plugins/streams_app/public/components/stream_detail_view/index.tsx b/x-pack/plugins/streams_app/public/components/stream_detail_view/index.tsx
index ebf72a58d32a8..4f213e855c175 100644
--- a/x-pack/plugins/streams_app/public/components/stream_detail_view/index.tsx
+++ b/x-pack/plugins/streams_app/public/components/stream_detail_view/index.tsx
@@ -11,11 +11,13 @@ import { useStreamsAppParams } from '../../hooks/use_streams_app_params';
 import { useStreamsAppFetch } from '../../hooks/use_streams_app_fetch';
 import { useKibana } from '../../hooks/use_kibana';
 import { StreamDetailOverview } from '../stream_detail_overview';
+import { StreamDetailManagement } from '../stream_detail_management';
 
 export function StreamDetailView() {
-  const {
-    path: { key, tab },
-  } = useStreamsAppParams('/{key}/{tab}');
+  const { path } = useStreamsAppParams('/{key}/*');
+
+  const key = path.key;
+  const tab = 'tab' in path ? path.tab : 'management';
 
   const {
     dependencies: {
@@ -25,7 +27,7 @@ export function StreamDetailView() {
     },
   } = useKibana();
 
-  const { value: streamEntity } = useStreamsAppFetch(
+  const { value: streamEntity, refresh } = useStreamsAppFetch(
     ({ signal }) => {
       return streamsRepositoryClient.fetch('GET /api/streams/{id}', {
         signal,
@@ -54,7 +56,7 @@ export function StreamDetailView() {
     },
     {
       name: 'management',
-      content: <></>,
+      content: <StreamDetailManagement definition={streamEntity} refreshDefinition={refresh} />,
       label: i18n.translate('xpack.streams.streamDetailView.managementTab', {
         defaultMessage: 'Management',
       }),
diff --git a/x-pack/plugins/streams_app/public/components/stream_list_view/index.tsx b/x-pack/plugins/streams_app/public/components/stream_list_view/index.tsx
index e0530fc6bf5f0..7ffda5f40295a 100644
--- a/x-pack/plugins/streams_app/public/components/stream_list_view/index.tsx
+++ b/x-pack/plugins/streams_app/public/components/stream_list_view/index.tsx
@@ -6,7 +6,7 @@
  */
 import React, { useState } from 'react';
 import { i18n } from '@kbn/i18n';
-import { EuiFlexGroup, EuiSearchBar } from '@elastic/eui';
+import { EuiFlexGroup, EuiFlexItem, EuiSearchBar } from '@elastic/eui';
 import { useKibana } from '../../hooks/use_kibana';
 import { useStreamsAppFetch } from '../../hooks/use_streams_app_fetch';
 import { StreamsAppPageHeader } from '../streams_app_page_header';
@@ -36,27 +36,33 @@ export function StreamListView() {
 
   return (
     <EuiFlexGroup direction="column" gutterSize="none">
-      <StreamsAppPageHeader
-        title={
-          <StreamsAppPageHeaderTitle
-            title={i18n.translate('xpack.streams.streamsListViewPageHeaderTitle', {
-              defaultMessage: 'Streams',
-            })}
-          />
-        }
-      />
+      <EuiFlexItem grow={false}>
+        <StreamsAppPageHeader
+          title={
+            <StreamsAppPageHeaderTitle
+              title={i18n.translate('xpack.streams.streamsListViewPageHeaderTitle', {
+                defaultMessage: 'Streams',
+              })}
+            />
+          }
+        />
+      </EuiFlexItem>
       <StreamsAppPageBody>
         <EuiFlexGroup direction="column">
-          <EuiSearchBar
-            query={query}
-            box={{
-              incremental: true,
-            }}
-            onChange={(nextQuery) => {
-              setQuery(nextQuery.queryText);
-            }}
-          />
-          <StreamsTable listFetch={streamsListFetch} query={query} />
+          <EuiFlexItem grow={false}>
+            <EuiSearchBar
+              query={query}
+              box={{
+                incremental: true,
+              }}
+              onChange={(nextQuery) => {
+                setQuery(nextQuery.queryText);
+              }}
+            />
+          </EuiFlexItem>
+          <EuiFlexItem grow>
+            <StreamsTable listFetch={streamsListFetch} query={query} />
+          </EuiFlexItem>
         </EuiFlexGroup>
       </StreamsAppPageBody>
     </EuiFlexGroup>
diff --git a/x-pack/plugins/streams_app/public/components/streams_app_page_body/index.tsx b/x-pack/plugins/streams_app/public/components/streams_app_page_body/index.tsx
index 0f13dc31e277b..04b44f82df0fd 100644
--- a/x-pack/plugins/streams_app/public/components/streams_app_page_body/index.tsx
+++ b/x-pack/plugins/streams_app/public/components/streams_app_page_body/index.tsx
@@ -17,6 +17,7 @@ export function StreamsAppPageBody({ children }: { children: React.ReactNode })
       className={css`
         border-top: 1px solid ${theme.colors.lightShade};
         border-radius: 0px;
+        display: flex;
       `}
       paddingSize="l"
     >
diff --git a/x-pack/plugins/streams_app/public/components/streams_app_page_template/index.tsx b/x-pack/plugins/streams_app/public/components/streams_app_page_template/index.tsx
index c474f54c22745..942d2937dba81 100644
--- a/x-pack/plugins/streams_app/public/components/streams_app_page_template/index.tsx
+++ b/x-pack/plugins/streams_app/public/components/streams_app_page_template/index.tsx
@@ -35,7 +35,15 @@ export function StreamsAppPageTemplate({ children }: { children: React.ReactNode
         },
       }}
     >
-      <EuiPanel paddingSize="none" color="subdued" hasShadow={false} hasBorder={false}>
+      <EuiPanel
+        paddingSize="none"
+        color="subdued"
+        hasShadow={false}
+        hasBorder={false}
+        className={css`
+          display: flex;
+        `}
+      >
         <EuiSpacer size="m" />
         {children}
       </EuiPanel>
diff --git a/x-pack/plugins/streams_app/public/hooks/use_streams_app_params.ts b/x-pack/plugins/streams_app/public/hooks/use_streams_app_params.ts
index 2931a6fa64f8b..d7a6e175e5491 100644
--- a/x-pack/plugins/streams_app/public/hooks/use_streams_app_params.ts
+++ b/x-pack/plugins/streams_app/public/hooks/use_streams_app_params.ts
@@ -8,7 +8,8 @@ import { type PathsOf, type TypeOf, useParams } from '@kbn/typed-react-router-co
 import type { StreamsAppRoutes } from '../routes/config';
 
 export function useStreamsAppParams<TPath extends PathsOf<StreamsAppRoutes>>(
-  path: TPath
+  path: TPath,
+  optional: boolean = false
 ): TypeOf<StreamsAppRoutes, TPath> {
-  return useParams(path)! as TypeOf<StreamsAppRoutes, TPath>;
+  return useParams(path, optional)! as TypeOf<StreamsAppRoutes, TPath>;
 }
diff --git a/x-pack/plugins/streams_app/public/routes/config.tsx b/x-pack/plugins/streams_app/public/routes/config.tsx
index e3efdc6d871e7..6ae0fec51ad7a 100644
--- a/x-pack/plugins/streams_app/public/routes/config.tsx
+++ b/x-pack/plugins/streams_app/public/routes/config.tsx
@@ -44,6 +44,22 @@ const streamsAppRoutes = {
           '/{key}': {
             element: <RedirectTo path="/{key}/{tab}" params={{ path: { tab: 'overview' } }} />,
           },
+          '/{key}/management': {
+            element: (
+              <RedirectTo
+                path="/{key}/management/{subtab}"
+                params={{ path: { subtab: 'route' } }}
+              />
+            ),
+          },
+          '/{key}/management/{subtab}': {
+            element: <StreamDetailView />,
+            params: t.type({
+              path: t.type({
+                subtab: t.string,
+              }),
+            }),
+          },
           '/{key}/{tab}': {
             element: <StreamDetailView />,
             params: t.type({

From 571609242a8d72b2b13bcfbfef600353f63136d6 Mon Sep 17 00:00:00 2001
From: Ignacio Rivas <rivasign@gmail.com>
Date: Tue, 3 Dec 2024 11:25:01 +0100
Subject: [PATCH 03/23] [8.x] [Console] Avoid duplicate suggestions in
 autocomplete (#201766) (#202484)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Console] Avoid duplicate suggestions in autocomplete
(#201766)](https://github.com/elastic/kibana/pull/201766)

<!--- Backport version: 8.9.8 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Ignacio
Rivas","email":"rivasign@gmail.com"},"sourceCommit":{"committedDate":"2024-11-29T11:58:39Z","message":"[Console]
Avoid duplicate suggestions in autocomplete
(#201766)","sha":"82de734e6c7b67d90213b7058b1109f9f375710e","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Feature:Console","Team:Kibana
Management","release_note:skip","backport
missing","v9.0.0","backport:prev-minor","v8.16.0","v8.17.0"],"number":201766,"url":"https://github.com/elastic/kibana/pull/201766","mergeCommit":{"message":"[Console]
Avoid duplicate suggestions in autocomplete
(#201766)","sha":"82de734e6c7b67d90213b7058b1109f9f375710e"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/201766","number":201766,"mergeCommit":{"message":"[Console]
Avoid duplicate suggestions in autocomplete
(#201766)","sha":"82de734e6c7b67d90213b7058b1109f9f375710e"}},{"branch":"8.16","label":"v8.16.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/202482","number":202482,"state":"OPEN"},{"branch":"8.17","label":"v8.17.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/202481","number":202481,"state":"OPEN"}]}]
BACKPORT-->
---
 .../console/public/lib/autocomplete/engine.js | 11 +++++++---
 test/functional/apps/console/_autocomplete.ts | 22 +++++++++++++++++++
 2 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/src/plugins/console/public/lib/autocomplete/engine.js b/src/plugins/console/public/lib/autocomplete/engine.js
index 6ba2445543f9b..8f9235ceb0a0f 100644
--- a/src/plugins/console/public/lib/autocomplete/engine.js
+++ b/src/plugins/console/public/lib/autocomplete/engine.js
@@ -119,7 +119,7 @@ export function populateContext(tokenPath, context, editor, includeAutoComplete,
     editor
   );
   if (includeAutoComplete) {
-    let autoCompleteSet = [];
+    let autoCompleteSet = new Map();
     _.each(walkStates, function (ws) {
       const contextForState = passThroughContext(context, ws.contextExtensionList);
       _.each(ws.components, function (component) {
@@ -127,11 +127,16 @@ export function populateContext(tokenPath, context, editor, includeAutoComplete,
           if (!_.isObject(term)) {
             term = { name: term };
           }
-          autoCompleteSet.push(term);
+
+          // Add the term to the autoCompleteSet if it doesn't already exist
+          if (!autoCompleteSet.has(term.name)) {
+            autoCompleteSet.set(term.name, term);
+          }
         });
       });
     });
-    autoCompleteSet = _.uniq(autoCompleteSet);
+    // Convert Map values to an array of objects
+    autoCompleteSet = Array.from(autoCompleteSet.values());
     context.autoCompleteSet = autoCompleteSet;
   }
 
diff --git a/test/functional/apps/console/_autocomplete.ts b/test/functional/apps/console/_autocomplete.ts
index a5ebef3dd0b79..0fa6a3d1b03ba 100644
--- a/test/functional/apps/console/_autocomplete.ts
+++ b/test/functional/apps/console/_autocomplete.ts
@@ -66,6 +66,28 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) {
         await PageObjects.console.clearEditorText();
       });
 
+      it('should not show duplicate suggestions', async () => {
+        await PageObjects.console.enterText(`POST _ingest/pipeline/_simulate
+{
+  "pipeline": {
+    "processors": [
+      {
+        "script": {`);
+        await PageObjects.console.pressEnter();
+        await PageObjects.console.sleepForDebouncePeriod();
+        await PageObjects.console.enterText(`"`);
+        expect(PageObjects.console.isAutocompleteVisible()).to.be.eql(true);
+
+        // Iterate on the first 10 suggestions (the ones that are only visible without scrolling)
+        const suggestions = [];
+        for (let i = 0; i < 10; i++) {
+          suggestions.push(await PageObjects.console.getAutocompleteSuggestion(i));
+        }
+
+        // and expect the array to not have duplicates
+        expect(suggestions).to.eql(_.uniq(suggestions));
+      });
+
       it('HTTP methods', async () => {
         const suggestions = {
           G: ['GET'],

From 5d73f2fca3b4564c0e94aa312184542078dda558 Mon Sep 17 00:00:00 2001
From: Kerry Gallagher <kerry.gallagher@elastic.co>
Date: Tue, 3 Dec 2024 10:47:49 +0000
Subject: [PATCH 04/23] [8.x] [Discover / Logs] Add new "Saved Search
 component" (#199787) (#202588)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Discover / Logs] Add new "Saved Search component"
(#199787)](https://github.com/elastic/kibana/pull/199787)

<!--- Backport version: 8.9.8 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Kerry
Gallagher","email":"kerry.gallagher@elastic.co"},"sourceCommit":{"committedDate":"2024-11-29T23:09:24Z","message":"[Discover
/ Logs] Add new \"Saved Search component\" (#199787)\n\n##
Summary\r\n\r\nImplements\r\nhttps://github.com/elastic/logs-dev/issues/111#issuecomment-2446470635.\r\n\r\nThis
adds a new \"Saved Search component\". The component is a
wrapper\r\naround the current Saved Search Embeddable, but
uses\r\n`ReactEmbeddableRenderer` directly to render the embeddable
outside of\r\nDashboard contexts. It monitors changes to things like
`index`,\r\n`filters` etc and communicates these changes through the
embeddable API.\r\n\r\nFor this PoC two locations were changed to use
this component 1) Logs\r\nOverview flyout 2) APM Logs tab (when the Logs
Overview isn't enabled\r\nvia advanced settings).\r\n\r\nThe component
itself is technically beyond a PoC, and resides in it's\r\nown package.
~I'd like to get eyes from the Discover folks etc on the\r\napproach,
and if we're happy I can fix the remaining known issues (apart\r\nfrom
the mixing of columns point as I believe this exists on the
roadmap\r\nanyway) and we can merge this for the initial two replacement
points.~\r\n[Thanks
Davis\r\n👌](https://github.com/elastic/logs-dev/issues/111#issuecomment-2475350199).\r\n\r\n`nonPersistedDisplayOptions`
is added to facilitate some configurable\r\noptions via runtime state,
but without the complexity of altering the\r\nactual saved search saved
object.\r\n\r\nOn the whole I've tried to keep this as clean as possible
whilst working\r\nwithin the embeddable framework, outside of a
dashboard context.\r\n\r\n## Known issues\r\n\r\n- ~\"Flyout on flyout\"
in the logs overview flyout (e.g. triggering the\r\ntable's flyout in
this context).~ Fixed with `enableFlyout` option.\r\n- ~Filter buttons
should be disabled via pills (e.g. in Summary\r\ncolumn).~ Fixed with
`enableFilters` option.\r\n- Summary (`_source`) column cannot be used
alongside other columns,\r\ne.g. log level, so column customisation
isn't currently enabled. You'll\r\njust get timestamp and summary. This
requires changes in the Unified\r\nData Table. **Won't be fixed in this
PR**\r\n\r\n- We are left with this panel button that technically
doesn't do\r\nanything outside of a dashboard. I don't *think* there's
an easy way to\r\ndisable this. **Won't be fixed in this
PR**\r\n![Screenshot 2024-11-20 at 11
50\r\n43](https://github.com/user-attachments/assets/e43a47cd-e36e-4511-ba88-c928a4acd634)\r\n\r\n\r\n##
Followups\r\n\r\n- ~The Logs Overview details state machine can be
cleaned up (it doesn't\r\nneed to fetch documents etc anymore).~ The
state machine no longer\r\nfetches it's own documents. Some scaffolding
is left in place as it'll\r\nbe needed for showing category details
anyway.\r\n\r\n## Example\r\n\r\n![Screenshot 2024-11-20 at 12
20\r\n08](https://github.com/user-attachments/assets/3b25d591-e3e2-4e8a-98a8-1bfc849d3bc1)\r\n![Screenshot
2024-11-20 at 12
23\r\n34](https://github.com/user-attachments/assets/a2d28036-98c5-4404-934e-2298cf4a66bf)\r\n\r\n---------\r\n\r\nCo-authored-by:
kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"b0122f547dc916ee5ccaad369968738d92596eaf","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","ci:project-deploy-observability","Team:obs-ux-logs","Team:obs-ux-infra_services","backport:version","v8.18.0"],"number":199787,"url":"https://github.com/elastic/kibana/pull/199787","mergeCommit":{"message":"[Discover
/ Logs] Add new \"Saved Search component\" (#199787)\n\n##
Summary\r\n\r\nImplements\r\nhttps://github.com/elastic/logs-dev/issues/111#issuecomment-2446470635.\r\n\r\nThis
adds a new \"Saved Search component\". The component is a
wrapper\r\naround the current Saved Search Embeddable, but
uses\r\n`ReactEmbeddableRenderer` directly to render the embeddable
outside of\r\nDashboard contexts. It monitors changes to things like
`index`,\r\n`filters` etc and communicates these changes through the
embeddable API.\r\n\r\nFor this PoC two locations were changed to use
this component 1) Logs\r\nOverview flyout 2) APM Logs tab (when the Logs
Overview isn't enabled\r\nvia advanced settings).\r\n\r\nThe component
itself is technically beyond a PoC, and resides in it's\r\nown package.
~I'd like to get eyes from the Discover folks etc on the\r\napproach,
and if we're happy I can fix the remaining known issues (apart\r\nfrom
the mixing of columns point as I believe this exists on the
roadmap\r\nanyway) and we can merge this for the initial two replacement
points.~\r\n[Thanks
Davis\r\n👌](https://github.com/elastic/logs-dev/issues/111#issuecomment-2475350199).\r\n\r\n`nonPersistedDisplayOptions`
is added to facilitate some configurable\r\noptions via runtime state,
but without the complexity of altering the\r\nactual saved search saved
object.\r\n\r\nOn the whole I've tried to keep this as clean as possible
whilst working\r\nwithin the embeddable framework, outside of a
dashboard context.\r\n\r\n## Known issues\r\n\r\n- ~\"Flyout on flyout\"
in the logs overview flyout (e.g. triggering the\r\ntable's flyout in
this context).~ Fixed with `enableFlyout` option.\r\n- ~Filter buttons
should be disabled via pills (e.g. in Summary\r\ncolumn).~ Fixed with
`enableFilters` option.\r\n- Summary (`_source`) column cannot be used
alongside other columns,\r\ne.g. log level, so column customisation
isn't currently enabled. You'll\r\njust get timestamp and summary. This
requires changes in the Unified\r\nData Table. **Won't be fixed in this
PR**\r\n\r\n- We are left with this panel button that technically
doesn't do\r\nanything outside of a dashboard. I don't *think* there's
an easy way to\r\ndisable this. **Won't be fixed in this
PR**\r\n![Screenshot 2024-11-20 at 11
50\r\n43](https://github.com/user-attachments/assets/e43a47cd-e36e-4511-ba88-c928a4acd634)\r\n\r\n\r\n##
Followups\r\n\r\n- ~The Logs Overview details state machine can be
cleaned up (it doesn't\r\nneed to fetch documents etc anymore).~ The
state machine no longer\r\nfetches it's own documents. Some scaffolding
is left in place as it'll\r\nbe needed for showing category details
anyway.\r\n\r\n## Example\r\n\r\n![Screenshot 2024-11-20 at 12
20\r\n08](https://github.com/user-attachments/assets/3b25d591-e3e2-4e8a-98a8-1bfc849d3bc1)\r\n![Screenshot
2024-11-20 at 12
23\r\n34](https://github.com/user-attachments/assets/a2d28036-98c5-4404-934e-2298cf4a66bf)\r\n\r\n---------\r\n\r\nCo-authored-by:
kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"b0122f547dc916ee5ccaad369968738d92596eaf"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/199787","number":199787,"mergeCommit":{"message":"[Discover
/ Logs] Add new \"Saved Search component\" (#199787)\n\n##
Summary\r\n\r\nImplements\r\nhttps://github.com/elastic/logs-dev/issues/111#issuecomment-2446470635.\r\n\r\nThis
adds a new \"Saved Search component\". The component is a
wrapper\r\naround the current Saved Search Embeddable, but
uses\r\n`ReactEmbeddableRenderer` directly to render the embeddable
outside of\r\nDashboard contexts. It monitors changes to things like
`index`,\r\n`filters` etc and communicates these changes through the
embeddable API.\r\n\r\nFor this PoC two locations were changed to use
this component 1) Logs\r\nOverview flyout 2) APM Logs tab (when the Logs
Overview isn't enabled\r\nvia advanced settings).\r\n\r\nThe component
itself is technically beyond a PoC, and resides in it's\r\nown package.
~I'd like to get eyes from the Discover folks etc on the\r\napproach,
and if we're happy I can fix the remaining known issues (apart\r\nfrom
the mixing of columns point as I believe this exists on the
roadmap\r\nanyway) and we can merge this for the initial two replacement
points.~\r\n[Thanks
Davis\r\n👌](https://github.com/elastic/logs-dev/issues/111#issuecomment-2475350199).\r\n\r\n`nonPersistedDisplayOptions`
is added to facilitate some configurable\r\noptions via runtime state,
but without the complexity of altering the\r\nactual saved search saved
object.\r\n\r\nOn the whole I've tried to keep this as clean as possible
whilst working\r\nwithin the embeddable framework, outside of a
dashboard context.\r\n\r\n## Known issues\r\n\r\n- ~\"Flyout on flyout\"
in the logs overview flyout (e.g. triggering the\r\ntable's flyout in
this context).~ Fixed with `enableFlyout` option.\r\n- ~Filter buttons
should be disabled via pills (e.g. in Summary\r\ncolumn).~ Fixed with
`enableFilters` option.\r\n- Summary (`_source`) column cannot be used
alongside other columns,\r\ne.g. log level, so column customisation
isn't currently enabled. You'll\r\njust get timestamp and summary. This
requires changes in the Unified\r\nData Table. **Won't be fixed in this
PR**\r\n\r\n- We are left with this panel button that technically
doesn't do\r\nanything outside of a dashboard. I don't *think* there's
an easy way to\r\ndisable this. **Won't be fixed in this
PR**\r\n![Screenshot 2024-11-20 at 11
50\r\n43](https://github.com/user-attachments/assets/e43a47cd-e36e-4511-ba88-c928a4acd634)\r\n\r\n\r\n##
Followups\r\n\r\n- ~The Logs Overview details state machine can be
cleaned up (it doesn't\r\nneed to fetch documents etc anymore).~ The
state machine no longer\r\nfetches it's own documents. Some scaffolding
is left in place as it'll\r\nbe needed for showing category details
anyway.\r\n\r\n## Example\r\n\r\n![Screenshot 2024-11-20 at 12
20\r\n08](https://github.com/user-attachments/assets/3b25d591-e3e2-4e8a-98a8-1bfc849d3bc1)\r\n![Screenshot
2024-11-20 at 12
23\r\n34](https://github.com/user-attachments/assets/a2d28036-98c5-4404-934e-2298cf4a66bf)\r\n\r\n---------\r\n\r\nCo-authored-by:
kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"b0122f547dc916ee5ccaad369968738d92596eaf"}},{"branch":"8.x","label":"v8.18.0","labelRegex":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
---
 .github/CODEOWNERS                            |   1 +
 package.json                                  |   1 +
 packages/kbn-saved-search-component/README.md |  26 +++
 packages/kbn-saved-search-component/index.ts  |  18 ++
 .../kbn-saved-search-component/jest.config.js |  14 ++
 .../kbn-saved-search-component/kibana.jsonc   |   5 +
 .../kbn-saved-search-component/package.json   |   7 +
 .../src/components/error.tsx                  |  42 ++++
 .../src/components/saved_search.tsx           | 214 ++++++++++++++++++
 .../kbn-saved-search-component/src/types.ts   |  31 +++
 .../kbn-saved-search-component/tsconfig.json  |  29 +++
 .../presentation_publishing/index.ts          |   6 +-
 .../interfaces/publishes_data_views.ts        |   4 +
 .../components/saved_search_grid.tsx          |   5 +-
 .../search_embeddable_grid_component.tsx      |   3 +
 .../get_search_embeddable_factory.tsx         |  23 +-
 .../initialize_search_embeddable_api.tsx      |  28 ++-
 .../discover/public/embeddable/types.ts       |  18 +-
 .../embeddable/utils/serialization_utils.ts   |   1 +
 src/plugins/discover/public/index.ts          |   3 +
 tsconfig.base.json                            |   2 +
 .../log_categories_result_content.tsx         |   1 -
 .../log_category_details_flyout.tsx           |  76 ++++---
 .../log_category_document_examples_table.tsx  | 154 +++----------
 .../category_details_service.ts               | 141 +-----------
 .../category_documents.ts                     |  63 ------
 .../category_details_service/queries.ts       |  58 -----
 .../category_details_service/types.ts         |   7 -
 .../observability/logs_overview/tsconfig.json |   9 +-
 .../observability_solution/apm/kibana.jsonc   |   3 +-
 .../components/app/service_logs/index.tsx     |  49 +++-
 .../apm/public/plugin.ts                      |   4 +
 .../observability_solution/apm/tsconfig.json  |   2 +
 .../services/log_sources_service/index.ts     |  45 ++--
 .../logs_shared/kibana.jsonc                  |   4 +-
 .../logs_shared/public/plugin.tsx             |   5 +-
 .../logs_shared/public/types.ts               |   4 +
 .../logs_shared/tsconfig.json                 |   2 +
 yarn.lock                                     |   4 +
 39 files changed, 636 insertions(+), 476 deletions(-)
 create mode 100644 packages/kbn-saved-search-component/README.md
 create mode 100644 packages/kbn-saved-search-component/index.ts
 create mode 100644 packages/kbn-saved-search-component/jest.config.js
 create mode 100644 packages/kbn-saved-search-component/kibana.jsonc
 create mode 100644 packages/kbn-saved-search-component/package.json
 create mode 100644 packages/kbn-saved-search-component/src/components/error.tsx
 create mode 100644 packages/kbn-saved-search-component/src/components/saved_search.tsx
 create mode 100644 packages/kbn-saved-search-component/src/types.ts
 create mode 100644 packages/kbn-saved-search-component/tsconfig.json
 delete mode 100644 x-pack/packages/observability/logs_overview/src/services/category_details_service/category_documents.ts
 delete mode 100644 x-pack/packages/observability/logs_overview/src/services/category_details_service/queries.ts

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 4d11b27b84924..64cb7add9eefd 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -768,6 +768,7 @@ src/plugins/saved_objects @elastic/kibana-core
 packages/kbn-saved-objects-settings @elastic/appex-sharedux
 src/plugins/saved_objects_tagging_oss @elastic/appex-sharedux
 x-pack/plugins/saved_objects_tagging @elastic/appex-sharedux
+packages/kbn-saved-search-component @elastic/obs-ux-logs-team
 src/plugins/saved_search @elastic/kibana-data-discovery
 examples/screenshot_mode_example @elastic/appex-sharedux
 src/plugins/screenshot_mode @elastic/appex-sharedux
diff --git a/package.json b/package.json
index ebad7d53be7fe..9dc468666936c 100644
--- a/package.json
+++ b/package.json
@@ -783,6 +783,7 @@
     "@kbn/saved-objects-settings": "link:packages/kbn-saved-objects-settings",
     "@kbn/saved-objects-tagging-oss-plugin": "link:src/plugins/saved_objects_tagging_oss",
     "@kbn/saved-objects-tagging-plugin": "link:x-pack/plugins/saved_objects_tagging",
+    "@kbn/saved-search-component": "link:packages/kbn-saved-search-component",
     "@kbn/saved-search-plugin": "link:src/plugins/saved_search",
     "@kbn/screenshot-mode-example-plugin": "link:examples/screenshot_mode_example",
     "@kbn/screenshot-mode-plugin": "link:src/plugins/screenshot_mode",
diff --git a/packages/kbn-saved-search-component/README.md b/packages/kbn-saved-search-component/README.md
new file mode 100644
index 0000000000000..296ddb9079bcf
--- /dev/null
+++ b/packages/kbn-saved-search-component/README.md
@@ -0,0 +1,26 @@
+# @kbn/saved-search-component
+
+A component wrapper around Discover's Saved Search embeddable. This can be used in solutions without being within a Dasboard context.
+
+This can be used to render a context-aware (logs etc) "document table". 
+
+In the past you may have used the Log Stream Component to achieve this, this component supersedes that.
+
+## Basic usage
+
+```
+import { LazySavedSearchComponent } from '@kbn/saved-search-component';
+
+<LazySavedSearchComponent
+    dependencies={{
+        embeddable: dependencies.embeddable,
+        savedSearch: dependencies.savedSearch,
+        dataViews: dependencies.dataViews,
+        searchSource: dependencies.searchSource,
+    }}
+    index={anIndexString}
+    filters={optionalFilters}
+    query={optionalQuery}
+    timestampField={optionalTimestampFieldString}
+/>
+```
\ No newline at end of file
diff --git a/packages/kbn-saved-search-component/index.ts b/packages/kbn-saved-search-component/index.ts
new file mode 100644
index 0000000000000..80617ebfa46ee
--- /dev/null
+++ b/packages/kbn-saved-search-component/index.ts
@@ -0,0 +1,18 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { dynamic } from '@kbn/shared-ux-utility';
+
+export type { SavedSearchComponentDependencies, SavedSearchComponentProps } from './src/types';
+
+export const LazySavedSearchComponent = dynamic(() =>
+  import('./src/components/saved_search').then((mod) => ({
+    default: mod.SavedSearchComponent,
+  }))
+);
diff --git a/packages/kbn-saved-search-component/jest.config.js b/packages/kbn-saved-search-component/jest.config.js
new file mode 100644
index 0000000000000..dedff3f69781d
--- /dev/null
+++ b/packages/kbn-saved-search-component/jest.config.js
@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+module.exports = {
+  preset: '@kbn/test',
+  rootDir: '../..',
+  roots: ['<rootDir>/packages/kbn-saved-search-component'],
+};
diff --git a/packages/kbn-saved-search-component/kibana.jsonc b/packages/kbn-saved-search-component/kibana.jsonc
new file mode 100644
index 0000000000000..d0de843443d12
--- /dev/null
+++ b/packages/kbn-saved-search-component/kibana.jsonc
@@ -0,0 +1,5 @@
+{
+  "type": "shared-browser",
+  "id": "@kbn/saved-search-component",
+  "owner": "@elastic/obs-ux-logs-team"
+}
diff --git a/packages/kbn-saved-search-component/package.json b/packages/kbn-saved-search-component/package.json
new file mode 100644
index 0000000000000..917956fd69ba0
--- /dev/null
+++ b/packages/kbn-saved-search-component/package.json
@@ -0,0 +1,7 @@
+{
+  "name": "@kbn/saved-search-component",
+  "private": true,
+  "version": "1.0.0",
+  "license": "Elastic License 2.0 OR AGPL-3.0-only OR SSPL-1.0",
+  "sideEffects": false
+}
\ No newline at end of file
diff --git a/packages/kbn-saved-search-component/src/components/error.tsx b/packages/kbn-saved-search-component/src/components/error.tsx
new file mode 100644
index 0000000000000..26f898ffe4358
--- /dev/null
+++ b/packages/kbn-saved-search-component/src/components/error.tsx
@@ -0,0 +1,42 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { EuiCodeBlock, EuiEmptyPrompt } from '@elastic/eui';
+import { i18n } from '@kbn/i18n';
+import React from 'react';
+
+export interface SavedSearchComponentErrorContentProps {
+  error?: Error;
+}
+
+export const SavedSearchComponentErrorContent: React.FC<SavedSearchComponentErrorContentProps> = ({
+  error,
+}) => {
+  return (
+    <EuiEmptyPrompt
+      color="danger"
+      iconType="error"
+      title={<h2>{SavedSearchComponentErrorTitle}</h2>}
+      body={
+        <EuiCodeBlock className="eui-textLeft" whiteSpace="pre">
+          <p>{error?.stack ?? error?.toString() ?? unknownErrorDescription}</p>
+        </EuiCodeBlock>
+      }
+      layout="vertical"
+    />
+  );
+};
+
+const SavedSearchComponentErrorTitle = i18n.translate('savedSearchComponent.errorTitle', {
+  defaultMessage: 'Error',
+});
+
+const unknownErrorDescription = i18n.translate('savedSearchComponent.unknownErrorDescription', {
+  defaultMessage: 'An unspecified error occurred.',
+});
diff --git a/packages/kbn-saved-search-component/src/components/saved_search.tsx b/packages/kbn-saved-search-component/src/components/saved_search.tsx
new file mode 100644
index 0000000000000..f5cf7cc2a59ab
--- /dev/null
+++ b/packages/kbn-saved-search-component/src/components/saved_search.tsx
@@ -0,0 +1,214 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import React, { useEffect, useMemo, useRef, useState } from 'react';
+import { ReactEmbeddableRenderer } from '@kbn/embeddable-plugin/public';
+import { SEARCH_EMBEDDABLE_TYPE } from '@kbn/discover-utils';
+import type {
+  SearchEmbeddableSerializedState,
+  SearchEmbeddableRuntimeState,
+  SearchEmbeddableApi,
+} from '@kbn/discover-plugin/public';
+import { SerializedPanelState } from '@kbn/presentation-containers';
+import { css } from '@emotion/react';
+import { SavedSearchComponentProps } from '../types';
+import { SavedSearchComponentErrorContent } from './error';
+
+const TIMESTAMP_FIELD = '@timestamp';
+
+export const SavedSearchComponent: React.FC<SavedSearchComponentProps> = (props) => {
+  // Creates our *initial* search source and set of attributes.
+  // Future changes to these properties will be facilitated by the Parent API from the embeddable.
+  const [initialSerializedState, setInitialSerializedState] =
+    useState<SerializedPanelState<SearchEmbeddableSerializedState>>();
+
+  const [error, setError] = useState<Error | undefined>();
+
+  const {
+    dependencies: { dataViews, searchSource: searchSourceService },
+    timeRange,
+    query,
+    filters,
+    index,
+    timestampField,
+    height,
+  } = props;
+
+  const {
+    enableDocumentViewer: documentViewerEnabled = true,
+    enableFilters: filtersEnabled = true,
+  } = props.displayOptions ?? {};
+
+  useEffect(() => {
+    // Ensure we get a stabilised set of initial state incase dependencies change, as
+    // the data view creation process is async.
+    const abortController = new AbortController();
+
+    async function createInitialSerializedState() {
+      try {
+        // Ad-hoc data view
+        const dataView = await dataViews.create({
+          title: index,
+          timeFieldName: timestampField ?? TIMESTAMP_FIELD,
+        });
+        if (!abortController.signal.aborted) {
+          // Search source
+          const searchSource = searchSourceService.createEmpty();
+          searchSource.setField('index', dataView);
+          searchSource.setField('query', query);
+          searchSource.setField('filter', filters);
+          const { searchSourceJSON, references } = searchSource.serialize();
+          // By-value saved object structure
+          const attributes = {
+            kibanaSavedObjectMeta: {
+              searchSourceJSON,
+            },
+          };
+          setInitialSerializedState({
+            rawState: {
+              attributes: { ...attributes, references },
+              timeRange,
+              nonPersistedDisplayOptions: {
+                enableDocumentViewer: documentViewerEnabled,
+                enableFilters: filtersEnabled,
+              },
+            } as SearchEmbeddableSerializedState,
+            references,
+          });
+        }
+      } catch (e) {
+        setError(e);
+      }
+    }
+
+    createInitialSerializedState();
+
+    return () => {
+      abortController.abort();
+    };
+  }, [
+    dataViews,
+    documentViewerEnabled,
+    filters,
+    filtersEnabled,
+    index,
+    query,
+    searchSourceService,
+    timeRange,
+    timestampField,
+  ]);
+
+  if (error) {
+    return <SavedSearchComponentErrorContent error={error} />;
+  }
+
+  return initialSerializedState ? (
+    <div
+      css={css`
+        height: ${height ?? '100%'};
+        > [data-test-subj='embeddedSavedSearchDocTable'] {
+          height: 100%;
+        }
+      `}
+    >
+      <SavedSearchComponentTable {...props} initialSerializedState={initialSerializedState} />
+    </div>
+  ) : null;
+};
+
+const SavedSearchComponentTable: React.FC<
+  SavedSearchComponentProps & {
+    initialSerializedState: SerializedPanelState<SearchEmbeddableSerializedState>;
+  }
+> = (props) => {
+  const {
+    dependencies: { dataViews },
+    initialSerializedState,
+    filters,
+    query,
+    timeRange,
+    timestampField,
+    index,
+  } = props;
+  const embeddableApi = useRef<SearchEmbeddableApi | undefined>(undefined);
+
+  const parentApi = useMemo(() => {
+    return {
+      getSerializedStateForChild: () => {
+        return initialSerializedState;
+      },
+    };
+  }, [initialSerializedState]);
+
+  useEffect(
+    function syncIndex() {
+      if (!embeddableApi.current) return;
+
+      const abortController = new AbortController();
+
+      async function updateDataView() {
+        // Ad-hoc data view
+        const dataView = await dataViews.create({
+          title: index,
+          timeFieldName: timestampField ?? TIMESTAMP_FIELD,
+        });
+        if (!abortController.signal.aborted) {
+          embeddableApi.current?.setDataViews([dataView]);
+        }
+      }
+
+      updateDataView();
+
+      return () => {
+        abortController.abort();
+      };
+    },
+    [dataViews, index, timestampField]
+  );
+
+  useEffect(
+    function syncFilters() {
+      if (!embeddableApi.current) return;
+      embeddableApi.current.setFilters(filters);
+    },
+    [filters]
+  );
+
+  useEffect(
+    function syncQuery() {
+      if (!embeddableApi.current) return;
+      embeddableApi.current.setQuery(query);
+    },
+    [query]
+  );
+
+  useEffect(
+    function syncTimeRange() {
+      if (!embeddableApi.current) return;
+      embeddableApi.current.setTimeRange(timeRange);
+    },
+    [timeRange]
+  );
+
+  return (
+    <ReactEmbeddableRenderer<
+      SearchEmbeddableSerializedState,
+      SearchEmbeddableRuntimeState,
+      SearchEmbeddableApi
+    >
+      maybeId={undefined}
+      type={SEARCH_EMBEDDABLE_TYPE}
+      getParentApi={() => parentApi}
+      onApiAvailable={(api) => {
+        embeddableApi.current = api;
+      }}
+      hidePanelChrome
+    />
+  );
+};
diff --git a/packages/kbn-saved-search-component/src/types.ts b/packages/kbn-saved-search-component/src/types.ts
new file mode 100644
index 0000000000000..23823506a08e2
--- /dev/null
+++ b/packages/kbn-saved-search-component/src/types.ts
@@ -0,0 +1,31 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { EmbeddableStart } from '@kbn/embeddable-plugin/public';
+import { Filter, Query, TimeRange } from '@kbn/es-query';
+import { DataViewsContract, ISearchStartSearchSource } from '@kbn/data-plugin/public';
+import type { NonPersistedDisplayOptions } from '@kbn/discover-plugin/public';
+import { CSSProperties } from 'react';
+
+export interface SavedSearchComponentDependencies {
+  embeddable: EmbeddableStart;
+  searchSource: ISearchStartSearchSource;
+  dataViews: DataViewsContract;
+}
+
+export interface SavedSearchComponentProps {
+  dependencies: SavedSearchComponentDependencies;
+  index: string;
+  timeRange?: TimeRange;
+  query?: Query;
+  filters?: Filter[];
+  timestampField?: string;
+  height?: CSSProperties['height'];
+  displayOptions?: NonPersistedDisplayOptions;
+}
diff --git a/packages/kbn-saved-search-component/tsconfig.json b/packages/kbn-saved-search-component/tsconfig.json
new file mode 100644
index 0000000000000..299d561ae4d7b
--- /dev/null
+++ b/packages/kbn-saved-search-component/tsconfig.json
@@ -0,0 +1,29 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "outDir": "target/types",
+    "types": [
+      "jest",
+      "node",
+      "react",
+      "@emotion/react/types/css-prop",
+    ]
+  },
+  "include": [
+    "**/*.ts",
+    "**/*.tsx",
+  ],
+  "exclude": [
+    "target/**/*"
+  ],
+  "kbn_references": [
+    "@kbn/embeddable-plugin",
+    "@kbn/shared-ux-utility",
+    "@kbn/discover-utils",
+    "@kbn/es-query",
+    "@kbn/data-plugin",
+    "@kbn/discover-plugin",
+    "@kbn/presentation-containers",
+    "@kbn/i18n",
+  ]
+}
diff --git a/packages/presentation/presentation_publishing/index.ts b/packages/presentation/presentation_publishing/index.ts
index d3b9c44f6fd36..b290d49a8434f 100644
--- a/packages/presentation/presentation_publishing/index.ts
+++ b/packages/presentation/presentation_publishing/index.ts
@@ -97,7 +97,11 @@ export {
   apiPublishesDataLoading,
   type PublishesDataLoading,
 } from './interfaces/publishes_data_loading';
-export { apiPublishesDataViews, type PublishesDataViews } from './interfaces/publishes_data_views';
+export {
+  apiPublishesDataViews,
+  type PublishesDataViews,
+  type PublishesWritableDataViews,
+} from './interfaces/publishes_data_views';
 export {
   apiPublishesDisabledActionIds,
   type PublishesDisabledActionIds,
diff --git a/packages/presentation/presentation_publishing/interfaces/publishes_data_views.ts b/packages/presentation/presentation_publishing/interfaces/publishes_data_views.ts
index d160cdb6e4195..50649b1764c32 100644
--- a/packages/presentation/presentation_publishing/interfaces/publishes_data_views.ts
+++ b/packages/presentation/presentation_publishing/interfaces/publishes_data_views.ts
@@ -14,6 +14,10 @@ export interface PublishesDataViews {
   dataViews: PublishingSubject<DataView[] | undefined>;
 }
 
+export type PublishesWritableDataViews = PublishesDataViews & {
+  setDataViews: (dataViews: DataView[]) => void;
+};
+
 export const apiPublishesDataViews = (
   unknownApi: null | unknown
 ): unknownApi is PublishesDataViews => {
diff --git a/src/plugins/discover/public/embeddable/components/saved_search_grid.tsx b/src/plugins/discover/public/embeddable/components/saved_search_grid.tsx
index f6c77dc6cddf5..0a2919fe1540c 100644
--- a/src/plugins/discover/public/embeddable/components/saved_search_grid.tsx
+++ b/src/plugins/discover/public/embeddable/components/saved_search_grid.tsx
@@ -36,12 +36,13 @@ interface DiscoverGridEmbeddableProps extends Omit<UnifiedDataTableProps, 'sampl
   onAddColumn: (column: string) => void;
   onRemoveColumn: (column: string) => void;
   savedSearchId?: string;
+  enableDocumentViewer: boolean;
 }
 
 export const DiscoverGridMemoized = React.memo(DiscoverGrid);
 
 export function DiscoverGridEmbeddable(props: DiscoverGridEmbeddableProps) {
-  const { interceptedWarnings, ...gridProps } = props;
+  const { interceptedWarnings, enableDocumentViewer, ...gridProps } = props;
 
   const [expandedDoc, setExpandedDoc] = useState<DataTableRecord | undefined>(undefined);
 
@@ -131,7 +132,7 @@ export function DiscoverGridEmbeddable(props: DiscoverGridEmbeddableProps) {
         expandedDoc={expandedDoc}
         showMultiFields={props.services.uiSettings.get(SHOW_MULTIFIELDS)}
         maxDocFieldsDisplayed={props.services.uiSettings.get(MAX_DOC_FIELDS_DISPLAYED)}
-        renderDocumentView={renderDocumentView}
+        renderDocumentView={enableDocumentViewer ? renderDocumentView : undefined}
         renderCustomToolbar={renderCustomToolbarWithElements}
         externalCustomRenderers={cellRenderers}
         enableComparisonMode
diff --git a/src/plugins/discover/public/embeddable/components/search_embeddable_grid_component.tsx b/src/plugins/discover/public/embeddable/components/search_embeddable_grid_component.tsx
index 44d3c1685cbfe..9c7a54054d265 100644
--- a/src/plugins/discover/public/embeddable/components/search_embeddable_grid_component.tsx
+++ b/src/plugins/discover/public/embeddable/components/search_embeddable_grid_component.tsx
@@ -49,6 +49,7 @@ interface SavedSearchEmbeddableComponentProps {
   };
   dataView: DataView;
   onAddFilter?: DocViewFilterFn;
+  enableDocumentViewer: boolean;
   stateManager: SearchEmbeddableStateManager;
 }
 
@@ -59,6 +60,7 @@ export function SearchEmbeddableGridComponent({
   api,
   dataView,
   onAddFilter,
+  enableDocumentViewer,
   stateManager,
 }: SavedSearchEmbeddableComponentProps) {
   const discoverServices = useDiscoverServices();
@@ -272,6 +274,7 @@ export function SearchEmbeddableGridComponent({
       services={discoverServices}
       showTimeCol={!discoverServices.uiSettings.get(DOC_HIDE_TIME_COLUMN_SETTING, false)}
       dataGridDensityState={savedSearch.density}
+      enableDocumentViewer={enableDocumentViewer}
     />
   );
 }
diff --git a/src/plugins/discover/public/embeddable/get_search_embeddable_factory.tsx b/src/plugins/discover/public/embeddable/get_search_embeddable_factory.tsx
index 37213b17c377d..4117a36a4e048 100644
--- a/src/plugins/discover/public/embeddable/get_search_embeddable_factory.tsx
+++ b/src/plugins/discover/public/embeddable/get_search_embeddable_factory.tsx
@@ -37,6 +37,7 @@ import { initializeEditApi } from './initialize_edit_api';
 import { initializeFetch, isEsqlMode } from './initialize_fetch';
 import { initializeSearchEmbeddableApi } from './initialize_search_embeddable_api';
 import {
+  NonPersistedDisplayOptions,
   SearchEmbeddableApi,
   SearchEmbeddableRuntimeState,
   SearchEmbeddableSerializedState,
@@ -84,6 +85,11 @@ export const getSearchEmbeddableFactory = ({
         initialState?.savedObjectDescription
       );
 
+      /** By-value SavedSearchComponent package (non-dashboard contexts) state, to adhere to the comparator contract of an embeddable. */
+      const nonPersistedDisplayOptions$ = new BehaviorSubject<
+        NonPersistedDisplayOptions | undefined
+      >(initialState?.nonPersistedDisplayOptions);
+
       /** All other state */
       const blockingError$ = new BehaviorSubject<Error | undefined>(undefined);
       const dataLoading$ = new BehaviorSubject<boolean | undefined>(true);
@@ -201,6 +207,10 @@ export const getSearchEmbeddableFactory = ({
             defaultPanelDescription$,
             (value) => defaultPanelDescription$.next(value),
           ],
+          nonPersistedDisplayOptions: [
+            nonPersistedDisplayOptions$,
+            (value) => nonPersistedDisplayOptions$.next(value),
+          ],
         }
       );
 
@@ -304,7 +314,18 @@ export const getSearchEmbeddableFactory = ({
                       <SearchEmbeddableGridComponent
                         api={{ ...api, fetchWarnings$, fetchContext$ }}
                         dataView={dataView!}
-                        onAddFilter={isEsqlMode(savedSearch) ? undefined : onAddFilter}
+                        onAddFilter={
+                          isEsqlMode(savedSearch) ||
+                          initialState.nonPersistedDisplayOptions?.enableFilters === false
+                            ? undefined
+                            : onAddFilter
+                        }
+                        enableDocumentViewer={
+                          initialState.nonPersistedDisplayOptions?.enableDocumentViewer !==
+                          undefined
+                            ? initialState.nonPersistedDisplayOptions?.enableDocumentViewer
+                            : true
+                        }
                         stateManager={searchEmbeddable.stateManager}
                       />
                     </CellActionsProvider>
diff --git a/src/plugins/discover/public/embeddable/initialize_search_embeddable_api.tsx b/src/plugins/discover/public/embeddable/initialize_search_embeddable_api.tsx
index e824fb6fdc021..650d2e95852bb 100644
--- a/src/plugins/discover/public/embeddable/initialize_search_embeddable_api.tsx
+++ b/src/plugins/discover/public/embeddable/initialize_search_embeddable_api.tsx
@@ -15,8 +15,8 @@ import { ISearchSource, SerializedSearchSourceFields } from '@kbn/data-plugin/co
 import { DataView } from '@kbn/data-views-plugin/common';
 import { DataTableRecord } from '@kbn/discover-utils/types';
 import type {
-  PublishesDataViews,
-  PublishesUnifiedSearch,
+  PublishesWritableUnifiedSearch,
+  PublishesWritableDataViews,
   StateComparators,
 } from '@kbn/presentation-publishing';
 import { DiscoverGridSettings, SavedSearch } from '@kbn/saved-search-plugin/common';
@@ -71,7 +71,7 @@ export const initializeSearchEmbeddableApi = async (
     discoverServices: DiscoverServices;
   }
 ): Promise<{
-  api: PublishesSavedSearch & PublishesDataViews & Partial<PublishesUnifiedSearch>;
+  api: PublishesSavedSearch & PublishesWritableDataViews & Partial<PublishesWritableUnifiedSearch>;
   stateManager: SearchEmbeddableStateManager;
   comparators: StateComparators<SearchEmbeddableSerializedAttributes>;
   cleanup: () => void;
@@ -144,6 +144,25 @@ export const initializeSearchEmbeddableApi = async (
     pick(stateManager, EDITABLE_SAVED_SEARCH_KEYS)
   );
 
+  /** APIs for updating search source properties */
+  const setDataViews = (nextDataViews: DataView[]) => {
+    searchSource.setField('index', nextDataViews[0]);
+    dataViews.next(nextDataViews);
+    searchSource$.next(searchSource);
+  };
+
+  const setFilters = (filters: Filter[] | undefined) => {
+    searchSource.setField('filter', filters);
+    filters$.next(filters);
+    searchSource$.next(searchSource);
+  };
+
+  const setQuery = (query: Query | AggregateQuery | undefined) => {
+    searchSource.setField('query', query);
+    query$.next(query);
+    searchSource$.next(searchSource);
+  };
+
   /** Keep the saved search in sync with any state changes */
   const syncSavedSearch = combineLatest([onAnyStateChange, searchSource$])
     .pipe(
@@ -163,10 +182,13 @@ export const initializeSearchEmbeddableApi = async (
       syncSavedSearch.unsubscribe();
     },
     api: {
+      setDataViews,
       dataViews,
       savedSearch$,
       filters$,
+      setFilters,
       query$,
+      setQuery,
     },
     stateManager,
     comparators: {
diff --git a/src/plugins/discover/public/embeddable/types.ts b/src/plugins/discover/public/embeddable/types.ts
index 1b7ab4a96c2de..64cf5a390da3a 100644
--- a/src/plugins/discover/public/embeddable/types.ts
+++ b/src/plugins/discover/public/embeddable/types.ts
@@ -15,10 +15,9 @@ import {
   HasInPlaceLibraryTransforms,
   PublishesBlockingError,
   PublishesDataLoading,
-  PublishesDataViews,
   PublishesSavedObjectId,
-  PublishesUnifiedSearch,
   PublishesWritablePanelTitle,
+  PublishesWritableUnifiedSearch,
   PublishingSubject,
   SerializedTimeRange,
   SerializedTitles,
@@ -30,6 +29,7 @@ import {
 } from '@kbn/saved-search-plugin/common/types';
 import { DataTableColumnsMeta } from '@kbn/unified-data-table';
 import { BehaviorSubject } from 'rxjs';
+import { PublishesWritableDataViews } from '@kbn/presentation-publishing/interfaces/publishes_data_views';
 import { EDITABLE_SAVED_SEARCH_KEYS } from './constants';
 
 export type SearchEmbeddableState = Pick<
@@ -59,6 +59,13 @@ export type SearchEmbeddableSerializedAttributes = Omit<
 > &
   Pick<SerializableSavedSearch, 'serializedSearchSource'>;
 
+// These are options that are not persisted in the saved object, but can be used by solutions
+// when utilising the SavedSearchComponent package outside of dashboard contexts.
+export interface NonPersistedDisplayOptions {
+  enableDocumentViewer?: boolean;
+  enableFilters?: boolean;
+}
+
 export type SearchEmbeddableSerializedState = SerializedTitles &
   SerializedTimeRange &
   Partial<Pick<SavedSearchAttributes, (typeof EDITABLE_SAVED_SEARCH_KEYS)[number]>> & {
@@ -66,6 +73,7 @@ export type SearchEmbeddableSerializedState = SerializedTitles &
     attributes?: SavedSearchAttributes & { references: SavedSearch['references'] };
     // by reference
     savedObjectId?: string;
+    nonPersistedDisplayOptions?: NonPersistedDisplayOptions;
   };
 
 export type SearchEmbeddableRuntimeState = SearchEmbeddableSerializedAttributes &
@@ -74,20 +82,20 @@ export type SearchEmbeddableRuntimeState = SearchEmbeddableSerializedAttributes
     savedObjectTitle?: string;
     savedObjectId?: string;
     savedObjectDescription?: string;
+    nonPersistedDisplayOptions?: NonPersistedDisplayOptions;
   };
 
 export type SearchEmbeddableApi = DefaultEmbeddableApi<
   SearchEmbeddableSerializedState,
   SearchEmbeddableRuntimeState
 > &
-  PublishesDataViews &
   PublishesSavedObjectId &
   PublishesDataLoading &
   PublishesBlockingError &
   PublishesWritablePanelTitle &
   PublishesSavedSearch &
-  PublishesDataViews &
-  PublishesUnifiedSearch &
+  PublishesWritableDataViews &
+  PublishesWritableUnifiedSearch &
   HasInPlaceLibraryTransforms &
   HasTimeRange &
   Partial<HasEditCapabilities & PublishesSavedObjectId>;
diff --git a/src/plugins/discover/public/embeddable/utils/serialization_utils.ts b/src/plugins/discover/public/embeddable/utils/serialization_utils.ts
index 191a37fe3326e..f193d52054a3c 100644
--- a/src/plugins/discover/public/embeddable/utils/serialization_utils.ts
+++ b/src/plugins/discover/public/embeddable/utils/serialization_utils.ts
@@ -67,6 +67,7 @@ export const deserializeState = async ({
     return {
       ...savedSearch,
       ...panelState,
+      nonPersistedDisplayOptions: serializedState.rawState.nonPersistedDisplayOptions,
     };
   }
 };
diff --git a/src/plugins/discover/public/index.ts b/src/plugins/discover/public/index.ts
index b5d4308010f1f..d15ed42aacf51 100644
--- a/src/plugins/discover/public/index.ts
+++ b/src/plugins/discover/public/index.ts
@@ -35,6 +35,9 @@ export {
   type PublishesSavedSearch,
   type HasTimeRange,
   type SearchEmbeddableSerializedState,
+  type SearchEmbeddableRuntimeState,
+  type SearchEmbeddableApi,
+  type NonPersistedDisplayOptions,
 } from './embeddable';
 export { loadSharingDataHelpers } from './utils';
 export { LogsExplorerTabs, type LogsExplorerTabsProps } from './components/logs_explorer_tabs';
diff --git a/tsconfig.base.json b/tsconfig.base.json
index 6247850e7e1af..8f9eecb606627 100644
--- a/tsconfig.base.json
+++ b/tsconfig.base.json
@@ -1530,6 +1530,8 @@
       "@kbn/saved-objects-tagging-oss-plugin/*": ["src/plugins/saved_objects_tagging_oss/*"],
       "@kbn/saved-objects-tagging-plugin": ["x-pack/plugins/saved_objects_tagging"],
       "@kbn/saved-objects-tagging-plugin/*": ["x-pack/plugins/saved_objects_tagging/*"],
+      "@kbn/saved-search-component": ["packages/kbn-saved-search-component"],
+      "@kbn/saved-search-component/*": ["packages/kbn-saved-search-component/*"],
       "@kbn/saved-search-plugin": ["src/plugins/saved_search"],
       "@kbn/saved-search-plugin/*": ["src/plugins/saved_search/*"],
       "@kbn/screenshot-mode-example-plugin": ["examples/screenshot_mode_example"],
diff --git a/x-pack/packages/observability/logs_overview/src/components/log_categories/log_categories_result_content.tsx b/x-pack/packages/observability/logs_overview/src/components/log_categories/log_categories_result_content.tsx
index c2b1a0989c2ec..fdb059d971943 100644
--- a/x-pack/packages/observability/logs_overview/src/components/log_categories/log_categories_result_content.tsx
+++ b/x-pack/packages/observability/logs_overview/src/components/log_categories/log_categories_result_content.tsx
@@ -76,7 +76,6 @@ export const LogCategoriesResultContent: React.FC<LogCategoriesResultContentProp
             <LogCategoryDetailsFlyout
               logCategory={categoryDetailsServiceState.context.expandedCategory}
               onCloseFlyout={onCloseFlyout}
-              categoryDetailsServiceState={categoryDetailsServiceState}
               logsSource={logsSource}
               dependencies={dependencies}
               documentFilters={documentFilters}
diff --git a/x-pack/packages/observability/logs_overview/src/components/log_category_details/log_category_details_flyout.tsx b/x-pack/packages/observability/logs_overview/src/components/log_category_details/log_category_details_flyout.tsx
index 2f478c771dbfa..c15891c693eb5 100644
--- a/x-pack/packages/observability/logs_overview/src/components/log_category_details/log_category_details_flyout.tsx
+++ b/x-pack/packages/observability/logs_overview/src/components/log_category_details/log_category_details_flyout.tsx
@@ -17,28 +17,32 @@ import {
 } from '@elastic/eui';
 import React, { useMemo } from 'react';
 import { FormattedMessage } from '@kbn/i18n-react';
-import { StateFrom } from 'xstate5';
 import { i18n } from '@kbn/i18n';
 import { QueryDslQueryContainer } from '@kbn/data-views-plugin/common/types';
+import { css } from '@emotion/react';
+import { FilterStateStore, buildCustomFilter } from '@kbn/es-query';
 import { LogCategory } from '../../types';
 import { LogCategoryPattern } from '../shared/log_category_pattern';
-import { categoryDetailsService } from '../../services/category_details_service';
 import {
   LogCategoryDocumentExamplesTable,
   LogCategoryDocumentExamplesTableDependencies,
 } from './log_category_document_examples_table';
 import { type ResolvedIndexNameLogsSourceConfiguration } from '../../utils/logs_source';
-import { LogCategoryDetailsLoadingContent } from './log_category_details_loading_content';
-import { LogCategoryDetailsErrorContent } from './log_category_details_error_content';
-import { DiscoverLink } from '../discover_link';
+import { DiscoverLink, DiscoverLinkDependencies } from '../discover_link';
 import { createCategoryQuery } from '../../services/categorize_logs_service/queries';
 
-export type LogCategoriesFlyoutDependencies = LogCategoryDocumentExamplesTableDependencies;
+export type LogCategoriesFlyoutDependencies = LogCategoryDocumentExamplesTableDependencies &
+  DiscoverLinkDependencies;
+
+const flyoutBodyCss = css`
+  .euiFlyoutBody__overflowContent {
+    height: 100%;
+  }
+`;
 
 interface LogCategoryDetailsFlyoutProps {
   onCloseFlyout: () => void;
   logCategory: LogCategory;
-  categoryDetailsServiceState: StateFrom<typeof categoryDetailsService>;
   dependencies: LogCategoriesFlyoutDependencies;
   logsSource: ResolvedIndexNameLogsSourceConfiguration;
   documentFilters?: QueryDslQueryContainer[];
@@ -51,7 +55,6 @@ interface LogCategoryDetailsFlyoutProps {
 export const LogCategoryDetailsFlyout: React.FC<LogCategoryDetailsFlyoutProps> = ({
   onCloseFlyout,
   logCategory,
-  categoryDetailsServiceState,
   dependencies,
   logsSource,
   documentFilters,
@@ -61,11 +64,19 @@ export const LogCategoryDetailsFlyout: React.FC<LogCategoryDetailsFlyoutProps> =
     prefix: 'flyoutTitle',
   });
 
+  const categoryFilter = useMemo(() => {
+    return createCategoryQuery(logsSource.messageField)(logCategory.terms);
+  }, [logCategory.terms, logsSource.messageField]);
+
+  const documentAndCategoryFilters = useMemo(() => {
+    return [...(documentFilters ?? []), categoryFilter];
+  }, [categoryFilter, documentFilters]);
+
   const linkFilters = useMemo(() => {
     return [
       ...(documentFilters ? documentFilters.map((filter) => ({ filter })) : []),
       {
-        filter: createCategoryQuery(logsSource.messageField)(logCategory.terms),
+        filter: categoryFilter,
         meta: {
           name: i18n.translate(
             'xpack.observabilityLogsOverview.logCategoryDetailsFlyout.discoverLinkFilterName',
@@ -79,7 +90,20 @@ export const LogCategoryDetailsFlyout: React.FC<LogCategoryDetailsFlyoutProps> =
         },
       },
     ];
-  }, [documentFilters, logCategory.terms, logsSource.messageField]);
+  }, [categoryFilter, documentFilters, logCategory.terms]);
+
+  const filters = useMemo(() => {
+    return documentAndCategoryFilters.map((filter) =>
+      buildCustomFilter(
+        logsSource.indexName,
+        filter,
+        false,
+        false,
+        'Document filters',
+        FilterStateStore.APP_STATE
+      )
+    );
+  }, [documentAndCategoryFilters, logsSource.indexName]);
 
   return (
     <EuiFlyout ownFocus onClose={() => onCloseFlyout()} aria-labelledby={flyoutTitleId}>
@@ -107,32 +131,12 @@ export const LogCategoryDetailsFlyout: React.FC<LogCategoryDetailsFlyoutProps> =
           </EuiFlexItem>
         </EuiFlexGroup>
       </EuiFlyoutHeader>
-      <EuiFlyoutBody>
-        {categoryDetailsServiceState.matches({ hasCategory: 'fetchingDocuments' }) ? (
-          <LogCategoryDetailsLoadingContent
-            message={i18n.translate(
-              'xpack.observabilityLogsOverview.logCategoryDetailsFlyout.loadingMessage',
-              {
-                defaultMessage: 'Loading latest documents',
-              }
-            )}
-          />
-        ) : categoryDetailsServiceState.matches({ hasCategory: 'error' }) ? (
-          <LogCategoryDetailsErrorContent
-            title={i18n.translate(
-              'xpack.observabilityLogsOverview.logCategoryDetailsFlyout.fetchingDocumentsErrorTitle',
-              {
-                defaultMessage: 'Failed to fetch documents',
-              }
-            )}
-          />
-        ) : (
-          <LogCategoryDocumentExamplesTable
-            dependencies={dependencies}
-            categoryDocuments={categoryDetailsServiceState.context.categoryDocuments}
-            logsSource={logsSource}
-          />
-        )}
+      <EuiFlyoutBody css={flyoutBodyCss}>
+        <LogCategoryDocumentExamplesTable
+          dependencies={dependencies}
+          logsSource={logsSource}
+          filters={filters}
+        />
       </EuiFlyoutBody>
     </EuiFlyout>
   );
diff --git a/x-pack/packages/observability/logs_overview/src/components/log_category_details/log_category_document_examples_table.tsx b/x-pack/packages/observability/logs_overview/src/components/log_category_details/log_category_document_examples_table.tsx
index 6b43fa86fe49e..0101a2496415f 100644
--- a/x-pack/packages/observability/logs_overview/src/components/log_category_details/log_category_document_examples_table.tsx
+++ b/x-pack/packages/observability/logs_overview/src/components/log_category_details/log_category_document_examples_table.tsx
@@ -5,147 +5,45 @@
  * 2.0.
  */
 
-import { EuiBasicTable, EuiBasicTableColumn, EuiSpacer, EuiText } from '@elastic/eui';
-import React, { useMemo } from 'react';
-import { i18n } from '@kbn/i18n';
-import { DataGridDensity, ROWS_HEIGHT_OPTIONS } from '@kbn/unified-data-table';
-import moment from 'moment';
-import type { SettingsStart } from '@kbn/core-ui-settings-browser';
-import type { FieldFormatsStart } from '@kbn/field-formats-plugin/public';
-import type { SharePluginStart } from '@kbn/share-plugin/public';
-import { CoreStart } from '@kbn/core-lifecycle-browser';
-import { getLogLevelBadgeCell, LazySummaryColumn } from '@kbn/discover-contextual-components';
-import type { LogCategoryDocument } from '../../services/category_details_service/types';
-import { type ResolvedIndexNameLogsSourceConfiguration } from '../../utils/logs_source';
+import React from 'react';
+import { LazySavedSearchComponent } from '@kbn/saved-search-component';
+import { EmbeddableStart } from '@kbn/embeddable-plugin/public';
+import { DataViewsContract } from '@kbn/data-views-plugin/public';
+import { ISearchStartSearchSource } from '@kbn/data-plugin/common';
+import { Filter } from '@kbn/es-query';
+import { ResolvedIndexNameLogsSourceConfiguration } from '../../utils/logs_source';
 
 export interface LogCategoryDocumentExamplesTableDependencies {
-  core: CoreStart;
-  uiSettings: SettingsStart;
-  fieldFormats: FieldFormatsStart;
-  share: SharePluginStart;
+  embeddable: EmbeddableStart;
+  dataViews: DataViewsContract;
+  searchSource: ISearchStartSearchSource;
 }
 
 export interface LogCategoryDocumentExamplesTableProps {
   dependencies: LogCategoryDocumentExamplesTableDependencies;
-  categoryDocuments: LogCategoryDocument[];
   logsSource: ResolvedIndexNameLogsSourceConfiguration;
+  filters: Filter[];
 }
 
-const TimestampCell = ({
-  dependencies,
-  timestamp,
-}: {
-  dependencies: LogCategoryDocumentExamplesTableDependencies;
-  timestamp?: string | number;
-}) => {
-  const dateFormat = useMemo(
-    () => dependencies.uiSettings.client.get('dateFormat'),
-    [dependencies.uiSettings.client]
-  );
-  if (!timestamp) return null;
-
-  if (dateFormat) {
-    return <>{moment(timestamp).format(dateFormat)}</>;
-  } else {
-    return <>{timestamp}</>;
-  }
-};
-
-const LogLevelBadgeCell = getLogLevelBadgeCell('log.level');
-
 export const LogCategoryDocumentExamplesTable: React.FC<LogCategoryDocumentExamplesTableProps> = ({
-  categoryDocuments,
   dependencies,
+  filters,
   logsSource,
 }) => {
-  const columns: Array<EuiBasicTableColumn<LogCategoryDocument>> = [
-    {
-      field: 'row',
-      name: 'Timestamp',
-      width: '25%',
-      render: (row: any) => {
-        return (
-          <TimestampCell
-            dependencies={dependencies}
-            timestamp={row.raw[logsSource.timestampField]}
-          />
-        );
-      },
-    },
-    {
-      field: 'row',
-      name: 'Log level',
-      width: '10%',
-      render: (row: any) => {
-        return (
-          <LogLevelBadgeCell
-            rowIndex={0}
-            colIndex={0}
-            columnId="row"
-            isExpandable={true}
-            isExpanded={false}
-            isDetails={false}
-            row={row}
-            dataView={logsSource.dataView}
-            fieldFormats={dependencies.fieldFormats}
-            setCellProps={() => {}}
-            closePopover={() => {}}
-          />
-        );
-      },
-    },
-    {
-      field: 'row',
-      name: 'Summary',
-      width: '65%',
-      render: (row: any) => {
-        return (
-          <LazySummaryColumn
-            rowIndex={0}
-            colIndex={0}
-            columnId="_source"
-            isExpandable={true}
-            isExpanded={false}
-            isDetails={false}
-            row={row}
-            dataView={logsSource.dataView}
-            fieldFormats={dependencies.fieldFormats}
-            setCellProps={() => {}}
-            closePopover={() => {}}
-            density={DataGridDensity.COMPACT}
-            rowHeight={ROWS_HEIGHT_OPTIONS.single}
-            shouldShowFieldHandler={() => false}
-            core={dependencies.core}
-            share={dependencies.share}
-          />
-        );
-      },
-    },
-  ];
   return (
-    <>
-      <EuiText size="xs" color="subdued">
-        {i18n.translate(
-          'xpack.observabilityLogsOverview.logCategoryDocumentExamplesTable.documentCountText',
-          {
-            defaultMessage: 'Displaying the latest {documentsCount} documents.',
-            values: {
-              documentsCount: categoryDocuments.length,
-            },
-          }
-        )}
-      </EuiText>
-      <EuiSpacer size="s" />
-      <EuiBasicTable
-        tableCaption={i18n.translate(
-          'xpack.observabilityLogsOverview.logCategoryDocumentExamplesTable.tableCaption',
-          {
-            defaultMessage: 'Log category example documents table',
-          }
-        )}
-        items={categoryDocuments}
-        columns={columns}
-      />
-    </>
+    <LazySavedSearchComponent
+      dependencies={{
+        embeddable: dependencies.embeddable,
+        dataViews: dependencies.dataViews,
+        searchSource: dependencies.searchSource,
+      }}
+      filters={filters}
+      index={logsSource.indexName}
+      timestampField={logsSource.timestampField}
+      displayOptions={{
+        enableDocumentViewer: false,
+        enableFilters: false,
+      }}
+    />
   );
 };
diff --git a/x-pack/packages/observability/logs_overview/src/services/category_details_service/category_details_service.ts b/x-pack/packages/observability/logs_overview/src/services/category_details_service/category_details_service.ts
index 958f717548600..40dc0d1eca122 100644
--- a/x-pack/packages/observability/logs_overview/src/services/category_details_service/category_details_service.ts
+++ b/x-pack/packages/observability/logs_overview/src/services/category_details_service/category_details_service.ts
@@ -7,40 +7,24 @@
 
 import { MachineImplementationsFrom, assign, setup } from 'xstate5';
 import { LogCategory } from '../../types';
-import { getPlaceholderFor } from '../../utils/xstate5_utils';
-import {
-  CategoryDetailsServiceDependencies,
-  LogCategoryDocument,
-  LogCategoryDetailsParams,
-} from './types';
-import { getCategoryDocuments } from './category_documents';
+import { CategoryDetailsServiceDependencies, LogCategoryDetailsParams } from './types';
 
 export const categoryDetailsService = setup({
   types: {
     input: {} as LogCategoryDetailsParams,
-    output: {} as {
-      categoryDocuments: LogCategoryDocument[] | null;
-    },
+    output: {} as {},
     context: {} as {
       parameters: LogCategoryDetailsParams;
-      error?: Error;
       expandedRowIndex: number | null;
       expandedCategory: LogCategory | null;
-      categoryDocuments: LogCategoryDocument[];
     },
-    events: {} as
-      | {
-          type: 'cancel';
-        }
-      | {
-          type: 'setExpandedCategory';
-          rowIndex: number | null;
-          category: LogCategory | null;
-        },
-  },
-  actors: {
-    getCategoryDocuments: getPlaceholderFor(getCategoryDocuments),
+    events: {} as {
+      type: 'setExpandedCategory';
+      rowIndex: number | null;
+      category: LogCategory | null;
+    },
   },
+  actors: {},
   actions: {
     storeCategory: assign(
       ({ context, event }, params: { category: LogCategory | null; rowIndex: number | null }) => ({
@@ -48,22 +32,10 @@ export const categoryDetailsService = setup({
         expandedRowIndex: params.rowIndex,
       })
     ),
-    storeDocuments: assign(
-      ({ context, event }, params: { categoryDocuments: LogCategoryDocument[] }) => ({
-        categoryDocuments: params.categoryDocuments,
-      })
-    ),
-    storeError: assign((_, params: { error: unknown }) => ({
-      error: params.error instanceof Error ? params.error : new Error(String(params.error)),
-    })),
   },
   guards: {
     hasCategory: (_guardArgs, params: { expandedCategory: LogCategory | null }) =>
       params.expandedCategory !== null,
-    hasDocumentExamples: (
-      _guardArgs,
-      params: { categoryDocuments: LogCategoryDocument[] | null }
-    ) => params.categoryDocuments !== null && params.categoryDocuments.length > 0,
   },
 }).createMachine({
   /** @xstate-layout N4IgpgJg5mDOIC5QGMCGAXMUD2AnAlgF5gAy2UsAdMtgK4B26+9UAItsrQLZiOwDEEbPTCVmAN2wBrUWkw4CxMhWp1GzNh2690sBBI4Z8wgNoAGALrmLiUAAdssfE2G2QAD0QBmMwA5KACy+AQFmob4AjABMwQBsADQgAJ6IkYEAnJkA7FmxZlERmQGxAL4liXJYeESk5FQ0DEws7Jw8fILCogYy1BhVirUqDerNWm26+vSScsb01iYRNkggDk4u9G6eCD7+QSFhftFxiSkIvgCsWZSxEVlRsbFZ52Zm515lFX0KNcr1ak2aVo6ARCERiKbSWRfapKOqqRoaFraPiTaZGUyWExRJb2RzOWabbx+QLBULhI7FE7eWL+F45GnRPIRZkfECVb6wob-RFjYH8MC4XB4Sh2AA2GAAZnguL15DDBn8EaMgSiDDMMVZLG5VvjXMstjsSftyTFKclEOdzgFKF5zukvA8zBFnl50udWez5b94SNAcjdPw0PRkGBRdZtXj1oTtsS9mTDqaEuaEBF8udKFkIr5fK6olkzOksgEPdCBt6JWB0MgABYaADKqC4YsgAGFS-g4B0wd0oXKBg2m6LW+24OHljqo-rEMzbpQos8-K7fC9CknTrF0rEbbb0oVMoWIgF3eU2e3OVQK1XaywB82IG2+x2BAKhbgReL0FLcDLPf3G3eH36J8x1xNYCSnFNmSuecXhzdJlydTcqQQLJfHSOc0PyLJN3SMxYiPEtH3PShLxret-yHe8RwEIMQzDLVx0jcDQC2GdoIXOCENXZDsyiOcAiiKJ0iiPDLi8V1CKA4jSOvKAACUwC4VBmA0QDvk7UEughHpfxqBSlJUlg1OqUcGNA3UNggrMs347IjzdaIvGQwSvECXI8k3Z43gEiJJI5BUSMrMiWH05T6FU6j+UFYUxUlaVZSksBQsMqBjIIUycRWJi9RY6dIn8KIAjsu1zkc5CAmiG1fBiaIzB8B0QmPT4iICmSNGS8KjMi2jQxArKwJyjw8pswriocqInOTLwIi3ASD1yQpswCd5WXobAIDgNxdPPCMBss3KEAAWjXRBDvTfcLsu9Jlr8r04WGAEkXGeBGL26MBOQzIt2ut4cwmirCt8W6yzhNqbwo4dH0216LOjTMIjnBdYhK1DYgdHjihtZbUIdWIXJuYGflBoLZI6iKoZe8zJwOw9KtGt1kbuTcsmQrwi0oeCQjzZ5blwt1Cek5TKN22GIIKZbAgKC45pyLyeLwtz4Kyabs1QgWAs0kXqaGhBxdcnzpaE2XXmch0MORmaBJeLwjbKMogA */
@@ -71,7 +43,6 @@ export const categoryDetailsService = setup({
   context: ({ input }) => ({
     expandedCategory: null,
     expandedRowIndex: null,
-    categoryDocuments: [],
     parameters: input,
   }),
   initial: 'idle',
@@ -79,38 +50,6 @@ export const categoryDetailsService = setup({
     idle: {
       on: {
         setExpandedCategory: {
-          target: 'checkingCategoryState',
-          actions: [
-            {
-              type: 'storeCategory',
-              params: ({ event }) => event,
-            },
-          ],
-        },
-      },
-    },
-    checkingCategoryState: {
-      always: [
-        {
-          guard: {
-            type: 'hasCategory',
-            params: ({ event, context }) => {
-              return {
-                expandedCategory: context.expandedCategory,
-              };
-            },
-          },
-          target: '#hasCategory.fetchingDocuments',
-        },
-        { target: 'idle' },
-      ],
-    },
-    hasCategory: {
-      id: 'hasCategory',
-      initial: 'fetchingDocuments',
-      on: {
-        setExpandedCategory: {
-          target: 'checkingCategoryState',
           actions: [
             {
               type: 'storeCategory',
@@ -119,73 +58,13 @@ export const categoryDetailsService = setup({
           ],
         },
       },
-      states: {
-        fetchingDocuments: {
-          invoke: {
-            src: 'getCategoryDocuments',
-            id: 'fetchCategoryDocumentExamples',
-            input: ({ context }) => ({
-              ...context.parameters,
-              categoryTerms: context.expandedCategory!.terms,
-            }),
-            onDone: [
-              {
-                guard: {
-                  type: 'hasDocumentExamples',
-                  params: ({ event }) => {
-                    return event.output;
-                  },
-                },
-                target: 'hasData',
-                actions: [
-                  {
-                    type: 'storeDocuments',
-                    params: ({ event }) => {
-                      return event.output;
-                    },
-                  },
-                ],
-              },
-              {
-                target: 'noData',
-                actions: [
-                  {
-                    type: 'storeDocuments',
-                    params: ({ event }) => {
-                      return { categoryDocuments: [] };
-                    },
-                  },
-                ],
-              },
-            ],
-            onError: {
-              target: 'error',
-              actions: [
-                {
-                  type: 'storeError',
-                  params: ({ event }) => ({ error: event.error }),
-                },
-              ],
-            },
-          },
-        },
-        hasData: {},
-        noData: {},
-        error: {},
-      },
     },
   },
-  output: ({ context }) => ({
-    categoryDocuments: context.categoryDocuments,
-  }),
+  output: ({ context }) => ({}),
 });
 
 export const createCategoryDetailsServiceImplementations = ({
   search,
 }: CategoryDetailsServiceDependencies): MachineImplementationsFrom<
   typeof categoryDetailsService
-> => ({
-  actors: {
-    getCategoryDocuments: getCategoryDocuments({ search }),
-  },
-});
+> => ({});
diff --git a/x-pack/packages/observability/logs_overview/src/services/category_details_service/category_documents.ts b/x-pack/packages/observability/logs_overview/src/services/category_details_service/category_documents.ts
deleted file mode 100644
index b513fa79fc686..0000000000000
--- a/x-pack/packages/observability/logs_overview/src/services/category_details_service/category_documents.ts
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { ISearchGeneric } from '@kbn/search-types';
-import { fromPromise } from 'xstate5';
-import { lastValueFrom } from 'rxjs';
-import { flattenHit } from '@kbn/data-service';
-import { LogCategoryDocument, LogCategoryDocumentsParams } from './types';
-import { createGetLogCategoryDocumentsRequestParams } from './queries';
-
-export const getCategoryDocuments = ({ search }: { search: ISearchGeneric }) =>
-  fromPromise<
-    {
-      categoryDocuments: LogCategoryDocument[];
-    },
-    LogCategoryDocumentsParams
-  >(
-    async ({
-      input: {
-        index,
-        endTimestamp,
-        startTimestamp,
-        timeField,
-        messageField,
-        categoryTerms,
-        additionalFilters = [],
-        dataView,
-      },
-      signal,
-    }) => {
-      const requestParams = createGetLogCategoryDocumentsRequestParams({
-        index,
-        timeField,
-        messageField,
-        startTimestamp,
-        endTimestamp,
-        additionalFilters,
-        categoryTerms,
-      });
-
-      const { rawResponse } = await lastValueFrom(
-        search({ params: requestParams }, { abortSignal: signal })
-      );
-
-      const categoryDocuments: LogCategoryDocument[] =
-        rawResponse.hits?.hits.map((hit) => {
-          return {
-            row: {
-              raw: hit._source,
-              flattened: flattenHit(hit, dataView),
-            },
-          };
-        }) ?? [];
-
-      return {
-        categoryDocuments,
-      };
-    }
-  );
diff --git a/x-pack/packages/observability/logs_overview/src/services/category_details_service/queries.ts b/x-pack/packages/observability/logs_overview/src/services/category_details_service/queries.ts
deleted file mode 100644
index cd1053077c334..0000000000000
--- a/x-pack/packages/observability/logs_overview/src/services/category_details_service/queries.ts
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { QueryDslQueryContainer } from '@elastic/elasticsearch/lib/api/types';
-import { createCategoryQuery } from '../categorize_logs_service/queries';
-
-export const createGetLogCategoryDocumentsRequestParams = ({
-  index,
-  timeField,
-  messageField,
-  startTimestamp,
-  endTimestamp,
-  additionalFilters = [],
-  categoryTerms = '',
-  documentCount = 20,
-}: {
-  startTimestamp: string;
-  endTimestamp: string;
-  index: string;
-  timeField: string;
-  messageField: string;
-  additionalFilters?: QueryDslQueryContainer[];
-  categoryTerms?: string;
-  documentCount?: number;
-}) => {
-  return {
-    index,
-    size: documentCount,
-    track_total_hits: false,
-    sort: [{ [timeField]: { order: 'desc' } }],
-    query: {
-      bool: {
-        filter: [
-          {
-            exists: {
-              field: messageField,
-            },
-          },
-          {
-            range: {
-              [timeField]: {
-                gte: startTimestamp,
-                lte: endTimestamp,
-                format: 'strict_date_time',
-              },
-            },
-          },
-          createCategoryQuery(messageField)(categoryTerms),
-          ...additionalFilters,
-        ],
-      },
-    },
-  };
-};
diff --git a/x-pack/packages/observability/logs_overview/src/services/category_details_service/types.ts b/x-pack/packages/observability/logs_overview/src/services/category_details_service/types.ts
index 72369275578e3..9c3327632055a 100644
--- a/x-pack/packages/observability/logs_overview/src/services/category_details_service/types.ts
+++ b/x-pack/packages/observability/logs_overview/src/services/category_details_service/types.ts
@@ -8,11 +8,6 @@
 import { QueryDslQueryContainer } from '@elastic/elasticsearch/lib/api/types';
 import { ISearchGeneric } from '@kbn/search-types';
 import { type DataView } from '@kbn/data-views-plugin/common';
-import type { DataTableRecord } from '@kbn/discover-utils';
-
-export interface LogCategoryDocument {
-  row: Pick<DataTableRecord, 'flattened' | 'raw'>;
-}
 
 export interface LogCategoryDetailsParams {
   additionalFilters: QueryDslQueryContainer[];
@@ -27,5 +22,3 @@ export interface LogCategoryDetailsParams {
 export interface CategoryDetailsServiceDependencies {
   search: ISearchGeneric;
 }
-
-export type LogCategoryDocumentsParams = LogCategoryDetailsParams & { categoryTerms: string };
diff --git a/x-pack/packages/observability/logs_overview/tsconfig.json b/x-pack/packages/observability/logs_overview/tsconfig.json
index 29595ce0162fe..610ef8cc0126e 100644
--- a/x-pack/packages/observability/logs_overview/tsconfig.json
+++ b/x-pack/packages/observability/logs_overview/tsconfig.json
@@ -34,12 +34,9 @@
     "@kbn/es-query",
     "@kbn/router-utils",
     "@kbn/share-plugin",
-    "@kbn/field-formats-plugin",
-    "@kbn/data-service",
-    "@kbn/discover-utils",
     "@kbn/discover-plugin",
-    "@kbn/unified-data-table",
-    "@kbn/discover-contextual-components",
-    "@kbn/core-lifecycle-browser",
+    "@kbn/embeddable-plugin",
+    "@kbn/data-plugin",
+    "@kbn/saved-search-component",
   ]
 }
diff --git a/x-pack/plugins/observability_solution/apm/kibana.jsonc b/x-pack/plugins/observability_solution/apm/kibana.jsonc
index 656f898f24064..bcb0801fc6394 100644
--- a/x-pack/plugins/observability_solution/apm/kibana.jsonc
+++ b/x-pack/plugins/observability_solution/apm/kibana.jsonc
@@ -37,7 +37,8 @@
       "lens",
       "maps",
       "uiActions",
-      "logsDataAccess"
+      "logsDataAccess",
+      "savedSearch",
     ],
     "optionalPlugins": [
       "actions",
diff --git a/x-pack/plugins/observability_solution/apm/public/components/app/service_logs/index.tsx b/x-pack/plugins/observability_solution/apm/public/components/app/service_logs/index.tsx
index a1dadbf186b91..35f502642518f 100644
--- a/x-pack/plugins/observability_solution/apm/public/components/app/service_logs/index.tsx
+++ b/x-pack/plugins/observability_solution/apm/public/components/app/service_logs/index.tsx
@@ -6,9 +6,9 @@
  */
 
 import React, { useMemo } from 'react';
-import moment from 'moment';
 import { QueryDslQueryContainer } from '@elastic/elasticsearch/lib/api/types';
-import { LogStream } from '@kbn/logs-shared-plugin/public';
+import { LazySavedSearchComponent } from '@kbn/saved-search-component';
+import useAsync from 'react-use/lib/useAsync';
 import { ENVIRONMENT_ALL } from '../../../../common/environment_filter_values';
 import { CONTAINER_ID, SERVICE_ENVIRONMENT, SERVICE_NAME } from '../../../../common/es_fields/apm';
 import { useApmServiceContext } from '../../../context/apm_service/use_apm_service_context';
@@ -35,6 +35,19 @@ export function ServiceLogs() {
 }
 
 export function ClassicServiceLogsStream() {
+  const {
+    services: {
+      logsDataAccess: {
+        services: { logSourcesService },
+      },
+      embeddable,
+      dataViews,
+      data: {
+        search: { searchSource },
+      },
+    },
+  } = useKibana();
+
   const { serviceName } = useApmServiceContext();
 
   const {
@@ -62,17 +75,31 @@ export function ClassicServiceLogsStream() {
     [environment, kuery, serviceName, start, end]
   );
 
-  return (
-    <LogStream
-      logView={{ type: 'log-view-reference', logViewId: 'default' }}
-      columns={[{ type: 'timestamp' }, { type: 'message' }]}
+  const logSources = useAsync(logSourcesService.getFlattenedLogSources);
+
+  const timeRange = useMemo(() => ({ from: start, to: end }), [start, end]);
+
+  const query = useMemo(
+    () => ({
+      language: 'kuery',
+      query: getInfrastructureKQLFilter({ data, serviceName, environment }),
+    }),
+    [data, serviceName, environment]
+  );
+
+  return logSources.value ? (
+    <LazySavedSearchComponent
+      dependencies={{ embeddable, searchSource, dataViews }}
+      index={logSources.value}
+      timeRange={timeRange}
+      query={query}
       height={'60vh'}
-      startTimestamp={moment(start).valueOf()}
-      endTimestamp={moment(end).valueOf()}
-      query={getInfrastructureKQLFilter({ data, serviceName, environment })}
-      showFlyoutAction
+      displayOptions={{
+        enableDocumentViewer: true,
+        enableFilters: false,
+      }}
     />
-  );
+  ) : null;
 }
 
 export function ServiceLogsOverview() {
diff --git a/x-pack/plugins/observability_solution/apm/public/plugin.ts b/x-pack/plugins/observability_solution/apm/public/plugin.ts
index f7246115e1e0e..532c0498f7a56 100644
--- a/x-pack/plugins/observability_solution/apm/public/plugin.ts
+++ b/x-pack/plugins/observability_solution/apm/public/plugin.ts
@@ -70,6 +70,8 @@ import { map } from 'rxjs';
 import type { CloudSetup } from '@kbn/cloud-plugin/public';
 import type { ServerlessPluginStart } from '@kbn/serverless/public';
 import { LogsSharedClientStartExports } from '@kbn/logs-shared-plugin/public';
+import { LogsDataAccessPluginStart } from '@kbn/logs-data-access-plugin/public';
+import { SavedSearchPublicPluginStart } from '@kbn/saved-search-plugin/public';
 import type { ConfigSchema } from '.';
 import { registerApmRuleTypes } from './components/alerting/rule_types/register_apm_rule_types';
 import { registerEmbeddables } from './embeddable/register_embeddables';
@@ -143,6 +145,8 @@ export interface ApmPluginStartDeps {
   metricsDataAccess: MetricsDataPluginStart;
   uiSettings: IUiSettingsClient;
   logsShared: LogsSharedClientStartExports;
+  logsDataAccess: LogsDataAccessPluginStart;
+  savedSearch: SavedSearchPublicPluginStart;
 }
 
 const applicationsTitle = i18n.translate('xpack.apm.navigation.rootTitle', {
diff --git a/x-pack/plugins/observability_solution/apm/tsconfig.json b/x-pack/plugins/observability_solution/apm/tsconfig.json
index d3de1633dcad7..b2fda13c3f76f 100644
--- a/x-pack/plugins/observability_solution/apm/tsconfig.json
+++ b/x-pack/plugins/observability_solution/apm/tsconfig.json
@@ -127,6 +127,8 @@
     "@kbn/router-utils",
     "@kbn/react-hooks",
     "@kbn/alerting-comparators",
+    "@kbn/saved-search-component",
+    "@kbn/saved-search-plugin",
   ],
   "exclude": ["target/**/*"]
 }
diff --git a/x-pack/plugins/observability_solution/logs_data_access/public/services/log_sources_service/index.ts b/x-pack/plugins/observability_solution/logs_data_access/public/services/log_sources_service/index.ts
index f329907f145ef..e44b9cadcae08 100644
--- a/x-pack/plugins/observability_solution/logs_data_access/public/services/log_sources_service/index.ts
+++ b/x-pack/plugins/observability_solution/logs_data_access/public/services/log_sources_service/index.ts
@@ -12,23 +12,32 @@ import { RegisterServicesParams } from '../register_services';
 
 export function createLogSourcesService(params: RegisterServicesParams): LogSourcesService {
   const { uiSettings } = params.deps;
-  return {
-    async getLogSources() {
-      const logSources = uiSettings.get<string[]>(OBSERVABILITY_LOGS_DATA_ACCESS_LOG_SOURCES_ID);
-      return logSources.map((logSource) => ({
-        indexPattern: logSource,
-      }));
-    },
-    async getFlattenedLogSources() {
-      const logSources = await this.getLogSources();
-      return flattenLogSources(logSources);
-    },
-    async setLogSources(sources: LogSource[]) {
-      await uiSettings.set(
-        OBSERVABILITY_LOGS_DATA_ACCESS_LOG_SOURCES_ID,
-        sources.map((source) => source.indexPattern)
-      );
-      return;
-    },
+
+  const getLogSources = async () => {
+    const logSources = uiSettings.get<string[]>(OBSERVABILITY_LOGS_DATA_ACCESS_LOG_SOURCES_ID);
+    return logSources.map((logSource) => ({
+      indexPattern: logSource,
+    }));
+  };
+
+  const getFlattenedLogSources = async () => {
+    const logSources = await getLogSources();
+    return flattenLogSources(logSources);
+  };
+
+  const setLogSources = async (sources: LogSource[]) => {
+    await uiSettings.set(
+      OBSERVABILITY_LOGS_DATA_ACCESS_LOG_SOURCES_ID,
+      sources.map((source) => source.indexPattern)
+    );
+    return;
+  };
+
+  const logSourcesService: LogSourcesService = {
+    getLogSources,
+    getFlattenedLogSources,
+    setLogSources,
   };
+
+  return logSourcesService;
 }
diff --git a/x-pack/plugins/observability_solution/logs_shared/kibana.jsonc b/x-pack/plugins/observability_solution/logs_shared/kibana.jsonc
index f5e9f76c2ace6..69539098f2463 100644
--- a/x-pack/plugins/observability_solution/logs_shared/kibana.jsonc
+++ b/x-pack/plugins/observability_solution/logs_shared/kibana.jsonc
@@ -18,11 +18,13 @@
       "observabilityShared",
       "share",
       "usageCollection",
+      "embeddable",
     ],
     "optionalPlugins": [
       "observabilityAIAssistant",
     ],
-    "requiredBundles": ["kibanaUtils", "kibanaReact", "unifiedDocViewer"],
+    "requiredBundles": ["kibanaUtils", "kibanaReact"],
     "extraPublicDirs": ["common"]
   }
 }
+ 
\ No newline at end of file
diff --git a/x-pack/plugins/observability_solution/logs_shared/public/plugin.tsx b/x-pack/plugins/observability_solution/logs_shared/public/plugin.tsx
index 0321651607ed1..e6ec419ae8b0f 100644
--- a/x-pack/plugins/observability_solution/logs_shared/public/plugin.tsx
+++ b/x-pack/plugins/observability_solution/logs_shared/public/plugin.tsx
@@ -61,7 +61,6 @@ export class LogsSharedPlugin implements LogsSharedClientPluginClass {
       logsDataAccess,
       observabilityAIAssistant,
       share,
-      fieldFormats,
     } = plugins;
 
     const logViews = this.logViews.start({
@@ -72,14 +71,14 @@ export class LogsSharedPlugin implements LogsSharedClientPluginClass {
     });
 
     const LogsOverview = createLogsOverview({
-      core,
       charts,
       logsDataAccess,
       search: data.search.search,
+      searchSource: data.search.searchSource,
       uiSettings: settings,
       share,
       dataViews,
-      fieldFormats,
+      embeddable: plugins.embeddable,
     });
 
     if (!observabilityAIAssistant) {
diff --git a/x-pack/plugins/observability_solution/logs_shared/public/types.ts b/x-pack/plugins/observability_solution/logs_shared/public/types.ts
index e2435fa1f4915..90bbd89f2481d 100644
--- a/x-pack/plugins/observability_solution/logs_shared/public/types.ts
+++ b/x-pack/plugins/observability_solution/logs_shared/public/types.ts
@@ -15,6 +15,8 @@ import type { ObservabilityAIAssistantPublicStart } from '@kbn/observability-ai-
 import type { SharePluginSetup, SharePluginStart } from '@kbn/share-plugin/public';
 import type { UiActionsStart } from '@kbn/ui-actions-plugin/public';
 import { FieldFormatsStart } from '@kbn/field-formats-plugin/public';
+import { EmbeddableStart } from '@kbn/embeddable-plugin/public';
+import { SavedSearchPublicPluginStart } from '@kbn/saved-search-plugin/public';
 import type { LogsSharedLocators } from '../common/locators';
 import type { LogAIAssistantProps } from './components/log_ai_assistant/log_ai_assistant';
 import type { SelfContainedLogsOverview } from './components/logs_overview';
@@ -46,6 +48,8 @@ export interface LogsSharedClientStartDeps {
   share: SharePluginStart;
   uiActions: UiActionsStart;
   fieldFormats: FieldFormatsStart;
+  embeddable: EmbeddableStart;
+  savedSearch: SavedSearchPublicPluginStart;
 }
 
 export type LogsSharedClientCoreSetup = CoreSetup<
diff --git a/x-pack/plugins/observability_solution/logs_shared/tsconfig.json b/x-pack/plugins/observability_solution/logs_shared/tsconfig.json
index f171c79afccd0..acaed5073a176 100644
--- a/x-pack/plugins/observability_solution/logs_shared/tsconfig.json
+++ b/x-pack/plugins/observability_solution/logs_shared/tsconfig.json
@@ -49,5 +49,7 @@
     "@kbn/charts-plugin",
     "@kbn/core-ui-settings-common",
     "@kbn/field-formats-plugin",
+    "@kbn/embeddable-plugin",
+    "@kbn/saved-search-plugin",
   ]
 }
diff --git a/yarn.lock b/yarn.lock
index a24c1adc150a6..5f3dcddd9d627 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -6858,6 +6858,10 @@
   version "0.0.0"
   uid ""
 
+"@kbn/saved-search-component@link:packages/kbn-saved-search-component":
+  version "0.0.0"
+  uid ""
+
 "@kbn/saved-search-plugin@link:src/plugins/saved_search":
   version "0.0.0"
   uid ""

From e8db3845e67cf81f0649788e24a06b231a50b202 Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Tue, 3 Dec 2024 22:21:02 +1100
Subject: [PATCH 05/23] [8.x] [TSVB] fix point visibility regression (#202358)
 (#202639)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[TSVB] fix point visibility regression
(#202358)](https://github.com/elastic/kibana/pull/202358)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Marco
Vettorello","email":"marco.vettorello@elastic.co"},"sourceCommit":{"committedDate":"2024-12-03T09:27:58Z","message":"[TSVB]
fix point visibility regression (#202358)\n\n## Summary\r\n\r\nfix
https://github.com/elastic/kibana/issues/200255\r\n\r\nThe regression
was caused by a
[breaking\r\nchange](https://github.com/elastic/elastic-charts/pull/2525)
introduced\r\nby elastic-charts around the `area.points.visible` style,
that passed\r\nfrom a `boolean` to a union of `'always' | 'never' |
'auto'`;","sha":"a7397b2ce23c22e06af246eca59c32c63dc63cdb","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Feature:TSVB","regression","release_note:fix","Team:Visualizations","v9.0.0","v8.16.0","backport:version","v8.17.0","v8.18.0"],"title":"[TSVB]
fix point visibility
regression","number":202358,"url":"https://github.com/elastic/kibana/pull/202358","mergeCommit":{"message":"[TSVB]
fix point visibility regression (#202358)\n\n## Summary\r\n\r\nfix
https://github.com/elastic/kibana/issues/200255\r\n\r\nThe regression
was caused by a
[breaking\r\nchange](https://github.com/elastic/elastic-charts/pull/2525)
introduced\r\nby elastic-charts around the `area.points.visible` style,
that passed\r\nfrom a `boolean` to a union of `'always' | 'never' |
'auto'`;","sha":"a7397b2ce23c22e06af246eca59c32c63dc63cdb"}},"sourceBranch":"main","suggestedTargetBranches":["8.16","8.17","8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/202358","number":202358,"mergeCommit":{"message":"[TSVB]
fix point visibility regression (#202358)\n\n## Summary\r\n\r\nfix
https://github.com/elastic/kibana/issues/200255\r\n\r\nThe regression
was caused by a
[breaking\r\nchange](https://github.com/elastic/elastic-charts/pull/2525)
introduced\r\nby elastic-charts around the `area.points.visible` style,
that passed\r\nfrom a `boolean` to a union of `'always' | 'never' |
'auto'`;","sha":"a7397b2ce23c22e06af246eca59c32c63dc63cdb"}},{"branch":"8.16","label":"v8.16.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.17","label":"v8.17.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Marco Vettorello <marco.vettorello@elastic.co>
---
 .../decorators/__snapshots__/area_decorator.test.js.snap      | 2 +-
 .../timeseries/utils/__snapshots__/series_styles.test.js.snap | 4 ++--
 .../visualizations/views/timeseries/utils/series_styles.js    | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/plugins/vis_types/timeseries/public/application/visualizations/views/timeseries/decorators/__snapshots__/area_decorator.test.js.snap b/src/plugins/vis_types/timeseries/public/application/visualizations/views/timeseries/decorators/__snapshots__/area_decorator.test.js.snap
index 7ded8e2254aa9..18ce44a9fb7ec 100644
--- a/src/plugins/vis_types/timeseries/public/application/visualizations/views/timeseries/decorators/__snapshots__/area_decorator.test.js.snap
+++ b/src/plugins/vis_types/timeseries/public/application/visualizations/views/timeseries/decorators/__snapshots__/area_decorator.test.js.snap
@@ -18,7 +18,7 @@ exports[`src/legacy/core_plugins/metrics/public/visualizations/views/timeseries/
         "radius": 1,
         "stroke": "rgb(0, 156, 224)",
         "strokeWidth": 5,
-        "visible": false,
+        "visible": "never",
       },
     }
   }
diff --git a/src/plugins/vis_types/timeseries/public/application/visualizations/views/timeseries/utils/__snapshots__/series_styles.test.js.snap b/src/plugins/vis_types/timeseries/public/application/visualizations/views/timeseries/utils/__snapshots__/series_styles.test.js.snap
index 054ca0f0d8193..28bfd0c698307 100644
--- a/src/plugins/vis_types/timeseries/public/application/visualizations/views/timeseries/utils/__snapshots__/series_styles.test.js.snap
+++ b/src/plugins/vis_types/timeseries/public/application/visualizations/views/timeseries/utils/__snapshots__/series_styles.test.js.snap
@@ -17,7 +17,7 @@ Object {
       "radius": 1,
       "stroke": "rgb(224, 0, 221)",
       "strokeWidth": 1,
-      "visible": true,
+      "visible": "always",
     },
   },
   "curve": 7,
@@ -41,7 +41,7 @@ Object {
       "radius": 0.5,
       "stroke": "#000",
       "strokeWidth": 5,
-      "visible": false,
+      "visible": "never",
     },
   },
   "curve": 9,
diff --git a/src/plugins/vis_types/timeseries/public/application/visualizations/views/timeseries/utils/series_styles.js b/src/plugins/vis_types/timeseries/public/application/visualizations/views/timeseries/utils/series_styles.js
index 0da1e8e474b50..6bfbbb7bfb287 100644
--- a/src/plugins/vis_types/timeseries/public/application/visualizations/views/timeseries/utils/series_styles.js
+++ b/src/plugins/vis_types/timeseries/public/application/visualizations/views/timeseries/utils/series_styles.js
@@ -27,7 +27,7 @@ export const getAreaStyles = ({ points, lines, color }) => ({
       radius: points.radius || 0.5,
       stroke: color || DEFAULT_COLOR,
       strokeWidth: points.lineWidth || 5,
-      visible: points.lineWidth > 0 && Boolean(points.show),
+      visible: points.lineWidth > 0 && Boolean(points.show) ? 'always' : 'never',
     },
   },
   curve: lines.steps ? CurveType.CURVE_STEP_AFTER : CurveType.LINEAR,

From edeed14fce769b722479ed69dada84745ba51ab4 Mon Sep 17 00:00:00 2001
From: jennypavlova <dzheni.pavlova@elastic.co>
Date: Tue, 3 Dec 2024 12:27:57 +0100
Subject: [PATCH 06/23] [8.x] [Infra] Unskip infra serverless tests (#202146)
 (#202640)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Infra] Unskip infra serverless tests
(#202146)](https://github.com/elastic/kibana/pull/202146)

<!--- Backport version: 8.9.8 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Carlos
Crespo","email":"crespocarlos@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-11-29T17:45:48Z","message":"[Infra]
Unskip infra serverless tests (#202146)\n\nfixes
[191809](https://github.com/elastic/kibana/issues/191809)\r\n\r\n##
Summary\r\n\r\nUnskip infra e2e serverless
tests","sha":"bedc0660d8dab074aa488bccbab662269f7f21df","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","backport
missing","v9.0.0","backport:prev-minor","Team:obs-ux-infra_services"],"number":202146,"url":"https://github.com/elastic/kibana/pull/202146","mergeCommit":{"message":"[Infra]
Unskip infra serverless tests (#202146)\n\nfixes
[191809](https://github.com/elastic/kibana/issues/191809)\r\n\r\n##
Summary\r\n\r\nUnskip infra e2e serverless
tests","sha":"bedc0660d8dab074aa488bccbab662269f7f21df"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/202146","number":202146,"mergeCommit":{"message":"[Infra]
Unskip infra serverless tests (#202146)\n\nfixes
[191809](https://github.com/elastic/kibana/issues/191809)\r\n\r\n##
Summary\r\n\r\nUnskip infra e2e serverless
tests","sha":"bedc0660d8dab074aa488bccbab662269f7f21df"}}]}] BACKPORT-->

Co-authored-by: Carlos Crespo <crespocarlos@users.noreply.github.com>
---
 .github/CODEOWNERS                            |  2 +
 .../observability/infra/header_menu.ts        | 38 -------------------
 .../observability/infra/hosts_page.ts         | 32 +++++-----------
 .../test_suites/observability/infra/index.ts  |  1 -
 .../observability/infra/node_details.ts       | 10 ++---
 5 files changed, 15 insertions(+), 68 deletions(-)
 delete mode 100644 x-pack/test_serverless/functional/test_suites/observability/infra/header_menu.ts

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 64cb7add9eefd..632c534fc6d2b 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1183,6 +1183,8 @@ x-pack/test_serverless/**/test_suites/observability/ai_assistant @elastic/obs-ai
 /x-pack/plugins/observability_solution/infra/server/services @elastic/obs-ux-infra_services-team
 /x-pack/plugins/observability_solution/infra/server/usage @elastic/obs-ux-infra_services-team
 /x-pack/plugins/observability_solution/infra/server/utils @elastic/obs-ux-infra_services-team
+/x-pack/test_serverless/functional/test_suites/observability/infra @elastic/obs-ux-infra_services-team
+/x-pack/test/api_integration/services/infraops_source_configuration.ts @elastic/obs-ux-infra_services-team @elastic/obs-ux-logs-team # Assigned per https://github.com/elastic/kibana/pull/34916
 
 ## Logs UI code exceptions -> @elastic/obs-ux-logs-team
 /x-pack/test_serverless/functional/page_objects/svl_oblt_onboarding_stream_log_file.ts @elastic/obs-ux-logs-team
diff --git a/x-pack/test_serverless/functional/test_suites/observability/infra/header_menu.ts b/x-pack/test_serverless/functional/test_suites/observability/infra/header_menu.ts
deleted file mode 100644
index 775055825d2e7..0000000000000
--- a/x-pack/test_serverless/functional/test_suites/observability/infra/header_menu.ts
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { FtrProviderContext } from '../../../ftr_provider_context';
-
-import { HOSTS_VIEW_PATH } from './constants';
-
-export default ({ getPageObjects, getService }: FtrProviderContext) => {
-  const esArchiver = getService('esArchiver');
-  const pageObjects = getPageObjects(['svlCommonPage', 'common', 'infraHome', 'header']);
-
-  // failing feature flag test, see https://github.com/elastic/kibana/issues/191809
-  describe.skip('Header menu', () => {
-    before(async () => {
-      await esArchiver.load('x-pack/test/functional/es_archives/infra/metrics_and_logs');
-      await pageObjects.svlCommonPage.loginAsViewer();
-    });
-
-    after(async () => {
-      await esArchiver.unload('x-pack/test/functional/es_archives/infra/metrics_and_logs');
-    });
-
-    describe('Alerts dropdown', () => {
-      beforeEach(async () => {
-        await pageObjects.common.navigateToApp(HOSTS_VIEW_PATH);
-        await pageObjects.header.waitUntilLoadingHasFinished();
-      });
-
-      it('is hidden', async () => {
-        await pageObjects.infraHome.ensureAlertsAndRulesDropdownIsMissing();
-      });
-    });
-  });
-};
diff --git a/x-pack/test_serverless/functional/test_suites/observability/infra/hosts_page.ts b/x-pack/test_serverless/functional/test_suites/observability/infra/hosts_page.ts
index 808b079896464..f6acf29cb3a9e 100644
--- a/x-pack/test_serverless/functional/test_suites/observability/infra/hosts_page.ts
+++ b/x-pack/test_serverless/functional/test_suites/observability/infra/hosts_page.ts
@@ -40,28 +40,22 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => {
         (await pageObjects.infraHostsView.isKPIChartsLoaded())
     );
 
-  // failing feature flag test, see https://github.com/elastic/kibana/issues/191810
-  describe.skip('Hosts Page', function () {
+  describe('Hosts Page', function () {
     before(async () => {
-      await Promise.all([
-        esArchiver.load('x-pack/test/functional/es_archives/infra/metrics_and_logs'),
-      ]);
+      await esArchiver.load('x-pack/test/functional/es_archives/infra/metrics_and_logs');
       await pageObjects.svlCommonPage.loginAsViewer();
-      await browser.setWindowSize(1600, 1200);
+
+      await pageObjects.common.navigateToApp(HOSTS_VIEW_PATH);
+      await pageObjects.header.waitUntilLoadingHasFinished();
+
+      await browser.setWindowSize(1600, 1400);
     });
 
     after(async () => {
-      await Promise.all([
-        esArchiver.unload('x-pack/test/functional/es_archives/infra/metrics_and_logs'),
-      ]);
+      await esArchiver.unload('x-pack/test/functional/es_archives/infra/metrics_and_logs');
     });
 
     describe('#Single Host Flyout', () => {
-      before(async () => {
-        await pageObjects.common.navigateToApp(HOSTS_VIEW_PATH);
-        await pageObjects.header.waitUntilLoadingHasFinished();
-      });
-
       describe('Tabs', () => {
         before(async () => {
           await pageObjects.timePicker.setAbsoluteRange(
@@ -100,10 +94,7 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => {
           it('should show alerts', async () => {
             await pageObjects.header.waitUntilLoadingHasFinished();
             await pageObjects.assetDetails.overviewAlertsTitleExists();
-            const CreateRuleButtonExist = await testSubjects.exists(
-              'infraAssetDetailsCreateAlertsRuleButton'
-            );
-            expect(CreateRuleButtonExist).to.be(true);
+            await pageObjects.assetDetails.overviewOpenAlertsFlyoutExist();
           });
         });
 
@@ -123,7 +114,7 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => {
           });
 
           it('should show processes title', async () => {
-            await await testSubjects.existOrFail('infraAssetDetailsTopProcessesTitle');
+            await testSubjects.existOrFail('infraAssetDetailsTopProcessesTitle');
           });
         });
 
@@ -175,7 +166,6 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => {
 
         describe('Metrics Tab', () => {
           before(async () => {
-            await browser.scrollTop();
             await pageObjects.infraHostsView.visitMetricsTab();
           });
 
@@ -191,7 +181,6 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => {
 
         describe('Logs Tab', () => {
           before(async () => {
-            await browser.scrollTop();
             await pageObjects.infraHostsView.visitLogsTab();
           });
 
@@ -206,7 +195,6 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => {
 
         describe('Alerts Tab', () => {
           before(async () => {
-            await browser.scrollTop();
             await pageObjects.infraHostsView.visitAlertTab();
           });
 
diff --git a/x-pack/test_serverless/functional/test_suites/observability/infra/index.ts b/x-pack/test_serverless/functional/test_suites/observability/infra/index.ts
index b646ba71f960e..914f7760f900e 100644
--- a/x-pack/test_serverless/functional/test_suites/observability/infra/index.ts
+++ b/x-pack/test_serverless/functional/test_suites/observability/infra/index.ts
@@ -9,7 +9,6 @@ import { FtrProviderContext } from '../../../ftr_provider_context';
 
 export default function ({ loadTestFile }: FtrProviderContext) {
   describe('Observability Infra', function () {
-    loadTestFile(require.resolve('./header_menu'));
     loadTestFile(require.resolve('./navigation'));
     loadTestFile(require.resolve('./node_details'));
     loadTestFile(require.resolve('./hosts_page'));
diff --git a/x-pack/test_serverless/functional/test_suites/observability/infra/node_details.ts b/x-pack/test_serverless/functional/test_suites/observability/infra/node_details.ts
index 25d30117ad6b5..254bf9e555a13 100644
--- a/x-pack/test_serverless/functional/test_suites/observability/infra/node_details.ts
+++ b/x-pack/test_serverless/functional/test_suites/observability/infra/node_details.ts
@@ -30,8 +30,7 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => {
     'svlCommonPage',
   ]);
 
-  // failing feature flag test, see https://github.com/elastic/kibana/issues/191809
-  describe.skip('Node Details', () => {
+  describe('Node Details', () => {
     describe('#With Asset Details', () => {
       before(async () => {
         await esArchiver.load('x-pack/test/functional/es_archives/infra/metrics_and_logs');
@@ -50,7 +49,7 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => {
       describe('Osquery Tab', () => {
         it('should not render in serverless', async () => {
           const OsqueryExist = await testSubjects.exists('infraAssetDetailsOsqueryTab');
-          expect(OsqueryExist).to.be(false);
+          expect(OsqueryExist).to.be(true);
         });
       });
 
@@ -68,10 +67,7 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => {
           it('should show alerts', async () => {
             await pageObjects.header.waitUntilLoadingHasFinished();
             await pageObjects.assetDetails.overviewAlertsTitleExists();
-            const CreateRuleButtonExist = await testSubjects.exists(
-              'infraAssetDetailsCreateAlertsRuleButton'
-            );
-            expect(CreateRuleButtonExist).to.be(true);
+            await pageObjects.assetDetails.overviewOpenAlertsFlyoutExist();
           });
 
           [

From 558d07c14cba50d96e2f5fb1895e2c22c733fe22 Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Tue, 3 Dec 2024 22:28:33 +1100
Subject: [PATCH 07/23] [8.x] Fixed Asset Criticality copy issue (#196764)
 (#202642)

# Backport

This will backport the following commits from `main` to `8.x`:
- [Fixed Asset Criticality copy issue
(#196764)](https://github.com/elastic/kibana/pull/196764)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Jared
Burgett","email":"147995946+jaredburgettelastic@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-12-03T09:36:51Z","message":"Fixed
Asset Criticality copy issue (#196764)\n\nSmall copy change for
clarifying asset criticality
callout","sha":"13caf8d7e6d11dde68a161cd0edb3046128a0de2","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","ci:cloud-deploy","ci:project-deploy-security","v8.16.0","backport:version","v8.17.0","v8.18.0"],"title":"Fixed
Asset Criticality copy
issue","number":196764,"url":"https://github.com/elastic/kibana/pull/196764","mergeCommit":{"message":"Fixed
Asset Criticality copy issue (#196764)\n\nSmall copy change for
clarifying asset criticality
callout","sha":"13caf8d7e6d11dde68a161cd0edb3046128a0de2"}},"sourceBranch":"main","suggestedTargetBranches":["8.16","8.17","8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/196764","number":196764,"mergeCommit":{"message":"Fixed
Asset Criticality copy issue (#196764)\n\nSmall copy change for
clarifying asset criticality
callout","sha":"13caf8d7e6d11dde68a161cd0edb3046128a0de2"}},{"branch":"8.16","label":"v8.16.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.17","label":"v8.17.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Jared Burgett <147995946+jaredburgettelastic@users.noreply.github.com>
---
 .../entity_analytics/pages/entity_store_management_page.tsx     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugins/security_solution/public/entity_analytics/pages/entity_store_management_page.tsx b/x-pack/plugins/security_solution/public/entity_analytics/pages/entity_store_management_page.tsx
index 7c00f61f62fbb..83a307e3eef57 100644
--- a/x-pack/plugins/security_solution/public/entity_analytics/pages/entity_store_management_page.tsx
+++ b/x-pack/plugins/security_solution/public/entity_analytics/pages/entity_store_management_page.tsx
@@ -383,7 +383,7 @@ const AssetCriticalityIssueCallout: React.FC = ({
   const msg = errorMessage ?? (
     <FormattedMessage
       id="xpack.securitySolution.entityAnalytics.assetCriticalityUploadPage.advancedSettingDisabledMessage"
-      defaultMessage="The don't have privileges to access Asset Criticality feature. Contact your administrator for further assistance."
+      defaultMessage="Privileges to access the Asset Criticality feature are missing for your user. Contact your administrator for further assistance."
     />
   );
 

From c0e51ac9fb4d4cb10e13bfad69ff191c026033dd Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Tue, 3 Dec 2024 23:36:34 +1100
Subject: [PATCH 08/23] [8.x] [Discover] Highlight matching field values when
 performing a KQL search on a keyword field (#201952) (#202665)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Discover] Highlight matching field values when performing a KQL
search on a keyword field
(#201952)](https://github.com/elastic/kibana/pull/201952)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Ania
Kowalska","email":"63072419+akowalska622@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-12-03T10:43:07Z","message":"[Discover]
Highlight matching field values when performing a KQL search on a
keyword field (#201952)\n\n## Summary\r\n\r\nCloses [Highlighting isn't
visible in Discover on keywords if the field\r\nalso has text type while
searching\r\n#118590](https://github.com/elastic/kibana/issues/118590
)\r\n\r\nAdded `text` field highlight when querying on matching
`keyword`\r\n\r\nBefore:\r\n\r\n![image](https://github.com/user-attachments/assets/8b296df6-5647-4c4f-bfb1-4cd9f575e3c9)\r\n\r\nAfter:\r\n<img
width=\"722\" alt=\"Screenshot 2024-11-27 at 13 10
51\"\r\nsrc=\"https://github.com/user-attachments/assets/c4c0ae23-e6bc-4840-84fb-908c50da5491\">\r\n\r\n\r\n###
Checklist\r\n\r\nCheck the PR satisfies following conditions.
\r\n\r\nReviewers should verify this PR satisfies this list as
well.\r\n\r\n- [ ] Any text added follows [EUI's
writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\r\nsentence case text and includes
[i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n-
[
]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas
added for features that require explanation or tutorials\r\n- [x] [Unit
or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [ ] If a plugin
configuration key changed, check if it needs to be\r\nallowlisted in the
cloud and added to the
[docker\r\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\r\n-
[ ] This was checked for breaking HTTP API changes, and any
breaking\r\nchanges have been approved by the breaking-change committee.
The\r\n`release_note:breaking` label should be applied in these
situations.\r\n- [ ] [Flaky
Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\r\nused on any tests changed\r\n- [x] The PR description includes
the appropriate Release Notes section,\r\nand the correct
`release_note:*` label is applied per
the\r\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n###
Identify risks\r\n\r\nDoes this PR introduce any risks? For example,
consider risks like hard\r\nto test bugs, performance regression,
potential of data loss.\r\n\r\nDescribe the risk, its severity, and
mitigation for each identified\r\nrisk. Invite stakeholders and evaluate
how to proceed before merging.\r\n\r\n- [ ] [See some
risk\r\nexamples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)\r\n-
[ ]
...","sha":"f0fbefa144a07033a75b59fbc58e544f105a5586","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Feature:Discover","release_note:fix","v9.0.0","Team:DataDiscovery","backport:prev-minor"],"title":"[Discover]
Highlight matching field values when performing a KQL search on a
keyword
field","number":201952,"url":"https://github.com/elastic/kibana/pull/201952","mergeCommit":{"message":"[Discover]
Highlight matching field values when performing a KQL search on a
keyword field (#201952)\n\n## Summary\r\n\r\nCloses [Highlighting isn't
visible in Discover on keywords if the field\r\nalso has text type while
searching\r\n#118590](https://github.com/elastic/kibana/issues/118590
)\r\n\r\nAdded `text` field highlight when querying on matching
`keyword`\r\n\r\nBefore:\r\n\r\n![image](https://github.com/user-attachments/assets/8b296df6-5647-4c4f-bfb1-4cd9f575e3c9)\r\n\r\nAfter:\r\n<img
width=\"722\" alt=\"Screenshot 2024-11-27 at 13 10
51\"\r\nsrc=\"https://github.com/user-attachments/assets/c4c0ae23-e6bc-4840-84fb-908c50da5491\">\r\n\r\n\r\n###
Checklist\r\n\r\nCheck the PR satisfies following conditions.
\r\n\r\nReviewers should verify this PR satisfies this list as
well.\r\n\r\n- [ ] Any text added follows [EUI's
writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\r\nsentence case text and includes
[i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n-
[
]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas
added for features that require explanation or tutorials\r\n- [x] [Unit
or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [ ] If a plugin
configuration key changed, check if it needs to be\r\nallowlisted in the
cloud and added to the
[docker\r\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\r\n-
[ ] This was checked for breaking HTTP API changes, and any
breaking\r\nchanges have been approved by the breaking-change committee.
The\r\n`release_note:breaking` label should be applied in these
situations.\r\n- [ ] [Flaky
Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\r\nused on any tests changed\r\n- [x] The PR description includes
the appropriate Release Notes section,\r\nand the correct
`release_note:*` label is applied per
the\r\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n###
Identify risks\r\n\r\nDoes this PR introduce any risks? For example,
consider risks like hard\r\nto test bugs, performance regression,
potential of data loss.\r\n\r\nDescribe the risk, its severity, and
mitigation for each identified\r\nrisk. Invite stakeholders and evaluate
how to proceed before merging.\r\n\r\n- [ ] [See some
risk\r\nexamples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)\r\n-
[ ]
...","sha":"f0fbefa144a07033a75b59fbc58e544f105a5586"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/201952","number":201952,"mergeCommit":{"message":"[Discover]
Highlight matching field values when performing a KQL search on a
keyword field (#201952)\n\n## Summary\r\n\r\nCloses [Highlighting isn't
visible in Discover on keywords if the field\r\nalso has text type while
searching\r\n#118590](https://github.com/elastic/kibana/issues/118590
)\r\n\r\nAdded `text` field highlight when querying on matching
`keyword`\r\n\r\nBefore:\r\n\r\n![image](https://github.com/user-attachments/assets/8b296df6-5647-4c4f-bfb1-4cd9f575e3c9)\r\n\r\nAfter:\r\n<img
width=\"722\" alt=\"Screenshot 2024-11-27 at 13 10
51\"\r\nsrc=\"https://github.com/user-attachments/assets/c4c0ae23-e6bc-4840-84fb-908c50da5491\">\r\n\r\n\r\n###
Checklist\r\n\r\nCheck the PR satisfies following conditions.
\r\n\r\nReviewers should verify this PR satisfies this list as
well.\r\n\r\n- [ ] Any text added follows [EUI's
writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\r\nsentence case text and includes
[i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n-
[
]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas
added for features that require explanation or tutorials\r\n- [x] [Unit
or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [ ] If a plugin
configuration key changed, check if it needs to be\r\nallowlisted in the
cloud and added to the
[docker\r\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\r\n-
[ ] This was checked for breaking HTTP API changes, and any
breaking\r\nchanges have been approved by the breaking-change committee.
The\r\n`release_note:breaking` label should be applied in these
situations.\r\n- [ ] [Flaky
Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\r\nused on any tests changed\r\n- [x] The PR description includes
the appropriate Release Notes section,\r\nand the correct
`release_note:*` label is applied per
the\r\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n###
Identify risks\r\n\r\nDoes this PR introduce any risks? For example,
consider risks like hard\r\nto test bugs, performance regression,
potential of data loss.\r\n\r\nDescribe the risk, its severity, and
mitigation for each identified\r\nrisk. Invite stakeholders and evaluate
how to proceed before merging.\r\n\r\n- [ ] [See some
risk\r\nexamples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)\r\n-
[ ] ...","sha":"f0fbefa144a07033a75b59fbc58e544f105a5586"}}]}]
BACKPORT-->

Co-authored-by: Ania Kowalska <63072419+akowalska622@users.noreply.github.com>
---
 .../src/utils/format_hit.test.ts              | 30 +++++++++++++++++++
 .../src/utils/format_hit.ts                   |  9 ++++--
 .../src/components/source_document.test.tsx   |  2 +-
 3 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/packages/kbn-discover-utils/src/utils/format_hit.test.ts b/packages/kbn-discover-utils/src/utils/format_hit.test.ts
index ba38812b0e142..6e2acbd43846b 100644
--- a/packages/kbn-discover-utils/src/utils/format_hit.test.ts
+++ b/packages/kbn-discover-utils/src/utils/format_hit.test.ts
@@ -106,6 +106,36 @@ describe('formatHit', () => {
     ]);
   });
 
+  it('should highlight a subfield even shouldShowFieldHandler determines it should not be shown ', () => {
+    const highlightHit = buildDataTableRecord(
+      {
+        _id: '2',
+        _index: 'logs',
+        fields: {
+          object: ['object'],
+          'object.value': [42, 13],
+        },
+        highlight: { 'object.value': ['%%'] },
+      },
+      dataViewMock
+    );
+
+    const formatted = formatHit(
+      highlightHit,
+      dataViewMock,
+      (fieldName) => ['object'].includes(fieldName),
+      220,
+      fieldFormatsMock
+    );
+
+    expect(formatted).toEqual([
+      ['object.value', 'formatted:42,13', 'object.value'],
+      ['object', ['object'], 'object'],
+      ['_index', 'formatted:logs', '_index'],
+      ['_score', undefined, '_score'],
+    ]);
+  });
+
   it('should filter fields based on their real name not displayName', () => {
     const formatted = formatHit(
       row,
diff --git a/packages/kbn-discover-utils/src/utils/format_hit.ts b/packages/kbn-discover-utils/src/utils/format_hit.ts
index 99913e32cb78c..b29353253df51 100644
--- a/packages/kbn-discover-utils/src/utils/format_hit.ts
+++ b/packages/kbn-discover-utils/src/utils/format_hit.ts
@@ -70,9 +70,14 @@ export function formatHit(
     const pairs = highlights[key] ? renderedPairs : otherPairs;
 
     // If the field is a mapped field, we first check if it should be shown,
-    // if not we always include it into the result.
+    // or if it's highlighted, but the parent is not.
+    // If not we always include it into the result.
     if (displayKey) {
-      if (shouldShowFieldHandler(key)) {
+      const multiParent = field.getSubtypeMulti?.()?.multi.parent;
+      const isHighlighted = Boolean(highlights[key]);
+      const isParentHighlighted = Boolean(multiParent && highlights[multiParent]);
+
+      if ((isHighlighted && !isParentHighlighted) || shouldShowFieldHandler(key)) {
         pairs.push([displayKey, undefined, key]);
       }
     } else {
diff --git a/packages/kbn-unified-data-table/src/components/source_document.test.tsx b/packages/kbn-unified-data-table/src/components/source_document.test.tsx
index f48e2b58c8424..25d61312dc242 100644
--- a/packages/kbn-unified-data-table/src/components/source_document.test.tsx
+++ b/packages/kbn-unified-data-table/src/components/source_document.test.tsx
@@ -52,7 +52,7 @@ describe('Unified data table source document cell rendering', function () {
       />
     );
     expect(component.html()).toMatchInlineSnapshot(
-      `"<dl class=\\"euiDescriptionList unifiedDataTable__descriptionList unifiedDataTable__cellValue css-id58dh-euiDescriptionList-inline-left\\" data-test-subj=\\"discoverCellDescriptionList\\" data-type=\\"inline\\"><dt class=\\"euiDescriptionList__title unifiedDataTable__descriptionListTitle css-1fizlic-euiDescriptionList__title-inline-compressed\\">_index</dt><dd class=\\"euiDescriptionList__description unifiedDataTable__descriptionListDescription css-11rdew2-euiDescriptionList__description-inline-compressed\\">test</dd><dt class=\\"euiDescriptionList__title unifiedDataTable__descriptionListTitle css-1fizlic-euiDescriptionList__title-inline-compressed\\">_score</dt><dd class=\\"euiDescriptionList__description unifiedDataTable__descriptionListDescription css-11rdew2-euiDescriptionList__description-inline-compressed\\">1</dd></dl>"`
+      `"<dl class=\\"euiDescriptionList unifiedDataTable__descriptionList unifiedDataTable__cellValue css-id58dh-euiDescriptionList-inline-left\\" data-test-subj=\\"discoverCellDescriptionList\\" data-type=\\"inline\\"><dt class=\\"euiDescriptionList__title unifiedDataTable__descriptionListTitle css-1fizlic-euiDescriptionList__title-inline-compressed\\">extension</dt><dd class=\\"euiDescriptionList__description unifiedDataTable__descriptionListDescription css-11rdew2-euiDescriptionList__description-inline-compressed\\">.gz</dd><dt class=\\"euiDescriptionList__title unifiedDataTable__descriptionListTitle css-1fizlic-euiDescriptionList__title-inline-compressed\\">_index</dt><dd class=\\"euiDescriptionList__description unifiedDataTable__descriptionListDescription css-11rdew2-euiDescriptionList__description-inline-compressed\\">test</dd><dt class=\\"euiDescriptionList__title unifiedDataTable__descriptionListTitle css-1fizlic-euiDescriptionList__title-inline-compressed\\">_score</dt><dd class=\\"euiDescriptionList__description unifiedDataTable__descriptionListDescription css-11rdew2-euiDescriptionList__description-inline-compressed\\">1</dd></dl>"`
     );
   });
 });

From 1b7c2e8c1457404a4534fe69a2c2b082f1372acf Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Tue, 3 Dec 2024 23:41:32 +1100
Subject: [PATCH 09/23] [8.x] [Rule Migration] Adding CIM to ECS mapping and
 ESQL validation (#202331) (#202668)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Rule Migration] Adding CIM to ECS mapping and ESQL validation
(#202331)](https://github.com/elastic/kibana/pull/202331)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Marius
Iversen","email":"marius.iversen@elastic.co"},"sourceCommit":{"committedDate":"2024-12-03T10:51:19Z","message":"[Rule
Migration] Adding CIM to ECS mapping and ESQL validation (#202331)\n\n##
Summary\r\n\r\nThis PR adds the initial context to map CIM fields to ECS
and two new\r\nnodes validation and a node to handle esql validation
issues, fixing\r\nitself.\r\n\r\nThis is how the graph looks compared to
its old one:\r\n<img width=\"646\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/253e449c-ac6f-4913-8da4-eb36f4e7b982\">\r\n\r\n\r\nValidation
always runs last, and if validation returns any errors it\r\nwill run
the appropriate node depending on what validation failed. Once\r\nit is
resolved it will validate again and then END when its
successful.\r\n\r\nCurrently 5 error iterations is max, which is just an
arbitrary number.\r\nThe default Langgraph configuration is 25 nodes
executed in total for a\r\nspecific graph before it errors with a
recursion limit (main and sub\r\ngraphs are not combined in that
count).\r\n\r\nA few things are included in this PR:\r\n\r\n- Moved ESQL
KB caller to util(any better place?), as it is now used in\r\nmultiple
nodes.\r\n- New Validation node, where any sort of validation takes
place, usually\r\nthe last step before ending the graph (on
success).\r\n- New ESQL Error node, to resolve any ESQL validation
errors and trigger\r\na re-validation.\r\n- Fix a small bug in the main
graph on the conditional edges, added a\r\nmap for the allowed return
values.","sha":"c1d976b470bf08d472165f7751a444d6968c48d2","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:
SecuritySolution","backport:prev-minor","v8.18.0"],"title":"[Rule
Migration] Adding CIM to ECS mapping and ESQL
validation","number":202331,"url":"https://github.com/elastic/kibana/pull/202331","mergeCommit":{"message":"[Rule
Migration] Adding CIM to ECS mapping and ESQL validation (#202331)\n\n##
Summary\r\n\r\nThis PR adds the initial context to map CIM fields to ECS
and two new\r\nnodes validation and a node to handle esql validation
issues, fixing\r\nitself.\r\n\r\nThis is how the graph looks compared to
its old one:\r\n<img width=\"646\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/253e449c-ac6f-4913-8da4-eb36f4e7b982\">\r\n\r\n\r\nValidation
always runs last, and if validation returns any errors it\r\nwill run
the appropriate node depending on what validation failed. Once\r\nit is
resolved it will validate again and then END when its
successful.\r\n\r\nCurrently 5 error iterations is max, which is just an
arbitrary number.\r\nThe default Langgraph configuration is 25 nodes
executed in total for a\r\nspecific graph before it errors with a
recursion limit (main and sub\r\ngraphs are not combined in that
count).\r\n\r\nA few things are included in this PR:\r\n\r\n- Moved ESQL
KB caller to util(any better place?), as it is now used in\r\nmultiple
nodes.\r\n- New Validation node, where any sort of validation takes
place, usually\r\nthe last step before ending the graph (on
success).\r\n- New ESQL Error node, to resolve any ESQL validation
errors and trigger\r\na re-validation.\r\n- Fix a small bug in the main
graph on the conditional edges, added a\r\nmap for the allowed return
values.","sha":"c1d976b470bf08d472165f7751a444d6968c48d2"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/202331","number":202331,"mergeCommit":{"message":"[Rule
Migration] Adding CIM to ECS mapping and ESQL validation (#202331)\n\n##
Summary\r\n\r\nThis PR adds the initial context to map CIM fields to ECS
and two new\r\nnodes validation and a node to handle esql validation
issues, fixing\r\nitself.\r\n\r\nThis is how the graph looks compared to
its old one:\r\n<img width=\"646\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/253e449c-ac6f-4913-8da4-eb36f4e7b982\">\r\n\r\n\r\nValidation
always runs last, and if validation returns any errors it\r\nwill run
the appropriate node depending on what validation failed. Once\r\nit is
resolved it will validate again and then END when its
successful.\r\n\r\nCurrently 5 error iterations is max, which is just an
arbitrary number.\r\nThe default Langgraph configuration is 25 nodes
executed in total for a\r\nspecific graph before it errors with a
recursion limit (main and sub\r\ngraphs are not combined in that
count).\r\n\r\nA few things are included in this PR:\r\n\r\n- Moved ESQL
KB caller to util(any better place?), as it is now used in\r\nmultiple
nodes.\r\n- New Validation node, where any sort of validation takes
place, usually\r\nthe last step before ending the graph (on
success).\r\n- New ESQL Error node, to resolve any ESQL validation
errors and trigger\r\na re-validation.\r\n- Fix a small bug in the main
graph on the conditional edges, added a\r\nmap for the allowed return
values.","sha":"c1d976b470bf08d472165f7751a444d6968c48d2"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Marius Iversen <marius.iversen@elastic.co>
---
 .../docs/siem_migration/img/agent_graph.png   | Bin 23303 -> 42382 bytes
 .../siem_migrations/rules/task/agent/graph.ts |   2 +-
 .../agent/sub_graphs/translate_rule/graph.ts  |  29 ++-
 .../fix_query_errors/fix_query_errors.ts      |  38 ++++
 .../nodes/fix_query_errors/index.ts           |   7 +
 .../nodes/fix_query_errors/prompts.ts         |  42 ++++
 .../nodes/process_query/process_query.ts      |   6 +-
 .../nodes/process_query/prompts.ts            |  10 +-
 .../nodes/translate_rule/cim_ecs_map.ts       | 181 ++++++++++++++++++
 .../nodes/translate_rule/prompts.ts           |  27 +--
 .../nodes/translate_rule/translate_rule.ts    |  21 +-
 .../nodes/validation/esql_query.ts            |  62 ++++++
 .../translate_rule/nodes/validation/index.ts  |   7 +
 .../nodes/validation/validation.ts            |  43 +++++
 .../agent/sub_graphs/translate_rule/state.ts  |   5 +
 .../agent/sub_graphs/translate_rule/types.ts  |   5 +
 .../esql_knowledge_base_caller.ts             |   0
 17 files changed, 461 insertions(+), 24 deletions(-)
 create mode 100644 x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/fix_query_errors/fix_query_errors.ts
 create mode 100644 x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/fix_query_errors/index.ts
 create mode 100644 x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/fix_query_errors/prompts.ts
 create mode 100644 x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/cim_ecs_map.ts
 create mode 100644 x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/validation/esql_query.ts
 create mode 100644 x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/validation/index.ts
 create mode 100644 x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/validation/validation.ts
 rename x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/{agent/sub_graphs/translate_rule/nodes/translate_rule => util}/esql_knowledge_base_caller.ts (100%)

diff --git a/x-pack/plugins/security_solution/docs/siem_migration/img/agent_graph.png b/x-pack/plugins/security_solution/docs/siem_migration/img/agent_graph.png
index a4039ef4a74461e37c9be915583e62af447d3a1c..ecccb602e20168b077eb3fef1278259c452d02ef 100644
GIT binary patch
literal 42382
zcmeFZ1z4QTk|;a`OM(T0d(Z?8!7V`W5Fofi@PWbI36S6nKDY$eA-F?u3+{uvdvLpx
z^X*N(J>S{gvwQd6|JmpHduHD0sjlv~s=KDUx~lrUpSoWJJb5c2EdfA4000o+FTnjW
z!j!bAsNQ=;c?s!v;(ru$1K<hiB>-S)<zS~M`G!(mLz5D9@sAom%k&NHZGL|L8wuX-
z*~HJ*0f15Fe*@>=13xk{wl{<$9Kt^|cJQ0SiN%HIaZUfoKmVCG_#-dyGw<wR;{eBb
z|1)o=tSAc48^QC>P5+cP_*34{#_lJ6C>%$?(!%lQy?&;j6r&qksVKp}AHqMR0DFKU
zKoaogC;#x@@MN6<0Pvgw0EiL4VFn2RK=o$;fDrZ@Mw1QzV0{7rss?|<e)oxuzMcNx
znnQwLADEZ`0LQri0EPwt@N@_Oc&zoeGWg}+pp6n<L<*<N8vZf`SOAOxlmKaf6~GX{
z0?)kyyaccTxb9~Fq5#AP4}QMk2?_p2eu#{WgoOMU6&2+n`eSr-w8v;@7??OuFfg$(
z(a@gYKf!*Ai-(7YjzvI-k4uPyi--HO5d=hd9VFyO$jFayG0-q@|I_LI8vy$uqBX)c
zA_5iQ0X706Ho|>7fDA5c@B~2oDT{w36l5gS2Z#?59>I%sp8yaL5g#BRKg4(pr~EN0
zd~_bbGbq?N&rqM@ia6jCP_c2T#*{t8qv2FgREdtQ7#<y?e)UF4S>M*Ne1x6bhr>QH
ziq_yuY0D!*Ix#gnU%!kt`sbpM%=RUC`y_wd`uEM@!~Xyg83_dyUicat{^vk|^NfNF
z@3_Cw2QNgz#$i*ijU2|sd&bV8q#xCS{8U8oOBt0x>B!P6J0EIM-$R-=tw;AT06M(R
z18hWWfDqswpgfF?fc*sfKYy{EgMQTj(iG;+uX77etypbzFFSyU`DUfzl2!D2oxVqi
zHKPB;=Nk>6uVOb9*_$^b=+FyC+B8HLE51>&cP0fk;n!byxXi83dU??u35cc0F+Z2d
zO+?;(D#@)Yr0>Hej~T4=beJ*`l6(SA?XdJ^OGgKTxxnNs0M_bS5Ni)EdFWuN-Yo@1
zh8xAec2OGBdpD)mWBUa?#~rBI?0b6iYemg8@7>s6x9@BA9gCx8vhT|O@bC%{y_{2t
zUJJ&0YYIyl*Lba-{v*e;@Ori~ZZ#N7!gMO7Ps2+p{fCKX&|P@=(55$kL77LX$kw}S
zwO)b5LB=)>r!Vf|fn3?2?g8`7zmP+gZ{)fd(I`x+8*@7+6~Fr30}Q+~SAIx}sz9-T
z_EPpzW7x}#S2<~ZqgwOZp<a4G^GcR!M91uiv<Z<sGvbRrr~0l;|7_sY0ZVO_3&RHv
zX9h_W<xv7FKxCdfS^5G=&7PBAy9kE8_ONDND7ykr*I1j90yh5h|H9Dy8tiu}Th4=9
zW)zv}6~n>HZ6y~YwMXp-etw3@-baXI`D5RiH$Ae(;~tRMREqYe@PLrY4pt7g6bC43
z?oLHCG?1I3+zRqna<YBE5RDucLux|_sC}{vd|HfZ#9z2-2et~OK^bNC#Q_UO6tpEa
zAlJ9;q{|Kfy?jTZdjQoPmJvNIm=aU*@K_#zd=+;<kfMgd+&715X;a^3*kR`$hJjeH
z4BjClmCY(nOz0>RMVouh9|F^yw_(c)9~i>PxqNyiJYNnK`||xDUggI`6`gdy<`z|i
zHrkp!s#sWg?X^axGm(?o%GgJ#?`>Z_ngZgMJSvxt7uCl`CY$a^T!V9h&o(e#<bo4E
zo!Aoq&l@TOWcz8awzG=`l8@7@&t5CpS<ki~zHZS#G)WCUMPlv-lBnu&JZUV!`q+aF
zI7t#PuG@U?7Sb5)vPOp%zZyp(csI;K+n-b!)fC0EvxI{ZKT9$|I6H}I{?IEK>sxNE
z@R_upg=74)@?*~^X>rdczR!DwIXOnB?;o3fA4Mcn9O)AHD9J~XX&A%9IpcW3H!ob)
z!$z(JWJ*p}G8jv6gibNz2Wx$1tm;EtwJ7b&Y$Kue^E*ZUK6K~mjJ%)RWH61lxL7@F
zGR8VSH6TJZqV+x>occEY-P1QmB&*MSR#Gt$+7T;`jwnwb6UV74C=Fb>no%%Wy611q
z42Vfhf~ul8$*I3kD}0MR&qM5kVwoE$PqS!&4JOw++cZpS7G97jNInDFhTQ{VMiojz
zZC<mj=ndX1xia1ZV7e4PPFd$Ee;~6(ZJBo;T^G4=^zl}WrG?{$(WbQrY4&p-p*G7C
zp=!27YTEU^BaopT0H0W-Idf`R=NTRLRCYjNXE>N(Br>cA4>fqxw;a{i5FKC1JAic&
zb%@Y(UeGTRmu6nncrXs@-@174Ie&;B$rTgd5DpA{82ItOcJZU8E|+%jPjr(kV@yF$
zzNLu*l{<}$bZvEk5|^=B@?O6rI2()@nNMM6{FqbIDmZE#4|ZZHcDSV@&jq6v7K51j
zCb%uTH3&<xEd~Okar<qJN}sMUMP~8lUOcJFDKL38*{o=LAyWv0vEKs<T22gi<w0gb
z#sTYHQ(yW0?NO%e7<bXPt>598-IajCZ{FTHV+*BlAEbrs$Chc_+ykUvhMC7G&b7;L
z$X;(OUuW%8dGlE>2ocQD*Oy=3MI}>fW)sBPDOlB+XeUpxI+NxcGZyB5D!0dJC#s2F
zCY@foD=4oCy4h;>xY2V+-5=bzlKuozkQS9?>|2n3I_qI&k3j3;S(Hg}l|{kzx<hDI
z?9O4K$&0m4Z+>ZwFJSe2qvE1VDy;b|utnb4^yHS7P@<~8b3-It!G2t^O9sHNK2fcB
zPX4Uu195Fvelb#Nx~eB+K|#wt>e4nKKHo#TgO-i2F7bhAGTHcmV85ADGD;^mcx1z~
zs_6A3uxKl?jaJs{lLKrzP2nYKC-HfdCKeWQ9VTJ`pejaIdH5;5H$~7_F>zlcF<~*W
z|Fet8MpM@a7S)B18I1$}ru>mm1AGQ=eB^pidaiqX0j_&Gq;*+mwjzXzb;0`P|M+gd
z8xYw@?JCWss__S7o};-`0I_fyF<duFcjS)ay%HmbNLGj)Q?oaL|798eDf%HRG@<_7
z($tCFQ)tN>WB|lYX^~@bT)UmU@v!^~t>+2W5vZcHof#4`jPgO9TwixleE=yA0;2NB
zM`tH5Z~eQrlssW)c3Sda>^prP=3y~+*Lbfs!yoxgdx8z$h4f3Wloy<mA&s_8==hr%
zzd@<<CKO+%ZW*lW<z#eg7EsU}6v%&p<gMAUrYyW-x#x0eOSG;1kn4^Ijl!8#yt?jW
zX}+5sCD<jpndf~e%ndHdJi!*S*^sFcdQZ_`Eh{9i<6=Aeo3Ng~JnPF&R>!XWvwA$)
zvJF{UW-*f-D<*d-J}-G6;%zJiz#n%&4ZlWejI2y9U$L8d*0x|)X{c=5Mmu-9EW$D1
z>_-?XHYY%~Pp?aiNlt(@UieKg{3b@{Hryjc$pB*RE@-I55zC2JF3)I`7uyvQh`y95
zs)_n-sF8Z+d)pZaMYim@Sr2HEWU<96_)nm{b^U9M@R6MBiq*=Uu)`14;@H1Izj?6J
zJng)Asg)7<8}z%6d70f-JP7|)w|gW-7=KMUhV9{@lfJW==<bSy>uPm^oVQ&f*R6jv
zrkSx^uCsMewOMFZ9k@^^Lt`~r+D{8L3{b#C!an>AYlwdOZi(+b71hW8)L%!PcPHef
zcG$N~@v1Di8q;exuTFFih;XGphNW%sS{hD_Ry`%wR{e@x7J-odr2OMOU=A(YUQ2K<
z>mJ}Rc<sBTyIs+XB=-JcjkQ{z7q2B`$+6gXK@=P4DgMqU)Xd&b^O2zO01&Y#f^X99
z0h3!p-Kc2HOli;dnXVP?sLH64y|uuq0{$bi8jMU)Y95?Nlm2yh(Y^Ex7hSZ<Rac>j
zO`7=H^c-WwzQJy}eUxUlKqDsiX3nggoMc?X2er8CXuT}ly~Y_bsq9X^d(xyikKXC`
zd%VITp)veuPu6Z@gBqv|d|0~HSNw8q?4oV^N0YLGv~6%)lJ{r1t}^asrz8n*q~9CI
zm2beuQ^MlWF>9&~EIpj_CyKzm!zP}EmqEwCEgB0867@&R8x<}!p!~(!{F51ESygGd
znPi1#5_>Hthoxaj=_2NM0>N(_V9S<{ZxN`WzK;#Khb1>ip$5q*hE;ugSDV}JIs-0S
zc{w@RiFt!Gk#!QBMW4fM$BS$yWqG^~>t13i*@BfVqbFAgfcr5&j^pWphRYBlz@$ZF
zW3fACiW~x4*n=<ls%kN?!%(XguSOLIM%g+7Wff(6tLUV#25HzgZSRjr#XQ*-N3SHv
zzPpPidOdmX5s59ex;k|a7_PP*V;OhDy3<$bm5kPNhu#DF3+@4Vg>jIRNtH_Tion2z
z-oXFN%8G_4bc{uFr=@gD&wT2Wc8MD0&76N14Ve(M<kx4*?yxwoioP8c+DE%|a?h+(
z6$CT8>$_r_4f$0Z>CKonR;2AG+yiX%9EQp=h^Qj0!uFVLCS^qy)#{301+0AMn)9eL
zZ17Q2Hcjx`X2&N6^_*?%(1$8W^NUIbb0a>L<moS=tcfEa>$74iXkt>m2Yi-y>a|wm
zIjIZv>Kd{}fz-Jq$&ktQ>}aF4TYy$+Z*)a9c}l#ik5xi6^Gf;NYUy#x2jf_L-@-`^
zDUu85)G53{t#NU0aJ#sGGFDUZs2m5c$Y_|bf|nf6j-9*I1nh$MElW?1x+eqL_d-D)
z4~BCZcv5Wps828zXwPnUE!P-&VzsSU^E=re^YKvZwa4OA5y*-yk;XnNt+SbrI3_*Y
z$<sgjinpV|oB=J54ONTkwhQ$i4C^o`Y?M*LfLU9xus`;fn9@-_Cvy5KwGlxEO_B_>
z`9b3ROr18T&AV)5<?E|aFOc{^<Vg3$wv1MVV9NlXK-eRf;Q>k<X#mvi!0-&!zN;9b
zS<g|43+YJ{#2wK#4^!b^xLk`BI1m_eF-QEthe`UtIC4FqgdU?{tu2}fxH?Tj>EGhY
zTGM4`4_dbtd@D-!9_5ykIz-AT3=rL=&QKJ`nC}<;&@A~?gKt~fe9>5xF2i@0B5*2S
z&6G(z+dKgmPrcb#1!#rVEA6YDLhuTnlV+iDVWzxEPF~g*Z>iYz=Ns-u@ni%1eW{%_
zwXhV&mG+&}kz>&y1=aWCqGr<y;!gQZO3hi{om9tAgR+O3MeCEjeI0?5ABmB9jl5jy
zkKGetuCiTL+zlUBoIUOV^!I?QyrZ|Z8t4u&XFZACuC2tn=O{QEd&E4xb7&&O8q6%l
zQFgWN-*)kwr7a07p}}um7UIWX+qn)mD=7*zt&g(uhbq`5c{uA`0<4y<_)Y?0b|l47
zYc^S1cvYGK<L_k#;Hw@qY?v4J0I||=mcxb`+$8w8b)c50tya2bM4R=@E7~?Yum#VU
zQ+cdBFlemP=<}|9LJ1j^##VqQM@O_Z?<-Rr-I_a6nJF)ZC!IJ7o-Jn_y7}^zE8UEq
z+|+48s3EwB$-V+4V(+18!y?b#kXpjNy4`2f4T3sM+_XLW`nquh;trCRm1O%o>c2Tn
zI*GwKdXhQW)#0ux-c9!?R?^J4wbOgE;F<LoPiA9r_N}eXv}nVO$Se#1YWNcl#)9fd
z3x@h9l?MBz;_}9oZ>KjYGa+wHN4mMa6nPEpjX(n%=8JoBEBSn}L`E(IFI<tgWrUdU
zz8b|9XcX~gr}AM2*eB9;kcOp$r5r#X*&;czx-RR%b>{eB6>H;>@!ir~kMfSJcX66#
zDNj$06A63@rTC?-J~z>GKvG1Wxsy>)*3dRnG^lUwQZX9Om!W-jcu-(xnin)&$BS0I
zk2!~Kv?;Ot$SHeZ64Y45IVU?qb(Ztgxn3a{?Ni6Vj2Zxd(nDTPDvVGc;yCJGXQKp>
z+;}(Nr4n$g)XmoACVRHTr2;DSMVo_}5nqy7<sBjoZlK#9E>8FkcZqZuC@!$t!ODx4
zp?NDBj(uETVJs6`76<y(;_@oE&%&cyUOmc;sA<4}8p2*b5fY!~MQ$mDk?7zdr>f^$
zIuq`XDM;Jo$5xy&g&mcCUwAhBB}xFr%ao#jk-+gD5P2i?yhe}F3ZlN9+c?}IYCEAp
z+#8?av>6glO41l`Vl?XR0$6+yS|&g}E#y`bwb$F9nLEZeO+go0fGcnk${asF#?jNi
zlkN)AM5~w-Mh#?UQDm9+H|;}iMlF49q6I9CXGKYkqlWa*Do4HB?7Q4dk3BF%B<8}%
zRNLO01)PR(Q%*4lyH|{zy><gtqE<RTVl3DwaMa<-+KuTwC%CgE0YgVcpdS%V=RCuw
z@V5I5E61m1x7|st{O6cd#<7)0B|I!Fb|YjePAh7_hyn2bne(xbMITcQ85yRT2A=2s
zBNJ<>;LI!n(E*-T3RZ6N^T0mM4GXJf&e7lsjj1z1s}80Zrx002U~z?QV7kwzh)!^^
zG|fE#$5E5vke8S9yzbxzR&o_wD|HMya9p^o)H}tqJJEI9t}0fI#3o2k_)nRkKA7H#
ztfuvuduOdRH3eTihbnX8M*D7>Q#;55Hf6LQ3Z3C)rznWqD&NquWpn;od9tN+UJ>s;
zPE8GNn!nDoC{++q5Eancus_B2dpb`_F1(VH=?AVu%=I9cITh7i`m8fWe9nFxiyKBS
z`h}9HK@VZ)2u#e9H5|HvCvmZyjQg-uu&Vho$^J)yP_w*c$(_mUEkpRhn0s?Sxw%U`
z*RX-RrS}Qf#+I_TSL%%3O@Hl`3dKTh{mt-tZjhfPK7G~XJ%HWHD^~J+Yp?Pi@O>sN
zTjBQV|4nt=eiJpP>fTP}WdbR}bv`-QQ(Rv<e~2&X9ekGg#DV1NvIPy0YyQR6=-eIf
zM5(={D&*-5=pK+zE%Y|?`o|gU9<XjXIFfgFE4Z*8&MEMY1o)>;(W6saRl2}lR(UVw
z!g(57(H}_hxg*^D;~fV5Id0EoW<RNdU;Ur84~QJQ;l9_{ixgI=lw)ZHftGsFRrkJG
z;jzs*xsT=!0F1X2+ShIw^_m5_5;Q-$14EGh>77#uSN*f}YHc8pE<O=9DHtI_LVC_q
znlvl-aSveD0mIN9hC%`UQLD9cz}*Tw&dO7^5k)1j%k@Mx;Dp3*VY0UksVXz$G2;zK
z^!Lscj&j9bhUcjh@;bOsJ_)ff`!8m|!@v<?ZQ)5_XGd5mnsEUXQXjt+=jQfIn58mN
zMs?HKirFC-40Zxj0v{m;Af($3M$K9&k5jb(J>NCrFeGZ$NB1++3`DoL3Ol4%HeuhS
zsT1!&(-?|Os`jsAoca4@icjg1+oY{ovK)oDzqmYQYn8MI9~~iDg^iws<VB+5HT76m
z3~CADVQ|unmz|s{wmeneS{=eTpfukA0>(}Od~xPf52z@q{&d00DFdgjND9(wV~;Bi
zl4L+0#gq3CE@dXJry@O(qP&=3&u3A61lw`fbIQmo_#B><=p+WDoFd$K<K*@J0pW31
z4H^1pDBmmgra&Hx$vRU1IWotp0={0!+Fcw8$KhRD!>OeeP~urF)NH7-pYo#!TCJgO
zv7^VyJ|s6lM?X7?FyGvqf{a##hBrg!%Zy942qh>)bgl)qC+O7I!8tx|+j`J9-1l9%
z^<W@aHq2}E9?*IgA^CvxiSwV?_&cut`jdsRV;<6GkyoSIy}9+lY6Bv%Me4FiJi$T0
z+a7_a`H1Et0uAzUy-r?{>ekLa9-G4Ox498{_NvOvj+Hw;0ACM+ji#mJt4Xxt@vl{@
z6Vmdy4rPtQ;%Hfzh^?b)HJqOZU_u-S-^@j~qf$>?^If7$)i?8Zs2~K2-92<gL7Db5
z&)pw}LB0JlrJW{rYO`V7Zw3vjSALANSY-u+Uzm7``O<9-ygern+<(o@+rBNmtmgKw
z2I^n2#FVtxl%YW8iI&6tm`my+KS}9(o3e~t<Xfj2OM20IGkdoh0>q*~Udzhe+TpJE
zohL?z9^$+187_;Pv+5h%_EOAzIGm`#+e%DqhL;gOIg{d&ZlG)nSx{y{ezBp%xrdq`
z8p#+bZ}SL6(z~A~h9;ceZYqx`o>yECHh8;)0Y_0^QJ>e8lE0r3e353}Sr6i8Da#8h
z_cfq%cpfQt-rjMuRQ1y!e-IRM*=F(6#{OE(`QXLEqdvYEsa*GEgFBnQ)pY)ax#sM3
zoN{QK@|H%a@rccv$1)Y}0pS0IXjk9tDtGZ}ARFh!{6&0oGS}cw3;r)eUY&)8Tn{2s
z#UR`Rk9T?lB&KjDfZQ*{Waz=XQWJW4zF4qx6CLXYM)^p>S?+JdztM)GF_t0Dzwngc
z#D5xY@mKnd$XI_KbKu9ctw5FXi=q7Ah_Q3mz0NHV$A8Rue((P68vo+|XvRIPD{aTu
z;%^hGxs=|CO-kpHNe()6Kf^FdULrA==J;`ddXlV>>4Lf?)o?qTyW%<jDyiNafuIr^
z0jn@+-FLurPrZ;_-<>Q`Y5Y^S>8#v#FZ}<#{(nu}YAm^D9Isx`R!u5RN|ICw{y0YU
zPvIQen*5^EH!Q0>NtB<gue=UYW**Ym(a{ipGX<?EO#ta{Al7aK+mbw7?jbip2Q?7@
zU2yWo_B}P3FE(C-@|jyID-5$#+Xf{#3j!@?j#8i#X~Xu3Zm~FDsi@F*!+UmejpN1`
z<H*l_r>6~0A8dEuq}DlUc)qE%J#b-8fv~=3LB0o+<eC<0a&TZ{yQuxug(YEE+uIlt
z8OmZ2M;R|E(X*5TW}_y&G>TmMQar!zm(Jq4l4nTnz{kkB($rV*i19Xj`UN=h6r2qS
zE*<W`j%?*Ad={mK@=<z(t09HYM=gWOJTT_%vYg6cU@=FW<T@9M79$nJ&3saa^2s2n
z6?){Z*B<EvZ$BuI?}0EMPE!x>`!<6*t-X>yi+44%ggwB`IlE7?id`SoH>c~>0v<f1
zBy(JB(A=|YyHq$6wqvs|f9-p1<Uj2VfvCrmJ&bL{sQW097&frI=<RmwZOpt(>Z_}2
zaT@DTvo|s+k7hB!hlZ=9Hc!}19idWZ|8#YIYOf!KYQW-+Gq0s=j0zjYx!l8!Yn=05
zRqD|3I>=G12D6H6<kxsc=*!l_a}M5O*al)vg)eHTU%~Z(#yn@(Y@X$$h5tCHM$NlS
zQFWpNy^_@7CW&-Wrz-%Uw(-{8GWykb!H8<!t>@69f=*@=hTQgPZgJW=(+d{r6P-+X
ztdHdB>7Zj7E^O1)9k?~(OY??G&1c`o4O|CSjxx|A;3!Ex?M#t<<)Aw_DXAs9pOiF*
z$-qr$-;ZFsK_>RCwturga2=sVg-iC>jB!z30qJZp?%{W1+h-YUmzEqfcUE;rLyjtT
zjRE3*^RKqwfhV25!oGM^azeH@O+xX*oUE~C8V&(CoHUq~m;2Z8{l1FVRC$?IN|W>b
z+llMFXenshFZz*&6uxa&OXfs%kw?|`Qxs5cey!!psh(qRQZ05ly)k*eU;|u0*2bR#
zE<*Fd#<6SOOc@&4q1b<|wwV=iF|(!in-lBg7vza=+-5b>WpiD<>xf!8=ZCw=DrL!N
zoGuT>Dh9!3wdFLl`?jPv7SXn!TqI>tLm87Go}n5gKdSisCC$Dxj&BX`RdNnXDsknC
zlyUR$!qPsn_Qg({utD5$5Bc1g#W}@26IVh;X7!D<XtN6Nl)t;vAU&Wc)W$kguN~KA
z2X^whbd<Sa#`ap?ooF$G6Mk4hsv4u%e5bBV{iD_;7qO5oP`Gz;wXgG1!^u%tCkdJq
zOG!<N$ErgMddv$f!alX=*!mL$)PCu=n&ctt$a*4RM5e3@>Z83{NK-Z-G$EJ^gZa<l
z4K$AG7*=<n+coY571_t{9XNBH<oKi`6xNh5rFW#)8o%zwj(k6&Z8f|+QQ#J|9#qC}
zTm9Aup&j(aU1VtjVf(Q?ZI6wNH?4N64#RO$Ds%5Hk6@F#if0aQijp>&92prujBs;X
zb4$}P2o_ndhw4=DqC6D78@@2Obr<){D1t`KjpQe}_&(fbu>76}TK5Sb;~W6;`A1ED
z+~eSvOQqd#Z0atOn@JniU?{;i2Voco&gUOXLx;*BN+U>AbWa!Sb?I%q6^I>6xH?=#
z30avG7hEOamdn0W$xj-(Q#xqfiB;Un#EHO<NOh`ps#}EP?L5H8$8w@&0<5@c(Tor$
zAZ1yqoSt0IzC*(<bL=^4M8AwSV)8^!`ceHGlzdrmLTWU@7F3DXBJ-P_I}QGMf2>Z)
zm@gw2E6C^b=?HJf9Ch~7(n!uQr)9a1F4`)X*eS+%L%JpdUpH;uf;?pN@Su&N8nQHQ
zJPiqm>V{J!h1DDw4=Ga_k5vg&xM?T%Wy=|0TG1~HjdkucLBiE<FL%$(dwpM+_le4U
z@<Kzf-rxiyVbW@?k{0*(iXX&6R(Ksv)Oxm7@75I8gHg)B{`EkRfzi#V_Oc-kKPdHp
zqzMy0iS?7@<voCob%Z+B<JnmC<H-0a49*&f?di`W7%>^b?@UDNC9D8@b2)Wn1X`{l
z9cf_6h-%sjz82~k5|)f6mf#KEmM~zP(}+wUkobrOi};YV%8f<tHcTKv#JU>BtXgnl
zmR&Q?SX@-#JN`8N6<_I5WJR+JK=1}Jd-h;qB^Iwr%bRYtXoPEXr{7m#hP?K1aESYh
z86|n93ZIie>Yz|2_b)LII)S&J!W_pYk_ZbWnio5+?g0#Ih2)jTda>&+d!5s9qf^gw
z3n3)NoxFtS60Q4|BkV5ve2#v(->TtSrR@!jyKL00YL+p7#jx=CW}#uKrX&xjN}^(W
zbcIy-h_y$cKzEmDtu6K@`T@4GA?{6*s@8rr10lLYC1<DX;a4(1l+-fL_7ZgHaKtSj
zZ+NAuNIniM{yAz!+6*tgcp@=fL3rv@Y3K7a5^Z9XFHrly$#!W4E?exC8^UHWDykEv
zf3&;k==8|w<$oun7N(eAWZKJ=S<!atGS09+%P(M=R;QtsEtooq=EQZ`@5o&Lwm{V(
zxVyHyb31UR+A1KV5{9K<Bfz1|;QYGK5tHLG$tJ5ZQblS$T8n`H$($02)856vq@lc0
zGL~Y74l<IMNJ`|Tpu=w2)n~hv`9m#!Cf#%$4T|VVxjxoBH5S1G<npqPZRBswr$2U2
zK@$GHRIHDe|Mk}HU+oxJ3$t6UHtzu&k0q{gHCWV?fKXswm4ZSWf8IhTZ&vI`wFb$u
z4KTz{9z$E2*gx{n2_clXW1x!}DLS9dpGD}Fag#|fPBuGP%}l#}P!5~$s<m8MQmn{L
zn*thsXOqH$H7R)y;8AEiD7EI=BljUV%XQz?>aUkf7r!m^0+t@o_fgdJqp`%H?quEr
zlIdmqPKWOS1Gv_|u=3}x@lULVH?h6V?Zv}gU#s7C0=-jWz1r&X1rre;n#Jqm^z2P1
zOF5xA?Y+~gJlekjH$OscZywYAmo}fzpHEdMIfV;{Tq`x6F|W^M4pH5WH<pwa?b-C3
z2~t3W>`FOW`~G)7n8uL48t#?#WfUJMQ-6_JoLz#I6&vQwE6-2&VZ5cy%;5t$@fP$G
zIb-;*#>NgjLtLwYKOQz$8j|;v1$8o;_EFUGelZ?dymjzC`Lt!@RVQ@W8ulB_TLK}Z
z!k4XHm^zTkpM~O<fj6V8A&tpvg@ZX#eEL}kQE%R!GP<Q;SslbooP<XbJ(7<S-EvgI
zcQQqIsZdjRtR_jky>TvQ$1IxEz|BBybcBlP$oDVf{2vM?f7-YMliBgLzO==;3bmW8
zg}|<;W_;&dGZAdhY}?*vTluYh%;TzIL#){GG04(LKFJ7U`bGxvSUcBGxdg%Ga&#<j
zQbYv%iK&s7ybeE8(--ZU^9KBZK7u>~Rms)U(Xzg6yuNVv7K`0dHy<0;TTgyL&EYTU
zfg!Cm|4w)YHPM~nLNjE@TQT3VNWwe*{9vtuVyr+5w7*+dAXJq$LZp@@CSKtCTvvft
zyZYGGsSKtAY%n57syB^-%o*hxl@l&uyy|vt48yQGJKc6%d>m7_R(FoYQdRT@{mp@j
zNm1#m<t;;h{C>36R4)4{>y+$LiAns%FWJ|XLp;dZ2B>8jCt7hVkZW>7S%bP2S7s=r
zU~xu8@T$P4xVm5Qq>77kY3)jI9!*=FSejIA5{u=BGif<hS21CZj0g0qa-!zOu+q0@
zhP9E54?Ut^lC{hTlZuc(0Y2*p#gY?W)9t)dWhMP;XKmf2yNjn9++&DC99KrCIBtF(
z_5maI05&v)#Y5~!Evr_LAJoZ)B&Ns)cW1mjy6e!|Q7Ysl61ofsKVw+XOwlMwJge4{
zJiF?1a}W*;35@)U!PH>owSqBO4n<*SzVZb78omNd|Ej?}*4c_Im1}U0sc<A^aL2Qx
zQ;)k!c_M`&pJ=2YeIt{kz|g9{8SQimK067%4U*d!Hwhs2XkC&4Q58fs(p8Z=vDIa8
z?adt4>x2o){X}uV#l}W)`pbwr{#7g<+yf>@%g2j}i5~_wF#bEvL|?YFb;0XPOVm>a
z2&~=oGTiG<OXT)#c2(1UUqR-z+3mAfH^oZ=1{Yll+q0(IxG9U+YorwX6?^|wo!s`l
z5*t1;EQ;B3{yRIvdq9PS%vP^ngX+kL2z#|Ox*dN<Vf-UKEKvT>z?;_5Y{`J*E<r3N
z{KrH#g|ytyqel4Bl@>}Hz^REjeHx|7GYQXKj`qjD@wZQGcOkZ|ps@DRy+~QS)R9d|
z$o^&!_EnEeQUim1xnRQ}b{sK<8B3qp<ynK<w{6`6T<mWnQ!5r9QXCA0^*FVgu`khR
zR^>Ts=5mYjTQt0T@?TArSoUtS3=t^5msFoN%*ipFtD~aA&<|?~JtP%PmO`C#rEj;Y
z8BprAH13VgRGPPANqKW;3*JcIj5*pL&VpRnHURgqFdT+HZ#|5BCn<H<B)0G95ol*C
z5^@}X+>D)G&O4?YcXi#!{=!PEhkCl-_i#OGfL|A3(F@s**L}6yFZX#(!f4PvAoqof
z_i15}KG?~>hr|fTw|V$bPpxt+t*q@t|D6Qclb37*%3r^CE&`c|9D^^l35_|bW@0#T
z{4o%mCU{a%GQ$rZr+6wTiXc`?qTAMY6sjZWnMVfwme#x;xIJ6IyHxdRY`foMp|TDp
zR6U_Jnt>#yE%p~l@FO5P4tc)!@>ZAgZBA+0^D^)#*7%BYVZF`nQI*%0v2M)1x6&|M
zT;C|L_-;GPTF53O`4dQqaHe{NU#D15&R$+IL#g&wUaV7(RW_sgx*)RQww1*WyZD`<
z)k5f=Q^hH7|NkY)<=x%9$(RidFe|K5B6PfEBaIH?xNtft-8r<jZmm+2UGEU}&auE7
zvhO#n?p$yD9>oomSQmsxh`o_0rrea;QHQS14{Z<-CrxDSv|ehWo~n(`-Dd0KE02Og
z;p2e)H1nplT#h|N9N*eqOLC99ITz%0$q$1GnKj<>Yn}HE52(pHx*DES(}zg^W0anM
z!5|XQlxjGgN=A&m*qxu!y)EFPS0xmzE4l{|Dsv`P+t=NhQOi2q_O>+^XPzZ3j8-;#
z<alN~goo*>-*)#bkBBGDPYhqn9&EuDn&i%^!eQ3lauc`5V7od{;m=hN-h8?HZ^EwT
zW%n>_sB%v8Ryr>=y|43s6Pji!y@om3pVA3gP`<3V1)R4Mm9*59UU~479Wvszn3TSs
zdXa*GE-<RQcPx0|5GAz-m_4tF<Jkm^ML7T*Sx!&RXZpF5w8y%{B(SfpD!_r?#Kaf>
z5+5cK5_%~f;}q{zLY%FnJ{Y4RX%?`3RG>0f<K!|U<WN@f)>$ZjGrn(as{$S_;Hb!*
zRwF*}hBH6(535FME^ltW!i(9v+zdn3xSV0F+i|IRuO$NBhZ8w$)z+O(^_p(U>#5md
zb&nqg`tegAyKPMypFUpeYFw;xQg0NlD-)uJra<)GL$%%K(M*j)#?XAccebXtC&Dn0
z#B}l6|Kp%Ga*vaHz{-s-Gk?5yOUbp8_qf~RlMQ$*P%@GzxbeGCNx-$1TU>gf%Awf9
zz=FT72>)VQL1Fp58ps;{S|rq*mZn!MZby0>{|P2@?XOaULYs7x#I4~9gzNPu?N#bO
zDG)#HKbz10y9_{oS=wAr=HPy&2Xy;<&M!}@3vY`X)Y40YYz6ND8N@043Emj9La?Oq
zdqD6HWb>wnKG=AQ|44oR8|<G@mBxO&Gd}(SWAv`eCmEcj+IU7h*7;{O=%1L4{@XQp
zrXv5#Jz9<j&&5?7l^Z&kdA(X_lC%#V!N`g+K*@5SHb>Lxg>B~O3{DEIAUr;|h@gZk
z?-FU^d%!oAu=ypBORj)E_R2lLsFV6_2d>HP;93a5@KdiB+$P>k>P>-3M>3=RTnn5+
zx(_=!i-skvzTc^rdSY`gM?0AwcZ6&PHRC3aTAnDKE*cU~05gBplCEdJH0bytwh%05
zR&|+wb;uTG-OWkf?*U;oCb2E=(XAyB>HLgUJ&%}bj@UkP#k~&XJo2(8Q#-(0!dfLa
z<Fzzp@UI)3lL7JpUXROsPbG0(o{ui!EkAbKAGKC(P|Ns53FNG)4_fp}mhH~em&#DH
z{~t1e`3DtpY{e$Q?7v7)Di?w<>50i+WUVJzC#IDk5>Awh6a6AxZ=#vaY;4ZL4&my-
zBs=FlKsU<a9^mtfBM^-S&)(sDdY;8lu=%#MYj7U%?NT^w^1-CdcsA4w>7#>yFr`mX
zEf>U5Lybd?@Ewhqc>Lc9;Qvgqd&JbzZd4PG^wHdO^87kwN5yFUwUU8Oj(1^qWgJYq
zo;kJWIy=QpOiZ`a;Ezp7=-{P(J1;8)Od56gyr2*<MP3?1ppw0N;?Dk)0^0$MZ!X7g
zNg-V$qqCizk<Rl&PUFfXpL=CNrmj^^3alc+fij%XM&Kdk6AyihbSkO{F)<>ZAbN)0
z&IY6km`67}SnbJi3DZ5mUH0}#VO-C(e5FcRS`~Tt$G{NC-?@U>Y=3DI1)$#wMtwEr
zAc^TdL}g2E<5ch|kw+s}@WOt9#L4-?+HQ$Twy=6H_Db03*apWb11*2re>54y{WtH4
zd?neAlW_LfZ*|3s%Iqm#l(LKpjjw9<?Xl=U290h<1{ztPok=TCmJRw159vU;tS#(z
zEHT8zq4{Gcd_<&&XI9n<WO^+w2aMI<!=vLb71}L`9FN`jK(dKDk~(TOQ5n!l1;Mri
zk2lWbHkG?Tr%9ee8kZp5qrPz3sN-sr&b<$#iF}N=WW7~<K}MlH^4QKi6TE)!kIC9X
zyw82F_ijEes(#nq3m=^VRL$iCXEY}lrb=&Th3$D*ML7%f?m<Bg$S_Rm_P0OYz58D7
zdZ!;YG2{B?+a-T)-z#%1&L7%VaU_1w6XNaK4`9F)b#ltk*SG{UDi{wLfH*Jy#3SJx
z-_CrtY=f+HdbQ@<5#<BuGd1wDn#9w{J2qD~`?Qqw3zw1+*Fk!ogBQ5CV+k1bxsoz3
z^KzqjvwVRxLt(>xB#CEakI2#d(~GL@sQrYH2tlR2YK9rQk;5`+^{I39sT<Dr$?FZS
z{WHyOvh0WCvb}5gB0XCzU$qUc-Alq>)Q>&dVI@K@RpyLTA|jC`GXrZ-Vc9z(anx+C
z2XH%OMwLVlXudcs>~D-?@OwK`jHkm~7e^nJvB6BDc^CI~=2L{&Isv)mca~)Vt~kJ(
z)5u-#Z*ufXVLc!4xDtbNCZ%8nwd+Y)oL`FL<u1{ST|mN^m`DgYg=_OzDEkUi8<kJd
zv<k)Bw`>bG`lYN|UgT}K&dms0)!&GU^-;H%p~Vi|1N;mwnS*zdCqF<Wv_CWtjn0KJ
z-$A}a9eF@$9DGowi47OpEngECui710H(pbfZ{NjiZ>X+RF(l!s$Th4^bcs`^o|z*I
zeRp(5Sb9=yMcz3tXXOMk&arT|Y?>h*R%%1Ge8*R&W))k8FNOYPpSV7mW!A&3m~=2=
zmL%q}yEb<rl46Lq4telf>Fg{>Dl=exnuf*Dj{~t~QhqkURO;pkV?SrI*F=GZTSpL+
zU#+(?CvxtwsU+@5UFhS@xr&dATcXa0-y%Ce$Njxv`9KrW!Zy>oe)6fKU}9%kWew!&
zY*_`;QEq$PsUWK%y|0^2JOP#nI{J5=&ux>~ONnO#X6EIn=V<AKl&rwS!LGH#)U<dJ
z5P@3gSOAbLf6^J*6u3%)ST<_JacFqdk1vX(e6Fvhz^PDd<bG!FuU1prmhAlbvdcfW
zg;-39y2Dz1gFzr=F*!@S0P4tr|NMyLQ)HPoG~+-6!=0KX*u^9&mA;)TU>h-T(hLBs
zwyx^SrFEer>3!I1M^gGFKO?`pqjig8NLituf}Ot|d3FZLM70-D6R_Sy&NyO`?DL`K
zH2B&yqg?7aYmCW)jnVnzgayvmliZ0o($uM)AI~?5C6d62tmUy53@6dYmI{G}n3cmy
zvu1PV1&Nz95lX|a=_Ss^CXPJP@%J!o$Y050psx`n`^{Mqg`vpCk54L(4e41wts9o7
z8E|<2US!|podvywy+3`g)Xl!l(}GjHxDdk_buUh{QmxGOJm#2Eh0*dNNfJb@l7k^;
zahFY>=s;IBh<9VoUEtr%vAym}|E+WEltd-=|JQS@3>(sFO{!mq((5MhX+d)>S=eNv
zn{x}J+0N$L7H(N%eIi9=|FgE@Y^V(%&}ADlok_9}!UjXbsJ-%vwt^1b13EF(#%HbZ
zm7H^e3aHGw-Yp#^T<j_4B@DsD0|wWcthMf9h3t~=wAN3Xx0KEqzZ_UJxp@qCXh+Td
zsl3cKx&B#S9)+G&ml<s}5!#C#G6yQYsxTo&>~%*6qiy0_fD1`d?PsXN^$crj8i(zx
zw>|h2LXgWw>nr8kUi(Yyq=|b#w)||~d6k~vYv8gGWSQx;H}i?x!jJsxn2qBF?&5pE
z+q7DFcjJ@MbugW@6;<1BsN65i|5A0mi9Sff)*f<Y;$1WpI^^B@Kxuy3<Hu!YP?Vk(
z)x+Mh@?5Z{_2y^o<`?cSc-7bBr$$XeXgYUQWp2R@0XqBa9qidz`8S<mVeX>(Q`8`B
zXSngKg2k%-u1!wY&P%gasHD5xwYUN+uhv0Ehl2x}yFpZal6Wo<B$_%+j3|-bdMi_j
z(9G_2573+_bfYJBqjnH;<LFwvB@GOT`McfF|KvT8i1uo9%uKOLV#2j8!wWKbhkSk1
z8KOiPJ&CrfstB=x9lmy+AW;))?3)euy~f=@$l`Zf&?>Q?yA8FUl+f-+Uo5P?BZ|d)
zK)Bn4KL=+zXF3pYgnScBC-Rg!EDX#Am?-rV9ug47OmC8A5B&3q5s@C}3I)AA6{ne4
zCY1_2TRx(#T%bLTq5tPB3c_c`>aMRlk3!{ULbWVnlqb+Y>M%{jCmyyCvVP~!`K)tG
z1S#6uGC?#^dDwF7=^ywBQiFxBWnl%Mr0up&6~+X|EfS!_(r98}Iy#Dh2d{=EZ2`U_
zO1jp#b|WGV<p~r@Doj*4lk|e<Y+$yY=U!daHjAQ~hm$UIIiIaF42w*s%Fvu-ErXXp
zh2S!<;^H*5prx&03p{$(hMDpR>4~aue~lrezPK}ZNktUBnwYM)SF^RB-lvS)!Y2yr
z(U)%+4gyXU7vDy?&{U3Fkg$if#h1Z}!4eLjctM5?8^^%J2nR%YWLW322Z7btlMS&=
z+`!U3S0>I%g(2k@&bnPQszOMx(@uZDAu|q!p)082X=#^eu2Q00Yv{}0)(FCy-=+u7
z-xdj-nE=zU@^cx6AOFPGI%RO%jqcT@n<ZZJoO0O4KDK>Cn7JW|(~T*pGB<y~Y+G3-
zJv}gx{jVm6!oS!hY6$L{Qc{b7LqlTXOWOa=;UMhf^m+63f+_<ix1bl+1f|bBjc8DZ
zhP$fM@~qOsR@|vg(l6}3Mu=+T2`2W7him3DLtrL~?-e_zzWA~&mZk$y?*UuO%2v3;
z&TH&3Xcb`4g18`UFgf2Yn9oGHzR-uY$f+5#^9DhWQDt}tZov3E{rzu0d90n@qJzg3
zENe%)G(_Lem5DwdBj@wG4y1e{`9zrd4FO?l)u8VBSYk*lnX%exb}${no7Tbph<)UK
zRwPu;tguCXKN-l#RlyczNp@ml4&nBT9K%cqktS&mp~Pn>st*#*Lk3$4^A|Vfx#_B^
z>U5CLQSbd<2PY<~)hWD@n3|*3Yv*^THA$~|^34&sqc~kb5b!VVjQ>IVi;$=-r_3^i
zCTLv-pQcj;+A5#9d?41R)O4O$j#18cO79F`@eRw6D=`5g2PO_Lm}B9-ysDHF3yNas
z6-(j%WOc;+bwNXU3lD>WjC222ud4dZx{`Xi%POpiNlyZmbF*$%&v9Li#Si)7%nMvC
zSFnSO?WR5c^(i4OogX@CbGej_=PItIKEBzw)gCjbJD{eJg6oQdqz|{2&clv+PRYLK
zb1G}8D34=XJesxGLS)59PHeL(W?p=B7_S_yA~Znyh?cqxSQcLPFk;gEbz2ZObsrmP
zIYrI1RakL;wf2kE?7TqOcEj`ekx8t>3!B#*A)j~1lNjKX6VkX6u7S|H*#*{TtiB&z
z$F?p-G?_o<lgSn+S8j(r))@>7bG3(|+ieT;SvYs-jx;~GMsEy{(GEJ!g{)4$EOgC?
zdW-I*2g-HkM+^U~l&;T2oA?s3tJN#By%~7^t53AF++UyI>5IoIQOpQn6E6N69a7|q
zd{9@|CxG9g7_8M~>33SWAU^I1`%~YFxbGJn4<aJJePQ*BU$ftR%lk)tbiC);^}oCM
zci*lOG;NnK9llh~NXcA7Y12`{#VCp*qO~#dWPqp>Z{Prc4q?EtC;&VH0FW1#IMO-N
zX;YbFmPXj}fQrfImjMoGU0j)214T%EyO)oLK4lE2Duc{8xx3ZS$eJS2`73;<PG2G}
zky{QM1lcBlJj-$`UP0X4f*2X#t|bf06n_cGsnrL2!~py_D{|U5ISvn~p8suT{GT%^
zB2(CTzg@%R$vT{twtV_#bQ!c7*>B$ro<J!1rp?#;RiRRET}ARZ(7Tvn_nJZIn9hUt
zX@-_mU{lJ^xY>VjfbMlcofIhFI43WtT!c}ECTvBuHVY_%wzGOw<qpO+%FB;E8Q4}u
z?Rz#pNNHA+TIMizcREsj`SKpXx~r4Wd;wLfq`n6b)1OFgF$0GgK8fi)|LtJ)^^ReP
z7WG+me6xg{H9Av3NAS47D-w@uYIfi8=q^bsC%f?jusZ&%x3e+VUYiri@pE*-81cK;
z*E~i3vj*uY%Vjw%PR}{Qx{}?6q>GOrr#=}6RlW4pioLWJEk|s#D=1-J>9&Y@ctQvx
zfx&-!cF6xE%}Qe2J3)n__t{-VLC^1eVfk)qlaqV~y;xOTl3iqP<0RHV={vc;kkH_b
zh|!6`r>iBnr6R+Z8LnM~3z<?e7s5CX0UY~FTMSRBzwHxvsef%KBg#**Dx29?j>Q%n
zcq({`lBWLwgVN`Fy^hpT80Sjv$bb+E7Ega81b)0m#I~Gk&H&QXhc0n|=cOboygsn`
z3G5$RR>7BE!GqB*F(Q|^lSjd*$5d;g)925Q!fBON(h9vu=FSmU(;LpRup4~hC<63Z
z?e44xhByTT&5l&;xUvkCq8~8U>*E-lPBbJssVOTNS;oKiFOry=zxXaIutQ2XqQ2b!
zaB&g8Q|qH~#Br`+zpVySR3Bc33~j6b_NBfl$5z7gC<2K|vTqe(P{0!p^X5SN<(pDt
z*YO#KoYD^!Bk!kJVkZJ7CUq};6a)af>o7{&;ejbqxg_qxg^JH;;A=X|8gClXWC0%)
zx9+^`e4hkeY1{`qna=)K!CUHcU22@g4_<9JVh~H64oJfvfPjjrJ@aX7l%z>o&&4m3
zcVGs65YtenP$C>)i>Ppj(@;WoCSZIa!Pb*)38`vRh+D4e*~5#8Lwr#^Iof-8jO3Fv
zwO$)$uk-cPmqX#gfB(^L=9m8csZ(mpmu>R4bt+Q@pe?BF_~@uw2cl^(mo$ltiP3Nz
zegl4lrlwX&$X1g(BlDRSt~2TkaLIAtRLi_HDQua6!F<z9ZrXe`Rl>iG{BZpv;_LyU
zuru(vz3#hXIR#hp{BrGrVlM6ea;_%drti}v^5SZ^4Qu=`ZEi9|%}IVa%6f?~2aQYT
zXPgdP^K!W@xz(d{Ux5oU;<B!WVYJ2qrCcvEW4;n_4or0geB2}D@heDce`eQg#I{Bd
z9h6<J9KyLi8atiG7#6kP+f4&D&y!y*(5I9pncCp|_R)nGYTafWb4|s{#n5o~mWgn7
zcS>x}a-@F7MC`n6csXUzpPGopUGv<$3qOpQ!<B{E+DWgc$+#Dl-T^X`*Y%v$b|H^N
z&bV^)vFd1x5^i?VZ2w@i1ixrydK4-a@zs7q=zL+3K+UkEiZJbfSO!do`mC*Pf$Zf*
z0~TtV{%gzwRJo={7Xj3+(*2B$QK4To_kM6*c*L*Kb~Nm@CD<E6zVv&(w|=?2@evJ4
z{M(and*5n&_#MwIRwj00jYVJVv9BmQ4t#;+tvVFd@>?{(H>L9)+!AE@#5KJABz_Lm
zT90^NeP_FSfAl?*BC$uAx-0)^r<l1{BNNu0y@B+VH`HmvMIIirC7`W_N`Di(;SsM~
zO;#a<SF^ZV+oOW4(h+@aC@;&@sX;k4vFq;R-e$x~Y|d#mDozpTNfchDx@G8jRX6I-
zwGlGSs-Vtjt->uLr=h$>9klv}+CAkd1*4`8v~DL;3aP-tG`8<dua{0HT+8<1ZBZ9A
zta@UefyKwC-+?KH?|Hje?TXjuPZbCi`+N~X+{clwnQgVky&fc1GV-*?sjD__TG^f)
zr?Je~mXQ^nM8o|o>y>M*x|SX35f2%E%#-zG_jalD+82N_a;=mcqpHAe^fi6*B>B%i
z5}2ceV}`W@rH*Vbu-RYH9?2Vd$}Ys@y-aEnw5*(GG{|=(Ro1{0Y?bIk<Bl&#AaTsK
z1=3KUyU>7I<m{Y#)1Eso7@p}wEHI5#+K-@p@hynD9Nwn2a8xRjcmUIR_Oi2;@Q_qj
zeMD56&*M^P6^o<eKp<XPiTs(gRcr0GGuPx`5R?g$Fx2#A-{Aw7j*PCx5-I^t0xGg-
zu$_FuO1zw<UyopLCTU6Vwk2LM#AG~(VKqvk%*lco!z^L37HZ4K-Ex#=auE*g>64uY
zd9j7-Ulhyfxtef_y43J(xLS~rzc742*YkdJke|O#*PAVUQ(MMS&$xQ}nOgkB3a*P2
z)lP@XS-*l4$cg}em@A^?{S;lWVSmH+G^tjhXagmWSz!Qkc@)!0H0)Ys1v9_P+)8mp
z8K1F{c3FBF0TTO3QsL=}zI}7M3zNN8-b_cfqn%PWvNxTE3BA@{ieM*r96UJ#qO-B5
zOD!v?;>+!x0BTat(j3(*6iNgH$+z?B?53rzShma<w_mB8(?Ob&wf4EyH<xn~!E#nE
zuE$-d4bAU6{V#-{E|%C-_Y2A*bBuFzf^(!2FU|VeE^{LunJj(VbR-6&ieH{Bb?X|;
z%h0xErnj+<oyL(=>L{^V=TVVID$!INx1M!MMR9dI5@YgNx{NCA)zJEu;I>-eYhH)O
zxy?8t;YQEWPI}5rlW1;XW~FG02uKTf7;Ca!gpH^51YCL>?DpRSI)F@f?}YlU2~4c-
z7?bv1!$Hq)89)+2%2ZUB;=kR@L>d;INq7ytu)I7SGTcEtC3turW+=UT!j&xfE52{T
zj+#armdf(%uhQ%A$(^|NKsVS+2xC~`;yrO=4)5eng=GBw5;Ib68FF6RJ$DG}a-aU+
z6=5_R#T@b*8VYqN{3&7enzxz)lzcu%o4Jd8!`Q<AoZD3}bzs}W?3fD*{uErGFsRlx
z(9W3`iVyi?i`$W#|33f!jVu073SF5(Ey=V&pJ9Wl;8!jB4BRLcfz56si_iV@-eNq0
z-*^tk>u??c1;dTsiLYSTvOP?}fr-b?>HK=W*z{}l>MNz!<EN?n%@Fk^W@QbX@qdAh
z?L*;@Dr^3E45_|kE&7ppM(=Nkqmw*@`3`>mNpQ}aDPBeeU+ou!zYzXFGHdvOs{H+(
zOQTlJyt4XVke_!B@rECKl6ThYqr(~hgO<NR<hFOyn6z%;XSLkx?lfLP3Yeh3AkJz=
zmj(+zPdv>{9`}5zR51PxsjH{&!-ty?O<_M-ct=|h!uT7M@{5^s$D1<!f0w<Y-y)ir
z$yP2(UOH>Gz3%*QYs=Uos&_x9G<{oojM;->R4@dm;=Kw=aQut-Y0c3*tkG7$=|@Mj
zusyvt=V0^Ag!n75BQr4v88d8xUY6fZ)}Fp?K0120wCpyKeg(NZ`1Xqzmrr7)arc%k
zoQUiLux<~>ej<_nq$qC=k!+xIuGp)X{0W)x#SiTSPf4-%1En7|K;D8E3nK-F8&m;O
zv(AlaS;H&TMHmD+8FFr;Vt0<QB<Y5=Q!|w%<C(39c@*TqUWmomxPJ?>Mc4iv44n8o
zMi{!+R{p=*d&{u6mTg_Q2_z6Sgdk}wL4ybAMj8+9!5u;xZ`_?g2rdBvAy{yiKpK}2
zT!Op1)3{r1XRWNPwa?!ByZbx$-20q;pZlku?&?`{)T~)^R@E5qc;B{(%dA-Ue*v8I
zF9aj|pChB86Mu&R9{D?<urAhjfPq4vI^4{RifXU;&t5`)yWvgiVX;NSPeU*AQM%*S
zZY8#9_0H(T*(>yXdL?JMhE39Ryp}OPEj>FSJ>6_$W5F<5+SnFG(hp{};|HJy(~5lI
zZZO$#B$3B@T)9<#E-*`vsSN1>0Rx9AFIw91(TM6Vh>Fr{rIDOqF7Xuy7Gbiu6~N1H
z>c~BI6IYECP>;HAwKN=1y-WWJCW1UAqtfWqsymjIvxOx^*EOhW?0G9ouSrx(tHNrW
zu%|ZU#o^K&{KkAsSd53B-wL8tE|z#Yd?0?#y{1m~InZ&s;}y!=r|Wkk=t?ugrRYNn
zRCX=G38e>PTC17c?11JEr7a`U(_fM+>FLYM%dIVVMvhG4D1-ySHS7HYU#(7g&Cgjw
z2PRHf9;hYiNDry*KAh>*_LfaQa`p=T)gf>t$$I#Cj%)9Z{m_9PamMFug*6r-+5vYy
z!PfNPT`NKJS<c!d_|<#y_3cZ7>TbnONBxMtQnPfADa8bru$?~+ZuwPT`$@{l&}#A$
z->-xD{-{qBLjNC(8HCk;NNGxpaEa2fFILcg!n8y9R!Pr{$|1wIZfT07aI(=6XBs<E
zWFG5?hNonz1OB;AdtxLZAv5KD!pkZ(Hd@Urf%ny2I$0rovXau0Dxw$(4LM)26SNk_
z?;z&hu|kv9c76P?JRujDa@HFxMyie{HF;*Mpkw9$p6PX(em-a;uzZp?M|61JQ;elG
z*|9yB?f#&w3Rd-`cAQ!(4Mzk0T@nm)T7P03vUzPMbKFOMxFMgdbdP#e>b#CB@)?QW
z4=D`|)$PqZkT?Gh_{5s^T3XQ?-jG0`M1GPW^8tH=koBG-8tY<Xf1A}?_!+&Pf2C;N
zqn*p`58{M7KxMRHuoHF^BDG5FMgA@BZMW5#G#1>UCLlZz<R_Y-;J~RN*GsL3Pl!Y(
z{{eYYFi;v`=NrCe1>#zSxE$rjpLe7Ua+B|xZh%}nwot{#%wkgD147Bh66+*8KPJ0l
zv%OcF=<Vst|JfIb${x8{Q0i~?{{<xO|IDBJuVB+y{g6oT-oMYUEBw18ym^C*3upK8
z3{eq$;x~4`dI`CIC%U5*KlJijj=xHeL+z;b1N8)f?DWh^>qXQc9H<MoW5na4=^2G$
zz}08Ve11;Syy_Zsb-6Lg+bpCMz|DkUitz=1f=1$wlS*V#H~+1Rr_<7-M2fc6a@`T~
zwm95aZ><yItjvCoT+1*{tJpu*_u4r|M(x5SB{(=9FQ4Qv7Fc;Z@Dm%7rEBY;p*mH(
zg>R1CTMbl|!VUC%ZN_45WcOCOR!oVL1LJ4U{=B`vIUbN7#DrZvlFl%9Rg?qvNF#?&
zaq<`*vbxZyObCYvwS$yUy>t5AQ8l%fVG&IJJB6Ry3Be$>KHTVnWY*QrBybH;w5Hr^
zVX&JmOs86jZ2_gx4~*W1+4QMh$*f9sVg_xevX#^{vpBzKZH{a0OH!z$_j3ntbb=}?
z4`Jt2Ux>uPPj417TO;N_yGE+!xQGZ2p3T{??RQXB`I4pD-Ybq9Rke%szhtyYY64kn
z#gdM*gRiz2xrN&uN-JRo1(N>g&jke@T%l|K+j-OO>E>+Eeh0+3lF_htM~8n+p)T_)
zli0bQiXXZX)+o5TII%y7>DHjvt%1H9UpZcEwT)w}b57th2DM>+y_+5D+ZWvH5D7WV
z2wr$P)B?Kh?!0cev}h`XR}1vdmXU0H7}^R`YNL%0H^_j(w1Ic~&CmhhrTp1i-s}*I
zb{Q&FjG#|a|JW~w^ws6qUnp3O7Qj{EoN80~<6_5U@zwD(RJ_w;XXWFIqKfE5zDxZf
zw2|>s;!6Z|13(K%vj9z@B{7aW-wYga-@M(V#zK;uUj`~QF5YcXaMCm;scL{7;Ht%X
zVY(YU2`AUw9kii9FJ#U7BZk0X|DU}3#B~4J7u?5JTVmqB+5c}3yME2~r2drmMNw5y
z_32lN(iT0q!1AlMm|?6S;4#A()G5|9xv;~!B-e%5QOh46bcF+zyo02j5xPqsf>`0}
z$lpDE>!TGa?xk3^y&ifO-o*YP{yP94zg0UMDvDZ7>{;)5bV_f}dhUL{v7@tIOL8W$
zZkpiqi7(2fd#q2<-i2!SeMw5nN<(m@zx8X-){CD7%RAz8Yz6`X-ChKg7&CXwM}zAR
zBuzSDR%-9H6T_SGhm;1_>2mYgoIsQ2_5Km)qTc~7jYMC58Hz{R;Z&$V|5>20taosH
zI5b^3z`hsWZ<1_@`?DaqqjqI$EvFh8>|7vC?SYJw|17veGcR&-a^Ad9Vm~L=-o!1E
z;Pkn4D^?HZ_=K_R1Jk5=jUHI_Yr67i6?ogbAEm$ApHJcOBn7pGYHo+mw{D+<kdhzC
zB?l=(pR;@C_9RGJWHmQ@@rh}v{zGQbS$%kH1ay+D9R~|ZVZ6r{{pjQJc~(5D(8GWk
zh4oy+pk}j}q>Qj~-&#W#U8p?i<ttT8kC-!gK}xHjp(%6Tit41+w97nA)M<d>nIPp{
zewqrz2><7n@c%8@|B~DHcT4uW)+%)&NLD^K^y7HAx(masxQ0*N>x*yNOj}+bCVW<e
zvKTeeA5Kt+h=yod6DKB%IaXYdP%7~c3KYV$2l5sdk@Vim53+H(10JR<IM>BRJ}w^`
zR1YFq&nXG?0*e*lT7hc#1A5w#u)ti^2`AK@_^j0k9{+=3C3ymBYQ0|OM|fu?oe##s
zbhu9V4g|uQ%r`fSDz7Z2yekCnk2OEBjgZPVL=9%IyXX1B`?&u@la|nP#jYJJSy*PZ
zd;+w8Du3Bg^*CDZg(aszjwCpeZJ>n$4Yjd|bkr#vYTFK;dt9!)7>%mh$pm}(rr4hd
z-hq__Hsg3|y>D@H_1M*i%_Y<d?};;+^{$#_^M0i^BO|n~)7Y=VJujI_dlP8KYy*`B
z3iMz*d@K+qyZc<f{Q{!Xv-TF^5z7aouUO*lav*dR?v!U%1MOR}*p5WPoUD^D$R3z%
zG<xS(9lQ?J+IFnWzls|WH7R(cGHn4{j7YKa)S+R;ajvoLFH8_ro-bLEd->pKpik}+
z&1HS3R27{=qQOOs1W1|&#F=WY+FIN)i2Hbl)2KP4YIIrsN_#EBM2lY?qj>mE{sgm0
z)}o9SHL8RkmZ+?(E||}0k#O~KqN-$91%ppv+w!MT12-N^^(ksYN4uK*hX#Ck)O?QS
z`0JulXxs$>A)I(VrS`8wjS0&goh{=ATnaMKhQEp!JU9?W>3?5dOk3woDAeh~su{>M
zpc^6Nl98L@m+fklMQGb#ZOwq~c{3`|B6a|VMc%>?fE^OkzTa}{j%|=Av7396RZ?JV
z#WFZ%UM4OgZW^u4&HIkk1ByG>%V}m*Vn-(+4BX$%%O$WU@5V)ai5L0~!-iNU&+@1r
zQ5ZeD6%@7lRA-_5X!mid1$nJ7ra1H%%k6pFjx*m%(^t=OBOCZoC;y%fY%v~Qnu)M8
zbnbDEYGDI6)<+X}Bh+!PGH&toWPrl6`y8@r%c>)y_C9<dD_mW2H2#Jzng$FPa`$Ut
zKBJJQ?Y#~+JwB)H9SGMD@1HQwNDCpM2{jM#j+7=QssaT~Beb=pD8Qke0ui6Fd>&0u
z7<-j;*j{wgvIwNA1}*uuIwT~gKU!^T+l4MUq(kSb%4azjZavKOE{|mYByW*kU3PBe
zRZ-zQq&&)1%!z$aeMw46SsY>K;|IJ;v$tPJp?I#4gNzX$&laaJ(XyoP+E&QY96$ax
zCCi!4$=d<~@mVAAR<G#WzOYVyW)jDv_I&?hNR7z2qHc2r$EzUGML<f&ncgu&5hard
zVb{-RJEYn<rJ~Xqpkjhol5HIMZexd+MF4y+#mp*tq=(tzkVE36hms^~2sWwRoC~3|
zyTl^xF4T%8C}6)FsX3P#vvd-#D24<zH{4pi55Df!a@8okXbsXZet%U$+{?uIa3#~v
zuS`i)URFlf;p4+o0e<FaiOq!)e{J%#p;!8wB?MvEQh#~xKg2u#U~{9Sc5UHg(qJ<=
z<0LdiSy&l<kBVwB^Y8E=1k)dz2lgR67Xmdgu+^*ZtjmqWbB!DGGsUp)fKl4#dE2*e
zBSVxW2ds|V1)<+2m**5_kRhX-1wka|wPx(I?4n<bccYbKasq;S#leNt)!ZB(nY_rP
z5OQj}StNO)WLU%}ke+ie@0L8l`KYS3Z^RnZdi0BWBnED(r#q`$Lr&VFOa5z(+klY2
z?&fTM+s&akO&au0=FS=$t@M97{INuy|Ggf=87>@2Mf)QN``;a`L0heGz*u{|OgZ{;
zKx;ZX^7?KSMRpA_!5#|dU7>Z9zj^DUiRp1Y``elNZ|*Ot0=NBpG0A(~;u5<vh5g7K
zH+jwtW~XOgdCi4Sg^-pF@R68!>)$Pd{a@Xs7lw4*-BFxhKMTi#urx%5MXXxcJG?`T
zN|I~u)H@B|9H?QYET4SLcyYo7l)*&mHq35%=q9Z&VFfHwxomK&e4X(I|Miv|n#Ll^
zU!3E>w(<~`IhCq%umY+z!yKI8-vi7;%Cny^bRLw}Fq*|92~j_x6IGhgE2NEF5fOQ5
zGqC4T5o5xPMq<8-Vjn+u*yfODqJ|+ksaRQuB2kKSUNHtMHvX}g`0t)yfdn8u{tbXc
zr>MwDP8KBvhD}QN<BwuM7+e-k-5tsTY2zS<=V1j|M!PRIt*^Cp(VGy8P11`6O74Yh
z>SLB(Bbv|!f{R5OzPOI7wa|4W@YCIeCF;D7c%bO!SU+^E_x+aye)!%~|3Lc*%A|cS
z;M}e*_asv>*tDQV*M2>3JrBwuwQqq7ak_(?L3-(hf&J1nfV+>FM%IRl$TCbF)TG4X
zXW5kvb3%_ScI1K5Obwhb(4n5tWRCmXVoh`cIqu0|$+#4Zbx*rcI+$bW;HX~7y-An_
zX>S6qUnix)pc9N@{u=w0d98I3?(nU7)QFs4Em2#~NM<ttxtY%!-o;%h6XIRG0DqbN
zA~3JtIlFcJwpx)k)(wrQtH4V(uPC-R9rnS11}Y5|B=*~zU!0}kL0yEPdw(`~%S?GL
zRL$3RE>}8Jq9IpFQ#W#VD<`R!VS`+~r<jfH6_=*8L-+Ws?MKvSOW6^#eUr|Igr)_i
z3psvtU?Hhr-F391Lw%USmZ5XKSx-c^;c=ePt$6#>Uph|VR}%{ccn41pk(Yhv-rHZb
zwl3H$LzRjZ@yVf+Kkh@Z*qZEI4~4cXHHOi6>8e)PP^S`$m*+ydMQ5{U5^3@1tA12%
zFa*GF6q84jY$V<bhZm3L6<4<zQ&BO0{i{0$>EAG30oy-c($Efi!;~Enry(&p;g(Bw
zonwYf`%52mL_5A!{$SN)R2N#Q6>6nM*N~TlAV)GOEDp8JpUYX2>F=RBQasM3f7SoZ
z99Y5R=<Gq;;K%67K$VpfaYtnchbjo1mR3kE4>S|9#j5_f5~pJIh=o~IT;x}Zf<<2h
z560(ZaL8PzCKsA5u91TPu3gx$a2LgH#ArV3t)DiX2UJILfVbD3m`f`Cj%brm*RA~=
zf46jgo$@p-*J~Cz(2%NHpZfV0EtoFlQ+v@PTYxZ{QKiHylt;B1)_f5KN^*YxPL2yo
zaWB!0Cl;m=oSci{eU{L+MU+QA`Qgi47z@h|*in&2B?aXwWAdEfLGzp!30ge+d&^Nf
zOZ%~1hlyY#-AE$M;uk85tg%f)jwsV31iCJmGVfi}VbUxiq8V7CPzXPFGTgDHi6Sg0
zB#-Eh5p7mlR!xg_nTMK?oELc}dZ&7?)wZKGa<UETr(v7qr&^z?)BxaK&?o>xOf$lW
zFoW|_?b;s)Xa_TxXC$O&Gsq=If=Q-zdy0LQ$HCT(BxBb7%97M{FFeR7h89^M{_&JF
z|19(LHg{wnk*rg~cL4S<cyyJ0IBsGwo5}=mz=#LgC8ao<NVV}3lXos2Hb2!}Nqpo{
z^iEk#Wssjo(K$WgaZhz5N<X(=@2sPPG!Cf*f^5t;`yd(cJ4%R%Y(maqIKe}lw_YB{
z;|a_iR0uN*wmz+SwkQP7YQPdrE*J*^-h%_Em6vS&Mnsgfly%1$mK;lvtHX%NeqBc-
zF>=JKJwVJbksMLw98*S>9>da8m5xpXd>0qbKR#fsYsUG|x7R~5(hTsrAmn_?ZVWSD
zCw$gKxA<t$q?M1Fy&a3jyH>MDY8V8rjVOjtJmPs%kt6Zyr!VAx+Y-SLI4tqk<kA1d
zd@-!8+?<f&yN^=1<gtsGJ?%lfCFa0;BKv-j_v1nQm-Qokc#~K6x5&#vo{HLahhkUE
z@a%;ucBy#JH$hQbfj1Ny(01U%q>21br>Ggl_bFmwLdP{accLm!d&d<~n_ElLs46Ud
z^6=6F8sau23H1o&)Evvg2l`N($M^RFanac7pN$=GMhMox-h7DF3?DTm?$nFu8NiMd
z%3>BKF%fFeoUQJ5lWYZY)r_Plfs);t5yp+&XRppod@h7}Zg!Zd9A)(VOBvaVBh@!+
z`M2S!s_N|;`Z|E9*tDYY)%whEGEE@rq^K_xJl(HtntN{6KBY!ZcwSy*)h1dFpLjt2
zu*9X+SeVsM<uW6x3lV7<21}S<t+F7)P4#awCvkizds`mo_AH&&&T&aH{K#I8h9D@?
ze|?sRPyOEBP)5bhNCpf(W1uI_ujY6l!fzG#5U6=J3&utEqGaQ<WT&#N(82G3{@#<`
z8EN6iem%+urk>%>MGh7zi>{yIHXcFVHrJ=%J32~biznK2m|1H8yFFE`ss_sFhX<v&
zI`2hgeo9Hl9mCO<8i@dI4rNFGo&JKRTzB5qW?nk{+2yigK^!t6FF<PMHfj0-J!EmA
zg|Bh4am{*O7{?BVEm7{|1TGFqFDpxDl!3U;fJO-FIC$cbWVCA(0045Y0$?`O(u<bT
z5!)zo9)%>N^M#7pI9Zw=M23eu*8(Nlh<U6B`fzX_ml!bV3u!QIFqM?QEZZRGoR0>I
z(x?iOR`LYN206fS%sh@EsM#|+=x&N)xb9e9;Nn>L@LNfFRB0-nsnp@<HOfV4nv^nW
zL2y6P5f80pg&%D)O67+m*JiS4UbytVZ4K;&ev+Sv+ACXRyCpL59s&-Z>vE7bmaAUs
zkcY%6c#aP0>Q7jV-$^G=8k!-YIaAn6P913AkTpfA2Mr9hoEv+*3=U`Yn015+FG>rD
zD3WznO8Fewzn^NCx7j#y3V&NR^PCJ(TA2kdrXVJ^XsZhdpR_Y`>75HuX+?OR%G4BG
zcSYZQL|DFK#&(}vUrs5Y<t_zo+AG9Dal+O!q=p*^H4pMgLG5MPGIntQa%Tc#8L?{=
zD0oGZ9{lZb-&KaAr|%A#Xpp%X4oiQn6M;4f$P5P<lS*#d_9ZuiOysYV^uJMf2Ol4O
zL__+v7YKg*v|ULNi8l>V4`iP|`-<+1iGLNQZ3XqFHL&}dh0BINzG9Y1vr!C>2Je|U
zE^0UKQbeGK9HFTYu&276S04n1l+Qp$ta~<q3z?%Dn3ywlp0)~y1bv~(bS8C<X8X8P
zLQH3^gDd1^=@qi%D?8)e#s}#A!&19`TwQ>7-e=u`yXvrzLujRu^SK%8=!H%ec7`+q
z?6Kv5&{=t-Uk*v~Q~!}ej%MqJBlPsAeBnY)1j-eMvQ{x3G@f!%U(4FA0n_B95u>%v
z;dVpTSzd%%IIFEL(S898_6UpRxV%AWLe8QAf!d`Y9uU_vJit&!Guhx8L7LB!f^xkd
zfBvd&xrQ+jvtN6dj+sRw0uWG<n}BIHQ}g)V<Pxbb?G8-J%ww)n_}R5hCk=6krMgrZ
zu!EI*eTzP#p)5hrns*g;QjM@#e_i=%A*Yepe#No0{6l_T4?d9Jm}FsaZl~dNHS;DJ
zeKL7$_G<X!Q0k?68EYj~&8b~OG2>dCqSNUYF#XXwQljpU1Iwd$3CC)~kL@_S>1!_M
z5@IeKDJ@(KJPwt86ka2=JCZ`SX4)>QKCHydc<uH`UqkT9`AX`~^MrClPKt~a#GQ7Q
zymaLbI)9z;FP7<lH%#Ydbo$2$4fOQw90EQJa8o!EYr%~lsErgxB)CZf*@vD=K^O8C
zn-qrNJnOiFA6BT!_^cnRX)%RTXD1}M2&6{Od~QPslPM&?Qk4YzYPG#F&6-S?!Y;mL
zGq%}2?+I(zP*c7v_beZd$PGwOc=P&0NKzZmEuD<4k&CLp=vkbB40(kqlJR(8TL8#4
zVIURL-7{rDiwyBu)52nTT`oU6w~AkBNapm$Qh^4d&V$Q3N?qA{K8vY7v3nY{bFatK
zDm@_`;{ytOs4`1Mil=MGU2ogfWi_%B1h;Ua3I9Sqw69mMriSwXF9iu$STH4)W_qnX
zx2PCwIBfdhmPMC4N&YUOqmz=ds))#4x8U8gUgt2BjL<qZ^paq}^`N1;MMBMFNX=v0
z=+ZrDCfMv|P;(kkOpCPB$hbiWz}-aK9!zVMyH2q4p0>m@JcQIMg{K$?W|UM@Gy<}^
zIsgulgh<-qjP&79;NxD6TnFMsNT(&N*jMST<`hTQBn`_^S<+6Ek{CS>_aNZ`Ns+mC
zvMwTh{lmQLEW;J~>dFHuqLOkw&drJ>P}02Nb##=L=$fCvlHbrJe|-FR-{Sra%;Y!s
zL}0VeSESAschSw~*rvbyct7AlEuM3BtX_nPCVoD~vZBG(ZatBW(H-v$HE>OjBrNm-
z>E9-_ZlLI?)n}*<DU<abmYA8`YOm&eO}w7<mHcLmMXl|_dq&A&9Z`8pmgKCXw4T|a
zCu8asa~Re`O6@IQK=ygvtQx^arydpDZ)Xm$$OAScMeNgwAQDrLS))l-17y-yzioVB
zsMYj^$tH|}>=;A1)P?v@BrXl~FO8uLh%!ml4ru(Rin-cD8d&_iV}Bqh{H{{G$4bqT
zv}<ZkacX`*MMySR_icH8KdBXHKoJs7kBer9<~lZJQ8%?a?8Q2vCvTTEdsclRoyf#p
z+8SxS8V!aetVRuspa&TweZp>k+P6{7+q})a{`92%wT?YgR#(J?!a1F14}KYmp#yL3
zhXNXhP_5>#Fj3Vt`f7nWie<hBpLOg#vM3boz8H{_5n+J^jP=?ROL94?!;%i4mu3d?
z_CatOVR@LGcw>rDQ2_nbPxpaX5lPbhc*peOJuHiUDQk*IFm(c7xSUNKP_k<PRA}P6
z0|O5S>{w^wk_I$@&*`Z;4<gj6>6S<HH{9~e49w1-1@x&22+;EBpT8`KrjuKrrhyt+
zH_B?uaua*o_A`A$vQgIA8+MiFS5&ND#YMlysGT+-RJ%=0?>U@~&WniSNjQ1vv==}4
zFxNU9Dd7^hu4<6H{V>HRMAcr$v*RG1gVfnZg^*A$D{ehC!cS`>GdFm6_r>h$r}on6
z1?SYQ#zIy_H<=YQ!@9St?+fAjFS>T#PBJ0xOetcsSQf=|m<WX9-A5N2^kfON8z`Fp
z5V)zv_wk&K+bsL0&H_nkb|c#}$?&BFINNuzF<CA&f|V&|kX-Q}pag&Z{I{Cke@8-y
zE_|7v_4$zutkt#fmml5h^-<|VSMCMsZ*G04K5%$hyLKYimH*!Bq)%2!TAC|EqRgr`
zcp>i*$hZ9!(!qd-X{0yGM%g70#<Qb*<@eC0niePfRNWe^9s*o#mtneVzJWtF;f&aZ
zoxCTq2E;MC9Eh6pT8q3bYgofkyBVJ{?n>dE8rbBjgwiv!EHG&mhz20Vw9GZ0WMELJ
zC~e!9Vp_^hcCU&=PL~$QsY77p`Nce&7Ei`UeIH!3t@2y+?|uXFM1ypXyxTl*vfCs2
zr`XQP%PLw09EabBxL5TUTIptM2hFaDt=1RYQE=^$YCDZ7d$|!X<1vJe&xEVY$Ho_G
zkWMks)_HiyYr{kfp1`;(6zmyv2c2fegfw;`_0x`za5}0VRY<#)&9J&KC7+Z{SQfx{
ztECBAb-}FRgAZRrt=GKeQ>`XJ^v~4>>F)8D;GICm*|ApQ77(pB$G6`^8plmJ7ZWH?
zp(cJlkjKWQc^U`mSc`+NgY+t9pD`2FvE6N>Dy)XQzF#G3pB8n{W*jY5iMao^2g~OP
zLR3@{rG-sWtO@1Maf#$E`woacbPloEYODBsQ{!Buc>HVwpLos6|DWyD|9$eO(2$p4
z(9Xl2)%&;zRav?p@cJUe`!kc{ZgE!G^G=s4WuO<rd(+*Dc9D#cY_Q$R)PI5E6rhv4
zmsrwyhS2LWg={&*X{J|kl|=(lX&*sJ_%T*kyvxF8349+HLvGF739ua%Jm*M2vCT^N
zMbc~Y4-Umh5@bi9x6Sks2&7i9@ZeC0&^F@8M17WbYiHP`t<ziy(@>Sx>X}S}x$~t+
zvwx8Qw;XSdMim5&y<)9Ts~nu%NK_P;$D!quO``I9+ICBtW}U~5Cg!qhU4N=*r=Um$
z)W!~xhdjTYRJn@vx}eCpB&e0~i7xpfI*b(ltr8zzbKSZ5(o}7TH<KmQsWF$f=~K!F
z&pBtjJQ7emVe(gSiP+t`dicNiH;PslVZ$7OQGQz8P}{~sECZJ8wAA_?Y^W3SeswQQ
zc#8(5rR2+B8>aH9%XaTke&UTUl%%7;!h|i3*MJ@N(mNv*<Y@&fr<bU;+b7^h5Zug-
zopChN|D|egCu8x1ct|l8OGvR+x>+8~S`K9SVLyuc(d{K$4&EXYL=A|TCs`Qx=$&f8
z<gww|lP0I7NVHaVysvR=R~hGehwr+riFV|35iT;Jna-UH)w-F18Fd{bH@1gjpSXkR
z&HHaT3esNoxRo1}uH7zKd71GJQou~8u^H-s_}s39ZLiWbMzqBMP4HnV%@$}3*Ic`W
zTabBRs1f$Q=k;99C+;@p<F6wXWlm!fEo<ms_fW9IUJOUK6Sl(>A)h))@I(9Yh56oH
zgc&sUGRHvo{g96`b+VS_BfIJIg#PtADV&@n{jTV>0ToBYm^wud!0*(ajw;LbpXD<w
z<3&h(#D@jm5^~j)lcVkbnf3Pjd-vC_@ZTv34qvg%{NRHYEsM$q%TrZxkeaF!{+FD9
z9ad8SqSSgEjK<qqf_7)$)oa9!ZqrxNBAZ*LvdpUt+zKz1CdP@8L#?=fK$;3mK5sY2
zfjE%Kk9CBW@g_P%Wc$90bq+6bs_q?gjKHt1O|Dv>!>+P21K{Y@TFh8w!j;;Q(z7_^
z%<kI(ckZy)L@T_qU6dATDURh?Nc91ZmZlY<6rl<O`T<{Ze@`v^qmzl-q^6jyp_3Ht
zx5mKD&yn6P;?8>t@~Ye5&+=Nl-hu-vT55Jh`G9^L(IZI2(^tlOp<n2L18FuyO1H>R
z(4TvXv28Y6;aEk(A-)mCY593C;u542Nz%f^D;=qA{AYT?;yZ!X9=<epAdcZJx^bcP
zgcmcny&AG1HM~<bycv+!?azel(C&#WVm#W%DiVHTF)PjDcs!(Qm!DtAwZT-`363xS
zq=0auvoJ*$eJn_I@RiOV;h{)qAM(-!gmGt8i--i(fz-&UVoy{-<VApF%N*q!0k$_Z
zEc0LoJtkpDbq^rcNm}D}Q#3GND<dyEIXsRb&D8@*w18Yz^4t?ayVo$Xb~f8h%vf1)
zJIjxc6EQHu$N&Y3OKQ*za;u|!t=ogmu11i?uWi&w5-W;}_T%HL{<)(0`R%`Ckba)%
z;R2nLYDhj4S9`Knu(0;>hlBGkX&S}<1*lXXGO#%%X3E#i+u($R_UBVh;K>2`+X8xo
z`Sh*wc*|`=SY#;o-eOoM_?Ca0mL<=+zfd!gS{tJ8cG$9M5wr>Q;_nTfigyCUMOA0s
z9~{bk+;T4)jJvF|H_J+7ZoX0S^eC<mv{1?TB-DH%xQNYE5Gyz=E)b_#otU$&>7>+J
zWmsGT&EYFGU4VLEJB>9iGFF%B$8%3oJ2(t|{2#yvU*F#{$q&)m;WF1D?}Yb-Flv9G
zc#>u3>dFEBl7Mi*K>#D{S_0Q^ZKO6d>*;7ntmkCqWkr?pmg5s~J=3a#a8umpmUo3G
zW9j1h--EwXw@X}z>zdRt-bqhs*u^d^%7Uvr+pJlj<|&h!4}*y0v<)dh2-4IeQhY6{
zY+R<S!LXDS<WxF|=;wAUclylrB!dzw=?4NxZS}!vit<+O2SVCU;|RWNk6q#uNi7E>
zeS%3+ak=^CW(jcHvuo$~ElbtUU-G9wk0oZJRYz4<HK<012ld$$2_P&zXb_TS9WpdO
zp=Ky<U_`!si}^dj;;jSh(*vGx?6^ePwunxf2fZe%#|hdRX6Lvm3^dr0LALiJ(MFdv
zN9fpWK*POpZbm+QDq5;H_UZY0sB&drj*>*RA+KQCqXFebW+UPRLKsp(A*p}Yv;W<r
z_J8JgW1X$tfkz9Y2Gi&Hs0tXf2x`R4q*k|dO)^0j1Ax2%>;3^;T}BQV1HF5bC=dkB
zLK^GXj6=;qt#l3<74^fj&B#%Cawa@W1|RdlwOjjhMtF=|yU;OuZnENu=X&as&N?jW
zBx!58D|sV*kq4HO(1CRMUOcnOIfA6o+puX0@G2sw|K-i_4&K8<=b?3W9}C3Lb^%6`
z$)JlQA*bje-Y3clLzfknu`oWNYQYRzqq6BIu>58yn7zJrur(EMtH}u_-2e0~00uB9
zyZ)4QolTj9DOpAKg4`nszO{Em@}=Cz<8@oz4EzGyV6wz~yB2e^hwz(E(4x2!=G@O_
zdl<@I$_ep2cyH@EmRRvo1WCkR#SiP5QcP{VE?_nPK>|-Ew^wx1^!_B?+m^oK!54V*
zp|7+HdbnGy`41C(zbqsTL1z`?cs?xXAl|Sco?gu>{<IOjg9rS1g@4xL&HllvZpYbF
zIfZF3X?Wh4GOm0xgx7nU_OCtjM?DAmAN2Bzrf+P1wm{(L^~(NgZQh^tRud@>JWE^p
zeqH6|%M{+P>>U$;{kSSZ(q9LTeD!H#apq(3>Kzb~HLn^N>I8uw*l`hCjK-9=W;7Wt
zVnEK$%p4zoJ8^PUGUqvKKZwt#m5()z-@(IHHYfo(e`cS;R=e-ZymMCCe%|M@V@4}~
z+SGBN9u>S$ZgStzs*m2I$Z^?|C8&IaCenA{DY>LSPgIG&y-(Q7{)&cf<DAUGg7A`r
z8hMj~c>IzT3kp4&k5>weMV`|OatnTaLc0zg9hsIN^bPe?@NQYD1FYU99PfCLZ3gad
zas)&zS>&|tO%V}3+vK~Q64EDkYUA-F)zWjRX8PbxvE8C<L}s)Tlko$26#+non@IFn
zpr%c=Wu=*&+k6%@-}>;`#u9$pbq{O-%^`Dh6);1?zdCwvkuds6aFgWu*tWrm!)zIw
zk=jlmS7FLW@@|Wu3Kg~P8a~;tgBS^pIM~bs5w>R22nyHt1UCUchY|6|=TI)ogngH)
zX%<yAn}9MI9_qN{2qVid1Pv&ho7kGRU8M!b5y+x2zhA;_CHR{7q$Ka7iI%pQnwpB-
z0{IV(g7{W}`~T8-%j@A1SU!garw}&$K6KE2j#38JUuVzxb66)>dUPJN6Yw*6{XTT=
z{v4&sdS93HttY+iup$0zRSszUG-f4&&Q<;L_XmXF=P1pr{Wac`|E%}Nb5cxr)cXiC
zD3~9BhqbGOJTU}+8j<r1B)AaTid56M+&9HikhComma43XW2|~iuY}^T3>%;GO~H~P
z*RGYn^UAG6@LP6QSAi^KzgdAjFrZqSj#f7))bBTHtpAe5!2cmqU~#RwqHlbbl&Zek
zxdq&@)qz&8H{Y_JmR@u#BEADQ->IeR<c2n#KU<+@ELgcDUq0!?+3c})!rDOsvN0jN
z=O@8bFP1oaJG6~#JzirchKfogRC{6fVpFV#w(PU&Z{*q4&fMHg?UwJa*lQVY3_s{6
zeZ)VdJyD&PM2@9Dk6rT~Mt=`5;>kH@gci$%3&qHB*l{6?V^)}QDG4r4_Y$pqxE6-K
z6UQS;i}to(zvs?8W>~*KJ#nDQ9A}DjwR8*fxrF++Im)iAgg3D&I)>@FsRc#~u?Y?k
z@O~XTqCdRRw`E^VeMhg5n4k1+*J4IB*G$})%Jb(fXBqd~X;!`lD18wgfN#O8t^nCj
z1;~lt=?X-XAZp68CADo1mfn>I_+>B#_(LWhG%1)je(^pS?VNuIY-$wQt0Fv+-S$n5
zq3U8D{iZ@!KLT}tV1>PV@X0}r3WZZv_dK!ImQR?1XrTol!rU()Pn@XFYxS9rtQE$h
z$5?Dx6Je34<j2L+)}~zJBKriXPppY5GGsTs8jf4g?G^sv&F;HRW|I|_Zn(>3?K-q-
zhF!*;^o8e(fWXqL>6hwvsu5^=kKRItK+sp$T%oNmPSi9RpC+~$P;kbaa$7{Ws7~w2
zqC)2$EE0?LnB3l>*~AjDPVk$b*XG(GYtTVB*8mfeptKQX8(IS_L@9y9@-^m^JjNk{
zE?>hqmF2QIW^m^*O?)@j>*797u!T<TQ`+QPomS})ZZh50%Nl+$rZmzaF)Dq}1wSKU
zUQ@4%$7;I4>83+Q$7wX6|B9Y9?pjIe(!V0aorg9zE6XzbG069G-1-`7d7(p+<hp+k
z>d2@BbUA$YQ{Oc=i&IqmIkm?&64fZ*4P)ENv7`g#T6!PoT=IM8B569>cWJ+TZr^+}
z{Y4OdQ$0B?CN3-{cJIt(b@n^p2Q~Hc{M$l--d4Nk^#;e7sRpTicmv_uVq(v8L$Ekj
z0s;v-a6%$ly}C;9hboHmqrb{@CQD<5zNTbKIRRNSdyo3*IwzB+H&Jx*yDz9&WPQ>q
zIhR-K9ko8%(>9x^{a{%fB7Ea4fic?-hnFwg_2Ves)_vhV$i|v~BDRFn%I<;G5kq)=
zq+=th6{vVCSmQuZx5r-H1LG~jaC3NtUJ_)WQF{1}uabf2YO-Q`vPzstQA0#pT2HQn
zKFc?%Nrzx^paot(Eo}!m>loma;K5TD6Mvz3^6`+O_FRr~G}e;YL-9OP?<yN_OQ!C$
zxCi!mlsH4?D?V{^`EQ$#e<PnNG7q$Cy1C-(u@qr`$Y(d5c;|7!yj!~-l!fq{xtlz3
zZQ7c;#T@)v>FuyeW1P&<Rw4#9D=!V6UP8RWoT$Qy;vMGjH9gQmcFo&*a^n7PFTb9T
z7Q|RioGCuhEN4mKsr}qtAou?6s-M(4LZ#eKCizWEb!)hXW)B$GmKAWjYe(X<CND?D
z;;<t;yvE+cBfI)#<wK(gh(|rY$kfYt&L$)Wfn>{pHi~m3+NRX?laT5c-iqI<RSI)g
zVlazWl)nnmo~`ndoidt^bPg?5jY^ZI!Ni6Uj&?zlYqgR*JUce8(+s>`$D}Adu}zWL
zGq>HF)D@*p&nu|EG*)<-n-w6r!K}11*IInL$JLzT5&6hP76Dt(RgRwr<sEWeyV^Nw
zk`t&LYgs3SF+coOLxk20-A4SLF-O~290KR@lr}dW@I+9?jxU=n<{(+mG3x<*EG#f*
zK*kuEJq@Ad_qe(*>-l6B<Qy1KWA^MQc0Z0zo^&ZHJeu2YjJ^5!yypx5keBEyDWXr!
ztslN;xc_`)Xr?sGsyq%`ZFms84^pem8ZIpvQ$*<txF<4CBB`W0+x|ImfuxNxMDLs`
z51s%d$z@{esnJOpD1Aj7*Uk{t7#9J!Uq3luQn_@p&T>)%gju1XTB^crE1qOf2mnW4
zp<mn{k5WKA^skFDwmu=#+cPvrf0DaVH-jz}*tEuaU#<_&yO+I+FSO=}-<7FBV_(-#
zuKRXRX}5|!W}UT6N6zP?IF(MN+j8>IWP;_#zT1wL5S~{ew!>_y;=C`sP2NZIk6x>=
zD%yUQ6nCy$tMJ%9aowVdNqw%2u{eFY3Ebdn)17bHB|%lry^b2UmX1{$6nfB{&uA~>
zE{UaYDB>0ppkuV-vnn%oZ{txvxc3Df?r?bOzW#OyN8?4F4ikf+<*sE+01EXa2-i7D
zit<hYH~WFa>A2}lVq8tfH_xd0lZW2{*(>$$kB2G<fT~<VZY<X+LaMAQ&Ct{6xrwFY
zXFCQTwS9CE)>KqT(rpY+zC#<Ip3U!oT(w&to4;_KUd@(Vym`*nZyLDXR`ewQM#l|O
zKBlUqzBb-UZVZYDaCh4UeT$}tudniET_B_R82lnw8!l|RAD*u7DA{o(qx8=)cuKZj
zSPTq5=(BUkTXYB>j{cfw&<D%&F+r-bl*p9ye2AoTJV$5LV7{609d|QnvzPS(+3~0i
z@*Z)D)F)<mwnNihsqJ9FxTZnJQ}b5|qf1G}6D1GgTZzDtq5+8>>xhGv7g>c~FOv64
zizan>>UOb_8(@O;6FT<Nr{HjGv;8~a00UaxPeQDQb#bQCiOTj~(Mn4!_0!vnr#4mN
z;-2{O1Djhj{3@c<$vxI6g|u0XZ?AdoJu6*KKgXj5xmhVbId%@i{Y>4tWeo?p=(IlN
z5MG}LmQNkop_vKq+ipJkXm6kkA5b;#ZRrH<+n7OUR04eO^SUj6`&4Hi971#p#ii15
z@|IJ-x6h8yp7wYjgJu9si-k@gR*P*!NwT-|cG(h+?0Apxw08UbJDE5>t~x1W%HBPA
zJ#P*};z-EkY}+65--QaRZ%|sa!@mRKkLS8x+`tPAp_4w}+;>-=`e>`Y+4`)#ef(y9
z@ROMM9zyI#{NP`R6>Pqi4Hp#A5)pR)q3!U_W8sHSXXA&q=PwlusA9OlV)~TqPQFO*
z%!dYCFnc)0S-alDJ$`sT?SBa~L1-n4?1$yO4(DzqW<n+S9&2R0kw;(?x5Pp|Tx%@J
z-S4L3jpgkf|D6cUWk+QR#Yot=Xh02;#M2Qg!>(S%37$|85gZ2LYPq0-l6*a)>e)3n
zx%S%H*xW_xmBiVM%{HVIU#`rq@qJu9Xy4KJT`)zKdu!J~QN!!N1^(H);rQs-WsaVA
z8X2>W6S9kG%?#zP&q_Q#Ey*cpK&q~2eKByqaIf8sN!syAMCzISu8K0)b8$H~G&1Lz
zj9{KCsrM4lJMHXs5$aiqoHp7w|HsW({@Dr+S9p}k>7S-OeznITx$h9E>+(aj1u3iY
z%krPi;q6^JuPeO_OJSi6O^_KcCGA~mJ&G1<izJ<0jVsSsa7YqHEqqHX`R6IODqf6w
zs2Qm#wW=s75tC#V7pLU5IZ~@1mN*ZkQ7g4SdlunTGjNvI!%2ZpsXKImuYdzH=F4M&
zzZH_-M@nZZ`U5aG#0+RT6HJWlenTh(wI(p+?;b@$R3#k}G@fqcS_XQM=QN7!-z@F1
z93Rxbte8dy#|r~Q_+OOA45>;hJ~7`9->)tnI)$Zo|9N{1G$hMe59K_*4G7{BP&zVz
zmU#YIw+#K`uFp8vZZR*dBg$_W({s-%GL|Q^dOuY&wmvo@)*g<XX$MQ<*9DIShRb=#
zY;XpEe;3T@|0i7^;ZS{J!|c7h{4d<SIQj5oYQdVmhcjdk9vmI;xca|25VG0FVWIKF
zGv6{WTb}%ecQzI?l2KCLLV3i=a%o%~-6PQ@^W>qTLX#8}Jq(EmKkKB4mPP{XN@%wx
zxd_KcOpU{O^vK!q_uCgZ^Vk(|k>P5tPd|KP|MP_1wI>82p2oXiqD`g2Jak^C$fVcd
za?odj>|+uXIdLgj5=gSypU?WUAJ6*MZ_j!gSJdy%I??}DIh!A$K(RkQ^nJS9GGZ7J
zAi?d*8|MU{im!Vm!pOo#dSoFAeYVb(JW}(e`0H?y<gxG(nwZ)j6@Q%KUy$|@j8|Dw
zbSp?rBWHZ;F!tn!v;%&4*6(_Ec1Xfpq~0AcN;XVTQgvzrT_)3p&mr_jUx_}O3v(LC
z$y-5c|NQ33zF;!f(vuVby=mgjaI|LGe<cy9c$T;6$x$4g@`S3Z1UrN)fW2<!VLwVL
z<@RP8al$CV*oGb4F6a8qJ5=nOnfxie!J6^fYVLOcZgS_?`GnhfzEE?%n5I2eL*5*}
zN{WituhJZQryFN|Z;Qyi%_xGmddCXqi>B}9eid#^C;KG7|Co?*1<4d!CiYTkaQ(2t
z{b!-epO*6Qd2i3D?xxVW{WJRtA}%9*Yr+4|{2#aE|MJdHb#rWEdb~VXePDDdoxt=2
zY*adkbe>qfj(iQ^=Z8jy;ka7V2fOXEEw^{v$UeV&E1F0hDY-CED$^-FR`41#zG_@-
z2_HFP5_D$%;edVc`+$}^NZe8Q(%aqFqjW>g7gKUrc6g}j6Q~-L<hPse(nr9befg_U
zVR`FnyY6a)a$$su{!#5_@?lFKL&LAap=!u?03VwWSn|wCD!7C7BFA%|v&-hsQpZ0n
zDO3H6=F6CQ_DTgSBsJ7@=?kLDWWgF-<hf>M0ExC&AhS*F_0S1ZQ~6kSaeV)0pLveD
zkgAwS-K!df7@Mq9J!-V~Qs*6DCpr14oHhu;aMKO>BC&Ab&wDTmu^Y@~AZO|FBdS>;
z<|U|9Yr#VG(VUmnbWhQCj|C3=0pk06klf!U^8Lr-+P>{~e8v{MG)#hvI;N()S!q_P
z(4210-I`x13!<%N?KJ9k6D-x;1QQObU=%=Y2L?tY<ec!MhIN=|%&!rQS;DH^^%0VK
z_SDwYu8ALuT!&<hp%w6N!j$u}%^u}fiERg1Mo|NE$YuZEm`>`l(4ifosHi9oc(}>r
zcBrU<2RTm<j_{~XyI{p#?LAz)p<x6Iyi7jbDiYs>d}b*~1if=SP$EfbFO#e=7oAz)
zjbwRY{R&j^bY7ogjPb!=U*CV32L7B7{@FK?eGgJ5vUa#Y1dyo80^<zxl{2@;@_aBm
z&{@x}0uPIj)lyjngab&8?S+vHWc%F(nc|o4gKPEHpS(tY&{OpAof_TL^CcCjeL`a#
zG3$WrsI``fm$tZu5R1D&9y{|#ewFW5RbEZn*Ce=ae4xeIjLm{qCZJ;!Fic9(7R4wq
z)7)C0CTln21{FSzoBPB;)x8luI5>l9uOrVH^kQCML~f=x^0cdGV2{;>gXhr^n!cCi
z$`V$+eZHGuTAhfN4_EHaHt0~2hC}SY5vn^z(0eDK6CU}^Ll=x5nEJEd*{D{~CwK!7
zjJr;FU(H$Erd3-EaBtQ<2acPE^0c&XEpcqW1L5dZN%Rl(TA+@p_UG=*aye=xPcIML
zCDoHwqTv|kmyrl#=?{XN)J}RnJwedc#Pn}sb|YZMMWfMkvMPk)WR64iWvVC-$1-t>
z`q97mLzT|ys;YLFtvB)JfjH>FK1zSEC;bt3|GNnC|K}eM@R)e(&PHy7Yi8)V9jmOT
zo&e(?TPH4)>(tSe*BsaC^GWH9YmT|XLm5F`27VkLU$UBZmM~j?D<sR*v3Y2zA*o0C
z?Kvd5NwP!##;%Bt4&A~j)BwN#7V-9eck7ZFDoKVN;MUp<S&xsmAG-M!Sg6%)TZ!w=
zou_7Za*+E;h0JJAqZFEtz;m|BvJ>&q-Xx|R(Al^4ji+Ir#Md`$`mpC-NEYR0dY{m-
zgkefKp}j5?qN_3cotttyPFJ?eEB(6B)C<G!fB=Q>0OAsGu3)^+!n<2%s;c7Bip+;y
z9WR2j4y37HYq$C4(WC%SMl%vw_2x#4>1@!`T+Zs<ibRf@k(pCpNDr#Fjq47^x<<CZ
z9lQG#kaOP%zfkoW3?M2rNNV-1GaL`gh9IvW)_g?EqDnaYX?RGUTpaZ6zBot$7dk1C
z)<f-!MlOPdP_V34y!6qo`cOv^)A^C%q!t`7@uFTsA0p2D?9NQdU^`zv=xWy9b+TVC
z`?bg9AOcL=OY>3BAWpY`HLmIwM*r*4dg7?<UTy8O{g6(%cYWc#l>#?BC*gW`>Y>)f
zHjTiAMI6*n1fJ1=so0d>4G`MgIC%0v%z*LFxaR-=Z&;0PnjeM^Vl*kg1J?V8+WMvk
zH^_Vz6|X;5v3cu*yPX1LWM>*~+G6CD?xp5FvV}G$ttWW{T%=~a$zK<;u9a?OhYpJy
zki>`QjUFx=$UDa3D=Az^L38sht=UDH1Goe(Y+*@2L~2Ss?ne}5t9sL{W@iQ{sy>a;
z{f|hOMZ;?TVzN+XH#qw0Fv32(OAsn48KZ?5(+***DH_m$&|;b4Jbm}+HG8~b-BW^E
zd2SpovwC&DUgr%GnpR6oLu!XapLcH|y~+11s;$W0>g->(%aqTS#9g|`fKvulM(+$b
zyqQYQaNfaTrHMngT6ATjE!2RqN1ITAuDHx2K8EP~xc71b`F;4hs5(T=OAD5V`zJ53
z>3HX%OC!-j@)rm<03069v!nemc8a!_yo;G=Ysr#J*F8msHLQzg)ypzFG5KxB+CB{A
zYKGmPLa(1?rPB#c|3cEmtgJd3A{SDoJy}`4y+(4*WsRSlfHIE*Mmswz_Kb<DH4$~I
z(S2E~Z&{|7dQaD|e1wZ9ztOsJt^AvdKWVf2x+9r7SaZrSfRnw#)5o`<)ASq~<U^lv
z^P2EkNKWXJ)+g)R6@0fVmdq-LL}lgG^xQo;JK7{hH&3`?8!5;oBO?Q9@IF>*?It)2
zeFxaeo{4X#SEa{izjWuP_al-`AK=@tw{&-%sgRgq(8Qx8SjMmNDbQcIDWGUoa?DS~
ztL-1s+2X!un3?Y+%XLh?%0=$uJa??lpQQOQ$`l0T)|NHg7{MJ1n8yhI*izecga6V0
zNhLfx6mzRUg5W#Ar}s_X;5BAY=pkCrKOk2BSBENA!jg4%?ejiKEmTHxQ*$F^E;jCM
z$MpCQ!ENaNM$<8~`{(+Xx{3`tl0@JVv-~hmT-<(sJb!Y<)-4VW5k0I><Inn3NL`>U
zJ<017bjn5IO;rPNV??b5L$|q{+ESVTUe|@{)qCd)j*LqJnUB#sa}ugPFR!16dV3Yr
zUVH~&G*QML<(;!4j*KNw=wgLvXBxtCZ(1+X2tHaMaf4s|g_t%}4)mthyCSy@=-Sl}
zM6I}8K88%`Nz<R<+Js!o1^1P^_!!JLQKm5KCNEc$6=7F4^hqhc(XzK5M8DP)nO(X}
z{^Wg=wL?<DA{wNPbnA>+&GgEG5+2gOeT5zQ2%syB`U;s61pwTsVHMw<BpT~$))0rJ
OQBkqJMDDG=Py7!EXbqYG

literal 23303
zcmd432S8KJx-J})q7;>?fPnOl5{h&bLLgKVnpCAjAT%jb{XRO<LkJxN0wh$WR~1xx
zFCx84@4YDeaew>Mz0cnJoPF-O_rG^2>sd2v=6&a#nKd)d%&dzq7c+nxs$d8hKtKQh
z5a53R7jpz(Ac~4l9>KK05Ot+L0@?t0M|ckaKsdU&!ju*6JT@@ALo)M6j2~fU7SEi2
zT>pi`r+fJMN9q8;py0oF=0EekYH9V%0{_4^{*S{IFC4Ed4Ib0j{DFCXVDmq)%n$78
z=In-l=Ft!AssmHRV@o{dvH2Tp{x{gd+4aZsk@#n15DxA?Wc_eIG$yxl)YZmcui*b~
z1D*k30A+x}kNo5B@y;n50FXEU04~S=@-t5c0IGulfLmj~{5W0#0M~;6fU4eKe!pzu
zZ02hAm*fcX|1Viv0|2}E004yn06^Ub0FWB}B@F-XU+8uRA9Ne9mlOWS2H*g&0^9*W
z0FD3)fDj%50rvpH0P%})fFj`XrAt44@s1GxOLT>Zh>(zol!S!%3OOk`IT<M#8O1fK
z8x+?luaS}6pu0gyO+!mdOMd<4EjpT8R5Y|SKN2ChjE_S|bd`wcDh&l01<ilkUAzZS
zUb&=1z<Qa04RDE);4&q_#YX@W-rSc7{^I`3E+G*y$(75O2(IFT^=<$FM3)IJ5mQ_t
zBqzE|gnx$M5<UyWlvE_F)U-E+AEIdJ*u<f_dS-43W&ML!IDle0F356r?SUaq(fbN8
z_uu2<v))v2iI}@Sy9&xy(hmsU!KcfJulj!x`=`)9(j_J$!3WAv;u{44At4#bWx`9B
z|MJ8Sp_Ej@P?tEoZCFKM+Q_E<0V2_dW?65_fab1j?7uh9ZYwD6T#Nz8FB9OicbO6(
z54Zs6y#FQO@6dx{J%((B*$G7JgkgK0#cPnG%-q|TRA5U3`K!s4l=R7Ql*#I#VTlJB
z{24VX!f0D>97S%Tls+rri$(MNN+SJ;kXjSoma@~zTx^!uyHw42w^ItWr724k<q92z
zp(vMjZk?cH#gc?Nxb0n^6S^Y<o@Zl|`Ax9vyT>qS=i{}CnCCyi`C+lr4(M7@jI+m|
z;Dyc7zGP<47&b%V_s?-#*Zu@7Q^VM|JiiaeZC?8mTwnio9x8G&u1no|Lux>F_D?W>
zHdcA_(+#OI*`}Z1duC?eqJK&)@AabCVHovGIm>JX@(aL_0cj$Ffx1mpQYpVCa7i`0
z%JRkN??z*4Zm?NIzGmc{=OLAP5B0l!T#4n2iK+O-o@_y`PAh#;^_EGNqi^iVSOOzZ
zQC>OI2W|dv-r!UiTYVHlpzgjS@Q0hQv@~zC&=pai#lJFi{;nAQ!;ST=Pfu*AP>VF(
z%>1@i+<kjvQSfa?1tT^&{|&2p>HT?OWuXu6gy?P}B^|&?qw}s|;Tk+)-#DA{<&P4B
z+zf0>{3V`$^n0W3Yv@b~Pk5{&<(3kxYU%BJr8~8>1GQ>shoQ6_%H?T8D$R=ALY^o%
zygsQ)w8^{xyp7l)kz)K>ESRMRMZ%En$@@3v`rpEeO&BF=g$m()walT!sPC$&;%;2y
z5l~eiD6cn!eGoZhXBy0)(iOpO!s3()OgeL!N6-z%a}HA@fWxkQ=()&k2!uMdtCtWY
zaS&J*@oDv7l1>)em^^xr>TfJb!_8088&a3r(QK)ND3>E5j5jT!60?$RQM)5W8(!6s
zYh%9e(~Pq;F41`sb5mE25X|HapRgmn|3!frO3ekAVSM>8?xq_^4(6|;S1I=~^I1=x
z{wrGXl5VOj75}R=$F3&YmH|efa!&4RSq2ITNVz5G=B=w$(F68pq~!>^&+6EhRSSdJ
z!^=BsE`6SabdR+iv+`lHRFCYr(6-L~*suYA-|zfpH{ERSgKWiVjI7fiH58xj^I1yv
zqXsD-yC7rZo5R9wxhUWe%DB{|ho!`qvrRL33Xy?64u`4KHaA&6mDI{$n!K=nDYL+K
z9N|b$`_<{-LW4wCqv}nj71E&~?0}t!z>1vf?L>sfa991H&HboK#f{`nN6VfLOtm1k
zS86D%!`_f?C6`{IA~`PEGRFC>rxT-GUeVlVrwH?KJ)0|u8p*~l6SM1{Xyhhd-A8({
zpZ(_a+f&-zz)`psNk!p<7($=5e*Zh8{cECUA<4|Ss_6{*n#gpA&X8RbyP;!PMKUs?
z2Yd;MwNhzZ9_SCsD@f$+MW1ijDoojaV`^vJy#Va(QAl)6;MP0y2E&jd+CbBc20E2g
zMKb%$och@5lc;;kmET3RI$N~m0RR%I|4^&{?v`eRi1kGC1NQw)M<L<x`|UhC#p1%-
z?5e;iP`0X;gbeQ$z3aE6W9jm6*)D+!WpT#A&iCewI#`@)<46_U8k#NuO18_3GR(VB
zCrC0qeaGCFOe>3Tz@sbfg@(ybj2zXYk}1&WufVxvzp@^6<SIED*>j!HkC30%q6X~C
z)NX1g*@Hv{UjR~KZO$zms&t=ydW_h+00h^jT*?PQ;!xHqonG|f3J*FxVlMy*Vp}_7
z#}CI8&vi!Lwc5{;kl2izLW1n!56suZQ8l9B1BP|>4eSDfA6LDKERog*-&vA$9d<*Z
zwd-WoZ^T!MX~u$qqSePYQ#hQXMH33OmU}(acN#tfmal#1XcnteiLRkEhT@>fu*h9&
zTXqrp%>kC(yvB3sCs(9ZUUZ}!9dG#FnOQ%*06^|VAxP*x-2Gn2GMiWfF4UVbdXp+C
z#F=BTY%Xn;$gIE5_|OS@60x;N%V|+#6)I%77vAGC%A<9Xi+^Pc@O(}e3fP^FY)%xk
z%5`0+tDc5Fr}&gy$m}rRMel%HN_jKNEb^6S(RY~!#|hLm#{^Zw&_NaIS%xpAc|}C;
zXISXzSmy|~*hDQLg`Wd}CAboocoo2<u)izZe}1Dk(YUGWM>+lU)3uha7)x<U%&xH#
z39)~4jN}CX`?l6+qTrPMZPQDpXd5Iyi-gD=kG%4&bD?Ml$MYG+f1c#O@TIN3>yz*V
z<oQMT;TvR2>$(Fy|1s&cee{)c$KPML9@XmZEBgh~Fw(cO9|{4jK0b0mww_Ni0mSe8
zi}ZeaU!Ik+r}?7QiJUWt`~Y_!q3uFp%B)|w+-MhCs<l2(q2MC4?U)*~X?M;L-DikJ
zcg6aSm)X4YzwSKN(^9YbyuVgL{5Rp-UeEnPLO*95o3$o}ezEnl+X@k%t6YoPemef!
zN0+a&hYT!+KC_|BrYvSz2l;PrxfmX_9N$B{H<#GmKBKr^EW7<7=I-^^eW!!d<Pyc+
z^S-ylXZ~5DxAhub-jd&vPk1}c^(|9?m|tVezSb^2&G@R;eTkejv0|1SXd-bVsARpo
zo)~0w;D|Z7v9YT;;Q`M()Ab0{tojlPv4($*Z%><}|B#}R`j8#MS>AF1I0^2KI{ltM
zcF<k)n6^{3Tq~O|Q#Ue?4%6<V4PR0W|IRX?8qRlD@(Sb4*Y-v?MjM%Xa}=`c=`LLl
zLRL?zE=c7JRnvx?boHK*5%v9{BvTDB`>#Cx%;w9HlKV}8j+ZHa8tRwrKG}~j&NNjM
zgw1z;SQnM6IQno+ra|t5;+mH4y?@J^<29Q}t<4b3ASW<=)$#VH_&gIS_g6@p8Ftac
zw2*>C?I?qM<#fs(I?*8NFeql=x%^e;UEm^6cEO9C-th5=&8?o8M9F|h0CN23@IN^6
zsv#{#*;220p2!$X_4U`s2(=U0l2hRe0PcFtsh$ZTBC|qp8vsy!1qjqF(O$NVEQtKf
z%B2%Bch9LtW!BVSmLgwf6}m_1L?8jsPM?JEHx&DKo-;{s!+07PE&vhnL8GOnqTfZ>
zTAmF?UbzVnmR1~>%_^&{s7Vxr9K#Ci++7%AwBmU+Ig4djXVD{=_+shd=oi8fol^T*
z8<zq;!6$L8g#*(f9FXWDw92*}a7i`nq^&KofgsZM=7US=H{CfspH<aaE!GXu=p^0@
zG+kbG(a81Q$@lKdZh2NO@t*8A0&Q0loqDi<ftVdPZ8B^$U?9A*RJ*4rcFY+mB7kix
z^NGN;sZ<f9##H#gm852|F7@P1)nBDaaa<5y^jzH-tTI>CfRdg{FMh~C@GMecjBW&B
zl2ESh@fBNtr9hK6DLjT4l-q#GhlL?K?Pc4i8-gq@n_reT-yoeFv$`HFm{KSP_maw^
zo43T^s;Q$?3~4|Zo-&h;uo$oBpu&<(%qWeOuD$CS=_ONZ$;PJQ-T|pqLx<M^B2$%^
z@<=+@=K@I<J2&z3IzmJuv%{kAAXl8ldssRf703jAls1yra{=(!jxY`IXdT0RW9S30
zi2a9h#@}{q{7upR^K!QK$PzsD?-m+`n!1Xjd8sDt7WHh6?A7>1aeRUcmX=_!Vo!yd
zcQJ70OX2lt{lLg69eS!l+xcpkR?UPS^TX;uq04p7y9iqmHa3wduLD8T1iE@isz%z#
zby5qm=rhA8sc}OMK7qJ6v`SZ*a-0UEjrcl5uOS3?%3Nh$!o+DT9r~rKxI!E=Gd%f~
z;#FCra=m1GQc(+E!`Ex;1)q!B=+qLVv#VWcCk=82jq^W8r+vfrr8`H#7O6Bqs5|}f
z5Qd>_&H47og@xhLsAPlvvyws`ol~J9=!5kTzRm3kN)^$3qm6Cr`7m~l+(}-&bu@XG
zw_*P42<B2Es3lZKMGEt>UFzc~c|*7pc4#lm{Tfw&(U6y_4y0-R)`Yy^`n4wO0o*u+
zQDo&qY&)p^Myl6PekkNl_z?YF!P0$OSryUbWXq%E<Pm{LPRB&?^>JgrG@<3venbc7
z>rarY`NK@s?n=XNtK94PxmE|pj0BDh#3U2w_ecviyE|%kqcM+eKAVU$2sg(j%F%*G
zQ@N=j9FB5GPUgL#=Pl|Hk^*u2r&CP=_Aisc!H;sJPHk6UciQ=aP-<3uGC0}T#H+)U
znUcKL$^$}(?@8n0l`sl$f;vz9ok58V>2R-4RBX;cOC*>fOTSSYXk1|rH_vYOJ1^7W
zj?Lx*)bWmEY8K5|3hA(Jk_*-8E!5y`z6mw^&Hajaxh1dUJu<A3aGjuE_TzoN%6_hR
zw%sEAwSzC8E2=G&#TY5~UymK}v`bN+s#BHa;)gm5-q(W57*$6T72`E9ha&r+ZVg!z
z<nA#QdWnqN6>V8;kI#E6(Ag-sTeTlEyeTE-VXR44sI0aU$R1?)oXU$=t+Ab+(|`k0
zpDknIL1>j3wx??-cI1bU+pApG=94k8sV2_6O7y%fPero^_pHoRw8aaiQ%QfMi5;Bq
zqZWatg-Oemn)<i|tJiO;rUU0=%D>2FN)2O$SSaq~wLyx|sJLXCy1@WVEpPSLij}5k
z6lLNO21<sFAYL(!@-H0;%-TEXHOXG$*@}wouqnTeU87#-6O($vH%{T}Jw;HO{VKEj
znu`64ZIPH31vI7{ou=iINQ*r8SYLvep_Ols()Byqr>u=$)-{|6Z*xh_ph>1E8n-U|
z67zbHiY_Q4fgi%tw(Zkx{kZ+*X+o1Bsw?Gp;{=Q}iG%t;s+!pS*s*LObxR?sKGo)w
zCTuv#1UlDo%HrK;4>9Wz9ye9ReUNe>==6=~QF_RN+!7?-5r`4wu$!<{4qRzFh8;3m
z^xGB>-06#BNSidPJ7v#S{KDIfBUPN%l17bbY4yuEvA2hJviIJcl%-{f-|8^qcR%b-
z&3<*_A>HB7HOR~w#}7ecGF9=JlBBR6wml$Y-u&X=1I^!5jc`|uh)b^Fzbh~`tmO&i
zQwv&c3+KvVYeLTne)JOh?88?v46V&)q79aJErYJEi1Cak1weA@ououC+i*5^;F8D<
z!HuxdsyBVn>1tl2S?wMsl3GI?Z(Sx_G6<}}^Do;O{n|NpkxOjsQ|tmUQjaTBvWFcf
z?KA3RUDw9EAD2R(N>s%Wjs>&k1npSXD0XTTgRO!Yke0?R0#&2N>EgLnJXCyCEWckW
zwK<g0H-)7{m1y&s1|`oj#1KDk@uZJFF!>Ud;HqA%iiKVsr46-cOPY5zwf($D6k@6w
zoJhQ?=6NNG57<PXd?V`m!Uf>zLyWP`N2Bg~(m6FqK{c0J@9lCY83uH2(Qr}ZUQr~<
zCQziEGQ^-yl5<Pwbj*6<u9{=?dfv+CuIIcl%(Md=6xR8p_i0&;Z`){WoIIq8jLjfF
zix&}LnzoK}e5^-HB|Fb0I-ZPOm{_?tjH}iITNTBqdL}>Ztz~P^AiEU(^$SI)XGzKi
zEF>SJot2mIF)v@mY%dzwBsyPQlTeo_5>mWq(_?*KXVn+3At!LlAx}o7m=kTF+^;|d
zf<U~&!om#M%w6K{D2+OKb$dH(9XVZ95bE^lu^+T~QUBa<<W>5cL!3Nu1%Rac!9VmK
zz<SuZmi^nv7psb!g7&Bo`+d8LQR0en!31Eg_;VOUDKc)K{uzEa0&$u^T>$zT9qYAS
z80)z*IZ;(BFVxfu6_7SH-O}4O0kAjmr{dJK1`920=GI<|?3xURf_e9h0hoFC1t6|c
zuJZbPD5L(jDBJ<|#cf2>`SO<b;?sHpNXzgAfF14!XKB4AUV6f)z4qu_!uds=^w3F?
z(0gn4Nq0NfVWtSVqMckm5%=mjMv$FB7GzceAr%gRGCae+X$VvQ8wn(5IgMJ$0qaEE
zKV?aby<0$N6)PUk{+mK!E|o9Z#xe~<cRoZFo`Z)@hvcJgvus8m$XS!Urb$CQ*%i<K
zob}Cx%4$R}zaeB{j229VVQ63C0C7c-syaJ5kHK=p@~?`p>wTkKk&%#}WLov@VtD#1
zrt^PSVM-69sb{9C(%;9MFL4<^1CEP-*iP4*^Y+b?;PC27b%6u#63|@$u2SgMD=9UC
zqqGzYUIeg<No6+`!$n{T(UI7$oh5psE^RAOi(6eE_tZ7R(v383lmQ6#bpN4B{O};;
zOE>3a5{}l+3q+o>l?7#~8AbCPQNfTRGL#IFJ3+a8u-7PTo4l@Jkt&n8u7YonQZRkF
z`%;>08-z~%lNlS%82y$yB<FpUU_QOLF{ECsBA<`@%78Beg|$+EELcS*nJO}LH35>q
zr|w<+w40XWb(QLEJ2D+TWWIacvJBNkvk|+C5^}&>lxj$|fq*VqEmY~Zj|{$gW(sCf
z3^7b)inezNII3@;eyV?YR*n#k;k~ig3OAOdz~$$>4KQ-dQVQmT$hLsNmX^Nrn*bht
z2Am=?;UPEwjj!qs=`pPP;#hJ9QS9iZyb1`D3l1)nFbYXvMu~gS7!EPMOc^?LL#c(W
zV3BiDGzkoP36xu^NDPh-633tu&&~z}QU?pd<M~593L%D?uP2mV4|!=7Q?hJ^L%6R>
zHZ4SkH$ze&@QKoFGq+2$;-$>k+NiQz>b|LUFA82R@YsIt^S!V9kT~=_=Z%z~`S_3E
zl9<A)PeN=Mh&zQi7)4oA@d{PRgA9tp4{viBU?7`@uCNEMno)39+#~LsA#2eAlfcoC
z{pXkfy&I!uyghn3u>DnNG9`8(h{{aGB_d=?{jx_oP>{8vEuP}bH~tM(1I)Zc0*h-D
zuUdWpJ2a)w3v$yl_djX@0MP1oJlo2xeT|wOGRytc8Z!zv3nvv#rgk#p6XbfnS-~^d
zlYx{JElAb1h4_`L>Va*&kS^DF6V+VDp|857@N^J<=&10tTVjuHW1(5X(2Zw!9!h;R
z+BS~Qm9eMMs@B?N3<%VB12sEagDfBZp#j0M`_R3C2^UaEA2^p+Ie<;*neYQ6rOK`{
zeTw_csF>#+_4d+2NNiMjfH{|&=mU|4Y{T<M+TM8jwS%+tE7AR8_9@`Jr~g3uc3L?u
zn;`uw)yQr@>JKItD)@qjx6zJy`;TC&bd4M2TRiA@D4HoeC+r$-fAUacP30(*vHlRX
z6)3Q3`<smysPfyZyaSBS2b9{A4pJvW<pzn#>56<`dK+!fW$B+1Z~s)HW%GNk^h~Ez
z${qTtp8|jBaNl!-cbeE>s2|X?`%~ag9bD?)*=ZgFd$PMx?w5)?=Xr+3Cko^S;gRk4
z-&2FtaS1F^L%~&LVl0}Q=B(Mb&)dgj%f2!wB)a!o^GD_<lHD3);!qNv<6uxf!V!Xk
z@1CrxCVZRq`>7_i_v`Rx1pEJC?eoHjJ%5@@@}~u(CeKtoo6zq6yv%MpZjEWbCI4>~
zSvh88rE)={&f$2kZxpGA-K1*g@*{~h^S(<b9*=%GXY=)5Bo}py>sdyMh7kGJp;1gl
zw<?3)S$~bIfy61pOjv}shA&rufgiP=mIpY}#v>3m7olnSp^z;^Loi;l2fQ9s1zx?<
zHoh{PF1b9M@p~P^ogdAFc7(-eSW5{{_Rvk81|%;R`w(&(`)%pU(oR49Xymg>YLi{L
ze&hJ&c}9AMpl#o406}vNe#tDu$j7VP(GN4>A!FFZp^q(Plgg<TPIpagVvMHd;Y>+r
zqGZsoslf5E3x3Fokr_)^rOnw*8q4K-Juf=e_`c4q0LWrHfD7Z{7%#AU+%#)zz)#ZK
z+asEtRKRV{Il_i8ZNsu2C^gtp!9K#$R+9_vl{rc#Q_2+aKeNHUE}v|u-lD>dD^}Xm
zogFOS6k~S3CYda&9VMI3E^ZZxOy^`!ORMe0geI-)-x|FDv;jZkU_3glX$jX@tlx<f
zs9FWdauV)Wr?7Qm`sr(9PRX*^Q%9^|^JAGji@f^u6R~{axpMZjgzv2xMQFw{5li%H
zf>mP!@!Gaxm>B;nL)MDV--IVO`%CyiBPMC=H^*uwv6YY-J6&bF7Q2+NXNF!-^>U;e
zGN-@mh1%^F;LW@##42q#-(q#X_FX!59aim0$7C47P64B87m2g|46>UQvja}&GnOM4
z86Q;&J~w(2p_afTs^;q7y>_oaS<Oaakn$S%lvhE$t1sa$gi0%uP&thS=)I(&Wv)NT
zj81XyeOS3@G{8`AE1C;lU+(U*YrU~&C&2q<qry4|yw1Oj*;U{z3vc%D>oRREL68nt
z@x8Hgk4TAu;5u6^n$u<TOntZm`ht0)3}nZ{Y~W|l%dyh>QRS;q)-<FOVVr^_d=`SN
zYT7tN&4Q`{&y;B~1PrtjKr5%7Lq~MQ&kLsA+Qn{(CiNJR*E&_xg$%VH$&-JGW)F04
zL1!b#fDmesDg>t{#_c@#XiJKyvC=Qu#8aT<R<2%^_mD)Tor;+Fw>iI13EAiJcrG8<
z^Sy=Ait<)_M8mj`#_!I<Tf{FlI7L&v_V3l9ygyJ~=?xs(kqOGMV6^AFGcdcbpS;Ox
zp*|*-Z<y6+m_JElx9?%hm5v2tMHf6iTZ16l;ZRIuH$;GbFZsE0f_Nrmwxs(Fc2-EY
z{@Q*OxBe{Ha$*+O7EbRfCXVbFFhXau$sl$7DHW?;MqN6vuy;SBtYRtChYvp0;cBu7
z3>A8%O9i{i9iSGW$OnW)NN{p;`CT$^;rsCIxmQx7i2Ar-F=(`L(j{*;&lp-fvI@&*
z3(hfusE49LP@~LCqH)~NnKURv+jdbnT5iBmDnZE4^th7siw>AA+d`LQt*G5$97<mp
zEPI73iZf6|M09H+=ly(aoIUh#T2E(FDA7JW&crb<jAnyeNXEOV`aLgtFd<dtKD`WO
z3VwFbll9UAE~KUiNBej3)A|hBkd|Q@>1!b#3U<SnWCfce_rf`gP@i*VB8M@3Ah5xE
zXBV!!PbWMRfRjO$wLrEd$!nmtSY1vYS3~-Tg4UzYuwhY>K=zjGUP<!v_Nrb-g!x#u
zMxah^UZoU%C4?)KIeQ}fUX9*Bxx&C>eOGvk25;|gp@j7wsR#t4ZR&k#*SwbnY=-*R
zEhRc=vvLaroceL#$FpRRRpkNA^*GD&)X{};*mAaSI?thw9&H5!S;bMI=EI;o(?AMg
zn&ft5BWHjM7}6Y54-4y*nUi2ySsJ_m4Bm9|bQ%%sgcdRPdN{G|Wer$K5}no$d)O@_
z&ul`WwEU`31CXy$k$v${dddu-l&*~}dbnsz+Prk2c$6s;HW8zf(Mg7A1jR#Fp>#;Y
zaH$9n^$6)!^ac}luuAZaVO6Ii<4eEa{raYpl7Qp+sh!v?82U^LJTw^QmabYs|8xip
zpHL2D5KL7_^hT6gi!qK}x1LZcr%vP)yM<F2N7o7u%tbYFsF>1KBtLzF?Iff%Xi1ZN
zyLk6uM*jxKgh1c5<?ICaIZiP(sX$p&8L*wfa2UI5badl*NE~Mcv*%Vx_v|y%4WEm4
z=Fs_qIHws%ppp>LD+a4V=INWmPF0?de<gVK#wf9Zq=5EH1zAYAi;^*;N2a2kHb-mp
zx;ri8gliyu0D(lQDa4|33FE~q+xG9vZk5-WIDNgTQmajsrC+R$C~%h*z6MHOEHEM*
zxHS+j#&59Mbj0Od{VY7<n(YOkuA$2`47bq}=!lRig&R|?eE#-WwC!2HE>6eD?0WGL
z^FtuSfRZwiAZ=A<by2`+xw|GbRV@mO4yNSggDgbGB(=4o54E0FLdQCX#>W!rN)1EH
zRcR#iWl;^;Zau0`1h6qHywY8@+fw@NY}$iz8jKPyM>K1}%2o_$FIir8RkgD#Veeks
zm{6))uyA~=n*oqh;k&Nf>iV@>x#MZH`7&&L@?av<*Qryua(YVOuy>v(ooXQR-~ymM
z=cDTOp^z)IDfNZCvH$Iq&hWcgfj!UiQ$3#biLy&qFa+TAB2OSiY`^7ozni_ueyCvB
z87{cov?MvWi0>s=zKA~f(M|G~$Q>1Ayxe+iF4%ZLB+_qqcty45Y^uPU|7}xP)zJ`5
zuaf;2*6q9BWu;{d`?H<`E(bgRh)1&Bg#=qaXIm0sk?XWL=spMDYL9zdF9ffr74HYq
z3b!O#Gv?ybtp}L2Up_?Blx%Q-y#^qYfnqji?FYpRlk8ZrGxq++XM8C|D+L3!;Ys0(
zk#2jfEpnvY(A(XKR&P!hF97r;f4!1BaeuCkcZ+^CvL5;qMR~EcR%EPuNA`_+7_pQ%
z?Zp1|(z5Gk?{!~gmBPQx^%qi#v6KCBK%Z5%UL|ilJ<r-L2Tc_Wt=fnkDSqaK(Yb9O
znlIx>=?senBQm_N^zw>q3w-MRDeRZn2<`PkK5H&Pn|fx9b!hYjV83IONOd~FecF9k
zmST{bN7%d#iW$!RD0sl2^}ebPDSuU<j-;_(FlOZbahrvgTxCNl#+~?`rQ}a!Ix>pZ
ztL)bPp&+G>qSdH_f9<=LhkslY8Gjm#^(SH%QhBq%jn`l?q_gbH_h&C61OK>$+>c)~
zYOhm%WPhmm3n2x3Ae*h&Zi+t*Oa3+20=5DFKBE6S=h4E1wo#_AP)!1BHPr`)IB^gX
zsEJ1UboFxi?9{yaWx^A+GM??Zn(us>bTN<Y_>8FU07HxskK3IfPJ*9M87iGFap;+a
zRGE8upItJ?F92M&P5^zQ1jQ1gp*kcI#b>F9VbD&aEG8_X^WQO-8FuTY)ey4_{tZBj
zuTV5qM}D5%(~P@aCZt9_Z|mc?qE4*E>(4%AjDEAC&NhUmk5MST+_<`1GfBflJiQ$l
zSI;VF^$~q|0Z30<*@O2!=qF$7Tjk9)*!#*?Fi9zhZx<eSEpv-%kW<rp<>_(`ORu~=
zC~p0zyrgR}jjQ?D_3O7HoctcD@9Q-NQ2k>&@FlwdXleG+RoFfT0A`JUL?n2beKhj?
z)JJ}OKB8YqX{%&s|M10V>&={LXg_{9#_-~nm1!)Ac-`SN-Do4X;SRzGy-=W#U#{(o
zeUt2R#p+W{fK2faeW4&fo@QF8KvvIHZlM~>&Z_D~4H1q@{$KNDp?Q^%m%+RrMJsYY
z@&~yPjt#(N)|%*oDKnhGEi~@0Z=>f<Ade93!+OS9#@g9Xs<Fa^TQ^|)a0rgDTyd2f
zn9EAaDUiY~nkbR!f>@1#)R<-u@FcAD_}X@>C8avDaj>y#qVu9Y;cNwpIpC@=I28Tu
zX`Arx1Mi>t<T#3+d6#n~Qcc!u8pI|!Dk;&Z@cKjyRIEOf#@TIl%YF`m>)m_agf^?*
zji@e2=s<{1<&Frw?FyvB)auyUxg@<=;Au~&FSdi)s7AK)LgOeGA_yX{VK1jatG=q1
zPA0%*7&zURb#Smdouw$yjt}hC!{X1~-Uo4L(FHs$9l$OV`*puQ(cUw!^T}8v-&&};
z)t6pf+~Ko|ytK##5L_D}%`S8IN(D#cPy!`o;jJcOTjoT9-a|wc96ZSJhK|s{0b)X$
zX$q}FZG(o&46+EbWm4jsura)Bi%pqIGV-Wk;x~>)Vp3w)W=b?_*o1ry1?BkdlP25>
z71BM0s1X>HrGeO%NR#DW$UUj|*VOpG-gT(FHtrz?tbdefn#z~*NlKKBS6wYS{{CaH
z%3>)xFxX%Uxg^4Iq_CJ+RVPzZZJ)s4r#Tg8uL#eAh3hDS)*K|78WQpYUF?9(dhwfY
z<KaS)skfL2eRD4WG(P8_Uc3rM=u<u$N7a3Bv21qCqQ%)o3G=FTQ}wBG6d|oa**)Z8
zz5brzWfy>#vKIjJcYUVm_vCz}&$Tu(S8Lv(;<D&B(k}qqhrI{JPdZfkVy=6yY>4+x
z4oW=$+-}3y+FzZB8!uw>bW`i?{jW)5TU&HKHajTIa67Q4t*#JH1$XB>viexW=@>M3
z2oXu7da}Fijc+#ygJlNR^f4mPig@IT(qkpSxcCJi$T({Bs=W}$yRZ98Qodv5eX`QT
ze_8A&a&MhF(C#-mBv-0_`zp_y-?Ztf{y)sb<cKZ+`S~^xhN1!hfOE-@rUm!}^;v81
zlg&JI`Lvw<H_dDdyS#n@h?0*4ma6p(pCP|iookQSqlaH@OmlYXB_-S&ei)WUc?fFc
z%5iIp;(jOPY87qK_I=&c+>@)<agAU#LZIC`-AOkErye=?oNKW&Z7AdFRgob(ff`V@
zfEnYq&F@pGIS;Ih4xlx{aoT>Ed+S4GNUxRwxM-GIiv|ZA8b?19r94YbXa!wjeAzNa
zRDBbUuB^8gHp!c&=I9PLa?Kv3c&~$9wwj9_i!lr*4um}inq~t9o0V{u(~N|*{88hd
ztDPzgKiU#cgcPVN`ityj-=~MTr2~h?!ZBD>6gUlAk+gr07`n(<Xug-Vp}AViwT_Oe
z_~OZD-eLO{@-lSAmC;O4qGRZUE-xXAkCUCt=q!GMd&9`uldRkp;c))mak6-DPRTmc
zZ2;c&$vh+Drgnek(+b=ol|i$c017TcrR8-hb6McJT-$3$uX<NF4pPBXfxFw~cb`b3
z?t`X6$p>+rAcky?1M0<`hijsk0gxqJ56m{>374k+qN{AvR&nhOB&-vKtxm(U+mtg>
zIjT=Q7^s|5#t?q}tb9WAlE9^dHhd1465=Zi&vYk~1_vw1bUhZx%z&xrFnBoM^{ati
zckT3oSr?L1uEN>bH`T2WTk#1^jsqU<`X%d&ss8ns#-%7=<H>Bi^^_mmjJn&b9C^m{
zzkSM8!p0Ck?%8E-BcQ+IT<6$n4XX1{g5?^}oXKTElC=|c^9D1Xj)&xDOAOkeR=8<$
z`oOmAExtr?sV87Vzsim1j%*lrEALH3zMP3zs<Qj~YF0yPvlJX&5YOvk*iMpBi6!Bc
z--%KvfMTXf1_f^50;G|emZsuW?nwpzmpWyFV5L5=Pte!J_Zn;*ag=mdswr=rbe{7Z
zeSdiYczD3V`{EPx1>nt-Wzner-3?RZxU4UeJBmJgS^V7hn?Do9*N^CZH+-8L{n6oV
z_T}$bWyxtVlq>ZizMUL@j}6(KQ}dR3_GfqZmn{hY>)l;M9wx{1z8b%*(AzVr*!T&!
z!+h0L_BJ{XZLl5Nzyj~Czto_9Xu+o)nVhO6x;p0GFwc?jsvV>p&`vqCZLmo5EoDG%
z(CA=&I#O06regCOljxWQH6>*?r4&1bbJ1YrTp58;dolZl*gMni<EEeJgCnfYz7RjW
zu{<gIO>fs;<xInAq}>0W>o1frXkvmN&dJ%|p>6mn<n}L=>o%hAAq&<@X(N#zMZD_v
zA5G@NJt}TPzMM4YyV)uN4Kct$tWYy)ce4i(`4ZES3w!Y+ztT@WOc>xMhi|sx{-p?Z
zR7uJz{sGB<LkGnob?Z#kWG=;^aY4~sUR4=NI+E6SL*+4h|Hjmvpd@ixW^(kCexOlg
zp^;zaqc~n3y>%Ys>W~4R&z7-_NmAyWWX}-MIu5%4*a3Y91Zso^1y*V957_$45Hq;&
z3DENjVj?5o?%up}xx-LjJfZv9PMSUd@aW%r`)mJE$qfEl$=VdXTsRw<BzrQ&@pB19
z=?dO&2DV!9Ek*rqj4$N;<t<qo@Pn%8v?Z-n$z|sBK+uoZ_oce|EpOa%$r&-*`1B)f
zS=!R4L52S?%woBOpWhCae=266!|zeYYxsBWsRx_2hm|4+@&XVpbUoXyb%a_zr(S+(
zb~^6u?F)ce2j{5nWzB4%QO8T03D{lT@F1U^?irzg2`ND3ivlQqV2AnJ^a#|PJV#vp
zcHRkm>iapTvao;GV6c(d0+r&-rJu~wn(I{X%@DJWcr|{qw{yn&|7-jDr7V5~!#rDS
zr9(bpl({4L-r$Mc>c{3*d0`8pMK&hD(<-hU-Q-6iVmxP-rD&a5f%EF*fhQ~d-F^47
zhtF|${y0_eGqrys->-BeO8PVTqv&&N#m{}%<gfkpy^-csp7DG3e_@yX_5T6IDw0t5
zZ63#$pbUDJG;Zg0Le(}jcom9`HKek%hpxzuvatyy?@?}<nVHNrpuNG7#3J`Iqis#|
zeU4srFU_ai#7%u)_LGBDt!W?Zf`yCA2_k=bi+CL`2CsU)^S<^+uy7P2iQL*r{&ruZ
z=F!%})ZSLnyV{LseXbhShMA>tk@gPnEq=x!pYoT?@=o8H3Pd96hQ9koS{PXiOWV9F
z@VPr$?6{h1^u7F@s!f@39x5j?w?g?;iRxJFJI&X}t-{PZXFpZ&=MeT(GizZf7~cY}
zYLFq^^rQG7X!6Kty<H$Rb4O+PQo&y&dz~$a>?UCmZ_c7aQpMZ~EU!|pZVvb4e29|<
z`jjz7<pgK}O`I#?)9;rc@FwpG=f(&JDZM5{dxeo<J_KYCZ=AM=#0eFDfV~E#D{<7L
z;wU-l$S_@9y{{JccDl)iw*2=+D-TWF^+l9)KEBB00JSg}-MiKGGn0QBH7k*0+#Pp%
z!hP%W=x;67f5xS6`1VZUKzh27<d5K6Emd9rtRy74#*4K^+FHb_o(d=b8Hf0%$=k&z
z;r?&`QcMx9wJt{Mwc-UE;`y3ZT-6=q`s`9;SIX?!v`eVAjk;yq=Ox-_Vl0Dmhd6Da
zyrcrih@>{>DMxgovB+{}B)4YhGJxdPuc@I>uwdh~N&8XDw{k|4?{mEl=fLoOL7tus
z(ie1w)C)U>q9(-Cy_qqiSDb`6s&n%3v`3FOahQ!quzZBz)!paADMEoxOTDe@LH84>
zjQR)hb4VN6%Y(0NfBVsn^#5_GAi?FRQD<M@FOU+kh2_n7Ir3U@=E<qI$Meb@h4%mw
z(wR^1MWpAJ1UA_sVz#>w#6l!5?ki8;-0kw4wsfn?Z2gW?GUR*?xZM95KuE`rI??rV
z%d>vHp~|k&$i{Y?-3289=NiK7#qlfbWcYDia=ucjih_#)O%yEB$W<bXkJ1L<13{Rf
zoF>ZTnXn^DOMlzSutW-G3fScanX6s*xuolK(h<cRm_kxEU^_iCdDu5L!uJ3w0B>Pp
zFxxn;pZ9>?F9ul2`Do^Tlc2E(W-LwgD~DyqEU65(t@_#0rG*E8K&o0TtWN&myoNbw
z)vF3NUp33?(rq^sU~scvM01yY87LPgp@KKh^*NLZ1P6xTSCzZAL5i}_F{WCzvSCkI
zU8_!nAm<$R6Q|r*DlD8AKN5ywBfF~OSVEH?^aB8~_=TBjp*7dS<>)hF!HvM~N{GnP
zI@m9O_U8S+?#*?wKdOZ6<Gone#~O(kZ8j)u`^o_XUlWOb7WhpC^wd_#!r8pPK~%~4
zj!o4IdeAZ&^<R`NNTgmN^AkGgL<Zh{^I`Sg()^(U;}1@3rN`|A|JwVXP-5mYo_lV7
z{VxPs`hLRJ$wOr|yKgVXP`cUrfx#w2;Yax$w#7>&h6h5^@IKJe9T=bH2ks~9tvA%f
z#Is@Q5orUKHbHU8aZk^%`TSs{zIRDL_%|smr-r04+mFqiA+zjYx9=h%JtF;S*A;~$
zNYHb;#g(g38wS-jwZsTuy?DH)KEm-s%;h%|ePgD-B}KEY$8o}E>8!I&=O5zN6s~oF
zG82@}py_hhVO24%2tnw)t|b?6!qAG-PTR0uNF1E;m5-ex8GpV9+X^mTzt&viSS<vp
zAS@`^i>f;->hMD^2sYSi7qeQ97YNW%*ojOi^wgH6n$9=ajp(ex6P&dNf`rAwweIC8
z+$`pCPBnzBLJWYa?Me+tPPCouzki|ouK8{kUb97-`_;X@xP-}azGl)@jW-f)C4->4
zN+y7f3fS!B8^~psa#qr3X!J*j&s8JBsPd#fNp)d{^+Gm7u>)K(r{rm|`Ke~Z4G>XI
z2@y6<`s7tH$Ngb`8;=93PXB>mtr^5oYV2U_u?;QmE)M>@G9}7yAkAQJvuFKjFw>{k
zK6I<0ic!$4RXzdB=HI?~#kBgNuW}&mLlAZ@Dor<CbLm+mw<yuhw?p#XO;Z8kHk0EI
zi=?$fzlbakd$6k+tuuz-=g^*F>kGJ#LU#vCs0gaM$eC$862$P8KV9Ed0=pGpI%ra(
zi{Ld=xw34A3*0(x5Jk<R)Te1cu2={=grjRajV0G~bfcDSDA1uEV%9-U9qlqx$Q5!-
zl<Tm+u#dYc`|TLNS>dDok=5t7gO7tITh(|w0%q&!6rF0Bj#q)rQPqYpy)^WdHk3h=
zO_HX;ZTc~>r3a-Bt`r-BxOk(6MGvY$No^B##r(I3tdVX!<Adq8!uEkJAw61b3ABs>
z>E-a~zL#4ynT6VS^Y2truExI%!P*$CTSVvizZ}f^(2N3OW;qh5U?9`zz%n(>WUBE9
z2Be0tBgEB8n3HvIhS^Xrp{Q#(Atii7q*PA>?0eSKjWl!|8z}w+D+eb$k}B-4=bT!F
zw)1i=7JEnRe^eb%&d<3uL2v0Qed$Y#%J|{<+ImM(N3yy<2l~}cQJ~qLYlfO=ak@7h
z$l5Xh${fJPF@t>EzV6Tbd8@-D(f?xs@_0azy5PFJd)>ZrHtt2fnds(6t}&Q4j(4CD
z0#oDH`*zA_+JW$@9>0%VDNt$|yD{2juH8+IgV3`FA;>r+@$?S3B15D`4=PS#W|RnX
z<g+5US77VsnmUs!2Oamav@;5eDGgAFL}iPpUO7s#id#x0Eq9)*4o1zD@RwNaPWJMY
zbdWBnI3^RbgU`txnqfF4VseOmxpIaJxs>uM_-^Z)ZAe`J>V?*d4|&Bp_Eox?agt$g
z23cETLsCTgD&sPp9VwC5AJQRJk`+&+Cife&-WMpwsZ`m;6_PyiP-3Xmb#cwv&Z|_`
z;Wn07=DxC>!wwWk&gHD}SRNOxG9PzOxnw6O6l378p1eI}IH|a)Vo*FU3$`{y<;c)o
zsk;&cQkh{Chi~L>aJ{pfxI1D7<2wwj1kVl$+3-EHsL_fCSF~}ks$&Oc<8n!%l$a<!
z`V?KFPNM}DmD2uAvX>NUuW@_GHQIIvS7I|~If78rjDlXGs49)4E3B&wB+FvwAl~t&
zFm6p0E;T<qYUUCzIXb}NrCzFOWH{jhuAmD_f#m=pXqZxia`3M2Yr7$aNh-0c>iuhc
z3V9DfD;(`B&XW-FXle>dfv)W-<Q}oX?Wwoj`nDsVKlfODHLm<po?@0_><v0lLZm<H
zc-Y~`J8_6Vl@{&=;l$Gb>W>_D{d^p&Mc~E8BNUXibW99IE<D3GS;doM_#nKy9Q5=y
zgx)Iq*osw7J56c7jn|zlwh7UqrG4?@E@erZH4}+Ryc8T=1LN%oJ8mS{W}-$_aPjWU
z<9#WU4_viW8DR&KHw^M>*6g9&Z^pz@5lE3-j(8W}kIL`59;cOu?G7f2%|02;>lKf2
z(JfJS_-MpqV&##m{D$)rT5U7GZqy>w>7l2Jz)Ew>!`Op$h<Z<0SJEbRkxWp{*kBh1
ze?;pn@|oQ`uBg-@-U@Hu2)BtqNLUi3#i1`!*&-KQX4lMpZ`YkZ<Mwcmlm#L;Zy<;x
zHYkph7xFYLA}K6rkeWfsuY2mNem~P8xzX774VWKg=F?!MfA9+JJS=?(9z9dUlWgw+
zURF*2^=#->@BgjY(5)ImD_`TKs21ptF4Vfvjdw%$rd|$>r)9&KVH}lF$QTpHLSMEa
zEJrm0nkXC>w{O9|<^vpyU^Fc6q0hNqq!qv=97+8Ex_#snKeT1UKSOfe<3v{TpzJMR
zzd<n3G-KbZyq*6&jj!zZ!h!VXj$?uklW(=O8y!l2yZuLSGUxM4F`@Oo8TsC$PXH1=
z)$OaE#R=P&gUi+ir(#4nN&){Yapx)%Z=e1}%Y+$HIp&RB@ANe*U%>3<G&gRlO8@;e
zy3SH9Z<#J6{`f>?$yvx&o~#^2J%xanl$9*#;L$({m1v@cWLNv<=Z@EYoPm>Fg2#W#
zCETup;+HmLm-m3G+e9osbL0GH2CvLI)a@VTbp4;q6{;}N?~h|qbcZc#@c8A(GeVJ)
zffD}k&^tP;O_=w7Toa*>lW^C0i66sY@pc>rf@6`r^oxw*DT)-VRRa)(D@au0!<)j_
zBR150q?WULUS?Z!*`#K!HVOwld-nh!v-|$%%=}-icK+uimu-lr?SIB!{LhK$AM=4f
z+<S+IcCMXR29any12LuCgC`(-7yaZf0Axwk^8|0m4-+2^=g5{Bvphg5MN1?{BSyFP
zmn5g--qDpFK=ACuZ+|BA<NE*dROWB>#D8vp_`{G|*(xza^rk~K!PA}o$4LegO1-^X
zON=|chqqCA9at(gqH)3ZFVqv>MRVDBy~tO-|6utNo|?c@Lwxu#|1bCd@*w^%S`ztL
zztgH7MYQi~-%isD84QGdF1-W;S?8REX}cyr_-=Ut&{aKF%<EZuUYReJp4R1?Z3%y1
zRjdBWzwAXpuJ4_%z~4{X&kGW^LmCv0z6?)ha?A><kXQ4fu7B1#&?ybNo%cxIKz<nZ
z_J#}Dw1vKhZzLy<R$pvfv1}z2R%0)EN+E&PNUKZ3C|ja@+dr4Hwa>d)>hAs$&0i_0
z=RbVtV^XnNkmkG^r_)sW(u%&~t((M?oTVQp>}u4F?>^oe)eYUr<S^rr=hny>OOz$e
zRmDuws8;HV)vXT(YGr&VrLh{uACHQv8nVfPxa4rolQeVeO<rr3dALhHN`nYgsI~XB
zpk|*KCW$7yq9msn6lSaEPMJ&m1Ougd(*p{MG5Q;G7&+NYnb*E_C`dXNSpaEL{PPUA
zhMAr*)R!-$apDN@hj9ODr$AH($r|@*fqwHfR-bkFW^Y_j<sIO}Pcy}9zT-)NAe5{P
z$75Gk5Vg?sXh)XcW!SW_-#+r|b{v2-bPaSVS$KEvp??FAF#M$y{|yT4|1R}M5D`?;
z*;sPlWOE|oy^?LOe-I<Yxvha7w(EcU=5N6>*_fkwPjB@XhusnVTMqMN{1VZ{KbFAo
zhiX@UwI)2`FX4&mc{Oy)T~Z;*U@4bN2?>2p9vRklN*?wpEL`uj!0DX!j7v~i>`~Id
z>&m=(?J7HJW?3zjkj_GRQdEG*1we$(9NDtPHGN(hb7FVXqG|l2w!Ja9_N<Nrzut|P
z@NcZl)0_)baJSFv+163K%ams+yD?=9aZ=WNmfxMWPjTZv=VVCopW=xDyes*~eJ6bX
zz$u5mf49HCzGDx@ZyUHq`~F9~TLoJF_dPMK7XXJZjWjwL-yF9fG3TRiyk!rVm@;?r
zcS3YmT;N|%{J<v~&6O*tFCxXcMqkBRGO^plAlFnyq_a9tw=KJ9ymuH%IUOQw14jhR
zH9D?kB&(J66__;Y`6uw@eSaM5h$GMan5wa@j03|V3_2L3JI4XP7x$X?mqbI4O69kL
z%C=j@H2FN`vwFtv*)ux3%xcBF75x0{5Hx<NI&Lra7+R&M8)LU&9r;}Yt2srh8dRgr
z%ByOuw*W?<cnvsa?O^2FV5{!n=j@rZw0a~RO8QEBLW70<yhC+$cjRSJu(fqv>JSvt
zC9y^{u585~GSk-9sYkvoPj|lqh<nEN9;;iFlVx<2N1xxrm(3wD5oqR!yltB*zzP}<
zN<c>T65)7yNb|bC_^qhcIdnvRISl5@bn0J(YSP}AW_P((5x{-GTh<YUU>8hw<P<o-
z9+7#Ae^{&7$aF9aTBvi)9o4;3wo0ZL?d+IUQ(Bg7xo@S68%l<AY_cydO0}37u{i2>
z=R1U)muhe9y@Jm7^SunzwSFDkWq0_f0%>B!tC~|=^Z7CC4W`V}T46K45<VPUX3tzS
zDV}Mt-eK(Cm1$CAkXseJEtm{<AAlCyi$Kv^iy7)=2CpohCYrQ+8M~+c?$O<lQb~-U
zgB82_4r^;4bI5aEqf$YQ+T0T3=~kY!a6T`8lX}QME>|Rxs#<PT%~SelGW3ygbh8t`
zLuyj%ayMuNKQMs+?_w;~*ruFTZ>**I)d>x+o4+xK<uq#4adh#Do*WRi&Kko-PRukp
z6P;1GN`6ECxGH1|E%NP{d`AFNjAvUF`=_jT`uU&WN)WNs6fxc^)SNqOp2mQPm$w@C
zL@tM_rVjWy-%FwQTWYWmuPwA~`m82CTRFNduf{rwU32pyxr0(0NZ`#~iK_`igY1@M
zHfz(%`Oky>hfCHhHw=&^kDUh%^FE_aM3^looGsUFZUn+&?V1>9P|3^e?UrqsLz2a7
zmG(Av(huIiD`j8l6*2Oa+CgxlF7}1FtLS9GJF(>o`^9$bZf_=SG}mLt9jNUqmsSp$
z8lS**%{qT8y!)`ENB=VG7bvqsPTjmA87v(!lu@$es<K^dz))Axl2KQctX5(y0OO<4
z8FRH2y8=-NOY>VwHbjk)M}{}BHn$f-Eo+aGItC7fEBLLI(t%8x5ypwu^>Uf&^9Fat
zaVXqXhg9wfHC0i$5yGIayilI_c%aC=W^)&^OnWi1yss4oK``5>_hV{R3mE039NuoR
zs|U$NVeu0<aD1P4SQMd`Tul1G?#G-lecBJ#I8;H$;(MJ@kBsY)0=y*>0qpL==8}`L
z`BI)KVmwj2JtRGNV<+vyk_yrZI`d=?H)c9iGSs<^T;lE2vHK}~&keV&3YYUUxg%;A
z1>Olr7c5CbI`y&~CusHg`J_%+cptI&5T8EMzznQXfbcCm))EeE4?VcntAQ2P&sR#P
zH=I|syIxUb!2_j?y8yVvej9#Ukc$5{gnxTD2!v!~YoeQDql8cEYFq%C-&wZopJUbS
zRNmCLS6=`M=g$q5zF_|LW;-!DrLp|TO*0lid<Fj+`!{xJP-~{!_QdLnV_TxHFO}kV
zzW<=E$5(n>{z`5CF0oP-c|xRZ9%(ys?!y~RU-idoaGF<S+v)$__bmO1>#ZuGj`9QU
z)KIEChq{mXD2T&n6gAvo$S2&SLp^K<skc7+IC0$SdaLL;{^-Whp|Chw+#PzW1>ck?
z<@IzybCm?TKZ89+6?eMj@#jLsX4Y0aYE*}a^bsie+k>Y+KH2kU8qV$qmd$#v`05?9
zju$h392Xhq@t4g1ar7gww2+JHpC)*l$<N?k0+zJo=d)EEEYWt~@n=l%qS}LsAL#xR
z&Q$g2+cT{n=SxVQ=&5tU*>wLb;jqR(gTi!u3X;Cd9`|vz;&eE~tL8tv+%<L?PJS8|
z7L)2_g+C25Wv$epA@2V1V;2{j%abpY3;4Zo!#fuMLALb=ue1}Cv$S9Ff-03F$B8j}
z^tl{q7l7Cd8KO$4Zm}*nJlO#N`1tQt2NCH@{TU}ZYy<m@FQij?$p?UQYIXQtH()RM
z){o6_i+Slby|D#BaOj=!lZl#d(kg$j-Oi?$fpS0S?x%P;|LZ$IzkZHAgCjn2e&l&=
z2gS1*gv=v2Q-RRo{!Kc7AnmZ$N*d7%`=L@g#nt5_l0N|%fNmBcHQ1nk*r>W=DOZC3
zsMDX|HQ>Jpc_tX%hwB-wyzD`4gVN{p<H&s-4`eIsV$<ARWMgC7qqK0I`k8E-gG|M!
z`=yy<`D65qtOW1^utt4<OD^NZ2IG$R20}#ZKy#P&dnv5J;Cf-s1k;~D0H7UQv8K86
zWbA<dQ|xIS{_9YG1<mg-|9wa^$k0uND<_IJX|crrYMJJX8WjR+JL48=ApWavKP(Hl
z^mCaaBI_sn(lYYmdHJ|}WVV}{s!08VG`DfEFA~?9lS1(>qr)Nu@z=F=W(#~7;a6f`
zbxF_#9d+b0NB&r;{cp5s=RKa-jxiUGs?YJNNZ%Ianl_uk@=o`w9C_$|jtD|fuHywj
zc-P6(-pF3nzWhVVy`|)st9BYt%AOhmX!}9qT+2JE#@Ro?d`!5hyY^c@e(T^G(rB&X
zEjqE|gsp2o0jJln=E;6?mgA+I_%)wTQU07hAAW*AqW*uSTzNPf*cR97YddXeqZMLn
z8$<<NL@lKou_Qqz))I6`gxIxcly>?NN^KRAT1py{A*xhsEgdygBp&f0I*6@;(pp-z
zC8{s)&702mzUiCy$Gd->@80j8bMAi6y}xrH{@7ckLec04+~s7irLV*r*8-<SIwB7^
z4mCMf*L3Oi8`q|<gfVr-*>tA&{}Jk2t6EZBmRMjsPn!^d+DOxcXi@B0(6j_JFogwF
z`CrkU%WSqc7ua=%9Z5rC)F|b)8u!kBibz}28dytF+C;9UIA3kDb3An~R)qPsmae}w
zP`hhyn7j%dJE|M_L1*+20=ZmPusjPh7yQloca{=3@o&6u%QelF#ENWt>b}wG6RnkJ
z*kk9i4D?<&UAYlTs;X?QBz+~qb-K&0@tFTh=pW~b`1d~lfU~Ka?LXAyv|f4#4btuc
zEu^OW?S5MM@u+_HK2MUj(od1L0crku#ruE~BsnO#Wayv}TC7H~G2DuVo|hf|H$23w
z4Sz!#4$Hro=OjkrxTS3@@1O^)&Wx9}@s6bkKyeA=I_d?%y64;^<eyOtznONK{o1D9
z(#RGkhb`PGWYVsM@$OT$KHjzdT+B$1fujS&xcUbsWXpz0*rhv<J_~3El6oD-)gf8C
zJDK9=Bb=PK7yir_R@dL(T5M$vvSu|v7_z1zoQ#(&0$V1t)@F;+>43Q0by}`DPl9Z5
z${kz_hTc<R<}6yMmv$wFb&aaVqtXlu4|Jj~v-I6?&s?|Tu{Bb^87O}iBqhc3s=X63
z6cJIQG0XSgpUn-nJT?%Hmvf>>zGj$g9d}?Vjj2cE_-QWJoKQP+_cN4r_)f(oe@#@0
zwtF(7`@3n^#spt0Pj2T<x87<7o(asxj2K25E~auJjJ7E&OoME!bH0O*F`hWkm+)LG
zUSEG21EM7L608(%naqwD?c^P>8wqOgDn7F0s(M^IKTRu2)&md7yME;z++PsjpoEa=
zGAxmOx-GeSBgmdCimZXa$de&jzfb|Wpy-Yr|M57pZ6mzZK;k^Baa1$QA!COm3f!SI
zSBUe}QG?PvpDL4%zRRVClUl6r7ShOhKO(3T5_oDD5~K7O{vZ=u3C^LmrP5|xTz(l#
zLuvI6SF)hyGL{8GGP{j~YN13bkdwAPJ@a9+sTD!&&dj5sc~i$SE*=xpdJtd@hBg=h
z0HQ${wiW9zH{oK)ZJD3CEmlDILBn|~BFh2qjdYD-W&%&^5fBJD$5M_qA_Vxuw+7_*
zyi@X?`DOAKMb8-+Q$oeZwDw;i>+Z4qLffwO4RAjp+Q{9&*iW+Ffmy@1_L~KdO~oh+
z=L6br&eix9bZLGhXc`*C89zOM{H)W(=_Q#Tj5lEKc#gVA?0w`r^gg9Ks~Ux*Ug=?G
zbM5TN9qF@IB|+NGZ%_JY<+;<!B5w0ht@IDUAq)iDb44dJQZbXNMn^L3%$2~Wm1wh!
zR_$XjE&|2D-;En3f)(eJdLAl&SL=&iU5T<jXsZ6iE%|$-riwG@8vM3_x<)x5S1Fvr
z0pQ#F8e`6UxL$G=Kn~1)o-W<J$@IE;Hng;6LDu2Kd9}KJ_chrCi>4LHmSJsJS0oiZ
zmYu?Df3yO8-omw<nH&(Mc#R89dF}<v!mEMTkL)VguxZ-7K86VtsC;GgwfeRCkUclp
z=5)7*NH{cTrvey$`&>#e^NHV#z~fa@J8<KCY{fD9F_C<*%PTdUf+{TGbno;#lv1S6
z8NRk2d$$&9<0q>p2Bu`)OtyzO2ou;ytP<4dP-n2r^GEBLMbgA{A-Nc0$0lKjeAcDD
zZgR?H3Ys%R5NkEexCG}qw^jJDxwj!QURe7hgN|vX1A|Aa=fIBsdLB~`qk%;#u5`la
z@&1{zQ)yvA*A?fT_yyRSsiN|P<FNU@QR1Ey`RSM<ES|`DNM7KeVEP6RIuRx67o^Tf
z0=52C+P1yf&1ZzcD?{>dFTF#{v%2vVSW7fd@q|h8q)cu1!7O+BF8W4QBu=DC8ED=z
zQB{aBuBk2Rj<9VF&2BfVFHe3l*LS$I|B$_trVf^iK1Dh}7dc>4#2bHaAD6mG2OMgJ
zTkB^T-;z$6?`n|G7xge~bL|o?+*5PRDX*S<EJPxT%~g=9p->H_Gz}KcMBta|8%%7$
z<nN2P5q)?5g_&@k(ht#fw=L^8P0ZAPM;Z>u3jv$TtSWOn@Kdkliyd6E^QuO)joT(<
zCk*FZD#QV>1qa<vp4lBwIJaf0;R#?<RJ1nc@Y^0%E?~SPiB`E=m@nv4<fC6tCYt_C
zytcj;WMY&$Ow{|?vB*5&iooFB4*&2#bDInkK8;`S>nQeB&!n;eW0<x&9O57KGTg01
ze$Sq4fl*{FHJ>-bTq3xm)nY#hqr&+(Pv<_EON029<{;p*kB3%_TCDF<)#z4SM{09*
zYHCL(Gqqz)QEJEsa*|?Fm{DB;tY{3OyAaJlh){?8?g-tCz4ozO^%L)blk^~?gn5O=
z?(}YI%Z$hj`t*xb=l5^bmv#8}-LS9y?2~d6W^AOSsed)NyX8eN1$ns}$L(X(aC^N8
zg;z8IG}H^<`<d%D=xqT3c?4+MNwWsXzGt?tXZbrQPypJ3gVt}_i~bDNoBAve;$R-N
z&=q7H)1q-MJ4!~w5~xcGya>8l=;<9WwwB@GMUy|bl0GI|0`9_R+{$S?U2Hb1f0m2*
zBrzBX`$<!dwH8qq!g{&H6_=-iXMJ36g4e-dIG+CAEhF;UYC*zuQi}T%{)d^D5$lRL
zMn^iQejmlMT4~~k$As@^#hYKGUXj;VaSo-6juj@>q?42PAvyqcZS5A|UUMZRTA2s2
zis6yon&o?WfkP`#FUs0go&XrV&Ra|GsC#C;)v<_M%l4(2q!2RXlXRaV<2p|&`~nZI
z??B=zce>|;kB=|0fGFkEP4(5OW)!Jx$Fm?ys)cF}(pziL7@<*bH!>;*$1c|=B{pUS
zcDCBBOiM0^HB)aOqGhiSH(`<ga+|-(3fjs=C)Pe{%c;hfQ{wMg$Ae^*C9bblz@e-X
zD6H)aTIG!bQDOfVsjzni_H^;%IgdZ-dnarSoxrr>J{BWr9&;H114KR$k8GOby8sF>
z8f}S*0uBghS1VW4lB+hQU=$zLr^%KZ^U;7bf@7&mn8B^QCBNnua5%xQ2Tq7d3V86I
zHh=$(!+X-9f#nh7&8%>^7oK6tTg1pR@IiBQUly7bKz9mPQO+tv$W;qdd&o4QmWFlQ
zC`mVWyoy6wrH;<Smm&!dCwS=__KHOJA(v$rR^4_=Z@qcyDAgo2(5=v=Ji4Fo<B;Bq
ZUF0%$1-tB##14S|)olE4Wzt^;{{a(hRtNw9

diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/graph.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/graph.ts
index 4f2d2a74ff611..4ce5e2d87a3fe 100644
--- a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/graph.ts
+++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/graph.ts
@@ -48,5 +48,5 @@ const matchedPrebuiltRuleConditional = (state: MigrateRuleState) => {
   if (state.elastic_rule?.prebuilt_rule_id) {
     return END;
   }
-  return 'translation';
+  return 'translationSubGraph';
 };
diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/graph.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/graph.ts
index f986098e9deb0..32f41e54619be 100644
--- a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/graph.ts
+++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/graph.ts
@@ -6,11 +6,18 @@
  */
 
 import { END, START, StateGraph } from '@langchain/langgraph';
+import { isEmpty } from 'lodash/fp';
+import { SiemMigrationRuleTranslationResult } from '../../../../../../../../common/siem_migrations/constants';
+import { getFixQueryErrorsNode } from './nodes/fix_query_errors';
 import { getProcessQueryNode } from './nodes/process_query';
 import { getRetrieveIntegrationsNode } from './nodes/retrieve_integrations';
 import { getTranslateRuleNode } from './nodes/translate_rule';
+import { getValidationNode } from './nodes/validation';
 import { translateRuleState } from './state';
-import type { TranslateRuleGraphParams } from './types';
+import type { TranslateRuleGraphParams, TranslateRuleState } from './types';
+
+// How many times we will try to self-heal when validation fails, to prevent infinite graph recursions
+const MAX_VALIDATION_ITERATIONS = 3;
 
 export function getTranslateRuleGraph({
   model,
@@ -35,19 +42,37 @@ export function getTranslateRuleGraph({
     model,
     integrationRetriever,
   });
+  const validationNode = getValidationNode({ logger });
+  const fixQueryErrorsNode = getFixQueryErrorsNode({ inferenceClient, connectorId, logger });
 
   const translateRuleGraph = new StateGraph(translateRuleState)
     // Nodes
     .addNode('processQuery', processQueryNode)
     .addNode('retrieveIntegrations', retrieveIntegrationsNode)
     .addNode('translateRule', translateRuleNode)
+    .addNode('validation', validationNode)
+    .addNode('fixQueryErrors', fixQueryErrorsNode)
     // Edges
     .addEdge(START, 'processQuery')
     .addEdge('processQuery', 'retrieveIntegrations')
     .addEdge('retrieveIntegrations', 'translateRule')
-    .addEdge('translateRule', END);
+    .addEdge('translateRule', 'validation')
+    .addEdge('fixQueryErrors', 'validation')
+    .addConditionalEdges('validation', validationRouter);
 
   const graph = translateRuleGraph.compile();
   graph.name = 'Translate Rule Graph';
   return graph;
 }
+
+const validationRouter = (state: TranslateRuleState) => {
+  if (
+    state.validation_errors.iterations <= MAX_VALIDATION_ITERATIONS &&
+    state.translation_result === SiemMigrationRuleTranslationResult.FULL
+  ) {
+    if (!isEmpty(state.validation_errors?.esql_errors)) {
+      return 'fixQueryErrors';
+    }
+  }
+  return END;
+};
diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/fix_query_errors/fix_query_errors.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/fix_query_errors/fix_query_errors.ts
new file mode 100644
index 0000000000000..a21aceee70f95
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/fix_query_errors/fix_query_errors.ts
@@ -0,0 +1,38 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { Logger } from '@kbn/core/server';
+import type { InferenceClient } from '@kbn/inference-plugin/server';
+import { getEsqlKnowledgeBase } from '../../../../../util/esql_knowledge_base_caller';
+import type { GraphNode } from '../../types';
+import { RESOLVE_ESQL_ERRORS_TEMPLATE } from './prompts';
+
+interface GetFixQueryErrorsNodeParams {
+  inferenceClient: InferenceClient;
+  connectorId: string;
+  logger: Logger;
+}
+
+export const getFixQueryErrorsNode = ({
+  inferenceClient,
+  connectorId,
+  logger,
+}: GetFixQueryErrorsNodeParams): GraphNode => {
+  const esqlKnowledgeBaseCaller = getEsqlKnowledgeBase({ inferenceClient, connectorId, logger });
+  return async (state) => {
+    const rule = state.elastic_rule;
+    const prompt = await RESOLVE_ESQL_ERRORS_TEMPLATE.format({
+      esql_errors: state.validation_errors.esql_errors,
+      esql_query: rule.query,
+    });
+    const response = await esqlKnowledgeBaseCaller(prompt);
+
+    const esqlQuery = response.match(/```esql\n([\s\S]*?)\n```/)?.[1] ?? '';
+    rule.query = esqlQuery;
+    return { elastic_rule: rule };
+  };
+};
diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/fix_query_errors/index.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/fix_query_errors/index.ts
new file mode 100644
index 0000000000000..a805331675389
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/fix_query_errors/index.ts
@@ -0,0 +1,7 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+export { getFixQueryErrorsNode } from './fix_query_errors';
diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/fix_query_errors/prompts.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/fix_query_errors/prompts.ts
new file mode 100644
index 0000000000000..ca5fe67097d12
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/fix_query_errors/prompts.ts
@@ -0,0 +1,42 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { ChatPromptTemplate } from '@langchain/core/prompts';
+
+export const RESOLVE_ESQL_ERRORS_TEMPLATE =
+  ChatPromptTemplate.fromTemplate(`You are a helpful cybersecurity (SIEM) expert agent. Your task is to resolve the errors in the Elasticsearch Query Language (ES|QL) query provided by the user.
+
+Below is the relevant errors related to the ES|SQL query:
+
+<context>
+<esql_errors>
+{esql_errors}
+</esql_errors>
+<esql_query>
+{esql_query}
+</esql_query>
+</context>
+
+<guidelines>
+- You will be provided with the currentl ES|QL query and its related errors.
+- Try to resolve the errors in the ES|QL query as best as you can to make it work.
+- You must respond only with the modified query inside a \`\`\`esql code block, nothing else similar to the example response below.
+</guidelines>
+
+<example_response>
+A: Please find the modified ES|QL query below:
+\`\`\`esql
+FROM logs-endpoint.events.process-*
+| WHERE process.executable LIKE \"%chown root%\"
+| STATS count = COUNT(*), firstTime = MIN(@timestamp), lastTime = MAX(@timestamp) BY process.executable, 
+    process.command_line, 
+    host.name
+| EVAL firstTime = TO_DATETIME(firstTime), lastTime = TO_DATETIME(lastTime)
+\`\`\`
+</example_response>
+
+`);
diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/process_query/process_query.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/process_query/process_query.ts
index 97d4168f1283e..ae0e93ee0c4bb 100644
--- a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/process_query/process_query.ts
+++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/process_query/process_query.ts
@@ -29,11 +29,15 @@ export const getProcessQueryNode = ({
       const replaceQueryResourcePrompt =
         REPLACE_QUERY_RESOURCE_PROMPT.pipe(model).pipe(replaceQueryParser);
       const resourceContext = getResourcesContext(resources);
-      query = await replaceQueryResourcePrompt.invoke({
+      const response = await replaceQueryResourcePrompt.invoke({
         query: state.original_rule.query,
         macros: resourceContext.macros,
         lookup_tables: resourceContext.lists,
       });
+      const splQuery = response.match(/```spl\n([\s\S]*?)\n```/)?.[1] ?? '';
+      if (splQuery) {
+        query = splQuery;
+      }
     }
     return { inline_query: query };
   };
diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/process_query/prompts.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/process_query/prompts.ts
index f074da6b27d1a..b4c6b0e74aaa9 100644
--- a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/process_query/prompts.ts
+++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/process_query/prompts.ts
@@ -140,8 +140,14 @@ Divide the query up into separate section and go through each section one at a t
 
 <example_response>
 A: Please find the modified SPL query below:
-\`\`\`json
-{{"match": "Linux User Account Creation"}}
+\`\`\`spl
+sourcetype="linux:audit" \`linux_auditd_normalized_proctitle_process\`
+| rename host as dest 
+| where LIKE (process_exec, "%chown root%") 
+| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest 
+| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
+| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
+| search *
 \`\`\`
 </example_response>
 
diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/cim_ecs_map.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/cim_ecs_map.ts
new file mode 100644
index 0000000000000..3bafaf2fc6518
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/cim_ecs_map.ts
@@ -0,0 +1,181 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export const SIEM_RULE_MIGRATION_CIM_ECS_MAP = `
+datamodel,object,source_field,ecs_field,data_type
+Application_State,All_Application_State,dest,service.node.name,string
+Application_State,All_Application_State,process,process.title,string
+Application_State,All_Application_State,user,user.name,string
+Application_State,Ports,dest_port,destination.port,number
+Application_State,Ports,transport,network.transport,string
+Application_State,Ports,transport_dest_port,destination.port,string
+Application_State,Services,service,service.name,string
+Application_State,Services,service_id,service.id,string
+Application_State,Services,status,service.state,string
+Authentication,Authentication,action,event.action,string
+Authentication,Authentication,app,process.name,string
+Authentication,Authentication,dest,host.name,string
+Authentication,Authentication,duration,event.duration,number
+Authentication,Authentication,signature,event.code,string
+Authentication,Authentication,signature_id,event.reason,string
+Authentication,Authentication,src,source.address,string
+Authentication,Authentication,src_nt_domain,source.domain,string
+Authentication,Authentication,user,user.name,string
+Certificates,All_Certificates,dest_port,destination.port,number
+Certificates,All_Certificates,duration,event.duration,number
+Certificates,All_Certificates,src,source.address,string
+Certificates,All_Certificates,src_port,source.port,number
+Certificates,All_Certificates,transport,network.protocol,string
+Certificates,SSL,ssl_end_time,tls.server.not_after,time
+Certificates,SSL,ssl_hash,tls.server.hash,string
+Certificates,SSL,ssl_issuer_common_name,tls.server.issuer,string
+Certificates,SSL,ssl_issuer_locality,x509.issuer.locality,string
+Certificates,SSL,ssl_issuer_organization,x509.issuer.organization,string
+Certificates,SSL,ssl_issuer_state,x509.issuer.state_or_province,string
+Certificates,SSL,ssl_issuer_unit,x509.issuer.organizational_unit,string
+Certificates,SSL,ssl_publickey_algorithm,x509.public_key_algorithm,string
+Certificates,SSL,ssl_serial,x509.serial_number,string
+Certificates,SSL,ssl_signature_algorithm,x509.signature_algorithm,string
+Certificates,SSL,ssl_start_time,x509.not_before,time
+Certificates,SSL,ssl_subject,x509.subject.distinguished_name,string
+Certificates,SSL,ssl_subject_common_name,x509.subject.common_name,string
+Certificates,SSL,ssl_subject_locality,x509.subject.locality,string
+Certificates,SSL,ssl_subject_organization,x509.subject.organization,string
+Certificates,SSL,ssl_subject_state,x509.subject.state_or_province,string
+Certificates,SSL,ssl_subject_unit,x509.subject.organizational_unit,string
+Certificates,SSL,ssl_version,tls.version,string
+Change,All_Changes,action,event.action,string
+Change,Account_Management,dest_nt_domain,destination.domain,string
+Change,Account_Management,src_nt_domain,source.domain,string
+Change,Account_Management,src_user,source.user,string
+Intrusion_Detection,IDS_Attacks,action,event.action,string
+Intrusion_Detection,IDS_Attacks,dest,destination.address,string
+Intrusion_Detection,IDS_Attacks,dest_port,destination.port,number
+Intrusion_Detection,IDS_Attacks,dvc,observer.hostname,string
+Intrusion_Detection,IDS_Attacks,severity,event.severity,string
+Intrusion_Detection,IDS_Attacks,src,source.ip,string
+Intrusion_Detection,IDS_Attacks,user,source.user,string
+JVM,OS,os,host.os.name,string
+JVM,OS,os_architecture,host.architecture,string
+JVM,OS,os_version,host.os.version,string
+Malware,Malware_Attacks,action,event.action,string
+Malware,Malware_Attacks,date,event.created,string
+Malware,Malware_Attacks,dest,host.hostname,string
+Malware,Malware_Attacks,file_hash,file.hash.*,string
+Malware,Malware_Attacks,file_name,file.name,string
+Malware,Malware_Attacks,file_path,file.path,string
+Malware,Malware_Attacks,Sender,source.user.email,string
+Malware,Malware_Attacks,src,source.ip,string
+Malware,Malware_Attacks,user,related.user,string
+Malware,Malware_Attacks,url,rule.reference,string
+Network_Resolution,DNS,answer,dns.answers,string
+Network_Resolution,DNS,dest,destination.address,string
+Network_Resolution,DNS,dest_port,destination.port,number
+Network_Resolution,DNS,duration,event.duration,number
+Network_Resolution,DNS,message_type,dns.type,string
+Network_Resolution,DNS,name,dns.question.name,string
+Network_Resolution,DNS,query,dns.question.name,string
+Network_Resolution,DNS,query_type,dns.op_code,string
+Network_Resolution,DNS,record_type,dns.question.type,string
+Network_Resolution,DNS,reply_code,dns.response_code,string
+Network_Resolution,DNS,reply_code_id,dns.id,number
+Network_Resolution,DNS,response_time,event.duration,number
+Network_Resolution,DNS,src,source.address,string
+Network_Resolution,DNS,src_port,source.port,number
+Network_Resolution,DNS,transaction_id,dns.id,number
+Network_Resolution,DNS,transport,network.transport,string
+Network_Resolution,DNS,ttl,dns.answers.ttl,number
+Network_Sessions,All_Sessions,action,event.action,string
+Network_Sessions,All_Sessions,dest_ip,destination.ip,string
+Network_Sessions,All_Sessions,dest_mac,destination.mac,string
+Network_Sessions,All_Sessions,duration,event.duration,number
+Network_Sessions,All_Sessions,src_dns,source.registered_domain,string
+Network_Sessions,All_Sessions,src_ip,source.ip,string
+Network_Sessions,All_Sessions,src_mac,source.mac,string
+Network_Sessions,All_Sessions,user,user.name,string
+Network_Traffic,All_Traffic,action,event.action,string
+Network_Traffic,All_Traffic,app,network.protocol,string
+Network_Traffic,All_Traffic,bytes,network.bytes,number
+Network_Traffic,All_Traffic,dest,destination.ip,string
+Network_Traffic,All_Traffic,dest_ip,destination.ip,string
+Network_Traffic,All_Traffic,dest_mac,destination.mac,string
+Network_Traffic,All_Traffic,dest_port,destination.port,number
+Network_Traffic,All_Traffic,dest_translated_ip,destination.nat.ip,string
+Network_Traffic,All_Traffic,dest_translated_port,destination.nat.port,number
+Network_Traffic,All_Traffic,direction,network.direction,string
+Network_Traffic,All_Traffic,duration,event.duration,number
+Network_Traffic,All_Traffic,dvc,observer.name,string
+Network_Traffic,All_Traffic,dvc_ip,observer.ip,string
+Network_Traffic,All_Traffic,dvc_mac,observer.mac,string
+Network_Traffic,All_Traffic,dvc_zone,observer.egress.zone,string
+Network_Traffic,All_Traffic,packets,network.packets,number
+Network_Traffic,All_Traffic,packets_in,source.packets,number
+Network_Traffic,All_Traffic,packets_out,destination.packets,number
+Network_Traffic,All_Traffic,protocol,network.protocol,string
+Network_Traffic,All_Traffic,rule,rule.name,string
+Network_Traffic,All_Traffic,src,source.address,string
+Network_Traffic,All_Traffic,src_ip,source.ip,string
+Network_Traffic,All_Traffic,src_mac,source.mac,string
+Network_Traffic,All_Traffic,src_port,source.port,number
+Network_Traffic,All_Traffic,src_translated_ip,source.nat.ip,string
+Network_Traffic,All_Traffic,src_translated_port,source.nat.port,number
+Network_Traffic,All_Traffic,transport,network.transport,string
+Network_Traffic,All_Traffic,vlan,vlan.name,string
+Vulnerabilities,Vulnerabilities,category,vulnerability.category,string
+Vulnerabilities,Vulnerabilities,cve,vulnerability.id,string
+Vulnerabilities,Vulnerabilities,cvss,vulnerability.score.base,number
+Vulnerabilities,Vulnerabilities,dest,host.name,string
+Vulnerabilities,Vulnerabilities,dvc,vulnerability.scanner.vendor,string
+Vulnerabilities,Vulnerabilities,severity,vulnerability.severity,string
+Vulnerabilities,Vulnerabilities,url,vulnerability.reference,string
+Vulnerabilities,Vulnerabilities,user,related.user,string
+Vulnerabilities,Vulnerabilities,vendor_product,vulnerability.scanner.vendor,string
+Endpoint,Ports,creation_time,@timestamp,timestamp
+Endpoint,Ports,dest_port,destination.port,number
+Endpoint,Ports,process_id,process.pid,string
+Endpoint,Ports,transport,network.transport,string
+Endpoint,Ports,transport_dest_port,destination.port,string
+Endpoint,Processes,action,event.action,string
+Endpoint,Processes,os,os.full,string
+Endpoint,Processes,parent_process_exec,process.parent.name,string
+Endpoint,Processes,parent_process_id,process.ppid,number
+Endpoint,Processes,parent_process_guid,process.parent.entity_id,string
+Endpoint,Processes,parent_process_path,process.parent.executable,string
+Endpoint,Processes,process_current_directory,process.parent.working_directory,
+Endpoint,Processes,process_exec,process.name,string
+Endpoint,Processes,process_hash,process.hash.*,string
+Endpoint,Processes,process_guid,process.entity_id,string
+Endpoint,Processes,process_id,process.pid,number
+Endpoint,Processes,process_path,process.executable,string
+Endpoint,Processes,user_id,related.user,string
+Endpoint,Services,description,service.name,string
+Endpoint,Services,process_id,service.id,string
+Endpoint,Services,service_dll,dll.name,string
+Endpoint,Services,service_dll_path,dll.path,string
+Endpoint,Services,service_dll_hash,dll.hash.*,string
+Endpoint,Services,service_dll_signature_exists,dll.code_signature.exists,boolean
+Endpoint,Services,service_dll_signature_verified,dll.code_signature.valid,boolean
+Endpoint,Services,service_exec,service.name,string
+Endpoint,Services,service_hash,hash.*,string
+Endpoint,Filesystem,file_access_time,file.accessed,timestamp
+Endpoint,Filesystem,file_create_time,file.created,timestamp
+Endpoint,Filesystem,file_modify_time,file.mtime,timestamp
+Endpoint,Filesystem,process_id,process.pid,string
+Endpoint,Registry,process_id,process.id,string
+Web,Web,action,event.action,string
+Web,Web,app,observer.product,string
+Web,Web,bytes_in,http.request.bytes,number
+Web,Web,bytes_out,http.response.bytes,number
+Web,Web,dest,destination.ip,string
+Web,Web,duration,event.duration,number
+Web,Web,http_method,http.request.method,string
+Web,Web,http_referrer,http.request.referrer,string
+Web,Web,http_user_agent,user_agent.name,string
+Web,Web,status,http.response.status_code,string
+Web,Web,url,url.full,string
+Web,Web,user,url.username,string
+Web,Web,vendor_product,observer.product,string`;
diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/prompts.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/prompts.ts
index 3e77353bba8b1..9749dfd96efba 100644
--- a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/prompts.ts
+++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/prompts.ts
@@ -5,14 +5,18 @@
  * 2.0.
  */
 
-import type { TranslateRuleState } from '../../types';
+import { ChatPromptTemplate } from '@langchain/core/prompts';
 
-export const getEsqlTranslationPrompt = (
-  state: TranslateRuleState,
-  indexPatterns: string
-): string => {
-  return `You are a helpful cybersecurity (SIEM) expert agent. Your task is to migrate "detection rules" from Splunk to Elastic Security.
+export const ESQL_TRANSLATION_PROMPT =
+  ChatPromptTemplate.fromTemplate(`You are a helpful cybersecurity (SIEM) expert agent. Your task is to migrate "detection rules" from Splunk to Elastic Security.
 Your goal is to translate the SPL query into an equivalent Elastic Security Query Language (ES|QL) query.
+Below is the relevant context used when deciding which Elastic Common Schema field to use when translating from Splunk CIM fields:
+
+<context>
+<cim_to_ecs_map>
+{field_mapping}
+</cim_to_ecs_map>
+</context>
 
 ## Splunk rule Information provided:
 - Below you will find Splunk rule information: the title (<<TITLE>>), the description (<<DESCRIPTION>>), and the SPL (Search Processing Language) query (<<SPL_QUERY>>).
@@ -22,7 +26,7 @@ Your goal is to translate the SPL query into an equivalent Elastic Security Quer
 ## Guidelines:
 - Analyze the SPL query and identify the key components.
 - Translate the SPL query into an equivalent ES|QL query using ECS (Elastic Common Schema) field names.
-- Always start the generated ES|QL query by filtering FROM using these index patterns in the translated query: ${indexPatterns}.
+- Always start the generated ES|QL query by filtering FROM using these index patterns in the translated query: {indexPatterns}.
 - If, in the SPL query, you find a lookup list or macro call, mention it in the summary and add a placeholder in the query with the format [macro:<macro_name>(argumentCount)] or [lookup:<lookup_name>] including the [] keys, 
   - Examples: 
     - \`get_duration(firstDate,secondDate)\` -> [macro:get_duration(2)]
@@ -35,15 +39,14 @@ Your goal is to translate the SPL query into an equivalent Elastic Security Quer
 Find the Splunk rule information below:
 
 <<TITLE>>
-${state.original_rule.title}
+{title}
 <</TITLE>>
 
 <<DESCRIPTION>>
-${state.original_rule.description}
+{description}
 <</DESCRIPTION>>
 
 <<SPL_QUERY>>
-${state.inline_query}
+{inline_query}
 <</SPL_QUERY>>
-`;
-};
+`);
diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/translate_rule.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/translate_rule.ts
index a39e7c10146c0..6ba5edee11b22 100644
--- a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/translate_rule.ts
+++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/translate_rule.ts
@@ -9,10 +9,11 @@ import type { Logger } from '@kbn/core/server';
 import type { InferenceClient } from '@kbn/inference-plugin/server';
 import { SiemMigrationRuleTranslationResult } from '../../../../../../../../../../common/siem_migrations/constants';
 import type { ChatModel } from '../../../../../util/actions_client_chat';
+import { getEsqlKnowledgeBase } from '../../../../../util/esql_knowledge_base_caller';
 import type { RuleResourceRetriever } from '../../../../../util/rule_resource_retriever';
 import type { GraphNode } from '../../types';
-import { getEsqlKnowledgeBase } from './esql_knowledge_base_caller';
-import { getEsqlTranslationPrompt } from './prompts';
+import { SIEM_RULE_MIGRATION_CIM_ECS_MAP } from './cim_ecs_map';
+import { ESQL_TRANSLATION_PROMPT } from './prompts';
 
 interface GetTranslateRuleNodeParams {
   model: ChatModel;
@@ -29,12 +30,20 @@ export const getTranslateRuleNode = ({
 }: GetTranslateRuleNodeParams): GraphNode => {
   const esqlKnowledgeBaseCaller = getEsqlKnowledgeBase({ inferenceClient, connectorId, logger });
   return async (state) => {
-    const indexPatterns = state.integrations.flatMap((integration) =>
-      integration.data_streams.map((dataStream) => dataStream.index_pattern)
-    );
+    const indexPatterns = state.integrations
+      .flatMap((integration) =>
+        integration.data_streams.map((dataStream) => dataStream.index_pattern)
+      )
+      .join(',');
     const integrationIds = state.integrations.map((integration) => integration.id);
 
-    const prompt = getEsqlTranslationPrompt(state, indexPatterns.join(','));
+    const prompt = await ESQL_TRANSLATION_PROMPT.format({
+      title: state.original_rule.title,
+      description: state.original_rule.description,
+      field_mapping: SIEM_RULE_MIGRATION_CIM_ECS_MAP,
+      inline_query: state.inline_query,
+      indexPatterns,
+    });
     const response = await esqlKnowledgeBaseCaller(prompt);
 
     const esqlQuery = response.match(/```esql\n([\s\S]*?)\n```/)?.[1] ?? '';
diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/validation/esql_query.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/validation/esql_query.ts
new file mode 100644
index 0000000000000..a8c1d6acff408
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/validation/esql_query.ts
@@ -0,0 +1,62 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { ESQLAstQueryExpression, ESQLCommandOption, EditorError } from '@kbn/esql-ast';
+import { parse } from '@kbn/esql-ast';
+import { isColumnItem, isOptionItem } from '@kbn/esql-validation-autocomplete';
+import { isAggregatingQuery } from '@kbn/securitysolution-utils';
+
+interface ParseEsqlQueryResult {
+  errors: EditorError[];
+  isEsqlQueryAggregating: boolean;
+  hasMetadataOperator: boolean;
+}
+
+function computeHasMetadataOperator(astExpression: ESQLAstQueryExpression): boolean {
+  // Check whether the `from` command has `metadata` operator
+  const metadataOption = getMetadataOption(astExpression);
+  if (!metadataOption) {
+    return false;
+  }
+
+  // Check whether the `metadata` operator has `_id` argument
+  const idColumnItem = metadataOption.args.find(
+    (fromArg) => isColumnItem(fromArg) && fromArg.name === '_id'
+  );
+  if (!idColumnItem) {
+    return false;
+  }
+
+  return true;
+}
+
+function getMetadataOption(astExpression: ESQLAstQueryExpression): ESQLCommandOption | undefined {
+  const fromCommand = astExpression.commands.find((x) => x.name === 'from');
+
+  if (!fromCommand?.args) {
+    return undefined;
+  }
+
+  // Check whether the `from` command has `metadata` operator
+  for (const fromArg of fromCommand.args) {
+    if (isOptionItem(fromArg) && fromArg.name === 'metadata') {
+      return fromArg;
+    }
+  }
+
+  return undefined;
+}
+
+export const parseEsqlQuery = (query: string): ParseEsqlQueryResult => {
+  const { root, errors } = parse(query);
+  const isEsqlQueryAggregating = isAggregatingQuery(root);
+  return {
+    errors,
+    isEsqlQueryAggregating,
+    hasMetadataOperator: computeHasMetadataOperator(root),
+  };
+};
diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/validation/index.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/validation/index.ts
new file mode 100644
index 0000000000000..a8c0f55191e42
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/validation/index.ts
@@ -0,0 +1,7 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+export { getValidationNode } from './validation';
diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/validation/validation.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/validation/validation.ts
new file mode 100644
index 0000000000000..272aedfe4793d
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/validation/validation.ts
@@ -0,0 +1,43 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { Logger } from '@kbn/core/server';
+import { isEmpty } from 'lodash/fp';
+import type { GraphNode } from '../../types';
+import { parseEsqlQuery } from './esql_query';
+
+interface GetValidationNodeParams {
+  logger: Logger;
+}
+
+/**
+ * This node runs all validation steps, and will redirect to the END of the graph if no errors are found.
+ * Any new validation steps should be added here.
+ */
+export const getValidationNode = ({ logger }: GetValidationNodeParams): GraphNode => {
+  return async (state) => {
+    const query = state.elastic_rule.query;
+
+    // We want to prevent infinite loops, so we increment the iterations counter for each validation run.
+    const currentIteration = ++state.validation_errors.iterations;
+    let esqlErrors: string = '';
+    if (!isEmpty(query)) {
+      const { errors, isEsqlQueryAggregating, hasMetadataOperator } = parseEsqlQuery(query);
+      if (!isEmpty(errors)) {
+        esqlErrors = JSON.stringify(errors);
+      } else if (!isEsqlQueryAggregating && !hasMetadataOperator) {
+        esqlErrors =
+          'Queries that don’t use the STATS...BY function (non-aggregating queries) must include the "metadata _id, _version, _index" operator after the source command. For example: FROM logs* metadata _id, _version, _index.';
+      }
+    }
+    if (esqlErrors) {
+      logger.debug(`ESQL query validation failed: ${esqlErrors}`);
+    }
+
+    return { validation_errors: { iterations: currentIteration, esql_errors: esqlErrors } };
+  };
+};
diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/state.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/state.ts
index 8c8e9780aedf8..391d7a54f9ea8 100644
--- a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/state.ts
+++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/state.ts
@@ -14,6 +14,7 @@ import type {
   RuleMigration,
 } from '../../../../../../../../common/siem_migrations/model/rule_migration.gen';
 import type { Integration } from '../../../../types';
+import type { TranslateRuleValidationErrors } from './types';
 
 export const translateRuleState = Annotation.Root({
   messages: Annotation<BaseMessage[]>({
@@ -33,6 +34,10 @@ export const translateRuleState = Annotation.Root({
     reducer: (state, action) => ({ ...state, ...action }),
     default: () => ({} as ElasticRule),
   }),
+  validation_errors: Annotation<TranslateRuleValidationErrors>({
+    reducer: (current, value) => value ?? current,
+    default: () => ({ iterations: 0 } as TranslateRuleValidationErrors),
+  }),
   translation_result: Annotation<SiemMigrationRuleTranslationResult>({
     reducer: (current, value) => value ?? current,
     default: () => SiemMigrationRuleTranslationResult.UNTRANSLATABLE,
diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/types.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/types.ts
index 42bf8e14c5924..44a5750812be0 100644
--- a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/types.ts
+++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/types.ts
@@ -23,3 +23,8 @@ export interface TranslateRuleGraphParams {
   integrationRetriever: IntegrationRetriever;
   logger: Logger;
 }
+
+export interface TranslateRuleValidationErrors {
+  iterations: number;
+  esql_errors?: string;
+}
diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/esql_knowledge_base_caller.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/util/esql_knowledge_base_caller.ts
similarity index 100%
rename from x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/esql_knowledge_base_caller.ts
rename to x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/util/esql_knowledge_base_caller.ts

From cca39397d677a7b61888ae5959f1df14085b04b0 Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Tue, 3 Dec 2024 23:42:54 +1100
Subject: [PATCH 10/23] [8.x] [Streams] Adding the first integration test
 (#201293) (#202661)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Streams] Adding the first integration test
(#201293)](https://github.com/elastic/kibana/pull/201293)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Chris
Cowan","email":"chris@elastic.co"},"sourceCommit":{"committedDate":"2024-11-26T09:43:25Z","message":"[Streams]
Adding the first integration test (#201293)\n\n## Summary\r\n\r\nThis PR
introduces the first integration test for the Streams project.\r\nThis
test covers the following basic functionality:\r\n\r\n- Enable
streams\r\n- Index a document to `logs`\r\n- Create a `logs.nginx` for
that reroutes based on `log.logger ==\r\n'nginx'`\r\n- Index a document
to `logs.nginx`\r\n- Create a `logs.nginx.access` that reroutes based on
`log.level ==\r\n'info'`\r\n- Index a document to
`log.nginx.access`\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>\r\nCo-authored-by:
Elastic Machine
<elasticmachine@users.noreply.github.com>\r\nCo-authored-by: Joe Reuter
<johannes.reuter@elastic.co>","sha":"aebd13ec678d620c1822d313ea5c9bb6d219a149","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Observability","v9.0.0","backport:prev-minor","v8.18.0","Feature:Streams"],"title":"[Streams]
Adding the first integration
test","number":201293,"url":"https://github.com/elastic/kibana/pull/201293","mergeCommit":{"message":"[Streams]
Adding the first integration test (#201293)\n\n## Summary\r\n\r\nThis PR
introduces the first integration test for the Streams project.\r\nThis
test covers the following basic functionality:\r\n\r\n- Enable
streams\r\n- Index a document to `logs`\r\n- Create a `logs.nginx` for
that reroutes based on `log.logger ==\r\n'nginx'`\r\n- Index a document
to `logs.nginx`\r\n- Create a `logs.nginx.access` that reroutes based on
`log.level ==\r\n'info'`\r\n- Index a document to
`log.nginx.access`\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>\r\nCo-authored-by:
Elastic Machine
<elasticmachine@users.noreply.github.com>\r\nCo-authored-by: Joe Reuter
<johannes.reuter@elastic.co>","sha":"aebd13ec678d620c1822d313ea5c9bb6d219a149"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/201293","number":201293,"mergeCommit":{"message":"[Streams]
Adding the first integration test (#201293)\n\n## Summary\r\n\r\nThis PR
introduces the first integration test for the Streams project.\r\nThis
test covers the following basic functionality:\r\n\r\n- Enable
streams\r\n- Index a document to `logs`\r\n- Create a `logs.nginx` for
that reroutes based on `log.logger ==\r\n'nginx'`\r\n- Index a document
to `logs.nginx`\r\n- Create a `logs.nginx.access` that reroutes based on
`log.level ==\r\n'info'`\r\n- Index a document to
`log.nginx.access`\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>\r\nCo-authored-by:
Elastic Machine
<elasticmachine@users.noreply.github.com>\r\nCo-authored-by: Joe Reuter
<johannes.reuter@elastic.co>","sha":"aebd13ec678d620c1822d313ea5c9bb6d219a149"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Chris Cowan <chris@elastic.co>
---
 .buildkite/ftr_oblt_stateful_configs.yml      |   1 +
 .../api_integration/apis/streams/config.ts    |  16 ++
 .../api_integration/apis/streams/full_flow.ts | 140 ++++++++++++++++++
 .../apis/streams/helpers/cleanup.ts           |  26 ++++
 .../apis/streams/helpers/requests.ts          |  43 ++++++
 .../api_integration/apis/streams/index.ts     |  14 ++
 6 files changed, 240 insertions(+)
 create mode 100644 x-pack/test/api_integration/apis/streams/config.ts
 create mode 100644 x-pack/test/api_integration/apis/streams/full_flow.ts
 create mode 100644 x-pack/test/api_integration/apis/streams/helpers/cleanup.ts
 create mode 100644 x-pack/test/api_integration/apis/streams/helpers/requests.ts
 create mode 100644 x-pack/test/api_integration/apis/streams/index.ts

diff --git a/.buildkite/ftr_oblt_stateful_configs.yml b/.buildkite/ftr_oblt_stateful_configs.yml
index 6cad97ecc4456..eed4654725038 100644
--- a/.buildkite/ftr_oblt_stateful_configs.yml
+++ b/.buildkite/ftr_oblt_stateful_configs.yml
@@ -32,6 +32,7 @@ enabled:
   - x-pack/test/api_integration/apis/synthetics/config.ts
   - x-pack/test/api_integration/apis/uptime/config.ts
   - x-pack/test/api_integration/apis/entity_manager/config.ts
+  - x-pack/test/api_integration/apis/streams/config.ts
   - x-pack/test/apm_api_integration/basic/config.ts
   - x-pack/test/apm_api_integration/cloud/config.ts
   - x-pack/test/apm_api_integration/rules/config.ts
diff --git a/x-pack/test/api_integration/apis/streams/config.ts b/x-pack/test/api_integration/apis/streams/config.ts
new file mode 100644
index 0000000000000..c737db9499836
--- /dev/null
+++ b/x-pack/test/api_integration/apis/streams/config.ts
@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrConfigProviderContext } from '@kbn/test';
+
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+  const baseIntegrationTestsConfig = await readConfigFile(require.resolve('../../config.ts'));
+  return {
+    ...baseIntegrationTestsConfig.getAll(),
+    testFiles: [require.resolve('.')],
+  };
+}
diff --git a/x-pack/test/api_integration/apis/streams/full_flow.ts b/x-pack/test/api_integration/apis/streams/full_flow.ts
new file mode 100644
index 0000000000000..03c0cc9e0e219
--- /dev/null
+++ b/x-pack/test/api_integration/apis/streams/full_flow.ts
@@ -0,0 +1,140 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import {
+  deleteStream,
+  enableStreams,
+  fetchDocument,
+  forkStream,
+  indexDocument,
+} from './helpers/requests';
+import { FtrProviderContext } from '../../ftr_provider_context';
+import { waitForDocumentInIndex } from '../../../alerting_api_integration/observability/helpers/alerting_wait_for_helpers';
+import { cleanUpRootStream } from './helpers/cleanup';
+
+export default function ({ getService }: FtrProviderContext) {
+  const supertest = getService('supertest');
+  const esClient = getService('es');
+  const retryService = getService('retry');
+  const logger = getService('log');
+
+  describe('Basic functionality', () => {
+    after(async () => {
+      await deleteStream(supertest, 'logs.nginx');
+      await cleanUpRootStream(esClient);
+    });
+
+    // Note: Each step is dependent on the previous
+    describe('Full flow', () => {
+      it('Enable streams', async () => {
+        await enableStreams(supertest);
+      });
+
+      it('Index a JSON document to logs, should go to logs', async () => {
+        const doc = {
+          '@timestamp': '2024-01-01T00:00:00.000Z',
+          message: JSON.stringify({
+            'log.level': 'info',
+            'log.logger': 'nginx',
+            message: 'test',
+          }),
+        };
+        const response = await indexDocument(esClient, 'logs', doc);
+        expect(response.result).to.eql('created');
+        await waitForDocumentInIndex({ esClient, indexName: 'logs', retryService, logger });
+
+        const result = await fetchDocument(esClient, 'logs', response._id);
+        expect(result._index).to.match(/^\.ds\-logs-.*/);
+        expect(result._source).to.eql({
+          '@timestamp': '2024-01-01T00:00:00.000Z',
+          message: 'test',
+          log: { level: 'info', logger: 'nginx' },
+        });
+      });
+
+      it('Fork logs to logs.nginx', async () => {
+        const body = {
+          stream: {
+            id: 'logs.nginx',
+            fields: [],
+            processing: [],
+          },
+          condition: {
+            field: 'log.logger',
+            operator: 'eq',
+            value: 'nginx',
+          },
+        };
+        const response = await forkStream(supertest, 'logs', body);
+        expect(response).to.have.property('acknowledged', true);
+      });
+
+      it('Index an Nginx access log message, should goto logs.nginx', async () => {
+        const doc = {
+          '@timestamp': '2024-01-01T00:00:10.000Z',
+          message: JSON.stringify({
+            'log.level': 'info',
+            'log.logger': 'nginx',
+            message: 'test',
+          }),
+        };
+        const response = await indexDocument(esClient, 'logs', doc);
+        expect(response.result).to.eql('created');
+        await waitForDocumentInIndex({ esClient, indexName: 'logs.nginx', retryService, logger });
+
+        const result = await fetchDocument(esClient, 'logs.nginx', response._id);
+        expect(result._index).to.match(/^\.ds\-logs.nginx-.*/);
+        expect(result._source).to.eql({
+          '@timestamp': '2024-01-01T00:00:10.000Z',
+          message: 'test',
+          log: { level: 'info', logger: 'nginx' },
+        });
+      });
+
+      it('Fork logs to logs.nginx.access', async () => {
+        const body = {
+          stream: {
+            id: 'logs.nginx.access',
+            fields: [],
+            processing: [],
+          },
+          condition: { field: 'log.level', operator: 'eq', value: 'info' },
+        };
+        const response = await forkStream(supertest, 'logs.nginx', body);
+        expect(response).to.have.property('acknowledged', true);
+      });
+
+      it('Index an Nginx access log message, should goto logs.nginx.access', async () => {
+        const doc = {
+          '@timestamp': '2024-01-01T00:00:20.000Z',
+          message: JSON.stringify({
+            'log.level': 'info',
+            'log.logger': 'nginx',
+            message: 'test',
+          }),
+        };
+        const response = await indexDocument(esClient, 'logs', doc);
+        expect(response.result).to.eql('created');
+        await waitForDocumentInIndex({
+          esClient,
+          indexName: 'logs.nginx.access',
+          retryService,
+          logger,
+        });
+
+        const result = await fetchDocument(esClient, 'logs.nginx.access', response._id);
+        expect(result._index).to.match(/^\.ds\-logs.nginx.access-.*/);
+        expect(result._source).to.eql({
+          '@timestamp': '2024-01-01T00:00:20.000Z',
+          message: 'test',
+          log: { level: 'info', logger: 'nginx' },
+        });
+      });
+    });
+  });
+}
diff --git a/x-pack/test/api_integration/apis/streams/helpers/cleanup.ts b/x-pack/test/api_integration/apis/streams/helpers/cleanup.ts
new file mode 100644
index 0000000000000..f1d382031d484
--- /dev/null
+++ b/x-pack/test/api_integration/apis/streams/helpers/cleanup.ts
@@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { Client } from '@elastic/elasticsearch';
+
+/**
+DELETE .kibana_streams
+DELETE _data_stream/logs
+DELETE /_index_template/logs@stream
+DELETE /_component_template/logs@stream.layer
+DELETE /_ingest/pipeline/logs@json-pipeline
+DELETE /_ingest/pipeline/logs@stream.processing
+DELETE /_ingest/pipeline/logs@stream.reroutes
+*/
+
+export async function cleanUpRootStream(esClient: Client) {
+  await esClient.indices.delete({ index: '.kibana_streams' });
+  await esClient.indices.deleteDataStream({ name: 'logs' });
+  await esClient.indices.deleteIndexTemplate({ name: 'logs@stream' });
+  await esClient.cluster.deleteComponentTemplate({ name: 'logs@stream.layer' });
+  await esClient.ingest.deletePipeline({ id: 'logs@stream.*' });
+}
diff --git a/x-pack/test/api_integration/apis/streams/helpers/requests.ts b/x-pack/test/api_integration/apis/streams/helpers/requests.ts
new file mode 100644
index 0000000000000..d44644e9746b1
--- /dev/null
+++ b/x-pack/test/api_integration/apis/streams/helpers/requests.ts
@@ -0,0 +1,43 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { Client } from '@elastic/elasticsearch';
+import { JsonObject } from '@kbn/utility-types';
+import { Agent } from 'supertest';
+import expect from '@kbn/expect';
+import { SearchTotalHits } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
+
+export async function enableStreams(supertest: Agent) {
+  const req = supertest.post('/api/streams/_enable').set('kbn-xsrf', 'xxx');
+  const response = await req.send().expect(200);
+  return response.body;
+}
+
+export async function indexDocument(esClient: Client, index: string, document: JsonObject) {
+  const response = await esClient.index({ index, document });
+  return response;
+}
+
+export async function fetchDocument(esClient: Client, index: string, id: string) {
+  const query = {
+    ids: { values: [id] },
+  };
+  const response = await esClient.search({ index, query });
+  expect((response.hits.total as SearchTotalHits).value).to.eql(1);
+  return response.hits.hits[0];
+}
+
+export async function forkStream(supertest: Agent, root: string, body: JsonObject) {
+  const req = supertest.post(`/api/streams/${root}/_fork`).set('kbn-xsrf', 'xxx');
+  const response = await req.send(body).expect(200);
+  return response.body;
+}
+
+export async function deleteStream(supertest: Agent, id: string) {
+  const req = supertest.delete(`/api/streams/${id}`).set('kbn-xsrf', 'xxx');
+  const response = await req.send().expect(200);
+  return response.body;
+}
diff --git a/x-pack/test/api_integration/apis/streams/index.ts b/x-pack/test/api_integration/apis/streams/index.ts
new file mode 100644
index 0000000000000..0e879fd0b9b64
--- /dev/null
+++ b/x-pack/test/api_integration/apis/streams/index.ts
@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { FtrProviderContext } from '../../ftr_provider_context';
+
+export default function ({ loadTestFile }: FtrProviderContext) {
+  describe('Streams Endpoints', () => {
+    loadTestFile(require.resolve('./full_flow'));
+  });
+}

From 7c27f2f28e89554d4c507d57dd22b7f1e9925707 Mon Sep 17 00:00:00 2001
From: Agustina Nahir Ruidiaz <61565784+agusruidiazgd@users.noreply.github.com>
Date: Tue, 3 Dec 2024 13:49:52 +0100
Subject: [PATCH 11/23] [8.x] [Security Solution] [Onboarding] t1_analyst role
 blocked from interacting with cards due to missing integration privileges
 (#202413) (#202553)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution] [Onboarding] t1_analyst role blocked from
interacting with cards due to missing integration privileges
(#202413)](https://github.com/elastic/kibana/pull/202413)

<!--- Backport version: 8.9.8 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Agustina Nahir
Ruidiaz","email":"61565784+agusruidiazgd@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-12-02T14:23:56Z","message":"[Security
Solution] [Onboarding] t1_analyst role blocked from interacting with
cards due to missing integration privileges (#202413)\n\n##
Summary\r\n\r\nThis PR temporarily fixes the #201799 issue for
Serverless.\r\n\r\n\r\n\r\nhttps://github.com/user-attachments/assets/604128cb-49b0-4a93-9a15-2a5a0c511883\r\n\r\n\r\n\r\n###
Checklist\r\n\r\nCheck the PR satisfies following conditions.
\r\n\r\nReviewers should verify this PR satisfies this list as
well.\r\n\r\n- [ ] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"3daaaa5b8c3e3a47b1e29f75df301b42d89caa87","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Threat
Hunting:Explore","ci:cloud-deploy","backport:version","v8.18.0"],"number":202413,"url":"https://github.com/elastic/kibana/pull/202413","mergeCommit":{"message":"[Security
Solution] [Onboarding] t1_analyst role blocked from interacting with
cards due to missing integration privileges (#202413)\n\n##
Summary\r\n\r\nThis PR temporarily fixes the #201799 issue for
Serverless.\r\n\r\n\r\n\r\nhttps://github.com/user-attachments/assets/604128cb-49b0-4a93-9a15-2a5a0c511883\r\n\r\n\r\n\r\n###
Checklist\r\n\r\nCheck the PR satisfies following conditions.
\r\n\r\nReviewers should verify this PR satisfies this list as
well.\r\n\r\n- [ ] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"3daaaa5b8c3e3a47b1e29f75df301b42d89caa87"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/202413","number":202413,"mergeCommit":{"message":"[Security
Solution] [Onboarding] t1_analyst role blocked from interacting with
cards due to missing integration privileges (#202413)\n\n##
Summary\r\n\r\nThis PR temporarily fixes the #201799 issue for
Serverless.\r\n\r\n\r\n\r\nhttps://github.com/user-attachments/assets/604128cb-49b0-4a93-9a15-2a5a0c511883\r\n\r\n\r\n\r\n###
Checklist\r\n\r\nCheck the PR satisfies following conditions.
\r\n\r\nReviewers should verify this PR satisfies this list as
well.\r\n\r\n- [ ] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"3daaaa5b8c3e3a47b1e29f75df301b42d89caa87"}},{"branch":"8.x","label":"v8.18.0","labelRegex":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->
---
 .../cards/alerts/alerts_card.test.tsx         | 32 +++++++++++++++--
 .../cards/alerts/alerts_card.tsx              | 10 ++++--
 .../cards/assistant/assistant_card.tsx        | 20 +++++++----
 .../attack_discover_card.test.tsx             |  1 +
 .../cards/dashboards/dashboards_card.test.tsx | 36 +++++++++++++++++--
 .../cards/dashboards/dashboards_card.tsx      | 10 ++++--
 .../integrations/integrations_card.test.tsx   |  1 +
 .../cards/rules/rules_card.test.tsx           | 32 +++++++++++++++--
 .../cards/rules/rules_card.tsx                | 15 ++++++--
 .../onboarding_body/onboarding_body.tsx       |  8 +++++
 .../public/onboarding/types.ts                |  5 +++
 11 files changed, 149 insertions(+), 21 deletions(-)

diff --git a/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/alerts/alerts_card.test.tsx b/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/alerts/alerts_card.test.tsx
index 3e83bcb851f82..4fec865e36f24 100644
--- a/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/alerts/alerts_card.test.tsx
+++ b/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/alerts/alerts_card.test.tsx
@@ -14,6 +14,7 @@ const props = {
   checkComplete: jest.fn(),
   isCardComplete: jest.fn(),
   setExpandedCardId: jest.fn(),
+  isCardAvailable: jest.fn(),
 };
 
 describe('AlertsCard', () => {
@@ -31,7 +32,8 @@ describe('AlertsCard', () => {
     expect(getByTestId('alertsCardDescription')).toBeInTheDocument();
   });
 
-  it('card callout should be rendered if integrations cards is not complete', () => {
+  it('card callout should be rendered if integrations card is available but not complete', () => {
+    props.isCardAvailable.mockReturnValueOnce(true);
     props.isCardComplete.mockReturnValueOnce(false);
 
     const { getByText } = render(
@@ -43,7 +45,20 @@ describe('AlertsCard', () => {
     expect(getByText('To view alerts add integrations first.')).toBeInTheDocument();
   });
 
-  it('card button should be disabled if integrations cards is not complete', () => {
+  it('card callout should not be rendered if integrations card is not available', () => {
+    props.isCardAvailable.mockReturnValueOnce(false);
+
+    const { queryByText } = render(
+      <TestProviders>
+        <AlertsCard {...props} />
+      </TestProviders>
+    );
+
+    expect(queryByText('To view alerts add integrations first.')).not.toBeInTheDocument();
+  });
+
+  it('card button should be disabled if integrations card is available but not complete', () => {
+    props.isCardAvailable.mockReturnValueOnce(true);
     props.isCardComplete.mockReturnValueOnce(false);
 
     const { getByTestId } = render(
@@ -54,4 +69,17 @@ describe('AlertsCard', () => {
 
     expect(getByTestId('alertsCardButton').querySelector('button')).toBeDisabled();
   });
+
+  it('card button should be enabled if integrations card is complete', () => {
+    props.isCardAvailable.mockReturnValueOnce(true);
+    props.isCardComplete.mockReturnValueOnce(true);
+
+    const { getByTestId } = render(
+      <TestProviders>
+        <AlertsCard {...props} />
+      </TestProviders>
+    );
+
+    expect(getByTestId('alertsCardButton').querySelector('button')).not.toBeDisabled();
+  });
 });
diff --git a/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/alerts/alerts_card.tsx b/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/alerts/alerts_card.tsx
index 890505f3f618b..bdcf662a5643c 100644
--- a/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/alerts/alerts_card.tsx
+++ b/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/alerts/alerts_card.tsx
@@ -21,12 +21,18 @@ export const AlertsCard: OnboardingCardComponent = ({
   isCardComplete,
   setExpandedCardId,
   setComplete,
+  isCardAvailable,
 }) => {
   const isIntegrationsCardComplete = useMemo(
     () => isCardComplete(OnboardingCardId.integrations),
     [isCardComplete]
   );
 
+  const isIntegrationsCardAvailable = useMemo(
+    () => isCardAvailable(OnboardingCardId.integrations),
+    [isCardAvailable]
+  );
+
   const expandIntegrationsCard = useCallback(() => {
     setExpandedCardId(OnboardingCardId.integrations, { scroll: true });
   }, [setExpandedCardId]);
@@ -43,7 +49,7 @@ export const AlertsCard: OnboardingCardComponent = ({
           <CardSubduedText data-test-subj="alertsCardDescription" size="s">
             {i18n.ALERTS_CARD_DESCRIPTION}
           </CardSubduedText>
-          {!isIntegrationsCardComplete && (
+          {isIntegrationsCardAvailable && !isIntegrationsCardComplete && (
             <>
               <EuiSpacer size="m" />
               <CardCallOut
@@ -69,7 +75,7 @@ export const AlertsCard: OnboardingCardComponent = ({
             onClick={() => setComplete(true)}
             deepLinkId={SecurityPageName.alerts}
             fill
-            isDisabled={!isIntegrationsCardComplete}
+            isDisabled={isIntegrationsCardAvailable && !isIntegrationsCardComplete}
           >
             {i18n.ALERTS_CARD_VIEW_ALERTS_BUTTON}
           </SecuritySolutionLinkButton>
diff --git a/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/assistant/assistant_card.tsx b/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/assistant/assistant_card.tsx
index 1d91413dbae3c..c971bd2a6f0b7 100644
--- a/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/assistant/assistant_card.tsx
+++ b/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/assistant/assistant_card.tsx
@@ -23,12 +23,18 @@ export const AssistantCard: OnboardingCardComponent<AssistantCardMetadata> = ({
   setExpandedCardId,
   checkCompleteMetadata,
   checkComplete,
+  isCardAvailable,
 }) => {
   const isIntegrationsCardComplete = useMemo(
     () => isCardComplete(OnboardingCardId.integrations),
     [isCardComplete]
   );
 
+  const isIntegrationsCardAvailable = useMemo(
+    () => isCardAvailable(OnboardingCardId.integrations),
+    [isCardAvailable]
+  );
+
   const expandIntegrationsCard = useCallback(() => {
     setExpandedCardId(OnboardingCardId.integrations, { scroll: true });
   }, [setExpandedCardId]);
@@ -45,13 +51,7 @@ export const AssistantCard: OnboardingCardComponent<AssistantCardMetadata> = ({
             <CardSubduedText size="s">{i18n.ASSISTANT_CARD_DESCRIPTION}</CardSubduedText>
           </EuiFlexItem>
           <EuiFlexItem>
-            {isIntegrationsCardComplete ? (
-              <ConnectorCards
-                canCreateConnectors={canCreateConnectors}
-                connectors={connectors}
-                onConnectorSaved={checkComplete}
-              />
-            ) : (
+            {isIntegrationsCardAvailable && !isIntegrationsCardComplete ? (
               <EuiFlexItem
                 className={css`
                   width: 45%;
@@ -73,6 +73,12 @@ export const AssistantCard: OnboardingCardComponent<AssistantCardMetadata> = ({
                   }
                 />
               </EuiFlexItem>
+            ) : (
+              <ConnectorCards
+                canCreateConnectors={canCreateConnectors}
+                connectors={connectors}
+                onConnectorSaved={checkComplete}
+              />
             )}
           </EuiFlexItem>
         </EuiFlexGroup>
diff --git a/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/attack_discovery/attack_discover_card.test.tsx b/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/attack_discovery/attack_discover_card.test.tsx
index 19b327f77487c..c28ae75b92c71 100644
--- a/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/attack_discovery/attack_discover_card.test.tsx
+++ b/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/attack_discovery/attack_discover_card.test.tsx
@@ -14,6 +14,7 @@ const props = {
   checkComplete: jest.fn(),
   isCardComplete: jest.fn(),
   setExpandedCardId: jest.fn(),
+  isCardAvailable: jest.fn(),
 };
 
 describe('RulesCard', () => {
diff --git a/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/dashboards/dashboards_card.test.tsx b/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/dashboards/dashboards_card.test.tsx
index f7aa198eccab4..d654fd9ca5a08 100644
--- a/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/dashboards/dashboards_card.test.tsx
+++ b/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/dashboards/dashboards_card.test.tsx
@@ -17,9 +17,10 @@ const props = {
   checkComplete: jest.fn(),
   isCardComplete: jest.fn(),
   setExpandedCardId: jest.fn(),
+  isCardAvailable: jest.fn(),
 };
 
-describe('RulesCard', () => {
+describe('DashboardsCard', () => {
   beforeEach(() => {
     jest.clearAllMocks();
   });
@@ -34,7 +35,8 @@ describe('RulesCard', () => {
     expect(getByTestId('dashboardsDescription')).toBeInTheDocument();
   });
 
-  it('card callout should be rendered if integrations cards is not complete', () => {
+  it('card callout should be rendered if integrations card is available but not complete', () => {
+    props.isCardAvailable.mockReturnValueOnce(true);
     props.isCardComplete.mockReturnValueOnce(false);
 
     const { getByText } = render(
@@ -46,7 +48,20 @@ describe('RulesCard', () => {
     expect(getByText('To view dashboards add integrations first.')).toBeInTheDocument();
   });
 
-  it('card button should be disabled if integrations cards is not complete', () => {
+  it('card callout should not be rendered if integrations card is not available', () => {
+    props.isCardAvailable.mockReturnValueOnce(false);
+
+    const { queryByText } = render(
+      <TestProviders>
+        <DashboardsCard {...props} />
+      </TestProviders>
+    );
+
+    expect(queryByText('To view dashboards add integrations first.')).not.toBeInTheDocument();
+  });
+
+  it('card button should be disabled if integrations card is available but not complete', () => {
+    props.isCardAvailable.mockReturnValueOnce(true);
     props.isCardComplete.mockReturnValueOnce(false);
 
     const { getByTestId } = render(
@@ -57,7 +72,22 @@ describe('RulesCard', () => {
 
     expect(getByTestId('dashboardsCardButton').querySelector('button')).toBeDisabled();
   });
+
+  it('card button should be enabled if integrations card is complete', () => {
+    props.isCardAvailable.mockReturnValueOnce(true);
+    props.isCardComplete.mockReturnValueOnce(true);
+
+    const { getByTestId } = render(
+      <TestProviders>
+        <DashboardsCard {...props} />
+      </TestProviders>
+    );
+
+    expect(getByTestId('dashboardsCardButton').querySelector('button')).not.toBeDisabled();
+  });
+
   it('should expand integrations card when callout link is clicked', () => {
+    props.isCardAvailable.mockReturnValueOnce(true);
     props.isCardComplete.mockReturnValueOnce(false); // To show the callout
 
     const { getByTestId } = render(
diff --git a/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/dashboards/dashboards_card.tsx b/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/dashboards/dashboards_card.tsx
index 94449cce5ad0e..db7f6dc9a1f7f 100644
--- a/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/dashboards/dashboards_card.tsx
+++ b/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/dashboards/dashboards_card.tsx
@@ -21,12 +21,18 @@ export const DashboardsCard: OnboardingCardComponent = ({
   isCardComplete,
   setComplete,
   setExpandedCardId,
+  isCardAvailable,
 }) => {
   const isIntegrationsCardComplete = useMemo(
     () => isCardComplete(OnboardingCardId.integrations),
     [isCardComplete]
   );
 
+  const isIntegrationsCardAvailable = useMemo(
+    () => isCardAvailable(OnboardingCardId.integrations),
+    [isCardAvailable]
+  );
+
   const expandIntegrationsCard = useCallback(() => {
     setExpandedCardId(OnboardingCardId.integrations, { scroll: true });
   }, [setExpandedCardId]);
@@ -46,7 +52,7 @@ export const DashboardsCard: OnboardingCardComponent = ({
           <CardSubduedText data-test-subj="dashboardsDescription" size="s">
             {i18n.DASHBOARDS_CARD_DESCRIPTION}
           </CardSubduedText>
-          {!isIntegrationsCardComplete && (
+          {isIntegrationsCardAvailable && !isIntegrationsCardComplete && (
             <>
               <EuiSpacer size="m" />
               <CardCallOut
@@ -77,7 +83,7 @@ export const DashboardsCard: OnboardingCardComponent = ({
             cardId={OnboardingCardId.dashboards}
             deepLinkId={SecurityPageName.dashboards}
             fill
-            isDisabled={!isIntegrationsCardComplete}
+            isDisabled={isIntegrationsCardAvailable && !isIntegrationsCardComplete}
           >
             {i18n.DASHBOARDS_CARD_GO_TO_DASHBOARDS_BUTTON}
           </CardLinkButton>
diff --git a/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/integrations/integrations_card.test.tsx b/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/integrations/integrations_card.test.tsx
index 296d5391fd611..c01fbfa96123d 100644
--- a/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/integrations/integrations_card.test.tsx
+++ b/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/integrations/integrations_card.test.tsx
@@ -15,6 +15,7 @@ const props = {
   checkComplete: jest.fn(),
   isCardComplete: jest.fn(),
   setExpandedCardId: jest.fn(),
+  isCardAvailable: jest.fn(),
 };
 
 describe('IntegrationsCard', () => {
diff --git a/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/rules/rules_card.test.tsx b/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/rules/rules_card.test.tsx
index f7156adc34eba..e32d13b787a51 100644
--- a/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/rules/rules_card.test.tsx
+++ b/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/rules/rules_card.test.tsx
@@ -13,6 +13,7 @@ const props = {
   setComplete: jest.fn(),
   checkComplete: jest.fn(),
   isCardComplete: jest.fn(),
+  isCardAvailable: jest.fn(),
   setExpandedCardId: jest.fn(),
 };
 
@@ -31,7 +32,8 @@ describe('RulesCard', () => {
     expect(getByTestId('rulesCardDescription')).toBeInTheDocument();
   });
 
-  it('card callout should be rendered if integrations cards is not complete', () => {
+  it('card callout should be rendered if integrations card is available but not complete', () => {
+    props.isCardAvailable.mockReturnValueOnce(true);
     props.isCardComplete.mockReturnValueOnce(false);
 
     const { getByText } = render(
@@ -43,7 +45,20 @@ describe('RulesCard', () => {
     expect(getByText('To add Elastic rules add integrations first.')).toBeInTheDocument();
   });
 
-  it('card button should be disabled if integrations cards is not complete', () => {
+  it('card callout should not be rendered if integrations card is not available', () => {
+    props.isCardAvailable.mockReturnValueOnce(false);
+
+    const { queryByText } = render(
+      <TestProviders>
+        <RulesCard {...props} />
+      </TestProviders>
+    );
+
+    expect(queryByText('To add Elastic rules add integrations first.')).not.toBeInTheDocument();
+  });
+
+  it('card button should be disabled if integrations card is available but not complete', () => {
+    props.isCardAvailable.mockReturnValueOnce(true);
     props.isCardComplete.mockReturnValueOnce(false);
 
     const { getByTestId } = render(
@@ -54,4 +69,17 @@ describe('RulesCard', () => {
 
     expect(getByTestId('rulesCardButton').querySelector('button')).toBeDisabled();
   });
+
+  it('card button should be enabled if integrations card is complete', () => {
+    props.isCardAvailable.mockReturnValueOnce(true);
+    props.isCardComplete.mockReturnValueOnce(true);
+
+    const { getByTestId } = render(
+      <TestProviders>
+        <RulesCard {...props} />
+      </TestProviders>
+    );
+
+    expect(getByTestId('rulesCardButton').querySelector('button')).not.toBeDisabled();
+  });
 });
diff --git a/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/rules/rules_card.tsx b/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/rules/rules_card.tsx
index 1fc74109ca824..c1eb789d6a46f 100644
--- a/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/rules/rules_card.tsx
+++ b/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/cards/rules/rules_card.tsx
@@ -17,12 +17,21 @@ import { CardSubduedText } from '../common/card_subdued_text';
 import rulesImageSrc from './images/rules.png';
 import * as i18n from './translations';
 
-export const RulesCard: OnboardingCardComponent = ({ isCardComplete, setExpandedCardId }) => {
+export const RulesCard: OnboardingCardComponent = ({
+  isCardComplete,
+  setExpandedCardId,
+  isCardAvailable,
+}) => {
   const isIntegrationsCardComplete = useMemo(
     () => isCardComplete(OnboardingCardId.integrations),
     [isCardComplete]
   );
 
+  const isIntegrationsCardAvailable = useMemo(
+    () => isCardAvailable(OnboardingCardId.integrations),
+    [isCardAvailable]
+  );
+
   const expandIntegrationsCard = useCallback(() => {
     setExpandedCardId(OnboardingCardId.integrations, { scroll: true });
   }, [setExpandedCardId]);
@@ -39,7 +48,7 @@ export const RulesCard: OnboardingCardComponent = ({ isCardComplete, setExpanded
           <CardSubduedText data-test-subj="rulesCardDescription" size="s">
             {i18n.RULES_CARD_DESCRIPTION}
           </CardSubduedText>
-          {!isIntegrationsCardComplete && (
+          {isIntegrationsCardAvailable && !isIntegrationsCardComplete && (
             <>
               <EuiSpacer size="m" />
               <CardCallOut
@@ -64,7 +73,7 @@ export const RulesCard: OnboardingCardComponent = ({ isCardComplete, setExpanded
           <SecuritySolutionLinkButton
             deepLinkId={SecurityPageName.rules}
             fill
-            isDisabled={!isIntegrationsCardComplete}
+            isDisabled={isIntegrationsCardAvailable && !isIntegrationsCardComplete}
           >
             {i18n.RULES_CARD_ADD_RULES_BUTTON}
           </SecuritySolutionLinkButton>
diff --git a/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/onboarding_body.tsx b/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/onboarding_body.tsx
index 0b55db750c080..947a0dff46343 100644
--- a/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/onboarding_body.tsx
+++ b/x-pack/plugins/security_solution/public/onboarding/components/onboarding_body/onboarding_body.tsx
@@ -14,6 +14,7 @@ import { OnboardingCardGroup } from './onboarding_card_group';
 import { OnboardingCardPanel } from './onboarding_card_panel';
 import { useExpandedCard } from './hooks/use_expanded_card';
 import { useCompletedCards } from './hooks/use_completed_cards';
+import type { IsCardAvailable } from '../../types';
 
 export const OnboardingBody = React.memo(() => {
   const bodyConfig = useBodyConfig();
@@ -47,6 +48,12 @@ export const OnboardingBody = React.memo(() => {
     [checkCardComplete]
   );
 
+  const isCardAvailable = useCallback<IsCardAvailable>(
+    (cardId: OnboardingCardId) =>
+      bodyConfig.some((group) => group.cards.some((card) => card.id === cardId)),
+    [bodyConfig]
+  );
+
   return (
     <EuiFlexGroup direction="column" gutterSize="xl">
       {bodyConfig.map((group, index) => (
@@ -72,6 +79,7 @@ export const OnboardingBody = React.memo(() => {
                           setComplete={createSetCardComplete(id)}
                           checkComplete={createCheckCardComplete(id)}
                           isCardComplete={isCardComplete}
+                          isCardAvailable={isCardAvailable}
                           setExpandedCardId={setExpandedCardId}
                           checkCompleteMetadata={cardCheckCompleteResult?.metadata}
                         />
diff --git a/x-pack/plugins/security_solution/public/onboarding/types.ts b/x-pack/plugins/security_solution/public/onboarding/types.ts
index d79dd73ced799..d9c5aa2c9bc20 100644
--- a/x-pack/plugins/security_solution/public/onboarding/types.ts
+++ b/x-pack/plugins/security_solution/public/onboarding/types.ts
@@ -42,6 +42,7 @@ export type CheckCompleteResponse<TMetadata extends {} = {}> =
 
 export type SetComplete = (isComplete: boolean) => void;
 export type IsCardComplete = (cardId: OnboardingCardId) => boolean;
+export type IsCardAvailable = (cardId: OnboardingCardId) => boolean;
 export type SetExpandedCardId = (
   cardId: OnboardingCardId | null,
   options?: { scroll?: boolean }
@@ -60,6 +61,10 @@ export type OnboardingCardComponent<TMetadata extends {} = {}> = React.Component
    * Function to check if a specific card is complete.
    */
   isCardComplete: IsCardComplete;
+  /**
+   * Function to check if a specific card is rendered.
+   */
+  isCardAvailable: IsCardAvailable;
   /**
    * Function to expand a specific card ID and scroll to it.
    */

From f9ed68563695a38ca6e7885aff0ef3613cd91ac1 Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Wed, 4 Dec 2024 00:27:25 +1100
Subject: [PATCH 12/23] [8.x] Exclude unrecognized tasks from the task manager
 aggregate API (#202163) (#202683)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

# Backport

This will backport the following commits from `main` to `8.x`:
- [Exclude unrecognized tasks from the task manager aggregate API
(#202163)](https://github.com/elastic/kibana/pull/202163)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Mike
Côté","email":"mikecote@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-12-03T11:21:49Z","message":"Exclude
unrecognized tasks from the task manager aggregate API (#202163)\n\nIn
this PR, I'm removing tasks with a status `unrecognized`
from\r\nreturning on any `taskStore.aggregate` calls. Without this, we
had\r\nunrecognized recurring tasks that were still part of the task
manager\r\ncapacity calculation
under\r\n`assumedAverageRecurringRequiredThroughputPerMinutePerKibana`.\r\n\r\n##
To Verify\r\n1. Create a few ES Query alerting rules running every
1s\r\n2. Capture the task manager health API report
via\r\n`/api/task_manager/_health`\r\n3. Apply the following diff to
mark es query alerting tasks as\r\nunrecognized\r\n```\r\ndiff --git
a/x-pack/plugins/stack_alerts/server/rule_types/es_query/index.ts
b/x-pack/plugins/stack_alerts/server/rule_types/es_query/index.ts\r\nindex
1988eebc21a..8d649f4c6a5 100644\r\n---
a/x-pack/plugins/stack_alerts/server/rule_types/es_query/index.ts\r\n+++
b/x-pack/plugins/stack_alerts/server/rule_types/es_query/index.ts\r\n@@
-10,5 +10,5 @@ import { getRuleType } from './rule_type';\r\n\r\n export
function register(params: RegisterRuleTypesParams, isServerless:
boolean) {\r\n const { alerting, core } = params;\r\n-
alerting.registerType(getRuleType(core, isServerless));\r\n+ //
alerting.registerType(getRuleType(core, isServerless));\r\n }\r\ndiff
--git
a/x-pack/plugins/task_manager/server/removed_tasks/mark_removed_tasks_as_unrecognized.ts
b/x-pack/plugins/task_manager/server/removed_tasks/mark_removed_tasks_as_unrecognized.ts\r\nindex
e28d5221e72..dbfc1bbd135 100644\r\n---
a/x-pack/plugins/task_manager/server/removed_tasks/mark_removed_tasks_as_unrecognized.ts\r\n+++
b/x-pack/plugins/task_manager/server/removed_tasks/mark_removed_tasks_as_unrecognized.ts\r\n@@
-33,6 +33,11 @@ export async function
scheduleMarkRemovedTasksAsUnrecognizedDefinition(\r\n state: {},\r\n
params: {},\r\n });\r\n+ try {\r\n+ await
taskScheduling.runSoon(TASK_ID);\r\n+ } catch (e) {\r\n+ // Ignore\r\n+
}\r\n } catch (e) {\r\n logger.error(`Error scheduling ${TASK_ID} task,
received ${e.message}`);\r\n }\r\ndiff --git
a/x-pack/plugins/task_manager/server/task_type_dictionary.ts
b/x-pack/plugins/task_manager/server/task_type_dictionary.ts\r\nindex
e0b28eccea3..142c07bb507 100644\r\n---
a/x-pack/plugins/task_manager/server/task_type_dictionary.ts\r\n+++
b/x-pack/plugins/task_manager/server/task_type_dictionary.ts\r\n@@ -32,6
+32,8 @@ export const REMOVED_TYPES: string[] = [\r\n\r\n
'cleanup_failed_action_executions',\r\n 'reports:monitor',\r\n+\r\n+
'alerting:.es-query',\r\n ];\r\n\r\n /**\r\n```\r\n5. Capture the task
manager health API report again via\r\n`/api/task_manager/_health`\r\n6.
Notice the number dropped
for\r\n`capacity_estimation.value.observed.avg_recurring_required_throughput_per_minute`","sha":"3b670980431da414535940aeeb0088d2ae7ff89c","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Feature:Task
Manager","Team:ResponseOps","v9.0.0","backport:version","v8.17.0","v8.18.0","v8.16.2"],"title":"Exclude
unrecognized tasks from the task manager aggregate
API","number":202163,"url":"https://github.com/elastic/kibana/pull/202163","mergeCommit":{"message":"Exclude
unrecognized tasks from the task manager aggregate API (#202163)\n\nIn
this PR, I'm removing tasks with a status `unrecognized`
from\r\nreturning on any `taskStore.aggregate` calls. Without this, we
had\r\nunrecognized recurring tasks that were still part of the task
manager\r\ncapacity calculation
under\r\n`assumedAverageRecurringRequiredThroughputPerMinutePerKibana`.\r\n\r\n##
To Verify\r\n1. Create a few ES Query alerting rules running every
1s\r\n2. Capture the task manager health API report
via\r\n`/api/task_manager/_health`\r\n3. Apply the following diff to
mark es query alerting tasks as\r\nunrecognized\r\n```\r\ndiff --git
a/x-pack/plugins/stack_alerts/server/rule_types/es_query/index.ts
b/x-pack/plugins/stack_alerts/server/rule_types/es_query/index.ts\r\nindex
1988eebc21a..8d649f4c6a5 100644\r\n---
a/x-pack/plugins/stack_alerts/server/rule_types/es_query/index.ts\r\n+++
b/x-pack/plugins/stack_alerts/server/rule_types/es_query/index.ts\r\n@@
-10,5 +10,5 @@ import { getRuleType } from './rule_type';\r\n\r\n export
function register(params: RegisterRuleTypesParams, isServerless:
boolean) {\r\n const { alerting, core } = params;\r\n-
alerting.registerType(getRuleType(core, isServerless));\r\n+ //
alerting.registerType(getRuleType(core, isServerless));\r\n }\r\ndiff
--git
a/x-pack/plugins/task_manager/server/removed_tasks/mark_removed_tasks_as_unrecognized.ts
b/x-pack/plugins/task_manager/server/removed_tasks/mark_removed_tasks_as_unrecognized.ts\r\nindex
e28d5221e72..dbfc1bbd135 100644\r\n---
a/x-pack/plugins/task_manager/server/removed_tasks/mark_removed_tasks_as_unrecognized.ts\r\n+++
b/x-pack/plugins/task_manager/server/removed_tasks/mark_removed_tasks_as_unrecognized.ts\r\n@@
-33,6 +33,11 @@ export async function
scheduleMarkRemovedTasksAsUnrecognizedDefinition(\r\n state: {},\r\n
params: {},\r\n });\r\n+ try {\r\n+ await
taskScheduling.runSoon(TASK_ID);\r\n+ } catch (e) {\r\n+ // Ignore\r\n+
}\r\n } catch (e) {\r\n logger.error(`Error scheduling ${TASK_ID} task,
received ${e.message}`);\r\n }\r\ndiff --git
a/x-pack/plugins/task_manager/server/task_type_dictionary.ts
b/x-pack/plugins/task_manager/server/task_type_dictionary.ts\r\nindex
e0b28eccea3..142c07bb507 100644\r\n---
a/x-pack/plugins/task_manager/server/task_type_dictionary.ts\r\n+++
b/x-pack/plugins/task_manager/server/task_type_dictionary.ts\r\n@@ -32,6
+32,8 @@ export const REMOVED_TYPES: string[] = [\r\n\r\n
'cleanup_failed_action_executions',\r\n 'reports:monitor',\r\n+\r\n+
'alerting:.es-query',\r\n ];\r\n\r\n /**\r\n```\r\n5. Capture the task
manager health API report again via\r\n`/api/task_manager/_health`\r\n6.
Notice the number dropped
for\r\n`capacity_estimation.value.observed.avg_recurring_required_throughput_per_minute`","sha":"3b670980431da414535940aeeb0088d2ae7ff89c"}},"sourceBranch":"main","suggestedTargetBranches":["8.17","8.x","8.16"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/202163","number":202163,"mergeCommit":{"message":"Exclude
unrecognized tasks from the task manager aggregate API (#202163)\n\nIn
this PR, I'm removing tasks with a status `unrecognized`
from\r\nreturning on any `taskStore.aggregate` calls. Without this, we
had\r\nunrecognized recurring tasks that were still part of the task
manager\r\ncapacity calculation
under\r\n`assumedAverageRecurringRequiredThroughputPerMinutePerKibana`.\r\n\r\n##
To Verify\r\n1. Create a few ES Query alerting rules running every
1s\r\n2. Capture the task manager health API report
via\r\n`/api/task_manager/_health`\r\n3. Apply the following diff to
mark es query alerting tasks as\r\nunrecognized\r\n```\r\ndiff --git
a/x-pack/plugins/stack_alerts/server/rule_types/es_query/index.ts
b/x-pack/plugins/stack_alerts/server/rule_types/es_query/index.ts\r\nindex
1988eebc21a..8d649f4c6a5 100644\r\n---
a/x-pack/plugins/stack_alerts/server/rule_types/es_query/index.ts\r\n+++
b/x-pack/plugins/stack_alerts/server/rule_types/es_query/index.ts\r\n@@
-10,5 +10,5 @@ import { getRuleType } from './rule_type';\r\n\r\n export
function register(params: RegisterRuleTypesParams, isServerless:
boolean) {\r\n const { alerting, core } = params;\r\n-
alerting.registerType(getRuleType(core, isServerless));\r\n+ //
alerting.registerType(getRuleType(core, isServerless));\r\n }\r\ndiff
--git
a/x-pack/plugins/task_manager/server/removed_tasks/mark_removed_tasks_as_unrecognized.ts
b/x-pack/plugins/task_manager/server/removed_tasks/mark_removed_tasks_as_unrecognized.ts\r\nindex
e28d5221e72..dbfc1bbd135 100644\r\n---
a/x-pack/plugins/task_manager/server/removed_tasks/mark_removed_tasks_as_unrecognized.ts\r\n+++
b/x-pack/plugins/task_manager/server/removed_tasks/mark_removed_tasks_as_unrecognized.ts\r\n@@
-33,6 +33,11 @@ export async function
scheduleMarkRemovedTasksAsUnrecognizedDefinition(\r\n state: {},\r\n
params: {},\r\n });\r\n+ try {\r\n+ await
taskScheduling.runSoon(TASK_ID);\r\n+ } catch (e) {\r\n+ // Ignore\r\n+
}\r\n } catch (e) {\r\n logger.error(`Error scheduling ${TASK_ID} task,
received ${e.message}`);\r\n }\r\ndiff --git
a/x-pack/plugins/task_manager/server/task_type_dictionary.ts
b/x-pack/plugins/task_manager/server/task_type_dictionary.ts\r\nindex
e0b28eccea3..142c07bb507 100644\r\n---
a/x-pack/plugins/task_manager/server/task_type_dictionary.ts\r\n+++
b/x-pack/plugins/task_manager/server/task_type_dictionary.ts\r\n@@ -32,6
+32,8 @@ export const REMOVED_TYPES: string[] = [\r\n\r\n
'cleanup_failed_action_executions',\r\n 'reports:monitor',\r\n+\r\n+
'alerting:.es-query',\r\n ];\r\n\r\n /**\r\n```\r\n5. Capture the task
manager health API report again via\r\n`/api/task_manager/_health`\r\n6.
Notice the number dropped
for\r\n`capacity_estimation.value.observed.avg_recurring_required_throughput_per_minute`","sha":"3b670980431da414535940aeeb0088d2ae7ff89c"}},{"branch":"8.17","label":"v8.17.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.16","label":"v8.16.2","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Mike Côté <mikecote@users.noreply.github.com>
---
 .../task_manager/server/task_store.test.ts    | 25 ++++++++++++++++---
 .../plugins/task_manager/server/task_store.ts |  8 +++++-
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/x-pack/plugins/task_manager/server/task_store.test.ts b/x-pack/plugins/task_manager/server/task_store.test.ts
index cbb1c44dde3fc..029aa2b1760ce 100644
--- a/x-pack/plugins/task_manager/server/task_store.test.ts
+++ b/x-pack/plugins/task_manager/server/task_store.test.ts
@@ -555,7 +555,14 @@ describe('TaskStore', () => {
         body: {
           size: 0,
           query: {
-            bool: { filter: [{ term: { type: 'task' } }, { term: { 'task.enabled': true } }] },
+            bool: {
+              filter: {
+                bool: {
+                  must: [{ term: { type: 'task' } }, { term: { 'task.enabled': true } }],
+                  must_not: [{ term: { 'task.status': 'unrecognized' } }],
+                },
+              },
+            },
           },
           aggs: { testAgg: { terms: { field: 'task.taskType' } } },
         },
@@ -578,7 +585,12 @@ describe('TaskStore', () => {
               must: [
                 {
                   bool: {
-                    filter: [{ term: { type: 'task' } }, { term: { 'task.enabled': true } }],
+                    filter: {
+                      bool: {
+                        must: [{ term: { type: 'task' } }, { term: { 'task.enabled': true } }],
+                        must_not: [{ term: { 'task.status': 'unrecognized' } }],
+                      },
+                    },
                   },
                 },
                 { term: { 'task.taskType': 'bar' } },
@@ -600,7 +612,14 @@ describe('TaskStore', () => {
         body: {
           size: 0,
           query: {
-            bool: { filter: [{ term: { type: 'task' } }, { term: { 'task.enabled': true } }] },
+            bool: {
+              filter: {
+                bool: {
+                  must: [{ term: { type: 'task' } }, { term: { 'task.enabled': true } }],
+                  must_not: [{ term: { 'task.status': 'unrecognized' } }],
+                },
+              },
+            },
           },
           aggs: { testAgg: { terms: { field: 'task.taskType' } } },
           runtime_mappings: { testMapping: { type: 'long', script: { source: `` } } },
diff --git a/x-pack/plugins/task_manager/server/task_store.ts b/x-pack/plugins/task_manager/server/task_store.ts
index 0946c5c18d328..6c48f3bd7552d 100644
--- a/x-pack/plugins/task_manager/server/task_store.ts
+++ b/x-pack/plugins/task_manager/server/task_store.ts
@@ -34,6 +34,7 @@ import {
   ConcreteTaskInstance,
   ConcreteTaskInstanceVersion,
   TaskInstance,
+  TaskStatus,
   TaskLifecycle,
   TaskLifecycleResult,
   SerializedConcreteTaskInstance,
@@ -842,7 +843,12 @@ function ensureAggregationOnlyReturnsEnabledTaskObjects(opts: AggregationOpts):
   const originalQuery = opts.query;
   const filterToOnlyTasks = {
     bool: {
-      filter: [{ term: { type: 'task' } }, { term: { 'task.enabled': true } }],
+      filter: {
+        bool: {
+          must: [{ term: { type: 'task' } }, { term: { 'task.enabled': true } }],
+          must_not: [{ term: { 'task.status': TaskStatus.Unrecognized } }],
+        },
+      },
     },
   };
   const query = originalQuery

From b05111c9553d3a59074531f779032f8ebd552c95 Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Wed, 4 Dec 2024 00:56:03 +1100
Subject: [PATCH 13/23] [8.x] [Infra] Fix Actions on Charts (#202443) (#202692)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Infra] Fix Actions on Charts
(#202443)](https://github.com/elastic/kibana/pull/202443)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Sergi
Romeu","email":"sergi.romeu@elastic.co"},"sourceCommit":{"committedDate":"2024-12-03T11:54:12Z","message":"[Infra]
Fix Actions on Charts (#202443)\n\n## Summary\n\nCloses #201535 \n\nThis
PR fixes the actions not displayed on Infra charts while hovering\nwith
the mouse, while also modifying the actions that should
be\ndisplayed.\n\nRight now, the following actions are displayed:\n-
Explore in Discover\n- Inspect\n- Open in Lens (as a custom action,
clicking the 3 dots)\n\n### How to test\n1. Start Kibana and fill it
with data, `node scripts/synthtrace\ninfra_hosts_with_apm_hosts` can be
used if you don't have data.\n2. Navigate to Host list, check if
hovering a chart displays the actions\n3. Navigate to Host details,
check if hovering a chart displays the\nactions\n\n\n###
Screenshots\nBefore|After\n-|-\n\n![image](https://github.com/user-attachments/assets/489b00e0-9702-4ac2-a55e-cc1e1e733783)|![image](https://github.com/user-attachments/assets/fa37a6ba-9074-403f-ad10-1b6b58e3f64a)","sha":"ea4ebb4f597a8908443ecc1f2664a5562a618234","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","v9.0.0","backport:prev-minor","ci:project-deploy-observability","Team:obs-ux-infra_services"],"title":"[Infra]
Fix Actions on
Charts","number":202443,"url":"https://github.com/elastic/kibana/pull/202443","mergeCommit":{"message":"[Infra]
Fix Actions on Charts (#202443)\n\n## Summary\n\nCloses #201535 \n\nThis
PR fixes the actions not displayed on Infra charts while hovering\nwith
the mouse, while also modifying the actions that should
be\ndisplayed.\n\nRight now, the following actions are displayed:\n-
Explore in Discover\n- Inspect\n- Open in Lens (as a custom action,
clicking the 3 dots)\n\n### How to test\n1. Start Kibana and fill it
with data, `node scripts/synthtrace\ninfra_hosts_with_apm_hosts` can be
used if you don't have data.\n2. Navigate to Host list, check if
hovering a chart displays the actions\n3. Navigate to Host details,
check if hovering a chart displays the\nactions\n\n\n###
Screenshots\nBefore|After\n-|-\n\n![image](https://github.com/user-attachments/assets/489b00e0-9702-4ac2-a55e-cc1e1e733783)|![image](https://github.com/user-attachments/assets/fa37a6ba-9074-403f-ad10-1b6b58e3f64a)","sha":"ea4ebb4f597a8908443ecc1f2664a5562a618234"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/202443","number":202443,"mergeCommit":{"message":"[Infra]
Fix Actions on Charts (#202443)\n\n## Summary\n\nCloses #201535 \n\nThis
PR fixes the actions not displayed on Infra charts while hovering\nwith
the mouse, while also modifying the actions that should
be\ndisplayed.\n\nRight now, the following actions are displayed:\n-
Explore in Discover\n- Inspect\n- Open in Lens (as a custom action,
clicking the 3 dots)\n\n### How to test\n1. Start Kibana and fill it
with data, `node scripts/synthtrace\ninfra_hosts_with_apm_hosts` can be
used if you don't have data.\n2. Navigate to Host list, check if
hovering a chart displays the actions\n3. Navigate to Host details,
check if hovering a chart displays the\nactions\n\n\n###
Screenshots\nBefore|After\n-|-\n\n![image](https://github.com/user-attachments/assets/489b00e0-9702-4ac2-a55e-cc1e1e733783)|![image](https://github.com/user-attachments/assets/fa37a6ba-9074-403f-ad10-1b6b58e3f64a)","sha":"ea4ebb4f597a8908443ecc1f2664a5562a618234"}}]}]
BACKPORT-->

Co-authored-by: Sergi Romeu <sergi.romeu@elastic.co>
---
 .../infra/public/components/lens/lens_chart.tsx      | 12 ++++++++++++
 .../infra/public/components/lens/lens_wrapper.tsx    |  1 -
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/x-pack/plugins/observability_solution/infra/public/components/lens/lens_chart.tsx b/x-pack/plugins/observability_solution/infra/public/components/lens/lens_chart.tsx
index b244ff12222d6..56d69fa9b6c7c 100644
--- a/x-pack/plugins/observability_solution/infra/public/components/lens/lens_chart.tsx
+++ b/x-pack/plugins/observability_solution/infra/public/components/lens/lens_chart.tsx
@@ -25,6 +25,12 @@ import { ChartLoadError } from './chart_load_error';
 import { HOST_MISSING_FIELDS } from '../../common/visualizations/constants';
 
 const MIN_HEIGHT = 300;
+const DEFAULT_DISABLED_ACTIONS = [
+  'ACTION_CUSTOMIZE_PANEL',
+  'ACTION_EXPORT_CSV',
+  'embeddable_addToExistingCase',
+  'create-ml-ad-job-action',
+];
 
 export type LensChartProps = BaseChartProps &
   Pick<EuiPanelProps, 'borderRadius'> & {
@@ -33,6 +39,8 @@ export type LensChartProps = BaseChartProps &
     description?: string;
   } & {
     lensAttributes: UseLensAttributesParams;
+    withDefaultActions?: boolean;
+    disabledActions?: string[];
   };
 
 export const LensChart = React.memo(
@@ -52,6 +60,8 @@ export const LensChart = React.memo(
     height = MIN_HEIGHT,
     loading = false,
     lensAttributes,
+    withDefaultActions = true,
+    disabledActions = DEFAULT_DISABLED_ACTIONS,
   }: LensChartProps) => {
     const { formula, attributes, getExtraActions, error } = useLensAttributes(lensAttributes);
 
@@ -122,6 +132,8 @@ export const LensChart = React.memo(
         dateRange={dateRange}
         disableTriggers={disableTriggers}
         extraActions={extraActions}
+        withDefaultActions={withDefaultActions}
+        disabledActions={disabledActions}
         filters={filters}
         hidePanelTitles={hidePanelTitles}
         loading={isLoading}
diff --git a/x-pack/plugins/observability_solution/infra/public/components/lens/lens_wrapper.tsx b/x-pack/plugins/observability_solution/infra/public/components/lens/lens_wrapper.tsx
index 01d409fc9a1ac..01ce60b593462 100644
--- a/x-pack/plugins/observability_solution/infra/public/components/lens/lens_wrapper.tsx
+++ b/x-pack/plugins/observability_solution/infra/public/components/lens/lens_wrapper.tsx
@@ -93,7 +93,6 @@ export const LensWrapper = ({
     <div
       css={css`
         position: relative;
-        overflow: hidden;
         height: 100%;
         .echMetric {
           border-radius: ${euiTheme.border.radius.medium};

From 2970f7901ad62f989e421cc604ceb6464f5a11f0 Mon Sep 17 00:00:00 2001
From: Christos Nasikas <christos.nasikas@elastic.co>
Date: Tue, 3 Dec 2024 16:01:51 +0200
Subject: [PATCH 14/23] [8.x] [ResponseOps][Alerting] Decouple feature IDs from
 consumers (#183756) (#202667)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[ResponseOps][Alerting] Decouple feature IDs from consumers
(#183756)](https://github.com/elastic/kibana/pull/183756)

<!--- Backport version: 8.9.8 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Christos
Nasikas","email":"christos.nasikas@elastic.co"},"sourceCommit":{"committedDate":"2024-12-03T10:21:53Z","message":"[ResponseOps][Alerting]
Decouple feature IDs from consumers (#183756)\n\n## Summary\r\n\r\nThis
PR aims to decouple the feature IDs from the `consumer` attribute\r\nof
rules and alerts.\r\n\r\nTowards:
https://github.com/elastic/kibana/issues/187202\r\nFixes:
https://github.com/elastic/kibana/issues/181559\r\nFixes:
https://github.com/elastic/kibana/issues/182435\r\n\r\n> [!NOTE] \r\n>
Unfortunately, I could not break the PR into smaller pieces. The
APIs\r\ncould not work anymore with feature IDs and had to convert them
to use\r\nrule type IDs. Also, I took the chance and refactored crucial
parts of\r\nthe authorization class that in turn affected a lot of
files. Most of\r\nthe changes in the files are minimal and easy to
review. The crucial\r\nchanges are in the authorization class and some
alerting APIs.\r\n\r\n## Architecture\r\n\r\n### Alerting RBAC
model\r\n\r\nThe Kibana security uses Elasticsearch's
[application\r\nprivileges](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-put-privileges.html#security-api-put-privileges).\r\nThis
way Kibana can represent and store its privilege models
within\r\nElasticsearch roles. To do that, Kibana security creates
actions that\r\nare granted by a specific privilege. Alerting uses its
own RBAC model\r\nand is built on top of the existing Kibana security
model. The Alerting\r\nRBAC uses the `rule_type_id` and `consumer`
attributes to define who\r\nowns the rule and the alerts procured by the
rule. To connect the\r\n`rule_type_id` and `consumer` with the Kibana
security actions the\r\nAlerting RBAC registers its custom actions. They
are constructed
as\r\n`alerting:<rule-type-id>/<feature-id>/<alerting-entity>/<operation>`.\r\nBecause
to authorizate a resource an action has to be generated and\r\nbecause
the action needs a valid feature ID the value of the
`consumer`\r\nshould be a valid feature ID. For example,
the\r\n`alerting:siem.esqlRule/siem/rule/get` action, means that a user
with a\r\nrole that grants this action can get a rule of type
`siem.esqlRule` with\r\nconsumer `siem`.\r\n\r\n### Problem
statement\r\n\r\nAt the moment the `consumer` attribute should be a
valid feature ID.\r\nThough this approach worked well so far it has its
limitation.\r\nSpecifically:\r\n\r\n- Rule types cannot support more
than one consumer.\r\n- To associate old rules with a new feature ID
required a migration on\r\nthe rule's SOs and the alerts documents.\r\n-
The API calls are feature ID-oriented and not rule-type-oriented.\r\n-
The framework has to be aware of the values of the
`consumer`\r\nattribute.\r\n- Feature IDs are tightly coupled with the
alerting indices leading
to\r\n[bugs](https://github.com/elastic/kibana/issues/179082).\r\n-
Legacy consumers that are not a valid feature anymore can
cause\r\n[bugs](https://github.com/elastic/kibana/issues/184595).\r\n-
The framework has to be aware of legacy consumers to handle
edge\r\ncases.\r\n- The framework has to be aware of specific consumers
to handle edge\r\ncases.\r\n\r\n### Proposed solution\r\n\r\nThis PR
aims to decouple the feature IDs from consumers. It achieves\r\nthat a)
by changing the way solutions configure the alerting privileges\r\nwhen
registering a feature and b) by changing the alerting actions.
The\r\nschema changes as:\r\n\r\n```\r\n// Old formatting\r\nid: 'siem',
<--- feature ID\r\nalerting:['siem.queryRule']\r\n\r\n// New
formatting\r\nid: 'siem', <--- feature ID\r\nalerting: [{ ruleTypeId:
'siem.queryRule', consumers: ['siem'] }] <-- consumer same as the
feature ID in the old formatting\r\n```\r\n\r\nThe new actions are
constructed
as\r\n`alerting:<rule-type-id>/<consumer>/<alerting-entity>/<operation>`.
For\r\nexample `alerting:rule-type-id/my-consumer/rule/get`. The new
action\r\nmeans that a user with a role that grants this action can get
a rule of\r\ntype `rule-type` with consumer `my-consumer`. Changing the
action\r\nstrings is not considered a breaking change as long as the
user's\r\npermission works as before. In our case, this is true because
the\r\nconsumer will be the same as before (feature ID), and the
alerting\r\nsecurity actions will be the same. For example:\r\n\r\n**Old
formatting**\r\n\r\nSchema:\r\n```\r\nid: 'logs', <--- feature
ID\r\nalerting:['.es-query'] <-- rule type ID\r\n```\r\n\r\nGenerated
action:\r\n\r\n```\r\nalerting:.es-query/logs/rule/get\r\n```\r\n\r\n**New
formatting**\r\n\r\nSchema:\r\n```\r\nid: 'siem', <--- feature
ID\r\nalerting: [{ ruleTypeId: '.es-query', consumers: ['logs'] }] <--
consumer same as the feature ID in the old
formatting\r\n```\r\n\r\nGenerated
action:\r\n\r\n```\r\nalerting:.es-query/logs/rule/get <--- consumer is
set as logs and the action is the same as before\r\n```\r\n\r\nIn both
formating the actions are the same thus breaking changes
are\r\navoided.\r\n\r\n### Alerting authorization class\r\nThe alerting
plugin uses and exports the alerting authorization
class\r\n(`AlertingAuthorization`). The class is responsible for
handling all\r\nauthorization actions related to rules and alerts. The
class changed to\r\nhandle the new actions as described in the above
sections. A lot of\r\nmethods were renamed, removed, and cleaned up, all
method arguments\r\nconverted to be an object, and the response
signature of some methods\r\nchanged. These changes affected various
pieces of the code. The changes\r\nin this class are the most important
in this PR especially
the\r\n`_getAuthorizedRuleTypesWithAuthorizedConsumers` method which is
the\r\ncornerstone of the alerting RBAC. Please review
carefully.\r\n\r\n### Instantiation of the alerting authorization
class\r\nThe `AlertingAuthorizationClientFactory` is used to create
instances of\r\nthe `AlertingAuthorization` class. The
`AlertingAuthorization` class\r\nneeds to perform async operations upon
instantiation. Because JS, at the\r\nmoment, does not support async
instantiation of classes the\r\n`AlertingAuthorization` class was
assigning `Promise` objects to\r\nvariables that could be resolved later
in other phases of the lifecycle\r\nof the class. To improve readability
and make the lifecycle of the class\r\nclearer, I separated the
construction of the class (initialization) from\r\nthe bootstrap
process. As a result, getting the `AlertingAuthorization`\r\nclass or
any client that depends on it (`getRulesClient` for example) is\r\nan
async operation.\r\n\r\n### Filtering\r\nA lot of routes use the
authorization class to get the authorization\r\nfilter
(`getFindAuthorizationFilter`), a filter that, if applied,\r\nreturns
only the rule types and consumers the user is authorized to.
The\r\nmethod that returns the filter was built in a way to also
support\r\nfiltering on top of the authorization filter thus coupling
the\r\nauthorized filter with router filtering. I believe these two
operations\r\nshould be decoupled and the filter method should return a
filter that\r\ngives you all the authorized rule types. It is the
responsibility of the\r\nconsumer, router in our case, to apply extra
filters on top of the\r\nauthorization filter. For that reason, I made
all the necessary changes\r\nto decouple them.\r\n\r\n### Legacy
consumers & producer\r\nA lot of rules and alerts have been created and
are still being created\r\nfrom observability with the `alerts`
consumer. When the Alerting RBAC\r\nencounters a rule or alert with
`alerts` as a consumer it falls back to\r\nthe `producer` of the rule
type ID to construct the actions. For example\r\nif a rule with
`ruleTypeId: .es-query` and `consumer: alerts` the\r\nalerting action
will be constructed as\r\n`alerting:.es-query/stackAlerts/rule/get`
where `stackRules` is the\r\nproducer of the `.es-query` rule type. The
`producer` is used to be used\r\nin alerting authorization but due to
its complexity, it was deprecated\r\nand only used as a fallback for the
`alerts` consumer. To avoid breaking\r\nchanges all feature privileges
that specify access to rule types add the\r\n`alerts` consumer when
configuring their alerting privileges. By moving\r\nthe `alerts`
consumer to the registration of the feature we can stop\r\nrelying on
the `producer`. The `producer` is not used anymore in
the\r\nauthorization class. In the next PRs the `producer` will
removed\r\nentirely.\r\n\r\n### Routes\r\nThe following changes were
introduced to the alerting routes:\r\n\r\n- All related routes changed
to be rule-type oriented and not feature ID\r\noriented.\r\n- All
related routes support the `ruleTypeIds` and the
`consumers`\r\nparameters for filtering. In all routes, the filters are
constructed as\r\n`ruleTypeIds: ['foo'] AND consumers: ['bar'] AND
authorizationFilter`.\r\nFiltering by consumers is important. In o11y
for example, we do not want\r\nto show ES rule types with the
`stackAlerts` consumer even if the user\r\nhas access to them.\r\n- The
`/internal/rac/alerts/_feature_ids` route got deleted as it was\r\nnot
used anywhere in the codebase and it was internal.\r\n\r\nAll the
changes in the routes are related to internal routes and no\r\nbreaking
changes are introduced.\r\n\r\n### Constants\r\nI moved the o11y and
stack rule type IDs to `kbn-rule-data-utils` and\r\nexported all
security solution rule type IDs from\r\n`kbn-securitysolution-rules`. I
am not a fan of having a centralized\r\nplace for the rule type IDs.
Ideally, consumers of the framework should\r\nspecify keywords like
`observablility` (category or subcategory) or even\r\n`apm.*` and the
framework should know which rule type IDs to pick up. I\r\nthink it is
out of the scope of the PR, and at the moment it seems the\r\nmost
straightforward way to move forward. I will try to clean up as
much\r\nas possible in further iterations. If you are interested in the
upcoming\r\nwork follow this issue
https://github.com/elastic/kibana/issues/187202.\r\n\r\n### Other
notable code changes\r\n- Change all instances of feature IDs to rule
type IDs.\r\n- `isSiemRuleType`: This is a temporary helper function
that is needed\r\nin places where we handle edge cases related to
security solution rule\r\ntypes. Ideally, the framework should be
agnostic to the rule types or\r\nconsumers. The plan is to be removed
entirely in further iterations.\r\n- Rename alerting
`PluginSetupContract` and `PluginStartContract`
to\r\n`AlertingServerSetup` and `AlertingServerStart`. This made me
touch a\r\nlot of files but I could not resist.\r\n- `filter_consumers`
was mistakenly exposed to a public API. It was\r\nundocumented.\r\n-
Files or functions that were not used anywhere in the codebase
got\r\ndeleted.\r\n- Change the returned type of the `list` method of
the\r\n`RuleTypeRegistry` from `Set<RegistryRuleType>` to
`Map<string,\r\nRegistryRuleType>`.\r\n- Assertion of `KueryNode` in
tests changed to an assertion of KQL using\r\n`toKqlExpression`.\r\n-
Removal of `useRuleAADFields` as it is not used anywhere.\r\n\r\n##
Testing\r\n\r\n> [!CAUTION]\r\n> It is very important to test all the
areas of the application where\r\nrules or alerts are being used
directly or indirectly. Scenarios to\r\nconsider:\r\n> - The correct
rules, alerts, and aggregations on top of them are being\r\nshown as
expected as a superuser.\r\n> - The correct rules, alerts, and
aggregations on top of them are being\r\nshown as expected by a user
with limited access to certain features.\r\n> - The changes in this PR
are backward compatible with the previous\r\nusers'
permissions.\r\n\r\n### Solutions\r\nPlease test and verify that:\r\n-
All the rule types you own with all possible combinations
of\r\npermissions both in ESS and in Serverless.\r\n- The consumers and
rule types make sense when registering the features.\r\n- The consumers
and rule types that are passed to the components are the\r\nintended
ones.\r\n\r\n### ResponseOps\r\nThe most important changes are in the
alerting authorization class, the\r\nsearch strategy, and the routes.
Please test:\r\n- The rules we own with all possible combinations of
permissions.\r\n- The stack alerts page and its solution filtering.\r\n-
The categories filtering in the maintenance window UI.\r\n\r\n##
Risks\r\n> [!WARNING]\r\n> The risks involved in this PR are related to
privileges. Specifically:\r\n> - Users with no privileges can access
rules and alerts they do not\r\nhave access to.\r\n> - Users with
privileges cannot access rules and alerts they have\r\naccess
to.\r\n>\r\n> An excessive list of integration tests is in place to
ensure that the\r\nabove scenarios will not occur. In the case of a bug,
we could a)\r\nrelease an energy release for serverless and b) backport
the fix in ESS.\r\nGiven that this PR is intended to be merged in 8.17
we have plenty of\r\ntime to test and to minimize the chances of
risks.\r\n\r\n## FQA\r\n\r\n- I noticed that a lot of routes support the
`filter` parameter where we\r\ncan pass an arbitrary KQL filter. Why we
do not use this to filter by\r\nthe rule type IDs and the consumers and
instead we introduce new\r\ndedicated parameters?\r\n\r\nThe `filter`
parameter should not be exposed in the first place. It\r\nassumes that
the consumer of the API knows the underlying structure
and\r\nimplementation details of the persisted storage API (SavedObject
client\r\nAPI). For example, a valid filter would
be\r\n`alerting.attributes.rule_type_id`. In this filter the consumer
should\r\nknow a) the name of the SO b) the keyword `attributes`
(storage\r\nimplementation detail) and c) the name of the attribute as
it is\r\npersisted in ES (snake case instead of camel case as it is
returned by\r\nthe APIs). As there is no abstraction layer between the
SO and the API,\r\nit makes it very difficult to make changes in the
persistent schema or\r\nthe APIs. For all the above I decided to
introduce new query parameters\r\nwhere the alerting framework has total
control over it.\r\n\r\n- I noticed in the code a lot of instances where
the consumer is used.\r\nShould not remove any logic around
consumers?\r\n\r\nThis PR is a step forward making the framework as
agnostic as possible.\r\nI had to keep the scope of the PR as contained
as possible. We will get\r\nthere. It needs time :).\r\n\r\n- I noticed
a lot of hacks like checking if the rule type is `siem`.\r\nShould not
remove the hacks?\r\n\r\nThis PR is a step forward making the framework
as agnostic as possible.\r\nI had to keep the scope of the PR as
contained as possible. We will get\r\nthere. It needs time :).\r\n\r\n-
I hate the \"Role visibility\" dropdown. Can we remove it?\r\n\r\nI also
do not like it. The goal is to remove it.
Follow\r\nhttps://github.com/elastic/kibana/issues/189997.\r\n\r\n---------\r\n\r\nCo-authored-by:
kibanamachine
<42973632+kibanamachine@users.noreply.github.com>\r\nCo-authored-by:
Aleh Zasypkin <aleh.zasypkin@elastic.co>\r\nCo-authored-by: Paula
Borgonovi
<159723434+pborgonovi@users.noreply.github.com>","sha":"a3496c9ca6d99fa301fd8ca73ad44178cdeb2955","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Feature:Alerting","release_note:skip","Team:ResponseOps","v9.0.0","backport:prev-minor","ci:cloud-deploy","ci:cloud-persist-deployment","ci:build-serverless-image","Team:Obs
AI
Assistant","ci:project-deploy-observability","Team:obs-ux-infra_services","Team:obs-ux-management","apm:review","v8.18.0"],"number":183756,"url":"https://github.com/elastic/kibana/pull/183756","mergeCommit":{"message":"[ResponseOps][Alerting]
Decouple feature IDs from consumers (#183756)\n\n## Summary\r\n\r\nThis
PR aims to decouple the feature IDs from the `consumer` attribute\r\nof
rules and alerts.\r\n\r\nTowards:
https://github.com/elastic/kibana/issues/187202\r\nFixes:
https://github.com/elastic/kibana/issues/181559\r\nFixes:
https://github.com/elastic/kibana/issues/182435\r\n\r\n> [!NOTE] \r\n>
Unfortunately, I could not break the PR into smaller pieces. The
APIs\r\ncould not work anymore with feature IDs and had to convert them
to use\r\nrule type IDs. Also, I took the chance and refactored crucial
parts of\r\nthe authorization class that in turn affected a lot of
files. Most of\r\nthe changes in the files are minimal and easy to
review. The crucial\r\nchanges are in the authorization class and some
alerting APIs.\r\n\r\n## Architecture\r\n\r\n### Alerting RBAC
model\r\n\r\nThe Kibana security uses Elasticsearch's
[application\r\nprivileges](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-put-privileges.html#security-api-put-privileges).\r\nThis
way Kibana can represent and store its privilege models
within\r\nElasticsearch roles. To do that, Kibana security creates
actions that\r\nare granted by a specific privilege. Alerting uses its
own RBAC model\r\nand is built on top of the existing Kibana security
model. The Alerting\r\nRBAC uses the `rule_type_id` and `consumer`
attributes to define who\r\nowns the rule and the alerts procured by the
rule. To connect the\r\n`rule_type_id` and `consumer` with the Kibana
security actions the\r\nAlerting RBAC registers its custom actions. They
are constructed
as\r\n`alerting:<rule-type-id>/<feature-id>/<alerting-entity>/<operation>`.\r\nBecause
to authorizate a resource an action has to be generated and\r\nbecause
the action needs a valid feature ID the value of the
`consumer`\r\nshould be a valid feature ID. For example,
the\r\n`alerting:siem.esqlRule/siem/rule/get` action, means that a user
with a\r\nrole that grants this action can get a rule of type
`siem.esqlRule` with\r\nconsumer `siem`.\r\n\r\n### Problem
statement\r\n\r\nAt the moment the `consumer` attribute should be a
valid feature ID.\r\nThough this approach worked well so far it has its
limitation.\r\nSpecifically:\r\n\r\n- Rule types cannot support more
than one consumer.\r\n- To associate old rules with a new feature ID
required a migration on\r\nthe rule's SOs and the alerts documents.\r\n-
The API calls are feature ID-oriented and not rule-type-oriented.\r\n-
The framework has to be aware of the values of the
`consumer`\r\nattribute.\r\n- Feature IDs are tightly coupled with the
alerting indices leading
to\r\n[bugs](https://github.com/elastic/kibana/issues/179082).\r\n-
Legacy consumers that are not a valid feature anymore can
cause\r\n[bugs](https://github.com/elastic/kibana/issues/184595).\r\n-
The framework has to be aware of legacy consumers to handle
edge\r\ncases.\r\n- The framework has to be aware of specific consumers
to handle edge\r\ncases.\r\n\r\n### Proposed solution\r\n\r\nThis PR
aims to decouple the feature IDs from consumers. It achieves\r\nthat a)
by changing the way solutions configure the alerting privileges\r\nwhen
registering a feature and b) by changing the alerting actions.
The\r\nschema changes as:\r\n\r\n```\r\n// Old formatting\r\nid: 'siem',
<--- feature ID\r\nalerting:['siem.queryRule']\r\n\r\n// New
formatting\r\nid: 'siem', <--- feature ID\r\nalerting: [{ ruleTypeId:
'siem.queryRule', consumers: ['siem'] }] <-- consumer same as the
feature ID in the old formatting\r\n```\r\n\r\nThe new actions are
constructed
as\r\n`alerting:<rule-type-id>/<consumer>/<alerting-entity>/<operation>`.
For\r\nexample `alerting:rule-type-id/my-consumer/rule/get`. The new
action\r\nmeans that a user with a role that grants this action can get
a rule of\r\ntype `rule-type` with consumer `my-consumer`. Changing the
action\r\nstrings is not considered a breaking change as long as the
user's\r\npermission works as before. In our case, this is true because
the\r\nconsumer will be the same as before (feature ID), and the
alerting\r\nsecurity actions will be the same. For example:\r\n\r\n**Old
formatting**\r\n\r\nSchema:\r\n```\r\nid: 'logs', <--- feature
ID\r\nalerting:['.es-query'] <-- rule type ID\r\n```\r\n\r\nGenerated
action:\r\n\r\n```\r\nalerting:.es-query/logs/rule/get\r\n```\r\n\r\n**New
formatting**\r\n\r\nSchema:\r\n```\r\nid: 'siem', <--- feature
ID\r\nalerting: [{ ruleTypeId: '.es-query', consumers: ['logs'] }] <--
consumer same as the feature ID in the old
formatting\r\n```\r\n\r\nGenerated
action:\r\n\r\n```\r\nalerting:.es-query/logs/rule/get <--- consumer is
set as logs and the action is the same as before\r\n```\r\n\r\nIn both
formating the actions are the same thus breaking changes
are\r\navoided.\r\n\r\n### Alerting authorization class\r\nThe alerting
plugin uses and exports the alerting authorization
class\r\n(`AlertingAuthorization`). The class is responsible for
handling all\r\nauthorization actions related to rules and alerts. The
class changed to\r\nhandle the new actions as described in the above
sections. A lot of\r\nmethods were renamed, removed, and cleaned up, all
method arguments\r\nconverted to be an object, and the response
signature of some methods\r\nchanged. These changes affected various
pieces of the code. The changes\r\nin this class are the most important
in this PR especially
the\r\n`_getAuthorizedRuleTypesWithAuthorizedConsumers` method which is
the\r\ncornerstone of the alerting RBAC. Please review
carefully.\r\n\r\n### Instantiation of the alerting authorization
class\r\nThe `AlertingAuthorizationClientFactory` is used to create
instances of\r\nthe `AlertingAuthorization` class. The
`AlertingAuthorization` class\r\nneeds to perform async operations upon
instantiation. Because JS, at the\r\nmoment, does not support async
instantiation of classes the\r\n`AlertingAuthorization` class was
assigning `Promise` objects to\r\nvariables that could be resolved later
in other phases of the lifecycle\r\nof the class. To improve readability
and make the lifecycle of the class\r\nclearer, I separated the
construction of the class (initialization) from\r\nthe bootstrap
process. As a result, getting the `AlertingAuthorization`\r\nclass or
any client that depends on it (`getRulesClient` for example) is\r\nan
async operation.\r\n\r\n### Filtering\r\nA lot of routes use the
authorization class to get the authorization\r\nfilter
(`getFindAuthorizationFilter`), a filter that, if applied,\r\nreturns
only the rule types and consumers the user is authorized to.
The\r\nmethod that returns the filter was built in a way to also
support\r\nfiltering on top of the authorization filter thus coupling
the\r\nauthorized filter with router filtering. I believe these two
operations\r\nshould be decoupled and the filter method should return a
filter that\r\ngives you all the authorized rule types. It is the
responsibility of the\r\nconsumer, router in our case, to apply extra
filters on top of the\r\nauthorization filter. For that reason, I made
all the necessary changes\r\nto decouple them.\r\n\r\n### Legacy
consumers & producer\r\nA lot of rules and alerts have been created and
are still being created\r\nfrom observability with the `alerts`
consumer. When the Alerting RBAC\r\nencounters a rule or alert with
`alerts` as a consumer it falls back to\r\nthe `producer` of the rule
type ID to construct the actions. For example\r\nif a rule with
`ruleTypeId: .es-query` and `consumer: alerts` the\r\nalerting action
will be constructed as\r\n`alerting:.es-query/stackAlerts/rule/get`
where `stackRules` is the\r\nproducer of the `.es-query` rule type. The
`producer` is used to be used\r\nin alerting authorization but due to
its complexity, it was deprecated\r\nand only used as a fallback for the
`alerts` consumer. To avoid breaking\r\nchanges all feature privileges
that specify access to rule types add the\r\n`alerts` consumer when
configuring their alerting privileges. By moving\r\nthe `alerts`
consumer to the registration of the feature we can stop\r\nrelying on
the `producer`. The `producer` is not used anymore in
the\r\nauthorization class. In the next PRs the `producer` will
removed\r\nentirely.\r\n\r\n### Routes\r\nThe following changes were
introduced to the alerting routes:\r\n\r\n- All related routes changed
to be rule-type oriented and not feature ID\r\noriented.\r\n- All
related routes support the `ruleTypeIds` and the
`consumers`\r\nparameters for filtering. In all routes, the filters are
constructed as\r\n`ruleTypeIds: ['foo'] AND consumers: ['bar'] AND
authorizationFilter`.\r\nFiltering by consumers is important. In o11y
for example, we do not want\r\nto show ES rule types with the
`stackAlerts` consumer even if the user\r\nhas access to them.\r\n- The
`/internal/rac/alerts/_feature_ids` route got deleted as it was\r\nnot
used anywhere in the codebase and it was internal.\r\n\r\nAll the
changes in the routes are related to internal routes and no\r\nbreaking
changes are introduced.\r\n\r\n### Constants\r\nI moved the o11y and
stack rule type IDs to `kbn-rule-data-utils` and\r\nexported all
security solution rule type IDs from\r\n`kbn-securitysolution-rules`. I
am not a fan of having a centralized\r\nplace for the rule type IDs.
Ideally, consumers of the framework should\r\nspecify keywords like
`observablility` (category or subcategory) or even\r\n`apm.*` and the
framework should know which rule type IDs to pick up. I\r\nthink it is
out of the scope of the PR, and at the moment it seems the\r\nmost
straightforward way to move forward. I will try to clean up as
much\r\nas possible in further iterations. If you are interested in the
upcoming\r\nwork follow this issue
https://github.com/elastic/kibana/issues/187202.\r\n\r\n### Other
notable code changes\r\n- Change all instances of feature IDs to rule
type IDs.\r\n- `isSiemRuleType`: This is a temporary helper function
that is needed\r\nin places where we handle edge cases related to
security solution rule\r\ntypes. Ideally, the framework should be
agnostic to the rule types or\r\nconsumers. The plan is to be removed
entirely in further iterations.\r\n- Rename alerting
`PluginSetupContract` and `PluginStartContract`
to\r\n`AlertingServerSetup` and `AlertingServerStart`. This made me
touch a\r\nlot of files but I could not resist.\r\n- `filter_consumers`
was mistakenly exposed to a public API. It was\r\nundocumented.\r\n-
Files or functions that were not used anywhere in the codebase
got\r\ndeleted.\r\n- Change the returned type of the `list` method of
the\r\n`RuleTypeRegistry` from `Set<RegistryRuleType>` to
`Map<string,\r\nRegistryRuleType>`.\r\n- Assertion of `KueryNode` in
tests changed to an assertion of KQL using\r\n`toKqlExpression`.\r\n-
Removal of `useRuleAADFields` as it is not used anywhere.\r\n\r\n##
Testing\r\n\r\n> [!CAUTION]\r\n> It is very important to test all the
areas of the application where\r\nrules or alerts are being used
directly or indirectly. Scenarios to\r\nconsider:\r\n> - The correct
rules, alerts, and aggregations on top of them are being\r\nshown as
expected as a superuser.\r\n> - The correct rules, alerts, and
aggregations on top of them are being\r\nshown as expected by a user
with limited access to certain features.\r\n> - The changes in this PR
are backward compatible with the previous\r\nusers'
permissions.\r\n\r\n### Solutions\r\nPlease test and verify that:\r\n-
All the rule types you own with all possible combinations
of\r\npermissions both in ESS and in Serverless.\r\n- The consumers and
rule types make sense when registering the features.\r\n- The consumers
and rule types that are passed to the components are the\r\nintended
ones.\r\n\r\n### ResponseOps\r\nThe most important changes are in the
alerting authorization class, the\r\nsearch strategy, and the routes.
Please test:\r\n- The rules we own with all possible combinations of
permissions.\r\n- The stack alerts page and its solution filtering.\r\n-
The categories filtering in the maintenance window UI.\r\n\r\n##
Risks\r\n> [!WARNING]\r\n> The risks involved in this PR are related to
privileges. Specifically:\r\n> - Users with no privileges can access
rules and alerts they do not\r\nhave access to.\r\n> - Users with
privileges cannot access rules and alerts they have\r\naccess
to.\r\n>\r\n> An excessive list of integration tests is in place to
ensure that the\r\nabove scenarios will not occur. In the case of a bug,
we could a)\r\nrelease an energy release for serverless and b) backport
the fix in ESS.\r\nGiven that this PR is intended to be merged in 8.17
we have plenty of\r\ntime to test and to minimize the chances of
risks.\r\n\r\n## FQA\r\n\r\n- I noticed that a lot of routes support the
`filter` parameter where we\r\ncan pass an arbitrary KQL filter. Why we
do not use this to filter by\r\nthe rule type IDs and the consumers and
instead we introduce new\r\ndedicated parameters?\r\n\r\nThe `filter`
parameter should not be exposed in the first place. It\r\nassumes that
the consumer of the API knows the underlying structure
and\r\nimplementation details of the persisted storage API (SavedObject
client\r\nAPI). For example, a valid filter would
be\r\n`alerting.attributes.rule_type_id`. In this filter the consumer
should\r\nknow a) the name of the SO b) the keyword `attributes`
(storage\r\nimplementation detail) and c) the name of the attribute as
it is\r\npersisted in ES (snake case instead of camel case as it is
returned by\r\nthe APIs). As there is no abstraction layer between the
SO and the API,\r\nit makes it very difficult to make changes in the
persistent schema or\r\nthe APIs. For all the above I decided to
introduce new query parameters\r\nwhere the alerting framework has total
control over it.\r\n\r\n- I noticed in the code a lot of instances where
the consumer is used.\r\nShould not remove any logic around
consumers?\r\n\r\nThis PR is a step forward making the framework as
agnostic as possible.\r\nI had to keep the scope of the PR as contained
as possible. We will get\r\nthere. It needs time :).\r\n\r\n- I noticed
a lot of hacks like checking if the rule type is `siem`.\r\nShould not
remove the hacks?\r\n\r\nThis PR is a step forward making the framework
as agnostic as possible.\r\nI had to keep the scope of the PR as
contained as possible. We will get\r\nthere. It needs time :).\r\n\r\n-
I hate the \"Role visibility\" dropdown. Can we remove it?\r\n\r\nI also
do not like it. The goal is to remove it.
Follow\r\nhttps://github.com/elastic/kibana/issues/189997.\r\n\r\n---------\r\n\r\nCo-authored-by:
kibanamachine
<42973632+kibanamachine@users.noreply.github.com>\r\nCo-authored-by:
Aleh Zasypkin <aleh.zasypkin@elastic.co>\r\nCo-authored-by: Paula
Borgonovi
<159723434+pborgonovi@users.noreply.github.com>","sha":"a3496c9ca6d99fa301fd8ca73ad44178cdeb2955"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/183756","number":183756,"mergeCommit":{"message":"[ResponseOps][Alerting]
Decouple feature IDs from consumers (#183756)\n\n## Summary\r\n\r\nThis
PR aims to decouple the feature IDs from the `consumer` attribute\r\nof
rules and alerts.\r\n\r\nTowards:
https://github.com/elastic/kibana/issues/187202\r\nFixes:
https://github.com/elastic/kibana/issues/181559\r\nFixes:
https://github.com/elastic/kibana/issues/182435\r\n\r\n> [!NOTE] \r\n>
Unfortunately, I could not break the PR into smaller pieces. The
APIs\r\ncould not work anymore with feature IDs and had to convert them
to use\r\nrule type IDs. Also, I took the chance and refactored crucial
parts of\r\nthe authorization class that in turn affected a lot of
files. Most of\r\nthe changes in the files are minimal and easy to
review. The crucial\r\nchanges are in the authorization class and some
alerting APIs.\r\n\r\n## Architecture\r\n\r\n### Alerting RBAC
model\r\n\r\nThe Kibana security uses Elasticsearch's
[application\r\nprivileges](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-put-privileges.html#security-api-put-privileges).\r\nThis
way Kibana can represent and store its privilege models
within\r\nElasticsearch roles. To do that, Kibana security creates
actions that\r\nare granted by a specific privilege. Alerting uses its
own RBAC model\r\nand is built on top of the existing Kibana security
model. The Alerting\r\nRBAC uses the `rule_type_id` and `consumer`
attributes to define who\r\nowns the rule and the alerts procured by the
rule. To connect the\r\n`rule_type_id` and `consumer` with the Kibana
security actions the\r\nAlerting RBAC registers its custom actions. They
are constructed
as\r\n`alerting:<rule-type-id>/<feature-id>/<alerting-entity>/<operation>`.\r\nBecause
to authorizate a resource an action has to be generated and\r\nbecause
the action needs a valid feature ID the value of the
`consumer`\r\nshould be a valid feature ID. For example,
the\r\n`alerting:siem.esqlRule/siem/rule/get` action, means that a user
with a\r\nrole that grants this action can get a rule of type
`siem.esqlRule` with\r\nconsumer `siem`.\r\n\r\n### Problem
statement\r\n\r\nAt the moment the `consumer` attribute should be a
valid feature ID.\r\nThough this approach worked well so far it has its
limitation.\r\nSpecifically:\r\n\r\n- Rule types cannot support more
than one consumer.\r\n- To associate old rules with a new feature ID
required a migration on\r\nthe rule's SOs and the alerts documents.\r\n-
The API calls are feature ID-oriented and not rule-type-oriented.\r\n-
The framework has to be aware of the values of the
`consumer`\r\nattribute.\r\n- Feature IDs are tightly coupled with the
alerting indices leading
to\r\n[bugs](https://github.com/elastic/kibana/issues/179082).\r\n-
Legacy consumers that are not a valid feature anymore can
cause\r\n[bugs](https://github.com/elastic/kibana/issues/184595).\r\n-
The framework has to be aware of legacy consumers to handle
edge\r\ncases.\r\n- The framework has to be aware of specific consumers
to handle edge\r\ncases.\r\n\r\n### Proposed solution\r\n\r\nThis PR
aims to decouple the feature IDs from consumers. It achieves\r\nthat a)
by changing the way solutions configure the alerting privileges\r\nwhen
registering a feature and b) by changing the alerting actions.
The\r\nschema changes as:\r\n\r\n```\r\n// Old formatting\r\nid: 'siem',
<--- feature ID\r\nalerting:['siem.queryRule']\r\n\r\n// New
formatting\r\nid: 'siem', <--- feature ID\r\nalerting: [{ ruleTypeId:
'siem.queryRule', consumers: ['siem'] }] <-- consumer same as the
feature ID in the old formatting\r\n```\r\n\r\nThe new actions are
constructed
as\r\n`alerting:<rule-type-id>/<consumer>/<alerting-entity>/<operation>`.
For\r\nexample `alerting:rule-type-id/my-consumer/rule/get`. The new
action\r\nmeans that a user with a role that grants this action can get
a rule of\r\ntype `rule-type` with consumer `my-consumer`. Changing the
action\r\nstrings is not considered a breaking change as long as the
user's\r\npermission works as before. In our case, this is true because
the\r\nconsumer will be the same as before (feature ID), and the
alerting\r\nsecurity actions will be the same. For example:\r\n\r\n**Old
formatting**\r\n\r\nSchema:\r\n```\r\nid: 'logs', <--- feature
ID\r\nalerting:['.es-query'] <-- rule type ID\r\n```\r\n\r\nGenerated
action:\r\n\r\n```\r\nalerting:.es-query/logs/rule/get\r\n```\r\n\r\n**New
formatting**\r\n\r\nSchema:\r\n```\r\nid: 'siem', <--- feature
ID\r\nalerting: [{ ruleTypeId: '.es-query', consumers: ['logs'] }] <--
consumer same as the feature ID in the old
formatting\r\n```\r\n\r\nGenerated
action:\r\n\r\n```\r\nalerting:.es-query/logs/rule/get <--- consumer is
set as logs and the action is the same as before\r\n```\r\n\r\nIn both
formating the actions are the same thus breaking changes
are\r\navoided.\r\n\r\n### Alerting authorization class\r\nThe alerting
plugin uses and exports the alerting authorization
class\r\n(`AlertingAuthorization`). The class is responsible for
handling all\r\nauthorization actions related to rules and alerts. The
class changed to\r\nhandle the new actions as described in the above
sections. A lot of\r\nmethods were renamed, removed, and cleaned up, all
method arguments\r\nconverted to be an object, and the response
signature of some methods\r\nchanged. These changes affected various
pieces of the code. The changes\r\nin this class are the most important
in this PR especially
the\r\n`_getAuthorizedRuleTypesWithAuthorizedConsumers` method which is
the\r\ncornerstone of the alerting RBAC. Please review
carefully.\r\n\r\n### Instantiation of the alerting authorization
class\r\nThe `AlertingAuthorizationClientFactory` is used to create
instances of\r\nthe `AlertingAuthorization` class. The
`AlertingAuthorization` class\r\nneeds to perform async operations upon
instantiation. Because JS, at the\r\nmoment, does not support async
instantiation of classes the\r\n`AlertingAuthorization` class was
assigning `Promise` objects to\r\nvariables that could be resolved later
in other phases of the lifecycle\r\nof the class. To improve readability
and make the lifecycle of the class\r\nclearer, I separated the
construction of the class (initialization) from\r\nthe bootstrap
process. As a result, getting the `AlertingAuthorization`\r\nclass or
any client that depends on it (`getRulesClient` for example) is\r\nan
async operation.\r\n\r\n### Filtering\r\nA lot of routes use the
authorization class to get the authorization\r\nfilter
(`getFindAuthorizationFilter`), a filter that, if applied,\r\nreturns
only the rule types and consumers the user is authorized to.
The\r\nmethod that returns the filter was built in a way to also
support\r\nfiltering on top of the authorization filter thus coupling
the\r\nauthorized filter with router filtering. I believe these two
operations\r\nshould be decoupled and the filter method should return a
filter that\r\ngives you all the authorized rule types. It is the
responsibility of the\r\nconsumer, router in our case, to apply extra
filters on top of the\r\nauthorization filter. For that reason, I made
all the necessary changes\r\nto decouple them.\r\n\r\n### Legacy
consumers & producer\r\nA lot of rules and alerts have been created and
are still being created\r\nfrom observability with the `alerts`
consumer. When the Alerting RBAC\r\nencounters a rule or alert with
`alerts` as a consumer it falls back to\r\nthe `producer` of the rule
type ID to construct the actions. For example\r\nif a rule with
`ruleTypeId: .es-query` and `consumer: alerts` the\r\nalerting action
will be constructed as\r\n`alerting:.es-query/stackAlerts/rule/get`
where `stackRules` is the\r\nproducer of the `.es-query` rule type. The
`producer` is used to be used\r\nin alerting authorization but due to
its complexity, it was deprecated\r\nand only used as a fallback for the
`alerts` consumer. To avoid breaking\r\nchanges all feature privileges
that specify access to rule types add the\r\n`alerts` consumer when
configuring their alerting privileges. By moving\r\nthe `alerts`
consumer to the registration of the feature we can stop\r\nrelying on
the `producer`. The `producer` is not used anymore in
the\r\nauthorization class. In the next PRs the `producer` will
removed\r\nentirely.\r\n\r\n### Routes\r\nThe following changes were
introduced to the alerting routes:\r\n\r\n- All related routes changed
to be rule-type oriented and not feature ID\r\noriented.\r\n- All
related routes support the `ruleTypeIds` and the
`consumers`\r\nparameters for filtering. In all routes, the filters are
constructed as\r\n`ruleTypeIds: ['foo'] AND consumers: ['bar'] AND
authorizationFilter`.\r\nFiltering by consumers is important. In o11y
for example, we do not want\r\nto show ES rule types with the
`stackAlerts` consumer even if the user\r\nhas access to them.\r\n- The
`/internal/rac/alerts/_feature_ids` route got deleted as it was\r\nnot
used anywhere in the codebase and it was internal.\r\n\r\nAll the
changes in the routes are related to internal routes and no\r\nbreaking
changes are introduced.\r\n\r\n### Constants\r\nI moved the o11y and
stack rule type IDs to `kbn-rule-data-utils` and\r\nexported all
security solution rule type IDs from\r\n`kbn-securitysolution-rules`. I
am not a fan of having a centralized\r\nplace for the rule type IDs.
Ideally, consumers of the framework should\r\nspecify keywords like
`observablility` (category or subcategory) or even\r\n`apm.*` and the
framework should know which rule type IDs to pick up. I\r\nthink it is
out of the scope of the PR, and at the moment it seems the\r\nmost
straightforward way to move forward. I will try to clean up as
much\r\nas possible in further iterations. If you are interested in the
upcoming\r\nwork follow this issue
https://github.com/elastic/kibana/issues/187202.\r\n\r\n### Other
notable code changes\r\n- Change all instances of feature IDs to rule
type IDs.\r\n- `isSiemRuleType`: This is a temporary helper function
that is needed\r\nin places where we handle edge cases related to
security solution rule\r\ntypes. Ideally, the framework should be
agnostic to the rule types or\r\nconsumers. The plan is to be removed
entirely in further iterations.\r\n- Rename alerting
`PluginSetupContract` and `PluginStartContract`
to\r\n`AlertingServerSetup` and `AlertingServerStart`. This made me
touch a\r\nlot of files but I could not resist.\r\n- `filter_consumers`
was mistakenly exposed to a public API. It was\r\nundocumented.\r\n-
Files or functions that were not used anywhere in the codebase
got\r\ndeleted.\r\n- Change the returned type of the `list` method of
the\r\n`RuleTypeRegistry` from `Set<RegistryRuleType>` to
`Map<string,\r\nRegistryRuleType>`.\r\n- Assertion of `KueryNode` in
tests changed to an assertion of KQL using\r\n`toKqlExpression`.\r\n-
Removal of `useRuleAADFields` as it is not used anywhere.\r\n\r\n##
Testing\r\n\r\n> [!CAUTION]\r\n> It is very important to test all the
areas of the application where\r\nrules or alerts are being used
directly or indirectly. Scenarios to\r\nconsider:\r\n> - The correct
rules, alerts, and aggregations on top of them are being\r\nshown as
expected as a superuser.\r\n> - The correct rules, alerts, and
aggregations on top of them are being\r\nshown as expected by a user
with limited access to certain features.\r\n> - The changes in this PR
are backward compatible with the previous\r\nusers'
permissions.\r\n\r\n### Solutions\r\nPlease test and verify that:\r\n-
All the rule types you own with all possible combinations
of\r\npermissions both in ESS and in Serverless.\r\n- The consumers and
rule types make sense when registering the features.\r\n- The consumers
and rule types that are passed to the components are the\r\nintended
ones.\r\n\r\n### ResponseOps\r\nThe most important changes are in the
alerting authorization class, the\r\nsearch strategy, and the routes.
Please test:\r\n- The rules we own with all possible combinations of
permissions.\r\n- The stack alerts page and its solution filtering.\r\n-
The categories filtering in the maintenance window UI.\r\n\r\n##
Risks\r\n> [!WARNING]\r\n> The risks involved in this PR are related to
privileges. Specifically:\r\n> - Users with no privileges can access
rules and alerts they do not\r\nhave access to.\r\n> - Users with
privileges cannot access rules and alerts they have\r\naccess
to.\r\n>\r\n> An excessive list of integration tests is in place to
ensure that the\r\nabove scenarios will not occur. In the case of a bug,
we could a)\r\nrelease an energy release for serverless and b) backport
the fix in ESS.\r\nGiven that this PR is intended to be merged in 8.17
we have plenty of\r\ntime to test and to minimize the chances of
risks.\r\n\r\n## FQA\r\n\r\n- I noticed that a lot of routes support the
`filter` parameter where we\r\ncan pass an arbitrary KQL filter. Why we
do not use this to filter by\r\nthe rule type IDs and the consumers and
instead we introduce new\r\ndedicated parameters?\r\n\r\nThe `filter`
parameter should not be exposed in the first place. It\r\nassumes that
the consumer of the API knows the underlying structure
and\r\nimplementation details of the persisted storage API (SavedObject
client\r\nAPI). For example, a valid filter would
be\r\n`alerting.attributes.rule_type_id`. In this filter the consumer
should\r\nknow a) the name of the SO b) the keyword `attributes`
(storage\r\nimplementation detail) and c) the name of the attribute as
it is\r\npersisted in ES (snake case instead of camel case as it is
returned by\r\nthe APIs). As there is no abstraction layer between the
SO and the API,\r\nit makes it very difficult to make changes in the
persistent schema or\r\nthe APIs. For all the above I decided to
introduce new query parameters\r\nwhere the alerting framework has total
control over it.\r\n\r\n- I noticed in the code a lot of instances where
the consumer is used.\r\nShould not remove any logic around
consumers?\r\n\r\nThis PR is a step forward making the framework as
agnostic as possible.\r\nI had to keep the scope of the PR as contained
as possible. We will get\r\nthere. It needs time :).\r\n\r\n- I noticed
a lot of hacks like checking if the rule type is `siem`.\r\nShould not
remove the hacks?\r\n\r\nThis PR is a step forward making the framework
as agnostic as possible.\r\nI had to keep the scope of the PR as
contained as possible. We will get\r\nthere. It needs time :).\r\n\r\n-
I hate the \"Role visibility\" dropdown. Can we remove it?\r\n\r\nI also
do not like it. The goal is to remove it.
Follow\r\nhttps://github.com/elastic/kibana/issues/189997.\r\n\r\n---------\r\n\r\nCo-authored-by:
kibanamachine
<42973632+kibanamachine@users.noreply.github.com>\r\nCo-authored-by:
Aleh Zasypkin <aleh.zasypkin@elastic.co>\r\nCo-authored-by: Paula
Borgonovi
<159723434+pborgonovi@users.noreply.github.com>","sha":"a3496c9ca6d99fa301fd8ca73ad44178cdeb2955"}},{"branch":"8.x","label":"v8.18.0","labelRegex":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->
---
 .../search_strategy_types.ts                  |     4 +-
 .../observability_threshold_schema.ts         |    90 +
 .../src/components/alerts_grouping.test.tsx   |     6 +-
 .../src/components/alerts_grouping.tsx        |     6 +-
 .../components/alerts_grouping_level.test.tsx |    58 +
 .../src/components/alerts_grouping_level.tsx  |     9 +-
 .../src/mocks/grouping_props.mock.tsx         |     7 +-
 .../src/mocks/grouping_query.mock.ts          |     6 +-
 packages/kbn-alerts-grouping/src/types.ts     |     9 +-
 .../src/action_variables/transforms.test.ts   |     1 +
 .../alert_filter_controls.test.tsx            |     3 +-
 .../alert_filter_controls.tsx                 |    15 +-
 .../filter_group.test.tsx                     |     7 +-
 .../alert_filter_controls/filter_group.tsx    |     6 +-
 .../src/alert_filter_controls/types.ts        |     3 +-
 .../src/alerts_search_bar/index.test.tsx      |   171 +-
 .../src/alerts_search_bar/index.tsx           |    37 +-
 .../src/alerts_search_bar/types.ts            |     4 +-
 .../fetch_alerts_fields.test.ts               |     8 +-
 .../fetch_alerts_fields.ts                    |     4 +-
 .../common/apis/fetch_alerts_fields/types.ts  |     5 +-
 .../fetch_alerts_index_names.test.ts          |     7 +-
 .../fetch_alerts_index_names.ts               |     4 +-
 .../apis/fetch_alerts_index_names/types.ts    |     5 +-
 .../apis/search_alerts/search_alerts.test.tsx |     6 +-
 .../apis/search_alerts/search_alerts.ts       |    15 +-
 .../src/common/hooks/index.ts                 |     1 -
 .../hooks/use_alerts_data_view.test.tsx       |    50 +-
 .../src/common/hooks/use_alerts_data_view.ts  |    35 +-
 .../use_fetch_alerts_fields_query.test.tsx    |    45 +-
 .../hooks/use_fetch_alerts_fields_query.ts    |    16 +-
 ...se_fetch_alerts_index_names_query.test.tsx |    17 +-
 .../use_fetch_alerts_index_names_query.ts     |     8 +-
 .../hooks/use_find_alerts_query.test.tsx      |    53 +
 .../src/common/hooks/use_find_alerts_query.ts |     5 +-
 ...t_alerts_group_aggregations_query.test.tsx |     4 +-
 ...use_get_alerts_group_aggregations_query.ts |     8 +-
 .../src/common/hooks/use_rule_aad_fields.ts   |    63 -
 .../hooks/use_search_alerts_query.test.tsx    |    34 +-
 .../common/hooks/use_search_alerts_query.ts   |     8 +-
 .../src/maintenance_window_callout/index.tsx  |     1 +
 .../rule_actions_alerts_filter.test.tsx       |     9 +-
 .../rule_actions_alerts_filter.tsx            |     8 +-
 .../rule_actions/rule_actions_item.tsx        |     1 -
 .../rule_actions_settings.test.tsx            |    46 +-
 .../rule_actions/rule_actions_settings.tsx    |    11 +-
 .../filter_and_count_rule_types.test.ts       |     1 +
 .../components/rule_type_list.test.tsx        |     3 +
 packages/kbn-rule-data-utils/jest.config.js   |    14 +
 .../src/alerts_as_data_rbac.test.ts           |    22 +
 .../src/alerts_as_data_rbac.ts                |     8 +
 .../src/rule_types/o11y_rules.ts              |    70 +-
 .../src/rule_types/stack_rules.ts             |    10 +
 .../src/rule_type_constants.ts                |    11 +
 .../rule_types.ts                             |     1 +
 src/plugins/data_views/public/mocks.ts        |     1 +
 .../alerting_example/server/plugin.ts         |    80 +-
 .../components/alerts_table_sandbox.tsx       |     8 +-
 .../server/plugin.ts                          |     4 +-
 .../triggers_actions_ui_example/tsconfig.json |     1 -
 .../src/hooks/use_alerts_history.test.tsx     |   175 +-
 .../src/hooks/use_alerts_history.ts           |    23 +-
 .../observability/alert_details/tsconfig.json |     4 +-
 .../features/src/security/kibana_features.ts  |    19 +-
 .../src/actions/alerting.test.ts              |    18 -
 .../src/actions/alerting.ts                   |     8 -
 .../alerting.test.ts                          |   633 +-
 .../feature_privilege_builder/alerting.ts     |    18 +-
 .../src/privileges/privileges.test.ts         |    13 +-
 .../src/privileges/privileges.ts              |     8 +-
 .../routes/rule/apis/aggregate/schemas/v1.ts  |     3 +-
 .../apis/bulk_untrack_by_query/schemas/v1.ts  |     2 +-
 .../common/routes/rule/apis/find/index.ts     |     7 +-
 .../routes/rule/apis/find/schemas/v1.ts       |    32 +
 .../common/routes/rule/apis/find/types/v1.ts  |     3 +-
 .../create_maintenance_windows_form.tsx       |    17 +-
 .../maintenance_window_scoped_query.test.tsx  |     7 +-
 .../maintenance_window_scoped_query.tsx       |     7 +-
 ...rting_authorization_client_factory.test.ts |   104 +-
 .../alerting_authorization_client_factory.ts  |    45 +-
 .../lib/set_alerts_to_untracked.test.ts       |    42 +-
 .../lib/set_alerts_to_untracked.ts            |    31 +-
 .../methods/find/find_backfill.test.ts        |    91 +-
 .../backfill/methods/find/find_backfill.ts    |    10 +-
 .../schedule/schedule_backfill.test.ts        |    13 +-
 .../methods/schedule/schedule_backfill.ts     |     8 +-
 .../methods/aggregate/aggregate_rules.test.ts |    96 +-
 .../rule/methods/aggregate/aggregate_rules.ts |    35 +-
 .../schemas/aggregate_options_schema.ts       |     3 +-
 .../rule/methods/aggregate/types/index.ts     |     8 -
 .../rule/methods/bulk_edit/bulk_edit_rules.ts |     8 +-
 .../bulk_untrack/bulk_untrack_alerts.ts       |     7 +-
 .../schemas/bulk_untrack_body_schema.ts       |     2 +-
 .../rule/methods/create/create_rule.ts        |     6 +
 .../rule/methods/find/find_rules.test.ts      |   188 +-
 .../rule/methods/find/find_rules.ts           |    41 +-
 .../find/schemas/find_rules_schemas.ts        |     4 +-
 .../methods/find/types/find_rules_types.ts    |     1 -
 .../methods/rule_types/rule_types.test.ts     |    52 +
 .../rule/methods/rule_types/rule_types.ts     |    28 +-
 .../rule/methods/tags/get_rule_tags.test.ts   |    65 +-
 .../rule/methods/tags/get_rule_tags.ts        |     8 +-
 .../alerting_authorization.mock.ts            |    18 +-
 .../alerting_authorization.test.ts            |  3815 ++-
 .../authorization/alerting_authorization.ts   |   621 +-
 .../alerting_authorization_kuery.test.ts      |   910 +-
 .../alerting_authorization_kuery.ts           |    57 +-
 .../alerting/server/authorization/index.ts    |     1 +
 .../alerting/server/authorization/types.ts    |    46 +
 x-pack/plugins/alerting/server/index.ts       |     5 +-
 x-pack/plugins/alerting/server/mocks.ts       |     6 +-
 x-pack/plugins/alerting/server/plugin.test.ts |    25 +-
 x-pack/plugins/alerting/server/plugin.ts      |    29 +-
 .../server/routes/_mock_handler_arguments.ts  |     2 +-
 .../apis/delete/delete_backfill_route.ts      |     3 +-
 .../backfill/apis/find/find_backfill_route.ts |     3 +-
 .../backfill/apis/get/get_backfill_route.ts   |     3 +-
 .../apis/schedule/schedule_backfill_route.ts  |     3 +-
 .../framework/apis/health/health.test.ts      |    21 +-
 .../routes/framework/apis/health/health.ts    |     3 +-
 .../server/routes/get_action_error_log.ts     |     3 +-
 .../server/routes/get_global_execution_kpi.ts |     3 +-
 .../routes/get_global_execution_logs.ts       |     3 +-
 .../server/routes/get_rule_alert_summary.ts   |     3 +-
 .../server/routes/get_rule_execution_kpi.ts   |     3 +-
 .../server/routes/get_rule_execution_log.ts   |     3 +-
 .../alerting/server/routes/get_rule_state.ts  |     3 +-
 .../alerting/server/routes/legacy/create.ts   |     4 +-
 .../alerting/server/routes/legacy/delete.ts   |     3 +-
 .../alerting/server/routes/legacy/disable.ts  |     3 +-
 .../alerting/server/routes/legacy/enable.ts   |     3 +-
 .../alerting/server/routes/legacy/find.ts     |     3 +-
 .../alerting/server/routes/legacy/get.ts      |     3 +-
 .../legacy/get_alert_instance_summary.ts      |     3 +-
 .../server/routes/legacy/get_alert_state.ts   |     3 +-
 .../server/routes/legacy/health.test.ts       |    20 +-
 .../alerting/server/routes/legacy/health.ts   |     3 +-
 .../routes/legacy/list_alert_types.test.ts    |    13 +-
 .../server/routes/legacy/list_alert_types.ts  |     4 +-
 .../alerting/server/routes/legacy/mute_all.ts |     3 +-
 .../server/routes/legacy/mute_instance.ts     |     3 +-
 .../server/routes/legacy/unmute_all.ts        |     3 +-
 .../server/routes/legacy/unmute_instance.ts   |     3 +-
 .../alerting/server/routes/legacy/update.ts   |     3 +-
 .../server/routes/legacy/update_api_key.ts    |     3 +-
 .../aggregate/aggregate_rules_route.test.ts   |     4 +
 .../apis/aggregate/aggregate_rules_route.ts   |     3 +-
 .../transform_aggregate_query_request/v1.ts   |     6 +-
 .../bulk_delete/bulk_delete_rules_route.ts    |     3 +-
 .../bulk_disable/bulk_disable_rules_route.ts  |     3 +-
 .../apis/bulk_edit/bulk_edit_rules_route.ts   |     3 +-
 .../bulk_enable/bulk_enable_rules_route.ts    |     3 +-
 .../bulk_untrack/bulk_untrack_alerts_route.ts |     3 +-
 ...bulk_untrack_alerts_by_query_route.test.ts |     4 +-
 .../bulk_untrack_alerts_by_query_route.ts     |     3 +-
 .../v1.ts                                     |     4 +-
 .../rule/apis/clone/clone_rule_route.ts       |     3 +-
 .../rule/apis/create/create_rule_route.ts     |     3 +-
 .../rule/apis/delete/delete_rule_route.ts     |     3 +-
 .../rule/apis/disable/disable_rule_route.ts   |     2 +-
 .../rule/apis/enable/enable_rule_route.ts     |     2 +-
 .../find/find_internal_rules_route.test.ts    |    78 +
 .../apis/find/find_internal_rules_route.ts    |    14 +-
 .../rule/apis/find/find_rules_route.test.ts   |   135 +
 .../routes/rule/apis/find/find_rules_route.ts |     2 +-
 .../routes/rule/apis/find/transforms/index.ts |     5 +-
 .../transform_find_rules_body/v1.ts           |    42 +-
 .../routes/rule/apis/get/get_rule_route.ts    |     3 +-
 .../get_schedule_frequency_route.ts           |     3 +-
 .../rule/apis/list_types/rule_types.test.ts   |     6 +-
 .../routes/rule/apis/list_types/rule_types.ts |     2 +-
 .../transform_rule_types_response/v1.ts       |     4 +-
 .../routes/rule/apis/mute_alert/mute_alert.ts |     3 +-
 .../rule/apis/mute_all/mute_all_rule.ts       |     3 +-
 .../rule/apis/resolve/resolve_rule_route.ts   |     3 +-
 .../rule/apis/snooze/snooze_rule_route.ts     |     3 +-
 .../routes/rule/apis/tags/get_rule_tags.ts    |     3 +-
 .../apis/unmute_alert/unmute_alert_route.ts   |     2 +-
 .../rule/apis/unmute_all/unmute_all_rule.ts   |     3 +-
 .../rule/apis/unsnooze/unsnooze_rule_route.ts |     3 +-
 .../rule/apis/update/update_rule_route.ts     |     3 +-
 .../update_rule_api_key_route.ts              |     2 +-
 .../alerting/server/routes/run_soon.ts        |     3 +-
 .../suggestions/values_suggestion_alerts.ts   |    47 +-
 .../suggestions/values_suggestion_rules.ts    |    13 +-
 .../server/rule_type_registry.test.ts         |     6 +-
 .../alerting/server/rule_type_registry.ts     |    87 +-
 .../alerting/server/rules_client.mock.ts      |     8 +-
 .../rules_client/common/filters.test.ts       |   463 +
 .../server/rules_client/common/filters.ts     |    92 +
 .../lib/get_authorization_filter.ts           |    10 +-
 .../methods/get_action_error_log.ts           |    10 +-
 .../rules_client/methods/get_execution_kpi.ts |    10 +-
 .../rules_client/methods/get_execution_log.ts |    10 +-
 .../server/rules_client/rules_client.mock.ts  |    70 +
 .../tests/list_rule_types.test.ts             |   262 +-
 .../alerting/server/rules_client/types.ts     |     4 -
 .../server/rules_client_factory.test.ts       |    22 +-
 .../alerting/server/rules_client_factory.ts   |    10 +-
 .../server/task_runner/rule_loader.test.ts    |     6 +-
 x-pack/plugins/alerting/server/types.ts       |     8 +-
 x-pack/plugins/alerting/tsconfig.json         |     2 +
 .../cases/common/constants/owner.test.ts      |     6 +-
 .../plugins/cases/common/constants/owners.ts  |     7 +-
 .../plugins/cases/common/utils/owner.test.ts  |    13 +-
 x-pack/plugins/cases/common/utils/owner.ts    |     6 +-
 .../components/case_view_alerts.test.tsx      |     6 +-
 .../case_view/components/case_view_alerts.tsx |    15 +-
 .../system_actions/cases/cases_params.tsx     |     7 +-
 .../server/connectors/cases/index.test.ts     |     4 +-
 .../cases/server/connectors/cases/index.ts    |     2 +-
 .../plugins/cases/server/connectors/index.ts  |     4 +-
 x-pack/plugins/cases/server/types.ts          |     4 +-
 x-pack/plugins/cases/tsconfig.json            |     1 +
 .../bulk_action/bulk_action.ts                |     4 +-
 .../common/alerting_kibana_privilege.ts       |    18 +
 .../common/feature_kibana_privileges.ts       |    25 +-
 .../plugins/features/common/kibana_feature.ts |    10 +-
 .../feature_privilege_iterator.test.ts        |   172 +-
 .../feature_privilege_iterator.ts             |    53 +-
 .../features/server/feature_registry.test.ts  |   940 +-
 .../plugins/features/server/feature_schema.ts |    78 +-
 x-pack/plugins/ml/common/constants/alerts.ts  |     4 +
 x-pack/plugins/ml/common/index.ts             |     2 +-
 .../plugins/ml/common/types/capabilities.ts   |    14 +-
 x-pack/plugins/ml/kibana.jsonc                |     3 +-
 .../explorer/alerts/alerts_panel.tsx          |    11 +-
 .../anomaly_detection_alerts_state_service.ts |     6 +-
 x-pack/plugins/ml/server/plugin.ts            |     6 +-
 .../plugins/ml/server/routes/job_service.ts   |    20 +-
 .../public/alerts/alert_form.test.tsx         |     1 +
 .../lib/cluster/get_clusters_from_request.ts  |    38 +-
 .../collection/get_collection_status.test.ts  |     2 +-
 x-pack/plugins/monitoring/server/plugin.ts    |    15 +-
 .../server/routes/api/v1/alerts/enable.ts     |     4 +-
 .../server/routes/api/v1/alerts/status.ts     |     2 +-
 x-pack/plugins/monitoring/server/types.ts     |    21 +-
 .../config/apm_alerting_feature_ids.ts        |    11 +-
 .../components/app/alerts_overview/index.tsx  |     8 +-
 .../apm/server/feature.ts                     |    16 +-
 .../lib/helpers/get_apm_alerts_client.ts      |     4 +-
 .../routes/alerts/register_apm_rule_types.ts  |     7 +-
 .../server/routes/alerts/test_utils/index.ts  |     4 +-
 .../apm/server/routes/typings.ts              |     6 +-
 .../apm/server/types.ts                       |     6 +-
 .../alerting/logs/log_threshold/types.ts      |     2 +-
 .../infra/common/alerting/metrics/types.ts    |     6 +-
 .../infra/common/constants.ts                 |     3 +-
 .../shared/alerts/alerts_overview.tsx         |    11 +-
 .../components/shared/alerts/constants.ts     |     4 +-
 .../public/hooks/use_alerts_count.test.ts     |    15 +-
 .../infra/public/hooks/use_alerts_count.ts    |    21 +-
 .../settings/indices_configuration_panel.tsx  |     5 +-
 .../tabs/alerts/alerts_tab_content.tsx        |    14 +-
 .../components/tabs/alerts_tab_badge.tsx      |     6 +-
 .../source_configuration_settings.tsx         |     8 +-
 .../infra/server/features.ts                  |    31 +-
 .../lib/adapters/framework/adapter_types.ts   |     4 +-
 ...er_inventory_metric_threshold_rule_type.ts |     4 +-
 .../register_log_threshold_rule_type.ts       |     7 +-
 .../register_metric_threshold_rule_type.ts    |     7 +-
 .../lib/alerting/register_rule_types.ts       |     4 +-
 .../lib/helpers/get_infra_alerts_client.ts    |     6 +-
 .../infra/lib/host/get_hosts_alerts_count.ts  |     4 +-
 .../infra/server/services/rules/types.ts      |     4 +-
 .../create_alerts_client.ts                   |     9 +-
 .../server/services/get_alerts_client.ts      |    10 +-
 .../lib/adapters/framework/adapter_types.ts   |     4 +-
 .../observability/common/constants.ts         |    12 +-
 .../alert_search_bar.test.tsx                 |     4 +-
 .../alert_search_bar/alert_search_bar.tsx     |     4 +-
 .../get_alerts_page_table_configuration.tsx   |     9 +-
 .../alerts/get_persistent_controls.ts         |     7 +-
 .../components/alert_history.tsx              |    25 +-
 .../components/related_alerts.tsx             |    11 +-
 .../public/pages/alerts/alerts.tsx            |    20 +-
 .../public/pages/overview/overview.tsx        |    11 +-
 .../components/rule_details_tabs.tsx          |    11 +-
 .../pages/rule_details/rule_details.tsx       |    22 +-
 .../public/pages/rules/rules_tab.tsx          |     6 +-
 .../server/lib/rules/register_rule_types.ts   |     4 +-
 .../observability/server/plugin.ts            |    44 +-
 .../server/routes/register_routes.ts          |     2 +-
 .../server/routes/types.ts                    |     2 +-
 .../server/types.ts                           |     9 +-
 .../server/functions/alerts.ts                |    42 +-
 .../server/types.ts                           |     9 +-
 .../alerts/components/slo_alerts_summary.tsx  |     5 +-
 .../alerts/components/slo_alerts_table.tsx    |     5 +-
 .../public/hooks/use_fetch_active_alerts.ts   |    13 +-
 .../use_fetch_slos_with_burn_rate_rules.ts    |    13 +-
 .../components/slo_detail_alerts.tsx          |     5 +-
 .../lib/rules/register_burn_rate_rule.ts      |     4 +-
 .../slo/server/plugin.ts                      |    20 +-
 .../slo/server/services/get_slos_overview.ts  |    15 +-
 .../slo/server/types.ts                       |     6 +-
 .../common/constants/synthetics_alerts.ts     |    14 +-
 .../hooks/use_fetch_active_alerts.ts          |     8 +-
 .../monitor_alerts/monitor_detail_alerts.tsx  |     5 +-
 .../lib/alert_types/monitor_status.tsx        |     3 +-
 .../apps/synthetics/lib/alert_types/tls.tsx   |     3 +-
 .../status_rule/monitor_status_rule.ts        |     6 +-
 .../server/alert_rules/tls_rule/tls_rule.ts   |     6 +-
 .../synthetics/server/feature.ts              |    27 +-
 .../default_alerts/default_alert_service.ts   |    10 +-
 .../synthetics/server/types.ts                |    11 +-
 .../common/constants/synthetics_alerts.ts     |     2 -
 .../uptime/common/constants/uptime_alerts.ts  |     7 +-
 .../routes/monitors/monitors_details.ts       |     2 +-
 .../alert_data_client/alerts_client.mock.ts   |     1 -
 .../alert_data_client/alerts_client.test.ts   |   244 +
 .../server/alert_data_client/alerts_client.ts |   155 +-
 .../alerts_client_factory.test.ts             |     2 +-
 .../alerts_client_factory.ts                  |    18 +-
 .../tests/bulk_update.test.ts                 |    60 +-
 .../tests/find_alerts.test.ts                 |   316 +-
 .../alert_data_client/tests/get.test.ts       |    55 +-
 .../tests/get_aad_fields.test.ts              |     4 +-
 .../get_alerts_group_aggregations.test.ts     |    70 +-
 .../tests/get_alerts_summary.test.ts          |   311 +
 .../alert_data_client/tests/update.test.ts    |    54 +-
 .../server/lib/get_authz_filter.ts            |    12 +-
 .../server/lib/get_consumers_filter.test.tsx  |    26 +
 .../server/lib/get_consumers_filter.tsx       |    13 +
 .../lib/get_rule_type_ids_filter.test.tsx     |    26 +
 .../server/lib/get_rule_type_ids_filter.tsx   |    13 +
 x-pack/plugins/rule_registry/server/plugin.ts |    17 +-
 .../routes/__mocks__/request_responses.ts     |    21 +-
 .../routes/__mocks__/response_adapters.ts     |     2 +
 .../rule_registry/server/routes/find.test.ts  |    56 +
 .../rule_registry/server/routes/find.ts       |     9 +-
 .../server/routes/get_alert_index.test.ts     |    26 +-
 .../server/routes/get_alert_index.ts          |    18 +-
 .../server/routes/get_alert_summary.test.ts   |    71 +-
 .../server/routes/get_alert_summary.ts        |    15 +-
 .../get_alerts_group_aggregations.test.ts     |   106 +-
 .../routes/get_alerts_group_aggregations.ts   |    35 +-
 .../get_browser_fields_by_feature_id.test.ts  |    65 -
 ...et_browser_fields_by_rule_type_ids.test.ts |   123 +
 ...=> get_browser_fields_by_rule_type_ids.ts} |    23 +-
 ...ature_ids_by_registration_contexts.test.ts |    78 -
 ...et_feature_ids_by_registration_contexts.ts |    71 -
 .../rule_registry/server/routes/index.ts      |     4 +-
 .../rule_data_plugin_service.mock.ts          |     1 -
 .../rule_data_plugin_service.ts               |    17 -
 .../search_strategy/search_strategy.test.ts   |   458 +-
 .../server/search_strategy/search_strategy.ts |   111 +-
 .../tabs/alerts_tab/index.tsx                 |     9 +-
 .../components/alerts_table/index.tsx         |     8 +-
 .../detection_engine_filters.tsx              |     4 +-
 .../endpoint/endpoint_app_context_services.ts |     4 +-
 .../fleet_integration/fleet_integration.ts    |     4 +-
 .../handlers/install_prepackaged_rules.ts     |    11 +-
 ...ebuilt_rules_and_timelines_status_route.ts |     2 +-
 .../get_prebuilt_rules_status_route.ts        |     2 +-
 ...tall_prebuilt_rules_and_timelines_route.ts |     2 +-
 .../perform_rule_installation_route.ts        |     2 +-
 .../perform_rule_upgrade_route.ts             |     2 +-
 .../review_rule_installation_route.ts         |     2 +-
 .../review_rule_upgrade_route.ts              |     2 +-
 .../routes/__mocks__/request_context.ts       |     2 +-
 .../api/create_legacy_notification/route.ts   |     2 +-
 .../api/create_rule_exceptions/route.ts       |     2 +-
 .../api/find_exception_references/route.ts    |     2 +-
 .../api/rules/bulk_actions/route.ts           |     2 +-
 .../api/rules/bulk_create_rules/route.ts      |     2 +-
 .../api/rules/bulk_delete_rules/route.ts      |     2 +-
 .../api/rules/bulk_patch_rules/route.ts       |     2 +-
 .../api/rules/bulk_update_rules/route.ts      |     2 +-
 .../api/rules/coverage_overview/route.ts      |     2 +-
 .../api/rules/create_rule/route.ts            |     2 +-
 .../api/rules/delete_rule/route.ts            |     2 +-
 .../api/rules/export_rules/route.ts           |     2 +-
 .../api/rules/filters/route.ts                |     2 +-
 .../api/rules/find_rules/route.ts             |     2 +-
 .../api/rules/patch_rule/route.ts             |     2 +-
 .../api/rules/read_rule/route.ts              |     2 +-
 .../api/rules/update_rule/route.ts            |     2 +-
 .../api/tags/read_tags/route.ts               |     2 +-
 .../rule_types/__mocks__/rule_type.ts         |     4 +-
 .../utils/search_after_bulk_create.test.ts    |     4 +-
 .../rule_types/utils/utils.test.ts            |     4 +-
 .../rule_types/utils/utils.ts                 |     4 +-
 .../lib/siem_migrations/rules/api/retry.ts    |     2 +-
 .../rules/api/rules/install.ts                |     2 +-
 .../rules/api/rules/install_translated.ts     |     2 +-
 .../lib/siem_migrations/rules/api/start.ts    |     2 +-
 .../server/plugin_contract.ts                 |     9 +-
 .../server/request_context_factory.ts         |     6 +-
 .../server/routes/alert_status_route.test.ts  |     3 +-
 .../server/routes/alert_status_route.ts       |     7 +-
 .../server/routes/alerts_client_mock.test.ts  |   105 +-
 .../server/routes/alerts_route.test.ts        |     6 +-
 .../server/routes/alerts_route.ts             |     7 +-
 .../routes/process_events_route.test.ts       |     4 +-
 x-pack/plugins/session_view/tsconfig.json     |     1 +
 .../stack_alerts/server/feature.test.ts       |   151 +-
 x-pack/plugins/stack_alerts/server/feature.ts |    93 +-
 .../stack_alerts/server/rule_types/types.ts   |     4 +-
 x-pack/plugins/stack_alerts/server/types.ts   |     7 +-
 x-pack/plugins/timelines/server/types.ts      |     4 +-
 .../register_transform_health_rule_type.ts    |     8 +-
 .../api/transforms_all/route_handler.ts       |     5 +-
 .../translations/translations/fr-FR.json      |     7 -
 .../translations/translations/ja-JP.json      |     9 +-
 .../translations/translations/zh-CN.json      |     7 -
 .../hooks/use_load_alert_summary.test.ts      |    11 +-
 .../hooks/use_load_alert_summary.ts           |    29 +-
 .../hooks/use_load_rule_aggregations.test.tsx |    21 +-
 .../hooks/use_load_rule_aggregations_query.ts |    11 +-
 .../application/hooks/use_load_rules_query.ts |    11 +-
 .../application/hooks/use_rule_aad_fields.ts  |    58 -
 .../lib/check_rule_type_enabled.test.tsx      |     2 +
 .../lib/execution_duration_utils.test.ts      |     1 +
 .../lib/rule_api/aggregate.test.ts            |    12 +-
 .../application/lib/rule_api/aggregate.ts     |     8 +-
 .../lib/rule_api/aggregate_helpers.ts         |     4 +-
 .../rule_api/aggregate_kuery_filter.test.ts   |   115 +
 .../lib/rule_api/aggregate_kuery_filter.ts    |     8 +-
 .../application/lib/rule_api/alert_fields.ts  |    27 -
 .../application/lib/rule_api/alert_index.ts   |    25 -
 .../lib/rule_api/rule_types.test.ts           |     1 +
 .../application/lib/rule_api/rules.test.ts    |   135 +
 .../public/application/lib/rule_api/rules.ts  |     4 +
 .../application/lib/rule_api/rules_helpers.ts |     3 +-
 .../lib/rule_api/rules_kuery_filter.test.ts   |   384 +
 .../lib/rule_api/rules_kuery_filter.ts        |     6 +-
 .../public/application/lib/search_filters.ts  |   113 +-
 .../action_form.test.tsx                      |     1 +
 .../action_type_form.test.tsx                 |    10 +-
 .../action_type_form.tsx                      |     3 +-
 .../connector_rules_list.tsx                  |     4 +-
 .../alert_summary_widget.test.tsx             |     2 +-
 .../alert_summary_widget.tsx                  |     6 +-
 .../sections/alert_summary_widget/types.ts    |     5 +-
 .../components/stack_alerts_page.tsx          |   183 +-
 .../alerts_page/hooks/use_rule_stats.tsx      |    12 +-
 .../hooks/use_rule_type_ids_by_feature_id.ts  |    20 +-
 .../alerts_search_bar.test.tsx                |   184 +-
 .../alerts_search_bar/alerts_search_bar.tsx   |    32 +-
 .../sections/alerts_search_bar/constants.ts   |     5 +-
 .../sections/alerts_search_bar/types.ts       |     4 +-
 .../url_synced_alerts_search_bar.tsx          |    24 +-
 .../sections/alerts_table/alerts_table.tsx    |     6 +-
 .../alerts_table/alerts_table_state.test.tsx  |    51 +-
 .../alerts_table/alerts_table_state.tsx       |    30 +-
 .../alerts_table/cells/render_cell_value.tsx  |     4 +-
 .../sections/alerts_table/constants.ts        |    15 +-
 .../alert_mute/use_get_muted_alerts.test.tsx  |     2 +-
 .../hooks/alert_mute/use_get_muted_alerts.tsx |     2 +-
 .../hooks/apis/get_rules_muted_alerts.test.ts |    46 +
 .../hooks/apis/get_rules_muted_alerts.ts      |    10 +-
 .../hooks/use_bulk_actions.test.tsx           |    12 +-
 .../alerts_table/hooks/use_bulk_actions.ts    |    21 +-
 .../use_bulk_untrack_alerts_by_query.test.ts  |    53 +
 .../use_bulk_untrack_alerts_by_query.tsx      |     7 +-
 .../hooks/use_columns/use_columns.test.tsx    |    27 +-
 .../hooks/use_columns/use_columns.ts          |     7 +-
 .../sections/alerts_table/types.ts            |     2 +
 .../rule_details/components/rule.test.tsx     |     1 +
 .../sections/rule_details/components/rule.tsx |    13 +-
 .../components/rule_details.test.tsx          |     1 +
 .../components/rule_route.test.tsx            |     1 +
 .../rule_details/components/test_helpers.ts   |     1 +
 .../sections/rule_form/rule_add.test.tsx      |     1 +
 .../sections/rule_form/rule_form.test.tsx     |     9 +
 .../rule_form_consumer_selection.test.tsx     |    40 +-
 .../rule_form_consumer_selection.tsx          |    11 +-
 .../rules_list/components/rules_list.test.tsx |   122 +-
 .../rules_list/components/rules_list.tsx      |    25 +-
 .../triggers_actions_ui/public/types.ts       |     4 +-
 .../triggers_actions_ui/server/plugin.ts      |     9 +-
 .../server/routes/config.test.ts              |     4 +-
 .../common/plugins/alerts/server/plugin.ts    |   111 +-
 .../alerts_restricted/server/plugin.ts        |    47 +-
 .../observability/metric_threshold_rule.ts    |     7 +-
 .../tests/alerting/backfill/schedule.ts       |     1 +
 .../tests/alerting/bulk_untrack_by_query.ts   |     2 +-
 .../group1/tests/alerting/create.ts           |     9 +-
 .../group1/tests/alerting/delete.ts           |     2 +-
 .../group1/tests/alerting/disable.ts          |     9 +-
 .../group1/tests/alerting/enable.ts           |     9 +-
 .../group1/tests/alerting/find.ts             |   122 +-
 .../group1/tests/alerting/find_internal.ts    |   351 +-
 .../group1/tests/alerting/find_with_post.ts   |   593 -
 .../group1/tests/alerting/get.ts              |    13 +-
 .../group1/tests/alerting/index.ts            |     1 -
 .../group2/tests/alerting/aggregate.ts        |   377 +
 .../group2/tests/alerting/index.ts            |     5 +-
 .../group2/tests/alerting/mute_all.ts         |     6 +-
 .../group2/tests/alerting/mute_instance.ts    |    13 +-
 .../group2/tests/alerting/unmute_all.ts       |     6 +-
 .../group2/tests/alerting/unmute_instance.ts  |    13 +-
 .../group2/tests/alerting/update.ts           |    13 +-
 .../group2/tests/alerting/update_api_key.ts   |    13 +-
 .../group3/tests/alerting/bulk_delete.ts      |    67 +-
 .../group3/tests/alerting/bulk_disable.ts     |     2 +-
 .../group3/tests/alerting/bulk_edit.ts        |     6 +-
 .../group3/tests/alerting/bulk_enable.ts      |    50 +-
 .../group4/tests/alerting/snooze.ts           |    13 +-
 .../group4/tests/alerting/unsnooze.ts         |     6 +-
 .../security_and_spaces/scenarios.ts          |     7 +-
 .../{aggregate_post.ts => aggregate.ts}       |   171 +-
 .../spaces_only/tests/alerting/group1/find.ts |    47 +-
 .../tests/alerting/group1/find_internal.ts    |    65 +-
 .../tests/alerting/group1/index.ts            |     3 +-
 x-pack/test/common/services/bsearch_secure.ts |     6 +-
 .../infra/metrics_source_configuration.ts     |     7 +-
 .../observability/alerts/data.json.gz         |   Bin 4610 -> 4473 bytes
 .../alerts/8.1.0/data.json.gz                 |   Bin 9456 -> 9487 bytes
 .../plugins/alerts/server/plugin.ts           |    10 +-
 .../apps/triggers_actions_ui/home_page.ts     |    48 +-
 .../plugins/alerts/server/plugin.ts           |    39 +-
 .../apps/observability/pages/rules_page.ts    |     1 +
 .../tests/basic/bulk_update_alerts.ts         |     3 -
 .../tests/basic/find_alerts.ts                |    14 +-
 .../basic/get_aad_fields_by_rule_type.ts      |     6 +-
 .../tests/basic/get_alert_summary.ts          |     6 +-
 .../tests/basic/get_alerts_index.ts           |    25 +-
 ...=> get_browser_fields_by_rule_type_ids.ts} |    47 +-
 ...et_feature_ids_by_registration_contexts.ts |    79 -
 .../security_and_spaces/tests/basic/index.ts  |     3 +-
 .../tests/basic/search_strategy.ts            |   454 +-
 .../tests/basic/update_alert.ts               |     1 -
 .../tests/trial/get_alerts.ts                 |     5 +
 .../tests/trial/update_alert.ts               |     2 +
 .../spaces_only/tests/trial/update_alert.ts   |     1 -
 .../plugins/features_provider/server/index.ts |    97 +-
 .../tests/features/deprecated_features.ts     |    92 +-
 .../platform_security/authorization.ts        | 23573 +++++++++++-----
 530 files changed, 30016 insertions(+), 14407 deletions(-)
 create mode 100644 packages/kbn-alerts-as-data-utils/src/schemas/generated/observability_threshold_schema.ts
 create mode 100644 packages/kbn-alerts-ui-shared/src/common/hooks/use_find_alerts_query.test.tsx
 delete mode 100644 packages/kbn-alerts-ui-shared/src/common/hooks/use_rule_aad_fields.ts
 create mode 100644 packages/kbn-rule-data-utils/jest.config.js
 create mode 100644 packages/kbn-rule-data-utils/src/alerts_as_data_rbac.test.ts
 create mode 100644 x-pack/plugins/alerting/server/application/rule/methods/rule_types/rule_types.test.ts
 create mode 100644 x-pack/plugins/alerting/server/authorization/types.ts
 create mode 100644 x-pack/plugins/alerting/server/rules_client/common/filters.test.ts
 create mode 100644 x-pack/plugins/alerting/server/rules_client/common/filters.ts
 create mode 100644 x-pack/plugins/alerting/server/rules_client/rules_client.mock.ts
 create mode 100644 x-pack/plugins/features/common/alerting_kibana_privilege.ts
 create mode 100644 x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.test.ts
 create mode 100644 x-pack/plugins/rule_registry/server/alert_data_client/tests/get_alerts_summary.test.ts
 create mode 100644 x-pack/plugins/rule_registry/server/lib/get_consumers_filter.test.tsx
 create mode 100644 x-pack/plugins/rule_registry/server/lib/get_consumers_filter.tsx
 create mode 100644 x-pack/plugins/rule_registry/server/lib/get_rule_type_ids_filter.test.tsx
 create mode 100644 x-pack/plugins/rule_registry/server/lib/get_rule_type_ids_filter.tsx
 create mode 100644 x-pack/plugins/rule_registry/server/routes/find.test.ts
 delete mode 100644 x-pack/plugins/rule_registry/server/routes/get_browser_fields_by_feature_id.test.ts
 create mode 100644 x-pack/plugins/rule_registry/server/routes/get_browser_fields_by_rule_type_ids.test.ts
 rename x-pack/plugins/rule_registry/server/routes/{get_browser_fields_by_feature_id.ts => get_browser_fields_by_rule_type_ids.ts} (83%)
 delete mode 100644 x-pack/plugins/rule_registry/server/routes/get_feature_ids_by_registration_contexts.test.ts
 delete mode 100644 x-pack/plugins/rule_registry/server/routes/get_feature_ids_by_registration_contexts.ts
 delete mode 100644 x-pack/plugins/triggers_actions_ui/public/application/hooks/use_rule_aad_fields.ts
 create mode 100644 x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/aggregate_kuery_filter.test.ts
 delete mode 100644 x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/alert_fields.ts
 delete mode 100644 x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/alert_index.ts
 create mode 100644 x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/rules_kuery_filter.test.ts
 create mode 100644 x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/apis/get_rules_muted_alerts.test.ts
 create mode 100644 x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/use_bulk_untrack_alerts_by_query.test.ts
 delete mode 100644 x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/find_with_post.ts
 create mode 100644 x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/aggregate.ts
 rename x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group1/{aggregate_post.ts => aggregate.ts} (51%)
 rename x-pack/test/rule_registry/security_and_spaces/tests/basic/{get_browser_fields_by_feature_id.ts => get_browser_fields_by_rule_type_ids.ts} (74%)
 delete mode 100644 x-pack/test/rule_registry/security_and_spaces/tests/basic/get_feature_ids_by_registration_contexts.ts

diff --git a/packages/kbn-alerting-types/search_strategy_types.ts b/packages/kbn-alerting-types/search_strategy_types.ts
index 797ca82294b8a..9df72e4fa7886 100644
--- a/packages/kbn-alerting-types/search_strategy_types.ts
+++ b/packages/kbn-alerting-types/search_strategy_types.ts
@@ -8,7 +8,6 @@
  */
 
 import type { IEsSearchRequest, IEsSearchResponse } from '@kbn/search-types';
-import type { ValidFeatureId } from '@kbn/rule-data-utils';
 import type {
   MappingRuntimeFields,
   QueryDslFieldAndFormat,
@@ -18,7 +17,8 @@ import type {
 import type { Alert } from './alert_type';
 
 export type RuleRegistrySearchRequest = IEsSearchRequest & {
-  featureIds: ValidFeatureId[];
+  ruleTypeIds: string[];
+  consumers?: string[];
   fields?: QueryDslFieldAndFormat[];
   query?: Pick<QueryDslQueryContainer, 'bool' | 'ids'>;
   sort?: SortCombinations[];
diff --git a/packages/kbn-alerts-as-data-utils/src/schemas/generated/observability_threshold_schema.ts b/packages/kbn-alerts-as-data-utils/src/schemas/generated/observability_threshold_schema.ts
new file mode 100644
index 0000000000000..2f08e082aebea
--- /dev/null
+++ b/packages/kbn-alerts-as-data-utils/src/schemas/generated/observability_threshold_schema.ts
@@ -0,0 +1,90 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+// ---------------------------------- WARNING ----------------------------------
+// this file was generated, and should not be edited by hand
+// ---------------------------------- WARNING ----------------------------------
+import * as rt from 'io-ts';
+import { Either } from 'fp-ts/lib/Either';
+import { AlertSchema } from './alert_schema';
+import { EcsSchema } from './ecs_schema';
+const ISO_DATE_PATTERN = /^d{4}-d{2}-d{2}Td{2}:d{2}:d{2}.d{3}Z$/;
+export const IsoDateString = new rt.Type<string, string, unknown>(
+  'IsoDateString',
+  rt.string.is,
+  (input, context): Either<rt.Errors, string> => {
+    if (typeof input === 'string' && ISO_DATE_PATTERN.test(input)) {
+      return rt.success(input);
+    } else {
+      return rt.failure(input, context);
+    }
+  },
+  rt.identity
+);
+export type IsoDateStringC = typeof IsoDateString;
+export const schemaUnknown = rt.unknown;
+export const schemaUnknownArray = rt.array(rt.unknown);
+export const schemaString = rt.string;
+export const schemaStringArray = rt.array(schemaString);
+export const schemaNumber = rt.number;
+export const schemaNumberArray = rt.array(schemaNumber);
+export const schemaDate = rt.union([IsoDateString, schemaNumber]);
+export const schemaDateArray = rt.array(schemaDate);
+export const schemaDateRange = rt.partial({
+  gte: schemaDate,
+  lte: schemaDate,
+});
+export const schemaDateRangeArray = rt.array(schemaDateRange);
+export const schemaStringOrNumber = rt.union([schemaString, schemaNumber]);
+export const schemaStringOrNumberArray = rt.array(schemaStringOrNumber);
+export const schemaBoolean = rt.boolean;
+export const schemaBooleanArray = rt.array(schemaBoolean);
+const schemaGeoPointCoords = rt.type({
+  type: schemaString,
+  coordinates: schemaNumberArray,
+});
+const schemaGeoPointString = schemaString;
+const schemaGeoPointLatLon = rt.type({
+  lat: schemaNumber,
+  lon: schemaNumber,
+});
+const schemaGeoPointLocation = rt.type({
+  location: schemaNumberArray,
+});
+const schemaGeoPointLocationString = rt.type({
+  location: schemaString,
+});
+export const schemaGeoPoint = rt.union([
+  schemaGeoPointCoords,
+  schemaGeoPointString,
+  schemaGeoPointLatLon,
+  schemaGeoPointLocation,
+  schemaGeoPointLocationString,
+]);
+export const schemaGeoPointArray = rt.array(schemaGeoPoint);
+// prettier-ignore
+const ObservabilityThresholdAlertRequired = rt.type({
+});
+// prettier-ignore
+const ObservabilityThresholdAlertOptional = rt.partial({
+  'kibana.alert.context': schemaUnknown,
+  'kibana.alert.evaluation.threshold': schemaStringOrNumber,
+  'kibana.alert.evaluation.value': schemaStringOrNumber,
+  'kibana.alert.evaluation.values': schemaStringOrNumberArray,
+  'kibana.alert.group': rt.array(
+    rt.partial({
+      field: schemaStringArray,
+      value: schemaStringArray,
+    })
+  ),
+});
+
+// prettier-ignore
+export const ObservabilityThresholdAlertSchema = rt.intersection([ObservabilityThresholdAlertRequired, ObservabilityThresholdAlertOptional, AlertSchema, EcsSchema]);
+// prettier-ignore
+export type ObservabilityThresholdAlert = rt.TypeOf<typeof ObservabilityThresholdAlertSchema>;
diff --git a/packages/kbn-alerts-grouping/src/components/alerts_grouping.test.tsx b/packages/kbn-alerts-grouping/src/components/alerts_grouping.test.tsx
index 86ae0a54f9224..0137953b2313c 100644
--- a/packages/kbn-alerts-grouping/src/components/alerts_grouping.test.tsx
+++ b/packages/kbn-alerts-grouping/src/components/alerts_grouping.test.tsx
@@ -23,7 +23,8 @@ import { groupingSearchResponse } from '../mocks/grouping_query.mock';
 import { useAlertsGroupingState } from '../contexts/alerts_grouping_context';
 import { I18nProvider } from '@kbn/i18n-react';
 import {
-  mockFeatureIds,
+  mockRuleTypeIds,
+  mockConsumers,
   mockDate,
   mockGroupingProps,
   mockGroupingId,
@@ -146,7 +147,8 @@ describe('AlertsGrouping', () => {
       expect.objectContaining({
         params: {
           aggregations: {},
-          featureIds: mockFeatureIds,
+          ruleTypeIds: mockRuleTypeIds,
+          consumers: mockConsumers,
           groupByField: 'kibana.alert.rule.name',
           filters: [
             {
diff --git a/packages/kbn-alerts-grouping/src/components/alerts_grouping.tsx b/packages/kbn-alerts-grouping/src/components/alerts_grouping.tsx
index d814d70903a5c..5ea010d442145 100644
--- a/packages/kbn-alerts-grouping/src/components/alerts_grouping.tsx
+++ b/packages/kbn-alerts-grouping/src/components/alerts_grouping.tsx
@@ -66,7 +66,7 @@ const AlertsGroupingInternal = <T extends BaseAlertsGroupAggregations>(
   const {
     groupingId,
     services,
-    featureIds,
+    ruleTypeIds,
     defaultGroupingOptions,
     defaultFilters,
     globalFilters,
@@ -79,7 +79,7 @@ const AlertsGroupingInternal = <T extends BaseAlertsGroupAggregations>(
   const { grouping, updateGrouping } = useAlertsGroupingState(groupingId);
 
   const { dataView } = useAlertsDataView({
-    featureIds,
+    ruleTypeIds,
     dataViewsService: dataViews,
     http,
     toasts: notifications.toasts,
@@ -252,7 +252,7 @@ const typedMemo: <T>(c: T) => T = memo;
  *
  * return (
  *   <AlertsGrouping<YourAggregationsType>
- *     featureIds={[...]}
+ *     ruleTypeIds={[...]}
  *     globalQuery={{ query: ..., language: 'kql' }}
  *     globalFilters={...}
  *     from={...}
diff --git a/packages/kbn-alerts-grouping/src/components/alerts_grouping_level.test.tsx b/packages/kbn-alerts-grouping/src/components/alerts_grouping_level.test.tsx
index 5548c14fcf26f..b908b07caf7a1 100644
--- a/packages/kbn-alerts-grouping/src/components/alerts_grouping_level.test.tsx
+++ b/packages/kbn-alerts-grouping/src/components/alerts_grouping_level.test.tsx
@@ -55,6 +55,10 @@ const mockGroupingLevelProps: Omit<AlertsGroupingLevelProps, 'children'> = {
 describe('AlertsGroupingLevel', () => {
   let buildEsQuerySpy: jest.SpyInstance;
 
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
   beforeAll(() => {
     buildEsQuerySpy = jest.spyOn(buildEsQueryModule, 'buildEsQuery');
   });
@@ -119,4 +123,58 @@ describe('AlertsGroupingLevel', () => {
       Object.keys(groupingSearchResponse.aggregations)
     );
   });
+
+  it('should calls useGetAlertsGroupAggregationsQuery with correct props', () => {
+    render(
+      <AlertsGroupingLevel {...mockGroupingLevelProps}>
+        {() => <span data-test-subj="grouping-level" />}
+      </AlertsGroupingLevel>
+    );
+
+    expect(mockUseGetAlertsGroupAggregationsQuery.mock.calls).toMatchInlineSnapshot(`
+      Array [
+        Array [
+          Object {
+            "enabled": true,
+            "http": Object {
+              "get": [MockFunction],
+            },
+            "params": Object {
+              "aggregations": Object {},
+              "consumers": Array [
+                "stackAlerts",
+              ],
+              "filters": Array [
+                Object {
+                  "bool": Object {
+                    "filter": Array [],
+                    "must": Array [],
+                    "must_not": Array [],
+                    "should": Array [],
+                  },
+                },
+                Object {
+                  "range": Object {
+                    "kibana.alert.time_range": Object {
+                      "gte": "2020-07-07T08:20:18.966Z",
+                      "lte": "2020-07-08T08:20:18.966Z",
+                    },
+                  },
+                },
+              ],
+              "groupByField": "selectedGroup",
+              "pageIndex": 0,
+              "pageSize": 10,
+              "ruleTypeIds": Array [
+                ".es-query",
+              ],
+            },
+            "toasts": Object {
+              "addDanger": [MockFunction],
+            },
+          },
+        ],
+      ]
+    `);
+  });
 });
diff --git a/packages/kbn-alerts-grouping/src/components/alerts_grouping_level.tsx b/packages/kbn-alerts-grouping/src/components/alerts_grouping_level.tsx
index 7e620276d2e4d..02fd5d33e2379 100644
--- a/packages/kbn-alerts-grouping/src/components/alerts_grouping_level.tsx
+++ b/packages/kbn-alerts-grouping/src/components/alerts_grouping_level.tsx
@@ -46,7 +46,8 @@ const DEFAULT_FILTERS: Filter[] = [];
 const typedMemo: <T>(c: T) => T = memo;
 export const AlertsGroupingLevel = typedMemo(
   <T extends BaseAlertsGroupAggregations>({
-    featureIds,
+    ruleTypeIds,
+    consumers,
     defaultFilters = DEFAULT_FILTERS,
     from,
     getGrouping,
@@ -86,7 +87,8 @@ export const AlertsGroupingLevel = typedMemo(
 
     const aggregationsQuery = useMemo<UseGetAlertsGroupAggregationsQueryProps['params']>(() => {
       return {
-        featureIds,
+        ruleTypeIds,
+        consumers,
         groupByField: selectedGroup,
         aggregations: getAggregationsByGroupingField(selectedGroup)?.reduce(
           (acc, val) => Object.assign(acc, val),
@@ -107,12 +109,13 @@ export const AlertsGroupingLevel = typedMemo(
         pageSize,
       };
     }, [
-      featureIds,
+      consumers,
       filters,
       from,
       getAggregationsByGroupingField,
       pageIndex,
       pageSize,
+      ruleTypeIds,
       selectedGroup,
       to,
     ]);
diff --git a/packages/kbn-alerts-grouping/src/mocks/grouping_props.mock.tsx b/packages/kbn-alerts-grouping/src/mocks/grouping_props.mock.tsx
index 925a32fbd9de6..510c7c8fdb896 100644
--- a/packages/kbn-alerts-grouping/src/mocks/grouping_props.mock.tsx
+++ b/packages/kbn-alerts-grouping/src/mocks/grouping_props.mock.tsx
@@ -8,12 +8,12 @@
  */
 
 import React from 'react';
-import { AlertConsumers } from '@kbn/rule-data-utils';
 import { AlertsGroupingProps } from '../types';
 
 export const mockGroupingId = 'test';
 
-export const mockFeatureIds = [AlertConsumers.STACK_ALERTS];
+export const mockRuleTypeIds = ['.es-query'];
+export const mockConsumers = ['stackAlerts'];
 
 export const mockDate = {
   from: '2020-07-07T08:20:18.966Z',
@@ -30,7 +30,8 @@ export const mockOptions = [
 export const mockGroupingProps: Omit<AlertsGroupingProps, 'children'> = {
   ...mockDate,
   groupingId: mockGroupingId,
-  featureIds: mockFeatureIds,
+  ruleTypeIds: mockRuleTypeIds,
+  consumers: mockConsumers,
   defaultGroupingOptions: mockOptions,
   getAggregationsByGroupingField: () => [],
   getGroupStats: () => [{ title: 'Stat', component: <span /> }],
diff --git a/packages/kbn-alerts-grouping/src/mocks/grouping_query.mock.ts b/packages/kbn-alerts-grouping/src/mocks/grouping_query.mock.ts
index 8820f884928b7..486771e70a140 100644
--- a/packages/kbn-alerts-grouping/src/mocks/grouping_query.mock.ts
+++ b/packages/kbn-alerts-grouping/src/mocks/grouping_query.mock.ts
@@ -11,12 +11,12 @@ export const getQuery = ({
   selectedGroup,
   uniqueValue,
   timeRange,
-  featureIds,
+  ruleTypeIds,
 }: {
   selectedGroup: string;
   uniqueValue: string;
   timeRange: { from: string; to: string };
-  featureIds: string[];
+  ruleTypeIds: string[];
 }) => ({
   _source: false,
   aggs: {
@@ -52,7 +52,7 @@ export const getQuery = ({
       },
     },
   },
-  feature_ids: featureIds,
+  rule_type_ids: ruleTypeIds,
   query: {
     bool: {
       filter: [
diff --git a/packages/kbn-alerts-grouping/src/types.ts b/packages/kbn-alerts-grouping/src/types.ts
index c6132e94e8729..f1eb9ef00fee8 100644
--- a/packages/kbn-alerts-grouping/src/types.ts
+++ b/packages/kbn-alerts-grouping/src/types.ts
@@ -8,7 +8,6 @@
  */
 
 import type { Filter, Query } from '@kbn/es-query';
-import { ValidFeatureId } from '@kbn/rule-data-utils';
 import type { NotificationsStart } from '@kbn/core-notifications-browser';
 import type { DataViewsServicePublic } from '@kbn/data-views-plugin/public/types';
 import type { HttpSetup } from '@kbn/core-http-browser';
@@ -63,9 +62,13 @@ export interface AlertsGroupingProps<
    */
   defaultGroupingOptions: GroupOption[];
   /**
-   * The alerting feature ids this grouping covers
+   * The alerting rule type ids this grouping covers
    */
-  featureIds: ValidFeatureId[];
+  ruleTypeIds: string[];
+  /**
+   * The alerting consumers this grouping covers
+   */
+  consumers?: string[];
   /**
    * Time filter start
    */
diff --git a/packages/kbn-alerts-ui-shared/src/action_variables/transforms.test.ts b/packages/kbn-alerts-ui-shared/src/action_variables/transforms.test.ts
index d574aaf9592a9..6f362fd34710b 100644
--- a/packages/kbn-alerts-ui-shared/src/action_variables/transforms.test.ts
+++ b/packages/kbn-alerts-ui-shared/src/action_variables/transforms.test.ts
@@ -289,5 +289,6 @@ function getAlertType(actionVariables: ActionVariables): RuleType {
     producer: ALERTING_FEATURE_ID,
     minimumLicenseRequired: 'basic',
     enabledInLicense: true,
+    category: 'my-category',
   };
 }
diff --git a/packages/kbn-alerts-ui-shared/src/alert_filter_controls/alert_filter_controls.test.tsx b/packages/kbn-alerts-ui-shared/src/alert_filter_controls/alert_filter_controls.test.tsx
index 3c314c62fc28c..6c35234b54006 100644
--- a/packages/kbn-alerts-ui-shared/src/alert_filter_controls/alert_filter_controls.test.tsx
+++ b/packages/kbn-alerts-ui-shared/src/alert_filter_controls/alert_filter_controls.test.tsx
@@ -10,7 +10,6 @@
 import React from 'react';
 import { render, screen } from '@testing-library/react';
 import { AlertFilterControls, AlertFilterControlsProps } from './alert_filter_controls';
-import { AlertConsumers } from '@kbn/rule-data-utils';
 import { DEFAULT_CONTROLS } from './constants';
 import { useAlertsDataView } from '../common/hooks/use_alerts_data_view';
 import { FilterGroup } from './filter_group';
@@ -56,7 +55,7 @@ const ControlGroupRenderer = (() => (
 
 describe('AlertFilterControls', () => {
   const props: AlertFilterControlsProps = {
-    featureIds: [AlertConsumers.STACK_ALERTS],
+    ruleTypeIds: ['.es-query'],
     defaultControls: DEFAULT_CONTROLS,
     dataViewSpec: {
       id: 'alerts-filters-dv',
diff --git a/packages/kbn-alerts-ui-shared/src/alert_filter_controls/alert_filter_controls.tsx b/packages/kbn-alerts-ui-shared/src/alert_filter_controls/alert_filter_controls.tsx
index e8e7e63859250..f64b02e2ee350 100644
--- a/packages/kbn-alerts-ui-shared/src/alert_filter_controls/alert_filter_controls.tsx
+++ b/packages/kbn-alerts-ui-shared/src/alert_filter_controls/alert_filter_controls.tsx
@@ -12,7 +12,6 @@ import React, { useCallback, useEffect, useState } from 'react';
 import type { Filter } from '@kbn/es-query';
 import { EuiFlexItem } from '@elastic/eui';
 import type { DataViewSpec, DataViewsPublicPluginStart } from '@kbn/data-views-plugin/public';
-import { AlertConsumers } from '@kbn/rule-data-utils';
 import { HttpStart } from '@kbn/core-http-browser';
 import { NotificationsStart } from '@kbn/core-notifications-browser';
 import type { Storage } from '@kbn/kibana-utils-plugin/public';
@@ -24,12 +23,12 @@ import { FilterControlConfig } from './types';
 
 export type AlertFilterControlsProps = Omit<
   ComponentProps<typeof FilterGroup>,
-  'dataViewId' | 'defaultControls' | 'featureIds' | 'Storage'
+  'dataViewId' | 'defaultControls' | 'ruleTypeIds' | 'Storage'
 > & {
   /**
-   * The feature ids used to get the correct alert data view(s)
+   * The rule type ids used to get the correct alert data view(s)
    */
-  featureIds?: AlertConsumers[];
+  ruleTypeIds?: string[];
   /**
    * An array of default control configurations
    */
@@ -57,7 +56,7 @@ export type AlertFilterControlsProps = Omit<
  *
  * <AlertFilterControls
  *   // Data view configuration
- *   featureIds={[AlertConsumers.STACK_ALERTS]}
+ *   ruleTypeIds={['.es-query']}
  *   dataViewSpec={{
  *     id: 'unified-alerts-dv',
  *     title: '.alerts-*',
@@ -82,7 +81,7 @@ export type AlertFilterControlsProps = Omit<
  */
 export const AlertFilterControls = (props: AlertFilterControlsProps) => {
   const {
-    featureIds = [AlertConsumers.STACK_ALERTS],
+    ruleTypeIds = [],
     defaultControls = DEFAULT_CONTROLS,
     dataViewSpec,
     onFiltersChange,
@@ -96,7 +95,7 @@ export const AlertFilterControls = (props: AlertFilterControlsProps) => {
   } = props;
   const [loadingPageFilters, setLoadingPageFilters] = useState(true);
   const { dataView, isLoading: isLoadingDataView } = useAlertsDataView({
-    featureIds,
+    ruleTypeIds,
     dataViewsService: dataViews,
     http,
     toasts,
@@ -156,7 +155,7 @@ export const AlertFilterControls = (props: AlertFilterControlsProps) => {
     <FilterGroup
       dataViewId={dataViewSpec?.id || null}
       onFiltersChange={handleFilterChanges}
-      featureIds={featureIds}
+      ruleTypeIds={ruleTypeIds}
       {...restFilterItemGroupProps}
       Storage={storage}
       defaultControls={defaultControls}
diff --git a/packages/kbn-alerts-ui-shared/src/alert_filter_controls/filter_group.test.tsx b/packages/kbn-alerts-ui-shared/src/alert_filter_controls/filter_group.test.tsx
index f3b8911a9197f..3d08697f98652 100644
--- a/packages/kbn-alerts-ui-shared/src/alert_filter_controls/filter_group.test.tsx
+++ b/packages/kbn-alerts-ui-shared/src/alert_filter_controls/filter_group.test.tsx
@@ -30,13 +30,12 @@ import {
   getMockedControlGroupRenderer,
 } from './mocks/control_group_renderer';
 import { URL_PARAM_ARRAY_EXCEPTION_MSG } from './translations';
-import { AlertConsumers } from '@kbn/rule-data-utils';
 import { Storage } from '@kbn/kibana-utils-plugin/public';
 import type { FilterGroupProps } from './types';
 
-const featureIds = [AlertConsumers.STACK_ALERTS];
+const ruleTypeIds = ['.es-query'];
 const spaceId = 'test-space-id';
-const LOCAL_STORAGE_KEY = `${featureIds.join(',')}.${spaceId}.${URL_PARAM_KEY}`;
+const LOCAL_STORAGE_KEY = `${ruleTypeIds.join(',')}.${spaceId}.${URL_PARAM_KEY}`;
 
 const controlGroupMock = getControlGroupMock();
 
@@ -63,7 +62,7 @@ const TestComponent: FC<Partial<FilterGroupProps>> = (props) => {
     <FilterGroup
       spaceId={spaceId}
       dataViewId="alert-filters-test-dv"
-      featureIds={featureIds}
+      ruleTypeIds={ruleTypeIds}
       defaultControls={[
         ...DEFAULT_CONTROLS,
         {
diff --git a/packages/kbn-alerts-ui-shared/src/alert_filter_controls/filter_group.tsx b/packages/kbn-alerts-ui-shared/src/alert_filter_controls/filter_group.tsx
index b97c0940f41d6..a5f6949533776 100644
--- a/packages/kbn-alerts-ui-shared/src/alert_filter_controls/filter_group.tsx
+++ b/packages/kbn-alerts-ui-shared/src/alert_filter_controls/filter_group.tsx
@@ -44,7 +44,6 @@ import { URL_PARAM_ARRAY_EXCEPTION_MSG } from './translations';
 
 export const FilterGroup = (props: PropsWithChildren<FilterGroupProps>) => {
   const {
-    featureIds,
     dataViewId,
     onFiltersChange,
     timeRange,
@@ -59,6 +58,7 @@ export const FilterGroup = (props: PropsWithChildren<FilterGroupProps>) => {
     maxControls = Infinity,
     ControlGroupRenderer,
     Storage,
+    ruleTypeIds,
     storageKey,
   } = props;
 
@@ -80,8 +80,8 @@ export const FilterGroup = (props: PropsWithChildren<FilterGroupProps>) => {
   const [controlGroup, setControlGroup] = useState<ControlGroupRendererApi>();
 
   const localStoragePageFilterKey = useMemo(
-    () => storageKey ?? `${featureIds.join(',')}.${spaceId}.${URL_PARAM_KEY}`,
-    [featureIds, spaceId, storageKey]
+    () => storageKey ?? `${ruleTypeIds.join(',')}.${spaceId}.${URL_PARAM_KEY}`,
+    [ruleTypeIds, spaceId, storageKey]
   );
 
   const currentFiltersRef = useRef<Filter[]>();
diff --git a/packages/kbn-alerts-ui-shared/src/alert_filter_controls/types.ts b/packages/kbn-alerts-ui-shared/src/alert_filter_controls/types.ts
index 19a76c76ff6f8..ed625897a418e 100644
--- a/packages/kbn-alerts-ui-shared/src/alert_filter_controls/types.ts
+++ b/packages/kbn-alerts-ui-shared/src/alert_filter_controls/types.ts
@@ -15,7 +15,6 @@ import type {
   ControlGroupRendererApi,
 } from '@kbn/controls-plugin/public';
 import type { Storage } from '@kbn/kibana-utils-plugin/public';
-import { AlertConsumers } from '@kbn/rule-data-utils';
 
 export type FilterUrlFormat = Record<
   string,
@@ -46,7 +45,7 @@ export interface FilterGroupProps extends Pick<ControlGroupRuntimeState, 'chaini
 
   spaceId?: string;
   dataViewId: string | null;
-  featureIds: AlertConsumers[];
+  ruleTypeIds: string[];
   /**
    * Filters changed callback
    */
diff --git a/packages/kbn-alerts-ui-shared/src/alerts_search_bar/index.test.tsx b/packages/kbn-alerts-ui-shared/src/alerts_search_bar/index.test.tsx
index a7ae24e88dd71..b3b3d9e2a27f1 100644
--- a/packages/kbn-alerts-ui-shared/src/alerts_search_bar/index.test.tsx
+++ b/packages/kbn-alerts-ui-shared/src/alerts_search_bar/index.test.tsx
@@ -12,7 +12,7 @@ import { fireEvent, render, screen, waitFor } from '@testing-library/react';
 import { dataPluginMock } from '@kbn/data-plugin/public/mocks';
 import { Filter, FilterStateStore } from '@kbn/es-query';
 import { ToastsStart } from '@kbn/core-notifications-browser';
-import { useLoadRuleTypesQuery, useRuleAADFields, useAlertsDataView } from '../common/hooks';
+import { useAlertsDataView } from '../common/hooks';
 import { AlertsSearchBar } from '.';
 import { HttpStart } from '@kbn/core-http-browser';
 
@@ -35,25 +35,6 @@ jest.mocked(useAlertsDataView).mockReturnValue({
   },
 });
 
-jest.mocked(useLoadRuleTypesQuery).mockReturnValue({
-  ruleTypesState: {
-    isInitialLoad: false,
-    data: new Map(),
-    isLoading: false,
-    error: null,
-  },
-  authorizedToReadAnyRules: false,
-  hasAnyAuthorizedRuleType: false,
-  authorizedRuleTypes: [],
-  authorizedToCreateAnyRules: false,
-  isSuccess: false,
-});
-
-jest.mocked(useRuleAADFields).mockReturnValue({
-  aadFields: [],
-  loading: false,
-});
-
 const unifiedSearchBarMock = jest.fn().mockImplementation((props) => (
   <button
     data-test-subj="querySubmitButton"
@@ -83,7 +64,6 @@ describe('AlertsSearchBar', () => {
         onQuerySubmit={jest.fn()}
         onFiltersUpdated={jest.fn()}
         appName={'test'}
-        featureIds={['observability', 'stackAlerts']}
         unifiedSearchBar={unifiedSearchBarMock}
         toasts={toastsMock}
         http={httpMock}
@@ -108,7 +88,6 @@ describe('AlertsSearchBar', () => {
         http={httpMock}
         dataService={mockDataPlugin}
         appName={'test'}
-        featureIds={['observability', 'stackAlerts']}
       />
     );
 
@@ -157,7 +136,6 @@ describe('AlertsSearchBar', () => {
         http={httpMock}
         dataService={mockDataPlugin}
         appName={'test'}
-        featureIds={['observability', 'stackAlerts']}
       />
     );
 
@@ -168,4 +146,151 @@ describe('AlertsSearchBar', () => {
       expect(mockDataPlugin.query.filterManager.setFilters).toHaveBeenCalledWith(filters);
     });
   });
+
+  it('calls the unifiedSearchBar correctly for security rule types', async () => {
+    render(
+      <AlertsSearchBar
+        rangeFrom="now/d"
+        rangeTo="now/d"
+        query=""
+        onQuerySubmit={jest.fn()}
+        toasts={toastsMock}
+        http={httpMock}
+        dataService={mockDataPlugin}
+        appName={'test'}
+        onFiltersUpdated={jest.fn()}
+        unifiedSearchBar={unifiedSearchBarMock}
+        ruleTypeIds={['siem.esqlRuleType', '.esQuery']}
+      />
+    );
+
+    await waitFor(() => {
+      expect(unifiedSearchBarMock).toHaveBeenCalledWith(
+        expect.objectContaining({
+          suggestionsAbstraction: undefined,
+        })
+      );
+    });
+  });
+
+  it('calls the unifiedSearchBar correctly for NON security rule types', async () => {
+    render(
+      <AlertsSearchBar
+        rangeFrom="now/d"
+        rangeTo="now/d"
+        query=""
+        onQuerySubmit={jest.fn()}
+        toasts={toastsMock}
+        http={httpMock}
+        dataService={mockDataPlugin}
+        appName={'test'}
+        onFiltersUpdated={jest.fn()}
+        unifiedSearchBar={unifiedSearchBarMock}
+        ruleTypeIds={['.esQuery']}
+      />
+    );
+
+    await waitFor(() => {
+      expect(unifiedSearchBarMock).toHaveBeenCalledWith(
+        expect.objectContaining({
+          suggestionsAbstraction: { type: 'alerts', fields: {} },
+        })
+      );
+    });
+  });
+
+  it('calls the unifiedSearchBar with correct index patters', async () => {
+    render(
+      <AlertsSearchBar
+        rangeFrom="now/d"
+        rangeTo="now/d"
+        query=""
+        onQuerySubmit={jest.fn()}
+        toasts={toastsMock}
+        http={httpMock}
+        dataService={mockDataPlugin}
+        appName={'test'}
+        onFiltersUpdated={jest.fn()}
+        unifiedSearchBar={unifiedSearchBarMock}
+        ruleTypeIds={['.esQuery', 'apm.anomaly']}
+      />
+    );
+
+    await waitFor(() => {
+      expect(unifiedSearchBarMock).toHaveBeenCalledWith(
+        expect.objectContaining({
+          indexPatterns: [
+            {
+              fields: [
+                { aggregatable: true, name: 'event.action', searchable: true, type: 'string' },
+              ],
+              title: '.esQuery,apm.anomaly',
+            },
+          ],
+        })
+      );
+    });
+  });
+
+  it('calls the unifiedSearchBar with correct index patters without rule types', async () => {
+    render(
+      <AlertsSearchBar
+        rangeFrom="now/d"
+        rangeTo="now/d"
+        query=""
+        onQuerySubmit={jest.fn()}
+        toasts={toastsMock}
+        http={httpMock}
+        dataService={mockDataPlugin}
+        appName={'test'}
+        onFiltersUpdated={jest.fn()}
+        unifiedSearchBar={unifiedSearchBarMock}
+      />
+    );
+
+    await waitFor(() => {
+      expect(unifiedSearchBarMock).toHaveBeenCalledWith(
+        expect.objectContaining({
+          indexPatterns: [
+            {
+              fields: [
+                { aggregatable: true, name: 'event.action', searchable: true, type: 'string' },
+              ],
+              title: '.alerts-*',
+            },
+          ],
+        })
+      );
+    });
+  });
+
+  it('calls the unifiedSearchBar with correct index patters without data views', async () => {
+    jest.mocked(useAlertsDataView).mockReturnValue({
+      isLoading: false,
+      dataView: undefined,
+    });
+
+    render(
+      <AlertsSearchBar
+        rangeFrom="now/d"
+        rangeTo="now/d"
+        query=""
+        onQuerySubmit={jest.fn()}
+        toasts={toastsMock}
+        http={httpMock}
+        dataService={mockDataPlugin}
+        appName={'test'}
+        onFiltersUpdated={jest.fn()}
+        unifiedSearchBar={unifiedSearchBarMock}
+      />
+    );
+
+    await waitFor(() => {
+      expect(unifiedSearchBarMock).toHaveBeenCalledWith(
+        expect.objectContaining({
+          indexPatterns: [],
+        })
+      );
+    });
+  });
 });
diff --git a/packages/kbn-alerts-ui-shared/src/alerts_search_bar/index.tsx b/packages/kbn-alerts-ui-shared/src/alerts_search_bar/index.tsx
index 00822d013e0d2..bde93e811a502 100644
--- a/packages/kbn-alerts-ui-shared/src/alerts_search_bar/index.tsx
+++ b/packages/kbn-alerts-ui-shared/src/alerts_search_bar/index.tsx
@@ -10,22 +10,20 @@
 import { useCallback, useMemo, useState } from 'react';
 import type { Query, TimeRange } from '@kbn/es-query';
 import type { SuggestionsAbstraction } from '@kbn/unified-search-plugin/public/typeahead/suggestions_component';
-import { AlertConsumers, ValidFeatureId } from '@kbn/rule-data-utils';
+import { isSiemRuleType } from '@kbn/rule-data-utils';
 import { NO_INDEX_PATTERNS } from './constants';
 import { SEARCH_BAR_PLACEHOLDER } from './translations';
 import type { AlertsSearchBarProps, QueryLanguageType } from './types';
-import { useLoadRuleTypesQuery, useAlertsDataView, useRuleAADFields } from '../common/hooks';
+import { useAlertsDataView } from '../common/hooks';
 
 export type { AlertsSearchBarProps } from './types';
 
 const SA_ALERTS = { type: 'alerts', fields: {} } as SuggestionsAbstraction;
-const EMPTY_FEATURE_IDS: ValidFeatureId[] = [];
 
 export const AlertsSearchBar = ({
   appName,
   disableQueryLanguageSwitcher = false,
-  featureIds = EMPTY_FEATURE_IDS,
-  ruleTypeId,
+  ruleTypeIds = [],
   query,
   filters,
   onQueryChange,
@@ -45,39 +43,24 @@ export const AlertsSearchBar = ({
 }: AlertsSearchBarProps) => {
   const [queryLanguage, setQueryLanguage] = useState<QueryLanguageType>('kuery');
   const { dataView } = useAlertsDataView({
-    featureIds,
+    ruleTypeIds,
     http,
     toasts,
     dataViewsService: dataService.dataViews,
   });
-  const { aadFields, loading: fieldsLoading } = useRuleAADFields({
-    ruleTypeId,
-    http,
-    toasts,
-  });
 
   const indexPatterns = useMemo(() => {
-    if (ruleTypeId && aadFields?.length) {
-      return [{ title: ruleTypeId, fields: aadFields }];
+    if (ruleTypeIds.length > 0 && dataView?.fields?.length) {
+      return [{ title: ruleTypeIds.join(','), fields: dataView.fields }];
     }
+
     if (dataView) {
       return [dataView];
     }
     return null;
-  }, [aadFields, dataView, ruleTypeId]);
-
-  const ruleType = useLoadRuleTypesQuery({
-    filteredRuleTypes: ruleTypeId !== undefined ? [ruleTypeId] : [],
-    enabled: ruleTypeId !== undefined,
-    http,
-    toasts,
-  });
+  }, [dataView, ruleTypeIds]);
 
-  const isSecurity =
-    (featureIds && featureIds.length === 1 && featureIds.includes(AlertConsumers.SIEM)) ||
-    (ruleType &&
-      ruleTypeId &&
-      ruleType.ruleTypesState.data.get(ruleTypeId)?.producer === AlertConsumers.SIEM);
+  const isSecurity = ruleTypeIds?.some(isSiemRuleType) ?? false;
 
   const onSearchQuerySubmit = useCallback(
     ({ dateRange, query: nextQuery }: { dateRange: TimeRange; query?: Query }) => {
@@ -110,7 +93,7 @@ export const AlertsSearchBar = ({
     appName,
     disableQueryLanguageSwitcher,
     // @ts-expect-error - DataView fields prop and SearchBar indexPatterns props are overly broad
-    indexPatterns: !indexPatterns || fieldsLoading ? NO_INDEX_PATTERNS : indexPatterns,
+    indexPatterns: !indexPatterns ? NO_INDEX_PATTERNS : indexPatterns,
     placeholder,
     query: { query: query ?? '', language: queryLanguage },
     filters,
diff --git a/packages/kbn-alerts-ui-shared/src/alerts_search_bar/types.ts b/packages/kbn-alerts-ui-shared/src/alerts_search_bar/types.ts
index f8566b2ec692c..49a5175f5428b 100644
--- a/packages/kbn-alerts-ui-shared/src/alerts_search_bar/types.ts
+++ b/packages/kbn-alerts-ui-shared/src/alerts_search_bar/types.ts
@@ -8,7 +8,6 @@
  */
 
 import type { Filter } from '@kbn/es-query';
-import type { ValidFeatureId } from '@kbn/rule-data-utils';
 import type { ToastsStart, HttpStart } from '@kbn/core/public';
 import type { UnifiedSearchPublicPluginStart } from '@kbn/unified-search-plugin/public';
 import { DataPublicPluginStart } from '@kbn/data-plugin/public';
@@ -18,7 +17,6 @@ export type QueryLanguageType = 'lucene' | 'kuery';
 export interface AlertsSearchBarProps {
   appName: string;
   disableQueryLanguageSwitcher?: boolean;
-  featureIds: ValidFeatureId[];
   rangeFrom?: string;
   rangeTo?: string;
   query?: string;
@@ -28,7 +26,7 @@ export interface AlertsSearchBarProps {
   showSubmitButton?: boolean;
   placeholder?: string;
   submitOnBlur?: boolean;
-  ruleTypeId?: string;
+  ruleTypeIds?: string[];
   onQueryChange?: (query: {
     dateRange: { from: string; to: string; mode?: 'absolute' | 'relative' };
     query?: string;
diff --git a/packages/kbn-alerts-ui-shared/src/common/apis/fetch_alerts_fields/fetch_alerts_fields.test.ts b/packages/kbn-alerts-ui-shared/src/common/apis/fetch_alerts_fields/fetch_alerts_fields.test.ts
index 0bffa76703edc..db9db29218e87 100644
--- a/packages/kbn-alerts-ui-shared/src/common/apis/fetch_alerts_fields/fetch_alerts_fields.test.ts
+++ b/packages/kbn-alerts-ui-shared/src/common/apis/fetch_alerts_fields/fetch_alerts_fields.test.ts
@@ -9,12 +9,12 @@
 
 import { httpServiceMock } from '@kbn/core/public/mocks';
 import { fetchAlertsFields } from '.';
-import { AlertConsumers } from '@kbn/rule-data-utils';
 
 describe('fetchAlertsFields', () => {
   const http = httpServiceMock.createStartContract();
   test('should call the browser_fields API with the correct parameters', async () => {
-    const featureIds = [AlertConsumers.STACK_ALERTS];
+    const ruleTypeIds = ['.es-query'];
+
     http.get.mockResolvedValueOnce({
       browserFields: { fakeCategory: {} },
       fields: [
@@ -23,7 +23,7 @@ describe('fetchAlertsFields', () => {
         },
       ],
     });
-    const result = await fetchAlertsFields({ http, featureIds });
+    const result = await fetchAlertsFields({ http, ruleTypeIds });
     expect(result).toEqual({
       browserFields: { fakeCategory: {} },
       fields: [
@@ -33,7 +33,7 @@ describe('fetchAlertsFields', () => {
       ],
     });
     expect(http.get).toHaveBeenLastCalledWith('/internal/rac/alerts/browser_fields', {
-      query: { featureIds },
+      query: { ruleTypeIds },
     });
   });
 });
diff --git a/packages/kbn-alerts-ui-shared/src/common/apis/fetch_alerts_fields/fetch_alerts_fields.ts b/packages/kbn-alerts-ui-shared/src/common/apis/fetch_alerts_fields/fetch_alerts_fields.ts
index 85d4c4a7c1919..bdc66f99eedc5 100644
--- a/packages/kbn-alerts-ui-shared/src/common/apis/fetch_alerts_fields/fetch_alerts_fields.ts
+++ b/packages/kbn-alerts-ui-shared/src/common/apis/fetch_alerts_fields/fetch_alerts_fields.ts
@@ -12,11 +12,11 @@ import type { BrowserFields } from '@kbn/alerting-types';
 import type { FetchAlertsFieldsParams } from './types';
 import { BASE_RAC_ALERTS_API_PATH } from '../../constants';
 
-export const fetchAlertsFields = ({ http, featureIds }: FetchAlertsFieldsParams) => {
+export const fetchAlertsFields = ({ http, ruleTypeIds }: FetchAlertsFieldsParams) => {
   return http.get<{ browserFields: BrowserFields; fields: FieldDescriptor[] }>(
     `${BASE_RAC_ALERTS_API_PATH}/browser_fields`,
     {
-      query: { featureIds },
+      query: { ruleTypeIds },
     }
   );
 };
diff --git a/packages/kbn-alerts-ui-shared/src/common/apis/fetch_alerts_fields/types.ts b/packages/kbn-alerts-ui-shared/src/common/apis/fetch_alerts_fields/types.ts
index a7b7232abba9a..fc66647fb1a81 100644
--- a/packages/kbn-alerts-ui-shared/src/common/apis/fetch_alerts_fields/types.ts
+++ b/packages/kbn-alerts-ui-shared/src/common/apis/fetch_alerts_fields/types.ts
@@ -8,7 +8,6 @@
  */
 
 import { HttpSetup } from '@kbn/core-http-browser';
-import { ValidFeatureId } from '@kbn/rule-data-utils';
 
 export interface FetchAlertsFieldsParams {
   // Dependencies
@@ -16,7 +15,7 @@ export interface FetchAlertsFieldsParams {
 
   // Params
   /**
-   * Array of feature ids used for authorization and area-based filtering
+   * Array of rule type ids used for authorization and area-based filtering
    */
-  featureIds: ValidFeatureId[];
+  ruleTypeIds: string[];
 }
diff --git a/packages/kbn-alerts-ui-shared/src/common/apis/fetch_alerts_index_names/fetch_alerts_index_names.test.ts b/packages/kbn-alerts-ui-shared/src/common/apis/fetch_alerts_index_names/fetch_alerts_index_names.test.ts
index 7ba85e4978e73..17af39ff50ad1 100644
--- a/packages/kbn-alerts-ui-shared/src/common/apis/fetch_alerts_index_names/fetch_alerts_index_names.test.ts
+++ b/packages/kbn-alerts-ui-shared/src/common/apis/fetch_alerts_index_names/fetch_alerts_index_names.test.ts
@@ -9,22 +9,21 @@
 
 import { httpServiceMock } from '@kbn/core/public/mocks';
 import { fetchAlertsIndexNames } from '.';
-import { AlertConsumers } from '@kbn/rule-data-utils';
 import { BASE_RAC_ALERTS_API_PATH } from '../../constants';
 
 describe('fetchAlertsIndexNames', () => {
   const http = httpServiceMock.createStartContract();
 
   it('calls the alerts/index API with the correct parameters', async () => {
-    const featureIds = [AlertConsumers.STACK_ALERTS, AlertConsumers.APM];
+    const ruleTypeIds = ['.es-query'];
     const indexNames = ['test-index'];
     http.get.mockResolvedValueOnce({
       index_name: indexNames,
     });
-    const result = await fetchAlertsIndexNames({ http, featureIds });
+    const result = await fetchAlertsIndexNames({ http, ruleTypeIds });
     expect(result).toEqual(indexNames);
     expect(http.get).toHaveBeenLastCalledWith(`${BASE_RAC_ALERTS_API_PATH}/index`, {
-      query: { features: featureIds.join(',') },
+      query: { ruleTypeIds },
     });
   });
 });
diff --git a/packages/kbn-alerts-ui-shared/src/common/apis/fetch_alerts_index_names/fetch_alerts_index_names.ts b/packages/kbn-alerts-ui-shared/src/common/apis/fetch_alerts_index_names/fetch_alerts_index_names.ts
index f82cd7e625281..8cb7dc03ae0e7 100644
--- a/packages/kbn-alerts-ui-shared/src/common/apis/fetch_alerts_index_names/fetch_alerts_index_names.ts
+++ b/packages/kbn-alerts-ui-shared/src/common/apis/fetch_alerts_index_names/fetch_alerts_index_names.ts
@@ -10,11 +10,11 @@
 import { BASE_RAC_ALERTS_API_PATH } from '../../constants';
 import { FetchAlertsIndexNamesParams } from './types';
 
-export const fetchAlertsIndexNames = async ({ http, featureIds }: FetchAlertsIndexNamesParams) => {
+export const fetchAlertsIndexNames = async ({ http, ruleTypeIds }: FetchAlertsIndexNamesParams) => {
   const { index_name: indexNames = [] } = await http.get<{ index_name: string[] }>(
     `${BASE_RAC_ALERTS_API_PATH}/index`,
     {
-      query: { features: featureIds.join(',') },
+      query: { ruleTypeIds },
     }
   );
   return indexNames;
diff --git a/packages/kbn-alerts-ui-shared/src/common/apis/fetch_alerts_index_names/types.ts b/packages/kbn-alerts-ui-shared/src/common/apis/fetch_alerts_index_names/types.ts
index 2ffde00684ac1..2cb88f1481605 100644
--- a/packages/kbn-alerts-ui-shared/src/common/apis/fetch_alerts_index_names/types.ts
+++ b/packages/kbn-alerts-ui-shared/src/common/apis/fetch_alerts_index_names/types.ts
@@ -8,7 +8,6 @@
  */
 
 import { HttpSetup } from '@kbn/core-http-browser';
-import { ValidFeatureId } from '@kbn/rule-data-utils';
 
 export interface FetchAlertsIndexNamesParams {
   // Dependencies
@@ -16,7 +15,7 @@ export interface FetchAlertsIndexNamesParams {
 
   // Params
   /**
-   * Array of feature ids used for authorization and area-based filtering
+   * Array of rule type ids used for authorization and area-based filtering
    */
-  featureIds: ValidFeatureId[];
+  ruleTypeIds: string[];
 }
diff --git a/packages/kbn-alerts-ui-shared/src/common/apis/search_alerts/search_alerts.test.tsx b/packages/kbn-alerts-ui-shared/src/common/apis/search_alerts/search_alerts.test.tsx
index b3678f37d8148..98a1e4cf978f7 100644
--- a/packages/kbn-alerts-ui-shared/src/common/apis/search_alerts/search_alerts.test.tsx
+++ b/packages/kbn-alerts-ui-shared/src/common/apis/search_alerts/search_alerts.test.tsx
@@ -204,7 +204,8 @@ describe('searchAlerts', () => {
 
   const params: SearchAlertsParams = {
     data: mockDataPlugin as unknown as DataPublicPluginStart,
-    featureIds: ['siem'],
+    ruleTypeIds: ['siem.esqlRule'],
+    consumers: ['siem'],
     fields: [
       { field: 'kibana.rule.type.id', include_unmapped: true },
       { field: '*', include_unmapped: true },
@@ -237,7 +238,8 @@ describe('searchAlerts', () => {
     expect(mockDataPlugin.search.search).toHaveBeenCalledTimes(1);
     expect(mockDataPlugin.search.search).toHaveBeenCalledWith(
       {
-        featureIds: params.featureIds,
+        ruleTypeIds: params.ruleTypeIds,
+        consumers: params.consumers,
         fields: [...params.fields!],
         pagination: {
           pageIndex: params.pageIndex,
diff --git a/packages/kbn-alerts-ui-shared/src/common/apis/search_alerts/search_alerts.ts b/packages/kbn-alerts-ui-shared/src/common/apis/search_alerts/search_alerts.ts
index 67edae6ade81d..232d1bf20fc68 100644
--- a/packages/kbn-alerts-ui-shared/src/common/apis/search_alerts/search_alerts.ts
+++ b/packages/kbn-alerts-ui-shared/src/common/apis/search_alerts/search_alerts.ts
@@ -15,7 +15,6 @@ import type {
 } from '@kbn/alerting-types';
 import { set } from '@kbn/safer-lodash-set';
 import type { DataPublicPluginStart } from '@kbn/data-plugin/public';
-import type { ValidFeatureId } from '@kbn/rule-data-utils';
 import type {
   MappingRuntimeFields,
   QueryDslFieldAndFormat,
@@ -37,9 +36,13 @@ export interface SearchAlertsParams {
 
   // Parameters
   /**
-   * Array of feature ids used for authorization and area-based filtering
+   * Array of rule type ids used area-based filtering
    */
-  featureIds: ValidFeatureId[];
+  ruleTypeIds: string[];
+  /**
+   * Array of consumers used area-based filtering
+   */
+  consumers?: string[];
   /**
    * ES query to perform on the affected alert indices
    */
@@ -80,7 +83,8 @@ export interface SearchAlertsResult {
 export const searchAlerts = ({
   data,
   signal,
-  featureIds,
+  ruleTypeIds,
+  consumers,
   fields,
   query,
   sort,
@@ -92,7 +96,8 @@ export const searchAlerts = ({
     data.search
       .search<RuleRegistrySearchRequest, RuleRegistrySearchResponse>(
         {
-          featureIds,
+          ruleTypeIds,
+          consumers,
           fields,
           query,
           pagination: { pageIndex, pageSize },
diff --git a/packages/kbn-alerts-ui-shared/src/common/hooks/index.ts b/packages/kbn-alerts-ui-shared/src/common/hooks/index.ts
index 2c9988f2be0db..8abf5482682f5 100644
--- a/packages/kbn-alerts-ui-shared/src/common/hooks/index.ts
+++ b/packages/kbn-alerts-ui-shared/src/common/hooks/index.ts
@@ -20,5 +20,4 @@ export * from './use_load_rule_types_query';
 export * from './use_load_ui_config';
 export * from './use_load_ui_health';
 export * from './use_resolve_rule';
-export * from './use_rule_aad_fields';
 export * from './use_update_rule';
diff --git a/packages/kbn-alerts-ui-shared/src/common/hooks/use_alerts_data_view.test.tsx b/packages/kbn-alerts-ui-shared/src/common/hooks/use_alerts_data_view.test.tsx
index b4945f298a696..28636dbd64c73 100644
--- a/packages/kbn-alerts-ui-shared/src/common/hooks/use_alerts_data_view.test.tsx
+++ b/packages/kbn-alerts-ui-shared/src/common/hooks/use_alerts_data_view.test.tsx
@@ -8,7 +8,6 @@
  */
 
 import React from 'react';
-import { AlertConsumers } from '@kbn/rule-data-utils';
 import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
 import { renderHook, waitFor } from '@testing-library/react';
 import { DataView } from '@kbn/data-views-plugin/common';
@@ -42,6 +41,7 @@ const mockServices = {
   toasts: notificationServiceMock.createStartContract().toasts,
   dataViewsService: dataViewPluginMocks.createStartContract(),
 };
+
 mockServices.dataViewsService.create.mockResolvedValue(mockDataView);
 
 const queryClient = new QueryClient(testQueryClientConfig);
@@ -51,13 +51,6 @@ const wrapper: React.FC<React.PropsWithChildren<{}>> = ({ children }) => (
 );
 
 describe('useAlertsDataView', () => {
-  const observabilityFeatureIds = [
-    AlertConsumers.APM,
-    AlertConsumers.INFRASTRUCTURE,
-    AlertConsumers.LOGS,
-    AlertConsumers.UPTIME,
-  ];
-
   beforeEach(() => {
     jest.clearAllMocks();
     queryClient.clear();
@@ -73,7 +66,7 @@ describe('useAlertsDataView', () => {
       () =>
         useAlertsDataView({
           ...mockServices,
-          featureIds: observabilityFeatureIds,
+          ruleTypeIds: ['apm'],
         }),
       {
         wrapper,
@@ -83,12 +76,12 @@ describe('useAlertsDataView', () => {
     await waitFor(() => expect(result.current).toEqual(mockedAsyncDataView));
   });
 
-  it('fetches indexes and fields for non-siem feature ids, returning a DataViewBase object', async () => {
+  it('fetches indexes and fields for non-siem rule type ids, returning a DataViewBase object', async () => {
     const { result } = renderHook(
       () =>
         useAlertsDataView({
           ...mockServices,
-          featureIds: observabilityFeatureIds,
+          ruleTypeIds: ['apm, .es-query'],
         }),
       {
         wrapper,
@@ -102,9 +95,9 @@ describe('useAlertsDataView', () => {
     expect(result.current.dataView).not.toBe(mockDataView);
   });
 
-  it('only fetches index names for the siem feature id, returning a DataView', async () => {
+  it('only fetches index names for the siem rule type ids, returning a DataView', async () => {
     const { result } = renderHook(
-      () => useAlertsDataView({ ...mockServices, featureIds: [AlertConsumers.SIEM] }),
+      () => useAlertsDataView({ ...mockServices, ruleTypeIds: ['siem.esqlRule', 'siem.eqlRule'] }),
       {
         wrapper,
       }
@@ -116,12 +109,34 @@ describe('useAlertsDataView', () => {
     await waitFor(() => expect(result.current.dataView).toBe(mockDataView));
   });
 
-  it('does not fetch anything if siem and other feature ids are mixed together', async () => {
+  it('does not fetch anything if siem and other rule type ids are mixed together', async () => {
+    const { result } = renderHook(
+      () =>
+        useAlertsDataView({
+          ...mockServices,
+          ruleTypeIds: ['siem.esqlRule', 'apm', 'logs'],
+        }),
+      {
+        wrapper,
+      }
+    );
+
+    await waitFor(() =>
+      expect(result.current).toEqual({
+        isLoading: false,
+        dataView: undefined,
+      })
+    );
+    expect(mockFetchAlertsIndexNames).toHaveBeenCalledTimes(0);
+    expect(mockFetchAlertsFields).toHaveBeenCalledTimes(0);
+  });
+
+  it('does not fetch anything with empty array nor create a virtual data view', async () => {
     const { result } = renderHook(
       () =>
         useAlertsDataView({
           ...mockServices,
-          featureIds: [AlertConsumers.SIEM, AlertConsumers.LOGS],
+          ruleTypeIds: [],
         }),
       {
         wrapper,
@@ -136,13 +151,14 @@ describe('useAlertsDataView', () => {
     );
     expect(mockFetchAlertsIndexNames).toHaveBeenCalledTimes(0);
     expect(mockFetchAlertsFields).toHaveBeenCalledTimes(0);
+    expect(mockServices.dataViewsService.create).not.toHaveBeenCalled();
   });
 
   it('returns an undefined data view if any of the queries fails', async () => {
     mockFetchAlertsIndexNames.mockRejectedValue('error');
 
     const { result } = renderHook(
-      () => useAlertsDataView({ ...mockServices, featureIds: observabilityFeatureIds }),
+      () => useAlertsDataView({ ...mockServices, ruleTypeIds: ['.es-query'] }),
       {
         wrapper,
       }
@@ -159,7 +175,7 @@ describe('useAlertsDataView', () => {
   it('shows an error toast if any of the queries fails', async () => {
     mockFetchAlertsIndexNames.mockRejectedValue('error');
 
-    renderHook(() => useAlertsDataView({ ...mockServices, featureIds: observabilityFeatureIds }), {
+    renderHook(() => useAlertsDataView({ ...mockServices, ruleTypeIds: ['.es-query'] }), {
       wrapper,
     });
 
diff --git a/packages/kbn-alerts-ui-shared/src/common/hooks/use_alerts_data_view.ts b/packages/kbn-alerts-ui-shared/src/common/hooks/use_alerts_data_view.ts
index d708bc6310ede..db76798f66112 100644
--- a/packages/kbn-alerts-ui-shared/src/common/hooks/use_alerts_data_view.ts
+++ b/packages/kbn-alerts-ui-shared/src/common/hooks/use_alerts_data_view.ts
@@ -10,10 +10,12 @@
 import { useEffect, useMemo } from 'react';
 import { i18n } from '@kbn/i18n';
 import { DataView, DataViewsContract, FieldSpec } from '@kbn/data-views-plugin/common';
-import { AlertConsumers, ValidFeatureId } from '@kbn/rule-data-utils';
+import { isSiemRuleType } from '@kbn/rule-data-utils';
 import type { ToastsStart, HttpStart } from '@kbn/core/public';
 
 import { DataViewBase } from '@kbn/es-query';
+import type { FieldDescriptor } from '@kbn/data-views-plugin/server';
+import { BrowserFields } from '@kbn/alerting-types';
 import { useVirtualDataViewQuery } from './use_virtual_data_view_query';
 import { useFetchAlertsFieldsQuery } from './use_fetch_alerts_fields_query';
 import { useFetchAlertsIndexNamesQuery } from './use_fetch_alerts_index_names_query';
@@ -26,12 +28,12 @@ export interface UseAlertsDataViewParams {
 
   // Params
   /**
-   * Array of feature ids used for authorization and area-based filtering
+   * Array of rule type ids used for authorization and area-based filtering
    *
    * Security data views must be requested in isolation (i.e. `['siem']`). If mixed with
-   * other feature ids, the resulting data view will be empty.
+   * other rule type ids, the resulting data view will be empty.
    */
-  featureIds: ValidFeatureId[];
+  ruleTypeIds: string[];
 }
 
 export interface UseAlertsDataViewResult {
@@ -53,7 +55,7 @@ const resolveDataView = ({
   isError: boolean;
   virtualDataView?: DataView;
   indexNames?: string[];
-  fields?: { fields: FieldSpec[] };
+  fields?: { browserFields: BrowserFields; fields: FieldDescriptor[] };
 }) => {
   if (isError) {
     return;
@@ -93,11 +95,11 @@ export const useAlertsDataView = ({
   http,
   dataViewsService,
   toasts,
-  featureIds,
+  ruleTypeIds,
 }: UseAlertsDataViewParams): UseAlertsDataViewResult => {
-  const includesSecurity = featureIds.includes(AlertConsumers.SIEM);
-  const isOnlySecurity = featureIds.length === 1 && includesSecurity;
-  const hasMixedFeatureIds = featureIds.length > 1 && includesSecurity;
+  const includesSecurity = ruleTypeIds.some(isSiemRuleType);
+  const isOnlySecurity = ruleTypeIds.length > 0 && ruleTypeIds.every(isSiemRuleType);
+  const hasMixedFeatureIds = !isOnlySecurity && includesSecurity;
 
   const {
     data: indexNames,
@@ -105,10 +107,10 @@ export const useAlertsDataView = ({
     isLoading: isLoadingIndexNames,
     isInitialLoading: isInitialLoadingIndexNames,
   } = useFetchAlertsIndexNamesQuery(
-    { http, featureIds },
+    { http, ruleTypeIds },
     {
       // Don't fetch index names when featureIds includes both Security Solution and other features
-      enabled: !!featureIds.length && (isOnlySecurity || !includesSecurity),
+      enabled: !!ruleTypeIds.length && (isOnlySecurity || !includesSecurity),
     }
   );
 
@@ -118,10 +120,10 @@ export const useAlertsDataView = ({
     isLoading: isLoadingFields,
     isInitialLoading: isInitialLoadingFields,
   } = useFetchAlertsFieldsQuery(
-    { http, featureIds },
+    { http, ruleTypeIds },
     {
-      // Don't fetch fields when featureIds includes Security Solution
-      enabled: !!featureIds.length && !includesSecurity,
+      // Don't fetch fields when ruleTypeIds includes Security Solution
+      enabled: !!ruleTypeIds.length && !includesSecurity,
     }
   );
 
@@ -167,7 +169,7 @@ export const useAlertsDataView = ({
 
   return useMemo(() => {
     let isLoading: boolean;
-    if (!featureIds.length || hasMixedFeatureIds) {
+    if (!ruleTypeIds.length || hasMixedFeatureIds) {
       isLoading = false;
     } else {
       if (isOnlySecurity) {
@@ -180,13 +182,14 @@ export const useAlertsDataView = ({
           isLoadingFields;
       }
     }
+
     return {
       dataView,
       isLoading,
     };
   }, [
     dataView,
-    featureIds.length,
+    ruleTypeIds.length,
     hasMixedFeatureIds,
     isInitialLoadingFields,
     isInitialLoadingIndexNames,
diff --git a/packages/kbn-alerts-ui-shared/src/common/hooks/use_fetch_alerts_fields_query.test.tsx b/packages/kbn-alerts-ui-shared/src/common/hooks/use_fetch_alerts_fields_query.test.tsx
index 39818fab28cbf..7d66c6cdf0657 100644
--- a/packages/kbn-alerts-ui-shared/src/common/hooks/use_fetch_alerts_fields_query.test.tsx
+++ b/packages/kbn-alerts-ui-shared/src/common/hooks/use_fetch_alerts_fields_query.test.tsx
@@ -8,7 +8,6 @@
  */
 
 import React, { FC } from 'react';
-import { AlertConsumers } from '@kbn/rule-data-utils';
 import * as ReactQuery from '@tanstack/react-query';
 import { waitFor, renderHook } from '@testing-library/react';
 import { testQueryClientConfig } from '../test_utils/test_query_client_config';
@@ -48,9 +47,9 @@ describe('useFetchAlertsFieldsQuery', () => {
     queryClient.clear();
   });
 
-  it('should not fetch for siem', () => {
+  it('should not fetch for siem rule types', () => {
     const { result } = renderHook(
-      () => useFetchAlertsFieldsQuery({ http: mockHttpClient, featureIds: ['siem'] }),
+      () => useFetchAlertsFieldsQuery({ http: mockHttpClient, ruleTypeIds: ['siem.esqlRule'] }),
       {
         wrapper,
       }
@@ -63,14 +62,14 @@ describe('useFetchAlertsFieldsQuery', () => {
   it('should correctly override the `enabled` option', () => {
     const { rerender } = renderHook(
       ({
-        featureIds,
+        ruleTypeIds,
         enabled,
-      }: React.PropsWithChildren<{ featureIds: AlertConsumers[]; enabled?: boolean }>) =>
-        useFetchAlertsFieldsQuery({ http: mockHttpClient, featureIds }, { enabled }),
+      }: React.PropsWithChildren<{ ruleTypeIds: string[]; enabled?: boolean }>) =>
+        useFetchAlertsFieldsQuery({ http: mockHttpClient, ruleTypeIds }, { enabled }),
       {
         wrapper,
         initialProps: {
-          featureIds: ['apm'],
+          ruleTypeIds: ['apm'],
           enabled: false,
         },
       }
@@ -78,18 +77,18 @@ describe('useFetchAlertsFieldsQuery', () => {
 
     expect(useQuerySpy).toHaveBeenCalledWith(expect.objectContaining({ enabled: false }));
 
-    rerender({ featureIds: [], enabled: true });
+    rerender({ ruleTypeIds: [], enabled: true });
 
     expect(useQuerySpy).toHaveBeenCalledWith(expect.objectContaining({ enabled: false }));
 
-    rerender({ featureIds: ['apm'] });
+    rerender({ ruleTypeIds: ['apm'] });
 
     expect(useQuerySpy).toHaveBeenCalledWith(expect.objectContaining({ enabled: true }));
   });
 
   it('should call the api only once', async () => {
     const { result, rerender } = renderHook(
-      () => useFetchAlertsFieldsQuery({ http: mockHttpClient, featureIds: ['apm'] }),
+      () => useFetchAlertsFieldsQuery({ http: mockHttpClient, ruleTypeIds: ['apm'] }),
       {
         wrapper,
       }
@@ -122,30 +121,12 @@ describe('useFetchAlertsFieldsQuery', () => {
     });
   });
 
-  it('should not fetch if the only featureId is not valid', async () => {
+  it('should not fetch if all rule types are siem', async () => {
     const { result } = renderHook(
       () =>
         useFetchAlertsFieldsQuery({
           http: mockHttpClient,
-          featureIds: ['alerts'] as unknown as AlertConsumers[],
-        }),
-      {
-        wrapper,
-      }
-    );
-
-    await waitFor(() => {
-      expect(mockHttpGet).toHaveBeenCalledTimes(0);
-      expect(result.current.data).toEqual(emptyData);
-    });
-  });
-
-  it('should not fetch if all featureId are not valid', async () => {
-    const { result } = renderHook(
-      () =>
-        useFetchAlertsFieldsQuery({
-          http: mockHttpClient,
-          featureIds: ['alerts', 'tomato'] as unknown as AlertConsumers[],
+          ruleTypeIds: ['siem.esqlRule', 'siem.eqlRule'],
         }),
       {
         wrapper,
@@ -163,7 +144,7 @@ describe('useFetchAlertsFieldsQuery', () => {
       () =>
         useFetchAlertsFieldsQuery({
           http: mockHttpClient,
-          featureIds: ['alerts', 'apm', 'logs'] as AlertConsumers[],
+          ruleTypeIds: ['siem.esqlRule', 'apm', 'logs'],
         }),
       {
         wrapper,
@@ -173,7 +154,7 @@ describe('useFetchAlertsFieldsQuery', () => {
     await waitFor(() => {
       expect(mockHttpGet).toHaveBeenCalledTimes(1);
       expect(mockHttpGet).toHaveBeenCalledWith('/internal/rac/alerts/browser_fields', {
-        query: { featureIds: ['apm', 'logs'] },
+        query: { ruleTypeIds: ['apm', 'logs'] },
       });
     });
   });
diff --git a/packages/kbn-alerts-ui-shared/src/common/hooks/use_fetch_alerts_fields_query.ts b/packages/kbn-alerts-ui-shared/src/common/hooks/use_fetch_alerts_fields_query.ts
index 7a673b3f7625e..5099587904f4c 100644
--- a/packages/kbn-alerts-ui-shared/src/common/hooks/use_fetch_alerts_fields_query.ts
+++ b/packages/kbn-alerts-ui-shared/src/common/hooks/use_fetch_alerts_fields_query.ts
@@ -7,15 +7,13 @@
  * License v3.0 only", or the "Server Side Public License, v 1".
  */
 
-import { AlertConsumers, isValidFeatureId } from '@kbn/rule-data-utils';
+import { isSiemRuleType } from '@kbn/rule-data-utils';
 import { useQuery } from '@tanstack/react-query';
 import type { QueryOptionsOverrides } from '../types/tanstack_query_utility_types';
 import { fetchAlertsFields, FetchAlertsFieldsParams } from '../apis/fetch_alerts_fields';
 
 export type UseFetchAlertsFieldsQueryParams = FetchAlertsFieldsParams;
 
-const UNSUPPORTED_FEATURE_ID = AlertConsumers.SIEM;
-
 export const queryKeyPrefix = ['alerts', fetchAlertsFields.name];
 
 /**
@@ -31,19 +29,17 @@ export const useFetchAlertsFieldsQuery = (
     'placeholderData' | 'context' | 'onError' | 'refetchOnWindowFocus' | 'staleTime' | 'enabled'
   >
 ) => {
-  const { featureIds } = params;
+  const { ruleTypeIds } = params;
 
-  const validFeatureIds = featureIds.filter(
-    (fid) => isValidFeatureId(fid) && fid !== UNSUPPORTED_FEATURE_ID
-  );
+  const validRuleTypeIds = ruleTypeIds.filter((ruleTypeId) => !isSiemRuleType(ruleTypeId));
 
   return useQuery({
-    queryKey: queryKeyPrefix.concat(featureIds),
-    queryFn: () => fetchAlertsFields({ http, featureIds: validFeatureIds }),
+    queryKey: queryKeyPrefix.concat(ruleTypeIds),
+    queryFn: () => fetchAlertsFields({ http, ruleTypeIds: validRuleTypeIds }),
     placeholderData: { browserFields: {}, fields: [] },
     staleTime: 60 * 1000,
     refetchOnWindowFocus: false,
     ...options,
-    enabled: validFeatureIds.length > 0 && (options?.enabled == null || options.enabled),
+    enabled: validRuleTypeIds.length > 0 && (options?.enabled == null || options.enabled),
   });
 };
diff --git a/packages/kbn-alerts-ui-shared/src/common/hooks/use_fetch_alerts_index_names_query.test.tsx b/packages/kbn-alerts-ui-shared/src/common/hooks/use_fetch_alerts_index_names_query.test.tsx
index c3480a6ce2675..e621b857dc713 100644
--- a/packages/kbn-alerts-ui-shared/src/common/hooks/use_fetch_alerts_index_names_query.test.tsx
+++ b/packages/kbn-alerts-ui-shared/src/common/hooks/use_fetch_alerts_index_names_query.test.tsx
@@ -36,8 +36,8 @@ describe('useFetchAlertsIndexNamesQuery', () => {
     queryClient.clear();
   });
 
-  it('does not fetch if featureIds is empty', () => {
-    renderHook(() => useFetchAlertsIndexNamesQuery({ http: mockHttpClient, featureIds: [] }), {
+  it('does not fetch if ruleTypeIds is empty', () => {
+    renderHook(() => useFetchAlertsIndexNamesQuery({ http: mockHttpClient, ruleTypeIds: [] }), {
       wrapper,
     });
 
@@ -45,19 +45,22 @@ describe('useFetchAlertsIndexNamesQuery', () => {
   });
 
   it('calls fetchAlertsIndexNames with the correct parameters', () => {
-    renderHook(() => useFetchAlertsIndexNamesQuery({ http: mockHttpClient, featureIds: ['apm'] }), {
-      wrapper,
-    });
+    renderHook(
+      () => useFetchAlertsIndexNamesQuery({ http: mockHttpClient, ruleTypeIds: ['apm'] }),
+      {
+        wrapper,
+      }
+    );
 
     expect(mockFetchAlertsIndexNames).toHaveBeenCalledWith({
       http: mockHttpClient,
-      featureIds: ['apm'],
+      ruleTypeIds: ['apm'],
     });
   });
 
   it('correctly caches the index names', async () => {
     const { result, rerender } = renderHook(
-      () => useFetchAlertsIndexNamesQuery({ http: mockHttpClient, featureIds: ['apm'] }),
+      () => useFetchAlertsIndexNamesQuery({ http: mockHttpClient, ruleTypeIds: ['apm'] }),
       {
         wrapper,
       }
diff --git a/packages/kbn-alerts-ui-shared/src/common/hooks/use_fetch_alerts_index_names_query.ts b/packages/kbn-alerts-ui-shared/src/common/hooks/use_fetch_alerts_index_names_query.ts
index cd75d87fa9a98..80e53e961f4e3 100644
--- a/packages/kbn-alerts-ui-shared/src/common/hooks/use_fetch_alerts_index_names_query.ts
+++ b/packages/kbn-alerts-ui-shared/src/common/hooks/use_fetch_alerts_index_names_query.ts
@@ -25,16 +25,16 @@ export const queryKeyPrefix = ['alerts', fetchAlertsIndexNames.name];
  * @external https://tanstack.com/query/v4/docs/framework/react/guides/testing
  */
 export const useFetchAlertsIndexNamesQuery = (
-  { http, featureIds }: UseFetchAlertsIndexNamesQueryParams,
+  { http, ruleTypeIds }: UseFetchAlertsIndexNamesQueryParams,
   options?: Pick<
     QueryOptionsOverrides<typeof fetchAlertsIndexNames>,
     'context' | 'onError' | 'refetchOnWindowFocus' | 'staleTime' | 'enabled'
   >
 ) => {
   return useQuery({
-    queryKey: queryKeyPrefix.concat(featureIds),
-    queryFn: () => fetchAlertsIndexNames({ http, featureIds }),
-    enabled: featureIds.length > 0,
+    queryKey: queryKeyPrefix.concat(ruleTypeIds),
+    queryFn: () => fetchAlertsIndexNames({ http, ruleTypeIds }),
+    enabled: ruleTypeIds.length > 0,
     staleTime: 60 * 1000,
     refetchOnWindowFocus: false,
     ...options,
diff --git a/packages/kbn-alerts-ui-shared/src/common/hooks/use_find_alerts_query.test.tsx b/packages/kbn-alerts-ui-shared/src/common/hooks/use_find_alerts_query.test.tsx
new file mode 100644
index 0000000000000..4fe37fd7a6035
--- /dev/null
+++ b/packages/kbn-alerts-ui-shared/src/common/hooks/use_find_alerts_query.test.tsx
@@ -0,0 +1,53 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import React from 'react';
+import { renderHook } from '@testing-library/react-hooks';
+import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
+import { testQueryClientConfig } from '../test_utils/test_query_client_config';
+import { httpServiceMock } from '@kbn/core-http-browser-mocks';
+import { notificationServiceMock } from '@kbn/core-notifications-browser-mocks';
+import { useFindAlertsQuery } from './use_find_alerts_query';
+
+describe('useFindAlertsQuery', () => {
+  const mockServices = {
+    http: httpServiceMock.createStartContract(),
+    toasts: notificationServiceMock.createStartContract().toasts,
+  };
+
+  const queryClient = new QueryClient(testQueryClientConfig);
+
+  const wrapper: React.FC<React.PropsWithChildren<{}>> = ({ children }) => (
+    <QueryClientProvider client={queryClient}>{children}</QueryClientProvider>
+  );
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it('calls the api correctly', async () => {
+    const { result, waitForValueToChange } = renderHook(
+      () =>
+        useFindAlertsQuery({
+          ...mockServices,
+          params: { ruleTypeIds: ['foo'], consumers: ['bar'] },
+        }),
+      {
+        wrapper,
+      }
+    );
+
+    await waitForValueToChange(() => result.current.isLoading, { timeout: 5000 });
+
+    expect(mockServices.http.post).toHaveBeenCalledTimes(1);
+    expect(mockServices.http.post).toBeCalledWith('/internal/rac/alerts/find', {
+      body: '{"consumers":["bar"],"rule_type_ids":["foo"]}',
+    });
+  });
+});
diff --git a/packages/kbn-alerts-ui-shared/src/common/hooks/use_find_alerts_query.ts b/packages/kbn-alerts-ui-shared/src/common/hooks/use_find_alerts_query.ts
index 9cf79c7123a46..41e85a6bc83e0 100644
--- a/packages/kbn-alerts-ui-shared/src/common/hooks/use_find_alerts_query.ts
+++ b/packages/kbn-alerts-ui-shared/src/common/hooks/use_find_alerts_query.ts
@@ -19,7 +19,7 @@ export interface UseFindAlertsQueryProps {
   http: HttpStart;
   toasts: ToastsStart;
   enabled?: boolean;
-  params: ISearchRequestParams & { feature_ids?: string[] };
+  params: ISearchRequestParams & { ruleTypeIds?: string[]; consumers?: string[] };
 }
 
 /**
@@ -34,6 +34,7 @@ export const useFindAlertsQuery = <T>({
   enabled = true,
   params,
 }: UseFindAlertsQueryProps) => {
+  const { ruleTypeIds, ...rest } = params;
   const onErrorFn = (error: Error) => {
     if (error) {
       toasts.addDanger(
@@ -48,7 +49,7 @@ export const useFindAlertsQuery = <T>({
     queryKey: ['findAlerts', JSON.stringify(params)],
     queryFn: () =>
       http.post<SearchResponseBody<{}, T>>(`${BASE_RAC_ALERTS_API_PATH}/find`, {
-        body: JSON.stringify(params),
+        body: JSON.stringify({ ...rest, rule_type_ids: ruleTypeIds }),
       }),
     onError: onErrorFn,
     refetchOnWindowFocus: false,
diff --git a/packages/kbn-alerts-ui-shared/src/common/hooks/use_get_alerts_group_aggregations_query.test.tsx b/packages/kbn-alerts-ui-shared/src/common/hooks/use_get_alerts_group_aggregations_query.test.tsx
index 50dcf3d7e2900..300af79530ff0 100644
--- a/packages/kbn-alerts-ui-shared/src/common/hooks/use_get_alerts_group_aggregations_query.test.tsx
+++ b/packages/kbn-alerts-ui-shared/src/common/hooks/use_get_alerts_group_aggregations_query.test.tsx
@@ -11,7 +11,6 @@ import React from 'react';
 import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
 import type { HttpStart } from '@kbn/core-http-browser';
 import { ToastsStart } from '@kbn/core-notifications-browser';
-import { AlertConsumers } from '@kbn/rule-data-utils';
 
 import { useGetAlertsGroupAggregationsQuery } from './use_get_alerts_group_aggregations_query';
 import { waitFor, renderHook } from '@testing-library/react';
@@ -40,7 +39,8 @@ const mockToasts = {
 const toasts = mockToasts as unknown as ToastsStart;
 
 const params = {
-  featureIds: [AlertConsumers.STACK_ALERTS],
+  ruleTypeIds: ['.es-query'],
+  consumers: ['stackAlerts'],
   groupByField: 'kibana.alert.rule.name',
 };
 
diff --git a/packages/kbn-alerts-ui-shared/src/common/hooks/use_get_alerts_group_aggregations_query.ts b/packages/kbn-alerts-ui-shared/src/common/hooks/use_get_alerts_group_aggregations_query.ts
index 3c99dd6f607b3..e3c2d42a391e9 100644
--- a/packages/kbn-alerts-ui-shared/src/common/hooks/use_get_alerts_group_aggregations_query.ts
+++ b/packages/kbn-alerts-ui-shared/src/common/hooks/use_get_alerts_group_aggregations_query.ts
@@ -12,7 +12,6 @@ import { useQuery } from '@tanstack/react-query';
 import type { HttpStart } from '@kbn/core-http-browser';
 import type { ToastsStart } from '@kbn/core-notifications-browser';
 import { SearchResponseBody } from '@elastic/elasticsearch/lib/api/types';
-import { AlertConsumers } from '@kbn/rule-data-utils';
 import type {
   AggregationsAggregationContainer,
   QueryDslQueryContainer,
@@ -25,7 +24,8 @@ export interface UseGetAlertsGroupAggregationsQueryProps {
   toasts: ToastsStart;
   enabled?: boolean;
   params: {
-    featureIds: AlertConsumers[];
+    ruleTypeIds: string[];
+    consumers?: string[];
     groupByField: string;
     aggregations?: Record<string, AggregationsAggregationContainer>;
     filters?: QueryDslQueryContainer[];
@@ -49,7 +49,7 @@ export interface UseGetAlertsGroupAggregationsQueryProps {
  * `groupByField` buckets computed over a field with a null/absent value are marked with the
  * `isNullGroup` flag set to true and their key is set to the `--` string.
  *
- * Applies alerting RBAC through featureIds.
+ * Applies alerting RBAC through ruleTypeIds.
  */
 export const useGetAlertsGroupAggregationsQuery = <T>({
   http,
@@ -61,7 +61,7 @@ export const useGetAlertsGroupAggregationsQuery = <T>({
     if (error) {
       toasts.addDanger(
         i18n.translate(
-          'alertsUIShared.hooks.useFindAlertsQuery.unableToFetchAlertsGroupingAggregations',
+          'alertsUIShared.hooks.useGetAlertsGroupAggregationsQuery.unableToFetchAlertsGroupingAggregations',
           {
             defaultMessage: 'Unable to fetch alerts grouping aggregations',
           }
diff --git a/packages/kbn-alerts-ui-shared/src/common/hooks/use_rule_aad_fields.ts b/packages/kbn-alerts-ui-shared/src/common/hooks/use_rule_aad_fields.ts
deleted file mode 100644
index 599fd4d0d3580..0000000000000
--- a/packages/kbn-alerts-ui-shared/src/common/hooks/use_rule_aad_fields.ts
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the "Elastic License
- * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
- * Public License v 1"; you may not use this file except in compliance with, at
- * your election, the "Elastic License 2.0", the "GNU Affero General Public
- * License v3.0 only", or the "Server Side Public License, v 1".
- */
-
-import { useMemo } from 'react';
-import { useQuery } from '@tanstack/react-query';
-import { i18n } from '@kbn/i18n';
-import type { ToastsStart, HttpStart } from '@kbn/core/public';
-import type { DataViewField } from '@kbn/data-views-plugin/common';
-import { EMPTY_AAD_FIELDS } from '../constants';
-import { fetchRuleTypeAadTemplateFields } from '../apis';
-
-export interface UseRuleAADFieldsProps {
-  ruleTypeId?: string;
-  http: HttpStart;
-  toasts: ToastsStart;
-}
-
-export interface UseRuleAADFieldsResult {
-  aadFields: DataViewField[];
-  loading: boolean;
-}
-
-export function useRuleAADFields(props: UseRuleAADFieldsProps): UseRuleAADFieldsResult {
-  const { ruleTypeId, http, toasts } = props;
-
-  const queryAadFieldsFn = () => {
-    return fetchRuleTypeAadTemplateFields({ http, ruleTypeId });
-  };
-
-  const onErrorFn = () => {
-    toasts.addDanger(
-      i18n.translate('alertsUIShared.hooks.useRuleAADFields.errorMessage', {
-        defaultMessage: 'Unable to load alert fields per rule type',
-      })
-    );
-  };
-
-  const {
-    data: aadFields = EMPTY_AAD_FIELDS,
-    isInitialLoading,
-    isLoading,
-  } = useQuery({
-    queryKey: ['loadAlertAadFieldsPerRuleType', ruleTypeId],
-    queryFn: queryAadFieldsFn,
-    onError: onErrorFn,
-    refetchOnWindowFocus: false,
-    enabled: ruleTypeId !== undefined,
-  });
-
-  return useMemo(
-    () => ({
-      aadFields,
-      loading: ruleTypeId === undefined ? false : isInitialLoading || isLoading,
-    }),
-    [aadFields, isInitialLoading, isLoading, ruleTypeId]
-  );
-}
diff --git a/packages/kbn-alerts-ui-shared/src/common/hooks/use_search_alerts_query.test.tsx b/packages/kbn-alerts-ui-shared/src/common/hooks/use_search_alerts_query.test.tsx
index 4d1d8c93407e7..c3ccf7528b9e1 100644
--- a/packages/kbn-alerts-ui-shared/src/common/hooks/use_search_alerts_query.test.tsx
+++ b/packages/kbn-alerts-ui-shared/src/common/hooks/use_search_alerts_query.test.tsx
@@ -98,7 +98,8 @@ describe('useSearchAlertsQuery', () => {
 
   const params: UseSearchAlertsQueryParams = {
     data: mockDataPlugin as unknown as DataPublicPluginStart,
-    featureIds: ['siem'],
+    ruleTypeIds: ['siem.esqlRule'],
+    consumers: ['siem'],
     fields: [
       { field: 'kibana.rule.type.id', include_unmapped: true },
       { field: '*', include_unmapped: true },
@@ -125,6 +126,33 @@ describe('useSearchAlertsQuery', () => {
     queryClient.removeQueries();
   });
 
+  it('calls searchAlerts with correct arguments', async () => {
+    const { result } = renderHook(() => useSearchAlertsQuery(params), {
+      wrapper,
+    });
+
+    await waitFor(() => expect(result.current.data).toBeDefined());
+
+    expect(mockDataPlugin.search.search).toHaveBeenCalledWith(
+      {
+        consumers: ['siem'],
+        fields: [
+          { field: 'kibana.rule.type.id', include_unmapped: true },
+          { field: '*', include_unmapped: true },
+        ],
+        pagination: { pageIndex: 0, pageSize: 10 },
+        query: { ids: { values: ['alert-id-1'] } },
+        ruleTypeIds: ['siem.esqlRule'],
+        runtimeMappings: undefined,
+        sort: [],
+      },
+      {
+        abortSignal: expect.any(AbortSignal),
+        strategy: 'privateRuleRegistryAlertsSearchStrategy',
+      }
+    );
+  });
+
   it('returns the response correctly', async () => {
     const { result } = renderHook(() => useSearchAlertsQuery(params), {
       wrapper,
@@ -263,8 +291,8 @@ describe('useSearchAlertsQuery', () => {
     });
   });
 
-  it('does not fetch with no feature ids', () => {
-    const { result } = renderHook(() => useSearchAlertsQuery({ ...params, featureIds: [] }), {
+  it('does not fetch with no rule type ids', () => {
+    const { result } = renderHook(() => useSearchAlertsQuery({ ...params, ruleTypeIds: [] }), {
       wrapper,
     });
 
diff --git a/packages/kbn-alerts-ui-shared/src/common/hooks/use_search_alerts_query.ts b/packages/kbn-alerts-ui-shared/src/common/hooks/use_search_alerts_query.ts
index ebc0921909fb4..4450afa788c39 100644
--- a/packages/kbn-alerts-ui-shared/src/common/hooks/use_search_alerts_query.ts
+++ b/packages/kbn-alerts-ui-shared/src/common/hooks/use_search_alerts_query.ts
@@ -29,7 +29,8 @@ export const queryKeyPrefix = ['alerts', searchAlerts.name];
  */
 export const useSearchAlertsQuery = ({ data, ...params }: UseSearchAlertsQueryParams) => {
   const {
-    featureIds,
+    ruleTypeIds,
+    consumers,
     fields,
     query = {
       bool: {},
@@ -49,7 +50,8 @@ export const useSearchAlertsQuery = ({ data, ...params }: UseSearchAlertsQueryPa
       searchAlerts({
         data,
         signal,
-        featureIds,
+        ruleTypeIds,
+        consumers,
         fields,
         query,
         sort,
@@ -59,7 +61,7 @@ export const useSearchAlertsQuery = ({ data, ...params }: UseSearchAlertsQueryPa
       }),
     refetchOnWindowFocus: false,
     context: AlertsQueryContext,
-    enabled: featureIds.length > 0,
+    enabled: ruleTypeIds.length > 0,
     // To avoid flash of empty state with pagination, see https://tanstack.com/query/latest/docs/framework/react/guides/paginated-queries#better-paginated-queries-with-placeholderdata
     keepPreviousData: true,
     placeholderData: {
diff --git a/packages/kbn-alerts-ui-shared/src/maintenance_window_callout/index.tsx b/packages/kbn-alerts-ui-shared/src/maintenance_window_callout/index.tsx
index fafef06cf3da2..072536b92a6f6 100644
--- a/packages/kbn-alerts-ui-shared/src/maintenance_window_callout/index.tsx
+++ b/packages/kbn-alerts-ui-shared/src/maintenance_window_callout/index.tsx
@@ -93,6 +93,7 @@ export function MaintenanceWindowCallout({
           .flat()
       )
     );
+
     const activeCategories = activeCategoryIds
       .map(
         (categoryId) =>
diff --git a/packages/kbn-alerts-ui-shared/src/rule_form/rule_actions/rule_actions_alerts_filter.test.tsx b/packages/kbn-alerts-ui-shared/src/rule_form/rule_actions/rule_actions_alerts_filter.test.tsx
index 9b7502add4045..0d97c7b5a1e12 100644
--- a/packages/kbn-alerts-ui-shared/src/rule_form/rule_actions/rule_actions_alerts_filter.test.tsx
+++ b/packages/kbn-alerts-ui-shared/src/rule_form/rule_actions/rule_actions_alerts_filter.test.tsx
@@ -107,7 +107,7 @@ describe('ruleActionsAlertsFilter', () => {
         action={getAction('1')}
         onChange={mockOnChange}
         appName="stackAlerts"
-        featureIds={['stackAlerts']}
+        ruleTypeId=".es-query"
       />
     );
 
@@ -120,7 +120,7 @@ describe('ruleActionsAlertsFilter', () => {
         action={getAction('1')}
         onChange={mockOnChange}
         appName="stackAlerts"
-        featureIds={['stackAlerts']}
+        ruleTypeId=".es-query"
       />
     );
 
@@ -142,7 +142,7 @@ describe('ruleActionsAlertsFilter', () => {
         })}
         onChange={mockOnChange}
         appName="stackAlerts"
-        featureIds={['stackAlerts']}
+        ruleTypeId=".es-query"
       />
     );
 
@@ -164,7 +164,7 @@ describe('ruleActionsAlertsFilter', () => {
         })}
         onChange={mockOnChange}
         appName="stackAlerts"
-        featureIds={['stackAlerts']}
+        ruleTypeId=".es-query"
       />
     );
 
@@ -241,7 +241,6 @@ describe('ruleActionsAlertsFilter', () => {
         })}
         onChange={mockOnChange}
         appName="stackAlerts"
-        featureIds={['stackAlerts']}
       />
     );
 
diff --git a/packages/kbn-alerts-ui-shared/src/rule_form/rule_actions/rule_actions_alerts_filter.tsx b/packages/kbn-alerts-ui-shared/src/rule_form/rule_actions/rule_actions_alerts_filter.tsx
index a5bbacc74d7a5..a305c45d7961a 100644
--- a/packages/kbn-alerts-ui-shared/src/rule_form/rule_actions/rule_actions_alerts_filter.tsx
+++ b/packages/kbn-alerts-ui-shared/src/rule_form/rule_actions/rule_actions_alerts_filter.tsx
@@ -8,7 +8,6 @@
  */
 
 import React, { useCallback, useEffect, useMemo, useState } from 'react';
-import { ValidFeatureId } from '@kbn/rule-data-utils';
 import { Filter } from '@kbn/es-query';
 import { i18n } from '@kbn/i18n';
 import { EuiSwitch, EuiSpacer } from '@elastic/eui';
@@ -25,7 +24,6 @@ export interface RuleActionsAlertsFilterProps {
   action: RuleAction;
   onChange: (update?: AlertsFilter['query']) => void;
   appName: string;
-  featureIds: ValidFeatureId[];
   ruleTypeId?: string;
   plugins?: {
     http: RuleFormPlugins['http'];
@@ -39,7 +37,6 @@ export const RuleActionsAlertsFilter = ({
   action,
   onChange,
   appName,
-  featureIds,
   ruleTypeId,
   plugins: propsPlugins,
 }: RuleActionsAlertsFilterProps) => {
@@ -101,6 +98,8 @@ export const RuleActionsAlertsFilter = ({
     [updateQuery]
   );
 
+  const ruleTypeIds = useMemo(() => (ruleTypeId != null ? [ruleTypeId] : []), [ruleTypeId]);
+
   return (
     <>
       <EuiSwitch
@@ -123,8 +122,7 @@ export const RuleActionsAlertsFilter = ({
             unifiedSearchBar={unifiedSearch.ui.SearchBar}
             dataService={data}
             appName={appName}
-            featureIds={featureIds}
-            ruleTypeId={ruleTypeId}
+            ruleTypeIds={ruleTypeIds}
             disableQueryLanguageSwitcher={true}
             query={query.kql}
             filters={query.filters ?? []}
diff --git a/packages/kbn-alerts-ui-shared/src/rule_form/rule_actions/rule_actions_item.tsx b/packages/kbn-alerts-ui-shared/src/rule_form/rule_actions/rule_actions_item.tsx
index 9bf6cac970b19..41c8d1b904cd1 100644
--- a/packages/kbn-alerts-ui-shared/src/rule_form/rule_actions/rule_actions_item.tsx
+++ b/packages/kbn-alerts-ui-shared/src/rule_form/rule_actions/rule_actions_item.tsx
@@ -510,7 +510,6 @@ export const RuleActionsItem = (props: RuleActionsItemProps) => {
           {tab === SETTINGS_TAB && (
             <RuleActionsSettings
               action={action}
-              producerId={producerId}
               onUseDefaultMessageChange={() => setUseDefaultMessage(true)}
               onNotifyWhenChange={onNotifyWhenChange}
               onActionGroupChange={onActionGroupChange}
diff --git a/packages/kbn-alerts-ui-shared/src/rule_form/rule_actions/rule_actions_settings.test.tsx b/packages/kbn-alerts-ui-shared/src/rule_form/rule_actions/rule_actions_settings.test.tsx
index a9b9a5b9cc454..cd1c7dd95f26d 100644
--- a/packages/kbn-alerts-ui-shared/src/rule_form/rule_actions/rule_actions_settings.test.tsx
+++ b/packages/kbn-alerts-ui-shared/src/rule_form/rule_actions/rule_actions_settings.test.tsx
@@ -168,7 +168,6 @@ describe('ruleActionsSettings', () => {
     render(
       <RuleActionsSettings
         action={getAction('1')}
-        producerId="stackAlerts"
         onUseDefaultMessageChange={mockOnUseDefaultMessageChange}
         onNotifyWhenChange={mockOnNotifyWhenChange}
         onActionGroupChange={mockOnActionGroupChange}
@@ -185,7 +184,6 @@ describe('ruleActionsSettings', () => {
     render(
       <RuleActionsSettings
         action={getAction('1')}
-        producerId="stackAlerts"
         onUseDefaultMessageChange={mockOnUseDefaultMessageChange}
         onNotifyWhenChange={mockOnNotifyWhenChange}
         onActionGroupChange={mockOnActionGroupChange}
@@ -224,7 +222,6 @@ describe('ruleActionsSettings', () => {
             notifyWhen: 'onActionGroupChange',
           },
         })}
-        producerId="stackAlerts"
         onUseDefaultMessageChange={mockOnUseDefaultMessageChange}
         onNotifyWhenChange={mockOnNotifyWhenChange}
         onActionGroupChange={mockOnActionGroupChange}
@@ -261,7 +258,6 @@ describe('ruleActionsSettings', () => {
             notifyWhen: 'onActionGroupChange',
           },
         })}
-        producerId="stackAlerts"
         onUseDefaultMessageChange={mockOnUseDefaultMessageChange}
         onNotifyWhenChange={mockOnNotifyWhenChange}
         onActionGroupChange={mockOnActionGroupChange}
@@ -278,7 +274,6 @@ describe('ruleActionsSettings', () => {
     render(
       <RuleActionsSettings
         action={getAction('1')}
-        producerId="stackAlerts"
         onUseDefaultMessageChange={mockOnUseDefaultMessageChange}
         onNotifyWhenChange={mockOnNotifyWhenChange}
         onActionGroupChange={mockOnActionGroupChange}
@@ -304,7 +299,6 @@ describe('ruleActionsSettings', () => {
     render(
       <RuleActionsSettings
         action={getAction('1')}
-        producerId="stackAlerts"
         onUseDefaultMessageChange={mockOnUseDefaultMessageChange}
         onNotifyWhenChange={mockOnNotifyWhenChange}
         onActionGroupChange={mockOnActionGroupChange}
@@ -341,7 +335,6 @@ describe('ruleActionsSettings', () => {
     render(
       <RuleActionsSettings
         action={getAction('1')}
-        producerId="stackAlerts"
         onUseDefaultMessageChange={mockOnUseDefaultMessageChange}
         onNotifyWhenChange={mockOnNotifyWhenChange}
         onActionGroupChange={mockOnActionGroupChange}
@@ -375,7 +368,6 @@ describe('ruleActionsSettings', () => {
     render(
       <RuleActionsSettings
         action={getAction('1')}
-        producerId="stackAlerts"
         onUseDefaultMessageChange={mockOnUseDefaultMessageChange}
         onNotifyWhenChange={mockOnNotifyWhenChange}
         onActionGroupChange={mockOnActionGroupChange}
@@ -418,7 +410,6 @@ describe('ruleActionsSettings', () => {
     render(
       <RuleActionsSettings
         action={getAction('1')}
-        producerId="stackAlerts"
         onUseDefaultMessageChange={mockOnUseDefaultMessageChange}
         onNotifyWhenChange={mockOnNotifyWhenChange}
         onActionGroupChange={mockOnActionGroupChange}
@@ -429,4 +420,41 @@ describe('ruleActionsSettings', () => {
 
     expect(screen.queryByText('filter query error')).toBeInTheDocument();
   });
+
+  test('should show the rule actions filter for siem rule types', () => {
+    useRuleFormState.mockReturnValue({
+      plugins: {
+        settings: {},
+      },
+      formData: {
+        consumer: 'siem',
+        schedule: { interval: '5h' },
+      },
+      selectedRuleType: {
+        /**
+         * With the current configuration
+         * hasFieldsForAad will return false
+         * and we are testing the isSiemRuleType(ruleTypeId)
+         * branch of the code
+         */
+        ...ruleType,
+        id: 'siem.esqlRuleType',
+        hasFieldsForAAD: false,
+      },
+      selectedRuleTypeModel: ruleModel,
+    });
+
+    render(
+      <RuleActionsSettings
+        action={getAction('1')}
+        onUseDefaultMessageChange={mockOnUseDefaultMessageChange}
+        onNotifyWhenChange={mockOnNotifyWhenChange}
+        onActionGroupChange={mockOnActionGroupChange}
+        onAlertsFilterChange={mockOnAlertsFilterChange}
+        onTimeframeChange={mockOnTimeframeChange}
+      />
+    );
+
+    expect(screen.queryByText('RuleActionsAlertsFilter')).toBeInTheDocument();
+  });
 });
diff --git a/packages/kbn-alerts-ui-shared/src/rule_form/rule_actions/rule_actions_settings.tsx b/packages/kbn-alerts-ui-shared/src/rule_form/rule_actions/rule_actions_settings.tsx
index 4d748b8530cb5..a7c0fae73e964 100644
--- a/packages/kbn-alerts-ui-shared/src/rule_form/rule_actions/rule_actions_settings.tsx
+++ b/packages/kbn-alerts-ui-shared/src/rule_form/rule_actions/rule_actions_settings.tsx
@@ -16,7 +16,7 @@ import {
   RecoveredActionGroup,
   RuleActionFrequency,
 } from '@kbn/alerting-types';
-import { AlertConsumers, ValidFeatureId } from '@kbn/rule-data-utils';
+import { isSiemRuleType } from '@kbn/rule-data-utils';
 import { useRuleFormState } from '../hooks';
 import { RuleAction, RuleTypeWithDescription } from '../../common';
 import {
@@ -120,7 +120,6 @@ const actionGroupDisplay = ({
 
 export interface RuleActionsSettingsProps {
   action: RuleAction;
-  producerId: string;
   onUseDefaultMessageChange: () => void;
   onNotifyWhenChange: (frequency: RuleActionFrequency) => void;
   onActionGroupChange: (group: string) => void;
@@ -131,7 +130,6 @@ export interface RuleActionsSettingsProps {
 export const RuleActionsSettings = (props: RuleActionsSettingsProps) => {
   const {
     action,
-    producerId,
     onUseDefaultMessageChange,
     onNotifyWhenChange,
     onActionGroupChange,
@@ -190,12 +188,14 @@ export const RuleActionsSettings = (props: RuleActionsSettingsProps) => {
     minimumActionThrottleUnit,
   });
 
+  const ruleTypeId = selectedRuleType.id;
+
   const showActionAlertsFilter =
     hasFieldsForAad({
       ruleType: selectedRuleType,
       consumer,
       validConsumers,
-    }) || producerId === AlertConsumers.SIEM;
+    }) || isSiemRuleType(ruleTypeId);
 
   return (
     <EuiFlexGroup direction="column" data-test-subj="ruleActionsSettings">
@@ -258,9 +258,8 @@ export const RuleActionsSettings = (props: RuleActionsSettingsProps) => {
                 <RuleActionsAlertsFilter
                   action={action}
                   onChange={onAlertsFilterChange}
-                  featureIds={[producerId as ValidFeatureId]}
                   appName="stackAlerts"
-                  ruleTypeId={selectedRuleType.id}
+                  ruleTypeId={ruleTypeId}
                 />
               </EuiFormRow>
             </EuiFlexItem>
diff --git a/packages/kbn-alerts-ui-shared/src/rule_type_modal/components/helpers/filter_and_count_rule_types.test.ts b/packages/kbn-alerts-ui-shared/src/rule_type_modal/components/helpers/filter_and_count_rule_types.test.ts
index d15dd03d3999b..a03f119c5b97b 100644
--- a/packages/kbn-alerts-ui-shared/src/rule_type_modal/components/helpers/filter_and_count_rule_types.test.ts
+++ b/packages/kbn-alerts-ui-shared/src/rule_type_modal/components/helpers/filter_and_count_rule_types.test.ts
@@ -26,6 +26,7 @@ const mockRuleType: (
   recoveryActionGroup: { id: 'recovered', name: 'recovered' },
   actionGroups: [],
   defaultActionGroupId: 'default',
+  category: 'my-category',
 });
 
 const pickRuleTypeName = (ruleType: RuleTypeWithDescription) => ({ name: ruleType.name });
diff --git a/packages/kbn-alerts-ui-shared/src/rule_type_modal/components/rule_type_list.test.tsx b/packages/kbn-alerts-ui-shared/src/rule_type_modal/components/rule_type_list.test.tsx
index 7003b06875659..0e9dc8125eb50 100644
--- a/packages/kbn-alerts-ui-shared/src/rule_type_modal/components/rule_type_list.test.tsx
+++ b/packages/kbn-alerts-ui-shared/src/rule_type_modal/components/rule_type_list.test.tsx
@@ -31,6 +31,7 @@ const ruleTypes: RuleTypeWithDescription[] = [
       name: 'default',
     },
     defaultActionGroupId: '1',
+    category: 'my-category-1',
   },
   {
     id: '2',
@@ -49,6 +50,7 @@ const ruleTypes: RuleTypeWithDescription[] = [
       name: 'default',
     },
     defaultActionGroupId: '2',
+    category: 'my-category-2',
   },
   {
     id: '3',
@@ -67,6 +69,7 @@ const ruleTypes: RuleTypeWithDescription[] = [
       name: 'default',
     },
     defaultActionGroupId: '3',
+    category: 'my-category-3',
   },
 ];
 
diff --git a/packages/kbn-rule-data-utils/jest.config.js b/packages/kbn-rule-data-utils/jest.config.js
new file mode 100644
index 0000000000000..fd0feabd9f0ad
--- /dev/null
+++ b/packages/kbn-rule-data-utils/jest.config.js
@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+module.exports = {
+  preset: '@kbn/test',
+  rootDir: '../..',
+  roots: ['<rootDir>/packages/kbn-rule-data-utils'],
+};
diff --git a/packages/kbn-rule-data-utils/src/alerts_as_data_rbac.test.ts b/packages/kbn-rule-data-utils/src/alerts_as_data_rbac.test.ts
new file mode 100644
index 0000000000000..100b00a9acf60
--- /dev/null
+++ b/packages/kbn-rule-data-utils/src/alerts_as_data_rbac.test.ts
@@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { isSiemRuleType } from './alerts_as_data_rbac';
+
+describe('alertsAsDataRbac', () => {
+  describe('isSiemRuleType', () => {
+    test('returns true for siem rule types', () => {
+      expect(isSiemRuleType('siem.esqlRuleType')).toBe(true);
+    });
+
+    test('returns false for NON siem rule types', () => {
+      expect(isSiemRuleType('apm.anomaly')).toBe(false);
+    });
+  });
+});
diff --git a/packages/kbn-rule-data-utils/src/alerts_as_data_rbac.ts b/packages/kbn-rule-data-utils/src/alerts_as_data_rbac.ts
index 7c97259421f22..32606abe31b7b 100644
--- a/packages/kbn-rule-data-utils/src/alerts_as_data_rbac.ts
+++ b/packages/kbn-rule-data-utils/src/alerts_as_data_rbac.ts
@@ -28,6 +28,8 @@ export const AlertConsumers = {
   STACK_ALERTS: 'stackAlerts',
   EXAMPLE: 'AlertingExample',
   MONITORING: 'monitoring',
+  ALERTS: 'alerts',
+  DISCOVER: 'discover',
 } as const;
 export type AlertConsumers = (typeof AlertConsumers)[keyof typeof AlertConsumers];
 export type STATUS_VALUES = 'open' | 'acknowledged' | 'closed' | 'in-progress'; // TODO: remove 'in-progress' after migration to 'acknowledged'
@@ -91,3 +93,9 @@ export const getEsQueryConfig = (params?: GetEsQueryConfigParamType): EsQueryCon
   }, {} as EsQueryConfig);
   return paramKeysWithValues;
 };
+
+/**
+ * TODO: Remove when checks for specific rule type ids is not needed
+ *in the codebase.
+ */
+export const isSiemRuleType = (ruleTypeId: string) => ruleTypeId.startsWith('siem.');
diff --git a/packages/kbn-rule-data-utils/src/rule_types/o11y_rules.ts b/packages/kbn-rule-data-utils/src/rule_types/o11y_rules.ts
index 5dae1c99b210f..5dc194659e881 100644
--- a/packages/kbn-rule-data-utils/src/rule_types/o11y_rules.ts
+++ b/packages/kbn-rule-data-utils/src/rule_types/o11y_rules.ts
@@ -8,11 +8,10 @@
  */
 
 export const OBSERVABILITY_THRESHOLD_RULE_TYPE_ID = 'observability.rules.custom_threshold';
-export const SLO_BURN_RATE_RULE_TYPE_ID = 'slo.rules.burnRate';
 
-export const METRIC_INVENTORY_THRESHOLD_ALERT_TYPE_ID = 'metrics.alert.inventory.threshold';
-export const METRIC_THRESHOLD_ALERT_TYPE_ID = 'metrics.alert.threshold';
-export const LOG_THRESHOLD_ALERT_TYPE_ID = 'logs.alert.document.count';
+/**
+ * APM rule types
+ */
 
 export enum ApmRuleType {
   ErrorCount = 'apm.error_rate', // ErrorRate was renamed to ErrorCount but the key is kept as `error_rate` for backwards-compat.
@@ -21,5 +20,68 @@ export enum ApmRuleType {
   Anomaly = 'apm.anomaly',
 }
 
+export const APM_RULE_TYPE_IDS = Object.values(ApmRuleType);
+
+/**
+ * Synthetics ryle types
+ */
+
 export const SYNTHETICS_STATUS_RULE = 'xpack.synthetics.alerts.monitorStatus';
 export const SYNTHETICS_TLS_RULE = 'xpack.synthetics.alerts.tls';
+
+export const SYNTHETICS_ALERT_RULE_TYPES = {
+  MONITOR_STATUS: SYNTHETICS_STATUS_RULE,
+  TLS: SYNTHETICS_TLS_RULE,
+};
+
+export const SYNTHETICS_RULE_TYPE_IDS = [SYNTHETICS_STATUS_RULE, SYNTHETICS_TLS_RULE];
+
+/**
+ * SLO rule types
+ */
+export const SLO_BURN_RATE_RULE_TYPE_ID = 'slo.rules.burnRate';
+export const SLO_RULE_TYPE_IDS = [SLO_BURN_RATE_RULE_TYPE_ID];
+
+/**
+ * Metrics rule types
+ */
+export const METRIC_INVENTORY_THRESHOLD_ALERT_TYPE_ID = 'metrics.alert.inventory.threshold';
+export const METRIC_THRESHOLD_ALERT_TYPE_ID = 'metrics.alert.threshold';
+
+/**
+ * Logs rule types
+ */
+export const LOG_THRESHOLD_ALERT_TYPE_ID = 'logs.alert.document.count';
+export const LOG_RULE_TYPE_IDS = [LOG_THRESHOLD_ALERT_TYPE_ID];
+
+/**
+ * Uptime rule types
+ */
+
+export const UPTIME_RULE_TYPE_IDS = [
+  'xpack.uptime.alerts.tls',
+  'xpack.uptime.alerts.tlsCertificate',
+  'xpack.uptime.alerts.monitorStatus',
+  'xpack.uptime.alerts.durationAnomaly',
+];
+
+/**
+ * Infra rule types
+ */
+
+export enum InfraRuleType {
+  MetricThreshold = METRIC_THRESHOLD_ALERT_TYPE_ID,
+  InventoryThreshold = METRIC_INVENTORY_THRESHOLD_ALERT_TYPE_ID,
+}
+
+export const INFRA_RULE_TYPE_IDS = Object.values(InfraRuleType);
+
+export const OBSERVABILITY_RULE_TYPE_IDS = [
+  ...APM_RULE_TYPE_IDS,
+  ...SYNTHETICS_RULE_TYPE_IDS,
+  ...INFRA_RULE_TYPE_IDS,
+  ...UPTIME_RULE_TYPE_IDS,
+  ...LOG_RULE_TYPE_IDS,
+  ...SLO_RULE_TYPE_IDS,
+  OBSERVABILITY_THRESHOLD_RULE_TYPE_ID,
+];
diff --git a/packages/kbn-rule-data-utils/src/rule_types/stack_rules.ts b/packages/kbn-rule-data-utils/src/rule_types/stack_rules.ts
index b5c6ed8213eff..fb34ed3e4df4b 100644
--- a/packages/kbn-rule-data-utils/src/rule_types/stack_rules.ts
+++ b/packages/kbn-rule-data-utils/src/rule_types/stack_rules.ts
@@ -10,3 +10,13 @@
 export const STACK_ALERTS_FEATURE_ID = 'stackAlerts';
 export const ES_QUERY_ID = '.es-query';
 export const ML_ANOMALY_DETECTION_RULE_TYPE_ID = 'xpack.ml.anomaly_detection_alert';
+
+/**
+ * These rule types are not the only stack rules. There are more.
+ * The variable holds all stack rule types that support multiple
+ * consumers aka the "Role visibility" UX dropdown.
+ */
+export const STACK_RULE_TYPE_IDS_SUPPORTED_BY_OBSERVABILITY = [
+  ES_QUERY_ID,
+  ML_ANOMALY_DETECTION_RULE_TYPE_ID,
+];
diff --git a/packages/kbn-securitysolution-rules/src/rule_type_constants.ts b/packages/kbn-securitysolution-rules/src/rule_type_constants.ts
index a4371f27c3ce0..9aff793e18849 100644
--- a/packages/kbn-securitysolution-rules/src/rule_type_constants.ts
+++ b/packages/kbn-securitysolution-rules/src/rule_type_constants.ts
@@ -24,3 +24,14 @@ export const QUERY_RULE_TYPE_ID = `${RULE_TYPE_PREFIX}.queryRule` as const;
 export const SAVED_QUERY_RULE_TYPE_ID = `${RULE_TYPE_PREFIX}.savedQueryRule` as const;
 export const THRESHOLD_RULE_TYPE_ID = `${RULE_TYPE_PREFIX}.thresholdRule` as const;
 export const NEW_TERMS_RULE_TYPE_ID = `${RULE_TYPE_PREFIX}.newTermsRule` as const;
+
+export const SECURITY_SOLUTION_RULE_TYPE_IDS = [
+  EQL_RULE_TYPE_ID,
+  ESQL_RULE_TYPE_ID,
+  INDICATOR_RULE_TYPE_ID,
+  ML_RULE_TYPE_ID,
+  QUERY_RULE_TYPE_ID,
+  SAVED_QUERY_RULE_TYPE_ID,
+  THRESHOLD_RULE_TYPE_ID,
+  NEW_TERMS_RULE_TYPE_ID,
+];
diff --git a/packages/kbn-triggers-actions-ui-types/rule_types.ts b/packages/kbn-triggers-actions-ui-types/rule_types.ts
index 2029c98fb0e5c..5fe3234e7a136 100644
--- a/packages/kbn-triggers-actions-ui-types/rule_types.ts
+++ b/packages/kbn-triggers-actions-ui-types/rule_types.ts
@@ -25,6 +25,7 @@ export interface RuleType<
     | 'ruleTaskTimeout'
     | 'defaultScheduleInterval'
     | 'doesSetRecoveryContext'
+    | 'category'
   > {
   actionVariables: ActionVariables;
   authorizedConsumers: Record<string, { read: boolean; all: boolean }>;
diff --git a/src/plugins/data_views/public/mocks.ts b/src/plugins/data_views/public/mocks.ts
index 0ca7ad592e4f2..3ce7f87ae70cb 100644
--- a/src/plugins/data_views/public/mocks.ts
+++ b/src/plugins/data_views/public/mocks.ts
@@ -43,6 +43,7 @@ const createStartContract = (): Start => {
     create: jest.fn().mockReturnValue(Promise.resolve({})),
     toDataView: jest.fn().mockReturnValue(Promise.resolve({})),
     toDataViewLazy: jest.fn().mockReturnValue(Promise.resolve({})),
+    clearInstanceCache: jest.fn(),
   } as unknown as jest.Mocked<DataViewsContract>;
 };
 
diff --git a/x-pack/examples/alerting_example/server/plugin.ts b/x-pack/examples/alerting_example/server/plugin.ts
index 43b3bc82c4416..bf79d564222db 100644
--- a/x-pack/examples/alerting_example/server/plugin.ts
+++ b/x-pack/examples/alerting_example/server/plugin.ts
@@ -9,9 +9,10 @@ import { Plugin, CoreSetup } from '@kbn/core/server';
 import { i18n } from '@kbn/i18n';
 // import directly to support examples functional tests (@kbn-test/src/functional_tests/lib/babel_register_for_test_plugins.js)
 import { DEFAULT_APP_CATEGORIES } from '@kbn/core-application-common';
-import { PluginSetupContract as AlertingSetup } from '@kbn/alerting-plugin/server';
+import { AlertingServerSetup } from '@kbn/alerting-plugin/server';
 import { FeaturesPluginSetup } from '@kbn/features-plugin/server';
 
+import { ALERTING_FEATURE_ID } from '@kbn/alerting-plugin/common';
 import { KibanaFeatureScope } from '@kbn/features-plugin/common';
 import { ruleType as alwaysFiringRule } from './rule_types/always_firing';
 import { ruleType as peopleInSpaceRule } from './rule_types/astros';
@@ -22,7 +23,7 @@ import { ALERTING_EXAMPLE_APP_ID } from '../common/constants';
 
 // this plugin's dependencies
 export interface AlertingExampleDeps {
-  alerting: AlertingSetup;
+  alerting: AlertingServerSetup;
   features: FeaturesPluginSetup;
 }
 
@@ -43,15 +44,54 @@ export class AlertingExamplePlugin implements Plugin<void, void, AlertingExample
       },
       category: DEFAULT_APP_CATEGORIES.management,
       scope: [KibanaFeatureScope.Spaces, KibanaFeatureScope.Security],
-      alerting: [alwaysFiringRule.id, peopleInSpaceRule.id, INDEX_THRESHOLD_ID],
+      alerting: [
+        {
+          ruleTypeId: alwaysFiringRule.id,
+          consumers: [ALERTING_EXAMPLE_APP_ID, ALERTING_FEATURE_ID],
+        },
+        {
+          ruleTypeId: peopleInSpaceRule.id,
+          consumers: [ALERTING_EXAMPLE_APP_ID, ALERTING_FEATURE_ID],
+        },
+        {
+          ruleTypeId: INDEX_THRESHOLD_ID,
+          consumers: [ALERTING_EXAMPLE_APP_ID, ALERTING_FEATURE_ID],
+        },
+      ],
       privileges: {
         all: {
           alerting: {
             rule: {
-              all: [alwaysFiringRule.id, peopleInSpaceRule.id, INDEX_THRESHOLD_ID],
+              all: [
+                {
+                  ruleTypeId: alwaysFiringRule.id,
+                  consumers: [ALERTING_EXAMPLE_APP_ID, ALERTING_FEATURE_ID],
+                },
+                {
+                  ruleTypeId: peopleInSpaceRule.id,
+                  consumers: [ALERTING_EXAMPLE_APP_ID, ALERTING_FEATURE_ID],
+                },
+                {
+                  ruleTypeId: INDEX_THRESHOLD_ID,
+                  consumers: [ALERTING_EXAMPLE_APP_ID, ALERTING_FEATURE_ID],
+                },
+              ],
             },
             alert: {
-              all: [alwaysFiringRule.id, peopleInSpaceRule.id, INDEX_THRESHOLD_ID],
+              all: [
+                {
+                  ruleTypeId: alwaysFiringRule.id,
+                  consumers: [ALERTING_EXAMPLE_APP_ID, ALERTING_FEATURE_ID],
+                },
+                {
+                  ruleTypeId: peopleInSpaceRule.id,
+                  consumers: [ALERTING_EXAMPLE_APP_ID, ALERTING_FEATURE_ID],
+                },
+                {
+                  ruleTypeId: INDEX_THRESHOLD_ID,
+                  consumers: [ALERTING_EXAMPLE_APP_ID, ALERTING_FEATURE_ID],
+                },
+              ],
             },
           },
           savedObject: {
@@ -66,10 +106,36 @@ export class AlertingExamplePlugin implements Plugin<void, void, AlertingExample
         read: {
           alerting: {
             rule: {
-              read: [alwaysFiringRule.id, peopleInSpaceRule.id, INDEX_THRESHOLD_ID],
+              read: [
+                {
+                  ruleTypeId: alwaysFiringRule.id,
+                  consumers: [ALERTING_EXAMPLE_APP_ID, ALERTING_FEATURE_ID],
+                },
+                {
+                  ruleTypeId: peopleInSpaceRule.id,
+                  consumers: [ALERTING_EXAMPLE_APP_ID, ALERTING_FEATURE_ID],
+                },
+                {
+                  ruleTypeId: INDEX_THRESHOLD_ID,
+                  consumers: [ALERTING_EXAMPLE_APP_ID, ALERTING_FEATURE_ID],
+                },
+              ],
             },
             alert: {
-              read: [alwaysFiringRule.id, peopleInSpaceRule.id, INDEX_THRESHOLD_ID],
+              read: [
+                {
+                  ruleTypeId: alwaysFiringRule.id,
+                  consumers: [ALERTING_EXAMPLE_APP_ID, ALERTING_FEATURE_ID],
+                },
+                {
+                  ruleTypeId: peopleInSpaceRule.id,
+                  consumers: [ALERTING_EXAMPLE_APP_ID, ALERTING_FEATURE_ID],
+                },
+                {
+                  ruleTypeId: INDEX_THRESHOLD_ID,
+                  consumers: [ALERTING_EXAMPLE_APP_ID, ALERTING_FEATURE_ID],
+                },
+              ],
             },
           },
           savedObject: {
diff --git a/x-pack/examples/triggers_actions_ui_example/public/components/alerts_table_sandbox.tsx b/x-pack/examples/triggers_actions_ui_example/public/components/alerts_table_sandbox.tsx
index 738f4b6fb4801..5b46a3cd33407 100644
--- a/x-pack/examples/triggers_actions_ui_example/public/components/alerts_table_sandbox.tsx
+++ b/x-pack/examples/triggers_actions_ui_example/public/components/alerts_table_sandbox.tsx
@@ -7,7 +7,6 @@
 import React from 'react';
 import { TriggersAndActionsUIPublicPluginStart } from '@kbn/triggers-actions-ui-plugin/public';
 import { AlertsTableStateProps } from '@kbn/triggers-actions-ui-plugin/public/application/sections/alerts_table/alerts_table_state';
-import { AlertConsumers } from '@kbn/rule-data-utils';
 
 interface SandboxProps {
   triggersActionsUi: TriggersAndActionsUIPublicPluginStart;
@@ -19,12 +18,7 @@ export const AlertsTableSandbox = ({ triggersActionsUi }: SandboxProps) => {
     id: 'observabilityCases',
     configurationId: 'observabilityCases',
     alertsTableConfigurationRegistry,
-    featureIds: [
-      AlertConsumers.INFRASTRUCTURE,
-      AlertConsumers.APM,
-      AlertConsumers.OBSERVABILITY,
-      AlertConsumers.LOGS,
-    ],
+    ruleTypeIds: ['.es-query'],
     query: {
       bool: {
         filter: [],
diff --git a/x-pack/examples/triggers_actions_ui_example/server/plugin.ts b/x-pack/examples/triggers_actions_ui_example/server/plugin.ts
index 6d55bbb2cb55d..6bf6c1fd1442e 100644
--- a/x-pack/examples/triggers_actions_ui_example/server/plugin.ts
+++ b/x-pack/examples/triggers_actions_ui_example/server/plugin.ts
@@ -8,7 +8,7 @@
 import { Plugin, CoreSetup } from '@kbn/core/server';
 
 import { PluginSetupContract as ActionsSetup } from '@kbn/actions-plugin/server';
-import { PluginSetupContract as AlertingSetup } from '@kbn/alerting-plugin/server';
+import { AlertingServerSetup } from '@kbn/alerting-plugin/server';
 
 import {
   getConnectorType as getSystemLogExampleConnectorType,
@@ -17,7 +17,7 @@ import {
 
 // this plugin's dependencies
 export interface TriggersActionsUiExampleDeps {
-  alerting: AlertingSetup;
+  alerting: AlertingServerSetup;
   actions: ActionsSetup;
 }
 export class TriggersActionsUiExamplePlugin
diff --git a/x-pack/examples/triggers_actions_ui_example/tsconfig.json b/x-pack/examples/triggers_actions_ui_example/tsconfig.json
index 601f23edd2647..458a4a99d589b 100644
--- a/x-pack/examples/triggers_actions_ui_example/tsconfig.json
+++ b/x-pack/examples/triggers_actions_ui_example/tsconfig.json
@@ -19,7 +19,6 @@
     "@kbn/alerting-plugin",
     "@kbn/triggers-actions-ui-plugin",
     "@kbn/developer-examples-plugin",
-    "@kbn/rule-data-utils",
     "@kbn/data-plugin",
     "@kbn/i18n-react",
     "@kbn/shared-ux-router",
diff --git a/x-pack/packages/observability/alert_details/src/hooks/use_alerts_history.test.tsx b/x-pack/packages/observability/alert_details/src/hooks/use_alerts_history.test.tsx
index 82ced89354006..2707a0cecd185 100644
--- a/x-pack/packages/observability/alert_details/src/hooks/use_alerts_history.test.tsx
+++ b/x-pack/packages/observability/alert_details/src/hooks/use_alerts_history.test.tsx
@@ -5,10 +5,9 @@
  * 2.0.
  */
 import React from 'react';
-import { HttpSetup } from '@kbn/core-http-browser';
-import { AlertConsumers } from '@kbn/rule-data-utils';
 import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
 import { act, renderHook } from '@testing-library/react-hooks';
+import { httpServiceMock } from '@kbn/core-http-browser-mocks';
 import {
   type UseAlertsHistory,
   useAlertsHistory,
@@ -25,6 +24,11 @@ const queryClient = new QueryClient({
     queries: { retry: false, cacheTime: 0 },
   },
 });
+
+const mockServices = {
+  http: httpServiceMock.createStartContract(),
+};
+
 const wrapper = ({ children }: any) => (
   <QueryClientProvider client={queryClient}>{children}</QueryClientProvider>
 );
@@ -34,7 +38,7 @@ describe('useAlertsHistory', () => {
   const end = '2023-05-10T00:00:00.000Z';
   const ruleId = 'cfd36e60-ef22-11ed-91eb-b7893acacfe2';
 
-  afterEach(() => {
+  beforeEach(() => {
     jest.clearAllMocks();
   });
 
@@ -44,7 +48,7 @@ describe('useAlertsHistory', () => {
       () =>
         useAlertsHistory({
           http,
-          featureIds: [AlertConsumers.APM],
+          ruleTypeIds: ['apm'],
           ruleId,
           dateRange: { from: start, to: end },
         }),
@@ -61,16 +65,13 @@ describe('useAlertsHistory', () => {
   });
 
   it('returns no data when API error', async () => {
-    const http = {
-      post: jest.fn().mockImplementation(() => {
-        throw new Error('ES error');
-      }),
-    } as unknown as HttpSetup;
+    mockServices.http.post.mockRejectedValueOnce(new Error('ES error'));
+
     const { result, waitFor } = renderHook<useAlertsHistoryProps, UseAlertsHistory>(
       () =>
         useAlertsHistory({
-          http,
-          featureIds: [AlertConsumers.APM],
+          ...mockServices,
+          ruleTypeIds: ['apm'],
           ruleId,
           dateRange: { from: start, to: end },
         }),
@@ -87,54 +88,53 @@ describe('useAlertsHistory', () => {
   });
 
   it('returns the alert history chart data', async () => {
-    const http = {
-      post: jest.fn().mockResolvedValue({
-        hits: { total: { value: 32, relation: 'eq' }, max_score: null, hits: [] },
-        aggregations: {
-          avgTimeToRecoverUS: { doc_count: 28, recoveryTime: { value: 134959464.2857143 } },
-          histogramTriggeredAlerts: {
-            buckets: [
-              { key_as_string: '2023-04-10T00:00:00.000Z', key: 1681084800000, doc_count: 0 },
-              { key_as_string: '2023-04-11T00:00:00.000Z', key: 1681171200000, doc_count: 0 },
-              { key_as_string: '2023-04-12T00:00:00.000Z', key: 1681257600000, doc_count: 0 },
-              { key_as_string: '2023-04-13T00:00:00.000Z', key: 1681344000000, doc_count: 0 },
-              { key_as_string: '2023-04-14T00:00:00.000Z', key: 1681430400000, doc_count: 0 },
-              { key_as_string: '2023-04-15T00:00:00.000Z', key: 1681516800000, doc_count: 0 },
-              { key_as_string: '2023-04-16T00:00:00.000Z', key: 1681603200000, doc_count: 0 },
-              { key_as_string: '2023-04-17T00:00:00.000Z', key: 1681689600000, doc_count: 0 },
-              { key_as_string: '2023-04-18T00:00:00.000Z', key: 1681776000000, doc_count: 0 },
-              { key_as_string: '2023-04-19T00:00:00.000Z', key: 1681862400000, doc_count: 0 },
-              { key_as_string: '2023-04-20T00:00:00.000Z', key: 1681948800000, doc_count: 0 },
-              { key_as_string: '2023-04-21T00:00:00.000Z', key: 1682035200000, doc_count: 0 },
-              { key_as_string: '2023-04-22T00:00:00.000Z', key: 1682121600000, doc_count: 0 },
-              { key_as_string: '2023-04-23T00:00:00.000Z', key: 1682208000000, doc_count: 0 },
-              { key_as_string: '2023-04-24T00:00:00.000Z', key: 1682294400000, doc_count: 0 },
-              { key_as_string: '2023-04-25T00:00:00.000Z', key: 1682380800000, doc_count: 0 },
-              { key_as_string: '2023-04-26T00:00:00.000Z', key: 1682467200000, doc_count: 0 },
-              { key_as_string: '2023-04-27T00:00:00.000Z', key: 1682553600000, doc_count: 0 },
-              { key_as_string: '2023-04-28T00:00:00.000Z', key: 1682640000000, doc_count: 0 },
-              { key_as_string: '2023-04-29T00:00:00.000Z', key: 1682726400000, doc_count: 0 },
-              { key_as_string: '2023-04-30T00:00:00.000Z', key: 1682812800000, doc_count: 0 },
-              { key_as_string: '2023-05-01T00:00:00.000Z', key: 1682899200000, doc_count: 0 },
-              { key_as_string: '2023-05-02T00:00:00.000Z', key: 1682985600000, doc_count: 0 },
-              { key_as_string: '2023-05-03T00:00:00.000Z', key: 1683072000000, doc_count: 0 },
-              { key_as_string: '2023-05-04T00:00:00.000Z', key: 1683158400000, doc_count: 0 },
-              { key_as_string: '2023-05-05T00:00:00.000Z', key: 1683244800000, doc_count: 0 },
-              { key_as_string: '2023-05-06T00:00:00.000Z', key: 1683331200000, doc_count: 0 },
-              { key_as_string: '2023-05-07T00:00:00.000Z', key: 1683417600000, doc_count: 0 },
-              { key_as_string: '2023-05-08T00:00:00.000Z', key: 1683504000000, doc_count: 0 },
-              { key_as_string: '2023-05-09T00:00:00.000Z', key: 1683590400000, doc_count: 0 },
-              { key_as_string: '2023-05-10T00:00:00.000Z', key: 1683676800000, doc_count: 32 },
-            ],
-          },
+    mockServices.http.post.mockResolvedValueOnce({
+      hits: { total: { value: 32, relation: 'eq' }, max_score: null, hits: [] },
+      aggregations: {
+        avgTimeToRecoverUS: { doc_count: 28, recoveryTime: { value: 134959464.2857143 } },
+        histogramTriggeredAlerts: {
+          buckets: [
+            { key_as_string: '2023-04-10T00:00:00.000Z', key: 1681084800000, doc_count: 0 },
+            { key_as_string: '2023-04-11T00:00:00.000Z', key: 1681171200000, doc_count: 0 },
+            { key_as_string: '2023-04-12T00:00:00.000Z', key: 1681257600000, doc_count: 0 },
+            { key_as_string: '2023-04-13T00:00:00.000Z', key: 1681344000000, doc_count: 0 },
+            { key_as_string: '2023-04-14T00:00:00.000Z', key: 1681430400000, doc_count: 0 },
+            { key_as_string: '2023-04-15T00:00:00.000Z', key: 1681516800000, doc_count: 0 },
+            { key_as_string: '2023-04-16T00:00:00.000Z', key: 1681603200000, doc_count: 0 },
+            { key_as_string: '2023-04-17T00:00:00.000Z', key: 1681689600000, doc_count: 0 },
+            { key_as_string: '2023-04-18T00:00:00.000Z', key: 1681776000000, doc_count: 0 },
+            { key_as_string: '2023-04-19T00:00:00.000Z', key: 1681862400000, doc_count: 0 },
+            { key_as_string: '2023-04-20T00:00:00.000Z', key: 1681948800000, doc_count: 0 },
+            { key_as_string: '2023-04-21T00:00:00.000Z', key: 1682035200000, doc_count: 0 },
+            { key_as_string: '2023-04-22T00:00:00.000Z', key: 1682121600000, doc_count: 0 },
+            { key_as_string: '2023-04-23T00:00:00.000Z', key: 1682208000000, doc_count: 0 },
+            { key_as_string: '2023-04-24T00:00:00.000Z', key: 1682294400000, doc_count: 0 },
+            { key_as_string: '2023-04-25T00:00:00.000Z', key: 1682380800000, doc_count: 0 },
+            { key_as_string: '2023-04-26T00:00:00.000Z', key: 1682467200000, doc_count: 0 },
+            { key_as_string: '2023-04-27T00:00:00.000Z', key: 1682553600000, doc_count: 0 },
+            { key_as_string: '2023-04-28T00:00:00.000Z', key: 1682640000000, doc_count: 0 },
+            { key_as_string: '2023-04-29T00:00:00.000Z', key: 1682726400000, doc_count: 0 },
+            { key_as_string: '2023-04-30T00:00:00.000Z', key: 1682812800000, doc_count: 0 },
+            { key_as_string: '2023-05-01T00:00:00.000Z', key: 1682899200000, doc_count: 0 },
+            { key_as_string: '2023-05-02T00:00:00.000Z', key: 1682985600000, doc_count: 0 },
+            { key_as_string: '2023-05-03T00:00:00.000Z', key: 1683072000000, doc_count: 0 },
+            { key_as_string: '2023-05-04T00:00:00.000Z', key: 1683158400000, doc_count: 0 },
+            { key_as_string: '2023-05-05T00:00:00.000Z', key: 1683244800000, doc_count: 0 },
+            { key_as_string: '2023-05-06T00:00:00.000Z', key: 1683331200000, doc_count: 0 },
+            { key_as_string: '2023-05-07T00:00:00.000Z', key: 1683417600000, doc_count: 0 },
+            { key_as_string: '2023-05-08T00:00:00.000Z', key: 1683504000000, doc_count: 0 },
+            { key_as_string: '2023-05-09T00:00:00.000Z', key: 1683590400000, doc_count: 0 },
+            { key_as_string: '2023-05-10T00:00:00.000Z', key: 1683676800000, doc_count: 32 },
+          ],
         },
-      }),
-    } as unknown as HttpSetup;
+      },
+    });
+
     const { result, waitFor } = renderHook<useAlertsHistoryProps, UseAlertsHistory>(
       () =>
         useAlertsHistory({
-          http,
-          featureIds: [AlertConsumers.APM],
+          ...mockServices,
+          ruleTypeIds: ['apm'],
           ruleId,
           dateRange: { from: start, to: end },
         }),
@@ -155,26 +155,24 @@ describe('useAlertsHistory', () => {
   it('calls http post including instanceId query', async () => {
     const controller = new AbortController();
     const signal = controller.signal;
-    const mockedHttpPost = jest.fn();
-    const http = {
-      post: mockedHttpPost.mockResolvedValue({
-        hits: { total: { value: 32, relation: 'eq' }, max_score: null, hits: [] },
-        aggregations: {
-          avgTimeToRecoverUS: { doc_count: 28, recoveryTime: { value: 134959464.2857143 } },
-          histogramTriggeredAlerts: {
-            buckets: [
-              { key_as_string: '2023-04-10T00:00:00.000Z', key: 1681084800000, doc_count: 0 },
-            ],
-          },
+    mockServices.http.post.mockResolvedValueOnce({
+      hits: { total: { value: 32, relation: 'eq' }, max_score: null, hits: [] },
+      aggregations: {
+        avgTimeToRecoverUS: { doc_count: 28, recoveryTime: { value: 134959464.2857143 } },
+        histogramTriggeredAlerts: {
+          buckets: [
+            { key_as_string: '2023-04-10T00:00:00.000Z', key: 1681084800000, doc_count: 0 },
+          ],
         },
-      }),
-    } as unknown as HttpSetup;
+      },
+    });
 
     const { result, waitFor } = renderHook<useAlertsHistoryProps, UseAlertsHistory>(
       () =>
         useAlertsHistory({
-          http,
-          featureIds: [AlertConsumers.APM],
+          ...mockServices,
+          ruleTypeIds: ['apm'],
+          consumers: ['foo'],
           ruleId,
           dateRange: { from: start, to: end },
           instanceId: 'instance-1',
@@ -187,9 +185,10 @@ describe('useAlertsHistory', () => {
     await act(async () => {
       await waitFor(() => result.current.isSuccess);
     });
-    expect(mockedHttpPost).toBeCalledWith('/internal/rac/alerts/find', {
+
+    expect(mockServices.http.post).toBeCalledWith('/internal/rac/alerts/find', {
       body:
-        '{"size":0,"feature_ids":["apm"],"query":{"bool":{"must":[' +
+        '{"size":0,"rule_type_ids":["apm"],"consumers":["foo"],"query":{"bool":{"must":[' +
         '{"term":{"kibana.alert.rule.uuid":"cfd36e60-ef22-11ed-91eb-b7893acacfe2"}},' +
         '{"term":{"kibana.alert.instance.id":"instance-1"}},' +
         '{"range":{"kibana.alert.time_range":{"from":"2023-04-10T00:00:00.000Z","to":"2023-05-10T00:00:00.000Z"}}}]}},' +
@@ -204,26 +203,23 @@ describe('useAlertsHistory', () => {
   it('calls http post without * instanceId query', async () => {
     const controller = new AbortController();
     const signal = controller.signal;
-    const mockedHttpPost = jest.fn();
-    const http = {
-      post: mockedHttpPost.mockResolvedValue({
-        hits: { total: { value: 32, relation: 'eq' }, max_score: null, hits: [] },
-        aggregations: {
-          avgTimeToRecoverUS: { doc_count: 28, recoveryTime: { value: 134959464.2857143 } },
-          histogramTriggeredAlerts: {
-            buckets: [
-              { key_as_string: '2023-04-10T00:00:00.000Z', key: 1681084800000, doc_count: 0 },
-            ],
-          },
+    mockServices.http.post.mockResolvedValueOnce({
+      hits: { total: { value: 32, relation: 'eq' }, max_score: null, hits: [] },
+      aggregations: {
+        avgTimeToRecoverUS: { doc_count: 28, recoveryTime: { value: 134959464.2857143 } },
+        histogramTriggeredAlerts: {
+          buckets: [
+            { key_as_string: '2023-04-10T00:00:00.000Z', key: 1681084800000, doc_count: 0 },
+          ],
         },
-      }),
-    } as unknown as HttpSetup;
+      },
+    });
 
     const { result, waitFor } = renderHook<useAlertsHistoryProps, UseAlertsHistory>(
       () =>
         useAlertsHistory({
-          http,
-          featureIds: [AlertConsumers.APM],
+          ...mockServices,
+          ruleTypeIds: ['apm'],
           ruleId,
           dateRange: { from: start, to: end },
           instanceId: '*',
@@ -236,9 +232,10 @@ describe('useAlertsHistory', () => {
     await act(async () => {
       await waitFor(() => result.current.isSuccess);
     });
-    expect(mockedHttpPost).toBeCalledWith('/internal/rac/alerts/find', {
+
+    expect(mockServices.http.post).toBeCalledWith('/internal/rac/alerts/find', {
       body:
-        '{"size":0,"feature_ids":["apm"],"query":{"bool":{"must":[' +
+        '{"size":0,"rule_type_ids":["apm"],"query":{"bool":{"must":[' +
         '{"term":{"kibana.alert.rule.uuid":"cfd36e60-ef22-11ed-91eb-b7893acacfe2"}},' +
         '{"range":{"kibana.alert.time_range":{"from":"2023-04-10T00:00:00.000Z","to":"2023-05-10T00:00:00.000Z"}}}]}},' +
         '"aggs":{"histogramTriggeredAlerts":{"date_histogram":{"field":"kibana.alert.start","fixed_interval":"1d",' +
diff --git a/x-pack/packages/observability/alert_details/src/hooks/use_alerts_history.ts b/x-pack/packages/observability/alert_details/src/hooks/use_alerts_history.ts
index 193acb63f845b..d045fab2e635b 100644
--- a/x-pack/packages/observability/alert_details/src/hooks/use_alerts_history.ts
+++ b/x-pack/packages/observability/alert_details/src/hooks/use_alerts_history.ts
@@ -14,14 +14,14 @@ import {
   ALERT_START,
   ALERT_STATUS,
   ALERT_TIME_RANGE,
-  ValidFeatureId,
 } from '@kbn/rule-data-utils';
 import { BASE_RAC_ALERTS_API_PATH } from '@kbn/rule-registry-plugin/common';
 import { useQuery } from '@tanstack/react-query';
 
 export interface Props {
   http: HttpSetup | undefined;
-  featureIds: ValidFeatureId[];
+  ruleTypeIds: string[];
+  consumers?: string[];
   ruleId: string;
   dateRange: {
     from: string;
@@ -49,13 +49,15 @@ export const EMPTY_ALERTS_HISTORY = {
 };
 
 export function useAlertsHistory({
-  featureIds,
+  ruleTypeIds,
+  consumers,
   ruleId,
   dateRange,
   http,
   instanceId,
 }: Props): UseAlertsHistory {
-  const enabled = !!featureIds.length;
+  const enabled = !!ruleTypeIds.length;
+
   const { isInitialLoading, isLoading, isError, isSuccess, isRefetching, data } = useQuery({
     queryKey: ['useAlertsHistory'],
     queryFn: async ({ signal }) => {
@@ -63,7 +65,8 @@ export function useAlertsHistory({
         throw new Error('Http client is missing');
       }
       return fetchTriggeredAlertsHistory({
-        featureIds,
+        ruleTypeIds,
+        consumers,
         http,
         ruleId,
         dateRange,
@@ -74,6 +77,7 @@ export function useAlertsHistory({
     refetchOnWindowFocus: false,
     enabled,
   });
+
   return {
     data: isInitialLoading ? EMPTY_ALERTS_HISTORY : data ?? EMPTY_ALERTS_HISTORY,
     isLoading: enabled && (isInitialLoading || isLoading || isRefetching),
@@ -101,14 +105,16 @@ interface AggsESResponse {
 }
 
 export async function fetchTriggeredAlertsHistory({
-  featureIds,
+  ruleTypeIds,
+  consumers,
   http,
   ruleId,
   dateRange,
   signal,
   instanceId,
 }: {
-  featureIds: ValidFeatureId[];
+  ruleTypeIds: string[];
+  consumers?: string[];
   http: HttpSetup;
   ruleId: string;
   dateRange: {
@@ -123,7 +129,8 @@ export async function fetchTriggeredAlertsHistory({
       signal,
       body: JSON.stringify({
         size: 0,
-        feature_ids: featureIds,
+        rule_type_ids: ruleTypeIds,
+        consumers,
         query: {
           bool: {
             must: [
diff --git a/x-pack/packages/observability/alert_details/tsconfig.json b/x-pack/packages/observability/alert_details/tsconfig.json
index a349651fdff7e..d1b4c3fb2ce23 100644
--- a/x-pack/packages/observability/alert_details/tsconfig.json
+++ b/x-pack/packages/observability/alert_details/tsconfig.json
@@ -17,9 +17,9 @@
   ],
   "kbn_references": [
     "@kbn/i18n",
-    "@kbn/core-http-browser",
     "@kbn/rule-data-utils",
     "@kbn/core",
-    "@kbn/rule-registry-plugin"
+    "@kbn/rule-registry-plugin",
+    "@kbn/core-http-browser-mocks"
   ]
 }
diff --git a/x-pack/packages/security-solution/features/src/security/kibana_features.ts b/x-pack/packages/security-solution/features/src/security/kibana_features.ts
index 2fb6b11988797..458b8f6fd1f1f 100644
--- a/x-pack/packages/security-solution/features/src/security/kibana_features.ts
+++ b/x-pack/packages/security-solution/features/src/security/kibana_features.ts
@@ -41,6 +41,11 @@ const SECURITY_RULE_TYPES = [
   NEW_TERMS_RULE_TYPE_ID,
 ];
 
+const alertingFeatures = SECURITY_RULE_TYPES.map((ruleTypeId) => ({
+  ruleTypeId,
+  consumers: [SERVER_APP_ID],
+}));
+
 export const getSecurityBaseKibanaFeature = ({
   savedObjects,
 }: SecurityFeatureParams): BaseKibanaFeatureConfig => ({
@@ -59,7 +64,7 @@ export const getSecurityBaseKibanaFeature = ({
   management: {
     insightsAndAlerting: ['triggersActions'],
   },
-  alerting: SECURITY_RULE_TYPES,
+  alerting: alertingFeatures,
   description: i18n.translate(
     'securitySolutionPackages.features.featureRegistry.securityGroupDescription',
     {
@@ -87,12 +92,8 @@ export const getSecurityBaseKibanaFeature = ({
         read: [],
       },
       alerting: {
-        rule: {
-          all: SECURITY_RULE_TYPES,
-        },
-        alert: {
-          all: SECURITY_RULE_TYPES,
-        },
+        rule: { all: alertingFeatures },
+        alert: { all: alertingFeatures },
       },
       management: {
         insightsAndAlerting: ['triggersActions'],
@@ -109,10 +110,10 @@ export const getSecurityBaseKibanaFeature = ({
       },
       alerting: {
         rule: {
-          read: SECURITY_RULE_TYPES,
+          read: alertingFeatures,
         },
         alert: {
-          all: SECURITY_RULE_TYPES,
+          all: alertingFeatures,
         },
       },
       management: {
diff --git a/x-pack/packages/security/authorization_core/src/actions/alerting.test.ts b/x-pack/packages/security/authorization_core/src/actions/alerting.test.ts
index 1db1030da510a..8f3d48a91005c 100644
--- a/x-pack/packages/security/authorization_core/src/actions/alerting.test.ts
+++ b/x-pack/packages/security/authorization_core/src/actions/alerting.test.ts
@@ -51,21 +51,3 @@ describe('#get', () => {
     );
   });
 });
-
-test('#isValid', () => {
-  const alertingActions = new AlertingActions();
-  expect(alertingActions.isValid('alerting:foo-ruleType/consumer/alertingType/bar-operation')).toBe(
-    true
-  );
-
-  expect(
-    alertingActions.isValid('api:alerting:foo-ruleType/consumer/alertingType/bar-operation')
-  ).toBe(false);
-  expect(alertingActions.isValid('api:foo-ruleType/consumer/alertingType/bar-operation')).toBe(
-    false
-  );
-
-  expect(alertingActions.isValid('alerting_foo-ruleType/consumer/alertingType/bar-operation')).toBe(
-    false
-  );
-});
diff --git a/x-pack/packages/security/authorization_core/src/actions/alerting.ts b/x-pack/packages/security/authorization_core/src/actions/alerting.ts
index 18abac73ef8b7..c1de9a1c65d21 100644
--- a/x-pack/packages/security/authorization_core/src/actions/alerting.ts
+++ b/x-pack/packages/security/authorization_core/src/actions/alerting.ts
@@ -40,12 +40,4 @@ export class AlertingActions implements AlertingActionsType {
 
     return `${this.prefix}${ruleTypeId}/${consumer}/${alertingEntity}/${operation}`;
   }
-
-  /**
-   * Checks if the action is a valid alerting action.
-   * @param action The action string to check.
-   */
-  public isValid(action: string) {
-    return action.startsWith(this.prefix);
-  }
 }
diff --git a/x-pack/packages/security/authorization_core/src/privileges/feature_privilege_builder/alerting.test.ts b/x-pack/packages/security/authorization_core/src/privileges/feature_privilege_builder/alerting.test.ts
index db4aae642a56f..c5af930cce4f5 100644
--- a/x-pack/packages/security/authorization_core/src/privileges/feature_privilege_builder/alerting.test.ts
+++ b/x-pack/packages/security/authorization_core/src/privileges/feature_privilege_builder/alerting.test.ts
@@ -28,7 +28,6 @@ describe(`feature_privilege_builder`, () => {
             read: [],
           },
         },
-
         savedObject: {
           all: [],
           read: [],
@@ -59,10 +58,9 @@ describe(`feature_privilege_builder`, () => {
           alerting: {
             rule: {
               all: [],
-              read: ['alert-type'],
+              read: [{ ruleTypeId: 'alert-type', consumers: ['my-consumer'] }],
             },
           },
-
           savedObject: {
             all: [],
             read: [],
@@ -83,15 +81,15 @@ describe(`feature_privilege_builder`, () => {
 
         expect(alertingFeaturePrivileges.getActions(privilege, feature)).toMatchInlineSnapshot(`
           Array [
-            "alerting:alert-type/my-feature/rule/get",
-            "alerting:alert-type/my-feature/rule/getRuleState",
-            "alerting:alert-type/my-feature/rule/getAlertSummary",
-            "alerting:alert-type/my-feature/rule/getExecutionLog",
-            "alerting:alert-type/my-feature/rule/getActionErrorLog",
-            "alerting:alert-type/my-feature/rule/find",
-            "alerting:alert-type/my-feature/rule/getRuleExecutionKPI",
-            "alerting:alert-type/my-feature/rule/getBackfill",
-            "alerting:alert-type/my-feature/rule/findBackfill",
+            "alerting:alert-type/my-consumer/rule/get",
+            "alerting:alert-type/my-consumer/rule/getRuleState",
+            "alerting:alert-type/my-consumer/rule/getAlertSummary",
+            "alerting:alert-type/my-consumer/rule/getExecutionLog",
+            "alerting:alert-type/my-consumer/rule/getActionErrorLog",
+            "alerting:alert-type/my-consumer/rule/find",
+            "alerting:alert-type/my-consumer/rule/getRuleExecutionKPI",
+            "alerting:alert-type/my-consumer/rule/getBackfill",
+            "alerting:alert-type/my-consumer/rule/findBackfill",
           ]
         `);
       });
@@ -104,10 +102,9 @@ describe(`feature_privilege_builder`, () => {
           alerting: {
             alert: {
               all: [],
-              read: ['alert-type'],
+              read: [{ ruleTypeId: 'alert-type', consumers: ['my-consumer'] }],
             },
           },
-
           savedObject: {
             all: [],
             read: [],
@@ -128,10 +125,10 @@ describe(`feature_privilege_builder`, () => {
 
         expect(alertingFeaturePrivileges.getActions(privilege, feature)).toMatchInlineSnapshot(`
           Array [
-            "alerting:alert-type/my-feature/alert/get",
-            "alerting:alert-type/my-feature/alert/find",
-            "alerting:alert-type/my-feature/alert/getAuthorizedAlertsIndices",
-            "alerting:alert-type/my-feature/alert/getAlertSummary",
+            "alerting:alert-type/my-consumer/alert/get",
+            "alerting:alert-type/my-consumer/alert/find",
+            "alerting:alert-type/my-consumer/alert/getAuthorizedAlertsIndices",
+            "alerting:alert-type/my-consumer/alert/getAlertSummary",
           ]
         `);
       });
@@ -144,14 +141,13 @@ describe(`feature_privilege_builder`, () => {
           alerting: {
             rule: {
               all: [],
-              read: ['alert-type'],
+              read: [{ ruleTypeId: 'alert-type', consumers: ['my-consumer'] }],
             },
             alert: {
               all: [],
-              read: ['alert-type'],
+              read: [{ ruleTypeId: 'alert-type', consumers: ['my-consumer'] }],
             },
           },
-
           savedObject: {
             all: [],
             read: [],
@@ -172,19 +168,19 @@ describe(`feature_privilege_builder`, () => {
 
         expect(alertingFeaturePrivileges.getActions(privilege, feature)).toMatchInlineSnapshot(`
           Array [
-            "alerting:alert-type/my-feature/rule/get",
-            "alerting:alert-type/my-feature/rule/getRuleState",
-            "alerting:alert-type/my-feature/rule/getAlertSummary",
-            "alerting:alert-type/my-feature/rule/getExecutionLog",
-            "alerting:alert-type/my-feature/rule/getActionErrorLog",
-            "alerting:alert-type/my-feature/rule/find",
-            "alerting:alert-type/my-feature/rule/getRuleExecutionKPI",
-            "alerting:alert-type/my-feature/rule/getBackfill",
-            "alerting:alert-type/my-feature/rule/findBackfill",
-            "alerting:alert-type/my-feature/alert/get",
-            "alerting:alert-type/my-feature/alert/find",
-            "alerting:alert-type/my-feature/alert/getAuthorizedAlertsIndices",
-            "alerting:alert-type/my-feature/alert/getAlertSummary",
+            "alerting:alert-type/my-consumer/rule/get",
+            "alerting:alert-type/my-consumer/rule/getRuleState",
+            "alerting:alert-type/my-consumer/rule/getAlertSummary",
+            "alerting:alert-type/my-consumer/rule/getExecutionLog",
+            "alerting:alert-type/my-consumer/rule/getActionErrorLog",
+            "alerting:alert-type/my-consumer/rule/find",
+            "alerting:alert-type/my-consumer/rule/getRuleExecutionKPI",
+            "alerting:alert-type/my-consumer/rule/getBackfill",
+            "alerting:alert-type/my-consumer/rule/findBackfill",
+            "alerting:alert-type/my-consumer/alert/get",
+            "alerting:alert-type/my-consumer/alert/find",
+            "alerting:alert-type/my-consumer/alert/getAuthorizedAlertsIndices",
+            "alerting:alert-type/my-consumer/alert/getAlertSummary",
           ]
         `);
       });
@@ -196,7 +192,7 @@ describe(`feature_privilege_builder`, () => {
         const privilege: FeatureKibanaPrivileges = {
           alerting: {
             rule: {
-              all: ['alert-type'],
+              all: [{ ruleTypeId: 'alert-type', consumers: ['my-consumer'] }],
               read: [],
             },
           },
@@ -221,34 +217,34 @@ describe(`feature_privilege_builder`, () => {
 
         expect(alertingFeaturePrivileges.getActions(privilege, feature)).toMatchInlineSnapshot(`
           Array [
-            "alerting:alert-type/my-feature/rule/get",
-            "alerting:alert-type/my-feature/rule/getRuleState",
-            "alerting:alert-type/my-feature/rule/getAlertSummary",
-            "alerting:alert-type/my-feature/rule/getExecutionLog",
-            "alerting:alert-type/my-feature/rule/getActionErrorLog",
-            "alerting:alert-type/my-feature/rule/find",
-            "alerting:alert-type/my-feature/rule/getRuleExecutionKPI",
-            "alerting:alert-type/my-feature/rule/getBackfill",
-            "alerting:alert-type/my-feature/rule/findBackfill",
-            "alerting:alert-type/my-feature/rule/create",
-            "alerting:alert-type/my-feature/rule/delete",
-            "alerting:alert-type/my-feature/rule/update",
-            "alerting:alert-type/my-feature/rule/updateApiKey",
-            "alerting:alert-type/my-feature/rule/enable",
-            "alerting:alert-type/my-feature/rule/disable",
-            "alerting:alert-type/my-feature/rule/muteAll",
-            "alerting:alert-type/my-feature/rule/unmuteAll",
-            "alerting:alert-type/my-feature/rule/muteAlert",
-            "alerting:alert-type/my-feature/rule/unmuteAlert",
-            "alerting:alert-type/my-feature/rule/snooze",
-            "alerting:alert-type/my-feature/rule/bulkEdit",
-            "alerting:alert-type/my-feature/rule/bulkDelete",
-            "alerting:alert-type/my-feature/rule/bulkEnable",
-            "alerting:alert-type/my-feature/rule/bulkDisable",
-            "alerting:alert-type/my-feature/rule/unsnooze",
-            "alerting:alert-type/my-feature/rule/runSoon",
-            "alerting:alert-type/my-feature/rule/scheduleBackfill",
-            "alerting:alert-type/my-feature/rule/deleteBackfill",
+            "alerting:alert-type/my-consumer/rule/get",
+            "alerting:alert-type/my-consumer/rule/getRuleState",
+            "alerting:alert-type/my-consumer/rule/getAlertSummary",
+            "alerting:alert-type/my-consumer/rule/getExecutionLog",
+            "alerting:alert-type/my-consumer/rule/getActionErrorLog",
+            "alerting:alert-type/my-consumer/rule/find",
+            "alerting:alert-type/my-consumer/rule/getRuleExecutionKPI",
+            "alerting:alert-type/my-consumer/rule/getBackfill",
+            "alerting:alert-type/my-consumer/rule/findBackfill",
+            "alerting:alert-type/my-consumer/rule/create",
+            "alerting:alert-type/my-consumer/rule/delete",
+            "alerting:alert-type/my-consumer/rule/update",
+            "alerting:alert-type/my-consumer/rule/updateApiKey",
+            "alerting:alert-type/my-consumer/rule/enable",
+            "alerting:alert-type/my-consumer/rule/disable",
+            "alerting:alert-type/my-consumer/rule/muteAll",
+            "alerting:alert-type/my-consumer/rule/unmuteAll",
+            "alerting:alert-type/my-consumer/rule/muteAlert",
+            "alerting:alert-type/my-consumer/rule/unmuteAlert",
+            "alerting:alert-type/my-consumer/rule/snooze",
+            "alerting:alert-type/my-consumer/rule/bulkEdit",
+            "alerting:alert-type/my-consumer/rule/bulkDelete",
+            "alerting:alert-type/my-consumer/rule/bulkEnable",
+            "alerting:alert-type/my-consumer/rule/bulkDisable",
+            "alerting:alert-type/my-consumer/rule/unsnooze",
+            "alerting:alert-type/my-consumer/rule/runSoon",
+            "alerting:alert-type/my-consumer/rule/scheduleBackfill",
+            "alerting:alert-type/my-consumer/rule/deleteBackfill",
           ]
         `);
       });
@@ -260,11 +256,10 @@ describe(`feature_privilege_builder`, () => {
         const privilege: FeatureKibanaPrivileges = {
           alerting: {
             alert: {
-              all: ['alert-type'],
+              all: [{ ruleTypeId: 'alert-type', consumers: ['my-consumer'] }],
               read: [],
             },
           },
-
           savedObject: {
             all: [],
             read: [],
@@ -285,11 +280,11 @@ describe(`feature_privilege_builder`, () => {
 
         expect(alertingFeaturePrivileges.getActions(privilege, feature)).toMatchInlineSnapshot(`
           Array [
-            "alerting:alert-type/my-feature/alert/get",
-            "alerting:alert-type/my-feature/alert/find",
-            "alerting:alert-type/my-feature/alert/getAuthorizedAlertsIndices",
-            "alerting:alert-type/my-feature/alert/getAlertSummary",
-            "alerting:alert-type/my-feature/alert/update",
+            "alerting:alert-type/my-consumer/alert/get",
+            "alerting:alert-type/my-consumer/alert/find",
+            "alerting:alert-type/my-consumer/alert/getAuthorizedAlertsIndices",
+            "alerting:alert-type/my-consumer/alert/getAlertSummary",
+            "alerting:alert-type/my-consumer/alert/update",
           ]
         `);
       });
@@ -301,15 +296,14 @@ describe(`feature_privilege_builder`, () => {
         const privilege: FeatureKibanaPrivileges = {
           alerting: {
             rule: {
-              all: ['alert-type'],
+              all: [{ ruleTypeId: 'alert-type', consumers: ['my-consumer'] }],
               read: [],
             },
             alert: {
-              all: ['alert-type'],
+              all: [{ ruleTypeId: 'alert-type', consumers: ['my-consumer'] }],
               read: [],
             },
           },
-
           savedObject: {
             all: [],
             read: [],
@@ -330,39 +324,39 @@ describe(`feature_privilege_builder`, () => {
 
         expect(alertingFeaturePrivileges.getActions(privilege, feature)).toMatchInlineSnapshot(`
           Array [
-            "alerting:alert-type/my-feature/rule/get",
-            "alerting:alert-type/my-feature/rule/getRuleState",
-            "alerting:alert-type/my-feature/rule/getAlertSummary",
-            "alerting:alert-type/my-feature/rule/getExecutionLog",
-            "alerting:alert-type/my-feature/rule/getActionErrorLog",
-            "alerting:alert-type/my-feature/rule/find",
-            "alerting:alert-type/my-feature/rule/getRuleExecutionKPI",
-            "alerting:alert-type/my-feature/rule/getBackfill",
-            "alerting:alert-type/my-feature/rule/findBackfill",
-            "alerting:alert-type/my-feature/rule/create",
-            "alerting:alert-type/my-feature/rule/delete",
-            "alerting:alert-type/my-feature/rule/update",
-            "alerting:alert-type/my-feature/rule/updateApiKey",
-            "alerting:alert-type/my-feature/rule/enable",
-            "alerting:alert-type/my-feature/rule/disable",
-            "alerting:alert-type/my-feature/rule/muteAll",
-            "alerting:alert-type/my-feature/rule/unmuteAll",
-            "alerting:alert-type/my-feature/rule/muteAlert",
-            "alerting:alert-type/my-feature/rule/unmuteAlert",
-            "alerting:alert-type/my-feature/rule/snooze",
-            "alerting:alert-type/my-feature/rule/bulkEdit",
-            "alerting:alert-type/my-feature/rule/bulkDelete",
-            "alerting:alert-type/my-feature/rule/bulkEnable",
-            "alerting:alert-type/my-feature/rule/bulkDisable",
-            "alerting:alert-type/my-feature/rule/unsnooze",
-            "alerting:alert-type/my-feature/rule/runSoon",
-            "alerting:alert-type/my-feature/rule/scheduleBackfill",
-            "alerting:alert-type/my-feature/rule/deleteBackfill",
-            "alerting:alert-type/my-feature/alert/get",
-            "alerting:alert-type/my-feature/alert/find",
-            "alerting:alert-type/my-feature/alert/getAuthorizedAlertsIndices",
-            "alerting:alert-type/my-feature/alert/getAlertSummary",
-            "alerting:alert-type/my-feature/alert/update",
+            "alerting:alert-type/my-consumer/rule/get",
+            "alerting:alert-type/my-consumer/rule/getRuleState",
+            "alerting:alert-type/my-consumer/rule/getAlertSummary",
+            "alerting:alert-type/my-consumer/rule/getExecutionLog",
+            "alerting:alert-type/my-consumer/rule/getActionErrorLog",
+            "alerting:alert-type/my-consumer/rule/find",
+            "alerting:alert-type/my-consumer/rule/getRuleExecutionKPI",
+            "alerting:alert-type/my-consumer/rule/getBackfill",
+            "alerting:alert-type/my-consumer/rule/findBackfill",
+            "alerting:alert-type/my-consumer/rule/create",
+            "alerting:alert-type/my-consumer/rule/delete",
+            "alerting:alert-type/my-consumer/rule/update",
+            "alerting:alert-type/my-consumer/rule/updateApiKey",
+            "alerting:alert-type/my-consumer/rule/enable",
+            "alerting:alert-type/my-consumer/rule/disable",
+            "alerting:alert-type/my-consumer/rule/muteAll",
+            "alerting:alert-type/my-consumer/rule/unmuteAll",
+            "alerting:alert-type/my-consumer/rule/muteAlert",
+            "alerting:alert-type/my-consumer/rule/unmuteAlert",
+            "alerting:alert-type/my-consumer/rule/snooze",
+            "alerting:alert-type/my-consumer/rule/bulkEdit",
+            "alerting:alert-type/my-consumer/rule/bulkDelete",
+            "alerting:alert-type/my-consumer/rule/bulkEnable",
+            "alerting:alert-type/my-consumer/rule/bulkDisable",
+            "alerting:alert-type/my-consumer/rule/unsnooze",
+            "alerting:alert-type/my-consumer/rule/runSoon",
+            "alerting:alert-type/my-consumer/rule/scheduleBackfill",
+            "alerting:alert-type/my-consumer/rule/deleteBackfill",
+            "alerting:alert-type/my-consumer/alert/get",
+            "alerting:alert-type/my-consumer/alert/find",
+            "alerting:alert-type/my-consumer/alert/getAuthorizedAlertsIndices",
+            "alerting:alert-type/my-consumer/alert/getAlertSummary",
+            "alerting:alert-type/my-consumer/alert/update",
           ]
         `);
       });
@@ -374,11 +368,10 @@ describe(`feature_privilege_builder`, () => {
         const privilege: FeatureKibanaPrivileges = {
           alerting: {
             rule: {
-              all: ['alert-type'],
-              read: ['readonly-alert-type'],
+              all: [{ ruleTypeId: 'alert-type', consumers: ['my-consumer'] }],
+              read: [{ ruleTypeId: 'readonly-alert-type', consumers: ['my-consumer'] }],
             },
           },
-
           savedObject: {
             all: [],
             read: [],
@@ -399,43 +392,43 @@ describe(`feature_privilege_builder`, () => {
 
         expect(alertingFeaturePrivileges.getActions(privilege, feature)).toMatchInlineSnapshot(`
           Array [
-            "alerting:alert-type/my-feature/rule/get",
-            "alerting:alert-type/my-feature/rule/getRuleState",
-            "alerting:alert-type/my-feature/rule/getAlertSummary",
-            "alerting:alert-type/my-feature/rule/getExecutionLog",
-            "alerting:alert-type/my-feature/rule/getActionErrorLog",
-            "alerting:alert-type/my-feature/rule/find",
-            "alerting:alert-type/my-feature/rule/getRuleExecutionKPI",
-            "alerting:alert-type/my-feature/rule/getBackfill",
-            "alerting:alert-type/my-feature/rule/findBackfill",
-            "alerting:alert-type/my-feature/rule/create",
-            "alerting:alert-type/my-feature/rule/delete",
-            "alerting:alert-type/my-feature/rule/update",
-            "alerting:alert-type/my-feature/rule/updateApiKey",
-            "alerting:alert-type/my-feature/rule/enable",
-            "alerting:alert-type/my-feature/rule/disable",
-            "alerting:alert-type/my-feature/rule/muteAll",
-            "alerting:alert-type/my-feature/rule/unmuteAll",
-            "alerting:alert-type/my-feature/rule/muteAlert",
-            "alerting:alert-type/my-feature/rule/unmuteAlert",
-            "alerting:alert-type/my-feature/rule/snooze",
-            "alerting:alert-type/my-feature/rule/bulkEdit",
-            "alerting:alert-type/my-feature/rule/bulkDelete",
-            "alerting:alert-type/my-feature/rule/bulkEnable",
-            "alerting:alert-type/my-feature/rule/bulkDisable",
-            "alerting:alert-type/my-feature/rule/unsnooze",
-            "alerting:alert-type/my-feature/rule/runSoon",
-            "alerting:alert-type/my-feature/rule/scheduleBackfill",
-            "alerting:alert-type/my-feature/rule/deleteBackfill",
-            "alerting:readonly-alert-type/my-feature/rule/get",
-            "alerting:readonly-alert-type/my-feature/rule/getRuleState",
-            "alerting:readonly-alert-type/my-feature/rule/getAlertSummary",
-            "alerting:readonly-alert-type/my-feature/rule/getExecutionLog",
-            "alerting:readonly-alert-type/my-feature/rule/getActionErrorLog",
-            "alerting:readonly-alert-type/my-feature/rule/find",
-            "alerting:readonly-alert-type/my-feature/rule/getRuleExecutionKPI",
-            "alerting:readonly-alert-type/my-feature/rule/getBackfill",
-            "alerting:readonly-alert-type/my-feature/rule/findBackfill",
+            "alerting:alert-type/my-consumer/rule/get",
+            "alerting:alert-type/my-consumer/rule/getRuleState",
+            "alerting:alert-type/my-consumer/rule/getAlertSummary",
+            "alerting:alert-type/my-consumer/rule/getExecutionLog",
+            "alerting:alert-type/my-consumer/rule/getActionErrorLog",
+            "alerting:alert-type/my-consumer/rule/find",
+            "alerting:alert-type/my-consumer/rule/getRuleExecutionKPI",
+            "alerting:alert-type/my-consumer/rule/getBackfill",
+            "alerting:alert-type/my-consumer/rule/findBackfill",
+            "alerting:alert-type/my-consumer/rule/create",
+            "alerting:alert-type/my-consumer/rule/delete",
+            "alerting:alert-type/my-consumer/rule/update",
+            "alerting:alert-type/my-consumer/rule/updateApiKey",
+            "alerting:alert-type/my-consumer/rule/enable",
+            "alerting:alert-type/my-consumer/rule/disable",
+            "alerting:alert-type/my-consumer/rule/muteAll",
+            "alerting:alert-type/my-consumer/rule/unmuteAll",
+            "alerting:alert-type/my-consumer/rule/muteAlert",
+            "alerting:alert-type/my-consumer/rule/unmuteAlert",
+            "alerting:alert-type/my-consumer/rule/snooze",
+            "alerting:alert-type/my-consumer/rule/bulkEdit",
+            "alerting:alert-type/my-consumer/rule/bulkDelete",
+            "alerting:alert-type/my-consumer/rule/bulkEnable",
+            "alerting:alert-type/my-consumer/rule/bulkDisable",
+            "alerting:alert-type/my-consumer/rule/unsnooze",
+            "alerting:alert-type/my-consumer/rule/runSoon",
+            "alerting:alert-type/my-consumer/rule/scheduleBackfill",
+            "alerting:alert-type/my-consumer/rule/deleteBackfill",
+            "alerting:readonly-alert-type/my-consumer/rule/get",
+            "alerting:readonly-alert-type/my-consumer/rule/getRuleState",
+            "alerting:readonly-alert-type/my-consumer/rule/getAlertSummary",
+            "alerting:readonly-alert-type/my-consumer/rule/getExecutionLog",
+            "alerting:readonly-alert-type/my-consumer/rule/getActionErrorLog",
+            "alerting:readonly-alert-type/my-consumer/rule/find",
+            "alerting:readonly-alert-type/my-consumer/rule/getRuleExecutionKPI",
+            "alerting:readonly-alert-type/my-consumer/rule/getBackfill",
+            "alerting:readonly-alert-type/my-consumer/rule/findBackfill",
           ]
         `);
       });
@@ -447,8 +440,8 @@ describe(`feature_privilege_builder`, () => {
         const privilege: FeatureKibanaPrivileges = {
           alerting: {
             alert: {
-              all: ['alert-type'],
-              read: ['readonly-alert-type'],
+              all: [{ ruleTypeId: 'alert-type', consumers: ['my-consumer'] }],
+              read: [{ ruleTypeId: 'readonly-alert-type', consumers: ['my-consumer'] }],
             },
           },
 
@@ -472,15 +465,15 @@ describe(`feature_privilege_builder`, () => {
 
         expect(alertingFeaturePrivileges.getActions(privilege, feature)).toMatchInlineSnapshot(`
           Array [
-            "alerting:alert-type/my-feature/alert/get",
-            "alerting:alert-type/my-feature/alert/find",
-            "alerting:alert-type/my-feature/alert/getAuthorizedAlertsIndices",
-            "alerting:alert-type/my-feature/alert/getAlertSummary",
-            "alerting:alert-type/my-feature/alert/update",
-            "alerting:readonly-alert-type/my-feature/alert/get",
-            "alerting:readonly-alert-type/my-feature/alert/find",
-            "alerting:readonly-alert-type/my-feature/alert/getAuthorizedAlertsIndices",
-            "alerting:readonly-alert-type/my-feature/alert/getAlertSummary",
+            "alerting:alert-type/my-consumer/alert/get",
+            "alerting:alert-type/my-consumer/alert/find",
+            "alerting:alert-type/my-consumer/alert/getAuthorizedAlertsIndices",
+            "alerting:alert-type/my-consumer/alert/getAlertSummary",
+            "alerting:alert-type/my-consumer/alert/update",
+            "alerting:readonly-alert-type/my-consumer/alert/get",
+            "alerting:readonly-alert-type/my-consumer/alert/find",
+            "alerting:readonly-alert-type/my-consumer/alert/getAuthorizedAlertsIndices",
+            "alerting:readonly-alert-type/my-consumer/alert/getAlertSummary",
           ]
         `);
       });
@@ -492,12 +485,128 @@ describe(`feature_privilege_builder`, () => {
         const privilege: FeatureKibanaPrivileges = {
           alerting: {
             rule: {
-              all: ['alert-type'],
-              read: ['readonly-alert-type'],
+              all: [{ ruleTypeId: 'alert-type', consumers: ['my-consumer'] }],
+              read: [{ ruleTypeId: 'readonly-alert-type', consumers: ['my-consumer'] }],
+            },
+            alert: {
+              all: [{ ruleTypeId: 'another-alert-type', consumers: ['my-consumer'] }],
+              read: [{ ruleTypeId: 'readonly-alert-type', consumers: ['my-consumer'] }],
+            },
+          },
+
+          savedObject: {
+            all: [],
+            read: [],
+          },
+          ui: [],
+        };
+
+        const feature = new KibanaFeature({
+          id: 'my-feature',
+          name: 'my-feature',
+          app: [],
+          category: { id: 'foo', label: 'foo' },
+          privileges: {
+            all: privilege,
+            read: privilege,
+          },
+        });
+
+        expect(alertingFeaturePrivileges.getActions(privilege, feature)).toMatchInlineSnapshot(`
+          Array [
+            "alerting:alert-type/my-consumer/rule/get",
+            "alerting:alert-type/my-consumer/rule/getRuleState",
+            "alerting:alert-type/my-consumer/rule/getAlertSummary",
+            "alerting:alert-type/my-consumer/rule/getExecutionLog",
+            "alerting:alert-type/my-consumer/rule/getActionErrorLog",
+            "alerting:alert-type/my-consumer/rule/find",
+            "alerting:alert-type/my-consumer/rule/getRuleExecutionKPI",
+            "alerting:alert-type/my-consumer/rule/getBackfill",
+            "alerting:alert-type/my-consumer/rule/findBackfill",
+            "alerting:alert-type/my-consumer/rule/create",
+            "alerting:alert-type/my-consumer/rule/delete",
+            "alerting:alert-type/my-consumer/rule/update",
+            "alerting:alert-type/my-consumer/rule/updateApiKey",
+            "alerting:alert-type/my-consumer/rule/enable",
+            "alerting:alert-type/my-consumer/rule/disable",
+            "alerting:alert-type/my-consumer/rule/muteAll",
+            "alerting:alert-type/my-consumer/rule/unmuteAll",
+            "alerting:alert-type/my-consumer/rule/muteAlert",
+            "alerting:alert-type/my-consumer/rule/unmuteAlert",
+            "alerting:alert-type/my-consumer/rule/snooze",
+            "alerting:alert-type/my-consumer/rule/bulkEdit",
+            "alerting:alert-type/my-consumer/rule/bulkDelete",
+            "alerting:alert-type/my-consumer/rule/bulkEnable",
+            "alerting:alert-type/my-consumer/rule/bulkDisable",
+            "alerting:alert-type/my-consumer/rule/unsnooze",
+            "alerting:alert-type/my-consumer/rule/runSoon",
+            "alerting:alert-type/my-consumer/rule/scheduleBackfill",
+            "alerting:alert-type/my-consumer/rule/deleteBackfill",
+            "alerting:readonly-alert-type/my-consumer/rule/get",
+            "alerting:readonly-alert-type/my-consumer/rule/getRuleState",
+            "alerting:readonly-alert-type/my-consumer/rule/getAlertSummary",
+            "alerting:readonly-alert-type/my-consumer/rule/getExecutionLog",
+            "alerting:readonly-alert-type/my-consumer/rule/getActionErrorLog",
+            "alerting:readonly-alert-type/my-consumer/rule/find",
+            "alerting:readonly-alert-type/my-consumer/rule/getRuleExecutionKPI",
+            "alerting:readonly-alert-type/my-consumer/rule/getBackfill",
+            "alerting:readonly-alert-type/my-consumer/rule/findBackfill",
+            "alerting:another-alert-type/my-consumer/alert/get",
+            "alerting:another-alert-type/my-consumer/alert/find",
+            "alerting:another-alert-type/my-consumer/alert/getAuthorizedAlertsIndices",
+            "alerting:another-alert-type/my-consumer/alert/getAlertSummary",
+            "alerting:another-alert-type/my-consumer/alert/update",
+            "alerting:readonly-alert-type/my-consumer/alert/get",
+            "alerting:readonly-alert-type/my-consumer/alert/find",
+            "alerting:readonly-alert-type/my-consumer/alert/getAuthorizedAlertsIndices",
+            "alerting:readonly-alert-type/my-consumer/alert/getAlertSummary",
+          ]
+        `);
+      });
+
+      test('handles multiple rule types and consumers correctly', () => {
+        const actions = new Actions();
+        const alertingFeaturePrivileges = new FeaturePrivilegeAlertingBuilder(actions);
+
+        const privilege: FeatureKibanaPrivileges = {
+          alerting: {
+            rule: {
+              all: [
+                { ruleTypeId: 'alert-type-1', consumers: ['my-consumer-1', 'my-consumer-2'] },
+                { ruleTypeId: 'alert-type-2', consumers: ['my-consumer-3'] },
+              ],
+              read: [
+                {
+                  ruleTypeId: 'readonly-alert-type-1',
+                  consumers: ['my-read-consumer-1', 'my-read-consumer-2'],
+                },
+                {
+                  ruleTypeId: 'readonly-alert-type-2',
+                  consumers: ['my-read-consumer-3', 'my-read-consumer-4'],
+                },
+              ],
             },
             alert: {
-              all: ['another-alert-type'],
-              read: ['readonly-alert-type'],
+              all: [
+                {
+                  ruleTypeId: 'another-alert-type-1',
+                  consumers: ['my-consumer-another-1', 'my-consumer-another-2'],
+                },
+                {
+                  ruleTypeId: 'another-alert-type-2',
+                  consumers: ['my-consumer-another-3', 'my-consumer-another-1'],
+                },
+              ],
+              read: [
+                {
+                  ruleTypeId: 'readonly-another-alert-type-1',
+                  consumers: ['my-read-other-consumer-1', 'my-read-other-consumer-2'],
+                },
+                {
+                  ruleTypeId: 'readonly-another-alert-type-2',
+                  consumers: ['my-read-other-consumer-3', 'my-read-other-consumer-4'],
+                },
+              ],
             },
           },
 
@@ -521,52 +630,162 @@ describe(`feature_privilege_builder`, () => {
 
         expect(alertingFeaturePrivileges.getActions(privilege, feature)).toMatchInlineSnapshot(`
           Array [
-            "alerting:alert-type/my-feature/rule/get",
-            "alerting:alert-type/my-feature/rule/getRuleState",
-            "alerting:alert-type/my-feature/rule/getAlertSummary",
-            "alerting:alert-type/my-feature/rule/getExecutionLog",
-            "alerting:alert-type/my-feature/rule/getActionErrorLog",
-            "alerting:alert-type/my-feature/rule/find",
-            "alerting:alert-type/my-feature/rule/getRuleExecutionKPI",
-            "alerting:alert-type/my-feature/rule/getBackfill",
-            "alerting:alert-type/my-feature/rule/findBackfill",
-            "alerting:alert-type/my-feature/rule/create",
-            "alerting:alert-type/my-feature/rule/delete",
-            "alerting:alert-type/my-feature/rule/update",
-            "alerting:alert-type/my-feature/rule/updateApiKey",
-            "alerting:alert-type/my-feature/rule/enable",
-            "alerting:alert-type/my-feature/rule/disable",
-            "alerting:alert-type/my-feature/rule/muteAll",
-            "alerting:alert-type/my-feature/rule/unmuteAll",
-            "alerting:alert-type/my-feature/rule/muteAlert",
-            "alerting:alert-type/my-feature/rule/unmuteAlert",
-            "alerting:alert-type/my-feature/rule/snooze",
-            "alerting:alert-type/my-feature/rule/bulkEdit",
-            "alerting:alert-type/my-feature/rule/bulkDelete",
-            "alerting:alert-type/my-feature/rule/bulkEnable",
-            "alerting:alert-type/my-feature/rule/bulkDisable",
-            "alerting:alert-type/my-feature/rule/unsnooze",
-            "alerting:alert-type/my-feature/rule/runSoon",
-            "alerting:alert-type/my-feature/rule/scheduleBackfill",
-            "alerting:alert-type/my-feature/rule/deleteBackfill",
-            "alerting:readonly-alert-type/my-feature/rule/get",
-            "alerting:readonly-alert-type/my-feature/rule/getRuleState",
-            "alerting:readonly-alert-type/my-feature/rule/getAlertSummary",
-            "alerting:readonly-alert-type/my-feature/rule/getExecutionLog",
-            "alerting:readonly-alert-type/my-feature/rule/getActionErrorLog",
-            "alerting:readonly-alert-type/my-feature/rule/find",
-            "alerting:readonly-alert-type/my-feature/rule/getRuleExecutionKPI",
-            "alerting:readonly-alert-type/my-feature/rule/getBackfill",
-            "alerting:readonly-alert-type/my-feature/rule/findBackfill",
-            "alerting:another-alert-type/my-feature/alert/get",
-            "alerting:another-alert-type/my-feature/alert/find",
-            "alerting:another-alert-type/my-feature/alert/getAuthorizedAlertsIndices",
-            "alerting:another-alert-type/my-feature/alert/getAlertSummary",
-            "alerting:another-alert-type/my-feature/alert/update",
-            "alerting:readonly-alert-type/my-feature/alert/get",
-            "alerting:readonly-alert-type/my-feature/alert/find",
-            "alerting:readonly-alert-type/my-feature/alert/getAuthorizedAlertsIndices",
-            "alerting:readonly-alert-type/my-feature/alert/getAlertSummary",
+            "alerting:alert-type-1/my-consumer-1/rule/get",
+            "alerting:alert-type-1/my-consumer-1/rule/getRuleState",
+            "alerting:alert-type-1/my-consumer-1/rule/getAlertSummary",
+            "alerting:alert-type-1/my-consumer-1/rule/getExecutionLog",
+            "alerting:alert-type-1/my-consumer-1/rule/getActionErrorLog",
+            "alerting:alert-type-1/my-consumer-1/rule/find",
+            "alerting:alert-type-1/my-consumer-1/rule/getRuleExecutionKPI",
+            "alerting:alert-type-1/my-consumer-1/rule/getBackfill",
+            "alerting:alert-type-1/my-consumer-1/rule/findBackfill",
+            "alerting:alert-type-1/my-consumer-1/rule/create",
+            "alerting:alert-type-1/my-consumer-1/rule/delete",
+            "alerting:alert-type-1/my-consumer-1/rule/update",
+            "alerting:alert-type-1/my-consumer-1/rule/updateApiKey",
+            "alerting:alert-type-1/my-consumer-1/rule/enable",
+            "alerting:alert-type-1/my-consumer-1/rule/disable",
+            "alerting:alert-type-1/my-consumer-1/rule/muteAll",
+            "alerting:alert-type-1/my-consumer-1/rule/unmuteAll",
+            "alerting:alert-type-1/my-consumer-1/rule/muteAlert",
+            "alerting:alert-type-1/my-consumer-1/rule/unmuteAlert",
+            "alerting:alert-type-1/my-consumer-1/rule/snooze",
+            "alerting:alert-type-1/my-consumer-1/rule/bulkEdit",
+            "alerting:alert-type-1/my-consumer-1/rule/bulkDelete",
+            "alerting:alert-type-1/my-consumer-1/rule/bulkEnable",
+            "alerting:alert-type-1/my-consumer-1/rule/bulkDisable",
+            "alerting:alert-type-1/my-consumer-1/rule/unsnooze",
+            "alerting:alert-type-1/my-consumer-1/rule/runSoon",
+            "alerting:alert-type-1/my-consumer-1/rule/scheduleBackfill",
+            "alerting:alert-type-1/my-consumer-1/rule/deleteBackfill",
+            "alerting:alert-type-1/my-consumer-2/rule/get",
+            "alerting:alert-type-1/my-consumer-2/rule/getRuleState",
+            "alerting:alert-type-1/my-consumer-2/rule/getAlertSummary",
+            "alerting:alert-type-1/my-consumer-2/rule/getExecutionLog",
+            "alerting:alert-type-1/my-consumer-2/rule/getActionErrorLog",
+            "alerting:alert-type-1/my-consumer-2/rule/find",
+            "alerting:alert-type-1/my-consumer-2/rule/getRuleExecutionKPI",
+            "alerting:alert-type-1/my-consumer-2/rule/getBackfill",
+            "alerting:alert-type-1/my-consumer-2/rule/findBackfill",
+            "alerting:alert-type-1/my-consumer-2/rule/create",
+            "alerting:alert-type-1/my-consumer-2/rule/delete",
+            "alerting:alert-type-1/my-consumer-2/rule/update",
+            "alerting:alert-type-1/my-consumer-2/rule/updateApiKey",
+            "alerting:alert-type-1/my-consumer-2/rule/enable",
+            "alerting:alert-type-1/my-consumer-2/rule/disable",
+            "alerting:alert-type-1/my-consumer-2/rule/muteAll",
+            "alerting:alert-type-1/my-consumer-2/rule/unmuteAll",
+            "alerting:alert-type-1/my-consumer-2/rule/muteAlert",
+            "alerting:alert-type-1/my-consumer-2/rule/unmuteAlert",
+            "alerting:alert-type-1/my-consumer-2/rule/snooze",
+            "alerting:alert-type-1/my-consumer-2/rule/bulkEdit",
+            "alerting:alert-type-1/my-consumer-2/rule/bulkDelete",
+            "alerting:alert-type-1/my-consumer-2/rule/bulkEnable",
+            "alerting:alert-type-1/my-consumer-2/rule/bulkDisable",
+            "alerting:alert-type-1/my-consumer-2/rule/unsnooze",
+            "alerting:alert-type-1/my-consumer-2/rule/runSoon",
+            "alerting:alert-type-1/my-consumer-2/rule/scheduleBackfill",
+            "alerting:alert-type-1/my-consumer-2/rule/deleteBackfill",
+            "alerting:alert-type-2/my-consumer-3/rule/get",
+            "alerting:alert-type-2/my-consumer-3/rule/getRuleState",
+            "alerting:alert-type-2/my-consumer-3/rule/getAlertSummary",
+            "alerting:alert-type-2/my-consumer-3/rule/getExecutionLog",
+            "alerting:alert-type-2/my-consumer-3/rule/getActionErrorLog",
+            "alerting:alert-type-2/my-consumer-3/rule/find",
+            "alerting:alert-type-2/my-consumer-3/rule/getRuleExecutionKPI",
+            "alerting:alert-type-2/my-consumer-3/rule/getBackfill",
+            "alerting:alert-type-2/my-consumer-3/rule/findBackfill",
+            "alerting:alert-type-2/my-consumer-3/rule/create",
+            "alerting:alert-type-2/my-consumer-3/rule/delete",
+            "alerting:alert-type-2/my-consumer-3/rule/update",
+            "alerting:alert-type-2/my-consumer-3/rule/updateApiKey",
+            "alerting:alert-type-2/my-consumer-3/rule/enable",
+            "alerting:alert-type-2/my-consumer-3/rule/disable",
+            "alerting:alert-type-2/my-consumer-3/rule/muteAll",
+            "alerting:alert-type-2/my-consumer-3/rule/unmuteAll",
+            "alerting:alert-type-2/my-consumer-3/rule/muteAlert",
+            "alerting:alert-type-2/my-consumer-3/rule/unmuteAlert",
+            "alerting:alert-type-2/my-consumer-3/rule/snooze",
+            "alerting:alert-type-2/my-consumer-3/rule/bulkEdit",
+            "alerting:alert-type-2/my-consumer-3/rule/bulkDelete",
+            "alerting:alert-type-2/my-consumer-3/rule/bulkEnable",
+            "alerting:alert-type-2/my-consumer-3/rule/bulkDisable",
+            "alerting:alert-type-2/my-consumer-3/rule/unsnooze",
+            "alerting:alert-type-2/my-consumer-3/rule/runSoon",
+            "alerting:alert-type-2/my-consumer-3/rule/scheduleBackfill",
+            "alerting:alert-type-2/my-consumer-3/rule/deleteBackfill",
+            "alerting:readonly-alert-type-1/my-read-consumer-1/rule/get",
+            "alerting:readonly-alert-type-1/my-read-consumer-1/rule/getRuleState",
+            "alerting:readonly-alert-type-1/my-read-consumer-1/rule/getAlertSummary",
+            "alerting:readonly-alert-type-1/my-read-consumer-1/rule/getExecutionLog",
+            "alerting:readonly-alert-type-1/my-read-consumer-1/rule/getActionErrorLog",
+            "alerting:readonly-alert-type-1/my-read-consumer-1/rule/find",
+            "alerting:readonly-alert-type-1/my-read-consumer-1/rule/getRuleExecutionKPI",
+            "alerting:readonly-alert-type-1/my-read-consumer-1/rule/getBackfill",
+            "alerting:readonly-alert-type-1/my-read-consumer-1/rule/findBackfill",
+            "alerting:readonly-alert-type-1/my-read-consumer-2/rule/get",
+            "alerting:readonly-alert-type-1/my-read-consumer-2/rule/getRuleState",
+            "alerting:readonly-alert-type-1/my-read-consumer-2/rule/getAlertSummary",
+            "alerting:readonly-alert-type-1/my-read-consumer-2/rule/getExecutionLog",
+            "alerting:readonly-alert-type-1/my-read-consumer-2/rule/getActionErrorLog",
+            "alerting:readonly-alert-type-1/my-read-consumer-2/rule/find",
+            "alerting:readonly-alert-type-1/my-read-consumer-2/rule/getRuleExecutionKPI",
+            "alerting:readonly-alert-type-1/my-read-consumer-2/rule/getBackfill",
+            "alerting:readonly-alert-type-1/my-read-consumer-2/rule/findBackfill",
+            "alerting:readonly-alert-type-2/my-read-consumer-3/rule/get",
+            "alerting:readonly-alert-type-2/my-read-consumer-3/rule/getRuleState",
+            "alerting:readonly-alert-type-2/my-read-consumer-3/rule/getAlertSummary",
+            "alerting:readonly-alert-type-2/my-read-consumer-3/rule/getExecutionLog",
+            "alerting:readonly-alert-type-2/my-read-consumer-3/rule/getActionErrorLog",
+            "alerting:readonly-alert-type-2/my-read-consumer-3/rule/find",
+            "alerting:readonly-alert-type-2/my-read-consumer-3/rule/getRuleExecutionKPI",
+            "alerting:readonly-alert-type-2/my-read-consumer-3/rule/getBackfill",
+            "alerting:readonly-alert-type-2/my-read-consumer-3/rule/findBackfill",
+            "alerting:readonly-alert-type-2/my-read-consumer-4/rule/get",
+            "alerting:readonly-alert-type-2/my-read-consumer-4/rule/getRuleState",
+            "alerting:readonly-alert-type-2/my-read-consumer-4/rule/getAlertSummary",
+            "alerting:readonly-alert-type-2/my-read-consumer-4/rule/getExecutionLog",
+            "alerting:readonly-alert-type-2/my-read-consumer-4/rule/getActionErrorLog",
+            "alerting:readonly-alert-type-2/my-read-consumer-4/rule/find",
+            "alerting:readonly-alert-type-2/my-read-consumer-4/rule/getRuleExecutionKPI",
+            "alerting:readonly-alert-type-2/my-read-consumer-4/rule/getBackfill",
+            "alerting:readonly-alert-type-2/my-read-consumer-4/rule/findBackfill",
+            "alerting:another-alert-type-1/my-consumer-another-1/alert/get",
+            "alerting:another-alert-type-1/my-consumer-another-1/alert/find",
+            "alerting:another-alert-type-1/my-consumer-another-1/alert/getAuthorizedAlertsIndices",
+            "alerting:another-alert-type-1/my-consumer-another-1/alert/getAlertSummary",
+            "alerting:another-alert-type-1/my-consumer-another-1/alert/update",
+            "alerting:another-alert-type-1/my-consumer-another-2/alert/get",
+            "alerting:another-alert-type-1/my-consumer-another-2/alert/find",
+            "alerting:another-alert-type-1/my-consumer-another-2/alert/getAuthorizedAlertsIndices",
+            "alerting:another-alert-type-1/my-consumer-another-2/alert/getAlertSummary",
+            "alerting:another-alert-type-1/my-consumer-another-2/alert/update",
+            "alerting:another-alert-type-2/my-consumer-another-3/alert/get",
+            "alerting:another-alert-type-2/my-consumer-another-3/alert/find",
+            "alerting:another-alert-type-2/my-consumer-another-3/alert/getAuthorizedAlertsIndices",
+            "alerting:another-alert-type-2/my-consumer-another-3/alert/getAlertSummary",
+            "alerting:another-alert-type-2/my-consumer-another-3/alert/update",
+            "alerting:another-alert-type-2/my-consumer-another-1/alert/get",
+            "alerting:another-alert-type-2/my-consumer-another-1/alert/find",
+            "alerting:another-alert-type-2/my-consumer-another-1/alert/getAuthorizedAlertsIndices",
+            "alerting:another-alert-type-2/my-consumer-another-1/alert/getAlertSummary",
+            "alerting:another-alert-type-2/my-consumer-another-1/alert/update",
+            "alerting:readonly-another-alert-type-1/my-read-other-consumer-1/alert/get",
+            "alerting:readonly-another-alert-type-1/my-read-other-consumer-1/alert/find",
+            "alerting:readonly-another-alert-type-1/my-read-other-consumer-1/alert/getAuthorizedAlertsIndices",
+            "alerting:readonly-another-alert-type-1/my-read-other-consumer-1/alert/getAlertSummary",
+            "alerting:readonly-another-alert-type-1/my-read-other-consumer-2/alert/get",
+            "alerting:readonly-another-alert-type-1/my-read-other-consumer-2/alert/find",
+            "alerting:readonly-another-alert-type-1/my-read-other-consumer-2/alert/getAuthorizedAlertsIndices",
+            "alerting:readonly-another-alert-type-1/my-read-other-consumer-2/alert/getAlertSummary",
+            "alerting:readonly-another-alert-type-2/my-read-other-consumer-3/alert/get",
+            "alerting:readonly-another-alert-type-2/my-read-other-consumer-3/alert/find",
+            "alerting:readonly-another-alert-type-2/my-read-other-consumer-3/alert/getAuthorizedAlertsIndices",
+            "alerting:readonly-another-alert-type-2/my-read-other-consumer-3/alert/getAlertSummary",
+            "alerting:readonly-another-alert-type-2/my-read-other-consumer-4/alert/get",
+            "alerting:readonly-another-alert-type-2/my-read-other-consumer-4/alert/find",
+            "alerting:readonly-another-alert-type-2/my-read-other-consumer-4/alert/getAuthorizedAlertsIndices",
+            "alerting:readonly-another-alert-type-2/my-read-other-consumer-4/alert/getAlertSummary",
           ]
         `);
       });
diff --git a/x-pack/packages/security/authorization_core/src/privileges/feature_privilege_builder/alerting.ts b/x-pack/packages/security/authorization_core/src/privileges/feature_privilege_builder/alerting.ts
index c0b7fa2ea8ab7..65c330b94c462 100644
--- a/x-pack/packages/security/authorization_core/src/privileges/feature_privilege_builder/alerting.ts
+++ b/x-pack/packages/security/authorization_core/src/privileges/feature_privilege_builder/alerting.ts
@@ -7,6 +7,7 @@
 
 import { get, uniq } from 'lodash';
 
+import type { AlertingKibanaPrivilege } from '@kbn/features-plugin/common/alerting_kibana_privilege';
 import type { FeatureKibanaPrivileges, KibanaFeature } from '@kbn/features-plugin/server';
 
 import { BaseFeaturePrivilegeBuilder } from './feature_privilege_builder';
@@ -67,13 +68,14 @@ export class FeaturePrivilegeAlertingBuilder extends BaseFeaturePrivilegeBuilder
   ): string[] {
     const getAlertingPrivilege = (
       operations: string[],
-      privilegedTypes: readonly string[],
-      alertingEntity: string,
-      consumer: string
+      privileges: AlertingKibanaPrivilege,
+      alertingEntity: string
     ) =>
-      privilegedTypes.flatMap((type) =>
-        operations.map((operation) =>
-          this.actions.alerting.get(type, consumer, alertingEntity, operation)
+      privileges.flatMap(({ ruleTypeId, consumers }) =>
+        consumers.flatMap((consumer) =>
+          operations.map((operation) =>
+            this.actions.alerting.get(ruleTypeId, consumer, alertingEntity, operation)
+          )
         )
       );
 
@@ -82,8 +84,8 @@ export class FeaturePrivilegeAlertingBuilder extends BaseFeaturePrivilegeBuilder
       const read = get(privilegeDefinition.alerting, `${entity}.read`) ?? [];
 
       return uniq([
-        ...getAlertingPrivilege(allOperations[entity], all, entity, feature.id),
-        ...getAlertingPrivilege(readOperations[entity], read, entity, feature.id),
+        ...getAlertingPrivilege(allOperations[entity], all, entity),
+        ...getAlertingPrivilege(readOperations[entity], read, entity),
       ]);
     };
 
diff --git a/x-pack/packages/security/authorization_core/src/privileges/privileges.test.ts b/x-pack/packages/security/authorization_core/src/privileges/privileges.test.ts
index 6af21d5357a72..22fb86f601b3a 100644
--- a/x-pack/packages/security/authorization_core/src/privileges/privileges.test.ts
+++ b/x-pack/packages/security/authorization_core/src/privileges/privileges.test.ts
@@ -481,7 +481,7 @@ describe('features', () => {
         name: 'Feature Alpha',
         app: [],
         category: { id: 'alpha', label: 'alpha' },
-        alerting: ['rule-type-1'],
+        alerting: [{ ruleTypeId: 'rule-type-1', consumers: ['alpha'] }],
         privileges: {
           all: {
             savedObject: {
@@ -491,7 +491,7 @@ describe('features', () => {
             ui: ['all-alpha-ui'],
             app: ['all-alpha-app'],
             api: ['all-alpha-api'],
-            alerting: { rule: { all: ['rule-type-1'] } },
+            alerting: { rule: { all: [{ ruleTypeId: 'rule-type-1', consumers: ['alpha'] }] } },
             replacedBy: [{ feature: 'beta', privileges: ['all'] }],
           },
           read: {
@@ -514,7 +514,7 @@ describe('features', () => {
         name: 'Feature Beta',
         app: [],
         category: { id: 'beta', label: 'beta' },
-        alerting: ['rule-type-1'],
+        alerting: [{ ruleTypeId: 'rule-type-1', consumers: ['beta'] }],
         privileges: {
           all: {
             savedObject: {
@@ -524,7 +524,7 @@ describe('features', () => {
             ui: ['all-beta-ui'],
             app: ['all-beta-app'],
             api: ['all-beta-api'],
-            alerting: { rule: { all: ['rule-type-1'] } },
+            alerting: { rule: { all: [{ ruleTypeId: 'rule-type-1', consumers: ['beta'] }] } },
           },
           read: {
             savedObject: {
@@ -604,13 +604,8 @@ describe('features', () => {
       ...alertingOperations.map((operation) =>
         actions.alerting.get('rule-type-1', 'alpha', 'rule', operation)
       ),
-      // To maintain compatibility with the new UI capabilities and new alerting entities that are
-      // feature specific: all.replacedBy: [{ feature: 'beta', privileges: ['all'] }]
       actions.ui.get('navLinks', 'all-beta-app'),
       actions.ui.get('beta', 'all-beta-ui'),
-      ...alertingOperations.map((operation) =>
-        actions.alerting.get('rule-type-1', 'beta', 'rule', operation)
-      ),
     ];
 
     const expectedReadPrivileges = [
diff --git a/x-pack/packages/security/authorization_core/src/privileges/privileges.ts b/x-pack/packages/security/authorization_core/src/privileges/privileges.ts
index b81eaba5fa54d..f266b2b9a7085 100644
--- a/x-pack/packages/security/authorization_core/src/privileges/privileges.ts
+++ b/x-pack/packages/security/authorization_core/src/privileges/privileges.ts
@@ -94,17 +94,15 @@ export function privilegesFactory(
         // If a privilege is configured with `replacedBy`, it's part of the deprecated feature and
         // should be complemented with the subset of actions from the referenced privileges to
         // maintain backward compatibility. Namely, deprecated privileges should grant the same UI
-        // capabilities and alerting actions as the privileges that replace them, so that the
-        // client-side code can safely use only non-deprecated UI capabilities and users can still
-        // access previously created alerting rules and alerts.
+        // capabilities as the privileges that replace them, so that the client-side code can safely
+        // use only non-deprecated UI capabilities.
         const replacedBy = getReplacedByForPrivilege(privilegeId, privilege);
         if (replacedBy) {
           composablePrivileges.push({
             featureId: feature.id,
             privilegeId,
             references: replacedBy,
-            actionsFilter: (action) =>
-              actions.ui.isValid(action) || actions.alerting.isValid(action),
+            actionsFilter: (action) => actions.ui.isValid(action),
           });
         }
       };
diff --git a/x-pack/plugins/alerting/common/routes/rule/apis/aggregate/schemas/v1.ts b/x-pack/plugins/alerting/common/routes/rule/apis/aggregate/schemas/v1.ts
index 95f07bf3f7bda..57a9499779add 100644
--- a/x-pack/plugins/alerting/common/routes/rule/apis/aggregate/schemas/v1.ts
+++ b/x-pack/plugins/alerting/common/routes/rule/apis/aggregate/schemas/v1.ts
@@ -24,7 +24,8 @@ export const aggregateRulesRequestBodySchema = schema.object({
     )
   ),
   filter: schema.maybe(schema.string()),
-  filter_consumers: schema.maybe(schema.arrayOf(schema.string())),
+  rule_type_ids: schema.maybe(schema.arrayOf(schema.string())),
+  consumers: schema.maybe(schema.arrayOf(schema.string())),
 });
 
 export const aggregateRulesResponseBodySchema = schema.object({
diff --git a/x-pack/plugins/alerting/common/routes/rule/apis/bulk_untrack_by_query/schemas/v1.ts b/x-pack/plugins/alerting/common/routes/rule/apis/bulk_untrack_by_query/schemas/v1.ts
index 62cc67360b162..26e5283cede13 100644
--- a/x-pack/plugins/alerting/common/routes/rule/apis/bulk_untrack_by_query/schemas/v1.ts
+++ b/x-pack/plugins/alerting/common/routes/rule/apis/bulk_untrack_by_query/schemas/v1.ts
@@ -9,5 +9,5 @@ import { schema } from '@kbn/config-schema';
 
 export const bulkUntrackByQueryBodySchema = schema.object({
   query: schema.arrayOf(schema.any()),
-  feature_ids: schema.arrayOf(schema.string()),
+  rule_type_ids: schema.arrayOf(schema.string()),
 });
diff --git a/x-pack/plugins/alerting/common/routes/rule/apis/find/index.ts b/x-pack/plugins/alerting/common/routes/rule/apis/find/index.ts
index 7722521d2b707..b8ebef499e7e0 100644
--- a/x-pack/plugins/alerting/common/routes/rule/apis/find/index.ts
+++ b/x-pack/plugins/alerting/common/routes/rule/apis/find/index.ts
@@ -8,8 +8,13 @@
 export { findRulesRequestQuerySchema } from './schemas/latest';
 export type { FindRulesRequestQuery, FindRulesResponse } from './types/latest';
 
-export { findRulesRequestQuerySchema as findRulesRequestQuerySchemaV1 } from './schemas/v1';
+export {
+  findRulesRequestQuerySchema as findRulesRequestQuerySchemaV1,
+  findRulesInternalRequestBodySchema as findRulesInternalRequestBodySchemaV1,
+} from './schemas/v1';
+
 export type {
   FindRulesRequestQuery as FindRulesRequestQueryV1,
+  FindRulesInternalRequestBody as FindRulesInternalRequestBodyV1,
   FindRulesResponse as FindRulesResponseV1,
 } from './types/latest';
diff --git a/x-pack/plugins/alerting/common/routes/rule/apis/find/schemas/v1.ts b/x-pack/plugins/alerting/common/routes/rule/apis/find/schemas/v1.ts
index 1dece949a9556..06ebfdbacc54d 100644
--- a/x-pack/plugins/alerting/common/routes/rule/apis/find/schemas/v1.ts
+++ b/x-pack/plugins/alerting/common/routes/rule/apis/find/schemas/v1.ts
@@ -103,3 +103,35 @@ export const findRulesRequestQuerySchema = schema.object({
     )
   ),
 });
+
+export const findRulesInternalRequestBodySchema = schema.object({
+  per_page: schema.number({
+    defaultValue: 10,
+    min: 0,
+  }),
+  page: schema.number({
+    defaultValue: 1,
+    min: 1,
+  }),
+  search: schema.maybe(schema.string()),
+  default_search_operator: schema.oneOf([schema.literal('OR'), schema.literal('AND')], {
+    defaultValue: 'OR',
+  }),
+  search_fields: schema.maybe(schema.oneOf([schema.arrayOf(schema.string()), schema.string()])),
+  sort_field: schema.maybe(schema.string()),
+  sort_order: schema.maybe(schema.oneOf([schema.literal('asc'), schema.literal('desc')])),
+  has_reference: schema.maybe(
+    // use nullable as maybe is currently broken
+    // in config-schema
+    schema.nullable(
+      schema.object({
+        type: schema.string(),
+        id: schema.string(),
+      })
+    )
+  ),
+  fields: schema.maybe(schema.arrayOf(schema.string())),
+  filter: schema.maybe(schema.string()),
+  rule_type_ids: schema.maybe(schema.arrayOf(schema.string())),
+  consumers: schema.maybe(schema.arrayOf(schema.string())),
+});
diff --git a/x-pack/plugins/alerting/common/routes/rule/apis/find/types/v1.ts b/x-pack/plugins/alerting/common/routes/rule/apis/find/types/v1.ts
index 271e791282f43..e09b4871eabc9 100644
--- a/x-pack/plugins/alerting/common/routes/rule/apis/find/types/v1.ts
+++ b/x-pack/plugins/alerting/common/routes/rule/apis/find/types/v1.ts
@@ -7,9 +7,10 @@
 
 import type { TypeOf } from '@kbn/config-schema';
 import { RuleParamsV1, RuleResponseV1 } from '../../../response';
-import { findRulesRequestQuerySchemaV1 } from '..';
+import { findRulesRequestQuerySchemaV1, findRulesInternalRequestBodySchemaV1 } from '..';
 
 export type FindRulesRequestQuery = TypeOf<typeof findRulesRequestQuerySchemaV1>;
+export type FindRulesInternalRequestBody = TypeOf<typeof findRulesInternalRequestBodySchemaV1>;
 
 export interface FindRulesResponse<Params extends RuleParamsV1 = never> {
   body: {
diff --git a/x-pack/plugins/alerting/public/pages/maintenance_windows/components/create_maintenance_windows_form.tsx b/x-pack/plugins/alerting/public/pages/maintenance_windows/components/create_maintenance_windows_form.tsx
index 4f35f1478568e..6fdf24a166408 100644
--- a/x-pack/plugins/alerting/public/pages/maintenance_windows/components/create_maintenance_windows_form.tsx
+++ b/x-pack/plugins/alerting/public/pages/maintenance_windows/components/create_maintenance_windows_form.tsx
@@ -31,7 +31,6 @@ import {
 } from '@elastic/eui';
 import { TIMEZONE_OPTIONS as UI_TIMEZONE_OPTIONS } from '@kbn/core-ui-settings-common';
 import { DEFAULT_APP_CATEGORIES } from '@kbn/core-application-common';
-import type { ValidFeatureId } from '@kbn/rule-data-utils';
 import type { Filter } from '@kbn/es-query';
 import type { IHttpFetchError } from '@kbn/core-http-browser';
 import type { KibanaServerError } from '@kbn/kibana-utils-plugin/public';
@@ -73,7 +72,10 @@ const useDefaultTimezone = () => {
   }
   return { defaultTimezone: kibanaTz, isBrowser: false };
 };
-const TIMEZONE_OPTIONS = UI_TIMEZONE_OPTIONS.map((n) => ({ label: n })) ?? [{ label: 'UTC' }];
+
+const TIMEZONE_OPTIONS = UI_TIMEZONE_OPTIONS.map((timezoneOption) => ({
+  label: timezoneOption,
+})) ?? [{ label: 'UTC' }];
 
 export const CreateMaintenanceWindowForm = React.memo<CreateMaintenanceWindowFormProps>((props) => {
   const { onCancel, onSuccess, initialValue, maintenanceWindowId } = props;
@@ -203,6 +205,7 @@ export const CreateMaintenanceWindowForm = React.memo<CreateMaintenanceWindowFor
     form,
     watch: ['recurring', 'timezone', 'categoryIds', 'scopedQuery'],
   });
+
   const isRecurring = recurring || false;
   const showTimezone = isBrowser || initialValue?.timezone !== undefined;
 
@@ -222,20 +225,20 @@ export const CreateMaintenanceWindowForm = React.memo<CreateMaintenanceWindowFor
     return [...new Set(validRuleTypes.map((ruleType) => ruleType.category))];
   }, [validRuleTypes]);
 
-  const featureIds = useMemo(() => {
+  const ruleTypeIds = useMemo(() => {
     if (!Array.isArray(validRuleTypes) || !Array.isArray(categoryIds) || !mounted) {
       return [];
     }
 
-    const featureIdsSet = new Set<ValidFeatureId>();
+    const uniqueRuleTypeIds = new Set<string>();
 
     validRuleTypes.forEach((ruleType) => {
       if (categoryIds.includes(ruleType.category)) {
-        featureIdsSet.add(ruleType.producer as ValidFeatureId);
+        uniqueRuleTypeIds.add(ruleType.id);
       }
     });
 
-    return [...featureIdsSet];
+    return [...uniqueRuleTypeIds];
   }, [validRuleTypes, categoryIds, mounted]);
 
   const onCategoryIdsChange = useCallback(
@@ -472,7 +475,7 @@ export const CreateMaintenanceWindowForm = React.memo<CreateMaintenanceWindowFor
           <UseField path="scopedQuery">
             {() => (
               <MaintenanceWindowScopedQuery
-                featureIds={featureIds}
+                ruleTypeIds={ruleTypeIds}
                 query={query}
                 filters={filters}
                 isLoading={isLoadingRuleTypes}
diff --git a/x-pack/plugins/alerting/public/pages/maintenance_windows/components/maintenance_window_scoped_query.test.tsx b/x-pack/plugins/alerting/public/pages/maintenance_windows/components/maintenance_window_scoped_query.test.tsx
index 74f3fd865fe73..3474805485ac0 100644
--- a/x-pack/plugins/alerting/public/pages/maintenance_windows/components/maintenance_window_scoped_query.test.tsx
+++ b/x-pack/plugins/alerting/public/pages/maintenance_windows/components/maintenance_window_scoped_query.test.tsx
@@ -7,7 +7,6 @@
 
 import React from 'react';
 import { screen } from '@testing-library/react';
-import type { AlertConsumers } from '@kbn/rule-data-utils';
 import { AppMockRenderer, createAppMockRenderer } from '../../../lib/test_utils';
 import { MaintenanceWindowScopedQuery } from './maintenance_window_scoped_query';
 
@@ -47,7 +46,7 @@ describe('MaintenanceWindowScopedQuery', () => {
   it('renders correctly', () => {
     appMockRenderer.render(
       <MaintenanceWindowScopedQuery
-        featureIds={['observability', 'management', 'securitySolution'] as AlertConsumers[]}
+        ruleTypeIds={['apm', '.es-query', 'siem.esqlRule']}
         query={''}
         filters={[]}
         onQueryChange={jest.fn()}
@@ -60,7 +59,7 @@ describe('MaintenanceWindowScopedQuery', () => {
   it('should hide the search bar if isEnabled is false', () => {
     appMockRenderer.render(
       <MaintenanceWindowScopedQuery
-        featureIds={['observability', 'management', 'securitySolution'] as AlertConsumers[]}
+        ruleTypeIds={['apm', '.es-query', 'siem.esqlRule']}
         isEnabled={false}
         query={''}
         filters={[]}
@@ -74,7 +73,7 @@ describe('MaintenanceWindowScopedQuery', () => {
   it('should render loading if isLoading is true', () => {
     appMockRenderer.render(
       <MaintenanceWindowScopedQuery
-        featureIds={['observability', 'management', 'securitySolution'] as AlertConsumers[]}
+        ruleTypeIds={['apm', '.es-query', 'siem.esqlRule']}
         isLoading={true}
         query={''}
         filters={[]}
diff --git a/x-pack/plugins/alerting/public/pages/maintenance_windows/components/maintenance_window_scoped_query.tsx b/x-pack/plugins/alerting/public/pages/maintenance_windows/components/maintenance_window_scoped_query.tsx
index cd9bb6e58398f..2f2cb0fb7ecca 100644
--- a/x-pack/plugins/alerting/public/pages/maintenance_windows/components/maintenance_window_scoped_query.tsx
+++ b/x-pack/plugins/alerting/public/pages/maintenance_windows/components/maintenance_window_scoped_query.tsx
@@ -7,14 +7,13 @@
 import React, { useCallback } from 'react';
 import { i18n } from '@kbn/i18n';
 import { EuiFlexGroup, EuiFlexItem, EuiFormRow, EuiLoadingSpinner } from '@elastic/eui';
-import { AlertConsumers } from '@kbn/rule-data-utils';
 import type { Filter } from '@kbn/es-query';
 import { AlertsSearchBar } from '@kbn/alerts-ui-shared';
 import { PLUGIN } from '../../../../common/constants/plugin';
 import { useKibana } from '../../../utils/kibana_react';
 
 export interface MaintenanceWindowScopedQueryProps {
-  featureIds: AlertConsumers[];
+  ruleTypeIds: string[];
   query: string;
   filters: Filter[];
   errors?: string[];
@@ -27,7 +26,7 @@ export interface MaintenanceWindowScopedQueryProps {
 export const MaintenanceWindowScopedQuery = React.memo(
   (props: MaintenanceWindowScopedQueryProps) => {
     const {
-      featureIds,
+      ruleTypeIds,
       query,
       filters,
       errors = [],
@@ -76,7 +75,7 @@ export const MaintenanceWindowScopedQuery = React.memo(
           <EuiFormRow fullWidth isInvalid={errors.length !== 0} error={errors[0]}>
             <AlertsSearchBar
               appName={PLUGIN.getI18nName(i18n)}
-              featureIds={featureIds}
+              ruleTypeIds={ruleTypeIds}
               disableQueryLanguageSwitcher={true}
               query={query}
               filters={filters}
diff --git a/x-pack/plugins/alerting/server/alerting_authorization_client_factory.test.ts b/x-pack/plugins/alerting/server/alerting_authorization_client_factory.test.ts
index dca53bb3188e9..f29b7acb8eee3 100644
--- a/x-pack/plugins/alerting/server/alerting_authorization_client_factory.test.ts
+++ b/x-pack/plugins/alerting/server/alerting_authorization_client_factory.test.ts
@@ -15,58 +15,78 @@ import { featuresPluginMock } from '@kbn/features-plugin/server/mocks';
 
 jest.mock('./authorization/alerting_authorization');
 
-const features = featuresPluginMock.createStart();
+describe('AlertingAuthorizationClientFactory', () => {
+  const features = featuresPluginMock.createStart();
+  const securityPluginStart = securityMock.createStart();
+  const alertingAuthorizationClientFactoryParams: jest.Mocked<AlertingAuthorizationClientFactoryOpts> =
+    {
+      ruleTypeRegistry: ruleTypeRegistryMock.create(),
+      getSpace: jest.fn(),
+      getSpaceId: jest.fn(),
+      features,
+    };
 
-const securityPluginSetup = securityMock.createSetup();
-const securityPluginStart = securityMock.createStart();
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
 
-const alertingAuthorizationClientFactoryParams: jest.Mocked<AlertingAuthorizationClientFactoryOpts> =
-  {
-    ruleTypeRegistry: ruleTypeRegistryMock.create(),
-    getSpace: jest.fn(),
-    getSpaceId: jest.fn(),
-    features,
-  };
+  it('creates an alerting authorization client with proper constructor arguments when security is enabled', async () => {
+    const factory = new AlertingAuthorizationClientFactory();
 
-beforeEach(() => {
-  jest.resetAllMocks();
-});
+    factory.initialize({
+      securityPluginStart,
+      ...alertingAuthorizationClientFactoryParams,
+    });
+
+    const request = mockRouter.createKibanaRequest();
+
+    await factory.create(request);
 
-test('creates an alerting authorization client with proper constructor arguments when security is enabled', async () => {
-  const factory = new AlertingAuthorizationClientFactory();
-  factory.initialize({
-    securityPluginSetup,
-    securityPluginStart,
-    ...alertingAuthorizationClientFactoryParams,
+    const { AlertingAuthorization } = jest.requireMock('./authorization/alerting_authorization');
+    expect(AlertingAuthorization.create).toHaveBeenCalledWith({
+      request,
+      authorization: securityPluginStart.authz,
+      ruleTypeRegistry: alertingAuthorizationClientFactoryParams.ruleTypeRegistry,
+      features: alertingAuthorizationClientFactoryParams.features,
+      getSpace: expect.any(Function),
+      getSpaceId: expect.any(Function),
+    });
   });
-  const request = mockRouter.createKibanaRequest();
 
-  factory.create(request);
+  it('creates an alerting authorization client with proper constructor arguments', async () => {
+    const factory = new AlertingAuthorizationClientFactory();
+    factory.initialize(alertingAuthorizationClientFactoryParams);
+    const request = mockRouter.createKibanaRequest();
 
-  const { AlertingAuthorization } = jest.requireMock('./authorization/alerting_authorization');
-  expect(AlertingAuthorization).toHaveBeenCalledWith({
-    request,
-    authorization: securityPluginStart.authz,
-    ruleTypeRegistry: alertingAuthorizationClientFactoryParams.ruleTypeRegistry,
-    features: alertingAuthorizationClientFactoryParams.features,
-    getSpace: expect.any(Function),
-    getSpaceId: expect.any(Function),
+    await factory.create(request);
+
+    const { AlertingAuthorization } = jest.requireMock('./authorization/alerting_authorization');
+    expect(AlertingAuthorization.create).toHaveBeenCalledWith({
+      request,
+      ruleTypeRegistry: alertingAuthorizationClientFactoryParams.ruleTypeRegistry,
+      features: alertingAuthorizationClientFactoryParams.features,
+      getSpace: expect.any(Function),
+      getSpaceId: expect.any(Function),
+    });
   });
-});
 
-test('creates an alerting authorization client with proper constructor arguments', async () => {
-  const factory = new AlertingAuthorizationClientFactory();
-  factory.initialize(alertingAuthorizationClientFactoryParams);
-  const request = mockRouter.createKibanaRequest();
+  it('throws when trying to initialize again and it is already initialized', async () => {
+    const factory = new AlertingAuthorizationClientFactory();
+    factory.initialize(alertingAuthorizationClientFactoryParams);
+
+    expect(() =>
+      factory.initialize(alertingAuthorizationClientFactoryParams)
+    ).toThrowErrorMatchingInlineSnapshot(
+      `"AlertingAuthorizationClientFactory already initialized"`
+    );
+  });
 
-  factory.create(request);
+  it('throws when trying to create an instance and the factory is not initialized', async () => {
+    const request = mockRouter.createKibanaRequest();
+    const factory = new AlertingAuthorizationClientFactory();
 
-  const { AlertingAuthorization } = jest.requireMock('./authorization/alerting_authorization');
-  expect(AlertingAuthorization).toHaveBeenCalledWith({
-    request,
-    ruleTypeRegistry: alertingAuthorizationClientFactoryParams.ruleTypeRegistry,
-    features: alertingAuthorizationClientFactoryParams.features,
-    getSpace: expect.any(Function),
-    getSpaceId: expect.any(Function),
+    await expect(() => factory.create(request)).rejects.toThrowErrorMatchingInlineSnapshot(
+      `"AlertingAuthorizationClientFactory must be initialized before calling create"`
+    );
   });
 });
diff --git a/x-pack/plugins/alerting/server/alerting_authorization_client_factory.ts b/x-pack/plugins/alerting/server/alerting_authorization_client_factory.ts
index ca366a6cee0e4..8c5a772501f2b 100644
--- a/x-pack/plugins/alerting/server/alerting_authorization_client_factory.ts
+++ b/x-pack/plugins/alerting/server/alerting_authorization_client_factory.ts
@@ -6,7 +6,7 @@
  */
 
 import { KibanaRequest } from '@kbn/core/server';
-import { SecurityPluginSetup, SecurityPluginStart } from '@kbn/security-plugin/server';
+import { SecurityPluginStart } from '@kbn/security-plugin/server';
 import { FeaturesPluginStart } from '@kbn/features-plugin/server';
 import { Space } from '@kbn/spaces-plugin/server';
 import { AlertingAuthorization } from './authorization/alerting_authorization';
@@ -14,7 +14,6 @@ import { RuleTypeRegistry } from './types';
 
 export interface AlertingAuthorizationClientFactoryOpts {
   ruleTypeRegistry: RuleTypeRegistry;
-  securityPluginSetup?: SecurityPluginSetup;
   securityPluginStart?: SecurityPluginStart;
   getSpace: (request: KibanaRequest) => Promise<Space | undefined>;
   getSpaceId: (request: KibanaRequest) => string;
@@ -23,33 +22,39 @@ export interface AlertingAuthorizationClientFactoryOpts {
 
 export class AlertingAuthorizationClientFactory {
   private isInitialized = false;
-  private ruleTypeRegistry!: RuleTypeRegistry;
-  private securityPluginStart?: SecurityPluginStart;
-  private features!: FeaturesPluginStart;
-  private getSpace!: (request: KibanaRequest) => Promise<Space | undefined>;
-  private getSpaceId!: (request: KibanaRequest) => string;
+  // The reason this is protected is because we'll get type collisions otherwise because we're using a type guard assert
+  // to ensure the options member is instantiated before using it in various places
+  // See for more info: https://stackoverflow.com/questions/66206180/typescript-typeguard-attribut-with-method
+  protected options?: AlertingAuthorizationClientFactoryOpts;
 
   public initialize(options: AlertingAuthorizationClientFactoryOpts) {
     if (this.isInitialized) {
       throw new Error('AlertingAuthorizationClientFactory already initialized');
     }
     this.isInitialized = true;
-    this.getSpace = options.getSpace;
-    this.ruleTypeRegistry = options.ruleTypeRegistry;
-    this.securityPluginStart = options.securityPluginStart;
-    this.features = options.features;
-    this.getSpaceId = options.getSpaceId;
+    this.options = options;
   }
 
-  public create(request: KibanaRequest): AlertingAuthorization {
-    const { securityPluginStart, features } = this;
-    return new AlertingAuthorization({
-      authorization: securityPluginStart?.authz,
+  public async create(request: KibanaRequest): Promise<AlertingAuthorization> {
+    this.validateInitialization();
+
+    return AlertingAuthorization.create({
+      authorization: this.options.securityPluginStart?.authz,
       request,
-      getSpace: this.getSpace,
-      getSpaceId: this.getSpaceId,
-      ruleTypeRegistry: this.ruleTypeRegistry,
-      features: features!,
+      getSpace: this.options.getSpace,
+      getSpaceId: this.options.getSpaceId,
+      ruleTypeRegistry: this.options.ruleTypeRegistry,
+      features: this.options.features,
     });
   }
+
+  private validateInitialization(): asserts this is this & {
+    options: AlertingAuthorizationClientFactoryOpts;
+  } {
+    if (!this.isInitialized || this.options == null) {
+      throw new Error(
+        'AlertingAuthorizationClientFactory must be initialized before calling create'
+      );
+    }
+  }
 }
diff --git a/x-pack/plugins/alerting/server/alerts_service/lib/set_alerts_to_untracked.test.ts b/x-pack/plugins/alerting/server/alerts_service/lib/set_alerts_to_untracked.test.ts
index 54376012aa767..003673f9fdb92 100644
--- a/x-pack/plugins/alerting/server/alerts_service/lib/set_alerts_to_untracked.test.ts
+++ b/x-pack/plugins/alerting/server/alerts_service/lib/set_alerts_to_untracked.test.ts
@@ -15,10 +15,8 @@ import { setAlertsToUntracked } from './set_alerts_to_untracked';
 let clusterClient: ElasticsearchClientMock;
 let logger: ReturnType<(typeof loggingSystemMock)['createLogger']>;
 
-const getAuthorizedRuleTypesMock = jest.fn();
-
+const getAllAuthorizedRuleTypesFindOperationMock = jest.fn();
 const getAlertIndicesAliasMock = jest.fn();
-
 const ensureAuthorizedMock = jest.fn();
 
 describe('setAlertsToUntracked()', () => {
@@ -362,11 +360,16 @@ describe('setAlertsToUntracked()', () => {
   });
 
   test('should untrack by query', async () => {
-    getAuthorizedRuleTypesMock.mockResolvedValue([
-      {
-        id: 'test-rule-type',
-      },
-    ]);
+    getAllAuthorizedRuleTypesFindOperationMock.mockResolvedValue(
+      new Map([
+        [
+          'test-rule-type',
+          {
+            id: 'test-rule-type',
+          },
+        ],
+      ])
+    );
     getAlertIndicesAliasMock.mockResolvedValue(['test-alert-index']);
 
     clusterClient.search.mockResponseOnce({
@@ -441,9 +444,9 @@ describe('setAlertsToUntracked()', () => {
           },
         },
       ],
-      featureIds: ['o11y'],
+      ruleTypeIds: ['my-rule-type-id'],
       spaceId: 'default',
-      getAuthorizedRuleTypes: getAuthorizedRuleTypesMock,
+      getAllAuthorizedRuleTypesFindOperation: getAllAuthorizedRuleTypesFindOperationMock,
       getAlertIndicesAlias: getAlertIndicesAliasMock,
       ensureAuthorized: ensureAuthorizedMock,
       logger,
@@ -527,11 +530,16 @@ describe('setAlertsToUntracked()', () => {
   });
 
   test('should return an empty array if the search returns zero results', async () => {
-    getAuthorizedRuleTypesMock.mockResolvedValue([
-      {
-        id: 'test-rule-type',
-      },
-    ]);
+    getAllAuthorizedRuleTypesFindOperationMock.mockResolvedValue(
+      new Map([
+        [
+          'test-rule-type',
+          {
+            id: 'test-rule-type',
+          },
+        ],
+      ])
+    );
     getAlertIndicesAliasMock.mockResolvedValue(['test-alert-index']);
 
     clusterClient.search.mockResponseOnce({
@@ -575,9 +583,9 @@ describe('setAlertsToUntracked()', () => {
           },
         },
       ],
-      featureIds: ['o11y'],
+      ruleTypeIds: ['my-rule-type-id'],
       spaceId: 'default',
-      getAuthorizedRuleTypes: getAuthorizedRuleTypesMock,
+      getAllAuthorizedRuleTypesFindOperation: getAllAuthorizedRuleTypesFindOperationMock,
       getAlertIndicesAlias: getAlertIndicesAliasMock,
       ensureAuthorized: ensureAuthorizedMock,
       logger,
diff --git a/x-pack/plugins/alerting/server/alerts_service/lib/set_alerts_to_untracked.ts b/x-pack/plugins/alerting/server/alerts_service/lib/set_alerts_to_untracked.ts
index ed0c2cb21e06b..89c8d671de6a0 100644
--- a/x-pack/plugins/alerting/server/alerts_service/lib/set_alerts_to_untracked.ts
+++ b/x-pack/plugins/alerting/server/alerts_service/lib/set_alerts_to_untracked.ts
@@ -21,8 +21,8 @@ import {
   AlertStatus,
 } from '@kbn/rule-data-utils';
 import type { QueryDslQueryContainer } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
-import { AlertingAuthorizationEntity } from '../../authorization/alerting_authorization';
 import type { RulesClientContext } from '../../rules_client';
+import { AlertingAuthorizationEntity } from '../../authorization/types';
 
 type EnsureAuthorized = (opts: { ruleTypeId: string; consumer: string }) => Promise<unknown>;
 
@@ -32,9 +32,9 @@ export interface SetAlertsToUntrackedParams {
   alertUuids?: string[];
   query?: QueryDslQueryContainer[];
   spaceId?: RulesClientContext['spaceId'];
-  featureIds?: string[];
+  ruleTypeIds?: string[];
   isUsingQuery?: boolean;
-  getAuthorizedRuleTypes?: RulesClientContext['authorization']['getAuthorizedRuleTypes'];
+  getAllAuthorizedRuleTypesFindOperation?: RulesClientContext['authorization']['getAllAuthorizedRuleTypesFindOperation'];
   getAlertIndicesAlias?: RulesClientContext['getAlertIndicesAlias'];
   ensureAuthorized?: EnsureAuthorized;
 }
@@ -155,21 +155,26 @@ const ensureAuthorizedToUntrack = async (params: SetAlertsToUntrackedParamsWithD
 };
 
 const getAuthorizedAlertsIndices = async ({
-  featureIds,
-  getAuthorizedRuleTypes,
+  ruleTypeIds,
+  getAllAuthorizedRuleTypesFindOperation,
   getAlertIndicesAlias,
   spaceId,
   logger,
 }: SetAlertsToUntrackedParamsWithDep) => {
   try {
-    const authorizedRuleTypes =
-      (await getAuthorizedRuleTypes?.(AlertingAuthorizationEntity.Alert, new Set(featureIds))) ||
-      [];
-    const indices = getAlertIndicesAlias?.(
-      authorizedRuleTypes.map((art: { id: string }) => art.id),
-      spaceId
-    );
-    return indices;
+    const authorizedRuleTypes = await getAllAuthorizedRuleTypesFindOperation?.({
+      authorizationEntity: AlertingAuthorizationEntity.Alert,
+      ruleTypeIds,
+    });
+
+    if (authorizedRuleTypes) {
+      return getAlertIndicesAlias?.(
+        Array.from(authorizedRuleTypes.keys()).map((id) => id),
+        spaceId
+      );
+    }
+
+    return [];
   } catch (error) {
     const errMessage = `Failed to get authorized rule types to untrack alerts by query: ${error}`;
     logger.error(errMessage);
diff --git a/x-pack/plugins/alerting/server/application/backfill/methods/find/find_backfill.test.ts b/x-pack/plugins/alerting/server/application/backfill/methods/find/find_backfill.test.ts
index dab9d5f38f036..ade1a1f35b59e 100644
--- a/x-pack/plugins/alerting/server/application/backfill/methods/find/find_backfill.test.ts
+++ b/x-pack/plugins/alerting/server/application/backfill/methods/find/find_backfill.test.ts
@@ -241,12 +241,15 @@ describe('findBackfill()', () => {
   test('should successfully find backfill with no filter', async () => {
     const result = await rulesClient.findBackfill({ page: 1, perPage: 10 });
 
-    expect(authorization.getFindAuthorizationFilter).toHaveBeenCalledWith('rule', {
-      fieldNames: {
-        consumer: 'ad_hoc_run_params.attributes.rule.consumer',
-        ruleTypeId: 'ad_hoc_run_params.attributes.rule.alertTypeId',
+    expect(authorization.getFindAuthorizationFilter).toHaveBeenCalledWith({
+      authorizationEntity: 'rule',
+      filterOpts: {
+        fieldNames: {
+          consumer: 'ad_hoc_run_params.attributes.rule.consumer',
+          ruleTypeId: 'ad_hoc_run_params.attributes.rule.alertTypeId',
+        },
+        type: 'kql',
       },
-      type: 'kql',
     });
 
     expect(unsecuredSavedObjectsClient.find).toHaveBeenCalledWith({
@@ -286,12 +289,15 @@ describe('findBackfill()', () => {
   test('should successfully find backfill with rule id', async () => {
     const result = await rulesClient.findBackfill({ page: 1, perPage: 10, ruleIds: 'abc' });
 
-    expect(authorization.getFindAuthorizationFilter).toHaveBeenCalledWith('rule', {
-      fieldNames: {
-        consumer: 'ad_hoc_run_params.attributes.rule.consumer',
-        ruleTypeId: 'ad_hoc_run_params.attributes.rule.alertTypeId',
+    expect(authorization.getFindAuthorizationFilter).toHaveBeenCalledWith({
+      authorizationEntity: 'rule',
+      filterOpts: {
+        fieldNames: {
+          consumer: 'ad_hoc_run_params.attributes.rule.consumer',
+          ruleTypeId: 'ad_hoc_run_params.attributes.rule.alertTypeId',
+        },
+        type: 'kql',
       },
-      type: 'kql',
     });
 
     expect(unsecuredSavedObjectsClient.find).toHaveBeenCalledWith({
@@ -336,12 +342,15 @@ describe('findBackfill()', () => {
       start: '2024-03-29T02:07:55Z',
     });
 
-    expect(authorization.getFindAuthorizationFilter).toHaveBeenCalledWith('rule', {
-      fieldNames: {
-        consumer: 'ad_hoc_run_params.attributes.rule.consumer',
-        ruleTypeId: 'ad_hoc_run_params.attributes.rule.alertTypeId',
+    expect(authorization.getFindAuthorizationFilter).toHaveBeenCalledWith({
+      authorizationEntity: 'rule',
+      filterOpts: {
+        fieldNames: {
+          consumer: 'ad_hoc_run_params.attributes.rule.consumer',
+          ruleTypeId: 'ad_hoc_run_params.attributes.rule.alertTypeId',
+        },
+        type: 'kql',
       },
-      type: 'kql',
     });
 
     expect(unsecuredSavedObjectsClient.find).toHaveBeenCalledWith({
@@ -400,12 +409,15 @@ describe('findBackfill()', () => {
       end: '2024-03-29T02:07:55Z',
     });
 
-    expect(authorization.getFindAuthorizationFilter).toHaveBeenCalledWith('rule', {
-      fieldNames: {
-        consumer: 'ad_hoc_run_params.attributes.rule.consumer',
-        ruleTypeId: 'ad_hoc_run_params.attributes.rule.alertTypeId',
+    expect(authorization.getFindAuthorizationFilter).toHaveBeenCalledWith({
+      authorizationEntity: 'rule',
+      filterOpts: {
+        fieldNames: {
+          consumer: 'ad_hoc_run_params.attributes.rule.consumer',
+          ruleTypeId: 'ad_hoc_run_params.attributes.rule.alertTypeId',
+        },
+        type: 'kql',
       },
-      type: 'kql',
     });
 
     expect(unsecuredSavedObjectsClient.find).toHaveBeenCalledWith({
@@ -465,12 +477,15 @@ describe('findBackfill()', () => {
       end: '2024-03-29T02:07:55Z',
     });
 
-    expect(authorization.getFindAuthorizationFilter).toHaveBeenCalledWith('rule', {
-      fieldNames: {
-        consumer: 'ad_hoc_run_params.attributes.rule.consumer',
-        ruleTypeId: 'ad_hoc_run_params.attributes.rule.alertTypeId',
+    expect(authorization.getFindAuthorizationFilter).toHaveBeenCalledWith({
+      authorizationEntity: 'rule',
+      filterOpts: {
+        fieldNames: {
+          consumer: 'ad_hoc_run_params.attributes.rule.consumer',
+          ruleTypeId: 'ad_hoc_run_params.attributes.rule.alertTypeId',
+        },
+        type: 'kql',
       },
-      type: 'kql',
     });
 
     expect(unsecuredSavedObjectsClient.find).toHaveBeenCalledWith({
@@ -546,12 +561,15 @@ describe('findBackfill()', () => {
       ruleIds: 'abc',
     });
 
-    expect(authorization.getFindAuthorizationFilter).toHaveBeenCalledWith('rule', {
-      fieldNames: {
-        consumer: 'ad_hoc_run_params.attributes.rule.consumer',
-        ruleTypeId: 'ad_hoc_run_params.attributes.rule.alertTypeId',
+    expect(authorization.getFindAuthorizationFilter).toHaveBeenCalledWith({
+      authorizationEntity: 'rule',
+      filterOpts: {
+        fieldNames: {
+          consumer: 'ad_hoc_run_params.attributes.rule.consumer',
+          ruleTypeId: 'ad_hoc_run_params.attributes.rule.alertTypeId',
+        },
+        type: 'kql',
       },
-      type: 'kql',
     });
 
     expect(unsecuredSavedObjectsClient.find).toHaveBeenCalledWith({
@@ -627,12 +645,15 @@ describe('findBackfill()', () => {
       sortOrder: 'asc',
     });
 
-    expect(authorization.getFindAuthorizationFilter).toHaveBeenCalledWith('rule', {
-      fieldNames: {
-        consumer: 'ad_hoc_run_params.attributes.rule.consumer',
-        ruleTypeId: 'ad_hoc_run_params.attributes.rule.alertTypeId',
+    expect(authorization.getFindAuthorizationFilter).toHaveBeenCalledWith({
+      authorizationEntity: 'rule',
+      filterOpts: {
+        fieldNames: {
+          consumer: 'ad_hoc_run_params.attributes.rule.consumer',
+          ruleTypeId: 'ad_hoc_run_params.attributes.rule.alertTypeId',
+        },
+        type: 'kql',
       },
-      type: 'kql',
     });
 
     expect(unsecuredSavedObjectsClient.find).toHaveBeenCalledWith({
diff --git a/x-pack/plugins/alerting/server/application/backfill/methods/find/find_backfill.ts b/x-pack/plugins/alerting/server/application/backfill/methods/find/find_backfill.ts
index 522128d0385f8..3482d854bda1f 100644
--- a/x-pack/plugins/alerting/server/application/backfill/methods/find/find_backfill.ts
+++ b/x-pack/plugins/alerting/server/application/backfill/methods/find/find_backfill.ts
@@ -40,16 +40,16 @@ export async function findBackfill(
 
     let authorizationTuple;
     try {
-      authorizationTuple = await context.authorization.getFindAuthorizationFilter(
-        AlertingAuthorizationEntity.Rule,
-        {
+      authorizationTuple = await context.authorization.getFindAuthorizationFilter({
+        authorizationEntity: AlertingAuthorizationEntity.Rule,
+        filterOpts: {
           type: AlertingAuthorizationFilterType.KQL,
           fieldNames: {
             ruleTypeId: 'ad_hoc_run_params.attributes.rule.alertTypeId',
             consumer: 'ad_hoc_run_params.attributes.rule.consumer',
           },
-        }
-      );
+        },
+      });
     } catch (error) {
       context.auditLogger?.log(
         adHocRunAuditEvent({
diff --git a/x-pack/plugins/alerting/server/application/backfill/methods/schedule/schedule_backfill.test.ts b/x-pack/plugins/alerting/server/application/backfill/methods/schedule/schedule_backfill.test.ts
index b8f1e5af9c869..a0a79421c7358 100644
--- a/x-pack/plugins/alerting/server/application/backfill/methods/schedule/schedule_backfill.test.ts
+++ b/x-pack/plugins/alerting/server/application/backfill/methods/schedule/schedule_backfill.test.ts
@@ -251,12 +251,15 @@ describe('scheduleBackfill()', () => {
     const mockData = [getMockData(), getMockData({ ruleId: '2', end: '2023-11-17T08:00:00.000Z' })];
     const result = await rulesClient.scheduleBackfill(mockData);
 
-    expect(authorization.getFindAuthorizationFilter).toHaveBeenCalledWith('rule', {
-      fieldNames: {
-        consumer: 'alert.attributes.consumer',
-        ruleTypeId: 'alert.attributes.alertTypeId',
+    expect(authorization.getFindAuthorizationFilter).toHaveBeenCalledWith({
+      authorizationEntity: 'rule',
+      filterOpts: {
+        fieldNames: {
+          consumer: 'alert.attributes.consumer',
+          ruleTypeId: 'alert.attributes.alertTypeId',
+        },
+        type: 'kql',
       },
-      type: 'kql',
     });
 
     expect(unsecuredSavedObjectsClient.find).toHaveBeenCalledWith({
diff --git a/x-pack/plugins/alerting/server/application/backfill/methods/schedule/schedule_backfill.ts b/x-pack/plugins/alerting/server/application/backfill/methods/schedule/schedule_backfill.ts
index 534262aa31c31..2dec1a78e3171 100644
--- a/x-pack/plugins/alerting/server/application/backfill/methods/schedule/schedule_backfill.ts
+++ b/x-pack/plugins/alerting/server/application/backfill/methods/schedule/schedule_backfill.ts
@@ -46,10 +46,10 @@ export async function scheduleBackfill(
 
   let authorizationTuple;
   try {
-    authorizationTuple = await context.authorization.getFindAuthorizationFilter(
-      AlertingAuthorizationEntity.Rule,
-      alertingAuthorizationFilterOpts
-    );
+    authorizationTuple = await context.authorization.getFindAuthorizationFilter({
+      authorizationEntity: AlertingAuthorizationEntity.Rule,
+      filterOpts: alertingAuthorizationFilterOpts,
+    });
   } catch (error) {
     context.auditLogger?.log(
       ruleAuditEvent({
diff --git a/x-pack/plugins/alerting/server/application/rule/methods/aggregate/aggregate_rules.test.ts b/x-pack/plugins/alerting/server/application/rule/methods/aggregate/aggregate_rules.test.ts
index 57fb2bf8f48a4..23ccbf97cb6ce 100644
--- a/x-pack/plugins/alerting/server/application/rule/methods/aggregate/aggregate_rules.test.ts
+++ b/x-pack/plugins/alerting/server/application/rule/methods/aggregate/aggregate_rules.test.ts
@@ -23,7 +23,7 @@ import { auditLoggerMock } from '@kbn/security-plugin/server/audit/mocks';
 import { getBeforeSetup, setGlobalDate } from '../../../../rules_client/tests/lib';
 
 import { RegistryRuleType } from '../../../../rule_type_registry';
-import { fromKueryExpression, nodeTypes } from '@kbn/es-query';
+import { fromKueryExpression, nodeTypes, toKqlExpression } from '@kbn/es-query';
 import { RecoveredActionGroup } from '../../../../../common';
 import { DefaultRuleAggregationResult } from '../../../../routes/rule/apis/aggregate/types';
 import { defaultRuleAggregationFactory } from '.';
@@ -78,24 +78,28 @@ beforeEach(() => {
 setGlobalDate();
 
 describe('aggregate()', () => {
-  const listedTypes = new Set<RegistryRuleType>([
-    {
-      actionGroups: [],
-      actionVariables: undefined,
-      defaultActionGroupId: 'default',
-      minimumLicenseRequired: 'basic',
-      isExportable: true,
-      recoveryActionGroup: RecoveredActionGroup,
-      id: 'myType',
-      name: 'myType',
-      category: 'test',
-      producer: 'myApp',
-      enabledInLicense: true,
-      hasAlertsMappings: false,
-      hasFieldsForAAD: false,
-      validLegacyConsumers: [],
-    },
+  const listedTypes = new Map<string, RegistryRuleType>([
+    [
+      'myType',
+      {
+        actionGroups: [],
+        actionVariables: undefined,
+        defaultActionGroupId: 'default',
+        minimumLicenseRequired: 'basic',
+        isExportable: true,
+        recoveryActionGroup: RecoveredActionGroup,
+        id: 'myType',
+        name: 'myType',
+        category: 'test',
+        producer: 'myApp',
+        enabledInLicense: true,
+        hasAlertsMappings: false,
+        hasFieldsForAAD: false,
+        validLegacyConsumers: [],
+      },
+    ],
   ]);
+
   beforeEach(() => {
     authorization.getFindAuthorizationFilter.mockResolvedValue({
       ensureRuleTypeIsAuthorized() {},
@@ -161,26 +165,16 @@ describe('aggregate()', () => {
     });
 
     ruleTypeRegistry.list.mockReturnValue(listedTypes);
-    authorization.filterByRuleTypeAuthorization.mockResolvedValue(
-      new Set([
-        {
-          id: 'myType',
-          name: 'Test',
-          actionGroups: [{ id: 'default', name: 'Default' }],
-          defaultActionGroupId: 'default',
-          minimumLicenseRequired: 'basic',
-          isExportable: true,
-          recoveryActionGroup: RecoveredActionGroup,
-          category: 'test',
-          producer: 'alerts',
-          authorizedConsumers: {
-            myApp: { read: true, all: true },
+    authorization.getAuthorizedRuleTypes.mockResolvedValue(
+      new Map([
+        [
+          'myType',
+          {
+            authorizedConsumers: {
+              myApp: { read: true, all: true },
+            },
           },
-          enabledInLicense: true,
-          hasAlertsMappings: false,
-          hasFieldsForAAD: false,
-          validLegacyConsumers: [],
-        },
+        ],
       ])
     );
   });
@@ -394,6 +388,34 @@ describe('aggregate()', () => {
     ]);
   });
 
+  test('combines the filters with the auth filter correctly', async () => {
+    const authFilter = fromKueryExpression(
+      'alert.attributes.alertTypeId:myType and alert.attributes.consumer:myApp'
+    );
+
+    authorization.getFindAuthorizationFilter.mockResolvedValue({
+      filter: authFilter,
+      ensureRuleTypeIsAuthorized() {},
+    });
+
+    const rulesClient = new RulesClient(rulesClientParams);
+    await rulesClient.aggregate({
+      options: {
+        ruleTypeIds: ['my-rule-type-id'],
+        consumers: ['bar'],
+        filter: `alert.attributes.tags: ['bar']`,
+      },
+      aggs: defaultRuleAggregationFactory(),
+    });
+
+    const finalFilter = unsecuredSavedObjectsClient.find.mock.calls[0][0].filter;
+
+    expect(unsecuredSavedObjectsClient.find).toHaveBeenCalledTimes(1);
+    expect(toKqlExpression(finalFilter)).toMatchInlineSnapshot(
+      `"((alert.attributes.tags: ['bar'] AND alert.attributes.alertTypeId: my-rule-type-id AND alert.attributes.consumer: bar) AND (alert.attributes.alertTypeId: myType AND alert.attributes.consumer: myApp))"`
+    );
+  });
+
   test('logs audit event when not authorized to aggregate rules', async () => {
     const rulesClient = new RulesClient({ ...rulesClientParams, auditLogger });
     authorization.getFindAuthorizationFilter.mockRejectedValue(new Error('Unauthorized'));
diff --git a/x-pack/plugins/alerting/server/application/rule/methods/aggregate/aggregate_rules.ts b/x-pack/plugins/alerting/server/application/rule/methods/aggregate/aggregate_rules.ts
index 9011b971e629a..307e27184ca7e 100644
--- a/x-pack/plugins/alerting/server/application/rule/methods/aggregate/aggregate_rules.ts
+++ b/x-pack/plugins/alerting/server/application/rule/methods/aggregate/aggregate_rules.ts
@@ -5,8 +5,13 @@
  * 2.0.
  */
 
-import { KueryNode, nodeBuilder } from '@kbn/es-query';
-import { isEmpty } from 'lodash';
+import type { KueryNode } from '@kbn/es-query';
+import {
+  buildConsumersFilter,
+  buildRuleTypeIdsFilter,
+  combineFilterWithAuthorizationFilter,
+  combineFilters,
+} from '../../../../rules_client/common/filters';
 import { findRulesSo } from '../../../../data/rule';
 import { AlertingAuthorizationEntity } from '../../../../authorization';
 import { ruleAuditEvent, RuleAuditAction } from '../../../../rules_client/common/audit_events';
@@ -22,15 +27,15 @@ export async function aggregateRules<T = Record<string, unknown>>(
   params: AggregateParams<T>
 ): Promise<T> {
   const { options = {}, aggs } = params;
-  const { filter, page = 1, perPage = 0, filterConsumers, ...restOptions } = options;
+  const { filter, page = 1, perPage = 0, ruleTypeIds, consumers, ...restOptions } = options;
 
   let authorizationTuple;
   try {
-    authorizationTuple = await context.authorization.getFindAuthorizationFilter(
-      AlertingAuthorizationEntity.Rule,
-      alertingAuthorizationFilterOpts,
-      isEmpty(filterConsumers) ? undefined : new Set(filterConsumers)
-    );
+    authorizationTuple = await context.authorization.getFindAuthorizationFilter({
+      authorizationEntity: AlertingAuthorizationEntity.Rule,
+      filterOpts: alertingAuthorizationFilterOpts,
+    });
+
     validateRuleAggregationFields(aggs);
     aggregateOptionsSchema.validate(options);
   } catch (error) {
@@ -45,15 +50,21 @@ export async function aggregateRules<T = Record<string, unknown>>(
 
   const { filter: authorizationFilter } = authorizationTuple;
   const filterKueryNode = buildKueryNodeFilter(filter);
+  const ruleTypeIdsFilter = buildRuleTypeIdsFilter(ruleTypeIds);
+  const consumersFilter = buildConsumersFilter(consumers);
+  const combinedFilters = combineFilters(
+    [filterKueryNode, ruleTypeIdsFilter, consumersFilter],
+    'and'
+  );
 
   const { aggregations } = await findRulesSo<T>({
     savedObjectsClient: context.unsecuredSavedObjectsClient,
     savedObjectsFindOptions: {
       ...restOptions,
-      filter:
-        authorizationFilter && filterKueryNode
-          ? nodeBuilder.and([filterKueryNode, authorizationFilter as KueryNode])
-          : authorizationFilter,
+      filter: combineFilterWithAuthorizationFilter(
+        combinedFilters,
+        authorizationFilter as KueryNode
+      ),
       page,
       perPage,
       aggs,
diff --git a/x-pack/plugins/alerting/server/application/rule/methods/aggregate/schemas/aggregate_options_schema.ts b/x-pack/plugins/alerting/server/application/rule/methods/aggregate/schemas/aggregate_options_schema.ts
index 7250094160a04..d26f48e2462f5 100644
--- a/x-pack/plugins/alerting/server/application/rule/methods/aggregate/schemas/aggregate_options_schema.ts
+++ b/x-pack/plugins/alerting/server/application/rule/methods/aggregate/schemas/aggregate_options_schema.ts
@@ -16,7 +16,8 @@ export const aggregateOptionsSchema = schema.object({
       id: schema.string(),
     })
   ),
-  filterConsumers: schema.maybe(schema.arrayOf(schema.string())),
+  ruleTypeIds: schema.maybe(schema.arrayOf(schema.string())),
+  consumers: schema.maybe(schema.arrayOf(schema.string())),
   // filter type is `string | KueryNode`, but `KueryNode` has no schema to import yet
   filter: schema.maybe(
     schema.oneOf([schema.string(), schema.recordOf(schema.string(), schema.any())])
diff --git a/x-pack/plugins/alerting/server/application/rule/methods/aggregate/types/index.ts b/x-pack/plugins/alerting/server/application/rule/methods/aggregate/types/index.ts
index 2156fb91e8778..e146928efcfff 100644
--- a/x-pack/plugins/alerting/server/application/rule/methods/aggregate/types/index.ts
+++ b/x-pack/plugins/alerting/server/application/rule/methods/aggregate/types/index.ts
@@ -9,17 +9,9 @@ import { TypeOf } from '@kbn/config-schema';
 import { KueryNode } from '@kbn/es-query';
 import { aggregateOptionsSchema } from '../schemas';
 
-type AggregateOptionsSchemaTypes = TypeOf<typeof aggregateOptionsSchema>;
 export type AggregateOptions = TypeOf<typeof aggregateOptionsSchema> & {
-  search?: AggregateOptionsSchemaTypes['search'];
-  defaultSearchOperator?: AggregateOptionsSchemaTypes['defaultSearchOperator'];
-  searchFields?: AggregateOptionsSchemaTypes['searchFields'];
-  hasReference?: AggregateOptionsSchemaTypes['hasReference'];
   // Adding filter as in schema it's defined as any instead of KueryNode
   filter?: string | KueryNode;
-  page?: AggregateOptionsSchemaTypes['page'];
-  perPage?: AggregateOptionsSchemaTypes['perPage'];
-  filterConsumers?: string[];
 };
 
 export interface AggregateParams<AggregationResult> {
diff --git a/x-pack/plugins/alerting/server/application/rule/methods/bulk_edit/bulk_edit_rules.ts b/x-pack/plugins/alerting/server/application/rule/methods/bulk_edit/bulk_edit_rules.ts
index 8868065fa43a5..f7d83545ec193 100644
--- a/x-pack/plugins/alerting/server/application/rule/methods/bulk_edit/bulk_edit_rules.ts
+++ b/x-pack/plugins/alerting/server/application/rule/methods/bulk_edit/bulk_edit_rules.ts
@@ -132,10 +132,10 @@ export async function bulkEditRules<Params extends RuleParams>(
   const qNodeFilter = ids ? convertRuleIdsToKueryNode(ids) : qNodeQueryFilter;
   let authorizationTuple;
   try {
-    authorizationTuple = await context.authorization.getFindAuthorizationFilter(
-      AlertingAuthorizationEntity.Rule,
-      alertingAuthorizationFilterOpts
-    );
+    authorizationTuple = await context.authorization.getFindAuthorizationFilter({
+      authorizationEntity: AlertingAuthorizationEntity.Rule,
+      filterOpts: alertingAuthorizationFilterOpts,
+    });
   } catch (error) {
     context.auditLogger?.log(
       ruleAuditEvent({
diff --git a/x-pack/plugins/alerting/server/application/rule/methods/bulk_untrack/bulk_untrack_alerts.ts b/x-pack/plugins/alerting/server/application/rule/methods/bulk_untrack/bulk_untrack_alerts.ts
index 304037782f6d3..e93f82da28cbe 100644
--- a/x-pack/plugins/alerting/server/application/rule/methods/bulk_untrack/bulk_untrack_alerts.ts
+++ b/x-pack/plugins/alerting/server/application/rule/methods/bulk_untrack/bulk_untrack_alerts.ts
@@ -41,12 +41,11 @@ async function bulkUntrackAlertsWithOCC(context: RulesClientContext, params: Bul
     if (!context.alertsService) throw new Error('unable to access alertsService');
     const result = await context.alertsService.setAlertsToUntracked({
       ...params,
-      featureIds: params.featureIds || [],
+      ruleTypeIds: params.ruleTypeIds || [],
       spaceId: context.spaceId,
       getAlertIndicesAlias: context.getAlertIndicesAlias,
-      getAuthorizedRuleTypes: context.authorization.getAuthorizedRuleTypes.bind(
-        context.authorization
-      ),
+      getAllAuthorizedRuleTypesFindOperation:
+        context.authorization.getAllAuthorizedRuleTypesFindOperation.bind(context.authorization),
       ensureAuthorized: async ({
         ruleTypeId,
         consumer,
diff --git a/x-pack/plugins/alerting/server/application/rule/methods/bulk_untrack/schemas/bulk_untrack_body_schema.ts b/x-pack/plugins/alerting/server/application/rule/methods/bulk_untrack/schemas/bulk_untrack_body_schema.ts
index f597d9f5b6fa4..8a4affbc83c3f 100644
--- a/x-pack/plugins/alerting/server/application/rule/methods/bulk_untrack/schemas/bulk_untrack_body_schema.ts
+++ b/x-pack/plugins/alerting/server/application/rule/methods/bulk_untrack/schemas/bulk_untrack_body_schema.ts
@@ -11,5 +11,5 @@ export const bulkUntrackBodySchema = schema.object({
   indices: schema.maybe(schema.arrayOf(schema.string())),
   alertUuids: schema.maybe(schema.arrayOf(schema.string())),
   query: schema.maybe(schema.arrayOf(schema.any())),
-  featureIds: schema.maybe(schema.arrayOf(schema.string())),
+  ruleTypeIds: schema.maybe(schema.arrayOf(schema.string())),
 });
diff --git a/x-pack/plugins/alerting/server/application/rule/methods/create/create_rule.ts b/x-pack/plugins/alerting/server/application/rule/methods/create/create_rule.ts
index 34e13b65d76c5..3514f8ce2237b 100644
--- a/x-pack/plugins/alerting/server/application/rule/methods/create/create_rule.ts
+++ b/x-pack/plugins/alerting/server/application/rule/methods/create/create_rule.ts
@@ -84,6 +84,12 @@ export async function createRule<Params extends RuleParams = never>(
     throw Boom.badRequest(`Error validating create data - ${error.message}`);
   }
 
+  /**
+   * ruleTypeRegistry.get will throw a 400 (Bad request)
+   * error if the rule type is not registered.
+   */
+  context.ruleTypeRegistry.get(data.alertTypeId);
+
   let validationPayload: ValidateScheduleLimitResult = null;
   if (data.enabled) {
     validationPayload = await validateScheduleLimit({
diff --git a/x-pack/plugins/alerting/server/application/rule/methods/find/find_rules.test.ts b/x-pack/plugins/alerting/server/application/rule/methods/find/find_rules.test.ts
index e6bfd3408a538..369549d839c79 100644
--- a/x-pack/plugins/alerting/server/application/rule/methods/find/find_rules.test.ts
+++ b/x-pack/plugins/alerting/server/application/rule/methods/find/find_rules.test.ts
@@ -15,7 +15,7 @@ import {
 import { taskManagerMock } from '@kbn/task-manager-plugin/server/mocks';
 import { ruleTypeRegistryMock } from '../../../../rule_type_registry.mock';
 import { alertingAuthorizationMock } from '../../../../authorization/alerting_authorization.mock';
-import { nodeTypes, fromKueryExpression } from '@kbn/es-query';
+import { nodeTypes, fromKueryExpression, toKqlExpression } from '@kbn/es-query';
 import { encryptedSavedObjectsMock } from '@kbn/encrypted-saved-objects-plugin/server/mocks';
 import { actionsAuthorizationMock } from '@kbn/actions-plugin/server/mocks';
 import { AlertingAuthorization } from '../../../../authorization/alerting_authorization';
@@ -92,23 +92,26 @@ jest.mock('../../../../rules_client/common/map_sort_field', () => ({
 }));
 
 describe('find()', () => {
-  const listedTypes = new Set<RegistryRuleType>([
-    {
-      actionGroups: [],
-      recoveryActionGroup: RecoveredActionGroup,
-      actionVariables: undefined,
-      defaultActionGroupId: 'default',
-      minimumLicenseRequired: 'basic',
-      isExportable: true,
-      id: 'myType',
-      name: 'myType',
-      category: 'test',
-      producer: 'myApp',
-      enabledInLicense: true,
-      hasAlertsMappings: false,
-      hasFieldsForAAD: false,
-      validLegacyConsumers: [],
-    },
+  const listedTypes = new Map<string, RegistryRuleType>([
+    [
+      'myType',
+      {
+        actionGroups: [],
+        recoveryActionGroup: RecoveredActionGroup,
+        actionVariables: undefined,
+        defaultActionGroupId: 'default',
+        minimumLicenseRequired: 'basic',
+        isExportable: true,
+        id: 'myType',
+        name: 'myType',
+        category: 'test',
+        producer: 'myApp',
+        enabledInLicense: true,
+        hasAlertsMappings: false,
+        hasFieldsForAAD: false,
+        validLegacyConsumers: [],
+      },
+    ],
   ]);
 
   beforeEach(() => {
@@ -163,26 +166,16 @@ describe('find()', () => {
     });
 
     ruleTypeRegistry.list.mockReturnValue(listedTypes);
-    authorization.filterByRuleTypeAuthorization.mockResolvedValue(
-      new Set([
-        {
-          id: 'myType',
-          name: 'Test',
-          actionGroups: [{ id: 'default', name: 'Default' }],
-          recoveryActionGroup: RecoveredActionGroup,
-          defaultActionGroupId: 'default',
-          minimumLicenseRequired: 'basic',
-          isExportable: true,
-          category: 'test',
-          producer: 'alerts',
-          authorizedConsumers: {
-            myApp: { read: true, all: true },
+    authorization.getAuthorizedRuleTypes.mockResolvedValue(
+      new Map([
+        [
+          'myType',
+          {
+            authorizedConsumers: {
+              myApp: { read: true, all: true },
+            },
           },
-          enabledInLicense: true,
-          hasAlertsMappings: false,
-          hasFieldsForAAD: false,
-          validLegacyConsumers: [],
-        },
+        ],
       ])
     );
   });
@@ -235,7 +228,7 @@ describe('find()', () => {
       Array [
         Object {
           "fields": undefined,
-          "filter": null,
+          "filter": undefined,
           "sortField": undefined,
           "type": "alert",
         },
@@ -349,7 +342,7 @@ describe('find()', () => {
       Array [
         Object {
           "fields": undefined,
-          "filter": null,
+          "filter": undefined,
           "sortField": undefined,
           "type": "alert",
         },
@@ -461,7 +454,7 @@ describe('find()', () => {
       Array [
         Object {
           "fields": undefined,
-          "filter": null,
+          "filter": undefined,
           "sortField": undefined,
           "type": "alert",
         },
@@ -513,13 +506,34 @@ describe('find()', () => {
     authorization.getFindAuthorizationFilter.mockResolvedValue({
       ensureRuleTypeIsAuthorized() {},
     });
+
     const injectReferencesFn = jest.fn().mockReturnValue({
       bar: true,
       parameterThatIsSavedObjectId: '9',
     });
-    ruleTypeRegistry.list.mockReturnValue(
-      new Set([
-        ...listedTypes,
+
+    const ruleTypes = new Map<string, RegistryRuleType>([
+      [
+        'myType',
+        {
+          actionGroups: [],
+          recoveryActionGroup: RecoveredActionGroup,
+          actionVariables: undefined,
+          defaultActionGroupId: 'default',
+          minimumLicenseRequired: 'basic',
+          isExportable: true,
+          id: 'myType',
+          name: 'myType',
+          category: 'test',
+          producer: 'myApp',
+          enabledInLicense: true,
+          hasAlertsMappings: false,
+          hasFieldsForAAD: false,
+          validLegacyConsumers: [],
+        },
+      ],
+      [
+        '123',
         {
           actionGroups: [],
           recoveryActionGroup: RecoveredActionGroup,
@@ -536,8 +550,10 @@ describe('find()', () => {
           hasFieldsForAAD: false,
           validLegacyConsumers: [],
         },
-      ])
-    );
+      ],
+    ]);
+
+    ruleTypeRegistry.list.mockReturnValue(ruleTypes);
     ruleTypeRegistry.get.mockImplementationOnce(() => ({
       id: 'myType',
       name: 'myType',
@@ -750,12 +766,33 @@ describe('find()', () => {
     authorization.getFindAuthorizationFilter.mockResolvedValue({
       ensureRuleTypeIsAuthorized() {},
     });
+
     const injectReferencesFn = jest.fn().mockImplementation(() => {
       throw new Error('something went wrong!');
     });
-    ruleTypeRegistry.list.mockReturnValue(
-      new Set([
-        ...listedTypes,
+
+    const ruleTypes = new Map<string, RegistryRuleType>([
+      [
+        'myType',
+        {
+          actionGroups: [],
+          recoveryActionGroup: RecoveredActionGroup,
+          actionVariables: undefined,
+          defaultActionGroupId: 'default',
+          minimumLicenseRequired: 'basic',
+          isExportable: true,
+          id: 'myType',
+          name: 'myType',
+          category: 'test',
+          producer: 'myApp',
+          enabledInLicense: true,
+          hasAlertsMappings: false,
+          hasFieldsForAAD: false,
+          validLegacyConsumers: [],
+        },
+      ],
+      [
+        '123',
         {
           actionGroups: [],
           recoveryActionGroup: RecoveredActionGroup,
@@ -772,8 +809,10 @@ describe('find()', () => {
           hasFieldsForAAD: false,
           validLegacyConsumers: [],
         },
-      ])
-    );
+      ],
+    ]);
+
+    ruleTypeRegistry.list.mockReturnValue(ruleTypes);
     ruleTypeRegistry.get.mockImplementationOnce(() => ({
       id: 'myType',
       name: 'myType',
@@ -792,6 +831,7 @@ describe('find()', () => {
       },
       validLegacyConsumers: [],
     }));
+
     ruleTypeRegistry.get.mockImplementationOnce(() => ({
       id: '123',
       name: 'Test',
@@ -987,12 +1027,58 @@ describe('find()', () => {
 
       expect(unsecuredSavedObjectsClient.find).toHaveBeenCalledWith({
         fields: ['tags', 'alertTypeId', 'consumer'],
-        filter: null,
+        filter: undefined,
         sortField: undefined,
         type: RULE_SAVED_OBJECT_TYPE,
       });
       expect(ensureRuleTypeIsAuthorized).toHaveBeenCalledWith('myType', 'myApp', 'rule');
     });
+
+    test('calls getFindAuthorizationFilter correctly', async () => {
+      authorization.getFindAuthorizationFilter.mockResolvedValue({
+        ensureRuleTypeIsAuthorized() {},
+      });
+
+      const rulesClient = new RulesClient(rulesClientParams);
+      await rulesClient.find({ options: { ruleTypeIds: ['foo'], consumers: ['bar'] } });
+
+      expect(authorization.getFindAuthorizationFilter).toHaveBeenCalledWith({
+        authorizationEntity: 'rule',
+        filterOpts: {
+          fieldNames: {
+            consumer: 'alert.attributes.consumer',
+            ruleTypeId: 'alert.attributes.alertTypeId',
+          },
+          type: 'kql',
+        },
+      });
+    });
+
+    test('combines the filters with the auth filter correctly', async () => {
+      const filter = fromKueryExpression(
+        'alert.attributes.alertTypeId:myType and alert.attributes.consumer:myApp'
+      );
+
+      authorization.getFindAuthorizationFilter.mockResolvedValue({
+        filter,
+        ensureRuleTypeIsAuthorized() {},
+      });
+
+      const rulesClient = new RulesClient(rulesClientParams);
+      await rulesClient.find({
+        options: {
+          ruleTypeIds: ['foo'],
+          consumers: ['bar'],
+          filter: `alert.attributes.tags: ['bar']`,
+        },
+      });
+
+      const finalFilter = unsecuredSavedObjectsClient.find.mock.calls[0][0].filter;
+
+      expect(toKqlExpression(finalFilter)).toMatchInlineSnapshot(
+        `"((alert.attributes.tags: ['bar'] AND alert.attributes.alertTypeId: foo AND alert.attributes.consumer: bar) AND (alert.attributes.alertTypeId: myType AND alert.attributes.consumer: myApp))"`
+      );
+    });
   });
 
   describe('auditLogger', () => {
diff --git a/x-pack/plugins/alerting/server/application/rule/methods/find/find_rules.ts b/x-pack/plugins/alerting/server/application/rule/methods/find/find_rules.ts
index 7e4efb2665f6b..26441a4474473 100644
--- a/x-pack/plugins/alerting/server/application/rule/methods/find/find_rules.ts
+++ b/x-pack/plugins/alerting/server/application/rule/methods/find/find_rules.ts
@@ -6,11 +6,17 @@
  */
 
 import Boom from '@hapi/boom';
-import { isEmpty, pick } from 'lodash';
-import { KueryNode, nodeBuilder } from '@kbn/es-query';
+import { pick } from 'lodash';
+import { KueryNode } from '@kbn/es-query';
 import { AlertConsumers } from '@kbn/rule-data-utils';
+import {
+  buildConsumersFilter,
+  buildRuleTypeIdsFilter,
+  combineFilterWithAuthorizationFilter,
+  combineFilters,
+} from '../../../../rules_client/common/filters';
+import { AlertingAuthorizationEntity } from '../../../../authorization/types';
 import { SanitizedRule, Rule as DeprecatedRule, RawRule } from '../../../../types';
-import { AlertingAuthorizationEntity } from '../../../../authorization';
 import { ruleAuditEvent, RuleAuditAction } from '../../../../rules_client/common/audit_events';
 import {
   mapSortField,
@@ -46,7 +52,7 @@ export async function findRules<Params extends RuleParams = never>(
 ): Promise<FindResult<Params>> {
   const { options, excludeFromPublicApi = false, includeSnoozeData = false } = params || {};
 
-  const { fields, filterConsumers, ...restOptions } = options || {};
+  const { fields, ruleTypeIds, consumers, ...restOptions } = options || {};
 
   try {
     if (params) {
@@ -58,11 +64,10 @@ export async function findRules<Params extends RuleParams = never>(
 
   let authorizationTuple;
   try {
-    authorizationTuple = await context.authorization.getFindAuthorizationFilter(
-      AlertingAuthorizationEntity.Rule,
-      alertingAuthorizationFilterOpts,
-      isEmpty(filterConsumers) ? undefined : new Set(filterConsumers)
-    );
+    authorizationTuple = await context.authorization.getFindAuthorizationFilter({
+      authorizationEntity: AlertingAuthorizationEntity.Rule,
+      filterOpts: alertingAuthorizationFilterOpts,
+    });
   } catch (error) {
     context.auditLogger?.log(
       ruleAuditEvent({
@@ -76,6 +81,7 @@ export async function findRules<Params extends RuleParams = never>(
   const { filter: authorizationFilter, ensureRuleTypeIsAuthorized } = authorizationTuple;
   const filterKueryNode = buildKueryNodeFilter(restOptions.filter as string | KueryNode);
   let sortField = mapSortField(restOptions.sortField);
+
   if (excludeFromPublicApi) {
     try {
       validateOperationOnAttributes(
@@ -111,6 +117,18 @@ export async function findRules<Params extends RuleParams = never>(
     modifyFilterKueryNode({ astFilter: filterKueryNode });
   }
 
+  const ruleTypeIdsFilter = buildRuleTypeIdsFilter(ruleTypeIds);
+  const consumersFilter = buildConsumersFilter(consumers);
+  const combinedFilters = combineFilters(
+    [filterKueryNode, ruleTypeIdsFilter, consumersFilter],
+    'and'
+  );
+
+  const finalFilter = combineFilterWithAuthorizationFilter(
+    combinedFilters,
+    authorizationFilter as KueryNode
+  );
+
   const {
     page,
     per_page: perPage,
@@ -121,10 +139,7 @@ export async function findRules<Params extends RuleParams = never>(
     savedObjectsFindOptions: {
       ...modifiedOptions,
       sortField,
-      filter:
-        (authorizationFilter && filterKueryNode
-          ? nodeBuilder.and([filterKueryNode, authorizationFilter as KueryNode])
-          : authorizationFilter) ?? filterKueryNode,
+      filter: finalFilter,
       fields: fields ? includeFieldsRequiredForAuthentication(fields) : fields,
     },
   });
diff --git a/x-pack/plugins/alerting/server/application/rule/methods/find/schemas/find_rules_schemas.ts b/x-pack/plugins/alerting/server/application/rule/methods/find/schemas/find_rules_schemas.ts
index b766ffc283bb2..aec95d7f2c061 100644
--- a/x-pack/plugins/alerting/server/application/rule/methods/find/schemas/find_rules_schemas.ts
+++ b/x-pack/plugins/alerting/server/application/rule/methods/find/schemas/find_rules_schemas.ts
@@ -28,7 +28,8 @@ export const findRulesOptionsSchema = schema.object(
     filter: schema.maybe(
       schema.oneOf([schema.string(), schema.recordOf(schema.string(), schema.any())])
     ),
-    filterConsumers: schema.maybe(schema.arrayOf(schema.string())),
+    ruleTypeIds: schema.maybe(schema.arrayOf(schema.string())),
+    consumers: schema.maybe(schema.arrayOf(schema.string())),
   },
   { unknowns: 'allow' }
 );
@@ -37,5 +38,4 @@ export const findRulesParamsSchema = schema.object({
   options: schema.maybe(findRulesOptionsSchema),
   excludeFromPublicApi: schema.maybe(schema.boolean()),
   includeSnoozeData: schema.maybe(schema.boolean()),
-  featureIds: schema.maybe(schema.arrayOf(schema.string())),
 });
diff --git a/x-pack/plugins/alerting/server/application/rule/methods/find/types/find_rules_types.ts b/x-pack/plugins/alerting/server/application/rule/methods/find/types/find_rules_types.ts
index 615a5b5db8672..77694f150c5a9 100644
--- a/x-pack/plugins/alerting/server/application/rule/methods/find/types/find_rules_types.ts
+++ b/x-pack/plugins/alerting/server/application/rule/methods/find/types/find_rules_types.ts
@@ -9,5 +9,4 @@ import { TypeOf } from '@kbn/config-schema';
 import { findRulesOptionsSchema, findRulesParamsSchema } from '../schemas';
 
 export type FindRulesOptions = TypeOf<typeof findRulesOptionsSchema>;
-
 export type FindRulesParams = TypeOf<typeof findRulesParamsSchema>;
diff --git a/x-pack/plugins/alerting/server/application/rule/methods/rule_types/rule_types.test.ts b/x-pack/plugins/alerting/server/application/rule/methods/rule_types/rule_types.test.ts
new file mode 100644
index 0000000000000..fd0a641df022c
--- /dev/null
+++ b/x-pack/plugins/alerting/server/application/rule/methods/rule_types/rule_types.test.ts
@@ -0,0 +1,52 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { rulesClientContextMock } from '../../../../rules_client/rules_client.mock';
+import { RulesClient } from '../../../../rules_client';
+
+describe('listRuleTypes', () => {
+  const rulesClientContext = rulesClientContextMock.create();
+  let rulesClient: RulesClient;
+
+  beforeEach(async () => {
+    jest.clearAllMocks();
+    rulesClient = new RulesClient(rulesClientContext);
+
+    rulesClientContext.ruleTypeRegistry.list = jest.fn().mockReturnValue(
+      new Map([
+        ['apm.anomaly', { name: 'Anomaly' }],
+        ['.es-query', { name: 'ES rule type' }],
+      ])
+    );
+    rulesClientContext.ruleTypeRegistry.has = jest
+      .fn()
+      .mockImplementation((ruleTypeId: string) => ruleTypeId === '.es-query');
+
+    rulesClientContext.authorization.getAuthorizedRuleTypes = jest.fn().mockResolvedValue(
+      new Map([
+        ['.es-query', { authorizedConsumers: { all: true, read: true } }],
+        ['.not-exist', { authorizedConsumers: { all: true, read: true } }],
+      ])
+    );
+  });
+
+  it('authorizes correctly', async () => {
+    await rulesClient.listRuleTypes();
+
+    expect(rulesClientContext.authorization.getAuthorizedRuleTypes).toHaveBeenCalledWith({
+      authorizationEntity: 'rule',
+      operations: ['get', 'create'],
+      ruleTypeIds: ['apm.anomaly', '.es-query'],
+    });
+  });
+
+  it('returns the authorized rule types correctly and does not return non authorized or non existing rule types', async () => {
+    const res = await rulesClient.listRuleTypes();
+
+    expect(res).toEqual([{ name: 'ES rule type', authorizedConsumers: { all: true, read: true } }]);
+  });
+});
diff --git a/x-pack/plugins/alerting/server/application/rule/methods/rule_types/rule_types.ts b/x-pack/plugins/alerting/server/application/rule/methods/rule_types/rule_types.ts
index 66256b4b7d7eb..4bcb6fdece3e2 100644
--- a/x-pack/plugins/alerting/server/application/rule/methods/rule_types/rule_types.ts
+++ b/x-pack/plugins/alerting/server/application/rule/methods/rule_types/rule_types.ts
@@ -6,16 +6,28 @@
  */
 
 import {
-  WriteOperations,
-  ReadOperations,
   AlertingAuthorizationEntity,
+  ReadOperations,
+  RegistryAlertTypeWithAuth,
+  WriteOperations,
 } from '../../../../authorization';
 import { RulesClientContext } from '../../../../rules_client/types';
 
-export async function listRuleTypes(context: RulesClientContext) {
-  return await context.authorization.filterByRuleTypeAuthorization(
-    context.ruleTypeRegistry.list(),
-    [ReadOperations.Get, WriteOperations.Create],
-    AlertingAuthorizationEntity.Rule
-  );
+export async function listRuleTypes(
+  context: RulesClientContext
+): Promise<RegistryAlertTypeWithAuth[]> {
+  const registeredRuleTypes = context.ruleTypeRegistry.list();
+
+  const authorizedRuleTypes = await context.authorization.getAuthorizedRuleTypes({
+    authorizationEntity: AlertingAuthorizationEntity.Rule,
+    operations: [ReadOperations.Get, WriteOperations.Create],
+    ruleTypeIds: Array.from(registeredRuleTypes.keys()).map((id) => id),
+  });
+
+  return Array.from(authorizedRuleTypes.entries())
+    .filter(([id, _]) => context.ruleTypeRegistry.has(id))
+    .map(([id, { authorizedConsumers }]) => ({
+      ...registeredRuleTypes.get(id)!,
+      authorizedConsumers,
+    }));
 }
diff --git a/x-pack/plugins/alerting/server/application/rule/methods/tags/get_rule_tags.test.ts b/x-pack/plugins/alerting/server/application/rule/methods/tags/get_rule_tags.test.ts
index de356c3a2e2b9..2a84becfd83d6 100644
--- a/x-pack/plugins/alerting/server/application/rule/methods/tags/get_rule_tags.test.ts
+++ b/x-pack/plugins/alerting/server/application/rule/methods/tags/get_rule_tags.test.ts
@@ -66,23 +66,26 @@ const rulesClientParams: jest.Mocked<ConstructorOptions> = {
   isSystemAction: jest.fn(),
 };
 
-const listedTypes = new Set<RegistryRuleType>([
-  {
-    actionGroups: [],
-    actionVariables: undefined,
-    defaultActionGroupId: 'default',
-    minimumLicenseRequired: 'basic',
-    isExportable: true,
-    recoveryActionGroup: RecoveredActionGroup,
-    id: 'myType',
-    name: 'myType',
-    category: 'test',
-    producer: 'myApp',
-    enabledInLicense: true,
-    hasAlertsMappings: false,
-    hasFieldsForAAD: false,
-    validLegacyConsumers: [],
-  },
+const listedTypes = new Map<string, RegistryRuleType>([
+  [
+    'myType',
+    {
+      actionGroups: [],
+      actionVariables: undefined,
+      defaultActionGroupId: 'default',
+      minimumLicenseRequired: 'basic',
+      isExportable: true,
+      recoveryActionGroup: RecoveredActionGroup,
+      id: 'myType',
+      name: 'myType',
+      category: 'test',
+      producer: 'myApp',
+      enabledInLicense: true,
+      hasAlertsMappings: false,
+      hasFieldsForAAD: false,
+      validLegacyConsumers: [],
+    },
+  ],
 ]);
 
 beforeEach(() => {
@@ -118,26 +121,16 @@ describe('getTags()', () => {
     unsecuredSavedObjectsClient.find.mockResolvedValue(getMockAggregationResult(['a', 'b', 'c']));
 
     ruleTypeRegistry.list.mockReturnValue(listedTypes);
-    authorization.filterByRuleTypeAuthorization.mockResolvedValue(
-      new Set([
-        {
-          id: 'myType',
-          name: 'Test',
-          actionGroups: [{ id: 'default', name: 'Default' }],
-          defaultActionGroupId: 'default',
-          minimumLicenseRequired: 'basic',
-          isExportable: true,
-          recoveryActionGroup: RecoveredActionGroup,
-          category: 'test',
-          producer: 'alerts',
-          authorizedConsumers: {
-            myApp: { read: true, all: true },
+    authorization.getAuthorizedRuleTypes.mockResolvedValue(
+      new Map([
+        [
+          'myType',
+          {
+            authorizedConsumers: {
+              myApp: { read: true, all: true },
+            },
           },
-          enabledInLicense: true,
-          hasAlertsMappings: false,
-          hasFieldsForAAD: false,
-          validLegacyConsumers: [],
-        },
+        ],
       ])
     );
   });
diff --git a/x-pack/plugins/alerting/server/application/rule/methods/tags/get_rule_tags.ts b/x-pack/plugins/alerting/server/application/rule/methods/tags/get_rule_tags.ts
index c26fae42ce324..84a05ac67057a 100644
--- a/x-pack/plugins/alerting/server/application/rule/methods/tags/get_rule_tags.ts
+++ b/x-pack/plugins/alerting/server/application/rule/methods/tags/get_rule_tags.ts
@@ -33,10 +33,10 @@ export async function getRuleTags(
 
   let authorizationTuple;
   try {
-    authorizationTuple = await context.authorization.getFindAuthorizationFilter(
-      AlertingAuthorizationEntity.Rule,
-      alertingAuthorizationFilterOpts
-    );
+    authorizationTuple = await context.authorization.getFindAuthorizationFilter({
+      authorizationEntity: AlertingAuthorizationEntity.Rule,
+      filterOpts: alertingAuthorizationFilterOpts,
+    });
   } catch (error) {
     context.auditLogger?.log(
       ruleAuditEvent({
diff --git a/x-pack/plugins/alerting/server/authorization/alerting_authorization.mock.ts b/x-pack/plugins/alerting/server/authorization/alerting_authorization.mock.ts
index e51a5c9b12c79..12e360c7cd644 100644
--- a/x-pack/plugins/alerting/server/authorization/alerting_authorization.mock.ts
+++ b/x-pack/plugins/alerting/server/authorization/alerting_authorization.mock.ts
@@ -14,12 +14,20 @@ export type AlertingAuthorizationMock = jest.Mocked<Schema>;
 const createAlertingAuthorizationMock = () => {
   const mocked: AlertingAuthorizationMock = {
     ensureAuthorized: jest.fn(),
-    filterByRuleTypeAuthorization: jest.fn(),
-    getAuthorizationFilter: jest.fn(),
-    getAuthorizedRuleTypes: jest.fn(),
-    getFindAuthorizationFilter: jest.fn(),
-    getAugmentedRuleTypesWithAuthorization: jest.fn(),
+    getAuthorizedRuleTypes: jest.fn().mockResolvedValue(new Map()),
+    getFindAuthorizationFilter: jest.fn().mockResolvedValue({
+      filter: undefined,
+      ensureRuleTypeIsAuthorized: () => {},
+    }),
     getSpaceId: jest.fn(),
+    getAllAuthorizedRuleTypes: jest
+      .fn()
+      .mockResolvedValue({ hasAllRequested: true, authorizedRuleTypes: new Map() }),
+    getAllAuthorizedRuleTypesFindOperation: jest.fn().mockResolvedValue(new Map()),
+    getAuthorizationFilter: jest.fn().mockResolvedValue({
+      filter: undefined,
+      ensureRuleTypeIsAuthorized: () => {},
+    }),
   };
   return mocked;
 };
diff --git a/x-pack/plugins/alerting/server/authorization/alerting_authorization.test.ts b/x-pack/plugins/alerting/server/authorization/alerting_authorization.test.ts
index f1cfb99a6daaa..9c470823362d8 100644
--- a/x-pack/plugins/alerting/server/authorization/alerting_authorization.test.ts
+++ b/x-pack/plugins/alerting/server/authorization/alerting_authorization.test.ts
@@ -5,75 +5,53 @@
  * 2.0.
  */
 
-import { KueryNode, fromKueryExpression, toKqlExpression } from '@kbn/es-query';
+import Boom from '@hapi/boom';
+import { KueryNode, toKqlExpression } from '@kbn/es-query';
 import { KibanaRequest } from '@kbn/core/server';
 import { ruleTypeRegistryMock } from '../rule_type_registry.mock';
 import { securityMock } from '@kbn/security-plugin/server/mocks';
-import {
-  FeaturesPluginStart as FeaturesStartContract,
-  KibanaFeature,
-} from '@kbn/features-plugin/server';
+import { KibanaFeature } from '@kbn/features-plugin/server';
 import { featuresPluginMock } from '@kbn/features-plugin/server/mocks';
-import {
-  AlertingAuthorization,
-  WriteOperations,
-  ReadOperations,
-  AlertingAuthorizationEntity,
-} from './alerting_authorization';
-import { v4 as uuidv4 } from 'uuid';
-import { RecoveredActionGroup } from '../../common';
-import { NormalizedRuleType, RegistryRuleType } from '../rule_type_registry';
+import { AlertingAuthorization } from './alerting_authorization';
 import { AlertingAuthorizationFilterType } from './alerting_authorization_kuery';
-import { schema } from '@kbn/config-schema';
-
-const ruleTypeRegistry = ruleTypeRegistryMock.create();
-const features: jest.Mocked<FeaturesStartContract> = featuresPluginMock.createStart();
-const request = {} as KibanaRequest;
-
-const getSpace = jest.fn();
-const getSpaceId = () => 'space1';
+import { httpServerMock } from '@kbn/core-http-server-mocks';
+import { CheckPrivilegesResponse } from '@kbn/security-plugin-types-server';
+import type { FeaturesPluginStart } from '@kbn/features-plugin/server';
+import { WriteOperations, AlertingAuthorizationEntity, ReadOperations } from './types';
+import { AlertingKibanaPrivilege } from '@kbn/features-plugin/common/alerting_kibana_privilege';
 
 const mockAuthorizationAction = (
-  type: string,
-  app: string,
-  alertingType: string,
+  ruleType: string,
+  consumer: string,
+  entity: string,
   operation: string
-) => `${type}/${app}/${alertingType}/${operation}`;
-function mockSecurity() {
-  const security = securityMock.createSetup();
-  const authorization = security.authz;
-  // typescript is having trouble inferring jest's automocking
-  (
-    authorization.actions.alerting.get as jest.MockedFunction<
-      typeof authorization.actions.alerting.get
-    >
-  ).mockImplementation(mockAuthorizationAction);
-  authorization.mode.useRbacForRequest.mockReturnValue(true);
-  return { authorization };
-}
+) => `${ruleType}/${consumer}/${entity}/${operation}`;
 
-function mockFeature(appName: string, typeName?: string | string[]) {
-  const typeNameArray = typeName ? (Array.isArray(typeName) ? typeName : [typeName]) : undefined;
+function mockFeatureWithConsumers(
+  appName: string,
+  alertingFeatures?: AlertingKibanaPrivilege,
+  subFeature?: boolean
+) {
   return new KibanaFeature({
     id: appName,
     name: appName,
     app: [],
     category: { id: 'foo', label: 'foo' },
-    ...(typeNameArray
+    ...(alertingFeatures
       ? {
-          alerting: typeNameArray,
+          alerting: alertingFeatures,
         }
       : {}),
     privileges: {
       all: {
-        ...(typeNameArray
+        ...(alertingFeatures
           ? {
               alerting: {
                 rule: {
-                  all: typeNameArray,
+                  all: alertingFeatures,
                 },
                 alert: {
-                  all: typeNameArray,
+                  all: alertingFeatures,
                 },
               },
             }
@@ -85,14 +63,14 @@ function mockFeature(appName: string, typeName?: string | string[]) {
         ui: [],
       },
       read: {
-        ...(typeNameArray
+        ...(alertingFeatures
           ? {
               alerting: {
                 rule: {
-                  read: typeNameArray,
+                  read: alertingFeatures,
                 },
                 alert: {
-                  read: typeNameArray,
+                  read: alertingFeatures,
                 },
               },
             }
@@ -104,2480 +82,2219 @@ function mockFeature(appName: string, typeName?: string | string[]) {
         ui: [],
       },
     },
-  });
-}
-
-function mockFeatureWithSubFeature(appName: string, typeName: string) {
-  return new KibanaFeature({
-    id: appName,
-    name: appName,
-    app: [],
-    category: { id: 'foo', label: 'foo' },
-    ...(typeName
+    ...(subFeature
       ? {
-          alerting: [typeName],
+          subFeatures: [
+            {
+              name: appName,
+              privilegeGroups: [
+                {
+                  groupType: 'independent',
+                  privileges: [
+                    {
+                      id: 'doSomethingAlertRelated',
+                      name: 'sub feature alert',
+                      includeIn: 'all',
+                      alerting: {
+                        rule: {
+                          all: alertingFeatures,
+                        },
+                      },
+                      savedObject: {
+                        all: [],
+                        read: [],
+                      },
+                      ui: ['doSomethingAlertRelated'],
+                    },
+                    {
+                      id: 'doSomethingAlertRelated',
+                      name: 'sub feature alert',
+                      includeIn: 'read',
+                      alerting: {
+                        rule: {
+                          read: alertingFeatures,
+                        },
+                      },
+                      savedObject: {
+                        all: [],
+                        read: [],
+                      },
+                      ui: ['doSomethingAlertRelated'],
+                    },
+                  ],
+                },
+              ],
+            },
+          ],
         }
       : {}),
-    privileges: {
-      all: {
-        savedObject: {
-          all: [],
-          read: [],
-        },
-        ui: [],
-      },
-      read: {
-        savedObject: {
-          all: [],
-          read: [],
-        },
-        ui: [],
-      },
-    },
-    subFeatures: [
-      {
-        name: appName,
-        privilegeGroups: [
-          {
-            groupType: 'independent',
-            privileges: [
-              {
-                id: 'doSomethingAlertRelated',
-                name: 'sub feature alert',
-                includeIn: 'all',
-                alerting: {
-                  rule: {
-                    all: [typeName],
-                  },
-                },
-                savedObject: {
-                  all: [],
-                  read: [],
-                },
-                ui: ['doSomethingAlertRelated'],
-              },
-              {
-                id: 'doSomethingAlertRelated',
-                name: 'sub feature alert',
-                includeIn: 'read',
-                alerting: {
-                  rule: {
-                    read: [typeName],
-                  },
-                },
-                savedObject: {
-                  all: [],
-                  read: [],
-                },
-                ui: ['doSomethingAlertRelated'],
-              },
-            ],
-          },
-        ],
-      },
-    ],
   });
 }
 
-const myAppFeature = mockFeature('myApp', 'myType');
-const myOtherAppFeature = mockFeature('myOtherApp', 'myType');
-const myAppWithSubFeature = mockFeatureWithSubFeature('myAppWithSubFeature', 'myType');
-const myFeatureWithoutAlerting = mockFeature('myOtherApp');
-
-beforeEach(() => {
-  jest.resetAllMocks();
-  ruleTypeRegistry.get.mockImplementation((id) => ({
-    id,
-    name: 'My Alert Type',
-    actionGroups: [{ id: 'default', name: 'Default' }],
-    defaultActionGroupId: 'default',
-    minimumLicenseRequired: 'basic',
-    isExportable: true,
-    recoveryActionGroup: RecoveredActionGroup,
-    async executor() {
-      return { state: {} };
-    },
-    category: 'test',
-    producer: 'myApp',
-    validate: {
-      params: schema.any(),
-    },
-    validLegacyConsumers: [],
-  }));
-  features.getKibanaFeatures.mockReturnValue([
-    myAppFeature,
-    myOtherAppFeature,
-    myAppWithSubFeature,
-    myFeatureWithoutAlerting,
-  ]);
-  getSpace.mockResolvedValue(undefined);
-});
+type CheckPrivilegesResponseWithoutES = Omit<CheckPrivilegesResponse, 'privileges'> & {
+  privileges: Omit<CheckPrivilegesResponse['privileges'], 'elasticsearch'>;
+};
 
 describe('AlertingAuthorization', () => {
-  describe('constructor', () => {
-    test(`fetches the user's current space`, async () => {
-      const space = {
-        id: uuidv4(),
-        name: uuidv4(),
-        disabledFeatures: [],
-      };
-      getSpace.mockResolvedValue(space);
+  const getSpace = jest.fn();
+  const getSpaceId = () => 'space1';
+  const allRegisteredConsumers = new Set<string>();
+  const ruleTypesConsumersMap = new Map<string, Set<string>>();
+
+  const checkPrivileges = jest.fn<Promise<CheckPrivilegesResponseWithoutES>, []>(async () => ({
+    username: 'elastic',
+    hasAllRequested: true,
+    privileges: { kibana: [] },
+  }));
+
+  const ruleTypeIds = ['rule-type-id-1', 'rule-type-id-2', 'rule-type-id-3', 'rule-type-id-4'];
+
+  let request: KibanaRequest;
+  let ruleTypeRegistry = ruleTypeRegistryMock.create();
+  let securityStart: ReturnType<typeof securityMock.createStart>;
+  let features: jest.Mocked<FeaturesPluginStart>;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    allRegisteredConsumers.clear();
+    allRegisteredConsumers.clear();
+    ruleTypesConsumersMap.clear();
+
+    securityStart = securityMock.createStart();
+    securityStart.authz.mode.useRbacForRequest.mockReturnValue(true);
+    securityStart.authz.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
+    request = httpServerMock.createKibanaRequest();
+    getSpace.mockResolvedValue(undefined);
+
+    features = featuresPluginMock.createStart();
+    features.getKibanaFeatures.mockReturnValue([
+      mockFeatureWithConsumers('feature-id-1', [
+        {
+          ruleTypeId: 'rule-type-id-1',
+          consumers: ['alerts', 'consumer-a'],
+        },
+        { ruleTypeId: 'rule-type-id-2', consumers: ['alerts', 'consumer-b'] },
+      ]),
+      mockFeatureWithConsumers('feature-id-2', [
+        {
+          ruleTypeId: 'rule-type-id-1',
+          consumers: ['alerts', 'consumer-b'],
+        },
+        {
+          ruleTypeId: 'rule-type-id-3',
+          consumers: ['alerts', 'consumer-c'],
+        },
+      ]),
+      mockFeatureWithConsumers('feature-id-3', [
+        {
+          ruleTypeId: 'rule-type-id-4',
+          consumers: ['consumer-d'],
+        },
+      ]),
+    ]);
+
+    const alertingGet = securityStart.authz.actions.alerting.get as jest.Mock;
+    alertingGet.mockImplementation(mockAuthorizationAction);
+
+    ruleTypeRegistry = ruleTypeRegistryMock.create();
+    ruleTypeRegistry.getAllTypes.mockReturnValue(ruleTypeIds);
+    ruleTypeRegistry.has.mockImplementation((ruleTypeId: string) =>
+      ruleTypeIds.includes(ruleTypeId)
+    );
+
+    // @ts-expect-error: only the id is needed for the tests
+    ruleTypeRegistry.get.mockImplementation((ruleTypeId: string) => ({ id: ruleTypeId }));
+  });
+
+  describe('create', () => {
+    beforeEach(() => {
+      jest.clearAllMocks();
+      securityStart = securityMock.createStart();
+      features = featuresPluginMock.createStart();
+
+      getSpace.mockReturnValue({ id: 'default', name: 'Default', disabledFeatures: [] });
+      features.getKibanaFeatures.mockReturnValue([mockFeatureWithConsumers('my-feature-1')]);
+    });
+
+    it('creates an AlertingAuthorization object', async () => {
+      expect.assertions(2);
 
-      new AlertingAuthorization({
+      const authPromise = AlertingAuthorization.create({
         request,
         ruleTypeRegistry,
+        getSpaceId,
         features,
         getSpace,
-        getSpaceId,
+        authorization: securityStart.authz,
       });
 
-      expect(getSpace).toHaveBeenCalledWith(request);
+      await expect(authPromise).resolves.toBeDefined();
+      await expect(authPromise).resolves.not.toThrow();
     });
-  });
 
-  describe('ensureAuthorized', () => {
-    test('is a no-op when there is no authorization api', async () => {
-      const alertAuthorization = new AlertingAuthorization({
+    it('creates an AlertingAuthorization object without spaces', async () => {
+      getSpace.mockReturnValue(undefined);
+      expect.assertions(2);
+
+      const authPromise = AlertingAuthorization.create({
         request,
         ruleTypeRegistry,
+        getSpaceId,
         features,
         getSpace,
-        getSpaceId,
+        authorization: securityStart.authz,
       });
 
-      await alertAuthorization.ensureAuthorized({
-        ruleTypeId: 'myType',
-        consumer: 'myApp',
-        operation: WriteOperations.Create,
-        entity: AlertingAuthorizationEntity.Rule,
+      await expect(authPromise).resolves.toBeDefined();
+      await expect(authPromise).resolves.not.toThrow();
+    });
+
+    it('filters out disabled spaces and features without alerting', async () => {
+      getSpace.mockReturnValue({
+        id: 'default',
+        name: 'Default',
+        disabledFeatures: ['my-feature-1'],
       });
 
-      expect(ruleTypeRegistry.get).toHaveBeenCalledTimes(1);
-    });
+      features.getKibanaFeatures.mockReturnValue([
+        mockFeatureWithConsumers('my-feature-1', [
+          { ruleTypeId: 'rule-type-1', consumers: ['consumer-a', 'consumer-b'] },
+        ]),
+        mockFeatureWithConsumers('my-feature-2', [
+          { ruleTypeId: 'rule-type-2', consumers: ['consumer-c', 'consumer-d'] },
+        ]),
+        mockFeatureWithConsumers('my-feature-3'),
+        mockFeatureWithConsumers('my-feature-4', []),
+      ]);
 
-    test('is a no-op when the security license is disabled', async () => {
-      const { authorization } = mockSecurity();
-      authorization.mode.useRbacForRequest.mockReturnValue(false);
-      const alertAuthorization = new AlertingAuthorization({
+      const auth = await AlertingAuthorization.create({
         request,
         ruleTypeRegistry,
-        authorization,
+        getSpaceId,
         features,
         getSpace,
-        getSpaceId,
+        authorization: securityStart.authz,
       });
 
-      await alertAuthorization.ensureAuthorized({
-        ruleTypeId: 'myType',
-        consumer: 'myApp',
-        operation: WriteOperations.Create,
-        entity: AlertingAuthorizationEntity.Rule,
+      // @ts-expect-error: allRegisteredConsumers is a private method of the auth class
+      expect(auth.allRegisteredConsumers).toMatchInlineSnapshot(`
+        Set {
+          "consumer-c",
+          "consumer-d",
+        }
+      `);
+      // @ts-expect-error: allRegisteredConsumers is a private method of the auth class
+      expect(auth.ruleTypesConsumersMap).toMatchInlineSnapshot(`
+        Map {
+          "rule-type-2" => Set {
+            "consumer-c",
+            "consumer-d",
+          },
+        }
+      `);
+    });
+
+    it('removes duplicated consumers', async () => {
+      getSpace.mockReturnValue({
+        id: 'default',
+        name: 'Default',
+        disabledFeatures: [],
       });
 
-      expect(ruleTypeRegistry.get).toHaveBeenCalledTimes(1);
-    });
+      features.getKibanaFeatures.mockReturnValue([
+        mockFeatureWithConsumers('my-feature-1', [
+          { ruleTypeId: 'rule-type-1', consumers: ['consumer-a', 'consumer-b', 'consumer-a'] },
+          { ruleTypeId: 'rule-type-2', consumers: ['consumer-a', 'consumer-b', 'consumer-c'] },
+        ]),
+        mockFeatureWithConsumers('my-feature-2', [
+          { ruleTypeId: 'rule-type-2', consumers: ['consumer-a', 'consumer-b', 'consumer-c'] },
+        ]),
+      ]);
 
-    test('ensures the user has privileges to execute rules for the specified rule type and operation without consumer when producer and consumer are the same', async () => {
-      const { authorization } = mockSecurity();
-      const checkPrivileges: jest.MockedFunction<
-        ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
-      > = jest.fn();
-      authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
-      const alertAuthorization = new AlertingAuthorization({
+      const auth = await AlertingAuthorization.create({
         request,
-        authorization,
         ruleTypeRegistry,
+        getSpaceId,
         features,
         getSpace,
-        getSpaceId,
+        authorization: securityStart.authz,
       });
 
-      checkPrivileges.mockResolvedValueOnce({
-        username: 'some-user',
-        hasAllRequested: true,
-        privileges: { kibana: [] },
-      });
+      // @ts-expect-error: allRegisteredConsumers is a private method of the auth class
+      expect(auth.allRegisteredConsumers).toMatchInlineSnapshot(`
+        Set {
+          "consumer-a",
+          "consumer-b",
+          "consumer-c",
+        }
+      `);
+    });
 
-      await alertAuthorization.ensureAuthorized({
-        ruleTypeId: 'myType',
-        consumer: 'myApp',
-        operation: WriteOperations.Create,
-        entity: AlertingAuthorizationEntity.Rule,
+    it('removes duplicated ruleTypes and consumers', async () => {
+      getSpace.mockReturnValue({
+        id: 'default',
+        name: 'Default',
+        disabledFeatures: [],
       });
 
-      expect(ruleTypeRegistry.get).toHaveBeenCalledWith('myType');
-
-      expect(authorization.actions.alerting.get).toHaveBeenCalledTimes(1);
-      expect(authorization.actions.alerting.get).toHaveBeenCalledWith(
-        'myType',
-        'myApp',
-        'rule',
-        'create'
-      );
-      expect(checkPrivileges).toHaveBeenCalledWith({
-        kibana: [mockAuthorizationAction('myType', 'myApp', 'rule', 'create')],
-      });
-    });
+      features.getKibanaFeatures.mockReturnValue([
+        mockFeatureWithConsumers('my-feature-1', [
+          { ruleTypeId: 'rule-type-1', consumers: ['consumer-a', 'consumer-b', 'consumer-a'] },
+          { ruleTypeId: 'rule-type-2', consumers: ['consumer-a', 'consumer-b', 'consumer-c'] },
+        ]),
+        mockFeatureWithConsumers('my-feature-2', [
+          { ruleTypeId: 'rule-type-2', consumers: ['consumer-a', 'consumer-b', 'consumer-e'] },
+          { ruleTypeId: 'rule-type-1', consumers: ['consumer-a', 'consumer-b', 'consumer-d'] },
+        ]),
+      ]);
 
-    test('ensures the user has privileges to execute alerts for the specified rule type and operation without consumer when producer and consumer are the same', async () => {
-      const { authorization } = mockSecurity();
-      const checkPrivileges: jest.MockedFunction<
-        ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
-      > = jest.fn();
-      authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
-      const alertAuthorization = new AlertingAuthorization({
+      const auth = await AlertingAuthorization.create({
         request,
-        authorization,
         ruleTypeRegistry,
+        getSpaceId,
         features,
         getSpace,
-        getSpaceId,
-      });
-
-      checkPrivileges.mockResolvedValueOnce({
-        username: 'some-user',
-        hasAllRequested: true,
-        privileges: { kibana: [] },
+        authorization: securityStart.authz,
       });
 
-      await alertAuthorization.ensureAuthorized({
-        ruleTypeId: 'myType',
-        consumer: 'myApp',
-        operation: WriteOperations.Update,
-        entity: AlertingAuthorizationEntity.Alert,
-      });
+      // @ts-expect-error: ruleTypesConsumersMap is a private method of the auth class
+      expect(auth.ruleTypesConsumersMap).toMatchInlineSnapshot(`
+        Map {
+          "rule-type-1" => Set {
+            "consumer-a",
+            "consumer-b",
+            "consumer-d",
+          },
+          "rule-type-2" => Set {
+            "consumer-a",
+            "consumer-b",
+            "consumer-c",
+            "consumer-e",
+          },
+        }
+      `);
+    });
 
-      expect(ruleTypeRegistry.get).toHaveBeenCalledWith('myType');
+    it('throws an error when a generic error occurs', async () => {
+      expect.assertions(1);
 
-      expect(authorization.actions.alerting.get).toHaveBeenCalledTimes(1);
-      expect(authorization.actions.alerting.get).toHaveBeenCalledWith(
-        'myType',
-        'myApp',
-        'alert',
-        'update'
-      );
-      expect(checkPrivileges).toHaveBeenCalledWith({
-        kibana: [mockAuthorizationAction('myType', 'myApp', 'alert', 'update')],
-      });
-    });
+      getSpace.mockRejectedValue(new Error('Error'));
 
-    test('ensures the user has privileges to execute rules for the specified rule type and operation without consumer when consumer is alerts', async () => {
-      const { authorization } = mockSecurity();
-      const checkPrivileges: jest.MockedFunction<
-        ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
-      > = jest.fn();
-      authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
-      const alertAuthorization = new AlertingAuthorization({
+      const authPromise = AlertingAuthorization.create({
         request,
-        authorization,
         ruleTypeRegistry,
+        getSpaceId,
         features,
         getSpace,
-        getSpaceId,
+        authorization: securityStart.authz,
       });
 
-      checkPrivileges.mockResolvedValueOnce({
-        username: 'some-user',
-        hasAllRequested: true,
-        privileges: { kibana: [] },
-      });
+      await expect(authPromise).rejects.toThrow();
+    });
 
-      await alertAuthorization.ensureAuthorized({
-        ruleTypeId: 'myType',
-        consumer: 'alerts',
-        operation: WriteOperations.Create,
-        entity: AlertingAuthorizationEntity.Rule,
-      });
+    it.each([403, 404])(
+      `construct the AlertingAuthorization with empty features if the error is boom and %s`,
+      async (errorStatusCode: number) => {
+        getSpace.mockRejectedValue(
+          new Boom.Boom('Server error', {
+            statusCode: errorStatusCode,
+            message: 'my error message',
+          })
+        );
+
+        const auth = await AlertingAuthorization.create({
+          request,
+          ruleTypeRegistry,
+          getSpaceId,
+          features,
+          getSpace,
+          authorization: securityStart.authz,
+        });
+
+        // @ts-expect-error: allRegisteredConsumers is a private method of the auth class
+        expect(auth.ruleTypesConsumersMap).toMatchInlineSnapshot(`Map {}`);
+        // @ts-expect-error: allRegisteredConsumers is a private method of the auth class
+        expect(auth.allRegisteredConsumers).toMatchInlineSnapshot(`Set {}`);
+      }
+    );
 
-      expect(ruleTypeRegistry.get).toHaveBeenCalledWith('myType');
+    it('throws an error if the error is boom but not 403', async () => {
+      expect.assertions(1);
 
-      expect(authorization.actions.alerting.get).toHaveBeenCalledTimes(1);
-      expect(authorization.actions.alerting.get).toHaveBeenCalledWith(
-        'myType',
-        'myApp',
-        'rule',
-        'create'
+      getSpace.mockRejectedValue(
+        new Boom.Boom('Server error', { statusCode: 400, message: 'my error message' })
       );
-      expect(checkPrivileges).toHaveBeenCalledWith({
-        kibana: [mockAuthorizationAction('myType', 'myApp', 'rule', 'create')],
-      });
-    });
 
-    test('ensures the user has privileges to execute alerts for the specified rule type and operation without consumer when consumer is alerts', async () => {
-      const { authorization } = mockSecurity();
-      const checkPrivileges: jest.MockedFunction<
-        ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
-      > = jest.fn();
-      authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
-      const alertAuthorization = new AlertingAuthorization({
+      const authPromise = AlertingAuthorization.create({
         request,
-        authorization,
         ruleTypeRegistry,
+        getSpaceId,
         features,
         getSpace,
-        getSpaceId,
-      });
-
-      checkPrivileges.mockResolvedValueOnce({
-        username: 'some-user',
-        hasAllRequested: true,
-        privileges: { kibana: [] },
-      });
-
-      await alertAuthorization.ensureAuthorized({
-        ruleTypeId: 'myType',
-        consumer: 'alerts',
-        operation: WriteOperations.Update,
-        entity: AlertingAuthorizationEntity.Alert,
+        authorization: securityStart.authz,
       });
 
-      expect(ruleTypeRegistry.get).toHaveBeenCalledWith('myType');
-
-      expect(authorization.actions.alerting.get).toHaveBeenCalledTimes(1);
-      expect(authorization.actions.alerting.get).toHaveBeenCalledWith(
-        'myType',
-        'myApp',
-        'alert',
-        'update'
-      );
-      expect(checkPrivileges).toHaveBeenCalledWith({
-        kibana: [mockAuthorizationAction('myType', 'myApp', 'alert', 'update')],
-      });
+      await expect(authPromise).rejects.toThrow();
     });
+  });
 
-    test('ensures the user has privileges to execute rules for the specified rule type, operation and producer when producer is different from consumer', async () => {
-      const { authorization } = mockSecurity();
-      const checkPrivileges: jest.MockedFunction<
-        ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
-      > = jest.fn();
-      authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
-      checkPrivileges.mockResolvedValueOnce({
-        username: 'some-user',
-        hasAllRequested: true,
-        privileges: { kibana: [] },
-      });
+  describe('ensureAuthorized', () => {
+    beforeEach(() => {
+      jest.clearAllMocks();
+      allRegisteredConsumers.clear();
+      allRegisteredConsumers.add('myApp');
+    });
 
+    it('is a no-op when there is no authorization api', async () => {
       const alertAuthorization = new AlertingAuthorization({
         request,
-        authorization,
         ruleTypeRegistry,
-        features,
-        getSpace,
         getSpaceId,
+        allRegisteredConsumers,
+        ruleTypesConsumersMap,
       });
 
       await alertAuthorization.ensureAuthorized({
         ruleTypeId: 'myType',
-        consumer: 'myOtherApp',
+        consumer: 'myApp',
         operation: WriteOperations.Create,
         entity: AlertingAuthorizationEntity.Rule,
       });
 
-      expect(ruleTypeRegistry.get).toHaveBeenCalledWith('myType');
-
-      expect(authorization.actions.alerting.get).toHaveBeenCalledTimes(1);
-      expect(authorization.actions.alerting.get).toHaveBeenCalledWith(
-        'myType',
-        'myOtherApp',
-        'rule',
-        'create'
-      );
-      expect(checkPrivileges).toHaveBeenCalledWith({
-        kibana: [mockAuthorizationAction('myType', 'myOtherApp', 'rule', 'create')],
-      });
+      expect(checkPrivileges).not.toHaveBeenCalled();
     });
 
-    test('ensures the user has privileges to execute alerts for the specified rule type, operation and producer when producer is different from consumer', async () => {
-      const { authorization } = mockSecurity();
-      const checkPrivileges: jest.MockedFunction<
-        ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
-      > = jest.fn();
-      authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
-      checkPrivileges.mockResolvedValueOnce({
-        username: 'some-user',
-        hasAllRequested: true,
-        privileges: { kibana: [] },
-      });
+    it('is a no-op when the security license is disabled', async () => {
+      securityStart.authz.mode.useRbacForRequest.mockReturnValue(false);
 
       const alertAuthorization = new AlertingAuthorization({
         request,
-        authorization,
         ruleTypeRegistry,
-        features,
-        getSpace,
+        authorization: securityStart.authz,
         getSpaceId,
+        allRegisteredConsumers,
+        ruleTypesConsumersMap,
       });
 
       await alertAuthorization.ensureAuthorized({
         ruleTypeId: 'myType',
-        consumer: 'myOtherApp',
-        operation: WriteOperations.Update,
-        entity: AlertingAuthorizationEntity.Alert,
+        consumer: 'myApp',
+        operation: WriteOperations.Create,
+        entity: AlertingAuthorizationEntity.Rule,
       });
 
-      expect(ruleTypeRegistry.get).toHaveBeenCalledWith('myType');
-
-      expect(authorization.actions.alerting.get).toHaveBeenCalledTimes(1);
-      expect(authorization.actions.alerting.get).toHaveBeenCalledWith(
-        'myType',
-        'myOtherApp',
-        'alert',
-        'update'
-      );
-      expect(checkPrivileges).toHaveBeenCalledWith({
-        kibana: [mockAuthorizationAction('myType', 'myOtherApp', 'alert', 'update')],
-      });
+      expect(checkPrivileges).not.toHaveBeenCalled();
     });
 
-    test('ensures the producer is used for authorization if the consumer is `alerts`', async () => {
-      const { authorization } = mockSecurity();
-      const checkPrivileges: jest.MockedFunction<
-        ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
-      > = jest.fn();
-      authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
-      checkPrivileges.mockResolvedValueOnce({
-        username: 'some-user',
-        hasAllRequested: true,
-        privileges: { kibana: [] },
-      });
-
+    it('authorized correctly', async () => {
       const alertAuthorization = new AlertingAuthorization({
         request,
-        authorization,
         ruleTypeRegistry,
-        features,
-        getSpace,
+        authorization: securityStart.authz,
         getSpaceId,
+        allRegisteredConsumers,
+        ruleTypesConsumersMap,
       });
 
       await alertAuthorization.ensureAuthorized({
         ruleTypeId: 'myType',
-        consumer: 'alerts',
+        consumer: 'myApp',
         operation: WriteOperations.Create,
         entity: AlertingAuthorizationEntity.Rule,
       });
 
-      expect(ruleTypeRegistry.get).toHaveBeenCalledWith('myType');
+      expect(checkPrivileges).toBeCalledTimes(1);
+      expect(checkPrivileges.mock.calls[0]).toMatchInlineSnapshot(`
+        Array [
+          Object {
+            "kibana": Array [
+              "myType/myApp/rule/create",
+            ],
+          },
+        ]
+      `);
+    });
 
-      expect(authorization.actions.alerting.get).toHaveBeenCalledTimes(1);
-      expect(authorization.actions.alerting.get).toHaveBeenCalledWith(
-        'myType',
-        'myApp',
-        'rule',
-        'create'
+    it('throws if user lacks the required rule privileges for the consumer', async () => {
+      securityStart.authz.checkPrivilegesDynamicallyWithRequest.mockReturnValue(
+        jest.fn(async () => ({ hasAllRequested: false }))
       );
-      expect(checkPrivileges).toHaveBeenCalledWith({
-        kibana: [mockAuthorizationAction('myType', 'myApp', 'rule', 'create')],
-      });
-    });
 
-    test('throws if user lacks the required rule privileges for the consumer', async () => {
-      const { authorization } = mockSecurity();
-      const checkPrivileges: jest.MockedFunction<
-        ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
-      > = jest.fn();
-      authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
       const alertAuthorization = new AlertingAuthorization({
         request,
-        authorization,
         ruleTypeRegistry,
-        features,
-        getSpace,
+        authorization: securityStart.authz,
         getSpaceId,
-      });
-
-      checkPrivileges.mockResolvedValueOnce({
-        username: 'some-user',
-        hasAllRequested: false,
-        privileges: {
-          kibana: [
-            {
-              privilege: mockAuthorizationAction('myType', 'myOtherApp', 'rule', 'create'),
-              authorized: false,
-            },
-            {
-              privilege: mockAuthorizationAction('myType', 'myApp', 'rule', 'create'),
-              authorized: true,
-            },
-          ],
-        },
+        allRegisteredConsumers,
+        ruleTypesConsumersMap,
       });
 
       await expect(
         alertAuthorization.ensureAuthorized({
           ruleTypeId: 'myType',
-          consumer: 'myOtherApp',
+          consumer: 'myApp',
           operation: WriteOperations.Create,
           entity: AlertingAuthorizationEntity.Rule,
         })
       ).rejects.toThrowErrorMatchingInlineSnapshot(
-        `"Unauthorized by \\"myOtherApp\\" to create \\"myType\\" rule"`
+        `"Unauthorized by \\"myApp\\" to create \\"myType\\" rule"`
       );
     });
 
-    test('throws if user lacks the required alert privileges for the consumer', async () => {
-      const { authorization } = mockSecurity();
-      const checkPrivileges: jest.MockedFunction<
-        ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
-      > = jest.fn();
-      authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
+    it('throws if user lacks the required alert privileges for the consumer', async () => {
+      securityStart.authz.checkPrivilegesDynamicallyWithRequest.mockReturnValue(
+        jest.fn(async () => ({ hasAllRequested: false }))
+      );
+
       const alertAuthorization = new AlertingAuthorization({
         request,
-        authorization,
         ruleTypeRegistry,
-        features,
-        getSpace,
+        authorization: securityStart.authz,
         getSpaceId,
-      });
-
-      checkPrivileges.mockResolvedValueOnce({
-        username: 'some-user',
-        hasAllRequested: false,
-        privileges: {
-          kibana: [
-            {
-              privilege: mockAuthorizationAction('myType', 'myOtherApp', 'alert', 'update'),
-              authorized: false,
-            },
-            {
-              privilege: mockAuthorizationAction('myType', 'myApp', 'alert', 'update'),
-              authorized: true,
-            },
-            {
-              privilege: mockAuthorizationAction('myType', 'myAppRulesOnly', 'alert', 'update'),
-              authorized: false,
-            },
-          ],
-        },
+        allRegisteredConsumers,
+        ruleTypesConsumersMap,
       });
 
       await expect(
         alertAuthorization.ensureAuthorized({
           ruleTypeId: 'myType',
-          consumer: 'myAppRulesOnly',
+          consumer: 'myApp',
           operation: WriteOperations.Update,
           entity: AlertingAuthorizationEntity.Alert,
         })
       ).rejects.toThrowErrorMatchingInlineSnapshot(
-        `"Unauthorized by \\"myAppRulesOnly\\" to update \\"myType\\" alert"`
+        `"Unauthorized by \\"myApp\\" to update \\"myType\\" alert"`
       );
     });
 
-    test('throws if user lacks the required privileges for the producer', async () => {
-      const { authorization } = mockSecurity();
-      const checkPrivileges: jest.MockedFunction<
-        ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
-      > = jest.fn();
-      authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
+    it('throws if the user has access but the consumer is not registered', async () => {
       const alertAuthorization = new AlertingAuthorization({
         request,
-        authorization,
         ruleTypeRegistry,
-        features,
-        getSpace,
+        authorization: securityStart.authz,
         getSpaceId,
-      });
-
-      checkPrivileges.mockResolvedValueOnce({
-        username: 'some-user',
-        hasAllRequested: false,
-        privileges: {
-          kibana: [
-            {
-              privilege: mockAuthorizationAction('myType', 'myOtherApp', 'alert', 'update'),
-              authorized: true,
-            },
-            {
-              privilege: mockAuthorizationAction('myType', 'myApp', 'alert', 'update'),
-              authorized: false,
-            },
-          ],
-        },
+        allRegisteredConsumers,
+        ruleTypesConsumersMap,
       });
 
       await expect(
         alertAuthorization.ensureAuthorized({
           ruleTypeId: 'myType',
-          consumer: 'myOtherApp',
-          operation: WriteOperations.Update,
-          entity: AlertingAuthorizationEntity.Alert,
+          consumer: 'not-exist',
+          operation: WriteOperations.Create,
+          entity: AlertingAuthorizationEntity.Rule,
         })
       ).rejects.toThrowErrorMatchingInlineSnapshot(
-        `"Unauthorized by \\"myOtherApp\\" to update \\"myType\\" alert"`
+        `"Unauthorized by \\"not-exist\\" to create \\"myType\\" rule"`
       );
     });
 
-    test('throws if user lacks the required privileges for both consumer and producer', async () => {
-      const { authorization } = mockSecurity();
-      const checkPrivileges: jest.MockedFunction<
-        ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
-      > = jest.fn();
-      authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
+    it('throws when there is no authorization api but the consumer is not registered', async () => {
       const alertAuthorization = new AlertingAuthorization({
         request,
-        authorization,
         ruleTypeRegistry,
-        features,
-        getSpace,
         getSpaceId,
-      });
-
-      checkPrivileges.mockResolvedValueOnce({
-        username: 'some-user',
-        hasAllRequested: false,
-        privileges: {
-          kibana: [
-            {
-              privilege: mockAuthorizationAction('myType', 'myOtherApp', 'alert', 'create'),
-              authorized: false,
-            },
-            {
-              privilege: mockAuthorizationAction('myType', 'myApp', 'alert', 'create'),
-              authorized: false,
-            },
-          ],
-        },
+        allRegisteredConsumers,
+        ruleTypesConsumersMap,
       });
 
       await expect(
         alertAuthorization.ensureAuthorized({
           ruleTypeId: 'myType',
-          consumer: 'myOtherApp',
+          consumer: 'not-exist',
           operation: WriteOperations.Create,
-          entity: AlertingAuthorizationEntity.Alert,
+          entity: AlertingAuthorizationEntity.Rule,
         })
       ).rejects.toThrowErrorMatchingInlineSnapshot(
-        `"Unauthorized by \\"myOtherApp\\" to create \\"myType\\" alert"`
+        `"Unauthorized by \\"not-exist\\" to create \\"myType\\" rule"`
       );
     });
 
-    test('checks additional privileges correctly', async () => {
-      const { authorization } = mockSecurity();
-      const checkPrivileges: jest.MockedFunction<
-        ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
-      > = jest.fn();
-      authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
+    it('throws when the security license is disabled but the consumer is not registered', async () => {
+      securityStart.authz.mode.useRbacForRequest.mockReturnValue(false);
+
       const alertAuthorization = new AlertingAuthorization({
         request,
-        authorization,
         ruleTypeRegistry,
-        features,
-        getSpace,
         getSpaceId,
+        allRegisteredConsumers,
+        ruleTypesConsumersMap,
       });
 
-      checkPrivileges.mockResolvedValueOnce({
-        username: 'some-user',
-        hasAllRequested: true,
-        privileges: { kibana: [] },
-      });
-
-      await alertAuthorization.ensureAuthorized({
-        ruleTypeId: 'myType',
-        consumer: 'myApp',
-        operation: WriteOperations.Create,
-        entity: AlertingAuthorizationEntity.Rule,
-        additionalPrivileges: ['test/create'],
-      });
+      await expect(
+        alertAuthorization.ensureAuthorized({
+          ruleTypeId: 'myType',
+          consumer: 'not-exist',
+          operation: WriteOperations.Create,
+          entity: AlertingAuthorizationEntity.Rule,
+        })
+      ).rejects.toThrowErrorMatchingInlineSnapshot(
+        `"Unauthorized by \\"not-exist\\" to create \\"myType\\" rule"`
+      );
+    });
 
-      expect(ruleTypeRegistry.get).toHaveBeenCalledWith('myType');
+    it('throws an error when the consumer does not exist because it was from a disabled plugin', async () => {
+      features.getKibanaFeatures.mockReturnValue([
+        mockFeatureWithConsumers('my-feature-1', [
+          { ruleTypeId: 'rule-type-1', consumers: ['disabled-feature-consumer'] },
+        ]),
+        mockFeatureWithConsumers('my-feature-2', [
+          { ruleTypeId: 'rule-type-2', consumers: ['enabled-feature-consumer'] },
+        ]),
+      ]);
 
-      expect(authorization.actions.alerting.get).toHaveBeenCalledTimes(1);
-      expect(authorization.actions.alerting.get).toHaveBeenCalledWith(
-        'myType',
-        'myApp',
-        'rule',
-        'create'
-      );
-      expect(checkPrivileges).toHaveBeenCalledWith({
-        kibana: [mockAuthorizationAction('myType', 'myApp', 'rule', 'create'), 'test/create'],
+      getSpace.mockReturnValue({
+        id: 'default',
+        name: 'Default',
+        disabledFeatures: ['my-feature-1'],
       });
-    });
-  });
 
-  describe('getFindAuthorizationFilter', () => {
-    const myOtherAppAlertType: RegistryRuleType = {
-      actionGroups: [],
-      actionVariables: undefined,
-      defaultActionGroupId: 'default',
-      minimumLicenseRequired: 'basic',
-      isExportable: true,
-      recoveryActionGroup: RecoveredActionGroup,
-      id: 'myOtherAppAlertType',
-      name: 'myOtherAppAlertType',
-      category: 'test',
-      producer: 'alerts',
-      enabledInLicense: true,
-      hasAlertsMappings: false,
-      hasFieldsForAAD: false,
-      validLegacyConsumers: [],
-    };
-    const myAppAlertType: RegistryRuleType = {
-      actionGroups: [],
-      actionVariables: undefined,
-      defaultActionGroupId: 'default',
-      minimumLicenseRequired: 'basic',
-      isExportable: true,
-      recoveryActionGroup: RecoveredActionGroup,
-      id: 'myAppAlertType',
-      name: 'myAppAlertType',
-      category: 'test',
-      producer: 'myApp',
-      enabledInLicense: true,
-      hasAlertsMappings: false,
-      hasFieldsForAAD: false,
-      validLegacyConsumers: [],
-    };
-    const mySecondAppAlertType: RegistryRuleType = {
-      actionGroups: [],
-      actionVariables: undefined,
-      defaultActionGroupId: 'default',
-      minimumLicenseRequired: 'basic',
-      isExportable: true,
-      recoveryActionGroup: RecoveredActionGroup,
-      id: 'mySecondAppAlertType',
-      name: 'mySecondAppAlertType',
-      category: 'test',
-      producer: 'myApp',
-      enabledInLicense: true,
-      hasAlertsMappings: false,
-      hasFieldsForAAD: false,
-      validLegacyConsumers: [],
-    };
-    const setOfAlertTypes = new Set([myAppAlertType, myOtherAppAlertType, mySecondAppAlertType]);
-    test('omits filter when there is no authorization api', async () => {
-      const alertAuthorization = new AlertingAuthorization({
+      const auth = await AlertingAuthorization.create({
         request,
         ruleTypeRegistry,
-        features,
-        getSpace,
         getSpaceId,
-      });
-      const { filter, ensureRuleTypeIsAuthorized } =
-        await alertAuthorization.getFindAuthorizationFilter(AlertingAuthorizationEntity.Rule, {
-          type: AlertingAuthorizationFilterType.KQL,
-          fieldNames: {
-            ruleTypeId: 'ruleId',
-            consumer: 'consumer',
-          },
-        });
-      expect(() => ensureRuleTypeIsAuthorized('someMadeUpType', 'myApp', 'rule')).not.toThrow();
-      expect(filter).toEqual(undefined);
-    });
-    test('ensureRuleTypeIsAuthorized is no-op when there is no authorization api', async () => {
-      const alertAuthorization = new AlertingAuthorization({
-        request,
-        ruleTypeRegistry,
         features,
         getSpace,
-        getSpaceId,
+        authorization: securityStart.authz,
       });
-      const { ensureRuleTypeIsAuthorized } = await alertAuthorization.getFindAuthorizationFilter(
-        AlertingAuthorizationEntity.Rule,
-        {
-          type: AlertingAuthorizationFilterType.KQL,
-          fieldNames: {
-            ruleTypeId: 'ruleId',
-            consumer: 'consumer',
-          },
-        }
+
+      await expect(
+        auth.ensureAuthorized({
+          ruleTypeId: 'rule-type-1',
+          consumer: 'disabled-feature-consumer',
+          operation: WriteOperations.Create,
+          entity: AlertingAuthorizationEntity.Rule,
+        })
+      ).rejects.toThrowErrorMatchingInlineSnapshot(
+        `"Unauthorized by \\"disabled-feature-consumer\\" to create \\"rule-type-1\\" rule"`
       );
-      ensureRuleTypeIsAuthorized('someMadeUpType', 'myApp', 'rule');
     });
-    test('creates a filter based on the privileged types', async () => {
-      features.getKibanaFeatures.mockReturnValue([
-        mockFeature('myApp', ['myAppAlertType', 'mySecondAppAlertType']),
-        mockFeature('alerts', 'myOtherAppAlertType'),
-        myOtherAppFeature,
-        myAppWithSubFeature,
-      ]);
-      const { authorization } = mockSecurity();
-      const checkPrivileges: jest.MockedFunction<
-        ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
-      > = jest.fn();
-      authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
-      checkPrivileges.mockResolvedValueOnce({
-        username: 'some-user',
-        hasAllRequested: true,
-        privileges: { kibana: [] },
-      });
+
+    it('checks additional privileges correctly', async () => {
       const alertAuthorization = new AlertingAuthorization({
         request,
-        authorization,
         ruleTypeRegistry,
-        features,
-        getSpace,
+        authorization: securityStart.authz,
         getSpaceId,
+        allRegisteredConsumers,
+        ruleTypesConsumersMap,
       });
-      ruleTypeRegistry.list.mockReturnValue(setOfAlertTypes);
 
-      const filter = (
-        await alertAuthorization.getFindAuthorizationFilter(AlertingAuthorizationEntity.Rule, {
-          type: AlertingAuthorizationFilterType.KQL,
-          fieldNames: {
-            ruleTypeId: 'path.to.rule_type_id',
-            consumer: 'consumer-field',
-          },
-        })
-      ).filter;
+      await alertAuthorization.ensureAuthorized({
+        ruleTypeId: 'myType',
+        consumer: 'myApp',
+        operation: WriteOperations.Create,
+        entity: AlertingAuthorizationEntity.Rule,
+        additionalPrivileges: ['test/create'],
+      });
 
-      expect(toKqlExpression(filter as KueryNode)).toMatchInlineSnapshot(
-        `"((path.to.rule_type_id: myAppAlertType AND (consumer-field: alerts OR consumer-field: discover OR consumer-field: myApp OR consumer-field: myOtherApp OR consumer-field: myAppWithSubFeature)) OR (path.to.rule_type_id: mySecondAppAlertType AND (consumer-field: alerts OR consumer-field: discover OR consumer-field: myApp OR consumer-field: myOtherApp OR consumer-field: myAppWithSubFeature)) OR (path.to.rule_type_id: myOtherAppAlertType AND (consumer-field: alerts OR consumer-field: discover OR consumer-field: myApp OR consumer-field: myOtherApp OR consumer-field: myAppWithSubFeature)))"`
-      );
+      expect(checkPrivileges).toBeCalledTimes(1);
+      expect(checkPrivileges.mock.calls[0]).toMatchInlineSnapshot(`
+        Array [
+          Object {
+            "kibana": Array [
+              "myType/myApp/rule/create",
+              "test/create",
+            ],
+          },
+        ]
+      `);
     });
-    test('throws if user has no privileges to any rule type', async () => {
-      const { authorization } = mockSecurity();
-      const checkPrivileges: jest.MockedFunction<
-        ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
-      > = jest.fn();
-      authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
-      checkPrivileges.mockResolvedValueOnce({
-        username: 'some-user',
-        hasAllRequested: false,
-        privileges: {
-          kibana: [
-            {
-              privilege: mockAuthorizationAction('myType', 'myOtherApp', 'rule', 'create'),
-              authorized: false,
-            },
-            {
-              privilege: mockAuthorizationAction('myType', 'myApp', 'rule', 'create'),
-              authorized: false,
-            },
-          ],
-        },
-      });
-      const alertAuthorization = new AlertingAuthorization({
+  });
+
+  describe('getFindAuthorizationFilter', () => {
+    it('creates a filter based on the privileged types', async () => {
+      const auth = await AlertingAuthorization.create({
         request,
-        authorization,
         ruleTypeRegistry,
+        getSpaceId,
         features,
         getSpace,
-        getSpaceId,
+        authorization: securityStart.authz,
       });
-      ruleTypeRegistry.list.mockReturnValue(setOfAlertTypes);
-      await expect(
-        alertAuthorization.getFindAuthorizationFilter(AlertingAuthorizationEntity.Rule, {
-          type: AlertingAuthorizationFilterType.KQL,
-          fieldNames: {
-            ruleTypeId: 'path.to.rule_type_id',
-            consumer: 'consumer-field',
-          },
-        })
-      ).rejects.toThrowErrorMatchingInlineSnapshot(
-        `"Unauthorized to find rules for any rule types"`
-      );
-    });
-    test('creates an `ensureRuleTypeIsAuthorized` function which throws if type is unauthorized', async () => {
-      features.getKibanaFeatures.mockReturnValue([
-        mockFeature('myApp', ['myOtherAppAlertType', 'myAppAlertType']),
-        mockFeature('myOtherApp', ['myOtherAppAlertType', 'myAppAlertType']),
-      ]);
-      const { authorization } = mockSecurity();
-      const checkPrivileges: jest.MockedFunction<
-        ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
-      > = jest.fn();
-      authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
+
       checkPrivileges.mockResolvedValueOnce({
         username: 'some-user',
-        hasAllRequested: false,
+        hasAllRequested: true,
         privileges: {
           kibana: [
             {
-              privilege: mockAuthorizationAction('myOtherAppAlertType', 'myApp', 'alert', 'find'),
+              privilege: mockAuthorizationAction('rule-type-id-1', 'alerts', 'rule', 'find'),
               authorized: true,
             },
             {
-              privilege: mockAuthorizationAction(
-                'myOtherAppAlertType',
-                'myOtherApp',
-                'alert',
-                'find'
-              ),
-              authorized: false,
+              privilege: mockAuthorizationAction('rule-type-id-1', 'consumer-a', 'rule', 'find'),
+              authorized: true,
             },
             {
-              privilege: mockAuthorizationAction('myAppAlertType', 'myApp', 'alert', 'find'),
+              privilege: mockAuthorizationAction('rule-type-id-1', 'consumer-b', 'rule', 'find'),
               authorized: true,
             },
             {
-              privilege: mockAuthorizationAction('myAppAlertType', 'myOtherApp', 'alert', 'find'),
-              authorized: false,
+              privilege: mockAuthorizationAction('rule-type-id-2', 'alerts', 'rule', 'find'),
+              authorized: true,
             },
-          ],
-        },
-      });
-      const alertAuthorization = new AlertingAuthorization({
-        request,
-        authorization,
-        ruleTypeRegistry,
-        features,
-        getSpace,
-        getSpaceId,
-      });
-      ruleTypeRegistry.list.mockReturnValue(setOfAlertTypes);
-      const { ensureRuleTypeIsAuthorized } = await alertAuthorization.getFindAuthorizationFilter(
-        AlertingAuthorizationEntity.Alert,
-        {
-          type: AlertingAuthorizationFilterType.KQL,
-          fieldNames: {
-            ruleTypeId: 'ruleId',
-            consumer: 'consumer',
-          },
-        }
-      );
-      expect(() => {
-        ensureRuleTypeIsAuthorized('myAppAlertType', 'myOtherApp', 'alert');
-      }).toThrowErrorMatchingInlineSnapshot(
-        `"Unauthorized by \\"myOtherApp\\" to find \\"myAppAlertType\\" alert"`
-      );
-    });
-    test('creates an `ensureRuleTypeIsAuthorized` function which is no-op if type is authorized', async () => {
-      features.getKibanaFeatures.mockReturnValue([
-        mockFeature('myApp', ['myOtherAppAlertType', 'myAppAlertType']),
-        mockFeature('myOtherApp', 'myAppAlertType'),
-      ]);
-      const { authorization } = mockSecurity();
-      const checkPrivileges: jest.MockedFunction<
-        ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
-      > = jest.fn();
-      authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
-      checkPrivileges.mockResolvedValueOnce({
-        username: 'some-user',
-        hasAllRequested: false,
-        privileges: {
-          kibana: [
             {
-              privilege: mockAuthorizationAction('myOtherAppAlertType', 'myApp', 'rule', 'find'),
+              privilege: mockAuthorizationAction('rule-type-id-2', 'consumer-b', 'rule', 'find'),
               authorized: true,
             },
             {
-              privilege: mockAuthorizationAction(
-                'myOtherAppAlertType',
-                'myOtherApp',
-                'rule',
-                'find'
-              ),
-              authorized: false,
+              privilege: mockAuthorizationAction('rule-type-id-3', 'consumer-c', 'rule', 'find'),
+              authorized: true,
             },
             {
-              privilege: mockAuthorizationAction('myAppAlertType', 'myApp', 'rule', 'find'),
+              privilege: mockAuthorizationAction('rule-type-id-3', 'alerts', 'rule', 'find'),
               authorized: true,
             },
             {
-              privilege: mockAuthorizationAction('myAppAlertType', 'myOtherApp', 'rule', 'find'),
-              authorized: true,
+              privilege: mockAuthorizationAction('rule-type-id-3', 'consumer-d', 'rule', 'find'),
+              authorized: false,
             },
           ],
         },
       });
-      const alertAuthorization = new AlertingAuthorization({
-        request,
-        authorization,
-        ruleTypeRegistry,
-        features,
-        getSpace,
-        getSpaceId,
-      });
-      ruleTypeRegistry.list.mockReturnValue(setOfAlertTypes);
-      const { ensureRuleTypeIsAuthorized } = await alertAuthorization.getFindAuthorizationFilter(
-        AlertingAuthorizationEntity.Rule,
-        {
-          type: AlertingAuthorizationFilterType.KQL,
-          fieldNames: {
-            ruleTypeId: 'ruleId',
-            consumer: 'consumer',
+
+      const filter = (
+        await auth.getFindAuthorizationFilter({
+          authorizationEntity: AlertingAuthorizationEntity.Rule,
+          filterOpts: {
+            type: AlertingAuthorizationFilterType.KQL,
+            fieldNames: {
+              ruleTypeId: 'path.to.rule_type_id',
+              consumer: 'consumer-field',
+            },
           },
-        }
+        })
+      ).filter;
+
+      expect(checkPrivileges).toBeCalledTimes(1);
+      expect(checkPrivileges.mock.calls[0]).toMatchInlineSnapshot(`
+        Array [
+          Object {
+            "kibana": Array [
+              "rule-type-id-1/alerts/rule/find",
+              "rule-type-id-1/consumer-a/rule/find",
+              "rule-type-id-1/consumer-b/rule/find",
+              "rule-type-id-2/alerts/rule/find",
+              "rule-type-id-2/consumer-b/rule/find",
+              "rule-type-id-3/alerts/rule/find",
+              "rule-type-id-3/consumer-c/rule/find",
+              "rule-type-id-4/consumer-d/rule/find",
+            ],
+          },
+        ]
+      `);
+
+      expect(toKqlExpression(filter as KueryNode)).toMatchInlineSnapshot(
+        `"((path.to.rule_type_id: rule-type-id-1 AND (consumer-field: alerts OR consumer-field: consumer-a OR consumer-field: consumer-b)) OR (path.to.rule_type_id: rule-type-id-2 AND (consumer-field: alerts OR consumer-field: consumer-b)) OR (path.to.rule_type_id: rule-type-id-3 AND (consumer-field: consumer-c OR consumer-field: alerts)))"`
       );
-      expect(() => {
-        ensureRuleTypeIsAuthorized('myAppAlertType', 'myOtherApp', 'rule');
-      }).not.toThrow();
     });
-    test('creates an `logSuccessfulAuthorization` function which logs every authorized type', async () => {
-      features.getKibanaFeatures.mockReturnValue([
-        mockFeature('myApp', ['myOtherAppAlertType', 'myAppAlertType', 'mySecondAppAlertType']),
-        mockFeature('myOtherApp', ['mySecondAppAlertType', 'myAppAlertType']),
-      ]);
-      const { authorization } = mockSecurity();
-      const checkPrivileges: jest.MockedFunction<
-        ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
-      > = jest.fn();
-      authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
+
+    it('does not throw if the rule type is authorized', async () => {
       checkPrivileges.mockResolvedValueOnce({
         username: 'some-user',
-        hasAllRequested: false,
+        hasAllRequested: true,
         privileges: {
           kibana: [
             {
-              privilege: mockAuthorizationAction('myOtherAppAlertType', 'myApp', 'rule', 'find'),
-              authorized: true,
-            },
-            {
-              privilege: mockAuthorizationAction(
-                'myOtherAppAlertType',
-                'myOtherApp',
-                'rule',
-                'find'
-              ),
-              authorized: false,
-            },
-            {
-              privilege: mockAuthorizationAction('myAppAlertType', 'myApp', 'rule', 'find'),
-              authorized: true,
-            },
-            {
-              privilege: mockAuthorizationAction('myAppAlertType', 'myOtherApp', 'rule', 'find'),
+              privilege: mockAuthorizationAction('rule-type-id-1', 'consumer-a', 'rule', 'find'),
               authorized: true,
             },
             {
-              privilege: mockAuthorizationAction('mySecondAppAlertType', 'myApp', 'rule', 'find'),
-              authorized: true,
-            },
-            {
-              privilege: mockAuthorizationAction(
-                'mySecondAppAlertType',
-                'myOtherApp',
-                'rule',
-                'find'
-              ),
+              privilege: mockAuthorizationAction('rule-type-id-2', 'consumer-b', 'rule', 'find'),
               authorized: true,
             },
           ],
         },
       });
-      const alertAuthorization = new AlertingAuthorization({
+
+      const auth = await AlertingAuthorization.create({
         request,
-        authorization,
         ruleTypeRegistry,
+        getSpaceId,
         features,
         getSpace,
-        getSpaceId,
+        authorization: securityStart.authz,
       });
-      ruleTypeRegistry.list.mockReturnValue(setOfAlertTypes);
-      const { ensureRuleTypeIsAuthorized } = await alertAuthorization.getFindAuthorizationFilter(
-        AlertingAuthorizationEntity.Rule,
-        {
+
+      const { ensureRuleTypeIsAuthorized } = await auth.getFindAuthorizationFilter({
+        authorizationEntity: AlertingAuthorizationEntity.Rule,
+        filterOpts: {
           type: AlertingAuthorizationFilterType.KQL,
           fieldNames: {
-            ruleTypeId: 'ruleId',
-            consumer: 'consumer',
+            ruleTypeId: 'path.to.rule_type_id',
+            consumer: 'consumer-field',
           },
-        }
-      );
-      expect(() => {
-        ensureRuleTypeIsAuthorized('myAppAlertType', 'myOtherApp', 'rule');
-        ensureRuleTypeIsAuthorized('mySecondAppAlertType', 'myOtherApp', 'rule');
-        ensureRuleTypeIsAuthorized('myAppAlertType', 'myOtherApp', 'rule');
-      }).not.toThrow();
+        },
+      });
+
+      expect(() =>
+        ensureRuleTypeIsAuthorized('rule-type-id-1', 'consumer-a', 'rule')
+      ).not.toThrow();
+
+      expect(() =>
+        ensureRuleTypeIsAuthorized('rule-type-id-2', 'consumer-b', 'rule')
+      ).not.toThrow();
     });
+  });
 
-    // This is a specific use case currently for alerts as data
-    // Space ids are stored in the alerts documents and even if security is disabled
-    // still need to consider the users space privileges
-    test('creates a spaceId only filter if security is disabled, but require space awareness', async () => {
-      const alertAuthorization = new AlertingAuthorization({
-        request,
-        ruleTypeRegistry,
-        features,
-        getSpace,
-        getSpaceId,
+  describe('getAuthorizationFilter', () => {
+    describe('filter', () => {
+      it('gets the filter correctly with no security and no spaceIds in the fields names', async () => {
+        const auth = await AlertingAuthorization.create({
+          request,
+          ruleTypeRegistry,
+          getSpaceId,
+          features,
+          getSpace,
+        });
+
+        const { filter } = await auth.getAuthorizationFilter({
+          authorizationEntity: AlertingAuthorizationEntity.Rule,
+          filterOpts: {
+            type: AlertingAuthorizationFilterType.KQL,
+            fieldNames: {
+              ruleTypeId: 'ruleId',
+              consumer: 'consumer',
+            },
+          },
+          operation: ReadOperations.Get,
+        });
+
+        expect(filter).toEqual(undefined);
       });
-      const { filter } = await alertAuthorization.getFindAuthorizationFilter(
-        AlertingAuthorizationEntity.Alert,
-        {
-          type: AlertingAuthorizationFilterType.ESDSL,
-          fieldNames: {
-            ruleTypeId: 'ruleId',
-            consumer: 'consumer',
-            spaceIds: 'path.to.space.id',
+
+      // This is a specific use case currently for alerts as data
+      // Space ids are stored in the alerts documents and even if security is disabled
+      // still need to consider the users space privileges
+      it('gets the filter correctly with no security and spaceIds in the fields names', async () => {
+        const auth = await AlertingAuthorization.create({
+          request,
+          ruleTypeRegistry,
+          getSpaceId,
+          features,
+          getSpace,
+        });
+
+        const { filter } = await auth.getAuthorizationFilter({
+          authorizationEntity: AlertingAuthorizationEntity.Rule,
+          filterOpts: {
+            type: AlertingAuthorizationFilterType.KQL,
+            fieldNames: {
+              ruleTypeId: 'ruleId',
+              consumer: 'consumer',
+              spaceIds: 'path.to.space.id',
+            },
           },
-        }
-      );
+          operation: ReadOperations.Get,
+        });
 
-      expect(filter).toEqual({
-        bool: { minimum_should_match: 1, should: [{ match: { 'path.to.space.id': 'space1' } }] },
+        expect(toKqlExpression(filter as KueryNode)).toMatchInlineSnapshot(
+          `"path.to.space.id: space1"`
+        );
       });
-    });
-  });
 
-  describe('filterByRuleTypeAuthorization', () => {
-    const myOtherAppAlertType: RegistryRuleType = {
-      actionGroups: [],
-      actionVariables: undefined,
-      defaultActionGroupId: 'default',
-      minimumLicenseRequired: 'basic',
-      isExportable: true,
-      recoveryActionGroup: RecoveredActionGroup,
-      id: 'myOtherAppAlertType',
-      name: 'myOtherAppAlertType',
-      category: 'test',
-      producer: 'myOtherApp',
-      enabledInLicense: true,
-      hasAlertsMappings: false,
-      hasFieldsForAAD: false,
-      validLegacyConsumers: [],
-    };
-    const myAppAlertType: RegistryRuleType = {
-      actionGroups: [],
-      actionVariables: undefined,
-      defaultActionGroupId: 'default',
-      minimumLicenseRequired: 'basic',
-      isExportable: true,
-      recoveryActionGroup: RecoveredActionGroup,
-      id: 'myAppAlertType',
-      name: 'myAppAlertType',
-      category: 'test',
-      producer: 'myApp',
-      enabledInLicense: true,
-      hasAlertsMappings: false,
-      hasFieldsForAAD: false,
-      validLegacyConsumers: [],
-    };
-    const setOfAlertTypes = new Set([myAppAlertType, myOtherAppAlertType]);
-    beforeEach(() => {
-      features.getKibanaFeatures.mockReturnValue([
-        mockFeature('myApp', ['myOtherAppAlertType', 'myAppAlertType']),
-        mockFeature('myOtherApp', ['myAppAlertType', 'myOtherAppAlertType']),
-      ]);
-    });
-    test('augments a list of types with all features when there is no authorization api', async () => {
-      features.getKibanaFeatures.mockReturnValue([
-        myAppFeature,
-        myOtherAppFeature,
-        myAppWithSubFeature,
-        myFeatureWithoutAlerting,
-      ]);
-      const alertAuthorization = new AlertingAuthorization({
-        request,
-        ruleTypeRegistry,
-        features,
-        getSpace,
-        getSpaceId,
+      it('gets the filter correctly with security disabled', async () => {
+        securityStart.authz.mode.useRbacForRequest.mockReturnValue(false);
+
+        const auth = await AlertingAuthorization.create({
+          request,
+          ruleTypeRegistry,
+          getSpaceId,
+          features,
+          getSpace,
+          authorization: securityStart.authz,
+        });
+
+        const { filter } = await auth.getAuthorizationFilter({
+          authorizationEntity: AlertingAuthorizationEntity.Rule,
+          filterOpts: {
+            type: AlertingAuthorizationFilterType.KQL,
+            fieldNames: {
+              ruleTypeId: 'ruleId',
+              consumer: 'consumer',
+            },
+          },
+          operation: ReadOperations.Get,
+        });
+
+        expect(filter).toEqual(undefined);
       });
-      ruleTypeRegistry.list.mockReturnValue(setOfAlertTypes);
 
-      await expect(
-        alertAuthorization.filterByRuleTypeAuthorization(
-          new Set([myAppAlertType, myOtherAppAlertType]),
-          [WriteOperations.Create],
-          AlertingAuthorizationEntity.Rule
-        )
-      ).resolves.toMatchInlineSnapshot(`
-        Set {
-          Object {
-            "actionGroups": Array [],
-            "actionVariables": undefined,
-            "authorizedConsumers": Object {
-              "alerts": Object {
-                "all": true,
-                "read": true,
+      it('gets the filter correctly for all rule types and consumers', async () => {
+        checkPrivileges.mockResolvedValueOnce({
+          username: 'some-user',
+          hasAllRequested: true,
+          privileges: {
+            kibana: [
+              {
+                privilege: mockAuthorizationAction('rule-type-id-1', 'consumer-a', 'rule', 'get'),
+                authorized: true,
               },
-              "discover": Object {
-                "all": true,
-                "read": true,
+              {
+                privilege: mockAuthorizationAction('rule-type-id-1', 'consumer-b', 'rule', 'get'),
+                authorized: true,
               },
-              "myApp": Object {
-                "all": true,
-                "read": true,
+              {
+                privilege: mockAuthorizationAction('rule-type-id-2', 'consumer-b', 'rule', 'get'),
+                authorized: true,
               },
-              "myAppWithSubFeature": Object {
-                "all": true,
-                "read": true,
+              {
+                privilege: mockAuthorizationAction('rule-type-id-3', 'consumer-c', 'rule', 'get'),
+                authorized: true,
               },
-              "myOtherApp": Object {
-                "all": true,
-                "read": true,
+              {
+                privilege: mockAuthorizationAction('rule-type-id-4', 'consumer-d', 'rule', 'get'),
+                authorized: true,
               },
+            ],
+          },
+        });
+
+        const auth = await AlertingAuthorization.create({
+          request,
+          ruleTypeRegistry,
+          getSpaceId,
+          features,
+          getSpace,
+          authorization: securityStart.authz,
+        });
+
+        const { filter } = await auth.getAuthorizationFilter({
+          authorizationEntity: AlertingAuthorizationEntity.Rule,
+          filterOpts: {
+            type: AlertingAuthorizationFilterType.KQL,
+            fieldNames: {
+              ruleTypeId: 'ruleId',
+              consumer: 'consumer',
             },
-            "category": "test",
-            "defaultActionGroupId": "default",
-            "enabledInLicense": true,
-            "hasAlertsMappings": false,
-            "hasFieldsForAAD": false,
-            "id": "myAppAlertType",
-            "isExportable": true,
-            "minimumLicenseRequired": "basic",
-            "name": "myAppAlertType",
-            "producer": "myApp",
-            "recoveryActionGroup": Object {
-              "id": "recovered",
-              "name": "Recovered",
-            },
-            "validLegacyConsumers": Array [],
           },
-          Object {
-            "actionGroups": Array [],
-            "actionVariables": undefined,
-            "authorizedConsumers": Object {
-              "alerts": Object {
-                "all": true,
-                "read": true,
+          operation: ReadOperations.Get,
+        });
+
+        expect(toKqlExpression(filter as KueryNode)).toMatchInlineSnapshot(
+          `"((ruleId: rule-type-id-1 AND (consumer: consumer-a OR consumer: consumer-b)) OR (ruleId: rule-type-id-2 AND consumer: consumer-b) OR (ruleId: rule-type-id-3 AND consumer: consumer-c) OR (ruleId: rule-type-id-4 AND consumer: consumer-d))"`
+        );
+      });
+
+      it('throws when the user is not authorized for any rule type', async () => {
+        checkPrivileges.mockResolvedValueOnce({
+          username: 'some-user',
+          hasAllRequested: true,
+          privileges: {
+            kibana: [],
+          },
+        });
+
+        const auth = await AlertingAuthorization.create({
+          request,
+          ruleTypeRegistry,
+          getSpaceId,
+          features,
+          getSpace,
+          authorization: securityStart.authz,
+        });
+
+        await expect(
+          auth.getAuthorizationFilter({
+            authorizationEntity: AlertingAuthorizationEntity.Rule,
+            filterOpts: {
+              type: AlertingAuthorizationFilterType.KQL,
+              fieldNames: {
+                ruleTypeId: 'ruleId',
+                consumer: 'consumer',
               },
-              "discover": Object {
-                "all": true,
-                "read": true,
+            },
+            operation: ReadOperations.Get,
+          })
+        ).rejects.toThrowErrorMatchingInlineSnapshot(
+          `"Unauthorized to get rules for any rule types"`
+        );
+      });
+    });
+
+    describe('ensureRuleTypeIsAuthorized', () => {
+      it('does not throw if the rule type is authorized', async () => {
+        checkPrivileges.mockResolvedValueOnce({
+          username: 'some-user',
+          hasAllRequested: true,
+          privileges: {
+            kibana: [
+              {
+                privilege: mockAuthorizationAction('rule-type-id-1', 'consumer-a', 'rule', 'get'),
+                authorized: true,
               },
-              "myApp": Object {
-                "all": true,
-                "read": true,
+              {
+                privilege: mockAuthorizationAction('rule-type-id-2', 'consumer-b', 'rule', 'get'),
+                authorized: true,
               },
-              "myAppWithSubFeature": Object {
-                "all": true,
-                "read": true,
+            ],
+          },
+        });
+
+        const auth = await AlertingAuthorization.create({
+          request,
+          ruleTypeRegistry,
+          getSpaceId,
+          features,
+          getSpace,
+          authorization: securityStart.authz,
+        });
+
+        const { ensureRuleTypeIsAuthorized } = await auth.getAuthorizationFilter({
+          authorizationEntity: AlertingAuthorizationEntity.Rule,
+          filterOpts: {
+            type: AlertingAuthorizationFilterType.KQL,
+            fieldNames: {
+              ruleTypeId: 'ruleId',
+              consumer: 'consumer',
+            },
+          },
+          operation: ReadOperations.Get,
+        });
+
+        expect(() =>
+          ensureRuleTypeIsAuthorized('rule-type-id-1', 'consumer-a', 'rule')
+        ).not.toThrow();
+
+        expect(() =>
+          ensureRuleTypeIsAuthorized('rule-type-id-2', 'consumer-b', 'rule')
+        ).not.toThrow();
+      });
+
+      it('throws if the rule type is not authorized', async () => {
+        checkPrivileges.mockResolvedValueOnce({
+          username: 'some-user',
+          hasAllRequested: true,
+          privileges: {
+            kibana: [
+              {
+                privilege: mockAuthorizationAction('rule-type-id-1', 'consumer-a', 'rule', 'get'),
+                authorized: true,
               },
-              "myOtherApp": Object {
-                "all": true,
-                "read": true,
+            ],
+          },
+        });
+
+        const auth = await AlertingAuthorization.create({
+          request,
+          ruleTypeRegistry,
+          getSpaceId,
+          features,
+          getSpace,
+          authorization: securityStart.authz,
+        });
+
+        const { ensureRuleTypeIsAuthorized } = await auth.getAuthorizationFilter({
+          authorizationEntity: AlertingAuthorizationEntity.Rule,
+          filterOpts: {
+            type: AlertingAuthorizationFilterType.KQL,
+            fieldNames: {
+              ruleTypeId: 'ruleId',
+              consumer: 'consumer',
+            },
+          },
+          operation: ReadOperations.Get,
+        });
+
+        expect(() =>
+          ensureRuleTypeIsAuthorized('rule-type-id-2', 'consumer-a', 'rule')
+        ).toThrowErrorMatchingInlineSnapshot(
+          `"Unauthorized by \\"consumer-a\\" to get \\"rule-type-id-2\\" rule"`
+        );
+      });
+
+      it('throws if the rule type is not authorized for the entity', async () => {
+        checkPrivileges.mockResolvedValueOnce({
+          username: 'some-user',
+          hasAllRequested: true,
+          privileges: {
+            kibana: [
+              {
+                privilege: mockAuthorizationAction('rule-type-id-1', 'consumer-a', 'rule', 'get'),
+                authorized: true,
+              },
+            ],
+          },
+        });
+
+        const auth = await AlertingAuthorization.create({
+          request,
+          ruleTypeRegistry,
+          getSpaceId,
+          features,
+          getSpace,
+          authorization: securityStart.authz,
+        });
+
+        const { ensureRuleTypeIsAuthorized } = await auth.getAuthorizationFilter({
+          authorizationEntity: AlertingAuthorizationEntity.Rule,
+          filterOpts: {
+            type: AlertingAuthorizationFilterType.KQL,
+            fieldNames: {
+              ruleTypeId: 'ruleId',
+              consumer: 'consumer',
+            },
+          },
+          operation: ReadOperations.Get,
+        });
+
+        expect(() =>
+          ensureRuleTypeIsAuthorized('rule-type-id-1', 'consumer-a', 'alert')
+        ).toThrowErrorMatchingInlineSnapshot(
+          `"Unauthorized by \\"consumer-a\\" to get \\"rule-type-id-1\\" alert"`
+        );
+      });
+
+      it('throws if the rule type is not authorized for the consumer', async () => {
+        checkPrivileges.mockResolvedValueOnce({
+          username: 'some-user',
+          hasAllRequested: true,
+          privileges: {
+            kibana: [
+              {
+                privilege: mockAuthorizationAction('rule-type-id-1', 'consumer-a', 'rule', 'get'),
+                authorized: true,
               },
+            ],
+          },
+        });
+
+        const auth = await AlertingAuthorization.create({
+          request,
+          ruleTypeRegistry,
+          getSpaceId,
+          features,
+          getSpace,
+          authorization: securityStart.authz,
+        });
+
+        const { ensureRuleTypeIsAuthorized } = await auth.getAuthorizationFilter({
+          authorizationEntity: AlertingAuthorizationEntity.Rule,
+          filterOpts: {
+            type: AlertingAuthorizationFilterType.KQL,
+            fieldNames: {
+              ruleTypeId: 'ruleId',
+              consumer: 'consumer',
             },
-            "category": "test",
-            "defaultActionGroupId": "default",
-            "enabledInLicense": true,
-            "hasAlertsMappings": false,
-            "hasFieldsForAAD": false,
-            "id": "myOtherAppAlertType",
-            "isExportable": true,
-            "minimumLicenseRequired": "basic",
-            "name": "myOtherAppAlertType",
-            "producer": "myOtherApp",
-            "recoveryActionGroup": Object {
-              "id": "recovered",
-              "name": "Recovered",
-            },
-            "validLegacyConsumers": Array [],
           },
-        }
+          operation: ReadOperations.Get,
+        });
+
+        expect(() =>
+          ensureRuleTypeIsAuthorized('rule-type-id-1', 'consumer-b', 'rule')
+        ).toThrowErrorMatchingInlineSnapshot(
+          `"Unauthorized by \\"consumer-b\\" to get \\"rule-type-id-1\\" rule"`
+        );
+      });
+    });
+  });
+
+  describe('getAuthorizedRuleTypes', () => {
+    it('calls checkPrivileges correctly', async () => {
+      const auth = await AlertingAuthorization.create({
+        request,
+        ruleTypeRegistry,
+        getSpaceId,
+        features,
+        getSpace,
+        authorization: securityStart.authz,
+      });
+
+      await auth.getAuthorizedRuleTypes({
+        ruleTypeIds: ['rule-type-id-1'],
+        operations: [WriteOperations.Create],
+        authorizationEntity: AlertingAuthorizationEntity.Rule,
+      });
+
+      expect(checkPrivileges).toBeCalledTimes(1);
+      expect(checkPrivileges.mock.calls[0]).toMatchInlineSnapshot(`
+        Array [
+          Object {
+            "kibana": Array [
+              "rule-type-id-1/alerts/rule/create",
+              "rule-type-id-1/consumer-a/rule/create",
+              "rule-type-id-1/consumer-b/rule/create",
+            ],
+          },
+        ]
       `);
     });
 
-    test('augments a list of types with consumers under which the operation is authorized', async () => {
-      const { authorization } = mockSecurity();
-      const checkPrivileges: jest.MockedFunction<
-        ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
-      > = jest.fn();
-      authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
+    it('returns the authorized rules correctly', async () => {
       checkPrivileges.mockResolvedValueOnce({
         username: 'some-user',
-        hasAllRequested: false,
+        hasAllRequested: true,
         privileges: {
           kibana: [
             {
-              privilege: mockAuthorizationAction('myOtherAppAlertType', 'myApp', 'rule', 'create'),
+              privilege: mockAuthorizationAction('rule-type-id-1', 'consumer-a', 'rule', 'get'),
               authorized: true,
             },
             {
-              privilege: mockAuthorizationAction(
-                'myOtherAppAlertType',
-                'myOtherApp',
-                'rule',
-                'create'
-              ),
-              authorized: false,
+              privilege: mockAuthorizationAction('rule-type-id-1', 'consumer-a', 'rule', 'create'),
+              authorized: true,
             },
             {
-              privilege: mockAuthorizationAction('myAppAlertType', 'myApp', 'rule', 'create'),
+              privilege: mockAuthorizationAction('rule-type-id-2', 'consumer-b', 'rule', 'get'),
               authorized: true,
             },
             {
-              privilege: mockAuthorizationAction('myAppAlertType', 'myOtherApp', 'rule', 'create'),
+              privilege: mockAuthorizationAction('rule-type-id-3', 'consumer-c', 'rule', 'create'),
               authorized: true,
             },
           ],
         },
       });
 
-      const alertAuthorization = new AlertingAuthorization({
+      const auth = await AlertingAuthorization.create({
         request,
-        authorization,
         ruleTypeRegistry,
+        getSpaceId,
         features,
         getSpace,
-        getSpaceId,
+        authorization: securityStart.authz,
       });
-      ruleTypeRegistry.list.mockReturnValue(setOfAlertTypes);
 
-      await expect(
-        alertAuthorization.filterByRuleTypeAuthorization(
-          new Set([myAppAlertType, myOtherAppAlertType]),
-          [WriteOperations.Create],
-          AlertingAuthorizationEntity.Rule
-        )
-      ).resolves.toMatchInlineSnapshot(`
-        Set {
-          Object {
-            "actionGroups": Array [],
-            "actionVariables": undefined,
+      expect(
+        await auth.getAuthorizedRuleTypes({
+          ruleTypeIds: ['rule-type-id-1'],
+          operations: [WriteOperations.Create],
+          authorizationEntity: AlertingAuthorizationEntity.Rule,
+        })
+      ).toMatchInlineSnapshot(`
+        Map {
+          "rule-type-id-1" => Object {
             "authorizedConsumers": Object {
-              "myApp": Object {
+              "consumer-a": Object {
                 "all": true,
                 "read": true,
               },
             },
-            "category": "test",
-            "defaultActionGroupId": "default",
-            "enabledInLicense": true,
-            "hasAlertsMappings": false,
-            "hasFieldsForAAD": false,
-            "id": "myOtherAppAlertType",
-            "isExportable": true,
-            "minimumLicenseRequired": "basic",
-            "name": "myOtherAppAlertType",
-            "producer": "myOtherApp",
-            "recoveryActionGroup": Object {
-              "id": "recovered",
-              "name": "Recovered",
-            },
-            "validLegacyConsumers": Array [],
           },
-          Object {
-            "actionGroups": Array [],
-            "actionVariables": undefined,
-            "authorizedConsumers": Object {
-              "myApp": Object {
-                "all": true,
-                "read": true,
-              },
-              "myOtherApp": Object {
-                "all": true,
-                "read": true,
+        }
+      `);
+    });
+  });
+
+  describe('getAllAuthorizedRuleTypes', () => {
+    it('get authorized rule types with authorized consumers', async () => {
+      checkPrivileges.mockResolvedValueOnce({
+        username: 'some-user',
+        hasAllRequested: true,
+        privileges: {
+          kibana: [
+            {
+              privilege: mockAuthorizationAction('rule-type-id-1', 'consumer-a', 'rule', 'get'),
+              authorized: true,
+            },
+            {
+              privilege: mockAuthorizationAction('rule-type-id-1', 'consumer-a', 'rule', 'create'),
+              authorized: true,
+            },
+            {
+              privilege: mockAuthorizationAction('rule-type-id-2', 'consumer-b', 'rule', 'get'),
+              authorized: true,
+            },
+            {
+              privilege: mockAuthorizationAction('rule-type-id-3', 'consumer-c', 'rule', 'create'),
+              authorized: false,
+            },
+          ],
+        },
+      });
+
+      const auth = await AlertingAuthorization.create({
+        request,
+        ruleTypeRegistry,
+        getSpaceId,
+        features,
+        getSpace,
+        authorization: securityStart.authz,
+      });
+
+      expect(
+        await auth.getAllAuthorizedRuleTypes({
+          operations: [ReadOperations.Get, WriteOperations.Create],
+          authorizationEntity: AlertingAuthorizationEntity.Rule,
+        })
+      ).toMatchInlineSnapshot(`
+        Object {
+          "authorizedRuleTypes": Map {
+            "rule-type-id-1" => Object {
+              "authorizedConsumers": Object {
+                "consumer-a": Object {
+                  "all": true,
+                  "read": true,
+                },
+              },
+            },
+            "rule-type-id-2" => Object {
+              "authorizedConsumers": Object {
+                "consumer-b": Object {
+                  "all": false,
+                  "read": true,
+                },
+              },
+            },
+          },
+          "hasAllRequested": true,
+          "username": "some-user",
+        }
+      `);
+    });
+
+    it('calls checkPrivileges with the correct actions', async () => {
+      const auth = await AlertingAuthorization.create({
+        request,
+        ruleTypeRegistry,
+        getSpaceId,
+        features,
+        getSpace,
+        authorization: securityStart.authz,
+      });
+
+      await auth.getAllAuthorizedRuleTypes({
+        operations: [ReadOperations.Get, WriteOperations.Create],
+        authorizationEntity: AlertingAuthorizationEntity.Rule,
+      });
+
+      expect(checkPrivileges).toBeCalledTimes(1);
+      expect(checkPrivileges.mock.calls[0]).toMatchInlineSnapshot(`
+        Array [
+          Object {
+            "kibana": Array [
+              "rule-type-id-1/alerts/rule/get",
+              "rule-type-id-1/alerts/rule/create",
+              "rule-type-id-1/consumer-a/rule/get",
+              "rule-type-id-1/consumer-a/rule/create",
+              "rule-type-id-1/consumer-b/rule/get",
+              "rule-type-id-1/consumer-b/rule/create",
+              "rule-type-id-2/alerts/rule/get",
+              "rule-type-id-2/alerts/rule/create",
+              "rule-type-id-2/consumer-b/rule/get",
+              "rule-type-id-2/consumer-b/rule/create",
+              "rule-type-id-3/alerts/rule/get",
+              "rule-type-id-3/alerts/rule/create",
+              "rule-type-id-3/consumer-c/rule/get",
+              "rule-type-id-3/consumer-c/rule/create",
+              "rule-type-id-4/consumer-d/rule/get",
+              "rule-type-id-4/consumer-d/rule/create",
+            ],
+          },
+        ]
+      `);
+    });
+  });
+
+  describe('_getAuthorizedRuleTypesWithAuthorizedConsumers', () => {
+    it('returns all rule types with all consumers as authorized with no authorization', async () => {
+      const auth = await AlertingAuthorization.create({
+        request,
+        ruleTypeRegistry,
+        getSpaceId,
+        features,
+        getSpace,
+      });
+
+      expect(
+        // @ts-expect-error: need to test the private method
+        await auth._getAuthorizedRuleTypesWithAuthorizedConsumers({
+          ruleTypeIds,
+          operations: [ReadOperations.Get, WriteOperations.Create],
+          authorizationEntity: AlertingAuthorizationEntity.Rule,
+        })
+      ).toMatchInlineSnapshot(`
+        Object {
+          "authorizedRuleTypes": Map {
+            "rule-type-id-1" => Object {
+              "authorizedConsumers": Object {
+                "alerts": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-a": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-b": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-c": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-d": Object {
+                  "all": true,
+                  "read": true,
+                },
+              },
+            },
+            "rule-type-id-2" => Object {
+              "authorizedConsumers": Object {
+                "alerts": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-a": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-b": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-c": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-d": Object {
+                  "all": true,
+                  "read": true,
+                },
+              },
+            },
+            "rule-type-id-3" => Object {
+              "authorizedConsumers": Object {
+                "alerts": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-a": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-b": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-c": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-d": Object {
+                  "all": true,
+                  "read": true,
+                },
+              },
+            },
+            "rule-type-id-4" => Object {
+              "authorizedConsumers": Object {
+                "alerts": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-a": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-b": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-c": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-d": Object {
+                  "all": true,
+                  "read": true,
+                },
+              },
+            },
+          },
+          "hasAllRequested": true,
+        }
+      `);
+    });
+
+    it('filters out rule types with no authorization', async () => {
+      const auth = await AlertingAuthorization.create({
+        request,
+        ruleTypeRegistry,
+        getSpaceId,
+        features,
+        getSpace,
+      });
+
+      expect(
+        // @ts-expect-error: need to test the private method
+        await auth._getAuthorizedRuleTypesWithAuthorizedConsumers({
+          ruleTypeIds: [ruleTypeIds[0], ruleTypeIds[1]],
+          operations: [ReadOperations.Get, WriteOperations.Create],
+          authorizationEntity: AlertingAuthorizationEntity.Rule,
+        })
+      ).toMatchInlineSnapshot(`
+        Object {
+          "authorizedRuleTypes": Map {
+            "rule-type-id-1" => Object {
+              "authorizedConsumers": Object {
+                "alerts": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-a": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-b": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-c": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-d": Object {
+                  "all": true,
+                  "read": true,
+                },
+              },
+            },
+            "rule-type-id-2" => Object {
+              "authorizedConsumers": Object {
+                "alerts": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-a": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-b": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-c": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-d": Object {
+                  "all": true,
+                  "read": true,
+                },
+              },
+            },
+          },
+          "hasAllRequested": true,
+        }
+      `);
+    });
+
+    it('returns all rule types with all consumers as authorized with disabled authorization', async () => {
+      securityStart.authz.mode.useRbacForRequest.mockReturnValue(false);
+
+      const auth = await AlertingAuthorization.create({
+        request,
+        ruleTypeRegistry,
+        getSpaceId,
+        features,
+        getSpace,
+        authorization: securityStart.authz,
+      });
+
+      expect(
+        // @ts-expect-error: need to test the private method
+        await auth._getAuthorizedRuleTypesWithAuthorizedConsumers({
+          ruleTypeIds,
+          operations: [ReadOperations.Get, WriteOperations.Create],
+          authorizationEntity: AlertingAuthorizationEntity.Rule,
+        })
+      ).toMatchInlineSnapshot(`
+        Object {
+          "authorizedRuleTypes": Map {
+            "rule-type-id-1" => Object {
+              "authorizedConsumers": Object {
+                "alerts": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-a": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-b": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-c": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-d": Object {
+                  "all": true,
+                  "read": true,
+                },
+              },
+            },
+            "rule-type-id-2" => Object {
+              "authorizedConsumers": Object {
+                "alerts": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-a": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-b": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-c": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-d": Object {
+                  "all": true,
+                  "read": true,
+                },
+              },
+            },
+            "rule-type-id-3" => Object {
+              "authorizedConsumers": Object {
+                "alerts": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-a": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-b": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-c": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-d": Object {
+                  "all": true,
+                  "read": true,
+                },
+              },
+            },
+            "rule-type-id-4" => Object {
+              "authorizedConsumers": Object {
+                "alerts": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-a": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-b": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-c": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-d": Object {
+                  "all": true,
+                  "read": true,
+                },
+              },
+            },
+          },
+          "hasAllRequested": true,
+        }
+      `);
+    });
+
+    it('filters out rule types with disabled authorization', async () => {
+      securityStart.authz.mode.useRbacForRequest.mockReturnValue(false);
+
+      const auth = await AlertingAuthorization.create({
+        request,
+        ruleTypeRegistry,
+        getSpaceId,
+        features,
+        getSpace,
+        authorization: securityStart.authz,
+      });
+
+      expect(
+        // @ts-expect-error: need to test the private method
+        await auth._getAuthorizedRuleTypesWithAuthorizedConsumers({
+          ruleTypeIds: [ruleTypeIds[0], ruleTypeIds[1]],
+          operations: [ReadOperations.Get, WriteOperations.Create],
+          authorizationEntity: AlertingAuthorizationEntity.Rule,
+        })
+      ).toMatchInlineSnapshot(`
+        Object {
+          "authorizedRuleTypes": Map {
+            "rule-type-id-1" => Object {
+              "authorizedConsumers": Object {
+                "alerts": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-a": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-b": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-c": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-d": Object {
+                  "all": true,
+                  "read": true,
+                },
+              },
+            },
+            "rule-type-id-2" => Object {
+              "authorizedConsumers": Object {
+                "alerts": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-a": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-b": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-c": Object {
+                  "all": true,
+                  "read": true,
+                },
+                "consumer-d": Object {
+                  "all": true,
+                  "read": true,
+                },
+              },
+            },
+          },
+          "hasAllRequested": true,
+        }
+      `);
+    });
+
+    it('get authorized rule types with authorized consumers with read access only', async () => {
+      checkPrivileges.mockResolvedValueOnce({
+        username: 'some-user',
+        hasAllRequested: true,
+        privileges: {
+          kibana: [
+            {
+              privilege: mockAuthorizationAction('rule-type-id-1', 'consumer-a', 'rule', 'get'),
+              authorized: true,
+            },
+          ],
+        },
+      });
+
+      const auth = await AlertingAuthorization.create({
+        request,
+        ruleTypeRegistry,
+        getSpaceId,
+        features,
+        getSpace,
+        authorization: securityStart.authz,
+      });
+
+      expect(
+        // @ts-expect-error: need to test the private method
+        await auth._getAuthorizedRuleTypesWithAuthorizedConsumers({
+          ruleTypeIds,
+          operations: [ReadOperations.Get, WriteOperations.Create],
+          authorizationEntity: AlertingAuthorizationEntity.Rule,
+        })
+      ).toMatchInlineSnapshot(`
+        Object {
+          "authorizedRuleTypes": Map {
+            "rule-type-id-1" => Object {
+              "authorizedConsumers": Object {
+                "consumer-a": Object {
+                  "all": false,
+                  "read": true,
+                },
+              },
+            },
+          },
+          "hasAllRequested": true,
+          "username": "some-user",
+        }
+      `);
+    });
+
+    it('get authorized rule types with authorized consumers with full access', async () => {
+      checkPrivileges.mockResolvedValueOnce({
+        username: 'some-user',
+        hasAllRequested: true,
+        privileges: {
+          kibana: [
+            {
+              privilege: mockAuthorizationAction('rule-type-id-1', 'consumer-a', 'rule', 'get'),
+              authorized: true,
+            },
+            {
+              privilege: mockAuthorizationAction('rule-type-id-1', 'consumer-a', 'rule', 'create'),
+              authorized: true,
+            },
+          ],
+        },
+      });
+
+      const auth = await AlertingAuthorization.create({
+        request,
+        ruleTypeRegistry,
+        getSpaceId,
+        features,
+        getSpace,
+        authorization: securityStart.authz,
+      });
+
+      expect(
+        // @ts-expect-error: need to test the private method
+        await auth._getAuthorizedRuleTypesWithAuthorizedConsumers({
+          ruleTypeIds,
+          operations: [ReadOperations.Get, WriteOperations.Create],
+          authorizationEntity: AlertingAuthorizationEntity.Rule,
+        })
+      ).toMatchInlineSnapshot(`
+        Object {
+          "authorizedRuleTypes": Map {
+            "rule-type-id-1" => Object {
+              "authorizedConsumers": Object {
+                "consumer-a": Object {
+                  "all": true,
+                  "read": true,
+                },
+              },
+            },
+          },
+          "hasAllRequested": true,
+          "username": "some-user",
+        }
+      `);
+    });
+
+    it('filters out not requested rule types', async () => {
+      checkPrivileges.mockResolvedValueOnce({
+        username: 'some-user',
+        hasAllRequested: true,
+        privileges: {
+          kibana: [
+            {
+              privilege: mockAuthorizationAction('rule-type-id-1', 'consumer-a', 'rule', 'get'),
+              authorized: true,
+            },
+            {
+              privilege: mockAuthorizationAction('rule-type-id-1', 'consumer-b', 'rule', 'create'),
+              authorized: true,
+            },
+            {
+              privilege: mockAuthorizationAction('rule-type-id-3', 'consumer-c', 'rule', 'create'),
+              authorized: true,
+            },
+          ],
+        },
+      });
+
+      const auth = await AlertingAuthorization.create({
+        request,
+        ruleTypeRegistry,
+        getSpaceId,
+        features,
+        getSpace,
+        authorization: securityStart.authz,
+      });
+
+      expect(
+        // @ts-expect-error: need to test the private method
+        await auth._getAuthorizedRuleTypesWithAuthorizedConsumers({
+          ruleTypeIds: [ruleTypeIds[0], ruleTypeIds[1]],
+          operations: [ReadOperations.Get, WriteOperations.Create],
+          authorizationEntity: AlertingAuthorizationEntity.Rule,
+        })
+      ).toMatchInlineSnapshot(`
+        Object {
+          "authorizedRuleTypes": Map {
+            "rule-type-id-1" => Object {
+              "authorizedConsumers": Object {
+                "consumer-a": Object {
+                  "all": false,
+                  "read": true,
+                },
+                "consumer-b": Object {
+                  "all": true,
+                  "read": true,
+                },
               },
             },
-            "category": "test",
-            "defaultActionGroupId": "default",
-            "enabledInLicense": true,
-            "hasAlertsMappings": false,
-            "hasFieldsForAAD": false,
-            "id": "myAppAlertType",
-            "isExportable": true,
-            "minimumLicenseRequired": "basic",
-            "name": "myAppAlertType",
-            "producer": "myApp",
-            "recoveryActionGroup": Object {
-              "id": "recovered",
-              "name": "Recovered",
-            },
-            "validLegacyConsumers": Array [],
           },
+          "hasAllRequested": true,
+          "username": "some-user",
         }
       `);
     });
 
-    test('authorizes user under the `alerts` consumer when they are authorized by the producer', async () => {
-      const { authorization } = mockSecurity();
-      const checkPrivileges: jest.MockedFunction<
-        ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
-      > = jest.fn();
-      authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
+    it('returns an empty map with no requested rule types', async () => {
       checkPrivileges.mockResolvedValueOnce({
         username: 'some-user',
-        hasAllRequested: false,
+        hasAllRequested: true,
         privileges: {
           kibana: [
             {
-              privilege: mockAuthorizationAction('myAppAlertType', 'myApp', 'alert', 'create'),
+              privilege: mockAuthorizationAction('rule-type-id-1', 'consumer-a', 'rule', 'get'),
               authorized: true,
             },
             {
-              privilege: mockAuthorizationAction('myAppAlertType', 'myOtherApp', 'alert', 'create'),
-              authorized: false,
+              privilege: mockAuthorizationAction('rule-type-id-1', 'consumer-a', 'rule', 'create'),
+              authorized: true,
             },
           ],
         },
       });
 
-      const alertAuthorization = new AlertingAuthorization({
+      const auth = await AlertingAuthorization.create({
         request,
-        authorization,
         ruleTypeRegistry,
+        getSpaceId,
         features,
         getSpace,
-        getSpaceId,
+        authorization: securityStart.authz,
       });
-      ruleTypeRegistry.list.mockReturnValue(setOfAlertTypes);
 
-      await expect(
-        alertAuthorization.filterByRuleTypeAuthorization(
-          new Set([myAppAlertType]),
-          [WriteOperations.Create],
-          AlertingAuthorizationEntity.Alert
-        )
-      ).resolves.toMatchInlineSnapshot(`
-        Set {
-          Object {
-            "actionGroups": Array [],
-            "actionVariables": undefined,
-            "authorizedConsumers": Object {
-              "myApp": Object {
-                "all": true,
-                "read": true,
-              },
-            },
-            "category": "test",
-            "defaultActionGroupId": "default",
-            "enabledInLicense": true,
-            "hasAlertsMappings": false,
-            "hasFieldsForAAD": false,
-            "id": "myAppAlertType",
-            "isExportable": true,
-            "minimumLicenseRequired": "basic",
-            "name": "myAppAlertType",
-            "producer": "myApp",
-            "recoveryActionGroup": Object {
-              "id": "recovered",
-              "name": "Recovered",
-            },
-            "validLegacyConsumers": Array [],
-          },
+      expect(
+        // @ts-expect-error: need to test the private method
+        await auth._getAuthorizedRuleTypesWithAuthorizedConsumers({
+          ruleTypeIds: [],
+          operations: [ReadOperations.Get, WriteOperations.Create],
+          authorizationEntity: AlertingAuthorizationEntity.Rule,
+        })
+      ).toMatchInlineSnapshot(`
+        Object {
+          "authorizedRuleTypes": Map {},
+          "hasAllRequested": true,
+          "username": "some-user",
         }
       `);
     });
 
-    test('augments a list of types with consumers under which multiple operations are authorized', async () => {
-      const { authorization } = mockSecurity();
-      const checkPrivileges: jest.MockedFunction<
-        ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
-      > = jest.fn();
-      authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
+    it('get authorized rule types with authorized consumers when some rule types are not authorized', async () => {
       checkPrivileges.mockResolvedValueOnce({
         username: 'some-user',
-        hasAllRequested: false,
+        hasAllRequested: true,
         privileges: {
           kibana: [
             {
-              privilege: mockAuthorizationAction('myOtherAppAlertType', 'myApp', 'alert', 'create'),
-              authorized: true,
-            },
-            {
-              privilege: mockAuthorizationAction(
-                'myOtherAppAlertType',
-                'myOtherApp',
-                'alert',
-                'create'
-              ),
-              authorized: false,
-            },
-            {
-              privilege: mockAuthorizationAction('myAppAlertType', 'myApp', 'alert', 'create'),
-              authorized: false,
-            },
-            {
-              privilege: mockAuthorizationAction('myAppAlertType', 'myOtherApp', 'alert', 'create'),
-              authorized: false,
-            },
-            {
-              privilege: mockAuthorizationAction('myOtherAppAlertType', 'myApp', 'alert', 'get'),
+              privilege: mockAuthorizationAction('rule-type-id-1', 'consumer-a', 'rule', 'get'),
               authorized: true,
             },
             {
-              privilege: mockAuthorizationAction(
-                'myOtherAppAlertType',
-                'myOtherApp',
-                'alert',
-                'get'
-              ),
+              privilege: mockAuthorizationAction('rule-type-id-1', 'consumer-a', 'rule', 'create'),
               authorized: true,
             },
             {
-              privilege: mockAuthorizationAction('myAppAlertType', 'myApp', 'alert', 'get'),
-              authorized: true,
+              privilege: mockAuthorizationAction('rule-type-id-2', 'consumer-b', 'rule', 'create'),
+              authorized: false,
             },
             {
-              privilege: mockAuthorizationAction('myAppAlertType', 'myOtherApp', 'alert', 'get'),
+              privilege: mockAuthorizationAction('rule-type-id-3', 'consumer-c', 'rule', 'get'),
               authorized: true,
             },
           ],
         },
       });
 
-      const alertAuthorization = new AlertingAuthorization({
+      const auth = await AlertingAuthorization.create({
         request,
-        authorization,
         ruleTypeRegistry,
+        getSpaceId,
         features,
         getSpace,
-        getSpaceId,
+        authorization: securityStart.authz,
       });
-      ruleTypeRegistry.list.mockReturnValue(setOfAlertTypes);
 
-      await expect(
-        alertAuthorization.filterByRuleTypeAuthorization(
-          new Set([myAppAlertType, myOtherAppAlertType]),
-          [WriteOperations.Create, ReadOperations.Get],
-          AlertingAuthorizationEntity.Alert
-        )
-      ).resolves.toMatchInlineSnapshot(`
-        Set {
-          Object {
-            "actionGroups": Array [],
-            "actionVariables": undefined,
-            "authorizedConsumers": Object {
-              "myApp": Object {
-                "all": true,
-                "read": true,
-              },
-              "myOtherApp": Object {
-                "all": false,
-                "read": true,
+      expect(
+        // @ts-expect-error: need to test the private method
+        await auth._getAuthorizedRuleTypesWithAuthorizedConsumers({
+          ruleTypeIds,
+          operations: [ReadOperations.Get, WriteOperations.Create],
+          authorizationEntity: AlertingAuthorizationEntity.Rule,
+        })
+      ).toMatchInlineSnapshot(`
+        Object {
+          "authorizedRuleTypes": Map {
+            "rule-type-id-1" => Object {
+              "authorizedConsumers": Object {
+                "consumer-a": Object {
+                  "all": true,
+                  "read": true,
+                },
               },
             },
-            "category": "test",
-            "defaultActionGroupId": "default",
-            "enabledInLicense": true,
-            "hasAlertsMappings": false,
-            "hasFieldsForAAD": false,
-            "id": "myOtherAppAlertType",
-            "isExportable": true,
-            "minimumLicenseRequired": "basic",
-            "name": "myOtherAppAlertType",
-            "producer": "myOtherApp",
-            "recoveryActionGroup": Object {
-              "id": "recovered",
-              "name": "Recovered",
-            },
-            "validLegacyConsumers": Array [],
-          },
-          Object {
-            "actionGroups": Array [],
-            "actionVariables": undefined,
-            "authorizedConsumers": Object {
-              "myApp": Object {
-                "all": false,
-                "read": true,
-              },
-              "myOtherApp": Object {
-                "all": false,
-                "read": true,
+            "rule-type-id-3" => Object {
+              "authorizedConsumers": Object {
+                "consumer-c": Object {
+                  "all": false,
+                  "read": true,
+                },
               },
             },
-            "category": "test",
-            "defaultActionGroupId": "default",
-            "enabledInLicense": true,
-            "hasAlertsMappings": false,
-            "hasFieldsForAAD": false,
-            "id": "myAppAlertType",
-            "isExportable": true,
-            "minimumLicenseRequired": "basic",
-            "name": "myAppAlertType",
-            "producer": "myApp",
-            "recoveryActionGroup": Object {
-              "id": "recovered",
-              "name": "Recovered",
-            },
-            "validLegacyConsumers": Array [],
           },
+          "hasAllRequested": true,
+          "username": "some-user",
         }
       `);
     });
 
-    test('omits types which have no consumers under which the operation is authorized', async () => {
-      const { authorization } = mockSecurity();
-      const checkPrivileges: jest.MockedFunction<
-        ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
-      > = jest.fn();
-      authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
+    it('get authorized rule types with authorized consumers when consumers are not valid for a rule type', async () => {
       checkPrivileges.mockResolvedValueOnce({
         username: 'some-user',
-        hasAllRequested: false,
+        hasAllRequested: true,
         privileges: {
           kibana: [
             {
-              privilege: mockAuthorizationAction('myOtherAppAlertType', 'myApp', 'alert', 'create'),
+              privilege: mockAuthorizationAction('rule-type-id-1', 'consumer-a', 'rule', 'get'),
               authorized: true,
             },
             {
-              privilege: mockAuthorizationAction(
-                'myOtherAppAlertType',
-                'myOtherApp',
-                'alert',
-                'create'
-              ),
+              privilege: mockAuthorizationAction('rule-type-id-1', 'consumer-a', 'rule', 'create'),
               authorized: true,
             },
             {
-              privilege: mockAuthorizationAction('myAppAlertType', 'myApp', 'alert', 'create'),
+              privilege: mockAuthorizationAction('rule-type-id-2', 'consumer-b', 'rule', 'create'),
               authorized: false,
             },
             {
-              privilege: mockAuthorizationAction('myAppAlertType', 'myOtherApp', 'alert', 'create'),
-              authorized: false,
+              privilege: mockAuthorizationAction('rule-type-id-3', 'consumer-d', 'rule', 'get'),
+              authorized: true,
             },
           ],
         },
       });
 
-      const alertAuthorization = new AlertingAuthorization({
+      const auth = await AlertingAuthorization.create({
         request,
-        authorization,
         ruleTypeRegistry,
+        getSpaceId,
         features,
         getSpace,
-        getSpaceId,
+        authorization: securityStart.authz,
       });
-      ruleTypeRegistry.list.mockReturnValue(setOfAlertTypes);
 
-      await expect(
-        alertAuthorization.filterByRuleTypeAuthorization(
-          new Set([myAppAlertType, myOtherAppAlertType]),
-          [WriteOperations.Create],
-          AlertingAuthorizationEntity.Alert
-        )
-      ).resolves.toMatchInlineSnapshot(`
-        Set {
-          Object {
-            "actionGroups": Array [],
-            "actionVariables": undefined,
-            "authorizedConsumers": Object {
-              "myApp": Object {
-                "all": true,
-                "read": true,
-              },
-              "myOtherApp": Object {
-                "all": true,
-                "read": true,
+      expect(
+        // @ts-expect-error: need to test the private method
+        await auth._getAuthorizedRuleTypesWithAuthorizedConsumers({
+          ruleTypeIds,
+          operations: [ReadOperations.Get, WriteOperations.Create],
+          authorizationEntity: AlertingAuthorizationEntity.Rule,
+        })
+      ).toMatchInlineSnapshot(`
+        Object {
+          "authorizedRuleTypes": Map {
+            "rule-type-id-1" => Object {
+              "authorizedConsumers": Object {
+                "consumer-a": Object {
+                  "all": true,
+                  "read": true,
+                },
               },
             },
-            "category": "test",
-            "defaultActionGroupId": "default",
-            "enabledInLicense": true,
-            "hasAlertsMappings": false,
-            "hasFieldsForAAD": false,
-            "id": "myOtherAppAlertType",
-            "isExportable": true,
-            "minimumLicenseRequired": "basic",
-            "name": "myOtherAppAlertType",
-            "producer": "myOtherApp",
-            "recoveryActionGroup": Object {
-              "id": "recovered",
-              "name": "Recovered",
-            },
-            "validLegacyConsumers": Array [],
           },
+          "hasAllRequested": true,
+          "username": "some-user",
         }
       `);
     });
-  });
 
-  describe('getAugmentedRuleTypesWithAuthorization', () => {
-    const myOtherAppAlertType: RegistryRuleType = {
-      actionGroups: [],
-      actionVariables: undefined,
-      defaultActionGroupId: 'default',
-      minimumLicenseRequired: 'basic',
-      recoveryActionGroup: RecoveredActionGroup,
-      id: 'myOtherAppAlertType',
-      name: 'myOtherAppAlertType',
-      category: 'test',
-      producer: 'alerts',
-      enabledInLicense: true,
-      isExportable: true,
-      hasAlertsMappings: false,
-      hasFieldsForAAD: false,
-      validLegacyConsumers: [],
-    };
-    const myAppAlertType: RegistryRuleType = {
-      actionGroups: [],
-      actionVariables: undefined,
-      defaultActionGroupId: 'default',
-      minimumLicenseRequired: 'basic',
-      recoveryActionGroup: RecoveredActionGroup,
-      id: 'myAppAlertType',
-      name: 'myAppAlertType',
-      category: 'test',
-      producer: 'myApp',
-      enabledInLicense: true,
-      isExportable: true,
-      hasAlertsMappings: true,
-      hasFieldsForAAD: true,
-      validLegacyConsumers: [],
-    };
-    const mySecondAppAlertType: RegistryRuleType = {
-      actionGroups: [],
-      actionVariables: undefined,
-      defaultActionGroupId: 'default',
-      minimumLicenseRequired: 'basic',
-      recoveryActionGroup: RecoveredActionGroup,
-      id: 'mySecondAppAlertType',
-      name: 'mySecondAppAlertType',
-      category: 'test',
-      producer: 'myApp',
-      enabledInLicense: true,
-      isExportable: true,
-      hasAlertsMappings: false,
-      hasFieldsForAAD: false,
-      validLegacyConsumers: [],
-    };
-    const setOfAlertTypes = new Set([myAppAlertType, myOtherAppAlertType, mySecondAppAlertType]);
-    beforeEach(() => {
-      features.getKibanaFeatures.mockReturnValue([mockFeature('myApp', ['myOtherAppAlertType'])]);
-    });
-    test('it returns authorized rule types given a set of feature ids', async () => {
-      const { authorization } = mockSecurity();
-      const checkPrivileges: jest.MockedFunction<
-        ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
-      > = jest.fn();
-      authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
+    it('filters out rule types that are not in the rule type registry but registered in the feature', async () => {
+      ruleTypeRegistry.has.mockImplementation((ruleTypeId: string) => false);
+
       checkPrivileges.mockResolvedValueOnce({
         username: 'some-user',
-        hasAllRequested: false,
+        hasAllRequested: true,
         privileges: {
           kibana: [
             {
-              privilege: mockAuthorizationAction('myOtherAppAlertType', 'myApp', 'alert', 'find'),
+              privilege: mockAuthorizationAction('rule-type-id-1', 'consumer-a', 'rule', 'get'),
               authorized: true,
             },
           ],
         },
       });
-      const alertAuthorization = new AlertingAuthorization({
+
+      const auth = await AlertingAuthorization.create({
         request,
-        authorization,
         ruleTypeRegistry,
+        getSpaceId,
         features,
         getSpace,
-        getSpaceId,
+        authorization: securityStart.authz,
       });
-      ruleTypeRegistry.list.mockReturnValue(setOfAlertTypes);
 
-      await expect(
-        alertAuthorization.getAugmentedRuleTypesWithAuthorization(
-          ['myApp'],
-          [ReadOperations.Find, ReadOperations.Get, WriteOperations.Update],
-          AlertingAuthorizationEntity.Alert
-        )
-      ).resolves.toMatchInlineSnapshot(`
+      expect(
+        // @ts-expect-error: need to test the private method
+        await auth._getAuthorizedRuleTypesWithAuthorizedConsumers({
+          ruleTypeIds: ['rule-type-id-1'],
+          operations: [ReadOperations.Get, WriteOperations.Create],
+          authorizationEntity: AlertingAuthorizationEntity.Rule,
+        })
+      ).toMatchInlineSnapshot(`
         Object {
-          "authorizedRuleTypes": Set {
-            Object {
-              "actionGroups": Array [],
-              "actionVariables": undefined,
-              "authorizedConsumers": Object {
-                "myApp": Object {
-                  "all": false,
-                  "read": true,
-                },
-              },
-              "category": "test",
-              "defaultActionGroupId": "default",
-              "enabledInLicense": true,
-              "hasAlertsMappings": false,
-              "hasFieldsForAAD": false,
-              "id": "myOtherAppAlertType",
-              "isExportable": true,
-              "minimumLicenseRequired": "basic",
-              "name": "myOtherAppAlertType",
-              "producer": "alerts",
-              "recoveryActionGroup": Object {
-                "id": "recovered",
-                "name": "Recovered",
-              },
-              "validLegacyConsumers": Array [],
-            },
-          },
-          "hasAllRequested": false,
+          "authorizedRuleTypes": Map {},
+          "hasAllRequested": true,
           "username": "some-user",
         }
       `);
     });
 
-    test('it returns all authorized if user has read, get and update alert privileges', async () => {
-      const { authorization } = mockSecurity();
-      const checkPrivileges: jest.MockedFunction<
-        ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
-      > = jest.fn();
-      authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
+    it('filters out rule types that are registered in the rule type registry but not in the feature', async () => {
+      ruleTypeRegistry.has.mockImplementation((ruleTypeId: string) => true);
+
       checkPrivileges.mockResolvedValueOnce({
         username: 'some-user',
-        hasAllRequested: false,
+        hasAllRequested: true,
         privileges: {
           kibana: [
             {
-              privilege: mockAuthorizationAction('myOtherAppAlertType', 'myApp', 'alert', 'find'),
-              authorized: true,
-            },
-            {
-              privilege: mockAuthorizationAction('myOtherAppAlertType', 'myApp', 'alert', 'get'),
-              authorized: true,
-            },
-            {
-              privilege: mockAuthorizationAction('myOtherAppAlertType', 'myApp', 'alert', 'update'),
+              privilege: mockAuthorizationAction('not-exist', 'consumer-a', 'rule', 'get'),
               authorized: true,
             },
           ],
         },
       });
-      const alertAuthorization = new AlertingAuthorization({
+
+      const auth = await AlertingAuthorization.create({
         request,
-        authorization,
         ruleTypeRegistry,
+        getSpaceId,
         features,
         getSpace,
-        getSpaceId,
+        authorization: securityStart.authz,
       });
-      ruleTypeRegistry.list.mockReturnValue(setOfAlertTypes);
 
-      await expect(
-        alertAuthorization.getAugmentedRuleTypesWithAuthorization(
-          ['myApp'],
-          [ReadOperations.Find, ReadOperations.Get, WriteOperations.Update],
-          AlertingAuthorizationEntity.Alert
-        )
-      ).resolves.toMatchInlineSnapshot(`
+      expect(
+        // @ts-expect-error: need to test the private method
+        await auth._getAuthorizedRuleTypesWithAuthorizedConsumers({
+          ruleTypeIds: ['not-exist'],
+          operations: [ReadOperations.Get, WriteOperations.Create],
+          authorizationEntity: AlertingAuthorizationEntity.Rule,
+        })
+      ).toMatchInlineSnapshot(`
         Object {
-          "authorizedRuleTypes": Set {
-            Object {
-              "actionGroups": Array [],
-              "actionVariables": undefined,
-              "authorizedConsumers": Object {
-                "myApp": Object {
-                  "all": true,
-                  "read": true,
-                },
-              },
-              "category": "test",
-              "defaultActionGroupId": "default",
-              "enabledInLicense": true,
-              "hasAlertsMappings": false,
-              "hasFieldsForAAD": false,
-              "id": "myOtherAppAlertType",
-              "isExportable": true,
-              "minimumLicenseRequired": "basic",
-              "name": "myOtherAppAlertType",
-              "producer": "alerts",
-              "recoveryActionGroup": Object {
-                "id": "recovered",
-                "name": "Recovered",
-              },
-              "validLegacyConsumers": Array [],
-            },
-          },
-          "hasAllRequested": false,
+          "authorizedRuleTypes": Map {},
+          "hasAllRequested": true,
           "username": "some-user",
         }
       `);
     });
-  });
 
-  describe('8.11+', () => {
-    let alertAuthorization: AlertingAuthorization;
-
-    const setOfRuleTypes: RegistryRuleType[] = [
-      {
-        actionGroups: [],
-        actionVariables: undefined,
-        defaultActionGroupId: 'default',
-        minimumLicenseRequired: 'basic',
-        isExportable: true,
-        recoveryActionGroup: RecoveredActionGroup,
-        id: '.esQuery',
-        name: 'ES Query',
-        category: 'management',
-        producer: 'stackAlerts',
-        enabledInLicense: true,
-        hasAlertsMappings: false,
-        hasFieldsForAAD: false,
-        validLegacyConsumers: ['discover', 'alerts'],
-      },
-      {
-        actionGroups: [],
-        actionVariables: undefined,
-        defaultActionGroupId: 'default',
-        minimumLicenseRequired: 'basic',
-        isExportable: true,
-        recoveryActionGroup: RecoveredActionGroup,
-        id: '.threshold-rule-o11y',
-        name: 'New threshold 011y',
-        category: 'observability',
-        producer: 'observability',
-        enabledInLicense: true,
-        hasAlertsMappings: false,
-        hasFieldsForAAD: false,
-        validLegacyConsumers: [],
-      },
-      {
-        actionGroups: [],
-        actionVariables: undefined,
-        defaultActionGroupId: 'default',
-        minimumLicenseRequired: 'basic',
-        isExportable: true,
-        recoveryActionGroup: RecoveredActionGroup,
-        id: '.infrastructure-threshold-o11y',
-        name: 'Metrics o11y',
-        category: 'observability',
-        producer: 'infrastructure',
-        enabledInLicense: true,
-        hasAlertsMappings: false,
-        hasFieldsForAAD: false,
-        validLegacyConsumers: ['alerts'],
-      },
-      {
-        actionGroups: [],
-        actionVariables: undefined,
-        defaultActionGroupId: 'default',
-        minimumLicenseRequired: 'basic',
-        isExportable: true,
-        recoveryActionGroup: RecoveredActionGroup,
-        id: '.logs-threshold-o11y',
-        name: 'Logs o11y',
-        category: 'observability',
-        producer: 'logs',
-        enabledInLicense: true,
-        hasAlertsMappings: false,
-        hasFieldsForAAD: false,
-        validLegacyConsumers: ['alerts'],
-      },
-    ];
+    it('call checkPrivileges with the correct actions', async () => {
+      const auth = await AlertingAuthorization.create({
+        request,
+        ruleTypeRegistry,
+        getSpaceId,
+        features,
+        getSpace,
+        authorization: securityStart.authz,
+      });
 
-    const onlyStackAlertsKibanaPrivileges = [
-      {
-        privilege: mockAuthorizationAction('.esQuery', 'stackAlerts', 'rule', 'create'),
-        authorized: true,
-      },
-      {
-        privilege: mockAuthorizationAction('.esQuery', 'stackAlerts', 'rule', 'find'),
-        authorized: true,
-      },
-    ];
-    const only011yKibanaPrivileges = [
-      {
-        privilege: mockAuthorizationAction(
-          '.infrastructure-threshold-o11y',
-          'infrastructure',
-          'rule',
-          'create'
-        ),
-        authorized: true,
-      },
-      {
-        privilege: mockAuthorizationAction(
-          '.infrastructure-threshold-o11y',
-          'infrastructure',
-          'rule',
-          'find'
-        ),
-        authorized: true,
-      },
-      {
-        privilege: mockAuthorizationAction(
-          '.threshold-rule-o11y',
-          'infrastructure',
-          'rule',
-          'create'
-        ),
-        authorized: true,
-      },
-      {
-        privilege: mockAuthorizationAction(
-          '.threshold-rule-o11y',
-          'infrastructure',
-          'rule',
-          'find'
-        ),
-        authorized: true,
-      },
-      {
-        privilege: mockAuthorizationAction('.logs-threshold-o11y', 'logs', 'rule', 'create'),
-        authorized: true,
-      },
-      {
-        privilege: mockAuthorizationAction('.logs-threshold-o11y', 'logs', 'rule', 'find'),
-        authorized: true,
-      },
-      {
-        privilege: mockAuthorizationAction('.threshold-rule-o11y', 'logs', 'rule', 'create'),
-        authorized: true,
-      },
-      {
-        privilege: mockAuthorizationAction('.threshold-rule-o11y', 'logs', 'rule', 'find'),
-        authorized: true,
-      },
-    ];
-    const onlyLogsAndStackAlertsKibanaPrivileges = [
-      {
-        privilege: mockAuthorizationAction('.esQuery', 'stackAlerts', 'rule', 'create'),
-        authorized: true,
-      },
-      {
-        privilege: mockAuthorizationAction('.esQuery', 'stackAlerts', 'rule', 'find'),
-        authorized: true,
-      },
-      {
-        privilege: mockAuthorizationAction('.logs-threshold-o11y', 'logs', 'rule', 'create'),
-        authorized: true,
-      },
-      {
-        privilege: mockAuthorizationAction('.logs-threshold-o11y', 'logs', 'rule', 'find'),
-        authorized: true,
-      },
-      {
-        privilege: mockAuthorizationAction('.threshold-rule-o11y', 'logs', 'rule', 'create'),
-        authorized: true,
-      },
-      {
-        privilege: mockAuthorizationAction('.threshold-rule-o11y', 'logs', 'rule', 'find'),
-        authorized: true,
-      },
-    ];
-
-    beforeEach(async () => {
-      ruleTypeRegistry.list.mockReturnValue(new Set(setOfRuleTypes));
-      ruleTypeRegistry.get.mockImplementation((id: string) => {
-        if (setOfRuleTypes.some((rt) => rt.id === id)) {
-          const ruleType = setOfRuleTypes.find((rt) => rt.id === id);
-          return (ruleType ?? {}) as NormalizedRuleType<{}, {}, {}, {}, {}, '', '', {}>;
-        }
-        return {} as NormalizedRuleType<{}, {}, {}, {}, {}, '', '', {}>;
+      // @ts-expect-error: need to test the private method
+      await auth._getAuthorizedRuleTypesWithAuthorizedConsumers({
+        ruleTypeIds: [...ruleTypeIds, 'rule-type-not-exist'],
+        operations: [ReadOperations.Get, WriteOperations.Create],
+        authorizationEntity: AlertingAuthorizationEntity.Rule,
       });
-    });
 
-    describe('user only access to stack alerts + discover', () => {
-      beforeEach(() => {
-        const { authorization } = mockSecurity();
-        const checkPrivileges: jest.MockedFunction<
-          ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
-        > = jest.fn();
-        authorization.mode.useRbacForRequest.mockReturnValue(true);
-
-        features.getKibanaFeatures.mockReset();
-        features.getKibanaFeatures.mockReturnValue([
-          mockFeature('stackAlerts', ['.esQuery']),
-          mockFeature('discover', []),
-        ]);
-        checkPrivileges.mockReset();
-        checkPrivileges.mockResolvedValue({
-          username: 'onlyStack',
-          hasAllRequested: true,
-          privileges: {
-            kibana: onlyStackAlertsKibanaPrivileges,
+      expect(checkPrivileges).toBeCalledTimes(1);
+      expect(checkPrivileges.mock.calls[0]).toMatchInlineSnapshot(`
+        Array [
+          Object {
+            "kibana": Array [
+              "rule-type-id-1/alerts/rule/get",
+              "rule-type-id-1/alerts/rule/create",
+              "rule-type-id-1/consumer-a/rule/get",
+              "rule-type-id-1/consumer-a/rule/create",
+              "rule-type-id-1/consumer-b/rule/get",
+              "rule-type-id-1/consumer-b/rule/create",
+              "rule-type-id-2/alerts/rule/get",
+              "rule-type-id-2/alerts/rule/create",
+              "rule-type-id-2/consumer-b/rule/get",
+              "rule-type-id-2/consumer-b/rule/create",
+              "rule-type-id-3/alerts/rule/get",
+              "rule-type-id-3/alerts/rule/create",
+              "rule-type-id-3/consumer-c/rule/get",
+              "rule-type-id-3/consumer-c/rule/create",
+              "rule-type-id-4/consumer-d/rule/get",
+              "rule-type-id-4/consumer-d/rule/create",
+            ],
           },
-        });
-        authorization.checkPrivilegesDynamicallyWithRequest.mockReset();
-        authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
-        alertAuthorization = new AlertingAuthorization({
-          request,
-          authorization,
-          ruleTypeRegistry,
-          features,
-          getSpace,
-          getSpaceId,
-        });
-      });
+        ]
+      `);
+    });
 
-      describe('ensureAuthorized', () => {
-        test('should allow to create .esquery rule type with stackAlerts consumer', async () => {
-          await expect(
-            alertAuthorization.ensureAuthorized({
-              ruleTypeId: '.esQuery',
-              consumer: 'stackAlerts',
-              operation: WriteOperations.Create,
-              entity: AlertingAuthorizationEntity.Rule,
-            })
-          ).resolves.toEqual(undefined);
+    it('call checkPrivileges with the correct actions when the rule type does not exist in the registry', async () => {
+      ruleTypeRegistry.has.mockImplementation((ruleTypeId: string) => false);
 
-          expect(ruleTypeRegistry.get).toHaveBeenCalledTimes(1);
-        });
-        test('should allow to create .esquery rule type with discover consumer', async () => {
-          await expect(
-            alertAuthorization.ensureAuthorized({
-              ruleTypeId: '.esQuery',
-              consumer: 'discover',
-              operation: WriteOperations.Create,
-              entity: AlertingAuthorizationEntity.Rule,
-            })
-          ).resolves.toEqual(undefined);
-
-          expect(ruleTypeRegistry.get).toHaveBeenCalledTimes(1);
-        });
-        test('should allow to create .esquery rule type with alerts consumer', async () => {
-          await expect(
-            alertAuthorization.ensureAuthorized({
-              ruleTypeId: '.esQuery',
-              consumer: 'alerts',
-              operation: WriteOperations.Create,
-              entity: AlertingAuthorizationEntity.Rule,
-            })
-          ).resolves.toEqual(undefined);
-
-          expect(ruleTypeRegistry.get).toHaveBeenCalledTimes(1);
-        });
-        test('should throw an error to create .esquery rule type with logs consumer', async () => {
-          await expect(
-            alertAuthorization.ensureAuthorized({
-              ruleTypeId: '.esQuery',
-              consumer: 'logs',
-              operation: WriteOperations.Create,
-              entity: AlertingAuthorizationEntity.Rule,
-            })
-          ).rejects.toThrowErrorMatchingInlineSnapshot(
-            `"Unauthorized by \\"logs\\" to create \\".esQuery\\" rule"`
-          );
-
-          expect(ruleTypeRegistry.get).toHaveBeenCalledTimes(1);
-        });
-        test('should throw an error to create .esquery rule type with infrastructure consumer', async () => {
-          await expect(
-            alertAuthorization.ensureAuthorized({
-              ruleTypeId: '.esQuery',
-              consumer: 'infrastructure',
-              operation: WriteOperations.Create,
-              entity: AlertingAuthorizationEntity.Rule,
-            })
-          ).rejects.toThrowErrorMatchingInlineSnapshot(
-            `"Unauthorized by \\"infrastructure\\" to create \\".esQuery\\" rule"`
-          );
-
-          expect(ruleTypeRegistry.get).toHaveBeenCalledTimes(1);
-        });
-        test('should throw an error to create .threshold-rule-o11y rule type with alerts consumer', async () => {
-          await expect(
-            alertAuthorization.ensureAuthorized({
-              ruleTypeId: '.threshold-rule-o11y',
-              consumer: 'alerts',
-              operation: WriteOperations.Create,
-              entity: AlertingAuthorizationEntity.Rule,
-            })
-          ).rejects.toThrowErrorMatchingInlineSnapshot(
-            `"Unauthorized by \\"alerts\\" to create \\".threshold-rule-o11y\\" rule"`
-          );
-
-          expect(ruleTypeRegistry.get).toHaveBeenCalledTimes(1);
-        });
-        test('should throw an error to create .logs-threshold-o11y rule type with alerts infrastructure', async () => {
-          await expect(
-            alertAuthorization.ensureAuthorized({
-              ruleTypeId: '.logs-threshold-o11y',
-              consumer: 'alerts',
-              operation: WriteOperations.Create,
-              entity: AlertingAuthorizationEntity.Rule,
-            })
-          ).rejects.toThrowErrorMatchingInlineSnapshot(
-            `"Unauthorized by \\"alerts\\" to create \\".logs-threshold-o11y\\" rule"`
-          );
-
-          expect(ruleTypeRegistry.get).toHaveBeenCalledTimes(1);
-        });
+      const auth = await AlertingAuthorization.create({
+        request,
+        ruleTypeRegistry,
+        getSpaceId,
+        features,
+        getSpace,
+        authorization: securityStart.authz,
       });
-      test('creates a filter based on the privileged types', async () => {
-        const filter = (
-          await alertAuthorization.getFindAuthorizationFilter(AlertingAuthorizationEntity.Rule, {
-            type: AlertingAuthorizationFilterType.KQL,
-            fieldNames: {
-              ruleTypeId: 'path.to.rule_type_id',
-              consumer: 'consumer-field',
-            },
-          })
-        ).filter;
 
-        expect(toKqlExpression(filter as KueryNode)).toMatchInlineSnapshot(
-          `"(path.to.rule_type_id: .esQuery AND (consumer-field: alerts OR consumer-field: discover OR consumer-field: stackAlerts))"`
-        );
+      // @ts-expect-error: need to test the private method
+      await auth._getAuthorizedRuleTypesWithAuthorizedConsumers({
+        ruleTypeIds: ['rule-type-id-1'],
+        operations: [ReadOperations.Get, WriteOperations.Create],
+        authorizationEntity: AlertingAuthorizationEntity.Rule,
       });
-    });
 
-    describe('user only access to o11y', () => {
-      beforeEach(() => {
-        const { authorization } = mockSecurity();
-        const checkPrivileges: jest.MockedFunction<
-          ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
-        > = jest.fn();
-        authorization.mode.useRbacForRequest.mockReturnValue(true);
-
-        features.getKibanaFeatures.mockReset();
-        features.getKibanaFeatures.mockReturnValue([
-          mockFeature('infrastructure', [
-            '.infrastructure-threshold-o11y',
-            '.threshold-rule-o11y',
-            '.esQuery',
-          ]),
-          mockFeature('logs', ['.threshold-rule-o11y', '.esQuery', '.logs-threshold-o11y']),
-        ]);
-        checkPrivileges.mockReset();
-        checkPrivileges.mockResolvedValue({
-          username: 'onlyO11y',
-          hasAllRequested: true,
-          privileges: {
-            kibana: only011yKibanaPrivileges,
+      expect(checkPrivileges).toBeCalledTimes(1);
+      expect(checkPrivileges.mock.calls[0]).toMatchInlineSnapshot(`
+        Array [
+          Object {
+            "kibana": Array [],
           },
-        });
-        authorization.checkPrivilegesDynamicallyWithRequest.mockReset();
-        authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
-        alertAuthorization = new AlertingAuthorization({
-          request,
-          authorization,
-          ruleTypeRegistry,
-          features,
-          getSpace,
-          getSpaceId,
-        });
-      });
-
-      describe('ensureAuthorized', () => {
-        test('should throw an error to create .esquery rule type with stackAlerts consumer', async () => {
-          await expect(
-            alertAuthorization.ensureAuthorized({
-              ruleTypeId: '.esQuery',
-              consumer: 'stackAlerts',
-              operation: WriteOperations.Create,
-              entity: AlertingAuthorizationEntity.Rule,
-            })
-          ).rejects.toThrowErrorMatchingInlineSnapshot(
-            `"Unauthorized by \\"stackAlerts\\" to create \\".esQuery\\" rule"`
-          );
-
-          expect(ruleTypeRegistry.get).toHaveBeenCalledTimes(1);
-        });
-        test('should throw an error to create .esquery rule type with discover consumer', async () => {
-          await expect(
-            alertAuthorization.ensureAuthorized({
-              ruleTypeId: '.esQuery',
-              consumer: 'discover',
-              operation: WriteOperations.Create,
-              entity: AlertingAuthorizationEntity.Rule,
-            })
-          ).rejects.toThrowErrorMatchingInlineSnapshot(
-            `"Unauthorized by \\"discover\\" to create \\".esQuery\\" rule"`
-          );
-
-          expect(ruleTypeRegistry.get).toHaveBeenCalledTimes(1);
-        });
-        test('should throw an error to create .threshold-rule-o11y rule type with alerts consumer', async () => {
-          await expect(
-            alertAuthorization.ensureAuthorized({
-              ruleTypeId: '.threshold-rule-o11y',
-              consumer: 'alerts',
-              operation: WriteOperations.Create,
-              entity: AlertingAuthorizationEntity.Rule,
-            })
-          ).rejects.toThrowErrorMatchingInlineSnapshot(
-            `"Unauthorized by \\"alerts\\" to create \\".threshold-rule-o11y\\" rule"`
-          );
-
-          expect(ruleTypeRegistry.get).toHaveBeenCalledTimes(1);
-        });
-        test('should allow to create .esquery rule type with logs consumer', async () => {
-          await expect(
-            alertAuthorization.ensureAuthorized({
-              ruleTypeId: '.esQuery',
-              consumer: 'logs',
-              operation: WriteOperations.Create,
-              entity: AlertingAuthorizationEntity.Rule,
-            })
-          ).resolves.toEqual(undefined);
-
-          expect(ruleTypeRegistry.get).toHaveBeenCalledTimes(1);
-        });
-        test('should allow to create .esquery rule type with logs infrastructure', async () => {
-          await expect(
-            alertAuthorization.ensureAuthorized({
-              ruleTypeId: '.esQuery',
-              consumer: 'infrastructure',
-              operation: WriteOperations.Create,
-              entity: AlertingAuthorizationEntity.Rule,
-            })
-          ).resolves.toEqual(undefined);
-
-          expect(ruleTypeRegistry.get).toHaveBeenCalledTimes(1);
-        });
-        test('should allow to create .logs-threshold-o11y rule type with alerts consumer', async () => {
-          await expect(
-            alertAuthorization.ensureAuthorized({
-              ruleTypeId: '.logs-threshold-o11y',
-              consumer: 'alerts',
-              operation: WriteOperations.Create,
-              entity: AlertingAuthorizationEntity.Rule,
-            })
-          ).resolves.toEqual(undefined);
-
-          expect(ruleTypeRegistry.get).toHaveBeenCalledTimes(1);
-        });
-        test('should throw an error to create .threshold-rule-o11y rule type with logs consumer', async () => {
-          await expect(
-            alertAuthorization.ensureAuthorized({
-              ruleTypeId: '.threshold-rule-o11y',
-              consumer: 'logs',
-              operation: WriteOperations.Create,
-              entity: AlertingAuthorizationEntity.Rule,
-            })
-          ).resolves.toEqual(undefined);
-
-          expect(ruleTypeRegistry.get).toHaveBeenCalledTimes(1);
-        });
-      });
-      test('creates a filter based on the privileged types', async () => {
-        expect(
-          (
-            await alertAuthorization.getFindAuthorizationFilter(
-              AlertingAuthorizationEntity.Rule,
-              {
-                type: AlertingAuthorizationFilterType.KQL,
-                fieldNames: {
-                  ruleTypeId: 'path.to.rule_type_id',
-                  consumer: 'consumer-field',
-                },
-              },
-              new Set(['infrastructure', 'logs'])
-            )
-          ).filter
-        ).toEqual(
-          fromKueryExpression(
-            `(path.to.rule_type_id:.infrastructure-threshold-o11y and consumer-field:(infrastructure or alerts)) or (path.to.rule_type_id:.threshold-rule-o11y and consumer-field:(infrastructure or logs)) or (path.to.rule_type_id:.logs-threshold-o11y and consumer-field:(logs or alerts))`
-          )
-        );
-      });
+        ]
+      `);
     });
 
-    describe('user only access to logs and stackAlerts', () => {
-      beforeEach(() => {
-        const { authorization } = mockSecurity();
-        const checkPrivileges: jest.MockedFunction<
-          ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
-        > = jest.fn();
-        authorization.mode.useRbacForRequest.mockReturnValue(true);
-
-        features.getKibanaFeatures.mockClear();
-        features.getKibanaFeatures.mockReturnValue([
-          mockFeature('stackAlerts', ['.esQuery']),
-          mockFeature('logs', ['.logs-threshold-o11y', '.threshold-rule-o11y', '.esQuery']),
-        ]);
-        checkPrivileges.mockClear();
-        checkPrivileges.mockResolvedValue({
-          username: 'stackAndLogs',
-          hasAllRequested: true,
-          privileges: {
-            kibana: onlyLogsAndStackAlertsKibanaPrivileges,
-          },
-        });
-        authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
-        alertAuthorization = new AlertingAuthorization({
-          request,
-          authorization,
-          ruleTypeRegistry,
-          features,
-          getSpace,
-          getSpaceId,
-        });
-      });
-
-      describe('ensureAuthorized', () => {
-        test('should allow to create .esquery rule type with stackAlerts consumer', async () => {
-          await expect(
-            alertAuthorization.ensureAuthorized({
-              ruleTypeId: '.esQuery',
-              consumer: 'stackAlerts',
-              operation: WriteOperations.Create,
-              entity: AlertingAuthorizationEntity.Rule,
-            })
-          ).resolves.toEqual(undefined);
+    it('call checkPrivileges with the correct actions when the rule type does not exist in the feature', async () => {
+      ruleTypeRegistry.has.mockImplementation((ruleTypeId: string) => true);
 
-          expect(ruleTypeRegistry.get).toHaveBeenCalledTimes(1);
-        });
-        test('should allow to create .esquery rule type with discover consumer', async () => {
-          await expect(
-            alertAuthorization.ensureAuthorized({
-              ruleTypeId: '.esQuery',
-              consumer: 'discover',
-              operation: WriteOperations.Create,
-              entity: AlertingAuthorizationEntity.Rule,
-            })
-          ).resolves.toEqual(undefined);
-
-          expect(ruleTypeRegistry.get).toHaveBeenCalledTimes(1);
-        });
-        test('should allow to create .esquery rule type with logs consumer', async () => {
-          await expect(
-            alertAuthorization.ensureAuthorized({
-              ruleTypeId: '.esQuery',
-              consumer: 'logs',
-              operation: WriteOperations.Create,
-              entity: AlertingAuthorizationEntity.Rule,
-            })
-          ).resolves.toEqual(undefined);
-
-          expect(ruleTypeRegistry.get).toHaveBeenCalledTimes(1);
-        });
-        test('should allow to create .logs-threshold-o11y rule type with alerts consumer', async () => {
-          await expect(
-            alertAuthorization.ensureAuthorized({
-              ruleTypeId: '.logs-threshold-o11y',
-              consumer: 'alerts',
-              operation: WriteOperations.Create,
-              entity: AlertingAuthorizationEntity.Rule,
-            })
-          ).resolves.toEqual(undefined);
-
-          expect(ruleTypeRegistry.get).toHaveBeenCalledTimes(1);
-        });
-        test('should throw an error to create .threshold-rule-o11y rule type with logs consumer', async () => {
-          await expect(
-            alertAuthorization.ensureAuthorized({
-              ruleTypeId: '.threshold-rule-o11y',
-              consumer: 'logs',
-              operation: WriteOperations.Create,
-              entity: AlertingAuthorizationEntity.Rule,
-            })
-          ).resolves.toEqual(undefined);
-
-          expect(ruleTypeRegistry.get).toHaveBeenCalledTimes(1);
-        });
-        test('should throw an error to create .esquery rule type with logs infrastructure', async () => {
-          await expect(
-            alertAuthorization.ensureAuthorized({
-              ruleTypeId: '.esQuery',
-              consumer: 'infrastructure',
-              operation: WriteOperations.Create,
-              entity: AlertingAuthorizationEntity.Rule,
-            })
-          ).rejects.toThrowErrorMatchingInlineSnapshot(
-            `"Unauthorized by \\"infrastructure\\" to create \\".esQuery\\" rule"`
-          );
-
-          expect(ruleTypeRegistry.get).toHaveBeenCalledTimes(1);
-        });
-        test('should throw an error to create .threshold-rule-o11y rule type with alerts consumer', async () => {
-          await expect(
-            alertAuthorization.ensureAuthorized({
-              ruleTypeId: '.threshold-rule-o11y',
-              consumer: 'alerts',
-              operation: WriteOperations.Create,
-              entity: AlertingAuthorizationEntity.Rule,
-            })
-          ).rejects.toThrowErrorMatchingInlineSnapshot(
-            `"Unauthorized by \\"alerts\\" to create \\".threshold-rule-o11y\\" rule"`
-          );
-
-          expect(ruleTypeRegistry.get).toHaveBeenCalledTimes(1);
-        });
-        test('should throw an error to create .esquery rule type with infrastructure consumer', async () => {
-          await expect(
-            alertAuthorization.ensureAuthorized({
-              ruleTypeId: '.esQuery',
-              consumer: 'infrastructure',
-              operation: WriteOperations.Create,
-              entity: AlertingAuthorizationEntity.Rule,
-            })
-          ).rejects.toThrowErrorMatchingInlineSnapshot(
-            `"Unauthorized by \\"infrastructure\\" to create \\".esQuery\\" rule"`
-          );
-
-          expect(ruleTypeRegistry.get).toHaveBeenCalledTimes(1);
-        });
+      const auth = await AlertingAuthorization.create({
+        request,
+        ruleTypeRegistry,
+        getSpaceId,
+        features,
+        getSpace,
+        authorization: securityStart.authz,
       });
 
-      test('creates a filter based on the privileged types', async () => {
-        const filter = (
-          await alertAuthorization.getFindAuthorizationFilter(AlertingAuthorizationEntity.Rule, {
-            type: AlertingAuthorizationFilterType.KQL,
-            fieldNames: {
-              ruleTypeId: 'path.to.rule_type_id',
-              consumer: 'consumer-field',
-            },
-          })
-        ).filter;
-
-        expect(toKqlExpression(filter as KueryNode)).toMatchInlineSnapshot(
-          `"((path.to.rule_type_id: .esQuery AND (consumer-field: alerts OR consumer-field: discover OR consumer-field: stackAlerts OR consumer-field: logs)) OR (path.to.rule_type_id: .logs-threshold-o11y AND (consumer-field: alerts OR consumer-field: discover OR consumer-field: stackAlerts OR consumer-field: logs)) OR (path.to.rule_type_id: .threshold-rule-o11y AND (consumer-field: alerts OR consumer-field: discover OR consumer-field: stackAlerts OR consumer-field: logs)))"`
-        );
+      // @ts-expect-error: need to test the private method
+      await auth._getAuthorizedRuleTypesWithAuthorizedConsumers({
+        ruleTypeIds: ['not-exist'],
+        operations: [ReadOperations.Get, WriteOperations.Create],
+        authorizationEntity: AlertingAuthorizationEntity.Rule,
       });
+
+      expect(checkPrivileges).toBeCalledTimes(1);
+      expect(checkPrivileges.mock.calls[0]).toMatchInlineSnapshot(`
+        Array [
+          Object {
+            "kibana": Array [],
+          },
+        ]
+      `);
     });
   });
 });
diff --git a/x-pack/plugins/alerting/server/authorization/alerting_authorization.ts b/x-pack/plugins/alerting/server/authorization/alerting_authorization.ts
index 6b24f2f5de9a4..a7e36590d2217 100644
--- a/x-pack/plugins/alerting/server/authorization/alerting_authorization.ts
+++ b/x-pack/plugins/alerting/server/authorization/alerting_authorization.ts
@@ -6,61 +6,20 @@
  */
 
 import Boom from '@hapi/boom';
-import { has, isEmpty } from 'lodash';
 import { KibanaRequest } from '@kbn/core/server';
 import { JsonObject } from '@kbn/utility-types';
 import { KueryNode } from '@kbn/es-query';
-import { SecurityPluginSetup } from '@kbn/security-plugin/server';
+import { SecurityPluginStart } from '@kbn/security-plugin/server';
 import { FeaturesPluginStart } from '@kbn/features-plugin/server';
 import { Space } from '@kbn/spaces-plugin/server';
-import { STACK_ALERTS_FEATURE_ID } from '@kbn/rule-data-utils';
 import { RegistryRuleType } from '../rule_type_registry';
-import { ALERTING_FEATURE_ID, RuleTypeRegistry } from '../types';
+import { RuleTypeRegistry } from '../types';
 import {
   asFiltersByRuleTypeAndConsumer,
   asFiltersBySpaceId,
   AlertingAuthorizationFilterOpts,
 } from './alerting_authorization_kuery';
-
-export enum AlertingAuthorizationEntity {
-  Rule = 'rule',
-  Alert = 'alert',
-}
-
-export enum ReadOperations {
-  Get = 'get',
-  GetRuleState = 'getRuleState',
-  GetAlertSummary = 'getAlertSummary',
-  GetExecutionLog = 'getExecutionLog',
-  GetActionErrorLog = 'getActionErrorLog',
-  Find = 'find',
-  GetAuthorizedAlertsIndices = 'getAuthorizedAlertsIndices',
-  GetRuleExecutionKPI = 'getRuleExecutionKPI',
-  GetBackfill = 'getBackfill',
-  FindBackfill = 'findBackfill',
-}
-
-export enum WriteOperations {
-  Create = 'create',
-  Delete = 'delete',
-  Update = 'update',
-  UpdateApiKey = 'updateApiKey',
-  Enable = 'enable',
-  Disable = 'disable',
-  MuteAll = 'muteAll',
-  UnmuteAll = 'unmuteAll',
-  MuteAlert = 'muteAlert',
-  UnmuteAlert = 'unmuteAlert',
-  Snooze = 'snooze',
-  BulkEdit = 'bulkEdit',
-  BulkDelete = 'bulkDelete',
-  BulkEnable = 'bulkEnable',
-  BulkDisable = 'bulkDisable',
-  Unsnooze = 'unsnooze',
-  RunSoon = 'runSoon',
-  ScheduleBackfill = 'scheduleBackfill',
-  DeleteBackfill = 'deleteBackfill',
-}
+import { ReadOperations, WriteOperations, AlertingAuthorizationEntity } from './types';
 
 export interface EnsureAuthorizedOpts {
   ruleTypeId: string;
@@ -74,75 +33,178 @@ interface HasPrivileges {
   read: boolean;
   all: boolean;
 }
+
 type AuthorizedConsumers = Record<string, HasPrivileges>;
 export interface RegistryAlertTypeWithAuth extends RegistryRuleType {
   authorizedConsumers: AuthorizedConsumers;
 }
 
-type IsAuthorizedAtProducerLevel = boolean;
-export interface ConstructorOptions {
+export type AuthorizedRuleTypes = Map<string, { authorizedConsumers: AuthorizedConsumers }>;
+
+export interface CreateOptions {
   ruleTypeRegistry: RuleTypeRegistry;
   request: KibanaRequest;
   features: FeaturesPluginStart;
   getSpace: (request: KibanaRequest) => Promise<Space | undefined>;
   getSpaceId: (request: KibanaRequest) => string | undefined;
-  authorization?: SecurityPluginSetup['authz'];
+  authorization?: SecurityPluginStart['authz'];
+}
+
+type ConstructorOptions = Pick<
+  CreateOptions,
+  'ruleTypeRegistry' | 'request' | 'authorization' | 'getSpaceId'
+> & {
+  allRegisteredConsumers: Set<string>;
+  ruleTypesConsumersMap: Map<string, Set<string>>;
+};
+
+interface GetAuthorizationFilterParams {
+  authorizationEntity: AlertingAuthorizationEntity;
+  filterOpts: AlertingAuthorizationFilterOpts;
+  operation: WriteOperations | ReadOperations;
 }
 
-const DISCOVER_FEATURE_ID = 'discover';
+interface GetAuthorizedRuleTypesWithAuthorizedConsumersParams {
+  ruleTypeIds?: string[];
+  operations: Array<ReadOperations | WriteOperations>;
+  authorizationEntity: AlertingAuthorizationEntity;
+}
+
+interface GetAllAuthorizedRuleTypesFindOperationParams {
+  authorizationEntity: AlertingAuthorizationEntity;
+  ruleTypeIds?: string[];
+}
+
+interface GetFindAuthorizationFilterParams {
+  authorizationEntity: AlertingAuthorizationEntity;
+  filterOpts: AlertingAuthorizationFilterOpts;
+}
+
+interface GetAuthorizedRuleTypesParams {
+  ruleTypeIds?: string[];
+  operations: Array<ReadOperations | WriteOperations>;
+  authorizationEntity: AlertingAuthorizationEntity;
+}
+
+interface GetAllAuthorizedRuleTypes {
+  operations: Array<ReadOperations | WriteOperations>;
+  authorizationEntity: AlertingAuthorizationEntity;
+}
 
 export class AlertingAuthorization {
   private readonly ruleTypeRegistry: RuleTypeRegistry;
   private readonly request: KibanaRequest;
-  private readonly authorization?: SecurityPluginSetup['authz'];
-  private readonly featuresIds: Promise<Set<string>>;
-  private readonly allPossibleConsumers: Promise<AuthorizedConsumers>;
+  private readonly authorization?: SecurityPluginStart['authz'];
+  private readonly allRegisteredConsumers: Set<string>;
+  private readonly ruleTypesConsumersMap: Map<string, Set<string>>;
   private readonly spaceId: string | undefined;
-  private readonly features: FeaturesPluginStart;
+
   constructor({
     ruleTypeRegistry,
     request,
     authorization,
-    features,
-    getSpace,
     getSpaceId,
+    allRegisteredConsumers,
+    ruleTypesConsumersMap,
   }: ConstructorOptions) {
     this.request = request;
     this.authorization = authorization;
     this.ruleTypeRegistry = ruleTypeRegistry;
-    this.features = features;
+    this.allRegisteredConsumers = allRegisteredConsumers;
+    this.ruleTypesConsumersMap = ruleTypesConsumersMap;
     this.spaceId = getSpaceId(request);
+  }
 
-    this.featuresIds = getSpace(request)
-      .then((maybeSpace) => new Set(maybeSpace?.disabledFeatures ?? []))
-      .then(
-        (disabledFeatures) =>
-          new Set(
-            features
-              .getKibanaFeatures()
-              .filter(
-                ({ id, alerting }) =>
-                  // ignore features which are disabled in the user's space
-                  !disabledFeatures.has(id) &&
-                  // ignore features which don't grant privileges to alerting
-                  (alerting?.length ?? 0 > 0)
-              )
-              .map((feature) => feature.id)
-          )
-      )
-      .catch(() => {
-        // failing to fetch the space means the user is likely not privileged in the
-        // active space at all, which means that their list of features should be empty
-        return new Set();
-      });
+  /**
+   * Creates an AlertingAuthorization object.
+   */
+  static async create({
+    request,
+    features,
+    getSpace,
+    getSpaceId,
+    authorization,
+    ruleTypeRegistry,
+  }: CreateOptions): Promise<AlertingAuthorization> {
+    const allRegisteredConsumers = new Set<string>();
+    const ruleTypesConsumersMap = new Map<string, Set<string>>();
+    let maybeSpace;
+
+    try {
+      maybeSpace = await getSpace(request);
+    } catch (error) {
+      /**
+       * Failing to fetch the space with 403 or 404 means the user is likely not privileged in the active space at all
+       * which means that `allRegisteredConsumers` and `ruleTypesConsumersMap` should be empty. By initializing the alerting authorization
+       * with empty data structures we ensure that the user will not have access to any rule types in the active space.
+       * All other errors are treated as server errors and they are surfaced to the upper level.
+       */
+      if (Boom.isBoom(error) && [403, 404].includes(error.output.statusCode)) {
+        return new AlertingAuthorization({
+          request,
+          authorization,
+          getSpaceId,
+          ruleTypeRegistry,
+          allRegisteredConsumers,
+          ruleTypesConsumersMap,
+        });
+      }
+
+      if (Boom.isBoom(error)) {
+        throw error;
+      }
 
-    this.allPossibleConsumers = this.featuresIds.then((featuresIds) => {
-      return featuresIds.size
-        ? asAuthorizedConsumers([ALERTING_FEATURE_ID, DISCOVER_FEATURE_ID, ...featuresIds], {
-            read: true,
-            all: true,
-          })
-        : {};
+      throw new Error(`Failed to create AlertingAuthorization class: ${error}`);
+    }
+
+    const disabledFeatures = new Set(maybeSpace?.disabledFeatures ?? []);
+    const featuresWithAlertingConfigured = features.getKibanaFeatures().filter(
+      ({ id, alerting }) =>
+        // ignore features which are disabled in the user's space
+        !disabledFeatures.has(id) &&
+        // ignore features which don't grant privileges to alerting
+        Boolean(alerting?.length)
+    );
+
+    /**
+     * Each feature configures a set of rule types. Each
+     * rule type configures its valid consumers. For example,
+     *
+     * { id: 'my-feature-id-1', alerting: [{ ruleTypeId: 'my-rule-type', consumers: ['consumer-a', 'consumer-b'] }] }
+     * { id: 'my-feature-id-2', alerting: [{ ruleTypeId: 'my-rule-type-2', consumers: ['consumer-a', 'consumer-d'] }] }
+     *
+     * In this loop we iterate over all features and we construct:
+     * a) a set that contains all registered consumers and
+     * b) a map that contains all valid consumers per rule type.
+     * We remove duplicates in the process. For example,
+     *
+     * allRegisteredConsumers: Set(1) { 'consumer-a', 'consumer-b', 'consumer-d' }
+     * ruleTypesConsumersMap: Map(1) {
+     *  'my-rule-type' => Set(1) { 'consumer-a', 'consumer-b' }
+     *  'my-rule-type-2' => Set(1) { 'consumer-a', 'consumer-d' }
+     * }
+     */
+    for (const feature of featuresWithAlertingConfigured) {
+      if (feature.alerting) {
+        for (const entry of feature.alerting) {
+          const consumers = ruleTypesConsumersMap.get(entry.ruleTypeId) ?? new Set();
+
+          entry.consumers.forEach((consumer) => {
+            consumers.add(consumer);
+            allRegisteredConsumers.add(consumer);
+          });
+          ruleTypesConsumersMap.set(entry.ruleTypeId, consumers);
+        }
+      }
+    }
+
+    return new AlertingAuthorization({
+      request,
+      authorization,
+      getSpaceId,
+      ruleTypeRegistry,
+      allRegisteredConsumers,
+      ruleTypesConsumersMap,
     });
   }
 
@@ -155,42 +217,30 @@ export class AlertingAuthorization {
   }
 
   /*
-   * This method exposes the private 'augmentRuleTypesWithAuthorization' to be
+   * This method exposes the private '_getAuthorizedRuleTypesWithAuthorizedConsumers' to be
    * used by the RAC/Alerts client
    */
-  public async getAugmentedRuleTypesWithAuthorization(
-    featureIds: readonly string[],
-    operations: Array<ReadOperations | WriteOperations>,
-    authorizationEntity: AlertingAuthorizationEntity
-  ): Promise<{
+  public async getAllAuthorizedRuleTypes(params: GetAllAuthorizedRuleTypes): Promise<{
     username?: string;
     hasAllRequested: boolean;
-    authorizedRuleTypes: Set<RegistryAlertTypeWithAuth>;
+    authorizedRuleTypes: AuthorizedRuleTypes;
   }> {
-    return this.augmentRuleTypesWithAuthorization(
-      this.ruleTypeRegistry.list(),
-      operations,
-      authorizationEntity,
-      new Set(featureIds)
-    );
+    return this._getAuthorizedRuleTypesWithAuthorizedConsumers({
+      operations: params.operations,
+      authorizationEntity: params.authorizationEntity,
+    });
   }
 
   public async ensureAuthorized({
     ruleTypeId,
-    consumer: legacyConsumer,
+    consumer,
     operation,
     entity,
     additionalPrivileges = [],
   }: EnsureAuthorizedOpts) {
     const { authorization } = this;
-    const ruleType = this.ruleTypeRegistry.get(ruleTypeId);
-    const consumer = getValidConsumer({
-      validLegacyConsumers: ruleType.validLegacyConsumers,
-      legacyConsumer,
-      producer: ruleType.producer,
-    });
 
-    const isAvailableConsumer = has(await this.allPossibleConsumers, consumer);
+    const isAvailableConsumer = this.allRegisteredConsumers.has(consumer);
     if (authorization && this.shouldCheckAuthorization()) {
       const checkPrivileges = authorization.checkPrivilegesDynamicallyWithRequest(this.request);
 
@@ -209,7 +259,7 @@ export class AlertingAuthorization {
          * as Privileged.
          * This check will ensure we don't accidentally let these through
          */
-        throw Boom.forbidden(getUnauthorizedMessage(ruleTypeId, legacyConsumer, operation, entity));
+        throw Boom.forbidden(getUnauthorizedMessage(ruleTypeId, consumer, operation, entity));
       }
 
       if (!hasAllRequested) {
@@ -220,274 +270,204 @@ export class AlertingAuthorization {
     }
   }
 
-  public async getFindAuthorizationFilter(
-    authorizationEntity: AlertingAuthorizationEntity,
-    filterOpts: AlertingAuthorizationFilterOpts,
-    featuresIds?: Set<string>
-  ): Promise<{
+  public async getFindAuthorizationFilter(params: GetFindAuthorizationFilterParams): Promise<{
     filter?: KueryNode | JsonObject;
     ensureRuleTypeIsAuthorized: (ruleTypeId: string, consumer: string, auth: string) => void;
   }> {
-    return this.getAuthorizationFilter(
-      authorizationEntity,
-      filterOpts,
-      ReadOperations.Find,
-      featuresIds
-    );
+    return this.getAuthorizationFilter({
+      operation: ReadOperations.Find,
+      authorizationEntity: params.authorizationEntity,
+      filterOpts: params.filterOpts,
+    });
   }
 
-  public async getAuthorizedRuleTypes(
-    authorizationEntity: AlertingAuthorizationEntity,
-    featuresIds?: Set<string>
-  ): Promise<RegistryAlertTypeWithAuth[]> {
-    const { authorizedRuleTypes } = await this.augmentRuleTypesWithAuthorization(
-      this.ruleTypeRegistry.list(),
-      [ReadOperations.Find],
-      authorizationEntity,
-      featuresIds
-    );
-    return Array.from(authorizedRuleTypes);
+  public async getAllAuthorizedRuleTypesFindOperation(
+    params: GetAllAuthorizedRuleTypesFindOperationParams
+  ): Promise<AuthorizedRuleTypes> {
+    const { authorizedRuleTypes } = await this._getAuthorizedRuleTypesWithAuthorizedConsumers({
+      ruleTypeIds: params.ruleTypeIds,
+      operations: [ReadOperations.Find],
+      authorizationEntity: params.authorizationEntity,
+    });
+
+    return authorizedRuleTypes;
   }
 
-  public async getAuthorizationFilter(
-    authorizationEntity: AlertingAuthorizationEntity,
-    filterOpts: AlertingAuthorizationFilterOpts,
-    operation: WriteOperations | ReadOperations,
-    featuresIds?: Set<string>
-  ): Promise<{
+  public async getAuthorizationFilter(params: GetAuthorizationFilterParams): Promise<{
     filter?: KueryNode | JsonObject;
     ensureRuleTypeIsAuthorized: (ruleTypeId: string, consumer: string, auth: string) => void;
   }> {
     if (this.authorization && this.shouldCheckAuthorization()) {
-      const { authorizedRuleTypes } = await this.augmentRuleTypesWithAuthorization(
-        this.ruleTypeRegistry.list(),
-        [operation],
-        authorizationEntity,
-        featuresIds
-      );
+      const { authorizedRuleTypes } = await this._getAuthorizedRuleTypesWithAuthorizedConsumers({
+        operations: [params.operation],
+        authorizationEntity: params.authorizationEntity,
+      });
 
       if (!authorizedRuleTypes.size) {
-        throw Boom.forbidden(`Unauthorized to find ${authorizationEntity}s for any rule types`);
+        throw Boom.forbidden(
+          `Unauthorized to ${params.operation} ${params.authorizationEntity}s for any rule types`
+        );
       }
 
-      const authorizedRuleTypeIdsToConsumers = new Set<string>(
-        [...authorizedRuleTypes].reduce<string[]>((ruleTypeIdConsumerPairs, ruleType) => {
-          for (const consumer of Object.keys(ruleType.authorizedConsumers)) {
-            ruleTypeIdConsumerPairs.push(`${ruleType.id}/${consumer}/${authorizationEntity}`);
-          }
-          return ruleTypeIdConsumerPairs;
-        }, [])
-      );
-
-      const authorizedEntries: Map<string, Set<string>> = new Map();
       return {
         filter: asFiltersByRuleTypeAndConsumer(
           authorizedRuleTypes,
-          filterOpts,
+          params.filterOpts,
           this.spaceId
         ) as JsonObject,
         ensureRuleTypeIsAuthorized: (ruleTypeId: string, consumer: string, authType: string) => {
-          if (!authorizedRuleTypeIdsToConsumers.has(`${ruleTypeId}/${consumer}/${authType}`)) {
+          if (!authorizedRuleTypes.has(ruleTypeId) || authType !== params.authorizationEntity) {
+            throw Boom.forbidden(
+              getUnauthorizedMessage(ruleTypeId, consumer, params.operation, authType)
+            );
+          }
+
+          const authorizedRuleType = authorizedRuleTypes.get(ruleTypeId)!;
+          const authorizedConsumers = authorizedRuleType.authorizedConsumers;
+
+          if (!authorizedConsumers[consumer]) {
             throw Boom.forbidden(
-              getUnauthorizedMessage(ruleTypeId, consumer, 'find', authorizationEntity)
+              getUnauthorizedMessage(
+                ruleTypeId,
+                consumer,
+                params.operation,
+                params.authorizationEntity
+              )
             );
-          } else {
-            if (authorizedEntries.has(ruleTypeId)) {
-              authorizedEntries.get(ruleTypeId)!.add(consumer);
-            } else {
-              authorizedEntries.set(ruleTypeId, new Set([consumer]));
-            }
           }
         },
       };
     }
 
     return {
-      filter: asFiltersBySpaceId(filterOpts, this.spaceId) as JsonObject,
+      filter: asFiltersBySpaceId(params.filterOpts, this.spaceId) as JsonObject,
       ensureRuleTypeIsAuthorized: (ruleTypeId: string, consumer: string, authType: string) => {},
     };
   }
 
-  public async filterByRuleTypeAuthorization(
-    ruleTypes: Set<RegistryRuleType>,
-    operations: Array<ReadOperations | WriteOperations>,
-    authorizationEntity: AlertingAuthorizationEntity
-  ): Promise<Set<RegistryAlertTypeWithAuth>> {
-    const { authorizedRuleTypes } = await this.augmentRuleTypesWithAuthorization(
-      ruleTypes,
-      operations,
-      authorizationEntity
-    );
+  public async getAuthorizedRuleTypes(
+    params: GetAuthorizedRuleTypesParams
+  ): Promise<AuthorizedRuleTypes> {
+    const { authorizedRuleTypes } = await this._getAuthorizedRuleTypesWithAuthorizedConsumers({
+      ruleTypeIds: params.ruleTypeIds,
+      operations: params.operations,
+      authorizationEntity: params.authorizationEntity,
+    });
+
     return authorizedRuleTypes;
   }
 
-  private async augmentRuleTypesWithAuthorization(
-    ruleTypes: Set<RegistryRuleType>,
-    operations: Array<ReadOperations | WriteOperations>,
-    authorizationEntity: AlertingAuthorizationEntity,
-    featuresIds?: Set<string>
+  private async _getAuthorizedRuleTypesWithAuthorizedConsumers(
+    params: GetAuthorizedRuleTypesWithAuthorizedConsumersParams
   ): Promise<{
     username?: string;
     hasAllRequested: boolean;
-    authorizedRuleTypes: Set<RegistryAlertTypeWithAuth>;
+    authorizedRuleTypes: Map<string, { authorizedConsumers: AuthorizedConsumers }>;
   }> {
-    const fIds = new Set(featuresIds ?? (await this.featuresIds));
+    const { operations, authorizationEntity } = params;
+    const ruleTypeIds = params.ruleTypeIds
+      ? new Set(params.ruleTypeIds)
+      : new Set(this.ruleTypeRegistry.getAllTypes());
 
-    /**
-     * Temporary hack to fix issues with the discover consumer.
-     * Issue: https://github.com/elastic/kibana/issues/184595.
-     * PR https://github.com/elastic/kibana/pull/183756 will
-     * remove the hack and fix it in a generic way.
-     *
-     * The discover consumer should be authorized
-     * as the stackAlerts consumer.
-     */
-    if (fIds.has(DISCOVER_FEATURE_ID)) {
-      fIds.delete(DISCOVER_FEATURE_ID);
-      fIds.add(STACK_ALERTS_FEATURE_ID);
-    }
+    const requiredPrivileges = new Map<
+      string,
+      { ruleTypeId: string; consumer: string; operation: ReadOperations | WriteOperations }
+    >();
 
     if (this.authorization && this.shouldCheckAuthorization()) {
+      const authorizedRuleTypes = new Map<string, { authorizedConsumers: AuthorizedConsumers }>();
+
       const checkPrivileges = this.authorization.checkPrivilegesDynamicallyWithRequest(
         this.request
       );
 
-      // add an empty `authorizedConsumers` array on each ruleType
-      const ruleTypesWithAuthorization = Array.from(
-        this.augmentWithAuthorizedConsumers(ruleTypes, {})
-      );
-      const ruleTypesAuthorized: Map<string, RegistryAlertTypeWithAuth> = new Map();
-      // map from privilege to ruleType which we can refer back to when analyzing the result
-      // of checkPrivileges
-      const privilegeToRuleType = new Map<
-        string,
-        [RegistryAlertTypeWithAuth, string, HasPrivileges, IsAuthorizedAtProducerLevel]
-      >();
-      const allPossibleConsumers = await this.allPossibleConsumers;
-      const addLegacyConsumerPrivileges = (legacyConsumer: string) =>
-        legacyConsumer === ALERTING_FEATURE_ID ||
-        legacyConsumer === DISCOVER_FEATURE_ID ||
-        isEmpty(featuresIds);
-
-      for (const feature of fIds) {
-        const featureDef = this.features
-          .getKibanaFeatures()
-          .find((kFeature) => kFeature.id === feature);
-
-        for (const ruleTypeId of featureDef?.alerting ?? []) {
-          const ruleTypeAuth = ruleTypesWithAuthorization.find((rtwa) => rtwa.id === ruleTypeId);
-          if (ruleTypeAuth) {
-            if (!ruleTypesAuthorized.has(ruleTypeId)) {
-              ruleTypesAuthorized.set(ruleTypeId, ruleTypeAuth);
-            }
-            for (const operation of operations) {
-              privilegeToRuleType.set(
-                this.authorization!.actions.alerting.get(
-                  ruleTypeId,
-                  feature,
-                  authorizationEntity,
-                  operation
-                ),
-                [
-                  ruleTypeAuth,
-                  feature,
-                  hasPrivilegeByOperation(operation),
-                  ruleTypeAuth.producer === feature,
-                ]
-              );
-              // FUTURE ENGINEER
-              // We are just trying to add back the legacy consumers associated
-              // to the rule type to get back the privileges that was given at one point
-              if (!isEmpty(ruleTypeAuth.validLegacyConsumers)) {
-                ruleTypeAuth.validLegacyConsumers.forEach((legacyConsumer) => {
-                  if (addLegacyConsumerPrivileges(legacyConsumer)) {
-                    if (!allPossibleConsumers[legacyConsumer]) {
-                      allPossibleConsumers[legacyConsumer] = {
-                        read: true,
-                        all: true,
-                      };
-                    }
-
-                    privilegeToRuleType.set(
-                      this.authorization!.actions.alerting.get(
-                        ruleTypeId,
-                        legacyConsumer,
-                        authorizationEntity,
-                        operation
-                      ),
-                      [ruleTypeAuth, legacyConsumer, hasPrivilegeByOperation(operation), false]
-                    );
-                  }
-                });
+      for (const ruleTypeId of ruleTypeIds) {
+        /**
+         * Skip if the ruleTypeId is not configured in any feature
+         * or it is not set in the rule type registry.
+         */
+        if (!this.ruleTypesConsumersMap.has(ruleTypeId) || !this.ruleTypeRegistry.has(ruleTypeId)) {
+          continue;
+        }
+
+        const ruleType = this.ruleTypeRegistry.get(ruleTypeId)!;
+        const ruleTypeConsumers = this.ruleTypesConsumersMap.get(ruleTypeId) ?? new Set();
+
+        for (const consumerToAuthorize of ruleTypeConsumers) {
+          for (const operation of operations) {
+            requiredPrivileges.set(
+              this.authorization.actions.alerting.get(
+                ruleTypeId,
+                consumerToAuthorize,
+                authorizationEntity,
+                operation
+              ),
+              {
+                ruleTypeId: ruleType.id,
+                consumer: consumerToAuthorize,
+                operation,
               }
-            }
+            );
           }
         }
       }
 
       const { username, hasAllRequested, privileges } = await checkPrivileges({
-        kibana: [...privilegeToRuleType.keys()],
+        kibana: [...requiredPrivileges.keys()],
       });
 
+      for (const { authorized, privilege } of privileges.kibana) {
+        if (authorized && requiredPrivileges.has(privilege)) {
+          const { ruleTypeId, consumer, operation } = requiredPrivileges.get(privilege)!;
+
+          const authorizedRuleType = authorizedRuleTypes.get(ruleTypeId) ?? {
+            authorizedConsumers: {},
+          };
+
+          const authorizedConsumers = authorizedRuleType.authorizedConsumers;
+          const mergedOperations = mergeHasPrivileges(
+            getPrivilegesFromOperation(operation),
+            authorizedConsumers[consumer]
+          );
+
+          authorizedRuleTypes.set(ruleTypeId, {
+            authorizedConsumers: {
+              ...authorizedConsumers,
+              [consumer]: mergedOperations,
+            },
+          });
+        }
+      }
+
       return {
         username,
         hasAllRequested,
-        authorizedRuleTypes:
-          hasAllRequested && featuresIds === undefined
-            ? // has access to all features
-              this.augmentWithAuthorizedConsumers(
-                new Set(ruleTypesAuthorized.values()),
-                allPossibleConsumers
-              )
-            : // only has some of the required privileges
-              privileges.kibana.reduce((authorizedRuleTypes, { authorized, privilege }) => {
-                if (authorized && privilegeToRuleType.has(privilege)) {
-                  const [ruleType, feature, hasPrivileges, isAuthorizedAtProducerLevel] =
-                    privilegeToRuleType.get(privilege)!;
-                  if (fIds.has(feature)) {
-                    ruleType.authorizedConsumers[feature] = mergeHasPrivileges(
-                      hasPrivileges,
-                      ruleType.authorizedConsumers[feature]
-                    );
-
-                    if (isAuthorizedAtProducerLevel) {
-                      // granting privileges under the producer automatically authorized the Rules Management UI as well
-                      ruleType.validLegacyConsumers.forEach((legacyConsumer) => {
-                        if (addLegacyConsumerPrivileges(legacyConsumer)) {
-                          ruleType.authorizedConsumers[legacyConsumer] = mergeHasPrivileges(
-                            hasPrivileges,
-                            ruleType.authorizedConsumers[legacyConsumer]
-                          );
-                        }
-                      });
-                    }
-                    authorizedRuleTypes.add(ruleType);
-                  }
-                }
-                return authorizedRuleTypes;
-              }, new Set<RegistryAlertTypeWithAuth>()),
+        authorizedRuleTypes,
       };
     } else {
       return {
         hasAllRequested: true,
-        authorizedRuleTypes: this.augmentWithAuthorizedConsumers(
-          new Set([...ruleTypes].filter((ruleType) => fIds.has(ruleType.producer))),
-          await this.allPossibleConsumers
-        ),
+        authorizedRuleTypes: this.getRegisteredRuleTypesWithAllRegisteredConsumers(ruleTypeIds),
       };
     }
   }
 
-  private augmentWithAuthorizedConsumers(
-    ruleTypes: Set<RegistryRuleType>,
-    authorizedConsumers: AuthorizedConsumers
-  ): Set<RegistryAlertTypeWithAuth> {
-    return new Set(
-      Array.from(ruleTypes).map((ruleType) => ({
-        ...ruleType,
-        authorizedConsumers: { ...authorizedConsumers },
-      }))
-    );
+  private getRegisteredRuleTypesWithAllRegisteredConsumers(ruleTypeIds: Set<string>) {
+    const authorizedRuleTypes = new Map<string, { authorizedConsumers: AuthorizedConsumers }>();
+    const authorizedConsumers = getConsumersWithPrivileges(this.allRegisteredConsumers, {
+      all: true,
+      read: true,
+    });
+
+    Array.from(this.ruleTypesConsumersMap.keys())
+      .filter((ruleTypeId) => ruleTypeIds.has(ruleTypeId))
+      .forEach((ruleTypeId) => {
+        authorizedRuleTypes.set(ruleTypeId, {
+          authorizedConsumers,
+        });
+      });
+
+    return authorizedRuleTypes;
   }
 }
 
@@ -498,7 +478,7 @@ function mergeHasPrivileges(left: HasPrivileges, right?: HasPrivileges): HasPriv
   };
 }
 
-function hasPrivilegeByOperation(operation: ReadOperations | WriteOperations): HasPrivileges {
+function getPrivilegesFromOperation(operation: ReadOperations | WriteOperations): HasPrivileges {
   const read = Object.values(ReadOperations).includes(operation as unknown as ReadOperations);
   const all = Object.values(WriteOperations).includes(operation as unknown as WriteOperations);
   return {
@@ -507,34 +487,21 @@ function hasPrivilegeByOperation(operation: ReadOperations | WriteOperations): H
   };
 }
 
-function asAuthorizedConsumers(
-  consumers: string[],
+function getConsumersWithPrivileges(
+  consumers: Set<string>,
   hasPrivileges: HasPrivileges
 ): AuthorizedConsumers {
-  return consumers.reduce<AuthorizedConsumers>((acc, feature) => {
+  return Array.from(consumers).reduce<AuthorizedConsumers>((acc, feature) => {
     acc[feature] = hasPrivileges;
     return acc;
   }, {});
 }
 
 function getUnauthorizedMessage(
-  alertTypeId: string,
+  ruleTypeId: string,
   scope: string,
   operation: string,
   entity: string
 ): string {
-  return `Unauthorized by "${scope}" to ${operation} "${alertTypeId}" ${entity}`;
+  return `Unauthorized by "${scope}" to ${operation} "${ruleTypeId}" ${entity}`;
 }
-
-export const getValidConsumer = ({
-  validLegacyConsumers,
-  legacyConsumer,
-  producer,
-}: {
-  validLegacyConsumers: string[];
-  legacyConsumer: string;
-  producer: string;
-}): string =>
-  legacyConsumer === ALERTING_FEATURE_ID || validLegacyConsumers.includes(legacyConsumer)
-    ? producer
-    : legacyConsumer;
diff --git a/x-pack/plugins/alerting/server/authorization/alerting_authorization_kuery.test.ts b/x-pack/plugins/alerting/server/authorization/alerting_authorization_kuery.test.ts
index b433a95a77734..bcc2b37dca7dd 100644
--- a/x-pack/plugins/alerting/server/authorization/alerting_authorization_kuery.test.ts
+++ b/x-pack/plugins/alerting/server/authorization/alerting_authorization_kuery.test.ts
@@ -5,364 +5,258 @@
  * 2.0.
  */
 
-import { RecoveredActionGroup } from '../../common';
 import {
   AlertingAuthorizationFilterType,
   asFiltersByRuleTypeAndConsumer,
   ensureFieldIsSafeForQuery,
   asFiltersBySpaceId,
 } from './alerting_authorization_kuery';
-import { fromKueryExpression } from '@kbn/es-query';
+import { KueryNode, toKqlExpression } from '@kbn/es-query';
 
 describe('asKqlFiltersByRuleTypeAndConsumer', () => {
   test('constructs KQL filter for single rule type with single authorized consumer', async () => {
+    const authorizedRuleTypes = new Map([
+      [
+        'myAppAlertType',
+        {
+          authorizedConsumers: {
+            myApp: { read: true, all: true },
+          },
+        },
+      ],
+    ]);
+
     expect(
-      asFiltersByRuleTypeAndConsumer(
-        new Set([
+      toKqlExpression(
+        asFiltersByRuleTypeAndConsumer(
+          authorizedRuleTypes,
           {
-            actionGroups: [],
-            defaultActionGroupId: 'default',
-            recoveryActionGroup: RecoveredActionGroup,
-            id: 'myAppAlertType',
-            name: 'myAppAlertType',
-            category: 'test',
-            producer: 'myApp',
-            minimumLicenseRequired: 'basic',
-            isExportable: true,
-            authorizedConsumers: {
-              myApp: { read: true, all: true },
+            type: AlertingAuthorizationFilterType.KQL,
+            fieldNames: {
+              ruleTypeId: 'path.to.rule_type_id',
+              consumer: 'consumer-field',
             },
-            enabledInLicense: true,
-            hasAlertsMappings: false,
-            hasFieldsForAAD: false,
-            validLegacyConsumers: [],
-          },
-        ]),
-        {
-          type: AlertingAuthorizationFilterType.KQL,
-          fieldNames: {
-            ruleTypeId: 'path.to.rule_type_id',
-            consumer: 'consumer-field',
           },
-        },
-        'space1'
+          'space1'
+        ) as KueryNode
       )
-    ).toEqual(
-      fromKueryExpression(`((path.to.rule_type_id:myAppAlertType and consumer-field:(myApp)))`)
-    );
+    ).toMatchInlineSnapshot(`"(path.to.rule_type_id: myAppAlertType AND consumer-field: myApp)"`);
   });
 
   test('constructs KQL filter for single rule type with multiple authorized consumers', async () => {
+    const authorizedRuleTypes = new Map([
+      [
+        'myAppAlertType',
+        {
+          authorizedConsumers: {
+            alerts: { read: true, all: true },
+            myApp: { read: true, all: true },
+            myOtherApp: { read: true, all: true },
+          },
+        },
+      ],
+    ]);
+
     expect(
-      asFiltersByRuleTypeAndConsumer(
-        new Set([
+      toKqlExpression(
+        asFiltersByRuleTypeAndConsumer(
+          authorizedRuleTypes,
           {
-            actionGroups: [],
-            defaultActionGroupId: 'default',
-            minimumLicenseRequired: 'basic',
-            isExportable: true,
-            recoveryActionGroup: RecoveredActionGroup,
-            id: 'myAppAlertType',
-            name: 'myAppAlertType',
-            category: 'test',
-            producer: 'myApp',
-            authorizedConsumers: {
-              alerts: { read: true, all: true },
-              myApp: { read: true, all: true },
-              myOtherApp: { read: true, all: true },
+            type: AlertingAuthorizationFilterType.KQL,
+            fieldNames: {
+              ruleTypeId: 'path.to.rule_type_id',
+              consumer: 'consumer-field',
             },
-            enabledInLicense: true,
-            hasAlertsMappings: false,
-            hasFieldsForAAD: false,
-            validLegacyConsumers: [],
           },
-        ]),
-        {
-          type: AlertingAuthorizationFilterType.KQL,
-          fieldNames: {
-            ruleTypeId: 'path.to.rule_type_id',
-            consumer: 'consumer-field',
-          },
-        },
-        'space1'
-      )
-    ).toEqual(
-      fromKueryExpression(
-        `((path.to.rule_type_id:myAppAlertType and consumer-field:(alerts or myApp or myOtherApp)))`
+          'space1'
+        ) as KueryNode
       )
+    ).toMatchInlineSnapshot(
+      `"(path.to.rule_type_id: myAppAlertType AND (consumer-field: alerts OR consumer-field: myApp OR consumer-field: myOtherApp))"`
     );
   });
 
   test('constructs KQL filter for multiple rule types across authorized consumer', async () => {
-    expect(
-      asFiltersByRuleTypeAndConsumer(
-        new Set([
-          {
-            actionGroups: [],
-            defaultActionGroupId: 'default',
-            minimumLicenseRequired: 'basic',
-            isExportable: true,
-            recoveryActionGroup: RecoveredActionGroup,
-            id: 'myAppAlertType',
-            name: 'myAppAlertType',
-            category: 'test',
-            producer: 'myApp',
-            authorizedConsumers: {
-              alerts: { read: true, all: true },
-              myApp: { read: true, all: true },
-              myOtherApp: { read: true, all: true },
-              myAppWithSubFeature: { read: true, all: true },
-            },
-            enabledInLicense: true,
-            hasAlertsMappings: false,
-            hasFieldsForAAD: false,
-            validLegacyConsumers: [],
+    const authorizedRuleTypes = new Map([
+      [
+        'myAppAlertType',
+        {
+          authorizedConsumers: {
+            alerts: { read: true, all: true },
+            myApp: { read: true, all: true },
+            myOtherApp: { read: true, all: true },
+            myAppWithSubFeature: { read: true, all: true },
           },
-          {
-            actionGroups: [],
-            defaultActionGroupId: 'default',
-            minimumLicenseRequired: 'basic',
-            isExportable: true,
-            recoveryActionGroup: RecoveredActionGroup,
-            id: 'myOtherAppAlertType',
-            name: 'myOtherAppAlertType',
-            category: 'test',
-            producer: 'alerts',
-            authorizedConsumers: {
-              alerts: { read: true, all: true },
-              myApp: { read: true, all: true },
-              myOtherApp: { read: true, all: true },
-              myAppWithSubFeature: { read: true, all: true },
-            },
-            enabledInLicense: true,
-            hasAlertsMappings: false,
-            hasFieldsForAAD: false,
-            validLegacyConsumers: [],
+        },
+      ],
+      [
+        'myOtherAppAlertType',
+        {
+          authorizedConsumers: {
+            alerts: { read: true, all: true },
+            myApp: { read: true, all: true },
+            myOtherApp: { read: true, all: true },
+            myAppWithSubFeature: { read: true, all: true },
           },
+        },
+      ],
+    ]);
+
+    expect(
+      toKqlExpression(
+        asFiltersByRuleTypeAndConsumer(
+          authorizedRuleTypes,
           {
-            actionGroups: [],
-            defaultActionGroupId: 'default',
-            minimumLicenseRequired: 'basic',
-            isExportable: true,
-            recoveryActionGroup: RecoveredActionGroup,
-            id: 'mySecondAppAlertType',
-            name: 'mySecondAppAlertType',
-            category: 'test',
-            producer: 'myApp',
-            authorizedConsumers: {
-              alerts: { read: true, all: true },
-              myApp: { read: true, all: true },
-              myOtherApp: { read: true, all: true },
-              myAppWithSubFeature: { read: true, all: true },
+            type: AlertingAuthorizationFilterType.KQL,
+            fieldNames: {
+              ruleTypeId: 'path.to.rule_type_id',
+              consumer: 'consumer-field',
             },
-            enabledInLicense: true,
-            hasAlertsMappings: false,
-            hasFieldsForAAD: false,
-            validLegacyConsumers: [],
           },
-        ]),
-        {
-          type: AlertingAuthorizationFilterType.KQL,
-          fieldNames: {
-            ruleTypeId: 'path.to.rule_type_id',
-            consumer: 'consumer-field',
-          },
-        },
-        'space1'
-      )
-    ).toEqual(
-      fromKueryExpression(
-        `((path.to.rule_type_id:myAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature)) or (path.to.rule_type_id:myOtherAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature)) or (path.to.rule_type_id:mySecondAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature)))`
+          'space1'
+        ) as KueryNode
       )
+    ).toMatchInlineSnapshot(
+      `"((path.to.rule_type_id: myAppAlertType AND (consumer-field: alerts OR consumer-field: myApp OR consumer-field: myOtherApp OR consumer-field: myAppWithSubFeature)) OR (path.to.rule_type_id: myOtherAppAlertType AND (consumer-field: alerts OR consumer-field: myApp OR consumer-field: myOtherApp OR consumer-field: myAppWithSubFeature)))"`
     );
   });
 
   test('constructs KQL filter with spaceId filter when spaceIds field path exists', async () => {
-    expect(
-      asFiltersByRuleTypeAndConsumer(
-        new Set([
-          {
-            actionGroups: [],
-            defaultActionGroupId: 'default',
-            minimumLicenseRequired: 'basic',
-            isExportable: true,
-            recoveryActionGroup: RecoveredActionGroup,
-            id: 'myAppAlertType',
-            name: 'myAppAlertType',
-            category: 'test',
-            producer: 'myApp',
-            authorizedConsumers: {
-              alerts: { read: true, all: true },
-              myApp: { read: true, all: true },
-              myOtherApp: { read: true, all: true },
-              myAppWithSubFeature: { read: true, all: true },
-            },
-            enabledInLicense: true,
-            hasAlertsMappings: false,
-            hasFieldsForAAD: false,
-            validLegacyConsumers: [],
-          },
-          {
-            actionGroups: [],
-            defaultActionGroupId: 'default',
-            minimumLicenseRequired: 'basic',
-            isExportable: true,
-            recoveryActionGroup: RecoveredActionGroup,
-            id: 'myOtherAppAlertType',
-            name: 'myOtherAppAlertType',
-            category: 'test',
-            producer: 'alerts',
-            authorizedConsumers: {
-              alerts: { read: true, all: true },
-              myApp: { read: true, all: true },
-              myOtherApp: { read: true, all: true },
-              myAppWithSubFeature: { read: true, all: true },
-            },
-            enabledInLicense: true,
-            hasAlertsMappings: false,
-            hasFieldsForAAD: false,
-            validLegacyConsumers: [],
+    const authorizedRuleTypes = new Map([
+      [
+        'myAppAlertType',
+        {
+          authorizedConsumers: {
+            alerts: { read: true, all: true },
+            myApp: { read: true, all: true },
+            myOtherApp: { read: true, all: true },
+            myAppWithSubFeature: { read: true, all: true },
           },
-        ]),
+        },
+      ],
+      [
+        'myOtherAppAlertType',
         {
-          type: AlertingAuthorizationFilterType.KQL,
-          fieldNames: {
-            ruleTypeId: 'path.to.rule_type_id',
-            consumer: 'consumer-field',
-            spaceIds: 'path.to.spaceIds',
+          authorizedConsumers: {
+            alerts: { read: true, all: true },
+            myApp: { read: true, all: true },
+            myOtherApp: { read: true, all: true },
+            myAppWithSubFeature: { read: true, all: true },
           },
         },
-        'space1'
-      )
-    ).toEqual(
-      fromKueryExpression(
-        `((path.to.rule_type_id:myAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature) and path.to.spaceIds:space1) or (path.to.rule_type_id:myOtherAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature) and path.to.spaceIds:space1))`
-      )
-    );
-  });
+      ],
+    ]);
 
-  test('constructs KQL filter without spaceId filter when spaceIds path is specified, but spaceId is undefined', async () => {
     expect(
-      asFiltersByRuleTypeAndConsumer(
-        new Set([
+      toKqlExpression(
+        asFiltersByRuleTypeAndConsumer(
+          authorizedRuleTypes,
           {
-            actionGroups: [],
-            defaultActionGroupId: 'default',
-            minimumLicenseRequired: 'basic',
-            isExportable: true,
-            recoveryActionGroup: RecoveredActionGroup,
-            id: 'myAppAlertType',
-            name: 'myAppAlertType',
-            category: 'test',
-            producer: 'myApp',
-            authorizedConsumers: {
-              alerts: { read: true, all: true },
-              myApp: { read: true, all: true },
-              myOtherApp: { read: true, all: true },
-              myAppWithSubFeature: { read: true, all: true },
+            type: AlertingAuthorizationFilterType.KQL,
+            fieldNames: {
+              ruleTypeId: 'path.to.rule_type_id',
+              consumer: 'consumer-field',
+              spaceIds: 'path.to.spaceIds',
             },
-            enabledInLicense: true,
-            hasAlertsMappings: false,
-            hasFieldsForAAD: false,
-            validLegacyConsumers: [],
           },
-          {
-            actionGroups: [],
-            defaultActionGroupId: 'default',
-            minimumLicenseRequired: 'basic',
-            isExportable: true,
-            recoveryActionGroup: RecoveredActionGroup,
-            id: 'myOtherAppAlertType',
-            name: 'myOtherAppAlertType',
-            category: 'test',
-            producer: 'alerts',
-            authorizedConsumers: {
-              alerts: { read: true, all: true },
-              myApp: { read: true, all: true },
-              myOtherApp: { read: true, all: true },
-              myAppWithSubFeature: { read: true, all: true },
-            },
-            enabledInLicense: true,
-            hasAlertsMappings: false,
-            hasFieldsForAAD: false,
-            validLegacyConsumers: [],
+          'space1'
+        ) as KueryNode
+      )
+    ).toMatchInlineSnapshot(
+      `"((path.to.rule_type_id: myAppAlertType AND (consumer-field: alerts OR consumer-field: myApp OR consumer-field: myOtherApp OR consumer-field: myAppWithSubFeature) AND path.to.spaceIds: space1) OR (path.to.rule_type_id: myOtherAppAlertType AND (consumer-field: alerts OR consumer-field: myApp OR consumer-field: myOtherApp OR consumer-field: myAppWithSubFeature) AND path.to.spaceIds: space1))"`
+    );
+  });
+
+  test('constructs KQL filter without spaceId filter when spaceIds path is specified, but spaceId is undefined', async () => {
+    const authorizedRuleTypes = new Map([
+      [
+        'myAppAlertType',
+        {
+          authorizedConsumers: {
+            alerts: { read: true, all: true },
+            myApp: { read: true, all: true },
+            myOtherApp: { read: true, all: true },
+            myAppWithSubFeature: { read: true, all: true },
           },
-        ]),
+        },
+      ],
+      [
+        'myOtherAppAlertType',
         {
-          type: AlertingAuthorizationFilterType.KQL,
-          fieldNames: {
-            ruleTypeId: 'path.to.rule_type_id',
-            consumer: 'consumer-field',
-            spaceIds: 'path.to.spaceIds',
+          authorizedConsumers: {
+            alerts: { read: true, all: true },
+            myApp: { read: true, all: true },
+            myOtherApp: { read: true, all: true },
+            myAppWithSubFeature: { read: true, all: true },
           },
         },
-        undefined
-      )
-    ).toEqual(
-      fromKueryExpression(
-        `((path.to.rule_type_id:myAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature)) or (path.to.rule_type_id:myOtherAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature)))`
+      ],
+    ]);
+
+    expect(
+      toKqlExpression(
+        asFiltersByRuleTypeAndConsumer(
+          authorizedRuleTypes,
+          {
+            type: AlertingAuthorizationFilterType.KQL,
+            fieldNames: {
+              ruleTypeId: 'path.to.rule_type_id',
+              consumer: 'consumer-field',
+              spaceIds: 'path.to.spaceIds',
+            },
+          },
+          undefined
+        ) as KueryNode
       )
+    ).toMatchInlineSnapshot(
+      `"((path.to.rule_type_id: myAppAlertType AND (consumer-field: alerts OR consumer-field: myApp OR consumer-field: myOtherApp OR consumer-field: myAppWithSubFeature)) OR (path.to.rule_type_id: myOtherAppAlertType AND (consumer-field: alerts OR consumer-field: myApp OR consumer-field: myOtherApp OR consumer-field: myAppWithSubFeature)))"`
     );
   });
 
   test('constructs KQL filter for single rule type with no authorized consumer', async () => {
-    const result = asFiltersByRuleTypeAndConsumer(
-      new Set([
+    const authorizedRuleTypes = new Map([
+      [
+        'myAppAlertType',
         {
-          actionGroups: [],
-          defaultActionGroupId: 'default',
-          recoveryActionGroup: RecoveredActionGroup,
-          id: 'myAppAlertType',
-          name: 'myAppAlertType',
-          category: 'test',
-          producer: 'myApp',
-          minimumLicenseRequired: 'basic',
-          isExportable: true,
           authorizedConsumers: {},
-          enabledInLicense: true,
-          hasAlertsMappings: false,
-          hasFieldsForAAD: false,
-          validLegacyConsumers: [],
         },
-      ]),
-      {
-        type: AlertingAuthorizationFilterType.KQL,
-        fieldNames: {
-          ruleTypeId: 'path.to.rule_type_id',
-          consumer: 'consumer-field',
+      ],
+    ]);
+
+    const result = toKqlExpression(
+      asFiltersByRuleTypeAndConsumer(
+        authorizedRuleTypes,
+        {
+          type: AlertingAuthorizationFilterType.KQL,
+          fieldNames: {
+            ruleTypeId: 'path.to.rule_type_id',
+            consumer: 'consumer-field',
+          },
         },
-      },
-      'space1'
+        'space1'
+      ) as KueryNode
     );
 
-    expect(result).toEqual(fromKueryExpression(`path.to.rule_type_id:myAppAlertType`));
+    expect(result).toMatchInlineSnapshot(`"path.to.rule_type_id: myAppAlertType"`);
   });
 });
 
 describe('asEsDslFiltersByRuleTypeAndConsumer', () => {
   test('constructs ES DSL filter for single rule type with single authorized consumer', async () => {
+    const authorizedRuleTypes = new Map([
+      [
+        'myAppAlertType',
+        {
+          authorizedConsumers: {
+            myApp: { read: true, all: true },
+          },
+        },
+      ],
+    ]);
+
     expect(
       asFiltersByRuleTypeAndConsumer(
-        new Set([
-          {
-            actionGroups: [],
-            defaultActionGroupId: 'default',
-            recoveryActionGroup: RecoveredActionGroup,
-            id: 'myAppAlertType',
-            name: 'myAppAlertType',
-            category: 'test',
-            producer: 'myApp',
-            minimumLicenseRequired: 'basic',
-            isExportable: true,
-            authorizedConsumers: {
-              myApp: { read: true, all: true },
-            },
-            enabledInLicense: true,
-            hasAlertsMappings: false,
-            hasFieldsForAAD: false,
-            validLegacyConsumers: [],
-          },
-        ]),
+        authorizedRuleTypes,
         {
           type: AlertingAuthorizationFilterType.ESDSL,
           fieldNames: {
@@ -405,30 +299,22 @@ describe('asEsDslFiltersByRuleTypeAndConsumer', () => {
   });
 
   test('constructs ES DSL filter for single rule type with multiple authorized consumers', async () => {
+    const authorizedRuleTypes = new Map([
+      [
+        'myAppAlertType',
+        {
+          authorizedConsumers: {
+            alerts: { read: true, all: true },
+            myApp: { read: true, all: true },
+            myOtherApp: { read: true, all: true },
+          },
+        },
+      ],
+    ]);
+
     expect(
       asFiltersByRuleTypeAndConsumer(
-        new Set([
-          {
-            actionGroups: [],
-            defaultActionGroupId: 'default',
-            minimumLicenseRequired: 'basic',
-            isExportable: true,
-            recoveryActionGroup: RecoveredActionGroup,
-            id: 'myAppAlertType',
-            name: 'myAppAlertType',
-            category: 'test',
-            producer: 'myApp',
-            authorizedConsumers: {
-              alerts: { read: true, all: true },
-              myApp: { read: true, all: true },
-              myOtherApp: { read: true, all: true },
-            },
-            enabledInLicense: true,
-            hasAlertsMappings: false,
-            hasFieldsForAAD: false,
-            validLegacyConsumers: [],
-          },
-        ]),
+        authorizedRuleTypes,
         {
           type: AlertingAuthorizationFilterType.ESDSL,
           fieldNames: {
@@ -478,73 +364,34 @@ describe('asEsDslFiltersByRuleTypeAndConsumer', () => {
   });
 
   test('constructs ES DSL filter for multiple rule types across authorized consumer', async () => {
-    expect(
-      asFiltersByRuleTypeAndConsumer(
-        new Set([
-          {
-            actionGroups: [],
-            defaultActionGroupId: 'default',
-            minimumLicenseRequired: 'basic',
-            isExportable: true,
-            recoveryActionGroup: RecoveredActionGroup,
-            id: 'myAppAlertType',
-            name: 'myAppAlertType',
-            category: 'test',
-            producer: 'myApp',
-            authorizedConsumers: {
-              alerts: { read: true, all: true },
-              myApp: { read: true, all: true },
-              myOtherApp: { read: true, all: true },
-              myAppWithSubFeature: { read: true, all: true },
-            },
-            enabledInLicense: true,
-            hasAlertsMappings: false,
-            hasFieldsForAAD: false,
-            validLegacyConsumers: [],
-          },
-          {
-            actionGroups: [],
-            defaultActionGroupId: 'default',
-            minimumLicenseRequired: 'basic',
-            isExportable: true,
-            recoveryActionGroup: RecoveredActionGroup,
-            id: 'myOtherAppAlertType',
-            name: 'myOtherAppAlertType',
-            category: 'test',
-            producer: 'alerts',
-            authorizedConsumers: {
-              alerts: { read: true, all: true },
-              myApp: { read: true, all: true },
-              myOtherApp: { read: true, all: true },
-              myAppWithSubFeature: { read: true, all: true },
-            },
-            enabledInLicense: true,
-            hasAlertsMappings: false,
-            hasFieldsForAAD: false,
-            validLegacyConsumers: [],
+    const authorizedRuleTypes = new Map([
+      [
+        'myAppAlertType',
+        {
+          authorizedConsumers: {
+            alerts: { read: true, all: true },
+            myApp: { read: true, all: true },
+            myOtherApp: { read: true, all: true },
+            myAppWithSubFeature: { read: true, all: true },
           },
-          {
-            actionGroups: [],
-            defaultActionGroupId: 'default',
-            minimumLicenseRequired: 'basic',
-            isExportable: true,
-            recoveryActionGroup: RecoveredActionGroup,
-            id: 'mySecondAppAlertType',
-            name: 'mySecondAppAlertType',
-            category: 'test',
-            producer: 'myApp',
-            authorizedConsumers: {
-              alerts: { read: true, all: true },
-              myApp: { read: true, all: true },
-              myOtherApp: { read: true, all: true },
-              myAppWithSubFeature: { read: true, all: true },
-            },
-            enabledInLicense: true,
-            hasAlertsMappings: false,
-            hasFieldsForAAD: false,
-            validLegacyConsumers: [],
+        },
+      ],
+      [
+        'myOtherAppAlertType',
+        {
+          authorizedConsumers: {
+            alerts: { read: true, all: true },
+            myApp: { read: true, all: true },
+            myOtherApp: { read: true, all: true },
+            myAppWithSubFeature: { read: true, all: true },
           },
-        ]),
+        },
+      ],
+    ]);
+
+    expect(
+      asFiltersByRuleTypeAndConsumer(
+        authorizedRuleTypes,
         {
           type: AlertingAuthorizationFilterType.ESDSL,
           fieldNames: {
@@ -554,164 +401,175 @@ describe('asEsDslFiltersByRuleTypeAndConsumer', () => {
         },
         'space1'
       )
-    ).toEqual({
-      bool: {
-        should: [
-          {
-            bool: {
-              filter: [
-                {
-                  bool: {
-                    should: [{ match: { 'path.to.rule_type_id': 'myAppAlertType' } }],
-                    minimum_should_match: 1,
-                  },
-                },
-                {
-                  bool: {
-                    should: [
-                      {
-                        bool: {
-                          should: [{ match: { 'consumer-field': 'alerts' } }],
-                          minimum_should_match: 1,
-                        },
-                      },
-                      {
-                        bool: {
-                          should: [{ match: { 'consumer-field': 'myApp' } }],
-                          minimum_should_match: 1,
-                        },
-                      },
-                      {
-                        bool: {
-                          should: [{ match: { 'consumer-field': 'myOtherApp' } }],
-                          minimum_should_match: 1,
-                        },
-                      },
-                      {
-                        bool: {
-                          should: [{ match: { 'consumer-field': 'myAppWithSubFeature' } }],
-                          minimum_should_match: 1,
+    ).toMatchInlineSnapshot(`
+      Object {
+        "bool": Object {
+          "minimum_should_match": 1,
+          "should": Array [
+            Object {
+              "bool": Object {
+                "filter": Array [
+                  Object {
+                    "bool": Object {
+                      "minimum_should_match": 1,
+                      "should": Array [
+                        Object {
+                          "match": Object {
+                            "path.to.rule_type_id": "myAppAlertType",
+                          },
                         },
-                      },
-                    ],
-                    minimum_should_match: 1,
-                  },
-                },
-              ],
-            },
-          },
-          {
-            bool: {
-              filter: [
-                {
-                  bool: {
-                    should: [{ match: { 'path.to.rule_type_id': 'myOtherAppAlertType' } }],
-                    minimum_should_match: 1,
+                      ],
+                    },
                   },
-                },
-                {
-                  bool: {
-                    should: [
-                      {
-                        bool: {
-                          should: [{ match: { 'consumer-field': 'alerts' } }],
-                          minimum_should_match: 1,
+                  Object {
+                    "bool": Object {
+                      "minimum_should_match": 1,
+                      "should": Array [
+                        Object {
+                          "bool": Object {
+                            "minimum_should_match": 1,
+                            "should": Array [
+                              Object {
+                                "match": Object {
+                                  "consumer-field": "alerts",
+                                },
+                              },
+                            ],
+                          },
                         },
-                      },
-                      {
-                        bool: {
-                          should: [{ match: { 'consumer-field': 'myApp' } }],
-                          minimum_should_match: 1,
+                        Object {
+                          "bool": Object {
+                            "minimum_should_match": 1,
+                            "should": Array [
+                              Object {
+                                "match": Object {
+                                  "consumer-field": "myApp",
+                                },
+                              },
+                            ],
+                          },
                         },
-                      },
-                      {
-                        bool: {
-                          should: [{ match: { 'consumer-field': 'myOtherApp' } }],
-                          minimum_should_match: 1,
+                        Object {
+                          "bool": Object {
+                            "minimum_should_match": 1,
+                            "should": Array [
+                              Object {
+                                "match": Object {
+                                  "consumer-field": "myOtherApp",
+                                },
+                              },
+                            ],
+                          },
                         },
-                      },
-                      {
-                        bool: {
-                          should: [{ match: { 'consumer-field': 'myAppWithSubFeature' } }],
-                          minimum_should_match: 1,
+                        Object {
+                          "bool": Object {
+                            "minimum_should_match": 1,
+                            "should": Array [
+                              Object {
+                                "match": Object {
+                                  "consumer-field": "myAppWithSubFeature",
+                                },
+                              },
+                            ],
+                          },
                         },
-                      },
-                    ],
-                    minimum_should_match: 1,
+                      ],
+                    },
                   },
-                },
-              ],
+                ],
+              },
             },
-          },
-          {
-            bool: {
-              filter: [
-                {
-                  bool: {
-                    should: [{ match: { 'path.to.rule_type_id': 'mySecondAppAlertType' } }],
-                    minimum_should_match: 1,
+            Object {
+              "bool": Object {
+                "filter": Array [
+                  Object {
+                    "bool": Object {
+                      "minimum_should_match": 1,
+                      "should": Array [
+                        Object {
+                          "match": Object {
+                            "path.to.rule_type_id": "myOtherAppAlertType",
+                          },
+                        },
+                      ],
+                    },
                   },
-                },
-                {
-                  bool: {
-                    should: [
-                      {
-                        bool: {
-                          should: [{ match: { 'consumer-field': 'alerts' } }],
-                          minimum_should_match: 1,
+                  Object {
+                    "bool": Object {
+                      "minimum_should_match": 1,
+                      "should": Array [
+                        Object {
+                          "bool": Object {
+                            "minimum_should_match": 1,
+                            "should": Array [
+                              Object {
+                                "match": Object {
+                                  "consumer-field": "alerts",
+                                },
+                              },
+                            ],
+                          },
                         },
-                      },
-                      {
-                        bool: {
-                          should: [{ match: { 'consumer-field': 'myApp' } }],
-                          minimum_should_match: 1,
+                        Object {
+                          "bool": Object {
+                            "minimum_should_match": 1,
+                            "should": Array [
+                              Object {
+                                "match": Object {
+                                  "consumer-field": "myApp",
+                                },
+                              },
+                            ],
+                          },
                         },
-                      },
-                      {
-                        bool: {
-                          should: [{ match: { 'consumer-field': 'myOtherApp' } }],
-                          minimum_should_match: 1,
+                        Object {
+                          "bool": Object {
+                            "minimum_should_match": 1,
+                            "should": Array [
+                              Object {
+                                "match": Object {
+                                  "consumer-field": "myOtherApp",
+                                },
+                              },
+                            ],
+                          },
                         },
-                      },
-                      {
-                        bool: {
-                          should: [{ match: { 'consumer-field': 'myAppWithSubFeature' } }],
-                          minimum_should_match: 1,
+                        Object {
+                          "bool": Object {
+                            "minimum_should_match": 1,
+                            "should": Array [
+                              Object {
+                                "match": Object {
+                                  "consumer-field": "myAppWithSubFeature",
+                                },
+                              },
+                            ],
+                          },
                         },
-                      },
-                    ],
-                    minimum_should_match: 1,
+                      ],
+                    },
                   },
-                },
-              ],
+                ],
+              },
             },
-          },
-        ],
-        minimum_should_match: 1,
-      },
-    });
+          ],
+        },
+      }
+    `);
   });
 
   test('constructs KQL filter for single rule type with no authorized consumer', async () => {
-    const result = asFiltersByRuleTypeAndConsumer(
-      new Set([
+    const authorizedRuleTypes = new Map([
+      [
+        'myAppAlertType',
         {
-          actionGroups: [],
-          defaultActionGroupId: 'default',
-          recoveryActionGroup: RecoveredActionGroup,
-          id: 'myAppAlertType',
-          name: 'myAppAlertType',
-          category: 'test',
-          producer: 'myApp',
-          minimumLicenseRequired: 'basic',
-          isExportable: true,
           authorizedConsumers: {},
-          enabledInLicense: true,
-          hasAlertsMappings: false,
-          hasFieldsForAAD: false,
-          validLegacyConsumers: [],
         },
-      ]),
+      ],
+    ]);
+
+    const result = asFiltersByRuleTypeAndConsumer(
+      authorizedRuleTypes,
       {
         type: AlertingAuthorizationFilterType.ESDSL,
         fieldNames: {
@@ -760,18 +618,20 @@ describe('asFiltersBySpaceId', () => {
 
   test('returns KQL filter of spaceId', () => {
     expect(
-      asFiltersBySpaceId(
-        {
-          type: AlertingAuthorizationFilterType.KQL,
-          fieldNames: {
-            ruleTypeId: 'path.to.rule_type_id',
-            consumer: 'consumer-field',
-            spaceIds: 'path.to.space.id',
+      toKqlExpression(
+        asFiltersBySpaceId(
+          {
+            type: AlertingAuthorizationFilterType.KQL,
+            fieldNames: {
+              ruleTypeId: 'path.to.rule_type_id',
+              consumer: 'consumer-field',
+              spaceIds: 'path.to.space.id',
+            },
           },
-        },
-        'space1'
+          'space1'
+        ) as KueryNode
       )
-    ).toEqual(fromKueryExpression('(path.to.space.id: space1)'));
+    ).toMatchInlineSnapshot(`"path.to.space.id: space1"`);
   });
 
   test('returns undefined if no path to spaceIds is provided', () => {
diff --git a/x-pack/plugins/alerting/server/authorization/alerting_authorization_kuery.ts b/x-pack/plugins/alerting/server/authorization/alerting_authorization_kuery.ts
index 01e30dfb38327..666059c7a7b47 100644
--- a/x-pack/plugins/alerting/server/authorization/alerting_authorization_kuery.ts
+++ b/x-pack/plugins/alerting/server/authorization/alerting_authorization_kuery.ts
@@ -9,7 +9,7 @@ import { remove } from 'lodash';
 import { EsQueryConfig, nodeBuilder, toElasticsearchQuery, KueryNode } from '@kbn/es-query';
 
 import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
-import { RegistryAlertTypeWithAuth } from './alerting_authorization';
+import { AuthorizedRuleTypes } from './alerting_authorization';
 
 export enum AlertingAuthorizationFilterType {
   KQL = 'kql',
@@ -35,36 +35,39 @@ const esQueryConfig: EsQueryConfig = {
 };
 
 export function asFiltersByRuleTypeAndConsumer(
-  ruleTypes: Set<RegistryAlertTypeWithAuth>,
+  ruleTypes: AuthorizedRuleTypes,
   opts: AlertingAuthorizationFilterOpts,
   spaceId: string | undefined
 ): KueryNode | estypes.QueryDslQueryContainer {
   const kueryNode = nodeBuilder.or(
-    Array.from(ruleTypes).reduce<KueryNode[]>((filters, { id, authorizedConsumers }) => {
-      ensureFieldIsSafeForQuery('ruleTypeId', id);
-
-      const andNodes: KueryNode[] = [nodeBuilder.is(opts.fieldNames.ruleTypeId, id)];
-
-      const authorizedConsumersKeys = Object.keys(authorizedConsumers);
-      if (authorizedConsumersKeys.length) {
-        andNodes.push(
-          nodeBuilder.or(
-            authorizedConsumersKeys.map((consumer) => {
-              ensureFieldIsSafeForQuery('consumer', consumer);
-              return nodeBuilder.is(opts.fieldNames.consumer, consumer);
-            })
-          )
-        );
-      }
-
-      if (opts.fieldNames.spaceIds != null && spaceId != null) {
-        andNodes.push(nodeBuilder.is(opts.fieldNames.spaceIds, spaceId));
-      }
-
-      filters.push(nodeBuilder.and(andNodes));
-
-      return filters;
-    }, [])
+    Array.from(ruleTypes.entries()).reduce<KueryNode[]>(
+      (filters, [id, { authorizedConsumers }]) => {
+        ensureFieldIsSafeForQuery('ruleTypeId', id);
+
+        const andNodes: KueryNode[] = [nodeBuilder.is(opts.fieldNames.ruleTypeId, id)];
+
+        const authorizedConsumersKeys = Object.keys(authorizedConsumers);
+        if (authorizedConsumersKeys.length) {
+          andNodes.push(
+            nodeBuilder.or(
+              authorizedConsumersKeys.map((consumer) => {
+                ensureFieldIsSafeForQuery('consumer', consumer);
+                return nodeBuilder.is(opts.fieldNames.consumer, consumer);
+              })
+            )
+          );
+        }
+
+        if (opts.fieldNames.spaceIds != null && spaceId != null) {
+          andNodes.push(nodeBuilder.is(opts.fieldNames.spaceIds, spaceId));
+        }
+
+        filters.push(nodeBuilder.and(andNodes));
+
+        return filters;
+      },
+      []
+    )
   );
 
   if (opts.type === AlertingAuthorizationFilterType.ESDSL) {
diff --git a/x-pack/plugins/alerting/server/authorization/index.ts b/x-pack/plugins/alerting/server/authorization/index.ts
index 17f0f9f22bbe1..e31dac301cbcb 100644
--- a/x-pack/plugins/alerting/server/authorization/index.ts
+++ b/x-pack/plugins/alerting/server/authorization/index.ts
@@ -7,3 +7,4 @@
 
 export * from './alerting_authorization';
 export * from './alerting_authorization_kuery';
+export * from './types';
diff --git a/x-pack/plugins/alerting/server/authorization/types.ts b/x-pack/plugins/alerting/server/authorization/types.ts
new file mode 100644
index 0000000000000..77357456c74b6
--- /dev/null
+++ b/x-pack/plugins/alerting/server/authorization/types.ts
@@ -0,0 +1,46 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export enum AlertingAuthorizationEntity {
+  Rule = 'rule',
+  Alert = 'alert',
+}
+
+export enum ReadOperations {
+  Get = 'get',
+  GetRuleState = 'getRuleState',
+  GetAlertSummary = 'getAlertSummary',
+  GetExecutionLog = 'getExecutionLog',
+  GetActionErrorLog = 'getActionErrorLog',
+  Find = 'find',
+  GetAuthorizedAlertsIndices = 'getAuthorizedAlertsIndices',
+  GetRuleExecutionKPI = 'getRuleExecutionKPI',
+  GetBackfill = 'getBackfill',
+  FindBackfill = 'findBackfill',
+}
+
+export enum WriteOperations {
+  Create = 'create',
+  Delete = 'delete',
+  Update = 'update',
+  UpdateApiKey = 'updateApiKey',
+  Enable = 'enable',
+  Disable = 'disable',
+  MuteAll = 'muteAll',
+  UnmuteAll = 'unmuteAll',
+  MuteAlert = 'muteAlert',
+  UnmuteAlert = 'unmuteAlert',
+  Snooze = 'snooze',
+  BulkEdit = 'bulkEdit',
+  BulkDelete = 'bulkDelete',
+  BulkEnable = 'bulkEnable',
+  BulkDisable = 'bulkDisable',
+  Unsnooze = 'unsnooze',
+  RunSoon = 'runSoon',
+  ScheduleBackfill = 'scheduleBackfill',
+  DeleteBackfill = 'deleteBackfill',
+}
diff --git a/x-pack/plugins/alerting/server/index.ts b/x-pack/plugins/alerting/server/index.ts
index 2f5cd3994e436..a7d5cde2e064c 100644
--- a/x-pack/plugins/alerting/server/index.ts
+++ b/x-pack/plugins/alerting/server/index.ts
@@ -37,7 +37,7 @@ export { DEFAULT_AAD_CONFIG } from './types';
 export { RULE_SAVED_OBJECT_TYPE, API_KEY_PENDING_INVALIDATION_TYPE } from './saved_objects';
 export { RuleNotifyWhen } from '../common';
 export { DEFAULT_MAX_EPHEMERAL_ACTIONS_PER_ALERT } from './config';
-export type { PluginSetupContract, PluginStartContract } from './plugin';
+export type { AlertingServerSetup, AlertingServerStart } from './plugin';
 export type { FindResult, BulkEditOperation, BulkOperationError } from './rules_client';
 export type { Rule } from './application/rule/types';
 export type { PublicAlert as Alert } from './alert';
@@ -45,12 +45,13 @@ export { parseDuration, isRuleSnoozed } from './lib';
 export { getEsErrorMessage } from './lib/errors';
 export type { AlertingRulesConfig } from './config';
 export {
-  ReadOperations,
   AlertingAuthorizationFilterType,
   AlertingAuthorization,
+  ReadOperations,
   WriteOperations,
   AlertingAuthorizationEntity,
 } from './authorization';
+
 export {
   DEFAULT_ALERTS_ILM_POLICY,
   DEFAULT_ALERTS_ILM_POLICY_NAME,
diff --git a/x-pack/plugins/alerting/server/mocks.ts b/x-pack/plugins/alerting/server/mocks.ts
index 33cbccbaf8c0c..d885cf0721b4e 100644
--- a/x-pack/plugins/alerting/server/mocks.ts
+++ b/x-pack/plugins/alerting/server/mocks.ts
@@ -14,7 +14,7 @@ import { dataViewPluginMocks } from '@kbn/data-views-plugin/public/mocks';
 import { searchSourceCommonMock } from '@kbn/data-plugin/common/search/search_source/mocks';
 import { SharePluginStart } from '@kbn/share-plugin/server';
 import { rulesClientMock } from './rules_client.mock';
-import { PluginSetupContract, PluginStartContract } from './plugin';
+import { AlertingServerSetup, AlertingServerStart } from './plugin';
 import { Alert, AlertFactoryDoneUtils } from './alert';
 import {
   AlertInstanceContext,
@@ -27,7 +27,7 @@ import { publicAlertsClientMock } from './alerts_client/alerts_client.mock';
 export { rulesClientMock };
 
 const createSetupMock = () => {
-  const mock: jest.Mocked<PluginSetupContract> = {
+  const mock: jest.Mocked<AlertingServerSetup> = {
     registerType: jest.fn(),
     getSecurityHealth: jest.fn(),
     getConfig: jest.fn(),
@@ -57,7 +57,7 @@ const createShareStartMock = () => {
 };
 
 const createStartMock = () => {
-  const mock: jest.Mocked<PluginStartContract> = {
+  const mock: jest.Mocked<AlertingServerStart> = {
     listTypes: jest.fn(),
     getType: jest.fn(),
     getAllTypes: jest.fn(),
diff --git a/x-pack/plugins/alerting/server/plugin.test.ts b/x-pack/plugins/alerting/server/plugin.test.ts
index 37175ac960412..2938daf8b1ec3 100644
--- a/x-pack/plugins/alerting/server/plugin.test.ts
+++ b/x-pack/plugins/alerting/server/plugin.test.ts
@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import { AlertingPlugin, PluginSetupContract } from './plugin';
+import { AlertingPlugin, AlertingServerSetup } from './plugin';
 import { createUsageCollectionSetupMock } from '@kbn/usage-collection-plugin/server/mocks';
 import { coreMock, statusServiceMock } from '@kbn/core/server/mocks';
 import { licensingMock } from '@kbn/licensing-plugin/server/mocks';
@@ -170,7 +170,7 @@ describe('Alerting Plugin', () => {
         });
 
         describe('registerType()', () => {
-          let setup: PluginSetupContract;
+          let setup: AlertingServerSetup;
           beforeEach(async () => {
             const context = coreMock.createPluginInitializerContext<AlertingConfig>(
               generateAlertingConfig()
@@ -209,7 +209,8 @@ describe('Alerting Plugin', () => {
               ...sampleRuleType,
               minimumLicenseRequired: 'basic',
             } as RuleType<never, never, {}, never, never, 'default', never, {}>;
-            await setup.registerType(ruleType);
+
+            setup.registerType(ruleType);
             expect(ruleType.ruleTaskTimeout).toBe('5m');
           });
 
@@ -219,7 +220,7 @@ describe('Alerting Plugin', () => {
               minimumLicenseRequired: 'basic',
               ruleTaskTimeout: '20h',
             } as RuleType<never, never, {}, never, never, 'default', never, {}>;
-            await setup.registerType(ruleType);
+            setup.registerType(ruleType);
             expect(ruleType.ruleTaskTimeout).toBe('20h');
           });
 
@@ -228,7 +229,7 @@ describe('Alerting Plugin', () => {
               ...sampleRuleType,
               minimumLicenseRequired: 'basic',
             } as RuleType<never, never, {}, never, never, 'default', never, {}>;
-            await setup.registerType(ruleType);
+            setup.registerType(ruleType);
             expect(ruleType.cancelAlertsOnRuleTimeout).toBe(true);
           });
 
@@ -238,13 +239,13 @@ describe('Alerting Plugin', () => {
               minimumLicenseRequired: 'basic',
               cancelAlertsOnRuleTimeout: false,
             } as RuleType<never, never, {}, never, never, 'default', never, {}>;
-            await setup.registerType(ruleType);
+            setup.registerType(ruleType);
             expect(ruleType.cancelAlertsOnRuleTimeout).toBe(false);
           });
         });
 
         describe('registerConnectorAdapter()', () => {
-          let setup: PluginSetupContract;
+          let setup: AlertingServerSetup;
 
           beforeEach(async () => {
             const context = coreMock.createPluginInitializerContext<AlertingConfig>(
@@ -314,9 +315,9 @@ describe('Alerting Plugin', () => {
             });
 
             expect(encryptedSavedObjectsSetup.canEncrypt).toEqual(false);
-            expect(() =>
+            await expect(() =>
               startContract.getRulesClientWithRequest({} as KibanaRequest)
-            ).toThrowErrorMatchingInlineSnapshot(
+            ).rejects.toThrowErrorMatchingInlineSnapshot(
               `"Unable to create alerts client because the Encrypted Saved Objects plugin is missing encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command."`
             );
           });
@@ -380,7 +381,8 @@ describe('Alerting Plugin', () => {
               },
               getSavedObjectsClient: jest.fn(),
             } as unknown as KibanaRequest;
-            startContract.getRulesClientWithRequest(fakeRequest);
+
+            await startContract.getRulesClientWithRequest(fakeRequest);
           });
         });
 
@@ -443,7 +445,8 @@ describe('Alerting Plugin', () => {
             },
             getSavedObjectsClient: jest.fn(),
           } as unknown as KibanaRequest;
-          startContract.getAlertingAuthorizationWithRequest(fakeRequest);
+
+          await startContract.getAlertingAuthorizationWithRequest(fakeRequest);
         });
       });
     });
diff --git a/x-pack/plugins/alerting/server/plugin.ts b/x-pack/plugins/alerting/server/plugin.ts
index 9a12b13eb164c..1d2487e368afd 100644
--- a/x-pack/plugins/alerting/server/plugin.ts
+++ b/x-pack/plugins/alerting/server/plugin.ts
@@ -133,7 +133,7 @@ export const LEGACY_EVENT_LOG_ACTIONS = {
   resolvedInstance: 'resolved-instance',
 };
 
-export interface PluginSetupContract {
+export interface AlertingServerSetup {
   registerConnectorAdapter<
     RuleActionParams extends ConnectorAdapterParams = ConnectorAdapterParams,
     ConnectorParams extends ConnectorAdapterParams = ConnectorAdapterParams
@@ -168,19 +168,15 @@ export interface PluginSetupContract {
   getDataStreamAdapter: () => DataStreamAdapter;
 }
 
-export interface PluginStartContract {
+export interface AlertingServerStart {
   listTypes: RuleTypeRegistry['list'];
-
   getAllTypes: RuleTypeRegistry['getAllTypes'];
   getType: RuleTypeRegistry['get'];
   getAlertIndicesAlias: GetAlertIndicesAlias;
-
-  getRulesClientWithRequest(request: KibanaRequest): RulesClientApi;
-
+  getRulesClientWithRequest(request: KibanaRequest): Promise<RulesClientApi>;
   getAlertingAuthorizationWithRequest(
     request: KibanaRequest
-  ): PublicMethodsOf<AlertingAuthorization>;
-
+  ): Promise<PublicMethodsOf<AlertingAuthorization>>;
   getFrameworkHealth: () => Promise<AlertsHealth>;
 }
 
@@ -260,7 +256,7 @@ export class AlertingPlugin {
   public setup(
     core: CoreSetup<AlertingPluginsStart, unknown>,
     plugins: AlertingPluginsSetup
-  ): PluginSetupContract {
+  ): AlertingServerSetup {
     this.kibanaBaseUrl = core.http.basePath.publicBaseUrl;
     this.licenseState = new LicenseState(plugins.licensing.license$);
     this.security = plugins.security;
@@ -491,7 +487,7 @@ export class AlertingPlugin {
     };
   }
 
-  public start(core: CoreStart, plugins: AlertingPluginsStart): PluginStartContract {
+  public start(core: CoreStart, plugins: AlertingPluginsStart): AlertingServerStart {
     const {
       isESOCanEncrypt,
       logger,
@@ -518,7 +514,6 @@ export class AlertingPlugin {
 
     alertingAuthorizationClientFactory.initialize({
       ruleTypeRegistry: ruleTypeRegistry!,
-      securityPluginSetup: security,
       securityPluginStart: plugins.security,
       async getSpace(request: KibanaRequest) {
         return plugins.spaces?.spacesService.getActiveSpace(request);
@@ -572,7 +567,7 @@ export class AlertingPlugin {
       uiSettings: core.uiSettings,
     });
 
-    const getRulesClientWithRequest = (request: KibanaRequest) => {
+    const getRulesClientWithRequest = async (request: KibanaRequest) => {
       if (isESOCanEncrypt !== true) {
         throw new Error(
           `Unable to create alerts client because the Encrypted Saved Objects plugin is missing encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.`
@@ -581,7 +576,7 @@ export class AlertingPlugin {
       return rulesClientFactory!.create(request, core.savedObjects);
     };
 
-    const getAlertingAuthorizationWithRequest = (request: KibanaRequest) => {
+    const getAlertingAuthorizationWithRequest = async (request: KibanaRequest) => {
       return alertingAuthorizationClientFactory!.create(request);
     };
 
@@ -633,11 +628,13 @@ export class AlertingPlugin {
     });
 
     this.eventLogService!.registerSavedObjectProvider(RULE_SAVED_OBJECT_TYPE, (request) => {
-      const client = getRulesClientWithRequest(request);
-      return (objects?: SavedObjectsBulkGetObject[]) =>
-        objects
+      return async (objects?: SavedObjectsBulkGetObject[]) => {
+        const client = await getRulesClientWithRequest(request);
+
+        return objects
           ? Promise.all(objects.map(async (objectItem) => await client.get({ id: objectItem.id })))
           : Promise.resolve([]);
+      };
     });
 
     this.eventLogService!.isEsContextReady()
diff --git a/x-pack/plugins/alerting/server/routes/_mock_handler_arguments.ts b/x-pack/plugins/alerting/server/routes/_mock_handler_arguments.ts
index b2f25d349ec7f..a24ea147d4113 100644
--- a/x-pack/plugins/alerting/server/routes/_mock_handler_arguments.ts
+++ b/x-pack/plugins/alerting/server/routes/_mock_handler_arguments.ts
@@ -59,7 +59,7 @@ export function mockHandlerArguments(
       alerting: {
         listTypes,
         getRulesClient() {
-          return rulesClient || rulesClientMock.create();
+          return Promise.resolve(rulesClient || rulesClientMock.create());
         },
         getRulesSettingsClient() {
           return rulesSettingsClient || rulesSettingsClientMock.create();
diff --git a/x-pack/plugins/alerting/server/routes/backfill/apis/delete/delete_backfill_route.ts b/x-pack/plugins/alerting/server/routes/backfill/apis/delete/delete_backfill_route.ts
index 6c343ac125188..66d90671ac1bd 100644
--- a/x-pack/plugins/alerting/server/routes/backfill/apis/delete/delete_backfill_route.ts
+++ b/x-pack/plugins/alerting/server/routes/backfill/apis/delete/delete_backfill_route.ts
@@ -29,7 +29,8 @@ export const deleteBackfillRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         const params: DeleteBackfillRequestParamsV1 = req.params;
 
         await rulesClient.deleteBackfill(params.id);
diff --git a/x-pack/plugins/alerting/server/routes/backfill/apis/find/find_backfill_route.ts b/x-pack/plugins/alerting/server/routes/backfill/apis/find/find_backfill_route.ts
index fea2925c0983b..be1ff25ef5932 100644
--- a/x-pack/plugins/alerting/server/routes/backfill/apis/find/find_backfill_route.ts
+++ b/x-pack/plugins/alerting/server/routes/backfill/apis/find/find_backfill_route.ts
@@ -34,7 +34,8 @@ export const findBackfillRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         const query: FindBackfillRequestQueryV1 = req.query;
 
         const result = await rulesClient.findBackfill(transformRequestV1(query));
diff --git a/x-pack/plugins/alerting/server/routes/backfill/apis/get/get_backfill_route.ts b/x-pack/plugins/alerting/server/routes/backfill/apis/get/get_backfill_route.ts
index bfb178d875c8b..5758bb6ba805f 100644
--- a/x-pack/plugins/alerting/server/routes/backfill/apis/get/get_backfill_route.ts
+++ b/x-pack/plugins/alerting/server/routes/backfill/apis/get/get_backfill_route.ts
@@ -31,7 +31,8 @@ export const getBackfillRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         const params: GetBackfillRequestParamsV1 = req.params;
 
         const result = await rulesClient.getBackfill(params.id);
diff --git a/x-pack/plugins/alerting/server/routes/backfill/apis/schedule/schedule_backfill_route.ts b/x-pack/plugins/alerting/server/routes/backfill/apis/schedule/schedule_backfill_route.ts
index 466c69b2b6aa5..77eb5c9355cfb 100644
--- a/x-pack/plugins/alerting/server/routes/backfill/apis/schedule/schedule_backfill_route.ts
+++ b/x-pack/plugins/alerting/server/routes/backfill/apis/schedule/schedule_backfill_route.ts
@@ -29,7 +29,8 @@ export const scheduleBackfillRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         const body: ScheduleBackfillRequestBodyV1 = req.body;
 
         const result = await rulesClient.scheduleBackfill(transformRequestV1(body));
diff --git a/x-pack/plugins/alerting/server/routes/framework/apis/health/health.test.ts b/x-pack/plugins/alerting/server/routes/framework/apis/health/health.test.ts
index f726073ed0844..83773ab8531b7 100644
--- a/x-pack/plugins/alerting/server/routes/framework/apis/health/health.test.ts
+++ b/x-pack/plugins/alerting/server/routes/framework/apis/health/health.test.ts
@@ -25,7 +25,7 @@ jest.mock('../../../../lib/license_api_access', () => ({
 
 const alerting = alertsMock.createStart();
 const currentDate = new Date().toISOString();
-const ruleTypes = [
+const ruleTypes: RegistryAlertTypeWithAuth[] = [
   {
     id: '1',
     name: 'name',
@@ -48,12 +48,11 @@ const ruleTypes = [
     category: 'test',
     producer: 'test',
     enabledInLicense: true,
-    minimumScheduleInterval: '1m',
     defaultScheduleInterval: '10m',
     hasAlertsMappings: false,
     hasFieldsForAAD: false,
     validLegacyConsumers: [],
-  } as RegistryAlertTypeWithAuth,
+  },
 ];
 
 beforeEach(() => {
@@ -76,7 +75,7 @@ beforeEach(() => {
 
 describe('healthRoute', () => {
   it('registers the route', async () => {
-    rulesClient.listRuleTypes.mockResolvedValueOnce(new Set(ruleTypes));
+    rulesClient.listRuleTypes.mockResolvedValueOnce(ruleTypes);
     const router = httpServiceMock.createRouter();
 
     const licenseState = licenseStateMock.create();
@@ -89,7 +88,7 @@ describe('healthRoute', () => {
   });
 
   it('queries the usage api', async () => {
-    rulesClient.listRuleTypes.mockResolvedValueOnce(new Set(ruleTypes));
+    rulesClient.listRuleTypes.mockResolvedValueOnce(ruleTypes);
     const router = httpServiceMock.createRouter();
 
     const licenseState = licenseStateMock.create();
@@ -113,7 +112,7 @@ describe('healthRoute', () => {
   });
 
   it('throws error when user does not have any access to any rule types', async () => {
-    rulesClient.listRuleTypes.mockResolvedValueOnce(new Set());
+    rulesClient.listRuleTypes.mockResolvedValueOnce([]);
     const router = httpServiceMock.createRouter();
 
     const licenseState = licenseStateMock.create();
@@ -139,7 +138,7 @@ describe('healthRoute', () => {
   });
 
   it('evaluates whether Encrypted Saved Objects is missing encryption key', async () => {
-    rulesClient.listRuleTypes.mockResolvedValueOnce(new Set(ruleTypes));
+    rulesClient.listRuleTypes.mockResolvedValueOnce(ruleTypes);
     const router = httpServiceMock.createRouter();
 
     const licenseState = licenseStateMock.create();
@@ -180,7 +179,7 @@ describe('healthRoute', () => {
   });
 
   test('when ES security status cannot be determined from license state, isSufficientlySecure should return false', async () => {
-    rulesClient.listRuleTypes.mockResolvedValueOnce(new Set(ruleTypes));
+    rulesClient.listRuleTypes.mockResolvedValueOnce(ruleTypes);
     const router = httpServiceMock.createRouter();
     const licenseState = licenseStateMock.create();
     const encryptedSavedObjects = encryptedSavedObjectsMock.createSetup({ canEncrypt: true });
@@ -222,7 +221,7 @@ describe('healthRoute', () => {
   });
 
   test('when ES security is disabled, isSufficientlySecure should return true', async () => {
-    rulesClient.listRuleTypes.mockResolvedValueOnce(new Set(ruleTypes));
+    rulesClient.listRuleTypes.mockResolvedValueOnce(ruleTypes);
     const router = httpServiceMock.createRouter();
     const licenseState = licenseStateMock.create();
     const encryptedSavedObjects = encryptedSavedObjectsMock.createSetup({ canEncrypt: true });
@@ -264,7 +263,7 @@ describe('healthRoute', () => {
   });
 
   test('when ES security is enabled but user cannot generate api keys, isSufficientlySecure should return false', async () => {
-    rulesClient.listRuleTypes.mockResolvedValueOnce(new Set(ruleTypes));
+    rulesClient.listRuleTypes.mockResolvedValueOnce(ruleTypes);
     const router = httpServiceMock.createRouter();
     const licenseState = licenseStateMock.create();
     const encryptedSavedObjects = encryptedSavedObjectsMock.createSetup({ canEncrypt: true });
@@ -306,7 +305,7 @@ describe('healthRoute', () => {
   });
 
   test('when ES security is enabled and user can generate api keys, isSufficientlySecure should return true', async () => {
-    rulesClient.listRuleTypes.mockResolvedValueOnce(new Set(ruleTypes));
+    rulesClient.listRuleTypes.mockResolvedValueOnce(ruleTypes);
     const router = httpServiceMock.createRouter();
     const licenseState = licenseStateMock.create();
     const encryptedSavedObjects = encryptedSavedObjectsMock.createSetup({ canEncrypt: true });
diff --git a/x-pack/plugins/alerting/server/routes/framework/apis/health/health.ts b/x-pack/plugins/alerting/server/routes/framework/apis/health/health.ts
index 34ef56a51daaa..4daf510b6a64f 100644
--- a/x-pack/plugins/alerting/server/routes/framework/apis/health/health.ts
+++ b/x-pack/plugins/alerting/server/routes/framework/apis/health/health.ts
@@ -48,8 +48,9 @@ export const healthRoute = (
       verifyAccessAndContext(licenseState, async function (context, req, res) {
         try {
           const alertingContext = await context.alerting;
+          const rulesClient = await alertingContext.getRulesClient();
           // Verify that user has access to at least one rule type
-          const ruleTypes = Array.from(await alertingContext.getRulesClient().listRuleTypes());
+          const ruleTypes = Array.from(await rulesClient.listRuleTypes());
           if (ruleTypes.length > 0) {
             const alertingFrameworkHealth = await alertingContext.getFrameworkHealth();
 
diff --git a/x-pack/plugins/alerting/server/routes/get_action_error_log.ts b/x-pack/plugins/alerting/server/routes/get_action_error_log.ts
index 5da2189c1d43d..7406d07c3fa24 100644
--- a/x-pack/plugins/alerting/server/routes/get_action_error_log.ts
+++ b/x-pack/plugins/alerting/server/routes/get_action_error_log.ts
@@ -69,7 +69,8 @@ export const getActionErrorLogRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         const { id } = req.params;
         const withAuth = req.query.with_auth;
         const rewrittenReq = rewriteReq({ id, ...req.query });
diff --git a/x-pack/plugins/alerting/server/routes/get_global_execution_kpi.ts b/x-pack/plugins/alerting/server/routes/get_global_execution_kpi.ts
index 795b473dc8c66..48ea073369d2b 100644
--- a/x-pack/plugins/alerting/server/routes/get_global_execution_kpi.ts
+++ b/x-pack/plugins/alerting/server/routes/get_global_execution_kpi.ts
@@ -46,7 +46,8 @@ export const getGlobalExecutionKPIRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         return res.ok({
           body: await rulesClient.getGlobalExecutionKpiWithAuth(rewriteReq(req.query)),
         });
diff --git a/x-pack/plugins/alerting/server/routes/get_global_execution_logs.ts b/x-pack/plugins/alerting/server/routes/get_global_execution_logs.ts
index 9c9e09e81bd45..13ea133e21a82 100644
--- a/x-pack/plugins/alerting/server/routes/get_global_execution_logs.ts
+++ b/x-pack/plugins/alerting/server/routes/get_global_execution_logs.ts
@@ -71,7 +71,8 @@ export const getGlobalExecutionLogRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         return res.ok({
           body: await rulesClient.getGlobalExecutionLogWithAuth(rewriteReq(req.query)),
         });
diff --git a/x-pack/plugins/alerting/server/routes/get_rule_alert_summary.ts b/x-pack/plugins/alerting/server/routes/get_rule_alert_summary.ts
index 7eaf5d4645ecb..937db706199e2 100644
--- a/x-pack/plugins/alerting/server/routes/get_rule_alert_summary.ts
+++ b/x-pack/plugins/alerting/server/routes/get_rule_alert_summary.ts
@@ -75,7 +75,8 @@ export const getRuleAlertSummaryRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         const { id } = req.params;
         const summary = await rulesClient.getAlertSummary(rewriteReq({ id, ...req.query }));
         return res.ok({ body: rewriteBodyRes(summary) });
diff --git a/x-pack/plugins/alerting/server/routes/get_rule_execution_kpi.ts b/x-pack/plugins/alerting/server/routes/get_rule_execution_kpi.ts
index af15520d3c32f..302ac0293a444 100644
--- a/x-pack/plugins/alerting/server/routes/get_rule_execution_kpi.ts
+++ b/x-pack/plugins/alerting/server/routes/get_rule_execution_kpi.ts
@@ -48,7 +48,8 @@ export const getRuleExecutionKPIRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         const { id } = req.params;
         return res.ok({
           body: await rulesClient.getRuleExecutionKPI(rewriteReq({ id, ...req.query })),
diff --git a/x-pack/plugins/alerting/server/routes/get_rule_execution_log.ts b/x-pack/plugins/alerting/server/routes/get_rule_execution_log.ts
index 619bc82bd6378..4eccefd171f0e 100644
--- a/x-pack/plugins/alerting/server/routes/get_rule_execution_log.ts
+++ b/x-pack/plugins/alerting/server/routes/get_rule_execution_log.ts
@@ -73,7 +73,8 @@ export const getRuleExecutionLogRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         const { id } = req.params;
         return res.ok({
           body: await rulesClient.getExecutionLogForRule(rewriteReq({ id, ...req.query })),
diff --git a/x-pack/plugins/alerting/server/routes/get_rule_state.ts b/x-pack/plugins/alerting/server/routes/get_rule_state.ts
index 7530f1d4964cd..1a2b17b8f6747 100644
--- a/x-pack/plugins/alerting/server/routes/get_rule_state.ts
+++ b/x-pack/plugins/alerting/server/routes/get_rule_state.ts
@@ -47,7 +47,8 @@ export const getRuleStateRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         const { id } = req.params;
         const state = await rulesClient.getAlertState({ id });
         return state ? res.ok({ body: rewriteBodyRes(state) }) : res.noContent();
diff --git a/x-pack/plugins/alerting/server/routes/legacy/create.ts b/x-pack/plugins/alerting/server/routes/legacy/create.ts
index 10c0fd2941068..8346ec37edf9c 100644
--- a/x-pack/plugins/alerting/server/routes/legacy/create.ts
+++ b/x-pack/plugins/alerting/server/routes/legacy/create.ts
@@ -84,7 +84,9 @@ export const createAlertRoute = ({
         if (!context.alerting) {
           return res.badRequest({ body: 'RouteHandlerContext is not registered for alerting' });
         }
-        const rulesClient = (await context.alerting).getRulesClient();
+
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         const alert = req.body;
         const params = req.params;
         const notifyWhen = alert?.notifyWhen ? (alert.notifyWhen as RuleNotifyWhenType) : null;
diff --git a/x-pack/plugins/alerting/server/routes/legacy/delete.ts b/x-pack/plugins/alerting/server/routes/legacy/delete.ts
index a3ceb1ebccbba..738633c61f745 100644
--- a/x-pack/plugins/alerting/server/routes/legacy/delete.ts
+++ b/x-pack/plugins/alerting/server/routes/legacy/delete.ts
@@ -52,7 +52,8 @@ export const deleteAlertRoute = (
         return res.badRequest({ body: 'RouteHandlerContext is not registered for alerting' });
       }
       trackLegacyRouteUsage('delete', usageCounter);
-      const rulesClient = (await context.alerting).getRulesClient();
+      const alertingContext = await context.alerting;
+      const rulesClient = await alertingContext.getRulesClient();
       const { id } = req.params;
       await rulesClient.delete({ id });
       return res.noContent();
diff --git a/x-pack/plugins/alerting/server/routes/legacy/disable.ts b/x-pack/plugins/alerting/server/routes/legacy/disable.ts
index 1d2293b698e42..e69a176776e0c 100644
--- a/x-pack/plugins/alerting/server/routes/legacy/disable.ts
+++ b/x-pack/plugins/alerting/server/routes/legacy/disable.ts
@@ -53,7 +53,8 @@ export const disableAlertRoute = (
         return res.badRequest({ body: 'RouteHandlerContext is not registered for alerting' });
       }
       trackLegacyRouteUsage('disable', usageCounter);
-      const rulesClient = (await context.alerting).getRulesClient();
+      const alertingContext = await context.alerting;
+      const rulesClient = await alertingContext.getRulesClient();
       const { id } = req.params;
       try {
         await rulesClient.disableRule({ id });
diff --git a/x-pack/plugins/alerting/server/routes/legacy/enable.ts b/x-pack/plugins/alerting/server/routes/legacy/enable.ts
index 8f680a23f89eb..289b4050e059b 100644
--- a/x-pack/plugins/alerting/server/routes/legacy/enable.ts
+++ b/x-pack/plugins/alerting/server/routes/legacy/enable.ts
@@ -55,7 +55,8 @@ export const enableAlertRoute = (
           return res.badRequest({ body: 'RouteHandlerContext is not registered for alerting' });
         }
         trackLegacyRouteUsage('enable', usageCounter);
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         const { id } = req.params;
         try {
           await rulesClient.enableRule({ id });
diff --git a/x-pack/plugins/alerting/server/routes/legacy/find.ts b/x-pack/plugins/alerting/server/routes/legacy/find.ts
index ef4f8a45bcc0f..de1e5f8c226a1 100644
--- a/x-pack/plugins/alerting/server/routes/legacy/find.ts
+++ b/x-pack/plugins/alerting/server/routes/legacy/find.ts
@@ -104,7 +104,8 @@ export const findAlertRoute = (
         ) as string[],
         usageCounter
       );
-      const rulesClient = (await context.alerting).getRulesClient();
+      const alertingContext = await context.alerting;
+      const rulesClient = await alertingContext.getRulesClient();
 
       const query = req.query;
       const renameMap = {
diff --git a/x-pack/plugins/alerting/server/routes/legacy/get.ts b/x-pack/plugins/alerting/server/routes/legacy/get.ts
index 08ecd410adc1f..19fc0f7ff49e6 100644
--- a/x-pack/plugins/alerting/server/routes/legacy/get.ts
+++ b/x-pack/plugins/alerting/server/routes/legacy/get.ts
@@ -52,7 +52,8 @@ export const getAlertRoute = (
         return res.badRequest({ body: 'RouteHandlerContext is not registered for alerting' });
       }
       trackLegacyRouteUsage('get', usageCounter);
-      const rulesClient = (await context.alerting).getRulesClient();
+      const alertingContext = await context.alerting;
+      const rulesClient = await alertingContext.getRulesClient();
       const { id } = req.params;
       const { systemActions, ...rule } = await rulesClient.get({ id, excludeFromPublicApi: true });
       return res.ok({
diff --git a/x-pack/plugins/alerting/server/routes/legacy/get_alert_instance_summary.ts b/x-pack/plugins/alerting/server/routes/legacy/get_alert_instance_summary.ts
index 58ab6a5446756..0e50601a1fd4d 100644
--- a/x-pack/plugins/alerting/server/routes/legacy/get_alert_instance_summary.ts
+++ b/x-pack/plugins/alerting/server/routes/legacy/get_alert_instance_summary.ts
@@ -61,7 +61,8 @@ export const getAlertInstanceSummaryRoute = (
         return res.badRequest({ body: 'RouteHandlerContext is not registered for alerting' });
       }
       trackLegacyRouteUsage('instanceSummary', usageCounter);
-      const rulesClient = (await context.alerting).getRulesClient();
+      const alertingContext = await context.alerting;
+      const rulesClient = await alertingContext.getRulesClient();
       const { id } = req.params;
       const { dateStart } = req.query;
       const summary = await rulesClient.getAlertSummary({ id, dateStart });
diff --git a/x-pack/plugins/alerting/server/routes/legacy/get_alert_state.ts b/x-pack/plugins/alerting/server/routes/legacy/get_alert_state.ts
index ad3d9591c92c4..f9db44c1e9a0c 100644
--- a/x-pack/plugins/alerting/server/routes/legacy/get_alert_state.ts
+++ b/x-pack/plugins/alerting/server/routes/legacy/get_alert_state.ts
@@ -50,7 +50,8 @@ export const getAlertStateRoute = (
         return res.badRequest({ body: 'RouteHandlerContext is not registered for alerting' });
       }
       trackLegacyRouteUsage('state', usageCounter);
-      const rulesClient = (await context.alerting).getRulesClient();
+      const alertingContext = await context.alerting;
+      const rulesClient = await alertingContext.getRulesClient();
       const { id } = req.params;
       const state = await rulesClient.getAlertState({ id });
       return state ? res.ok({ body: state }) : res.noContent();
diff --git a/x-pack/plugins/alerting/server/routes/legacy/health.test.ts b/x-pack/plugins/alerting/server/routes/legacy/health.test.ts
index 64c994f9936b3..fea24b831e97d 100644
--- a/x-pack/plugins/alerting/server/routes/legacy/health.test.ts
+++ b/x-pack/plugins/alerting/server/routes/legacy/health.test.ts
@@ -84,7 +84,7 @@ describe('healthRoute', () => {
   const docLinks = docLinksServiceMock.createSetupContract();
 
   it('registers the route', async () => {
-    rulesClient.listRuleTypes.mockResolvedValueOnce(new Set(ruleTypes));
+    rulesClient.listRuleTypes.mockResolvedValueOnce(ruleTypes);
     const router = httpServiceMock.createRouter();
 
     const licenseState = licenseStateMock.create();
@@ -98,7 +98,7 @@ describe('healthRoute', () => {
   });
 
   it('should have internal access for serverless', async () => {
-    rulesClient.listRuleTypes.mockResolvedValueOnce(new Set(ruleTypes));
+    rulesClient.listRuleTypes.mockResolvedValueOnce(ruleTypes);
     const router = httpServiceMock.createRouter();
 
     const licenseState = licenseStateMock.create();
@@ -112,7 +112,7 @@ describe('healthRoute', () => {
   });
 
   it('throws error when user does not have any access to any rule types', async () => {
-    rulesClient.listRuleTypes.mockResolvedValueOnce(new Set());
+    rulesClient.listRuleTypes.mockResolvedValueOnce([]);
     const router = httpServiceMock.createRouter();
 
     const licenseState = licenseStateMock.create();
@@ -138,7 +138,7 @@ describe('healthRoute', () => {
   });
 
   it('evaluates whether Encrypted Saved Objects is missing encryption key', async () => {
-    rulesClient.listRuleTypes.mockResolvedValueOnce(new Set(ruleTypes));
+    rulesClient.listRuleTypes.mockResolvedValueOnce(ruleTypes);
     const router = httpServiceMock.createRouter();
 
     const licenseState = licenseStateMock.create();
@@ -195,7 +195,7 @@ describe('healthRoute', () => {
   });
 
   test('when ES security status cannot be determined from license state, isSufficientlySecure should return false', async () => {
-    rulesClient.listRuleTypes.mockResolvedValueOnce(new Set(ruleTypes));
+    rulesClient.listRuleTypes.mockResolvedValueOnce(ruleTypes);
     const router = httpServiceMock.createRouter();
     const licenseState = licenseStateMock.create();
     const encryptedSavedObjects = encryptedSavedObjectsMock.createSetup({ canEncrypt: true });
@@ -253,7 +253,7 @@ describe('healthRoute', () => {
   });
 
   test('when ES security is disabled, isSufficientlySecure should return true', async () => {
-    rulesClient.listRuleTypes.mockResolvedValueOnce(new Set(ruleTypes));
+    rulesClient.listRuleTypes.mockResolvedValueOnce(ruleTypes);
     const router = httpServiceMock.createRouter();
     const licenseState = licenseStateMock.create();
     const encryptedSavedObjects = encryptedSavedObjectsMock.createSetup({ canEncrypt: true });
@@ -311,7 +311,7 @@ describe('healthRoute', () => {
   });
 
   test('when ES security is enabled but user cannot generate api keys, isSufficientlySecure should return false', async () => {
-    rulesClient.listRuleTypes.mockResolvedValueOnce(new Set(ruleTypes));
+    rulesClient.listRuleTypes.mockResolvedValueOnce(ruleTypes);
     const router = httpServiceMock.createRouter();
     const licenseState = licenseStateMock.create();
     const encryptedSavedObjects = encryptedSavedObjectsMock.createSetup({ canEncrypt: true });
@@ -369,7 +369,7 @@ describe('healthRoute', () => {
   });
 
   test('when ES security is enabled and user can generate api keys, isSufficientlySecure should return true', async () => {
-    rulesClient.listRuleTypes.mockResolvedValueOnce(new Set(ruleTypes));
+    rulesClient.listRuleTypes.mockResolvedValueOnce(ruleTypes);
     const router = httpServiceMock.createRouter();
     const licenseState = licenseStateMock.create();
     const encryptedSavedObjects = encryptedSavedObjectsMock.createSetup({ canEncrypt: true });
@@ -427,7 +427,7 @@ describe('healthRoute', () => {
   });
 
   it('should track every call', async () => {
-    rulesClient.listRuleTypes.mockResolvedValueOnce(new Set(ruleTypes));
+    rulesClient.listRuleTypes.mockResolvedValueOnce(ruleTypes);
     const licenseState = licenseStateMock.create();
     const router = httpServiceMock.createRouter();
     const encryptedSavedObjects = encryptedSavedObjectsMock.createSetup({ canEncrypt: true });
@@ -444,7 +444,7 @@ describe('healthRoute', () => {
   });
 
   it('should be deprecated', async () => {
-    rulesClient.listRuleTypes.mockResolvedValueOnce(new Set(ruleTypes));
+    rulesClient.listRuleTypes.mockResolvedValueOnce(ruleTypes);
     const router = httpServiceMock.createRouter();
 
     const licenseState = licenseStateMock.create();
diff --git a/x-pack/plugins/alerting/server/routes/legacy/health.ts b/x-pack/plugins/alerting/server/routes/legacy/health.ts
index 223859124072b..b463298837f4e 100644
--- a/x-pack/plugins/alerting/server/routes/legacy/health.ts
+++ b/x-pack/plugins/alerting/server/routes/legacy/health.ts
@@ -50,8 +50,9 @@ export function healthRoute(
       trackLegacyRouteUsage('health', usageCounter);
       try {
         const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         // Verify that user has access to at least one rule type
-        const ruleTypes = Array.from(await alertingContext.getRulesClient().listRuleTypes());
+        const ruleTypes = Array.from(await rulesClient.listRuleTypes());
         if (ruleTypes.length > 0) {
           const alertingFrameworkHealth = await alertingContext.getFrameworkHealth();
 
diff --git a/x-pack/plugins/alerting/server/routes/legacy/list_alert_types.test.ts b/x-pack/plugins/alerting/server/routes/legacy/list_alert_types.test.ts
index 3c1be0410f586..27e9d7ce44865 100644
--- a/x-pack/plugins/alerting/server/routes/legacy/list_alert_types.test.ts
+++ b/x-pack/plugins/alerting/server/routes/legacy/list_alert_types.test.ts
@@ -44,7 +44,7 @@ describe('listAlertTypesRoute', () => {
     expect(config.path).toMatchInlineSnapshot(`"/api/alerts/list_alert_types"`);
     expect(config.options?.access).toBe('public');
 
-    const listTypes = [
+    const listTypes: RegistryAlertTypeWithAuth[] = [
       {
         id: '1',
         name: 'name',
@@ -69,9 +69,10 @@ describe('listAlertTypesRoute', () => {
         hasAlertsMappings: false,
         hasFieldsForAAD: false,
         validLegacyConsumers: [],
-      } as RegistryAlertTypeWithAuth,
+      },
     ];
-    rulesClient.listRuleTypes.mockResolvedValueOnce(new Set(listTypes));
+
+    rulesClient.listRuleTypes.mockResolvedValueOnce(listTypes);
 
     const [context, req, res] = mockHandlerArguments({ rulesClient }, {}, ['ok']);
 
@@ -167,7 +168,7 @@ describe('listAlertTypesRoute', () => {
       } as RegistryAlertTypeWithAuth,
     ];
 
-    rulesClient.listRuleTypes.mockResolvedValueOnce(new Set(listTypes));
+    rulesClient.listRuleTypes.mockResolvedValueOnce(listTypes);
 
     const [context, req, res] = mockHandlerArguments(
       { rulesClient },
@@ -224,7 +225,7 @@ describe('listAlertTypesRoute', () => {
       } as RegistryAlertTypeWithAuth,
     ];
 
-    rulesClient.listRuleTypes.mockResolvedValueOnce(new Set(listTypes));
+    rulesClient.listRuleTypes.mockResolvedValueOnce(listTypes);
 
     const [context, req, res] = mockHandlerArguments(
       { rulesClient },
@@ -245,7 +246,7 @@ describe('listAlertTypesRoute', () => {
     const mockUsageCountersSetup = usageCountersServiceMock.createSetupContract();
     const mockUsageCounter = mockUsageCountersSetup.createUsageCounter('test');
 
-    rulesClient.listRuleTypes.mockResolvedValueOnce(new Set([]));
+    rulesClient.listRuleTypes.mockResolvedValueOnce([]);
 
     listAlertTypesRoute(router, licenseState, docLinks, mockUsageCounter);
     const [, handler] = router.get.mock.calls[0];
diff --git a/x-pack/plugins/alerting/server/routes/legacy/list_alert_types.ts b/x-pack/plugins/alerting/server/routes/legacy/list_alert_types.ts
index ad0f470ae9235..f4f2bc7936b3d 100644
--- a/x-pack/plugins/alerting/server/routes/legacy/list_alert_types.ts
+++ b/x-pack/plugins/alerting/server/routes/legacy/list_alert_types.ts
@@ -45,8 +45,10 @@ export const listAlertTypesRoute = (
       }
       trackLegacyRouteUsage('listAlertTypes', usageCounter);
       const alertingContext = await context.alerting;
+      const rulesClient = await alertingContext.getRulesClient();
+
       return res.ok({
-        body: Array.from(await alertingContext.getRulesClient().listRuleTypes()),
+        body: Array.from(await rulesClient.listRuleTypes()),
       });
     })
   );
diff --git a/x-pack/plugins/alerting/server/routes/legacy/mute_all.ts b/x-pack/plugins/alerting/server/routes/legacy/mute_all.ts
index f7cb03a81dcb2..75c860167f21c 100644
--- a/x-pack/plugins/alerting/server/routes/legacy/mute_all.ts
+++ b/x-pack/plugins/alerting/server/routes/legacy/mute_all.ts
@@ -53,7 +53,8 @@ export const muteAllAlertRoute = (
         return res.badRequest({ body: 'RouteHandlerContext is not registered for alerting' });
       }
       trackLegacyRouteUsage('muteAll', usageCounter);
-      const rulesClient = (await context.alerting).getRulesClient();
+      const alertingContext = await context.alerting;
+      const rulesClient = await alertingContext.getRulesClient();
       const { id } = req.params;
       try {
         await rulesClient.muteAll({ id });
diff --git a/x-pack/plugins/alerting/server/routes/legacy/mute_instance.ts b/x-pack/plugins/alerting/server/routes/legacy/mute_instance.ts
index a8e70ba707b78..23225c387ccaa 100644
--- a/x-pack/plugins/alerting/server/routes/legacy/mute_instance.ts
+++ b/x-pack/plugins/alerting/server/routes/legacy/mute_instance.ts
@@ -58,7 +58,8 @@ export const muteAlertInstanceRoute = (
 
       trackLegacyRouteUsage('muteInstance', usageCounter);
 
-      const rulesClient = (await context.alerting).getRulesClient();
+      const alertingContext = await context.alerting;
+      const rulesClient = await alertingContext.getRulesClient();
 
       const renameMap = {
         alert_id: 'alertId',
diff --git a/x-pack/plugins/alerting/server/routes/legacy/unmute_all.ts b/x-pack/plugins/alerting/server/routes/legacy/unmute_all.ts
index bde7bea430fa5..2684ea60d7336 100644
--- a/x-pack/plugins/alerting/server/routes/legacy/unmute_all.ts
+++ b/x-pack/plugins/alerting/server/routes/legacy/unmute_all.ts
@@ -53,7 +53,8 @@ export const unmuteAllAlertRoute = (
         return res.badRequest({ body: 'RouteHandlerContext is not registered for alerting' });
       }
       trackLegacyRouteUsage('unmuteAll', usageCounter);
-      const rulesClient = (await context.alerting).getRulesClient();
+      const alertingContext = await context.alerting;
+      const rulesClient = await alertingContext.getRulesClient();
       const { id } = req.params;
       try {
         await rulesClient.unmuteAll({ id });
diff --git a/x-pack/plugins/alerting/server/routes/legacy/unmute_instance.ts b/x-pack/plugins/alerting/server/routes/legacy/unmute_instance.ts
index 91774b0df7ac8..e6122a92509b0 100644
--- a/x-pack/plugins/alerting/server/routes/legacy/unmute_instance.ts
+++ b/x-pack/plugins/alerting/server/routes/legacy/unmute_instance.ts
@@ -54,7 +54,8 @@ export const unmuteAlertInstanceRoute = (
         return res.badRequest({ body: 'RouteHandlerContext is not registered for alerting' });
       }
       trackLegacyRouteUsage('unmuteInstance', usageCounter);
-      const rulesClient = (await context.alerting).getRulesClient();
+      const alertingContext = await context.alerting;
+      const rulesClient = await alertingContext.getRulesClient();
       const { alertId, alertInstanceId } = req.params;
       try {
         await rulesClient.unmuteInstance({ alertId, alertInstanceId });
diff --git a/x-pack/plugins/alerting/server/routes/legacy/update.ts b/x-pack/plugins/alerting/server/routes/legacy/update.ts
index 04f54738e9608..3e3d3b5a480f0 100644
--- a/x-pack/plugins/alerting/server/routes/legacy/update.ts
+++ b/x-pack/plugins/alerting/server/routes/legacy/update.ts
@@ -81,7 +81,8 @@ export const updateAlertRoute = (
           return res.badRequest({ body: 'RouteHandlerContext is not registered for alerting' });
         }
         trackLegacyRouteUsage('update', usageCounter);
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         const { id } = req.params;
         const { name, actions, params, schedule, tags, throttle, notifyWhen } = req.body;
         try {
diff --git a/x-pack/plugins/alerting/server/routes/legacy/update_api_key.ts b/x-pack/plugins/alerting/server/routes/legacy/update_api_key.ts
index 0a3b62ebed368..603a321768573 100644
--- a/x-pack/plugins/alerting/server/routes/legacy/update_api_key.ts
+++ b/x-pack/plugins/alerting/server/routes/legacy/update_api_key.ts
@@ -55,7 +55,8 @@ export const updateApiKeyRoute = (
           return res.badRequest({ body: 'RouteHandlerContext is not registered for alerting' });
         }
         trackLegacyRouteUsage('updateApiKey', usageCounter);
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         const { id } = req.params;
         try {
           await rulesClient.updateRuleApiKey({ id });
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/aggregate/aggregate_rules_route.test.ts b/x-pack/plugins/alerting/server/routes/rule/apis/aggregate/aggregate_rules_route.test.ts
index 77221de2d714b..74a94cbba80a1 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/aggregate/aggregate_rules_route.test.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/aggregate/aggregate_rules_route.test.ts
@@ -145,6 +145,7 @@ describe('aggregateRulesRoute', () => {
       {
         body: {
           default_search_operator: 'AND',
+          rule_type_ids: ['foo'],
         },
       },
       ['ok']
@@ -237,6 +238,9 @@ describe('aggregateRulesRoute', () => {
           },
           "options": Object {
             "defaultSearchOperator": "AND",
+            "ruleTypeIds": Array [
+              "foo",
+            ],
           },
         },
       ]
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/aggregate/aggregate_rules_route.ts b/x-pack/plugins/alerting/server/routes/rule/apis/aggregate/aggregate_rules_route.ts
index 9b595858793f8..05c5fc2167e11 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/aggregate/aggregate_rules_route.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/aggregate/aggregate_rules_route.ts
@@ -37,7 +37,8 @@ export const aggregateRulesRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         const body: AggregateRulesRequestBodyV1 = req.body;
         const options = transformAggregateQueryRequestV1({
           ...body,
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/aggregate/transforms/transform_aggregate_query_request/v1.ts b/x-pack/plugins/alerting/server/routes/rule/apis/aggregate/transforms/transform_aggregate_query_request/v1.ts
index baa6b9bb46f9c..ae13f08d0afa5 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/aggregate/transforms/transform_aggregate_query_request/v1.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/aggregate/transforms/transform_aggregate_query_request/v1.ts
@@ -13,13 +13,15 @@ export const transformAggregateQueryRequest: RewriteRequestCase<AggregateOptions
   default_search_operator: defaultSearchOperator,
   search_fields: searchFields,
   has_reference: hasReference,
-  filter_consumers: filterConsumers,
+  rule_type_ids: ruleTypeIds,
+  consumers,
   filter,
 }) => ({
   defaultSearchOperator,
   ...(hasReference ? { hasReference } : {}),
   ...(searchFields ? { searchFields } : {}),
   ...(search ? { search } : {}),
-  ...(filterConsumers ? { filterConsumers } : {}),
+  ...(ruleTypeIds ? { ruleTypeIds } : {}),
+  ...(consumers ? { consumers } : {}),
   ...(filter ? { filter } : {}),
 });
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/bulk_delete/bulk_delete_rules_route.ts b/x-pack/plugins/alerting/server/routes/rule/apis/bulk_delete/bulk_delete_rules_route.ts
index 8bd6f7fc19916..8548464d44812 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/bulk_delete/bulk_delete_rules_route.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/bulk_delete/bulk_delete_rules_route.ts
@@ -36,7 +36,8 @@ export const bulkDeleteRulesRoute = ({
     handleDisabledApiKeysError(
       router.handleLegacyErrors(
         verifyAccessAndContext(licenseState, async (context, req, res) => {
-          const rulesClient = (await context.alerting).getRulesClient();
+          const alertingContext = await context.alerting;
+          const rulesClient = await alertingContext.getRulesClient();
 
           const body: BulkDeleteRulesRequestBodyV1 = req.body;
           const { filter, ids } = body;
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/bulk_disable/bulk_disable_rules_route.ts b/x-pack/plugins/alerting/server/routes/rule/apis/bulk_disable/bulk_disable_rules_route.ts
index 724eda3ae7b87..315904efa40a7 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/bulk_disable/bulk_disable_rules_route.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/bulk_disable/bulk_disable_rules_route.ts
@@ -37,7 +37,8 @@ export const bulkDisableRulesRoute = ({
     handleDisabledApiKeysError(
       router.handleLegacyErrors(
         verifyAccessAndContext(licenseState, async (context, req, res) => {
-          const rulesClient = (await context.alerting).getRulesClient();
+          const alertingContext = await context.alerting;
+          const rulesClient = await alertingContext.getRulesClient();
 
           const body: BulkDisableRulesRequestBodyV1 = req.body;
           const { filter, ids, untrack } = body;
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/bulk_edit/bulk_edit_rules_route.ts b/x-pack/plugins/alerting/server/routes/rule/apis/bulk_edit/bulk_edit_rules_route.ts
index 4c853beeec250..f516b63031aad 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/bulk_edit/bulk_edit_rules_route.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/bulk_edit/bulk_edit_rules_route.ts
@@ -41,7 +41,8 @@ const buildBulkEditRulesRoute = ({ licenseState, path, router }: BuildBulkEditRu
     handleDisabledApiKeysError(
       router.handleLegacyErrors(
         verifyAccessAndContext(licenseState, async function (context, req, res) {
-          const rulesClient = (await context.alerting).getRulesClient();
+          const alertingContext = await context.alerting;
+          const rulesClient = await alertingContext.getRulesClient();
           const actionsClient = (await context.actions).getActionsClient();
 
           const bulkEditData: BulkEditRulesRequestBodyV1 = req.body;
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/bulk_enable/bulk_enable_rules_route.ts b/x-pack/plugins/alerting/server/routes/rule/apis/bulk_enable/bulk_enable_rules_route.ts
index da97949fd0feb..71932cb6d78bb 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/bulk_enable/bulk_enable_rules_route.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/bulk_enable/bulk_enable_rules_route.ts
@@ -35,7 +35,8 @@ export const bulkEnableRulesRoute = ({
     handleDisabledApiKeysError(
       router.handleLegacyErrors(
         verifyAccessAndContext(licenseState, async (context, req, res) => {
-          const rulesClient = (await context.alerting).getRulesClient();
+          const alertingContext = await context.alerting;
+          const rulesClient = await alertingContext.getRulesClient();
 
           const body: BulkEnableRulesRequestBodyV1 = req.body;
           try {
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/bulk_untrack/bulk_untrack_alerts_route.ts b/x-pack/plugins/alerting/server/routes/rule/apis/bulk_untrack/bulk_untrack_alerts_route.ts
index 622218705b510..a43cc48d95631 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/bulk_untrack/bulk_untrack_alerts_route.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/bulk_untrack/bulk_untrack_alerts_route.ts
@@ -28,7 +28,8 @@ export const bulkUntrackAlertsRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         const body: BulkUntrackRequestBodyV1 = req.body;
         try {
           await rulesClient.bulkUntrackAlerts({
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/bulk_untrack_by_query/bulk_untrack_alerts_by_query_route.test.ts b/x-pack/plugins/alerting/server/routes/rule/apis/bulk_untrack_by_query/bulk_untrack_alerts_by_query_route.test.ts
index 3486005d3b588..ebaab0cb98402 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/bulk_untrack_by_query/bulk_untrack_alerts_by_query_route.test.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/bulk_untrack_by_query/bulk_untrack_alerts_by_query_route.test.ts
@@ -45,7 +45,7 @@ describe('bulkUntrackAlertsByQueryRoute', () => {
           },
         },
       ],
-      feature_ids: ['o11y'],
+      rule_type_ids: ['o11y'],
     };
 
     const [context, req, res] = mockHandlerArguments(
@@ -62,7 +62,7 @@ describe('bulkUntrackAlertsByQueryRoute', () => {
     expect(rulesClient.bulkUntrackAlerts.mock.calls[0]).toEqual([
       {
         query: requestBody.query,
-        featureIds: requestBody.feature_ids,
+        ruleTypeIds: requestBody.rule_type_ids,
         isUsingQuery: true,
       },
     ]);
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/bulk_untrack_by_query/bulk_untrack_alerts_by_query_route.ts b/x-pack/plugins/alerting/server/routes/rule/apis/bulk_untrack_by_query/bulk_untrack_alerts_by_query_route.ts
index 5cebdb8c6e7f4..735cd75b7f4a9 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/bulk_untrack_by_query/bulk_untrack_alerts_by_query_route.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/bulk_untrack_by_query/bulk_untrack_alerts_by_query_route.ts
@@ -29,7 +29,8 @@ export const bulkUntrackAlertsByQueryRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         const body: BulkUntrackByQueryRequestBodyV1 = req.body;
         try {
           await rulesClient.bulkUntrackAlerts({
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/bulk_untrack_by_query/transforms/transform_bulk_untrack_alerts_by_query_body/v1.ts b/x-pack/plugins/alerting/server/routes/rule/apis/bulk_untrack_by_query/transforms/transform_bulk_untrack_alerts_by_query_body/v1.ts
index 87c58c48c4c6d..dd346f8cc818e 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/bulk_untrack_by_query/transforms/transform_bulk_untrack_alerts_by_query_body/v1.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/bulk_untrack_by_query/transforms/transform_bulk_untrack_alerts_by_query_body/v1.ts
@@ -9,8 +9,8 @@ import type { BulkUntrackByQueryRequestBodyV1 } from '../../../../../../../commo
 
 export const transformBulkUntrackAlertsByQueryBody = ({
   query,
-  feature_ids: featureIds,
+  rule_type_ids: ruleTypeIds,
 }: BulkUntrackByQueryRequestBodyV1) => ({
   query,
-  featureIds,
+  ruleTypeIds,
 });
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/clone/clone_rule_route.ts b/x-pack/plugins/alerting/server/routes/rule/apis/clone/clone_rule_route.ts
index ea6460dfb9463..0aa23886a9b4a 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/clone/clone_rule_route.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/clone/clone_rule_route.ts
@@ -33,7 +33,8 @@ export const cloneRuleRoute = (
     handleDisabledApiKeysError(
       router.handleLegacyErrors(
         verifyAccessAndContext(licenseState, async function (context, req, res) {
-          const rulesClient = (await context.alerting).getRulesClient();
+          const alertingContext = await context.alerting;
+          const rulesClient = await alertingContext.getRulesClient();
           const params: CloneRuleRequestParamsV1 = req.params;
           try {
             // TODO (http-versioning): Remove this cast, this enables us to move forward
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/create/create_rule_route.ts b/x-pack/plugins/alerting/server/routes/rule/apis/create/create_rule_route.ts
index 45341fb48e9bd..26775ad0f98d4 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/create/create_rule_route.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/create/create_rule_route.ts
@@ -62,7 +62,8 @@ export const createRuleRoute = ({ router, licenseState, usageCounter }: RouteOpt
     handleDisabledApiKeysError(
       router.handleLegacyErrors(
         verifyAccessAndContext(licenseState, async function (context, req, res) {
-          const rulesClient = (await context.alerting).getRulesClient();
+          const alertingContext = await context.alerting;
+          const rulesClient = await alertingContext.getRulesClient();
           const actionsClient = (await context.actions).getActionsClient();
           const rulesSettingsClient = (await context.alerting).getRulesSettingsClient(true);
 
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/delete/delete_rule_route.ts b/x-pack/plugins/alerting/server/routes/rule/apis/delete/delete_rule_route.ts
index 0452de7f7becd..e1e09403b309a 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/delete/delete_rule_route.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/delete/delete_rule_route.ts
@@ -48,7 +48,8 @@ export const deleteRuleRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
 
         const params: DeleteRuleRequestParamsV1 = req.params;
 
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/disable/disable_rule_route.ts b/x-pack/plugins/alerting/server/routes/rule/apis/disable/disable_rule_route.ts
index cae82e80be869..e364bc130121d 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/disable/disable_rule_route.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/disable/disable_rule_route.ts
@@ -51,7 +51,7 @@ export const disableRuleRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const rulesClient = await (await context.alerting).getRulesClient();
         const { id }: DisableRuleRequestParamsV1 = req.params;
         const body: DisableRuleRequestBodyV1 = req.body || {};
         const { untrack = false } = body;
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/enable/enable_rule_route.ts b/x-pack/plugins/alerting/server/routes/rule/apis/enable/enable_rule_route.ts
index 4843ed932374d..e5f0983bf844b 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/enable/enable_rule_route.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/enable/enable_rule_route.ts
@@ -48,7 +48,7 @@ export const enableRuleRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const rulesClient = await (await context.alerting).getRulesClient();
         const params: EnableRuleRequestParamsV1 = req.params;
 
         try {
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/find/find_internal_rules_route.test.ts b/x-pack/plugins/alerting/server/routes/rule/apis/find/find_internal_rules_route.test.ts
index 46ff2e8e96e12..53b330a8a2044 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/find/find_internal_rules_route.test.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/find/find_internal_rules_route.test.ts
@@ -7,6 +7,8 @@
 import { httpServiceMock } from '@kbn/core/server/mocks';
 import { licenseStateMock } from '../../../../lib/license_state.mock';
 import { findInternalRulesRoute } from './find_internal_rules_route';
+import { mockHandlerArguments } from '../../../_mock_handler_arguments';
+import { rulesClientMock } from '../../../../rules_client.mock';
 
 jest.mock('../../../../lib/license_api_access', () => ({
   verifyApiAccess: jest.fn(),
@@ -20,6 +22,8 @@ beforeEach(() => {
   jest.resetAllMocks();
 });
 
+const rulesClient = rulesClientMock.create();
+
 describe('findInternalRulesRoute', () => {
   it('registers the route without public access', async () => {
     const licenseState = licenseStateMock.create();
@@ -33,4 +37,78 @@ describe('findInternalRulesRoute', () => {
       expect.any(Function)
     );
   });
+
+  it('finds rules with proper parameters', async () => {
+    const licenseState = licenseStateMock.create();
+    const router = httpServiceMock.createRouter();
+
+    findInternalRulesRoute(router, licenseState);
+
+    const [config, handler] = router.post.mock.calls[0];
+
+    expect(config.path).toMatchInlineSnapshot(`"/internal/alerting/rules/_find"`);
+
+    const findResult = {
+      page: 1,
+      perPage: 1,
+      total: 0,
+      data: [],
+    };
+    rulesClient.find.mockResolvedValueOnce(findResult);
+
+    const [context, req, res] = mockHandlerArguments(
+      { rulesClient },
+      {
+        body: {
+          per_page: 1,
+          page: 1,
+          default_search_operator: 'OR',
+          rule_type_ids: ['foo'],
+          consumers: ['bar'],
+        },
+      },
+      ['ok']
+    );
+
+    expect(await handler(context, req, res)).toMatchInlineSnapshot(`
+            Object {
+              "body": Object {
+                "data": Array [],
+                "page": 1,
+                "per_page": 1,
+                "total": 0,
+              },
+            }
+        `);
+
+    expect(rulesClient.find).toHaveBeenCalledTimes(1);
+    expect(rulesClient.find.mock.calls[0]).toMatchInlineSnapshot(`
+      Array [
+        Object {
+          "excludeFromPublicApi": false,
+          "includeSnoozeData": true,
+          "options": Object {
+            "consumers": Array [
+              "bar",
+            ],
+            "defaultSearchOperator": "OR",
+            "page": 1,
+            "perPage": 1,
+            "ruleTypeIds": Array [
+              "foo",
+            ],
+          },
+        },
+      ]
+    `);
+
+    expect(res.ok).toHaveBeenCalledWith({
+      body: {
+        page: 1,
+        per_page: 1,
+        total: 0,
+        data: [],
+      },
+    });
+  });
 });
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/find/find_internal_rules_route.ts b/x-pack/plugins/alerting/server/routes/rule/apis/find/find_internal_rules_route.ts
index 8ff8ce59192cf..0117d86468f2a 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/find/find_internal_rules_route.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/find/find_internal_rules_route.ts
@@ -8,10 +8,10 @@
 import { IRouter } from '@kbn/core/server';
 import { UsageCounter } from '@kbn/usage-collection-plugin/server';
 import type {
-  FindRulesRequestQueryV1,
+  FindRulesInternalRequestBodyV1,
   FindRulesResponseV1,
 } from '../../../../../common/routes/rule/apis/find';
-import { findRulesRequestQuerySchemaV1 } from '../../../../../common/routes/rule/apis/find';
+import { findRulesInternalRequestBodySchemaV1 } from '../../../../../common/routes/rule/apis/find';
 import { RuleParamsV1 } from '../../../../../common/routes/rule/response';
 import { ILicenseState } from '../../../../lib';
 import {
@@ -20,7 +20,7 @@ import {
 } from '../../../../types';
 import { verifyAccessAndContext } from '../../../lib';
 import { trackLegacyTerminology } from '../../../lib/track_legacy_terminology';
-import { transformFindRulesBodyV1, transformFindRulesResponseV1 } from './transforms';
+import { transformFindRulesInternalBodyV1, transformFindRulesResponseV1 } from './transforms';
 
 export const findInternalRulesRoute = (
   router: IRouter<AlertingRequestHandlerContext>,
@@ -32,14 +32,14 @@ export const findInternalRulesRoute = (
       path: INTERNAL_ALERTING_API_FIND_RULES_PATH,
       options: { access: 'internal' },
       validate: {
-        body: findRulesRequestQuerySchemaV1,
+        body: findRulesInternalRequestBodySchemaV1,
       },
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const rulesClient = await (await context.alerting).getRulesClient();
 
-        const body: FindRulesRequestQueryV1 = req.body;
+        const body: FindRulesInternalRequestBodyV1 = req.body;
 
         trackLegacyTerminology(
           [req.body.search, req.body.search_fields, req.body.sort_field].filter(
@@ -48,7 +48,7 @@ export const findInternalRulesRoute = (
           usageCounter
         );
 
-        const options = transformFindRulesBodyV1({
+        const options = transformFindRulesInternalBodyV1({
           ...body,
           has_reference: body.has_reference || undefined,
           search_fields: searchFieldsAsArray(body.search_fields),
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/find/find_rules_route.test.ts b/x-pack/plugins/alerting/server/routes/rule/apis/find/find_rules_route.test.ts
index 0e1f07a5ce543..27769cf237389 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/find/find_rules_route.test.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/find/find_rules_route.test.ts
@@ -42,6 +42,7 @@ describe('findRulesRoute', () => {
       expect.any(Function)
     );
   });
+
   it('finds rules with proper parameters', async () => {
     const licenseState = licenseStateMock.create();
     const router = httpServiceMock.createRouter();
@@ -446,4 +447,138 @@ describe('findRulesRoute', () => {
       incrementBy: 1,
     });
   });
+
+  it('should not support rule_type_ids', async () => {
+    const licenseState = licenseStateMock.create();
+    const router = httpServiceMock.createRouter();
+
+    findRulesRoute(router, licenseState);
+
+    const [config, handler] = router.get.mock.calls[0];
+
+    expect(config.path).toMatchInlineSnapshot(`"/api/alerting/rules/_find"`);
+
+    const findResult = {
+      page: 1,
+      perPage: 1,
+      total: 0,
+      data: [],
+    };
+    rulesClient.find.mockResolvedValueOnce(findResult);
+
+    const [context, req, res] = mockHandlerArguments(
+      { rulesClient },
+      {
+        query: {
+          per_page: 1,
+          page: 1,
+          default_search_operator: 'OR',
+          rule_type_ids: ['foo'],
+        },
+      },
+      ['ok']
+    );
+
+    expect(await handler(context, req, res)).toMatchInlineSnapshot(`
+            Object {
+              "body": Object {
+                "data": Array [],
+                "page": 1,
+                "per_page": 1,
+                "total": 0,
+              },
+            }
+        `);
+
+    expect(rulesClient.find).toHaveBeenCalledTimes(1);
+    expect(rulesClient.find.mock.calls[0]).toMatchInlineSnapshot(`
+            Array [
+              Object {
+                "excludeFromPublicApi": true,
+                "includeSnoozeData": true,
+                "options": Object {
+                  "defaultSearchOperator": "OR",
+                  "page": 1,
+                  "perPage": 1,
+                },
+              },
+            ]
+        `);
+
+    expect(res.ok).toHaveBeenCalledWith({
+      body: {
+        page: 1,
+        per_page: 1,
+        total: 0,
+        data: [],
+      },
+    });
+  });
+
+  it('should not support consumers', async () => {
+    const licenseState = licenseStateMock.create();
+    const router = httpServiceMock.createRouter();
+
+    findRulesRoute(router, licenseState);
+
+    const [config, handler] = router.get.mock.calls[0];
+
+    expect(config.path).toMatchInlineSnapshot(`"/api/alerting/rules/_find"`);
+
+    const findResult = {
+      page: 1,
+      perPage: 1,
+      total: 0,
+      data: [],
+    };
+    rulesClient.find.mockResolvedValueOnce(findResult);
+
+    const [context, req, res] = mockHandlerArguments(
+      { rulesClient },
+      {
+        query: {
+          per_page: 1,
+          page: 1,
+          default_search_operator: 'OR',
+          consumers: ['foo'],
+        },
+      },
+      ['ok']
+    );
+
+    expect(await handler(context, req, res)).toMatchInlineSnapshot(`
+            Object {
+              "body": Object {
+                "data": Array [],
+                "page": 1,
+                "per_page": 1,
+                "total": 0,
+              },
+            }
+        `);
+
+    expect(rulesClient.find).toHaveBeenCalledTimes(1);
+    expect(rulesClient.find.mock.calls[0]).toMatchInlineSnapshot(`
+            Array [
+              Object {
+                "excludeFromPublicApi": true,
+                "includeSnoozeData": true,
+                "options": Object {
+                  "defaultSearchOperator": "OR",
+                  "page": 1,
+                  "perPage": 1,
+                },
+              },
+            ]
+        `);
+
+    expect(res.ok).toHaveBeenCalledWith({
+      body: {
+        page: 1,
+        per_page: 1,
+        total: 0,
+        data: [],
+      },
+    });
+  });
 });
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/find/find_rules_route.ts b/x-pack/plugins/alerting/server/routes/rule/apis/find/find_rules_route.ts
index 90afde8f20813..37ea13c7983e6 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/find/find_rules_route.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/find/find_rules_route.ts
@@ -52,7 +52,7 @@ export const findRulesRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const rulesClient = await (await context.alerting).getRulesClient();
 
         const query: FindRulesRequestQueryV1 = req.query;
 
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/find/transforms/index.ts b/x-pack/plugins/alerting/server/routes/rule/apis/find/transforms/index.ts
index 044a845f3f8f3..222215ffb9a31 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/find/transforms/index.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/find/transforms/index.ts
@@ -8,5 +8,8 @@
 export { transformFindRulesBody } from './transform_find_rules_body/latest';
 export { transformFindRulesResponse } from './transform_find_rules_response/latest';
 
-export { transformFindRulesBody as transformFindRulesBodyV1 } from './transform_find_rules_body/v1';
+export {
+  transformFindRulesBody as transformFindRulesBodyV1,
+  transformFindRulesInternalBody as transformFindRulesInternalBodyV1,
+} from './transform_find_rules_body/v1';
 export { transformFindRulesResponse as transformFindRulesResponseV1 } from './transform_find_rules_response/v1';
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/find/transforms/transform_find_rules_body/v1.ts b/x-pack/plugins/alerting/server/routes/rule/apis/find/transforms/transform_find_rules_body/v1.ts
index a2f9d3c99b00d..3248c8f45360a 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/find/transforms/transform_find_rules_body/v1.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/find/transforms/transform_find_rules_body/v1.ts
@@ -5,7 +5,10 @@
  * 2.0.
  */
 
-import type { FindRulesRequestQueryV1 } from '../../../../../../../common/routes/rule/apis/find';
+import type {
+  FindRulesInternalRequestBodyV1,
+  FindRulesRequestQueryV1,
+} from '../../../../../../../common/routes/rule/apis/find';
 import { FindRulesOptions } from '../../../../../../application/rule/methods/find';
 
 export const transformFindRulesBody = (params: FindRulesRequestQueryV1): FindRulesOptions => {
@@ -29,7 +32,42 @@ export const transformFindRulesBody = (params: FindRulesRequestQueryV1): FindRul
     ...(filter ? { filter } : {}),
     ...(defaultSearchOperator ? { defaultSearchOperator } : {}),
     ...(perPage ? { perPage } : {}),
-    ...(filterConsumers ? { filterConsumers } : {}),
+    ...(sortField ? { sortField } : {}),
+    ...(sortOrder ? { sortOrder } : {}),
+    ...(hasReference ? { hasReference } : {}),
+    ...(searchFields
+      ? { searchFields: Array.isArray(searchFields) ? searchFields : [searchFields] }
+      : {}),
+    ...(filterConsumers ? { consumers: filterConsumers } : {}),
+  };
+};
+
+export const transformFindRulesInternalBody = (
+  params: FindRulesInternalRequestBodyV1
+): FindRulesOptions => {
+  const {
+    per_page: perPage,
+    page,
+    search,
+    default_search_operator: defaultSearchOperator,
+    search_fields: searchFields,
+    sort_field: sortField,
+    sort_order: sortOrder,
+    has_reference: hasReference,
+    fields,
+    filter,
+    rule_type_ids: ruleTypeIds,
+    consumers,
+  } = params;
+  return {
+    ...(page ? { page } : {}),
+    ...(search ? { search } : {}),
+    ...(fields ? { fields } : {}),
+    ...(filter ? { filter } : {}),
+    ...(defaultSearchOperator ? { defaultSearchOperator } : {}),
+    ...(perPage ? { perPage } : {}),
+    ...(ruleTypeIds ? { ruleTypeIds } : {}),
+    ...(consumers ? { consumers } : {}),
     ...(sortField ? { sortField } : {}),
     ...(sortOrder ? { sortOrder } : {}),
     ...(hasReference ? { hasReference } : {}),
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/get/get_rule_route.ts b/x-pack/plugins/alerting/server/routes/rule/apis/get/get_rule_route.ts
index 0c19d0c9c4f70..46ccc00e33626 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/get/get_rule_route.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/get/get_rule_route.ts
@@ -64,7 +64,8 @@ const buildGetRuleRoute = ({
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         const params: GetRuleRequestParamsV1 = req.params;
 
         // TODO (http-versioning): Remove this cast, this enables us to move forward
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/get_schedule_frequency/get_schedule_frequency_route.ts b/x-pack/plugins/alerting/server/routes/rule/apis/get_schedule_frequency/get_schedule_frequency_route.ts
index e130679a78437..b91c0841df911 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/get_schedule_frequency/get_schedule_frequency_route.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/get_schedule_frequency/get_schedule_frequency_route.ts
@@ -24,7 +24,8 @@ export const getScheduleFrequencyRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async (context, req, res) => {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
 
         const scheduleFrequencyResult = await rulesClient.getScheduleFrequency();
 
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/list_types/rule_types.test.ts b/x-pack/plugins/alerting/server/routes/rule/apis/list_types/rule_types.test.ts
index e6293a589743b..d32df997eb2c3 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/list_types/rule_types.test.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/list_types/rule_types.test.ts
@@ -97,7 +97,7 @@ describe('ruleTypesRoute', () => {
         has_fields_for_a_a_d: false,
       },
     ];
-    rulesClient.listRuleTypes.mockResolvedValueOnce(new Set(listTypes));
+    rulesClient.listRuleTypes.mockResolvedValueOnce(listTypes);
 
     const [context, req, res] = mockHandlerArguments({ rulesClient }, {}, ['ok']);
 
@@ -183,7 +183,7 @@ describe('ruleTypesRoute', () => {
       } as RegistryAlertTypeWithAuth,
     ];
 
-    rulesClient.listRuleTypes.mockResolvedValueOnce(new Set(listTypes));
+    rulesClient.listRuleTypes.mockResolvedValueOnce(listTypes);
 
     const [context, req, res] = mockHandlerArguments(
       { rulesClient },
@@ -240,7 +240,7 @@ describe('ruleTypesRoute', () => {
       } as RegistryAlertTypeWithAuth,
     ];
 
-    rulesClient.listRuleTypes.mockResolvedValueOnce(new Set(listTypes));
+    rulesClient.listRuleTypes.mockResolvedValueOnce(listTypes);
 
     const [context, req, res] = mockHandlerArguments(
       { rulesClient },
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/list_types/rule_types.ts b/x-pack/plugins/alerting/server/routes/rule/apis/list_types/rule_types.ts
index da9c62ab5f3f2..a49820704d74a 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/list_types/rule_types.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/list_types/rule_types.ts
@@ -42,7 +42,7 @@ export const ruleTypesRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const rulesClient = await (await context.alerting).getRulesClient();
         const ruleTypes = await rulesClient.listRuleTypes();
 
         const responseBody: TypesRulesResponseBodyV1 = transformRuleTypesResponseV1(ruleTypes);
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/list_types/transforms/transform_rule_types_response/v1.ts b/x-pack/plugins/alerting/server/routes/rule/apis/list_types/transforms/transform_rule_types_response/v1.ts
index 54a5874331c86..e331fd9133332 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/list_types/transforms/transform_rule_types_response/v1.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/list_types/transforms/transform_rule_types_response/v1.ts
@@ -10,9 +10,9 @@ import { RegistryAlertTypeWithAuth } from '../../../../../../authorization';
 import type { TypesRulesResponseBodyV1 } from '../../../../../../../common/routes/rule/apis/list_types';
 
 export const transformRuleTypesResponse = (
-  ruleTypes: Set<RegistryAlertTypeWithAuth>
+  ruleTypes: RegistryAlertTypeWithAuth[]
 ): TypesRulesResponseBodyV1 => {
-  return Array.from(ruleTypes).map((ruleType: RegistryAlertTypeWithAuth) => {
+  return ruleTypes.map((ruleType: RegistryAlertTypeWithAuth) => {
     return {
       ...(ruleType.actionGroups ? { action_groups: ruleType.actionGroups } : {}),
       ...(ruleType.actionVariables ? { action_variables: ruleType.actionVariables } : {}),
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/mute_alert/mute_alert.ts b/x-pack/plugins/alerting/server/routes/rule/apis/mute_alert/mute_alert.ts
index 5ce924b445ca7..f9b7fa8bfbf0e 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/mute_alert/mute_alert.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/mute_alert/mute_alert.ts
@@ -48,7 +48,8 @@ export const muteAlertRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         const params: MuteAlertRequestParamsV1 = req.params;
         try {
           await rulesClient.muteInstance(transformRequestParamsToApplicationV1(params));
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/mute_all/mute_all_rule.ts b/x-pack/plugins/alerting/server/routes/rule/apis/mute_all/mute_all_rule.ts
index e9aa0e42a046f..46f108cb3a94e 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/mute_all/mute_all_rule.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/mute_all/mute_all_rule.ts
@@ -51,7 +51,8 @@ export const muteAllRuleRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         const params: MuteAllRuleRequestParamsV1 = req.params;
         trackDeprecatedRouteUsage('muteAll', usageCounter);
         try {
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/resolve/resolve_rule_route.ts b/x-pack/plugins/alerting/server/routes/rule/apis/resolve/resolve_rule_route.ts
index f67485279edc5..ad0e846d452e5 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/resolve/resolve_rule_route.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/resolve/resolve_rule_route.ts
@@ -34,7 +34,8 @@ export const resolveRuleRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         const params: ResolveRuleRequestParamsV1 = req.params;
         const { id } = params;
         // TODO (http-versioning): Remove this cast, this enables us to move forward
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/snooze/snooze_rule_route.ts b/x-pack/plugins/alerting/server/routes/rule/apis/snooze/snooze_rule_route.ts
index 1de46fd784905..3e0e22070d672 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/snooze/snooze_rule_route.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/snooze/snooze_rule_route.ts
@@ -33,7 +33,8 @@ export const snoozeRuleRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         const params: SnoozeRuleRequestParamsV1 = req.params;
         const body = transformSnoozeBodyV1(req.body);
         try {
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/tags/get_rule_tags.ts b/x-pack/plugins/alerting/server/routes/rule/apis/tags/get_rule_tags.ts
index c66bf0d61009a..05e4433f5e53d 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/tags/get_rule_tags.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/tags/get_rule_tags.ts
@@ -29,7 +29,8 @@ export const getRuleTagsRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         const query: RuleTagsRequestQueryV1 = req.query;
 
         const options = transformRuleTagsQueryRequestV1(query);
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/unmute_alert/unmute_alert_route.ts b/x-pack/plugins/alerting/server/routes/rule/apis/unmute_alert/unmute_alert_route.ts
index 63560e354dc1b..34108b937cc43 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/unmute_alert/unmute_alert_route.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/unmute_alert/unmute_alert_route.ts
@@ -49,7 +49,7 @@ export const unmuteAlertRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const rulesClient = await (await context.alerting).getRulesClient();
         const params: UnmuteAlertRequestParamsV1 = req.params;
         try {
           await rulesClient.unmuteInstance(transformRequestParamsToApplicationV1(params));
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/unmute_all/unmute_all_rule.ts b/x-pack/plugins/alerting/server/routes/rule/apis/unmute_all/unmute_all_rule.ts
index 8409128da6241..bf9d1660d0def 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/unmute_all/unmute_all_rule.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/unmute_all/unmute_all_rule.ts
@@ -48,7 +48,8 @@ export const unmuteAllRuleRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         const params: UnmuteAllRuleRequestParamsV1 = req.params;
         try {
           await rulesClient.unmuteAll(params);
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/unsnooze/unsnooze_rule_route.ts b/x-pack/plugins/alerting/server/routes/rule/apis/unsnooze/unsnooze_rule_route.ts
index 69e4c91eeaf35..e5f476cbb2038 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/unsnooze/unsnooze_rule_route.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/unsnooze/unsnooze_rule_route.ts
@@ -33,7 +33,8 @@ export const unsnoozeRuleRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         const params: UnsnoozeRuleRequestParamsV1 = req.params;
         const body = transformUnsnoozeBodyV1(req.body);
         try {
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/update/update_rule_route.ts b/x-pack/plugins/alerting/server/routes/rule/apis/update/update_rule_route.ts
index 5c925b05bace3..8fee470cb3bd7 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/update/update_rule_route.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/update/update_rule_route.ts
@@ -64,7 +64,8 @@ export const updateRuleRoute = (
     handleDisabledApiKeysError(
       router.handleLegacyErrors(
         verifyAccessAndContext(licenseState, async function (context, req, res) {
-          const rulesClient = (await context.alerting).getRulesClient();
+          const alertingContext = await context.alerting;
+          const rulesClient = await alertingContext.getRulesClient();
           const actionsClient = (await context.actions).getActionsClient();
           const rulesSettingsClient = (await context.alerting).getRulesSettingsClient(true);
 
diff --git a/x-pack/plugins/alerting/server/routes/rule/apis/update_api_key/update_rule_api_key_route.ts b/x-pack/plugins/alerting/server/routes/rule/apis/update_api_key/update_rule_api_key_route.ts
index 7ba8589412357..4f16d873dfaa8 100644
--- a/x-pack/plugins/alerting/server/routes/rule/apis/update_api_key/update_rule_api_key_route.ts
+++ b/x-pack/plugins/alerting/server/routes/rule/apis/update_api_key/update_rule_api_key_route.ts
@@ -51,7 +51,7 @@ export const updateRuleApiKeyRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const rulesClient = await (await context.alerting).getRulesClient();
         const { id }: UpdateApiKeyParamsV1 = req.params;
 
         try {
diff --git a/x-pack/plugins/alerting/server/routes/run_soon.ts b/x-pack/plugins/alerting/server/routes/run_soon.ts
index 589724ab57b06..1b7fa271c9587 100644
--- a/x-pack/plugins/alerting/server/routes/run_soon.ts
+++ b/x-pack/plugins/alerting/server/routes/run_soon.ts
@@ -31,7 +31,8 @@ export const runSoonRoute = (
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         const message = await rulesClient.runSoon(req.params);
         return message ? res.ok({ body: message }) : res.noContent();
       })
diff --git a/x-pack/plugins/alerting/server/routes/suggestions/values_suggestion_alerts.ts b/x-pack/plugins/alerting/server/routes/suggestions/values_suggestion_alerts.ts
index f39615efa7e8d..25dc8add03abf 100644
--- a/x-pack/plugins/alerting/server/routes/suggestions/values_suggestion_alerts.ts
+++ b/x-pack/plugins/alerting/server/routes/suggestions/values_suggestion_alerts.ts
@@ -11,15 +11,9 @@ import { firstValueFrom, Observable } from 'rxjs';
 import { getRequestAbortedSignal } from '@kbn/data-plugin/server';
 import { termsAggSuggestions } from '@kbn/unified-search-plugin/server/autocomplete/terms_agg';
 import type { ConfigSchema } from '@kbn/unified-search-plugin/server/config';
-import { UsageCounter } from '@kbn/usage-collection-plugin/server';
 import { getKbnServerError, reportServerError } from '@kbn/kibana-utils-plugin/server';
 import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
-import {
-  AlertConsumers,
-  ALERT_RULE_CONSUMER,
-  ALERT_RULE_TYPE_ID,
-  SPACE_IDS,
-} from '@kbn/rule-data-utils';
+import { ALERT_RULE_CONSUMER, ALERT_RULE_TYPE_ID, SPACE_IDS } from '@kbn/rule-data-utils';
 
 import { verifyAccessAndContext } from '../lib';
 import { RuleAuditAction, ruleAuditEvent } from '../../rules_client/common/audit_events';
@@ -27,6 +21,7 @@ import {
   AlertingAuthorizationEntity,
   AlertingAuthorizationFilterOpts,
   AlertingAuthorizationFilterType,
+  AuthorizedRuleTypes,
 } from '../../authorization';
 import { AlertingRequestHandlerContext } from '../../types';
 import { GetAlertIndicesAlias, ILicenseState } from '../../lib';
@@ -45,20 +40,11 @@ export const AlertsSuggestionsSchema = {
   }),
 };
 
-const VALID_FEATURE_IDS = new Set([
-  AlertConsumers.APM,
-  AlertConsumers.INFRASTRUCTURE,
-  AlertConsumers.LOGS,
-  AlertConsumers.SLO,
-  AlertConsumers.UPTIME,
-]);
-
 export function registerAlertsValueSuggestionsRoute(
   router: IRouter<AlertingRequestHandlerContext>,
   licenseState: ILicenseState,
   config$: Observable<ConfigSchema>,
-  getAlertIndicesAlias?: GetAlertIndicesAlias,
-  usageCounter?: UsageCounter
+  getAlertIndicesAlias?: GetAlertIndicesAlias
 ) {
   router.post(
     {
@@ -73,19 +59,21 @@ export function registerAlertsValueSuggestionsRoute(
         const abortSignal = getRequestAbortedSignal(request.events.aborted$);
         const { savedObjects, elasticsearch } = await context.core;
 
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         let authorizationTuple;
-        let authorizedRuleType = [];
+        let authorizedRuleType: AuthorizedRuleTypes = new Map();
+
         try {
           const authorization = rulesClient.getAuthorization();
-          authorizationTuple = await authorization.getFindAuthorizationFilter(
-            AlertingAuthorizationEntity.Alert,
-            alertingAuthorizationFilterOpts
-          );
-          authorizedRuleType = await authorization.getAuthorizedRuleTypes(
-            AlertingAuthorizationEntity.Alert,
-            VALID_FEATURE_IDS
-          );
+          authorizationTuple = await authorization.getFindAuthorizationFilter({
+            authorizationEntity: AlertingAuthorizationEntity.Alert,
+            filterOpts: alertingAuthorizationFilterOpts,
+          });
+
+          authorizedRuleType = await authorization.getAllAuthorizedRuleTypesFindOperation({
+            authorizationEntity: AlertingAuthorizationEntity.Alert,
+          });
         } catch (error) {
           rulesClient.getAuditLogger()?.log(
             ruleAuditEvent({
@@ -93,8 +81,10 @@ export function registerAlertsValueSuggestionsRoute(
               error,
             })
           );
+
           throw error;
         }
+
         const spaceId = rulesClient.getSpaceId();
         const { filter: authorizationFilter } = authorizationTuple;
         const filters = [
@@ -103,9 +93,10 @@ export function registerAlertsValueSuggestionsRoute(
         ] as estypes.QueryDslQueryContainer[];
 
         const index = getAlertIndicesAlias!(
-          authorizedRuleType.map((art) => art.id),
+          Array.from(authorizedRuleType.keys()).map((id) => id),
           spaceId
         ).join(',');
+
         try {
           const body = await termsAggSuggestions(
             config,
diff --git a/x-pack/plugins/alerting/server/routes/suggestions/values_suggestion_rules.ts b/x-pack/plugins/alerting/server/routes/suggestions/values_suggestion_rules.ts
index 6ada2378b3096..420d6473988fa 100644
--- a/x-pack/plugins/alerting/server/routes/suggestions/values_suggestion_rules.ts
+++ b/x-pack/plugins/alerting/server/routes/suggestions/values_suggestion_rules.ts
@@ -59,15 +59,14 @@ export function registerRulesValueSuggestionsRoute(
         const abortSignal = getRequestAbortedSignal(request.events.aborted$);
         const { savedObjects, elasticsearch } = await context.core;
 
-        const rulesClient = (await context.alerting).getRulesClient();
+        const alertingContext = await context.alerting;
+        const rulesClient = await alertingContext.getRulesClient();
         let authorizationTuple;
         try {
-          authorizationTuple = await rulesClient
-            .getAuthorization()
-            .getFindAuthorizationFilter(
-              AlertingAuthorizationEntity.Rule,
-              alertingAuthorizationFilterOpts
-            );
+          authorizationTuple = await rulesClient.getAuthorization().getFindAuthorizationFilter({
+            authorizationEntity: AlertingAuthorizationEntity.Rule,
+            filterOpts: alertingAuthorizationFilterOpts,
+          });
         } catch (error) {
           rulesClient.getAuditLogger()?.log(
             ruleAuditEvent({
diff --git a/x-pack/plugins/alerting/server/rule_type_registry.test.ts b/x-pack/plugins/alerting/server/rule_type_registry.test.ts
index e678228660e51..d9d7c1240922c 100644
--- a/x-pack/plugins/alerting/server/rule_type_registry.test.ts
+++ b/x-pack/plugins/alerting/server/rule_type_registry.test.ts
@@ -856,7 +856,7 @@ describe('Create Lifecycle', () => {
     test('should return empty when nothing is registered', () => {
       const registry = new RuleTypeRegistry(ruleTypeRegistryParams);
       const result = registry.list();
-      expect(result).toMatchInlineSnapshot(`Set {}`);
+      expect(result).toMatchInlineSnapshot(`Map {}`);
     });
 
     test('should return registered types', () => {
@@ -888,8 +888,8 @@ describe('Create Lifecycle', () => {
       });
       const result = registry.list();
       expect(result).toMatchInlineSnapshot(`
-        Set {
-          Object {
+        Map {
+          "test" => Object {
             "actionGroups": Array [
               Object {
                 "id": "testActionGroup",
diff --git a/x-pack/plugins/alerting/server/rule_type_registry.ts b/x-pack/plugins/alerting/server/rule_type_registry.ts
index 7562942f0262d..40d00acbef598 100644
--- a/x-pack/plugins/alerting/server/rule_type_registry.ts
+++ b/x-pack/plugins/alerting/server/rule_type_registry.ts
@@ -382,59 +382,40 @@ export class RuleTypeRegistry {
     >;
   }
 
-  public list(): Set<RegistryRuleType> {
-    const mapRuleTypes: Array<[string, UntypedNormalizedRuleType]> = Array.from(this.ruleTypes);
-    const tempRegistryRuleType = mapRuleTypes.map<RegistryRuleType>(
-      ([
-        id,
-        {
-          name,
-          actionGroups,
-          recoveryActionGroup,
-          defaultActionGroupId,
-          actionVariables,
-          category,
-          producer,
-          minimumLicenseRequired,
-          isExportable,
-          ruleTaskTimeout,
-          defaultScheduleInterval,
-          doesSetRecoveryContext,
-          alerts,
-          fieldsForAAD,
-          validLegacyConsumers,
-        },
-      ]) => {
-        // KEEP the type here to be safe if not the map is  ignoring it for some reason
-        const ruleType: RegistryRuleType = {
-          id,
-          name,
-          actionGroups,
-          recoveryActionGroup,
-          defaultActionGroupId,
-          actionVariables,
-          category,
-          producer,
-          minimumLicenseRequired,
-          isExportable,
-          ruleTaskTimeout,
-          defaultScheduleInterval,
-          doesSetRecoveryContext,
-          enabledInLicense: !!this.licenseState.getLicenseCheckForRuleType(
-            id,
-            name,
-            minimumLicenseRequired
-          ).isValid,
-          fieldsForAAD,
-          hasFieldsForAAD: Boolean(fieldsForAAD),
-          hasAlertsMappings: !!alerts,
-          validLegacyConsumers,
-          ...(alerts ? { alerts } : {}),
-        };
-        return ruleType;
-      }
-    );
-    return new Set(tempRegistryRuleType);
+  public list(): Map<string, RegistryRuleType> {
+    const ruleTypesMap = new Map();
+
+    this.ruleTypes.forEach((_ruleType) => {
+      const ruleType: RegistryRuleType = {
+        id: _ruleType.id,
+        name: _ruleType.name,
+        actionGroups: _ruleType.actionGroups,
+        recoveryActionGroup: _ruleType.recoveryActionGroup,
+        defaultActionGroupId: _ruleType.defaultActionGroupId,
+        actionVariables: _ruleType.actionVariables,
+        category: _ruleType.category,
+        producer: _ruleType.producer,
+        minimumLicenseRequired: _ruleType.minimumLicenseRequired,
+        isExportable: _ruleType.isExportable,
+        ruleTaskTimeout: _ruleType.ruleTaskTimeout,
+        defaultScheduleInterval: _ruleType.defaultScheduleInterval,
+        doesSetRecoveryContext: _ruleType.doesSetRecoveryContext,
+        enabledInLicense: !!this.licenseState.getLicenseCheckForRuleType(
+          _ruleType.id,
+          _ruleType.name,
+          _ruleType.minimumLicenseRequired
+        ).isValid,
+        fieldsForAAD: _ruleType.fieldsForAAD,
+        hasFieldsForAAD: Boolean(_ruleType.fieldsForAAD),
+        hasAlertsMappings: !!_ruleType.alerts,
+        ...(_ruleType.alerts ? { alerts: _ruleType.alerts } : {}),
+        validLegacyConsumers: _ruleType.validLegacyConsumers,
+      };
+
+      ruleTypesMap.set(ruleType.id, ruleType);
+    });
+
+    return ruleTypesMap;
   }
 
   public getAllTypes(): string[] {
diff --git a/x-pack/plugins/alerting/server/rules_client.mock.ts b/x-pack/plugins/alerting/server/rules_client.mock.ts
index 0616591cbe565..c7577656306d0 100644
--- a/x-pack/plugins/alerting/server/rules_client.mock.ts
+++ b/x-pack/plugins/alerting/server/rules_client.mock.ts
@@ -5,12 +5,15 @@
  * 2.0.
  */
 
+import { alertingAuthorizationMock } from './authorization/alerting_authorization.mock';
 import { RulesClientApi } from './types';
 
 type Schema = RulesClientApi;
 export type RulesClientMock = jest.Mocked<Schema>;
 
 const createRulesClientMock = () => {
+  const alertingAuthorization = alertingAuthorizationMock.create();
+
   const mocked: RulesClientMock = {
     aggregate: jest.fn().mockReturnValue({ ruleExecutionStatus: {}, ruleLastRunOutcome: {} }),
     getTags: jest.fn(),
@@ -31,10 +34,7 @@ const createRulesClientMock = () => {
     listRuleTypes: jest.fn(),
     getAlertSummary: jest.fn(),
     getAuditLogger: jest.fn(),
-    getAuthorization: jest.fn().mockImplementation(() => ({
-      getFindAuthorizationFilter: jest.fn().mockReturnValue({ filter: null }),
-      getAuthorizedRuleTypes: jest.fn().mockResolvedValue([]),
-    })),
+    getAuthorization: jest.fn().mockReturnValue(alertingAuthorization),
     getExecutionLogForRule: jest.fn(),
     getRuleExecutionKPI: jest.fn(),
     getGlobalExecutionKpiWithAuth: jest.fn(),
diff --git a/x-pack/plugins/alerting/server/rules_client/common/filters.test.ts b/x-pack/plugins/alerting/server/rules_client/common/filters.test.ts
new file mode 100644
index 0000000000000..fc14cb19bb803
--- /dev/null
+++ b/x-pack/plugins/alerting/server/rules_client/common/filters.test.ts
@@ -0,0 +1,463 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { nodeBuilder } from '@kbn/es-query';
+import {
+  buildConsumersFilter,
+  buildFilter,
+  buildRuleTypeIdsFilter,
+  combineFilterWithAuthorizationFilter,
+  combineFilters,
+} from './filters';
+
+describe('filters', () => {
+  describe('combineFilterWithAuthorizationFilter', () => {
+    it('returns undefined if neither a filter or authorizationFilter are passed', () => {
+      expect(combineFilterWithAuthorizationFilter()).toBeUndefined();
+    });
+
+    it('returns a single KueryNode when only a filter is passed in', () => {
+      const node = nodeBuilder.is('a', 'hello');
+      expect(combineFilterWithAuthorizationFilter(node)).toMatchInlineSnapshot(`
+        Object {
+          "arguments": Array [
+            Object {
+              "isQuoted": false,
+              "type": "literal",
+              "value": "a",
+            },
+            Object {
+              "isQuoted": false,
+              "type": "literal",
+              "value": "hello",
+            },
+          ],
+          "function": "is",
+          "type": "function",
+        }
+      `);
+    });
+
+    it('returns a single KueryNode when only an authorizationFilter is passed in', () => {
+      const node = nodeBuilder.is('a', 'hello');
+      expect(combineFilterWithAuthorizationFilter(undefined, node)).toMatchInlineSnapshot(`
+        Object {
+          "arguments": Array [
+            Object {
+              "isQuoted": false,
+              "type": "literal",
+              "value": "a",
+            },
+            Object {
+              "isQuoted": false,
+              "type": "literal",
+              "value": "hello",
+            },
+          ],
+          "function": "is",
+          "type": "function",
+        }
+      `);
+    });
+
+    it("returns a single KueryNode and'ing together the passed in parameters", () => {
+      const node = nodeBuilder.is('a', 'hello');
+      const node2 = nodeBuilder.is('b', 'hi');
+
+      expect(combineFilterWithAuthorizationFilter(node, node2)).toMatchInlineSnapshot(`
+        Object {
+          "arguments": Array [
+            Object {
+              "arguments": Array [
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "a",
+                },
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "hello",
+                },
+              ],
+              "function": "is",
+              "type": "function",
+            },
+            Object {
+              "arguments": Array [
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "b",
+                },
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "hi",
+                },
+              ],
+              "function": "is",
+              "type": "function",
+            },
+          ],
+          "function": "and",
+          "type": "function",
+        }
+      `);
+    });
+
+    it("returns a single KueryNode and'ing together the passed in parameters in opposite order", () => {
+      const node = nodeBuilder.is('a', 'hello');
+      const node2 = nodeBuilder.is('b', 'hi');
+
+      expect(combineFilterWithAuthorizationFilter(node2, node)).toMatchInlineSnapshot(`
+        Object {
+          "arguments": Array [
+            Object {
+              "arguments": Array [
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "b",
+                },
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "hi",
+                },
+              ],
+              "function": "is",
+              "type": "function",
+            },
+            Object {
+              "arguments": Array [
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "a",
+                },
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "hello",
+                },
+              ],
+              "function": "is",
+              "type": "function",
+            },
+          ],
+          "function": "and",
+          "type": "function",
+        }
+      `);
+    });
+  });
+
+  describe('buildFilter', () => {
+    it('returns undefined if filters is undefined', () => {
+      expect(buildFilter({ filters: undefined, field: 'abc', operator: 'or' })).toBeUndefined();
+    });
+
+    it('returns undefined if filters is is an empty array', () => {
+      expect(buildFilter({ filters: [], field: 'abc', operator: 'or' })).toBeUndefined();
+    });
+
+    it('returns a KueryNode using or operator', () => {
+      expect(buildFilter({ filters: ['value1'], field: 'abc', operator: 'or' }))
+        .toMatchInlineSnapshot(`
+        Object {
+          "arguments": Array [
+            Object {
+              "isQuoted": false,
+              "type": "literal",
+              "value": "alert.attributes.abc",
+            },
+            Object {
+              "isQuoted": false,
+              "type": "literal",
+              "value": "value1",
+            },
+          ],
+          "function": "is",
+          "type": "function",
+        }
+      `);
+    });
+
+    it("returns multiple nodes or'd together", () => {
+      expect(buildFilter({ filters: ['value1', 'value2'], field: 'abc', operator: 'or' }))
+        .toMatchInlineSnapshot(`
+        Object {
+          "arguments": Array [
+            Object {
+              "arguments": Array [
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "alert.attributes.abc",
+                },
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "value1",
+                },
+              ],
+              "function": "is",
+              "type": "function",
+            },
+            Object {
+              "arguments": Array [
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "alert.attributes.abc",
+                },
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "value2",
+                },
+              ],
+              "function": "is",
+              "type": "function",
+            },
+          ],
+          "function": "or",
+          "type": "function",
+        }
+      `);
+    });
+
+    it('does not escape special kql characters in the filter values', () => {
+      const specialCharacters = 'awesome:()\\<>"*';
+
+      expect(buildFilter({ filters: [specialCharacters], field: 'abc', operator: 'or' }))
+        .toMatchInlineSnapshot(`
+        Object {
+          "arguments": Array [
+            Object {
+              "isQuoted": false,
+              "type": "literal",
+              "value": "alert.attributes.abc",
+            },
+            Object {
+              "isQuoted": false,
+              "type": "literal",
+              "value": "awesome:()\\\\<>\\"*",
+            },
+          ],
+          "function": "is",
+          "type": "function",
+        }
+      `);
+    });
+  });
+
+  describe('combineFilters', () => {
+    it('returns undefined if the nodes are undefined or null', () => {
+      expect(combineFilters([null, undefined])).toBeUndefined();
+    });
+
+    it('combines the filters correctly', () => {
+      const node = nodeBuilder.is('a', 'hello');
+      const node2 = nodeBuilder.is('b', 'hi');
+
+      expect(combineFilters([node, null, undefined, node2])).toMatchInlineSnapshot(`
+        Object {
+          "arguments": Array [
+            Object {
+              "arguments": Array [
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "a",
+                },
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "hello",
+                },
+              ],
+              "function": "is",
+              "type": "function",
+            },
+            Object {
+              "arguments": Array [
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "b",
+                },
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "hi",
+                },
+              ],
+              "function": "is",
+              "type": "function",
+            },
+          ],
+          "function": "and",
+          "type": "function",
+        }
+      `);
+    });
+
+    it('combines the filters correctly with an operator', () => {
+      const node = nodeBuilder.is('a', 'hello');
+      const node2 = nodeBuilder.is('b', 'hi');
+
+      expect(combineFilters([node, null, undefined, node2], 'or')).toMatchInlineSnapshot(`
+        Object {
+          "arguments": Array [
+            Object {
+              "arguments": Array [
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "a",
+                },
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "hello",
+                },
+              ],
+              "function": "is",
+              "type": "function",
+            },
+            Object {
+              "arguments": Array [
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "b",
+                },
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "hi",
+                },
+              ],
+              "function": "is",
+              "type": "function",
+            },
+          ],
+          "function": "or",
+          "type": "function",
+        }
+      `);
+    });
+  });
+
+  describe('buildRuleTypeIdsFilter', () => {
+    it('returns undefined if ruleTypeIds is undefined', () => {
+      expect(buildRuleTypeIdsFilter()).toBeUndefined();
+    });
+
+    it('returns undefined if ruleTypeIds is is an empty array', () => {
+      expect(buildRuleTypeIdsFilter([])).toBeUndefined();
+    });
+
+    it('builds the filter correctly', () => {
+      expect(buildRuleTypeIdsFilter(['foo', 'bar'])).toMatchInlineSnapshot(`
+        Object {
+          "arguments": Array [
+            Object {
+              "arguments": Array [
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "alert.attributes.alertTypeId",
+                },
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "foo",
+                },
+              ],
+              "function": "is",
+              "type": "function",
+            },
+            Object {
+              "arguments": Array [
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "alert.attributes.alertTypeId",
+                },
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "bar",
+                },
+              ],
+              "function": "is",
+              "type": "function",
+            },
+          ],
+          "function": "or",
+          "type": "function",
+        }
+      `);
+    });
+  });
+
+  describe('buildConsumersFilter', () => {
+    it('returns undefined if ruleTypeIds is undefined', () => {
+      expect(buildConsumersFilter()).toBeUndefined();
+    });
+
+    it('returns undefined if ruleTypeIds is is an empty array', () => {
+      expect(buildConsumersFilter([])).toBeUndefined();
+    });
+
+    it('builds the filter correctly', () => {
+      expect(buildConsumersFilter(['foo', 'bar'])).toMatchInlineSnapshot(`
+        Object {
+          "arguments": Array [
+            Object {
+              "arguments": Array [
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "alert.attributes.consumer",
+                },
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "foo",
+                },
+              ],
+              "function": "is",
+              "type": "function",
+            },
+            Object {
+              "arguments": Array [
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "alert.attributes.consumer",
+                },
+                Object {
+                  "isQuoted": false,
+                  "type": "literal",
+                  "value": "bar",
+                },
+              ],
+              "function": "is",
+              "type": "function",
+            },
+          ],
+          "function": "or",
+          "type": "function",
+        }
+      `);
+    });
+  });
+});
diff --git a/x-pack/plugins/alerting/server/rules_client/common/filters.ts b/x-pack/plugins/alerting/server/rules_client/common/filters.ts
new file mode 100644
index 0000000000000..b0c3ccc5e1ec1
--- /dev/null
+++ b/x-pack/plugins/alerting/server/rules_client/common/filters.ts
@@ -0,0 +1,92 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { KueryNode, nodeBuilder } from '@kbn/es-query';
+import { RULE_SAVED_OBJECT_TYPE } from '../..';
+
+export const NodeBuilderOperators = {
+  and: 'and',
+  or: 'or',
+} as const;
+
+type NodeBuilderOperatorsType = keyof typeof NodeBuilderOperators;
+
+interface FilterField {
+  filters?: string | string[];
+  field: string;
+  operator: NodeBuilderOperatorsType;
+  type?: string;
+}
+
+export const buildFilter = ({
+  filters,
+  field,
+  operator,
+  type = RULE_SAVED_OBJECT_TYPE,
+}: FilterField): KueryNode | undefined => {
+  if (filters === undefined) {
+    return;
+  }
+
+  const filtersAsArray = Array.isArray(filters) ? filters : [filters];
+
+  if (filtersAsArray.length === 0) {
+    return;
+  }
+
+  return nodeBuilder[operator](
+    filtersAsArray.map((filter) => nodeBuilder.is(`${type}.attributes.${field}`, filter))
+  );
+};
+
+export const buildRuleTypeIdsFilter = (ruleTypeIds?: string[]) => {
+  if (!ruleTypeIds || !ruleTypeIds?.length) {
+    return;
+  }
+
+  return buildFilter({ filters: ruleTypeIds, field: 'alertTypeId', operator: 'or' });
+};
+
+export const buildConsumersFilter = (consumers?: string[]) => {
+  if (!consumers || !consumers?.length) {
+    return;
+  }
+
+  return buildFilter({ filters: consumers, field: 'consumer', operator: 'or' });
+};
+
+/**
+ * Combines Kuery nodes and accepts an array with a mixture of undefined and KueryNodes. This will filter out the undefined
+ * filters and return a KueryNode with the filters combined using the specified operator which defaults to and if not defined.
+ */
+export function combineFilters(
+  nodes: Array<KueryNode | undefined | null>,
+  operator: NodeBuilderOperatorsType = NodeBuilderOperators.and
+): KueryNode | undefined {
+  const filters = nodes.filter(Boolean) as KueryNode[];
+
+  if (filters.length <= 0) {
+    return;
+  }
+
+  return nodeBuilder[operator](filters);
+}
+
+export const combineFilterWithAuthorizationFilter = (
+  filter?: KueryNode,
+  authorizationFilter?: KueryNode
+) => {
+  if (!filter && !authorizationFilter) {
+    return;
+  }
+
+  const kueries = [
+    ...(filter !== undefined ? [filter] : []),
+    ...(authorizationFilter !== undefined ? [authorizationFilter] : []),
+  ];
+  return nodeBuilder.and(kueries);
+};
diff --git a/x-pack/plugins/alerting/server/rules_client/lib/get_authorization_filter.ts b/x-pack/plugins/alerting/server/rules_client/lib/get_authorization_filter.ts
index b9cc41a0fd7c4..591602effc474 100644
--- a/x-pack/plugins/alerting/server/rules_client/lib/get_authorization_filter.ts
+++ b/x-pack/plugins/alerting/server/rules_client/lib/get_authorization_filter.ts
@@ -6,11 +6,11 @@
  */
 
 import { withSpan } from '@kbn/apm-utils';
-import { AlertingAuthorizationEntity } from '../../authorization';
 import { ruleAuditEvent, RuleAuditAction } from '../common/audit_events';
 import { RulesClientContext } from '../types';
 import { alertingAuthorizationFilterOpts } from '../common/constants';
 import { BulkAction } from '../types';
+import { AlertingAuthorizationEntity } from '../../authorization/types';
 
 export const getAuthorizationFilter = async (
   context: RulesClientContext,
@@ -20,10 +20,10 @@ export const getAuthorizationFilter = async (
     const authorizationTuple = await withSpan(
       { name: 'authorization.getFindAuthorizationFilter', type: 'rules' },
       () =>
-        context.authorization.getFindAuthorizationFilter(
-          AlertingAuthorizationEntity.Rule,
-          alertingAuthorizationFilterOpts
-        )
+        context.authorization.getFindAuthorizationFilter({
+          authorizationEntity: AlertingAuthorizationEntity.Rule,
+          filterOpts: alertingAuthorizationFilterOpts,
+        })
     );
     return authorizationTuple.filter;
   } catch (error) {
diff --git a/x-pack/plugins/alerting/server/rules_client/methods/get_action_error_log.ts b/x-pack/plugins/alerting/server/rules_client/methods/get_action_error_log.ts
index a7d60fc8f8ca4..4d71af6573b57 100644
--- a/x-pack/plugins/alerting/server/rules_client/methods/get_action_error_log.ts
+++ b/x-pack/plugins/alerting/server/rules_client/methods/get_action_error_log.ts
@@ -108,16 +108,16 @@ export async function getActionErrorLogWithAuth(
 
   let authorizationTuple;
   try {
-    authorizationTuple = await context.authorization.getFindAuthorizationFilter(
-      AlertingAuthorizationEntity.Alert,
-      {
+    authorizationTuple = await context.authorization.getFindAuthorizationFilter({
+      authorizationEntity: AlertingAuthorizationEntity.Alert,
+      filterOpts: {
         type: AlertingAuthorizationFilterType.KQL,
         fieldNames: {
           ruleTypeId: 'kibana.alert.rule.rule_type_id',
           consumer: 'kibana.alert.rule.consumer',
         },
-      }
-    );
+      },
+    });
   } catch (error) {
     context.auditLogger?.log(
       ruleAuditEvent({
diff --git a/x-pack/plugins/alerting/server/rules_client/methods/get_execution_kpi.ts b/x-pack/plugins/alerting/server/rules_client/methods/get_execution_kpi.ts
index fc2c1298f69ac..4441cc69a5f72 100644
--- a/x-pack/plugins/alerting/server/rules_client/methods/get_execution_kpi.ts
+++ b/x-pack/plugins/alerting/server/rules_client/methods/get_execution_kpi.ts
@@ -105,16 +105,16 @@ export async function getGlobalExecutionKpiWithAuth(
 
   let authorizationTuple;
   try {
-    authorizationTuple = await context.authorization.getFindAuthorizationFilter(
-      AlertingAuthorizationEntity.Alert,
-      {
+    authorizationTuple = await context.authorization.getFindAuthorizationFilter({
+      authorizationEntity: AlertingAuthorizationEntity.Alert,
+      filterOpts: {
         type: AlertingAuthorizationFilterType.KQL,
         fieldNames: {
           ruleTypeId: 'kibana.alert.rule.rule_type_id',
           consumer: 'kibana.alert.rule.consumer',
         },
-      }
-    );
+      },
+    });
   } catch (error) {
     context.auditLogger?.log(
       ruleAuditEvent({
diff --git a/x-pack/plugins/alerting/server/rules_client/methods/get_execution_log.ts b/x-pack/plugins/alerting/server/rules_client/methods/get_execution_log.ts
index 18d65c28fc9bb..95d41a02a685b 100644
--- a/x-pack/plugins/alerting/server/rules_client/methods/get_execution_log.ts
+++ b/x-pack/plugins/alerting/server/rules_client/methods/get_execution_log.ts
@@ -118,16 +118,16 @@ export async function getGlobalExecutionLogWithAuth(
 
   let authorizationTuple;
   try {
-    authorizationTuple = await context.authorization.getFindAuthorizationFilter(
-      AlertingAuthorizationEntity.Alert,
-      {
+    authorizationTuple = await context.authorization.getFindAuthorizationFilter({
+      authorizationEntity: AlertingAuthorizationEntity.Alert,
+      filterOpts: {
         type: AlertingAuthorizationFilterType.KQL,
         fieldNames: {
           ruleTypeId: 'kibana.alert.rule.rule_type_id',
           consumer: 'kibana.alert.rule.consumer',
         },
-      }
-    );
+      },
+    });
   } catch (error) {
     context.auditLogger?.log(
       ruleAuditEvent({
diff --git a/x-pack/plugins/alerting/server/rules_client/rules_client.mock.ts b/x-pack/plugins/alerting/server/rules_client/rules_client.mock.ts
new file mode 100644
index 0000000000000..f8e2beba7ee67
--- /dev/null
+++ b/x-pack/plugins/alerting/server/rules_client/rules_client.mock.ts
@@ -0,0 +1,70 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { ActionsAuthorization } from '@kbn/actions-plugin/server';
+import { loggingSystemMock } from '@kbn/core-logging-server-mocks';
+import { uiSettingsServiceMock } from '@kbn/core-ui-settings-server-mocks';
+import { AlertingAuthorization } from '../authorization';
+import { ConnectorAdapterRegistry } from '../connector_adapters/connector_adapter_registry';
+import type { ConstructorOptions } from './rules_client';
+import { actionsAuthorizationMock } from '@kbn/actions-plugin/server/mocks';
+import {
+  savedObjectsClientMock,
+  savedObjectsRepositoryMock,
+} from '@kbn/core-saved-objects-api-server-mocks';
+import { auditLoggerMock } from '@kbn/core-security-server-mocks';
+import { encryptedSavedObjectsMock } from '@kbn/encrypted-saved-objects-plugin/server/mocks';
+import { taskManagerMock } from '@kbn/task-manager-plugin/server/mocks';
+import { alertingAuthorizationMock } from '../authorization/alerting_authorization.mock';
+import { backfillClientMock } from '../backfill_client/backfill_client.mock';
+import { ruleTypeRegistryMock } from '../rule_type_registry.mock';
+
+const create = () => {
+  const kibanaVersion = 'v8.17.0';
+  const taskManager = taskManagerMock.createStart();
+  const ruleTypeRegistry = ruleTypeRegistryMock.create();
+  const unsecuredSavedObjectsClient = savedObjectsClientMock.create();
+  const encryptedSavedObjects = encryptedSavedObjectsMock.createClient();
+  const authorization = alertingAuthorizationMock.create();
+  const actionsAuthorization = actionsAuthorizationMock.create();
+  const auditLogger = auditLoggerMock.create();
+  const internalSavedObjectsRepository = savedObjectsRepositoryMock.create();
+  const backfillClient = backfillClientMock.create();
+
+  const rulesClientParams: jest.Mocked<ConstructorOptions> = {
+    taskManager,
+    ruleTypeRegistry,
+    unsecuredSavedObjectsClient,
+    authorization: authorization as unknown as AlertingAuthorization,
+    actionsAuthorization: actionsAuthorization as unknown as ActionsAuthorization,
+    spaceId: 'default',
+    namespace: 'default',
+    getUserName: jest.fn(),
+    createAPIKey: jest.fn(),
+    logger: loggingSystemMock.create().get(),
+    internalSavedObjectsRepository,
+    encryptedSavedObjectsClient: encryptedSavedObjects,
+    getActionsClient: jest.fn(),
+    getEventLogClient: jest.fn(),
+    kibanaVersion,
+    auditLogger,
+    maxScheduledPerMinute: 10000,
+    minimumScheduleInterval: { value: '1m', enforce: false },
+    isAuthenticationTypeAPIKey: jest.fn(),
+    getAuthenticationAPIKey: jest.fn(),
+    getAlertIndicesAlias: jest.fn(),
+    alertsService: null,
+    backfillClient,
+    isSystemAction: jest.fn(),
+    connectorAdapterRegistry: new ConnectorAdapterRegistry(),
+    uiSettings: uiSettingsServiceMock.createStartContract(),
+  };
+
+  return rulesClientParams;
+};
+
+export const rulesClientContextMock = { create };
diff --git a/x-pack/plugins/alerting/server/rules_client/tests/list_rule_types.test.ts b/x-pack/plugins/alerting/server/rules_client/tests/list_rule_types.test.ts
index b096ec1c75f7d..7205decb32bb5 100644
--- a/x-pack/plugins/alerting/server/rules_client/tests/list_rule_types.test.ts
+++ b/x-pack/plugins/alerting/server/rules_client/tests/list_rule_types.test.ts
@@ -17,10 +17,7 @@ import { ruleTypeRegistryMock } from '../../rule_type_registry.mock';
 import { alertingAuthorizationMock } from '../../authorization/alerting_authorization.mock';
 import { encryptedSavedObjectsMock } from '@kbn/encrypted-saved-objects-plugin/server/mocks';
 import { actionsAuthorizationMock } from '@kbn/actions-plugin/server/mocks';
-import {
-  AlertingAuthorization,
-  RegistryAlertTypeWithAuth,
-} from '../../authorization/alerting_authorization';
+import { AlertingAuthorization } from '../../authorization/alerting_authorization';
 import { ActionsAuthorization } from '@kbn/actions-plugin/server';
 import { getBeforeSetup } from './lib';
 import { RecoveredActionGroup } from '../../../common';
@@ -88,6 +85,7 @@ describe('listRuleTypes', () => {
     hasFieldsForAAD: false,
     validLegacyConsumers: [],
   };
+
   const myAppAlertType: RegistryRuleType = {
     actionGroups: [],
     actionVariables: undefined,
@@ -104,7 +102,11 @@ describe('listRuleTypes', () => {
     hasFieldsForAAD: false,
     validLegacyConsumers: [],
   };
-  const setOfAlertTypes = new Set([myAppAlertType, alertingAlertType]);
+
+  const setOfAlertTypes = new Map<string, RegistryRuleType>([
+    [myAppAlertType.id, myAppAlertType],
+    [alertingAlertType.id, alertingAlertType],
+  ]);
 
   const authorizedConsumers = {
     alerts: { read: true, all: true },
@@ -118,62 +120,162 @@ describe('listRuleTypes', () => {
 
   test('should return a list of AlertTypes that exist in the registry', async () => {
     ruleTypeRegistry.list.mockReturnValue(setOfAlertTypes);
-    authorization.filterByRuleTypeAuthorization.mockResolvedValue(
-      new Set<RegistryAlertTypeWithAuth>([
-        { ...myAppAlertType, authorizedConsumers },
-        { ...alertingAlertType, authorizedConsumers },
+    ruleTypeRegistry.has.mockReturnValue(true);
+
+    authorization.getAuthorizedRuleTypes.mockResolvedValue(
+      new Map([
+        [myAppAlertType.id, { authorizedConsumers }],
+        [alertingAlertType.id, { authorizedConsumers }],
       ])
     );
-    expect(await rulesClient.listRuleTypes()).toEqual(
-      new Set([
-        { ...myAppAlertType, authorizedConsumers },
-        { ...alertingAlertType, authorizedConsumers },
+
+    expect(await rulesClient.listRuleTypes()).toMatchInlineSnapshot(`
+      Array [
+        Object {
+          "actionGroups": Array [],
+          "actionVariables": undefined,
+          "authorizedConsumers": Object {
+            "alerts": Object {
+              "all": true,
+              "read": true,
+            },
+            "myApp": Object {
+              "all": true,
+              "read": true,
+            },
+            "myOtherApp": Object {
+              "all": true,
+              "read": true,
+            },
+          },
+          "category": "test",
+          "defaultActionGroupId": "default",
+          "enabledInLicense": true,
+          "hasAlertsMappings": false,
+          "hasFieldsForAAD": false,
+          "id": "myAppAlertType",
+          "isExportable": true,
+          "minimumLicenseRequired": "basic",
+          "name": "myAppAlertType",
+          "producer": "myApp",
+          "recoveryActionGroup": Object {
+            "id": "recovered",
+            "name": "Recovered",
+          },
+          "validLegacyConsumers": Array [],
+        },
+        Object {
+          "actionGroups": Array [],
+          "actionVariables": undefined,
+          "authorizedConsumers": Object {
+            "alerts": Object {
+              "all": true,
+              "read": true,
+            },
+            "myApp": Object {
+              "all": true,
+              "read": true,
+            },
+            "myOtherApp": Object {
+              "all": true,
+              "read": true,
+            },
+          },
+          "category": "test",
+          "defaultActionGroupId": "default",
+          "enabledInLicense": true,
+          "hasAlertsMappings": false,
+          "hasFieldsForAAD": false,
+          "id": "alertingAlertType",
+          "isExportable": true,
+          "minimumLicenseRequired": "basic",
+          "name": "alertingAlertType",
+          "producer": "alerts",
+          "recoveryActionGroup": Object {
+            "id": "recovered",
+            "name": "Recovered",
+          },
+          "validLegacyConsumers": Array [],
+        },
+      ]
+    `);
+  });
+
+  test('should filter out rule types that are not registered in the registry', async () => {
+    ruleTypeRegistry.list.mockReturnValue(setOfAlertTypes);
+    ruleTypeRegistry.has.mockImplementation((id: string) => id === myAppAlertType.id);
+
+    authorization.getAuthorizedRuleTypes.mockResolvedValue(
+      new Map([
+        [myAppAlertType.id, { authorizedConsumers }],
+        [alertingAlertType.id, { authorizedConsumers }],
       ])
     );
+
+    expect(await rulesClient.listRuleTypes()).toMatchInlineSnapshot(`
+      Array [
+        Object {
+          "actionGroups": Array [],
+          "actionVariables": undefined,
+          "authorizedConsumers": Object {
+            "alerts": Object {
+              "all": true,
+              "read": true,
+            },
+            "myApp": Object {
+              "all": true,
+              "read": true,
+            },
+            "myOtherApp": Object {
+              "all": true,
+              "read": true,
+            },
+          },
+          "category": "test",
+          "defaultActionGroupId": "default",
+          "enabledInLicense": true,
+          "hasAlertsMappings": false,
+          "hasFieldsForAAD": false,
+          "id": "myAppAlertType",
+          "isExportable": true,
+          "minimumLicenseRequired": "basic",
+          "name": "myAppAlertType",
+          "producer": "myApp",
+          "recoveryActionGroup": Object {
+            "id": "recovered",
+            "name": "Recovered",
+          },
+          "validLegacyConsumers": Array [],
+        },
+      ]
+    `);
   });
 
   describe('authorization', () => {
-    const listedTypes = new Set<RegistryRuleType>([
-      {
-        actionGroups: [],
-        actionVariables: undefined,
-        defaultActionGroupId: 'default',
-        minimumLicenseRequired: 'basic',
-        isExportable: true,
-        recoveryActionGroup: RecoveredActionGroup,
-        id: 'myType',
-        name: 'myType',
-        category: 'test',
-        producer: 'myApp',
-        enabledInLicense: true,
-        hasAlertsMappings: false,
-        hasFieldsForAAD: false,
-        validLegacyConsumers: [],
-      },
-      {
-        id: 'myOtherType',
-        name: 'Test',
-        actionGroups: [{ id: 'default', name: 'Default' }],
-        defaultActionGroupId: 'default',
-        minimumLicenseRequired: 'basic',
-        isExportable: true,
-        recoveryActionGroup: RecoveredActionGroup,
-        category: 'test',
-        producer: 'alerts',
-        enabledInLicense: true,
-        hasAlertsMappings: false,
-        hasFieldsForAAD: false,
-        validLegacyConsumers: [],
-      },
-    ]);
-    beforeEach(() => {
-      ruleTypeRegistry.list.mockReturnValue(listedTypes);
-    });
-
-    test('should return a list of AlertTypes that exist in the registry only if the user is authorised to get them', async () => {
-      const authorizedTypes = new Set<RegistryAlertTypeWithAuth>([
+    const listedTypes = new Map<string, RegistryRuleType>([
+      [
+        'myType',
         {
+          actionGroups: [],
+          actionVariables: undefined,
+          defaultActionGroupId: 'default',
+          minimumLicenseRequired: 'basic',
+          isExportable: true,
+          recoveryActionGroup: RecoveredActionGroup,
           id: 'myType',
+          name: 'myType',
+          category: 'test',
+          producer: 'myApp',
+          enabledInLicense: true,
+          hasAlertsMappings: false,
+          hasFieldsForAAD: false,
+          validLegacyConsumers: [],
+        },
+      ],
+      [
+        'myOtherType',
+        {
+          id: 'myOtherType',
           name: 'Test',
           actionGroups: [{ id: 'default', name: 'Default' }],
           defaultActionGroupId: 'default',
@@ -182,18 +284,62 @@ describe('listRuleTypes', () => {
           recoveryActionGroup: RecoveredActionGroup,
           category: 'test',
           producer: 'alerts',
-          authorizedConsumers: {
-            myApp: { read: true, all: true },
-          },
           enabledInLicense: true,
           hasAlertsMappings: false,
           hasFieldsForAAD: false,
           validLegacyConsumers: [],
         },
-      ]);
-      authorization.filterByRuleTypeAuthorization.mockResolvedValue(authorizedTypes);
+      ],
+    ]);
+
+    beforeEach(() => {
+      ruleTypeRegistry.list.mockReturnValue(listedTypes);
+      ruleTypeRegistry.has.mockReturnValue(true);
+    });
 
-      expect(await rulesClient.listRuleTypes()).toEqual(authorizedTypes);
+    test('should return a list of AlertTypes that exist in the registry only if the user is authorized to get them', async () => {
+      authorization.getAuthorizedRuleTypes.mockResolvedValue(
+        new Map([
+          [
+            'myType',
+            {
+              authorizedConsumers: {
+                myApp: { read: true, all: true },
+              },
+            },
+          ],
+        ])
+      );
+
+      expect(await rulesClient.listRuleTypes()).toMatchInlineSnapshot(`
+        Array [
+          Object {
+            "actionGroups": Array [],
+            "actionVariables": undefined,
+            "authorizedConsumers": Object {
+              "myApp": Object {
+                "all": true,
+                "read": true,
+              },
+            },
+            "category": "test",
+            "defaultActionGroupId": "default",
+            "enabledInLicense": true,
+            "hasAlertsMappings": false,
+            "hasFieldsForAAD": false,
+            "id": "myType",
+            "isExportable": true,
+            "minimumLicenseRequired": "basic",
+            "name": "myType",
+            "producer": "myApp",
+            "recoveryActionGroup": Object {
+              "id": "recovered",
+              "name": "Recovered",
+            },
+            "validLegacyConsumers": Array [],
+          },
+        ]
+      `);
     });
   });
 });
diff --git a/x-pack/plugins/alerting/server/rules_client/types.ts b/x-pack/plugins/alerting/server/rules_client/types.ts
index 9a701e1c95c81..afcb4e1037a6c 100644
--- a/x-pack/plugins/alerting/server/rules_client/types.ts
+++ b/x-pack/plugins/alerting/server/rules_client/types.ts
@@ -23,7 +23,6 @@ import { TaskManagerStartContract } from '@kbn/task-manager-plugin/server';
 import { IEventLogClient, IEventLogger } from '@kbn/event-log-plugin/server';
 import { AuditLogger } from '@kbn/security-plugin/server';
 import { DistributiveOmit } from '@elastic/eui';
-import { RegistryRuleType } from '../rule_type_registry';
 import {
   RuleTypeRegistry,
   IntervalSchedule,
@@ -108,9 +107,6 @@ export type NormalizedAlertActionWithGeneratedValues =
   | NormalizedAlertDefaultActionWithGeneratedValues
   | NormalizedAlertSystemActionWithGeneratedValues;
 
-export interface RegistryAlertTypeWithAuth extends RegistryRuleType {
-  authorizedConsumers: string[];
-}
 export type CreateAPIKeyResult =
   | { apiKeysEnabled: false }
   | { apiKeysEnabled: true; result: SecurityPluginGrantAPIKeyResult };
diff --git a/x-pack/plugins/alerting/server/rules_client_factory.test.ts b/x-pack/plugins/alerting/server/rules_client_factory.test.ts
index 4cd7ffbcf0c6c..9af5962915d72 100644
--- a/x-pack/plugins/alerting/server/rules_client_factory.test.ts
+++ b/x-pack/plugins/alerting/server/rules_client_factory.test.ts
@@ -98,11 +98,11 @@ test('creates a rules client with proper constructor arguments when security is
   const request = mockRouter.createKibanaRequest();
 
   savedObjectsService.getScopedClient.mockReturnValue(savedObjectsClient);
-  alertingAuthorizationClientFactory.create.mockReturnValue(
+  alertingAuthorizationClientFactory.create.mockResolvedValue(
     alertingAuthorization as unknown as AlertingAuthorization
   );
 
-  factory.create(request, savedObjectsService);
+  await factory.create(request, savedObjectsService);
 
   expect(savedObjectsService.getScopedClient).toHaveBeenCalledWith(request, {
     excludedExtensions: [SECURITY_EXTENSION_ID],
@@ -154,11 +154,11 @@ test('creates a rules client with proper constructor arguments', async () => {
   const request = mockRouter.createKibanaRequest();
 
   savedObjectsService.getScopedClient.mockReturnValue(savedObjectsClient);
-  alertingAuthorizationClientFactory.create.mockReturnValue(
+  alertingAuthorizationClientFactory.create.mockResolvedValue(
     alertingAuthorization as unknown as AlertingAuthorization
   );
 
-  factory.create(request, savedObjectsService);
+  await factory.create(request, savedObjectsService);
 
   expect(savedObjectsService.getScopedClient).toHaveBeenCalledWith(request, {
     excludedExtensions: [SECURITY_EXTENSION_ID],
@@ -203,7 +203,7 @@ test('creates a rules client with proper constructor arguments', async () => {
 test('getUserName() returns null when security is disabled', async () => {
   const factory = new RulesClientFactory();
   factory.initialize(rulesClientFactoryParams);
-  factory.create(mockRouter.createKibanaRequest(), savedObjectsService);
+  await factory.create(mockRouter.createKibanaRequest(), savedObjectsService);
   const constructorCall = jest.requireMock('./rules_client').RulesClient.mock.calls[0][0];
 
   const userNameResult = await constructorCall.getUserName();
@@ -216,7 +216,7 @@ test('getUserName() returns a name when security is enabled', async () => {
     ...rulesClientFactoryParams,
     securityService,
   });
-  factory.create(mockRouter.createKibanaRequest(), savedObjectsService);
+  await factory.create(mockRouter.createKibanaRequest(), savedObjectsService);
   const constructorCall = jest.requireMock('./rules_client').RulesClient.mock.calls[0][0];
 
   securityService.authc.getCurrentUser.mockReturnValueOnce({
@@ -229,7 +229,7 @@ test('getUserName() returns a name when security is enabled', async () => {
 test('getActionsClient() returns ActionsClient', async () => {
   const factory = new RulesClientFactory();
   factory.initialize(rulesClientFactoryParams);
-  factory.create(mockRouter.createKibanaRequest(), savedObjectsService);
+  await factory.create(mockRouter.createKibanaRequest(), savedObjectsService);
   const constructorCall = jest.requireMock('./rules_client').RulesClient.mock.calls[0][0];
 
   const actionsClient = await constructorCall.getActionsClient();
@@ -239,7 +239,7 @@ test('getActionsClient() returns ActionsClient', async () => {
 test('createAPIKey() returns { apiKeysEnabled: false } when security is disabled', async () => {
   const factory = new RulesClientFactory();
   factory.initialize(rulesClientFactoryParams);
-  factory.create(mockRouter.createKibanaRequest(), savedObjectsService);
+  await factory.create(mockRouter.createKibanaRequest(), savedObjectsService);
   const constructorCall = jest.requireMock('./rules_client').RulesClient.mock.calls[0][0];
 
   const createAPIKeyResult = await constructorCall.createAPIKey();
@@ -249,7 +249,7 @@ test('createAPIKey() returns { apiKeysEnabled: false } when security is disabled
 test('createAPIKey() returns { apiKeysEnabled: false } when security is enabled but ES security is disabled', async () => {
   const factory = new RulesClientFactory();
   factory.initialize(rulesClientFactoryParams);
-  factory.create(mockRouter.createKibanaRequest(), savedObjectsService);
+  await factory.create(mockRouter.createKibanaRequest(), savedObjectsService);
   const constructorCall = jest.requireMock('./rules_client').RulesClient.mock.calls[0][0];
 
   securityPluginStart.authc.apiKeys.grantAsInternalUser.mockResolvedValueOnce(null);
@@ -265,7 +265,7 @@ test('createAPIKey() returns an API key when security is enabled', async () => {
     securityPluginSetup,
     securityPluginStart,
   });
-  factory.create(mockRouter.createKibanaRequest(), savedObjectsService);
+  await factory.create(mockRouter.createKibanaRequest(), savedObjectsService);
   const constructorCall = jest.requireMock('./rules_client').RulesClient.mock.calls[0][0];
 
   securityPluginStart.authc.apiKeys.grantAsInternalUser.mockResolvedValueOnce({
@@ -296,7 +296,7 @@ test('createAPIKey() throws when security plugin createAPIKey throws an error',
     securityPluginSetup,
     securityPluginStart,
   });
-  factory.create(mockRouter.createKibanaRequest(), savedObjectsService);
+  await factory.create(mockRouter.createKibanaRequest(), savedObjectsService);
   const constructorCall = jest.requireMock('./rules_client').RulesClient.mock.calls[0][0];
 
   securityPluginStart.authc.apiKeys.grantAsInternalUser.mockRejectedValueOnce(
diff --git a/x-pack/plugins/alerting/server/rules_client_factory.ts b/x-pack/plugins/alerting/server/rules_client_factory.ts
index f28170b277ac4..f56b0840317bb 100644
--- a/x-pack/plugins/alerting/server/rules_client_factory.ts
+++ b/x-pack/plugins/alerting/server/rules_client_factory.ts
@@ -115,7 +115,10 @@ export class RulesClientFactory {
     this.securityService = options.securityService;
   }
 
-  public create(request: KibanaRequest, savedObjects: SavedObjectsServiceStart): RulesClient {
+  public async create(
+    request: KibanaRequest,
+    savedObjects: SavedObjectsServiceStart
+  ): Promise<RulesClient> {
     const { securityPluginSetup, securityService, securityPluginStart, actions, eventLog } = this;
     const spaceId = this.getSpaceId(request);
 
@@ -123,6 +126,8 @@ export class RulesClientFactory {
       throw new Error('AlertingAuthorizationClientFactory is not defined');
     }
 
+    const authorization = await this.authorization.create(request);
+
     return new RulesClient({
       spaceId,
       kibanaVersion: this.kibanaVersion,
@@ -139,7 +144,7 @@ export class RulesClientFactory {
           AD_HOC_RUN_SAVED_OBJECT_TYPE,
         ],
       }),
-      authorization: this.authorization.create(request),
+      authorization,
       actionsAuthorization: actions.getActionsAuthorizationWithRequest(request),
       namespace: this.spaceIdToNamespace(spaceId),
       internalSavedObjectsRepository: this.internalSavedObjectsRepository,
@@ -169,6 +174,7 @@ export class RulesClientFactory {
         if (!createAPIKeyResult) {
           return { apiKeysEnabled: false };
         }
+
         return {
           apiKeysEnabled: true,
           result: createAPIKeyResult,
diff --git a/x-pack/plugins/alerting/server/task_runner/rule_loader.test.ts b/x-pack/plugins/alerting/server/task_runner/rule_loader.test.ts
index 4690ccc653a32..c5e833dee1058 100644
--- a/x-pack/plugins/alerting/server/task_runner/rule_loader.test.ts
+++ b/x-pack/plugins/alerting/server/task_runner/rule_loader.test.ts
@@ -113,7 +113,7 @@ describe('rule_loader', () => {
       });
     });
 
-    test('throws when rule is not enabled', async () => {
+    test('throws when rule is not enabled', () => {
       let outcome = 'success';
       try {
         validateRuleAndCreateFakeRequest({
@@ -128,7 +128,7 @@ describe('rule_loader', () => {
       expect(outcome).toBe('failure');
     });
 
-    test('throws when rule type is not enabled', async () => {
+    test('throws when rule type is not enabled', () => {
       ruleTypeRegistry.ensureRuleTypeEnabled.mockImplementation(() => {
         throw new Error('rule-type-not-enabled: 2112');
       });
@@ -148,7 +148,7 @@ describe('rule_loader', () => {
       expect(outcome).toBe('failure');
     });
 
-    test('test throws when rule params fail validation', async () => {
+    test('test throws when rule params fail validation', () => {
       mockGetAlertFromRaw.mockReturnValueOnce({
         name: ruleName,
         alertTypeId: ruleTypeId,
diff --git a/x-pack/plugins/alerting/server/types.ts b/x-pack/plugins/alerting/server/types.ts
index c7ef8f563843c..4c3d9ee57f51d 100644
--- a/x-pack/plugins/alerting/server/types.ts
+++ b/x-pack/plugins/alerting/server/types.ts
@@ -29,7 +29,7 @@ import { Alert } from '@kbn/alerts-as-data-utils';
 import { ActionsApiRequestHandlerContext } from '@kbn/actions-plugin/server';
 import { AlertsHealth } from '@kbn/alerting-types';
 import { RuleTypeRegistry as OrigruleTypeRegistry } from './rule_type_registry';
-import { PluginSetupContract, PluginStartContract } from './plugin';
+import { AlertingServerSetup, AlertingServerStart } from './plugin';
 import { RulesClient } from './rules_client';
 import {
   RulesSettingsClient,
@@ -62,7 +62,7 @@ export type { RuleTypeParams };
  * @public
  */
 export interface AlertingApiRequestHandlerContext {
-  getRulesClient: () => RulesClient;
+  getRulesClient: () => Promise<RulesClient>;
   getRulesSettingsClient: (withoutAuth?: boolean) => RulesSettingsClient;
   getMaintenanceWindowClient: () => MaintenanceWindowClient;
   listTypes: RuleTypeRegistry['list'];
@@ -362,8 +362,8 @@ export type PartialRuleWithLegacyId<Params extends RuleTypeParams = never> = Pic
   Partial<Omit<RuleWithLegacyId<Params>, 'id'>>;
 
 export interface AlertingPlugin {
-  setup: PluginSetupContract;
-  start: PluginStartContract;
+  setup: AlertingServerSetup;
+  start: AlertingServerStart;
 }
 
 export interface AlertsConfigType {
diff --git a/x-pack/plugins/alerting/tsconfig.json b/x-pack/plugins/alerting/tsconfig.json
index d261a00db74ca..6019f8711d681 100644
--- a/x-pack/plugins/alerting/tsconfig.json
+++ b/x-pack/plugins/alerting/tsconfig.json
@@ -70,9 +70,11 @@
     "@kbn/search-types",
     "@kbn/alerting-state-types",
     "@kbn/core-security-server",
+    "@kbn/security-plugin-types-server",
     "@kbn/core-http-server",
     "@kbn/zod",
     "@kbn/core-saved-objects-base-server-internal",
+    "@kbn/core-security-server-mocks",
     "@kbn/response-ops-rule-params",
     "@kbn/core-http-server-utils"
   ],
diff --git a/x-pack/plugins/cases/common/constants/owner.test.ts b/x-pack/plugins/cases/common/constants/owner.test.ts
index 07b6866f857a4..b53f177dd7d29 100644
--- a/x-pack/plugins/cases/common/constants/owner.test.ts
+++ b/x-pack/plugins/cases/common/constants/owner.test.ts
@@ -10,7 +10,11 @@ import { OWNER_INFO } from './owners';
 
 describe('OWNER_INFO', () => {
   it('should use all available rule consumers', () => {
-    const allConsumers = new Set(Object.values(AlertConsumers));
+    const allConsumers = new Set(
+      // Alerts consumer fallbacks to producer so it is not counted as valid one
+      Object.values(AlertConsumers).filter((consumer) => consumer !== AlertConsumers.ALERTS)
+    );
+
     const ownersMappingConsumers = new Set(
       Object.values(OWNER_INFO)
         .map((value) => value.validRuleConsumers ?? [])
diff --git a/x-pack/plugins/cases/common/constants/owners.ts b/x-pack/plugins/cases/common/constants/owners.ts
index a7628628a7dcc..79db38345e566 100644
--- a/x-pack/plugins/cases/common/constants/owners.ts
+++ b/x-pack/plugins/cases/common/constants/owners.ts
@@ -59,6 +59,11 @@ export const OWNER_INFO: Record<Owner, RouteInfo> = {
     label: 'Management',
     iconType: 'managementApp',
     appRoute: '/app/management/insightsAndAlerting',
-    validRuleConsumers: [AlertConsumers.ML, AlertConsumers.STACK_ALERTS, AlertConsumers.EXAMPLE],
+    validRuleConsumers: [
+      AlertConsumers.ML,
+      AlertConsumers.STACK_ALERTS,
+      AlertConsumers.EXAMPLE,
+      AlertConsumers.DISCOVER,
+    ],
   },
 } as const;
diff --git a/x-pack/plugins/cases/common/utils/owner.test.ts b/x-pack/plugins/cases/common/utils/owner.test.ts
index a6f7c99f540bb..4e005750ad36f 100644
--- a/x-pack/plugins/cases/common/utils/owner.test.ts
+++ b/x-pack/plugins/cases/common/utils/owner.test.ts
@@ -40,7 +40,7 @@ describe('owner utils', () => {
       validRuleConsumers: item.validRuleConsumers,
     }));
 
-    it.each(owners)('returns owner %s correctly for consumer', (owner) => {
+    it.each(owners)('returns owner %j correctly for consumer', (owner) => {
       for (const consumer of owner.validRuleConsumers ?? []) {
         const result = getOwnerFromRuleConsumerProducer({ consumer });
 
@@ -48,7 +48,7 @@ describe('owner utils', () => {
       }
     });
 
-    it.each(owners)('returns owner %s correctly for producer', (owner) => {
+    it.each(owners)('returns owner %j correctly for producer', (owner) => {
       for (const producer of owner.validRuleConsumers ?? []) {
         const result = getOwnerFromRuleConsumerProducer({ producer });
 
@@ -80,5 +80,14 @@ describe('owner utils', () => {
 
       expect(owner).toBe(OWNER_INFO.securitySolution.id);
     });
+
+    it('fallbacks to producer when the consumer is alerts', () => {
+      const owner = getOwnerFromRuleConsumerProducer({
+        consumer: AlertConsumers.ALERTS,
+        producer: AlertConsumers.OBSERVABILITY,
+      });
+
+      expect(owner).toBe(OWNER_INFO.observability.id);
+    });
   });
 });
diff --git a/x-pack/plugins/cases/common/utils/owner.ts b/x-pack/plugins/cases/common/utils/owner.ts
index 7bde7220233db..d159a3d55ee7a 100644
--- a/x-pack/plugins/cases/common/utils/owner.ts
+++ b/x-pack/plugins/cases/common/utils/owner.ts
@@ -5,6 +5,7 @@
  * 2.0.
  */
 
+import { AlertConsumers } from '@kbn/rule-data-utils';
 import { OWNER_INFO } from '../constants';
 import type { Owner } from '../constants/types';
 
@@ -29,9 +30,12 @@ export const getOwnerFromRuleConsumerProducer = ({
     return OWNER_INFO.securitySolution.id;
   }
 
+  // Fallback to producer if the consumer is alerts
+  const consumerValue = consumer === AlertConsumers.ALERTS ? producer : consumer;
+
   for (const value of Object.values(OWNER_INFO)) {
     const foundConsumer = value.validRuleConsumers?.find(
-      (validConsumer) => validConsumer === consumer || validConsumer === producer
+      (validConsumer) => validConsumer === consumerValue || validConsumer === producer
     );
 
     if (foundConsumer) {
diff --git a/x-pack/plugins/cases/public/components/case_view/components/case_view_alerts.test.tsx b/x-pack/plugins/cases/public/components/case_view/components/case_view_alerts.test.tsx
index fe2deb74dfa10..7366acf6e051f 100644
--- a/x-pack/plugins/cases/public/components/case_view/components/case_view_alerts.test.tsx
+++ b/x-pack/plugins/cases/public/components/case_view/components/case_view_alerts.test.tsx
@@ -15,6 +15,7 @@ import type { CaseUI } from '../../../../common';
 import { CaseViewAlerts } from './case_view_alerts';
 import * as api from '../../../containers/api';
 import type { FeatureIdsResponse } from '../../../containers/types';
+import { SECURITY_SOLUTION_RULE_TYPE_IDS } from '@kbn/securitysolution-rules';
 
 jest.mock('../../../containers/api');
 
@@ -54,7 +55,7 @@ describe('CaseUI View Page activity tab', () => {
       expect(getAlertsStateTableMock).toHaveBeenCalledWith({
         alertsTableConfigurationRegistry: expect.anything(),
         configurationId: 'securitySolution-case',
-        featureIds: ['siem'],
+        ruleTypeIds: SECURITY_SOLUTION_RULE_TYPE_IDS,
         id: 'case-details-alerts-securitySolution',
         query: {
           ids: {
@@ -88,7 +89,8 @@ describe('CaseUI View Page activity tab', () => {
       expect(getAlertsStateTableMock).toHaveBeenCalledWith({
         alertsTableConfigurationRegistry: expect.anything(),
         configurationId: 'case-details-alerts-observability',
-        featureIds: ['observability'],
+        ruleTypeIds: ['log-threshold'],
+        consumers: ['observability'],
         id: 'case-details-alerts-observability',
         query: {
           ids: {
diff --git a/x-pack/plugins/cases/public/components/case_view/components/case_view_alerts.tsx b/x-pack/plugins/cases/public/components/case_view/components/case_view_alerts.tsx
index 9570bee46b3fe..6f8223b5305f1 100644
--- a/x-pack/plugins/cases/public/components/case_view/components/case_view_alerts.tsx
+++ b/x-pack/plugins/cases/public/components/case_view/components/case_view_alerts.tsx
@@ -8,8 +8,8 @@
 import React, { useMemo } from 'react';
 
 import { EuiFlexItem, EuiFlexGroup, EuiProgress } from '@elastic/eui';
-import type { ValidFeatureId } from '@kbn/rule-registry-plugin/common/technical_rule_data_field_names';
-import { AlertConsumers } from '@kbn/rule-registry-plugin/common/technical_rule_data_field_names';
+import type { AlertsTableStateProps } from '@kbn/triggers-actions-ui-plugin/public/application/sections/alerts_table/alerts_table_state';
+import { SECURITY_SOLUTION_RULE_TYPE_IDS } from '@kbn/securitysolution-rules';
 import { SECURITY_SOLUTION_OWNER } from '../../../../common/constants';
 import type { CaseUI } from '../../../../common';
 import { useKibana } from '../../../common/lib/kibana';
@@ -49,14 +49,16 @@ export const CaseViewAlerts = ({ caseData, onAlertsTableLoaded }: CaseViewAlerts
         )
       : '';
 
-  const alertStateProps = useMemo(
+  const alertStateProps: AlertsTableStateProps = useMemo(
     () => ({
       alertsTableConfigurationRegistry: triggersActionsUi.alertsTableConfigurationRegistry,
       configurationId: configId,
       id: `case-details-alerts-${caseData.owner}`,
-      featureIds: (caseData.owner === SECURITY_SOLUTION_OWNER
-        ? [AlertConsumers.SIEM]
-        : alertData?.featureIds ?? []) as ValidFeatureId[],
+      ruleTypeIds:
+        caseData.owner === SECURITY_SOLUTION_OWNER
+          ? SECURITY_SOLUTION_RULE_TYPE_IDS
+          : alertData?.ruleTypeIds ?? [],
+      consumers: alertData?.featureIds,
       query: alertIdsQuery,
       showAlertStatusWithFlapping: caseData.owner !== SECURITY_SOLUTION_OWNER,
       onLoaded: onAlertsTableLoaded,
@@ -65,6 +67,7 @@ export const CaseViewAlerts = ({ caseData, onAlertsTableLoaded }: CaseViewAlerts
       triggersActionsUi.alertsTableConfigurationRegistry,
       configId,
       caseData.owner,
+      alertData?.ruleTypeIds,
       alertData?.featureIds,
       alertIdsQuery,
       onAlertsTableLoaded,
diff --git a/x-pack/plugins/cases/public/components/system_actions/cases/cases_params.tsx b/x-pack/plugins/cases/public/components/system_actions/cases/cases_params.tsx
index 9fabf39db0bc4..e77e8313c6963 100644
--- a/x-pack/plugins/cases/public/components/system_actions/cases/cases_params.tsx
+++ b/x-pack/plugins/cases/public/components/system_actions/cases/cases_params.tsx
@@ -8,7 +8,6 @@
 import React, { memo, useCallback, useEffect, useMemo } from 'react';
 
 import type { ActionParamsProps } from '@kbn/triggers-actions-ui-plugin/public/types';
-import type { AlertConsumers, ValidFeatureId } from '@kbn/rule-data-utils';
 import type { EuiComboBoxOptionOption } from '@elastic/eui';
 import {
   EuiCheckbox,
@@ -37,7 +36,7 @@ const DEFAULT_EMPTY_TEMPLATE_KEY = 'defaultEmptyTemplateKey';
 
 export const CasesParamsFieldsComponent: React.FunctionComponent<
   ActionParamsProps<CasesActionParams>
-> = ({ actionParams, editAction, errors, index, producerId, featureId }) => {
+> = ({ actionParams, editAction, errors, index, producerId, featureId, ruleTypeId }) => {
   const {
     cloud,
     data: { dataViews: dataViewsService },
@@ -58,9 +57,7 @@ export const CasesParamsFieldsComponent: React.FunctionComponent<
     http,
     toasts,
     dataViewsService,
-    featureIds: producerId
-      ? [producerId as Exclude<ValidFeatureId, typeof AlertConsumers.SIEM>]
-      : [],
+    ruleTypeIds: ruleTypeId ? [ruleTypeId] : [],
   });
 
   const { data: configurations, isLoading: isLoadingCaseConfiguration } =
diff --git a/x-pack/plugins/cases/server/connectors/cases/index.test.ts b/x-pack/plugins/cases/server/connectors/cases/index.test.ts
index 7b6d244d165b3..c0480d694184f 100644
--- a/x-pack/plugins/cases/server/connectors/cases/index.test.ts
+++ b/x-pack/plugins/cases/server/connectors/cases/index.test.ts
@@ -366,7 +366,7 @@ describe('getCasesConnectorType', () => {
 
         expect(
           adapter.getKibanaPrivileges?.({
-            consumer: 'alerting',
+            consumer: 'not-exist',
             producer: AlertConsumers.LOGS,
           })
         ).toEqual([
@@ -387,7 +387,7 @@ describe('getCasesConnectorType', () => {
 
         expect(
           adapter.getKibanaPrivileges?.({
-            consumer: 'alerting',
+            consumer: 'alerts',
             producer: AlertConsumers.LOGS,
           })
         ).toEqual([
diff --git a/x-pack/plugins/cases/server/connectors/cases/index.ts b/x-pack/plugins/cases/server/connectors/cases/index.ts
index 07b4ab5e29551..b630de5209e2d 100644
--- a/x-pack/plugins/cases/server/connectors/cases/index.ts
+++ b/x-pack/plugins/cases/server/connectors/cases/index.ts
@@ -95,7 +95,7 @@ export const getCasesConnectorAdapter = ({
   return {
     connectorTypeId: CASES_CONNECTOR_ID,
     ruleActionParamsSchema: CasesConnectorRuleActionParamsSchema,
-    buildActionParams: ({ alerts, rule, params, spaceId, ruleUrl }) => {
+    buildActionParams: ({ alerts, rule, params, ruleUrl }) => {
       const caseAlerts = [...alerts.new.data, ...alerts.ongoing.data];
 
       const owner = getOwnerFromRuleConsumerProducer({
diff --git a/x-pack/plugins/cases/server/connectors/index.ts b/x-pack/plugins/cases/server/connectors/index.ts
index 0b0f201b46d42..56dcddfbee76a 100644
--- a/x-pack/plugins/cases/server/connectors/index.ts
+++ b/x-pack/plugins/cases/server/connectors/index.ts
@@ -9,7 +9,7 @@ import type { PluginSetupContract as ActionsPluginSetupContract } from '@kbn/act
 import type { KibanaRequest } from '@kbn/core-http-server';
 import type { CoreSetup, SavedObjectsClientContract } from '@kbn/core/server';
 import { SECURITY_EXTENSION_ID } from '@kbn/core/server';
-import type { PluginSetupContract as AlertingPluginSetup } from '@kbn/alerting-plugin/server';
+import type { AlertingServerSetup } from '@kbn/alerting-plugin/server';
 import type { CasesClient } from '../client';
 import { getCasesConnectorAdapter, getCasesConnectorType } from './cases';
 
@@ -25,7 +25,7 @@ export function registerConnectorTypes({
   isServerlessSecurity,
 }: {
   actions: ActionsPluginSetupContract;
-  alerting: AlertingPluginSetup;
+  alerting: AlertingServerSetup;
   core: CoreSetup;
   getCasesClient: (request: KibanaRequest) => Promise<CasesClient>;
   getSpaceId: (request?: KibanaRequest) => string;
diff --git a/x-pack/plugins/cases/server/types.ts b/x-pack/plugins/cases/server/types.ts
index a51817c9d7e58..8606808e1c183 100644
--- a/x-pack/plugins/cases/server/types.ts
+++ b/x-pack/plugins/cases/server/types.ts
@@ -29,7 +29,7 @@ import type { UsageCollectionSetup } from '@kbn/usage-collection-plugin/server';
 import type { LicensingPluginSetup, LicensingPluginStart } from '@kbn/licensing-plugin/server';
 import type { NotificationsPluginStart } from '@kbn/notifications-plugin/server';
 import type { RuleRegistryPluginStartContract } from '@kbn/rule-registry-plugin/server';
-import type { PluginSetupContract as AlertingPluginSetup } from '@kbn/alerting-plugin/server';
+import type { AlertingServerSetup } from '@kbn/alerting-plugin/server';
 import type { CloudSetup } from '@kbn/cloud-plugin/server';
 import type { CasesClient } from './client';
 import type { AttachmentFramework } from './attachment_framework/types';
@@ -37,7 +37,7 @@ import type { ExternalReferenceAttachmentTypeRegistry } from './attachment_frame
 import type { PersistableStateAttachmentTypeRegistry } from './attachment_framework/persistable_state_registry';
 
 export interface CasesServerSetupDependencies {
-  alerting: AlertingPluginSetup;
+  alerting: AlertingServerSetup;
   actions: ActionsPluginSetup;
   lens: LensServerPluginSetup;
   features: FeaturesPluginSetup;
diff --git a/x-pack/plugins/cases/tsconfig.json b/x-pack/plugins/cases/tsconfig.json
index 48ca36a02b2be..2a77cb0e7b5a1 100644
--- a/x-pack/plugins/cases/tsconfig.json
+++ b/x-pack/plugins/cases/tsconfig.json
@@ -74,6 +74,7 @@
     "@kbn/core-logging-server-mocks",
     "@kbn/core-logging-browser-mocks",
     "@kbn/presentation-publishing",
+    "@kbn/securitysolution-rules",
     "@kbn/alerts-ui-shared",
     "@kbn/cloud-plugin",
     "@kbn/core-http-server-mocks",
diff --git a/x-pack/plugins/cloud_security_posture/server/routes/benchmark_rules/bulk_action/bulk_action.ts b/x-pack/plugins/cloud_security_posture/server/routes/benchmark_rules/bulk_action/bulk_action.ts
index b72cb27088eda..52a7c8b555094 100644
--- a/x-pack/plugins/cloud_security_posture/server/routes/benchmark_rules/bulk_action/bulk_action.ts
+++ b/x-pack/plugins/cloud_security_posture/server/routes/benchmark_rules/bulk_action/bulk_action.ts
@@ -31,7 +31,7 @@ import { bulkActionBenchmarkRulesHandler } from './v1';
 	    // ... (additional benchmark rules)
 	  ];
 	}
-	
+
 	Response:
 	{
 	  updated_benchmark_rules: CspBenchmarkRulesStates; Benchmark rules object that were affected
@@ -67,7 +67,7 @@ export const defineBulkActionCspBenchmarkRulesRoute = (router: CspRouter) =>
 
           const benchmarkRulesToUpdate = requestBody.rules;
 
-          const detectionRulesClient = (await context.alerting).getRulesClient();
+          const detectionRulesClient = await (await context.alerting).getRulesClient();
 
           const handlerResponse = await bulkActionBenchmarkRulesHandler(
             cspContext.soClient,
diff --git a/x-pack/plugins/features/common/alerting_kibana_privilege.ts b/x-pack/plugins/features/common/alerting_kibana_privilege.ts
new file mode 100644
index 0000000000000..4a435b5c651c7
--- /dev/null
+++ b/x-pack/plugins/features/common/alerting_kibana_privilege.ts
@@ -0,0 +1,18 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+/**
+ * Interface for registering an alerting privilege.
+ * Alerting privilege registration allows plugins to
+ * specify for which rule types and consumers the feature
+ * has access to.
+ */
+
+export type AlertingKibanaPrivilege = ReadonlyArray<{
+  ruleTypeId: string;
+  consumers: readonly string[];
+}>;
diff --git a/x-pack/plugins/features/common/feature_kibana_privileges.ts b/x-pack/plugins/features/common/feature_kibana_privileges.ts
index 1939d0b5e4e49..a7d39669ef00a 100644
--- a/x-pack/plugins/features/common/feature_kibana_privileges.ts
+++ b/x-pack/plugins/features/common/feature_kibana_privileges.ts
@@ -5,6 +5,7 @@
  * 2.0.
  */
 
+import { AlertingKibanaPrivilege } from './alerting_kibana_privilege';
 import { FeatureKibanaPrivilegesReference } from './feature_kibana_privileges_reference';
 
 /**
@@ -97,47 +98,47 @@ export interface FeatureKibanaPrivileges {
   alerting?: {
     rule?: {
       /**
-       * List of rule types which users should have full read/write access to when granted this privilege.
+       * List of rule types and consumers for which users should have full read/write access to when granted this privilege.
        * @example
        * ```ts
        *  {
-       *    all: ['my-alert-type-within-my-feature']
+       *    all: [{ ruleTypeId: 'my-alert-type-within-my-feature', consumers: ['my-consumer-within-my-feature'] }]
        *  }
        * ```
        */
-      all?: readonly string[];
+      all?: AlertingKibanaPrivilege;
       /**
-       * List of rule types which users should have read-only access to when granted this privilege.
+       * List of rule types and consumers for which users should have read-only access to when granted this privilege.
        * @example
        * ```ts
        *  {
-       *    read: ['my-alert-type']
+       *    read: [{ ruleTypeId: 'my-alert-type-within-my-feature', consumers: ['my-consumer-within-my-feature'] }]
        *  }
        * ```
        */
-      read?: readonly string[];
+      read?: AlertingKibanaPrivilege;
     };
     alert?: {
       /**
-       * List of rule types for which users should have full read/write access their alert data to when granted this privilege.
+       * List of rule types and consumers for which users should have full read/write access their alert data to when granted this privilege.
        * @example
        * ```ts
        *  {
-       *    all: ['my-alert-type-within-my-feature']
+       *    all: [{ ruleTypeId: 'my-alert-type-within-my-feature', consumers: ['my-consumer-within-my-feature'] }]
        *  }
        * ```
        */
-      all?: readonly string[];
+      all?: AlertingKibanaPrivilege;
       /**
-       * List of rule types for which users should have read-only access to their alert data when granted this privilege.
+       * List of rule types and consumers for which users should have read-only access to their alert data when granted this privilege.
        * @example
        * ```ts
        *  {
-       *    read: ['my-alert-type']
+       *    read: [{ ruleTypeId: 'my-alert-type-within-my-feature', consumers: ['my-consumer-within-my-feature'] }]
        *  }
        * ```
        */
-      read?: readonly string[];
+      read?: AlertingKibanaPrivilege;
     };
   };
 
diff --git a/x-pack/plugins/features/common/kibana_feature.ts b/x-pack/plugins/features/common/kibana_feature.ts
index 3a5d9fc2a0e50..dba79a1663fca 100644
--- a/x-pack/plugins/features/common/kibana_feature.ts
+++ b/x-pack/plugins/features/common/kibana_feature.ts
@@ -11,6 +11,7 @@ import { LicenseType } from '@kbn/licensing-plugin/common/types';
 import { FeatureKibanaPrivileges } from './feature_kibana_privileges';
 import { SubFeatureConfig, SubFeature as KibanaSubFeature } from './sub_feature';
 import { ReservedKibanaPrivilege } from './reserved_kibana_privilege';
+import { AlertingKibanaPrivilege } from './alerting_kibana_privilege';
 
 /**
  * Enum for allowed feature scope values.
@@ -107,11 +108,12 @@ export interface KibanaFeatureConfig {
   catalogue?: readonly string[];
 
   /**
-   * If your feature grants access to specific Alert Types, you can specify them here to control visibility based on the current space.
-   * Include both Alert Types registered by the feature and external Alert Types such as built-in
-   * Alert Types and Alert Types provided by other features to which you wish to grant access.
+   * If your feature grants access to specific rule types, you can specify them here to control visibility based on the current space.
+   * Include both rule types registered by the feature and external rule types such as built-in
+   * rule types and rule types provided by other features to which you wish to grant access. For each rule type
+   * you can specify the consumers the feature has access to.
    */
-  alerting?: readonly string[];
+  alerting?: AlertingKibanaPrivilege;
 
   /**
    * If your feature grants access to specific case types, you can specify them here to control visibility based on the current space.
diff --git a/x-pack/plugins/features/server/feature_privilege_iterator/feature_privilege_iterator.test.ts b/x-pack/plugins/features/server/feature_privilege_iterator/feature_privilege_iterator.test.ts
index c7d501bb17cf8..c4e542a7ebcde 100644
--- a/x-pack/plugins/features/server/feature_privilege_iterator/feature_privilege_iterator.test.ts
+++ b/x-pack/plugins/features/server/feature_privilege_iterator/feature_privilege_iterator.test.ts
@@ -62,11 +62,11 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              all: ['alerting-all-type'],
-              read: ['alerting-read-type'],
+              all: [{ ruleTypeId: 'alerting-all-type', consumers: ['foo'] }],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
             alert: {
-              all: ['alerting-all-type'],
+              all: [{ ruleTypeId: 'alerting-all-type', consumers: ['foo'] }],
               read: [],
             },
           },
@@ -96,10 +96,10 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
             alert: {
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -134,11 +134,11 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              all: ['alerting-all-type'],
-              read: ['alerting-read-type'],
+              all: [{ ruleTypeId: 'alerting-all-type', consumers: ['foo'] }],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
             alert: {
-              all: ['alerting-all-type'],
+              all: [{ ruleTypeId: 'alerting-all-type', consumers: ['foo'] }],
               read: [],
             },
           },
@@ -171,10 +171,10 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
             alert: {
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -205,12 +205,12 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              all: ['alerting-all-type'],
-              read: ['alerting-read-type'],
+              all: [{ ruleTypeId: 'alerting-all-type', consumers: ['foo'] }],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
             alert: {
-              all: ['alerting-all-type'],
-              read: ['alerting-read-type-alerts'],
+              all: [{ ruleTypeId: 'alerting-all-type', consumers: ['foo'] }],
+              read: [{ ruleTypeId: 'alerting-read-type-alerts', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -239,10 +239,10 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
             alert: {
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -278,12 +278,12 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              all: ['alerting-all-type'],
-              read: ['alerting-read-type'],
+              all: [{ ruleTypeId: 'alerting-all-type', consumers: ['foo'] }],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
             alert: {
-              all: ['alerting-all-type'],
-              read: ['alerting-read-type-alerts'],
+              all: [{ ruleTypeId: 'alerting-all-type', consumers: ['foo'] }],
+              read: [{ ruleTypeId: 'alerting-read-type-alerts', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -323,10 +323,10 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              all: ['alerting-all-type'],
+              all: [{ ruleTypeId: 'alerting-all-type', consumers: ['foo'] }],
             },
             alert: {
-              read: ['alerting-another-read-type'],
+              read: [{ ruleTypeId: 'alerting-another-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -355,10 +355,10 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
             alert: {
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -390,7 +390,7 @@ describe('featurePrivilegeIterator', () => {
                   },
                   alerting: {
                     alert: {
-                      all: ['alerting-all-sub-type'],
+                      all: [{ ruleTypeId: 'alerting-all-sub-type', consumers: ['foo'] }],
                     },
                   },
                   cases: {
@@ -436,10 +436,10 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              all: ['alerting-all-type'],
+              all: [{ ruleTypeId: 'alerting-all-type', consumers: ['foo'] }],
             },
             alert: {
-              read: ['alerting-another-read-type'],
+              read: [{ ruleTypeId: 'alerting-another-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -471,10 +471,10 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
             alert: {
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -506,10 +506,10 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              all: ['alerting-all-type'],
+              all: [{ ruleTypeId: 'alerting-all-type', consumers: ['foo'] }],
             },
             alert: {
-              read: ['alerting-another-read-type'],
+              read: [{ ruleTypeId: 'alerting-another-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -538,10 +538,10 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
             alert: {
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -573,7 +573,7 @@ describe('featurePrivilegeIterator', () => {
                   },
                   alerting: {
                     alert: {
-                      all: ['alerting-all-sub-type'],
+                      all: [{ ruleTypeId: 'alerting-all-sub-type', consumers: ['foo'] }],
                     },
                   },
                   cases: {
@@ -619,10 +619,10 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              all: ['alerting-all-type'],
+              all: [{ ruleTypeId: 'alerting-all-type', consumers: ['foo'] }],
             },
             alert: {
-              read: ['alerting-another-read-type'],
+              read: [{ ruleTypeId: 'alerting-another-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -654,10 +654,10 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
             alert: {
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -689,10 +689,10 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              all: ['alerting-all-type'],
+              all: [{ ruleTypeId: 'alerting-all-type', consumers: ['foo'] }],
             },
             alert: {
-              read: ['alerting-another-read-type'],
+              read: [{ ruleTypeId: 'alerting-another-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -721,10 +721,10 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
             alert: {
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -757,7 +757,7 @@ describe('featurePrivilegeIterator', () => {
                   },
                   alerting: {
                     alert: {
-                      all: ['alerting-all-sub-type'],
+                      all: [{ ruleTypeId: 'alerting-all-sub-type', consumers: ['foo'] }],
                     },
                   },
                   cases: {
@@ -804,12 +804,12 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              all: ['alerting-all-type'],
+              all: [{ ruleTypeId: 'alerting-all-type', consumers: ['foo'] }],
               read: [],
             },
             alert: {
-              all: ['alerting-all-sub-type'],
-              read: ['alerting-another-read-type'],
+              all: [{ ruleTypeId: 'alerting-all-sub-type', consumers: ['foo'] }],
+              read: [{ ruleTypeId: 'alerting-another-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -843,11 +843,11 @@ describe('featurePrivilegeIterator', () => {
           alerting: {
             rule: {
               all: [],
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
             alert: {
-              all: ['alerting-all-sub-type'],
-              read: ['alerting-read-type'],
+              all: [{ ruleTypeId: 'alerting-all-sub-type', consumers: ['foo'] }],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -887,12 +887,12 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              all: ['alerting-all-type'],
-              read: ['alerting-read-type'],
+              all: [{ ruleTypeId: 'alerting-all-type', consumers: ['foo'] }],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
             alert: {
               all: [],
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -921,10 +921,10 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
             alert: {
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -956,7 +956,7 @@ describe('featurePrivilegeIterator', () => {
                   },
                   alerting: {
                     alert: {
-                      all: ['alerting-read-type'],
+                      all: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
                     },
                   },
                   cases: {
@@ -994,12 +994,12 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              all: ['alerting-all-type'],
-              read: ['alerting-read-type'],
+              all: [{ ruleTypeId: 'alerting-all-type', consumers: ['foo'] }],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
             alert: {
-              all: ['alerting-read-type'],
-              read: ['alerting-read-type'],
+              all: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -1032,11 +1032,11 @@ describe('featurePrivilegeIterator', () => {
           alerting: {
             rule: {
               all: [],
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
             alert: {
-              all: ['alerting-read-type'],
-              read: ['alerting-read-type'],
+              all: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -1076,10 +1076,10 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              all: ['alerting-all-type'],
+              all: [{ ruleTypeId: 'alerting-all-type', consumers: ['foo'] }],
             },
             alert: {
-              read: ['alerting-another-read-type'],
+              read: [{ ruleTypeId: 'alerting-another-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -1108,10 +1108,10 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
             alert: {
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -1144,7 +1144,7 @@ describe('featurePrivilegeIterator', () => {
                   },
                   alerting: {
                     alert: {
-                      all: ['alerting-all-sub-type'],
+                      all: [{ ruleTypeId: 'alerting-all-sub-type', consumers: ['foo'] }],
                     },
                   },
                   cases: {
@@ -1191,12 +1191,12 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              all: ['alerting-all-type'],
+              all: [{ ruleTypeId: 'alerting-all-type', consumers: ['foo'] }],
               read: [],
             },
             alert: {
-              all: ['alerting-all-sub-type'],
-              read: ['alerting-another-read-type'],
+              all: [{ ruleTypeId: 'alerting-all-sub-type', consumers: ['foo'] }],
+              read: [{ ruleTypeId: 'alerting-another-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -1228,10 +1228,10 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
             alert: {
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -1390,8 +1390,8 @@ describe('featurePrivilegeIterator', () => {
                   },
                   alerting: {
                     rule: {
-                      all: ['alerting-all-sub-type'],
-                      read: ['alerting-read-sub-type'],
+                      all: [{ ruleTypeId: 'alerting-all-sub-type', consumers: ['foo'] }],
+                      read: [{ ruleTypeId: 'alerting-read-sub-type', consumers: ['foo'] }],
                     },
                   },
                   cases: {
@@ -1438,8 +1438,8 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              all: ['alerting-all-sub-type'],
-              read: ['alerting-read-sub-type'],
+              all: [{ ruleTypeId: 'alerting-all-sub-type', consumers: ['foo'] }],
+              read: [{ ruleTypeId: 'alerting-read-sub-type', consumers: ['foo'] }],
             },
             alert: {
               all: [],
@@ -1476,8 +1476,8 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              all: ['alerting-all-sub-type'],
-              read: ['alerting-read-sub-type'],
+              all: [{ ruleTypeId: 'alerting-all-sub-type', consumers: ['foo'] }],
+              read: [{ ruleTypeId: 'alerting-read-sub-type', consumers: ['foo'] }],
             },
             alert: {
               all: [],
@@ -1521,10 +1521,10 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              all: ['alerting-all-type'],
+              all: [{ ruleTypeId: 'alerting-all-type', consumers: ['foo'] }],
             },
             alert: {
-              read: ['alerting-another-read-type'],
+              read: [{ ruleTypeId: 'alerting-another-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -1553,10 +1553,10 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
             alert: {
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -1612,12 +1612,12 @@ describe('featurePrivilegeIterator', () => {
           },
           alerting: {
             rule: {
-              all: ['alerting-all-type'],
+              all: [{ ruleTypeId: 'alerting-all-type', consumers: ['foo'] }],
               read: [],
             },
             alert: {
               all: [],
-              read: ['alerting-another-read-type'],
+              read: [{ ruleTypeId: 'alerting-another-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
@@ -1650,11 +1650,11 @@ describe('featurePrivilegeIterator', () => {
           alerting: {
             rule: {
               all: [],
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
             alert: {
               all: [],
-              read: ['alerting-read-type'],
+              read: [{ ruleTypeId: 'alerting-read-type', consumers: ['foo'] }],
             },
           },
           cases: {
diff --git a/x-pack/plugins/features/server/feature_privilege_iterator/feature_privilege_iterator.ts b/x-pack/plugins/features/server/feature_privilege_iterator/feature_privilege_iterator.ts
index a9d7336ea0a22..45518004430a4 100644
--- a/x-pack/plugins/features/server/feature_privilege_iterator/feature_privilege_iterator.ts
+++ b/x-pack/plugins/features/server/feature_privilege_iterator/feature_privilege_iterator.ts
@@ -8,6 +8,7 @@
 import _ from 'lodash';
 
 import type { LicenseType } from '@kbn/licensing-plugin/server';
+import { AlertingKibanaPrivilege } from '../../common/alerting_kibana_privilege';
 import type { FeatureKibanaPrivileges, KibanaFeature } from '..';
 import { subFeaturePrivilegeIterator } from './sub_feature_privilege_iterator';
 
@@ -108,26 +109,46 @@ function mergeWithSubFeatures(
       subFeaturePrivilege.savedObject.read
     );
 
+    /**
+     * Merges all alerting rule types and consumers
+     * from features and sub features.
+     * Removes duplicated values.
+     */
+    const mergeAlertingEntries = (entries: AlertingKibanaPrivilege): AlertingKibanaPrivilege => {
+      const alertingMap = new Map<string, Set<string>>();
+
+      for (const entry of entries) {
+        const consumers = alertingMap.get(entry.ruleTypeId) ?? new Set();
+        entry.consumers.forEach((consumer) => consumers.add(consumer));
+        alertingMap.set(entry.ruleTypeId, consumers);
+      }
+
+      return Array.from(alertingMap).map(([ruleTypeId, consumers]) => ({
+        ruleTypeId,
+        consumers: Array.from(consumers),
+      }));
+    };
+
     mergedConfig.alerting = {
       rule: {
-        all: mergeArrays(
-          mergedConfig.alerting?.rule?.all ?? [],
-          subFeaturePrivilege.alerting?.rule?.all ?? []
-        ),
-        read: mergeArrays(
-          mergedConfig.alerting?.rule?.read ?? [],
-          subFeaturePrivilege.alerting?.rule?.read ?? []
-        ),
+        all: mergeAlertingEntries([
+          ...(mergedConfig.alerting?.rule?.all ?? []),
+          ...(subFeaturePrivilege.alerting?.rule?.all ?? []),
+        ]),
+        read: mergeAlertingEntries([
+          ...(mergedConfig.alerting?.rule?.read ?? []),
+          ...(subFeaturePrivilege.alerting?.rule?.read ?? []),
+        ]),
       },
       alert: {
-        all: mergeArrays(
-          mergedConfig.alerting?.alert?.all ?? [],
-          subFeaturePrivilege.alerting?.alert?.all ?? []
-        ),
-        read: mergeArrays(
-          mergedConfig.alerting?.alert?.read ?? [],
-          subFeaturePrivilege.alerting?.alert?.read ?? []
-        ),
+        all: mergeAlertingEntries([
+          ...(mergedConfig.alerting?.alert?.all ?? []),
+          ...(subFeaturePrivilege.alerting?.alert?.all ?? []),
+        ]),
+        read: mergeAlertingEntries([
+          ...(mergedConfig.alerting?.alert?.read ?? []),
+          ...(subFeaturePrivilege.alerting?.alert?.read ?? []),
+        ]),
       },
     };
 
diff --git a/x-pack/plugins/features/server/feature_registry.test.ts b/x-pack/plugins/features/server/feature_registry.test.ts
index 08da08e0a19bd..9ed7a207560b0 100644
--- a/x-pack/plugins/features/server/feature_registry.test.ts
+++ b/x-pack/plugins/features/server/feature_registry.test.ts
@@ -868,404 +868,688 @@ describe('FeatureRegistry', () => {
       );
     });
 
-    it(`prevents privileges from specifying alerting/rule entries that don't exist at the root level`, () => {
-      const feature: KibanaFeatureConfig = {
-        id: 'test-feature',
-        name: 'Test Feature',
-        app: [],
-        category: { id: 'foo', label: 'foo' },
-        alerting: ['bar'],
-        privileges: {
-          all: {
-            alerting: {
-              rule: {
-                all: ['foo', 'bar'],
-                read: ['baz'],
+    describe('alerting', () => {
+      it(`prevents privileges from specifying rule types that don't exist at the root level`, () => {
+        const feature: KibanaFeatureConfig = {
+          id: 'test-feature',
+          name: 'Test Feature',
+          app: [],
+          category: { id: 'foo', label: 'foo' },
+          alerting: [{ ruleTypeId: 'bar', consumers: ['test-feature'] }],
+          privileges: {
+            all: {
+              alerting: {
+                rule: {
+                  all: [
+                    { ruleTypeId: 'foo', consumers: ['test-feature'] },
+                    { ruleTypeId: 'bar', consumers: ['test-feature'] },
+                  ],
+                  read: [{ ruleTypeId: 'baz', consumers: ['test-feature'] }],
+                },
               },
-            },
-            savedObject: {
-              all: [],
-              read: [],
-            },
-            ui: [],
-            app: [],
-          },
-          read: {
-            alerting: {
-              rule: {
-                read: ['foo', 'bar', 'baz'],
+              savedObject: {
+                all: [],
+                read: [],
               },
+              ui: [],
+              app: [],
             },
-            savedObject: {
-              all: [],
-              read: [],
+            read: {
+              alerting: {
+                rule: {
+                  read: [{ ruleTypeId: 'bar', consumers: ['test-feature'] }],
+                },
+              },
+              savedObject: {
+                all: [],
+                read: [],
+              },
+              ui: [],
+              app: [],
             },
-            ui: [],
-            app: [],
           },
-        },
-      };
+        };
 
-      const featureRegistry = new FeatureRegistry();
+        const featureRegistry = new FeatureRegistry();
 
-      expect(() =>
-        featureRegistry.registerKibanaFeature(feature)
-      ).toThrowErrorMatchingInlineSnapshot(
-        `"Feature privilege test-feature.all has unknown alerting entries: foo, baz"`
-      );
-    });
+        expect(() =>
+          featureRegistry.registerKibanaFeature(feature)
+        ).toThrowErrorMatchingInlineSnapshot(
+          `"Feature privilege test-feature.all has unknown ruleTypeId: foo"`
+        );
+      });
 
-    it(`prevents privileges from specifying alerting/alert entries that don't exist at the root level`, () => {
-      const feature: KibanaFeatureConfig = {
-        id: 'test-feature',
-        name: 'Test Feature',
-        app: [],
-        category: { id: 'foo', label: 'foo' },
-        alerting: ['bar'],
-        privileges: {
-          all: {
-            alerting: {
-              alert: {
-                all: ['foo', 'bar'],
-                read: ['baz'],
+      it(`prevents privileges from specifying rule types entries that don't exist at the root level`, () => {
+        const feature: KibanaFeatureConfig = {
+          id: 'test-feature',
+          name: 'Test Feature',
+          app: [],
+          category: { id: 'foo', label: 'foo' },
+          alerting: [{ ruleTypeId: 'bar', consumers: ['test-feature'] }],
+          privileges: {
+            all: {
+              alerting: {
+                alert: {
+                  all: [
+                    { ruleTypeId: 'foo', consumers: ['test-feature'] },
+                    { ruleTypeId: 'bar', consumers: ['test-feature'] },
+                  ],
+                  read: [{ ruleTypeId: 'baz', consumers: ['test-feature'] }],
+                },
               },
-            },
-            savedObject: {
-              all: [],
-              read: [],
-            },
-            ui: [],
-            app: [],
-          },
-          read: {
-            alerting: {
-              alert: {
-                read: ['foo', 'bar', 'baz'],
+              savedObject: {
+                all: [],
+                read: [],
               },
+              ui: [],
+              app: [],
             },
-            savedObject: {
-              all: [],
-              read: [],
+            read: {
+              alerting: {
+                alert: {
+                  read: [{ ruleTypeId: 'bar', consumers: ['test-feature'] }],
+                },
+              },
+              savedObject: {
+                all: [],
+                read: [],
+              },
+              ui: [],
+              app: [],
             },
-            ui: [],
-            app: [],
           },
-        },
-      };
+        };
 
-      const featureRegistry = new FeatureRegistry();
+        const featureRegistry = new FeatureRegistry();
 
-      expect(() =>
-        featureRegistry.registerKibanaFeature(feature)
-      ).toThrowErrorMatchingInlineSnapshot(
-        `"Feature privilege test-feature.all has unknown alerting entries: foo, baz"`
-      );
-    });
+        expect(() =>
+          featureRegistry.registerKibanaFeature(feature)
+        ).toThrowErrorMatchingInlineSnapshot(
+          `"Feature privilege test-feature.all has unknown ruleTypeId: foo"`
+        );
+      });
 
-    it(`prevents features from specifying alerting/rule entries that don't exist at the privilege level`, () => {
-      const feature: KibanaFeatureConfig = {
-        id: 'test-feature',
-        name: 'Test Feature',
-        app: [],
-        category: { id: 'foo', label: 'foo' },
-        alerting: ['foo', 'bar', 'baz'],
-        privileges: {
-          all: {
-            alerting: {
-              rule: {
-                all: ['foo'],
+      it(`prevents features from specifying rule types that don't exist at the privilege level`, () => {
+        const feature: KibanaFeatureConfig = {
+          id: 'test-feature',
+          name: 'Test Feature',
+          app: [],
+          category: { id: 'foo', label: 'foo' },
+          alerting: [
+            { ruleTypeId: 'foo', consumers: ['test-feature'] },
+            { ruleTypeId: 'bar', consumers: ['test-feature'] },
+            { ruleTypeId: 'baz', consumers: ['test-feature'] },
+          ],
+          privileges: {
+            all: {
+              alerting: {
+                rule: {
+                  all: [{ ruleTypeId: 'foo', consumers: ['test-feature'] }],
+                },
+              },
+              savedObject: {
+                all: [],
+                read: [],
               },
+              ui: [],
+              app: [],
             },
-            savedObject: {
-              all: [],
-              read: [],
+            read: {
+              alerting: {
+                rule: {
+                  all: [{ ruleTypeId: 'foo', consumers: ['test-feature'] }],
+                },
+              },
+              savedObject: {
+                all: [],
+                read: [],
+              },
+              ui: [],
+              app: [],
             },
-            ui: [],
-            app: [],
           },
-          read: {
-            alerting: {
-              rule: {
-                all: ['foo'],
+          subFeatures: [
+            {
+              name: 'my sub feature',
+              privilegeGroups: [
+                {
+                  groupType: 'independent',
+                  privileges: [
+                    {
+                      id: 'cool-sub-feature-privilege',
+                      name: 'cool privilege',
+                      includeIn: 'none',
+                      savedObject: {
+                        all: [],
+                        read: [],
+                      },
+                      ui: [],
+                      alerting: {
+                        rule: {
+                          all: [{ ruleTypeId: 'bar', consumers: ['test-feature'] }],
+                        },
+                      },
+                    },
+                  ],
+                },
+              ],
+            },
+          ],
+        };
+
+        const featureRegistry = new FeatureRegistry();
+
+        expect(() =>
+          featureRegistry.registerKibanaFeature(feature)
+        ).toThrowErrorMatchingInlineSnapshot(
+          `"Feature test-feature specifies alerting rule types which are not granted to any privileges: baz"`
+        );
+      });
+
+      it(`prevents features from specifying rule types entries that don't exist at the privilege level`, () => {
+        const feature: KibanaFeatureConfig = {
+          id: 'test-feature',
+          name: 'Test Feature',
+          app: [],
+          category: { id: 'foo', label: 'foo' },
+          alerting: [
+            { ruleTypeId: 'foo', consumers: ['test-feature'] },
+            { ruleTypeId: 'bar', consumers: ['test-feature'] },
+            { ruleTypeId: 'baz', consumers: ['test-feature'] },
+          ],
+          privileges: {
+            all: {
+              alerting: {
+                alert: {
+                  all: [{ ruleTypeId: 'foo', consumers: ['test-feature'] }],
+                },
               },
+              savedObject: {
+                all: [],
+                read: [],
+              },
+              ui: [],
+              app: [],
             },
-            savedObject: {
-              all: [],
-              read: [],
+            read: {
+              alerting: {
+                alert: {
+                  all: [{ ruleTypeId: 'foo', consumers: ['test-feature'] }],
+                },
+              },
+              savedObject: {
+                all: [],
+                read: [],
+              },
+              ui: [],
+              app: [],
             },
-            ui: [],
-            app: [],
           },
-        },
-        subFeatures: [
-          {
-            name: 'my sub feature',
-            privilegeGroups: [
-              {
-                groupType: 'independent',
-                privileges: [
-                  {
-                    id: 'cool-sub-feature-privilege',
-                    name: 'cool privilege',
-                    includeIn: 'none',
-                    savedObject: {
-                      all: [],
-                      read: [],
-                    },
-                    ui: [],
-                    alerting: {
-                      rule: {
-                        all: ['bar'],
+          subFeatures: [
+            {
+              name: 'my sub feature',
+              privilegeGroups: [
+                {
+                  groupType: 'independent',
+                  privileges: [
+                    {
+                      id: 'cool-sub-feature-privilege',
+                      name: 'cool privilege',
+                      includeIn: 'none',
+                      savedObject: {
+                        all: [],
+                        read: [],
                       },
+                      ui: [],
+                      alerting: {
+                        alert: {
+                          all: [{ ruleTypeId: 'bar', consumers: ['test-feature'] }],
+                        },
+                      },
+                    },
+                  ],
+                },
+              ],
+            },
+          ],
+        };
+
+        const featureRegistry = new FeatureRegistry();
+
+        expect(() =>
+          featureRegistry.registerKibanaFeature(feature)
+        ).toThrowErrorMatchingInlineSnapshot(
+          `"Feature test-feature specifies alerting rule types which are not granted to any privileges: baz"`
+        );
+      });
+
+      it(`prevents reserved privileges from specifying rule types that don't exist at the root level`, () => {
+        const feature: KibanaFeatureConfig = {
+          id: 'test-feature',
+          name: 'Test Feature',
+          app: [],
+          category: { id: 'foo', label: 'foo' },
+          alerting: [{ ruleTypeId: 'bar', consumers: ['test-feature'] }],
+          privileges: null,
+          reserved: {
+            description: 'something',
+            privileges: [
+              {
+                id: 'reserved',
+                privilege: {
+                  alerting: {
+                    rule: {
+                      all: [
+                        { ruleTypeId: 'foo', consumers: ['test-feature'] },
+                        { ruleTypeId: 'bar', consumers: ['test-feature'] },
+                        { ruleTypeId: 'baz', consumers: ['test-feature'] },
+                      ],
                     },
                   },
-                ],
+                  savedObject: {
+                    all: [],
+                    read: [],
+                  },
+                  ui: [],
+                  app: [],
+                },
               },
             ],
           },
-        ],
-      };
+        };
 
-      const featureRegistry = new FeatureRegistry();
+        const featureRegistry = new FeatureRegistry();
 
-      expect(() =>
-        featureRegistry.registerKibanaFeature(feature)
-      ).toThrowErrorMatchingInlineSnapshot(
-        `"Feature test-feature specifies alerting entries which are not granted to any privileges: baz"`
-      );
-    });
+        expect(() =>
+          featureRegistry.registerKibanaFeature(feature)
+        ).toThrowErrorMatchingInlineSnapshot(
+          `"Feature privilege test-feature.reserved has unknown ruleTypeId: foo"`
+        );
+      });
 
-    it(`prevents features from specifying alerting/alert entries that don't exist at the privilege level`, () => {
-      const feature: KibanaFeatureConfig = {
-        id: 'test-feature',
-        name: 'Test Feature',
-        app: [],
-        category: { id: 'foo', label: 'foo' },
-        alerting: ['foo', 'bar', 'baz'],
-        privileges: {
-          all: {
-            alerting: {
-              alert: {
-                all: ['foo'],
+      it(`prevents reserved privileges from specifying rule types entries that don't exist at the root level`, () => {
+        const feature: KibanaFeatureConfig = {
+          id: 'test-feature',
+          name: 'Test Feature',
+          app: [],
+          category: { id: 'foo', label: 'foo' },
+          alerting: [{ ruleTypeId: 'bar', consumers: ['test-feature'] }],
+          privileges: null,
+          reserved: {
+            description: 'something',
+            privileges: [
+              {
+                id: 'reserved',
+                privilege: {
+                  alerting: {
+                    alert: {
+                      all: [
+                        { ruleTypeId: 'foo', consumers: ['test-feature'] },
+                        { ruleTypeId: 'bar', consumers: ['test-feature'] },
+                        { ruleTypeId: 'baz', consumers: ['test-feature'] },
+                      ],
+                    },
+                  },
+                  savedObject: {
+                    all: [],
+                    read: [],
+                  },
+                  ui: [],
+                  app: [],
+                },
               },
-            },
-            savedObject: {
-              all: [],
-              read: [],
-            },
-            ui: [],
-            app: [],
+            ],
           },
-          read: {
-            alerting: {
-              alert: {
-                all: ['foo'],
+        };
+
+        const featureRegistry = new FeatureRegistry();
+
+        expect(() =>
+          featureRegistry.registerKibanaFeature(feature)
+        ).toThrowErrorMatchingInlineSnapshot(
+          `"Feature privilege test-feature.reserved has unknown ruleTypeId: foo"`
+        );
+      });
+
+      it(`prevents features from specifying rule types that don't exist at the reserved privilege level`, () => {
+        const feature: KibanaFeatureConfig = {
+          id: 'test-feature',
+          name: 'Test Feature',
+          app: [],
+          category: { id: 'foo', label: 'foo' },
+          alerting: [
+            { ruleTypeId: 'foo', consumers: ['test-feature'] },
+            { ruleTypeId: 'bar', consumers: ['test-feature'] },
+            { ruleTypeId: 'baz', consumers: ['test-feature'] },
+          ],
+          privileges: null,
+          reserved: {
+            description: 'something',
+            privileges: [
+              {
+                id: 'reserved',
+                privilege: {
+                  alerting: {
+                    rule: {
+                      all: [
+                        { ruleTypeId: 'foo', consumers: ['test-feature'] },
+                        { ruleTypeId: 'bar', consumers: ['test-feature'] },
+                      ],
+                    },
+                  },
+                  savedObject: {
+                    all: [],
+                    read: [],
+                  },
+                  ui: [],
+                  app: [],
+                },
               },
-            },
-            savedObject: {
-              all: [],
-              read: [],
-            },
-            ui: [],
-            app: [],
+            ],
           },
-        },
-        subFeatures: [
-          {
-            name: 'my sub feature',
-            privilegeGroups: [
+        };
+
+        const featureRegistry = new FeatureRegistry();
+
+        expect(() =>
+          featureRegistry.registerKibanaFeature(feature)
+        ).toThrowErrorMatchingInlineSnapshot(
+          `"Feature test-feature specifies alerting rule types which are not granted to any privileges: baz"`
+        );
+      });
+
+      it(`prevents features from specifying rule types entries that don't exist at the reserved privilege level`, () => {
+        const feature: KibanaFeatureConfig = {
+          id: 'test-feature',
+          name: 'Test Feature',
+          app: [],
+          category: { id: 'foo', label: 'foo' },
+          alerting: [
+            { ruleTypeId: 'foo', consumers: ['test-feature'] },
+            { ruleTypeId: 'bar', consumers: ['test-feature'] },
+            { ruleTypeId: 'baz', consumers: ['test-feature'] },
+          ],
+          privileges: null,
+          reserved: {
+            description: 'something',
+            privileges: [
               {
-                groupType: 'independent',
-                privileges: [
-                  {
-                    id: 'cool-sub-feature-privilege',
-                    name: 'cool privilege',
-                    includeIn: 'none',
-                    savedObject: {
-                      all: [],
-                      read: [],
-                    },
-                    ui: [],
-                    alerting: {
-                      alert: {
-                        all: ['bar'],
-                      },
+                id: 'reserved',
+                privilege: {
+                  alerting: {
+                    alert: {
+                      all: [
+                        { ruleTypeId: 'foo', consumers: ['test-feature'] },
+                        { ruleTypeId: 'bar', consumers: ['test-feature'] },
+                      ],
                     },
                   },
-                ],
+                  savedObject: {
+                    all: [],
+                    read: [],
+                  },
+                  ui: [],
+                  app: [],
+                },
               },
             ],
           },
-        ],
-      };
+        };
 
-      const featureRegistry = new FeatureRegistry();
+        const featureRegistry = new FeatureRegistry();
 
-      expect(() =>
-        featureRegistry.registerKibanaFeature(feature)
-      ).toThrowErrorMatchingInlineSnapshot(
-        `"Feature test-feature specifies alerting entries which are not granted to any privileges: baz"`
-      );
-    });
+        expect(() =>
+          featureRegistry.registerKibanaFeature(feature)
+        ).toThrowErrorMatchingInlineSnapshot(
+          `"Feature test-feature specifies alerting rule types which are not granted to any privileges: baz"`
+        );
+      });
 
-    it(`prevents reserved privileges from specifying alerting/rule entries that don't exist at the root level`, () => {
-      const feature: KibanaFeatureConfig = {
-        id: 'test-feature',
-        name: 'Test Feature',
-        app: [],
-        category: { id: 'foo', label: 'foo' },
-        alerting: ['bar'],
-        privileges: null,
-        reserved: {
-          description: 'something',
-          privileges: [
-            {
-              id: 'reserved',
-              privilege: {
-                alerting: {
-                  rule: {
-                    all: ['foo', 'bar', 'baz'],
-                  },
+      it(`prevents privileges from specifying rule types without consumers`, () => {
+        const feature: KibanaFeatureConfig = {
+          id: 'test-feature',
+          name: 'Test Feature',
+          app: [],
+          category: { id: 'foo', label: 'foo' },
+          alerting: [{ ruleTypeId: 'foo', consumers: [] }],
+          privileges: {
+            all: {
+              alerting: {
+                rule: {
+                  all: [{ ruleTypeId: 'foo', consumers: [] }],
                 },
-                savedObject: {
-                  all: [],
-                  read: [],
+              },
+              savedObject: {
+                all: [],
+                read: [],
+              },
+              ui: [],
+              app: [],
+            },
+            read: {
+              alerting: {
+                rule: {
+                  read: [{ ruleTypeId: 'foo', consumers: [] }],
                 },
-                ui: [],
-                app: [],
               },
+              savedObject: {
+                all: [],
+                read: [],
+              },
+              ui: [],
+              app: [],
             },
-          ],
-        },
-      };
+          },
+        };
 
-      const featureRegistry = new FeatureRegistry();
+        const featureRegistry = new FeatureRegistry();
 
-      expect(() =>
-        featureRegistry.registerKibanaFeature(feature)
-      ).toThrowErrorMatchingInlineSnapshot(
-        `"Feature privilege test-feature.reserved has unknown alerting entries: foo, baz"`
-      );
-    });
+        expect(() =>
+          featureRegistry.registerKibanaFeature(feature)
+        ).toThrowErrorMatchingInlineSnapshot(
+          `"[alerting.0.consumers]: array size is [0], but cannot be smaller than [1]"`
+        );
+      });
 
-    it(`prevents reserved privileges from specifying alerting/alert entries that don't exist at the root level`, () => {
-      const feature: KibanaFeatureConfig = {
-        id: 'test-feature',
-        name: 'Test Feature',
-        app: [],
-        category: { id: 'foo', label: 'foo' },
-        alerting: ['bar'],
-        privileges: null,
-        reserved: {
-          description: 'something',
-          privileges: [
-            {
-              id: 'reserved',
-              privilege: {
-                alerting: {
-                  alert: {
-                    all: ['foo', 'bar', 'baz'],
-                  },
+      it(`prevents privileges from specifying consumers entries that don't exist at the root level`, () => {
+        const feature: KibanaFeatureConfig = {
+          id: 'test-feature',
+          name: 'Test Feature',
+          app: [],
+          category: { id: 'foo', label: 'foo' },
+          alerting: [{ ruleTypeId: 'bar', consumers: ['test-feature'] }],
+          privileges: {
+            all: {
+              alerting: {
+                rule: {
+                  all: [{ ruleTypeId: 'bar', consumers: ['not-exist'] }],
+                  read: [{ ruleTypeId: 'bar', consumers: ['test-feature'] }],
                 },
-                savedObject: {
-                  all: [],
-                  read: [],
+              },
+              savedObject: {
+                all: [],
+                read: [],
+              },
+              ui: [],
+              app: [],
+            },
+            read: {
+              alerting: {
+                rule: {
+                  read: [{ ruleTypeId: 'bar', consumers: ['test-feature'] }],
                 },
-                ui: [],
-                app: [],
               },
+              savedObject: {
+                all: [],
+                read: [],
+              },
+              ui: [],
+              app: [],
             },
-          ],
-        },
-      };
+          },
+        };
 
-      const featureRegistry = new FeatureRegistry();
+        const featureRegistry = new FeatureRegistry();
 
-      expect(() =>
-        featureRegistry.registerKibanaFeature(feature)
-      ).toThrowErrorMatchingInlineSnapshot(
-        `"Feature privilege test-feature.reserved has unknown alerting entries: foo, baz"`
-      );
-    });
+        expect(() =>
+          featureRegistry.registerKibanaFeature(feature)
+        ).toThrowErrorMatchingInlineSnapshot(
+          `"Feature privilege test-feature.all.bar has unknown consumer: not-exist"`
+        );
+      });
 
-    it(`prevents features from specifying alerting/rule entries that don't exist at the reserved privilege level`, () => {
-      const feature: KibanaFeatureConfig = {
-        id: 'test-feature',
-        name: 'Test Feature',
-        app: [],
-        category: { id: 'foo', label: 'foo' },
-        alerting: ['foo', 'bar', 'baz'],
-        privileges: null,
-        reserved: {
-          description: 'something',
-          privileges: [
-            {
-              id: 'reserved',
-              privilege: {
-                alerting: {
-                  rule: {
-                    all: ['foo', 'bar'],
-                  },
+      it(`prevents features from specifying consumers that don't exist at the privilege level`, () => {
+        const feature: KibanaFeatureConfig = {
+          id: 'test-feature',
+          name: 'Test Feature',
+          app: [],
+          category: { id: 'foo', label: 'foo' },
+          alerting: [{ ruleTypeId: 'foo', consumers: ['test-feature', 'should-exist', 'foo'] }],
+          privileges: {
+            all: {
+              alerting: {
+                alert: {
+                  all: [{ ruleTypeId: 'foo', consumers: ['test-feature'] }],
                 },
-                savedObject: {
-                  all: [],
-                  read: [],
+              },
+              savedObject: {
+                all: [],
+                read: [],
+              },
+              ui: [],
+              app: [],
+            },
+            read: {
+              alerting: {
+                alert: {
+                  all: [{ ruleTypeId: 'foo', consumers: ['test-feature'] }],
                 },
-                ui: [],
-                app: [],
               },
+              savedObject: {
+                all: [],
+                read: [],
+              },
+              ui: [],
+              app: [],
+            },
+          },
+          subFeatures: [
+            {
+              name: 'my sub feature',
+              privilegeGroups: [
+                {
+                  groupType: 'independent',
+                  privileges: [
+                    {
+                      id: 'cool-sub-feature-privilege',
+                      name: 'cool privilege',
+                      includeIn: 'none',
+                      savedObject: {
+                        all: [],
+                        read: [],
+                      },
+                      ui: [],
+                      alerting: {
+                        alert: {
+                          all: [{ ruleTypeId: 'foo', consumers: ['foo'] }],
+                        },
+                      },
+                    },
+                  ],
+                },
+              ],
             },
           ],
-        },
-      };
+        };
 
-      const featureRegistry = new FeatureRegistry();
+        const featureRegistry = new FeatureRegistry();
 
-      expect(() =>
-        featureRegistry.registerKibanaFeature(feature)
-      ).toThrowErrorMatchingInlineSnapshot(
-        `"Feature test-feature specifies alerting entries which are not granted to any privileges: baz"`
-      );
-    });
+        expect(() =>
+          featureRegistry.registerKibanaFeature(feature)
+        ).toThrowErrorMatchingInlineSnapshot(
+          `"Feature test-feature specifies alerting consumers which are not granted to any privileges: should-exist"`
+        );
+      });
 
-    it(`prevents features from specifying alerting/alert entries that don't exist at the reserved privilege level`, () => {
-      const feature: KibanaFeatureConfig = {
-        id: 'test-feature',
-        name: 'Test Feature',
-        app: [],
-        category: { id: 'foo', label: 'foo' },
-        alerting: ['foo', 'bar', 'baz'],
-        privileges: null,
-        reserved: {
-          description: 'something',
-          privileges: [
-            {
-              id: 'reserved',
-              privilege: {
-                alerting: {
-                  alert: {
-                    all: ['foo', 'bar'],
+      it(`prevents reserved privileges from specifying consumers that don't exist at the root level`, () => {
+        const feature: KibanaFeatureConfig = {
+          id: 'test-feature',
+          name: 'Test Feature',
+          app: [],
+          category: { id: 'foo', label: 'foo' },
+          alerting: [{ ruleTypeId: 'bar', consumers: ['test-feature'] }],
+          privileges: null,
+          reserved: {
+            description: 'something',
+            privileges: [
+              {
+                id: 'reserved',
+                privilege: {
+                  alerting: {
+                    rule: {
+                      all: [{ ruleTypeId: 'bar', consumers: ['not-exist'] }],
+                    },
+                  },
+                  savedObject: {
+                    all: [],
+                    read: [],
                   },
+                  ui: [],
+                  app: [],
                 },
-                savedObject: {
-                  all: [],
-                  read: [],
+              },
+            ],
+          },
+        };
+
+        const featureRegistry = new FeatureRegistry();
+
+        expect(() =>
+          featureRegistry.registerKibanaFeature(feature)
+        ).toThrowErrorMatchingInlineSnapshot(
+          `"Feature privilege test-feature.reserved.bar has unknown consumer: not-exist"`
+        );
+      });
+
+      it(`prevents features from specifying consumers that don't exist at the reserved privilege level`, () => {
+        const feature: KibanaFeatureConfig = {
+          id: 'test-feature',
+          name: 'Test Feature',
+          app: [],
+          category: { id: 'foo', label: 'foo' },
+          alerting: [{ ruleTypeId: 'foo', consumers: ['test-feature', 'should-exist'] }],
+          privileges: null,
+          reserved: {
+            description: 'something',
+            privileges: [
+              {
+                id: 'reserved',
+                privilege: {
+                  alerting: {
+                    rule: {
+                      all: [{ ruleTypeId: 'foo', consumers: ['test-feature'] }],
+                    },
+                  },
+                  savedObject: {
+                    all: [],
+                    read: [],
+                  },
+                  ui: [],
+                  app: [],
                 },
-                ui: [],
-                app: [],
               },
-            },
-          ],
-        },
-      };
+            ],
+          },
+        };
 
-      const featureRegistry = new FeatureRegistry();
+        const featureRegistry = new FeatureRegistry();
 
-      expect(() =>
-        featureRegistry.registerKibanaFeature(feature)
-      ).toThrowErrorMatchingInlineSnapshot(
-        `"Feature test-feature specifies alerting entries which are not granted to any privileges: baz"`
-      );
+        expect(() =>
+          featureRegistry.registerKibanaFeature(feature)
+        ).toThrowErrorMatchingInlineSnapshot(
+          `"Feature test-feature specifies alerting consumers which are not granted to any privileges: should-exist"`
+        );
+      });
     });
 
     it(`prevents privileges from specifying cases entries that don't exist at the root level`, () => {
@@ -2068,11 +2352,15 @@ describe('FeatureRegistry', () => {
               all: {
                 ui: [],
                 savedObject: { all: [], read: [] },
-                alerting: { alert: { all: ['one'] } },
+                alerting: {
+                  alert: {
+                    all: [{ ruleTypeId: 'one', consumers: ['featureE'] }],
+                  },
+                },
               },
               read: { ui: [], savedObject: { all: [], read: [] } },
             },
-            alerting: ['one'],
+            alerting: [{ ruleTypeId: 'one', consumers: ['featureE'] }],
           },
         ];
         features.forEach((f) => registry.registerKibanaFeature(f));
diff --git a/x-pack/plugins/features/server/feature_schema.ts b/x-pack/plugins/features/server/feature_schema.ts
index ce444c41e477d..3923eb31dbecb 100644
--- a/x-pack/plugins/features/server/feature_schema.ts
+++ b/x-pack/plugins/features/server/feature_schema.ts
@@ -11,6 +11,7 @@ import { difference } from 'lodash';
 import { Capabilities as UICapabilities } from '@kbn/core/server';
 import { KibanaFeatureConfig, KibanaFeatureScope } from '../common';
 import { FeatureKibanaPrivileges, ElasticsearchFeatureConfig } from '.';
+import { AlertingKibanaPrivilege } from '../common/alerting_kibana_privilege';
 
 // Each feature gets its own property on the UICapabilities object,
 // but that object has a few built-in properties which should not be overwritten.
@@ -63,7 +64,13 @@ const managementSchema = schema.recordOf(
   listOfCapabilitiesSchema
 );
 const catalogueSchema = listOfCapabilitiesSchema;
-const alertingSchema = schema.arrayOf(schema.string());
+const alertingSchema = schema.arrayOf(
+  schema.object({
+    ruleTypeId: schema.string(),
+    consumers: schema.arrayOf(schema.string(), { minSize: 1 }),
+  })
+);
+
 const casesSchema = schema.arrayOf(schema.string());
 
 const appCategorySchema = schema.object({
@@ -331,7 +338,14 @@ export function validateKibanaFeature(feature: KibanaFeatureConfig) {
 
   const unseenCatalogue = new Set(catalogue);
 
-  const unseenAlertTypes = new Set(alerting);
+  const alertingMap = new Map(
+    alerting.map(({ ruleTypeId, consumers }) => [ruleTypeId, new Set(consumers)])
+  );
+
+  const unseenAlertingRyleTypeIds = new Set(alertingMap.keys());
+  const unseenAlertingConsumers = new Set(
+    alerting.flatMap(({ consumers }) => Array.from(consumers.values()))
+  );
 
   const unseenCasesTypes = new Set(cases);
 
@@ -362,20 +376,40 @@ export function validateKibanaFeature(feature: KibanaFeatureConfig) {
   }
 
   function validateAlertingEntry(privilegeId: string, entry: FeatureKibanaPrivileges['alerting']) {
-    const all: string[] = [...(entry?.rule?.all ?? []), ...(entry?.alert?.all ?? [])];
-    const read: string[] = [...(entry?.rule?.read ?? []), ...(entry?.alert?.read ?? [])];
+    const seenRuleTypeIds = new Set<string>();
+    const seenConsumers = new Set<string>();
+
+    const validateAlertingPrivilege = (alertingPrivilege?: AlertingKibanaPrivilege) => {
+      for (const { ruleTypeId, consumers } of alertingPrivilege ?? []) {
+        if (!alertingMap.has(ruleTypeId)) {
+          throw new Error(
+            `Feature privilege ${feature.id}.${privilegeId} has unknown ruleTypeId: ${ruleTypeId}`
+          );
+        }
+
+        const alertingMapConsumers = alertingMap.get(ruleTypeId)!;
+
+        for (const consumer of consumers) {
+          if (!alertingMapConsumers.has(consumer)) {
+            throw new Error(
+              `Feature privilege ${feature.id}.${privilegeId}.${ruleTypeId} has unknown consumer: ${consumer}`
+            );
+          }
 
-    all.forEach((privilegeAlertTypes) => unseenAlertTypes.delete(privilegeAlertTypes));
-    read.forEach((privilegeAlertTypes) => unseenAlertTypes.delete(privilegeAlertTypes));
+          seenConsumers.add(consumer);
+        }
 
-    const unknownAlertingEntries = difference([...all, ...read], alerting);
-    if (unknownAlertingEntries.length > 0) {
-      throw new Error(
-        `Feature privilege ${
-          feature.id
-        }.${privilegeId} has unknown alerting entries: ${unknownAlertingEntries.join(', ')}`
-      );
-    }
+        seenRuleTypeIds.add(ruleTypeId);
+      }
+    };
+
+    validateAlertingPrivilege(entry?.rule?.all);
+    validateAlertingPrivilege(entry?.rule?.read);
+    validateAlertingPrivilege(entry?.alert?.all);
+    validateAlertingPrivilege(entry?.alert?.read);
+
+    seenRuleTypeIds.forEach((ruleTypeId: string) => unseenAlertingRyleTypeIds.delete(ruleTypeId));
+    seenConsumers.forEach((consumer: string) => unseenAlertingConsumers.delete(consumer));
   }
 
   function validateCasesEntry(privilegeId: string, entry: FeatureKibanaPrivileges['cases']) {
@@ -510,12 +544,22 @@ export function validateKibanaFeature(feature: KibanaFeatureConfig) {
     );
   }
 
-  if (unseenAlertTypes.size > 0) {
+  if (unseenAlertingRyleTypeIds.size > 0) {
+    throw new Error(
+      `Feature ${
+        feature.id
+      } specifies alerting rule types which are not granted to any privileges: ${Array.from(
+        unseenAlertingRyleTypeIds.keys()
+      ).join(',')}`
+    );
+  }
+
+  if (unseenAlertingConsumers.size > 0) {
     throw new Error(
       `Feature ${
         feature.id
-      } specifies alerting entries which are not granted to any privileges: ${Array.from(
-        unseenAlertTypes.values()
+      } specifies alerting consumers which are not granted to any privileges: ${Array.from(
+        unseenAlertingConsumers.keys()
       ).join(',')}`
     );
   }
diff --git a/x-pack/plugins/ml/common/constants/alerts.ts b/x-pack/plugins/ml/common/constants/alerts.ts
index 009345d23542d..8ed9d61b418ff 100644
--- a/x-pack/plugins/ml/common/constants/alerts.ts
+++ b/x-pack/plugins/ml/common/constants/alerts.ts
@@ -12,6 +12,7 @@ import {
   ALERT_RULE_NAME,
   ALERT_START,
   ALERT_STATUS,
+  AlertConsumers,
   ML_ANOMALY_DETECTION_RULE_TYPE_ID,
 } from '@kbn/rule-data-utils';
 import type { JobsHealthTests } from '../types/alerts';
@@ -21,6 +22,9 @@ export const ML_ALERT_TYPES = {
   AD_JOBS_HEALTH: 'xpack.ml.anomaly_detection_jobs_health',
 } as const;
 
+export const ML_RULE_TYPE_IDS = Object.values(ML_ALERT_TYPES);
+export const ML_VALID_CONSUMERS = [AlertConsumers.ML, AlertConsumers.ALERTS];
+
 export type MlAlertType = (typeof ML_ALERT_TYPES)[keyof typeof ML_ALERT_TYPES];
 
 export const ALERT_PREVIEW_SAMPLE_SIZE = 5;
diff --git a/x-pack/plugins/ml/common/index.ts b/x-pack/plugins/ml/common/index.ts
index bc53fc4247f2d..dbb6c1a54ca16 100644
--- a/x-pack/plugins/ml/common/index.ts
+++ b/x-pack/plugins/ml/common/index.ts
@@ -8,5 +8,5 @@
 export { getDefaultCapabilities as getDefaultMlCapabilities } from './types/capabilities';
 export { DATAFEED_STATE, JOB_STATE } from './constants/states';
 export type { MlSummaryJob, SummaryJobState } from './types/anomaly_detection_jobs';
-export { ML_ALERT_TYPES } from './constants/alerts';
+export { ML_ALERT_TYPES, ML_RULE_TYPE_IDS } from './constants/alerts';
 export type { Job, Datafeed } from './types/anomaly_detection_jobs';
diff --git a/x-pack/plugins/ml/common/types/capabilities.ts b/x-pack/plugins/ml/common/types/capabilities.ts
index e7a097fae7dc4..b598a3bfd4d2d 100644
--- a/x-pack/plugins/ml/common/types/capabilities.ts
+++ b/x-pack/plugins/ml/common/types/capabilities.ts
@@ -6,6 +6,7 @@
  */
 
 import type { KibanaRequest } from '@kbn/core/server';
+import { ALERTING_FEATURE_ID } from '@kbn/alerting-plugin/common';
 import { PLUGIN_ID } from '../constants/app';
 import {
   ML_JOB_SAVED_OBJECT_TYPE,
@@ -109,6 +110,11 @@ export function getDefaultCapabilities(): MlCapabilities {
   };
 }
 
+const alertingFeatures = Object.values(ML_ALERT_TYPES).map((ruleTypeId) => ({
+  ruleTypeId,
+  consumers: [PLUGIN_ID, ALERTING_FEATURE_ID],
+}));
+
 export function getPluginPrivileges() {
   const apmUserMlCapabilitiesKeys = Object.keys(apmUserMlCapabilities);
   const userMlCapabilitiesKeys = Object.keys(userMlCapabilities);
@@ -150,10 +156,10 @@ export function getPluginPrivileges() {
       },
       alerting: {
         rule: {
-          all: Object.values(ML_ALERT_TYPES),
+          all: alertingFeatures,
         },
         alert: {
-          all: Object.values(ML_ALERT_TYPES),
+          all: alertingFeatures,
         },
       },
     },
@@ -172,10 +178,10 @@ export function getPluginPrivileges() {
       },
       alerting: {
         rule: {
-          read: Object.values(ML_ALERT_TYPES),
+          read: alertingFeatures,
         },
         alert: {
-          read: Object.values(ML_ALERT_TYPES),
+          read: alertingFeatures,
         },
       },
     },
diff --git a/x-pack/plugins/ml/kibana.jsonc b/x-pack/plugins/ml/kibana.jsonc
index 274a92c57a2c3..5c4961de54e97 100644
--- a/x-pack/plugins/ml/kibana.jsonc
+++ b/x-pack/plugins/ml/kibana.jsonc
@@ -63,7 +63,8 @@
       "lens",
       "maps",
       "savedObjectsFinder",
-      "usageCollection"
+      "usageCollection",
+      "alerting"
     ],
     "extraPublicDirs": [
       "common"
diff --git a/x-pack/plugins/ml/public/application/explorer/alerts/alerts_panel.tsx b/x-pack/plugins/ml/public/application/explorer/alerts/alerts_panel.tsx
index b9b680a9fbac5..338c5a2a2b3c5 100644
--- a/x-pack/plugins/ml/public/application/explorer/alerts/alerts_panel.tsx
+++ b/x-pack/plugins/ml/public/application/explorer/alerts/alerts_panel.tsx
@@ -15,9 +15,12 @@ import {
 } from '@elastic/eui';
 import { i18n } from '@kbn/i18n';
 import { FormattedMessage } from '@kbn/i18n-react';
-import { ALERT_STATUS_ACTIVE, AlertConsumers, type AlertStatus } from '@kbn/rule-data-utils';
+import { ALERT_STATUS_ACTIVE, type AlertStatus } from '@kbn/rule-data-utils';
+import type { AlertsTableStateProps } from '@kbn/triggers-actions-ui-plugin/public/application/sections/alerts_table/alerts_table_state';
 import React, { type FC, useState } from 'react';
 import useObservable from 'react-use/lib/useObservable';
+import { ML_VALID_CONSUMERS } from '../../../../common/constants/alerts';
+import { ML_RULE_TYPE_IDS } from '../../../../common';
 import { ML_ALERTS_CONFIG_ID } from '../../../alerting/anomaly_detection_alerts_table/register_alerts_table_configuration';
 import { CollapsiblePanel } from '../../components/collapsible_panel';
 import { useMlKibana } from '../../contexts/kibana';
@@ -42,13 +45,13 @@ export const AlertsPanel: FC = () => {
   const alertsQuery = useObservable(anomalyDetectionAlertsStateService.alertsQuery$, {});
   const isLoading = useObservable(anomalyDetectionAlertsStateService.isLoading$, true);
 
-  const alertStateProps = {
+  const alertStateProps: AlertsTableStateProps = {
     alertsTableConfigurationRegistry: triggersActionsUi!.alertsTableConfigurationRegistry,
     configurationId: ML_ALERTS_CONFIG_ID,
     id: `ml-details-alerts`,
-    featureIds: [AlertConsumers.ML],
+    ruleTypeIds: ML_RULE_TYPE_IDS,
+    consumers: ML_VALID_CONSUMERS,
     query: alertsQuery,
-    showExpandToDetails: true,
     showAlertStatusWithFlapping: true,
     cellContext: {
       fieldFormats,
diff --git a/x-pack/plugins/ml/public/application/explorer/alerts/anomaly_detection_alerts_state_service.ts b/x-pack/plugins/ml/public/application/explorer/alerts/anomaly_detection_alerts_state_service.ts
index d02e9baf91c95..82bd60a4802ab 100644
--- a/x-pack/plugins/ml/public/application/explorer/alerts/anomaly_detection_alerts_state_service.ts
+++ b/x-pack/plugins/ml/public/application/explorer/alerts/anomaly_detection_alerts_state_service.ts
@@ -21,7 +21,6 @@ import {
   ALERT_START,
   ALERT_STATUS,
   ALERT_UUID,
-  AlertConsumers,
 } from '@kbn/rule-data-utils';
 import { isDefined } from '@kbn/ml-is-defined';
 import { getSeverityColor } from '@kbn/ml-anomaly-utils';
@@ -30,6 +29,8 @@ import {
   ALERT_ANOMALY_SCORE,
   ALERT_ANOMALY_TIMESTAMP,
   ML_ALERT_TYPES,
+  ML_RULE_TYPE_IDS,
+  ML_VALID_CONSUMERS,
 } from '../../../../common/constants/alerts';
 import { StateService } from '../../services/state_service';
 import type { AnomalyTimelineStateService } from '../anomaly_timeline_state_service';
@@ -175,7 +176,8 @@ export class AnomalyDetectionAlertsStateService extends StateService {
             return this.data.search
               .search<RuleRegistrySearchRequest, RuleRegistrySearchResponse>(
                 {
-                  featureIds: [AlertConsumers.ML],
+                  ruleTypeIds: ML_RULE_TYPE_IDS,
+                  consumers: ML_VALID_CONSUMERS,
                   query,
                 },
                 { strategy: 'privateRuleRegistryAlertsSearchStrategy' }
diff --git a/x-pack/plugins/ml/server/plugin.ts b/x-pack/plugins/ml/server/plugin.ts
index 01f3ec7e5d131..ba6c5387a93cb 100644
--- a/x-pack/plugins/ml/server/plugin.ts
+++ b/x-pack/plugins/ml/server/plugin.ts
@@ -26,6 +26,7 @@ import type { SpacesPluginSetup } from '@kbn/spaces-plugin/server';
 import type { FieldFormatsStart } from '@kbn/field-formats-plugin/server';
 import type { HomeServerPluginSetup } from '@kbn/home-plugin/server';
 import type { CasesServerSetup } from '@kbn/cases-plugin/server';
+import { ALERTING_FEATURE_ID } from '@kbn/alerting-plugin/common';
 import { KibanaFeatureScope } from '@kbn/features-plugin/common';
 import type { PluginsSetup, PluginsStart, RouteInitialization } from './types';
 import type { MlCapabilities } from '../common/types/capabilities';
@@ -142,7 +143,10 @@ export class MlServerPlugin
       management: {
         insightsAndAlerting: ['jobsListLink', 'triggersActions'],
       },
-      alerting: Object.values(ML_ALERT_TYPES),
+      alerting: Object.values(ML_ALERT_TYPES).map((ruleTypeId) => ({
+        ruleTypeId,
+        consumers: [PLUGIN_ID, ALERTING_FEATURE_ID],
+      })),
       privileges: {
         all: admin,
         read: user,
diff --git a/x-pack/plugins/ml/server/routes/job_service.ts b/x-pack/plugins/ml/server/routes/job_service.ts
index 3814d36bc3a6c..8c9f90db38186 100644
--- a/x-pack/plugins/ml/server/routes/job_service.ts
+++ b/x-pack/plugins/ml/server/routes/job_service.ts
@@ -135,7 +135,7 @@ export function jobServiceRoutes({ router, routeGuard }: RouteInitialization) {
       routeGuard.fullLicenseAPIGuard(async ({ client, mlClient, request, response, context }) => {
         try {
           const alerting = await context.alerting;
-          const rulesClient = alerting?.getRulesClient();
+          const rulesClient = await alerting?.getRulesClient();
           const { deleteJobs } = jobServiceProvider(client, mlClient, rulesClient);
 
           const { jobIds, deleteUserAnnotations, deleteAlertingRules } = request.body;
@@ -283,7 +283,8 @@ export function jobServiceRoutes({ router, routeGuard }: RouteInitialization) {
       routeGuard.fullLicenseAPIGuard(async ({ client, mlClient, request, response, context }) => {
         try {
           const alerting = await context.alerting;
-          const { jobsSummary } = jobServiceProvider(client, mlClient, alerting?.getRulesClient());
+          const rulesClient = await alerting?.getRulesClient();
+          const { jobsSummary } = jobServiceProvider(client, mlClient, rulesClient);
           const { jobIds } = request.body;
           const resp = await jobsSummary(jobIds);
 
@@ -317,11 +318,8 @@ export function jobServiceRoutes({ router, routeGuard }: RouteInitialization) {
       routeGuard.fullLicenseAPIGuard(async ({ client, mlClient, response, context }) => {
         try {
           const alerting = await context.alerting;
-          const { getJobIdsWithGeo } = jobServiceProvider(
-            client,
-            mlClient,
-            alerting?.getRulesClient()
-          );
+          const rulesClient = await alerting?.getRulesClient();
+          const { getJobIdsWithGeo } = jobServiceProvider(client, mlClient, rulesClient);
 
           const resp = await getJobIdsWithGeo();
 
@@ -425,11 +423,9 @@ export function jobServiceRoutes({ router, routeGuard }: RouteInitialization) {
       routeGuard.fullLicenseAPIGuard(async ({ client, mlClient, request, response, context }) => {
         try {
           const alerting = await context.alerting;
-          const { createFullJobsList } = jobServiceProvider(
-            client,
-            mlClient,
-            alerting?.getRulesClient()
-          );
+          const rulesClient = await alerting?.getRulesClient();
+
+          const { createFullJobsList } = jobServiceProvider(client, mlClient, rulesClient);
           const { jobIds } = request.body;
           const resp = await createFullJobsList(jobIds);
 
diff --git a/x-pack/plugins/monitoring/public/alerts/alert_form.test.tsx b/x-pack/plugins/monitoring/public/alerts/alert_form.test.tsx
index 2cca4638876c9..f1e84753820fe 100644
--- a/x-pack/plugins/monitoring/public/alerts/alert_form.test.tsx
+++ b/x-pack/plugins/monitoring/public/alerts/alert_form.test.tsx
@@ -270,6 +270,7 @@ describe('alert_form', () => {
                 actionTypeRegistry={actionTypeRegistry}
                 featureId="alerting"
                 producerId="alerting"
+                ruleTypeId=".es-query"
               />
             </KibanaReactContext.Provider>
           </I18nProvider>
diff --git a/x-pack/plugins/monitoring/server/lib/cluster/get_clusters_from_request.ts b/x-pack/plugins/monitoring/server/lib/cluster/get_clusters_from_request.ts
index 52c0c2a6b7334..b753388af7d5d 100644
--- a/x-pack/plugins/monitoring/server/lib/cluster/get_clusters_from_request.ts
+++ b/x-pack/plugins/monitoring/server/lib/cluster/get_clusters_from_request.ts
@@ -123,25 +123,19 @@ export async function getClustersFromRequest(
     // update clusters with license check results
     const getSupportedClusters = flagSupportedClusters(req, CCS_REMOTE_PATTERN);
     clusters = await getSupportedClusters(clusters);
+    clusters = initializeClusters(clusters);
 
     // add alerts data
     if (isInCodePath(codePaths, [CODE_PATH_ALERTS])) {
-      const rulesClient = req.getRulesClient();
-      const alertStatus = await fetchStatus(
-        rulesClient,
-        undefined,
-        clusters.map((cluster) => get(cluster, 'elasticsearch.cluster.id', cluster.cluster_uuid))
+      const rulesClient = await req.getRulesClient();
+      const clustersIds = clusters.map((cluster) =>
+        get(cluster, 'elasticsearch.cluster.id', cluster.cluster_uuid)
       );
 
-      for (const cluster of clusters) {
-        if (!rulesClient) {
-          cluster.alerts = {
-            list: {},
-            alertsMeta: {
-              enabled: false,
-            },
-          };
-        } else {
+      if (rulesClient) {
+        const alertStatus = await fetchStatus(rulesClient, undefined, clustersIds);
+
+        for (const cluster of clusters) {
           try {
             cluster.alerts = {
               list: Object.keys(alertStatus).reduce<RulesByType>((acc, ruleTypeName) => {
@@ -163,12 +157,6 @@ export async function getClustersFromRequest(
             req.logger.warn(
               `Unable to fetch alert status because '${err.message}'. Alerts may not properly show up in the UI.`
             );
-            cluster.alerts = {
-              list: {},
-              alertsMeta: {
-                enabled: true,
-              },
-            };
           }
         }
       }
@@ -284,3 +272,13 @@ export async function getClustersFromRequest(
 
   return getClustersSummary(req.server, clusters as EnhancedClusters[], kibanaUuid, isCcrEnabled);
 }
+
+const initializeClusters = (clusters: Cluster[]): Cluster[] => {
+  return clusters.map((cluster) => ({
+    ...cluster,
+    list: {},
+    alertsMeta: {
+      enabled: false,
+    },
+  }));
+};
diff --git a/x-pack/plugins/monitoring/server/lib/setup/collection/get_collection_status.test.ts b/x-pack/plugins/monitoring/server/lib/setup/collection/get_collection_status.test.ts
index b743e0300aef6..ce03cc5aecf3b 100644
--- a/x-pack/plugins/monitoring/server/lib/setup/collection/get_collection_status.test.ts
+++ b/x-pack/plugins/monitoring/server/lib/setup/collection/get_collection_status.test.ts
@@ -94,7 +94,7 @@ const mockReq = (
     headers: {},
     getKibanaStatsCollector: () => null,
     getUiSettingsService: () => null,
-    getActionTypeRegistry: () => null,
+    getActionTypeRegistry: () => [],
     getRulesClient: () => null,
     getActionsClient: () => null,
   };
diff --git a/x-pack/plugins/monitoring/server/plugin.ts b/x-pack/plugins/monitoring/server/plugin.ts
index 0a7460457854e..dbf375aa2e057 100644
--- a/x-pack/plugins/monitoring/server/plugin.ts
+++ b/x-pack/plugins/monitoring/server/plugin.ts
@@ -23,7 +23,9 @@ import {
 import { get } from 'lodash';
 import { DEFAULT_APP_CATEGORIES } from '@kbn/core/server';
 import { RouteMethod } from '@kbn/core/server';
+import { ALERTING_FEATURE_ID } from '@kbn/alerting-plugin/common';
 import { KibanaFeatureScope } from '@kbn/features-plugin/common';
+import { AlertConsumers } from '@kbn/rule-data-utils';
 import {
   KIBANA_MONITORING_LOGGING_TAG,
   KIBANA_STATS_TYPE_MONITORING,
@@ -265,6 +267,11 @@ export class MonitoringPlugin
   }
 
   registerPluginInUI(plugins: PluginsSetup) {
+    const alertingFeatures = RULES.map((ruleTypeId) => ({
+      ruleTypeId,
+      consumers: ['monitoring', ALERTING_FEATURE_ID, AlertConsumers.OBSERVABILITY],
+    }));
+
     plugins.features.registerKibanaFeature({
       id: 'monitoring',
       name: i18n.translate('xpack.monitoring.featureRegistry.monitoringFeatureName', {
@@ -275,7 +282,7 @@ export class MonitoringPlugin
       app: ['monitoring', 'kibana'],
       catalogue: ['monitoring'],
       privileges: null,
-      alerting: RULES,
+      alerting: alertingFeatures,
       reserved: {
         description: i18n.translate('xpack.monitoring.feature.reserved.description', {
           defaultMessage: 'To grant users access, you should also assign the monitoring_user role.',
@@ -292,10 +299,10 @@ export class MonitoringPlugin
               },
               alerting: {
                 rule: {
-                  all: RULES,
+                  all: alertingFeatures,
                 },
                 alert: {
-                  all: RULES,
+                  all: alertingFeatures,
                 },
               },
               ui: [],
@@ -335,7 +342,7 @@ export class MonitoringPlugin
             payload: req.body,
             getKibanaStatsCollector: () => this.legacyShimDependencies.kibanaStatsCollector,
             getUiSettingsService: () => coreContext.uiSettings.client,
-            getActionTypeRegistry: () => actionContext?.listTypes(),
+            getActionTypeRegistry: () => actionContext?.listTypes() ?? [],
             getRulesClient: () => {
               try {
                 return plugins.alerting.getRulesClientWithRequest(req);
diff --git a/x-pack/plugins/monitoring/server/routes/api/v1/alerts/enable.ts b/x-pack/plugins/monitoring/server/routes/api/v1/alerts/enable.ts
index 8b919fd1f86ea..593f3c9b2b4ab 100644
--- a/x-pack/plugins/monitoring/server/routes/api/v1/alerts/enable.ts
+++ b/x-pack/plugins/monitoring/server/routes/api/v1/alerts/enable.ts
@@ -30,6 +30,7 @@ export function enableAlertsRoute(server: MonitoringCore, npRoute: RouteDependen
         const actionContext = await context.actions;
 
         const alerts = RulesFactory.getAll();
+
         if (alerts.length) {
           const { isSufficientlySecure, hasPermanentEncryptionKey } = npRoute.alerting
             ?.getSecurityHealth
@@ -49,9 +50,10 @@ export function enableAlertsRoute(server: MonitoringCore, npRoute: RouteDependen
           }
         }
 
-        const rulesClient = alertingContext?.getRulesClient();
+        const rulesClient = await alertingContext?.getRulesClient();
         const actionsClient = actionContext?.getActionsClient();
         const types = actionContext?.listTypes();
+
         if (!rulesClient || !actionsClient || !types) {
           return response.ok({ body: undefined });
         }
diff --git a/x-pack/plugins/monitoring/server/routes/api/v1/alerts/status.ts b/x-pack/plugins/monitoring/server/routes/api/v1/alerts/status.ts
index 64a0b7b92d85f..a6c7d9b833ee1 100644
--- a/x-pack/plugins/monitoring/server/routes/api/v1/alerts/status.ts
+++ b/x-pack/plugins/monitoring/server/routes/api/v1/alerts/status.ts
@@ -36,7 +36,7 @@ export function alertStatusRoute(npRoute: RouteDependencies) {
       try {
         const { clusterUuid } = request.params;
         const { alertTypeIds, filters } = request.body;
-        const rulesClient = (await context.alerting)?.getRulesClient();
+        const rulesClient = await (await context.alerting)?.getRulesClient();
         if (!rulesClient) {
           return response.ok({ body: undefined });
         }
diff --git a/x-pack/plugins/monitoring/server/types.ts b/x-pack/plugins/monitoring/server/types.ts
index 95707caf50199..14ef949b93949 100644
--- a/x-pack/plugins/monitoring/server/types.ts
+++ b/x-pack/plugins/monitoring/server/types.ts
@@ -24,17 +24,14 @@ import type {
 } from '@kbn/actions-plugin/server';
 import type { AlertingApiRequestHandlerContext } from '@kbn/alerting-plugin/server';
 import type { RacApiRequestHandlerContext } from '@kbn/rule-registry-plugin/server';
-import {
-  PluginStartContract as AlertingPluginStartContract,
-  PluginSetupContract as AlertingPluginSetupContract,
-} from '@kbn/alerting-plugin/server';
+import { AlertingServerSetup, AlertingServerStart } from '@kbn/alerting-plugin/server';
 import { InfraPluginSetup, InfraRequestHandlerContext } from '@kbn/infra-plugin/server';
-import { PluginSetupContract as AlertingPluginSetup } from '@kbn/alerting-plugin/server';
 import { LicensingPluginStart } from '@kbn/licensing-plugin/server';
 import { FeaturesPluginSetup } from '@kbn/features-plugin/server';
 import { EncryptedSavedObjectsPluginSetup } from '@kbn/encrypted-saved-objects-plugin/server';
 import { CloudSetup } from '@kbn/cloud-plugin/server';
 import { RouteConfig, RouteMethod, Headers } from '@kbn/core/server';
+import { ActionTypeRegistry } from '@kbn/actions-plugin/server/action_type_registry';
 import { ElasticsearchModifiedSource } from '../common/types/es';
 import { RulesByType } from '../common/types/alerts';
 import { configSchema, MonitoringConfig } from './config';
@@ -53,7 +50,7 @@ export interface PluginsSetup {
   encryptedSavedObjects?: EncryptedSavedObjectsPluginSetup;
   usageCollection?: UsageCollectionSetup;
   features: FeaturesPluginSetup;
-  alerting?: AlertingPluginSetupContract;
+  alerting?: AlertingServerSetup;
   infra: InfraPluginSetup;
   cloud?: CloudSetup;
 }
@@ -66,7 +63,7 @@ export type RequestHandlerContextMonitoringPlugin = CustomRequestHandlerContext<
 }>;
 
 export interface PluginsStart {
-  alerting: AlertingPluginStartContract;
+  alerting: AlertingServerStart;
   actions: ActionsPluginsStartContact;
   licensing: LicensingPluginStart;
 }
@@ -76,7 +73,7 @@ export interface RouteDependencies {
   router: IRouter<RequestHandlerContextMonitoringPlugin>;
   licenseService: MonitoringLicenseService;
   encryptedSavedObjects?: EncryptedSavedObjectsPluginSetup;
-  alerting?: AlertingPluginSetup;
+  alerting?: AlertingServerSetup;
   logger: Logger;
 }
 
@@ -127,9 +124,11 @@ export interface LegacyRequest<Params = any, Query = any, Body = any> {
   headers: Headers;
   getKibanaStatsCollector: () => any;
   getUiSettingsService: () => any;
-  getActionTypeRegistry: () => any;
-  getRulesClient: () => any;
-  getActionsClient: () => any;
+  getActionTypeRegistry: () => ReturnType<ActionTypeRegistry['list']>;
+  getRulesClient: () => ReturnType<AlertingServerStart['getRulesClientWithRequest']> | null;
+  getActionsClient: () => ReturnType<
+    ActionsPluginsStartContact['getActionsClientWithRequest']
+  > | null;
   server: LegacyServer;
 }
 
diff --git a/x-pack/plugins/observability_solution/apm/common/alerting/config/apm_alerting_feature_ids.ts b/x-pack/plugins/observability_solution/apm/common/alerting/config/apm_alerting_feature_ids.ts
index ac0afd7e912ca..784ab0b534256 100644
--- a/x-pack/plugins/observability_solution/apm/common/alerting/config/apm_alerting_feature_ids.ts
+++ b/x-pack/plugins/observability_solution/apm/common/alerting/config/apm_alerting_feature_ids.ts
@@ -5,12 +5,19 @@
  * 2.0.
  */
 
-import { AlertConsumers, type ValidFeatureId } from '@kbn/rule-data-utils';
+import {
+  AlertConsumers,
+  OBSERVABILITY_RULE_TYPE_IDS,
+  type ValidFeatureId,
+} from '@kbn/rule-data-utils';
 
-export const apmAlertingFeatureIds: ValidFeatureId[] = [
+export const apmAlertingConsumers: ValidFeatureId[] = [
   AlertConsumers.LOGS,
   AlertConsumers.APM,
   AlertConsumers.SLO,
   AlertConsumers.OBSERVABILITY,
   AlertConsumers.INFRASTRUCTURE,
+  AlertConsumers.ALERTS,
 ];
+
+export const apmAlertingRuleTypeIds: string[] = [...OBSERVABILITY_RULE_TYPE_IDS];
diff --git a/x-pack/plugins/observability_solution/apm/public/components/app/alerts_overview/index.tsx b/x-pack/plugins/observability_solution/apm/public/components/app/alerts_overview/index.tsx
index 54ff6402b6777..682634819e623 100644
--- a/x-pack/plugins/observability_solution/apm/public/components/app/alerts_overview/index.tsx
+++ b/x-pack/plugins/observability_solution/apm/public/components/app/alerts_overview/index.tsx
@@ -13,7 +13,10 @@ import { EuiPanel, EuiFlexItem, EuiFlexGroup } from '@elastic/eui';
 import { BoolQuery } from '@kbn/es-query';
 import { AlertConsumers } from '@kbn/rule-data-utils';
 import { useKibana } from '@kbn/kibana-react-plugin/public';
-import { apmAlertingFeatureIds } from '../../../../common/alerting/config/apm_alerting_feature_ids';
+import {
+  apmAlertingConsumers,
+  apmAlertingRuleTypeIds,
+} from '../../../../common/alerting/config/apm_alerting_feature_ids';
 import { ApmPluginStartDeps } from '../../../plugin';
 import { useAnyOfApmParams } from '../../../hooks/use_apm_params';
 import { SERVICE_NAME } from '../../../../common/es_fields/apm';
@@ -108,7 +111,8 @@ export function AlertsOverview() {
               alertsTableConfigurationRegistry={alertsTableConfigurationRegistry}
               id={'service-overview-alerts'}
               configurationId={AlertConsumers.OBSERVABILITY}
-              featureIds={apmAlertingFeatureIds}
+              ruleTypeIds={apmAlertingRuleTypeIds}
+              consumers={apmAlertingConsumers}
               query={esQuery}
               showAlertStatusWithFlapping
               cellContext={{ observabilityRuleTypeRegistry }}
diff --git a/x-pack/plugins/observability_solution/apm/server/feature.ts b/x-pack/plugins/observability_solution/apm/server/feature.ts
index f9b047c602cda..6e129d298e0a7 100644
--- a/x-pack/plugins/observability_solution/apm/server/feature.ts
+++ b/x-pack/plugins/observability_solution/apm/server/feature.ts
@@ -15,10 +15,14 @@ import {
 
 import { APM_INDEX_SETTINGS_SAVED_OBJECT_TYPE } from '@kbn/apm-data-access-plugin/server/saved_objects/apm_indices';
 import { ApmRuleType } from '@kbn/rule-data-utils';
+import { ALERTING_FEATURE_ID } from '@kbn/alerting-plugin/common';
 import { KibanaFeatureConfig, KibanaFeatureScope } from '@kbn/features-plugin/common';
 import { APM_SERVER_FEATURE_ID } from '../common/rules/apm_rule_types';
 
-const ruleTypes = Object.values(ApmRuleType);
+const alertingFeatures = Object.values(ApmRuleType).map((ruleTypeId) => ({
+  ruleTypeId,
+  consumers: [APM_SERVER_FEATURE_ID, ALERTING_FEATURE_ID],
+}));
 
 export const APM_FEATURE: KibanaFeatureConfig = {
   id: APM_SERVER_FEATURE_ID,
@@ -33,7 +37,7 @@ export const APM_FEATURE: KibanaFeatureConfig = {
   management: {
     insightsAndAlerting: ['triggersActions'],
   },
-  alerting: ruleTypes,
+  alerting: alertingFeatures,
   // see x-pack/plugins/features/common/feature_kibana_privileges.ts
   privileges: {
     all: {
@@ -46,10 +50,10 @@ export const APM_FEATURE: KibanaFeatureConfig = {
       },
       alerting: {
         alert: {
-          all: ruleTypes,
+          all: alertingFeatures,
         },
         rule: {
-          all: ruleTypes,
+          all: alertingFeatures,
         },
       },
       management: {
@@ -67,10 +71,10 @@ export const APM_FEATURE: KibanaFeatureConfig = {
       },
       alerting: {
         alert: {
-          read: ruleTypes,
+          read: alertingFeatures,
         },
         rule: {
-          read: ruleTypes,
+          read: alertingFeatures,
         },
       },
       management: {
diff --git a/x-pack/plugins/observability_solution/apm/server/lib/helpers/get_apm_alerts_client.ts b/x-pack/plugins/observability_solution/apm/server/lib/helpers/get_apm_alerts_client.ts
index 528d5bd8cc6a0..95c29472dbc79 100644
--- a/x-pack/plugins/observability_solution/apm/server/lib/helpers/get_apm_alerts_client.ts
+++ b/x-pack/plugins/observability_solution/apm/server/lib/helpers/get_apm_alerts_client.ts
@@ -12,7 +12,7 @@ import { DataTier } from '@kbn/observability-shared-plugin/common';
 import { searchExcludedDataTiers } from '@kbn/observability-plugin/common/ui_settings_keys';
 import { estypes } from '@elastic/elasticsearch';
 import { getDataTierFilterCombined } from '@kbn/apm-data-access-plugin/server/utils';
-import { apmAlertingFeatureIds } from '../../../common/alerting/config/apm_alerting_feature_ids';
+import { apmAlertingRuleTypeIds } from '../../../common/alerting/config/apm_alerting_feature_ids';
 import type { MinimalAPMRouteHandlerResources } from '../../routes/apm_routes/register_apm_server_routes';
 
 export type ApmAlertsClient = Awaited<ReturnType<typeof getApmAlertsClient>>;
@@ -32,7 +32,7 @@ export async function getApmAlertsClient({
 
   const ruleRegistryPluginStart = await plugins.ruleRegistry.start();
   const alertsClient = await ruleRegistryPluginStart.getRacClientWithRequest(request);
-  const apmAlertsIndices = await alertsClient.getAuthorizedAlertsIndices(apmAlertingFeatureIds);
+  const apmAlertsIndices = await alertsClient.getAuthorizedAlertsIndices(apmAlertingRuleTypeIds);
 
   if (!apmAlertsIndices || isEmpty(apmAlertsIndices)) {
     throw Error('No alert indices exist for "apm"');
diff --git a/x-pack/plugins/observability_solution/apm/server/routes/alerts/register_apm_rule_types.ts b/x-pack/plugins/observability_solution/apm/server/routes/alerts/register_apm_rule_types.ts
index 4c57ef4a10e1d..ea653b47145a2 100644
--- a/x-pack/plugins/observability_solution/apm/server/routes/alerts/register_apm_rule_types.ts
+++ b/x-pack/plugins/observability_solution/apm/server/routes/alerts/register_apm_rule_types.ts
@@ -8,10 +8,7 @@
 import type { AlertsLocatorParams } from '@kbn/observability-plugin/common';
 import { LocatorPublic } from '@kbn/share-plugin/common';
 import { IBasePath, Logger, SavedObjectsClientContract } from '@kbn/core/server';
-import {
-  PluginSetupContract as AlertingPluginSetupContract,
-  type IRuleTypeAlerts,
-} from '@kbn/alerting-plugin/server';
+import type { AlertingServerSetup, IRuleTypeAlerts } from '@kbn/alerting-plugin/server';
 import { ObservabilityPluginSetup } from '@kbn/observability-plugin/server';
 import { IRuleDataClient } from '@kbn/rule-registry-plugin/server';
 import { MlPluginSetup } from '@kbn/ml-plugin/server';
@@ -100,7 +97,7 @@ export const ApmRuleTypeAlertDefinition: IRuleTypeAlerts<ObservabilityApmAlert>
 };
 
 export interface RegisterRuleDependencies {
-  alerting: AlertingPluginSetupContract;
+  alerting: AlertingServerSetup;
   basePath: IBasePath;
   getApmIndices: (soClient: SavedObjectsClientContract) => Promise<APMIndices>;
   apmConfig: APMConfig;
diff --git a/x-pack/plugins/observability_solution/apm/server/routes/alerts/test_utils/index.ts b/x-pack/plugins/observability_solution/apm/server/routes/alerts/test_utils/index.ts
index ce3e67baea1d6..9230ca4983698 100644
--- a/x-pack/plugins/observability_solution/apm/server/routes/alerts/test_utils/index.ts
+++ b/x-pack/plugins/observability_solution/apm/server/routes/alerts/test_utils/index.ts
@@ -9,7 +9,7 @@ import { IBasePath, Logger } from '@kbn/core/server';
 import { elasticsearchServiceMock } from '@kbn/core/server/mocks';
 import { IRuleDataClient } from '@kbn/rule-registry-plugin/server';
 import { ruleRegistryMocks } from '@kbn/rule-registry-plugin/server/mocks';
-import { PluginSetupContract as AlertingPluginSetupContract } from '@kbn/alerting-plugin/server';
+import { AlertingServerSetup } from '@kbn/alerting-plugin/server';
 import { ObservabilityPluginSetup } from '@kbn/observability-plugin/server';
 import { DEFAULT_FLAPPING_SETTINGS } from '@kbn/alerting-plugin/common';
 import { APMConfig, APM_SERVER_FEATURE_ID } from '../../..';
@@ -28,7 +28,7 @@ export const createRuleTypeMocks = () => {
     registerType: ({ executor }) => {
       alertExecutor = executor;
     },
-  } as AlertingPluginSetupContract;
+  } as AlertingServerSetup;
 
   const scheduleActions = jest.fn();
   const getUuid = jest.fn();
diff --git a/x-pack/plugins/observability_solution/apm/server/routes/typings.ts b/x-pack/plugins/observability_solution/apm/server/routes/typings.ts
index 126ae48937648..de5aeb6031d1c 100644
--- a/x-pack/plugins/observability_solution/apm/server/routes/typings.ts
+++ b/x-pack/plugins/observability_solution/apm/server/routes/typings.ts
@@ -16,14 +16,12 @@ import type {
 import type { RacApiRequestHandlerContext } from '@kbn/rule-registry-plugin/server';
 import type { LicensingApiRequestHandlerContext } from '@kbn/licensing-plugin/server';
 import type { UsageCollectionSetup } from '@kbn/usage-collection-plugin/server';
-import type { RulesClientApi } from '@kbn/alerting-plugin/server/types';
+import { RulesClientApi } from '@kbn/alerting-plugin/server/types';
 
 export type ApmPluginRequestHandlerContext = CustomRequestHandlerContext<{
   licensing: Pick<LicensingApiRequestHandlerContext, 'license' | 'featureUsage'>;
   alerting: {
-    // Pick<AlertingApiRequestHandlerContext, 'getRulesClient'> is a superset of this
-    // and incompatible with the start contract from the alerting plugin
-    getRulesClient: () => RulesClientApi;
+    getRulesClient: () => Promise<RulesClientApi>;
   };
   rac: Pick<RacApiRequestHandlerContext, 'getAlertsClient'>;
 }>;
diff --git a/x-pack/plugins/observability_solution/apm/server/types.ts b/x-pack/plugins/observability_solution/apm/server/types.ts
index 84e0d5462c43b..e99860b9d441f 100644
--- a/x-pack/plugins/observability_solution/apm/server/types.ts
+++ b/x-pack/plugins/observability_solution/apm/server/types.ts
@@ -24,7 +24,7 @@ import { SpacesPluginSetup, SpacesPluginStart } from '@kbn/spaces-plugin/server'
 import { HomeServerPluginSetup, HomeServerPluginStart } from '@kbn/home-plugin/server';
 import { UsageCollectionSetup } from '@kbn/usage-collection-plugin/server';
 import { ActionsPlugin } from '@kbn/actions-plugin/server';
-import { AlertingPlugin } from '@kbn/alerting-plugin/server';
+import type { AlertingServerSetup, AlertingServerStart } from '@kbn/alerting-plugin/server';
 import { CloudSetup } from '@kbn/cloud-plugin/server';
 import { FeaturesPluginSetup, FeaturesPluginStart } from '@kbn/features-plugin/server';
 import { LicensingPluginSetup, LicensingPluginStart } from '@kbn/licensing-plugin/server';
@@ -78,7 +78,7 @@ export interface APMPluginSetupDependencies {
   observabilityAIAssistant?: ObservabilityAIAssistantServerSetup;
   // optional dependencies
   actions?: ActionsPlugin['setup'];
-  alerting?: AlertingPlugin['setup'];
+  alerting?: AlertingServerSetup;
   cloud?: CloudSetup;
   fleet?: FleetPluginSetup;
   home?: HomeServerPluginSetup;
@@ -105,7 +105,7 @@ export interface APMPluginStartDependencies {
   observabilityAIAssistant?: ObservabilityAIAssistantServerStart;
   // optional dependencies
   actions?: ActionsPlugin['start'];
-  alerting?: AlertingPlugin['start'];
+  alerting?: AlertingServerStart;
   cloud?: undefined;
   fleet?: FleetPluginStart;
   home?: HomeServerPluginStart;
diff --git a/x-pack/plugins/observability_solution/infra/common/alerting/logs/log_threshold/types.ts b/x-pack/plugins/observability_solution/infra/common/alerting/logs/log_threshold/types.ts
index b8410a478b6f8..2ae0e0b00a2dd 100644
--- a/x-pack/plugins/observability_solution/infra/common/alerting/logs/log_threshold/types.ts
+++ b/x-pack/plugins/observability_solution/infra/common/alerting/logs/log_threshold/types.ts
@@ -10,7 +10,7 @@ import * as rt from 'io-ts';
 import { persistedLogViewReferenceRT } from '@kbn/logs-shared-plugin/common';
 import { commonSearchSuccessResponseFieldsRT } from '../../../utils/elasticsearch_runtime_types';
 
-export const LOG_DOCUMENT_COUNT_RULE_TYPE_ID = 'logs.alert.document.count';
+export { LOG_THRESHOLD_ALERT_TYPE_ID as LOG_DOCUMENT_COUNT_RULE_TYPE_ID } from '@kbn/rule-data-utils';
 
 const ThresholdTypeRT = rt.keyof({
   count: null,
diff --git a/x-pack/plugins/observability_solution/infra/common/alerting/metrics/types.ts b/x-pack/plugins/observability_solution/infra/common/alerting/metrics/types.ts
index b5a3c084c47cb..d1adb75d51134 100644
--- a/x-pack/plugins/observability_solution/infra/common/alerting/metrics/types.ts
+++ b/x-pack/plugins/observability_solution/infra/common/alerting/metrics/types.ts
@@ -8,16 +8,12 @@ import { TimeUnitChar } from '@kbn/observability-plugin/common/utils/formatters/
 import { InventoryItemType, SnapshotMetricType } from '@kbn/metrics-data-access-plugin/common';
 import { COMPARATORS } from '@kbn/alerting-comparators';
 import { LEGACY_COMPARATORS } from '@kbn/observability-plugin/common/utils/convert_legacy_outside_comparator';
+export { INFRA_RULE_TYPE_IDS } from '@kbn/rule-data-utils';
 import { SnapshotCustomMetricInput } from '../../http_api';
 
 export const METRIC_THRESHOLD_ALERT_TYPE_ID = 'metrics.alert.threshold';
 export const METRIC_INVENTORY_THRESHOLD_ALERT_TYPE_ID = 'metrics.alert.inventory.threshold';
 
-export enum InfraRuleType {
-  MetricThreshold = 'metrics.alert.threshold',
-  InventoryThreshold = 'metrics.alert.inventory.threshold',
-}
-
 export enum Aggregators {
   COUNT = 'count',
   AVERAGE = 'avg',
diff --git a/x-pack/plugins/observability_solution/infra/common/constants.ts b/x-pack/plugins/observability_solution/infra/common/constants.ts
index f871b7a6707ca..c86d39cddb3fb 100644
--- a/x-pack/plugins/observability_solution/infra/common/constants.ts
+++ b/x-pack/plugins/observability_solution/infra/common/constants.ts
@@ -16,12 +16,13 @@ export const METRICS_FEATURE_ID = AlertConsumers.INFRASTRUCTURE;
 export const INFRA_ALERT_FEATURE_ID = AlertConsumers.INFRASTRUCTURE;
 export const LOGS_FEATURE_ID = AlertConsumers.LOGS;
 
-export const INFRA_ALERT_FEATURE_IDS: ValidFeatureId[] = [
+export const INFRA_ALERT_CONSUMERS: ValidFeatureId[] = [
   AlertConsumers.INFRASTRUCTURE,
   AlertConsumers.OBSERVABILITY,
   AlertConsumers.LOGS,
   AlertConsumers.SLO,
   AlertConsumers.APM,
+  AlertConsumers.ALERTS,
 ];
 
 export type InfraFeatureId = typeof METRICS_FEATURE_ID | typeof LOGS_FEATURE_ID;
diff --git a/x-pack/plugins/observability_solution/infra/public/components/shared/alerts/alerts_overview.tsx b/x-pack/plugins/observability_solution/infra/public/components/shared/alerts/alerts_overview.tsx
index 5c622a8e1bbbc..e1143948f1674 100644
--- a/x-pack/plugins/observability_solution/infra/public/components/shared/alerts/alerts_overview.tsx
+++ b/x-pack/plugins/observability_solution/infra/public/components/shared/alerts/alerts_overview.tsx
@@ -8,14 +8,15 @@ import React, { useCallback, useMemo, useState } from 'react';
 import type { AlertStatus } from '@kbn/observability-plugin/common/typings';
 import type { TimeRange } from '@kbn/es-query';
 import { useSummaryTimeRange } from '@kbn/observability-plugin/public';
-import { AlertConsumers } from '@kbn/rule-data-utils';
+import { AlertConsumers, OBSERVABILITY_RULE_TYPE_IDS } from '@kbn/rule-data-utils';
 import { EuiFlexGroup, EuiFlexItem } from '@elastic/eui';
 import { BrushEndListener, XYBrushEvent } from '@elastic/charts';
 import type { InventoryItemType } from '@kbn/metrics-data-access-plugin/common';
+import { INFRA_ALERT_CONSUMERS } from '../../../../common/constants';
 import { AlertsCount } from '../../../hooks/use_alerts_count';
 import { useKibanaContextForPlugin } from '../../../hooks/use_kibana';
 import { createAlertsEsQuery } from '../../../utils/filters/create_alerts_es_query';
-import { ALERT_STATUS_ALL, infraAlertFeatureIds } from './constants';
+import { ALERT_STATUS_ALL } from './constants';
 import AlertsStatusFilter from './alerts_status_filter';
 import { useAssetDetailsUrlState } from '../../asset_details/hooks/use_asset_details_url_state';
 
@@ -112,7 +113,8 @@ export const AlertsOverview = ({
       <EuiFlexItem>
         <AlertSummaryWidget
           chartProps={chartProps}
-          featureIds={infraAlertFeatureIds}
+          ruleTypeIds={OBSERVABILITY_RULE_TYPE_IDS}
+          consumers={INFRA_ALERT_CONSUMERS}
           filter={alertsEsQuery}
           timeRange={summaryTimeRange}
           onLoaded={onLoaded}
@@ -125,7 +127,8 @@ export const AlertsOverview = ({
           alertsTableConfigurationRegistry={alertsTableConfigurationRegistry}
           id={'assetDetailsAlertsTable'}
           configurationId={AlertConsumers.OBSERVABILITY}
-          featureIds={infraAlertFeatureIds}
+          ruleTypeIds={OBSERVABILITY_RULE_TYPE_IDS}
+          consumers={INFRA_ALERT_CONSUMERS}
           showAlertStatusWithFlapping
           query={alertsEsQueryByStatus}
           initialPageSize={5}
diff --git a/x-pack/plugins/observability_solution/infra/public/components/shared/alerts/constants.ts b/x-pack/plugins/observability_solution/infra/public/components/shared/alerts/constants.ts
index 77471dc8c51ac..a876d5f812de5 100644
--- a/x-pack/plugins/observability_solution/infra/public/components/shared/alerts/constants.ts
+++ b/x-pack/plugins/observability_solution/infra/public/components/shared/alerts/constants.ts
@@ -14,7 +14,7 @@ import {
 } from '@kbn/rule-data-utils';
 import type { Filter } from '@kbn/es-query';
 import type { AlertStatus } from '@kbn/observability-plugin/common/typings';
-import { INFRA_ALERT_FEATURE_IDS } from '../../../../common/constants';
+import { INFRA_ALERT_CONSUMERS } from '../../../../common/constants';
 
 export const ALERT_STATUS_ALL = 'all';
 
@@ -87,4 +87,4 @@ export const ALERTS_PATH = '/app/observability/alerts';
 export const ALERTS_PER_PAGE = 10;
 export const ALERTS_TABLE_ID = 'xpack.infra.hosts.alerts.table';
 
-export const infraAlertFeatureIds = INFRA_ALERT_FEATURE_IDS;
+export const infraAlertFeatureIds = INFRA_ALERT_CONSUMERS;
diff --git a/x-pack/plugins/observability_solution/infra/public/hooks/use_alerts_count.test.ts b/x-pack/plugins/observability_solution/infra/public/hooks/use_alerts_count.test.ts
index 87db1db65398a..e6f0e63c2c29b 100644
--- a/x-pack/plugins/observability_solution/infra/public/hooks/use_alerts_count.test.ts
+++ b/x-pack/plugins/observability_solution/infra/public/hooks/use_alerts_count.test.ts
@@ -6,7 +6,7 @@
  */
 
 import { waitFor, renderHook } from '@testing-library/react';
-import { ALERT_STATUS, ValidFeatureId } from '@kbn/rule-data-utils';
+import { ALERT_STATUS } from '@kbn/rule-data-utils';
 
 import { useAlertsCount } from './use_alerts_count';
 import { KibanaReactContextValue, useKibana } from '@kbn/kibana-react-plugin/public';
@@ -53,7 +53,8 @@ const mockUseKibana = () => {
 };
 
 describe('useAlertsCount', () => {
-  const featureIds: ValidFeatureId[] = ['infrastructure'];
+  const ruleTypeIds = ['metrics.alert.inventory.threshold'];
+  const consumers = ['foo'];
 
   beforeAll(() => {
     mockUseKibana();
@@ -66,7 +67,7 @@ describe('useAlertsCount', () => {
   it('should return the mocked data from API', async () => {
     mockedPostAPI.mockResolvedValue(mockedAlertsCountResponse);
 
-    const { result } = renderHook(() => useAlertsCount({ featureIds }));
+    const { result } = renderHook(() => useAlertsCount({ ruleTypeIds }));
 
     expect(result.current.loading).toBe(true);
     expect(result.current.alertsCount).toEqual(undefined);
@@ -90,7 +91,8 @@ describe('useAlertsCount', () => {
 
     renderHook(() =>
       useAlertsCount({
-        featureIds,
+        ruleTypeIds,
+        consumers,
         query,
       })
     );
@@ -101,7 +103,8 @@ describe('useAlertsCount', () => {
           terms: { field: ALERT_STATUS },
         },
       },
-      feature_ids: featureIds,
+      rule_type_ids: ruleTypeIds,
+      consumers,
       query,
       size: 0,
     });
@@ -118,7 +121,7 @@ describe('useAlertsCount', () => {
     const error = new Error('Fetch Alerts Count Failed');
     mockedPostAPI.mockRejectedValueOnce(error);
 
-    const { result } = renderHook(() => useAlertsCount({ featureIds }));
+    const { result } = renderHook(() => useAlertsCount({ ruleTypeIds }));
 
     await waitFor(() => expect(result.current.error?.message).toMatch(error.message));
   });
diff --git a/x-pack/plugins/observability_solution/infra/public/hooks/use_alerts_count.ts b/x-pack/plugins/observability_solution/infra/public/hooks/use_alerts_count.ts
index 5c602d09b7d23..aab542d597f92 100644
--- a/x-pack/plugins/observability_solution/infra/public/hooks/use_alerts_count.ts
+++ b/x-pack/plugins/observability_solution/infra/public/hooks/use_alerts_count.ts
@@ -12,17 +12,19 @@ import { BASE_RAC_ALERTS_API_PATH } from '@kbn/rule-registry-plugin/common/const
 import { estypes } from '@elastic/elasticsearch';
 import { useKibana } from '@kbn/kibana-react-plugin/public';
 import type { HttpSetup } from '@kbn/core/public';
-import { ALERT_STATUS_ACTIVE, ALERT_STATUS_RECOVERED, ValidFeatureId } from '@kbn/rule-data-utils';
+import { ALERT_STATUS_ACTIVE, ALERT_STATUS_RECOVERED } from '@kbn/rule-data-utils';
 
 import { InfraClientCoreStart } from '../types';
 
 interface UseAlertsCountProps {
-  featureIds: ValidFeatureId[];
+  ruleTypeIds: string[];
+  consumers?: string[];
   query?: estypes.QueryDslQueryContainer;
 }
 
 interface FetchAlertsCountParams {
-  featureIds: ValidFeatureId[];
+  ruleTypeIds: string[];
+  consumers?: string[];
   query?: estypes.QueryDslQueryContainer;
   http: HttpSetup;
   signal: AbortSignal;
@@ -35,7 +37,7 @@ export interface AlertsCount {
 
 const ALERT_STATUS = 'kibana.alert.status';
 
-export function useAlertsCount({ featureIds, query }: UseAlertsCountProps) {
+export function useAlertsCount({ ruleTypeIds, consumers, query }: UseAlertsCountProps) {
   const { http } = useKibana<InfraClientCoreStart>().services;
 
   const abortCtrlRef = useRef(new AbortController());
@@ -45,13 +47,14 @@ export function useAlertsCount({ featureIds, query }: UseAlertsCountProps) {
       abortCtrlRef.current.abort();
       abortCtrlRef.current = new AbortController();
       return fetchAlertsCount({
-        featureIds,
+        ruleTypeIds,
+        consumers,
         query,
         http,
         signal: abortCtrlRef.current.signal,
       });
     },
-    [featureIds, query, http],
+    [ruleTypeIds, query, http],
     { loading: true }
   );
 
@@ -70,7 +73,8 @@ export function useAlertsCount({ featureIds, query }: UseAlertsCountProps) {
 }
 
 async function fetchAlertsCount({
-  featureIds,
+  ruleTypeIds,
+  consumers,
   http,
   query,
   signal,
@@ -84,7 +88,8 @@ async function fetchAlertsCount({
             terms: { field: ALERT_STATUS },
           },
         },
-        feature_ids: featureIds,
+        rule_type_ids: ruleTypeIds,
+        consumers,
         query,
         size: 0,
       }),
diff --git a/x-pack/plugins/observability_solution/infra/public/pages/logs/settings/indices_configuration_panel.tsx b/x-pack/plugins/observability_solution/infra/public/pages/logs/settings/indices_configuration_panel.tsx
index 8f42b4cf1bc6a..0e16a404cbd54 100644
--- a/x-pack/plugins/observability_solution/infra/public/pages/logs/settings/indices_configuration_panel.tsx
+++ b/x-pack/plugins/observability_solution/infra/public/pages/logs/settings/indices_configuration_panel.tsx
@@ -19,7 +19,7 @@ import {
 import { EuiCallOut } from '@elastic/eui';
 import { i18n } from '@kbn/i18n';
 import { loadRuleAggregations } from '@kbn/triggers-actions-ui-plugin/public';
-import { LOG_THRESHOLD_ALERT_TYPE_ID } from '@kbn/rule-data-utils';
+import { AlertConsumers, LOG_THRESHOLD_ALERT_TYPE_ID } from '@kbn/rule-data-utils';
 
 import { rulesLocatorID, RulesParams } from '@kbn/observability-plugin/public';
 import { EuiLink } from '@elastic/eui';
@@ -93,7 +93,8 @@ export const IndicesConfigurationPanel = React.memo<{
       if (http) {
         const { ruleExecutionStatus } = await loadRuleAggregations({
           http,
-          typesFilter: [LOG_THRESHOLD_ALERT_TYPE_ID],
+          ruleTypeIds: [LOG_THRESHOLD_ALERT_TYPE_ID],
+          consumers: [AlertConsumers.LOGS, AlertConsumers.ALERTS, AlertConsumers.OBSERVABILITY],
         });
         const numberOfRules = Object.values(ruleExecutionStatus).reduce(
           (acc, value) => acc + value,
diff --git a/x-pack/plugins/observability_solution/infra/public/pages/metrics/hosts/components/tabs/alerts/alerts_tab_content.tsx b/x-pack/plugins/observability_solution/infra/public/pages/metrics/hosts/components/tabs/alerts/alerts_tab_content.tsx
index 14da46d12d349..7b0ec7ed2d2f1 100644
--- a/x-pack/plugins/observability_solution/infra/public/pages/metrics/hosts/components/tabs/alerts/alerts_tab_content.tsx
+++ b/x-pack/plugins/observability_solution/infra/public/pages/metrics/hosts/components/tabs/alerts/alerts_tab_content.tsx
@@ -6,11 +6,16 @@
  */
 import React from 'react';
 import { EuiFlexGroup, EuiFlexItem } from '@elastic/eui';
-import { AlertConsumers } from '@kbn/rule-data-utils';
+import {
+  AlertConsumers,
+  INFRA_RULE_TYPE_IDS,
+  OBSERVABILITY_RULE_TYPE_IDS,
+} from '@kbn/rule-data-utils';
 import { BrushEndListener, type XYBrushEvent } from '@elastic/charts';
 import { useSummaryTimeRange } from '@kbn/observability-plugin/public';
 import { useBoolean } from '@kbn/react-hooks';
 import type { TimeRange } from '@kbn/es-query';
+import { INFRA_ALERT_CONSUMERS } from '../../../../../../../common/constants';
 import { useKibanaContextForPlugin } from '../../../../../../hooks/use_kibana';
 import { HeightRetainer } from '../../../../../../components/height_retainer';
 import { useUnifiedSearchContext } from '../../../hooks/use_unified_search';
@@ -20,7 +25,6 @@ import { AlertsEsQuery } from '../../../../../../utils/filters/create_alerts_es_
 import {
   ALERTS_PER_PAGE,
   ALERTS_TABLE_ID,
-  infraAlertFeatureIds,
 } from '../../../../../../components/shared/alerts/constants';
 import AlertsStatusFilter from '../../../../../../components/shared/alerts/alerts_status_filter';
 import { CreateAlertRuleButton } from '../../../../../../components/shared/alerts/links/create_alert_rule_button';
@@ -86,7 +90,8 @@ export const AlertsTabContent = () => {
             <AlertsStateTable
               alertsTableConfigurationRegistry={alertsTableConfigurationRegistry}
               configurationId={AlertConsumers.OBSERVABILITY}
-              featureIds={infraAlertFeatureIds}
+              ruleTypeIds={OBSERVABILITY_RULE_TYPE_IDS}
+              consumers={INFRA_ALERT_CONSUMERS}
               id={ALERTS_TABLE_ID}
               initialPageSize={ALERTS_PER_PAGE}
               query={alertsEsQueryByStatus}
@@ -141,7 +146,8 @@ const MemoAlertSummaryWidget = React.memo(
     return (
       <AlertSummaryWidget
         chartProps={chartProps}
-        featureIds={infraAlertFeatureIds}
+        ruleTypeIds={INFRA_RULE_TYPE_IDS}
+        consumers={INFRA_ALERT_CONSUMERS}
         filter={alertsQuery}
         fullSize
         timeRange={summaryTimeRange}
diff --git a/x-pack/plugins/observability_solution/infra/public/pages/metrics/hosts/components/tabs/alerts_tab_badge.tsx b/x-pack/plugins/observability_solution/infra/public/pages/metrics/hosts/components/tabs/alerts_tab_badge.tsx
index c2361ce39dfec..9647d7a475836 100644
--- a/x-pack/plugins/observability_solution/infra/public/pages/metrics/hosts/components/tabs/alerts_tab_badge.tsx
+++ b/x-pack/plugins/observability_solution/infra/public/pages/metrics/hosts/components/tabs/alerts_tab_badge.tsx
@@ -7,15 +7,17 @@
 import React from 'react';
 import { EuiIcon, EuiLoadingSpinner, EuiBadge, EuiToolTip } from '@elastic/eui';
 import { i18n } from '@kbn/i18n';
+import { INFRA_ALERT_CONSUMERS } from '../../../../../../common/constants';
+import { INFRA_RULE_TYPE_IDS } from '../../../../../../common/alerting/metrics/types';
 import { useAlertsCount } from '../../../../../hooks/use_alerts_count';
 import { useAlertsQuery } from '../../hooks/use_alerts_query';
-import { infraAlertFeatureIds } from '../../../../../components/shared/alerts/constants';
 
 export const AlertsTabBadge = () => {
   const { alertsEsQuery } = useAlertsQuery();
 
   const { alertsCount, loading, error } = useAlertsCount({
-    featureIds: infraAlertFeatureIds,
+    ruleTypeIds: INFRA_RULE_TYPE_IDS,
+    consumers: INFRA_ALERT_CONSUMERS,
     query: alertsEsQuery,
   });
 
diff --git a/x-pack/plugins/observability_solution/infra/public/pages/metrics/settings/source_configuration_settings.tsx b/x-pack/plugins/observability_solution/infra/public/pages/metrics/settings/source_configuration_settings.tsx
index de078dcb354df..37d2771908eae 100644
--- a/x-pack/plugins/observability_solution/infra/public/pages/metrics/settings/source_configuration_settings.tsx
+++ b/x-pack/plugins/observability_solution/infra/public/pages/metrics/settings/source_configuration_settings.tsx
@@ -22,6 +22,7 @@ import {
 import { loadRuleAggregations } from '@kbn/triggers-actions-ui-plugin/public';
 import { HttpSetup } from '@kbn/core-http-browser';
 import {
+  AlertConsumers,
   METRIC_INVENTORY_THRESHOLD_ALERT_TYPE_ID,
   METRIC_THRESHOLD_ALERT_TYPE_ID,
 } from '@kbn/rule-data-utils';
@@ -58,7 +59,12 @@ export const SourceConfigurationSettings = ({
       if (http) {
         const { ruleExecutionStatus } = await loadRuleAggregations({
           http,
-          typesFilter: [METRIC_INVENTORY_THRESHOLD_ALERT_TYPE_ID, METRIC_THRESHOLD_ALERT_TYPE_ID],
+          ruleTypeIds: [METRIC_INVENTORY_THRESHOLD_ALERT_TYPE_ID, METRIC_THRESHOLD_ALERT_TYPE_ID],
+          consumers: [
+            AlertConsumers.INFRASTRUCTURE,
+            AlertConsumers.ALERTS,
+            AlertConsumers.OBSERVABILITY,
+          ],
         });
         const numberOfRules = Object.values(ruleExecutionStatus).reduce(
           (acc, value) => acc + value,
diff --git a/x-pack/plugins/observability_solution/infra/server/features.ts b/x-pack/plugins/observability_solution/infra/server/features.ts
index b2f83967920e1..77fb8d317fefd 100644
--- a/x-pack/plugins/observability_solution/infra/server/features.ts
+++ b/x-pack/plugins/observability_solution/infra/server/features.ts
@@ -14,6 +14,7 @@ import {
 } from '@kbn/rule-data-utils';
 import { ES_QUERY_ID } from '@kbn/rule-data-utils';
 import { metricsDataSourceSavedObjectName } from '@kbn/metrics-data-access-plugin/server';
+import { ALERTING_FEATURE_ID } from '@kbn/alerting-plugin/common';
 import { KibanaFeatureScope } from '@kbn/features-plugin/common';
 import { LOG_DOCUMENT_COUNT_RULE_TYPE_ID } from '../common/alerting/logs/log_threshold/types';
 import {
@@ -31,6 +32,11 @@ const metricRuleTypes = [
   ML_ANOMALY_DETECTION_RULE_TYPE_ID,
 ];
 
+const metricAlertingFeatures = metricRuleTypes.map((ruleTypeId) => ({
+  ruleTypeId,
+  consumers: [METRICS_FEATURE_ID, ALERTING_FEATURE_ID],
+}));
+
 export const METRICS_FEATURE = {
   id: METRICS_FEATURE_ID,
   name: i18n.translate('xpack.infra.featureRegistry.linkInfrastructureTitle', {
@@ -44,7 +50,7 @@ export const METRICS_FEATURE = {
   management: {
     insightsAndAlerting: ['triggersActions'],
   },
-  alerting: metricRuleTypes,
+  alerting: metricAlertingFeatures,
   privileges: {
     all: {
       app: ['infra', 'metrics', 'kibana'],
@@ -56,10 +62,10 @@ export const METRICS_FEATURE = {
       },
       alerting: {
         rule: {
-          all: metricRuleTypes,
+          all: metricAlertingFeatures,
         },
         alert: {
-          all: metricRuleTypes,
+          all: metricAlertingFeatures,
         },
       },
       management: {
@@ -77,10 +83,10 @@ export const METRICS_FEATURE = {
       },
       alerting: {
         rule: {
-          read: metricRuleTypes,
+          read: metricAlertingFeatures,
         },
         alert: {
-          read: metricRuleTypes,
+          read: metricAlertingFeatures,
         },
       },
       management: {
@@ -98,6 +104,11 @@ const logsRuleTypes = [
   ML_ANOMALY_DETECTION_RULE_TYPE_ID,
 ];
 
+const logsAlertingFeatures = logsRuleTypes.map((ruleTypeId) => ({
+  ruleTypeId,
+  consumers: [LOGS_FEATURE_ID, ALERTING_FEATURE_ID],
+}));
+
 export const LOGS_FEATURE = {
   id: LOGS_FEATURE_ID,
   name: i18n.translate('xpack.infra.featureRegistry.linkLogsTitle', {
@@ -111,7 +122,7 @@ export const LOGS_FEATURE = {
   management: {
     insightsAndAlerting: ['triggersActions'],
   },
-  alerting: logsRuleTypes,
+  alerting: logsAlertingFeatures,
   privileges: {
     all: {
       app: ['infra', 'logs', 'kibana', 'observability-logs-explorer'],
@@ -123,10 +134,10 @@ export const LOGS_FEATURE = {
       },
       alerting: {
         rule: {
-          all: logsRuleTypes,
+          all: logsAlertingFeatures,
         },
         alert: {
-          all: logsRuleTypes,
+          all: logsAlertingFeatures,
         },
       },
       management: {
@@ -140,10 +151,10 @@ export const LOGS_FEATURE = {
       api: ['infra', 'rac'],
       alerting: {
         rule: {
-          read: logsRuleTypes,
+          read: logsAlertingFeatures,
         },
         alert: {
-          read: logsRuleTypes,
+          read: logsAlertingFeatures,
         },
       },
       management: {
diff --git a/x-pack/plugins/observability_solution/infra/server/lib/adapters/framework/adapter_types.ts b/x-pack/plugins/observability_solution/infra/server/lib/adapters/framework/adapter_types.ts
index b8dd11a17fb0b..3ee4f9632b359 100644
--- a/x-pack/plugins/observability_solution/infra/server/lib/adapters/framework/adapter_types.ts
+++ b/x-pack/plugins/observability_solution/infra/server/lib/adapters/framework/adapter_types.ts
@@ -20,7 +20,7 @@ import { HomeServerPluginSetup } from '@kbn/home-plugin/server';
 import { VisTypeTimeseriesSetup } from '@kbn/vis-type-timeseries-plugin/server';
 import { FeaturesPluginSetup } from '@kbn/features-plugin/server';
 import { SpacesPluginSetup } from '@kbn/spaces-plugin/server';
-import { PluginSetupContract as AlertingPluginContract } from '@kbn/alerting-plugin/server';
+import type { AlertingServerSetup } from '@kbn/alerting-plugin/server';
 import { MlPluginSetup } from '@kbn/ml-plugin/server';
 import {
   RuleRegistryPluginSetupContract,
@@ -46,7 +46,7 @@ import type {
 } from '@kbn/entityManager-plugin/server';
 
 export interface InfraServerPluginSetupDeps {
-  alerting: AlertingPluginContract;
+  alerting: AlertingServerSetup;
   data: DataPluginSetup;
   home: HomeServerPluginSetup;
   features: FeaturesPluginSetup;
diff --git a/x-pack/plugins/observability_solution/infra/server/lib/alerting/inventory_metric_threshold/register_inventory_metric_threshold_rule_type.ts b/x-pack/plugins/observability_solution/infra/server/lib/alerting/inventory_metric_threshold/register_inventory_metric_threshold_rule_type.ts
index 7b69d76ba0ce9..f85738248a9c0 100644
--- a/x-pack/plugins/observability_solution/infra/server/lib/alerting/inventory_metric_threshold/register_inventory_metric_threshold_rule_type.ts
+++ b/x-pack/plugins/observability_solution/infra/server/lib/alerting/inventory_metric_threshold/register_inventory_metric_threshold_rule_type.ts
@@ -8,7 +8,7 @@
 import { schema, Type } from '@kbn/config-schema';
 import { i18n } from '@kbn/i18n';
 import { DEFAULT_APP_CATEGORIES } from '@kbn/core/server';
-import { GetViewInAppRelativeUrlFnOpts, PluginSetupContract } from '@kbn/alerting-plugin/server';
+import { GetViewInAppRelativeUrlFnOpts, AlertingServerSetup } from '@kbn/alerting-plugin/server';
 import { observabilityPaths } from '@kbn/observability-plugin/common';
 import { TimeUnitChar } from '@kbn/observability-plugin/common/utils/formatters/duration';
 import {
@@ -81,7 +81,7 @@ const groupActionVariableDescription = i18n.translate(
 );
 
 export function registerInventoryThresholdRuleType(
-  alertingPlugin: PluginSetupContract,
+  alertingPlugin: AlertingServerSetup,
   libs: InfraBackendLibs,
   { featureFlags }: InfraConfig,
   locators: InfraLocators
diff --git a/x-pack/plugins/observability_solution/infra/server/lib/alerting/log_threshold/register_log_threshold_rule_type.ts b/x-pack/plugins/observability_solution/infra/server/lib/alerting/log_threshold/register_log_threshold_rule_type.ts
index decac47dbb5f9..d4eb9050499cf 100644
--- a/x-pack/plugins/observability_solution/infra/server/lib/alerting/log_threshold/register_log_threshold_rule_type.ts
+++ b/x-pack/plugins/observability_solution/infra/server/lib/alerting/log_threshold/register_log_threshold_rule_type.ts
@@ -7,7 +7,10 @@
 
 import { i18n } from '@kbn/i18n';
 import { DEFAULT_APP_CATEGORIES } from '@kbn/core/server';
-import { GetViewInAppRelativeUrlFnOpts, PluginSetupContract } from '@kbn/alerting-plugin/server';
+import type {
+  GetViewInAppRelativeUrlFnOpts,
+  AlertingServerSetup,
+} from '@kbn/alerting-plugin/server';
 import { observabilityPaths } from '@kbn/observability-plugin/common';
 import { decodeOrThrow } from '@kbn/io-ts-utils';
 import type { InfraConfig } from '../../../../common/plugin_config_types';
@@ -103,7 +106,7 @@ const viewInAppUrlActionVariableDescription = i18n.translate(
 );
 
 export function registerLogThresholdRuleType(
-  alertingPlugin: PluginSetupContract,
+  alertingPlugin: AlertingServerSetup,
   libs: InfraBackendLibs,
   { featureFlags }: InfraConfig
 ) {
diff --git a/x-pack/plugins/observability_solution/infra/server/lib/alerting/metric_threshold/register_metric_threshold_rule_type.ts b/x-pack/plugins/observability_solution/infra/server/lib/alerting/metric_threshold/register_metric_threshold_rule_type.ts
index 6369465773cf7..3cc272a02c7fe 100644
--- a/x-pack/plugins/observability_solution/infra/server/lib/alerting/metric_threshold/register_metric_threshold_rule_type.ts
+++ b/x-pack/plugins/observability_solution/infra/server/lib/alerting/metric_threshold/register_metric_threshold_rule_type.ts
@@ -8,7 +8,10 @@
 import { DEFAULT_APP_CATEGORIES } from '@kbn/core/server';
 import { schema } from '@kbn/config-schema';
 import { i18n } from '@kbn/i18n';
-import { GetViewInAppRelativeUrlFnOpts, PluginSetupContract } from '@kbn/alerting-plugin/server';
+import type {
+  GetViewInAppRelativeUrlFnOpts,
+  AlertingServerSetup,
+} from '@kbn/alerting-plugin/server';
 import { observabilityPaths } from '@kbn/observability-plugin/common';
 import { COMPARATORS } from '@kbn/alerting-comparators';
 import { LEGACY_COMPARATORS } from '@kbn/observability-plugin/common/utils/convert_legacy_outside_comparator';
@@ -46,7 +49,7 @@ import { MetricsRulesTypeAlertDefinition } from '../register_rule_types';
 import { O11Y_AAD_FIELDS } from '../../../../common/constants';
 
 export function registerMetricThresholdRuleType(
-  alertingPlugin: PluginSetupContract,
+  alertingPlugin: AlertingServerSetup,
   libs: InfraBackendLibs,
   { featureFlags }: InfraConfig,
   locators: InfraLocators
diff --git a/x-pack/plugins/observability_solution/infra/server/lib/alerting/register_rule_types.ts b/x-pack/plugins/observability_solution/infra/server/lib/alerting/register_rule_types.ts
index 125c3135a235d..6d06c2c98607e 100644
--- a/x-pack/plugins/observability_solution/infra/server/lib/alerting/register_rule_types.ts
+++ b/x-pack/plugins/observability_solution/infra/server/lib/alerting/register_rule_types.ts
@@ -6,7 +6,7 @@
  */
 
 import { legacyExperimentalFieldMap } from '@kbn/alerts-as-data-utils';
-import { type IRuleTypeAlerts, PluginSetupContract } from '@kbn/alerting-plugin/server';
+import { type IRuleTypeAlerts, AlertingServerSetup } from '@kbn/alerting-plugin/server';
 import { registerMetricThresholdRuleType } from './metric_threshold/register_metric_threshold_rule_type';
 import { registerInventoryThresholdRuleType } from './inventory_metric_threshold/register_inventory_metric_threshold_rule_type';
 import { registerLogThresholdRuleType } from './log_threshold/register_log_threshold_rule_type';
@@ -36,7 +36,7 @@ export const MetricsRulesTypeAlertDefinition: IRuleTypeAlerts<MetricThresholdAle
 };
 
 const registerRuleTypes = (
-  alertingPlugin: PluginSetupContract,
+  alertingPlugin: AlertingServerSetup,
   libs: InfraBackendLibs,
   config: InfraConfig,
   locators: InfraLocators
diff --git a/x-pack/plugins/observability_solution/infra/server/lib/helpers/get_infra_alerts_client.ts b/x-pack/plugins/observability_solution/infra/server/lib/helpers/get_infra_alerts_client.ts
index c884b08ebaebf..99464efd02567 100644
--- a/x-pack/plugins/observability_solution/infra/server/lib/helpers/get_infra_alerts_client.ts
+++ b/x-pack/plugins/observability_solution/infra/server/lib/helpers/get_infra_alerts_client.ts
@@ -8,7 +8,7 @@ import { isEmpty } from 'lodash';
 import type { ESSearchRequest, InferSearchResponseOf } from '@kbn/es-types';
 import { ParsedTechnicalFields } from '@kbn/rule-registry-plugin/common';
 import type { KibanaRequest } from '@kbn/core/server';
-import { INFRA_ALERT_FEATURE_IDS } from '../../../common/constants';
+import { OBSERVABILITY_RULE_TYPE_IDS } from '@kbn/rule-data-utils';
 import type { InfraBackendLibs } from '../infra_types';
 
 type RequiredParams = ESSearchRequest & {
@@ -27,7 +27,9 @@ export async function getInfraAlertsClient({
 }) {
   const [, { ruleRegistry }] = await libs.getStartServices();
   const alertsClient = await ruleRegistry.getRacClientWithRequest(request);
-  const infraAlertsIndices = await alertsClient.getAuthorizedAlertsIndices(INFRA_ALERT_FEATURE_IDS);
+  const infraAlertsIndices = await alertsClient.getAuthorizedAlertsIndices(
+    OBSERVABILITY_RULE_TYPE_IDS
+  );
 
   if (!infraAlertsIndices || isEmpty(infraAlertsIndices)) {
     throw Error('No alert indices exist for "infrastructure"');
diff --git a/x-pack/plugins/observability_solution/infra/server/routes/infra/lib/host/get_hosts_alerts_count.ts b/x-pack/plugins/observability_solution/infra/server/routes/infra/lib/host/get_hosts_alerts_count.ts
index d36ff06f35cf0..dbb1a3c2ceb69 100644
--- a/x-pack/plugins/observability_solution/infra/server/routes/infra/lib/host/get_hosts_alerts_count.ts
+++ b/x-pack/plugins/observability_solution/infra/server/routes/infra/lib/host/get_hosts_alerts_count.ts
@@ -12,7 +12,7 @@ import {
   ALERT_STATUS_ACTIVE,
   ALERT_UUID,
 } from '@kbn/rule-data-utils';
-import { HOST_NAME_FIELD, INFRA_ALERT_FEATURE_IDS } from '../../../../../common/constants';
+import { HOST_NAME_FIELD, INFRA_ALERT_CONSUMERS } from '../../../../../common/constants';
 import { GetHostParameters } from '../types';
 
 export async function getHostsAlertsCount({
@@ -40,7 +40,7 @@ export async function getHostsAlertsCount({
     query: {
       bool: {
         filter: [
-          ...termsQuery(ALERT_RULE_PRODUCER, ...INFRA_ALERT_FEATURE_IDS),
+          ...termsQuery(ALERT_RULE_PRODUCER, ...INFRA_ALERT_CONSUMERS),
           ...termQuery(ALERT_STATUS, ALERT_STATUS_ACTIVE),
           ...termsQuery(HOST_NAME_FIELD, ...hostNames),
           ...rangeQuery,
diff --git a/x-pack/plugins/observability_solution/infra/server/services/rules/types.ts b/x-pack/plugins/observability_solution/infra/server/services/rules/types.ts
index 68ae0bd95b410..ee2d5967b081b 100644
--- a/x-pack/plugins/observability_solution/infra/server/services/rules/types.ts
+++ b/x-pack/plugins/observability_solution/infra/server/services/rules/types.ts
@@ -5,10 +5,10 @@
  * 2.0.
  */
 
-import { PluginSetupContract as AlertingPluginSetup } from '@kbn/alerting-plugin/server';
+import type { AlertingServerSetup } from '@kbn/alerting-plugin/server';
 import { IRuleDataClient, RuleRegistryPluginSetupContract } from '@kbn/rule-registry-plugin/server';
 export interface RulesServiceSetupDeps {
-  alerting: AlertingPluginSetup;
+  alerting: AlertingServerSetup;
   ruleRegistry: RuleRegistryPluginSetupContract;
 }
 
diff --git a/x-pack/plugins/observability_solution/inventory/server/lib/create_alerts_client/create_alerts_client.ts b/x-pack/plugins/observability_solution/inventory/server/lib/create_alerts_client/create_alerts_client.ts
index 150e946fd98d6..878abd516e5bd 100644
--- a/x-pack/plugins/observability_solution/inventory/server/lib/create_alerts_client/create_alerts_client.ts
+++ b/x-pack/plugins/observability_solution/inventory/server/lib/create_alerts_client/create_alerts_client.ts
@@ -8,6 +8,7 @@
 import { isEmpty } from 'lodash';
 import { ESSearchRequest, InferSearchResponseOf } from '@kbn/es-types';
 import { ParsedTechnicalFields } from '@kbn/rule-registry-plugin/common';
+import { OBSERVABILITY_RULE_TYPE_IDS } from '@kbn/rule-data-utils';
 import { InventoryRouteHandlerResources } from '../../routes/types';
 
 export type AlertsClient = Awaited<ReturnType<typeof createAlertsClient>>;
@@ -18,13 +19,7 @@ export async function createAlertsClient({
 }: Pick<InventoryRouteHandlerResources, 'plugins' | 'request'>) {
   const ruleRegistryPluginStart = await plugins.ruleRegistry.start();
   const alertsClient = await ruleRegistryPluginStart.getRacClientWithRequest(request);
-  const alertsIndices = await alertsClient.getAuthorizedAlertsIndices([
-    'logs',
-    'infrastructure',
-    'apm',
-    'slo',
-    'observability',
-  ]);
+  const alertsIndices = await alertsClient.getAuthorizedAlertsIndices(OBSERVABILITY_RULE_TYPE_IDS);
 
   if (!alertsIndices || isEmpty(alertsIndices)) {
     throw Error('No alert indices exist');
diff --git a/x-pack/plugins/observability_solution/investigate_app/server/services/get_alerts_client.ts b/x-pack/plugins/observability_solution/investigate_app/server/services/get_alerts_client.ts
index bf1070307742a..c5eaf3f4c3d8e 100644
--- a/x-pack/plugins/observability_solution/investigate_app/server/services/get_alerts_client.ts
+++ b/x-pack/plugins/observability_solution/investigate_app/server/services/get_alerts_client.ts
@@ -8,6 +8,7 @@
 import { isEmpty } from 'lodash';
 import { ESSearchRequest, InferSearchResponseOf } from '@kbn/es-types';
 import { ParsedTechnicalFields } from '@kbn/rule-registry-plugin/common';
+import { OBSERVABILITY_RULE_TYPE_IDS } from '@kbn/rule-data-utils';
 import { InvestigateAppRouteHandlerResources } from '../routes/types';
 
 export type AlertsClient = Awaited<ReturnType<typeof getAlertsClient>>;
@@ -18,14 +19,7 @@ export async function getAlertsClient({
 }: Pick<InvestigateAppRouteHandlerResources, 'plugins' | 'request'>) {
   const ruleRegistryPluginStart = await plugins.ruleRegistry.start();
   const alertsClient = await ruleRegistryPluginStart.getRacClientWithRequest(request);
-  const alertsIndices = await alertsClient.getAuthorizedAlertsIndices([
-    'logs',
-    'infrastructure',
-    'apm',
-    'slo',
-    'uptime',
-    'observability',
-  ]);
+  const alertsIndices = await alertsClient.getAuthorizedAlertsIndices(OBSERVABILITY_RULE_TYPE_IDS);
 
   if (!alertsIndices || isEmpty(alertsIndices)) {
     throw Error('No alert indices exist');
diff --git a/x-pack/plugins/observability_solution/metrics_data_access/server/lib/adapters/framework/adapter_types.ts b/x-pack/plugins/observability_solution/metrics_data_access/server/lib/adapters/framework/adapter_types.ts
index 246988ed96307..6449fcc30b2dc 100644
--- a/x-pack/plugins/observability_solution/metrics_data_access/server/lib/adapters/framework/adapter_types.ts
+++ b/x-pack/plugins/observability_solution/metrics_data_access/server/lib/adapters/framework/adapter_types.ts
@@ -19,7 +19,7 @@ import { PluginStart as DataViewsPluginStart } from '@kbn/data-views-plugin/serv
 import { HomeServerPluginSetup } from '@kbn/home-plugin/server';
 import { FeaturesPluginSetup } from '@kbn/features-plugin/server';
 import { SpacesPluginSetup } from '@kbn/spaces-plugin/server';
-import { PluginSetupContract as AlertingPluginContract } from '@kbn/alerting-plugin/server';
+import type { AlertingServerSetup } from '@kbn/alerting-plugin/server';
 import { MlPluginSetup } from '@kbn/ml-plugin/server';
 import { RuleRegistryPluginSetupContract } from '@kbn/rule-registry-plugin/server';
 import { ObservabilityPluginSetup } from '@kbn/observability-plugin/server';
@@ -27,7 +27,7 @@ import { VersionedRouteConfig } from '@kbn/core-http-server';
 import { MetricsDataPluginSetup } from '../../../types';
 
 export interface InfraServerPluginSetupDeps {
-  alerting: AlertingPluginContract;
+  alerting: AlertingServerSetup;
   data: DataPluginSetup;
   home: HomeServerPluginSetup;
   features: FeaturesPluginSetup;
diff --git a/x-pack/plugins/observability_solution/observability/common/constants.ts b/x-pack/plugins/observability_solution/observability/common/constants.ts
index 0286e4bef0825..785f1caf4cb6d 100644
--- a/x-pack/plugins/observability_solution/observability/common/constants.ts
+++ b/x-pack/plugins/observability_solution/observability/common/constants.ts
@@ -5,7 +5,11 @@
  * 2.0.
  */
 
-import { AlertConsumers } from '@kbn/rule-data-utils';
+import {
+  AlertConsumers,
+  STACK_RULE_TYPE_IDS_SUPPORTED_BY_OBSERVABILITY,
+  OBSERVABILITY_RULE_TYPE_IDS,
+} from '@kbn/rule-data-utils';
 import type { ValidFeatureId } from '@kbn/rule-data-utils';
 import type { RuleCreationValidConsumer } from '@kbn/triggers-actions-ui-plugin/public';
 
@@ -20,6 +24,7 @@ export const observabilityAlertFeatureIds: ValidFeatureId[] = [
   AlertConsumers.UPTIME,
   AlertConsumers.SLO,
   AlertConsumers.OBSERVABILITY,
+  AlertConsumers.ALERTS,
 ];
 
 export const observabilityRuleCreationValidConsumers: RuleCreationValidConsumer[] = [
@@ -29,3 +34,8 @@ export const observabilityRuleCreationValidConsumers: RuleCreationValidConsumer[
 ];
 
 export const EventsAsUnit = 'events';
+
+export const OBSERVABILITY_RULE_TYPE_IDS_WITH_SUPPORTED_STACK_RULE_TYPES = [
+  ...OBSERVABILITY_RULE_TYPE_IDS,
+  ...STACK_RULE_TYPE_IDS_SUPPORTED_BY_OBSERVABILITY,
+];
diff --git a/x-pack/plugins/observability_solution/observability/public/components/alert_search_bar/alert_search_bar.test.tsx b/x-pack/plugins/observability_solution/observability/public/components/alert_search_bar/alert_search_bar.test.tsx
index b7da84869679a..d64d8dcbb1a41 100644
--- a/x-pack/plugins/observability_solution/observability/public/components/alert_search_bar/alert_search_bar.test.tsx
+++ b/x-pack/plugins/observability_solution/observability/public/components/alert_search_bar/alert_search_bar.test.tsx
@@ -12,8 +12,8 @@ import { uiSettingsServiceMock } from '@kbn/core-ui-settings-browser-mocks';
 
 import { ObservabilityAlertSearchBarProps, Services } from './types';
 import { ObservabilityAlertSearchBar } from './alert_search_bar';
-import { observabilityAlertFeatureIds } from '../../../common/constants';
 import { render } from '../../utils/test_helper';
+import { OBSERVABILITY_RULE_TYPE_IDS_WITH_SUPPORTED_STACK_RULE_TYPES } from '../../../common/constants';
 
 const getAlertsSearchBarMock = jest.fn();
 const ALERT_SEARCH_BAR_DATA_TEST_SUBJ = 'alerts-search-bar';
@@ -69,7 +69,7 @@ describe('ObservabilityAlertSearchBar', () => {
     expect(getAlertsSearchBarMock).toHaveBeenCalledWith(
       expect.objectContaining({
         appName: 'testAppName',
-        featureIds: observabilityAlertFeatureIds,
+        ruleTypeIds: OBSERVABILITY_RULE_TYPE_IDS_WITH_SUPPORTED_STACK_RULE_TYPES,
         rangeFrom: 'now-15m',
         rangeTo: 'now',
         query: '',
diff --git a/x-pack/plugins/observability_solution/observability/public/components/alert_search_bar/alert_search_bar.tsx b/x-pack/plugins/observability_solution/observability/public/components/alert_search_bar/alert_search_bar.tsx
index 863855bbbb3b8..dd855829edf6f 100644
--- a/x-pack/plugins/observability_solution/observability/public/components/alert_search_bar/alert_search_bar.tsx
+++ b/x-pack/plugins/observability_solution/observability/public/components/alert_search_bar/alert_search_bar.tsx
@@ -11,8 +11,8 @@ import React, { useCallback, useEffect } from 'react';
 import { i18n } from '@kbn/i18n';
 import { Filter, Query } from '@kbn/es-query';
 import { getEsQueryConfig } from '@kbn/data-plugin/common';
+import { OBSERVABILITY_RULE_TYPE_IDS_WITH_SUPPORTED_STACK_RULE_TYPES } from '../../../common/constants';
 import { AlertsStatusFilter } from './components';
-import { observabilityAlertFeatureIds } from '../../../common/constants';
 import { ALERT_STATUS_QUERY, DEFAULT_QUERIES, DEFAULT_QUERY_STRING } from './constants';
 import { ObservabilityAlertSearchBarProps } from './types';
 import { buildEsQuery } from '../../utils/build_es_query';
@@ -161,7 +161,7 @@ export function ObservabilityAlertSearchBar({
       <EuiFlexItem>
         <AlertsSearchBar
           appName={appName}
-          featureIds={observabilityAlertFeatureIds}
+          ruleTypeIds={OBSERVABILITY_RULE_TYPE_IDS_WITH_SUPPORTED_STACK_RULE_TYPES}
           rangeFrom={rangeFrom}
           rangeTo={rangeTo}
           showFilterBar={showFilterBar}
diff --git a/x-pack/plugins/observability_solution/observability/public/components/alerts_table/alerts/get_alerts_page_table_configuration.tsx b/x-pack/plugins/observability_solution/observability/public/components/alerts_table/alerts/get_alerts_page_table_configuration.tsx
index 8282d90752d7c..d64c8523ceb61 100644
--- a/x-pack/plugins/observability_solution/observability/public/components/alerts_table/alerts/get_alerts_page_table_configuration.tsx
+++ b/x-pack/plugins/observability_solution/observability/public/components/alerts_table/alerts/get_alerts_page_table_configuration.tsx
@@ -15,11 +15,8 @@ import {
 import { DataViewsServicePublic } from '@kbn/data-views-plugin/public/types';
 import { HttpSetup } from '@kbn/core-http-browser';
 import { NotificationsStart } from '@kbn/core-notifications-browser';
-import {
-  casesFeatureId,
-  observabilityAlertFeatureIds,
-  observabilityFeatureId,
-} from '../../../../common';
+import { OBSERVABILITY_RULE_TYPE_IDS_WITH_SUPPORTED_STACK_RULE_TYPES } from '../../../../common/constants';
+import { casesFeatureId, observabilityFeatureId } from '../../../../common';
 import { AlertActions } from '../../../pages/alerts/components/alert_actions';
 import { useGetAlertFlyoutComponents } from '../../alerts_flyout/use_get_alert_flyout_components';
 import type { ObservabilityRuleTypeRegistry } from '../../../rules/create_observability_rule_type_registry';
@@ -68,7 +65,7 @@ export const getAlertsPageTableConfiguration = (
     ruleTypeIds: observabilityRuleTypeRegistry.list(),
     usePersistentControls: getPersistentControlsHook({
       groupingId: id ?? ALERTS_PAGE_ALERTS_TABLE_CONFIG_ID,
-      featureIds: observabilityAlertFeatureIds,
+      ruleTypeIds: OBSERVABILITY_RULE_TYPE_IDS_WITH_SUPPORTED_STACK_RULE_TYPES,
       services: {
         dataViews,
         http,
diff --git a/x-pack/plugins/observability_solution/observability/public/components/alerts_table/alerts/get_persistent_controls.ts b/x-pack/plugins/observability_solution/observability/public/components/alerts_table/alerts/get_persistent_controls.ts
index 2141e0fb68d66..6e0f697e831a9 100644
--- a/x-pack/plugins/observability_solution/observability/public/components/alerts_table/alerts/get_persistent_controls.ts
+++ b/x-pack/plugins/observability_solution/observability/public/components/alerts_table/alerts/get_persistent_controls.ts
@@ -9,12 +9,11 @@ import { useMemo, useCallback } from 'react';
 import { type AlertsGroupingProps, useAlertsGroupingState } from '@kbn/alerts-grouping';
 import { useAlertsDataView } from '@kbn/alerts-ui-shared/src/common/hooks/use_alerts_data_view';
 import { useGetGroupSelectorStateless } from '@kbn/grouping/src/hooks/use_get_group_selector';
-import { AlertConsumers } from '@kbn/rule-data-utils';
 import { AlertsByGroupingAgg } from '../types';
 
 interface GetPersistentControlsParams {
   groupingId: string;
-  featureIds: AlertConsumers[];
+  ruleTypeIds: string[];
   maxGroupingLevels?: number;
   services: Pick<
     AlertsGroupingProps<AlertsByGroupingAgg>['services'],
@@ -25,7 +24,7 @@ interface GetPersistentControlsParams {
 export const getPersistentControlsHook =
   ({
     groupingId,
-    featureIds,
+    ruleTypeIds,
     maxGroupingLevels = 3,
     services: { dataViews, http, notifications },
   }: GetPersistentControlsParams) =>
@@ -43,7 +42,7 @@ export const getPersistentControlsHook =
     );
 
     const { dataView } = useAlertsDataView({
-      featureIds,
+      ruleTypeIds,
       dataViewsService: dataViews,
       http,
       toasts: notifications.toasts,
diff --git a/x-pack/plugins/observability_solution/observability/public/pages/alert_details/components/alert_history.tsx b/x-pack/plugins/observability_solution/observability/public/pages/alert_details/components/alert_history.tsx
index dfcf01e4e4c13..614a842963868 100644
--- a/x-pack/plugins/observability_solution/observability/public/pages/alert_details/components/alert_history.tsx
+++ b/x-pack/plugins/observability_solution/observability/public/pages/alert_details/components/alert_history.tsx
@@ -6,7 +6,6 @@
  */
 
 import React from 'react';
-import { ALERTING_FEATURE_ID } from '@kbn/alerting-plugin/common';
 import {
   EuiPanel,
   EuiFlexGroup,
@@ -17,12 +16,10 @@ import {
   EuiLoadingSpinner,
 } from '@elastic/eui';
 import { i18n } from '@kbn/i18n';
-import { ALERT_INSTANCE_ID, ALERT_RULE_UUID, type AlertConsumers } from '@kbn/rule-data-utils';
+import { ALERT_INSTANCE_ID, ALERT_RULE_UUID } from '@kbn/rule-data-utils';
 import { useAlertsHistory } from '@kbn/observability-alert-details';
 import type { Rule } from '@kbn/triggers-actions-ui-plugin/public';
 import { convertTo } from '../../../../common/utils/formatters';
-import { useFetchRuleTypes } from '../../../hooks/use_fetch_rule_types';
-import { useGetFilteredRuleTypes } from '../../../hooks/use_get_filtered_rule_types';
 import { useKibana } from '../../../utils/kibana_react';
 import { TopAlert } from '../../..';
 import { getDefaultAlertSummaryTimeRange } from '../../../utils/alert_summary_widget';
@@ -43,19 +40,11 @@ export function AlertHistoryChart({ rule, alert }: Props) {
     notifications,
     triggersActionsUi: { getAlertSummaryWidget: AlertSummaryWidget },
   } = useKibana().services;
+
   const instanceId = alert.fields[ALERT_INSTANCE_ID];
-  const filteredRuleTypes = useGetFilteredRuleTypes();
-  const { ruleTypes } = useFetchRuleTypes({
-    filterByRuleTypeIds: filteredRuleTypes,
-  });
-  const ruleType = ruleTypes?.find((type) => type.id === rule?.ruleTypeId);
-  const featureIds =
-    rule?.consumer === ALERTING_FEATURE_ID && ruleType?.producer
-      ? [ruleType.producer as AlertConsumers]
-      : rule
-      ? [rule.consumer as AlertConsumers]
-      : [];
   const ruleId = alert.fields[ALERT_RULE_UUID];
+  const ruleTypeIds = [rule.ruleTypeId];
+  const consumers = [rule.consumer];
 
   const {
     data: { avgTimeToRecoverUS, totalTriggeredAlerts },
@@ -63,7 +52,8 @@ export function AlertHistoryChart({ rule, alert }: Props) {
     isError,
   } = useAlertsHistory({
     http,
-    featureIds,
+    ruleTypeIds,
+    consumers,
     ruleId: rule.id,
     dateRange,
     instanceId,
@@ -162,7 +152,8 @@ export function AlertHistoryChart({ rule, alert }: Props) {
       </EuiFlexGroup>
       <EuiSpacer size="s" />
       <AlertSummaryWidget
-        featureIds={featureIds}
+        ruleTypeIds={ruleTypeIds}
+        consumers={consumers}
         timeRange={getDefaultAlertSummaryTimeRange()}
         fullSize
         hideStats
diff --git a/x-pack/plugins/observability_solution/observability/public/pages/alert_details/components/related_alerts.tsx b/x-pack/plugins/observability_solution/observability/public/pages/alert_details/components/related_alerts.tsx
index 6ccebc34e4722..5fba814fc3349 100644
--- a/x-pack/plugins/observability_solution/observability/public/pages/alert_details/components/related_alerts.tsx
+++ b/x-pack/plugins/observability_solution/observability/public/pages/alert_details/components/related_alerts.tsx
@@ -29,7 +29,10 @@ import { BoolQuery, Filter, type Query } from '@kbn/es-query';
 import { AlertsGrouping } from '@kbn/alerts-grouping';
 import { ObservabilityFields } from '../../../../common/utils/alerting/types';
 
-import { observabilityAlertFeatureIds } from '../../../../common/constants';
+import {
+  OBSERVABILITY_RULE_TYPE_IDS_WITH_SUPPORTED_STACK_RULE_TYPES,
+  observabilityAlertFeatureIds,
+} from '../../../../common/constants';
 import {
   getRelatedAlertKuery,
   getSharedFields,
@@ -125,7 +128,8 @@ export function InternalRelatedAlerts({ alert }: Props) {
       <EuiFlexItem>
         {esQuery && (
           <AlertsGrouping<AlertsByGroupingAgg>
-            featureIds={observabilityAlertFeatureIds}
+            ruleTypeIds={OBSERVABILITY_RULE_TYPE_IDS_WITH_SUPPORTED_STACK_RULE_TYPES}
+            consumers={observabilityAlertFeatureIds}
             defaultFilters={ALERT_STATUS_FILTER[alertSearchBarStateProps.status] ?? DEFAULT_FILTERS}
             from={alertSearchBarStateProps.rangeFrom}
             to={alertSearchBarStateProps.rangeTo}
@@ -149,7 +153,8 @@ export function InternalRelatedAlerts({ alert }: Props) {
               return (
                 <AlertsStateTable
                   id={ALERTS_TABLE_ID}
-                  featureIds={observabilityAlertFeatureIds}
+                  ruleTypeIds={OBSERVABILITY_RULE_TYPE_IDS_WITH_SUPPORTED_STACK_RULE_TYPES}
+                  consumers={observabilityAlertFeatureIds}
                   configurationId={RELATED_ALERTS_TABLE_CONFIG_ID}
                   query={mergeBoolQueries(esQuery, groupQuery)}
                   showAlertStatusWithFlapping
diff --git a/x-pack/plugins/observability_solution/observability/public/pages/alerts/alerts.tsx b/x-pack/plugins/observability_solution/observability/public/pages/alerts/alerts.tsx
index 6607052225555..64013c1762f1a 100644
--- a/x-pack/plugins/observability_solution/observability/public/pages/alerts/alerts.tsx
+++ b/x-pack/plugins/observability_solution/observability/public/pages/alerts/alerts.tsx
@@ -37,8 +37,11 @@ import {
 } from '../../components/alert_search_bar/containers';
 import { calculateTimeRangeBucketSize } from '../overview/helpers/calculate_bucket_size';
 import { getAlertSummaryTimeRange } from '../../utils/alert_summary_widget';
-import { observabilityAlertFeatureIds } from '../../../common/constants';
-import { ALERTS_URL_STORAGE_KEY } from '../../../common/constants';
+import {
+  ALERTS_URL_STORAGE_KEY,
+  OBSERVABILITY_RULE_TYPE_IDS_WITH_SUPPORTED_STACK_RULE_TYPES,
+  observabilityAlertFeatureIds,
+} from '../../../common/constants';
 import { ALERTS_PAGE_ALERTS_TABLE_CONFIG_ID } from '../../constants';
 import { useGetAvailableRulesWithDescriptions } from '../../hooks/use_get_available_rules_with_descriptions';
 import { HeaderMenu } from '../overview/components/header_menu/header_menu';
@@ -177,8 +180,8 @@ function InternalAlertsPage() {
     try {
       const response = await loadRuleAggregations({
         http,
-        typesFilter: filteredRuleTypes,
-        filterConsumers: observabilityAlertFeatureIds,
+        ruleTypeIds: filteredRuleTypes,
+        consumers: observabilityAlertFeatureIds,
       });
       const { ruleExecutionStatus, ruleMutedStatus, ruleEnabledStatus, ruleSnoozedStatus } =
         response;
@@ -250,7 +253,8 @@ function InternalAlertsPage() {
           </EuiFlexItem>
           <EuiFlexItem>
             <AlertSummaryWidget
-              featureIds={observabilityAlertFeatureIds}
+              ruleTypeIds={OBSERVABILITY_RULE_TYPE_IDS_WITH_SUPPORTED_STACK_RULE_TYPES}
+              consumers={observabilityAlertFeatureIds}
               filter={esQuery}
               fullSize
               timeRange={alertSummaryTimeRange}
@@ -260,7 +264,8 @@ function InternalAlertsPage() {
           <EuiFlexItem>
             {esQuery && (
               <AlertsGrouping<AlertsByGroupingAgg>
-                featureIds={observabilityAlertFeatureIds}
+                ruleTypeIds={OBSERVABILITY_RULE_TYPE_IDS_WITH_SUPPORTED_STACK_RULE_TYPES}
+                consumers={observabilityAlertFeatureIds}
                 defaultFilters={
                   ALERT_STATUS_FILTER[alertSearchBarStateProps.status] ?? DEFAULT_FILTERS
                 }
@@ -286,7 +291,8 @@ function InternalAlertsPage() {
                   return (
                     <AlertsStateTable
                       id={ALERTS_TABLE_ID}
-                      featureIds={observabilityAlertFeatureIds}
+                      ruleTypeIds={OBSERVABILITY_RULE_TYPE_IDS_WITH_SUPPORTED_STACK_RULE_TYPES}
+                      consumers={observabilityAlertFeatureIds}
                       configurationId={ALERTS_PAGE_ALERTS_TABLE_CONFIG_ID}
                       query={mergeBoolQueries(esQuery, groupQuery)}
                       showAlertStatusWithFlapping
diff --git a/x-pack/plugins/observability_solution/observability/public/pages/overview/overview.tsx b/x-pack/plugins/observability_solution/observability/public/pages/overview/overview.tsx
index c7b71431050cf..ad6fccbb7df99 100644
--- a/x-pack/plugins/observability_solution/observability/public/pages/overview/overview.tsx
+++ b/x-pack/plugins/observability_solution/observability/public/pages/overview/overview.tsx
@@ -11,7 +11,10 @@ import { i18n } from '@kbn/i18n';
 import { useBreadcrumbs, useFetcher } from '@kbn/observability-shared-plugin/public';
 import { AlertConsumers } from '@kbn/rule-data-utils';
 import React, { useCallback, useEffect, useMemo, useState } from 'react';
-import { observabilityAlertFeatureIds } from '../../../common/constants';
+import {
+  OBSERVABILITY_RULE_TYPE_IDS_WITH_SUPPORTED_STACK_RULE_TYPES,
+  observabilityAlertFeatureIds,
+} from '../../../common/constants';
 import { paths } from '../../../common/locators/paths';
 import { LoadingObservability } from '../../components/loading_observability';
 import { DEFAULT_DATE_FORMAT, DEFAULT_INTERVAL } from '../../constants';
@@ -235,7 +238,8 @@ export function OverviewPage() {
             hasError={false}
           >
             <AlertSummaryWidget
-              featureIds={observabilityAlertFeatureIds}
+              ruleTypeIds={OBSERVABILITY_RULE_TYPE_IDS_WITH_SUPPORTED_STACK_RULE_TYPES}
+              consumers={observabilityAlertFeatureIds}
               filter={esQuery}
               fullSize
               timeRange={alertSummaryTimeRange}
@@ -243,7 +247,8 @@ export function OverviewPage() {
             <AlertsStateTable
               alertsTableConfigurationRegistry={alertsTableConfigurationRegistry}
               configurationId={AlertConsumers.OBSERVABILITY}
-              featureIds={observabilityAlertFeatureIds}
+              ruleTypeIds={OBSERVABILITY_RULE_TYPE_IDS_WITH_SUPPORTED_STACK_RULE_TYPES}
+              consumers={observabilityAlertFeatureIds}
               hideLazyLoader
               id={ALERTS_TABLE_ID}
               initialPageSize={ALERTS_PER_PAGE}
diff --git a/x-pack/plugins/observability_solution/observability/public/pages/rule_details/components/rule_details_tabs.tsx b/x-pack/plugins/observability_solution/observability/public/pages/rule_details/components/rule_details_tabs.tsx
index 095c5796946fd..7a41d363c9656 100644
--- a/x-pack/plugins/observability_solution/observability/public/pages/rule_details/components/rule_details_tabs.tsx
+++ b/x-pack/plugins/observability_solution/observability/public/pages/rule_details/components/rule_details_tabs.tsx
@@ -15,9 +15,9 @@ import {
 } from '@elastic/eui';
 import { i18n } from '@kbn/i18n';
 import type { RuleTypeParams } from '@kbn/alerting-plugin/common';
-import type { AlertConsumers } from '@kbn/rule-data-utils';
 import type { Rule } from '@kbn/triggers-actions-ui-plugin/public';
 import type { Query, BoolQuery } from '@kbn/es-query';
+import { observabilityAlertFeatureIds } from '../../../../common';
 import { useKibana } from '../../../utils/kibana_react';
 import { usePluginContext } from '../../../hooks/use_plugin_context';
 import { ObservabilityAlertSearchbarWithUrlSync } from '../../../components/alert_search_bar/alert_search_bar_with_url_sync';
@@ -38,7 +38,7 @@ interface Props {
         bool: BoolQuery;
       }
     | undefined;
-  featureIds: AlertConsumers[] | undefined;
+  ruleTypeIds?: string[];
   rule: Rule<RuleTypeParams>;
   ruleId: string;
   ruleType: any;
@@ -49,7 +49,7 @@ interface Props {
 export function RuleDetailsTabs({
   activeTabId,
   esQuery,
-  featureIds,
+  ruleTypeIds,
   rule,
   ruleId,
   ruleType,
@@ -90,12 +90,13 @@ export function RuleDetailsTabs({
 
           <EuiFlexGroup style={{ minHeight: 450 }} direction={'column'}>
             <EuiFlexItem>
-              {esQuery && featureIds && (
+              {esQuery && ruleTypeIds && (
                 <AlertsStateTable
                   alertsTableConfigurationRegistry={alertsTableConfigurationRegistry}
                   configurationId={RULE_DETAILS_ALERTS_TABLE_CONFIG_ID}
                   id={RULE_DETAILS_PAGE_ID}
-                  featureIds={featureIds}
+                  ruleTypeIds={ruleTypeIds}
+                  consumers={observabilityAlertFeatureIds}
                   query={esQuery}
                   showAlertStatusWithFlapping
                   cellContext={{ observabilityRuleTypeRegistry }}
diff --git a/x-pack/plugins/observability_solution/observability/public/pages/rule_details/rule_details.tsx b/x-pack/plugins/observability_solution/observability/public/pages/rule_details/rule_details.tsx
index 3b2e5d3118c4a..11a3a736ecaeb 100644
--- a/x-pack/plugins/observability_solution/observability/public/pages/rule_details/rule_details.tsx
+++ b/x-pack/plugins/observability_solution/observability/public/pages/rule_details/rule_details.tsx
@@ -9,9 +9,8 @@ import React, { useState, useEffect, useRef } from 'react';
 import { useParams, useLocation } from 'react-router-dom';
 import { EuiSpacer, EuiFlexGroup, EuiFlexItem } from '@elastic/eui';
 import { i18n } from '@kbn/i18n';
-import { ALERTING_FEATURE_ID, RuleExecutionStatusErrorReasons } from '@kbn/alerting-plugin/common';
+import { RuleExecutionStatusErrorReasons } from '@kbn/alerting-plugin/common';
 import type { BoolQuery } from '@kbn/es-query';
-import type { AlertConsumers } from '@kbn/rule-data-utils';
 import { useBreadcrumbs } from '@kbn/observability-shared-plugin/public';
 import { useKibana } from '../../utils/kibana_react';
 import { usePluginContext } from '../../hooks/use_plugin_context';
@@ -27,7 +26,11 @@ import { RuleDetailsTabs } from './components/rule_details_tabs';
 import { getHealthColor } from './helpers/get_health_color';
 import { isRuleEditable } from './helpers/is_rule_editable';
 import { ruleDetailsLocatorID } from '../../../common';
-import { ALERT_STATUS_ALL } from '../../../common/constants';
+import {
+  ALERT_STATUS_ALL,
+  OBSERVABILITY_RULE_TYPE_IDS_WITH_SUPPORTED_STACK_RULE_TYPES,
+  observabilityAlertFeatureIds,
+} from '../../../common/constants';
 import {
   RULE_DETAILS_EXECUTION_TAB,
   RULE_DETAILS_ALERTS_TAB,
@@ -180,16 +183,8 @@ export function RuleDetailsPage() {
   };
 
   const ruleType = ruleTypes?.find((type) => type.id === rule?.ruleTypeId);
-
   const isEditable = isRuleEditable({ capabilities, rule, ruleType, ruleTypeRegistry });
 
-  const featureIds =
-    rule?.consumer === ALERTING_FEATURE_ID && ruleType?.producer
-      ? [ruleType.producer as AlertConsumers]
-      : rule
-      ? [rule.consumer as AlertConsumers]
-      : [];
-
   const ruleStatusMessage =
     rule?.executionStatus.error?.reason === RuleExecutionStatusErrorReasons.License
       ? rulesStatusesTranslationsMapping.noLicense
@@ -234,7 +229,8 @@ export function RuleDetailsPage() {
 
         <EuiFlexItem style={{ minWidth: 350 }}>
           <AlertSummaryWidget
-            featureIds={featureIds}
+            ruleTypeIds={OBSERVABILITY_RULE_TYPE_IDS_WITH_SUPPORTED_STACK_RULE_TYPES}
+            consumers={observabilityAlertFeatureIds}
             onClick={handleAlertSummaryWidgetClick}
             timeRange={alertSummaryWidgetTimeRange}
             filter={{
@@ -261,7 +257,7 @@ export function RuleDetailsPage() {
 
       <RuleDetailsTabs
         esQuery={esQuery}
-        featureIds={featureIds}
+        ruleTypeIds={OBSERVABILITY_RULE_TYPE_IDS_WITH_SUPPORTED_STACK_RULE_TYPES}
         rule={rule}
         ruleId={ruleId}
         ruleType={ruleType}
diff --git a/x-pack/plugins/observability_solution/observability/public/pages/rules/rules_tab.tsx b/x-pack/plugins/observability_solution/observability/public/pages/rules/rules_tab.tsx
index ae896b66d990f..5fc4de8e0c452 100644
--- a/x-pack/plugins/observability_solution/observability/public/pages/rules/rules_tab.tsx
+++ b/x-pack/plugins/observability_solution/observability/public/pages/rules/rules_tab.tsx
@@ -10,9 +10,10 @@ import { useHistory } from 'react-router-dom';
 import { createKbnUrlStateStorage } from '@kbn/kibana-utils-plugin/public';
 import { RuleStatus } from '@kbn/triggers-actions-ui-plugin/public';
 import { AlertConsumers } from '@kbn/rule-data-utils';
+import { OBSERVABILITY_RULE_TYPE_IDS_WITH_SUPPORTED_STACK_RULE_TYPES } from '../../../common/constants';
+import { observabilityAlertFeatureIds } from '../../../common';
 import { useKibana } from '../../utils/kibana_react';
 import { useGetFilteredRuleTypes } from '../../hooks/use_get_filtered_rule_types';
-import { observabilityAlertFeatureIds } from '../../../common/constants';
 
 interface RulesTabProps {
   setRefresh: React.Dispatch<React.SetStateAction<Date>>;
@@ -75,7 +76,8 @@ export function RulesTab({ setRefresh, stateRefresh }: RulesTabProps) {
 
   return (
     <RuleList
-      filterConsumers={observabilityAlertFeatureIds}
+      ruleTypeIds={OBSERVABILITY_RULE_TYPE_IDS_WITH_SUPPORTED_STACK_RULE_TYPES}
+      consumers={observabilityAlertFeatureIds}
       filteredRuleTypes={filteredRuleTypes}
       lastRunOutcomeFilter={stateLastResponse}
       refresh={stateRefresh}
diff --git a/x-pack/plugins/observability_solution/observability/server/lib/rules/register_rule_types.ts b/x-pack/plugins/observability_solution/observability/server/lib/rules/register_rule_types.ts
index c214939bdec88..300dcda5e4f0f 100644
--- a/x-pack/plugins/observability_solution/observability/server/lib/rules/register_rule_types.ts
+++ b/x-pack/plugins/observability_solution/observability/server/lib/rules/register_rule_types.ts
@@ -5,14 +5,14 @@
  * 2.0.
  */
 
-import { PluginSetupContract } from '@kbn/alerting-plugin/server';
+import type { AlertingServerSetup } from '@kbn/alerting-plugin/server';
 import { IBasePath, Logger } from '@kbn/core/server';
 import { CustomThresholdLocators } from './custom_threshold/custom_threshold_executor';
 import { ObservabilityConfig } from '../..';
 import { thresholdRuleType } from './custom_threshold/register_custom_threshold_rule_type';
 
 export function registerRuleTypes(
-  alertingPlugin: PluginSetupContract,
+  alertingPlugin: AlertingServerSetup,
   basePath: IBasePath,
   config: ObservabilityConfig,
   logger: Logger,
diff --git a/x-pack/plugins/observability_solution/observability/server/plugin.ts b/x-pack/plugins/observability_solution/observability/server/plugin.ts
index 4d0e809f882e7..53c91feb3b842 100644
--- a/x-pack/plugins/observability_solution/observability/server/plugin.ts
+++ b/x-pack/plugins/observability_solution/observability/server/plugin.ts
@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import { PluginSetupContract, PluginStartContract } from '@kbn/alerting-plugin/server';
+import { AlertingServerSetup, AlertingServerStart } from '@kbn/alerting-plugin/server';
 import {
   createUICapabilities as createCasesUICapabilities,
   getApiTags as getCasesApiTags,
@@ -23,21 +23,12 @@ import { LogsExplorerLocatorParams, LOGS_EXPLORER_LOCATOR_ID } from '@kbn/deepli
 import { FeaturesPluginSetup } from '@kbn/features-plugin/server';
 import type { GuidedOnboardingPluginSetup } from '@kbn/guided-onboarding-plugin/server';
 import { i18n } from '@kbn/i18n';
-import {
-  ApmRuleType,
-  ES_QUERY_ID,
-  ML_ANOMALY_DETECTION_RULE_TYPE_ID,
-  METRIC_INVENTORY_THRESHOLD_ALERT_TYPE_ID,
-  OBSERVABILITY_THRESHOLD_RULE_TYPE_ID,
-  SLO_BURN_RATE_RULE_TYPE_ID,
-  SYNTHETICS_STATUS_RULE,
-  SYNTHETICS_TLS_RULE,
-} from '@kbn/rule-data-utils';
 import { RuleRegistryPluginSetupContract } from '@kbn/rule-registry-plugin/server';
 import { SharePluginSetup } from '@kbn/share-plugin/server';
 import { SpacesPluginSetup, SpacesPluginStart } from '@kbn/spaces-plugin/server';
 import { UsageCollectionSetup } from '@kbn/usage-collection-plugin/server';
 import { DataViewsServerPluginStart } from '@kbn/data-views-plugin/server';
+import { ALERTING_FEATURE_ID } from '@kbn/alerting-plugin/common';
 import { KibanaFeatureScope } from '@kbn/features-plugin/common';
 import { ObservabilityConfig } from '.';
 import { observabilityFeatureId } from '../common';
@@ -57,13 +48,14 @@ import { registerRoutes } from './routes/register_routes';
 import { threshold } from './saved_objects/threshold';
 import { AlertDetailsContextualInsightsService } from './services';
 import { uiSettings } from './ui_settings';
+import { OBSERVABILITY_RULE_TYPE_IDS_WITH_SUPPORTED_STACK_RULE_TYPES } from '../common/constants';
 import { getCasesFeature } from './features/cases_v1';
 import { getCasesFeatureV2 } from './features/cases_v2';
 
 export type ObservabilityPluginSetup = ReturnType<ObservabilityPlugin['setup']>;
 
 interface PluginSetup {
-  alerting: PluginSetupContract;
+  alerting: AlertingServerSetup;
   features: FeaturesPluginSetup;
   guidedOnboarding?: GuidedOnboardingPluginSetup;
   ruleRegistry: RuleRegistryPluginSetupContract;
@@ -74,21 +66,17 @@ interface PluginSetup {
 }
 
 interface PluginStart {
-  alerting: PluginStartContract;
+  alerting: AlertingServerStart;
   spaces?: SpacesPluginStart;
   dataViews: DataViewsServerPluginStart;
 }
 
-const o11yRuleTypes = [
-  SLO_BURN_RATE_RULE_TYPE_ID,
-  OBSERVABILITY_THRESHOLD_RULE_TYPE_ID,
-  ES_QUERY_ID,
-  ML_ANOMALY_DETECTION_RULE_TYPE_ID,
-  METRIC_INVENTORY_THRESHOLD_ALERT_TYPE_ID,
-  ...Object.values(ApmRuleType),
-  SYNTHETICS_STATUS_RULE,
-  SYNTHETICS_TLS_RULE,
-];
+const alertingFeatures = OBSERVABILITY_RULE_TYPE_IDS_WITH_SUPPORTED_STACK_RULE_TYPES.map(
+  (ruleTypeId) => ({
+    ruleTypeId,
+    consumers: [observabilityFeatureId, ALERTING_FEATURE_ID],
+  })
+);
 
 export class ObservabilityPlugin implements Plugin<ObservabilityPluginSetup> {
   private logger: Logger;
@@ -141,7 +129,7 @@ export class ObservabilityPlugin implements Plugin<ObservabilityPluginSetup> {
         scope: [KibanaFeatureScope.Spaces, KibanaFeatureScope.Security],
         app: [observabilityFeatureId],
         catalogue: [observabilityFeatureId],
-        alerting: o11yRuleTypes,
+        alerting: alertingFeatures,
         privileges: {
           all: {
             app: [observabilityFeatureId],
@@ -153,10 +141,10 @@ export class ObservabilityPlugin implements Plugin<ObservabilityPluginSetup> {
             },
             alerting: {
               rule: {
-                all: o11yRuleTypes,
+                all: alertingFeatures,
               },
               alert: {
-                all: o11yRuleTypes,
+                all: alertingFeatures,
               },
             },
             ui: ['read', 'write'],
@@ -171,10 +159,10 @@ export class ObservabilityPlugin implements Plugin<ObservabilityPluginSetup> {
             },
             alerting: {
               rule: {
-                read: o11yRuleTypes,
+                read: alertingFeatures,
               },
               alert: {
-                read: o11yRuleTypes,
+                read: alertingFeatures,
               },
             },
             ui: ['read'],
diff --git a/x-pack/plugins/observability_solution/observability/server/routes/register_routes.ts b/x-pack/plugins/observability_solution/observability/server/routes/register_routes.ts
index 9ce2d7c9f1829..e10ce506bc99a 100644
--- a/x-pack/plugins/observability_solution/observability/server/routes/register_routes.ts
+++ b/x-pack/plugins/observability_solution/observability/server/routes/register_routes.ts
@@ -30,7 +30,7 @@ export interface RegisterRoutesDependencies {
   assistant: {
     alertDetailsContextualInsightsService: AlertDetailsContextualInsightsService;
   };
-  getRulesClientWithRequest: (request: KibanaRequest) => RulesClientApi;
+  getRulesClientWithRequest: (request: KibanaRequest) => Promise<RulesClientApi>;
 }
 
 export function registerRoutes({ repository, core, logger, dependencies }: RegisterRoutes) {
diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant/server/routes/types.ts b/x-pack/plugins/observability_solution/observability_ai_assistant/server/routes/types.ts
index 62365536f3823..645da146dfb89 100644
--- a/x-pack/plugins/observability_solution/observability_ai_assistant/server/routes/types.ts
+++ b/x-pack/plugins/observability_solution/observability_ai_assistant/server/routes/types.ts
@@ -28,7 +28,7 @@ type ObservabilityAIAssistantRequestHandlerContextBase = CustomRequestHandlerCon
   // these two are here for compatibility with APM functions
   rac: Pick<RacApiRequestHandlerContext, 'getAlertsClient'>;
   alerting: {
-    getRulesClient: () => RulesClientApi;
+    getRulesClient: () => Promise<RulesClientApi>;
   };
 }>;
 
diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant/server/types.ts b/x-pack/plugins/observability_solution/observability_ai_assistant/server/types.ts
index a8ab57b8ee53c..f44911c172ce4 100644
--- a/x-pack/plugins/observability_solution/observability_ai_assistant/server/types.ts
+++ b/x-pack/plugins/observability_solution/observability_ai_assistant/server/types.ts
@@ -22,10 +22,7 @@ import type { LicensingPluginSetup, LicensingPluginStart } from '@kbn/licensing-
 import type { CloudSetup, CloudStart } from '@kbn/cloud-plugin/server';
 import type { ServerlessPluginSetup, ServerlessPluginStart } from '@kbn/serverless/server';
 import type { RuleRegistryPluginStartContract } from '@kbn/rule-registry-plugin/server';
-import type {
-  PluginSetupContract as AlertingPluginSetup,
-  PluginStartContract as AlertingPluginStart,
-} from '@kbn/alerting-plugin/server';
+import type { AlertingServerSetup, AlertingServerStart } from '@kbn/alerting-plugin/server';
 import type { ObservabilityAIAssistantService } from './service';
 
 export interface ObservabilityAIAssistantServerSetup {
@@ -51,7 +48,7 @@ export interface ObservabilityAIAssistantPluginSetupDependencies {
   licensing: LicensingPluginSetup;
   cloud?: CloudSetup;
   serverless?: ServerlessPluginSetup;
-  alerting: AlertingPluginSetup;
+  alerting: AlertingServerSetup;
 }
 
 export interface ObservabilityAIAssistantPluginStartDependencies {
@@ -64,5 +61,5 @@ export interface ObservabilityAIAssistantPluginStartDependencies {
   ruleRegistry: RuleRegistryPluginStartContract;
   cloud?: CloudStart;
   serverless?: ServerlessPluginStart;
-  alerting: AlertingPluginStart;
+  alerting: AlertingServerStart;
 }
diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/alerts.ts b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/alerts.ts
index 682f2e2a4b19b..5408dbbf4ab4f 100644
--- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/alerts.ts
+++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/alerts.ts
@@ -14,8 +14,10 @@ import { ParsedTechnicalFields } from '@kbn/rule-registry-plugin/common';
 import {
   ALERT_STATUS,
   ALERT_STATUS_ACTIVE,
+  AlertConsumers,
 } from '@kbn/rule-registry-plugin/common/technical_rule_data_field_names';
 import { omit } from 'lodash';
+import { OBSERVABILITY_RULE_TYPE_IDS_WITH_SUPPORTED_STACK_RULE_TYPES } from '@kbn/observability-plugin/common/constants';
 import { FunctionRegistrationParameters } from '.';
 
 const defaultFields = [
@@ -61,15 +63,6 @@ const OMITTED_ALERT_FIELDS = [
   'kibana.version',
 ] as const;
 
-const DEFAULT_FEATURE_IDS = [
-  'apm',
-  'infrastructure',
-  'logs',
-  'uptime',
-  'slo',
-  'observability',
-] as const;
-
 export function registerAlertsFunction({
   functions,
   resources,
@@ -183,7 +176,16 @@ export function registerAlertsFunction({
         const kqlQuery = !filter ? [] : [toElasticsearchQuery(fromKueryExpression(filter))];
 
         const response = await alertsClient.find({
-          featureIds: DEFAULT_FEATURE_IDS as unknown as string[],
+          ruleTypeIds: OBSERVABILITY_RULE_TYPE_IDS_WITH_SUPPORTED_STACK_RULE_TYPES,
+          consumers: [
+            AlertConsumers.APM,
+            AlertConsumers.INFRASTRUCTURE,
+            AlertConsumers.LOGS,
+            AlertConsumers.UPTIME,
+            AlertConsumers.SLO,
+            AlertConsumers.OBSERVABILITY,
+            AlertConsumers.ALERTS,
+          ],
           query: {
             bool: {
               filter: [
@@ -194,17 +196,17 @@ export function registerAlertsFunction({
                       lte: end,
                     },
                   },
-                },
-                ...kqlQuery,
-                ...(!includeRecovered
-                  ? [
-                      {
-                        term: {
-                          [ALERT_STATUS]: ALERT_STATUS_ACTIVE,
+                  ...kqlQuery,
+                  ...(!includeRecovered
+                    ? [
+                        {
+                          term: {
+                            [ALERT_STATUS]: ALERT_STATUS_ACTIVE,
+                          },
                         },
-                      },
-                    ]
-                  : []),
+                      ]
+                    : []),
+                },
               ],
             },
           },
diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/types.ts b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/types.ts
index a1196be6a829a..0a3fc6d9dc12d 100644
--- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/types.ts
+++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/types.ts
@@ -9,10 +9,7 @@ import type {
   PluginSetupContract as ActionsPluginSetup,
   PluginStartContract as ActionsPluginStart,
 } from '@kbn/actions-plugin/server';
-import type {
-  PluginSetupContract as AlertingPluginSetup,
-  PluginStartContract as AlertingPluginStart,
-} from '@kbn/alerting-plugin/server';
+import type { AlertingServerSetup, AlertingServerStart } from '@kbn/alerting-plugin/server';
 import type {
   DataViewsServerPluginSetup,
   DataViewsServerPluginStart,
@@ -47,7 +44,7 @@ export interface ObservabilityAIAssistantAppServerSetup {}
 export interface ObservabilityAIAssistantAppPluginStartDependencies {
   observabilityAIAssistant: ObservabilityAIAssistantServerStart;
   ruleRegistry: RuleRegistryPluginStartContract;
-  alerting: AlertingPluginStart;
+  alerting: AlertingServerStart;
   licensing: LicensingPluginStart;
   actions: ActionsPluginStart;
   security: SecurityPluginStart;
@@ -64,7 +61,7 @@ export interface ObservabilityAIAssistantAppPluginStartDependencies {
 export interface ObservabilityAIAssistantAppPluginSetupDependencies {
   observabilityAIAssistant: ObservabilityAIAssistantServerSetup;
   ruleRegistry: RuleRegistryPluginSetupContract;
-  alerting: AlertingPluginSetup;
+  alerting: AlertingServerSetup;
   licensing: LicensingPluginSetup;
   actions: ActionsPluginSetup;
   security: SecurityPluginSetup;
diff --git a/x-pack/plugins/observability_solution/slo/public/embeddable/slo/alerts/components/slo_alerts_summary.tsx b/x-pack/plugins/observability_solution/slo/public/embeddable/slo/alerts/components/slo_alerts_summary.tsx
index 968d1f80a0824..9aea7b17f43f1 100644
--- a/x-pack/plugins/observability_solution/slo/public/embeddable/slo/alerts/components/slo_alerts_summary.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/embeddable/slo/alerts/components/slo_alerts_summary.tsx
@@ -9,7 +9,7 @@ import type { TimeRange } from '@kbn/es-query';
 import { useTimeBuckets } from '@kbn/observability-plugin/public';
 import { getAlertSummaryTimeRange } from '@kbn/observability-plugin/public';
 import { calculateTimeRangeBucketSize } from '@kbn/observability-plugin/public';
-import { observabilityAlertFeatureIds } from '@kbn/observability-plugin/common';
+import { AlertConsumers, SLO_RULE_TYPE_IDS } from '@kbn/rule-data-utils';
 import { useSloAlertsQuery } from './slo_alerts_table';
 
 import { SloEmbeddableDeps } from '../types';
@@ -61,7 +61,8 @@ export function SloAlertsSummary({
 
   return (
     <AlertSummaryWidget
-      featureIds={observabilityAlertFeatureIds}
+      ruleTypeIds={SLO_RULE_TYPE_IDS}
+      consumers={[AlertConsumers.SLO, AlertConsumers.ALERTS, AlertConsumers.OBSERVABILITY]}
       filter={esQuery}
       timeRange={alertSummaryTimeRange}
       fullSize
diff --git a/x-pack/plugins/observability_solution/slo/public/embeddable/slo/alerts/components/slo_alerts_table.tsx b/x-pack/plugins/observability_solution/slo/public/embeddable/slo/alerts/components/slo_alerts_table.tsx
index 02e94973e4ffd..8da688e38a75f 100644
--- a/x-pack/plugins/observability_solution/slo/public/embeddable/slo/alerts/components/slo_alerts_table.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/embeddable/slo/alerts/components/slo_alerts_table.tsx
@@ -5,7 +5,7 @@
  * 2.0.
  */
 import React, { useMemo } from 'react';
-import { AlertConsumers } from '@kbn/rule-data-utils';
+import { AlertConsumers, SLO_BURN_RATE_RULE_TYPE_ID } from '@kbn/rule-data-utils';
 import type { TimeRange } from '@kbn/es-query';
 import { ALL_VALUE } from '@kbn/slo-schema';
 import { AlertsTableStateProps } from '@kbn/triggers-actions-ui-plugin/public/application/sections/alerts_table/alerts_table_state';
@@ -105,7 +105,8 @@ export function SloAlertsTable({
       query={useSloAlertsQuery(slos, timeRange, showAllGroupByInstances)}
       alertsTableConfigurationRegistry={alertsTableConfigurationRegistry}
       configurationId={SLO_ALERTS_TABLE_CONFIG_ID}
-      featureIds={[AlertConsumers.SLO, AlertConsumers.OBSERVABILITY]}
+      ruleTypeIds={[SLO_BURN_RATE_RULE_TYPE_ID]}
+      consumers={[AlertConsumers.SLO, AlertConsumers.ALERTS, AlertConsumers.OBSERVABILITY]}
       hideLazyLoader
       id={ALERTS_TABLE_ID}
       initialPageSize={ALERTS_PER_PAGE}
diff --git a/x-pack/plugins/observability_solution/slo/public/hooks/use_fetch_active_alerts.ts b/x-pack/plugins/observability_solution/slo/public/hooks/use_fetch_active_alerts.ts
index 8fa7d3ec88e91..8ca275ae78a1a 100644
--- a/x-pack/plugins/observability_solution/slo/public/hooks/use_fetch_active_alerts.ts
+++ b/x-pack/plugins/observability_solution/slo/public/hooks/use_fetch_active_alerts.ts
@@ -8,7 +8,10 @@
 import { useQuery } from '@tanstack/react-query';
 import { BASE_RAC_ALERTS_API_PATH } from '@kbn/rule-registry-plugin/common';
 
-import { AlertConsumers } from '@kbn/rule-registry-plugin/common/technical_rule_data_field_names';
+import {
+  AlertConsumers,
+  SLO_RULE_TYPE_IDS,
+} from '@kbn/rule-registry-plugin/common/technical_rule_data_field_names';
 import { useKibana } from './use_kibana';
 import { sloKeys } from './query_key_factory';
 import { ActiveAlerts } from './active_alerts';
@@ -57,7 +60,8 @@ export function useFetchActiveAlerts({
       try {
         const response = await http.post<FindApiResponse>(`${BASE_RAC_ALERTS_API_PATH}/find`, {
           body: JSON.stringify({
-            feature_ids: [AlertConsumers.SLO, AlertConsumers.OBSERVABILITY],
+            rule_type_ids: SLO_RULE_TYPE_IDS,
+            consumers: [AlertConsumers.SLO, AlertConsumers.OBSERVABILITY, AlertConsumers.ALERTS],
             size: 0,
             query: {
               bool: {
@@ -69,11 +73,6 @@ export function useFetchActiveAlerts({
                       },
                     },
                   },
-                  {
-                    term: {
-                      'kibana.alert.rule.rule_type_id': 'slo.rules.burnRate',
-                    },
-                  },
                   {
                     term: {
                       'kibana.alert.status': 'active',
diff --git a/x-pack/plugins/observability_solution/slo/public/hooks/use_fetch_slos_with_burn_rate_rules.ts b/x-pack/plugins/observability_solution/slo/public/hooks/use_fetch_slos_with_burn_rate_rules.ts
index ce1efab910723..65546a3f6c96c 100644
--- a/x-pack/plugins/observability_solution/slo/public/hooks/use_fetch_slos_with_burn_rate_rules.ts
+++ b/x-pack/plugins/observability_solution/slo/public/hooks/use_fetch_slos_with_burn_rate_rules.ts
@@ -12,8 +12,9 @@ import {
   useQuery,
 } from '@tanstack/react-query';
 import type { Rule } from '@kbn/triggers-actions-ui-plugin/public';
-import { BASE_ALERTING_API_PATH } from '@kbn/alerting-plugin/common';
+import { INTERNAL_ALERTING_API_FIND_RULES_PATH } from '@kbn/alerting-plugin/common';
 import { HttpSetup } from '@kbn/core/public';
+import { SLO_RULE_TYPE_IDS } from '@kbn/rule-data-utils';
 import { useKibana } from './use_kibana';
 import { sloKeys } from './query_key_factory';
 import { WindowSchema } from '../typings';
@@ -54,17 +55,15 @@ async function fetchRules({
   http: HttpSetup;
   signal?: AbortSignal;
 }) {
-  const filter = 'alert.attributes.alertTypeId:slo.rules.burnRate';
-
-  const query = {
+  const body = {
     search,
-    filter,
     fields: ['id', 'params.windows', 'name'],
     per_page: 1000,
+    rule_type_ids: SLO_RULE_TYPE_IDS,
   };
 
-  const response = await http.get<RuleApiResponse>(`${BASE_ALERTING_API_PATH}/rules/_find`, {
-    query,
+  const response = await http.post<RuleApiResponse>(INTERNAL_ALERTING_API_FIND_RULES_PATH, {
+    body: JSON.stringify({ ...body }),
     signal,
   });
 
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_details/components/slo_detail_alerts.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_details/components/slo_detail_alerts.tsx
index 3aa94c00b6441..7b31baf0d62b0 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_details/components/slo_detail_alerts.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_details/components/slo_detail_alerts.tsx
@@ -6,7 +6,7 @@
  */
 import { EuiFlexGroup, EuiFlexItem, EuiSpacer } from '@elastic/eui';
 import React, { Fragment } from 'react';
-import { AlertConsumers } from '@kbn/rule-data-utils';
+import { AlertConsumers, SLO_RULE_TYPE_IDS } from '@kbn/rule-data-utils';
 
 import { ALL_VALUE, SLOWithSummaryResponse } from '@kbn/slo-schema';
 import { SLO_ALERTS_TABLE_ID } from '@kbn/observability-shared-plugin/common';
@@ -32,7 +32,8 @@ export function SloDetailsAlerts({ slo }: Props) {
             configurationId={AlertConsumers.OBSERVABILITY}
             id={SLO_ALERTS_TABLE_ID}
             data-test-subj="alertTable"
-            featureIds={[AlertConsumers.SLO, AlertConsumers.OBSERVABILITY]}
+            ruleTypeIds={SLO_RULE_TYPE_IDS}
+            consumers={[AlertConsumers.SLO, AlertConsumers.ALERTS, AlertConsumers.OBSERVABILITY]}
             query={{
               bool: {
                 filter: [
diff --git a/x-pack/plugins/observability_solution/slo/server/lib/rules/register_burn_rate_rule.ts b/x-pack/plugins/observability_solution/slo/server/lib/rules/register_burn_rate_rule.ts
index d432dc5c52d34..ace1a1318ce29 100644
--- a/x-pack/plugins/observability_solution/slo/server/lib/rules/register_burn_rate_rule.ts
+++ b/x-pack/plugins/observability_solution/slo/server/lib/rules/register_burn_rate_rule.ts
@@ -5,14 +5,14 @@
  * 2.0.
  */
 
-import { PluginSetupContract } from '@kbn/alerting-plugin/server';
+import type { AlertingServerSetup } from '@kbn/alerting-plugin/server';
 import { IBasePath, Logger } from '@kbn/core/server';
 import { IRuleDataService } from '@kbn/rule-registry-plugin/server';
 import { CustomThresholdLocators } from '@kbn/observability-plugin/server';
 import { sloBurnRateRuleType } from './slo_burn_rate';
 
 export function registerBurnRateRule(
-  alertingPlugin: PluginSetupContract,
+  alertingPlugin: AlertingServerSetup,
   basePath: IBasePath,
   logger: Logger,
   ruleDataService: IRuleDataService,
diff --git a/x-pack/plugins/observability_solution/slo/server/plugin.ts b/x-pack/plugins/observability_solution/slo/server/plugin.ts
index 7699cbe5f1404..99cd4a2230a94 100644
--- a/x-pack/plugins/observability_solution/slo/server/plugin.ts
+++ b/x-pack/plugins/observability_solution/slo/server/plugin.ts
@@ -14,10 +14,11 @@ import {
   PluginInitializerContext,
   SavedObjectsClient,
 } from '@kbn/core/server';
-import { KibanaFeatureScope } from '@kbn/features-plugin/common';
-import { i18n } from '@kbn/i18n';
 import { AlertsLocatorDefinition, sloFeatureId } from '@kbn/observability-plugin/common';
 import { SLO_BURN_RATE_RULE_TYPE_ID } from '@kbn/rule-data-utils';
+import { ALERTING_FEATURE_ID } from '@kbn/alerting-plugin/common';
+import { KibanaFeatureScope } from '@kbn/features-plugin/common';
+import { i18n } from '@kbn/i18n';
 import { mapValues } from 'lodash';
 import { registerSloUsageCollector } from './lib/collectors/register';
 import { registerBurnRateRule } from './lib/rules/register_burn_rate_rule';
@@ -61,6 +62,11 @@ export class SLOPlugin
 
     const savedObjectTypes = [SO_SLO_TYPE, SO_SLO_SETTINGS_TYPE];
 
+    const alertingFeatures = sloRuleTypes.map((ruleTypeId) => ({
+      ruleTypeId,
+      consumers: [sloFeatureId, ALERTING_FEATURE_ID],
+    }));
+
     plugins.features.registerKibanaFeature({
       id: sloFeatureId,
       name: i18n.translate('xpack.slo.featureRegistry.linkSloTitle', {
@@ -71,7 +77,7 @@ export class SLOPlugin
       scope: [KibanaFeatureScope.Spaces, KibanaFeatureScope.Security],
       app: [sloFeatureId, 'kibana'],
       catalogue: [sloFeatureId, 'observability'],
-      alerting: sloRuleTypes,
+      alerting: alertingFeatures,
       privileges: {
         all: {
           app: [sloFeatureId, 'kibana'],
@@ -83,10 +89,10 @@ export class SLOPlugin
           },
           alerting: {
             rule: {
-              all: sloRuleTypes,
+              all: alertingFeatures,
             },
             alert: {
-              all: sloRuleTypes,
+              all: alertingFeatures,
             },
           },
           ui: ['read', 'write'],
@@ -101,10 +107,10 @@ export class SLOPlugin
           },
           alerting: {
             rule: {
-              read: sloRuleTypes,
+              read: alertingFeatures,
             },
             alert: {
-              read: sloRuleTypes,
+              read: alertingFeatures,
             },
           },
           ui: ['read'],
diff --git a/x-pack/plugins/observability_solution/slo/server/services/get_slos_overview.ts b/x-pack/plugins/observability_solution/slo/server/services/get_slos_overview.ts
index 32660b68f4693..fb2be7bcbf74d 100644
--- a/x-pack/plugins/observability_solution/slo/server/services/get_slos_overview.ts
+++ b/x-pack/plugins/observability_solution/slo/server/services/get_slos_overview.ts
@@ -15,7 +15,7 @@ import {
 import { RulesClientApi } from '@kbn/alerting-plugin/server/types';
 import { AlertsClient } from '@kbn/rule-registry-plugin/server';
 import moment from 'moment';
-import { observabilityAlertFeatureIds } from '@kbn/observability-plugin/common';
+import { AlertConsumers, SLO_RULE_TYPE_IDS } from '@kbn/rule-data-utils';
 import { typedSearch } from '../utils/queries';
 import { getElasticsearchQueryOrThrow, parseStringFilters } from './transform_generators';
 import { getListOfSummaryIndices, getSloSettings } from './slo_settings';
@@ -108,21 +108,16 @@ export class GetSLOsOverview {
     const [rules, alerts] = await Promise.all([
       this.rulesClient.find({
         options: {
-          search: 'alert.attributes.alertTypeId:("slo.rules.burnRate")',
+          ruleTypeIds: SLO_RULE_TYPE_IDS,
+          consumers: [AlertConsumers.SLO, AlertConsumers.ALERTS, AlertConsumers.OBSERVABILITY],
         },
       }),
 
       this.racClient.getAlertSummary({
-        featureIds: observabilityAlertFeatureIds,
+        ruleTypeIds: SLO_RULE_TYPE_IDS,
+        consumers: [AlertConsumers.SLO, AlertConsumers.ALERTS, AlertConsumers.OBSERVABILITY],
         gte: moment().subtract(24, 'hours').toISOString(),
         lte: moment().toISOString(),
-        filter: [
-          {
-            term: {
-              'kibana.alert.rule.rule_type_id': 'slo.rules.burnRate',
-            },
-          },
-        ],
       }),
     ]);
 
diff --git a/x-pack/plugins/observability_solution/slo/server/types.ts b/x-pack/plugins/observability_solution/slo/server/types.ts
index b9269f49c4d9f..9a40547820182 100644
--- a/x-pack/plugins/observability_solution/slo/server/types.ts
+++ b/x-pack/plugins/observability_solution/slo/server/types.ts
@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import type { PluginSetupContract, PluginStartContract } from '@kbn/alerting-plugin/server';
+import type { AlertingServerSetup, AlertingServerStart } from '@kbn/alerting-plugin/server';
 import { CloudSetup } from '@kbn/cloud-plugin/server';
 import { DataViewsServerPluginStart } from '@kbn/data-views-plugin/server';
 import { FeaturesPluginSetup } from '@kbn/features-plugin/server';
@@ -31,7 +31,7 @@ export interface SLOServerSetup {}
 export interface SLOServerStart {}
 
 export interface SLOPluginSetupDependencies {
-  alerting: PluginSetupContract;
+  alerting: AlertingServerSetup;
   ruleRegistry: RuleRegistryPluginSetupContract;
   share: SharePluginSetup;
   features: FeaturesPluginSetup;
@@ -44,7 +44,7 @@ export interface SLOPluginSetupDependencies {
 }
 
 export interface SLOPluginStartDependencies {
-  alerting: PluginStartContract;
+  alerting: AlertingServerStart;
   taskManager: TaskManagerStartContract;
   spaces?: SpacesPluginStart;
   ruleRegistry: RuleRegistryPluginStartContract;
diff --git a/x-pack/plugins/observability_solution/synthetics/common/constants/synthetics_alerts.ts b/x-pack/plugins/observability_solution/synthetics/common/constants/synthetics_alerts.ts
index 4f525bda17564..8a5812f46c6cb 100644
--- a/x-pack/plugins/observability_solution/synthetics/common/constants/synthetics_alerts.ts
+++ b/x-pack/plugins/observability_solution/synthetics/common/constants/synthetics_alerts.ts
@@ -8,6 +8,8 @@
 import type { ActionGroup } from '@kbn/alerting-plugin/common';
 import { i18n } from '@kbn/i18n';
 
+export { SYNTHETICS_STATUS_RULE, SYNTHETICS_TLS_RULE } from '@kbn/rule-data-utils';
+
 export type MonitorStatusActionGroup =
   | ActionGroup<'xpack.synthetics.alerts.actionGroups.monitorStatus'>
   | ActionGroup<'xpack.synthetics.alerts.actionGroups.tls'>;
@@ -34,14 +36,6 @@ export const ACTION_GROUP_DEFINITIONS: {
   TLS_CERTIFICATE,
 };
 
-export const SYNTHETICS_STATUS_RULE = 'xpack.synthetics.alerts.monitorStatus';
-export const SYNTHETICS_TLS_RULE = 'xpack.synthetics.alerts.tls';
-
-export const SYNTHETICS_ALERT_RULE_TYPES = {
-  MONITOR_STATUS: SYNTHETICS_STATUS_RULE,
-  TLS: SYNTHETICS_TLS_RULE,
-};
-
-export const SYNTHETICS_RULE_TYPES = [SYNTHETICS_STATUS_RULE, SYNTHETICS_TLS_RULE];
-
 export const SYNTHETICS_RULE_TYPES_ALERT_CONTEXT = 'observability.uptime';
+
+export { SYNTHETICS_RULE_TYPE_IDS as SYNTHETICS_RULE_TYPES } from '@kbn/rule-data-utils';
diff --git a/x-pack/plugins/observability_solution/synthetics/public/apps/synthetics/components/monitor_details/hooks/use_fetch_active_alerts.ts b/x-pack/plugins/observability_solution/synthetics/public/apps/synthetics/components/monitor_details/hooks/use_fetch_active_alerts.ts
index f81601e3ed413..ee00905ec7bd7 100644
--- a/x-pack/plugins/observability_solution/synthetics/public/apps/synthetics/components/monitor_details/hooks/use_fetch_active_alerts.ts
+++ b/x-pack/plugins/observability_solution/synthetics/public/apps/synthetics/components/monitor_details/hooks/use_fetch_active_alerts.ts
@@ -6,7 +6,10 @@
  */
 
 import { BASE_RAC_ALERTS_API_PATH } from '@kbn/rule-registry-plugin/common';
-import { AlertConsumers } from '@kbn/rule-registry-plugin/common/technical_rule_data_field_names';
+import {
+  AlertConsumers,
+  SYNTHETICS_RULE_TYPE_IDS,
+} from '@kbn/rule-registry-plugin/common/technical_rule_data_field_names';
 import { useFetcher } from '@kbn/observability-shared-plugin/public';
 import { useKibana } from '@kbn/kibana-react-plugin/public';
 import { useParams } from 'react-router-dom';
@@ -25,7 +28,8 @@ export function useFetchActiveAlerts() {
   const { loading, data } = useFetcher(async () => {
     return await http.post<ESSearchResponse>(`${BASE_RAC_ALERTS_API_PATH}/find`, {
       body: JSON.stringify({
-        feature_ids: [AlertConsumers.UPTIME],
+        rule_type_ids: SYNTHETICS_RULE_TYPE_IDS,
+        consumers: [AlertConsumers.UPTIME, AlertConsumers.ALERTS, AlertConsumers.OBSERVABILITY],
         size: 0,
         track_total_hits: true,
         query: {
diff --git a/x-pack/plugins/observability_solution/synthetics/public/apps/synthetics/components/monitor_details/monitor_alerts/monitor_detail_alerts.tsx b/x-pack/plugins/observability_solution/synthetics/public/apps/synthetics/components/monitor_details/monitor_alerts/monitor_detail_alerts.tsx
index 1737aa21b27d2..cb071a877d6ee 100644
--- a/x-pack/plugins/observability_solution/synthetics/public/apps/synthetics/components/monitor_details/monitor_alerts/monitor_detail_alerts.tsx
+++ b/x-pack/plugins/observability_solution/synthetics/public/apps/synthetics/components/monitor_details/monitor_alerts/monitor_detail_alerts.tsx
@@ -6,7 +6,7 @@
  */
 import { EuiFlexGroup, EuiFlexItem, EuiSpacer, EuiLoadingSpinner } from '@elastic/eui';
 import React from 'react';
-import { AlertConsumers } from '@kbn/rule-data-utils';
+import { AlertConsumers, SYNTHETICS_RULE_TYPE_IDS } from '@kbn/rule-data-utils';
 import { useKibana } from '@kbn/kibana-react-plugin/public';
 import { useParams } from 'react-router-dom';
 import { useRefreshedRangeFromUrl } from '../../../hooks';
@@ -44,7 +44,8 @@ export function MonitorDetailsAlerts() {
             configurationId={AlertConsumers.OBSERVABILITY}
             id={MONITOR_ALERTS_TABLE_ID}
             data-test-subj="monitorAlertsTable"
-            featureIds={[AlertConsumers.UPTIME]}
+            ruleTypeIds={SYNTHETICS_RULE_TYPE_IDS}
+            consumers={[AlertConsumers.UPTIME, AlertConsumers.ALERTS, AlertConsumers.OBSERVABILITY]}
             query={{
               bool: {
                 filter: [
diff --git a/x-pack/plugins/observability_solution/synthetics/public/apps/synthetics/lib/alert_types/monitor_status.tsx b/x-pack/plugins/observability_solution/synthetics/public/apps/synthetics/lib/alert_types/monitor_status.tsx
index 794747853642c..7c8824a8d56c9 100644
--- a/x-pack/plugins/observability_solution/synthetics/public/apps/synthetics/lib/alert_types/monitor_status.tsx
+++ b/x-pack/plugins/observability_solution/synthetics/public/apps/synthetics/lib/alert_types/monitor_status.tsx
@@ -7,7 +7,7 @@
 
 import React from 'react';
 
-import { ALERT_REASON } from '@kbn/rule-data-utils';
+import { ALERT_REASON, SYNTHETICS_ALERT_RULE_TYPES } from '@kbn/rule-data-utils';
 
 import type { ObservabilityRuleTypeModel } from '@kbn/observability-plugin/public';
 import type { RuleTypeParamsExpressionProps } from '@kbn/triggers-actions-ui-plugin/public';
@@ -15,7 +15,6 @@ import { getSyntheticsErrorRouteFromMonitorId } from '../../../../../common/util
 import { STATE_ID } from '../../../../../common/field_names';
 import { SyntheticsMonitorStatusTranslations } from '../../../../../common/rules/synthetics/translations';
 import type { StatusRuleParams } from '../../../../../common/rules/status_rule';
-import { SYNTHETICS_ALERT_RULE_TYPES } from '../../../../../common/constants/synthetics_alerts';
 import type { AlertTypeInitializer } from './types';
 
 const { defaultActionMessage, defaultRecoveryMessage, description } =
diff --git a/x-pack/plugins/observability_solution/synthetics/public/apps/synthetics/lib/alert_types/tls.tsx b/x-pack/plugins/observability_solution/synthetics/public/apps/synthetics/lib/alert_types/tls.tsx
index 896a84cd1688c..10c45ece27a9f 100644
--- a/x-pack/plugins/observability_solution/synthetics/public/apps/synthetics/lib/alert_types/tls.tsx
+++ b/x-pack/plugins/observability_solution/synthetics/public/apps/synthetics/lib/alert_types/tls.tsx
@@ -6,13 +6,12 @@
  */
 
 import React from 'react';
-import { ALERT_REASON } from '@kbn/rule-data-utils';
+import { ALERT_REASON, SYNTHETICS_ALERT_RULE_TYPES } from '@kbn/rule-data-utils';
 import { ObservabilityRuleTypeModel } from '@kbn/observability-plugin/public';
 import type { RuleTypeParamsExpressionProps } from '@kbn/triggers-actions-ui-plugin/public';
 import { ValidationResult } from '@kbn/triggers-actions-ui-plugin/public';
 import { TlsTranslations } from '../../../../../common/rules/synthetics/translations';
 import { CERTIFICATES_ROUTE } from '../../../../../common/constants/ui';
-import { SYNTHETICS_ALERT_RULE_TYPES } from '../../../../../common/constants/synthetics_alerts';
 import type { TLSParams } from '../../../../../common/runtime_types/alerts/tls';
 
 import type { AlertTypeInitializer } from './types';
diff --git a/x-pack/plugins/observability_solution/synthetics/server/alert_rules/status_rule/monitor_status_rule.ts b/x-pack/plugins/observability_solution/synthetics/server/alert_rules/status_rule/monitor_status_rule.ts
index ff4516a861225..1e3f8bf35e06b 100644
--- a/x-pack/plugins/observability_solution/synthetics/server/alert_rules/status_rule/monitor_status_rule.ts
+++ b/x-pack/plugins/observability_solution/synthetics/server/alert_rules/status_rule/monitor_status_rule.ts
@@ -10,16 +10,14 @@ import { isEmpty } from 'lodash';
 import { GetViewInAppRelativeUrlFnOpts, AlertsClientError } from '@kbn/alerting-plugin/server';
 import { observabilityPaths } from '@kbn/observability-plugin/common';
 import apm from 'elastic-apm-node';
+import { SYNTHETICS_ALERT_RULE_TYPES } from '@kbn/rule-data-utils';
 import { AlertOverviewStatus } from '../../../common/runtime_types/alert_rules/common';
 import { StatusRuleExecutorOptions } from './types';
 import { syntheticsRuleFieldMap } from '../../../common/rules/synthetics_rule_field_map';
 import { SyntheticsPluginsSetupDependencies, SyntheticsServerSetup } from '../../types';
 import { StatusRuleExecutor } from './status_rule_executor';
 import { StatusRulePramsSchema } from '../../../common/rules/status_rule';
-import {
-  MONITOR_STATUS,
-  SYNTHETICS_ALERT_RULE_TYPES,
-} from '../../../common/constants/synthetics_alerts';
+import { MONITOR_STATUS } from '../../../common/constants/synthetics_alerts';
 import {
   setRecoveredAlertsContext,
   updateState,
diff --git a/x-pack/plugins/observability_solution/synthetics/server/alert_rules/tls_rule/tls_rule.ts b/x-pack/plugins/observability_solution/synthetics/server/alert_rules/tls_rule/tls_rule.ts
index 5f8fc43c5d91c..111d590a4fd76 100644
--- a/x-pack/plugins/observability_solution/synthetics/server/alert_rules/tls_rule/tls_rule.ts
+++ b/x-pack/plugins/observability_solution/synthetics/server/alert_rules/tls_rule/tls_rule.ts
@@ -14,6 +14,7 @@ import {
   AlertsClientError,
 } from '@kbn/alerting-plugin/server';
 import { asyncForEach } from '@kbn/std';
+import { SYNTHETICS_ALERT_RULE_TYPES } from '@kbn/rule-data-utils';
 import { getAlertDetailsUrl, observabilityPaths } from '@kbn/observability-plugin/common';
 import { schema } from '@kbn/config-schema';
 import { ObservabilityUptimeAlert } from '@kbn/alerts-as-data-utils';
@@ -22,10 +23,7 @@ import { SyntheticsPluginsSetupDependencies, SyntheticsServerSetup } from '../..
 import { getCertSummary, getTLSAlertDocument, setTLSRecoveredAlertsContext } from './message_utils';
 import { SyntheticsCommonState } from '../../../common/runtime_types/alert_rules/common';
 import { TLSRuleExecutor } from './tls_rule_executor';
-import {
-  SYNTHETICS_ALERT_RULE_TYPES,
-  TLS_CERTIFICATE,
-} from '../../../common/constants/synthetics_alerts';
+import { TLS_CERTIFICATE } from '../../../common/constants/synthetics_alerts';
 import { SyntheticsRuleTypeAlertDefinition, updateState } from '../common';
 import { ALERT_DETAILS_URL, getActionVariables } from '../action_variables';
 import { SyntheticsMonitorClient } from '../../synthetics_service/synthetics_monitor/synthetics_monitor_client';
diff --git a/x-pack/plugins/observability_solution/synthetics/server/feature.ts b/x-pack/plugins/observability_solution/synthetics/server/feature.ts
index 900e655b0cc0d..0e8a08e8aed13 100644
--- a/x-pack/plugins/observability_solution/synthetics/server/feature.ts
+++ b/x-pack/plugins/observability_solution/synthetics/server/feature.ts
@@ -11,9 +11,10 @@ import {
   SubFeaturePrivilegeGroupConfig,
   SubFeaturePrivilegeGroupType,
 } from '@kbn/features-plugin/common';
+import { ALERTING_FEATURE_ID } from '@kbn/alerting-plugin/common';
+import { UPTIME_RULE_TYPE_IDS, SYNTHETICS_RULE_TYPE_IDS } from '@kbn/rule-data-utils';
 import { KibanaFeatureScope } from '@kbn/features-plugin/common';
 import { syntheticsMonitorType, syntheticsParamType } from '../common/types/saved_objects';
-import { SYNTHETICS_RULE_TYPES } from '../common/constants/synthetics_alerts';
 import {
   legacyPrivateLocationsSavedObjectName,
   privateLocationSavedObjectName,
@@ -25,16 +26,14 @@ import {
 } from './saved_objects/synthetics_settings';
 import { syntheticsApiKeyObjectType } from './saved_objects/service_api_key';
 
-const UPTIME_RULE_TYPES = [
-  'xpack.uptime.alerts.tls',
-  'xpack.uptime.alerts.tlsCertificate',
-  'xpack.uptime.alerts.monitorStatus',
-  'xpack.uptime.alerts.durationAnomaly',
-];
-
 export const PRIVATE_LOCATION_WRITE_API = 'private-location-write';
 
-const ruleTypes = [...UPTIME_RULE_TYPES, ...SYNTHETICS_RULE_TYPES];
+const ruleTypes = [...UPTIME_RULE_TYPE_IDS, ...SYNTHETICS_RULE_TYPE_IDS];
+
+const alertingFeatures = ruleTypes.map((ruleTypeId) => ({
+  ruleTypeId,
+  consumers: [PLUGIN.ID, ALERTING_FEATURE_ID],
+}));
 
 const elasticManagedLocationsEnabledPrivilege: SubFeaturePrivilegeGroupConfig = {
   groupType: 'independent' as SubFeaturePrivilegeGroupType,
@@ -84,7 +83,7 @@ export const syntheticsFeature = {
   management: {
     insightsAndAlerting: ['triggersActions'],
   },
-  alerting: ruleTypes,
+  alerting: alertingFeatures,
   privileges: {
     all: {
       app: ['uptime', 'kibana', 'synthetics'],
@@ -104,10 +103,10 @@ export const syntheticsFeature = {
       },
       alerting: {
         rule: {
-          all: ruleTypes,
+          all: alertingFeatures,
         },
         alert: {
-          all: ruleTypes,
+          all: alertingFeatures,
         },
       },
       management: {
@@ -134,10 +133,10 @@ export const syntheticsFeature = {
       },
       alerting: {
         rule: {
-          read: ruleTypes,
+          read: alertingFeatures,
         },
         alert: {
-          read: ruleTypes,
+          read: alertingFeatures,
         },
       },
       management: {
diff --git a/x-pack/plugins/observability_solution/synthetics/server/routes/default_alerts/default_alert_service.ts b/x-pack/plugins/observability_solution/synthetics/server/routes/default_alerts/default_alert_service.ts
index 2e2263f6e3965..d13395a42ca1a 100644
--- a/x-pack/plugins/observability_solution/synthetics/server/routes/default_alerts/default_alert_service.ts
+++ b/x-pack/plugins/observability_solution/synthetics/server/routes/default_alerts/default_alert_service.ts
@@ -99,7 +99,7 @@ export class DefaultAlertService {
   }
 
   async getExistingAlert(ruleType: DefaultRuleType) {
-    const rulesClient = (await this.context.alerting)?.getRulesClient();
+    const rulesClient = await (await this.context.alerting)?.getRulesClient();
 
     const { data } = await rulesClient.find({
       options: {
@@ -123,7 +123,7 @@ export class DefaultAlertService {
     }
 
     const actions = await this.getAlertActions(ruleType);
-    const rulesClient = (await this.context.alerting)?.getRulesClient();
+    const rulesClient = await (await this.context.alerting)?.getRulesClient();
     const {
       actions: actionsFromRules = [],
       systemActions = [],
@@ -158,7 +158,7 @@ export class DefaultAlertService {
         minimumRuleInterval
       );
     } else {
-      const rulesClient = (await this.context.alerting)?.getRulesClient();
+      const rulesClient = await (await this.context.alerting)?.getRulesClient();
       await rulesClient.bulkDeleteRules({
         filter: `alert.attributes.alertTypeId:"${SYNTHETICS_STATUS_RULE}" AND alert.attributes.tags:"SYNTHETICS_DEFAULT_ALERT"`,
       });
@@ -174,7 +174,7 @@ export class DefaultAlertService {
         minimumRuleInterval
       );
     } else {
-      const rulesClient = (await this.context.alerting)?.getRulesClient();
+      const rulesClient = await (await this.context.alerting)?.getRulesClient();
       await rulesClient.bulkDeleteRules({
         filter: `alert.attributes.alertTypeId:"${SYNTHETICS_TLS_RULE}" AND alert.attributes.tags:"SYNTHETICS_DEFAULT_ALERT"`,
       });
@@ -182,7 +182,7 @@ export class DefaultAlertService {
   }
 
   async upsertDefaultAlert(ruleType: DefaultRuleType, name: string, interval: string) {
-    const rulesClient = (await this.context.alerting)?.getRulesClient();
+    const rulesClient = await (await this.context.alerting)?.getRulesClient();
 
     const alert = await this.getExistingAlert(ruleType);
     if (alert) {
diff --git a/x-pack/plugins/observability_solution/synthetics/server/types.ts b/x-pack/plugins/observability_solution/synthetics/server/types.ts
index e024721101d1f..1a8016830c085 100644
--- a/x-pack/plugins/observability_solution/synthetics/server/types.ts
+++ b/x-pack/plugins/observability_solution/synthetics/server/types.ts
@@ -17,10 +17,7 @@ import {
   Logger,
   SavedObjectsClientContract,
 } from '@kbn/core/server';
-import {
-  PluginStartContract as AlertingPluginStart,
-  PluginSetupContract as AlertingPluginSetup,
-} from '@kbn/alerting-plugin/server';
+import { AlertingServerSetup, AlertingServerStart } from '@kbn/alerting-plugin/server';
 import { SharePluginSetup } from '@kbn/share-plugin/server';
 import { ObservabilityPluginSetup } from '@kbn/observability-plugin/server';
 import { UsageCollectionSetup } from '@kbn/usage-collection-plugin/server';
@@ -62,14 +59,14 @@ export interface SyntheticsServerSetup {
   basePath: IBasePath;
   isDev?: boolean;
   coreStart: CoreStart;
-  alerting: AlertingPluginSetup;
+  alerting: AlertingServerSetup;
   pluginsStart: SyntheticsPluginsStartDependencies;
   isElasticsearchServerless: boolean;
 }
 
 export interface SyntheticsPluginsSetupDependencies {
   features: FeaturesPluginSetup;
-  alerting: AlertingPluginSetup;
+  alerting: AlertingServerSetup;
   observability: ObservabilityPluginSetup;
   usageCollection: UsageCollectionSetup;
   ml: MlSetup;
@@ -90,7 +87,7 @@ export interface SyntheticsPluginsStartDependencies {
   taskManager: TaskManagerStartContract;
   telemetry: TelemetryPluginStart;
   spaces?: SpacesPluginStart;
-  alerting: AlertingPluginStart;
+  alerting: AlertingServerStart;
 }
 
 export type UptimeRequestHandlerContext = CustomRequestHandlerContext<{
diff --git a/x-pack/plugins/observability_solution/uptime/common/constants/synthetics_alerts.ts b/x-pack/plugins/observability_solution/uptime/common/constants/synthetics_alerts.ts
index 223b8909de96e..5de01b708ea2c 100644
--- a/x-pack/plugins/observability_solution/uptime/common/constants/synthetics_alerts.ts
+++ b/x-pack/plugins/observability_solution/uptime/common/constants/synthetics_alerts.ts
@@ -42,6 +42,4 @@ export const SYNTHETICS_ALERT_RULE_TYPES = {
   TLS: SYNTHETICS_TLS_RULE,
 };
 
-export const SYNTHETICS_RULE_TYPES = [SYNTHETICS_STATUS_RULE, SYNTHETICS_TLS_RULE];
-
 export const SYNTHETICS_RULE_TYPES_ALERT_CONTEXT = 'observability.uptime';
diff --git a/x-pack/plugins/observability_solution/uptime/common/constants/uptime_alerts.ts b/x-pack/plugins/observability_solution/uptime/common/constants/uptime_alerts.ts
index 71f6bd1b183fb..1a84cf461b3e4 100644
--- a/x-pack/plugins/observability_solution/uptime/common/constants/uptime_alerts.ts
+++ b/x-pack/plugins/observability_solution/uptime/common/constants/uptime_alerts.ts
@@ -41,9 +41,4 @@ export const CLIENT_ALERT_TYPES = {
   DURATION_ANOMALY: 'xpack.uptime.alerts.durationAnomaly',
 };
 
-export const UPTIME_RULE_TYPES = [
-  'xpack.uptime.alerts.tls',
-  'xpack.uptime.alerts.tlsCertificate',
-  'xpack.uptime.alerts.monitorStatus',
-  'xpack.uptime.alerts.durationAnomaly',
-];
+export { UPTIME_RULE_TYPE_IDS as UPTIME_RULE_TYPES } from '@kbn/rule-data-utils';
diff --git a/x-pack/plugins/observability_solution/uptime/server/legacy_uptime/routes/monitors/monitors_details.ts b/x-pack/plugins/observability_solution/uptime/server/legacy_uptime/routes/monitors/monitors_details.ts
index 357d008c4b901..9cfc38b8730cc 100644
--- a/x-pack/plugins/observability_solution/uptime/server/legacy_uptime/routes/monitors/monitors_details.ts
+++ b/x-pack/plugins/observability_solution/uptime/server/legacy_uptime/routes/monitors/monitors_details.ts
@@ -23,7 +23,7 @@ export const createGetMonitorDetailsRoute: UMRestApiRouteFactory = (libs: UMServ
   handler: async ({ uptimeEsClient, context, request }): Promise<any> => {
     const { monitorId, dateStart, dateEnd } = request.query;
 
-    const rulesClient = (await context.alerting)?.getRulesClient();
+    const rulesClient = await (await context.alerting)?.getRulesClient();
 
     return await libs.requests.getMonitorDetails({
       uptimeEsClient,
diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.mock.ts b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.mock.ts
index 66ef6a73013f4..d58d5398f907c 100644
--- a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.mock.ts
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.mock.ts
@@ -20,7 +20,6 @@ const createAlertsClientMock = () => {
     bulkUpdateCases: jest.fn(),
     find: jest.fn(),
     getGroupAggregations: jest.fn(),
-    getFeatureIdsByRegistrationContexts: jest.fn(),
     getBrowserFields: jest.fn(),
     getAlertSummary: jest.fn(),
     ensureAllAlertsAuthorizedRead: jest.fn(),
diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.test.ts b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.test.ts
new file mode 100644
index 0000000000000..77215955277dc
--- /dev/null
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.test.ts
@@ -0,0 +1,244 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { coreMock, loggingSystemMock } from '@kbn/core/server/mocks';
+import { alertingAuthorizationMock } from '@kbn/alerting-plugin/server/authorization/alerting_authorization.mock';
+import { ruleDataServiceMock } from '../rule_data_plugin_service/rule_data_plugin_service.mock';
+import { AlertsClient, ConstructorOptions } from './alerts_client';
+import { fromKueryExpression } from '@kbn/es-query';
+
+describe('AlertsClient', () => {
+  const alertingAuthMock = alertingAuthorizationMock.create();
+  const ruleDataService = ruleDataServiceMock.create();
+  const requestHandlerContext = coreMock.createRequestHandlerContext();
+  const esClientMock = requestHandlerContext.elasticsearch.client.asCurrentUser;
+
+  let alertsClient: AlertsClient;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    alertingAuthMock.getSpaceId.mockReturnValue('space-1');
+    alertingAuthMock.getAllAuthorizedRuleTypesFindOperation.mockResolvedValue(
+      new Map([
+        [
+          'test-rule-type-1',
+          {
+            id: 'test-rule-type-1',
+            authorizedConsumers: { foo: { all: true, read: true } },
+          },
+        ],
+      ])
+    );
+
+    alertingAuthMock.getAuthorizationFilter.mockResolvedValue({
+      filter: fromKueryExpression(
+        'alert.attributes.alertTypeId: test-rule-type-1 AND alert.attributes.consumer: foo'
+      ),
+      ensureRuleTypeIsAuthorized: jest.fn(),
+    });
+
+    const alertsClientParams: ConstructorOptions = {
+      logger: loggingSystemMock.create().get(),
+      authorization: alertingAuthMock,
+      esClient: esClientMock,
+      ruleDataService,
+      getRuleType: jest.fn(),
+      getRuleList: jest.fn(),
+      getAlertIndicesAlias: jest.fn(),
+    };
+
+    alertsClient = new AlertsClient(alertsClientParams);
+  });
+
+  describe('find', () => {
+    it('creates the ruleTypeIds filter correctly', async () => {
+      await alertsClient.find({ ruleTypeIds: ['test-rule-type-1', 'test-rule-type-2'] });
+
+      expect(esClientMock.search.mock.calls[0][0]).toMatchInlineSnapshot(`
+        Object {
+          "body": Object {
+            "_source": undefined,
+            "aggs": undefined,
+            "fields": Array [
+              "kibana.alert.rule.rule_type_id",
+              "kibana.alert.rule.consumer",
+              "kibana.alert.workflow_status",
+              "kibana.space_ids",
+            ],
+            "query": Object {
+              "bool": Object {
+                "filter": Array [
+                  Object {
+                    "arguments": Array [
+                      Object {
+                        "arguments": Array [
+                          Object {
+                            "isQuoted": false,
+                            "type": "literal",
+                            "value": "alert.attributes.alertTypeId",
+                          },
+                          Object {
+                            "isQuoted": false,
+                            "type": "literal",
+                            "value": "test-rule-type-1",
+                          },
+                        ],
+                        "function": "is",
+                        "type": "function",
+                      },
+                      Object {
+                        "arguments": Array [
+                          Object {
+                            "isQuoted": false,
+                            "type": "literal",
+                            "value": "alert.attributes.consumer",
+                          },
+                          Object {
+                            "isQuoted": false,
+                            "type": "literal",
+                            "value": "foo",
+                          },
+                        ],
+                        "function": "is",
+                        "type": "function",
+                      },
+                    ],
+                    "function": "and",
+                    "type": "function",
+                  },
+                  Object {
+                    "term": Object {
+                      "kibana.space_ids": "space-1",
+                    },
+                  },
+                  Object {
+                    "terms": Object {
+                      "kibana.alert.rule.rule_type_id": Array [
+                        "test-rule-type-1",
+                        "test-rule-type-2",
+                      ],
+                    },
+                  },
+                ],
+                "must": Array [],
+                "must_not": Array [],
+                "should": Array [],
+              },
+            },
+            "runtime_mappings": undefined,
+            "size": undefined,
+            "sort": Array [
+              Object {
+                "@timestamp": Object {
+                  "order": "asc",
+                  "unmapped_type": "date",
+                },
+              },
+            ],
+            "track_total_hits": undefined,
+          },
+          "ignore_unavailable": true,
+          "index": ".alerts-*",
+          "seq_no_primary_term": true,
+        }
+      `);
+    });
+
+    it('creates the consumers filter correctly', async () => {
+      await alertsClient.find({ consumers: ['test-consumer-1', 'test-consumer-2'] });
+
+      expect(esClientMock.search.mock.calls[0][0]).toMatchInlineSnapshot(`
+        Object {
+          "body": Object {
+            "_source": undefined,
+            "aggs": undefined,
+            "fields": Array [
+              "kibana.alert.rule.rule_type_id",
+              "kibana.alert.rule.consumer",
+              "kibana.alert.workflow_status",
+              "kibana.space_ids",
+            ],
+            "query": Object {
+              "bool": Object {
+                "filter": Array [
+                  Object {
+                    "arguments": Array [
+                      Object {
+                        "arguments": Array [
+                          Object {
+                            "isQuoted": false,
+                            "type": "literal",
+                            "value": "alert.attributes.alertTypeId",
+                          },
+                          Object {
+                            "isQuoted": false,
+                            "type": "literal",
+                            "value": "test-rule-type-1",
+                          },
+                        ],
+                        "function": "is",
+                        "type": "function",
+                      },
+                      Object {
+                        "arguments": Array [
+                          Object {
+                            "isQuoted": false,
+                            "type": "literal",
+                            "value": "alert.attributes.consumer",
+                          },
+                          Object {
+                            "isQuoted": false,
+                            "type": "literal",
+                            "value": "foo",
+                          },
+                        ],
+                        "function": "is",
+                        "type": "function",
+                      },
+                    ],
+                    "function": "and",
+                    "type": "function",
+                  },
+                  Object {
+                    "term": Object {
+                      "kibana.space_ids": "space-1",
+                    },
+                  },
+                  Object {
+                    "terms": Object {
+                      "kibana.alert.rule.consumer": Array [
+                        "test-consumer-1",
+                        "test-consumer-2",
+                      ],
+                    },
+                  },
+                ],
+                "must": Array [],
+                "must_not": Array [],
+                "should": Array [],
+              },
+            },
+            "runtime_mappings": undefined,
+            "size": undefined,
+            "sort": Array [
+              Object {
+                "@timestamp": Object {
+                  "order": "asc",
+                  "unmapped_type": "date",
+                },
+              },
+            ],
+            "track_total_hits": undefined,
+          },
+          "ignore_unavailable": true,
+          "index": ".alerts-*",
+          "seq_no_primary_term": true,
+        }
+      `);
+    });
+  });
+});
diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
index ea80a365ccd95..3a898b07fb461 100644
--- a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
@@ -15,29 +15,23 @@ import {
   ALERT_STATUS,
   getEsQueryConfig,
   getSafeSortIds,
-  isValidFeatureId,
   STATUS_VALUES,
-  ValidFeatureId,
   ALERT_STATUS_RECOVERED,
   ALERT_END,
   ALERT_STATUS_ACTIVE,
   ALERT_CASE_IDS,
   MAX_CASES_PER_ALERT,
-  AlertConsumers,
+  isSiemRuleType,
 } from '@kbn/rule-data-utils';
 
 import {
   AggregateName,
   AggregationsAggregate,
-  AggregationsMultiBucketAggregateBase,
   MappingRuntimeFields,
   QueryDslQueryContainer,
   SortCombinations,
 } from '@elastic/elasticsearch/lib/api/types';
-import type {
-  RuleTypeParams,
-  PluginStartContract as AlertingStart,
-} from '@kbn/alerting-plugin/server';
+import type { RuleTypeParams, AlertingServerStart } from '@kbn/alerting-plugin/server';
 import {
   ReadOperations,
   AlertingAuthorization,
@@ -68,6 +62,8 @@ import {
   MAX_ALERTS_PAGES,
   MAX_PAGINATED_ALERTS,
 } from './constants';
+import { getRuleTypeIdsFilter } from '../lib/get_rule_type_ids_filter';
+import { getConsumersFilter } from '../lib/get_consumers_filter';
 
 // TODO: Fix typings https://github.com/elastic/kibana/issues/101776
 type NonNullableProps<Obj extends {}, Props extends keyof Obj> = Omit<Obj, Props> & {
@@ -97,7 +93,7 @@ export interface ConstructorOptions {
   ruleDataService: IRuleDataService;
   getRuleType: RuleTypeRegistry['get'];
   getRuleList: RuleTypeRegistry['list'];
-  getAlertIndicesAlias: AlertingStart['getAlertIndicesAlias'];
+  getAlertIndicesAlias: AlertingServerStart['getAlertIndicesAlias'];
 }
 
 export interface UpdateOptions<Params extends RuleTypeParams> {
@@ -138,7 +134,8 @@ interface GetAlertSummaryParams {
   id?: string;
   gte: string;
   lte: string;
-  featureIds: string[];
+  ruleTypeIds: string[];
+  consumers?: string[];
   filter?: estypes.QueryDslQueryContainer[];
   fixedInterval?: string;
 }
@@ -154,7 +151,8 @@ interface SearchAlertsParams {
   operation: WriteOperations.Update | ReadOperations.Find | ReadOperations.Get;
   sort?: estypes.SortOptions[];
   lastSortIds?: Array<string | number>;
-  featureIds?: string[];
+  ruleTypeIds?: string[];
+  consumers?: string[];
   runtimeMappings?: MappingRuntimeFields;
 }
 
@@ -172,7 +170,7 @@ export class AlertsClient {
   private readonly ruleDataService: IRuleDataService;
   private readonly getRuleType: RuleTypeRegistry['get'];
   private readonly getRuleList: RuleTypeRegistry['list'];
-  private getAlertIndicesAlias!: AlertingStart['getAlertIndicesAlias'];
+  private getAlertIndicesAlias!: AlertingServerStart['getAlertIndicesAlias'];
 
   constructor(options: ConstructorOptions) {
     this.logger = options.logger;
@@ -295,7 +293,8 @@ export class AlertsClient {
     operation,
     sort,
     lastSortIds = [],
-    featureIds,
+    ruleTypeIds,
+    consumers,
     runtimeMappings,
   }: SearchAlertsParams) {
     try {
@@ -316,7 +315,8 @@ export class AlertsClient {
           alertSpaceId,
           operation,
           config,
-          featureIds ? new Set(featureIds) : undefined
+          ruleTypeIds,
+          consumers
         ),
         aggs,
         _source,
@@ -372,7 +372,9 @@ export class AlertsClient {
 
       return result;
     } catch (error) {
-      const errorMessage = `Unable to retrieve alert details for alert with id of "${id}" or with query "${query}" and operation ${operation} \nError: ${error}`;
+      const errorMessage = `Unable to retrieve alert details for alert with id of "${id}" or with query "${JSON.stringify(
+        query
+      )}" and operation ${operation} \nError: ${error}`;
       this.logger.error(errorMessage);
       throw Boom.notFound(errorMessage);
     }
@@ -457,16 +459,17 @@ export class AlertsClient {
     alertSpaceId: string,
     operation: WriteOperations.Update | ReadOperations.Get | ReadOperations.Find,
     config: EsQueryConfig,
-    featuresIds?: Set<string>
+    ruleTypeIds?: string[],
+    consumers?: string[]
   ) {
     try {
-      const authzFilter = (await getAuthzFilter(
-        this.authorization,
-        operation,
-        featuresIds
-      )) as Filter;
+      const authzFilter = (await getAuthzFilter(this.authorization, operation)) as Filter;
       const spacesFilter = getSpacesFilter(alertSpaceId) as unknown as Filter;
+      const ruleTypeIdsFilter = getRuleTypeIdsFilter(ruleTypeIds) as unknown as Filter;
+      const consumersFilter = getConsumersFilter(consumers) as unknown as Filter;
+
       let esQuery;
+
       if (id != null) {
         esQuery = { query: `_id:${id}`, language: 'kuery' };
       } else if (typeof query === 'string') {
@@ -474,12 +477,14 @@ export class AlertsClient {
       } else if (query != null && typeof query === 'object') {
         esQuery = [];
       }
+
       const builtQuery = buildEsQuery(
         undefined,
         esQuery == null ? { query: ``, language: 'kuery' } : esQuery,
-        [authzFilter, spacesFilter],
+        [authzFilter, spacesFilter, ruleTypeIdsFilter, consumersFilter],
         config
       );
+
       if (query != null && typeof query === 'object') {
         return {
           ...builtQuery,
@@ -639,15 +644,16 @@ export class AlertsClient {
   public async getAlertSummary({
     gte,
     lte,
-    featureIds,
+    ruleTypeIds,
+    consumers,
     filter,
     fixedInterval = '1m',
   }: GetAlertSummaryParams) {
     try {
-      const indexToUse = await this.getAuthorizedAlertsIndices(featureIds);
+      const indexToUse = await this.getAuthorizedAlertsIndices(ruleTypeIds);
 
       if (isEmpty(indexToUse)) {
-        throw Boom.badRequest('no featureIds were provided for getting alert summary');
+        throw Boom.badRequest('no ruleTypeIds were provided for getting alert summary');
       }
 
       // first search for the alert by id, then use the alert info to check if user has access to it
@@ -710,7 +716,8 @@ export class AlertsClient {
           },
         },
         size: 0,
-        featureIds,
+        ruleTypeIds,
+        consumers,
       });
 
       let activeAlertCount = 0;
@@ -981,7 +988,8 @@ export class AlertsClient {
     TAggregations = Record<AggregateName, AggregationsAggregate>
   >({
     aggs,
-    featureIds,
+    ruleTypeIds,
+    consumers,
     index,
     query,
     search_after: searchAfter,
@@ -992,7 +1000,8 @@ export class AlertsClient {
     runtimeMappings,
   }: {
     aggs?: object;
-    featureIds?: string[];
+    ruleTypeIds?: string[];
+    consumers?: string[];
     index?: string;
     query?: object;
     search_after?: Array<string | number>;
@@ -1004,15 +1013,16 @@ export class AlertsClient {
   }) {
     try {
       let indexToUse = index;
-      if (featureIds && !isEmpty(featureIds)) {
-        const tempIndexToUse = await this.getAuthorizedAlertsIndices(featureIds);
+      if (ruleTypeIds && !isEmpty(ruleTypeIds)) {
+        const tempIndexToUse = await this.getAuthorizedAlertsIndices(ruleTypeIds);
         if (!isEmpty(tempIndexToUse)) {
           indexToUse = (tempIndexToUse ?? []).join();
         }
       }
 
       const alertsSearchResponse = await this.searchAlerts<TAggregations>({
-        featureIds,
+        ruleTypeIds,
+        consumers,
         query,
         aggs,
         _source,
@@ -1042,7 +1052,8 @@ export class AlertsClient {
    * Performs a `find` query to extract aggregations on alert groups
    */
   public async getGroupAggregations({
-    featureIds,
+    ruleTypeIds,
+    consumers,
     groupByField,
     aggregations,
     filters,
@@ -1051,9 +1062,15 @@ export class AlertsClient {
     sort = [{ unitsCount: { order: 'desc' } }],
   }: {
     /**
-     * The feature ids the alerts belong to, used for authorization
+     * The rule type IDs the alerts belong to.
+     * Used for filtering.
+     */
+    ruleTypeIds: string[];
+    /**
+     * The consumers the alerts belong to.
+     * Used for filtering.
      */
-    featureIds: string[];
+    consumers?: string[];
     /**
      * The field to group by
      * @example "kibana.alert.rule.name"
@@ -1093,9 +1110,10 @@ export class AlertsClient {
     }
     const searchResult = await this.find<
       never,
-      { groupByFields: AggregationsMultiBucketAggregateBase<{ key: string }> }
+      { groupByFields: estypes.AggregationsMultiBucketAggregateBase<{ key: string }> }
     >({
-      featureIds,
+      ruleTypeIds,
+      consumers,
       aggs: {
         groupByFields: {
           terms: {
@@ -1163,14 +1181,15 @@ export class AlertsClient {
     return searchResult;
   }
 
-  public async getAuthorizedAlertsIndices(featureIds: string[]): Promise<string[] | undefined> {
+  public async getAuthorizedAlertsIndices(ruleTypeIds?: string[]): Promise<string[] | undefined> {
     try {
-      const authorizedRuleTypes = await this.authorization.getAuthorizedRuleTypes(
-        AlertingAuthorizationEntity.Alert,
-        new Set(featureIds)
-      );
+      const authorizedRuleTypes = await this.authorization.getAllAuthorizedRuleTypesFindOperation({
+        authorizationEntity: AlertingAuthorizationEntity.Alert,
+        ruleTypeIds,
+      });
+
       const indices = this.getAlertIndicesAlias(
-        authorizedRuleTypes.map((art: { id: any }) => art.id),
+        Array.from(authorizedRuleTypes.keys()).map((id) => id),
         this.spaceId
       );
 
@@ -1182,48 +1201,13 @@ export class AlertsClient {
     }
   }
 
-  public async getFeatureIdsByRegistrationContexts(
-    RegistrationContexts: string[]
-  ): Promise<string[]> {
-    try {
-      const featureIds =
-        this.ruleDataService.findFeatureIdsByRegistrationContexts(RegistrationContexts);
-      if (featureIds.length > 0) {
-        // ATTENTION FUTURE DEVELOPER when you are a super user the augmentedRuleTypes.authorizedRuleTypes will
-        // return all of the features that you can access and does not care about your featureIds
-        const augmentedRuleTypes = await this.authorization.getAugmentedRuleTypesWithAuthorization(
-          featureIds,
-          [ReadOperations.Find, ReadOperations.Get, WriteOperations.Update],
-          AlertingAuthorizationEntity.Alert
-        );
-        // As long as the user can read a minimum of one type of rule type produced by the provided feature,
-        // the user should be provided that features' alerts index.
-        // Limiting which alerts that user can read on that index will be done via the findAuthorizationFilter
-        const authorizedFeatures = new Set<string>();
-        for (const ruleType of augmentedRuleTypes.authorizedRuleTypes) {
-          authorizedFeatures.add(ruleType.producer);
-        }
-        const validAuthorizedFeatures = Array.from(authorizedFeatures).filter(
-          (feature): feature is ValidFeatureId =>
-            featureIds.includes(feature) && isValidFeatureId(feature)
-        );
-        return validAuthorizedFeatures;
-      }
-      return featureIds;
-    } catch (exc) {
-      const errMessage = `getFeatureIdsByRegistrationContexts failed to get feature ids: ${exc}`;
-      this.logger.error(errMessage);
-      throw Boom.failedDependency(errMessage);
-    }
-  }
-
   public async getBrowserFields({
-    featureIds,
+    ruleTypeIds,
     indices,
     metaFields,
     allowNoIndex,
   }: {
-    featureIds: string[];
+    ruleTypeIds: string[];
     indices: string[];
     metaFields: string[];
     allowNoIndex: boolean;
@@ -1231,13 +1215,15 @@ export class AlertsClient {
     const indexPatternsFetcherAsInternalUser = new IndexPatternsFetcher(this.esClient);
     const ruleTypeList = this.getRuleList();
     const fieldsForAAD = new Set<string>();
-    for (const rule of ruleTypeList) {
-      if (featureIds.includes(rule.producer) && rule.hasFieldsForAAD) {
+
+    for (const rule of ruleTypeList.values()) {
+      if (ruleTypeIds.includes(rule.id) && rule.hasFieldsForAAD) {
         (rule.fieldsForAAD ?? []).forEach((f) => {
           fieldsForAAD.add(f);
         });
       }
     }
+
     const { fields } = await indexPatternsFetcherAsInternalUser.getFieldsForWildcard({
       pattern: indices,
       metaFields,
@@ -1252,11 +1238,12 @@ export class AlertsClient {
   }
 
   public async getAADFields({ ruleTypeId }: { ruleTypeId: string }) {
-    const { producer, fieldsForAAD = [] } = this.getRuleType(ruleTypeId);
-    if (producer === AlertConsumers.SIEM) {
+    const { fieldsForAAD = [] } = this.getRuleType(ruleTypeId);
+    if (isSiemRuleType(ruleTypeId)) {
       throw Boom.badRequest(`Security solution rule type is not supported`);
     }
-    const indices = await this.getAuthorizedAlertsIndices([producer]);
+
+    const indices = await this.getAuthorizedAlertsIndices([ruleTypeId]);
     const indexPatternsFetcherAsInternalUser = new IndexPatternsFetcher(this.esClient);
     const { fields = [] } = await indexPatternsFetcherAsInternalUser.getFieldsForWildcard({
       pattern: indices ?? [],
diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client_factory.test.ts b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client_factory.test.ts
index 367ead5744d55..8613f6135d30a 100644
--- a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client_factory.test.ts
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client_factory.test.ts
@@ -21,7 +21,7 @@ const alertingAuthMock = alertingAuthorizationMock.create();
 
 const alertsClientFactoryParams: AlertsClientFactoryProps = {
   logger: loggingSystemMock.create().get(),
-  getAlertingAuthorization: (_: KibanaRequest) => alertingAuthMock,
+  getAlertingAuthorization: (_: KibanaRequest) => Promise.resolve(alertingAuthMock),
   securityPluginSetup,
   esClient: {} as ElasticsearchClient,
   ruleDataService: ruleDataServiceMock.create(),
diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client_factory.ts b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client_factory.ts
index 934074cc4a2ed..91449954db61c 100644
--- a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client_factory.ts
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client_factory.ts
@@ -8,10 +8,7 @@
 import { PublicMethodsOf } from '@kbn/utility-types';
 import { ElasticsearchClient, KibanaRequest, Logger } from '@kbn/core/server';
 import type { RuleTypeRegistry } from '@kbn/alerting-plugin/server/types';
-import {
-  AlertingAuthorization,
-  PluginStartContract as AlertingStart,
-} from '@kbn/alerting-plugin/server';
+import { AlertingAuthorization, AlertingServerStart } from '@kbn/alerting-plugin/server';
 import { SecurityPluginSetup } from '@kbn/security-plugin/server';
 import { IRuleDataService } from '../rule_data_plugin_service';
 import { AlertsClient } from './alerts_client';
@@ -19,12 +16,14 @@ import { AlertsClient } from './alerts_client';
 export interface AlertsClientFactoryProps {
   logger: Logger;
   esClient: ElasticsearchClient;
-  getAlertingAuthorization: (request: KibanaRequest) => PublicMethodsOf<AlertingAuthorization>;
+  getAlertingAuthorization: (
+    request: KibanaRequest
+  ) => Promise<PublicMethodsOf<AlertingAuthorization>>;
   securityPluginSetup: SecurityPluginSetup | undefined;
   ruleDataService: IRuleDataService | null;
   getRuleType: RuleTypeRegistry['get'];
   getRuleList: RuleTypeRegistry['list'];
-  getAlertIndicesAlias: AlertingStart['getAlertIndicesAlias'];
+  getAlertIndicesAlias: AlertingServerStart['getAlertIndicesAlias'];
 }
 
 export class AlertsClientFactory {
@@ -33,12 +32,12 @@ export class AlertsClientFactory {
   private esClient!: ElasticsearchClient;
   private getAlertingAuthorization!: (
     request: KibanaRequest
-  ) => PublicMethodsOf<AlertingAuthorization>;
+  ) => Promise<PublicMethodsOf<AlertingAuthorization>>;
   private securityPluginSetup!: SecurityPluginSetup | undefined;
   private ruleDataService!: IRuleDataService | null;
   private getRuleType!: RuleTypeRegistry['get'];
   private getRuleList!: RuleTypeRegistry['list'];
-  private getAlertIndicesAlias!: AlertingStart['getAlertIndicesAlias'];
+  private getAlertIndicesAlias!: AlertingServerStart['getAlertIndicesAlias'];
 
   public initialize(options: AlertsClientFactoryProps) {
     /**
@@ -61,10 +60,11 @@ export class AlertsClientFactory {
 
   public async create(request: KibanaRequest): Promise<AlertsClient> {
     const { securityPluginSetup, getAlertingAuthorization, logger } = this;
+    const authorization = await getAlertingAuthorization(request);
 
     return new AlertsClient({
       logger,
-      authorization: getAlertingAuthorization(request),
+      authorization,
       auditLogger: securityPluginSetup?.audit.asScoped(request),
       esClient: this.esClient,
       ruleDataService: this.ruleDataService!,
diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/tests/bulk_update.test.ts b/x-pack/plugins/rule_registry/server/alert_data_client/tests/bulk_update.test.ts
index 28cd76ca6dffe..8d2e6cffa0cc5 100644
--- a/x-pack/plugins/rule_registry/server/alert_data_client/tests/bulk_update.test.ts
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/tests/bulk_update.test.ts
@@ -17,7 +17,6 @@ import { loggingSystemMock } from '@kbn/core/server/mocks';
 import { elasticsearchClientMock } from '@kbn/core-elasticsearch-client-server-mocks';
 import { alertingAuthorizationMock } from '@kbn/alerting-plugin/server/authorization/alerting_authorization.mock';
 import { auditLoggerMock } from '@kbn/security-plugin/server/audit/mocks';
-import { AlertingAuthorizationEntity } from '@kbn/alerting-plugin/server';
 import { ruleDataServiceMock } from '../../rule_data_plugin_service/rule_data_plugin_service.mock';
 
 const alertingAuthMock = alertingAuthorizationMock.create();
@@ -36,39 +35,38 @@ const alertsClientParams: jest.Mocked<ConstructorOptions> = {
 };
 
 const DEFAULT_SPACE = 'test_default_space_id';
+const authorizedRuleTypes = new Map([
+  [
+    'apm.error_rate',
+    {
+      producer: 'apm',
+      id: 'apm.error_rate',
+      alerts: {
+        context: 'observability.apm',
+      },
+      authorizedConsumers: {},
+    },
+  ],
+]);
 
 beforeEach(() => {
   jest.resetAllMocks();
-  alertingAuthMock.getSpaceId.mockImplementation(() => 'test_default_space_id');
-  // @ts-expect-error
-  alertingAuthMock.getAuthorizationFilter.mockImplementation(async () =>
-    Promise.resolve({ filter: [] })
-  );
-  // @ts-expect-error
-  alertingAuthMock.getAugmentedRuleTypesWithAuthorization.mockImplementation(async () => {
-    const authorizedRuleTypes = new Set();
-    authorizedRuleTypes.add({ producer: 'apm' });
-    return Promise.resolve({ authorizedRuleTypes });
+  alertingAuthMock.getSpaceId.mockImplementation(() => DEFAULT_SPACE);
+  alertingAuthMock.getAuthorizationFilter.mockResolvedValue({
+    filter: undefined,
+    ensureRuleTypeIsAuthorized: jest.fn(),
   });
-  alertingAuthMock.ensureAuthorized.mockImplementation(
-    // @ts-expect-error
-    async ({
-      ruleTypeId,
-      consumer,
-      operation,
-      entity,
-    }: {
-      ruleTypeId: string;
-      consumer: string;
-      operation: string;
-      entity: typeof AlertingAuthorizationEntity.Alert;
-    }) => {
-      if (ruleTypeId === 'apm.error_rate' && consumer === 'apm') {
-        return Promise.resolve();
-      }
-      return Promise.reject(new Error(`Unauthorized for ${ruleTypeId} and ${consumer}`));
+  alertingAuthMock.getAllAuthorizedRuleTypes.mockResolvedValue({
+    hasAllRequested: true,
+    authorizedRuleTypes,
+  });
+
+  alertingAuthMock.ensureAuthorized.mockImplementation(async ({ ruleTypeId, consumer }) => {
+    if (ruleTypeId === 'apm.error_rate' && consumer === 'apm') {
+      return Promise.resolve();
     }
-  );
+    return Promise.reject(new Error(`Unauthorized for ${ruleTypeId} and ${consumer}`));
+  });
 });
 
 const fakeAlertId = 'myfakeid1';
@@ -337,7 +335,7 @@ describe('bulkUpdate()', () => {
           })
         ).rejects.toThrowErrorMatchingInlineSnapshot(`
           "queryAndAuditAllAlerts threw an error: Unable to retrieve alerts with query \\"kibana.alert.status: active\\" and operation update 
-           Error: Unable to retrieve alert details for alert with id of \\"null\\" or with query \\"kibana.alert.status: active\\" and operation update 
+           Error: Unable to retrieve alert details for alert with id of \\"null\\" or with query \\"\\"kibana.alert.status: active\\"\\" and operation update 
           Error: Error: Unauthorized for fake.rule and apm"
         `);
 
@@ -404,7 +402,7 @@ describe('bulkUpdate()', () => {
           })
         ).rejects.toThrowErrorMatchingInlineSnapshot(`
           "queryAndAuditAllAlerts threw an error: Unable to retrieve alerts with query \\"kibana.alert.status: active\\" and operation update 
-           Error: Unable to retrieve alert details for alert with id of \\"null\\" or with query \\"kibana.alert.status: active\\" and operation update 
+           Error: Unable to retrieve alert details for alert with id of \\"null\\" or with query \\"\\"kibana.alert.status: active\\"\\" and operation update 
           Error: Error: Unauthorized for fake.rule and apm"
         `);
 
diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/tests/find_alerts.test.ts b/x-pack/plugins/rule_registry/server/alert_data_client/tests/find_alerts.test.ts
index 57e877f568cd9..c554ee4d61f99 100644
--- a/x-pack/plugins/rule_registry/server/alert_data_client/tests/find_alerts.test.ts
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/tests/find_alerts.test.ts
@@ -16,62 +16,107 @@ import { loggingSystemMock } from '@kbn/core/server/mocks';
 import { elasticsearchClientMock } from '@kbn/core-elasticsearch-client-server-mocks';
 import { alertingAuthorizationMock } from '@kbn/alerting-plugin/server/authorization/alerting_authorization.mock';
 import { auditLoggerMock } from '@kbn/security-plugin/server/audit/mocks';
-import { AlertingAuthorizationEntity } from '@kbn/alerting-plugin/server';
 import { ruleDataServiceMock } from '../../rule_data_plugin_service/rule_data_plugin_service.mock';
+import { JsonObject } from '@kbn/utility-types';
 
-const alertingAuthMock = alertingAuthorizationMock.create();
-const esClientMock = elasticsearchClientMock.createElasticsearchClient();
-const auditLogger = auditLoggerMock.create();
+describe('find()', () => {
+  const alertingAuthMock = alertingAuthorizationMock.create();
+  const esClientMock = elasticsearchClientMock.createElasticsearchClient();
+  const auditLogger = auditLoggerMock.create();
 
-const alertsClientParams: jest.Mocked<ConstructorOptions> = {
-  logger: loggingSystemMock.create().get(),
-  authorization: alertingAuthMock,
-  esClient: esClientMock,
-  auditLogger,
-  ruleDataService: ruleDataServiceMock.create(),
-  getRuleType: jest.fn(),
-  getRuleList: jest.fn(),
-  getAlertIndicesAlias: jest.fn(),
-};
+  const alertsClientParams: jest.Mocked<ConstructorOptions> = {
+    logger: loggingSystemMock.create().get(),
+    authorization: alertingAuthMock,
+    esClient: esClientMock,
+    auditLogger,
+    ruleDataService: ruleDataServiceMock.create(),
+    getRuleType: jest.fn(),
+    getRuleList: jest.fn(),
+    getAlertIndicesAlias: jest.fn(),
+  };
 
-const DEFAULT_SPACE = 'test_default_space_id';
+  const DEFAULT_SPACE = 'test_default_space_id';
+  const authorizedRuleTypes = new Map([
+    [
+      'apm.error_rate',
+      {
+        producer: 'apm',
+        id: 'apm.error_rate',
+        alerts: {
+          context: 'observability.apm',
+        },
+        authorizedConsumers: {},
+      },
+    ],
+  ]);
 
-beforeEach(() => {
-  jest.resetAllMocks();
-  alertingAuthMock.getSpaceId.mockImplementation(() => DEFAULT_SPACE);
-  // @ts-expect-error
-  alertingAuthMock.getAuthorizationFilter.mockImplementation(async () =>
-    Promise.resolve({ filter: [] })
-  );
-  // @ts-expect-error
-  alertingAuthMock.getAugmentedRuleTypesWithAuthorization.mockImplementation(async () => {
-    const authorizedRuleTypes = new Set();
-    authorizedRuleTypes.add({ producer: 'apm' });
-    return Promise.resolve({ authorizedRuleTypes });
-  });
+  const filter = {
+    bool: {
+      filter: [
+        {
+          bool: {
+            should: [
+              {
+                bool: {
+                  filter: [
+                    {
+                      bool: {
+                        should: [{ match: { 'kibana.alert.rule.rule_type_id': '.es-query' } }],
+                        minimum_should_match: 1,
+                      },
+                    },
+                    {
+                      bool: {
+                        should: [
+                          {
+                            bool: {
+                              should: [{ match: { 'kibana.alert.rule.consumer': 'stackAlerts' } }],
+                              minimum_should_match: 1,
+                            },
+                          },
+                          {
+                            bool: {
+                              should: [{ match: { 'kibana.alert.rule.consumer': 'alerts' } }],
+                              minimum_should_match: 1,
+                            },
+                          },
+                        ],
+                        minimum_should_match: 1,
+                      },
+                    },
+                  ],
+                },
+              },
+            ],
+            minimum_should_match: 1,
+          },
+        },
+        { term: { 'kibana.space_ids': 'default' } },
+        { terms: { 'kibana.alert.rule.rule_type_id': ['.es-query'] } },
+      ],
+    },
+  };
 
-  alertingAuthMock.ensureAuthorized.mockImplementation(
-    // @ts-expect-error
-    async ({
-      ruleTypeId,
-      consumer,
-      operation,
-      entity,
-    }: {
-      ruleTypeId: string;
-      consumer: string;
-      operation: string;
-      entity: typeof AlertingAuthorizationEntity.Alert;
-    }) => {
+  beforeEach(() => {
+    jest.resetAllMocks();
+    alertingAuthMock.getSpaceId.mockImplementation(() => DEFAULT_SPACE);
+    alertingAuthMock.getAuthorizationFilter.mockResolvedValue({
+      filter: filter as unknown as JsonObject,
+      ensureRuleTypeIsAuthorized: jest.fn(),
+    });
+    alertingAuthMock.getAllAuthorizedRuleTypes.mockResolvedValue({
+      hasAllRequested: true,
+      authorizedRuleTypes,
+    });
+
+    alertingAuthMock.ensureAuthorized.mockImplementation(async ({ ruleTypeId, consumer }) => {
       if (ruleTypeId === 'apm.error_rate' && consumer === 'apm') {
         return Promise.resolve();
       }
       return Promise.reject(new Error(`Unauthorized for ${ruleTypeId} and ${consumer}`));
-    }
-  );
-});
+    });
+  });
 
-describe('find()', () => {
   test('calls ES client with given params', async () => {
     const alertsClient = new AlertsClient(alertsClientParams);
     const searchAlertsSpy = jest.spyOn(alertsClient as any, 'searchAlerts');
@@ -111,19 +156,25 @@ describe('find()', () => {
     });
     const query = { match: { [ALERT_WORKFLOW_STATUS]: 'open' } };
     const index = '.alerts-observability.apm.alerts';
-    const featureIds = ['siem'];
+    const ruleTypeIds = ['siem.esqlRule', 'siem.eqlRule'];
+    const consumers = ['siem'];
+
     const result = await alertsClient.find({
       query,
       index,
-      featureIds,
+      ruleTypeIds,
+      consumers,
     });
+
     expect(searchAlertsSpy).toHaveBeenCalledWith(
       expect.objectContaining({
         query,
         index,
-        featureIds,
+        ruleTypeIds,
+        consumers,
       })
     );
+
     expect(result).toMatchInlineSnapshot(`
       Object {
         "_shards": Object {
@@ -176,12 +227,100 @@ describe('find()', () => {
             "query": Object {
               "bool": Object {
                 "filter": Array [
-                  Object {},
+                  Object {
+                    "bool": Object {
+                      "filter": Array [
+                        Object {
+                          "bool": Object {
+                            "minimum_should_match": 1,
+                            "should": Array [
+                              Object {
+                                "bool": Object {
+                                  "filter": Array [
+                                    Object {
+                                      "bool": Object {
+                                        "minimum_should_match": 1,
+                                        "should": Array [
+                                          Object {
+                                            "match": Object {
+                                              "kibana.alert.rule.rule_type_id": ".es-query",
+                                            },
+                                          },
+                                        ],
+                                      },
+                                    },
+                                    Object {
+                                      "bool": Object {
+                                        "minimum_should_match": 1,
+                                        "should": Array [
+                                          Object {
+                                            "bool": Object {
+                                              "minimum_should_match": 1,
+                                              "should": Array [
+                                                Object {
+                                                  "match": Object {
+                                                    "kibana.alert.rule.consumer": "stackAlerts",
+                                                  },
+                                                },
+                                              ],
+                                            },
+                                          },
+                                          Object {
+                                            "bool": Object {
+                                              "minimum_should_match": 1,
+                                              "should": Array [
+                                                Object {
+                                                  "match": Object {
+                                                    "kibana.alert.rule.consumer": "alerts",
+                                                  },
+                                                },
+                                              ],
+                                            },
+                                          },
+                                        ],
+                                      },
+                                    },
+                                  ],
+                                },
+                              },
+                            ],
+                          },
+                        },
+                        Object {
+                          "term": Object {
+                            "kibana.space_ids": "default",
+                          },
+                        },
+                        Object {
+                          "terms": Object {
+                            "kibana.alert.rule.rule_type_id": Array [
+                              ".es-query",
+                            ],
+                          },
+                        },
+                      ],
+                    },
+                  },
                   Object {
                     "term": Object {
                       "kibana.space_ids": "test_default_space_id",
                     },
                   },
+                  Object {
+                    "terms": Object {
+                      "kibana.alert.rule.rule_type_id": Array [
+                        "siem.esqlRule",
+                        "siem.eqlRule",
+                      ],
+                    },
+                  },
+                  Object {
+                    "terms": Object {
+                      "kibana.alert.rule.consumer": Array [
+                        "siem",
+                      ],
+                    },
+                  },
                 ],
                 "must": Array [
                   Object {
@@ -310,7 +449,80 @@ describe('find()', () => {
             "query": Object {
               "bool": Object {
                 "filter": Array [
-                  Object {},
+                  Object {
+                    "bool": Object {
+                      "filter": Array [
+                        Object {
+                          "bool": Object {
+                            "minimum_should_match": 1,
+                            "should": Array [
+                              Object {
+                                "bool": Object {
+                                  "filter": Array [
+                                    Object {
+                                      "bool": Object {
+                                        "minimum_should_match": 1,
+                                        "should": Array [
+                                          Object {
+                                            "match": Object {
+                                              "kibana.alert.rule.rule_type_id": ".es-query",
+                                            },
+                                          },
+                                        ],
+                                      },
+                                    },
+                                    Object {
+                                      "bool": Object {
+                                        "minimum_should_match": 1,
+                                        "should": Array [
+                                          Object {
+                                            "bool": Object {
+                                              "minimum_should_match": 1,
+                                              "should": Array [
+                                                Object {
+                                                  "match": Object {
+                                                    "kibana.alert.rule.consumer": "stackAlerts",
+                                                  },
+                                                },
+                                              ],
+                                            },
+                                          },
+                                          Object {
+                                            "bool": Object {
+                                              "minimum_should_match": 1,
+                                              "should": Array [
+                                                Object {
+                                                  "match": Object {
+                                                    "kibana.alert.rule.consumer": "alerts",
+                                                  },
+                                                },
+                                              ],
+                                            },
+                                          },
+                                        ],
+                                      },
+                                    },
+                                  ],
+                                },
+                              },
+                            ],
+                          },
+                        },
+                        Object {
+                          "term": Object {
+                            "kibana.space_ids": "default",
+                          },
+                        },
+                        Object {
+                          "terms": Object {
+                            "kibana.alert.rule.rule_type_id": Array [
+                              ".es-query",
+                            ],
+                          },
+                        },
+                      ],
+                    },
+                  },
                   Object {
                     "term": Object {
                       "kibana.space_ids": "test_default_space_id",
@@ -437,7 +649,7 @@ describe('find()', () => {
         index: '.alerts-observability.apm.alerts',
       })
     ).rejects.toThrowErrorMatchingInlineSnapshot(`
-      "Unable to retrieve alert details for alert with id of \\"undefined\\" or with query \\"[object Object]\\" and operation find 
+      "Unable to retrieve alert details for alert with id of \\"undefined\\" or with query \\"{\\"match\\":{\\"kibana.alert.workflow_status\\":\\"open\\"}}\\" and operation find 
       Error: Error: Unauthorized for fake.rule and apm"
     `);
 
@@ -467,7 +679,7 @@ describe('find()', () => {
         index: '.alerts-observability.apm.alerts',
       })
     ).rejects.toThrowErrorMatchingInlineSnapshot(`
-      "Unable to retrieve alert details for alert with id of \\"undefined\\" or with query \\"[object Object]\\" and operation find 
+      "Unable to retrieve alert details for alert with id of \\"undefined\\" or with query \\"{\\"match\\":{\\"kibana.alert.workflow_status\\":\\"open\\"}}\\" and operation find 
       Error: Error: something went wrong"
     `);
   });
diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/tests/get.test.ts b/x-pack/plugins/rule_registry/server/alert_data_client/tests/get.test.ts
index b48e68c3bf255..b0fcb505d95b6 100644
--- a/x-pack/plugins/rule_registry/server/alert_data_client/tests/get.test.ts
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/tests/get.test.ts
@@ -17,7 +17,6 @@ import { loggingSystemMock } from '@kbn/core/server/mocks';
 import { elasticsearchClientMock } from '@kbn/core-elasticsearch-client-server-mocks';
 import { alertingAuthorizationMock } from '@kbn/alerting-plugin/server/authorization/alerting_authorization.mock';
 import { auditLoggerMock } from '@kbn/security-plugin/server/audit/mocks';
-import { AlertingAuthorizationEntity } from '@kbn/alerting-plugin/server';
 import { ruleDataServiceMock } from '../../rule_data_plugin_service/rule_data_plugin_service.mock';
 
 const alertingAuthMock = alertingAuthorizationMock.create();
@@ -36,41 +35,38 @@ const alertsClientParams: jest.Mocked<ConstructorOptions> = {
 };
 
 const DEFAULT_SPACE = 'test_default_space_id';
+const authorizedRuleTypes = new Map([
+  [
+    'apm.error_rate',
+    {
+      producer: 'apm',
+      id: 'apm.error_rate',
+      alerts: {
+        context: 'observability.apm',
+      },
+      authorizedConsumers: {},
+    },
+  ],
+]);
 
 beforeEach(() => {
   jest.resetAllMocks();
   alertingAuthMock.getSpaceId.mockImplementation(() => DEFAULT_SPACE);
-  // @ts-expect-error
-  alertingAuthMock.getAuthorizationFilter.mockImplementation(async () =>
-    Promise.resolve({ filter: [] })
-  );
-
-  // @ts-expect-error
-  alertingAuthMock.getAugmentedRuleTypesWithAuthorization.mockImplementation(async () => {
-    const authorizedRuleTypes = new Set();
-    authorizedRuleTypes.add({ producer: 'apm' });
-    return Promise.resolve({ authorizedRuleTypes });
+  alertingAuthMock.getAuthorizationFilter.mockResolvedValue({
+    filter: undefined,
+    ensureRuleTypeIsAuthorized: jest.fn(),
+  });
+  alertingAuthMock.getAllAuthorizedRuleTypes.mockResolvedValue({
+    hasAllRequested: true,
+    authorizedRuleTypes,
   });
 
-  alertingAuthMock.ensureAuthorized.mockImplementation(
-    // @ts-expect-error
-    async ({
-      ruleTypeId,
-      consumer,
-      operation,
-      entity,
-    }: {
-      ruleTypeId: string;
-      consumer: string;
-      operation: string;
-      entity: typeof AlertingAuthorizationEntity.Alert;
-    }) => {
-      if (ruleTypeId === 'apm.error_rate' && consumer === 'apm') {
-        return Promise.resolve();
-      }
-      return Promise.reject(new Error(`Unauthorized for ${ruleTypeId} and ${consumer}`));
+  alertingAuthMock.ensureAuthorized.mockImplementation(async ({ ruleTypeId, consumer }) => {
+    if (ruleTypeId === 'apm.error_rate' && consumer === 'apm') {
+      return Promise.resolve();
     }
-  );
+    return Promise.reject(new Error(`Unauthorized for ${ruleTypeId} and ${consumer}`));
+  });
 });
 
 describe('get()', () => {
@@ -150,7 +146,6 @@ describe('get()', () => {
                       ],
                     },
                   },
-                  Object {},
                   Object {
                     "term": Object {
                       "kibana.space_ids": "test_default_space_id",
diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/tests/get_aad_fields.test.ts b/x-pack/plugins/rule_registry/server/alert_data_client/tests/get_aad_fields.test.ts
index 777b3d3e26742..0a7b11e2be9b0 100644
--- a/x-pack/plugins/rule_registry/server/alert_data_client/tests/get_aad_fields.test.ts
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/tests/get_aad_fields.test.ts
@@ -5,7 +5,6 @@
  * 2.0.
  */
 
-import { AlertConsumers } from '@kbn/rule-data-utils';
 import { AlertsClient, ConstructorOptions } from '../alerts_client';
 import { loggingSystemMock } from '@kbn/core/server/mocks';
 import { elasticsearchClientMock } from '@kbn/core-elasticsearch-client-server-mocks';
@@ -38,13 +37,12 @@ beforeEach(() => {
 describe('getAADFields()', () => {
   test('should throw an error when a rule type belong to security solution', async () => {
     getRuleTypeMock.mockImplementation(() => ({
-      producer: AlertConsumers.SIEM,
       fieldsForAAD: [],
     }));
     const alertsClient = new AlertsClient(alertsClientParams);
 
     await expect(
-      alertsClient.getAADFields({ ruleTypeId: 'security-type' })
+      alertsClient.getAADFields({ ruleTypeId: 'siem.esqlRule' })
     ).rejects.toThrowErrorMatchingInlineSnapshot(`"Security solution rule type is not supported"`);
   });
 });
diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/tests/get_alerts_group_aggregations.test.ts b/x-pack/plugins/rule_registry/server/alert_data_client/tests/get_alerts_group_aggregations.test.ts
index c351de1283c2b..2bcafffdeebab 100644
--- a/x-pack/plugins/rule_registry/server/alert_data_client/tests/get_alerts_group_aggregations.test.ts
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/tests/get_alerts_group_aggregations.test.ts
@@ -5,13 +5,11 @@
  * 2.0.
  */
 
-import { AlertConsumers } from '@kbn/rule-data-utils';
 import { AlertsClient, ConstructorOptions } from '../alerts_client';
 import { loggingSystemMock } from '@kbn/core/server/mocks';
 import { elasticsearchClientMock } from '@kbn/core-elasticsearch-client-server-mocks';
 import { alertingAuthorizationMock } from '@kbn/alerting-plugin/server/authorization/alerting_authorization.mock';
 import { auditLoggerMock } from '@kbn/security-plugin/server/audit/mocks';
-import { AlertingAuthorizationEntity } from '@kbn/alerting-plugin/server';
 import { ruleDataServiceMock } from '../../rule_data_plugin_service/rule_data_plugin_service.mock';
 import { DEFAULT_ALERTS_GROUP_BY_FIELD_SIZE, MAX_ALERTS_GROUPING_QUERY_SIZE } from '../constants';
 
@@ -33,40 +31,38 @@ const alertsClientParams: jest.Mocked<ConstructorOptions> = {
 };
 
 const DEFAULT_SPACE = 'test_default_space_id';
+const authorizedRuleTypes = new Map([
+  [
+    'apm.error_rate',
+    {
+      producer: 'apm',
+      id: 'apm.error_rate',
+      alerts: {
+        context: 'observability.apm',
+      },
+      authorizedConsumers: {},
+    },
+  ],
+]);
 
 beforeEach(() => {
   jest.resetAllMocks();
   alertingAuthMock.getSpaceId.mockImplementation(() => DEFAULT_SPACE);
-  // @ts-expect-error
-  alertingAuthMock.getAuthorizationFilter.mockImplementation(async () =>
-    Promise.resolve({ filter: [] })
-  );
-  // @ts-expect-error
-  alertingAuthMock.getAugmentedRuleTypesWithAuthorization.mockImplementation(async () => {
-    const authorizedRuleTypes = new Set();
-    authorizedRuleTypes.add({ producer: 'apm' });
-    return Promise.resolve({ authorizedRuleTypes });
+  alertingAuthMock.getAuthorizationFilter.mockResolvedValue({
+    filter: undefined,
+    ensureRuleTypeIsAuthorized: jest.fn(),
+  });
+  alertingAuthMock.getAllAuthorizedRuleTypes.mockResolvedValue({
+    hasAllRequested: true,
+    authorizedRuleTypes,
   });
 
-  alertingAuthMock.ensureAuthorized.mockImplementation(
-    // @ts-expect-error
-    async ({
-      ruleTypeId,
-      consumer,
-      operation,
-      entity,
-    }: {
-      ruleTypeId: string;
-      consumer: string;
-      operation: string;
-      entity: typeof AlertingAuthorizationEntity.Alert;
-    }) => {
-      if (ruleTypeId === 'apm.error_rate' && consumer === 'apm') {
-        return Promise.resolve();
-      }
-      return Promise.reject(new Error(`Unauthorized for ${ruleTypeId} and ${consumer}`));
+  alertingAuthMock.ensureAuthorized.mockImplementation(async ({ ruleTypeId, consumer }) => {
+    if (ruleTypeId === 'apm.error_rate' && consumer === 'apm') {
+      return Promise.resolve();
     }
-  );
+    return Promise.reject(new Error(`Unauthorized for ${ruleTypeId} and ${consumer}`));
+  });
 });
 
 describe('getGroupAggregations()', () => {
@@ -74,7 +70,9 @@ describe('getGroupAggregations()', () => {
     const alertsClient = new AlertsClient(alertsClientParams);
     alertsClient.find = jest.fn().mockResolvedValue({ aggregations: {} });
 
-    const featureIds = [AlertConsumers.STACK_ALERTS];
+    const ruleTypeIds = ['.es-query'];
+    const consumers = ['stackAlerts'];
+
     const groupByField = 'kibana.alert.rule.name';
     const aggregations = {
       usersCount: {
@@ -86,7 +84,8 @@ describe('getGroupAggregations()', () => {
     const filters = [{ range: { '@timestamp': { gte: 'now-1d/d', lte: 'now/d' } } }];
 
     await alertsClient.getGroupAggregations({
-      featureIds,
+      ruleTypeIds,
+      consumers,
       groupByField,
       aggregations,
       filters,
@@ -95,7 +94,8 @@ describe('getGroupAggregations()', () => {
     });
 
     expect(alertsClient.find).toHaveBeenCalledWith({
-      featureIds,
+      ruleTypeIds,
+      consumers,
       aggs: {
         groupByFields: {
           terms: {
@@ -157,7 +157,7 @@ describe('getGroupAggregations()', () => {
     });
 
     const result = await alertsClient.getGroupAggregations({
-      featureIds: [AlertConsumers.STACK_ALERTS],
+      ruleTypeIds: ['.es-query'],
       groupByField: 'kibana.alert.rule.name',
       aggregations: {},
       filters: [],
@@ -176,7 +176,7 @@ describe('getGroupAggregations()', () => {
 
     await expect(() =>
       alertsClient.getGroupAggregations({
-        featureIds: ['apm', 'infrastructure', 'logs', 'observability', 'slo', 'uptime'],
+        ruleTypeIds: ['apm', 'infrastructure', 'logs', 'observability', 'slo', 'uptime'],
         groupByField: 'kibana.alert.rule.name',
         pageIndex: 101,
         pageSize: 50,
@@ -186,7 +186,7 @@ describe('getGroupAggregations()', () => {
     );
     await expect(() =>
       alertsClient.getGroupAggregations({
-        featureIds: ['apm', 'infrastructure', 'logs', 'observability', 'slo', 'uptime'],
+        ruleTypeIds: ['apm', 'infrastructure', 'logs', 'observability', 'slo', 'uptime'],
         groupByField: 'kibana.alert.rule.name',
         pageIndex: 10,
         pageSize: 5000,
diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/tests/get_alerts_summary.test.ts b/x-pack/plugins/rule_registry/server/alert_data_client/tests/get_alerts_summary.test.ts
new file mode 100644
index 0000000000000..deb3b82058843
--- /dev/null
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/tests/get_alerts_summary.test.ts
@@ -0,0 +1,311 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { AlertsClient, ConstructorOptions } from '../alerts_client';
+import { loggingSystemMock } from '@kbn/core/server/mocks';
+import { elasticsearchClientMock } from '@kbn/core-elasticsearch-client-server-mocks';
+import { alertingAuthorizationMock } from '@kbn/alerting-plugin/server/authorization/alerting_authorization.mock';
+import { auditLoggerMock } from '@kbn/security-plugin/server/audit/mocks';
+import { ruleDataServiceMock } from '../../rule_data_plugin_service/rule_data_plugin_service.mock';
+import { JsonObject } from '@kbn/utility-types';
+
+jest.mock('uuid', () => ({ v4: () => 'unique-value' }));
+
+const alertingAuthMock = alertingAuthorizationMock.create();
+const esClientMock = elasticsearchClientMock.createElasticsearchClient();
+const auditLogger = auditLoggerMock.create();
+
+const alertsClientParams: jest.Mocked<ConstructorOptions> = {
+  logger: loggingSystemMock.create().get(),
+  authorization: alertingAuthMock,
+  esClient: esClientMock,
+  auditLogger,
+  ruleDataService: ruleDataServiceMock.create(),
+  getRuleType: jest.fn(),
+  getRuleList: jest.fn(),
+  getAlertIndicesAlias: jest.fn().mockReturnValue(['stack-index']),
+};
+
+const DEFAULT_SPACE = 'test_default_space_id';
+const authorizedRuleTypes = new Map([
+  [
+    '.es-query',
+    {
+      producer: 'stackAlerts',
+      id: '.es-query',
+      alerts: {
+        context: 'stack',
+      },
+      authorizedConsumers: {},
+    },
+  ],
+]);
+
+const filter = {
+  bool: {
+    filter: [
+      {
+        bool: {
+          should: [
+            {
+              bool: {
+                filter: [
+                  {
+                    bool: {
+                      should: [{ match: { 'kibana.alert.rule.rule_type_id': '.es-query' } }],
+                      minimum_should_match: 1,
+                    },
+                  },
+                  {
+                    bool: {
+                      should: [
+                        {
+                          bool: {
+                            should: [{ match: { 'kibana.alert.rule.consumer': 'stackAlerts' } }],
+                            minimum_should_match: 1,
+                          },
+                        },
+                        {
+                          bool: {
+                            should: [{ match: { 'kibana.alert.rule.consumer': 'alerts' } }],
+                            minimum_should_match: 1,
+                          },
+                        },
+                      ],
+                      minimum_should_match: 1,
+                    },
+                  },
+                ],
+              },
+            },
+          ],
+          minimum_should_match: 1,
+        },
+      },
+      { term: { 'kibana.space_ids': 'default' } },
+      { terms: { 'kibana.alert.rule.rule_type_id': ['.es-query'] } },
+    ],
+  },
+};
+
+describe('getAlertSummary()', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+    alertingAuthMock.getSpaceId.mockImplementation(() => DEFAULT_SPACE);
+    alertingAuthMock.getAllAuthorizedRuleTypesFindOperation.mockResolvedValue(authorizedRuleTypes);
+    alertingAuthMock.getAuthorizationFilter.mockResolvedValue({
+      filter: filter as unknown as JsonObject,
+      ensureRuleTypeIsAuthorized: jest.fn(),
+    });
+  });
+
+  test('calls find() with the correct params', async () => {
+    const alertsClient = new AlertsClient(alertsClientParams) as jest.Mocked<AlertsClient>;
+    alertsClient.find = jest.fn().mockResolvedValue({ aggregations: {} });
+
+    const ruleTypeIds = ['.es-query'];
+    const consumers = ['stackAlerts'];
+
+    await alertsClient.getAlertSummary({
+      gte: 'now-1d/d',
+      lte: 'now/d',
+      ruleTypeIds,
+      consumers,
+    });
+
+    expect(esClientMock.search.mock.calls).toMatchInlineSnapshot(`
+      Array [
+        Array [
+          Object {
+            "body": Object {
+              "_source": undefined,
+              "aggs": Object {
+                "active_alerts_bucket": Object {
+                  "date_histogram": Object {
+                    "extended_bounds": Object {
+                      "max": "now/d",
+                      "min": "now-1d/d",
+                    },
+                    "field": "kibana.alert.time_range",
+                    "fixed_interval": "1m",
+                    "hard_bounds": Object {
+                      "max": "now/d",
+                      "min": "now-1d/d",
+                    },
+                    "min_doc_count": 0,
+                  },
+                },
+                "count": Object {
+                  "terms": Object {
+                    "field": "kibana.alert.status",
+                  },
+                },
+                "recovered_alerts": Object {
+                  "aggs": Object {
+                    "container": Object {
+                      "date_histogram": Object {
+                        "extended_bounds": Object {
+                          "max": "now/d",
+                          "min": "now-1d/d",
+                        },
+                        "field": "kibana.alert.end",
+                        "fixed_interval": "1m",
+                        "min_doc_count": 0,
+                      },
+                    },
+                  },
+                  "filter": Object {
+                    "term": Object {
+                      "kibana.alert.status": "recovered",
+                    },
+                  },
+                },
+              },
+              "fields": Array [
+                "kibana.alert.rule.rule_type_id",
+                "kibana.alert.rule.consumer",
+                "kibana.alert.workflow_status",
+                "kibana.space_ids",
+              ],
+              "query": Object {
+                "bool": Object {
+                  "filter": Array [
+                    Object {
+                      "bool": Object {
+                        "filter": Array [
+                          Object {
+                            "bool": Object {
+                              "minimum_should_match": 1,
+                              "should": Array [
+                                Object {
+                                  "bool": Object {
+                                    "filter": Array [
+                                      Object {
+                                        "bool": Object {
+                                          "minimum_should_match": 1,
+                                          "should": Array [
+                                            Object {
+                                              "match": Object {
+                                                "kibana.alert.rule.rule_type_id": ".es-query",
+                                              },
+                                            },
+                                          ],
+                                        },
+                                      },
+                                      Object {
+                                        "bool": Object {
+                                          "minimum_should_match": 1,
+                                          "should": Array [
+                                            Object {
+                                              "bool": Object {
+                                                "minimum_should_match": 1,
+                                                "should": Array [
+                                                  Object {
+                                                    "match": Object {
+                                                      "kibana.alert.rule.consumer": "stackAlerts",
+                                                    },
+                                                  },
+                                                ],
+                                              },
+                                            },
+                                            Object {
+                                              "bool": Object {
+                                                "minimum_should_match": 1,
+                                                "should": Array [
+                                                  Object {
+                                                    "match": Object {
+                                                      "kibana.alert.rule.consumer": "alerts",
+                                                    },
+                                                  },
+                                                ],
+                                              },
+                                            },
+                                          ],
+                                        },
+                                      },
+                                    ],
+                                  },
+                                },
+                              ],
+                            },
+                          },
+                          Object {
+                            "term": Object {
+                              "kibana.space_ids": "default",
+                            },
+                          },
+                          Object {
+                            "terms": Object {
+                              "kibana.alert.rule.rule_type_id": Array [
+                                ".es-query",
+                              ],
+                            },
+                          },
+                        ],
+                      },
+                    },
+                    Object {
+                      "term": Object {
+                        "kibana.space_ids": "test_default_space_id",
+                      },
+                    },
+                    Object {
+                      "terms": Object {
+                        "kibana.alert.rule.rule_type_id": Array [
+                          ".es-query",
+                        ],
+                      },
+                    },
+                    Object {
+                      "terms": Object {
+                        "kibana.alert.rule.consumer": Array [
+                          "stackAlerts",
+                        ],
+                      },
+                    },
+                  ],
+                  "must": Array [
+                    Object {
+                      "bool": Object {
+                        "filter": Array [
+                          Object {
+                            "range": Object {
+                              "kibana.alert.time_range": Object {
+                                "gt": "now-1d/d",
+                                "lt": "now/d",
+                              },
+                            },
+                          },
+                        ],
+                      },
+                    },
+                  ],
+                  "must_not": Array [],
+                  "should": Array [],
+                },
+              },
+              "runtime_mappings": undefined,
+              "size": 0,
+              "sort": Array [
+                Object {
+                  "@timestamp": Object {
+                    "order": "asc",
+                    "unmapped_type": "date",
+                  },
+                },
+              ],
+              "track_total_hits": undefined,
+            },
+            "ignore_unavailable": true,
+            "index": "stack-index",
+            "seq_no_primary_term": true,
+          },
+        ],
+      ]
+    `);
+  });
+});
diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/tests/update.test.ts b/x-pack/plugins/rule_registry/server/alert_data_client/tests/update.test.ts
index bd6a1b2695cd1..4b9587b8e0ca1 100644
--- a/x-pack/plugins/rule_registry/server/alert_data_client/tests/update.test.ts
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/tests/update.test.ts
@@ -16,7 +16,6 @@ import { loggingSystemMock } from '@kbn/core/server/mocks';
 import { elasticsearchClientMock } from '@kbn/core-elasticsearch-client-server-mocks';
 import { alertingAuthorizationMock } from '@kbn/alerting-plugin/server/authorization/alerting_authorization.mock';
 import { auditLoggerMock } from '@kbn/security-plugin/server/audit/mocks';
-import { AlertingAuthorizationEntity } from '@kbn/alerting-plugin/server';
 import { ruleDataServiceMock } from '../../rule_data_plugin_service/rule_data_plugin_service.mock';
 
 const alertingAuthMock = alertingAuthorizationMock.create();
@@ -35,41 +34,38 @@ const alertsClientParams: jest.Mocked<ConstructorOptions> = {
 };
 
 const DEFAULT_SPACE = 'test_default_space_id';
+const authorizedRuleTypes = new Map([
+  [
+    'apm.error_rate',
+    {
+      producer: 'apm',
+      id: 'apm.error_rate',
+      alerts: {
+        context: 'observability.apm',
+      },
+      authorizedConsumers: {},
+    },
+  ],
+]);
 
 beforeEach(() => {
   jest.resetAllMocks();
   alertingAuthMock.getSpaceId.mockImplementation(() => DEFAULT_SPACE);
-  // @ts-expect-error
-  alertingAuthMock.getAuthorizationFilter.mockImplementation(async () =>
-    Promise.resolve({ filter: [] })
-  );
-
-  // @ts-expect-error
-  alertingAuthMock.getAugmentedRuleTypesWithAuthorization.mockImplementation(async () => {
-    const authorizedRuleTypes = new Set();
-    authorizedRuleTypes.add({ producer: 'apm' });
-    return Promise.resolve({ authorizedRuleTypes });
+  alertingAuthMock.getAuthorizationFilter.mockResolvedValue({
+    filter: undefined,
+    ensureRuleTypeIsAuthorized: jest.fn(),
+  });
+  alertingAuthMock.getAllAuthorizedRuleTypes.mockResolvedValue({
+    hasAllRequested: true,
+    authorizedRuleTypes,
   });
 
-  alertingAuthMock.ensureAuthorized.mockImplementation(
-    // @ts-expect-error
-    async ({
-      ruleTypeId,
-      consumer,
-      operation,
-      entity,
-    }: {
-      ruleTypeId: string;
-      consumer: string;
-      operation: string;
-      entity: typeof AlertingAuthorizationEntity.Alert;
-    }) => {
-      if (ruleTypeId === 'apm.error_rate' && consumer === 'apm') {
-        return Promise.resolve();
-      }
-      return Promise.reject(new Error(`Unauthorized for ${ruleTypeId} and ${consumer}`));
+  alertingAuthMock.ensureAuthorized.mockImplementation(async ({ ruleTypeId, consumer }) => {
+    if (ruleTypeId === 'apm.error_rate' && consumer === 'apm') {
+      return Promise.resolve();
     }
-  );
+    return Promise.reject(new Error(`Unauthorized for ${ruleTypeId} and ${consumer}`));
+  });
 });
 
 describe('update()', () => {
diff --git a/x-pack/plugins/rule_registry/server/lib/get_authz_filter.ts b/x-pack/plugins/rule_registry/server/lib/get_authz_filter.ts
index e1524b99f88d9..58ea503aa6ed4 100644
--- a/x-pack/plugins/rule_registry/server/lib/get_authz_filter.ts
+++ b/x-pack/plugins/rule_registry/server/lib/get_authz_filter.ts
@@ -19,17 +19,15 @@ import {
 
 export async function getAuthzFilter(
   authorization: PublicMethodsOf<AlertingAuthorization>,
-  operation: WriteOperations.Update | ReadOperations.Get | ReadOperations.Find,
-  featuresIds?: Set<string>
+  operation: WriteOperations.Update | ReadOperations.Get | ReadOperations.Find
 ) {
-  const { filter } = await authorization.getAuthorizationFilter(
-    AlertingAuthorizationEntity.Alert,
-    {
+  const { filter } = await authorization.getAuthorizationFilter({
+    authorizationEntity: AlertingAuthorizationEntity.Alert,
+    filterOpts: {
       type: AlertingAuthorizationFilterType.ESDSL,
       fieldNames: { consumer: ALERT_RULE_CONSUMER, ruleTypeId: ALERT_RULE_TYPE_ID },
     },
     operation,
-    featuresIds
-  );
+  });
   return filter;
 }
diff --git a/x-pack/plugins/rule_registry/server/lib/get_consumers_filter.test.tsx b/x-pack/plugins/rule_registry/server/lib/get_consumers_filter.test.tsx
new file mode 100644
index 0000000000000..600177e1c33ea
--- /dev/null
+++ b/x-pack/plugins/rule_registry/server/lib/get_consumers_filter.test.tsx
@@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { getConsumersFilter } from './get_consumers_filter';
+
+describe('getConsumersFilter()', () => {
+  it('should return a consumers filter', () => {
+    expect(getConsumersFilter(['foo', 'bar'])).toStrictEqual({
+      terms: {
+        'kibana.alert.rule.consumer': ['foo', 'bar'],
+      },
+    });
+  });
+
+  it('should return undefined if no consumers are provided', () => {
+    expect(getConsumersFilter()).toBeUndefined();
+  });
+
+  it('should return undefined if an empty array is provided', () => {
+    expect(getConsumersFilter([])).toBeUndefined();
+  });
+});
diff --git a/x-pack/plugins/rule_registry/server/lib/get_consumers_filter.tsx b/x-pack/plugins/rule_registry/server/lib/get_consumers_filter.tsx
new file mode 100644
index 0000000000000..c5089416b7ef5
--- /dev/null
+++ b/x-pack/plugins/rule_registry/server/lib/get_consumers_filter.tsx
@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { ALERT_RULE_CONSUMER } from '../../common/technical_rule_data_field_names';
+
+export function getConsumersFilter(consumers?: string[]) {
+  return consumers && consumers.length > 0
+    ? { terms: { [ALERT_RULE_CONSUMER]: consumers } }
+    : undefined;
+}
diff --git a/x-pack/plugins/rule_registry/server/lib/get_rule_type_ids_filter.test.tsx b/x-pack/plugins/rule_registry/server/lib/get_rule_type_ids_filter.test.tsx
new file mode 100644
index 0000000000000..7254f25256c2f
--- /dev/null
+++ b/x-pack/plugins/rule_registry/server/lib/get_rule_type_ids_filter.test.tsx
@@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { getRuleTypeIdsFilter } from './get_rule_type_ids_filter';
+
+describe('getRuleTypeIdsFilter()', () => {
+  it('should return a rule type ids filter', () => {
+    expect(getRuleTypeIdsFilter(['foo', 'bar'])).toStrictEqual({
+      terms: {
+        'kibana.alert.rule.rule_type_id': ['foo', 'bar'],
+      },
+    });
+  });
+
+  it('should return undefined if no rule type ids are provided', () => {
+    expect(getRuleTypeIdsFilter()).toBeUndefined();
+  });
+
+  it('should return undefined if an empty array is provided', () => {
+    expect(getRuleTypeIdsFilter([])).toBeUndefined();
+  });
+});
diff --git a/x-pack/plugins/rule_registry/server/lib/get_rule_type_ids_filter.tsx b/x-pack/plugins/rule_registry/server/lib/get_rule_type_ids_filter.tsx
new file mode 100644
index 0000000000000..f204d6d17acff
--- /dev/null
+++ b/x-pack/plugins/rule_registry/server/lib/get_rule_type_ids_filter.tsx
@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { ALERT_RULE_TYPE_ID } from '../../common/technical_rule_data_field_names';
+
+export function getRuleTypeIdsFilter(ruleTypeIds?: string[]) {
+  return ruleTypeIds && ruleTypeIds.length > 0
+    ? { terms: { [ALERT_RULE_TYPE_ID]: ruleTypeIds } }
+    : undefined;
+}
diff --git a/x-pack/plugins/rule_registry/server/plugin.ts b/x-pack/plugins/rule_registry/server/plugin.ts
index 60ee2256ae377..ae1159843b170 100644
--- a/x-pack/plugins/rule_registry/server/plugin.ts
+++ b/x-pack/plugins/rule_registry/server/plugin.ts
@@ -18,10 +18,7 @@ import {
   ServiceStatusLevels,
 } from '@kbn/core/server';
 
-import type {
-  PluginSetupContract as AlertingSetup,
-  PluginStartContract as AlertingStart,
-} from '@kbn/alerting-plugin/server';
+import type { AlertingServerSetup, AlertingServerStart } from '@kbn/alerting-plugin/server';
 import type { SecurityPluginSetup } from '@kbn/security-plugin/server';
 import type { SpacesPluginStart } from '@kbn/spaces-plugin/server';
 import type {
@@ -40,11 +37,11 @@ import { ruleRegistrySearchStrategyProvider, RULE_SEARCH_STRATEGY_NAME } from '.
 export interface RuleRegistryPluginSetupDependencies {
   security?: SecurityPluginSetup;
   data: DataPluginSetup;
-  alerting: AlertingSetup;
+  alerting: AlertingServerSetup;
 }
 
 export interface RuleRegistryPluginStartDependencies {
-  alerting: AlertingStart;
+  alerting: AlertingServerStart;
   data: DataPluginStart;
   spaces?: SpacesPluginStart;
 }
@@ -56,7 +53,7 @@ export interface RuleRegistryPluginSetupContract {
 
 export interface RuleRegistryPluginStartContract {
   getRacClientWithRequest: (req: KibanaRequest) => Promise<AlertsClient>;
-  alerting: AlertingStart;
+  alerting: AlertingServerStart;
 }
 
 export class RuleRegistryPlugin
@@ -165,7 +162,7 @@ export class RuleRegistryPlugin
       logger,
       esClient: core.elasticsearch.client.asInternalUser,
       // NOTE: Alerts share the authorization client with the alerting plugin
-      getAlertingAuthorization(request: KibanaRequest) {
+      async getAlertingAuthorization(request: KibanaRequest) {
         return plugins.alerting.getAlertingAuthorizationWithRequest(request);
       },
       securityPluginSetup: security,
@@ -175,7 +172,7 @@ export class RuleRegistryPlugin
       getAlertIndicesAlias: plugins.alerting.getAlertIndicesAlias,
     });
 
-    const getRacClientWithRequest = (request: KibanaRequest) => {
+    const getRacClientWithRequest = async (request: KibanaRequest) => {
       return alertsClientFactory.create(request);
     };
 
@@ -190,7 +187,7 @@ export class RuleRegistryPlugin
     return function alertsRouteHandlerContext(context, request): RacApiRequestHandlerContext {
       return {
         getAlertsClient: async () => {
-          const createdClient = alertsClientFactory.create(request);
+          const createdClient = await alertsClientFactory.create(request);
           return createdClient;
         },
       };
diff --git a/x-pack/plugins/rule_registry/server/routes/__mocks__/request_responses.ts b/x-pack/plugins/rule_registry/server/routes/__mocks__/request_responses.ts
index d3857c4c49f17..7f214c95b0fcc 100644
--- a/x-pack/plugins/rule_registry/server/routes/__mocks__/request_responses.ts
+++ b/x-pack/plugins/rule_registry/server/routes/__mocks__/request_responses.ts
@@ -12,7 +12,7 @@ export const getReadIndexRequest = () =>
   requestMock.create({
     method: 'get',
     path: `${BASE_RAC_ALERTS_API_PATH}/index`,
-    query: { features: 'siem' },
+    query: { ruleTypeIds: 'siem.esqlRule' },
   });
 
 export const getReadRequest = () =>
@@ -33,18 +33,18 @@ export const getUpdateRequest = () =>
     },
   });
 
-export const getReadFeatureIdsRequest = () =>
+export const getFindRequest = () =>
   requestMock.create({
-    method: 'get',
-    path: `${BASE_RAC_ALERTS_API_PATH}/_feature_ids`,
-    query: { registrationContext: ['security'] },
+    method: 'post',
+    path: `${BASE_RAC_ALERTS_API_PATH}/find`,
+    body: { rule_type_ids: ['siem.esqlRule'], consumers: ['siem'] },
   });
 
 export const getO11yBrowserFields = () =>
   requestMock.create({
     method: 'get',
     path: `${BASE_RAC_ALERTS_API_PATH}/browser_fields`,
-    query: { featureIds: ['apm', 'logs'] },
+    query: { ruleTypeIds: ['apm.anomaly', 'logs.alert.document.count'] },
   });
 
 export const getMetricThresholdAADFields = () =>
@@ -59,7 +59,14 @@ export const getAlertsGroupAggregationsRequest = () =>
     method: 'post',
     path: `${BASE_RAC_ALERTS_API_PATH}/_group_aggregations`,
     body: {
-      featureIds: ['apm', 'infrastructure', 'logs', 'observability', 'slo', 'uptime'],
+      ruleTypeIds: [
+        'apm.anomaly',
+        'logs.alert.document.count',
+        'metrics.alert.threshold',
+        'slo.rules.burnRate',
+        'xpack.uptime.alerts.durationAnomaly',
+      ],
+      consumers: ['apm'],
       groupByField: 'kibana.alert.rule.name',
       aggregations: {
         unitsCount: {
diff --git a/x-pack/plugins/rule_registry/server/routes/__mocks__/response_adapters.ts b/x-pack/plugins/rule_registry/server/routes/__mocks__/response_adapters.ts
index 6afba9e232c5e..1fef218202f2d 100644
--- a/x-pack/plugins/rule_registry/server/routes/__mocks__/response_adapters.ts
+++ b/x-pack/plugins/rule_registry/server/routes/__mocks__/response_adapters.ts
@@ -39,6 +39,8 @@ const buildResponses = (method: Method, calls: MockCall[]): ResponseCall[] => {
         status: call.statusCode,
         body: call.body,
       }));
+    case 'notFound':
+      return calls.map(([call]) => ({ status: 404, body: call.body }));
     default:
       throw new Error(`Encountered unexpected call to response.${method}`);
   }
diff --git a/x-pack/plugins/rule_registry/server/routes/find.test.ts b/x-pack/plugins/rule_registry/server/routes/find.test.ts
new file mode 100644
index 0000000000000..c84868c39f889
--- /dev/null
+++ b/x-pack/plugins/rule_registry/server/routes/find.test.ts
@@ -0,0 +1,56 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { findAlertsByQueryRoute } from './find';
+import { requestContextMock } from './__mocks__/request_context';
+import { getFindRequest } from './__mocks__/request_responses';
+import { serverMock } from './__mocks__/server';
+
+describe('findAlertsByQueryRoute', () => {
+  let server: ReturnType<typeof serverMock.create>;
+  let { clients, context } = requestContextMock.createTools();
+
+  beforeEach(async () => {
+    server = serverMock.create();
+    ({ clients, context } = requestContextMock.createTools());
+
+    // @ts-expect-error: More properties are not needed
+    clients.rac.find.mockResolvedValue({ hits: { hits: [] } });
+
+    findAlertsByQueryRoute(server.router);
+  });
+
+  test('returns 200 when querying for alerts', async () => {
+    const response = await server.inject(getFindRequest(), context);
+
+    expect(response.status).toEqual(200);
+    expect(response.body).toEqual({ hits: { hits: [] } });
+  });
+
+  test('calls the alerts client correctly', async () => {
+    const response = await server.inject(getFindRequest(), context);
+
+    expect(response.status).toEqual(200);
+    expect(clients.rac.find).toHaveBeenCalledWith({
+      _source: undefined,
+      aggs: undefined,
+      consumers: ['siem'],
+      index: undefined,
+      query: undefined,
+      ruleTypeIds: ['siem.esqlRule'],
+      search_after: undefined,
+      size: undefined,
+      sort: undefined,
+      track_total_hits: undefined,
+    });
+  });
+
+  test('accepts not defined ryleTypeIds and consumers', async () => {
+    const response = await server.inject({ ...getFindRequest(), body: {} }, context);
+    expect(response.status).toEqual(200);
+  });
+});
diff --git a/x-pack/plugins/rule_registry/server/routes/find.ts b/x-pack/plugins/rule_registry/server/routes/find.ts
index 4ce4567dd35bd..d41de4d64f71f 100644
--- a/x-pack/plugins/rule_registry/server/routes/find.ts
+++ b/x-pack/plugins/rule_registry/server/routes/find.ts
@@ -25,7 +25,8 @@ export const findAlertsByQueryRoute = (router: IRouter<RacRequestHandlerContext>
           t.exact(
             t.partial({
               aggs: t.record(t.string, t.intersection([metricsAggsSchemas, bucketAggsSchemas])),
-              feature_ids: t.union([t.array(t.string), t.undefined]),
+              rule_type_ids: t.union([t.array(t.string), t.undefined]),
+              consumers: t.union([t.array(t.string), t.undefined]),
               index: t.string,
               query: t.object,
               search_after: t.union([t.array(t.number), t.array(t.string), t.undefined]),
@@ -50,7 +51,8 @@ export const findAlertsByQueryRoute = (router: IRouter<RacRequestHandlerContext>
       try {
         const {
           aggs,
-          feature_ids: featureIds,
+          rule_type_ids: ruleTypeIds,
+          consumers,
           index,
           query,
           // eslint-disable-next-line @typescript-eslint/naming-convention
@@ -65,7 +67,8 @@ export const findAlertsByQueryRoute = (router: IRouter<RacRequestHandlerContext>
         const alertsClient = await racContext.getAlertsClient();
         const alerts = await alertsClient.find({
           aggs,
-          featureIds,
+          ruleTypeIds,
+          consumers,
           index,
           query,
           search_after,
diff --git a/x-pack/plugins/rule_registry/server/routes/get_alert_index.test.ts b/x-pack/plugins/rule_registry/server/routes/get_alert_index.test.ts
index b8ef01847d8ea..28d901dc5a137 100644
--- a/x-pack/plugins/rule_registry/server/routes/get_alert_index.test.ts
+++ b/x-pack/plugins/rule_registry/server/routes/get_alert_index.test.ts
@@ -31,6 +31,28 @@ describe('getAlertsIndexRoute', () => {
     expect(response.body).toEqual({ index_name: ['alerts-security.alerts'] });
   });
 
+  test('accepts an array of string ', async () => {
+    const ruleTypeIds = ['foo', 'bar'];
+
+    await server.inject({ ...getReadIndexRequest(), query: { ruleTypeIds } }, context);
+
+    expect(clients.rac.getAuthorizedAlertsIndices).toHaveBeenCalledWith(ruleTypeIds);
+  });
+
+  test('accepts a single string', async () => {
+    const ruleTypeIds = 'foo';
+
+    await server.inject({ ...getReadIndexRequest(), query: { ruleTypeIds } }, context);
+
+    expect(clients.rac.getAuthorizedAlertsIndices).toHaveBeenCalledWith([ruleTypeIds]);
+  });
+
+  test('accepts not defined ryleTypeIds', async () => {
+    await server.inject({ ...getReadIndexRequest(), query: {} }, context);
+
+    expect(clients.rac.getAuthorizedAlertsIndices).toHaveBeenCalledWith(undefined);
+  });
+
   describe('request validation', () => {
     test('rejects invalid query params', async () => {
       await expect(
@@ -38,12 +60,12 @@ describe('getAlertsIndexRoute', () => {
           requestMock.create({
             method: 'get',
             path: `${BASE_RAC_ALERTS_API_PATH}/index`,
-            query: { features: 4 },
+            query: { ruleTypeIds: 4 },
           }),
           context
         )
       ).rejects.toThrowErrorMatchingInlineSnapshot(
-        `"Request was rejected with message: 'Invalid value \\"4\\" supplied to \\"features\\"'"`
+        `"Request was rejected with message: 'Invalid value \\"4\\" supplied to \\"ruleTypeIds\\"'"`
       );
     });
 
diff --git a/x-pack/plugins/rule_registry/server/routes/get_alert_index.ts b/x-pack/plugins/rule_registry/server/routes/get_alert_index.ts
index aa3ec89fde7c8..e83d784bd4fb7 100644
--- a/x-pack/plugins/rule_registry/server/routes/get_alert_index.ts
+++ b/x-pack/plugins/rule_registry/server/routes/get_alert_index.ts
@@ -8,7 +8,6 @@
 import { IRouter } from '@kbn/core/server';
 import * as t from 'io-ts';
 import { transformError } from '@kbn/securitysolution-es-utils';
-import { validFeatureIds } from '@kbn/rule-data-utils';
 import { buildRouteValidation } from './utils/route_validation';
 
 import { RacRequestHandlerContext } from '../types';
@@ -22,7 +21,7 @@ export const getAlertsIndexRoute = (router: IRouter<RacRequestHandlerContext>) =
         query: buildRouteValidation(
           t.exact(
             t.partial({
-              features: t.string,
+              ruleTypeIds: t.union([t.string, t.array(t.string)]),
             })
           )
         ),
@@ -40,10 +39,17 @@ export const getAlertsIndexRoute = (router: IRouter<RacRequestHandlerContext>) =
       try {
         const racContext = await context.rac;
         const alertsClient = await racContext.getAlertsClient();
-        const { features } = request.query;
-        const indexName = await alertsClient.getAuthorizedAlertsIndices(
-          features?.split(',') ?? validFeatureIds
-        );
+        const { ruleTypeIds } = request.query;
+
+        const ruleTypeIdsAsArray =
+          ruleTypeIds != null
+            ? Array.isArray(ruleTypeIds)
+              ? ruleTypeIds
+              : [ruleTypeIds]
+            : ruleTypeIds;
+
+        const indexName = await alertsClient.getAuthorizedAlertsIndices(ruleTypeIdsAsArray);
+
         return response.ok({
           body: { index_name: indexName },
         });
diff --git a/x-pack/plugins/rule_registry/server/routes/get_alert_summary.test.ts b/x-pack/plugins/rule_registry/server/routes/get_alert_summary.test.ts
index e15f2d40dc826..961b33310bfc7 100644
--- a/x-pack/plugins/rule_registry/server/routes/get_alert_summary.test.ts
+++ b/x-pack/plugins/rule_registry/server/routes/get_alert_summary.test.ts
@@ -35,7 +35,7 @@ describe('getAlertSummaryRoute', () => {
           requestMock.create({
             method: 'post',
             path: `${BASE_RAC_ALERTS_API_PATH}/_alert_summary`,
-            body: { gte: 4, lte: 3, featureIds: ['logs'] },
+            body: { gte: 4, lte: 3, ruleTypeIds: ['logs'] },
           }),
           context
         )
@@ -52,7 +52,7 @@ describe('getAlertSummaryRoute', () => {
           body: {
             gte: '2020-12-16T15:00:00.000Z',
             lte: '2020-12-16',
-            featureIds: ['logs'],
+            ruleTypeIds: ['logs'],
           },
         }),
         context
@@ -76,7 +76,7 @@ describe('getAlertSummaryRoute', () => {
           body: {
             gte: '2020-12-16T15:00:00.000Z',
             lte: '2020-12-16T16:00:00.000Z',
-            featureIds: ['logs'],
+            ruleTypeIds: ['logs'],
             fixed_interval: 'xx',
           },
         }),
@@ -102,7 +102,7 @@ describe('getAlertSummaryRoute', () => {
             body: {
               gte: '2020-12-16T15:00:00.000Z',
               lte: '2020-12-16T16:00:00.000Z',
-              featureIds: ['logs'],
+              ruleTypeIds: ['logs'],
               boop: 'unknown',
             },
           }),
@@ -112,5 +112,68 @@ describe('getAlertSummaryRoute', () => {
         `"Request was rejected with message: 'invalid keys \\"boop\\"'"`
       );
     });
+
+    test('rejects without ruleTypeIds', async () => {
+      await expect(
+        server.inject(
+          requestMock.create({
+            method: 'post',
+            path: `${BASE_RAC_ALERTS_API_PATH}/_alert_summary`,
+            body: {
+              gte: '2020-12-16T15:00:00.000Z',
+              lte: '2020-12-16T16:00:00.000Z',
+            },
+          }),
+          context
+        )
+      ).rejects.toThrowErrorMatchingInlineSnapshot(
+        `"Request was rejected with message: 'Invalid value \\"undefined\\" supplied to \\"ruleTypeIds\\"'"`
+      );
+    });
+
+    test('accepts consumers', async () => {
+      await expect(
+        server.inject(
+          requestMock.create({
+            method: 'post',
+            path: `${BASE_RAC_ALERTS_API_PATH}/_alert_summary`,
+            body: {
+              gte: '2020-12-16T15:00:00.000Z',
+              lte: '2020-12-16T16:00:00.000Z',
+              consumers: ['foo'],
+              ruleTypeIds: ['bar'],
+            },
+          }),
+          context
+        )
+      ).resolves.not.toThrow();
+    });
+
+    test('calls the alerts client correctly', async () => {
+      await expect(
+        server.inject(
+          requestMock.create({
+            method: 'post',
+            path: `${BASE_RAC_ALERTS_API_PATH}/_alert_summary`,
+            body: {
+              gte: '2020-12-16T15:00:00.000Z',
+              lte: '2020-12-16T16:00:00.000Z',
+              consumers: ['foo'],
+              ruleTypeIds: ['bar'],
+            },
+          }),
+          context
+        )
+      ).resolves.not.toThrow();
+
+      expect(clients.rac.getAlertSummary).toHaveBeenCalledWith({
+        consumers: ['foo'],
+        filter: undefined,
+        fixedInterval: undefined,
+        gte: '2020-12-16T15:00:00.000Z',
+        lte: '2020-12-16T16:00:00.000Z',
+        ruleTypeIds: ['bar'],
+      });
+    });
   });
 });
diff --git a/x-pack/plugins/rule_registry/server/routes/get_alert_summary.ts b/x-pack/plugins/rule_registry/server/routes/get_alert_summary.ts
index e33b0137a932e..9be3de57fdc0a 100644
--- a/x-pack/plugins/rule_registry/server/routes/get_alert_summary.ts
+++ b/x-pack/plugins/rule_registry/server/routes/get_alert_summary.ts
@@ -27,13 +27,14 @@ export const getAlertSummaryRoute = (router: IRouter<RacRequestHandlerContext>)
               t.type({
                 gte: t.string,
                 lte: t.string,
-                featureIds: t.array(t.string),
+                ruleTypeIds: t.array(t.string),
               })
             ),
             t.exact(
               t.partial({
                 fixed_interval: t.string,
                 filter: t.array(t.object),
+                consumers: t.array(t.string),
               })
             ),
           ])
@@ -52,7 +53,14 @@ export const getAlertSummaryRoute = (router: IRouter<RacRequestHandlerContext>)
       try {
         const racContext = await context.rac;
         const alertsClient = await racContext.getAlertsClient();
-        const { gte, lte, featureIds, filter, fixed_interval: fixedInterval } = request.body;
+        const {
+          gte,
+          lte,
+          ruleTypeIds,
+          consumers,
+          filter,
+          fixed_interval: fixedInterval,
+        } = request.body;
         if (
           !(
             moment(gte, 'YYYY-MM-DDTHH:mm:ss.SSSZ', true).isValid() &&
@@ -71,7 +79,8 @@ export const getAlertSummaryRoute = (router: IRouter<RacRequestHandlerContext>)
         const aggs = await alertsClient.getAlertSummary({
           gte,
           lte,
-          featureIds,
+          ruleTypeIds,
+          consumers,
           filter: filter as estypes.QueryDslQueryContainer[],
           fixedInterval,
         });
diff --git a/x-pack/plugins/rule_registry/server/routes/get_alerts_group_aggregations.test.ts b/x-pack/plugins/rule_registry/server/routes/get_alerts_group_aggregations.test.ts
index 1ce32adc37e62..5bf3a4a1622cd 100644
--- a/x-pack/plugins/rule_registry/server/routes/get_alerts_group_aggregations.test.ts
+++ b/x-pack/plugins/rule_registry/server/routes/get_alerts_group_aggregations.test.ts
@@ -200,7 +200,7 @@ describe('getAlertsGroupAggregations', () => {
           context
         )
       ).rejects.toThrowErrorMatchingInlineSnapshot(
-        `"Request was rejected with message: 'Invalid value \\"undefined\\" supplied to \\"featureIds\\"'"`
+        `"Request was rejected with message: 'Invalid value \\"undefined\\" supplied to \\"ruleTypeIds\\"'"`
       );
     });
 
@@ -211,7 +211,13 @@ describe('getAlertsGroupAggregations', () => {
             method: 'post',
             path: `${BASE_RAC_ALERTS_API_PATH}/_group_aggregations`,
             body: {
-              featureIds: ['apm', 'infrastructure', 'logs', 'observability', 'slo', 'uptime'],
+              ruleTypeIds: [
+                'apm.anomaly',
+                'logs.alert.document.count',
+                'metrics.alert.threshold',
+                'slo.rules.burnRate',
+                'xpack.uptime.alerts.durationAnomaly',
+              ],
               groupByField: 'kibana.alert.rule.name',
               aggregations: {
                 scriptedAggregation: {
@@ -231,7 +237,13 @@ describe('getAlertsGroupAggregations', () => {
             method: 'post',
             path: `${BASE_RAC_ALERTS_API_PATH}/_group_aggregations`,
             body: {
-              featureIds: ['apm', 'infrastructure', 'logs', 'observability', 'slo', 'uptime'],
+              ruleTypeIds: [
+                'apm.anomaly',
+                'logs.alert.document.count',
+                'metrics.alert.threshold',
+                'slo.rules.burnRate',
+                'xpack.uptime.alerts.durationAnomaly',
+              ],
               groupByField: 'kibana.alert.rule.name',
               filters: [
                 {
@@ -256,7 +268,13 @@ describe('getAlertsGroupAggregations', () => {
             method: 'post',
             path: `${BASE_RAC_ALERTS_API_PATH}/_group_aggregations`,
             body: {
-              featureIds: ['apm', 'infrastructure', 'logs', 'observability', 'slo', 'uptime'],
+              ruleTypeIds: [
+                'apm.anomaly',
+                'logs.alert.document.count',
+                'metrics.alert.threshold',
+                'slo.rules.burnRate',
+                'xpack.uptime.alerts.durationAnomaly',
+              ],
               groupByField: 'kibana.alert.rule.name',
               aggregations: {},
               runtimeMappings: {},
@@ -280,4 +298,84 @@ describe('getAlertsGroupAggregations', () => {
       message: 'Unable to get alerts',
     });
   });
+
+  test('rejects without ruleTypeIds', async () => {
+    await expect(
+      server.inject(
+        requestMock.create({
+          method: 'post',
+          path: `${BASE_RAC_ALERTS_API_PATH}/_group_aggregations`,
+          body: {
+            groupByField: 'kibana.alert.rule.name',
+          },
+        }),
+        context
+      )
+    ).rejects.toThrowErrorMatchingInlineSnapshot(
+      `"Request was rejected with message: 'Invalid value \\"undefined\\" supplied to \\"ruleTypeIds\\"'"`
+    );
+  });
+
+  test('accepts consumers', async () => {
+    await expect(
+      server.inject(
+        requestMock.create({
+          method: 'post',
+          path: `${BASE_RAC_ALERTS_API_PATH}/_group_aggregations`,
+          body: {
+            ruleTypeIds: [
+              'apm.anomaly',
+              'logs.alert.document.count',
+              'metrics.alert.threshold',
+              'slo.rules.burnRate',
+              'xpack.uptime.alerts.durationAnomaly',
+            ],
+            groupByField: 'kibana.alert.rule.name',
+            consumers: ['foo'],
+          },
+        }),
+        context
+      )
+    ).resolves.not.toThrow();
+  });
+
+  test('calls the alerts client correctly', async () => {
+    await expect(
+      server.inject(
+        requestMock.create({
+          method: 'post',
+          path: `${BASE_RAC_ALERTS_API_PATH}/_group_aggregations`,
+          body: {
+            ruleTypeIds: [
+              'apm.anomaly',
+              'logs.alert.document.count',
+              'metrics.alert.threshold',
+              'slo.rules.burnRate',
+              'xpack.uptime.alerts.durationAnomaly',
+            ],
+            groupByField: 'kibana.alert.rule.name',
+            consumers: ['foo'],
+          },
+        }),
+        context
+      )
+    ).resolves.not.toThrow();
+
+    expect(clients.rac.getGroupAggregations).toHaveBeenCalledWith({
+      aggregations: undefined,
+      consumers: ['foo'],
+      filters: undefined,
+      groupByField: 'kibana.alert.rule.name',
+      pageIndex: 0,
+      pageSize: 10,
+      ruleTypeIds: [
+        'apm.anomaly',
+        'logs.alert.document.count',
+        'metrics.alert.threshold',
+        'slo.rules.burnRate',
+        'xpack.uptime.alerts.durationAnomaly',
+      ],
+      sort: undefined,
+    });
+  });
 });
diff --git a/x-pack/plugins/rule_registry/server/routes/get_alerts_group_aggregations.ts b/x-pack/plugins/rule_registry/server/routes/get_alerts_group_aggregations.ts
index 34c56b7691a1f..6924025f2b33a 100644
--- a/x-pack/plugins/rule_registry/server/routes/get_alerts_group_aggregations.ts
+++ b/x-pack/plugins/rule_registry/server/routes/get_alerts_group_aggregations.ts
@@ -22,17 +22,24 @@ export const getAlertsGroupAggregations = (router: IRouter<RacRequestHandlerCont
       path: `${BASE_RAC_ALERTS_API_PATH}/_group_aggregations`,
       validate: {
         body: buildRouteValidation(
-          t.exact(
-            t.type({
-              featureIds: t.array(t.string),
-              groupByField: t.string,
-              aggregations: t.union([alertsAggregationsSchema, t.undefined]),
-              filters: t.union([t.array(alertsGroupFilterSchema), t.undefined]),
-              sort: t.union([t.array(t.object), t.undefined]),
-              pageIndex: t.union([t.number, t.undefined]),
-              pageSize: t.union([t.number, t.undefined]),
-            })
-          )
+          t.intersection([
+            t.exact(
+              t.type({
+                ruleTypeIds: t.array(t.string),
+                groupByField: t.string,
+                aggregations: t.union([alertsAggregationsSchema, t.undefined]),
+                filters: t.union([t.array(alertsGroupFilterSchema), t.undefined]),
+                sort: t.union([t.array(t.object), t.undefined]),
+                pageIndex: t.union([t.number, t.undefined]),
+                pageSize: t.union([t.number, t.undefined]),
+              })
+            ),
+            t.exact(
+              t.partial({
+                consumers: t.array(t.string),
+              })
+            ),
+          ])
         ),
       },
       security: {
@@ -46,7 +53,8 @@ export const getAlertsGroupAggregations = (router: IRouter<RacRequestHandlerCont
     },
     async (context, request, response) => {
       const {
-        featureIds,
+        ruleTypeIds,
+        consumers,
         groupByField,
         aggregations,
         filters,
@@ -58,7 +66,8 @@ export const getAlertsGroupAggregations = (router: IRouter<RacRequestHandlerCont
         const racContext = await context.rac;
         const alertsClient = await racContext.getAlertsClient();
         const alerts = await alertsClient.getGroupAggregations({
-          featureIds,
+          ruleTypeIds,
+          consumers,
           groupByField,
           aggregations,
           filters,
diff --git a/x-pack/plugins/rule_registry/server/routes/get_browser_fields_by_feature_id.test.ts b/x-pack/plugins/rule_registry/server/routes/get_browser_fields_by_feature_id.test.ts
deleted file mode 100644
index 49e559c9f4c24..0000000000000
--- a/x-pack/plugins/rule_registry/server/routes/get_browser_fields_by_feature_id.test.ts
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { BASE_RAC_ALERTS_API_PATH } from '../../common/constants';
-import { getBrowserFieldsByFeatureId } from './get_browser_fields_by_feature_id';
-import { requestContextMock } from './__mocks__/request_context';
-import { getO11yBrowserFields } from './__mocks__/request_responses';
-import { requestMock, serverMock } from './__mocks__/server';
-
-describe('getBrowserFieldsByFeatureId', () => {
-  let server: ReturnType<typeof serverMock.create>;
-  let { clients, context } = requestContextMock.createTools();
-  const path = `${BASE_RAC_ALERTS_API_PATH}/browser_fields`;
-
-  beforeEach(async () => {
-    server = serverMock.create();
-    ({ clients, context } = requestContextMock.createTools());
-  });
-
-  describe('when racClient returns o11y indices', () => {
-    beforeEach(() => {
-      clients.rac.getAuthorizedAlertsIndices.mockResolvedValue([
-        '.alerts-observability.logs.alerts-default',
-      ]);
-
-      getBrowserFieldsByFeatureId(server.router);
-    });
-
-    test('route registered', async () => {
-      const response = await server.inject(getO11yBrowserFields(), context);
-
-      expect(response.status).toEqual(200);
-    });
-
-    test('rejects invalid featureId type', async () => {
-      await expect(
-        server.inject(
-          requestMock.create({
-            method: 'get',
-            path,
-            query: { featureIds: undefined },
-          }),
-          context
-        )
-      ).rejects.toThrowErrorMatchingInlineSnapshot(
-        `"Request was rejected with message: 'Invalid value \\"undefined\\" supplied to \\"featureIds\\"'"`
-      );
-    });
-
-    test('returns error status if rac client "getAuthorizedAlertsIndices" fails', async () => {
-      clients.rac.getAuthorizedAlertsIndices.mockRejectedValue(new Error('Unable to get index'));
-      const response = await server.inject(getO11yBrowserFields(), context);
-
-      expect(response.status).toEqual(500);
-      expect(response.body).toEqual({
-        attributes: { success: false },
-        message: 'Unable to get index',
-      });
-    });
-  });
-});
diff --git a/x-pack/plugins/rule_registry/server/routes/get_browser_fields_by_rule_type_ids.test.ts b/x-pack/plugins/rule_registry/server/routes/get_browser_fields_by_rule_type_ids.test.ts
new file mode 100644
index 0000000000000..819ed89bc7c08
--- /dev/null
+++ b/x-pack/plugins/rule_registry/server/routes/get_browser_fields_by_rule_type_ids.test.ts
@@ -0,0 +1,123 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { BASE_RAC_ALERTS_API_PATH } from '../../common/constants';
+import { getBrowserFieldsByFeatureId } from './get_browser_fields_by_rule_type_ids';
+import { requestContextMock } from './__mocks__/request_context';
+import { getO11yBrowserFields } from './__mocks__/request_responses';
+import { requestMock, serverMock } from './__mocks__/server';
+
+describe('getBrowserFieldsByFeatureId', () => {
+  let server: ReturnType<typeof serverMock.create>;
+  let { clients, context } = requestContextMock.createTools();
+  const path = `${BASE_RAC_ALERTS_API_PATH}/browser_fields`;
+
+  beforeEach(async () => {
+    server = serverMock.create();
+    ({ clients, context } = requestContextMock.createTools());
+
+    clients.rac.getAuthorizedAlertsIndices.mockResolvedValue([
+      '.alerts-observability.logs.alerts-default',
+    ]);
+
+    clients.rac.getBrowserFields.mockResolvedValue({ browserFields: {}, fields: [] });
+
+    getBrowserFieldsByFeatureId(server.router);
+  });
+
+  test('route registered', async () => {
+    const response = await server.inject(getO11yBrowserFields(), context);
+
+    expect(response.status).toEqual(200);
+  });
+
+  test('it calls getAuthorizedAlertsIndices with o11y rule types', async () => {
+    const response = await server.inject(getO11yBrowserFields(), context);
+
+    expect(response.status).toEqual(200);
+    expect(clients.rac.getAuthorizedAlertsIndices).toHaveBeenCalledWith([
+      'apm.anomaly',
+      'logs.alert.document.count',
+    ]);
+  });
+
+  test('it calls getAuthorizedAlertsIndices only for o11y rule types when siem rule types are mixed', async () => {
+    const response = await server.inject(
+      {
+        ...getO11yBrowserFields(),
+        query: { ruleTypeIds: ['apm.anomaly', 'siem.esqlRuleType'] },
+      },
+      context
+    );
+
+    expect(response.status).toEqual(200);
+    expect(clients.rac.getAuthorizedAlertsIndices).toHaveBeenCalledWith(['apm.anomaly']);
+  });
+
+  test('it does not call getAuthorizedAlertsIndices with siem rule types', async () => {
+    const response = await server.inject(
+      {
+        ...getO11yBrowserFields(),
+        query: { ruleTypeIds: ['siem.esqlRuleType'] },
+      },
+      context
+    );
+
+    expect(response.status).toEqual(200);
+    expect(clients.rac.getAuthorizedAlertsIndices).not.toHaveBeenCalledWith();
+  });
+
+  test('accepts an array of string ', async () => {
+    const ruleTypeIds = ['foo', 'bar'];
+
+    await server.inject({ ...getO11yBrowserFields(), query: { ruleTypeIds } }, context);
+
+    expect(clients.rac.getAuthorizedAlertsIndices).toHaveBeenCalledWith(ruleTypeIds);
+  });
+
+  test('accepts a single string', async () => {
+    const ruleTypeIds = 'foo';
+
+    await server.inject({ ...getO11yBrowserFields(), query: { ruleTypeIds } }, context);
+
+    expect(clients.rac.getAuthorizedAlertsIndices).toHaveBeenCalledWith([ruleTypeIds]);
+  });
+
+  test('returns 404 when getAuthorizedAlertsIndices returns an empty array', async () => {
+    clients.rac.getAuthorizedAlertsIndices.mockResolvedValue([]);
+
+    const response = await server.inject(getO11yBrowserFields(), context);
+
+    expect(response.status).toEqual(404);
+  });
+
+  test('rejects invalid ruleTypeIds', async () => {
+    await expect(
+      server.inject(
+        requestMock.create({
+          method: 'get',
+          path,
+          query: { ruleTypeIds: undefined },
+        }),
+        context
+      )
+    ).rejects.toThrowErrorMatchingInlineSnapshot(
+      `"Request was rejected with message: 'Invalid value \\"undefined\\" supplied to \\"ruleTypeIds\\"'"`
+    );
+  });
+
+  test('returns error status if rac client "getAuthorizedAlertsIndices" fails', async () => {
+    clients.rac.getAuthorizedAlertsIndices.mockRejectedValue(new Error('Unable to get index'));
+    const response = await server.inject(getO11yBrowserFields(), context);
+
+    expect(response.status).toEqual(500);
+    expect(response.body).toEqual({
+      attributes: { success: false },
+      message: 'Unable to get index',
+    });
+  });
+});
diff --git a/x-pack/plugins/rule_registry/server/routes/get_browser_fields_by_feature_id.ts b/x-pack/plugins/rule_registry/server/routes/get_browser_fields_by_rule_type_ids.ts
similarity index 83%
rename from x-pack/plugins/rule_registry/server/routes/get_browser_fields_by_feature_id.ts
rename to x-pack/plugins/rule_registry/server/routes/get_browser_fields_by_rule_type_ids.ts
index 20a3781be6973..4c27095ae77c6 100644
--- a/x-pack/plugins/rule_registry/server/routes/get_browser_fields_by_feature_id.ts
+++ b/x-pack/plugins/rule_registry/server/routes/get_browser_fields_by_rule_type_ids.ts
@@ -9,6 +9,7 @@ import { IRouter } from '@kbn/core/server';
 import { transformError } from '@kbn/securitysolution-es-utils';
 import * as t from 'io-ts';
 
+import { isSiemRuleType } from '@kbn/rule-data-utils';
 import { RacRequestHandlerContext } from '../types';
 import { BASE_RAC_ALERTS_API_PATH } from '../../common/constants';
 import { buildRouteValidation } from './utils/route_validation';
@@ -21,7 +22,7 @@ export const getBrowserFieldsByFeatureId = (router: IRouter<RacRequestHandlerCon
         query: buildRouteValidation(
           t.exact(
             t.type({
-              featureIds: t.union([t.string, t.array(t.string)]),
+              ruleTypeIds: t.union([t.string, t.array(t.string)]),
             })
           )
         ),
@@ -39,18 +40,21 @@ export const getBrowserFieldsByFeatureId = (router: IRouter<RacRequestHandlerCon
       try {
         const racContext = await context.rac;
         const alertsClient = await racContext.getAlertsClient();
-        const { featureIds = [] } = request.query;
-        const onlyO11yFeatureIds = (Array.isArray(featureIds) ? featureIds : [featureIds]).filter(
-          (fId) => fId !== 'siem'
-        );
+        const { ruleTypeIds = [] } = request.query;
+
+        const onlyO11yRuleTypeIds = (
+          Array.isArray(ruleTypeIds) ? ruleTypeIds : [ruleTypeIds]
+        ).filter((ruleTypeId) => !isSiemRuleType(ruleTypeId));
+
         const o11yIndices =
-          (onlyO11yFeatureIds
-            ? await alertsClient.getAuthorizedAlertsIndices(onlyO11yFeatureIds)
+          (onlyO11yRuleTypeIds
+            ? await alertsClient.getAuthorizedAlertsIndices(onlyO11yRuleTypeIds)
             : []) ?? [];
+
         if (o11yIndices.length === 0) {
           return response.notFound({
             body: {
-              message: `No alerts-observability indices found for featureIds [${featureIds}]`,
+              message: `No alerts-observability indices found for rule type ids [${onlyO11yRuleTypeIds}]`,
               attributes: { success: false },
             },
           });
@@ -58,10 +62,11 @@ export const getBrowserFieldsByFeatureId = (router: IRouter<RacRequestHandlerCon
 
         const fields = await alertsClient.getBrowserFields({
           indices: o11yIndices,
-          featureIds: onlyO11yFeatureIds,
+          ruleTypeIds: onlyO11yRuleTypeIds,
           metaFields: ['_id', '_index'],
           allowNoIndex: true,
         });
+
         return response.ok({
           body: fields,
         });
diff --git a/x-pack/plugins/rule_registry/server/routes/get_feature_ids_by_registration_contexts.test.ts b/x-pack/plugins/rule_registry/server/routes/get_feature_ids_by_registration_contexts.test.ts
deleted file mode 100644
index 80f2b4e6026d0..0000000000000
--- a/x-pack/plugins/rule_registry/server/routes/get_feature_ids_by_registration_contexts.test.ts
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { BASE_RAC_ALERTS_API_PATH } from '../../common/constants';
-import { getFeatureIdsByRegistrationContexts } from './get_feature_ids_by_registration_contexts';
-import { requestContextMock } from './__mocks__/request_context';
-import { getReadFeatureIdsRequest } from './__mocks__/request_responses';
-import { requestMock, serverMock } from './__mocks__/server';
-
-describe('getFeatureIdsByRegistrationContexts', () => {
-  let server: ReturnType<typeof serverMock.create>;
-  let { clients, context } = requestContextMock.createTools();
-
-  beforeEach(async () => {
-    server = serverMock.create();
-    ({ clients, context } = requestContextMock.createTools());
-
-    clients.rac.getFeatureIdsByRegistrationContexts.mockResolvedValue(['siem']);
-
-    getFeatureIdsByRegistrationContexts(server.router);
-  });
-
-  test('returns 200 when querying for features ids', async () => {
-    const response = await server.inject(getReadFeatureIdsRequest(), context);
-
-    expect(response.status).toEqual(200);
-    expect(response.body).toEqual(['siem']);
-  });
-
-  describe('request validation', () => {
-    test('rejects invalid query params', async () => {
-      await expect(
-        server.inject(
-          requestMock.create({
-            method: 'get',
-            path: `${BASE_RAC_ALERTS_API_PATH}/_feature_ids`,
-            query: { registrationContext: 4 },
-          }),
-          context
-        )
-      ).rejects.toThrowErrorMatchingInlineSnapshot(
-        `"Request was rejected with message: 'Invalid value \\"4\\" supplied to \\"registrationContext\\"'"`
-      );
-    });
-
-    test('rejects unknown query params', async () => {
-      await expect(
-        server.inject(
-          requestMock.create({
-            method: 'get',
-            path: `${BASE_RAC_ALERTS_API_PATH}/_feature_ids`,
-            query: { boop: 'siem' },
-          }),
-          context
-        )
-      ).rejects.toThrowErrorMatchingInlineSnapshot(
-        `"Request was rejected with message: 'invalid keys \\"boop\\"'"`
-      );
-    });
-  });
-
-  test('returns error status if rac client "getFeatureIdsByRegistrationContexts" fails', async () => {
-    clients.rac.getFeatureIdsByRegistrationContexts.mockRejectedValue(
-      new Error('Unable to get feature ids')
-    );
-    const response = await server.inject(getReadFeatureIdsRequest(), context);
-
-    expect(response.status).toEqual(500);
-    expect(response.body).toEqual({
-      attributes: { success: false },
-      message: 'Unable to get feature ids',
-    });
-  });
-});
diff --git a/x-pack/plugins/rule_registry/server/routes/get_feature_ids_by_registration_contexts.ts b/x-pack/plugins/rule_registry/server/routes/get_feature_ids_by_registration_contexts.ts
deleted file mode 100644
index 43bd491daafbe..0000000000000
--- a/x-pack/plugins/rule_registry/server/routes/get_feature_ids_by_registration_contexts.ts
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { IRouter } from '@kbn/core/server';
-import * as t from 'io-ts';
-import { transformError } from '@kbn/securitysolution-es-utils';
-
-import { RacRequestHandlerContext } from '../types';
-import { BASE_RAC_ALERTS_API_PATH } from '../../common/constants';
-import { buildRouteValidation } from './utils/route_validation';
-
-export const getFeatureIdsByRegistrationContexts = (router: IRouter<RacRequestHandlerContext>) => {
-  router.get(
-    {
-      path: `${BASE_RAC_ALERTS_API_PATH}/_feature_ids`,
-      validate: {
-        query: buildRouteValidation(
-          t.exact(
-            t.partial({
-              registrationContext: t.union([t.string, t.array(t.string)]),
-            })
-          )
-        ),
-      },
-      security: {
-        authz: {
-          requiredPrivileges: ['rac'],
-        },
-      },
-      options: {
-        access: 'internal',
-      },
-    },
-    async (context, request, response) => {
-      try {
-        const racContext = await context.rac;
-        const alertsClient = await racContext.getAlertsClient();
-        const { registrationContext = [] } = request.query;
-        const featureIds = await alertsClient.getFeatureIdsByRegistrationContexts(
-          Array.isArray(registrationContext) ? registrationContext : [registrationContext]
-        );
-        return response.ok({
-          body: featureIds,
-        });
-      } catch (exc) {
-        const err = transformError(exc);
-        const contentType = {
-          'content-type': 'application/json',
-        };
-        const defaultedHeaders = {
-          ...contentType,
-        };
-
-        return response.customError({
-          headers: defaultedHeaders,
-          statusCode: err.statusCode,
-          body: {
-            message: err.message,
-            attributes: {
-              success: false,
-            },
-          },
-        });
-      }
-    }
-  );
-};
diff --git a/x-pack/plugins/rule_registry/server/routes/index.ts b/x-pack/plugins/rule_registry/server/routes/index.ts
index ae9f113ee0ac1..72ecfc4c9b8ef 100644
--- a/x-pack/plugins/rule_registry/server/routes/index.ts
+++ b/x-pack/plugins/rule_registry/server/routes/index.ts
@@ -13,8 +13,7 @@ import { updateAlertByIdRoute } from './update_alert_by_id';
 import { getAlertsIndexRoute } from './get_alert_index';
 import { bulkUpdateAlertsRoute } from './bulk_update_alerts';
 import { findAlertsByQueryRoute } from './find';
-import { getFeatureIdsByRegistrationContexts } from './get_feature_ids_by_registration_contexts';
-import { getBrowserFieldsByFeatureId } from './get_browser_fields_by_feature_id';
+import { getBrowserFieldsByFeatureId } from './get_browser_fields_by_rule_type_ids';
 import { getAlertSummaryRoute } from './get_alert_summary';
 import { getAADFieldsByRuleType } from './get_aad_fields_by_rule_type';
 
@@ -25,7 +24,6 @@ export function defineRoutes(router: IRouter<RacRequestHandlerContext>) {
   bulkUpdateAlertsRoute(router);
   findAlertsByQueryRoute(router);
   getAlertsGroupAggregations(router);
-  getFeatureIdsByRegistrationContexts(router);
   getBrowserFieldsByFeatureId(router);
   getAlertSummaryRoute(router);
   getAADFieldsByRuleType(router);
diff --git a/x-pack/plugins/rule_registry/server/rule_data_plugin_service/rule_data_plugin_service.mock.ts b/x-pack/plugins/rule_registry/server/rule_data_plugin_service/rule_data_plugin_service.mock.ts
index 9b279a541b3e9..cfbfafd0092bf 100644
--- a/x-pack/plugins/rule_registry/server/rule_data_plugin_service/rule_data_plugin_service.mock.ts
+++ b/x-pack/plugins/rule_registry/server/rule_data_plugin_service/rule_data_plugin_service.mock.ts
@@ -17,7 +17,6 @@ export const ruleDataServiceMock = {
     initializeIndex: jest.fn(),
     findIndexByName: jest.fn(),
     findIndexByFeature: jest.fn(),
-    findFeatureIdsByRegistrationContexts: jest.fn(),
   }),
 };
 
diff --git a/x-pack/plugins/rule_registry/server/rule_data_plugin_service/rule_data_plugin_service.ts b/x-pack/plugins/rule_registry/server/rule_data_plugin_service/rule_data_plugin_service.ts
index efe4a5dd4f32f..91192848830ec 100644
--- a/x-pack/plugins/rule_registry/server/rule_data_plugin_service/rule_data_plugin_service.ts
+++ b/x-pack/plugins/rule_registry/server/rule_data_plugin_service/rule_data_plugin_service.ts
@@ -78,12 +78,6 @@ export interface IRuleDataService {
    * Note: features are used in RBAC.
    */
   findIndexByFeature(featureId: ValidFeatureId, dataset: Dataset): IndexInfo | null;
-
-  /**
-   * Looks up Kibana "feature" associated with the given registration context.
-   * Note: features are used in RBAC.
-   */
-  findFeatureIdsByRegistrationContexts(registrationContexts: string[]): string[];
 }
 
 // TODO: This is a leftover. Remove its usage from the "observability" plugin and delete it.
@@ -248,17 +242,6 @@ export class RuleDataService implements IRuleDataService {
     return this.indicesByBaseName.get(baseName) ?? null;
   }
 
-  public findFeatureIdsByRegistrationContexts(registrationContexts: string[]): string[] {
-    const featureIds: string[] = [];
-    registrationContexts.forEach((rc) => {
-      const featureId = this.registrationContextByFeatureId.get(rc);
-      if (featureId) {
-        featureIds.push(featureId);
-      }
-    });
-    return featureIds;
-  }
-
   public findIndexByFeature(featureId: ValidFeatureId, dataset: Dataset): IndexInfo | null {
     const foundIndices = this.indicesByFeatureId.get(featureId) ?? [];
     if (dataset && foundIndices.length > 0) {
diff --git a/x-pack/plugins/rule_registry/server/search_strategy/search_strategy.test.ts b/x-pack/plugins/rule_registry/server/search_strategy/search_strategy.test.ts
index 4dabfb3feb390..1086714ab758a 100644
--- a/x-pack/plugins/rule_registry/server/search_strategy/search_strategy.test.ts
+++ b/x-pack/plugins/rule_registry/server/search_strategy/search_strategy.test.ts
@@ -4,12 +4,11 @@
  * 2.0; you may not use this file except in compliance with the Elastic License
  * 2.0.
  */
-import { of } from 'rxjs';
+import { lastValueFrom, of } from 'rxjs';
 import { merge } from 'lodash';
 import { loggerMock } from '@kbn/logging-mocks';
-import { AlertConsumers } from '@kbn/rule-data-utils';
 import { ALERT_EVENTS_FIELDS } from '@kbn/alerts-as-data-utils';
-import { ruleRegistrySearchStrategyProvider, EMPTY_RESPONSE } from './search_strategy';
+import { ruleRegistrySearchStrategyProvider } from './search_strategy';
 import { dataPluginMock } from '@kbn/data-plugin/server/mocks';
 import { SearchStrategyDependencies } from '@kbn/data-plugin/server';
 import { alertsMock } from '@kbn/alerting-plugin/server/mocks';
@@ -18,6 +17,9 @@ import { spacesMock } from '@kbn/spaces-plugin/server/mocks';
 import type { RuleRegistrySearchRequest } from '../../common';
 import * as getAuthzFilterImport from '../lib/get_authz_filter';
 import { getIsKibanaRequest } from '../lib/get_is_kibana_request';
+import { alertingAuthorizationMock } from '@kbn/alerting-plugin/server/authorization/alerting_authorization.mock';
+import { Boom } from '@hapi/boom';
+import { KbnSearchError } from '@kbn/data-plugin/server/search/report_search_error';
 
 jest.mock('../lib/get_is_kibana_request');
 
@@ -53,8 +55,10 @@ describe('ruleRegistrySearchStrategyProvider()', () => {
   const security = securityMock.createSetup();
   const spaces = spacesMock.createStart();
   const logger = loggerMock.create();
+  const authorizationMock = alertingAuthorizationMock.create();
   const getAuthorizedRuleTypesMock = jest.fn();
   const getAlertIndicesAliasMock = jest.fn();
+
   const response = getBasicResponse({
     rawResponse: {
       hits: {
@@ -73,13 +77,19 @@ describe('ruleRegistrySearchStrategyProvider()', () => {
   const searchStrategySearch = jest.fn().mockImplementation(() => of(response));
 
   beforeEach(() => {
+    jest.clearAllMocks();
+
     getAuthorizedRuleTypesMock.mockResolvedValue([]);
     getAlertIndicesAliasMock.mockReturnValue(['test']);
-    const authorizationMock = {
-      getAuthorizedRuleTypes: getAuthorizedRuleTypesMock,
-    } as never;
     alerting.getAlertingAuthorizationWithRequest.mockResolvedValue(authorizationMock);
     alerting.getAlertIndicesAlias = getAlertIndicesAliasMock;
+    alerting.listTypes.mockReturnValue(
+      // @ts-expect-error: rule type properties are not needed for the test
+      new Map([
+        ['.es-query', {}],
+        ['siem.esqlRule', {}],
+      ])
+    );
 
     data.search.getSearchStrategy.mockImplementation(() => {
       return {
@@ -115,7 +125,7 @@ describe('ruleRegistrySearchStrategyProvider()', () => {
     getAuthorizedRuleTypesMock.mockResolvedValue([]);
     getAlertIndicesAliasMock.mockReturnValue(['observability-logs']);
     const request: RuleRegistrySearchRequest = {
-      featureIds: [AlertConsumers.LOGS],
+      ruleTypeIds: ['.es-query'],
     };
     const options = {};
     const deps = {
@@ -124,16 +134,16 @@ describe('ruleRegistrySearchStrategyProvider()', () => {
 
     const strategy = ruleRegistrySearchStrategyProvider(data, alerting, logger, security, spaces);
 
-    const result = await strategy
-      .search(request, options, deps as unknown as SearchStrategyDependencies)
-      .toPromise();
+    const result = await lastValueFrom(
+      strategy.search(request, options, deps as unknown as SearchStrategyDependencies)
+    );
 
     expect(result).toEqual(response);
   });
 
   it('should return an empty response if no valid indices are found', async () => {
     const request: RuleRegistrySearchRequest = {
-      featureIds: [AlertConsumers.LOGS],
+      ruleTypeIds: ['.es-query'],
     };
     const options = {};
     const deps = {
@@ -145,15 +155,30 @@ describe('ruleRegistrySearchStrategyProvider()', () => {
 
     const strategy = ruleRegistrySearchStrategyProvider(data, alerting, logger, security, spaces);
 
-    const result = await strategy
-      .search(request, options, deps as unknown as SearchStrategyDependencies)
-      .toPromise();
-    expect(result).toBe(EMPTY_RESPONSE);
+    const result = await lastValueFrom(
+      strategy.search(request, options, deps as unknown as SearchStrategyDependencies)
+    );
+
+    expect(result).toMatchInlineSnapshot(`
+      Object {
+        "inspect": Object {
+          "dsl": Array [
+            "{}",
+          ],
+        },
+        "rawResponse": Object {
+          "hits": Object {
+            "hits": Array [],
+            "total": 0,
+          },
+        },
+      }
+    `);
   });
 
-  it('should not apply rbac filters for siem', async () => {
+  it('should not apply rbac filters for siem rule types', async () => {
     const request: RuleRegistrySearchRequest = {
-      featureIds: [AlertConsumers.SIEM],
+      ruleTypeIds: ['siem.esqlRule'],
     };
     const options = {};
     const deps = {
@@ -165,15 +190,16 @@ describe('ruleRegistrySearchStrategyProvider()', () => {
 
     const strategy = ruleRegistrySearchStrategyProvider(data, alerting, logger, security, spaces);
 
-    await strategy
-      .search(request, options, deps as unknown as SearchStrategyDependencies)
-      .toPromise();
+    await lastValueFrom(
+      strategy.search(request, options, deps as unknown as SearchStrategyDependencies)
+    );
+
     expect(getAuthzFilterSpy).not.toHaveBeenCalled();
   });
 
-  it('should throw an error if requesting multiple featureIds and one is SIEM', async () => {
+  it('should throw an error if requesting multiple rule types and one is for siem', async () => {
     const request: RuleRegistrySearchRequest = {
-      featureIds: [AlertConsumers.SIEM, AlertConsumers.LOGS],
+      ruleTypeIds: ['.es-query', 'siem.esqlRule'],
     };
     const options = {};
     const deps = {
@@ -186,19 +212,70 @@ describe('ruleRegistrySearchStrategyProvider()', () => {
     const strategy = ruleRegistrySearchStrategyProvider(data, alerting, logger, security, spaces);
 
     let err;
+
     try {
-      await strategy
-        .search(request, options, deps as unknown as SearchStrategyDependencies)
-        .toPromise();
+      await lastValueFrom(
+        strategy.search(request, options, deps as unknown as SearchStrategyDependencies)
+      );
     } catch (e) {
       err = e;
     }
-    expect(err).toBeDefined();
+
+    expect(err.statusCode).toBe(400);
+    expect(err.message).toBe(
+      'The privateRuleRegistryAlertsSearchStrategy search strategy is unable to accommodate requests containing multiple rule types with mixed authorization.'
+    );
+  });
+
+  it('should not throw an error with empty rule type ids', async () => {
+    const request: RuleRegistrySearchRequest = {
+      ruleTypeIds: [],
+    };
+
+    const options = {};
+    const deps = {
+      request: {},
+    };
+
+    getAuthorizedRuleTypesMock.mockResolvedValue([]);
+    getAlertIndicesAliasMock.mockReturnValue([]);
+
+    const strategy = ruleRegistrySearchStrategyProvider(data, alerting, logger, security, spaces);
+
+    await expect(
+      lastValueFrom(
+        strategy.search(request, options, deps as unknown as SearchStrategyDependencies)
+      )
+    ).resolves.not.toThrow();
+  });
+
+  it('should filter out invalid rule types', async () => {
+    const request: RuleRegistrySearchRequest = {
+      ruleTypeIds: ['.es-query', 'not-exist'],
+    };
+
+    const options = {};
+    const deps = {
+      request: {},
+    };
+
+    const strategy = ruleRegistrySearchStrategyProvider(data, alerting, logger, security, spaces);
+
+    await expect(
+      lastValueFrom(
+        strategy.search(request, options, deps as unknown as SearchStrategyDependencies)
+      )
+    ).resolves.not.toThrow();
+
+    expect(authorizationMock.getAllAuthorizedRuleTypesFindOperation).toHaveBeenCalledWith({
+      authorizationEntity: 'alert',
+      ruleTypeIds: ['.es-query'],
+    });
   });
 
   it('should use internal user when requesting o11y alerts as RBAC is applied', async () => {
     const request: RuleRegistrySearchRequest = {
-      featureIds: [AlertConsumers.LOGS],
+      ruleTypeIds: ['.es-query'],
     };
     const options = {};
     const deps = {
@@ -209,16 +286,17 @@ describe('ruleRegistrySearchStrategyProvider()', () => {
 
     const strategy = ruleRegistrySearchStrategyProvider(data, alerting, logger, security, spaces);
 
-    await strategy
-      .search(request, options, deps as unknown as SearchStrategyDependencies)
-      .toPromise();
+    await lastValueFrom(
+      strategy.search(request, options, deps as unknown as SearchStrategyDependencies)
+    );
+
     expect(data.search.searchAsInternalUser.search).toHaveBeenCalled();
     expect(searchStrategySearch).not.toHaveBeenCalled();
   });
 
   it('should use scoped user when requesting siem alerts as RBAC is not applied', async () => {
     const request: RuleRegistrySearchRequest = {
-      featureIds: [AlertConsumers.SIEM],
+      ruleTypeIds: ['siem.esqlRule'],
     };
     const options = {};
     const deps = {
@@ -230,16 +308,17 @@ describe('ruleRegistrySearchStrategyProvider()', () => {
 
     const strategy = ruleRegistrySearchStrategyProvider(data, alerting, logger, security, spaces);
 
-    await strategy
-      .search(request, options, deps as unknown as SearchStrategyDependencies)
-      .toPromise();
+    await lastValueFrom(
+      strategy.search(request, options, deps as unknown as SearchStrategyDependencies)
+    );
+
     expect(data.search.searchAsInternalUser.search as jest.Mock).not.toHaveBeenCalled();
     expect(searchStrategySearch).toHaveBeenCalled();
   });
 
   it('should support pagination', async () => {
     const request: RuleRegistrySearchRequest = {
-      featureIds: [AlertConsumers.LOGS],
+      ruleTypeIds: ['.es-query'],
       pagination: {
         pageSize: 10,
         pageIndex: 0,
@@ -254,9 +333,10 @@ describe('ruleRegistrySearchStrategyProvider()', () => {
 
     const strategy = ruleRegistrySearchStrategyProvider(data, alerting, logger, security, spaces);
 
-    await strategy
-      .search(request, options, deps as unknown as SearchStrategyDependencies)
-      .toPromise();
+    await lastValueFrom(
+      strategy.search(request, options, deps as unknown as SearchStrategyDependencies)
+    );
+
     expect((data.search.searchAsInternalUser.search as jest.Mock).mock.calls.length).toBe(1);
     expect(
       (data.search.searchAsInternalUser.search as jest.Mock).mock.calls[0][0].params.body.size
@@ -268,7 +348,7 @@ describe('ruleRegistrySearchStrategyProvider()', () => {
 
   it('should support sorting', async () => {
     const request: RuleRegistrySearchRequest = {
-      featureIds: [AlertConsumers.LOGS],
+      ruleTypeIds: ['.es-query'],
       sort: [
         {
           test: {
@@ -286,9 +366,10 @@ describe('ruleRegistrySearchStrategyProvider()', () => {
 
     const strategy = ruleRegistrySearchStrategyProvider(data, alerting, logger, security, spaces);
 
-    await strategy
-      .search(request, options, deps as unknown as SearchStrategyDependencies)
-      .toPromise();
+    await lastValueFrom(
+      strategy.search(request, options, deps as unknown as SearchStrategyDependencies)
+    );
+
     expect((data.search.searchAsInternalUser.search as jest.Mock).mock.calls.length).toBe(1);
     expect(
       (data.search.searchAsInternalUser.search as jest.Mock).mock.calls[0][0].params.body.sort
@@ -297,7 +378,7 @@ describe('ruleRegistrySearchStrategyProvider()', () => {
 
   it('passes the query ids if provided', async () => {
     const request: RuleRegistrySearchRequest = {
-      featureIds: [AlertConsumers.SIEM],
+      ruleTypeIds: ['siem.esqlRule'],
       query: {
         ids: { values: ['test-id'] },
       },
@@ -311,21 +392,24 @@ describe('ruleRegistrySearchStrategyProvider()', () => {
 
     const strategy = ruleRegistrySearchStrategyProvider(data, alerting, logger, security, spaces);
 
-    await strategy
-      .search(request, options, deps as unknown as SearchStrategyDependencies)
-      .toPromise();
+    await lastValueFrom(
+      strategy.search(request, options, deps as unknown as SearchStrategyDependencies)
+    );
+
     const arg0 = searchStrategySearch.mock.calls[0][0];
     expect(arg0.params.body.fields.length).toEqual(
       // +2 because of fields.push({ field: 'kibana.alert.*', include_unmapped: false }); and
       // fields.push({ field: 'signal.*', include_unmapped: false });
       ALERT_EVENTS_FIELDS.length + 2
     );
+
     expect.arrayContaining([
       expect.objectContaining({
         x: 2,
         y: 3,
       }),
     ]);
+
     expect(arg0).toEqual(
       expect.objectContaining({
         id: undefined,
@@ -355,9 +439,9 @@ describe('ruleRegistrySearchStrategyProvider()', () => {
     );
   });
 
-  it('passes the fields if provided', async () => {
+  it('passes the fields if provided for siem rule types', async () => {
     const request: RuleRegistrySearchRequest = {
-      featureIds: [AlertConsumers.SIEM],
+      ruleTypeIds: ['siem.esqlRule'],
       query: {
         ids: { values: ['test-id'] },
       },
@@ -372,42 +456,264 @@ describe('ruleRegistrySearchStrategyProvider()', () => {
 
     const strategy = ruleRegistrySearchStrategyProvider(data, alerting, logger, security, spaces);
 
-    await strategy
-      .search(request, options, deps as unknown as SearchStrategyDependencies)
-      .toPromise();
+    await lastValueFrom(
+      strategy.search(request, options, deps as unknown as SearchStrategyDependencies)
+    );
 
     const arg0 = searchStrategySearch.mock.calls[0][0];
-    expect(arg0.params.body.fields.length).toEqual(
+    const fields = arg0.params.body.fields;
+
+    expect(fields.length).toEqual(
       // +2 because of fields.push({ field: 'kibana.alert.*', include_unmapped: false }); and
       // fields.push({ field: 'signal.*', include_unmapped: false }); + my-super-field
       ALERT_EVENTS_FIELDS.length + 3
     );
-    expect(arg0).toEqual(
-      expect.objectContaining({
-        id: undefined,
-        params: expect.objectContaining({
-          allow_no_indices: true,
-          body: expect.objectContaining({
-            _source: false,
-            fields: expect.arrayContaining([
-              expect.objectContaining({
-                field: 'my-super-field',
-                include_unmapped: true,
-              }),
-            ]),
-            from: 0,
-            query: {
-              ids: {
-                values: ['test-id'],
+
+    const siemField = fields.find((field: { field: string }) => field.field === 'signal.*');
+    const kibanaField = fields.find((field: { field: string }) => field.field === 'kibana.alert.*');
+    const myField = fields.find((field: { field: string }) => field.field === 'my-super-field');
+
+    expect(siemField).toMatchInlineSnapshot(`
+      Object {
+        "field": "signal.*",
+        "include_unmapped": false,
+      }
+    `);
+
+    expect(kibanaField).toMatchInlineSnapshot(`
+      Object {
+        "field": "kibana.alert.*",
+        "include_unmapped": false,
+      }
+    `);
+
+    expect(myField).toMatchInlineSnapshot(`
+      Object {
+        "field": "my-super-field",
+        "include_unmapped": true,
+      }
+    `);
+  });
+
+  it('passes the fields if provided for o11y rule types', async () => {
+    const request: RuleRegistrySearchRequest = {
+      ruleTypeIds: ['.es-query'],
+      query: {
+        ids: { values: ['test-id'] },
+      },
+      fields: [{ field: 'my-super-field', include_unmapped: true }],
+    };
+    const options = {};
+    const deps = {
+      request: {},
+    };
+    getAuthorizedRuleTypesMock.mockResolvedValue([]);
+    getAlertIndicesAliasMock.mockReturnValue(['security-siem']);
+
+    const strategy = ruleRegistrySearchStrategyProvider(data, alerting, logger, security, spaces);
+
+    await lastValueFrom(
+      strategy.search(request, options, deps as unknown as SearchStrategyDependencies)
+    );
+
+    const arg0 = (data.search.searchAsInternalUser.search as jest.Mock).mock.calls[0][0];
+    const fields = arg0.params.body.fields;
+
+    expect(fields.length).toEqual(
+      // +2 because of fields.push({ field: 'kibana.alert.*', include_unmapped: false }); and
+      // fields.push({ field: '*', include_unmapped: false }); + my-super-field
+      3
+    );
+
+    const allField = fields.find((field: { field: string }) => field.field === '*');
+    const kibanaField = fields.find((field: { field: string }) => field.field === 'kibana.alert.*');
+    const myField = fields.find((field: { field: string }) => field.field === 'my-super-field');
+
+    expect(allField).toMatchInlineSnapshot(`
+      Object {
+        "field": "*",
+        "include_unmapped": true,
+      }
+    `);
+
+    expect(kibanaField).toMatchInlineSnapshot(`
+      Object {
+        "field": "kibana.alert.*",
+        "include_unmapped": false,
+      }
+    `);
+
+    expect(myField).toMatchInlineSnapshot(`
+      Object {
+        "field": "my-super-field",
+        "include_unmapped": true,
+      }
+    `);
+  });
+
+  it('should handle Boom errors correctly', async () => {
+    getAuthzFilterSpy.mockRejectedValue(new Boom('boom error message', { statusCode: 400 }));
+
+    const request: RuleRegistrySearchRequest = {
+      ruleTypeIds: ['.es-query'],
+    };
+
+    const options = {};
+    const deps = {
+      request: {},
+    };
+
+    const strategy = ruleRegistrySearchStrategyProvider(data, alerting, logger, security, spaces);
+
+    let err;
+
+    try {
+      await lastValueFrom(
+        strategy.search(request, options, deps as unknown as SearchStrategyDependencies)
+      );
+    } catch (e) {
+      err = e;
+    }
+
+    expect(err.statusCode).toBe(400);
+    expect(err.message).toBe('boom error message');
+  });
+
+  it('should handle KbnSearchError errors correctly', async () => {
+    getAuthzFilterSpy.mockRejectedValue(new KbnSearchError('kbn search error message', 403));
+
+    const request: RuleRegistrySearchRequest = {
+      ruleTypeIds: ['.es-query'],
+    };
+
+    const options = {};
+    const deps = {
+      request: {},
+    };
+
+    const strategy = ruleRegistrySearchStrategyProvider(data, alerting, logger, security, spaces);
+
+    let err;
+
+    try {
+      await lastValueFrom(
+        strategy.search(request, options, deps as unknown as SearchStrategyDependencies)
+      );
+    } catch (e) {
+      err = e;
+    }
+
+    expect(err.statusCode).toBe(403);
+    expect(err.message).toBe('kbn search error message');
+  });
+
+  it('should convert errors to KbnSearchError errors correctly', async () => {
+    getAuthzFilterSpy.mockRejectedValue(new Error('plain error message'));
+
+    const request: RuleRegistrySearchRequest = {
+      ruleTypeIds: ['.es-query'],
+    };
+
+    const options = {};
+    const deps = {
+      request: {},
+    };
+
+    const strategy = ruleRegistrySearchStrategyProvider(data, alerting, logger, security, spaces);
+
+    let err;
+
+    try {
+      await lastValueFrom(
+        strategy.search(request, options, deps as unknown as SearchStrategyDependencies)
+      );
+    } catch (e) {
+      err = e;
+    }
+
+    expect(err.statusCode).toBe(500);
+    expect(err.message).toBe('plain error message');
+  });
+
+  it('should apply the rule type IDs filter', async () => {
+    const request: RuleRegistrySearchRequest = {
+      ruleTypeIds: ['siem.esqlRule'],
+    };
+
+    const options = {};
+    const deps = {
+      request: {},
+    };
+
+    getAuthorizedRuleTypesMock.mockResolvedValue([]);
+    getAlertIndicesAliasMock.mockReturnValue(['security-siem']);
+
+    const strategy = ruleRegistrySearchStrategyProvider(data, alerting, logger, security, spaces);
+
+    await lastValueFrom(
+      strategy.search(request, options, deps as unknown as SearchStrategyDependencies)
+    );
+
+    const arg0 = searchStrategySearch.mock.calls[0][0];
+    expect(arg0.params.body.query).toMatchInlineSnapshot(`
+      Object {
+        "bool": Object {
+          "filter": Array [
+            Object {
+              "terms": Object {
+                "kibana.alert.rule.rule_type_id": Array [
+                  "siem.esqlRule",
+                ],
               },
             },
-            size: 1000,
-            sort: [],
-          }),
-          ignore_unavailable: true,
-          index: ['security-siem'],
-        }),
-      })
+          ],
+        },
+      }
+    `);
+  });
+
+  it('should apply the consumers filter', async () => {
+    const request: RuleRegistrySearchRequest = {
+      ruleTypeIds: ['siem.esqlRule'],
+      consumers: ['alerts'],
+    };
+
+    const options = {};
+    const deps = {
+      request: {},
+    };
+
+    getAuthorizedRuleTypesMock.mockResolvedValue([]);
+    getAlertIndicesAliasMock.mockReturnValue(['security-siem']);
+
+    const strategy = ruleRegistrySearchStrategyProvider(data, alerting, logger, security, spaces);
+
+    await lastValueFrom(
+      strategy.search(request, options, deps as unknown as SearchStrategyDependencies)
     );
+
+    const arg0 = searchStrategySearch.mock.calls[0][0];
+    expect(arg0.params.body.query).toMatchInlineSnapshot(`
+      Object {
+        "bool": Object {
+          "filter": Array [
+            Object {
+              "terms": Object {
+                "kibana.alert.rule.consumer": Array [
+                  "alerts",
+                ],
+              },
+            },
+            Object {
+              "terms": Object {
+                "kibana.alert.rule.rule_type_id": Array [
+                  "siem.esqlRule",
+                ],
+              },
+            },
+          ],
+        },
+      }
+    `);
   });
 });
diff --git a/x-pack/plugins/rule_registry/server/search_strategy/search_strategy.ts b/x-pack/plugins/rule_registry/server/search_strategy/search_strategy.ts
index a497008086c88..246b38aaf733d 100644
--- a/x-pack/plugins/rule_registry/server/search_strategy/search_strategy.ts
+++ b/x-pack/plugins/rule_registry/server/search_strategy/search_strategy.ts
@@ -4,28 +4,36 @@
  * 2.0; you may not use this file except in compliance with the Elastic License
  * 2.0.
  */
-import { map, mergeMap, catchError } from 'rxjs';
+
+import Boom from '@hapi/boom';
+import { map, mergeMap, catchError, of } from 'rxjs';
 import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { Logger } from '@kbn/core/server';
-import { from, of } from 'rxjs';
-import { isValidFeatureId, AlertConsumers } from '@kbn/rule-data-utils';
+import { from } from 'rxjs';
 import { ENHANCED_ES_SEARCH_STRATEGY } from '@kbn/data-plugin/common';
 import { ISearchStrategy, PluginStart } from '@kbn/data-plugin/server';
 import {
   ReadOperations,
-  PluginStartContract as AlertingStart,
+  AlertingServerStart,
   AlertingAuthorizationEntity,
 } from '@kbn/alerting-plugin/server';
 import { SecurityPluginSetup } from '@kbn/security-plugin/server';
 import { SpacesPluginStart } from '@kbn/spaces-plugin/server';
 import { buildAlertFieldsRequest } from '@kbn/alerts-as-data-utils';
+import { partition } from 'lodash';
+import { isSiemRuleType } from '@kbn/rule-data-utils';
+import { KbnSearchError } from '@kbn/data-plugin/server/search/report_search_error';
 import type { RuleRegistrySearchRequest, RuleRegistrySearchResponse } from '../../common';
 import { MAX_ALERT_SEARCH_SIZE } from '../../common/constants';
 import { AlertAuditAction, alertAuditEvent } from '..';
 import { getSpacesFilter, getAuthzFilter } from '../lib';
+import { getRuleTypeIdsFilter } from '../lib/get_rule_type_ids_filter';
+import { getConsumersFilter } from '../lib/get_consumers_filter';
 
 export const EMPTY_RESPONSE: RuleRegistrySearchResponse = {
-  rawResponse: {} as RuleRegistrySearchResponse['rawResponse'],
+  rawResponse: {
+    hits: { total: 0, hits: [] },
+  } as unknown as RuleRegistrySearchResponse['rawResponse'],
 };
 
 export const RULE_SEARCH_STRATEGY_NAME = 'privateRuleRegistryAlertsSearchStrategy';
@@ -35,7 +43,7 @@ const EXCLUDED_RULE_TYPE_IDS = ['siem.notifications'];
 
 export const ruleRegistrySearchStrategyProvider = (
   data: PluginStart,
-  alerting: AlertingStart,
+  alerting: AlertingServerStart,
   logger: Logger,
   security?: SecurityPluginSetup,
   spaces?: SpacesPluginStart
@@ -44,57 +52,69 @@ export const ruleRegistrySearchStrategyProvider = (
   const requestUserEs = data.search.getSearchStrategy(ENHANCED_ES_SEARCH_STRATEGY);
   return {
     search: (request, options, deps) => {
+      let params = {};
+
       // SIEM uses RBAC fields in their alerts but also utilizes ES DLS which
       // is different than every other solution so we need to special case
       // those requests.
-      let siemRequest = false;
-      let params = {};
-      if (request.featureIds.length === 1 && request.featureIds[0] === AlertConsumers.SIEM) {
-        siemRequest = true;
-      } else if (request.featureIds.includes(AlertConsumers.SIEM)) {
-        throw new Error(
-          `The ${RULE_SEARCH_STRATEGY_NAME} search strategy is unable to accommodate requests containing multiple feature IDs and one of those IDs is SIEM.`
+      const isAnyRuleTypeESAuthorized = request.ruleTypeIds.some(isSiemRuleType);
+      const isEachRuleTypeESAuthorized =
+        // every returns true for empty arrays
+        request.ruleTypeIds.length > 0 && request.ruleTypeIds.every(isSiemRuleType);
+
+      const registeredRuleTypes = alerting.listTypes();
+
+      const [validRuleTypeIds, invalidRuleTypeIds] = partition(request.ruleTypeIds, (ruleTypeId) =>
+        registeredRuleTypes.has(ruleTypeId)
+      );
+
+      if (isAnyRuleTypeESAuthorized && !isEachRuleTypeESAuthorized) {
+        throw new KbnSearchError(
+          `The ${RULE_SEARCH_STRATEGY_NAME} search strategy is unable to accommodate requests containing multiple rule types with mixed authorization.`,
+          400
         );
       }
-      request.featureIds.forEach((featureId) => {
-        if (!isValidFeatureId(featureId)) {
-          logger.warn(
-            `Found invalid feature '${featureId}' while using ${RULE_SEARCH_STRATEGY_NAME} search strategy. No alert data from this feature will be searched.`
-          );
-        }
+
+      invalidRuleTypeIds.forEach((ruleTypeId) => {
+        logger.warn(
+          `Found invalid rule type '${ruleTypeId}' while using ${RULE_SEARCH_STRATEGY_NAME} search strategy. No alert data from this rule type will be searched.`
+        );
       });
 
       const securityAuditLogger = security?.audit.asScoped(deps.request);
       const getActiveSpace = async () => spaces?.spacesService.getActiveSpace(deps.request);
-      const getAsync = async (featureIds: string[]) => {
+
+      const getAsync = async (ruleTypeIds: string[]) => {
         const [space, authorization] = await Promise.all([
           getActiveSpace(),
           alerting.getAlertingAuthorizationWithRequest(deps.request),
         ]);
+
         let authzFilter;
-        const fIds = new Set(featureIds);
-        if (!siemRequest && featureIds.length > 0) {
+
+        if (!isAnyRuleTypeESAuthorized && ruleTypeIds.length > 0) {
           authzFilter = (await getAuthzFilter(
             authorization,
-            ReadOperations.Find,
-            fIds
+            ReadOperations.Find
           )) as estypes.QueryDslQueryContainer;
         }
 
-        const authorizedRuleTypes =
-          featureIds.length > 0
-            ? await authorization.getAuthorizedRuleTypes(AlertingAuthorizationEntity.Alert, fIds)
-            : [];
+        const authorizedRuleTypes = await authorization.getAllAuthorizedRuleTypesFindOperation({
+          authorizationEntity: AlertingAuthorizationEntity.Alert,
+          ruleTypeIds,
+        });
 
         return { space, authzFilter, authorizedRuleTypes };
       };
-      return from(getAsync(request.featureIds)).pipe(
+      return from(getAsync(validRuleTypeIds)).pipe(
         mergeMap(({ space, authzFilter, authorizedRuleTypes }) => {
-          const allRuleTypes = authorizedRuleTypes.map((art: { id: string }) => art.id);
-          const ruleTypes = (allRuleTypes ?? []).filter(
+          const authorizedRuleTypesIds = Array.from(authorizedRuleTypes.keys());
+          const ruleTypes = (authorizedRuleTypesIds ?? []).filter(
             (ruleTypeId: string) => !EXCLUDED_RULE_TYPE_IDS.includes(ruleTypeId)
           );
+
           const indices = alerting.getAlertIndicesAlias(ruleTypes, space?.id);
+
           if (indices.length === 0) {
             return of(EMPTY_RESPONSE);
           }
@@ -104,13 +124,26 @@ export const ruleRegistrySearchStrategyProvider = (
               ? request.query?.bool?.filter
               : [request.query?.bool?.filter]
             : [];
+
           if (authzFilter) {
             filter.push(authzFilter);
           }
+
           if (space?.id) {
             filter.push(getSpacesFilter(space.id) as estypes.QueryDslQueryContainer);
           }
 
+          const ruleTypeFilter = getRuleTypeIdsFilter(request.ruleTypeIds);
+          const consumersFilter = getConsumersFilter(request.consumers);
+
+          if (consumersFilter) {
+            filter.push(consumersFilter);
+          }
+
+          if (ruleTypeFilter) {
+            filter.push(ruleTypeFilter);
+          }
+
           const sort = request.sort ?? [];
 
           const query = {
@@ -123,10 +156,11 @@ export const ruleRegistrySearchStrategyProvider = (
                   },
                 }),
           };
+
           let fields = request?.fields ?? [];
           fields.push({ field: 'kibana.alert.*', include_unmapped: false });
 
-          if (siemRequest) {
+          if (isAnyRuleTypeESAuthorized) {
             fields.push({ field: 'signal.*', include_unmapped: false });
             fields = fields.concat(buildAlertFieldsRequest([], false));
           } else {
@@ -149,7 +183,7 @@ export const ruleRegistrySearchStrategyProvider = (
               ...(request.runtimeMappings ? { runtime_mappings: request.runtimeMappings } : {}),
             },
           };
-          return (siemRequest ? requestUserEs : internalUserEs).search(
+          return (isAnyRuleTypeESAuthorized ? requestUserEs : internalUserEs).search(
             { id: request.id, params },
             options,
             deps
@@ -180,7 +214,6 @@ export const ruleRegistrySearchStrategyProvider = (
           return response;
         }),
         catchError((err) => {
-          // check if auth error, if yes, write to ecs logger
           if (securityAuditLogger != null && err?.output?.statusCode === 403) {
             securityAuditLogger.log(
               alertAuditEvent({
@@ -191,7 +224,15 @@ export const ruleRegistrySearchStrategyProvider = (
             );
           }
 
-          throw err;
+          if (Boom.isBoom(err)) {
+            throw new KbnSearchError(err.output.payload.message, err.output.statusCode);
+          }
+
+          if (err instanceof KbnSearchError) {
+            throw err;
+          }
+
+          throw new KbnSearchError(err.message, 500);
         })
       );
     },
diff --git a/x-pack/plugins/security_solution/public/attack_discovery/pages/results/attack_discovery_panel/tabs/alerts_tab/index.tsx b/x-pack/plugins/security_solution/public/attack_discovery/pages/results/attack_discovery_panel/tabs/alerts_tab/index.tsx
index 97bec48eaaae6..1976d97c9c8d5 100644
--- a/x-pack/plugins/security_solution/public/attack_discovery/pages/results/attack_discovery_panel/tabs/alerts_tab/index.tsx
+++ b/x-pack/plugins/security_solution/public/attack_discovery/pages/results/attack_discovery_panel/tabs/alerts_tab/index.tsx
@@ -6,9 +6,11 @@
  */
 
 import type { AttackDiscovery, Replacements } from '@kbn/elastic-assistant-common';
-import { AlertConsumers } from '@kbn/rule-registry-plugin/common/technical_rule_data_field_names';
+import { SECURITY_SOLUTION_RULE_TYPE_IDS } from '@kbn/securitysolution-rules';
+import type { AlertsTableStateProps } from '@kbn/triggers-actions-ui-plugin/public/application/sections/alerts_table/alerts_table_state';
 import React, { useMemo } from 'react';
 
+import { AlertConsumers } from '@kbn/rule-data-utils';
 import { ALERTS_TABLE_REGISTRY_CONFIG_IDS } from '../../../../../../../common/constants';
 import { useKibana } from '../../../../../../common/lib/kibana';
 
@@ -39,12 +41,13 @@ const AlertsTabComponent: React.FC<Props> = ({ attackDiscovery, replacements })
 
   const configId = ALERTS_TABLE_REGISTRY_CONFIG_IDS.CASE; // show the same row-actions as in the case view
 
-  const alertStateProps = useMemo(
+  const alertStateProps: AlertsTableStateProps = useMemo(
     () => ({
       alertsTableConfigurationRegistry: triggersActionsUi.alertsTableConfigurationRegistry,
       configurationId: configId,
       id: `attack-discovery-alerts-${attackDiscovery.id}`,
-      featureIds: [AlertConsumers.SIEM],
+      ruleTypeIds: SECURITY_SOLUTION_RULE_TYPE_IDS,
+      consumers: [AlertConsumers.SIEM],
       query: alertIdsQuery,
       showAlertStatusWithFlapping: false,
     }),
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/index.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/index.tsx
index 3b637340e01e4..013cd87cdf070 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/index.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/index.tsx
@@ -12,7 +12,7 @@ import type { FC } from 'react';
 import React, { useRef, useEffect, useState, useCallback, useMemo } from 'react';
 import type { AlertsTableStateProps } from '@kbn/triggers-actions-ui-plugin/public/application/sections/alerts_table/alerts_table_state';
 import type { Alert } from '@kbn/triggers-actions-ui-plugin/public/types';
-import { ALERT_BUILDING_BLOCK_TYPE } from '@kbn/rule-data-utils';
+import { ALERT_BUILDING_BLOCK_TYPE, AlertConsumers } from '@kbn/rule-data-utils';
 import styled from 'styled-components';
 import { useDispatch } from 'react-redux';
 import { getEsQueryConfig } from '@kbn/data-plugin/public';
@@ -22,6 +22,7 @@ import {
   tableDefaults,
   TableId,
 } from '@kbn/securitysolution-data-table';
+import { SECURITY_SOLUTION_RULE_TYPE_IDS } from '@kbn/securitysolution-rules';
 import type { RunTimeMappings } from '@kbn/timelines-plugin/common/search_strategy';
 import { useGlobalTime } from '../../../common/containers/use_global_time';
 import { useLicense } from '../../../common/hooks/use_license';
@@ -55,7 +56,7 @@ const { updateIsLoading, updateTotalCount } = dataTableActions;
 
 const DEFAULT_DATA_GRID_HEIGHT = 600;
 
-const ALERT_TABLE_FEATURE_ID: AlertsTableStateProps['featureIds'] = ['siem'];
+const ALERT_TABLE_CONSUMERS: AlertsTableStateProps['consumers'] = [AlertConsumers.SIEM];
 
 // Highlight rows with building block alerts
 const shouldHighlightRow = (alert: Alert) => !!alert[ALERT_BUILDING_BLOCK_TYPE];
@@ -287,7 +288,8 @@ export const AlertsTableComponent: FC<DetectionEngineAlertTableProps> = ({
       configurationId: configId,
       // stores separate configuration based on the view of the table
       id: `detection-engine-alert-table-${configId}-${tableView}`,
-      featureIds: ALERT_TABLE_FEATURE_ID,
+      ruleTypeIds: SECURITY_SOLUTION_RULE_TYPE_IDS,
+      consumers: ALERT_TABLE_CONSUMERS,
       query: finalBoolQuery,
       gridStyle,
       shouldHighlightRow,
diff --git a/x-pack/plugins/security_solution/public/detections/components/detection_engine_filters/detection_engine_filters.tsx b/x-pack/plugins/security_solution/public/detections/components/detection_engine_filters/detection_engine_filters.tsx
index 126c86055aa4c..5e5f3418b3e2b 100644
--- a/x-pack/plugins/security_solution/public/detections/components/detection_engine_filters/detection_engine_filters.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/detection_engine_filters/detection_engine_filters.tsx
@@ -7,12 +7,12 @@
 
 import React, { useCallback, useMemo } from 'react';
 import type { FilterControlConfig } from '@kbn/alerts-ui-shared';
-import { AlertConsumers } from '@kbn/rule-data-utils';
 import { createKbnUrlStateStorage, Storage } from '@kbn/kibana-utils-plugin/public';
 import { ControlGroupRenderer } from '@kbn/controls-plugin/public';
 import type { AlertFilterControlsProps } from '@kbn/alerts-ui-shared/src/alert_filter_controls';
 import { AlertFilterControls } from '@kbn/alerts-ui-shared/src/alert_filter_controls';
 import { useHistory } from 'react-router-dom';
+import { SECURITY_SOLUTION_RULE_TYPE_IDS } from '@kbn/securitysolution-rules';
 import { useKibana } from '../../../common/lib/kibana';
 import { DEFAULT_DETECTION_PAGE_FILTERS } from '../../../../common/constants';
 import { URL_PARAM_KEY } from '../../../common/hooks/use_url_state';
@@ -75,7 +75,7 @@ export const DetectionEngineFilters = ({ indexPattern, ...props }: DetectionEngi
       controlsUrlState={filterControlsUrlState}
       setControlsUrlState={setFilterControlsUrlState}
       spaceId={spaceId}
-      featureIds={[AlertConsumers.SIEM]}
+      ruleTypeIds={SECURITY_SOLUTION_RULE_TYPE_IDS}
       chainingSystem="HIERARCHICAL"
       defaultControls={DEFAULT_DETECTION_PAGE_FILTERS}
       dataViewSpec={dataViewSpec}
diff --git a/x-pack/plugins/security_solution/server/endpoint/endpoint_app_context_services.ts b/x-pack/plugins/security_solution/server/endpoint/endpoint_app_context_services.ts
index 1afa24ebbd529..bdffed6c1269a 100644
--- a/x-pack/plugins/security_solution/server/endpoint/endpoint_app_context_services.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/endpoint_app_context_services.ts
@@ -21,7 +21,7 @@ import type {
   FleetStartContract,
   MessageSigningServiceInterface,
 } from '@kbn/fleet-plugin/server';
-import type { PluginStartContract as AlertsPluginStartContract } from '@kbn/alerting-plugin/server';
+import type { AlertingServerStart } from '@kbn/alerting-plugin/server';
 import type { CloudSetup } from '@kbn/cloud-plugin/server';
 import type { FleetActionsClientInterface } from '@kbn/fleet-plugin/server/services/actions/types';
 import type { PluginStartContract as ActionsPluginStartContract } from '@kbn/actions-plugin/server';
@@ -73,7 +73,7 @@ export interface EndpointAppContextServiceStartContract {
   fleetStartServices: FleetStartContract;
   manifestManager: ManifestManager;
   security: SecurityServiceStart;
-  alerting: AlertsPluginStartContract;
+  alerting: AlertingServerStart;
   config: ConfigType;
   registerListsServerExtension?: ListsServerExtensionRegistrar;
   licenseService: LicenseService;
diff --git a/x-pack/plugins/security_solution/server/fleet_integration/fleet_integration.ts b/x-pack/plugins/security_solution/server/fleet_integration/fleet_integration.ts
index 54f1ce8cc7e01..4987250644cb4 100644
--- a/x-pack/plugins/security_solution/server/fleet_integration/fleet_integration.ts
+++ b/x-pack/plugins/security_solution/server/fleet_integration/fleet_integration.ts
@@ -7,7 +7,7 @@
 
 import type { Logger, ElasticsearchClient, SavedObjectsClientContract } from '@kbn/core/server';
 import type { ExceptionListClient } from '@kbn/lists-plugin/server';
-import type { PluginStartContract as AlertsStartContract } from '@kbn/alerting-plugin/server';
+import type { AlertingServerStart } from '@kbn/alerting-plugin/server';
 import type {
   PostPackagePolicyCreateCallback,
   PostPackagePolicyPostDeleteCallback,
@@ -119,7 +119,7 @@ export const getPackagePolicyCreateCallback = (
   logger: Logger,
   manifestManager: ManifestManager,
   securitySolutionRequestContextFactory: IRequestContextFactory,
-  alerts: AlertsStartContract,
+  alerts: AlertingServerStart,
   licenseService: LicenseService,
   exceptionsClient: ExceptionListClient | undefined,
   cloud: CloudSetup,
diff --git a/x-pack/plugins/security_solution/server/fleet_integration/handlers/install_prepackaged_rules.ts b/x-pack/plugins/security_solution/server/fleet_integration/handlers/install_prepackaged_rules.ts
index d4a60be85d3ea..891face9f2879 100644
--- a/x-pack/plugins/security_solution/server/fleet_integration/handlers/install_prepackaged_rules.ts
+++ b/x-pack/plugins/security_solution/server/fleet_integration/handlers/install_prepackaged_rules.ts
@@ -7,7 +7,7 @@
 
 import type { KibanaRequest, Logger } from '@kbn/core/server';
 import type { ExceptionListClient } from '@kbn/lists-plugin/server';
-import type { PluginStartContract as AlertsStartContract } from '@kbn/alerting-plugin/server';
+import type { AlertingServerStart } from '@kbn/alerting-plugin/server';
 import { createDetectionIndex } from '../../lib/detection_engine/routes/index/create_index_route';
 import { createPrepackagedRules } from '../../lib/detection_engine/prebuilt_rules';
 import type { SecuritySolutionApiRequestHandlerContext } from '../../types';
@@ -16,7 +16,7 @@ export interface InstallPrepackagedRulesProps {
   logger: Logger;
   context: SecuritySolutionApiRequestHandlerContext;
   request: KibanaRequest;
-  alerts: AlertsStartContract;
+  alerts: AlertingServerStart;
   exceptionsClient: ExceptionListClient;
 }
 
@@ -45,11 +45,8 @@ export const installPrepackagedRules = async ({
   try {
     // this checks to make sure index exists first, safe to try in case of failure above
     // may be able to recover from minor errors
-    await createPrepackagedRules(
-      context,
-      alerts.getRulesClientWithRequest(request),
-      exceptionsClient
-    );
+    const rulesClient = await alerts.getRulesClientWithRequest(request);
+    await createPrepackagedRules(context, rulesClient, exceptionsClient);
   } catch (err) {
     logger.error(
       `Unable to create detection rules automatically (${err.statusCode}): ${err.message}`
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/get_prebuilt_rules_and_timelines_status/get_prebuilt_rules_and_timelines_status_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/get_prebuilt_rules_and_timelines_status/get_prebuilt_rules_and_timelines_status_route.ts
index dc9c15ac5b5f7..718c16387281a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/get_prebuilt_rules_and_timelines_status/get_prebuilt_rules_and_timelines_status_route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/get_prebuilt_rules_and_timelines_status/get_prebuilt_rules_and_timelines_status_route.ts
@@ -45,7 +45,7 @@ export const getPrebuiltRulesAndTimelinesStatusRoute = (router: SecuritySolution
         const siemResponse = buildSiemResponse(response);
         const ctx = await context.resolve(['core', 'alerting']);
         const savedObjectsClient = ctx.core.savedObjects.client;
-        const rulesClient = ctx.alerting.getRulesClient();
+        const rulesClient = await ctx.alerting.getRulesClient();
         const ruleAssetsClient = createPrebuiltRuleAssetsClient(savedObjectsClient);
 
         try {
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/get_prebuilt_rules_status/get_prebuilt_rules_status_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/get_prebuilt_rules_status/get_prebuilt_rules_status_route.ts
index 0561c826e0c78..52e2c552c74fa 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/get_prebuilt_rules_status/get_prebuilt_rules_status_route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/get_prebuilt_rules_status/get_prebuilt_rules_status_route.ts
@@ -37,7 +37,7 @@ export const getPrebuiltRulesStatusRoute = (router: SecuritySolutionPluginRouter
         try {
           const ctx = await context.resolve(['core', 'alerting']);
           const soClient = ctx.core.savedObjects.client;
-          const rulesClient = ctx.alerting.getRulesClient();
+          const rulesClient = await ctx.alerting.getRulesClient();
           const ruleAssetsClient = createPrebuiltRuleAssetsClient(soClient);
           const ruleObjectsClient = createPrebuiltRuleObjectsClient(rulesClient);
 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/install_prebuilt_rules_and_timelines/install_prebuilt_rules_and_timelines_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/install_prebuilt_rules_and_timelines/install_prebuilt_rules_and_timelines_route.ts
index 8740d27fce817..f24454726c615 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/install_prebuilt_rules_and_timelines/install_prebuilt_rules_and_timelines_route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/install_prebuilt_rules_and_timelines/install_prebuilt_rules_and_timelines_route.ts
@@ -53,7 +53,7 @@ export const installPrebuiltRulesAndTimelinesRoute = (router: SecuritySolutionPl
         const siemResponse = buildSiemResponse(response);
 
         try {
-          const rulesClient = (await context.alerting).getRulesClient();
+          const rulesClient = await (await context.alerting).getRulesClient();
 
           const validated = await createPrepackagedRules(
             await context.securitySolution,
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_installation/perform_rule_installation_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_installation/perform_rule_installation_route.ts
index 8b4d38bd2f4a4..a2abc00b43a39 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_installation/perform_rule_installation_route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_installation/perform_rule_installation_route.ts
@@ -61,7 +61,7 @@ export const performRuleInstallationRoute = (router: SecuritySolutionPluginRoute
           const ctx = await context.resolve(['core', 'alerting', 'securitySolution']);
           const config = ctx.securitySolution.getConfig();
           const soClient = ctx.core.savedObjects.client;
-          const rulesClient = ctx.alerting.getRulesClient();
+          const rulesClient = await ctx.alerting.getRulesClient();
           const detectionRulesClient = ctx.securitySolution.getDetectionRulesClient();
           const ruleAssetsClient = createPrebuiltRuleAssetsClient(soClient);
           const ruleObjectsClient = createPrebuiltRuleObjectsClient(rulesClient);
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/perform_rule_upgrade_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/perform_rule_upgrade_route.ts
index db5f7a186d303..cb0baca5c522e 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/perform_rule_upgrade_route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/perform_rule_upgrade_route.ts
@@ -61,7 +61,7 @@ export const performRuleUpgradeRoute = (
         try {
           const ctx = await context.resolve(['core', 'alerting', 'securitySolution']);
           const soClient = ctx.core.savedObjects.client;
-          const rulesClient = ctx.alerting.getRulesClient();
+          const rulesClient = await ctx.alerting.getRulesClient();
           const detectionRulesClient = ctx.securitySolution.getDetectionRulesClient();
           const ruleAssetsClient = createPrebuiltRuleAssetsClient(soClient);
           const ruleObjectsClient = createPrebuiltRuleObjectsClient(rulesClient);
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/review_rule_installation/review_rule_installation_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/review_rule_installation/review_rule_installation_route.ts
index c1c45532f61bb..78d75603dd23b 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/review_rule_installation/review_rule_installation_route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/review_rule_installation/review_rule_installation_route.ts
@@ -48,7 +48,7 @@ export const reviewRuleInstallationRoute = (router: SecuritySolutionPluginRouter
         try {
           const ctx = await context.resolve(['core', 'alerting']);
           const soClient = ctx.core.savedObjects.client;
-          const rulesClient = ctx.alerting.getRulesClient();
+          const rulesClient = await ctx.alerting.getRulesClient();
           const ruleAssetsClient = createPrebuiltRuleAssetsClient(soClient);
           const ruleObjectsClient = createPrebuiltRuleObjectsClient(rulesClient);
 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/review_rule_upgrade/review_rule_upgrade_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/review_rule_upgrade/review_rule_upgrade_route.ts
index 3da62bd9bb21d..0f8dee1a4e2ff 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/review_rule_upgrade/review_rule_upgrade_route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/review_rule_upgrade/review_rule_upgrade_route.ts
@@ -57,7 +57,7 @@ export const reviewRuleUpgradeRoute = (router: SecuritySolutionPluginRouter) =>
         try {
           const ctx = await context.resolve(['core', 'alerting']);
           const soClient = ctx.core.savedObjects.client;
-          const rulesClient = ctx.alerting.getRulesClient();
+          const rulesClient = await ctx.alerting.getRulesClient();
           const ruleAssetsClient = createPrebuiltRuleAssetsClient(soClient);
           const ruleObjectsClient = createPrebuiltRuleObjectsClient(rulesClient);
 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_context.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_context.ts
index cba989890438e..3c99cebbbe8fb 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_context.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_context.ts
@@ -103,7 +103,7 @@ const createRequestContextMock = (
       getActionsClient: jest.fn(() => clients.actionsClient),
     } as unknown as jest.Mocked<ActionsApiRequestHandlerContext>,
     alerting: {
-      getRulesClient: jest.fn(() => clients.rulesClient),
+      getRulesClient: jest.fn().mockResolvedValue(clients.rulesClient),
     } as unknown as jest.Mocked<AlertingApiRequestHandlerContext>,
     licensing: clients.licensing,
     lists: {
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_actions_legacy/api/create_legacy_notification/route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_actions_legacy/api/create_legacy_notification/route.ts
index d5623df8db91c..2a06549f3f359 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_actions_legacy/api/create_legacy_notification/route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_actions_legacy/api/create_legacy_notification/route.ts
@@ -64,7 +64,7 @@ export const legacyCreateLegacyNotificationRoute = (
         },
       },
       async (context, request, response) => {
-        const rulesClient = (await context.alerting).getRulesClient();
+        const rulesClient = await (await context.alerting).getRulesClient();
         const savedObjectsClient = (await context.core).savedObjects.client;
         const { alert_id: ruleAlertId } = request.query;
         const { actions, interval, name } = request.body;
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_exceptions/api/create_rule_exceptions/route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_exceptions/api/create_rule_exceptions/route.ts
index 1d8038b1052c3..b178d912ccf27 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_exceptions/api/create_rule_exceptions/route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_exceptions/api/create_rule_exceptions/route.ts
@@ -63,7 +63,7 @@ export const createRuleExceptionsRoute = (router: SecuritySolutionPluginRouter)
             'licensing',
             'lists',
           ]);
-          const rulesClient = ctx.alerting.getRulesClient();
+          const rulesClient = await ctx.alerting.getRulesClient();
           const listsClient = ctx.securitySolution.getExceptionListClient();
           const detectionRulesClient = ctx.securitySolution.getDetectionRulesClient();
 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_exceptions/api/find_exception_references/route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_exceptions/api/find_exception_references/route.ts
index 3680a70525fd4..db890c7104e58 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_exceptions/api/find_exception_references/route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_exceptions/api/find_exception_references/route.ts
@@ -54,7 +54,7 @@ export const findRuleExceptionReferencesRoute = (router: SecuritySolutionPluginR
           const { ids, namespace_types: namespaceTypes, list_ids: listIds } = request.query;
 
           const ctx = await context.resolve(['core', 'securitySolution', 'alerting']);
-          const rulesClient = ctx.alerting.getRulesClient();
+          const rulesClient = await ctx.alerting.getRulesClient();
           const listsClient = ctx.securitySolution.getExceptionListClient();
 
           if (
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/bulk_actions/route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/bulk_actions/route.ts
index e599ff4a936ef..e0b33b35e2e1f 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/bulk_actions/route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/bulk_actions/route.ts
@@ -131,7 +131,7 @@ export const performBulkActionRoute = (
             'actions',
           ]);
 
-          const rulesClient = ctx.alerting.getRulesClient();
+          const rulesClient = await ctx.alerting.getRulesClient();
           const exceptionsClient = ctx.lists?.getExceptionListClient();
           const savedObjectsClient = ctx.core.savedObjects.client;
           const actionsClient = ctx.actions.getActionsClient();
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/bulk_create_rules/route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/bulk_create_rules/route.ts
index 4a9b0b659e982..c868ddf7ffe22 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/bulk_create_rules/route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/bulk_create_rules/route.ts
@@ -64,7 +64,7 @@ export const bulkCreateRulesRoute = (router: SecuritySolutionPluginRouter, logge
 
         try {
           const ctx = await context.resolve(['core', 'securitySolution', 'licensing', 'alerting']);
-          const rulesClient = ctx.alerting.getRulesClient();
+          const rulesClient = await ctx.alerting.getRulesClient();
           const detectionRulesClient = ctx.securitySolution.getDetectionRulesClient();
 
           const ruleDefinitions = request.body;
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/bulk_delete_rules/route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/bulk_delete_rules/route.ts
index f582e19d2bcad..1a73b0802188c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/bulk_delete_rules/route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/bulk_delete_rules/route.ts
@@ -59,7 +59,7 @@ export const bulkDeleteRulesRoute = (router: SecuritySolutionPluginRouter, logge
     try {
       const ctx = await context.resolve(['core', 'securitySolution', 'alerting']);
 
-      const rulesClient = ctx.alerting.getRulesClient();
+      const rulesClient = await ctx.alerting.getRulesClient();
       const detectionRulesClient = ctx.securitySolution.getDetectionRulesClient();
 
       const rules = await Promise.all(
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/bulk_patch_rules/route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/bulk_patch_rules/route.ts
index d3d4648ccdde9..a47aab03efc1d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/bulk_patch_rules/route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/bulk_patch_rules/route.ts
@@ -58,7 +58,7 @@ export const bulkPatchRulesRoute = (router: SecuritySolutionPluginRouter, logger
 
         try {
           const ctx = await context.resolve(['core', 'securitySolution', 'alerting', 'licensing']);
-          const rulesClient = ctx.alerting.getRulesClient();
+          const rulesClient = await ctx.alerting.getRulesClient();
           const detectionRulesClient = ctx.securitySolution.getDetectionRulesClient();
 
           const rules = await Promise.all(
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/bulk_update_rules/route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/bulk_update_rules/route.ts
index a2c14610fdf2c..52185633d1007 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/bulk_update_rules/route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/bulk_update_rules/route.ts
@@ -62,7 +62,7 @@ export const bulkUpdateRulesRoute = (router: SecuritySolutionPluginRouter, logge
 
         try {
           const ctx = await context.resolve(['core', 'securitySolution', 'alerting', 'licensing']);
-          const rulesClient = ctx.alerting.getRulesClient();
+          const rulesClient = await ctx.alerting.getRulesClient();
           const detectionRulesClient = ctx.securitySolution.getDetectionRulesClient();
 
           const rules = await Promise.all(
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/coverage_overview/route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/coverage_overview/route.ts
index a959c522c1718..a3c6a07e0b8be 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/coverage_overview/route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/coverage_overview/route.ts
@@ -45,7 +45,7 @@ export const getCoverageOverviewRoute = (router: SecuritySolutionPluginRouter) =
 
           const responseData = await handleCoverageOverviewRequest({
             params: request.body,
-            deps: { rulesClient: ctx.alerting.getRulesClient() },
+            deps: { rulesClient: await ctx.alerting.getRulesClient() },
           });
 
           return response.ok({
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/create_rule/route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/create_rule/route.ts
index a5fee66d00148..dbeaed85db055 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/create_rule/route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/create_rule/route.ts
@@ -58,7 +58,7 @@ export const createRuleRoute = (router: SecuritySolutionPluginRouter): void => {
             'lists',
           ]);
 
-          const rulesClient = ctx.alerting.getRulesClient();
+          const rulesClient = await ctx.alerting.getRulesClient();
           const detectionRulesClient = ctx.securitySolution.getDetectionRulesClient();
           const exceptionsClient = ctx.lists?.getExceptionListClient();
 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/delete_rule/route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/delete_rule/route.ts
index a5854e9a2caf5..3e5ef8aa8ab7a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/delete_rule/route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/delete_rule/route.ts
@@ -50,7 +50,7 @@ export const deleteRuleRoute = (router: SecuritySolutionPluginRouter) => {
           const { id, rule_id: ruleId } = request.query;
 
           const ctx = await context.resolve(['core', 'securitySolution', 'alerting']);
-          const rulesClient = ctx.alerting.getRulesClient();
+          const rulesClient = await ctx.alerting.getRulesClient();
           const detectionRulesClient = ctx.securitySolution.getDetectionRulesClient();
 
           const rule = await readRules({ rulesClient, id, ruleId });
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/export_rules/route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/export_rules/route.ts
index a37bb29963332..be19da6df831e 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/export_rules/route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/export_rules/route.ts
@@ -56,7 +56,7 @@ export const exportRulesRoute = (
       },
       async (context, request, response) => {
         const siemResponse = buildSiemResponse(response);
-        const rulesClient = (await context.alerting).getRulesClient();
+        const rulesClient = await (await context.alerting).getRulesClient();
         const exceptionsClient = (await context.lists)?.getExceptionListClient();
         const actionsClient = (await context.actions)?.getActionsClient();
 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/filters/route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/filters/route.ts
index 05633892cdddb..6496c6edc2a87 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/filters/route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/filters/route.ts
@@ -70,7 +70,7 @@ export const getRuleManagementFilters = (router: SecuritySolutionPluginRouter) =
       async (context, _, response): Promise<IKibanaResponse<GetRuleManagementFiltersResponse>> => {
         const siemResponse = buildSiemResponse(response);
         const ctx = await context.resolve(['alerting']);
-        const rulesClient = ctx.alerting.getRulesClient();
+        const rulesClient = await ctx.alerting.getRulesClient();
 
         try {
           const [{ prebuilt: prebuiltRulesCount, custom: customRulesCount }, tags] =
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/find_rules/route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/find_rules/route.ts
index 899e568e79630..dbe58e7815ea5 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/find_rules/route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/find_rules/route.ts
@@ -51,7 +51,7 @@ export const findRulesRoute = (router: SecuritySolutionPluginRouter, logger: Log
         try {
           const { query } = request;
           const ctx = await context.resolve(['core', 'securitySolution', 'alerting']);
-          const rulesClient = ctx.alerting.getRulesClient();
+          const rulesClient = await ctx.alerting.getRulesClient();
 
           const rules = await findRules({
             rulesClient,
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/patch_rule/route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/patch_rule/route.ts
index fcd388e81d1e7..6971628a780d9 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/patch_rule/route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/patch_rule/route.ts
@@ -52,7 +52,7 @@ export const patchRuleRoute = (router: SecuritySolutionPluginRouter) => {
         }
         try {
           const params = request.body;
-          const rulesClient = (await context.alerting).getRulesClient();
+          const rulesClient = await (await context.alerting).getRulesClient();
           const detectionRulesClient = (await context.securitySolution).getDetectionRulesClient();
 
           const existingRule = await readRules({
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/read_rule/route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/read_rule/route.ts
index f8826e8aad45b..53b8ca4085209 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/read_rule/route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/read_rule/route.ts
@@ -49,7 +49,7 @@ export const readRuleRoute = (router: SecuritySolutionPluginRouter, logger: Logg
         const { id, rule_id: ruleId } = request.query;
 
         try {
-          const rulesClient = (await context.alerting).getRulesClient();
+          const rulesClient = await (await context.alerting).getRulesClient();
 
           // TODO: https://github.com/elastic/kibana/issues/125642 Reuse fetchRuleById
           const rule = await readRules({
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/update_rule/route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/update_rule/route.ts
index 0bedcb25de528..8a83aae938d6f 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/update_rule/route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/update_rule/route.ts
@@ -50,7 +50,7 @@ export const updateRuleRoute = (router: SecuritySolutionPluginRouter) => {
         }
         try {
           const ctx = await context.resolve(['core', 'securitySolution', 'alerting', 'licensing']);
-          const rulesClient = ctx.alerting.getRulesClient();
+          const rulesClient = await ctx.alerting.getRulesClient();
           const detectionRulesClient = ctx.securitySolution.getDetectionRulesClient();
 
           checkDefaultRuleExceptionListReferences({ exceptionLists: request.body.exceptions_list });
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/tags/read_tags/route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/tags/read_tags/route.ts
index d94f695f39179..0332dfe024964 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/tags/read_tags/route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/tags/read_tags/route.ts
@@ -32,7 +32,7 @@ export const readTagsRoute = (router: SecuritySolutionPluginRouter) => {
       async (context, request, response): Promise<IKibanaResponse<ReadTagsResponse>> => {
         const siemResponse = buildSiemResponse(response);
         const ctx = await context.resolve(['alerting']);
-        const rulesClient = ctx.alerting.getRulesClient();
+        const rulesClient = await ctx.alerting.getRulesClient();
 
         try {
           const tags = await readTags({
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/__mocks__/rule_type.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/__mocks__/rule_type.ts
index c3b748f5d1828..b36ca687bc515 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/__mocks__/rule_type.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/__mocks__/rule_type.ts
@@ -16,7 +16,7 @@ import type { IRuleDataClient } from '@kbn/rule-registry-plugin/server';
 import { ruleRegistryMocks } from '@kbn/rule-registry-plugin/server/mocks';
 import { eventLogServiceMock } from '@kbn/event-log-plugin/server/mocks';
 import type { PluginSetupContract as ActionsPluginSetupContract } from '@kbn/actions-plugin/server';
-import type { PluginSetupContract as AlertingPluginSetupContract } from '@kbn/alerting-plugin/server';
+import type { AlertingServerSetup } from '@kbn/alerting-plugin/server';
 import type { ConfigType } from '../../../../config';
 import type { AlertAttributes } from '../types';
 import { createRuleMock } from './rule';
@@ -48,7 +48,7 @@ export const createRuleTypeMocks = (
       alertExecutor = executor;
     },
     getConfig: () => ({ run: { alerts: { max: DEFAULT_MAX_ALERTS } } }),
-  } as AlertingPluginSetupContract;
+  } as AlertingServerSetup;
 
   const actions = {
     registerType: jest.fn(),
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/search_after_bulk_create.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/search_after_bulk_create.test.ts
index d2e51e03908f7..d3b0c2dd6b420 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/search_after_bulk_create.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/search_after_bulk_create.test.ts
@@ -48,7 +48,7 @@ import { ruleExecutionLogMock } from '../../rule_monitoring/mocks';
 import type { BuildReasonMessage } from './reason_formatters';
 import type { QueryRuleParams } from '../../rule_schema';
 import { SERVER_APP_ID } from '../../../../../common/constants';
-import type { PluginSetupContract } from '@kbn/alerting-plugin/server';
+import type { AlertingServerSetup } from '@kbn/alerting-plugin/server';
 
 describe('searchAfterAndBulkCreate', () => {
   let mockService: RuleExecutorServicesMock;
@@ -58,7 +58,7 @@ describe('searchAfterAndBulkCreate', () => {
   let wrapHits: WrapHits;
   let inputIndexPattern: string[] = [];
   let listClient = listMock.getListClient();
-  let alerting: PluginSetupContract;
+  let alerting: AlertingServerSetup;
   const ruleExecutionLogger = ruleExecutionLogMock.forExecutors.create();
   const someGuids = Array.from({ length: 13 }).map(() => uuidv4());
   const sampleParams = getQueryRuleParams();
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.test.ts
index 5397d473af3c8..0a625ed5f245b 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.test.ts
@@ -68,7 +68,7 @@ import type { ShardError } from '../../../types';
 import { ruleExecutionLogMock } from '../../rule_monitoring/mocks';
 import type { GenericBulkCreateResponse } from '../factories';
 import type { BaseFieldsLatest } from '../../../../../common/api/detection_engine/model/alerts';
-import type { PluginSetupContract } from '@kbn/alerting-plugin/server';
+import type { AlertingServerSetup } from '@kbn/alerting-plugin/server';
 
 describe('utils', () => {
   const anchor = '2020-01-01T06:06:06.666Z';
@@ -446,7 +446,7 @@ describe('utils', () => {
   });
 
   describe('getRuleRangeTuples', () => {
-    let alerting: PluginSetupContract;
+    let alerting: AlertingServerSetup;
 
     beforeEach(() => {
       alerting = alertsMock.createSetup();
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.ts
index 45193c14fa396..bf0899978f2b2 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.ts
@@ -27,7 +27,7 @@ import type {
 import type {
   AlertInstanceContext,
   AlertInstanceState,
-  PluginSetupContract,
+  AlertingServerSetup,
   RuleExecutorServices,
 } from '@kbn/alerting-plugin/server';
 import { parseDuration } from '@kbn/alerting-plugin/server';
@@ -429,7 +429,7 @@ export const getRuleRangeTuples = async ({
   interval: string;
   maxSignals: number;
   ruleExecutionLogger: IRuleExecutionLogForExecutors;
-  alerting: PluginSetupContract;
+  alerting: AlertingServerSetup;
 }) => {
   const originalFrom = dateMath.parse(from, { forceNow: startedAt });
   const originalTo = dateMath.parse(to, { forceNow: startedAt });
diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/api/retry.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/api/retry.ts
index 4406afc4333e5..0fb96d9aaf72c 100644
--- a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/api/retry.ts
+++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/api/retry.ts
@@ -50,7 +50,7 @@ export const registerSiemRuleMigrationsRetryRoute = (
             const inferenceClient = ctx.securitySolution.getInferenceClient();
             const actionsClient = ctx.actions.getActionsClient();
             const soClient = ctx.core.savedObjects.client;
-            const rulesClient = ctx.alerting.getRulesClient();
+            const rulesClient = await ctx.alerting.getRulesClient();
 
             const invocationConfig = {
               callbacks: [
diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/api/rules/install.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/api/rules/install.ts
index 659534891b289..7e8b1a25a4837 100644
--- a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/api/rules/install.ts
+++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/api/rules/install.ts
@@ -47,7 +47,7 @@ export const registerSiemRuleMigrationsInstallRoute = (
 
             const securitySolutionContext = ctx.securitySolution;
             const savedObjectsClient = ctx.core.savedObjects.client;
-            const rulesClient = ctx.alerting.getRulesClient();
+            const rulesClient = await ctx.alerting.getRulesClient();
 
             await installTranslated({
               migrationId,
diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/api/rules/install_translated.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/api/rules/install_translated.ts
index ae4328e0ccf37..6fd4b5f0980b6 100644
--- a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/api/rules/install_translated.ts
+++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/api/rules/install_translated.ts
@@ -46,7 +46,7 @@ export const registerSiemRuleMigrationsInstallTranslatedRoute = (
 
             const securitySolutionContext = ctx.securitySolution;
             const savedObjectsClient = ctx.core.savedObjects.client;
-            const rulesClient = ctx.alerting.getRulesClient();
+            const rulesClient = await ctx.alerting.getRulesClient();
 
             await installTranslated({
               migrationId,
diff --git a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/api/start.ts b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/api/start.ts
index 73ba2fd3cce71..e9369c0e8d19d 100644
--- a/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/api/start.ts
+++ b/x-pack/plugins/security_solution/server/lib/siem_migrations/rules/api/start.ts
@@ -50,7 +50,7 @@ export const registerSiemRuleMigrationsStartRoute = (
             const inferenceClient = ctx.securitySolution.getInferenceClient();
             const actionsClient = ctx.actions.getActionsClient();
             const soClient = ctx.core.savedObjects.client;
-            const rulesClient = ctx.alerting.getRulesClient();
+            const rulesClient = await ctx.alerting.getRulesClient();
 
             const invocationConfig = {
               callbacks: [
diff --git a/x-pack/plugins/security_solution/server/plugin_contract.ts b/x-pack/plugins/security_solution/server/plugin_contract.ts
index c178f0654d9bd..b1e7d0b613800 100644
--- a/x-pack/plugins/security_solution/server/plugin_contract.ts
+++ b/x-pack/plugins/security_solution/server/plugin_contract.ts
@@ -12,10 +12,7 @@ import type {
 } from '@kbn/data-plugin/server';
 import type { PluginStart as DataViewsPluginStart } from '@kbn/data-views-plugin/server';
 import type { UsageCollectionSetup as UsageCollectionPluginSetup } from '@kbn/usage-collection-plugin/server';
-import type {
-  PluginSetupContract as AlertingPluginSetup,
-  PluginStartContract as AlertingPluginStart,
-} from '@kbn/alerting-plugin/server';
+import type { AlertingServerSetup, AlertingServerStart } from '@kbn/alerting-plugin/server';
 import type {
   PluginSetupContract as ActionsPluginSetup,
   PluginStartContract as ActionsPluginStartContract,
@@ -50,7 +47,7 @@ import type { ProductFeaturesService } from './lib/product_features_service/prod
 import type { ExperimentalFeatures } from '../common';
 
 export interface SecuritySolutionPluginSetupDependencies {
-  alerting: AlertingPluginSetup;
+  alerting: AlertingServerSetup;
   actions: ActionsPluginSetup;
   cases: CasesServerSetup;
   cloud: CloudSetup;
@@ -73,7 +70,7 @@ export interface SecuritySolutionPluginSetupDependencies {
 }
 
 export interface SecuritySolutionPluginStartDependencies {
-  alerting: AlertingPluginStart;
+  alerting: AlertingServerStart;
   cases?: CasesServerStart;
   cloud: CloudSetup;
   data: DataPluginStart;
diff --git a/x-pack/plugins/security_solution/server/request_context_factory.ts b/x-pack/plugins/security_solution/server/request_context_factory.ts
index 5cc321b2d58b1..ccf8420155677 100644
--- a/x-pack/plugins/security_solution/server/request_context_factory.ts
+++ b/x-pack/plugins/security_solution/server/request_context_factory.ts
@@ -107,6 +107,8 @@ export class RequestContextFactory implements IRequestContextFactory {
     // time it is requested (see `getEndpointAuthz()` below)
     let endpointAuthz: Immutable<EndpointAuthz>;
 
+    const rulesClient = await startPlugins.alerting.getRulesClientWithRequest(request);
+
     return {
       core: coreContext,
 
@@ -146,8 +148,8 @@ export class RequestContextFactory implements IRequestContextFactory {
         });
 
         return createDetectionRulesClient({
+          rulesClient,
           actionsClient,
-          rulesClient: startPlugins.alerting.getRulesClientWithRequest(request),
           savedObjectsClient: coreContext.savedObjects.client,
           mlAuthz,
         });
@@ -155,7 +157,7 @@ export class RequestContextFactory implements IRequestContextFactory {
 
       getDetectionEngineHealthClient: memoize(() =>
         ruleMonitoringService.createDetectionEngineHealthClient({
-          rulesClient: startPlugins.alerting.getRulesClientWithRequest(request),
+          rulesClient,
           eventLogClient: startPlugins.eventLog.getClient(request),
           currentSpaceId: getSpaceId(),
         })
diff --git a/x-pack/plugins/session_view/server/routes/alert_status_route.test.ts b/x-pack/plugins/session_view/server/routes/alert_status_route.test.ts
index 646c0cbca96b5..d38b83747181a 100644
--- a/x-pack/plugins/session_view/server/routes/alert_status_route.test.ts
+++ b/x-pack/plugins/session_view/server/routes/alert_status_route.test.ts
@@ -13,7 +13,7 @@ import {
 import { elasticsearchServiceMock } from '@kbn/core/server/mocks';
 import { searchAlertByUuid } from './alert_status_route';
 import { mockAlerts } from '../../common/mocks/constants/session_view_process.mock';
-import { getAlertsClientMockInstance, resetAlertingAuthMock } from './alerts_client_mock.test';
+import { getAlertsClientMockInstance } from './alerts_client_mock.test';
 
 const getEmptyResponse = async () => {
   return {
@@ -54,7 +54,6 @@ const getResponse = async () => {
 describe('alert_status_route.ts', () => {
   beforeEach(() => {
     jest.resetAllMocks();
-    resetAlertingAuthMock();
   });
 
   describe('searchAlertByUuid(client, alertUuid)', () => {
diff --git a/x-pack/plugins/session_view/server/routes/alert_status_route.ts b/x-pack/plugins/session_view/server/routes/alert_status_route.ts
index 64192198b5e46..0a1976456ef1c 100644
--- a/x-pack/plugins/session_view/server/routes/alert_status_route.ts
+++ b/x-pack/plugins/session_view/server/routes/alert_status_route.ts
@@ -11,6 +11,7 @@ import type {
   AlertsClient,
   RuleRegistryPluginStartContract,
 } from '@kbn/rule-registry-plugin/server';
+import { SECURITY_SOLUTION_RULE_TYPE_IDS } from '@kbn/securitysolution-rules';
 import {
   ALERT_STATUS_ROUTE,
   ALERT_UUID_PROPERTY,
@@ -65,9 +66,9 @@ export const registerAlertStatusRoute = (
 };
 
 export const searchAlertByUuid = async (client: AlertsClient, alertUuid: string) => {
-  const indices = (await client.getAuthorizedAlertsIndices(['siem']))?.filter(
-    (index) => index !== PREVIEW_ALERTS_INDEX
-  );
+  const indices = (
+    await client.getAuthorizedAlertsIndices(SECURITY_SOLUTION_RULE_TYPE_IDS)
+  )?.filter((index) => index !== PREVIEW_ALERTS_INDEX);
 
   if (!indices) {
     return { events: [] };
diff --git a/x-pack/plugins/session_view/server/routes/alerts_client_mock.test.ts b/x-pack/plugins/session_view/server/routes/alerts_client_mock.test.ts
index ff76314776025..dcc1f06b0f2eb 100644
--- a/x-pack/plugins/session_view/server/routes/alerts_client_mock.test.ts
+++ b/x-pack/plugins/session_view/server/routes/alerts_client_mock.test.ts
@@ -13,7 +13,6 @@ import { elasticsearchServiceMock } from '@kbn/core/server/mocks';
 import { loggingSystemMock } from '@kbn/core/server/mocks';
 import { alertingAuthorizationMock } from '@kbn/alerting-plugin/server/authorization/alerting_authorization.mock';
 import { auditLoggerMock } from '@kbn/security-plugin/server/audit/mocks';
-import { AlertingAuthorizationEntity } from '@kbn/alerting-plugin/server';
 import { ruleDataServiceMock } from '@kbn/rule-registry-plugin/server/rule_data_plugin_service/rule_data_plugin_service.mock';
 import type { ElasticsearchClient } from '@kbn/core/server';
 import {
@@ -24,11 +23,6 @@ import {
 } from '@kbn/rule-data-utils';
 import { mockAlerts } from '../../common/mocks/constants/session_view_process.mock';
 
-export const alertingAuthMock = alertingAuthorizationMock.create();
-const auditLogger = auditLoggerMock.create();
-
-const DEFAULT_SPACE = 'test_default_space_id';
-
 const getResponse = async () => {
   return {
     hits: {
@@ -56,73 +50,62 @@ const getResponse = async () => {
   };
 };
 
-const esClientMock = elasticsearchServiceMock.createElasticsearchClient(getResponse());
-const getAlertIndicesAliasMock = jest.fn();
-const alertsClientParams: jest.Mocked<ConstructorOptions> = {
-  logger: loggingSystemMock.create().get(),
-  authorization: alertingAuthMock,
-  auditLogger,
-  ruleDataService: ruleDataServiceMock.create(),
-  esClient: esClientMock,
-  getRuleType: jest.fn(),
-  getRuleList: jest.fn(),
-  getAlertIndicesAlias: getAlertIndicesAliasMock,
-};
-
-export function getAlertsClientMockInstance(esClient?: ElasticsearchClient) {
-  esClient = esClient || elasticsearchServiceMock.createElasticsearchClient(getResponse());
-
-  const alertsClient = new AlertsClient({ ...alertsClientParams, esClient });
-
-  return alertsClient;
-}
+const createAlertsClientParams = () => {
+  const getAlertIndicesAliasMock = jest.fn();
+  const alertingAuthMock = alertingAuthorizationMock.create();
 
-export function resetAlertingAuthMock() {
-  alertingAuthMock.getSpaceId.mockImplementation(() => DEFAULT_SPACE);
-  // @ts-expect-error
-  alertingAuthMock.getAuthorizationFilter.mockImplementation(async () =>
-    Promise.resolve({ filter: [] })
-  );
-  // @ts-expect-error
-  alertingAuthMock.getAugmentedRuleTypesWithAuthorization.mockImplementation(async () => {
-    const authorizedRuleTypes = new Set();
-    authorizedRuleTypes.add({ producer: 'apm' });
-    return Promise.resolve({ authorizedRuleTypes });
-  });
-  // @ts-expect-error
-  alertingAuthMock.getAuthorizedRuleTypes.mockImplementation(async () => {
-    const authorizedRuleTypes = [
+  const authorizedRuleTypes = new Map([
+    [
+      'apm.error_rate',
       {
         producer: 'apm',
         id: 'apm.error_rate',
         alerts: {
           context: 'observability.apm',
         },
+        authorizedConsumers: {},
       },
-    ];
-    return Promise.resolve(authorizedRuleTypes);
+    ],
+  ]);
+
+  alertingAuthMock.getSpaceId.mockImplementation(() => 'test_default_space_id');
+  alertingAuthMock.getAllAuthorizedRuleTypes.mockResolvedValue({
+    hasAllRequested: true,
+    authorizedRuleTypes,
   });
+
+  alertingAuthMock.getAllAuthorizedRuleTypesFindOperation.mockResolvedValue(authorizedRuleTypes);
   getAlertIndicesAliasMock.mockReturnValue(['.alerts-observability.apm-default']);
 
-  alertingAuthMock.ensureAuthorized.mockImplementation(
-    // @ts-expect-error
-    async ({
-      ruleTypeId,
-      consumer,
-      operation,
-      entity,
-    }: {
-      ruleTypeId: string;
-      consumer: string;
-      operation: string;
-      entity: typeof AlertingAuthorizationEntity.Alert;
-    }) => {
-      if (ruleTypeId === 'apm.error_rate' && consumer === 'apm') {
-        return Promise.resolve();
-      }
-      return Promise.reject(new Error(`Unauthorized for ${ruleTypeId} and ${consumer}`));
+  alertingAuthMock.ensureAuthorized.mockImplementation(async ({ ruleTypeId, consumer }) => {
+    if (ruleTypeId === 'apm.error_rate' && consumer === 'apm') {
+      return Promise.resolve();
     }
-  );
+    return Promise.reject(new Error(`Unauthorized for ${ruleTypeId} and ${consumer}`));
+  });
+
+  const auditLogger = auditLoggerMock.create();
+  const esClientMock = elasticsearchServiceMock.createElasticsearchClient(getResponse());
+  const alertsClientParams: jest.Mocked<ConstructorOptions> = {
+    logger: loggingSystemMock.create().get(),
+    authorization: alertingAuthMock,
+    auditLogger,
+    ruleDataService: ruleDataServiceMock.create(),
+    esClient: esClientMock,
+    getRuleType: jest.fn(),
+    getRuleList: jest.fn(),
+    getAlertIndicesAlias: getAlertIndicesAliasMock,
+  };
+
+  return alertsClientParams;
+};
+
+export function getAlertsClientMockInstance(esClient?: ElasticsearchClient) {
+  esClient = esClient || elasticsearchServiceMock.createElasticsearchClient(getResponse());
+
+  const alertsClient = new AlertsClient({ ...createAlertsClientParams(), esClient });
+
+  return alertsClient;
 }
 
 // this is only here because the above imports complain if they aren't declared as part of a test file.
diff --git a/x-pack/plugins/session_view/server/routes/alerts_route.test.ts b/x-pack/plugins/session_view/server/routes/alerts_route.test.ts
index 12300b8946a78..b8ba3f5d45a02 100644
--- a/x-pack/plugins/session_view/server/routes/alerts_route.test.ts
+++ b/x-pack/plugins/session_view/server/routes/alerts_route.test.ts
@@ -7,7 +7,7 @@
 import { elasticsearchServiceMock } from '@kbn/core/server/mocks';
 import { searchAlerts } from './alerts_route';
 import { mockAlerts } from '../../common/mocks/constants/session_view_process.mock';
-import { getAlertsClientMockInstance, resetAlertingAuthMock } from './alerts_client_mock.test';
+import { getAlertsClientMockInstance } from './alerts_client_mock.test';
 
 const getEmptyResponse = async () => {
   return {
@@ -20,9 +20,7 @@ const getEmptyResponse = async () => {
 
 describe('alerts_route.ts', () => {
   beforeEach(() => {
-    jest.resetAllMocks();
-
-    resetAlertingAuthMock();
+    jest.clearAllMocks();
   });
 
   describe('searchAlerts(client, sessionEntityId)', () => {
diff --git a/x-pack/plugins/session_view/server/routes/alerts_route.ts b/x-pack/plugins/session_view/server/routes/alerts_route.ts
index c875236989efe..c4aa913334305 100644
--- a/x-pack/plugins/session_view/server/routes/alerts_route.ts
+++ b/x-pack/plugins/session_view/server/routes/alerts_route.ts
@@ -11,6 +11,7 @@ import type {
   AlertsClient,
   RuleRegistryPluginStartContract,
 } from '@kbn/rule-registry-plugin/server';
+import { SECURITY_SOLUTION_RULE_TYPE_IDS } from '@kbn/securitysolution-rules';
 import {
   ALERTS_ROUTE,
   ALERTS_PER_PAGE,
@@ -88,9 +89,9 @@ export const searchAlerts = async (
   range?: string[],
   cursor?: string
 ) => {
-  const indices = (await client.getAuthorizedAlertsIndices(['siem']))?.filter(
-    (index) => index !== PREVIEW_ALERTS_INDEX
-  );
+  const indices = (
+    await client.getAuthorizedAlertsIndices(SECURITY_SOLUTION_RULE_TYPE_IDS)
+  )?.filter((index) => index !== PREVIEW_ALERTS_INDEX);
 
   if (!indices) {
     return { events: [] };
diff --git a/x-pack/plugins/session_view/server/routes/process_events_route.test.ts b/x-pack/plugins/session_view/server/routes/process_events_route.test.ts
index 034cab178af2f..aaba035c7496b 100644
--- a/x-pack/plugins/session_view/server/routes/process_events_route.test.ts
+++ b/x-pack/plugins/session_view/server/routes/process_events_route.test.ts
@@ -12,7 +12,7 @@ import {
   mockEvents,
   mockAlerts,
 } from '../../common/mocks/constants/session_view_process.mock';
-import { getAlertsClientMockInstance, resetAlertingAuthMock } from './alerts_client_mock.test';
+import { getAlertsClientMockInstance } from './alerts_client_mock.test';
 import type { ProcessEvent } from '../../common';
 
 const getEmptyResponse = async () => {
@@ -38,8 +38,6 @@ const getResponse = async () => {
 describe('process_events_route.ts', () => {
   beforeEach(() => {
     jest.resetAllMocks();
-
-    resetAlertingAuthMock();
   });
 
   describe('fetchEventsAndScopedAlerts(client, entityId, cursor, forward)', () => {
diff --git a/x-pack/plugins/session_view/tsconfig.json b/x-pack/plugins/session_view/tsconfig.json
index 20a1f5234d9ff..412de8355943c 100644
--- a/x-pack/plugins/session_view/tsconfig.json
+++ b/x-pack/plugins/session_view/tsconfig.json
@@ -38,6 +38,7 @@
     "@kbn/shared-ux-router",
     "@kbn/usage-collection-plugin",
     "@kbn/analytics",
+    "@kbn/securitysolution-rules",
   ],
   "exclude": [
     "target/**/*",
diff --git a/x-pack/plugins/stack_alerts/server/feature.test.ts b/x-pack/plugins/stack_alerts/server/feature.test.ts
index 769fad5172d65..deb1a317eed51 100644
--- a/x-pack/plugins/stack_alerts/server/feature.test.ts
+++ b/x-pack/plugins/stack_alerts/server/feature.test.ts
@@ -27,36 +27,145 @@ describe('Stack Alerts Feature Privileges', () => {
     const featuresSetup = featuresPluginMock.createSetup();
     plugin.setup(coreSetup, { alerting: alertingSetup, features: featuresSetup });
 
-    expect(BUILT_IN_ALERTS_FEATURE.alerting).toMatchInlineSnapshot(`
+    const ruleTypeAlerting = BUILT_IN_ALERTS_FEATURE.alerting ?? [];
+    const ruleTypeAll = BUILT_IN_ALERTS_FEATURE.privileges?.all?.alerting?.rule?.all ?? [];
+    const ruleTypeRead = BUILT_IN_ALERTS_FEATURE.privileges?.read?.alerting?.rule?.read ?? [];
+
+    expect(ruleTypeAlerting).toMatchInlineSnapshot(`
       Array [
-        ".index-threshold",
-        ".geo-containment",
-        ".es-query",
-        "transform_health",
-        "observability.rules.custom_threshold",
-        "xpack.ml.anomaly_detection_alert",
+        Object {
+          "consumers": Array [
+            "stackAlerts",
+            "alerts",
+          ],
+          "ruleTypeId": ".index-threshold",
+        },
+        Object {
+          "consumers": Array [
+            "stackAlerts",
+            "alerts",
+          ],
+          "ruleTypeId": ".geo-containment",
+        },
+        Object {
+          "consumers": Array [
+            "stackAlerts",
+            "alerts",
+          ],
+          "ruleTypeId": "transform_health",
+        },
+        Object {
+          "consumers": Array [
+            "stackAlerts",
+            "alerts",
+            "discover",
+          ],
+          "ruleTypeId": ".es-query",
+        },
+        Object {
+          "consumers": Array [
+            "stackAlerts",
+          ],
+          "ruleTypeId": "xpack.ml.anomaly_detection_alert",
+        },
+        Object {
+          "consumers": Array [
+            "stackAlerts",
+          ],
+          "ruleTypeId": "observability.rules.custom_threshold",
+        },
       ]
     `);
 
-    expect(BUILT_IN_ALERTS_FEATURE.privileges?.all?.alerting?.rule?.all).toMatchInlineSnapshot(`
+    expect(ruleTypeAll).toMatchInlineSnapshot(`
       Array [
-        ".index-threshold",
-        ".geo-containment",
-        ".es-query",
-        "transform_health",
-        "observability.rules.custom_threshold",
-        "xpack.ml.anomaly_detection_alert",
+        Object {
+          "consumers": Array [
+            "stackAlerts",
+            "alerts",
+          ],
+          "ruleTypeId": ".index-threshold",
+        },
+        Object {
+          "consumers": Array [
+            "stackAlerts",
+            "alerts",
+          ],
+          "ruleTypeId": ".geo-containment",
+        },
+        Object {
+          "consumers": Array [
+            "stackAlerts",
+            "alerts",
+          ],
+          "ruleTypeId": "transform_health",
+        },
+        Object {
+          "consumers": Array [
+            "stackAlerts",
+            "alerts",
+            "discover",
+          ],
+          "ruleTypeId": ".es-query",
+        },
+        Object {
+          "consumers": Array [
+            "stackAlerts",
+          ],
+          "ruleTypeId": "xpack.ml.anomaly_detection_alert",
+        },
+        Object {
+          "consumers": Array [
+            "stackAlerts",
+          ],
+          "ruleTypeId": "observability.rules.custom_threshold",
+        },
       ]
     `);
 
-    expect(BUILT_IN_ALERTS_FEATURE.privileges?.read?.alerting?.rule?.read).toMatchInlineSnapshot(`
+    expect(ruleTypeRead).toMatchInlineSnapshot(`
       Array [
-        ".index-threshold",
-        ".geo-containment",
-        ".es-query",
-        "transform_health",
-        "observability.rules.custom_threshold",
-        "xpack.ml.anomaly_detection_alert",
+        Object {
+          "consumers": Array [
+            "stackAlerts",
+            "alerts",
+          ],
+          "ruleTypeId": ".index-threshold",
+        },
+        Object {
+          "consumers": Array [
+            "stackAlerts",
+            "alerts",
+          ],
+          "ruleTypeId": ".geo-containment",
+        },
+        Object {
+          "consumers": Array [
+            "stackAlerts",
+            "alerts",
+          ],
+          "ruleTypeId": "transform_health",
+        },
+        Object {
+          "consumers": Array [
+            "stackAlerts",
+            "alerts",
+            "discover",
+          ],
+          "ruleTypeId": ".es-query",
+        },
+        Object {
+          "consumers": Array [
+            "stackAlerts",
+          ],
+          "ruleTypeId": "xpack.ml.anomaly_detection_alert",
+        },
+        Object {
+          "consumers": Array [
+            "stackAlerts",
+          ],
+          "ruleTypeId": "observability.rules.custom_threshold",
+        },
       ]
     `);
   });
diff --git a/x-pack/plugins/stack_alerts/server/feature.ts b/x-pack/plugins/stack_alerts/server/feature.ts
index fcb7aba3947a3..fa98c155b6ba8 100644
--- a/x-pack/plugins/stack_alerts/server/feature.ts
+++ b/x-pack/plugins/stack_alerts/server/feature.ts
@@ -15,11 +15,59 @@ import {
   STACK_ALERTS_FEATURE_ID,
 } from '@kbn/rule-data-utils';
 import { ES_QUERY_ID as ElasticsearchQuery } from '@kbn/rule-data-utils';
+import { ALERTING_FEATURE_ID } from '@kbn/alerting-plugin/common';
 import { KibanaFeatureScope } from '@kbn/features-plugin/common';
 import { ID as IndexThreshold } from './rule_types/index_threshold/rule_type';
 import { GEO_CONTAINMENT_ID as GeoContainment } from './rule_types/geo_containment';
 
 const TransformHealth = TRANSFORM_RULE_TYPE.TRANSFORM_HEALTH;
+const DISCOVER_CONSUMER = 'discover';
+
+const basicAlertingFeatures = [IndexThreshold, GeoContainment, TransformHealth].map(
+  (ruleTypeId) => ({
+    ruleTypeId,
+    consumers: [STACK_ALERTS_FEATURE_ID, ALERTING_FEATURE_ID],
+  })
+);
+
+/**
+ * We need to add the discover consumer
+ * to support legacy ES rules that were
+ * created with the discover consumer.
+ *
+ * Issue: https://github.com/elastic/kibana/issues/184595
+ */
+const esQueryAlertingFeature = {
+  ruleTypeId: ElasticsearchQuery,
+  consumers: [STACK_ALERTS_FEATURE_ID, ALERTING_FEATURE_ID, DISCOVER_CONSUMER],
+};
+
+/**
+ * Only the stackAlerts consumer is valid
+ * for the stackAlerts feature ID for the
+ * xpack.ml.anomaly_detection_alert rule type.
+ */
+const mlAnomalyDetectionAlertingFeature = {
+  ruleTypeId: ML_ANOMALY_DETECTION_RULE_TYPE_ID,
+  consumers: [STACK_ALERTS_FEATURE_ID],
+};
+
+/**
+ * Only the stackAlerts consumer is valid
+ * for the stackAlerts feature ID for the
+ * observability.rules.custom_threshold rule type.
+ */
+const observabilityThresholdAlertingFeature = {
+  ruleTypeId: OBSERVABILITY_THRESHOLD_RULE_TYPE_ID,
+  consumers: [STACK_ALERTS_FEATURE_ID],
+};
+
+const alertingFeatures = [
+  ...basicAlertingFeatures,
+  esQueryAlertingFeature,
+  mlAnomalyDetectionAlertingFeature,
+  observabilityThresholdAlertingFeature,
+];
 
 export const BUILT_IN_ALERTS_FEATURE: KibanaFeatureConfig = {
   id: STACK_ALERTS_FEATURE_ID,
@@ -32,14 +80,7 @@ export const BUILT_IN_ALERTS_FEATURE: KibanaFeatureConfig = {
   management: {
     insightsAndAlerting: ['triggersActions'],
   },
-  alerting: [
-    IndexThreshold,
-    GeoContainment,
-    ElasticsearchQuery,
-    TransformHealth,
-    OBSERVABILITY_THRESHOLD_RULE_TYPE_ID,
-    ML_ANOMALY_DETECTION_RULE_TYPE_ID,
-  ],
+  alerting: alertingFeatures,
   privileges: {
     all: {
       app: [],
@@ -49,24 +90,10 @@ export const BUILT_IN_ALERTS_FEATURE: KibanaFeatureConfig = {
       },
       alerting: {
         rule: {
-          all: [
-            IndexThreshold,
-            GeoContainment,
-            ElasticsearchQuery,
-            TransformHealth,
-            OBSERVABILITY_THRESHOLD_RULE_TYPE_ID,
-            ML_ANOMALY_DETECTION_RULE_TYPE_ID,
-          ],
+          all: alertingFeatures,
         },
         alert: {
-          all: [
-            IndexThreshold,
-            GeoContainment,
-            ElasticsearchQuery,
-            TransformHealth,
-            OBSERVABILITY_THRESHOLD_RULE_TYPE_ID,
-            ML_ANOMALY_DETECTION_RULE_TYPE_ID,
-          ],
+          all: alertingFeatures,
         },
       },
       savedObject: {
@@ -84,24 +111,10 @@ export const BUILT_IN_ALERTS_FEATURE: KibanaFeatureConfig = {
       },
       alerting: {
         rule: {
-          read: [
-            IndexThreshold,
-            GeoContainment,
-            ElasticsearchQuery,
-            TransformHealth,
-            OBSERVABILITY_THRESHOLD_RULE_TYPE_ID,
-            ML_ANOMALY_DETECTION_RULE_TYPE_ID,
-          ],
+          read: alertingFeatures,
         },
         alert: {
-          read: [
-            IndexThreshold,
-            GeoContainment,
-            ElasticsearchQuery,
-            TransformHealth,
-            OBSERVABILITY_THRESHOLD_RULE_TYPE_ID,
-            ML_ANOMALY_DETECTION_RULE_TYPE_ID,
-          ],
+          read: alertingFeatures,
         },
       },
       savedObject: {
diff --git a/x-pack/plugins/stack_alerts/server/rule_types/types.ts b/x-pack/plugins/stack_alerts/server/rule_types/types.ts
index e06553233e774..876a3c472e3ad 100644
--- a/x-pack/plugins/stack_alerts/server/rule_types/types.ts
+++ b/x-pack/plugins/stack_alerts/server/rule_types/types.ts
@@ -7,12 +7,12 @@
 
 import { StackAlert } from '@kbn/alerts-as-data-utils';
 import { CoreSetup, Logger } from '@kbn/core/server';
-import { AlertingSetup, StackAlertsStartDeps } from '../types';
+import { AlertingServerSetup, StackAlertsStartDeps } from '../types';
 
 export interface RegisterRuleTypesParams {
   logger: Logger;
   data: Promise<StackAlertsStartDeps['triggersActionsUi']['data']>;
-  alerting: AlertingSetup;
+  alerting: AlertingServerSetup;
   core: CoreSetup;
 }
 
diff --git a/x-pack/plugins/stack_alerts/server/types.ts b/x-pack/plugins/stack_alerts/server/types.ts
index ce148fb8c0434..1f4d2d2914867 100644
--- a/x-pack/plugins/stack_alerts/server/types.ts
+++ b/x-pack/plugins/stack_alerts/server/types.ts
@@ -6,20 +6,19 @@
  */
 
 import { PluginStartContract as TriggersActionsUiStartContract } from '@kbn/triggers-actions-ui-plugin/server';
-import { PluginSetupContract as AlertingSetup } from '@kbn/alerting-plugin/server';
-
 export type {
-  PluginSetupContract as AlertingSetup,
   RuleType,
   RuleParamsAndRefs,
   RuleExecutorOptions,
   RuleTypeParams,
+  AlertingServerSetup,
 } from '@kbn/alerting-plugin/server';
 import { FeaturesPluginSetup } from '@kbn/features-plugin/server';
+import { AlertingServerSetup } from '@kbn/alerting-plugin/server';
 
 // this plugin's dependendencies
 export interface StackAlertsDeps {
-  alerting: AlertingSetup;
+  alerting: AlertingServerSetup;
   features: FeaturesPluginSetup;
 }
 
diff --git a/x-pack/plugins/timelines/server/types.ts b/x-pack/plugins/timelines/server/types.ts
index 311281f67ea2a..b412b69be9737 100644
--- a/x-pack/plugins/timelines/server/types.ts
+++ b/x-pack/plugins/timelines/server/types.ts
@@ -6,7 +6,7 @@
  */
 
 import type { PluginSetup, PluginStart } from '@kbn/data-plugin/server';
-import { PluginStartContract as AlertingPluginStartContract } from '@kbn/alerting-plugin/server';
+import { AlertingServerStart } from '@kbn/alerting-plugin/server';
 import { SecurityPluginSetup } from '@kbn/security-plugin/server';
 
 // eslint-disable-next-line @typescript-eslint/no-empty-interface
@@ -21,5 +21,5 @@ export interface SetupPlugins {
 
 export interface StartPlugins {
   data: PluginStart;
-  alerting: AlertingPluginStartContract;
+  alerting: AlertingServerStart;
 }
diff --git a/x-pack/plugins/transform/server/lib/alerting/transform_health_rule_type/register_transform_health_rule_type.ts b/x-pack/plugins/transform/server/lib/alerting/transform_health_rule_type/register_transform_health_rule_type.ts
index ac04ff6a7662e..1fe9c3cc59336 100644
--- a/x-pack/plugins/transform/server/lib/alerting/transform_health_rule_type/register_transform_health_rule_type.ts
+++ b/x-pack/plugins/transform/server/lib/alerting/transform_health_rule_type/register_transform_health_rule_type.ts
@@ -16,11 +16,7 @@ import type {
   RuleTypeState,
 } from '@kbn/alerting-plugin/common';
 import { AlertsClientError } from '@kbn/alerting-plugin/server';
-import type {
-  PluginSetupContract as AlertingSetup,
-  IRuleTypeAlerts,
-  RuleType,
-} from '@kbn/alerting-plugin/server';
+import type { AlertingServerSetup, IRuleTypeAlerts, RuleType } from '@kbn/alerting-plugin/server';
 import type { FieldFormatsStart } from '@kbn/field-formats-plugin/server';
 import type { TransformHealthAlert } from '@kbn/alerts-as-data-utils';
 import { ALERT_REASON } from '@kbn/rule-data-utils';
@@ -74,7 +70,7 @@ export const TRANSFORM_ISSUE_DETECTED: ActionGroup<TransformIssue> = {
 
 interface RegisterParams {
   logger: Logger;
-  alerting: AlertingSetup;
+  alerting: AlertingServerSetup;
   getFieldFormatsStart: () => FieldFormatsStart;
 }
 
diff --git a/x-pack/plugins/transform/server/routes/api/transforms_all/route_handler.ts b/x-pack/plugins/transform/server/routes/api/transforms_all/route_handler.ts
index 8bbedd9faa023..4bf9a03b64882 100644
--- a/x-pack/plugins/transform/server/routes/api/transforms_all/route_handler.ts
+++ b/x-pack/plugins/transform/server/routes/api/transforms_all/route_handler.ts
@@ -28,10 +28,13 @@ export const routeHandler: RequestHandler<
     });
 
     const alerting = await ctx.alerting;
+
     if (alerting) {
+      const rulesClient = await alerting.getRulesClient();
+
       const transformHealthService = transformHealthServiceProvider({
         esClient: esClient.asCurrentUser,
-        rulesClient: alerting.getRulesClient(),
+        rulesClient,
       });
 
       // @ts-ignore
diff --git a/x-pack/plugins/translations/translations/fr-FR.json b/x-pack/plugins/translations/translations/fr-FR.json
index ab81cd0a8ac8c..cd3678bcc173f 100644
--- a/x-pack/plugins/translations/translations/fr-FR.json
+++ b/x-pack/plugins/translations/translations/fr-FR.json
@@ -191,14 +191,8 @@
     "alertsUIShared.healthCheck.encryptionErrorTitle": "Configuration supplémentaire requise",
     "alertsUIShared.healthCheck.healthCheck.apiKeysAndEncryptionErrorTitle": "Configuration supplémentaire requise",
     "alertsUIShared.hooks.useAlertDataView.fetchErrorMessage": "Impossible de charger la vue des données de l'alerte",
-    "alertsUIShared.hooks.useFindAlertsQuery.unableToFetchAlertsGroupingAggregations": "Impossible de récupérer les agrégations de groupement d'alertes",
     "alertsUIShared.hooks.useFindAlertsQuery.unableToFindAlertsQueryMessage": "Impossible de trouver les alertes",
     "alertsUIShared.hooks.useLoadRuleTypesQuery.unableToLoadRuleTypesMessage": "Impossible de charger les types de règles",
-    "alertsUIShared.hooks.useRuleAADFields.errorMessage": "Impossible de charger les champs d'alerte par type de règle",
-    "alertsUIShared.licenseCheck.actionTypeDisabledByConfigMessageTitle": "Cette fonctionnalité est désactivée par la configuration de Kibana.",
-    "alertsUIShared.licenseCheck.actionTypeDisabledByLicenseLinkTitle": "Afficher les options de licence",
-    "alertsUIShared.licenseCheck.actionTypeDisabledByLicenseMessageDescription": "Pour réactiver cette action, veuillez mettre à niveau votre licence.",
-    "alertsUIShared.licenseCheck.actionTypeDisabledByLicenseMessageTitle": "Cette fonctionnalité requiert une licence {minimumLicenseRequired}.",
     "alertsUIShared.maintenanceWindowCallout.fetchError": "La vérification visant à déterminer si les fenêtres de maintenance sont actives a échoué",
     "alertsUIShared.maintenanceWindowCallout.fetchErrorDescription": "Les notifications de règle sont arrêtées lorsque les fenêtres de maintenance sont en cours d'exécution.",
     "alertsUIShared.maintenanceWindowCallout.maintenanceWindowActive": "{activeWindowCount, plural, one {Une fenêtre de maintenance est} other {Des fenêtres de maintenance sont}} en cours d'exécution pour des règles de {categories}",
@@ -48712,7 +48706,6 @@
     "xpack.triggersActionsUI.updateApiKeyConfirmModal.failureMessage": "Impossible de mettre à jour {idsToUpdate, plural, one {la clé} other {les clés}} de l'API",
     "xpack.triggersActionsUI.updateApiKeyConfirmModal.title": "Mettre à jour la clé d'API",
     "xpack.triggersActionsUI.urlSyncedAlertsSearchBar.invalidQueryTitle": "Chaîne de requête non valide",
-    "xpack.triggersActionsUI.useRuleAADFields.errorMessage": "Impossible de charger les champs d'alerte par type de règle",
     "xpack.upgradeAssistant.app.deniedPrivilegeDescription": "Afin d'utiliser l'assistant de mise à niveau et de résoudre les problèmes de déclassement, vous devez disposer d'un accès permettant de gérer tous les espaces Kibana.",
     "xpack.upgradeAssistant.app.deniedPrivilegeTitle": "Rôle d'administrateur Kibana requis",
     "xpack.upgradeAssistant.appTitle": "Assistant de mise à niveau",
diff --git a/x-pack/plugins/translations/translations/ja-JP.json b/x-pack/plugins/translations/translations/ja-JP.json
index 9b667b15f673d..8d3f9df8ddbf2 100644
--- a/x-pack/plugins/translations/translations/ja-JP.json
+++ b/x-pack/plugins/translations/translations/ja-JP.json
@@ -191,14 +191,8 @@
     "alertsUIShared.healthCheck.encryptionErrorTitle": "追加の設定が必要です",
     "alertsUIShared.healthCheck.healthCheck.apiKeysAndEncryptionErrorTitle": "追加の設定が必要です",
     "alertsUIShared.hooks.useAlertDataView.fetchErrorMessage": "アラートデータビューを読み込めません",
-    "alertsUIShared.hooks.useFindAlertsQuery.unableToFetchAlertsGroupingAggregations": "アラートグループ集約を取得できません。",
     "alertsUIShared.hooks.useFindAlertsQuery.unableToFindAlertsQueryMessage": "アラートが見つかりません",
     "alertsUIShared.hooks.useLoadRuleTypesQuery.unableToLoadRuleTypesMessage": "ルールタイプを読み込めません",
-    "alertsUIShared.hooks.useRuleAADFields.errorMessage": "ルールタイプごとにアラートフィールドを読み込めません",
-    "alertsUIShared.licenseCheck.actionTypeDisabledByConfigMessageTitle": "この機能は Kibana の構成で無効になっています。",
-    "alertsUIShared.licenseCheck.actionTypeDisabledByLicenseLinkTitle": "ライセンスオプションを表示",
-    "alertsUIShared.licenseCheck.actionTypeDisabledByLicenseMessageDescription": "このアクションを再び有効にするには、ライセンスをアップグレードしてください。",
-    "alertsUIShared.licenseCheck.actionTypeDisabledByLicenseMessageTitle": "この機能には {minimumLicenseRequired} ライセンスが必要です。",
     "alertsUIShared.maintenanceWindowCallout.fetchError": "保守時間枠がアクティブであるかどうかを確認できませんでした",
     "alertsUIShared.maintenanceWindowCallout.fetchErrorDescription": "保守時間枠の実行中は、ルール通知が停止されます。",
     "alertsUIShared.maintenanceWindowCallout.maintenanceWindowActive": "{categories}ルールの{activeWindowCount, plural, other {保守時間枠}}が実行中です",
@@ -48671,8 +48665,7 @@
     "xpack.triggersActionsUI.updateApiKeyConfirmModal.description": "古いAPI {idsToUpdate, plural, other {キー}}は回復できません",
     "xpack.triggersActionsUI.updateApiKeyConfirmModal.failureMessage": "API {idsToUpdate, plural, other {キー}}を更新できませんでした",
     "xpack.triggersActionsUI.updateApiKeyConfirmModal.title": "APIキーの更新",
-    "xpack.triggersActionsUI.urlSyncedAlertsSearchBar.invalidQueryTitle": "無効なクエリー文字列",
-    "xpack.triggersActionsUI.useRuleAADFields.errorMessage": "ルールタイプごとにアラートフィールドを読み込めません",
+    "xpack.triggersActionsUI.urlSyncedAlertsSearchBar.invalidQueryTitle": "無効なクエリ文字列",
     "xpack.upgradeAssistant.app.deniedPrivilegeDescription": "アップグレードアシスタントを使用して、廃止予定の問題を解決するには、すべてのKibanaスペースを管理するためのアクセス権が必要です。",
     "xpack.upgradeAssistant.app.deniedPrivilegeTitle": "Kibana管理者ロールが必要です",
     "xpack.upgradeAssistant.appTitle": "アップグレードアシスタント",
diff --git a/x-pack/plugins/translations/translations/zh-CN.json b/x-pack/plugins/translations/translations/zh-CN.json
index f4d9a4827f353..6f5ba4b47d4df 100644
--- a/x-pack/plugins/translations/translations/zh-CN.json
+++ b/x-pack/plugins/translations/translations/zh-CN.json
@@ -191,14 +191,8 @@
     "alertsUIShared.healthCheck.encryptionErrorTitle": "需要其他设置",
     "alertsUIShared.healthCheck.healthCheck.apiKeysAndEncryptionErrorTitle": "需要其他设置",
     "alertsUIShared.hooks.useAlertDataView.fetchErrorMessage": "无法加载告警数据视图",
-    "alertsUIShared.hooks.useFindAlertsQuery.unableToFetchAlertsGroupingAggregations": "无法提取告警分组聚合",
     "alertsUIShared.hooks.useFindAlertsQuery.unableToFindAlertsQueryMessage": "无法找到告警",
     "alertsUIShared.hooks.useLoadRuleTypesQuery.unableToLoadRuleTypesMessage": "无法加载规则类型",
-    "alertsUIShared.hooks.useRuleAADFields.errorMessage": "无法按规则类型加载告警字段",
-    "alertsUIShared.licenseCheck.actionTypeDisabledByConfigMessageTitle": "此功能已由 Kibana 配置禁用。",
-    "alertsUIShared.licenseCheck.actionTypeDisabledByLicenseLinkTitle": "查看许可证选项",
-    "alertsUIShared.licenseCheck.actionTypeDisabledByLicenseMessageDescription": "要重新启用此操作，请升级您的许可证。",
-    "alertsUIShared.licenseCheck.actionTypeDisabledByLicenseMessageTitle": "此功能需要{minimumLicenseRequired}许可证。",
     "alertsUIShared.maintenanceWindowCallout.fetchError": "无法检查维护窗口是否处于活动状态",
     "alertsUIShared.maintenanceWindowCallout.fetchErrorDescription": "维护窗口正在运行时会停止规则通知。",
     "alertsUIShared.maintenanceWindowCallout.maintenanceWindowActive": "{activeWindowCount, plural, other {维护窗口正}}针对 {categories} 规则运行",
@@ -48747,7 +48741,6 @@
     "xpack.triggersActionsUI.updateApiKeyConfirmModal.failureMessage": "无法更新 API {idsToUpdate, plural, other {密钥}}",
     "xpack.triggersActionsUI.updateApiKeyConfirmModal.title": "更新 API 密钥",
     "xpack.triggersActionsUI.urlSyncedAlertsSearchBar.invalidQueryTitle": "字符串查询无效",
-    "xpack.triggersActionsUI.useRuleAADFields.errorMessage": "无法按规则类型加载告警字段",
     "xpack.upgradeAssistant.app.deniedPrivilegeDescription": "要使用升级助手并解决弃用问题，必须具有管理所有 Kibana 工作区的访问权限。",
     "xpack.upgradeAssistant.app.deniedPrivilegeTitle": "需要 Kibana 管理员角色",
     "xpack.upgradeAssistant.appTitle": "升级助手",
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_load_alert_summary.test.ts b/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_load_alert_summary.test.ts
index 92c1e3bc5ca69..b21439038cd72 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_load_alert_summary.test.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_load_alert_summary.test.ts
@@ -6,7 +6,6 @@
  */
 
 import { waitFor, renderHook } from '@testing-library/react';
-import { ValidFeatureId } from '@kbn/rule-data-utils';
 import { useKibana } from '../../common/lib/kibana';
 import {
   mockedAlertSummaryResponse,
@@ -18,7 +17,7 @@ jest.mock('../../common/lib/kibana');
 
 const useKibanaMock = useKibana as jest.Mocked<typeof useKibana>;
 describe('useLoadAlertSummary', () => {
-  const featureIds: ValidFeatureId[] = ['apm'];
+  const ruleTypeIds: string[] = ['apm'];
   const mockedPostAPI = jest.fn();
 
   beforeAll(() => {
@@ -36,7 +35,7 @@ describe('useLoadAlertSummary', () => {
 
     const { result } = renderHook(() =>
       useLoadAlertSummary({
-        featureIds,
+        ruleTypeIds,
         timeRange: mockedAlertSummaryTimeRange,
       })
     );
@@ -72,7 +71,7 @@ describe('useLoadAlertSummary', () => {
 
     renderHook(() =>
       useLoadAlertSummary({
-        featureIds,
+        ruleTypeIds,
         timeRange: mockedAlertSummaryTimeRange,
         filter,
       })
@@ -82,7 +81,7 @@ describe('useLoadAlertSummary', () => {
       fixed_interval: fixedInterval,
       gte: utcFrom,
       lte: utcTo,
-      featureIds,
+      ruleTypeIds,
       filter: [filter],
     });
 
@@ -102,7 +101,7 @@ describe('useLoadAlertSummary', () => {
 
     const { result } = renderHook(() =>
       useLoadAlertSummary({
-        featureIds,
+        ruleTypeIds,
         timeRange: mockedAlertSummaryTimeRange,
       })
     );
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_load_alert_summary.ts b/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_load_alert_summary.ts
index 10ce201885098..c8053ca571477 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_load_alert_summary.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_load_alert_summary.ts
@@ -6,7 +6,6 @@
  */
 
 import { useEffect, useState, useCallback, useRef } from 'react';
-import type { ValidFeatureId } from '@kbn/rule-data-utils';
 import { estypes } from '@elastic/elasticsearch';
 import { AsApiContract } from '@kbn/actions-plugin/common';
 import { HttpSetup } from '@kbn/core/public';
@@ -15,7 +14,8 @@ import { useKibana } from '../../common/lib/kibana';
 import { Alert, AlertSummaryTimeRange } from '../sections/alert_summary_widget/types';
 
 interface UseLoadAlertSummaryProps {
-  featureIds?: ValidFeatureId[];
+  ruleTypeIds?: string[];
+  consumers?: string[];
   timeRange: AlertSummaryTimeRange;
   filter?: estypes.QueryDslQueryContainer;
 }
@@ -32,7 +32,12 @@ interface LoadAlertSummaryResponse {
   error?: string;
 }
 
-export function useLoadAlertSummary({ featureIds, timeRange, filter }: UseLoadAlertSummaryProps) {
+export function useLoadAlertSummary({
+  ruleTypeIds,
+  consumers,
+  timeRange,
+  filter,
+}: UseLoadAlertSummaryProps) {
   const { http } = useKibana().services;
   const [alertSummary, setAlertSummary] = useState<LoadAlertSummaryResponse>({
     isLoading: true,
@@ -45,14 +50,15 @@ export function useLoadAlertSummary({ featureIds, timeRange, filter }: UseLoadAl
   const isCancelledRef = useRef(false);
   const abortCtrlRef = useRef(new AbortController());
   const loadAlertSummary = useCallback(async () => {
-    if (!featureIds) return;
+    if (!ruleTypeIds) return;
     isCancelledRef.current = false;
     abortCtrlRef.current.abort();
     abortCtrlRef.current = new AbortController();
 
     try {
       const { activeAlertCount, activeAlerts, recoveredAlertCount } = await fetchAlertSummary({
-        featureIds,
+        ruleTypeIds,
+        consumers,
         filter,
         http,
         signal: abortCtrlRef.current.signal,
@@ -80,7 +86,7 @@ export function useLoadAlertSummary({ featureIds, timeRange, filter }: UseLoadAl
         }
       }
     }
-  }, [featureIds, filter, http, timeRange]);
+  }, [ruleTypeIds, consumers, filter, http, timeRange]);
 
   useEffect(() => {
     loadAlertSummary();
@@ -90,26 +96,29 @@ export function useLoadAlertSummary({ featureIds, timeRange, filter }: UseLoadAl
 }
 
 async function fetchAlertSummary({
-  featureIds,
+  ruleTypeIds,
+  consumers,
   filter,
   http,
   signal,
   timeRange: { utcFrom, utcTo, fixedInterval },
 }: {
   http: HttpSetup;
-  featureIds: ValidFeatureId[];
+  ruleTypeIds: string[];
+  consumers?: string[];
   signal: AbortSignal;
   timeRange: AlertSummaryTimeRange;
   filter?: estypes.QueryDslQueryContainer;
 }): Promise<AlertSummary> {
-  const res = featureIds.length
+  const res = ruleTypeIds.length
     ? await http.post<AsApiContract<any>>(`${BASE_RAC_ALERTS_API_PATH}/_alert_summary`, {
         signal,
         body: JSON.stringify({
           fixed_interval: fixedInterval,
           gte: utcFrom,
           lte: utcTo,
-          featureIds,
+          ruleTypeIds,
+          consumers,
           filter: [filter],
         }),
       })
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_load_rule_aggregations.test.tsx b/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_load_rule_aggregations.test.tsx
index e1cb5f6f4f5ee..b84e1b529b493 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_load_rule_aggregations.test.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_load_rule_aggregations.test.tsx
@@ -6,7 +6,10 @@
  */
 import React from 'react';
 import { waitFor, renderHook } from '@testing-library/react';
-import { useLoadRuleAggregationsQuery as useLoadRuleAggregations } from './use_load_rule_aggregations_query';
+import {
+  UseLoadRuleAggregationsQueryProps,
+  useLoadRuleAggregationsQuery as useLoadRuleAggregations,
+} from './use_load_rule_aggregations_query';
 import { RuleStatus } from '../../types';
 import { useKibana } from '../../common/lib/kibana';
 import { IToasts } from '@kbn/core-notifications-browser';
@@ -59,10 +62,9 @@ describe('useLoadRuleAggregations', () => {
   });
 
   it('should call loadRuleAggregations API and handle result', async () => {
-    const params = {
+    const params: UseLoadRuleAggregationsQueryProps = {
       filters: {
         searchText: '',
-        types: [],
         actionTypes: [],
         ruleExecutionStatuses: [],
         ruleLastRunOutcomes: [],
@@ -72,6 +74,8 @@ describe('useLoadRuleAggregations', () => {
       },
       enabled: true,
       refresh: undefined,
+      ruleTypeIds: [],
+      consumers: [],
     };
 
     const { rerender, result } = renderHook(
@@ -87,12 +91,13 @@ describe('useLoadRuleAggregations', () => {
       expect(loadRuleAggregationsWithKueryFilter).toBeCalledWith(
         expect.objectContaining({
           searchText: '',
-          typesFilter: [],
           actionTypesFilter: [],
           ruleExecutionStatusesFilter: [],
           ruleLastRunOutcomesFilter: [],
           ruleStatusesFilter: [],
           tagsFilter: [],
+          ruleTypeIds: [],
+          consumers: [],
         })
       );
       expect(result.current.rulesStatusesTotal).toEqual(MOCK_AGGS.ruleExecutionStatus);
@@ -100,10 +105,9 @@ describe('useLoadRuleAggregations', () => {
   });
 
   it('should call loadRuleAggregation API with params and handle result', async () => {
-    const params = {
+    const params: UseLoadRuleAggregationsQueryProps = {
       filters: {
         searchText: 'test',
-        types: ['type1', 'type2'],
         actionTypes: ['action1', 'action2'],
         ruleExecutionStatuses: ['status1', 'status2'],
         ruleParams: {},
@@ -113,6 +117,8 @@ describe('useLoadRuleAggregations', () => {
       },
       enabled: true,
       refresh: undefined,
+      ruleTypeIds: ['foo'],
+      consumers: ['bar'],
     };
 
     const { rerender, result } = renderHook(() => useLoadRuleAggregations(params), {
@@ -125,12 +131,13 @@ describe('useLoadRuleAggregations', () => {
       expect(loadRuleAggregationsWithKueryFilter).toBeCalledWith(
         expect.objectContaining({
           searchText: 'test',
-          typesFilter: ['type1', 'type2'],
           actionTypesFilter: ['action1', 'action2'],
           ruleExecutionStatusesFilter: ['status1', 'status2'],
           ruleStatusesFilter: ['enabled', 'snoozed'] as RuleStatus[],
           tagsFilter: ['tag1', 'tag2'],
           ruleLastRunOutcomesFilter: ['outcome1', 'outcome2'],
+          ruleTypeIds: ['foo'],
+          consumers: ['bar'],
         })
       );
       expect(result.current.rulesStatusesTotal).toEqual(MOCK_AGGS.ruleExecutionStatus);
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_load_rule_aggregations_query.ts b/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_load_rule_aggregations_query.ts
index b7f5be0325729..c588959dedf52 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_load_rule_aggregations_query.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_load_rule_aggregations_query.ts
@@ -22,15 +22,16 @@ const initializeAggregationResult = (values: readonly string[]) => {
   );
 };
 
-interface UseLoadRuleAggregationsQueryProps {
+export interface UseLoadRuleAggregationsQueryProps {
   filters: RulesListFilters;
   enabled: boolean;
-  filterConsumers?: string[];
+  ruleTypeIds?: string[];
+  consumers?: string[];
   refresh?: Date;
 }
 
 export const useLoadRuleAggregationsQuery = (props: UseLoadRuleAggregationsQueryProps) => {
-  const { filters, enabled, refresh, filterConsumers } = props;
+  const { filters, enabled, refresh, ruleTypeIds, consumers } = props;
 
   const {
     http,
@@ -41,13 +42,13 @@ export const useLoadRuleAggregationsQuery = (props: UseLoadRuleAggregationsQuery
     return loadRuleAggregationsWithKueryFilter({
       http,
       searchText: filters.searchText,
-      typesFilter: filters.types,
       actionTypesFilter: filters.actionTypes,
       ruleExecutionStatusesFilter: filters.ruleExecutionStatuses,
       ruleLastRunOutcomesFilter: filters.ruleLastRunOutcomes,
       ruleStatusesFilter: filters.ruleStatuses,
       tagsFilter: filters.tags,
-      filterConsumers,
+      ruleTypeIds,
+      consumers,
     });
   };
 
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_load_rules_query.ts b/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_load_rules_query.ts
index 795e316786892..7806e6ce1e6aa 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_load_rules_query.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_load_rules_query.ts
@@ -20,7 +20,8 @@ type UseLoadRulesQueryProps = Omit<LoadRulesProps, 'http'> & {
   sort: LoadRulesProps['sort'];
   enabled: boolean;
   refresh?: Date;
-  filterConsumers?: string[];
+  ruleTypeIds?: string[];
+  consumers?: string[];
   hasReference?: {
     type: string;
     id: string;
@@ -28,7 +29,8 @@ type UseLoadRulesQueryProps = Omit<LoadRulesProps, 'http'> & {
 };
 
 export const useLoadRulesQuery = (props: UseLoadRulesQueryProps) => {
-  const { filterConsumers, filters, page, sort, onPage, enabled, refresh, hasReference } = props;
+  const { ruleTypeIds, consumers, filters, page, sort, onPage, enabled, refresh, hasReference } =
+    props;
   const {
     http,
     notifications: { toasts },
@@ -56,7 +58,7 @@ export const useLoadRulesQuery = (props: UseLoadRulesQueryProps) => {
       {
         refresh: refresh?.toISOString(),
       },
-      filterConsumers,
+      ruleTypeIds,
       hasReference,
     ],
     queryFn: () => {
@@ -73,7 +75,8 @@ export const useLoadRulesQuery = (props: UseLoadRulesQueryProps) => {
         tagsFilter: filters.tags,
         kueryNode: filters.kueryNode,
         sort,
-        filterConsumers,
+        ruleTypeIds,
+        consumers,
         hasReference,
       });
     },
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_rule_aad_fields.ts b/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_rule_aad_fields.ts
deleted file mode 100644
index 91aaf19776d8b..0000000000000
--- a/x-pack/plugins/triggers_actions_ui/public/application/hooks/use_rule_aad_fields.ts
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { DataViewField } from '@kbn/data-views-plugin/common';
-import { useKibana } from '@kbn/kibana-react-plugin/public';
-import { useQuery } from '@tanstack/react-query';
-import { i18n } from '@kbn/i18n';
-import { useMemo } from 'react';
-import { fetchRuleTypeAadTemplateFields } from '@kbn/alerts-ui-shared/src/common/apis/fetch_rule_type_aad_template_fields';
-import { TriggersAndActionsUiServices } from '../..';
-
-const EMPTY_AAD_FIELDS: DataViewField[] = [];
-
-export function useRuleAADFields(ruleTypeId?: string): {
-  aadFields: DataViewField[];
-  loading: boolean;
-} {
-  const {
-    http,
-    notifications: { toasts },
-  } = useKibana<TriggersAndActionsUiServices>().services;
-
-  const queryAadFieldsFn = () => {
-    return fetchRuleTypeAadTemplateFields({ http, ruleTypeId });
-  };
-
-  const onErrorFn = () => {
-    toasts.addDanger(
-      i18n.translate('xpack.triggersActionsUI.useRuleAADFields.errorMessage', {
-        defaultMessage: 'Unable to load alert fields per rule type',
-      })
-    );
-  };
-
-  const {
-    data: aadFields = EMPTY_AAD_FIELDS,
-    isInitialLoading,
-    isLoading,
-  } = useQuery({
-    queryKey: ['loadAlertAadFieldsPerRuleType', ruleTypeId],
-    queryFn: queryAadFieldsFn,
-    onError: onErrorFn,
-    refetchOnWindowFocus: false,
-    enabled: ruleTypeId !== undefined,
-  });
-
-  return useMemo(
-    () => ({
-      aadFields,
-      loading: ruleTypeId === undefined ? false : isInitialLoading || isLoading,
-    }),
-    [aadFields, isInitialLoading, isLoading, ruleTypeId]
-  );
-}
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/lib/check_rule_type_enabled.test.tsx b/x-pack/plugins/triggers_actions_ui/public/application/lib/check_rule_type_enabled.test.tsx
index 0668fb56c4ef1..5771b505ae0c4 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/lib/check_rule_type_enabled.test.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/lib/check_rule_type_enabled.test.tsx
@@ -33,6 +33,7 @@ describe('checkRuleTypeEnabled', () => {
       authorizedConsumers: {},
       minimumLicenseRequired: 'basic',
       enabledInLicense: true,
+      category: 'my-category',
     };
     expect(checkRuleTypeEnabled(alertType)).toMatchInlineSnapshot(`
           Object {
@@ -57,6 +58,7 @@ describe('checkRuleTypeEnabled', () => {
       authorizedConsumers: {},
       minimumLicenseRequired: 'gold',
       enabledInLicense: false,
+      category: 'my-category',
     };
     expect(checkRuleTypeEnabled(alertType)).toMatchInlineSnapshot(`
       Object {
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/lib/execution_duration_utils.test.ts b/x-pack/plugins/triggers_actions_ui/public/application/lib/execution_duration_utils.test.ts
index f7ade3778f287..7bce422f5f9f3 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/lib/execution_duration_utils.test.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/application/lib/execution_duration_utils.test.ts
@@ -63,6 +63,7 @@ function mockRuleType(overwrites: Partial<RuleType> = {}): RuleType {
     producer: 'alerts',
     minimumLicenseRequired: 'basic',
     enabledInLicense: true,
+    category: 'my-category',
     ...overwrites,
   };
 }
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/aggregate.test.ts b/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/aggregate.test.ts
index a5ae973f14d97..b546748d695e4 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/aggregate.test.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/aggregate.test.ts
@@ -113,7 +113,7 @@ describe('loadRuleAggregations', () => {
     `);
   });
 
-  test('should call aggregate API with typesFilter', async () => {
+  test('should call aggregate API with ruleTypeIds', async () => {
     const resolvedValue = {
       rule_execution_status: {
         ok: 4,
@@ -127,7 +127,7 @@ describe('loadRuleAggregations', () => {
 
     const result = await loadRuleAggregations({
       http,
-      typesFilter: ['foo', 'bar'],
+      ruleTypeIds: ['foo', 'bar'],
     });
     expect(result).toEqual({
       ruleExecutionStatus: {
@@ -142,13 +142,13 @@ describe('loadRuleAggregations', () => {
       Array [
         "/internal/alerting/rules/_aggregate",
         Object {
-          "body": "{\\"filter\\":\\"alert.attributes.alertTypeId:(foo or bar)\\",\\"default_search_operator\\":\\"AND\\"}",
+          "body": "{\\"default_search_operator\\":\\"AND\\",\\"rule_type_ids\\":[\\"foo\\",\\"bar\\"]}",
         },
       ]
     `);
   });
 
-  test('should call aggregate API with actionTypesFilter and typesFilter', async () => {
+  test('should call aggregate API with actionTypesFilter and ruleTypeIds', async () => {
     const resolvedValue = {
       rule_execution_status: {
         ok: 4,
@@ -164,7 +164,7 @@ describe('loadRuleAggregations', () => {
       http,
       searchText: 'baz',
       actionTypesFilter: ['action', 'type'],
-      typesFilter: ['foo', 'bar'],
+      ruleTypeIds: ['foo', 'bar'],
     });
     expect(result).toEqual({
       ruleExecutionStatus: {
@@ -179,7 +179,7 @@ describe('loadRuleAggregations', () => {
       Array [
         "/internal/alerting/rules/_aggregate",
         Object {
-          "body": "{\\"search_fields\\":\\"[\\\\\\"name\\\\\\",\\\\\\"tags\\\\\\"]\\",\\"search\\":\\"baz\\",\\"filter\\":\\"alert.attributes.alertTypeId:(foo or bar) and (alert.attributes.actions:{ actionTypeId:action } OR alert.attributes.actions:{ actionTypeId:type })\\",\\"default_search_operator\\":\\"AND\\"}",
+          "body": "{\\"search_fields\\":\\"[\\\\\\"name\\\\\\",\\\\\\"tags\\\\\\"]\\",\\"search\\":\\"baz\\",\\"filter\\":\\"(alert.attributes.actions:{ actionTypeId:action } OR alert.attributes.actions:{ actionTypeId:type })\\",\\"default_search_operator\\":\\"AND\\",\\"rule_type_ids\\":[\\"foo\\",\\"bar\\"]}",
         },
       ]
     `);
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/aggregate.ts b/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/aggregate.ts
index 8edb10811bd8e..af855075cca87 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/aggregate.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/aggregate.ts
@@ -39,15 +39,14 @@ export async function loadRuleTags({
 export async function loadRuleAggregations({
   http,
   searchText,
-  typesFilter,
   actionTypesFilter,
   ruleExecutionStatusesFilter,
   ruleStatusesFilter,
   tagsFilter,
-  filterConsumers,
+  ruleTypeIds,
+  consumers,
 }: LoadRuleAggregationsProps): Promise<AggregateRulesResponse> {
   const filters = mapFiltersToKql({
-    typesFilter,
     actionTypesFilter,
     ruleExecutionStatusesFilter,
     ruleStatusesFilter,
@@ -61,7 +60,8 @@ export async function loadRuleAggregations({
         search: searchText,
         filter: filters.length ? filters.join(' and ') : undefined,
         default_search_operator: 'AND',
-        filter_consumers: filterConsumers,
+        rule_type_ids: ruleTypeIds,
+        consumers,
       }),
     }
   );
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/aggregate_helpers.ts b/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/aggregate_helpers.ts
index 29462f07d5eec..fb787c249aeb9 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/aggregate_helpers.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/aggregate_helpers.ts
@@ -61,13 +61,13 @@ export const rewriteTagsBodyRes: RewriteRequestCase<GetRuleTagsResponse> = ({
 export interface LoadRuleAggregationsProps {
   http: HttpSetup;
   searchText?: string;
-  typesFilter?: string[];
   actionTypesFilter?: string[];
   ruleExecutionStatusesFilter?: string[];
   ruleLastRunOutcomesFilter?: string[];
   ruleStatusesFilter?: RuleStatus[];
   tagsFilter?: string[];
-  filterConsumers?: string[];
+  ruleTypeIds?: string[];
+  consumers?: string[];
 }
 
 export interface LoadRuleTagsProps {
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/aggregate_kuery_filter.test.ts b/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/aggregate_kuery_filter.test.ts
new file mode 100644
index 0000000000000..a76147033fe65
--- /dev/null
+++ b/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/aggregate_kuery_filter.test.ts
@@ -0,0 +1,115 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { httpServiceMock } from '@kbn/core/public/mocks';
+import { loadRuleAggregationsWithKueryFilter } from './aggregate_kuery_filter';
+
+const http = httpServiceMock.createStartContract();
+
+describe('loadRuleAggregationsWithKueryFilter', () => {
+  beforeEach(() => jest.resetAllMocks());
+
+  test('should call aggregate API with base parameters', async () => {
+    const resolvedValue = {
+      rule_execution_status: {
+        ok: 4,
+        active: 2,
+        error: 1,
+        pending: 1,
+        unknown: 0,
+      },
+    };
+    http.post.mockResolvedValueOnce(resolvedValue);
+
+    const result = await loadRuleAggregationsWithKueryFilter({ http });
+    expect(result).toEqual({
+      ruleExecutionStatus: {
+        ok: 4,
+        active: 2,
+        error: 1,
+        pending: 1,
+        unknown: 0,
+      },
+    });
+    expect(http.post.mock.calls[0]).toMatchInlineSnapshot(`
+      Array [
+        "/internal/alerting/rules/_aggregate",
+        Object {
+          "body": "{\\"default_search_operator\\":\\"AND\\"}",
+        },
+      ]
+    `);
+  });
+
+  test('should call aggregate API with ruleTypeIds', async () => {
+    const resolvedValue = {
+      rule_execution_status: {
+        ok: 4,
+        active: 2,
+        error: 1,
+        pending: 1,
+        unknown: 0,
+      },
+    };
+
+    http.post.mockResolvedValueOnce(resolvedValue);
+
+    const result = await loadRuleAggregationsWithKueryFilter({ http, ruleTypeIds: ['foo'] });
+    expect(result).toEqual({
+      ruleExecutionStatus: {
+        ok: 4,
+        active: 2,
+        error: 1,
+        pending: 1,
+        unknown: 0,
+      },
+    });
+
+    expect(http.post.mock.calls[0]).toMatchInlineSnapshot(`
+      Array [
+        "/internal/alerting/rules/_aggregate",
+        Object {
+          "body": "{\\"rule_type_ids\\":[\\"foo\\"],\\"default_search_operator\\":\\"AND\\"}",
+        },
+      ]
+    `);
+  });
+
+  test('should call aggregate API with consumers', async () => {
+    const resolvedValue = {
+      rule_execution_status: {
+        ok: 4,
+        active: 2,
+        error: 1,
+        pending: 1,
+        unknown: 0,
+      },
+    };
+
+    http.post.mockResolvedValueOnce(resolvedValue);
+
+    const result = await loadRuleAggregationsWithKueryFilter({ http, consumers: ['foo'] });
+    expect(result).toEqual({
+      ruleExecutionStatus: {
+        ok: 4,
+        active: 2,
+        error: 1,
+        pending: 1,
+        unknown: 0,
+      },
+    });
+
+    expect(http.post.mock.calls[0]).toMatchInlineSnapshot(`
+      Array [
+        "/internal/alerting/rules/_aggregate",
+        Object {
+          "body": "{\\"default_search_operator\\":\\"AND\\",\\"consumers\\":[\\"foo\\"]}",
+        },
+      ]
+    `);
+  });
+});
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/aggregate_kuery_filter.ts b/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/aggregate_kuery_filter.ts
index a0e270ddf2f67..dce41afcc8110 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/aggregate_kuery_filter.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/aggregate_kuery_filter.ts
@@ -16,15 +16,14 @@ import { mapFiltersToKueryNode } from './map_filters_to_kuery_node';
 export async function loadRuleAggregationsWithKueryFilter({
   http,
   searchText,
-  typesFilter,
   actionTypesFilter,
   ruleExecutionStatusesFilter,
   ruleStatusesFilter,
   tagsFilter,
-  filterConsumers,
+  ruleTypeIds,
+  consumers,
 }: LoadRuleAggregationsProps): Promise<AggregateRulesResponse> {
   const filtersKueryNode = mapFiltersToKueryNode({
-    typesFilter,
     actionTypesFilter,
     tagsFilter,
     ruleExecutionStatusesFilter,
@@ -37,8 +36,9 @@ export async function loadRuleAggregationsWithKueryFilter({
     {
       body: JSON.stringify({
         ...(filtersKueryNode ? { filter: JSON.stringify(filtersKueryNode) } : {}),
-        filter_consumers: filterConsumers,
+        rule_type_ids: ruleTypeIds,
         default_search_operator: 'AND',
+        consumers,
       }),
     }
   );
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/alert_fields.ts b/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/alert_fields.ts
deleted file mode 100644
index 7be5b3eec0e69..0000000000000
--- a/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/alert_fields.ts
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { ValidFeatureId } from '@kbn/rule-data-utils';
-import { HttpSetup } from '@kbn/core/public';
-import { FieldSpec } from '@kbn/data-views-plugin/common';
-import { BASE_RAC_ALERTS_API_PATH } from '@kbn/rule-registry-plugin/common';
-
-export async function fetchAlertFields({
-  http,
-  featureIds,
-}: {
-  http: HttpSetup;
-  featureIds: ValidFeatureId[];
-}): Promise<FieldSpec[]> {
-  const { fields: alertFields = [] } = await http.get<{ fields: FieldSpec[] }>(
-    `${BASE_RAC_ALERTS_API_PATH}/browser_fields`,
-    {
-      query: { featureIds },
-    }
-  );
-  return alertFields;
-}
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/alert_index.ts b/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/alert_index.ts
deleted file mode 100644
index 8ac678664168b..0000000000000
--- a/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/alert_index.ts
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { BASE_RAC_ALERTS_API_PATH } from '@kbn/rule-registry-plugin/common';
-import { HttpSetup } from '@kbn/core/public';
-
-export async function fetchAlertIndexNames({
-  http,
-  features,
-}: {
-  http: HttpSetup;
-  features: string;
-}): Promise<string[]> {
-  const { index_name: indexNamesStr = [] } = await http.get<{ index_name: string[] }>(
-    `${BASE_RAC_ALERTS_API_PATH}/index`,
-    {
-      query: { features },
-    }
-  );
-  return indexNamesStr;
-}
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/rule_types.test.ts b/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/rule_types.test.ts
index cd9e829c8045e..0c42a21d7d436 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/rule_types.test.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/rule_types.test.ts
@@ -30,6 +30,7 @@ describe('loadRuleTypes', () => {
         authorizedConsumers: {},
         minimumLicenseRequired: 'basic',
         enabledInLicense: true,
+        category: 'my-category',
       },
     ];
     http.get.mockResolvedValueOnce(resolvedValue);
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/rules.test.ts b/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/rules.test.ts
index b5a09e5a716f9..5fa4f83509650 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/rules.test.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/rules.test.ts
@@ -240,6 +240,55 @@ describe('loadRules', () => {
     `);
   });
 
+  test('should call find API with searchText and tagsFilter and ruleTypeIds and consumers', async () => {
+    const resolvedValue = {
+      page: 1,
+      per_page: 10,
+      total: 0,
+      data: [],
+    };
+    http.get.mockResolvedValueOnce(resolvedValue);
+
+    const result = await loadRules({
+      http,
+      searchText: 'apples, foo, baz',
+      typesFilter: ['foo', 'bar'],
+      ruleTypeIds: ['one', 'two'],
+      consumers: ['my-consumer'],
+      page: { index: 0, size: 10 },
+    });
+    expect(result).toEqual({
+      page: 1,
+      perPage: 10,
+      total: 0,
+      data: [],
+    });
+    expect(http.get.mock.calls[0]).toMatchInlineSnapshot(`
+      Array [
+        "/internal/alerting/rules/_find",
+        Object {
+          "query": Object {
+            "consumers": Array [
+              "my-consumer",
+            ],
+            "default_search_operator": "AND",
+            "filter": "alert.attributes.alertTypeId:(foo or bar)",
+            "page": 1,
+            "per_page": 10,
+            "rule_type_ids": Array [
+              "one",
+              "two",
+            ],
+            "search": "apples, foo, baz",
+            "search_fields": "[\\"name\\",\\"tags\\"]",
+            "sort_field": "name",
+            "sort_order": "asc",
+          },
+        },
+      ]
+    `);
+  });
+
   test('should call find API with ruleStatusesFilter', async () => {
     const resolvedValue = {
       page: 1,
@@ -374,4 +423,90 @@ describe('loadRules', () => {
       ]
     `);
   });
+
+  test('should call find API with ruleTypeIds', async () => {
+    const resolvedValue = {
+      page: 1,
+      per_page: 10,
+      total: 0,
+      data: [],
+    };
+    http.get.mockResolvedValueOnce(resolvedValue);
+
+    const result = await loadRules({
+      http,
+      ruleTypeIds: ['foo', 'bar'],
+      page: { index: 0, size: 10 },
+    });
+    expect(result).toEqual({
+      page: 1,
+      perPage: 10,
+      total: 0,
+      data: [],
+    });
+    expect(http.get.mock.calls[0]).toMatchInlineSnapshot(`
+      Array [
+        "/internal/alerting/rules/_find",
+        Object {
+          "query": Object {
+            "default_search_operator": "AND",
+            "filter": undefined,
+            "page": 1,
+            "per_page": 10,
+            "rule_type_ids": Array [
+              "foo",
+              "bar",
+            ],
+            "search": undefined,
+            "search_fields": undefined,
+            "sort_field": "name",
+            "sort_order": "asc",
+          },
+        },
+      ]
+    `);
+  });
+
+  test('should call find API with consumers', async () => {
+    const resolvedValue = {
+      page: 1,
+      per_page: 10,
+      total: 0,
+      data: [],
+    };
+    http.get.mockResolvedValueOnce(resolvedValue);
+
+    const result = await loadRules({
+      http,
+      consumers: ['foo', 'bar'],
+      page: { index: 0, size: 10 },
+    });
+    expect(result).toEqual({
+      page: 1,
+      perPage: 10,
+      total: 0,
+      data: [],
+    });
+    expect(http.get.mock.calls[0]).toMatchInlineSnapshot(`
+      Array [
+        "/internal/alerting/rules/_find",
+        Object {
+          "query": Object {
+            "consumers": Array [
+              "foo",
+              "bar",
+            ],
+            "default_search_operator": "AND",
+            "filter": undefined,
+            "page": 1,
+            "per_page": 10,
+            "search": undefined,
+            "search_fields": undefined,
+            "sort_field": "name",
+            "sort_order": "asc",
+          },
+        },
+      ]
+    `);
+  });
 });
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/rules.ts b/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/rules.ts
index 07a992c66c96c..8c17f18065c84 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/rules.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/rules.ts
@@ -21,6 +21,8 @@ export async function loadRules({
   ruleStatusesFilter,
   tagsFilter,
   sort = { field: 'name', direction: 'asc' },
+  ruleTypeIds,
+  consumers,
 }: LoadRulesProps): Promise<{
   page: number;
   perPage: number;
@@ -51,6 +53,8 @@ export async function loadRules({
       default_search_operator: 'AND',
       sort_field: sort.field,
       sort_order: sort.direction,
+      ...(ruleTypeIds ? { rule_type_ids: ruleTypeIds } : {}),
+      ...(consumers ? { consumers } : {}),
     },
   });
   return {
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/rules_helpers.ts b/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/rules_helpers.ts
index 4f8a8627bab52..aa1e2d1dac26f 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/rules_helpers.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/rules_helpers.ts
@@ -24,7 +24,8 @@ export interface LoadRulesProps {
   ruleStatusesFilter?: RuleStatus[];
   sort?: Sorting;
   kueryNode?: KueryNode;
-  filterConsumers?: string[];
+  ruleTypeIds?: string[];
+  consumers?: string[];
   hasReference?: {
     type: string;
     id: string;
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/rules_kuery_filter.test.ts b/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/rules_kuery_filter.test.ts
new file mode 100644
index 0000000000000..9e9821b8d82cb
--- /dev/null
+++ b/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/rules_kuery_filter.test.ts
@@ -0,0 +1,384 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { httpServiceMock } from '@kbn/core/public/mocks';
+import { loadRulesWithKueryFilter } from './rules_kuery_filter';
+
+const http = httpServiceMock.createStartContract();
+
+describe('loadRulesWithKueryFilter', () => {
+  beforeEach(() => jest.resetAllMocks());
+
+  test('should call find API with base parameters', async () => {
+    const resolvedValue = {
+      page: 1,
+      per_page: 10,
+      total: 0,
+      data: [],
+    };
+    http.post.mockResolvedValueOnce(resolvedValue);
+
+    const result = await loadRulesWithKueryFilter({ http, page: { index: 0, size: 10 } });
+    expect(result).toEqual({
+      page: 1,
+      perPage: 10,
+      total: 0,
+      data: [],
+    });
+    expect(http.post.mock.calls[0]).toMatchInlineSnapshot(`
+      Array [
+        "/internal/alerting/rules/_find",
+        Object {
+          "body": "{\\"page\\":1,\\"per_page\\":10,\\"sort_field\\":\\"name\\",\\"sort_order\\":\\"asc\\"}",
+        },
+      ]
+    `);
+  });
+
+  test('should call find API with searchText', async () => {
+    const resolvedValue = {
+      page: 1,
+      per_page: 10,
+      total: 0,
+      data: [],
+    };
+    http.post.mockResolvedValueOnce(resolvedValue);
+
+    const result = await loadRulesWithKueryFilter({
+      http,
+      searchText: 'apples',
+      page: { index: 0, size: 10 },
+    });
+    expect(result).toEqual({
+      page: 1,
+      perPage: 10,
+      total: 0,
+      data: [],
+    });
+    expect(http.post.mock.calls[0]).toMatchInlineSnapshot(`
+      Array [
+        "/internal/alerting/rules/_find",
+        Object {
+          "body": "{\\"page\\":1,\\"per_page\\":10,\\"filter\\":\\"{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"or\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.name\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"wildcard\\\\\\",\\\\\\"value\\\\\\":\\\\\\"apples\\\\\\"}]},{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.tags\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"wildcard\\\\\\",\\\\\\"value\\\\\\":\\\\\\"apples\\\\\\"}]}]}\\",\\"sort_field\\":\\"name\\",\\"sort_order\\":\\"asc\\"}",
+        },
+      ]
+    `);
+  });
+
+  test('should call find API with actionTypesFilter', async () => {
+    const resolvedValue = {
+      page: 1,
+      per_page: 10,
+      total: 0,
+      data: [],
+    };
+    http.post.mockResolvedValueOnce(resolvedValue);
+
+    const result = await loadRulesWithKueryFilter({
+      http,
+      searchText: 'foo',
+      page: { index: 0, size: 10 },
+    });
+    expect(result).toEqual({
+      page: 1,
+      perPage: 10,
+      total: 0,
+      data: [],
+    });
+    expect(http.post.mock.calls[0]).toMatchInlineSnapshot(`
+      Array [
+        "/internal/alerting/rules/_find",
+        Object {
+          "body": "{\\"page\\":1,\\"per_page\\":10,\\"filter\\":\\"{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"or\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.name\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"wildcard\\\\\\",\\\\\\"value\\\\\\":\\\\\\"foo\\\\\\"}]},{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.tags\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"wildcard\\\\\\",\\\\\\"value\\\\\\":\\\\\\"foo\\\\\\"}]}]}\\",\\"sort_field\\":\\"name\\",\\"sort_order\\":\\"asc\\"}",
+        },
+      ]
+    `);
+  });
+
+  test('should call find API with typesFilter', async () => {
+    const resolvedValue = {
+      page: 1,
+      per_page: 10,
+      total: 0,
+      data: [],
+    };
+    http.post.mockResolvedValueOnce(resolvedValue);
+
+    const result = await loadRulesWithKueryFilter({
+      http,
+      typesFilter: ['foo', 'bar'],
+      page: { index: 0, size: 10 },
+    });
+    expect(result).toEqual({
+      page: 1,
+      perPage: 10,
+      total: 0,
+      data: [],
+    });
+    expect(http.post.mock.calls[0]).toMatchInlineSnapshot(`
+      Array [
+        "/internal/alerting/rules/_find",
+        Object {
+          "body": "{\\"page\\":1,\\"per_page\\":10,\\"filter\\":\\"{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"or\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.alertTypeId\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"foo\\\\\\",\\\\\\"isQuoted\\\\\\":false}]},{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.alertTypeId\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"bar\\\\\\",\\\\\\"isQuoted\\\\\\":false}]}]}\\",\\"sort_field\\":\\"name\\",\\"sort_order\\":\\"asc\\"}",
+        },
+      ]
+    `);
+  });
+
+  test('should call find API with actionTypesFilter and typesFilter', async () => {
+    const resolvedValue = {
+      page: 1,
+      per_page: 10,
+      total: 0,
+      data: [],
+    };
+    http.post.mockResolvedValueOnce(resolvedValue);
+
+    const result = await loadRulesWithKueryFilter({
+      http,
+      searchText: 'baz',
+      typesFilter: ['foo', 'bar'],
+      page: { index: 0, size: 10 },
+    });
+    expect(result).toEqual({
+      page: 1,
+      perPage: 10,
+      total: 0,
+      data: [],
+    });
+    expect(http.post.mock.calls[0]).toMatchInlineSnapshot(`
+      Array [
+        "/internal/alerting/rules/_find",
+        Object {
+          "body": "{\\"page\\":1,\\"per_page\\":10,\\"filter\\":\\"{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"and\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"or\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.alertTypeId\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"foo\\\\\\",\\\\\\"isQuoted\\\\\\":false}]},{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.alertTypeId\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"bar\\\\\\",\\\\\\"isQuoted\\\\\\":false}]}]},{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"or\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.name\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"wildcard\\\\\\",\\\\\\"value\\\\\\":\\\\\\"baz\\\\\\"}]},{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.tags\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"wildcard\\\\\\",\\\\\\"value\\\\\\":\\\\\\"baz\\\\\\"}]}]}]}\\",\\"sort_field\\":\\"name\\",\\"sort_order\\":\\"asc\\"}",
+        },
+      ]
+    `);
+  });
+
+  test('should call find API with searchText and tagsFilter and typesFilter', async () => {
+    const resolvedValue = {
+      page: 1,
+      per_page: 10,
+      total: 0,
+      data: [],
+    };
+    http.post.mockResolvedValueOnce(resolvedValue);
+
+    const result = await loadRulesWithKueryFilter({
+      http,
+      searchText: 'apples, foo, baz',
+      typesFilter: ['foo', 'bar'],
+      page: { index: 0, size: 10 },
+    });
+    expect(result).toEqual({
+      page: 1,
+      perPage: 10,
+      total: 0,
+      data: [],
+    });
+    expect(http.post.mock.calls[0]).toMatchInlineSnapshot(`
+      Array [
+        "/internal/alerting/rules/_find",
+        Object {
+          "body": "{\\"page\\":1,\\"per_page\\":10,\\"filter\\":\\"{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"and\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"or\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.alertTypeId\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"foo\\\\\\",\\\\\\"isQuoted\\\\\\":false}]},{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.alertTypeId\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"bar\\\\\\",\\\\\\"isQuoted\\\\\\":false}]}]},{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"or\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.name\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"wildcard\\\\\\",\\\\\\"value\\\\\\":\\\\\\"apples, foo, baz\\\\\\"}]},{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.tags\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"wildcard\\\\\\",\\\\\\"value\\\\\\":\\\\\\"apples, foo, baz\\\\\\"}]}]}]}\\",\\"sort_field\\":\\"name\\",\\"sort_order\\":\\"asc\\"}",
+        },
+      ]
+    `);
+  });
+
+  test('should call find API with searchText and tagsFilter and ruleTypeIds and consumers', async () => {
+    const resolvedValue = {
+      page: 1,
+      per_page: 10,
+      total: 0,
+      data: [],
+    };
+    http.post.mockResolvedValueOnce(resolvedValue);
+
+    const result = await loadRulesWithKueryFilter({
+      http,
+      searchText: 'apples, foo, baz',
+      typesFilter: ['foo', 'bar'],
+      ruleTypeIds: ['one', 'two'],
+      consumers: ['my-consumer'],
+      page: { index: 0, size: 10 },
+    });
+    expect(result).toEqual({
+      page: 1,
+      perPage: 10,
+      total: 0,
+      data: [],
+    });
+    expect(http.post.mock.calls[0]).toMatchInlineSnapshot(`
+      Array [
+        "/internal/alerting/rules/_find",
+        Object {
+          "body": "{\\"page\\":1,\\"per_page\\":10,\\"filter\\":\\"{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"and\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"or\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.alertTypeId\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"foo\\\\\\",\\\\\\"isQuoted\\\\\\":false}]},{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.alertTypeId\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"bar\\\\\\",\\\\\\"isQuoted\\\\\\":false}]}]},{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"or\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.name\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"wildcard\\\\\\",\\\\\\"value\\\\\\":\\\\\\"apples, foo, baz\\\\\\"}]},{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.tags\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"wildcard\\\\\\",\\\\\\"value\\\\\\":\\\\\\"apples, foo, baz\\\\\\"}]}]}]}\\",\\"sort_field\\":\\"name\\",\\"sort_order\\":\\"asc\\",\\"rule_type_ids\\":[\\"one\\",\\"two\\"],\\"consumers\\":[\\"my-consumer\\"]}",
+        },
+      ]
+    `);
+  });
+
+  test('should call find API with ruleStatusesFilter', async () => {
+    const resolvedValue = {
+      page: 1,
+      per_page: 10,
+      total: 0,
+      data: [],
+    };
+    http.post.mockResolvedValue(resolvedValue);
+
+    let result = await loadRulesWithKueryFilter({
+      http,
+      ruleStatusesFilter: ['enabled', 'snoozed'],
+      page: { index: 0, size: 10 },
+    });
+    expect(result).toEqual({
+      page: 1,
+      perPage: 10,
+      total: 0,
+      data: [],
+    });
+    expect(http.post.mock.calls[0]).toMatchInlineSnapshot(`
+      Array [
+        "/internal/alerting/rules/_find",
+        Object {
+          "body": "{\\"page\\":1,\\"per_page\\":10,\\"filter\\":\\"{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"or\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.enabled\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":true,\\\\\\"isQuoted\\\\\\":false}]},{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"or\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.muteAll\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":true,\\\\\\"isQuoted\\\\\\":false}]},{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"nested\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.snoozeSchedule\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"range\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"duration\\\\\\",\\\\\\"isQuoted\\\\\\":false},\\\\\\"gt\\\\\\",{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"0\\\\\\",\\\\\\"isQuoted\\\\\\":false}]}]}]}]}\\",\\"sort_field\\":\\"name\\",\\"sort_order\\":\\"asc\\"}",
+        },
+      ]
+    `);
+
+    result = await loadRulesWithKueryFilter({
+      http,
+      ruleStatusesFilter: ['disabled'],
+      page: { index: 0, size: 10 },
+    });
+    expect(result).toEqual({
+      page: 1,
+      perPage: 10,
+      total: 0,
+      data: [],
+    });
+    expect(http.post.mock.calls[1]).toMatchInlineSnapshot(`
+      Array [
+        "/internal/alerting/rules/_find",
+        Object {
+          "body": "{\\"page\\":1,\\"per_page\\":10,\\"filter\\":\\"{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.enabled\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":false,\\\\\\"isQuoted\\\\\\":false}]}\\",\\"sort_field\\":\\"name\\",\\"sort_order\\":\\"asc\\"}",
+        },
+      ]
+    `);
+
+    result = await loadRulesWithKueryFilter({
+      http,
+      ruleStatusesFilter: ['enabled', 'disabled', 'snoozed'],
+      page: { index: 0, size: 10 },
+    });
+    expect(result).toEqual({
+      page: 1,
+      perPage: 10,
+      total: 0,
+      data: [],
+    });
+    expect(http.post.mock.calls[2]).toMatchInlineSnapshot(`
+      Array [
+        "/internal/alerting/rules/_find",
+        Object {
+          "body": "{\\"page\\":1,\\"per_page\\":10,\\"filter\\":\\"{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"or\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.enabled\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":true,\\\\\\"isQuoted\\\\\\":false}]},{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.enabled\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":false,\\\\\\"isQuoted\\\\\\":false}]},{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"or\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.muteAll\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":true,\\\\\\"isQuoted\\\\\\":false}]},{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"nested\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.snoozeSchedule\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"range\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"duration\\\\\\",\\\\\\"isQuoted\\\\\\":false},\\\\\\"gt\\\\\\",{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"0\\\\\\",\\\\\\"isQuoted\\\\\\":false}]}]}]}]}\\",\\"sort_field\\":\\"name\\",\\"sort_order\\":\\"asc\\"}",
+        },
+      ]
+    `);
+  });
+
+  test('should call find API with tagsFilter', async () => {
+    const resolvedValue = {
+      page: 1,
+      per_page: 10,
+      total: 0,
+      data: [],
+    };
+    http.post.mockResolvedValueOnce(resolvedValue);
+    const result = await loadRulesWithKueryFilter({
+      http,
+      tagsFilter: ['a', 'b', 'c'],
+      page: { index: 0, size: 10 },
+    });
+    expect(result).toEqual({
+      page: 1,
+      perPage: 10,
+      total: 0,
+      data: [],
+    });
+    expect(http.post.mock.calls[0]).toMatchInlineSnapshot(`
+      Array [
+        "/internal/alerting/rules/_find",
+        Object {
+          "body": "{\\"page\\":1,\\"per_page\\":10,\\"filter\\":\\"{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"or\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.tags\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"a\\\\\\",\\\\\\"isQuoted\\\\\\":false}]},{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.tags\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"b\\\\\\",\\\\\\"isQuoted\\\\\\":false}]},{\\\\\\"type\\\\\\":\\\\\\"function\\\\\\",\\\\\\"function\\\\\\":\\\\\\"is\\\\\\",\\\\\\"arguments\\\\\\":[{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"alert.attributes.tags\\\\\\",\\\\\\"isQuoted\\\\\\":false},{\\\\\\"type\\\\\\":\\\\\\"literal\\\\\\",\\\\\\"value\\\\\\":\\\\\\"c\\\\\\",\\\\\\"isQuoted\\\\\\":false}]}]}\\",\\"sort_field\\":\\"name\\",\\"sort_order\\":\\"asc\\"}",
+        },
+      ]
+    `);
+  });
+
+  test('should call find API with ruleTypeIds', async () => {
+    const resolvedValue = {
+      page: 1,
+      per_page: 10,
+      total: 0,
+      data: [],
+    };
+    http.post.mockResolvedValueOnce(resolvedValue);
+
+    const result = await loadRulesWithKueryFilter({
+      http,
+      ruleTypeIds: ['foo', 'bar'],
+      page: { index: 0, size: 10 },
+    });
+    expect(result).toEqual({
+      page: 1,
+      perPage: 10,
+      total: 0,
+      data: [],
+    });
+    expect(http.post.mock.calls[0]).toMatchInlineSnapshot(`
+      Array [
+        "/internal/alerting/rules/_find",
+        Object {
+          "body": "{\\"page\\":1,\\"per_page\\":10,\\"sort_field\\":\\"name\\",\\"sort_order\\":\\"asc\\",\\"rule_type_ids\\":[\\"foo\\",\\"bar\\"]}",
+        },
+      ]
+    `);
+  });
+
+  test('should call find API with consumers', async () => {
+    const resolvedValue = {
+      page: 1,
+      per_page: 10,
+      total: 0,
+      data: [],
+    };
+    http.post.mockResolvedValueOnce(resolvedValue);
+
+    const result = await loadRulesWithKueryFilter({
+      http,
+      consumers: ['foo', 'bar'],
+      page: { index: 0, size: 10 },
+    });
+    expect(result).toEqual({
+      page: 1,
+      perPage: 10,
+      total: 0,
+      data: [],
+    });
+    expect(http.post.mock.calls[0]).toMatchInlineSnapshot(`
+      Array [
+        "/internal/alerting/rules/_find",
+        Object {
+          "body": "{\\"page\\":1,\\"per_page\\":10,\\"sort_field\\":\\"name\\",\\"sort_order\\":\\"asc\\",\\"consumers\\":[\\"foo\\",\\"bar\\"]}",
+        },
+      ]
+    `);
+  });
+});
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/rules_kuery_filter.ts b/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/rules_kuery_filter.ts
index 7c731dbfb016c..c765f8f478041 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/rules_kuery_filter.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/application/lib/rule_api/rules_kuery_filter.ts
@@ -24,8 +24,9 @@ export async function loadRulesWithKueryFilter({
   tagsFilter,
   sort = { field: 'name', direction: 'asc' },
   kueryNode,
-  filterConsumers,
+  ruleTypeIds,
   hasReference,
+  consumers,
 }: LoadRulesProps): Promise<{
   page: number;
   perPage: number;
@@ -58,8 +59,9 @@ export async function loadRulesWithKueryFilter({
       ...(filtersKueryNode ? { filter: JSON.stringify(filtersKueryNode) } : {}),
       sort_field: sort.field,
       sort_order: sort.direction,
-      filter_consumers: filterConsumers,
       ...(hasReference ? { has_reference: hasReference } : {}),
+      ...(ruleTypeIds ? { rule_type_ids: ruleTypeIds } : {}),
+      ...(consumers ? { consumers } : {}),
     }),
   });
 
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/lib/search_filters.ts b/x-pack/plugins/triggers_actions_ui/public/application/lib/search_filters.ts
index 3ae6a01633e40..532f49a159c89 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/lib/search_filters.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/application/lib/search_filters.ts
@@ -11,72 +11,78 @@ import {
   AlertConsumers,
   DefaultAlertFieldName,
 } from '@kbn/rule-data-utils';
-import { FILTERS, FilterStateStore, PhraseFilter, PhrasesFilter } from '@kbn/es-query';
+import { FILTERS, FilterStateStore, PhrasesFilter } from '@kbn/es-query';
 
 const $state = {
   store: FilterStateStore.APP_STATE,
 };
 
 export type AlertsFeatureIdsFilter = PhrasesFilter & {
-  meta: Pick<PhrasesFilter, 'meta'> & { alertsFeatureIds: AlertConsumers[] };
+  meta: PhrasesFilter['meta'] & { ruleTypeIds: string[]; consumers: string[] };
 };
 
 /**
  * Creates a match_phrase filter without an index pattern
  */
-export const createMatchPhraseFilter = (field: DefaultAlertFieldName, value: unknown) =>
-  ({
-    meta: {
-      field,
-      type: FILTERS.PHRASE,
-      key: field,
-      alias: null,
-      disabled: false,
-      index: undefined,
-      negate: false,
-      params: { query: value },
-      value: undefined,
-    },
-    $state,
-    query: {
-      match_phrase: {
-        [field]: value,
-      },
+export const createMatchPhraseFilter = (
+  field: DefaultAlertFieldName,
+  value: string
+): AlertsFeatureIdsFilter => ({
+  meta: {
+    field,
+    type: FILTERS.PHRASE,
+    key: field,
+    alias: null,
+    disabled: false,
+    index: undefined,
+    negate: false,
+    // @ts-expect-error
+    params: { query: value },
+    value: undefined,
+    ruleTypeIds: [],
+    consumers: [],
+  },
+  $state,
+  query: {
+    match_phrase: {
+      [field]: value,
     },
-  } as PhraseFilter);
+  },
+});
 
 /**
  * Creates a match_phrases filter without an index pattern
  */
 export const createMatchPhrasesFilter = (
   field: DefaultAlertFieldName,
-  values: unknown[],
+  values: string[],
   alias: string | null = null
-) =>
-  ({
-    meta: {
-      field,
-      type: FILTERS.PHRASES,
-      key: field,
-      alias,
-      disabled: false,
-      index: undefined,
-      negate: false,
-      params: values,
-      value: undefined,
-    },
-    $state,
-    query: {
-      bool: {
-        minimum_should_match: 1,
-        should: values.map((v) => ({
-          match_phrase: {
-            [field]: v,
-          },
-        })),
-      },
+): AlertsFeatureIdsFilter => ({
+  meta: {
+    field,
+    type: FILTERS.PHRASES,
+    key: field,
+    alias,
+    disabled: false,
+    index: undefined,
+    negate: false,
+    params: values,
+    value: undefined,
+    ruleTypeIds: [],
+    consumers: [],
+  },
+  $state,
+  query: {
+    bool: {
+      minimum_should_match: 1,
+      should: values.map((v) => ({
+        match_phrase: {
+          [field]: v,
+        },
+      })),
     },
-  } as PhrasesFilter);
+  },
+});
 
 /**
  * Creates a match_phrase filter targeted to filtering alerts by producer
@@ -88,15 +94,12 @@ export const createRuleProducerFilter = (producer: AlertConsumers) =>
  * Creates a match_phrase filter targeted to filtering alerts by rule type ids
  */
 export const createRuleTypesFilter = (
-  featureIds: AlertConsumers[],
-  alias: string,
-  ruleTypeIds: string[]
+  ruleTypeIds: string[],
+  consumers: string[],
+  alias: string
 ) => {
-  const filter = createMatchPhrasesFilter(
-    ALERT_RULE_TYPE_ID,
-    ruleTypeIds,
-    alias
-  ) as AlertsFeatureIdsFilter;
-  filter.meta.alertsFeatureIds = featureIds;
+  const filter = createMatchPhrasesFilter(ALERT_RULE_TYPE_ID, ruleTypeIds, alias);
+  filter.meta.ruleTypeIds = ruleTypeIds;
+  filter.meta.consumers = consumers;
   return filter;
 };
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/action_connector_form/action_form.test.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/action_connector_form/action_form.test.tsx
index 74b528ba7a64a..2c5f159d0a76f 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/action_connector_form/action_form.test.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/action_connector_form/action_form.test.tsx
@@ -399,6 +399,7 @@ describe('action_form', () => {
         }
         actionTypeRegistry={actionTypeRegistry}
         setHasActionsWithBrokenConnector={setHasActionsWithBrokenConnector}
+        ruleTypeId=".es-query"
       />
     );
 
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/action_connector_form/action_type_form.test.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/action_connector_form/action_type_form.test.tsx
index 116b416ac98f1..945ab23c43611 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/action_connector_form/action_type_form.test.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/action_connector_form/action_type_form.test.tsx
@@ -136,6 +136,7 @@ describe('action_type_form', () => {
     const wrapper = mountWithIntl(
       getActionTypeForm({
         index: 1,
+        ruleTypeId: '.es-query',
         actionItem: {
           id: '123',
           actionTypeId: '.pagerduty',
@@ -190,6 +191,7 @@ describe('action_type_form', () => {
       <I18nProvider>
         {getActionTypeForm({
           index: 1,
+          ruleTypeId: '.es-query',
           actionItem: {
             id: '123',
             actionTypeId: '.pagerduty',
@@ -239,6 +241,7 @@ describe('action_type_form', () => {
       <I18nProvider>
         {getActionTypeForm({
           index: 1,
+          ruleTypeId: 'siem.esqlRule',
           actionItem: {
             id: '123',
             actionTypeId: '.pagerduty',
@@ -288,6 +291,7 @@ describe('action_type_form', () => {
     const wrapper = mountWithIntl(
       getActionTypeForm({
         index: 1,
+        ruleTypeId: '.es-query',
         actionItem: {
           id: '123',
           actionTypeId: '.pagerduty',
@@ -340,6 +344,7 @@ describe('action_type_form', () => {
     const wrapper = mountWithIntl(
       getActionTypeForm({
         index: 1,
+        ruleTypeId: '.es-query',
         actionItem: {
           id: '123',
           actionTypeId: '.pagerduty',
@@ -413,6 +418,7 @@ describe('action_type_form', () => {
         {getActionTypeForm({
           index: 1,
           actionItem,
+          ruleTypeId: '.es-query',
           setActionFrequencyProperty: () => {
             actionItem.frequency = {
               notifyWhen: RuleNotifyWhen.ACTIVE,
@@ -551,6 +557,7 @@ describe('action_type_form', () => {
         <IntlProvider locale="en">
           {getActionTypeForm({
             index: 1,
+            ruleTypeId: '.es-query',
             actionItem,
             notifyWhenSelectOptions: CUSTOM_NOTIFY_WHEN_OPTIONS,
           })}
@@ -604,6 +611,7 @@ describe('action_type_form', () => {
         <IntlProvider locale="en">
           {getActionTypeForm({
             index: 1,
+            ruleTypeId: '.es-query',
             actionItem,
             notifyWhenSelectOptions: CUSTOM_NOTIFY_WHEN_OPTIONS,
           })}
@@ -664,7 +672,7 @@ function getActionTypeForm({
   messageVariables?: ActionVariables;
   summaryMessageVariables?: ActionVariables;
   notifyWhenSelectOptions?: NotifyWhenSelectOptions[];
-  ruleTypeId?: string;
+  ruleTypeId: string;
   producerId?: string;
   featureId?: string;
 }) {
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/action_connector_form/action_type_form.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/action_connector_form/action_type_form.tsx
index 9af97b713dff3..8e95473ceca4c 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/action_connector_form/action_type_form.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/action_connector_form/action_type_form.tsx
@@ -8,7 +8,7 @@
 import React, { Suspense, useEffect, useState, useCallback, useMemo } from 'react';
 import { i18n } from '@kbn/i18n';
 import { FormattedMessage } from '@kbn/i18n-react';
-import { ValidFeatureId, AlertConsumers } from '@kbn/rule-data-utils';
+import { AlertConsumers } from '@kbn/rule-data-utils';
 import {
   EuiFlexGroup,
   EuiFlexItem,
@@ -507,7 +507,6 @@ export const ActionTypeForm = ({
               <RuleActionsAlertsFilter
                 action={actionItem}
                 onChange={(query) => setActionAlertsFilterProperty('query', query, index)}
-                featureIds={[producerId as ValidFeatureId]}
                 appName={featureId!}
                 ruleTypeId={ruleTypeId}
                 plugins={{
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/action_connector_form/connector_rules_list.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/action_connector_form/connector_rules_list.tsx
index c2e89eb31fe84..719cd0fef2377 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/action_connector_form/connector_rules_list.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/action_connector_form/connector_rules_list.tsx
@@ -73,7 +73,6 @@ export const ConnectorRulesList = (props: ConnectorRulesListProps) => {
   const ruleFilters = useMemo(() => {
     const baseFilters = {
       searchText: searchFilter,
-      types: ruleTypeIds,
     };
 
     if (connector.isPreconfigured) {
@@ -105,10 +104,11 @@ export const ConnectorRulesList = (props: ConnectorRulesListProps) => {
         id: connector.id,
       },
     };
-  }, [connector, searchFilter, ruleTypeIds]);
+  }, [connector, searchFilter]);
 
   const { rulesState } = useLoadRulesQuery({
     ...ruleFilters,
+    ruleTypeIds,
     hasDefaultRuleTypesFiltersOn: ruleTypeIds.length === 0,
     page,
     sort,
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_summary_widget/alert_summary_widget.test.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_summary_widget/alert_summary_widget.test.tsx
index 743c475a287b3..84c2e4c5468a9 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_summary_widget/alert_summary_widget.test.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_summary_widget/alert_summary_widget.test.tsx
@@ -52,7 +52,7 @@ describe('AlertSummaryWidget', () => {
       <IntlProvider locale="en">
         <AlertSummaryWidget
           chartProps={mockedChartProps}
-          featureIds={['apm', 'uptime', 'logs']}
+          ruleTypeIds={['apm', 'uptime', 'logs']}
           onClick={jest.fn}
           timeRange={mockedTimeRange}
           dependencies={dependencies}
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_summary_widget/alert_summary_widget.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_summary_widget/alert_summary_widget.tsx
index b3ed78ba43a40..9fcc195a17ecf 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_summary_widget/alert_summary_widget.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_summary_widget/alert_summary_widget.tsx
@@ -19,7 +19,8 @@ import { AlertSummaryWidgetDependencies, DependencyProps } from './types';
 
 export const AlertSummaryWidget = ({
   chartProps,
-  featureIds,
+  ruleTypeIds,
+  consumers,
   filter,
   fullSize,
   onClick = () => {},
@@ -34,7 +35,8 @@ export const AlertSummaryWidget = ({
     isLoading,
     error,
   } = useLoadAlertSummary({
-    featureIds,
+    ruleTypeIds,
+    consumers,
     filter,
     timeRange,
   });
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_summary_widget/types.ts b/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_summary_widget/types.ts
index 2393ff9c16a64..88b40289cb6e0 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_summary_widget/types.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alert_summary_widget/types.ts
@@ -8,7 +8,7 @@
 import type { BrushEndListener, PartialTheme, SettingsProps, Theme } from '@elastic/charts';
 import { estypes } from '@elastic/elasticsearch';
 import { IUiSettingsClient } from '@kbn/core-ui-settings-browser';
-import { AlertStatus, ValidFeatureId } from '@kbn/rule-data-utils';
+import { AlertStatus } from '@kbn/rule-data-utils';
 import { ChartsPluginStart } from '@kbn/charts-plugin/public';
 
 export interface Alert {
@@ -48,7 +48,8 @@ export interface DependencyProps {
 }
 
 export interface AlertSummaryWidgetProps {
-  featureIds?: ValidFeatureId[];
+  ruleTypeIds?: string[];
+  consumers?: string[];
   filter?: estypes.QueryDslQueryContainer;
   fullSize?: boolean;
   onClick?: (status?: AlertStatus) => void;
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_page/components/stack_alerts_page.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_page/components/stack_alerts_page.tsx
index 26f4c3fd43bf0..f5a39ab5ac0d3 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_page/components/stack_alerts_page.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_page/components/stack_alerts_page.tsx
@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import React, { lazy, Suspense, useEffect, useMemo, useState } from 'react';
+import React, { lazy, Suspense, useCallback, useEffect, useMemo, useState } from 'react';
 import { i18n } from '@kbn/i18n';
 import {
   EuiBetaBadge,
@@ -21,9 +21,10 @@ import {
   ALERT_STATUS_RECOVERED,
   ALERT_STATUS_UNTRACKED,
   AlertConsumers,
+  isSiemRuleType,
 } from '@kbn/rule-data-utils';
 import { QueryClientProvider } from '@tanstack/react-query';
-import { BoolQuery } from '@kbn/es-query';
+import { BoolQuery, Filter } from '@kbn/es-query';
 import { FormattedMessage } from '@kbn/i18n-react';
 import { ALERTS_PAGE_ID } from '../../../../common/constants';
 import { QuickFiltersMenuItem } from '../../alerts_search_bar/quick_filters';
@@ -31,7 +32,6 @@ import { NoPermissionPrompt } from '../../../components/prompts/no_permission_pr
 import { ALERT_TABLE_GLOBAL_CONFIG_ID } from '../../../constants';
 import { useRuleStats } from '../hooks/use_rule_stats';
 import { getAlertingSectionBreadcrumb } from '../../../lib/breadcrumb';
-import { NON_SIEM_FEATURE_IDS } from '../../alerts_search_bar/constants';
 import { alertProducersData } from '../../alerts_table/constants';
 import { UrlSyncedAlertsSearchBar } from '../../alerts_search_bar/url_synced_alerts_search_bar';
 import { useKibana } from '../../../../common/lib/kibana';
@@ -41,11 +41,21 @@ import {
   Provider,
 } from '../../alerts_search_bar/use_alert_search_bar_state_container';
 import { getCurrentDocTitle } from '../../../lib/doc_title';
-import { createMatchPhraseFilter, createRuleTypesFilter } from '../../../lib/search_filters';
+import {
+  AlertsFeatureIdsFilter,
+  createMatchPhraseFilter,
+  createRuleTypesFilter,
+} from '../../../lib/search_filters';
 import { useLoadRuleTypesQuery } from '../../../hooks/use_load_rule_types_query';
 import { nonNullable } from '../../../../../common/utils';
-import { useRuleTypeIdsByFeatureId } from '../hooks/use_rule_type_ids_by_feature_id';
+import {
+  RuleTypeIdsByFeatureId,
+  useRuleTypeIdsByFeatureId,
+} from '../hooks/use_rule_type_ids_by_feature_id';
 import { TECH_PREVIEW_DESCRIPTION, TECH_PREVIEW_LABEL } from '../../translations';
+import { AlertsTableSupportedConsumers } from '../../alerts_table/types';
+import { NON_SIEM_CONSUMERS } from '../../alerts_search_bar/constants';
+
 const AlertsTable = lazy(() => import('../../alerts_table/alerts_table_state'));
 
 /**
@@ -55,7 +65,7 @@ export const StackAlertsPage = () => {
   return (
     <Provider value={alertSearchBarStateContainer}>
       <QueryClientProvider client={alertsTableQueryClient}>
-        <PageContent />
+        <PageContentWrapper />
       </QueryClientProvider>
     </Provider>
   );
@@ -69,61 +79,121 @@ const getFeatureFilterLabel = (featureName: string) =>
     },
   });
 
-const PageContent = () => {
+const PageContentWrapperComponent: React.FC = () => {
   const {
     chrome: { docTitle },
     setBreadcrumbs,
-    alertsTableConfigurationRegistry,
   } = useKibana().services;
-  const [esQuery, setEsQuery] = useState({ bool: {} } as { bool: BoolQuery });
-  const [activeFeatureFilters, setActiveFeatureFilters] = useState<AlertConsumers[]>([]);
 
-  const ruleStats = useRuleStats();
   const {
     ruleTypesState: { data: ruleTypesIndex, initialLoad: isInitialLoadingRuleTypes },
     authorizedToReadAnyRules,
   } = useLoadRuleTypesQuery({ filteredRuleTypes: [] });
+
   const ruleTypeIdsByFeatureId = useRuleTypeIdsByFeatureId(ruleTypesIndex);
 
-  const browsingSiem = useMemo(
-    () => activeFeatureFilters.length === 1 && activeFeatureFilters[0] === AlertConsumers.SIEM,
-    [activeFeatureFilters]
-  );
-  const filteringBySolution = useMemo(
-    () => activeFeatureFilters.length > 0,
-    [activeFeatureFilters.length]
+  useEffect(() => {
+    setBreadcrumbs([getAlertingSectionBreadcrumb('alerts')]);
+    docTitle.change(getCurrentDocTitle('alerts'));
+  }, [docTitle, setBreadcrumbs]);
+
+  return !isInitialLoadingRuleTypes ? (
+    <PageContent
+      isLoading={isInitialLoadingRuleTypes}
+      authorizedToReadAnyRules={authorizedToReadAnyRules}
+      ruleTypeIdsByFeatureId={ruleTypeIdsByFeatureId}
+    />
+  ) : null;
+};
+
+const PageContentWrapper = React.memo(PageContentWrapperComponent);
+
+interface PageContentProps {
+  isLoading: boolean;
+  authorizedToReadAnyRules: boolean;
+  ruleTypeIdsByFeatureId: RuleTypeIdsByFeatureId;
+}
+
+const PageContentComponent: React.FC<PageContentProps> = ({
+  isLoading,
+  authorizedToReadAnyRules,
+  ruleTypeIdsByFeatureId,
+}) => {
+  const { alertsTableConfigurationRegistry } = useKibana().services;
+  const ruleTypeIdsByFeatureIdEntries = Object.entries(ruleTypeIdsByFeatureId);
+
+  const [esQuery, setEsQuery] = useState({ bool: {} } as { bool: BoolQuery });
+  const [ruleTypeIds, setRuleTypeIds] = useState<string[]>(() =>
+    getInitialRuleTypeIds(ruleTypeIdsByFeatureId)
   );
-  const featureIds = useMemo(
-    () =>
-      filteringBySolution
-        ? browsingSiem
-          ? [AlertConsumers.SIEM]
-          : activeFeatureFilters
-        : NON_SIEM_FEATURE_IDS,
-    [activeFeatureFilters, browsingSiem, filteringBySolution]
+
+  const [consumers, setConsumers] = useState<string[]>(NON_SIEM_CONSUMERS);
+
+  const [selectedFilters, setSelectedFilters] = useState<AlertsFeatureIdsFilter[]>([]);
+  const ruleStats = useRuleStats({ ruleTypeIds });
+  const isFilteringSecurityRules = ruleTypeIds.every(isSiemRuleType);
+
+  const onFilterSelected = useCallback(
+    (filters: Filter[]) => {
+      const newRuleTypeIds = [
+        ...new Set(
+          filters
+            .flatMap((ruleTypeId) => (ruleTypeId as AlertsFeatureIdsFilter).meta.ruleTypeIds)
+            .filter(nonNullable)
+        ),
+      ];
+
+      const newConsumers = [
+        ...new Set(
+          filters
+            .flatMap((ruleTypeId) => (ruleTypeId as AlertsFeatureIdsFilter).meta.consumers)
+            .filter(nonNullable)
+        ),
+      ];
+
+      setSelectedFilters(filters as AlertsFeatureIdsFilter[]);
+
+      if (newRuleTypeIds.length > 0) {
+        setRuleTypeIds(newRuleTypeIds);
+        setConsumers(newConsumers);
+        return;
+      }
+
+      setRuleTypeIds(getInitialRuleTypeIds(ruleTypeIdsByFeatureId));
+      setConsumers(NON_SIEM_CONSUMERS);
+    },
+    [ruleTypeIdsByFeatureId]
   );
+
   const quickFilters = useMemo(() => {
     const filters: QuickFiltersMenuItem[] = [];
-    if (Object.values(ruleTypeIdsByFeatureId).length > 0) {
+    if (ruleTypeIdsByFeatureIdEntries.length > 0) {
       filters.push(
-        ...Object.entries(ruleTypeIdsByFeatureId)
-          .map(([featureId, ruleTypeIds]) => {
-            const producerData = alertProducersData[featureId as AlertConsumers];
+        ...ruleTypeIdsByFeatureIdEntries
+          .map(([consumer, _ruleTypeIds]) => {
+            const producerData = alertProducersData[consumer as AlertsTableSupportedConsumers];
             if (!producerData) {
               return null;
             }
+
             const filterLabel = getFeatureFilterLabel(producerData.displayName);
-            const disabled =
-              filteringBySolution && featureId === AlertConsumers.SIEM
-                ? !browsingSiem
-                : browsingSiem;
+            const shouldDisable =
+              (isFilteringSecurityRules && consumer !== AlertConsumers.SIEM) ||
+              (!isFilteringSecurityRules && consumer === AlertConsumers.SIEM);
+
+            const isQuickFilterSelected = _ruleTypeIds.every((ruleTypeId) =>
+              ruleTypeIds.includes(ruleTypeId)
+            );
+
+            const disabled = selectedFilters.length > 0 && (shouldDisable || isQuickFilterSelected);
+
             return {
               name: filterLabel,
               icon: producerData.icon,
               filter: createRuleTypesFilter(
-                producerData.subFeatureIds ?? [featureId as AlertConsumers],
-                filterLabel,
-                ruleTypeIds
+                _ruleTypeIds,
+                producerData.subFeatureIds ?? [consumer],
+                filterLabel
               ),
               disabled,
             };
@@ -131,6 +201,7 @@ const PageContent = () => {
           .filter(nonNullable)
       );
     }
+
     filters.push({
       title: i18n.translate('xpack.triggersActionsUI.sections.globalAlerts.quickFilters.status', {
         defaultMessage: 'Status',
@@ -142,17 +213,12 @@ const PageContent = () => {
       })),
     });
     return filters;
-  }, [browsingSiem, filteringBySolution, ruleTypeIdsByFeatureId]);
-  const tableConfigurationId = useMemo(
-    // TODO in preparation for using solution-specific configurations
-    () => ALERT_TABLE_GLOBAL_CONFIG_ID,
-    []
-  );
-
-  useEffect(() => {
-    setBreadcrumbs([getAlertingSectionBreadcrumb('alerts')]);
-    docTitle.change(getCurrentDocTitle('alerts'));
-  }, [docTitle, setBreadcrumbs]);
+  }, [
+    isFilteringSecurityRules,
+    ruleTypeIds,
+    ruleTypeIdsByFeatureIdEntries,
+    selectedFilters.length,
+  ]);
 
   return (
     <>
@@ -177,28 +243,29 @@ const PageContent = () => {
         rightSideItems={ruleStats}
       />
       <EuiSpacer size="l" />
-      {!isInitialLoadingRuleTypes && !authorizedToReadAnyRules ? (
+      {!isLoading && !authorizedToReadAnyRules ? (
         <NoPermissionPrompt />
       ) : (
         <EuiFlexGroup gutterSize="m" direction="column" data-test-subj="stackAlertsPageContent">
           <UrlSyncedAlertsSearchBar
             appName={ALERTS_PAGE_ID}
-            featureIds={featureIds}
+            ruleTypeIds={ruleTypeIds}
             showFilterControls
             showFilterBar
             quickFilters={quickFilters}
-            onActiveFeatureFiltersChange={setActiveFeatureFilters}
             onEsQueryChange={setEsQuery}
+            onFilterSelected={onFilterSelected}
           />
           <Suspense fallback={<EuiLoadingSpinner />}>
             <AlertsTable
               // Here we force a rerender when switching feature ids to prevent the data grid
               // columns alignment from breaking after a change in the number of columns
-              key={featureIds.join()}
+              key={ruleTypeIds.join()}
               id="stack-alerts-page-table"
-              configurationId={tableConfigurationId}
+              configurationId={ALERT_TABLE_GLOBAL_CONFIG_ID}
               alertsTableConfigurationRegistry={alertsTableConfigurationRegistry}
-              featureIds={featureIds}
+              ruleTypeIds={ruleTypeIds}
+              consumers={consumers}
               query={esQuery}
               showAlertStatusWithFlapping
               initialPageSize={20}
@@ -209,3 +276,11 @@ const PageContent = () => {
     </>
   );
 };
+
+const PageContent = React.memo(PageContentComponent);
+
+const getInitialRuleTypeIds = (ruleTypeIdsByFeatureId: RuleTypeIdsByFeatureId): string[] =>
+  Object.entries(ruleTypeIdsByFeatureId)
+    .filter(([featureId]) => featureId !== AlertConsumers.SIEM)
+    .map(([_, _ruleTypeIds]) => _ruleTypeIds)
+    .flat();
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_page/hooks/use_rule_stats.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_page/hooks/use_rule_stats.tsx
index 06e371979d980..4d3841672defb 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_page/hooks/use_rule_stats.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_page/hooks/use_rule_stats.tsx
@@ -23,7 +23,12 @@ const Divider = styled.div`
   height: 100%;
 `;
 
-export const useRuleStats = () => {
+interface Props {
+  ruleTypeIds?: string[];
+  consumers?: string[];
+}
+
+export const useRuleStats = ({ ruleTypeIds, consumers }: Props = {}) => {
   const {
     http,
     notifications: { toasts },
@@ -46,7 +51,10 @@ export const useRuleStats = () => {
     try {
       const response = await loadRuleAggregations({
         http,
+        ruleTypeIds,
+        consumers,
       });
+
       const { ruleExecutionStatus, ruleMutedStatus, ruleEnabledStatus, ruleSnoozedStatus } =
         response;
       if (ruleExecutionStatus && ruleMutedStatus && ruleEnabledStatus && ruleSnoozedStatus) {
@@ -73,7 +81,7 @@ export const useRuleStats = () => {
     } finally {
       setLoading(false);
     }
-  }, [http, toasts]);
+  }, [consumers, http, ruleTypeIds, toasts]);
 
   useEffect(() => {
     loadRuleStats();
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_page/hooks/use_rule_type_ids_by_feature_id.ts b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_page/hooks/use_rule_type_ids_by_feature_id.ts
index c8c5eedc3054f..1380f9655d479 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_page/hooks/use_rule_type_ids_by_feature_id.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_page/hooks/use_rule_type_ids_by_feature_id.ts
@@ -12,7 +12,7 @@ import { observabilityFeatureIds, stackFeatureIds } from '../../alerts_table/con
 import { MULTI_CONSUMER_RULE_TYPE_IDS } from '../../../constants';
 import { RuleTypeIndex } from '../../../../types';
 
-type RuleTypeIdsByFeatureId<T = string[]> = Partial<
+export type RuleTypeIdsByFeatureId<T = string[]> = Partial<
   Record<
     | typeof AlertConsumers.SIEM
     | typeof AlertConsumers.OBSERVABILITY
@@ -22,17 +22,20 @@ type RuleTypeIdsByFeatureId<T = string[]> = Partial<
   >
 >;
 
+const EMPTY_OBJECT = {};
+
 /**
  * Groups all rule type ids under their respective feature id
  */
 export const useRuleTypeIdsByFeatureId = (ruleTypesIndex: RuleTypeIndex) =>
   useMemo((): RuleTypeIdsByFeatureId => {
     if (!ruleTypesIndex?.size) {
-      return {};
+      return EMPTY_OBJECT;
     }
+
     const map = Array.from(ruleTypesIndex.entries()).reduce<RuleTypeIdsByFeatureId<Set<string>>>(
-      (types, [key, value]) => {
-        let producer = value.producer as keyof RuleTypeIdsByFeatureId;
+      (types, [ruleTypeId, ruleType]) => {
+        let producer = ruleType.producer as keyof RuleTypeIdsByFeatureId;
         // Some o11y apps are listed under 'observability' to create a grouped filter
         if (observabilityFeatureIds.includes(producer)) {
           producer = AlertConsumers.OBSERVABILITY;
@@ -41,14 +44,15 @@ export const useRuleTypeIdsByFeatureId = (ruleTypesIndex: RuleTypeIndex) =>
         if (stackFeatureIds.includes(producer)) {
           producer = AlertConsumers.STACK_ALERTS;
         }
+
         // Multi consumer rule type ids should be listed both in Observability and Stack alerts
-        if (MULTI_CONSUMER_RULE_TYPE_IDS.includes(value.id)) {
+        if (MULTI_CONSUMER_RULE_TYPE_IDS.includes(ruleType.id)) {
           (types[AlertConsumers.OBSERVABILITY] =
-            types[AlertConsumers.OBSERVABILITY] || new Set()).add(key);
+            types[AlertConsumers.OBSERVABILITY] || new Set()).add(ruleTypeId);
           (types[AlertConsumers.STACK_ALERTS] =
-            types[AlertConsumers.STACK_ALERTS] || new Set()).add(key);
+            types[AlertConsumers.STACK_ALERTS] || new Set()).add(ruleTypeId);
         } else {
-          (types[producer] = types[producer] || new Set()).add(key);
+          (types[producer] = types[producer] || new Set()).add(ruleTypeId);
         }
         return types;
       },
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_search_bar/alerts_search_bar.test.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_search_bar/alerts_search_bar.test.tsx
index 61fceacead341..3f285de6ead75 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_search_bar/alerts_search_bar.test.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_search_bar/alerts_search_bar.test.tsx
@@ -12,14 +12,10 @@ import { Filter, FilterStateStore } from '@kbn/es-query';
 import { dataPluginMock } from '@kbn/data-plugin/public/mocks';
 import { NotificationsStart } from '@kbn/core-notifications-browser';
 import { useKibana } from '@kbn/kibana-react-plugin/public';
-import { useLoadRuleTypesQuery } from '../../hooks/use_load_rule_types_query';
-import { useRuleAADFields } from '../../hooks/use_rule_aad_fields';
 import { AlertsSearchBar } from './alerts_search_bar';
 
 const mockDataPlugin = dataPluginMock.createStartContract();
 jest.mock('@kbn/kibana-utils-plugin/public');
-jest.mock('../../hooks/use_load_rule_types_query');
-jest.mock('../../hooks/use_rule_aad_fields');
 jest.mock('@kbn/alerts-ui-shared/src/common/hooks/use_alerts_data_view');
 jest.mock('@kbn/kibana-react-plugin/public', () => ({
   ...jest.requireActual('@kbn/kibana-react-plugin/public'),
@@ -41,43 +37,28 @@ jest.mocked(useAlertsDataView).mockReturnValue({
   },
 });
 
-jest.mocked(useLoadRuleTypesQuery).mockReturnValue({
-  ruleTypesState: {
-    initialLoad: false,
-    data: new Map(),
-    isLoading: false,
-    error: undefined,
-  },
-  authorizedToReadAnyRules: false,
-  hasAnyAuthorizedRuleType: false,
-  authorizedRuleTypes: [],
-  authorizedToCreateAnyRules: false,
-  isSuccess: false,
-});
-
-jest.mocked(useRuleAADFields).mockReturnValue({
-  aadFields: [],
-  loading: false,
-});
-
 const mockUseKibana = useKibana as jest.Mock;
 
+const unifiedSearchBarMock = jest.fn().mockImplementation((props) => (
+  <button
+    data-test-subj="querySubmitButton"
+    onClick={() => props.onQuerySubmit({ dateRange: { from: 'now', to: 'now' } })}
+    type="button"
+  >
+    {'Hello world'}
+  </button>
+));
+
 describe('AlertsSearchBar', () => {
   beforeEach(() => {
+    jest.clearAllMocks();
+
     mockUseKibana.mockReturnValue({
       services: {
         data: mockDataPlugin,
         unifiedSearch: {
           ui: {
-            SearchBar: jest.fn().mockImplementation((props) => (
-              <button
-                data-test-subj="querySubmitButton"
-                onClick={() => props.onQuerySubmit({ dateRange: { from: 'now', to: 'now' } })}
-                type="button"
-              >
-                {'Hello world'}
-              </button>
-            )),
+            SearchBar: unifiedSearchBarMock,
           },
         },
         notifications: { toasts: { addWarning: jest.fn() } } as unknown as NotificationsStart,
@@ -85,10 +66,6 @@ describe('AlertsSearchBar', () => {
     });
   });
 
-  beforeEach(() => {
-    jest.clearAllMocks();
-  });
-
   it('renders correctly', async () => {
     render(
       <AlertsSearchBar
@@ -100,7 +77,6 @@ describe('AlertsSearchBar', () => {
         onSavedQueryUpdated={jest.fn()}
         onClearSavedQuery={jest.fn()}
         appName={'test'}
-        featureIds={['observability', 'stackAlerts']}
       />
     );
     expect(await screen.findByTestId('querySubmitButton')).toBeInTheDocument();
@@ -119,7 +95,6 @@ describe('AlertsSearchBar', () => {
         onSavedQueryUpdated={jest.fn()}
         onClearSavedQuery={jest.fn()}
         appName={'test'}
-        featureIds={['observability', 'stackAlerts']}
       />
     );
 
@@ -176,7 +151,6 @@ describe('AlertsSearchBar', () => {
         onSavedQueryUpdated={jest.fn()}
         onClearSavedQuery={jest.fn()}
         appName={'test'}
-        featureIds={['observability', 'stackAlerts']}
       />
     );
 
@@ -187,4 +161,136 @@ describe('AlertsSearchBar', () => {
       expect(mockDataPlugin.query.filterManager.setFilters).toHaveBeenCalledWith(filters);
     });
   });
+
+  it('calls the unifiedSearchBar correctly for security rule types', async () => {
+    render(
+      <AlertsSearchBar
+        rangeFrom="now/d"
+        rangeTo="now/d"
+        query=""
+        onQuerySubmit={jest.fn()}
+        appName={'test'}
+        onFiltersUpdated={jest.fn()}
+        ruleTypeIds={['siem.esqlRuleType', '.esQuery']}
+      />
+    );
+
+    await waitFor(() => {
+      expect(unifiedSearchBarMock).toHaveBeenCalledWith(
+        expect.objectContaining({
+          suggestionsAbstraction: undefined,
+        }),
+        {}
+      );
+    });
+  });
+
+  it('calls the unifiedSearchBar correctly for NON security rule types', async () => {
+    render(
+      <AlertsSearchBar
+        rangeFrom="now/d"
+        rangeTo="now/d"
+        query=""
+        onQuerySubmit={jest.fn()}
+        appName={'test'}
+        onFiltersUpdated={jest.fn()}
+        ruleTypeIds={['.esQuery']}
+      />
+    );
+
+    await waitFor(() => {
+      expect(unifiedSearchBarMock).toHaveBeenCalledWith(
+        expect.objectContaining({
+          suggestionsAbstraction: { type: 'alerts', fields: {} },
+        }),
+        {}
+      );
+    });
+  });
+
+  it('calls the unifiedSearchBar with correct index patters', async () => {
+    render(
+      <AlertsSearchBar
+        rangeFrom="now/d"
+        rangeTo="now/d"
+        query=""
+        onQuerySubmit={jest.fn()}
+        appName={'test'}
+        onFiltersUpdated={jest.fn()}
+        ruleTypeIds={['.esQuery', 'apm.anomaly']}
+      />
+    );
+
+    await waitFor(() => {
+      expect(unifiedSearchBarMock).toHaveBeenCalledWith(
+        expect.objectContaining({
+          indexPatterns: [
+            {
+              fields: [
+                { aggregatable: true, name: 'event.action', searchable: true, type: 'string' },
+              ],
+              title: '.esQuery,apm.anomaly',
+            },
+          ],
+        }),
+        {}
+      );
+    });
+  });
+
+  it('calls the unifiedSearchBar with correct index patters without rule types', async () => {
+    render(
+      <AlertsSearchBar
+        rangeFrom="now/d"
+        rangeTo="now/d"
+        query=""
+        onQuerySubmit={jest.fn()}
+        appName={'test'}
+        onFiltersUpdated={jest.fn()}
+      />
+    );
+
+    await waitFor(() => {
+      expect(unifiedSearchBarMock).toHaveBeenCalledWith(
+        expect.objectContaining({
+          indexPatterns: [
+            {
+              fields: [
+                { aggregatable: true, name: 'event.action', searchable: true, type: 'string' },
+              ],
+              title: '.alerts-*',
+            },
+          ],
+        }),
+        {}
+      );
+    });
+  });
+
+  it('calls the unifiedSearchBar with correct index patters without data views', async () => {
+    jest.mocked(useAlertsDataView).mockReturnValue({
+      isLoading: false,
+      dataView: undefined,
+    });
+
+    render(
+      <AlertsSearchBar
+        rangeFrom="now/d"
+        rangeTo="now/d"
+        query=""
+        onQuerySubmit={jest.fn()}
+        appName={'test'}
+        onFiltersUpdated={jest.fn()}
+      />
+    );
+
+    await waitFor(() => {
+      expect(unifiedSearchBarMock).toHaveBeenCalledWith(
+        expect.objectContaining({
+          indexPatterns: [],
+        }),
+        {}
+      );
+    });
+  });
 });
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_search_bar/alerts_search_bar.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_search_bar/alerts_search_bar.tsx
index 5e2880e65231c..0a5c18fab9d8c 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_search_bar/alerts_search_bar.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_search_bar/alerts_search_bar.tsx
@@ -9,7 +9,7 @@ import React, { useCallback, useMemo, useState } from 'react';
 import { useKibana } from '@kbn/kibana-react-plugin/public';
 import { compareFilters, Query, TimeRange } from '@kbn/es-query';
 import { SuggestionsAbstraction } from '@kbn/unified-search-plugin/public/typeahead/suggestions_component';
-import { AlertConsumers, ValidFeatureId } from '@kbn/rule-data-utils';
+import { isSiemRuleType } from '@kbn/rule-data-utils';
 import { EuiContextMenuPanelDescriptor, EuiContextMenuPanelItemDescriptor } from '@elastic/eui';
 import { useAlertsDataView } from '@kbn/alerts-ui-shared/src/common/hooks/use_alerts_data_view';
 import { isQuickFiltersGroup, QuickFiltersMenuItem } from './quick_filters';
@@ -17,19 +17,15 @@ import { NO_INDEX_PATTERNS } from './constants';
 import { SEARCH_BAR_PLACEHOLDER } from './translations';
 import { AlertsSearchBarProps, QueryLanguageType } from './types';
 import { TriggersAndActionsUiServices } from '../../..';
-import { useRuleAADFields } from '../../hooks/use_rule_aad_fields';
-import { useLoadRuleTypesQuery } from '../../hooks/use_load_rule_types_query';
 
 const SA_ALERTS = { type: 'alerts', fields: {} } as SuggestionsAbstraction;
-const EMPTY_FEATURE_IDS: ValidFeatureId[] = [];
 
 // TODO Share buildEsQuery to be used between AlertsSearchBar and AlertsStateTable component https://github.com/elastic/kibana/issues/144615
 // Also TODO: Replace all references to this component with the one from alerts-ui-shared
 export function AlertsSearchBar({
   appName,
   disableQueryLanguageSwitcher = false,
-  featureIds = EMPTY_FEATURE_IDS,
-  ruleTypeId,
+  ruleTypeIds,
   query,
   filters,
   quickFilters = [],
@@ -58,33 +54,25 @@ export function AlertsSearchBar({
 
   const [queryLanguage, setQueryLanguage] = useState<QueryLanguageType>('kuery');
   const { dataView } = useAlertsDataView({
-    featureIds,
+    ruleTypeIds: ruleTypeIds ?? [],
     http,
     dataViewsService,
     toasts,
   });
-  const { aadFields, loading: fieldsLoading } = useRuleAADFields(ruleTypeId);
 
   const indexPatterns = useMemo(() => {
-    if (ruleTypeId && aadFields?.length) {
-      return [{ title: ruleTypeId, fields: aadFields }];
+    if (ruleTypeIds && dataView?.fields?.length) {
+      return [{ title: ruleTypeIds.join(','), fields: dataView.fields }];
     }
+
     if (dataView) {
       return [dataView];
     }
-    return null;
-  }, [aadFields, dataView, ruleTypeId]);
 
-  const ruleType = useLoadRuleTypesQuery({
-    filteredRuleTypes: ruleTypeId !== undefined ? [ruleTypeId] : [],
-    enabled: ruleTypeId !== undefined,
-  });
+    return null;
+  }, [dataView, ruleTypeIds]);
 
-  const isSecurity =
-    (featureIds && featureIds.length === 1 && featureIds.includes(AlertConsumers.SIEM)) ||
-    (ruleType &&
-      ruleTypeId &&
-      ruleType.ruleTypesState.data.get(ruleTypeId)?.producer === AlertConsumers.SIEM);
+  const isSecurity = ruleTypeIds?.some(isSiemRuleType) ?? false;
 
   const onSearchQuerySubmit = useCallback(
     (
@@ -174,7 +162,7 @@ export function AlertsSearchBar({
       appName={appName}
       disableQueryLanguageSwitcher={disableQueryLanguageSwitcher}
       // @ts-expect-error - DataView fields prop and SearchBar indexPatterns props are overly broad
-      indexPatterns={!indexPatterns || fieldsLoading ? NO_INDEX_PATTERNS : indexPatterns}
+      indexPatterns={!indexPatterns ? NO_INDEX_PATTERNS : indexPatterns}
       placeholder={placeholder}
       query={{ query: query ?? '', language: queryLanguage }}
       filters={filters}
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_search_bar/constants.ts b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_search_bar/constants.ts
index 408d4d1714743..3539966400054 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_search_bar/constants.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_search_bar/constants.ts
@@ -10,5 +10,6 @@ import { AlertConsumers } from '@kbn/rule-data-utils';
 
 export const NO_INDEX_PATTERNS: DataView[] = [];
 export const ALERTS_SEARCH_BAR_PARAMS_URL_STORAGE_KEY = 'searchBarParams';
-export const ALL_FEATURE_IDS = Object.values(AlertConsumers);
-export const NON_SIEM_FEATURE_IDS = ALL_FEATURE_IDS.filter((fid) => fid !== AlertConsumers.SIEM);
+export const NON_SIEM_CONSUMERS = Object.values(AlertConsumers).filter(
+  (fid) => fid !== AlertConsumers.SIEM
+);
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_search_bar/types.ts b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_search_bar/types.ts
index b1af2746d6cac..a9538bd4888b1 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_search_bar/types.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_search_bar/types.ts
@@ -6,7 +6,6 @@
  */
 
 import { Filter } from '@kbn/es-query';
-import { ValidFeatureId } from '@kbn/rule-data-utils';
 import { SearchBarProps } from '@kbn/unified-search-plugin/public/search_bar/search_bar';
 import { QuickFiltersMenuItem } from './quick_filters';
 
@@ -16,7 +15,6 @@ export interface AlertsSearchBarProps
   extends Omit<Partial<SearchBarProps>, 'query' | 'onQueryChange' | 'onQuerySubmit'> {
   appName: string;
   disableQueryLanguageSwitcher?: boolean;
-  featureIds: ValidFeatureId[];
   rangeFrom?: string;
   rangeTo?: string;
   query?: string;
@@ -27,7 +25,7 @@ export interface AlertsSearchBarProps
   showSubmitButton?: boolean;
   placeholder?: string;
   submitOnBlur?: boolean;
-  ruleTypeId?: string;
+  ruleTypeIds?: string[];
   onQueryChange?: (query: {
     dateRange: { from: string; to: string; mode?: 'absolute' | 'relative' };
     query?: string;
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_search_bar/url_synced_alerts_search_bar.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_search_bar/url_synced_alerts_search_bar.tsx
index de89eb9715733..175d9538918e7 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_search_bar/url_synced_alerts_search_bar.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_search_bar/url_synced_alerts_search_bar.tsx
@@ -5,20 +5,17 @@
  * 2.0.
  */
 
-import React, { useCallback, useEffect, useMemo, useState } from 'react';
-import { BoolQuery } from '@kbn/es-query';
-import { AlertConsumers } from '@kbn/rule-data-utils';
+import React, { useCallback, useEffect, useState, useMemo } from 'react';
+import { BoolQuery, Filter } from '@kbn/es-query';
 import { i18n } from '@kbn/i18n';
 import { AlertFilterControls } from '@kbn/alerts-ui-shared/src/alert_filter_controls';
 import { ControlGroupRenderer } from '@kbn/controls-plugin/public';
 import { Storage } from '@kbn/kibana-utils-plugin/public';
-import { AlertsFeatureIdsFilter } from '../../lib/search_filters';
 import { useKibana } from '../../..';
 import { useAlertSearchBarStateContainer } from './use_alert_search_bar_state_container';
 import { ALERTS_SEARCH_BAR_PARAMS_URL_STORAGE_KEY } from './constants';
 import { AlertsSearchBarProps } from './types';
 import AlertsSearchBar from './alerts_search_bar';
-import { nonNullable } from '../../../../common/utils';
 import { buildEsQuery } from './build_es_query';
 
 const INVALID_QUERY_STRING_TOAST_TITLE = i18n.translate(
@@ -35,16 +32,17 @@ export interface UrlSyncedAlertsSearchBarProps
   > {
   showFilterControls?: boolean;
   onEsQueryChange: (esQuery: { bool: BoolQuery }) => void;
-  onActiveFeatureFiltersChange?: (value: AlertConsumers[]) => void;
+  onFilterSelected?: (filters: Filter[]) => void;
 }
 
 /**
  * An abstraction over AlertsSearchBar that syncs the query state with the url
  */
 export const UrlSyncedAlertsSearchBar = ({
+  ruleTypeIds,
   showFilterControls = false,
   onEsQueryChange,
-  onActiveFeatureFiltersChange,
+  onFilterSelected,
   ...rest
 }: UrlSyncedAlertsSearchBarProps) => {
   const {
@@ -91,13 +89,6 @@ export const UrlSyncedAlertsSearchBar = ({
 
   useEffect(() => {
     try {
-      onActiveFeatureFiltersChange?.([
-        ...new Set(
-          filters
-            .flatMap((f) => (f as AlertsFeatureIdsFilter).meta.alertsFeatureIds)
-            .filter(nonNullable)
-        ),
-      ]);
       onEsQueryChange(
         buildEsQuery({
           timeRange: {
@@ -108,6 +99,8 @@ export const UrlSyncedAlertsSearchBar = ({
           filters: [...filters, ...controlFilters],
         })
       );
+
+      onFilterSelected?.(filters);
     } catch (error) {
       toasts.addError(error, {
         title: INVALID_QUERY_STRING_TOAST_TITLE,
@@ -118,8 +111,8 @@ export const UrlSyncedAlertsSearchBar = ({
     controlFilters,
     filters,
     kuery,
-    onActiveFeatureFiltersChange,
     onEsQueryChange,
+    onFilterSelected,
     onKueryChange,
     rangeFrom,
     rangeTo,
@@ -154,6 +147,7 @@ export const UrlSyncedAlertsSearchBar = ({
         savedQuery={savedQuery}
         onSavedQueryUpdated={setSavedQuery}
         onClearSavedQuery={clearSavedQuery}
+        ruleTypeIds={ruleTypeIds}
         {...rest}
       />
       {showFilterControls && (
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/alerts_table.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/alerts_table.tsx
index 61c65eded27b5..cf7e184c50f31 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/alerts_table.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/alerts_table.tsx
@@ -309,7 +309,7 @@ const AlertsTable: React.FunctionComponent<AlertsTableProps> = memo((props: Aler
     dynamicRowHeight,
     query,
     querySnapshot,
-    featureIds,
+    ruleTypeIds,
     cases: { data: cases, isLoading: isLoadingCases },
     maintenanceWindows: { data: maintenanceWindows, isLoading: isLoadingMaintenanceWindows },
     controls,
@@ -345,7 +345,7 @@ const AlertsTable: React.FunctionComponent<AlertsTableProps> = memo((props: Aler
       query,
       useBulkActionsConfig: alertsTableConfiguration.useBulkActions,
       refresh: refetchAlerts,
-      featureIds,
+      ruleTypeIds,
       hideBulkActions: Boolean(alertsTableConfiguration.hideBulkActions),
     };
   }, [
@@ -355,7 +355,7 @@ const AlertsTable: React.FunctionComponent<AlertsTableProps> = memo((props: Aler
     alertsTableConfiguration.hideBulkActions,
     query,
     refetchAlerts,
-    featureIds,
+    ruleTypeIds,
   ]);
 
   const {
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/alerts_table_state.test.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/alerts_table_state.test.tsx
index 13b9433ce4b9e..9db58d26d9251 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/alerts_table_state.test.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/alerts_table_state.test.tsx
@@ -9,12 +9,7 @@ import { BehaviorSubject } from 'rxjs';
 import userEvent from '@testing-library/user-event';
 import { get } from 'lodash';
 import { fireEvent, render, waitFor, screen, act } from '@testing-library/react';
-import {
-  AlertConsumers,
-  ALERT_CASE_IDS,
-  ALERT_MAINTENANCE_WINDOW_IDS,
-  ALERT_UUID,
-} from '@kbn/rule-data-utils';
+import { ALERT_CASE_IDS, ALERT_MAINTENANCE_WINDOW_IDS, ALERT_UUID } from '@kbn/rule-data-utils';
 import { Storage } from '@kbn/kibana-utils-plugin/public';
 
 import {
@@ -344,7 +339,7 @@ const browserFields: BrowserFields = {
   },
 };
 
-jest.mocked(fetchAlertsFields).mockResolvedValue({ browserFields, fields: [] });
+const fetchAlertsFieldsMock = fetchAlertsFields as jest.Mock;
 
 const queryClient = new QueryClient({
   defaultOptions: {
@@ -367,7 +362,7 @@ describe('AlertsTableState', () => {
     alertsTableConfigurationRegistry: alertsTableConfigurationRegistryMock,
     configurationId: PLUGIN_ID,
     id: PLUGIN_ID,
-    featureIds: [AlertConsumers.LOGS],
+    ruleTypeIds: ['logs'],
     query: {},
     columns,
     pagination: {
@@ -419,6 +414,8 @@ describe('AlertsTableState', () => {
       data: maintenanceWindowsMap,
       isFetching: false,
     });
+
+    fetchAlertsFieldsMock.mockResolvedValue({ browserFields, fields: [] });
   });
 
   describe('Cases', () => {
@@ -837,6 +834,8 @@ describe('AlertsTableState', () => {
         data: new Map(),
         isFetching: false,
       });
+
+      fetchAlertsFieldsMock.mockResolvedValue({ browserFields, fields: [] });
     });
 
     it('should show field browser', async () => {
@@ -845,13 +844,13 @@ describe('AlertsTableState', () => {
     });
 
     it('should remove an already existing element when selected', async () => {
-      const { getByTestId, queryByTestId } = render(<TestComponent {...tableProps} />);
+      const { findByTestId, queryByTestId } = render(<TestComponent {...tableProps} />);
 
       expect(queryByTestId(`dataGridHeaderCell-${AlertsField.name}`)).not.toBe(null);
-      fireEvent.click(getByTestId('show-field-browser'));
-      const fieldCheckbox = getByTestId(`field-${AlertsField.name}-checkbox`);
+      fireEvent.click(await findByTestId('show-field-browser'));
+      const fieldCheckbox = await findByTestId(`field-${AlertsField.name}-checkbox`);
       fireEvent.click(fieldCheckbox);
-      fireEvent.click(getByTestId('close'));
+      fireEvent.click(await findByTestId('close'));
 
       await waitFor(() => {
         expect(queryByTestId(`dataGridHeaderCell-${AlertsField.name}`)).toBe(null);
@@ -877,13 +876,15 @@ describe('AlertsTableState', () => {
         set: jest.fn(),
       }));
 
-      const { getByTestId, queryByTestId } = render(<TestComponent {...tableProps} />);
+      const { getByTestId, findByTestId, queryByTestId } = render(
+        <TestComponent {...tableProps} />
+      );
 
       expect(queryByTestId(`dataGridHeaderCell-${AlertsField.name}`)).toBe(null);
-      fireEvent.click(getByTestId('show-field-browser'));
-      const fieldCheckbox = getByTestId(`field-${AlertsField.name}-checkbox`);
+      fireEvent.click(await findByTestId('show-field-browser'));
+      const fieldCheckbox = await findByTestId(`field-${AlertsField.name}-checkbox`);
       fireEvent.click(fieldCheckbox);
-      fireEvent.click(getByTestId('close'));
+      fireEvent.click(await findByTestId('close'));
 
       await waitFor(() => {
         expect(queryByTestId(`dataGridHeaderCell-${AlertsField.name}`)).not.toBe(null);
@@ -896,13 +897,13 @@ describe('AlertsTableState', () => {
     });
 
     it('should insert a new field as column when its not a default one', async () => {
-      const { getByTestId, queryByTestId } = render(<TestComponent {...tableProps} />);
+      const { findByTestId, queryByTestId } = render(<TestComponent {...tableProps} />);
 
       expect(queryByTestId(`dataGridHeaderCell-${AlertsField.uuid}`)).toBe(null);
-      fireEvent.click(getByTestId('show-field-browser'));
-      const fieldCheckbox = getByTestId(`field-${AlertsField.uuid}-checkbox`);
+      fireEvent.click(await findByTestId('show-field-browser'));
+      const fieldCheckbox = await findByTestId(`field-${AlertsField.uuid}-checkbox`);
       fireEvent.click(fieldCheckbox);
-      fireEvent.click(getByTestId('close'));
+      fireEvent.click(await findByTestId('close'));
 
       await waitFor(() => {
         expect(queryByTestId(`dataGridHeaderCell-${AlertsField.uuid}`)).not.toBe(null);
@@ -958,6 +959,16 @@ describe('AlertsTableState', () => {
       expect(result.getByTestId('alertsStateTableEmptyState')).toBeTruthy();
     });
 
+    it('should render an empty screen when the data are undefined', async () => {
+      mockUseSearchAlertsQuery.mockReturnValue({
+        data: undefined,
+        refetch: refetchMock,
+      });
+
+      const result = render(<TestComponent {...tableProps} />);
+      expect(result.getByTestId('alertsStateTableEmptyState')).toBeTruthy();
+    });
+
     describe('inspect button', () => {
       it('should hide the inspect button by default', () => {
         render(<TestComponent {...tableProps} />);
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/alerts_table_state.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/alerts_table_state.tsx
index 62c78a3ad589c..93bb4f18dfe9a 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/alerts_table_state.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/alerts_table_state.tsx
@@ -21,7 +21,6 @@ import {
 } from '@elastic/eui';
 import type { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { ALERT_CASE_IDS, ALERT_MAINTENANCE_WINDOW_IDS } from '@kbn/rule-data-utils';
-import type { ValidFeatureId } from '@kbn/rule-data-utils';
 import type { RuleRegistrySearchRequestPagination } from '@kbn/rule-registry-plugin/common';
 import type { BrowserFields } from '@kbn/alerting-types';
 import { Storage } from '@kbn/kibana-utils-plugin/public';
@@ -68,7 +67,8 @@ export type AlertsTableStateProps = {
   alertsTableConfigurationRegistry: AlertsTableConfigurationRegistryContract;
   configurationId: string;
   id: string;
-  featureIds: ValidFeatureId[];
+  ruleTypeIds: string[];
+  consumers?: string[];
   query: Pick<QueryDslQueryContainer, 'bool' | 'ids'>;
   initialPageSize?: number;
   browserFields?: BrowserFields;
@@ -192,7 +192,8 @@ const AlertsTableStateWithQueryProvider = memo(
     alertsTableConfigurationRegistry,
     configurationId,
     id,
-    featureIds,
+    ruleTypeIds,
+    consumers,
     query,
     initialPageSize = DEFAULT_ALERTS_PAGE_SIZE,
     leadingControlColumns = DEFAULT_LEADING_CONTROL_COLUMNS,
@@ -292,7 +293,7 @@ const AlertsTableStateWithQueryProvider = memo(
       onColumnResize,
       fields,
     } = useColumns({
-      featureIds,
+      ruleTypeIds,
       storageAlertsTable,
       storage,
       id,
@@ -301,7 +302,8 @@ const AlertsTableStateWithQueryProvider = memo(
     });
 
     const [queryParams, setQueryParams] = useState({
-      featureIds,
+      ruleTypeIds,
+      consumers,
       fields,
       query,
       sort,
@@ -312,14 +314,16 @@ const AlertsTableStateWithQueryProvider = memo(
 
     useEffect(() => {
       setQueryParams(({ pageIndex: oldPageIndex, pageSize: oldPageSize, ...prevQueryParams }) => ({
-        featureIds,
+        ruleTypeIds,
+        consumers,
         fields,
         query,
         sort,
         runtimeMappings,
         // Go back to the first page if the query changes
         pageIndex: !deepEqual(prevQueryParams, {
-          featureIds,
+          ruleTypeIds,
+          consumers,
           fields,
           query,
           sort,
@@ -329,7 +333,7 @@ const AlertsTableStateWithQueryProvider = memo(
           : oldPageIndex,
         pageSize: oldPageSize,
       }));
-    }, [featureIds, fields, query, runtimeMappings, sort]);
+    }, [ruleTypeIds, fields, query, runtimeMappings, sort, consumers]);
 
     const {
       data: alertsData,
@@ -363,11 +367,11 @@ const AlertsTableStateWithQueryProvider = memo(
       }
     }, [alerts, isLoading, isSuccess, onLoaded]);
 
-    const mutedAlertIds = useMemo(() => {
+    const mutedRuleIds = useMemo(() => {
       return [...new Set(alerts.map((a) => a['kibana.alert.rule.uuid']![0]))];
     }, [alerts]);
 
-    const { data: mutedAlerts } = useGetMutedAlerts(mutedAlertIds);
+    const { data: mutedAlerts } = useGetMutedAlerts(mutedRuleIds);
     const overriddenActions = useMemo(() => {
       return { toggleColumn: onToggleColumn };
     }, [onToggleColumn]);
@@ -501,7 +505,7 @@ const AlertsTableStateWithQueryProvider = memo(
         toolbarVisibility,
         shouldHighlightRow,
         dynamicRowHeight,
-        featureIds,
+        ruleTypeIds,
         querySnapshot,
         pageIndex: queryParams.pageIndex,
         pageSize: queryParams.pageSize,
@@ -541,7 +545,7 @@ const AlertsTableStateWithQueryProvider = memo(
         toolbarVisibility,
         shouldHighlightRow,
         dynamicRowHeight,
-        featureIds,
+        ruleTypeIds,
         querySnapshot,
         queryParams.pageIndex,
         queryParams.pageSize,
@@ -579,7 +583,7 @@ const AlertsTableStateWithQueryProvider = memo(
 
     return (
       <AlertsTableContext.Provider value={alertsTableContext}>
-        {!isLoading && alertsCount === 0 && (
+        {!isLoading && alertsCount <= 0 && (
           <InspectButtonContainer>
             <EmptyState
               controls={persistentControls}
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/cells/render_cell_value.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/cells/render_cell_value.tsx
index ad82a9d3ee97c..6a25115ed7e2f 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/cells/render_cell_value.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/cells/render_cell_value.tsx
@@ -9,7 +9,6 @@ import { isEmpty } from 'lodash';
 import React from 'react';
 import {
   ALERT_DURATION,
-  AlertConsumers,
   ALERT_RULE_NAME,
   ALERT_RULE_UUID,
   ALERT_START,
@@ -25,6 +24,7 @@ import {
 import { EuiBadge, EuiLink, RenderCellValue } from '@elastic/eui';
 import { alertProducersData, observabilityFeatureIds } from '../constants';
 import { useKibana } from '../../../../common/lib/kibana';
+import { AlertsTableSupportedConsumers } from '../types';
 
 export const getMappedNonEcsValue = ({
   data,
@@ -136,7 +136,7 @@ export function getAlertFormatters(fieldFormats: FieldFormatsRegistry) {
         );
       case ALERT_RULE_CONSUMER:
         const producer = rowData?.find(({ field }) => field === ALERT_RULE_PRODUCER)?.value?.[0];
-        const consumer: AlertConsumers = observabilityFeatureIds.includes(producer)
+        const consumer: AlertsTableSupportedConsumers = observabilityFeatureIds.includes(producer)
           ? 'observability'
           : producer && (value === 'alerts' || value === 'stackAlerts' || value === 'discover')
           ? producer
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/constants.ts b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/constants.ts
index 9605abb085232..54846574c1a10 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/constants.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/constants.ts
@@ -19,6 +19,7 @@ import {
   STACK_MONITORING_DISPLAY_NAME,
   UPTIME_DISPLAY_NAME,
 } from '../translations';
+import { AlertsTableSupportedConsumers } from './types';
 
 interface AlertProducerData {
   displayName: string;
@@ -33,13 +34,18 @@ export const observabilityFeatureIds: AlertConsumers[] = [
   AlertConsumers.LOGS,
   AlertConsumers.SLO,
   AlertConsumers.UPTIME,
+  AlertConsumers.ALERTS,
 ];
 
-export const stackFeatureIds: AlertConsumers[] = [AlertConsumers.STACK_ALERTS, AlertConsumers.ML];
+export const stackFeatureIds: AlertConsumers[] = [
+  AlertConsumers.STACK_ALERTS,
+  AlertConsumers.ML,
+  AlertConsumers.DISCOVER,
+];
 
 export const [_, ...observabilityApps] = observabilityFeatureIds;
 
-export const alertProducersData: Record<AlertConsumers, AlertProducerData> = {
+export const alertProducersData: Record<AlertsTableSupportedConsumers, AlertProducerData> = {
   [AlertConsumers.OBSERVABILITY]: {
     displayName: OBSERVABILITY_DISPLAY_NAME,
     icon: 'logoObservability',
@@ -86,4 +92,9 @@ export const alertProducersData: Record<AlertConsumers, AlertProducerData> = {
     displayName: 'Example',
     icon: 'beaker',
   },
+  [AlertConsumers.DISCOVER]: {
+    displayName: STACK_DISPLAY_NAME,
+    icon: 'managementApp',
+    subFeatureIds: stackFeatureIds,
+  },
 };
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/alert_mute/use_get_muted_alerts.test.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/alert_mute/use_get_muted_alerts.test.tsx
index 2718ccd8ca88e..ae75e5472f229 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/alert_mute/use_get_muted_alerts.test.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/alert_mute/use_get_muted_alerts.test.tsx
@@ -37,7 +37,7 @@ describe('useGetMutedAlerts', () => {
     await waitFor(() => {
       expect(muteAlertInstanceSpy).toHaveBeenCalledWith(
         expect.anything(),
-        { ids: ruleIds },
+        { ruleIds },
         expect.any(AbortSignal)
       );
     });
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/alert_mute/use_get_muted_alerts.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/alert_mute/use_get_muted_alerts.tsx
index 08f172451ca23..1ca6cbb22ea97 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/alert_mute/use_get_muted_alerts.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/alert_mute/use_get_muted_alerts.tsx
@@ -25,7 +25,7 @@ export const useGetMutedAlerts = (ruleIds: string[], enabled = true) => {
   return useQuery(
     triggersActionsUiQueriesKeys.mutedAlerts(),
     ({ signal }) =>
-      getMutedAlerts(http, { ids: ruleIds }, signal).then(({ data: rules }) =>
+      getMutedAlerts(http, { ruleIds }, signal).then(({ data: rules }) =>
         rules?.reduce((mutedAlerts, rule) => {
           mutedAlerts[rule.id] = rule.muted_alert_ids;
           return mutedAlerts;
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/apis/get_rules_muted_alerts.test.ts b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/apis/get_rules_muted_alerts.test.ts
new file mode 100644
index 0000000000000..d0f1a39f7cede
--- /dev/null
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/apis/get_rules_muted_alerts.test.ts
@@ -0,0 +1,46 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { httpServiceMock } from '@kbn/core/public/mocks';
+import { getMutedAlerts } from './get_rules_muted_alerts';
+
+const http = httpServiceMock.createStartContract();
+
+describe('getMutedAlerts', () => {
+  const apiRes = {
+    page: 1,
+    per_page: 10,
+    total: 0,
+    data: [],
+  };
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+
+    http.post.mockResolvedValueOnce(apiRes);
+  });
+
+  test('should call find API with correct params', async () => {
+    const result = await getMutedAlerts(http, { ruleIds: ['foo'] });
+
+    expect(result).toEqual({
+      page: 1,
+      per_page: 10,
+      total: 0,
+      data: [],
+    });
+
+    expect(http.post.mock.calls[0]).toMatchInlineSnapshot(`
+      Array [
+        "/internal/alerting/rules/_find",
+        Object {
+          "body": "{\\"rule_type_ids\\":[\\"foo\\"],\\"fields\\":[\\"id\\",\\"mutedInstanceIds\\"],\\"page\\":1,\\"per_page\\":1}",
+          "signal": undefined,
+        },
+      ]
+    `);
+  });
+});
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/apis/get_rules_muted_alerts.ts b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/apis/get_rules_muted_alerts.ts
index 5a2f2fcc21c6b..d9baef548dafc 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/apis/get_rules_muted_alerts.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/apis/get_rules_muted_alerts.ts
@@ -6,7 +6,6 @@
  */
 
 import { HttpStart } from '@kbn/core-http-browser';
-import { nodeBuilder } from '@kbn/es-query';
 
 const INTERNAL_FIND_RULES_URL = '/internal/alerting/rules/_find';
 
@@ -21,18 +20,15 @@ export interface FindRulesResponse {
 
 export const getMutedAlerts = async (
   http: HttpStart,
-  params: { ids: string[] },
+  params: { ruleIds: string[] },
   signal?: AbortSignal
 ) => {
-  const filterNode = nodeBuilder.or(
-    params.ids.map((id) => nodeBuilder.is('alert.id', `alert:${id}`))
-  );
   return http.post<FindRulesResponse>(INTERNAL_FIND_RULES_URL, {
     body: JSON.stringify({
-      filter: JSON.stringify(filterNode),
+      rule_type_ids: params.ruleIds,
       fields: ['id', 'mutedInstanceIds'],
       page: 1,
-      per_page: params.ids.length,
+      per_page: params.ruleIds.length,
     }),
     signal,
   });
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/use_bulk_actions.test.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/use_bulk_actions.test.tsx
index 0f136e15156d7..554febab20210 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/use_bulk_actions.test.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/use_bulk_actions.test.tsx
@@ -392,7 +392,13 @@ describe('bulk action hooks', () => {
     it('appends only the case bulk actions for SIEM', async () => {
       const { result } = renderHook(
         () =>
-          useBulkActions({ alertsCount: 0, query: {}, casesConfig, refresh, featureIds: ['siem'] }),
+          useBulkActions({
+            alertsCount: 0,
+            query: {},
+            casesConfig,
+            refresh,
+            ruleTypeIds: ['siem.esqlRule'],
+          }),
         {
           wrapper: appMockRender.AppWrapper,
         }
@@ -476,7 +482,7 @@ describe('bulk action hooks', () => {
             query: {},
             casesConfig,
             refresh,
-            featureIds: ['observability'],
+            ruleTypeIds: ['observability'],
           }),
         {
           wrapper: appMockRender.AppWrapper,
@@ -492,7 +498,7 @@ describe('bulk action hooks', () => {
             query: {},
             casesConfig,
             refresh,
-            featureIds: ['observability'],
+            ruleTypeIds: ['observability'],
             hideBulkActions: true,
           }),
         {
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/use_bulk_actions.ts b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/use_bulk_actions.ts
index 727ff4f93ebd8..1f35d02f8d72f 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/use_bulk_actions.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/use_bulk_actions.ts
@@ -7,7 +7,7 @@
 import { useCallback, useContext, useEffect, useMemo } from 'react';
 import { QueryDslQueryContainer } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { useKibana } from '@kbn/kibana-react-plugin/public';
-import { ALERT_CASE_IDS, ValidFeatureId } from '@kbn/rule-data-utils';
+import { ALERT_CASE_IDS, isSiemRuleType } from '@kbn/rule-data-utils';
 import { AlertsTableContext } from '../contexts/alerts_table_context';
 import {
   AlertsTableConfigurationRegistry,
@@ -40,7 +40,7 @@ interface BulkActionsProps {
   casesConfig?: AlertsTableConfigurationRegistry['cases'];
   useBulkActionsConfig?: UseBulkActionsRegistry;
   refresh: () => void;
-  featureIds?: ValidFeatureId[];
+  ruleTypeIds?: string[];
   hideBulkActions?: boolean;
 }
 
@@ -57,7 +57,7 @@ export interface UseBulkActions {
 type UseBulkAddToCaseActionsProps = Pick<BulkActionsProps, 'casesConfig' | 'refresh'> &
   Pick<UseBulkActions, 'clearSelection'>;
 
-type UseBulkUntrackActionsProps = Pick<BulkActionsProps, 'refresh' | 'query' | 'featureIds'> &
+type UseBulkUntrackActionsProps = Pick<BulkActionsProps, 'refresh' | 'query' | 'ruleTypeIds'> &
   Pick<UseBulkActions, 'clearSelection' | 'setIsBulkActionsLoading'> & {
     isAllSelected: boolean;
   };
@@ -191,7 +191,7 @@ export const useBulkUntrackActions = ({
   refresh,
   clearSelection,
   query,
-  featureIds = [],
+  ruleTypeIds = [],
   isAllSelected,
 }: UseBulkUntrackActionsProps) => {
   const onSuccess = useCallback(() => {
@@ -217,7 +217,7 @@ export const useBulkUntrackActions = ({
       try {
         setIsBulkActionsLoading(true);
         if (isAllSelected) {
-          await untrackAlertsByQuery({ query, featureIds });
+          await untrackAlertsByQuery({ query, ruleTypeIds });
         } else {
           await untrackAlerts({ indices, alertUuids });
         }
@@ -228,7 +228,7 @@ export const useBulkUntrackActions = ({
     },
     [
       query,
-      featureIds,
+      ruleTypeIds,
       isAllSelected,
       onSuccess,
       setIsBulkActionsLoading,
@@ -277,7 +277,7 @@ export function useBulkActions({
   query,
   refresh,
   useBulkActionsConfig = () => [],
-  featureIds,
+  ruleTypeIds,
   hideBulkActions,
 }: BulkActionsProps): UseBulkActions {
   const {
@@ -300,13 +300,14 @@ export function useBulkActions({
     refresh,
     clearSelection,
     query,
-    featureIds,
+    ruleTypeIds,
     isAllSelected: bulkActionsState.isAllSelected,
   });
 
   const initialItems = useMemo(() => {
-    return [...caseBulkActions, ...(featureIds?.includes('siem') ? [] : untrackBulkActions)];
-  }, [caseBulkActions, featureIds, untrackBulkActions]);
+    return [...caseBulkActions, ...(ruleTypeIds?.some(isSiemRuleType) ? [] : untrackBulkActions)];
+  }, [caseBulkActions, ruleTypeIds, untrackBulkActions]);
+
   const bulkActions = useMemo(() => {
     if (hideBulkActions) {
       return [];
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/use_bulk_untrack_alerts_by_query.test.ts b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/use_bulk_untrack_alerts_by_query.test.ts
new file mode 100644
index 0000000000000..5de16dd70ce52
--- /dev/null
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/use_bulk_untrack_alerts_by_query.test.ts
@@ -0,0 +1,53 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { act, renderHook } from '@testing-library/react-hooks';
+import { AppMockRenderer, createAppMockRenderer } from '../../test_utils';
+import { AlertsQueryContext } from '@kbn/alerts-ui-shared/src/common/contexts/alerts_query_context';
+import { useBulkUntrackAlertsByQuery } from './use_bulk_untrack_alerts_by_query';
+import { createStartServicesMock } from '../../../../common/lib/kibana/kibana_react.mock';
+import { TriggersAndActionsUiServices } from '../../../..';
+
+const mockUseKibanaReturnValue: TriggersAndActionsUiServices = createStartServicesMock();
+
+jest.mock('../../../../common/lib/kibana', () => ({
+  useKibana: jest.fn(() => ({
+    services: mockUseKibanaReturnValue,
+  })),
+}));
+
+const response = {};
+
+describe('useBulkUntrackAlertsByQuery', () => {
+  const httpMock = mockUseKibanaReturnValue.http.post as jest.Mock;
+
+  let appMockRender: AppMockRenderer;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    appMockRender = createAppMockRenderer(AlertsQueryContext);
+  });
+
+  it('calls the api when invoked with the correct parameters', async () => {
+    httpMock.mockResolvedValue(response);
+
+    const { result, waitFor } = renderHook(() => useBulkUntrackAlertsByQuery(), {
+      wrapper: appMockRender.AppWrapper,
+    });
+
+    await act(async () => {
+      // @ts-expect-error: no need to specify a query
+      await result.current.mutateAsync({ ruleTypeIds: ['foo'], query: [] });
+    });
+
+    await waitFor(() => {
+      expect(httpMock).toHaveBeenCalledWith('/internal/alerting/alerts/_bulk_untrack_by_query', {
+        body: '{"query":[],"rule_type_ids":["foo"]}',
+      });
+    });
+  });
+});
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/use_bulk_untrack_alerts_by_query.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/use_bulk_untrack_alerts_by_query.tsx
index 321d861e03615..88c878aa47a66 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/use_bulk_untrack_alerts_by_query.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/use_bulk_untrack_alerts_by_query.tsx
@@ -9,7 +9,6 @@ import { i18n } from '@kbn/i18n';
 import { useMutation } from '@tanstack/react-query';
 import { QueryDslQueryContainer } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { INTERNAL_BASE_ALERTING_API_PATH } from '@kbn/alerting-plugin/common';
-import { ValidFeatureId } from '@kbn/rule-data-utils';
 import { AlertsQueryContext } from '@kbn/alerts-ui-shared/src/common/contexts/alerts_query_context';
 import { useKibana } from '../../../../common';
 
@@ -22,14 +21,14 @@ export const useBulkUntrackAlertsByQuery = () => {
   const untrackAlertsByQuery = useMutation<
     string,
     string,
-    { query: Pick<QueryDslQueryContainer, 'bool' | 'ids'>; featureIds: ValidFeatureId[] }
+    { query: Pick<QueryDslQueryContainer, 'bool' | 'ids'>; ruleTypeIds: string[] }
   >(
     ['untrackAlerts'],
-    ({ query, featureIds }) => {
+    ({ query, ruleTypeIds }) => {
       try {
         const body = JSON.stringify({
           query: Array.isArray(query) ? query : [query],
-          feature_ids: featureIds,
+          rule_type_ids: ruleTypeIds,
         });
         return http.post(`${INTERNAL_BASE_ALERTING_API_PATH}/alerts/_bulk_untrack_by_query`, {
           body,
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/use_columns/use_columns.test.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/use_columns/use_columns.test.tsx
index d6ecf3d9ab20d..3b742bbd6d620 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/use_columns/use_columns.test.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/use_columns/use_columns.test.tsx
@@ -7,7 +7,6 @@
 
 import React, { FunctionComponent } from 'react';
 import { EuiDataGridColumn } from '@elastic/eui';
-import { AlertConsumers } from '@kbn/rule-data-utils';
 import { Storage } from '@kbn/kibana-utils-plugin/public';
 import { act, waitFor, renderHook } from '@testing-library/react';
 import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
@@ -76,7 +75,7 @@ mockFetchAlertsFields.mockResolvedValue({ browserFields, fields: [] });
 
 describe('useColumns', () => {
   const id = 'useColumnTest';
-  const featureIds: AlertConsumers[] = [AlertConsumers.LOGS, AlertConsumers.APM];
+  const ruleTypeIds: string[] = ['apm', 'logs'];
   let storage = { current: new Storage(mockStorage) };
 
   const getStorageAlertsTableByDefaultColumns = (defaultColumns: EuiDataGridColumn[]) => {
@@ -155,7 +154,7 @@ describe('useColumns', () => {
       () =>
         useColumns({
           defaultColumns,
-          featureIds,
+          ruleTypeIds,
           id,
           storageAlertsTable: localStorageAlertsTable,
           storage,
@@ -187,7 +186,7 @@ describe('useColumns', () => {
       () =>
         useColumns({
           defaultColumns,
-          featureIds,
+          ruleTypeIds,
           id,
           storageAlertsTable: localStorageAlertsTable,
           storage,
@@ -213,7 +212,7 @@ describe('useColumns', () => {
         useColumns({
           alertsFields,
           defaultColumns,
-          featureIds,
+          ruleTypeIds,
           id,
           storageAlertsTable: localStorageAlertsTable,
           storage,
@@ -232,7 +231,7 @@ describe('useColumns', () => {
         () =>
           useColumns({
             defaultColumns,
-            featureIds,
+            ruleTypeIds,
             id,
             storageAlertsTable: localStorageAlertsTable,
             storage,
@@ -254,7 +253,7 @@ describe('useColumns', () => {
         () =>
           useColumns({
             defaultColumns,
-            featureIds,
+            ruleTypeIds,
             id,
             storageAlertsTable: localStorageAlertsTable,
             storage,
@@ -283,7 +282,7 @@ describe('useColumns', () => {
         () =>
           useColumns({
             defaultColumns,
-            featureIds,
+            ruleTypeIds,
             id,
             storageAlertsTable: localStorageAlertsTable,
             storage,
@@ -301,7 +300,7 @@ describe('useColumns', () => {
         () =>
           useColumns({
             defaultColumns: localDefaultColumns,
-            featureIds,
+            ruleTypeIds,
             id,
             storageAlertsTable: localStorageAlertsTable,
             storage,
@@ -338,7 +337,7 @@ describe('useColumns', () => {
         () =>
           useColumns({
             defaultColumns,
-            featureIds,
+            ruleTypeIds,
             id,
             storageAlertsTable: localStorageAlertsTable,
             storage,
@@ -357,7 +356,7 @@ describe('useColumns', () => {
         () =>
           useColumns({
             defaultColumns,
-            featureIds,
+            ruleTypeIds,
             id,
             storageAlertsTable: localStorageAlertsTable,
             storage,
@@ -378,7 +377,7 @@ describe('useColumns', () => {
         () =>
           useColumns({
             defaultColumns,
-            featureIds,
+            ruleTypeIds,
             id,
             storageAlertsTable: localStorageAlertsTable,
             storage,
@@ -407,7 +406,7 @@ describe('useColumns', () => {
         () =>
           useColumns({
             defaultColumns,
-            featureIds,
+            ruleTypeIds,
             id,
             storageAlertsTable: localStorageAlertsTable,
             storage,
@@ -440,7 +439,7 @@ describe('useColumns', () => {
         () =>
           useColumns({
             defaultColumns,
-            featureIds,
+            ruleTypeIds,
             id,
             storageAlertsTable: localStorageAlertsTable,
             storage,
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/use_columns/use_columns.ts b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/use_columns/use_columns.ts
index 30c9ff0ea69ed..3af1d37f10de8 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/use_columns/use_columns.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/hooks/use_columns/use_columns.ts
@@ -9,7 +9,6 @@ import { EuiDataGridColumn, EuiDataGridOnColumnResizeData } from '@elastic/eui';
 import { IStorageWrapper } from '@kbn/kibana-utils-plugin/public';
 import { BrowserField, BrowserFields } from '@kbn/alerting-types';
 import { MutableRefObject, useCallback, useEffect, useMemo, useRef, useState } from 'react';
-import { AlertConsumers } from '@kbn/rule-data-utils';
 import { isEmpty } from 'lodash';
 import { useFetchAlertsFieldsQuery } from '@kbn/alerts-ui-shared/src/common/hooks/use_fetch_alerts_fields_query';
 import { AlertsQueryContext } from '@kbn/alerts-ui-shared/src/common/contexts/alerts_query_context';
@@ -18,7 +17,7 @@ import { toggleColumn } from './toggle_column';
 import { useKibana } from '../../../../../common';
 
 export interface UseColumnsArgs {
-  featureIds: AlertConsumers[];
+  ruleTypeIds: string[];
   storageAlertsTable: React.MutableRefObject<AlertsTableStorage>;
   storage: React.MutableRefObject<IStorageWrapper>;
   id: string;
@@ -155,7 +154,7 @@ const persist = ({
 };
 
 export const useColumns = ({
-  featureIds,
+  ruleTypeIds,
   storageAlertsTable,
   storage,
   id,
@@ -167,7 +166,7 @@ export const useColumns = ({
   const fieldsQuery = useFetchAlertsFieldsQuery(
     {
       http,
-      featureIds,
+      ruleTypeIds,
     },
     {
       enabled: !alertsFields,
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/types.ts b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/types.ts
index 819cc42bd90e6..46b349ae9bcce 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/types.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/alerts_table/types.ts
@@ -20,6 +20,8 @@ export interface Consumer {
   name: string;
 }
 
+export type AlertsTableSupportedConsumers = Exclude<AlertConsumers, 'alerts'>;
+
 export type ServerError = IHttpFetchError<ResponseErrorBody>;
 
 export interface CellComponentProps {
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_details/components/rule.test.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_details/components/rule.test.tsx
index 23e6f978f4c05..d64c018a07f3e 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_details/components/rule.test.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_details/components/rule.test.tsx
@@ -602,6 +602,7 @@ function mockRuleType(overloads: Partial<RuleType> = {}): RuleType {
     producer: 'rules',
     minimumLicenseRequired: 'basic',
     enabledInLicense: true,
+    category: 'my-category',
     ...overloads,
   };
 }
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_details/components/rule.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_details/components/rule.tsx
index 34f5a8e65436a..593e0a989b5f3 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_details/components/rule.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_details/components/rule.tsx
@@ -8,8 +8,8 @@
 import React, { lazy, useCallback, useMemo } from 'react';
 import { i18n } from '@kbn/i18n';
 import { EuiSpacer, EuiFlexGroup, EuiFlexItem, EuiTabbedContent } from '@elastic/eui';
-import { AlertStatusValues, ALERTING_FEATURE_ID } from '@kbn/alerting-plugin/common';
-import { ALERT_RULE_UUID, AlertConsumers } from '@kbn/rule-data-utils';
+import { AlertStatusValues } from '@kbn/alerting-plugin/common';
+import { ALERT_RULE_UUID } from '@kbn/rule-data-utils';
 import { ALERT_TABLE_GENERIC_CONFIG_ID } from '../../../constants';
 import { AlertTableConfigRegistry } from '../../../alert_table_config_registry';
 import { useKibana } from '../../../../common/lib/kibana';
@@ -106,11 +106,7 @@ export function RuleComponent({
           alertsTableConfigurationRegistry={
             alertsTableConfigurationRegistry as AlertTableConfigRegistry
           }
-          featureIds={
-            (rule.consumer === ALERTING_FEATURE_ID
-              ? [ruleType.producer]
-              : [rule.consumer]) as AlertConsumers[]
-          }
+          ruleTypeIds={[ruleType.id]}
           query={{ bool: { filter: { term: { [ALERT_RULE_UUID]: rule.id } } } }}
           showAlertStatusWithFlapping
           lastReloadRequestTime={lastReloadRequestTime}
@@ -131,11 +127,10 @@ export function RuleComponent({
     lastReloadRequestTime,
     onMuteAction,
     readOnly,
-    rule.consumer,
     rule.id,
     ruleType.hasAlertsMappings,
     ruleType.hasFieldsForAAD,
-    ruleType.producer,
+    ruleType.id,
   ]);
 
   const tabs = [
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_details/components/rule_details.test.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_details/components/rule_details.test.tsx
index ffde171117385..23c19642a8701 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_details/components/rule_details.test.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_details/components/rule_details.test.tsx
@@ -88,6 +88,7 @@ const ruleType: RuleType = {
   producer: ALERTING_FEATURE_ID,
   authorizedConsumers,
   enabledInLicense: true,
+  category: 'my-category',
 };
 
 describe('rule_details', () => {
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_details/components/rule_route.test.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_details/components/rule_route.test.tsx
index 7e660a30f7ec9..b8357c68da20e 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_details/components/rule_route.test.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_details/components/rule_route.test.tsx
@@ -146,6 +146,7 @@ function mockRuleType(overloads: Partial<RuleType> = {}): RuleType {
     producer: 'rules',
     minimumLicenseRequired: 'basic',
     enabledInLicense: true,
+    category: 'my-category',
     ...overloads,
   };
 }
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_details/components/test_helpers.ts b/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_details/components/test_helpers.ts
index 01ea94fdea8df..3da317d4e2be1 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_details/components/test_helpers.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_details/components/test_helpers.ts
@@ -79,6 +79,7 @@ export function mockRuleType(overloads: Partial<RuleType> = {}): RuleType {
     producer: 'rules',
     minimumLicenseRequired: 'basic',
     enabledInLicense: true,
+    category: 'my-category',
     ...overloads,
   };
 }
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_form/rule_add.test.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_form/rule_add.test.tsx
index c7b2876d83d84..0b9109c18831c 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_form/rule_add.test.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_form/rule_add.test.tsx
@@ -450,6 +450,7 @@ describe('rule_add', () => {
             },
           ],
           enabledInLicense: true,
+          category: 'my-category',
           defaultActionGroupId: 'threshold.fired',
           minimumLicenseRequired: 'basic',
           recoveryActionGroup: { id: 'recovered', name: 'Recovered' },
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_form/rule_form.test.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_form/rule_form.test.tsx
index 17bdcc92997ca..a89f7fe76339b 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_form/rule_form.test.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_form/rule_form.test.tsx
@@ -329,6 +329,7 @@ describe('rule_form', () => {
             state: [],
           },
           enabledInLicense: true,
+          category: 'my-category',
         },
         {
           id: 'disabled-by-license',
@@ -352,6 +353,7 @@ describe('rule_form', () => {
             state: [],
           },
           enabledInLicense: false,
+          category: 'my-category',
         },
       ];
       useLoadRuleTypesQuery.mockReturnValue({
@@ -579,6 +581,7 @@ describe('rule_form', () => {
               },
             ],
             enabledInLicense: true,
+            category: 'my-category',
             defaultActionGroupId: 'threshold.fired',
             minimumLicenseRequired: 'basic',
             recoveryActionGroup: { id: 'recovered', name: 'Recovered' },
@@ -652,6 +655,7 @@ describe('rule_form', () => {
               },
             ],
             enabledInLicense: true,
+            category: 'my-category',
             defaultActionGroupId: 'threshold.fired',
             minimumLicenseRequired: 'basic',
             recoveryActionGroup: { id: 'recovered', name: 'Recovered' },
@@ -730,6 +734,7 @@ describe('rule_form', () => {
               },
             ],
             enabledInLicense: true,
+            category: 'my-category',
             defaultActionGroupId: 'threshold.fired',
             minimumLicenseRequired: 'basic',
             recoveryActionGroup: { id: 'recovered', name: 'Recovered' },
@@ -789,6 +794,7 @@ describe('rule_form', () => {
               },
             ],
             enabledInLicense: true,
+            category: 'my-category',
             defaultActionGroupId: 'threshold.fired',
             minimumLicenseRequired: 'basic',
             recoveryActionGroup: { id: 'recovered', name: 'Recovered' },
@@ -848,6 +854,7 @@ describe('rule_form', () => {
               },
             ],
             enabledInLicense: true,
+            category: 'my-category',
             defaultActionGroupId: 'threshold.fired',
             minimumLicenseRequired: 'basic',
             recoveryActionGroup: { id: 'recovered', name: 'Recovered' },
@@ -907,6 +914,7 @@ describe('rule_form', () => {
               },
             ],
             enabledInLicense: true,
+            category: 'my-category',
             defaultActionGroupId: 'threshold.fired',
             minimumLicenseRequired: 'basic',
             recoveryActionGroup: { id: 'recovered', name: 'Recovered' },
@@ -966,6 +974,7 @@ describe('rule_form', () => {
               },
             ],
             enabledInLicense: true,
+            category: 'my-category',
             defaultActionGroupId: 'threshold.fired',
             minimumLicenseRequired: 'basic',
             recoveryActionGroup: { id: 'recovered', name: 'Recovered' },
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_form/rule_form_consumer_selection.test.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_form/rule_form_consumer_selection.test.tsx
index bec46c682919b..c98733d377f0e 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_form/rule_form_consumer_selection.test.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_form/rule_form_consumer_selection.test.tsx
@@ -9,14 +9,19 @@ import React from 'react';
 import { fireEvent, render, screen } from '@testing-library/react';
 import { RuleFormConsumerSelection } from './rule_form_consumer_selection';
 import { RuleCreationValidConsumer } from '../../../types';
+import { useKibana } from '../../../common/lib/kibana';
 
 const mockConsumers: RuleCreationValidConsumer[] = ['logs', 'infrastructure', 'stackAlerts'];
 
 const mockOnChange = jest.fn();
 
+jest.mock('../../../common/lib/kibana');
+const useKibanaMock = useKibana as jest.Mocked<typeof useKibana>;
+
 describe('RuleFormConsumerSelectionModal', () => {
   beforeEach(() => {
     jest.clearAllMocks();
+    useKibanaMock().services.isServerless = false;
   });
 
   it('renders correctly', async () => {
@@ -162,41 +167,56 @@ describe('RuleFormConsumerSelectionModal', () => {
     expect(screen.queryByTestId('ruleFormConsumerSelect')).not.toBeInTheDocument();
   });
 
-  it('should display nothing if observability is one of the consumers', () => {
+  it('should display the initial selected consumer', () => {
     render(
       <RuleFormConsumerSelection
-        selectedConsumer={null}
-        consumers={['logs', 'observability']}
+        selectedConsumer={'logs'}
+        consumers={mockConsumers}
         onChange={mockOnChange}
         errors={{}}
       />
     );
 
-    expect(screen.queryByTestId('ruleFormConsumerSelect')).not.toBeInTheDocument();
+    expect(screen.getByTestId('comboBoxSearchInput')).toHaveValue('Logs');
   });
 
-  it('should display the initial selected consumer', () => {
+  it('should not display the initial selected consumer if it is not a selectable option', () => {
     render(
       <RuleFormConsumerSelection
         selectedConsumer={'logs'}
-        consumers={mockConsumers}
+        consumers={['stackAlerts', 'infrastructure']}
         onChange={mockOnChange}
         errors={{}}
       />
     );
+    expect(screen.getByTestId('comboBoxSearchInput')).toHaveValue('');
+  });
 
-    expect(screen.getByTestId('comboBoxSearchInput')).toHaveValue('Logs');
+  it('should not show the role visibility dropdown on serverless on an o11y project', () => {
+    useKibanaMock().services.isServerless = true;
+
+    render(
+      <RuleFormConsumerSelection
+        selectedConsumer={'logs'}
+        consumers={['stackAlerts', 'infrastructure', 'observability']}
+        onChange={mockOnChange}
+        errors={{}}
+      />
+    );
+    expect(screen.queryByTestId('ruleFormConsumerSelect')).not.toBeInTheDocument();
   });
 
-  it('should not display the initial selected consumer if it is not a selectable option', () => {
+  it('should set the consumer correctly on an o11y project', () => {
+    useKibanaMock().services.isServerless = true;
+
     render(
       <RuleFormConsumerSelection
         selectedConsumer={'logs'}
-        consumers={['stackAlerts', 'infrastructure']}
+        consumers={['stackAlerts', 'infrastructure', 'observability']}
         onChange={mockOnChange}
         errors={{}}
       />
     );
-    expect(screen.getByTestId('comboBoxSearchInput')).toHaveValue('');
+    expect(mockOnChange).toHaveBeenLastCalledWith('observability');
   });
 });
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_form/rule_form_consumer_selection.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_form/rule_form_consumer_selection.tsx
index 46ec61cca8a5e..9fff99c1c9998 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_form/rule_form_consumer_selection.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/rule_form/rule_form_consumer_selection.tsx
@@ -10,6 +10,7 @@ import { EuiComboBox, EuiFormRow, EuiComboBoxOptionOption } from '@elastic/eui';
 import { i18n } from '@kbn/i18n';
 import { AlertConsumers, STACK_ALERTS_FEATURE_ID } from '@kbn/rule-data-utils';
 import { IErrorObject, RuleCreationValidConsumer } from '../../../types';
+import { useKibana } from '../../../common/lib/kibana';
 
 const SELECT_LABEL: string = i18n.translate(
   'xpack.triggersActionsUI.sections.ruleFormConsumerSelectionModal.selectLabel',
@@ -80,8 +81,11 @@ export interface RuleFormConsumerSelectionProps {
 const SINGLE_SELECTION = { asPlainText: true };
 
 export const RuleFormConsumerSelection = (props: RuleFormConsumerSelectionProps) => {
+  const { isServerless } = useKibana().services;
+
   const { consumers, errors, onChange, selectedConsumer, initialSelectedConsumer } = props;
   const isInvalid = (errors?.consumer as string[])?.length > 0;
+
   const handleOnChange = useCallback(
     (selected: Array<EuiComboBoxOptionOption<RuleCreationValidConsumer>>) => {
       if (selected.length > 0) {
@@ -93,6 +97,7 @@ export const RuleFormConsumerSelection = (props: RuleFormConsumerSelectionProps)
     },
     [onChange]
   );
+
   const validatedSelectedConsumer = useMemo(() => {
     if (
       selectedConsumer &&
@@ -103,6 +108,7 @@ export const RuleFormConsumerSelection = (props: RuleFormConsumerSelectionProps)
     }
     return null;
   }, [selectedConsumer, consumers]);
+
   const selectedOptions = useMemo(
     () =>
       validatedSelectedConsumer
@@ -149,15 +155,16 @@ export const RuleFormConsumerSelection = (props: RuleFormConsumerSelectionProps)
   useEffect(() => {
     if (consumers.length === 1) {
       onChange(consumers[0] as RuleCreationValidConsumer);
-    } else if (consumers.includes(AlertConsumers.OBSERVABILITY)) {
+    } else if (isServerless && consumers.includes(AlertConsumers.OBSERVABILITY)) {
       onChange(AlertConsumers.OBSERVABILITY as RuleCreationValidConsumer);
     }
     // eslint-disable-next-line react-hooks/exhaustive-deps
   }, [consumers]);
 
-  if (consumers.length <= 1 || consumers.includes(AlertConsumers.OBSERVABILITY)) {
+  if (consumers.length <= 1 || (isServerless && consumers.includes(AlertConsumers.OBSERVABILITY))) {
     return null;
   }
+
   return (
     <EuiFormRow
       fullWidth
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list.test.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list.test.tsx
index 1efd0e572b324..35249777dedba 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list.test.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list.test.tsx
@@ -225,8 +225,7 @@ describe('Update Api Key', () => {
   });
 });
 
-// Failing: See https://github.com/elastic/kibana/issues/182435
-describe.skip('rules_list component empty', () => {
+describe('rules_list component empty', () => {
   beforeEach(() => {
     fetchActiveMaintenanceWindowsMock.mockResolvedValue([]);
     loadRulesWithKueryFilter.mockResolvedValue({
@@ -282,28 +281,6 @@ describe.skip('rules_list component empty', () => {
     expect(await screen.findByTestId('createFirstRuleEmptyPrompt')).toBeInTheDocument();
   });
 
-  it('renders MaintenanceWindowCallout if one exists', async () => {
-    fetchActiveMaintenanceWindowsMock.mockResolvedValue([RUNNING_MAINTENANCE_WINDOW_1]);
-    renderWithProviders(<RulesList />);
-    expect(
-      await screen.findByText(
-        'Rule notifications are stopped while maintenance windows are running.'
-      )
-    ).toBeInTheDocument();
-    expect(fetchActiveMaintenanceWindowsMock).toHaveBeenCalledTimes(1);
-  });
-
-  it("hides MaintenanceWindowCallout if filterConsumers does not match the running maintenance window's category", async () => {
-    fetchActiveMaintenanceWindowsMock.mockResolvedValue([
-      { ...RUNNING_MAINTENANCE_WINDOW_1, categoryIds: ['securitySolution'] },
-    ]);
-    renderWithProviders(<RulesList filterConsumers={['observability']} />);
-    await expect(
-      screen.findByText('Rule notifications are stopped while maintenance windows are running.')
-    ).rejects.toThrow();
-    expect(fetchActiveMaintenanceWindowsMock).toHaveBeenCalledTimes(1);
-  });
-
   it('renders Create rule button', async () => {
     renderWithProviders(<RulesList showCreateRuleButtonInPrompt />);
 
@@ -319,6 +296,7 @@ describe.skip('rules_list component empty', () => {
 describe('rules_list ', () => {
   let ruleTypeRegistry: jest.Mocked<RuleTypeRegistryContract>;
   let actionTypeRegistry: jest.Mocked<ActionTypeRegistryContract<unknown, unknown>>;
+
   beforeEach(() => {
     (getIsExperimentalFeatureEnabled as jest.Mock<any, any>).mockImplementation(() => false);
     loadRulesWithKueryFilter.mockResolvedValue({
@@ -1403,3 +1381,99 @@ describe('rules_list with show only capability', () => {
     });
   });
 });
+
+describe('MaintenanceWindowsMock', () => {
+  beforeEach(() => {
+    fetchActiveMaintenanceWindowsMock.mockResolvedValue([]);
+
+    loadRulesWithKueryFilter.mockResolvedValue({
+      page: 1,
+      perPage: 10000,
+      total: 0,
+      data: [],
+    });
+
+    loadActionTypes.mockResolvedValue([
+      {
+        id: 'test',
+        name: 'Test',
+      },
+      {
+        id: 'test2',
+        name: 'Test2',
+      },
+    ]);
+
+    loadRuleTypes.mockResolvedValue([ruleTypeFromApi]);
+    loadAllActions.mockResolvedValue([]);
+    loadRuleAggregationsWithKueryFilter.mockResolvedValue({});
+    loadRuleTags.mockResolvedValue({
+      data: ruleTags,
+      page: 1,
+      perPage: 50,
+      total: 4,
+    });
+
+    const actionTypeRegistry = actionTypeRegistryMock.create();
+    const ruleTypeRegistry = ruleTypeRegistryMock.create();
+
+    ruleTypeRegistry.list.mockReturnValue([ruleType]);
+    actionTypeRegistry.list.mockReturnValue([]);
+    useKibanaMock().services.application.capabilities = {
+      ...useKibanaMock().services.application.capabilities,
+      [MAINTENANCE_WINDOW_FEATURE_ID]: {
+        save: true,
+        show: true,
+      },
+    };
+    useKibanaMock().services.ruleTypeRegistry = ruleTypeRegistry;
+    useKibanaMock().services.actionTypeRegistry = actionTypeRegistry;
+  });
+
+  afterEach(() => {
+    jest.clearAllMocks();
+    queryClient.clear();
+    cleanup();
+  });
+
+  it('renders MaintenanceWindowCallout if one exists', async () => {
+    fetchActiveMaintenanceWindowsMock.mockResolvedValue([RUNNING_MAINTENANCE_WINDOW_1]);
+    renderWithProviders(<RulesList />);
+
+    expect(
+      await screen.findByText('One or more maintenance windows are running')
+    ).toBeInTheDocument();
+
+    expect(fetchActiveMaintenanceWindowsMock).toHaveBeenCalledTimes(1);
+  });
+
+  it('hides MaintenanceWindowCallout if the category ID is not supported', async () => {
+    loadRuleTypes.mockResolvedValue([{ ...ruleTypeFromApi, category: 'observability' }]);
+    fetchActiveMaintenanceWindowsMock.mockResolvedValue([
+      { ...RUNNING_MAINTENANCE_WINDOW_1, categoryIds: ['securitySolution'] },
+    ]);
+
+    renderWithProviders(<RulesList />);
+
+    await expect(
+      screen.findByText('Rule notifications are stopped while maintenance windows are running.')
+    ).rejects.toThrow();
+
+    expect(fetchActiveMaintenanceWindowsMock).toHaveBeenCalledTimes(1);
+  });
+
+  it('shows MaintenanceWindowCallout for a specific category', async () => {
+    loadRuleTypes.mockResolvedValue([{ ...ruleTypeFromApi, category: 'observability' }]);
+    fetchActiveMaintenanceWindowsMock.mockResolvedValue([
+      { ...RUNNING_MAINTENANCE_WINDOW_1, categoryIds: ['securitySolution', 'observability'] },
+    ]);
+
+    renderWithProviders(<RulesList />);
+
+    expect(
+      await screen.findByText('A maintenance window is running for Observability rules')
+    ).toBeInTheDocument();
+
+    expect(fetchActiveMaintenanceWindowsMock).toHaveBeenCalledTimes(1);
+  });
+});
diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list.tsx
index d98aa2c5dec67..c0b56fa224519 100644
--- a/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list.tsx
+++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list.tsx
@@ -117,7 +117,8 @@ const RuleAdd = lazy(() => import('../../rule_form/rule_add'));
 const RuleEdit = lazy(() => import('../../rule_form/rule_edit'));
 
 export interface RulesListProps {
-  filterConsumers?: string[];
+  ruleTypeIds?: string[];
+  consumers?: string[];
   filteredRuleTypes?: string[];
   lastResponseFilter?: string[];
   lastRunOutcomeFilter?: string[];
@@ -159,7 +160,8 @@ const initialPercentileOptions = Object.values(Percentiles).map((percentile) =>
 const EMPTY_ARRAY: string[] = [];
 
 export const RulesList = ({
-  filterConsumers,
+  ruleTypeIds,
+  consumers,
   filteredRuleTypes = EMPTY_ARRAY,
   lastResponseFilter,
   lastRunOutcomeFilter,
@@ -272,6 +274,7 @@ export const RulesList = ({
   const rulesTypesFilter = isEmpty(filters.types)
     ? authorizedRuleTypes.map((art) => art.id)
     : filters.types;
+
   const hasDefaultRuleTypesFiltersOn = isEmpty(filters.types);
 
   const computedFilter = useMemo(() => {
@@ -285,7 +288,8 @@ export const RulesList = ({
 
   // Fetch rules
   const { rulesState, loadRules, hasData, lastUpdate } = useLoadRulesQuery({
-    filterConsumers,
+    ruleTypeIds,
+    consumers,
     filters: computedFilter,
     hasDefaultRuleTypesFiltersOn,
     page,
@@ -298,7 +302,8 @@ export const RulesList = ({
   // Fetch status aggregation
   const { loadRuleAggregations, rulesStatusesTotal, rulesLastRunOutcomesTotal } =
     useLoadRuleAggregationsQuery({
-      filterConsumers,
+      ruleTypeIds,
+      consumers,
       filters: computedFilter,
       enabled: canLoadRules,
       refresh,
@@ -766,12 +771,16 @@ export const RulesList = ({
 
   const numberRulesToDelete = rulesToBulkEdit.length || numberOfSelectedItems;
 
+  const allRuleCategories = getAllUniqueRuleTypeCategories(
+    Array.from(ruleTypesState.data.values())
+  );
+
   return (
     <>
       {showSearchBar && !isEmpty(filters.ruleParams) ? (
         <RulesListClearRuleFilterBanner onClickClearFilter={handleClearRuleParamFilter} />
       ) : null}
-      <MaintenanceWindowCallout kibanaServices={kibanaServices} categories={filterConsumers} />
+      <MaintenanceWindowCallout kibanaServices={kibanaServices} categories={allRuleCategories} />
       <RulesListPrompts
         showNoAuthPrompt={showNoAuthPrompt}
         showCreateFirstRulePrompt={showCreateFirstRulePrompt}
@@ -1081,3 +1090,9 @@ export { RulesList as default };
 function filterRulesById(rules: Rule[], ids: string[]): Rule[] {
   return rules.filter((rule) => ids.includes(rule.id));
 }
+
+const getAllUniqueRuleTypeCategories = (ruleTypes: RuleType[]) => {
+  const categories = new Set(ruleTypes.map((ruleType) => ruleType.category));
+
+  return Array.from(categories).filter(Boolean);
+};
diff --git a/x-pack/plugins/triggers_actions_ui/public/types.ts b/x-pack/plugins/triggers_actions_ui/public/types.ts
index a592b19ae8a79..d6ea582058c1e 100644
--- a/x-pack/plugins/triggers_actions_ui/public/types.ts
+++ b/x-pack/plugins/triggers_actions_ui/public/types.ts
@@ -26,7 +26,7 @@ import type {
   RenderCellValue,
   EuiDataGridCellPopoverElementProps,
 } from '@elastic/eui';
-import type { RuleCreationValidConsumer, ValidFeatureId } from '@kbn/rule-data-utils';
+import type { RuleCreationValidConsumer } from '@kbn/rule-data-utils';
 import { EuiDataGridColumn, EuiDataGridControlColumn, EuiDataGridSorting } from '@elastic/eui';
 import { HttpSetup } from '@kbn/core/public';
 import { KueryNode } from '@kbn/es-query';
@@ -490,7 +490,7 @@ export type AlertsTableProps = {
    * Enable when rows may have variable heights (disables virtualization)
    */
   dynamicRowHeight?: boolean;
-  featureIds?: ValidFeatureId[];
+  ruleTypeIds?: string[];
   pageIndex: number;
   pageSize: number;
   sort: SortCombinations[];
diff --git a/x-pack/plugins/triggers_actions_ui/server/plugin.ts b/x-pack/plugins/triggers_actions_ui/server/plugin.ts
index b5cafb0571482..2263af73dbdc7 100644
--- a/x-pack/plugins/triggers_actions_ui/server/plugin.ts
+++ b/x-pack/plugins/triggers_actions_ui/server/plugin.ts
@@ -6,10 +6,7 @@
  */
 
 import { Logger, Plugin, CoreSetup, PluginInitializerContext } from '@kbn/core/server';
-import {
-  PluginSetupContract as AlertingPluginSetup,
-  PluginStartContract as AlertingPluginStart,
-} from '@kbn/alerting-plugin/server';
+import { AlertingServerSetup, AlertingServerStart } from '@kbn/alerting-plugin/server';
 import { EncryptedSavedObjectsPluginSetup } from '@kbn/encrypted-saved-objects-plugin/server';
 import { getService, register as registerDataService } from './data';
 import { createHealthRoute, createConfigRoute } from './routes';
@@ -21,11 +18,11 @@ export interface PluginStartContract {
 
 interface PluginsSetup {
   encryptedSavedObjects?: EncryptedSavedObjectsPluginSetup;
-  alerting: AlertingPluginSetup;
+  alerting: AlertingServerSetup;
 }
 
 interface TriggersActionsPluginStart {
-  alerting: AlertingPluginStart;
+  alerting: AlertingServerStart;
 }
 
 export class TriggersActionsPlugin implements Plugin<void, PluginStartContract> {
diff --git a/x-pack/plugins/triggers_actions_ui/server/routes/config.test.ts b/x-pack/plugins/triggers_actions_ui/server/routes/config.test.ts
index 010a01b46fbdb..e96d5837b1138 100644
--- a/x-pack/plugins/triggers_actions_ui/server/routes/config.test.ts
+++ b/x-pack/plugins/triggers_actions_ui/server/routes/config.test.ts
@@ -45,7 +45,7 @@ describe('createConfigRoute', () => {
     const logger = loggingSystemMock.create().get();
     const mockRulesClient = rulesClientMock.create();
 
-    mockRulesClient.listRuleTypes.mockResolvedValueOnce(new Set(ruleTypes));
+    mockRulesClient.listRuleTypes.mockResolvedValueOnce(ruleTypes);
     createConfigRoute({
       logger,
       router,
@@ -80,7 +80,7 @@ describe('createConfigRoute', () => {
     const logger = loggingSystemMock.create().get();
     const mockRulesClient = rulesClientMock.create();
 
-    mockRulesClient.listRuleTypes.mockResolvedValueOnce(new Set());
+    mockRulesClient.listRuleTypes.mockResolvedValueOnce([]);
     createConfigRoute({
       logger,
       router,
diff --git a/x-pack/test/alerting_api_integration/common/plugins/alerts/server/plugin.ts b/x-pack/test/alerting_api_integration/common/plugins/alerts/server/plugin.ts
index 9210e9f71ed9c..62b6d6594b06c 100644
--- a/x-pack/test/alerting_api_integration/common/plugins/alerts/server/plugin.ts
+++ b/x-pack/test/alerting_api_integration/common/plugins/alerts/server/plugin.ts
@@ -8,10 +8,7 @@
 import { Plugin, CoreSetup, CoreStart, Logger, PluginInitializerContext } from '@kbn/core/server';
 import { firstValueFrom, Subject } from 'rxjs';
 import { PluginSetupContract as ActionsPluginSetup } from '@kbn/actions-plugin/server/plugin';
-import {
-  PluginStartContract as AlertingPluginsStart,
-  PluginSetupContract as AlertingPluginSetup,
-} from '@kbn/alerting-plugin/server/plugin';
+import { AlertingServerSetup, AlertingServerStart } from '@kbn/alerting-plugin/server/plugin';
 import {
   TaskManagerSetupContract,
   TaskManagerStartContract,
@@ -25,6 +22,7 @@ import { RuleRegistryPluginSetupContract } from '@kbn/rule-registry-plugin/serve
 import { IEventLogClientService } from '@kbn/event-log-plugin/server';
 import { NotificationsPluginStart } from '@kbn/notifications-plugin/server';
 import { RULE_SAVED_OBJECT_TYPE } from '@kbn/alerting-plugin/server';
+import { ALERTING_FEATURE_ID } from '@kbn/alerting-plugin/common';
 import { KibanaFeatureScope } from '@kbn/features-plugin/common';
 import { defineRoutes } from './routes';
 import { defineActionTypes } from './action_types';
@@ -34,13 +32,13 @@ import { defineConnectorAdapters } from './connector_adapters';
 export interface FixtureSetupDeps {
   features: FeaturesPluginSetup;
   actions: ActionsPluginSetup;
-  alerting: AlertingPluginSetup;
+  alerting: AlertingServerSetup;
   taskManager: TaskManagerSetupContract;
   ruleRegistry: RuleRegistryPluginSetupContract;
 }
 
 export interface FixtureStartDeps {
-  alerting: AlertingPluginsStart;
+  alerting: AlertingServerStart;
   encryptedSavedObjects: EncryptedSavedObjectsPluginStart;
   security?: SecurityPluginStart;
   spaces?: SpacesPluginStart;
@@ -50,6 +48,35 @@ export interface FixtureStartDeps {
   notifications: NotificationsPluginStart;
 }
 
+const testRuleTypes = [
+  'test.always-firing',
+  'test.cumulative-firing',
+  'test.never-firing',
+  'test.failing',
+  'test.authorization',
+  'test.delayed',
+  'test.validation',
+  'test.onlyContextVariables',
+  'test.onlyStateVariables',
+  'test.noop',
+  'test.unrestricted-noop',
+  'test.patternFiring',
+  'test.patternSuccessOrFailure',
+  'test.throw',
+  'test.longRunning',
+  'test.exceedsAlertLimit',
+  'test.always-firing-alert-as-data',
+  'test.patternFiringAad',
+  'test.waitingRule',
+  'test.patternFiringAutoRecoverFalse',
+  'test.severity',
+];
+
+const testAlertingFeatures = testRuleTypes.map((ruleTypeId) => ({
+  ruleTypeId,
+  consumers: ['alertsFixture', ALERTING_FEATURE_ID],
+}));
+
 export class FixturePlugin implements Plugin<void, void, FixtureSetupDeps, FixtureStartDeps> {
   private readonly logger: Logger;
 
@@ -72,30 +99,8 @@ export class FixturePlugin implements Plugin<void, void, FixtureSetupDeps, Fixtu
       name: 'Alerts',
       app: ['alerts', 'kibana'],
       category: { id: 'foo', label: 'foo' },
+      alerting: testAlertingFeatures,
       scope: [KibanaFeatureScope.Spaces, KibanaFeatureScope.Security],
-      alerting: [
-        'test.always-firing',
-        'test.cumulative-firing',
-        'test.never-firing',
-        'test.failing',
-        'test.authorization',
-        'test.delayed',
-        'test.validation',
-        'test.onlyContextVariables',
-        'test.onlyStateVariables',
-        'test.noop',
-        'test.unrestricted-noop',
-        'test.patternFiring',
-        'test.patternSuccessOrFailure',
-        'test.throw',
-        'test.longRunning',
-        'test.exceedsAlertLimit',
-        'test.always-firing-alert-as-data',
-        'test.patternFiringAad',
-        'test.waitingRule',
-        'test.patternFiringAutoRecoverFalse',
-        'test.severity',
-      ],
       privileges: {
         all: {
           app: ['alerts', 'kibana'],
@@ -105,29 +110,7 @@ export class FixturePlugin implements Plugin<void, void, FixtureSetupDeps, Fixtu
           },
           alerting: {
             rule: {
-              all: [
-                'test.always-firing',
-                'test.cumulative-firing',
-                'test.never-firing',
-                'test.failing',
-                'test.delayed',
-                'test.authorization',
-                'test.validation',
-                'test.onlyContextVariables',
-                'test.onlyStateVariables',
-                'test.noop',
-                'test.unrestricted-noop',
-                'test.patternFiring',
-                'test.patternSuccessOrFailure',
-                'test.throw',
-                'test.longRunning',
-                'test.exceedsAlertLimit',
-                'test.always-firing-alert-as-data',
-                'test.patternFiringAad',
-                'test.waitingRule',
-                'test.patternFiringAutoRecoverFalse',
-                'test.severity',
-              ],
+              all: testAlertingFeatures,
             },
           },
           ui: [],
@@ -140,29 +123,7 @@ export class FixturePlugin implements Plugin<void, void, FixtureSetupDeps, Fixtu
           },
           alerting: {
             rule: {
-              read: [
-                'test.always-firing',
-                'test.cumulative-firing',
-                'test.never-firing',
-                'test.failing',
-                'test.authorization',
-                'test.delayed',
-                'test.validation',
-                'test.onlyContextVariables',
-                'test.onlyStateVariables',
-                'test.noop',
-                'test.unrestricted-noop',
-                'test.patternFiring',
-                'test.patternSuccessOrFailure',
-                'test.throw',
-                'test.longRunning',
-                'test.exceedsAlertLimit',
-                'test.always-firing-alert-as-data',
-                'test.patternFiringAad',
-                'test.waitingRule',
-                'test.patternFiringAutoRecoverFalse',
-                'test.severity',
-              ],
+              read: testAlertingFeatures,
             },
           },
           ui: [],
diff --git a/x-pack/test/alerting_api_integration/common/plugins/alerts_restricted/server/plugin.ts b/x-pack/test/alerting_api_integration/common/plugins/alerts_restricted/server/plugin.ts
index 6f6673d6086ec..aebb43bd312d7 100644
--- a/x-pack/test/alerting_api_integration/common/plugins/alerts_restricted/server/plugin.ts
+++ b/x-pack/test/alerting_api_integration/common/plugins/alerts_restricted/server/plugin.ts
@@ -7,17 +7,18 @@
 
 import { Plugin, CoreSetup } from '@kbn/core/server';
 import { PluginSetupContract as ActionsPluginSetup } from '@kbn/actions-plugin/server/plugin';
-import { PluginSetupContract as AlertingPluginSetup } from '@kbn/alerting-plugin/server/plugin';
+import { AlertingServerSetup } from '@kbn/alerting-plugin/server/plugin';
 import { EncryptedSavedObjectsPluginStart } from '@kbn/encrypted-saved-objects-plugin/server';
 import { FeaturesPluginSetup } from '@kbn/features-plugin/server';
 import { RULE_SAVED_OBJECT_TYPE } from '@kbn/alerting-plugin/server';
+import { ALERTING_FEATURE_ID } from '@kbn/alerting-plugin/common';
 import { KibanaFeatureScope } from '@kbn/features-plugin/common';
 import { defineAlertTypes } from './alert_types';
 
 export interface FixtureSetupDeps {
   features: FeaturesPluginSetup;
   actions: ActionsPluginSetup;
-  alerting: AlertingPluginSetup;
+  alerting: AlertingServerSetup;
 }
 
 export interface FixtureStartDeps {
@@ -31,8 +32,18 @@ export class FixturePlugin implements Plugin<void, void, FixtureSetupDeps, Fixtu
       name: 'AlertRestricted',
       app: ['alerts', 'kibana'],
       category: { id: 'foo', label: 'foo' },
+      alerting: [
+        {
+          ruleTypeId: 'test.restricted-noop',
+          consumers: ['alertsRestrictedFixture', ALERTING_FEATURE_ID],
+        },
+        {
+          ruleTypeId: 'test.unrestricted-noop',
+          consumers: ['alertsRestrictedFixture', ALERTING_FEATURE_ID],
+        },
+        { ruleTypeId: 'test.noop', consumers: ['alertsRestrictedFixture', ALERTING_FEATURE_ID] },
+      ],
       scope: [KibanaFeatureScope.Spaces, KibanaFeatureScope.Security],
-      alerting: ['test.restricted-noop', 'test.unrestricted-noop', 'test.noop'],
       privileges: {
         all: {
           app: ['alerts', 'kibana'],
@@ -42,7 +53,20 @@ export class FixturePlugin implements Plugin<void, void, FixtureSetupDeps, Fixtu
           },
           alerting: {
             rule: {
-              all: ['test.restricted-noop', 'test.unrestricted-noop', 'test.noop'],
+              all: [
+                {
+                  ruleTypeId: 'test.restricted-noop',
+                  consumers: ['alertsRestrictedFixture', ALERTING_FEATURE_ID],
+                },
+                {
+                  ruleTypeId: 'test.unrestricted-noop',
+                  consumers: ['alertsRestrictedFixture', ALERTING_FEATURE_ID],
+                },
+                {
+                  ruleTypeId: 'test.noop',
+                  consumers: ['alertsRestrictedFixture', ALERTING_FEATURE_ID],
+                },
+              ],
             },
           },
           ui: [],
@@ -55,7 +79,20 @@ export class FixturePlugin implements Plugin<void, void, FixtureSetupDeps, Fixtu
           },
           alerting: {
             rule: {
-              read: ['test.restricted-noop', 'test.unrestricted-noop', 'test.noop'],
+              read: [
+                {
+                  ruleTypeId: 'test.restricted-noop',
+                  consumers: ['alertsRestrictedFixture', ALERTING_FEATURE_ID],
+                },
+                {
+                  ruleTypeId: 'test.unrestricted-noop',
+                  consumers: ['alertsRestrictedFixture', ALERTING_FEATURE_ID],
+                },
+                {
+                  ruleTypeId: 'test.noop',
+                  consumers: ['alertsRestrictedFixture', ALERTING_FEATURE_ID],
+                },
+              ],
             },
           },
           ui: [],
diff --git a/x-pack/test/alerting_api_integration/observability/metric_threshold_rule.ts b/x-pack/test/alerting_api_integration/observability/metric_threshold_rule.ts
index 4a1459d350ea6..fc900f7122fca 100644
--- a/x-pack/test/alerting_api_integration/observability/metric_threshold_rule.ts
+++ b/x-pack/test/alerting_api_integration/observability/metric_threshold_rule.ts
@@ -7,12 +7,9 @@
 
 import expect from '@kbn/expect';
 import { cleanup, generate, Dataset, PartialConfig } from '@kbn/data-forge';
-import {
-  Aggregators,
-  InfraRuleType,
-  MetricThresholdParams,
-} from '@kbn/infra-plugin/common/alerting/metrics';
+import { Aggregators, MetricThresholdParams } from '@kbn/infra-plugin/common/alerting/metrics';
 import { COMPARATORS } from '@kbn/alerting-comparators';
+import { InfraRuleType } from '@kbn/rule-data-utils';
 import {
   waitForDocumentInIndex,
   waitForAlertInIndex,
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/backfill/schedule.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/backfill/schedule.ts
index ab4734239ce0d..d2fdb7f4365f4 100644
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/backfill/schedule.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/backfill/schedule.ts
@@ -127,6 +127,7 @@ export default function scheduleBackfillTests({ getService }: FtrProviderContext
           username: user.username,
           password: user.password,
         };
+
         it('should handle scheduling backfill job requests appropriately', async () => {
           const defaultStart = moment().utc().startOf('day').subtract(7, 'days').toISOString();
           const defaultEnd = moment().utc().startOf('day').subtract(1, 'day').toISOString();
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/bulk_untrack_by_query.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/bulk_untrack_by_query.ts
index 794cb73677730..66d04b723ca03 100644
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/bulk_untrack_by_query.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/bulk_untrack_by_query.ts
@@ -130,7 +130,7 @@ export default function bulkUntrackByQueryTests({ getService }: FtrProviderConte
                   },
                 },
               ],
-              feature_ids: ['alertsFixture'],
+              rule_type_ids: ['test.always-firing-alert-as-data'],
             });
 
           switch (scenario.id) {
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/create.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/create.ts
index 95e6f7043c90b..d0716df4e2db9 100644
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/create.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/create.ts
@@ -261,18 +261,11 @@ export default function createAlertTests({ getService }: FtrProviderContext) {
           switch (scenario.id) {
             case 'no_kibana_privileges at space1':
             case 'space_1_all at space2':
-              expect(response.statusCode).to.eql(403);
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: getUnauthorizedErrorMessage('create', 'test.noop', 'alerts'),
-                statusCode: 403,
-              });
-              break;
             case 'global_read at space1':
               expect(response.statusCode).to.eql(403);
               expect(response.body).to.eql({
                 error: 'Forbidden',
-                message: getUnauthorizedErrorMessage('create', 'test.noop', 'alertsFixture'),
+                message: getUnauthorizedErrorMessage('create', 'test.noop', 'alerts'),
                 statusCode: 403,
               });
               break;
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/delete.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/delete.ts
index d6cb57261a558..6814ed46c42b3 100644
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/delete.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/delete.ts
@@ -219,7 +219,7 @@ export default function createDeleteTests({ getService }: FtrProviderContext) {
               expect(response.statusCode).to.eql(403);
               expect(response.body).to.eql({
                 error: 'Forbidden',
-                message: getUnauthorizedErrorMessage('delete', 'test.noop', 'alertsFixture'),
+                message: getUnauthorizedErrorMessage('delete', 'test.noop', 'alerts'),
                 statusCode: 403,
               });
               objectRemover.add(space.id, createdAlert.id, 'rule', 'alerting');
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/disable.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/disable.ts
index 264df417440f3..aa43d52d60ad4 100644
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/disable.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/disable.ts
@@ -255,18 +255,11 @@ export default function createDisableAlertTests({ getService }: FtrProviderConte
           switch (scenario.id) {
             case 'no_kibana_privileges at space1':
             case 'space_1_all at space2':
-              expect(response.statusCode).to.eql(403);
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: getUnauthorizedErrorMessage('disable', 'test.noop', 'alerts'),
-                statusCode: 403,
-              });
-              break;
             case 'global_read at space1':
               expect(response.statusCode).to.eql(403);
               expect(response.body).to.eql({
                 error: 'Forbidden',
-                message: getUnauthorizedErrorMessage('disable', 'test.noop', 'alertsFixture'),
+                message: getUnauthorizedErrorMessage('disable', 'test.noop', 'alerts'),
                 statusCode: 403,
               });
               break;
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/enable.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/enable.ts
index 581f6f13a63b7..eef6ff320a828 100644
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/enable.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/enable.ts
@@ -246,18 +246,11 @@ export default function createEnableAlertTests({ getService }: FtrProviderContex
           switch (scenario.id) {
             case 'no_kibana_privileges at space1':
             case 'space_1_all at space2':
-              expect(response.statusCode).to.eql(403);
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: getUnauthorizedErrorMessage('enable', 'test.noop', 'alerts'),
-                statusCode: 403,
-              });
-              break;
             case 'global_read at space1':
               expect(response.statusCode).to.eql(403);
               expect(response.body).to.eql({
                 error: 'Forbidden',
-                message: getUnauthorizedErrorMessage('enable', 'test.noop', 'alertsFixture'),
+                message: getUnauthorizedErrorMessage('enable', 'test.noop', 'alerts'),
                 statusCode: 403,
               });
               break;
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/find.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/find.ts
index bf5595e5756c1..da74893f81713 100644
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/find.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/find.ts
@@ -8,12 +8,7 @@
 import expect from '@kbn/expect';
 import { chunk, omit } from 'lodash';
 import { v4 as uuidv4 } from 'uuid';
-import {
-  ES_QUERY_ID,
-  ML_ANOMALY_DETECTION_RULE_TYPE_ID,
-  OBSERVABILITY_THRESHOLD_RULE_TYPE_ID,
-} from '@kbn/rule-data-utils';
-import { SuperuserAtSpace1, UserAtSpaceScenarios, StackAlertsOnly } from '../../../scenarios';
+import { SuperuserAtSpace1, UserAtSpaceScenarios } from '../../../scenarios';
 import { getUrlPrefix, getTestRuleData, ObjectRemover } from '../../../../common/lib';
 import { FtrProviderContext } from '../../../../common/ftr_provider_context';
 
@@ -614,120 +609,5 @@ export default function createFindTests({ getService }: FtrProviderContext) {
         ]);
       });
     });
-
-    describe('stack alerts', () => {
-      const ruleTypes = [
-        [
-          ES_QUERY_ID,
-          {
-            searchType: 'esQuery',
-            timeWindowSize: 5,
-            timeWindowUnit: 'm',
-            threshold: [1000],
-            thresholdComparator: '>',
-            size: 100,
-            esQuery: '{\n    "query":{\n      "match_all" : {}\n    }\n  }',
-            aggType: 'count',
-            groupBy: 'all',
-            termSize: 5,
-            excludeHitsFromPreviousRun: false,
-            sourceFields: [],
-            index: ['.kibana'],
-            timeField: 'created_at',
-          },
-        ],
-        [
-          OBSERVABILITY_THRESHOLD_RULE_TYPE_ID,
-          {
-            criteria: [
-              {
-                comparator: '>',
-                metrics: [
-                  {
-                    name: 'A',
-                    aggType: 'count',
-                  },
-                ],
-                threshold: [100],
-                timeSize: 1,
-                timeUnit: 'm',
-              },
-            ],
-            alertOnNoData: false,
-            alertOnGroupDisappear: false,
-            searchConfiguration: {
-              query: {
-                query: '',
-                language: 'kuery',
-              },
-              index: 'kibana-event-log-data-view',
-            },
-          },
-        ],
-        [
-          ML_ANOMALY_DETECTION_RULE_TYPE_ID,
-          {
-            severity: 75,
-            resultType: 'bucket',
-            includeInterim: false,
-            jobSelection: {
-              jobIds: ['low_request_rate'],
-            },
-          },
-        ],
-      ];
-
-      const createRule = async (rule = {}) => {
-        const { body: createdAlert } = await supertest
-          .post(`${getUrlPrefix('space1')}/api/alerting/rule`)
-          .set('kbn-xsrf', 'foo')
-          .send(getTestRuleData({ ...rule }))
-          .expect(200);
-
-        objectRemover.add('space1', createdAlert.id, 'rule', 'alerting');
-      };
-
-      for (const [ruleTypeId, params] of ruleTypes) {
-        it(`should get rules of ${ruleTypeId} rule type ID and stackAlerts consumer`, async () => {
-          /**
-           * We create two rules. The first one is a test.noop
-           * rule with stackAlerts as consumer. The second rule
-           * is has different rule type ID but with the same consumer as the first rule (stackAlerts).
-           * This way we can verify that the find API call returns only the rules the user is authorized to.
-           * Specifically only the second rule because the StackAlertsOnly user does not have
-           * access to the test.noop rule type.
-           */
-          await createRule({ consumer: 'stackAlerts' });
-          await createRule({ rule_type_id: ruleTypeId, params, consumer: 'stackAlerts' });
-
-          const response = await supertestWithoutAuth
-            .get(`${getUrlPrefix('space1')}/api/alerting/rules/_find`)
-            .auth(StackAlertsOnly.username, StackAlertsOnly.password);
-
-          expect(response.statusCode).to.eql(200);
-          expect(response.body.total).to.equal(1);
-          expect(response.body.data[0].rule_type_id).to.equal(ruleTypeId);
-          expect(response.body.data[0].consumer).to.equal('stackAlerts');
-        });
-      }
-
-      for (const [ruleTypeId, params] of ruleTypes) {
-        it(`should NOT get rules of ${ruleTypeId} rule type ID and NOT stackAlerts consumer`, async () => {
-          /**
-           * We create two rules with logs as consumer. The user is authorized to
-           * access rules only with the stackAlerts consumers.
-           */
-          await createRule({ consumer: 'logs' });
-          await createRule({ rule_type_id: ruleTypeId, params, consumer: 'logs' });
-
-          const response = await supertestWithoutAuth
-            .get(`${getUrlPrefix('space1')}/api/alerting/rules/_find`)
-            .auth(StackAlertsOnly.username, StackAlertsOnly.password);
-
-          expect(response.statusCode).to.eql(200);
-          expect(response.body.total).to.equal(0);
-        });
-      }
-    });
   });
 }
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/find_internal.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/find_internal.ts
index ee8d49c662ada..751d5cf169836 100644
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/find_internal.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/find_internal.ts
@@ -13,7 +13,13 @@ import {
   ML_ANOMALY_DETECTION_RULE_TYPE_ID,
   OBSERVABILITY_THRESHOLD_RULE_TYPE_ID,
 } from '@kbn/rule-data-utils';
-import { SuperuserAtSpace1, UserAtSpaceScenarios, StackAlertsOnly } from '../../../scenarios';
+import { Space } from '../../../../common/types';
+import {
+  Space1AllAtSpace1,
+  StackAlertsOnly,
+  SuperuserAtSpace1,
+  UserAtSpaceScenarios,
+} from '../../../scenarios';
 import { getUrlPrefix, getTestRuleData, ObjectRemover } from '../../../../common/lib';
 import { FtrProviderContext } from '../../../../common/ftr_provider_context';
 
@@ -31,40 +37,13 @@ export default function createFindTests({ getService }: FtrProviderContext) {
 
     for (const scenario of UserAtSpaceScenarios) {
       const { user, space } = scenario;
+
       describe(scenario.id, () => {
         it('should handle find alert request appropriately', async () => {
-          const { body: createdAction } = await supertest
-            .post(`${getUrlPrefix(space.id)}/api/actions/connector`)
-            .set('kbn-xsrf', 'foo')
-            .send({
-              name: 'MY action',
-              connector_type_id: 'test.noop',
-              config: {},
-              secrets: {},
-            })
-            .expect(200);
-
           const { body: createdAlert } = await supertest
             .post(`${getUrlPrefix(space.id)}/api/alerting/rule`)
             .set('kbn-xsrf', 'foo')
-            .send(
-              getTestRuleData({
-                actions: [
-                  {
-                    group: 'default',
-                    id: createdAction.id,
-                    params: {},
-                    frequency: {
-                      summary: false,
-                      notify_when: 'onThrottleInterval',
-                      throttle: '1m',
-                    },
-                  },
-                ],
-                notify_when: undefined,
-                throttle: undefined,
-              })
-            )
+            .send(getTestRuleData())
             .expect(200);
           objectRemover.add(space.id, createdAlert.id, 'rule', 'alerting');
 
@@ -108,37 +87,23 @@ export default function createFindTests({ getService }: FtrProviderContext) {
                 consumer: 'alertsFixture',
                 schedule: { interval: '1m' },
                 enabled: true,
-                actions: [
-                  {
-                    group: 'default',
-                    id: createdAction.id,
-                    connector_type_id: 'test.noop',
-                    params: {},
-                    uuid: match.actions[0].uuid,
-                    frequency: {
-                      summary: false,
-                      notify_when: 'onThrottleInterval',
-                      throttle: '1m',
-                    },
-                  },
-                ],
+                actions: [],
                 params: {},
                 created_by: 'elastic',
+                api_key_created_by_user: false,
+                revision: 0,
                 scheduled_task_id: match.scheduled_task_id,
                 created_at: match.created_at,
                 updated_at: match.updated_at,
-                throttle: null,
-                notify_when: null,
+                throttle: '1m',
+                notify_when: 'onThrottleInterval',
                 updated_by: 'elastic',
                 api_key_owner: 'elastic',
-                api_key_created_by_user: false,
                 mute_all: false,
                 muted_alert_ids: [],
-                revision: 0,
                 execution_status: match.execution_status,
                 ...(match.next_run ? { next_run: match.next_run } : {}),
                 ...(match.last_run ? { last_run: match.last_run } : {}),
-
                 monitoring: match.monitoring,
                 snooze_schedule: match.snooze_schedule,
                 ...(hasActiveSnoozes && { active_snoozes: activeSnoozes }),
@@ -153,40 +118,15 @@ export default function createFindTests({ getService }: FtrProviderContext) {
         });
 
         it('should filter out types that the user is not authorized to `get` retaining pagination', async () => {
-          async function createNoOpAlert(overrides = {}) {
-            const alert = getTestRuleData(overrides);
-            const { body: createdAlert } = await supertest
-              .post(`${getUrlPrefix(space.id)}/api/alerting/rule`)
-              .set('kbn-xsrf', 'foo')
-              .send(alert)
-              .expect(200);
-            objectRemover.add(space.id, createdAlert.id, 'rule', 'alerting');
-            return {
-              id: createdAlert.id,
-              rule_type_id: alert.rule_type_id,
-            };
-          }
-          function createRestrictedNoOpAlert() {
-            return createNoOpAlert({
-              rule_type_id: 'test.restricted-noop',
-              consumer: 'alertsRestrictedFixture',
-            });
-          }
-          function createUnrestrictedNoOpAlert() {
-            return createNoOpAlert({
-              rule_type_id: 'test.unrestricted-noop',
-              consumer: 'alertsFixture',
-            });
-          }
           const allAlerts = [];
-          allAlerts.push(await createNoOpAlert());
-          allAlerts.push(await createNoOpAlert());
-          allAlerts.push(await createRestrictedNoOpAlert());
-          allAlerts.push(await createUnrestrictedNoOpAlert());
-          allAlerts.push(await createUnrestrictedNoOpAlert());
-          allAlerts.push(await createRestrictedNoOpAlert());
-          allAlerts.push(await createNoOpAlert());
-          allAlerts.push(await createNoOpAlert());
+          allAlerts.push(await createNoOpAlert(space));
+          allAlerts.push(await createNoOpAlert(space));
+          allAlerts.push(await createRestrictedNoOpAlert(space));
+          allAlerts.push(await createUnrestrictedNoOpAlert(space));
+          allAlerts.push(await createUnrestrictedNoOpAlert(space));
+          allAlerts.push(await createRestrictedNoOpAlert(space));
+          allAlerts.push(await createNoOpAlert(space));
+          allAlerts.push(await createNoOpAlert(space));
 
           const perPage = 4;
 
@@ -233,25 +173,24 @@ export default function createFindTests({ getService }: FtrProviderContext) {
               expect(response.body.per_page).to.be.equal(perPage);
               expect(response.body.total).to.be.equal(8);
 
-              {
-                const [firstPage, secondPage] = chunk(
-                  allAlerts.map((alert) => alert.id),
-                  perPage
-                );
-                expect(response.body.data.map((alert: any) => alert.id)).to.eql(firstPage);
-
-                const secondResponse = await supertestWithoutAuth
-                  .post(`${getUrlPrefix(space.id)}/internal/alerting/rules/_find`)
-                  .set('kbn-xsrf', 'foo')
-                  .auth(user.username, user.password)
-                  .send({
-                    per_page: perPage,
-                    sort_field: 'createdAt',
-                    page: 2,
-                  });
-
-                expect(secondResponse.body.data.map((alert: any) => alert.id)).to.eql(secondPage);
-              }
+              const [firstPage, secondPage] = chunk(
+                allAlerts.map((alert) => alert.id),
+                perPage
+              );
+              expect(response.body.data.map((alert: any) => alert.id)).to.eql(firstPage);
+
+              const secondResponse = await supertestWithoutAuth
+                .post(`${getUrlPrefix(space.id)}/internal/alerting/rules/_find`)
+                .set('kbn-xsrf', 'foo')
+                .auth(user.username, user.password)
+                .send({
+                  per_page: perPage,
+                  sort_field: 'createdAt',
+                  page: '2',
+                });
+
+              expect(secondResponse.statusCode).to.eql(200);
+              expect(secondResponse.body.data.map((alert: any) => alert.id)).to.eql(secondPage);
 
               break;
             default:
@@ -294,7 +233,7 @@ export default function createFindTests({ getService }: FtrProviderContext) {
             .set('kbn-xsrf', 'foo')
             .auth(user.username, user.password)
             .send({
-              filter: 'alert.attributes.actions:{ actionTypeId: test.noop }',
+              filter: 'alert.attributes.actions:{ actionTypeId: "test.noop" }',
             });
 
           switch (scenario.id) {
@@ -334,13 +273,14 @@ export default function createFindTests({ getService }: FtrProviderContext) {
                     group: 'default',
                     connector_type_id: 'test.noop',
                     params: {},
-                    uuid: createdAlert.actions[0].uuid,
+                    uuid: match.actions[0].uuid,
                   },
                 ],
                 params: {},
                 created_by: 'elastic',
-                throttle: '1m',
                 api_key_created_by_user: null,
+                revision: 0,
+                throttle: '1m',
                 updated_by: 'elastic',
                 api_key_owner: null,
                 mute_all: false,
@@ -349,7 +289,6 @@ export default function createFindTests({ getService }: FtrProviderContext) {
                 created_at: match.created_at,
                 updated_at: match.updated_at,
                 execution_status: match.execution_status,
-                revision: 0,
                 ...(match.next_run ? { next_run: match.next_run } : {}),
                 ...(match.last_run ? { last_run: match.last_run } : {}),
                 monitoring: match.monitoring,
@@ -577,73 +516,153 @@ export default function createFindTests({ getService }: FtrProviderContext) {
               throw new Error(`Scenario untested: ${JSON.stringify(scenario)}`);
           }
         });
+
+        it('should filter by rule type IDs correctly', async () => {
+          await createNoOpAlert(space);
+          await createRestrictedNoOpAlert(space);
+          await createUnrestrictedNoOpAlert(space);
+
+          const perPage = 10;
+          const ruleTypeIds = ['test.restricted-noop', 'test.noop'];
+
+          const response = await supertestWithoutAuth
+            .post(`${getUrlPrefix(space.id)}/internal/alerting/rules/_find`)
+            .set('kbn-xsrf', 'foo')
+            .auth(user.username, user.password)
+            .send({
+              per_page: perPage,
+              sort_field: 'createdAt',
+              rule_type_ids: ruleTypeIds,
+            });
+
+          switch (scenario.id) {
+            case 'no_kibana_privileges at space1':
+            case 'space_1_all at space2':
+              expect(response.statusCode).to.eql(403);
+              expect(response.body).to.eql({
+                error: 'Forbidden',
+                message: `Unauthorized to find rules for any rule types`,
+                statusCode: 403,
+              });
+              break;
+            case 'space_1_all at space1':
+            case 'space_1_all_alerts_none_actions at space1':
+              expect(response.statusCode).to.eql(200);
+              expect(response.body.total).to.be.equal(1);
+
+              expect(
+                response.body.data.every(
+                  (rule: { rule_type_id: string }) => rule.rule_type_id === 'test.noop'
+                )
+              ).to.be.eql(true);
+              break;
+            case 'global_read at space1':
+            case 'superuser at space1':
+            case 'space_1_all_with_restricted_fixture at space1':
+              expect(response.statusCode).to.eql(200);
+              expect(response.body.total).to.be.equal(2);
+
+              expect(
+                response.body.data.every((rule: { rule_type_id: string }) =>
+                  ruleTypeIds.includes(rule.rule_type_id)
+                )
+              ).to.be.eql(true);
+              break;
+            default:
+              throw new Error(`Scenario untested: ${JSON.stringify(scenario)}`);
+          }
+        });
       });
     }
 
-    describe('Actions', () => {
-      const { user, space } = SuperuserAtSpace1;
+    describe('filtering', () => {
+      it('should return the correct rules when trying to exploit RBAC through the ruleTypeIds parameter', async () => {
+        const { user, space } = Space1AllAtSpace1;
 
-      it('should return the actions correctly', async () => {
-        const { body: createdAction } = await supertest
-          .post(`${getUrlPrefix(space.id)}/api/actions/connector`)
+        const { body: createdAlert1 } = await supertest
+          .post(`${getUrlPrefix(SuperuserAtSpace1.space.id)}/api/alerting/rule`)
           .set('kbn-xsrf', 'foo')
-          .send({
-            name: 'MY action',
-            connector_type_id: 'test.noop',
-            config: {},
-            secrets: {},
-          })
+          .send(
+            getTestRuleData({
+              rule_type_id: 'test.restricted-noop',
+              consumer: 'alertsRestrictedFixture',
+            })
+          )
+          .auth(SuperuserAtSpace1.user.username, SuperuserAtSpace1.user.password)
           .expect(200);
 
-        const { body: createdRule1 } = await supertest
-          .post(`${getUrlPrefix(space.id)}/api/alerting/rule`)
+        const { body: createdAlert2 } = await supertest
+          .post(`${getUrlPrefix(SuperuserAtSpace1.space.id)}/api/alerting/rule`)
           .set('kbn-xsrf', 'foo')
           .send(
             getTestRuleData({
-              enabled: true,
-              actions: [
-                {
-                  id: createdAction.id,
-                  group: 'default',
-                  params: {},
-                },
-                {
-                  id: 'system-connector-test.system-action',
-                  params: {},
-                },
-              ],
+              rule_type_id: 'test.noop',
+              consumer: 'alertsFixture',
             })
           )
+          .auth(SuperuserAtSpace1.user.username, SuperuserAtSpace1.user.password)
           .expect(200);
 
-        objectRemover.add(space.id, createdRule1.id, 'rule', 'alerting');
+        objectRemover.add(SuperuserAtSpace1.space.id, createdAlert1.id, 'rule', 'alerting');
+        objectRemover.add(SuperuserAtSpace1.space.id, createdAlert2.id, 'rule', 'alerting');
 
         const response = await supertestWithoutAuth
-          .get(`${getUrlPrefix(space.id)}/api/alerting/rules/_find`)
+          .post(`${getUrlPrefix(space.id)}/internal/alerting/rules/_find`)
           .set('kbn-xsrf', 'foo')
-          .auth(user.username, user.password);
+          .auth(user.username, user.password)
+          .send({
+            rule_type_ids: ['test.noop', 'test.restricted-noop'],
+          });
 
-        const action = response.body.data[0].actions[0];
-        const systemAction = response.body.data[0].actions[1];
-        const { uuid, ...restAction } = action;
-        const { uuid: systemActionUuid, ...restSystemAction } = systemAction;
+        expect(response.status).to.eql(200);
+        expect(response.body.total).to.equal(1);
+        expect(response.body.data[0].rule_type_id).to.eql('test.noop');
+      });
 
-        expect([restAction, restSystemAction]).to.eql([
-          {
-            id: createdAction.id,
-            connector_type_id: 'test.noop',
-            group: 'default',
-            params: {},
-          },
-          {
-            id: 'system-connector-test.system-action',
-            connector_type_id: 'test.system-action',
-            params: {},
-          },
-          ,
-        ]);
+      it('should return the correct rules when trying to exploit RBAC through the consumers parameter', async () => {
+        const { user, space } = Space1AllAtSpace1;
+
+        const { body: createdAlert1 } = await supertest
+          .post(`${getUrlPrefix(SuperuserAtSpace1.space.id)}/api/alerting/rule`)
+          .set('kbn-xsrf', 'foo')
+          .send(
+            getTestRuleData({
+              rule_type_id: 'test.restricted-noop',
+              consumer: 'alertsRestrictedFixture',
+            })
+          )
+          .auth(SuperuserAtSpace1.user.username, SuperuserAtSpace1.user.password)
+          .expect(200);
+
+        const { body: createdAlert2 } = await supertest
+          .post(`${getUrlPrefix(SuperuserAtSpace1.space.id)}/api/alerting/rule`)
+          .set('kbn-xsrf', 'foo')
+          .send(
+            getTestRuleData({
+              rule_type_id: 'test.noop',
+              consumer: 'alertsFixture',
+            })
+          )
+          .auth(SuperuserAtSpace1.user.username, SuperuserAtSpace1.user.password)
+          .expect(200);
+
+        objectRemover.add(SuperuserAtSpace1.space.id, createdAlert1.id, 'rule', 'alerting');
+        objectRemover.add(SuperuserAtSpace1.space.id, createdAlert2.id, 'rule', 'alerting');
+
+        const response = await supertestWithoutAuth
+          .post(`${getUrlPrefix(space.id)}/internal/alerting/rules/_find`)
+          .set('kbn-xsrf', 'foo')
+          .auth(user.username, user.password)
+          .send({
+            consumers: ['alertsFixture', 'alertsRestrictedFixture'],
+          });
+
+        expect(response.status).to.eql(200);
+        expect(response.body.total).to.equal(1);
+        expect(response.body.data[0].consumer).to.eql('alertsFixture');
       });
     });
+
     describe('stack alerts', () => {
       const ruleTypes = [
         [
@@ -758,5 +777,35 @@ export default function createFindTests({ getService }: FtrProviderContext) {
         });
       }
     });
+
+    async function createNoOpAlert(space: Space, overrides = {}) {
+      const alert = getTestRuleData(overrides);
+      const { body: createdAlert } = await supertest
+        .post(`${getUrlPrefix(space.id)}/api/alerting/rule`)
+        .set('kbn-xsrf', 'foo')
+        .send(alert)
+        .expect(200);
+
+      objectRemover.add(space.id, createdAlert.id, 'rule', 'alerting');
+
+      return {
+        id: createdAlert.id,
+        rule_type_id: alert.rule_type_id,
+      };
+    }
+
+    function createRestrictedNoOpAlert(space: Space) {
+      return createNoOpAlert(space, {
+        rule_type_id: 'test.restricted-noop',
+        consumer: 'alertsRestrictedFixture',
+      });
+    }
+
+    function createUnrestrictedNoOpAlert(space: Space) {
+      return createNoOpAlert(space, {
+        rule_type_id: 'test.unrestricted-noop',
+        consumer: 'alertsFixture',
+      });
+    }
   });
 }
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/find_with_post.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/find_with_post.ts
deleted file mode 100644
index c8afff8fcc476..0000000000000
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/find_with_post.ts
+++ /dev/null
@@ -1,593 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import expect from '@kbn/expect';
-import { Agent as SuperTestAgent } from 'supertest';
-import { chunk, omit } from 'lodash';
-import { v4 as uuidv4 } from 'uuid';
-import { SupertestWithoutAuthProviderType } from '@kbn/ftr-common-functional-services';
-import { UserAtSpaceScenarios } from '../../../scenarios';
-import { getUrlPrefix, getTestRuleData, ObjectRemover } from '../../../../common/lib';
-import { FtrProviderContext } from '../../../../common/ftr_provider_context';
-
-const findTestUtils = (
-  describeType: 'internal' | 'public',
-  objectRemover: ObjectRemover,
-  supertest: SuperTestAgent,
-  supertestWithoutAuth: SupertestWithoutAuthProviderType
-) => {
-  describe(describeType, () => {
-    afterEach(async () => {
-      await objectRemover.removeAll();
-    });
-
-    for (const scenario of UserAtSpaceScenarios) {
-      const { user, space } = scenario;
-      describe(scenario.id, () => {
-        it('should handle find alert request appropriately', async () => {
-          const { body: createdAlert } = await supertest
-            .post(`${getUrlPrefix(space.id)}/api/alerting/rule`)
-            .set('kbn-xsrf', 'foo')
-            .send(getTestRuleData())
-            .expect(200);
-          objectRemover.add(space.id, createdAlert.id, 'rule', 'alerting');
-
-          const response = await supertestWithoutAuth
-            .post(
-              `${getUrlPrefix(space.id)}/${
-                describeType === 'public' ? 'api' : 'internal'
-              }/alerting/rules/_find`
-            )
-            .set('kbn-xsrf', 'foo')
-            .auth(user.username, user.password)
-            .send({
-              search: 'test.noop',
-              search_fields: 'alertTypeId',
-            });
-
-          switch (scenario.id) {
-            case 'no_kibana_privileges at space1':
-            case 'space_1_all at space2':
-              expect(response.statusCode).to.eql(403);
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: `Unauthorized to find rules for any rule types`,
-                statusCode: 403,
-              });
-              break;
-            case 'global_read at space1':
-            case 'superuser at space1':
-            case 'space_1_all at space1':
-            case 'space_1_all_alerts_none_actions at space1':
-            case 'space_1_all_with_restricted_fixture at space1':
-              expect(response.statusCode).to.eql(200);
-              expect(response.body.page).to.equal(1);
-              expect(response.body.per_page).to.be.greaterThan(0);
-              expect(response.body.total).to.be.greaterThan(0);
-              const match = response.body.data.find((obj: any) => obj.id === createdAlert.id);
-              const activeSnoozes = match.active_snoozes;
-              const hasActiveSnoozes = !!(activeSnoozes || []).filter((obj: any) => obj).length;
-              expect(match).to.eql({
-                id: createdAlert.id,
-                name: 'abc',
-                tags: ['foo'],
-                rule_type_id: 'test.noop',
-                running: match.running ?? false,
-                consumer: 'alertsFixture',
-                schedule: { interval: '1m' },
-                enabled: true,
-                actions: [],
-                params: {},
-                created_by: 'elastic',
-                api_key_created_by_user: false,
-                revision: 0,
-                scheduled_task_id: match.scheduled_task_id,
-                created_at: match.created_at,
-                updated_at: match.updated_at,
-                throttle: '1m',
-                notify_when: 'onThrottleInterval',
-                updated_by: 'elastic',
-                api_key_owner: 'elastic',
-                mute_all: false,
-                muted_alert_ids: [],
-                execution_status: match.execution_status,
-                ...(match.next_run ? { next_run: match.next_run } : {}),
-                ...(match.last_run ? { last_run: match.last_run } : {}),
-                ...(describeType === 'internal'
-                  ? {
-                      monitoring: match.monitoring,
-                      snooze_schedule: match.snooze_schedule,
-                      ...(hasActiveSnoozes && { active_snoozes: activeSnoozes }),
-                      is_snoozed_until: null,
-                    }
-                  : {}),
-              });
-              expect(Date.parse(match.created_at)).to.be.greaterThan(0);
-              expect(Date.parse(match.updated_at)).to.be.greaterThan(0);
-              break;
-            default:
-              throw new Error(`Scenario untested: ${JSON.stringify(scenario)}`);
-          }
-        });
-
-        it('should filter out types that the user is not authorized to `get` retaining pagination', async () => {
-          async function createNoOpAlert(overrides = {}) {
-            const alert = getTestRuleData(overrides);
-            const { body: createdAlert } = await supertest
-              .post(`${getUrlPrefix(space.id)}/api/alerting/rule`)
-              .set('kbn-xsrf', 'foo')
-              .send(alert)
-              .expect(200);
-            objectRemover.add(space.id, createdAlert.id, 'rule', 'alerting');
-            return {
-              id: createdAlert.id,
-              rule_type_id: alert.rule_type_id,
-            };
-          }
-          function createRestrictedNoOpAlert() {
-            return createNoOpAlert({
-              rule_type_id: 'test.restricted-noop',
-              consumer: 'alertsRestrictedFixture',
-            });
-          }
-          function createUnrestrictedNoOpAlert() {
-            return createNoOpAlert({
-              rule_type_id: 'test.unrestricted-noop',
-              consumer: 'alertsFixture',
-            });
-          }
-          const allAlerts = [];
-          allAlerts.push(await createNoOpAlert());
-          allAlerts.push(await createNoOpAlert());
-          allAlerts.push(await createRestrictedNoOpAlert());
-          allAlerts.push(await createUnrestrictedNoOpAlert());
-          allAlerts.push(await createUnrestrictedNoOpAlert());
-          allAlerts.push(await createRestrictedNoOpAlert());
-          allAlerts.push(await createNoOpAlert());
-          allAlerts.push(await createNoOpAlert());
-
-          const perPage = 4;
-
-          const response = await supertestWithoutAuth
-            .post(
-              `${getUrlPrefix(space.id)}/${
-                describeType === 'public' ? 'api' : 'internal'
-              }/alerting/rules/_find`
-            )
-            .set('kbn-xsrf', 'foo')
-            .auth(user.username, user.password)
-            .send({
-              per_page: perPage,
-              sort_field: 'createdAt',
-            });
-
-          switch (scenario.id) {
-            case 'no_kibana_privileges at space1':
-            case 'space_1_all at space2':
-              expect(response.statusCode).to.eql(403);
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: `Unauthorized to find rules for any rule types`,
-                statusCode: 403,
-              });
-              break;
-            case 'space_1_all at space1':
-            case 'space_1_all_alerts_none_actions at space1':
-              expect(response.statusCode).to.eql(200);
-              expect(response.body.page).to.equal(1);
-              expect(response.body.per_page).to.be.equal(perPage);
-              expect(response.body.total).to.be.equal(6);
-              {
-                const [firstPage] = chunk(
-                  allAlerts
-                    .filter((alert) => alert.rule_type_id !== 'test.restricted-noop')
-                    .map((alert) => alert.id),
-                  perPage
-                );
-                expect(response.body.data.map((alert: any) => alert.id)).to.eql(firstPage);
-              }
-              break;
-            case 'global_read at space1':
-            case 'superuser at space1':
-            case 'space_1_all_with_restricted_fixture at space1':
-              expect(response.statusCode).to.eql(200);
-              expect(response.body.page).to.equal(1);
-              expect(response.body.per_page).to.be.equal(perPage);
-              expect(response.body.total).to.be.equal(8);
-
-              {
-                const [firstPage, secondPage] = chunk(
-                  allAlerts.map((alert) => alert.id),
-                  perPage
-                );
-                expect(response.body.data.map((alert: any) => alert.id)).to.eql(firstPage);
-
-                const secondResponse = await supertestWithoutAuth
-                  .post(`${getUrlPrefix(space.id)}/internal/alerting/rules/_find`)
-                  .set('kbn-xsrf', 'kibana')
-                  .auth(user.username, user.password)
-                  .send({
-                    per_page: perPage,
-                    sort_field: 'createdAt',
-                    page: 2,
-                  });
-
-                expect(secondResponse.body.data.map((alert: any) => alert.id)).to.eql(secondPage);
-              }
-
-              break;
-            default:
-              throw new Error(`Scenario untested: ${JSON.stringify(scenario)}`);
-          }
-        });
-
-        it('should handle find alert request with filter appropriately', async () => {
-          const { body: createdAction } = await supertest
-            .post(`${getUrlPrefix(space.id)}/api/actions/connector`)
-            .set('kbn-xsrf', 'foo')
-            .send({
-              name: 'My action',
-              connector_type_id: 'test.noop',
-              config: {},
-              secrets: {},
-            })
-            .expect(200);
-
-          const { body: createdAlert } = await supertest
-            .post(`${getUrlPrefix(space.id)}/api/alerting/rule`)
-            .set('kbn-xsrf', 'foo')
-            .send(
-              getTestRuleData({
-                enabled: false,
-                actions: [
-                  {
-                    id: createdAction.id,
-                    group: 'default',
-                    params: {},
-                  },
-                ],
-              })
-            )
-            .expect(200);
-          objectRemover.add(space.id, createdAlert.id, 'rule', 'alerting');
-
-          const response = await supertestWithoutAuth
-            .post(
-              `${getUrlPrefix(space.id)}/${
-                describeType === 'public' ? 'api' : 'internal'
-              }/alerting/rules/_find`
-            )
-            .set('kbn-xsrf', 'foo')
-            .auth(user.username, user.password)
-            .send({
-              filter: 'alert.attributes.actions:{ actionTypeId: "test.noop" }',
-            });
-
-          switch (scenario.id) {
-            case 'no_kibana_privileges at space1':
-            case 'space_1_all at space2':
-              expect(response.statusCode).to.eql(403);
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: `Unauthorized to find rules for any rule types`,
-                statusCode: 403,
-              });
-              break;
-            case 'global_read at space1':
-            case 'superuser at space1':
-            case 'space_1_all at space1':
-            case 'space_1_all_alerts_none_actions at space1':
-            case 'space_1_all_with_restricted_fixture at space1':
-              expect(response.statusCode).to.eql(200);
-              expect(response.body.page).to.equal(1);
-              expect(response.body.per_page).to.be.greaterThan(0);
-              expect(response.body.total).to.be.greaterThan(0);
-              const match = response.body.data.find((obj: any) => obj.id === createdAlert.id);
-              const activeSnoozes = match.active_snoozes;
-              const hasActiveSnoozes = !!(activeSnoozes || []).filter((obj: any) => obj).length;
-              expect(match).to.eql({
-                id: createdAlert.id,
-                name: 'abc',
-                tags: ['foo'],
-                rule_type_id: 'test.noop',
-                running: match.running ?? false,
-                consumer: 'alertsFixture',
-                schedule: { interval: '1m' },
-                enabled: false,
-                actions: [
-                  {
-                    id: createdAction.id,
-                    group: 'default',
-                    connector_type_id: 'test.noop',
-                    params: {},
-                    uuid: match.actions[0].uuid,
-                  },
-                ],
-                params: {},
-                created_by: 'elastic',
-                api_key_created_by_user: null,
-                revision: 0,
-                throttle: '1m',
-                updated_by: 'elastic',
-                api_key_owner: null,
-                mute_all: false,
-                muted_alert_ids: [],
-                notify_when: 'onThrottleInterval',
-                created_at: match.created_at,
-                updated_at: match.updated_at,
-                execution_status: match.execution_status,
-                ...(match.next_run ? { next_run: match.next_run } : {}),
-                ...(match.last_run ? { last_run: match.last_run } : {}),
-                ...(describeType === 'internal'
-                  ? {
-                      monitoring: match.monitoring,
-                      snooze_schedule: match.snooze_schedule,
-                      ...(hasActiveSnoozes && { active_snoozes: activeSnoozes }),
-                      is_snoozed_until: null,
-                    }
-                  : {}),
-              });
-              expect(Date.parse(match.created_at)).to.be.greaterThan(0);
-              expect(Date.parse(match.updated_at)).to.be.greaterThan(0);
-              break;
-            default:
-              throw new Error(`Scenario untested: ${JSON.stringify(scenario)}`);
-          }
-        });
-
-        it('should handle find alert request with fields appropriately', async () => {
-          const myTag = uuidv4();
-          const { body: createdAlert } = await supertest
-            .post(`${getUrlPrefix(space.id)}/api/alerting/rule`)
-            .set('kbn-xsrf', 'foo')
-            .send(
-              getTestRuleData({
-                enabled: false,
-                tags: [myTag],
-                rule_type_id: 'test.restricted-noop',
-                consumer: 'alertsRestrictedFixture',
-              })
-            )
-            .expect(200);
-          objectRemover.add(space.id, createdAlert.id, 'rule', 'alerting');
-
-          // create another type with same tag
-          const { body: createdSecondAlert } = await supertest
-            .post(`${getUrlPrefix(space.id)}/api/alerting/rule`)
-            .set('kbn-xsrf', 'foo')
-            .send(
-              getTestRuleData({
-                tags: [myTag],
-                rule_type_id: 'test.restricted-noop',
-                consumer: 'alertsRestrictedFixture',
-              })
-            )
-            .expect(200);
-          objectRemover.add(space.id, createdSecondAlert.id, 'rule', 'alerting');
-
-          const response = await supertestWithoutAuth
-            .post(
-              `${getUrlPrefix(space.id)}/${
-                describeType === 'public' ? 'api' : 'internal'
-              }/alerting/rules/_find`
-            )
-            .set('kbn-xsrf', 'foo')
-            .auth(user.username, user.password)
-            .send({
-              filter: 'alert.attributes.alertTypeId:test.restricted-noop',
-              fields: ['tags'],
-              sort_field: 'createdAt',
-            });
-
-          switch (scenario.id) {
-            case 'no_kibana_privileges at space1':
-            case 'space_1_all at space2':
-              expect(response.statusCode).to.eql(403);
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: `Unauthorized to find rules for any rule types`,
-                statusCode: 403,
-              });
-              break;
-            case 'space_1_all at space1':
-            case 'space_1_all_alerts_none_actions at space1':
-              expect(response.statusCode).to.eql(200);
-              expect(response.body.data).to.eql([]);
-              break;
-            case 'global_read at space1':
-            case 'superuser at space1':
-            case 'space_1_all_with_restricted_fixture at space1':
-              expect(response.statusCode).to.eql(200);
-              expect(response.body.page).to.equal(1);
-              expect(response.body.per_page).to.be.greaterThan(0);
-              expect(response.body.total).to.be.greaterThan(0);
-              const [matchFirst, matchSecond] = response.body.data;
-              expect(omit(matchFirst, 'updatedAt')).to.eql({
-                id: createdAlert.id,
-                actions: [],
-                tags: [myTag],
-                ...(describeType === 'internal' && {
-                  snooze_schedule: [],
-                  is_snoozed_until: null,
-                }),
-              });
-              expect(omit(matchSecond, 'updatedAt')).to.eql({
-                id: createdSecondAlert.id,
-                actions: [],
-                tags: [myTag],
-                ...(describeType === 'internal' && {
-                  snooze_schedule: [],
-                  is_snoozed_until: null,
-                }),
-              });
-              break;
-            default:
-              throw new Error(`Scenario untested: ${JSON.stringify(scenario)}`);
-          }
-        });
-
-        it('should handle find alert request with executionStatus field appropriately', async () => {
-          const myTag = uuidv4();
-          const { body: createdAlert } = await supertest
-            .post(`${getUrlPrefix(space.id)}/api/alerting/rule`)
-            .set('kbn-xsrf', 'foo')
-            .send(
-              getTestRuleData({
-                enabled: false,
-                tags: [myTag],
-                rule_type_id: 'test.restricted-noop',
-                consumer: 'alertsRestrictedFixture',
-              })
-            )
-            .expect(200);
-          objectRemover.add(space.id, createdAlert.id, 'rule', 'alerting');
-
-          // create another type with same tag
-          const { body: createdSecondAlert } = await supertest
-            .post(`${getUrlPrefix(space.id)}/api/alerting/rule`)
-            .set('kbn-xsrf', 'foo')
-            .send(
-              getTestRuleData({
-                tags: [myTag],
-                rule_type_id: 'test.restricted-noop',
-                consumer: 'alertsRestrictedFixture',
-              })
-            )
-            .expect(200);
-          objectRemover.add(space.id, createdSecondAlert.id, 'rule', 'alerting');
-
-          const response = await supertestWithoutAuth
-            .post(
-              `${getUrlPrefix(space.id)}/${
-                describeType === 'public' ? 'api' : 'internal'
-              }/alerting/rules/_find`
-            )
-            .set('kbn-xsrf', 'foo')
-            .auth(user.username, user.password)
-            .send({
-              filter: 'alert.attributes.alertTypeId:test.restricted-noop',
-              fields: ['tags', 'executionStatus'],
-              sort_field: 'createdAt',
-            });
-
-          switch (scenario.id) {
-            case 'no_kibana_privileges at space1':
-            case 'space_1_all at space2':
-              expect(response.statusCode).to.eql(403);
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: `Unauthorized to find rules for any rule types`,
-                statusCode: 403,
-              });
-              break;
-            case 'space_1_all at space1':
-            case 'space_1_all_alerts_none_actions at space1':
-              expect(response.statusCode).to.eql(200);
-              expect(response.body.data).to.eql([]);
-              break;
-            case 'global_read at space1':
-            case 'superuser at space1':
-            case 'space_1_all_with_restricted_fixture at space1':
-              expect(response.statusCode).to.eql(200);
-              expect(response.body.page).to.equal(1);
-              expect(response.body.per_page).to.be.greaterThan(0);
-              expect(response.body.total).to.be.greaterThan(0);
-              const [matchFirst, matchSecond] = response.body.data;
-              expect(omit(matchFirst, 'updatedAt')).to.eql({
-                id: createdAlert.id,
-                actions: [],
-                tags: [myTag],
-                execution_status: matchFirst.execution_status,
-                ...(describeType === 'internal' && {
-                  snooze_schedule: [],
-                  is_snoozed_until: null,
-                }),
-              });
-              expect(omit(matchSecond, 'updatedAt')).to.eql({
-                id: createdSecondAlert.id,
-                actions: [],
-                tags: [myTag],
-                execution_status: matchSecond.execution_status,
-                ...(describeType === 'internal' && {
-                  snooze_schedule: [],
-                  is_snoozed_until: null,
-                }),
-              });
-              break;
-            default:
-              throw new Error(`Scenario untested: ${JSON.stringify(scenario)}`);
-          }
-        });
-
-        it(`shouldn't find alert from another space`, async () => {
-          const { body: createdAlert } = await supertest
-            .post(`${getUrlPrefix(space.id)}/api/alerting/rule`)
-            .set('kbn-xsrf', 'foo')
-            .send(getTestRuleData())
-            .expect(200);
-          objectRemover.add(space.id, createdAlert.id, 'rule', 'alerting');
-
-          const response = await supertestWithoutAuth
-            .post(
-              `${getUrlPrefix('other')}/${
-                describeType === 'public' ? 'api' : 'internal'
-              }/alerting/rules/_find`
-            )
-            .set('kbn-xsrf', 'foo')
-            .auth(user.username, user.password)
-            .send({
-              search: 'test.noop',
-              search_fields: 'alertTypeId',
-            });
-
-          switch (scenario.id) {
-            case 'no_kibana_privileges at space1':
-            case 'space_1_all at space2':
-            case 'space_1_all at space1':
-            case 'space_1_all_alerts_none_actions at space1':
-            case 'space_1_all_with_restricted_fixture at space1':
-              expect(response.statusCode).to.eql(403);
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: `Unauthorized to find rules for any rule types`,
-                statusCode: 403,
-              });
-              break;
-            case 'global_read at space1':
-            case 'superuser at space1':
-              expect(response.statusCode).to.eql(200);
-              expect(response.body).to.eql({
-                page: 1,
-                per_page: 10,
-                total: 0,
-                data: [],
-              });
-              break;
-            default:
-              throw new Error(`Scenario untested: ${JSON.stringify(scenario)}`);
-          }
-        });
-      });
-    }
-  });
-};
-
-// eslint-disable-next-line import/no-default-export
-export default function createFindTests({ getService }: FtrProviderContext) {
-  const supertest = getService('supertest');
-  const supertestWithoutAuth = getService('supertestWithoutAuth');
-
-  describe('find with post', () => {
-    const objectRemover = new ObjectRemover(supertest);
-
-    afterEach(async () => {
-      await objectRemover.removeAll();
-    });
-
-    findTestUtils('internal', objectRemover, supertest, supertestWithoutAuth);
-  });
-}
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/get.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/get.ts
index 78c662d98a541..c1872d1e40213 100644
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/get.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/get.ts
@@ -223,23 +223,12 @@ const getTestUtils = (
           switch (scenario.id) {
             case 'no_kibana_privileges at space1':
             case 'space_1_all at space2':
-              expect(response.statusCode).to.eql(403);
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: getUnauthorizedErrorMessage('get', 'test.restricted-noop', 'alerts'),
-                statusCode: 403,
-              });
-              break;
             case 'space_1_all at space1':
             case 'space_1_all_alerts_none_actions at space1':
               expect(response.statusCode).to.eql(403);
               expect(response.body).to.eql({
                 error: 'Forbidden',
-                message: getUnauthorizedErrorMessage(
-                  'get',
-                  'test.restricted-noop',
-                  'alertsRestrictedFixture'
-                ),
+                message: getUnauthorizedErrorMessage('get', 'test.restricted-noop', 'alerts'),
                 statusCode: 403,
               });
               break;
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/index.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/index.ts
index 262fe8af301c8..dc85feb741eb8 100644
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/index.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/index.ts
@@ -23,7 +23,6 @@ export default function alertingTests({ loadTestFile, getService }: FtrProviderC
       loadTestFile(require.resolve('./backfill'));
       loadTestFile(require.resolve('./find'));
       loadTestFile(require.resolve('./find_internal'));
-      loadTestFile(require.resolve('./find_with_post'));
       loadTestFile(require.resolve('./create'));
       loadTestFile(require.resolve('./delete'));
       loadTestFile(require.resolve('./disable'));
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/aggregate.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/aggregate.ts
new file mode 100644
index 0000000000000..dde153aca402e
--- /dev/null
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/aggregate.ts
@@ -0,0 +1,377 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import { Space, User } from '../../../../common/types';
+import { Space1AllAtSpace1, SuperuserAtSpace1, UserAtSpaceScenarios } from '../../../scenarios';
+import { getUrlPrefix, getTestRuleData, ObjectRemover, getEventLog } from '../../../../common/lib';
+import { FtrProviderContext } from '../../../../common/ftr_provider_context';
+
+// eslint-disable-next-line import/no-default-export
+export default function createAggregateTests({ getService }: FtrProviderContext) {
+  const supertest = getService('supertest');
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const retry = getService('retry');
+
+  const getEventLogWithRetry = async (id: string, space: Space) => {
+    await retry.try(async () => {
+      return await getEventLog({
+        getService,
+        spaceId: space.id,
+        type: 'alert',
+        id,
+        provider: 'alerting',
+        actions: new Map([['execute', { equal: 1 }]]),
+      });
+    });
+  };
+
+  describe('aggregate', () => {
+    const objectRemover = new ObjectRemover(supertest);
+
+    afterEach(async () => {
+      await objectRemover.removeAll();
+    });
+
+    for (const scenario of UserAtSpaceScenarios) {
+      const { user, space } = scenario;
+
+      describe(scenario.id, () => {
+        it('should aggregate alert status totals', async () => {
+          const NumOkAlerts = 4;
+          const NumActiveAlerts = 1;
+          const NumErrorAlerts = 2;
+
+          const okAlertIds: string[] = [];
+          const activeAlertIds: string[] = [];
+          const errorAlertIds: string[] = [];
+
+          await Promise.all(
+            [...Array(NumOkAlerts)].map(async () => {
+              const okAlertId = await createTestAlert(
+                {
+                  /**
+                   * The _aggregate calls is made
+                   * to get all stats across all rule types
+                   * that the user has access to. Only a subset
+                   * of users have access to the test.restricted-noop/alertsRestrictedFixture
+                   * pair. The differences in the stats ensure that even though we request
+                   * the stats for all rule types only for the ones that the user has access to
+                   * are returned.
+                   *  */
+                  rule_type_id: 'test.restricted-noop',
+                  schedule: { interval: '24h' },
+                  consumer: 'alertsRestrictedFixture',
+                },
+                space,
+                user
+              );
+
+              okAlertIds.push(okAlertId);
+
+              objectRemover.add(space.id, okAlertId, 'rule', 'alerting');
+            })
+          );
+
+          await Promise.all(okAlertIds.map((id) => getEventLogWithRetry(id, space)));
+
+          await Promise.all(
+            [...Array(NumActiveAlerts)].map(async () => {
+              const activeAlertId = await createTestAlert(
+                {
+                  rule_type_id: 'test.patternFiring',
+                  schedule: { interval: '24h' },
+                  params: {
+                    pattern: { instance: new Array(100).fill(true) },
+                  },
+                },
+                space,
+                user
+              );
+
+              activeAlertIds.push(activeAlertId);
+              objectRemover.add(space.id, activeAlertId, 'rule', 'alerting');
+            })
+          );
+
+          await Promise.all(activeAlertIds.map((id) => getEventLogWithRetry(id, space)));
+
+          await Promise.all(
+            [...Array(NumErrorAlerts)].map(async () => {
+              const errorAlertId = await createTestAlert(
+                {
+                  rule_type_id: 'test.throw',
+                  schedule: { interval: '24h' },
+                },
+                space,
+                user
+              );
+
+              errorAlertIds.push(errorAlertId);
+              objectRemover.add(space.id, errorAlertId, 'rule', 'alerting');
+            })
+          );
+
+          await Promise.all(errorAlertIds.map((id) => getEventLogWithRetry(id, space)));
+
+          switch (scenario.id) {
+            case 'no_kibana_privileges at space1':
+            case 'space_1_all at space2':
+              await aggregate({
+                space,
+                user,
+                expectedStatusCode: 403,
+                expectedResponse: {
+                  error: 'Forbidden',
+                  message: 'Unauthorized to find rules for any rule types',
+                  statusCode: 403,
+                },
+              });
+              break;
+            case 'space_1_all at space1':
+            case 'space_1_all_alerts_none_actions at space1':
+              await aggregate({
+                space,
+                user,
+                expectedStatusCode: 200,
+                expectedResponse: {
+                  rule_enabled_status: {
+                    disabled: 0,
+                    enabled: 3,
+                  },
+                  rule_execution_status: {
+                    ok: 0,
+                    active: NumActiveAlerts,
+                    error: NumErrorAlerts,
+                    pending: 0,
+                    unknown: 0,
+                    warning: 0,
+                  },
+                  rule_last_run_outcome: {
+                    succeeded: 1,
+                    warning: 0,
+                    failed: 2,
+                  },
+                  rule_muted_status: {
+                    muted: 0,
+                    unmuted: 3,
+                  },
+                  rule_snoozed_status: {
+                    snoozed: 0,
+                  },
+                  rule_tags: ['foo'],
+                },
+              });
+              break;
+            case 'global_read at space1':
+            case 'superuser at space1':
+            case 'space_1_all_with_restricted_fixture at space1':
+              await aggregate({
+                space,
+                user,
+                expectedStatusCode: 200,
+                expectedResponse: {
+                  rule_enabled_status: {
+                    disabled: 0,
+                    enabled: 7,
+                  },
+                  rule_execution_status: {
+                    ok: NumOkAlerts,
+                    active: NumActiveAlerts,
+                    error: NumErrorAlerts,
+                    pending: 0,
+                    unknown: 0,
+                    warning: 0,
+                  },
+                  rule_last_run_outcome: {
+                    succeeded: 5,
+                    warning: 0,
+                    failed: 2,
+                  },
+                  rule_muted_status: {
+                    muted: 0,
+                    unmuted: 7,
+                  },
+                  rule_snoozed_status: {
+                    snoozed: 0,
+                  },
+                  rule_tags: ['foo'],
+                },
+              });
+              break;
+            default:
+              throw new Error(`Scenario untested: ${JSON.stringify(scenario)}`);
+          }
+        });
+      });
+    }
+
+    describe('filtering', () => {
+      it('should return the correct rule stats when trying to exploit RBAC through the ruleTypeIds parameter', async () => {
+        const { user, space } = Space1AllAtSpace1;
+
+        const okAlertId = await createTestAlert(
+          {
+            rule_type_id: 'test.restricted-noop',
+            schedule: { interval: '24h' },
+            consumer: 'alertsRestrictedFixture',
+          },
+          SuperuserAtSpace1.space,
+          SuperuserAtSpace1.user
+        );
+
+        const activeAlertId = await createTestAlert(
+          {
+            rule_type_id: 'test.patternFiring',
+            schedule: { interval: '24h' },
+            params: {
+              pattern: { instance: new Array(100).fill(true) },
+            },
+          },
+          SuperuserAtSpace1.space,
+          SuperuserAtSpace1.user
+        );
+
+        objectRemover.add(SuperuserAtSpace1.space.id, okAlertId, 'rule', 'alerting');
+        objectRemover.add(SuperuserAtSpace1.space.id, activeAlertId, 'rule', 'alerting');
+
+        await aggregate({
+          space,
+          user,
+          params: { rule_type_ids: ['test.restricted-noop', 'test.patternFiring'] },
+          expectedStatusCode: 200,
+          expectedResponse: {
+            rule_enabled_status: {
+              disabled: 0,
+              enabled: 1,
+            },
+            rule_execution_status: {
+              ok: 0,
+              active: 1,
+              error: 0,
+              pending: 0,
+              unknown: 0,
+              warning: 0,
+            },
+            rule_last_run_outcome: {
+              succeeded: 1,
+              warning: 0,
+              failed: 0,
+            },
+            rule_muted_status: {
+              muted: 0,
+              unmuted: 1,
+            },
+            rule_snoozed_status: {
+              snoozed: 0,
+            },
+            rule_tags: ['foo'],
+          },
+        });
+      });
+
+      it('should return the correct rule stats when trying to exploit RBAC through the consumer parameter', async () => {
+        const { user, space } = Space1AllAtSpace1;
+
+        const okAlertId = await createTestAlert(
+          {
+            rule_type_id: 'test.restricted-noop',
+            schedule: { interval: '24h' },
+            consumer: 'alertsRestrictedFixture',
+          },
+          SuperuserAtSpace1.space,
+          SuperuserAtSpace1.user
+        );
+
+        const activeAlertId = await createTestAlert(
+          {
+            rule_type_id: 'test.patternFiring',
+            schedule: { interval: '24h' },
+            params: {
+              pattern: { instance: new Array(100).fill(true) },
+            },
+          },
+          SuperuserAtSpace1.space,
+          SuperuserAtSpace1.user
+        );
+
+        objectRemover.add(SuperuserAtSpace1.space.id, okAlertId, 'rule', 'alerting');
+        objectRemover.add(SuperuserAtSpace1.space.id, activeAlertId, 'rule', 'alerting');
+
+        await aggregate({
+          space,
+          user,
+          params: { consumers: ['alertsRestrictedFixture', 'alertsFixture'] },
+          expectedStatusCode: 200,
+          expectedResponse: {
+            rule_enabled_status: {
+              disabled: 0,
+              enabled: 1,
+            },
+            rule_execution_status: {
+              ok: 0,
+              active: 1,
+              error: 0,
+              pending: 0,
+              unknown: 0,
+              warning: 0,
+            },
+            rule_last_run_outcome: {
+              succeeded: 1,
+              warning: 0,
+              failed: 0,
+            },
+            rule_muted_status: {
+              muted: 0,
+              unmuted: 1,
+            },
+            rule_snoozed_status: {
+              snoozed: 0,
+            },
+            rule_tags: ['foo'],
+          },
+        });
+      });
+    });
+  });
+
+  async function createTestAlert(testAlertOverrides = {}, space: Space, user: User) {
+    const { body: createdAlert } = await supertest
+      .post(`${getUrlPrefix(space.id)}/api/alerting/rule`)
+      .set('kbn-xsrf', 'foo')
+      .send(getTestRuleData(testAlertOverrides))
+      .auth(user.username, user.password)
+      .expect(200);
+
+    return createdAlert.id;
+  }
+
+  const aggregate = async ({
+    space,
+    user,
+    expectedStatusCode,
+    expectedResponse,
+    params = {},
+  }: {
+    space: Space;
+    user: User;
+    expectedStatusCode: number;
+    expectedResponse: Record<string, unknown>;
+    params?: Record<string, unknown>;
+  }) => {
+    await retry.try(async () => {
+      const response = await supertestWithoutAuth
+        .post(`${getUrlPrefix(space.id)}/internal/alerting/rules/_aggregate`)
+        .set('kbn-xsrf', 'foo')
+        .auth(user.username, user.password)
+        .send(params);
+
+      expect(response.status).to.eql(expectedStatusCode);
+      expect(response.body).to.eql(expectedResponse);
+    });
+  };
+}
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/index.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/index.ts
index 245425e0bbfea..4a77496654a5a 100644
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/index.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/index.ts
@@ -28,10 +28,7 @@ export default function alertingTests({ loadTestFile, getService }: FtrProviderC
         await setupSpacesAndUsers(getService);
       });
 
-      after(async () => {
-        await tearDown(getService);
-      });
-
+      loadTestFile(require.resolve('./aggregate'));
       loadTestFile(require.resolve('./mute_all'));
       loadTestFile(require.resolve('./mute_instance'));
       loadTestFile(require.resolve('./unmute_all'));
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/mute_all.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/mute_all.ts
index c5be0877c89ff..a9b6bf42e55a3 100644
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/mute_all.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/mute_all.ts
@@ -252,11 +252,7 @@ export default function createMuteAlertTests({ getService }: FtrProviderContext)
               expect(response.statusCode).to.eql(403);
               expect(response.body).to.eql({
                 error: 'Forbidden',
-                message: getUnauthorizedErrorMessage(
-                  'muteAll',
-                  'test.restricted-noop',
-                  'alertsRestrictedFixture'
-                ),
+                message: getUnauthorizedErrorMessage('muteAll', 'test.restricted-noop', 'alerts'),
                 statusCode: 403,
               });
               break;
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/mute_instance.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/mute_instance.ts
index b7cdf762836fe..1e3d99f5dd6a8 100644
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/mute_instance.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/mute_instance.ts
@@ -239,24 +239,13 @@ export default function createMuteAlertInstanceTests({ getService }: FtrProvider
           switch (scenario.id) {
             case 'no_kibana_privileges at space1':
             case 'space_1_all at space2':
-              expect(response.statusCode).to.eql(403);
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: getUnauthorizedErrorMessage('muteAlert', 'test.restricted-noop', 'alerts'),
-                statusCode: 403,
-              });
-              break;
             case 'global_read at space1':
             case 'space_1_all at space1':
             case 'space_1_all_alerts_none_actions at space1':
               expect(response.statusCode).to.eql(403);
               expect(response.body).to.eql({
                 error: 'Forbidden',
-                message: getUnauthorizedErrorMessage(
-                  'muteAlert',
-                  'test.restricted-noop',
-                  'alertsRestrictedFixture'
-                ),
+                message: getUnauthorizedErrorMessage('muteAlert', 'test.restricted-noop', 'alerts'),
                 statusCode: 403,
               });
               break;
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/unmute_all.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/unmute_all.ts
index d038108d29f67..6c7f56b75eec6 100644
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/unmute_all.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/unmute_all.ts
@@ -259,6 +259,9 @@ export default function createUnmuteAlertTests({ getService }: FtrProviderContex
           switch (scenario.id) {
             case 'no_kibana_privileges at space1':
             case 'space_1_all at space2':
+            case 'global_read at space1':
+            case 'space_1_all at space1':
+            case 'space_1_all_alerts_none_actions at space1':
               expect(response.statusCode).to.eql(403);
               expect(response.body).to.eql({
                 error: 'Forbidden',
@@ -266,9 +269,6 @@ export default function createUnmuteAlertTests({ getService }: FtrProviderContex
                 statusCode: 403,
               });
               break;
-            case 'global_read at space1':
-            case 'space_1_all at space1':
-            case 'space_1_all_alerts_none_actions at space1':
               expect(response.statusCode).to.eql(403);
               expect(response.body).to.eql({
                 error: 'Forbidden',
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/unmute_instance.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/unmute_instance.ts
index 97add81c6d5b8..a569b834fb82a 100644
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/unmute_instance.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/unmute_instance.ts
@@ -259,17 +259,6 @@ export default function createMuteAlertInstanceTests({ getService }: FtrProvider
           switch (scenario.id) {
             case 'no_kibana_privileges at space1':
             case 'space_1_all at space2':
-              expect(response.statusCode).to.eql(403);
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: getUnauthorizedErrorMessage(
-                  'unmuteAlert',
-                  'test.restricted-noop',
-                  'alerts'
-                ),
-                statusCode: 403,
-              });
-              break;
             case 'global_read at space1':
             case 'space_1_all at space1':
             case 'space_1_all_alerts_none_actions at space1':
@@ -279,7 +268,7 @@ export default function createMuteAlertInstanceTests({ getService }: FtrProvider
                 message: getUnauthorizedErrorMessage(
                   'unmuteAlert',
                   'test.restricted-noop',
-                  'alertsRestrictedFixture'
+                  'alerts'
                 ),
                 statusCode: 403,
               });
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/update.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/update.ts
index 198baf12e751f..14f089b40759f 100644
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/update.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/update.ts
@@ -409,24 +409,13 @@ export default function createUpdateTests({ getService }: FtrProviderContext) {
           switch (scenario.id) {
             case 'no_kibana_privileges at space1':
             case 'space_1_all at space2':
-              expect(response.statusCode).to.eql(403);
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: getUnauthorizedErrorMessage('update', 'test.restricted-noop', 'alerts'),
-                statusCode: 403,
-              });
-              break;
             case 'global_read at space1':
             case 'space_1_all at space1':
             case 'space_1_all_alerts_none_actions at space1':
               expect(response.statusCode).to.eql(403);
               expect(response.body).to.eql({
                 error: 'Forbidden',
-                message: getUnauthorizedErrorMessage(
-                  'update',
-                  'test.restricted-noop',
-                  'alertsRestrictedFixture'
-                ),
+                message: getUnauthorizedErrorMessage('update', 'test.restricted-noop', 'alerts'),
                 statusCode: 403,
               });
               break;
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/update_api_key.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/update_api_key.ts
index 3df0570650146..b92e423cd6829 100644
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/update_api_key.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/update_api_key.ts
@@ -238,17 +238,6 @@ export default function createUpdateApiKeyTests({ getService }: FtrProviderConte
           switch (scenario.id) {
             case 'no_kibana_privileges at space1':
             case 'space_1_all at space2':
-              expect(response.statusCode).to.eql(403);
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: getUnauthorizedErrorMessage(
-                  'updateApiKey',
-                  'test.restricted-noop',
-                  'alerts'
-                ),
-                statusCode: 403,
-              });
-              break;
             case 'global_read at space1':
             case 'space_1_all at space1':
             case 'space_1_all_alerts_none_actions at space1':
@@ -258,7 +247,7 @@ export default function createUpdateApiKeyTests({ getService }: FtrProviderConte
                 message: getUnauthorizedErrorMessage(
                   'updateApiKey',
                   'test.restricted-noop',
-                  'alertsRestrictedFixture'
+                  'alerts'
                 ),
                 statusCode: 403,
               });
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group3/tests/alerting/bulk_delete.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group3/tests/alerting/bulk_delete.ts
index fc3526eebc6a4..acc0321adfa5b 100644
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group3/tests/alerting/bulk_delete.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group3/tests/alerting/bulk_delete.ts
@@ -249,71 +249,6 @@ export default ({ getService }: FtrProviderContext) => {
           }
         });
 
-        it('should handle delete alert request appropriately when consumer is not the producer', async () => {
-          const { body: createdRule1 } = await supertest
-            .post(`${getUrlPrefix(space.id)}/api/alerting/rule`)
-            .set('kbn-xsrf', 'foo')
-            .send(
-              getTestRuleData({
-                rule_type_id: 'test.restricted-noop',
-                consumer: 'alertsFixture',
-              })
-            )
-            .expect(200);
-
-          const response = await supertestWithoutAuth
-            .patch(`${getUrlPrefix(space.id)}/internal/alerting/rules/_bulk_delete`)
-            .set('kbn-xsrf', 'foo')
-            .send({ ids: [createdRule1.id] })
-            .auth(user.username, user.password);
-
-          switch (scenario.id) {
-            case 'no_kibana_privileges at space1':
-            case 'space_1_all at space2':
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: 'Unauthorized to find rules for any rule types',
-                statusCode: 403,
-              });
-              expect(response.statusCode).to.eql(403);
-              objectRemover.add(space.id, createdRule1.id, 'rule', 'alerting');
-              // Ensure task still exists
-              await getScheduledTask(createdRule1.scheduled_task_id);
-              break;
-            case 'space_1_all at space1':
-            case 'space_1_all_alerts_none_actions at space1':
-            case 'space_1_all_with_restricted_fixture at space1':
-            case 'global_read at space1':
-              expect(response.body).to.eql({
-                statusCode: 400,
-                error: 'Bad Request',
-                message: 'No rules found for bulk delete',
-              });
-              expect(response.statusCode).to.eql(400);
-              objectRemover.add(space.id, createdRule1.id, 'rule', 'alerting');
-              // Ensure task still exists
-              await getScheduledTask(createdRule1.scheduled_task_id);
-              break;
-            case 'superuser at space1':
-              expect(response.body).to.eql({
-                rules: [{ ...getDefaultRules(response), rule_type_id: 'test.restricted-noop' }],
-                errors: [],
-                total: 1,
-                taskIdsFailedToBeDeleted: [],
-              });
-              expect(response.statusCode).to.eql(200);
-              try {
-                await getScheduledTask(createdRule1.scheduled_task_id);
-                throw new Error('Should have removed scheduled task');
-              } catch (e) {
-                expect(e.meta.statusCode).to.eql(404);
-              }
-              break;
-            default:
-              throw new Error(`Scenario untested: ${JSON.stringify(scenario)}`);
-          }
-        });
-
         it('should handle delete alert request appropriately when consumer is "alerts"', async () => {
           const { body: createdRule1 } = await supertest
             .post(`${getUrlPrefix(space.id)}/api/alerting/rule`)
@@ -348,7 +283,7 @@ export default ({ getService }: FtrProviderContext) => {
             case 'global_read at space1':
               expect(response.body).to.eql({
                 error: 'Forbidden',
-                message: getUnauthorizedErrorMessage('bulkDelete', 'test.noop', 'alertsFixture'),
+                message: getUnauthorizedErrorMessage('bulkDelete', 'test.noop', 'alerts'),
                 statusCode: 403,
               });
               expect(response.statusCode).to.eql(403);
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group3/tests/alerting/bulk_disable.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group3/tests/alerting/bulk_disable.ts
index b8c2041cb27af..7bd3e42edeb70 100644
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group3/tests/alerting/bulk_disable.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group3/tests/alerting/bulk_disable.ts
@@ -278,7 +278,7 @@ export default ({ getService }: FtrProviderContext) => {
             case 'global_read at space1':
               expect(response.body).to.eql({
                 error: 'Forbidden',
-                message: getUnauthorizedErrorMessage('bulkDisable', 'test.noop', 'alertsFixture'),
+                message: getUnauthorizedErrorMessage('bulkDisable', 'test.noop', 'alerts'),
                 statusCode: 403,
               });
               expect(response.statusCode).to.eql(403);
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group3/tests/alerting/bulk_edit.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group3/tests/alerting/bulk_edit.ts
index 1082a6741ec0d..c0835b91e209e 100644
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group3/tests/alerting/bulk_edit.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group3/tests/alerting/bulk_edit.ts
@@ -388,11 +388,7 @@ export default function createUpdateTests({ getService }: FtrProviderContext) {
             case 'global_read at space1':
               expect(response.body).to.eql({
                 error: 'Forbidden',
-                message: getUnauthorizedErrorMessage(
-                  'bulkEdit',
-                  'test.restricted-noop',
-                  'alertsRestrictedFixture'
-                ),
+                message: getUnauthorizedErrorMessage('bulkEdit', 'test.restricted-noop', 'alerts'),
                 statusCode: 403,
               });
               expect(response.statusCode).to.eql(403);
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group3/tests/alerting/bulk_enable.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group3/tests/alerting/bulk_enable.ts
index e7cd7044717c4..c829e130f246d 100644
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group3/tests/alerting/bulk_enable.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group3/tests/alerting/bulk_enable.ts
@@ -228,54 +228,6 @@ export default ({ getService }: FtrProviderContext) => {
           }
         });
 
-        it('should handle enable alert request appropriately when consumer is not the producer', async () => {
-          const { body: createdRule } = await supertest
-            .post(`${getUrlPrefix(space.id)}/api/alerting/rule`)
-            .set('kbn-xsrf', 'foo')
-            .send(
-              getTestRuleData({
-                rule_type_id: 'test.restricted-noop',
-                consumer: 'alertsFixture',
-              })
-            )
-            .expect(200);
-          objectRemover.add(space.id, createdRule.id, 'rule', 'alerting');
-
-          const response = await supertestWithoutAuth
-            .patch(`${getUrlPrefix(space.id)}/internal/alerting/rules/_bulk_enable`)
-            .set('kbn-xsrf', 'foo')
-            .send({ ids: [createdRule.id] })
-            .auth(user.username, user.password);
-
-          switch (scenario.id) {
-            case 'no_kibana_privileges at space1':
-            case 'space_1_all at space2':
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: 'Unauthorized to find rules for any rule types',
-                statusCode: 403,
-              });
-              expect(response.statusCode).to.eql(403);
-              break;
-            case 'space_1_all at space1':
-            case 'space_1_all_alerts_none_actions at space1':
-            case 'space_1_all_with_restricted_fixture at space1':
-            case 'global_read at space1':
-              expect(response.body).to.eql({
-                statusCode: 400,
-                error: 'Bad Request',
-                message: 'No rules found for bulk enable',
-              });
-              expect(response.statusCode).to.eql(400);
-              break;
-            case 'superuser at space1':
-              expect(response.statusCode).to.eql(200);
-              break;
-            default:
-              throw new Error(`Scenario untested: ${JSON.stringify(scenario)}`);
-          }
-        });
-
         it('should handle enable alert request appropriately when consumer is "alerts"', async () => {
           const { body: createdRule } = await supertest
             .post(`${getUrlPrefix(space.id)}/api/alerting/rule`)
@@ -308,7 +260,7 @@ export default ({ getService }: FtrProviderContext) => {
             case 'global_read at space1':
               expect(response.body).to.eql({
                 error: 'Forbidden',
-                message: getUnauthorizedErrorMessage('bulkEnable', 'test.noop', 'alertsFixture'),
+                message: getUnauthorizedErrorMessage('bulkEnable', 'test.noop', 'alerts'),
                 statusCode: 403,
               });
               expect(response.statusCode).to.eql(403);
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group4/tests/alerting/snooze.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group4/tests/alerting/snooze.ts
index 8c1fed7978b55..c880b18dd4b46 100644
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group4/tests/alerting/snooze.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group4/tests/alerting/snooze.ts
@@ -269,24 +269,13 @@ export default function createSnoozeRuleTests({ getService }: FtrProviderContext
           switch (scenario.id) {
             case 'no_kibana_privileges at space1':
             case 'space_1_all at space2':
-              expect(response.statusCode).to.eql(403);
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: getUnauthorizedErrorMessage('snooze', 'test.restricted-noop', 'alerts'),
-                statusCode: 403,
-              });
-              break;
             case 'global_read at space1':
             case 'space_1_all at space1':
             case 'space_1_all_alerts_none_actions at space1':
               expect(response.statusCode).to.eql(403);
               expect(response.body).to.eql({
                 error: 'Forbidden',
-                message: getUnauthorizedErrorMessage(
-                  'snooze',
-                  'test.restricted-noop',
-                  'alertsRestrictedFixture'
-                ),
+                message: getUnauthorizedErrorMessage('snooze', 'test.restricted-noop', 'alerts'),
                 statusCode: 403,
               });
               break;
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group4/tests/alerting/unsnooze.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group4/tests/alerting/unsnooze.ts
index eae8814a514fb..8f509e6104c3d 100644
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group4/tests/alerting/unsnooze.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group4/tests/alerting/unsnooze.ts
@@ -254,11 +254,7 @@ export default function createUnsnoozeRuleTests({ getService }: FtrProviderConte
               expect(response.statusCode).to.eql(403);
               expect(response.body).to.eql({
                 error: 'Forbidden',
-                message: getUnauthorizedErrorMessage(
-                  'unsnooze',
-                  'test.restricted-noop',
-                  'alertsRestrictedFixture'
-                ),
+                message: getUnauthorizedErrorMessage('unsnooze', 'test.restricted-noop', 'alerts'),
                 statusCode: 403,
               });
               break;
diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/scenarios.ts b/x-pack/test/alerting_api_integration/security_and_spaces/scenarios.ts
index fdb56a4fb501e..bf6b38b6befbe 100644
--- a/x-pack/test/alerting_api_integration/security_and_spaces/scenarios.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/scenarios.ts
@@ -282,6 +282,10 @@ const GlobalReadAtSpace1: GlobalReadAtSpace1 = {
   space: Space1,
 };
 
+interface Space1AllAtSpace1 extends Scenario {
+  id: 'space_1_all at space1';
+}
+
 interface Space1AllWithRestrictedFixtureAtSpace1 extends Scenario {
   id: 'space_1_all_with_restricted_fixture at space1';
 }
@@ -322,7 +326,8 @@ export const systemActionScenario: SystemActionSpace1 = {
 interface Space1AllAtSpace1 extends Scenario {
   id: 'space_1_all at space1';
 }
-const Space1AllAtSpace1: Space1AllAtSpace1 = {
+
+export const Space1AllAtSpace1: Space1AllAtSpace1 = {
   id: 'space_1_all at space1',
   user: Space1All,
   space: Space1,
diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group1/aggregate_post.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group1/aggregate.ts
similarity index 51%
rename from x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group1/aggregate_post.ts
rename to x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group1/aggregate.ts
index 6269e9bff6e2b..c1553d1ef8d9e 100644
--- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group1/aggregate_post.ts
+++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group1/aggregate.ts
@@ -28,10 +28,12 @@ export default function createAggregateTests({ getService }: FtrProviderContext)
     });
   };
 
-  describe('aggregate post', () => {
+  describe('aggregate', () => {
     const objectRemover = new ObjectRemover(supertest);
 
-    afterEach(() => objectRemover.removeAll());
+    afterEach(async () => {
+      await objectRemover.removeAll();
+    });
 
     it('should aggregate when there are no alerts', async () => {
       const response = await supertest
@@ -157,6 +159,171 @@ export default function createAggregateTests({ getService }: FtrProviderContext)
       });
     });
 
+    it('should aggregate only filtered rules by rule type IDs', async () => {
+      const NumOkAlerts = 4;
+      const NumActiveAlerts = 1;
+      const NumErrorAlerts = 2;
+
+      const okAlertIds: string[] = [];
+      const activeAlertIds: string[] = [];
+      const errorAlertIds: string[] = [];
+
+      await Promise.all(
+        [...Array(NumOkAlerts)].map(async () => {
+          const okAlertId = await createTestAlert({
+            rule_type_id: 'test.noop',
+            schedule: { interval: '24h' },
+          });
+          okAlertIds.push(okAlertId);
+          objectRemover.add(Spaces.space1.id, okAlertId, 'rule', 'alerting');
+        })
+      );
+
+      await Promise.all(okAlertIds.map((id) => getEventLogWithRetry(id)));
+
+      await Promise.all(
+        [...Array(NumActiveAlerts)].map(async () => {
+          const activeAlertId = await createTestAlert({
+            rule_type_id: 'test.patternFiring',
+            schedule: { interval: '24h' },
+            params: {
+              pattern: { instance: new Array(100).fill(true) },
+            },
+          });
+          activeAlertIds.push(activeAlertId);
+          objectRemover.add(Spaces.space1.id, activeAlertId, 'rule', 'alerting');
+        })
+      );
+
+      await Promise.all(activeAlertIds.map((id) => getEventLogWithRetry(id)));
+
+      await Promise.all(
+        [...Array(NumErrorAlerts)].map(async () => {
+          const errorAlertId = await createTestAlert({
+            rule_type_id: 'test.throw',
+            schedule: { interval: '24h' },
+          });
+          errorAlertIds.push(errorAlertId);
+          objectRemover.add(Spaces.space1.id, errorAlertId, 'rule', 'alerting');
+        })
+      );
+
+      await Promise.all(errorAlertIds.map((id) => getEventLogWithRetry(id)));
+
+      await retry.try(async () => {
+        const response = await supertest
+          .post(`${getUrlPrefix(Spaces.space1.id)}/internal/alerting/rules/_aggregate`)
+          .set('kbn-xsrf', 'foo')
+          .send({ rule_type_ids: ['test.noop'] });
+
+        expect(response.status).to.eql(200);
+        expect(response.body).to.eql({
+          rule_enabled_status: {
+            disabled: 0,
+            enabled: 4,
+          },
+          rule_execution_status: {
+            ok: NumOkAlerts,
+            active: 0,
+            error: 0,
+            pending: 0,
+            unknown: 0,
+            warning: 0,
+          },
+          rule_last_run_outcome: {
+            succeeded: 4,
+            warning: 0,
+            failed: 0,
+          },
+          rule_muted_status: {
+            muted: 0,
+            unmuted: 4,
+          },
+          rule_snoozed_status: {
+            snoozed: 0,
+          },
+          rule_tags: ['foo'],
+        });
+      });
+    });
+
+    it('should aggregate only filtered rules by consumer', async () => {
+      const NumOkAlerts = 4;
+      const NumActiveAlerts = 1;
+      const NumErrorAlerts = 2;
+
+      const okAlertIds: string[] = [];
+      const activeAlertIds: string[] = [];
+      const errorAlertIds: string[] = [];
+
+      await Promise.all(
+        [...Array(NumOkAlerts)].map(async () => {
+          const okAlertId = await createTestAlert({
+            rule_type_id: 'test.restricted-noop',
+            schedule: { interval: '24h' },
+            consumer: 'alertsRestrictedFixture',
+          });
+          okAlertIds.push(okAlertId);
+          objectRemover.add(Spaces.space1.id, okAlertId, 'rule', 'alerting');
+        })
+      );
+
+      await Promise.all(okAlertIds.map((id) => getEventLogWithRetry(id)));
+
+      await Promise.all(
+        [...Array(NumActiveAlerts)].map(async () => {
+          const activeAlertId = await createTestAlert({
+            rule_type_id: 'test.patternFiring',
+            schedule: { interval: '24h' },
+            params: {
+              pattern: { instance: new Array(100).fill(true) },
+            },
+          });
+          activeAlertIds.push(activeAlertId);
+          objectRemover.add(Spaces.space1.id, activeAlertId, 'rule', 'alerting');
+        })
+      );
+
+      await Promise.all(activeAlertIds.map((id) => getEventLogWithRetry(id)));
+
+      await Promise.all(
+        [...Array(NumErrorAlerts)].map(async () => {
+          const errorAlertId = await createTestAlert({
+            rule_type_id: 'test.throw',
+            schedule: { interval: '24h' },
+          });
+          errorAlertIds.push(errorAlertId);
+          objectRemover.add(Spaces.space1.id, errorAlertId, 'rule', 'alerting');
+        })
+      );
+
+      await Promise.all(errorAlertIds.map((id) => getEventLogWithRetry(id)));
+
+      await retry.try(async () => {
+        const response = await supertest
+          .post(`${getUrlPrefix(Spaces.space1.id)}/internal/alerting/rules/_aggregate`)
+          .set('kbn-xsrf', 'foo')
+          .send({ consumers: ['alertsFixture'] });
+
+        expect(response.status).to.eql(200);
+        expect(response.body).to.eql({
+          rule_execution_status: {
+            error: NumErrorAlerts,
+            active: NumActiveAlerts,
+            ok: 0,
+            pending: 0,
+            unknown: 0,
+            warning: 0,
+          },
+          rule_last_run_outcome: { failed: 2, succeeded: 1, warning: 0 },
+          rule_enabled_status: { enabled: 3, disabled: 0 },
+          rule_muted_status: { muted: 0, unmuted: 3 },
+          rule_snoozed_status: { snoozed: 0 },
+          rule_tags: ['foo'],
+        });
+      });
+    });
+
     describe('tags limit', () => {
       it('should be 50 be default', async () => {
         const numOfAlerts = 3;
diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group1/find.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group1/find.ts
index e730dd657d2f1..f6b48df9b9f17 100644
--- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group1/find.ts
+++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group1/find.ts
@@ -33,10 +33,13 @@ export default function createFindTests({ getService }: FtrProviderContext) {
   describe('find public API', () => {
     const objectRemover = new ObjectRemover(supertest);
 
-    afterEach(() => objectRemover.removeAll());
+    afterEach(async () => {
+      await objectRemover.removeAll();
+    });
 
     describe('handle find alert request', function () {
       this.tags('skipFIPS');
+
       it('should handle find alert request appropriately', async () => {
         const { body: createdAction } = await supertest
           .post(`${getUrlPrefix(Spaces.space1.id)}/api/actions/connector`)
@@ -290,6 +293,48 @@ export default function createFindTests({ getService }: FtrProviderContext) {
           'Error find rules: Filter is not supported on this field alert.attributes.mapped_params.risk_score'
         );
       });
+
+      it('should throw when using rule_type_ids', async () => {
+        const { body: createdAlert } = await supertest
+          .post(`${getUrlPrefix(Spaces.space1.id)}/api/alerting/rule`)
+          .set('kbn-xsrf', 'foo')
+          .send(getTestRuleData())
+          .expect(200);
+
+        objectRemover.add(Spaces.space1.id, createdAlert.id, 'rule', 'alerting');
+
+        const response = await supertest.get(
+          `${getUrlPrefix(Spaces.space1.id)}/api/alerting/rules/_find?rule_type_ids=foo`
+        );
+
+        expect(response.statusCode).to.eql(400);
+        expect(response.body).to.eql({
+          statusCode: 400,
+          error: 'Bad Request',
+          message: '[request query.rule_type_ids]: definition for this key is missing',
+        });
+      });
+
+      it('should throw when using consumers', async () => {
+        const { body: createdAlert } = await supertest
+          .post(`${getUrlPrefix(Spaces.space1.id)}/api/alerting/rule`)
+          .set('kbn-xsrf', 'foo')
+          .send(getTestRuleData())
+          .expect(200);
+
+        objectRemover.add(Spaces.space1.id, createdAlert.id, 'rule', 'alerting');
+
+        const response = await supertest.get(
+          `${getUrlPrefix(Spaces.space1.id)}/api/alerting/rules/_find?consumers=foo`
+        );
+
+        expect(response.statusCode).to.eql(400);
+        expect(response.body).to.eql({
+          statusCode: 400,
+          error: 'Bad Request',
+          message: '[request query.consumers]: definition for this key is missing',
+        });
+      });
     });
 
     describe('legacy', function () {
diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group1/find_internal.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group1/find_internal.ts
index 25fc54a5229d3..7c10b9be598bb 100644
--- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group1/find_internal.ts
+++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group1/find_internal.ts
@@ -22,6 +22,7 @@ async function createAlert(
     .set('kbn-xsrf', 'foo')
     .send(getTestRuleData(overwrites))
     .expect(200);
+
   objectRemover.add(Spaces.space1.id, createdAlert.id, 'rule', 'alerting');
   return createdAlert;
 }
@@ -33,10 +34,13 @@ export default function createFindTests({ getService }: FtrProviderContext) {
   describe('find internal API', () => {
     const objectRemover = new ObjectRemover(supertest);
 
-    afterEach(() => objectRemover.removeAll());
+    afterEach(async () => {
+      await objectRemover.removeAll();
+    });
 
     describe('handle find alert request', function () {
       this.tags('skipFIPS');
+
       it('should handle find alert request appropriately', async () => {
         const { body: createdAction } = await supertest
           .post(`${getUrlPrefix(Spaces.space1.id)}/api/actions/connector`)
@@ -276,7 +280,7 @@ export default function createFindTests({ getService }: FtrProviderContext) {
 
       it('should filter on parameters', async () => {
         const response = await supertest
-          .get(`${getUrlPrefix(Spaces.space1.id)}/internal/alerting/rules/_find`)
+          .post(`${getUrlPrefix(Spaces.space1.id)}/internal/alerting/rules/_find`)
           .set('kbn-xsrf', 'foo')
           .send({
             filter: 'alert.attributes.params.risk_score:40',
@@ -286,17 +290,52 @@ export default function createFindTests({ getService }: FtrProviderContext) {
         expect(response.body.total).to.equal(1);
         expect(response.body.data[0].params.risk_score).to.eql(40);
       });
+    });
 
-      it('should error if filtering on mapped parameters directly using the public API', async () => {
-        const response = await supertest
-          .post(`${getUrlPrefix(Spaces.space1.id)}/internal/alerting/rules/_find`)
-          .set('kbn-xsrf', 'foo')
-          .send({
-            filter: 'alert.attributes.mapped_params.risk_score:40',
-          });
+    it('should filter rules by rule type IDs', async () => {
+      await createAlert(objectRemover, supertest, {
+        rule_type_id: 'test.noop',
+        consumer: 'alertsFixture',
+      });
 
-        expect(response.status).to.eql(200);
+      await createAlert(objectRemover, supertest, {
+        rule_type_id: 'test.restricted-noop',
+        consumer: 'alertsRestrictedFixture',
       });
+
+      const response = await supertest
+        .post(`${getUrlPrefix(Spaces.space1.id)}/internal/alerting/rules/_find`)
+        .set('kbn-xsrf', 'foo')
+        .send({
+          rule_type_ids: ['test.restricted-noop'],
+        });
+
+      expect(response.status).to.eql(200);
+      expect(response.body.total).to.equal(1);
+      expect(response.body.data[0].rule_type_id).to.eql('test.restricted-noop');
+    });
+
+    it('should filter rules by consumers', async () => {
+      await createAlert(objectRemover, supertest, {
+        rule_type_id: 'test.noop',
+        consumer: 'alertsFixture',
+      });
+
+      await createAlert(objectRemover, supertest, {
+        rule_type_id: 'test.restricted-noop',
+        consumer: 'alertsRestrictedFixture',
+      });
+
+      const response = await supertest
+        .post(`${getUrlPrefix(Spaces.space1.id)}/internal/alerting/rules/_find`)
+        .set('kbn-xsrf', 'foo')
+        .send({
+          consumers: ['alertsRestrictedFixture'],
+        });
+
+      expect(response.status).to.eql(200);
+      expect(response.body.total).to.equal(1);
+      expect(response.body.data[0].consumer).to.eql('alertsRestrictedFixture');
     });
 
     describe('legacy', function () {
@@ -309,11 +348,7 @@ export default function createFindTests({ getService }: FtrProviderContext) {
           .expect(200);
         objectRemover.add(Spaces.space1.id, createdAlert.id, 'rule', 'alerting');
 
-        const response = await supertest.get(
-          `${getUrlPrefix(
-            Spaces.space1.id
-          )}/api/alerts/_find?search=test.noop&search_fields=alertTypeId`
-        );
+        const response = await supertest.get(`${getUrlPrefix(Spaces.space1.id)}/api/alerts/_find`);
 
         expect(response.status).to.eql(200);
         expect(response.body.page).to.equal(1);
diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group1/index.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group1/index.ts
index 7a0c24878d07f..d750fd7bcfb4e 100644
--- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group1/index.ts
+++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group1/index.ts
@@ -14,12 +14,13 @@ export default function alertingTests({ loadTestFile, getService }: FtrProviderC
     before(async () => await buildUp(getService));
     after(async () => await tearDown(getService));
 
-    loadTestFile(require.resolve('./aggregate_post'));
+    loadTestFile(require.resolve('./aggregate'));
     loadTestFile(require.resolve('./create'));
     loadTestFile(require.resolve('./delete'));
     loadTestFile(require.resolve('./disable'));
     loadTestFile(require.resolve('./enable'));
     loadTestFile(require.resolve('./find'));
+    loadTestFile(require.resolve('./find_internal'));
     loadTestFile(require.resolve('./get'));
     loadTestFile(require.resolve('./get_alert_state'));
     loadTestFile(require.resolve('./get_alert_summary'));
diff --git a/x-pack/test/common/services/bsearch_secure.ts b/x-pack/test/common/services/bsearch_secure.ts
index ccd1866ddd66e..6ce4964075733 100644
--- a/x-pack/test/common/services/bsearch_secure.ts
+++ b/x-pack/test/common/services/bsearch_secure.ts
@@ -52,10 +52,12 @@ export class BsearchSecureService extends FtrService {
     space,
   }: SendOptions) {
     const spaceUrl = getSpaceUrlPrefix(space);
+    const statusesWithoutRetry = [200, 400, 403, 500];
 
     const { body } = await this.retry.try(async () => {
       let result;
       const url = `${spaceUrl}/internal/search/${strategy}`;
+
       if (referer && kibanaVersion) {
         result = await supertestWithoutAuth
           .post(url)
@@ -97,9 +99,11 @@ export class BsearchSecureService extends FtrService {
           .set('kbn-xsrf', 'true')
           .send(options);
       }
-      if ((result.status === 500 || result.status === 200) && result.body) {
+
+      if (statusesWithoutRetry.includes(result.status) && result.body) {
         return result;
       }
+
       throw new Error('try again');
     });
 
diff --git a/x-pack/test/functional/apps/infra/metrics_source_configuration.ts b/x-pack/test/functional/apps/infra/metrics_source_configuration.ts
index 46d20489e4d36..39c6b33d2f3e2 100644
--- a/x-pack/test/functional/apps/infra/metrics_source_configuration.ts
+++ b/x-pack/test/functional/apps/infra/metrics_source_configuration.ts
@@ -7,13 +7,10 @@
 
 import { cleanup, Dataset, generate, PartialConfig } from '@kbn/data-forge';
 import expect from '@kbn/expect';
-import {
-  Aggregators,
-  InfraRuleType,
-  MetricThresholdParams,
-} from '@kbn/infra-plugin/common/alerting/metrics';
+import { Aggregators, MetricThresholdParams } from '@kbn/infra-plugin/common/alerting/metrics';
 
 import { COMPARATORS } from '@kbn/alerting-comparators';
+import { InfraRuleType } from '@kbn/rule-data-utils';
 import { createRule } from '../../../alerting_api_integration/observability/helpers/alerting_api_helper';
 import {
   waitForDocumentInIndex,
diff --git a/x-pack/test/functional/es_archives/observability/alerts/data.json.gz b/x-pack/test/functional/es_archives/observability/alerts/data.json.gz
index 4017aaab1bddf1ca9ba2582b819b813dfdc42e2d..bcab15f41c4492582199703e1d3feedd8f693af0 100644
GIT binary patch
literal 4473
zcmV-<5r*y`iwFoXMi*xQ17u-zVJ>QOZ*BnXom+1sxs}J?=Tis<0?aJJ3hx&^1Q}#!
zfdD%|u$jCh9T>dYO3RX?i=ED(zx$plSuNSBl8fC^S(0mdX3&yYJS-OZ|M8HAtY5zy
z46YWR?&H;Pa22Nh>bK<=4|cpPzxfqDz{gQ2f7MP2m!d(QCV{wuzd7qAa#+(4j5pD+
z>hki6Nr?Y0FDgcpMVw9SxUl0mTg=ha&ExFBy3u&F_*B^YyY&wtCc7Lj5H9~A>x|~p
z<;-u20^j^$F}jQMg}u8k^QV{+L@*-e7b1of51B3$H-CG&9@58$I9U|dFGkZzc}4lR
zhxqdMk5J<B*ZJrM3cLCB<H*^GU6rv2%b6{+DVB3cONdd#a42nk>R8s|D*fVi7U#Fq
zacM%lntEOP3>S(jZKN?mVNC?DzjQQ#>X`Ugte#U@r;C}L%vbk(9cQ!Y>>5fQujAOx
z7bB1S6s6e|p3Ed%-!2ySXcqsqgi5VG%!j}G-Q(k9@szmm(}wDpMLS>B>HpZ#IEKNN
z)%l<_I2g?bH;@dPz+iD}Cj(L7-weL@%h?PneNf$KnTC<y{4hw<*`TI?O~#kwSa`_!
zW;**+Uxrl?Hg&%*BPj9mF3zg@tJ>qf)DwGG^_L(2{PW<+>@Qnp|F1Or{d5w4*q6!u
zY#NsS$>jarzNF><uFFn({n``Wm&<awx>``;0<jn|90MXGdSo<#ZY_Mk$@=JQQ(Zwj
zn=N*`9mYdW3L(Vbny*__eP*ZkJxf;hY`Bfd&31=}L^q4L*XUEq&-J;k?>j@kUS{z)
zoqbH>>Ere0MyB_1vXgp#57h?`sZ8<rP5GasZC%cPyu9oo&gM_*qzhc&O}@}be4Njx
zv!arzGR4+|-=r%wbp#3!Cl4d&H+N5IU+d26%hnBgZ}(f+o9ezc#osDQv1Z7&oUCs6
z^LOQcpTGO=*Y>R8UMpy%1f|3X;uZ^}E#^ow7HP1CYoUAA9FjG>Fqkq1_alr^oXKxx
z&Gg<y_yOI2THL}fKEm~%u2-t}yzw3jD&h$$&r8ztr02;&c#@$}EqG%6$I0{&9{o++
zt*ukzN?k90$&#jC*A62qx%hg3NXxjEnxMc0M_llPtOx;xkW%7UdZTF%kOKmQG-R9)
zjDOk(d%bo@I^+exFL+TFq^Ctsi-XW2Ly#`T`^cfh^S;)O5#Q`(FzR)Z4*WoP3Wys@
zkyawYGYK#d27*f^dq^A<65mXTR#RBu^4gidg<5gbe?tQgwg@wO12P-pr1<B(9eX>r
zpu3I2cR;G(er~I$%aQ4lp=6grm#^*TCp+imX;e|*h$5$@KdA(=ltL>uERx`(R>}4>
zIv|ZWg)YX3AzT|KiRubX<0-Vt+v$8UWI%_b6Ns}OKs|tt44@40x-bAW_2!f1OwgWd
zMlE8}IK-I=$hwG;CzP|8N-gZyRu1a*eDhjLTe1*C3nFzv3QANrbRn{*OHY?0(<MW)
zE{rbwdi2Q>h9(y|js^)rEaKP^WW6vbNzVfd#7Fwpkzzy-u>iu5J%sV&>HH9YVMJg<
zn)$NI@b&Vwp%Tq-e@JUAwLsBVM2-Da<~s1xCGg}WZK$a8WXLz8X4~eG@v<`Y$I8^P
zk&=gzKygTcRT%LH!3d#4feR_{>lm3uKLypSS>^r;lGNCRq~qG8n;z8;IvFZ<!qC~u
zwrV81nbren>$-;S-I&o+C)l=J(_wcm|3av*=8lVug(xIqfl0(E_Q)n95RY0rOq2K0
zyfJsME<GEeJK>Jfn9w}#)RphR+@b9!+D?Q!RQ23BP3~Yiq__~$bj+O^yG`8L>QU{u
zlc8cgceXQnGwvv50>M$DpoIqalw0JYvIt9MrFA5V_}2aoxZH$;%Z)qW4xtj0On;}Y
ze23;v`)RmS;g0ONbBf&ILjleNh&t<*JGFKjxwGj}?YNVnVlBAy*73~mi9a-24r2p}
zDEARY3<@J714Ge-V1rgNvFsI{@$_bXFaT8(zC%t6Ojs9=57UHlm4l#$61G8*YL6h@
zZU^Uoy^0de2k?LfP(QO#oDaUgo6h12Bue}+xU&m?3m+p0|0Im6MV+E8G5#0wJt8R<
z<;-$RFqCaDhYXuGTR?|dmOZ+t(ANeMMhB+6C?P@R3KANpfJopVecEs>Q)@`*^^B7#
z1gG6WqRDP8B%ZhVc96)Bnv-!(zFlCw=Gq7xko3Su4h;nvXb@13G$|EAP$YX|>7W9;
zS~D-_H;w3I&74Y774}$4$+>AIm1#7N4#v^wW~OhNLL4``3EAcfXEg$UZsxdJ`kLyk
zmGoKW;7v@I_XGDSZ|L2r!a8r@kF18_=`hO<YA8%0O{c5ZTSnVyW`=rPkY);w;SV)P
z%4)m426w`N52l#W(s@gu4&Ik$8o?Nm#}rL0+o|U31I#k3a~)zn7sl@wkJHoCL*=C8
zY&9+64l*sl)sWGGs}|D|htk7mM%(FOhB91`9x@!9bTD$3#5=@&2*@$#5l@a|LxMC0
zpMV~A7k5dqGE}Q0#$B32sUhUlB!=gug(o{U<jk5_hV&gy3q?6h<FbYKeLyYT7;UG8
z8LDtWT9}Lx4yy!rO(^0fSQrs&j=WKraju-z{%y684}};qQ3$zj#q3~OC^6TX9@C*_
zh8;)@A*XX48NQFnM`*rmSc;JZl(&e;JCyuAGulr6GKAoQ<c}*Rwbur*2*l%9D5M2T
z$Ol^vjVX62<;ve(gx=^6JsPC4Fp77gfQ;tGNY|BbpS0b4jHq0XgqnkzS=Z40bUH>%
zV8?lgh&}N8R~7J&fBx%WIkz{vn`G?PU~8JdA+L*K#)W>`GxMz_dMTfOnv~UFemJ;v
z{=8~mgVEYVi@~Iw*}JM^{`%o+G7a$;=p7%fh99oV?Q$Qke*59d&qh#pBMaaD9TKe?
zah1g1FIOq1cV#|cvHJS=)t6r?xx9|!f0SQAJO0b)KV|;p>EmA~qeXSm-72T$d@;TI
zd2IsBE!O2({ZyqIh3cE?Hqh#Ov@RC>oJMiHN>P2ZH}Lpxs%E^p?BV9a)#uM;fmVI(
zPpiaFj~0Gwi=WXX&Fp+JTl&Rvwl~V*C5WCWLGk5z6|K0s5oQq+;|Cj$iy<*X$_l9)
zmsgJ!BED;P&=4}QB`EFil_BI8gfH;ZeDWp$Tqr<0VS<d+6bYY<Rg_w4dVIYNz8=(r
zJ2JimD|iOJ_LZo|SC6kAUvG!63?aWDd|A#C4$2{+qek4ih^*EaQ4J2bXH+qrJrVy#
z_<CODUk$Ifrj}=+u~#3;=@JFapw_+;_0;OAbuQF;wYMILS~YeLMy(9}z94E*%%hLN
zBI!j0S2HDKy(h@?z`@;g+F*AA)PmuPFonjQI9;5RDxN0mV1=3je%pG;{L_39?+VaP
zC{>&l_kMSK&kIBmB5Kdl;q;4d)oAx6epcFg%vF;$g}!nf`B0*oC8buVXq`Xo5eG~c
zl6NhoHFle%bgON*lhO=Pxg;s2fL9V#`ML&+I04o=88i~gFs3Z?A!J8$A4f`eJkH~7
z*%XHF2~BKJ()}LsX?g-uW-Y(;o<Q#jT!JS+6#QE#rn<)0uH8NOS_?``e6<(y3&NMc
z;P_DL5sYsr;+_Jusgg))YJ;$p8y(*qUwkNN8Cx&#zF5*j;Y%`%bq>Aii+2ve1GJER
z@IX(mcSSGgtz?KP^w!2>sg8Bt!mizVdOZ`AcJ#{7@e86?GTf`EC<;tt#G^DwI|fSS
z9N|J~<9POq*^WUkRvxs$O&901mCl#Rn#QUx-x&lCaFK<tK6s$VSC6l5@U;<?cKFH=
z@(aQjB~-FR1;B-{@<_gbG?VZ@p#p{KP@24b>>E5yS$f@qbv1XG7yDLUzH{)tc)@z_
ztH;-S!xtYC((OS;O?DgcwGot-bBFDP{DSc1sWD6@50s7yabg&9mWA?fI(imdP}wKN
z9RpvgI$oFRj!rA3A`@RV<vRoKOW>>^xZeBf@pTdS64gnlxZBX}TDy(-+6YQJd}Rpv
z1>q~Pq>Z#?vmhREr#Z4F7!<taDTQdcdHcyjF~q!jzm@D_>5FKC$(}=0Y7g74Dc>1H
zZUDYiAGy)v>s{dsdMhc<*Ak*z@2l2sJ-(g^O3TT^_CkI^`0`YGi=i<DORB?j9dbb!
zWSNHQBr@uh{ho+3$5$D-k>z|HhhAMQeX)Y{&R0*b_eL*Pz5Ymc9X4NM_h9tO(D4hR
zmm}V!loS#sGH^6iKw4pilne@+B)Kr;6zHX@S3;6~XZjv;?vP~#9@dxd9Gowjwe;0H
zUp>Aq0$*atc_CESVe>V18}YRfly>;a5b{gHm)AU6K@sBuBhIZwCOLq1!q`%*gTyDX
z>#Js;#!>N=Id}N#K9UoS+`xtCBR6_{y)%53|B?c_c-OnWcI`IdYfDgC;;X%oUl6{c
zc2QAH5VlGp&U{2B8jFIE5*i9K(w)Nj4|S8($HW)TeZTo@lj$cqdC2?7jUHd`3}1XG
zOnElYp0`3DD{^DkZlm|L5tMfL$`JAv`0DmGy9bD$w<fWW3^HCM#1&yk6VHI<*d>*O
zjyU_RV8`&nXt{Ah;!eCUt&KLBURX`}&S4S}XPq6}Pa^ghJAaG;BlJ+PLXyUC;bToA
z?%Hki!Zw1^4r3WY-U4HlmYxN`JR_LeB#@Wo3y_n+$Qgx^4ARJmlOjZ%0>IwkG-5Xq
z^!@(j9$@bcV3#<Jm?7jB=!Xf%vGm>}ilae12#2iY3W)&DND3lCOF0FM)ik`L?qkl3
zMSQhmoTeWpbstIJW9<E5j8(6D$Bm&^$HLgI-A0UU1f?CuGKBmBF-EL6(OQ8NRRVG8
zBGTAuM46<*^5mF!`&F^}9f-%m7!@>gRjkDh$<xG`kUhqFjJ-3AoyTcX8$oG@u?!(^
zfw6N5>JU=Ia`P@C-Uq~^h{*DC7q=$PMD9sAftbYlW!R%0$B~P#*OrM-6JL_{t6@F9
z-XFeRJ3QxD_}aDGh_8*HwDiK-3;6}%OKWPNRTvbwgnM<~B8zoG)?w{}r%t((IF17k
zsVM~S;w)cDGtWY-FWxys)aShixR0ps>2(qGI)jkJji9unSB8#X5WS>ugr|U!NFH2H
zrYX`6TO@5@-ccTCeEYKy;c3$HU}hm?2lQe}W0Cn9u)6Z?!&j#-RAl5!yhi^*#glrW
zVl_u3U_9P&P(iKTMkU>}?RH9<p(z)nq=GpwjPNLE80m3GEHaW>6s<~9nHZ!yg*U2W
zGZeCrxQkO|84;Le26fk!?;IQf+#ibGI|A>_5omD?*|CDUckMRfYa=Kvr?J`#`32$2
z3qo9o7Ex#gh;z7W9h5>2N2^&R(#eyEh3jxnlB7oFMsy!xOHwy4RP3j*dV0M#dJ$Z{
zDqix=Bf59(Hqk44OHzi8Ul6?%i<)R~%xQTh2G>|1t(`}dGU*~uIGw;NJ>Dg~x;PgC
z_lL^%^y=w#0rbky@e86CHNsIF0`i(U#Hoa~!J|Q%3F(A@&*tqT;L4c%ArtW6yLzLC
z%H4-lQ@)c~grTfof;q({nCgIla#2}zemM88-9{bVwCr{|nxQBcq@&m}X(&mEi*g$f
zP7>T6DN*7~Xy=>}{v<-N%8k14G`m>LmJI8xx2o3{?{s98eA(^N3+br|DX;cB$i{|q
zyv2Z*b{iK1Hf_6|kY-3q3n4w96JAK&eXH&JZWGlCckVy-()kV2`QK9yas(3Sr^`vD
zntCvrfY8Lj7$jpLZp)9w>gqxDB#Ob0WhR5i+c<fyvAAd}nLm}8gRn$9^S6V4Eo1u`
zkT9B8eY=fr{`8ks-h;={;&#yH%5B-KTGx-Siu6m(EaDu!dPnR2AD*iu?N##9Rr3D<
Ll7Z|p4FUlGnheWx

literal 4610
zcmV+d68-HTiwFpgcHL$G17u-zVJ>QOZ*BnXom+1sxs}J?=Tis`1ejTb72Yp;2r|gd
z0s(e_?C#_x>A>LCR@#;vUEJvm`n&I8$!^(Jm0awW%932uJq=r8@vvCr|HnffvVQ$;
zG<vuEbQ|A|NAJSSzx!?e;LcvJ@+ZH-FYxOm<Zrc8!lh`Cr%52L;3sFjL=I~jg7GFA
zR$rd4n1=YTd{H%-F5`S^uPb{U=gS3}xka4cSvR?!EI(ED_U7S>5R+Y9FA>iFk%x>H
zv(?;hiUObfVL7>pi>1A}&G}PI2_hH~^9vDUipNY>ikrXQUk~ZyU7Ri}>z9++G+&W_
zx{J@h{{SV<-!3MXP}t44A12OD?YfLrSj}zDrdll^Eg?n`!=bdzsbj9ib^7JiJT9(g
z*V%-4G4(_3Gh8XEw2{ULg*6ep`O?W0s$=S7wSG>yPM32#U99i<BF^Wt`300bUc_s=
zSWZ0hGnD2tcrw#)akX6DqIvx13M#e!WikHU?>>I~SluVC{H&!q=Fu+Jb^2d+avj6y
zk=4a08yrm*qf1BzO<=UVveS{M@NY)n`_+67l|HI(G^b(YH$RNhY(8ozV4LyPb*wz(
zd^wwcYA(aN2%Ea!l@XM9bra`x{nhPpSL&&~sr$>1fBt!NZ}yi*X8$*v{eCu$KkUln
zc0LO$e{b^kW>?bu&qeN}7cV{GUAe4Q>#GGNE)a_m!!aO2qDMv(=+?pqoUD(|w$&B1
zv-xtn+hIKBq!L2>wf(wf-DkFX-;-pyXTxnwFCTY!NOZZ3JB{9_{M?-D!+jU%*Yhks
z&gLJ|_3Y!t=0;|>ak`ayaSPQ44=Jbk+ot^Y()Li!zdyh1F3uPC>ZB`N;Z45KNPJu@
zX7j3+shr}`gWsgfnmPdmh|{|X^qZUev@dn%hsz!s^v>?Lw3qdLZHoV>DAfZ)9?Qx4
zhChFo|Ns2mcfWRL4fk3>BPA#$Mi94HAZ;;6nz2ZOHCzilux6jE;g!LZF}NRLjN(jw
zD{E%AF2Wb+_S5nTzVQ*R|8%idy{C=$P*4%~P<dLCfhPk`_QI0_jq1P?>px6qAK}qo
z#_ifVHm)@F;^!=B>vi2QvX+al2Z*$cYpDqeOmM^nPsoZ8PzWg{j-@x64glFBKuAl*
z<-qudy|Wh&4oQ!^Aov+CazO@K47At_EeZtbT)dAGN<8gr-5BxBUIwFHC+WZsgr|VG
zp%iH)B0Q4-17RSzRC0jCULo<#l;|{t1un0h`zxpwH~SYf@L;Pjx0fKZAx^7*+}dkz
zuPx|qtMKiSDtMUN8t8Ihx)dncxzOcn`}xt%d3hRD6gZ;DY4#_TK$cQy#fC)^eAFu0
zfku0z5vS0_7%_xv!z59Cq3L=Ct@3KNSdJOc;ot<~Yyi*zpaTP_K)lWjKyAJGXgL$K
z=bBNAm^2P?W&*M<V&n<sET*i5!`jMTy`FDgOX*4$VrWIAu1H0R>W3~w4s;pla$vd?
zNY<IrWmk_rTEfueBFE7nL5M{hJA$ki1|{ivV1f8ZUprEa=rI;R7_x&f{(8392VfWx
z*pPO<tTTMMd|jwS3)~;l8A}~d^c7KKKjmCUezpRhJf{s6O`Z(-X4E{kd0@P(P5rSp
zb!eoNVI)u-QeZVk{9Z6Z=vd%N3j8ug=F!hUH5*pBzk(zUb|L9?W718J>IR(x6+2?+
zJj%9iB-@!b1L)CpE#12{qx(+q*m6UM-Mah>p}v|sE;1IPkcb5)5vSNAn~Xp_YV9yh
z-b?e!+`&3~HbVEp9i=g$W!z~h-=4WcyHB(o33sR(xO1G`!E{V<C8X(@I}LW*xbvt-
zb>mKfiVfU(oYAXsM=28sjuHheG`OeSA{UiKSSl;6BT>ZH_IJSLCLCOD+yi$Am6#Oz
zJ5A-=H+Q;E!yOBE<iMR{<PIMTa3(<1S-;$AwA;#^O^@ovodOl>z@68QXMRikq0w>}
z8%RXCk1%3T7#SHDiY5dbw33MxujpLQE*E<PP(9&0=Cs0u_2Kw1O(<6-2x=)|7X+#9
z2-4klaQ?@ODA9Zb4`>ASGoQr8==+=5Jgz~a#1EqzyYyG^YXsq+hDp7sQ*|ZAe?z_p
zB*ik%EO!J$Zi6Lc*tFRSI?O8f=&D9v7f2W#nDQb+g32`{G)@7Lz(M-7;aaB7kkAh^
zPNou^_6LbJyN!@|+UC1KqCjen#yR<Rf%TeeBXB^{10Ojw6l9=5Kt0l=R0u(l;)$ib
z3ha8#JkM_$(aV}Sm8350p_Gzy(@84R<T^SSN2ANRzHAF|+~_7`TPmFO2>hv;!)obE
zs`sFzPcjE@Vz#;+xld(7?_L$wc>{lBJq%C#S$0rkVJc~QUA=x}w3}uYsK*&;rr;R<
zP=lnbx7%xQCmi@-iWx1Pw*>0oZE2<vj1hTA(ZsTwYQ8+c%vqi45c8=pe!u)UJ5D`R
zPD;+!(-Lkk(-K^b8LhbLFfFk!J$z!cn;sS@!x`xz!@)@hBWFpxL)?de9CIG=<Ty4Y
zNMrC3=wW|xmlP{QwK`zjrP-GnLQZXBcv@O`v|~fgtcf|KZ+}`S@-U6d4&L`3wQys!
zn-&(R!Wn5{GDbM865KVRh?`(xM65aTMq$Rea#s7-)j~cNV$4J(<gOL7y=kGuTx)tr
zhng9-CozPaPIYAXHYOjT`Lb~qBMB()5Rtbp`FmotoBS0B!5PUPS4?WJ4Pp_9$FWdI
z3zm=%HV=&{cPW+1-%W(x==VJuq_Q%K_o9G|mc~dom2a1{U4DotuSY`7LCrkW(Cut?
zjhMiW^AHic<F_v=;2;0|m(glrFSj?z*hhn{SptW=DT*0a`hL&Mx0dL+eEw;gt3Us;
zcj^3j-M&VX2NN9zlXh-z>W=yA`*+h>h`&JZc>iwv{$1WK_x{~)-@o(o3Dn)h!l!?O
zMC(ReC-Jwdb&A<d&Ic^kAOF7o@Jl7<>p1><{s`Lf|4sg#^C$Pe{$)B@))(EZb6PEy
zvzwnEOn|xNLwVL;)u|?-{-nMQwEi4D6brsilX$&OQU7W$;qhPA&3Jv;-R1jtpFigU
zt^3-a)`{;QEqvD%Ka**i+r@Ie^2^nHXOzQp5Is?X>dW)0I&pO)%pxYn_ck6EV`9dX
zRZ_PuuO2EyeB17*C1m1}pmf7mfsmgOzQ9lO$(sOhp#bfK2{KkwBz!VfQEI6f@bx<Q
zx>I-V!1xlZ;syBHRiXi31HJ})y&k>_g#3)~WjRYYD2IfO8gc6)vRY$AH8|j&QN?ue
zMEon^>uHsLHN0M%TAqd0UcE1;OH{OgTDwX#P-~#psZi_1-g+QvHQ3!7wF>n6jHpF1
zk3I&Aq!$rf&6JS!o*>Ty2Y1tHgWVBO3x+GgR2ui<ba77Vc$%Vv6&ecoZR;V6Pm5)|
zsX#lSRB>M2`t9vK&k#k3Xgo`Y(=WbNtKH}LS!?SdS4|!$^p)$#`x4b6DYZgH>->I?
zIAFSxyl*LOu-hi3kJ@%ODJ>9{bCOaDcqLKg*ELwg39#15ppj69F=d$#p*WiRFjBhZ
zaUO2VrZ9X*Xkv?!?)Hd}(-V-gX!&LE1O`vw96SM{;BTdv>Kk9%c6Z?GK~Os4tGke&
z5xxWl$A?mnV0=Rn_Y|N_l|)ig8-%6Y==kdR;$uN`Y`ws{VoCRfFUc_0CG=`8-YEnR
z&`J)$0|UL@6uqFgk};;xTU(E%I@Ea!+jg7j^+Zs*(W^km&xl^haId1GC@_r?kJ2FR
z7$}u<gbSsO<Hav#I|RL0K4^oRKF(>&&X*~g#%eC#2?P&tQG~A{cwoTSfUkb=wGotV
z_$m<cGr|`oRI)?`z=g1UBws+9N%%*oK%qL6Ca)j+22WFFuUoLb<_^nZ-<r#J3f>p5
z*x-E)_<C#j;$uSkJ;<odZY#bvg3@vBu)C0-5xzV%hRNiC(orE!3`5SckblzAv*3a%
zJ}K@H_)_)px>WacS}7HU_-ZKM33y)u7X`r$-q(Pyv%r_APeR50hHf|7ZN=9{P`cr(
zK*-MsUx_7cq|MEOc*LFN$eLhK@Rp|(qUGlGClAFK^ZNZ(vX7-Nq75cH4pC`5Y`dX+
zClI*-_)<gU#(=Lkg)iu>B%iM(M8DowqupkFJrR_SlZV}f{EYDBsq_{@V+fYihvz!v
zf-uN34b@3x)T#JA5hsqX9Jx{Cd>w{feJp*kiVV)zK(Dt(FIK<)NcJ5z-(Yud^eWKt
zGoqIx-lUWi5+*WmG*v)aVTF_o3Y#RkFyt8MrRrBgl3i!|?sM*t6$KtPm+usuFIu$p
zH8@`bzRm()V$69ZRNrCq4R%}cwGotV_$m<cbHbO`JX%2!;{qejtwkm|fOf*zQmli-
zN3rXxVV}l9@l`l?_~Jg2BaPg^l^7y727J9SeC5BSf-c_ouCHyoZTNa5C>`<DUC7S}
zUs1cLs3r(oB@t&nA`^{8K}ZP=g&FCN;rxfD$?8Mm3zxp%{H4kCBb_|tL*&MQuQ!G-
zJ{BgQ4YcE}(1(iL*tXm1eQgA#8@>vJyaT@aea-G3;^(bNEF^=B7YT7i7}CTuU^#Y4
zC7~lOek<4^yfB(KPDtE~7pAq*rqBy(DBmeeBI2U6V~0t^0b{3+F<^uq3sy<e8ZLaO
zNyKfttzOthP`Y8PK*&2_tk%+#0GMY4Q=0_xGQR*h8H}7!7|9@wj5sMm#4!Nu4NfEW
z6G1=hUmgJV)&O>n(})E^eujRSa2!kTJ)$@o#Dj3iTCR`?;EbdoBD9oaz*s}WJLo><
z!dS!?JH~PPVNwr~^aIA;9>!Sxx_8_fdUYs_ZQE_d*hWygVXQ#N&k$q8dK0Y`NKqva
zmo6fWtwxkdDlAWqiPv8hYu<r)D2!1-3s=QD?2tT8j0rhlY{1wX!`Nw@CbbciZWt>N
z@(vg~m7oqGMa-Lb5%E4C9z{f!=Uv>II1{-i;Rs?9o0nk^dK^b7zFt};K2Cf|I;@5b
z_<DQzdg<_-L*Z-NZY#bvg3{3o>n`MHgfFeBfmUHq;1cfDd5bL830a4=3!XaVj^a2D
zJf@}+ypOYdB`rJ)vAKAs5K&+D9^fIOexTP`(CY+35;ua<ja~&hen#|?!V#VVMk0A|
zIhm$NJ8Y4(fq6%Hpz-z3LWHMD^TEtQ$R6m$l*Xd)HDFEU+l8-QU#Q5)mw1igg^EY@
zLdANHNWgf!=b(Z{yRAyPY1`eDv_MnNNJ#~AUKrs~&@j^Dj#y+QwJ2JZq%tu`cMNY-
z$7U>KC2=38$}%D_D-7yxD&HwM0(dwSeQ*Tcm?O~P7_vhJb#L2k#n(nqI!<GC7xFX0
zmluS%5G|t63J~XT*E%SL9FA7ANTicT5ewJjo+L?)ERE<sz?P(bUZ^-sV-56rYxE*G
zzbanx-XprV?Y7aYcuP`&j-L^|6pNZ@aLj2w6N76kkk-y4N||(#C!CJpl^$=BUVWSk
zfrmq72YL<kIs<wY==d4YiyGmm4FP%09O6_$+u+e4&4hG9!0+buBj9pO{+J1P@O{0}
zLzV7BYAD~)EW%JWEWsS(5=?zSKweZ<y&ulKZMRiNH!ZuHjut4&8R;mtOd3iO;v#PY
z!byVLBPB|l3GJLS!XHH_R^F%!PqUB3Y{{@LdaHVK@s3AE$(P+OgODDZkn(!JgKTX$
zhg%GIZnt$YVAHm{32A|(bP&?hIpKvkC0v4A4m1hG75wC^&o{4W2*#Ue)XP!|ckVyz
zPda&y>SDT5JBOh8r@Ot3L7BpA*Dk_bbL;e*o;MyL@?!FbD%UMJKU3I$uHyXD=*BMn
zRcnvgsO^8wJSZ5brk|~*wa{ujnoL2Q;^-P=W<)R!`Gabm!9|_HWO{kw?IPw033!~<
z=*Rr&=;KwKJ{4+2s;<KOQ#J?k6z$w!jq1DTs=Z;ds1>4%`u?=|pSps&T=Q6V>(=?>
ziz5GAbE~*OFW$?Sftc`w8;Vh~Rv~VUg)tcR$VW!KrUd)~Rj9JKUiuUr_HRG$3Ev>G
s8>1ZupbT!zD1)+$Anv3_mO^$u3JgO~!(bqK8UxV(2U;<`jvWF40CwK;1poj5

diff --git a/x-pack/test/functional/es_archives/security_solution/alerts/8.1.0/data.json.gz b/x-pack/test/functional/es_archives/security_solution/alerts/8.1.0/data.json.gz
index 50d664aa24ced0c18a63810e7ce53f9e2cf7f407..bebcb0d90f838f469e5d9f06021dfba1262e2206 100644
GIT binary patch
literal 9487
zcmch6by$?$-Yy_0jfnJ%C@IZIBOwwm-H3FzfRso%(hW+;z|h@@Ff<H}zyQ(>0y6Xv
zBQfNe(RW`v&fedt?>hgind`Zp=U4YH?zI+UG(J8yHkBRLEo%!;3tmSLR~M|kMF)=s
zg*5hq)ARepZF774#VzsgAWlY^i!+ej;}gz8$ra5X9BwdK+mBx)D6SD;tTIKcP|g=6
zr0=Je<6IJPKP2CYgPE~qo{vzovlrC^{S}LV(qggGD?iK5$ru-VOs-OHxS>gABUP5?
zy8Ex+yz>IPR4(+SHY<wM*EoLaTpU8}F-9+24ImJ!bxg<7wMykuQd4(4R%>BO#b5K{
zXMH#-EJDi4Ap%+-yO|1-Sj(P_i@$cov6}VegXGNdX!|`SnilawY+jPp>@<T9K#NBy
zW+Sc5?skmhL%WyfrPr@L6h^*Eg!VC{8D}jnnB>=dcNuTq0ZVUZ+-&Gc@IlR%)BX2d
zx-Js421uRaTienWO$x#1GqXNT#`Uh}x~02yKel%fh&I#vb`xwnTuj!*a$jmWp}kQm
z%t@<KccCZaRSP!bzV-XA3C$I}JKXvr8rG<;A+Hu9uubDNwEkG^=tQdP_<CIxG(D=5
zT=ST1MR4Gm;=14<WdVoou&AknM(`uUjrNrB)PUDH*E0r6E6ectfhm;38}XY#J}0T`
zsa7Y_cMBWP#Z0rp*^1^%O}l9FUd~P~#~YcM<xtd98@s6JEXJDErGm2gsad`2+Tx?0
zEi;pJv&Dc?dxyn@SEvb)loZRsYizm1<S|uU3F{XGm9py&D7{AW8onawqS}Co)i1CO
z>i(2MXICR}$Oib@|LaN5akER|j<q<D19<V>WqI16rRDnd#nEIacri0P<))SQU~toA
zanSRosI(+_K<fcF&_Fx0HC?1*P##{|#6-YeyK1L@xNOJjO2+upj%#gNY((26LziZ7
zNV~49=h$S|b|JuXgL*j2EGg~X1>>~7TEW6lspgUA8m~R2xL1JQ+zBT)rI#KU5*J|4
zVO5b-AOr#g8F0neb`@}>jP@bl0%==`80S!+0&x6BS<NBeatodM(OBr|hQ3N4k9wGQ
zZJJ3_baXNbb$Z|B;?8o4<0xq8Sn6#9(aJf(vAHY7kU!L*{wh;Sf7xurSO4Wz3W?$F
zPv5DL-Kur$WZvzyZd!<4er}<odg*|P0&CL{L#36We+(3y9B$-&VL4ylpVeHJ2=uwS
zF}>awr&w&Ia`vch;b<O2M#FRNfmxc2jD%$S`+<!k9l$*Va;0+-z5^b7K^N?-|KNFj
zWxA-y#?8m=lL3U~r@3i)kLJ9eG34$F%9FKamWgF+6N^a#$hve>@1eERpNU$oDxtg(
z_$3VZmY-)4sy=w-{lbOgxcA0y$7SD^9SKdBMCdF7mxf&i1@_!g@OcSpgwu~}CH~j*
z<*qt=&}o9DWnZeIqj`AUo0AXFf`kQW?PkWTN|)iTi$Qnu(;Uw+F_L{hwNs6+=V#K;
zZ5LRHLw*5NL}UNHANz5@@v^B|W;na6#c6+5Q8YZaqAKqq?B(3Xb?No=Y1Oscl{9Sn
zCi>;+;vV$+^4ME?`1Xm(PpplM82G6RUlrsu7w>`NcW0gQdbOhb8e|q<*t=^RROV5&
zOL1YNvTJra)v=NeP_8j(SjA$^!F3v0=Dkk4tZRKkUUkEJOgp{3aShPOdf0UpbM7F(
zRj`{$cFS9Hx@>2E$^T~lAS1tDbHBgVKFD_dl@~>l)2b{|mt93<i;|(BZ`*U_<Z`VP
zv9Lca0)<EKEE`P%uO69H%=mpIYRdKaw6J?UJe{=h<9s_GXqXjpZme>c?+;h<nCRDL
zJbl$uG@>0~yKwCWWIhYfyL0S+veWfCsA9lj-0Y3WIuob&#!?MWp+SS#&FiPo=;p*(
zpGE9+yPx^}n@U9jrlf|4)k75?qVrzB$_4Ez+o9RfMvmphHdhxwyyODBTF2$uRoZxD
zc;_UY$GNT1C6ir$8me!cEKux`_v-xO)UN!;F{(#Zp0=cqP5YC&-$T8h-CyMLRT_~r
zjh<Oc!^6wT<d#>dNgq12Q|3Fu$<_(??3}dD_2wB}`WB(4Bhh0VvIARelhn4r(>^<w
z=GF0{4{0ybTU$l5cmjG+>+6dZNVPjnH|8eBHK&cu&`B@4VUyNou=L)$Ru!9w*{zBt
zv&p>;#Z$tY`89@`jJ)NvB;^F46T3b_7wO@dy}Croi2Sf0E^c<ETIRQ~QF8O$Xvr-z
zm7Vc<#kP_EbvrLnoIUHr{MN|uKD32q?uq6jC$MeXh&hqhgJ3Sh&BHU4>}$YG)AE66
zkSW5Odl|S*?;$4E%sh)7*#Na_bFNGXtmYB3nz(G)c9~J{xEb{&t;CBhJ8vqUN1ecV
zD`u;!^Tv|YL_B#!7Xl)lezN@7*<0|^kDP25dKCb~e<A$t^3|DWnKy&4I&p^P;7Dv>
z>y+f5VQ<W?j1AV6vkuc~6&=?-?3^per0k|9t_v^7B#OdL41HZlY~GxS34h*b_i+Be
zs4u+{RynIT(u!!C7TMSzR#}HuI5^kvo*o<;{X|Z)em2<$nkXB^5Fp6TAPZAqfT4$Q
z<=KbONQCOD+V(LsVuTvl_Et+eI6efGa92Y#Zw#NuIGgEqe=4<b$ajHbr3Bc$qDP?*
zS;;xl6pL+PgouUUpE$@s)SW*6D+AETw3U>W!q}#LfzMcScBKA`KlRpC^DH~k+-0!P
zFSTDnKqG-DS?78oco_*lRA;*VGBJ_EQcC)&6uJ)w-HcQ<w_gr<SGnFkxhk`eBKO6G
z-IN$jS8c}Af}n&*F@8o68SD=H7Dkr8xfK76fz`YEK}k-yYi4qn<@GSjQoht}xL=p(
zV6U=cIp6G{1dYiTntXg=0rEV8b<%8{Q?Y|`ylDyK4;4hgq#Ixt8!d}078L}fg4Y~_
zTs`mV_Pr#h&~vb7<D^cm0DbHLgH#>-(3%)QP%0!XKd^YOuJ>}ddxg!51STz($^@?&
zuR6bQseW>!<7y*yb?s=r45fmX2@IX#gO<UfK3<2xci>f>{<r_pY>XGcUeNNsdwc|H
z-g^Br2r3XMQW77CO7&wDm{i!zCeSeM`(ADiD1MfwFYL4SL`XgQS&g-+{A%6{86O0P
z*~~4pMZniEef*kRXvwbbXWB$eFm<Q#5CEgan`<UeJpa>qE2-(-GtiBP>*|k5@U%2G
zlH9gv(E;mM_!dpx{|+J0OS}DY>)(Y@M=d5n$ssj&yj0hnty_7dL96Z^@R<N*4gM!_
z-iFb2YL^z>0lTz((^_VXG4`+&T#Gkosh4V`W{xr;vkuN_{BUO2uo*5|v7H}`{dvrL
zRBL3S>sGw~nK};aPY{FoJK$6Po5N@3=$ZN}$QX31w%lT4P>Z~$#UQB93({!R)5N!l
z=QJSKJjyt+!c>+>$0A~8L0{KeayD^R`8Q&BR(*04+#Fj@rtAmaW*6Agfuz%!_<=W|
zk-N5c(2-vLaZo@d2g;Z#B(Rd|+`W|NM~A4c$KR)LmWB)I2S7qw&sNqBGH@|LYrnjH
zV}89B*nW8;{VT;VSecEl(NQ8VOc3M%Ah`SwDx^2tA=@#4U%G^ahc&KDm4G?@j=COO
znBQP*?eKUu&xoNG*dVHda9yo7HK{fCFxn6B8?Kc960SB)TU^+FE8gKAc**E)yMM?m
zCOrdD8UHJ+2;uZr65hJj%myF&ztIH6JmK1FfKNQ8vcGDQ8Rk{$#2sbb7{z5%No~0W
zCo95-Elb1ce+w58^Dn_erv=2J6XQLQ9F0oG9w6%t(-s2(@@CeLXmx(y)XD}OH!P%I
z0jBikn}3zEzxnlc{(IDT-=#~6pDt`!g6mH2rHN9DQUEcGy<eFVL^vz&r1*N+PiC<A
z#nZF|l>u_<lE@^ZZObnlIs@*WnNH3XJp-4N95~3+I8+o9j1*I2{VOUw5&Tap)F^t<
z?xUj3(TZP1qgG*`0sPQYs&0{=7xODm2`~u0M_ui;U-sP!MC}3p%4M{G!agBR_-XS3
zv*oq0ffzS@AJf;Y%%w&?I<b*dC-lFP(-h}SjL_<!0Sl22ynFx>>93}F)fgfGc;4{k
zPtT)ALYTJl4KzajU*t}o|09Kn)SD4g*rn^z<$Jz%c}yx-{X{3sJ3s2b64@-{K0ojr
zw7lmYAB6(j{X>ywDi_{T5tHkE`<<I0M--sSk(*ldqLI7hp_n6|0hIv_s{`kJ3_%ii
zF3um=$Qv!*-r0+t=(py*)T)FCrYiUEU+#VSF<@lLX&L#jyEk9LD8&+d2)=x<bigR(
zXw_AeCeAP)wjZpf7xn3J9}Wlm{(a)C8G({{q*pvcpO^npYL~B4`3K{3<)m;u*2wSc
zE37Y*(^u!_x?_)?k|J-W7Pk!I4#NLL#uuF@g&&=Ye6W*<(^#-g^;s{-)oY~h8z3Cy
zVrYnqu}^TYb3RRxigTUw3kp8F@ISVdpjz8SeDHt!`BG&=>dPkGw}OkWD}A|gDOw8y
zLX;ym+{&=j{MFZ1qln0c^=F>nD?_z5o3u8Cy_I5~XRSQe&2p=FVNyYs0-HZtZgQI2
zdXPllyG|kSP9ta|&zkpG#^{11aoy6^lvv_MKh7-$0nY*`F8UOU%smvM?TjQ7JSyL@
zsO#5KMsP6e`a1cevXYIJY-CrT14@;CD1UfZOp(MVzDJX9`C+d4!Ktuf0X?a<K4hRb
zcp@88HyjdWXT?>bR+_F|eJ_*qqrv0ps@;VOe#M@Ll)<{h+JL|Rk(_#{m*LRME~;n)
zCeucR1y8^$N&|?sy&r7HiYStV-R2vF2HqKQXHuWsXQU}iegsQ+^1)VB&O#zF^0rd?
zAt13`6r#!<2Ku`x>u6I@Q3<XRipP<hS=)+sonU2OHqMdcs*sN`q`B2@l~?coWJk}#
zV|#%TxlID}w{3SykfKX|wD}0}33}%bbToO~ay+2HR2982cJ4@PIdi6vC-4)~-uu=Q
zO5c2w3iJ6UdqFWU$0nLe28$2prCX1H9swRYnPkVIZr?jf^R?)=UKQk#CTsTU3Ug@L
zI1{LG(63!J-KUl<`8nUS5?-<{E6k7$FK6Hh9`${nRw(gI&u)E8rhznM=UGD>dIY?S
zdt}_V#ul>kc6denE-Q`}lOu`A&w>|X#n7kFh=RT4^XQ#}o%wKH&;1|iRGFWiOIit2
z0<@DMmDVu@0tG=O+X$Ov2Wv6El8{}0or4ruVL^d@po8l;!dP5oy-&L-5$K^0OuxKt
zOM;L?%|2a!9?(lcbl$O2*UAj#TAmLOhH;F9B!pWGpUhU{z2;pscm{T|_b7WxYmcNI
zV|z|XJhPsO`#I~f8NAa>W{0%L*DbMD<z`%`U{=`rkV-D7%_V<QnNL%pC;XI+327rj
zAt@v#Ko!d5a`h*SG5K_H5kRcxVe51CrU4R%tL<1oWu}}S75BqDlDdF1HpNubC0L2u
z(DfdB!r<m4ITUs`>>Q7-wEL90Q`4dt{72hF(Ajk-dM43xwm}ch!lJ5%z%4nX0nQJI
zDZ>b5Lvt{%ae0TMe?@jqV;zfiP>4E70&{6p9{u)}3Td8y_`<uWJLnf5bZSoe%7(fO
zm)&kc^=z?C992KwnY;%-%NKiB$@m~?nFdyN{3^(&qveedpE(sj5eN?^PHMYHkawb>
zcq)*XVdw8UeO&*|?x3?@f9DINo-#ax>8E3(QP>Lc_^=t6eyxzd+Cr-jTxklfX!TiV
zF*Ls(FE#2-1boU&BVT@<<}!`<_0Mlh;Z^MOLMZC!DCs(il*9V3sUUmpd&)#<4N0m7
z<P?;0z3yLn&E??$TLw^34E?(32opXcD3GE`nOwc4nZi3r$fANrkd7`EQa55;Q9VWF
z<os&^?7xok3AdBle-EhxWw!ssEo5gCk_?2@8C5_Q6R}PbU3bbL9CGrs6uB{QTDPT!
z>~fvn)MphrLF|3bC9Fdg+3G&bt(pbk-B@MMqeDVP4z+#=^AeYOE;BcQ{y=VpU|W*9
z`#NzBCtafDPo|Q`k`Rffi~~^q2|bQZ%~SK@ENWzOmB@s4=U7ABi!^qVNs-ur?c!47
z%ui8xMhIGl>GwIq^jK)j7|xlpDQLE>)LuCkGg!{#S6UQ5rQ4R6yBQ@p)|u9XULlVA
zRw!t~4Ap&TIEf)yJm~c|)>05@;^VD%%MoEsYA;Cts4|zvnbEl33==nP36i8FL(7&7
z$#L)IdO0BMNzvqk1Mx2>=;qo?!9652H|6I8QS&<m5Vmt;z&#{9VW=`sa~<4w?y)Gs
zACJ-JpYuGPd$l*j#XgFI%*vE+2@)!M7oXiq<To$&7hLr4+(LyEis>+xpoBDQrThK;
zgT+sX;^<{{HN`{ROS?A*9Gv8cbCb0AmUhA@x+2L|x;45XJ%&d1KLf60@=^@%IyoDG
z3-hL4Iz>b3ek~wx(Vmtrfh_NKLnBoUb6=csio~?ccEkCKsX2ra)<u8)@nrEXbAO0I
z>3zVgxO}aWlEMgOiV|JbW07IjUIW2|4@cE=<OXm0Q>&OdOS-u}bOYGZkCkuJT9Wdz
z$}0!jsLR}O;?B|4s&MA8)>R1Aemq#qW^4_n-k?B7)fZn@D9fhUvo%NI_c_v!qt8DI
zd?b0GoYb#Q@{PaNN^*zh@Y4Ol%>_W?SoYY6&as(OxKZ4^xS8J3C!KLw6L{TZSL|xK
zOq|uuKjA*mg|5h}R~_h;Ul$GCamkfMvBv3zg3!cJjr&X4U&$!lloLl?Wv<Z^j4oU<
zi(;xn!cSjF7DHSzpYbp{;T#g4v&yvKfT&?aa6Fh{7S69~eBKfi(8mRW&mZ|2xy^8N
zvaC_Yh?ukr8~Gszlxo{Ai|p=JneUY@Gu!WXr7fEz0;`M9^7<eJosWC&O@1_D4`}2G
zF?<&^o>ulF|6%4)dN5#ul@f3CMRKl~j5VBAz2%9#=pjNKmKlM8=iBDRd9VT><l)p@
zov_-U|A(bEz!?o{xEm#qg(oECz?8Tq$8NCQt6U^!u5_EC_5KSnwc@-Nx9wW|m{>YD
z4+&#Fi`%DY_rLleW4jT<CYAt8T+dDVfNv5dFLeBA+Z>dXiqD)updk5}={IJ{Xv|)<
z=Fl+=p#HFuSJh2cRMq9>Gy*UOivVap&LN}tC**InqY<bmBMuXvcw<EG$lmr7y&02T
zoYfSvVy4;Fkd$pb!v>h?({W-TxR?$4)k)EaZR=cgX=WiXy%bHy+5u*#%<r#$#Jd!)
z^>EGT9GVyNPsq}2Q!In=7Sr`fJdx4kYQ^hTT6e3mjqY`Gy+`*?bJO<nV-BpE_Xh3U
z-CQ#sEkTiOJkVeLQdPjT!+w0ysRklal`cmF1Nx$opDI6>3_9W6b>8@4#?5&>qpn&)
zIiaK!<1uy)%J@F|mNtngv&1@snZu_bgKE8{T0*hPeylWoX=zJ-<c>NqyHp5;H2E~T
z5$24Z9^Z*Ib(ATGI6J4s8Cq5FOwC#TT9#JsBS}a6m$03j0g{1R1gaXUj=nff&h>^)
z&Ft8_?8}i<P6Y{Z9~ATSwcN;)llpx#LlhV0UOA3Dd_uVKCH@8KaqW?IqN4UEop}BB
zV9w+30~KA#excQZ)+NEiY?`*otaAW|#`^B@U5b9dTlGA3K*X~|*zfM>EuuRtHK>X5
zmE~dOj@`j*`}G<D2fx~5C00+65Wv&;R+zXe7N*~MC3k3s&$&3s?%nPBh1jU(BrUlm
zu57@vfbKanqg0?p@p=+w;Qc$$?29oQ<*+7<Pe4yu20qh{%)gDltg|KVO?ZoAHrOoP
z<v9;ybkJM8#e|2Z*qACq;@DPbV54Uqj_o7Uj<z*QRirbjwL*0FzD3$0p~62+wVDY1
z&$g5M<h7@d+7Olf(3iTG)fuA6Q{F6&jFM~pA+H8YO7g7O*b`dR`d=m#-&<;MpE4|h
z9F$9ZcDP@gzVUh$Ju@OtzyEi1$K+^pNbOXlDnoSl?6ZdTPP+{J!-bb0S%lb#oO7v-
z#rhfsyWu}rsV%SmjCoL%{i7jC_GxNtY<E&ngeK=uzdPCJN4k<={@SE5kCB0IOZJ1r
zA8m--IJ@Ql%Jfncw`{=<iBMX3l5Otlqm*z~zM-Ap=j`l}ZgUSlb!t+RV4?X1X*~@w
zL@$Yl1Y$x7HfG?TSR_f_0a&)Z+oszt6R83Q<y1b=#W0qW8oa-F3;#sXNqCOb;y(SP
zrpU;E1&No&zYa8p4$T}evNX`;om&$D#GjjRmC{oMjT>f~!H7T*DZF1)CG;)cMVvnW
zQ2qL8-RftZ5Qkna8s{co=eiSka-w}8N@L`qX~&!%6vIExnwr^eEVT~%-dNh!P;sJm
zpCl@MLUza@m<tqUxWz~e@t7!i@RXk@%d_MxC2xq<C!w-ey34dfDE1NEtH?HbVoarx
zfwM=WyQ-&7JaHV+T;y*P%_m$3_EZAtbEh2AgW(|jl7Nyef^x{BW5phZM*16>F}Sf<
z+Y&@BiElBj8M5wup;Y%sU|^4=r;YrY{_!CsD)VV+Y?5&3?i8>a-5PVp#5wXRR69Qx
z6I08Dwkt!Pq&2XzvB>&UiQ6(q-d|s8SMDhG5J!_D;^WU@oai!}^_3M8$1k-ikBBV2
z7a2JqZ^LD4eZa=XoZ!reCz~OHh3=tqO#|k|=mR!L&YM*gSM6#3i3}1wfp`A0US_An
z$E$aw{c*Z92RX?8Kf$GhhRgMz;9@fENc#m>XzO13Wwd+`<9wt}Tuh^NBN6w&AD(r!
z67kLn<-|iJ^)L8)5|4C4xl;=Tamy?@xFBNd;S=AxU$5R0t?orr4?#iSMD)GL{}uH}
z#%I<!m`(Vj@xGvM0dBIgGUH>B+{;)yyI`RZmFKhqQqk6lZ^9ls{Wy=Oku=3VRc2>s
z$rD#v(PpT9Nx_>G|Gb$cV_M>?oCAw`*rw=dfo354Jvq29`4Jt4tG&-rJ~9X!n5K8+
zuy8Q`lWQok5?8I|i+Cw#icz@bx^i638Xf<H&%X?^a2nwfCz|cJu+kAlyEllJVdpv{
znp^R-VNC;?Vi;&gsL<>0twGitW7xST)KyM)k&P={XyR`hgSTk<rz?RWCwIe?$*asc
z=D(?J!U@n@0ygv<GyCtFW3M7KxZO=XH1I=iYh`whY02b@0N!$fYK)8AgTi4tUt}oy
z@F-x9D@j%<%T<5T`!e=)n*X;sHl?p(z<mq#bz2rxu9Mr%nV69$=$M-jJLSgsve8_}
zJdH-ZVQ7kr&)$EPSs`BkdpVP72+O@9WATFYIw>MXNOclR4#7tE?9sBhZbUCv7fbRB
zm4cU=(d?MALDR+c|4bKI0P6Ey+BDm_*cg(qLKU1-7xkqerw()Xbt|l?Imf+1fq&xE
zMD_|XbPDaz)Tiad?BD*~82iON{=*n!U8Ur<p>HBsln6AGn!;VB{Q1A%5CiH?*8jC3
z{zHWcxD7uxQNL^3s;{Ng9}zc&+;r{-moOek-Ih&G;WpBX+Hz(|b#%s&UiA(R@X$w$
zrm)`>Azm_qB0L(o6#mpMctV{VVXR-bAjQ=eTWE^+C~`3*0xZ+M^05I0icJ+&R@X_B
zqCg7t<9?dM$qO9)wZDDoI6o)IP}{3LKbkTZCGcqGFlFw#M#T3LK19ZalWbA4cc4Ar
zcRf*>(=+3NuSS}6$Q`sIX2ap$Q=6ZhJ*B4*p__RqkqoHh4u6w*WOl^eDS23LR4x>M
z-~?Pl2oM10ErQH7qAeYKOe<o@&R)UEXHw0%rW^N!<G)F=*MXF18r;lzEryIcUx;wR
zSXJNfT0r)W{T!HiV=z@?LenfTEmRVZ9XnRDDX}JqOO;-&E}&dd@JW-(9#x|?>t0IC
z9Cq9JmYXns8R(u8hb>m@``#{@JQTOR^-j*{=ELH+Y9_W)WtP8R7Q`sl1>DbeTf%y;
z@XTt5^OhhfWO3@-Ok_uklF2PP@37u6FfBHnUo=Zw&hj#8R{Q&2_kmk<*s<u>nX}2i
z;oD!{%c-7Mp{Jz7jLjT3yGkc*##?k^WFZt9Azn#DX{xqEgvQjegn@}aghtZwOEOfA
zOU*N=Q>*hMrbD=wo?!{%(4CUSt|EiNSBXGav1DMZ*yyf9JXIc+bW%a|qd1b-qnH6e
z_Mr|n-QRYk-$XC*RDYRp*d~u1%XNy2mVzBS!a#S?T1%eehB@=5^M*H}&%CoopAMD)
z`ak~=%b7FkP2#!f-Bf)ehMO3yxj>QOb<l}d3R;`OXHuc1mSID?)qCq%UT4`jTJ{=S
zINuJjX~w$+K@0otvhlufg&f#n&f!Lt-?uaP@z4PQG3GHQZZ%}TLV+vz&ga|AUO_Bj
zEav$1Tf<*yabA4QLxz=o5Ax<Ukjd3dv(D0sO5<9q<p}mqX*glScgj;e9vE^rYcCrQ
z=0HaSH<qeO9TQ}9QkDz6^*VPO56K~~QfFkO6QX~lur|_46T57B`JOWNtrr~{0$jmN
zjQ1Fu2TbRRzcrvQA&6q1dYB}hKjxxqv<@QIa!hctO@3myZhyZ%vq`(uI<^?9&FR7C
z#cv>%DF7H_=|~nJ`iT7-iiDL(2Q;{D=vn1;yGmW!C5>Njb#lu}Hcy=Sc??!8M*A4!
zp$-4P(;o4y0ev9QlIy1bI}tcWWWIdQg`~4lQ}ml^YBcD{a8&JlO;l1SRMHH5tdf_l
z8}(HYrK0*<I~i8&z5nF83cE9|{cexF|1tbn<Gn(QI0@SEzx+m9Ys2TPYri1D6&~7~
z(O8K-)VH6Av@3jT$q}{rRxpg7&OhNfxlM!!6Tm^pdn`f~GCk0f4myR2sWsd}OCh@x
zdp7mU>%4#VdQCRZ_VVo8rZ0fb%;fTWxQ6*NX48z@=uf}_=<32$!Qo(Vugkw^Poj){
zUXZS*I%ZcDB-9U2-@duW5lfPrUJnanVWoING4fb{iM*)XCY>GQ#RFnG%AS9pbYThs
z3Ly{B6^Pb9$|#VHPJ@3cKjT>ydUCq@{((S!LBxO;`s(1B)kL5sSEBHoUkZgCFS$#(
z9j6wxVEoveYQ#aDM@~Rts(gh%u?+3nfek-8-Jdh}{d>*f3YC-i-)5pm&lbV^z+31P
pz{Cer^1s8*<>!$1d<~Aivk*kU(2B{vo!wwp-;<hr%8iTlKLAg*)tUeR

literal 9456
zcmbW4by$>N*Y8Q`mM$fvOS;t|q`QVjVx&_#g`q(jB}clYyGvl`ZfR*@2<bEU^EvNx
zo^#&oy{_}mp8J~F_ugx-&-c6b8rn#7bbdL}cL>Plrmm)()-DeA2nQK@36z5I0juY1
zWOp_Dj%p2fl7|cNmV%ZXqAf=Kx<oO!=^Qb0=4qkq!@>7AUn5E_Gi=ov(rksdzHyMm
z$Uj45I7LpqovrTtVSRGKY2eG-aH`>c?sos9m7EL4^dL_=(Ldf3isuPl1683{hm+$C
z3qeU>wlqu50ze;j$s7D(=a%oP_h_U^TU)+HsdV(7*oq!|WwCwE<;1TwrC6d*kx<up
z`WQe2;fXQ8E%fjOASZEhe(9mtQGT_7NQ)nL7N?axy}j3|z4>qt_G;+74`0S6mkvNo
zYM(-Y9J462dP@j9LoYaO_uyUTRXdYkqJ)ao$K&CyR_fctm$n?D8PJq^)8v$l*sjC6
zmNmd$m2|vygF*SVv}%ysm;fNEISMtp`fS`Pk?jRaE$)1oLsshI8}G>aY7>%qJ5FZ-
z?^m16^HW^Q_H;WBjU)Zv&*guJ`BPx*OL!H!3|i7fh`Xa($i%0bQW;n#LO$2bu`pP;
z))<c7jx^lX!Zf>AXWz59i9^e0RQwiCuR|JHFda^B`^{V_x3OHjQzE7DpOb$jpOK_L
z#nD(bdHFQ4bw13@zRO&V+;CTIerxO3XkX62DFB@CL8ErJOroW|;)frS2XV-!V2df~
zcpg?mOQ&n*sLApCH5H!nWYz);s_2hO#bx=m;0ux6$=11zT_wYxEngNA&JIS{SGL{6
zvQ{`U+o{s7%r-M0tX6*Ptgu62-@FoueLs;aX5^1*48wM8h{d=<hE8Loo~}jVGTqa{
z7#8m$CA3ho`h@U2-Ocj(v^Xl4J(|wkI)}Y^DJVrL3NqX7cU;w72c0t;8784oPTSVL
z;&M$H4cZzvuG%c#6)buDJ93m#EHX8g^6^JAx$n>XHgzU{_AP5|rH0PmsI`;%UmaPv
zC)M}0QY!(s20I-;R$rBo$9ivF$vQ?_u4$FXTadt7s~eo`o6-+-TJk!7Y`fiwi)pVa
z??jU)OU}Q3r!(oPG3P$;D#Xbs2B(tdD|SgKndaxl^PuVJ!+eRvipn9+m-gppFAt@^
z(eskuZk<1fKV%t%d6laRZhTPZtIu&V)$~!57O$P)CBwP5W9)37g)K!7(<xikCy9u-
zr9_Q&<p%On-tlf;M_7vCO?#@byOZHzya6OO<u4F7Lu1%@73f{!z_V4{?K-rH4a(FD
z6Wd;!tCaaO*KSEOtDZph)1C*z)Lv%^T}g8L)6M<SbDucd1v~E(j)SgZS?%QPck|Gc
zqCHqk*Yt!2?$*AU9_7l=to6WP?u;?*i|ROU?=;Mr=!t9rY@O!(q!8$k|8-L)832+y
z1MBiaTP2$+IWksskUi>TwAH#}j*65^8_h|g1A1y#UpqJ$-;3RGogW&<2~?2yd&3S(
zXm_YRhp2yeC8+t7AD^-|D&Q<#cDRj~?we_-58dwS&93^}RInVoNE7eLHwW^upT16L
zryI^zvo3A7Hm6pykB{aOsd~S@C1`+K^wi;t1r5!!<(sIb1*itw{s!b7Dt~mF-}%sG
zyL$yg$Sa&7&Eo90X_qC>hQph?igRY@maEkkTnn5c$8XvWmuM&Fn}ss()pqZ94O7oH
zIrBQi)2dCjOOh%;qb4Hce4*zZTkkl2zxLY6X66SSI)#cmWQF>evrCkd1W8^C6y{tt
zd%Fjn$pH^ihS`<A)`$q&rs25=QZ94Mlr)e-Wv`w%a{SE3cU4`CDtIGa!I3;-UkST2
z0ID;=%v`5Pwzk&oDtl}{G=$8{MLwJ_yGjh63p+55=7)%XR($wg_?Et~PL<^5ZaQp>
zkJebqA~kzSa81l^fqJk-`U^^rQW!t4vyFtosI1@s0J<7ZuxINA#63Eiz_yFfs%zuA
z^Aj$Y%qUM&w*iEilAMOmL)$7Fr(^JF4VY_$+G%39%iN>v9a6B~MdG+leoJ=wz_@H(
zRKhZ%XrF9jb7@Z=AE~!kR&MDw9W!P1TPKaUnsxkGTB&HTqIfzl$y!`SROG0s8QQvZ
z>AT`Ec}jiB%!gwvx&cf@i&o9M8N75iXK|9s`zn*KQajo%zAwM~^HW)|-p=ln>M-^N
z2&Ca>hoWF*ll1K*d+{db;yQr~`rdIyd>)su639~#sW-8<`1N_`p3<tdZds>a>0D>o
zt9S9Ekp`oY^Dk`&bid`~4w_Lm5eu;&-v*X3+sri*>oYmY-rvpMaek|+zM3CT-_mP7
zkeUs!UW|@0SUh;EbK%!K(VryIJ>sf4ZR1{d;Z=|^KXKE%ef&+suo3v7L}AWebSAF4
zyWDNP-%oUw-|FVTNc`AUpou(hq<v(3!CwF9=+yfFR<HGK^~hge$@@1-3DWUImC<id
zFX+HiZa@l8W?lNQG5qH2V6xh(5yy`qb(Ekgj1Wqk02P9^Y$WRDXSfKMQ3^#cs2&8l
zq|=kMoT4kd;mhe;N-zqzLV&5@!nUkBeVVAZ=^;WFPpsmfeCDA7<>!&=Ma^NY*T@qg
znMic_1YGHxN}#5$<~6sPw#^}K&t6lQ+?zOtb7vX(E<>9|p%3SaA}04o)BAd|D_l6+
z^e;vcVE)CI=L)y)P*PXXU@VVoAixl}k)dd*c-*w`MQ@pKVEg(<)m^vC(!v~2NwRR#
z+AQR4eQD-!d6&`}rFH4OL`6E0k@T2g&k6$|VsMUt2nAzKybOhHe5TE=LOt5!A{yO3
zGLl%^35VRqa{b@VBmjevxuC9>8zCcM>m#hRniJyx>|EdFgT&pg;O^ahyU@AD>5Ied
z&)p!Es#4x&zrDO+c^}$0>~njUOMje#3hPxR^m>xIDkS77eBX%#J^pxw@=p@}{Q&nw
z;HzPdOLEhDiLdD-+q6+Vkqe`UF#6gVS$5(CWjcz&vk{O?3lXk2o9nkhsnRHOTv_GP
zU*El0(!Wia0jtpdW*;?p9ub}q|CDtOoHwZ%@)M}tKIql3kPi4*EeS1%7n6YcPr_rl
z8rsi7*aoC#?Byf=6V5sNzXDn{ChoW$3cWh#xYRSfKl=B8Dy8IqJ!8OIc^fApOqbip
zsELu`@BfN$joyWVa<DLd7g;MA%ak71AlVBA9>&8IcNRT*H8PygJ!h{zMKHH$QZ5$w
z3g2=ED-b?f`KQK`i6TQCsM1?HBqxrN;F)<mz^WozYC8)$cl-4tmA|YV=AAOgw`c2@
ztU|7uBb|Y%{@jFI){<z@StDKmc3f~yKpsKFvx71%b)K#0AM9VqsH^x)l$o`)fn^LY
zrq-tTFu2>BWdg4HL$6S}4iMnVX;(N&e)1fu%(xq53g7qY&ExL#q}wnE!%oBJ)v(VG
zX1Cop|8rEt+k)_@g0F7E{w*pzI>+cZ2%VV}eqM|jLEKkujo#YIIXR`Ar@FF)Et876
zTW(S;DLQoqk&iN#6o&5LTmI3YVMIM2y6Fd2IZ|xcbLa>u(&Ko~orU2BSJ7{ho=9Vg
z)gXjaJkt*dfAnuWg!IP&@HE|NAwt`IQjJ%gvxv8kIS1dH-gmxjDZFFnHfFIX>SSkC
zrozMY-f7rTdkbLfmB$Z-RZ#YTkYt0Oe`dHGB*<Ja$LY8|qCniHrQK%xAGq1XozY-y
zKP)^(q*JkG`42eIAA?N)_fjI;rj7VV+iGJ}ymSV9Mr@l=mC0+H)AAny+^@;Z#k6TO
zqNDLdq@v```qWu!XB>Ik3*gvfL$8nksnm};cV}6dcosZg#9+t`4doU!Mt>Y{x_ksQ
zH>tSWPdLJke_clYe_|^b*N|&?^M#0p*yW8E1WCP%B`-%xky(kll9g;dLs>(Jt~XUq
zxMl6K77?x>f9q70=TO{7i8eoVc#q$8pc&6e_Gl|El*jSTRN|c#Tt_zamiO-Mw+NB}
zSdZ8QfsaMYk00w_+P>65<$gFd_46I_)lO}1W-bW1LZd(Vdg0RH6Db@Q6Z})``IH(V
z8PQV~I+XYxGY&=bWXR9FErzP^i9dvL`SPe_EHndT1Fj?s288@Ysc(qh`N#<6^i8sh
z4D#lyK}%&=0TevJHF#a|cKq5re$S70$?xw<K3M+NHKX@UTGKB8khI8j;fGHAXhi|X
zo_!kH^IW#vXu!$x$=4r^vrKnRt28ft8AGPj7a7M+_BwASkku5=71myC<rPokS1;I3
zzL#<^SV8iM>7XC2m_C-T+TaI!S)atD;-sPotN3d|X@lm)JFCkLEMMbnqW1U_r**aK
zdAF37MZNp7x|l?L<Rzf2@^K{H=az;QQDT)|Qfce&Jfay~K-w^Gk+0MxBp#5(mN8##
zxnFOxvPoG(H6z;Qy(BHlCm&#C@9n%lkwh(`Dc{ndWKzb@FMQNKb)z3THP3XLdoZG{
zul?c=PVo9x;x53%&ny+^HaE%aBB(DtDqNfT3|giwa91KsYycu<CPGozEHe4dV@sC5
zl~0|n>8MT#I{_)Pu8hkaP7aPJ7bmD&=NQQ3OpvFrn#-VP@kF9V_T*g+*_03q75&H!
zO2AZR{kMnMt=tF*!x>VBW>s^7yt}J<q=Oc9x19Lgv}jhs-qR1s1^!fS$vpv4-`oAO
z!=7RiM90%Bp~DpQx{yCmkz4pm#i*8Iuo)^ks&~rSLHl!ri(F-yk}hg|teB>su-ks8
z&)_L}X^%0)PAu>)f=D6bqRn%b{4wfIIaDU%|9Y5`6_t}#G|Enpk3GyS-|(RAl@p(u
z7EMdoL+|YI90&`KbB<dgBGgrd5^NisHkNHk2pw6N2whH~)E6zHuVsS572FRA(x*~-
zaj%+pZIcfG5<JQWrOpR=>oQgo3Mo7g&HRrhdWjTk_+Qm$>`N+L^SX{VCYy_P8Jk54
zdE`GP@O}|3T#KjH<WbZ>>vDV5fQvp`sc=$9{n3#+jRAf3B(dA=RU&#AVcg`HGuL$g
z>qBS03%SeL4`Ob|<;V47(Vd=pzxep~Fy3iwi<77gMtNrmXmk~^uNqkrcoXJq1)VH#
zp+0=Bd_Unz%WcO%9iy=G{EolY{+B!NmC)}EJ8PTQw|+L_KR1fYw0@hXCNS#H-Lx(<
zeH6a>gyBa4)uX2NMi`kHL;|^BEiBnEBG+7@jK2tG{b`aSOBXP_=U_Rxwd_cZgNQ|t
zc)F`4fS()e8pjM4pGlXtQI9sVf#f`g5~WqKI8;W&;g6!cTr{o}NGdrz5+*Com72U=
zTmw>Ws_rGF|28uZ7GxHQW>+vQVy}m)9%?=_(kEtKPxNM^IqAm^gxq70vxcs6p@1>5
z-5&4nu47W|c+OM^{8K^#5Rx_A>;YalulDRv4TK;8P~p>v$*dhdm=t!Xx-VX4BteV@
z9qOsW5d=#7UBOM)@!fiUfFq${WcbAMr`TGyR)wzwXAO~EVJfnMfk68&RT)4e7oShU
zew>nGEPnJIEv$7IsifQ$fX}2I>;ZZR)d-g2xKI(oC=rS`zzoG1TOa!U3&t}HpS8_>
zJ2UFTKGQOcXruCah`xz|H;_H5IVhYu&8ux=ugr`(TE{5($&CNL{!5yu%CoWX-!c8J
zp+>L#P!_x&VCJFP52Xjc`?q@r9xQq2wzSX{--401($R-~I<TFxo|L$Mk>2x7jL}sr
zBm_@<r^@ML`O)LckHjRAPBa_D-)X3yJ^m_Zt^AOvV8(Hl<Y=MGP`|+jYX?`y@#t62
zDD{tW4l0$76BH^HgQ*jgrP}5F^20cElj>_$-)RvcF7D@1j1HO4-X%G`p@c*^>#{*X
z+?oYO@tVB0!CFf%<LU;q!vnY^j1c9^<kTt6%d)>yN+IzUaj3gkXzU9S%RFaqQSbB~
z3i`EVrj%33d54T$TOngoC~H!fMG8x@w<;_Ok!$?Z`))<bJodhdGwS#SlV8*}C^}SU
zF%jTAYWG6}o^+@RidPB(%ASJ_uPMm(0<qnw4<E+K_d-Pgz9)O<H%Exr*!(!2k9^b2
z5dQ*a<(>*XMF#kKth&p9n_`)nVssp-kmgG7;V)jT6H^uakw<0_L_JJrjF9r@i?Lxu
z)gdL7S1m!73eSuXxw%Y?I$97c?J5vWNFFicSNxbe!Q_N3p2{{m>DqKz^sxyoI-P4*
z#`Ljqy+Ph@7Z3M9)wjQsKsw}@U+kQgWD~uw6t1M}Qz$j3XjnkqMoD3IW>CdW_9h7D
z)ns8v|1^>ZS#Oo=*5*0Zwa#I0pT$Wh6FOlLIze`_TPx=n`>FMS7;XO^|7ZcO?oeR&
zA9n7KKc$NrbT)PqNxBC#*ExzI_7gdZIjO<N*$)-Xb$`5Aa;6my5|0Q2v7@M~Q3mE>
z26`)?ZUwTjaclLVyb0H#f}8>0<E!YI<@$#GQeP)_G)Fg;(eI>omk=QedR5dZ_Jk=z
zo5Ga+TcQa61Qw%#b>a(ky1}n8TOLS%UE)gu=v^c))=@*3)0Ht)?2CVK4osK8+;FX7
zRx&qmQwW44|3gs!U56^0(tH9$yV)#d9ufQ85&Q*uwZS_jxGF%l$5mmqj7&ymO>z3@
zR)OBf<%!8yxiw7+@wU*w*T341OR?SD)s%-+W2F$%rX@uH;>ImO^!#}6NmCl!nm8wz
zKr`fJlqO*W>&9ISI80lN9yWw+R47&|X-DZHKLQjf6_pzcj$G8J)51^x9wdlsqtx)-
z19eBVe1&yp++#}`WO7%}gkNE@U$!cn-FoTnhgWv5H-8dKGfTqDh=QT(Rg6>rUe8hZ
z%1K6^HE0c6Pw}0ryeUzz)m!VhFP3EMaWX%8TL1A~0^0hc&9cW!?vW{$C!Q_UmN6LO
z)`H=r{yI>|y&=dYl*#W10S?mxDTe93z14fyj$U>h!EdyHY_lN%J6?-De)jXg(u;wS
z=N%)_D%juVyV*aG!cI~?l<HdVzds-PMJwDRSMpv0sJ^e$OV~wJf~oRs_M+HeF%HFX
z?zX&5KA|s<u=<l+bgjxXi#|Pzj$KxoNsgnyw54(U*0XUIYPWB~*H1?irF2`20(X8?
zMb=)7Sf<%Uj*Cu5SZg9X(L&5-L-R6}UpF5_*D6)kk6UrA5)*(i0U2GYhmqLR=>nR^
z&h42B^UTKP-P6BbkYG@5*eSPZj=Bk!qXU*X5wMBDO)&P45E@`}365Ju+Zm$^4xn{j
zHG>C>Y|jB1aCeQtZyZZe90=)B4P6d`kEVs(nq+&8{oSggtCt+sg(>b9>t8B1(0_cp
zn#XZ#^g^Y_!TTqGQ6C2qSD2G^cAA5-AS77@@VYhVE-u>$5sI~q3PZBYut!Wqg(6u(
zj5@!cV`?|)`_)8sw>~eeHtIB6+e=uc7-rL{M2eMcjqpNcs`9fMTPbT@Ub<~Q>=`}m
z0iw-}1GnDQJWnF|9HAl*S!kXMCetdDGjLt1NP9K^VtiVzy+y-yQIuAQC*1>+NkU_m
zq_J-7rvnTv+OIC?d+oAt4Na{~Ift`doK2*Geh>8u{n4+%4czaw(jG`_7{N^1#F?+k
z549TW=rQ1DYqhTIjEI&eHjIDzoYTw>C!EzK5C2R1CAI}t|C~BTJf^7JOwm{CYMTn3
zS9;fCJ@*p?H#Q-7B7*x>HWD^O49uj_IEg{>O?kz@fpAx+TJw>ng(m><89MCq4**6O
z9UyNKydXPAD!3P&vnOyD5-89~JYRE<ji2z5%X5_9q%al>0T2Q?5*sop44pZ$1}xKq
z6}BnBUOAA#3^St+)dw=N;(NtVE)z2A_DwjXDbsqBM^vnE#9l`y+*7biUo46}e#6f*
zs<MO~rm$+tJ?C>w844Qs1d$L(=G6-O&+Uz=SAwhQ_HQ_{z(HQ9H}tPtky1$?c|k>%
zk+`woyxz11Rqhj)y42r-$V0sWx>l`0y<O8x&HP_<%FR$|{Jn_JF_q2lMzUL1_xD#8
z{^F{w@YC$gi^tZ=(*K!~&o=&BTT2O|O{+QGHPG)j4gN{RG`afC&2+iKMd+lGWUYr@
z=;U)#-S^rM8UHj%&{;LHRQcfu<h+poFRsl6x}#q-PN6z9?yt%@x`@zKo{3c!|3Y!L
zs~D`MmO}^~KHg(<!W{wQH|~NWBA&Bh_7pW1Ytqp+01tiN?I@VVli~E{zbP3YgzXwv
zdb9?uY)Ige+QA^qt7u(~D!`gM{vP7PvY`VvT8ppd*RtNnK_`P3^sMrni))>54``4T
z`^Q1{Cc!`-A}6q5qP~B1Zd;4orN2BB!l;F_yBwRxJ#~oG0iPPGgAH!tO=QDyb7$rB
z{LrE5AgJlAFy(V+v#KiTbM>1N`#cq54d>)G$MJ_2CY*Dow;1;Mt?%kru$QM!KL6C8
zdT{`5GH4Bo1EawwaGDg34fhuX+P4WW2LmN=P|q<hWZ}rTxgL3?x;3GikidC`c%i<V
zWz*fUzZ!pudkOwF;)NO+Qlj#~hOfe)7gOy140De-9eSPd+Pi&rwzc-keK9<1F<c20
zlb27DRylpK-$^PjZ8Hkdo0yl=)^?>;t?iAdk}sHB?PmccRDC3(wINXUX(oaVwNYX}
z+Uqzpdwg*+&gRAs)jHZhACBqKc449|vP)}8{nVdqB7dPg(kf*Y3p7|Pakl#-#pY`Y
zEzQQy*_v|C7j&_Oi#Y2##^bExG#MQt*JWfZ_H!8`7CdbL!yK9S#F4XX%<Bfk$3bNW
zN(3sU3|5l`(?8{3Um3K@M;pFhVI8`w?K}(IB{P&R=fHLY0=7uWi-qk9S1e}A6QfV1
z1q^T;%;LWBtZZ*8oEvl>>2Xi>qXxk1ntP@N_Y}a!y%usboziArZdxcvS<K7V4(X$X
zUvTFdB0h-SsyB>y@Z94zqr%5OrEtn6HWZTCeyl&G%5^+g0~U!#z)j0qR!u3<;hy*f
zH{cX1HgVIH5dYY)U_qMdPyr;{sPq1<Y6bl2g9UjaRx8)TZ$3-JYSjvp125G5B@Rho
z-`WbkwqAuvqvQF2ee`xxiEdzjmXUO85RqOxFX(t?#oqpY`NR6ohxLUBp2{Z?^G_G6
zY+hepZm5>+(hj>}21ctU<uVG|q|XSWvG|sX)GV~sKVbqBsr=}{g);(y&KL_M^<Qr;
z98m#df%K1n;6<;TV;%RHz};iZ2@Ot7Ebx)je_mIt7j@fHLDnJc`|(n``jr9}N|`qg
zYLU;;D!#MYMX5yF6mohob}mk~o1J)}CiZBhXiSv@W6s+^l^Q+qn9aI&iZNAXKvH5m
z&N$}t*A~UBF7)*ro;dJiDw`B)w|-aMt$|z+T=YhJZ4@@)?8~S9h_D6v@8VBp4KN-z
zKEXbBLVQeVh7~#X`PhP?U7>f6<A6c8sso><d%?w57Z>u!J8L@YkEIA7>)HVce0(%i
zm+GiE4cP0x&EYkmHJ@#gV(%@IkgeYbfMK~&=iBa&@CgOnn$cdUqfI!=!S?qEwLV`k
zrr5}0P|h(;j2>OZz3+<E!T#tfc-1V|`8Kh9nqxtAgkzd<j!A;0lXWlyGHQ$<_PE{E
znqm`*I~V<UVSjkIy}fG3<Y&)x!K$SZcGSpZmB)MOZc52t67Mr0R~;T`a7gN5uW9pL
zS=y|-4@)@K3sqJ>m}vE=$GI;&&IT*`Uci6srxjb6!D0qrU(M#Pq2Roh*2LFwE5wch
z4D^GU@H1a|m}#wHY%Ulj*@!-BaCLe%TWObeGqO>#ckU*+26J6M3P@Uz3nrw?v%My&
zv)o8zl7@sZgu4mD*hngL@IMyzG&(aX2}DSds&8nf;{mlkM7-@Cdl)ftK9OswTzFz7
zt(bf$`q(kRZ;OdYcqtc{T2Bk(ZGkLZr!k&yDK$N4nBj61S-(B@V-JDYlfwTQ0K{9&
z;JhFP?+cqXoCd0q!CuXf_ykn!^H^WN-PTZrf0t@3c`+EC{r|SR00REh^HKZ4p=ma<
z_a2Y!$5XJiTE!2&dPv&XFl~0S3U8nnYWM%UwU|4{oN4?&TZ_qMilM))1-xQ1RsTn8
zq15}c_Z+JyI59V@R;H1VFzKn+>g^q+59_>*+)T|g-&B^T(={#<lToWU7nA-sHfQaA
zzi;lM&wHenu1n0qi|um>92!0?2H&4HhHqvl$Ill#Vh~9Bpr_J=)A|kfDjKlw0%u2i
zT&-~Er%A|gqS`jk;D9wB0l&7%UEs{L9&(3T-fJ%UV@rtNpKVRXy|H*(E1qtB<0|QP
zkkdQC6C6s@w$2<>pq;i=$1}2rvyU&B*?4j3QGCZ+epqnSI@G?!+$FfaYFL>e)Fl~;
z<`Bzpdk9A8d@EPk)NV{&hWFcg9eq1ycwDT0aUK0;wud+_7@3PIj4?fo(ct_|h;Enl
zJB)ri2al9G6SD(&%OJpWVOj1C^2Gqv3?!yv@1`roNJv@L;J!x7Q<}MJZ>@O+Y*90^
zBCU#e?t)KmARUFqheT2EQRaaT#8&_rZ-y=;RjIXo2bZiVu@egPEvEYvW!lV%V~zc8
zKnRd|wJ}nSJ>~&AEC=_sQb1Fn{Mjd#paXYatXCV)<kp$)_Wf~<I|BOr29PNbqv7-E
zvkAt~K|YaV4gM*0%zQ>GN$(*ie*<I~jL=l4`ubvKS`hXrkW!&sIH7nzjlOqAT7N(u
zm&b`WKSEx)=nxkLzKW9%XfuTvua}e?k)oXziO*i8pOpLX*_u~2fpG_)Am4(hT}nV-
z`vv4=$5`V2_!lZRNbD9>@lOONixEf^u@Z#vKv4MFK7goJ@;K0=XI(9Tpq9`3G(ck{
z3JvVs){2!WDf#B7QE_7riG;q999F9@u^6|$428d&F{48r9lYSNk5oj0AB*T!j>$eB
z{9qmfyQ6MT^b4|Z%g87y-Msuj<|i<~#<3)B_Q_DcKW$q8V)UE{4t!S$u_u3aN1|Az
z;X7K*<G_rDcjN!He_q}j#uqB_@059FI*PvuO{*sWslsDNF7d7^;}s-a(0gZYpu_h~
z0cDeD`Y3!cDA9=e1@Qd#DJc7w^UjIfxq^Df!pbILfE-?|DbTI2YR<_{Mb@Wr_;>%L
zK>QB}6h4|(1^uTKj~C#W2k)$SP1{=;dcAHLrz|<=7hxVuWgd`Et_L~Aov=F{d4BmB
zi&X}7n?Zf!&kWaP-x1(v-vH$B|8pcG=WCaY&Y9f;02^4wHY1agVoRBa3nBU=MYQDp
z=<k<gwi!?0(n5?r{wsu&pN0!TV;)L6FGfHuN&n=Xzt&bMh7o0gKe-ramhlvIfNo$}
zC$qGUtf0!A@ipnpf-_I?gG!Np93p%vrU049Kj+zi--@&3wi$jRHD;imncXW$<!Ua+
zpRH-zd~R_bQ}MsGhXQ{y7Eb&>GH#e>8C+ZxqL8~T?wO%c%P!v{pIK7bsaBJj_F+Jd
zz3fY(VwAGl<I8Y!`22%={6BHKg11BagbK%huk9DO{ziJjXZB~}?_Xs962ABUE&RAB
zndF5piPjnl@gFN7wO$YPRWqT`yC(kUIyN|q`SIfnEXB;v$-eF(zyS|rtMSz-Kbk2e
z{ocUpo7?s7SOkPXzhDO}<6bcL_t0lMPvCiY|98{Jpb?{Gk0(fi`)rzCI>~I58C;HC
z6OQQ`Xp7A4wJ5OE$-mH+mSCXQ>OUx)!~de5PDju@<;vSD$0{6oNnrd08I+Dsf$`r+
zj9yp|fdY-6!vE@YKPv!^{vXVL6Yg=wX{QEiX<?guvoZX*tvl#evXW3@T9h3H;eP>S
CHeI6t

diff --git a/x-pack/test/functional_execution_context/plugins/alerts/server/plugin.ts b/x-pack/test/functional_execution_context/plugins/alerts/server/plugin.ts
index 9f6d33d9ca164..78c79375f3e9f 100644
--- a/x-pack/test/functional_execution_context/plugins/alerts/server/plugin.ts
+++ b/x-pack/test/functional_execution_context/plugins/alerts/server/plugin.ts
@@ -7,7 +7,7 @@
 import apmAgent from 'elastic-apm-node';
 
 import type { Plugin, CoreSetup } from '@kbn/core/server';
-import { PluginSetupContract as AlertingPluginSetup } from '@kbn/alerting-plugin/server/plugin';
+import { AlertingServerSetup } from '@kbn/alerting-plugin/server/plugin';
 import { EncryptedSavedObjectsPluginStart } from '@kbn/encrypted-saved-objects-plugin/server';
 import { FeaturesPluginSetup } from '@kbn/features-plugin/server';
 import { SpacesPluginStart } from '@kbn/spaces-plugin/server';
@@ -16,7 +16,7 @@ import { KibanaFeatureScope } from '@kbn/features-plugin/common';
 
 export interface FixtureSetupDeps {
   features: FeaturesPluginSetup;
-  alerting: AlertingPluginSetup;
+  alerting: AlertingServerSetup;
 }
 
 export interface FixtureStartDeps {
@@ -34,8 +34,8 @@ export class FixturePlugin implements Plugin<void, void, FixtureSetupDeps, Fixtu
       name: 'Alerts',
       app: ['alerts', 'kibana'],
       category: { id: 'foo', label: 'foo' },
+      alerting: [{ ruleTypeId: 'test.executionContext', consumers: ['fecAlertsTestPlugin'] }],
       scope: [KibanaFeatureScope.Spaces, KibanaFeatureScope.Security],
-      alerting: ['test.executionContext'],
       privileges: {
         all: {
           app: ['alerts', 'kibana'],
@@ -45,7 +45,7 @@ export class FixturePlugin implements Plugin<void, void, FixtureSetupDeps, Fixtu
           },
           alerting: {
             rule: {
-              all: ['test.executionContext'],
+              all: [{ ruleTypeId: 'test.executionContext', consumers: ['fecAlertsTestPlugin'] }],
             },
           },
           ui: [],
@@ -58,7 +58,7 @@ export class FixturePlugin implements Plugin<void, void, FixtureSetupDeps, Fixtu
           },
           alerting: {
             rule: {
-              read: ['test.executionContext'],
+              read: [{ ruleTypeId: 'test.executionContext', consumers: ['fecAlertsTestPlugin'] }],
             },
           },
           ui: [],
diff --git a/x-pack/test/functional_with_es_ssl/apps/triggers_actions_ui/home_page.ts b/x-pack/test/functional_with_es_ssl/apps/triggers_actions_ui/home_page.ts
index 6d6e614b12344..bffe63a97634f 100644
--- a/x-pack/test/functional_with_es_ssl/apps/triggers_actions_ui/home_page.ts
+++ b/x-pack/test/functional_with_es_ssl/apps/triggers_actions_ui/home_page.ts
@@ -8,7 +8,7 @@
 import expect from '@kbn/expect';
 import { FtrProviderContext } from '../../ftr_provider_context';
 import { ObjectRemover } from '../../lib/object_remover';
-import { getTestAlertData, getTestActionData } from '../../lib/get_test_data';
+import { getTestAlertData } from '../../lib/get_test_data';
 
 export default ({ getPageObjects, getService }: FtrProviderContext) => {
   const testSubjects = getService('testSubjects');
@@ -24,6 +24,7 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => {
       before(async () => {
         await security.testUser.setRoles(['alerts_and_actions_role']);
       });
+
       after(async () => {
         await security.testUser.restoreDefaults();
       });
@@ -41,6 +42,7 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => {
       before(async () => {
         await security.testUser.setRoles(['only_actions_role']);
       });
+
       after(async () => {
         await security.testUser.restoreDefaults();
       });
@@ -57,19 +59,35 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => {
         await pageObjects.common.navigateToApp('triggersActions');
       });
 
-      after(async () => {
-        await objectRemover.removeAll();
-      });
-
       it('Loads the Alerts page', async () => {
-        await log.debug('Checking for section heading to say Rules.');
+        log.debug('Checking for section heading to say Rules.');
 
         const headingText = await pageObjects.triggersActionsUI.getSectionHeadingText();
         expect(headingText).to.be('Rules');
       });
 
       describe('Alerts tab', () => {
+        let createdRule: { name: string; id: string };
+
+        before(async () => {
+          const resRule = await supertest
+            .post(`/api/alerting/rule`)
+            .set('kbn-xsrf', 'foo')
+            .send(getTestAlertData())
+            .expect(200);
+
+          createdRule = resRule.body;
+          objectRemover.add(createdRule.id, 'rule', 'alerting');
+        });
+
+        after(async () => {
+          await objectRemover.removeAll();
+        });
+
         it('renders the alerts tab', async () => {
+          // refresh to see alert
+          await browser.refresh();
+
           // Navigate to the alerts tab
           await pageObjects.triggersActionsUI.changeTabs('rulesTab');
 
@@ -84,20 +102,6 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => {
         });
 
         it('navigates to an alert details page', async () => {
-          const { body: createdAction } = await supertest
-            .post(`/api/actions/connector`)
-            .set('kbn-xsrf', 'foo')
-            .send(getTestActionData())
-            .expect(200);
-          objectRemover.add(createdAction.id, 'action', 'actions');
-
-          const { body: createdAlert } = await supertest
-            .post(`/api/alerting/rule`)
-            .set('kbn-xsrf', 'foo')
-            .send(getTestAlertData())
-            .expect(200);
-          objectRemover.add(createdAlert.id, 'alert', 'alerts');
-
           // refresh to see alert
           await browser.refresh();
 
@@ -107,10 +111,10 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => {
           await testSubjects.existOrFail('rulesList');
 
           // click on first alert
-          await pageObjects.triggersActionsUI.clickOnAlertInAlertsList(createdAlert.name);
+          await pageObjects.triggersActionsUI.clickOnAlertInAlertsList(createdRule.name);
 
           // Verify url
-          expect(await browser.getCurrentUrl()).to.contain(`/rule/${createdAlert.id}`);
+          expect(await browser.getCurrentUrl()).to.contain(`/rule/${createdRule.id}`);
         });
       });
     });
diff --git a/x-pack/test/functional_with_es_ssl/plugins/alerts/server/plugin.ts b/x-pack/test/functional_with_es_ssl/plugins/alerts/server/plugin.ts
index 972b9cf2b3af6..b4a2ee84566cc 100644
--- a/x-pack/test/functional_with_es_ssl/plugins/alerts/server/plugin.ts
+++ b/x-pack/test/functional_with_es_ssl/plugins/alerts/server/plugin.ts
@@ -6,17 +6,14 @@
  */
 
 import { Plugin, CoreSetup } from '@kbn/core/server';
-import {
-  PluginSetupContract as AlertingSetup,
-  RuleType,
-  RuleTypeParams,
-} from '@kbn/alerting-plugin/server';
+import { AlertingServerSetup, RuleType, RuleTypeParams } from '@kbn/alerting-plugin/server';
 import { FeaturesPluginSetup } from '@kbn/features-plugin/server';
+import { ALERTING_FEATURE_ID } from '@kbn/alerting-plugin/common';
 import { KibanaFeatureScope } from '@kbn/features-plugin/common';
 
 // this plugin's dependendencies
 export interface AlertingExampleDeps {
-  alerting: AlertingSetup;
+  alerting: AlertingServerSetup;
   features: FeaturesPluginSetup;
 }
 
@@ -117,13 +114,27 @@ export class AlertingFixturePlugin implements Plugin<void, void, AlertingExample
       name: 'alerting_fixture',
       app: [],
       category: { id: 'foo', label: 'foo' },
+      alerting: [
+        { ruleTypeId: 'test.always-firing', consumers: ['alerting_fixture', ALERTING_FEATURE_ID] },
+        { ruleTypeId: 'test.noop', consumers: ['alerting_fixture', ALERTING_FEATURE_ID] },
+        { ruleTypeId: 'test.failing', consumers: ['alerting_fixture', ALERTING_FEATURE_ID] },
+      ],
       scope: [KibanaFeatureScope.Spaces, KibanaFeatureScope.Security],
-      alerting: ['test.always-firing', 'test.noop', 'test.failing'],
       privileges: {
         all: {
           alerting: {
             rule: {
-              all: ['test.always-firing', 'test.noop', 'test.failing'],
+              all: [
+                {
+                  ruleTypeId: 'test.always-firing',
+                  consumers: ['alerting_fixture', ALERTING_FEATURE_ID],
+                },
+                { ruleTypeId: 'test.noop', consumers: ['alerting_fixture', ALERTING_FEATURE_ID] },
+                {
+                  ruleTypeId: 'test.failing',
+                  consumers: ['alerting_fixture', ALERTING_FEATURE_ID],
+                },
+              ],
             },
           },
           savedObject: {
@@ -135,7 +146,17 @@ export class AlertingFixturePlugin implements Plugin<void, void, AlertingExample
         read: {
           alerting: {
             rule: {
-              all: ['test.always-firing', 'test.noop', 'test.failing'],
+              all: [
+                {
+                  ruleTypeId: 'test.always-firing',
+                  consumers: ['alerting_fixture', ALERTING_FEATURE_ID],
+                },
+                { ruleTypeId: 'test.noop', consumers: ['alerting_fixture', ALERTING_FEATURE_ID] },
+                {
+                  ruleTypeId: 'test.failing',
+                  consumers: ['alerting_fixture', ALERTING_FEATURE_ID],
+                },
+              ],
             },
           },
           savedObject: {
diff --git a/x-pack/test/observability_functional/apps/observability/pages/rules_page.ts b/x-pack/test/observability_functional/apps/observability/pages/rules_page.ts
index 4ec0f412e1f03..f084c4ec2a0aa 100644
--- a/x-pack/test/observability_functional/apps/observability/pages/rules_page.ts
+++ b/x-pack/test/observability_functional/apps/observability/pages/rules_page.ts
@@ -36,6 +36,7 @@ export default ({ getService, getPageObjects }: FtrProviderContext) => {
         search_fields: ['name'],
       })
       .expect(200);
+
     return rules.find((rule: any) => rule.name === name);
   }
 
diff --git a/x-pack/test/rule_registry/security_and_spaces/tests/basic/bulk_update_alerts.ts b/x-pack/test/rule_registry/security_and_spaces/tests/basic/bulk_update_alerts.ts
index 68feb37137397..e54af674f6572 100644
--- a/x-pack/test/rule_registry/security_and_spaces/tests/basic/bulk_update_alerts.ts
+++ b/x-pack/test/rule_registry/security_and_spaces/tests/basic/bulk_update_alerts.ts
@@ -102,7 +102,6 @@ export default ({ getService }: FtrProviderContext) => {
     function addTests({ space, authorizedUsers, unauthorizedUsers, alertId, index }: TestCase) {
       authorizedUsers.forEach(({ username, password }) => {
         it(`${username} should bulk update alert with given id ${alertId} in ${space}/${index}`, async () => {
-          await esArchiver.load('x-pack/test/functional/es_archives/rule_registry/alerts'); // since this is a success case, reload the test data immediately beforehand
           const { body: updated } = await supertestWithoutAuth
             .post(`${getSpaceUrlPrefix(space)}${TEST_URL}/bulk_update`)
             .auth(username, password)
@@ -119,7 +118,6 @@ export default ({ getService }: FtrProviderContext) => {
         });
 
         it(`${username} should bulk update alerts which match KQL query string in ${space}/${index}`, async () => {
-          await esArchiver.load('x-pack/test/functional/es_archives/rule_registry/alerts'); // since this is a success case, reload the test data immediately beforehand
           const { body: updated } = await supertestWithoutAuth
             .post(`${getSpaceUrlPrefix(space)}${TEST_URL}/bulk_update`)
             .auth(username, password)
@@ -134,7 +132,6 @@ export default ({ getService }: FtrProviderContext) => {
         });
 
         it(`${username} should bulk update alerts which match query in DSL in ${space}/${index}`, async () => {
-          await esArchiver.load('x-pack/test/functional/es_archives/rule_registry/alerts'); // since this is a success case, reload the test data immediately beforehand
           const { body: updated } = await supertestWithoutAuth
             .post(`${getSpaceUrlPrefix(space)}${TEST_URL}/bulk_update`)
             .auth(username, password)
diff --git a/x-pack/test/rule_registry/security_and_spaces/tests/basic/find_alerts.ts b/x-pack/test/rule_registry/security_and_spaces/tests/basic/find_alerts.ts
index 694c27060f191..404250a169e0a 100644
--- a/x-pack/test/rule_registry/security_and_spaces/tests/basic/find_alerts.ts
+++ b/x-pack/test/rule_registry/security_and_spaces/tests/basic/find_alerts.ts
@@ -7,7 +7,7 @@
 import expect from '@kbn/expect';
 
 import {
-  ALERT_RULE_CONSUMER,
+  ALERT_RULE_TYPE_ID,
   ALERT_WORKFLOW_STATUS,
 } from '@kbn/rule-registry-plugin/common/technical_rule_data_field_names';
 import {
@@ -268,30 +268,30 @@ export default ({ getService }: FtrProviderContext) => {
       expect(found.body.aggregations.nbr_consumer.value).to.be.equal(2);
     });
 
-    it(`${superUser.username} should handle 'siem' featureIds`, async () => {
+    it(`${superUser.username} should handle 'siem' rule type IDs`, async () => {
       const found = await supertestWithoutAuth
         .post(`${getSpaceUrlPrefix(SPACE1)}${TEST_URL}/find`)
         .auth(superUser.username, superUser.password)
         .set('kbn-xsrf', 'true')
         .send({
-          feature_ids: ['siem'],
+          rule_type_ids: ['siem.queryRule'],
         });
 
-      expect(found.body.hits.hits.every((hit: any) => hit[ALERT_RULE_CONSUMER] === 'siem')).equal(
+      expect(found.body.hits.hits.every((hit: any) => hit[ALERT_RULE_TYPE_ID] === 'siem')).equal(
         true
       );
     });
 
-    it(`${superUser.username} should handle 'apm' featureIds`, async () => {
+    it(`${superUser.username} should handle 'apm' rule type IDs`, async () => {
       const found = await supertestWithoutAuth
         .post(`${getSpaceUrlPrefix(SPACE1)}${TEST_URL}/find`)
         .auth(superUser.username, superUser.password)
         .set('kbn-xsrf', 'true')
         .send({
-          feature_ids: ['apm'],
+          rule_type_ids: ['apm.error_rate'],
         });
 
-      expect(found.body.hits.hits.every((hit: any) => hit[ALERT_RULE_CONSUMER] === 'apm')).equal(
+      expect(found.body.hits.hits.every((hit: any) => hit[ALERT_RULE_TYPE_ID] === 'apm')).equal(
         true
       );
     });
diff --git a/x-pack/test/rule_registry/security_and_spaces/tests/basic/get_aad_fields_by_rule_type.ts b/x-pack/test/rule_registry/security_and_spaces/tests/basic/get_aad_fields_by_rule_type.ts
index 4d8fed02a7c71..1e7759b06c30d 100644
--- a/x-pack/test/rule_registry/security_and_spaces/tests/basic/get_aad_fields_by_rule_type.ts
+++ b/x-pack/test/rule_registry/security_and_spaces/tests/basic/get_aad_fields_by_rule_type.ts
@@ -38,8 +38,12 @@ export default ({ getService }: FtrProviderContext) => {
       await esArchiver.load('x-pack/test/functional/es_archives/rule_registry/alerts');
     });
 
+    after(async () => {
+      await esArchiver.unload('x-pack/test/functional/es_archives/rule_registry/alerts');
+    });
+
     describe('Users:', () => {
-      it(`${obsOnlySpacesAll.username} should be able to get browser fields for o11y featureIds`, async () => {
+      it(`${obsOnlySpacesAll.username} should be able to get browser fields for o11y rule type ids`, async () => {
         await retry.try(async () => {
           const aadFields = await getAADFieldsByRuleType(
             obsOnlySpacesAll,
diff --git a/x-pack/test/rule_registry/security_and_spaces/tests/basic/get_alert_summary.ts b/x-pack/test/rule_registry/security_and_spaces/tests/basic/get_alert_summary.ts
index 5da72c7f6a76a..abfc4c9d5aa79 100644
--- a/x-pack/test/rule_registry/security_and_spaces/tests/basic/get_alert_summary.ts
+++ b/x-pack/test/rule_registry/security_and_spaces/tests/basic/get_alert_summary.ts
@@ -39,7 +39,7 @@ export default ({ getService }: FtrProviderContext) => {
         .send({
           gte: '2020-12-16T15:00:00.000Z',
           lte: '2020-12-16T16:00:00.000Z',
-          featureIds: ['logs'],
+          ruleTypeIds: ['logs.alert.document.count'],
           fixed_interval: '10m',
         })
         .expect(200);
@@ -83,7 +83,7 @@ export default ({ getService }: FtrProviderContext) => {
               },
             },
           ],
-          featureIds: ['logs'],
+          ruleTypeIds: ['logs.alert.document.count'],
           fixed_interval: '10m',
         })
         .expect(200);
@@ -127,7 +127,7 @@ export default ({ getService }: FtrProviderContext) => {
               },
             },
           ],
-          featureIds: ['logs'],
+          ruleTypeIds: ['logs.alert.document.count'],
           fixed_interval: '10m',
         })
         .expect(200);
diff --git a/x-pack/test/rule_registry/security_and_spaces/tests/basic/get_alerts_index.ts b/x-pack/test/rule_registry/security_and_spaces/tests/basic/get_alerts_index.ts
index 530c0a57b02ef..604cff34865d9 100644
--- a/x-pack/test/rule_registry/security_and_spaces/tests/basic/get_alerts_index.ts
+++ b/x-pack/test/rule_registry/security_and_spaces/tests/basic/get_alerts_index.ts
@@ -30,16 +30,18 @@ export default ({ getService }: FtrProviderContext) => {
   const STACK_ALERT_INDEX = '.alerts-stack.alerts-default';
 
   const getIndexName = async (
-    featureIds: string[],
+    ruleTypeIds: string[],
     user: User,
     space: string,
     expectedStatusCode: number = 200
   ) => {
     const resp = await supertestWithoutAuth
-      .get(`${getSpaceUrlPrefix(space)}${ALERTS_INDEX_URL}?features=${featureIds.join(',')}`)
+      .get(`${getSpaceUrlPrefix(space)}${ALERTS_INDEX_URL}`)
+      .query({ ruleTypeIds })
       .auth(user.username, user.password)
       .set('kbn-xsrf', 'true')
       .expect(expectedStatusCode);
+
     return resp.body.index_name as string[];
   };
 
@@ -47,33 +49,34 @@ export default ({ getService }: FtrProviderContext) => {
     before(async () => {
       await esArchiver.load('x-pack/test/functional/es_archives/rule_registry/alerts');
     });
+
+    before(async () => {
+      await esArchiver.unload('x-pack/test/functional/es_archives/rule_registry/alerts');
+    });
+
     describe('Users:', () => {
       it(`${obsOnlySpacesAll.username} should be able to access the APM alert in ${SPACE1}`, async () => {
-        const indexNames = await getIndexName(['apm'], obsOnlySpacesAll, SPACE1);
+        const indexNames = await getIndexName(['apm.error_rate'], obsOnlySpacesAll, SPACE1);
         expect(indexNames.includes(APM_ALERT_INDEX)).to.eql(true); // assert this here so we can use constants in the dynamically-defined test cases below
       });
 
       it(`${superUser.username} should be able to access the APM alert in ${SPACE1}`, async () => {
-        const indexNames = await getIndexName(['apm'], superUser, SPACE1);
+        const indexNames = await getIndexName(['apm.error_rate'], superUser, SPACE1);
         expect(indexNames.includes(APM_ALERT_INDEX)).to.eql(true); // assert this here so we can use constants in the dynamically-defined test cases below
       });
 
       it(`${secOnlyRead.username} should NOT be able to access the APM alert in ${SPACE1}`, async () => {
-        const indexNames = await getIndexName(['apm'], secOnlyRead, SPACE1);
+        const indexNames = await getIndexName(['apm.error_rate'], secOnlyRead, SPACE1);
         expect(indexNames?.length).to.eql(0);
       });
 
       it(`${secOnlyRead.username} should be able to access the security solution alert in ${SPACE1}`, async () => {
-        const indexNames = await getIndexName(['siem'], secOnlyRead, SPACE1);
+        const indexNames = await getIndexName(['siem.esqlRule'], secOnlyRead, SPACE1);
         expect(indexNames.includes(`${SECURITY_SOLUTION_ALERT_INDEX}-${SPACE1}`)).to.eql(true); // assert this here so we can use constants in the dynamically-defined test cases below
       });
 
       it(`${stackAlertsOnlyReadSpacesAll.username} should be able to access the stack alert in ${SPACE1}`, async () => {
-        const indexNames = await getIndexName(
-          ['stackAlerts'],
-          stackAlertsOnlyReadSpacesAll,
-          SPACE1
-        );
+        const indexNames = await getIndexName(['.es-query'], stackAlertsOnlyReadSpacesAll, SPACE1);
         expect(indexNames.includes(STACK_ALERT_INDEX)).to.eql(true);
       });
     });
diff --git a/x-pack/test/rule_registry/security_and_spaces/tests/basic/get_browser_fields_by_feature_id.ts b/x-pack/test/rule_registry/security_and_spaces/tests/basic/get_browser_fields_by_rule_type_ids.ts
similarity index 74%
rename from x-pack/test/rule_registry/security_and_spaces/tests/basic/get_browser_fields_by_feature_id.ts
rename to x-pack/test/rule_registry/security_and_spaces/tests/basic/get_browser_fields_by_rule_type_ids.ts
index 352ff0188b015..ac05dad573c65 100644
--- a/x-pack/test/rule_registry/security_and_spaces/tests/basic/get_browser_fields_by_feature_id.ts
+++ b/x-pack/test/rule_registry/security_and_spaces/tests/basic/get_browser_fields_by_rule_type_ids.ts
@@ -6,6 +6,7 @@
  */
 
 import expect from 'expect';
+import { OBSERVABILITY_RULE_TYPE_IDS } from '@kbn/rule-data-utils';
 import { superUser, obsOnlySpacesAll, secOnlyRead } from '../../../common/lib/authentication/users';
 import type { User } from '../../../common/lib/authentication/types';
 import { FtrProviderContext } from '../../../common/ftr_provider_context';
@@ -20,31 +21,38 @@ export default ({ getService }: FtrProviderContext) => {
 
   const getBrowserFieldsByFeatureId = async (
     user: User,
-    featureIds: string[],
+    ruleTypeIds: string[],
     expectedStatusCode: number = 200
   ) => {
     const resp = await supertestWithoutAuth
       .get(`${getSpaceUrlPrefix(SPACE1)}${TEST_URL}`)
-      .query({ featureIds })
+      .query({ ruleTypeIds })
       .auth(user.username, user.password)
       .set('kbn-xsrf', 'true')
       .expect(expectedStatusCode);
+
     return resp.body;
   };
 
-  describe('Alert - Get browser fields by featureId', () => {
+  describe('Alert - Get browser fields by rule type IDs', () => {
+    const ruleTypeIds = [
+      ...OBSERVABILITY_RULE_TYPE_IDS,
+      '.es-query',
+      'xpack.ml.anomaly_detection_alert',
+    ];
+
     before(async () => {
       await esArchiver.load('x-pack/test/functional/es_archives/rule_registry/alerts');
     });
 
+    after(async () => {
+      await esArchiver.unload('x-pack/test/functional/es_archives/rule_registry/alerts');
+    });
+
     describe('Users:', () => {
-      it(`${obsOnlySpacesAll.username} should be able to get browser fields for o11y featureIds`, async () => {
-        const resp = await getBrowserFieldsByFeatureId(obsOnlySpacesAll, [
-          'apm',
-          'infrastructure',
-          'logs',
-          'uptime',
-        ]);
+      it(`${obsOnlySpacesAll.username} should be able to get browser fields for o11y ruleTypeIds that has access to`, async () => {
+        const resp = await getBrowserFieldsByFeatureId(obsOnlySpacesAll, ruleTypeIds);
+
         expect(Object.keys(resp.browserFields)).toEqual([
           'base',
           'agent',
@@ -61,13 +69,9 @@ export default ({ getService }: FtrProviderContext) => {
         ]);
       });
 
-      it(`${superUser.username} should be able to get browser fields for o11y featureIds`, async () => {
-        const resp = await getBrowserFieldsByFeatureId(superUser, [
-          'apm',
-          'infrastructure',
-          'logs',
-          'uptime',
-        ]);
+      it(`${superUser.username} should be able to get browser fields for all o11y ruleTypeIds`, async () => {
+        const resp = await getBrowserFieldsByFeatureId(superUser, ruleTypeIds);
+
         expect(Object.keys(resp.browserFields)).toEqual([
           'base',
           'agent',
@@ -82,17 +86,18 @@ export default ({ getService }: FtrProviderContext) => {
           'observer',
           'orchestrator',
           'service',
+          'slo',
           'tls',
           'url',
         ]);
       });
 
-      it(`${superUser.username} should NOT be able to get browser fields for siem featureId`, async () => {
-        await getBrowserFieldsByFeatureId(superUser, ['siem'], 404);
+      it(`${superUser.username} should NOT be able to get browser fields for siem rule types`, async () => {
+        await getBrowserFieldsByFeatureId(superUser, ['siem.queryRule'], 404);
       });
 
-      it(`${secOnlyRead.username} should NOT be able to get browser fields for siem featureId`, async () => {
-        await getBrowserFieldsByFeatureId(secOnlyRead, ['siem'], 404);
+      it(`${secOnlyRead.username} should NOT be able to get browser fields for siem rule types`, async () => {
+        await getBrowserFieldsByFeatureId(secOnlyRead, ['siem.queryRule'], 404);
       });
     });
   });
diff --git a/x-pack/test/rule_registry/security_and_spaces/tests/basic/get_feature_ids_by_registration_contexts.ts b/x-pack/test/rule_registry/security_and_spaces/tests/basic/get_feature_ids_by_registration_contexts.ts
deleted file mode 100644
index 5b4063cfe5285..0000000000000
--- a/x-pack/test/rule_registry/security_and_spaces/tests/basic/get_feature_ids_by_registration_contexts.ts
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import expect from '@kbn/expect';
-
-import { superUser, obsOnlySpacesAll, secOnlyRead } from '../../../common/lib/authentication/users';
-import type { User } from '../../../common/lib/authentication/types';
-import { FtrProviderContext } from '../../../common/ftr_provider_context';
-import { getSpaceUrlPrefix } from '../../../common/lib/authentication/spaces';
-
-// eslint-disable-next-line import/no-default-export
-export default ({ getService }: FtrProviderContext) => {
-  const supertestWithoutAuth = getService('supertestWithoutAuth');
-  const esArchiver = getService('esArchiver');
-
-  const TEST_URL = '/internal/rac/alerts';
-  const ALERTS_FEATURE_IDS_URL = `${TEST_URL}/_feature_ids`;
-  const SPACE1 = 'space1';
-
-  const getApmFeatureIdByRegistrationContexts = async (
-    user: User,
-    space: string,
-    expectedStatusCode: number = 200
-  ) => {
-    const resp = await supertestWithoutAuth
-      .get(
-        `${getSpaceUrlPrefix(space)}${ALERTS_FEATURE_IDS_URL}?registrationContext=observability.apm`
-      )
-      .auth(user.username, user.password)
-      .set('kbn-xsrf', 'true')
-      .expect(expectedStatusCode);
-    return resp.body as string[];
-  };
-
-  const getSecurityFeatureIdByRegistrationContexts = async (
-    user: User,
-    space: string,
-    expectedStatusCode: number = 200
-  ) => {
-    const resp = await supertestWithoutAuth
-      .get(`${getSpaceUrlPrefix(space)}${ALERTS_FEATURE_IDS_URL}?registrationContext=security`)
-      .auth(user.username, user.password)
-      .set('kbn-xsrf', 'true')
-      .expect(expectedStatusCode);
-
-    return resp.body as string[];
-  };
-
-  describe('Alert - Get feature ids by registration context', () => {
-    before(async () => {
-      await esArchiver.load('x-pack/test/functional/es_archives/rule_registry/alerts');
-    });
-    describe('Users:', () => {
-      it(`${obsOnlySpacesAll.username} should be able to get feature id for registration context 'observability.apm' in ${SPACE1}`, async () => {
-        const featureIds = await getApmFeatureIdByRegistrationContexts(obsOnlySpacesAll, SPACE1);
-        expect(featureIds).to.eql(['apm']);
-      });
-
-      it(`${superUser.username} should be able to get feature id for registration context 'observability.apm' in ${SPACE1}`, async () => {
-        const featureIds = await getApmFeatureIdByRegistrationContexts(superUser, SPACE1);
-        expect(featureIds).to.eql(['apm']);
-      });
-
-      it(`${secOnlyRead.username} should NOT be able to get feature id  for registration context 'observability.apm' in ${SPACE1}`, async () => {
-        const featureIds = await getApmFeatureIdByRegistrationContexts(secOnlyRead, SPACE1);
-        expect(featureIds).to.eql([]);
-      });
-
-      it(`${secOnlyRead.username} should be able to get feature id for registration context 'security' in ${SPACE1}`, async () => {
-        const featureIds = await getSecurityFeatureIdByRegistrationContexts(secOnlyRead, SPACE1);
-        expect(featureIds).to.eql(['siem']);
-      });
-    });
-  });
-};
diff --git a/x-pack/test/rule_registry/security_and_spaces/tests/basic/index.ts b/x-pack/test/rule_registry/security_and_spaces/tests/basic/index.ts
index 5237cd02c0c89..e7593121bc2d0 100644
--- a/x-pack/test/rule_registry/security_and_spaces/tests/basic/index.ts
+++ b/x-pack/test/rule_registry/security_and_spaces/tests/basic/index.ts
@@ -25,11 +25,10 @@ export default ({ loadTestFile, getService }: FtrProviderContext): void => {
     // loadTestFile(require.resolve('./update_alert'));
     // loadTestFile(require.resolve('./bulk_update_alerts'));
 
-    loadTestFile(require.resolve('./get_feature_ids_by_registration_contexts'));
     loadTestFile(require.resolve('./get_alerts_index'));
     loadTestFile(require.resolve('./find_alerts'));
     loadTestFile(require.resolve('./search_strategy'));
-    loadTestFile(require.resolve('./get_browser_fields_by_feature_id'));
+    loadTestFile(require.resolve('./get_browser_fields_by_rule_type_ids'));
     loadTestFile(require.resolve('./get_alert_summary'));
     loadTestFile(require.resolve('./get_aad_fields_by_rule_type'));
   });
diff --git a/x-pack/test/rule_registry/security_and_spaces/tests/basic/search_strategy.ts b/x-pack/test/rule_registry/security_and_spaces/tests/basic/search_strategy.ts
index 289fe4347e8f6..78ef1da93cec1 100644
--- a/x-pack/test/rule_registry/security_and_spaces/tests/basic/search_strategy.ts
+++ b/x-pack/test/rule_registry/security_and_spaces/tests/basic/search_strategy.ts
@@ -5,7 +5,6 @@
  * 2.0.
  */
 import expect from '@kbn/expect';
-import { AlertConsumers } from '@kbn/rule-data-utils';
 
 import type { RuleRegistrySearchResponse } from '@kbn/rule-registry-plugin/common';
 import type { FtrProviderContext } from '../../../common/ftr_provider_context';
@@ -39,6 +38,7 @@ export default ({ getService }: FtrProviderContext) => {
       before(async () => {
         await esArchiver.load('x-pack/test/functional/es_archives/observability/alerts');
       });
+
       after(async () => {
         await esArchiver.unload('x-pack/test/functional/es_archives/observability/alerts');
       });
@@ -54,15 +54,14 @@ export default ({ getService }: FtrProviderContext) => {
           kibanaVersion,
           internalOrigin: 'Kibana',
           options: {
-            featureIds: [AlertConsumers.LOGS],
+            ruleTypeIds: ['logs.alert.document.count'],
           },
           strategy: 'privateRuleRegistryAlertsSearchStrategy',
         });
+
         expect(result.rawResponse.hits.total).to.eql(5);
-        const consumers = result.rawResponse.hits.hits.map((hit) => {
-          return hit.fields?.['kibana.alert.rule.consumer'];
-        });
-        expect(consumers.every((consumer) => consumer === AlertConsumers.LOGS));
+
+        validateRuleTypeIds(result, ['logs.alert.document.count']);
       });
 
       it('should support pagination and sorting', async () => {
@@ -76,7 +75,7 @@ export default ({ getService }: FtrProviderContext) => {
           kibanaVersion,
           internalOrigin: 'Kibana',
           options: {
-            featureIds: [AlertConsumers.LOGS],
+            ruleTypeIds: ['logs.alert.document.count'],
             pagination: {
               pageSize: 2,
               pageIndex: 1,
@@ -91,25 +90,35 @@ export default ({ getService }: FtrProviderContext) => {
           },
           strategy: 'privateRuleRegistryAlertsSearchStrategy',
         });
+
         expect(result.rawResponse.hits.total).to.eql(5);
         expect(result.rawResponse.hits.hits.length).to.eql(2);
+
         const first = result.rawResponse.hits.hits[0].fields?.['kibana.alert.evaluation.value'];
         const second = result.rawResponse.hits.hits[1].fields?.['kibana.alert.evaluation.value'];
+
         expect(first > second).to.be(true);
       });
     });
 
     describe('siem', () => {
+      const siemRuleTypeIds = [
+        'siem.indicatorRule',
+        'siem.thresholdRule',
+        'siem.eqlRule',
+        'siem.queryRule',
+      ];
+
       before(async () => {
         await esArchiver.load('x-pack/test/functional/es_archives/observability/alerts');
         await esArchiver.load('x-pack/test/functional/es_archives/security_solution/alerts/8.1.0');
       });
 
       after(async () => {
+        await esArchiver.unload('x-pack/test/functional/es_archives/observability/alerts');
         await esArchiver.unload(
           'x-pack/test/functional/es_archives/security_solution/alerts/8.1.0'
         );
-        await esArchiver.unload('x-pack/test/functional/es_archives/observability/alerts');
       });
 
       it('should return alerts from siem rules', async () => {
@@ -123,15 +132,14 @@ export default ({ getService }: FtrProviderContext) => {
           kibanaVersion,
           internalOrigin: 'Kibana',
           options: {
-            featureIds: [AlertConsumers.SIEM],
+            ruleTypeIds: siemRuleTypeIds,
           },
           strategy: 'privateRuleRegistryAlertsSearchStrategy',
         });
+
         expect(result.rawResponse.hits.total).to.eql(50);
-        const consumers = result.rawResponse.hits.hits.map(
-          (hit) => hit.fields?.['kibana.alert.rule.consumer']
-        );
-        expect(consumers.every((consumer) => consumer === AlertConsumers.SIEM));
+
+        validateRuleTypeIds(result, siemRuleTypeIds);
       });
 
       it('should throw an error when trying to to search for more than just siem', async () => {
@@ -145,13 +153,14 @@ export default ({ getService }: FtrProviderContext) => {
           kibanaVersion,
           internalOrigin: 'Kibana',
           options: {
-            featureIds: [AlertConsumers.SIEM, AlertConsumers.LOGS],
+            ruleTypeIds: ['siem.indicatorRule', 'logs.alert.document.count'],
           },
           strategy: 'privateRuleRegistryAlertsSearchStrategy',
         });
-        expect(result.statusCode).to.be(500);
+
+        expect(result.statusCode).to.be(400);
         expect(result.message).to.be(
-          `The privateRuleRegistryAlertsSearchStrategy search strategy is unable to accommodate requests containing multiple feature IDs and one of those IDs is SIEM.`
+          'The privateRuleRegistryAlertsSearchStrategy search strategy is unable to accommodate requests containing multiple rule types with mixed authorization.'
         );
       });
 
@@ -168,7 +177,7 @@ export default ({ getService }: FtrProviderContext) => {
           kibanaVersion,
           internalOrigin: 'Kibana',
           options: {
-            featureIds: [AlertConsumers.SIEM],
+            ruleTypeIds: siemRuleTypeIds,
             runtimeMappings: {
               [runtimeFieldKey]: {
                 type: 'keyword',
@@ -180,18 +189,24 @@ export default ({ getService }: FtrProviderContext) => {
           },
           strategy: 'privateRuleRegistryAlertsSearchStrategy',
         });
+
         expect(result.rawResponse.hits.total).to.eql(50);
+
         const runtimeFields = result.rawResponse.hits.hits.map(
           (hit) => hit.fields?.[runtimeFieldKey]
         );
+
         expect(runtimeFields.every((field) => field === runtimeFieldValue));
       });
     });
 
     describe('apm', () => {
+      const apmRuleTypeIds = ['apm.transaction_error_rate', 'apm.error_rate'];
+
       before(async () => {
         await esArchiver.load('x-pack/test/functional/es_archives/observability/alerts');
       });
+
       after(async () => {
         await esArchiver.unload('x-pack/test/functional/es_archives/observability/alerts');
       });
@@ -207,19 +222,20 @@ export default ({ getService }: FtrProviderContext) => {
           kibanaVersion,
           internalOrigin: 'Kibana',
           options: {
-            featureIds: [AlertConsumers.APM],
+            ruleTypeIds: apmRuleTypeIds,
           },
           strategy: 'privateRuleRegistryAlertsSearchStrategy',
           space: 'default',
         });
+
         expect(result.rawResponse.hits.total).to.eql(9);
-        const consumers = result.rawResponse.hits.hits.map(
-          (hit) => hit.fields?.['kibana.alert.rule.consumer']
-        );
-        expect(consumers.every((consumer) => consumer === AlertConsumers.APM));
+
+        validateRuleTypeIds(result, apmRuleTypeIds);
       });
 
-      it('should not by pass our RBAC authz filter with a should filter', async () => {
+      it('should return alerts from different rules', async () => {
+        const ruleTypeIds = [...apmRuleTypeIds, 'logs.alert.document.count'];
+
         const result = await secureBsearch.send<RuleRegistrySearchResponse>({
           supertestWithoutAuth,
           auth: {
@@ -230,7 +246,83 @@ export default ({ getService }: FtrProviderContext) => {
           kibanaVersion,
           internalOrigin: 'Kibana',
           options: {
-            featureIds: [AlertConsumers.APM],
+            ruleTypeIds,
+          },
+          strategy: 'privateRuleRegistryAlertsSearchStrategy',
+          space: 'default',
+        });
+
+        expect(result.rawResponse.hits.total).to.eql(14);
+
+        validateRuleTypeIds(result, ruleTypeIds);
+      });
+
+      it('should filter alerts by rule type IDs with consumers', async () => {
+        const result = await secureBsearch.send<RuleRegistrySearchResponse>({
+          supertestWithoutAuth,
+          auth: {
+            username: obsOnlySpacesAll.username,
+            password: obsOnlySpacesAll.password,
+          },
+          referer: 'test',
+          kibanaVersion,
+          internalOrigin: 'Kibana',
+          options: {
+            ruleTypeIds: apmRuleTypeIds,
+            consumers: ['alerts', 'logs'],
+          },
+          strategy: 'privateRuleRegistryAlertsSearchStrategy',
+          space: 'default',
+        });
+
+        expect(result.rawResponse.hits.total).to.eql(9);
+
+        validateRuleTypeIds(result, apmRuleTypeIds);
+      });
+
+      it('should filter alerts by consumers with rule type IDs', async () => {
+        const ruleTypeIds = [...apmRuleTypeIds, 'logs.alert.document.count'];
+
+        const result = await secureBsearch.send<RuleRegistrySearchResponse>({
+          supertestWithoutAuth,
+          auth: {
+            username: obsOnlySpacesAll.username,
+            password: obsOnlySpacesAll.password,
+          },
+          referer: 'test',
+          kibanaVersion,
+          internalOrigin: 'Kibana',
+          options: {
+            ruleTypeIds,
+            consumers: ['alerts'],
+          },
+          strategy: 'privateRuleRegistryAlertsSearchStrategy',
+          space: 'default',
+        });
+
+        /**
+         *There are five documents of rule type logs.alert.document.count
+         * The four have the consumer set to alerts
+         * and the one has the consumer set to logs.
+         * All apm rule types (nine in total) have consumer set to alerts.
+         */
+        expect(result.rawResponse.hits.total).to.eql(13);
+
+        validateRuleTypeIds(result, ruleTypeIds);
+      });
+
+      it('should not by pass our RBAC authz filter with a should filter for rule type ids', async () => {
+        const result = await secureBsearch.send<RuleRegistrySearchResponse>({
+          supertestWithoutAuth,
+          auth: {
+            username: obsOnlySpacesAll.username,
+            password: obsOnlySpacesAll.password,
+          },
+          referer: 'test',
+          kibanaVersion,
+          internalOrigin: 'Kibana',
+          options: {
+            ruleTypeIds: apmRuleTypeIds,
             query: {
               bool: {
                 filter: [],
@@ -240,7 +332,7 @@ export default ({ getService }: FtrProviderContext) => {
                       should: [
                         {
                           match: {
-                            'kibana.alert.rule.consumer': 'logs',
+                            'kibana.alert.rule.rule_type_id': 'metrics.alert.inventory.threshold',
                           },
                         },
                       ],
@@ -256,14 +348,56 @@ export default ({ getService }: FtrProviderContext) => {
           strategy: 'privateRuleRegistryAlertsSearchStrategy',
           space: 'default',
         });
+
         expect(result.rawResponse.hits.total).to.eql(9);
-        const consumers = result.rawResponse.hits.hits.map(
-          (hit) => hit.fields?.['kibana.alert.rule.consumer']
-        );
-        expect(consumers.every((consumer) => consumer === AlertConsumers.APM));
+
+        validateRuleTypeIds(result, apmRuleTypeIds);
+      });
+
+      it('should not by pass our RBAC authz filter with a should filter for consumers', async () => {
+        const result = await secureBsearch.send<RuleRegistrySearchResponse>({
+          supertestWithoutAuth,
+          auth: {
+            username: obsOnlySpacesAll.username,
+            password: obsOnlySpacesAll.password,
+          },
+          referer: 'test',
+          kibanaVersion,
+          internalOrigin: 'Kibana',
+          options: {
+            ruleTypeIds: apmRuleTypeIds,
+            query: {
+              bool: {
+                filter: [],
+                should: [
+                  {
+                    bool: {
+                      should: [
+                        {
+                          match: {
+                            'kibana.alert.rule.consumer': 'infrastructure',
+                          },
+                        },
+                      ],
+                      minimum_should_match: 1,
+                    },
+                  },
+                ],
+                must: [],
+                must_not: [],
+              },
+            },
+          },
+          strategy: 'privateRuleRegistryAlertsSearchStrategy',
+          space: 'default',
+        });
+
+        expect(result.rawResponse.hits.total).to.eql(9);
+
+        validateRuleTypeIds(result, apmRuleTypeIds);
       });
 
-      it('should return an empty response with must filter and our RBAC authz filter', async () => {
+      it('should return an empty response with must filter and our RBAC authz filter for rule type ids', async () => {
         const result = await secureBsearch.send<RuleRegistrySearchResponse>({
           supertestWithoutAuth,
           auth: {
@@ -274,7 +408,7 @@ export default ({ getService }: FtrProviderContext) => {
           kibanaVersion,
           internalOrigin: 'Kibana',
           options: {
-            featureIds: [AlertConsumers.APM],
+            ruleTypeIds: apmRuleTypeIds,
             query: {
               bool: {
                 filter: [],
@@ -284,7 +418,7 @@ export default ({ getService }: FtrProviderContext) => {
                       should: [
                         {
                           match: {
-                            'kibana.alert.rule.consumer': 'logs',
+                            'kibana.alert.rule.rule_type_id': 'metrics.alert.inventory.threshold',
                           },
                         },
                       ],
@@ -300,10 +434,11 @@ export default ({ getService }: FtrProviderContext) => {
           strategy: 'privateRuleRegistryAlertsSearchStrategy',
           space: 'default',
         });
+
         expect(result.rawResponse.hits.total).to.eql(0);
       });
 
-      it('should not by pass our RBAC authz filter with must_not filter', async () => {
+      it('should return an empty response with must filter and our RBAC authz filter for consumers', async () => {
         const result = await secureBsearch.send<RuleRegistrySearchResponse>({
           supertestWithoutAuth,
           auth: {
@@ -314,7 +449,91 @@ export default ({ getService }: FtrProviderContext) => {
           kibanaVersion,
           internalOrigin: 'Kibana',
           options: {
-            featureIds: [AlertConsumers.APM],
+            ruleTypeIds: apmRuleTypeIds,
+            query: {
+              bool: {
+                filter: [],
+                must: [
+                  {
+                    bool: {
+                      should: [
+                        {
+                          match: {
+                            'kibana.alert.rule.consumer': 'infrastructure',
+                          },
+                        },
+                      ],
+                      minimum_should_match: 1,
+                    },
+                  },
+                ],
+                should: [],
+                must_not: [],
+              },
+            },
+          },
+          strategy: 'privateRuleRegistryAlertsSearchStrategy',
+          space: 'default',
+        });
+
+        expect(result.rawResponse.hits.total).to.eql(0);
+      });
+
+      it('should not by pass our RBAC authz filter with must_not filter for rule type ids', async () => {
+        const result = await secureBsearch.send<RuleRegistrySearchResponse>({
+          supertestWithoutAuth,
+          auth: {
+            username: obsOnlySpacesAll.username,
+            password: obsOnlySpacesAll.password,
+          },
+          referer: 'test',
+          kibanaVersion,
+          internalOrigin: 'Kibana',
+          options: {
+            ruleTypeIds: apmRuleTypeIds,
+            query: {
+              bool: {
+                filter: [],
+                must: [],
+                must_not: [
+                  {
+                    bool: {
+                      should: [
+                        ...apmRuleTypeIds.map((apmRuleTypeId) => ({
+                          match: {
+                            'kibana.alert.rule.rule_type_id': apmRuleTypeId,
+                          },
+                        })),
+                      ],
+                      minimum_should_match: apmRuleTypeIds.length,
+                    },
+                  },
+                ],
+                should: [],
+              },
+            },
+          },
+          strategy: 'privateRuleRegistryAlertsSearchStrategy',
+          space: 'default',
+        });
+
+        expect(result.rawResponse.hits.total).to.eql(9);
+
+        validateRuleTypeIds(result, apmRuleTypeIds);
+      });
+
+      it('should not by pass our RBAC authz filter with must_not filter for consumers', async () => {
+        const result = await secureBsearch.send<RuleRegistrySearchResponse>({
+          supertestWithoutAuth,
+          auth: {
+            username: obsOnlySpacesAll.username,
+            password: obsOnlySpacesAll.password,
+          },
+          referer: 'test',
+          kibanaVersion,
+          internalOrigin: 'Kibana',
+          options: {
+            ruleTypeIds: apmRuleTypeIds,
             query: {
               bool: {
                 filter: [],
@@ -340,11 +559,136 @@ export default ({ getService }: FtrProviderContext) => {
           strategy: 'privateRuleRegistryAlertsSearchStrategy',
           space: 'default',
         });
+
         expect(result.rawResponse.hits.total).to.eql(9);
-        const consumers = result.rawResponse.hits.hits.map(
-          (hit) => hit.fields?.['kibana.alert.rule.consumer']
-        );
-        expect(consumers.every((consumer) => consumer === AlertConsumers.APM));
+
+        validateRuleTypeIds(result, apmRuleTypeIds);
+      });
+
+      it('should not by pass our RBAC authz filter with the ruleTypeIds and consumers parameter', async () => {
+        const ruleTypeIds = [
+          ...apmRuleTypeIds,
+          'metrics.alert.inventory.threshold',
+          'metrics.alert.threshold',
+          '.es-query',
+        ];
+
+        const result = await secureBsearch.send<RuleRegistrySearchResponse>({
+          supertestWithoutAuth,
+          auth: {
+            /**
+             * obsOnlySpacesAll does not have access to the following pairs:
+             *
+             * Rule type ID: metrics.alert.inventory.threshold
+             * Consumer: alerts
+             *
+             * Rule type ID: metrics.alert.threshold
+             * Consumer: alerts
+             *
+             * Rule type ID: .es-query
+             * Consumer: discover
+             */
+            username: obsOnlySpacesAll.username,
+            password: obsOnlySpacesAll.password,
+          },
+          referer: 'test',
+          kibanaVersion,
+          internalOrigin: 'Kibana',
+          options: {
+            ruleTypeIds,
+            consumers: ['alerts', 'discover'],
+          },
+          strategy: 'privateRuleRegistryAlertsSearchStrategy',
+          space: 'default',
+        });
+
+        expect(result.rawResponse.hits.total).to.eql(9);
+
+        validateRuleTypeIds(result, apmRuleTypeIds);
+      });
+
+      it('should not return any alerts if the user does not have access to any alerts', async () => {
+        const result = await secureBsearch.send<RuleRegistrySearchResponseWithErrors>({
+          supertestWithoutAuth,
+          auth: {
+            username: obsOnlySpacesAll.username,
+            password: obsOnlySpacesAll.password,
+          },
+          referer: 'test',
+          kibanaVersion,
+          internalOrigin: 'Kibana',
+          options: {
+            ruleTypeIds: ['metrics.alert.threshold', 'metrics.alert.inventory.threshold'],
+          },
+          strategy: 'privateRuleRegistryAlertsSearchStrategy',
+          space: 'default',
+        });
+
+        expect(result.rawResponse.hits.total).to.eql(0);
+      });
+
+      it('should not return alerts that the user does not have access to', async () => {
+        const result = await secureBsearch.send<RuleRegistrySearchResponse>({
+          supertestWithoutAuth,
+          auth: {
+            username: obsOnlySpacesAll.username,
+            password: obsOnlySpacesAll.password,
+          },
+          referer: 'test',
+          kibanaVersion,
+          internalOrigin: 'Kibana',
+          options: {
+            ruleTypeIds: ['metrics.alert.threshold', 'logs.alert.document.count'],
+          },
+          strategy: 'privateRuleRegistryAlertsSearchStrategy',
+          space: 'default',
+        });
+
+        expect(result.rawResponse.hits.total).to.eql(5);
+        validateRuleTypeIds(result, ['logs.alert.document.count']);
+      });
+
+      it('should not return alerts if the user does not have access to using a filter', async () => {
+        const result = await secureBsearch.send<RuleRegistrySearchResponse>({
+          supertestWithoutAuth,
+          auth: {
+            username: obsOnlySpacesAll.username,
+            password: obsOnlySpacesAll.password,
+          },
+          referer: 'test',
+          kibanaVersion,
+          internalOrigin: 'Kibana',
+          options: {
+            ruleTypeIds: apmRuleTypeIds,
+            query: {
+              bool: {
+                filter: [],
+                should: [
+                  {
+                    bool: {
+                      should: [
+                        {
+                          match: {
+                            'kibana.alert.rule.rule_type_id': 'metrics.alert.inventory.threshold',
+                          },
+                        },
+                      ],
+                      minimum_should_match: 1,
+                    },
+                  },
+                ],
+                must: [],
+                must_not: [],
+              },
+            },
+          },
+          strategy: 'privateRuleRegistryAlertsSearchStrategy',
+          space: 'default',
+        });
+
+        expect(result.rawResponse.hits.total).to.eql(9);
+
+        validateRuleTypeIds(result, apmRuleTypeIds);
       });
     });
 
@@ -367,11 +711,13 @@ export default ({ getService }: FtrProviderContext) => {
           kibanaVersion,
           internalOrigin: 'Kibana',
           options: {
-            featureIds: ['discover'],
+            ruleTypeIds: ['.es-query'],
           },
           strategy: 'privateRuleRegistryAlertsSearchStrategy',
         });
 
+        validateRuleTypeIds(result, ['.es-query']);
+
         expect(result.rawResponse.hits.total).to.eql(1);
 
         const consumers = result.rawResponse.hits.hits.map((hit) => {
@@ -392,11 +738,13 @@ export default ({ getService }: FtrProviderContext) => {
           kibanaVersion,
           internalOrigin: 'Kibana',
           options: {
-            featureIds: ['discover'],
+            ruleTypeIds: ['.es-query'],
           },
           strategy: 'privateRuleRegistryAlertsSearchStrategy',
         });
 
+        validateRuleTypeIds(result, ['.es-query']);
+
         expect(result.rawResponse.hits.total).to.eql(1);
 
         const consumers = result.rawResponse.hits.hits.map((hit) => {
@@ -417,13 +765,12 @@ export default ({ getService }: FtrProviderContext) => {
           kibanaVersion,
           internalOrigin: 'Kibana',
           options: {
-            featureIds: ['discover'],
+            ruleTypeIds: ['.es-query'],
           },
           strategy: 'privateRuleRegistryAlertsSearchStrategy',
         });
 
-        expect(result.statusCode).to.be(500);
-        expect(result.message).to.be('Unauthorized to find alerts for any rule types');
+        expect(result.rawResponse.hits.total).to.eql(0);
       });
     });
 
@@ -439,12 +786,29 @@ export default ({ getService }: FtrProviderContext) => {
           kibanaVersion,
           internalOrigin: 'Kibana',
           options: {
-            featureIds: [],
+            ruleTypeIds: [],
           },
           strategy: 'privateRuleRegistryAlertsSearchStrategy',
         });
-        expect(result.rawResponse).to.eql({});
+
+        expect(result.rawResponse.hits.total).to.eql(0);
       });
     });
   });
 };
+
+const validateRuleTypeIds = (result: RuleRegistrySearchResponse, ruleTypeIdsToVerify: string[]) => {
+  expect(result.rawResponse.hits.total).to.greaterThan(0);
+
+  const ruleTypeIds = result.rawResponse.hits.hits
+    .map((hit) => {
+      return hit.fields?.['kibana.alert.rule.rule_type_id'];
+    })
+    .flat();
+
+  expect(
+    ruleTypeIds.every((ruleTypeId) =>
+      ruleTypeIdsToVerify.some((ruleTypeIdToVerify) => ruleTypeIdToVerify === ruleTypeId)
+    )
+  ).to.eql(true);
+};
diff --git a/x-pack/test/rule_registry/security_and_spaces/tests/basic/update_alert.ts b/x-pack/test/rule_registry/security_and_spaces/tests/basic/update_alert.ts
index 4d7607442fbcb..237f492ebf363 100644
--- a/x-pack/test/rule_registry/security_and_spaces/tests/basic/update_alert.ts
+++ b/x-pack/test/rule_registry/security_and_spaces/tests/basic/update_alert.ts
@@ -101,7 +101,6 @@ export default ({ getService }: FtrProviderContext) => {
     function addTests({ space, authorizedUsers, unauthorizedUsers, alertId, index }: TestCase) {
       authorizedUsers.forEach(({ username, password }) => {
         it(`${username} should be able to update alert ${alertId} in ${space}/${index}`, async () => {
-          await esArchiver.load('x-pack/test/functional/es_archives/rule_registry/alerts'); // since this is a success case, reload the test data immediately beforehand
           await supertestWithoutAuth
             .post(`${getSpaceUrlPrefix(space)}${TEST_URL}`)
             .auth(username, password)
diff --git a/x-pack/test/rule_registry/security_and_spaces/tests/trial/get_alerts.ts b/x-pack/test/rule_registry/security_and_spaces/tests/trial/get_alerts.ts
index f4aa5c503bc19..f3c4a4e6146a2 100644
--- a/x-pack/test/rule_registry/security_and_spaces/tests/trial/get_alerts.ts
+++ b/x-pack/test/rule_registry/security_and_spaces/tests/trial/get_alerts.ts
@@ -47,6 +47,11 @@ export default ({ getService }: FtrProviderContext) => {
     before(async () => {
       await esArchiver.load('x-pack/test/functional/es_archives/rule_registry/alerts');
     });
+
+    after(async () => {
+      await esArchiver.unload('x-pack/test/functional/es_archives/rule_registry/alerts');
+    });
+
     describe('Users:', () => {
       // user with minimal_read and alerts_read privileges should be able to access apm alert
       it(`${obsMinReadAlertsRead.username} should be able to access the APM alert in ${SPACE1}`, async () => {
diff --git a/x-pack/test/rule_registry/security_and_spaces/tests/trial/update_alert.ts b/x-pack/test/rule_registry/security_and_spaces/tests/trial/update_alert.ts
index 9b4e4b70d59c8..0de2adbf0f57f 100644
--- a/x-pack/test/rule_registry/security_and_spaces/tests/trial/update_alert.ts
+++ b/x-pack/test/rule_registry/security_and_spaces/tests/trial/update_alert.ts
@@ -46,9 +46,11 @@ export default ({ getService }: FtrProviderContext) => {
       beforeEach(async () => {
         await esArchiver.load('x-pack/test/functional/es_archives/rule_registry/alerts');
       });
+
       afterEach(async () => {
         await esArchiver.unload('x-pack/test/functional/es_archives/rule_registry/alerts');
       });
+
       it(`${superUser.username} should be able to update the APM alert in ${SPACE1}`, async () => {
         const apmIndex = await getAPMIndexName(superUser);
         await supertestWithoutAuth
diff --git a/x-pack/test/rule_registry/spaces_only/tests/trial/update_alert.ts b/x-pack/test/rule_registry/spaces_only/tests/trial/update_alert.ts
index 31c3cfdecb9ee..2fe7ff9dac0c4 100644
--- a/x-pack/test/rule_registry/spaces_only/tests/trial/update_alert.ts
+++ b/x-pack/test/rule_registry/spaces_only/tests/trial/update_alert.ts
@@ -90,7 +90,6 @@ export default ({ getService }: FtrProviderContext) => {
     });
 
     it(`${superUser.username} should be able to update alert ${APM_ALERT_ID} in ${SPACE2}/${APM_ALERT_INDEX}`, async () => {
-      await esArchiver.load('x-pack/test/functional/es_archives/rule_registry/alerts'); // since this is a success case, reload the test data immediately beforehand
       await supertestWithoutAuth
         .post(`${getSpaceUrlPrefix(SPACE2)}${TEST_URL}`)
         .set('kbn-xsrf', 'true')
diff --git a/x-pack/test/security_api_integration/plugins/features_provider/server/index.ts b/x-pack/test/security_api_integration/plugins/features_provider/server/index.ts
index 61100babefea7..9b7158aca7b32 100644
--- a/x-pack/test/security_api_integration/plugins/features_provider/server/index.ts
+++ b/x-pack/test/security_api_integration/plugins/features_provider/server/index.ts
@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import type { PluginSetupContract as AlertingPluginsSetup } from '@kbn/alerting-plugin/server/plugin';
+import type { AlertingServerSetup } from '@kbn/alerting-plugin/server/plugin';
 import { schema } from '@kbn/config-schema';
 import type { CoreSetup, Plugin, PluginInitializer } from '@kbn/core/server';
 import { DEFAULT_APP_CATEGORIES } from '@kbn/core/server';
@@ -16,7 +16,7 @@ import { initRoutes } from './init_routes';
 
 export interface PluginSetupDependencies {
   features: FeaturesPluginSetup;
-  alerting: AlertingPluginsSetup;
+  alerting: AlertingServerSetup;
 }
 
 export interface PluginStartDependencies {
@@ -110,7 +110,10 @@ function case2FeatureSplit(deps: PluginSetupDependencies) {
     category: DEFAULT_APP_CATEGORIES.kibana,
     id: 'case_2_feature_a',
     name: 'Case #2 feature A (DEPRECATED)',
-    alerting: ['alerting_rule_type_one', 'alerting_rule_type_two'],
+    alerting: [
+      { ruleTypeId: 'alerting_rule_type_one', consumers: ['case_2_feature_a'] },
+      { ruleTypeId: 'alerting_rule_type_two', consumers: ['case_2_feature_a'] },
+    ],
     cases: ['cases_owner_one', 'cases_owner_two'],
     privileges: {
       all: {
@@ -122,12 +125,18 @@ function case2FeatureSplit(deps: PluginSetupDependencies) {
         management: { kibana: ['management_one', 'management_two'] },
         alerting: {
           rule: {
-            all: ['alerting_rule_type_one', 'alerting_rule_type_two'],
-            read: ['alerting_rule_type_one', 'alerting_rule_type_two'],
+            all: [
+              { ruleTypeId: 'alerting_rule_type_one', consumers: ['case_2_feature_a'] },
+              { ruleTypeId: 'alerting_rule_type_two', consumers: ['case_2_feature_a'] },
+            ],
+            read: [
+              { ruleTypeId: 'alerting_rule_type_one', consumers: ['case_2_feature_a'] },
+              { ruleTypeId: 'alerting_rule_type_two', consumers: ['case_2_feature_a'] },
+            ],
           },
           alert: {
-            all: ['alerting_rule_type_one', 'alerting_rule_type_two'],
-            read: ['alerting_rule_type_one', 'alerting_rule_type_two'],
+            all: [{ ruleTypeId: 'alerting_rule_type_one', consumers: ['case_2_feature_a'] }],
+            read: [{ ruleTypeId: 'alerting_rule_type_two', consumers: ['case_2_feature_a'] }],
           },
         },
         cases: {
@@ -167,7 +176,12 @@ function case2FeatureSplit(deps: PluginSetupDependencies) {
     app: ['app_one'],
     catalogue: ['cat_one'],
     management: { kibana: ['management_one'] },
-    alerting: ['alerting_rule_type_one'],
+    // In addition to registering the `case_2_feature_b` consumer, we also need to register
+    // `case_2_feature_a` as an additional consumer to ensure that users with either deprecated or
+    // replacement privileges can access the rules, regardless of which one created them.
+    alerting: [
+      { ruleTypeId: 'alerting_rule_type_one', consumers: ['case_2_feature_a', 'case_2_feature_b'] },
+    ],
     cases: ['cases_owner_one'],
     privileges: {
       all: {
@@ -178,8 +192,34 @@ function case2FeatureSplit(deps: PluginSetupDependencies) {
         catalogue: ['cat_one'],
         management: { kibana: ['management_one'] },
         alerting: {
-          rule: { all: ['alerting_rule_type_one'], read: ['alerting_rule_type_one'] },
-          alert: { all: ['alerting_rule_type_one'], read: ['alerting_rule_type_one'] },
+          rule: {
+            all: [
+              {
+                ruleTypeId: 'alerting_rule_type_one',
+                consumers: ['case_2_feature_a', 'case_2_feature_b'],
+              },
+            ],
+            read: [
+              {
+                ruleTypeId: 'alerting_rule_type_one',
+                consumers: ['case_2_feature_a', 'case_2_feature_b'],
+              },
+            ],
+          },
+          alert: {
+            all: [
+              {
+                ruleTypeId: 'alerting_rule_type_one',
+                consumers: ['case_2_feature_a', 'case_2_feature_b'],
+              },
+            ],
+            read: [
+              {
+                ruleTypeId: 'alerting_rule_type_one',
+                consumers: ['case_2_feature_a', 'case_2_feature_b'],
+              },
+            ],
+          },
         },
         cases: {
           all: ['cases_owner_one'],
@@ -208,7 +248,12 @@ function case2FeatureSplit(deps: PluginSetupDependencies) {
     app: ['app_two'],
     catalogue: ['cat_two'],
     management: { kibana: ['management_two'] },
-    alerting: ['alerting_rule_type_two'],
+    // In addition to registering the `case_2_feature_c` consumer, we also need to register
+    // `case_2_feature_a` as an additional consumer to ensure that users with either deprecated or
+    // replacement privileges can access the rules, regardless of which one created them.
+    alerting: [
+      { ruleTypeId: 'alerting_rule_type_two', consumers: ['case_2_feature_a', 'case_2_feature_c'] },
+    ],
     cases: ['cases_owner_two'],
     privileges: {
       all: {
@@ -219,8 +264,34 @@ function case2FeatureSplit(deps: PluginSetupDependencies) {
         catalogue: ['cat_two'],
         management: { kibana: ['management_two'] },
         alerting: {
-          rule: { all: ['alerting_rule_type_two'], read: ['alerting_rule_type_two'] },
-          alert: { all: ['alerting_rule_type_two'], read: ['alerting_rule_type_two'] },
+          rule: {
+            all: [
+              {
+                ruleTypeId: 'alerting_rule_type_two',
+                consumers: ['case_2_feature_a', 'case_2_feature_c'],
+              },
+            ],
+            read: [
+              {
+                ruleTypeId: 'alerting_rule_type_two',
+                consumers: ['case_2_feature_a', 'case_2_feature_c'],
+              },
+            ],
+          },
+          alert: {
+            all: [
+              {
+                ruleTypeId: 'alerting_rule_type_two',
+                consumers: ['case_2_feature_a', 'case_2_feature_c'],
+              },
+            ],
+            read: [
+              {
+                ruleTypeId: 'alerting_rule_type_two',
+                consumers: ['case_2_feature_a', 'case_2_feature_c'],
+              },
+            ],
+          },
         },
         cases: {
           all: ['cases_owner_two'],
diff --git a/x-pack/test/security_api_integration/tests/features/deprecated_features.ts b/x-pack/test/security_api_integration/tests/features/deprecated_features.ts
index 29135ff2440b2..7887cd6a23dc0 100644
--- a/x-pack/test/security_api_integration/tests/features/deprecated_features.ts
+++ b/x-pack/test/security_api_integration/tests/features/deprecated_features.ts
@@ -492,56 +492,88 @@ export default function ({ getService }: FtrProviderContext) {
       const ruleOneTransformed = await createRule(
         transformedUser,
         'case_2_a_transform_one',
-        'case_2_feature_b',
+        'case_2_feature_a',
         'alerting_rule_type_one'
       );
       const ruleTwoTransformed = await createRule(
         transformedUser,
         'case_2_a_transform_two',
+        'case_2_feature_a',
+        'alerting_rule_type_two'
+      );
+
+      // Create rules as user with new privileges (B).
+      const newUserB = getUserCredentials('case_2_b_new');
+      const ruleOneNewBConsumerA = await createRule(
+        newUserB,
+        'case_2_b_new_one',
+        'case_2_feature_a',
+        'alerting_rule_type_one'
+      );
+      const ruleOneNewBConsumerB = await createRule(
+        newUserB,
+        'case_2_b_new_one',
+        'case_2_feature_b',
+        'alerting_rule_type_one'
+      );
+
+      // Create cases as user with new privileges (C).
+      const newUserC = getUserCredentials('case_2_c_new');
+      const ruleTwoNewCConsumerA = await createRule(
+        newUserC,
+        'case_2_c_new_two',
+        'case_2_feature_a',
+        'alerting_rule_type_two'
+      );
+      const ruleTwoNewCConsumerC = await createRule(
+        newUserC,
+        'case_2_c_new_two',
         'case_2_feature_c',
         'alerting_rule_type_two'
       );
 
       // Users with deprecated privileges should be able to access rules created by themselves and
-      // users with new privileges.
+      // users with new privileges assuming the consumer is the same.
       for (const ruleToCheck of [
         ruleOneDeprecated,
         ruleTwoDeprecated,
         ruleOneTransformed,
         ruleTwoTransformed,
+        ruleOneNewBConsumerA,
+        ruleTwoNewCConsumerA,
       ]) {
         expect(await getRule(deprecatedUser, ruleToCheck.id)).toBeDefined();
+        expect(await getRule(transformedUser, ruleToCheck.id)).toBeDefined();
       }
 
-      // NOTE: Scenarios below require SO migrations for both alerting rules and alerts to switch to
-      // a new producer that is tied to feature ID. Presumably we won't have this requirement once
-      // https://github.com/elastic/kibana/pull/183756 is resolved.
-
-      // Create rules as user with new privileges (B).
-      // const newUserB = getUserCredentials('case_2_b_new');
-      // const caseOneNewB = await createRule(newUserB, {
-      //   title: 'case_2_b_new_one',
-      //   owner: 'cases_owner_one',
-      // });
-      //
-      // // Create cases as user with new privileges (C).
-      // const newUserC = getUserCredentials('case_2_c_new');
-      // const caseTwoNewC = await createRule(newUserC, {
-      //   title: 'case_2_c_new_two',
-      //   owner: 'cases_owner_two',
-      // });
-      //
+      // Any new consumer that is not known to the deprecated feature shouldn't be available to the
+      // users with the deprecated privileges unless deprecated features are update to explicitly
+      // support new consumers.
+      for (const ruleToCheck of [ruleOneNewBConsumerB, ruleTwoNewCConsumerC]) {
+        expect(await getRule(deprecatedUser, ruleToCheck.id)).toBeUndefined();
+        expect(await getRule(transformedUser, ruleToCheck.id)).toBeDefined();
+      }
 
-      // User B and User C should be able to access cases created by themselves and users with
-      // deprecated and transformed privileges, but only for the specific owner.
-      // for (const caseToCheck of [ruleOneDeprecated, ruleOneTransformed, caseOneNewB]) {
-      //   expect(await getRule(newUserB, caseToCheck.id)).toBeDefined();
-      //   expect(await getRule(newUserC, caseToCheck.id)).toBeUndefined();
-      // }
-      // for (const caseToCheck of [ruleTwoDeprecated, ruleTwoTransformed, caseTwoNewC]) {
-      //   expect(await getRule(newUserC, caseToCheck.id)).toBeDefined();
-      //   expect(await getRule(newUserB, caseToCheck.id)).toBeUndefined();
-      // }
+      // User B and User C should be able to access rule types created by themselves and users with
+      // deprecated and transformed privileges, but only for the specific consumer.
+      for (const ruleToCheck of [
+        ruleOneDeprecated,
+        ruleOneTransformed,
+        ruleOneNewBConsumerA,
+        ruleOneNewBConsumerB,
+      ]) {
+        expect(await getRule(newUserB, ruleToCheck.id)).toBeDefined();
+        expect(await getRule(newUserC, ruleToCheck.id)).toBeUndefined();
+      }
+      for (const ruleToCheck of [
+        ruleTwoDeprecated,
+        ruleTwoTransformed,
+        ruleTwoNewCConsumerA,
+        ruleTwoNewCConsumerC,
+      ]) {
+        expect(await getRule(newUserC, ruleToCheck.id)).toBeDefined();
+        expect(await getRule(newUserB, ruleToCheck.id)).toBeUndefined();
+      }
     });
   });
 }
diff --git a/x-pack/test_serverless/api_integration/test_suites/observability/platform_security/authorization.ts b/x-pack/test_serverless/api_integration/test_suites/observability/platform_security/authorization.ts
index c77d5041aba06..b6dbceedfe65e 100644
--- a/x-pack/test_serverless/api_integration/test_suites/observability/platform_security/authorization.ts
+++ b/x-pack/test_serverless/api_integration/test_suites/observability/platform_security/authorization.ts
@@ -44,6 +44,7 @@ export default function ({ getService }: FtrProviderContext) {
         const features = Object.fromEntries(
           Object.entries(body.features).filter(([key]) => compositeFeatureIds.includes(key))
         );
+
         expectSnapshot(features).toMatchInline(`
           Object {
             "apm": Object {
@@ -126,6 +127,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.error_rate/apm/rule/runSoon",
                 "alerting:apm.error_rate/apm/rule/scheduleBackfill",
                 "alerting:apm.error_rate/apm/rule/deleteBackfill",
+                "alerting:apm.error_rate/alerts/rule/get",
+                "alerting:apm.error_rate/alerts/rule/getRuleState",
+                "alerting:apm.error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.error_rate/alerts/rule/find",
+                "alerting:apm.error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/alerts/rule/getBackfill",
+                "alerting:apm.error_rate/alerts/rule/findBackfill",
+                "alerting:apm.error_rate/alerts/rule/create",
+                "alerting:apm.error_rate/alerts/rule/delete",
+                "alerting:apm.error_rate/alerts/rule/update",
+                "alerting:apm.error_rate/alerts/rule/updateApiKey",
+                "alerting:apm.error_rate/alerts/rule/enable",
+                "alerting:apm.error_rate/alerts/rule/disable",
+                "alerting:apm.error_rate/alerts/rule/muteAll",
+                "alerting:apm.error_rate/alerts/rule/unmuteAll",
+                "alerting:apm.error_rate/alerts/rule/muteAlert",
+                "alerting:apm.error_rate/alerts/rule/unmuteAlert",
+                "alerting:apm.error_rate/alerts/rule/snooze",
+                "alerting:apm.error_rate/alerts/rule/bulkEdit",
+                "alerting:apm.error_rate/alerts/rule/bulkDelete",
+                "alerting:apm.error_rate/alerts/rule/bulkEnable",
+                "alerting:apm.error_rate/alerts/rule/bulkDisable",
+                "alerting:apm.error_rate/alerts/rule/unsnooze",
+                "alerting:apm.error_rate/alerts/rule/runSoon",
+                "alerting:apm.error_rate/alerts/rule/scheduleBackfill",
+                "alerting:apm.error_rate/alerts/rule/deleteBackfill",
                 "alerting:apm.transaction_error_rate/apm/rule/get",
                 "alerting:apm.transaction_error_rate/apm/rule/getRuleState",
                 "alerting:apm.transaction_error_rate/apm/rule/getAlertSummary",
@@ -154,6 +183,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.transaction_error_rate/apm/rule/runSoon",
                 "alerting:apm.transaction_error_rate/apm/rule/scheduleBackfill",
                 "alerting:apm.transaction_error_rate/apm/rule/deleteBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/get",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/find",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/alerts/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/create",
+                "alerting:apm.transaction_error_rate/alerts/rule/delete",
+                "alerting:apm.transaction_error_rate/alerts/rule/update",
+                "alerting:apm.transaction_error_rate/alerts/rule/updateApiKey",
+                "alerting:apm.transaction_error_rate/alerts/rule/enable",
+                "alerting:apm.transaction_error_rate/alerts/rule/disable",
+                "alerting:apm.transaction_error_rate/alerts/rule/muteAll",
+                "alerting:apm.transaction_error_rate/alerts/rule/unmuteAll",
+                "alerting:apm.transaction_error_rate/alerts/rule/muteAlert",
+                "alerting:apm.transaction_error_rate/alerts/rule/unmuteAlert",
+                "alerting:apm.transaction_error_rate/alerts/rule/snooze",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkEdit",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkDelete",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkEnable",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkDisable",
+                "alerting:apm.transaction_error_rate/alerts/rule/unsnooze",
+                "alerting:apm.transaction_error_rate/alerts/rule/runSoon",
+                "alerting:apm.transaction_error_rate/alerts/rule/scheduleBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/deleteBackfill",
                 "alerting:apm.transaction_duration/apm/rule/get",
                 "alerting:apm.transaction_duration/apm/rule/getRuleState",
                 "alerting:apm.transaction_duration/apm/rule/getAlertSummary",
@@ -182,6 +239,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.transaction_duration/apm/rule/runSoon",
                 "alerting:apm.transaction_duration/apm/rule/scheduleBackfill",
                 "alerting:apm.transaction_duration/apm/rule/deleteBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/get",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleState",
+                "alerting:apm.transaction_duration/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/alerts/rule/find",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/alerts/rule/getBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/findBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/create",
+                "alerting:apm.transaction_duration/alerts/rule/delete",
+                "alerting:apm.transaction_duration/alerts/rule/update",
+                "alerting:apm.transaction_duration/alerts/rule/updateApiKey",
+                "alerting:apm.transaction_duration/alerts/rule/enable",
+                "alerting:apm.transaction_duration/alerts/rule/disable",
+                "alerting:apm.transaction_duration/alerts/rule/muteAll",
+                "alerting:apm.transaction_duration/alerts/rule/unmuteAll",
+                "alerting:apm.transaction_duration/alerts/rule/muteAlert",
+                "alerting:apm.transaction_duration/alerts/rule/unmuteAlert",
+                "alerting:apm.transaction_duration/alerts/rule/snooze",
+                "alerting:apm.transaction_duration/alerts/rule/bulkEdit",
+                "alerting:apm.transaction_duration/alerts/rule/bulkDelete",
+                "alerting:apm.transaction_duration/alerts/rule/bulkEnable",
+                "alerting:apm.transaction_duration/alerts/rule/bulkDisable",
+                "alerting:apm.transaction_duration/alerts/rule/unsnooze",
+                "alerting:apm.transaction_duration/alerts/rule/runSoon",
+                "alerting:apm.transaction_duration/alerts/rule/scheduleBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/deleteBackfill",
                 "alerting:apm.anomaly/apm/rule/get",
                 "alerting:apm.anomaly/apm/rule/getRuleState",
                 "alerting:apm.anomaly/apm/rule/getAlertSummary",
@@ -210,26 +295,74 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.anomaly/apm/rule/runSoon",
                 "alerting:apm.anomaly/apm/rule/scheduleBackfill",
                 "alerting:apm.anomaly/apm/rule/deleteBackfill",
+                "alerting:apm.anomaly/alerts/rule/get",
+                "alerting:apm.anomaly/alerts/rule/getRuleState",
+                "alerting:apm.anomaly/alerts/rule/getAlertSummary",
+                "alerting:apm.anomaly/alerts/rule/getExecutionLog",
+                "alerting:apm.anomaly/alerts/rule/getActionErrorLog",
+                "alerting:apm.anomaly/alerts/rule/find",
+                "alerting:apm.anomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/alerts/rule/getBackfill",
+                "alerting:apm.anomaly/alerts/rule/findBackfill",
+                "alerting:apm.anomaly/alerts/rule/create",
+                "alerting:apm.anomaly/alerts/rule/delete",
+                "alerting:apm.anomaly/alerts/rule/update",
+                "alerting:apm.anomaly/alerts/rule/updateApiKey",
+                "alerting:apm.anomaly/alerts/rule/enable",
+                "alerting:apm.anomaly/alerts/rule/disable",
+                "alerting:apm.anomaly/alerts/rule/muteAll",
+                "alerting:apm.anomaly/alerts/rule/unmuteAll",
+                "alerting:apm.anomaly/alerts/rule/muteAlert",
+                "alerting:apm.anomaly/alerts/rule/unmuteAlert",
+                "alerting:apm.anomaly/alerts/rule/snooze",
+                "alerting:apm.anomaly/alerts/rule/bulkEdit",
+                "alerting:apm.anomaly/alerts/rule/bulkDelete",
+                "alerting:apm.anomaly/alerts/rule/bulkEnable",
+                "alerting:apm.anomaly/alerts/rule/bulkDisable",
+                "alerting:apm.anomaly/alerts/rule/unsnooze",
+                "alerting:apm.anomaly/alerts/rule/runSoon",
+                "alerting:apm.anomaly/alerts/rule/scheduleBackfill",
+                "alerting:apm.anomaly/alerts/rule/deleteBackfill",
                 "alerting:apm.error_rate/apm/alert/get",
                 "alerting:apm.error_rate/apm/alert/find",
                 "alerting:apm.error_rate/apm/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.error_rate/apm/alert/getAlertSummary",
                 "alerting:apm.error_rate/apm/alert/update",
+                "alerting:apm.error_rate/alerts/alert/get",
+                "alerting:apm.error_rate/alerts/alert/find",
+                "alerting:apm.error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/alerts/alert/getAlertSummary",
+                "alerting:apm.error_rate/alerts/alert/update",
                 "alerting:apm.transaction_error_rate/apm/alert/get",
                 "alerting:apm.transaction_error_rate/apm/alert/find",
                 "alerting:apm.transaction_error_rate/apm/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_error_rate/apm/alert/getAlertSummary",
                 "alerting:apm.transaction_error_rate/apm/alert/update",
+                "alerting:apm.transaction_error_rate/alerts/alert/get",
+                "alerting:apm.transaction_error_rate/alerts/alert/find",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/alert/update",
                 "alerting:apm.transaction_duration/apm/alert/get",
                 "alerting:apm.transaction_duration/apm/alert/find",
                 "alerting:apm.transaction_duration/apm/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_duration/apm/alert/getAlertSummary",
                 "alerting:apm.transaction_duration/apm/alert/update",
+                "alerting:apm.transaction_duration/alerts/alert/get",
+                "alerting:apm.transaction_duration/alerts/alert/find",
+                "alerting:apm.transaction_duration/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/alerts/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/alert/update",
                 "alerting:apm.anomaly/apm/alert/get",
                 "alerting:apm.anomaly/apm/alert/find",
                 "alerting:apm.anomaly/apm/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.anomaly/apm/alert/getAlertSummary",
                 "alerting:apm.anomaly/apm/alert/update",
+                "alerting:apm.anomaly/alerts/alert/get",
+                "alerting:apm.anomaly/alerts/alert/find",
+                "alerting:apm.anomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/alerts/alert/getAlertSummary",
+                "alerting:apm.anomaly/alerts/alert/update",
                 "api:infra",
                 "app:infra",
                 "app:logs",
@@ -294,6 +427,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:logs.alert.document.count/logs/rule/runSoon",
                 "alerting:logs.alert.document.count/logs/rule/scheduleBackfill",
                 "alerting:logs.alert.document.count/logs/rule/deleteBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/get",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleState",
+                "alerting:logs.alert.document.count/alerts/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/alerts/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/alerts/rule/find",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/alerts/rule/getBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/findBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/create",
+                "alerting:logs.alert.document.count/alerts/rule/delete",
+                "alerting:logs.alert.document.count/alerts/rule/update",
+                "alerting:logs.alert.document.count/alerts/rule/updateApiKey",
+                "alerting:logs.alert.document.count/alerts/rule/enable",
+                "alerting:logs.alert.document.count/alerts/rule/disable",
+                "alerting:logs.alert.document.count/alerts/rule/muteAll",
+                "alerting:logs.alert.document.count/alerts/rule/unmuteAll",
+                "alerting:logs.alert.document.count/alerts/rule/muteAlert",
+                "alerting:logs.alert.document.count/alerts/rule/unmuteAlert",
+                "alerting:logs.alert.document.count/alerts/rule/snooze",
+                "alerting:logs.alert.document.count/alerts/rule/bulkEdit",
+                "alerting:logs.alert.document.count/alerts/rule/bulkDelete",
+                "alerting:logs.alert.document.count/alerts/rule/bulkEnable",
+                "alerting:logs.alert.document.count/alerts/rule/bulkDisable",
+                "alerting:logs.alert.document.count/alerts/rule/unsnooze",
+                "alerting:logs.alert.document.count/alerts/rule/runSoon",
+                "alerting:logs.alert.document.count/alerts/rule/scheduleBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/deleteBackfill",
                 "alerting:.es-query/logs/rule/get",
                 "alerting:.es-query/logs/rule/getRuleState",
                 "alerting:.es-query/logs/rule/getAlertSummary",
@@ -322,6 +483,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:.es-query/logs/rule/runSoon",
                 "alerting:.es-query/logs/rule/scheduleBackfill",
                 "alerting:.es-query/logs/rule/deleteBackfill",
+                "alerting:.es-query/alerts/rule/get",
+                "alerting:.es-query/alerts/rule/getRuleState",
+                "alerting:.es-query/alerts/rule/getAlertSummary",
+                "alerting:.es-query/alerts/rule/getExecutionLog",
+                "alerting:.es-query/alerts/rule/getActionErrorLog",
+                "alerting:.es-query/alerts/rule/find",
+                "alerting:.es-query/alerts/rule/getRuleExecutionKPI",
+                "alerting:.es-query/alerts/rule/getBackfill",
+                "alerting:.es-query/alerts/rule/findBackfill",
+                "alerting:.es-query/alerts/rule/create",
+                "alerting:.es-query/alerts/rule/delete",
+                "alerting:.es-query/alerts/rule/update",
+                "alerting:.es-query/alerts/rule/updateApiKey",
+                "alerting:.es-query/alerts/rule/enable",
+                "alerting:.es-query/alerts/rule/disable",
+                "alerting:.es-query/alerts/rule/muteAll",
+                "alerting:.es-query/alerts/rule/unmuteAll",
+                "alerting:.es-query/alerts/rule/muteAlert",
+                "alerting:.es-query/alerts/rule/unmuteAlert",
+                "alerting:.es-query/alerts/rule/snooze",
+                "alerting:.es-query/alerts/rule/bulkEdit",
+                "alerting:.es-query/alerts/rule/bulkDelete",
+                "alerting:.es-query/alerts/rule/bulkEnable",
+                "alerting:.es-query/alerts/rule/bulkDisable",
+                "alerting:.es-query/alerts/rule/unsnooze",
+                "alerting:.es-query/alerts/rule/runSoon",
+                "alerting:.es-query/alerts/rule/scheduleBackfill",
+                "alerting:.es-query/alerts/rule/deleteBackfill",
                 "alerting:observability.rules.custom_threshold/logs/rule/get",
                 "alerting:observability.rules.custom_threshold/logs/rule/getRuleState",
                 "alerting:observability.rules.custom_threshold/logs/rule/getAlertSummary",
@@ -350,6 +539,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:observability.rules.custom_threshold/logs/rule/runSoon",
                 "alerting:observability.rules.custom_threshold/logs/rule/scheduleBackfill",
                 "alerting:observability.rules.custom_threshold/logs/rule/deleteBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/get",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/find",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/create",
+                "alerting:observability.rules.custom_threshold/alerts/rule/delete",
+                "alerting:observability.rules.custom_threshold/alerts/rule/update",
+                "alerting:observability.rules.custom_threshold/alerts/rule/updateApiKey",
+                "alerting:observability.rules.custom_threshold/alerts/rule/enable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/disable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/muteAll",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unmuteAll",
+                "alerting:observability.rules.custom_threshold/alerts/rule/muteAlert",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unmuteAlert",
+                "alerting:observability.rules.custom_threshold/alerts/rule/snooze",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkEdit",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkDelete",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkEnable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkDisable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unsnooze",
+                "alerting:observability.rules.custom_threshold/alerts/rule/runSoon",
+                "alerting:observability.rules.custom_threshold/alerts/rule/scheduleBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/deleteBackfill",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/get",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleState",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getAlertSummary",
@@ -378,171 +595,79 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/runSoon",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/scheduleBackfill",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/deleteBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/deleteBackfill",
                 "alerting:logs.alert.document.count/logs/alert/get",
                 "alerting:logs.alert.document.count/logs/alert/find",
                 "alerting:logs.alert.document.count/logs/alert/getAuthorizedAlertsIndices",
                 "alerting:logs.alert.document.count/logs/alert/getAlertSummary",
                 "alerting:logs.alert.document.count/logs/alert/update",
+                "alerting:logs.alert.document.count/alerts/alert/get",
+                "alerting:logs.alert.document.count/alerts/alert/find",
+                "alerting:logs.alert.document.count/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/alerts/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/alert/update",
                 "alerting:.es-query/logs/alert/get",
                 "alerting:.es-query/logs/alert/find",
                 "alerting:.es-query/logs/alert/getAuthorizedAlertsIndices",
                 "alerting:.es-query/logs/alert/getAlertSummary",
                 "alerting:.es-query/logs/alert/update",
+                "alerting:.es-query/alerts/alert/get",
+                "alerting:.es-query/alerts/alert/find",
+                "alerting:.es-query/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/alerts/alert/getAlertSummary",
+                "alerting:.es-query/alerts/alert/update",
                 "alerting:observability.rules.custom_threshold/logs/alert/get",
                 "alerting:observability.rules.custom_threshold/logs/alert/find",
                 "alerting:observability.rules.custom_threshold/logs/alert/getAuthorizedAlertsIndices",
                 "alerting:observability.rules.custom_threshold/logs/alert/getAlertSummary",
                 "alerting:observability.rules.custom_threshold/logs/alert/update",
+                "alerting:observability.rules.custom_threshold/alerts/alert/get",
+                "alerting:observability.rules.custom_threshold/alerts/alert/find",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/alert/update",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/alert/get",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/alert/find",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAlertSummary",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/alert/update",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/update",
                 "app:observability",
                 "ui:catalogue/observability",
                 "ui:navLinks/observability",
                 "ui:observability/read",
                 "ui:observability/write",
-                "alerting:slo.rules.burnRate/observability/rule/get",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
-                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
-                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
-                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
-                "alerting:slo.rules.burnRate/observability/rule/find",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
-                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/create",
-                "alerting:slo.rules.burnRate/observability/rule/delete",
-                "alerting:slo.rules.burnRate/observability/rule/update",
-                "alerting:slo.rules.burnRate/observability/rule/updateApiKey",
-                "alerting:slo.rules.burnRate/observability/rule/enable",
-                "alerting:slo.rules.burnRate/observability/rule/disable",
-                "alerting:slo.rules.burnRate/observability/rule/muteAll",
-                "alerting:slo.rules.burnRate/observability/rule/unmuteAll",
-                "alerting:slo.rules.burnRate/observability/rule/muteAlert",
-                "alerting:slo.rules.burnRate/observability/rule/unmuteAlert",
-                "alerting:slo.rules.burnRate/observability/rule/snooze",
-                "alerting:slo.rules.burnRate/observability/rule/bulkEdit",
-                "alerting:slo.rules.burnRate/observability/rule/bulkDelete",
-                "alerting:slo.rules.burnRate/observability/rule/bulkEnable",
-                "alerting:slo.rules.burnRate/observability/rule/bulkDisable",
-                "alerting:slo.rules.burnRate/observability/rule/unsnooze",
-                "alerting:slo.rules.burnRate/observability/rule/runSoon",
-                "alerting:slo.rules.burnRate/observability/rule/scheduleBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/deleteBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/get",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
-                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/find",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/create",
-                "alerting:observability.rules.custom_threshold/observability/rule/delete",
-                "alerting:observability.rules.custom_threshold/observability/rule/update",
-                "alerting:observability.rules.custom_threshold/observability/rule/updateApiKey",
-                "alerting:observability.rules.custom_threshold/observability/rule/enable",
-                "alerting:observability.rules.custom_threshold/observability/rule/disable",
-                "alerting:observability.rules.custom_threshold/observability/rule/muteAll",
-                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAll",
-                "alerting:observability.rules.custom_threshold/observability/rule/muteAlert",
-                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAlert",
-                "alerting:observability.rules.custom_threshold/observability/rule/snooze",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkEdit",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkDelete",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkEnable",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkDisable",
-                "alerting:observability.rules.custom_threshold/observability/rule/unsnooze",
-                "alerting:observability.rules.custom_threshold/observability/rule/runSoon",
-                "alerting:observability.rules.custom_threshold/observability/rule/scheduleBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/deleteBackfill",
-                "alerting:.es-query/observability/rule/get",
-                "alerting:.es-query/observability/rule/getRuleState",
-                "alerting:.es-query/observability/rule/getAlertSummary",
-                "alerting:.es-query/observability/rule/getExecutionLog",
-                "alerting:.es-query/observability/rule/getActionErrorLog",
-                "alerting:.es-query/observability/rule/find",
-                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
-                "alerting:.es-query/observability/rule/getBackfill",
-                "alerting:.es-query/observability/rule/findBackfill",
-                "alerting:.es-query/observability/rule/create",
-                "alerting:.es-query/observability/rule/delete",
-                "alerting:.es-query/observability/rule/update",
-                "alerting:.es-query/observability/rule/updateApiKey",
-                "alerting:.es-query/observability/rule/enable",
-                "alerting:.es-query/observability/rule/disable",
-                "alerting:.es-query/observability/rule/muteAll",
-                "alerting:.es-query/observability/rule/unmuteAll",
-                "alerting:.es-query/observability/rule/muteAlert",
-                "alerting:.es-query/observability/rule/unmuteAlert",
-                "alerting:.es-query/observability/rule/snooze",
-                "alerting:.es-query/observability/rule/bulkEdit",
-                "alerting:.es-query/observability/rule/bulkDelete",
-                "alerting:.es-query/observability/rule/bulkEnable",
-                "alerting:.es-query/observability/rule/bulkDisable",
-                "alerting:.es-query/observability/rule/unsnooze",
-                "alerting:.es-query/observability/rule/runSoon",
-                "alerting:.es-query/observability/rule/scheduleBackfill",
-                "alerting:.es-query/observability/rule/deleteBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/create",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/delete",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/update",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/updateApiKey",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/enable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/disable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/snooze",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEdit",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDelete",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEnable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDisable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unsnooze",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/runSoon",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/scheduleBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/deleteBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/create",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/delete",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/update",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/updateApiKey",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/enable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/disable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAll",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAll",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAlert",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAlert",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/snooze",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEdit",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDelete",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEnable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDisable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unsnooze",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/runSoon",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/scheduleBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/deleteBackfill",
                 "alerting:apm.error_rate/observability/rule/get",
                 "alerting:apm.error_rate/observability/rule/getRuleState",
                 "alerting:apm.error_rate/observability/rule/getAlertSummary",
@@ -683,6 +808,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/runSoon",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/scheduleBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/deleteBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/create",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/delete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/enable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/disable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/snooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/deleteBackfill",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/get",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getAlertSummary",
@@ -711,121 +864,728 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/runSoon",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/scheduleBackfill",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/deleteBackfill",
-                "alerting:slo.rules.burnRate/observability/alert/get",
-                "alerting:slo.rules.burnRate/observability/alert/find",
-                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
-                "alerting:slo.rules.burnRate/observability/alert/update",
-                "alerting:observability.rules.custom_threshold/observability/alert/get",
-                "alerting:observability.rules.custom_threshold/observability/alert/find",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/alert/update",
-                "alerting:.es-query/observability/alert/get",
-                "alerting:.es-query/observability/alert/find",
-                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/observability/alert/getAlertSummary",
-                "alerting:.es-query/observability/alert/update",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/update",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/update",
-                "alerting:apm.error_rate/observability/alert/get",
-                "alerting:apm.error_rate/observability/alert/find",
-                "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.error_rate/observability/alert/getAlertSummary",
-                "alerting:apm.error_rate/observability/alert/update",
-                "alerting:apm.transaction_error_rate/observability/alert/get",
-                "alerting:apm.transaction_error_rate/observability/alert/find",
-                "alerting:apm.transaction_error_rate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.transaction_error_rate/observability/alert/getAlertSummary",
-                "alerting:apm.transaction_error_rate/observability/alert/update",
-                "alerting:apm.transaction_duration/observability/alert/get",
-                "alerting:apm.transaction_duration/observability/alert/find",
-                "alerting:apm.transaction_duration/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.transaction_duration/observability/alert/getAlertSummary",
-                "alerting:apm.transaction_duration/observability/alert/update",
-                "alerting:apm.anomaly/observability/alert/get",
-                "alerting:apm.anomaly/observability/alert/find",
-                "alerting:apm.anomaly/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.anomaly/observability/alert/getAlertSummary",
-                "alerting:apm.anomaly/observability/alert/update",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/get",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/update",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/get",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/find",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/update",
-              ],
-              "minimal_all": Array [
-                "login:",
-                "api:apm",
-                "api:apm_write",
-                "api:rac",
-                "app:apm",
-                "app:ux",
-                "app:kibana",
-                "ui:catalogue/apm",
-                "ui:management/insightsAndAlerting/triggersActions",
-                "ui:navLinks/apm",
-                "ui:navLinks/ux",
-                "ui:navLinks/kibana",
-                "saved_object:telemetry/bulk_get",
-                "saved_object:telemetry/get",
-                "saved_object:telemetry/find",
-                "saved_object:telemetry/open_point_in_time",
-                "saved_object:telemetry/close_point_in_time",
-                "saved_object:telemetry/create",
-                "saved_object:telemetry/bulk_create",
-                "saved_object:telemetry/update",
-                "saved_object:telemetry/bulk_update",
-                "saved_object:telemetry/delete",
-                "saved_object:telemetry/bulk_delete",
-                "saved_object:telemetry/share_to_space",
-                "saved_object:apm-indices/bulk_get",
-                "saved_object:apm-indices/get",
-                "saved_object:apm-indices/find",
-                "saved_object:apm-indices/open_point_in_time",
-                "saved_object:apm-indices/close_point_in_time",
-                "saved_object:config/bulk_get",
-                "saved_object:config/get",
-                "saved_object:config/find",
-                "saved_object:config/open_point_in_time",
-                "saved_object:config/close_point_in_time",
-                "saved_object:config-global/bulk_get",
-                "saved_object:config-global/get",
-                "saved_object:config-global/find",
-                "saved_object:config-global/open_point_in_time",
-                "saved_object:config-global/close_point_in_time",
-                "saved_object:url/bulk_get",
-                "saved_object:url/get",
-                "saved_object:url/find",
-                "saved_object:url/open_point_in_time",
-                "saved_object:url/close_point_in_time",
-                "ui:apm/show",
-                "ui:apm/save",
-                "ui:apm/alerting:show",
-                "ui:apm/alerting:save",
-                "alerting:apm.error_rate/apm/rule/get",
-                "alerting:apm.error_rate/apm/rule/getRuleState",
-                "alerting:apm.error_rate/apm/rule/getAlertSummary",
-                "alerting:apm.error_rate/apm/rule/getExecutionLog",
-                "alerting:apm.error_rate/apm/rule/getActionErrorLog",
-                "alerting:apm.error_rate/apm/rule/find",
-                "alerting:apm.error_rate/apm/rule/getRuleExecutionKPI",
-                "alerting:apm.error_rate/apm/rule/getBackfill",
-                "alerting:apm.error_rate/apm/rule/findBackfill",
-                "alerting:apm.error_rate/apm/rule/create",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/create",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/delete",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/update",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/enable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/disable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/snooze",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/deleteBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/get",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/observability/rule/find",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/create",
+                "alerting:metrics.alert.threshold/observability/rule/delete",
+                "alerting:metrics.alert.threshold/observability/rule/update",
+                "alerting:metrics.alert.threshold/observability/rule/updateApiKey",
+                "alerting:metrics.alert.threshold/observability/rule/enable",
+                "alerting:metrics.alert.threshold/observability/rule/disable",
+                "alerting:metrics.alert.threshold/observability/rule/muteAll",
+                "alerting:metrics.alert.threshold/observability/rule/unmuteAll",
+                "alerting:metrics.alert.threshold/observability/rule/muteAlert",
+                "alerting:metrics.alert.threshold/observability/rule/unmuteAlert",
+                "alerting:metrics.alert.threshold/observability/rule/snooze",
+                "alerting:metrics.alert.threshold/observability/rule/bulkEdit",
+                "alerting:metrics.alert.threshold/observability/rule/bulkDelete",
+                "alerting:metrics.alert.threshold/observability/rule/bulkEnable",
+                "alerting:metrics.alert.threshold/observability/rule/bulkDisable",
+                "alerting:metrics.alert.threshold/observability/rule/unsnooze",
+                "alerting:metrics.alert.threshold/observability/rule/runSoon",
+                "alerting:metrics.alert.threshold/observability/rule/scheduleBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/deleteBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/get",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/alerts/rule/find",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/create",
+                "alerting:metrics.alert.threshold/alerts/rule/delete",
+                "alerting:metrics.alert.threshold/alerts/rule/update",
+                "alerting:metrics.alert.threshold/alerts/rule/updateApiKey",
+                "alerting:metrics.alert.threshold/alerts/rule/enable",
+                "alerting:metrics.alert.threshold/alerts/rule/disable",
+                "alerting:metrics.alert.threshold/alerts/rule/muteAll",
+                "alerting:metrics.alert.threshold/alerts/rule/unmuteAll",
+                "alerting:metrics.alert.threshold/alerts/rule/muteAlert",
+                "alerting:metrics.alert.threshold/alerts/rule/unmuteAlert",
+                "alerting:metrics.alert.threshold/alerts/rule/snooze",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkEdit",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkDelete",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkEnable",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkDisable",
+                "alerting:metrics.alert.threshold/alerts/rule/unsnooze",
+                "alerting:metrics.alert.threshold/alerts/rule/runSoon",
+                "alerting:metrics.alert.threshold/alerts/rule/scheduleBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/deleteBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/create",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/delete",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/update",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/updateApiKey",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/enable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/disable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAll",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAll",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAlert",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAlert",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/snooze",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEdit",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDelete",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEnable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDisable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unsnooze",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/runSoon",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/scheduleBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/deleteBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/create",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/delete",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/update",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/updateApiKey",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/enable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/disable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/muteAll",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unmuteAll",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/muteAlert",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unmuteAlert",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/snooze",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkEdit",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkDelete",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkEnable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkDisable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unsnooze",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/runSoon",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/scheduleBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/create",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/update",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/create",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/create",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/create",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/deleteBackfill",
+                "alerting:logs.alert.document.count/observability/rule/get",
+                "alerting:logs.alert.document.count/observability/rule/getRuleState",
+                "alerting:logs.alert.document.count/observability/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/observability/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/observability/rule/find",
+                "alerting:logs.alert.document.count/observability/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/observability/rule/getBackfill",
+                "alerting:logs.alert.document.count/observability/rule/findBackfill",
+                "alerting:logs.alert.document.count/observability/rule/create",
+                "alerting:logs.alert.document.count/observability/rule/delete",
+                "alerting:logs.alert.document.count/observability/rule/update",
+                "alerting:logs.alert.document.count/observability/rule/updateApiKey",
+                "alerting:logs.alert.document.count/observability/rule/enable",
+                "alerting:logs.alert.document.count/observability/rule/disable",
+                "alerting:logs.alert.document.count/observability/rule/muteAll",
+                "alerting:logs.alert.document.count/observability/rule/unmuteAll",
+                "alerting:logs.alert.document.count/observability/rule/muteAlert",
+                "alerting:logs.alert.document.count/observability/rule/unmuteAlert",
+                "alerting:logs.alert.document.count/observability/rule/snooze",
+                "alerting:logs.alert.document.count/observability/rule/bulkEdit",
+                "alerting:logs.alert.document.count/observability/rule/bulkDelete",
+                "alerting:logs.alert.document.count/observability/rule/bulkEnable",
+                "alerting:logs.alert.document.count/observability/rule/bulkDisable",
+                "alerting:logs.alert.document.count/observability/rule/unsnooze",
+                "alerting:logs.alert.document.count/observability/rule/runSoon",
+                "alerting:logs.alert.document.count/observability/rule/scheduleBackfill",
+                "alerting:logs.alert.document.count/observability/rule/deleteBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/get",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
+                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/observability/rule/find",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/create",
+                "alerting:slo.rules.burnRate/observability/rule/delete",
+                "alerting:slo.rules.burnRate/observability/rule/update",
+                "alerting:slo.rules.burnRate/observability/rule/updateApiKey",
+                "alerting:slo.rules.burnRate/observability/rule/enable",
+                "alerting:slo.rules.burnRate/observability/rule/disable",
+                "alerting:slo.rules.burnRate/observability/rule/muteAll",
+                "alerting:slo.rules.burnRate/observability/rule/unmuteAll",
+                "alerting:slo.rules.burnRate/observability/rule/muteAlert",
+                "alerting:slo.rules.burnRate/observability/rule/unmuteAlert",
+                "alerting:slo.rules.burnRate/observability/rule/snooze",
+                "alerting:slo.rules.burnRate/observability/rule/bulkEdit",
+                "alerting:slo.rules.burnRate/observability/rule/bulkDelete",
+                "alerting:slo.rules.burnRate/observability/rule/bulkEnable",
+                "alerting:slo.rules.burnRate/observability/rule/bulkDisable",
+                "alerting:slo.rules.burnRate/observability/rule/unsnooze",
+                "alerting:slo.rules.burnRate/observability/rule/runSoon",
+                "alerting:slo.rules.burnRate/observability/rule/scheduleBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/deleteBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/get",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleState",
+                "alerting:slo.rules.burnRate/alerts/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/alerts/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/alerts/rule/find",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/alerts/rule/getBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/findBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/create",
+                "alerting:slo.rules.burnRate/alerts/rule/delete",
+                "alerting:slo.rules.burnRate/alerts/rule/update",
+                "alerting:slo.rules.burnRate/alerts/rule/updateApiKey",
+                "alerting:slo.rules.burnRate/alerts/rule/enable",
+                "alerting:slo.rules.burnRate/alerts/rule/disable",
+                "alerting:slo.rules.burnRate/alerts/rule/muteAll",
+                "alerting:slo.rules.burnRate/alerts/rule/unmuteAll",
+                "alerting:slo.rules.burnRate/alerts/rule/muteAlert",
+                "alerting:slo.rules.burnRate/alerts/rule/unmuteAlert",
+                "alerting:slo.rules.burnRate/alerts/rule/snooze",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkEdit",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkDelete",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkEnable",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkDisable",
+                "alerting:slo.rules.burnRate/alerts/rule/unsnooze",
+                "alerting:slo.rules.burnRate/alerts/rule/runSoon",
+                "alerting:slo.rules.burnRate/alerts/rule/scheduleBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/deleteBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/get",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/find",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/create",
+                "alerting:observability.rules.custom_threshold/observability/rule/delete",
+                "alerting:observability.rules.custom_threshold/observability/rule/update",
+                "alerting:observability.rules.custom_threshold/observability/rule/updateApiKey",
+                "alerting:observability.rules.custom_threshold/observability/rule/enable",
+                "alerting:observability.rules.custom_threshold/observability/rule/disable",
+                "alerting:observability.rules.custom_threshold/observability/rule/muteAll",
+                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAll",
+                "alerting:observability.rules.custom_threshold/observability/rule/muteAlert",
+                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAlert",
+                "alerting:observability.rules.custom_threshold/observability/rule/snooze",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkEdit",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkDelete",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkEnable",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkDisable",
+                "alerting:observability.rules.custom_threshold/observability/rule/unsnooze",
+                "alerting:observability.rules.custom_threshold/observability/rule/runSoon",
+                "alerting:observability.rules.custom_threshold/observability/rule/scheduleBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/deleteBackfill",
+                "alerting:.es-query/observability/rule/get",
+                "alerting:.es-query/observability/rule/getRuleState",
+                "alerting:.es-query/observability/rule/getAlertSummary",
+                "alerting:.es-query/observability/rule/getExecutionLog",
+                "alerting:.es-query/observability/rule/getActionErrorLog",
+                "alerting:.es-query/observability/rule/find",
+                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
+                "alerting:.es-query/observability/rule/getBackfill",
+                "alerting:.es-query/observability/rule/findBackfill",
+                "alerting:.es-query/observability/rule/create",
+                "alerting:.es-query/observability/rule/delete",
+                "alerting:.es-query/observability/rule/update",
+                "alerting:.es-query/observability/rule/updateApiKey",
+                "alerting:.es-query/observability/rule/enable",
+                "alerting:.es-query/observability/rule/disable",
+                "alerting:.es-query/observability/rule/muteAll",
+                "alerting:.es-query/observability/rule/unmuteAll",
+                "alerting:.es-query/observability/rule/muteAlert",
+                "alerting:.es-query/observability/rule/unmuteAlert",
+                "alerting:.es-query/observability/rule/snooze",
+                "alerting:.es-query/observability/rule/bulkEdit",
+                "alerting:.es-query/observability/rule/bulkDelete",
+                "alerting:.es-query/observability/rule/bulkEnable",
+                "alerting:.es-query/observability/rule/bulkDisable",
+                "alerting:.es-query/observability/rule/unsnooze",
+                "alerting:.es-query/observability/rule/runSoon",
+                "alerting:.es-query/observability/rule/scheduleBackfill",
+                "alerting:.es-query/observability/rule/deleteBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/deleteBackfill",
+                "alerting:apm.error_rate/observability/alert/get",
+                "alerting:apm.error_rate/observability/alert/find",
+                "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.error_rate/observability/alert/update",
+                "alerting:apm.transaction_error_rate/observability/alert/get",
+                "alerting:apm.transaction_error_rate/observability/alert/find",
+                "alerting:apm.transaction_error_rate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/observability/alert/update",
+                "alerting:apm.transaction_duration/observability/alert/get",
+                "alerting:apm.transaction_duration/observability/alert/find",
+                "alerting:apm.transaction_duration/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/observability/alert/update",
+                "alerting:apm.anomaly/observability/alert/get",
+                "alerting:apm.anomaly/observability/alert/find",
+                "alerting:apm.anomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/observability/alert/getAlertSummary",
+                "alerting:apm.anomaly/observability/alert/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/update",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/update",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/update",
+                "alerting:metrics.alert.threshold/observability/alert/get",
+                "alerting:metrics.alert.threshold/observability/alert/find",
+                "alerting:metrics.alert.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/alert/update",
+                "alerting:metrics.alert.threshold/alerts/alert/get",
+                "alerting:metrics.alert.threshold/alerts/alert/find",
+                "alerting:metrics.alert.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/alert/update",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/update",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/update",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/update",
+                "alerting:logs.alert.document.count/observability/alert/get",
+                "alerting:logs.alert.document.count/observability/alert/find",
+                "alerting:logs.alert.document.count/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/observability/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/alert/update",
+                "alerting:slo.rules.burnRate/observability/alert/get",
+                "alerting:slo.rules.burnRate/observability/alert/find",
+                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/alert/update",
+                "alerting:slo.rules.burnRate/alerts/alert/get",
+                "alerting:slo.rules.burnRate/alerts/alert/find",
+                "alerting:slo.rules.burnRate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/alerts/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/alert/update",
+                "alerting:observability.rules.custom_threshold/observability/alert/get",
+                "alerting:observability.rules.custom_threshold/observability/alert/find",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/alert/update",
+                "alerting:.es-query/observability/alert/get",
+                "alerting:.es-query/observability/alert/find",
+                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/observability/alert/getAlertSummary",
+                "alerting:.es-query/observability/alert/update",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/update",
+              ],
+              "minimal_all": Array [
+                "login:",
+                "api:apm",
+                "api:apm_write",
+                "api:rac",
+                "app:apm",
+                "app:ux",
+                "app:kibana",
+                "ui:catalogue/apm",
+                "ui:management/insightsAndAlerting/triggersActions",
+                "ui:navLinks/apm",
+                "ui:navLinks/ux",
+                "ui:navLinks/kibana",
+                "saved_object:telemetry/bulk_get",
+                "saved_object:telemetry/get",
+                "saved_object:telemetry/find",
+                "saved_object:telemetry/open_point_in_time",
+                "saved_object:telemetry/close_point_in_time",
+                "saved_object:telemetry/create",
+                "saved_object:telemetry/bulk_create",
+                "saved_object:telemetry/update",
+                "saved_object:telemetry/bulk_update",
+                "saved_object:telemetry/delete",
+                "saved_object:telemetry/bulk_delete",
+                "saved_object:telemetry/share_to_space",
+                "saved_object:apm-indices/bulk_get",
+                "saved_object:apm-indices/get",
+                "saved_object:apm-indices/find",
+                "saved_object:apm-indices/open_point_in_time",
+                "saved_object:apm-indices/close_point_in_time",
+                "saved_object:config/bulk_get",
+                "saved_object:config/get",
+                "saved_object:config/find",
+                "saved_object:config/open_point_in_time",
+                "saved_object:config/close_point_in_time",
+                "saved_object:config-global/bulk_get",
+                "saved_object:config-global/get",
+                "saved_object:config-global/find",
+                "saved_object:config-global/open_point_in_time",
+                "saved_object:config-global/close_point_in_time",
+                "saved_object:url/bulk_get",
+                "saved_object:url/get",
+                "saved_object:url/find",
+                "saved_object:url/open_point_in_time",
+                "saved_object:url/close_point_in_time",
+                "ui:apm/show",
+                "ui:apm/save",
+                "ui:apm/alerting:show",
+                "ui:apm/alerting:save",
+                "alerting:apm.error_rate/apm/rule/get",
+                "alerting:apm.error_rate/apm/rule/getRuleState",
+                "alerting:apm.error_rate/apm/rule/getAlertSummary",
+                "alerting:apm.error_rate/apm/rule/getExecutionLog",
+                "alerting:apm.error_rate/apm/rule/getActionErrorLog",
+                "alerting:apm.error_rate/apm/rule/find",
+                "alerting:apm.error_rate/apm/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/apm/rule/getBackfill",
+                "alerting:apm.error_rate/apm/rule/findBackfill",
+                "alerting:apm.error_rate/apm/rule/create",
                 "alerting:apm.error_rate/apm/rule/delete",
                 "alerting:apm.error_rate/apm/rule/update",
                 "alerting:apm.error_rate/apm/rule/updateApiKey",
@@ -844,6 +1604,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.error_rate/apm/rule/runSoon",
                 "alerting:apm.error_rate/apm/rule/scheduleBackfill",
                 "alerting:apm.error_rate/apm/rule/deleteBackfill",
+                "alerting:apm.error_rate/alerts/rule/get",
+                "alerting:apm.error_rate/alerts/rule/getRuleState",
+                "alerting:apm.error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.error_rate/alerts/rule/find",
+                "alerting:apm.error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/alerts/rule/getBackfill",
+                "alerting:apm.error_rate/alerts/rule/findBackfill",
+                "alerting:apm.error_rate/alerts/rule/create",
+                "alerting:apm.error_rate/alerts/rule/delete",
+                "alerting:apm.error_rate/alerts/rule/update",
+                "alerting:apm.error_rate/alerts/rule/updateApiKey",
+                "alerting:apm.error_rate/alerts/rule/enable",
+                "alerting:apm.error_rate/alerts/rule/disable",
+                "alerting:apm.error_rate/alerts/rule/muteAll",
+                "alerting:apm.error_rate/alerts/rule/unmuteAll",
+                "alerting:apm.error_rate/alerts/rule/muteAlert",
+                "alerting:apm.error_rate/alerts/rule/unmuteAlert",
+                "alerting:apm.error_rate/alerts/rule/snooze",
+                "alerting:apm.error_rate/alerts/rule/bulkEdit",
+                "alerting:apm.error_rate/alerts/rule/bulkDelete",
+                "alerting:apm.error_rate/alerts/rule/bulkEnable",
+                "alerting:apm.error_rate/alerts/rule/bulkDisable",
+                "alerting:apm.error_rate/alerts/rule/unsnooze",
+                "alerting:apm.error_rate/alerts/rule/runSoon",
+                "alerting:apm.error_rate/alerts/rule/scheduleBackfill",
+                "alerting:apm.error_rate/alerts/rule/deleteBackfill",
                 "alerting:apm.transaction_error_rate/apm/rule/get",
                 "alerting:apm.transaction_error_rate/apm/rule/getRuleState",
                 "alerting:apm.transaction_error_rate/apm/rule/getAlertSummary",
@@ -872,6 +1660,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.transaction_error_rate/apm/rule/runSoon",
                 "alerting:apm.transaction_error_rate/apm/rule/scheduleBackfill",
                 "alerting:apm.transaction_error_rate/apm/rule/deleteBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/get",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/find",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/alerts/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/create",
+                "alerting:apm.transaction_error_rate/alerts/rule/delete",
+                "alerting:apm.transaction_error_rate/alerts/rule/update",
+                "alerting:apm.transaction_error_rate/alerts/rule/updateApiKey",
+                "alerting:apm.transaction_error_rate/alerts/rule/enable",
+                "alerting:apm.transaction_error_rate/alerts/rule/disable",
+                "alerting:apm.transaction_error_rate/alerts/rule/muteAll",
+                "alerting:apm.transaction_error_rate/alerts/rule/unmuteAll",
+                "alerting:apm.transaction_error_rate/alerts/rule/muteAlert",
+                "alerting:apm.transaction_error_rate/alerts/rule/unmuteAlert",
+                "alerting:apm.transaction_error_rate/alerts/rule/snooze",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkEdit",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkDelete",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkEnable",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkDisable",
+                "alerting:apm.transaction_error_rate/alerts/rule/unsnooze",
+                "alerting:apm.transaction_error_rate/alerts/rule/runSoon",
+                "alerting:apm.transaction_error_rate/alerts/rule/scheduleBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/deleteBackfill",
                 "alerting:apm.transaction_duration/apm/rule/get",
                 "alerting:apm.transaction_duration/apm/rule/getRuleState",
                 "alerting:apm.transaction_duration/apm/rule/getAlertSummary",
@@ -900,6 +1716,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.transaction_duration/apm/rule/runSoon",
                 "alerting:apm.transaction_duration/apm/rule/scheduleBackfill",
                 "alerting:apm.transaction_duration/apm/rule/deleteBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/get",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleState",
+                "alerting:apm.transaction_duration/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/alerts/rule/find",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/alerts/rule/getBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/findBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/create",
+                "alerting:apm.transaction_duration/alerts/rule/delete",
+                "alerting:apm.transaction_duration/alerts/rule/update",
+                "alerting:apm.transaction_duration/alerts/rule/updateApiKey",
+                "alerting:apm.transaction_duration/alerts/rule/enable",
+                "alerting:apm.transaction_duration/alerts/rule/disable",
+                "alerting:apm.transaction_duration/alerts/rule/muteAll",
+                "alerting:apm.transaction_duration/alerts/rule/unmuteAll",
+                "alerting:apm.transaction_duration/alerts/rule/muteAlert",
+                "alerting:apm.transaction_duration/alerts/rule/unmuteAlert",
+                "alerting:apm.transaction_duration/alerts/rule/snooze",
+                "alerting:apm.transaction_duration/alerts/rule/bulkEdit",
+                "alerting:apm.transaction_duration/alerts/rule/bulkDelete",
+                "alerting:apm.transaction_duration/alerts/rule/bulkEnable",
+                "alerting:apm.transaction_duration/alerts/rule/bulkDisable",
+                "alerting:apm.transaction_duration/alerts/rule/unsnooze",
+                "alerting:apm.transaction_duration/alerts/rule/runSoon",
+                "alerting:apm.transaction_duration/alerts/rule/scheduleBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/deleteBackfill",
                 "alerting:apm.anomaly/apm/rule/get",
                 "alerting:apm.anomaly/apm/rule/getRuleState",
                 "alerting:apm.anomaly/apm/rule/getAlertSummary",
@@ -928,26 +1772,74 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.anomaly/apm/rule/runSoon",
                 "alerting:apm.anomaly/apm/rule/scheduleBackfill",
                 "alerting:apm.anomaly/apm/rule/deleteBackfill",
+                "alerting:apm.anomaly/alerts/rule/get",
+                "alerting:apm.anomaly/alerts/rule/getRuleState",
+                "alerting:apm.anomaly/alerts/rule/getAlertSummary",
+                "alerting:apm.anomaly/alerts/rule/getExecutionLog",
+                "alerting:apm.anomaly/alerts/rule/getActionErrorLog",
+                "alerting:apm.anomaly/alerts/rule/find",
+                "alerting:apm.anomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/alerts/rule/getBackfill",
+                "alerting:apm.anomaly/alerts/rule/findBackfill",
+                "alerting:apm.anomaly/alerts/rule/create",
+                "alerting:apm.anomaly/alerts/rule/delete",
+                "alerting:apm.anomaly/alerts/rule/update",
+                "alerting:apm.anomaly/alerts/rule/updateApiKey",
+                "alerting:apm.anomaly/alerts/rule/enable",
+                "alerting:apm.anomaly/alerts/rule/disable",
+                "alerting:apm.anomaly/alerts/rule/muteAll",
+                "alerting:apm.anomaly/alerts/rule/unmuteAll",
+                "alerting:apm.anomaly/alerts/rule/muteAlert",
+                "alerting:apm.anomaly/alerts/rule/unmuteAlert",
+                "alerting:apm.anomaly/alerts/rule/snooze",
+                "alerting:apm.anomaly/alerts/rule/bulkEdit",
+                "alerting:apm.anomaly/alerts/rule/bulkDelete",
+                "alerting:apm.anomaly/alerts/rule/bulkEnable",
+                "alerting:apm.anomaly/alerts/rule/bulkDisable",
+                "alerting:apm.anomaly/alerts/rule/unsnooze",
+                "alerting:apm.anomaly/alerts/rule/runSoon",
+                "alerting:apm.anomaly/alerts/rule/scheduleBackfill",
+                "alerting:apm.anomaly/alerts/rule/deleteBackfill",
                 "alerting:apm.error_rate/apm/alert/get",
                 "alerting:apm.error_rate/apm/alert/find",
                 "alerting:apm.error_rate/apm/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.error_rate/apm/alert/getAlertSummary",
                 "alerting:apm.error_rate/apm/alert/update",
+                "alerting:apm.error_rate/alerts/alert/get",
+                "alerting:apm.error_rate/alerts/alert/find",
+                "alerting:apm.error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/alerts/alert/getAlertSummary",
+                "alerting:apm.error_rate/alerts/alert/update",
                 "alerting:apm.transaction_error_rate/apm/alert/get",
                 "alerting:apm.transaction_error_rate/apm/alert/find",
                 "alerting:apm.transaction_error_rate/apm/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_error_rate/apm/alert/getAlertSummary",
                 "alerting:apm.transaction_error_rate/apm/alert/update",
+                "alerting:apm.transaction_error_rate/alerts/alert/get",
+                "alerting:apm.transaction_error_rate/alerts/alert/find",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/alert/update",
                 "alerting:apm.transaction_duration/apm/alert/get",
                 "alerting:apm.transaction_duration/apm/alert/find",
                 "alerting:apm.transaction_duration/apm/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_duration/apm/alert/getAlertSummary",
                 "alerting:apm.transaction_duration/apm/alert/update",
+                "alerting:apm.transaction_duration/alerts/alert/get",
+                "alerting:apm.transaction_duration/alerts/alert/find",
+                "alerting:apm.transaction_duration/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/alerts/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/alert/update",
                 "alerting:apm.anomaly/apm/alert/get",
                 "alerting:apm.anomaly/apm/alert/find",
                 "alerting:apm.anomaly/apm/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.anomaly/apm/alert/getAlertSummary",
                 "alerting:apm.anomaly/apm/alert/update",
+                "alerting:apm.anomaly/alerts/alert/get",
+                "alerting:apm.anomaly/alerts/alert/find",
+                "alerting:apm.anomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/alerts/alert/getAlertSummary",
+                "alerting:apm.anomaly/alerts/alert/update",
                 "api:infra",
                 "app:infra",
                 "app:logs",
@@ -1012,6 +1904,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:logs.alert.document.count/logs/rule/runSoon",
                 "alerting:logs.alert.document.count/logs/rule/scheduleBackfill",
                 "alerting:logs.alert.document.count/logs/rule/deleteBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/get",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleState",
+                "alerting:logs.alert.document.count/alerts/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/alerts/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/alerts/rule/find",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/alerts/rule/getBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/findBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/create",
+                "alerting:logs.alert.document.count/alerts/rule/delete",
+                "alerting:logs.alert.document.count/alerts/rule/update",
+                "alerting:logs.alert.document.count/alerts/rule/updateApiKey",
+                "alerting:logs.alert.document.count/alerts/rule/enable",
+                "alerting:logs.alert.document.count/alerts/rule/disable",
+                "alerting:logs.alert.document.count/alerts/rule/muteAll",
+                "alerting:logs.alert.document.count/alerts/rule/unmuteAll",
+                "alerting:logs.alert.document.count/alerts/rule/muteAlert",
+                "alerting:logs.alert.document.count/alerts/rule/unmuteAlert",
+                "alerting:logs.alert.document.count/alerts/rule/snooze",
+                "alerting:logs.alert.document.count/alerts/rule/bulkEdit",
+                "alerting:logs.alert.document.count/alerts/rule/bulkDelete",
+                "alerting:logs.alert.document.count/alerts/rule/bulkEnable",
+                "alerting:logs.alert.document.count/alerts/rule/bulkDisable",
+                "alerting:logs.alert.document.count/alerts/rule/unsnooze",
+                "alerting:logs.alert.document.count/alerts/rule/runSoon",
+                "alerting:logs.alert.document.count/alerts/rule/scheduleBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/deleteBackfill",
                 "alerting:.es-query/logs/rule/get",
                 "alerting:.es-query/logs/rule/getRuleState",
                 "alerting:.es-query/logs/rule/getAlertSummary",
@@ -1040,6 +1960,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:.es-query/logs/rule/runSoon",
                 "alerting:.es-query/logs/rule/scheduleBackfill",
                 "alerting:.es-query/logs/rule/deleteBackfill",
+                "alerting:.es-query/alerts/rule/get",
+                "alerting:.es-query/alerts/rule/getRuleState",
+                "alerting:.es-query/alerts/rule/getAlertSummary",
+                "alerting:.es-query/alerts/rule/getExecutionLog",
+                "alerting:.es-query/alerts/rule/getActionErrorLog",
+                "alerting:.es-query/alerts/rule/find",
+                "alerting:.es-query/alerts/rule/getRuleExecutionKPI",
+                "alerting:.es-query/alerts/rule/getBackfill",
+                "alerting:.es-query/alerts/rule/findBackfill",
+                "alerting:.es-query/alerts/rule/create",
+                "alerting:.es-query/alerts/rule/delete",
+                "alerting:.es-query/alerts/rule/update",
+                "alerting:.es-query/alerts/rule/updateApiKey",
+                "alerting:.es-query/alerts/rule/enable",
+                "alerting:.es-query/alerts/rule/disable",
+                "alerting:.es-query/alerts/rule/muteAll",
+                "alerting:.es-query/alerts/rule/unmuteAll",
+                "alerting:.es-query/alerts/rule/muteAlert",
+                "alerting:.es-query/alerts/rule/unmuteAlert",
+                "alerting:.es-query/alerts/rule/snooze",
+                "alerting:.es-query/alerts/rule/bulkEdit",
+                "alerting:.es-query/alerts/rule/bulkDelete",
+                "alerting:.es-query/alerts/rule/bulkEnable",
+                "alerting:.es-query/alerts/rule/bulkDisable",
+                "alerting:.es-query/alerts/rule/unsnooze",
+                "alerting:.es-query/alerts/rule/runSoon",
+                "alerting:.es-query/alerts/rule/scheduleBackfill",
+                "alerting:.es-query/alerts/rule/deleteBackfill",
                 "alerting:observability.rules.custom_threshold/logs/rule/get",
                 "alerting:observability.rules.custom_threshold/logs/rule/getRuleState",
                 "alerting:observability.rules.custom_threshold/logs/rule/getAlertSummary",
@@ -1068,6 +2016,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:observability.rules.custom_threshold/logs/rule/runSoon",
                 "alerting:observability.rules.custom_threshold/logs/rule/scheduleBackfill",
                 "alerting:observability.rules.custom_threshold/logs/rule/deleteBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/get",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/find",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/create",
+                "alerting:observability.rules.custom_threshold/alerts/rule/delete",
+                "alerting:observability.rules.custom_threshold/alerts/rule/update",
+                "alerting:observability.rules.custom_threshold/alerts/rule/updateApiKey",
+                "alerting:observability.rules.custom_threshold/alerts/rule/enable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/disable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/muteAll",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unmuteAll",
+                "alerting:observability.rules.custom_threshold/alerts/rule/muteAlert",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unmuteAlert",
+                "alerting:observability.rules.custom_threshold/alerts/rule/snooze",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkEdit",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkDelete",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkEnable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkDisable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unsnooze",
+                "alerting:observability.rules.custom_threshold/alerts/rule/runSoon",
+                "alerting:observability.rules.custom_threshold/alerts/rule/scheduleBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/deleteBackfill",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/get",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleState",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getAlertSummary",
@@ -1096,171 +2072,79 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/runSoon",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/scheduleBackfill",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/deleteBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/deleteBackfill",
                 "alerting:logs.alert.document.count/logs/alert/get",
                 "alerting:logs.alert.document.count/logs/alert/find",
                 "alerting:logs.alert.document.count/logs/alert/getAuthorizedAlertsIndices",
                 "alerting:logs.alert.document.count/logs/alert/getAlertSummary",
                 "alerting:logs.alert.document.count/logs/alert/update",
+                "alerting:logs.alert.document.count/alerts/alert/get",
+                "alerting:logs.alert.document.count/alerts/alert/find",
+                "alerting:logs.alert.document.count/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/alerts/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/alert/update",
                 "alerting:.es-query/logs/alert/get",
                 "alerting:.es-query/logs/alert/find",
                 "alerting:.es-query/logs/alert/getAuthorizedAlertsIndices",
                 "alerting:.es-query/logs/alert/getAlertSummary",
                 "alerting:.es-query/logs/alert/update",
+                "alerting:.es-query/alerts/alert/get",
+                "alerting:.es-query/alerts/alert/find",
+                "alerting:.es-query/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/alerts/alert/getAlertSummary",
+                "alerting:.es-query/alerts/alert/update",
                 "alerting:observability.rules.custom_threshold/logs/alert/get",
                 "alerting:observability.rules.custom_threshold/logs/alert/find",
                 "alerting:observability.rules.custom_threshold/logs/alert/getAuthorizedAlertsIndices",
                 "alerting:observability.rules.custom_threshold/logs/alert/getAlertSummary",
                 "alerting:observability.rules.custom_threshold/logs/alert/update",
+                "alerting:observability.rules.custom_threshold/alerts/alert/get",
+                "alerting:observability.rules.custom_threshold/alerts/alert/find",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/alert/update",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/alert/get",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/alert/find",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAlertSummary",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/alert/update",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/update",
                 "app:observability",
                 "ui:catalogue/observability",
                 "ui:navLinks/observability",
                 "ui:observability/read",
                 "ui:observability/write",
-                "alerting:slo.rules.burnRate/observability/rule/get",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
-                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
-                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
-                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
-                "alerting:slo.rules.burnRate/observability/rule/find",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
-                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/create",
-                "alerting:slo.rules.burnRate/observability/rule/delete",
-                "alerting:slo.rules.burnRate/observability/rule/update",
-                "alerting:slo.rules.burnRate/observability/rule/updateApiKey",
-                "alerting:slo.rules.burnRate/observability/rule/enable",
-                "alerting:slo.rules.burnRate/observability/rule/disable",
-                "alerting:slo.rules.burnRate/observability/rule/muteAll",
-                "alerting:slo.rules.burnRate/observability/rule/unmuteAll",
-                "alerting:slo.rules.burnRate/observability/rule/muteAlert",
-                "alerting:slo.rules.burnRate/observability/rule/unmuteAlert",
-                "alerting:slo.rules.burnRate/observability/rule/snooze",
-                "alerting:slo.rules.burnRate/observability/rule/bulkEdit",
-                "alerting:slo.rules.burnRate/observability/rule/bulkDelete",
-                "alerting:slo.rules.burnRate/observability/rule/bulkEnable",
-                "alerting:slo.rules.burnRate/observability/rule/bulkDisable",
-                "alerting:slo.rules.burnRate/observability/rule/unsnooze",
-                "alerting:slo.rules.burnRate/observability/rule/runSoon",
-                "alerting:slo.rules.burnRate/observability/rule/scheduleBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/deleteBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/get",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
-                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/find",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/create",
-                "alerting:observability.rules.custom_threshold/observability/rule/delete",
-                "alerting:observability.rules.custom_threshold/observability/rule/update",
-                "alerting:observability.rules.custom_threshold/observability/rule/updateApiKey",
-                "alerting:observability.rules.custom_threshold/observability/rule/enable",
-                "alerting:observability.rules.custom_threshold/observability/rule/disable",
-                "alerting:observability.rules.custom_threshold/observability/rule/muteAll",
-                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAll",
-                "alerting:observability.rules.custom_threshold/observability/rule/muteAlert",
-                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAlert",
-                "alerting:observability.rules.custom_threshold/observability/rule/snooze",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkEdit",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkDelete",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkEnable",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkDisable",
-                "alerting:observability.rules.custom_threshold/observability/rule/unsnooze",
-                "alerting:observability.rules.custom_threshold/observability/rule/runSoon",
-                "alerting:observability.rules.custom_threshold/observability/rule/scheduleBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/deleteBackfill",
-                "alerting:.es-query/observability/rule/get",
-                "alerting:.es-query/observability/rule/getRuleState",
-                "alerting:.es-query/observability/rule/getAlertSummary",
-                "alerting:.es-query/observability/rule/getExecutionLog",
-                "alerting:.es-query/observability/rule/getActionErrorLog",
-                "alerting:.es-query/observability/rule/find",
-                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
-                "alerting:.es-query/observability/rule/getBackfill",
-                "alerting:.es-query/observability/rule/findBackfill",
-                "alerting:.es-query/observability/rule/create",
-                "alerting:.es-query/observability/rule/delete",
-                "alerting:.es-query/observability/rule/update",
-                "alerting:.es-query/observability/rule/updateApiKey",
-                "alerting:.es-query/observability/rule/enable",
-                "alerting:.es-query/observability/rule/disable",
-                "alerting:.es-query/observability/rule/muteAll",
-                "alerting:.es-query/observability/rule/unmuteAll",
-                "alerting:.es-query/observability/rule/muteAlert",
-                "alerting:.es-query/observability/rule/unmuteAlert",
-                "alerting:.es-query/observability/rule/snooze",
-                "alerting:.es-query/observability/rule/bulkEdit",
-                "alerting:.es-query/observability/rule/bulkDelete",
-                "alerting:.es-query/observability/rule/bulkEnable",
-                "alerting:.es-query/observability/rule/bulkDisable",
-                "alerting:.es-query/observability/rule/unsnooze",
-                "alerting:.es-query/observability/rule/runSoon",
-                "alerting:.es-query/observability/rule/scheduleBackfill",
-                "alerting:.es-query/observability/rule/deleteBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/create",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/delete",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/update",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/updateApiKey",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/enable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/disable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/snooze",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEdit",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDelete",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEnable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDisable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unsnooze",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/runSoon",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/scheduleBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/deleteBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/create",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/delete",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/update",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/updateApiKey",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/enable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/disable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAll",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAll",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAlert",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAlert",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/snooze",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEdit",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDelete",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEnable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDisable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unsnooze",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/runSoon",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/scheduleBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/deleteBackfill",
                 "alerting:apm.error_rate/observability/rule/get",
                 "alerting:apm.error_rate/observability/rule/getRuleState",
                 "alerting:apm.error_rate/observability/rule/getAlertSummary",
@@ -1401,6 +2285,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/runSoon",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/scheduleBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/deleteBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/create",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/delete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/enable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/disable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/snooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/deleteBackfill",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/get",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getAlertSummary",
@@ -1429,229 +2341,398 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/runSoon",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/scheduleBackfill",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/deleteBackfill",
-                "alerting:slo.rules.burnRate/observability/alert/get",
-                "alerting:slo.rules.burnRate/observability/alert/find",
-                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
-                "alerting:slo.rules.burnRate/observability/alert/update",
-                "alerting:observability.rules.custom_threshold/observability/alert/get",
-                "alerting:observability.rules.custom_threshold/observability/alert/find",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/alert/update",
-                "alerting:.es-query/observability/alert/get",
-                "alerting:.es-query/observability/alert/find",
-                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/observability/alert/getAlertSummary",
-                "alerting:.es-query/observability/alert/update",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/update",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/update",
-                "alerting:apm.error_rate/observability/alert/get",
-                "alerting:apm.error_rate/observability/alert/find",
-                "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.error_rate/observability/alert/getAlertSummary",
-                "alerting:apm.error_rate/observability/alert/update",
-                "alerting:apm.transaction_error_rate/observability/alert/get",
-                "alerting:apm.transaction_error_rate/observability/alert/find",
-                "alerting:apm.transaction_error_rate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.transaction_error_rate/observability/alert/getAlertSummary",
-                "alerting:apm.transaction_error_rate/observability/alert/update",
-                "alerting:apm.transaction_duration/observability/alert/get",
-                "alerting:apm.transaction_duration/observability/alert/find",
-                "alerting:apm.transaction_duration/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.transaction_duration/observability/alert/getAlertSummary",
-                "alerting:apm.transaction_duration/observability/alert/update",
-                "alerting:apm.anomaly/observability/alert/get",
-                "alerting:apm.anomaly/observability/alert/find",
-                "alerting:apm.anomaly/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.anomaly/observability/alert/getAlertSummary",
-                "alerting:apm.anomaly/observability/alert/update",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/get",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/update",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/get",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/find",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/update",
-              ],
-              "minimal_read": Array [
-                "login:",
-                "api:apm",
-                "api:rac",
-                "app:apm",
-                "app:ux",
-                "app:kibana",
-                "ui:catalogue/apm",
-                "ui:management/insightsAndAlerting/triggersActions",
-                "ui:navLinks/apm",
-                "ui:navLinks/ux",
-                "ui:navLinks/kibana",
-                "saved_object:apm-indices/bulk_get",
-                "saved_object:apm-indices/get",
-                "saved_object:apm-indices/find",
-                "saved_object:apm-indices/open_point_in_time",
-                "saved_object:apm-indices/close_point_in_time",
-                "saved_object:config/bulk_get",
-                "saved_object:config/get",
-                "saved_object:config/find",
-                "saved_object:config/open_point_in_time",
-                "saved_object:config/close_point_in_time",
-                "saved_object:config-global/bulk_get",
-                "saved_object:config-global/get",
-                "saved_object:config-global/find",
-                "saved_object:config-global/open_point_in_time",
-                "saved_object:config-global/close_point_in_time",
-                "saved_object:telemetry/bulk_get",
-                "saved_object:telemetry/get",
-                "saved_object:telemetry/find",
-                "saved_object:telemetry/open_point_in_time",
-                "saved_object:telemetry/close_point_in_time",
-                "saved_object:url/bulk_get",
-                "saved_object:url/get",
-                "saved_object:url/find",
-                "saved_object:url/open_point_in_time",
-                "saved_object:url/close_point_in_time",
-                "ui:apm/show",
-                "ui:apm/alerting:show",
-                "alerting:apm.error_rate/apm/rule/get",
-                "alerting:apm.error_rate/apm/rule/getRuleState",
-                "alerting:apm.error_rate/apm/rule/getAlertSummary",
-                "alerting:apm.error_rate/apm/rule/getExecutionLog",
-                "alerting:apm.error_rate/apm/rule/getActionErrorLog",
-                "alerting:apm.error_rate/apm/rule/find",
-                "alerting:apm.error_rate/apm/rule/getRuleExecutionKPI",
-                "alerting:apm.error_rate/apm/rule/getBackfill",
-                "alerting:apm.error_rate/apm/rule/findBackfill",
-                "alerting:apm.transaction_error_rate/apm/rule/get",
-                "alerting:apm.transaction_error_rate/apm/rule/getRuleState",
-                "alerting:apm.transaction_error_rate/apm/rule/getAlertSummary",
-                "alerting:apm.transaction_error_rate/apm/rule/getExecutionLog",
-                "alerting:apm.transaction_error_rate/apm/rule/getActionErrorLog",
-                "alerting:apm.transaction_error_rate/apm/rule/find",
-                "alerting:apm.transaction_error_rate/apm/rule/getRuleExecutionKPI",
-                "alerting:apm.transaction_error_rate/apm/rule/getBackfill",
-                "alerting:apm.transaction_error_rate/apm/rule/findBackfill",
-                "alerting:apm.transaction_duration/apm/rule/get",
-                "alerting:apm.transaction_duration/apm/rule/getRuleState",
-                "alerting:apm.transaction_duration/apm/rule/getAlertSummary",
-                "alerting:apm.transaction_duration/apm/rule/getExecutionLog",
-                "alerting:apm.transaction_duration/apm/rule/getActionErrorLog",
-                "alerting:apm.transaction_duration/apm/rule/find",
-                "alerting:apm.transaction_duration/apm/rule/getRuleExecutionKPI",
-                "alerting:apm.transaction_duration/apm/rule/getBackfill",
-                "alerting:apm.transaction_duration/apm/rule/findBackfill",
-                "alerting:apm.anomaly/apm/rule/get",
-                "alerting:apm.anomaly/apm/rule/getRuleState",
-                "alerting:apm.anomaly/apm/rule/getAlertSummary",
-                "alerting:apm.anomaly/apm/rule/getExecutionLog",
-                "alerting:apm.anomaly/apm/rule/getActionErrorLog",
-                "alerting:apm.anomaly/apm/rule/find",
-                "alerting:apm.anomaly/apm/rule/getRuleExecutionKPI",
-                "alerting:apm.anomaly/apm/rule/getBackfill",
-                "alerting:apm.anomaly/apm/rule/findBackfill",
-                "alerting:apm.error_rate/apm/alert/get",
-                "alerting:apm.error_rate/apm/alert/find",
-                "alerting:apm.error_rate/apm/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.error_rate/apm/alert/getAlertSummary",
-                "alerting:apm.transaction_error_rate/apm/alert/get",
-                "alerting:apm.transaction_error_rate/apm/alert/find",
-                "alerting:apm.transaction_error_rate/apm/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.transaction_error_rate/apm/alert/getAlertSummary",
-                "alerting:apm.transaction_duration/apm/alert/get",
-                "alerting:apm.transaction_duration/apm/alert/find",
-                "alerting:apm.transaction_duration/apm/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.transaction_duration/apm/alert/getAlertSummary",
-                "alerting:apm.anomaly/apm/alert/get",
-                "alerting:apm.anomaly/apm/alert/find",
-                "alerting:apm.anomaly/apm/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.anomaly/apm/alert/getAlertSummary",
-                "api:infra",
-                "app:infra",
-                "app:logs",
-                "app:observability-logs-explorer",
-                "ui:catalogue/infralogging",
-                "ui:catalogue/logs",
-                "ui:navLinks/infra",
-                "ui:navLinks/logs",
-                "ui:navLinks/observability-logs-explorer",
-                "saved_object:infrastructure-ui-source/bulk_get",
-                "saved_object:infrastructure-ui-source/get",
-                "saved_object:infrastructure-ui-source/find",
-                "saved_object:infrastructure-ui-source/open_point_in_time",
-                "saved_object:infrastructure-ui-source/close_point_in_time",
-                "saved_object:infrastructure-monitoring-log-view/bulk_get",
-                "saved_object:infrastructure-monitoring-log-view/get",
-                "saved_object:infrastructure-monitoring-log-view/find",
-                "saved_object:infrastructure-monitoring-log-view/open_point_in_time",
-                "saved_object:infrastructure-monitoring-log-view/close_point_in_time",
-                "ui:logs/show",
-                "alerting:logs.alert.document.count/logs/rule/get",
-                "alerting:logs.alert.document.count/logs/rule/getRuleState",
-                "alerting:logs.alert.document.count/logs/rule/getAlertSummary",
-                "alerting:logs.alert.document.count/logs/rule/getExecutionLog",
-                "alerting:logs.alert.document.count/logs/rule/getActionErrorLog",
-                "alerting:logs.alert.document.count/logs/rule/find",
-                "alerting:logs.alert.document.count/logs/rule/getRuleExecutionKPI",
-                "alerting:logs.alert.document.count/logs/rule/getBackfill",
-                "alerting:logs.alert.document.count/logs/rule/findBackfill",
-                "alerting:.es-query/logs/rule/get",
-                "alerting:.es-query/logs/rule/getRuleState",
-                "alerting:.es-query/logs/rule/getAlertSummary",
-                "alerting:.es-query/logs/rule/getExecutionLog",
-                "alerting:.es-query/logs/rule/getActionErrorLog",
-                "alerting:.es-query/logs/rule/find",
-                "alerting:.es-query/logs/rule/getRuleExecutionKPI",
-                "alerting:.es-query/logs/rule/getBackfill",
-                "alerting:.es-query/logs/rule/findBackfill",
-                "alerting:observability.rules.custom_threshold/logs/rule/get",
-                "alerting:observability.rules.custom_threshold/logs/rule/getRuleState",
-                "alerting:observability.rules.custom_threshold/logs/rule/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/logs/rule/getExecutionLog",
-                "alerting:observability.rules.custom_threshold/logs/rule/getActionErrorLog",
-                "alerting:observability.rules.custom_threshold/logs/rule/find",
-                "alerting:observability.rules.custom_threshold/logs/rule/getRuleExecutionKPI",
-                "alerting:observability.rules.custom_threshold/logs/rule/getBackfill",
-                "alerting:observability.rules.custom_threshold/logs/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/get",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleState",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getExecutionLog",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getActionErrorLog",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/find",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleExecutionKPI",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/findBackfill",
-                "alerting:logs.alert.document.count/logs/alert/get",
-                "alerting:logs.alert.document.count/logs/alert/find",
-                "alerting:logs.alert.document.count/logs/alert/getAuthorizedAlertsIndices",
-                "alerting:logs.alert.document.count/logs/alert/getAlertSummary",
-                "alerting:.es-query/logs/alert/get",
-                "alerting:.es-query/logs/alert/find",
-                "alerting:.es-query/logs/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/logs/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/logs/alert/get",
-                "alerting:observability.rules.custom_threshold/logs/alert/find",
-                "alerting:observability.rules.custom_threshold/logs/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/logs/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAlertSummary",
-                "app:observability",
-                "ui:catalogue/observability",
-                "ui:navLinks/observability",
-                "ui:observability/read",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/create",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/delete",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/update",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/enable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/disable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/snooze",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/deleteBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/get",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/observability/rule/find",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/create",
+                "alerting:metrics.alert.threshold/observability/rule/delete",
+                "alerting:metrics.alert.threshold/observability/rule/update",
+                "alerting:metrics.alert.threshold/observability/rule/updateApiKey",
+                "alerting:metrics.alert.threshold/observability/rule/enable",
+                "alerting:metrics.alert.threshold/observability/rule/disable",
+                "alerting:metrics.alert.threshold/observability/rule/muteAll",
+                "alerting:metrics.alert.threshold/observability/rule/unmuteAll",
+                "alerting:metrics.alert.threshold/observability/rule/muteAlert",
+                "alerting:metrics.alert.threshold/observability/rule/unmuteAlert",
+                "alerting:metrics.alert.threshold/observability/rule/snooze",
+                "alerting:metrics.alert.threshold/observability/rule/bulkEdit",
+                "alerting:metrics.alert.threshold/observability/rule/bulkDelete",
+                "alerting:metrics.alert.threshold/observability/rule/bulkEnable",
+                "alerting:metrics.alert.threshold/observability/rule/bulkDisable",
+                "alerting:metrics.alert.threshold/observability/rule/unsnooze",
+                "alerting:metrics.alert.threshold/observability/rule/runSoon",
+                "alerting:metrics.alert.threshold/observability/rule/scheduleBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/deleteBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/get",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/alerts/rule/find",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/create",
+                "alerting:metrics.alert.threshold/alerts/rule/delete",
+                "alerting:metrics.alert.threshold/alerts/rule/update",
+                "alerting:metrics.alert.threshold/alerts/rule/updateApiKey",
+                "alerting:metrics.alert.threshold/alerts/rule/enable",
+                "alerting:metrics.alert.threshold/alerts/rule/disable",
+                "alerting:metrics.alert.threshold/alerts/rule/muteAll",
+                "alerting:metrics.alert.threshold/alerts/rule/unmuteAll",
+                "alerting:metrics.alert.threshold/alerts/rule/muteAlert",
+                "alerting:metrics.alert.threshold/alerts/rule/unmuteAlert",
+                "alerting:metrics.alert.threshold/alerts/rule/snooze",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkEdit",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkDelete",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkEnable",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkDisable",
+                "alerting:metrics.alert.threshold/alerts/rule/unsnooze",
+                "alerting:metrics.alert.threshold/alerts/rule/runSoon",
+                "alerting:metrics.alert.threshold/alerts/rule/scheduleBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/deleteBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/create",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/delete",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/update",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/updateApiKey",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/enable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/disable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAll",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAll",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAlert",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAlert",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/snooze",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEdit",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDelete",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEnable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDisable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unsnooze",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/runSoon",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/scheduleBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/deleteBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/create",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/delete",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/update",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/updateApiKey",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/enable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/disable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/muteAll",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unmuteAll",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/muteAlert",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unmuteAlert",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/snooze",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkEdit",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkDelete",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkEnable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkDisable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unsnooze",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/runSoon",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/scheduleBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/create",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/update",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/create",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/create",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/create",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/deleteBackfill",
+                "alerting:logs.alert.document.count/observability/rule/get",
+                "alerting:logs.alert.document.count/observability/rule/getRuleState",
+                "alerting:logs.alert.document.count/observability/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/observability/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/observability/rule/find",
+                "alerting:logs.alert.document.count/observability/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/observability/rule/getBackfill",
+                "alerting:logs.alert.document.count/observability/rule/findBackfill",
+                "alerting:logs.alert.document.count/observability/rule/create",
+                "alerting:logs.alert.document.count/observability/rule/delete",
+                "alerting:logs.alert.document.count/observability/rule/update",
+                "alerting:logs.alert.document.count/observability/rule/updateApiKey",
+                "alerting:logs.alert.document.count/observability/rule/enable",
+                "alerting:logs.alert.document.count/observability/rule/disable",
+                "alerting:logs.alert.document.count/observability/rule/muteAll",
+                "alerting:logs.alert.document.count/observability/rule/unmuteAll",
+                "alerting:logs.alert.document.count/observability/rule/muteAlert",
+                "alerting:logs.alert.document.count/observability/rule/unmuteAlert",
+                "alerting:logs.alert.document.count/observability/rule/snooze",
+                "alerting:logs.alert.document.count/observability/rule/bulkEdit",
+                "alerting:logs.alert.document.count/observability/rule/bulkDelete",
+                "alerting:logs.alert.document.count/observability/rule/bulkEnable",
+                "alerting:logs.alert.document.count/observability/rule/bulkDisable",
+                "alerting:logs.alert.document.count/observability/rule/unsnooze",
+                "alerting:logs.alert.document.count/observability/rule/runSoon",
+                "alerting:logs.alert.document.count/observability/rule/scheduleBackfill",
+                "alerting:logs.alert.document.count/observability/rule/deleteBackfill",
                 "alerting:slo.rules.burnRate/observability/rule/get",
                 "alerting:slo.rules.burnRate/observability/rule/getRuleState",
                 "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
@@ -1661,6 +2742,53 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
                 "alerting:slo.rules.burnRate/observability/rule/getBackfill",
                 "alerting:slo.rules.burnRate/observability/rule/findBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/create",
+                "alerting:slo.rules.burnRate/observability/rule/delete",
+                "alerting:slo.rules.burnRate/observability/rule/update",
+                "alerting:slo.rules.burnRate/observability/rule/updateApiKey",
+                "alerting:slo.rules.burnRate/observability/rule/enable",
+                "alerting:slo.rules.burnRate/observability/rule/disable",
+                "alerting:slo.rules.burnRate/observability/rule/muteAll",
+                "alerting:slo.rules.burnRate/observability/rule/unmuteAll",
+                "alerting:slo.rules.burnRate/observability/rule/muteAlert",
+                "alerting:slo.rules.burnRate/observability/rule/unmuteAlert",
+                "alerting:slo.rules.burnRate/observability/rule/snooze",
+                "alerting:slo.rules.burnRate/observability/rule/bulkEdit",
+                "alerting:slo.rules.burnRate/observability/rule/bulkDelete",
+                "alerting:slo.rules.burnRate/observability/rule/bulkEnable",
+                "alerting:slo.rules.burnRate/observability/rule/bulkDisable",
+                "alerting:slo.rules.burnRate/observability/rule/unsnooze",
+                "alerting:slo.rules.burnRate/observability/rule/runSoon",
+                "alerting:slo.rules.burnRate/observability/rule/scheduleBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/deleteBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/get",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleState",
+                "alerting:slo.rules.burnRate/alerts/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/alerts/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/alerts/rule/find",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/alerts/rule/getBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/findBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/create",
+                "alerting:slo.rules.burnRate/alerts/rule/delete",
+                "alerting:slo.rules.burnRate/alerts/rule/update",
+                "alerting:slo.rules.burnRate/alerts/rule/updateApiKey",
+                "alerting:slo.rules.burnRate/alerts/rule/enable",
+                "alerting:slo.rules.burnRate/alerts/rule/disable",
+                "alerting:slo.rules.burnRate/alerts/rule/muteAll",
+                "alerting:slo.rules.burnRate/alerts/rule/unmuteAll",
+                "alerting:slo.rules.burnRate/alerts/rule/muteAlert",
+                "alerting:slo.rules.burnRate/alerts/rule/unmuteAlert",
+                "alerting:slo.rules.burnRate/alerts/rule/snooze",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkEdit",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkDelete",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkEnable",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkDisable",
+                "alerting:slo.rules.burnRate/alerts/rule/unsnooze",
+                "alerting:slo.rules.burnRate/alerts/rule/runSoon",
+                "alerting:slo.rules.burnRate/alerts/rule/scheduleBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/deleteBackfill",
                 "alerting:observability.rules.custom_threshold/observability/rule/get",
                 "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
                 "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
@@ -1670,6 +2798,25 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
                 "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
                 "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/create",
+                "alerting:observability.rules.custom_threshold/observability/rule/delete",
+                "alerting:observability.rules.custom_threshold/observability/rule/update",
+                "alerting:observability.rules.custom_threshold/observability/rule/updateApiKey",
+                "alerting:observability.rules.custom_threshold/observability/rule/enable",
+                "alerting:observability.rules.custom_threshold/observability/rule/disable",
+                "alerting:observability.rules.custom_threshold/observability/rule/muteAll",
+                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAll",
+                "alerting:observability.rules.custom_threshold/observability/rule/muteAlert",
+                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAlert",
+                "alerting:observability.rules.custom_threshold/observability/rule/snooze",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkEdit",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkDelete",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkEnable",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkDisable",
+                "alerting:observability.rules.custom_threshold/observability/rule/unsnooze",
+                "alerting:observability.rules.custom_threshold/observability/rule/runSoon",
+                "alerting:observability.rules.custom_threshold/observability/rule/scheduleBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/deleteBackfill",
                 "alerting:.es-query/observability/rule/get",
                 "alerting:.es-query/observability/rule/getRuleState",
                 "alerting:.es-query/observability/rule/getAlertSummary",
@@ -1679,6 +2826,25 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:.es-query/observability/rule/getRuleExecutionKPI",
                 "alerting:.es-query/observability/rule/getBackfill",
                 "alerting:.es-query/observability/rule/findBackfill",
+                "alerting:.es-query/observability/rule/create",
+                "alerting:.es-query/observability/rule/delete",
+                "alerting:.es-query/observability/rule/update",
+                "alerting:.es-query/observability/rule/updateApiKey",
+                "alerting:.es-query/observability/rule/enable",
+                "alerting:.es-query/observability/rule/disable",
+                "alerting:.es-query/observability/rule/muteAll",
+                "alerting:.es-query/observability/rule/unmuteAll",
+                "alerting:.es-query/observability/rule/muteAlert",
+                "alerting:.es-query/observability/rule/unmuteAlert",
+                "alerting:.es-query/observability/rule/snooze",
+                "alerting:.es-query/observability/rule/bulkEdit",
+                "alerting:.es-query/observability/rule/bulkDelete",
+                "alerting:.es-query/observability/rule/bulkEnable",
+                "alerting:.es-query/observability/rule/bulkDisable",
+                "alerting:.es-query/observability/rule/unsnooze",
+                "alerting:.es-query/observability/rule/runSoon",
+                "alerting:.es-query/observability/rule/scheduleBackfill",
+                "alerting:.es-query/observability/rule/deleteBackfill",
                 "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
                 "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
                 "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
@@ -1688,115 +2854,157 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
                 "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
                 "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
-                "alerting:apm.error_rate/observability/rule/get",
-                "alerting:apm.error_rate/observability/rule/getRuleState",
-                "alerting:apm.error_rate/observability/rule/getAlertSummary",
-                "alerting:apm.error_rate/observability/rule/getExecutionLog",
-                "alerting:apm.error_rate/observability/rule/getActionErrorLog",
-                "alerting:apm.error_rate/observability/rule/find",
-                "alerting:apm.error_rate/observability/rule/getRuleExecutionKPI",
-                "alerting:apm.error_rate/observability/rule/getBackfill",
-                "alerting:apm.error_rate/observability/rule/findBackfill",
-                "alerting:apm.transaction_error_rate/observability/rule/get",
-                "alerting:apm.transaction_error_rate/observability/rule/getRuleState",
-                "alerting:apm.transaction_error_rate/observability/rule/getAlertSummary",
-                "alerting:apm.transaction_error_rate/observability/rule/getExecutionLog",
-                "alerting:apm.transaction_error_rate/observability/rule/getActionErrorLog",
-                "alerting:apm.transaction_error_rate/observability/rule/find",
-                "alerting:apm.transaction_error_rate/observability/rule/getRuleExecutionKPI",
-                "alerting:apm.transaction_error_rate/observability/rule/getBackfill",
-                "alerting:apm.transaction_error_rate/observability/rule/findBackfill",
-                "alerting:apm.transaction_duration/observability/rule/get",
-                "alerting:apm.transaction_duration/observability/rule/getRuleState",
-                "alerting:apm.transaction_duration/observability/rule/getAlertSummary",
-                "alerting:apm.transaction_duration/observability/rule/getExecutionLog",
-                "alerting:apm.transaction_duration/observability/rule/getActionErrorLog",
-                "alerting:apm.transaction_duration/observability/rule/find",
-                "alerting:apm.transaction_duration/observability/rule/getRuleExecutionKPI",
-                "alerting:apm.transaction_duration/observability/rule/getBackfill",
-                "alerting:apm.transaction_duration/observability/rule/findBackfill",
-                "alerting:apm.anomaly/observability/rule/get",
-                "alerting:apm.anomaly/observability/rule/getRuleState",
-                "alerting:apm.anomaly/observability/rule/getAlertSummary",
-                "alerting:apm.anomaly/observability/rule/getExecutionLog",
-                "alerting:apm.anomaly/observability/rule/getActionErrorLog",
-                "alerting:apm.anomaly/observability/rule/find",
-                "alerting:apm.anomaly/observability/rule/getRuleExecutionKPI",
-                "alerting:apm.anomaly/observability/rule/getBackfill",
-                "alerting:apm.anomaly/observability/rule/findBackfill",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/get",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleState",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getExecutionLog",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getActionErrorLog",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/find",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getBackfill",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/findBackfill",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/get",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleState",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getExecutionLog",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getActionErrorLog",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/find",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getBackfill",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/findBackfill",
-                "alerting:slo.rules.burnRate/observability/alert/get",
-                "alerting:slo.rules.burnRate/observability/alert/find",
-                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/alert/get",
-                "alerting:observability.rules.custom_threshold/observability/alert/find",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
-                "alerting:.es-query/observability/alert/get",
-                "alerting:.es-query/observability/alert/find",
-                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/observability/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/deleteBackfill",
                 "alerting:apm.error_rate/observability/alert/get",
                 "alerting:apm.error_rate/observability/alert/find",
                 "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.error_rate/observability/alert/update",
                 "alerting:apm.transaction_error_rate/observability/alert/get",
                 "alerting:apm.transaction_error_rate/observability/alert/find",
                 "alerting:apm.transaction_error_rate/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/observability/alert/update",
                 "alerting:apm.transaction_duration/observability/alert/get",
                 "alerting:apm.transaction_duration/observability/alert/find",
                 "alerting:apm.transaction_duration/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_duration/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/observability/alert/update",
                 "alerting:apm.anomaly/observability/alert/get",
                 "alerting:apm.anomaly/observability/alert/find",
                 "alerting:apm.anomaly/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.anomaly/observability/alert/getAlertSummary",
+                "alerting:apm.anomaly/observability/alert/update",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/update",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/get",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/find",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/update",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/update",
+                "alerting:metrics.alert.threshold/observability/alert/get",
+                "alerting:metrics.alert.threshold/observability/alert/find",
+                "alerting:metrics.alert.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/alert/update",
+                "alerting:metrics.alert.threshold/alerts/alert/get",
+                "alerting:metrics.alert.threshold/alerts/alert/find",
+                "alerting:metrics.alert.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/alert/update",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/update",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/update",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/update",
+                "alerting:logs.alert.document.count/observability/alert/get",
+                "alerting:logs.alert.document.count/observability/alert/find",
+                "alerting:logs.alert.document.count/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/observability/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/alert/update",
+                "alerting:slo.rules.burnRate/observability/alert/get",
+                "alerting:slo.rules.burnRate/observability/alert/find",
+                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/alert/update",
+                "alerting:slo.rules.burnRate/alerts/alert/get",
+                "alerting:slo.rules.burnRate/alerts/alert/find",
+                "alerting:slo.rules.burnRate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/alerts/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/alert/update",
+                "alerting:observability.rules.custom_threshold/observability/alert/get",
+                "alerting:observability.rules.custom_threshold/observability/alert/find",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/alert/update",
+                "alerting:.es-query/observability/alert/get",
+                "alerting:.es-query/observability/alert/find",
+                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/observability/alert/getAlertSummary",
+                "alerting:.es-query/observability/alert/update",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/update",
               ],
-              "read": Array [
+              "minimal_read": Array [
                 "login:",
                 "api:apm",
                 "api:rac",
@@ -1844,6 +3052,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.error_rate/apm/rule/getRuleExecutionKPI",
                 "alerting:apm.error_rate/apm/rule/getBackfill",
                 "alerting:apm.error_rate/apm/rule/findBackfill",
+                "alerting:apm.error_rate/alerts/rule/get",
+                "alerting:apm.error_rate/alerts/rule/getRuleState",
+                "alerting:apm.error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.error_rate/alerts/rule/find",
+                "alerting:apm.error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/alerts/rule/getBackfill",
+                "alerting:apm.error_rate/alerts/rule/findBackfill",
                 "alerting:apm.transaction_error_rate/apm/rule/get",
                 "alerting:apm.transaction_error_rate/apm/rule/getRuleState",
                 "alerting:apm.transaction_error_rate/apm/rule/getAlertSummary",
@@ -1853,6 +3070,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.transaction_error_rate/apm/rule/getRuleExecutionKPI",
                 "alerting:apm.transaction_error_rate/apm/rule/getBackfill",
                 "alerting:apm.transaction_error_rate/apm/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/get",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/find",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/alerts/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/findBackfill",
                 "alerting:apm.transaction_duration/apm/rule/get",
                 "alerting:apm.transaction_duration/apm/rule/getRuleState",
                 "alerting:apm.transaction_duration/apm/rule/getAlertSummary",
@@ -1862,6 +3088,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.transaction_duration/apm/rule/getRuleExecutionKPI",
                 "alerting:apm.transaction_duration/apm/rule/getBackfill",
                 "alerting:apm.transaction_duration/apm/rule/findBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/get",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleState",
+                "alerting:apm.transaction_duration/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/alerts/rule/find",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/alerts/rule/getBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/findBackfill",
                 "alerting:apm.anomaly/apm/rule/get",
                 "alerting:apm.anomaly/apm/rule/getRuleState",
                 "alerting:apm.anomaly/apm/rule/getAlertSummary",
@@ -1871,22 +3106,47 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.anomaly/apm/rule/getRuleExecutionKPI",
                 "alerting:apm.anomaly/apm/rule/getBackfill",
                 "alerting:apm.anomaly/apm/rule/findBackfill",
+                "alerting:apm.anomaly/alerts/rule/get",
+                "alerting:apm.anomaly/alerts/rule/getRuleState",
+                "alerting:apm.anomaly/alerts/rule/getAlertSummary",
+                "alerting:apm.anomaly/alerts/rule/getExecutionLog",
+                "alerting:apm.anomaly/alerts/rule/getActionErrorLog",
+                "alerting:apm.anomaly/alerts/rule/find",
+                "alerting:apm.anomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/alerts/rule/getBackfill",
+                "alerting:apm.anomaly/alerts/rule/findBackfill",
                 "alerting:apm.error_rate/apm/alert/get",
                 "alerting:apm.error_rate/apm/alert/find",
                 "alerting:apm.error_rate/apm/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.error_rate/apm/alert/getAlertSummary",
+                "alerting:apm.error_rate/alerts/alert/get",
+                "alerting:apm.error_rate/alerts/alert/find",
+                "alerting:apm.error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/alerts/alert/getAlertSummary",
                 "alerting:apm.transaction_error_rate/apm/alert/get",
                 "alerting:apm.transaction_error_rate/apm/alert/find",
                 "alerting:apm.transaction_error_rate/apm/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_error_rate/apm/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/alert/get",
+                "alerting:apm.transaction_error_rate/alerts/alert/find",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAlertSummary",
                 "alerting:apm.transaction_duration/apm/alert/get",
                 "alerting:apm.transaction_duration/apm/alert/find",
                 "alerting:apm.transaction_duration/apm/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_duration/apm/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/alert/get",
+                "alerting:apm.transaction_duration/alerts/alert/find",
+                "alerting:apm.transaction_duration/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/alerts/alert/getAlertSummary",
                 "alerting:apm.anomaly/apm/alert/get",
                 "alerting:apm.anomaly/apm/alert/find",
                 "alerting:apm.anomaly/apm/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.anomaly/apm/alert/getAlertSummary",
+                "alerting:apm.anomaly/alerts/alert/get",
+                "alerting:apm.anomaly/alerts/alert/find",
+                "alerting:apm.anomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/alerts/alert/getAlertSummary",
                 "api:infra",
                 "app:infra",
                 "app:logs",
@@ -1916,6 +3176,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:logs.alert.document.count/logs/rule/getRuleExecutionKPI",
                 "alerting:logs.alert.document.count/logs/rule/getBackfill",
                 "alerting:logs.alert.document.count/logs/rule/findBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/get",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleState",
+                "alerting:logs.alert.document.count/alerts/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/alerts/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/alerts/rule/find",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/alerts/rule/getBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/findBackfill",
                 "alerting:.es-query/logs/rule/get",
                 "alerting:.es-query/logs/rule/getRuleState",
                 "alerting:.es-query/logs/rule/getAlertSummary",
@@ -1925,6 +3194,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:.es-query/logs/rule/getRuleExecutionKPI",
                 "alerting:.es-query/logs/rule/getBackfill",
                 "alerting:.es-query/logs/rule/findBackfill",
+                "alerting:.es-query/alerts/rule/get",
+                "alerting:.es-query/alerts/rule/getRuleState",
+                "alerting:.es-query/alerts/rule/getAlertSummary",
+                "alerting:.es-query/alerts/rule/getExecutionLog",
+                "alerting:.es-query/alerts/rule/getActionErrorLog",
+                "alerting:.es-query/alerts/rule/find",
+                "alerting:.es-query/alerts/rule/getRuleExecutionKPI",
+                "alerting:.es-query/alerts/rule/getBackfill",
+                "alerting:.es-query/alerts/rule/findBackfill",
                 "alerting:observability.rules.custom_threshold/logs/rule/get",
                 "alerting:observability.rules.custom_threshold/logs/rule/getRuleState",
                 "alerting:observability.rules.custom_threshold/logs/rule/getAlertSummary",
@@ -1934,6 +3212,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:observability.rules.custom_threshold/logs/rule/getRuleExecutionKPI",
                 "alerting:observability.rules.custom_threshold/logs/rule/getBackfill",
                 "alerting:observability.rules.custom_threshold/logs/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/get",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/find",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/findBackfill",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/get",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleState",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getAlertSummary",
@@ -1943,71 +3230,51 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleExecutionKPI",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getBackfill",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/findBackfill",
                 "alerting:logs.alert.document.count/logs/alert/get",
                 "alerting:logs.alert.document.count/logs/alert/find",
                 "alerting:logs.alert.document.count/logs/alert/getAuthorizedAlertsIndices",
                 "alerting:logs.alert.document.count/logs/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/alert/get",
+                "alerting:logs.alert.document.count/alerts/alert/find",
+                "alerting:logs.alert.document.count/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/alerts/alert/getAlertSummary",
                 "alerting:.es-query/logs/alert/get",
                 "alerting:.es-query/logs/alert/find",
                 "alerting:.es-query/logs/alert/getAuthorizedAlertsIndices",
                 "alerting:.es-query/logs/alert/getAlertSummary",
+                "alerting:.es-query/alerts/alert/get",
+                "alerting:.es-query/alerts/alert/find",
+                "alerting:.es-query/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/alerts/alert/getAlertSummary",
                 "alerting:observability.rules.custom_threshold/logs/alert/get",
                 "alerting:observability.rules.custom_threshold/logs/alert/find",
                 "alerting:observability.rules.custom_threshold/logs/alert/getAuthorizedAlertsIndices",
                 "alerting:observability.rules.custom_threshold/logs/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/alert/get",
+                "alerting:observability.rules.custom_threshold/alerts/alert/find",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAlertSummary",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/alert/get",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/alert/find",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAlertSummary",
                 "app:observability",
                 "ui:catalogue/observability",
                 "ui:navLinks/observability",
                 "ui:observability/read",
-                "alerting:slo.rules.burnRate/observability/rule/get",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
-                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
-                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
-                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
-                "alerting:slo.rules.burnRate/observability/rule/find",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
-                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/get",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
-                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/find",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
-                "alerting:.es-query/observability/rule/get",
-                "alerting:.es-query/observability/rule/getRuleState",
-                "alerting:.es-query/observability/rule/getAlertSummary",
-                "alerting:.es-query/observability/rule/getExecutionLog",
-                "alerting:.es-query/observability/rule/getActionErrorLog",
-                "alerting:.es-query/observability/rule/find",
-                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
-                "alerting:.es-query/observability/rule/getBackfill",
-                "alerting:.es-query/observability/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
                 "alerting:apm.error_rate/observability/rule/get",
                 "alerting:apm.error_rate/observability/rule/getRuleState",
                 "alerting:apm.error_rate/observability/rule/getAlertSummary",
@@ -2053,6 +3320,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/findBackfill",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/get",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getAlertSummary",
@@ -2062,26 +3338,177 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleExecutionKPI",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getBackfill",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/findBackfill",
-                "alerting:slo.rules.burnRate/observability/alert/get",
-                "alerting:slo.rules.burnRate/observability/alert/find",
-                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/alert/get",
-                "alerting:observability.rules.custom_threshold/observability/alert/find",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
-                "alerting:.es-query/observability/alert/get",
-                "alerting:.es-query/observability/alert/find",
-                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/observability/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/findBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/get",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/observability/rule/find",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/get",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/alerts/rule/find",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/findBackfill",
+                "alerting:logs.alert.document.count/observability/rule/get",
+                "alerting:logs.alert.document.count/observability/rule/getRuleState",
+                "alerting:logs.alert.document.count/observability/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/observability/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/observability/rule/find",
+                "alerting:logs.alert.document.count/observability/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/observability/rule/getBackfill",
+                "alerting:logs.alert.document.count/observability/rule/findBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/get",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
+                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/observability/rule/find",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/get",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleState",
+                "alerting:slo.rules.burnRate/alerts/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/alerts/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/alerts/rule/find",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/alerts/rule/getBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/get",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/find",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
+                "alerting:.es-query/observability/rule/get",
+                "alerting:.es-query/observability/rule/getRuleState",
+                "alerting:.es-query/observability/rule/getAlertSummary",
+                "alerting:.es-query/observability/rule/getExecutionLog",
+                "alerting:.es-query/observability/rule/getActionErrorLog",
+                "alerting:.es-query/observability/rule/find",
+                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
+                "alerting:.es-query/observability/rule/getBackfill",
+                "alerting:.es-query/observability/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
                 "alerting:apm.error_rate/observability/alert/get",
                 "alerting:apm.error_rate/observability/alert/find",
                 "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
@@ -2102,132 +3529,108 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAlertSummary",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/get",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/find",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/alert/get",
+                "alerting:metrics.alert.threshold/observability/alert/find",
+                "alerting:metrics.alert.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/alert/get",
+                "alerting:metrics.alert.threshold/alerts/alert/find",
+                "alerting:metrics.alert.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/alert/get",
+                "alerting:logs.alert.document.count/observability/alert/find",
+                "alerting:logs.alert.document.count/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/observability/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/alert/get",
+                "alerting:slo.rules.burnRate/observability/alert/find",
+                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/alert/get",
+                "alerting:slo.rules.burnRate/alerts/alert/find",
+                "alerting:slo.rules.burnRate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/alerts/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/alert/get",
+                "alerting:observability.rules.custom_threshold/observability/alert/find",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
+                "alerting:.es-query/observability/alert/get",
+                "alerting:.es-query/observability/alert/find",
+                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/observability/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
               ],
-              "settings_save": Array [
-                "login:",
-                "api:apm_settings_write",
-                "ui:apm/settings:save",
-              ],
-            },
-            "dashboard": Object {
-              "all": Array [
+              "read": Array [
                 "login:",
-                "api:bulkGetUserProfiles",
-                "api:dashboardUsageStats",
-                "api:store_search_session",
-                "api:generateReport",
-                "api:downloadCsv",
-                "app:dashboards",
+                "api:apm",
+                "api:rac",
+                "app:apm",
+                "app:ux",
                 "app:kibana",
-                "ui:catalogue/dashboard",
-                "ui:management/kibana/search_sessions",
-                "ui:management/insightsAndAlerting/reporting",
-                "ui:navLinks/dashboards",
+                "ui:catalogue/apm",
+                "ui:management/insightsAndAlerting/triggersActions",
+                "ui:navLinks/apm",
+                "ui:navLinks/ux",
                 "ui:navLinks/kibana",
-                "saved_object:dashboard/bulk_get",
-                "saved_object:dashboard/get",
-                "saved_object:dashboard/find",
-                "saved_object:dashboard/open_point_in_time",
-                "saved_object:dashboard/close_point_in_time",
-                "saved_object:dashboard/create",
-                "saved_object:dashboard/bulk_create",
-                "saved_object:dashboard/update",
-                "saved_object:dashboard/bulk_update",
-                "saved_object:dashboard/delete",
-                "saved_object:dashboard/bulk_delete",
-                "saved_object:dashboard/share_to_space",
-                "saved_object:query/bulk_get",
-                "saved_object:query/get",
-                "saved_object:query/find",
-                "saved_object:query/open_point_in_time",
-                "saved_object:query/close_point_in_time",
-                "saved_object:query/create",
-                "saved_object:query/bulk_create",
-                "saved_object:query/update",
-                "saved_object:query/bulk_update",
-                "saved_object:query/delete",
-                "saved_object:query/bulk_delete",
-                "saved_object:query/share_to_space",
-                "saved_object:telemetry/bulk_get",
-                "saved_object:telemetry/get",
-                "saved_object:telemetry/find",
-                "saved_object:telemetry/open_point_in_time",
-                "saved_object:telemetry/close_point_in_time",
-                "saved_object:telemetry/create",
-                "saved_object:telemetry/bulk_create",
-                "saved_object:telemetry/update",
-                "saved_object:telemetry/bulk_update",
-                "saved_object:telemetry/delete",
-                "saved_object:telemetry/bulk_delete",
-                "saved_object:telemetry/share_to_space",
-                "saved_object:url/bulk_get",
-                "saved_object:url/get",
-                "saved_object:url/find",
-                "saved_object:url/open_point_in_time",
-                "saved_object:url/close_point_in_time",
-                "saved_object:url/create",
-                "saved_object:url/bulk_create",
-                "saved_object:url/update",
-                "saved_object:url/bulk_update",
-                "saved_object:url/delete",
-                "saved_object:url/bulk_delete",
-                "saved_object:url/share_to_space",
-                "saved_object:search-session/bulk_get",
-                "saved_object:search-session/get",
-                "saved_object:search-session/find",
-                "saved_object:search-session/open_point_in_time",
-                "saved_object:search-session/close_point_in_time",
-                "saved_object:search-session/create",
-                "saved_object:search-session/bulk_create",
-                "saved_object:search-session/update",
-                "saved_object:search-session/bulk_update",
-                "saved_object:search-session/delete",
-                "saved_object:search-session/bulk_delete",
-                "saved_object:search-session/share_to_space",
-                "saved_object:index-pattern/bulk_get",
-                "saved_object:index-pattern/get",
-                "saved_object:index-pattern/find",
-                "saved_object:index-pattern/open_point_in_time",
-                "saved_object:index-pattern/close_point_in_time",
-                "saved_object:search/bulk_get",
-                "saved_object:search/get",
-                "saved_object:search/find",
-                "saved_object:search/open_point_in_time",
-                "saved_object:search/close_point_in_time",
-                "saved_object:visualization/bulk_get",
-                "saved_object:visualization/get",
-                "saved_object:visualization/find",
-                "saved_object:visualization/open_point_in_time",
-                "saved_object:visualization/close_point_in_time",
-                "saved_object:canvas-workpad/bulk_get",
-                "saved_object:canvas-workpad/get",
-                "saved_object:canvas-workpad/find",
-                "saved_object:canvas-workpad/open_point_in_time",
-                "saved_object:canvas-workpad/close_point_in_time",
-                "saved_object:lens/bulk_get",
-                "saved_object:lens/get",
-                "saved_object:lens/find",
-                "saved_object:lens/open_point_in_time",
-                "saved_object:lens/close_point_in_time",
-                "saved_object:links/bulk_get",
-                "saved_object:links/get",
-                "saved_object:links/find",
-                "saved_object:links/open_point_in_time",
-                "saved_object:links/close_point_in_time",
-                "saved_object:map/bulk_get",
-                "saved_object:map/get",
-                "saved_object:map/find",
-                "saved_object:map/open_point_in_time",
-                "saved_object:map/close_point_in_time",
-                "saved_object:tag/bulk_get",
-                "saved_object:tag/get",
-                "saved_object:tag/find",
-                "saved_object:tag/open_point_in_time",
-                "saved_object:tag/close_point_in_time",
+                "saved_object:apm-indices/bulk_get",
+                "saved_object:apm-indices/get",
+                "saved_object:apm-indices/find",
+                "saved_object:apm-indices/open_point_in_time",
+                "saved_object:apm-indices/close_point_in_time",
                 "saved_object:config/bulk_get",
                 "saved_object:config/get",
                 "saved_object:config/find",
@@ -2238,3839 +3641,142 @@ export default function ({ getService }: FtrProviderContext) {
                 "saved_object:config-global/find",
                 "saved_object:config-global/open_point_in_time",
                 "saved_object:config-global/close_point_in_time",
-                "ui:dashboard/createNew",
-                "ui:dashboard/show",
-                "ui:dashboard/showWriteControls",
-                "ui:dashboard/saveQuery",
-                "ui:dashboard/createShortUrl",
-                "ui:dashboard/storeSearchSession",
-                "ui:dashboard/generateScreenshot",
-                "ui:dashboard/downloadCsv",
-                "app:maps",
-                "ui:catalogue/maps",
-                "ui:navLinks/maps",
-                "saved_object:map/create",
-                "saved_object:map/bulk_create",
-                "saved_object:map/update",
-                "saved_object:map/bulk_update",
-                "saved_object:map/delete",
-                "saved_object:map/bulk_delete",
-                "saved_object:map/share_to_space",
-                "ui:maps/save",
-                "ui:maps/show",
-                "ui:maps/saveQuery",
-                "app:visualize",
-                "app:lens",
-                "ui:catalogue/visualize",
-                "ui:navLinks/visualize",
-                "ui:navLinks/lens",
-                "saved_object:visualization/create",
-                "saved_object:visualization/bulk_create",
-                "saved_object:visualization/update",
-                "saved_object:visualization/bulk_update",
-                "saved_object:visualization/delete",
-                "saved_object:visualization/bulk_delete",
-                "saved_object:visualization/share_to_space",
-                "saved_object:lens/create",
-                "saved_object:lens/bulk_create",
-                "saved_object:lens/update",
-                "saved_object:lens/bulk_update",
-                "saved_object:lens/delete",
-                "saved_object:lens/bulk_delete",
-                "saved_object:lens/share_to_space",
-                "ui:visualize/show",
-                "ui:visualize/delete",
-                "ui:visualize/save",
-                "ui:visualize/saveQuery",
-                "ui:visualize/createShortUrl",
-                "ui:visualize/generateScreenshot",
-              ],
-              "download_csv_report": Array [
-                "login:",
-                "api:downloadCsv",
-                "ui:management/insightsAndAlerting/reporting",
-                "ui:dashboard/downloadCsv",
-              ],
-              "generate_report": Array [
-                "login:",
-                "api:generateReport",
-                "ui:management/insightsAndAlerting/reporting",
-                "ui:dashboard/generateScreenshot",
-              ],
-              "minimal_all": Array [
-                "login:",
-                "api:bulkGetUserProfiles",
-                "api:dashboardUsageStats",
-                "app:dashboards",
-                "app:kibana",
-                "ui:catalogue/dashboard",
-                "ui:navLinks/dashboards",
-                "ui:navLinks/kibana",
-                "saved_object:dashboard/bulk_get",
-                "saved_object:dashboard/get",
-                "saved_object:dashboard/find",
-                "saved_object:dashboard/open_point_in_time",
-                "saved_object:dashboard/close_point_in_time",
-                "saved_object:dashboard/create",
-                "saved_object:dashboard/bulk_create",
-                "saved_object:dashboard/update",
-                "saved_object:dashboard/bulk_update",
-                "saved_object:dashboard/delete",
-                "saved_object:dashboard/bulk_delete",
-                "saved_object:dashboard/share_to_space",
-                "saved_object:query/bulk_get",
-                "saved_object:query/get",
-                "saved_object:query/find",
-                "saved_object:query/open_point_in_time",
-                "saved_object:query/close_point_in_time",
-                "saved_object:query/create",
-                "saved_object:query/bulk_create",
-                "saved_object:query/update",
-                "saved_object:query/bulk_update",
-                "saved_object:query/delete",
-                "saved_object:query/bulk_delete",
-                "saved_object:query/share_to_space",
                 "saved_object:telemetry/bulk_get",
                 "saved_object:telemetry/get",
                 "saved_object:telemetry/find",
                 "saved_object:telemetry/open_point_in_time",
                 "saved_object:telemetry/close_point_in_time",
-                "saved_object:telemetry/create",
-                "saved_object:telemetry/bulk_create",
-                "saved_object:telemetry/update",
-                "saved_object:telemetry/bulk_update",
-                "saved_object:telemetry/delete",
-                "saved_object:telemetry/bulk_delete",
-                "saved_object:telemetry/share_to_space",
-                "saved_object:index-pattern/bulk_get",
-                "saved_object:index-pattern/get",
-                "saved_object:index-pattern/find",
-                "saved_object:index-pattern/open_point_in_time",
-                "saved_object:index-pattern/close_point_in_time",
-                "saved_object:search/bulk_get",
-                "saved_object:search/get",
-                "saved_object:search/find",
-                "saved_object:search/open_point_in_time",
-                "saved_object:search/close_point_in_time",
-                "saved_object:visualization/bulk_get",
-                "saved_object:visualization/get",
-                "saved_object:visualization/find",
-                "saved_object:visualization/open_point_in_time",
-                "saved_object:visualization/close_point_in_time",
-                "saved_object:canvas-workpad/bulk_get",
-                "saved_object:canvas-workpad/get",
-                "saved_object:canvas-workpad/find",
-                "saved_object:canvas-workpad/open_point_in_time",
-                "saved_object:canvas-workpad/close_point_in_time",
-                "saved_object:lens/bulk_get",
-                "saved_object:lens/get",
-                "saved_object:lens/find",
-                "saved_object:lens/open_point_in_time",
-                "saved_object:lens/close_point_in_time",
-                "saved_object:links/bulk_get",
-                "saved_object:links/get",
-                "saved_object:links/find",
-                "saved_object:links/open_point_in_time",
-                "saved_object:links/close_point_in_time",
-                "saved_object:map/bulk_get",
-                "saved_object:map/get",
-                "saved_object:map/find",
-                "saved_object:map/open_point_in_time",
-                "saved_object:map/close_point_in_time",
-                "saved_object:tag/bulk_get",
-                "saved_object:tag/get",
-                "saved_object:tag/find",
-                "saved_object:tag/open_point_in_time",
-                "saved_object:tag/close_point_in_time",
-                "saved_object:config/bulk_get",
-                "saved_object:config/get",
-                "saved_object:config/find",
-                "saved_object:config/open_point_in_time",
-                "saved_object:config/close_point_in_time",
-                "saved_object:config-global/bulk_get",
-                "saved_object:config-global/get",
-                "saved_object:config-global/find",
-                "saved_object:config-global/open_point_in_time",
-                "saved_object:config-global/close_point_in_time",
                 "saved_object:url/bulk_get",
                 "saved_object:url/get",
                 "saved_object:url/find",
                 "saved_object:url/open_point_in_time",
                 "saved_object:url/close_point_in_time",
-                "ui:dashboard/createNew",
-                "ui:dashboard/show",
-                "ui:dashboard/showWriteControls",
-                "ui:dashboard/saveQuery",
-                "app:maps",
-                "ui:catalogue/maps",
-                "ui:navLinks/maps",
-                "saved_object:map/create",
-                "saved_object:map/bulk_create",
-                "saved_object:map/update",
-                "saved_object:map/bulk_update",
-                "saved_object:map/delete",
-                "saved_object:map/bulk_delete",
-                "saved_object:map/share_to_space",
-                "ui:maps/save",
-                "ui:maps/show",
-                "ui:maps/saveQuery",
-                "api:generateReport",
-                "app:visualize",
-                "app:lens",
-                "ui:catalogue/visualize",
-                "ui:management/insightsAndAlerting/reporting",
-                "ui:navLinks/visualize",
-                "ui:navLinks/lens",
-                "saved_object:visualization/create",
-                "saved_object:visualization/bulk_create",
-                "saved_object:visualization/update",
-                "saved_object:visualization/bulk_update",
-                "saved_object:visualization/delete",
-                "saved_object:visualization/bulk_delete",
-                "saved_object:visualization/share_to_space",
-                "saved_object:lens/create",
-                "saved_object:lens/bulk_create",
-                "saved_object:lens/update",
-                "saved_object:lens/bulk_update",
-                "saved_object:lens/delete",
-                "saved_object:lens/bulk_delete",
-                "saved_object:lens/share_to_space",
-                "saved_object:url/create",
-                "saved_object:url/bulk_create",
-                "saved_object:url/update",
-                "saved_object:url/bulk_update",
-                "saved_object:url/delete",
-                "saved_object:url/bulk_delete",
-                "saved_object:url/share_to_space",
-                "ui:visualize/show",
-                "ui:visualize/delete",
-                "ui:visualize/save",
-                "ui:visualize/saveQuery",
-                "ui:visualize/createShortUrl",
-                "ui:visualize/generateScreenshot",
-              ],
-              "minimal_read": Array [
-                "login:",
-                "api:bulkGetUserProfiles",
-                "api:dashboardUsageStats",
-                "app:dashboards",
-                "app:kibana",
-                "ui:catalogue/dashboard",
-                "ui:navLinks/dashboards",
-                "ui:navLinks/kibana",
-                "saved_object:index-pattern/bulk_get",
-                "saved_object:index-pattern/get",
-                "saved_object:index-pattern/find",
-                "saved_object:index-pattern/open_point_in_time",
-                "saved_object:index-pattern/close_point_in_time",
-                "saved_object:search/bulk_get",
-                "saved_object:search/get",
-                "saved_object:search/find",
-                "saved_object:search/open_point_in_time",
-                "saved_object:search/close_point_in_time",
-                "saved_object:visualization/bulk_get",
-                "saved_object:visualization/get",
-                "saved_object:visualization/find",
-                "saved_object:visualization/open_point_in_time",
-                "saved_object:visualization/close_point_in_time",
-                "saved_object:canvas-workpad/bulk_get",
-                "saved_object:canvas-workpad/get",
-                "saved_object:canvas-workpad/find",
-                "saved_object:canvas-workpad/open_point_in_time",
-                "saved_object:canvas-workpad/close_point_in_time",
-                "saved_object:lens/bulk_get",
-                "saved_object:lens/get",
-                "saved_object:lens/find",
-                "saved_object:lens/open_point_in_time",
-                "saved_object:lens/close_point_in_time",
-                "saved_object:links/bulk_get",
-                "saved_object:links/get",
-                "saved_object:links/find",
-                "saved_object:links/open_point_in_time",
-                "saved_object:links/close_point_in_time",
-                "saved_object:map/bulk_get",
-                "saved_object:map/get",
-                "saved_object:map/find",
-                "saved_object:map/open_point_in_time",
-                "saved_object:map/close_point_in_time",
-                "saved_object:dashboard/bulk_get",
-                "saved_object:dashboard/get",
-                "saved_object:dashboard/find",
-                "saved_object:dashboard/open_point_in_time",
-                "saved_object:dashboard/close_point_in_time",
-                "saved_object:query/bulk_get",
-                "saved_object:query/get",
-                "saved_object:query/find",
-                "saved_object:query/open_point_in_time",
-                "saved_object:query/close_point_in_time",
-                "saved_object:tag/bulk_get",
-                "saved_object:tag/get",
-                "saved_object:tag/find",
-                "saved_object:tag/open_point_in_time",
-                "saved_object:tag/close_point_in_time",
-                "saved_object:config/bulk_get",
-                "saved_object:config/get",
-                "saved_object:config/find",
-                "saved_object:config/open_point_in_time",
-                "saved_object:config/close_point_in_time",
-                "saved_object:config-global/bulk_get",
-                "saved_object:config-global/get",
-                "saved_object:config-global/find",
-                "saved_object:config-global/open_point_in_time",
-                "saved_object:config-global/close_point_in_time",
-                "saved_object:telemetry/bulk_get",
-                "saved_object:telemetry/get",
-                "saved_object:telemetry/find",
-                "saved_object:telemetry/open_point_in_time",
-                "saved_object:telemetry/close_point_in_time",
-                "saved_object:url/bulk_get",
-                "saved_object:url/get",
-                "saved_object:url/find",
-                "saved_object:url/open_point_in_time",
-                "saved_object:url/close_point_in_time",
-                "ui:dashboard/show",
-                "app:maps",
-                "ui:catalogue/maps",
-                "ui:navLinks/maps",
-                "ui:maps/show",
-                "app:visualize",
-                "app:lens",
-                "ui:catalogue/visualize",
-                "ui:navLinks/visualize",
-                "ui:navLinks/lens",
-                "saved_object:url/create",
-                "saved_object:url/bulk_create",
-                "saved_object:url/update",
-                "saved_object:url/bulk_update",
-                "saved_object:url/delete",
-                "saved_object:url/bulk_delete",
-                "saved_object:url/share_to_space",
-                "ui:visualize/show",
-                "ui:visualize/createShortUrl",
-              ],
-              "read": Array [
-                "login:",
-                "api:bulkGetUserProfiles",
-                "api:dashboardUsageStats",
-                "app:dashboards",
-                "app:kibana",
-                "ui:catalogue/dashboard",
-                "ui:navLinks/dashboards",
-                "ui:navLinks/kibana",
-                "saved_object:url/bulk_get",
-                "saved_object:url/get",
-                "saved_object:url/find",
-                "saved_object:url/open_point_in_time",
-                "saved_object:url/close_point_in_time",
-                "saved_object:url/create",
-                "saved_object:url/bulk_create",
-                "saved_object:url/update",
-                "saved_object:url/bulk_update",
-                "saved_object:url/delete",
-                "saved_object:url/bulk_delete",
-                "saved_object:url/share_to_space",
-                "saved_object:index-pattern/bulk_get",
-                "saved_object:index-pattern/get",
-                "saved_object:index-pattern/find",
-                "saved_object:index-pattern/open_point_in_time",
-                "saved_object:index-pattern/close_point_in_time",
-                "saved_object:search/bulk_get",
-                "saved_object:search/get",
-                "saved_object:search/find",
-                "saved_object:search/open_point_in_time",
-                "saved_object:search/close_point_in_time",
-                "saved_object:visualization/bulk_get",
-                "saved_object:visualization/get",
-                "saved_object:visualization/find",
-                "saved_object:visualization/open_point_in_time",
-                "saved_object:visualization/close_point_in_time",
-                "saved_object:canvas-workpad/bulk_get",
-                "saved_object:canvas-workpad/get",
-                "saved_object:canvas-workpad/find",
-                "saved_object:canvas-workpad/open_point_in_time",
-                "saved_object:canvas-workpad/close_point_in_time",
-                "saved_object:lens/bulk_get",
-                "saved_object:lens/get",
-                "saved_object:lens/find",
-                "saved_object:lens/open_point_in_time",
-                "saved_object:lens/close_point_in_time",
-                "saved_object:links/bulk_get",
-                "saved_object:links/get",
-                "saved_object:links/find",
-                "saved_object:links/open_point_in_time",
-                "saved_object:links/close_point_in_time",
-                "saved_object:map/bulk_get",
-                "saved_object:map/get",
-                "saved_object:map/find",
-                "saved_object:map/open_point_in_time",
-                "saved_object:map/close_point_in_time",
-                "saved_object:dashboard/bulk_get",
-                "saved_object:dashboard/get",
-                "saved_object:dashboard/find",
-                "saved_object:dashboard/open_point_in_time",
-                "saved_object:dashboard/close_point_in_time",
-                "saved_object:query/bulk_get",
-                "saved_object:query/get",
-                "saved_object:query/find",
-                "saved_object:query/open_point_in_time",
-                "saved_object:query/close_point_in_time",
-                "saved_object:tag/bulk_get",
-                "saved_object:tag/get",
-                "saved_object:tag/find",
-                "saved_object:tag/open_point_in_time",
-                "saved_object:tag/close_point_in_time",
-                "saved_object:config/bulk_get",
-                "saved_object:config/get",
-                "saved_object:config/find",
-                "saved_object:config/open_point_in_time",
-                "saved_object:config/close_point_in_time",
-                "saved_object:config-global/bulk_get",
-                "saved_object:config-global/get",
-                "saved_object:config-global/find",
-                "saved_object:config-global/open_point_in_time",
-                "saved_object:config-global/close_point_in_time",
-                "saved_object:telemetry/bulk_get",
-                "saved_object:telemetry/get",
-                "saved_object:telemetry/find",
-                "saved_object:telemetry/open_point_in_time",
-                "saved_object:telemetry/close_point_in_time",
-                "ui:dashboard/show",
-                "ui:dashboard/createShortUrl",
-                "app:maps",
-                "ui:catalogue/maps",
-                "ui:navLinks/maps",
-                "ui:maps/show",
-                "app:visualize",
-                "app:lens",
-                "ui:catalogue/visualize",
-                "ui:navLinks/visualize",
-                "ui:navLinks/lens",
-                "ui:visualize/show",
-                "ui:visualize/createShortUrl",
-              ],
-              "store_search_session": Array [
-                "login:",
-                "api:store_search_session",
-                "ui:management/kibana/search_sessions",
-                "saved_object:search-session/bulk_get",
-                "saved_object:search-session/get",
-                "saved_object:search-session/find",
-                "saved_object:search-session/open_point_in_time",
-                "saved_object:search-session/close_point_in_time",
-                "saved_object:search-session/create",
-                "saved_object:search-session/bulk_create",
-                "saved_object:search-session/update",
-                "saved_object:search-session/bulk_update",
-                "saved_object:search-session/delete",
-                "saved_object:search-session/bulk_delete",
-                "saved_object:search-session/share_to_space",
-                "ui:dashboard/storeSearchSession",
-              ],
-              "url_create": Array [
-                "login:",
-                "saved_object:url/bulk_get",
-                "saved_object:url/get",
-                "saved_object:url/find",
-                "saved_object:url/open_point_in_time",
-                "saved_object:url/close_point_in_time",
-                "saved_object:url/create",
-                "saved_object:url/bulk_create",
-                "saved_object:url/update",
-                "saved_object:url/bulk_update",
-                "saved_object:url/delete",
-                "saved_object:url/bulk_delete",
-                "saved_object:url/share_to_space",
-                "ui:dashboard/createShortUrl",
-              ],
-            },
-            "discover": Object {
-              "all": Array [
-                "login:",
-                "api:fileUpload:analyzeFile",
-                "api:store_search_session",
-                "api:generateReport",
-                "app:discover",
-                "app:kibana",
-                "ui:catalogue/discover",
-                "ui:management/kibana/search_sessions",
-                "ui:management/insightsAndAlerting/reporting",
-                "ui:navLinks/discover",
-                "ui:navLinks/kibana",
-                "saved_object:search/bulk_get",
-                "saved_object:search/get",
-                "saved_object:search/find",
-                "saved_object:search/open_point_in_time",
-                "saved_object:search/close_point_in_time",
-                "saved_object:search/create",
-                "saved_object:search/bulk_create",
-                "saved_object:search/update",
-                "saved_object:search/bulk_update",
-                "saved_object:search/delete",
-                "saved_object:search/bulk_delete",
-                "saved_object:search/share_to_space",
-                "saved_object:query/bulk_get",
-                "saved_object:query/get",
-                "saved_object:query/find",
-                "saved_object:query/open_point_in_time",
-                "saved_object:query/close_point_in_time",
-                "saved_object:query/create",
-                "saved_object:query/bulk_create",
-                "saved_object:query/update",
-                "saved_object:query/bulk_update",
-                "saved_object:query/delete",
-                "saved_object:query/bulk_delete",
-                "saved_object:query/share_to_space",
-                "saved_object:telemetry/bulk_get",
-                "saved_object:telemetry/get",
-                "saved_object:telemetry/find",
-                "saved_object:telemetry/open_point_in_time",
-                "saved_object:telemetry/close_point_in_time",
-                "saved_object:telemetry/create",
-                "saved_object:telemetry/bulk_create",
-                "saved_object:telemetry/update",
-                "saved_object:telemetry/bulk_update",
-                "saved_object:telemetry/delete",
-                "saved_object:telemetry/bulk_delete",
-                "saved_object:telemetry/share_to_space",
-                "saved_object:url/bulk_get",
-                "saved_object:url/get",
-                "saved_object:url/find",
-                "saved_object:url/open_point_in_time",
-                "saved_object:url/close_point_in_time",
-                "saved_object:url/create",
-                "saved_object:url/bulk_create",
-                "saved_object:url/update",
-                "saved_object:url/bulk_update",
-                "saved_object:url/delete",
-                "saved_object:url/bulk_delete",
-                "saved_object:url/share_to_space",
-                "saved_object:search-session/bulk_get",
-                "saved_object:search-session/get",
-                "saved_object:search-session/find",
-                "saved_object:search-session/open_point_in_time",
-                "saved_object:search-session/close_point_in_time",
-                "saved_object:search-session/create",
-                "saved_object:search-session/bulk_create",
-                "saved_object:search-session/update",
-                "saved_object:search-session/bulk_update",
-                "saved_object:search-session/delete",
-                "saved_object:search-session/bulk_delete",
-                "saved_object:search-session/share_to_space",
-                "saved_object:index-pattern/bulk_get",
-                "saved_object:index-pattern/get",
-                "saved_object:index-pattern/find",
-                "saved_object:index-pattern/open_point_in_time",
-                "saved_object:index-pattern/close_point_in_time",
-                "saved_object:config/bulk_get",
-                "saved_object:config/get",
-                "saved_object:config/find",
-                "saved_object:config/open_point_in_time",
-                "saved_object:config/close_point_in_time",
-                "saved_object:config-global/bulk_get",
-                "saved_object:config-global/get",
-                "saved_object:config-global/find",
-                "saved_object:config-global/open_point_in_time",
-                "saved_object:config-global/close_point_in_time",
-                "ui:discover/show",
-                "ui:discover/save",
-                "ui:discover/saveQuery",
-                "ui:discover/createShortUrl",
-                "ui:discover/storeSearchSession",
-                "ui:discover/generateCsv",
-                "api:rac",
-                "app:observability",
-                "ui:catalogue/observability",
-                "ui:navLinks/observability",
-                "ui:observability/read",
-                "ui:observability/write",
-                "alerting:slo.rules.burnRate/observability/rule/get",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
-                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
-                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
-                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
-                "alerting:slo.rules.burnRate/observability/rule/find",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
-                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/create",
-                "alerting:slo.rules.burnRate/observability/rule/delete",
-                "alerting:slo.rules.burnRate/observability/rule/update",
-                "alerting:slo.rules.burnRate/observability/rule/updateApiKey",
-                "alerting:slo.rules.burnRate/observability/rule/enable",
-                "alerting:slo.rules.burnRate/observability/rule/disable",
-                "alerting:slo.rules.burnRate/observability/rule/muteAll",
-                "alerting:slo.rules.burnRate/observability/rule/unmuteAll",
-                "alerting:slo.rules.burnRate/observability/rule/muteAlert",
-                "alerting:slo.rules.burnRate/observability/rule/unmuteAlert",
-                "alerting:slo.rules.burnRate/observability/rule/snooze",
-                "alerting:slo.rules.burnRate/observability/rule/bulkEdit",
-                "alerting:slo.rules.burnRate/observability/rule/bulkDelete",
-                "alerting:slo.rules.burnRate/observability/rule/bulkEnable",
-                "alerting:slo.rules.burnRate/observability/rule/bulkDisable",
-                "alerting:slo.rules.burnRate/observability/rule/unsnooze",
-                "alerting:slo.rules.burnRate/observability/rule/runSoon",
-                "alerting:slo.rules.burnRate/observability/rule/scheduleBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/deleteBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/get",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
-                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/find",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/create",
-                "alerting:observability.rules.custom_threshold/observability/rule/delete",
-                "alerting:observability.rules.custom_threshold/observability/rule/update",
-                "alerting:observability.rules.custom_threshold/observability/rule/updateApiKey",
-                "alerting:observability.rules.custom_threshold/observability/rule/enable",
-                "alerting:observability.rules.custom_threshold/observability/rule/disable",
-                "alerting:observability.rules.custom_threshold/observability/rule/muteAll",
-                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAll",
-                "alerting:observability.rules.custom_threshold/observability/rule/muteAlert",
-                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAlert",
-                "alerting:observability.rules.custom_threshold/observability/rule/snooze",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkEdit",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkDelete",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkEnable",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkDisable",
-                "alerting:observability.rules.custom_threshold/observability/rule/unsnooze",
-                "alerting:observability.rules.custom_threshold/observability/rule/runSoon",
-                "alerting:observability.rules.custom_threshold/observability/rule/scheduleBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/deleteBackfill",
-                "alerting:.es-query/observability/rule/get",
-                "alerting:.es-query/observability/rule/getRuleState",
-                "alerting:.es-query/observability/rule/getAlertSummary",
-                "alerting:.es-query/observability/rule/getExecutionLog",
-                "alerting:.es-query/observability/rule/getActionErrorLog",
-                "alerting:.es-query/observability/rule/find",
-                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
-                "alerting:.es-query/observability/rule/getBackfill",
-                "alerting:.es-query/observability/rule/findBackfill",
-                "alerting:.es-query/observability/rule/create",
-                "alerting:.es-query/observability/rule/delete",
-                "alerting:.es-query/observability/rule/update",
-                "alerting:.es-query/observability/rule/updateApiKey",
-                "alerting:.es-query/observability/rule/enable",
-                "alerting:.es-query/observability/rule/disable",
-                "alerting:.es-query/observability/rule/muteAll",
-                "alerting:.es-query/observability/rule/unmuteAll",
-                "alerting:.es-query/observability/rule/muteAlert",
-                "alerting:.es-query/observability/rule/unmuteAlert",
-                "alerting:.es-query/observability/rule/snooze",
-                "alerting:.es-query/observability/rule/bulkEdit",
-                "alerting:.es-query/observability/rule/bulkDelete",
-                "alerting:.es-query/observability/rule/bulkEnable",
-                "alerting:.es-query/observability/rule/bulkDisable",
-                "alerting:.es-query/observability/rule/unsnooze",
-                "alerting:.es-query/observability/rule/runSoon",
-                "alerting:.es-query/observability/rule/scheduleBackfill",
-                "alerting:.es-query/observability/rule/deleteBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/create",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/delete",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/update",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/updateApiKey",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/enable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/disable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/snooze",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEdit",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDelete",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEnable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDisable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unsnooze",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/runSoon",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/scheduleBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/deleteBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/create",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/delete",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/update",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/updateApiKey",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/enable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/disable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAll",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAll",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAlert",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAlert",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/snooze",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEdit",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDelete",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEnable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDisable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unsnooze",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/runSoon",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/scheduleBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/deleteBackfill",
-                "alerting:apm.error_rate/observability/rule/get",
-                "alerting:apm.error_rate/observability/rule/getRuleState",
-                "alerting:apm.error_rate/observability/rule/getAlertSummary",
-                "alerting:apm.error_rate/observability/rule/getExecutionLog",
-                "alerting:apm.error_rate/observability/rule/getActionErrorLog",
-                "alerting:apm.error_rate/observability/rule/find",
-                "alerting:apm.error_rate/observability/rule/getRuleExecutionKPI",
-                "alerting:apm.error_rate/observability/rule/getBackfill",
-                "alerting:apm.error_rate/observability/rule/findBackfill",
-                "alerting:apm.error_rate/observability/rule/create",
-                "alerting:apm.error_rate/observability/rule/delete",
-                "alerting:apm.error_rate/observability/rule/update",
-                "alerting:apm.error_rate/observability/rule/updateApiKey",
-                "alerting:apm.error_rate/observability/rule/enable",
-                "alerting:apm.error_rate/observability/rule/disable",
-                "alerting:apm.error_rate/observability/rule/muteAll",
-                "alerting:apm.error_rate/observability/rule/unmuteAll",
-                "alerting:apm.error_rate/observability/rule/muteAlert",
-                "alerting:apm.error_rate/observability/rule/unmuteAlert",
-                "alerting:apm.error_rate/observability/rule/snooze",
-                "alerting:apm.error_rate/observability/rule/bulkEdit",
-                "alerting:apm.error_rate/observability/rule/bulkDelete",
-                "alerting:apm.error_rate/observability/rule/bulkEnable",
-                "alerting:apm.error_rate/observability/rule/bulkDisable",
-                "alerting:apm.error_rate/observability/rule/unsnooze",
-                "alerting:apm.error_rate/observability/rule/runSoon",
-                "alerting:apm.error_rate/observability/rule/scheduleBackfill",
-                "alerting:apm.error_rate/observability/rule/deleteBackfill",
-                "alerting:apm.transaction_error_rate/observability/rule/get",
-                "alerting:apm.transaction_error_rate/observability/rule/getRuleState",
-                "alerting:apm.transaction_error_rate/observability/rule/getAlertSummary",
-                "alerting:apm.transaction_error_rate/observability/rule/getExecutionLog",
-                "alerting:apm.transaction_error_rate/observability/rule/getActionErrorLog",
-                "alerting:apm.transaction_error_rate/observability/rule/find",
-                "alerting:apm.transaction_error_rate/observability/rule/getRuleExecutionKPI",
-                "alerting:apm.transaction_error_rate/observability/rule/getBackfill",
-                "alerting:apm.transaction_error_rate/observability/rule/findBackfill",
-                "alerting:apm.transaction_error_rate/observability/rule/create",
-                "alerting:apm.transaction_error_rate/observability/rule/delete",
-                "alerting:apm.transaction_error_rate/observability/rule/update",
-                "alerting:apm.transaction_error_rate/observability/rule/updateApiKey",
-                "alerting:apm.transaction_error_rate/observability/rule/enable",
-                "alerting:apm.transaction_error_rate/observability/rule/disable",
-                "alerting:apm.transaction_error_rate/observability/rule/muteAll",
-                "alerting:apm.transaction_error_rate/observability/rule/unmuteAll",
-                "alerting:apm.transaction_error_rate/observability/rule/muteAlert",
-                "alerting:apm.transaction_error_rate/observability/rule/unmuteAlert",
-                "alerting:apm.transaction_error_rate/observability/rule/snooze",
-                "alerting:apm.transaction_error_rate/observability/rule/bulkEdit",
-                "alerting:apm.transaction_error_rate/observability/rule/bulkDelete",
-                "alerting:apm.transaction_error_rate/observability/rule/bulkEnable",
-                "alerting:apm.transaction_error_rate/observability/rule/bulkDisable",
-                "alerting:apm.transaction_error_rate/observability/rule/unsnooze",
-                "alerting:apm.transaction_error_rate/observability/rule/runSoon",
-                "alerting:apm.transaction_error_rate/observability/rule/scheduleBackfill",
-                "alerting:apm.transaction_error_rate/observability/rule/deleteBackfill",
-                "alerting:apm.transaction_duration/observability/rule/get",
-                "alerting:apm.transaction_duration/observability/rule/getRuleState",
-                "alerting:apm.transaction_duration/observability/rule/getAlertSummary",
-                "alerting:apm.transaction_duration/observability/rule/getExecutionLog",
-                "alerting:apm.transaction_duration/observability/rule/getActionErrorLog",
-                "alerting:apm.transaction_duration/observability/rule/find",
-                "alerting:apm.transaction_duration/observability/rule/getRuleExecutionKPI",
-                "alerting:apm.transaction_duration/observability/rule/getBackfill",
-                "alerting:apm.transaction_duration/observability/rule/findBackfill",
-                "alerting:apm.transaction_duration/observability/rule/create",
-                "alerting:apm.transaction_duration/observability/rule/delete",
-                "alerting:apm.transaction_duration/observability/rule/update",
-                "alerting:apm.transaction_duration/observability/rule/updateApiKey",
-                "alerting:apm.transaction_duration/observability/rule/enable",
-                "alerting:apm.transaction_duration/observability/rule/disable",
-                "alerting:apm.transaction_duration/observability/rule/muteAll",
-                "alerting:apm.transaction_duration/observability/rule/unmuteAll",
-                "alerting:apm.transaction_duration/observability/rule/muteAlert",
-                "alerting:apm.transaction_duration/observability/rule/unmuteAlert",
-                "alerting:apm.transaction_duration/observability/rule/snooze",
-                "alerting:apm.transaction_duration/observability/rule/bulkEdit",
-                "alerting:apm.transaction_duration/observability/rule/bulkDelete",
-                "alerting:apm.transaction_duration/observability/rule/bulkEnable",
-                "alerting:apm.transaction_duration/observability/rule/bulkDisable",
-                "alerting:apm.transaction_duration/observability/rule/unsnooze",
-                "alerting:apm.transaction_duration/observability/rule/runSoon",
-                "alerting:apm.transaction_duration/observability/rule/scheduleBackfill",
-                "alerting:apm.transaction_duration/observability/rule/deleteBackfill",
-                "alerting:apm.anomaly/observability/rule/get",
-                "alerting:apm.anomaly/observability/rule/getRuleState",
-                "alerting:apm.anomaly/observability/rule/getAlertSummary",
-                "alerting:apm.anomaly/observability/rule/getExecutionLog",
-                "alerting:apm.anomaly/observability/rule/getActionErrorLog",
-                "alerting:apm.anomaly/observability/rule/find",
-                "alerting:apm.anomaly/observability/rule/getRuleExecutionKPI",
-                "alerting:apm.anomaly/observability/rule/getBackfill",
-                "alerting:apm.anomaly/observability/rule/findBackfill",
-                "alerting:apm.anomaly/observability/rule/create",
-                "alerting:apm.anomaly/observability/rule/delete",
-                "alerting:apm.anomaly/observability/rule/update",
-                "alerting:apm.anomaly/observability/rule/updateApiKey",
-                "alerting:apm.anomaly/observability/rule/enable",
-                "alerting:apm.anomaly/observability/rule/disable",
-                "alerting:apm.anomaly/observability/rule/muteAll",
-                "alerting:apm.anomaly/observability/rule/unmuteAll",
-                "alerting:apm.anomaly/observability/rule/muteAlert",
-                "alerting:apm.anomaly/observability/rule/unmuteAlert",
-                "alerting:apm.anomaly/observability/rule/snooze",
-                "alerting:apm.anomaly/observability/rule/bulkEdit",
-                "alerting:apm.anomaly/observability/rule/bulkDelete",
-                "alerting:apm.anomaly/observability/rule/bulkEnable",
-                "alerting:apm.anomaly/observability/rule/bulkDisable",
-                "alerting:apm.anomaly/observability/rule/unsnooze",
-                "alerting:apm.anomaly/observability/rule/runSoon",
-                "alerting:apm.anomaly/observability/rule/scheduleBackfill",
-                "alerting:apm.anomaly/observability/rule/deleteBackfill",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/get",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleState",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getExecutionLog",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getActionErrorLog",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/find",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getBackfill",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/findBackfill",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/create",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/delete",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/update",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/updateApiKey",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/enable",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/disable",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/muteAll",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unmuteAll",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/muteAlert",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unmuteAlert",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/snooze",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkEdit",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkDelete",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkEnable",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkDisable",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unsnooze",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/runSoon",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/scheduleBackfill",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/deleteBackfill",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/get",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleState",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getExecutionLog",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getActionErrorLog",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/find",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getBackfill",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/findBackfill",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/create",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/delete",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/update",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/updateApiKey",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/enable",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/disable",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/muteAll",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/unmuteAll",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/muteAlert",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/unmuteAlert",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/snooze",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkEdit",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkDelete",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkEnable",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkDisable",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/unsnooze",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/runSoon",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/scheduleBackfill",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/deleteBackfill",
-                "alerting:slo.rules.burnRate/observability/alert/get",
-                "alerting:slo.rules.burnRate/observability/alert/find",
-                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
-                "alerting:slo.rules.burnRate/observability/alert/update",
-                "alerting:observability.rules.custom_threshold/observability/alert/get",
-                "alerting:observability.rules.custom_threshold/observability/alert/find",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/alert/update",
-                "alerting:.es-query/observability/alert/get",
-                "alerting:.es-query/observability/alert/find",
-                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/observability/alert/getAlertSummary",
-                "alerting:.es-query/observability/alert/update",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/update",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/update",
-                "alerting:apm.error_rate/observability/alert/get",
-                "alerting:apm.error_rate/observability/alert/find",
-                "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.error_rate/observability/alert/getAlertSummary",
-                "alerting:apm.error_rate/observability/alert/update",
-                "alerting:apm.transaction_error_rate/observability/alert/get",
-                "alerting:apm.transaction_error_rate/observability/alert/find",
-                "alerting:apm.transaction_error_rate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.transaction_error_rate/observability/alert/getAlertSummary",
-                "alerting:apm.transaction_error_rate/observability/alert/update",
-                "alerting:apm.transaction_duration/observability/alert/get",
-                "alerting:apm.transaction_duration/observability/alert/find",
-                "alerting:apm.transaction_duration/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.transaction_duration/observability/alert/getAlertSummary",
-                "alerting:apm.transaction_duration/observability/alert/update",
-                "alerting:apm.anomaly/observability/alert/get",
-                "alerting:apm.anomaly/observability/alert/find",
-                "alerting:apm.anomaly/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.anomaly/observability/alert/getAlertSummary",
-                "alerting:apm.anomaly/observability/alert/update",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/get",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/update",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/get",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/find",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/update",
-              ],
-              "generate_report": Array [
-                "login:",
-                "api:generateReport",
-                "ui:management/insightsAndAlerting/reporting",
-                "ui:discover/generateCsv",
-              ],
-              "minimal_all": Array [
-                "login:",
-                "api:fileUpload:analyzeFile",
-                "app:discover",
-                "app:kibana",
-                "ui:catalogue/discover",
-                "ui:navLinks/discover",
-                "ui:navLinks/kibana",
-                "saved_object:search/bulk_get",
-                "saved_object:search/get",
-                "saved_object:search/find",
-                "saved_object:search/open_point_in_time",
-                "saved_object:search/close_point_in_time",
-                "saved_object:search/create",
-                "saved_object:search/bulk_create",
-                "saved_object:search/update",
-                "saved_object:search/bulk_update",
-                "saved_object:search/delete",
-                "saved_object:search/bulk_delete",
-                "saved_object:search/share_to_space",
-                "saved_object:query/bulk_get",
-                "saved_object:query/get",
-                "saved_object:query/find",
-                "saved_object:query/open_point_in_time",
-                "saved_object:query/close_point_in_time",
-                "saved_object:query/create",
-                "saved_object:query/bulk_create",
-                "saved_object:query/update",
-                "saved_object:query/bulk_update",
-                "saved_object:query/delete",
-                "saved_object:query/bulk_delete",
-                "saved_object:query/share_to_space",
-                "saved_object:telemetry/bulk_get",
-                "saved_object:telemetry/get",
-                "saved_object:telemetry/find",
-                "saved_object:telemetry/open_point_in_time",
-                "saved_object:telemetry/close_point_in_time",
-                "saved_object:telemetry/create",
-                "saved_object:telemetry/bulk_create",
-                "saved_object:telemetry/update",
-                "saved_object:telemetry/bulk_update",
-                "saved_object:telemetry/delete",
-                "saved_object:telemetry/bulk_delete",
-                "saved_object:telemetry/share_to_space",
-                "saved_object:index-pattern/bulk_get",
-                "saved_object:index-pattern/get",
-                "saved_object:index-pattern/find",
-                "saved_object:index-pattern/open_point_in_time",
-                "saved_object:index-pattern/close_point_in_time",
-                "saved_object:config/bulk_get",
-                "saved_object:config/get",
-                "saved_object:config/find",
-                "saved_object:config/open_point_in_time",
-                "saved_object:config/close_point_in_time",
-                "saved_object:config-global/bulk_get",
-                "saved_object:config-global/get",
-                "saved_object:config-global/find",
-                "saved_object:config-global/open_point_in_time",
-                "saved_object:config-global/close_point_in_time",
-                "saved_object:url/bulk_get",
-                "saved_object:url/get",
-                "saved_object:url/find",
-                "saved_object:url/open_point_in_time",
-                "saved_object:url/close_point_in_time",
-                "ui:discover/show",
-                "ui:discover/save",
-                "ui:discover/saveQuery",
-                "api:rac",
-                "app:observability",
-                "ui:catalogue/observability",
-                "ui:navLinks/observability",
-                "ui:observability/read",
-                "ui:observability/write",
-                "alerting:slo.rules.burnRate/observability/rule/get",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
-                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
-                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
-                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
-                "alerting:slo.rules.burnRate/observability/rule/find",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
-                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/create",
-                "alerting:slo.rules.burnRate/observability/rule/delete",
-                "alerting:slo.rules.burnRate/observability/rule/update",
-                "alerting:slo.rules.burnRate/observability/rule/updateApiKey",
-                "alerting:slo.rules.burnRate/observability/rule/enable",
-                "alerting:slo.rules.burnRate/observability/rule/disable",
-                "alerting:slo.rules.burnRate/observability/rule/muteAll",
-                "alerting:slo.rules.burnRate/observability/rule/unmuteAll",
-                "alerting:slo.rules.burnRate/observability/rule/muteAlert",
-                "alerting:slo.rules.burnRate/observability/rule/unmuteAlert",
-                "alerting:slo.rules.burnRate/observability/rule/snooze",
-                "alerting:slo.rules.burnRate/observability/rule/bulkEdit",
-                "alerting:slo.rules.burnRate/observability/rule/bulkDelete",
-                "alerting:slo.rules.burnRate/observability/rule/bulkEnable",
-                "alerting:slo.rules.burnRate/observability/rule/bulkDisable",
-                "alerting:slo.rules.burnRate/observability/rule/unsnooze",
-                "alerting:slo.rules.burnRate/observability/rule/runSoon",
-                "alerting:slo.rules.burnRate/observability/rule/scheduleBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/deleteBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/get",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
-                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/find",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/create",
-                "alerting:observability.rules.custom_threshold/observability/rule/delete",
-                "alerting:observability.rules.custom_threshold/observability/rule/update",
-                "alerting:observability.rules.custom_threshold/observability/rule/updateApiKey",
-                "alerting:observability.rules.custom_threshold/observability/rule/enable",
-                "alerting:observability.rules.custom_threshold/observability/rule/disable",
-                "alerting:observability.rules.custom_threshold/observability/rule/muteAll",
-                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAll",
-                "alerting:observability.rules.custom_threshold/observability/rule/muteAlert",
-                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAlert",
-                "alerting:observability.rules.custom_threshold/observability/rule/snooze",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkEdit",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkDelete",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkEnable",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkDisable",
-                "alerting:observability.rules.custom_threshold/observability/rule/unsnooze",
-                "alerting:observability.rules.custom_threshold/observability/rule/runSoon",
-                "alerting:observability.rules.custom_threshold/observability/rule/scheduleBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/deleteBackfill",
-                "alerting:.es-query/observability/rule/get",
-                "alerting:.es-query/observability/rule/getRuleState",
-                "alerting:.es-query/observability/rule/getAlertSummary",
-                "alerting:.es-query/observability/rule/getExecutionLog",
-                "alerting:.es-query/observability/rule/getActionErrorLog",
-                "alerting:.es-query/observability/rule/find",
-                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
-                "alerting:.es-query/observability/rule/getBackfill",
-                "alerting:.es-query/observability/rule/findBackfill",
-                "alerting:.es-query/observability/rule/create",
-                "alerting:.es-query/observability/rule/delete",
-                "alerting:.es-query/observability/rule/update",
-                "alerting:.es-query/observability/rule/updateApiKey",
-                "alerting:.es-query/observability/rule/enable",
-                "alerting:.es-query/observability/rule/disable",
-                "alerting:.es-query/observability/rule/muteAll",
-                "alerting:.es-query/observability/rule/unmuteAll",
-                "alerting:.es-query/observability/rule/muteAlert",
-                "alerting:.es-query/observability/rule/unmuteAlert",
-                "alerting:.es-query/observability/rule/snooze",
-                "alerting:.es-query/observability/rule/bulkEdit",
-                "alerting:.es-query/observability/rule/bulkDelete",
-                "alerting:.es-query/observability/rule/bulkEnable",
-                "alerting:.es-query/observability/rule/bulkDisable",
-                "alerting:.es-query/observability/rule/unsnooze",
-                "alerting:.es-query/observability/rule/runSoon",
-                "alerting:.es-query/observability/rule/scheduleBackfill",
-                "alerting:.es-query/observability/rule/deleteBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/create",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/delete",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/update",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/updateApiKey",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/enable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/disable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/snooze",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEdit",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDelete",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEnable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDisable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unsnooze",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/runSoon",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/scheduleBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/deleteBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/create",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/delete",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/update",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/updateApiKey",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/enable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/disable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAll",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAll",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAlert",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAlert",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/snooze",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEdit",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDelete",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEnable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDisable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unsnooze",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/runSoon",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/scheduleBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/deleteBackfill",
-                "alerting:apm.error_rate/observability/rule/get",
-                "alerting:apm.error_rate/observability/rule/getRuleState",
-                "alerting:apm.error_rate/observability/rule/getAlertSummary",
-                "alerting:apm.error_rate/observability/rule/getExecutionLog",
-                "alerting:apm.error_rate/observability/rule/getActionErrorLog",
-                "alerting:apm.error_rate/observability/rule/find",
-                "alerting:apm.error_rate/observability/rule/getRuleExecutionKPI",
-                "alerting:apm.error_rate/observability/rule/getBackfill",
-                "alerting:apm.error_rate/observability/rule/findBackfill",
-                "alerting:apm.error_rate/observability/rule/create",
-                "alerting:apm.error_rate/observability/rule/delete",
-                "alerting:apm.error_rate/observability/rule/update",
-                "alerting:apm.error_rate/observability/rule/updateApiKey",
-                "alerting:apm.error_rate/observability/rule/enable",
-                "alerting:apm.error_rate/observability/rule/disable",
-                "alerting:apm.error_rate/observability/rule/muteAll",
-                "alerting:apm.error_rate/observability/rule/unmuteAll",
-                "alerting:apm.error_rate/observability/rule/muteAlert",
-                "alerting:apm.error_rate/observability/rule/unmuteAlert",
-                "alerting:apm.error_rate/observability/rule/snooze",
-                "alerting:apm.error_rate/observability/rule/bulkEdit",
-                "alerting:apm.error_rate/observability/rule/bulkDelete",
-                "alerting:apm.error_rate/observability/rule/bulkEnable",
-                "alerting:apm.error_rate/observability/rule/bulkDisable",
-                "alerting:apm.error_rate/observability/rule/unsnooze",
-                "alerting:apm.error_rate/observability/rule/runSoon",
-                "alerting:apm.error_rate/observability/rule/scheduleBackfill",
-                "alerting:apm.error_rate/observability/rule/deleteBackfill",
-                "alerting:apm.transaction_error_rate/observability/rule/get",
-                "alerting:apm.transaction_error_rate/observability/rule/getRuleState",
-                "alerting:apm.transaction_error_rate/observability/rule/getAlertSummary",
-                "alerting:apm.transaction_error_rate/observability/rule/getExecutionLog",
-                "alerting:apm.transaction_error_rate/observability/rule/getActionErrorLog",
-                "alerting:apm.transaction_error_rate/observability/rule/find",
-                "alerting:apm.transaction_error_rate/observability/rule/getRuleExecutionKPI",
-                "alerting:apm.transaction_error_rate/observability/rule/getBackfill",
-                "alerting:apm.transaction_error_rate/observability/rule/findBackfill",
-                "alerting:apm.transaction_error_rate/observability/rule/create",
-                "alerting:apm.transaction_error_rate/observability/rule/delete",
-                "alerting:apm.transaction_error_rate/observability/rule/update",
-                "alerting:apm.transaction_error_rate/observability/rule/updateApiKey",
-                "alerting:apm.transaction_error_rate/observability/rule/enable",
-                "alerting:apm.transaction_error_rate/observability/rule/disable",
-                "alerting:apm.transaction_error_rate/observability/rule/muteAll",
-                "alerting:apm.transaction_error_rate/observability/rule/unmuteAll",
-                "alerting:apm.transaction_error_rate/observability/rule/muteAlert",
-                "alerting:apm.transaction_error_rate/observability/rule/unmuteAlert",
-                "alerting:apm.transaction_error_rate/observability/rule/snooze",
-                "alerting:apm.transaction_error_rate/observability/rule/bulkEdit",
-                "alerting:apm.transaction_error_rate/observability/rule/bulkDelete",
-                "alerting:apm.transaction_error_rate/observability/rule/bulkEnable",
-                "alerting:apm.transaction_error_rate/observability/rule/bulkDisable",
-                "alerting:apm.transaction_error_rate/observability/rule/unsnooze",
-                "alerting:apm.transaction_error_rate/observability/rule/runSoon",
-                "alerting:apm.transaction_error_rate/observability/rule/scheduleBackfill",
-                "alerting:apm.transaction_error_rate/observability/rule/deleteBackfill",
-                "alerting:apm.transaction_duration/observability/rule/get",
-                "alerting:apm.transaction_duration/observability/rule/getRuleState",
-                "alerting:apm.transaction_duration/observability/rule/getAlertSummary",
-                "alerting:apm.transaction_duration/observability/rule/getExecutionLog",
-                "alerting:apm.transaction_duration/observability/rule/getActionErrorLog",
-                "alerting:apm.transaction_duration/observability/rule/find",
-                "alerting:apm.transaction_duration/observability/rule/getRuleExecutionKPI",
-                "alerting:apm.transaction_duration/observability/rule/getBackfill",
-                "alerting:apm.transaction_duration/observability/rule/findBackfill",
-                "alerting:apm.transaction_duration/observability/rule/create",
-                "alerting:apm.transaction_duration/observability/rule/delete",
-                "alerting:apm.transaction_duration/observability/rule/update",
-                "alerting:apm.transaction_duration/observability/rule/updateApiKey",
-                "alerting:apm.transaction_duration/observability/rule/enable",
-                "alerting:apm.transaction_duration/observability/rule/disable",
-                "alerting:apm.transaction_duration/observability/rule/muteAll",
-                "alerting:apm.transaction_duration/observability/rule/unmuteAll",
-                "alerting:apm.transaction_duration/observability/rule/muteAlert",
-                "alerting:apm.transaction_duration/observability/rule/unmuteAlert",
-                "alerting:apm.transaction_duration/observability/rule/snooze",
-                "alerting:apm.transaction_duration/observability/rule/bulkEdit",
-                "alerting:apm.transaction_duration/observability/rule/bulkDelete",
-                "alerting:apm.transaction_duration/observability/rule/bulkEnable",
-                "alerting:apm.transaction_duration/observability/rule/bulkDisable",
-                "alerting:apm.transaction_duration/observability/rule/unsnooze",
-                "alerting:apm.transaction_duration/observability/rule/runSoon",
-                "alerting:apm.transaction_duration/observability/rule/scheduleBackfill",
-                "alerting:apm.transaction_duration/observability/rule/deleteBackfill",
-                "alerting:apm.anomaly/observability/rule/get",
-                "alerting:apm.anomaly/observability/rule/getRuleState",
-                "alerting:apm.anomaly/observability/rule/getAlertSummary",
-                "alerting:apm.anomaly/observability/rule/getExecutionLog",
-                "alerting:apm.anomaly/observability/rule/getActionErrorLog",
-                "alerting:apm.anomaly/observability/rule/find",
-                "alerting:apm.anomaly/observability/rule/getRuleExecutionKPI",
-                "alerting:apm.anomaly/observability/rule/getBackfill",
-                "alerting:apm.anomaly/observability/rule/findBackfill",
-                "alerting:apm.anomaly/observability/rule/create",
-                "alerting:apm.anomaly/observability/rule/delete",
-                "alerting:apm.anomaly/observability/rule/update",
-                "alerting:apm.anomaly/observability/rule/updateApiKey",
-                "alerting:apm.anomaly/observability/rule/enable",
-                "alerting:apm.anomaly/observability/rule/disable",
-                "alerting:apm.anomaly/observability/rule/muteAll",
-                "alerting:apm.anomaly/observability/rule/unmuteAll",
-                "alerting:apm.anomaly/observability/rule/muteAlert",
-                "alerting:apm.anomaly/observability/rule/unmuteAlert",
-                "alerting:apm.anomaly/observability/rule/snooze",
-                "alerting:apm.anomaly/observability/rule/bulkEdit",
-                "alerting:apm.anomaly/observability/rule/bulkDelete",
-                "alerting:apm.anomaly/observability/rule/bulkEnable",
-                "alerting:apm.anomaly/observability/rule/bulkDisable",
-                "alerting:apm.anomaly/observability/rule/unsnooze",
-                "alerting:apm.anomaly/observability/rule/runSoon",
-                "alerting:apm.anomaly/observability/rule/scheduleBackfill",
-                "alerting:apm.anomaly/observability/rule/deleteBackfill",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/get",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleState",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getExecutionLog",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getActionErrorLog",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/find",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getBackfill",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/findBackfill",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/create",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/delete",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/update",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/updateApiKey",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/enable",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/disable",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/muteAll",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unmuteAll",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/muteAlert",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unmuteAlert",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/snooze",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkEdit",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkDelete",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkEnable",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkDisable",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unsnooze",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/runSoon",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/scheduleBackfill",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/deleteBackfill",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/get",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleState",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getExecutionLog",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getActionErrorLog",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/find",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getBackfill",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/findBackfill",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/create",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/delete",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/update",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/updateApiKey",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/enable",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/disable",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/muteAll",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/unmuteAll",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/muteAlert",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/unmuteAlert",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/snooze",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkEdit",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkDelete",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkEnable",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkDisable",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/unsnooze",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/runSoon",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/scheduleBackfill",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/deleteBackfill",
-                "alerting:slo.rules.burnRate/observability/alert/get",
-                "alerting:slo.rules.burnRate/observability/alert/find",
-                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
-                "alerting:slo.rules.burnRate/observability/alert/update",
-                "alerting:observability.rules.custom_threshold/observability/alert/get",
-                "alerting:observability.rules.custom_threshold/observability/alert/find",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/alert/update",
-                "alerting:.es-query/observability/alert/get",
-                "alerting:.es-query/observability/alert/find",
-                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/observability/alert/getAlertSummary",
-                "alerting:.es-query/observability/alert/update",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/update",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/update",
-                "alerting:apm.error_rate/observability/alert/get",
-                "alerting:apm.error_rate/observability/alert/find",
-                "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.error_rate/observability/alert/getAlertSummary",
-                "alerting:apm.error_rate/observability/alert/update",
-                "alerting:apm.transaction_error_rate/observability/alert/get",
-                "alerting:apm.transaction_error_rate/observability/alert/find",
-                "alerting:apm.transaction_error_rate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.transaction_error_rate/observability/alert/getAlertSummary",
-                "alerting:apm.transaction_error_rate/observability/alert/update",
-                "alerting:apm.transaction_duration/observability/alert/get",
-                "alerting:apm.transaction_duration/observability/alert/find",
-                "alerting:apm.transaction_duration/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.transaction_duration/observability/alert/getAlertSummary",
-                "alerting:apm.transaction_duration/observability/alert/update",
-                "alerting:apm.anomaly/observability/alert/get",
-                "alerting:apm.anomaly/observability/alert/find",
-                "alerting:apm.anomaly/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.anomaly/observability/alert/getAlertSummary",
-                "alerting:apm.anomaly/observability/alert/update",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/get",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/update",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/get",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/find",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/update",
-              ],
-              "minimal_read": Array [
-                "login:",
-                "app:discover",
-                "app:kibana",
-                "ui:catalogue/discover",
-                "ui:navLinks/discover",
-                "ui:navLinks/kibana",
-                "saved_object:index-pattern/bulk_get",
-                "saved_object:index-pattern/get",
-                "saved_object:index-pattern/find",
-                "saved_object:index-pattern/open_point_in_time",
-                "saved_object:index-pattern/close_point_in_time",
-                "saved_object:search/bulk_get",
-                "saved_object:search/get",
-                "saved_object:search/find",
-                "saved_object:search/open_point_in_time",
-                "saved_object:search/close_point_in_time",
-                "saved_object:query/bulk_get",
-                "saved_object:query/get",
-                "saved_object:query/find",
-                "saved_object:query/open_point_in_time",
-                "saved_object:query/close_point_in_time",
-                "saved_object:config/bulk_get",
-                "saved_object:config/get",
-                "saved_object:config/find",
-                "saved_object:config/open_point_in_time",
-                "saved_object:config/close_point_in_time",
-                "saved_object:config-global/bulk_get",
-                "saved_object:config-global/get",
-                "saved_object:config-global/find",
-                "saved_object:config-global/open_point_in_time",
-                "saved_object:config-global/close_point_in_time",
-                "saved_object:telemetry/bulk_get",
-                "saved_object:telemetry/get",
-                "saved_object:telemetry/find",
-                "saved_object:telemetry/open_point_in_time",
-                "saved_object:telemetry/close_point_in_time",
-                "saved_object:url/bulk_get",
-                "saved_object:url/get",
-                "saved_object:url/find",
-                "saved_object:url/open_point_in_time",
-                "saved_object:url/close_point_in_time",
-                "ui:discover/show",
-                "api:rac",
-                "app:observability",
-                "ui:catalogue/observability",
-                "ui:navLinks/observability",
-                "ui:observability/read",
-                "alerting:slo.rules.burnRate/observability/rule/get",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
-                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
-                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
-                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
-                "alerting:slo.rules.burnRate/observability/rule/find",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
-                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/get",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
-                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/find",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
-                "alerting:.es-query/observability/rule/get",
-                "alerting:.es-query/observability/rule/getRuleState",
-                "alerting:.es-query/observability/rule/getAlertSummary",
-                "alerting:.es-query/observability/rule/getExecutionLog",
-                "alerting:.es-query/observability/rule/getActionErrorLog",
-                "alerting:.es-query/observability/rule/find",
-                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
-                "alerting:.es-query/observability/rule/getBackfill",
-                "alerting:.es-query/observability/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
-                "alerting:apm.error_rate/observability/rule/get",
-                "alerting:apm.error_rate/observability/rule/getRuleState",
-                "alerting:apm.error_rate/observability/rule/getAlertSummary",
-                "alerting:apm.error_rate/observability/rule/getExecutionLog",
-                "alerting:apm.error_rate/observability/rule/getActionErrorLog",
-                "alerting:apm.error_rate/observability/rule/find",
-                "alerting:apm.error_rate/observability/rule/getRuleExecutionKPI",
-                "alerting:apm.error_rate/observability/rule/getBackfill",
-                "alerting:apm.error_rate/observability/rule/findBackfill",
-                "alerting:apm.transaction_error_rate/observability/rule/get",
-                "alerting:apm.transaction_error_rate/observability/rule/getRuleState",
-                "alerting:apm.transaction_error_rate/observability/rule/getAlertSummary",
-                "alerting:apm.transaction_error_rate/observability/rule/getExecutionLog",
-                "alerting:apm.transaction_error_rate/observability/rule/getActionErrorLog",
-                "alerting:apm.transaction_error_rate/observability/rule/find",
-                "alerting:apm.transaction_error_rate/observability/rule/getRuleExecutionKPI",
-                "alerting:apm.transaction_error_rate/observability/rule/getBackfill",
-                "alerting:apm.transaction_error_rate/observability/rule/findBackfill",
-                "alerting:apm.transaction_duration/observability/rule/get",
-                "alerting:apm.transaction_duration/observability/rule/getRuleState",
-                "alerting:apm.transaction_duration/observability/rule/getAlertSummary",
-                "alerting:apm.transaction_duration/observability/rule/getExecutionLog",
-                "alerting:apm.transaction_duration/observability/rule/getActionErrorLog",
-                "alerting:apm.transaction_duration/observability/rule/find",
-                "alerting:apm.transaction_duration/observability/rule/getRuleExecutionKPI",
-                "alerting:apm.transaction_duration/observability/rule/getBackfill",
-                "alerting:apm.transaction_duration/observability/rule/findBackfill",
-                "alerting:apm.anomaly/observability/rule/get",
-                "alerting:apm.anomaly/observability/rule/getRuleState",
-                "alerting:apm.anomaly/observability/rule/getAlertSummary",
-                "alerting:apm.anomaly/observability/rule/getExecutionLog",
-                "alerting:apm.anomaly/observability/rule/getActionErrorLog",
-                "alerting:apm.anomaly/observability/rule/find",
-                "alerting:apm.anomaly/observability/rule/getRuleExecutionKPI",
-                "alerting:apm.anomaly/observability/rule/getBackfill",
-                "alerting:apm.anomaly/observability/rule/findBackfill",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/get",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleState",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getExecutionLog",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getActionErrorLog",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/find",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getBackfill",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/findBackfill",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/get",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleState",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getExecutionLog",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getActionErrorLog",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/find",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getBackfill",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/findBackfill",
-                "alerting:slo.rules.burnRate/observability/alert/get",
-                "alerting:slo.rules.burnRate/observability/alert/find",
-                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/alert/get",
-                "alerting:observability.rules.custom_threshold/observability/alert/find",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
-                "alerting:.es-query/observability/alert/get",
-                "alerting:.es-query/observability/alert/find",
-                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/observability/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
-                "alerting:apm.error_rate/observability/alert/get",
-                "alerting:apm.error_rate/observability/alert/find",
-                "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.error_rate/observability/alert/getAlertSummary",
-                "alerting:apm.transaction_error_rate/observability/alert/get",
-                "alerting:apm.transaction_error_rate/observability/alert/find",
-                "alerting:apm.transaction_error_rate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.transaction_error_rate/observability/alert/getAlertSummary",
-                "alerting:apm.transaction_duration/observability/alert/get",
-                "alerting:apm.transaction_duration/observability/alert/find",
-                "alerting:apm.transaction_duration/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.transaction_duration/observability/alert/getAlertSummary",
-                "alerting:apm.anomaly/observability/alert/get",
-                "alerting:apm.anomaly/observability/alert/find",
-                "alerting:apm.anomaly/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.anomaly/observability/alert/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/get",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/get",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/find",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
-              ],
-              "read": Array [
-                "login:",
-                "app:discover",
-                "app:kibana",
-                "ui:catalogue/discover",
-                "ui:navLinks/discover",
-                "ui:navLinks/kibana",
-                "saved_object:url/bulk_get",
-                "saved_object:url/get",
-                "saved_object:url/find",
-                "saved_object:url/open_point_in_time",
-                "saved_object:url/close_point_in_time",
-                "saved_object:url/create",
-                "saved_object:url/bulk_create",
-                "saved_object:url/update",
-                "saved_object:url/bulk_update",
-                "saved_object:url/delete",
-                "saved_object:url/bulk_delete",
-                "saved_object:url/share_to_space",
-                "saved_object:index-pattern/bulk_get",
-                "saved_object:index-pattern/get",
-                "saved_object:index-pattern/find",
-                "saved_object:index-pattern/open_point_in_time",
-                "saved_object:index-pattern/close_point_in_time",
-                "saved_object:search/bulk_get",
-                "saved_object:search/get",
-                "saved_object:search/find",
-                "saved_object:search/open_point_in_time",
-                "saved_object:search/close_point_in_time",
-                "saved_object:query/bulk_get",
-                "saved_object:query/get",
-                "saved_object:query/find",
-                "saved_object:query/open_point_in_time",
-                "saved_object:query/close_point_in_time",
-                "saved_object:config/bulk_get",
-                "saved_object:config/get",
-                "saved_object:config/find",
-                "saved_object:config/open_point_in_time",
-                "saved_object:config/close_point_in_time",
-                "saved_object:config-global/bulk_get",
-                "saved_object:config-global/get",
-                "saved_object:config-global/find",
-                "saved_object:config-global/open_point_in_time",
-                "saved_object:config-global/close_point_in_time",
-                "saved_object:telemetry/bulk_get",
-                "saved_object:telemetry/get",
-                "saved_object:telemetry/find",
-                "saved_object:telemetry/open_point_in_time",
-                "saved_object:telemetry/close_point_in_time",
-                "ui:discover/show",
-                "ui:discover/createShortUrl",
-                "api:rac",
-                "app:observability",
-                "ui:catalogue/observability",
-                "ui:navLinks/observability",
-                "ui:observability/read",
-                "alerting:slo.rules.burnRate/observability/rule/get",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
-                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
-                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
-                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
-                "alerting:slo.rules.burnRate/observability/rule/find",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
-                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/get",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
-                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/find",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
-                "alerting:.es-query/observability/rule/get",
-                "alerting:.es-query/observability/rule/getRuleState",
-                "alerting:.es-query/observability/rule/getAlertSummary",
-                "alerting:.es-query/observability/rule/getExecutionLog",
-                "alerting:.es-query/observability/rule/getActionErrorLog",
-                "alerting:.es-query/observability/rule/find",
-                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
-                "alerting:.es-query/observability/rule/getBackfill",
-                "alerting:.es-query/observability/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
-                "alerting:apm.error_rate/observability/rule/get",
-                "alerting:apm.error_rate/observability/rule/getRuleState",
-                "alerting:apm.error_rate/observability/rule/getAlertSummary",
-                "alerting:apm.error_rate/observability/rule/getExecutionLog",
-                "alerting:apm.error_rate/observability/rule/getActionErrorLog",
-                "alerting:apm.error_rate/observability/rule/find",
-                "alerting:apm.error_rate/observability/rule/getRuleExecutionKPI",
-                "alerting:apm.error_rate/observability/rule/getBackfill",
-                "alerting:apm.error_rate/observability/rule/findBackfill",
-                "alerting:apm.transaction_error_rate/observability/rule/get",
-                "alerting:apm.transaction_error_rate/observability/rule/getRuleState",
-                "alerting:apm.transaction_error_rate/observability/rule/getAlertSummary",
-                "alerting:apm.transaction_error_rate/observability/rule/getExecutionLog",
-                "alerting:apm.transaction_error_rate/observability/rule/getActionErrorLog",
-                "alerting:apm.transaction_error_rate/observability/rule/find",
-                "alerting:apm.transaction_error_rate/observability/rule/getRuleExecutionKPI",
-                "alerting:apm.transaction_error_rate/observability/rule/getBackfill",
-                "alerting:apm.transaction_error_rate/observability/rule/findBackfill",
-                "alerting:apm.transaction_duration/observability/rule/get",
-                "alerting:apm.transaction_duration/observability/rule/getRuleState",
-                "alerting:apm.transaction_duration/observability/rule/getAlertSummary",
-                "alerting:apm.transaction_duration/observability/rule/getExecutionLog",
-                "alerting:apm.transaction_duration/observability/rule/getActionErrorLog",
-                "alerting:apm.transaction_duration/observability/rule/find",
-                "alerting:apm.transaction_duration/observability/rule/getRuleExecutionKPI",
-                "alerting:apm.transaction_duration/observability/rule/getBackfill",
-                "alerting:apm.transaction_duration/observability/rule/findBackfill",
-                "alerting:apm.anomaly/observability/rule/get",
-                "alerting:apm.anomaly/observability/rule/getRuleState",
-                "alerting:apm.anomaly/observability/rule/getAlertSummary",
-                "alerting:apm.anomaly/observability/rule/getExecutionLog",
-                "alerting:apm.anomaly/observability/rule/getActionErrorLog",
-                "alerting:apm.anomaly/observability/rule/find",
-                "alerting:apm.anomaly/observability/rule/getRuleExecutionKPI",
-                "alerting:apm.anomaly/observability/rule/getBackfill",
-                "alerting:apm.anomaly/observability/rule/findBackfill",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/get",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleState",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getExecutionLog",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getActionErrorLog",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/find",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getBackfill",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/findBackfill",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/get",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleState",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getExecutionLog",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getActionErrorLog",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/find",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getBackfill",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/findBackfill",
-                "alerting:slo.rules.burnRate/observability/alert/get",
-                "alerting:slo.rules.burnRate/observability/alert/find",
-                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/alert/get",
-                "alerting:observability.rules.custom_threshold/observability/alert/find",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
-                "alerting:.es-query/observability/alert/get",
-                "alerting:.es-query/observability/alert/find",
-                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/observability/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
-                "alerting:apm.error_rate/observability/alert/get",
-                "alerting:apm.error_rate/observability/alert/find",
-                "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.error_rate/observability/alert/getAlertSummary",
-                "alerting:apm.transaction_error_rate/observability/alert/get",
-                "alerting:apm.transaction_error_rate/observability/alert/find",
-                "alerting:apm.transaction_error_rate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.transaction_error_rate/observability/alert/getAlertSummary",
-                "alerting:apm.transaction_duration/observability/alert/get",
-                "alerting:apm.transaction_duration/observability/alert/find",
-                "alerting:apm.transaction_duration/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.transaction_duration/observability/alert/getAlertSummary",
-                "alerting:apm.anomaly/observability/alert/get",
-                "alerting:apm.anomaly/observability/alert/find",
-                "alerting:apm.anomaly/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.anomaly/observability/alert/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/get",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/get",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/find",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
-              ],
-              "store_search_session": Array [
-                "login:",
-                "api:store_search_session",
-                "ui:management/kibana/search_sessions",
-                "saved_object:search-session/bulk_get",
-                "saved_object:search-session/get",
-                "saved_object:search-session/find",
-                "saved_object:search-session/open_point_in_time",
-                "saved_object:search-session/close_point_in_time",
-                "saved_object:search-session/create",
-                "saved_object:search-session/bulk_create",
-                "saved_object:search-session/update",
-                "saved_object:search-session/bulk_update",
-                "saved_object:search-session/delete",
-                "saved_object:search-session/bulk_delete",
-                "saved_object:search-session/share_to_space",
-                "ui:discover/storeSearchSession",
-              ],
-              "url_create": Array [
-                "login:",
-                "saved_object:url/bulk_get",
-                "saved_object:url/get",
-                "saved_object:url/find",
-                "saved_object:url/open_point_in_time",
-                "saved_object:url/close_point_in_time",
-                "saved_object:url/create",
-                "saved_object:url/bulk_create",
-                "saved_object:url/update",
-                "saved_object:url/bulk_update",
-                "saved_object:url/delete",
-                "saved_object:url/bulk_delete",
-                "saved_object:url/share_to_space",
-                "ui:discover/createShortUrl",
-              ],
-            },
-            "fleetv2": Object {
-              "all": Array [
-                "login:",
-                "api:fleet-read",
-                "api:fleet-all",
-                "app:fleet",
-                "ui:catalogue/fleet",
-                "ui:navLinks/fleet",
-                "saved_object:ingest-outputs/bulk_get",
-                "saved_object:ingest-outputs/get",
-                "saved_object:ingest-outputs/find",
-                "saved_object:ingest-outputs/open_point_in_time",
-                "saved_object:ingest-outputs/close_point_in_time",
-                "saved_object:ingest-outputs/create",
-                "saved_object:ingest-outputs/bulk_create",
-                "saved_object:ingest-outputs/update",
-                "saved_object:ingest-outputs/bulk_update",
-                "saved_object:ingest-outputs/delete",
-                "saved_object:ingest-outputs/bulk_delete",
-                "saved_object:ingest-outputs/share_to_space",
-                "saved_object:ingest-agent-policies/bulk_get",
-                "saved_object:ingest-agent-policies/get",
-                "saved_object:ingest-agent-policies/find",
-                "saved_object:ingest-agent-policies/open_point_in_time",
-                "saved_object:ingest-agent-policies/close_point_in_time",
-                "saved_object:ingest-agent-policies/create",
-                "saved_object:ingest-agent-policies/bulk_create",
-                "saved_object:ingest-agent-policies/update",
-                "saved_object:ingest-agent-policies/bulk_update",
-                "saved_object:ingest-agent-policies/delete",
-                "saved_object:ingest-agent-policies/bulk_delete",
-                "saved_object:ingest-agent-policies/share_to_space",
-                "saved_object:fleet-agent-policies/bulk_get",
-                "saved_object:fleet-agent-policies/get",
-                "saved_object:fleet-agent-policies/find",
-                "saved_object:fleet-agent-policies/open_point_in_time",
-                "saved_object:fleet-agent-policies/close_point_in_time",
-                "saved_object:fleet-agent-policies/create",
-                "saved_object:fleet-agent-policies/bulk_create",
-                "saved_object:fleet-agent-policies/update",
-                "saved_object:fleet-agent-policies/bulk_update",
-                "saved_object:fleet-agent-policies/delete",
-                "saved_object:fleet-agent-policies/bulk_delete",
-                "saved_object:fleet-agent-policies/share_to_space",
-                "saved_object:ingest-package-policies/bulk_get",
-                "saved_object:ingest-package-policies/get",
-                "saved_object:ingest-package-policies/find",
-                "saved_object:ingest-package-policies/open_point_in_time",
-                "saved_object:ingest-package-policies/close_point_in_time",
-                "saved_object:ingest-package-policies/create",
-                "saved_object:ingest-package-policies/bulk_create",
-                "saved_object:ingest-package-policies/update",
-                "saved_object:ingest-package-policies/bulk_update",
-                "saved_object:ingest-package-policies/delete",
-                "saved_object:ingest-package-policies/bulk_delete",
-                "saved_object:ingest-package-policies/share_to_space",
-                "saved_object:fleet-package-policies/bulk_get",
-                "saved_object:fleet-package-policies/get",
-                "saved_object:fleet-package-policies/find",
-                "saved_object:fleet-package-policies/open_point_in_time",
-                "saved_object:fleet-package-policies/close_point_in_time",
-                "saved_object:fleet-package-policies/create",
-                "saved_object:fleet-package-policies/bulk_create",
-                "saved_object:fleet-package-policies/update",
-                "saved_object:fleet-package-policies/bulk_update",
-                "saved_object:fleet-package-policies/delete",
-                "saved_object:fleet-package-policies/bulk_delete",
-                "saved_object:fleet-package-policies/share_to_space",
-                "saved_object:epm-packages/bulk_get",
-                "saved_object:epm-packages/get",
-                "saved_object:epm-packages/find",
-                "saved_object:epm-packages/open_point_in_time",
-                "saved_object:epm-packages/close_point_in_time",
-                "saved_object:epm-packages/create",
-                "saved_object:epm-packages/bulk_create",
-                "saved_object:epm-packages/update",
-                "saved_object:epm-packages/bulk_update",
-                "saved_object:epm-packages/delete",
-                "saved_object:epm-packages/bulk_delete",
-                "saved_object:epm-packages/share_to_space",
-                "saved_object:epm-packages-assets/bulk_get",
-                "saved_object:epm-packages-assets/get",
-                "saved_object:epm-packages-assets/find",
-                "saved_object:epm-packages-assets/open_point_in_time",
-                "saved_object:epm-packages-assets/close_point_in_time",
-                "saved_object:epm-packages-assets/create",
-                "saved_object:epm-packages-assets/bulk_create",
-                "saved_object:epm-packages-assets/update",
-                "saved_object:epm-packages-assets/bulk_update",
-                "saved_object:epm-packages-assets/delete",
-                "saved_object:epm-packages-assets/bulk_delete",
-                "saved_object:epm-packages-assets/share_to_space",
-                "saved_object:fleet-preconfiguration-deletion-record/bulk_get",
-                "saved_object:fleet-preconfiguration-deletion-record/get",
-                "saved_object:fleet-preconfiguration-deletion-record/find",
-                "saved_object:fleet-preconfiguration-deletion-record/open_point_in_time",
-                "saved_object:fleet-preconfiguration-deletion-record/close_point_in_time",
-                "saved_object:fleet-preconfiguration-deletion-record/create",
-                "saved_object:fleet-preconfiguration-deletion-record/bulk_create",
-                "saved_object:fleet-preconfiguration-deletion-record/update",
-                "saved_object:fleet-preconfiguration-deletion-record/bulk_update",
-                "saved_object:fleet-preconfiguration-deletion-record/delete",
-                "saved_object:fleet-preconfiguration-deletion-record/bulk_delete",
-                "saved_object:fleet-preconfiguration-deletion-record/share_to_space",
-                "saved_object:ingest-download-sources/bulk_get",
-                "saved_object:ingest-download-sources/get",
-                "saved_object:ingest-download-sources/find",
-                "saved_object:ingest-download-sources/open_point_in_time",
-                "saved_object:ingest-download-sources/close_point_in_time",
-                "saved_object:ingest-download-sources/create",
-                "saved_object:ingest-download-sources/bulk_create",
-                "saved_object:ingest-download-sources/update",
-                "saved_object:ingest-download-sources/bulk_update",
-                "saved_object:ingest-download-sources/delete",
-                "saved_object:ingest-download-sources/bulk_delete",
-                "saved_object:ingest-download-sources/share_to_space",
-                "saved_object:fleet-fleet-server-host/bulk_get",
-                "saved_object:fleet-fleet-server-host/get",
-                "saved_object:fleet-fleet-server-host/find",
-                "saved_object:fleet-fleet-server-host/open_point_in_time",
-                "saved_object:fleet-fleet-server-host/close_point_in_time",
-                "saved_object:fleet-fleet-server-host/create",
-                "saved_object:fleet-fleet-server-host/bulk_create",
-                "saved_object:fleet-fleet-server-host/update",
-                "saved_object:fleet-fleet-server-host/bulk_update",
-                "saved_object:fleet-fleet-server-host/delete",
-                "saved_object:fleet-fleet-server-host/bulk_delete",
-                "saved_object:fleet-fleet-server-host/share_to_space",
-                "saved_object:fleet-proxy/bulk_get",
-                "saved_object:fleet-proxy/get",
-                "saved_object:fleet-proxy/find",
-                "saved_object:fleet-proxy/open_point_in_time",
-                "saved_object:fleet-proxy/close_point_in_time",
-                "saved_object:fleet-proxy/create",
-                "saved_object:fleet-proxy/bulk_create",
-                "saved_object:fleet-proxy/update",
-                "saved_object:fleet-proxy/bulk_update",
-                "saved_object:fleet-proxy/delete",
-                "saved_object:fleet-proxy/bulk_delete",
-                "saved_object:fleet-proxy/share_to_space",
-                "saved_object:fleet-space-settings/bulk_get",
-                "saved_object:fleet-space-settings/get",
-                "saved_object:fleet-space-settings/find",
-                "saved_object:fleet-space-settings/open_point_in_time",
-                "saved_object:fleet-space-settings/close_point_in_time",
-                "saved_object:fleet-space-settings/create",
-                "saved_object:fleet-space-settings/bulk_create",
-                "saved_object:fleet-space-settings/update",
-                "saved_object:fleet-space-settings/bulk_update",
-                "saved_object:fleet-space-settings/delete",
-                "saved_object:fleet-space-settings/bulk_delete",
-                "saved_object:fleet-space-settings/share_to_space",
-                "saved_object:telemetry/bulk_get",
-                "saved_object:telemetry/get",
-                "saved_object:telemetry/find",
-                "saved_object:telemetry/open_point_in_time",
-                "saved_object:telemetry/close_point_in_time",
-                "saved_object:telemetry/create",
-                "saved_object:telemetry/bulk_create",
-                "saved_object:telemetry/update",
-                "saved_object:telemetry/bulk_update",
-                "saved_object:telemetry/delete",
-                "saved_object:telemetry/bulk_delete",
-                "saved_object:telemetry/share_to_space",
-                "saved_object:config/bulk_get",
-                "saved_object:config/get",
-                "saved_object:config/find",
-                "saved_object:config/open_point_in_time",
-                "saved_object:config/close_point_in_time",
-                "saved_object:config-global/bulk_get",
-                "saved_object:config-global/get",
-                "saved_object:config-global/find",
-                "saved_object:config-global/open_point_in_time",
-                "saved_object:config-global/close_point_in_time",
-                "saved_object:url/bulk_get",
-                "saved_object:url/get",
-                "saved_object:url/find",
-                "saved_object:url/open_point_in_time",
-                "saved_object:url/close_point_in_time",
-                "ui:fleetv2/read",
-                "ui:fleetv2/all",
-                "api:infra",
-                "api:rac",
-                "app:infra",
-                "app:logs",
-                "app:kibana",
-                "app:observability-logs-explorer",
-                "ui:catalogue/infralogging",
-                "ui:catalogue/logs",
-                "ui:management/insightsAndAlerting/triggersActions",
-                "ui:navLinks/infra",
-                "ui:navLinks/logs",
-                "ui:navLinks/kibana",
-                "ui:navLinks/observability-logs-explorer",
-                "saved_object:infrastructure-ui-source/bulk_get",
-                "saved_object:infrastructure-ui-source/get",
-                "saved_object:infrastructure-ui-source/find",
-                "saved_object:infrastructure-ui-source/open_point_in_time",
-                "saved_object:infrastructure-ui-source/close_point_in_time",
-                "saved_object:infrastructure-ui-source/create",
-                "saved_object:infrastructure-ui-source/bulk_create",
-                "saved_object:infrastructure-ui-source/update",
-                "saved_object:infrastructure-ui-source/bulk_update",
-                "saved_object:infrastructure-ui-source/delete",
-                "saved_object:infrastructure-ui-source/bulk_delete",
-                "saved_object:infrastructure-ui-source/share_to_space",
-                "saved_object:infrastructure-monitoring-log-view/bulk_get",
-                "saved_object:infrastructure-monitoring-log-view/get",
-                "saved_object:infrastructure-monitoring-log-view/find",
-                "saved_object:infrastructure-monitoring-log-view/open_point_in_time",
-                "saved_object:infrastructure-monitoring-log-view/close_point_in_time",
-                "saved_object:infrastructure-monitoring-log-view/create",
-                "saved_object:infrastructure-monitoring-log-view/bulk_create",
-                "saved_object:infrastructure-monitoring-log-view/update",
-                "saved_object:infrastructure-monitoring-log-view/bulk_update",
-                "saved_object:infrastructure-monitoring-log-view/delete",
-                "saved_object:infrastructure-monitoring-log-view/bulk_delete",
-                "saved_object:infrastructure-monitoring-log-view/share_to_space",
-                "ui:logs/show",
-                "ui:logs/configureSource",
-                "ui:logs/save",
-                "alerting:logs.alert.document.count/logs/rule/get",
-                "alerting:logs.alert.document.count/logs/rule/getRuleState",
-                "alerting:logs.alert.document.count/logs/rule/getAlertSummary",
-                "alerting:logs.alert.document.count/logs/rule/getExecutionLog",
-                "alerting:logs.alert.document.count/logs/rule/getActionErrorLog",
-                "alerting:logs.alert.document.count/logs/rule/find",
-                "alerting:logs.alert.document.count/logs/rule/getRuleExecutionKPI",
-                "alerting:logs.alert.document.count/logs/rule/getBackfill",
-                "alerting:logs.alert.document.count/logs/rule/findBackfill",
-                "alerting:logs.alert.document.count/logs/rule/create",
-                "alerting:logs.alert.document.count/logs/rule/delete",
-                "alerting:logs.alert.document.count/logs/rule/update",
-                "alerting:logs.alert.document.count/logs/rule/updateApiKey",
-                "alerting:logs.alert.document.count/logs/rule/enable",
-                "alerting:logs.alert.document.count/logs/rule/disable",
-                "alerting:logs.alert.document.count/logs/rule/muteAll",
-                "alerting:logs.alert.document.count/logs/rule/unmuteAll",
-                "alerting:logs.alert.document.count/logs/rule/muteAlert",
-                "alerting:logs.alert.document.count/logs/rule/unmuteAlert",
-                "alerting:logs.alert.document.count/logs/rule/snooze",
-                "alerting:logs.alert.document.count/logs/rule/bulkEdit",
-                "alerting:logs.alert.document.count/logs/rule/bulkDelete",
-                "alerting:logs.alert.document.count/logs/rule/bulkEnable",
-                "alerting:logs.alert.document.count/logs/rule/bulkDisable",
-                "alerting:logs.alert.document.count/logs/rule/unsnooze",
-                "alerting:logs.alert.document.count/logs/rule/runSoon",
-                "alerting:logs.alert.document.count/logs/rule/scheduleBackfill",
-                "alerting:logs.alert.document.count/logs/rule/deleteBackfill",
-                "alerting:.es-query/logs/rule/get",
-                "alerting:.es-query/logs/rule/getRuleState",
-                "alerting:.es-query/logs/rule/getAlertSummary",
-                "alerting:.es-query/logs/rule/getExecutionLog",
-                "alerting:.es-query/logs/rule/getActionErrorLog",
-                "alerting:.es-query/logs/rule/find",
-                "alerting:.es-query/logs/rule/getRuleExecutionKPI",
-                "alerting:.es-query/logs/rule/getBackfill",
-                "alerting:.es-query/logs/rule/findBackfill",
-                "alerting:.es-query/logs/rule/create",
-                "alerting:.es-query/logs/rule/delete",
-                "alerting:.es-query/logs/rule/update",
-                "alerting:.es-query/logs/rule/updateApiKey",
-                "alerting:.es-query/logs/rule/enable",
-                "alerting:.es-query/logs/rule/disable",
-                "alerting:.es-query/logs/rule/muteAll",
-                "alerting:.es-query/logs/rule/unmuteAll",
-                "alerting:.es-query/logs/rule/muteAlert",
-                "alerting:.es-query/logs/rule/unmuteAlert",
-                "alerting:.es-query/logs/rule/snooze",
-                "alerting:.es-query/logs/rule/bulkEdit",
-                "alerting:.es-query/logs/rule/bulkDelete",
-                "alerting:.es-query/logs/rule/bulkEnable",
-                "alerting:.es-query/logs/rule/bulkDisable",
-                "alerting:.es-query/logs/rule/unsnooze",
-                "alerting:.es-query/logs/rule/runSoon",
-                "alerting:.es-query/logs/rule/scheduleBackfill",
-                "alerting:.es-query/logs/rule/deleteBackfill",
-                "alerting:observability.rules.custom_threshold/logs/rule/get",
-                "alerting:observability.rules.custom_threshold/logs/rule/getRuleState",
-                "alerting:observability.rules.custom_threshold/logs/rule/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/logs/rule/getExecutionLog",
-                "alerting:observability.rules.custom_threshold/logs/rule/getActionErrorLog",
-                "alerting:observability.rules.custom_threshold/logs/rule/find",
-                "alerting:observability.rules.custom_threshold/logs/rule/getRuleExecutionKPI",
-                "alerting:observability.rules.custom_threshold/logs/rule/getBackfill",
-                "alerting:observability.rules.custom_threshold/logs/rule/findBackfill",
-                "alerting:observability.rules.custom_threshold/logs/rule/create",
-                "alerting:observability.rules.custom_threshold/logs/rule/delete",
-                "alerting:observability.rules.custom_threshold/logs/rule/update",
-                "alerting:observability.rules.custom_threshold/logs/rule/updateApiKey",
-                "alerting:observability.rules.custom_threshold/logs/rule/enable",
-                "alerting:observability.rules.custom_threshold/logs/rule/disable",
-                "alerting:observability.rules.custom_threshold/logs/rule/muteAll",
-                "alerting:observability.rules.custom_threshold/logs/rule/unmuteAll",
-                "alerting:observability.rules.custom_threshold/logs/rule/muteAlert",
-                "alerting:observability.rules.custom_threshold/logs/rule/unmuteAlert",
-                "alerting:observability.rules.custom_threshold/logs/rule/snooze",
-                "alerting:observability.rules.custom_threshold/logs/rule/bulkEdit",
-                "alerting:observability.rules.custom_threshold/logs/rule/bulkDelete",
-                "alerting:observability.rules.custom_threshold/logs/rule/bulkEnable",
-                "alerting:observability.rules.custom_threshold/logs/rule/bulkDisable",
-                "alerting:observability.rules.custom_threshold/logs/rule/unsnooze",
-                "alerting:observability.rules.custom_threshold/logs/rule/runSoon",
-                "alerting:observability.rules.custom_threshold/logs/rule/scheduleBackfill",
-                "alerting:observability.rules.custom_threshold/logs/rule/deleteBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/get",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleState",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getExecutionLog",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getActionErrorLog",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/find",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleExecutionKPI",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/create",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/delete",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/update",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/updateApiKey",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/enable",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/disable",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/muteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/unmuteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/muteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/unmuteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/snooze",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkEdit",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkDelete",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkEnable",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkDisable",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/unsnooze",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/runSoon",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/scheduleBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/deleteBackfill",
-                "alerting:logs.alert.document.count/logs/alert/get",
-                "alerting:logs.alert.document.count/logs/alert/find",
-                "alerting:logs.alert.document.count/logs/alert/getAuthorizedAlertsIndices",
-                "alerting:logs.alert.document.count/logs/alert/getAlertSummary",
-                "alerting:logs.alert.document.count/logs/alert/update",
-                "alerting:.es-query/logs/alert/get",
-                "alerting:.es-query/logs/alert/find",
-                "alerting:.es-query/logs/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/logs/alert/getAlertSummary",
-                "alerting:.es-query/logs/alert/update",
-                "alerting:observability.rules.custom_threshold/logs/alert/get",
-                "alerting:observability.rules.custom_threshold/logs/alert/find",
-                "alerting:observability.rules.custom_threshold/logs/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/logs/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/logs/alert/update",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/update",
-              ],
-              "minimal_all": Array [
-                "login:",
-                "api:fleet-read",
-                "api:fleet-all",
-                "app:fleet",
-                "ui:catalogue/fleet",
-                "ui:navLinks/fleet",
-                "saved_object:ingest-outputs/bulk_get",
-                "saved_object:ingest-outputs/get",
-                "saved_object:ingest-outputs/find",
-                "saved_object:ingest-outputs/open_point_in_time",
-                "saved_object:ingest-outputs/close_point_in_time",
-                "saved_object:ingest-outputs/create",
-                "saved_object:ingest-outputs/bulk_create",
-                "saved_object:ingest-outputs/update",
-                "saved_object:ingest-outputs/bulk_update",
-                "saved_object:ingest-outputs/delete",
-                "saved_object:ingest-outputs/bulk_delete",
-                "saved_object:ingest-outputs/share_to_space",
-                "saved_object:ingest-agent-policies/bulk_get",
-                "saved_object:ingest-agent-policies/get",
-                "saved_object:ingest-agent-policies/find",
-                "saved_object:ingest-agent-policies/open_point_in_time",
-                "saved_object:ingest-agent-policies/close_point_in_time",
-                "saved_object:ingest-agent-policies/create",
-                "saved_object:ingest-agent-policies/bulk_create",
-                "saved_object:ingest-agent-policies/update",
-                "saved_object:ingest-agent-policies/bulk_update",
-                "saved_object:ingest-agent-policies/delete",
-                "saved_object:ingest-agent-policies/bulk_delete",
-                "saved_object:ingest-agent-policies/share_to_space",
-                "saved_object:fleet-agent-policies/bulk_get",
-                "saved_object:fleet-agent-policies/get",
-                "saved_object:fleet-agent-policies/find",
-                "saved_object:fleet-agent-policies/open_point_in_time",
-                "saved_object:fleet-agent-policies/close_point_in_time",
-                "saved_object:fleet-agent-policies/create",
-                "saved_object:fleet-agent-policies/bulk_create",
-                "saved_object:fleet-agent-policies/update",
-                "saved_object:fleet-agent-policies/bulk_update",
-                "saved_object:fleet-agent-policies/delete",
-                "saved_object:fleet-agent-policies/bulk_delete",
-                "saved_object:fleet-agent-policies/share_to_space",
-                "saved_object:ingest-package-policies/bulk_get",
-                "saved_object:ingest-package-policies/get",
-                "saved_object:ingest-package-policies/find",
-                "saved_object:ingest-package-policies/open_point_in_time",
-                "saved_object:ingest-package-policies/close_point_in_time",
-                "saved_object:ingest-package-policies/create",
-                "saved_object:ingest-package-policies/bulk_create",
-                "saved_object:ingest-package-policies/update",
-                "saved_object:ingest-package-policies/bulk_update",
-                "saved_object:ingest-package-policies/delete",
-                "saved_object:ingest-package-policies/bulk_delete",
-                "saved_object:ingest-package-policies/share_to_space",
-                "saved_object:fleet-package-policies/bulk_get",
-                "saved_object:fleet-package-policies/get",
-                "saved_object:fleet-package-policies/find",
-                "saved_object:fleet-package-policies/open_point_in_time",
-                "saved_object:fleet-package-policies/close_point_in_time",
-                "saved_object:fleet-package-policies/create",
-                "saved_object:fleet-package-policies/bulk_create",
-                "saved_object:fleet-package-policies/update",
-                "saved_object:fleet-package-policies/bulk_update",
-                "saved_object:fleet-package-policies/delete",
-                "saved_object:fleet-package-policies/bulk_delete",
-                "saved_object:fleet-package-policies/share_to_space",
-                "saved_object:epm-packages/bulk_get",
-                "saved_object:epm-packages/get",
-                "saved_object:epm-packages/find",
-                "saved_object:epm-packages/open_point_in_time",
-                "saved_object:epm-packages/close_point_in_time",
-                "saved_object:epm-packages/create",
-                "saved_object:epm-packages/bulk_create",
-                "saved_object:epm-packages/update",
-                "saved_object:epm-packages/bulk_update",
-                "saved_object:epm-packages/delete",
-                "saved_object:epm-packages/bulk_delete",
-                "saved_object:epm-packages/share_to_space",
-                "saved_object:epm-packages-assets/bulk_get",
-                "saved_object:epm-packages-assets/get",
-                "saved_object:epm-packages-assets/find",
-                "saved_object:epm-packages-assets/open_point_in_time",
-                "saved_object:epm-packages-assets/close_point_in_time",
-                "saved_object:epm-packages-assets/create",
-                "saved_object:epm-packages-assets/bulk_create",
-                "saved_object:epm-packages-assets/update",
-                "saved_object:epm-packages-assets/bulk_update",
-                "saved_object:epm-packages-assets/delete",
-                "saved_object:epm-packages-assets/bulk_delete",
-                "saved_object:epm-packages-assets/share_to_space",
-                "saved_object:fleet-preconfiguration-deletion-record/bulk_get",
-                "saved_object:fleet-preconfiguration-deletion-record/get",
-                "saved_object:fleet-preconfiguration-deletion-record/find",
-                "saved_object:fleet-preconfiguration-deletion-record/open_point_in_time",
-                "saved_object:fleet-preconfiguration-deletion-record/close_point_in_time",
-                "saved_object:fleet-preconfiguration-deletion-record/create",
-                "saved_object:fleet-preconfiguration-deletion-record/bulk_create",
-                "saved_object:fleet-preconfiguration-deletion-record/update",
-                "saved_object:fleet-preconfiguration-deletion-record/bulk_update",
-                "saved_object:fleet-preconfiguration-deletion-record/delete",
-                "saved_object:fleet-preconfiguration-deletion-record/bulk_delete",
-                "saved_object:fleet-preconfiguration-deletion-record/share_to_space",
-                "saved_object:ingest-download-sources/bulk_get",
-                "saved_object:ingest-download-sources/get",
-                "saved_object:ingest-download-sources/find",
-                "saved_object:ingest-download-sources/open_point_in_time",
-                "saved_object:ingest-download-sources/close_point_in_time",
-                "saved_object:ingest-download-sources/create",
-                "saved_object:ingest-download-sources/bulk_create",
-                "saved_object:ingest-download-sources/update",
-                "saved_object:ingest-download-sources/bulk_update",
-                "saved_object:ingest-download-sources/delete",
-                "saved_object:ingest-download-sources/bulk_delete",
-                "saved_object:ingest-download-sources/share_to_space",
-                "saved_object:fleet-fleet-server-host/bulk_get",
-                "saved_object:fleet-fleet-server-host/get",
-                "saved_object:fleet-fleet-server-host/find",
-                "saved_object:fleet-fleet-server-host/open_point_in_time",
-                "saved_object:fleet-fleet-server-host/close_point_in_time",
-                "saved_object:fleet-fleet-server-host/create",
-                "saved_object:fleet-fleet-server-host/bulk_create",
-                "saved_object:fleet-fleet-server-host/update",
-                "saved_object:fleet-fleet-server-host/bulk_update",
-                "saved_object:fleet-fleet-server-host/delete",
-                "saved_object:fleet-fleet-server-host/bulk_delete",
-                "saved_object:fleet-fleet-server-host/share_to_space",
-                "saved_object:fleet-proxy/bulk_get",
-                "saved_object:fleet-proxy/get",
-                "saved_object:fleet-proxy/find",
-                "saved_object:fleet-proxy/open_point_in_time",
-                "saved_object:fleet-proxy/close_point_in_time",
-                "saved_object:fleet-proxy/create",
-                "saved_object:fleet-proxy/bulk_create",
-                "saved_object:fleet-proxy/update",
-                "saved_object:fleet-proxy/bulk_update",
-                "saved_object:fleet-proxy/delete",
-                "saved_object:fleet-proxy/bulk_delete",
-                "saved_object:fleet-proxy/share_to_space",
-                "saved_object:fleet-space-settings/bulk_get",
-                "saved_object:fleet-space-settings/get",
-                "saved_object:fleet-space-settings/find",
-                "saved_object:fleet-space-settings/open_point_in_time",
-                "saved_object:fleet-space-settings/close_point_in_time",
-                "saved_object:fleet-space-settings/create",
-                "saved_object:fleet-space-settings/bulk_create",
-                "saved_object:fleet-space-settings/update",
-                "saved_object:fleet-space-settings/bulk_update",
-                "saved_object:fleet-space-settings/delete",
-                "saved_object:fleet-space-settings/bulk_delete",
-                "saved_object:fleet-space-settings/share_to_space",
-                "saved_object:telemetry/bulk_get",
-                "saved_object:telemetry/get",
-                "saved_object:telemetry/find",
-                "saved_object:telemetry/open_point_in_time",
-                "saved_object:telemetry/close_point_in_time",
-                "saved_object:telemetry/create",
-                "saved_object:telemetry/bulk_create",
-                "saved_object:telemetry/update",
-                "saved_object:telemetry/bulk_update",
-                "saved_object:telemetry/delete",
-                "saved_object:telemetry/bulk_delete",
-                "saved_object:telemetry/share_to_space",
-                "saved_object:config/bulk_get",
-                "saved_object:config/get",
-                "saved_object:config/find",
-                "saved_object:config/open_point_in_time",
-                "saved_object:config/close_point_in_time",
-                "saved_object:config-global/bulk_get",
-                "saved_object:config-global/get",
-                "saved_object:config-global/find",
-                "saved_object:config-global/open_point_in_time",
-                "saved_object:config-global/close_point_in_time",
-                "saved_object:url/bulk_get",
-                "saved_object:url/get",
-                "saved_object:url/find",
-                "saved_object:url/open_point_in_time",
-                "saved_object:url/close_point_in_time",
-                "ui:fleetv2/read",
-                "ui:fleetv2/all",
-                "api:infra",
-                "api:rac",
-                "app:infra",
-                "app:logs",
-                "app:kibana",
-                "app:observability-logs-explorer",
-                "ui:catalogue/infralogging",
-                "ui:catalogue/logs",
-                "ui:management/insightsAndAlerting/triggersActions",
-                "ui:navLinks/infra",
-                "ui:navLinks/logs",
-                "ui:navLinks/kibana",
-                "ui:navLinks/observability-logs-explorer",
-                "saved_object:infrastructure-ui-source/bulk_get",
-                "saved_object:infrastructure-ui-source/get",
-                "saved_object:infrastructure-ui-source/find",
-                "saved_object:infrastructure-ui-source/open_point_in_time",
-                "saved_object:infrastructure-ui-source/close_point_in_time",
-                "saved_object:infrastructure-ui-source/create",
-                "saved_object:infrastructure-ui-source/bulk_create",
-                "saved_object:infrastructure-ui-source/update",
-                "saved_object:infrastructure-ui-source/bulk_update",
-                "saved_object:infrastructure-ui-source/delete",
-                "saved_object:infrastructure-ui-source/bulk_delete",
-                "saved_object:infrastructure-ui-source/share_to_space",
-                "saved_object:infrastructure-monitoring-log-view/bulk_get",
-                "saved_object:infrastructure-monitoring-log-view/get",
-                "saved_object:infrastructure-monitoring-log-view/find",
-                "saved_object:infrastructure-monitoring-log-view/open_point_in_time",
-                "saved_object:infrastructure-monitoring-log-view/close_point_in_time",
-                "saved_object:infrastructure-monitoring-log-view/create",
-                "saved_object:infrastructure-monitoring-log-view/bulk_create",
-                "saved_object:infrastructure-monitoring-log-view/update",
-                "saved_object:infrastructure-monitoring-log-view/bulk_update",
-                "saved_object:infrastructure-monitoring-log-view/delete",
-                "saved_object:infrastructure-monitoring-log-view/bulk_delete",
-                "saved_object:infrastructure-monitoring-log-view/share_to_space",
-                "ui:logs/show",
-                "ui:logs/configureSource",
-                "ui:logs/save",
-                "alerting:logs.alert.document.count/logs/rule/get",
-                "alerting:logs.alert.document.count/logs/rule/getRuleState",
-                "alerting:logs.alert.document.count/logs/rule/getAlertSummary",
-                "alerting:logs.alert.document.count/logs/rule/getExecutionLog",
-                "alerting:logs.alert.document.count/logs/rule/getActionErrorLog",
-                "alerting:logs.alert.document.count/logs/rule/find",
-                "alerting:logs.alert.document.count/logs/rule/getRuleExecutionKPI",
-                "alerting:logs.alert.document.count/logs/rule/getBackfill",
-                "alerting:logs.alert.document.count/logs/rule/findBackfill",
-                "alerting:logs.alert.document.count/logs/rule/create",
-                "alerting:logs.alert.document.count/logs/rule/delete",
-                "alerting:logs.alert.document.count/logs/rule/update",
-                "alerting:logs.alert.document.count/logs/rule/updateApiKey",
-                "alerting:logs.alert.document.count/logs/rule/enable",
-                "alerting:logs.alert.document.count/logs/rule/disable",
-                "alerting:logs.alert.document.count/logs/rule/muteAll",
-                "alerting:logs.alert.document.count/logs/rule/unmuteAll",
-                "alerting:logs.alert.document.count/logs/rule/muteAlert",
-                "alerting:logs.alert.document.count/logs/rule/unmuteAlert",
-                "alerting:logs.alert.document.count/logs/rule/snooze",
-                "alerting:logs.alert.document.count/logs/rule/bulkEdit",
-                "alerting:logs.alert.document.count/logs/rule/bulkDelete",
-                "alerting:logs.alert.document.count/logs/rule/bulkEnable",
-                "alerting:logs.alert.document.count/logs/rule/bulkDisable",
-                "alerting:logs.alert.document.count/logs/rule/unsnooze",
-                "alerting:logs.alert.document.count/logs/rule/runSoon",
-                "alerting:logs.alert.document.count/logs/rule/scheduleBackfill",
-                "alerting:logs.alert.document.count/logs/rule/deleteBackfill",
-                "alerting:.es-query/logs/rule/get",
-                "alerting:.es-query/logs/rule/getRuleState",
-                "alerting:.es-query/logs/rule/getAlertSummary",
-                "alerting:.es-query/logs/rule/getExecutionLog",
-                "alerting:.es-query/logs/rule/getActionErrorLog",
-                "alerting:.es-query/logs/rule/find",
-                "alerting:.es-query/logs/rule/getRuleExecutionKPI",
-                "alerting:.es-query/logs/rule/getBackfill",
-                "alerting:.es-query/logs/rule/findBackfill",
-                "alerting:.es-query/logs/rule/create",
-                "alerting:.es-query/logs/rule/delete",
-                "alerting:.es-query/logs/rule/update",
-                "alerting:.es-query/logs/rule/updateApiKey",
-                "alerting:.es-query/logs/rule/enable",
-                "alerting:.es-query/logs/rule/disable",
-                "alerting:.es-query/logs/rule/muteAll",
-                "alerting:.es-query/logs/rule/unmuteAll",
-                "alerting:.es-query/logs/rule/muteAlert",
-                "alerting:.es-query/logs/rule/unmuteAlert",
-                "alerting:.es-query/logs/rule/snooze",
-                "alerting:.es-query/logs/rule/bulkEdit",
-                "alerting:.es-query/logs/rule/bulkDelete",
-                "alerting:.es-query/logs/rule/bulkEnable",
-                "alerting:.es-query/logs/rule/bulkDisable",
-                "alerting:.es-query/logs/rule/unsnooze",
-                "alerting:.es-query/logs/rule/runSoon",
-                "alerting:.es-query/logs/rule/scheduleBackfill",
-                "alerting:.es-query/logs/rule/deleteBackfill",
-                "alerting:observability.rules.custom_threshold/logs/rule/get",
-                "alerting:observability.rules.custom_threshold/logs/rule/getRuleState",
-                "alerting:observability.rules.custom_threshold/logs/rule/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/logs/rule/getExecutionLog",
-                "alerting:observability.rules.custom_threshold/logs/rule/getActionErrorLog",
-                "alerting:observability.rules.custom_threshold/logs/rule/find",
-                "alerting:observability.rules.custom_threshold/logs/rule/getRuleExecutionKPI",
-                "alerting:observability.rules.custom_threshold/logs/rule/getBackfill",
-                "alerting:observability.rules.custom_threshold/logs/rule/findBackfill",
-                "alerting:observability.rules.custom_threshold/logs/rule/create",
-                "alerting:observability.rules.custom_threshold/logs/rule/delete",
-                "alerting:observability.rules.custom_threshold/logs/rule/update",
-                "alerting:observability.rules.custom_threshold/logs/rule/updateApiKey",
-                "alerting:observability.rules.custom_threshold/logs/rule/enable",
-                "alerting:observability.rules.custom_threshold/logs/rule/disable",
-                "alerting:observability.rules.custom_threshold/logs/rule/muteAll",
-                "alerting:observability.rules.custom_threshold/logs/rule/unmuteAll",
-                "alerting:observability.rules.custom_threshold/logs/rule/muteAlert",
-                "alerting:observability.rules.custom_threshold/logs/rule/unmuteAlert",
-                "alerting:observability.rules.custom_threshold/logs/rule/snooze",
-                "alerting:observability.rules.custom_threshold/logs/rule/bulkEdit",
-                "alerting:observability.rules.custom_threshold/logs/rule/bulkDelete",
-                "alerting:observability.rules.custom_threshold/logs/rule/bulkEnable",
-                "alerting:observability.rules.custom_threshold/logs/rule/bulkDisable",
-                "alerting:observability.rules.custom_threshold/logs/rule/unsnooze",
-                "alerting:observability.rules.custom_threshold/logs/rule/runSoon",
-                "alerting:observability.rules.custom_threshold/logs/rule/scheduleBackfill",
-                "alerting:observability.rules.custom_threshold/logs/rule/deleteBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/get",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleState",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getExecutionLog",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getActionErrorLog",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/find",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleExecutionKPI",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/create",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/delete",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/update",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/updateApiKey",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/enable",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/disable",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/muteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/unmuteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/muteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/unmuteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/snooze",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkEdit",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkDelete",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkEnable",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkDisable",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/unsnooze",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/runSoon",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/scheduleBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/deleteBackfill",
-                "alerting:logs.alert.document.count/logs/alert/get",
-                "alerting:logs.alert.document.count/logs/alert/find",
-                "alerting:logs.alert.document.count/logs/alert/getAuthorizedAlertsIndices",
-                "alerting:logs.alert.document.count/logs/alert/getAlertSummary",
-                "alerting:logs.alert.document.count/logs/alert/update",
-                "alerting:.es-query/logs/alert/get",
-                "alerting:.es-query/logs/alert/find",
-                "alerting:.es-query/logs/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/logs/alert/getAlertSummary",
-                "alerting:.es-query/logs/alert/update",
-                "alerting:observability.rules.custom_threshold/logs/alert/get",
-                "alerting:observability.rules.custom_threshold/logs/alert/find",
-                "alerting:observability.rules.custom_threshold/logs/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/logs/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/logs/alert/update",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/update",
-              ],
-              "minimal_read": Array [
-                "login:",
-                "api:fleet-read",
-                "app:fleet",
-                "ui:catalogue/fleet",
-                "ui:navLinks/fleet",
-                "saved_object:ingest-outputs/bulk_get",
-                "saved_object:ingest-outputs/get",
-                "saved_object:ingest-outputs/find",
-                "saved_object:ingest-outputs/open_point_in_time",
-                "saved_object:ingest-outputs/close_point_in_time",
-                "saved_object:ingest-agent-policies/bulk_get",
-                "saved_object:ingest-agent-policies/get",
-                "saved_object:ingest-agent-policies/find",
-                "saved_object:ingest-agent-policies/open_point_in_time",
-                "saved_object:ingest-agent-policies/close_point_in_time",
-                "saved_object:fleet-agent-policies/bulk_get",
-                "saved_object:fleet-agent-policies/get",
-                "saved_object:fleet-agent-policies/find",
-                "saved_object:fleet-agent-policies/open_point_in_time",
-                "saved_object:fleet-agent-policies/close_point_in_time",
-                "saved_object:ingest-package-policies/bulk_get",
-                "saved_object:ingest-package-policies/get",
-                "saved_object:ingest-package-policies/find",
-                "saved_object:ingest-package-policies/open_point_in_time",
-                "saved_object:ingest-package-policies/close_point_in_time",
-                "saved_object:fleet-package-policies/bulk_get",
-                "saved_object:fleet-package-policies/get",
-                "saved_object:fleet-package-policies/find",
-                "saved_object:fleet-package-policies/open_point_in_time",
-                "saved_object:fleet-package-policies/close_point_in_time",
-                "saved_object:epm-packages/bulk_get",
-                "saved_object:epm-packages/get",
-                "saved_object:epm-packages/find",
-                "saved_object:epm-packages/open_point_in_time",
-                "saved_object:epm-packages/close_point_in_time",
-                "saved_object:epm-packages-assets/bulk_get",
-                "saved_object:epm-packages-assets/get",
-                "saved_object:epm-packages-assets/find",
-                "saved_object:epm-packages-assets/open_point_in_time",
-                "saved_object:epm-packages-assets/close_point_in_time",
-                "saved_object:fleet-preconfiguration-deletion-record/bulk_get",
-                "saved_object:fleet-preconfiguration-deletion-record/get",
-                "saved_object:fleet-preconfiguration-deletion-record/find",
-                "saved_object:fleet-preconfiguration-deletion-record/open_point_in_time",
-                "saved_object:fleet-preconfiguration-deletion-record/close_point_in_time",
-                "saved_object:ingest-download-sources/bulk_get",
-                "saved_object:ingest-download-sources/get",
-                "saved_object:ingest-download-sources/find",
-                "saved_object:ingest-download-sources/open_point_in_time",
-                "saved_object:ingest-download-sources/close_point_in_time",
-                "saved_object:fleet-fleet-server-host/bulk_get",
-                "saved_object:fleet-fleet-server-host/get",
-                "saved_object:fleet-fleet-server-host/find",
-                "saved_object:fleet-fleet-server-host/open_point_in_time",
-                "saved_object:fleet-fleet-server-host/close_point_in_time",
-                "saved_object:fleet-proxy/bulk_get",
-                "saved_object:fleet-proxy/get",
-                "saved_object:fleet-proxy/find",
-                "saved_object:fleet-proxy/open_point_in_time",
-                "saved_object:fleet-proxy/close_point_in_time",
-                "saved_object:fleet-space-settings/bulk_get",
-                "saved_object:fleet-space-settings/get",
-                "saved_object:fleet-space-settings/find",
-                "saved_object:fleet-space-settings/open_point_in_time",
-                "saved_object:fleet-space-settings/close_point_in_time",
-                "saved_object:config/bulk_get",
-                "saved_object:config/get",
-                "saved_object:config/find",
-                "saved_object:config/open_point_in_time",
-                "saved_object:config/close_point_in_time",
-                "saved_object:config-global/bulk_get",
-                "saved_object:config-global/get",
-                "saved_object:config-global/find",
-                "saved_object:config-global/open_point_in_time",
-                "saved_object:config-global/close_point_in_time",
-                "saved_object:telemetry/bulk_get",
-                "saved_object:telemetry/get",
-                "saved_object:telemetry/find",
-                "saved_object:telemetry/open_point_in_time",
-                "saved_object:telemetry/close_point_in_time",
-                "saved_object:url/bulk_get",
-                "saved_object:url/get",
-                "saved_object:url/find",
-                "saved_object:url/open_point_in_time",
-                "saved_object:url/close_point_in_time",
-                "ui:fleetv2/read",
-                "api:infra",
-                "api:rac",
-                "app:infra",
-                "app:logs",
-                "app:kibana",
-                "app:observability-logs-explorer",
-                "ui:catalogue/infralogging",
-                "ui:catalogue/logs",
-                "ui:management/insightsAndAlerting/triggersActions",
-                "ui:navLinks/infra",
-                "ui:navLinks/logs",
-                "ui:navLinks/kibana",
-                "ui:navLinks/observability-logs-explorer",
-                "saved_object:infrastructure-ui-source/bulk_get",
-                "saved_object:infrastructure-ui-source/get",
-                "saved_object:infrastructure-ui-source/find",
-                "saved_object:infrastructure-ui-source/open_point_in_time",
-                "saved_object:infrastructure-ui-source/close_point_in_time",
-                "saved_object:infrastructure-monitoring-log-view/bulk_get",
-                "saved_object:infrastructure-monitoring-log-view/get",
-                "saved_object:infrastructure-monitoring-log-view/find",
-                "saved_object:infrastructure-monitoring-log-view/open_point_in_time",
-                "saved_object:infrastructure-monitoring-log-view/close_point_in_time",
-                "ui:logs/show",
-                "alerting:logs.alert.document.count/logs/rule/get",
-                "alerting:logs.alert.document.count/logs/rule/getRuleState",
-                "alerting:logs.alert.document.count/logs/rule/getAlertSummary",
-                "alerting:logs.alert.document.count/logs/rule/getExecutionLog",
-                "alerting:logs.alert.document.count/logs/rule/getActionErrorLog",
-                "alerting:logs.alert.document.count/logs/rule/find",
-                "alerting:logs.alert.document.count/logs/rule/getRuleExecutionKPI",
-                "alerting:logs.alert.document.count/logs/rule/getBackfill",
-                "alerting:logs.alert.document.count/logs/rule/findBackfill",
-                "alerting:.es-query/logs/rule/get",
-                "alerting:.es-query/logs/rule/getRuleState",
-                "alerting:.es-query/logs/rule/getAlertSummary",
-                "alerting:.es-query/logs/rule/getExecutionLog",
-                "alerting:.es-query/logs/rule/getActionErrorLog",
-                "alerting:.es-query/logs/rule/find",
-                "alerting:.es-query/logs/rule/getRuleExecutionKPI",
-                "alerting:.es-query/logs/rule/getBackfill",
-                "alerting:.es-query/logs/rule/findBackfill",
-                "alerting:observability.rules.custom_threshold/logs/rule/get",
-                "alerting:observability.rules.custom_threshold/logs/rule/getRuleState",
-                "alerting:observability.rules.custom_threshold/logs/rule/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/logs/rule/getExecutionLog",
-                "alerting:observability.rules.custom_threshold/logs/rule/getActionErrorLog",
-                "alerting:observability.rules.custom_threshold/logs/rule/find",
-                "alerting:observability.rules.custom_threshold/logs/rule/getRuleExecutionKPI",
-                "alerting:observability.rules.custom_threshold/logs/rule/getBackfill",
-                "alerting:observability.rules.custom_threshold/logs/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/get",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleState",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getExecutionLog",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getActionErrorLog",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/find",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleExecutionKPI",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/findBackfill",
-                "alerting:logs.alert.document.count/logs/alert/get",
-                "alerting:logs.alert.document.count/logs/alert/find",
-                "alerting:logs.alert.document.count/logs/alert/getAuthorizedAlertsIndices",
-                "alerting:logs.alert.document.count/logs/alert/getAlertSummary",
-                "alerting:.es-query/logs/alert/get",
-                "alerting:.es-query/logs/alert/find",
-                "alerting:.es-query/logs/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/logs/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/logs/alert/get",
-                "alerting:observability.rules.custom_threshold/logs/alert/find",
-                "alerting:observability.rules.custom_threshold/logs/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/logs/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAlertSummary",
-              ],
-              "read": Array [
-                "login:",
-                "api:fleet-read",
-                "app:fleet",
-                "ui:catalogue/fleet",
-                "ui:navLinks/fleet",
-                "saved_object:ingest-outputs/bulk_get",
-                "saved_object:ingest-outputs/get",
-                "saved_object:ingest-outputs/find",
-                "saved_object:ingest-outputs/open_point_in_time",
-                "saved_object:ingest-outputs/close_point_in_time",
-                "saved_object:ingest-agent-policies/bulk_get",
-                "saved_object:ingest-agent-policies/get",
-                "saved_object:ingest-agent-policies/find",
-                "saved_object:ingest-agent-policies/open_point_in_time",
-                "saved_object:ingest-agent-policies/close_point_in_time",
-                "saved_object:fleet-agent-policies/bulk_get",
-                "saved_object:fleet-agent-policies/get",
-                "saved_object:fleet-agent-policies/find",
-                "saved_object:fleet-agent-policies/open_point_in_time",
-                "saved_object:fleet-agent-policies/close_point_in_time",
-                "saved_object:ingest-package-policies/bulk_get",
-                "saved_object:ingest-package-policies/get",
-                "saved_object:ingest-package-policies/find",
-                "saved_object:ingest-package-policies/open_point_in_time",
-                "saved_object:ingest-package-policies/close_point_in_time",
-                "saved_object:fleet-package-policies/bulk_get",
-                "saved_object:fleet-package-policies/get",
-                "saved_object:fleet-package-policies/find",
-                "saved_object:fleet-package-policies/open_point_in_time",
-                "saved_object:fleet-package-policies/close_point_in_time",
-                "saved_object:epm-packages/bulk_get",
-                "saved_object:epm-packages/get",
-                "saved_object:epm-packages/find",
-                "saved_object:epm-packages/open_point_in_time",
-                "saved_object:epm-packages/close_point_in_time",
-                "saved_object:epm-packages-assets/bulk_get",
-                "saved_object:epm-packages-assets/get",
-                "saved_object:epm-packages-assets/find",
-                "saved_object:epm-packages-assets/open_point_in_time",
-                "saved_object:epm-packages-assets/close_point_in_time",
-                "saved_object:fleet-preconfiguration-deletion-record/bulk_get",
-                "saved_object:fleet-preconfiguration-deletion-record/get",
-                "saved_object:fleet-preconfiguration-deletion-record/find",
-                "saved_object:fleet-preconfiguration-deletion-record/open_point_in_time",
-                "saved_object:fleet-preconfiguration-deletion-record/close_point_in_time",
-                "saved_object:ingest-download-sources/bulk_get",
-                "saved_object:ingest-download-sources/get",
-                "saved_object:ingest-download-sources/find",
-                "saved_object:ingest-download-sources/open_point_in_time",
-                "saved_object:ingest-download-sources/close_point_in_time",
-                "saved_object:fleet-fleet-server-host/bulk_get",
-                "saved_object:fleet-fleet-server-host/get",
-                "saved_object:fleet-fleet-server-host/find",
-                "saved_object:fleet-fleet-server-host/open_point_in_time",
-                "saved_object:fleet-fleet-server-host/close_point_in_time",
-                "saved_object:fleet-proxy/bulk_get",
-                "saved_object:fleet-proxy/get",
-                "saved_object:fleet-proxy/find",
-                "saved_object:fleet-proxy/open_point_in_time",
-                "saved_object:fleet-proxy/close_point_in_time",
-                "saved_object:fleet-space-settings/bulk_get",
-                "saved_object:fleet-space-settings/get",
-                "saved_object:fleet-space-settings/find",
-                "saved_object:fleet-space-settings/open_point_in_time",
-                "saved_object:fleet-space-settings/close_point_in_time",
-                "saved_object:config/bulk_get",
-                "saved_object:config/get",
-                "saved_object:config/find",
-                "saved_object:config/open_point_in_time",
-                "saved_object:config/close_point_in_time",
-                "saved_object:config-global/bulk_get",
-                "saved_object:config-global/get",
-                "saved_object:config-global/find",
-                "saved_object:config-global/open_point_in_time",
-                "saved_object:config-global/close_point_in_time",
-                "saved_object:telemetry/bulk_get",
-                "saved_object:telemetry/get",
-                "saved_object:telemetry/find",
-                "saved_object:telemetry/open_point_in_time",
-                "saved_object:telemetry/close_point_in_time",
-                "saved_object:url/bulk_get",
-                "saved_object:url/get",
-                "saved_object:url/find",
-                "saved_object:url/open_point_in_time",
-                "saved_object:url/close_point_in_time",
-                "ui:fleetv2/read",
-                "api:infra",
-                "api:rac",
-                "app:infra",
-                "app:logs",
-                "app:kibana",
-                "app:observability-logs-explorer",
-                "ui:catalogue/infralogging",
-                "ui:catalogue/logs",
-                "ui:management/insightsAndAlerting/triggersActions",
-                "ui:navLinks/infra",
-                "ui:navLinks/logs",
-                "ui:navLinks/kibana",
-                "ui:navLinks/observability-logs-explorer",
-                "saved_object:infrastructure-ui-source/bulk_get",
-                "saved_object:infrastructure-ui-source/get",
-                "saved_object:infrastructure-ui-source/find",
-                "saved_object:infrastructure-ui-source/open_point_in_time",
-                "saved_object:infrastructure-ui-source/close_point_in_time",
-                "saved_object:infrastructure-monitoring-log-view/bulk_get",
-                "saved_object:infrastructure-monitoring-log-view/get",
-                "saved_object:infrastructure-monitoring-log-view/find",
-                "saved_object:infrastructure-monitoring-log-view/open_point_in_time",
-                "saved_object:infrastructure-monitoring-log-view/close_point_in_time",
-                "ui:logs/show",
-                "alerting:logs.alert.document.count/logs/rule/get",
-                "alerting:logs.alert.document.count/logs/rule/getRuleState",
-                "alerting:logs.alert.document.count/logs/rule/getAlertSummary",
-                "alerting:logs.alert.document.count/logs/rule/getExecutionLog",
-                "alerting:logs.alert.document.count/logs/rule/getActionErrorLog",
-                "alerting:logs.alert.document.count/logs/rule/find",
-                "alerting:logs.alert.document.count/logs/rule/getRuleExecutionKPI",
-                "alerting:logs.alert.document.count/logs/rule/getBackfill",
-                "alerting:logs.alert.document.count/logs/rule/findBackfill",
-                "alerting:.es-query/logs/rule/get",
-                "alerting:.es-query/logs/rule/getRuleState",
-                "alerting:.es-query/logs/rule/getAlertSummary",
-                "alerting:.es-query/logs/rule/getExecutionLog",
-                "alerting:.es-query/logs/rule/getActionErrorLog",
-                "alerting:.es-query/logs/rule/find",
-                "alerting:.es-query/logs/rule/getRuleExecutionKPI",
-                "alerting:.es-query/logs/rule/getBackfill",
-                "alerting:.es-query/logs/rule/findBackfill",
-                "alerting:observability.rules.custom_threshold/logs/rule/get",
-                "alerting:observability.rules.custom_threshold/logs/rule/getRuleState",
-                "alerting:observability.rules.custom_threshold/logs/rule/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/logs/rule/getExecutionLog",
-                "alerting:observability.rules.custom_threshold/logs/rule/getActionErrorLog",
-                "alerting:observability.rules.custom_threshold/logs/rule/find",
-                "alerting:observability.rules.custom_threshold/logs/rule/getRuleExecutionKPI",
-                "alerting:observability.rules.custom_threshold/logs/rule/getBackfill",
-                "alerting:observability.rules.custom_threshold/logs/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/get",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleState",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getExecutionLog",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getActionErrorLog",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/find",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleExecutionKPI",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/findBackfill",
-                "alerting:logs.alert.document.count/logs/alert/get",
-                "alerting:logs.alert.document.count/logs/alert/find",
-                "alerting:logs.alert.document.count/logs/alert/getAuthorizedAlertsIndices",
-                "alerting:logs.alert.document.count/logs/alert/getAlertSummary",
-                "alerting:.es-query/logs/alert/get",
-                "alerting:.es-query/logs/alert/find",
-                "alerting:.es-query/logs/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/logs/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/logs/alert/get",
-                "alerting:observability.rules.custom_threshold/logs/alert/find",
-                "alerting:observability.rules.custom_threshold/logs/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/logs/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAlertSummary",
-              ],
-            },
-            "infrastructure": Object {
-              "all": Array [
-                "login:",
-                "api:infra",
-                "api:rac",
-                "app:infra",
-                "app:metrics",
-                "app:kibana",
-                "ui:catalogue/infraops",
-                "ui:catalogue/metrics",
-                "ui:management/insightsAndAlerting/triggersActions",
-                "ui:navLinks/infra",
-                "ui:navLinks/metrics",
-                "ui:navLinks/kibana",
-                "saved_object:infrastructure-ui-source/bulk_get",
-                "saved_object:infrastructure-ui-source/get",
-                "saved_object:infrastructure-ui-source/find",
-                "saved_object:infrastructure-ui-source/open_point_in_time",
-                "saved_object:infrastructure-ui-source/close_point_in_time",
-                "saved_object:infrastructure-ui-source/create",
-                "saved_object:infrastructure-ui-source/bulk_create",
-                "saved_object:infrastructure-ui-source/update",
-                "saved_object:infrastructure-ui-source/bulk_update",
-                "saved_object:infrastructure-ui-source/delete",
-                "saved_object:infrastructure-ui-source/bulk_delete",
-                "saved_object:infrastructure-ui-source/share_to_space",
-                "saved_object:metrics-data-source/bulk_get",
-                "saved_object:metrics-data-source/get",
-                "saved_object:metrics-data-source/find",
-                "saved_object:metrics-data-source/open_point_in_time",
-                "saved_object:metrics-data-source/close_point_in_time",
-                "saved_object:metrics-data-source/create",
-                "saved_object:metrics-data-source/bulk_create",
-                "saved_object:metrics-data-source/update",
-                "saved_object:metrics-data-source/bulk_update",
-                "saved_object:metrics-data-source/delete",
-                "saved_object:metrics-data-source/bulk_delete",
-                "saved_object:metrics-data-source/share_to_space",
-                "saved_object:telemetry/bulk_get",
-                "saved_object:telemetry/get",
-                "saved_object:telemetry/find",
-                "saved_object:telemetry/open_point_in_time",
-                "saved_object:telemetry/close_point_in_time",
-                "saved_object:telemetry/create",
-                "saved_object:telemetry/bulk_create",
-                "saved_object:telemetry/update",
-                "saved_object:telemetry/bulk_update",
-                "saved_object:telemetry/delete",
-                "saved_object:telemetry/bulk_delete",
-                "saved_object:telemetry/share_to_space",
-                "saved_object:index-pattern/bulk_get",
-                "saved_object:index-pattern/get",
-                "saved_object:index-pattern/find",
-                "saved_object:index-pattern/open_point_in_time",
-                "saved_object:index-pattern/close_point_in_time",
-                "saved_object:config/bulk_get",
-                "saved_object:config/get",
-                "saved_object:config/find",
-                "saved_object:config/open_point_in_time",
-                "saved_object:config/close_point_in_time",
-                "saved_object:config-global/bulk_get",
-                "saved_object:config-global/get",
-                "saved_object:config-global/find",
-                "saved_object:config-global/open_point_in_time",
-                "saved_object:config-global/close_point_in_time",
-                "saved_object:url/bulk_get",
-                "saved_object:url/get",
-                "saved_object:url/find",
-                "saved_object:url/open_point_in_time",
-                "saved_object:url/close_point_in_time",
-                "ui:infrastructure/show",
-                "ui:infrastructure/configureSource",
-                "ui:infrastructure/save",
-                "alerting:metrics.alert.threshold/infrastructure/rule/get",
-                "alerting:metrics.alert.threshold/infrastructure/rule/getRuleState",
-                "alerting:metrics.alert.threshold/infrastructure/rule/getAlertSummary",
-                "alerting:metrics.alert.threshold/infrastructure/rule/getExecutionLog",
-                "alerting:metrics.alert.threshold/infrastructure/rule/getActionErrorLog",
-                "alerting:metrics.alert.threshold/infrastructure/rule/find",
-                "alerting:metrics.alert.threshold/infrastructure/rule/getRuleExecutionKPI",
-                "alerting:metrics.alert.threshold/infrastructure/rule/getBackfill",
-                "alerting:metrics.alert.threshold/infrastructure/rule/findBackfill",
-                "alerting:metrics.alert.threshold/infrastructure/rule/create",
-                "alerting:metrics.alert.threshold/infrastructure/rule/delete",
-                "alerting:metrics.alert.threshold/infrastructure/rule/update",
-                "alerting:metrics.alert.threshold/infrastructure/rule/updateApiKey",
-                "alerting:metrics.alert.threshold/infrastructure/rule/enable",
-                "alerting:metrics.alert.threshold/infrastructure/rule/disable",
-                "alerting:metrics.alert.threshold/infrastructure/rule/muteAll",
-                "alerting:metrics.alert.threshold/infrastructure/rule/unmuteAll",
-                "alerting:metrics.alert.threshold/infrastructure/rule/muteAlert",
-                "alerting:metrics.alert.threshold/infrastructure/rule/unmuteAlert",
-                "alerting:metrics.alert.threshold/infrastructure/rule/snooze",
-                "alerting:metrics.alert.threshold/infrastructure/rule/bulkEdit",
-                "alerting:metrics.alert.threshold/infrastructure/rule/bulkDelete",
-                "alerting:metrics.alert.threshold/infrastructure/rule/bulkEnable",
-                "alerting:metrics.alert.threshold/infrastructure/rule/bulkDisable",
-                "alerting:metrics.alert.threshold/infrastructure/rule/unsnooze",
-                "alerting:metrics.alert.threshold/infrastructure/rule/runSoon",
-                "alerting:metrics.alert.threshold/infrastructure/rule/scheduleBackfill",
-                "alerting:metrics.alert.threshold/infrastructure/rule/deleteBackfill",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/get",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getRuleState",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getExecutionLog",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getActionErrorLog",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/find",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getRuleExecutionKPI",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getBackfill",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/findBackfill",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/create",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/delete",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/update",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/updateApiKey",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/enable",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/disable",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/muteAll",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/unmuteAll",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/muteAlert",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/unmuteAlert",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/snooze",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/bulkEdit",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/bulkDelete",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/bulkEnable",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/bulkDisable",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/unsnooze",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/runSoon",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/scheduleBackfill",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/deleteBackfill",
-                "alerting:.es-query/infrastructure/rule/get",
-                "alerting:.es-query/infrastructure/rule/getRuleState",
-                "alerting:.es-query/infrastructure/rule/getAlertSummary",
-                "alerting:.es-query/infrastructure/rule/getExecutionLog",
-                "alerting:.es-query/infrastructure/rule/getActionErrorLog",
-                "alerting:.es-query/infrastructure/rule/find",
-                "alerting:.es-query/infrastructure/rule/getRuleExecutionKPI",
-                "alerting:.es-query/infrastructure/rule/getBackfill",
-                "alerting:.es-query/infrastructure/rule/findBackfill",
-                "alerting:.es-query/infrastructure/rule/create",
-                "alerting:.es-query/infrastructure/rule/delete",
-                "alerting:.es-query/infrastructure/rule/update",
-                "alerting:.es-query/infrastructure/rule/updateApiKey",
-                "alerting:.es-query/infrastructure/rule/enable",
-                "alerting:.es-query/infrastructure/rule/disable",
-                "alerting:.es-query/infrastructure/rule/muteAll",
-                "alerting:.es-query/infrastructure/rule/unmuteAll",
-                "alerting:.es-query/infrastructure/rule/muteAlert",
-                "alerting:.es-query/infrastructure/rule/unmuteAlert",
-                "alerting:.es-query/infrastructure/rule/snooze",
-                "alerting:.es-query/infrastructure/rule/bulkEdit",
-                "alerting:.es-query/infrastructure/rule/bulkDelete",
-                "alerting:.es-query/infrastructure/rule/bulkEnable",
-                "alerting:.es-query/infrastructure/rule/bulkDisable",
-                "alerting:.es-query/infrastructure/rule/unsnooze",
-                "alerting:.es-query/infrastructure/rule/runSoon",
-                "alerting:.es-query/infrastructure/rule/scheduleBackfill",
-                "alerting:.es-query/infrastructure/rule/deleteBackfill",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/get",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/getRuleState",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/getExecutionLog",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/getActionErrorLog",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/find",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/getRuleExecutionKPI",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/getBackfill",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/findBackfill",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/create",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/delete",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/update",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/updateApiKey",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/enable",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/disable",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/muteAll",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/unmuteAll",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/muteAlert",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/unmuteAlert",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/snooze",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/bulkEdit",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/bulkDelete",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/bulkEnable",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/bulkDisable",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/unsnooze",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/runSoon",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/scheduleBackfill",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/deleteBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/get",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getRuleState",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getExecutionLog",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getActionErrorLog",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/find",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getRuleExecutionKPI",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/create",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/delete",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/update",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/updateApiKey",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/enable",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/disable",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/muteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/unmuteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/muteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/unmuteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/snooze",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/bulkEdit",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/bulkDelete",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/bulkEnable",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/bulkDisable",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/unsnooze",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/runSoon",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/scheduleBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/deleteBackfill",
-                "alerting:metrics.alert.threshold/infrastructure/alert/get",
-                "alerting:metrics.alert.threshold/infrastructure/alert/find",
-                "alerting:metrics.alert.threshold/infrastructure/alert/getAuthorizedAlertsIndices",
-                "alerting:metrics.alert.threshold/infrastructure/alert/getAlertSummary",
-                "alerting:metrics.alert.threshold/infrastructure/alert/update",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/alert/get",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/alert/find",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/alert/getAuthorizedAlertsIndices",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/alert/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/alert/update",
-                "alerting:.es-query/infrastructure/alert/get",
-                "alerting:.es-query/infrastructure/alert/find",
-                "alerting:.es-query/infrastructure/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/infrastructure/alert/getAlertSummary",
-                "alerting:.es-query/infrastructure/alert/update",
-                "alerting:observability.rules.custom_threshold/infrastructure/alert/get",
-                "alerting:observability.rules.custom_threshold/infrastructure/alert/find",
-                "alerting:observability.rules.custom_threshold/infrastructure/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/infrastructure/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/infrastructure/alert/update",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/update",
-                "app:logs",
-                "app:observability-logs-explorer",
-                "ui:catalogue/infralogging",
-                "ui:catalogue/logs",
-                "ui:navLinks/logs",
-                "ui:navLinks/observability-logs-explorer",
-                "saved_object:infrastructure-monitoring-log-view/bulk_get",
-                "saved_object:infrastructure-monitoring-log-view/get",
-                "saved_object:infrastructure-monitoring-log-view/find",
-                "saved_object:infrastructure-monitoring-log-view/open_point_in_time",
-                "saved_object:infrastructure-monitoring-log-view/close_point_in_time",
-                "saved_object:infrastructure-monitoring-log-view/create",
-                "saved_object:infrastructure-monitoring-log-view/bulk_create",
-                "saved_object:infrastructure-monitoring-log-view/update",
-                "saved_object:infrastructure-monitoring-log-view/bulk_update",
-                "saved_object:infrastructure-monitoring-log-view/delete",
-                "saved_object:infrastructure-monitoring-log-view/bulk_delete",
-                "saved_object:infrastructure-monitoring-log-view/share_to_space",
-                "ui:logs/show",
-                "ui:logs/configureSource",
-                "ui:logs/save",
-                "alerting:logs.alert.document.count/logs/rule/get",
-                "alerting:logs.alert.document.count/logs/rule/getRuleState",
-                "alerting:logs.alert.document.count/logs/rule/getAlertSummary",
-                "alerting:logs.alert.document.count/logs/rule/getExecutionLog",
-                "alerting:logs.alert.document.count/logs/rule/getActionErrorLog",
-                "alerting:logs.alert.document.count/logs/rule/find",
-                "alerting:logs.alert.document.count/logs/rule/getRuleExecutionKPI",
-                "alerting:logs.alert.document.count/logs/rule/getBackfill",
-                "alerting:logs.alert.document.count/logs/rule/findBackfill",
-                "alerting:logs.alert.document.count/logs/rule/create",
-                "alerting:logs.alert.document.count/logs/rule/delete",
-                "alerting:logs.alert.document.count/logs/rule/update",
-                "alerting:logs.alert.document.count/logs/rule/updateApiKey",
-                "alerting:logs.alert.document.count/logs/rule/enable",
-                "alerting:logs.alert.document.count/logs/rule/disable",
-                "alerting:logs.alert.document.count/logs/rule/muteAll",
-                "alerting:logs.alert.document.count/logs/rule/unmuteAll",
-                "alerting:logs.alert.document.count/logs/rule/muteAlert",
-                "alerting:logs.alert.document.count/logs/rule/unmuteAlert",
-                "alerting:logs.alert.document.count/logs/rule/snooze",
-                "alerting:logs.alert.document.count/logs/rule/bulkEdit",
-                "alerting:logs.alert.document.count/logs/rule/bulkDelete",
-                "alerting:logs.alert.document.count/logs/rule/bulkEnable",
-                "alerting:logs.alert.document.count/logs/rule/bulkDisable",
-                "alerting:logs.alert.document.count/logs/rule/unsnooze",
-                "alerting:logs.alert.document.count/logs/rule/runSoon",
-                "alerting:logs.alert.document.count/logs/rule/scheduleBackfill",
-                "alerting:logs.alert.document.count/logs/rule/deleteBackfill",
-                "alerting:.es-query/logs/rule/get",
-                "alerting:.es-query/logs/rule/getRuleState",
-                "alerting:.es-query/logs/rule/getAlertSummary",
-                "alerting:.es-query/logs/rule/getExecutionLog",
-                "alerting:.es-query/logs/rule/getActionErrorLog",
-                "alerting:.es-query/logs/rule/find",
-                "alerting:.es-query/logs/rule/getRuleExecutionKPI",
-                "alerting:.es-query/logs/rule/getBackfill",
-                "alerting:.es-query/logs/rule/findBackfill",
-                "alerting:.es-query/logs/rule/create",
-                "alerting:.es-query/logs/rule/delete",
-                "alerting:.es-query/logs/rule/update",
-                "alerting:.es-query/logs/rule/updateApiKey",
-                "alerting:.es-query/logs/rule/enable",
-                "alerting:.es-query/logs/rule/disable",
-                "alerting:.es-query/logs/rule/muteAll",
-                "alerting:.es-query/logs/rule/unmuteAll",
-                "alerting:.es-query/logs/rule/muteAlert",
-                "alerting:.es-query/logs/rule/unmuteAlert",
-                "alerting:.es-query/logs/rule/snooze",
-                "alerting:.es-query/logs/rule/bulkEdit",
-                "alerting:.es-query/logs/rule/bulkDelete",
-                "alerting:.es-query/logs/rule/bulkEnable",
-                "alerting:.es-query/logs/rule/bulkDisable",
-                "alerting:.es-query/logs/rule/unsnooze",
-                "alerting:.es-query/logs/rule/runSoon",
-                "alerting:.es-query/logs/rule/scheduleBackfill",
-                "alerting:.es-query/logs/rule/deleteBackfill",
-                "alerting:observability.rules.custom_threshold/logs/rule/get",
-                "alerting:observability.rules.custom_threshold/logs/rule/getRuleState",
-                "alerting:observability.rules.custom_threshold/logs/rule/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/logs/rule/getExecutionLog",
-                "alerting:observability.rules.custom_threshold/logs/rule/getActionErrorLog",
-                "alerting:observability.rules.custom_threshold/logs/rule/find",
-                "alerting:observability.rules.custom_threshold/logs/rule/getRuleExecutionKPI",
-                "alerting:observability.rules.custom_threshold/logs/rule/getBackfill",
-                "alerting:observability.rules.custom_threshold/logs/rule/findBackfill",
-                "alerting:observability.rules.custom_threshold/logs/rule/create",
-                "alerting:observability.rules.custom_threshold/logs/rule/delete",
-                "alerting:observability.rules.custom_threshold/logs/rule/update",
-                "alerting:observability.rules.custom_threshold/logs/rule/updateApiKey",
-                "alerting:observability.rules.custom_threshold/logs/rule/enable",
-                "alerting:observability.rules.custom_threshold/logs/rule/disable",
-                "alerting:observability.rules.custom_threshold/logs/rule/muteAll",
-                "alerting:observability.rules.custom_threshold/logs/rule/unmuteAll",
-                "alerting:observability.rules.custom_threshold/logs/rule/muteAlert",
-                "alerting:observability.rules.custom_threshold/logs/rule/unmuteAlert",
-                "alerting:observability.rules.custom_threshold/logs/rule/snooze",
-                "alerting:observability.rules.custom_threshold/logs/rule/bulkEdit",
-                "alerting:observability.rules.custom_threshold/logs/rule/bulkDelete",
-                "alerting:observability.rules.custom_threshold/logs/rule/bulkEnable",
-                "alerting:observability.rules.custom_threshold/logs/rule/bulkDisable",
-                "alerting:observability.rules.custom_threshold/logs/rule/unsnooze",
-                "alerting:observability.rules.custom_threshold/logs/rule/runSoon",
-                "alerting:observability.rules.custom_threshold/logs/rule/scheduleBackfill",
-                "alerting:observability.rules.custom_threshold/logs/rule/deleteBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/get",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleState",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getExecutionLog",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getActionErrorLog",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/find",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleExecutionKPI",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/create",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/delete",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/update",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/updateApiKey",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/enable",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/disable",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/muteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/unmuteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/muteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/unmuteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/snooze",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkEdit",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkDelete",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkEnable",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkDisable",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/unsnooze",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/runSoon",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/scheduleBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/deleteBackfill",
-                "alerting:logs.alert.document.count/logs/alert/get",
-                "alerting:logs.alert.document.count/logs/alert/find",
-                "alerting:logs.alert.document.count/logs/alert/getAuthorizedAlertsIndices",
-                "alerting:logs.alert.document.count/logs/alert/getAlertSummary",
-                "alerting:logs.alert.document.count/logs/alert/update",
-                "alerting:.es-query/logs/alert/get",
-                "alerting:.es-query/logs/alert/find",
-                "alerting:.es-query/logs/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/logs/alert/getAlertSummary",
-                "alerting:.es-query/logs/alert/update",
-                "alerting:observability.rules.custom_threshold/logs/alert/get",
-                "alerting:observability.rules.custom_threshold/logs/alert/find",
-                "alerting:observability.rules.custom_threshold/logs/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/logs/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/logs/alert/update",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/update",
-                "app:observability",
-                "ui:catalogue/observability",
-                "ui:navLinks/observability",
-                "ui:observability/read",
-                "ui:observability/write",
-                "alerting:slo.rules.burnRate/observability/rule/get",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
-                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
-                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
-                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
-                "alerting:slo.rules.burnRate/observability/rule/find",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
-                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/create",
-                "alerting:slo.rules.burnRate/observability/rule/delete",
-                "alerting:slo.rules.burnRate/observability/rule/update",
-                "alerting:slo.rules.burnRate/observability/rule/updateApiKey",
-                "alerting:slo.rules.burnRate/observability/rule/enable",
-                "alerting:slo.rules.burnRate/observability/rule/disable",
-                "alerting:slo.rules.burnRate/observability/rule/muteAll",
-                "alerting:slo.rules.burnRate/observability/rule/unmuteAll",
-                "alerting:slo.rules.burnRate/observability/rule/muteAlert",
-                "alerting:slo.rules.burnRate/observability/rule/unmuteAlert",
-                "alerting:slo.rules.burnRate/observability/rule/snooze",
-                "alerting:slo.rules.burnRate/observability/rule/bulkEdit",
-                "alerting:slo.rules.burnRate/observability/rule/bulkDelete",
-                "alerting:slo.rules.burnRate/observability/rule/bulkEnable",
-                "alerting:slo.rules.burnRate/observability/rule/bulkDisable",
-                "alerting:slo.rules.burnRate/observability/rule/unsnooze",
-                "alerting:slo.rules.burnRate/observability/rule/runSoon",
-                "alerting:slo.rules.burnRate/observability/rule/scheduleBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/deleteBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/get",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
-                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/find",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/create",
-                "alerting:observability.rules.custom_threshold/observability/rule/delete",
-                "alerting:observability.rules.custom_threshold/observability/rule/update",
-                "alerting:observability.rules.custom_threshold/observability/rule/updateApiKey",
-                "alerting:observability.rules.custom_threshold/observability/rule/enable",
-                "alerting:observability.rules.custom_threshold/observability/rule/disable",
-                "alerting:observability.rules.custom_threshold/observability/rule/muteAll",
-                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAll",
-                "alerting:observability.rules.custom_threshold/observability/rule/muteAlert",
-                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAlert",
-                "alerting:observability.rules.custom_threshold/observability/rule/snooze",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkEdit",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkDelete",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkEnable",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkDisable",
-                "alerting:observability.rules.custom_threshold/observability/rule/unsnooze",
-                "alerting:observability.rules.custom_threshold/observability/rule/runSoon",
-                "alerting:observability.rules.custom_threshold/observability/rule/scheduleBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/deleteBackfill",
-                "alerting:.es-query/observability/rule/get",
-                "alerting:.es-query/observability/rule/getRuleState",
-                "alerting:.es-query/observability/rule/getAlertSummary",
-                "alerting:.es-query/observability/rule/getExecutionLog",
-                "alerting:.es-query/observability/rule/getActionErrorLog",
-                "alerting:.es-query/observability/rule/find",
-                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
-                "alerting:.es-query/observability/rule/getBackfill",
-                "alerting:.es-query/observability/rule/findBackfill",
-                "alerting:.es-query/observability/rule/create",
-                "alerting:.es-query/observability/rule/delete",
-                "alerting:.es-query/observability/rule/update",
-                "alerting:.es-query/observability/rule/updateApiKey",
-                "alerting:.es-query/observability/rule/enable",
-                "alerting:.es-query/observability/rule/disable",
-                "alerting:.es-query/observability/rule/muteAll",
-                "alerting:.es-query/observability/rule/unmuteAll",
-                "alerting:.es-query/observability/rule/muteAlert",
-                "alerting:.es-query/observability/rule/unmuteAlert",
-                "alerting:.es-query/observability/rule/snooze",
-                "alerting:.es-query/observability/rule/bulkEdit",
-                "alerting:.es-query/observability/rule/bulkDelete",
-                "alerting:.es-query/observability/rule/bulkEnable",
-                "alerting:.es-query/observability/rule/bulkDisable",
-                "alerting:.es-query/observability/rule/unsnooze",
-                "alerting:.es-query/observability/rule/runSoon",
-                "alerting:.es-query/observability/rule/scheduleBackfill",
-                "alerting:.es-query/observability/rule/deleteBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/create",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/delete",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/update",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/updateApiKey",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/enable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/disable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/snooze",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEdit",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDelete",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEnable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDisable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unsnooze",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/runSoon",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/scheduleBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/deleteBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/create",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/delete",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/update",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/updateApiKey",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/enable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/disable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAll",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAll",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAlert",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAlert",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/snooze",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEdit",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDelete",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEnable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDisable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unsnooze",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/runSoon",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/scheduleBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/deleteBackfill",
-                "alerting:apm.error_rate/observability/rule/get",
-                "alerting:apm.error_rate/observability/rule/getRuleState",
-                "alerting:apm.error_rate/observability/rule/getAlertSummary",
-                "alerting:apm.error_rate/observability/rule/getExecutionLog",
-                "alerting:apm.error_rate/observability/rule/getActionErrorLog",
-                "alerting:apm.error_rate/observability/rule/find",
-                "alerting:apm.error_rate/observability/rule/getRuleExecutionKPI",
-                "alerting:apm.error_rate/observability/rule/getBackfill",
-                "alerting:apm.error_rate/observability/rule/findBackfill",
-                "alerting:apm.error_rate/observability/rule/create",
-                "alerting:apm.error_rate/observability/rule/delete",
-                "alerting:apm.error_rate/observability/rule/update",
-                "alerting:apm.error_rate/observability/rule/updateApiKey",
-                "alerting:apm.error_rate/observability/rule/enable",
-                "alerting:apm.error_rate/observability/rule/disable",
-                "alerting:apm.error_rate/observability/rule/muteAll",
-                "alerting:apm.error_rate/observability/rule/unmuteAll",
-                "alerting:apm.error_rate/observability/rule/muteAlert",
-                "alerting:apm.error_rate/observability/rule/unmuteAlert",
-                "alerting:apm.error_rate/observability/rule/snooze",
-                "alerting:apm.error_rate/observability/rule/bulkEdit",
-                "alerting:apm.error_rate/observability/rule/bulkDelete",
-                "alerting:apm.error_rate/observability/rule/bulkEnable",
-                "alerting:apm.error_rate/observability/rule/bulkDisable",
-                "alerting:apm.error_rate/observability/rule/unsnooze",
-                "alerting:apm.error_rate/observability/rule/runSoon",
-                "alerting:apm.error_rate/observability/rule/scheduleBackfill",
-                "alerting:apm.error_rate/observability/rule/deleteBackfill",
-                "alerting:apm.transaction_error_rate/observability/rule/get",
-                "alerting:apm.transaction_error_rate/observability/rule/getRuleState",
-                "alerting:apm.transaction_error_rate/observability/rule/getAlertSummary",
-                "alerting:apm.transaction_error_rate/observability/rule/getExecutionLog",
-                "alerting:apm.transaction_error_rate/observability/rule/getActionErrorLog",
-                "alerting:apm.transaction_error_rate/observability/rule/find",
-                "alerting:apm.transaction_error_rate/observability/rule/getRuleExecutionKPI",
-                "alerting:apm.transaction_error_rate/observability/rule/getBackfill",
-                "alerting:apm.transaction_error_rate/observability/rule/findBackfill",
-                "alerting:apm.transaction_error_rate/observability/rule/create",
-                "alerting:apm.transaction_error_rate/observability/rule/delete",
-                "alerting:apm.transaction_error_rate/observability/rule/update",
-                "alerting:apm.transaction_error_rate/observability/rule/updateApiKey",
-                "alerting:apm.transaction_error_rate/observability/rule/enable",
-                "alerting:apm.transaction_error_rate/observability/rule/disable",
-                "alerting:apm.transaction_error_rate/observability/rule/muteAll",
-                "alerting:apm.transaction_error_rate/observability/rule/unmuteAll",
-                "alerting:apm.transaction_error_rate/observability/rule/muteAlert",
-                "alerting:apm.transaction_error_rate/observability/rule/unmuteAlert",
-                "alerting:apm.transaction_error_rate/observability/rule/snooze",
-                "alerting:apm.transaction_error_rate/observability/rule/bulkEdit",
-                "alerting:apm.transaction_error_rate/observability/rule/bulkDelete",
-                "alerting:apm.transaction_error_rate/observability/rule/bulkEnable",
-                "alerting:apm.transaction_error_rate/observability/rule/bulkDisable",
-                "alerting:apm.transaction_error_rate/observability/rule/unsnooze",
-                "alerting:apm.transaction_error_rate/observability/rule/runSoon",
-                "alerting:apm.transaction_error_rate/observability/rule/scheduleBackfill",
-                "alerting:apm.transaction_error_rate/observability/rule/deleteBackfill",
-                "alerting:apm.transaction_duration/observability/rule/get",
-                "alerting:apm.transaction_duration/observability/rule/getRuleState",
-                "alerting:apm.transaction_duration/observability/rule/getAlertSummary",
-                "alerting:apm.transaction_duration/observability/rule/getExecutionLog",
-                "alerting:apm.transaction_duration/observability/rule/getActionErrorLog",
-                "alerting:apm.transaction_duration/observability/rule/find",
-                "alerting:apm.transaction_duration/observability/rule/getRuleExecutionKPI",
-                "alerting:apm.transaction_duration/observability/rule/getBackfill",
-                "alerting:apm.transaction_duration/observability/rule/findBackfill",
-                "alerting:apm.transaction_duration/observability/rule/create",
-                "alerting:apm.transaction_duration/observability/rule/delete",
-                "alerting:apm.transaction_duration/observability/rule/update",
-                "alerting:apm.transaction_duration/observability/rule/updateApiKey",
-                "alerting:apm.transaction_duration/observability/rule/enable",
-                "alerting:apm.transaction_duration/observability/rule/disable",
-                "alerting:apm.transaction_duration/observability/rule/muteAll",
-                "alerting:apm.transaction_duration/observability/rule/unmuteAll",
-                "alerting:apm.transaction_duration/observability/rule/muteAlert",
-                "alerting:apm.transaction_duration/observability/rule/unmuteAlert",
-                "alerting:apm.transaction_duration/observability/rule/snooze",
-                "alerting:apm.transaction_duration/observability/rule/bulkEdit",
-                "alerting:apm.transaction_duration/observability/rule/bulkDelete",
-                "alerting:apm.transaction_duration/observability/rule/bulkEnable",
-                "alerting:apm.transaction_duration/observability/rule/bulkDisable",
-                "alerting:apm.transaction_duration/observability/rule/unsnooze",
-                "alerting:apm.transaction_duration/observability/rule/runSoon",
-                "alerting:apm.transaction_duration/observability/rule/scheduleBackfill",
-                "alerting:apm.transaction_duration/observability/rule/deleteBackfill",
-                "alerting:apm.anomaly/observability/rule/get",
-                "alerting:apm.anomaly/observability/rule/getRuleState",
-                "alerting:apm.anomaly/observability/rule/getAlertSummary",
-                "alerting:apm.anomaly/observability/rule/getExecutionLog",
-                "alerting:apm.anomaly/observability/rule/getActionErrorLog",
-                "alerting:apm.anomaly/observability/rule/find",
-                "alerting:apm.anomaly/observability/rule/getRuleExecutionKPI",
-                "alerting:apm.anomaly/observability/rule/getBackfill",
-                "alerting:apm.anomaly/observability/rule/findBackfill",
-                "alerting:apm.anomaly/observability/rule/create",
-                "alerting:apm.anomaly/observability/rule/delete",
-                "alerting:apm.anomaly/observability/rule/update",
-                "alerting:apm.anomaly/observability/rule/updateApiKey",
-                "alerting:apm.anomaly/observability/rule/enable",
-                "alerting:apm.anomaly/observability/rule/disable",
-                "alerting:apm.anomaly/observability/rule/muteAll",
-                "alerting:apm.anomaly/observability/rule/unmuteAll",
-                "alerting:apm.anomaly/observability/rule/muteAlert",
-                "alerting:apm.anomaly/observability/rule/unmuteAlert",
-                "alerting:apm.anomaly/observability/rule/snooze",
-                "alerting:apm.anomaly/observability/rule/bulkEdit",
-                "alerting:apm.anomaly/observability/rule/bulkDelete",
-                "alerting:apm.anomaly/observability/rule/bulkEnable",
-                "alerting:apm.anomaly/observability/rule/bulkDisable",
-                "alerting:apm.anomaly/observability/rule/unsnooze",
-                "alerting:apm.anomaly/observability/rule/runSoon",
-                "alerting:apm.anomaly/observability/rule/scheduleBackfill",
-                "alerting:apm.anomaly/observability/rule/deleteBackfill",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/get",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleState",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getExecutionLog",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getActionErrorLog",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/find",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getBackfill",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/findBackfill",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/create",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/delete",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/update",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/updateApiKey",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/enable",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/disable",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/muteAll",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unmuteAll",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/muteAlert",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unmuteAlert",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/snooze",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkEdit",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkDelete",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkEnable",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkDisable",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unsnooze",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/runSoon",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/scheduleBackfill",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/deleteBackfill",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/get",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleState",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getExecutionLog",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getActionErrorLog",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/find",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getBackfill",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/findBackfill",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/create",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/delete",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/update",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/updateApiKey",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/enable",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/disable",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/muteAll",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/unmuteAll",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/muteAlert",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/unmuteAlert",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/snooze",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkEdit",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkDelete",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkEnable",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkDisable",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/unsnooze",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/runSoon",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/scheduleBackfill",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/deleteBackfill",
-                "alerting:slo.rules.burnRate/observability/alert/get",
-                "alerting:slo.rules.burnRate/observability/alert/find",
-                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
-                "alerting:slo.rules.burnRate/observability/alert/update",
-                "alerting:observability.rules.custom_threshold/observability/alert/get",
-                "alerting:observability.rules.custom_threshold/observability/alert/find",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/alert/update",
-                "alerting:.es-query/observability/alert/get",
-                "alerting:.es-query/observability/alert/find",
-                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/observability/alert/getAlertSummary",
-                "alerting:.es-query/observability/alert/update",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/update",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/update",
-                "alerting:apm.error_rate/observability/alert/get",
-                "alerting:apm.error_rate/observability/alert/find",
-                "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.error_rate/observability/alert/getAlertSummary",
-                "alerting:apm.error_rate/observability/alert/update",
-                "alerting:apm.transaction_error_rate/observability/alert/get",
-                "alerting:apm.transaction_error_rate/observability/alert/find",
-                "alerting:apm.transaction_error_rate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.transaction_error_rate/observability/alert/getAlertSummary",
-                "alerting:apm.transaction_error_rate/observability/alert/update",
-                "alerting:apm.transaction_duration/observability/alert/get",
-                "alerting:apm.transaction_duration/observability/alert/find",
-                "alerting:apm.transaction_duration/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.transaction_duration/observability/alert/getAlertSummary",
-                "alerting:apm.transaction_duration/observability/alert/update",
-                "alerting:apm.anomaly/observability/alert/get",
-                "alerting:apm.anomaly/observability/alert/find",
-                "alerting:apm.anomaly/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:apm.anomaly/observability/alert/getAlertSummary",
-                "alerting:apm.anomaly/observability/alert/update",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/get",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/update",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/get",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/find",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/update",
-              ],
-              "minimal_all": Array [
-                "login:",
-                "api:infra",
-                "api:rac",
-                "app:infra",
-                "app:metrics",
-                "app:kibana",
-                "ui:catalogue/infraops",
-                "ui:catalogue/metrics",
-                "ui:management/insightsAndAlerting/triggersActions",
-                "ui:navLinks/infra",
-                "ui:navLinks/metrics",
-                "ui:navLinks/kibana",
-                "saved_object:infrastructure-ui-source/bulk_get",
-                "saved_object:infrastructure-ui-source/get",
-                "saved_object:infrastructure-ui-source/find",
-                "saved_object:infrastructure-ui-source/open_point_in_time",
-                "saved_object:infrastructure-ui-source/close_point_in_time",
-                "saved_object:infrastructure-ui-source/create",
-                "saved_object:infrastructure-ui-source/bulk_create",
-                "saved_object:infrastructure-ui-source/update",
-                "saved_object:infrastructure-ui-source/bulk_update",
-                "saved_object:infrastructure-ui-source/delete",
-                "saved_object:infrastructure-ui-source/bulk_delete",
-                "saved_object:infrastructure-ui-source/share_to_space",
-                "saved_object:metrics-data-source/bulk_get",
-                "saved_object:metrics-data-source/get",
-                "saved_object:metrics-data-source/find",
-                "saved_object:metrics-data-source/open_point_in_time",
-                "saved_object:metrics-data-source/close_point_in_time",
-                "saved_object:metrics-data-source/create",
-                "saved_object:metrics-data-source/bulk_create",
-                "saved_object:metrics-data-source/update",
-                "saved_object:metrics-data-source/bulk_update",
-                "saved_object:metrics-data-source/delete",
-                "saved_object:metrics-data-source/bulk_delete",
-                "saved_object:metrics-data-source/share_to_space",
-                "saved_object:telemetry/bulk_get",
-                "saved_object:telemetry/get",
-                "saved_object:telemetry/find",
-                "saved_object:telemetry/open_point_in_time",
-                "saved_object:telemetry/close_point_in_time",
-                "saved_object:telemetry/create",
-                "saved_object:telemetry/bulk_create",
-                "saved_object:telemetry/update",
-                "saved_object:telemetry/bulk_update",
-                "saved_object:telemetry/delete",
-                "saved_object:telemetry/bulk_delete",
-                "saved_object:telemetry/share_to_space",
-                "saved_object:index-pattern/bulk_get",
-                "saved_object:index-pattern/get",
-                "saved_object:index-pattern/find",
-                "saved_object:index-pattern/open_point_in_time",
-                "saved_object:index-pattern/close_point_in_time",
-                "saved_object:config/bulk_get",
-                "saved_object:config/get",
-                "saved_object:config/find",
-                "saved_object:config/open_point_in_time",
-                "saved_object:config/close_point_in_time",
-                "saved_object:config-global/bulk_get",
-                "saved_object:config-global/get",
-                "saved_object:config-global/find",
-                "saved_object:config-global/open_point_in_time",
-                "saved_object:config-global/close_point_in_time",
-                "saved_object:url/bulk_get",
-                "saved_object:url/get",
-                "saved_object:url/find",
-                "saved_object:url/open_point_in_time",
-                "saved_object:url/close_point_in_time",
-                "ui:infrastructure/show",
-                "ui:infrastructure/configureSource",
-                "ui:infrastructure/save",
-                "alerting:metrics.alert.threshold/infrastructure/rule/get",
-                "alerting:metrics.alert.threshold/infrastructure/rule/getRuleState",
-                "alerting:metrics.alert.threshold/infrastructure/rule/getAlertSummary",
-                "alerting:metrics.alert.threshold/infrastructure/rule/getExecutionLog",
-                "alerting:metrics.alert.threshold/infrastructure/rule/getActionErrorLog",
-                "alerting:metrics.alert.threshold/infrastructure/rule/find",
-                "alerting:metrics.alert.threshold/infrastructure/rule/getRuleExecutionKPI",
-                "alerting:metrics.alert.threshold/infrastructure/rule/getBackfill",
-                "alerting:metrics.alert.threshold/infrastructure/rule/findBackfill",
-                "alerting:metrics.alert.threshold/infrastructure/rule/create",
-                "alerting:metrics.alert.threshold/infrastructure/rule/delete",
-                "alerting:metrics.alert.threshold/infrastructure/rule/update",
-                "alerting:metrics.alert.threshold/infrastructure/rule/updateApiKey",
-                "alerting:metrics.alert.threshold/infrastructure/rule/enable",
-                "alerting:metrics.alert.threshold/infrastructure/rule/disable",
-                "alerting:metrics.alert.threshold/infrastructure/rule/muteAll",
-                "alerting:metrics.alert.threshold/infrastructure/rule/unmuteAll",
-                "alerting:metrics.alert.threshold/infrastructure/rule/muteAlert",
-                "alerting:metrics.alert.threshold/infrastructure/rule/unmuteAlert",
-                "alerting:metrics.alert.threshold/infrastructure/rule/snooze",
-                "alerting:metrics.alert.threshold/infrastructure/rule/bulkEdit",
-                "alerting:metrics.alert.threshold/infrastructure/rule/bulkDelete",
-                "alerting:metrics.alert.threshold/infrastructure/rule/bulkEnable",
-                "alerting:metrics.alert.threshold/infrastructure/rule/bulkDisable",
-                "alerting:metrics.alert.threshold/infrastructure/rule/unsnooze",
-                "alerting:metrics.alert.threshold/infrastructure/rule/runSoon",
-                "alerting:metrics.alert.threshold/infrastructure/rule/scheduleBackfill",
-                "alerting:metrics.alert.threshold/infrastructure/rule/deleteBackfill",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/get",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getRuleState",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getExecutionLog",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getActionErrorLog",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/find",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getRuleExecutionKPI",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getBackfill",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/findBackfill",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/create",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/delete",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/update",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/updateApiKey",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/enable",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/disable",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/muteAll",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/unmuteAll",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/muteAlert",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/unmuteAlert",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/snooze",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/bulkEdit",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/bulkDelete",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/bulkEnable",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/bulkDisable",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/unsnooze",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/runSoon",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/scheduleBackfill",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/deleteBackfill",
-                "alerting:.es-query/infrastructure/rule/get",
-                "alerting:.es-query/infrastructure/rule/getRuleState",
-                "alerting:.es-query/infrastructure/rule/getAlertSummary",
-                "alerting:.es-query/infrastructure/rule/getExecutionLog",
-                "alerting:.es-query/infrastructure/rule/getActionErrorLog",
-                "alerting:.es-query/infrastructure/rule/find",
-                "alerting:.es-query/infrastructure/rule/getRuleExecutionKPI",
-                "alerting:.es-query/infrastructure/rule/getBackfill",
-                "alerting:.es-query/infrastructure/rule/findBackfill",
-                "alerting:.es-query/infrastructure/rule/create",
-                "alerting:.es-query/infrastructure/rule/delete",
-                "alerting:.es-query/infrastructure/rule/update",
-                "alerting:.es-query/infrastructure/rule/updateApiKey",
-                "alerting:.es-query/infrastructure/rule/enable",
-                "alerting:.es-query/infrastructure/rule/disable",
-                "alerting:.es-query/infrastructure/rule/muteAll",
-                "alerting:.es-query/infrastructure/rule/unmuteAll",
-                "alerting:.es-query/infrastructure/rule/muteAlert",
-                "alerting:.es-query/infrastructure/rule/unmuteAlert",
-                "alerting:.es-query/infrastructure/rule/snooze",
-                "alerting:.es-query/infrastructure/rule/bulkEdit",
-                "alerting:.es-query/infrastructure/rule/bulkDelete",
-                "alerting:.es-query/infrastructure/rule/bulkEnable",
-                "alerting:.es-query/infrastructure/rule/bulkDisable",
-                "alerting:.es-query/infrastructure/rule/unsnooze",
-                "alerting:.es-query/infrastructure/rule/runSoon",
-                "alerting:.es-query/infrastructure/rule/scheduleBackfill",
-                "alerting:.es-query/infrastructure/rule/deleteBackfill",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/get",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/getRuleState",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/getExecutionLog",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/getActionErrorLog",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/find",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/getRuleExecutionKPI",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/getBackfill",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/findBackfill",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/create",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/delete",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/update",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/updateApiKey",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/enable",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/disable",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/muteAll",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/unmuteAll",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/muteAlert",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/unmuteAlert",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/snooze",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/bulkEdit",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/bulkDelete",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/bulkEnable",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/bulkDisable",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/unsnooze",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/runSoon",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/scheduleBackfill",
-                "alerting:observability.rules.custom_threshold/infrastructure/rule/deleteBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/get",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getRuleState",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getExecutionLog",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getActionErrorLog",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/find",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getRuleExecutionKPI",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/create",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/delete",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/update",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/updateApiKey",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/enable",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/disable",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/muteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/unmuteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/muteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/unmuteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/snooze",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/bulkEdit",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/bulkDelete",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/bulkEnable",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/bulkDisable",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/unsnooze",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/runSoon",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/scheduleBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/deleteBackfill",
-                "alerting:metrics.alert.threshold/infrastructure/alert/get",
-                "alerting:metrics.alert.threshold/infrastructure/alert/find",
-                "alerting:metrics.alert.threshold/infrastructure/alert/getAuthorizedAlertsIndices",
-                "alerting:metrics.alert.threshold/infrastructure/alert/getAlertSummary",
-                "alerting:metrics.alert.threshold/infrastructure/alert/update",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/alert/get",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/alert/find",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/alert/getAuthorizedAlertsIndices",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/alert/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/infrastructure/alert/update",
-                "alerting:.es-query/infrastructure/alert/get",
-                "alerting:.es-query/infrastructure/alert/find",
-                "alerting:.es-query/infrastructure/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/infrastructure/alert/getAlertSummary",
-                "alerting:.es-query/infrastructure/alert/update",
-                "alerting:observability.rules.custom_threshold/infrastructure/alert/get",
-                "alerting:observability.rules.custom_threshold/infrastructure/alert/find",
-                "alerting:observability.rules.custom_threshold/infrastructure/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/infrastructure/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/infrastructure/alert/update",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/update",
+                "ui:apm/show",
+                "ui:apm/alerting:show",
+                "alerting:apm.error_rate/apm/rule/get",
+                "alerting:apm.error_rate/apm/rule/getRuleState",
+                "alerting:apm.error_rate/apm/rule/getAlertSummary",
+                "alerting:apm.error_rate/apm/rule/getExecutionLog",
+                "alerting:apm.error_rate/apm/rule/getActionErrorLog",
+                "alerting:apm.error_rate/apm/rule/find",
+                "alerting:apm.error_rate/apm/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/apm/rule/getBackfill",
+                "alerting:apm.error_rate/apm/rule/findBackfill",
+                "alerting:apm.error_rate/alerts/rule/get",
+                "alerting:apm.error_rate/alerts/rule/getRuleState",
+                "alerting:apm.error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.error_rate/alerts/rule/find",
+                "alerting:apm.error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/alerts/rule/getBackfill",
+                "alerting:apm.error_rate/alerts/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/apm/rule/get",
+                "alerting:apm.transaction_error_rate/apm/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/apm/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/apm/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/apm/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/apm/rule/find",
+                "alerting:apm.transaction_error_rate/apm/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/apm/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/apm/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/get",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/find",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/alerts/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/findBackfill",
+                "alerting:apm.transaction_duration/apm/rule/get",
+                "alerting:apm.transaction_duration/apm/rule/getRuleState",
+                "alerting:apm.transaction_duration/apm/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/apm/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/apm/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/apm/rule/find",
+                "alerting:apm.transaction_duration/apm/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/apm/rule/getBackfill",
+                "alerting:apm.transaction_duration/apm/rule/findBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/get",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleState",
+                "alerting:apm.transaction_duration/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/alerts/rule/find",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/alerts/rule/getBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/findBackfill",
+                "alerting:apm.anomaly/apm/rule/get",
+                "alerting:apm.anomaly/apm/rule/getRuleState",
+                "alerting:apm.anomaly/apm/rule/getAlertSummary",
+                "alerting:apm.anomaly/apm/rule/getExecutionLog",
+                "alerting:apm.anomaly/apm/rule/getActionErrorLog",
+                "alerting:apm.anomaly/apm/rule/find",
+                "alerting:apm.anomaly/apm/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/apm/rule/getBackfill",
+                "alerting:apm.anomaly/apm/rule/findBackfill",
+                "alerting:apm.anomaly/alerts/rule/get",
+                "alerting:apm.anomaly/alerts/rule/getRuleState",
+                "alerting:apm.anomaly/alerts/rule/getAlertSummary",
+                "alerting:apm.anomaly/alerts/rule/getExecutionLog",
+                "alerting:apm.anomaly/alerts/rule/getActionErrorLog",
+                "alerting:apm.anomaly/alerts/rule/find",
+                "alerting:apm.anomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/alerts/rule/getBackfill",
+                "alerting:apm.anomaly/alerts/rule/findBackfill",
+                "alerting:apm.error_rate/apm/alert/get",
+                "alerting:apm.error_rate/apm/alert/find",
+                "alerting:apm.error_rate/apm/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/apm/alert/getAlertSummary",
+                "alerting:apm.error_rate/alerts/alert/get",
+                "alerting:apm.error_rate/alerts/alert/find",
+                "alerting:apm.error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/alerts/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/apm/alert/get",
+                "alerting:apm.transaction_error_rate/apm/alert/find",
+                "alerting:apm.transaction_error_rate/apm/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/apm/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/alert/get",
+                "alerting:apm.transaction_error_rate/alerts/alert/find",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/apm/alert/get",
+                "alerting:apm.transaction_duration/apm/alert/find",
+                "alerting:apm.transaction_duration/apm/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/apm/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/alert/get",
+                "alerting:apm.transaction_duration/alerts/alert/find",
+                "alerting:apm.transaction_duration/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/alerts/alert/getAlertSummary",
+                "alerting:apm.anomaly/apm/alert/get",
+                "alerting:apm.anomaly/apm/alert/find",
+                "alerting:apm.anomaly/apm/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/apm/alert/getAlertSummary",
+                "alerting:apm.anomaly/alerts/alert/get",
+                "alerting:apm.anomaly/alerts/alert/find",
+                "alerting:apm.anomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/alerts/alert/getAlertSummary",
+                "api:infra",
+                "app:infra",
                 "app:logs",
                 "app:observability-logs-explorer",
                 "ui:catalogue/infralogging",
                 "ui:catalogue/logs",
+                "ui:navLinks/infra",
                 "ui:navLinks/logs",
                 "ui:navLinks/observability-logs-explorer",
+                "saved_object:infrastructure-ui-source/bulk_get",
+                "saved_object:infrastructure-ui-source/get",
+                "saved_object:infrastructure-ui-source/find",
+                "saved_object:infrastructure-ui-source/open_point_in_time",
+                "saved_object:infrastructure-ui-source/close_point_in_time",
                 "saved_object:infrastructure-monitoring-log-view/bulk_get",
                 "saved_object:infrastructure-monitoring-log-view/get",
                 "saved_object:infrastructure-monitoring-log-view/find",
                 "saved_object:infrastructure-monitoring-log-view/open_point_in_time",
                 "saved_object:infrastructure-monitoring-log-view/close_point_in_time",
-                "saved_object:infrastructure-monitoring-log-view/create",
-                "saved_object:infrastructure-monitoring-log-view/bulk_create",
-                "saved_object:infrastructure-monitoring-log-view/update",
-                "saved_object:infrastructure-monitoring-log-view/bulk_update",
-                "saved_object:infrastructure-monitoring-log-view/delete",
-                "saved_object:infrastructure-monitoring-log-view/bulk_delete",
-                "saved_object:infrastructure-monitoring-log-view/share_to_space",
                 "ui:logs/show",
-                "ui:logs/configureSource",
-                "ui:logs/save",
                 "alerting:logs.alert.document.count/logs/rule/get",
                 "alerting:logs.alert.document.count/logs/rule/getRuleState",
                 "alerting:logs.alert.document.count/logs/rule/getAlertSummary",
@@ -6080,25 +3786,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:logs.alert.document.count/logs/rule/getRuleExecutionKPI",
                 "alerting:logs.alert.document.count/logs/rule/getBackfill",
                 "alerting:logs.alert.document.count/logs/rule/findBackfill",
-                "alerting:logs.alert.document.count/logs/rule/create",
-                "alerting:logs.alert.document.count/logs/rule/delete",
-                "alerting:logs.alert.document.count/logs/rule/update",
-                "alerting:logs.alert.document.count/logs/rule/updateApiKey",
-                "alerting:logs.alert.document.count/logs/rule/enable",
-                "alerting:logs.alert.document.count/logs/rule/disable",
-                "alerting:logs.alert.document.count/logs/rule/muteAll",
-                "alerting:logs.alert.document.count/logs/rule/unmuteAll",
-                "alerting:logs.alert.document.count/logs/rule/muteAlert",
-                "alerting:logs.alert.document.count/logs/rule/unmuteAlert",
-                "alerting:logs.alert.document.count/logs/rule/snooze",
-                "alerting:logs.alert.document.count/logs/rule/bulkEdit",
-                "alerting:logs.alert.document.count/logs/rule/bulkDelete",
-                "alerting:logs.alert.document.count/logs/rule/bulkEnable",
-                "alerting:logs.alert.document.count/logs/rule/bulkDisable",
-                "alerting:logs.alert.document.count/logs/rule/unsnooze",
-                "alerting:logs.alert.document.count/logs/rule/runSoon",
-                "alerting:logs.alert.document.count/logs/rule/scheduleBackfill",
-                "alerting:logs.alert.document.count/logs/rule/deleteBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/get",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleState",
+                "alerting:logs.alert.document.count/alerts/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/alerts/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/alerts/rule/find",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/alerts/rule/getBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/findBackfill",
                 "alerting:.es-query/logs/rule/get",
                 "alerting:.es-query/logs/rule/getRuleState",
                 "alerting:.es-query/logs/rule/getAlertSummary",
@@ -6108,25 +3804,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:.es-query/logs/rule/getRuleExecutionKPI",
                 "alerting:.es-query/logs/rule/getBackfill",
                 "alerting:.es-query/logs/rule/findBackfill",
-                "alerting:.es-query/logs/rule/create",
-                "alerting:.es-query/logs/rule/delete",
-                "alerting:.es-query/logs/rule/update",
-                "alerting:.es-query/logs/rule/updateApiKey",
-                "alerting:.es-query/logs/rule/enable",
-                "alerting:.es-query/logs/rule/disable",
-                "alerting:.es-query/logs/rule/muteAll",
-                "alerting:.es-query/logs/rule/unmuteAll",
-                "alerting:.es-query/logs/rule/muteAlert",
-                "alerting:.es-query/logs/rule/unmuteAlert",
-                "alerting:.es-query/logs/rule/snooze",
-                "alerting:.es-query/logs/rule/bulkEdit",
-                "alerting:.es-query/logs/rule/bulkDelete",
-                "alerting:.es-query/logs/rule/bulkEnable",
-                "alerting:.es-query/logs/rule/bulkDisable",
-                "alerting:.es-query/logs/rule/unsnooze",
-                "alerting:.es-query/logs/rule/runSoon",
-                "alerting:.es-query/logs/rule/scheduleBackfill",
-                "alerting:.es-query/logs/rule/deleteBackfill",
+                "alerting:.es-query/alerts/rule/get",
+                "alerting:.es-query/alerts/rule/getRuleState",
+                "alerting:.es-query/alerts/rule/getAlertSummary",
+                "alerting:.es-query/alerts/rule/getExecutionLog",
+                "alerting:.es-query/alerts/rule/getActionErrorLog",
+                "alerting:.es-query/alerts/rule/find",
+                "alerting:.es-query/alerts/rule/getRuleExecutionKPI",
+                "alerting:.es-query/alerts/rule/getBackfill",
+                "alerting:.es-query/alerts/rule/findBackfill",
                 "alerting:observability.rules.custom_threshold/logs/rule/get",
                 "alerting:observability.rules.custom_threshold/logs/rule/getRuleState",
                 "alerting:observability.rules.custom_threshold/logs/rule/getAlertSummary",
@@ -6136,25 +3822,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:observability.rules.custom_threshold/logs/rule/getRuleExecutionKPI",
                 "alerting:observability.rules.custom_threshold/logs/rule/getBackfill",
                 "alerting:observability.rules.custom_threshold/logs/rule/findBackfill",
-                "alerting:observability.rules.custom_threshold/logs/rule/create",
-                "alerting:observability.rules.custom_threshold/logs/rule/delete",
-                "alerting:observability.rules.custom_threshold/logs/rule/update",
-                "alerting:observability.rules.custom_threshold/logs/rule/updateApiKey",
-                "alerting:observability.rules.custom_threshold/logs/rule/enable",
-                "alerting:observability.rules.custom_threshold/logs/rule/disable",
-                "alerting:observability.rules.custom_threshold/logs/rule/muteAll",
-                "alerting:observability.rules.custom_threshold/logs/rule/unmuteAll",
-                "alerting:observability.rules.custom_threshold/logs/rule/muteAlert",
-                "alerting:observability.rules.custom_threshold/logs/rule/unmuteAlert",
-                "alerting:observability.rules.custom_threshold/logs/rule/snooze",
-                "alerting:observability.rules.custom_threshold/logs/rule/bulkEdit",
-                "alerting:observability.rules.custom_threshold/logs/rule/bulkDelete",
-                "alerting:observability.rules.custom_threshold/logs/rule/bulkEnable",
-                "alerting:observability.rules.custom_threshold/logs/rule/bulkDisable",
-                "alerting:observability.rules.custom_threshold/logs/rule/unsnooze",
-                "alerting:observability.rules.custom_threshold/logs/rule/runSoon",
-                "alerting:observability.rules.custom_threshold/logs/rule/scheduleBackfill",
-                "alerting:observability.rules.custom_threshold/logs/rule/deleteBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/get",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/find",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/findBackfill",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/get",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleState",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getAlertSummary",
@@ -6164,50 +3840,2996 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleExecutionKPI",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getBackfill",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/create",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/delete",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/update",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/updateApiKey",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/enable",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/disable",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/muteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/unmuteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/muteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/unmuteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/snooze",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkEdit",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkDelete",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkEnable",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkDisable",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/unsnooze",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/runSoon",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/scheduleBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/deleteBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/findBackfill",
                 "alerting:logs.alert.document.count/logs/alert/get",
                 "alerting:logs.alert.document.count/logs/alert/find",
                 "alerting:logs.alert.document.count/logs/alert/getAuthorizedAlertsIndices",
                 "alerting:logs.alert.document.count/logs/alert/getAlertSummary",
-                "alerting:logs.alert.document.count/logs/alert/update",
+                "alerting:logs.alert.document.count/alerts/alert/get",
+                "alerting:logs.alert.document.count/alerts/alert/find",
+                "alerting:logs.alert.document.count/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/alerts/alert/getAlertSummary",
                 "alerting:.es-query/logs/alert/get",
                 "alerting:.es-query/logs/alert/find",
                 "alerting:.es-query/logs/alert/getAuthorizedAlertsIndices",
                 "alerting:.es-query/logs/alert/getAlertSummary",
-                "alerting:.es-query/logs/alert/update",
+                "alerting:.es-query/alerts/alert/get",
+                "alerting:.es-query/alerts/alert/find",
+                "alerting:.es-query/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/alerts/alert/getAlertSummary",
                 "alerting:observability.rules.custom_threshold/logs/alert/get",
                 "alerting:observability.rules.custom_threshold/logs/alert/find",
                 "alerting:observability.rules.custom_threshold/logs/alert/getAuthorizedAlertsIndices",
                 "alerting:observability.rules.custom_threshold/logs/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/logs/alert/update",
+                "alerting:observability.rules.custom_threshold/alerts/alert/get",
+                "alerting:observability.rules.custom_threshold/alerts/alert/find",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAlertSummary",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/alert/get",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/alert/find",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/update",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAlertSummary",
+                "app:observability",
+                "ui:catalogue/observability",
+                "ui:navLinks/observability",
+                "ui:observability/read",
+                "alerting:apm.error_rate/observability/rule/get",
+                "alerting:apm.error_rate/observability/rule/getRuleState",
+                "alerting:apm.error_rate/observability/rule/getAlertSummary",
+                "alerting:apm.error_rate/observability/rule/getExecutionLog",
+                "alerting:apm.error_rate/observability/rule/getActionErrorLog",
+                "alerting:apm.error_rate/observability/rule/find",
+                "alerting:apm.error_rate/observability/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/observability/rule/getBackfill",
+                "alerting:apm.error_rate/observability/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/observability/rule/get",
+                "alerting:apm.transaction_error_rate/observability/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/observability/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/observability/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/observability/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/observability/rule/find",
+                "alerting:apm.transaction_error_rate/observability/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/observability/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/observability/rule/findBackfill",
+                "alerting:apm.transaction_duration/observability/rule/get",
+                "alerting:apm.transaction_duration/observability/rule/getRuleState",
+                "alerting:apm.transaction_duration/observability/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/observability/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/observability/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/observability/rule/find",
+                "alerting:apm.transaction_duration/observability/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/observability/rule/getBackfill",
+                "alerting:apm.transaction_duration/observability/rule/findBackfill",
+                "alerting:apm.anomaly/observability/rule/get",
+                "alerting:apm.anomaly/observability/rule/getRuleState",
+                "alerting:apm.anomaly/observability/rule/getAlertSummary",
+                "alerting:apm.anomaly/observability/rule/getExecutionLog",
+                "alerting:apm.anomaly/observability/rule/getActionErrorLog",
+                "alerting:apm.anomaly/observability/rule/find",
+                "alerting:apm.anomaly/observability/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/observability/rule/getBackfill",
+                "alerting:apm.anomaly/observability/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/findBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/get",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/observability/rule/find",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/get",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/alerts/rule/find",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/findBackfill",
+                "alerting:logs.alert.document.count/observability/rule/get",
+                "alerting:logs.alert.document.count/observability/rule/getRuleState",
+                "alerting:logs.alert.document.count/observability/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/observability/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/observability/rule/find",
+                "alerting:logs.alert.document.count/observability/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/observability/rule/getBackfill",
+                "alerting:logs.alert.document.count/observability/rule/findBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/get",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
+                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/observability/rule/find",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/get",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleState",
+                "alerting:slo.rules.burnRate/alerts/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/alerts/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/alerts/rule/find",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/alerts/rule/getBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/get",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/find",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
+                "alerting:.es-query/observability/rule/get",
+                "alerting:.es-query/observability/rule/getRuleState",
+                "alerting:.es-query/observability/rule/getAlertSummary",
+                "alerting:.es-query/observability/rule/getExecutionLog",
+                "alerting:.es-query/observability/rule/getActionErrorLog",
+                "alerting:.es-query/observability/rule/find",
+                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
+                "alerting:.es-query/observability/rule/getBackfill",
+                "alerting:.es-query/observability/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
+                "alerting:apm.error_rate/observability/alert/get",
+                "alerting:apm.error_rate/observability/alert/find",
+                "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/observability/alert/get",
+                "alerting:apm.transaction_error_rate/observability/alert/find",
+                "alerting:apm.transaction_error_rate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/observability/alert/get",
+                "alerting:apm.transaction_duration/observability/alert/find",
+                "alerting:apm.transaction_duration/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/observability/alert/getAlertSummary",
+                "alerting:apm.anomaly/observability/alert/get",
+                "alerting:apm.anomaly/observability/alert/find",
+                "alerting:apm.anomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/alert/get",
+                "alerting:metrics.alert.threshold/observability/alert/find",
+                "alerting:metrics.alert.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/alert/get",
+                "alerting:metrics.alert.threshold/alerts/alert/find",
+                "alerting:metrics.alert.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/alert/get",
+                "alerting:logs.alert.document.count/observability/alert/find",
+                "alerting:logs.alert.document.count/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/observability/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/alert/get",
+                "alerting:slo.rules.burnRate/observability/alert/find",
+                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/alert/get",
+                "alerting:slo.rules.burnRate/alerts/alert/find",
+                "alerting:slo.rules.burnRate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/alerts/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/alert/get",
+                "alerting:observability.rules.custom_threshold/observability/alert/find",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
+                "alerting:.es-query/observability/alert/get",
+                "alerting:.es-query/observability/alert/find",
+                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/observability/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
+              ],
+              "settings_save": Array [
+                "login:",
+                "api:apm_settings_write",
+                "ui:apm/settings:save",
+              ],
+            },
+            "dashboard": Object {
+              "all": Array [
+                "login:",
+                "api:bulkGetUserProfiles",
+                "api:dashboardUsageStats",
+                "api:store_search_session",
+                "api:generateReport",
+                "api:downloadCsv",
+                "app:dashboards",
+                "app:kibana",
+                "ui:catalogue/dashboard",
+                "ui:management/kibana/search_sessions",
+                "ui:management/insightsAndAlerting/reporting",
+                "ui:navLinks/dashboards",
+                "ui:navLinks/kibana",
+                "saved_object:dashboard/bulk_get",
+                "saved_object:dashboard/get",
+                "saved_object:dashboard/find",
+                "saved_object:dashboard/open_point_in_time",
+                "saved_object:dashboard/close_point_in_time",
+                "saved_object:dashboard/create",
+                "saved_object:dashboard/bulk_create",
+                "saved_object:dashboard/update",
+                "saved_object:dashboard/bulk_update",
+                "saved_object:dashboard/delete",
+                "saved_object:dashboard/bulk_delete",
+                "saved_object:dashboard/share_to_space",
+                "saved_object:query/bulk_get",
+                "saved_object:query/get",
+                "saved_object:query/find",
+                "saved_object:query/open_point_in_time",
+                "saved_object:query/close_point_in_time",
+                "saved_object:query/create",
+                "saved_object:query/bulk_create",
+                "saved_object:query/update",
+                "saved_object:query/bulk_update",
+                "saved_object:query/delete",
+                "saved_object:query/bulk_delete",
+                "saved_object:query/share_to_space",
+                "saved_object:telemetry/bulk_get",
+                "saved_object:telemetry/get",
+                "saved_object:telemetry/find",
+                "saved_object:telemetry/open_point_in_time",
+                "saved_object:telemetry/close_point_in_time",
+                "saved_object:telemetry/create",
+                "saved_object:telemetry/bulk_create",
+                "saved_object:telemetry/update",
+                "saved_object:telemetry/bulk_update",
+                "saved_object:telemetry/delete",
+                "saved_object:telemetry/bulk_delete",
+                "saved_object:telemetry/share_to_space",
+                "saved_object:url/bulk_get",
+                "saved_object:url/get",
+                "saved_object:url/find",
+                "saved_object:url/open_point_in_time",
+                "saved_object:url/close_point_in_time",
+                "saved_object:url/create",
+                "saved_object:url/bulk_create",
+                "saved_object:url/update",
+                "saved_object:url/bulk_update",
+                "saved_object:url/delete",
+                "saved_object:url/bulk_delete",
+                "saved_object:url/share_to_space",
+                "saved_object:search-session/bulk_get",
+                "saved_object:search-session/get",
+                "saved_object:search-session/find",
+                "saved_object:search-session/open_point_in_time",
+                "saved_object:search-session/close_point_in_time",
+                "saved_object:search-session/create",
+                "saved_object:search-session/bulk_create",
+                "saved_object:search-session/update",
+                "saved_object:search-session/bulk_update",
+                "saved_object:search-session/delete",
+                "saved_object:search-session/bulk_delete",
+                "saved_object:search-session/share_to_space",
+                "saved_object:index-pattern/bulk_get",
+                "saved_object:index-pattern/get",
+                "saved_object:index-pattern/find",
+                "saved_object:index-pattern/open_point_in_time",
+                "saved_object:index-pattern/close_point_in_time",
+                "saved_object:search/bulk_get",
+                "saved_object:search/get",
+                "saved_object:search/find",
+                "saved_object:search/open_point_in_time",
+                "saved_object:search/close_point_in_time",
+                "saved_object:visualization/bulk_get",
+                "saved_object:visualization/get",
+                "saved_object:visualization/find",
+                "saved_object:visualization/open_point_in_time",
+                "saved_object:visualization/close_point_in_time",
+                "saved_object:canvas-workpad/bulk_get",
+                "saved_object:canvas-workpad/get",
+                "saved_object:canvas-workpad/find",
+                "saved_object:canvas-workpad/open_point_in_time",
+                "saved_object:canvas-workpad/close_point_in_time",
+                "saved_object:lens/bulk_get",
+                "saved_object:lens/get",
+                "saved_object:lens/find",
+                "saved_object:lens/open_point_in_time",
+                "saved_object:lens/close_point_in_time",
+                "saved_object:links/bulk_get",
+                "saved_object:links/get",
+                "saved_object:links/find",
+                "saved_object:links/open_point_in_time",
+                "saved_object:links/close_point_in_time",
+                "saved_object:map/bulk_get",
+                "saved_object:map/get",
+                "saved_object:map/find",
+                "saved_object:map/open_point_in_time",
+                "saved_object:map/close_point_in_time",
+                "saved_object:tag/bulk_get",
+                "saved_object:tag/get",
+                "saved_object:tag/find",
+                "saved_object:tag/open_point_in_time",
+                "saved_object:tag/close_point_in_time",
+                "saved_object:config/bulk_get",
+                "saved_object:config/get",
+                "saved_object:config/find",
+                "saved_object:config/open_point_in_time",
+                "saved_object:config/close_point_in_time",
+                "saved_object:config-global/bulk_get",
+                "saved_object:config-global/get",
+                "saved_object:config-global/find",
+                "saved_object:config-global/open_point_in_time",
+                "saved_object:config-global/close_point_in_time",
+                "ui:dashboard/createNew",
+                "ui:dashboard/show",
+                "ui:dashboard/showWriteControls",
+                "ui:dashboard/saveQuery",
+                "ui:dashboard/createShortUrl",
+                "ui:dashboard/storeSearchSession",
+                "ui:dashboard/generateScreenshot",
+                "ui:dashboard/downloadCsv",
+                "app:maps",
+                "ui:catalogue/maps",
+                "ui:navLinks/maps",
+                "saved_object:map/create",
+                "saved_object:map/bulk_create",
+                "saved_object:map/update",
+                "saved_object:map/bulk_update",
+                "saved_object:map/delete",
+                "saved_object:map/bulk_delete",
+                "saved_object:map/share_to_space",
+                "ui:maps/save",
+                "ui:maps/show",
+                "ui:maps/saveQuery",
+                "app:visualize",
+                "app:lens",
+                "ui:catalogue/visualize",
+                "ui:navLinks/visualize",
+                "ui:navLinks/lens",
+                "saved_object:visualization/create",
+                "saved_object:visualization/bulk_create",
+                "saved_object:visualization/update",
+                "saved_object:visualization/bulk_update",
+                "saved_object:visualization/delete",
+                "saved_object:visualization/bulk_delete",
+                "saved_object:visualization/share_to_space",
+                "saved_object:lens/create",
+                "saved_object:lens/bulk_create",
+                "saved_object:lens/update",
+                "saved_object:lens/bulk_update",
+                "saved_object:lens/delete",
+                "saved_object:lens/bulk_delete",
+                "saved_object:lens/share_to_space",
+                "ui:visualize/show",
+                "ui:visualize/delete",
+                "ui:visualize/save",
+                "ui:visualize/saveQuery",
+                "ui:visualize/createShortUrl",
+                "ui:visualize/generateScreenshot",
+              ],
+              "download_csv_report": Array [
+                "login:",
+                "api:downloadCsv",
+                "ui:management/insightsAndAlerting/reporting",
+                "ui:dashboard/downloadCsv",
+              ],
+              "generate_report": Array [
+                "login:",
+                "api:generateReport",
+                "ui:management/insightsAndAlerting/reporting",
+                "ui:dashboard/generateScreenshot",
+              ],
+              "minimal_all": Array [
+                "login:",
+                "api:bulkGetUserProfiles",
+                "api:dashboardUsageStats",
+                "app:dashboards",
+                "app:kibana",
+                "ui:catalogue/dashboard",
+                "ui:navLinks/dashboards",
+                "ui:navLinks/kibana",
+                "saved_object:dashboard/bulk_get",
+                "saved_object:dashboard/get",
+                "saved_object:dashboard/find",
+                "saved_object:dashboard/open_point_in_time",
+                "saved_object:dashboard/close_point_in_time",
+                "saved_object:dashboard/create",
+                "saved_object:dashboard/bulk_create",
+                "saved_object:dashboard/update",
+                "saved_object:dashboard/bulk_update",
+                "saved_object:dashboard/delete",
+                "saved_object:dashboard/bulk_delete",
+                "saved_object:dashboard/share_to_space",
+                "saved_object:query/bulk_get",
+                "saved_object:query/get",
+                "saved_object:query/find",
+                "saved_object:query/open_point_in_time",
+                "saved_object:query/close_point_in_time",
+                "saved_object:query/create",
+                "saved_object:query/bulk_create",
+                "saved_object:query/update",
+                "saved_object:query/bulk_update",
+                "saved_object:query/delete",
+                "saved_object:query/bulk_delete",
+                "saved_object:query/share_to_space",
+                "saved_object:telemetry/bulk_get",
+                "saved_object:telemetry/get",
+                "saved_object:telemetry/find",
+                "saved_object:telemetry/open_point_in_time",
+                "saved_object:telemetry/close_point_in_time",
+                "saved_object:telemetry/create",
+                "saved_object:telemetry/bulk_create",
+                "saved_object:telemetry/update",
+                "saved_object:telemetry/bulk_update",
+                "saved_object:telemetry/delete",
+                "saved_object:telemetry/bulk_delete",
+                "saved_object:telemetry/share_to_space",
+                "saved_object:index-pattern/bulk_get",
+                "saved_object:index-pattern/get",
+                "saved_object:index-pattern/find",
+                "saved_object:index-pattern/open_point_in_time",
+                "saved_object:index-pattern/close_point_in_time",
+                "saved_object:search/bulk_get",
+                "saved_object:search/get",
+                "saved_object:search/find",
+                "saved_object:search/open_point_in_time",
+                "saved_object:search/close_point_in_time",
+                "saved_object:visualization/bulk_get",
+                "saved_object:visualization/get",
+                "saved_object:visualization/find",
+                "saved_object:visualization/open_point_in_time",
+                "saved_object:visualization/close_point_in_time",
+                "saved_object:canvas-workpad/bulk_get",
+                "saved_object:canvas-workpad/get",
+                "saved_object:canvas-workpad/find",
+                "saved_object:canvas-workpad/open_point_in_time",
+                "saved_object:canvas-workpad/close_point_in_time",
+                "saved_object:lens/bulk_get",
+                "saved_object:lens/get",
+                "saved_object:lens/find",
+                "saved_object:lens/open_point_in_time",
+                "saved_object:lens/close_point_in_time",
+                "saved_object:links/bulk_get",
+                "saved_object:links/get",
+                "saved_object:links/find",
+                "saved_object:links/open_point_in_time",
+                "saved_object:links/close_point_in_time",
+                "saved_object:map/bulk_get",
+                "saved_object:map/get",
+                "saved_object:map/find",
+                "saved_object:map/open_point_in_time",
+                "saved_object:map/close_point_in_time",
+                "saved_object:tag/bulk_get",
+                "saved_object:tag/get",
+                "saved_object:tag/find",
+                "saved_object:tag/open_point_in_time",
+                "saved_object:tag/close_point_in_time",
+                "saved_object:config/bulk_get",
+                "saved_object:config/get",
+                "saved_object:config/find",
+                "saved_object:config/open_point_in_time",
+                "saved_object:config/close_point_in_time",
+                "saved_object:config-global/bulk_get",
+                "saved_object:config-global/get",
+                "saved_object:config-global/find",
+                "saved_object:config-global/open_point_in_time",
+                "saved_object:config-global/close_point_in_time",
+                "saved_object:url/bulk_get",
+                "saved_object:url/get",
+                "saved_object:url/find",
+                "saved_object:url/open_point_in_time",
+                "saved_object:url/close_point_in_time",
+                "ui:dashboard/createNew",
+                "ui:dashboard/show",
+                "ui:dashboard/showWriteControls",
+                "ui:dashboard/saveQuery",
+                "app:maps",
+                "ui:catalogue/maps",
+                "ui:navLinks/maps",
+                "saved_object:map/create",
+                "saved_object:map/bulk_create",
+                "saved_object:map/update",
+                "saved_object:map/bulk_update",
+                "saved_object:map/delete",
+                "saved_object:map/bulk_delete",
+                "saved_object:map/share_to_space",
+                "ui:maps/save",
+                "ui:maps/show",
+                "ui:maps/saveQuery",
+                "api:generateReport",
+                "app:visualize",
+                "app:lens",
+                "ui:catalogue/visualize",
+                "ui:management/insightsAndAlerting/reporting",
+                "ui:navLinks/visualize",
+                "ui:navLinks/lens",
+                "saved_object:visualization/create",
+                "saved_object:visualization/bulk_create",
+                "saved_object:visualization/update",
+                "saved_object:visualization/bulk_update",
+                "saved_object:visualization/delete",
+                "saved_object:visualization/bulk_delete",
+                "saved_object:visualization/share_to_space",
+                "saved_object:lens/create",
+                "saved_object:lens/bulk_create",
+                "saved_object:lens/update",
+                "saved_object:lens/bulk_update",
+                "saved_object:lens/delete",
+                "saved_object:lens/bulk_delete",
+                "saved_object:lens/share_to_space",
+                "saved_object:url/create",
+                "saved_object:url/bulk_create",
+                "saved_object:url/update",
+                "saved_object:url/bulk_update",
+                "saved_object:url/delete",
+                "saved_object:url/bulk_delete",
+                "saved_object:url/share_to_space",
+                "ui:visualize/show",
+                "ui:visualize/delete",
+                "ui:visualize/save",
+                "ui:visualize/saveQuery",
+                "ui:visualize/createShortUrl",
+                "ui:visualize/generateScreenshot",
+              ],
+              "minimal_read": Array [
+                "login:",
+                "api:bulkGetUserProfiles",
+                "api:dashboardUsageStats",
+                "app:dashboards",
+                "app:kibana",
+                "ui:catalogue/dashboard",
+                "ui:navLinks/dashboards",
+                "ui:navLinks/kibana",
+                "saved_object:index-pattern/bulk_get",
+                "saved_object:index-pattern/get",
+                "saved_object:index-pattern/find",
+                "saved_object:index-pattern/open_point_in_time",
+                "saved_object:index-pattern/close_point_in_time",
+                "saved_object:search/bulk_get",
+                "saved_object:search/get",
+                "saved_object:search/find",
+                "saved_object:search/open_point_in_time",
+                "saved_object:search/close_point_in_time",
+                "saved_object:visualization/bulk_get",
+                "saved_object:visualization/get",
+                "saved_object:visualization/find",
+                "saved_object:visualization/open_point_in_time",
+                "saved_object:visualization/close_point_in_time",
+                "saved_object:canvas-workpad/bulk_get",
+                "saved_object:canvas-workpad/get",
+                "saved_object:canvas-workpad/find",
+                "saved_object:canvas-workpad/open_point_in_time",
+                "saved_object:canvas-workpad/close_point_in_time",
+                "saved_object:lens/bulk_get",
+                "saved_object:lens/get",
+                "saved_object:lens/find",
+                "saved_object:lens/open_point_in_time",
+                "saved_object:lens/close_point_in_time",
+                "saved_object:links/bulk_get",
+                "saved_object:links/get",
+                "saved_object:links/find",
+                "saved_object:links/open_point_in_time",
+                "saved_object:links/close_point_in_time",
+                "saved_object:map/bulk_get",
+                "saved_object:map/get",
+                "saved_object:map/find",
+                "saved_object:map/open_point_in_time",
+                "saved_object:map/close_point_in_time",
+                "saved_object:dashboard/bulk_get",
+                "saved_object:dashboard/get",
+                "saved_object:dashboard/find",
+                "saved_object:dashboard/open_point_in_time",
+                "saved_object:dashboard/close_point_in_time",
+                "saved_object:query/bulk_get",
+                "saved_object:query/get",
+                "saved_object:query/find",
+                "saved_object:query/open_point_in_time",
+                "saved_object:query/close_point_in_time",
+                "saved_object:tag/bulk_get",
+                "saved_object:tag/get",
+                "saved_object:tag/find",
+                "saved_object:tag/open_point_in_time",
+                "saved_object:tag/close_point_in_time",
+                "saved_object:config/bulk_get",
+                "saved_object:config/get",
+                "saved_object:config/find",
+                "saved_object:config/open_point_in_time",
+                "saved_object:config/close_point_in_time",
+                "saved_object:config-global/bulk_get",
+                "saved_object:config-global/get",
+                "saved_object:config-global/find",
+                "saved_object:config-global/open_point_in_time",
+                "saved_object:config-global/close_point_in_time",
+                "saved_object:telemetry/bulk_get",
+                "saved_object:telemetry/get",
+                "saved_object:telemetry/find",
+                "saved_object:telemetry/open_point_in_time",
+                "saved_object:telemetry/close_point_in_time",
+                "saved_object:url/bulk_get",
+                "saved_object:url/get",
+                "saved_object:url/find",
+                "saved_object:url/open_point_in_time",
+                "saved_object:url/close_point_in_time",
+                "ui:dashboard/show",
+                "app:maps",
+                "ui:catalogue/maps",
+                "ui:navLinks/maps",
+                "ui:maps/show",
+                "app:visualize",
+                "app:lens",
+                "ui:catalogue/visualize",
+                "ui:navLinks/visualize",
+                "ui:navLinks/lens",
+                "saved_object:url/create",
+                "saved_object:url/bulk_create",
+                "saved_object:url/update",
+                "saved_object:url/bulk_update",
+                "saved_object:url/delete",
+                "saved_object:url/bulk_delete",
+                "saved_object:url/share_to_space",
+                "ui:visualize/show",
+                "ui:visualize/createShortUrl",
+              ],
+              "read": Array [
+                "login:",
+                "api:bulkGetUserProfiles",
+                "api:dashboardUsageStats",
+                "app:dashboards",
+                "app:kibana",
+                "ui:catalogue/dashboard",
+                "ui:navLinks/dashboards",
+                "ui:navLinks/kibana",
+                "saved_object:url/bulk_get",
+                "saved_object:url/get",
+                "saved_object:url/find",
+                "saved_object:url/open_point_in_time",
+                "saved_object:url/close_point_in_time",
+                "saved_object:url/create",
+                "saved_object:url/bulk_create",
+                "saved_object:url/update",
+                "saved_object:url/bulk_update",
+                "saved_object:url/delete",
+                "saved_object:url/bulk_delete",
+                "saved_object:url/share_to_space",
+                "saved_object:index-pattern/bulk_get",
+                "saved_object:index-pattern/get",
+                "saved_object:index-pattern/find",
+                "saved_object:index-pattern/open_point_in_time",
+                "saved_object:index-pattern/close_point_in_time",
+                "saved_object:search/bulk_get",
+                "saved_object:search/get",
+                "saved_object:search/find",
+                "saved_object:search/open_point_in_time",
+                "saved_object:search/close_point_in_time",
+                "saved_object:visualization/bulk_get",
+                "saved_object:visualization/get",
+                "saved_object:visualization/find",
+                "saved_object:visualization/open_point_in_time",
+                "saved_object:visualization/close_point_in_time",
+                "saved_object:canvas-workpad/bulk_get",
+                "saved_object:canvas-workpad/get",
+                "saved_object:canvas-workpad/find",
+                "saved_object:canvas-workpad/open_point_in_time",
+                "saved_object:canvas-workpad/close_point_in_time",
+                "saved_object:lens/bulk_get",
+                "saved_object:lens/get",
+                "saved_object:lens/find",
+                "saved_object:lens/open_point_in_time",
+                "saved_object:lens/close_point_in_time",
+                "saved_object:links/bulk_get",
+                "saved_object:links/get",
+                "saved_object:links/find",
+                "saved_object:links/open_point_in_time",
+                "saved_object:links/close_point_in_time",
+                "saved_object:map/bulk_get",
+                "saved_object:map/get",
+                "saved_object:map/find",
+                "saved_object:map/open_point_in_time",
+                "saved_object:map/close_point_in_time",
+                "saved_object:dashboard/bulk_get",
+                "saved_object:dashboard/get",
+                "saved_object:dashboard/find",
+                "saved_object:dashboard/open_point_in_time",
+                "saved_object:dashboard/close_point_in_time",
+                "saved_object:query/bulk_get",
+                "saved_object:query/get",
+                "saved_object:query/find",
+                "saved_object:query/open_point_in_time",
+                "saved_object:query/close_point_in_time",
+                "saved_object:tag/bulk_get",
+                "saved_object:tag/get",
+                "saved_object:tag/find",
+                "saved_object:tag/open_point_in_time",
+                "saved_object:tag/close_point_in_time",
+                "saved_object:config/bulk_get",
+                "saved_object:config/get",
+                "saved_object:config/find",
+                "saved_object:config/open_point_in_time",
+                "saved_object:config/close_point_in_time",
+                "saved_object:config-global/bulk_get",
+                "saved_object:config-global/get",
+                "saved_object:config-global/find",
+                "saved_object:config-global/open_point_in_time",
+                "saved_object:config-global/close_point_in_time",
+                "saved_object:telemetry/bulk_get",
+                "saved_object:telemetry/get",
+                "saved_object:telemetry/find",
+                "saved_object:telemetry/open_point_in_time",
+                "saved_object:telemetry/close_point_in_time",
+                "ui:dashboard/show",
+                "ui:dashboard/createShortUrl",
+                "app:maps",
+                "ui:catalogue/maps",
+                "ui:navLinks/maps",
+                "ui:maps/show",
+                "app:visualize",
+                "app:lens",
+                "ui:catalogue/visualize",
+                "ui:navLinks/visualize",
+                "ui:navLinks/lens",
+                "ui:visualize/show",
+                "ui:visualize/createShortUrl",
+              ],
+              "store_search_session": Array [
+                "login:",
+                "api:store_search_session",
+                "ui:management/kibana/search_sessions",
+                "saved_object:search-session/bulk_get",
+                "saved_object:search-session/get",
+                "saved_object:search-session/find",
+                "saved_object:search-session/open_point_in_time",
+                "saved_object:search-session/close_point_in_time",
+                "saved_object:search-session/create",
+                "saved_object:search-session/bulk_create",
+                "saved_object:search-session/update",
+                "saved_object:search-session/bulk_update",
+                "saved_object:search-session/delete",
+                "saved_object:search-session/bulk_delete",
+                "saved_object:search-session/share_to_space",
+                "ui:dashboard/storeSearchSession",
+              ],
+              "url_create": Array [
+                "login:",
+                "saved_object:url/bulk_get",
+                "saved_object:url/get",
+                "saved_object:url/find",
+                "saved_object:url/open_point_in_time",
+                "saved_object:url/close_point_in_time",
+                "saved_object:url/create",
+                "saved_object:url/bulk_create",
+                "saved_object:url/update",
+                "saved_object:url/bulk_update",
+                "saved_object:url/delete",
+                "saved_object:url/bulk_delete",
+                "saved_object:url/share_to_space",
+                "ui:dashboard/createShortUrl",
+              ],
+            },
+            "discover": Object {
+              "all": Array [
+                "login:",
+                "api:fileUpload:analyzeFile",
+                "api:store_search_session",
+                "api:generateReport",
+                "app:discover",
+                "app:kibana",
+                "ui:catalogue/discover",
+                "ui:management/kibana/search_sessions",
+                "ui:management/insightsAndAlerting/reporting",
+                "ui:navLinks/discover",
+                "ui:navLinks/kibana",
+                "saved_object:search/bulk_get",
+                "saved_object:search/get",
+                "saved_object:search/find",
+                "saved_object:search/open_point_in_time",
+                "saved_object:search/close_point_in_time",
+                "saved_object:search/create",
+                "saved_object:search/bulk_create",
+                "saved_object:search/update",
+                "saved_object:search/bulk_update",
+                "saved_object:search/delete",
+                "saved_object:search/bulk_delete",
+                "saved_object:search/share_to_space",
+                "saved_object:query/bulk_get",
+                "saved_object:query/get",
+                "saved_object:query/find",
+                "saved_object:query/open_point_in_time",
+                "saved_object:query/close_point_in_time",
+                "saved_object:query/create",
+                "saved_object:query/bulk_create",
+                "saved_object:query/update",
+                "saved_object:query/bulk_update",
+                "saved_object:query/delete",
+                "saved_object:query/bulk_delete",
+                "saved_object:query/share_to_space",
+                "saved_object:telemetry/bulk_get",
+                "saved_object:telemetry/get",
+                "saved_object:telemetry/find",
+                "saved_object:telemetry/open_point_in_time",
+                "saved_object:telemetry/close_point_in_time",
+                "saved_object:telemetry/create",
+                "saved_object:telemetry/bulk_create",
+                "saved_object:telemetry/update",
+                "saved_object:telemetry/bulk_update",
+                "saved_object:telemetry/delete",
+                "saved_object:telemetry/bulk_delete",
+                "saved_object:telemetry/share_to_space",
+                "saved_object:url/bulk_get",
+                "saved_object:url/get",
+                "saved_object:url/find",
+                "saved_object:url/open_point_in_time",
+                "saved_object:url/close_point_in_time",
+                "saved_object:url/create",
+                "saved_object:url/bulk_create",
+                "saved_object:url/update",
+                "saved_object:url/bulk_update",
+                "saved_object:url/delete",
+                "saved_object:url/bulk_delete",
+                "saved_object:url/share_to_space",
+                "saved_object:search-session/bulk_get",
+                "saved_object:search-session/get",
+                "saved_object:search-session/find",
+                "saved_object:search-session/open_point_in_time",
+                "saved_object:search-session/close_point_in_time",
+                "saved_object:search-session/create",
+                "saved_object:search-session/bulk_create",
+                "saved_object:search-session/update",
+                "saved_object:search-session/bulk_update",
+                "saved_object:search-session/delete",
+                "saved_object:search-session/bulk_delete",
+                "saved_object:search-session/share_to_space",
+                "saved_object:index-pattern/bulk_get",
+                "saved_object:index-pattern/get",
+                "saved_object:index-pattern/find",
+                "saved_object:index-pattern/open_point_in_time",
+                "saved_object:index-pattern/close_point_in_time",
+                "saved_object:config/bulk_get",
+                "saved_object:config/get",
+                "saved_object:config/find",
+                "saved_object:config/open_point_in_time",
+                "saved_object:config/close_point_in_time",
+                "saved_object:config-global/bulk_get",
+                "saved_object:config-global/get",
+                "saved_object:config-global/find",
+                "saved_object:config-global/open_point_in_time",
+                "saved_object:config-global/close_point_in_time",
+                "ui:discover/show",
+                "ui:discover/save",
+                "ui:discover/saveQuery",
+                "ui:discover/createShortUrl",
+                "ui:discover/storeSearchSession",
+                "ui:discover/generateCsv",
+                "api:rac",
+                "app:observability",
+                "ui:catalogue/observability",
+                "ui:navLinks/observability",
+                "ui:observability/read",
+                "ui:observability/write",
+                "alerting:apm.error_rate/observability/rule/get",
+                "alerting:apm.error_rate/observability/rule/getRuleState",
+                "alerting:apm.error_rate/observability/rule/getAlertSummary",
+                "alerting:apm.error_rate/observability/rule/getExecutionLog",
+                "alerting:apm.error_rate/observability/rule/getActionErrorLog",
+                "alerting:apm.error_rate/observability/rule/find",
+                "alerting:apm.error_rate/observability/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/observability/rule/getBackfill",
+                "alerting:apm.error_rate/observability/rule/findBackfill",
+                "alerting:apm.error_rate/observability/rule/create",
+                "alerting:apm.error_rate/observability/rule/delete",
+                "alerting:apm.error_rate/observability/rule/update",
+                "alerting:apm.error_rate/observability/rule/updateApiKey",
+                "alerting:apm.error_rate/observability/rule/enable",
+                "alerting:apm.error_rate/observability/rule/disable",
+                "alerting:apm.error_rate/observability/rule/muteAll",
+                "alerting:apm.error_rate/observability/rule/unmuteAll",
+                "alerting:apm.error_rate/observability/rule/muteAlert",
+                "alerting:apm.error_rate/observability/rule/unmuteAlert",
+                "alerting:apm.error_rate/observability/rule/snooze",
+                "alerting:apm.error_rate/observability/rule/bulkEdit",
+                "alerting:apm.error_rate/observability/rule/bulkDelete",
+                "alerting:apm.error_rate/observability/rule/bulkEnable",
+                "alerting:apm.error_rate/observability/rule/bulkDisable",
+                "alerting:apm.error_rate/observability/rule/unsnooze",
+                "alerting:apm.error_rate/observability/rule/runSoon",
+                "alerting:apm.error_rate/observability/rule/scheduleBackfill",
+                "alerting:apm.error_rate/observability/rule/deleteBackfill",
+                "alerting:apm.error_rate/alerts/rule/get",
+                "alerting:apm.error_rate/alerts/rule/getRuleState",
+                "alerting:apm.error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.error_rate/alerts/rule/find",
+                "alerting:apm.error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/alerts/rule/getBackfill",
+                "alerting:apm.error_rate/alerts/rule/findBackfill",
+                "alerting:apm.error_rate/alerts/rule/create",
+                "alerting:apm.error_rate/alerts/rule/delete",
+                "alerting:apm.error_rate/alerts/rule/update",
+                "alerting:apm.error_rate/alerts/rule/updateApiKey",
+                "alerting:apm.error_rate/alerts/rule/enable",
+                "alerting:apm.error_rate/alerts/rule/disable",
+                "alerting:apm.error_rate/alerts/rule/muteAll",
+                "alerting:apm.error_rate/alerts/rule/unmuteAll",
+                "alerting:apm.error_rate/alerts/rule/muteAlert",
+                "alerting:apm.error_rate/alerts/rule/unmuteAlert",
+                "alerting:apm.error_rate/alerts/rule/snooze",
+                "alerting:apm.error_rate/alerts/rule/bulkEdit",
+                "alerting:apm.error_rate/alerts/rule/bulkDelete",
+                "alerting:apm.error_rate/alerts/rule/bulkEnable",
+                "alerting:apm.error_rate/alerts/rule/bulkDisable",
+                "alerting:apm.error_rate/alerts/rule/unsnooze",
+                "alerting:apm.error_rate/alerts/rule/runSoon",
+                "alerting:apm.error_rate/alerts/rule/scheduleBackfill",
+                "alerting:apm.error_rate/alerts/rule/deleteBackfill",
+                "alerting:apm.transaction_error_rate/observability/rule/get",
+                "alerting:apm.transaction_error_rate/observability/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/observability/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/observability/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/observability/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/observability/rule/find",
+                "alerting:apm.transaction_error_rate/observability/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/observability/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/observability/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/observability/rule/create",
+                "alerting:apm.transaction_error_rate/observability/rule/delete",
+                "alerting:apm.transaction_error_rate/observability/rule/update",
+                "alerting:apm.transaction_error_rate/observability/rule/updateApiKey",
+                "alerting:apm.transaction_error_rate/observability/rule/enable",
+                "alerting:apm.transaction_error_rate/observability/rule/disable",
+                "alerting:apm.transaction_error_rate/observability/rule/muteAll",
+                "alerting:apm.transaction_error_rate/observability/rule/unmuteAll",
+                "alerting:apm.transaction_error_rate/observability/rule/muteAlert",
+                "alerting:apm.transaction_error_rate/observability/rule/unmuteAlert",
+                "alerting:apm.transaction_error_rate/observability/rule/snooze",
+                "alerting:apm.transaction_error_rate/observability/rule/bulkEdit",
+                "alerting:apm.transaction_error_rate/observability/rule/bulkDelete",
+                "alerting:apm.transaction_error_rate/observability/rule/bulkEnable",
+                "alerting:apm.transaction_error_rate/observability/rule/bulkDisable",
+                "alerting:apm.transaction_error_rate/observability/rule/unsnooze",
+                "alerting:apm.transaction_error_rate/observability/rule/runSoon",
+                "alerting:apm.transaction_error_rate/observability/rule/scheduleBackfill",
+                "alerting:apm.transaction_error_rate/observability/rule/deleteBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/get",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/find",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/alerts/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/create",
+                "alerting:apm.transaction_error_rate/alerts/rule/delete",
+                "alerting:apm.transaction_error_rate/alerts/rule/update",
+                "alerting:apm.transaction_error_rate/alerts/rule/updateApiKey",
+                "alerting:apm.transaction_error_rate/alerts/rule/enable",
+                "alerting:apm.transaction_error_rate/alerts/rule/disable",
+                "alerting:apm.transaction_error_rate/alerts/rule/muteAll",
+                "alerting:apm.transaction_error_rate/alerts/rule/unmuteAll",
+                "alerting:apm.transaction_error_rate/alerts/rule/muteAlert",
+                "alerting:apm.transaction_error_rate/alerts/rule/unmuteAlert",
+                "alerting:apm.transaction_error_rate/alerts/rule/snooze",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkEdit",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkDelete",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkEnable",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkDisable",
+                "alerting:apm.transaction_error_rate/alerts/rule/unsnooze",
+                "alerting:apm.transaction_error_rate/alerts/rule/runSoon",
+                "alerting:apm.transaction_error_rate/alerts/rule/scheduleBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/deleteBackfill",
+                "alerting:apm.transaction_duration/observability/rule/get",
+                "alerting:apm.transaction_duration/observability/rule/getRuleState",
+                "alerting:apm.transaction_duration/observability/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/observability/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/observability/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/observability/rule/find",
+                "alerting:apm.transaction_duration/observability/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/observability/rule/getBackfill",
+                "alerting:apm.transaction_duration/observability/rule/findBackfill",
+                "alerting:apm.transaction_duration/observability/rule/create",
+                "alerting:apm.transaction_duration/observability/rule/delete",
+                "alerting:apm.transaction_duration/observability/rule/update",
+                "alerting:apm.transaction_duration/observability/rule/updateApiKey",
+                "alerting:apm.transaction_duration/observability/rule/enable",
+                "alerting:apm.transaction_duration/observability/rule/disable",
+                "alerting:apm.transaction_duration/observability/rule/muteAll",
+                "alerting:apm.transaction_duration/observability/rule/unmuteAll",
+                "alerting:apm.transaction_duration/observability/rule/muteAlert",
+                "alerting:apm.transaction_duration/observability/rule/unmuteAlert",
+                "alerting:apm.transaction_duration/observability/rule/snooze",
+                "alerting:apm.transaction_duration/observability/rule/bulkEdit",
+                "alerting:apm.transaction_duration/observability/rule/bulkDelete",
+                "alerting:apm.transaction_duration/observability/rule/bulkEnable",
+                "alerting:apm.transaction_duration/observability/rule/bulkDisable",
+                "alerting:apm.transaction_duration/observability/rule/unsnooze",
+                "alerting:apm.transaction_duration/observability/rule/runSoon",
+                "alerting:apm.transaction_duration/observability/rule/scheduleBackfill",
+                "alerting:apm.transaction_duration/observability/rule/deleteBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/get",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleState",
+                "alerting:apm.transaction_duration/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/alerts/rule/find",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/alerts/rule/getBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/findBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/create",
+                "alerting:apm.transaction_duration/alerts/rule/delete",
+                "alerting:apm.transaction_duration/alerts/rule/update",
+                "alerting:apm.transaction_duration/alerts/rule/updateApiKey",
+                "alerting:apm.transaction_duration/alerts/rule/enable",
+                "alerting:apm.transaction_duration/alerts/rule/disable",
+                "alerting:apm.transaction_duration/alerts/rule/muteAll",
+                "alerting:apm.transaction_duration/alerts/rule/unmuteAll",
+                "alerting:apm.transaction_duration/alerts/rule/muteAlert",
+                "alerting:apm.transaction_duration/alerts/rule/unmuteAlert",
+                "alerting:apm.transaction_duration/alerts/rule/snooze",
+                "alerting:apm.transaction_duration/alerts/rule/bulkEdit",
+                "alerting:apm.transaction_duration/alerts/rule/bulkDelete",
+                "alerting:apm.transaction_duration/alerts/rule/bulkEnable",
+                "alerting:apm.transaction_duration/alerts/rule/bulkDisable",
+                "alerting:apm.transaction_duration/alerts/rule/unsnooze",
+                "alerting:apm.transaction_duration/alerts/rule/runSoon",
+                "alerting:apm.transaction_duration/alerts/rule/scheduleBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/deleteBackfill",
+                "alerting:apm.anomaly/observability/rule/get",
+                "alerting:apm.anomaly/observability/rule/getRuleState",
+                "alerting:apm.anomaly/observability/rule/getAlertSummary",
+                "alerting:apm.anomaly/observability/rule/getExecutionLog",
+                "alerting:apm.anomaly/observability/rule/getActionErrorLog",
+                "alerting:apm.anomaly/observability/rule/find",
+                "alerting:apm.anomaly/observability/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/observability/rule/getBackfill",
+                "alerting:apm.anomaly/observability/rule/findBackfill",
+                "alerting:apm.anomaly/observability/rule/create",
+                "alerting:apm.anomaly/observability/rule/delete",
+                "alerting:apm.anomaly/observability/rule/update",
+                "alerting:apm.anomaly/observability/rule/updateApiKey",
+                "alerting:apm.anomaly/observability/rule/enable",
+                "alerting:apm.anomaly/observability/rule/disable",
+                "alerting:apm.anomaly/observability/rule/muteAll",
+                "alerting:apm.anomaly/observability/rule/unmuteAll",
+                "alerting:apm.anomaly/observability/rule/muteAlert",
+                "alerting:apm.anomaly/observability/rule/unmuteAlert",
+                "alerting:apm.anomaly/observability/rule/snooze",
+                "alerting:apm.anomaly/observability/rule/bulkEdit",
+                "alerting:apm.anomaly/observability/rule/bulkDelete",
+                "alerting:apm.anomaly/observability/rule/bulkEnable",
+                "alerting:apm.anomaly/observability/rule/bulkDisable",
+                "alerting:apm.anomaly/observability/rule/unsnooze",
+                "alerting:apm.anomaly/observability/rule/runSoon",
+                "alerting:apm.anomaly/observability/rule/scheduleBackfill",
+                "alerting:apm.anomaly/observability/rule/deleteBackfill",
+                "alerting:apm.anomaly/alerts/rule/get",
+                "alerting:apm.anomaly/alerts/rule/getRuleState",
+                "alerting:apm.anomaly/alerts/rule/getAlertSummary",
+                "alerting:apm.anomaly/alerts/rule/getExecutionLog",
+                "alerting:apm.anomaly/alerts/rule/getActionErrorLog",
+                "alerting:apm.anomaly/alerts/rule/find",
+                "alerting:apm.anomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/alerts/rule/getBackfill",
+                "alerting:apm.anomaly/alerts/rule/findBackfill",
+                "alerting:apm.anomaly/alerts/rule/create",
+                "alerting:apm.anomaly/alerts/rule/delete",
+                "alerting:apm.anomaly/alerts/rule/update",
+                "alerting:apm.anomaly/alerts/rule/updateApiKey",
+                "alerting:apm.anomaly/alerts/rule/enable",
+                "alerting:apm.anomaly/alerts/rule/disable",
+                "alerting:apm.anomaly/alerts/rule/muteAll",
+                "alerting:apm.anomaly/alerts/rule/unmuteAll",
+                "alerting:apm.anomaly/alerts/rule/muteAlert",
+                "alerting:apm.anomaly/alerts/rule/unmuteAlert",
+                "alerting:apm.anomaly/alerts/rule/snooze",
+                "alerting:apm.anomaly/alerts/rule/bulkEdit",
+                "alerting:apm.anomaly/alerts/rule/bulkDelete",
+                "alerting:apm.anomaly/alerts/rule/bulkEnable",
+                "alerting:apm.anomaly/alerts/rule/bulkDisable",
+                "alerting:apm.anomaly/alerts/rule/unsnooze",
+                "alerting:apm.anomaly/alerts/rule/runSoon",
+                "alerting:apm.anomaly/alerts/rule/scheduleBackfill",
+                "alerting:apm.anomaly/alerts/rule/deleteBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/create",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/delete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/enable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/disable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/snooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/deleteBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/create",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/delete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/enable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/disable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/snooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/deleteBackfill",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/create",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/delete",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/update",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/enable",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/disable",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/snooze",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/deleteBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/create",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/delete",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/update",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/enable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/disable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/snooze",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/deleteBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/get",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/observability/rule/find",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/create",
+                "alerting:metrics.alert.threshold/observability/rule/delete",
+                "alerting:metrics.alert.threshold/observability/rule/update",
+                "alerting:metrics.alert.threshold/observability/rule/updateApiKey",
+                "alerting:metrics.alert.threshold/observability/rule/enable",
+                "alerting:metrics.alert.threshold/observability/rule/disable",
+                "alerting:metrics.alert.threshold/observability/rule/muteAll",
+                "alerting:metrics.alert.threshold/observability/rule/unmuteAll",
+                "alerting:metrics.alert.threshold/observability/rule/muteAlert",
+                "alerting:metrics.alert.threshold/observability/rule/unmuteAlert",
+                "alerting:metrics.alert.threshold/observability/rule/snooze",
+                "alerting:metrics.alert.threshold/observability/rule/bulkEdit",
+                "alerting:metrics.alert.threshold/observability/rule/bulkDelete",
+                "alerting:metrics.alert.threshold/observability/rule/bulkEnable",
+                "alerting:metrics.alert.threshold/observability/rule/bulkDisable",
+                "alerting:metrics.alert.threshold/observability/rule/unsnooze",
+                "alerting:metrics.alert.threshold/observability/rule/runSoon",
+                "alerting:metrics.alert.threshold/observability/rule/scheduleBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/deleteBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/get",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/alerts/rule/find",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/create",
+                "alerting:metrics.alert.threshold/alerts/rule/delete",
+                "alerting:metrics.alert.threshold/alerts/rule/update",
+                "alerting:metrics.alert.threshold/alerts/rule/updateApiKey",
+                "alerting:metrics.alert.threshold/alerts/rule/enable",
+                "alerting:metrics.alert.threshold/alerts/rule/disable",
+                "alerting:metrics.alert.threshold/alerts/rule/muteAll",
+                "alerting:metrics.alert.threshold/alerts/rule/unmuteAll",
+                "alerting:metrics.alert.threshold/alerts/rule/muteAlert",
+                "alerting:metrics.alert.threshold/alerts/rule/unmuteAlert",
+                "alerting:metrics.alert.threshold/alerts/rule/snooze",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkEdit",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkDelete",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkEnable",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkDisable",
+                "alerting:metrics.alert.threshold/alerts/rule/unsnooze",
+                "alerting:metrics.alert.threshold/alerts/rule/runSoon",
+                "alerting:metrics.alert.threshold/alerts/rule/scheduleBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/deleteBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/create",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/delete",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/update",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/updateApiKey",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/enable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/disable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAll",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAll",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAlert",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAlert",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/snooze",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEdit",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDelete",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEnable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDisable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unsnooze",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/runSoon",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/scheduleBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/deleteBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/create",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/delete",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/update",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/updateApiKey",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/enable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/disable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/muteAll",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unmuteAll",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/muteAlert",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unmuteAlert",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/snooze",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkEdit",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkDelete",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkEnable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkDisable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unsnooze",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/runSoon",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/scheduleBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/create",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/update",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/create",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/create",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/create",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/deleteBackfill",
+                "alerting:logs.alert.document.count/observability/rule/get",
+                "alerting:logs.alert.document.count/observability/rule/getRuleState",
+                "alerting:logs.alert.document.count/observability/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/observability/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/observability/rule/find",
+                "alerting:logs.alert.document.count/observability/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/observability/rule/getBackfill",
+                "alerting:logs.alert.document.count/observability/rule/findBackfill",
+                "alerting:logs.alert.document.count/observability/rule/create",
+                "alerting:logs.alert.document.count/observability/rule/delete",
+                "alerting:logs.alert.document.count/observability/rule/update",
+                "alerting:logs.alert.document.count/observability/rule/updateApiKey",
+                "alerting:logs.alert.document.count/observability/rule/enable",
+                "alerting:logs.alert.document.count/observability/rule/disable",
+                "alerting:logs.alert.document.count/observability/rule/muteAll",
+                "alerting:logs.alert.document.count/observability/rule/unmuteAll",
+                "alerting:logs.alert.document.count/observability/rule/muteAlert",
+                "alerting:logs.alert.document.count/observability/rule/unmuteAlert",
+                "alerting:logs.alert.document.count/observability/rule/snooze",
+                "alerting:logs.alert.document.count/observability/rule/bulkEdit",
+                "alerting:logs.alert.document.count/observability/rule/bulkDelete",
+                "alerting:logs.alert.document.count/observability/rule/bulkEnable",
+                "alerting:logs.alert.document.count/observability/rule/bulkDisable",
+                "alerting:logs.alert.document.count/observability/rule/unsnooze",
+                "alerting:logs.alert.document.count/observability/rule/runSoon",
+                "alerting:logs.alert.document.count/observability/rule/scheduleBackfill",
+                "alerting:logs.alert.document.count/observability/rule/deleteBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/get",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleState",
+                "alerting:logs.alert.document.count/alerts/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/alerts/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/alerts/rule/find",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/alerts/rule/getBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/findBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/create",
+                "alerting:logs.alert.document.count/alerts/rule/delete",
+                "alerting:logs.alert.document.count/alerts/rule/update",
+                "alerting:logs.alert.document.count/alerts/rule/updateApiKey",
+                "alerting:logs.alert.document.count/alerts/rule/enable",
+                "alerting:logs.alert.document.count/alerts/rule/disable",
+                "alerting:logs.alert.document.count/alerts/rule/muteAll",
+                "alerting:logs.alert.document.count/alerts/rule/unmuteAll",
+                "alerting:logs.alert.document.count/alerts/rule/muteAlert",
+                "alerting:logs.alert.document.count/alerts/rule/unmuteAlert",
+                "alerting:logs.alert.document.count/alerts/rule/snooze",
+                "alerting:logs.alert.document.count/alerts/rule/bulkEdit",
+                "alerting:logs.alert.document.count/alerts/rule/bulkDelete",
+                "alerting:logs.alert.document.count/alerts/rule/bulkEnable",
+                "alerting:logs.alert.document.count/alerts/rule/bulkDisable",
+                "alerting:logs.alert.document.count/alerts/rule/unsnooze",
+                "alerting:logs.alert.document.count/alerts/rule/runSoon",
+                "alerting:logs.alert.document.count/alerts/rule/scheduleBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/deleteBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/get",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
+                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/observability/rule/find",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/create",
+                "alerting:slo.rules.burnRate/observability/rule/delete",
+                "alerting:slo.rules.burnRate/observability/rule/update",
+                "alerting:slo.rules.burnRate/observability/rule/updateApiKey",
+                "alerting:slo.rules.burnRate/observability/rule/enable",
+                "alerting:slo.rules.burnRate/observability/rule/disable",
+                "alerting:slo.rules.burnRate/observability/rule/muteAll",
+                "alerting:slo.rules.burnRate/observability/rule/unmuteAll",
+                "alerting:slo.rules.burnRate/observability/rule/muteAlert",
+                "alerting:slo.rules.burnRate/observability/rule/unmuteAlert",
+                "alerting:slo.rules.burnRate/observability/rule/snooze",
+                "alerting:slo.rules.burnRate/observability/rule/bulkEdit",
+                "alerting:slo.rules.burnRate/observability/rule/bulkDelete",
+                "alerting:slo.rules.burnRate/observability/rule/bulkEnable",
+                "alerting:slo.rules.burnRate/observability/rule/bulkDisable",
+                "alerting:slo.rules.burnRate/observability/rule/unsnooze",
+                "alerting:slo.rules.burnRate/observability/rule/runSoon",
+                "alerting:slo.rules.burnRate/observability/rule/scheduleBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/deleteBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/get",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleState",
+                "alerting:slo.rules.burnRate/alerts/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/alerts/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/alerts/rule/find",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/alerts/rule/getBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/findBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/create",
+                "alerting:slo.rules.burnRate/alerts/rule/delete",
+                "alerting:slo.rules.burnRate/alerts/rule/update",
+                "alerting:slo.rules.burnRate/alerts/rule/updateApiKey",
+                "alerting:slo.rules.burnRate/alerts/rule/enable",
+                "alerting:slo.rules.burnRate/alerts/rule/disable",
+                "alerting:slo.rules.burnRate/alerts/rule/muteAll",
+                "alerting:slo.rules.burnRate/alerts/rule/unmuteAll",
+                "alerting:slo.rules.burnRate/alerts/rule/muteAlert",
+                "alerting:slo.rules.burnRate/alerts/rule/unmuteAlert",
+                "alerting:slo.rules.burnRate/alerts/rule/snooze",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkEdit",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkDelete",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkEnable",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkDisable",
+                "alerting:slo.rules.burnRate/alerts/rule/unsnooze",
+                "alerting:slo.rules.burnRate/alerts/rule/runSoon",
+                "alerting:slo.rules.burnRate/alerts/rule/scheduleBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/deleteBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/get",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/find",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/create",
+                "alerting:observability.rules.custom_threshold/observability/rule/delete",
+                "alerting:observability.rules.custom_threshold/observability/rule/update",
+                "alerting:observability.rules.custom_threshold/observability/rule/updateApiKey",
+                "alerting:observability.rules.custom_threshold/observability/rule/enable",
+                "alerting:observability.rules.custom_threshold/observability/rule/disable",
+                "alerting:observability.rules.custom_threshold/observability/rule/muteAll",
+                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAll",
+                "alerting:observability.rules.custom_threshold/observability/rule/muteAlert",
+                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAlert",
+                "alerting:observability.rules.custom_threshold/observability/rule/snooze",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkEdit",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkDelete",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkEnable",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkDisable",
+                "alerting:observability.rules.custom_threshold/observability/rule/unsnooze",
+                "alerting:observability.rules.custom_threshold/observability/rule/runSoon",
+                "alerting:observability.rules.custom_threshold/observability/rule/scheduleBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/deleteBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/get",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/find",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/create",
+                "alerting:observability.rules.custom_threshold/alerts/rule/delete",
+                "alerting:observability.rules.custom_threshold/alerts/rule/update",
+                "alerting:observability.rules.custom_threshold/alerts/rule/updateApiKey",
+                "alerting:observability.rules.custom_threshold/alerts/rule/enable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/disable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/muteAll",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unmuteAll",
+                "alerting:observability.rules.custom_threshold/alerts/rule/muteAlert",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unmuteAlert",
+                "alerting:observability.rules.custom_threshold/alerts/rule/snooze",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkEdit",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkDelete",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkEnable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkDisable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unsnooze",
+                "alerting:observability.rules.custom_threshold/alerts/rule/runSoon",
+                "alerting:observability.rules.custom_threshold/alerts/rule/scheduleBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/deleteBackfill",
+                "alerting:.es-query/observability/rule/get",
+                "alerting:.es-query/observability/rule/getRuleState",
+                "alerting:.es-query/observability/rule/getAlertSummary",
+                "alerting:.es-query/observability/rule/getExecutionLog",
+                "alerting:.es-query/observability/rule/getActionErrorLog",
+                "alerting:.es-query/observability/rule/find",
+                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
+                "alerting:.es-query/observability/rule/getBackfill",
+                "alerting:.es-query/observability/rule/findBackfill",
+                "alerting:.es-query/observability/rule/create",
+                "alerting:.es-query/observability/rule/delete",
+                "alerting:.es-query/observability/rule/update",
+                "alerting:.es-query/observability/rule/updateApiKey",
+                "alerting:.es-query/observability/rule/enable",
+                "alerting:.es-query/observability/rule/disable",
+                "alerting:.es-query/observability/rule/muteAll",
+                "alerting:.es-query/observability/rule/unmuteAll",
+                "alerting:.es-query/observability/rule/muteAlert",
+                "alerting:.es-query/observability/rule/unmuteAlert",
+                "alerting:.es-query/observability/rule/snooze",
+                "alerting:.es-query/observability/rule/bulkEdit",
+                "alerting:.es-query/observability/rule/bulkDelete",
+                "alerting:.es-query/observability/rule/bulkEnable",
+                "alerting:.es-query/observability/rule/bulkDisable",
+                "alerting:.es-query/observability/rule/unsnooze",
+                "alerting:.es-query/observability/rule/runSoon",
+                "alerting:.es-query/observability/rule/scheduleBackfill",
+                "alerting:.es-query/observability/rule/deleteBackfill",
+                "alerting:.es-query/alerts/rule/get",
+                "alerting:.es-query/alerts/rule/getRuleState",
+                "alerting:.es-query/alerts/rule/getAlertSummary",
+                "alerting:.es-query/alerts/rule/getExecutionLog",
+                "alerting:.es-query/alerts/rule/getActionErrorLog",
+                "alerting:.es-query/alerts/rule/find",
+                "alerting:.es-query/alerts/rule/getRuleExecutionKPI",
+                "alerting:.es-query/alerts/rule/getBackfill",
+                "alerting:.es-query/alerts/rule/findBackfill",
+                "alerting:.es-query/alerts/rule/create",
+                "alerting:.es-query/alerts/rule/delete",
+                "alerting:.es-query/alerts/rule/update",
+                "alerting:.es-query/alerts/rule/updateApiKey",
+                "alerting:.es-query/alerts/rule/enable",
+                "alerting:.es-query/alerts/rule/disable",
+                "alerting:.es-query/alerts/rule/muteAll",
+                "alerting:.es-query/alerts/rule/unmuteAll",
+                "alerting:.es-query/alerts/rule/muteAlert",
+                "alerting:.es-query/alerts/rule/unmuteAlert",
+                "alerting:.es-query/alerts/rule/snooze",
+                "alerting:.es-query/alerts/rule/bulkEdit",
+                "alerting:.es-query/alerts/rule/bulkDelete",
+                "alerting:.es-query/alerts/rule/bulkEnable",
+                "alerting:.es-query/alerts/rule/bulkDisable",
+                "alerting:.es-query/alerts/rule/unsnooze",
+                "alerting:.es-query/alerts/rule/runSoon",
+                "alerting:.es-query/alerts/rule/scheduleBackfill",
+                "alerting:.es-query/alerts/rule/deleteBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/deleteBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/deleteBackfill",
+                "alerting:apm.error_rate/observability/alert/get",
+                "alerting:apm.error_rate/observability/alert/find",
+                "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.error_rate/observability/alert/update",
+                "alerting:apm.error_rate/alerts/alert/get",
+                "alerting:apm.error_rate/alerts/alert/find",
+                "alerting:apm.error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/alerts/alert/getAlertSummary",
+                "alerting:apm.error_rate/alerts/alert/update",
+                "alerting:apm.transaction_error_rate/observability/alert/get",
+                "alerting:apm.transaction_error_rate/observability/alert/find",
+                "alerting:apm.transaction_error_rate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/observability/alert/update",
+                "alerting:apm.transaction_error_rate/alerts/alert/get",
+                "alerting:apm.transaction_error_rate/alerts/alert/find",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/alert/update",
+                "alerting:apm.transaction_duration/observability/alert/get",
+                "alerting:apm.transaction_duration/observability/alert/find",
+                "alerting:apm.transaction_duration/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/observability/alert/update",
+                "alerting:apm.transaction_duration/alerts/alert/get",
+                "alerting:apm.transaction_duration/alerts/alert/find",
+                "alerting:apm.transaction_duration/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/alerts/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/alert/update",
+                "alerting:apm.anomaly/observability/alert/get",
+                "alerting:apm.anomaly/observability/alert/find",
+                "alerting:apm.anomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/observability/alert/getAlertSummary",
+                "alerting:apm.anomaly/observability/alert/update",
+                "alerting:apm.anomaly/alerts/alert/get",
+                "alerting:apm.anomaly/alerts/alert/find",
+                "alerting:apm.anomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/alerts/alert/getAlertSummary",
+                "alerting:apm.anomaly/alerts/alert/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/update",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/update",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/update",
+                "alerting:metrics.alert.threshold/observability/alert/get",
+                "alerting:metrics.alert.threshold/observability/alert/find",
+                "alerting:metrics.alert.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/alert/update",
+                "alerting:metrics.alert.threshold/alerts/alert/get",
+                "alerting:metrics.alert.threshold/alerts/alert/find",
+                "alerting:metrics.alert.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/alert/update",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/update",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/update",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/update",
+                "alerting:logs.alert.document.count/observability/alert/get",
+                "alerting:logs.alert.document.count/observability/alert/find",
+                "alerting:logs.alert.document.count/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/observability/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/alert/update",
+                "alerting:logs.alert.document.count/alerts/alert/get",
+                "alerting:logs.alert.document.count/alerts/alert/find",
+                "alerting:logs.alert.document.count/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/alerts/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/alert/update",
+                "alerting:slo.rules.burnRate/observability/alert/get",
+                "alerting:slo.rules.burnRate/observability/alert/find",
+                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/alert/update",
+                "alerting:slo.rules.burnRate/alerts/alert/get",
+                "alerting:slo.rules.burnRate/alerts/alert/find",
+                "alerting:slo.rules.burnRate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/alerts/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/alert/update",
+                "alerting:observability.rules.custom_threshold/observability/alert/get",
+                "alerting:observability.rules.custom_threshold/observability/alert/find",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/alert/update",
+                "alerting:observability.rules.custom_threshold/alerts/alert/get",
+                "alerting:observability.rules.custom_threshold/alerts/alert/find",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/alert/update",
+                "alerting:.es-query/observability/alert/get",
+                "alerting:.es-query/observability/alert/find",
+                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/observability/alert/getAlertSummary",
+                "alerting:.es-query/observability/alert/update",
+                "alerting:.es-query/alerts/alert/get",
+                "alerting:.es-query/alerts/alert/find",
+                "alerting:.es-query/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/alerts/alert/getAlertSummary",
+                "alerting:.es-query/alerts/alert/update",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/update",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/update",
+              ],
+              "generate_report": Array [
+                "login:",
+                "api:generateReport",
+                "ui:management/insightsAndAlerting/reporting",
+                "ui:discover/generateCsv",
+              ],
+              "minimal_all": Array [
+                "login:",
+                "api:fileUpload:analyzeFile",
+                "app:discover",
+                "app:kibana",
+                "ui:catalogue/discover",
+                "ui:navLinks/discover",
+                "ui:navLinks/kibana",
+                "saved_object:search/bulk_get",
+                "saved_object:search/get",
+                "saved_object:search/find",
+                "saved_object:search/open_point_in_time",
+                "saved_object:search/close_point_in_time",
+                "saved_object:search/create",
+                "saved_object:search/bulk_create",
+                "saved_object:search/update",
+                "saved_object:search/bulk_update",
+                "saved_object:search/delete",
+                "saved_object:search/bulk_delete",
+                "saved_object:search/share_to_space",
+                "saved_object:query/bulk_get",
+                "saved_object:query/get",
+                "saved_object:query/find",
+                "saved_object:query/open_point_in_time",
+                "saved_object:query/close_point_in_time",
+                "saved_object:query/create",
+                "saved_object:query/bulk_create",
+                "saved_object:query/update",
+                "saved_object:query/bulk_update",
+                "saved_object:query/delete",
+                "saved_object:query/bulk_delete",
+                "saved_object:query/share_to_space",
+                "saved_object:telemetry/bulk_get",
+                "saved_object:telemetry/get",
+                "saved_object:telemetry/find",
+                "saved_object:telemetry/open_point_in_time",
+                "saved_object:telemetry/close_point_in_time",
+                "saved_object:telemetry/create",
+                "saved_object:telemetry/bulk_create",
+                "saved_object:telemetry/update",
+                "saved_object:telemetry/bulk_update",
+                "saved_object:telemetry/delete",
+                "saved_object:telemetry/bulk_delete",
+                "saved_object:telemetry/share_to_space",
+                "saved_object:index-pattern/bulk_get",
+                "saved_object:index-pattern/get",
+                "saved_object:index-pattern/find",
+                "saved_object:index-pattern/open_point_in_time",
+                "saved_object:index-pattern/close_point_in_time",
+                "saved_object:config/bulk_get",
+                "saved_object:config/get",
+                "saved_object:config/find",
+                "saved_object:config/open_point_in_time",
+                "saved_object:config/close_point_in_time",
+                "saved_object:config-global/bulk_get",
+                "saved_object:config-global/get",
+                "saved_object:config-global/find",
+                "saved_object:config-global/open_point_in_time",
+                "saved_object:config-global/close_point_in_time",
+                "saved_object:url/bulk_get",
+                "saved_object:url/get",
+                "saved_object:url/find",
+                "saved_object:url/open_point_in_time",
+                "saved_object:url/close_point_in_time",
+                "ui:discover/show",
+                "ui:discover/save",
+                "ui:discover/saveQuery",
+                "api:rac",
                 "app:observability",
                 "ui:catalogue/observability",
                 "ui:navLinks/observability",
                 "ui:observability/read",
                 "ui:observability/write",
+                "alerting:apm.error_rate/observability/rule/get",
+                "alerting:apm.error_rate/observability/rule/getRuleState",
+                "alerting:apm.error_rate/observability/rule/getAlertSummary",
+                "alerting:apm.error_rate/observability/rule/getExecutionLog",
+                "alerting:apm.error_rate/observability/rule/getActionErrorLog",
+                "alerting:apm.error_rate/observability/rule/find",
+                "alerting:apm.error_rate/observability/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/observability/rule/getBackfill",
+                "alerting:apm.error_rate/observability/rule/findBackfill",
+                "alerting:apm.error_rate/observability/rule/create",
+                "alerting:apm.error_rate/observability/rule/delete",
+                "alerting:apm.error_rate/observability/rule/update",
+                "alerting:apm.error_rate/observability/rule/updateApiKey",
+                "alerting:apm.error_rate/observability/rule/enable",
+                "alerting:apm.error_rate/observability/rule/disable",
+                "alerting:apm.error_rate/observability/rule/muteAll",
+                "alerting:apm.error_rate/observability/rule/unmuteAll",
+                "alerting:apm.error_rate/observability/rule/muteAlert",
+                "alerting:apm.error_rate/observability/rule/unmuteAlert",
+                "alerting:apm.error_rate/observability/rule/snooze",
+                "alerting:apm.error_rate/observability/rule/bulkEdit",
+                "alerting:apm.error_rate/observability/rule/bulkDelete",
+                "alerting:apm.error_rate/observability/rule/bulkEnable",
+                "alerting:apm.error_rate/observability/rule/bulkDisable",
+                "alerting:apm.error_rate/observability/rule/unsnooze",
+                "alerting:apm.error_rate/observability/rule/runSoon",
+                "alerting:apm.error_rate/observability/rule/scheduleBackfill",
+                "alerting:apm.error_rate/observability/rule/deleteBackfill",
+                "alerting:apm.error_rate/alerts/rule/get",
+                "alerting:apm.error_rate/alerts/rule/getRuleState",
+                "alerting:apm.error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.error_rate/alerts/rule/find",
+                "alerting:apm.error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/alerts/rule/getBackfill",
+                "alerting:apm.error_rate/alerts/rule/findBackfill",
+                "alerting:apm.error_rate/alerts/rule/create",
+                "alerting:apm.error_rate/alerts/rule/delete",
+                "alerting:apm.error_rate/alerts/rule/update",
+                "alerting:apm.error_rate/alerts/rule/updateApiKey",
+                "alerting:apm.error_rate/alerts/rule/enable",
+                "alerting:apm.error_rate/alerts/rule/disable",
+                "alerting:apm.error_rate/alerts/rule/muteAll",
+                "alerting:apm.error_rate/alerts/rule/unmuteAll",
+                "alerting:apm.error_rate/alerts/rule/muteAlert",
+                "alerting:apm.error_rate/alerts/rule/unmuteAlert",
+                "alerting:apm.error_rate/alerts/rule/snooze",
+                "alerting:apm.error_rate/alerts/rule/bulkEdit",
+                "alerting:apm.error_rate/alerts/rule/bulkDelete",
+                "alerting:apm.error_rate/alerts/rule/bulkEnable",
+                "alerting:apm.error_rate/alerts/rule/bulkDisable",
+                "alerting:apm.error_rate/alerts/rule/unsnooze",
+                "alerting:apm.error_rate/alerts/rule/runSoon",
+                "alerting:apm.error_rate/alerts/rule/scheduleBackfill",
+                "alerting:apm.error_rate/alerts/rule/deleteBackfill",
+                "alerting:apm.transaction_error_rate/observability/rule/get",
+                "alerting:apm.transaction_error_rate/observability/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/observability/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/observability/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/observability/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/observability/rule/find",
+                "alerting:apm.transaction_error_rate/observability/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/observability/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/observability/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/observability/rule/create",
+                "alerting:apm.transaction_error_rate/observability/rule/delete",
+                "alerting:apm.transaction_error_rate/observability/rule/update",
+                "alerting:apm.transaction_error_rate/observability/rule/updateApiKey",
+                "alerting:apm.transaction_error_rate/observability/rule/enable",
+                "alerting:apm.transaction_error_rate/observability/rule/disable",
+                "alerting:apm.transaction_error_rate/observability/rule/muteAll",
+                "alerting:apm.transaction_error_rate/observability/rule/unmuteAll",
+                "alerting:apm.transaction_error_rate/observability/rule/muteAlert",
+                "alerting:apm.transaction_error_rate/observability/rule/unmuteAlert",
+                "alerting:apm.transaction_error_rate/observability/rule/snooze",
+                "alerting:apm.transaction_error_rate/observability/rule/bulkEdit",
+                "alerting:apm.transaction_error_rate/observability/rule/bulkDelete",
+                "alerting:apm.transaction_error_rate/observability/rule/bulkEnable",
+                "alerting:apm.transaction_error_rate/observability/rule/bulkDisable",
+                "alerting:apm.transaction_error_rate/observability/rule/unsnooze",
+                "alerting:apm.transaction_error_rate/observability/rule/runSoon",
+                "alerting:apm.transaction_error_rate/observability/rule/scheduleBackfill",
+                "alerting:apm.transaction_error_rate/observability/rule/deleteBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/get",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/find",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/alerts/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/create",
+                "alerting:apm.transaction_error_rate/alerts/rule/delete",
+                "alerting:apm.transaction_error_rate/alerts/rule/update",
+                "alerting:apm.transaction_error_rate/alerts/rule/updateApiKey",
+                "alerting:apm.transaction_error_rate/alerts/rule/enable",
+                "alerting:apm.transaction_error_rate/alerts/rule/disable",
+                "alerting:apm.transaction_error_rate/alerts/rule/muteAll",
+                "alerting:apm.transaction_error_rate/alerts/rule/unmuteAll",
+                "alerting:apm.transaction_error_rate/alerts/rule/muteAlert",
+                "alerting:apm.transaction_error_rate/alerts/rule/unmuteAlert",
+                "alerting:apm.transaction_error_rate/alerts/rule/snooze",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkEdit",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkDelete",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkEnable",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkDisable",
+                "alerting:apm.transaction_error_rate/alerts/rule/unsnooze",
+                "alerting:apm.transaction_error_rate/alerts/rule/runSoon",
+                "alerting:apm.transaction_error_rate/alerts/rule/scheduleBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/deleteBackfill",
+                "alerting:apm.transaction_duration/observability/rule/get",
+                "alerting:apm.transaction_duration/observability/rule/getRuleState",
+                "alerting:apm.transaction_duration/observability/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/observability/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/observability/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/observability/rule/find",
+                "alerting:apm.transaction_duration/observability/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/observability/rule/getBackfill",
+                "alerting:apm.transaction_duration/observability/rule/findBackfill",
+                "alerting:apm.transaction_duration/observability/rule/create",
+                "alerting:apm.transaction_duration/observability/rule/delete",
+                "alerting:apm.transaction_duration/observability/rule/update",
+                "alerting:apm.transaction_duration/observability/rule/updateApiKey",
+                "alerting:apm.transaction_duration/observability/rule/enable",
+                "alerting:apm.transaction_duration/observability/rule/disable",
+                "alerting:apm.transaction_duration/observability/rule/muteAll",
+                "alerting:apm.transaction_duration/observability/rule/unmuteAll",
+                "alerting:apm.transaction_duration/observability/rule/muteAlert",
+                "alerting:apm.transaction_duration/observability/rule/unmuteAlert",
+                "alerting:apm.transaction_duration/observability/rule/snooze",
+                "alerting:apm.transaction_duration/observability/rule/bulkEdit",
+                "alerting:apm.transaction_duration/observability/rule/bulkDelete",
+                "alerting:apm.transaction_duration/observability/rule/bulkEnable",
+                "alerting:apm.transaction_duration/observability/rule/bulkDisable",
+                "alerting:apm.transaction_duration/observability/rule/unsnooze",
+                "alerting:apm.transaction_duration/observability/rule/runSoon",
+                "alerting:apm.transaction_duration/observability/rule/scheduleBackfill",
+                "alerting:apm.transaction_duration/observability/rule/deleteBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/get",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleState",
+                "alerting:apm.transaction_duration/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/alerts/rule/find",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/alerts/rule/getBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/findBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/create",
+                "alerting:apm.transaction_duration/alerts/rule/delete",
+                "alerting:apm.transaction_duration/alerts/rule/update",
+                "alerting:apm.transaction_duration/alerts/rule/updateApiKey",
+                "alerting:apm.transaction_duration/alerts/rule/enable",
+                "alerting:apm.transaction_duration/alerts/rule/disable",
+                "alerting:apm.transaction_duration/alerts/rule/muteAll",
+                "alerting:apm.transaction_duration/alerts/rule/unmuteAll",
+                "alerting:apm.transaction_duration/alerts/rule/muteAlert",
+                "alerting:apm.transaction_duration/alerts/rule/unmuteAlert",
+                "alerting:apm.transaction_duration/alerts/rule/snooze",
+                "alerting:apm.transaction_duration/alerts/rule/bulkEdit",
+                "alerting:apm.transaction_duration/alerts/rule/bulkDelete",
+                "alerting:apm.transaction_duration/alerts/rule/bulkEnable",
+                "alerting:apm.transaction_duration/alerts/rule/bulkDisable",
+                "alerting:apm.transaction_duration/alerts/rule/unsnooze",
+                "alerting:apm.transaction_duration/alerts/rule/runSoon",
+                "alerting:apm.transaction_duration/alerts/rule/scheduleBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/deleteBackfill",
+                "alerting:apm.anomaly/observability/rule/get",
+                "alerting:apm.anomaly/observability/rule/getRuleState",
+                "alerting:apm.anomaly/observability/rule/getAlertSummary",
+                "alerting:apm.anomaly/observability/rule/getExecutionLog",
+                "alerting:apm.anomaly/observability/rule/getActionErrorLog",
+                "alerting:apm.anomaly/observability/rule/find",
+                "alerting:apm.anomaly/observability/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/observability/rule/getBackfill",
+                "alerting:apm.anomaly/observability/rule/findBackfill",
+                "alerting:apm.anomaly/observability/rule/create",
+                "alerting:apm.anomaly/observability/rule/delete",
+                "alerting:apm.anomaly/observability/rule/update",
+                "alerting:apm.anomaly/observability/rule/updateApiKey",
+                "alerting:apm.anomaly/observability/rule/enable",
+                "alerting:apm.anomaly/observability/rule/disable",
+                "alerting:apm.anomaly/observability/rule/muteAll",
+                "alerting:apm.anomaly/observability/rule/unmuteAll",
+                "alerting:apm.anomaly/observability/rule/muteAlert",
+                "alerting:apm.anomaly/observability/rule/unmuteAlert",
+                "alerting:apm.anomaly/observability/rule/snooze",
+                "alerting:apm.anomaly/observability/rule/bulkEdit",
+                "alerting:apm.anomaly/observability/rule/bulkDelete",
+                "alerting:apm.anomaly/observability/rule/bulkEnable",
+                "alerting:apm.anomaly/observability/rule/bulkDisable",
+                "alerting:apm.anomaly/observability/rule/unsnooze",
+                "alerting:apm.anomaly/observability/rule/runSoon",
+                "alerting:apm.anomaly/observability/rule/scheduleBackfill",
+                "alerting:apm.anomaly/observability/rule/deleteBackfill",
+                "alerting:apm.anomaly/alerts/rule/get",
+                "alerting:apm.anomaly/alerts/rule/getRuleState",
+                "alerting:apm.anomaly/alerts/rule/getAlertSummary",
+                "alerting:apm.anomaly/alerts/rule/getExecutionLog",
+                "alerting:apm.anomaly/alerts/rule/getActionErrorLog",
+                "alerting:apm.anomaly/alerts/rule/find",
+                "alerting:apm.anomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/alerts/rule/getBackfill",
+                "alerting:apm.anomaly/alerts/rule/findBackfill",
+                "alerting:apm.anomaly/alerts/rule/create",
+                "alerting:apm.anomaly/alerts/rule/delete",
+                "alerting:apm.anomaly/alerts/rule/update",
+                "alerting:apm.anomaly/alerts/rule/updateApiKey",
+                "alerting:apm.anomaly/alerts/rule/enable",
+                "alerting:apm.anomaly/alerts/rule/disable",
+                "alerting:apm.anomaly/alerts/rule/muteAll",
+                "alerting:apm.anomaly/alerts/rule/unmuteAll",
+                "alerting:apm.anomaly/alerts/rule/muteAlert",
+                "alerting:apm.anomaly/alerts/rule/unmuteAlert",
+                "alerting:apm.anomaly/alerts/rule/snooze",
+                "alerting:apm.anomaly/alerts/rule/bulkEdit",
+                "alerting:apm.anomaly/alerts/rule/bulkDelete",
+                "alerting:apm.anomaly/alerts/rule/bulkEnable",
+                "alerting:apm.anomaly/alerts/rule/bulkDisable",
+                "alerting:apm.anomaly/alerts/rule/unsnooze",
+                "alerting:apm.anomaly/alerts/rule/runSoon",
+                "alerting:apm.anomaly/alerts/rule/scheduleBackfill",
+                "alerting:apm.anomaly/alerts/rule/deleteBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/create",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/delete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/enable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/disable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/snooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/deleteBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/create",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/delete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/enable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/disable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/snooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/deleteBackfill",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/create",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/delete",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/update",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/enable",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/disable",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/snooze",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/deleteBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/create",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/delete",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/update",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/enable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/disable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/snooze",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/deleteBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/get",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/observability/rule/find",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/create",
+                "alerting:metrics.alert.threshold/observability/rule/delete",
+                "alerting:metrics.alert.threshold/observability/rule/update",
+                "alerting:metrics.alert.threshold/observability/rule/updateApiKey",
+                "alerting:metrics.alert.threshold/observability/rule/enable",
+                "alerting:metrics.alert.threshold/observability/rule/disable",
+                "alerting:metrics.alert.threshold/observability/rule/muteAll",
+                "alerting:metrics.alert.threshold/observability/rule/unmuteAll",
+                "alerting:metrics.alert.threshold/observability/rule/muteAlert",
+                "alerting:metrics.alert.threshold/observability/rule/unmuteAlert",
+                "alerting:metrics.alert.threshold/observability/rule/snooze",
+                "alerting:metrics.alert.threshold/observability/rule/bulkEdit",
+                "alerting:metrics.alert.threshold/observability/rule/bulkDelete",
+                "alerting:metrics.alert.threshold/observability/rule/bulkEnable",
+                "alerting:metrics.alert.threshold/observability/rule/bulkDisable",
+                "alerting:metrics.alert.threshold/observability/rule/unsnooze",
+                "alerting:metrics.alert.threshold/observability/rule/runSoon",
+                "alerting:metrics.alert.threshold/observability/rule/scheduleBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/deleteBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/get",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/alerts/rule/find",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/create",
+                "alerting:metrics.alert.threshold/alerts/rule/delete",
+                "alerting:metrics.alert.threshold/alerts/rule/update",
+                "alerting:metrics.alert.threshold/alerts/rule/updateApiKey",
+                "alerting:metrics.alert.threshold/alerts/rule/enable",
+                "alerting:metrics.alert.threshold/alerts/rule/disable",
+                "alerting:metrics.alert.threshold/alerts/rule/muteAll",
+                "alerting:metrics.alert.threshold/alerts/rule/unmuteAll",
+                "alerting:metrics.alert.threshold/alerts/rule/muteAlert",
+                "alerting:metrics.alert.threshold/alerts/rule/unmuteAlert",
+                "alerting:metrics.alert.threshold/alerts/rule/snooze",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkEdit",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkDelete",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkEnable",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkDisable",
+                "alerting:metrics.alert.threshold/alerts/rule/unsnooze",
+                "alerting:metrics.alert.threshold/alerts/rule/runSoon",
+                "alerting:metrics.alert.threshold/alerts/rule/scheduleBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/deleteBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/create",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/delete",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/update",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/updateApiKey",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/enable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/disable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAll",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAll",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAlert",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAlert",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/snooze",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEdit",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDelete",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEnable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDisable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unsnooze",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/runSoon",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/scheduleBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/deleteBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/create",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/delete",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/update",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/updateApiKey",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/enable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/disable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/muteAll",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unmuteAll",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/muteAlert",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unmuteAlert",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/snooze",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkEdit",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkDelete",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkEnable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkDisable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unsnooze",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/runSoon",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/scheduleBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/create",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/update",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/create",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/create",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/create",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/deleteBackfill",
+                "alerting:logs.alert.document.count/observability/rule/get",
+                "alerting:logs.alert.document.count/observability/rule/getRuleState",
+                "alerting:logs.alert.document.count/observability/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/observability/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/observability/rule/find",
+                "alerting:logs.alert.document.count/observability/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/observability/rule/getBackfill",
+                "alerting:logs.alert.document.count/observability/rule/findBackfill",
+                "alerting:logs.alert.document.count/observability/rule/create",
+                "alerting:logs.alert.document.count/observability/rule/delete",
+                "alerting:logs.alert.document.count/observability/rule/update",
+                "alerting:logs.alert.document.count/observability/rule/updateApiKey",
+                "alerting:logs.alert.document.count/observability/rule/enable",
+                "alerting:logs.alert.document.count/observability/rule/disable",
+                "alerting:logs.alert.document.count/observability/rule/muteAll",
+                "alerting:logs.alert.document.count/observability/rule/unmuteAll",
+                "alerting:logs.alert.document.count/observability/rule/muteAlert",
+                "alerting:logs.alert.document.count/observability/rule/unmuteAlert",
+                "alerting:logs.alert.document.count/observability/rule/snooze",
+                "alerting:logs.alert.document.count/observability/rule/bulkEdit",
+                "alerting:logs.alert.document.count/observability/rule/bulkDelete",
+                "alerting:logs.alert.document.count/observability/rule/bulkEnable",
+                "alerting:logs.alert.document.count/observability/rule/bulkDisable",
+                "alerting:logs.alert.document.count/observability/rule/unsnooze",
+                "alerting:logs.alert.document.count/observability/rule/runSoon",
+                "alerting:logs.alert.document.count/observability/rule/scheduleBackfill",
+                "alerting:logs.alert.document.count/observability/rule/deleteBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/get",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleState",
+                "alerting:logs.alert.document.count/alerts/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/alerts/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/alerts/rule/find",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/alerts/rule/getBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/findBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/create",
+                "alerting:logs.alert.document.count/alerts/rule/delete",
+                "alerting:logs.alert.document.count/alerts/rule/update",
+                "alerting:logs.alert.document.count/alerts/rule/updateApiKey",
+                "alerting:logs.alert.document.count/alerts/rule/enable",
+                "alerting:logs.alert.document.count/alerts/rule/disable",
+                "alerting:logs.alert.document.count/alerts/rule/muteAll",
+                "alerting:logs.alert.document.count/alerts/rule/unmuteAll",
+                "alerting:logs.alert.document.count/alerts/rule/muteAlert",
+                "alerting:logs.alert.document.count/alerts/rule/unmuteAlert",
+                "alerting:logs.alert.document.count/alerts/rule/snooze",
+                "alerting:logs.alert.document.count/alerts/rule/bulkEdit",
+                "alerting:logs.alert.document.count/alerts/rule/bulkDelete",
+                "alerting:logs.alert.document.count/alerts/rule/bulkEnable",
+                "alerting:logs.alert.document.count/alerts/rule/bulkDisable",
+                "alerting:logs.alert.document.count/alerts/rule/unsnooze",
+                "alerting:logs.alert.document.count/alerts/rule/runSoon",
+                "alerting:logs.alert.document.count/alerts/rule/scheduleBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/deleteBackfill",
                 "alerting:slo.rules.burnRate/observability/rule/get",
                 "alerting:slo.rules.burnRate/observability/rule/getRuleState",
                 "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
@@ -6236,6 +6858,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:slo.rules.burnRate/observability/rule/runSoon",
                 "alerting:slo.rules.burnRate/observability/rule/scheduleBackfill",
                 "alerting:slo.rules.burnRate/observability/rule/deleteBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/get",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleState",
+                "alerting:slo.rules.burnRate/alerts/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/alerts/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/alerts/rule/find",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/alerts/rule/getBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/findBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/create",
+                "alerting:slo.rules.burnRate/alerts/rule/delete",
+                "alerting:slo.rules.burnRate/alerts/rule/update",
+                "alerting:slo.rules.burnRate/alerts/rule/updateApiKey",
+                "alerting:slo.rules.burnRate/alerts/rule/enable",
+                "alerting:slo.rules.burnRate/alerts/rule/disable",
+                "alerting:slo.rules.burnRate/alerts/rule/muteAll",
+                "alerting:slo.rules.burnRate/alerts/rule/unmuteAll",
+                "alerting:slo.rules.burnRate/alerts/rule/muteAlert",
+                "alerting:slo.rules.burnRate/alerts/rule/unmuteAlert",
+                "alerting:slo.rules.burnRate/alerts/rule/snooze",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkEdit",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkDelete",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkEnable",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkDisable",
+                "alerting:slo.rules.burnRate/alerts/rule/unsnooze",
+                "alerting:slo.rules.burnRate/alerts/rule/runSoon",
+                "alerting:slo.rules.burnRate/alerts/rule/scheduleBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/deleteBackfill",
                 "alerting:observability.rules.custom_threshold/observability/rule/get",
                 "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
                 "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
@@ -6264,6 +6914,635 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:observability.rules.custom_threshold/observability/rule/runSoon",
                 "alerting:observability.rules.custom_threshold/observability/rule/scheduleBackfill",
                 "alerting:observability.rules.custom_threshold/observability/rule/deleteBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/get",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/find",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/create",
+                "alerting:observability.rules.custom_threshold/alerts/rule/delete",
+                "alerting:observability.rules.custom_threshold/alerts/rule/update",
+                "alerting:observability.rules.custom_threshold/alerts/rule/updateApiKey",
+                "alerting:observability.rules.custom_threshold/alerts/rule/enable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/disable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/muteAll",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unmuteAll",
+                "alerting:observability.rules.custom_threshold/alerts/rule/muteAlert",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unmuteAlert",
+                "alerting:observability.rules.custom_threshold/alerts/rule/snooze",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkEdit",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkDelete",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkEnable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkDisable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unsnooze",
+                "alerting:observability.rules.custom_threshold/alerts/rule/runSoon",
+                "alerting:observability.rules.custom_threshold/alerts/rule/scheduleBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/deleteBackfill",
+                "alerting:.es-query/observability/rule/get",
+                "alerting:.es-query/observability/rule/getRuleState",
+                "alerting:.es-query/observability/rule/getAlertSummary",
+                "alerting:.es-query/observability/rule/getExecutionLog",
+                "alerting:.es-query/observability/rule/getActionErrorLog",
+                "alerting:.es-query/observability/rule/find",
+                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
+                "alerting:.es-query/observability/rule/getBackfill",
+                "alerting:.es-query/observability/rule/findBackfill",
+                "alerting:.es-query/observability/rule/create",
+                "alerting:.es-query/observability/rule/delete",
+                "alerting:.es-query/observability/rule/update",
+                "alerting:.es-query/observability/rule/updateApiKey",
+                "alerting:.es-query/observability/rule/enable",
+                "alerting:.es-query/observability/rule/disable",
+                "alerting:.es-query/observability/rule/muteAll",
+                "alerting:.es-query/observability/rule/unmuteAll",
+                "alerting:.es-query/observability/rule/muteAlert",
+                "alerting:.es-query/observability/rule/unmuteAlert",
+                "alerting:.es-query/observability/rule/snooze",
+                "alerting:.es-query/observability/rule/bulkEdit",
+                "alerting:.es-query/observability/rule/bulkDelete",
+                "alerting:.es-query/observability/rule/bulkEnable",
+                "alerting:.es-query/observability/rule/bulkDisable",
+                "alerting:.es-query/observability/rule/unsnooze",
+                "alerting:.es-query/observability/rule/runSoon",
+                "alerting:.es-query/observability/rule/scheduleBackfill",
+                "alerting:.es-query/observability/rule/deleteBackfill",
+                "alerting:.es-query/alerts/rule/get",
+                "alerting:.es-query/alerts/rule/getRuleState",
+                "alerting:.es-query/alerts/rule/getAlertSummary",
+                "alerting:.es-query/alerts/rule/getExecutionLog",
+                "alerting:.es-query/alerts/rule/getActionErrorLog",
+                "alerting:.es-query/alerts/rule/find",
+                "alerting:.es-query/alerts/rule/getRuleExecutionKPI",
+                "alerting:.es-query/alerts/rule/getBackfill",
+                "alerting:.es-query/alerts/rule/findBackfill",
+                "alerting:.es-query/alerts/rule/create",
+                "alerting:.es-query/alerts/rule/delete",
+                "alerting:.es-query/alerts/rule/update",
+                "alerting:.es-query/alerts/rule/updateApiKey",
+                "alerting:.es-query/alerts/rule/enable",
+                "alerting:.es-query/alerts/rule/disable",
+                "alerting:.es-query/alerts/rule/muteAll",
+                "alerting:.es-query/alerts/rule/unmuteAll",
+                "alerting:.es-query/alerts/rule/muteAlert",
+                "alerting:.es-query/alerts/rule/unmuteAlert",
+                "alerting:.es-query/alerts/rule/snooze",
+                "alerting:.es-query/alerts/rule/bulkEdit",
+                "alerting:.es-query/alerts/rule/bulkDelete",
+                "alerting:.es-query/alerts/rule/bulkEnable",
+                "alerting:.es-query/alerts/rule/bulkDisable",
+                "alerting:.es-query/alerts/rule/unsnooze",
+                "alerting:.es-query/alerts/rule/runSoon",
+                "alerting:.es-query/alerts/rule/scheduleBackfill",
+                "alerting:.es-query/alerts/rule/deleteBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/deleteBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/deleteBackfill",
+                "alerting:apm.error_rate/observability/alert/get",
+                "alerting:apm.error_rate/observability/alert/find",
+                "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.error_rate/observability/alert/update",
+                "alerting:apm.error_rate/alerts/alert/get",
+                "alerting:apm.error_rate/alerts/alert/find",
+                "alerting:apm.error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/alerts/alert/getAlertSummary",
+                "alerting:apm.error_rate/alerts/alert/update",
+                "alerting:apm.transaction_error_rate/observability/alert/get",
+                "alerting:apm.transaction_error_rate/observability/alert/find",
+                "alerting:apm.transaction_error_rate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/observability/alert/update",
+                "alerting:apm.transaction_error_rate/alerts/alert/get",
+                "alerting:apm.transaction_error_rate/alerts/alert/find",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/alert/update",
+                "alerting:apm.transaction_duration/observability/alert/get",
+                "alerting:apm.transaction_duration/observability/alert/find",
+                "alerting:apm.transaction_duration/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/observability/alert/update",
+                "alerting:apm.transaction_duration/alerts/alert/get",
+                "alerting:apm.transaction_duration/alerts/alert/find",
+                "alerting:apm.transaction_duration/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/alerts/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/alert/update",
+                "alerting:apm.anomaly/observability/alert/get",
+                "alerting:apm.anomaly/observability/alert/find",
+                "alerting:apm.anomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/observability/alert/getAlertSummary",
+                "alerting:apm.anomaly/observability/alert/update",
+                "alerting:apm.anomaly/alerts/alert/get",
+                "alerting:apm.anomaly/alerts/alert/find",
+                "alerting:apm.anomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/alerts/alert/getAlertSummary",
+                "alerting:apm.anomaly/alerts/alert/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/update",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/update",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/update",
+                "alerting:metrics.alert.threshold/observability/alert/get",
+                "alerting:metrics.alert.threshold/observability/alert/find",
+                "alerting:metrics.alert.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/alert/update",
+                "alerting:metrics.alert.threshold/alerts/alert/get",
+                "alerting:metrics.alert.threshold/alerts/alert/find",
+                "alerting:metrics.alert.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/alert/update",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/update",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/update",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/update",
+                "alerting:logs.alert.document.count/observability/alert/get",
+                "alerting:logs.alert.document.count/observability/alert/find",
+                "alerting:logs.alert.document.count/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/observability/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/alert/update",
+                "alerting:logs.alert.document.count/alerts/alert/get",
+                "alerting:logs.alert.document.count/alerts/alert/find",
+                "alerting:logs.alert.document.count/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/alerts/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/alert/update",
+                "alerting:slo.rules.burnRate/observability/alert/get",
+                "alerting:slo.rules.burnRate/observability/alert/find",
+                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/alert/update",
+                "alerting:slo.rules.burnRate/alerts/alert/get",
+                "alerting:slo.rules.burnRate/alerts/alert/find",
+                "alerting:slo.rules.burnRate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/alerts/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/alert/update",
+                "alerting:observability.rules.custom_threshold/observability/alert/get",
+                "alerting:observability.rules.custom_threshold/observability/alert/find",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/alert/update",
+                "alerting:observability.rules.custom_threshold/alerts/alert/get",
+                "alerting:observability.rules.custom_threshold/alerts/alert/find",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/alert/update",
+                "alerting:.es-query/observability/alert/get",
+                "alerting:.es-query/observability/alert/find",
+                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/observability/alert/getAlertSummary",
+                "alerting:.es-query/observability/alert/update",
+                "alerting:.es-query/alerts/alert/get",
+                "alerting:.es-query/alerts/alert/find",
+                "alerting:.es-query/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/alerts/alert/getAlertSummary",
+                "alerting:.es-query/alerts/alert/update",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/update",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/update",
+              ],
+              "minimal_read": Array [
+                "login:",
+                "app:discover",
+                "app:kibana",
+                "ui:catalogue/discover",
+                "ui:navLinks/discover",
+                "ui:navLinks/kibana",
+                "saved_object:index-pattern/bulk_get",
+                "saved_object:index-pattern/get",
+                "saved_object:index-pattern/find",
+                "saved_object:index-pattern/open_point_in_time",
+                "saved_object:index-pattern/close_point_in_time",
+                "saved_object:search/bulk_get",
+                "saved_object:search/get",
+                "saved_object:search/find",
+                "saved_object:search/open_point_in_time",
+                "saved_object:search/close_point_in_time",
+                "saved_object:query/bulk_get",
+                "saved_object:query/get",
+                "saved_object:query/find",
+                "saved_object:query/open_point_in_time",
+                "saved_object:query/close_point_in_time",
+                "saved_object:config/bulk_get",
+                "saved_object:config/get",
+                "saved_object:config/find",
+                "saved_object:config/open_point_in_time",
+                "saved_object:config/close_point_in_time",
+                "saved_object:config-global/bulk_get",
+                "saved_object:config-global/get",
+                "saved_object:config-global/find",
+                "saved_object:config-global/open_point_in_time",
+                "saved_object:config-global/close_point_in_time",
+                "saved_object:telemetry/bulk_get",
+                "saved_object:telemetry/get",
+                "saved_object:telemetry/find",
+                "saved_object:telemetry/open_point_in_time",
+                "saved_object:telemetry/close_point_in_time",
+                "saved_object:url/bulk_get",
+                "saved_object:url/get",
+                "saved_object:url/find",
+                "saved_object:url/open_point_in_time",
+                "saved_object:url/close_point_in_time",
+                "ui:discover/show",
+                "api:rac",
+                "app:observability",
+                "ui:catalogue/observability",
+                "ui:navLinks/observability",
+                "ui:observability/read",
+                "alerting:apm.error_rate/observability/rule/get",
+                "alerting:apm.error_rate/observability/rule/getRuleState",
+                "alerting:apm.error_rate/observability/rule/getAlertSummary",
+                "alerting:apm.error_rate/observability/rule/getExecutionLog",
+                "alerting:apm.error_rate/observability/rule/getActionErrorLog",
+                "alerting:apm.error_rate/observability/rule/find",
+                "alerting:apm.error_rate/observability/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/observability/rule/getBackfill",
+                "alerting:apm.error_rate/observability/rule/findBackfill",
+                "alerting:apm.error_rate/alerts/rule/get",
+                "alerting:apm.error_rate/alerts/rule/getRuleState",
+                "alerting:apm.error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.error_rate/alerts/rule/find",
+                "alerting:apm.error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/alerts/rule/getBackfill",
+                "alerting:apm.error_rate/alerts/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/observability/rule/get",
+                "alerting:apm.transaction_error_rate/observability/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/observability/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/observability/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/observability/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/observability/rule/find",
+                "alerting:apm.transaction_error_rate/observability/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/observability/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/observability/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/get",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/find",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/alerts/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/findBackfill",
+                "alerting:apm.transaction_duration/observability/rule/get",
+                "alerting:apm.transaction_duration/observability/rule/getRuleState",
+                "alerting:apm.transaction_duration/observability/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/observability/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/observability/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/observability/rule/find",
+                "alerting:apm.transaction_duration/observability/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/observability/rule/getBackfill",
+                "alerting:apm.transaction_duration/observability/rule/findBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/get",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleState",
+                "alerting:apm.transaction_duration/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/alerts/rule/find",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/alerts/rule/getBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/findBackfill",
+                "alerting:apm.anomaly/observability/rule/get",
+                "alerting:apm.anomaly/observability/rule/getRuleState",
+                "alerting:apm.anomaly/observability/rule/getAlertSummary",
+                "alerting:apm.anomaly/observability/rule/getExecutionLog",
+                "alerting:apm.anomaly/observability/rule/getActionErrorLog",
+                "alerting:apm.anomaly/observability/rule/find",
+                "alerting:apm.anomaly/observability/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/observability/rule/getBackfill",
+                "alerting:apm.anomaly/observability/rule/findBackfill",
+                "alerting:apm.anomaly/alerts/rule/get",
+                "alerting:apm.anomaly/alerts/rule/getRuleState",
+                "alerting:apm.anomaly/alerts/rule/getAlertSummary",
+                "alerting:apm.anomaly/alerts/rule/getExecutionLog",
+                "alerting:apm.anomaly/alerts/rule/getActionErrorLog",
+                "alerting:apm.anomaly/alerts/rule/find",
+                "alerting:apm.anomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/alerts/rule/getBackfill",
+                "alerting:apm.anomaly/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/findBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/get",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/observability/rule/find",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/get",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/alerts/rule/find",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/findBackfill",
+                "alerting:logs.alert.document.count/observability/rule/get",
+                "alerting:logs.alert.document.count/observability/rule/getRuleState",
+                "alerting:logs.alert.document.count/observability/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/observability/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/observability/rule/find",
+                "alerting:logs.alert.document.count/observability/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/observability/rule/getBackfill",
+                "alerting:logs.alert.document.count/observability/rule/findBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/get",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleState",
+                "alerting:logs.alert.document.count/alerts/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/alerts/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/alerts/rule/find",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/alerts/rule/getBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/findBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/get",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
+                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/observability/rule/find",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/get",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleState",
+                "alerting:slo.rules.burnRate/alerts/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/alerts/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/alerts/rule/find",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/alerts/rule/getBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/get",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/find",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/get",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/find",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/findBackfill",
                 "alerting:.es-query/observability/rule/get",
                 "alerting:.es-query/observability/rule/getRuleState",
                 "alerting:.es-query/observability/rule/getAlertSummary",
@@ -6273,25 +7552,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:.es-query/observability/rule/getRuleExecutionKPI",
                 "alerting:.es-query/observability/rule/getBackfill",
                 "alerting:.es-query/observability/rule/findBackfill",
-                "alerting:.es-query/observability/rule/create",
-                "alerting:.es-query/observability/rule/delete",
-                "alerting:.es-query/observability/rule/update",
-                "alerting:.es-query/observability/rule/updateApiKey",
-                "alerting:.es-query/observability/rule/enable",
-                "alerting:.es-query/observability/rule/disable",
-                "alerting:.es-query/observability/rule/muteAll",
-                "alerting:.es-query/observability/rule/unmuteAll",
-                "alerting:.es-query/observability/rule/muteAlert",
-                "alerting:.es-query/observability/rule/unmuteAlert",
-                "alerting:.es-query/observability/rule/snooze",
-                "alerting:.es-query/observability/rule/bulkEdit",
-                "alerting:.es-query/observability/rule/bulkDelete",
-                "alerting:.es-query/observability/rule/bulkEnable",
-                "alerting:.es-query/observability/rule/bulkDisable",
-                "alerting:.es-query/observability/rule/unsnooze",
-                "alerting:.es-query/observability/rule/runSoon",
-                "alerting:.es-query/observability/rule/scheduleBackfill",
-                "alerting:.es-query/observability/rule/deleteBackfill",
+                "alerting:.es-query/alerts/rule/get",
+                "alerting:.es-query/alerts/rule/getRuleState",
+                "alerting:.es-query/alerts/rule/getAlertSummary",
+                "alerting:.es-query/alerts/rule/getExecutionLog",
+                "alerting:.es-query/alerts/rule/getActionErrorLog",
+                "alerting:.es-query/alerts/rule/find",
+                "alerting:.es-query/alerts/rule/getRuleExecutionKPI",
+                "alerting:.es-query/alerts/rule/getBackfill",
+                "alerting:.es-query/alerts/rule/findBackfill",
                 "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
                 "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
                 "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
@@ -6301,53 +7570,208 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
                 "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
                 "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/create",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/delete",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/update",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/updateApiKey",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/enable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/disable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/snooze",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEdit",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDelete",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEnable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDisable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unsnooze",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/runSoon",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/scheduleBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/deleteBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/create",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/delete",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/update",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/updateApiKey",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/enable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/disable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAll",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAll",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAlert",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAlert",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/snooze",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEdit",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDelete",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEnable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDisable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unsnooze",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/runSoon",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/scheduleBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/deleteBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/findBackfill",
+                "alerting:apm.error_rate/observability/alert/get",
+                "alerting:apm.error_rate/observability/alert/find",
+                "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.error_rate/alerts/alert/get",
+                "alerting:apm.error_rate/alerts/alert/find",
+                "alerting:apm.error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/alerts/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/observability/alert/get",
+                "alerting:apm.transaction_error_rate/observability/alert/find",
+                "alerting:apm.transaction_error_rate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/alert/get",
+                "alerting:apm.transaction_error_rate/alerts/alert/find",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/observability/alert/get",
+                "alerting:apm.transaction_duration/observability/alert/find",
+                "alerting:apm.transaction_duration/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/alert/get",
+                "alerting:apm.transaction_duration/alerts/alert/find",
+                "alerting:apm.transaction_duration/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/alerts/alert/getAlertSummary",
+                "alerting:apm.anomaly/observability/alert/get",
+                "alerting:apm.anomaly/observability/alert/find",
+                "alerting:apm.anomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/observability/alert/getAlertSummary",
+                "alerting:apm.anomaly/alerts/alert/get",
+                "alerting:apm.anomaly/alerts/alert/find",
+                "alerting:apm.anomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/alert/get",
+                "alerting:metrics.alert.threshold/observability/alert/find",
+                "alerting:metrics.alert.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/alert/get",
+                "alerting:metrics.alert.threshold/alerts/alert/find",
+                "alerting:metrics.alert.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/alert/get",
+                "alerting:logs.alert.document.count/observability/alert/find",
+                "alerting:logs.alert.document.count/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/observability/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/alert/get",
+                "alerting:logs.alert.document.count/alerts/alert/find",
+                "alerting:logs.alert.document.count/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/alerts/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/alert/get",
+                "alerting:slo.rules.burnRate/observability/alert/find",
+                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/alert/get",
+                "alerting:slo.rules.burnRate/alerts/alert/find",
+                "alerting:slo.rules.burnRate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/alerts/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/alert/get",
+                "alerting:observability.rules.custom_threshold/observability/alert/find",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/alert/get",
+                "alerting:observability.rules.custom_threshold/alerts/alert/find",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAlertSummary",
+                "alerting:.es-query/observability/alert/get",
+                "alerting:.es-query/observability/alert/find",
+                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/observability/alert/getAlertSummary",
+                "alerting:.es-query/alerts/alert/get",
+                "alerting:.es-query/alerts/alert/find",
+                "alerting:.es-query/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/alerts/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAlertSummary",
+              ],
+              "read": Array [
+                "login:",
+                "app:discover",
+                "app:kibana",
+                "ui:catalogue/discover",
+                "ui:navLinks/discover",
+                "ui:navLinks/kibana",
+                "saved_object:url/bulk_get",
+                "saved_object:url/get",
+                "saved_object:url/find",
+                "saved_object:url/open_point_in_time",
+                "saved_object:url/close_point_in_time",
+                "saved_object:url/create",
+                "saved_object:url/bulk_create",
+                "saved_object:url/update",
+                "saved_object:url/bulk_update",
+                "saved_object:url/delete",
+                "saved_object:url/bulk_delete",
+                "saved_object:url/share_to_space",
+                "saved_object:index-pattern/bulk_get",
+                "saved_object:index-pattern/get",
+                "saved_object:index-pattern/find",
+                "saved_object:index-pattern/open_point_in_time",
+                "saved_object:index-pattern/close_point_in_time",
+                "saved_object:search/bulk_get",
+                "saved_object:search/get",
+                "saved_object:search/find",
+                "saved_object:search/open_point_in_time",
+                "saved_object:search/close_point_in_time",
+                "saved_object:query/bulk_get",
+                "saved_object:query/get",
+                "saved_object:query/find",
+                "saved_object:query/open_point_in_time",
+                "saved_object:query/close_point_in_time",
+                "saved_object:config/bulk_get",
+                "saved_object:config/get",
+                "saved_object:config/find",
+                "saved_object:config/open_point_in_time",
+                "saved_object:config/close_point_in_time",
+                "saved_object:config-global/bulk_get",
+                "saved_object:config-global/get",
+                "saved_object:config-global/find",
+                "saved_object:config-global/open_point_in_time",
+                "saved_object:config-global/close_point_in_time",
+                "saved_object:telemetry/bulk_get",
+                "saved_object:telemetry/get",
+                "saved_object:telemetry/find",
+                "saved_object:telemetry/open_point_in_time",
+                "saved_object:telemetry/close_point_in_time",
+                "ui:discover/show",
+                "ui:discover/createShortUrl",
+                "api:rac",
+                "app:observability",
+                "ui:catalogue/observability",
+                "ui:navLinks/observability",
+                "ui:observability/read",
                 "alerting:apm.error_rate/observability/rule/get",
                 "alerting:apm.error_rate/observability/rule/getRuleState",
                 "alerting:apm.error_rate/observability/rule/getAlertSummary",
@@ -6357,81 +7781,51 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.error_rate/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.error_rate/observability/rule/getBackfill",
                 "alerting:apm.error_rate/observability/rule/findBackfill",
-                "alerting:apm.error_rate/observability/rule/create",
-                "alerting:apm.error_rate/observability/rule/delete",
-                "alerting:apm.error_rate/observability/rule/update",
-                "alerting:apm.error_rate/observability/rule/updateApiKey",
-                "alerting:apm.error_rate/observability/rule/enable",
-                "alerting:apm.error_rate/observability/rule/disable",
-                "alerting:apm.error_rate/observability/rule/muteAll",
-                "alerting:apm.error_rate/observability/rule/unmuteAll",
-                "alerting:apm.error_rate/observability/rule/muteAlert",
-                "alerting:apm.error_rate/observability/rule/unmuteAlert",
-                "alerting:apm.error_rate/observability/rule/snooze",
-                "alerting:apm.error_rate/observability/rule/bulkEdit",
-                "alerting:apm.error_rate/observability/rule/bulkDelete",
-                "alerting:apm.error_rate/observability/rule/bulkEnable",
-                "alerting:apm.error_rate/observability/rule/bulkDisable",
-                "alerting:apm.error_rate/observability/rule/unsnooze",
-                "alerting:apm.error_rate/observability/rule/runSoon",
-                "alerting:apm.error_rate/observability/rule/scheduleBackfill",
-                "alerting:apm.error_rate/observability/rule/deleteBackfill",
+                "alerting:apm.error_rate/alerts/rule/get",
+                "alerting:apm.error_rate/alerts/rule/getRuleState",
+                "alerting:apm.error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.error_rate/alerts/rule/find",
+                "alerting:apm.error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/alerts/rule/getBackfill",
+                "alerting:apm.error_rate/alerts/rule/findBackfill",
                 "alerting:apm.transaction_error_rate/observability/rule/get",
-                "alerting:apm.transaction_error_rate/observability/rule/getRuleState",
-                "alerting:apm.transaction_error_rate/observability/rule/getAlertSummary",
-                "alerting:apm.transaction_error_rate/observability/rule/getExecutionLog",
-                "alerting:apm.transaction_error_rate/observability/rule/getActionErrorLog",
-                "alerting:apm.transaction_error_rate/observability/rule/find",
-                "alerting:apm.transaction_error_rate/observability/rule/getRuleExecutionKPI",
-                "alerting:apm.transaction_error_rate/observability/rule/getBackfill",
-                "alerting:apm.transaction_error_rate/observability/rule/findBackfill",
-                "alerting:apm.transaction_error_rate/observability/rule/create",
-                "alerting:apm.transaction_error_rate/observability/rule/delete",
-                "alerting:apm.transaction_error_rate/observability/rule/update",
-                "alerting:apm.transaction_error_rate/observability/rule/updateApiKey",
-                "alerting:apm.transaction_error_rate/observability/rule/enable",
-                "alerting:apm.transaction_error_rate/observability/rule/disable",
-                "alerting:apm.transaction_error_rate/observability/rule/muteAll",
-                "alerting:apm.transaction_error_rate/observability/rule/unmuteAll",
-                "alerting:apm.transaction_error_rate/observability/rule/muteAlert",
-                "alerting:apm.transaction_error_rate/observability/rule/unmuteAlert",
-                "alerting:apm.transaction_error_rate/observability/rule/snooze",
-                "alerting:apm.transaction_error_rate/observability/rule/bulkEdit",
-                "alerting:apm.transaction_error_rate/observability/rule/bulkDelete",
-                "alerting:apm.transaction_error_rate/observability/rule/bulkEnable",
-                "alerting:apm.transaction_error_rate/observability/rule/bulkDisable",
-                "alerting:apm.transaction_error_rate/observability/rule/unsnooze",
-                "alerting:apm.transaction_error_rate/observability/rule/runSoon",
-                "alerting:apm.transaction_error_rate/observability/rule/scheduleBackfill",
-                "alerting:apm.transaction_error_rate/observability/rule/deleteBackfill",
-                "alerting:apm.transaction_duration/observability/rule/get",
-                "alerting:apm.transaction_duration/observability/rule/getRuleState",
-                "alerting:apm.transaction_duration/observability/rule/getAlertSummary",
-                "alerting:apm.transaction_duration/observability/rule/getExecutionLog",
-                "alerting:apm.transaction_duration/observability/rule/getActionErrorLog",
-                "alerting:apm.transaction_duration/observability/rule/find",
-                "alerting:apm.transaction_duration/observability/rule/getRuleExecutionKPI",
-                "alerting:apm.transaction_duration/observability/rule/getBackfill",
-                "alerting:apm.transaction_duration/observability/rule/findBackfill",
-                "alerting:apm.transaction_duration/observability/rule/create",
-                "alerting:apm.transaction_duration/observability/rule/delete",
-                "alerting:apm.transaction_duration/observability/rule/update",
-                "alerting:apm.transaction_duration/observability/rule/updateApiKey",
-                "alerting:apm.transaction_duration/observability/rule/enable",
-                "alerting:apm.transaction_duration/observability/rule/disable",
-                "alerting:apm.transaction_duration/observability/rule/muteAll",
-                "alerting:apm.transaction_duration/observability/rule/unmuteAll",
-                "alerting:apm.transaction_duration/observability/rule/muteAlert",
-                "alerting:apm.transaction_duration/observability/rule/unmuteAlert",
-                "alerting:apm.transaction_duration/observability/rule/snooze",
-                "alerting:apm.transaction_duration/observability/rule/bulkEdit",
-                "alerting:apm.transaction_duration/observability/rule/bulkDelete",
-                "alerting:apm.transaction_duration/observability/rule/bulkEnable",
-                "alerting:apm.transaction_duration/observability/rule/bulkDisable",
-                "alerting:apm.transaction_duration/observability/rule/unsnooze",
-                "alerting:apm.transaction_duration/observability/rule/runSoon",
-                "alerting:apm.transaction_duration/observability/rule/scheduleBackfill",
-                "alerting:apm.transaction_duration/observability/rule/deleteBackfill",
+                "alerting:apm.transaction_error_rate/observability/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/observability/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/observability/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/observability/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/observability/rule/find",
+                "alerting:apm.transaction_error_rate/observability/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/observability/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/observability/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/get",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/find",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/alerts/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/findBackfill",
+                "alerting:apm.transaction_duration/observability/rule/get",
+                "alerting:apm.transaction_duration/observability/rule/getRuleState",
+                "alerting:apm.transaction_duration/observability/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/observability/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/observability/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/observability/rule/find",
+                "alerting:apm.transaction_duration/observability/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/observability/rule/getBackfill",
+                "alerting:apm.transaction_duration/observability/rule/findBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/get",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleState",
+                "alerting:apm.transaction_duration/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/alerts/rule/find",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/alerts/rule/getBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/findBackfill",
                 "alerting:apm.anomaly/observability/rule/get",
                 "alerting:apm.anomaly/observability/rule/getRuleState",
                 "alerting:apm.anomaly/observability/rule/getAlertSummary",
@@ -6441,25 +7835,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.anomaly/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.anomaly/observability/rule/getBackfill",
                 "alerting:apm.anomaly/observability/rule/findBackfill",
-                "alerting:apm.anomaly/observability/rule/create",
-                "alerting:apm.anomaly/observability/rule/delete",
-                "alerting:apm.anomaly/observability/rule/update",
-                "alerting:apm.anomaly/observability/rule/updateApiKey",
-                "alerting:apm.anomaly/observability/rule/enable",
-                "alerting:apm.anomaly/observability/rule/disable",
-                "alerting:apm.anomaly/observability/rule/muteAll",
-                "alerting:apm.anomaly/observability/rule/unmuteAll",
-                "alerting:apm.anomaly/observability/rule/muteAlert",
-                "alerting:apm.anomaly/observability/rule/unmuteAlert",
-                "alerting:apm.anomaly/observability/rule/snooze",
-                "alerting:apm.anomaly/observability/rule/bulkEdit",
-                "alerting:apm.anomaly/observability/rule/bulkDelete",
-                "alerting:apm.anomaly/observability/rule/bulkEnable",
-                "alerting:apm.anomaly/observability/rule/bulkDisable",
-                "alerting:apm.anomaly/observability/rule/unsnooze",
-                "alerting:apm.anomaly/observability/rule/runSoon",
-                "alerting:apm.anomaly/observability/rule/scheduleBackfill",
-                "alerting:apm.anomaly/observability/rule/deleteBackfill",
+                "alerting:apm.anomaly/alerts/rule/get",
+                "alerting:apm.anomaly/alerts/rule/getRuleState",
+                "alerting:apm.anomaly/alerts/rule/getAlertSummary",
+                "alerting:apm.anomaly/alerts/rule/getExecutionLog",
+                "alerting:apm.anomaly/alerts/rule/getActionErrorLog",
+                "alerting:apm.anomaly/alerts/rule/find",
+                "alerting:apm.anomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/alerts/rule/getBackfill",
+                "alerting:apm.anomaly/alerts/rule/findBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getAlertSummary",
@@ -6469,25 +7853,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/findBackfill",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/create",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/delete",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/update",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/updateApiKey",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/enable",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/disable",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/muteAll",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unmuteAll",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/muteAlert",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unmuteAlert",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/snooze",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkEdit",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkDelete",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkEnable",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkDisable",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unsnooze",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/runSoon",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/scheduleBackfill",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/deleteBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/findBackfill",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/get",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getAlertSummary",
@@ -6497,82 +7871,1791 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleExecutionKPI",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getBackfill",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/findBackfill",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/create",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/delete",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/update",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/updateApiKey",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/enable",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/disable",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/muteAll",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/unmuteAll",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/muteAlert",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/unmuteAlert",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/snooze",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkEdit",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkDelete",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkEnable",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkDisable",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/unsnooze",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/runSoon",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/scheduleBackfill",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/deleteBackfill",
-                "alerting:slo.rules.burnRate/observability/alert/get",
-                "alerting:slo.rules.burnRate/observability/alert/find",
-                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
-                "alerting:slo.rules.burnRate/observability/alert/update",
-                "alerting:observability.rules.custom_threshold/observability/alert/get",
-                "alerting:observability.rules.custom_threshold/observability/alert/find",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/alert/update",
-                "alerting:.es-query/observability/alert/get",
-                "alerting:.es-query/observability/alert/find",
-                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/observability/alert/getAlertSummary",
-                "alerting:.es-query/observability/alert/update",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/update",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/update",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/findBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/get",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/observability/rule/find",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/get",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/alerts/rule/find",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/findBackfill",
+                "alerting:logs.alert.document.count/observability/rule/get",
+                "alerting:logs.alert.document.count/observability/rule/getRuleState",
+                "alerting:logs.alert.document.count/observability/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/observability/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/observability/rule/find",
+                "alerting:logs.alert.document.count/observability/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/observability/rule/getBackfill",
+                "alerting:logs.alert.document.count/observability/rule/findBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/get",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleState",
+                "alerting:logs.alert.document.count/alerts/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/alerts/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/alerts/rule/find",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/alerts/rule/getBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/findBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/get",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
+                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/observability/rule/find",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/get",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleState",
+                "alerting:slo.rules.burnRate/alerts/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/alerts/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/alerts/rule/find",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/alerts/rule/getBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/get",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/find",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/get",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/find",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/findBackfill",
+                "alerting:.es-query/observability/rule/get",
+                "alerting:.es-query/observability/rule/getRuleState",
+                "alerting:.es-query/observability/rule/getAlertSummary",
+                "alerting:.es-query/observability/rule/getExecutionLog",
+                "alerting:.es-query/observability/rule/getActionErrorLog",
+                "alerting:.es-query/observability/rule/find",
+                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
+                "alerting:.es-query/observability/rule/getBackfill",
+                "alerting:.es-query/observability/rule/findBackfill",
+                "alerting:.es-query/alerts/rule/get",
+                "alerting:.es-query/alerts/rule/getRuleState",
+                "alerting:.es-query/alerts/rule/getAlertSummary",
+                "alerting:.es-query/alerts/rule/getExecutionLog",
+                "alerting:.es-query/alerts/rule/getActionErrorLog",
+                "alerting:.es-query/alerts/rule/find",
+                "alerting:.es-query/alerts/rule/getRuleExecutionKPI",
+                "alerting:.es-query/alerts/rule/getBackfill",
+                "alerting:.es-query/alerts/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/findBackfill",
                 "alerting:apm.error_rate/observability/alert/get",
                 "alerting:apm.error_rate/observability/alert/find",
                 "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.error_rate/observability/alert/getAlertSummary",
-                "alerting:apm.error_rate/observability/alert/update",
+                "alerting:apm.error_rate/alerts/alert/get",
+                "alerting:apm.error_rate/alerts/alert/find",
+                "alerting:apm.error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/alerts/alert/getAlertSummary",
                 "alerting:apm.transaction_error_rate/observability/alert/get",
                 "alerting:apm.transaction_error_rate/observability/alert/find",
                 "alerting:apm.transaction_error_rate/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_error_rate/observability/alert/getAlertSummary",
-                "alerting:apm.transaction_error_rate/observability/alert/update",
+                "alerting:apm.transaction_error_rate/alerts/alert/get",
+                "alerting:apm.transaction_error_rate/alerts/alert/find",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAlertSummary",
                 "alerting:apm.transaction_duration/observability/alert/get",
                 "alerting:apm.transaction_duration/observability/alert/find",
                 "alerting:apm.transaction_duration/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_duration/observability/alert/getAlertSummary",
-                "alerting:apm.transaction_duration/observability/alert/update",
+                "alerting:apm.transaction_duration/alerts/alert/get",
+                "alerting:apm.transaction_duration/alerts/alert/find",
+                "alerting:apm.transaction_duration/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/alerts/alert/getAlertSummary",
                 "alerting:apm.anomaly/observability/alert/get",
                 "alerting:apm.anomaly/observability/alert/find",
                 "alerting:apm.anomaly/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.anomaly/observability/alert/getAlertSummary",
-                "alerting:apm.anomaly/observability/alert/update",
+                "alerting:apm.anomaly/alerts/alert/get",
+                "alerting:apm.anomaly/alerts/alert/find",
+                "alerting:apm.anomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/alerts/alert/getAlertSummary",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAlertSummary",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/get",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/find",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/update",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/alert/get",
+                "alerting:metrics.alert.threshold/observability/alert/find",
+                "alerting:metrics.alert.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/alert/get",
+                "alerting:metrics.alert.threshold/alerts/alert/find",
+                "alerting:metrics.alert.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/alert/get",
+                "alerting:logs.alert.document.count/observability/alert/find",
+                "alerting:logs.alert.document.count/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/observability/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/alert/get",
+                "alerting:logs.alert.document.count/alerts/alert/find",
+                "alerting:logs.alert.document.count/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/alerts/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/alert/get",
+                "alerting:slo.rules.burnRate/observability/alert/find",
+                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/alert/get",
+                "alerting:slo.rules.burnRate/alerts/alert/find",
+                "alerting:slo.rules.burnRate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/alerts/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/alert/get",
+                "alerting:observability.rules.custom_threshold/observability/alert/find",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/alert/get",
+                "alerting:observability.rules.custom_threshold/alerts/alert/find",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAlertSummary",
+                "alerting:.es-query/observability/alert/get",
+                "alerting:.es-query/observability/alert/find",
+                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/observability/alert/getAlertSummary",
+                "alerting:.es-query/alerts/alert/get",
+                "alerting:.es-query/alerts/alert/find",
+                "alerting:.es-query/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/alerts/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAlertSummary",
+              ],
+              "store_search_session": Array [
+                "login:",
+                "api:store_search_session",
+                "ui:management/kibana/search_sessions",
+                "saved_object:search-session/bulk_get",
+                "saved_object:search-session/get",
+                "saved_object:search-session/find",
+                "saved_object:search-session/open_point_in_time",
+                "saved_object:search-session/close_point_in_time",
+                "saved_object:search-session/create",
+                "saved_object:search-session/bulk_create",
+                "saved_object:search-session/update",
+                "saved_object:search-session/bulk_update",
+                "saved_object:search-session/delete",
+                "saved_object:search-session/bulk_delete",
+                "saved_object:search-session/share_to_space",
+                "ui:discover/storeSearchSession",
+              ],
+              "url_create": Array [
+                "login:",
+                "saved_object:url/bulk_get",
+                "saved_object:url/get",
+                "saved_object:url/find",
+                "saved_object:url/open_point_in_time",
+                "saved_object:url/close_point_in_time",
+                "saved_object:url/create",
+                "saved_object:url/bulk_create",
+                "saved_object:url/update",
+                "saved_object:url/bulk_update",
+                "saved_object:url/delete",
+                "saved_object:url/bulk_delete",
+                "saved_object:url/share_to_space",
+                "ui:discover/createShortUrl",
+              ],
+            },
+            "fleetv2": Object {
+              "all": Array [
+                "login:",
+                "api:fleet-read",
+                "api:fleet-all",
+                "app:fleet",
+                "ui:catalogue/fleet",
+                "ui:navLinks/fleet",
+                "saved_object:ingest-outputs/bulk_get",
+                "saved_object:ingest-outputs/get",
+                "saved_object:ingest-outputs/find",
+                "saved_object:ingest-outputs/open_point_in_time",
+                "saved_object:ingest-outputs/close_point_in_time",
+                "saved_object:ingest-outputs/create",
+                "saved_object:ingest-outputs/bulk_create",
+                "saved_object:ingest-outputs/update",
+                "saved_object:ingest-outputs/bulk_update",
+                "saved_object:ingest-outputs/delete",
+                "saved_object:ingest-outputs/bulk_delete",
+                "saved_object:ingest-outputs/share_to_space",
+                "saved_object:ingest-agent-policies/bulk_get",
+                "saved_object:ingest-agent-policies/get",
+                "saved_object:ingest-agent-policies/find",
+                "saved_object:ingest-agent-policies/open_point_in_time",
+                "saved_object:ingest-agent-policies/close_point_in_time",
+                "saved_object:ingest-agent-policies/create",
+                "saved_object:ingest-agent-policies/bulk_create",
+                "saved_object:ingest-agent-policies/update",
+                "saved_object:ingest-agent-policies/bulk_update",
+                "saved_object:ingest-agent-policies/delete",
+                "saved_object:ingest-agent-policies/bulk_delete",
+                "saved_object:ingest-agent-policies/share_to_space",
+                "saved_object:fleet-agent-policies/bulk_get",
+                "saved_object:fleet-agent-policies/get",
+                "saved_object:fleet-agent-policies/find",
+                "saved_object:fleet-agent-policies/open_point_in_time",
+                "saved_object:fleet-agent-policies/close_point_in_time",
+                "saved_object:fleet-agent-policies/create",
+                "saved_object:fleet-agent-policies/bulk_create",
+                "saved_object:fleet-agent-policies/update",
+                "saved_object:fleet-agent-policies/bulk_update",
+                "saved_object:fleet-agent-policies/delete",
+                "saved_object:fleet-agent-policies/bulk_delete",
+                "saved_object:fleet-agent-policies/share_to_space",
+                "saved_object:ingest-package-policies/bulk_get",
+                "saved_object:ingest-package-policies/get",
+                "saved_object:ingest-package-policies/find",
+                "saved_object:ingest-package-policies/open_point_in_time",
+                "saved_object:ingest-package-policies/close_point_in_time",
+                "saved_object:ingest-package-policies/create",
+                "saved_object:ingest-package-policies/bulk_create",
+                "saved_object:ingest-package-policies/update",
+                "saved_object:ingest-package-policies/bulk_update",
+                "saved_object:ingest-package-policies/delete",
+                "saved_object:ingest-package-policies/bulk_delete",
+                "saved_object:ingest-package-policies/share_to_space",
+                "saved_object:fleet-package-policies/bulk_get",
+                "saved_object:fleet-package-policies/get",
+                "saved_object:fleet-package-policies/find",
+                "saved_object:fleet-package-policies/open_point_in_time",
+                "saved_object:fleet-package-policies/close_point_in_time",
+                "saved_object:fleet-package-policies/create",
+                "saved_object:fleet-package-policies/bulk_create",
+                "saved_object:fleet-package-policies/update",
+                "saved_object:fleet-package-policies/bulk_update",
+                "saved_object:fleet-package-policies/delete",
+                "saved_object:fleet-package-policies/bulk_delete",
+                "saved_object:fleet-package-policies/share_to_space",
+                "saved_object:epm-packages/bulk_get",
+                "saved_object:epm-packages/get",
+                "saved_object:epm-packages/find",
+                "saved_object:epm-packages/open_point_in_time",
+                "saved_object:epm-packages/close_point_in_time",
+                "saved_object:epm-packages/create",
+                "saved_object:epm-packages/bulk_create",
+                "saved_object:epm-packages/update",
+                "saved_object:epm-packages/bulk_update",
+                "saved_object:epm-packages/delete",
+                "saved_object:epm-packages/bulk_delete",
+                "saved_object:epm-packages/share_to_space",
+                "saved_object:epm-packages-assets/bulk_get",
+                "saved_object:epm-packages-assets/get",
+                "saved_object:epm-packages-assets/find",
+                "saved_object:epm-packages-assets/open_point_in_time",
+                "saved_object:epm-packages-assets/close_point_in_time",
+                "saved_object:epm-packages-assets/create",
+                "saved_object:epm-packages-assets/bulk_create",
+                "saved_object:epm-packages-assets/update",
+                "saved_object:epm-packages-assets/bulk_update",
+                "saved_object:epm-packages-assets/delete",
+                "saved_object:epm-packages-assets/bulk_delete",
+                "saved_object:epm-packages-assets/share_to_space",
+                "saved_object:fleet-preconfiguration-deletion-record/bulk_get",
+                "saved_object:fleet-preconfiguration-deletion-record/get",
+                "saved_object:fleet-preconfiguration-deletion-record/find",
+                "saved_object:fleet-preconfiguration-deletion-record/open_point_in_time",
+                "saved_object:fleet-preconfiguration-deletion-record/close_point_in_time",
+                "saved_object:fleet-preconfiguration-deletion-record/create",
+                "saved_object:fleet-preconfiguration-deletion-record/bulk_create",
+                "saved_object:fleet-preconfiguration-deletion-record/update",
+                "saved_object:fleet-preconfiguration-deletion-record/bulk_update",
+                "saved_object:fleet-preconfiguration-deletion-record/delete",
+                "saved_object:fleet-preconfiguration-deletion-record/bulk_delete",
+                "saved_object:fleet-preconfiguration-deletion-record/share_to_space",
+                "saved_object:ingest-download-sources/bulk_get",
+                "saved_object:ingest-download-sources/get",
+                "saved_object:ingest-download-sources/find",
+                "saved_object:ingest-download-sources/open_point_in_time",
+                "saved_object:ingest-download-sources/close_point_in_time",
+                "saved_object:ingest-download-sources/create",
+                "saved_object:ingest-download-sources/bulk_create",
+                "saved_object:ingest-download-sources/update",
+                "saved_object:ingest-download-sources/bulk_update",
+                "saved_object:ingest-download-sources/delete",
+                "saved_object:ingest-download-sources/bulk_delete",
+                "saved_object:ingest-download-sources/share_to_space",
+                "saved_object:fleet-fleet-server-host/bulk_get",
+                "saved_object:fleet-fleet-server-host/get",
+                "saved_object:fleet-fleet-server-host/find",
+                "saved_object:fleet-fleet-server-host/open_point_in_time",
+                "saved_object:fleet-fleet-server-host/close_point_in_time",
+                "saved_object:fleet-fleet-server-host/create",
+                "saved_object:fleet-fleet-server-host/bulk_create",
+                "saved_object:fleet-fleet-server-host/update",
+                "saved_object:fleet-fleet-server-host/bulk_update",
+                "saved_object:fleet-fleet-server-host/delete",
+                "saved_object:fleet-fleet-server-host/bulk_delete",
+                "saved_object:fleet-fleet-server-host/share_to_space",
+                "saved_object:fleet-proxy/bulk_get",
+                "saved_object:fleet-proxy/get",
+                "saved_object:fleet-proxy/find",
+                "saved_object:fleet-proxy/open_point_in_time",
+                "saved_object:fleet-proxy/close_point_in_time",
+                "saved_object:fleet-proxy/create",
+                "saved_object:fleet-proxy/bulk_create",
+                "saved_object:fleet-proxy/update",
+                "saved_object:fleet-proxy/bulk_update",
+                "saved_object:fleet-proxy/delete",
+                "saved_object:fleet-proxy/bulk_delete",
+                "saved_object:fleet-proxy/share_to_space",
+                "saved_object:fleet-space-settings/bulk_get",
+                "saved_object:fleet-space-settings/get",
+                "saved_object:fleet-space-settings/find",
+                "saved_object:fleet-space-settings/open_point_in_time",
+                "saved_object:fleet-space-settings/close_point_in_time",
+                "saved_object:fleet-space-settings/create",
+                "saved_object:fleet-space-settings/bulk_create",
+                "saved_object:fleet-space-settings/update",
+                "saved_object:fleet-space-settings/bulk_update",
+                "saved_object:fleet-space-settings/delete",
+                "saved_object:fleet-space-settings/bulk_delete",
+                "saved_object:fleet-space-settings/share_to_space",
+                "saved_object:telemetry/bulk_get",
+                "saved_object:telemetry/get",
+                "saved_object:telemetry/find",
+                "saved_object:telemetry/open_point_in_time",
+                "saved_object:telemetry/close_point_in_time",
+                "saved_object:telemetry/create",
+                "saved_object:telemetry/bulk_create",
+                "saved_object:telemetry/update",
+                "saved_object:telemetry/bulk_update",
+                "saved_object:telemetry/delete",
+                "saved_object:telemetry/bulk_delete",
+                "saved_object:telemetry/share_to_space",
+                "saved_object:config/bulk_get",
+                "saved_object:config/get",
+                "saved_object:config/find",
+                "saved_object:config/open_point_in_time",
+                "saved_object:config/close_point_in_time",
+                "saved_object:config-global/bulk_get",
+                "saved_object:config-global/get",
+                "saved_object:config-global/find",
+                "saved_object:config-global/open_point_in_time",
+                "saved_object:config-global/close_point_in_time",
+                "saved_object:url/bulk_get",
+                "saved_object:url/get",
+                "saved_object:url/find",
+                "saved_object:url/open_point_in_time",
+                "saved_object:url/close_point_in_time",
+                "ui:fleetv2/read",
+                "ui:fleetv2/all",
+                "api:infra",
+                "api:rac",
+                "app:infra",
+                "app:logs",
+                "app:kibana",
+                "app:observability-logs-explorer",
+                "ui:catalogue/infralogging",
+                "ui:catalogue/logs",
+                "ui:management/insightsAndAlerting/triggersActions",
+                "ui:navLinks/infra",
+                "ui:navLinks/logs",
+                "ui:navLinks/kibana",
+                "ui:navLinks/observability-logs-explorer",
+                "saved_object:infrastructure-ui-source/bulk_get",
+                "saved_object:infrastructure-ui-source/get",
+                "saved_object:infrastructure-ui-source/find",
+                "saved_object:infrastructure-ui-source/open_point_in_time",
+                "saved_object:infrastructure-ui-source/close_point_in_time",
+                "saved_object:infrastructure-ui-source/create",
+                "saved_object:infrastructure-ui-source/bulk_create",
+                "saved_object:infrastructure-ui-source/update",
+                "saved_object:infrastructure-ui-source/bulk_update",
+                "saved_object:infrastructure-ui-source/delete",
+                "saved_object:infrastructure-ui-source/bulk_delete",
+                "saved_object:infrastructure-ui-source/share_to_space",
+                "saved_object:infrastructure-monitoring-log-view/bulk_get",
+                "saved_object:infrastructure-monitoring-log-view/get",
+                "saved_object:infrastructure-monitoring-log-view/find",
+                "saved_object:infrastructure-monitoring-log-view/open_point_in_time",
+                "saved_object:infrastructure-monitoring-log-view/close_point_in_time",
+                "saved_object:infrastructure-monitoring-log-view/create",
+                "saved_object:infrastructure-monitoring-log-view/bulk_create",
+                "saved_object:infrastructure-monitoring-log-view/update",
+                "saved_object:infrastructure-monitoring-log-view/bulk_update",
+                "saved_object:infrastructure-monitoring-log-view/delete",
+                "saved_object:infrastructure-monitoring-log-view/bulk_delete",
+                "saved_object:infrastructure-monitoring-log-view/share_to_space",
+                "ui:logs/show",
+                "ui:logs/configureSource",
+                "ui:logs/save",
+                "alerting:logs.alert.document.count/logs/rule/get",
+                "alerting:logs.alert.document.count/logs/rule/getRuleState",
+                "alerting:logs.alert.document.count/logs/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/logs/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/logs/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/logs/rule/find",
+                "alerting:logs.alert.document.count/logs/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/logs/rule/getBackfill",
+                "alerting:logs.alert.document.count/logs/rule/findBackfill",
+                "alerting:logs.alert.document.count/logs/rule/create",
+                "alerting:logs.alert.document.count/logs/rule/delete",
+                "alerting:logs.alert.document.count/logs/rule/update",
+                "alerting:logs.alert.document.count/logs/rule/updateApiKey",
+                "alerting:logs.alert.document.count/logs/rule/enable",
+                "alerting:logs.alert.document.count/logs/rule/disable",
+                "alerting:logs.alert.document.count/logs/rule/muteAll",
+                "alerting:logs.alert.document.count/logs/rule/unmuteAll",
+                "alerting:logs.alert.document.count/logs/rule/muteAlert",
+                "alerting:logs.alert.document.count/logs/rule/unmuteAlert",
+                "alerting:logs.alert.document.count/logs/rule/snooze",
+                "alerting:logs.alert.document.count/logs/rule/bulkEdit",
+                "alerting:logs.alert.document.count/logs/rule/bulkDelete",
+                "alerting:logs.alert.document.count/logs/rule/bulkEnable",
+                "alerting:logs.alert.document.count/logs/rule/bulkDisable",
+                "alerting:logs.alert.document.count/logs/rule/unsnooze",
+                "alerting:logs.alert.document.count/logs/rule/runSoon",
+                "alerting:logs.alert.document.count/logs/rule/scheduleBackfill",
+                "alerting:logs.alert.document.count/logs/rule/deleteBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/get",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleState",
+                "alerting:logs.alert.document.count/alerts/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/alerts/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/alerts/rule/find",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/alerts/rule/getBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/findBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/create",
+                "alerting:logs.alert.document.count/alerts/rule/delete",
+                "alerting:logs.alert.document.count/alerts/rule/update",
+                "alerting:logs.alert.document.count/alerts/rule/updateApiKey",
+                "alerting:logs.alert.document.count/alerts/rule/enable",
+                "alerting:logs.alert.document.count/alerts/rule/disable",
+                "alerting:logs.alert.document.count/alerts/rule/muteAll",
+                "alerting:logs.alert.document.count/alerts/rule/unmuteAll",
+                "alerting:logs.alert.document.count/alerts/rule/muteAlert",
+                "alerting:logs.alert.document.count/alerts/rule/unmuteAlert",
+                "alerting:logs.alert.document.count/alerts/rule/snooze",
+                "alerting:logs.alert.document.count/alerts/rule/bulkEdit",
+                "alerting:logs.alert.document.count/alerts/rule/bulkDelete",
+                "alerting:logs.alert.document.count/alerts/rule/bulkEnable",
+                "alerting:logs.alert.document.count/alerts/rule/bulkDisable",
+                "alerting:logs.alert.document.count/alerts/rule/unsnooze",
+                "alerting:logs.alert.document.count/alerts/rule/runSoon",
+                "alerting:logs.alert.document.count/alerts/rule/scheduleBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/deleteBackfill",
+                "alerting:.es-query/logs/rule/get",
+                "alerting:.es-query/logs/rule/getRuleState",
+                "alerting:.es-query/logs/rule/getAlertSummary",
+                "alerting:.es-query/logs/rule/getExecutionLog",
+                "alerting:.es-query/logs/rule/getActionErrorLog",
+                "alerting:.es-query/logs/rule/find",
+                "alerting:.es-query/logs/rule/getRuleExecutionKPI",
+                "alerting:.es-query/logs/rule/getBackfill",
+                "alerting:.es-query/logs/rule/findBackfill",
+                "alerting:.es-query/logs/rule/create",
+                "alerting:.es-query/logs/rule/delete",
+                "alerting:.es-query/logs/rule/update",
+                "alerting:.es-query/logs/rule/updateApiKey",
+                "alerting:.es-query/logs/rule/enable",
+                "alerting:.es-query/logs/rule/disable",
+                "alerting:.es-query/logs/rule/muteAll",
+                "alerting:.es-query/logs/rule/unmuteAll",
+                "alerting:.es-query/logs/rule/muteAlert",
+                "alerting:.es-query/logs/rule/unmuteAlert",
+                "alerting:.es-query/logs/rule/snooze",
+                "alerting:.es-query/logs/rule/bulkEdit",
+                "alerting:.es-query/logs/rule/bulkDelete",
+                "alerting:.es-query/logs/rule/bulkEnable",
+                "alerting:.es-query/logs/rule/bulkDisable",
+                "alerting:.es-query/logs/rule/unsnooze",
+                "alerting:.es-query/logs/rule/runSoon",
+                "alerting:.es-query/logs/rule/scheduleBackfill",
+                "alerting:.es-query/logs/rule/deleteBackfill",
+                "alerting:.es-query/alerts/rule/get",
+                "alerting:.es-query/alerts/rule/getRuleState",
+                "alerting:.es-query/alerts/rule/getAlertSummary",
+                "alerting:.es-query/alerts/rule/getExecutionLog",
+                "alerting:.es-query/alerts/rule/getActionErrorLog",
+                "alerting:.es-query/alerts/rule/find",
+                "alerting:.es-query/alerts/rule/getRuleExecutionKPI",
+                "alerting:.es-query/alerts/rule/getBackfill",
+                "alerting:.es-query/alerts/rule/findBackfill",
+                "alerting:.es-query/alerts/rule/create",
+                "alerting:.es-query/alerts/rule/delete",
+                "alerting:.es-query/alerts/rule/update",
+                "alerting:.es-query/alerts/rule/updateApiKey",
+                "alerting:.es-query/alerts/rule/enable",
+                "alerting:.es-query/alerts/rule/disable",
+                "alerting:.es-query/alerts/rule/muteAll",
+                "alerting:.es-query/alerts/rule/unmuteAll",
+                "alerting:.es-query/alerts/rule/muteAlert",
+                "alerting:.es-query/alerts/rule/unmuteAlert",
+                "alerting:.es-query/alerts/rule/snooze",
+                "alerting:.es-query/alerts/rule/bulkEdit",
+                "alerting:.es-query/alerts/rule/bulkDelete",
+                "alerting:.es-query/alerts/rule/bulkEnable",
+                "alerting:.es-query/alerts/rule/bulkDisable",
+                "alerting:.es-query/alerts/rule/unsnooze",
+                "alerting:.es-query/alerts/rule/runSoon",
+                "alerting:.es-query/alerts/rule/scheduleBackfill",
+                "alerting:.es-query/alerts/rule/deleteBackfill",
+                "alerting:observability.rules.custom_threshold/logs/rule/get",
+                "alerting:observability.rules.custom_threshold/logs/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/logs/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/logs/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/logs/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/logs/rule/find",
+                "alerting:observability.rules.custom_threshold/logs/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/logs/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/logs/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/logs/rule/create",
+                "alerting:observability.rules.custom_threshold/logs/rule/delete",
+                "alerting:observability.rules.custom_threshold/logs/rule/update",
+                "alerting:observability.rules.custom_threshold/logs/rule/updateApiKey",
+                "alerting:observability.rules.custom_threshold/logs/rule/enable",
+                "alerting:observability.rules.custom_threshold/logs/rule/disable",
+                "alerting:observability.rules.custom_threshold/logs/rule/muteAll",
+                "alerting:observability.rules.custom_threshold/logs/rule/unmuteAll",
+                "alerting:observability.rules.custom_threshold/logs/rule/muteAlert",
+                "alerting:observability.rules.custom_threshold/logs/rule/unmuteAlert",
+                "alerting:observability.rules.custom_threshold/logs/rule/snooze",
+                "alerting:observability.rules.custom_threshold/logs/rule/bulkEdit",
+                "alerting:observability.rules.custom_threshold/logs/rule/bulkDelete",
+                "alerting:observability.rules.custom_threshold/logs/rule/bulkEnable",
+                "alerting:observability.rules.custom_threshold/logs/rule/bulkDisable",
+                "alerting:observability.rules.custom_threshold/logs/rule/unsnooze",
+                "alerting:observability.rules.custom_threshold/logs/rule/runSoon",
+                "alerting:observability.rules.custom_threshold/logs/rule/scheduleBackfill",
+                "alerting:observability.rules.custom_threshold/logs/rule/deleteBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/get",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/find",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/create",
+                "alerting:observability.rules.custom_threshold/alerts/rule/delete",
+                "alerting:observability.rules.custom_threshold/alerts/rule/update",
+                "alerting:observability.rules.custom_threshold/alerts/rule/updateApiKey",
+                "alerting:observability.rules.custom_threshold/alerts/rule/enable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/disable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/muteAll",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unmuteAll",
+                "alerting:observability.rules.custom_threshold/alerts/rule/muteAlert",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unmuteAlert",
+                "alerting:observability.rules.custom_threshold/alerts/rule/snooze",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkEdit",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkDelete",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkEnable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkDisable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unsnooze",
+                "alerting:observability.rules.custom_threshold/alerts/rule/runSoon",
+                "alerting:observability.rules.custom_threshold/alerts/rule/scheduleBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/deleteBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/deleteBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/deleteBackfill",
+                "alerting:logs.alert.document.count/logs/alert/get",
+                "alerting:logs.alert.document.count/logs/alert/find",
+                "alerting:logs.alert.document.count/logs/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/logs/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/logs/alert/update",
+                "alerting:logs.alert.document.count/alerts/alert/get",
+                "alerting:logs.alert.document.count/alerts/alert/find",
+                "alerting:logs.alert.document.count/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/alerts/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/alert/update",
+                "alerting:.es-query/logs/alert/get",
+                "alerting:.es-query/logs/alert/find",
+                "alerting:.es-query/logs/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/logs/alert/getAlertSummary",
+                "alerting:.es-query/logs/alert/update",
+                "alerting:.es-query/alerts/alert/get",
+                "alerting:.es-query/alerts/alert/find",
+                "alerting:.es-query/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/alerts/alert/getAlertSummary",
+                "alerting:.es-query/alerts/alert/update",
+                "alerting:observability.rules.custom_threshold/logs/alert/get",
+                "alerting:observability.rules.custom_threshold/logs/alert/find",
+                "alerting:observability.rules.custom_threshold/logs/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/logs/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/logs/alert/update",
+                "alerting:observability.rules.custom_threshold/alerts/alert/get",
+                "alerting:observability.rules.custom_threshold/alerts/alert/find",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/alert/update",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/update",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/update",
+              ],
+              "minimal_all": Array [
+                "login:",
+                "api:fleet-read",
+                "api:fleet-all",
+                "app:fleet",
+                "ui:catalogue/fleet",
+                "ui:navLinks/fleet",
+                "saved_object:ingest-outputs/bulk_get",
+                "saved_object:ingest-outputs/get",
+                "saved_object:ingest-outputs/find",
+                "saved_object:ingest-outputs/open_point_in_time",
+                "saved_object:ingest-outputs/close_point_in_time",
+                "saved_object:ingest-outputs/create",
+                "saved_object:ingest-outputs/bulk_create",
+                "saved_object:ingest-outputs/update",
+                "saved_object:ingest-outputs/bulk_update",
+                "saved_object:ingest-outputs/delete",
+                "saved_object:ingest-outputs/bulk_delete",
+                "saved_object:ingest-outputs/share_to_space",
+                "saved_object:ingest-agent-policies/bulk_get",
+                "saved_object:ingest-agent-policies/get",
+                "saved_object:ingest-agent-policies/find",
+                "saved_object:ingest-agent-policies/open_point_in_time",
+                "saved_object:ingest-agent-policies/close_point_in_time",
+                "saved_object:ingest-agent-policies/create",
+                "saved_object:ingest-agent-policies/bulk_create",
+                "saved_object:ingest-agent-policies/update",
+                "saved_object:ingest-agent-policies/bulk_update",
+                "saved_object:ingest-agent-policies/delete",
+                "saved_object:ingest-agent-policies/bulk_delete",
+                "saved_object:ingest-agent-policies/share_to_space",
+                "saved_object:fleet-agent-policies/bulk_get",
+                "saved_object:fleet-agent-policies/get",
+                "saved_object:fleet-agent-policies/find",
+                "saved_object:fleet-agent-policies/open_point_in_time",
+                "saved_object:fleet-agent-policies/close_point_in_time",
+                "saved_object:fleet-agent-policies/create",
+                "saved_object:fleet-agent-policies/bulk_create",
+                "saved_object:fleet-agent-policies/update",
+                "saved_object:fleet-agent-policies/bulk_update",
+                "saved_object:fleet-agent-policies/delete",
+                "saved_object:fleet-agent-policies/bulk_delete",
+                "saved_object:fleet-agent-policies/share_to_space",
+                "saved_object:ingest-package-policies/bulk_get",
+                "saved_object:ingest-package-policies/get",
+                "saved_object:ingest-package-policies/find",
+                "saved_object:ingest-package-policies/open_point_in_time",
+                "saved_object:ingest-package-policies/close_point_in_time",
+                "saved_object:ingest-package-policies/create",
+                "saved_object:ingest-package-policies/bulk_create",
+                "saved_object:ingest-package-policies/update",
+                "saved_object:ingest-package-policies/bulk_update",
+                "saved_object:ingest-package-policies/delete",
+                "saved_object:ingest-package-policies/bulk_delete",
+                "saved_object:ingest-package-policies/share_to_space",
+                "saved_object:fleet-package-policies/bulk_get",
+                "saved_object:fleet-package-policies/get",
+                "saved_object:fleet-package-policies/find",
+                "saved_object:fleet-package-policies/open_point_in_time",
+                "saved_object:fleet-package-policies/close_point_in_time",
+                "saved_object:fleet-package-policies/create",
+                "saved_object:fleet-package-policies/bulk_create",
+                "saved_object:fleet-package-policies/update",
+                "saved_object:fleet-package-policies/bulk_update",
+                "saved_object:fleet-package-policies/delete",
+                "saved_object:fleet-package-policies/bulk_delete",
+                "saved_object:fleet-package-policies/share_to_space",
+                "saved_object:epm-packages/bulk_get",
+                "saved_object:epm-packages/get",
+                "saved_object:epm-packages/find",
+                "saved_object:epm-packages/open_point_in_time",
+                "saved_object:epm-packages/close_point_in_time",
+                "saved_object:epm-packages/create",
+                "saved_object:epm-packages/bulk_create",
+                "saved_object:epm-packages/update",
+                "saved_object:epm-packages/bulk_update",
+                "saved_object:epm-packages/delete",
+                "saved_object:epm-packages/bulk_delete",
+                "saved_object:epm-packages/share_to_space",
+                "saved_object:epm-packages-assets/bulk_get",
+                "saved_object:epm-packages-assets/get",
+                "saved_object:epm-packages-assets/find",
+                "saved_object:epm-packages-assets/open_point_in_time",
+                "saved_object:epm-packages-assets/close_point_in_time",
+                "saved_object:epm-packages-assets/create",
+                "saved_object:epm-packages-assets/bulk_create",
+                "saved_object:epm-packages-assets/update",
+                "saved_object:epm-packages-assets/bulk_update",
+                "saved_object:epm-packages-assets/delete",
+                "saved_object:epm-packages-assets/bulk_delete",
+                "saved_object:epm-packages-assets/share_to_space",
+                "saved_object:fleet-preconfiguration-deletion-record/bulk_get",
+                "saved_object:fleet-preconfiguration-deletion-record/get",
+                "saved_object:fleet-preconfiguration-deletion-record/find",
+                "saved_object:fleet-preconfiguration-deletion-record/open_point_in_time",
+                "saved_object:fleet-preconfiguration-deletion-record/close_point_in_time",
+                "saved_object:fleet-preconfiguration-deletion-record/create",
+                "saved_object:fleet-preconfiguration-deletion-record/bulk_create",
+                "saved_object:fleet-preconfiguration-deletion-record/update",
+                "saved_object:fleet-preconfiguration-deletion-record/bulk_update",
+                "saved_object:fleet-preconfiguration-deletion-record/delete",
+                "saved_object:fleet-preconfiguration-deletion-record/bulk_delete",
+                "saved_object:fleet-preconfiguration-deletion-record/share_to_space",
+                "saved_object:ingest-download-sources/bulk_get",
+                "saved_object:ingest-download-sources/get",
+                "saved_object:ingest-download-sources/find",
+                "saved_object:ingest-download-sources/open_point_in_time",
+                "saved_object:ingest-download-sources/close_point_in_time",
+                "saved_object:ingest-download-sources/create",
+                "saved_object:ingest-download-sources/bulk_create",
+                "saved_object:ingest-download-sources/update",
+                "saved_object:ingest-download-sources/bulk_update",
+                "saved_object:ingest-download-sources/delete",
+                "saved_object:ingest-download-sources/bulk_delete",
+                "saved_object:ingest-download-sources/share_to_space",
+                "saved_object:fleet-fleet-server-host/bulk_get",
+                "saved_object:fleet-fleet-server-host/get",
+                "saved_object:fleet-fleet-server-host/find",
+                "saved_object:fleet-fleet-server-host/open_point_in_time",
+                "saved_object:fleet-fleet-server-host/close_point_in_time",
+                "saved_object:fleet-fleet-server-host/create",
+                "saved_object:fleet-fleet-server-host/bulk_create",
+                "saved_object:fleet-fleet-server-host/update",
+                "saved_object:fleet-fleet-server-host/bulk_update",
+                "saved_object:fleet-fleet-server-host/delete",
+                "saved_object:fleet-fleet-server-host/bulk_delete",
+                "saved_object:fleet-fleet-server-host/share_to_space",
+                "saved_object:fleet-proxy/bulk_get",
+                "saved_object:fleet-proxy/get",
+                "saved_object:fleet-proxy/find",
+                "saved_object:fleet-proxy/open_point_in_time",
+                "saved_object:fleet-proxy/close_point_in_time",
+                "saved_object:fleet-proxy/create",
+                "saved_object:fleet-proxy/bulk_create",
+                "saved_object:fleet-proxy/update",
+                "saved_object:fleet-proxy/bulk_update",
+                "saved_object:fleet-proxy/delete",
+                "saved_object:fleet-proxy/bulk_delete",
+                "saved_object:fleet-proxy/share_to_space",
+                "saved_object:fleet-space-settings/bulk_get",
+                "saved_object:fleet-space-settings/get",
+                "saved_object:fleet-space-settings/find",
+                "saved_object:fleet-space-settings/open_point_in_time",
+                "saved_object:fleet-space-settings/close_point_in_time",
+                "saved_object:fleet-space-settings/create",
+                "saved_object:fleet-space-settings/bulk_create",
+                "saved_object:fleet-space-settings/update",
+                "saved_object:fleet-space-settings/bulk_update",
+                "saved_object:fleet-space-settings/delete",
+                "saved_object:fleet-space-settings/bulk_delete",
+                "saved_object:fleet-space-settings/share_to_space",
+                "saved_object:telemetry/bulk_get",
+                "saved_object:telemetry/get",
+                "saved_object:telemetry/find",
+                "saved_object:telemetry/open_point_in_time",
+                "saved_object:telemetry/close_point_in_time",
+                "saved_object:telemetry/create",
+                "saved_object:telemetry/bulk_create",
+                "saved_object:telemetry/update",
+                "saved_object:telemetry/bulk_update",
+                "saved_object:telemetry/delete",
+                "saved_object:telemetry/bulk_delete",
+                "saved_object:telemetry/share_to_space",
+                "saved_object:config/bulk_get",
+                "saved_object:config/get",
+                "saved_object:config/find",
+                "saved_object:config/open_point_in_time",
+                "saved_object:config/close_point_in_time",
+                "saved_object:config-global/bulk_get",
+                "saved_object:config-global/get",
+                "saved_object:config-global/find",
+                "saved_object:config-global/open_point_in_time",
+                "saved_object:config-global/close_point_in_time",
+                "saved_object:url/bulk_get",
+                "saved_object:url/get",
+                "saved_object:url/find",
+                "saved_object:url/open_point_in_time",
+                "saved_object:url/close_point_in_time",
+                "ui:fleetv2/read",
+                "ui:fleetv2/all",
+                "api:infra",
+                "api:rac",
+                "app:infra",
+                "app:logs",
+                "app:kibana",
+                "app:observability-logs-explorer",
+                "ui:catalogue/infralogging",
+                "ui:catalogue/logs",
+                "ui:management/insightsAndAlerting/triggersActions",
+                "ui:navLinks/infra",
+                "ui:navLinks/logs",
+                "ui:navLinks/kibana",
+                "ui:navLinks/observability-logs-explorer",
+                "saved_object:infrastructure-ui-source/bulk_get",
+                "saved_object:infrastructure-ui-source/get",
+                "saved_object:infrastructure-ui-source/find",
+                "saved_object:infrastructure-ui-source/open_point_in_time",
+                "saved_object:infrastructure-ui-source/close_point_in_time",
+                "saved_object:infrastructure-ui-source/create",
+                "saved_object:infrastructure-ui-source/bulk_create",
+                "saved_object:infrastructure-ui-source/update",
+                "saved_object:infrastructure-ui-source/bulk_update",
+                "saved_object:infrastructure-ui-source/delete",
+                "saved_object:infrastructure-ui-source/bulk_delete",
+                "saved_object:infrastructure-ui-source/share_to_space",
+                "saved_object:infrastructure-monitoring-log-view/bulk_get",
+                "saved_object:infrastructure-monitoring-log-view/get",
+                "saved_object:infrastructure-monitoring-log-view/find",
+                "saved_object:infrastructure-monitoring-log-view/open_point_in_time",
+                "saved_object:infrastructure-monitoring-log-view/close_point_in_time",
+                "saved_object:infrastructure-monitoring-log-view/create",
+                "saved_object:infrastructure-monitoring-log-view/bulk_create",
+                "saved_object:infrastructure-monitoring-log-view/update",
+                "saved_object:infrastructure-monitoring-log-view/bulk_update",
+                "saved_object:infrastructure-monitoring-log-view/delete",
+                "saved_object:infrastructure-monitoring-log-view/bulk_delete",
+                "saved_object:infrastructure-monitoring-log-view/share_to_space",
+                "ui:logs/show",
+                "ui:logs/configureSource",
+                "ui:logs/save",
+                "alerting:logs.alert.document.count/logs/rule/get",
+                "alerting:logs.alert.document.count/logs/rule/getRuleState",
+                "alerting:logs.alert.document.count/logs/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/logs/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/logs/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/logs/rule/find",
+                "alerting:logs.alert.document.count/logs/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/logs/rule/getBackfill",
+                "alerting:logs.alert.document.count/logs/rule/findBackfill",
+                "alerting:logs.alert.document.count/logs/rule/create",
+                "alerting:logs.alert.document.count/logs/rule/delete",
+                "alerting:logs.alert.document.count/logs/rule/update",
+                "alerting:logs.alert.document.count/logs/rule/updateApiKey",
+                "alerting:logs.alert.document.count/logs/rule/enable",
+                "alerting:logs.alert.document.count/logs/rule/disable",
+                "alerting:logs.alert.document.count/logs/rule/muteAll",
+                "alerting:logs.alert.document.count/logs/rule/unmuteAll",
+                "alerting:logs.alert.document.count/logs/rule/muteAlert",
+                "alerting:logs.alert.document.count/logs/rule/unmuteAlert",
+                "alerting:logs.alert.document.count/logs/rule/snooze",
+                "alerting:logs.alert.document.count/logs/rule/bulkEdit",
+                "alerting:logs.alert.document.count/logs/rule/bulkDelete",
+                "alerting:logs.alert.document.count/logs/rule/bulkEnable",
+                "alerting:logs.alert.document.count/logs/rule/bulkDisable",
+                "alerting:logs.alert.document.count/logs/rule/unsnooze",
+                "alerting:logs.alert.document.count/logs/rule/runSoon",
+                "alerting:logs.alert.document.count/logs/rule/scheduleBackfill",
+                "alerting:logs.alert.document.count/logs/rule/deleteBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/get",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleState",
+                "alerting:logs.alert.document.count/alerts/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/alerts/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/alerts/rule/find",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/alerts/rule/getBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/findBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/create",
+                "alerting:logs.alert.document.count/alerts/rule/delete",
+                "alerting:logs.alert.document.count/alerts/rule/update",
+                "alerting:logs.alert.document.count/alerts/rule/updateApiKey",
+                "alerting:logs.alert.document.count/alerts/rule/enable",
+                "alerting:logs.alert.document.count/alerts/rule/disable",
+                "alerting:logs.alert.document.count/alerts/rule/muteAll",
+                "alerting:logs.alert.document.count/alerts/rule/unmuteAll",
+                "alerting:logs.alert.document.count/alerts/rule/muteAlert",
+                "alerting:logs.alert.document.count/alerts/rule/unmuteAlert",
+                "alerting:logs.alert.document.count/alerts/rule/snooze",
+                "alerting:logs.alert.document.count/alerts/rule/bulkEdit",
+                "alerting:logs.alert.document.count/alerts/rule/bulkDelete",
+                "alerting:logs.alert.document.count/alerts/rule/bulkEnable",
+                "alerting:logs.alert.document.count/alerts/rule/bulkDisable",
+                "alerting:logs.alert.document.count/alerts/rule/unsnooze",
+                "alerting:logs.alert.document.count/alerts/rule/runSoon",
+                "alerting:logs.alert.document.count/alerts/rule/scheduleBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/deleteBackfill",
+                "alerting:.es-query/logs/rule/get",
+                "alerting:.es-query/logs/rule/getRuleState",
+                "alerting:.es-query/logs/rule/getAlertSummary",
+                "alerting:.es-query/logs/rule/getExecutionLog",
+                "alerting:.es-query/logs/rule/getActionErrorLog",
+                "alerting:.es-query/logs/rule/find",
+                "alerting:.es-query/logs/rule/getRuleExecutionKPI",
+                "alerting:.es-query/logs/rule/getBackfill",
+                "alerting:.es-query/logs/rule/findBackfill",
+                "alerting:.es-query/logs/rule/create",
+                "alerting:.es-query/logs/rule/delete",
+                "alerting:.es-query/logs/rule/update",
+                "alerting:.es-query/logs/rule/updateApiKey",
+                "alerting:.es-query/logs/rule/enable",
+                "alerting:.es-query/logs/rule/disable",
+                "alerting:.es-query/logs/rule/muteAll",
+                "alerting:.es-query/logs/rule/unmuteAll",
+                "alerting:.es-query/logs/rule/muteAlert",
+                "alerting:.es-query/logs/rule/unmuteAlert",
+                "alerting:.es-query/logs/rule/snooze",
+                "alerting:.es-query/logs/rule/bulkEdit",
+                "alerting:.es-query/logs/rule/bulkDelete",
+                "alerting:.es-query/logs/rule/bulkEnable",
+                "alerting:.es-query/logs/rule/bulkDisable",
+                "alerting:.es-query/logs/rule/unsnooze",
+                "alerting:.es-query/logs/rule/runSoon",
+                "alerting:.es-query/logs/rule/scheduleBackfill",
+                "alerting:.es-query/logs/rule/deleteBackfill",
+                "alerting:.es-query/alerts/rule/get",
+                "alerting:.es-query/alerts/rule/getRuleState",
+                "alerting:.es-query/alerts/rule/getAlertSummary",
+                "alerting:.es-query/alerts/rule/getExecutionLog",
+                "alerting:.es-query/alerts/rule/getActionErrorLog",
+                "alerting:.es-query/alerts/rule/find",
+                "alerting:.es-query/alerts/rule/getRuleExecutionKPI",
+                "alerting:.es-query/alerts/rule/getBackfill",
+                "alerting:.es-query/alerts/rule/findBackfill",
+                "alerting:.es-query/alerts/rule/create",
+                "alerting:.es-query/alerts/rule/delete",
+                "alerting:.es-query/alerts/rule/update",
+                "alerting:.es-query/alerts/rule/updateApiKey",
+                "alerting:.es-query/alerts/rule/enable",
+                "alerting:.es-query/alerts/rule/disable",
+                "alerting:.es-query/alerts/rule/muteAll",
+                "alerting:.es-query/alerts/rule/unmuteAll",
+                "alerting:.es-query/alerts/rule/muteAlert",
+                "alerting:.es-query/alerts/rule/unmuteAlert",
+                "alerting:.es-query/alerts/rule/snooze",
+                "alerting:.es-query/alerts/rule/bulkEdit",
+                "alerting:.es-query/alerts/rule/bulkDelete",
+                "alerting:.es-query/alerts/rule/bulkEnable",
+                "alerting:.es-query/alerts/rule/bulkDisable",
+                "alerting:.es-query/alerts/rule/unsnooze",
+                "alerting:.es-query/alerts/rule/runSoon",
+                "alerting:.es-query/alerts/rule/scheduleBackfill",
+                "alerting:.es-query/alerts/rule/deleteBackfill",
+                "alerting:observability.rules.custom_threshold/logs/rule/get",
+                "alerting:observability.rules.custom_threshold/logs/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/logs/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/logs/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/logs/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/logs/rule/find",
+                "alerting:observability.rules.custom_threshold/logs/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/logs/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/logs/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/logs/rule/create",
+                "alerting:observability.rules.custom_threshold/logs/rule/delete",
+                "alerting:observability.rules.custom_threshold/logs/rule/update",
+                "alerting:observability.rules.custom_threshold/logs/rule/updateApiKey",
+                "alerting:observability.rules.custom_threshold/logs/rule/enable",
+                "alerting:observability.rules.custom_threshold/logs/rule/disable",
+                "alerting:observability.rules.custom_threshold/logs/rule/muteAll",
+                "alerting:observability.rules.custom_threshold/logs/rule/unmuteAll",
+                "alerting:observability.rules.custom_threshold/logs/rule/muteAlert",
+                "alerting:observability.rules.custom_threshold/logs/rule/unmuteAlert",
+                "alerting:observability.rules.custom_threshold/logs/rule/snooze",
+                "alerting:observability.rules.custom_threshold/logs/rule/bulkEdit",
+                "alerting:observability.rules.custom_threshold/logs/rule/bulkDelete",
+                "alerting:observability.rules.custom_threshold/logs/rule/bulkEnable",
+                "alerting:observability.rules.custom_threshold/logs/rule/bulkDisable",
+                "alerting:observability.rules.custom_threshold/logs/rule/unsnooze",
+                "alerting:observability.rules.custom_threshold/logs/rule/runSoon",
+                "alerting:observability.rules.custom_threshold/logs/rule/scheduleBackfill",
+                "alerting:observability.rules.custom_threshold/logs/rule/deleteBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/get",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/find",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/create",
+                "alerting:observability.rules.custom_threshold/alerts/rule/delete",
+                "alerting:observability.rules.custom_threshold/alerts/rule/update",
+                "alerting:observability.rules.custom_threshold/alerts/rule/updateApiKey",
+                "alerting:observability.rules.custom_threshold/alerts/rule/enable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/disable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/muteAll",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unmuteAll",
+                "alerting:observability.rules.custom_threshold/alerts/rule/muteAlert",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unmuteAlert",
+                "alerting:observability.rules.custom_threshold/alerts/rule/snooze",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkEdit",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkDelete",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkEnable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkDisable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unsnooze",
+                "alerting:observability.rules.custom_threshold/alerts/rule/runSoon",
+                "alerting:observability.rules.custom_threshold/alerts/rule/scheduleBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/deleteBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/deleteBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/deleteBackfill",
+                "alerting:logs.alert.document.count/logs/alert/get",
+                "alerting:logs.alert.document.count/logs/alert/find",
+                "alerting:logs.alert.document.count/logs/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/logs/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/logs/alert/update",
+                "alerting:logs.alert.document.count/alerts/alert/get",
+                "alerting:logs.alert.document.count/alerts/alert/find",
+                "alerting:logs.alert.document.count/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/alerts/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/alert/update",
+                "alerting:.es-query/logs/alert/get",
+                "alerting:.es-query/logs/alert/find",
+                "alerting:.es-query/logs/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/logs/alert/getAlertSummary",
+                "alerting:.es-query/logs/alert/update",
+                "alerting:.es-query/alerts/alert/get",
+                "alerting:.es-query/alerts/alert/find",
+                "alerting:.es-query/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/alerts/alert/getAlertSummary",
+                "alerting:.es-query/alerts/alert/update",
+                "alerting:observability.rules.custom_threshold/logs/alert/get",
+                "alerting:observability.rules.custom_threshold/logs/alert/find",
+                "alerting:observability.rules.custom_threshold/logs/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/logs/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/logs/alert/update",
+                "alerting:observability.rules.custom_threshold/alerts/alert/get",
+                "alerting:observability.rules.custom_threshold/alerts/alert/find",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/alert/update",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/update",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/update",
+              ],
+              "minimal_read": Array [
+                "login:",
+                "api:fleet-read",
+                "app:fleet",
+                "ui:catalogue/fleet",
+                "ui:navLinks/fleet",
+                "saved_object:ingest-outputs/bulk_get",
+                "saved_object:ingest-outputs/get",
+                "saved_object:ingest-outputs/find",
+                "saved_object:ingest-outputs/open_point_in_time",
+                "saved_object:ingest-outputs/close_point_in_time",
+                "saved_object:ingest-agent-policies/bulk_get",
+                "saved_object:ingest-agent-policies/get",
+                "saved_object:ingest-agent-policies/find",
+                "saved_object:ingest-agent-policies/open_point_in_time",
+                "saved_object:ingest-agent-policies/close_point_in_time",
+                "saved_object:fleet-agent-policies/bulk_get",
+                "saved_object:fleet-agent-policies/get",
+                "saved_object:fleet-agent-policies/find",
+                "saved_object:fleet-agent-policies/open_point_in_time",
+                "saved_object:fleet-agent-policies/close_point_in_time",
+                "saved_object:ingest-package-policies/bulk_get",
+                "saved_object:ingest-package-policies/get",
+                "saved_object:ingest-package-policies/find",
+                "saved_object:ingest-package-policies/open_point_in_time",
+                "saved_object:ingest-package-policies/close_point_in_time",
+                "saved_object:fleet-package-policies/bulk_get",
+                "saved_object:fleet-package-policies/get",
+                "saved_object:fleet-package-policies/find",
+                "saved_object:fleet-package-policies/open_point_in_time",
+                "saved_object:fleet-package-policies/close_point_in_time",
+                "saved_object:epm-packages/bulk_get",
+                "saved_object:epm-packages/get",
+                "saved_object:epm-packages/find",
+                "saved_object:epm-packages/open_point_in_time",
+                "saved_object:epm-packages/close_point_in_time",
+                "saved_object:epm-packages-assets/bulk_get",
+                "saved_object:epm-packages-assets/get",
+                "saved_object:epm-packages-assets/find",
+                "saved_object:epm-packages-assets/open_point_in_time",
+                "saved_object:epm-packages-assets/close_point_in_time",
+                "saved_object:fleet-preconfiguration-deletion-record/bulk_get",
+                "saved_object:fleet-preconfiguration-deletion-record/get",
+                "saved_object:fleet-preconfiguration-deletion-record/find",
+                "saved_object:fleet-preconfiguration-deletion-record/open_point_in_time",
+                "saved_object:fleet-preconfiguration-deletion-record/close_point_in_time",
+                "saved_object:ingest-download-sources/bulk_get",
+                "saved_object:ingest-download-sources/get",
+                "saved_object:ingest-download-sources/find",
+                "saved_object:ingest-download-sources/open_point_in_time",
+                "saved_object:ingest-download-sources/close_point_in_time",
+                "saved_object:fleet-fleet-server-host/bulk_get",
+                "saved_object:fleet-fleet-server-host/get",
+                "saved_object:fleet-fleet-server-host/find",
+                "saved_object:fleet-fleet-server-host/open_point_in_time",
+                "saved_object:fleet-fleet-server-host/close_point_in_time",
+                "saved_object:fleet-proxy/bulk_get",
+                "saved_object:fleet-proxy/get",
+                "saved_object:fleet-proxy/find",
+                "saved_object:fleet-proxy/open_point_in_time",
+                "saved_object:fleet-proxy/close_point_in_time",
+                "saved_object:fleet-space-settings/bulk_get",
+                "saved_object:fleet-space-settings/get",
+                "saved_object:fleet-space-settings/find",
+                "saved_object:fleet-space-settings/open_point_in_time",
+                "saved_object:fleet-space-settings/close_point_in_time",
+                "saved_object:config/bulk_get",
+                "saved_object:config/get",
+                "saved_object:config/find",
+                "saved_object:config/open_point_in_time",
+                "saved_object:config/close_point_in_time",
+                "saved_object:config-global/bulk_get",
+                "saved_object:config-global/get",
+                "saved_object:config-global/find",
+                "saved_object:config-global/open_point_in_time",
+                "saved_object:config-global/close_point_in_time",
+                "saved_object:telemetry/bulk_get",
+                "saved_object:telemetry/get",
+                "saved_object:telemetry/find",
+                "saved_object:telemetry/open_point_in_time",
+                "saved_object:telemetry/close_point_in_time",
+                "saved_object:url/bulk_get",
+                "saved_object:url/get",
+                "saved_object:url/find",
+                "saved_object:url/open_point_in_time",
+                "saved_object:url/close_point_in_time",
+                "ui:fleetv2/read",
+                "api:infra",
+                "api:rac",
+                "app:infra",
+                "app:logs",
+                "app:kibana",
+                "app:observability-logs-explorer",
+                "ui:catalogue/infralogging",
+                "ui:catalogue/logs",
+                "ui:management/insightsAndAlerting/triggersActions",
+                "ui:navLinks/infra",
+                "ui:navLinks/logs",
+                "ui:navLinks/kibana",
+                "ui:navLinks/observability-logs-explorer",
+                "saved_object:infrastructure-ui-source/bulk_get",
+                "saved_object:infrastructure-ui-source/get",
+                "saved_object:infrastructure-ui-source/find",
+                "saved_object:infrastructure-ui-source/open_point_in_time",
+                "saved_object:infrastructure-ui-source/close_point_in_time",
+                "saved_object:infrastructure-monitoring-log-view/bulk_get",
+                "saved_object:infrastructure-monitoring-log-view/get",
+                "saved_object:infrastructure-monitoring-log-view/find",
+                "saved_object:infrastructure-monitoring-log-view/open_point_in_time",
+                "saved_object:infrastructure-monitoring-log-view/close_point_in_time",
+                "ui:logs/show",
+                "alerting:logs.alert.document.count/logs/rule/get",
+                "alerting:logs.alert.document.count/logs/rule/getRuleState",
+                "alerting:logs.alert.document.count/logs/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/logs/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/logs/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/logs/rule/find",
+                "alerting:logs.alert.document.count/logs/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/logs/rule/getBackfill",
+                "alerting:logs.alert.document.count/logs/rule/findBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/get",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleState",
+                "alerting:logs.alert.document.count/alerts/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/alerts/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/alerts/rule/find",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/alerts/rule/getBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/findBackfill",
+                "alerting:.es-query/logs/rule/get",
+                "alerting:.es-query/logs/rule/getRuleState",
+                "alerting:.es-query/logs/rule/getAlertSummary",
+                "alerting:.es-query/logs/rule/getExecutionLog",
+                "alerting:.es-query/logs/rule/getActionErrorLog",
+                "alerting:.es-query/logs/rule/find",
+                "alerting:.es-query/logs/rule/getRuleExecutionKPI",
+                "alerting:.es-query/logs/rule/getBackfill",
+                "alerting:.es-query/logs/rule/findBackfill",
+                "alerting:.es-query/alerts/rule/get",
+                "alerting:.es-query/alerts/rule/getRuleState",
+                "alerting:.es-query/alerts/rule/getAlertSummary",
+                "alerting:.es-query/alerts/rule/getExecutionLog",
+                "alerting:.es-query/alerts/rule/getActionErrorLog",
+                "alerting:.es-query/alerts/rule/find",
+                "alerting:.es-query/alerts/rule/getRuleExecutionKPI",
+                "alerting:.es-query/alerts/rule/getBackfill",
+                "alerting:.es-query/alerts/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/logs/rule/get",
+                "alerting:observability.rules.custom_threshold/logs/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/logs/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/logs/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/logs/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/logs/rule/find",
+                "alerting:observability.rules.custom_threshold/logs/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/logs/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/logs/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/get",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/find",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/findBackfill",
+                "alerting:logs.alert.document.count/logs/alert/get",
+                "alerting:logs.alert.document.count/logs/alert/find",
+                "alerting:logs.alert.document.count/logs/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/logs/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/alert/get",
+                "alerting:logs.alert.document.count/alerts/alert/find",
+                "alerting:logs.alert.document.count/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/alerts/alert/getAlertSummary",
+                "alerting:.es-query/logs/alert/get",
+                "alerting:.es-query/logs/alert/find",
+                "alerting:.es-query/logs/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/logs/alert/getAlertSummary",
+                "alerting:.es-query/alerts/alert/get",
+                "alerting:.es-query/alerts/alert/find",
+                "alerting:.es-query/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/alerts/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/logs/alert/get",
+                "alerting:observability.rules.custom_threshold/logs/alert/find",
+                "alerting:observability.rules.custom_threshold/logs/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/logs/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/alert/get",
+                "alerting:observability.rules.custom_threshold/alerts/alert/find",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAlertSummary",
               ],
-              "minimal_read": Array [
+              "read": Array [
+                "login:",
+                "api:fleet-read",
+                "app:fleet",
+                "ui:catalogue/fleet",
+                "ui:navLinks/fleet",
+                "saved_object:ingest-outputs/bulk_get",
+                "saved_object:ingest-outputs/get",
+                "saved_object:ingest-outputs/find",
+                "saved_object:ingest-outputs/open_point_in_time",
+                "saved_object:ingest-outputs/close_point_in_time",
+                "saved_object:ingest-agent-policies/bulk_get",
+                "saved_object:ingest-agent-policies/get",
+                "saved_object:ingest-agent-policies/find",
+                "saved_object:ingest-agent-policies/open_point_in_time",
+                "saved_object:ingest-agent-policies/close_point_in_time",
+                "saved_object:fleet-agent-policies/bulk_get",
+                "saved_object:fleet-agent-policies/get",
+                "saved_object:fleet-agent-policies/find",
+                "saved_object:fleet-agent-policies/open_point_in_time",
+                "saved_object:fleet-agent-policies/close_point_in_time",
+                "saved_object:ingest-package-policies/bulk_get",
+                "saved_object:ingest-package-policies/get",
+                "saved_object:ingest-package-policies/find",
+                "saved_object:ingest-package-policies/open_point_in_time",
+                "saved_object:ingest-package-policies/close_point_in_time",
+                "saved_object:fleet-package-policies/bulk_get",
+                "saved_object:fleet-package-policies/get",
+                "saved_object:fleet-package-policies/find",
+                "saved_object:fleet-package-policies/open_point_in_time",
+                "saved_object:fleet-package-policies/close_point_in_time",
+                "saved_object:epm-packages/bulk_get",
+                "saved_object:epm-packages/get",
+                "saved_object:epm-packages/find",
+                "saved_object:epm-packages/open_point_in_time",
+                "saved_object:epm-packages/close_point_in_time",
+                "saved_object:epm-packages-assets/bulk_get",
+                "saved_object:epm-packages-assets/get",
+                "saved_object:epm-packages-assets/find",
+                "saved_object:epm-packages-assets/open_point_in_time",
+                "saved_object:epm-packages-assets/close_point_in_time",
+                "saved_object:fleet-preconfiguration-deletion-record/bulk_get",
+                "saved_object:fleet-preconfiguration-deletion-record/get",
+                "saved_object:fleet-preconfiguration-deletion-record/find",
+                "saved_object:fleet-preconfiguration-deletion-record/open_point_in_time",
+                "saved_object:fleet-preconfiguration-deletion-record/close_point_in_time",
+                "saved_object:ingest-download-sources/bulk_get",
+                "saved_object:ingest-download-sources/get",
+                "saved_object:ingest-download-sources/find",
+                "saved_object:ingest-download-sources/open_point_in_time",
+                "saved_object:ingest-download-sources/close_point_in_time",
+                "saved_object:fleet-fleet-server-host/bulk_get",
+                "saved_object:fleet-fleet-server-host/get",
+                "saved_object:fleet-fleet-server-host/find",
+                "saved_object:fleet-fleet-server-host/open_point_in_time",
+                "saved_object:fleet-fleet-server-host/close_point_in_time",
+                "saved_object:fleet-proxy/bulk_get",
+                "saved_object:fleet-proxy/get",
+                "saved_object:fleet-proxy/find",
+                "saved_object:fleet-proxy/open_point_in_time",
+                "saved_object:fleet-proxy/close_point_in_time",
+                "saved_object:fleet-space-settings/bulk_get",
+                "saved_object:fleet-space-settings/get",
+                "saved_object:fleet-space-settings/find",
+                "saved_object:fleet-space-settings/open_point_in_time",
+                "saved_object:fleet-space-settings/close_point_in_time",
+                "saved_object:config/bulk_get",
+                "saved_object:config/get",
+                "saved_object:config/find",
+                "saved_object:config/open_point_in_time",
+                "saved_object:config/close_point_in_time",
+                "saved_object:config-global/bulk_get",
+                "saved_object:config-global/get",
+                "saved_object:config-global/find",
+                "saved_object:config-global/open_point_in_time",
+                "saved_object:config-global/close_point_in_time",
+                "saved_object:telemetry/bulk_get",
+                "saved_object:telemetry/get",
+                "saved_object:telemetry/find",
+                "saved_object:telemetry/open_point_in_time",
+                "saved_object:telemetry/close_point_in_time",
+                "saved_object:url/bulk_get",
+                "saved_object:url/get",
+                "saved_object:url/find",
+                "saved_object:url/open_point_in_time",
+                "saved_object:url/close_point_in_time",
+                "ui:fleetv2/read",
+                "api:infra",
+                "api:rac",
+                "app:infra",
+                "app:logs",
+                "app:kibana",
+                "app:observability-logs-explorer",
+                "ui:catalogue/infralogging",
+                "ui:catalogue/logs",
+                "ui:management/insightsAndAlerting/triggersActions",
+                "ui:navLinks/infra",
+                "ui:navLinks/logs",
+                "ui:navLinks/kibana",
+                "ui:navLinks/observability-logs-explorer",
+                "saved_object:infrastructure-ui-source/bulk_get",
+                "saved_object:infrastructure-ui-source/get",
+                "saved_object:infrastructure-ui-source/find",
+                "saved_object:infrastructure-ui-source/open_point_in_time",
+                "saved_object:infrastructure-ui-source/close_point_in_time",
+                "saved_object:infrastructure-monitoring-log-view/bulk_get",
+                "saved_object:infrastructure-monitoring-log-view/get",
+                "saved_object:infrastructure-monitoring-log-view/find",
+                "saved_object:infrastructure-monitoring-log-view/open_point_in_time",
+                "saved_object:infrastructure-monitoring-log-view/close_point_in_time",
+                "ui:logs/show",
+                "alerting:logs.alert.document.count/logs/rule/get",
+                "alerting:logs.alert.document.count/logs/rule/getRuleState",
+                "alerting:logs.alert.document.count/logs/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/logs/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/logs/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/logs/rule/find",
+                "alerting:logs.alert.document.count/logs/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/logs/rule/getBackfill",
+                "alerting:logs.alert.document.count/logs/rule/findBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/get",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleState",
+                "alerting:logs.alert.document.count/alerts/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/alerts/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/alerts/rule/find",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/alerts/rule/getBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/findBackfill",
+                "alerting:.es-query/logs/rule/get",
+                "alerting:.es-query/logs/rule/getRuleState",
+                "alerting:.es-query/logs/rule/getAlertSummary",
+                "alerting:.es-query/logs/rule/getExecutionLog",
+                "alerting:.es-query/logs/rule/getActionErrorLog",
+                "alerting:.es-query/logs/rule/find",
+                "alerting:.es-query/logs/rule/getRuleExecutionKPI",
+                "alerting:.es-query/logs/rule/getBackfill",
+                "alerting:.es-query/logs/rule/findBackfill",
+                "alerting:.es-query/alerts/rule/get",
+                "alerting:.es-query/alerts/rule/getRuleState",
+                "alerting:.es-query/alerts/rule/getAlertSummary",
+                "alerting:.es-query/alerts/rule/getExecutionLog",
+                "alerting:.es-query/alerts/rule/getActionErrorLog",
+                "alerting:.es-query/alerts/rule/find",
+                "alerting:.es-query/alerts/rule/getRuleExecutionKPI",
+                "alerting:.es-query/alerts/rule/getBackfill",
+                "alerting:.es-query/alerts/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/logs/rule/get",
+                "alerting:observability.rules.custom_threshold/logs/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/logs/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/logs/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/logs/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/logs/rule/find",
+                "alerting:observability.rules.custom_threshold/logs/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/logs/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/logs/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/get",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/find",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/findBackfill",
+                "alerting:logs.alert.document.count/logs/alert/get",
+                "alerting:logs.alert.document.count/logs/alert/find",
+                "alerting:logs.alert.document.count/logs/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/logs/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/alert/get",
+                "alerting:logs.alert.document.count/alerts/alert/find",
+                "alerting:logs.alert.document.count/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/alerts/alert/getAlertSummary",
+                "alerting:.es-query/logs/alert/get",
+                "alerting:.es-query/logs/alert/find",
+                "alerting:.es-query/logs/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/logs/alert/getAlertSummary",
+                "alerting:.es-query/alerts/alert/get",
+                "alerting:.es-query/alerts/alert/find",
+                "alerting:.es-query/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/alerts/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/logs/alert/get",
+                "alerting:observability.rules.custom_threshold/logs/alert/find",
+                "alerting:observability.rules.custom_threshold/logs/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/logs/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/alert/get",
+                "alerting:observability.rules.custom_threshold/alerts/alert/find",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAlertSummary",
+              ],
+            },
+            "infrastructure": Object {
+              "all": Array [
                 "login:",
                 "api:infra",
                 "api:rac",
@@ -6590,16 +9673,42 @@ export default function ({ getService }: FtrProviderContext) {
                 "saved_object:infrastructure-ui-source/find",
                 "saved_object:infrastructure-ui-source/open_point_in_time",
                 "saved_object:infrastructure-ui-source/close_point_in_time",
-                "saved_object:index-pattern/bulk_get",
-                "saved_object:index-pattern/get",
-                "saved_object:index-pattern/find",
-                "saved_object:index-pattern/open_point_in_time",
-                "saved_object:index-pattern/close_point_in_time",
+                "saved_object:infrastructure-ui-source/create",
+                "saved_object:infrastructure-ui-source/bulk_create",
+                "saved_object:infrastructure-ui-source/update",
+                "saved_object:infrastructure-ui-source/bulk_update",
+                "saved_object:infrastructure-ui-source/delete",
+                "saved_object:infrastructure-ui-source/bulk_delete",
+                "saved_object:infrastructure-ui-source/share_to_space",
                 "saved_object:metrics-data-source/bulk_get",
                 "saved_object:metrics-data-source/get",
                 "saved_object:metrics-data-source/find",
                 "saved_object:metrics-data-source/open_point_in_time",
                 "saved_object:metrics-data-source/close_point_in_time",
+                "saved_object:metrics-data-source/create",
+                "saved_object:metrics-data-source/bulk_create",
+                "saved_object:metrics-data-source/update",
+                "saved_object:metrics-data-source/bulk_update",
+                "saved_object:metrics-data-source/delete",
+                "saved_object:metrics-data-source/bulk_delete",
+                "saved_object:metrics-data-source/share_to_space",
+                "saved_object:telemetry/bulk_get",
+                "saved_object:telemetry/get",
+                "saved_object:telemetry/find",
+                "saved_object:telemetry/open_point_in_time",
+                "saved_object:telemetry/close_point_in_time",
+                "saved_object:telemetry/create",
+                "saved_object:telemetry/bulk_create",
+                "saved_object:telemetry/update",
+                "saved_object:telemetry/bulk_update",
+                "saved_object:telemetry/delete",
+                "saved_object:telemetry/bulk_delete",
+                "saved_object:telemetry/share_to_space",
+                "saved_object:index-pattern/bulk_get",
+                "saved_object:index-pattern/get",
+                "saved_object:index-pattern/find",
+                "saved_object:index-pattern/open_point_in_time",
+                "saved_object:index-pattern/close_point_in_time",
                 "saved_object:config/bulk_get",
                 "saved_object:config/get",
                 "saved_object:config/find",
@@ -6610,17 +9719,14 @@ export default function ({ getService }: FtrProviderContext) {
                 "saved_object:config-global/find",
                 "saved_object:config-global/open_point_in_time",
                 "saved_object:config-global/close_point_in_time",
-                "saved_object:telemetry/bulk_get",
-                "saved_object:telemetry/get",
-                "saved_object:telemetry/find",
-                "saved_object:telemetry/open_point_in_time",
-                "saved_object:telemetry/close_point_in_time",
                 "saved_object:url/bulk_get",
                 "saved_object:url/get",
                 "saved_object:url/find",
                 "saved_object:url/open_point_in_time",
                 "saved_object:url/close_point_in_time",
                 "ui:infrastructure/show",
+                "ui:infrastructure/configureSource",
+                "ui:infrastructure/save",
                 "alerting:metrics.alert.threshold/infrastructure/rule/get",
                 "alerting:metrics.alert.threshold/infrastructure/rule/getRuleState",
                 "alerting:metrics.alert.threshold/infrastructure/rule/getAlertSummary",
@@ -6630,6 +9736,53 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:metrics.alert.threshold/infrastructure/rule/getRuleExecutionKPI",
                 "alerting:metrics.alert.threshold/infrastructure/rule/getBackfill",
                 "alerting:metrics.alert.threshold/infrastructure/rule/findBackfill",
+                "alerting:metrics.alert.threshold/infrastructure/rule/create",
+                "alerting:metrics.alert.threshold/infrastructure/rule/delete",
+                "alerting:metrics.alert.threshold/infrastructure/rule/update",
+                "alerting:metrics.alert.threshold/infrastructure/rule/updateApiKey",
+                "alerting:metrics.alert.threshold/infrastructure/rule/enable",
+                "alerting:metrics.alert.threshold/infrastructure/rule/disable",
+                "alerting:metrics.alert.threshold/infrastructure/rule/muteAll",
+                "alerting:metrics.alert.threshold/infrastructure/rule/unmuteAll",
+                "alerting:metrics.alert.threshold/infrastructure/rule/muteAlert",
+                "alerting:metrics.alert.threshold/infrastructure/rule/unmuteAlert",
+                "alerting:metrics.alert.threshold/infrastructure/rule/snooze",
+                "alerting:metrics.alert.threshold/infrastructure/rule/bulkEdit",
+                "alerting:metrics.alert.threshold/infrastructure/rule/bulkDelete",
+                "alerting:metrics.alert.threshold/infrastructure/rule/bulkEnable",
+                "alerting:metrics.alert.threshold/infrastructure/rule/bulkDisable",
+                "alerting:metrics.alert.threshold/infrastructure/rule/unsnooze",
+                "alerting:metrics.alert.threshold/infrastructure/rule/runSoon",
+                "alerting:metrics.alert.threshold/infrastructure/rule/scheduleBackfill",
+                "alerting:metrics.alert.threshold/infrastructure/rule/deleteBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/get",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/alerts/rule/find",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/create",
+                "alerting:metrics.alert.threshold/alerts/rule/delete",
+                "alerting:metrics.alert.threshold/alerts/rule/update",
+                "alerting:metrics.alert.threshold/alerts/rule/updateApiKey",
+                "alerting:metrics.alert.threshold/alerts/rule/enable",
+                "alerting:metrics.alert.threshold/alerts/rule/disable",
+                "alerting:metrics.alert.threshold/alerts/rule/muteAll",
+                "alerting:metrics.alert.threshold/alerts/rule/unmuteAll",
+                "alerting:metrics.alert.threshold/alerts/rule/muteAlert",
+                "alerting:metrics.alert.threshold/alerts/rule/unmuteAlert",
+                "alerting:metrics.alert.threshold/alerts/rule/snooze",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkEdit",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkDelete",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkEnable",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkDisable",
+                "alerting:metrics.alert.threshold/alerts/rule/unsnooze",
+                "alerting:metrics.alert.threshold/alerts/rule/runSoon",
+                "alerting:metrics.alert.threshold/alerts/rule/scheduleBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/deleteBackfill",
                 "alerting:metrics.alert.inventory.threshold/infrastructure/rule/get",
                 "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getRuleState",
                 "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getAlertSummary",
@@ -6639,6 +9792,53 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getRuleExecutionKPI",
                 "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getBackfill",
                 "alerting:metrics.alert.inventory.threshold/infrastructure/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/create",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/delete",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/update",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/updateApiKey",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/enable",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/disable",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/muteAll",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/unmuteAll",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/muteAlert",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/unmuteAlert",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/snooze",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/bulkEdit",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/bulkDelete",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/bulkEnable",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/bulkDisable",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/unsnooze",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/runSoon",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/scheduleBackfill",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/deleteBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/create",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/delete",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/update",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/updateApiKey",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/enable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/disable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/muteAll",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unmuteAll",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/muteAlert",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unmuteAlert",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/snooze",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkEdit",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkDelete",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkEnable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkDisable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unsnooze",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/runSoon",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/scheduleBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/deleteBackfill",
                 "alerting:.es-query/infrastructure/rule/get",
                 "alerting:.es-query/infrastructure/rule/getRuleState",
                 "alerting:.es-query/infrastructure/rule/getAlertSummary",
@@ -6648,6 +9848,53 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:.es-query/infrastructure/rule/getRuleExecutionKPI",
                 "alerting:.es-query/infrastructure/rule/getBackfill",
                 "alerting:.es-query/infrastructure/rule/findBackfill",
+                "alerting:.es-query/infrastructure/rule/create",
+                "alerting:.es-query/infrastructure/rule/delete",
+                "alerting:.es-query/infrastructure/rule/update",
+                "alerting:.es-query/infrastructure/rule/updateApiKey",
+                "alerting:.es-query/infrastructure/rule/enable",
+                "alerting:.es-query/infrastructure/rule/disable",
+                "alerting:.es-query/infrastructure/rule/muteAll",
+                "alerting:.es-query/infrastructure/rule/unmuteAll",
+                "alerting:.es-query/infrastructure/rule/muteAlert",
+                "alerting:.es-query/infrastructure/rule/unmuteAlert",
+                "alerting:.es-query/infrastructure/rule/snooze",
+                "alerting:.es-query/infrastructure/rule/bulkEdit",
+                "alerting:.es-query/infrastructure/rule/bulkDelete",
+                "alerting:.es-query/infrastructure/rule/bulkEnable",
+                "alerting:.es-query/infrastructure/rule/bulkDisable",
+                "alerting:.es-query/infrastructure/rule/unsnooze",
+                "alerting:.es-query/infrastructure/rule/runSoon",
+                "alerting:.es-query/infrastructure/rule/scheduleBackfill",
+                "alerting:.es-query/infrastructure/rule/deleteBackfill",
+                "alerting:.es-query/alerts/rule/get",
+                "alerting:.es-query/alerts/rule/getRuleState",
+                "alerting:.es-query/alerts/rule/getAlertSummary",
+                "alerting:.es-query/alerts/rule/getExecutionLog",
+                "alerting:.es-query/alerts/rule/getActionErrorLog",
+                "alerting:.es-query/alerts/rule/find",
+                "alerting:.es-query/alerts/rule/getRuleExecutionKPI",
+                "alerting:.es-query/alerts/rule/getBackfill",
+                "alerting:.es-query/alerts/rule/findBackfill",
+                "alerting:.es-query/alerts/rule/create",
+                "alerting:.es-query/alerts/rule/delete",
+                "alerting:.es-query/alerts/rule/update",
+                "alerting:.es-query/alerts/rule/updateApiKey",
+                "alerting:.es-query/alerts/rule/enable",
+                "alerting:.es-query/alerts/rule/disable",
+                "alerting:.es-query/alerts/rule/muteAll",
+                "alerting:.es-query/alerts/rule/unmuteAll",
+                "alerting:.es-query/alerts/rule/muteAlert",
+                "alerting:.es-query/alerts/rule/unmuteAlert",
+                "alerting:.es-query/alerts/rule/snooze",
+                "alerting:.es-query/alerts/rule/bulkEdit",
+                "alerting:.es-query/alerts/rule/bulkDelete",
+                "alerting:.es-query/alerts/rule/bulkEnable",
+                "alerting:.es-query/alerts/rule/bulkDisable",
+                "alerting:.es-query/alerts/rule/unsnooze",
+                "alerting:.es-query/alerts/rule/runSoon",
+                "alerting:.es-query/alerts/rule/scheduleBackfill",
+                "alerting:.es-query/alerts/rule/deleteBackfill",
                 "alerting:observability.rules.custom_threshold/infrastructure/rule/get",
                 "alerting:observability.rules.custom_threshold/infrastructure/rule/getRuleState",
                 "alerting:observability.rules.custom_threshold/infrastructure/rule/getAlertSummary",
@@ -6657,6 +9904,53 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:observability.rules.custom_threshold/infrastructure/rule/getRuleExecutionKPI",
                 "alerting:observability.rules.custom_threshold/infrastructure/rule/getBackfill",
                 "alerting:observability.rules.custom_threshold/infrastructure/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/create",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/delete",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/update",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/updateApiKey",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/enable",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/disable",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/muteAll",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/unmuteAll",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/muteAlert",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/unmuteAlert",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/snooze",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/bulkEdit",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/bulkDelete",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/bulkEnable",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/bulkDisable",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/unsnooze",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/runSoon",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/scheduleBackfill",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/deleteBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/get",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/find",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/create",
+                "alerting:observability.rules.custom_threshold/alerts/rule/delete",
+                "alerting:observability.rules.custom_threshold/alerts/rule/update",
+                "alerting:observability.rules.custom_threshold/alerts/rule/updateApiKey",
+                "alerting:observability.rules.custom_threshold/alerts/rule/enable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/disable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/muteAll",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unmuteAll",
+                "alerting:observability.rules.custom_threshold/alerts/rule/muteAlert",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unmuteAlert",
+                "alerting:observability.rules.custom_threshold/alerts/rule/snooze",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkEdit",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkDelete",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkEnable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkDisable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unsnooze",
+                "alerting:observability.rules.custom_threshold/alerts/rule/runSoon",
+                "alerting:observability.rules.custom_threshold/alerts/rule/scheduleBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/deleteBackfill",
                 "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/get",
                 "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getRuleState",
                 "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getAlertSummary",
@@ -6666,26 +9960,103 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getRuleExecutionKPI",
                 "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getBackfill",
                 "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/deleteBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/deleteBackfill",
                 "alerting:metrics.alert.threshold/infrastructure/alert/get",
                 "alerting:metrics.alert.threshold/infrastructure/alert/find",
                 "alerting:metrics.alert.threshold/infrastructure/alert/getAuthorizedAlertsIndices",
                 "alerting:metrics.alert.threshold/infrastructure/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/infrastructure/alert/update",
+                "alerting:metrics.alert.threshold/alerts/alert/get",
+                "alerting:metrics.alert.threshold/alerts/alert/find",
+                "alerting:metrics.alert.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/alert/update",
                 "alerting:metrics.alert.inventory.threshold/infrastructure/alert/get",
                 "alerting:metrics.alert.inventory.threshold/infrastructure/alert/find",
                 "alerting:metrics.alert.inventory.threshold/infrastructure/alert/getAuthorizedAlertsIndices",
                 "alerting:metrics.alert.inventory.threshold/infrastructure/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/alert/update",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/update",
                 "alerting:.es-query/infrastructure/alert/get",
                 "alerting:.es-query/infrastructure/alert/find",
                 "alerting:.es-query/infrastructure/alert/getAuthorizedAlertsIndices",
                 "alerting:.es-query/infrastructure/alert/getAlertSummary",
+                "alerting:.es-query/infrastructure/alert/update",
+                "alerting:.es-query/alerts/alert/get",
+                "alerting:.es-query/alerts/alert/find",
+                "alerting:.es-query/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/alerts/alert/getAlertSummary",
+                "alerting:.es-query/alerts/alert/update",
                 "alerting:observability.rules.custom_threshold/infrastructure/alert/get",
                 "alerting:observability.rules.custom_threshold/infrastructure/alert/find",
                 "alerting:observability.rules.custom_threshold/infrastructure/alert/getAuthorizedAlertsIndices",
                 "alerting:observability.rules.custom_threshold/infrastructure/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/infrastructure/alert/update",
+                "alerting:observability.rules.custom_threshold/alerts/alert/get",
+                "alerting:observability.rules.custom_threshold/alerts/alert/find",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/alert/update",
                 "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/get",
                 "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/find",
                 "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/update",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/update",
                 "app:logs",
                 "app:observability-logs-explorer",
                 "ui:catalogue/infralogging",
@@ -6697,7 +10068,16 @@ export default function ({ getService }: FtrProviderContext) {
                 "saved_object:infrastructure-monitoring-log-view/find",
                 "saved_object:infrastructure-monitoring-log-view/open_point_in_time",
                 "saved_object:infrastructure-monitoring-log-view/close_point_in_time",
+                "saved_object:infrastructure-monitoring-log-view/create",
+                "saved_object:infrastructure-monitoring-log-view/bulk_create",
+                "saved_object:infrastructure-monitoring-log-view/update",
+                "saved_object:infrastructure-monitoring-log-view/bulk_update",
+                "saved_object:infrastructure-monitoring-log-view/delete",
+                "saved_object:infrastructure-monitoring-log-view/bulk_delete",
+                "saved_object:infrastructure-monitoring-log-view/share_to_space",
                 "ui:logs/show",
+                "ui:logs/configureSource",
+                "ui:logs/save",
                 "alerting:logs.alert.document.count/logs/rule/get",
                 "alerting:logs.alert.document.count/logs/rule/getRuleState",
                 "alerting:logs.alert.document.count/logs/rule/getAlertSummary",
@@ -6707,6 +10087,53 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:logs.alert.document.count/logs/rule/getRuleExecutionKPI",
                 "alerting:logs.alert.document.count/logs/rule/getBackfill",
                 "alerting:logs.alert.document.count/logs/rule/findBackfill",
+                "alerting:logs.alert.document.count/logs/rule/create",
+                "alerting:logs.alert.document.count/logs/rule/delete",
+                "alerting:logs.alert.document.count/logs/rule/update",
+                "alerting:logs.alert.document.count/logs/rule/updateApiKey",
+                "alerting:logs.alert.document.count/logs/rule/enable",
+                "alerting:logs.alert.document.count/logs/rule/disable",
+                "alerting:logs.alert.document.count/logs/rule/muteAll",
+                "alerting:logs.alert.document.count/logs/rule/unmuteAll",
+                "alerting:logs.alert.document.count/logs/rule/muteAlert",
+                "alerting:logs.alert.document.count/logs/rule/unmuteAlert",
+                "alerting:logs.alert.document.count/logs/rule/snooze",
+                "alerting:logs.alert.document.count/logs/rule/bulkEdit",
+                "alerting:logs.alert.document.count/logs/rule/bulkDelete",
+                "alerting:logs.alert.document.count/logs/rule/bulkEnable",
+                "alerting:logs.alert.document.count/logs/rule/bulkDisable",
+                "alerting:logs.alert.document.count/logs/rule/unsnooze",
+                "alerting:logs.alert.document.count/logs/rule/runSoon",
+                "alerting:logs.alert.document.count/logs/rule/scheduleBackfill",
+                "alerting:logs.alert.document.count/logs/rule/deleteBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/get",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleState",
+                "alerting:logs.alert.document.count/alerts/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/alerts/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/alerts/rule/find",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/alerts/rule/getBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/findBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/create",
+                "alerting:logs.alert.document.count/alerts/rule/delete",
+                "alerting:logs.alert.document.count/alerts/rule/update",
+                "alerting:logs.alert.document.count/alerts/rule/updateApiKey",
+                "alerting:logs.alert.document.count/alerts/rule/enable",
+                "alerting:logs.alert.document.count/alerts/rule/disable",
+                "alerting:logs.alert.document.count/alerts/rule/muteAll",
+                "alerting:logs.alert.document.count/alerts/rule/unmuteAll",
+                "alerting:logs.alert.document.count/alerts/rule/muteAlert",
+                "alerting:logs.alert.document.count/alerts/rule/unmuteAlert",
+                "alerting:logs.alert.document.count/alerts/rule/snooze",
+                "alerting:logs.alert.document.count/alerts/rule/bulkEdit",
+                "alerting:logs.alert.document.count/alerts/rule/bulkDelete",
+                "alerting:logs.alert.document.count/alerts/rule/bulkEnable",
+                "alerting:logs.alert.document.count/alerts/rule/bulkDisable",
+                "alerting:logs.alert.document.count/alerts/rule/unsnooze",
+                "alerting:logs.alert.document.count/alerts/rule/runSoon",
+                "alerting:logs.alert.document.count/alerts/rule/scheduleBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/deleteBackfill",
                 "alerting:.es-query/logs/rule/get",
                 "alerting:.es-query/logs/rule/getRuleState",
                 "alerting:.es-query/logs/rule/getAlertSummary",
@@ -6716,6 +10143,25 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:.es-query/logs/rule/getRuleExecutionKPI",
                 "alerting:.es-query/logs/rule/getBackfill",
                 "alerting:.es-query/logs/rule/findBackfill",
+                "alerting:.es-query/logs/rule/create",
+                "alerting:.es-query/logs/rule/delete",
+                "alerting:.es-query/logs/rule/update",
+                "alerting:.es-query/logs/rule/updateApiKey",
+                "alerting:.es-query/logs/rule/enable",
+                "alerting:.es-query/logs/rule/disable",
+                "alerting:.es-query/logs/rule/muteAll",
+                "alerting:.es-query/logs/rule/unmuteAll",
+                "alerting:.es-query/logs/rule/muteAlert",
+                "alerting:.es-query/logs/rule/unmuteAlert",
+                "alerting:.es-query/logs/rule/snooze",
+                "alerting:.es-query/logs/rule/bulkEdit",
+                "alerting:.es-query/logs/rule/bulkDelete",
+                "alerting:.es-query/logs/rule/bulkEnable",
+                "alerting:.es-query/logs/rule/bulkDisable",
+                "alerting:.es-query/logs/rule/unsnooze",
+                "alerting:.es-query/logs/rule/runSoon",
+                "alerting:.es-query/logs/rule/scheduleBackfill",
+                "alerting:.es-query/logs/rule/deleteBackfill",
                 "alerting:observability.rules.custom_threshold/logs/rule/get",
                 "alerting:observability.rules.custom_threshold/logs/rule/getRuleState",
                 "alerting:observability.rules.custom_threshold/logs/rule/getAlertSummary",
@@ -6725,6 +10171,25 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:observability.rules.custom_threshold/logs/rule/getRuleExecutionKPI",
                 "alerting:observability.rules.custom_threshold/logs/rule/getBackfill",
                 "alerting:observability.rules.custom_threshold/logs/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/logs/rule/create",
+                "alerting:observability.rules.custom_threshold/logs/rule/delete",
+                "alerting:observability.rules.custom_threshold/logs/rule/update",
+                "alerting:observability.rules.custom_threshold/logs/rule/updateApiKey",
+                "alerting:observability.rules.custom_threshold/logs/rule/enable",
+                "alerting:observability.rules.custom_threshold/logs/rule/disable",
+                "alerting:observability.rules.custom_threshold/logs/rule/muteAll",
+                "alerting:observability.rules.custom_threshold/logs/rule/unmuteAll",
+                "alerting:observability.rules.custom_threshold/logs/rule/muteAlert",
+                "alerting:observability.rules.custom_threshold/logs/rule/unmuteAlert",
+                "alerting:observability.rules.custom_threshold/logs/rule/snooze",
+                "alerting:observability.rules.custom_threshold/logs/rule/bulkEdit",
+                "alerting:observability.rules.custom_threshold/logs/rule/bulkDelete",
+                "alerting:observability.rules.custom_threshold/logs/rule/bulkEnable",
+                "alerting:observability.rules.custom_threshold/logs/rule/bulkDisable",
+                "alerting:observability.rules.custom_threshold/logs/rule/unsnooze",
+                "alerting:observability.rules.custom_threshold/logs/rule/runSoon",
+                "alerting:observability.rules.custom_threshold/logs/rule/scheduleBackfill",
+                "alerting:observability.rules.custom_threshold/logs/rule/deleteBackfill",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/get",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleState",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getAlertSummary",
@@ -6734,71 +10199,55 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleExecutionKPI",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getBackfill",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/deleteBackfill",
                 "alerting:logs.alert.document.count/logs/alert/get",
                 "alerting:logs.alert.document.count/logs/alert/find",
                 "alerting:logs.alert.document.count/logs/alert/getAuthorizedAlertsIndices",
                 "alerting:logs.alert.document.count/logs/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/logs/alert/update",
+                "alerting:logs.alert.document.count/alerts/alert/get",
+                "alerting:logs.alert.document.count/alerts/alert/find",
+                "alerting:logs.alert.document.count/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/alerts/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/alert/update",
                 "alerting:.es-query/logs/alert/get",
                 "alerting:.es-query/logs/alert/find",
                 "alerting:.es-query/logs/alert/getAuthorizedAlertsIndices",
                 "alerting:.es-query/logs/alert/getAlertSummary",
+                "alerting:.es-query/logs/alert/update",
                 "alerting:observability.rules.custom_threshold/logs/alert/get",
                 "alerting:observability.rules.custom_threshold/logs/alert/find",
                 "alerting:observability.rules.custom_threshold/logs/alert/getAuthorizedAlertsIndices",
                 "alerting:observability.rules.custom_threshold/logs/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/logs/alert/update",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/alert/get",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/alert/find",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/update",
                 "app:observability",
                 "ui:catalogue/observability",
                 "ui:navLinks/observability",
                 "ui:observability/read",
-                "alerting:slo.rules.burnRate/observability/rule/get",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
-                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
-                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
-                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
-                "alerting:slo.rules.burnRate/observability/rule/find",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
-                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/get",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
-                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/find",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
-                "alerting:.es-query/observability/rule/get",
-                "alerting:.es-query/observability/rule/getRuleState",
-                "alerting:.es-query/observability/rule/getAlertSummary",
-                "alerting:.es-query/observability/rule/getExecutionLog",
-                "alerting:.es-query/observability/rule/getActionErrorLog",
-                "alerting:.es-query/observability/rule/find",
-                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
-                "alerting:.es-query/observability/rule/getBackfill",
-                "alerting:.es-query/observability/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
+                "ui:observability/write",
                 "alerting:apm.error_rate/observability/rule/get",
                 "alerting:apm.error_rate/observability/rule/getRuleState",
                 "alerting:apm.error_rate/observability/rule/getAlertSummary",
@@ -6808,6 +10257,53 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.error_rate/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.error_rate/observability/rule/getBackfill",
                 "alerting:apm.error_rate/observability/rule/findBackfill",
+                "alerting:apm.error_rate/observability/rule/create",
+                "alerting:apm.error_rate/observability/rule/delete",
+                "alerting:apm.error_rate/observability/rule/update",
+                "alerting:apm.error_rate/observability/rule/updateApiKey",
+                "alerting:apm.error_rate/observability/rule/enable",
+                "alerting:apm.error_rate/observability/rule/disable",
+                "alerting:apm.error_rate/observability/rule/muteAll",
+                "alerting:apm.error_rate/observability/rule/unmuteAll",
+                "alerting:apm.error_rate/observability/rule/muteAlert",
+                "alerting:apm.error_rate/observability/rule/unmuteAlert",
+                "alerting:apm.error_rate/observability/rule/snooze",
+                "alerting:apm.error_rate/observability/rule/bulkEdit",
+                "alerting:apm.error_rate/observability/rule/bulkDelete",
+                "alerting:apm.error_rate/observability/rule/bulkEnable",
+                "alerting:apm.error_rate/observability/rule/bulkDisable",
+                "alerting:apm.error_rate/observability/rule/unsnooze",
+                "alerting:apm.error_rate/observability/rule/runSoon",
+                "alerting:apm.error_rate/observability/rule/scheduleBackfill",
+                "alerting:apm.error_rate/observability/rule/deleteBackfill",
+                "alerting:apm.error_rate/alerts/rule/get",
+                "alerting:apm.error_rate/alerts/rule/getRuleState",
+                "alerting:apm.error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.error_rate/alerts/rule/find",
+                "alerting:apm.error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/alerts/rule/getBackfill",
+                "alerting:apm.error_rate/alerts/rule/findBackfill",
+                "alerting:apm.error_rate/alerts/rule/create",
+                "alerting:apm.error_rate/alerts/rule/delete",
+                "alerting:apm.error_rate/alerts/rule/update",
+                "alerting:apm.error_rate/alerts/rule/updateApiKey",
+                "alerting:apm.error_rate/alerts/rule/enable",
+                "alerting:apm.error_rate/alerts/rule/disable",
+                "alerting:apm.error_rate/alerts/rule/muteAll",
+                "alerting:apm.error_rate/alerts/rule/unmuteAll",
+                "alerting:apm.error_rate/alerts/rule/muteAlert",
+                "alerting:apm.error_rate/alerts/rule/unmuteAlert",
+                "alerting:apm.error_rate/alerts/rule/snooze",
+                "alerting:apm.error_rate/alerts/rule/bulkEdit",
+                "alerting:apm.error_rate/alerts/rule/bulkDelete",
+                "alerting:apm.error_rate/alerts/rule/bulkEnable",
+                "alerting:apm.error_rate/alerts/rule/bulkDisable",
+                "alerting:apm.error_rate/alerts/rule/unsnooze",
+                "alerting:apm.error_rate/alerts/rule/runSoon",
+                "alerting:apm.error_rate/alerts/rule/scheduleBackfill",
+                "alerting:apm.error_rate/alerts/rule/deleteBackfill",
                 "alerting:apm.transaction_error_rate/observability/rule/get",
                 "alerting:apm.transaction_error_rate/observability/rule/getRuleState",
                 "alerting:apm.transaction_error_rate/observability/rule/getAlertSummary",
@@ -6817,6 +10313,53 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.transaction_error_rate/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.transaction_error_rate/observability/rule/getBackfill",
                 "alerting:apm.transaction_error_rate/observability/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/observability/rule/create",
+                "alerting:apm.transaction_error_rate/observability/rule/delete",
+                "alerting:apm.transaction_error_rate/observability/rule/update",
+                "alerting:apm.transaction_error_rate/observability/rule/updateApiKey",
+                "alerting:apm.transaction_error_rate/observability/rule/enable",
+                "alerting:apm.transaction_error_rate/observability/rule/disable",
+                "alerting:apm.transaction_error_rate/observability/rule/muteAll",
+                "alerting:apm.transaction_error_rate/observability/rule/unmuteAll",
+                "alerting:apm.transaction_error_rate/observability/rule/muteAlert",
+                "alerting:apm.transaction_error_rate/observability/rule/unmuteAlert",
+                "alerting:apm.transaction_error_rate/observability/rule/snooze",
+                "alerting:apm.transaction_error_rate/observability/rule/bulkEdit",
+                "alerting:apm.transaction_error_rate/observability/rule/bulkDelete",
+                "alerting:apm.transaction_error_rate/observability/rule/bulkEnable",
+                "alerting:apm.transaction_error_rate/observability/rule/bulkDisable",
+                "alerting:apm.transaction_error_rate/observability/rule/unsnooze",
+                "alerting:apm.transaction_error_rate/observability/rule/runSoon",
+                "alerting:apm.transaction_error_rate/observability/rule/scheduleBackfill",
+                "alerting:apm.transaction_error_rate/observability/rule/deleteBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/get",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/find",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/alerts/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/create",
+                "alerting:apm.transaction_error_rate/alerts/rule/delete",
+                "alerting:apm.transaction_error_rate/alerts/rule/update",
+                "alerting:apm.transaction_error_rate/alerts/rule/updateApiKey",
+                "alerting:apm.transaction_error_rate/alerts/rule/enable",
+                "alerting:apm.transaction_error_rate/alerts/rule/disable",
+                "alerting:apm.transaction_error_rate/alerts/rule/muteAll",
+                "alerting:apm.transaction_error_rate/alerts/rule/unmuteAll",
+                "alerting:apm.transaction_error_rate/alerts/rule/muteAlert",
+                "alerting:apm.transaction_error_rate/alerts/rule/unmuteAlert",
+                "alerting:apm.transaction_error_rate/alerts/rule/snooze",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkEdit",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkDelete",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkEnable",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkDisable",
+                "alerting:apm.transaction_error_rate/alerts/rule/unsnooze",
+                "alerting:apm.transaction_error_rate/alerts/rule/runSoon",
+                "alerting:apm.transaction_error_rate/alerts/rule/scheduleBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/deleteBackfill",
                 "alerting:apm.transaction_duration/observability/rule/get",
                 "alerting:apm.transaction_duration/observability/rule/getRuleState",
                 "alerting:apm.transaction_duration/observability/rule/getAlertSummary",
@@ -6826,6 +10369,53 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.transaction_duration/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.transaction_duration/observability/rule/getBackfill",
                 "alerting:apm.transaction_duration/observability/rule/findBackfill",
+                "alerting:apm.transaction_duration/observability/rule/create",
+                "alerting:apm.transaction_duration/observability/rule/delete",
+                "alerting:apm.transaction_duration/observability/rule/update",
+                "alerting:apm.transaction_duration/observability/rule/updateApiKey",
+                "alerting:apm.transaction_duration/observability/rule/enable",
+                "alerting:apm.transaction_duration/observability/rule/disable",
+                "alerting:apm.transaction_duration/observability/rule/muteAll",
+                "alerting:apm.transaction_duration/observability/rule/unmuteAll",
+                "alerting:apm.transaction_duration/observability/rule/muteAlert",
+                "alerting:apm.transaction_duration/observability/rule/unmuteAlert",
+                "alerting:apm.transaction_duration/observability/rule/snooze",
+                "alerting:apm.transaction_duration/observability/rule/bulkEdit",
+                "alerting:apm.transaction_duration/observability/rule/bulkDelete",
+                "alerting:apm.transaction_duration/observability/rule/bulkEnable",
+                "alerting:apm.transaction_duration/observability/rule/bulkDisable",
+                "alerting:apm.transaction_duration/observability/rule/unsnooze",
+                "alerting:apm.transaction_duration/observability/rule/runSoon",
+                "alerting:apm.transaction_duration/observability/rule/scheduleBackfill",
+                "alerting:apm.transaction_duration/observability/rule/deleteBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/get",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleState",
+                "alerting:apm.transaction_duration/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/alerts/rule/find",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/alerts/rule/getBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/findBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/create",
+                "alerting:apm.transaction_duration/alerts/rule/delete",
+                "alerting:apm.transaction_duration/alerts/rule/update",
+                "alerting:apm.transaction_duration/alerts/rule/updateApiKey",
+                "alerting:apm.transaction_duration/alerts/rule/enable",
+                "alerting:apm.transaction_duration/alerts/rule/disable",
+                "alerting:apm.transaction_duration/alerts/rule/muteAll",
+                "alerting:apm.transaction_duration/alerts/rule/unmuteAll",
+                "alerting:apm.transaction_duration/alerts/rule/muteAlert",
+                "alerting:apm.transaction_duration/alerts/rule/unmuteAlert",
+                "alerting:apm.transaction_duration/alerts/rule/snooze",
+                "alerting:apm.transaction_duration/alerts/rule/bulkEdit",
+                "alerting:apm.transaction_duration/alerts/rule/bulkDelete",
+                "alerting:apm.transaction_duration/alerts/rule/bulkEnable",
+                "alerting:apm.transaction_duration/alerts/rule/bulkDisable",
+                "alerting:apm.transaction_duration/alerts/rule/unsnooze",
+                "alerting:apm.transaction_duration/alerts/rule/runSoon",
+                "alerting:apm.transaction_duration/alerts/rule/scheduleBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/deleteBackfill",
                 "alerting:apm.anomaly/observability/rule/get",
                 "alerting:apm.anomaly/observability/rule/getRuleState",
                 "alerting:apm.anomaly/observability/rule/getAlertSummary",
@@ -6835,6 +10425,53 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.anomaly/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.anomaly/observability/rule/getBackfill",
                 "alerting:apm.anomaly/observability/rule/findBackfill",
+                "alerting:apm.anomaly/observability/rule/create",
+                "alerting:apm.anomaly/observability/rule/delete",
+                "alerting:apm.anomaly/observability/rule/update",
+                "alerting:apm.anomaly/observability/rule/updateApiKey",
+                "alerting:apm.anomaly/observability/rule/enable",
+                "alerting:apm.anomaly/observability/rule/disable",
+                "alerting:apm.anomaly/observability/rule/muteAll",
+                "alerting:apm.anomaly/observability/rule/unmuteAll",
+                "alerting:apm.anomaly/observability/rule/muteAlert",
+                "alerting:apm.anomaly/observability/rule/unmuteAlert",
+                "alerting:apm.anomaly/observability/rule/snooze",
+                "alerting:apm.anomaly/observability/rule/bulkEdit",
+                "alerting:apm.anomaly/observability/rule/bulkDelete",
+                "alerting:apm.anomaly/observability/rule/bulkEnable",
+                "alerting:apm.anomaly/observability/rule/bulkDisable",
+                "alerting:apm.anomaly/observability/rule/unsnooze",
+                "alerting:apm.anomaly/observability/rule/runSoon",
+                "alerting:apm.anomaly/observability/rule/scheduleBackfill",
+                "alerting:apm.anomaly/observability/rule/deleteBackfill",
+                "alerting:apm.anomaly/alerts/rule/get",
+                "alerting:apm.anomaly/alerts/rule/getRuleState",
+                "alerting:apm.anomaly/alerts/rule/getAlertSummary",
+                "alerting:apm.anomaly/alerts/rule/getExecutionLog",
+                "alerting:apm.anomaly/alerts/rule/getActionErrorLog",
+                "alerting:apm.anomaly/alerts/rule/find",
+                "alerting:apm.anomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/alerts/rule/getBackfill",
+                "alerting:apm.anomaly/alerts/rule/findBackfill",
+                "alerting:apm.anomaly/alerts/rule/create",
+                "alerting:apm.anomaly/alerts/rule/delete",
+                "alerting:apm.anomaly/alerts/rule/update",
+                "alerting:apm.anomaly/alerts/rule/updateApiKey",
+                "alerting:apm.anomaly/alerts/rule/enable",
+                "alerting:apm.anomaly/alerts/rule/disable",
+                "alerting:apm.anomaly/alerts/rule/muteAll",
+                "alerting:apm.anomaly/alerts/rule/unmuteAll",
+                "alerting:apm.anomaly/alerts/rule/muteAlert",
+                "alerting:apm.anomaly/alerts/rule/unmuteAlert",
+                "alerting:apm.anomaly/alerts/rule/snooze",
+                "alerting:apm.anomaly/alerts/rule/bulkEdit",
+                "alerting:apm.anomaly/alerts/rule/bulkDelete",
+                "alerting:apm.anomaly/alerts/rule/bulkEnable",
+                "alerting:apm.anomaly/alerts/rule/bulkDisable",
+                "alerting:apm.anomaly/alerts/rule/unsnooze",
+                "alerting:apm.anomaly/alerts/rule/runSoon",
+                "alerting:apm.anomaly/alerts/rule/scheduleBackfill",
+                "alerting:apm.anomaly/alerts/rule/deleteBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getAlertSummary",
@@ -6844,6 +10481,53 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/create",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/delete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/enable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/disable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/snooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/deleteBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/create",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/delete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/enable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/disable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/snooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/deleteBackfill",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/get",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getAlertSummary",
@@ -6853,52 +10537,643 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleExecutionKPI",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getBackfill",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/findBackfill",
-                "alerting:slo.rules.burnRate/observability/alert/get",
-                "alerting:slo.rules.burnRate/observability/alert/find",
-                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/alert/get",
-                "alerting:observability.rules.custom_threshold/observability/alert/find",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
-                "alerting:.es-query/observability/alert/get",
-                "alerting:.es-query/observability/alert/find",
-                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/observability/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/create",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/delete",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/update",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/enable",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/disable",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/snooze",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/deleteBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/create",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/delete",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/update",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/enable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/disable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/snooze",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/deleteBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/get",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/observability/rule/find",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/create",
+                "alerting:metrics.alert.threshold/observability/rule/delete",
+                "alerting:metrics.alert.threshold/observability/rule/update",
+                "alerting:metrics.alert.threshold/observability/rule/updateApiKey",
+                "alerting:metrics.alert.threshold/observability/rule/enable",
+                "alerting:metrics.alert.threshold/observability/rule/disable",
+                "alerting:metrics.alert.threshold/observability/rule/muteAll",
+                "alerting:metrics.alert.threshold/observability/rule/unmuteAll",
+                "alerting:metrics.alert.threshold/observability/rule/muteAlert",
+                "alerting:metrics.alert.threshold/observability/rule/unmuteAlert",
+                "alerting:metrics.alert.threshold/observability/rule/snooze",
+                "alerting:metrics.alert.threshold/observability/rule/bulkEdit",
+                "alerting:metrics.alert.threshold/observability/rule/bulkDelete",
+                "alerting:metrics.alert.threshold/observability/rule/bulkEnable",
+                "alerting:metrics.alert.threshold/observability/rule/bulkDisable",
+                "alerting:metrics.alert.threshold/observability/rule/unsnooze",
+                "alerting:metrics.alert.threshold/observability/rule/runSoon",
+                "alerting:metrics.alert.threshold/observability/rule/scheduleBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/deleteBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/create",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/delete",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/update",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/updateApiKey",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/enable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/disable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAll",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAll",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAlert",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAlert",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/snooze",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEdit",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDelete",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEnable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDisable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unsnooze",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/runSoon",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/scheduleBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/create",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/update",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/create",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/create",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/create",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/deleteBackfill",
+                "alerting:logs.alert.document.count/observability/rule/get",
+                "alerting:logs.alert.document.count/observability/rule/getRuleState",
+                "alerting:logs.alert.document.count/observability/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/observability/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/observability/rule/find",
+                "alerting:logs.alert.document.count/observability/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/observability/rule/getBackfill",
+                "alerting:logs.alert.document.count/observability/rule/findBackfill",
+                "alerting:logs.alert.document.count/observability/rule/create",
+                "alerting:logs.alert.document.count/observability/rule/delete",
+                "alerting:logs.alert.document.count/observability/rule/update",
+                "alerting:logs.alert.document.count/observability/rule/updateApiKey",
+                "alerting:logs.alert.document.count/observability/rule/enable",
+                "alerting:logs.alert.document.count/observability/rule/disable",
+                "alerting:logs.alert.document.count/observability/rule/muteAll",
+                "alerting:logs.alert.document.count/observability/rule/unmuteAll",
+                "alerting:logs.alert.document.count/observability/rule/muteAlert",
+                "alerting:logs.alert.document.count/observability/rule/unmuteAlert",
+                "alerting:logs.alert.document.count/observability/rule/snooze",
+                "alerting:logs.alert.document.count/observability/rule/bulkEdit",
+                "alerting:logs.alert.document.count/observability/rule/bulkDelete",
+                "alerting:logs.alert.document.count/observability/rule/bulkEnable",
+                "alerting:logs.alert.document.count/observability/rule/bulkDisable",
+                "alerting:logs.alert.document.count/observability/rule/unsnooze",
+                "alerting:logs.alert.document.count/observability/rule/runSoon",
+                "alerting:logs.alert.document.count/observability/rule/scheduleBackfill",
+                "alerting:logs.alert.document.count/observability/rule/deleteBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/get",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
+                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/observability/rule/find",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/create",
+                "alerting:slo.rules.burnRate/observability/rule/delete",
+                "alerting:slo.rules.burnRate/observability/rule/update",
+                "alerting:slo.rules.burnRate/observability/rule/updateApiKey",
+                "alerting:slo.rules.burnRate/observability/rule/enable",
+                "alerting:slo.rules.burnRate/observability/rule/disable",
+                "alerting:slo.rules.burnRate/observability/rule/muteAll",
+                "alerting:slo.rules.burnRate/observability/rule/unmuteAll",
+                "alerting:slo.rules.burnRate/observability/rule/muteAlert",
+                "alerting:slo.rules.burnRate/observability/rule/unmuteAlert",
+                "alerting:slo.rules.burnRate/observability/rule/snooze",
+                "alerting:slo.rules.burnRate/observability/rule/bulkEdit",
+                "alerting:slo.rules.burnRate/observability/rule/bulkDelete",
+                "alerting:slo.rules.burnRate/observability/rule/bulkEnable",
+                "alerting:slo.rules.burnRate/observability/rule/bulkDisable",
+                "alerting:slo.rules.burnRate/observability/rule/unsnooze",
+                "alerting:slo.rules.burnRate/observability/rule/runSoon",
+                "alerting:slo.rules.burnRate/observability/rule/scheduleBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/deleteBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/get",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleState",
+                "alerting:slo.rules.burnRate/alerts/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/alerts/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/alerts/rule/find",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/alerts/rule/getBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/findBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/create",
+                "alerting:slo.rules.burnRate/alerts/rule/delete",
+                "alerting:slo.rules.burnRate/alerts/rule/update",
+                "alerting:slo.rules.burnRate/alerts/rule/updateApiKey",
+                "alerting:slo.rules.burnRate/alerts/rule/enable",
+                "alerting:slo.rules.burnRate/alerts/rule/disable",
+                "alerting:slo.rules.burnRate/alerts/rule/muteAll",
+                "alerting:slo.rules.burnRate/alerts/rule/unmuteAll",
+                "alerting:slo.rules.burnRate/alerts/rule/muteAlert",
+                "alerting:slo.rules.burnRate/alerts/rule/unmuteAlert",
+                "alerting:slo.rules.burnRate/alerts/rule/snooze",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkEdit",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkDelete",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkEnable",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkDisable",
+                "alerting:slo.rules.burnRate/alerts/rule/unsnooze",
+                "alerting:slo.rules.burnRate/alerts/rule/runSoon",
+                "alerting:slo.rules.burnRate/alerts/rule/scheduleBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/deleteBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/get",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/find",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/create",
+                "alerting:observability.rules.custom_threshold/observability/rule/delete",
+                "alerting:observability.rules.custom_threshold/observability/rule/update",
+                "alerting:observability.rules.custom_threshold/observability/rule/updateApiKey",
+                "alerting:observability.rules.custom_threshold/observability/rule/enable",
+                "alerting:observability.rules.custom_threshold/observability/rule/disable",
+                "alerting:observability.rules.custom_threshold/observability/rule/muteAll",
+                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAll",
+                "alerting:observability.rules.custom_threshold/observability/rule/muteAlert",
+                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAlert",
+                "alerting:observability.rules.custom_threshold/observability/rule/snooze",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkEdit",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkDelete",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkEnable",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkDisable",
+                "alerting:observability.rules.custom_threshold/observability/rule/unsnooze",
+                "alerting:observability.rules.custom_threshold/observability/rule/runSoon",
+                "alerting:observability.rules.custom_threshold/observability/rule/scheduleBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/deleteBackfill",
+                "alerting:.es-query/observability/rule/get",
+                "alerting:.es-query/observability/rule/getRuleState",
+                "alerting:.es-query/observability/rule/getAlertSummary",
+                "alerting:.es-query/observability/rule/getExecutionLog",
+                "alerting:.es-query/observability/rule/getActionErrorLog",
+                "alerting:.es-query/observability/rule/find",
+                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
+                "alerting:.es-query/observability/rule/getBackfill",
+                "alerting:.es-query/observability/rule/findBackfill",
+                "alerting:.es-query/observability/rule/create",
+                "alerting:.es-query/observability/rule/delete",
+                "alerting:.es-query/observability/rule/update",
+                "alerting:.es-query/observability/rule/updateApiKey",
+                "alerting:.es-query/observability/rule/enable",
+                "alerting:.es-query/observability/rule/disable",
+                "alerting:.es-query/observability/rule/muteAll",
+                "alerting:.es-query/observability/rule/unmuteAll",
+                "alerting:.es-query/observability/rule/muteAlert",
+                "alerting:.es-query/observability/rule/unmuteAlert",
+                "alerting:.es-query/observability/rule/snooze",
+                "alerting:.es-query/observability/rule/bulkEdit",
+                "alerting:.es-query/observability/rule/bulkDelete",
+                "alerting:.es-query/observability/rule/bulkEnable",
+                "alerting:.es-query/observability/rule/bulkDisable",
+                "alerting:.es-query/observability/rule/unsnooze",
+                "alerting:.es-query/observability/rule/runSoon",
+                "alerting:.es-query/observability/rule/scheduleBackfill",
+                "alerting:.es-query/observability/rule/deleteBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/deleteBackfill",
                 "alerting:apm.error_rate/observability/alert/get",
                 "alerting:apm.error_rate/observability/alert/find",
                 "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.error_rate/observability/alert/update",
+                "alerting:apm.error_rate/alerts/alert/get",
+                "alerting:apm.error_rate/alerts/alert/find",
+                "alerting:apm.error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/alerts/alert/getAlertSummary",
+                "alerting:apm.error_rate/alerts/alert/update",
                 "alerting:apm.transaction_error_rate/observability/alert/get",
                 "alerting:apm.transaction_error_rate/observability/alert/find",
                 "alerting:apm.transaction_error_rate/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/observability/alert/update",
+                "alerting:apm.transaction_error_rate/alerts/alert/get",
+                "alerting:apm.transaction_error_rate/alerts/alert/find",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/alert/update",
                 "alerting:apm.transaction_duration/observability/alert/get",
                 "alerting:apm.transaction_duration/observability/alert/find",
                 "alerting:apm.transaction_duration/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_duration/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/observability/alert/update",
+                "alerting:apm.transaction_duration/alerts/alert/get",
+                "alerting:apm.transaction_duration/alerts/alert/find",
+                "alerting:apm.transaction_duration/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/alerts/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/alert/update",
                 "alerting:apm.anomaly/observability/alert/get",
                 "alerting:apm.anomaly/observability/alert/find",
                 "alerting:apm.anomaly/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.anomaly/observability/alert/getAlertSummary",
+                "alerting:apm.anomaly/observability/alert/update",
+                "alerting:apm.anomaly/alerts/alert/get",
+                "alerting:apm.anomaly/alerts/alert/find",
+                "alerting:apm.anomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/alerts/alert/getAlertSummary",
+                "alerting:apm.anomaly/alerts/alert/update",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/update",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/get",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/find",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/update",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/update",
+                "alerting:metrics.alert.threshold/observability/alert/get",
+                "alerting:metrics.alert.threshold/observability/alert/find",
+                "alerting:metrics.alert.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/alert/update",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/update",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/update",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/update",
+                "alerting:logs.alert.document.count/observability/alert/get",
+                "alerting:logs.alert.document.count/observability/alert/find",
+                "alerting:logs.alert.document.count/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/observability/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/alert/update",
+                "alerting:slo.rules.burnRate/observability/alert/get",
+                "alerting:slo.rules.burnRate/observability/alert/find",
+                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/alert/update",
+                "alerting:slo.rules.burnRate/alerts/alert/get",
+                "alerting:slo.rules.burnRate/alerts/alert/find",
+                "alerting:slo.rules.burnRate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/alerts/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/alert/update",
+                "alerting:observability.rules.custom_threshold/observability/alert/get",
+                "alerting:observability.rules.custom_threshold/observability/alert/find",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/alert/update",
+                "alerting:.es-query/observability/alert/get",
+                "alerting:.es-query/observability/alert/find",
+                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/observability/alert/getAlertSummary",
+                "alerting:.es-query/observability/alert/update",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/update",
               ],
-              "read": Array [
+              "minimal_all": Array [
                 "login:",
                 "api:infra",
                 "api:rac",
@@ -6916,16 +11191,42 @@ export default function ({ getService }: FtrProviderContext) {
                 "saved_object:infrastructure-ui-source/find",
                 "saved_object:infrastructure-ui-source/open_point_in_time",
                 "saved_object:infrastructure-ui-source/close_point_in_time",
-                "saved_object:index-pattern/bulk_get",
-                "saved_object:index-pattern/get",
-                "saved_object:index-pattern/find",
-                "saved_object:index-pattern/open_point_in_time",
-                "saved_object:index-pattern/close_point_in_time",
+                "saved_object:infrastructure-ui-source/create",
+                "saved_object:infrastructure-ui-source/bulk_create",
+                "saved_object:infrastructure-ui-source/update",
+                "saved_object:infrastructure-ui-source/bulk_update",
+                "saved_object:infrastructure-ui-source/delete",
+                "saved_object:infrastructure-ui-source/bulk_delete",
+                "saved_object:infrastructure-ui-source/share_to_space",
                 "saved_object:metrics-data-source/bulk_get",
                 "saved_object:metrics-data-source/get",
                 "saved_object:metrics-data-source/find",
                 "saved_object:metrics-data-source/open_point_in_time",
                 "saved_object:metrics-data-source/close_point_in_time",
+                "saved_object:metrics-data-source/create",
+                "saved_object:metrics-data-source/bulk_create",
+                "saved_object:metrics-data-source/update",
+                "saved_object:metrics-data-source/bulk_update",
+                "saved_object:metrics-data-source/delete",
+                "saved_object:metrics-data-source/bulk_delete",
+                "saved_object:metrics-data-source/share_to_space",
+                "saved_object:telemetry/bulk_get",
+                "saved_object:telemetry/get",
+                "saved_object:telemetry/find",
+                "saved_object:telemetry/open_point_in_time",
+                "saved_object:telemetry/close_point_in_time",
+                "saved_object:telemetry/create",
+                "saved_object:telemetry/bulk_create",
+                "saved_object:telemetry/update",
+                "saved_object:telemetry/bulk_update",
+                "saved_object:telemetry/delete",
+                "saved_object:telemetry/bulk_delete",
+                "saved_object:telemetry/share_to_space",
+                "saved_object:index-pattern/bulk_get",
+                "saved_object:index-pattern/get",
+                "saved_object:index-pattern/find",
+                "saved_object:index-pattern/open_point_in_time",
+                "saved_object:index-pattern/close_point_in_time",
                 "saved_object:config/bulk_get",
                 "saved_object:config/get",
                 "saved_object:config/find",
@@ -6936,17 +11237,14 @@ export default function ({ getService }: FtrProviderContext) {
                 "saved_object:config-global/find",
                 "saved_object:config-global/open_point_in_time",
                 "saved_object:config-global/close_point_in_time",
-                "saved_object:telemetry/bulk_get",
-                "saved_object:telemetry/get",
-                "saved_object:telemetry/find",
-                "saved_object:telemetry/open_point_in_time",
-                "saved_object:telemetry/close_point_in_time",
                 "saved_object:url/bulk_get",
                 "saved_object:url/get",
                 "saved_object:url/find",
                 "saved_object:url/open_point_in_time",
                 "saved_object:url/close_point_in_time",
                 "ui:infrastructure/show",
+                "ui:infrastructure/configureSource",
+                "ui:infrastructure/save",
                 "alerting:metrics.alert.threshold/infrastructure/rule/get",
                 "alerting:metrics.alert.threshold/infrastructure/rule/getRuleState",
                 "alerting:metrics.alert.threshold/infrastructure/rule/getAlertSummary",
@@ -6956,6 +11254,53 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:metrics.alert.threshold/infrastructure/rule/getRuleExecutionKPI",
                 "alerting:metrics.alert.threshold/infrastructure/rule/getBackfill",
                 "alerting:metrics.alert.threshold/infrastructure/rule/findBackfill",
+                "alerting:metrics.alert.threshold/infrastructure/rule/create",
+                "alerting:metrics.alert.threshold/infrastructure/rule/delete",
+                "alerting:metrics.alert.threshold/infrastructure/rule/update",
+                "alerting:metrics.alert.threshold/infrastructure/rule/updateApiKey",
+                "alerting:metrics.alert.threshold/infrastructure/rule/enable",
+                "alerting:metrics.alert.threshold/infrastructure/rule/disable",
+                "alerting:metrics.alert.threshold/infrastructure/rule/muteAll",
+                "alerting:metrics.alert.threshold/infrastructure/rule/unmuteAll",
+                "alerting:metrics.alert.threshold/infrastructure/rule/muteAlert",
+                "alerting:metrics.alert.threshold/infrastructure/rule/unmuteAlert",
+                "alerting:metrics.alert.threshold/infrastructure/rule/snooze",
+                "alerting:metrics.alert.threshold/infrastructure/rule/bulkEdit",
+                "alerting:metrics.alert.threshold/infrastructure/rule/bulkDelete",
+                "alerting:metrics.alert.threshold/infrastructure/rule/bulkEnable",
+                "alerting:metrics.alert.threshold/infrastructure/rule/bulkDisable",
+                "alerting:metrics.alert.threshold/infrastructure/rule/unsnooze",
+                "alerting:metrics.alert.threshold/infrastructure/rule/runSoon",
+                "alerting:metrics.alert.threshold/infrastructure/rule/scheduleBackfill",
+                "alerting:metrics.alert.threshold/infrastructure/rule/deleteBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/get",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/alerts/rule/find",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/create",
+                "alerting:metrics.alert.threshold/alerts/rule/delete",
+                "alerting:metrics.alert.threshold/alerts/rule/update",
+                "alerting:metrics.alert.threshold/alerts/rule/updateApiKey",
+                "alerting:metrics.alert.threshold/alerts/rule/enable",
+                "alerting:metrics.alert.threshold/alerts/rule/disable",
+                "alerting:metrics.alert.threshold/alerts/rule/muteAll",
+                "alerting:metrics.alert.threshold/alerts/rule/unmuteAll",
+                "alerting:metrics.alert.threshold/alerts/rule/muteAlert",
+                "alerting:metrics.alert.threshold/alerts/rule/unmuteAlert",
+                "alerting:metrics.alert.threshold/alerts/rule/snooze",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkEdit",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkDelete",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkEnable",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkDisable",
+                "alerting:metrics.alert.threshold/alerts/rule/unsnooze",
+                "alerting:metrics.alert.threshold/alerts/rule/runSoon",
+                "alerting:metrics.alert.threshold/alerts/rule/scheduleBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/deleteBackfill",
                 "alerting:metrics.alert.inventory.threshold/infrastructure/rule/get",
                 "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getRuleState",
                 "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getAlertSummary",
@@ -6965,6 +11310,53 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getRuleExecutionKPI",
                 "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getBackfill",
                 "alerting:metrics.alert.inventory.threshold/infrastructure/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/create",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/delete",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/update",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/updateApiKey",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/enable",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/disable",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/muteAll",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/unmuteAll",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/muteAlert",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/unmuteAlert",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/snooze",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/bulkEdit",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/bulkDelete",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/bulkEnable",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/bulkDisable",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/unsnooze",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/runSoon",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/scheduleBackfill",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/deleteBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/create",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/delete",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/update",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/updateApiKey",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/enable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/disable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/muteAll",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unmuteAll",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/muteAlert",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unmuteAlert",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/snooze",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkEdit",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkDelete",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkEnable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkDisable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unsnooze",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/runSoon",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/scheduleBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/deleteBackfill",
                 "alerting:.es-query/infrastructure/rule/get",
                 "alerting:.es-query/infrastructure/rule/getRuleState",
                 "alerting:.es-query/infrastructure/rule/getAlertSummary",
@@ -6974,6 +11366,53 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:.es-query/infrastructure/rule/getRuleExecutionKPI",
                 "alerting:.es-query/infrastructure/rule/getBackfill",
                 "alerting:.es-query/infrastructure/rule/findBackfill",
+                "alerting:.es-query/infrastructure/rule/create",
+                "alerting:.es-query/infrastructure/rule/delete",
+                "alerting:.es-query/infrastructure/rule/update",
+                "alerting:.es-query/infrastructure/rule/updateApiKey",
+                "alerting:.es-query/infrastructure/rule/enable",
+                "alerting:.es-query/infrastructure/rule/disable",
+                "alerting:.es-query/infrastructure/rule/muteAll",
+                "alerting:.es-query/infrastructure/rule/unmuteAll",
+                "alerting:.es-query/infrastructure/rule/muteAlert",
+                "alerting:.es-query/infrastructure/rule/unmuteAlert",
+                "alerting:.es-query/infrastructure/rule/snooze",
+                "alerting:.es-query/infrastructure/rule/bulkEdit",
+                "alerting:.es-query/infrastructure/rule/bulkDelete",
+                "alerting:.es-query/infrastructure/rule/bulkEnable",
+                "alerting:.es-query/infrastructure/rule/bulkDisable",
+                "alerting:.es-query/infrastructure/rule/unsnooze",
+                "alerting:.es-query/infrastructure/rule/runSoon",
+                "alerting:.es-query/infrastructure/rule/scheduleBackfill",
+                "alerting:.es-query/infrastructure/rule/deleteBackfill",
+                "alerting:.es-query/alerts/rule/get",
+                "alerting:.es-query/alerts/rule/getRuleState",
+                "alerting:.es-query/alerts/rule/getAlertSummary",
+                "alerting:.es-query/alerts/rule/getExecutionLog",
+                "alerting:.es-query/alerts/rule/getActionErrorLog",
+                "alerting:.es-query/alerts/rule/find",
+                "alerting:.es-query/alerts/rule/getRuleExecutionKPI",
+                "alerting:.es-query/alerts/rule/getBackfill",
+                "alerting:.es-query/alerts/rule/findBackfill",
+                "alerting:.es-query/alerts/rule/create",
+                "alerting:.es-query/alerts/rule/delete",
+                "alerting:.es-query/alerts/rule/update",
+                "alerting:.es-query/alerts/rule/updateApiKey",
+                "alerting:.es-query/alerts/rule/enable",
+                "alerting:.es-query/alerts/rule/disable",
+                "alerting:.es-query/alerts/rule/muteAll",
+                "alerting:.es-query/alerts/rule/unmuteAll",
+                "alerting:.es-query/alerts/rule/muteAlert",
+                "alerting:.es-query/alerts/rule/unmuteAlert",
+                "alerting:.es-query/alerts/rule/snooze",
+                "alerting:.es-query/alerts/rule/bulkEdit",
+                "alerting:.es-query/alerts/rule/bulkDelete",
+                "alerting:.es-query/alerts/rule/bulkEnable",
+                "alerting:.es-query/alerts/rule/bulkDisable",
+                "alerting:.es-query/alerts/rule/unsnooze",
+                "alerting:.es-query/alerts/rule/runSoon",
+                "alerting:.es-query/alerts/rule/scheduleBackfill",
+                "alerting:.es-query/alerts/rule/deleteBackfill",
                 "alerting:observability.rules.custom_threshold/infrastructure/rule/get",
                 "alerting:observability.rules.custom_threshold/infrastructure/rule/getRuleState",
                 "alerting:observability.rules.custom_threshold/infrastructure/rule/getAlertSummary",
@@ -6983,6 +11422,53 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:observability.rules.custom_threshold/infrastructure/rule/getRuleExecutionKPI",
                 "alerting:observability.rules.custom_threshold/infrastructure/rule/getBackfill",
                 "alerting:observability.rules.custom_threshold/infrastructure/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/create",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/delete",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/update",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/updateApiKey",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/enable",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/disable",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/muteAll",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/unmuteAll",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/muteAlert",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/unmuteAlert",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/snooze",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/bulkEdit",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/bulkDelete",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/bulkEnable",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/bulkDisable",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/unsnooze",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/runSoon",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/scheduleBackfill",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/deleteBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/get",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/find",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/create",
+                "alerting:observability.rules.custom_threshold/alerts/rule/delete",
+                "alerting:observability.rules.custom_threshold/alerts/rule/update",
+                "alerting:observability.rules.custom_threshold/alerts/rule/updateApiKey",
+                "alerting:observability.rules.custom_threshold/alerts/rule/enable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/disable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/muteAll",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unmuteAll",
+                "alerting:observability.rules.custom_threshold/alerts/rule/muteAlert",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unmuteAlert",
+                "alerting:observability.rules.custom_threshold/alerts/rule/snooze",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkEdit",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkDelete",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkEnable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkDisable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unsnooze",
+                "alerting:observability.rules.custom_threshold/alerts/rule/runSoon",
+                "alerting:observability.rules.custom_threshold/alerts/rule/scheduleBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/deleteBackfill",
                 "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/get",
                 "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getRuleState",
                 "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getAlertSummary",
@@ -6992,26 +11478,103 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getRuleExecutionKPI",
                 "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getBackfill",
                 "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/deleteBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/deleteBackfill",
                 "alerting:metrics.alert.threshold/infrastructure/alert/get",
                 "alerting:metrics.alert.threshold/infrastructure/alert/find",
                 "alerting:metrics.alert.threshold/infrastructure/alert/getAuthorizedAlertsIndices",
                 "alerting:metrics.alert.threshold/infrastructure/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/infrastructure/alert/update",
+                "alerting:metrics.alert.threshold/alerts/alert/get",
+                "alerting:metrics.alert.threshold/alerts/alert/find",
+                "alerting:metrics.alert.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/alert/update",
                 "alerting:metrics.alert.inventory.threshold/infrastructure/alert/get",
                 "alerting:metrics.alert.inventory.threshold/infrastructure/alert/find",
                 "alerting:metrics.alert.inventory.threshold/infrastructure/alert/getAuthorizedAlertsIndices",
                 "alerting:metrics.alert.inventory.threshold/infrastructure/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/alert/update",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/update",
                 "alerting:.es-query/infrastructure/alert/get",
                 "alerting:.es-query/infrastructure/alert/find",
                 "alerting:.es-query/infrastructure/alert/getAuthorizedAlertsIndices",
                 "alerting:.es-query/infrastructure/alert/getAlertSummary",
+                "alerting:.es-query/infrastructure/alert/update",
+                "alerting:.es-query/alerts/alert/get",
+                "alerting:.es-query/alerts/alert/find",
+                "alerting:.es-query/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/alerts/alert/getAlertSummary",
+                "alerting:.es-query/alerts/alert/update",
                 "alerting:observability.rules.custom_threshold/infrastructure/alert/get",
                 "alerting:observability.rules.custom_threshold/infrastructure/alert/find",
                 "alerting:observability.rules.custom_threshold/infrastructure/alert/getAuthorizedAlertsIndices",
                 "alerting:observability.rules.custom_threshold/infrastructure/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/infrastructure/alert/update",
+                "alerting:observability.rules.custom_threshold/alerts/alert/get",
+                "alerting:observability.rules.custom_threshold/alerts/alert/find",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/alert/update",
                 "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/get",
                 "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/find",
                 "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/update",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/update",
                 "app:logs",
                 "app:observability-logs-explorer",
                 "ui:catalogue/infralogging",
@@ -7023,7 +11586,16 @@ export default function ({ getService }: FtrProviderContext) {
                 "saved_object:infrastructure-monitoring-log-view/find",
                 "saved_object:infrastructure-monitoring-log-view/open_point_in_time",
                 "saved_object:infrastructure-monitoring-log-view/close_point_in_time",
+                "saved_object:infrastructure-monitoring-log-view/create",
+                "saved_object:infrastructure-monitoring-log-view/bulk_create",
+                "saved_object:infrastructure-monitoring-log-view/update",
+                "saved_object:infrastructure-monitoring-log-view/bulk_update",
+                "saved_object:infrastructure-monitoring-log-view/delete",
+                "saved_object:infrastructure-monitoring-log-view/bulk_delete",
+                "saved_object:infrastructure-monitoring-log-view/share_to_space",
                 "ui:logs/show",
+                "ui:logs/configureSource",
+                "ui:logs/save",
                 "alerting:logs.alert.document.count/logs/rule/get",
                 "alerting:logs.alert.document.count/logs/rule/getRuleState",
                 "alerting:logs.alert.document.count/logs/rule/getAlertSummary",
@@ -7033,6 +11605,53 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:logs.alert.document.count/logs/rule/getRuleExecutionKPI",
                 "alerting:logs.alert.document.count/logs/rule/getBackfill",
                 "alerting:logs.alert.document.count/logs/rule/findBackfill",
+                "alerting:logs.alert.document.count/logs/rule/create",
+                "alerting:logs.alert.document.count/logs/rule/delete",
+                "alerting:logs.alert.document.count/logs/rule/update",
+                "alerting:logs.alert.document.count/logs/rule/updateApiKey",
+                "alerting:logs.alert.document.count/logs/rule/enable",
+                "alerting:logs.alert.document.count/logs/rule/disable",
+                "alerting:logs.alert.document.count/logs/rule/muteAll",
+                "alerting:logs.alert.document.count/logs/rule/unmuteAll",
+                "alerting:logs.alert.document.count/logs/rule/muteAlert",
+                "alerting:logs.alert.document.count/logs/rule/unmuteAlert",
+                "alerting:logs.alert.document.count/logs/rule/snooze",
+                "alerting:logs.alert.document.count/logs/rule/bulkEdit",
+                "alerting:logs.alert.document.count/logs/rule/bulkDelete",
+                "alerting:logs.alert.document.count/logs/rule/bulkEnable",
+                "alerting:logs.alert.document.count/logs/rule/bulkDisable",
+                "alerting:logs.alert.document.count/logs/rule/unsnooze",
+                "alerting:logs.alert.document.count/logs/rule/runSoon",
+                "alerting:logs.alert.document.count/logs/rule/scheduleBackfill",
+                "alerting:logs.alert.document.count/logs/rule/deleteBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/get",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleState",
+                "alerting:logs.alert.document.count/alerts/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/alerts/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/alerts/rule/find",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/alerts/rule/getBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/findBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/create",
+                "alerting:logs.alert.document.count/alerts/rule/delete",
+                "alerting:logs.alert.document.count/alerts/rule/update",
+                "alerting:logs.alert.document.count/alerts/rule/updateApiKey",
+                "alerting:logs.alert.document.count/alerts/rule/enable",
+                "alerting:logs.alert.document.count/alerts/rule/disable",
+                "alerting:logs.alert.document.count/alerts/rule/muteAll",
+                "alerting:logs.alert.document.count/alerts/rule/unmuteAll",
+                "alerting:logs.alert.document.count/alerts/rule/muteAlert",
+                "alerting:logs.alert.document.count/alerts/rule/unmuteAlert",
+                "alerting:logs.alert.document.count/alerts/rule/snooze",
+                "alerting:logs.alert.document.count/alerts/rule/bulkEdit",
+                "alerting:logs.alert.document.count/alerts/rule/bulkDelete",
+                "alerting:logs.alert.document.count/alerts/rule/bulkEnable",
+                "alerting:logs.alert.document.count/alerts/rule/bulkDisable",
+                "alerting:logs.alert.document.count/alerts/rule/unsnooze",
+                "alerting:logs.alert.document.count/alerts/rule/runSoon",
+                "alerting:logs.alert.document.count/alerts/rule/scheduleBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/deleteBackfill",
                 "alerting:.es-query/logs/rule/get",
                 "alerting:.es-query/logs/rule/getRuleState",
                 "alerting:.es-query/logs/rule/getAlertSummary",
@@ -7042,6 +11661,25 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:.es-query/logs/rule/getRuleExecutionKPI",
                 "alerting:.es-query/logs/rule/getBackfill",
                 "alerting:.es-query/logs/rule/findBackfill",
+                "alerting:.es-query/logs/rule/create",
+                "alerting:.es-query/logs/rule/delete",
+                "alerting:.es-query/logs/rule/update",
+                "alerting:.es-query/logs/rule/updateApiKey",
+                "alerting:.es-query/logs/rule/enable",
+                "alerting:.es-query/logs/rule/disable",
+                "alerting:.es-query/logs/rule/muteAll",
+                "alerting:.es-query/logs/rule/unmuteAll",
+                "alerting:.es-query/logs/rule/muteAlert",
+                "alerting:.es-query/logs/rule/unmuteAlert",
+                "alerting:.es-query/logs/rule/snooze",
+                "alerting:.es-query/logs/rule/bulkEdit",
+                "alerting:.es-query/logs/rule/bulkDelete",
+                "alerting:.es-query/logs/rule/bulkEnable",
+                "alerting:.es-query/logs/rule/bulkDisable",
+                "alerting:.es-query/logs/rule/unsnooze",
+                "alerting:.es-query/logs/rule/runSoon",
+                "alerting:.es-query/logs/rule/scheduleBackfill",
+                "alerting:.es-query/logs/rule/deleteBackfill",
                 "alerting:observability.rules.custom_threshold/logs/rule/get",
                 "alerting:observability.rules.custom_threshold/logs/rule/getRuleState",
                 "alerting:observability.rules.custom_threshold/logs/rule/getAlertSummary",
@@ -7051,6 +11689,25 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:observability.rules.custom_threshold/logs/rule/getRuleExecutionKPI",
                 "alerting:observability.rules.custom_threshold/logs/rule/getBackfill",
                 "alerting:observability.rules.custom_threshold/logs/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/logs/rule/create",
+                "alerting:observability.rules.custom_threshold/logs/rule/delete",
+                "alerting:observability.rules.custom_threshold/logs/rule/update",
+                "alerting:observability.rules.custom_threshold/logs/rule/updateApiKey",
+                "alerting:observability.rules.custom_threshold/logs/rule/enable",
+                "alerting:observability.rules.custom_threshold/logs/rule/disable",
+                "alerting:observability.rules.custom_threshold/logs/rule/muteAll",
+                "alerting:observability.rules.custom_threshold/logs/rule/unmuteAll",
+                "alerting:observability.rules.custom_threshold/logs/rule/muteAlert",
+                "alerting:observability.rules.custom_threshold/logs/rule/unmuteAlert",
+                "alerting:observability.rules.custom_threshold/logs/rule/snooze",
+                "alerting:observability.rules.custom_threshold/logs/rule/bulkEdit",
+                "alerting:observability.rules.custom_threshold/logs/rule/bulkDelete",
+                "alerting:observability.rules.custom_threshold/logs/rule/bulkEnable",
+                "alerting:observability.rules.custom_threshold/logs/rule/bulkDisable",
+                "alerting:observability.rules.custom_threshold/logs/rule/unsnooze",
+                "alerting:observability.rules.custom_threshold/logs/rule/runSoon",
+                "alerting:observability.rules.custom_threshold/logs/rule/scheduleBackfill",
+                "alerting:observability.rules.custom_threshold/logs/rule/deleteBackfill",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/get",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleState",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getAlertSummary",
@@ -7060,71 +11717,55 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleExecutionKPI",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getBackfill",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/deleteBackfill",
                 "alerting:logs.alert.document.count/logs/alert/get",
                 "alerting:logs.alert.document.count/logs/alert/find",
                 "alerting:logs.alert.document.count/logs/alert/getAuthorizedAlertsIndices",
                 "alerting:logs.alert.document.count/logs/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/logs/alert/update",
+                "alerting:logs.alert.document.count/alerts/alert/get",
+                "alerting:logs.alert.document.count/alerts/alert/find",
+                "alerting:logs.alert.document.count/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/alerts/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/alert/update",
                 "alerting:.es-query/logs/alert/get",
                 "alerting:.es-query/logs/alert/find",
                 "alerting:.es-query/logs/alert/getAuthorizedAlertsIndices",
                 "alerting:.es-query/logs/alert/getAlertSummary",
+                "alerting:.es-query/logs/alert/update",
                 "alerting:observability.rules.custom_threshold/logs/alert/get",
                 "alerting:observability.rules.custom_threshold/logs/alert/find",
                 "alerting:observability.rules.custom_threshold/logs/alert/getAuthorizedAlertsIndices",
                 "alerting:observability.rules.custom_threshold/logs/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/logs/alert/update",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/alert/get",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/alert/find",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/update",
                 "app:observability",
                 "ui:catalogue/observability",
                 "ui:navLinks/observability",
                 "ui:observability/read",
-                "alerting:slo.rules.burnRate/observability/rule/get",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
-                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
-                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
-                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
-                "alerting:slo.rules.burnRate/observability/rule/find",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
-                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/get",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
-                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/find",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
-                "alerting:.es-query/observability/rule/get",
-                "alerting:.es-query/observability/rule/getRuleState",
-                "alerting:.es-query/observability/rule/getAlertSummary",
-                "alerting:.es-query/observability/rule/getExecutionLog",
-                "alerting:.es-query/observability/rule/getActionErrorLog",
-                "alerting:.es-query/observability/rule/find",
-                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
-                "alerting:.es-query/observability/rule/getBackfill",
-                "alerting:.es-query/observability/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
+                "ui:observability/write",
                 "alerting:apm.error_rate/observability/rule/get",
                 "alerting:apm.error_rate/observability/rule/getRuleState",
                 "alerting:apm.error_rate/observability/rule/getAlertSummary",
@@ -7134,6 +11775,53 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.error_rate/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.error_rate/observability/rule/getBackfill",
                 "alerting:apm.error_rate/observability/rule/findBackfill",
+                "alerting:apm.error_rate/observability/rule/create",
+                "alerting:apm.error_rate/observability/rule/delete",
+                "alerting:apm.error_rate/observability/rule/update",
+                "alerting:apm.error_rate/observability/rule/updateApiKey",
+                "alerting:apm.error_rate/observability/rule/enable",
+                "alerting:apm.error_rate/observability/rule/disable",
+                "alerting:apm.error_rate/observability/rule/muteAll",
+                "alerting:apm.error_rate/observability/rule/unmuteAll",
+                "alerting:apm.error_rate/observability/rule/muteAlert",
+                "alerting:apm.error_rate/observability/rule/unmuteAlert",
+                "alerting:apm.error_rate/observability/rule/snooze",
+                "alerting:apm.error_rate/observability/rule/bulkEdit",
+                "alerting:apm.error_rate/observability/rule/bulkDelete",
+                "alerting:apm.error_rate/observability/rule/bulkEnable",
+                "alerting:apm.error_rate/observability/rule/bulkDisable",
+                "alerting:apm.error_rate/observability/rule/unsnooze",
+                "alerting:apm.error_rate/observability/rule/runSoon",
+                "alerting:apm.error_rate/observability/rule/scheduleBackfill",
+                "alerting:apm.error_rate/observability/rule/deleteBackfill",
+                "alerting:apm.error_rate/alerts/rule/get",
+                "alerting:apm.error_rate/alerts/rule/getRuleState",
+                "alerting:apm.error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.error_rate/alerts/rule/find",
+                "alerting:apm.error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/alerts/rule/getBackfill",
+                "alerting:apm.error_rate/alerts/rule/findBackfill",
+                "alerting:apm.error_rate/alerts/rule/create",
+                "alerting:apm.error_rate/alerts/rule/delete",
+                "alerting:apm.error_rate/alerts/rule/update",
+                "alerting:apm.error_rate/alerts/rule/updateApiKey",
+                "alerting:apm.error_rate/alerts/rule/enable",
+                "alerting:apm.error_rate/alerts/rule/disable",
+                "alerting:apm.error_rate/alerts/rule/muteAll",
+                "alerting:apm.error_rate/alerts/rule/unmuteAll",
+                "alerting:apm.error_rate/alerts/rule/muteAlert",
+                "alerting:apm.error_rate/alerts/rule/unmuteAlert",
+                "alerting:apm.error_rate/alerts/rule/snooze",
+                "alerting:apm.error_rate/alerts/rule/bulkEdit",
+                "alerting:apm.error_rate/alerts/rule/bulkDelete",
+                "alerting:apm.error_rate/alerts/rule/bulkEnable",
+                "alerting:apm.error_rate/alerts/rule/bulkDisable",
+                "alerting:apm.error_rate/alerts/rule/unsnooze",
+                "alerting:apm.error_rate/alerts/rule/runSoon",
+                "alerting:apm.error_rate/alerts/rule/scheduleBackfill",
+                "alerting:apm.error_rate/alerts/rule/deleteBackfill",
                 "alerting:apm.transaction_error_rate/observability/rule/get",
                 "alerting:apm.transaction_error_rate/observability/rule/getRuleState",
                 "alerting:apm.transaction_error_rate/observability/rule/getAlertSummary",
@@ -7143,6 +11831,53 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.transaction_error_rate/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.transaction_error_rate/observability/rule/getBackfill",
                 "alerting:apm.transaction_error_rate/observability/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/observability/rule/create",
+                "alerting:apm.transaction_error_rate/observability/rule/delete",
+                "alerting:apm.transaction_error_rate/observability/rule/update",
+                "alerting:apm.transaction_error_rate/observability/rule/updateApiKey",
+                "alerting:apm.transaction_error_rate/observability/rule/enable",
+                "alerting:apm.transaction_error_rate/observability/rule/disable",
+                "alerting:apm.transaction_error_rate/observability/rule/muteAll",
+                "alerting:apm.transaction_error_rate/observability/rule/unmuteAll",
+                "alerting:apm.transaction_error_rate/observability/rule/muteAlert",
+                "alerting:apm.transaction_error_rate/observability/rule/unmuteAlert",
+                "alerting:apm.transaction_error_rate/observability/rule/snooze",
+                "alerting:apm.transaction_error_rate/observability/rule/bulkEdit",
+                "alerting:apm.transaction_error_rate/observability/rule/bulkDelete",
+                "alerting:apm.transaction_error_rate/observability/rule/bulkEnable",
+                "alerting:apm.transaction_error_rate/observability/rule/bulkDisable",
+                "alerting:apm.transaction_error_rate/observability/rule/unsnooze",
+                "alerting:apm.transaction_error_rate/observability/rule/runSoon",
+                "alerting:apm.transaction_error_rate/observability/rule/scheduleBackfill",
+                "alerting:apm.transaction_error_rate/observability/rule/deleteBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/get",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/find",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/alerts/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/create",
+                "alerting:apm.transaction_error_rate/alerts/rule/delete",
+                "alerting:apm.transaction_error_rate/alerts/rule/update",
+                "alerting:apm.transaction_error_rate/alerts/rule/updateApiKey",
+                "alerting:apm.transaction_error_rate/alerts/rule/enable",
+                "alerting:apm.transaction_error_rate/alerts/rule/disable",
+                "alerting:apm.transaction_error_rate/alerts/rule/muteAll",
+                "alerting:apm.transaction_error_rate/alerts/rule/unmuteAll",
+                "alerting:apm.transaction_error_rate/alerts/rule/muteAlert",
+                "alerting:apm.transaction_error_rate/alerts/rule/unmuteAlert",
+                "alerting:apm.transaction_error_rate/alerts/rule/snooze",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkEdit",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkDelete",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkEnable",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkDisable",
+                "alerting:apm.transaction_error_rate/alerts/rule/unsnooze",
+                "alerting:apm.transaction_error_rate/alerts/rule/runSoon",
+                "alerting:apm.transaction_error_rate/alerts/rule/scheduleBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/deleteBackfill",
                 "alerting:apm.transaction_duration/observability/rule/get",
                 "alerting:apm.transaction_duration/observability/rule/getRuleState",
                 "alerting:apm.transaction_duration/observability/rule/getAlertSummary",
@@ -7152,6 +11887,53 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.transaction_duration/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.transaction_duration/observability/rule/getBackfill",
                 "alerting:apm.transaction_duration/observability/rule/findBackfill",
+                "alerting:apm.transaction_duration/observability/rule/create",
+                "alerting:apm.transaction_duration/observability/rule/delete",
+                "alerting:apm.transaction_duration/observability/rule/update",
+                "alerting:apm.transaction_duration/observability/rule/updateApiKey",
+                "alerting:apm.transaction_duration/observability/rule/enable",
+                "alerting:apm.transaction_duration/observability/rule/disable",
+                "alerting:apm.transaction_duration/observability/rule/muteAll",
+                "alerting:apm.transaction_duration/observability/rule/unmuteAll",
+                "alerting:apm.transaction_duration/observability/rule/muteAlert",
+                "alerting:apm.transaction_duration/observability/rule/unmuteAlert",
+                "alerting:apm.transaction_duration/observability/rule/snooze",
+                "alerting:apm.transaction_duration/observability/rule/bulkEdit",
+                "alerting:apm.transaction_duration/observability/rule/bulkDelete",
+                "alerting:apm.transaction_duration/observability/rule/bulkEnable",
+                "alerting:apm.transaction_duration/observability/rule/bulkDisable",
+                "alerting:apm.transaction_duration/observability/rule/unsnooze",
+                "alerting:apm.transaction_duration/observability/rule/runSoon",
+                "alerting:apm.transaction_duration/observability/rule/scheduleBackfill",
+                "alerting:apm.transaction_duration/observability/rule/deleteBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/get",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleState",
+                "alerting:apm.transaction_duration/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/alerts/rule/find",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/alerts/rule/getBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/findBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/create",
+                "alerting:apm.transaction_duration/alerts/rule/delete",
+                "alerting:apm.transaction_duration/alerts/rule/update",
+                "alerting:apm.transaction_duration/alerts/rule/updateApiKey",
+                "alerting:apm.transaction_duration/alerts/rule/enable",
+                "alerting:apm.transaction_duration/alerts/rule/disable",
+                "alerting:apm.transaction_duration/alerts/rule/muteAll",
+                "alerting:apm.transaction_duration/alerts/rule/unmuteAll",
+                "alerting:apm.transaction_duration/alerts/rule/muteAlert",
+                "alerting:apm.transaction_duration/alerts/rule/unmuteAlert",
+                "alerting:apm.transaction_duration/alerts/rule/snooze",
+                "alerting:apm.transaction_duration/alerts/rule/bulkEdit",
+                "alerting:apm.transaction_duration/alerts/rule/bulkDelete",
+                "alerting:apm.transaction_duration/alerts/rule/bulkEnable",
+                "alerting:apm.transaction_duration/alerts/rule/bulkDisable",
+                "alerting:apm.transaction_duration/alerts/rule/unsnooze",
+                "alerting:apm.transaction_duration/alerts/rule/runSoon",
+                "alerting:apm.transaction_duration/alerts/rule/scheduleBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/deleteBackfill",
                 "alerting:apm.anomaly/observability/rule/get",
                 "alerting:apm.anomaly/observability/rule/getRuleState",
                 "alerting:apm.anomaly/observability/rule/getAlertSummary",
@@ -7161,6 +11943,53 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.anomaly/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.anomaly/observability/rule/getBackfill",
                 "alerting:apm.anomaly/observability/rule/findBackfill",
+                "alerting:apm.anomaly/observability/rule/create",
+                "alerting:apm.anomaly/observability/rule/delete",
+                "alerting:apm.anomaly/observability/rule/update",
+                "alerting:apm.anomaly/observability/rule/updateApiKey",
+                "alerting:apm.anomaly/observability/rule/enable",
+                "alerting:apm.anomaly/observability/rule/disable",
+                "alerting:apm.anomaly/observability/rule/muteAll",
+                "alerting:apm.anomaly/observability/rule/unmuteAll",
+                "alerting:apm.anomaly/observability/rule/muteAlert",
+                "alerting:apm.anomaly/observability/rule/unmuteAlert",
+                "alerting:apm.anomaly/observability/rule/snooze",
+                "alerting:apm.anomaly/observability/rule/bulkEdit",
+                "alerting:apm.anomaly/observability/rule/bulkDelete",
+                "alerting:apm.anomaly/observability/rule/bulkEnable",
+                "alerting:apm.anomaly/observability/rule/bulkDisable",
+                "alerting:apm.anomaly/observability/rule/unsnooze",
+                "alerting:apm.anomaly/observability/rule/runSoon",
+                "alerting:apm.anomaly/observability/rule/scheduleBackfill",
+                "alerting:apm.anomaly/observability/rule/deleteBackfill",
+                "alerting:apm.anomaly/alerts/rule/get",
+                "alerting:apm.anomaly/alerts/rule/getRuleState",
+                "alerting:apm.anomaly/alerts/rule/getAlertSummary",
+                "alerting:apm.anomaly/alerts/rule/getExecutionLog",
+                "alerting:apm.anomaly/alerts/rule/getActionErrorLog",
+                "alerting:apm.anomaly/alerts/rule/find",
+                "alerting:apm.anomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/alerts/rule/getBackfill",
+                "alerting:apm.anomaly/alerts/rule/findBackfill",
+                "alerting:apm.anomaly/alerts/rule/create",
+                "alerting:apm.anomaly/alerts/rule/delete",
+                "alerting:apm.anomaly/alerts/rule/update",
+                "alerting:apm.anomaly/alerts/rule/updateApiKey",
+                "alerting:apm.anomaly/alerts/rule/enable",
+                "alerting:apm.anomaly/alerts/rule/disable",
+                "alerting:apm.anomaly/alerts/rule/muteAll",
+                "alerting:apm.anomaly/alerts/rule/unmuteAll",
+                "alerting:apm.anomaly/alerts/rule/muteAlert",
+                "alerting:apm.anomaly/alerts/rule/unmuteAlert",
+                "alerting:apm.anomaly/alerts/rule/snooze",
+                "alerting:apm.anomaly/alerts/rule/bulkEdit",
+                "alerting:apm.anomaly/alerts/rule/bulkDelete",
+                "alerting:apm.anomaly/alerts/rule/bulkEnable",
+                "alerting:apm.anomaly/alerts/rule/bulkDisable",
+                "alerting:apm.anomaly/alerts/rule/unsnooze",
+                "alerting:apm.anomaly/alerts/rule/runSoon",
+                "alerting:apm.anomaly/alerts/rule/scheduleBackfill",
+                "alerting:apm.anomaly/alerts/rule/deleteBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getAlertSummary",
@@ -7170,6 +11999,53 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/create",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/delete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/enable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/disable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/snooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/deleteBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/create",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/delete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/enable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/disable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/snooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/deleteBackfill",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/get",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getAlertSummary",
@@ -7179,218 +12055,670 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleExecutionKPI",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getBackfill",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/findBackfill",
-                "alerting:slo.rules.burnRate/observability/alert/get",
-                "alerting:slo.rules.burnRate/observability/alert/find",
-                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/alert/get",
-                "alerting:observability.rules.custom_threshold/observability/alert/find",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
-                "alerting:.es-query/observability/alert/get",
-                "alerting:.es-query/observability/alert/find",
-                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/observability/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/create",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/delete",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/update",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/enable",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/disable",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/snooze",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/deleteBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/create",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/delete",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/update",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/enable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/disable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/snooze",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/deleteBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/get",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/observability/rule/find",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/create",
+                "alerting:metrics.alert.threshold/observability/rule/delete",
+                "alerting:metrics.alert.threshold/observability/rule/update",
+                "alerting:metrics.alert.threshold/observability/rule/updateApiKey",
+                "alerting:metrics.alert.threshold/observability/rule/enable",
+                "alerting:metrics.alert.threshold/observability/rule/disable",
+                "alerting:metrics.alert.threshold/observability/rule/muteAll",
+                "alerting:metrics.alert.threshold/observability/rule/unmuteAll",
+                "alerting:metrics.alert.threshold/observability/rule/muteAlert",
+                "alerting:metrics.alert.threshold/observability/rule/unmuteAlert",
+                "alerting:metrics.alert.threshold/observability/rule/snooze",
+                "alerting:metrics.alert.threshold/observability/rule/bulkEdit",
+                "alerting:metrics.alert.threshold/observability/rule/bulkDelete",
+                "alerting:metrics.alert.threshold/observability/rule/bulkEnable",
+                "alerting:metrics.alert.threshold/observability/rule/bulkDisable",
+                "alerting:metrics.alert.threshold/observability/rule/unsnooze",
+                "alerting:metrics.alert.threshold/observability/rule/runSoon",
+                "alerting:metrics.alert.threshold/observability/rule/scheduleBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/deleteBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/create",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/delete",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/update",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/updateApiKey",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/enable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/disable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAll",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAll",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAlert",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAlert",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/snooze",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEdit",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDelete",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEnable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDisable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unsnooze",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/runSoon",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/scheduleBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/create",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/update",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/create",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/create",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/create",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/deleteBackfill",
+                "alerting:logs.alert.document.count/observability/rule/get",
+                "alerting:logs.alert.document.count/observability/rule/getRuleState",
+                "alerting:logs.alert.document.count/observability/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/observability/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/observability/rule/find",
+                "alerting:logs.alert.document.count/observability/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/observability/rule/getBackfill",
+                "alerting:logs.alert.document.count/observability/rule/findBackfill",
+                "alerting:logs.alert.document.count/observability/rule/create",
+                "alerting:logs.alert.document.count/observability/rule/delete",
+                "alerting:logs.alert.document.count/observability/rule/update",
+                "alerting:logs.alert.document.count/observability/rule/updateApiKey",
+                "alerting:logs.alert.document.count/observability/rule/enable",
+                "alerting:logs.alert.document.count/observability/rule/disable",
+                "alerting:logs.alert.document.count/observability/rule/muteAll",
+                "alerting:logs.alert.document.count/observability/rule/unmuteAll",
+                "alerting:logs.alert.document.count/observability/rule/muteAlert",
+                "alerting:logs.alert.document.count/observability/rule/unmuteAlert",
+                "alerting:logs.alert.document.count/observability/rule/snooze",
+                "alerting:logs.alert.document.count/observability/rule/bulkEdit",
+                "alerting:logs.alert.document.count/observability/rule/bulkDelete",
+                "alerting:logs.alert.document.count/observability/rule/bulkEnable",
+                "alerting:logs.alert.document.count/observability/rule/bulkDisable",
+                "alerting:logs.alert.document.count/observability/rule/unsnooze",
+                "alerting:logs.alert.document.count/observability/rule/runSoon",
+                "alerting:logs.alert.document.count/observability/rule/scheduleBackfill",
+                "alerting:logs.alert.document.count/observability/rule/deleteBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/get",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
+                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/observability/rule/find",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/create",
+                "alerting:slo.rules.burnRate/observability/rule/delete",
+                "alerting:slo.rules.burnRate/observability/rule/update",
+                "alerting:slo.rules.burnRate/observability/rule/updateApiKey",
+                "alerting:slo.rules.burnRate/observability/rule/enable",
+                "alerting:slo.rules.burnRate/observability/rule/disable",
+                "alerting:slo.rules.burnRate/observability/rule/muteAll",
+                "alerting:slo.rules.burnRate/observability/rule/unmuteAll",
+                "alerting:slo.rules.burnRate/observability/rule/muteAlert",
+                "alerting:slo.rules.burnRate/observability/rule/unmuteAlert",
+                "alerting:slo.rules.burnRate/observability/rule/snooze",
+                "alerting:slo.rules.burnRate/observability/rule/bulkEdit",
+                "alerting:slo.rules.burnRate/observability/rule/bulkDelete",
+                "alerting:slo.rules.burnRate/observability/rule/bulkEnable",
+                "alerting:slo.rules.burnRate/observability/rule/bulkDisable",
+                "alerting:slo.rules.burnRate/observability/rule/unsnooze",
+                "alerting:slo.rules.burnRate/observability/rule/runSoon",
+                "alerting:slo.rules.burnRate/observability/rule/scheduleBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/deleteBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/get",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleState",
+                "alerting:slo.rules.burnRate/alerts/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/alerts/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/alerts/rule/find",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/alerts/rule/getBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/findBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/create",
+                "alerting:slo.rules.burnRate/alerts/rule/delete",
+                "alerting:slo.rules.burnRate/alerts/rule/update",
+                "alerting:slo.rules.burnRate/alerts/rule/updateApiKey",
+                "alerting:slo.rules.burnRate/alerts/rule/enable",
+                "alerting:slo.rules.burnRate/alerts/rule/disable",
+                "alerting:slo.rules.burnRate/alerts/rule/muteAll",
+                "alerting:slo.rules.burnRate/alerts/rule/unmuteAll",
+                "alerting:slo.rules.burnRate/alerts/rule/muteAlert",
+                "alerting:slo.rules.burnRate/alerts/rule/unmuteAlert",
+                "alerting:slo.rules.burnRate/alerts/rule/snooze",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkEdit",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkDelete",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkEnable",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkDisable",
+                "alerting:slo.rules.burnRate/alerts/rule/unsnooze",
+                "alerting:slo.rules.burnRate/alerts/rule/runSoon",
+                "alerting:slo.rules.burnRate/alerts/rule/scheduleBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/deleteBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/get",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/find",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/create",
+                "alerting:observability.rules.custom_threshold/observability/rule/delete",
+                "alerting:observability.rules.custom_threshold/observability/rule/update",
+                "alerting:observability.rules.custom_threshold/observability/rule/updateApiKey",
+                "alerting:observability.rules.custom_threshold/observability/rule/enable",
+                "alerting:observability.rules.custom_threshold/observability/rule/disable",
+                "alerting:observability.rules.custom_threshold/observability/rule/muteAll",
+                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAll",
+                "alerting:observability.rules.custom_threshold/observability/rule/muteAlert",
+                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAlert",
+                "alerting:observability.rules.custom_threshold/observability/rule/snooze",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkEdit",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkDelete",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkEnable",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkDisable",
+                "alerting:observability.rules.custom_threshold/observability/rule/unsnooze",
+                "alerting:observability.rules.custom_threshold/observability/rule/runSoon",
+                "alerting:observability.rules.custom_threshold/observability/rule/scheduleBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/deleteBackfill",
+                "alerting:.es-query/observability/rule/get",
+                "alerting:.es-query/observability/rule/getRuleState",
+                "alerting:.es-query/observability/rule/getAlertSummary",
+                "alerting:.es-query/observability/rule/getExecutionLog",
+                "alerting:.es-query/observability/rule/getActionErrorLog",
+                "alerting:.es-query/observability/rule/find",
+                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
+                "alerting:.es-query/observability/rule/getBackfill",
+                "alerting:.es-query/observability/rule/findBackfill",
+                "alerting:.es-query/observability/rule/create",
+                "alerting:.es-query/observability/rule/delete",
+                "alerting:.es-query/observability/rule/update",
+                "alerting:.es-query/observability/rule/updateApiKey",
+                "alerting:.es-query/observability/rule/enable",
+                "alerting:.es-query/observability/rule/disable",
+                "alerting:.es-query/observability/rule/muteAll",
+                "alerting:.es-query/observability/rule/unmuteAll",
+                "alerting:.es-query/observability/rule/muteAlert",
+                "alerting:.es-query/observability/rule/unmuteAlert",
+                "alerting:.es-query/observability/rule/snooze",
+                "alerting:.es-query/observability/rule/bulkEdit",
+                "alerting:.es-query/observability/rule/bulkDelete",
+                "alerting:.es-query/observability/rule/bulkEnable",
+                "alerting:.es-query/observability/rule/bulkDisable",
+                "alerting:.es-query/observability/rule/unsnooze",
+                "alerting:.es-query/observability/rule/runSoon",
+                "alerting:.es-query/observability/rule/scheduleBackfill",
+                "alerting:.es-query/observability/rule/deleteBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/deleteBackfill",
                 "alerting:apm.error_rate/observability/alert/get",
                 "alerting:apm.error_rate/observability/alert/find",
                 "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.error_rate/observability/alert/update",
+                "alerting:apm.error_rate/alerts/alert/get",
+                "alerting:apm.error_rate/alerts/alert/find",
+                "alerting:apm.error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/alerts/alert/getAlertSummary",
+                "alerting:apm.error_rate/alerts/alert/update",
                 "alerting:apm.transaction_error_rate/observability/alert/get",
                 "alerting:apm.transaction_error_rate/observability/alert/find",
                 "alerting:apm.transaction_error_rate/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/observability/alert/update",
+                "alerting:apm.transaction_error_rate/alerts/alert/get",
+                "alerting:apm.transaction_error_rate/alerts/alert/find",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/alert/update",
                 "alerting:apm.transaction_duration/observability/alert/get",
                 "alerting:apm.transaction_duration/observability/alert/find",
                 "alerting:apm.transaction_duration/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_duration/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/observability/alert/update",
+                "alerting:apm.transaction_duration/alerts/alert/get",
+                "alerting:apm.transaction_duration/alerts/alert/find",
+                "alerting:apm.transaction_duration/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/alerts/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/alert/update",
                 "alerting:apm.anomaly/observability/alert/get",
                 "alerting:apm.anomaly/observability/alert/find",
                 "alerting:apm.anomaly/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.anomaly/observability/alert/getAlertSummary",
+                "alerting:apm.anomaly/observability/alert/update",
+                "alerting:apm.anomaly/alerts/alert/get",
+                "alerting:apm.anomaly/alerts/alert/find",
+                "alerting:apm.anomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/alerts/alert/getAlertSummary",
+                "alerting:apm.anomaly/alerts/alert/update",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/update",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/get",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/find",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
-              ],
-            },
-            "reporting": Object {
-              "all": Array [
-                "login:",
-                "saved_object:telemetry/bulk_get",
-                "saved_object:telemetry/get",
-                "saved_object:telemetry/find",
-                "saved_object:telemetry/open_point_in_time",
-                "saved_object:telemetry/close_point_in_time",
-                "saved_object:telemetry/create",
-                "saved_object:telemetry/bulk_create",
-                "saved_object:telemetry/update",
-                "saved_object:telemetry/bulk_update",
-                "saved_object:telemetry/delete",
-                "saved_object:telemetry/bulk_delete",
-                "saved_object:telemetry/share_to_space",
-                "saved_object:config/bulk_get",
-                "saved_object:config/get",
-                "saved_object:config/find",
-                "saved_object:config/open_point_in_time",
-                "saved_object:config/close_point_in_time",
-                "saved_object:config-global/bulk_get",
-                "saved_object:config-global/get",
-                "saved_object:config-global/find",
-                "saved_object:config-global/open_point_in_time",
-                "saved_object:config-global/close_point_in_time",
-                "saved_object:url/bulk_get",
-                "saved_object:url/get",
-                "saved_object:url/find",
-                "saved_object:url/open_point_in_time",
-                "saved_object:url/close_point_in_time",
-                "api:downloadCsv",
-                "ui:management/insightsAndAlerting/reporting",
-                "ui:dashboard/downloadCsv",
-                "api:generateReport",
-                "ui:discover/generateCsv",
-              ],
-              "minimal_all": Array [
-                "login:",
-                "saved_object:telemetry/bulk_get",
-                "saved_object:telemetry/get",
-                "saved_object:telemetry/find",
-                "saved_object:telemetry/open_point_in_time",
-                "saved_object:telemetry/close_point_in_time",
-                "saved_object:telemetry/create",
-                "saved_object:telemetry/bulk_create",
-                "saved_object:telemetry/update",
-                "saved_object:telemetry/bulk_update",
-                "saved_object:telemetry/delete",
-                "saved_object:telemetry/bulk_delete",
-                "saved_object:telemetry/share_to_space",
-                "saved_object:config/bulk_get",
-                "saved_object:config/get",
-                "saved_object:config/find",
-                "saved_object:config/open_point_in_time",
-                "saved_object:config/close_point_in_time",
-                "saved_object:config-global/bulk_get",
-                "saved_object:config-global/get",
-                "saved_object:config-global/find",
-                "saved_object:config-global/open_point_in_time",
-                "saved_object:config-global/close_point_in_time",
-                "saved_object:url/bulk_get",
-                "saved_object:url/get",
-                "saved_object:url/find",
-                "saved_object:url/open_point_in_time",
-                "saved_object:url/close_point_in_time",
-                "api:downloadCsv",
-                "ui:management/insightsAndAlerting/reporting",
-                "ui:dashboard/downloadCsv",
-                "api:generateReport",
-                "ui:discover/generateCsv",
-              ],
-              "minimal_read": Array [
-                "login:",
-                "saved_object:config/bulk_get",
-                "saved_object:config/get",
-                "saved_object:config/find",
-                "saved_object:config/open_point_in_time",
-                "saved_object:config/close_point_in_time",
-                "saved_object:config-global/bulk_get",
-                "saved_object:config-global/get",
-                "saved_object:config-global/find",
-                "saved_object:config-global/open_point_in_time",
-                "saved_object:config-global/close_point_in_time",
-                "saved_object:telemetry/bulk_get",
-                "saved_object:telemetry/get",
-                "saved_object:telemetry/find",
-                "saved_object:telemetry/open_point_in_time",
-                "saved_object:telemetry/close_point_in_time",
-                "saved_object:url/bulk_get",
-                "saved_object:url/get",
-                "saved_object:url/find",
-                "saved_object:url/open_point_in_time",
-                "saved_object:url/close_point_in_time",
-              ],
-              "read": Array [
-                "login:",
-                "saved_object:config/bulk_get",
-                "saved_object:config/get",
-                "saved_object:config/find",
-                "saved_object:config/open_point_in_time",
-                "saved_object:config/close_point_in_time",
-                "saved_object:config-global/bulk_get",
-                "saved_object:config-global/get",
-                "saved_object:config-global/find",
-                "saved_object:config-global/open_point_in_time",
-                "saved_object:config-global/close_point_in_time",
-                "saved_object:telemetry/bulk_get",
-                "saved_object:telemetry/get",
-                "saved_object:telemetry/find",
-                "saved_object:telemetry/open_point_in_time",
-                "saved_object:telemetry/close_point_in_time",
-                "saved_object:url/bulk_get",
-                "saved_object:url/get",
-                "saved_object:url/find",
-                "saved_object:url/open_point_in_time",
-                "saved_object:url/close_point_in_time",
-              ],
-            },
-            "slo": Object {
-              "all": Array [
-                "login:",
-                "api:slo_write",
-                "api:slo_read",
-                "api:rac",
-                "app:slo",
-                "app:kibana",
-                "ui:catalogue/slo",
-                "ui:catalogue/observability",
-                "ui:navLinks/slo",
-                "ui:navLinks/kibana",
-                "saved_object:slo/bulk_get",
-                "saved_object:slo/get",
-                "saved_object:slo/find",
-                "saved_object:slo/open_point_in_time",
-                "saved_object:slo/close_point_in_time",
-                "saved_object:slo/create",
-                "saved_object:slo/bulk_create",
-                "saved_object:slo/update",
-                "saved_object:slo/bulk_update",
-                "saved_object:slo/delete",
-                "saved_object:slo/bulk_delete",
-                "saved_object:slo/share_to_space",
-                "saved_object:slo-settings/bulk_get",
-                "saved_object:slo-settings/get",
-                "saved_object:slo-settings/find",
-                "saved_object:slo-settings/open_point_in_time",
-                "saved_object:slo-settings/close_point_in_time",
-                "saved_object:slo-settings/create",
-                "saved_object:slo-settings/bulk_create",
-                "saved_object:slo-settings/update",
-                "saved_object:slo-settings/bulk_update",
-                "saved_object:slo-settings/delete",
-                "saved_object:slo-settings/bulk_delete",
-                "saved_object:slo-settings/share_to_space",
-                "saved_object:telemetry/bulk_get",
-                "saved_object:telemetry/get",
-                "saved_object:telemetry/find",
-                "saved_object:telemetry/open_point_in_time",
-                "saved_object:telemetry/close_point_in_time",
-                "saved_object:telemetry/create",
-                "saved_object:telemetry/bulk_create",
-                "saved_object:telemetry/update",
-                "saved_object:telemetry/bulk_update",
-                "saved_object:telemetry/delete",
-                "saved_object:telemetry/bulk_delete",
-                "saved_object:telemetry/share_to_space",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/update",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/update",
+                "alerting:metrics.alert.threshold/observability/alert/get",
+                "alerting:metrics.alert.threshold/observability/alert/find",
+                "alerting:metrics.alert.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/alert/update",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/update",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/update",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/update",
+                "alerting:logs.alert.document.count/observability/alert/get",
+                "alerting:logs.alert.document.count/observability/alert/find",
+                "alerting:logs.alert.document.count/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/observability/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/alert/update",
+                "alerting:slo.rules.burnRate/observability/alert/get",
+                "alerting:slo.rules.burnRate/observability/alert/find",
+                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/alert/update",
+                "alerting:slo.rules.burnRate/alerts/alert/get",
+                "alerting:slo.rules.burnRate/alerts/alert/find",
+                "alerting:slo.rules.burnRate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/alerts/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/alert/update",
+                "alerting:observability.rules.custom_threshold/observability/alert/get",
+                "alerting:observability.rules.custom_threshold/observability/alert/find",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/alert/update",
+                "alerting:.es-query/observability/alert/get",
+                "alerting:.es-query/observability/alert/find",
+                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/observability/alert/getAlertSummary",
+                "alerting:.es-query/observability/alert/update",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/update",
+              ],
+              "minimal_read": Array [
+                "login:",
+                "api:infra",
+                "api:rac",
+                "app:infra",
+                "app:metrics",
+                "app:kibana",
+                "ui:catalogue/infraops",
+                "ui:catalogue/metrics",
+                "ui:management/insightsAndAlerting/triggersActions",
+                "ui:navLinks/infra",
+                "ui:navLinks/metrics",
+                "ui:navLinks/kibana",
+                "saved_object:infrastructure-ui-source/bulk_get",
+                "saved_object:infrastructure-ui-source/get",
+                "saved_object:infrastructure-ui-source/find",
+                "saved_object:infrastructure-ui-source/open_point_in_time",
+                "saved_object:infrastructure-ui-source/close_point_in_time",
+                "saved_object:index-pattern/bulk_get",
+                "saved_object:index-pattern/get",
+                "saved_object:index-pattern/find",
+                "saved_object:index-pattern/open_point_in_time",
+                "saved_object:index-pattern/close_point_in_time",
+                "saved_object:metrics-data-source/bulk_get",
+                "saved_object:metrics-data-source/get",
+                "saved_object:metrics-data-source/find",
+                "saved_object:metrics-data-source/open_point_in_time",
+                "saved_object:metrics-data-source/close_point_in_time",
                 "saved_object:config/bulk_get",
                 "saved_object:config/get",
                 "saved_object:config/find",
@@ -7401,50 +12729,435 @@ export default function ({ getService }: FtrProviderContext) {
                 "saved_object:config-global/find",
                 "saved_object:config-global/open_point_in_time",
                 "saved_object:config-global/close_point_in_time",
+                "saved_object:telemetry/bulk_get",
+                "saved_object:telemetry/get",
+                "saved_object:telemetry/find",
+                "saved_object:telemetry/open_point_in_time",
+                "saved_object:telemetry/close_point_in_time",
                 "saved_object:url/bulk_get",
                 "saved_object:url/get",
                 "saved_object:url/find",
                 "saved_object:url/open_point_in_time",
                 "saved_object:url/close_point_in_time",
-                "ui:slo/read",
-                "ui:slo/write",
-                "alerting:slo.rules.burnRate/slo/rule/get",
-                "alerting:slo.rules.burnRate/slo/rule/getRuleState",
-                "alerting:slo.rules.burnRate/slo/rule/getAlertSummary",
-                "alerting:slo.rules.burnRate/slo/rule/getExecutionLog",
-                "alerting:slo.rules.burnRate/slo/rule/getActionErrorLog",
-                "alerting:slo.rules.burnRate/slo/rule/find",
-                "alerting:slo.rules.burnRate/slo/rule/getRuleExecutionKPI",
-                "alerting:slo.rules.burnRate/slo/rule/getBackfill",
-                "alerting:slo.rules.burnRate/slo/rule/findBackfill",
-                "alerting:slo.rules.burnRate/slo/rule/create",
-                "alerting:slo.rules.burnRate/slo/rule/delete",
-                "alerting:slo.rules.burnRate/slo/rule/update",
-                "alerting:slo.rules.burnRate/slo/rule/updateApiKey",
-                "alerting:slo.rules.burnRate/slo/rule/enable",
-                "alerting:slo.rules.burnRate/slo/rule/disable",
-                "alerting:slo.rules.burnRate/slo/rule/muteAll",
-                "alerting:slo.rules.burnRate/slo/rule/unmuteAll",
-                "alerting:slo.rules.burnRate/slo/rule/muteAlert",
-                "alerting:slo.rules.burnRate/slo/rule/unmuteAlert",
-                "alerting:slo.rules.burnRate/slo/rule/snooze",
-                "alerting:slo.rules.burnRate/slo/rule/bulkEdit",
-                "alerting:slo.rules.burnRate/slo/rule/bulkDelete",
-                "alerting:slo.rules.burnRate/slo/rule/bulkEnable",
-                "alerting:slo.rules.burnRate/slo/rule/bulkDisable",
-                "alerting:slo.rules.burnRate/slo/rule/unsnooze",
-                "alerting:slo.rules.burnRate/slo/rule/runSoon",
-                "alerting:slo.rules.burnRate/slo/rule/scheduleBackfill",
-                "alerting:slo.rules.burnRate/slo/rule/deleteBackfill",
-                "alerting:slo.rules.burnRate/slo/alert/get",
-                "alerting:slo.rules.burnRate/slo/alert/find",
-                "alerting:slo.rules.burnRate/slo/alert/getAuthorizedAlertsIndices",
-                "alerting:slo.rules.burnRate/slo/alert/getAlertSummary",
-                "alerting:slo.rules.burnRate/slo/alert/update",
+                "ui:infrastructure/show",
+                "alerting:metrics.alert.threshold/infrastructure/rule/get",
+                "alerting:metrics.alert.threshold/infrastructure/rule/getRuleState",
+                "alerting:metrics.alert.threshold/infrastructure/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/infrastructure/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/infrastructure/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/infrastructure/rule/find",
+                "alerting:metrics.alert.threshold/infrastructure/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/infrastructure/rule/getBackfill",
+                "alerting:metrics.alert.threshold/infrastructure/rule/findBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/get",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/alerts/rule/find",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/get",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/find",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/findBackfill",
+                "alerting:.es-query/infrastructure/rule/get",
+                "alerting:.es-query/infrastructure/rule/getRuleState",
+                "alerting:.es-query/infrastructure/rule/getAlertSummary",
+                "alerting:.es-query/infrastructure/rule/getExecutionLog",
+                "alerting:.es-query/infrastructure/rule/getActionErrorLog",
+                "alerting:.es-query/infrastructure/rule/find",
+                "alerting:.es-query/infrastructure/rule/getRuleExecutionKPI",
+                "alerting:.es-query/infrastructure/rule/getBackfill",
+                "alerting:.es-query/infrastructure/rule/findBackfill",
+                "alerting:.es-query/alerts/rule/get",
+                "alerting:.es-query/alerts/rule/getRuleState",
+                "alerting:.es-query/alerts/rule/getAlertSummary",
+                "alerting:.es-query/alerts/rule/getExecutionLog",
+                "alerting:.es-query/alerts/rule/getActionErrorLog",
+                "alerting:.es-query/alerts/rule/find",
+                "alerting:.es-query/alerts/rule/getRuleExecutionKPI",
+                "alerting:.es-query/alerts/rule/getBackfill",
+                "alerting:.es-query/alerts/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/get",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/find",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/get",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/find",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/findBackfill",
+                "alerting:metrics.alert.threshold/infrastructure/alert/get",
+                "alerting:metrics.alert.threshold/infrastructure/alert/find",
+                "alerting:metrics.alert.threshold/infrastructure/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/infrastructure/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/alert/get",
+                "alerting:metrics.alert.threshold/alerts/alert/find",
+                "alerting:metrics.alert.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/alert/get",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/alert/find",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAlertSummary",
+                "alerting:.es-query/infrastructure/alert/get",
+                "alerting:.es-query/infrastructure/alert/find",
+                "alerting:.es-query/infrastructure/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/infrastructure/alert/getAlertSummary",
+                "alerting:.es-query/alerts/alert/get",
+                "alerting:.es-query/alerts/alert/find",
+                "alerting:.es-query/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/alerts/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/infrastructure/alert/get",
+                "alerting:observability.rules.custom_threshold/infrastructure/alert/find",
+                "alerting:observability.rules.custom_threshold/infrastructure/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/infrastructure/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/alert/get",
+                "alerting:observability.rules.custom_threshold/alerts/alert/find",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAlertSummary",
+                "app:logs",
+                "app:observability-logs-explorer",
+                "ui:catalogue/infralogging",
+                "ui:catalogue/logs",
+                "ui:navLinks/logs",
+                "ui:navLinks/observability-logs-explorer",
+                "saved_object:infrastructure-monitoring-log-view/bulk_get",
+                "saved_object:infrastructure-monitoring-log-view/get",
+                "saved_object:infrastructure-monitoring-log-view/find",
+                "saved_object:infrastructure-monitoring-log-view/open_point_in_time",
+                "saved_object:infrastructure-monitoring-log-view/close_point_in_time",
+                "ui:logs/show",
+                "alerting:logs.alert.document.count/logs/rule/get",
+                "alerting:logs.alert.document.count/logs/rule/getRuleState",
+                "alerting:logs.alert.document.count/logs/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/logs/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/logs/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/logs/rule/find",
+                "alerting:logs.alert.document.count/logs/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/logs/rule/getBackfill",
+                "alerting:logs.alert.document.count/logs/rule/findBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/get",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleState",
+                "alerting:logs.alert.document.count/alerts/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/alerts/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/alerts/rule/find",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/alerts/rule/getBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/findBackfill",
+                "alerting:.es-query/logs/rule/get",
+                "alerting:.es-query/logs/rule/getRuleState",
+                "alerting:.es-query/logs/rule/getAlertSummary",
+                "alerting:.es-query/logs/rule/getExecutionLog",
+                "alerting:.es-query/logs/rule/getActionErrorLog",
+                "alerting:.es-query/logs/rule/find",
+                "alerting:.es-query/logs/rule/getRuleExecutionKPI",
+                "alerting:.es-query/logs/rule/getBackfill",
+                "alerting:.es-query/logs/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/logs/rule/get",
+                "alerting:observability.rules.custom_threshold/logs/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/logs/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/logs/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/logs/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/logs/rule/find",
+                "alerting:observability.rules.custom_threshold/logs/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/logs/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/logs/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/findBackfill",
+                "alerting:logs.alert.document.count/logs/alert/get",
+                "alerting:logs.alert.document.count/logs/alert/find",
+                "alerting:logs.alert.document.count/logs/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/logs/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/alert/get",
+                "alerting:logs.alert.document.count/alerts/alert/find",
+                "alerting:logs.alert.document.count/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/alerts/alert/getAlertSummary",
+                "alerting:.es-query/logs/alert/get",
+                "alerting:.es-query/logs/alert/find",
+                "alerting:.es-query/logs/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/logs/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/logs/alert/get",
+                "alerting:observability.rules.custom_threshold/logs/alert/find",
+                "alerting:observability.rules.custom_threshold/logs/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/logs/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAlertSummary",
                 "app:observability",
+                "ui:catalogue/observability",
                 "ui:navLinks/observability",
                 "ui:observability/read",
-                "ui:observability/write",
+                "alerting:apm.error_rate/observability/rule/get",
+                "alerting:apm.error_rate/observability/rule/getRuleState",
+                "alerting:apm.error_rate/observability/rule/getAlertSummary",
+                "alerting:apm.error_rate/observability/rule/getExecutionLog",
+                "alerting:apm.error_rate/observability/rule/getActionErrorLog",
+                "alerting:apm.error_rate/observability/rule/find",
+                "alerting:apm.error_rate/observability/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/observability/rule/getBackfill",
+                "alerting:apm.error_rate/observability/rule/findBackfill",
+                "alerting:apm.error_rate/alerts/rule/get",
+                "alerting:apm.error_rate/alerts/rule/getRuleState",
+                "alerting:apm.error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.error_rate/alerts/rule/find",
+                "alerting:apm.error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/alerts/rule/getBackfill",
+                "alerting:apm.error_rate/alerts/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/observability/rule/get",
+                "alerting:apm.transaction_error_rate/observability/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/observability/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/observability/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/observability/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/observability/rule/find",
+                "alerting:apm.transaction_error_rate/observability/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/observability/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/observability/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/get",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/find",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/alerts/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/findBackfill",
+                "alerting:apm.transaction_duration/observability/rule/get",
+                "alerting:apm.transaction_duration/observability/rule/getRuleState",
+                "alerting:apm.transaction_duration/observability/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/observability/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/observability/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/observability/rule/find",
+                "alerting:apm.transaction_duration/observability/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/observability/rule/getBackfill",
+                "alerting:apm.transaction_duration/observability/rule/findBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/get",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleState",
+                "alerting:apm.transaction_duration/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/alerts/rule/find",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/alerts/rule/getBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/findBackfill",
+                "alerting:apm.anomaly/observability/rule/get",
+                "alerting:apm.anomaly/observability/rule/getRuleState",
+                "alerting:apm.anomaly/observability/rule/getAlertSummary",
+                "alerting:apm.anomaly/observability/rule/getExecutionLog",
+                "alerting:apm.anomaly/observability/rule/getActionErrorLog",
+                "alerting:apm.anomaly/observability/rule/find",
+                "alerting:apm.anomaly/observability/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/observability/rule/getBackfill",
+                "alerting:apm.anomaly/observability/rule/findBackfill",
+                "alerting:apm.anomaly/alerts/rule/get",
+                "alerting:apm.anomaly/alerts/rule/getRuleState",
+                "alerting:apm.anomaly/alerts/rule/getAlertSummary",
+                "alerting:apm.anomaly/alerts/rule/getExecutionLog",
+                "alerting:apm.anomaly/alerts/rule/getActionErrorLog",
+                "alerting:apm.anomaly/alerts/rule/find",
+                "alerting:apm.anomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/alerts/rule/getBackfill",
+                "alerting:apm.anomaly/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/findBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/get",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/observability/rule/find",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/findBackfill",
+                "alerting:logs.alert.document.count/observability/rule/get",
+                "alerting:logs.alert.document.count/observability/rule/getRuleState",
+                "alerting:logs.alert.document.count/observability/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/observability/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/observability/rule/find",
+                "alerting:logs.alert.document.count/observability/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/observability/rule/getBackfill",
+                "alerting:logs.alert.document.count/observability/rule/findBackfill",
                 "alerting:slo.rules.burnRate/observability/rule/get",
                 "alerting:slo.rules.burnRate/observability/rule/getRuleState",
                 "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
@@ -7454,25 +13167,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
                 "alerting:slo.rules.burnRate/observability/rule/getBackfill",
                 "alerting:slo.rules.burnRate/observability/rule/findBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/create",
-                "alerting:slo.rules.burnRate/observability/rule/delete",
-                "alerting:slo.rules.burnRate/observability/rule/update",
-                "alerting:slo.rules.burnRate/observability/rule/updateApiKey",
-                "alerting:slo.rules.burnRate/observability/rule/enable",
-                "alerting:slo.rules.burnRate/observability/rule/disable",
-                "alerting:slo.rules.burnRate/observability/rule/muteAll",
-                "alerting:slo.rules.burnRate/observability/rule/unmuteAll",
-                "alerting:slo.rules.burnRate/observability/rule/muteAlert",
-                "alerting:slo.rules.burnRate/observability/rule/unmuteAlert",
-                "alerting:slo.rules.burnRate/observability/rule/snooze",
-                "alerting:slo.rules.burnRate/observability/rule/bulkEdit",
-                "alerting:slo.rules.burnRate/observability/rule/bulkDelete",
-                "alerting:slo.rules.burnRate/observability/rule/bulkEnable",
-                "alerting:slo.rules.burnRate/observability/rule/bulkDisable",
-                "alerting:slo.rules.burnRate/observability/rule/unsnooze",
-                "alerting:slo.rules.burnRate/observability/rule/runSoon",
-                "alerting:slo.rules.burnRate/observability/rule/scheduleBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/deleteBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/get",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleState",
+                "alerting:slo.rules.burnRate/alerts/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/alerts/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/alerts/rule/find",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/alerts/rule/getBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/findBackfill",
                 "alerting:observability.rules.custom_threshold/observability/rule/get",
                 "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
                 "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
@@ -7482,25 +13185,6 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
                 "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
                 "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/create",
-                "alerting:observability.rules.custom_threshold/observability/rule/delete",
-                "alerting:observability.rules.custom_threshold/observability/rule/update",
-                "alerting:observability.rules.custom_threshold/observability/rule/updateApiKey",
-                "alerting:observability.rules.custom_threshold/observability/rule/enable",
-                "alerting:observability.rules.custom_threshold/observability/rule/disable",
-                "alerting:observability.rules.custom_threshold/observability/rule/muteAll",
-                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAll",
-                "alerting:observability.rules.custom_threshold/observability/rule/muteAlert",
-                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAlert",
-                "alerting:observability.rules.custom_threshold/observability/rule/snooze",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkEdit",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkDelete",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkEnable",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkDisable",
-                "alerting:observability.rules.custom_threshold/observability/rule/unsnooze",
-                "alerting:observability.rules.custom_threshold/observability/rule/runSoon",
-                "alerting:observability.rules.custom_threshold/observability/rule/scheduleBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/deleteBackfill",
                 "alerting:.es-query/observability/rule/get",
                 "alerting:.es-query/observability/rule/getRuleState",
                 "alerting:.es-query/observability/rule/getAlertSummary",
@@ -7510,25 +13194,6 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:.es-query/observability/rule/getRuleExecutionKPI",
                 "alerting:.es-query/observability/rule/getBackfill",
                 "alerting:.es-query/observability/rule/findBackfill",
-                "alerting:.es-query/observability/rule/create",
-                "alerting:.es-query/observability/rule/delete",
-                "alerting:.es-query/observability/rule/update",
-                "alerting:.es-query/observability/rule/updateApiKey",
-                "alerting:.es-query/observability/rule/enable",
-                "alerting:.es-query/observability/rule/disable",
-                "alerting:.es-query/observability/rule/muteAll",
-                "alerting:.es-query/observability/rule/unmuteAll",
-                "alerting:.es-query/observability/rule/muteAlert",
-                "alerting:.es-query/observability/rule/unmuteAlert",
-                "alerting:.es-query/observability/rule/snooze",
-                "alerting:.es-query/observability/rule/bulkEdit",
-                "alerting:.es-query/observability/rule/bulkDelete",
-                "alerting:.es-query/observability/rule/bulkEnable",
-                "alerting:.es-query/observability/rule/bulkDisable",
-                "alerting:.es-query/observability/rule/unsnooze",
-                "alerting:.es-query/observability/rule/runSoon",
-                "alerting:.es-query/observability/rule/scheduleBackfill",
-                "alerting:.es-query/observability/rule/deleteBackfill",
                 "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
                 "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
                 "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
@@ -7538,53 +13203,379 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
                 "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
                 "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/create",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/delete",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/update",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/updateApiKey",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/enable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/disable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/snooze",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEdit",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDelete",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEnable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDisable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unsnooze",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/runSoon",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/scheduleBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/deleteBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/create",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/delete",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/update",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/updateApiKey",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/enable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/disable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAll",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAll",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAlert",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAlert",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/snooze",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEdit",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDelete",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEnable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDisable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unsnooze",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/runSoon",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/scheduleBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/deleteBackfill",
+                "alerting:apm.error_rate/observability/alert/get",
+                "alerting:apm.error_rate/observability/alert/find",
+                "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.error_rate/alerts/alert/get",
+                "alerting:apm.error_rate/alerts/alert/find",
+                "alerting:apm.error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/alerts/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/observability/alert/get",
+                "alerting:apm.transaction_error_rate/observability/alert/find",
+                "alerting:apm.transaction_error_rate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/alert/get",
+                "alerting:apm.transaction_error_rate/alerts/alert/find",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/observability/alert/get",
+                "alerting:apm.transaction_duration/observability/alert/find",
+                "alerting:apm.transaction_duration/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/alert/get",
+                "alerting:apm.transaction_duration/alerts/alert/find",
+                "alerting:apm.transaction_duration/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/alerts/alert/getAlertSummary",
+                "alerting:apm.anomaly/observability/alert/get",
+                "alerting:apm.anomaly/observability/alert/find",
+                "alerting:apm.anomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/observability/alert/getAlertSummary",
+                "alerting:apm.anomaly/alerts/alert/get",
+                "alerting:apm.anomaly/alerts/alert/find",
+                "alerting:apm.anomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/alert/get",
+                "alerting:metrics.alert.threshold/observability/alert/find",
+                "alerting:metrics.alert.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/alert/get",
+                "alerting:logs.alert.document.count/observability/alert/find",
+                "alerting:logs.alert.document.count/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/observability/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/alert/get",
+                "alerting:slo.rules.burnRate/observability/alert/find",
+                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/alert/get",
+                "alerting:slo.rules.burnRate/alerts/alert/find",
+                "alerting:slo.rules.burnRate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/alerts/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/alert/get",
+                "alerting:observability.rules.custom_threshold/observability/alert/find",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
+                "alerting:.es-query/observability/alert/get",
+                "alerting:.es-query/observability/alert/find",
+                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/observability/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
+              ],
+              "read": Array [
+                "login:",
+                "api:infra",
+                "api:rac",
+                "app:infra",
+                "app:metrics",
+                "app:kibana",
+                "ui:catalogue/infraops",
+                "ui:catalogue/metrics",
+                "ui:management/insightsAndAlerting/triggersActions",
+                "ui:navLinks/infra",
+                "ui:navLinks/metrics",
+                "ui:navLinks/kibana",
+                "saved_object:infrastructure-ui-source/bulk_get",
+                "saved_object:infrastructure-ui-source/get",
+                "saved_object:infrastructure-ui-source/find",
+                "saved_object:infrastructure-ui-source/open_point_in_time",
+                "saved_object:infrastructure-ui-source/close_point_in_time",
+                "saved_object:index-pattern/bulk_get",
+                "saved_object:index-pattern/get",
+                "saved_object:index-pattern/find",
+                "saved_object:index-pattern/open_point_in_time",
+                "saved_object:index-pattern/close_point_in_time",
+                "saved_object:metrics-data-source/bulk_get",
+                "saved_object:metrics-data-source/get",
+                "saved_object:metrics-data-source/find",
+                "saved_object:metrics-data-source/open_point_in_time",
+                "saved_object:metrics-data-source/close_point_in_time",
+                "saved_object:config/bulk_get",
+                "saved_object:config/get",
+                "saved_object:config/find",
+                "saved_object:config/open_point_in_time",
+                "saved_object:config/close_point_in_time",
+                "saved_object:config-global/bulk_get",
+                "saved_object:config-global/get",
+                "saved_object:config-global/find",
+                "saved_object:config-global/open_point_in_time",
+                "saved_object:config-global/close_point_in_time",
+                "saved_object:telemetry/bulk_get",
+                "saved_object:telemetry/get",
+                "saved_object:telemetry/find",
+                "saved_object:telemetry/open_point_in_time",
+                "saved_object:telemetry/close_point_in_time",
+                "saved_object:url/bulk_get",
+                "saved_object:url/get",
+                "saved_object:url/find",
+                "saved_object:url/open_point_in_time",
+                "saved_object:url/close_point_in_time",
+                "ui:infrastructure/show",
+                "alerting:metrics.alert.threshold/infrastructure/rule/get",
+                "alerting:metrics.alert.threshold/infrastructure/rule/getRuleState",
+                "alerting:metrics.alert.threshold/infrastructure/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/infrastructure/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/infrastructure/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/infrastructure/rule/find",
+                "alerting:metrics.alert.threshold/infrastructure/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/infrastructure/rule/getBackfill",
+                "alerting:metrics.alert.threshold/infrastructure/rule/findBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/get",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/alerts/rule/find",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/get",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/find",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/findBackfill",
+                "alerting:.es-query/infrastructure/rule/get",
+                "alerting:.es-query/infrastructure/rule/getRuleState",
+                "alerting:.es-query/infrastructure/rule/getAlertSummary",
+                "alerting:.es-query/infrastructure/rule/getExecutionLog",
+                "alerting:.es-query/infrastructure/rule/getActionErrorLog",
+                "alerting:.es-query/infrastructure/rule/find",
+                "alerting:.es-query/infrastructure/rule/getRuleExecutionKPI",
+                "alerting:.es-query/infrastructure/rule/getBackfill",
+                "alerting:.es-query/infrastructure/rule/findBackfill",
+                "alerting:.es-query/alerts/rule/get",
+                "alerting:.es-query/alerts/rule/getRuleState",
+                "alerting:.es-query/alerts/rule/getAlertSummary",
+                "alerting:.es-query/alerts/rule/getExecutionLog",
+                "alerting:.es-query/alerts/rule/getActionErrorLog",
+                "alerting:.es-query/alerts/rule/find",
+                "alerting:.es-query/alerts/rule/getRuleExecutionKPI",
+                "alerting:.es-query/alerts/rule/getBackfill",
+                "alerting:.es-query/alerts/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/get",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/find",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/infrastructure/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/get",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/find",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/findBackfill",
+                "alerting:metrics.alert.threshold/infrastructure/alert/get",
+                "alerting:metrics.alert.threshold/infrastructure/alert/find",
+                "alerting:metrics.alert.threshold/infrastructure/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/infrastructure/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/alert/get",
+                "alerting:metrics.alert.threshold/alerts/alert/find",
+                "alerting:metrics.alert.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/alert/get",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/alert/find",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/infrastructure/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAlertSummary",
+                "alerting:.es-query/infrastructure/alert/get",
+                "alerting:.es-query/infrastructure/alert/find",
+                "alerting:.es-query/infrastructure/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/infrastructure/alert/getAlertSummary",
+                "alerting:.es-query/alerts/alert/get",
+                "alerting:.es-query/alerts/alert/find",
+                "alerting:.es-query/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/alerts/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/infrastructure/alert/get",
+                "alerting:observability.rules.custom_threshold/infrastructure/alert/find",
+                "alerting:observability.rules.custom_threshold/infrastructure/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/infrastructure/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/alert/get",
+                "alerting:observability.rules.custom_threshold/alerts/alert/find",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/infrastructure/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAlertSummary",
+                "app:logs",
+                "app:observability-logs-explorer",
+                "ui:catalogue/infralogging",
+                "ui:catalogue/logs",
+                "ui:navLinks/logs",
+                "ui:navLinks/observability-logs-explorer",
+                "saved_object:infrastructure-monitoring-log-view/bulk_get",
+                "saved_object:infrastructure-monitoring-log-view/get",
+                "saved_object:infrastructure-monitoring-log-view/find",
+                "saved_object:infrastructure-monitoring-log-view/open_point_in_time",
+                "saved_object:infrastructure-monitoring-log-view/close_point_in_time",
+                "ui:logs/show",
+                "alerting:logs.alert.document.count/logs/rule/get",
+                "alerting:logs.alert.document.count/logs/rule/getRuleState",
+                "alerting:logs.alert.document.count/logs/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/logs/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/logs/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/logs/rule/find",
+                "alerting:logs.alert.document.count/logs/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/logs/rule/getBackfill",
+                "alerting:logs.alert.document.count/logs/rule/findBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/get",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleState",
+                "alerting:logs.alert.document.count/alerts/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/alerts/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/alerts/rule/find",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/alerts/rule/getBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/findBackfill",
+                "alerting:.es-query/logs/rule/get",
+                "alerting:.es-query/logs/rule/getRuleState",
+                "alerting:.es-query/logs/rule/getAlertSummary",
+                "alerting:.es-query/logs/rule/getExecutionLog",
+                "alerting:.es-query/logs/rule/getActionErrorLog",
+                "alerting:.es-query/logs/rule/find",
+                "alerting:.es-query/logs/rule/getRuleExecutionKPI",
+                "alerting:.es-query/logs/rule/getBackfill",
+                "alerting:.es-query/logs/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/logs/rule/get",
+                "alerting:observability.rules.custom_threshold/logs/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/logs/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/logs/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/logs/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/logs/rule/find",
+                "alerting:observability.rules.custom_threshold/logs/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/logs/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/logs/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/rule/findBackfill",
+                "alerting:logs.alert.document.count/logs/alert/get",
+                "alerting:logs.alert.document.count/logs/alert/find",
+                "alerting:logs.alert.document.count/logs/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/logs/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/alert/get",
+                "alerting:logs.alert.document.count/alerts/alert/find",
+                "alerting:logs.alert.document.count/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/alerts/alert/getAlertSummary",
+                "alerting:.es-query/logs/alert/get",
+                "alerting:.es-query/logs/alert/find",
+                "alerting:.es-query/logs/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/logs/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/logs/alert/get",
+                "alerting:observability.rules.custom_threshold/logs/alert/find",
+                "alerting:observability.rules.custom_threshold/logs/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/logs/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/logs/alert/getAlertSummary",
+                "app:observability",
+                "ui:catalogue/observability",
+                "ui:navLinks/observability",
+                "ui:observability/read",
                 "alerting:apm.error_rate/observability/rule/get",
                 "alerting:apm.error_rate/observability/rule/getRuleState",
                 "alerting:apm.error_rate/observability/rule/getAlertSummary",
@@ -7594,25 +13585,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.error_rate/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.error_rate/observability/rule/getBackfill",
                 "alerting:apm.error_rate/observability/rule/findBackfill",
-                "alerting:apm.error_rate/observability/rule/create",
-                "alerting:apm.error_rate/observability/rule/delete",
-                "alerting:apm.error_rate/observability/rule/update",
-                "alerting:apm.error_rate/observability/rule/updateApiKey",
-                "alerting:apm.error_rate/observability/rule/enable",
-                "alerting:apm.error_rate/observability/rule/disable",
-                "alerting:apm.error_rate/observability/rule/muteAll",
-                "alerting:apm.error_rate/observability/rule/unmuteAll",
-                "alerting:apm.error_rate/observability/rule/muteAlert",
-                "alerting:apm.error_rate/observability/rule/unmuteAlert",
-                "alerting:apm.error_rate/observability/rule/snooze",
-                "alerting:apm.error_rate/observability/rule/bulkEdit",
-                "alerting:apm.error_rate/observability/rule/bulkDelete",
-                "alerting:apm.error_rate/observability/rule/bulkEnable",
-                "alerting:apm.error_rate/observability/rule/bulkDisable",
-                "alerting:apm.error_rate/observability/rule/unsnooze",
-                "alerting:apm.error_rate/observability/rule/runSoon",
-                "alerting:apm.error_rate/observability/rule/scheduleBackfill",
-                "alerting:apm.error_rate/observability/rule/deleteBackfill",
+                "alerting:apm.error_rate/alerts/rule/get",
+                "alerting:apm.error_rate/alerts/rule/getRuleState",
+                "alerting:apm.error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.error_rate/alerts/rule/find",
+                "alerting:apm.error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/alerts/rule/getBackfill",
+                "alerting:apm.error_rate/alerts/rule/findBackfill",
                 "alerting:apm.transaction_error_rate/observability/rule/get",
                 "alerting:apm.transaction_error_rate/observability/rule/getRuleState",
                 "alerting:apm.transaction_error_rate/observability/rule/getAlertSummary",
@@ -7622,25 +13603,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.transaction_error_rate/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.transaction_error_rate/observability/rule/getBackfill",
                 "alerting:apm.transaction_error_rate/observability/rule/findBackfill",
-                "alerting:apm.transaction_error_rate/observability/rule/create",
-                "alerting:apm.transaction_error_rate/observability/rule/delete",
-                "alerting:apm.transaction_error_rate/observability/rule/update",
-                "alerting:apm.transaction_error_rate/observability/rule/updateApiKey",
-                "alerting:apm.transaction_error_rate/observability/rule/enable",
-                "alerting:apm.transaction_error_rate/observability/rule/disable",
-                "alerting:apm.transaction_error_rate/observability/rule/muteAll",
-                "alerting:apm.transaction_error_rate/observability/rule/unmuteAll",
-                "alerting:apm.transaction_error_rate/observability/rule/muteAlert",
-                "alerting:apm.transaction_error_rate/observability/rule/unmuteAlert",
-                "alerting:apm.transaction_error_rate/observability/rule/snooze",
-                "alerting:apm.transaction_error_rate/observability/rule/bulkEdit",
-                "alerting:apm.transaction_error_rate/observability/rule/bulkDelete",
-                "alerting:apm.transaction_error_rate/observability/rule/bulkEnable",
-                "alerting:apm.transaction_error_rate/observability/rule/bulkDisable",
-                "alerting:apm.transaction_error_rate/observability/rule/unsnooze",
-                "alerting:apm.transaction_error_rate/observability/rule/runSoon",
-                "alerting:apm.transaction_error_rate/observability/rule/scheduleBackfill",
-                "alerting:apm.transaction_error_rate/observability/rule/deleteBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/get",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/find",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/alerts/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/findBackfill",
                 "alerting:apm.transaction_duration/observability/rule/get",
                 "alerting:apm.transaction_duration/observability/rule/getRuleState",
                 "alerting:apm.transaction_duration/observability/rule/getAlertSummary",
@@ -7650,25 +13621,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.transaction_duration/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.transaction_duration/observability/rule/getBackfill",
                 "alerting:apm.transaction_duration/observability/rule/findBackfill",
-                "alerting:apm.transaction_duration/observability/rule/create",
-                "alerting:apm.transaction_duration/observability/rule/delete",
-                "alerting:apm.transaction_duration/observability/rule/update",
-                "alerting:apm.transaction_duration/observability/rule/updateApiKey",
-                "alerting:apm.transaction_duration/observability/rule/enable",
-                "alerting:apm.transaction_duration/observability/rule/disable",
-                "alerting:apm.transaction_duration/observability/rule/muteAll",
-                "alerting:apm.transaction_duration/observability/rule/unmuteAll",
-                "alerting:apm.transaction_duration/observability/rule/muteAlert",
-                "alerting:apm.transaction_duration/observability/rule/unmuteAlert",
-                "alerting:apm.transaction_duration/observability/rule/snooze",
-                "alerting:apm.transaction_duration/observability/rule/bulkEdit",
-                "alerting:apm.transaction_duration/observability/rule/bulkDelete",
-                "alerting:apm.transaction_duration/observability/rule/bulkEnable",
-                "alerting:apm.transaction_duration/observability/rule/bulkDisable",
-                "alerting:apm.transaction_duration/observability/rule/unsnooze",
-                "alerting:apm.transaction_duration/observability/rule/runSoon",
-                "alerting:apm.transaction_duration/observability/rule/scheduleBackfill",
-                "alerting:apm.transaction_duration/observability/rule/deleteBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/get",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleState",
+                "alerting:apm.transaction_duration/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/alerts/rule/find",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/alerts/rule/getBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/findBackfill",
                 "alerting:apm.anomaly/observability/rule/get",
                 "alerting:apm.anomaly/observability/rule/getRuleState",
                 "alerting:apm.anomaly/observability/rule/getAlertSummary",
@@ -7678,138 +13639,429 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.anomaly/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.anomaly/observability/rule/getBackfill",
                 "alerting:apm.anomaly/observability/rule/findBackfill",
-                "alerting:apm.anomaly/observability/rule/create",
-                "alerting:apm.anomaly/observability/rule/delete",
-                "alerting:apm.anomaly/observability/rule/update",
-                "alerting:apm.anomaly/observability/rule/updateApiKey",
-                "alerting:apm.anomaly/observability/rule/enable",
-                "alerting:apm.anomaly/observability/rule/disable",
-                "alerting:apm.anomaly/observability/rule/muteAll",
-                "alerting:apm.anomaly/observability/rule/unmuteAll",
-                "alerting:apm.anomaly/observability/rule/muteAlert",
-                "alerting:apm.anomaly/observability/rule/unmuteAlert",
-                "alerting:apm.anomaly/observability/rule/snooze",
-                "alerting:apm.anomaly/observability/rule/bulkEdit",
-                "alerting:apm.anomaly/observability/rule/bulkDelete",
-                "alerting:apm.anomaly/observability/rule/bulkEnable",
-                "alerting:apm.anomaly/observability/rule/bulkDisable",
-                "alerting:apm.anomaly/observability/rule/unsnooze",
-                "alerting:apm.anomaly/observability/rule/runSoon",
-                "alerting:apm.anomaly/observability/rule/scheduleBackfill",
-                "alerting:apm.anomaly/observability/rule/deleteBackfill",
+                "alerting:apm.anomaly/alerts/rule/get",
+                "alerting:apm.anomaly/alerts/rule/getRuleState",
+                "alerting:apm.anomaly/alerts/rule/getAlertSummary",
+                "alerting:apm.anomaly/alerts/rule/getExecutionLog",
+                "alerting:apm.anomaly/alerts/rule/getActionErrorLog",
+                "alerting:apm.anomaly/alerts/rule/find",
+                "alerting:apm.anomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/alerts/rule/getBackfill",
+                "alerting:apm.anomaly/alerts/rule/findBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getAlertSummary",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getExecutionLog",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getActionErrorLog",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/find",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getBackfill",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/findBackfill",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/create",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/delete",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/update",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/updateApiKey",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/enable",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/disable",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/muteAll",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unmuteAll",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/muteAlert",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unmuteAlert",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/snooze",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkEdit",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkDelete",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkEnable",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkDisable",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unsnooze",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/runSoon",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/scheduleBackfill",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/deleteBackfill",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/get",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleState",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getExecutionLog",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getActionErrorLog",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/find",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/getBackfill",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/findBackfill",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/create",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/delete",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/update",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/updateApiKey",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/enable",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/disable",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/muteAll",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/unmuteAll",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/muteAlert",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/unmuteAlert",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/snooze",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkEdit",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkDelete",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkEnable",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkDisable",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/unsnooze",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/runSoon",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/scheduleBackfill",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/deleteBackfill",
-                "alerting:slo.rules.burnRate/observability/alert/get",
-                "alerting:slo.rules.burnRate/observability/alert/find",
-                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
-                "alerting:slo.rules.burnRate/observability/alert/update",
-                "alerting:observability.rules.custom_threshold/observability/alert/get",
-                "alerting:observability.rules.custom_threshold/observability/alert/find",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/alert/update",
-                "alerting:.es-query/observability/alert/get",
-                "alerting:.es-query/observability/alert/find",
-                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/observability/alert/getAlertSummary",
-                "alerting:.es-query/observability/alert/update",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/update",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/findBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/get",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/observability/rule/find",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/findBackfill",
+                "alerting:logs.alert.document.count/observability/rule/get",
+                "alerting:logs.alert.document.count/observability/rule/getRuleState",
+                "alerting:logs.alert.document.count/observability/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/observability/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/observability/rule/find",
+                "alerting:logs.alert.document.count/observability/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/observability/rule/getBackfill",
+                "alerting:logs.alert.document.count/observability/rule/findBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/get",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
+                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/observability/rule/find",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/get",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleState",
+                "alerting:slo.rules.burnRate/alerts/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/alerts/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/alerts/rule/find",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/alerts/rule/getBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/get",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/find",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
+                "alerting:.es-query/observability/rule/get",
+                "alerting:.es-query/observability/rule/getRuleState",
+                "alerting:.es-query/observability/rule/getAlertSummary",
+                "alerting:.es-query/observability/rule/getExecutionLog",
+                "alerting:.es-query/observability/rule/getActionErrorLog",
+                "alerting:.es-query/observability/rule/find",
+                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
+                "alerting:.es-query/observability/rule/getBackfill",
+                "alerting:.es-query/observability/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
                 "alerting:apm.error_rate/observability/alert/get",
                 "alerting:apm.error_rate/observability/alert/find",
                 "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.error_rate/observability/alert/getAlertSummary",
-                "alerting:apm.error_rate/observability/alert/update",
+                "alerting:apm.error_rate/alerts/alert/get",
+                "alerting:apm.error_rate/alerts/alert/find",
+                "alerting:apm.error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/alerts/alert/getAlertSummary",
                 "alerting:apm.transaction_error_rate/observability/alert/get",
                 "alerting:apm.transaction_error_rate/observability/alert/find",
                 "alerting:apm.transaction_error_rate/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_error_rate/observability/alert/getAlertSummary",
-                "alerting:apm.transaction_error_rate/observability/alert/update",
+                "alerting:apm.transaction_error_rate/alerts/alert/get",
+                "alerting:apm.transaction_error_rate/alerts/alert/find",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAlertSummary",
                 "alerting:apm.transaction_duration/observability/alert/get",
                 "alerting:apm.transaction_duration/observability/alert/find",
                 "alerting:apm.transaction_duration/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_duration/observability/alert/getAlertSummary",
-                "alerting:apm.transaction_duration/observability/alert/update",
+                "alerting:apm.transaction_duration/alerts/alert/get",
+                "alerting:apm.transaction_duration/alerts/alert/find",
+                "alerting:apm.transaction_duration/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/alerts/alert/getAlertSummary",
                 "alerting:apm.anomaly/observability/alert/get",
                 "alerting:apm.anomaly/observability/alert/find",
                 "alerting:apm.anomaly/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.anomaly/observability/alert/getAlertSummary",
-                "alerting:apm.anomaly/observability/alert/update",
+                "alerting:apm.anomaly/alerts/alert/get",
+                "alerting:apm.anomaly/alerts/alert/find",
+                "alerting:apm.anomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/alerts/alert/getAlertSummary",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAlertSummary",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/get",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/find",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.tls/observability/alert/update",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/alert/get",
+                "alerting:metrics.alert.threshold/observability/alert/find",
+                "alerting:metrics.alert.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/alert/get",
+                "alerting:logs.alert.document.count/observability/alert/find",
+                "alerting:logs.alert.document.count/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/observability/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/alert/get",
+                "alerting:slo.rules.burnRate/observability/alert/find",
+                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/alert/get",
+                "alerting:slo.rules.burnRate/alerts/alert/find",
+                "alerting:slo.rules.burnRate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/alerts/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/alert/get",
+                "alerting:observability.rules.custom_threshold/observability/alert/find",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
+                "alerting:.es-query/observability/alert/get",
+                "alerting:.es-query/observability/alert/find",
+                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/observability/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
+              ],
+            },
+            "reporting": Object {
+              "all": Array [
+                "login:",
+                "saved_object:telemetry/bulk_get",
+                "saved_object:telemetry/get",
+                "saved_object:telemetry/find",
+                "saved_object:telemetry/open_point_in_time",
+                "saved_object:telemetry/close_point_in_time",
+                "saved_object:telemetry/create",
+                "saved_object:telemetry/bulk_create",
+                "saved_object:telemetry/update",
+                "saved_object:telemetry/bulk_update",
+                "saved_object:telemetry/delete",
+                "saved_object:telemetry/bulk_delete",
+                "saved_object:telemetry/share_to_space",
+                "saved_object:config/bulk_get",
+                "saved_object:config/get",
+                "saved_object:config/find",
+                "saved_object:config/open_point_in_time",
+                "saved_object:config/close_point_in_time",
+                "saved_object:config-global/bulk_get",
+                "saved_object:config-global/get",
+                "saved_object:config-global/find",
+                "saved_object:config-global/open_point_in_time",
+                "saved_object:config-global/close_point_in_time",
+                "saved_object:url/bulk_get",
+                "saved_object:url/get",
+                "saved_object:url/find",
+                "saved_object:url/open_point_in_time",
+                "saved_object:url/close_point_in_time",
+                "api:downloadCsv",
+                "ui:management/insightsAndAlerting/reporting",
+                "ui:dashboard/downloadCsv",
+                "api:generateReport",
+                "ui:discover/generateCsv",
               ],
               "minimal_all": Array [
+                "login:",
+                "saved_object:telemetry/bulk_get",
+                "saved_object:telemetry/get",
+                "saved_object:telemetry/find",
+                "saved_object:telemetry/open_point_in_time",
+                "saved_object:telemetry/close_point_in_time",
+                "saved_object:telemetry/create",
+                "saved_object:telemetry/bulk_create",
+                "saved_object:telemetry/update",
+                "saved_object:telemetry/bulk_update",
+                "saved_object:telemetry/delete",
+                "saved_object:telemetry/bulk_delete",
+                "saved_object:telemetry/share_to_space",
+                "saved_object:config/bulk_get",
+                "saved_object:config/get",
+                "saved_object:config/find",
+                "saved_object:config/open_point_in_time",
+                "saved_object:config/close_point_in_time",
+                "saved_object:config-global/bulk_get",
+                "saved_object:config-global/get",
+                "saved_object:config-global/find",
+                "saved_object:config-global/open_point_in_time",
+                "saved_object:config-global/close_point_in_time",
+                "saved_object:url/bulk_get",
+                "saved_object:url/get",
+                "saved_object:url/find",
+                "saved_object:url/open_point_in_time",
+                "saved_object:url/close_point_in_time",
+                "api:downloadCsv",
+                "ui:management/insightsAndAlerting/reporting",
+                "ui:dashboard/downloadCsv",
+                "api:generateReport",
+                "ui:discover/generateCsv",
+              ],
+              "minimal_read": Array [
+                "login:",
+                "saved_object:config/bulk_get",
+                "saved_object:config/get",
+                "saved_object:config/find",
+                "saved_object:config/open_point_in_time",
+                "saved_object:config/close_point_in_time",
+                "saved_object:config-global/bulk_get",
+                "saved_object:config-global/get",
+                "saved_object:config-global/find",
+                "saved_object:config-global/open_point_in_time",
+                "saved_object:config-global/close_point_in_time",
+                "saved_object:telemetry/bulk_get",
+                "saved_object:telemetry/get",
+                "saved_object:telemetry/find",
+                "saved_object:telemetry/open_point_in_time",
+                "saved_object:telemetry/close_point_in_time",
+                "saved_object:url/bulk_get",
+                "saved_object:url/get",
+                "saved_object:url/find",
+                "saved_object:url/open_point_in_time",
+                "saved_object:url/close_point_in_time",
+              ],
+              "read": Array [
+                "login:",
+                "saved_object:config/bulk_get",
+                "saved_object:config/get",
+                "saved_object:config/find",
+                "saved_object:config/open_point_in_time",
+                "saved_object:config/close_point_in_time",
+                "saved_object:config-global/bulk_get",
+                "saved_object:config-global/get",
+                "saved_object:config-global/find",
+                "saved_object:config-global/open_point_in_time",
+                "saved_object:config-global/close_point_in_time",
+                "saved_object:telemetry/bulk_get",
+                "saved_object:telemetry/get",
+                "saved_object:telemetry/find",
+                "saved_object:telemetry/open_point_in_time",
+                "saved_object:telemetry/close_point_in_time",
+                "saved_object:url/bulk_get",
+                "saved_object:url/get",
+                "saved_object:url/find",
+                "saved_object:url/open_point_in_time",
+                "saved_object:url/close_point_in_time",
+              ],
+            },
+            "slo": Object {
+              "all": Array [
                 "login:",
                 "api:slo_write",
                 "api:slo_read",
@@ -7901,15 +14153,776 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:slo.rules.burnRate/slo/rule/runSoon",
                 "alerting:slo.rules.burnRate/slo/rule/scheduleBackfill",
                 "alerting:slo.rules.burnRate/slo/rule/deleteBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/get",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleState",
+                "alerting:slo.rules.burnRate/alerts/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/alerts/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/alerts/rule/find",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/alerts/rule/getBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/findBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/create",
+                "alerting:slo.rules.burnRate/alerts/rule/delete",
+                "alerting:slo.rules.burnRate/alerts/rule/update",
+                "alerting:slo.rules.burnRate/alerts/rule/updateApiKey",
+                "alerting:slo.rules.burnRate/alerts/rule/enable",
+                "alerting:slo.rules.burnRate/alerts/rule/disable",
+                "alerting:slo.rules.burnRate/alerts/rule/muteAll",
+                "alerting:slo.rules.burnRate/alerts/rule/unmuteAll",
+                "alerting:slo.rules.burnRate/alerts/rule/muteAlert",
+                "alerting:slo.rules.burnRate/alerts/rule/unmuteAlert",
+                "alerting:slo.rules.burnRate/alerts/rule/snooze",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkEdit",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkDelete",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkEnable",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkDisable",
+                "alerting:slo.rules.burnRate/alerts/rule/unsnooze",
+                "alerting:slo.rules.burnRate/alerts/rule/runSoon",
+                "alerting:slo.rules.burnRate/alerts/rule/scheduleBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/deleteBackfill",
                 "alerting:slo.rules.burnRate/slo/alert/get",
                 "alerting:slo.rules.burnRate/slo/alert/find",
                 "alerting:slo.rules.burnRate/slo/alert/getAuthorizedAlertsIndices",
                 "alerting:slo.rules.burnRate/slo/alert/getAlertSummary",
                 "alerting:slo.rules.burnRate/slo/alert/update",
+                "alerting:slo.rules.burnRate/alerts/alert/get",
+                "alerting:slo.rules.burnRate/alerts/alert/find",
+                "alerting:slo.rules.burnRate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/alerts/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/alert/update",
                 "app:observability",
                 "ui:navLinks/observability",
                 "ui:observability/read",
                 "ui:observability/write",
+                "alerting:apm.error_rate/observability/rule/get",
+                "alerting:apm.error_rate/observability/rule/getRuleState",
+                "alerting:apm.error_rate/observability/rule/getAlertSummary",
+                "alerting:apm.error_rate/observability/rule/getExecutionLog",
+                "alerting:apm.error_rate/observability/rule/getActionErrorLog",
+                "alerting:apm.error_rate/observability/rule/find",
+                "alerting:apm.error_rate/observability/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/observability/rule/getBackfill",
+                "alerting:apm.error_rate/observability/rule/findBackfill",
+                "alerting:apm.error_rate/observability/rule/create",
+                "alerting:apm.error_rate/observability/rule/delete",
+                "alerting:apm.error_rate/observability/rule/update",
+                "alerting:apm.error_rate/observability/rule/updateApiKey",
+                "alerting:apm.error_rate/observability/rule/enable",
+                "alerting:apm.error_rate/observability/rule/disable",
+                "alerting:apm.error_rate/observability/rule/muteAll",
+                "alerting:apm.error_rate/observability/rule/unmuteAll",
+                "alerting:apm.error_rate/observability/rule/muteAlert",
+                "alerting:apm.error_rate/observability/rule/unmuteAlert",
+                "alerting:apm.error_rate/observability/rule/snooze",
+                "alerting:apm.error_rate/observability/rule/bulkEdit",
+                "alerting:apm.error_rate/observability/rule/bulkDelete",
+                "alerting:apm.error_rate/observability/rule/bulkEnable",
+                "alerting:apm.error_rate/observability/rule/bulkDisable",
+                "alerting:apm.error_rate/observability/rule/unsnooze",
+                "alerting:apm.error_rate/observability/rule/runSoon",
+                "alerting:apm.error_rate/observability/rule/scheduleBackfill",
+                "alerting:apm.error_rate/observability/rule/deleteBackfill",
+                "alerting:apm.error_rate/alerts/rule/get",
+                "alerting:apm.error_rate/alerts/rule/getRuleState",
+                "alerting:apm.error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.error_rate/alerts/rule/find",
+                "alerting:apm.error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/alerts/rule/getBackfill",
+                "alerting:apm.error_rate/alerts/rule/findBackfill",
+                "alerting:apm.error_rate/alerts/rule/create",
+                "alerting:apm.error_rate/alerts/rule/delete",
+                "alerting:apm.error_rate/alerts/rule/update",
+                "alerting:apm.error_rate/alerts/rule/updateApiKey",
+                "alerting:apm.error_rate/alerts/rule/enable",
+                "alerting:apm.error_rate/alerts/rule/disable",
+                "alerting:apm.error_rate/alerts/rule/muteAll",
+                "alerting:apm.error_rate/alerts/rule/unmuteAll",
+                "alerting:apm.error_rate/alerts/rule/muteAlert",
+                "alerting:apm.error_rate/alerts/rule/unmuteAlert",
+                "alerting:apm.error_rate/alerts/rule/snooze",
+                "alerting:apm.error_rate/alerts/rule/bulkEdit",
+                "alerting:apm.error_rate/alerts/rule/bulkDelete",
+                "alerting:apm.error_rate/alerts/rule/bulkEnable",
+                "alerting:apm.error_rate/alerts/rule/bulkDisable",
+                "alerting:apm.error_rate/alerts/rule/unsnooze",
+                "alerting:apm.error_rate/alerts/rule/runSoon",
+                "alerting:apm.error_rate/alerts/rule/scheduleBackfill",
+                "alerting:apm.error_rate/alerts/rule/deleteBackfill",
+                "alerting:apm.transaction_error_rate/observability/rule/get",
+                "alerting:apm.transaction_error_rate/observability/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/observability/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/observability/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/observability/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/observability/rule/find",
+                "alerting:apm.transaction_error_rate/observability/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/observability/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/observability/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/observability/rule/create",
+                "alerting:apm.transaction_error_rate/observability/rule/delete",
+                "alerting:apm.transaction_error_rate/observability/rule/update",
+                "alerting:apm.transaction_error_rate/observability/rule/updateApiKey",
+                "alerting:apm.transaction_error_rate/observability/rule/enable",
+                "alerting:apm.transaction_error_rate/observability/rule/disable",
+                "alerting:apm.transaction_error_rate/observability/rule/muteAll",
+                "alerting:apm.transaction_error_rate/observability/rule/unmuteAll",
+                "alerting:apm.transaction_error_rate/observability/rule/muteAlert",
+                "alerting:apm.transaction_error_rate/observability/rule/unmuteAlert",
+                "alerting:apm.transaction_error_rate/observability/rule/snooze",
+                "alerting:apm.transaction_error_rate/observability/rule/bulkEdit",
+                "alerting:apm.transaction_error_rate/observability/rule/bulkDelete",
+                "alerting:apm.transaction_error_rate/observability/rule/bulkEnable",
+                "alerting:apm.transaction_error_rate/observability/rule/bulkDisable",
+                "alerting:apm.transaction_error_rate/observability/rule/unsnooze",
+                "alerting:apm.transaction_error_rate/observability/rule/runSoon",
+                "alerting:apm.transaction_error_rate/observability/rule/scheduleBackfill",
+                "alerting:apm.transaction_error_rate/observability/rule/deleteBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/get",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/find",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/alerts/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/create",
+                "alerting:apm.transaction_error_rate/alerts/rule/delete",
+                "alerting:apm.transaction_error_rate/alerts/rule/update",
+                "alerting:apm.transaction_error_rate/alerts/rule/updateApiKey",
+                "alerting:apm.transaction_error_rate/alerts/rule/enable",
+                "alerting:apm.transaction_error_rate/alerts/rule/disable",
+                "alerting:apm.transaction_error_rate/alerts/rule/muteAll",
+                "alerting:apm.transaction_error_rate/alerts/rule/unmuteAll",
+                "alerting:apm.transaction_error_rate/alerts/rule/muteAlert",
+                "alerting:apm.transaction_error_rate/alerts/rule/unmuteAlert",
+                "alerting:apm.transaction_error_rate/alerts/rule/snooze",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkEdit",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkDelete",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkEnable",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkDisable",
+                "alerting:apm.transaction_error_rate/alerts/rule/unsnooze",
+                "alerting:apm.transaction_error_rate/alerts/rule/runSoon",
+                "alerting:apm.transaction_error_rate/alerts/rule/scheduleBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/deleteBackfill",
+                "alerting:apm.transaction_duration/observability/rule/get",
+                "alerting:apm.transaction_duration/observability/rule/getRuleState",
+                "alerting:apm.transaction_duration/observability/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/observability/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/observability/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/observability/rule/find",
+                "alerting:apm.transaction_duration/observability/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/observability/rule/getBackfill",
+                "alerting:apm.transaction_duration/observability/rule/findBackfill",
+                "alerting:apm.transaction_duration/observability/rule/create",
+                "alerting:apm.transaction_duration/observability/rule/delete",
+                "alerting:apm.transaction_duration/observability/rule/update",
+                "alerting:apm.transaction_duration/observability/rule/updateApiKey",
+                "alerting:apm.transaction_duration/observability/rule/enable",
+                "alerting:apm.transaction_duration/observability/rule/disable",
+                "alerting:apm.transaction_duration/observability/rule/muteAll",
+                "alerting:apm.transaction_duration/observability/rule/unmuteAll",
+                "alerting:apm.transaction_duration/observability/rule/muteAlert",
+                "alerting:apm.transaction_duration/observability/rule/unmuteAlert",
+                "alerting:apm.transaction_duration/observability/rule/snooze",
+                "alerting:apm.transaction_duration/observability/rule/bulkEdit",
+                "alerting:apm.transaction_duration/observability/rule/bulkDelete",
+                "alerting:apm.transaction_duration/observability/rule/bulkEnable",
+                "alerting:apm.transaction_duration/observability/rule/bulkDisable",
+                "alerting:apm.transaction_duration/observability/rule/unsnooze",
+                "alerting:apm.transaction_duration/observability/rule/runSoon",
+                "alerting:apm.transaction_duration/observability/rule/scheduleBackfill",
+                "alerting:apm.transaction_duration/observability/rule/deleteBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/get",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleState",
+                "alerting:apm.transaction_duration/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/alerts/rule/find",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/alerts/rule/getBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/findBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/create",
+                "alerting:apm.transaction_duration/alerts/rule/delete",
+                "alerting:apm.transaction_duration/alerts/rule/update",
+                "alerting:apm.transaction_duration/alerts/rule/updateApiKey",
+                "alerting:apm.transaction_duration/alerts/rule/enable",
+                "alerting:apm.transaction_duration/alerts/rule/disable",
+                "alerting:apm.transaction_duration/alerts/rule/muteAll",
+                "alerting:apm.transaction_duration/alerts/rule/unmuteAll",
+                "alerting:apm.transaction_duration/alerts/rule/muteAlert",
+                "alerting:apm.transaction_duration/alerts/rule/unmuteAlert",
+                "alerting:apm.transaction_duration/alerts/rule/snooze",
+                "alerting:apm.transaction_duration/alerts/rule/bulkEdit",
+                "alerting:apm.transaction_duration/alerts/rule/bulkDelete",
+                "alerting:apm.transaction_duration/alerts/rule/bulkEnable",
+                "alerting:apm.transaction_duration/alerts/rule/bulkDisable",
+                "alerting:apm.transaction_duration/alerts/rule/unsnooze",
+                "alerting:apm.transaction_duration/alerts/rule/runSoon",
+                "alerting:apm.transaction_duration/alerts/rule/scheduleBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/deleteBackfill",
+                "alerting:apm.anomaly/observability/rule/get",
+                "alerting:apm.anomaly/observability/rule/getRuleState",
+                "alerting:apm.anomaly/observability/rule/getAlertSummary",
+                "alerting:apm.anomaly/observability/rule/getExecutionLog",
+                "alerting:apm.anomaly/observability/rule/getActionErrorLog",
+                "alerting:apm.anomaly/observability/rule/find",
+                "alerting:apm.anomaly/observability/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/observability/rule/getBackfill",
+                "alerting:apm.anomaly/observability/rule/findBackfill",
+                "alerting:apm.anomaly/observability/rule/create",
+                "alerting:apm.anomaly/observability/rule/delete",
+                "alerting:apm.anomaly/observability/rule/update",
+                "alerting:apm.anomaly/observability/rule/updateApiKey",
+                "alerting:apm.anomaly/observability/rule/enable",
+                "alerting:apm.anomaly/observability/rule/disable",
+                "alerting:apm.anomaly/observability/rule/muteAll",
+                "alerting:apm.anomaly/observability/rule/unmuteAll",
+                "alerting:apm.anomaly/observability/rule/muteAlert",
+                "alerting:apm.anomaly/observability/rule/unmuteAlert",
+                "alerting:apm.anomaly/observability/rule/snooze",
+                "alerting:apm.anomaly/observability/rule/bulkEdit",
+                "alerting:apm.anomaly/observability/rule/bulkDelete",
+                "alerting:apm.anomaly/observability/rule/bulkEnable",
+                "alerting:apm.anomaly/observability/rule/bulkDisable",
+                "alerting:apm.anomaly/observability/rule/unsnooze",
+                "alerting:apm.anomaly/observability/rule/runSoon",
+                "alerting:apm.anomaly/observability/rule/scheduleBackfill",
+                "alerting:apm.anomaly/observability/rule/deleteBackfill",
+                "alerting:apm.anomaly/alerts/rule/get",
+                "alerting:apm.anomaly/alerts/rule/getRuleState",
+                "alerting:apm.anomaly/alerts/rule/getAlertSummary",
+                "alerting:apm.anomaly/alerts/rule/getExecutionLog",
+                "alerting:apm.anomaly/alerts/rule/getActionErrorLog",
+                "alerting:apm.anomaly/alerts/rule/find",
+                "alerting:apm.anomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/alerts/rule/getBackfill",
+                "alerting:apm.anomaly/alerts/rule/findBackfill",
+                "alerting:apm.anomaly/alerts/rule/create",
+                "alerting:apm.anomaly/alerts/rule/delete",
+                "alerting:apm.anomaly/alerts/rule/update",
+                "alerting:apm.anomaly/alerts/rule/updateApiKey",
+                "alerting:apm.anomaly/alerts/rule/enable",
+                "alerting:apm.anomaly/alerts/rule/disable",
+                "alerting:apm.anomaly/alerts/rule/muteAll",
+                "alerting:apm.anomaly/alerts/rule/unmuteAll",
+                "alerting:apm.anomaly/alerts/rule/muteAlert",
+                "alerting:apm.anomaly/alerts/rule/unmuteAlert",
+                "alerting:apm.anomaly/alerts/rule/snooze",
+                "alerting:apm.anomaly/alerts/rule/bulkEdit",
+                "alerting:apm.anomaly/alerts/rule/bulkDelete",
+                "alerting:apm.anomaly/alerts/rule/bulkEnable",
+                "alerting:apm.anomaly/alerts/rule/bulkDisable",
+                "alerting:apm.anomaly/alerts/rule/unsnooze",
+                "alerting:apm.anomaly/alerts/rule/runSoon",
+                "alerting:apm.anomaly/alerts/rule/scheduleBackfill",
+                "alerting:apm.anomaly/alerts/rule/deleteBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/create",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/delete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/enable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/disable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/snooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/deleteBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/create",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/delete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/enable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/disable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/snooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/deleteBackfill",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/create",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/delete",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/update",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/enable",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/disable",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/snooze",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/deleteBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/create",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/delete",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/update",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/enable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/disable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/snooze",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/deleteBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/get",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/observability/rule/find",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/create",
+                "alerting:metrics.alert.threshold/observability/rule/delete",
+                "alerting:metrics.alert.threshold/observability/rule/update",
+                "alerting:metrics.alert.threshold/observability/rule/updateApiKey",
+                "alerting:metrics.alert.threshold/observability/rule/enable",
+                "alerting:metrics.alert.threshold/observability/rule/disable",
+                "alerting:metrics.alert.threshold/observability/rule/muteAll",
+                "alerting:metrics.alert.threshold/observability/rule/unmuteAll",
+                "alerting:metrics.alert.threshold/observability/rule/muteAlert",
+                "alerting:metrics.alert.threshold/observability/rule/unmuteAlert",
+                "alerting:metrics.alert.threshold/observability/rule/snooze",
+                "alerting:metrics.alert.threshold/observability/rule/bulkEdit",
+                "alerting:metrics.alert.threshold/observability/rule/bulkDelete",
+                "alerting:metrics.alert.threshold/observability/rule/bulkEnable",
+                "alerting:metrics.alert.threshold/observability/rule/bulkDisable",
+                "alerting:metrics.alert.threshold/observability/rule/unsnooze",
+                "alerting:metrics.alert.threshold/observability/rule/runSoon",
+                "alerting:metrics.alert.threshold/observability/rule/scheduleBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/deleteBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/get",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/alerts/rule/find",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/create",
+                "alerting:metrics.alert.threshold/alerts/rule/delete",
+                "alerting:metrics.alert.threshold/alerts/rule/update",
+                "alerting:metrics.alert.threshold/alerts/rule/updateApiKey",
+                "alerting:metrics.alert.threshold/alerts/rule/enable",
+                "alerting:metrics.alert.threshold/alerts/rule/disable",
+                "alerting:metrics.alert.threshold/alerts/rule/muteAll",
+                "alerting:metrics.alert.threshold/alerts/rule/unmuteAll",
+                "alerting:metrics.alert.threshold/alerts/rule/muteAlert",
+                "alerting:metrics.alert.threshold/alerts/rule/unmuteAlert",
+                "alerting:metrics.alert.threshold/alerts/rule/snooze",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkEdit",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkDelete",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkEnable",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkDisable",
+                "alerting:metrics.alert.threshold/alerts/rule/unsnooze",
+                "alerting:metrics.alert.threshold/alerts/rule/runSoon",
+                "alerting:metrics.alert.threshold/alerts/rule/scheduleBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/deleteBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/create",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/delete",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/update",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/updateApiKey",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/enable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/disable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAll",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAll",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAlert",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAlert",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/snooze",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEdit",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDelete",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEnable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDisable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unsnooze",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/runSoon",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/scheduleBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/deleteBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/create",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/delete",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/update",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/updateApiKey",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/enable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/disable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/muteAll",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unmuteAll",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/muteAlert",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unmuteAlert",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/snooze",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkEdit",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkDelete",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkEnable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkDisable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unsnooze",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/runSoon",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/scheduleBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/create",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/update",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/create",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/create",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/create",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/deleteBackfill",
+                "alerting:logs.alert.document.count/observability/rule/get",
+                "alerting:logs.alert.document.count/observability/rule/getRuleState",
+                "alerting:logs.alert.document.count/observability/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/observability/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/observability/rule/find",
+                "alerting:logs.alert.document.count/observability/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/observability/rule/getBackfill",
+                "alerting:logs.alert.document.count/observability/rule/findBackfill",
+                "alerting:logs.alert.document.count/observability/rule/create",
+                "alerting:logs.alert.document.count/observability/rule/delete",
+                "alerting:logs.alert.document.count/observability/rule/update",
+                "alerting:logs.alert.document.count/observability/rule/updateApiKey",
+                "alerting:logs.alert.document.count/observability/rule/enable",
+                "alerting:logs.alert.document.count/observability/rule/disable",
+                "alerting:logs.alert.document.count/observability/rule/muteAll",
+                "alerting:logs.alert.document.count/observability/rule/unmuteAll",
+                "alerting:logs.alert.document.count/observability/rule/muteAlert",
+                "alerting:logs.alert.document.count/observability/rule/unmuteAlert",
+                "alerting:logs.alert.document.count/observability/rule/snooze",
+                "alerting:logs.alert.document.count/observability/rule/bulkEdit",
+                "alerting:logs.alert.document.count/observability/rule/bulkDelete",
+                "alerting:logs.alert.document.count/observability/rule/bulkEnable",
+                "alerting:logs.alert.document.count/observability/rule/bulkDisable",
+                "alerting:logs.alert.document.count/observability/rule/unsnooze",
+                "alerting:logs.alert.document.count/observability/rule/runSoon",
+                "alerting:logs.alert.document.count/observability/rule/scheduleBackfill",
+                "alerting:logs.alert.document.count/observability/rule/deleteBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/get",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleState",
+                "alerting:logs.alert.document.count/alerts/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/alerts/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/alerts/rule/find",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/alerts/rule/getBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/findBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/create",
+                "alerting:logs.alert.document.count/alerts/rule/delete",
+                "alerting:logs.alert.document.count/alerts/rule/update",
+                "alerting:logs.alert.document.count/alerts/rule/updateApiKey",
+                "alerting:logs.alert.document.count/alerts/rule/enable",
+                "alerting:logs.alert.document.count/alerts/rule/disable",
+                "alerting:logs.alert.document.count/alerts/rule/muteAll",
+                "alerting:logs.alert.document.count/alerts/rule/unmuteAll",
+                "alerting:logs.alert.document.count/alerts/rule/muteAlert",
+                "alerting:logs.alert.document.count/alerts/rule/unmuteAlert",
+                "alerting:logs.alert.document.count/alerts/rule/snooze",
+                "alerting:logs.alert.document.count/alerts/rule/bulkEdit",
+                "alerting:logs.alert.document.count/alerts/rule/bulkDelete",
+                "alerting:logs.alert.document.count/alerts/rule/bulkEnable",
+                "alerting:logs.alert.document.count/alerts/rule/bulkDisable",
+                "alerting:logs.alert.document.count/alerts/rule/unsnooze",
+                "alerting:logs.alert.document.count/alerts/rule/runSoon",
+                "alerting:logs.alert.document.count/alerts/rule/scheduleBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/deleteBackfill",
                 "alerting:slo.rules.burnRate/observability/rule/get",
                 "alerting:slo.rules.burnRate/observability/rule/getRuleState",
                 "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
@@ -7966,6 +14979,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:observability.rules.custom_threshold/observability/rule/runSoon",
                 "alerting:observability.rules.custom_threshold/observability/rule/scheduleBackfill",
                 "alerting:observability.rules.custom_threshold/observability/rule/deleteBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/get",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/find",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/create",
+                "alerting:observability.rules.custom_threshold/alerts/rule/delete",
+                "alerting:observability.rules.custom_threshold/alerts/rule/update",
+                "alerting:observability.rules.custom_threshold/alerts/rule/updateApiKey",
+                "alerting:observability.rules.custom_threshold/alerts/rule/enable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/disable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/muteAll",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unmuteAll",
+                "alerting:observability.rules.custom_threshold/alerts/rule/muteAlert",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unmuteAlert",
+                "alerting:observability.rules.custom_threshold/alerts/rule/snooze",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkEdit",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkDelete",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkEnable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkDisable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unsnooze",
+                "alerting:observability.rules.custom_threshold/alerts/rule/runSoon",
+                "alerting:observability.rules.custom_threshold/alerts/rule/scheduleBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/deleteBackfill",
                 "alerting:.es-query/observability/rule/get",
                 "alerting:.es-query/observability/rule/getRuleState",
                 "alerting:.es-query/observability/rule/getAlertSummary",
@@ -7994,6 +15035,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:.es-query/observability/rule/runSoon",
                 "alerting:.es-query/observability/rule/scheduleBackfill",
                 "alerting:.es-query/observability/rule/deleteBackfill",
+                "alerting:.es-query/alerts/rule/get",
+                "alerting:.es-query/alerts/rule/getRuleState",
+                "alerting:.es-query/alerts/rule/getAlertSummary",
+                "alerting:.es-query/alerts/rule/getExecutionLog",
+                "alerting:.es-query/alerts/rule/getActionErrorLog",
+                "alerting:.es-query/alerts/rule/find",
+                "alerting:.es-query/alerts/rule/getRuleExecutionKPI",
+                "alerting:.es-query/alerts/rule/getBackfill",
+                "alerting:.es-query/alerts/rule/findBackfill",
+                "alerting:.es-query/alerts/rule/create",
+                "alerting:.es-query/alerts/rule/delete",
+                "alerting:.es-query/alerts/rule/update",
+                "alerting:.es-query/alerts/rule/updateApiKey",
+                "alerting:.es-query/alerts/rule/enable",
+                "alerting:.es-query/alerts/rule/disable",
+                "alerting:.es-query/alerts/rule/muteAll",
+                "alerting:.es-query/alerts/rule/unmuteAll",
+                "alerting:.es-query/alerts/rule/muteAlert",
+                "alerting:.es-query/alerts/rule/unmuteAlert",
+                "alerting:.es-query/alerts/rule/snooze",
+                "alerting:.es-query/alerts/rule/bulkEdit",
+                "alerting:.es-query/alerts/rule/bulkDelete",
+                "alerting:.es-query/alerts/rule/bulkEnable",
+                "alerting:.es-query/alerts/rule/bulkDisable",
+                "alerting:.es-query/alerts/rule/unsnooze",
+                "alerting:.es-query/alerts/rule/runSoon",
+                "alerting:.es-query/alerts/rule/scheduleBackfill",
+                "alerting:.es-query/alerts/rule/deleteBackfill",
                 "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
                 "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
                 "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
@@ -8022,34 +15091,334 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.ml.anomaly_detection_alert/observability/rule/runSoon",
                 "alerting:xpack.ml.anomaly_detection_alert/observability/rule/scheduleBackfill",
                 "alerting:xpack.ml.anomaly_detection_alert/observability/rule/deleteBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/create",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/delete",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/update",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/updateApiKey",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/enable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/disable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAll",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAll",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAlert",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAlert",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/snooze",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEdit",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDelete",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEnable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDisable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unsnooze",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/runSoon",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/scheduleBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/deleteBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/deleteBackfill",
+                "alerting:apm.error_rate/observability/alert/get",
+                "alerting:apm.error_rate/observability/alert/find",
+                "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.error_rate/observability/alert/update",
+                "alerting:apm.error_rate/alerts/alert/get",
+                "alerting:apm.error_rate/alerts/alert/find",
+                "alerting:apm.error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/alerts/alert/getAlertSummary",
+                "alerting:apm.error_rate/alerts/alert/update",
+                "alerting:apm.transaction_error_rate/observability/alert/get",
+                "alerting:apm.transaction_error_rate/observability/alert/find",
+                "alerting:apm.transaction_error_rate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/observability/alert/update",
+                "alerting:apm.transaction_error_rate/alerts/alert/get",
+                "alerting:apm.transaction_error_rate/alerts/alert/find",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/alert/update",
+                "alerting:apm.transaction_duration/observability/alert/get",
+                "alerting:apm.transaction_duration/observability/alert/find",
+                "alerting:apm.transaction_duration/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/observability/alert/update",
+                "alerting:apm.transaction_duration/alerts/alert/get",
+                "alerting:apm.transaction_duration/alerts/alert/find",
+                "alerting:apm.transaction_duration/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/alerts/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/alert/update",
+                "alerting:apm.anomaly/observability/alert/get",
+                "alerting:apm.anomaly/observability/alert/find",
+                "alerting:apm.anomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/observability/alert/getAlertSummary",
+                "alerting:apm.anomaly/observability/alert/update",
+                "alerting:apm.anomaly/alerts/alert/get",
+                "alerting:apm.anomaly/alerts/alert/find",
+                "alerting:apm.anomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/alerts/alert/getAlertSummary",
+                "alerting:apm.anomaly/alerts/alert/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/update",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/observability/alert/update",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/update",
+                "alerting:metrics.alert.threshold/observability/alert/get",
+                "alerting:metrics.alert.threshold/observability/alert/find",
+                "alerting:metrics.alert.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/alert/update",
+                "alerting:metrics.alert.threshold/alerts/alert/get",
+                "alerting:metrics.alert.threshold/alerts/alert/find",
+                "alerting:metrics.alert.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/alert/update",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/update",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/update",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/update",
+                "alerting:logs.alert.document.count/observability/alert/get",
+                "alerting:logs.alert.document.count/observability/alert/find",
+                "alerting:logs.alert.document.count/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/observability/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/alert/update",
+                "alerting:logs.alert.document.count/alerts/alert/get",
+                "alerting:logs.alert.document.count/alerts/alert/find",
+                "alerting:logs.alert.document.count/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/alerts/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/alert/update",
+                "alerting:slo.rules.burnRate/observability/alert/get",
+                "alerting:slo.rules.burnRate/observability/alert/find",
+                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/alert/update",
+                "alerting:observability.rules.custom_threshold/observability/alert/get",
+                "alerting:observability.rules.custom_threshold/observability/alert/find",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/alert/update",
+                "alerting:observability.rules.custom_threshold/alerts/alert/get",
+                "alerting:observability.rules.custom_threshold/alerts/alert/find",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/alert/update",
+                "alerting:.es-query/observability/alert/get",
+                "alerting:.es-query/observability/alert/find",
+                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/observability/alert/getAlertSummary",
+                "alerting:.es-query/observability/alert/update",
+                "alerting:.es-query/alerts/alert/get",
+                "alerting:.es-query/alerts/alert/find",
+                "alerting:.es-query/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/alerts/alert/getAlertSummary",
+                "alerting:.es-query/alerts/alert/update",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/update",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/update",
+              ],
+              "minimal_all": Array [
+                "login:",
+                "api:slo_write",
+                "api:slo_read",
+                "api:rac",
+                "app:slo",
+                "app:kibana",
+                "ui:catalogue/slo",
+                "ui:catalogue/observability",
+                "ui:navLinks/slo",
+                "ui:navLinks/kibana",
+                "saved_object:slo/bulk_get",
+                "saved_object:slo/get",
+                "saved_object:slo/find",
+                "saved_object:slo/open_point_in_time",
+                "saved_object:slo/close_point_in_time",
+                "saved_object:slo/create",
+                "saved_object:slo/bulk_create",
+                "saved_object:slo/update",
+                "saved_object:slo/bulk_update",
+                "saved_object:slo/delete",
+                "saved_object:slo/bulk_delete",
+                "saved_object:slo/share_to_space",
+                "saved_object:slo-settings/bulk_get",
+                "saved_object:slo-settings/get",
+                "saved_object:slo-settings/find",
+                "saved_object:slo-settings/open_point_in_time",
+                "saved_object:slo-settings/close_point_in_time",
+                "saved_object:slo-settings/create",
+                "saved_object:slo-settings/bulk_create",
+                "saved_object:slo-settings/update",
+                "saved_object:slo-settings/bulk_update",
+                "saved_object:slo-settings/delete",
+                "saved_object:slo-settings/bulk_delete",
+                "saved_object:slo-settings/share_to_space",
+                "saved_object:telemetry/bulk_get",
+                "saved_object:telemetry/get",
+                "saved_object:telemetry/find",
+                "saved_object:telemetry/open_point_in_time",
+                "saved_object:telemetry/close_point_in_time",
+                "saved_object:telemetry/create",
+                "saved_object:telemetry/bulk_create",
+                "saved_object:telemetry/update",
+                "saved_object:telemetry/bulk_update",
+                "saved_object:telemetry/delete",
+                "saved_object:telemetry/bulk_delete",
+                "saved_object:telemetry/share_to_space",
+                "saved_object:config/bulk_get",
+                "saved_object:config/get",
+                "saved_object:config/find",
+                "saved_object:config/open_point_in_time",
+                "saved_object:config/close_point_in_time",
+                "saved_object:config-global/bulk_get",
+                "saved_object:config-global/get",
+                "saved_object:config-global/find",
+                "saved_object:config-global/open_point_in_time",
+                "saved_object:config-global/close_point_in_time",
+                "saved_object:url/bulk_get",
+                "saved_object:url/get",
+                "saved_object:url/find",
+                "saved_object:url/open_point_in_time",
+                "saved_object:url/close_point_in_time",
+                "ui:slo/read",
+                "ui:slo/write",
+                "alerting:slo.rules.burnRate/slo/rule/get",
+                "alerting:slo.rules.burnRate/slo/rule/getRuleState",
+                "alerting:slo.rules.burnRate/slo/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/slo/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/slo/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/slo/rule/find",
+                "alerting:slo.rules.burnRate/slo/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/slo/rule/getBackfill",
+                "alerting:slo.rules.burnRate/slo/rule/findBackfill",
+                "alerting:slo.rules.burnRate/slo/rule/create",
+                "alerting:slo.rules.burnRate/slo/rule/delete",
+                "alerting:slo.rules.burnRate/slo/rule/update",
+                "alerting:slo.rules.burnRate/slo/rule/updateApiKey",
+                "alerting:slo.rules.burnRate/slo/rule/enable",
+                "alerting:slo.rules.burnRate/slo/rule/disable",
+                "alerting:slo.rules.burnRate/slo/rule/muteAll",
+                "alerting:slo.rules.burnRate/slo/rule/unmuteAll",
+                "alerting:slo.rules.burnRate/slo/rule/muteAlert",
+                "alerting:slo.rules.burnRate/slo/rule/unmuteAlert",
+                "alerting:slo.rules.burnRate/slo/rule/snooze",
+                "alerting:slo.rules.burnRate/slo/rule/bulkEdit",
+                "alerting:slo.rules.burnRate/slo/rule/bulkDelete",
+                "alerting:slo.rules.burnRate/slo/rule/bulkEnable",
+                "alerting:slo.rules.burnRate/slo/rule/bulkDisable",
+                "alerting:slo.rules.burnRate/slo/rule/unsnooze",
+                "alerting:slo.rules.burnRate/slo/rule/runSoon",
+                "alerting:slo.rules.burnRate/slo/rule/scheduleBackfill",
+                "alerting:slo.rules.burnRate/slo/rule/deleteBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/get",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleState",
+                "alerting:slo.rules.burnRate/alerts/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/alerts/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/alerts/rule/find",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/alerts/rule/getBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/findBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/create",
+                "alerting:slo.rules.burnRate/alerts/rule/delete",
+                "alerting:slo.rules.burnRate/alerts/rule/update",
+                "alerting:slo.rules.burnRate/alerts/rule/updateApiKey",
+                "alerting:slo.rules.burnRate/alerts/rule/enable",
+                "alerting:slo.rules.burnRate/alerts/rule/disable",
+                "alerting:slo.rules.burnRate/alerts/rule/muteAll",
+                "alerting:slo.rules.burnRate/alerts/rule/unmuteAll",
+                "alerting:slo.rules.burnRate/alerts/rule/muteAlert",
+                "alerting:slo.rules.burnRate/alerts/rule/unmuteAlert",
+                "alerting:slo.rules.burnRate/alerts/rule/snooze",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkEdit",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkDelete",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkEnable",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkDisable",
+                "alerting:slo.rules.burnRate/alerts/rule/unsnooze",
+                "alerting:slo.rules.burnRate/alerts/rule/runSoon",
+                "alerting:slo.rules.burnRate/alerts/rule/scheduleBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/deleteBackfill",
+                "alerting:slo.rules.burnRate/slo/alert/get",
+                "alerting:slo.rules.burnRate/slo/alert/find",
+                "alerting:slo.rules.burnRate/slo/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/slo/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/slo/alert/update",
+                "alerting:slo.rules.burnRate/alerts/alert/get",
+                "alerting:slo.rules.burnRate/alerts/alert/find",
+                "alerting:slo.rules.burnRate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/alerts/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/alert/update",
+                "app:observability",
+                "ui:navLinks/observability",
+                "ui:observability/read",
+                "ui:observability/write",
                 "alerting:apm.error_rate/observability/rule/get",
                 "alerting:apm.error_rate/observability/rule/getRuleState",
                 "alerting:apm.error_rate/observability/rule/getAlertSummary",
@@ -8078,6 +15447,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.error_rate/observability/rule/runSoon",
                 "alerting:apm.error_rate/observability/rule/scheduleBackfill",
                 "alerting:apm.error_rate/observability/rule/deleteBackfill",
+                "alerting:apm.error_rate/alerts/rule/get",
+                "alerting:apm.error_rate/alerts/rule/getRuleState",
+                "alerting:apm.error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.error_rate/alerts/rule/find",
+                "alerting:apm.error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/alerts/rule/getBackfill",
+                "alerting:apm.error_rate/alerts/rule/findBackfill",
+                "alerting:apm.error_rate/alerts/rule/create",
+                "alerting:apm.error_rate/alerts/rule/delete",
+                "alerting:apm.error_rate/alerts/rule/update",
+                "alerting:apm.error_rate/alerts/rule/updateApiKey",
+                "alerting:apm.error_rate/alerts/rule/enable",
+                "alerting:apm.error_rate/alerts/rule/disable",
+                "alerting:apm.error_rate/alerts/rule/muteAll",
+                "alerting:apm.error_rate/alerts/rule/unmuteAll",
+                "alerting:apm.error_rate/alerts/rule/muteAlert",
+                "alerting:apm.error_rate/alerts/rule/unmuteAlert",
+                "alerting:apm.error_rate/alerts/rule/snooze",
+                "alerting:apm.error_rate/alerts/rule/bulkEdit",
+                "alerting:apm.error_rate/alerts/rule/bulkDelete",
+                "alerting:apm.error_rate/alerts/rule/bulkEnable",
+                "alerting:apm.error_rate/alerts/rule/bulkDisable",
+                "alerting:apm.error_rate/alerts/rule/unsnooze",
+                "alerting:apm.error_rate/alerts/rule/runSoon",
+                "alerting:apm.error_rate/alerts/rule/scheduleBackfill",
+                "alerting:apm.error_rate/alerts/rule/deleteBackfill",
                 "alerting:apm.transaction_error_rate/observability/rule/get",
                 "alerting:apm.transaction_error_rate/observability/rule/getRuleState",
                 "alerting:apm.transaction_error_rate/observability/rule/getAlertSummary",
@@ -8106,6 +15503,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.transaction_error_rate/observability/rule/runSoon",
                 "alerting:apm.transaction_error_rate/observability/rule/scheduleBackfill",
                 "alerting:apm.transaction_error_rate/observability/rule/deleteBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/get",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/find",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/alerts/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/create",
+                "alerting:apm.transaction_error_rate/alerts/rule/delete",
+                "alerting:apm.transaction_error_rate/alerts/rule/update",
+                "alerting:apm.transaction_error_rate/alerts/rule/updateApiKey",
+                "alerting:apm.transaction_error_rate/alerts/rule/enable",
+                "alerting:apm.transaction_error_rate/alerts/rule/disable",
+                "alerting:apm.transaction_error_rate/alerts/rule/muteAll",
+                "alerting:apm.transaction_error_rate/alerts/rule/unmuteAll",
+                "alerting:apm.transaction_error_rate/alerts/rule/muteAlert",
+                "alerting:apm.transaction_error_rate/alerts/rule/unmuteAlert",
+                "alerting:apm.transaction_error_rate/alerts/rule/snooze",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkEdit",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkDelete",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkEnable",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkDisable",
+                "alerting:apm.transaction_error_rate/alerts/rule/unsnooze",
+                "alerting:apm.transaction_error_rate/alerts/rule/runSoon",
+                "alerting:apm.transaction_error_rate/alerts/rule/scheduleBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/deleteBackfill",
                 "alerting:apm.transaction_duration/observability/rule/get",
                 "alerting:apm.transaction_duration/observability/rule/getRuleState",
                 "alerting:apm.transaction_duration/observability/rule/getAlertSummary",
@@ -8134,6 +15559,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.transaction_duration/observability/rule/runSoon",
                 "alerting:apm.transaction_duration/observability/rule/scheduleBackfill",
                 "alerting:apm.transaction_duration/observability/rule/deleteBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/get",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleState",
+                "alerting:apm.transaction_duration/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/alerts/rule/find",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/alerts/rule/getBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/findBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/create",
+                "alerting:apm.transaction_duration/alerts/rule/delete",
+                "alerting:apm.transaction_duration/alerts/rule/update",
+                "alerting:apm.transaction_duration/alerts/rule/updateApiKey",
+                "alerting:apm.transaction_duration/alerts/rule/enable",
+                "alerting:apm.transaction_duration/alerts/rule/disable",
+                "alerting:apm.transaction_duration/alerts/rule/muteAll",
+                "alerting:apm.transaction_duration/alerts/rule/unmuteAll",
+                "alerting:apm.transaction_duration/alerts/rule/muteAlert",
+                "alerting:apm.transaction_duration/alerts/rule/unmuteAlert",
+                "alerting:apm.transaction_duration/alerts/rule/snooze",
+                "alerting:apm.transaction_duration/alerts/rule/bulkEdit",
+                "alerting:apm.transaction_duration/alerts/rule/bulkDelete",
+                "alerting:apm.transaction_duration/alerts/rule/bulkEnable",
+                "alerting:apm.transaction_duration/alerts/rule/bulkDisable",
+                "alerting:apm.transaction_duration/alerts/rule/unsnooze",
+                "alerting:apm.transaction_duration/alerts/rule/runSoon",
+                "alerting:apm.transaction_duration/alerts/rule/scheduleBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/deleteBackfill",
                 "alerting:apm.anomaly/observability/rule/get",
                 "alerting:apm.anomaly/observability/rule/getRuleState",
                 "alerting:apm.anomaly/observability/rule/getAlertSummary",
@@ -8162,6 +15615,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.anomaly/observability/rule/runSoon",
                 "alerting:apm.anomaly/observability/rule/scheduleBackfill",
                 "alerting:apm.anomaly/observability/rule/deleteBackfill",
+                "alerting:apm.anomaly/alerts/rule/get",
+                "alerting:apm.anomaly/alerts/rule/getRuleState",
+                "alerting:apm.anomaly/alerts/rule/getAlertSummary",
+                "alerting:apm.anomaly/alerts/rule/getExecutionLog",
+                "alerting:apm.anomaly/alerts/rule/getActionErrorLog",
+                "alerting:apm.anomaly/alerts/rule/find",
+                "alerting:apm.anomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/alerts/rule/getBackfill",
+                "alerting:apm.anomaly/alerts/rule/findBackfill",
+                "alerting:apm.anomaly/alerts/rule/create",
+                "alerting:apm.anomaly/alerts/rule/delete",
+                "alerting:apm.anomaly/alerts/rule/update",
+                "alerting:apm.anomaly/alerts/rule/updateApiKey",
+                "alerting:apm.anomaly/alerts/rule/enable",
+                "alerting:apm.anomaly/alerts/rule/disable",
+                "alerting:apm.anomaly/alerts/rule/muteAll",
+                "alerting:apm.anomaly/alerts/rule/unmuteAll",
+                "alerting:apm.anomaly/alerts/rule/muteAlert",
+                "alerting:apm.anomaly/alerts/rule/unmuteAlert",
+                "alerting:apm.anomaly/alerts/rule/snooze",
+                "alerting:apm.anomaly/alerts/rule/bulkEdit",
+                "alerting:apm.anomaly/alerts/rule/bulkDelete",
+                "alerting:apm.anomaly/alerts/rule/bulkEnable",
+                "alerting:apm.anomaly/alerts/rule/bulkDisable",
+                "alerting:apm.anomaly/alerts/rule/unsnooze",
+                "alerting:apm.anomaly/alerts/rule/runSoon",
+                "alerting:apm.anomaly/alerts/rule/scheduleBackfill",
+                "alerting:apm.anomaly/alerts/rule/deleteBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getAlertSummary",
@@ -8190,6 +15671,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/runSoon",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/scheduleBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/deleteBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/create",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/delete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/enable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/disable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/snooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/deleteBackfill",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/get",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getAlertSummary",
@@ -8218,61 +15727,787 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/runSoon",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/scheduleBackfill",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/deleteBackfill",
-                "alerting:slo.rules.burnRate/observability/alert/get",
-                "alerting:slo.rules.burnRate/observability/alert/find",
-                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
-                "alerting:slo.rules.burnRate/observability/alert/update",
-                "alerting:observability.rules.custom_threshold/observability/alert/get",
-                "alerting:observability.rules.custom_threshold/observability/alert/find",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/alert/update",
-                "alerting:.es-query/observability/alert/get",
-                "alerting:.es-query/observability/alert/find",
-                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/observability/alert/getAlertSummary",
-                "alerting:.es-query/observability/alert/update",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/update",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/update",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/create",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/delete",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/update",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/enable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/disable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/snooze",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/deleteBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/get",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/observability/rule/find",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/create",
+                "alerting:metrics.alert.threshold/observability/rule/delete",
+                "alerting:metrics.alert.threshold/observability/rule/update",
+                "alerting:metrics.alert.threshold/observability/rule/updateApiKey",
+                "alerting:metrics.alert.threshold/observability/rule/enable",
+                "alerting:metrics.alert.threshold/observability/rule/disable",
+                "alerting:metrics.alert.threshold/observability/rule/muteAll",
+                "alerting:metrics.alert.threshold/observability/rule/unmuteAll",
+                "alerting:metrics.alert.threshold/observability/rule/muteAlert",
+                "alerting:metrics.alert.threshold/observability/rule/unmuteAlert",
+                "alerting:metrics.alert.threshold/observability/rule/snooze",
+                "alerting:metrics.alert.threshold/observability/rule/bulkEdit",
+                "alerting:metrics.alert.threshold/observability/rule/bulkDelete",
+                "alerting:metrics.alert.threshold/observability/rule/bulkEnable",
+                "alerting:metrics.alert.threshold/observability/rule/bulkDisable",
+                "alerting:metrics.alert.threshold/observability/rule/unsnooze",
+                "alerting:metrics.alert.threshold/observability/rule/runSoon",
+                "alerting:metrics.alert.threshold/observability/rule/scheduleBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/deleteBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/get",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/alerts/rule/find",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/create",
+                "alerting:metrics.alert.threshold/alerts/rule/delete",
+                "alerting:metrics.alert.threshold/alerts/rule/update",
+                "alerting:metrics.alert.threshold/alerts/rule/updateApiKey",
+                "alerting:metrics.alert.threshold/alerts/rule/enable",
+                "alerting:metrics.alert.threshold/alerts/rule/disable",
+                "alerting:metrics.alert.threshold/alerts/rule/muteAll",
+                "alerting:metrics.alert.threshold/alerts/rule/unmuteAll",
+                "alerting:metrics.alert.threshold/alerts/rule/muteAlert",
+                "alerting:metrics.alert.threshold/alerts/rule/unmuteAlert",
+                "alerting:metrics.alert.threshold/alerts/rule/snooze",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkEdit",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkDelete",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkEnable",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkDisable",
+                "alerting:metrics.alert.threshold/alerts/rule/unsnooze",
+                "alerting:metrics.alert.threshold/alerts/rule/runSoon",
+                "alerting:metrics.alert.threshold/alerts/rule/scheduleBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/deleteBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/create",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/delete",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/update",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/updateApiKey",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/enable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/disable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAll",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAll",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAlert",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAlert",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/snooze",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEdit",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDelete",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEnable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDisable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unsnooze",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/runSoon",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/scheduleBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/deleteBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/create",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/delete",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/update",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/updateApiKey",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/enable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/disable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/muteAll",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unmuteAll",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/muteAlert",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unmuteAlert",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/snooze",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkEdit",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkDelete",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkEnable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkDisable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unsnooze",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/runSoon",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/scheduleBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/create",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/update",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/create",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/create",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/create",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/deleteBackfill",
+                "alerting:logs.alert.document.count/observability/rule/get",
+                "alerting:logs.alert.document.count/observability/rule/getRuleState",
+                "alerting:logs.alert.document.count/observability/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/observability/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/observability/rule/find",
+                "alerting:logs.alert.document.count/observability/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/observability/rule/getBackfill",
+                "alerting:logs.alert.document.count/observability/rule/findBackfill",
+                "alerting:logs.alert.document.count/observability/rule/create",
+                "alerting:logs.alert.document.count/observability/rule/delete",
+                "alerting:logs.alert.document.count/observability/rule/update",
+                "alerting:logs.alert.document.count/observability/rule/updateApiKey",
+                "alerting:logs.alert.document.count/observability/rule/enable",
+                "alerting:logs.alert.document.count/observability/rule/disable",
+                "alerting:logs.alert.document.count/observability/rule/muteAll",
+                "alerting:logs.alert.document.count/observability/rule/unmuteAll",
+                "alerting:logs.alert.document.count/observability/rule/muteAlert",
+                "alerting:logs.alert.document.count/observability/rule/unmuteAlert",
+                "alerting:logs.alert.document.count/observability/rule/snooze",
+                "alerting:logs.alert.document.count/observability/rule/bulkEdit",
+                "alerting:logs.alert.document.count/observability/rule/bulkDelete",
+                "alerting:logs.alert.document.count/observability/rule/bulkEnable",
+                "alerting:logs.alert.document.count/observability/rule/bulkDisable",
+                "alerting:logs.alert.document.count/observability/rule/unsnooze",
+                "alerting:logs.alert.document.count/observability/rule/runSoon",
+                "alerting:logs.alert.document.count/observability/rule/scheduleBackfill",
+                "alerting:logs.alert.document.count/observability/rule/deleteBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/get",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleState",
+                "alerting:logs.alert.document.count/alerts/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/alerts/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/alerts/rule/find",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/alerts/rule/getBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/findBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/create",
+                "alerting:logs.alert.document.count/alerts/rule/delete",
+                "alerting:logs.alert.document.count/alerts/rule/update",
+                "alerting:logs.alert.document.count/alerts/rule/updateApiKey",
+                "alerting:logs.alert.document.count/alerts/rule/enable",
+                "alerting:logs.alert.document.count/alerts/rule/disable",
+                "alerting:logs.alert.document.count/alerts/rule/muteAll",
+                "alerting:logs.alert.document.count/alerts/rule/unmuteAll",
+                "alerting:logs.alert.document.count/alerts/rule/muteAlert",
+                "alerting:logs.alert.document.count/alerts/rule/unmuteAlert",
+                "alerting:logs.alert.document.count/alerts/rule/snooze",
+                "alerting:logs.alert.document.count/alerts/rule/bulkEdit",
+                "alerting:logs.alert.document.count/alerts/rule/bulkDelete",
+                "alerting:logs.alert.document.count/alerts/rule/bulkEnable",
+                "alerting:logs.alert.document.count/alerts/rule/bulkDisable",
+                "alerting:logs.alert.document.count/alerts/rule/unsnooze",
+                "alerting:logs.alert.document.count/alerts/rule/runSoon",
+                "alerting:logs.alert.document.count/alerts/rule/scheduleBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/deleteBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/get",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
+                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/observability/rule/find",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/create",
+                "alerting:slo.rules.burnRate/observability/rule/delete",
+                "alerting:slo.rules.burnRate/observability/rule/update",
+                "alerting:slo.rules.burnRate/observability/rule/updateApiKey",
+                "alerting:slo.rules.burnRate/observability/rule/enable",
+                "alerting:slo.rules.burnRate/observability/rule/disable",
+                "alerting:slo.rules.burnRate/observability/rule/muteAll",
+                "alerting:slo.rules.burnRate/observability/rule/unmuteAll",
+                "alerting:slo.rules.burnRate/observability/rule/muteAlert",
+                "alerting:slo.rules.burnRate/observability/rule/unmuteAlert",
+                "alerting:slo.rules.burnRate/observability/rule/snooze",
+                "alerting:slo.rules.burnRate/observability/rule/bulkEdit",
+                "alerting:slo.rules.burnRate/observability/rule/bulkDelete",
+                "alerting:slo.rules.burnRate/observability/rule/bulkEnable",
+                "alerting:slo.rules.burnRate/observability/rule/bulkDisable",
+                "alerting:slo.rules.burnRate/observability/rule/unsnooze",
+                "alerting:slo.rules.burnRate/observability/rule/runSoon",
+                "alerting:slo.rules.burnRate/observability/rule/scheduleBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/deleteBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/get",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/find",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/create",
+                "alerting:observability.rules.custom_threshold/observability/rule/delete",
+                "alerting:observability.rules.custom_threshold/observability/rule/update",
+                "alerting:observability.rules.custom_threshold/observability/rule/updateApiKey",
+                "alerting:observability.rules.custom_threshold/observability/rule/enable",
+                "alerting:observability.rules.custom_threshold/observability/rule/disable",
+                "alerting:observability.rules.custom_threshold/observability/rule/muteAll",
+                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAll",
+                "alerting:observability.rules.custom_threshold/observability/rule/muteAlert",
+                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAlert",
+                "alerting:observability.rules.custom_threshold/observability/rule/snooze",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkEdit",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkDelete",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkEnable",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkDisable",
+                "alerting:observability.rules.custom_threshold/observability/rule/unsnooze",
+                "alerting:observability.rules.custom_threshold/observability/rule/runSoon",
+                "alerting:observability.rules.custom_threshold/observability/rule/scheduleBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/deleteBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/get",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/find",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/create",
+                "alerting:observability.rules.custom_threshold/alerts/rule/delete",
+                "alerting:observability.rules.custom_threshold/alerts/rule/update",
+                "alerting:observability.rules.custom_threshold/alerts/rule/updateApiKey",
+                "alerting:observability.rules.custom_threshold/alerts/rule/enable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/disable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/muteAll",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unmuteAll",
+                "alerting:observability.rules.custom_threshold/alerts/rule/muteAlert",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unmuteAlert",
+                "alerting:observability.rules.custom_threshold/alerts/rule/snooze",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkEdit",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkDelete",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkEnable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkDisable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unsnooze",
+                "alerting:observability.rules.custom_threshold/alerts/rule/runSoon",
+                "alerting:observability.rules.custom_threshold/alerts/rule/scheduleBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/deleteBackfill",
+                "alerting:.es-query/observability/rule/get",
+                "alerting:.es-query/observability/rule/getRuleState",
+                "alerting:.es-query/observability/rule/getAlertSummary",
+                "alerting:.es-query/observability/rule/getExecutionLog",
+                "alerting:.es-query/observability/rule/getActionErrorLog",
+                "alerting:.es-query/observability/rule/find",
+                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
+                "alerting:.es-query/observability/rule/getBackfill",
+                "alerting:.es-query/observability/rule/findBackfill",
+                "alerting:.es-query/observability/rule/create",
+                "alerting:.es-query/observability/rule/delete",
+                "alerting:.es-query/observability/rule/update",
+                "alerting:.es-query/observability/rule/updateApiKey",
+                "alerting:.es-query/observability/rule/enable",
+                "alerting:.es-query/observability/rule/disable",
+                "alerting:.es-query/observability/rule/muteAll",
+                "alerting:.es-query/observability/rule/unmuteAll",
+                "alerting:.es-query/observability/rule/muteAlert",
+                "alerting:.es-query/observability/rule/unmuteAlert",
+                "alerting:.es-query/observability/rule/snooze",
+                "alerting:.es-query/observability/rule/bulkEdit",
+                "alerting:.es-query/observability/rule/bulkDelete",
+                "alerting:.es-query/observability/rule/bulkEnable",
+                "alerting:.es-query/observability/rule/bulkDisable",
+                "alerting:.es-query/observability/rule/unsnooze",
+                "alerting:.es-query/observability/rule/runSoon",
+                "alerting:.es-query/observability/rule/scheduleBackfill",
+                "alerting:.es-query/observability/rule/deleteBackfill",
+                "alerting:.es-query/alerts/rule/get",
+                "alerting:.es-query/alerts/rule/getRuleState",
+                "alerting:.es-query/alerts/rule/getAlertSummary",
+                "alerting:.es-query/alerts/rule/getExecutionLog",
+                "alerting:.es-query/alerts/rule/getActionErrorLog",
+                "alerting:.es-query/alerts/rule/find",
+                "alerting:.es-query/alerts/rule/getRuleExecutionKPI",
+                "alerting:.es-query/alerts/rule/getBackfill",
+                "alerting:.es-query/alerts/rule/findBackfill",
+                "alerting:.es-query/alerts/rule/create",
+                "alerting:.es-query/alerts/rule/delete",
+                "alerting:.es-query/alerts/rule/update",
+                "alerting:.es-query/alerts/rule/updateApiKey",
+                "alerting:.es-query/alerts/rule/enable",
+                "alerting:.es-query/alerts/rule/disable",
+                "alerting:.es-query/alerts/rule/muteAll",
+                "alerting:.es-query/alerts/rule/unmuteAll",
+                "alerting:.es-query/alerts/rule/muteAlert",
+                "alerting:.es-query/alerts/rule/unmuteAlert",
+                "alerting:.es-query/alerts/rule/snooze",
+                "alerting:.es-query/alerts/rule/bulkEdit",
+                "alerting:.es-query/alerts/rule/bulkDelete",
+                "alerting:.es-query/alerts/rule/bulkEnable",
+                "alerting:.es-query/alerts/rule/bulkDisable",
+                "alerting:.es-query/alerts/rule/unsnooze",
+                "alerting:.es-query/alerts/rule/runSoon",
+                "alerting:.es-query/alerts/rule/scheduleBackfill",
+                "alerting:.es-query/alerts/rule/deleteBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/deleteBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/deleteBackfill",
                 "alerting:apm.error_rate/observability/alert/get",
                 "alerting:apm.error_rate/observability/alert/find",
                 "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.error_rate/observability/alert/getAlertSummary",
                 "alerting:apm.error_rate/observability/alert/update",
+                "alerting:apm.error_rate/alerts/alert/get",
+                "alerting:apm.error_rate/alerts/alert/find",
+                "alerting:apm.error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/alerts/alert/getAlertSummary",
+                "alerting:apm.error_rate/alerts/alert/update",
                 "alerting:apm.transaction_error_rate/observability/alert/get",
                 "alerting:apm.transaction_error_rate/observability/alert/find",
                 "alerting:apm.transaction_error_rate/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_error_rate/observability/alert/getAlertSummary",
                 "alerting:apm.transaction_error_rate/observability/alert/update",
+                "alerting:apm.transaction_error_rate/alerts/alert/get",
+                "alerting:apm.transaction_error_rate/alerts/alert/find",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/alert/update",
                 "alerting:apm.transaction_duration/observability/alert/get",
                 "alerting:apm.transaction_duration/observability/alert/find",
                 "alerting:apm.transaction_duration/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_duration/observability/alert/getAlertSummary",
                 "alerting:apm.transaction_duration/observability/alert/update",
+                "alerting:apm.transaction_duration/alerts/alert/get",
+                "alerting:apm.transaction_duration/alerts/alert/find",
+                "alerting:apm.transaction_duration/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/alerts/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/alert/update",
                 "alerting:apm.anomaly/observability/alert/get",
                 "alerting:apm.anomaly/observability/alert/find",
                 "alerting:apm.anomaly/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.anomaly/observability/alert/getAlertSummary",
                 "alerting:apm.anomaly/observability/alert/update",
+                "alerting:apm.anomaly/alerts/alert/get",
+                "alerting:apm.anomaly/alerts/alert/find",
+                "alerting:apm.anomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/alerts/alert/getAlertSummary",
+                "alerting:apm.anomaly/alerts/alert/update",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAlertSummary",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/update",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/get",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/find",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/update",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/update",
+                "alerting:metrics.alert.threshold/observability/alert/get",
+                "alerting:metrics.alert.threshold/observability/alert/find",
+                "alerting:metrics.alert.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/alert/update",
+                "alerting:metrics.alert.threshold/alerts/alert/get",
+                "alerting:metrics.alert.threshold/alerts/alert/find",
+                "alerting:metrics.alert.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/alert/update",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/update",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/update",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/update",
+                "alerting:logs.alert.document.count/observability/alert/get",
+                "alerting:logs.alert.document.count/observability/alert/find",
+                "alerting:logs.alert.document.count/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/observability/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/alert/update",
+                "alerting:logs.alert.document.count/alerts/alert/get",
+                "alerting:logs.alert.document.count/alerts/alert/find",
+                "alerting:logs.alert.document.count/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/alerts/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/alert/update",
+                "alerting:slo.rules.burnRate/observability/alert/get",
+                "alerting:slo.rules.burnRate/observability/alert/find",
+                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/alert/update",
+                "alerting:observability.rules.custom_threshold/observability/alert/get",
+                "alerting:observability.rules.custom_threshold/observability/alert/find",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/alert/update",
+                "alerting:observability.rules.custom_threshold/alerts/alert/get",
+                "alerting:observability.rules.custom_threshold/alerts/alert/find",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/alert/update",
+                "alerting:.es-query/observability/alert/get",
+                "alerting:.es-query/observability/alert/find",
+                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/observability/alert/getAlertSummary",
+                "alerting:.es-query/observability/alert/update",
+                "alerting:.es-query/alerts/alert/get",
+                "alerting:.es-query/alerts/alert/find",
+                "alerting:.es-query/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/alerts/alert/getAlertSummary",
+                "alerting:.es-query/alerts/alert/update",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/update",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/update",
               ],
               "minimal_read": Array [
                 "login:",
@@ -8324,58 +16559,26 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:slo.rules.burnRate/slo/rule/getRuleExecutionKPI",
                 "alerting:slo.rules.burnRate/slo/rule/getBackfill",
                 "alerting:slo.rules.burnRate/slo/rule/findBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/get",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleState",
+                "alerting:slo.rules.burnRate/alerts/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/alerts/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/alerts/rule/find",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/alerts/rule/getBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/findBackfill",
                 "alerting:slo.rules.burnRate/slo/alert/get",
                 "alerting:slo.rules.burnRate/slo/alert/find",
                 "alerting:slo.rules.burnRate/slo/alert/getAuthorizedAlertsIndices",
                 "alerting:slo.rules.burnRate/slo/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/alert/get",
+                "alerting:slo.rules.burnRate/alerts/alert/find",
+                "alerting:slo.rules.burnRate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/alerts/alert/getAlertSummary",
                 "app:observability",
                 "ui:navLinks/observability",
                 "ui:observability/read",
-                "alerting:slo.rules.burnRate/observability/rule/get",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
-                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
-                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
-                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
-                "alerting:slo.rules.burnRate/observability/rule/find",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
-                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/get",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
-                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/find",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
-                "alerting:.es-query/observability/rule/get",
-                "alerting:.es-query/observability/rule/getRuleState",
-                "alerting:.es-query/observability/rule/getAlertSummary",
-                "alerting:.es-query/observability/rule/getExecutionLog",
-                "alerting:.es-query/observability/rule/getActionErrorLog",
-                "alerting:.es-query/observability/rule/find",
-                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
-                "alerting:.es-query/observability/rule/getBackfill",
-                "alerting:.es-query/observability/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
                 "alerting:apm.error_rate/observability/rule/get",
                 "alerting:apm.error_rate/observability/rule/getRuleState",
                 "alerting:apm.error_rate/observability/rule/getAlertSummary",
@@ -8385,6 +16588,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.error_rate/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.error_rate/observability/rule/getBackfill",
                 "alerting:apm.error_rate/observability/rule/findBackfill",
+                "alerting:apm.error_rate/alerts/rule/get",
+                "alerting:apm.error_rate/alerts/rule/getRuleState",
+                "alerting:apm.error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.error_rate/alerts/rule/find",
+                "alerting:apm.error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/alerts/rule/getBackfill",
+                "alerting:apm.error_rate/alerts/rule/findBackfill",
                 "alerting:apm.transaction_error_rate/observability/rule/get",
                 "alerting:apm.transaction_error_rate/observability/rule/getRuleState",
                 "alerting:apm.transaction_error_rate/observability/rule/getAlertSummary",
@@ -8394,6 +16606,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.transaction_error_rate/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.transaction_error_rate/observability/rule/getBackfill",
                 "alerting:apm.transaction_error_rate/observability/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/get",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/find",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/alerts/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/findBackfill",
                 "alerting:apm.transaction_duration/observability/rule/get",
                 "alerting:apm.transaction_duration/observability/rule/getRuleState",
                 "alerting:apm.transaction_duration/observability/rule/getAlertSummary",
@@ -8403,6 +16624,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.transaction_duration/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.transaction_duration/observability/rule/getBackfill",
                 "alerting:apm.transaction_duration/observability/rule/findBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/get",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleState",
+                "alerting:apm.transaction_duration/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/alerts/rule/find",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/alerts/rule/getBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/findBackfill",
                 "alerting:apm.anomaly/observability/rule/get",
                 "alerting:apm.anomaly/observability/rule/getRuleState",
                 "alerting:apm.anomaly/observability/rule/getAlertSummary",
@@ -8412,6 +16642,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.anomaly/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.anomaly/observability/rule/getBackfill",
                 "alerting:apm.anomaly/observability/rule/findBackfill",
+                "alerting:apm.anomaly/alerts/rule/get",
+                "alerting:apm.anomaly/alerts/rule/getRuleState",
+                "alerting:apm.anomaly/alerts/rule/getAlertSummary",
+                "alerting:apm.anomaly/alerts/rule/getExecutionLog",
+                "alerting:apm.anomaly/alerts/rule/getActionErrorLog",
+                "alerting:apm.anomaly/alerts/rule/find",
+                "alerting:apm.anomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/alerts/rule/getBackfill",
+                "alerting:apm.anomaly/alerts/rule/findBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getAlertSummary",
@@ -8421,6 +16660,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/findBackfill",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/get",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getAlertSummary",
@@ -8430,50 +16678,336 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleExecutionKPI",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getBackfill",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/findBackfill",
-                "alerting:slo.rules.burnRate/observability/alert/get",
-                "alerting:slo.rules.burnRate/observability/alert/find",
-                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/alert/get",
-                "alerting:observability.rules.custom_threshold/observability/alert/find",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
-                "alerting:.es-query/observability/alert/get",
-                "alerting:.es-query/observability/alert/find",
-                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/observability/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/findBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/get",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/observability/rule/find",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/get",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/alerts/rule/find",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/findBackfill",
+                "alerting:logs.alert.document.count/observability/rule/get",
+                "alerting:logs.alert.document.count/observability/rule/getRuleState",
+                "alerting:logs.alert.document.count/observability/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/observability/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/observability/rule/find",
+                "alerting:logs.alert.document.count/observability/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/observability/rule/getBackfill",
+                "alerting:logs.alert.document.count/observability/rule/findBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/get",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleState",
+                "alerting:logs.alert.document.count/alerts/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/alerts/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/alerts/rule/find",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/alerts/rule/getBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/findBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/get",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
+                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/observability/rule/find",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/get",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/find",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/get",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/find",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/findBackfill",
+                "alerting:.es-query/observability/rule/get",
+                "alerting:.es-query/observability/rule/getRuleState",
+                "alerting:.es-query/observability/rule/getAlertSummary",
+                "alerting:.es-query/observability/rule/getExecutionLog",
+                "alerting:.es-query/observability/rule/getActionErrorLog",
+                "alerting:.es-query/observability/rule/find",
+                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
+                "alerting:.es-query/observability/rule/getBackfill",
+                "alerting:.es-query/observability/rule/findBackfill",
+                "alerting:.es-query/alerts/rule/get",
+                "alerting:.es-query/alerts/rule/getRuleState",
+                "alerting:.es-query/alerts/rule/getAlertSummary",
+                "alerting:.es-query/alerts/rule/getExecutionLog",
+                "alerting:.es-query/alerts/rule/getActionErrorLog",
+                "alerting:.es-query/alerts/rule/find",
+                "alerting:.es-query/alerts/rule/getRuleExecutionKPI",
+                "alerting:.es-query/alerts/rule/getBackfill",
+                "alerting:.es-query/alerts/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/findBackfill",
                 "alerting:apm.error_rate/observability/alert/get",
                 "alerting:apm.error_rate/observability/alert/find",
                 "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.error_rate/alerts/alert/get",
+                "alerting:apm.error_rate/alerts/alert/find",
+                "alerting:apm.error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/alerts/alert/getAlertSummary",
                 "alerting:apm.transaction_error_rate/observability/alert/get",
                 "alerting:apm.transaction_error_rate/observability/alert/find",
                 "alerting:apm.transaction_error_rate/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/alert/get",
+                "alerting:apm.transaction_error_rate/alerts/alert/find",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAlertSummary",
                 "alerting:apm.transaction_duration/observability/alert/get",
                 "alerting:apm.transaction_duration/observability/alert/find",
                 "alerting:apm.transaction_duration/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_duration/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/alert/get",
+                "alerting:apm.transaction_duration/alerts/alert/find",
+                "alerting:apm.transaction_duration/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/alerts/alert/getAlertSummary",
                 "alerting:apm.anomaly/observability/alert/get",
                 "alerting:apm.anomaly/observability/alert/find",
                 "alerting:apm.anomaly/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.anomaly/observability/alert/getAlertSummary",
+                "alerting:apm.anomaly/alerts/alert/get",
+                "alerting:apm.anomaly/alerts/alert/find",
+                "alerting:apm.anomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/alerts/alert/getAlertSummary",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAlertSummary",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/get",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/find",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/alert/get",
+                "alerting:metrics.alert.threshold/observability/alert/find",
+                "alerting:metrics.alert.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/alert/get",
+                "alerting:metrics.alert.threshold/alerts/alert/find",
+                "alerting:metrics.alert.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/alert/get",
+                "alerting:logs.alert.document.count/observability/alert/find",
+                "alerting:logs.alert.document.count/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/observability/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/alert/get",
+                "alerting:logs.alert.document.count/alerts/alert/find",
+                "alerting:logs.alert.document.count/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/alerts/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/alert/get",
+                "alerting:slo.rules.burnRate/observability/alert/find",
+                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/alert/get",
+                "alerting:observability.rules.custom_threshold/observability/alert/find",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/alert/get",
+                "alerting:observability.rules.custom_threshold/alerts/alert/find",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAlertSummary",
+                "alerting:.es-query/observability/alert/get",
+                "alerting:.es-query/observability/alert/find",
+                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/observability/alert/getAlertSummary",
+                "alerting:.es-query/alerts/alert/get",
+                "alerting:.es-query/alerts/alert/find",
+                "alerting:.es-query/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/alerts/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAlertSummary",
               ],
               "read": Array [
                 "login:",
@@ -8525,58 +17059,26 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:slo.rules.burnRate/slo/rule/getRuleExecutionKPI",
                 "alerting:slo.rules.burnRate/slo/rule/getBackfill",
                 "alerting:slo.rules.burnRate/slo/rule/findBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/get",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleState",
+                "alerting:slo.rules.burnRate/alerts/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/alerts/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/alerts/rule/find",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/alerts/rule/getBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/findBackfill",
                 "alerting:slo.rules.burnRate/slo/alert/get",
                 "alerting:slo.rules.burnRate/slo/alert/find",
                 "alerting:slo.rules.burnRate/slo/alert/getAuthorizedAlertsIndices",
                 "alerting:slo.rules.burnRate/slo/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/alert/get",
+                "alerting:slo.rules.burnRate/alerts/alert/find",
+                "alerting:slo.rules.burnRate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/alerts/alert/getAlertSummary",
                 "app:observability",
                 "ui:navLinks/observability",
                 "ui:observability/read",
-                "alerting:slo.rules.burnRate/observability/rule/get",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
-                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
-                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
-                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
-                "alerting:slo.rules.burnRate/observability/rule/find",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
-                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/get",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
-                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/find",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
-                "alerting:.es-query/observability/rule/get",
-                "alerting:.es-query/observability/rule/getRuleState",
-                "alerting:.es-query/observability/rule/getAlertSummary",
-                "alerting:.es-query/observability/rule/getExecutionLog",
-                "alerting:.es-query/observability/rule/getActionErrorLog",
-                "alerting:.es-query/observability/rule/find",
-                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
-                "alerting:.es-query/observability/rule/getBackfill",
-                "alerting:.es-query/observability/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
                 "alerting:apm.error_rate/observability/rule/get",
                 "alerting:apm.error_rate/observability/rule/getRuleState",
                 "alerting:apm.error_rate/observability/rule/getAlertSummary",
@@ -8586,6 +17088,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.error_rate/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.error_rate/observability/rule/getBackfill",
                 "alerting:apm.error_rate/observability/rule/findBackfill",
+                "alerting:apm.error_rate/alerts/rule/get",
+                "alerting:apm.error_rate/alerts/rule/getRuleState",
+                "alerting:apm.error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.error_rate/alerts/rule/find",
+                "alerting:apm.error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/alerts/rule/getBackfill",
+                "alerting:apm.error_rate/alerts/rule/findBackfill",
                 "alerting:apm.transaction_error_rate/observability/rule/get",
                 "alerting:apm.transaction_error_rate/observability/rule/getRuleState",
                 "alerting:apm.transaction_error_rate/observability/rule/getAlertSummary",
@@ -8595,6 +17106,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.transaction_error_rate/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.transaction_error_rate/observability/rule/getBackfill",
                 "alerting:apm.transaction_error_rate/observability/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/get",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/find",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/alerts/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/findBackfill",
                 "alerting:apm.transaction_duration/observability/rule/get",
                 "alerting:apm.transaction_duration/observability/rule/getRuleState",
                 "alerting:apm.transaction_duration/observability/rule/getAlertSummary",
@@ -8604,6 +17124,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.transaction_duration/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.transaction_duration/observability/rule/getBackfill",
                 "alerting:apm.transaction_duration/observability/rule/findBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/get",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleState",
+                "alerting:apm.transaction_duration/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/alerts/rule/find",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/alerts/rule/getBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/findBackfill",
                 "alerting:apm.anomaly/observability/rule/get",
                 "alerting:apm.anomaly/observability/rule/getRuleState",
                 "alerting:apm.anomaly/observability/rule/getAlertSummary",
@@ -8613,6 +17142,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.anomaly/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.anomaly/observability/rule/getBackfill",
                 "alerting:apm.anomaly/observability/rule/findBackfill",
+                "alerting:apm.anomaly/alerts/rule/get",
+                "alerting:apm.anomaly/alerts/rule/getRuleState",
+                "alerting:apm.anomaly/alerts/rule/getAlertSummary",
+                "alerting:apm.anomaly/alerts/rule/getExecutionLog",
+                "alerting:apm.anomaly/alerts/rule/getActionErrorLog",
+                "alerting:apm.anomaly/alerts/rule/find",
+                "alerting:apm.anomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/alerts/rule/getBackfill",
+                "alerting:apm.anomaly/alerts/rule/findBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getAlertSummary",
@@ -8622,6 +17160,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/findBackfill",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/get",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getAlertSummary",
@@ -8631,50 +17178,336 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleExecutionKPI",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getBackfill",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/findBackfill",
-                "alerting:slo.rules.burnRate/observability/alert/get",
-                "alerting:slo.rules.burnRate/observability/alert/find",
-                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/alert/get",
-                "alerting:observability.rules.custom_threshold/observability/alert/find",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
-                "alerting:.es-query/observability/alert/get",
-                "alerting:.es-query/observability/alert/find",
-                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/observability/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/findBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/get",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/observability/rule/find",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/get",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/alerts/rule/find",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/findBackfill",
+                "alerting:logs.alert.document.count/observability/rule/get",
+                "alerting:logs.alert.document.count/observability/rule/getRuleState",
+                "alerting:logs.alert.document.count/observability/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/observability/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/observability/rule/find",
+                "alerting:logs.alert.document.count/observability/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/observability/rule/getBackfill",
+                "alerting:logs.alert.document.count/observability/rule/findBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/get",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleState",
+                "alerting:logs.alert.document.count/alerts/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/alerts/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/alerts/rule/find",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/alerts/rule/getBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/findBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/get",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
+                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/observability/rule/find",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/get",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/find",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/get",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/find",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/findBackfill",
+                "alerting:.es-query/observability/rule/get",
+                "alerting:.es-query/observability/rule/getRuleState",
+                "alerting:.es-query/observability/rule/getAlertSummary",
+                "alerting:.es-query/observability/rule/getExecutionLog",
+                "alerting:.es-query/observability/rule/getActionErrorLog",
+                "alerting:.es-query/observability/rule/find",
+                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
+                "alerting:.es-query/observability/rule/getBackfill",
+                "alerting:.es-query/observability/rule/findBackfill",
+                "alerting:.es-query/alerts/rule/get",
+                "alerting:.es-query/alerts/rule/getRuleState",
+                "alerting:.es-query/alerts/rule/getAlertSummary",
+                "alerting:.es-query/alerts/rule/getExecutionLog",
+                "alerting:.es-query/alerts/rule/getActionErrorLog",
+                "alerting:.es-query/alerts/rule/find",
+                "alerting:.es-query/alerts/rule/getRuleExecutionKPI",
+                "alerting:.es-query/alerts/rule/getBackfill",
+                "alerting:.es-query/alerts/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/findBackfill",
                 "alerting:apm.error_rate/observability/alert/get",
                 "alerting:apm.error_rate/observability/alert/find",
                 "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.error_rate/alerts/alert/get",
+                "alerting:apm.error_rate/alerts/alert/find",
+                "alerting:apm.error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/alerts/alert/getAlertSummary",
                 "alerting:apm.transaction_error_rate/observability/alert/get",
                 "alerting:apm.transaction_error_rate/observability/alert/find",
                 "alerting:apm.transaction_error_rate/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/alert/get",
+                "alerting:apm.transaction_error_rate/alerts/alert/find",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAlertSummary",
                 "alerting:apm.transaction_duration/observability/alert/get",
                 "alerting:apm.transaction_duration/observability/alert/find",
                 "alerting:apm.transaction_duration/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_duration/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/alert/get",
+                "alerting:apm.transaction_duration/alerts/alert/find",
+                "alerting:apm.transaction_duration/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/alerts/alert/getAlertSummary",
                 "alerting:apm.anomaly/observability/alert/get",
                 "alerting:apm.anomaly/observability/alert/find",
                 "alerting:apm.anomaly/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.anomaly/observability/alert/getAlertSummary",
+                "alerting:apm.anomaly/alerts/alert/get",
+                "alerting:apm.anomaly/alerts/alert/find",
+                "alerting:apm.anomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/alerts/alert/getAlertSummary",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAlertSummary",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/get",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/find",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/alert/get",
+                "alerting:metrics.alert.threshold/observability/alert/find",
+                "alerting:metrics.alert.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/alert/get",
+                "alerting:metrics.alert.threshold/alerts/alert/find",
+                "alerting:metrics.alert.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/alert/get",
+                "alerting:logs.alert.document.count/observability/alert/find",
+                "alerting:logs.alert.document.count/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/observability/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/alert/get",
+                "alerting:logs.alert.document.count/alerts/alert/find",
+                "alerting:logs.alert.document.count/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/alerts/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/alert/get",
+                "alerting:slo.rules.burnRate/observability/alert/find",
+                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/alert/get",
+                "alerting:observability.rules.custom_threshold/observability/alert/find",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/alert/get",
+                "alerting:observability.rules.custom_threshold/alerts/alert/find",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAlertSummary",
+                "alerting:.es-query/observability/alert/get",
+                "alerting:.es-query/observability/alert/find",
+                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/observability/alert/getAlertSummary",
+                "alerting:.es-query/alerts/alert/get",
+                "alerting:.es-query/alerts/alert/find",
+                "alerting:.es-query/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/alerts/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAlertSummary",
               ],
             },
             "uptime": Object {
@@ -8838,6 +17671,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.uptime.alerts.tls/uptime/rule/runSoon",
                 "alerting:xpack.uptime.alerts.tls/uptime/rule/scheduleBackfill",
                 "alerting:xpack.uptime.alerts.tls/uptime/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/deleteBackfill",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/rule/get",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/rule/getRuleState",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/rule/getAlertSummary",
@@ -8866,6 +17727,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/rule/runSoon",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/rule/scheduleBackfill",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/deleteBackfill",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/rule/get",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/rule/getRuleState",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/rule/getAlertSummary",
@@ -8894,6 +17783,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/rule/runSoon",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/rule/scheduleBackfill",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/deleteBackfill",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/rule/get",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/rule/getRuleState",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/rule/getAlertSummary",
@@ -8922,6 +17839,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/rule/runSoon",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/rule/scheduleBackfill",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/deleteBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/getAlertSummary",
@@ -8950,6 +17895,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/runSoon",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/scheduleBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/deleteBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/create",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/delete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/enable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/disable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/snooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/deleteBackfill",
                 "alerting:xpack.synthetics.alerts.tls/uptime/rule/get",
                 "alerting:xpack.synthetics.alerts.tls/uptime/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.tls/uptime/rule/getAlertSummary",
@@ -8978,181 +17951,99 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.tls/uptime/rule/runSoon",
                 "alerting:xpack.synthetics.alerts.tls/uptime/rule/scheduleBackfill",
                 "alerting:xpack.synthetics.alerts.tls/uptime/rule/deleteBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/create",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/delete",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/update",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/enable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/disable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/snooze",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/deleteBackfill",
                 "alerting:xpack.uptime.alerts.tls/uptime/alert/get",
                 "alerting:xpack.uptime.alerts.tls/uptime/alert/find",
                 "alerting:xpack.uptime.alerts.tls/uptime/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.uptime.alerts.tls/uptime/alert/getAlertSummary",
                 "alerting:xpack.uptime.alerts.tls/uptime/alert/update",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/update",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/alert/get",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/alert/find",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/alert/getAlertSummary",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/alert/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/update",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/alert/get",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/alert/find",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/alert/getAlertSummary",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/alert/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/update",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/alert/get",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/alert/find",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/alert/getAlertSummary",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/alert/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/update",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/alert/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/alert/find",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/alert/getAlertSummary",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/alert/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/update",
                 "alerting:xpack.synthetics.alerts.tls/uptime/alert/get",
                 "alerting:xpack.synthetics.alerts.tls/uptime/alert/find",
                 "alerting:xpack.synthetics.alerts.tls/uptime/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.tls/uptime/alert/getAlertSummary",
                 "alerting:xpack.synthetics.alerts.tls/uptime/alert/update",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/update",
                 "app:observability",
                 "ui:catalogue/observability",
                 "ui:navLinks/observability",
                 "ui:observability/read",
                 "ui:observability/write",
-                "alerting:slo.rules.burnRate/observability/rule/get",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
-                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
-                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
-                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
-                "alerting:slo.rules.burnRate/observability/rule/find",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
-                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/create",
-                "alerting:slo.rules.burnRate/observability/rule/delete",
-                "alerting:slo.rules.burnRate/observability/rule/update",
-                "alerting:slo.rules.burnRate/observability/rule/updateApiKey",
-                "alerting:slo.rules.burnRate/observability/rule/enable",
-                "alerting:slo.rules.burnRate/observability/rule/disable",
-                "alerting:slo.rules.burnRate/observability/rule/muteAll",
-                "alerting:slo.rules.burnRate/observability/rule/unmuteAll",
-                "alerting:slo.rules.burnRate/observability/rule/muteAlert",
-                "alerting:slo.rules.burnRate/observability/rule/unmuteAlert",
-                "alerting:slo.rules.burnRate/observability/rule/snooze",
-                "alerting:slo.rules.burnRate/observability/rule/bulkEdit",
-                "alerting:slo.rules.burnRate/observability/rule/bulkDelete",
-                "alerting:slo.rules.burnRate/observability/rule/bulkEnable",
-                "alerting:slo.rules.burnRate/observability/rule/bulkDisable",
-                "alerting:slo.rules.burnRate/observability/rule/unsnooze",
-                "alerting:slo.rules.burnRate/observability/rule/runSoon",
-                "alerting:slo.rules.burnRate/observability/rule/scheduleBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/deleteBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/get",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
-                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/find",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/create",
-                "alerting:observability.rules.custom_threshold/observability/rule/delete",
-                "alerting:observability.rules.custom_threshold/observability/rule/update",
-                "alerting:observability.rules.custom_threshold/observability/rule/updateApiKey",
-                "alerting:observability.rules.custom_threshold/observability/rule/enable",
-                "alerting:observability.rules.custom_threshold/observability/rule/disable",
-                "alerting:observability.rules.custom_threshold/observability/rule/muteAll",
-                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAll",
-                "alerting:observability.rules.custom_threshold/observability/rule/muteAlert",
-                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAlert",
-                "alerting:observability.rules.custom_threshold/observability/rule/snooze",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkEdit",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkDelete",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkEnable",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkDisable",
-                "alerting:observability.rules.custom_threshold/observability/rule/unsnooze",
-                "alerting:observability.rules.custom_threshold/observability/rule/runSoon",
-                "alerting:observability.rules.custom_threshold/observability/rule/scheduleBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/deleteBackfill",
-                "alerting:.es-query/observability/rule/get",
-                "alerting:.es-query/observability/rule/getRuleState",
-                "alerting:.es-query/observability/rule/getAlertSummary",
-                "alerting:.es-query/observability/rule/getExecutionLog",
-                "alerting:.es-query/observability/rule/getActionErrorLog",
-                "alerting:.es-query/observability/rule/find",
-                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
-                "alerting:.es-query/observability/rule/getBackfill",
-                "alerting:.es-query/observability/rule/findBackfill",
-                "alerting:.es-query/observability/rule/create",
-                "alerting:.es-query/observability/rule/delete",
-                "alerting:.es-query/observability/rule/update",
-                "alerting:.es-query/observability/rule/updateApiKey",
-                "alerting:.es-query/observability/rule/enable",
-                "alerting:.es-query/observability/rule/disable",
-                "alerting:.es-query/observability/rule/muteAll",
-                "alerting:.es-query/observability/rule/unmuteAll",
-                "alerting:.es-query/observability/rule/muteAlert",
-                "alerting:.es-query/observability/rule/unmuteAlert",
-                "alerting:.es-query/observability/rule/snooze",
-                "alerting:.es-query/observability/rule/bulkEdit",
-                "alerting:.es-query/observability/rule/bulkDelete",
-                "alerting:.es-query/observability/rule/bulkEnable",
-                "alerting:.es-query/observability/rule/bulkDisable",
-                "alerting:.es-query/observability/rule/unsnooze",
-                "alerting:.es-query/observability/rule/runSoon",
-                "alerting:.es-query/observability/rule/scheduleBackfill",
-                "alerting:.es-query/observability/rule/deleteBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/create",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/delete",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/update",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/updateApiKey",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/enable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/disable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/snooze",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEdit",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDelete",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEnable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDisable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unsnooze",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/runSoon",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/scheduleBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/deleteBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/create",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/delete",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/update",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/updateApiKey",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/enable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/disable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAll",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAll",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAlert",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAlert",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/snooze",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEdit",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDelete",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEnable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDisable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unsnooze",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/runSoon",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/scheduleBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/deleteBackfill",
                 "alerting:apm.error_rate/observability/rule/get",
                 "alerting:apm.error_rate/observability/rule/getRuleState",
                 "alerting:apm.error_rate/observability/rule/getAlertSummary",
@@ -9181,6 +18072,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.error_rate/observability/rule/runSoon",
                 "alerting:apm.error_rate/observability/rule/scheduleBackfill",
                 "alerting:apm.error_rate/observability/rule/deleteBackfill",
+                "alerting:apm.error_rate/alerts/rule/get",
+                "alerting:apm.error_rate/alerts/rule/getRuleState",
+                "alerting:apm.error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.error_rate/alerts/rule/find",
+                "alerting:apm.error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/alerts/rule/getBackfill",
+                "alerting:apm.error_rate/alerts/rule/findBackfill",
+                "alerting:apm.error_rate/alerts/rule/create",
+                "alerting:apm.error_rate/alerts/rule/delete",
+                "alerting:apm.error_rate/alerts/rule/update",
+                "alerting:apm.error_rate/alerts/rule/updateApiKey",
+                "alerting:apm.error_rate/alerts/rule/enable",
+                "alerting:apm.error_rate/alerts/rule/disable",
+                "alerting:apm.error_rate/alerts/rule/muteAll",
+                "alerting:apm.error_rate/alerts/rule/unmuteAll",
+                "alerting:apm.error_rate/alerts/rule/muteAlert",
+                "alerting:apm.error_rate/alerts/rule/unmuteAlert",
+                "alerting:apm.error_rate/alerts/rule/snooze",
+                "alerting:apm.error_rate/alerts/rule/bulkEdit",
+                "alerting:apm.error_rate/alerts/rule/bulkDelete",
+                "alerting:apm.error_rate/alerts/rule/bulkEnable",
+                "alerting:apm.error_rate/alerts/rule/bulkDisable",
+                "alerting:apm.error_rate/alerts/rule/unsnooze",
+                "alerting:apm.error_rate/alerts/rule/runSoon",
+                "alerting:apm.error_rate/alerts/rule/scheduleBackfill",
+                "alerting:apm.error_rate/alerts/rule/deleteBackfill",
                 "alerting:apm.transaction_error_rate/observability/rule/get",
                 "alerting:apm.transaction_error_rate/observability/rule/getRuleState",
                 "alerting:apm.transaction_error_rate/observability/rule/getAlertSummary",
@@ -9209,6 +18128,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.transaction_error_rate/observability/rule/runSoon",
                 "alerting:apm.transaction_error_rate/observability/rule/scheduleBackfill",
                 "alerting:apm.transaction_error_rate/observability/rule/deleteBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/get",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/find",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/alerts/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/create",
+                "alerting:apm.transaction_error_rate/alerts/rule/delete",
+                "alerting:apm.transaction_error_rate/alerts/rule/update",
+                "alerting:apm.transaction_error_rate/alerts/rule/updateApiKey",
+                "alerting:apm.transaction_error_rate/alerts/rule/enable",
+                "alerting:apm.transaction_error_rate/alerts/rule/disable",
+                "alerting:apm.transaction_error_rate/alerts/rule/muteAll",
+                "alerting:apm.transaction_error_rate/alerts/rule/unmuteAll",
+                "alerting:apm.transaction_error_rate/alerts/rule/muteAlert",
+                "alerting:apm.transaction_error_rate/alerts/rule/unmuteAlert",
+                "alerting:apm.transaction_error_rate/alerts/rule/snooze",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkEdit",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkDelete",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkEnable",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkDisable",
+                "alerting:apm.transaction_error_rate/alerts/rule/unsnooze",
+                "alerting:apm.transaction_error_rate/alerts/rule/runSoon",
+                "alerting:apm.transaction_error_rate/alerts/rule/scheduleBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/deleteBackfill",
                 "alerting:apm.transaction_duration/observability/rule/get",
                 "alerting:apm.transaction_duration/observability/rule/getRuleState",
                 "alerting:apm.transaction_duration/observability/rule/getAlertSummary",
@@ -9237,6 +18184,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.transaction_duration/observability/rule/runSoon",
                 "alerting:apm.transaction_duration/observability/rule/scheduleBackfill",
                 "alerting:apm.transaction_duration/observability/rule/deleteBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/get",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleState",
+                "alerting:apm.transaction_duration/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/alerts/rule/find",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/alerts/rule/getBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/findBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/create",
+                "alerting:apm.transaction_duration/alerts/rule/delete",
+                "alerting:apm.transaction_duration/alerts/rule/update",
+                "alerting:apm.transaction_duration/alerts/rule/updateApiKey",
+                "alerting:apm.transaction_duration/alerts/rule/enable",
+                "alerting:apm.transaction_duration/alerts/rule/disable",
+                "alerting:apm.transaction_duration/alerts/rule/muteAll",
+                "alerting:apm.transaction_duration/alerts/rule/unmuteAll",
+                "alerting:apm.transaction_duration/alerts/rule/muteAlert",
+                "alerting:apm.transaction_duration/alerts/rule/unmuteAlert",
+                "alerting:apm.transaction_duration/alerts/rule/snooze",
+                "alerting:apm.transaction_duration/alerts/rule/bulkEdit",
+                "alerting:apm.transaction_duration/alerts/rule/bulkDelete",
+                "alerting:apm.transaction_duration/alerts/rule/bulkEnable",
+                "alerting:apm.transaction_duration/alerts/rule/bulkDisable",
+                "alerting:apm.transaction_duration/alerts/rule/unsnooze",
+                "alerting:apm.transaction_duration/alerts/rule/runSoon",
+                "alerting:apm.transaction_duration/alerts/rule/scheduleBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/deleteBackfill",
                 "alerting:apm.anomaly/observability/rule/get",
                 "alerting:apm.anomaly/observability/rule/getRuleState",
                 "alerting:apm.anomaly/observability/rule/getAlertSummary",
@@ -9265,6 +18240,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.anomaly/observability/rule/runSoon",
                 "alerting:apm.anomaly/observability/rule/scheduleBackfill",
                 "alerting:apm.anomaly/observability/rule/deleteBackfill",
+                "alerting:apm.anomaly/alerts/rule/get",
+                "alerting:apm.anomaly/alerts/rule/getRuleState",
+                "alerting:apm.anomaly/alerts/rule/getAlertSummary",
+                "alerting:apm.anomaly/alerts/rule/getExecutionLog",
+                "alerting:apm.anomaly/alerts/rule/getActionErrorLog",
+                "alerting:apm.anomaly/alerts/rule/find",
+                "alerting:apm.anomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/alerts/rule/getBackfill",
+                "alerting:apm.anomaly/alerts/rule/findBackfill",
+                "alerting:apm.anomaly/alerts/rule/create",
+                "alerting:apm.anomaly/alerts/rule/delete",
+                "alerting:apm.anomaly/alerts/rule/update",
+                "alerting:apm.anomaly/alerts/rule/updateApiKey",
+                "alerting:apm.anomaly/alerts/rule/enable",
+                "alerting:apm.anomaly/alerts/rule/disable",
+                "alerting:apm.anomaly/alerts/rule/muteAll",
+                "alerting:apm.anomaly/alerts/rule/unmuteAll",
+                "alerting:apm.anomaly/alerts/rule/muteAlert",
+                "alerting:apm.anomaly/alerts/rule/unmuteAlert",
+                "alerting:apm.anomaly/alerts/rule/snooze",
+                "alerting:apm.anomaly/alerts/rule/bulkEdit",
+                "alerting:apm.anomaly/alerts/rule/bulkDelete",
+                "alerting:apm.anomaly/alerts/rule/bulkEnable",
+                "alerting:apm.anomaly/alerts/rule/bulkDisable",
+                "alerting:apm.anomaly/alerts/rule/unsnooze",
+                "alerting:apm.anomaly/alerts/rule/runSoon",
+                "alerting:apm.anomaly/alerts/rule/scheduleBackfill",
+                "alerting:apm.anomaly/alerts/rule/deleteBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getAlertSummary",
@@ -9321,51 +18324,550 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/runSoon",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/scheduleBackfill",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/deleteBackfill",
-                "alerting:slo.rules.burnRate/observability/alert/get",
-                "alerting:slo.rules.burnRate/observability/alert/find",
-                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
-                "alerting:slo.rules.burnRate/observability/alert/update",
-                "alerting:observability.rules.custom_threshold/observability/alert/get",
-                "alerting:observability.rules.custom_threshold/observability/alert/find",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/alert/update",
-                "alerting:.es-query/observability/alert/get",
-                "alerting:.es-query/observability/alert/find",
-                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/observability/alert/getAlertSummary",
-                "alerting:.es-query/observability/alert/update",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/update",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/update",
+                "alerting:metrics.alert.threshold/observability/rule/get",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/observability/rule/find",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/create",
+                "alerting:metrics.alert.threshold/observability/rule/delete",
+                "alerting:metrics.alert.threshold/observability/rule/update",
+                "alerting:metrics.alert.threshold/observability/rule/updateApiKey",
+                "alerting:metrics.alert.threshold/observability/rule/enable",
+                "alerting:metrics.alert.threshold/observability/rule/disable",
+                "alerting:metrics.alert.threshold/observability/rule/muteAll",
+                "alerting:metrics.alert.threshold/observability/rule/unmuteAll",
+                "alerting:metrics.alert.threshold/observability/rule/muteAlert",
+                "alerting:metrics.alert.threshold/observability/rule/unmuteAlert",
+                "alerting:metrics.alert.threshold/observability/rule/snooze",
+                "alerting:metrics.alert.threshold/observability/rule/bulkEdit",
+                "alerting:metrics.alert.threshold/observability/rule/bulkDelete",
+                "alerting:metrics.alert.threshold/observability/rule/bulkEnable",
+                "alerting:metrics.alert.threshold/observability/rule/bulkDisable",
+                "alerting:metrics.alert.threshold/observability/rule/unsnooze",
+                "alerting:metrics.alert.threshold/observability/rule/runSoon",
+                "alerting:metrics.alert.threshold/observability/rule/scheduleBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/deleteBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/get",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/alerts/rule/find",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/create",
+                "alerting:metrics.alert.threshold/alerts/rule/delete",
+                "alerting:metrics.alert.threshold/alerts/rule/update",
+                "alerting:metrics.alert.threshold/alerts/rule/updateApiKey",
+                "alerting:metrics.alert.threshold/alerts/rule/enable",
+                "alerting:metrics.alert.threshold/alerts/rule/disable",
+                "alerting:metrics.alert.threshold/alerts/rule/muteAll",
+                "alerting:metrics.alert.threshold/alerts/rule/unmuteAll",
+                "alerting:metrics.alert.threshold/alerts/rule/muteAlert",
+                "alerting:metrics.alert.threshold/alerts/rule/unmuteAlert",
+                "alerting:metrics.alert.threshold/alerts/rule/snooze",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkEdit",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkDelete",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkEnable",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkDisable",
+                "alerting:metrics.alert.threshold/alerts/rule/unsnooze",
+                "alerting:metrics.alert.threshold/alerts/rule/runSoon",
+                "alerting:metrics.alert.threshold/alerts/rule/scheduleBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/deleteBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/create",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/delete",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/update",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/updateApiKey",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/enable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/disable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAll",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAll",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAlert",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAlert",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/snooze",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEdit",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDelete",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEnable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDisable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unsnooze",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/runSoon",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/scheduleBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/deleteBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/create",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/delete",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/update",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/updateApiKey",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/enable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/disable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/muteAll",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unmuteAll",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/muteAlert",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unmuteAlert",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/snooze",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkEdit",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkDelete",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkEnable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkDisable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unsnooze",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/runSoon",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/scheduleBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/create",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/update",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/create",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/create",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/create",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/deleteBackfill",
+                "alerting:logs.alert.document.count/observability/rule/get",
+                "alerting:logs.alert.document.count/observability/rule/getRuleState",
+                "alerting:logs.alert.document.count/observability/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/observability/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/observability/rule/find",
+                "alerting:logs.alert.document.count/observability/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/observability/rule/getBackfill",
+                "alerting:logs.alert.document.count/observability/rule/findBackfill",
+                "alerting:logs.alert.document.count/observability/rule/create",
+                "alerting:logs.alert.document.count/observability/rule/delete",
+                "alerting:logs.alert.document.count/observability/rule/update",
+                "alerting:logs.alert.document.count/observability/rule/updateApiKey",
+                "alerting:logs.alert.document.count/observability/rule/enable",
+                "alerting:logs.alert.document.count/observability/rule/disable",
+                "alerting:logs.alert.document.count/observability/rule/muteAll",
+                "alerting:logs.alert.document.count/observability/rule/unmuteAll",
+                "alerting:logs.alert.document.count/observability/rule/muteAlert",
+                "alerting:logs.alert.document.count/observability/rule/unmuteAlert",
+                "alerting:logs.alert.document.count/observability/rule/snooze",
+                "alerting:logs.alert.document.count/observability/rule/bulkEdit",
+                "alerting:logs.alert.document.count/observability/rule/bulkDelete",
+                "alerting:logs.alert.document.count/observability/rule/bulkEnable",
+                "alerting:logs.alert.document.count/observability/rule/bulkDisable",
+                "alerting:logs.alert.document.count/observability/rule/unsnooze",
+                "alerting:logs.alert.document.count/observability/rule/runSoon",
+                "alerting:logs.alert.document.count/observability/rule/scheduleBackfill",
+                "alerting:logs.alert.document.count/observability/rule/deleteBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/get",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleState",
+                "alerting:logs.alert.document.count/alerts/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/alerts/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/alerts/rule/find",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/alerts/rule/getBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/findBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/create",
+                "alerting:logs.alert.document.count/alerts/rule/delete",
+                "alerting:logs.alert.document.count/alerts/rule/update",
+                "alerting:logs.alert.document.count/alerts/rule/updateApiKey",
+                "alerting:logs.alert.document.count/alerts/rule/enable",
+                "alerting:logs.alert.document.count/alerts/rule/disable",
+                "alerting:logs.alert.document.count/alerts/rule/muteAll",
+                "alerting:logs.alert.document.count/alerts/rule/unmuteAll",
+                "alerting:logs.alert.document.count/alerts/rule/muteAlert",
+                "alerting:logs.alert.document.count/alerts/rule/unmuteAlert",
+                "alerting:logs.alert.document.count/alerts/rule/snooze",
+                "alerting:logs.alert.document.count/alerts/rule/bulkEdit",
+                "alerting:logs.alert.document.count/alerts/rule/bulkDelete",
+                "alerting:logs.alert.document.count/alerts/rule/bulkEnable",
+                "alerting:logs.alert.document.count/alerts/rule/bulkDisable",
+                "alerting:logs.alert.document.count/alerts/rule/unsnooze",
+                "alerting:logs.alert.document.count/alerts/rule/runSoon",
+                "alerting:logs.alert.document.count/alerts/rule/scheduleBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/deleteBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/get",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
+                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/observability/rule/find",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/create",
+                "alerting:slo.rules.burnRate/observability/rule/delete",
+                "alerting:slo.rules.burnRate/observability/rule/update",
+                "alerting:slo.rules.burnRate/observability/rule/updateApiKey",
+                "alerting:slo.rules.burnRate/observability/rule/enable",
+                "alerting:slo.rules.burnRate/observability/rule/disable",
+                "alerting:slo.rules.burnRate/observability/rule/muteAll",
+                "alerting:slo.rules.burnRate/observability/rule/unmuteAll",
+                "alerting:slo.rules.burnRate/observability/rule/muteAlert",
+                "alerting:slo.rules.burnRate/observability/rule/unmuteAlert",
+                "alerting:slo.rules.burnRate/observability/rule/snooze",
+                "alerting:slo.rules.burnRate/observability/rule/bulkEdit",
+                "alerting:slo.rules.burnRate/observability/rule/bulkDelete",
+                "alerting:slo.rules.burnRate/observability/rule/bulkEnable",
+                "alerting:slo.rules.burnRate/observability/rule/bulkDisable",
+                "alerting:slo.rules.burnRate/observability/rule/unsnooze",
+                "alerting:slo.rules.burnRate/observability/rule/runSoon",
+                "alerting:slo.rules.burnRate/observability/rule/scheduleBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/deleteBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/get",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleState",
+                "alerting:slo.rules.burnRate/alerts/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/alerts/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/alerts/rule/find",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/alerts/rule/getBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/findBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/create",
+                "alerting:slo.rules.burnRate/alerts/rule/delete",
+                "alerting:slo.rules.burnRate/alerts/rule/update",
+                "alerting:slo.rules.burnRate/alerts/rule/updateApiKey",
+                "alerting:slo.rules.burnRate/alerts/rule/enable",
+                "alerting:slo.rules.burnRate/alerts/rule/disable",
+                "alerting:slo.rules.burnRate/alerts/rule/muteAll",
+                "alerting:slo.rules.burnRate/alerts/rule/unmuteAll",
+                "alerting:slo.rules.burnRate/alerts/rule/muteAlert",
+                "alerting:slo.rules.burnRate/alerts/rule/unmuteAlert",
+                "alerting:slo.rules.burnRate/alerts/rule/snooze",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkEdit",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkDelete",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkEnable",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkDisable",
+                "alerting:slo.rules.burnRate/alerts/rule/unsnooze",
+                "alerting:slo.rules.burnRate/alerts/rule/runSoon",
+                "alerting:slo.rules.burnRate/alerts/rule/scheduleBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/deleteBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/get",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/find",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/create",
+                "alerting:observability.rules.custom_threshold/observability/rule/delete",
+                "alerting:observability.rules.custom_threshold/observability/rule/update",
+                "alerting:observability.rules.custom_threshold/observability/rule/updateApiKey",
+                "alerting:observability.rules.custom_threshold/observability/rule/enable",
+                "alerting:observability.rules.custom_threshold/observability/rule/disable",
+                "alerting:observability.rules.custom_threshold/observability/rule/muteAll",
+                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAll",
+                "alerting:observability.rules.custom_threshold/observability/rule/muteAlert",
+                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAlert",
+                "alerting:observability.rules.custom_threshold/observability/rule/snooze",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkEdit",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkDelete",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkEnable",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkDisable",
+                "alerting:observability.rules.custom_threshold/observability/rule/unsnooze",
+                "alerting:observability.rules.custom_threshold/observability/rule/runSoon",
+                "alerting:observability.rules.custom_threshold/observability/rule/scheduleBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/deleteBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/get",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/find",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/create",
+                "alerting:observability.rules.custom_threshold/alerts/rule/delete",
+                "alerting:observability.rules.custom_threshold/alerts/rule/update",
+                "alerting:observability.rules.custom_threshold/alerts/rule/updateApiKey",
+                "alerting:observability.rules.custom_threshold/alerts/rule/enable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/disable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/muteAll",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unmuteAll",
+                "alerting:observability.rules.custom_threshold/alerts/rule/muteAlert",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unmuteAlert",
+                "alerting:observability.rules.custom_threshold/alerts/rule/snooze",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkEdit",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkDelete",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkEnable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkDisable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unsnooze",
+                "alerting:observability.rules.custom_threshold/alerts/rule/runSoon",
+                "alerting:observability.rules.custom_threshold/alerts/rule/scheduleBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/deleteBackfill",
+                "alerting:.es-query/observability/rule/get",
+                "alerting:.es-query/observability/rule/getRuleState",
+                "alerting:.es-query/observability/rule/getAlertSummary",
+                "alerting:.es-query/observability/rule/getExecutionLog",
+                "alerting:.es-query/observability/rule/getActionErrorLog",
+                "alerting:.es-query/observability/rule/find",
+                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
+                "alerting:.es-query/observability/rule/getBackfill",
+                "alerting:.es-query/observability/rule/findBackfill",
+                "alerting:.es-query/observability/rule/create",
+                "alerting:.es-query/observability/rule/delete",
+                "alerting:.es-query/observability/rule/update",
+                "alerting:.es-query/observability/rule/updateApiKey",
+                "alerting:.es-query/observability/rule/enable",
+                "alerting:.es-query/observability/rule/disable",
+                "alerting:.es-query/observability/rule/muteAll",
+                "alerting:.es-query/observability/rule/unmuteAll",
+                "alerting:.es-query/observability/rule/muteAlert",
+                "alerting:.es-query/observability/rule/unmuteAlert",
+                "alerting:.es-query/observability/rule/snooze",
+                "alerting:.es-query/observability/rule/bulkEdit",
+                "alerting:.es-query/observability/rule/bulkDelete",
+                "alerting:.es-query/observability/rule/bulkEnable",
+                "alerting:.es-query/observability/rule/bulkDisable",
+                "alerting:.es-query/observability/rule/unsnooze",
+                "alerting:.es-query/observability/rule/runSoon",
+                "alerting:.es-query/observability/rule/scheduleBackfill",
+                "alerting:.es-query/observability/rule/deleteBackfill",
+                "alerting:.es-query/alerts/rule/get",
+                "alerting:.es-query/alerts/rule/getRuleState",
+                "alerting:.es-query/alerts/rule/getAlertSummary",
+                "alerting:.es-query/alerts/rule/getExecutionLog",
+                "alerting:.es-query/alerts/rule/getActionErrorLog",
+                "alerting:.es-query/alerts/rule/find",
+                "alerting:.es-query/alerts/rule/getRuleExecutionKPI",
+                "alerting:.es-query/alerts/rule/getBackfill",
+                "alerting:.es-query/alerts/rule/findBackfill",
+                "alerting:.es-query/alerts/rule/create",
+                "alerting:.es-query/alerts/rule/delete",
+                "alerting:.es-query/alerts/rule/update",
+                "alerting:.es-query/alerts/rule/updateApiKey",
+                "alerting:.es-query/alerts/rule/enable",
+                "alerting:.es-query/alerts/rule/disable",
+                "alerting:.es-query/alerts/rule/muteAll",
+                "alerting:.es-query/alerts/rule/unmuteAll",
+                "alerting:.es-query/alerts/rule/muteAlert",
+                "alerting:.es-query/alerts/rule/unmuteAlert",
+                "alerting:.es-query/alerts/rule/snooze",
+                "alerting:.es-query/alerts/rule/bulkEdit",
+                "alerting:.es-query/alerts/rule/bulkDelete",
+                "alerting:.es-query/alerts/rule/bulkEnable",
+                "alerting:.es-query/alerts/rule/bulkDisable",
+                "alerting:.es-query/alerts/rule/unsnooze",
+                "alerting:.es-query/alerts/rule/runSoon",
+                "alerting:.es-query/alerts/rule/scheduleBackfill",
+                "alerting:.es-query/alerts/rule/deleteBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/deleteBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/deleteBackfill",
                 "alerting:apm.error_rate/observability/alert/get",
                 "alerting:apm.error_rate/observability/alert/find",
                 "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.error_rate/observability/alert/getAlertSummary",
                 "alerting:apm.error_rate/observability/alert/update",
+                "alerting:apm.error_rate/alerts/alert/get",
+                "alerting:apm.error_rate/alerts/alert/find",
+                "alerting:apm.error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/alerts/alert/getAlertSummary",
+                "alerting:apm.error_rate/alerts/alert/update",
                 "alerting:apm.transaction_error_rate/observability/alert/get",
                 "alerting:apm.transaction_error_rate/observability/alert/find",
                 "alerting:apm.transaction_error_rate/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_error_rate/observability/alert/getAlertSummary",
                 "alerting:apm.transaction_error_rate/observability/alert/update",
+                "alerting:apm.transaction_error_rate/alerts/alert/get",
+                "alerting:apm.transaction_error_rate/alerts/alert/find",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/alert/update",
                 "alerting:apm.transaction_duration/observability/alert/get",
                 "alerting:apm.transaction_duration/observability/alert/find",
                 "alerting:apm.transaction_duration/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_duration/observability/alert/getAlertSummary",
                 "alerting:apm.transaction_duration/observability/alert/update",
+                "alerting:apm.transaction_duration/alerts/alert/get",
+                "alerting:apm.transaction_duration/alerts/alert/find",
+                "alerting:apm.transaction_duration/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/alerts/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/alert/update",
                 "alerting:apm.anomaly/observability/alert/get",
                 "alerting:apm.anomaly/observability/alert/find",
                 "alerting:apm.anomaly/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.anomaly/observability/alert/getAlertSummary",
                 "alerting:apm.anomaly/observability/alert/update",
+                "alerting:apm.anomaly/alerts/alert/get",
+                "alerting:apm.anomaly/alerts/alert/find",
+                "alerting:apm.anomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/alerts/alert/getAlertSummary",
+                "alerting:apm.anomaly/alerts/alert/update",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
@@ -9376,6 +18878,96 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/update",
+                "alerting:metrics.alert.threshold/observability/alert/get",
+                "alerting:metrics.alert.threshold/observability/alert/find",
+                "alerting:metrics.alert.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/alert/update",
+                "alerting:metrics.alert.threshold/alerts/alert/get",
+                "alerting:metrics.alert.threshold/alerts/alert/find",
+                "alerting:metrics.alert.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/alert/update",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/update",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/update",
+                "alerting:logs.alert.document.count/observability/alert/get",
+                "alerting:logs.alert.document.count/observability/alert/find",
+                "alerting:logs.alert.document.count/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/observability/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/alert/update",
+                "alerting:logs.alert.document.count/alerts/alert/get",
+                "alerting:logs.alert.document.count/alerts/alert/find",
+                "alerting:logs.alert.document.count/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/alerts/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/alert/update",
+                "alerting:slo.rules.burnRate/observability/alert/get",
+                "alerting:slo.rules.burnRate/observability/alert/find",
+                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/alert/update",
+                "alerting:slo.rules.burnRate/alerts/alert/get",
+                "alerting:slo.rules.burnRate/alerts/alert/find",
+                "alerting:slo.rules.burnRate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/alerts/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/alert/update",
+                "alerting:observability.rules.custom_threshold/observability/alert/get",
+                "alerting:observability.rules.custom_threshold/observability/alert/find",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/alert/update",
+                "alerting:observability.rules.custom_threshold/alerts/alert/get",
+                "alerting:observability.rules.custom_threshold/alerts/alert/find",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/alert/update",
+                "alerting:.es-query/observability/alert/get",
+                "alerting:.es-query/observability/alert/find",
+                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/observability/alert/getAlertSummary",
+                "alerting:.es-query/observability/alert/update",
+                "alerting:.es-query/alerts/alert/get",
+                "alerting:.es-query/alerts/alert/find",
+                "alerting:.es-query/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/alerts/alert/getAlertSummary",
+                "alerting:.es-query/alerts/alert/update",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/update",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/update",
               ],
               "can_manage_private_locations": Array [
                 "login:",
@@ -9553,6 +19145,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.uptime.alerts.tls/uptime/rule/runSoon",
                 "alerting:xpack.uptime.alerts.tls/uptime/rule/scheduleBackfill",
                 "alerting:xpack.uptime.alerts.tls/uptime/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/deleteBackfill",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/rule/get",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/rule/getRuleState",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/rule/getAlertSummary",
@@ -9581,6 +19201,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/rule/runSoon",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/rule/scheduleBackfill",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/deleteBackfill",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/rule/get",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/rule/getRuleState",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/rule/getAlertSummary",
@@ -9609,6 +19257,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/rule/runSoon",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/rule/scheduleBackfill",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/deleteBackfill",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/rule/get",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/rule/getRuleState",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/rule/getAlertSummary",
@@ -9637,6 +19313,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/rule/runSoon",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/rule/scheduleBackfill",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/create",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/delete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/enable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/disable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/muteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/snooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/runSoon",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/deleteBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/getAlertSummary",
@@ -9665,6 +19369,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/runSoon",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/scheduleBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/deleteBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/create",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/delete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/enable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/disable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/snooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/deleteBackfill",
                 "alerting:xpack.synthetics.alerts.tls/uptime/rule/get",
                 "alerting:xpack.synthetics.alerts.tls/uptime/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.tls/uptime/rule/getAlertSummary",
@@ -9693,181 +19425,99 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.tls/uptime/rule/runSoon",
                 "alerting:xpack.synthetics.alerts.tls/uptime/rule/scheduleBackfill",
                 "alerting:xpack.synthetics.alerts.tls/uptime/rule/deleteBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/create",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/delete",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/update",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/updateApiKey",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/enable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/disable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/muteAll",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unmuteAll",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/muteAlert",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unmuteAlert",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/snooze",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkEdit",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkDelete",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkEnable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/deleteBackfill",
                 "alerting:xpack.uptime.alerts.tls/uptime/alert/get",
                 "alerting:xpack.uptime.alerts.tls/uptime/alert/find",
                 "alerting:xpack.uptime.alerts.tls/uptime/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.uptime.alerts.tls/uptime/alert/getAlertSummary",
                 "alerting:xpack.uptime.alerts.tls/uptime/alert/update",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/update",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/alert/get",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/alert/find",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/alert/getAlertSummary",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/alert/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/update",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/alert/get",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/alert/find",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/alert/getAlertSummary",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/alert/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/update",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/alert/get",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/alert/find",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/alert/getAlertSummary",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/alert/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/update",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/alert/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/alert/find",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/alert/getAlertSummary",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/alert/update",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/update",
                 "alerting:xpack.synthetics.alerts.tls/uptime/alert/get",
                 "alerting:xpack.synthetics.alerts.tls/uptime/alert/find",
                 "alerting:xpack.synthetics.alerts.tls/uptime/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.tls/uptime/alert/getAlertSummary",
                 "alerting:xpack.synthetics.alerts.tls/uptime/alert/update",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/update",
                 "app:observability",
                 "ui:catalogue/observability",
                 "ui:navLinks/observability",
                 "ui:observability/read",
                 "ui:observability/write",
-                "alerting:slo.rules.burnRate/observability/rule/get",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
-                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
-                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
-                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
-                "alerting:slo.rules.burnRate/observability/rule/find",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
-                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/create",
-                "alerting:slo.rules.burnRate/observability/rule/delete",
-                "alerting:slo.rules.burnRate/observability/rule/update",
-                "alerting:slo.rules.burnRate/observability/rule/updateApiKey",
-                "alerting:slo.rules.burnRate/observability/rule/enable",
-                "alerting:slo.rules.burnRate/observability/rule/disable",
-                "alerting:slo.rules.burnRate/observability/rule/muteAll",
-                "alerting:slo.rules.burnRate/observability/rule/unmuteAll",
-                "alerting:slo.rules.burnRate/observability/rule/muteAlert",
-                "alerting:slo.rules.burnRate/observability/rule/unmuteAlert",
-                "alerting:slo.rules.burnRate/observability/rule/snooze",
-                "alerting:slo.rules.burnRate/observability/rule/bulkEdit",
-                "alerting:slo.rules.burnRate/observability/rule/bulkDelete",
-                "alerting:slo.rules.burnRate/observability/rule/bulkEnable",
-                "alerting:slo.rules.burnRate/observability/rule/bulkDisable",
-                "alerting:slo.rules.burnRate/observability/rule/unsnooze",
-                "alerting:slo.rules.burnRate/observability/rule/runSoon",
-                "alerting:slo.rules.burnRate/observability/rule/scheduleBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/deleteBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/get",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
-                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/find",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/create",
-                "alerting:observability.rules.custom_threshold/observability/rule/delete",
-                "alerting:observability.rules.custom_threshold/observability/rule/update",
-                "alerting:observability.rules.custom_threshold/observability/rule/updateApiKey",
-                "alerting:observability.rules.custom_threshold/observability/rule/enable",
-                "alerting:observability.rules.custom_threshold/observability/rule/disable",
-                "alerting:observability.rules.custom_threshold/observability/rule/muteAll",
-                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAll",
-                "alerting:observability.rules.custom_threshold/observability/rule/muteAlert",
-                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAlert",
-                "alerting:observability.rules.custom_threshold/observability/rule/snooze",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkEdit",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkDelete",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkEnable",
-                "alerting:observability.rules.custom_threshold/observability/rule/bulkDisable",
-                "alerting:observability.rules.custom_threshold/observability/rule/unsnooze",
-                "alerting:observability.rules.custom_threshold/observability/rule/runSoon",
-                "alerting:observability.rules.custom_threshold/observability/rule/scheduleBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/deleteBackfill",
-                "alerting:.es-query/observability/rule/get",
-                "alerting:.es-query/observability/rule/getRuleState",
-                "alerting:.es-query/observability/rule/getAlertSummary",
-                "alerting:.es-query/observability/rule/getExecutionLog",
-                "alerting:.es-query/observability/rule/getActionErrorLog",
-                "alerting:.es-query/observability/rule/find",
-                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
-                "alerting:.es-query/observability/rule/getBackfill",
-                "alerting:.es-query/observability/rule/findBackfill",
-                "alerting:.es-query/observability/rule/create",
-                "alerting:.es-query/observability/rule/delete",
-                "alerting:.es-query/observability/rule/update",
-                "alerting:.es-query/observability/rule/updateApiKey",
-                "alerting:.es-query/observability/rule/enable",
-                "alerting:.es-query/observability/rule/disable",
-                "alerting:.es-query/observability/rule/muteAll",
-                "alerting:.es-query/observability/rule/unmuteAll",
-                "alerting:.es-query/observability/rule/muteAlert",
-                "alerting:.es-query/observability/rule/unmuteAlert",
-                "alerting:.es-query/observability/rule/snooze",
-                "alerting:.es-query/observability/rule/bulkEdit",
-                "alerting:.es-query/observability/rule/bulkDelete",
-                "alerting:.es-query/observability/rule/bulkEnable",
-                "alerting:.es-query/observability/rule/bulkDisable",
-                "alerting:.es-query/observability/rule/unsnooze",
-                "alerting:.es-query/observability/rule/runSoon",
-                "alerting:.es-query/observability/rule/scheduleBackfill",
-                "alerting:.es-query/observability/rule/deleteBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/create",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/delete",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/update",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/updateApiKey",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/enable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/disable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAll",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAlert",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/snooze",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEdit",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDelete",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEnable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDisable",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unsnooze",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/runSoon",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/scheduleBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/deleteBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/create",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/delete",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/update",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/updateApiKey",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/enable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/disable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAll",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAll",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAlert",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAlert",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/snooze",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEdit",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDelete",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEnable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDisable",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/unsnooze",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/runSoon",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/scheduleBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/deleteBackfill",
                 "alerting:apm.error_rate/observability/rule/get",
                 "alerting:apm.error_rate/observability/rule/getRuleState",
                 "alerting:apm.error_rate/observability/rule/getAlertSummary",
@@ -9896,6 +19546,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.error_rate/observability/rule/runSoon",
                 "alerting:apm.error_rate/observability/rule/scheduleBackfill",
                 "alerting:apm.error_rate/observability/rule/deleteBackfill",
+                "alerting:apm.error_rate/alerts/rule/get",
+                "alerting:apm.error_rate/alerts/rule/getRuleState",
+                "alerting:apm.error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.error_rate/alerts/rule/find",
+                "alerting:apm.error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/alerts/rule/getBackfill",
+                "alerting:apm.error_rate/alerts/rule/findBackfill",
+                "alerting:apm.error_rate/alerts/rule/create",
+                "alerting:apm.error_rate/alerts/rule/delete",
+                "alerting:apm.error_rate/alerts/rule/update",
+                "alerting:apm.error_rate/alerts/rule/updateApiKey",
+                "alerting:apm.error_rate/alerts/rule/enable",
+                "alerting:apm.error_rate/alerts/rule/disable",
+                "alerting:apm.error_rate/alerts/rule/muteAll",
+                "alerting:apm.error_rate/alerts/rule/unmuteAll",
+                "alerting:apm.error_rate/alerts/rule/muteAlert",
+                "alerting:apm.error_rate/alerts/rule/unmuteAlert",
+                "alerting:apm.error_rate/alerts/rule/snooze",
+                "alerting:apm.error_rate/alerts/rule/bulkEdit",
+                "alerting:apm.error_rate/alerts/rule/bulkDelete",
+                "alerting:apm.error_rate/alerts/rule/bulkEnable",
+                "alerting:apm.error_rate/alerts/rule/bulkDisable",
+                "alerting:apm.error_rate/alerts/rule/unsnooze",
+                "alerting:apm.error_rate/alerts/rule/runSoon",
+                "alerting:apm.error_rate/alerts/rule/scheduleBackfill",
+                "alerting:apm.error_rate/alerts/rule/deleteBackfill",
                 "alerting:apm.transaction_error_rate/observability/rule/get",
                 "alerting:apm.transaction_error_rate/observability/rule/getRuleState",
                 "alerting:apm.transaction_error_rate/observability/rule/getAlertSummary",
@@ -9924,6 +19602,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.transaction_error_rate/observability/rule/runSoon",
                 "alerting:apm.transaction_error_rate/observability/rule/scheduleBackfill",
                 "alerting:apm.transaction_error_rate/observability/rule/deleteBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/get",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/find",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/alerts/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/create",
+                "alerting:apm.transaction_error_rate/alerts/rule/delete",
+                "alerting:apm.transaction_error_rate/alerts/rule/update",
+                "alerting:apm.transaction_error_rate/alerts/rule/updateApiKey",
+                "alerting:apm.transaction_error_rate/alerts/rule/enable",
+                "alerting:apm.transaction_error_rate/alerts/rule/disable",
+                "alerting:apm.transaction_error_rate/alerts/rule/muteAll",
+                "alerting:apm.transaction_error_rate/alerts/rule/unmuteAll",
+                "alerting:apm.transaction_error_rate/alerts/rule/muteAlert",
+                "alerting:apm.transaction_error_rate/alerts/rule/unmuteAlert",
+                "alerting:apm.transaction_error_rate/alerts/rule/snooze",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkEdit",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkDelete",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkEnable",
+                "alerting:apm.transaction_error_rate/alerts/rule/bulkDisable",
+                "alerting:apm.transaction_error_rate/alerts/rule/unsnooze",
+                "alerting:apm.transaction_error_rate/alerts/rule/runSoon",
+                "alerting:apm.transaction_error_rate/alerts/rule/scheduleBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/deleteBackfill",
                 "alerting:apm.transaction_duration/observability/rule/get",
                 "alerting:apm.transaction_duration/observability/rule/getRuleState",
                 "alerting:apm.transaction_duration/observability/rule/getAlertSummary",
@@ -9952,6 +19658,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.transaction_duration/observability/rule/runSoon",
                 "alerting:apm.transaction_duration/observability/rule/scheduleBackfill",
                 "alerting:apm.transaction_duration/observability/rule/deleteBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/get",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleState",
+                "alerting:apm.transaction_duration/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/alerts/rule/find",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/alerts/rule/getBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/findBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/create",
+                "alerting:apm.transaction_duration/alerts/rule/delete",
+                "alerting:apm.transaction_duration/alerts/rule/update",
+                "alerting:apm.transaction_duration/alerts/rule/updateApiKey",
+                "alerting:apm.transaction_duration/alerts/rule/enable",
+                "alerting:apm.transaction_duration/alerts/rule/disable",
+                "alerting:apm.transaction_duration/alerts/rule/muteAll",
+                "alerting:apm.transaction_duration/alerts/rule/unmuteAll",
+                "alerting:apm.transaction_duration/alerts/rule/muteAlert",
+                "alerting:apm.transaction_duration/alerts/rule/unmuteAlert",
+                "alerting:apm.transaction_duration/alerts/rule/snooze",
+                "alerting:apm.transaction_duration/alerts/rule/bulkEdit",
+                "alerting:apm.transaction_duration/alerts/rule/bulkDelete",
+                "alerting:apm.transaction_duration/alerts/rule/bulkEnable",
+                "alerting:apm.transaction_duration/alerts/rule/bulkDisable",
+                "alerting:apm.transaction_duration/alerts/rule/unsnooze",
+                "alerting:apm.transaction_duration/alerts/rule/runSoon",
+                "alerting:apm.transaction_duration/alerts/rule/scheduleBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/deleteBackfill",
                 "alerting:apm.anomaly/observability/rule/get",
                 "alerting:apm.anomaly/observability/rule/getRuleState",
                 "alerting:apm.anomaly/observability/rule/getAlertSummary",
@@ -9980,6 +19714,34 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.anomaly/observability/rule/runSoon",
                 "alerting:apm.anomaly/observability/rule/scheduleBackfill",
                 "alerting:apm.anomaly/observability/rule/deleteBackfill",
+                "alerting:apm.anomaly/alerts/rule/get",
+                "alerting:apm.anomaly/alerts/rule/getRuleState",
+                "alerting:apm.anomaly/alerts/rule/getAlertSummary",
+                "alerting:apm.anomaly/alerts/rule/getExecutionLog",
+                "alerting:apm.anomaly/alerts/rule/getActionErrorLog",
+                "alerting:apm.anomaly/alerts/rule/find",
+                "alerting:apm.anomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/alerts/rule/getBackfill",
+                "alerting:apm.anomaly/alerts/rule/findBackfill",
+                "alerting:apm.anomaly/alerts/rule/create",
+                "alerting:apm.anomaly/alerts/rule/delete",
+                "alerting:apm.anomaly/alerts/rule/update",
+                "alerting:apm.anomaly/alerts/rule/updateApiKey",
+                "alerting:apm.anomaly/alerts/rule/enable",
+                "alerting:apm.anomaly/alerts/rule/disable",
+                "alerting:apm.anomaly/alerts/rule/muteAll",
+                "alerting:apm.anomaly/alerts/rule/unmuteAll",
+                "alerting:apm.anomaly/alerts/rule/muteAlert",
+                "alerting:apm.anomaly/alerts/rule/unmuteAlert",
+                "alerting:apm.anomaly/alerts/rule/snooze",
+                "alerting:apm.anomaly/alerts/rule/bulkEdit",
+                "alerting:apm.anomaly/alerts/rule/bulkDelete",
+                "alerting:apm.anomaly/alerts/rule/bulkEnable",
+                "alerting:apm.anomaly/alerts/rule/bulkDisable",
+                "alerting:apm.anomaly/alerts/rule/unsnooze",
+                "alerting:apm.anomaly/alerts/rule/runSoon",
+                "alerting:apm.anomaly/alerts/rule/scheduleBackfill",
+                "alerting:apm.anomaly/alerts/rule/deleteBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getAlertSummary",
@@ -10031,56 +19793,555 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkEdit",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkDelete",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkEnable",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkDisable",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/unsnooze",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/runSoon",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/scheduleBackfill",
-                "alerting:xpack.synthetics.alerts.tls/observability/rule/deleteBackfill",
-                "alerting:slo.rules.burnRate/observability/alert/get",
-                "alerting:slo.rules.burnRate/observability/alert/find",
-                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
-                "alerting:slo.rules.burnRate/observability/alert/update",
-                "alerting:observability.rules.custom_threshold/observability/alert/get",
-                "alerting:observability.rules.custom_threshold/observability/alert/find",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/alert/update",
-                "alerting:.es-query/observability/alert/get",
-                "alerting:.es-query/observability/alert/find",
-                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/observability/alert/getAlertSummary",
-                "alerting:.es-query/observability/alert/update",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/update",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/update",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/bulkDisable",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/unsnooze",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/runSoon",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/scheduleBackfill",
+                "alerting:xpack.synthetics.alerts.tls/observability/rule/deleteBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/get",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/observability/rule/find",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/create",
+                "alerting:metrics.alert.threshold/observability/rule/delete",
+                "alerting:metrics.alert.threshold/observability/rule/update",
+                "alerting:metrics.alert.threshold/observability/rule/updateApiKey",
+                "alerting:metrics.alert.threshold/observability/rule/enable",
+                "alerting:metrics.alert.threshold/observability/rule/disable",
+                "alerting:metrics.alert.threshold/observability/rule/muteAll",
+                "alerting:metrics.alert.threshold/observability/rule/unmuteAll",
+                "alerting:metrics.alert.threshold/observability/rule/muteAlert",
+                "alerting:metrics.alert.threshold/observability/rule/unmuteAlert",
+                "alerting:metrics.alert.threshold/observability/rule/snooze",
+                "alerting:metrics.alert.threshold/observability/rule/bulkEdit",
+                "alerting:metrics.alert.threshold/observability/rule/bulkDelete",
+                "alerting:metrics.alert.threshold/observability/rule/bulkEnable",
+                "alerting:metrics.alert.threshold/observability/rule/bulkDisable",
+                "alerting:metrics.alert.threshold/observability/rule/unsnooze",
+                "alerting:metrics.alert.threshold/observability/rule/runSoon",
+                "alerting:metrics.alert.threshold/observability/rule/scheduleBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/deleteBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/get",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/alerts/rule/find",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/create",
+                "alerting:metrics.alert.threshold/alerts/rule/delete",
+                "alerting:metrics.alert.threshold/alerts/rule/update",
+                "alerting:metrics.alert.threshold/alerts/rule/updateApiKey",
+                "alerting:metrics.alert.threshold/alerts/rule/enable",
+                "alerting:metrics.alert.threshold/alerts/rule/disable",
+                "alerting:metrics.alert.threshold/alerts/rule/muteAll",
+                "alerting:metrics.alert.threshold/alerts/rule/unmuteAll",
+                "alerting:metrics.alert.threshold/alerts/rule/muteAlert",
+                "alerting:metrics.alert.threshold/alerts/rule/unmuteAlert",
+                "alerting:metrics.alert.threshold/alerts/rule/snooze",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkEdit",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkDelete",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkEnable",
+                "alerting:metrics.alert.threshold/alerts/rule/bulkDisable",
+                "alerting:metrics.alert.threshold/alerts/rule/unsnooze",
+                "alerting:metrics.alert.threshold/alerts/rule/runSoon",
+                "alerting:metrics.alert.threshold/alerts/rule/scheduleBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/deleteBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/create",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/delete",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/update",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/updateApiKey",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/enable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/disable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAll",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAll",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/muteAlert",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unmuteAlert",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/snooze",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEdit",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDelete",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkEnable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/bulkDisable",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/unsnooze",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/runSoon",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/scheduleBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/deleteBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/create",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/delete",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/update",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/updateApiKey",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/enable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/disable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/muteAll",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unmuteAll",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/muteAlert",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unmuteAlert",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/snooze",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkEdit",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkDelete",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkEnable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/bulkDisable",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/unsnooze",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/runSoon",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/scheduleBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/create",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/update",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/create",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/create",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/deleteBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/create",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/delete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/updateApiKey",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/enable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/disable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/muteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unmuteAll",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/muteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unmuteAlert",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/snooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkEdit",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkDelete",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkEnable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/bulkDisable",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/unsnooze",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/runSoon",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/scheduleBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/deleteBackfill",
+                "alerting:logs.alert.document.count/observability/rule/get",
+                "alerting:logs.alert.document.count/observability/rule/getRuleState",
+                "alerting:logs.alert.document.count/observability/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/observability/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/observability/rule/find",
+                "alerting:logs.alert.document.count/observability/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/observability/rule/getBackfill",
+                "alerting:logs.alert.document.count/observability/rule/findBackfill",
+                "alerting:logs.alert.document.count/observability/rule/create",
+                "alerting:logs.alert.document.count/observability/rule/delete",
+                "alerting:logs.alert.document.count/observability/rule/update",
+                "alerting:logs.alert.document.count/observability/rule/updateApiKey",
+                "alerting:logs.alert.document.count/observability/rule/enable",
+                "alerting:logs.alert.document.count/observability/rule/disable",
+                "alerting:logs.alert.document.count/observability/rule/muteAll",
+                "alerting:logs.alert.document.count/observability/rule/unmuteAll",
+                "alerting:logs.alert.document.count/observability/rule/muteAlert",
+                "alerting:logs.alert.document.count/observability/rule/unmuteAlert",
+                "alerting:logs.alert.document.count/observability/rule/snooze",
+                "alerting:logs.alert.document.count/observability/rule/bulkEdit",
+                "alerting:logs.alert.document.count/observability/rule/bulkDelete",
+                "alerting:logs.alert.document.count/observability/rule/bulkEnable",
+                "alerting:logs.alert.document.count/observability/rule/bulkDisable",
+                "alerting:logs.alert.document.count/observability/rule/unsnooze",
+                "alerting:logs.alert.document.count/observability/rule/runSoon",
+                "alerting:logs.alert.document.count/observability/rule/scheduleBackfill",
+                "alerting:logs.alert.document.count/observability/rule/deleteBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/get",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleState",
+                "alerting:logs.alert.document.count/alerts/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/alerts/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/alerts/rule/find",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/alerts/rule/getBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/findBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/create",
+                "alerting:logs.alert.document.count/alerts/rule/delete",
+                "alerting:logs.alert.document.count/alerts/rule/update",
+                "alerting:logs.alert.document.count/alerts/rule/updateApiKey",
+                "alerting:logs.alert.document.count/alerts/rule/enable",
+                "alerting:logs.alert.document.count/alerts/rule/disable",
+                "alerting:logs.alert.document.count/alerts/rule/muteAll",
+                "alerting:logs.alert.document.count/alerts/rule/unmuteAll",
+                "alerting:logs.alert.document.count/alerts/rule/muteAlert",
+                "alerting:logs.alert.document.count/alerts/rule/unmuteAlert",
+                "alerting:logs.alert.document.count/alerts/rule/snooze",
+                "alerting:logs.alert.document.count/alerts/rule/bulkEdit",
+                "alerting:logs.alert.document.count/alerts/rule/bulkDelete",
+                "alerting:logs.alert.document.count/alerts/rule/bulkEnable",
+                "alerting:logs.alert.document.count/alerts/rule/bulkDisable",
+                "alerting:logs.alert.document.count/alerts/rule/unsnooze",
+                "alerting:logs.alert.document.count/alerts/rule/runSoon",
+                "alerting:logs.alert.document.count/alerts/rule/scheduleBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/deleteBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/get",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
+                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/observability/rule/find",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/create",
+                "alerting:slo.rules.burnRate/observability/rule/delete",
+                "alerting:slo.rules.burnRate/observability/rule/update",
+                "alerting:slo.rules.burnRate/observability/rule/updateApiKey",
+                "alerting:slo.rules.burnRate/observability/rule/enable",
+                "alerting:slo.rules.burnRate/observability/rule/disable",
+                "alerting:slo.rules.burnRate/observability/rule/muteAll",
+                "alerting:slo.rules.burnRate/observability/rule/unmuteAll",
+                "alerting:slo.rules.burnRate/observability/rule/muteAlert",
+                "alerting:slo.rules.burnRate/observability/rule/unmuteAlert",
+                "alerting:slo.rules.burnRate/observability/rule/snooze",
+                "alerting:slo.rules.burnRate/observability/rule/bulkEdit",
+                "alerting:slo.rules.burnRate/observability/rule/bulkDelete",
+                "alerting:slo.rules.burnRate/observability/rule/bulkEnable",
+                "alerting:slo.rules.burnRate/observability/rule/bulkDisable",
+                "alerting:slo.rules.burnRate/observability/rule/unsnooze",
+                "alerting:slo.rules.burnRate/observability/rule/runSoon",
+                "alerting:slo.rules.burnRate/observability/rule/scheduleBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/deleteBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/get",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleState",
+                "alerting:slo.rules.burnRate/alerts/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/alerts/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/alerts/rule/find",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/alerts/rule/getBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/findBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/create",
+                "alerting:slo.rules.burnRate/alerts/rule/delete",
+                "alerting:slo.rules.burnRate/alerts/rule/update",
+                "alerting:slo.rules.burnRate/alerts/rule/updateApiKey",
+                "alerting:slo.rules.burnRate/alerts/rule/enable",
+                "alerting:slo.rules.burnRate/alerts/rule/disable",
+                "alerting:slo.rules.burnRate/alerts/rule/muteAll",
+                "alerting:slo.rules.burnRate/alerts/rule/unmuteAll",
+                "alerting:slo.rules.burnRate/alerts/rule/muteAlert",
+                "alerting:slo.rules.burnRate/alerts/rule/unmuteAlert",
+                "alerting:slo.rules.burnRate/alerts/rule/snooze",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkEdit",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkDelete",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkEnable",
+                "alerting:slo.rules.burnRate/alerts/rule/bulkDisable",
+                "alerting:slo.rules.burnRate/alerts/rule/unsnooze",
+                "alerting:slo.rules.burnRate/alerts/rule/runSoon",
+                "alerting:slo.rules.burnRate/alerts/rule/scheduleBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/deleteBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/get",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/find",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/create",
+                "alerting:observability.rules.custom_threshold/observability/rule/delete",
+                "alerting:observability.rules.custom_threshold/observability/rule/update",
+                "alerting:observability.rules.custom_threshold/observability/rule/updateApiKey",
+                "alerting:observability.rules.custom_threshold/observability/rule/enable",
+                "alerting:observability.rules.custom_threshold/observability/rule/disable",
+                "alerting:observability.rules.custom_threshold/observability/rule/muteAll",
+                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAll",
+                "alerting:observability.rules.custom_threshold/observability/rule/muteAlert",
+                "alerting:observability.rules.custom_threshold/observability/rule/unmuteAlert",
+                "alerting:observability.rules.custom_threshold/observability/rule/snooze",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkEdit",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkDelete",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkEnable",
+                "alerting:observability.rules.custom_threshold/observability/rule/bulkDisable",
+                "alerting:observability.rules.custom_threshold/observability/rule/unsnooze",
+                "alerting:observability.rules.custom_threshold/observability/rule/runSoon",
+                "alerting:observability.rules.custom_threshold/observability/rule/scheduleBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/deleteBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/get",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/find",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/create",
+                "alerting:observability.rules.custom_threshold/alerts/rule/delete",
+                "alerting:observability.rules.custom_threshold/alerts/rule/update",
+                "alerting:observability.rules.custom_threshold/alerts/rule/updateApiKey",
+                "alerting:observability.rules.custom_threshold/alerts/rule/enable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/disable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/muteAll",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unmuteAll",
+                "alerting:observability.rules.custom_threshold/alerts/rule/muteAlert",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unmuteAlert",
+                "alerting:observability.rules.custom_threshold/alerts/rule/snooze",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkEdit",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkDelete",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkEnable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/bulkDisable",
+                "alerting:observability.rules.custom_threshold/alerts/rule/unsnooze",
+                "alerting:observability.rules.custom_threshold/alerts/rule/runSoon",
+                "alerting:observability.rules.custom_threshold/alerts/rule/scheduleBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/deleteBackfill",
+                "alerting:.es-query/observability/rule/get",
+                "alerting:.es-query/observability/rule/getRuleState",
+                "alerting:.es-query/observability/rule/getAlertSummary",
+                "alerting:.es-query/observability/rule/getExecutionLog",
+                "alerting:.es-query/observability/rule/getActionErrorLog",
+                "alerting:.es-query/observability/rule/find",
+                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
+                "alerting:.es-query/observability/rule/getBackfill",
+                "alerting:.es-query/observability/rule/findBackfill",
+                "alerting:.es-query/observability/rule/create",
+                "alerting:.es-query/observability/rule/delete",
+                "alerting:.es-query/observability/rule/update",
+                "alerting:.es-query/observability/rule/updateApiKey",
+                "alerting:.es-query/observability/rule/enable",
+                "alerting:.es-query/observability/rule/disable",
+                "alerting:.es-query/observability/rule/muteAll",
+                "alerting:.es-query/observability/rule/unmuteAll",
+                "alerting:.es-query/observability/rule/muteAlert",
+                "alerting:.es-query/observability/rule/unmuteAlert",
+                "alerting:.es-query/observability/rule/snooze",
+                "alerting:.es-query/observability/rule/bulkEdit",
+                "alerting:.es-query/observability/rule/bulkDelete",
+                "alerting:.es-query/observability/rule/bulkEnable",
+                "alerting:.es-query/observability/rule/bulkDisable",
+                "alerting:.es-query/observability/rule/unsnooze",
+                "alerting:.es-query/observability/rule/runSoon",
+                "alerting:.es-query/observability/rule/scheduleBackfill",
+                "alerting:.es-query/observability/rule/deleteBackfill",
+                "alerting:.es-query/alerts/rule/get",
+                "alerting:.es-query/alerts/rule/getRuleState",
+                "alerting:.es-query/alerts/rule/getAlertSummary",
+                "alerting:.es-query/alerts/rule/getExecutionLog",
+                "alerting:.es-query/alerts/rule/getActionErrorLog",
+                "alerting:.es-query/alerts/rule/find",
+                "alerting:.es-query/alerts/rule/getRuleExecutionKPI",
+                "alerting:.es-query/alerts/rule/getBackfill",
+                "alerting:.es-query/alerts/rule/findBackfill",
+                "alerting:.es-query/alerts/rule/create",
+                "alerting:.es-query/alerts/rule/delete",
+                "alerting:.es-query/alerts/rule/update",
+                "alerting:.es-query/alerts/rule/updateApiKey",
+                "alerting:.es-query/alerts/rule/enable",
+                "alerting:.es-query/alerts/rule/disable",
+                "alerting:.es-query/alerts/rule/muteAll",
+                "alerting:.es-query/alerts/rule/unmuteAll",
+                "alerting:.es-query/alerts/rule/muteAlert",
+                "alerting:.es-query/alerts/rule/unmuteAlert",
+                "alerting:.es-query/alerts/rule/snooze",
+                "alerting:.es-query/alerts/rule/bulkEdit",
+                "alerting:.es-query/alerts/rule/bulkDelete",
+                "alerting:.es-query/alerts/rule/bulkEnable",
+                "alerting:.es-query/alerts/rule/bulkDisable",
+                "alerting:.es-query/alerts/rule/unsnooze",
+                "alerting:.es-query/alerts/rule/runSoon",
+                "alerting:.es-query/alerts/rule/scheduleBackfill",
+                "alerting:.es-query/alerts/rule/deleteBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/deleteBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/create",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/delete",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/update",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/updateApiKey",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/enable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/disable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/muteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unmuteAll",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/muteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unmuteAlert",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/snooze",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkEdit",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkDelete",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkEnable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/bulkDisable",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/unsnooze",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/runSoon",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/scheduleBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/deleteBackfill",
                 "alerting:apm.error_rate/observability/alert/get",
                 "alerting:apm.error_rate/observability/alert/find",
                 "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.error_rate/observability/alert/getAlertSummary",
                 "alerting:apm.error_rate/observability/alert/update",
+                "alerting:apm.error_rate/alerts/alert/get",
+                "alerting:apm.error_rate/alerts/alert/find",
+                "alerting:apm.error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/alerts/alert/getAlertSummary",
+                "alerting:apm.error_rate/alerts/alert/update",
                 "alerting:apm.transaction_error_rate/observability/alert/get",
                 "alerting:apm.transaction_error_rate/observability/alert/find",
                 "alerting:apm.transaction_error_rate/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_error_rate/observability/alert/getAlertSummary",
                 "alerting:apm.transaction_error_rate/observability/alert/update",
+                "alerting:apm.transaction_error_rate/alerts/alert/get",
+                "alerting:apm.transaction_error_rate/alerts/alert/find",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/alert/update",
                 "alerting:apm.transaction_duration/observability/alert/get",
                 "alerting:apm.transaction_duration/observability/alert/find",
                 "alerting:apm.transaction_duration/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_duration/observability/alert/getAlertSummary",
                 "alerting:apm.transaction_duration/observability/alert/update",
+                "alerting:apm.transaction_duration/alerts/alert/get",
+                "alerting:apm.transaction_duration/alerts/alert/find",
+                "alerting:apm.transaction_duration/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/alerts/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/alert/update",
                 "alerting:apm.anomaly/observability/alert/get",
                 "alerting:apm.anomaly/observability/alert/find",
                 "alerting:apm.anomaly/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.anomaly/observability/alert/getAlertSummary",
                 "alerting:apm.anomaly/observability/alert/update",
+                "alerting:apm.anomaly/alerts/alert/get",
+                "alerting:apm.anomaly/alerts/alert/find",
+                "alerting:apm.anomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/alerts/alert/getAlertSummary",
+                "alerting:apm.anomaly/alerts/alert/update",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
@@ -10091,6 +20352,96 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/update",
+                "alerting:metrics.alert.threshold/observability/alert/get",
+                "alerting:metrics.alert.threshold/observability/alert/find",
+                "alerting:metrics.alert.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/alert/update",
+                "alerting:metrics.alert.threshold/alerts/alert/get",
+                "alerting:metrics.alert.threshold/alerts/alert/find",
+                "alerting:metrics.alert.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/alert/update",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/update",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/update",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/update",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/update",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/update",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/update",
+                "alerting:logs.alert.document.count/observability/alert/get",
+                "alerting:logs.alert.document.count/observability/alert/find",
+                "alerting:logs.alert.document.count/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/observability/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/alert/update",
+                "alerting:logs.alert.document.count/alerts/alert/get",
+                "alerting:logs.alert.document.count/alerts/alert/find",
+                "alerting:logs.alert.document.count/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/alerts/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/alert/update",
+                "alerting:slo.rules.burnRate/observability/alert/get",
+                "alerting:slo.rules.burnRate/observability/alert/find",
+                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/alert/update",
+                "alerting:slo.rules.burnRate/alerts/alert/get",
+                "alerting:slo.rules.burnRate/alerts/alert/find",
+                "alerting:slo.rules.burnRate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/alerts/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/alert/update",
+                "alerting:observability.rules.custom_threshold/observability/alert/get",
+                "alerting:observability.rules.custom_threshold/observability/alert/find",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/alert/update",
+                "alerting:observability.rules.custom_threshold/alerts/alert/get",
+                "alerting:observability.rules.custom_threshold/alerts/alert/find",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/alert/update",
+                "alerting:.es-query/observability/alert/get",
+                "alerting:.es-query/observability/alert/find",
+                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/observability/alert/getAlertSummary",
+                "alerting:.es-query/observability/alert/update",
+                "alerting:.es-query/alerts/alert/get",
+                "alerting:.es-query/alerts/alert/find",
+                "alerting:.es-query/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/alerts/alert/getAlertSummary",
+                "alerting:.es-query/alerts/alert/update",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/update",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/update",
               ],
               "minimal_read": Array [
                 "login:",
@@ -10171,6 +20522,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.uptime.alerts.tls/uptime/rule/getRuleExecutionKPI",
                 "alerting:xpack.uptime.alerts.tls/uptime/rule/getBackfill",
                 "alerting:xpack.uptime.alerts.tls/uptime/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/findBackfill",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/rule/get",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/rule/getRuleState",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/rule/getAlertSummary",
@@ -10180,6 +20540,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/rule/getRuleExecutionKPI",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/rule/getBackfill",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/findBackfill",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/rule/get",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/rule/getRuleState",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/rule/getAlertSummary",
@@ -10189,6 +20558,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/rule/getRuleExecutionKPI",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/rule/getBackfill",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/findBackfill",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/rule/get",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/rule/getRuleState",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/rule/getAlertSummary",
@@ -10198,97 +20576,103 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/rule/getRuleExecutionKPI",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/rule/getBackfill",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/findBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/getAlertSummary",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/getExecutionLog",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/getActionErrorLog",
-                "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/find",
-                "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/getRuleExecutionKPI",
-                "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/getBackfill",
-                "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/findBackfill",
-                "alerting:xpack.synthetics.alerts.tls/uptime/rule/get",
-                "alerting:xpack.synthetics.alerts.tls/uptime/rule/getRuleState",
-                "alerting:xpack.synthetics.alerts.tls/uptime/rule/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.tls/uptime/rule/getExecutionLog",
-                "alerting:xpack.synthetics.alerts.tls/uptime/rule/getActionErrorLog",
-                "alerting:xpack.synthetics.alerts.tls/uptime/rule/find",
-                "alerting:xpack.synthetics.alerts.tls/uptime/rule/getRuleExecutionKPI",
-                "alerting:xpack.synthetics.alerts.tls/uptime/rule/getBackfill",
-                "alerting:xpack.synthetics.alerts.tls/uptime/rule/findBackfill",
-                "alerting:xpack.uptime.alerts.tls/uptime/alert/get",
-                "alerting:xpack.uptime.alerts.tls/uptime/alert/find",
-                "alerting:xpack.uptime.alerts.tls/uptime/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.uptime.alerts.tls/uptime/alert/getAlertSummary",
-                "alerting:xpack.uptime.alerts.tlsCertificate/uptime/alert/get",
-                "alerting:xpack.uptime.alerts.tlsCertificate/uptime/alert/find",
-                "alerting:xpack.uptime.alerts.tlsCertificate/uptime/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.uptime.alerts.tlsCertificate/uptime/alert/getAlertSummary",
-                "alerting:xpack.uptime.alerts.monitorStatus/uptime/alert/get",
-                "alerting:xpack.uptime.alerts.monitorStatus/uptime/alert/find",
-                "alerting:xpack.uptime.alerts.monitorStatus/uptime/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.uptime.alerts.monitorStatus/uptime/alert/getAlertSummary",
-                "alerting:xpack.uptime.alerts.durationAnomaly/uptime/alert/get",
-                "alerting:xpack.uptime.alerts.durationAnomaly/uptime/alert/find",
-                "alerting:xpack.uptime.alerts.durationAnomaly/uptime/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.uptime.alerts.durationAnomaly/uptime/alert/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.monitorStatus/uptime/alert/get",
-                "alerting:xpack.synthetics.alerts.monitorStatus/uptime/alert/find",
-                "alerting:xpack.synthetics.alerts.monitorStatus/uptime/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.synthetics.alerts.monitorStatus/uptime/alert/getAlertSummary",
-                "alerting:xpack.synthetics.alerts.tls/uptime/alert/get",
-                "alerting:xpack.synthetics.alerts.tls/uptime/alert/find",
-                "alerting:xpack.synthetics.alerts.tls/uptime/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.synthetics.alerts.tls/uptime/alert/getAlertSummary",
-                "app:observability",
-                "ui:catalogue/observability",
-                "ui:navLinks/observability",
-                "ui:observability/read",
-                "alerting:slo.rules.burnRate/observability/rule/get",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
-                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
-                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
-                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
-                "alerting:slo.rules.burnRate/observability/rule/find",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
-                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/get",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
-                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/find",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
-                "alerting:.es-query/observability/rule/get",
-                "alerting:.es-query/observability/rule/getRuleState",
-                "alerting:.es-query/observability/rule/getAlertSummary",
-                "alerting:.es-query/observability/rule/getExecutionLog",
-                "alerting:.es-query/observability/rule/getActionErrorLog",
-                "alerting:.es-query/observability/rule/find",
-                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
-                "alerting:.es-query/observability/rule/getBackfill",
-                "alerting:.es-query/observability/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.tls/uptime/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/uptime/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/uptime/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/uptime/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/uptime/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/uptime/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/uptime/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/uptime/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/uptime/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/uptime/alert/get",
+                "alerting:xpack.uptime.alerts.tls/uptime/alert/find",
+                "alerting:xpack.uptime.alerts.tls/uptime/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/uptime/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/uptime/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/uptime/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/uptime/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/uptime/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/uptime/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/uptime/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/uptime/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/uptime/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/uptime/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/uptime/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/uptime/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/uptime/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/uptime/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/uptime/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/uptime/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/uptime/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/uptime/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/uptime/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/uptime/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/uptime/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAlertSummary",
+                "app:observability",
+                "ui:catalogue/observability",
+                "ui:navLinks/observability",
+                "ui:observability/read",
                 "alerting:apm.error_rate/observability/rule/get",
                 "alerting:apm.error_rate/observability/rule/getRuleState",
                 "alerting:apm.error_rate/observability/rule/getAlertSummary",
@@ -10298,6 +20682,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.error_rate/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.error_rate/observability/rule/getBackfill",
                 "alerting:apm.error_rate/observability/rule/findBackfill",
+                "alerting:apm.error_rate/alerts/rule/get",
+                "alerting:apm.error_rate/alerts/rule/getRuleState",
+                "alerting:apm.error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.error_rate/alerts/rule/find",
+                "alerting:apm.error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/alerts/rule/getBackfill",
+                "alerting:apm.error_rate/alerts/rule/findBackfill",
                 "alerting:apm.transaction_error_rate/observability/rule/get",
                 "alerting:apm.transaction_error_rate/observability/rule/getRuleState",
                 "alerting:apm.transaction_error_rate/observability/rule/getAlertSummary",
@@ -10307,6 +20700,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.transaction_error_rate/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.transaction_error_rate/observability/rule/getBackfill",
                 "alerting:apm.transaction_error_rate/observability/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/get",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/find",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/alerts/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/findBackfill",
                 "alerting:apm.transaction_duration/observability/rule/get",
                 "alerting:apm.transaction_duration/observability/rule/getRuleState",
                 "alerting:apm.transaction_duration/observability/rule/getAlertSummary",
@@ -10316,6 +20718,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.transaction_duration/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.transaction_duration/observability/rule/getBackfill",
                 "alerting:apm.transaction_duration/observability/rule/findBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/get",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleState",
+                "alerting:apm.transaction_duration/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/alerts/rule/find",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/alerts/rule/getBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/findBackfill",
                 "alerting:apm.anomaly/observability/rule/get",
                 "alerting:apm.anomaly/observability/rule/getRuleState",
                 "alerting:apm.anomaly/observability/rule/getAlertSummary",
@@ -10325,6 +20736,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.anomaly/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.anomaly/observability/rule/getBackfill",
                 "alerting:apm.anomaly/observability/rule/findBackfill",
+                "alerting:apm.anomaly/alerts/rule/get",
+                "alerting:apm.anomaly/alerts/rule/getRuleState",
+                "alerting:apm.anomaly/alerts/rule/getAlertSummary",
+                "alerting:apm.anomaly/alerts/rule/getExecutionLog",
+                "alerting:apm.anomaly/alerts/rule/getActionErrorLog",
+                "alerting:apm.anomaly/alerts/rule/find",
+                "alerting:apm.anomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/alerts/rule/getBackfill",
+                "alerting:apm.anomaly/alerts/rule/findBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getAlertSummary",
@@ -10343,42 +20763,200 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleExecutionKPI",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getBackfill",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/findBackfill",
-                "alerting:slo.rules.burnRate/observability/alert/get",
-                "alerting:slo.rules.burnRate/observability/alert/find",
-                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/alert/get",
-                "alerting:observability.rules.custom_threshold/observability/alert/find",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
-                "alerting:.es-query/observability/alert/get",
-                "alerting:.es-query/observability/alert/find",
-                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/observability/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/rule/get",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/observability/rule/find",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/get",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/alerts/rule/find",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/findBackfill",
+                "alerting:logs.alert.document.count/observability/rule/get",
+                "alerting:logs.alert.document.count/observability/rule/getRuleState",
+                "alerting:logs.alert.document.count/observability/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/observability/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/observability/rule/find",
+                "alerting:logs.alert.document.count/observability/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/observability/rule/getBackfill",
+                "alerting:logs.alert.document.count/observability/rule/findBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/get",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleState",
+                "alerting:logs.alert.document.count/alerts/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/alerts/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/alerts/rule/find",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/alerts/rule/getBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/findBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/get",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
+                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/observability/rule/find",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/get",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleState",
+                "alerting:slo.rules.burnRate/alerts/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/alerts/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/alerts/rule/find",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/alerts/rule/getBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/get",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/find",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/get",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/find",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/findBackfill",
+                "alerting:.es-query/observability/rule/get",
+                "alerting:.es-query/observability/rule/getRuleState",
+                "alerting:.es-query/observability/rule/getAlertSummary",
+                "alerting:.es-query/observability/rule/getExecutionLog",
+                "alerting:.es-query/observability/rule/getActionErrorLog",
+                "alerting:.es-query/observability/rule/find",
+                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
+                "alerting:.es-query/observability/rule/getBackfill",
+                "alerting:.es-query/observability/rule/findBackfill",
+                "alerting:.es-query/alerts/rule/get",
+                "alerting:.es-query/alerts/rule/getRuleState",
+                "alerting:.es-query/alerts/rule/getAlertSummary",
+                "alerting:.es-query/alerts/rule/getExecutionLog",
+                "alerting:.es-query/alerts/rule/getActionErrorLog",
+                "alerting:.es-query/alerts/rule/find",
+                "alerting:.es-query/alerts/rule/getRuleExecutionKPI",
+                "alerting:.es-query/alerts/rule/getBackfill",
+                "alerting:.es-query/alerts/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/findBackfill",
                 "alerting:apm.error_rate/observability/alert/get",
                 "alerting:apm.error_rate/observability/alert/find",
                 "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.error_rate/alerts/alert/get",
+                "alerting:apm.error_rate/alerts/alert/find",
+                "alerting:apm.error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/alerts/alert/getAlertSummary",
                 "alerting:apm.transaction_error_rate/observability/alert/get",
                 "alerting:apm.transaction_error_rate/observability/alert/find",
                 "alerting:apm.transaction_error_rate/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/alert/get",
+                "alerting:apm.transaction_error_rate/alerts/alert/find",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAlertSummary",
                 "alerting:apm.transaction_duration/observability/alert/get",
                 "alerting:apm.transaction_duration/observability/alert/find",
                 "alerting:apm.transaction_duration/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_duration/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/alert/get",
+                "alerting:apm.transaction_duration/alerts/alert/find",
+                "alerting:apm.transaction_duration/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/alerts/alert/getAlertSummary",
                 "alerting:apm.anomaly/observability/alert/get",
                 "alerting:apm.anomaly/observability/alert/find",
                 "alerting:apm.anomaly/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.anomaly/observability/alert/getAlertSummary",
+                "alerting:apm.anomaly/alerts/alert/get",
+                "alerting:apm.anomaly/alerts/alert/find",
+                "alerting:apm.anomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/alerts/alert/getAlertSummary",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
@@ -10387,6 +20965,78 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/find",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/alert/get",
+                "alerting:metrics.alert.threshold/observability/alert/find",
+                "alerting:metrics.alert.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/alert/get",
+                "alerting:metrics.alert.threshold/alerts/alert/find",
+                "alerting:metrics.alert.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/alert/get",
+                "alerting:logs.alert.document.count/observability/alert/find",
+                "alerting:logs.alert.document.count/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/observability/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/alert/get",
+                "alerting:logs.alert.document.count/alerts/alert/find",
+                "alerting:logs.alert.document.count/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/alerts/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/alert/get",
+                "alerting:slo.rules.burnRate/observability/alert/find",
+                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/alert/get",
+                "alerting:slo.rules.burnRate/alerts/alert/find",
+                "alerting:slo.rules.burnRate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/alerts/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/alert/get",
+                "alerting:observability.rules.custom_threshold/observability/alert/find",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/alert/get",
+                "alerting:observability.rules.custom_threshold/alerts/alert/find",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAlertSummary",
+                "alerting:.es-query/observability/alert/get",
+                "alerting:.es-query/observability/alert/find",
+                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/observability/alert/getAlertSummary",
+                "alerting:.es-query/alerts/alert/get",
+                "alerting:.es-query/alerts/alert/find",
+                "alerting:.es-query/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/alerts/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAlertSummary",
               ],
               "read": Array [
                 "login:",
@@ -10467,6 +21117,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.uptime.alerts.tls/uptime/rule/getRuleExecutionKPI",
                 "alerting:xpack.uptime.alerts.tls/uptime/rule/getBackfill",
                 "alerting:xpack.uptime.alerts.tls/uptime/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/alerts/rule/findBackfill",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/rule/get",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/rule/getRuleState",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/rule/getAlertSummary",
@@ -10476,6 +21135,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/rule/getRuleExecutionKPI",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/rule/getBackfill",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/rule/findBackfill",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/rule/get",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/rule/getRuleState",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/rule/getAlertSummary",
@@ -10485,6 +21153,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/rule/getRuleExecutionKPI",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/rule/getBackfill",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/rule/findBackfill",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/rule/get",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/rule/getRuleState",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/rule/getAlertSummary",
@@ -10494,6 +21171,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/rule/getRuleExecutionKPI",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/rule/getBackfill",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/rule/findBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/getAlertSummary",
@@ -10503,6 +21189,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/getRuleExecutionKPI",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/getBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/rule/findBackfill",
                 "alerting:xpack.synthetics.alerts.tls/uptime/rule/get",
                 "alerting:xpack.synthetics.alerts.tls/uptime/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.tls/uptime/rule/getAlertSummary",
@@ -10512,79 +21207,67 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.tls/uptime/rule/getRuleExecutionKPI",
                 "alerting:xpack.synthetics.alerts.tls/uptime/rule/getBackfill",
                 "alerting:xpack.synthetics.alerts.tls/uptime/rule/findBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleState",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getExecutionLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getActionErrorLog",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/getBackfill",
+                "alerting:xpack.synthetics.alerts.tls/alerts/rule/findBackfill",
                 "alerting:xpack.uptime.alerts.tls/uptime/alert/get",
                 "alerting:xpack.uptime.alerts.tls/uptime/alert/find",
                 "alerting:xpack.uptime.alerts.tls/uptime/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.uptime.alerts.tls/uptime/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/alerts/alert/getAlertSummary",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/alert/get",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/alert/find",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.uptime.alerts.tlsCertificate/uptime/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/alerts/alert/getAlertSummary",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/alert/get",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/alert/find",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.uptime.alerts.monitorStatus/uptime/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/alerts/alert/getAlertSummary",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/alert/get",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/alert/find",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.uptime.alerts.durationAnomaly/uptime/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/alerts/alert/getAlertSummary",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/alert/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/alert/find",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.monitorStatus/uptime/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.monitorStatus/alerts/alert/getAlertSummary",
                 "alerting:xpack.synthetics.alerts.tls/uptime/alert/get",
                 "alerting:xpack.synthetics.alerts.tls/uptime/alert/find",
                 "alerting:xpack.synthetics.alerts.tls/uptime/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.tls/uptime/alert/getAlertSummary",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/get",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/find",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.synthetics.alerts.tls/alerts/alert/getAlertSummary",
                 "app:observability",
                 "ui:catalogue/observability",
                 "ui:navLinks/observability",
                 "ui:observability/read",
-                "alerting:slo.rules.burnRate/observability/rule/get",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
-                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
-                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
-                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
-                "alerting:slo.rules.burnRate/observability/rule/find",
-                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
-                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
-                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/get",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
-                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
-                "alerting:observability.rules.custom_threshold/observability/rule/find",
-                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
-                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
-                "alerting:.es-query/observability/rule/get",
-                "alerting:.es-query/observability/rule/getRuleState",
-                "alerting:.es-query/observability/rule/getAlertSummary",
-                "alerting:.es-query/observability/rule/getExecutionLog",
-                "alerting:.es-query/observability/rule/getActionErrorLog",
-                "alerting:.es-query/observability/rule/find",
-                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
-                "alerting:.es-query/observability/rule/getBackfill",
-                "alerting:.es-query/observability/rule/findBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
-                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
                 "alerting:apm.error_rate/observability/rule/get",
                 "alerting:apm.error_rate/observability/rule/getRuleState",
                 "alerting:apm.error_rate/observability/rule/getAlertSummary",
@@ -10594,6 +21277,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.error_rate/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.error_rate/observability/rule/getBackfill",
                 "alerting:apm.error_rate/observability/rule/findBackfill",
+                "alerting:apm.error_rate/alerts/rule/get",
+                "alerting:apm.error_rate/alerts/rule/getRuleState",
+                "alerting:apm.error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.error_rate/alerts/rule/find",
+                "alerting:apm.error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.error_rate/alerts/rule/getBackfill",
+                "alerting:apm.error_rate/alerts/rule/findBackfill",
                 "alerting:apm.transaction_error_rate/observability/rule/get",
                 "alerting:apm.transaction_error_rate/observability/rule/getRuleState",
                 "alerting:apm.transaction_error_rate/observability/rule/getAlertSummary",
@@ -10603,6 +21295,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.transaction_error_rate/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.transaction_error_rate/observability/rule/getBackfill",
                 "alerting:apm.transaction_error_rate/observability/rule/findBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/get",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleState",
+                "alerting:apm.transaction_error_rate/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_error_rate/alerts/rule/find",
+                "alerting:apm.transaction_error_rate/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_error_rate/alerts/rule/getBackfill",
+                "alerting:apm.transaction_error_rate/alerts/rule/findBackfill",
                 "alerting:apm.transaction_duration/observability/rule/get",
                 "alerting:apm.transaction_duration/observability/rule/getRuleState",
                 "alerting:apm.transaction_duration/observability/rule/getAlertSummary",
@@ -10612,6 +21313,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.transaction_duration/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.transaction_duration/observability/rule/getBackfill",
                 "alerting:apm.transaction_duration/observability/rule/findBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/get",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleState",
+                "alerting:apm.transaction_duration/alerts/rule/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/rule/getExecutionLog",
+                "alerting:apm.transaction_duration/alerts/rule/getActionErrorLog",
+                "alerting:apm.transaction_duration/alerts/rule/find",
+                "alerting:apm.transaction_duration/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.transaction_duration/alerts/rule/getBackfill",
+                "alerting:apm.transaction_duration/alerts/rule/findBackfill",
                 "alerting:apm.anomaly/observability/rule/get",
                 "alerting:apm.anomaly/observability/rule/getRuleState",
                 "alerting:apm.anomaly/observability/rule/getAlertSummary",
@@ -10621,6 +21331,15 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:apm.anomaly/observability/rule/getRuleExecutionKPI",
                 "alerting:apm.anomaly/observability/rule/getBackfill",
                 "alerting:apm.anomaly/observability/rule/findBackfill",
+                "alerting:apm.anomaly/alerts/rule/get",
+                "alerting:apm.anomaly/alerts/rule/getRuleState",
+                "alerting:apm.anomaly/alerts/rule/getAlertSummary",
+                "alerting:apm.anomaly/alerts/rule/getExecutionLog",
+                "alerting:apm.anomaly/alerts/rule/getActionErrorLog",
+                "alerting:apm.anomaly/alerts/rule/find",
+                "alerting:apm.anomaly/alerts/rule/getRuleExecutionKPI",
+                "alerting:apm.anomaly/alerts/rule/getBackfill",
+                "alerting:apm.anomaly/alerts/rule/findBackfill",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getRuleState",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/rule/getAlertSummary",
@@ -10639,42 +21358,200 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getRuleExecutionKPI",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/getBackfill",
                 "alerting:xpack.synthetics.alerts.tls/observability/rule/findBackfill",
-                "alerting:slo.rules.burnRate/observability/alert/get",
-                "alerting:slo.rules.burnRate/observability/alert/find",
-                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
-                "alerting:observability.rules.custom_threshold/observability/alert/get",
-                "alerting:observability.rules.custom_threshold/observability/alert/find",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
-                "alerting:.es-query/observability/alert/get",
-                "alerting:.es-query/observability/alert/find",
-                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:.es-query/observability/alert/getAlertSummary",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
-                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/rule/get",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/observability/rule/find",
+                "alerting:metrics.alert.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/get",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.threshold/alerts/rule/find",
+                "alerting:metrics.alert.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.threshold/alerts/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/get",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/find",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/observability/rule/findBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleState",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getExecutionLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getActionErrorLog",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/getBackfill",
+                "alerting:metrics.alert.inventory.threshold/alerts/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tls/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/rule/findBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleState",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getExecutionLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getActionErrorLog",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/getBackfill",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/rule/findBackfill",
+                "alerting:logs.alert.document.count/observability/rule/get",
+                "alerting:logs.alert.document.count/observability/rule/getRuleState",
+                "alerting:logs.alert.document.count/observability/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/observability/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/observability/rule/find",
+                "alerting:logs.alert.document.count/observability/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/observability/rule/getBackfill",
+                "alerting:logs.alert.document.count/observability/rule/findBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/get",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleState",
+                "alerting:logs.alert.document.count/alerts/rule/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/rule/getExecutionLog",
+                "alerting:logs.alert.document.count/alerts/rule/getActionErrorLog",
+                "alerting:logs.alert.document.count/alerts/rule/find",
+                "alerting:logs.alert.document.count/alerts/rule/getRuleExecutionKPI",
+                "alerting:logs.alert.document.count/alerts/rule/getBackfill",
+                "alerting:logs.alert.document.count/alerts/rule/findBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/get",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleState",
+                "alerting:slo.rules.burnRate/observability/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/observability/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/observability/rule/find",
+                "alerting:slo.rules.burnRate/observability/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/observability/rule/getBackfill",
+                "alerting:slo.rules.burnRate/observability/rule/findBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/get",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleState",
+                "alerting:slo.rules.burnRate/alerts/rule/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/rule/getExecutionLog",
+                "alerting:slo.rules.burnRate/alerts/rule/getActionErrorLog",
+                "alerting:slo.rules.burnRate/alerts/rule/find",
+                "alerting:slo.rules.burnRate/alerts/rule/getRuleExecutionKPI",
+                "alerting:slo.rules.burnRate/alerts/rule/getBackfill",
+                "alerting:slo.rules.burnRate/alerts/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/get",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/observability/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/observability/rule/find",
+                "alerting:observability.rules.custom_threshold/observability/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/observability/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/observability/rule/findBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/get",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleState",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getExecutionLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getActionErrorLog",
+                "alerting:observability.rules.custom_threshold/alerts/rule/find",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getRuleExecutionKPI",
+                "alerting:observability.rules.custom_threshold/alerts/rule/getBackfill",
+                "alerting:observability.rules.custom_threshold/alerts/rule/findBackfill",
+                "alerting:.es-query/observability/rule/get",
+                "alerting:.es-query/observability/rule/getRuleState",
+                "alerting:.es-query/observability/rule/getAlertSummary",
+                "alerting:.es-query/observability/rule/getExecutionLog",
+                "alerting:.es-query/observability/rule/getActionErrorLog",
+                "alerting:.es-query/observability/rule/find",
+                "alerting:.es-query/observability/rule/getRuleExecutionKPI",
+                "alerting:.es-query/observability/rule/getBackfill",
+                "alerting:.es-query/observability/rule/findBackfill",
+                "alerting:.es-query/alerts/rule/get",
+                "alerting:.es-query/alerts/rule/getRuleState",
+                "alerting:.es-query/alerts/rule/getAlertSummary",
+                "alerting:.es-query/alerts/rule/getExecutionLog",
+                "alerting:.es-query/alerts/rule/getActionErrorLog",
+                "alerting:.es-query/alerts/rule/find",
+                "alerting:.es-query/alerts/rule/getRuleExecutionKPI",
+                "alerting:.es-query/alerts/rule/getBackfill",
+                "alerting:.es-query/alerts/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/rule/findBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleState",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getExecutionLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getActionErrorLog",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getRuleExecutionKPI",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/getBackfill",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/rule/findBackfill",
                 "alerting:apm.error_rate/observability/alert/get",
                 "alerting:apm.error_rate/observability/alert/find",
                 "alerting:apm.error_rate/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.error_rate/alerts/alert/get",
+                "alerting:apm.error_rate/alerts/alert/find",
+                "alerting:apm.error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.error_rate/alerts/alert/getAlertSummary",
                 "alerting:apm.transaction_error_rate/observability/alert/get",
                 "alerting:apm.transaction_error_rate/observability/alert/find",
                 "alerting:apm.transaction_error_rate/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_error_rate/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_error_rate/alerts/alert/get",
+                "alerting:apm.transaction_error_rate/alerts/alert/find",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_error_rate/alerts/alert/getAlertSummary",
                 "alerting:apm.transaction_duration/observability/alert/get",
                 "alerting:apm.transaction_duration/observability/alert/find",
                 "alerting:apm.transaction_duration/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.transaction_duration/observability/alert/getAlertSummary",
+                "alerting:apm.transaction_duration/alerts/alert/get",
+                "alerting:apm.transaction_duration/alerts/alert/find",
+                "alerting:apm.transaction_duration/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.transaction_duration/alerts/alert/getAlertSummary",
                 "alerting:apm.anomaly/observability/alert/get",
                 "alerting:apm.anomaly/observability/alert/find",
                 "alerting:apm.anomaly/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:apm.anomaly/observability/alert/getAlertSummary",
+                "alerting:apm.anomaly/alerts/alert/get",
+                "alerting:apm.anomaly/alerts/alert/find",
+                "alerting:apm.anomaly/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:apm.anomaly/alerts/alert/getAlertSummary",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/get",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/find",
                 "alerting:xpack.synthetics.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
@@ -10683,6 +21560,78 @@ export default function ({ getService }: FtrProviderContext) {
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/find",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
                 "alerting:xpack.synthetics.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/observability/alert/get",
+                "alerting:metrics.alert.threshold/observability/alert/find",
+                "alerting:metrics.alert.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.threshold/alerts/alert/get",
+                "alerting:metrics.alert.threshold/alerts/alert/find",
+                "alerting:metrics.alert.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.threshold/alerts/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/get",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/find",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/observability/alert/getAlertSummary",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/get",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/find",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:metrics.alert.inventory.threshold/alerts/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tls/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/get",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/find",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.tlsCertificate/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/get",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/find",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.monitorStatus/observability/alert/getAlertSummary",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/get",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/find",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.uptime.alerts.durationAnomaly/observability/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/observability/alert/get",
+                "alerting:logs.alert.document.count/observability/alert/find",
+                "alerting:logs.alert.document.count/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/observability/alert/getAlertSummary",
+                "alerting:logs.alert.document.count/alerts/alert/get",
+                "alerting:logs.alert.document.count/alerts/alert/find",
+                "alerting:logs.alert.document.count/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:logs.alert.document.count/alerts/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/observability/alert/get",
+                "alerting:slo.rules.burnRate/observability/alert/find",
+                "alerting:slo.rules.burnRate/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/observability/alert/getAlertSummary",
+                "alerting:slo.rules.burnRate/alerts/alert/get",
+                "alerting:slo.rules.burnRate/alerts/alert/find",
+                "alerting:slo.rules.burnRate/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:slo.rules.burnRate/alerts/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/observability/alert/get",
+                "alerting:observability.rules.custom_threshold/observability/alert/find",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/observability/alert/getAlertSummary",
+                "alerting:observability.rules.custom_threshold/alerts/alert/get",
+                "alerting:observability.rules.custom_threshold/alerts/alert/find",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:observability.rules.custom_threshold/alerts/alert/getAlertSummary",
+                "alerting:.es-query/observability/alert/get",
+                "alerting:.es-query/observability/alert/find",
+                "alerting:.es-query/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/observability/alert/getAlertSummary",
+                "alerting:.es-query/alerts/alert/get",
+                "alerting:.es-query/alerts/alert/find",
+                "alerting:.es-query/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:.es-query/alerts/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/observability/alert/getAlertSummary",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/get",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/find",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAuthorizedAlertsIndices",
+                "alerting:xpack.ml.anomaly_detection_alert/alerts/alert/getAlertSummary",
               ],
             },
           }

From 8c9181aa48796a8467e38ad1431238ebaa78de7e Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Wed, 4 Dec 2024 01:23:58 +1100
Subject: [PATCH 15/23] [8.x] [Security Solution] Skip isCustomized calculation
 when the feature flag is off (#201825) (#202697)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution] Skip isCustomized calculation when the feature
flag is off (#201825)](https://github.com/elastic/kibana/pull/201825)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Dmitrii
Shevchenko","email":"dmitrii.shevchenko@elastic.co"},"sourceCommit":{"committedDate":"2024-12-03T12:11:24Z","message":"[Security
Solution] Skip isCustomized calculation when the feature flag is off
(#201825)\n\n**Resolves:
https://github.com/elastic/kibana/issues/201632**\r\n\r\n## Summary
\r\n\r\nWhen the rule customization feature flag is disabled, we should
always\r\nreturn `isCustomized: false`, regardless of any changes
introduced to a\r\nrule. This ensures that we do not accidentally mark
prebuilt rules as\r\ncustomized in 8.16 with the feature flag off. For
more details, refer to\r\nthe related issue:
https://github.com/elastic/kibana/issues/201632\r\n\r\n### Main Changes
\r\n\r\n- The primary change in this PR is encapsulated in
the\r\n`calculateIsCustomized` function\r\n- Other changes involve
passing the feature flag to this function\r\n- Added integration tests
to cover all API CRUD operations that can be\r\nperformed with
rules","sha":"22911c1828f40160cf3a2935300aec18c11b56e9","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","v9.0.0","Team:Detections
and Resp","Team: SecuritySolution","Team:Detection Rule
Management","Feature:Prebuilt Detection
Rules","backport:version","v8.17.0","v8.18.0","v8.16.2"],"title":"[Security
Solution] Skip isCustomized calculation when the feature flag is
off","number":201825,"url":"https://github.com/elastic/kibana/pull/201825","mergeCommit":{"message":"[Security
Solution] Skip isCustomized calculation when the feature flag is off
(#201825)\n\n**Resolves:
https://github.com/elastic/kibana/issues/201632**\r\n\r\n## Summary
\r\n\r\nWhen the rule customization feature flag is disabled, we should
always\r\nreturn `isCustomized: false`, regardless of any changes
introduced to a\r\nrule. This ensures that we do not accidentally mark
prebuilt rules as\r\ncustomized in 8.16 with the feature flag off. For
more details, refer to\r\nthe related issue:
https://github.com/elastic/kibana/issues/201632\r\n\r\n### Main Changes
\r\n\r\n- The primary change in this PR is encapsulated in
the\r\n`calculateIsCustomized` function\r\n- Other changes involve
passing the feature flag to this function\r\n- Added integration tests
to cover all API CRUD operations that can be\r\nperformed with
rules","sha":"22911c1828f40160cf3a2935300aec18c11b56e9"}},"sourceBranch":"main","suggestedTargetBranches":["8.17","8.x","8.16"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/201825","number":201825,"mergeCommit":{"message":"[Security
Solution] Skip isCustomized calculation when the feature flag is off
(#201825)\n\n**Resolves:
https://github.com/elastic/kibana/issues/201632**\r\n\r\n## Summary
\r\n\r\nWhen the rule customization feature flag is disabled, we should
always\r\nreturn `isCustomized: false`, regardless of any changes
introduced to a\r\nrule. This ensures that we do not accidentally mark
prebuilt rules as\r\ncustomized in 8.16 with the feature flag off. For
more details, refer to\r\nthe related issue:
https://github.com/elastic/kibana/issues/201632\r\n\r\n### Main Changes
\r\n\r\n- The primary change in this PR is encapsulated in
the\r\n`calculateIsCustomized` function\r\n- Other changes involve
passing the feature flag to this function\r\n- Added integration tests
to cover all API CRUD operations that can be\r\nperformed with
rules","sha":"22911c1828f40160cf3a2935300aec18c11b56e9"}},{"branch":"8.17","label":"v8.17.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.16","label":"v8.16.2","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Dmitrii Shevchenko <dmitrii.shevchenko@elastic.co>
---
 .../ftr_security_serverless_configs.yml       |   3 +-
 .buildkite/ftr_security_stateful_configs.yml  |   3 +-
 .../logic/bulk_actions/bulk_edit_rules.ts     |  14 +-
 ...on_rules_client.create_custom_rule.test.ts |   1 +
 ..._rules_client.create_prebuilt_rule.test.ts |   1 +
 ...detection_rules_client.delete_rule.test.ts |   1 +
 ...detection_rules_client.import_rule.test.ts |   1 +
 ...etection_rules_client.import_rules.test.ts |   1 +
 .../detection_rules_client.patch_rule.test.ts |   1 +
 .../detection_rules_client.ts                 |   6 +
 ...detection_rules_client.update_rule.test.ts |   1 +
 ...rules_client.upgrade_prebuilt_rule.test.ts |   1 +
 .../mergers/apply_rule_patch.test.ts          |  22 ++
 .../mergers/apply_rule_patch.ts               |   3 +
 .../mergers/apply_rule_update.ts              |   3 +
 .../rule_source/calculate_is_customized.ts    |  20 +-
 .../rule_source/calculate_rule_source.test.ts |  25 ++
 .../rule_source/calculate_rule_source.ts      |   8 +-
 .../methods/import_rule.ts                    |   3 +
 .../methods/patch_rule.ts                     |   3 +
 .../methods/update_rule.ts                    |   3 +
 .../methods/upgrade_prebuilt_rule.ts          |   3 +
 .../calculate_rule_source_for_import.test.ts  |   4 +
 .../calculate_rule_source_for_import.ts       |   3 +
 .../calculate_rule_source_from_asset.test.ts  |   4 +
 .../calculate_rule_source_from_asset.ts       |  10 +-
 .../rule_source_importer.test.ts              |   2 +
 .../rule_source_importer.ts                   |   2 +
 .../server/request_context_factory.ts         |   1 +
 .../configs/ess.config.ts                     |  25 ++
 .../configs/serverless.config.ts              |  17 ++
 .../customization_disabled/index.ts           |  14 ++
 .../is_customized_calculation.ts              | 218 ++++++++++++++++++
 .../configs/ess.config.ts                     |   2 +-
 .../configs/serverless.config.ts              |   2 +-
 .../import_rules.ts                           |   0
 .../index.ts                                  |   2 +-
 .../is_customized_calculation.ts              |   0
 .../rules_export.ts                           |   0
 .../patch_rules.ts                            |  28 +--
 40 files changed, 425 insertions(+), 36 deletions(-)
 create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/configs/ess.config.ts
 create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/configs/serverless.config.ts
 create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/index.ts
 create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/is_customized_calculation.ts
 rename x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/{trial_license_complete_tier => customization_enabled}/configs/ess.config.ts (91%)
 rename x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/{trial_license_complete_tier => customization_enabled}/configs/serverless.config.ts (84%)
 rename x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/{trial_license_complete_tier => customization_enabled}/import_rules.ts (100%)
 rename x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/{trial_license_complete_tier => customization_enabled}/index.ts (94%)
 rename x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/{trial_license_complete_tier => customization_enabled}/is_customized_calculation.ts (100%)
 rename x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/{trial_license_complete_tier => customization_enabled}/rules_export.ts (100%)

diff --git a/.buildkite/ftr_security_serverless_configs.yml b/.buildkite/ftr_security_serverless_configs.yml
index f60d78d19143e..e925365d6a1e4 100644
--- a/.buildkite/ftr_security_serverless_configs.yml
+++ b/.buildkite/ftr_security_serverless_configs.yml
@@ -70,7 +70,8 @@ disabled:
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/large_prebuilt_rules_package/trial_license_complete_tier/configs/serverless.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/management/trial_license_complete_tier/configs/serverless.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/update_prebuilt_rules_package/trial_license_complete_tier/configs/serverless.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/trial_license_complete_tier/configs/serverless.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_enabled/configs/serverless.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/configs/serverless.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_bulk_actions/trial_license_complete_tier/configs/serverless.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_delete/trial_license_complete_tier/configs/serverless.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_delete/basic_license_essentials_tier/configs/serverless.config.ts
diff --git a/.buildkite/ftr_security_stateful_configs.yml b/.buildkite/ftr_security_stateful_configs.yml
index 2dd4476279513..61b5152059399 100644
--- a/.buildkite/ftr_security_stateful_configs.yml
+++ b/.buildkite/ftr_security_stateful_configs.yml
@@ -58,7 +58,8 @@ enabled:
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/large_prebuilt_rules_package/trial_license_complete_tier/configs/ess.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/management/trial_license_complete_tier/configs/ess.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/update_prebuilt_rules_package/trial_license_complete_tier/configs/ess.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/trial_license_complete_tier/configs/ess.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_enabled/configs/ess.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/configs/ess.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_bulk_actions/trial_license_complete_tier/configs/ess.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_delete/trial_license_complete_tier/configs/ess.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_delete/basic_license_essentials_tier/configs/ess.config.ts
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/bulk_actions/bulk_edit_rules.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/bulk_actions/bulk_edit_rules.ts
index bee44a3600f97..b9c97c2412b1a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/bulk_actions/bulk_edit_rules.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/bulk_actions/bulk_edit_rules.ts
@@ -92,14 +92,20 @@ export const bulkEditRules = async ({
         params: modifiedParams,
       };
       const ruleResponse = convertAlertingRuleToRuleResponse(updatedRule);
+      let isCustomized = false;
+      if (ruleResponse.immutable === true) {
+        isCustomized = calculateIsCustomized({
+          baseRule: baseVersionsMap.get(ruleResponse.rule_id),
+          nextRule: ruleResponse,
+          isRuleCustomizationEnabled: experimentalFeatures.prebuiltRulesCustomizationEnabled,
+        });
+      }
+
       const ruleSource =
         ruleResponse.immutable === true
           ? {
               type: 'external' as const,
-              isCustomized: calculateIsCustomized(
-                baseVersionsMap.get(ruleResponse.rule_id),
-                ruleResponse
-              ),
+              isCustomized,
             }
           : {
               type: 'internal' as const,
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.create_custom_rule.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.create_custom_rule.test.ts
index af3f85f3e1345..b07f95f74d2f9 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.create_custom_rule.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.create_custom_rule.test.ts
@@ -51,6 +51,7 @@ describe('DetectionRulesClient.createCustomRule', () => {
       rulesClient,
       mlAuthz,
       savedObjectsClient,
+      isRuleCustomizationEnabled: true,
     });
   });
 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.create_prebuilt_rule.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.create_prebuilt_rule.test.ts
index 4caeb4bd9b940..6e1e75855b6a0 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.create_prebuilt_rule.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.create_prebuilt_rule.test.ts
@@ -44,6 +44,7 @@ describe('DetectionRulesClient.createPrebuiltRule', () => {
       rulesClient,
       mlAuthz,
       savedObjectsClient,
+      isRuleCustomizationEnabled: true,
     });
   });
 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.delete_rule.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.delete_rule.test.ts
index ea5d1453753c3..a4afe5abadb6b 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.delete_rule.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.delete_rule.test.ts
@@ -30,6 +30,7 @@ describe('DetectionRulesClient.deleteRule', () => {
       rulesClient,
       mlAuthz,
       savedObjectsClient,
+      isRuleCustomizationEnabled: true,
     });
   });
 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.import_rule.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.import_rule.test.ts
index 4300b17b3be80..5f8bfb5577740 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.import_rule.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.import_rule.test.ts
@@ -51,6 +51,7 @@ describe('DetectionRulesClient.importRule', () => {
       rulesClient,
       mlAuthz,
       savedObjectsClient,
+      isRuleCustomizationEnabled: true,
     });
   });
 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.import_rules.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.import_rules.test.ts
index 58b1385dda09c..3dfd859fb0b7b 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.import_rules.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.import_rules.test.ts
@@ -32,6 +32,7 @@ describe('detectionRulesClient.importRules', () => {
       rulesClient: rulesClientMock.create(),
       mlAuthz: buildMlAuthz(),
       savedObjectsClient: savedObjectsClientMock.create(),
+      isRuleCustomizationEnabled: true,
     });
 
     (checkRuleExceptionReferences as jest.Mock).mockReturnValue([[], []]);
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.patch_rule.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.patch_rule.test.ts
index 448df6b581a3b..18fe3c54da7e0 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.patch_rule.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.patch_rule.test.ts
@@ -50,6 +50,7 @@ describe('DetectionRulesClient.patchRule', () => {
       rulesClient,
       mlAuthz,
       savedObjectsClient,
+      isRuleCustomizationEnabled: true,
     });
   });
 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.ts
index fb6f5c4a03c1f..57c8f12c09aa9 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.ts
@@ -38,6 +38,7 @@ interface DetectionRulesClientParams {
   rulesClient: RulesClient;
   savedObjectsClient: SavedObjectsClientContract;
   mlAuthz: MlAuthz;
+  isRuleCustomizationEnabled: boolean;
 }
 
 export const createDetectionRulesClient = ({
@@ -45,6 +46,7 @@ export const createDetectionRulesClient = ({
   rulesClient,
   mlAuthz,
   savedObjectsClient,
+  isRuleCustomizationEnabled,
 }: DetectionRulesClientParams): IDetectionRulesClient => {
   const prebuiltRuleAssetClient = createPrebuiltRuleAssetsClient(savedObjectsClient);
 
@@ -89,6 +91,7 @@ export const createDetectionRulesClient = ({
           prebuiltRuleAssetClient,
           mlAuthz,
           ruleUpdate,
+          isRuleCustomizationEnabled,
         });
       });
     },
@@ -101,6 +104,7 @@ export const createDetectionRulesClient = ({
           prebuiltRuleAssetClient,
           mlAuthz,
           rulePatch,
+          isRuleCustomizationEnabled,
         });
       });
     },
@@ -119,6 +123,7 @@ export const createDetectionRulesClient = ({
           ruleAsset,
           mlAuthz,
           prebuiltRuleAssetClient,
+          isRuleCustomizationEnabled,
         });
       });
     },
@@ -131,6 +136,7 @@ export const createDetectionRulesClient = ({
           importRulePayload: args,
           mlAuthz,
           prebuiltRuleAssetClient,
+          isRuleCustomizationEnabled,
         });
       });
     },
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.update_rule.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.update_rule.test.ts
index cbd0fb1fe3680..64c01ab395529 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.update_rule.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.update_rule.test.ts
@@ -50,6 +50,7 @@ describe('DetectionRulesClient.updateRule', () => {
       rulesClient,
       mlAuthz,
       savedObjectsClient,
+      isRuleCustomizationEnabled: true,
     });
   });
 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.upgrade_prebuilt_rule.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.upgrade_prebuilt_rule.test.ts
index acdb7b9653930..ed186abe5a7c3 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.upgrade_prebuilt_rule.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/detection_rules_client.upgrade_prebuilt_rule.test.ts
@@ -48,6 +48,7 @@ describe('DetectionRulesClient.upgradePrebuiltRule', () => {
       rulesClient,
       mlAuthz,
       savedObjectsClient,
+      isRuleCustomizationEnabled: true,
     });
   });
 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.test.ts
index abf90c3f4dfc4..0d780c07aac19 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.test.ts
@@ -37,6 +37,7 @@ describe('applyRulePatch', () => {
         rulePatch,
         existingRule,
         prebuiltRuleAssetClient,
+        isRuleCustomizationEnabled: true,
       });
       expect(patchedRule).toEqual(
         expect.objectContaining({
@@ -65,6 +66,7 @@ describe('applyRulePatch', () => {
         rulePatch,
         existingRule,
         prebuiltRuleAssetClient,
+        isRuleCustomizationEnabled: true,
       });
       expect(patchedRule).toEqual(
         expect.objectContaining({
@@ -94,6 +96,7 @@ describe('applyRulePatch', () => {
           rulePatch,
           existingRule,
           prebuiltRuleAssetClient,
+          isRuleCustomizationEnabled: true,
         })
       ).rejects.toThrowError(
         'event_category_override: Expected string, received number, tiebreaker_field: Expected string, received number, timestamp_field: Expected string, received number'
@@ -119,6 +122,7 @@ describe('applyRulePatch', () => {
           rulePatch,
           existingRule,
           prebuiltRuleAssetClient,
+          isRuleCustomizationEnabled: true,
         })
       ).rejects.toThrowError('alert_suppression.group_by: Expected array, received string');
     });
@@ -134,6 +138,7 @@ describe('applyRulePatch', () => {
       rulePatch,
       existingRule,
       prebuiltRuleAssetClient,
+      isRuleCustomizationEnabled: true,
     });
     expect(patchedRule).toEqual(
       expect.objectContaining({
@@ -154,6 +159,7 @@ describe('applyRulePatch', () => {
         rulePatch,
         existingRule,
         prebuiltRuleAssetClient,
+        isRuleCustomizationEnabled: true,
       })
     ).rejects.toThrowError(
       'threat_query: Expected string, received number, threat_indicator_path: Expected string, received number'
@@ -170,6 +176,7 @@ describe('applyRulePatch', () => {
       rulePatch,
       existingRule,
       prebuiltRuleAssetClient,
+      isRuleCustomizationEnabled: true,
     });
     expect(patchedRule).toEqual(
       expect.objectContaining({
@@ -190,6 +197,7 @@ describe('applyRulePatch', () => {
         rulePatch,
         existingRule,
         prebuiltRuleAssetClient,
+        isRuleCustomizationEnabled: true,
       })
     ).rejects.toThrowError(
       "index.0: Expected string, received number, language: Invalid enum value. Expected 'kuery' | 'lucene', received 'non-language'"
@@ -206,6 +214,7 @@ describe('applyRulePatch', () => {
       rulePatch,
       existingRule,
       prebuiltRuleAssetClient,
+      isRuleCustomizationEnabled: true,
     });
     expect(patchedRule).toEqual(
       expect.objectContaining({
@@ -226,6 +235,7 @@ describe('applyRulePatch', () => {
         rulePatch,
         existingRule,
         prebuiltRuleAssetClient,
+        isRuleCustomizationEnabled: true,
       })
     ).rejects.toThrowError(
       "index.0: Expected string, received number, language: Invalid enum value. Expected 'kuery' | 'lucene', received 'non-language'"
@@ -244,6 +254,7 @@ describe('applyRulePatch', () => {
       rulePatch,
       existingRule,
       prebuiltRuleAssetClient,
+      isRuleCustomizationEnabled: true,
     });
     expect(patchedRule).toEqual(
       expect.objectContaining({
@@ -268,6 +279,7 @@ describe('applyRulePatch', () => {
         rulePatch,
         existingRule,
         prebuiltRuleAssetClient,
+        isRuleCustomizationEnabled: true,
       })
     ).rejects.toThrowError('threshold.value: Expected number, received string');
   });
@@ -285,6 +297,7 @@ describe('applyRulePatch', () => {
       rulePatch,
       existingRule,
       prebuiltRuleAssetClient,
+      isRuleCustomizationEnabled: true,
     });
     expect(patchedRule).toEqual(
       expect.objectContaining({
@@ -308,6 +321,7 @@ describe('applyRulePatch', () => {
       rulePatch,
       existingRule,
       prebuiltRuleAssetClient,
+      isRuleCustomizationEnabled: true,
     });
     expect(patchedRule).toEqual(
       expect.objectContaining({
@@ -330,6 +344,7 @@ describe('applyRulePatch', () => {
       rulePatch,
       existingRule,
       prebuiltRuleAssetClient,
+      isRuleCustomizationEnabled: true,
     });
     expect(patchedRule).toEqual(
       expect.objectContaining({
@@ -354,6 +369,7 @@ describe('applyRulePatch', () => {
       rulePatch,
       existingRule,
       prebuiltRuleAssetClient,
+      isRuleCustomizationEnabled: true,
     });
     expect(patchedRule).toEqual(
       expect.objectContaining({
@@ -376,6 +392,7 @@ describe('applyRulePatch', () => {
         rulePatch,
         existingRule,
         prebuiltRuleAssetClient,
+        isRuleCustomizationEnabled: true,
       });
       expect(patchedRule).toEqual(
         expect.objectContaining({
@@ -394,6 +411,7 @@ describe('applyRulePatch', () => {
           rulePatch,
           existingRule,
           prebuiltRuleAssetClient,
+          isRuleCustomizationEnabled: true,
         })
       ).rejects.toThrowError('anomaly_threshold: Expected number, received string');
     });
@@ -410,6 +428,7 @@ describe('applyRulePatch', () => {
         rulePatch,
         existingRule,
         prebuiltRuleAssetClient,
+        isRuleCustomizationEnabled: true,
       });
 
       expect(patchedRule).toEqual(
@@ -432,6 +451,7 @@ describe('applyRulePatch', () => {
       rulePatch,
       existingRule,
       prebuiltRuleAssetClient,
+      isRuleCustomizationEnabled: true,
     });
     expect(patchedRule).toEqual(
       expect.objectContaining({
@@ -450,6 +470,7 @@ describe('applyRulePatch', () => {
         rulePatch,
         existingRule,
         prebuiltRuleAssetClient,
+        isRuleCustomizationEnabled: true,
       })
     ).rejects.toThrowError('new_terms_fields: Expected array, received string');
   });
@@ -472,6 +493,7 @@ describe('applyRulePatch', () => {
       rulePatch,
       existingRule,
       prebuiltRuleAssetClient,
+      isRuleCustomizationEnabled: true,
     });
     expect(patchedRule).toEqual(
       expect.objectContaining({
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.ts
index 9f5b167322491..aaaab474c2fbe 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.ts
@@ -51,6 +51,7 @@ interface ApplyRulePatchProps {
   prebuiltRuleAssetClient: IPrebuiltRuleAssetsClient;
   existingRule: RuleResponse;
   rulePatch: PatchRuleRequestBody;
+  isRuleCustomizationEnabled: boolean;
 }
 
 // eslint-disable-next-line complexity
@@ -58,6 +59,7 @@ export const applyRulePatch = async ({
   rulePatch,
   existingRule,
   prebuiltRuleAssetClient,
+  isRuleCustomizationEnabled,
 }: ApplyRulePatchProps): Promise<RuleResponse> => {
   const typeSpecificParams = patchTypeSpecificParams(rulePatch, existingRule);
 
@@ -122,6 +124,7 @@ export const applyRulePatch = async ({
   nextRule.rule_source = await calculateRuleSource({
     rule: nextRule,
     prebuiltRuleAssetClient,
+    isRuleCustomizationEnabled,
   });
 
   return nextRule;
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_update.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_update.ts
index b911e66a1fc45..850924d3cd04d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_update.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_update.ts
@@ -17,12 +17,14 @@ interface ApplyRuleUpdateProps {
   prebuiltRuleAssetClient: IPrebuiltRuleAssetsClient;
   existingRule: RuleResponse;
   ruleUpdate: RuleUpdateProps;
+  isRuleCustomizationEnabled: boolean;
 }
 
 export const applyRuleUpdate = async ({
   prebuiltRuleAssetClient,
   existingRule,
   ruleUpdate,
+  isRuleCustomizationEnabled,
 }: ApplyRuleUpdateProps): Promise<RuleResponse> => {
   const nextRule: RuleResponse = {
     ...applyRuleDefaults(ruleUpdate),
@@ -46,6 +48,7 @@ export const applyRuleUpdate = async ({
   nextRule.rule_source = await calculateRuleSource({
     rule: nextRule,
     prebuiltRuleAssetClient,
+    isRuleCustomizationEnabled,
   });
 
   return nextRule;
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/rule_source/calculate_is_customized.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/rule_source/calculate_is_customized.ts
index 92c7d941dd7f1..a94506486cc53 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/rule_source/calculate_is_customized.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/rule_source/calculate_is_customized.ts
@@ -12,10 +12,22 @@ import { calculateRuleFieldsDiff } from '../../../../../prebuilt_rules/logic/dif
 import { convertRuleToDiffable } from '../../../../../../../../common/detection_engine/prebuilt_rules/diff/convert_rule_to_diffable';
 import { convertPrebuiltRuleAssetToRuleResponse } from '../../converters/convert_prebuilt_rule_asset_to_rule_response';
 
-export function calculateIsCustomized(
-  baseRule: PrebuiltRuleAsset | undefined,
-  nextRule: RuleResponse
-) {
+interface CalculateIsCustomizedArgs {
+  baseRule: PrebuiltRuleAsset | undefined;
+  nextRule: RuleResponse;
+  isRuleCustomizationEnabled: boolean;
+}
+
+export function calculateIsCustomized({
+  baseRule,
+  nextRule,
+  isRuleCustomizationEnabled,
+}: CalculateIsCustomizedArgs) {
+  if (!isRuleCustomizationEnabled) {
+    // We don't want to accidentally mark rules as customized when customization is disabled.
+    return false;
+  }
+
   if (baseRule == null) {
     // If the base version is missing, we consider the rule to be customized
     return true;
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/rule_source/calculate_rule_source.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/rule_source/calculate_rule_source.test.ts
index e44c69d2705d5..d0b9f722458a1 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/rule_source/calculate_rule_source.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/rule_source/calculate_rule_source.test.ts
@@ -43,6 +43,7 @@ describe('calculateRuleSource', () => {
     const result = await calculateRuleSource({
       prebuiltRuleAssetClient,
       rule,
+      isRuleCustomizationEnabled: true,
     });
     expect(result).toEqual({
       type: 'internal',
@@ -59,6 +60,7 @@ describe('calculateRuleSource', () => {
     const result = await calculateRuleSource({
       prebuiltRuleAssetClient,
       rule,
+      isRuleCustomizationEnabled: true,
     });
     expect(result).toEqual(
       expect.objectContaining({
@@ -79,6 +81,7 @@ describe('calculateRuleSource', () => {
     const result = await calculateRuleSource({
       prebuiltRuleAssetClient,
       rule,
+      isRuleCustomizationEnabled: true,
     });
     expect(result).toEqual(
       expect.objectContaining({
@@ -101,6 +104,28 @@ describe('calculateRuleSource', () => {
     const result = await calculateRuleSource({
       prebuiltRuleAssetClient,
       rule,
+      isRuleCustomizationEnabled: true,
+    });
+    expect(result).toEqual(
+      expect.objectContaining({
+        type: 'external',
+        is_customized: false,
+      })
+    );
+  });
+
+  it('returns is_customized false when the rule is customized but customization is disabled', async () => {
+    const rule = getSampleRule();
+    rule.immutable = true;
+    rule.name = 'Updated name';
+
+    const baseRule = getSampleRuleAsset();
+    prebuiltRuleAssetClient.fetchAssetsByVersion.mockResolvedValueOnce([baseRule]);
+
+    const result = await calculateRuleSource({
+      prebuiltRuleAssetClient,
+      rule,
+      isRuleCustomizationEnabled: false,
     });
     expect(result).toEqual(
       expect.objectContaining({
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/rule_source/calculate_rule_source.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/rule_source/calculate_rule_source.ts
index 742cd20544a60..6c3d2419159a6 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/rule_source/calculate_rule_source.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/rule_source/calculate_rule_source.ts
@@ -16,11 +16,13 @@ import { calculateIsCustomized } from './calculate_is_customized';
 interface CalculateRuleSourceProps {
   prebuiltRuleAssetClient: IPrebuiltRuleAssetsClient;
   rule: RuleResponse;
+  isRuleCustomizationEnabled: boolean;
 }
 
 export async function calculateRuleSource({
   prebuiltRuleAssetClient,
   rule,
+  isRuleCustomizationEnabled,
 }: CalculateRuleSourceProps): Promise<RuleSource> {
   if (rule.immutable) {
     // This is a prebuilt rule and, despite the name, they are not immutable. So
@@ -33,7 +35,11 @@ export async function calculateRuleSource({
     ]);
     const baseRule: PrebuiltRuleAsset | undefined = prebuiltRulesResponse.at(0);
 
-    const isCustomized = calculateIsCustomized(baseRule, rule);
+    const isCustomized = calculateIsCustomized({
+      baseRule,
+      nextRule: rule,
+      isRuleCustomizationEnabled,
+    });
 
     return {
       type: 'external',
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/methods/import_rule.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/methods/import_rule.ts
index dd57e66c41a64..16fda89391ab9 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/methods/import_rule.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/methods/import_rule.ts
@@ -26,6 +26,7 @@ interface ImportRuleOptions {
   prebuiltRuleAssetClient: IPrebuiltRuleAssetsClient;
   importRulePayload: ImportRuleArgs;
   mlAuthz: MlAuthz;
+  isRuleCustomizationEnabled: boolean;
 }
 
 export const importRule = async ({
@@ -34,6 +35,7 @@ export const importRule = async ({
   importRulePayload,
   prebuiltRuleAssetClient,
   mlAuthz,
+  isRuleCustomizationEnabled,
 }: ImportRuleOptions): Promise<RuleResponse> => {
   const { ruleToImport, overwriteRules, overrideFields, allowMissingConnectorSecrets } =
     importRulePayload;
@@ -60,6 +62,7 @@ export const importRule = async ({
       prebuiltRuleAssetClient,
       existingRule,
       ruleUpdate: rule,
+      isRuleCustomizationEnabled,
     });
     // applyRuleUpdate prefers the existing rule's values for `rule_source` and `immutable`, but we want to use the importing rule's calculated values
     ruleWithUpdates = { ...ruleWithUpdates, ...overrideFields };
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/methods/patch_rule.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/methods/patch_rule.ts
index 113576e8d02e2..0b22ea39eaef4 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/methods/patch_rule.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/methods/patch_rule.ts
@@ -28,6 +28,7 @@ interface PatchRuleOptions {
   prebuiltRuleAssetClient: IPrebuiltRuleAssetsClient;
   rulePatch: RulePatchProps;
   mlAuthz: MlAuthz;
+  isRuleCustomizationEnabled: boolean;
 }
 
 export const patchRule = async ({
@@ -36,6 +37,7 @@ export const patchRule = async ({
   prebuiltRuleAssetClient,
   rulePatch,
   mlAuthz,
+  isRuleCustomizationEnabled,
 }: PatchRuleOptions): Promise<RuleResponse> => {
   const { rule_id: ruleId, id } = rulePatch;
 
@@ -58,6 +60,7 @@ export const patchRule = async ({
     prebuiltRuleAssetClient,
     existingRule,
     rulePatch,
+    isRuleCustomizationEnabled,
   });
 
   const patchedInternalRule = await rulesClient.update({
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/methods/update_rule.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/methods/update_rule.ts
index 8fd7f7a89dcb7..3d465d44fdc1d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/methods/update_rule.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/methods/update_rule.ts
@@ -27,6 +27,7 @@ interface UpdateRuleArguments {
   prebuiltRuleAssetClient: IPrebuiltRuleAssetsClient;
   ruleUpdate: RuleUpdateProps;
   mlAuthz: MlAuthz;
+  isRuleCustomizationEnabled: boolean;
 }
 
 export const updateRule = async ({
@@ -35,6 +36,7 @@ export const updateRule = async ({
   prebuiltRuleAssetClient,
   ruleUpdate,
   mlAuthz,
+  isRuleCustomizationEnabled,
 }: UpdateRuleArguments): Promise<RuleResponse> => {
   const { rule_id: ruleId, id } = ruleUpdate;
 
@@ -57,6 +59,7 @@ export const updateRule = async ({
     prebuiltRuleAssetClient,
     existingRule,
     ruleUpdate,
+    isRuleCustomizationEnabled,
   });
 
   const updatedRule = await rulesClient.update({
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/methods/upgrade_prebuilt_rule.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/methods/upgrade_prebuilt_rule.ts
index 64486bed14304..dff7c8a333ca7 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/methods/upgrade_prebuilt_rule.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/methods/upgrade_prebuilt_rule.ts
@@ -25,12 +25,14 @@ export const upgradePrebuiltRule = async ({
   ruleAsset,
   mlAuthz,
   prebuiltRuleAssetClient,
+  isRuleCustomizationEnabled,
 }: {
   actionsClient: ActionsClient;
   rulesClient: RulesClient;
   ruleAsset: PrebuiltRuleAsset;
   mlAuthz: MlAuthz;
   prebuiltRuleAssetClient: IPrebuiltRuleAssetsClient;
+  isRuleCustomizationEnabled: boolean;
 }): Promise<RuleResponse> => {
   await validateMlAuth(mlAuthz, ruleAsset.type);
 
@@ -73,6 +75,7 @@ export const upgradePrebuiltRule = async ({
     prebuiltRuleAssetClient,
     existingRule,
     ruleUpdate: ruleAsset,
+    isRuleCustomizationEnabled,
   });
 
   const updatedInternalRule = await rulesClient.update({
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/import/calculate_rule_source_for_import.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/import/calculate_rule_source_for_import.test.ts
index e3bfb75c6a88d..b1952ff6948c7 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/import/calculate_rule_source_for_import.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/import/calculate_rule_source_for_import.test.ts
@@ -15,6 +15,7 @@ describe('calculateRuleSourceForImport', () => {
       rule: getRulesSchemaMock(),
       prebuiltRuleAssetsByRuleId: {},
       isKnownPrebuiltRule: false,
+      isRuleCustomizationEnabled: true,
     });
 
     expect(result).toEqual({
@@ -33,6 +34,7 @@ describe('calculateRuleSourceForImport', () => {
       rule,
       prebuiltRuleAssetsByRuleId: {},
       isKnownPrebuiltRule: true,
+      isRuleCustomizationEnabled: true,
     });
 
     expect(result).toEqual({
@@ -53,6 +55,7 @@ describe('calculateRuleSourceForImport', () => {
       rule,
       prebuiltRuleAssetsByRuleId,
       isKnownPrebuiltRule: true,
+      isRuleCustomizationEnabled: true,
     });
 
     expect(result).toEqual({
@@ -73,6 +76,7 @@ describe('calculateRuleSourceForImport', () => {
       rule,
       prebuiltRuleAssetsByRuleId,
       isKnownPrebuiltRule: true,
+      isRuleCustomizationEnabled: true,
     });
 
     expect(result).toEqual({
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/import/calculate_rule_source_for_import.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/import/calculate_rule_source_for_import.ts
index 133566a7b776b..32a1f622b08d8 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/import/calculate_rule_source_for_import.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/import/calculate_rule_source_for_import.ts
@@ -28,10 +28,12 @@ export const calculateRuleSourceForImport = ({
   rule,
   prebuiltRuleAssetsByRuleId,
   isKnownPrebuiltRule,
+  isRuleCustomizationEnabled,
 }: {
   rule: ValidatedRuleToImport;
   prebuiltRuleAssetsByRuleId: Record<string, PrebuiltRuleAsset>;
   isKnownPrebuiltRule: boolean;
+  isRuleCustomizationEnabled: boolean;
 }): { ruleSource: RuleSource; immutable: boolean } => {
   const assetWithMatchingVersion = prebuiltRuleAssetsByRuleId[rule.rule_id];
   // We convert here so that RuleSource calculation can
@@ -43,6 +45,7 @@ export const calculateRuleSourceForImport = ({
     rule: ruleResponseForImport,
     assetWithMatchingVersion,
     isKnownPrebuiltRule,
+    isRuleCustomizationEnabled,
   });
 
   return {
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/import/calculate_rule_source_from_asset.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/import/calculate_rule_source_from_asset.test.ts
index 9a2f68479fdea..099c0f41f1720 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/import/calculate_rule_source_from_asset.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/import/calculate_rule_source_from_asset.test.ts
@@ -15,6 +15,7 @@ describe('calculateRuleSourceFromAsset', () => {
       rule: getRulesSchemaMock(),
       assetWithMatchingVersion: undefined,
       isKnownPrebuiltRule: false,
+      isRuleCustomizationEnabled: true,
     });
 
     expect(result).toEqual({
@@ -28,6 +29,7 @@ describe('calculateRuleSourceFromAsset', () => {
       rule: ruleToImport,
       assetWithMatchingVersion: undefined,
       isKnownPrebuiltRule: true,
+      isRuleCustomizationEnabled: true,
     });
 
     expect(result).toEqual({
@@ -47,6 +49,7 @@ describe('calculateRuleSourceFromAsset', () => {
           // no other overwrites -> no differences
         }),
         isKnownPrebuiltRule: true,
+        isRuleCustomizationEnabled: true,
       });
 
       expect(result).toEqual({
@@ -65,6 +68,7 @@ describe('calculateRuleSourceFromAsset', () => {
           name: 'Customized name', // mock a customization
         }),
         isKnownPrebuiltRule: true,
+        isRuleCustomizationEnabled: true,
       });
 
       expect(result).toEqual({
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/import/calculate_rule_source_from_asset.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/import/calculate_rule_source_from_asset.ts
index 4f0caf9b10056..33063bedb11b2 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/import/calculate_rule_source_from_asset.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/import/calculate_rule_source_from_asset.ts
@@ -24,10 +24,12 @@ export const calculateRuleSourceFromAsset = ({
   rule,
   assetWithMatchingVersion,
   isKnownPrebuiltRule,
+  isRuleCustomizationEnabled,
 }: {
   rule: RuleResponse;
   assetWithMatchingVersion: PrebuiltRuleAsset | undefined;
   isKnownPrebuiltRule: boolean;
+  isRuleCustomizationEnabled: boolean;
 }): RuleSource => {
   if (!isKnownPrebuiltRule) {
     return {
@@ -38,11 +40,15 @@ export const calculateRuleSourceFromAsset = ({
   if (assetWithMatchingVersion == null) {
     return {
       type: 'external',
-      is_customized: true,
+      is_customized: isRuleCustomizationEnabled ? true : false,
     };
   }
 
-  const isCustomized = calculateIsCustomized(assetWithMatchingVersion, rule);
+  const isCustomized = calculateIsCustomized({
+    baseRule: assetWithMatchingVersion,
+    nextRule: rule,
+    isRuleCustomizationEnabled,
+  });
 
   return {
     type: 'external',
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/import/rule_source_importer/rule_source_importer.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/import/rule_source_importer/rule_source_importer.test.ts
index 39c937f4645a7..426109bbeb3bb 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/import/rule_source_importer/rule_source_importer.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/import/rule_source_importer/rule_source_importer.test.ts
@@ -138,6 +138,7 @@ describe('ruleSourceImporter', () => {
         rule,
         prebuiltRuleAssetsByRuleId: { 'rule-1': expect.objectContaining({ rule_id: 'rule-1' }) },
         isKnownPrebuiltRule: true,
+        isRuleCustomizationEnabled: true,
       });
     });
 
@@ -166,6 +167,7 @@ describe('ruleSourceImporter', () => {
           rule,
           prebuiltRuleAssetsByRuleId: { 'rule-1': expect.objectContaining({ rule_id: 'rule-1' }) },
           isKnownPrebuiltRule: true,
+          isRuleCustomizationEnabled: true,
         });
       });
     });
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/import/rule_source_importer/rule_source_importer.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/import/rule_source_importer/rule_source_importer.ts
index 1f5c2c5aa543b..0c553e6bb7c56 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/import/rule_source_importer/rule_source_importer.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/import/rule_source_importer/rule_source_importer.ts
@@ -143,6 +143,8 @@ export class RuleSourceImporter implements IRuleSourceImporter {
       rule,
       prebuiltRuleAssetsByRuleId: this.matchingAssetsByRuleId,
       isKnownPrebuiltRule: this.availableRuleAssetIds.has(rule.rule_id),
+      isRuleCustomizationEnabled:
+        this.config.experimentalFeatures.prebuiltRulesCustomizationEnabled,
     });
   }
 
diff --git a/x-pack/plugins/security_solution/server/request_context_factory.ts b/x-pack/plugins/security_solution/server/request_context_factory.ts
index ccf8420155677..60050920302ef 100644
--- a/x-pack/plugins/security_solution/server/request_context_factory.ts
+++ b/x-pack/plugins/security_solution/server/request_context_factory.ts
@@ -152,6 +152,7 @@ export class RequestContextFactory implements IRequestContextFactory {
           actionsClient,
           savedObjectsClient: coreContext.savedObjects.client,
           mlAuthz,
+          isRuleCustomizationEnabled: config.experimentalFeatures.prebuiltRulesCustomizationEnabled,
         });
       }),
 
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/configs/ess.config.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/configs/ess.config.ts
new file mode 100644
index 0000000000000..2e1b278c9247f
--- /dev/null
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/configs/ess.config.ts
@@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrConfigProviderContext } from '@kbn/test';
+
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+  const functionalConfig = await readConfigFile(
+    require.resolve('../../../../../../../config/ess/config.base.trial')
+  );
+
+  const testConfig = {
+    ...functionalConfig.getAll(),
+    testFiles: [require.resolve('..')],
+    junit: {
+      reportName:
+        'Rules Management - Prebuilt Rule Customization Disabled Integration Tests - ESS Env',
+    },
+  };
+
+  return testConfig;
+}
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/configs/serverless.config.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/configs/serverless.config.ts
new file mode 100644
index 0000000000000..462a971d8dda7
--- /dev/null
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/configs/serverless.config.ts
@@ -0,0 +1,17 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { createTestConfig } from '../../../../../../../config/serverless/config.base';
+
+export default createTestConfig({
+  testFiles: [require.resolve('..')],
+  junit: {
+    reportName:
+      'Rules Management - Prebuilt Rule Customization Disabled Integration Tests - Serverless Env',
+  },
+  kbnTestServerArgs: [],
+});
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/index.ts
new file mode 100644
index 0000000000000..0d78605426dbf
--- /dev/null
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/index.ts
@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrProviderContext } from '../../../../../../ftr_provider_context';
+
+export default ({ loadTestFile }: FtrProviderContext): void => {
+  describe('Rules Management - Prebuilt Rules - Prebuilt Rule Customization Disabled', function () {
+    loadTestFile(require.resolve('./is_customized_calculation'));
+  });
+};
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/is_customized_calculation.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/is_customized_calculation.ts
new file mode 100644
index 0000000000000..e4ae135b481ed
--- /dev/null
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/is_customized_calculation.ts
@@ -0,0 +1,218 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from 'expect';
+import {
+  BulkActionEditTypeEnum,
+  BulkActionTypeEnum,
+} from '@kbn/security-solution-plugin/common/api/detection_engine';
+import { deleteAllRules } from '../../../../../../../common/utils/security_solution';
+import { FtrProviderContext } from '../../../../../../ftr_provider_context';
+import {
+  deleteAllPrebuiltRuleAssets,
+  createRuleAssetSavedObject,
+  createPrebuiltRuleAssetSavedObjects,
+  installPrebuiltRules,
+} from '../../../../utils';
+
+export default ({ getService }: FtrProviderContext) => {
+  const supertest = getService('supertest');
+  const securitySolutionApi = getService('securitySolutionApi');
+  const log = getService('log');
+  const es = getService('es');
+
+  const ruleAsset = createRuleAssetSavedObject({
+    rule_id: 'test-rule-id',
+  });
+
+  describe('@ess @serverless @skipInServerlessMKI is_customized calculation with disabled customization', () => {
+    beforeEach(async () => {
+      await deleteAllRules(supertest, log);
+      await deleteAllPrebuiltRuleAssets(es, log);
+    });
+
+    it('should set is_customized to "false" on prebuilt rule PATCH', async () => {
+      await createPrebuiltRuleAssetSavedObjects(es, [ruleAsset]);
+      await installPrebuiltRules(es, supertest);
+
+      const { body: findResult } = await securitySolutionApi
+        .findRules({
+          query: {
+            per_page: 1,
+            filter: `alert.attributes.params.immutable: true`,
+          },
+        })
+        .expect(200);
+      const prebuiltRule = findResult.data[0];
+
+      // Check that the rule has been created and is not customized
+      expect(prebuiltRule).not.toBeNull();
+      expect(prebuiltRule.rule_source.is_customized).toEqual(false);
+
+      const { body } = await securitySolutionApi
+        .patchRule({
+          body: {
+            rule_id: 'test-rule-id',
+            name: 'some other rule name',
+          },
+        })
+        .expect(200);
+
+      // Check that the rule name has been updated and the rule is still not customized
+      expect(body).toEqual(
+        expect.objectContaining({
+          name: 'some other rule name',
+        })
+      );
+      expect(body.rule_source.is_customized).toEqual(false);
+    });
+
+    it('should set is_customized to "false" on prebuilt rule UPDATE', async () => {
+      await createPrebuiltRuleAssetSavedObjects(es, [ruleAsset]);
+      await installPrebuiltRules(es, supertest);
+
+      const { body: findResult } = await securitySolutionApi
+        .findRules({
+          query: {
+            per_page: 1,
+            filter: `alert.attributes.params.immutable: true`,
+          },
+        })
+        .expect(200);
+      const prebuiltRule = findResult.data[0];
+
+      // Check that the rule has been created and is not customized
+      expect(prebuiltRule).not.toBeNull();
+      expect(prebuiltRule.rule_source.is_customized).toEqual(false);
+
+      const { body } = await securitySolutionApi
+        .updateRule({
+          body: {
+            ...prebuiltRule,
+            id: undefined, // id together with rule_id is not allowed
+            name: 'some other rule name',
+          },
+        })
+        .expect(200);
+
+      // Check that the rule name has been updated and the rule is still not customized
+      expect(body).toEqual(
+        expect.objectContaining({
+          name: 'some other rule name',
+        })
+      );
+      expect(body.rule_source.is_customized).toEqual(false);
+    });
+
+    it('should not allow prebuilt rule customization on import', async () => {
+      await createPrebuiltRuleAssetSavedObjects(es, [ruleAsset]);
+      await installPrebuiltRules(es, supertest);
+
+      const { body: findResult } = await securitySolutionApi
+        .findRules({
+          query: {
+            per_page: 1,
+            filter: `alert.attributes.params.immutable: true`,
+          },
+        })
+        .expect(200);
+      const prebuiltRule = findResult.data[0];
+
+      // Check that the rule has been created and is not customized
+      expect(prebuiltRule).not.toBeNull();
+      expect(prebuiltRule.rule_source.is_customized).toEqual(false);
+
+      const ruleBuffer = Buffer.from(
+        JSON.stringify({
+          ...prebuiltRule,
+          name: 'some other rule name',
+        })
+      );
+
+      const { body } = await securitySolutionApi
+        .importRules({ query: {} })
+        .attach('file', ruleBuffer, 'rules.ndjson')
+        .expect('Content-Type', 'application/json; charset=utf-8')
+        .expect(200);
+
+      expect(body).toMatchObject({
+        rules_count: 1,
+        success: false,
+        success_count: 0,
+        errors: [
+          {
+            error: {
+              message: expect.stringContaining('Importing prebuilt rules is not supported'),
+            },
+            rule_id: 'test-rule-id',
+          },
+        ],
+      });
+
+      // Check that the rule has not been customized
+      const { body: importedRule } = await securitySolutionApi.readRule({
+        query: { rule_id: prebuiltRule.rule_id },
+      });
+      expect(importedRule.rule_source.is_customized).toEqual(false);
+    });
+
+    it('should not allow rule customization on bulk edit', async () => {
+      await createPrebuiltRuleAssetSavedObjects(es, [ruleAsset]);
+      await installPrebuiltRules(es, supertest);
+
+      const { body: findResult } = await securitySolutionApi
+        .findRules({
+          query: {
+            per_page: 1,
+            filter: `alert.attributes.params.immutable: true`,
+          },
+        })
+        .expect(200);
+      const prebuiltRule = findResult.data[0];
+
+      // Check that the rule has been created and is not customized
+      expect(prebuiltRule).not.toBeNull();
+      expect(prebuiltRule.rule_source.is_customized).toEqual(false);
+
+      const { body: bulkResult } = await securitySolutionApi
+        .performRulesBulkAction({
+          query: {},
+          body: {
+            ids: [prebuiltRule.id],
+            action: BulkActionTypeEnum.edit,
+            [BulkActionTypeEnum.edit]: [
+              {
+                type: BulkActionEditTypeEnum.add_tags,
+                value: ['test'],
+              },
+            ],
+          },
+        })
+        .expect(500);
+
+      expect(bulkResult).toMatchObject(
+        expect.objectContaining({
+          attributes: expect.objectContaining({
+            summary: {
+              failed: 1,
+              skipped: 0,
+              succeeded: 0,
+              total: 1,
+            },
+            errors: [expect.objectContaining({ message: "Elastic rule can't be edited" })],
+          }),
+        })
+      );
+
+      // Check that the rule has not been customized
+      const { body: ruleAfterUpdate } = await securitySolutionApi.readRule({
+        query: { rule_id: prebuiltRule.rule_id },
+      });
+      expect(ruleAfterUpdate.rule_source.is_customized).toEqual(false);
+    });
+  });
+};
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/trial_license_complete_tier/configs/ess.config.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_enabled/configs/ess.config.ts
similarity index 91%
rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/trial_license_complete_tier/configs/ess.config.ts
rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_enabled/configs/ess.config.ts
index eee14323c9b98..ff46ebb70d7c8 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/trial_license_complete_tier/configs/ess.config.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_enabled/configs/ess.config.ts
@@ -17,7 +17,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     testFiles: [require.resolve('..')],
     junit: {
       reportName:
-        'Rules Management - Prebuilt Rule Customization Integration Tests - ESS Env - Trial License',
+        'Rules Management - Prebuilt Rule Customization Enabled Integration Tests - ESS Env',
     },
   };
   testConfig.kbnTestServer.serverArgs = testConfig.kbnTestServer.serverArgs.map((arg: string) => {
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/trial_license_complete_tier/configs/serverless.config.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_enabled/configs/serverless.config.ts
similarity index 84%
rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/trial_license_complete_tier/configs/serverless.config.ts
rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_enabled/configs/serverless.config.ts
index 79a23c85d2279..8c1d777665667 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/trial_license_complete_tier/configs/serverless.config.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_enabled/configs/serverless.config.ts
@@ -11,7 +11,7 @@ export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
     reportName:
-      'Rules Management - Prebuilt Rule Customization Integration Tests - Serverless Env - Complete Tier',
+      'Rules Management - Prebuilt Rule Customization Enabled Integration Tests - Serverless Env',
   },
   kbnTestServerArgs: [
     `--xpack.securitySolution.enableExperimental=${JSON.stringify([
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/trial_license_complete_tier/import_rules.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_enabled/import_rules.ts
similarity index 100%
rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/trial_license_complete_tier/import_rules.ts
rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_enabled/import_rules.ts
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/trial_license_complete_tier/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_enabled/index.ts
similarity index 94%
rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/trial_license_complete_tier/index.ts
rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_enabled/index.ts
index 58904243e51ca..d89f8ed5d49d3 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/trial_license_complete_tier/index.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_enabled/index.ts
@@ -8,7 +8,7 @@
 import { FtrProviderContext } from '../../../../../../ftr_provider_context';
 
 export default ({ loadTestFile }: FtrProviderContext): void => {
-  describe('Rules Management - Prebuilt Rules - Prebuilt Rule Customization', function () {
+  describe('Rules Management - Prebuilt Rules - Prebuilt Rule Customization Enabled', function () {
     loadTestFile(require.resolve('./is_customized_calculation'));
     loadTestFile(require.resolve('./import_rules'));
     loadTestFile(require.resolve('./rules_export'));
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/trial_license_complete_tier/is_customized_calculation.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_enabled/is_customized_calculation.ts
similarity index 100%
rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/trial_license_complete_tier/is_customized_calculation.ts
rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_enabled/is_customized_calculation.ts
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/trial_license_complete_tier/rules_export.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_enabled/rules_export.ts
similarity index 100%
rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/trial_license_complete_tier/rules_export.ts
rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_enabled/rules_export.ts
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_patch/basic_license_essentials_tier/patch_rules.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_patch/basic_license_essentials_tier/patch_rules.ts
index 378a1f7bb0187..9ed45b81cc1e4 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_patch/basic_license_essentials_tier/patch_rules.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_patch/basic_license_essentials_tier/patch_rules.ts
@@ -7,25 +7,21 @@
 
 import expect from 'expect';
 
+import { createRule, deleteAllRules } from '../../../../../../common/utils/security_solution';
 import { FtrProviderContext } from '../../../../../ftr_provider_context';
 import {
+  createHistoricalPrebuiltRuleAssetSavedObjects,
+  createRuleAssetSavedObject,
+  deleteAllPrebuiltRuleAssets,
+  getCustomQueryRuleParams,
   getSimpleRule,
   getSimpleRuleOutput,
-  getCustomQueryRuleParams,
+  getSimpleRuleOutputWithoutRuleId,
+  installPrebuiltRules,
   removeServerGeneratedProperties,
   removeServerGeneratedPropertiesIncludingRuleId,
-  getSimpleRuleOutputWithoutRuleId,
   updateUsername,
-  createHistoricalPrebuiltRuleAssetSavedObjects,
-  installPrebuiltRules,
-  createRuleAssetSavedObject,
 } from '../../../utils';
-import {
-  createAlertsIndex,
-  deleteAllRules,
-  createRule,
-  deleteAllAlerts,
-} from '../../../../../../common/utils/security_solution';
 
 export default ({ getService }: FtrProviderContext) => {
   const supertest = getService('supertest');
@@ -37,12 +33,8 @@ export default ({ getService }: FtrProviderContext) => {
   describe('@ess @serverless @serverlessQA patch_rules', () => {
     describe('patch rules', () => {
       beforeEach(async () => {
-        await createAlertsIndex(supertest, log);
-      });
-
-      afterEach(async () => {
-        await deleteAllAlerts(supertest, log, es);
         await deleteAllRules(supertest, log);
+        await deleteAllPrebuiltRuleAssets(es, log);
       });
 
       it('should patch a single rule property of name using a rule_id', async () => {
@@ -261,10 +253,6 @@ export default ({ getService }: FtrProviderContext) => {
       });
 
       describe('max signals', () => {
-        afterEach(async () => {
-          await deleteAllRules(supertest, log);
-        });
-
         it('does NOT patch a rule when max_signals is less than 1', async () => {
           await securitySolutionApi.createRule({
             body: getCustomQueryRuleParams({ rule_id: 'rule-1', max_signals: 100 }),

From 020ee11f5d07d7513df7be504f548d3f25817f07 Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Wed, 4 Dec 2024 01:24:31 +1100
Subject: [PATCH 16/23] [8.x] Expose values of certain task manager
 configuration settings in the telemetry (#202511) (#202686)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

# Backport

This will backport the following commits from `main` to `8.x`:
- [Expose values of certain task manager configuration settings in the
telemetry (#202511)](https://github.com/elastic/kibana/pull/202511)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Mike
Côté","email":"mikecote@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-12-03T11:22:23Z","message":"Expose
values of certain task manager configuration settings in the telemetry
(#202511)\n\nIn this PR, I'm adding some settings to the `exposeToUsage`
variable\r\nwhich allows the values of these settings to be reported via
telemetry.\r\nThis way we can see what values, ratios, etc a certain
setting has.\r\n\r\nSettings to report values instead of
`[redacted]`:\r\n- `xpack.task_manager.claim_strategy`\r\n-
`xpack.task_manager.discovery.active_nodes_lookback`\r\n-
`xpack.task_manager.unsafe.exclude_task_types`","sha":"bca48508144714b678772541a22a6e5f9210f4a5","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Feature:Task
Manager","Team:ResponseOps","v9.0.0","backport:version","v8.17.0","v8.18.0","v8.16.2"],"title":"Expose
values of certain task manager configuration settings in the
telemetry","number":202511,"url":"https://github.com/elastic/kibana/pull/202511","mergeCommit":{"message":"Expose
values of certain task manager configuration settings in the telemetry
(#202511)\n\nIn this PR, I'm adding some settings to the `exposeToUsage`
variable\r\nwhich allows the values of these settings to be reported via
telemetry.\r\nThis way we can see what values, ratios, etc a certain
setting has.\r\n\r\nSettings to report values instead of
`[redacted]`:\r\n- `xpack.task_manager.claim_strategy`\r\n-
`xpack.task_manager.discovery.active_nodes_lookback`\r\n-
`xpack.task_manager.unsafe.exclude_task_types`","sha":"bca48508144714b678772541a22a6e5f9210f4a5"}},"sourceBranch":"main","suggestedTargetBranches":["8.17","8.x","8.16"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/202511","number":202511,"mergeCommit":{"message":"Expose
values of certain task manager configuration settings in the telemetry
(#202511)\n\nIn this PR, I'm adding some settings to the `exposeToUsage`
variable\r\nwhich allows the values of these settings to be reported via
telemetry.\r\nThis way we can see what values, ratios, etc a certain
setting has.\r\n\r\nSettings to report values instead of
`[redacted]`:\r\n- `xpack.task_manager.claim_strategy`\r\n-
`xpack.task_manager.discovery.active_nodes_lookback`\r\n-
`xpack.task_manager.unsafe.exclude_task_types`","sha":"bca48508144714b678772541a22a6e5f9210f4a5"}},{"branch":"8.17","label":"v8.17.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.16","label":"v8.16.2","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Mike Côté <mikecote@users.noreply.github.com>
---
 x-pack/plugins/task_manager/server/index.ts | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/x-pack/plugins/task_manager/server/index.ts b/x-pack/plugins/task_manager/server/index.ts
index 79ec16b52987f..f2ad559f02b9c 100644
--- a/x-pack/plugins/task_manager/server/index.ts
+++ b/x-pack/plugins/task_manager/server/index.ts
@@ -104,4 +104,13 @@ export const config: PluginConfigDescriptor<TaskManagerConfig> = {
       },
     ];
   },
+  exposeToUsage: {
+    claim_strategy: true,
+    discovery: {
+      active_nodes_lookback: true,
+    },
+    unsafe: {
+      exclude_task_types: true,
+    },
+  },
 };

From 167719cf65b5790d5330b792fc5ad3d8b2d9f201 Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Wed, 4 Dec 2024 01:32:04 +1100
Subject: [PATCH 17/23] [8.x] [Security Solution][Serverless] Github tickets /
 notifications (#197265) (#199314)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution][Serverless] Github tickets / notifications
(#197265)](https://github.com/elastic/kibana/pull/197265)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT
[{"author":{"name":"dkirchan","email":"55240027+dkirchan@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-11-07T13:17:54Z","message":"[Security
Solution][Serverless] Github tickets / notifications (#197265)\n\n##
Summary\r\n\r\nThis PR is accompanied with the [PR in
kibana-operations\r\nrepo](https://github.com/elastic/kibana-operations/pull/236)
and\r\nintegrates the security solution quality gate pipelines with
the\r\nfunctionality to create ticket when a test fails and then notify
the\r\nrespective **codeowner** team with a _Test failed alert_. Also
when a\r\ntest fails a second time and a ticket exist a new comment is
added in\r\nthe same issue that the test failed again in a given
pipeline.\r\n\r\nLast a similar flow exist when a test is skipped by a
team. \r\n\r\n**Specifications:**\r\n\r\n- In the
`failed_test_reporter_cli.ts` [a new field is
introduced\r\n](https://github.com/elastic/kibana/compare/main...security-mki-github-tickets#diff-bb801c18fd2e1a3a36a3b39fbf02c1abe337c46c201ad5a01239a9d2501d4b56R47)`prependTitle`\r\nwhich
is initialized by the environmental
variable\r\n`process.env.PREPEND_FAILURE_TITLE` if exists, in order to
add a custom\r\ntext of preference before the issue title.\r\n\r\nThe
scope of this is to be able to give the team the opportunity to
add\r\nsome tags or any convention agreed within the team in the issue
created\r\nin order to easily understand the context without opening the
ticket. If\r\nthis field is not initialized, the normal existing flow
proceeds.\r\n[Here](https://github.com/elastic/kibana/issues/197133) an
example of\r\nthe prependTitle usage can be seen where the tags
`[MKI][QA]` are\r\nprepended in order to identify where did the test
fail, having the same\r\nexactly tests running on both CI and MKI. This
means that a github issue\r\nwith the exact same title would be created
for both cases if this\r\nprepend title field would not exist.\r\n\r\n-
In
the\r\n[junit_transformer/lib.ts](https://github.com/elastic/kibana/compare/main...security-mki-github-tickets#diff-31c5651af613c7d02139f3e9fccd00ddb997f2502523372dd19db9e0659a66d6R278)\r\na
new functionality is introduced to cover an existing issue.
The\r\nexisting issue is: the fact that we are retrying the failed test
in\r\ncypress in the `parallel_serverless` script, leads to two junit
xml\r\nresult files completely identical with only difference the
execution\r\ntime and the timestamps. This change will take one by one
the xml\r\noutputs, transform them exactly as it was happening before
and then save\r\nthe file, but also remove the time and timestamp
fields, convert it to a\r\nstring and add it to a \"state\" list. Then
in a next file if it is\r\nalready parsed and saved to the list having
the exact same results\r\nwithin, it deletes the file instead of saving
it transformed.\r\n\r\nThe problem before this fix was the fact that
when two xml outputs\r\nexisted, a github ticket was created and when
parsing-uploading the\r\nsecond file it was immediately failing for a
second time as well. This\r\nmeans that `new-failure` notification was
never triggered after the\r\ngithub actions flow split, and the existing
failure was always\r\ntriggered, something that most teams have
disabled.\r\n\r\nWith the fix, the identical files are parsed but only
once uploaded and\r\nthe new failure flow works
again.","sha":"9353497d0adea457c13643bc8fa1a26a05422e8f","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:
SecuritySolution","backport:prev-minor","v8.16.0","v8.17.0"],"title":"[Security
Solution][Serverless] Github tickets /
notifications","number":197265,"url":"https://github.com/elastic/kibana/pull/197265","mergeCommit":{"message":"[Security
Solution][Serverless] Github tickets / notifications (#197265)\n\n##
Summary\r\n\r\nThis PR is accompanied with the [PR in
kibana-operations\r\nrepo](https://github.com/elastic/kibana-operations/pull/236)
and\r\nintegrates the security solution quality gate pipelines with
the\r\nfunctionality to create ticket when a test fails and then notify
the\r\nrespective **codeowner** team with a _Test failed alert_. Also
when a\r\ntest fails a second time and a ticket exist a new comment is
added in\r\nthe same issue that the test failed again in a given
pipeline.\r\n\r\nLast a similar flow exist when a test is skipped by a
team. \r\n\r\n**Specifications:**\r\n\r\n- In the
`failed_test_reporter_cli.ts` [a new field is
introduced\r\n](https://github.com/elastic/kibana/compare/main...security-mki-github-tickets#diff-bb801c18fd2e1a3a36a3b39fbf02c1abe337c46c201ad5a01239a9d2501d4b56R47)`prependTitle`\r\nwhich
is initialized by the environmental
variable\r\n`process.env.PREPEND_FAILURE_TITLE` if exists, in order to
add a custom\r\ntext of preference before the issue title.\r\n\r\nThe
scope of this is to be able to give the team the opportunity to
add\r\nsome tags or any convention agreed within the team in the issue
created\r\nin order to easily understand the context without opening the
ticket. If\r\nthis field is not initialized, the normal existing flow
proceeds.\r\n[Here](https://github.com/elastic/kibana/issues/197133) an
example of\r\nthe prependTitle usage can be seen where the tags
`[MKI][QA]` are\r\nprepended in order to identify where did the test
fail, having the same\r\nexactly tests running on both CI and MKI. This
means that a github issue\r\nwith the exact same title would be created
for both cases if this\r\nprepend title field would not exist.\r\n\r\n-
In
the\r\n[junit_transformer/lib.ts](https://github.com/elastic/kibana/compare/main...security-mki-github-tickets#diff-31c5651af613c7d02139f3e9fccd00ddb997f2502523372dd19db9e0659a66d6R278)\r\na
new functionality is introduced to cover an existing issue.
The\r\nexisting issue is: the fact that we are retrying the failed test
in\r\ncypress in the `parallel_serverless` script, leads to two junit
xml\r\nresult files completely identical with only difference the
execution\r\ntime and the timestamps. This change will take one by one
the xml\r\noutputs, transform them exactly as it was happening before
and then save\r\nthe file, but also remove the time and timestamp
fields, convert it to a\r\nstring and add it to a \"state\" list. Then
in a next file if it is\r\nalready parsed and saved to the list having
the exact same results\r\nwithin, it deletes the file instead of saving
it transformed.\r\n\r\nThe problem before this fix was the fact that
when two xml outputs\r\nexisted, a github ticket was created and when
parsing-uploading the\r\nsecond file it was immediately failing for a
second time as well. This\r\nmeans that `new-failure` notification was
never triggered after the\r\ngithub actions flow split, and the existing
failure was always\r\ntriggered, something that most teams have
disabled.\r\n\r\nWith the fix, the identical files are parsed but only
once uploaded and\r\nthe new failure flow works
again.","sha":"9353497d0adea457c13643bc8fa1a26a05422e8f"}},"sourceBranch":"main","suggestedTargetBranches":["8.16","8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/197265","number":197265,"mergeCommit":{"message":"[Security
Solution][Serverless] Github tickets / notifications (#197265)\n\n##
Summary\r\n\r\nThis PR is accompanied with the [PR in
kibana-operations\r\nrepo](https://github.com/elastic/kibana-operations/pull/236)
and\r\nintegrates the security solution quality gate pipelines with
the\r\nfunctionality to create ticket when a test fails and then notify
the\r\nrespective **codeowner** team with a _Test failed alert_. Also
when a\r\ntest fails a second time and a ticket exist a new comment is
added in\r\nthe same issue that the test failed again in a given
pipeline.\r\n\r\nLast a similar flow exist when a test is skipped by a
team. \r\n\r\n**Specifications:**\r\n\r\n- In the
`failed_test_reporter_cli.ts` [a new field is
introduced\r\n](https://github.com/elastic/kibana/compare/main...security-mki-github-tickets#diff-bb801c18fd2e1a3a36a3b39fbf02c1abe337c46c201ad5a01239a9d2501d4b56R47)`prependTitle`\r\nwhich
is initialized by the environmental
variable\r\n`process.env.PREPEND_FAILURE_TITLE` if exists, in order to
add a custom\r\ntext of preference before the issue title.\r\n\r\nThe
scope of this is to be able to give the team the opportunity to
add\r\nsome tags or any convention agreed within the team in the issue
created\r\nin order to easily understand the context without opening the
ticket. If\r\nthis field is not initialized, the normal existing flow
proceeds.\r\n[Here](https://github.com/elastic/kibana/issues/197133) an
example of\r\nthe prependTitle usage can be seen where the tags
`[MKI][QA]` are\r\nprepended in order to identify where did the test
fail, having the same\r\nexactly tests running on both CI and MKI. This
means that a github issue\r\nwith the exact same title would be created
for both cases if this\r\nprepend title field would not exist.\r\n\r\n-
In
the\r\n[junit_transformer/lib.ts](https://github.com/elastic/kibana/compare/main...security-mki-github-tickets#diff-31c5651af613c7d02139f3e9fccd00ddb997f2502523372dd19db9e0659a66d6R278)\r\na
new functionality is introduced to cover an existing issue.
The\r\nexisting issue is: the fact that we are retrying the failed test
in\r\ncypress in the `parallel_serverless` script, leads to two junit
xml\r\nresult files completely identical with only difference the
execution\r\ntime and the timestamps. This change will take one by one
the xml\r\noutputs, transform them exactly as it was happening before
and then save\r\nthe file, but also remove the time and timestamp
fields, convert it to a\r\nstring and add it to a \"state\" list. Then
in a next file if it is\r\nalready parsed and saved to the list having
the exact same results\r\nwithin, it deletes the file instead of saving
it transformed.\r\n\r\nThe problem before this fix was the fact that
when two xml outputs\r\nexisted, a github ticket was created and when
parsing-uploading the\r\nsecond file it was immediately failing for a
second time as well. This\r\nmeans that `new-failure` notification was
never triggered after the\r\ngithub actions flow split, and the existing
failure was always\r\ntriggered, something that most teams have
disabled.\r\n\r\nWith the fix, the identical files are parsed but only
once uploaded and\r\nthe new failure flow works
again.","sha":"9353497d0adea457c13643bc8fa1a26a05422e8f"}},{"branch":"8.16","label":"v8.16.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.x","label":"v8.17.0","branchLabelMappingKey":"^v8.17.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: dkirchan <55240027+dkirchan@users.noreply.github.com>
Co-authored-by: Alex Szabo <alex.szabo@elastic.co>
---
 .../failed_tests_reporter_cli.ts              | 11 ++++-
 .../report_failure.test.ts                    | 47 +++++++++++++++++++
 .../failed_tests_reporter/report_failure.ts   | 10 +++-
 .../scripts/junit_transformer/lib.ts          | 38 +++++++++++++++
 4 files changed, 103 insertions(+), 3 deletions(-)

diff --git a/packages/kbn-failed-test-reporter-cli/failed_tests_reporter/failed_tests_reporter_cli.ts b/packages/kbn-failed-test-reporter-cli/failed_tests_reporter/failed_tests_reporter_cli.ts
index d86f7f5213125..36466c3e3637e 100644
--- a/packages/kbn-failed-test-reporter-cli/failed_tests_reporter/failed_tests_reporter_cli.ts
+++ b/packages/kbn-failed-test-reporter-cli/failed_tests_reporter/failed_tests_reporter_cli.ts
@@ -44,6 +44,7 @@ run(
 
     let branch: string = '';
     let pipeline: string = '';
+    let prependTitle: string = '';
     if (updateGithub) {
       let isPr = false;
 
@@ -52,6 +53,7 @@ run(
         pipeline = process.env.BUILDKITE_PIPELINE_SLUG || '';
         isPr = process.env.BUILDKITE_PULL_REQUEST === 'true';
         updateGithub = process.env.REPORT_FAILED_TESTS_TO_GITHUB === 'true';
+        prependTitle = process.env.PREPEND_FAILURE_TITLE || '';
       } else {
         // JOB_NAME is formatted as `elastic+kibana+7.x` in some places and `elastic+kibana+7.x/JOB=kibana-intake,node=immutable` in others
         const jobNameSplit = (process.env.JOB_NAME || '').split(/\+|\//);
@@ -154,7 +156,14 @@ run(
             continue;
           }
 
-          const newIssue = await createFailureIssue(buildUrl, failure, githubApi, branch, pipeline);
+          const newIssue = await createFailureIssue(
+            buildUrl,
+            failure,
+            githubApi,
+            branch,
+            pipeline,
+            prependTitle
+          );
           existingIssues.addNewlyCreated(failure, newIssue);
           pushMessage('Test has not failed recently on tracked branches');
           if (updateGithub) {
diff --git a/packages/kbn-failed-test-reporter-cli/failed_tests_reporter/report_failure.test.ts b/packages/kbn-failed-test-reporter-cli/failed_tests_reporter/report_failure.test.ts
index dce47461377c4..c7dbd2db77319 100644
--- a/packages/kbn-failed-test-reporter-cli/failed_tests_reporter/report_failure.test.ts
+++ b/packages/kbn-failed-test-reporter-cli/failed_tests_reporter/report_failure.test.ts
@@ -60,6 +60,53 @@ describe('createFailureIssue()', () => {
       }
     `);
   });
+
+  it('creates new github issue with title prepended', async () => {
+    const api = new GithubApi();
+
+    await createFailureIssue(
+      'https://build-url',
+      {
+        classname: 'some.classname',
+        failure: 'this is the failure text',
+        name: 'test name',
+        time: '2018-01-01T01:00:00Z',
+        likelyIrrelevant: false,
+      },
+      api,
+      'main',
+      'kibana-on-merge',
+      '[MKI][QA]'
+    );
+
+    expect(api.createIssue).toMatchInlineSnapshot(`
+      [MockFunction] {
+        "calls": Array [
+          Array [
+            "Failing test: [MKI][QA] some.classname - test name",
+            "A test failed on a tracked branch
+
+      \`\`\`
+      this is the failure text
+      \`\`\`
+
+      First failure: [kibana-on-merge - main](https://build-url)
+
+      <!-- kibanaCiData = {\\"failed-test\\":{\\"test.class\\":\\"some.classname\\",\\"test.name\\":\\"test name\\",\\"test.failCount\\":1}} -->",
+            Array [
+              "failed-test",
+            ],
+          ],
+        ],
+        "results": Array [
+          Object {
+            "type": "return",
+            "value": undefined,
+          },
+        ],
+      }
+    `);
+  });
 });
 
 describe('updateFailureIssue()', () => {
diff --git a/packages/kbn-failed-test-reporter-cli/failed_tests_reporter/report_failure.ts b/packages/kbn-failed-test-reporter-cli/failed_tests_reporter/report_failure.ts
index 182bde666c250..d941f94b6b24d 100644
--- a/packages/kbn-failed-test-reporter-cli/failed_tests_reporter/report_failure.ts
+++ b/packages/kbn-failed-test-reporter-cli/failed_tests_reporter/report_failure.ts
@@ -17,9 +17,15 @@ export async function createFailureIssue(
   failure: TestFailure,
   api: GithubApi,
   branch: string,
-  pipeline: string
+  pipeline: string,
+  prependTitle: string = ''
 ) {
-  const title = `Failing test: ${failure.classname} - ${failure.name}`;
+  // PrependTitle is introduced to provide some clarity by prepending the failing test title
+  // in order to give the whole info in the title according to each team's preference.
+  const title =
+    prependTitle && prependTitle.trim() !== ''
+      ? `Failing test: ${prependTitle} ${failure.classname} - ${failure.name}`
+      : `Failing test: ${failure.classname} - ${failure.name}`;
 
   // Github API body length maximum is 65536 characters
   // Let's keep consistency with Mocha output that is truncated to 8192 characters
diff --git a/x-pack/plugins/security_solution/scripts/junit_transformer/lib.ts b/x-pack/plugins/security_solution/scripts/junit_transformer/lib.ts
index 725baa689cd20..e09a057978bce 100644
--- a/x-pack/plugins/security_solution/scripts/junit_transformer/lib.ts
+++ b/x-pack/plugins/security_solution/scripts/junit_transformer/lib.ts
@@ -18,6 +18,20 @@ import { PathReporter } from 'io-ts/lib/PathReporter';
 import globby from 'globby';
 import del from 'del';
 
+// Function to remove specific fields from an XML object in order to
+// compare them as strings.
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+function removeFields(obj: any, fieldsToRemove: string[]): any {
+  for (const key in obj) {
+    if (fieldsToRemove.includes(key)) {
+      delete obj[key];
+    } else if (typeof obj[key] === 'object') {
+      obj[key] = removeFields(obj[key], fieldsToRemove); // Recursively remove fields
+    }
+  }
+  return obj;
+}
+
 /**
  * Updates the `name` and `classname` attributes of each testcase.
  * `name` will have the value of `classname` appended to it. This makes sense because they each contain part of the bdd spec.
@@ -174,6 +188,10 @@ export async function command({ flags, log }: CommandArgs) {
     throw createFlagError('please provide a single --reportName flag');
   }
 
+  // Going to be used in order to store results as string in order to compare
+  // and remove duplicated reports.
+  const xmlResultFiles: string[] = [];
+
   for (const path of await globby(flags.pathPattern)) {
     // Read the file
     const source: string = await fs.readFile(path, 'utf8');
@@ -242,6 +260,26 @@ ${boilerplate}
       rootDirectory: flags.rootDirectory,
     });
 
+    // We need to check if a XML Junit report is duplicate
+    // Only if we remove the time and timestamp and the rest of the
+    // report as a string is completely identical.
+    const fieldsToRemove = ['time', 'timestamp'];
+    const tempReport = await parseStringPromise(reportString);
+    const truncatedReport = removeFields(tempReport, fieldsToRemove);
+
+    // Rebuild the XML to compare (optional, if you want to compare XML strings)
+    const builder = new Builder();
+    const rebuildComparableReport = builder.buildObject(truncatedReport);
+
+    // Compare the cleaned and rebuilt XML objects or strings
+    if (xmlResultFiles.includes(rebuildComparableReport)) {
+      // If the report is a duplicate, we need to remove the file
+      // in order to be excluded from the uploaded results.
+      await del(path, { force: true });
+      continue;
+    }
+    xmlResultFiles.push(rebuildComparableReport);
+
     // If the writeInPlace flag was passed, overwrite the original file, otherwise log the output to stdout
     if (flags.writeInPlace) {
       log.info(`Wrote transformed junit report to ${path}`);

From bd35590580494f21d702d5b990f61c5d900b702a Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Wed, 4 Dec 2024 01:41:09 +1100
Subject: [PATCH 18/23] [8.x] [EDR Workflows] Fix wrong endpoint link (#202434)
 (#202703)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[EDR Workflows] Fix wrong endpoint link
(#202434)](https://github.com/elastic/kibana/pull/202434)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Tomasz
Ciecierski","email":"tomasz.ciecierski@elastic.co"},"sourceCommit":{"committedDate":"2024-12-03T12:25:30Z","message":"[EDR
Workflows] Fix wrong endpoint link
(#202434)","sha":"bcd442239f0eaa6ba84579ea19311ad29221c01f","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Defend
Workflows","ci:cloud-deploy","ci:project-deploy-security","v8.16.0","backport:version","v8.17.0","v8.18.0"],"title":"[EDR
Workflows] Fix wrong endpoint
link","number":202434,"url":"https://github.com/elastic/kibana/pull/202434","mergeCommit":{"message":"[EDR
Workflows] Fix wrong endpoint link
(#202434)","sha":"bcd442239f0eaa6ba84579ea19311ad29221c01f"}},"sourceBranch":"main","suggestedTargetBranches":["8.16","8.17","8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/202434","number":202434,"mergeCommit":{"message":"[EDR
Workflows] Fix wrong endpoint link
(#202434)","sha":"bcd442239f0eaa6ba84579ea19311ad29221c01f"}},{"branch":"8.16","label":"v8.16.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.17","label":"v8.17.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Tomasz Ciecierski <tomasz.ciecierski@elastic.co>
---
 .../endpoint_hosts/view/hooks/use_endpoint_action_items.tsx     | 2 +-
 .../public/management/pages/endpoint_hosts/view/index.test.tsx  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/view/hooks/use_endpoint_action_items.tsx b/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/view/hooks/use_endpoint_action_items.tsx
index bb6102e8051c4..579561573488c 100644
--- a/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/view/hooks/use_endpoint_action_items.tsx
+++ b/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/view/hooks/use_endpoint_action_items.tsx
@@ -56,7 +56,7 @@ export const useEndpointActionItems = (
     const endpointMetadata = endpointInfo.metadata;
     const isIsolated = isEndpointHostIsolated(endpointMetadata);
     const endpointId = endpointMetadata.agent.id;
-    const endpointHostName = endpointMetadata.host.hostname;
+    const endpointHostName = endpointMetadata.host.hostname.toLowerCase();
     const fleetAgentId = endpointMetadata.elastic.agent.id;
     const { show, selected_endpoint: _selectedEndpoint, ...currentUrlParams } = allCurrentUrlParams;
     const endpointActionsPath = getEndpointDetailsPath({
diff --git a/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/view/index.test.tsx b/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/view/index.test.tsx
index d0b05404dc16d..57b0dde41177d 100644
--- a/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/view/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/view/index.test.tsx
@@ -1306,7 +1306,7 @@ describe('when on the endpoint list page', () => {
     it('navigates to the Security Solution Host Details page', async () => {
       const hostLink = await renderResult.findByTestId('hostLink');
       expect(hostLink.getAttribute('href')).toEqual(
-        `${APP_PATH}/hosts/${hostInfo[0].metadata.host.hostname}`
+        `${APP_PATH}/hosts/${hostInfo[0].metadata.host.hostname.toLowerCase()}`
       );
     });
     it('navigates to the correct Ingest Agent Policy page', async () => {

From 02c7cc7a007bd71f08c318d296bc6c4fe8d0dffa Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Wed, 4 Dec 2024 01:44:29 +1100
Subject: [PATCH 19/23] [8.x] [Console] Update console definitions (#202394)
 (#202711)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Console] Update console definitions
(#202394)](https://github.com/elastic/kibana/pull/202394)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Kibana
Machine","email":"42973632+kibanamachine@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-12-03T12:44:43Z","message":"[Console]
Update console definitions (#202394)\n\nThis PR updates the console
definitions to match the latest ones from\r\nthe
@elastic/elasticsearch-specification
repo.","sha":"d1e5aa158248fef3a86a59be4212f0a8d511ff91","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Feature:Console","Team:Kibana
Management","release_note:skip","v9.0.0","backport:prev-minor"],"title":"[Console]
Update console
definitions","number":202394,"url":"https://github.com/elastic/kibana/pull/202394","mergeCommit":{"message":"[Console]
Update console definitions (#202394)\n\nThis PR updates the console
definitions to match the latest ones from\r\nthe
@elastic/elasticsearch-specification
repo.","sha":"d1e5aa158248fef3a86a59be4212f0a8d511ff91"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/202394","number":202394,"mergeCommit":{"message":"[Console]
Update console definitions (#202394)\n\nThis PR updates the console
definitions to match the latest ones from\r\nthe
@elastic/elasticsearch-specification
repo.","sha":"d1e5aa158248fef3a86a59be4212f0a8d511ff91"}}]}] BACKPORT-->
---
 .../json/generated/async_search.status.json                | 7 ++++++-
 .../json/generated/async_search.submit.json                | 4 ----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/plugins/console/server/lib/spec_definitions/json/generated/async_search.status.json b/src/plugins/console/server/lib/spec_definitions/json/generated/async_search.status.json
index 66d774b605076..4e605ca1d0efe 100644
--- a/src/plugins/console/server/lib/spec_definitions/json/generated/async_search.status.json
+++ b/src/plugins/console/server/lib/spec_definitions/json/generated/async_search.status.json
@@ -4,7 +4,12 @@
       "error_trace": "__flag__",
       "filter_path": [],
       "human": "__flag__",
-      "pretty": "__flag__"
+      "pretty": "__flag__",
+      "keep_alive": [
+        "5d",
+        "-1",
+        "0"
+      ]
     },
     "methods": [
       "GET"
diff --git a/src/plugins/console/server/lib/spec_definitions/json/generated/async_search.submit.json b/src/plugins/console/server/lib/spec_definitions/json/generated/async_search.submit.json
index fcc429811827e..3da69d695ef76 100644
--- a/src/plugins/console/server/lib/spec_definitions/json/generated/async_search.submit.json
+++ b/src/plugins/console/server/lib/spec_definitions/json/generated/async_search.submit.json
@@ -48,10 +48,6 @@
       ],
       "request_cache": "__flag__",
       "routing": "",
-      "scroll": [
-        "-1",
-        "0"
-      ],
       "search_type": [
         "query_then_fetch",
         "dfs_query_then_fetch"

From b82912008582aa8612f2964d65fb36d2750adc77 Mon Sep 17 00:00:00 2001
From: Pablo Machado <pablo.nevesmachado@elastic.co>
Date: Tue, 3 Dec 2024 16:13:21 +0100
Subject: [PATCH 20/23] [8.x] [SecuritySolution] Entity Engine status tab
 (#201235) (#202650)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[SecuritySolution] Entity Engine status tab
(#201235)](https://github.com/elastic/kibana/pull/201235)

<!--- Backport version: 8.9.8 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Pablo
Machado","email":"pablo.nevesmachado@elastic.co"},"sourceCommit":{"committedDate":"2024-11-29T15:29:04Z","message":"[SecuritySolution]
Entity Engine status tab (#201235)\n\n## Summary\r\n\r\n* Add two tabs
to the Entity Store page\r\n * The import entities tab has all the bulk
upload content\r\n * The status tab has the new content created on this
PR\r\n* Move the \"clear entity store data\" button to the header
according to\r\ndesign mockups.\r\n* Delete unused stats route\r\n*
Rename `enablement` API docs to `enable`\r\n* Add a new parameter to the
status API (`withComponents`)\r\n * Should I make it snake
cased?\r\n\r\n### import entities tab\r\n![Screenshot 2024-11-27 at 15
07\r\n01](https://github.com/user-attachments/assets/c433e217-781e-4792-8695-2ee609efa654)\r\n\r\n\r\n###
status tab\r\n![Screenshot 2024-11-27 at 15
07\r\n20](https://github.com/user-attachments/assets/8970c023-22b3-4e83-a444-fa3ccf78ea42)\r\n\r\n\r\n##
How to test it\r\n- Open security solution app with data\r\n- Go to
entity store page\r\n- You shouldn't see the new tab because the engine
is disabled\r\n- Enable the engine and wait\r\n- Click on the new tab
that showed up\r\n- It should list user and host engine components, and
everything should\r\nbe installed\r\n- Delete or misconfigure some of
the resources, the new status should be\r\nreflected on the
tab.\r\n\r\n\r\n## TODO:\r\n- [x] Rebase main after
https://github.com/elastic/kibana/pull/199762 is\r\nmerged\r\n - [x]
Remove temporary status hook\r\n- [x] Fix the\"clear entity data\"
button. It should re-fetch the
status\r\nAPI.\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n###
Checklist\r\n\r\nReviewers should verify this PR satisfies this list as
well.\r\n\r\n- [x] Any text added follows [EUI's
writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\r\nsentence case text and includes
[i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n-
[x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [x] The PR
description includes the appropriate Release Notes section,\r\nand the
correct `release_note:*` label is applied per
the\r\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n---------\r\n\r\nCo-authored-by:
kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"06b7993bd90cf84f87a99668c4425fb4dd6d6b5e","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["v9.0.0","Team:
SecuritySolution","release_note:feature","Theme:
entity_analytics","Feature:Entity Analytics","Team:Entity
Analytics","backport:version","v8.18.0"],"number":201235,"url":"https://github.com/elastic/kibana/pull/201235","mergeCommit":{"message":"[SecuritySolution]
Entity Engine status tab (#201235)\n\n## Summary\r\n\r\n* Add two tabs
to the Entity Store page\r\n * The import entities tab has all the bulk
upload content\r\n * The status tab has the new content created on this
PR\r\n* Move the \"clear entity store data\" button to the header
according to\r\ndesign mockups.\r\n* Delete unused stats route\r\n*
Rename `enablement` API docs to `enable`\r\n* Add a new parameter to the
status API (`withComponents`)\r\n * Should I make it snake
cased?\r\n\r\n### import entities tab\r\n![Screenshot 2024-11-27 at 15
07\r\n01](https://github.com/user-attachments/assets/c433e217-781e-4792-8695-2ee609efa654)\r\n\r\n\r\n###
status tab\r\n![Screenshot 2024-11-27 at 15
07\r\n20](https://github.com/user-attachments/assets/8970c023-22b3-4e83-a444-fa3ccf78ea42)\r\n\r\n\r\n##
How to test it\r\n- Open security solution app with data\r\n- Go to
entity store page\r\n- You shouldn't see the new tab because the engine
is disabled\r\n- Enable the engine and wait\r\n- Click on the new tab
that showed up\r\n- It should list user and host engine components, and
everything should\r\nbe installed\r\n- Delete or misconfigure some of
the resources, the new status should be\r\nreflected on the
tab.\r\n\r\n\r\n## TODO:\r\n- [x] Rebase main after
https://github.com/elastic/kibana/pull/199762 is\r\nmerged\r\n - [x]
Remove temporary status hook\r\n- [x] Fix the\"clear entity data\"
button. It should re-fetch the
status\r\nAPI.\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n###
Checklist\r\n\r\nReviewers should verify this PR satisfies this list as
well.\r\n\r\n- [x] Any text added follows [EUI's
writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\r\nsentence case text and includes
[i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n-
[x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [x] The PR
description includes the appropriate Release Notes section,\r\nand the
correct `release_note:*` label is applied per
the\r\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n---------\r\n\r\nCo-authored-by:
kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"06b7993bd90cf84f87a99668c4425fb4dd6d6b5e"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/201235","number":201235,"mergeCommit":{"message":"[SecuritySolution]
Entity Engine status tab (#201235)\n\n## Summary\r\n\r\n* Add two tabs
to the Entity Store page\r\n * The import entities tab has all the bulk
upload content\r\n * The status tab has the new content created on this
PR\r\n* Move the \"clear entity store data\" button to the header
according to\r\ndesign mockups.\r\n* Delete unused stats route\r\n*
Rename `enablement` API docs to `enable`\r\n* Add a new parameter to the
status API (`withComponents`)\r\n * Should I make it snake
cased?\r\n\r\n### import entities tab\r\n![Screenshot 2024-11-27 at 15
07\r\n01](https://github.com/user-attachments/assets/c433e217-781e-4792-8695-2ee609efa654)\r\n\r\n\r\n###
status tab\r\n![Screenshot 2024-11-27 at 15
07\r\n20](https://github.com/user-attachments/assets/8970c023-22b3-4e83-a444-fa3ccf78ea42)\r\n\r\n\r\n##
How to test it\r\n- Open security solution app with data\r\n- Go to
entity store page\r\n- You shouldn't see the new tab because the engine
is disabled\r\n- Enable the engine and wait\r\n- Click on the new tab
that showed up\r\n- It should list user and host engine components, and
everything should\r\nbe installed\r\n- Delete or misconfigure some of
the resources, the new status should be\r\nreflected on the
tab.\r\n\r\n\r\n## TODO:\r\n- [x] Rebase main after
https://github.com/elastic/kibana/pull/199762 is\r\nmerged\r\n - [x]
Remove temporary status hook\r\n- [x] Fix the\"clear entity data\"
button. It should re-fetch the
status\r\nAPI.\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n###
Checklist\r\n\r\nReviewers should verify this PR satisfies this list as
well.\r\n\r\n- [x] Any text added follows [EUI's
writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\r\nsentence case text and includes
[i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n-
[x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [x] The PR
description includes the appropriate Release Notes section,\r\nand the
correct `release_note:*` label is applied per
the\r\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n---------\r\n\r\nCo-authored-by:
kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"06b7993bd90cf84f87a99668c4425fb4dd6d6b5e"}},{"branch":"8.x","label":"v8.18.0","labelRegex":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
---
 oas_docs/output/kibana.yaml                   |  94 +++++---
 .../entity_store/common.gen.ts                |  31 +++
 .../entity_store/common.schema.yaml           |  43 ++++
 .../{enablement.gen.ts => enable.gen.ts}      |   8 +-
 ...blement.schema.yaml => enable.schema.yaml} |  21 --
 .../entity_store/engine/index.ts              |   1 -
 .../entity_store/engine/stats.gen.ts          |  39 ----
 .../entity_store/engine/stats.schema.yaml     |  41 ----
 .../entity_store/status.gen.ts                |  43 ++++
 .../entity_store/status.schema.yaml           |  44 ++++
 .../common/api/quickstart_client.gen.ts       |  31 +--
 ...alytics_api_2023_10_31.bundled.schema.yaml |  96 +++++---
 ...alytics_api_2023_10_31.bundled.schema.yaml |  96 +++++---
 .../entity_analytics/api/entity_store.ts      |  16 +-
 .../components/dashboard_enablement_panel.tsx |   2 +-
 .../engine_components_status.test.tsx         | 118 ++++++++++
 .../components/engine_components_status.tsx   |  75 +++++++
 .../engines_status/hooks/use_columns.tsx      | 184 ++++++++++++++++
 .../components/engines_status/index.test.tsx  | 100 +++++++++
 .../components/engines_status/index.tsx       | 103 +++++++++
 .../entity_store/hooks/use_entity_store.ts    |  31 ++-
 .../entity_store_management_page.test.tsx     | 207 ++++++++++++++++++
 .../pages/entity_store_management_page.tsx    | 156 +++++++------
 .../entity_store/auditing/resources.ts        |  18 --
 .../component_template.ts                     |  25 +++
 .../elasticsearch_assets/enrich_policy.ts     |  19 ++
 .../elasticsearch_assets/entity_index.ts      |  24 +-
 .../elasticsearch_assets/ingest_pipeline.ts   |  25 +++
 .../entity_store/entity_store_data_client.ts  | 166 ++++++++++++--
 .../entity_store/routes/enablement.ts         |   4 +-
 .../entity_store/routes/stats.ts              |  64 ------
 .../entity_store/routes/status.ts             |  12 +-
 .../task/field_retention_enrichment_task.ts   |  39 +++-
 .../translations/translations/fr-FR.json      |   2 -
 .../translations/translations/ja-JP.json      |   2 -
 .../translations/translations/zh-CN.json      |   2 -
 .../services/security_solution_api.gen.ts     |  25 +--
 .../entity_store.ts                           |  77 +++++--
 38 files changed, 1605 insertions(+), 479 deletions(-)
 rename x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/{enablement.gen.ts => enable.gen.ts} (78%)
 rename x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/{enablement.schema.yaml => enable.schema.yaml} (65%)
 delete mode 100644 x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/engine/stats.gen.ts
 delete mode 100644 x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/engine/stats.schema.yaml
 create mode 100644 x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/status.gen.ts
 create mode 100644 x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/status.schema.yaml
 create mode 100644 x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/components/engines_status/components/engine_components_status.test.tsx
 create mode 100644 x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/components/engines_status/components/engine_components_status.tsx
 create mode 100644 x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/components/engines_status/hooks/use_columns.tsx
 create mode 100644 x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/components/engines_status/index.test.tsx
 create mode 100644 x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/components/engines_status/index.tsx
 create mode 100644 x-pack/plugins/security_solution/public/entity_analytics/pages/entity_store_management_page.test.tsx
 delete mode 100644 x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/auditing/resources.ts
 delete mode 100644 x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/routes/stats.ts

diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml
index df82a63588150..c99662d2007d6 100644
--- a/oas_docs/output/kibana.yaml
+++ b/oas_docs/output/kibana.yaml
@@ -11011,41 +11011,6 @@ paths:
       summary: Start an Entity Engine
       tags:
         - Security Entity Analytics API
-  /api/entity_store/engines/{entityType}/stats:
-    post:
-      operationId: GetEntityEngineStats
-      parameters:
-        - description: The entity type of the engine (either 'user' or 'host').
-          in: path
-          name: entityType
-          required: true
-          schema:
-            $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
-      responses:
-        '200':
-          content:
-            application/json; Elastic-Api-Version=2023-10-31:
-              schema:
-                type: object
-                properties:
-                  indexPattern:
-                    $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern'
-                  indices:
-                    items:
-                      type: object
-                    type: array
-                  status:
-                    $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineStatus'
-                  transforms:
-                    items:
-                      type: object
-                    type: array
-                  type:
-                    $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
-          description: Successful response
-      summary: Get Entity Engine stats
-      tags:
-        - Security Entity Analytics API
   /api/entity_store/engines/{entityType}/stop:
     post:
       operationId: StopEntityEngine
@@ -11196,6 +11161,12 @@ paths:
   /api/entity_store/status:
     get:
       operationId: GetEntityStoreStatus
+      parameters:
+        - description: If true returns a detailed status of the engine including all it's components
+          in: query
+          name: include_components
+          schema:
+            type: boolean
       responses:
         '200':
           content:
@@ -11205,10 +11176,20 @@ paths:
                 properties:
                   engines:
                     items:
-                      $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor'
+                      allOf:
+                        - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor'
+                        - type: object
+                          properties:
+                            components:
+                              items:
+                                $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentStatus'
+                              type: array
                     type: array
                   status:
                     $ref: '#/components/schemas/Security_Entity_Analytics_API_StoreStatus'
+                required:
+                  - status
+                  - engines
           description: Successful response
       summary: Get the status of the Entity Store
       tags:
@@ -38949,6 +38930,47 @@ components:
               $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
           required:
             - criticality_level
+    Security_Entity_Analytics_API_EngineComponentResource:
+      enum:
+        - entity_engine
+        - entity_definition
+        - index
+        - component_template
+        - index_template
+        - ingest_pipeline
+        - enrich_policy
+        - task
+        - transform
+      type: string
+    Security_Entity_Analytics_API_EngineComponentStatus:
+      type: object
+      properties:
+        errors:
+          items:
+            type: object
+            properties:
+              message:
+                type: string
+              title:
+                type: string
+          type: array
+        health:
+          enum:
+            - green
+            - yellow
+            - red
+            - unknown
+          type: string
+        id:
+          type: string
+        installed:
+          type: boolean
+        resource:
+          $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentResource'
+      required:
+        - id
+        - installed
+        - resource
     Security_Entity_Analytics_API_EngineDataviewUpdateResult:
       type: object
       properties:
diff --git a/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/common.gen.ts b/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/common.gen.ts
index 7e419dbe6453c..25c47e838d85c 100644
--- a/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/common.gen.ts
+++ b/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/common.gen.ts
@@ -39,6 +39,37 @@ export const EngineDescriptor = z.object({
   error: z.object({}).optional(),
 });
 
+export type EngineComponentResource = z.infer<typeof EngineComponentResource>;
+export const EngineComponentResource = z.enum([
+  'entity_engine',
+  'entity_definition',
+  'index',
+  'component_template',
+  'index_template',
+  'ingest_pipeline',
+  'enrich_policy',
+  'task',
+  'transform',
+]);
+export type EngineComponentResourceEnum = typeof EngineComponentResource.enum;
+export const EngineComponentResourceEnum = EngineComponentResource.enum;
+
+export type EngineComponentStatus = z.infer<typeof EngineComponentStatus>;
+export const EngineComponentStatus = z.object({
+  id: z.string(),
+  installed: z.boolean(),
+  resource: EngineComponentResource,
+  health: z.enum(['green', 'yellow', 'red', 'unknown']).optional(),
+  errors: z
+    .array(
+      z.object({
+        title: z.string().optional(),
+        message: z.string().optional(),
+      })
+    )
+    .optional(),
+});
+
 export type StoreStatus = z.infer<typeof StoreStatus>;
 export const StoreStatus = z.enum(['not_installed', 'installing', 'running', 'stopped', 'error']);
 export type StoreStatusEnum = typeof StoreStatus.enum;
diff --git a/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/common.schema.yaml b/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/common.schema.yaml
index 9a42191a556ac..5adb6fe038dc9 100644
--- a/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/common.schema.yaml
+++ b/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/common.schema.yaml
@@ -42,6 +42,49 @@ components:
         - updating
         - error
     
+    EngineComponentStatus:
+      type: object
+      required:
+          - id
+          - installed
+          - resource
+      properties:
+        id: 
+          type: string
+        installed: 
+          type: boolean
+        resource:
+          $ref: '#/components/schemas/EngineComponentResource'
+        health: 
+          type: string
+          enum:
+            - green
+            - yellow
+            - red
+            - unknown
+        errors:
+          type: array
+          items:
+            type: object
+            properties:
+              title:
+                type: string
+              message:
+                type: string
+
+    EngineComponentResource:
+      type: string
+      enum:
+        - entity_engine
+        - entity_definition
+        - index
+        - component_template
+        - index_template
+        - ingest_pipeline
+        - enrich_policy
+        - task
+        - transform
+
     StoreStatus:
       type: string
       enum:
diff --git a/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/enablement.gen.ts b/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/enable.gen.ts
similarity index 78%
rename from x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/enablement.gen.ts
rename to x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/enable.gen.ts
index 9644a1a333d16..70a58bf02be68 100644
--- a/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/enablement.gen.ts
+++ b/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/enable.gen.ts
@@ -16,13 +16,7 @@
 
 import { z } from '@kbn/zod';
 
-import { IndexPattern, EngineDescriptor, StoreStatus } from './common.gen';
-
-export type GetEntityStoreStatusResponse = z.infer<typeof GetEntityStoreStatusResponse>;
-export const GetEntityStoreStatusResponse = z.object({
-  status: StoreStatus.optional(),
-  engines: z.array(EngineDescriptor).optional(),
-});
+import { IndexPattern, EngineDescriptor } from './common.gen';
 
 export type InitEntityStoreRequestBody = z.infer<typeof InitEntityStoreRequestBody>;
 export const InitEntityStoreRequestBody = z.object({
diff --git a/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/enablement.schema.yaml b/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/enable.schema.yaml
similarity index 65%
rename from x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/enablement.schema.yaml
rename to x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/enable.schema.yaml
index 306e876dfc4a7..81eec22d9ade9 100644
--- a/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/enablement.schema.yaml
+++ b/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/enable.schema.yaml
@@ -41,24 +41,3 @@ paths:
                     type: array
                     items:
                       $ref: './common.schema.yaml#/components/schemas/EngineDescriptor'
-  
-  /api/entity_store/status:
-    get:
-      x-labels: [ess, serverless]
-      x-codegen-enabled: true
-      operationId: GetEntityStoreStatus
-      summary: Get the status of the Entity Store
-      responses:
-        '200':
-          description: Successful response
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  status: 
-                    $ref: './common.schema.yaml#/components/schemas/StoreStatus'
-                  engines:
-                    type: array
-                    items:
-                      $ref: './common.schema.yaml#/components/schemas/EngineDescriptor'
diff --git a/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/engine/index.ts b/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/engine/index.ts
index b21308de36f18..32bc0a4efc07b 100644
--- a/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/engine/index.ts
+++ b/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/engine/index.ts
@@ -10,6 +10,5 @@ export * from './get.gen';
 export * from './init.gen';
 export * from './list.gen';
 export * from './start.gen';
-export * from './stats.gen';
 export * from './stop.gen';
 export * from './apply_dataview_indices.gen';
diff --git a/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/engine/stats.gen.ts b/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/engine/stats.gen.ts
deleted file mode 100644
index 8b2cb44947535..0000000000000
--- a/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/engine/stats.gen.ts
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-/*
- * NOTICE: Do not edit this file manually.
- * This file is automatically generated by the OpenAPI Generator, @kbn/openapi-generator.
- *
- * info:
- *   title: Get Entity Engine stats
- *   version: 2023-10-31
- */
-
-import { z } from '@kbn/zod';
-
-import { EntityType, IndexPattern, EngineStatus } from '../common.gen';
-
-export type GetEntityEngineStatsRequestParams = z.infer<typeof GetEntityEngineStatsRequestParams>;
-export const GetEntityEngineStatsRequestParams = z.object({
-  /**
-   * The entity type of the engine (either 'user' or 'host').
-   */
-  entityType: EntityType,
-});
-export type GetEntityEngineStatsRequestParamsInput = z.input<
-  typeof GetEntityEngineStatsRequestParams
->;
-
-export type GetEntityEngineStatsResponse = z.infer<typeof GetEntityEngineStatsResponse>;
-export const GetEntityEngineStatsResponse = z.object({
-  type: EntityType.optional(),
-  indexPattern: IndexPattern.optional(),
-  status: EngineStatus.optional(),
-  transforms: z.array(z.object({})).optional(),
-  indices: z.array(z.object({})).optional(),
-});
diff --git a/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/engine/stats.schema.yaml b/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/engine/stats.schema.yaml
deleted file mode 100644
index 25c010acc92ce..0000000000000
--- a/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/engine/stats.schema.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-openapi: 3.0.0
-
-info:
-  title: Get Entity Engine stats
-  version: '2023-10-31'
-paths:
-   /api/entity_store/engines/{entityType}/stats:
-    post:
-      x-labels: [ess, serverless]
-      x-codegen-enabled: true
-      operationId: GetEntityEngineStats
-      summary: Get Entity Engine stats
-      parameters:
-        - name: entityType
-          in: path
-          required: true
-          schema:
-            $ref: '../common.schema.yaml#/components/schemas/EntityType'
-          description: The entity type of the engine (either 'user' or 'host').
-      responses:
-        '200':
-          description: Successful response
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:      
-                  type:
-                    $ref : '../common.schema.yaml#/components/schemas/EntityType'
-                  indexPattern:
-                    $ref : '../common.schema.yaml#/components/schemas/IndexPattern'
-                  status:
-                    $ref : '../common.schema.yaml#/components/schemas/EngineStatus'
-                  transforms:
-                    type: array
-                    items:
-                      type: object
-                  indices:
-                    type: array  
-                    items:
-                      type: object
diff --git a/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/status.gen.ts b/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/status.gen.ts
new file mode 100644
index 0000000000000..76249a787a43b
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/status.gen.ts
@@ -0,0 +1,43 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+/*
+ * NOTICE: Do not edit this file manually.
+ * This file is automatically generated by the OpenAPI Generator, @kbn/openapi-generator.
+ *
+ * info:
+ *   title: Enable Entity Store
+ *   version: 2023-10-31
+ */
+
+import { z } from '@kbn/zod';
+import { BooleanFromString } from '@kbn/zod-helpers';
+
+import { StoreStatus, EngineDescriptor, EngineComponentStatus } from './common.gen';
+
+export type GetEntityStoreStatusRequestQuery = z.infer<typeof GetEntityStoreStatusRequestQuery>;
+export const GetEntityStoreStatusRequestQuery = z.object({
+  /**
+   * If true returns a detailed status of the engine including all it's components
+   */
+  include_components: BooleanFromString.optional(),
+});
+export type GetEntityStoreStatusRequestQueryInput = z.input<
+  typeof GetEntityStoreStatusRequestQuery
+>;
+
+export type GetEntityStoreStatusResponse = z.infer<typeof GetEntityStoreStatusResponse>;
+export const GetEntityStoreStatusResponse = z.object({
+  status: StoreStatus,
+  engines: z.array(
+    EngineDescriptor.merge(
+      z.object({
+        components: z.array(EngineComponentStatus).optional(),
+      })
+    )
+  ),
+});
diff --git a/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/status.schema.yaml b/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/status.schema.yaml
new file mode 100644
index 0000000000000..a1be66282328e
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/api/entity_analytics/entity_store/status.schema.yaml
@@ -0,0 +1,44 @@
+openapi: 3.0.0
+
+info:
+  title: Enable Entity Store
+  version: '2023-10-31'
+paths:
+  /api/entity_store/status:
+    get:
+      x-labels: [ess, serverless]
+      x-codegen-enabled: true
+      operationId: GetEntityStoreStatus
+      summary: Get the status of the Entity Store
+            
+      parameters:
+        - name: include_components
+          in: query  
+          schema:
+            type: boolean
+          description: If true returns a detailed status of the engine including all it's components
+
+      responses:
+        '200':
+          description: Successful response
+          content:
+            application/json:
+              schema:
+                type: object
+                required:
+                  - status
+                  - engines
+                properties:
+                  status: 
+                    $ref: './common.schema.yaml#/components/schemas/StoreStatus'
+                  engines:
+                    type: array
+                    items:
+                      allOf:
+                        - $ref: './common.schema.yaml#/components/schemas/EngineDescriptor'
+                        - type: object
+                          properties:
+                            components:
+                              type: array
+                              items:
+                                $ref: './common.schema.yaml#/components/schemas/EngineComponentStatus'
diff --git a/x-pack/plugins/security_solution/common/api/quickstart_client.gen.ts b/x-pack/plugins/security_solution/common/api/quickstart_client.gen.ts
index 6a85c76c27e56..9c1d5efdb6849 100644
--- a/x-pack/plugins/security_solution/common/api/quickstart_client.gen.ts
+++ b/x-pack/plugins/security_solution/common/api/quickstart_client.gen.ts
@@ -244,10 +244,9 @@ import type {
   UploadAssetCriticalityRecordsResponse,
 } from './entity_analytics/asset_criticality/upload_asset_criticality_csv.gen';
 import type {
-  GetEntityStoreStatusResponse,
   InitEntityStoreRequestBodyInput,
   InitEntityStoreResponse,
-} from './entity_analytics/entity_store/enablement.gen';
+} from './entity_analytics/entity_store/enable.gen';
 import type { ApplyEntityEngineDataviewIndicesResponse } from './entity_analytics/entity_store/engine/apply_dataview_indices.gen';
 import type {
   DeleteEntityEngineRequestQueryInput,
@@ -269,10 +268,6 @@ import type {
   StartEntityEngineRequestParamsInput,
   StartEntityEngineResponse,
 } from './entity_analytics/entity_store/engine/start.gen';
-import type {
-  GetEntityEngineStatsRequestParamsInput,
-  GetEntityEngineStatsResponse,
-} from './entity_analytics/entity_store/engine/stats.gen';
 import type {
   StopEntityEngineRequestParamsInput,
   StopEntityEngineResponse,
@@ -281,6 +276,10 @@ import type {
   ListEntitiesRequestQueryInput,
   ListEntitiesResponse,
 } from './entity_analytics/entity_store/entities/list_entities.gen';
+import type {
+  GetEntityStoreStatusRequestQueryInput,
+  GetEntityStoreStatusResponse,
+} from './entity_analytics/entity_store/status.gen';
 import type { CleanUpRiskEngineResponse } from './entity_analytics/risk_engine/engine_cleanup_route.gen';
 import type { DisableRiskEngineResponse } from './entity_analytics/risk_engine/engine_disable_route.gen';
 import type { EnableRiskEngineResponse } from './entity_analytics/risk_engine/engine_enable_route.gen';
@@ -1342,19 +1341,7 @@ finalize it.
       })
       .catch(catchAxiosErrorFormatAndThrow);
   }
-  async getEntityEngineStats(props: GetEntityEngineStatsProps) {
-    this.log.info(`${new Date().toISOString()} Calling API GetEntityEngineStats`);
-    return this.kbnClient
-      .request<GetEntityEngineStatsResponse>({
-        path: replaceParams('/api/entity_store/engines/{entityType}/stats', props.params),
-        headers: {
-          [ELASTIC_HTTP_VERSION_HEADER]: '2023-10-31',
-        },
-        method: 'POST',
-      })
-      .catch(catchAxiosErrorFormatAndThrow);
-  }
-  async getEntityStoreStatus() {
+  async getEntityStoreStatus(props: GetEntityStoreStatusProps) {
     this.log.info(`${new Date().toISOString()} Calling API GetEntityStoreStatus`);
     return this.kbnClient
       .request<GetEntityStoreStatusResponse>({
@@ -1363,6 +1350,8 @@ finalize it.
           [ELASTIC_HTTP_VERSION_HEADER]: '2023-10-31',
         },
         method: 'GET',
+
+        query: props.query,
       })
       .catch(catchAxiosErrorFormatAndThrow);
   }
@@ -2356,8 +2345,8 @@ export interface GetEndpointSuggestionsProps {
 export interface GetEntityEngineProps {
   params: GetEntityEngineRequestParamsInput;
 }
-export interface GetEntityEngineStatsProps {
-  params: GetEntityEngineStatsRequestParamsInput;
+export interface GetEntityStoreStatusProps {
+  query: GetEntityStoreStatusRequestQueryInput;
 }
 export interface GetNotesProps {
   query: GetNotesRequestQueryInput;
diff --git a/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml b/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml
index ca046be2c73c8..e09127af98608 100644
--- a/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml
+++ b/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml
@@ -419,41 +419,6 @@ paths:
       summary: Start an Entity Engine
       tags:
         - Security Entity Analytics API
-  '/api/entity_store/engines/{entityType}/stats':
-    post:
-      operationId: GetEntityEngineStats
-      parameters:
-        - description: The entity type of the engine (either 'user' or 'host').
-          in: path
-          name: entityType
-          required: true
-          schema:
-            $ref: '#/components/schemas/EntityType'
-      responses:
-        '200':
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  indexPattern:
-                    $ref: '#/components/schemas/IndexPattern'
-                  indices:
-                    items:
-                      type: object
-                    type: array
-                  status:
-                    $ref: '#/components/schemas/EngineStatus'
-                  transforms:
-                    items:
-                      type: object
-                    type: array
-                  type:
-                    $ref: '#/components/schemas/EntityType'
-          description: Successful response
-      summary: Get Entity Engine stats
-      tags:
-        - Security Entity Analytics API
   '/api/entity_store/engines/{entityType}/stop':
     post:
       operationId: StopEntityEngine
@@ -604,6 +569,14 @@ paths:
   /api/entity_store/status:
     get:
       operationId: GetEntityStoreStatus
+      parameters:
+        - description: >-
+            If true returns a detailed status of the engine including all it's
+            components
+          in: query
+          name: include_components
+          schema:
+            type: boolean
       responses:
         '200':
           content:
@@ -613,10 +586,20 @@ paths:
                 properties:
                   engines:
                     items:
-                      $ref: '#/components/schemas/EngineDescriptor'
+                      allOf:
+                        - $ref: '#/components/schemas/EngineDescriptor'
+                        - type: object
+                          properties:
+                            components:
+                              items:
+                                $ref: '#/components/schemas/EngineComponentStatus'
+                              type: array
                     type: array
                   status:
                     $ref: '#/components/schemas/StoreStatus'
+                required:
+                  - status
+                  - engines
           description: Successful response
       summary: Get the status of the Entity Store
       tags:
@@ -809,6 +792,47 @@ components:
               $ref: '#/components/schemas/AssetCriticalityLevel'
           required:
             - criticality_level
+    EngineComponentResource:
+      enum:
+        - entity_engine
+        - entity_definition
+        - index
+        - component_template
+        - index_template
+        - ingest_pipeline
+        - enrich_policy
+        - task
+        - transform
+      type: string
+    EngineComponentStatus:
+      type: object
+      properties:
+        errors:
+          items:
+            type: object
+            properties:
+              message:
+                type: string
+              title:
+                type: string
+          type: array
+        health:
+          enum:
+            - green
+            - yellow
+            - red
+            - unknown
+          type: string
+        id:
+          type: string
+        installed:
+          type: boolean
+        resource:
+          $ref: '#/components/schemas/EngineComponentResource'
+      required:
+        - id
+        - installed
+        - resource
     EngineDataviewUpdateResult:
       type: object
       properties:
diff --git a/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml b/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml
index e5eacbfbfdf17..a5a4c30582e5f 100644
--- a/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml
+++ b/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml
@@ -419,41 +419,6 @@ paths:
       summary: Start an Entity Engine
       tags:
         - Security Entity Analytics API
-  '/api/entity_store/engines/{entityType}/stats':
-    post:
-      operationId: GetEntityEngineStats
-      parameters:
-        - description: The entity type of the engine (either 'user' or 'host').
-          in: path
-          name: entityType
-          required: true
-          schema:
-            $ref: '#/components/schemas/EntityType'
-      responses:
-        '200':
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  indexPattern:
-                    $ref: '#/components/schemas/IndexPattern'
-                  indices:
-                    items:
-                      type: object
-                    type: array
-                  status:
-                    $ref: '#/components/schemas/EngineStatus'
-                  transforms:
-                    items:
-                      type: object
-                    type: array
-                  type:
-                    $ref: '#/components/schemas/EntityType'
-          description: Successful response
-      summary: Get Entity Engine stats
-      tags:
-        - Security Entity Analytics API
   '/api/entity_store/engines/{entityType}/stop':
     post:
       operationId: StopEntityEngine
@@ -604,6 +569,14 @@ paths:
   /api/entity_store/status:
     get:
       operationId: GetEntityStoreStatus
+      parameters:
+        - description: >-
+            If true returns a detailed status of the engine including all it's
+            components
+          in: query
+          name: include_components
+          schema:
+            type: boolean
       responses:
         '200':
           content:
@@ -613,10 +586,20 @@ paths:
                 properties:
                   engines:
                     items:
-                      $ref: '#/components/schemas/EngineDescriptor'
+                      allOf:
+                        - $ref: '#/components/schemas/EngineDescriptor'
+                        - type: object
+                          properties:
+                            components:
+                              items:
+                                $ref: '#/components/schemas/EngineComponentStatus'
+                              type: array
                     type: array
                   status:
                     $ref: '#/components/schemas/StoreStatus'
+                required:
+                  - status
+                  - engines
           description: Successful response
       summary: Get the status of the Entity Store
       tags:
@@ -809,6 +792,47 @@ components:
               $ref: '#/components/schemas/AssetCriticalityLevel'
           required:
             - criticality_level
+    EngineComponentResource:
+      enum:
+        - entity_engine
+        - entity_definition
+        - index
+        - component_template
+        - index_template
+        - ingest_pipeline
+        - enrich_policy
+        - task
+        - transform
+      type: string
+    EngineComponentStatus:
+      type: object
+      properties:
+        errors:
+          items:
+            type: object
+            properties:
+              message:
+                type: string
+              title:
+                type: string
+          type: array
+        health:
+          enum:
+            - green
+            - yellow
+            - red
+            - unknown
+          type: string
+        id:
+          type: string
+        installed:
+          type: boolean
+        resource:
+          $ref: '#/components/schemas/EngineComponentResource'
+      required:
+        - id
+        - installed
+        - resource
     EngineDataviewUpdateResult:
       type: object
       properties:
diff --git a/x-pack/plugins/security_solution/public/entity_analytics/api/entity_store.ts b/x-pack/plugins/security_solution/public/entity_analytics/api/entity_store.ts
index f1afa13637bb8..0098b842748e2 100644
--- a/x-pack/plugins/security_solution/public/entity_analytics/api/entity_store.ts
+++ b/x-pack/plugins/security_solution/public/entity_analytics/api/entity_store.ts
@@ -5,15 +5,14 @@
  * 2.0.
  */
 import { useMemo } from 'react';
+import type { GetEntityStoreStatusResponse } from '../../../common/api/entity_analytics/entity_store/status.gen';
 import type {
-  GetEntityStoreStatusResponse,
   InitEntityStoreRequestBody,
   InitEntityStoreResponse,
-} from '../../../common/api/entity_analytics/entity_store/enablement.gen';
+} from '../../../common/api/entity_analytics/entity_store/enable.gen';
 import type {
   DeleteEntityEngineResponse,
   EntityType,
-  GetEntityEngineResponse,
   InitEntityEngineResponse,
   ListEntityEnginesResponse,
   StopEntityEngineResponse,
@@ -35,10 +34,11 @@ export const useEntityStoreRoutes = () => {
       });
     };
 
-    const getEntityStoreStatus = async () => {
+    const getEntityStoreStatus = async (withComponents = false) => {
       return http.fetch<GetEntityStoreStatusResponse>('/api/entity_store/status', {
         method: 'GET',
         version: API_VERSIONS.public.v1,
+        query: { include_components: withComponents },
       });
     };
 
@@ -58,13 +58,6 @@ export const useEntityStoreRoutes = () => {
       });
     };
 
-    const getEntityEngine = async (entityType: EntityType) => {
-      return http.fetch<GetEntityEngineResponse>(`/api/entity_store/engines/${entityType}`, {
-        method: 'GET',
-        version: API_VERSIONS.public.v1,
-      });
-    };
-
     const deleteEntityEngine = async (entityType: EntityType, deleteData: boolean) => {
       return http.fetch<DeleteEntityEngineResponse>(`/api/entity_store/engines/${entityType}`, {
         method: 'DELETE',
@@ -85,7 +78,6 @@ export const useEntityStoreRoutes = () => {
       getEntityStoreStatus,
       initEntityEngine,
       stopEntityEngine,
-      getEntityEngine,
       deleteEntityEngine,
       listEntityEngines,
     };
diff --git a/x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/components/dashboard_enablement_panel.tsx b/x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/components/dashboard_enablement_panel.tsx
index 8d0426fd99ceb..38449fa1e72ff 100644
--- a/x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/components/dashboard_enablement_panel.tsx
+++ b/x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/components/dashboard_enablement_panel.tsx
@@ -16,7 +16,7 @@ import {
 } from '@elastic/eui';
 import { FormattedMessage } from '@kbn/i18n-react';
 import type { UseQueryResult } from '@tanstack/react-query';
-import type { GetEntityStoreStatusResponse } from '../../../../../common/api/entity_analytics/entity_store/enablement.gen';
+import type { GetEntityStoreStatusResponse } from '../../../../../common/api/entity_analytics/entity_store/status.gen';
 import type { StoreStatus } from '../../../../../common/api/entity_analytics';
 import { RiskEngineStatusEnum } from '../../../../../common/api/entity_analytics';
 import { useInitRiskEngineMutation } from '../../../api/hooks/use_init_risk_engine_mutation';
diff --git a/x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/components/engines_status/components/engine_components_status.test.tsx b/x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/components/engines_status/components/engine_components_status.test.tsx
new file mode 100644
index 0000000000000..e97c9f961bb50
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/components/engines_status/components/engine_components_status.test.tsx
@@ -0,0 +1,118 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import { render, screen, fireEvent } from '@testing-library/react';
+import { EngineComponentsStatusTable } from './engine_components_status';
+import {
+  EngineComponentResourceEnum,
+  type EngineComponentStatus,
+} from '../../../../../../../common/api/entity_analytics';
+import { TestProviders } from '../../../../../../common/mock';
+
+const uninstalledWithErrorsComponent = {
+  id: 'entity_engine_id',
+  installed: false,
+  resource: EngineComponentResourceEnum.entity_engine,
+  errors: [{ title: 'Error 1', message: 'Error message 1' }],
+};
+
+const installedComponent = {
+  id: 'index_id',
+  resource: EngineComponentResourceEnum.index,
+  errors: [],
+  installed: true,
+};
+
+const mockComponents: EngineComponentStatus[] = [
+  uninstalledWithErrorsComponent,
+  installedComponent,
+];
+
+const mockGetUrlForApp = jest.fn();
+
+jest.mock('../../../../../../common/lib/kibana', () => {
+  return {
+    useKibana: jest.fn().mockReturnValue({
+      services: {
+        application: {
+          getUrlForApp: () => mockGetUrlForApp(),
+          navigateToApp: jest.fn(),
+        },
+      },
+    }),
+  };
+});
+
+describe('EngineComponentsStatusTable', () => {
+  it('renders the table with components', () => {
+    render(<EngineComponentsStatusTable components={mockComponents} />, { wrapper: TestProviders });
+    expect(screen.getByTestId('engine-components-status-table')).toBeInTheDocument();
+  });
+
+  it('expands and collapses rows correctly', () => {
+    render(<EngineComponentsStatusTable components={mockComponents} />, { wrapper: TestProviders });
+
+    const toggleButton = screen.getByLabelText('Expand');
+    fireEvent.click(toggleButton);
+
+    expect(screen.getByText('Error 1')).toBeInTheDocument();
+    expect(screen.getByText('Error message 1')).toBeInTheDocument();
+
+    fireEvent.click(toggleButton);
+
+    expect(screen.queryByText('Error 1')).not.toBeInTheDocument();
+    expect(screen.queryByText('Error message 1')).not.toBeInTheDocument();
+  });
+
+  describe('columns', () => {
+    it('renders the correct resource text', () => {
+      render(<EngineComponentsStatusTable components={[installedComponent]} />, {
+        wrapper: TestProviders,
+      });
+      expect(screen.getByText('Index')).toBeInTheDocument();
+    });
+
+    it('renders checkmark on installation column when installed', () => {
+      render(<EngineComponentsStatusTable components={[installedComponent]} />, {
+        wrapper: TestProviders,
+      });
+
+      const icon = screen.getByTestId('installation-status');
+
+      expect(icon).toHaveAttribute('data-euiicon-type', 'check');
+    });
+
+    it('renders cross on installation column when installed', () => {
+      render(<EngineComponentsStatusTable components={[uninstalledWithErrorsComponent]} />, {
+        wrapper: TestProviders,
+      });
+
+      const icon = screen.getByTestId('installation-status');
+
+      expect(icon).toHaveAttribute('data-euiicon-type', 'cross');
+    });
+
+    it('renders the correct health status', () => {
+      render(<EngineComponentsStatusTable components={[installedComponent]} />, {
+        wrapper: TestProviders,
+      });
+
+      expect(screen.queryByRole('img', { name: /health/i })).not.toBeInTheDocument();
+    });
+
+    it('renders the correct identifier link', () => {
+      mockGetUrlForApp.mockReturnValue('mockedUrl');
+
+      render(<EngineComponentsStatusTable components={[installedComponent]} />, {
+        wrapper: TestProviders,
+      });
+      const link = screen.getByRole('link');
+      expect(link).toHaveAttribute('href', 'mockedUrl');
+    });
+  });
+});
diff --git a/x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/components/engines_status/components/engine_components_status.tsx b/x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/components/engines_status/components/engine_components_status.tsx
new file mode 100644
index 0000000000000..eb789035d566f
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/components/engines_status/components/engine_components_status.tsx
@@ -0,0 +1,75 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import type { ReactNode } from 'react';
+import React, { useState, useMemo, useCallback, Fragment } from 'react';
+import { EuiSpacer, EuiHealth, EuiCodeBlock } from '@elastic/eui';
+import { BasicTable } from '../../../../../../common/components/ml/tables/basic_table';
+import { useColumns } from '../hooks/use_columns';
+import type { EngineComponentStatus } from '../../../../../../../common/api/entity_analytics';
+
+type ExpandedRowMap = Record<string, ReactNode>;
+
+const componentToId = ({ id, resource }: EngineComponentStatus) => `${resource}-${id}`;
+
+export const EngineComponentsStatusTable = ({
+  components,
+}: {
+  components: EngineComponentStatus[];
+}) => {
+  const [expandedItems, setExpandedItems] = useState<EngineComponentStatus[]>([]);
+
+  const itemIdToExpandedRowMap: ExpandedRowMap = useMemo(() => {
+    return expandedItems.reduce<ExpandedRowMap>((acc, componentStatus) => {
+      if (componentStatus.errors && componentStatus.errors.length > 0) {
+        acc[componentToId(componentStatus)] = (
+          <TransformExtendedData errors={componentStatus.errors} />
+        );
+      }
+      return acc;
+    }, {});
+  }, [expandedItems]);
+
+  const onToggle = useCallback(
+    (component: EngineComponentStatus) => {
+      const isItemExpanded = expandedItems.includes(component);
+
+      if (isItemExpanded) {
+        setExpandedItems(expandedItems.filter((item) => component !== item));
+      } else {
+        setExpandedItems([...expandedItems, component]);
+      }
+    },
+    [expandedItems]
+  );
+
+  const columns = useColumns(onToggle, expandedItems);
+
+  return (
+    <BasicTable
+      data-test-subj="engine-components-status-table"
+      columns={columns}
+      itemId={componentToId}
+      itemIdToExpandedRowMap={itemIdToExpandedRowMap}
+      items={components}
+    />
+  );
+};
+
+const TransformExtendedData = ({ errors }: { errors: EngineComponentStatus['errors'] }) => {
+  return (
+    <>
+      {errors?.map(({ title, message }) => (
+        <Fragment key={title}>
+          <EuiSpacer size="m" />
+          <EuiHealth color="danger">{title}</EuiHealth>
+          <EuiSpacer size="s" />
+          <EuiCodeBlock>{message}</EuiCodeBlock>
+        </Fragment>
+      ))}
+    </>
+  );
+};
diff --git a/x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/components/engines_status/hooks/use_columns.tsx b/x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/components/engines_status/hooks/use_columns.tsx
new file mode 100644
index 0000000000000..3156c768bf4fc
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/components/engines_status/hooks/use_columns.tsx
@@ -0,0 +1,184 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { IconColor } from '@elastic/eui';
+import {
+  EuiLink,
+  type EuiBasicTableColumn,
+  EuiHealth,
+  EuiScreenReaderOnly,
+  EuiButtonIcon,
+  EuiIcon,
+} from '@elastic/eui';
+import React, { useMemo } from 'react';
+import { FormattedMessage } from '@kbn/i18n-react';
+import {
+  EngineComponentResourceEnum,
+  type EngineComponentResource,
+} from '../../../../../../../common/api/entity_analytics';
+import type { EngineComponentStatus } from '../../../../../../../common/api/entity_analytics';
+import { useKibana } from '../../../../../../common/lib/kibana';
+
+type TableColumn = EuiBasicTableColumn<EngineComponentStatus>;
+
+export const HEALTH_COLOR: Record<Required<EngineComponentStatus>['health'], IconColor> = {
+  green: 'success',
+  unknown: 'subdued',
+  yellow: 'warning',
+  red: 'danger',
+} as const;
+
+const RESOURCE_TO_TEXT: Record<EngineComponentResource, string> = {
+  ingest_pipeline: 'Ingest Pipeline',
+  enrich_policy: 'Enrich Policy',
+  index: 'Index',
+  component_template: 'Component Template',
+  task: 'Task',
+  transform: 'Transform',
+  entity_definition: 'Entity Definition',
+  entity_engine: 'Engine',
+  index_template: 'Index Template',
+};
+
+export const useColumns = (
+  onToggleExpandedItem: (item: EngineComponentStatus) => void,
+  expandedItems: EngineComponentStatus[]
+): TableColumn[] => {
+  const { getUrlForApp } = useKibana().services.application;
+
+  return useMemo(
+    () => [
+      {
+        field: 'resource',
+        name: (
+          <FormattedMessage
+            id="xpack.securitySolution.entityAnalytics.entityStore.enginesStatus.resourceColumnTitle"
+            defaultMessage="Resource"
+          />
+        ),
+        width: '20%',
+        render: (resource: EngineComponentStatus['resource']) => RESOURCE_TO_TEXT[resource],
+      },
+      {
+        field: 'id',
+        name: (
+          <FormattedMessage
+            id="xpack.securitySolution.entityAnalytics.entityStore.enginesStatus.idColumnTitle"
+            defaultMessage="Identifier"
+          />
+        ),
+        render: (id: EngineComponentStatus['id'], { resource, installed }) => {
+          const path = getResourcePath(id, resource);
+
+          if (!installed || !path) {
+            return id;
+          }
+
+          return (
+            <EuiLink
+              target="_blank"
+              href={getUrlForApp('management', {
+                path,
+              })}
+            >
+              {id}
+            </EuiLink>
+          );
+        },
+      },
+      {
+        field: 'installed',
+        name: (
+          <FormattedMessage
+            id="xpack.securitySolution.entityAnalytics.entityStore.enginesStatus.installedColumnTitle"
+            defaultMessage="Installed"
+          />
+        ),
+        width: '10%',
+        align: 'center',
+        render: (value: boolean) =>
+          value ? (
+            <EuiIcon data-test-subj="installation-status" type="check" color="success" size="l" />
+          ) : (
+            <EuiIcon data-test-subj="installation-status" type="cross" color="danger" size="l" />
+          ),
+      },
+      {
+        name: (
+          <FormattedMessage
+            id="xpack.securitySolution.entityAnalytics.entityStore.enginesStatus.healthColumnTitle"
+            defaultMessage="Health"
+          />
+        ),
+        width: '10%',
+        align: 'center',
+        render: ({ installed, resource, health }: EngineComponentStatus) => {
+          if (!installed) {
+            return null;
+          }
+
+          return <EuiHealth color={HEALTH_COLOR[health ?? 'green']} />;
+        },
+      },
+      {
+        isExpander: true,
+        align: 'right',
+        width: '40px',
+        name: (
+          <EuiScreenReaderOnly>
+            <span>
+              <FormattedMessage
+                id="xpack.securitySolution.entityAnalytics.entityStore.enginesStatus.expandRow"
+                defaultMessage="Expand row"
+              />
+            </span>
+          </EuiScreenReaderOnly>
+        ),
+        mobileOptions: { header: false },
+        render: (component: EngineComponentStatus) => {
+          const isItemExpanded = expandedItems.includes(component);
+
+          return component.errors && component.errors.length > 0 ? (
+            <EuiButtonIcon
+              onClick={() => onToggleExpandedItem(component)}
+              aria-label={isItemExpanded ? 'Collapse' : 'Expand'}
+              iconType={isItemExpanded ? 'arrowDown' : 'arrowRight'}
+            />
+          ) : null;
+        },
+      },
+    ],
+    [expandedItems, getUrlForApp, onToggleExpandedItem]
+  );
+};
+
+const getResourcePath = (id: string, resource: EngineComponentResource) => {
+  if (resource === EngineComponentResourceEnum.ingest_pipeline) {
+    return `ingest/ingest_pipelines?pipeline=${id}`;
+  }
+
+  if (resource === EngineComponentResourceEnum.index_template) {
+    return `data/index_management/templates/${id}`;
+  }
+
+  if (resource === EngineComponentResourceEnum.index) {
+    return `data/index_management/indices/index_details?indexName=${id}`;
+  }
+
+  if (resource === EngineComponentResourceEnum.component_template) {
+    return `data/index_management/component_templates/${id}`;
+  }
+
+  if (resource === EngineComponentResourceEnum.enrich_policy) {
+    return `data/index_management/enrich_policies?policy=${id}`;
+  }
+
+  if (resource === EngineComponentResourceEnum.transform) {
+    return `data/transform/enrich_policies?_a=(transform:(queryText:'${id}'))`;
+  }
+  return null;
+};
diff --git a/x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/components/engines_status/index.test.tsx b/x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/components/engines_status/index.test.tsx
new file mode 100644
index 0000000000000..2f9e74df39d39
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/components/engines_status/index.test.tsx
@@ -0,0 +1,100 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import { render, screen, fireEvent } from '@testing-library/react';
+import { EngineStatus } from '.';
+
+import { TestProviders } from '@kbn/timelines-plugin/public/mock';
+
+const mockUseEntityStore = jest.fn();
+jest.mock('../../hooks/use_entity_store', () => ({
+  useEntityStoreStatus: () => mockUseEntityStore(),
+}));
+
+const mockDownloadBlob = jest.fn();
+jest.mock('../../../../../common/utils/download_blob', () => ({
+  downloadBlob: () => mockDownloadBlob(),
+}));
+
+describe('EngineStatus', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it('renders loading spinner when data is loading', () => {
+    mockUseEntityStore.mockReturnValue({
+      data: undefined,
+      isLoading: true,
+      error: null,
+    });
+
+    render(<EngineStatus />, { wrapper: TestProviders });
+
+    expect(screen.getByRole('progressbar')).toBeInTheDocument();
+  });
+
+  it('renders error state when there is an error', () => {
+    mockUseEntityStore.mockReturnValue({
+      data: null,
+      isLoading: false,
+      error: new Error('Error'),
+    });
+
+    render(<EngineStatus />, { wrapper: TestProviders });
+
+    expect(screen.getByText('There was an error loading the engine status')).toBeInTheDocument();
+  });
+
+  it('renders "No engines found" message when there are no engines', () => {
+    mockUseEntityStore.mockReturnValue({
+      data: { engines: [] },
+      isLoading: false,
+      error: null,
+    });
+
+    render(<EngineStatus />, { wrapper: TestProviders });
+
+    expect(screen.getByText('No engines found')).toBeInTheDocument();
+  });
+
+  it('renders engine components when data is available', () => {
+    const mockData = {
+      engines: [
+        {
+          type: 'test',
+          components: [{ id: 'entity_engine_id', installed: true, resource: 'entity_engine' }],
+        },
+      ],
+    };
+    mockUseEntityStore.mockReturnValue({ data: mockData, isLoading: false, error: null });
+
+    render(<EngineStatus />, { wrapper: TestProviders });
+
+    expect(screen.getByText('Test Store')).toBeInTheDocument();
+    expect(screen.getByText('Download status')).toBeInTheDocument();
+  });
+
+  it('calls downloadJson when download button is clicked', () => {
+    const mockData = {
+      engines: [
+        {
+          type: 'test',
+          components: [{ id: 'entity_engine_id', installed: true, resource: 'entity_engine' }],
+        },
+      ],
+    };
+    mockUseEntityStore.mockReturnValue({ data: mockData, isLoading: false, error: null });
+
+    render(<EngineStatus />, { wrapper: TestProviders });
+
+    const downloadButton = screen.getByText('Download status');
+    fireEvent.click(downloadButton);
+
+    expect(mockDownloadBlob).toHaveBeenCalled();
+  });
+});
diff --git a/x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/components/engines_status/index.tsx b/x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/components/engines_status/index.tsx
new file mode 100644
index 0000000000000..692841334bd50
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/components/engines_status/index.tsx
@@ -0,0 +1,103 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React, { Fragment } from 'react';
+import {
+  EuiLoadingSpinner,
+  EuiPanel,
+  EuiSpacer,
+  EuiButtonEmpty,
+  EuiFlexItem,
+  EuiTitle,
+  EuiFlexGroup,
+  EuiCallOut,
+} from '@elastic/eui';
+import { capitalize } from 'lodash/fp';
+import { FormattedMessage } from '@kbn/i18n-react';
+import { i18n } from '@kbn/i18n';
+import { useErrorToast } from '../../../../../common/hooks/use_error_toast';
+import { downloadBlob } from '../../../../../common/utils/download_blob';
+import { EngineComponentsStatusTable } from './components/engine_components_status';
+import { useEntityStoreStatus } from '../../hooks/use_entity_store';
+
+const FILE_NAME = 'engines_status.json';
+
+export const EngineStatus: React.FC = () => {
+  const { data, isLoading, error } = useEntityStoreStatus({ withComponents: true });
+
+  const downloadJson = () => {
+    downloadBlob(new Blob([JSON.stringify(data)]), FILE_NAME);
+  };
+
+  const errorMessage = i18n.translate(
+    'xpack.securitySolution.entityAnalytics.entityStore.enginesStatus.queryError',
+    {
+      defaultMessage: 'There was an error loading the engine status',
+    }
+  );
+
+  useErrorToast(errorMessage, error);
+
+  if (error) {
+    return <EuiCallOut title={errorMessage} color="danger" iconType="alert" />;
+  }
+
+  if (!data || isLoading) return <EuiLoadingSpinner size="xl" />;
+
+  if (data.engines.length === 0) {
+    return (
+      <FormattedMessage
+        id="xpack.securitySolution.entityAnalytics.entityStore.enginesStatus.notFoundMessage"
+        defaultMessage="No engines found"
+      />
+    );
+  }
+
+  return (
+    <EuiFlexGroup direction="column" gutterSize="none">
+      {data?.engines?.length > 0 && (
+        <EuiFlexItem grow={false}>
+          <EuiFlexGroup justifyContent="flexEnd">
+            <EuiFlexItem grow={false}>
+              <EuiButtonEmpty size="s" onClick={downloadJson}>
+                <FormattedMessage
+                  id="xpack.securitySolution.entityAnalytics.entityStore.enginesStatus.downloadButton"
+                  defaultMessage="Download status"
+                />
+              </EuiButtonEmpty>
+            </EuiFlexItem>
+          </EuiFlexGroup>
+        </EuiFlexItem>
+      )}
+      <EuiFlexItem>
+        {(data?.engines ?? []).map((engine) => (
+          <Fragment key={engine.type}>
+            <EuiTitle size="s">
+              <h4>
+                <FormattedMessage
+                  id="xpack.securitySolution.entityAnalytics.entityStore.enginesStatus.title"
+                  defaultMessage="{type} Store"
+                  values={{
+                    type: capitalize(engine.type),
+                  }}
+                />
+              </h4>
+            </EuiTitle>
+
+            <EuiSpacer size="s" />
+
+            <EuiPanel hasShadow={false} hasBorder={false}>
+              {engine.components && <EngineComponentsStatusTable components={engine.components} />}
+            </EuiPanel>
+
+            <EuiSpacer size="xl" />
+          </Fragment>
+        ))}
+      </EuiFlexItem>
+    </EuiFlexGroup>
+  );
+};
diff --git a/x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/hooks/use_entity_store.ts b/x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/hooks/use_entity_store.ts
index b27b5b4cdf26a..ceb93d164af62 100644
--- a/x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/hooks/use_entity_store.ts
+++ b/x-pack/plugins/security_solution/public/entity_analytics/components/entity_store/hooks/use_entity_store.ts
@@ -5,13 +5,12 @@
  * 2.0.
  */
 
-import type { UseMutationOptions, UseQueryOptions } from '@tanstack/react-query';
+import type { UseMutationOptions } from '@tanstack/react-query';
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
 
-import type {
-  GetEntityStoreStatusResponse,
-  InitEntityStoreResponse,
-} from '../../../../../common/api/entity_analytics/entity_store/enablement.gen';
+import type { IHttpFetchError } from '@kbn/core-http-browser';
+import type { GetEntityStoreStatusResponse } from '../../../../../common/api/entity_analytics/entity_store/status.gen';
+import type { InitEntityStoreResponse } from '../../../../../common/api/entity_analytics/entity_store/enable.gen';
 import { useKibana } from '../../../../common/lib/kibana/kibana_react';
 import type {
   DeleteEntityEngineResponse,
@@ -26,19 +25,24 @@ const ENTITY_STORE_STATUS = ['GET', 'ENTITY_STORE_STATUS'];
 interface ResponseError {
   body: { message: string };
 }
-export const useEntityStoreStatus = (options: UseQueryOptions<GetEntityStoreStatusResponse>) => {
+
+interface Options {
+  withComponents?: boolean;
+}
+
+export const useEntityStoreStatus = (opts: Options = {}) => {
   const { getEntityStoreStatus } = useEntityStoreRoutes();
 
-  const query = useQuery<GetEntityStoreStatusResponse>(ENTITY_STORE_STATUS, getEntityStoreStatus, {
+  return useQuery<GetEntityStoreStatusResponse, IHttpFetchError>({
+    queryKey: [...ENTITY_STORE_STATUS, opts.withComponents],
+    queryFn: () => getEntityStoreStatus(opts.withComponents),
     refetchInterval: (data) => {
       if (data?.status === 'installing') {
         return 5000;
       }
       return false;
     },
-    ...options,
   });
-  return query;
 };
 
 export const ENABLE_STORE_STATUS_KEY = ['POST', 'ENABLE_ENTITY_STORE'];
@@ -102,15 +106,18 @@ export const useStopEntityEngineMutation = (options?: UseMutationOptions<{}>) =>
 };
 
 export const DELETE_ENTITY_ENGINE_STATUS_KEY = ['POST', 'STOP_ENTITY_ENGINE'];
-export const useDeleteEntityEngineMutation = (options?: UseMutationOptions<{}>) => {
+export const useDeleteEntityEngineMutation = ({ onSuccess }: { onSuccess?: () => void }) => {
   const queryClient = useQueryClient();
   const { deleteEntityEngine } = useEntityStoreRoutes();
+
   return useMutation<DeleteEntityEngineResponse[]>(
     () => Promise.all([deleteEntityEngine('user', true), deleteEntityEngine('host', true)]),
     {
       mutationKey: DELETE_ENTITY_ENGINE_STATUS_KEY,
-      onSuccess: () => queryClient.refetchQueries({ queryKey: ENTITY_STORE_STATUS }),
-      ...options,
+      onSuccess: () => {
+        queryClient.refetchQueries({ queryKey: ENTITY_STORE_STATUS });
+        onSuccess?.();
+      },
     }
   );
 };
diff --git a/x-pack/plugins/security_solution/public/entity_analytics/pages/entity_store_management_page.test.tsx b/x-pack/plugins/security_solution/public/entity_analytics/pages/entity_store_management_page.test.tsx
new file mode 100644
index 0000000000000..cc15a5360a3d1
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/entity_analytics/pages/entity_store_management_page.test.tsx
@@ -0,0 +1,207 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import { render, screen, fireEvent } from '@testing-library/react';
+import { EntityStoreManagementPage } from './entity_store_management_page';
+import { TestProviders } from '../../common/mock';
+
+jest.mock('../components/entity_store/components/engines_status', () => ({
+  EngineStatus: () => <span>{'Mocked Engine Status Tab'}</span>,
+}));
+
+const mockUseAssetCriticalityPrivileges = jest.fn();
+jest.mock('../components/asset_criticality/use_asset_criticality', () => ({
+  useAssetCriticalityPrivileges: () => mockUseAssetCriticalityPrivileges(),
+}));
+
+const mockUseIsExperimentalFeatureEnabled = jest.fn();
+jest.mock('../../common/hooks/use_experimental_features', () => ({
+  useIsExperimentalFeatureEnabled: () => mockUseIsExperimentalFeatureEnabled(),
+}));
+
+const mockUseHasSecurityCapability = jest.fn().mockReturnValue(true);
+jest.mock('../../helper_hooks', () => ({
+  useHasSecurityCapability: () => mockUseHasSecurityCapability(),
+}));
+
+const mockUseEntityStoreStatus = jest.fn();
+jest.mock('../components/entity_store/hooks/use_entity_store', () => ({
+  ...jest.requireActual('../components/entity_store/hooks/use_entity_store'),
+  useEntityStoreStatus: () => mockUseEntityStoreStatus(),
+}));
+
+const mockUseEntityEnginePrivileges = jest.fn();
+jest.mock('../components/entity_store/hooks/use_entity_engine_privileges', () => ({
+  useEntityEnginePrivileges: () => mockUseEntityEnginePrivileges(),
+}));
+
+describe('EntityStoreManagementPage', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+
+    mockUseAssetCriticalityPrivileges.mockReturnValue({
+      isLoading: false,
+      data: { has_write_permissions: true },
+    });
+
+    mockUseEntityEnginePrivileges.mockReturnValue({
+      data: { has_all_required: true },
+    });
+
+    mockUseEntityStoreStatus.mockReturnValue({
+      data: {
+        status: 'running',
+      },
+      errors: [],
+    });
+
+    mockUseIsExperimentalFeatureEnabled.mockReturnValue(false);
+  });
+
+  it('does not render page when asset criticality is loading', () => {
+    mockUseAssetCriticalityPrivileges.mockReturnValue({
+      isLoading: true,
+    });
+
+    render(<EntityStoreManagementPage />, { wrapper: TestProviders });
+
+    expect(screen.queryByTestId('entityStoreManagementPage')).not.toBeInTheDocument();
+  });
+
+  it('renders the page header', () => {
+    mockUseIsExperimentalFeatureEnabled.mockReturnValue(false);
+
+    render(<EntityStoreManagementPage />, { wrapper: TestProviders });
+
+    expect(screen.getByTestId('entityStoreManagementPage')).toBeInTheDocument();
+    expect(screen.getByText('Entity Store')).toBeInTheDocument();
+  });
+
+  it('disables the switch when status is installing', () => {
+    mockUseEntityStoreStatus.mockReturnValue({
+      data: {
+        status: 'installing',
+      },
+      errors: [],
+    });
+
+    mockUseIsExperimentalFeatureEnabled.mockReturnValue(false);
+
+    render(<EntityStoreManagementPage />, { wrapper: TestProviders });
+
+    expect(screen.getByTestId('entity-store-switch')).toBeDisabled();
+  });
+
+  it('show clear entity data modal when clear data button clicked', () => {
+    mockUseIsExperimentalFeatureEnabled.mockReturnValue(false);
+
+    render(<EntityStoreManagementPage />, { wrapper: TestProviders });
+
+    fireEvent.click(screen.getByText('Clear Entity Data'));
+
+    expect(screen.getByText('Clear Entity data?')).toBeInTheDocument();
+  });
+
+  it('renders the AssetCriticalityIssueCallout when there is an error', () => {
+    mockUseAssetCriticalityPrivileges.mockReturnValue({
+      isLoading: false,
+      error: { body: { message: 'Error message', status_code: 403 } },
+    });
+
+    mockUseIsExperimentalFeatureEnabled.mockReturnValue(false);
+
+    render(<EntityStoreManagementPage />, { wrapper: TestProviders });
+
+    expect(
+      screen.getByText('Asset criticality CSV file upload functionality unavailable.')
+    ).toBeInTheDocument();
+    expect(screen.getByText('Error message')).toBeInTheDocument();
+  });
+
+  it('renders the InsufficientAssetCriticalityPrivilegesCallout when there are no write permissions', () => {
+    mockUseAssetCriticalityPrivileges.mockReturnValue({
+      isLoading: false,
+      data: { has_write_permissions: false },
+    });
+
+    mockUseIsExperimentalFeatureEnabled.mockReturnValue(false);
+
+    render(<EntityStoreManagementPage />, { wrapper: TestProviders });
+
+    expect(
+      screen.getByText('Insufficient index privileges to perform CSV upload')
+    ).toBeInTheDocument();
+  });
+
+  it('selects the Import tab by default', () => {
+    mockUseIsExperimentalFeatureEnabled.mockReturnValue(false);
+
+    render(<EntityStoreManagementPage />, { wrapper: TestProviders });
+
+    expect(screen.getByText('Import Entities').parentNode).toHaveAttribute('aria-selected', 'true');
+  });
+
+  it('switches to the Status tab when clicked', () => {
+    mockUseEntityStoreStatus.mockReturnValue({
+      data: {
+        status: 'running',
+      },
+      errors: [],
+    });
+
+    mockUseEntityEnginePrivileges.mockReturnValue({
+      data: { has_all_required: true },
+    });
+
+    mockUseIsExperimentalFeatureEnabled.mockReturnValue(false);
+
+    render(<EntityStoreManagementPage />, { wrapper: TestProviders });
+
+    fireEvent.click(screen.getByText('Engine Status'));
+
+    expect(screen.getByText('Engine Status').parentNode).toHaveAttribute('aria-selected', 'true');
+  });
+
+  it('does not render the Status tab when entity store is not installed', () => {
+    mockUseEntityStoreStatus.mockReturnValue({
+      data: {
+        status: 'not_installed',
+      },
+      errors: [],
+    });
+
+    mockUseEntityEnginePrivileges.mockReturnValue({
+      data: { has_all_required: true },
+    });
+
+    mockUseIsExperimentalFeatureEnabled.mockReturnValue(false);
+
+    render(<EntityStoreManagementPage />, { wrapper: TestProviders });
+
+    expect(screen.queryByText('Engine Status')).not.toBeInTheDocument();
+  });
+
+  it('does not render the Status tab when privileges are missing', () => {
+    mockUseEntityStoreStatus.mockReturnValue({
+      data: {
+        status: 'running',
+      },
+      errors: [],
+    });
+
+    mockUseEntityEnginePrivileges.mockReturnValue({
+      data: { has_all_required: false, privileges: { kibana: {}, elasticsearch: {} } },
+    });
+
+    mockUseIsExperimentalFeatureEnabled.mockReturnValue(false);
+
+    render(<EntityStoreManagementPage />, { wrapper: TestProviders });
+
+    expect(screen.queryByText('Engine Status')).not.toBeInTheDocument();
+  });
+});
diff --git a/x-pack/plugins/security_solution/public/entity_analytics/pages/entity_store_management_page.tsx b/x-pack/plugins/security_solution/public/entity_analytics/pages/entity_store_management_page.tsx
index 83a307e3eef57..3cf3eb58355c6 100644
--- a/x-pack/plugins/security_solution/public/entity_analytics/pages/entity_store_management_page.tsx
+++ b/x-pack/plugins/security_solution/public/entity_analytics/pages/entity_store_management_page.tsx
@@ -21,13 +21,15 @@ import {
   EuiCode,
   EuiSwitch,
   EuiHealth,
-  EuiButton,
   EuiLoadingSpinner,
   EuiToolTip,
   EuiBetaBadge,
+  EuiTabs,
+  EuiTab,
+  EuiButtonEmpty,
 } from '@elastic/eui';
 import type { ReactNode } from 'react';
-import React, { useCallback, useState } from 'react';
+import React, { useCallback, useEffect, useState } from 'react';
 import { FormattedMessage } from '@kbn/i18n-react';
 
 import type { SecurityAppError } from '@kbn/securitysolution-t-grid';
@@ -47,11 +49,18 @@ import {
 import { TECHNICAL_PREVIEW, TECHNICAL_PREVIEW_TOOLTIP } from '../../common/translations';
 import { useEntityEnginePrivileges } from '../components/entity_store/hooks/use_entity_engine_privileges';
 import { MissingPrivilegesCallout } from '../components/entity_store/components/missing_privileges_callout';
+import { EngineStatus } from '../components/entity_store/components/engines_status';
+
+enum TabId {
+  Import = 'import',
+  Status = 'status',
+}
 
 const isSwitchDisabled = (status?: StoreStatus) => status === 'error' || status === 'installing';
 const isEntityStoreEnabled = (status?: StoreStatus) => status === 'running';
 const canDeleteEntityEngine = (status?: StoreStatus) =>
   !['not_installed', 'installing'].includes(status || '');
+const isEntityStoreInstalled = (status?: StoreStatus) => status && status !== 'not_installed';
 
 export const EntityStoreManagementPage = () => {
   const hasEntityAnalyticsCapability = useHasSecurityCapability('entity-analytics');
@@ -62,7 +71,7 @@ export const EntityStoreManagementPage = () => {
     isLoading: assetCriticalityIsLoading,
   } = useAssetCriticalityPrivileges('AssetCriticalityUploadPage');
   const hasAssetCriticalityWritePermissions = assetCriticalityPrivileges?.has_write_permissions;
-
+  const [selectedTabId, setSelectedTabId] = useState(TabId.Import);
   const entityStoreStatus = useEntityStoreStatus({});
 
   const enableStoreMutation = useEnableEntityStoreMutation();
@@ -91,6 +100,15 @@ export const EntityStoreManagementPage = () => {
 
   const { data: privileges } = useEntityEnginePrivileges();
 
+  const shouldDisplayEngineStatusTab =
+    isEntityStoreInstalled(entityStoreStatus.data?.status) && privileges?.has_all_required;
+
+  useEffect(() => {
+    if (selectedTabId === TabId.Status && !shouldDisplayEngineStatusTab) {
+      setSelectedTabId(TabId.Import);
+    }
+  }, [shouldDisplayEngineStatusTab, selectedTabId]);
+
   if (assetCriticalityIsLoading) {
     // Wait for permission before rendering content to avoid flickering
     return null;
@@ -149,8 +167,18 @@ export const EntityStoreManagementPage = () => {
                   onSwitch={onSwitchClick}
                   status={entityStoreStatus.data?.status}
                 />,
+                canDeleteEntityEngine(entityStoreStatus.data?.status) ? (
+                  <ClearEntityDataButton
+                    {...{
+                      deleteEntityEngineMutation,
+                      isClearModalVisible,
+                      closeClearModal,
+                      showClearModal,
+                    }}
+                  />
+                ) : null,
               ]
-            : []
+            : undefined
         }
       />
       <EuiSpacer size="s" />
@@ -169,14 +197,44 @@ export const EntityStoreManagementPage = () => {
         </>
       )}
 
-      <EuiHorizontalRule />
-      <EuiSpacer size="l" />
+      <EuiSpacer size="m" />
+
+      <EuiTabs data-test-subj="tabs">
+        <EuiTab
+          key={TabId.Import}
+          isSelected={selectedTabId === TabId.Import}
+          onClick={() => setSelectedTabId(TabId.Import)}
+        >
+          <FormattedMessage
+            id="xpack.securitySolution.entityAnalytics.entityStoreManagementPage.importEntities.tabTitle"
+            defaultMessage="Import Entities"
+          />
+        </EuiTab>
+
+        {shouldDisplayEngineStatusTab && (
+          <EuiTab
+            key={TabId.Status}
+            isSelected={selectedTabId === TabId.Status}
+            onClick={() => setSelectedTabId(TabId.Status)}
+          >
+            <FormattedMessage
+              id="xpack.securitySolution.entityAnalytics.entityStoreManagementPage.engineStatus.tabTitle"
+              defaultMessage="Engine Status"
+            />
+          </EuiTab>
+        )}
+      </EuiTabs>
+
+      <EuiSpacer size="s" />
       <EuiFlexGroup gutterSize="xl">
-        <FileUploadSection
-          assetCriticalityPrivilegesError={assetCriticalityPrivilegesError}
-          hasEntityAnalyticsCapability={hasEntityAnalyticsCapability}
-          hasAssetCriticalityWritePermissions={hasAssetCriticalityWritePermissions}
-        />
+        {selectedTabId === TabId.Import && (
+          <FileUploadSection
+            assetCriticalityPrivilegesError={assetCriticalityPrivilegesError}
+            hasEntityAnalyticsCapability={hasEntityAnalyticsCapability}
+            hasAssetCriticalityWritePermissions={hasAssetCriticalityWritePermissions}
+          />
+        )}
+        {selectedTabId === TabId.Status && <EngineStatus />}
         <EuiFlexItem grow={2}>
           <EuiFlexGroup direction="column">
             {enableStoreMutation.isError && (
@@ -210,19 +268,7 @@ export const EntityStoreManagementPage = () => {
               </EuiCallOut>
             )}
             {callouts}
-            <WhatIsAssetCriticalityPanel />
-            {!isEntityStoreFeatureFlagDisabled &&
-              privileges?.has_all_required &&
-              canDeleteEntityEngine(entityStoreStatus.data?.status) && (
-                <ClearEntityDataPanel
-                  {...{
-                    deleteEntityEngineMutation,
-                    isClearModalVisible,
-                    closeClearModal,
-                    showClearModal,
-                  }}
-                />
-              )}
+            {selectedTabId === TabId.Import && <WhatIsAssetCriticalityPanel />}
           </EuiFlexGroup>
         </EuiFlexItem>
       </EuiFlexGroup>
@@ -375,10 +421,8 @@ const InsufficientAssetCriticalityPrivilegesCallout: React.FC = () => {
   );
 };
 
-const AssetCriticalityIssueCallout: React.FC = ({
+const AssetCriticalityIssueCallout: React.FC<{ errorMessage?: string | ReactNode }> = ({
   errorMessage,
-}: {
-  errorMessage?: string | ReactNode;
 }) => {
   const msg = errorMessage ?? (
     <FormattedMessage
@@ -405,7 +449,7 @@ const AssetCriticalityIssueCallout: React.FC = ({
   );
 };
 
-const ClearEntityDataPanel: React.FC<{
+const ClearEntityDataButton: React.FC<{
   deleteEntityEngineMutation: ReturnType<typeof useDeleteEntityEngineMutation>;
   isClearModalVisible: boolean;
   closeClearModal: () => void;
@@ -413,37 +457,19 @@ const ClearEntityDataPanel: React.FC<{
 }> = ({ deleteEntityEngineMutation, isClearModalVisible, closeClearModal, showClearModal }) => {
   return (
     <>
-      <EuiPanel paddingSize="l" grow={false} color="subdued" borderRadius="none" hasShadow={false}>
-        <EuiText size="s">
-          <h3>
-            <FormattedMessage
-              id="xpack.securitySolution.entityAnalytics.entityStoreManagementPage.clearEntityData"
-              defaultMessage="Clear entity data"
-            />
-          </h3>
-          <EuiSpacer size="s" />
-          <FormattedMessage
-            id="xpack.securitySolution.entityAnalytics.entityStoreManagementPage.clearEntityData"
-            defaultMessage={`Remove all extracted entity data from the store. This action will
-            permanently delete persisted user and host records, and data will no longer be available for analysis.
-            Proceed with caution, as this cannot be undone. Note that this operation will not delete source data,
-            Entity risk scores, or Asset Criticality assignments.`}
-          />
-        </EuiText>
-        <EuiSpacer size="m" />
-        <EuiButton
-          color="danger"
-          iconType="trash"
-          onClick={() => {
-            showClearModal();
-          }}
-        >
-          <FormattedMessage
-            id="xpack.securitySolution.entityAnalytics.entityStoreManagementPage.clear"
-            defaultMessage="Clear"
-          />
-        </EuiButton>
-      </EuiPanel>
+      <EuiButtonEmpty
+        color="danger"
+        iconType="trash"
+        onClick={() => {
+          showClearModal();
+        }}
+      >
+        <FormattedMessage
+          id="xpack.securitySolution.entityAnalytics.entityStoreManagementPage.clear"
+          defaultMessage="Clear Entity Data"
+        />
+      </EuiButtonEmpty>
+
       {isClearModalVisible && (
         <EuiConfirmModal
           isLoading={deleteEntityEngineMutation.isLoading}
@@ -494,21 +520,15 @@ const FileUploadSection: React.FC<{
   hasAssetCriticalityWritePermissions,
 }) => {
   if (!hasEntityAnalyticsCapability || assetCriticalityPrivilegesError?.body.status_code === 403) {
-    return <AssetCriticalityIssueCallout />;
+    return (
+      <AssetCriticalityIssueCallout errorMessage={assetCriticalityPrivilegesError?.body.message} />
+    );
   }
   if (!hasAssetCriticalityWritePermissions) {
     return <InsufficientAssetCriticalityPrivilegesCallout />;
   }
   return (
     <EuiFlexItem grow={3}>
-      <EuiTitle size="s">
-        <h2>
-          <FormattedMessage
-            id="xpack.securitySolution.entityAnalytics.assetCriticalityUploadPage.subTitle"
-            defaultMessage="Import entities using a text file"
-          />
-        </h2>
-      </EuiTitle>
       <EuiSpacer size="m" />
       <EuiText size="s">
         <FormattedMessage
diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/auditing/resources.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/auditing/resources.ts
deleted file mode 100644
index 67d33fb42dc93..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/auditing/resources.ts
+++ /dev/null
@@ -1,18 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-export const EntityStoreResource = {
-  ENTITY_ENGINE: 'entity_engine',
-  ENTITY_DEFINITION: 'entity_definition',
-  ENTITY_INDEX: 'entity_index',
-  INDEX_COMPONENT_TEMPLATE: 'index_component_template',
-  PLATFORM_PIPELINE: 'platform_pipeline',
-  FIELD_RETENTION_ENRICH_POLICY: 'field_retention_enrich_policy',
-  FIELD_RETENTION_ENRICH_POLICY_TASK: 'field_retention_enrich_policy_task',
-} as const;
-
-export type EntityStoreResource = (typeof EntityStoreResource)[keyof typeof EntityStoreResource];
diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/elasticsearch_assets/component_template.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/elasticsearch_assets/component_template.ts
index d0fe14dcd3b8d..a1352594ff47d 100644
--- a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/elasticsearch_assets/component_template.ts
+++ b/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/elasticsearch_assets/component_template.ts
@@ -6,6 +6,10 @@
  */
 
 import type { ElasticsearchClient } from '@kbn/core/server';
+import {
+  EngineComponentResourceEnum,
+  type EngineComponentStatus,
+} from '../../../../../common/api/entity_analytics';
 import type { UnitedEntityDefinition } from '../united_entity_definitions';
 
 const getComponentTemplateName = (definitionId: string) => `${definitionId}-latest@platform`;
@@ -41,3 +45,24 @@ export const deleteEntityIndexComponentTemplate = ({ unitedDefinition, esClient
     }
   );
 };
+
+export const getEntityIndexComponentTemplateStatus = async ({
+  definitionId,
+  esClient,
+}: Pick<Options, 'esClient'> & { definitionId: string }): Promise<EngineComponentStatus> => {
+  const name = getComponentTemplateName(definitionId);
+  const componentTemplate = await esClient.cluster.getComponentTemplate(
+    {
+      name,
+    },
+    {
+      ignore: [404],
+    }
+  );
+
+  return {
+    id: name,
+    installed: componentTemplate?.component_templates?.length > 0,
+    resource: EngineComponentResourceEnum.component_template,
+  };
+};
diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/elasticsearch_assets/enrich_policy.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/elasticsearch_assets/enrich_policy.ts
index 4b8ce594a6cb7..7064a4dd98851 100644
--- a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/elasticsearch_assets/enrich_policy.ts
+++ b/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/elasticsearch_assets/enrich_policy.ts
@@ -7,6 +7,7 @@
 
 import type { ElasticsearchClient, Logger } from '@kbn/core/server';
 import type { EnrichPutPolicyRequest } from '@elastic/elasticsearch/lib/api/types';
+import { EngineComponentResourceEnum } from '../../../../../common/api/entity_analytics';
 import { getEntitiesIndexName } from '../utils';
 import type { UnitedEntityDefinition } from '../united_entity_definitions';
 
@@ -105,3 +106,21 @@ export const deleteFieldRetentionEnrichPolicy = async ({
     }
   }
 };
+
+export const getFieldRetentionEnrichPolicyStatus = async ({
+  definitionMetadata,
+  esClient,
+}: {
+  definitionMetadata: DefinitionMetadata;
+  esClient: ElasticsearchClient;
+}) => {
+  const name = getFieldRetentionEnrichPolicyName(definitionMetadata);
+  const policy = await esClient.enrich.getPolicy({ name }, { ignore: [404] });
+  const policies = policy.policies;
+
+  return {
+    installed: policies.length > 0,
+    id: name,
+    resource: EngineComponentResourceEnum.enrich_policy,
+  };
+};
diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/elasticsearch_assets/entity_index.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/elasticsearch_assets/entity_index.ts
index 6fb5935618dfc..0de8fe20050ce 100644
--- a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/elasticsearch_assets/entity_index.ts
+++ b/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/elasticsearch_assets/entity_index.ts
@@ -6,7 +6,11 @@
  */
 
 import type { ElasticsearchClient, Logger } from '@kbn/core/server';
-import type { EntityType } from '../../../../../common/api/entity_analytics';
+import {
+  EngineComponentResourceEnum,
+  type EngineComponentStatus,
+  type EntityType,
+} from '../../../../../common/api/entity_analytics';
 import { getEntitiesIndexName } from '../utils';
 import { createOrUpdateIndex } from '../../utils/create_or_update_index';
 
@@ -36,3 +40,21 @@ export const deleteEntityIndex = ({ entityType, esClient, namespace }: Options)
       ignore: [404],
     }
   );
+
+export const getEntityIndexStatus = async ({
+  entityType,
+  esClient,
+  namespace,
+}: Pick<Options, 'entityType' | 'namespace' | 'esClient'>): Promise<EngineComponentStatus> => {
+  const index = getEntitiesIndexName(entityType, namespace);
+  const exists = await esClient.indices.exists(
+    {
+      index,
+    },
+    {
+      ignore: [404],
+    }
+  );
+
+  return { id: index, installed: exists, resource: EngineComponentResourceEnum.index };
+};
diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/elasticsearch_assets/ingest_pipeline.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/elasticsearch_assets/ingest_pipeline.ts
index f4d2b848b726f..f57102fd13f14 100644
--- a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/elasticsearch_assets/ingest_pipeline.ts
+++ b/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/elasticsearch_assets/ingest_pipeline.ts
@@ -8,6 +8,7 @@
 import type { ElasticsearchClient, Logger } from '@kbn/core/server';
 import type { IngestProcessorContainer } from '@elastic/elasticsearch/lib/api/types';
 import type { EntityDefinition } from '@kbn/entities-schema';
+import { EngineComponentResourceEnum } from '../../../../../common/api/entity_analytics';
 import { type FieldRetentionDefinition } from '../field_retention_definition';
 import {
   debugDeepCopyContextStep,
@@ -161,3 +162,27 @@ export const deletePlatformPipeline = ({
     }
   );
 };
+
+export const getPlatformPipelineStatus = async ({
+  definition,
+  esClient,
+}: {
+  definition: EntityDefinition;
+  esClient: ElasticsearchClient;
+}) => {
+  const pipelineId = getPlatformPipelineId(definition);
+  const pipeline = await esClient.ingest.getPipeline(
+    {
+      id: pipelineId,
+    },
+    {
+      ignore: [404],
+    }
+  );
+
+  return {
+    id: pipelineId,
+    installed: !!pipeline[pipelineId],
+    resource: EngineComponentResourceEnum.ingest_pipeline,
+  };
+};
diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/entity_store_data_client.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/entity_store_data_client.ts
index 567cf5b763fed..724226b7f8d82 100644
--- a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/entity_store_data_client.ts
+++ b/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/entity_store_data_client.ts
@@ -20,19 +20,28 @@ import type { TaskManagerStartContract } from '@kbn/task-manager-plugin/server';
 import type { DataViewsService } from '@kbn/data-views-plugin/common';
 import { isEqual } from 'lodash/fp';
 import moment from 'moment';
+import type { EntityDefinitionWithState } from '@kbn/entityManager-plugin/server/lib/entities/types';
+import type { EntityDefinition } from '@kbn/entities-schema';
+import type { estypes } from '@elastic/elasticsearch';
 import type {
+  GetEntityStoreStatusRequestQuery,
   GetEntityStoreStatusResponse,
+} from '../../../../common/api/entity_analytics/entity_store/status.gen';
+import type {
   InitEntityStoreRequestBody,
   InitEntityStoreResponse,
-} from '../../../../common/api/entity_analytics/entity_store/enablement.gen';
+} from '../../../../common/api/entity_analytics/entity_store/enable.gen';
 import type { AppClient } from '../../..';
-import { EntityType } from '../../../../common/api/entity_analytics';
+import { EngineComponentResourceEnum, EntityType } from '../../../../common/api/entity_analytics';
 import type {
   Entity,
   EngineDataviewUpdateResult,
   InitEntityEngineRequestBody,
   InitEntityEngineResponse,
   InspectQuery,
+  ListEntityEnginesResponse,
+  EngineComponentStatus,
+  EngineComponentResource,
 } from '../../../../common/api/entity_analytics';
 import { EngineDescriptorClient } from './saved_object/engine_descriptor';
 import { ENGINE_STATUS, ENTITY_STORE_STATUS, MAX_SEARCH_RESPONSE_SIZE } from './constants';
@@ -41,6 +50,7 @@ import { getUnitedEntityDefinition } from './united_entity_definitions';
 import {
   startEntityStoreFieldRetentionEnrichTask,
   removeEntityStoreFieldRetentionEnrichTask,
+  getEntityStoreFieldRetentionEnrichTaskState as getEntityStoreFieldRetentionEnrichTaskStatus,
 } from './task';
 import {
   createEntityIndex,
@@ -52,6 +62,10 @@ import {
   createFieldRetentionEnrichPolicy,
   executeFieldRetentionEnrichPolicy,
   deleteFieldRetentionEnrichPolicy,
+  getPlatformPipelineStatus,
+  getFieldRetentionEnrichPolicyStatus,
+  getEntityIndexStatus,
+  getEntityIndexComponentTemplateStatus,
 } from './elasticsearch_assets';
 import { RiskScoreDataClient } from '../risk_score/risk_score_data_client';
 import {
@@ -63,7 +77,6 @@ import {
 } from './utils';
 
 import { EntityEngineActions } from './auditing/actions';
-import { EntityStoreResource } from './auditing/resources';
 import { AUDIT_CATEGORY, AUDIT_OUTCOME, AUDIT_TYPE } from '../audit';
 import type { EntityRecord, EntityStoreConfig } from './types';
 import {
@@ -72,6 +85,19 @@ import {
 } from '../../telemetry/event_based/events';
 import { CRITICALITY_VALUES } from '../asset_criticality/constants';
 
+// Workaround. TransformState type is wrong. The health type should be: TransformHealth from '@kbn/transform-plugin/common/types/transform_stats'
+export interface TransformHealth extends estypes.TransformGetTransformStatsTransformStatsHealth {
+  issues?: TransformHealthIssue[];
+}
+
+export interface TransformHealthIssue {
+  type: string;
+  issue: string;
+  details?: string;
+  count: number;
+  first_occurrence?: number;
+}
+
 interface EntityStoreClientOpts {
   logger: Logger;
   clusterClient: IScopedClusterClient;
@@ -132,6 +158,42 @@ export class EntityStoreDataClient {
     });
   }
 
+  private async getEngineComponentsState(
+    type: EntityType,
+    definition?: EntityDefinition
+  ): Promise<EngineComponentStatus[]> {
+    const { namespace, taskManager } = this.options;
+
+    return definition
+      ? Promise.all([
+          ...(taskManager
+            ? [getEntityStoreFieldRetentionEnrichTaskStatus({ namespace, taskManager })]
+            : []),
+          getPlatformPipelineStatus({
+            definition,
+            esClient: this.esClient,
+          }),
+          getFieldRetentionEnrichPolicyStatus({
+            definitionMetadata: {
+              namespace,
+              entityType: type,
+              version: definition.version,
+            },
+            esClient: this.esClient,
+          }),
+          getEntityIndexStatus({
+            entityType: type,
+            esClient: this.esClient,
+            namespace,
+          }),
+          getEntityIndexComponentTemplateStatus({
+            definitionId: definition.id,
+            esClient: this.esClient,
+          }),
+        ])
+      : Promise.resolve([] as EngineComponentStatus[]);
+  }
+
   public async enable(
     { indexPattern = '', filter = '', fieldHistoryLength = 10 }: InitEntityStoreRequestBody,
     { pipelineDebugMode = false }: { pipelineDebugMode?: boolean } = {}
@@ -153,7 +215,10 @@ export class EntityStoreDataClient {
     return { engines, succeeded: true };
   }
 
-  public async status(): Promise<GetEntityStoreStatusResponse> {
+  public async status({
+    include_components: withComponents = false,
+  }: GetEntityStoreStatusRequestQuery): Promise<GetEntityStoreStatusResponse> {
+    const { namespace } = this.options;
     const { engines, count } = await this.engineClient.list();
 
     let status = ENTITY_STORE_STATUS.RUNNING;
@@ -167,7 +232,38 @@ export class EntityStoreDataClient {
       status = ENTITY_STORE_STATUS.INSTALLING;
     }
 
-    return { engines, status };
+    if (withComponents) {
+      const enginesWithComponents = await Promise.all(
+        engines.map(async (engine) => {
+          const entityDefinitionId = buildEntityDefinitionId(engine.type, namespace);
+          const {
+            definitions: [definition],
+          } = await this.entityClient.getEntityDefinitions({
+            id: entityDefinitionId,
+            includeState: withComponents,
+          });
+
+          const definitionComponents = this.getComponentFromEntityDefinition(
+            entityDefinitionId,
+            definition
+          );
+
+          const entityStoreComponents = await this.getEngineComponentsState(
+            engine.type,
+            definition
+          );
+
+          return {
+            ...engine,
+            components: [...definitionComponents, ...entityStoreComponents],
+          };
+        })
+      );
+
+      return { engines: enginesWithComponents, status };
+    } else {
+      return { engines, status };
+    }
   }
 
   public async init(
@@ -204,7 +300,7 @@ export class EntityStoreDataClient {
     this.log('info', entityType, `Initializing entity store`);
     this.audit(
       EntityEngineActions.INIT,
-      EntityStoreResource.ENTITY_ENGINE,
+      EngineComponentResourceEnum.entity_engine,
       entityType,
       'Initializing entity engine'
     );
@@ -331,7 +427,7 @@ export class EntityStoreDataClient {
 
       this.audit(
         EntityEngineActions.INIT,
-        EntityStoreResource.ENTITY_ENGINE,
+        EngineComponentResourceEnum.entity_engine,
         entityType,
         'Failed to initialize entity engine resources',
         err
@@ -354,6 +450,50 @@ export class EntityStoreDataClient {
     }
   }
 
+  public getComponentFromEntityDefinition(
+    id: string,
+    definition: EntityDefinitionWithState | EntityDefinition
+  ): EngineComponentStatus[] {
+    if (!definition) {
+      return [
+        {
+          id,
+          installed: false,
+          resource: EngineComponentResourceEnum.entity_definition,
+        },
+      ];
+    }
+
+    if ('state' in definition) {
+      return [
+        {
+          id: definition.id,
+          installed: definition.state.installed,
+          resource: EngineComponentResourceEnum.entity_definition,
+        },
+        ...definition.state.components.transforms.map(({ installed, running, stats }) => ({
+          id,
+          resource: EngineComponentResourceEnum.transform,
+          installed,
+          errors: (stats?.health as TransformHealth)?.issues?.map(({ issue, details }) => ({
+            title: issue,
+            message: details,
+          })),
+        })),
+        ...definition.state.components.ingestPipelines.map((pipeline) => ({
+          resource: EngineComponentResourceEnum.ingest_pipeline,
+          ...pipeline,
+        })),
+        ...definition.state.components.indexTemplates.map(({ installed }) => ({
+          id,
+          installed,
+          resource: EngineComponentResourceEnum.index_template,
+        })),
+      ];
+    }
+    return [];
+  }
+
   public async getExistingEntityDefinition(entityType: EntityType) {
     const entityDefinitionId = buildEntityDefinitionId(entityType, this.options.namespace);
 
@@ -386,7 +526,7 @@ export class EntityStoreDataClient {
     const fullEntityDefinition = await this.getExistingEntityDefinition(entityType);
     this.audit(
       EntityEngineActions.START,
-      EntityStoreResource.ENTITY_DEFINITION,
+      EngineComponentResourceEnum.entity_definition,
       entityType,
       'Starting entity definition'
     );
@@ -413,7 +553,7 @@ export class EntityStoreDataClient {
     const fullEntityDefinition = await this.getExistingEntityDefinition(entityType);
     this.audit(
       EntityEngineActions.STOP,
-      EntityStoreResource.ENTITY_DEFINITION,
+      EngineComponentResourceEnum.entity_definition,
       entityType,
       'Stopping entity definition'
     );
@@ -427,7 +567,7 @@ export class EntityStoreDataClient {
     return this.engineClient.get(entityType);
   }
 
-  public async list() {
+  public async list(): Promise<ListEntityEnginesResponse> {
     return this.engineClient.list();
   }
 
@@ -456,7 +596,7 @@ export class EntityStoreDataClient {
     this.log('info', entityType, `Deleting entity store`);
     this.audit(
       EntityEngineActions.DELETE,
-      EntityStoreResource.ENTITY_ENGINE,
+      EngineComponentResourceEnum.entity_engine,
       entityType,
       'Deleting entity engine'
     );
@@ -523,7 +663,7 @@ export class EntityStoreDataClient {
 
       this.audit(
         EntityEngineActions.DELETE,
-        EntityStoreResource.ENTITY_ENGINE,
+        EngineComponentResourceEnum.entity_engine,
         entityType,
         'Failed to delete entity engine',
         err
@@ -670,7 +810,7 @@ export class EntityStoreDataClient {
 
   private audit(
     action: EntityEngineActions,
-    resource: EntityStoreResource,
+    resource: EngineComponentResource,
     entityType: EntityType,
     msg: string,
     error?: Error
diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/routes/enablement.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/routes/enablement.ts
index 16813fccdf235..d19e9699f4756 100644
--- a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/routes/enablement.ts
+++ b/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/routes/enablement.ts
@@ -10,8 +10,8 @@ import { buildSiemResponse } from '@kbn/lists-plugin/server/routes/utils';
 import { transformError } from '@kbn/securitysolution-es-utils';
 import { buildRouteValidationWithZod } from '@kbn/zod-helpers';
 
-import type { InitEntityStoreResponse } from '../../../../../common/api/entity_analytics/entity_store/enablement.gen';
-import { InitEntityStoreRequestBody } from '../../../../../common/api/entity_analytics/entity_store/enablement.gen';
+import type { InitEntityStoreResponse } from '../../../../../common/api/entity_analytics/entity_store/enable.gen';
+import { InitEntityStoreRequestBody } from '../../../../../common/api/entity_analytics/entity_store/enable.gen';
 import { API_VERSIONS, APP_ID } from '../../../../../common/constants';
 import type { EntityAnalyticsRoutesDeps } from '../../types';
 import { checkAndInitAssetCriticalityResources } from '../../asset_criticality/check_and_init_asset_criticality_resources';
diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/routes/stats.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/routes/stats.ts
deleted file mode 100644
index 24785fbd5c015..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/routes/stats.ts
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import type { IKibanaResponse, Logger } from '@kbn/core/server';
-import { buildSiemResponse } from '@kbn/lists-plugin/server/routes/utils';
-import { transformError } from '@kbn/securitysolution-es-utils';
-import { buildRouteValidationWithZod } from '@kbn/zod-helpers';
-
-import type { GetEntityEngineStatsResponse } from '../../../../../common/api/entity_analytics/entity_store/engine/stats.gen';
-import { GetEntityEngineStatsRequestParams } from '../../../../../common/api/entity_analytics/entity_store/engine/stats.gen';
-import { API_VERSIONS, APP_ID } from '../../../../../common/constants';
-import type { EntityAnalyticsRoutesDeps } from '../../types';
-
-export const getEntityEngineStatsRoute = (
-  router: EntityAnalyticsRoutesDeps['router'],
-  logger: Logger
-) => {
-  router.versioned
-    .post({
-      access: 'public',
-      path: '/api/entity_store/engines/{entityType}/stats',
-      security: {
-        authz: {
-          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
-        },
-      },
-    })
-    .addVersion(
-      {
-        version: API_VERSIONS.public.v1,
-        validate: {
-          request: {
-            params: buildRouteValidationWithZod(GetEntityEngineStatsRequestParams),
-          },
-        },
-      },
-
-      async (
-        context,
-        request,
-        response
-      ): Promise<IKibanaResponse<GetEntityEngineStatsResponse>> => {
-        const siemResponse = buildSiemResponse(response);
-
-        try {
-          // TODO
-          throw new Error('Not implemented');
-
-          // return response.ok({ body });
-        } catch (e) {
-          logger.error('Error in GetEntityEngineStats:', e);
-          const error = transformError(e);
-          return siemResponse.error({
-            statusCode: error.statusCode,
-            body: error.message,
-          });
-        }
-      }
-    );
-};
diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/routes/status.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/routes/status.ts
index 7a59b59b9914a..c2c24b114f66b 100644
--- a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/routes/status.ts
+++ b/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/routes/status.ts
@@ -15,7 +15,9 @@
 import type { IKibanaResponse, Logger } from '@kbn/core/server';
 import { buildSiemResponse } from '@kbn/lists-plugin/server/routes/utils';
 import { transformError } from '@kbn/securitysolution-es-utils';
-import type { GetEntityStoreStatusResponse } from '../../../../../common/api/entity_analytics/entity_store/enablement.gen';
+import { buildRouteValidationWithZod } from '@kbn/zod-helpers';
+import type { GetEntityStoreStatusResponse } from '../../../../../common/api/entity_analytics/entity_store/status.gen';
+import { GetEntityStoreStatusRequestQuery } from '../../../../../common/api/entity_analytics/entity_store/status.gen';
 import { API_VERSIONS, APP_ID } from '../../../../../common/constants';
 import type { EntityAnalyticsRoutesDeps } from '../../types';
 import { checkAndInitAssetCriticalityResources } from '../../asset_criticality/check_and_init_asset_criticality_resources';
@@ -38,7 +40,11 @@ export const getEntityStoreStatusRoute = (
     .addVersion(
       {
         version: API_VERSIONS.public.v1,
-        validate: {},
+        validate: {
+          request: {
+            query: buildRouteValidationWithZod(GetEntityStoreStatusRequestQuery),
+          },
+        },
       },
 
       async (
@@ -54,7 +60,7 @@ export const getEntityStoreStatusRoute = (
         try {
           const body: GetEntityStoreStatusResponse = await secSol
             .getEntityStoreDataClient()
-            .status();
+            .status(request.query);
 
           return response.ok({ body });
         } catch (e) {
diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/task/field_retention_enrichment_task.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/task/field_retention_enrichment_task.ts
index 708b74277faae..3d103ea2af467 100644
--- a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/task/field_retention_enrichment_task.ts
+++ b/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/task/field_retention_enrichment_task.ts
@@ -13,7 +13,10 @@ import type {
   TaskManagerSetupContract,
   TaskManagerStartContract,
 } from '@kbn/task-manager-plugin/server';
-import type { EntityType } from '../../../../../common/api/entity_analytics/entity_store';
+import {
+  EngineComponentResourceEnum,
+  type EntityType,
+} from '../../../../../common/api/entity_analytics/entity_store';
 import {
   defaultState,
   stateSchemaByVersion,
@@ -275,3 +278,37 @@ const createTaskRunnerFactory =
       },
     };
   };
+
+export const getEntityStoreFieldRetentionEnrichTaskState = async ({
+  namespace,
+  taskManager,
+}: {
+  namespace: string;
+  taskManager: TaskManagerStartContract;
+}) => {
+  const taskId = getTaskId(namespace);
+  try {
+    const taskState = await taskManager.get(taskId);
+
+    return {
+      id: taskState.id,
+      resource: EngineComponentResourceEnum.task,
+      installed: true,
+      enabled: taskState.enabled,
+      status: taskState.status,
+      retryAttempts: taskState.attempts,
+      nextRun: taskState.runAt,
+      lastRun: taskState.state.lastExecutionTimestamp,
+      runs: taskState.state.runs,
+    };
+  } catch (e) {
+    if (SavedObjectsErrorHelpers.isNotFoundError(e)) {
+      return {
+        id: taskId,
+        installed: false,
+        resource: EngineComponentResourceEnum.task,
+      };
+    }
+    throw e;
+  }
+};
diff --git a/x-pack/plugins/translations/translations/fr-FR.json b/x-pack/plugins/translations/translations/fr-FR.json
index cd3678bcc173f..ffe3994652fde 100644
--- a/x-pack/plugins/translations/translations/fr-FR.json
+++ b/x-pack/plugins/translations/translations/fr-FR.json
@@ -40445,7 +40445,6 @@
     "xpack.securitySolution.entityAnalytics.assetCriticalityUploadPage.noPermissionTitle": "Privilèges d'index insuffisants pour effectuer le chargement de fichiers CSV",
     "xpack.securitySolution.entityAnalytics.assetCriticalityUploadPage.resultsStepTitle": "Résultats",
     "xpack.securitySolution.entityAnalytics.assetCriticalityUploadPage.selectFileStepTitle": "Sélectionner un fichier",
-    "xpack.securitySolution.entityAnalytics.assetCriticalityUploadPage.subTitle": "Importer des entités à l'aide d'un fichier texte",
     "xpack.securitySolution.entityAnalytics.assetCriticalityUploadPage.unavailable": "La fonctionnalité de chargement de fichiers CSV de criticité des ressources n'est pas disponible.",
     "xpack.securitySolution.entityAnalytics.assetCriticalityUploadPage.unsupportedFileTypeError": "Format de fichier sélectionné non valide. Veuillez choisir un fichier {supportedFileExtensions} et réessayer",
     "xpack.securitySolution.entityAnalytics.assetCriticalityUploadPage.uploadFileSizeLimit": "La taille maximale de fichier est de : {maxFileSize}",
@@ -40487,7 +40486,6 @@
     "xpack.securitySolution.entityAnalytics.entityStoreManagementPage.clearEntitiesModal.clearAllEntities": "Effacer toutes les entités",
     "xpack.securitySolution.entityAnalytics.entityStoreManagementPage.clearEntitiesModal.close": "Fermer",
     "xpack.securitySolution.entityAnalytics.entityStoreManagementPage.clearEntitiesModal.title": "Effacer les données des entités ?",
-    "xpack.securitySolution.entityAnalytics.entityStoreManagementPage.clearEntityData": "Supprimez toutes les données d'entité extraites du stockage. Cette action supprimera définitivement les enregistrements d’utilisateur et d'hôte persistants, les données ne seront par ailleurs plus disponibles pour l'analyse. Procédez avec prudence, car cette opération est irréversible. Notez que cette opération ne supprimera pas les données sources, les scores de risque des entités ni les attributions de criticité des ressources.",
     "xpack.securitySolution.entityAnalytics.entityStoreManagementPage.featureFlagDisabled": "Les fonctionnalités du stockage d'entités ne sont pas disponibles",
     "xpack.securitySolution.entityAnalytics.entityStoreManagementPage.subTitle": "Permet un monitoring complet des hôtes et des utilisateurs de votre système.",
     "xpack.securitySolution.entityAnalytics.entityStoreManagementPage.title": "Stockage d'entités",
diff --git a/x-pack/plugins/translations/translations/ja-JP.json b/x-pack/plugins/translations/translations/ja-JP.json
index 8d3f9df8ddbf2..660f89ebf277f 100644
--- a/x-pack/plugins/translations/translations/ja-JP.json
+++ b/x-pack/plugins/translations/translations/ja-JP.json
@@ -40414,7 +40414,6 @@
     "xpack.securitySolution.entityAnalytics.assetCriticalityUploadPage.noPermissionTitle": "CSVアップロードを実行する十分なインデックス権限がありません",
     "xpack.securitySolution.entityAnalytics.assetCriticalityUploadPage.resultsStepTitle": "結果",
     "xpack.securitySolution.entityAnalytics.assetCriticalityUploadPage.selectFileStepTitle": "ファイルを選択",
-    "xpack.securitySolution.entityAnalytics.assetCriticalityUploadPage.subTitle": "テキストファイルを使用してエンティティをインポート",
     "xpack.securitySolution.entityAnalytics.assetCriticalityUploadPage.unavailable": "アセット重要度CSVファイルアップロード機能が利用できません。",
     "xpack.securitySolution.entityAnalytics.assetCriticalityUploadPage.unsupportedFileTypeError": "無効なファイル形式が選択されました。{supportedFileExtensions}ファイルを選択して再試行してください。",
     "xpack.securitySolution.entityAnalytics.assetCriticalityUploadPage.uploadFileSizeLimit": "最大ファイルサイズ：{maxFileSize}",
@@ -40456,7 +40455,6 @@
     "xpack.securitySolution.entityAnalytics.entityStoreManagementPage.clearEntitiesModal.clearAllEntities": "すべてのエンティティを消去",
     "xpack.securitySolution.entityAnalytics.entityStoreManagementPage.clearEntitiesModal.close": "閉じる",
     "xpack.securitySolution.entityAnalytics.entityStoreManagementPage.clearEntitiesModal.title": "エンティティデータを消去しますか？",
-    "xpack.securitySolution.entityAnalytics.entityStoreManagementPage.clearEntityData": "すべての抽出されたエンティティデータをストアから削除します。このアクションにより、永続化されたユーザーおよびホストレコードが完全に削除され、データは分析で使用できなくなります。注意して続行してください。この操作は元に戻せません。この処理では、ソースデータ、エンティティリスクスコア、アセット重要度割り当ては削除されません。",
     "xpack.securitySolution.entityAnalytics.entityStoreManagementPage.featureFlagDisabled": "エンティティストア機能を利用できません",
     "xpack.securitySolution.entityAnalytics.entityStoreManagementPage.subTitle": "システムのホストとユーザーを包括的に監視できます。",
     "xpack.securitySolution.entityAnalytics.entityStoreManagementPage.title": "エンティティストア",
diff --git a/x-pack/plugins/translations/translations/zh-CN.json b/x-pack/plugins/translations/translations/zh-CN.json
index 6f5ba4b47d4df..f78ca57643200 100644
--- a/x-pack/plugins/translations/translations/zh-CN.json
+++ b/x-pack/plugins/translations/translations/zh-CN.json
@@ -40479,7 +40479,6 @@
     "xpack.securitySolution.entityAnalytics.assetCriticalityUploadPage.noPermissionTitle": "索引权限不足，无法执行 CSV 上传",
     "xpack.securitySolution.entityAnalytics.assetCriticalityUploadPage.resultsStepTitle": "结果",
     "xpack.securitySolution.entityAnalytics.assetCriticalityUploadPage.selectFileStepTitle": "选择文件",
-    "xpack.securitySolution.entityAnalytics.assetCriticalityUploadPage.subTitle": "使用文本文件导入实体",
     "xpack.securitySolution.entityAnalytics.assetCriticalityUploadPage.unavailable": "资产关键度 CSV 文件上传功能不可用。",
     "xpack.securitySolution.entityAnalytics.assetCriticalityUploadPage.unsupportedFileTypeError": "选定的文件格式无效。请选择 {supportedFileExtensions} 文件，然后重试",
     "xpack.securitySolution.entityAnalytics.assetCriticalityUploadPage.uploadFileSizeLimit": "最大文件大小：{maxFileSize}",
@@ -40521,7 +40520,6 @@
     "xpack.securitySolution.entityAnalytics.entityStoreManagementPage.clearEntitiesModal.clearAllEntities": "清除所有实体",
     "xpack.securitySolution.entityAnalytics.entityStoreManagementPage.clearEntitiesModal.close": "关闭",
     "xpack.securitySolution.entityAnalytics.entityStoreManagementPage.clearEntitiesModal.title": "清除实体数据？",
-    "xpack.securitySolution.entityAnalytics.entityStoreManagementPage.clearEntityData": "移除从仓库中提取的所有实体数据。此操作将永久删除持久化用户和主机记录，并且数据将不再可用于分析。请谨慎操作，因为此操作无法撤消。请注意，此操作不会删除源数据、实体风险分数或资产关键度分配。",
     "xpack.securitySolution.entityAnalytics.entityStoreManagementPage.featureFlagDisabled": "实体仓库功能不可用",
     "xpack.securitySolution.entityAnalytics.entityStoreManagementPage.subTitle": "允许全面监测您系统的主机和用户。",
     "xpack.securitySolution.entityAnalytics.entityStoreManagementPage.title": "实体仓库",
diff --git a/x-pack/test/api_integration/services/security_solution_api.gen.ts b/x-pack/test/api_integration/services/security_solution_api.gen.ts
index c4a8979b78e2e..79b535d118211 100644
--- a/x-pack/test/api_integration/services/security_solution_api.gen.ts
+++ b/x-pack/test/api_integration/services/security_solution_api.gen.ts
@@ -83,7 +83,7 @@ import {
   GetEndpointSuggestionsRequestBodyInput,
 } from '@kbn/security-solution-plugin/common/api/endpoint/suggestions/get_suggestions.gen';
 import { GetEntityEngineRequestParamsInput } from '@kbn/security-solution-plugin/common/api/entity_analytics/entity_store/engine/get.gen';
-import { GetEntityEngineStatsRequestParamsInput } from '@kbn/security-solution-plugin/common/api/entity_analytics/entity_store/engine/stats.gen';
+import { GetEntityStoreStatusRequestQueryInput } from '@kbn/security-solution-plugin/common/api/entity_analytics/entity_store/status.gen';
 import { GetNotesRequestQueryInput } from '@kbn/security-solution-plugin/common/api/timeline/get_notes/get_notes_route.gen';
 import { GetPolicyResponseRequestQueryInput } from '@kbn/security-solution-plugin/common/api/endpoint/policy/policy_response.gen';
 import { GetProtectionUpdatesNoteRequestParamsInput } from '@kbn/security-solution-plugin/common/api/endpoint/protection_updates_note/protection_updates_note.gen';
@@ -109,7 +109,7 @@ import {
   InitEntityEngineRequestParamsInput,
   InitEntityEngineRequestBodyInput,
 } from '@kbn/security-solution-plugin/common/api/entity_analytics/entity_store/engine/init.gen';
-import { InitEntityStoreRequestBodyInput } from '@kbn/security-solution-plugin/common/api/entity_analytics/entity_store/enablement.gen';
+import { InitEntityStoreRequestBodyInput } from '@kbn/security-solution-plugin/common/api/entity_analytics/entity_store/enable.gen';
 import {
   InstallMigrationRulesRequestParamsInput,
   InstallMigrationRulesRequestBodyInput,
@@ -856,24 +856,13 @@ finalize it.
         .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
         .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana');
     },
-    getEntityEngineStats(props: GetEntityEngineStatsProps, kibanaSpace: string = 'default') {
-      return supertest
-        .post(
-          routeWithNamespace(
-            replaceParams('/api/entity_store/engines/{entityType}/stats', props.params),
-            kibanaSpace
-          )
-        )
-        .set('kbn-xsrf', 'true')
-        .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
-        .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana');
-    },
-    getEntityStoreStatus(kibanaSpace: string = 'default') {
+    getEntityStoreStatus(props: GetEntityStoreStatusProps, kibanaSpace: string = 'default') {
       return supertest
         .get(routeWithNamespace('/api/entity_store/status', kibanaSpace))
         .set('kbn-xsrf', 'true')
         .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
-        .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana');
+        .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
+        .query(props.query);
     },
     /**
      * Gets notes
@@ -1661,8 +1650,8 @@ export interface GetEndpointSuggestionsProps {
 export interface GetEntityEngineProps {
   params: GetEntityEngineRequestParamsInput;
 }
-export interface GetEntityEngineStatsProps {
-  params: GetEntityEngineStatsRequestParamsInput;
+export interface GetEntityStoreStatusProps {
+  query: GetEntityStoreStatusRequestQueryInput;
 }
 export interface GetNotesProps {
   query: GetNotesRequestQueryInput;
diff --git a/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/entity_store/trial_license_complete_tier/entity_store.ts b/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/entity_store/trial_license_complete_tier/entity_store.ts
index 3b249da0f38ed..ffa5a6b3fe778 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/entity_store/trial_license_complete_tier/entity_store.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/entity_store/trial_license_complete_tier/entity_store.ts
@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import expect from '@kbn/expect';
+import expect from 'expect';
 import { FtrProviderContext } from '../../../../ftr_provider_context';
 import { EntityStoreUtils } from '../../utils';
 import { dataViewRouteHelpersFactory } from '../../utils/data_view';
@@ -14,8 +14,7 @@ export default ({ getService }: FtrProviderContext) => {
   const supertest = getService('supertest');
 
   const utils = EntityStoreUtils(getService);
-  // Failing: See https://github.com/elastic/kibana/issues/200758
-  describe.skip('@ess @skipInServerlessMKI Entity Store APIs', () => {
+  describe('@ess @skipInServerlessMKI Entity Store APIs', () => {
     const dataView = dataViewRouteHelpersFactory(supertest);
 
     before(async () => {
@@ -85,7 +84,7 @@ export default ({ getService }: FtrProviderContext) => {
             })
             .expect(200);
 
-          expect(getResponse.body).to.eql({
+          expect(getResponse.body).toEqual({
             status: 'started',
             type: 'host',
             indexPattern: '',
@@ -101,7 +100,7 @@ export default ({ getService }: FtrProviderContext) => {
             })
             .expect(200);
 
-          expect(getResponse.body).to.eql({
+          expect(getResponse.body).toEqual({
             status: 'started',
             type: 'user',
             indexPattern: '',
@@ -118,7 +117,7 @@ export default ({ getService }: FtrProviderContext) => {
           // @ts-expect-error body is any
           const sortedEngines = body.engines.sort((a, b) => a.type.localeCompare(b.type));
 
-          expect(sortedEngines).to.eql([
+          expect(sortedEngines).toEqual([
             {
               status: 'started',
               type: 'host',
@@ -160,7 +159,7 @@ export default ({ getService }: FtrProviderContext) => {
           })
           .expect(200);
 
-        expect(body.status).to.eql('stopped');
+        expect(body.status).toEqual('stopped');
       });
 
       it('should start the entity engine', async () => {
@@ -176,7 +175,7 @@ export default ({ getService }: FtrProviderContext) => {
           })
           .expect(200);
 
-        expect(body.status).to.eql('started');
+        expect(body.status).toEqual('started');
       });
     });
 
@@ -212,10 +211,11 @@ export default ({ getService }: FtrProviderContext) => {
       afterEach(async () => {
         await utils.cleanEngines();
       });
+
       it('should return "not_installed" when no engines have been initialized', async () => {
-        const { body } = await api.getEntityStoreStatus().expect(200);
+        const { body } = await api.getEntityStoreStatus({ query: {} }).expect(200);
 
-        expect(body).to.eql({
+        expect(body).toEqual({
           engines: [],
           status: 'not_installed',
         });
@@ -224,23 +224,56 @@ export default ({ getService }: FtrProviderContext) => {
       it('should return "installing" when at least one engine is being initialized', async () => {
         await utils.enableEntityStore();
 
-        const { body } = await api.getEntityStoreStatus().expect(200);
+        const { body } = await api.getEntityStoreStatus({ query: {} }).expect(200);
 
-        expect(body.status).to.eql('installing');
-        expect(body.engines.length).to.eql(2);
-        expect(body.engines[0].status).to.eql('installing');
-        expect(body.engines[1].status).to.eql('installing');
+        expect(body.status).toEqual('installing');
+        expect(body.engines.length).toEqual(2);
+        expect(body.engines[0].status).toEqual('installing');
+        expect(body.engines[1].status).toEqual('installing');
       });
 
       it('should return "started" when all engines are started', async () => {
         await utils.initEntityEngineForEntityTypesAndWait(['host', 'user']);
 
-        const { body } = await api.getEntityStoreStatus().expect(200);
+        const { body } = await api.getEntityStoreStatus({ query: {} }).expect(200);
+
+        expect(body.status).toEqual('running');
+        expect(body.engines.length).toEqual(2);
+        expect(body.engines[0].status).toEqual('started');
+        expect(body.engines[1].status).toEqual('started');
+      });
 
-        expect(body.status).to.eql('running');
-        expect(body.engines.length).to.eql(2);
-        expect(body.engines[0].status).to.eql('started');
-        expect(body.engines[1].status).to.eql('started');
+      describe('status with components', () => {
+        it('should return empty list when when no engines have been initialized', async () => {
+          const { body } = await api
+            .getEntityStoreStatus({ query: { include_components: true } })
+            .expect(200);
+
+          expect(body).toEqual({
+            engines: [],
+            status: 'not_installed',
+          });
+        });
+
+        it('should return components status when engines are installed', async () => {
+          await utils.initEntityEngineForEntityTypesAndWait(['host']);
+
+          const { body } = await api
+            .getEntityStoreStatus({ query: { include_components: true } })
+            .expect(200);
+
+          expect(body.engines[0].components).toEqual([
+            expect.objectContaining({ resource: 'entity_definition' }),
+            expect.objectContaining({ resource: 'transform' }),
+            expect.objectContaining({ resource: 'ingest_pipeline' }),
+            expect.objectContaining({ resource: 'index_template' }),
+            expect.objectContaining({ resource: 'task' }),
+            expect.objectContaining({ resource: 'ingest_pipeline' }),
+            expect.objectContaining({ resource: 'enrich_policy' }),
+            expect.objectContaining({ resource: 'index' }),
+            expect.objectContaining({ resource: 'component_template' }),
+          ]);
+        });
       });
     });
 
@@ -261,14 +294,14 @@ export default ({ getService }: FtrProviderContext) => {
       it("should not update the index patten when it didn't change", async () => {
         const response = await api.applyEntityEngineDataviewIndices();
 
-        expect(response.body).to.eql({ success: true, result: [{ type: 'host', changes: {} }] });
+        expect(response.body).toEqual({ success: true, result: [{ type: 'host', changes: {} }] });
       });
 
       it('should update the index pattern when the data view changes', async () => {
         await dataView.updateIndexPattern('security-solution', 'test-*');
         const response = await api.applyEntityEngineDataviewIndices();
 
-        expect(response.body).to.eql({
+        expect(response.body).toEqual({
           success: true,
           result: [
             {

From de5f453ef627df4f90ee1ed0d9b4fa1d9da5bf8e Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Wed, 4 Dec 2024 02:31:57 +1100
Subject: [PATCH 21/23] [8.x] [Dataset Quality][Observability Onboarding]
 Update axios headers (#202412) (#202723)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Dataset Quality][Observability Onboarding] Update axios headers
(#202412)](https://github.com/elastic/kibana/pull/202412)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Marco Antonio
Ghiani","email":"marcoantonio.ghiani01@gmail.com"},"sourceCommit":{"committedDate":"2024-12-03T13:35:34Z","message":"[Dataset
Quality][Observability Onboarding] Update axios headers (#202412)\n\n##
📓 Summary\r\n\r\nTo ensure Kibana features/tests don't break after the
update to v9.0.0,\r\nwe need to provide the
`'x-elastic-internal-origin': 'kibana'` header is\r\nset on API
providers that are not the internal core HTTP service.\r\n\r\nThese
changes fix a couple of utilities using the axios library for\r\ntesting
purpose.\r\n\r\n---------\r\n\r\nCo-authored-by: Marco Antonio Ghiani
<marcoantonio.ghiani@elastic.co>","sha":"a75a92b284a860ecbb5e3accef97d3044f5ac4a4","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","backport:prev-minor","ci:project-deploy-observability","Team:obs-ux-logs"],"title":"[Dataset
Quality][Observability Onboarding] Update axios
headers","number":202412,"url":"https://github.com/elastic/kibana/pull/202412","mergeCommit":{"message":"[Dataset
Quality][Observability Onboarding] Update axios headers (#202412)\n\n##
📓 Summary\r\n\r\nTo ensure Kibana features/tests don't break after the
update to v9.0.0,\r\nwe need to provide the
`'x-elastic-internal-origin': 'kibana'` header is\r\nset on API
providers that are not the internal core HTTP service.\r\n\r\nThese
changes fix a couple of utilities using the axios library for\r\ntesting
purpose.\r\n\r\n---------\r\n\r\nCo-authored-by: Marco Antonio Ghiani
<marcoantonio.ghiani@elastic.co>","sha":"a75a92b284a860ecbb5e3accef97d3044f5ac4a4"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/202412","number":202412,"mergeCommit":{"message":"[Dataset
Quality][Observability Onboarding] Update axios headers (#202412)\n\n##
📓 Summary\r\n\r\nTo ensure Kibana features/tests don't break after the
update to v9.0.0,\r\nwe need to provide the
`'x-elastic-internal-origin': 'kibana'` header is\r\nset on API
providers that are not the internal core HTTP service.\r\n\r\nThese
changes fix a couple of utilities using the axios library for\r\ntesting
purpose.\r\n\r\n---------\r\n\r\nCo-authored-by: Marco Antonio Ghiani
<marcoantonio.ghiani@elastic.co>","sha":"a75a92b284a860ecbb5e3accef97d3044f5ac4a4"}}]}]
BACKPORT-->

Co-authored-by: Marco Antonio Ghiani <marcoantonio.ghiani01@gmail.com>
---
 .../create_dataset_quality_users/helpers/call_kibana.ts   | 8 ++++++--
 .../helpers/call_kibana.ts                                | 8 ++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/x-pack/plugins/observability_solution/dataset_quality/server/test_helpers/create_dataset_quality_users/helpers/call_kibana.ts b/x-pack/plugins/observability_solution/dataset_quality/server/test_helpers/create_dataset_quality_users/helpers/call_kibana.ts
index 879b02f8a93c5..5f36a8a4204f2 100644
--- a/x-pack/plugins/observability_solution/dataset_quality/server/test_helpers/create_dataset_quality_users/helpers/call_kibana.ts
+++ b/x-pack/plugins/observability_solution/dataset_quality/server/test_helpers/create_dataset_quality_users/helpers/call_kibana.ts
@@ -24,14 +24,18 @@ export async function callKibana<T>({
     ...options,
     baseURL: baseUrl,
     auth: { username, password },
-    headers: { 'kbn-xsrf': 'true', ...options.headers },
+    headers: { 'kbn-xsrf': 'true', 'x-elastic-internal-origin': 'kibana', ...options.headers },
   });
   return data;
 }
 
 const getBaseUrl = once(async (kibanaHostname: string) => {
   try {
-    await axios.request({ url: kibanaHostname, maxRedirects: 0 });
+    await axios.request({
+      url: kibanaHostname,
+      maxRedirects: 0,
+      headers: { 'x-elastic-internal-origin': 'kibana' },
+    });
   } catch (e) {
     if (isAxiosError(e)) {
       const location = e.response?.headers?.location ?? '';
diff --git a/x-pack/plugins/observability_solution/observability_onboarding/server/test_helpers/create_observability_onboarding_users/helpers/call_kibana.ts b/x-pack/plugins/observability_solution/observability_onboarding/server/test_helpers/create_observability_onboarding_users/helpers/call_kibana.ts
index 879b02f8a93c5..5f36a8a4204f2 100644
--- a/x-pack/plugins/observability_solution/observability_onboarding/server/test_helpers/create_observability_onboarding_users/helpers/call_kibana.ts
+++ b/x-pack/plugins/observability_solution/observability_onboarding/server/test_helpers/create_observability_onboarding_users/helpers/call_kibana.ts
@@ -24,14 +24,18 @@ export async function callKibana<T>({
     ...options,
     baseURL: baseUrl,
     auth: { username, password },
-    headers: { 'kbn-xsrf': 'true', ...options.headers },
+    headers: { 'kbn-xsrf': 'true', 'x-elastic-internal-origin': 'kibana', ...options.headers },
   });
   return data;
 }
 
 const getBaseUrl = once(async (kibanaHostname: string) => {
   try {
-    await axios.request({ url: kibanaHostname, maxRedirects: 0 });
+    await axios.request({
+      url: kibanaHostname,
+      maxRedirects: 0,
+      headers: { 'x-elastic-internal-origin': 'kibana' },
+    });
   } catch (e) {
     if (isAxiosError(e)) {
       const location = e.response?.headers?.location ?? '';

From 4de4e042e0262c546ec58e17178226c0a9ffe508 Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Wed, 4 Dec 2024 02:42:36 +1100
Subject: [PATCH 22/23] [8.x] [Fleet] Rollover datastreams on subobjects mapper
 exception (#202689) (#202731)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Fleet] Rollover datastreams on subobjects mapper exception
(#202689)](https://github.com/elastic/kibana/pull/202689)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Julia
Bardi","email":"90178898+juliaElastic@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-12-03T13:51:11Z","message":"[Fleet]
Rollover datastreams on subobjects mapper exception (#202689)\n\n##
Summary\r\n\r\nCloses
https://github.com/elastic/kibana/issues/193044\r\n\r\nThe previously
added `subobjectsFieldChanged` check was not picking up\r\nthe
subobjects change in this case (okta integration), maybe because
it\r\nis in dynamic template mappings. Added an additional condition to
pick\r\nup on the `mapper_exception` with subobjects mentioned in the
reason.\r\n\r\nTo verify:\r\n- install okta-2.11.0 integration\r\n-
upgrade to okta-2.12.0\r\n- expect upgrade successful, the data stream
should be rolled over\r\n```\r\nPOST
kbn:/api/fleet/epm/packages/okta/2.11.0\r\n{\r\n \"force\":
true\r\n}\r\n\r\nPOST logs-okta.system-default/_doc\r\n {\r\n
\"message\": \"abc\",\r\n \"@timestamp\":
\"2024-05-30T07:50:00.000Z\"\r\n }\r\n\r\nPOST
kbn:/api/fleet/epm/packages/okta/2.12.0\r\n{\r\n \"force\":
true\r\n}\r\n\r\nGET logs-okta.system-default/_mapping\r\n```\r\n\r\n###
Checklist\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"1edcb62a30597104bfead7864b5c52dbb1086511","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:Fleet","v9.0.0","backport:prev-minor","v8.17.0"],"title":"[Fleet]
Rollover datastreams on subobjects mapper
exception","number":202689,"url":"https://github.com/elastic/kibana/pull/202689","mergeCommit":{"message":"[Fleet]
Rollover datastreams on subobjects mapper exception (#202689)\n\n##
Summary\r\n\r\nCloses
https://github.com/elastic/kibana/issues/193044\r\n\r\nThe previously
added `subobjectsFieldChanged` check was not picking up\r\nthe
subobjects change in this case (okta integration), maybe because
it\r\nis in dynamic template mappings. Added an additional condition to
pick\r\nup on the `mapper_exception` with subobjects mentioned in the
reason.\r\n\r\nTo verify:\r\n- install okta-2.11.0 integration\r\n-
upgrade to okta-2.12.0\r\n- expect upgrade successful, the data stream
should be rolled over\r\n```\r\nPOST
kbn:/api/fleet/epm/packages/okta/2.11.0\r\n{\r\n \"force\":
true\r\n}\r\n\r\nPOST logs-okta.system-default/_doc\r\n {\r\n
\"message\": \"abc\",\r\n \"@timestamp\":
\"2024-05-30T07:50:00.000Z\"\r\n }\r\n\r\nPOST
kbn:/api/fleet/epm/packages/okta/2.12.0\r\n{\r\n \"force\":
true\r\n}\r\n\r\nGET logs-okta.system-default/_mapping\r\n```\r\n\r\n###
Checklist\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"1edcb62a30597104bfead7864b5c52dbb1086511"}},"sourceBranch":"main","suggestedTargetBranches":["8.17"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/202689","number":202689,"mergeCommit":{"message":"[Fleet]
Rollover datastreams on subobjects mapper exception (#202689)\n\n##
Summary\r\n\r\nCloses
https://github.com/elastic/kibana/issues/193044\r\n\r\nThe previously
added `subobjectsFieldChanged` check was not picking up\r\nthe
subobjects change in this case (okta integration), maybe because
it\r\nis in dynamic template mappings. Added an additional condition to
pick\r\nup on the `mapper_exception` with subobjects mentioned in the
reason.\r\n\r\nTo verify:\r\n- install okta-2.11.0 integration\r\n-
upgrade to okta-2.12.0\r\n- expect upgrade successful, the data stream
should be rolled over\r\n```\r\nPOST
kbn:/api/fleet/epm/packages/okta/2.11.0\r\n{\r\n \"force\":
true\r\n}\r\n\r\nPOST logs-okta.system-default/_doc\r\n {\r\n
\"message\": \"abc\",\r\n \"@timestamp\":
\"2024-05-30T07:50:00.000Z\"\r\n }\r\n\r\nPOST
kbn:/api/fleet/epm/packages/okta/2.12.0\r\n{\r\n \"force\":
true\r\n}\r\n\r\nGET logs-okta.system-default/_mapping\r\n```\r\n\r\n###
Checklist\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"1edcb62a30597104bfead7864b5c52dbb1086511"}},{"branch":"8.17","label":"v8.17.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Julia Bardi <90178898+juliaElastic@users.noreply.github.com>
---
 .../elasticsearch/template/template.test.ts   | 51 +++++++++++++++++++
 .../epm/elasticsearch/template/template.ts    |  4 ++
 2 files changed, 55 insertions(+)

diff --git a/x-pack/plugins/fleet/server/services/epm/elasticsearch/template/template.test.ts b/x-pack/plugins/fleet/server/services/epm/elasticsearch/template/template.test.ts
index a42fb9481cc63..878680e766574 100644
--- a/x-pack/plugins/fleet/server/services/epm/elasticsearch/template/template.test.ts
+++ b/x-pack/plugins/fleet/server/services/epm/elasticsearch/template/template.test.ts
@@ -2075,6 +2075,57 @@ describe('EPM template', () => {
         })
       );
     });
+    it('should rollover on mapper exception with subobjects in reason', async () => {
+      const esClient = elasticsearchServiceMock.createElasticsearchClient();
+      esClient.indices.getDataStream.mockResponse({
+        data_streams: [{ name: 'test.prefix1-default' }],
+      } as any);
+      esClient.indices.get.mockResponse({
+        'test.prefix1-default': {
+          mappings: {},
+        },
+      } as any);
+      esClient.indices.simulateTemplate.mockResponse({
+        template: {
+          settings: { index: {} },
+          mappings: {},
+        },
+      } as any);
+      esClient.indices.putMapping.mockImplementation(() => {
+        throw new errors.ResponseError({
+          body: {
+            error: {
+              type: 'mapper_exception',
+              reason:
+                "the [subobjects] parameter can't be updated for the object mapping [okta.debug_context.debug_data]",
+            },
+          },
+        } as any);
+      });
+
+      const logger = loggerMock.create();
+      await updateCurrentWriteIndices(esClient, logger, [
+        {
+          templateName: 'test',
+          indexTemplate: {
+            index_patterns: ['test.*-*'],
+            template: {
+              settings: { index: {} },
+              mappings: {},
+            },
+          } as any,
+        },
+      ]);
+
+      expect(esClient.transport.request).toHaveBeenCalledWith(
+        expect.objectContaining({
+          path: '/test.prefix1-default/_rollover',
+          querystring: {
+            lazy: true,
+          },
+        })
+      );
+    });
     it('should skip rollover on expected error when flag is on', async () => {
       const esClient = elasticsearchServiceMock.createElasticsearchClient();
       esClient.indices.getDataStream.mockResponse({
diff --git a/x-pack/plugins/fleet/server/services/epm/elasticsearch/template/template.ts b/x-pack/plugins/fleet/server/services/epm/elasticsearch/template/template.ts
index 00ecaddf2c7f7..cf1a394834b17 100644
--- a/x-pack/plugins/fleet/server/services/epm/elasticsearch/template/template.ts
+++ b/x-pack/plugins/fleet/server/services/epm/elasticsearch/template/template.ts
@@ -1069,6 +1069,10 @@ const updateExistingDataStream = async ({
 
     // if update fails, rollover data stream and bail out
   } catch (err) {
+    subobjectsFieldChanged =
+      subobjectsFieldChanged ||
+      (err.body?.error?.type === 'mapper_exception' &&
+        err.body?.error?.reason?.includes('subobjects'));
     if (
       (isResponseError(err) &&
         err.statusCode === 400 &&

From 36f34e556b5eebbf6c3b05dbad26e993011eaca4 Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Wed, 4 Dec 2024 02:42:59 +1100
Subject: [PATCH 23/23] [8.x] [Obs AI Assistant] Perform index creation at
 startup (#201362) (#202728)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Obs AI Assistant] Perform index creation at startup
(#201362)](https://github.com/elastic/kibana/pull/201362)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Søren
Louv-Jansen","email":"soren.louv@elastic.co"},"sourceCommit":{"committedDate":"2024-12-03T13:48:19Z","message":"[Obs
AI Assistant] Perform index creation at startup (#201362)\n\nCurrently
the knowledge base creates index assets (index templates, index
components) lazily when the user interacts with the assistant. This
prevents running the semantic text migrations (added in
https://github.com/elastic/kibana/pull/186499) when Kibana starts
because the mappings have not yet been updated.\r\n\r\nAdditionally,
this PR also increases `min_number_of_allocations` to 1 to\r\nensure at
least one ML node is available at all
times.","sha":"b217f1acbdce4d9c0288c87e9afa470038cf6557","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","backport:prev-minor","Team:Obs
AI Assistant","ci:project-deploy-observability","v8.17.0"],"title":"[Obs
AI Assistant] Perform index creation at
startup","number":201362,"url":"https://github.com/elastic/kibana/pull/201362","mergeCommit":{"message":"[Obs
AI Assistant] Perform index creation at startup (#201362)\n\nCurrently
the knowledge base creates index assets (index templates, index
components) lazily when the user interacts with the assistant. This
prevents running the semantic text migrations (added in
https://github.com/elastic/kibana/pull/186499) when Kibana starts
because the mappings have not yet been updated.\r\n\r\nAdditionally,
this PR also increases `min_number_of_allocations` to 1 to\r\nensure at
least one ML node is available at all
times.","sha":"b217f1acbdce4d9c0288c87e9afa470038cf6557"}},"sourceBranch":"main","suggestedTargetBranches":["8.17"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/201362","number":201362,"mergeCommit":{"message":"[Obs
AI Assistant] Perform index creation at startup (#201362)\n\nCurrently
the knowledge base creates index assets (index templates, index
components) lazily when the user interacts with the assistant. This
prevents running the semantic text migrations (added in
https://github.com/elastic/kibana/pull/186499) when Kibana starts
because the mappings have not yet been updated.\r\n\r\nAdditionally,
this PR also increases `min_number_of_allocations` to 1 to\r\nensure at
least one ML node is available at all
times.","sha":"b217f1acbdce4d9c0288c87e9afa470038cf6557"}},{"branch":"8.17","label":"v8.17.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Søren Louv-Jansen <soren.louv@elastic.co>
---
 .../server/plugin.ts                          |   5 +-
 .../server/service/client/index.test.ts       |   8 +-
 .../server/service/client/index.ts            |  32 +++-
 .../server/service/index.ts                   | 156 ++++--------------
 .../server/service/inference_endpoint.ts      |  97 ++++++++---
 .../server/service/kb_component_template.ts   |   4 -
 .../service/knowledge_base_service/index.ts   |  59 +------
 .../setup_conversation_and_kb_index_assets.ts | 108 ++++++++++++
 ...ter_migrate_knowledge_base_entries_task.ts |  99 +++++++----
 9 files changed, 316 insertions(+), 252 deletions(-)
 create mode 100644 x-pack/plugins/observability_solution/observability_ai_assistant/server/service/setup_conversation_and_kb_index_assets.ts

diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant/server/plugin.ts b/x-pack/plugins/observability_solution/observability_ai_assistant/server/plugin.ts
index 7949276ac6aba..b8de2f5688373 100644
--- a/x-pack/plugins/observability_solution/observability_ai_assistant/server/plugin.ts
+++ b/x-pack/plugins/observability_solution/observability_ai_assistant/server/plugin.ts
@@ -134,8 +134,9 @@ export class ObservabilityAIAssistantPlugin
       core,
       taskManager: plugins.taskManager,
       logger: this.logger,
-    }).catch((error) => {
-      this.logger.error(`Failed to register migrate knowledge base entries task: ${error}`);
+      config: this.config,
+    }).catch((e) => {
+      this.logger.error(`Knowledge base migration was not successfully: ${e.message}`);
     });
 
     service.register(registerFunctions);
diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/client/index.test.ts b/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/client/index.test.ts
index 8da2a0d843b11..f6aa0dfab2726 100644
--- a/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/client/index.test.ts
+++ b/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/client/index.test.ts
@@ -5,7 +5,7 @@
  * 2.0.
  */
 import type { ActionsClient } from '@kbn/actions-plugin/server/actions_client';
-import type { ElasticsearchClient, IUiSettingsClient, Logger } from '@kbn/core/server';
+import type { CoreSetup, ElasticsearchClient, IUiSettingsClient, Logger } from '@kbn/core/server';
 import type { DeeplyMockedKeys } from '@kbn/utility-types-jest';
 import { waitFor } from '@testing-library/react';
 import { last, merge, repeat } from 'lodash';
@@ -27,7 +27,9 @@ import { CONTEXT_FUNCTION_NAME } from '../../functions/context';
 import { ChatFunctionClient } from '../chat_function_client';
 import type { KnowledgeBaseService } from '../knowledge_base_service';
 import { observableIntoStream } from '../util/observable_into_stream';
-import { CreateChatCompletionResponseChunk } from './adapters/process_openai_stream';
+import type { CreateChatCompletionResponseChunk } from './adapters/process_openai_stream';
+import type { ObservabilityAIAssistantConfig } from '../../config';
+import type { ObservabilityAIAssistantPluginStartDependencies } from '../../types';
 
 type ChunkDelta = CreateChatCompletionResponseChunk['choices'][number]['delta'];
 
@@ -177,6 +179,8 @@ describe('Observability AI Assistant client', () => {
     functionClientMock.getAdhocInstructions.mockReturnValue([]);
 
     return new ObservabilityAIAssistantClient({
+      config: {} as ObservabilityAIAssistantConfig,
+      core: {} as CoreSetup<ObservabilityAIAssistantPluginStartDependencies>,
       actionsClient: actionsClientMock,
       uiSettingsClient: uiSettingsClientMock,
       esClient: {
diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/client/index.ts b/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/client/index.ts
index 2bd2fdcf22462..107bed3cac7be 100644
--- a/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/client/index.ts
+++ b/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/client/index.ts
@@ -7,7 +7,7 @@
 import type { SearchHit } from '@elastic/elasticsearch/lib/api/types';
 import { notFound } from '@hapi/boom';
 import type { ActionsClient } from '@kbn/actions-plugin/server';
-import type { ElasticsearchClient, IUiSettingsClient } from '@kbn/core/server';
+import type { CoreSetup, ElasticsearchClient, IUiSettingsClient } from '@kbn/core/server';
 import type { Logger } from '@kbn/logging';
 import type { PublicMethodsOf } from '@kbn/utility-types';
 import { SpanKind, context } from '@opentelemetry/api';
@@ -80,13 +80,20 @@ import {
   LangtraceServiceProvider,
   withLangtraceChatCompleteSpan,
 } from './operators/with_langtrace_chat_complete_span';
-import { runSemanticTextKnowledgeBaseMigration } from '../task_manager_definitions/register_migrate_knowledge_base_entries_task';
+import {
+  runSemanticTextKnowledgeBaseMigration,
+  scheduleSemanticTextMigration,
+} from '../task_manager_definitions/register_migrate_knowledge_base_entries_task';
+import { ObservabilityAIAssistantPluginStartDependencies } from '../../types';
+import { ObservabilityAIAssistantConfig } from '../../config';
 
 const MAX_FUNCTION_CALLS = 8;
 
 export class ObservabilityAIAssistantClient {
   constructor(
     private readonly dependencies: {
+      config: ObservabilityAIAssistantConfig;
+      core: CoreSetup<ObservabilityAIAssistantPluginStartDependencies>;
       actionsClient: PublicMethodsOf<ActionsClient>;
       uiSettingsClient: IUiSettingsClient;
       namespace: string;
@@ -725,9 +732,23 @@ export class ObservabilityAIAssistantClient {
     return this.dependencies.knowledgeBaseService.getStatus();
   };
 
-  setupKnowledgeBase = (modelId: string | undefined) => {
-    const { esClient } = this.dependencies;
-    return this.dependencies.knowledgeBaseService.setup(esClient, modelId);
+  setupKnowledgeBase = async (modelId: string | undefined) => {
+    const { esClient, core, logger, knowledgeBaseService } = this.dependencies;
+
+    // setup the knowledge base
+    const res = await knowledgeBaseService.setup(esClient, modelId);
+
+    core
+      .getStartServices()
+      .then(([_, pluginsStart]) => {
+        logger.debug('Schedule semantic text migration task');
+        return scheduleSemanticTextMigration(pluginsStart);
+      })
+      .catch((error) => {
+        logger.error(`Failed to run semantic text migration task: ${error}`);
+      });
+
+    return res;
   };
 
   resetKnowledgeBase = () => {
@@ -739,6 +760,7 @@ export class ObservabilityAIAssistantClient {
     return runSemanticTextKnowledgeBaseMigration({
       esClient: this.dependencies.esClient,
       logger: this.dependencies.logger,
+      config: this.dependencies.config,
     });
   };
 
diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/index.ts b/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/index.ts
index 9c26bebdd8388..d98799fcb63a7 100644
--- a/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/index.ts
+++ b/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/index.ts
@@ -5,22 +5,19 @@
  * 2.0.
  */
 
-import type { PluginStartContract as ActionsPluginStart } from '@kbn/actions-plugin/server/plugin';
-import { createConcreteWriteIndex, getDataStreamAdapter } from '@kbn/alerting-plugin/server';
-import type { CoreSetup, CoreStart, KibanaRequest, Logger } from '@kbn/core/server';
-import type { SecurityPluginStart } from '@kbn/security-plugin/server';
+import type { CoreSetup, KibanaRequest, Logger } from '@kbn/core/server';
 import { getSpaceIdFromPath } from '@kbn/spaces-plugin/common';
-import { once } from 'lodash';
 import type { AssistantScope } from '@kbn/ai-assistant-common';
+import { once } from 'lodash';
+import pRetry from 'p-retry';
 import { ObservabilityAIAssistantScreenContextRequest } from '../../common/types';
 import type { ObservabilityAIAssistantPluginStartDependencies } from '../types';
 import { ChatFunctionClient } from './chat_function_client';
 import { ObservabilityAIAssistantClient } from './client';
-import { conversationComponentTemplate } from './conversation_component_template';
-import { kbComponentTemplate } from './kb_component_template';
 import { KnowledgeBaseService } from './knowledge_base_service';
 import type { RegistrationCallback, RespondFunctionResources } from './types';
 import { ObservabilityAIAssistantConfig } from '../config';
+import { setupConversationAndKbIndexAssets } from './setup_conversation_and_kb_index_assets';
 
 function getResourceName(resource: string) {
   return `.kibana-observability-ai-assistant-${resource}`;
@@ -45,12 +42,15 @@ export const resourceNames = {
   },
 };
 
+const createIndexAssetsOnce = once(
+  (logger: Logger, core: CoreSetup<ObservabilityAIAssistantPluginStartDependencies>) =>
+    pRetry(() => setupConversationAndKbIndexAssets({ logger, core }))
+);
+
 export class ObservabilityAIAssistantService {
   private readonly core: CoreSetup<ObservabilityAIAssistantPluginStartDependencies>;
   private readonly logger: Logger;
-  private kbService?: KnowledgeBaseService;
   private config: ObservabilityAIAssistantConfig;
-
   private readonly registrations: RegistrationCallback[] = [];
 
   constructor({
@@ -65,120 +65,8 @@ export class ObservabilityAIAssistantService {
     this.core = core;
     this.logger = logger;
     this.config = config;
-
-    this.resetInit();
   }
 
-  init = async () => {};
-
-  private resetInit = () => {
-    this.init = once(async () => {
-      return this.doInit().catch((error) => {
-        this.resetInit(); // reset the once flag if an error occurs
-        throw error;
-      });
-    });
-  };
-
-  private doInit = async () => {
-    try {
-      this.logger.debug('Setting up index assets');
-      const [coreStart] = await this.core.getStartServices();
-
-      const { asInternalUser } = coreStart.elasticsearch.client;
-
-      await asInternalUser.cluster.putComponentTemplate({
-        create: false,
-        name: resourceNames.componentTemplate.conversations,
-        template: conversationComponentTemplate,
-      });
-
-      await asInternalUser.indices.putIndexTemplate({
-        name: resourceNames.indexTemplate.conversations,
-        composed_of: [resourceNames.componentTemplate.conversations],
-        create: false,
-        index_patterns: [resourceNames.indexPatterns.conversations],
-        template: {
-          settings: {
-            number_of_shards: 1,
-            auto_expand_replicas: '0-1',
-            hidden: true,
-          },
-        },
-      });
-
-      const conversationAliasName = resourceNames.aliases.conversations;
-
-      await createConcreteWriteIndex({
-        esClient: asInternalUser,
-        logger: this.logger,
-        totalFieldsLimit: 10000,
-        indexPatterns: {
-          alias: conversationAliasName,
-          pattern: `${conversationAliasName}*`,
-          basePattern: `${conversationAliasName}*`,
-          name: `${conversationAliasName}-000001`,
-          template: resourceNames.indexTemplate.conversations,
-        },
-        dataStreamAdapter: getDataStreamAdapter({ useDataStreamForAlerts: false }),
-      });
-
-      // Knowledge base: component template
-      await asInternalUser.cluster.putComponentTemplate({
-        create: false,
-        name: resourceNames.componentTemplate.kb,
-        template: kbComponentTemplate,
-      });
-
-      // Knowledge base: index template
-      await asInternalUser.indices.putIndexTemplate({
-        name: resourceNames.indexTemplate.kb,
-        composed_of: [resourceNames.componentTemplate.kb],
-        create: false,
-        index_patterns: [resourceNames.indexPatterns.kb],
-        template: {
-          settings: {
-            number_of_shards: 1,
-            auto_expand_replicas: '0-1',
-            hidden: true,
-          },
-        },
-      });
-
-      const kbAliasName = resourceNames.aliases.kb;
-
-      // Knowledge base: write index
-      await createConcreteWriteIndex({
-        esClient: asInternalUser,
-        logger: this.logger,
-        totalFieldsLimit: 10000,
-        indexPatterns: {
-          alias: kbAliasName,
-          pattern: `${kbAliasName}*`,
-          basePattern: `${kbAliasName}*`,
-          name: `${kbAliasName}-000001`,
-          template: resourceNames.indexTemplate.kb,
-        },
-        dataStreamAdapter: getDataStreamAdapter({ useDataStreamForAlerts: false }),
-      });
-
-      this.kbService = new KnowledgeBaseService({
-        core: this.core,
-        logger: this.logger.get('kb'),
-        config: this.config,
-        esClient: {
-          asInternalUser,
-        },
-      });
-
-      this.logger.info('Successfully set up index assets');
-    } catch (error) {
-      this.logger.error(`Failed setting up index assets: ${error.message}`);
-      this.logger.debug(error);
-      throw error;
-    }
-  };
-
   async getClient({
     request,
     scopes,
@@ -192,12 +80,11 @@ export class ObservabilityAIAssistantService {
       controller.abort();
     });
 
-    const [_, [coreStart, plugins]] = await Promise.all([
-      this.init(),
-      this.core.getStartServices() as Promise<
-        [CoreStart, { security: SecurityPluginStart; actions: ActionsPluginStart }, unknown]
-      >,
+    const [[coreStart, plugins]] = await Promise.all([
+      this.core.getStartServices(),
+      createIndexAssetsOnce(this.logger, this.core),
     ]);
+
     // user will not be found when executed from system connector context
     const user = plugins.security.authc.getCurrentUser(request);
 
@@ -207,12 +94,25 @@ export class ObservabilityAIAssistantService {
 
     const { spaceId } = getSpaceIdFromPath(basePath, coreStart.http.basePath.serverBasePath);
 
+    const { asInternalUser } = coreStart.elasticsearch.client;
+
+    const kbService = new KnowledgeBaseService({
+      core: this.core,
+      logger: this.logger.get('kb'),
+      config: this.config,
+      esClient: {
+        asInternalUser,
+      },
+    });
+
     return new ObservabilityAIAssistantClient({
+      core: this.core,
+      config: this.config,
       actionsClient: await plugins.actions.getActionsClientWithRequest(request),
       uiSettingsClient: coreStart.uiSettings.asScopedToClient(soClient),
       namespace: spaceId,
       esClient: {
-        asInternalUser: coreStart.elasticsearch.client.asInternalUser,
+        asInternalUser,
         asCurrentUser: coreStart.elasticsearch.client.asScoped(request).asCurrentUser,
       },
       logger: this.logger,
@@ -222,7 +122,7 @@ export class ObservabilityAIAssistantService {
             name: user.username,
           }
         : undefined,
-      knowledgeBaseService: this.kbService!,
+      knowledgeBaseService: kbService,
       scopes: scopes || ['all'],
     });
   }
diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/inference_endpoint.ts b/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/inference_endpoint.ts
index e89028652d9ac..a2993f7353c61 100644
--- a/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/inference_endpoint.ts
+++ b/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/inference_endpoint.ts
@@ -9,6 +9,7 @@ import { errors } from '@elastic/elasticsearch';
 import { ElasticsearchClient } from '@kbn/core-elasticsearch-server';
 import { Logger } from '@kbn/logging';
 import moment from 'moment';
+import { ObservabilityAIAssistantConfig } from '../config';
 
 export const AI_ASSISTANT_KB_INFERENCE_ID = 'obs_ai_assistant_kb_inference';
 
@@ -34,7 +35,7 @@ export async function createInferenceEndpoint({
           service: 'elasticsearch',
           service_settings: {
             model_id: modelId,
-            adaptive_allocations: { enabled: true },
+            adaptive_allocations: { enabled: true, min_number_of_allocations: 1 },
             num_threads: 1,
           },
           task_settings: {},
@@ -45,7 +46,7 @@ export async function createInferenceEndpoint({
       }
     );
   } catch (e) {
-    logger.error(
+    logger.debug(
       `Failed to create inference endpoint "${AI_ASSISTANT_KB_INFERENCE_ID}": ${e.message}`
     );
     throw e;
@@ -54,44 +55,30 @@ export async function createInferenceEndpoint({
 
 export async function deleteInferenceEndpoint({
   esClient,
-  logger,
 }: {
   esClient: {
     asCurrentUser: ElasticsearchClient;
   };
-  logger: Logger;
 }) {
-  try {
-    const response = await esClient.asCurrentUser.inference.delete({
-      inference_id: AI_ASSISTANT_KB_INFERENCE_ID,
-      force: true,
-    });
+  const response = await esClient.asCurrentUser.inference.delete({
+    inference_id: AI_ASSISTANT_KB_INFERENCE_ID,
+    force: true,
+  });
 
-    return response;
-  } catch (e) {
-    logger.error(`Failed to delete inference endpoint: ${e.message}`);
-    throw e;
-  }
+  return response;
 }
 
 export async function getInferenceEndpoint({
   esClient,
-  logger,
 }: {
   esClient: { asInternalUser: ElasticsearchClient };
-  logger: Logger;
 }) {
-  try {
-    const response = await esClient.asInternalUser.inference.get({
-      inference_id: AI_ASSISTANT_KB_INFERENCE_ID,
-    });
+  const response = await esClient.asInternalUser.inference.get({
+    inference_id: AI_ASSISTANT_KB_INFERENCE_ID,
+  });
 
-    if (response.endpoints.length > 0) {
-      return response.endpoints[0];
-    }
-  } catch (e) {
-    logger.error(`Failed to fetch inference endpoint: ${e.message}`);
-    throw e;
+  if (response.endpoints.length > 0) {
+    return response.endpoints[0];
   }
 }
 
@@ -102,3 +89,61 @@ export function isInferenceEndpointMissingOrUnavailable(error: Error) {
       error.body?.error?.type === 'status_exception')
   );
 }
+
+export async function getElserModelStatus({
+  esClient,
+  logger,
+  config,
+}: {
+  esClient: { asInternalUser: ElasticsearchClient };
+  logger: Logger;
+  config: ObservabilityAIAssistantConfig;
+}) {
+  let errorMessage = '';
+  const endpoint = await getInferenceEndpoint({
+    esClient,
+  }).catch((error) => {
+    if (!isInferenceEndpointMissingOrUnavailable(error)) {
+      throw error;
+    }
+    errorMessage = error.message;
+  });
+
+  const enabled = config.enableKnowledgeBase;
+  if (!endpoint) {
+    return { ready: false, enabled, errorMessage };
+  }
+
+  const modelId = endpoint.service_settings?.model_id;
+  const modelStats = await esClient.asInternalUser.ml
+    .getTrainedModelsStats({ model_id: modelId })
+    .catch((error) => {
+      logger.debug(`Failed to get model stats: ${error.message}`);
+      errorMessage = error.message;
+    });
+
+  if (!modelStats) {
+    return { ready: false, enabled, errorMessage };
+  }
+
+  const elserModelStats = modelStats.trained_model_stats.find(
+    (stats) => stats.deployment_stats?.deployment_id === AI_ASSISTANT_KB_INFERENCE_ID
+  );
+  const deploymentState = elserModelStats?.deployment_stats?.state;
+  const allocationState = elserModelStats?.deployment_stats?.allocation_status.state;
+  const allocationCount =
+    elserModelStats?.deployment_stats?.allocation_status.allocation_count ?? 0;
+  const ready =
+    deploymentState === 'started' && allocationState === 'fully_allocated' && allocationCount > 0;
+
+  return {
+    endpoint,
+    ready,
+    enabled,
+    model_stats: {
+      allocation_count: allocationCount,
+      deployment_state: deploymentState,
+      allocation_state: allocationState,
+    },
+  };
+}
diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/kb_component_template.ts b/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/kb_component_template.ts
index 6cf89b0c9e22d..49e856db29d50 100644
--- a/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/kb_component_template.ts
+++ b/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/kb_component_template.ts
@@ -62,10 +62,6 @@ export const kbComponentTemplate: ClusterComponentTemplate['component_template']
       semantic_text: {
         type: 'semantic_text',
         inference_id: AI_ASSISTANT_KB_INFERENCE_ID,
-        // @ts-expect-error: @elastic/elasticsearch does not have this type yet
-        model_settings: {
-          task_type: 'sparse_embedding',
-        },
       },
       'ml.tokens': {
         type: 'rank_features',
diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/knowledge_base_service/index.ts b/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/knowledge_base_service/index.ts
index fdde5ebb49970..1cf1cdc326fdf 100644
--- a/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/knowledge_base_service/index.ts
+++ b/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/knowledge_base_service/index.ts
@@ -20,10 +20,9 @@ import {
 import { getAccessQuery } from '../util/get_access_query';
 import { getCategoryQuery } from '../util/get_category_query';
 import {
-  AI_ASSISTANT_KB_INFERENCE_ID,
   createInferenceEndpoint,
   deleteInferenceEndpoint,
-  getInferenceEndpoint,
+  getElserModelStatus,
   isInferenceEndpointMissingOrUnavailable,
 } from '../inference_endpoint';
 import { recallFromSearchConnectors } from './recall_from_search_connectors';
@@ -61,13 +60,13 @@ export class KnowledgeBaseService {
     },
     modelId: string | undefined
   ) {
-    await deleteInferenceEndpoint({ esClient, logger: this.dependencies.logger }).catch((e) => {}); // ensure existing inference endpoint is deleted
+    await deleteInferenceEndpoint({ esClient }).catch((e) => {}); // ensure existing inference endpoint is deleted
     return createInferenceEndpoint({ esClient, logger: this.dependencies.logger, modelId });
   }
 
   async reset(esClient: { asCurrentUser: ElasticsearchClient }) {
     try {
-      await deleteInferenceEndpoint({ esClient, logger: this.dependencies.logger });
+      await deleteInferenceEndpoint({ esClient });
     } catch (error) {
       if (isInferenceEndpointMissingOrUnavailable(error)) {
         return;
@@ -437,58 +436,10 @@ export class KnowledgeBaseService {
   };
 
   getStatus = async () => {
-    let errorMessage = '';
-    const endpoint = await getInferenceEndpoint({
+    return getElserModelStatus({
       esClient: this.dependencies.esClient,
       logger: this.dependencies.logger,
-    }).catch((error) => {
-      if (!isInferenceEndpointMissingOrUnavailable(error)) {
-        throw error;
-      }
-      this.dependencies.logger.error(`Failed to get inference endpoint: ${error.message}`);
-      errorMessage = error.message;
+      config: this.dependencies.config,
     });
-
-    const enabled = this.dependencies.config.enableKnowledgeBase;
-    if (!endpoint) {
-      return { ready: false, enabled, errorMessage };
-    }
-
-    const modelId = endpoint.service_settings?.model_id;
-    const modelStats = await this.dependencies.esClient.asInternalUser.ml
-      .getTrainedModelsStats({ model_id: modelId })
-      .catch((error) => {
-        this.dependencies.logger.error(`Failed to get model stats: ${error.message}`);
-        errorMessage = error.message;
-      });
-
-    if (!modelStats) {
-      return { ready: false, enabled, errorMessage };
-    }
-
-    const elserModelStats = modelStats.trained_model_stats.find(
-      (stats) => stats.deployment_stats?.deployment_id === AI_ASSISTANT_KB_INFERENCE_ID
-    );
-    const deploymentState = elserModelStats?.deployment_stats?.state;
-    const allocationState = elserModelStats?.deployment_stats?.allocation_status.state;
-    const allocationCount =
-      elserModelStats?.deployment_stats?.allocation_status.allocation_count ?? 0;
-    const ready =
-      deploymentState === 'started' && allocationState === 'fully_allocated' && allocationCount > 0;
-
-    this.dependencies.logger.debug(
-      `Model deployment state: ${deploymentState}, allocation state: ${allocationState}, ready: ${ready}`
-    );
-
-    return {
-      endpoint,
-      ready,
-      enabled,
-      model_stats: {
-        allocation_count: allocationCount,
-        deployment_state: deploymentState,
-        allocation_state: allocationState,
-      },
-    };
   };
 }
diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/setup_conversation_and_kb_index_assets.ts b/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/setup_conversation_and_kb_index_assets.ts
new file mode 100644
index 0000000000000..30d55400bbbda
--- /dev/null
+++ b/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/setup_conversation_and_kb_index_assets.ts
@@ -0,0 +1,108 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { createConcreteWriteIndex, getDataStreamAdapter } from '@kbn/alerting-plugin/server';
+import type { CoreSetup, Logger } from '@kbn/core/server';
+import type { ObservabilityAIAssistantPluginStartDependencies } from '../types';
+import { conversationComponentTemplate } from './conversation_component_template';
+import { kbComponentTemplate } from './kb_component_template';
+import { resourceNames } from '.';
+
+export async function setupConversationAndKbIndexAssets({
+  logger,
+  core,
+}: {
+  logger: Logger;
+  core: CoreSetup<ObservabilityAIAssistantPluginStartDependencies>;
+}) {
+  try {
+    logger.debug('Setting up index assets');
+    const [coreStart] = await core.getStartServices();
+    const { asInternalUser } = coreStart.elasticsearch.client;
+
+    // Conversations: component template
+    await asInternalUser.cluster.putComponentTemplate({
+      create: false,
+      name: resourceNames.componentTemplate.conversations,
+      template: conversationComponentTemplate,
+    });
+
+    // Conversations: index template
+    await asInternalUser.indices.putIndexTemplate({
+      name: resourceNames.indexTemplate.conversations,
+      composed_of: [resourceNames.componentTemplate.conversations],
+      create: false,
+      index_patterns: [resourceNames.indexPatterns.conversations],
+      template: {
+        settings: {
+          number_of_shards: 1,
+          auto_expand_replicas: '0-1',
+          hidden: true,
+        },
+      },
+    });
+
+    // Conversations: write index
+    const conversationAliasName = resourceNames.aliases.conversations;
+    await createConcreteWriteIndex({
+      esClient: asInternalUser,
+      logger,
+      totalFieldsLimit: 10000,
+      indexPatterns: {
+        alias: conversationAliasName,
+        pattern: `${conversationAliasName}*`,
+        basePattern: `${conversationAliasName}*`,
+        name: `${conversationAliasName}-000001`,
+        template: resourceNames.indexTemplate.conversations,
+      },
+      dataStreamAdapter: getDataStreamAdapter({ useDataStreamForAlerts: false }),
+    });
+
+    // Knowledge base: component template
+    await asInternalUser.cluster.putComponentTemplate({
+      create: false,
+      name: resourceNames.componentTemplate.kb,
+      template: kbComponentTemplate,
+    });
+
+    // Knowledge base: index template
+    await asInternalUser.indices.putIndexTemplate({
+      name: resourceNames.indexTemplate.kb,
+      composed_of: [resourceNames.componentTemplate.kb],
+      create: false,
+      index_patterns: [resourceNames.indexPatterns.kb],
+      template: {
+        settings: {
+          number_of_shards: 1,
+          auto_expand_replicas: '0-1',
+          hidden: true,
+        },
+      },
+    });
+
+    // Knowledge base: write index
+    const kbAliasName = resourceNames.aliases.kb;
+    await createConcreteWriteIndex({
+      esClient: asInternalUser,
+      logger,
+      totalFieldsLimit: 10000,
+      indexPatterns: {
+        alias: kbAliasName,
+        pattern: `${kbAliasName}*`,
+        basePattern: `${kbAliasName}*`,
+        name: `${kbAliasName}-000001`,
+        template: resourceNames.indexTemplate.kb,
+      },
+      dataStreamAdapter: getDataStreamAdapter({ useDataStreamForAlerts: false }),
+    });
+
+    logger.info('Successfully set up index assets');
+  } catch (error) {
+    logger.error(`Failed setting up index assets: ${error.message}`);
+    logger.debug(error);
+  }
+}
diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/task_manager_definitions/register_migrate_knowledge_base_entries_task.ts b/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/task_manager_definitions/register_migrate_knowledge_base_entries_task.ts
index 3df125ab2ba2d..b75074dc7ea54 100644
--- a/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/task_manager_definitions/register_migrate_knowledge_base_entries_task.ts
+++ b/x-pack/plugins/observability_solution/observability_ai_assistant/server/service/task_manager_definitions/register_migrate_knowledge_base_entries_task.ts
@@ -12,8 +12,10 @@ import type { CoreSetup, Logger } from '@kbn/core/server';
 import pRetry from 'p-retry';
 import { KnowledgeBaseEntry } from '../../../common';
 import { resourceNames } from '..';
-import { getInferenceEndpoint } from '../inference_endpoint';
+import { getElserModelStatus } from '../inference_endpoint';
 import { ObservabilityAIAssistantPluginStartDependencies } from '../../types';
+import { ObservabilityAIAssistantConfig } from '../../config';
+import { setupConversationAndKbIndexAssets } from '../setup_conversation_and_kb_index_assets';
 
 const TASK_ID = 'obs-ai-assistant:knowledge-base-migration-task-id';
 const TASK_TYPE = 'obs-ai-assistant:knowledge-base-migration';
@@ -25,36 +27,66 @@ export async function registerMigrateKnowledgeBaseEntriesTask({
   taskManager,
   logger,
   core,
+  config,
 }: {
   taskManager: TaskManagerSetupContract;
   logger: Logger;
   core: CoreSetup<ObservabilityAIAssistantPluginStartDependencies>;
+  config: ObservabilityAIAssistantConfig;
 }) {
-  logger.debug(`Register task "${TASK_TYPE}"`);
-
   const [coreStart, pluginsStart] = await core.getStartServices();
 
-  taskManager.registerTaskDefinitions({
-    [TASK_TYPE]: {
-      title: 'Migrate AI Assistant Knowledge Base',
-      description: `Migrates AI Assistant knowledge base entries`,
-      timeout: '1h',
-      maxAttempts: 5,
-      createTaskRunner() {
-        return {
-          async run() {
-            logger.debug(`Run task: "${TASK_TYPE}"`);
-
-            const esClient = { asInternalUser: coreStart.elasticsearch.client.asInternalUser };
-            await runSemanticTextKnowledgeBaseMigration({ esClient, logger });
-          },
-        };
+  try {
+    logger.debug(`Register task "${TASK_TYPE}"`);
+    taskManager.registerTaskDefinitions({
+      [TASK_TYPE]: {
+        title: 'Migrate AI Assistant Knowledge Base',
+        description: `Migrates AI Assistant knowledge base entries`,
+        timeout: '1h',
+        maxAttempts: 5,
+        createTaskRunner() {
+          return {
+            async run() {
+              logger.debug(`Run task: "${TASK_TYPE}"`);
+              const esClient = coreStart.elasticsearch.client;
+
+              const hasKbIndex = await esClient.asInternalUser.indices.exists({
+                index: resourceNames.aliases.kb,
+              });
+
+              if (!hasKbIndex) {
+                logger.debug(
+                  'Knowledge base index does not exist. Skipping semantic text migration.'
+                );
+                return;
+              }
+
+              // update fields and mappings
+              await setupConversationAndKbIndexAssets({ logger, core });
+
+              // run migration
+              await runSemanticTextKnowledgeBaseMigration({ esClient, logger, config });
+            },
+          };
+        },
       },
-    },
-  });
+    });
+  } catch (error) {
+    logger.error(`Failed to register task "${TASK_TYPE}". Error: ${error}`);
+  }
+
+  try {
+    logger.debug(`Scheduled task: "${TASK_TYPE}"`);
+    await scheduleSemanticTextMigration(pluginsStart);
+  } catch (error) {
+    logger.error(`Failed to schedule task "${TASK_TYPE}". Error: ${error}`);
+  }
+}
 
-  logger.debug(`Scheduled task: "${TASK_TYPE}"`);
-  await pluginsStart.taskManager.ensureScheduled({
+export function scheduleSemanticTextMigration(
+  pluginsStart: ObservabilityAIAssistantPluginStartDependencies
+) {
+  return pluginsStart.taskManager.ensureScheduled({
     id: TASK_ID,
     taskType: TASK_TYPE,
     scope: ['aiAssistant'],
@@ -66,9 +98,11 @@ export async function registerMigrateKnowledgeBaseEntriesTask({
 export async function runSemanticTextKnowledgeBaseMigration({
   esClient,
   logger,
+  config,
 }: {
   esClient: { asInternalUser: ElasticsearchClient };
   logger: Logger;
+  config: ObservabilityAIAssistantConfig;
 }) {
   logger.debug('Knowledge base migration: Running migration');
 
@@ -98,7 +132,7 @@ export async function runSemanticTextKnowledgeBaseMigration({
 
     logger.debug(`Knowledge base migration: Found ${response.hits.hits.length} entries to migrate`);
 
-    await waitForInferenceEndpoint({ esClient, logger });
+    await waitForModel({ esClient, logger, config });
 
     // Limit the number of concurrent requests to avoid overloading the cluster
     const limiter = pLimit(10);
@@ -109,6 +143,7 @@ export async function runSemanticTextKnowledgeBaseMigration({
         }
 
         return esClient.asInternalUser.update({
+          refresh: 'wait_for',
           index: resourceNames.aliases.kb,
           id: hit._id,
           body: {
@@ -123,27 +158,29 @@ export async function runSemanticTextKnowledgeBaseMigration({
 
     await Promise.all(promises);
     logger.debug(`Knowledge base migration: Migrated ${promises.length} entries`);
-    await runSemanticTextKnowledgeBaseMigration({ esClient, logger });
+    await runSemanticTextKnowledgeBaseMigration({ esClient, logger, config });
   } catch (e) {
-    logger.error('Knowledge base migration: Failed to migrate entries');
-    logger.error(e);
+    logger.error(`Knowledge base migration failed: ${e.message}`);
   }
 }
 
-async function waitForInferenceEndpoint({
+async function waitForModel({
   esClient,
   logger,
+  config,
 }: {
   esClient: { asInternalUser: ElasticsearchClient };
   logger: Logger;
+  config: ObservabilityAIAssistantConfig;
 }) {
   return pRetry(
     async () => {
-      const endpoint = await getInferenceEndpoint({ esClient, logger });
-      if (!endpoint) {
-        throw new Error('Inference endpoint not yet ready');
+      const { ready } = await getElserModelStatus({ esClient, logger, config });
+      if (!ready) {
+        logger.debug('Elser model is not yet ready. Retrying...');
+        throw new Error('Elser model is not yet ready');
       }
     },
-    { retries: 20, factor: 2 }
+    { retries: 30, factor: 2, maxTimeout: 30_000 }
   );
 }