From 49ebd28e257912cc942276b8072025088dc13997 Mon Sep 17 00:00:00 2001
From: semd <sergi.massaneda@elastic.co>
Date: Tue, 10 Aug 2021 21:06:12 +0200
Subject: [PATCH 01/16] use rac alerts bulk_update

---
 ...te_old_security_solution_alert_by_query.sh |  6 +-
 .../common/experimental_features.ts           |  2 +-
 .../routes/index/signal_aad_mapping.json      |  2 +-
 .../public/components/t_grid/body/index.tsx   |  8 +++
 .../public/components/t_grid/helpers.tsx      | 62 +++++++++++++++----
 .../components/t_grid/integrated/index.tsx    | 26 +++++++-
 .../components/t_grid/standalone/index.tsx    | 26 +++++++-
 .../alert_status_bulk_actions.tsx             |  8 ++-
 .../public/container/use_update_alerts.ts     | 20 +++---
 .../hooks/use_status_bulk_action_items.tsx    | 15 +++--
 .../server/search_strategy/timeline/index.ts  | 13 ++--
 11 files changed, 154 insertions(+), 34 deletions(-)

diff --git a/x-pack/plugins/rule_registry/server/scripts/bulk_update_old_security_solution_alert_by_query.sh b/x-pack/plugins/rule_registry/server/scripts/bulk_update_old_security_solution_alert_by_query.sh
index 8725e791d8efa..08cb22d5e4976 100755
--- a/x-pack/plugins/rule_registry/server/scripts/bulk_update_old_security_solution_alert_by_query.sh
+++ b/x-pack/plugins/rule_registry/server/scripts/bulk_update_old_security_solution_alert_by_query.sh
@@ -20,9 +20,9 @@ cd ../observer && sh ./post_detections_role.sh && sh ./post_detections_user.sh
 cd ..
 
 # Example: ./update_observability_alert.sh "kibana.rac.alert.stats: open" <closed | open>
-curl -s -k \
+curl -v \
  -H 'Content-Type: application/json' \
  -H 'kbn-xsrf: 123' \
  -u hunter:changeme \
- -X POST ${KIBANA_URL}${SPACE_URL}/internal/rac/alerts/bulk_update \
--d "{\"query\": \"$QUERY\", \"status\":\"$STATUS\", \"index\":\".siem-signals*\"}" | jq .
+ -X POST ${KIBANA_URL}/internal/rac/alerts/bulk_update \
+-d "{\"ids\": [\"cf2b7bf9b224c5ca9b4080ebf7a0ee0e1556898633cca169913482f5664a8a04\"], \"status\":\"open\", \"index\":\".siem-signals*\"}" 
diff --git a/x-pack/plugins/security_solution/common/experimental_features.ts b/x-pack/plugins/security_solution/common/experimental_features.ts
index 0ae42d4baaec4..a474ae602fab2 100644
--- a/x-pack/plugins/security_solution/common/experimental_features.ts
+++ b/x-pack/plugins/security_solution/common/experimental_features.ts
@@ -14,7 +14,7 @@ export type ExperimentalFeatures = typeof allowedExperimentalValues;
 export const allowedExperimentalValues = Object.freeze({
   metricsEntitiesEnabled: false,
   ruleRegistryEnabled: false,
-  tGridEnabled: false,
+  tGridEnabled: true,
   trustedAppsByPolicyEnabled: false,
   excludePoliciesInFilterEnabled: false,
   uebaEnabled: false,
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
index 066fdbc87f906..59f8b9db827be 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
@@ -83,7 +83,7 @@
   "signal.rule.updated_at": "kibana.alert.rule.updated_at",
   "signal.rule.updated_by": "kibana.alert.rule.updated_by",
   "signal.rule.version": "kibana.alert.rule.version",
-  "signal.status": "kibana.alert.workflow_status",
+  "signal.status": "kibana.alert.status",
   "signal.threshold_result.from": "kibana.alert.threshold_result.from",
   "signal.threshold_result.terms.field": "kibana.alert.threshold_result.terms.field",
   "signal.threshold_result.terms.value": "kibana.alert.threshold_result.terms.value",
diff --git a/x-pack/plugins/timelines/public/components/t_grid/body/index.tsx b/x-pack/plugins/timelines/public/components/t_grid/body/index.tsx
index cc94f901446a7..ab104ea8e438b 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/body/index.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/body/index.tsx
@@ -74,6 +74,7 @@ interface OwnProps {
   activePage: number;
   additionalControls?: React.ReactNode;
   browserFields: BrowserFields;
+  filterQuery: string;
   data: TimelineItem[];
   defaultCellActions?: TGridCellAction[];
   id: string;
@@ -90,6 +91,7 @@ interface OwnProps {
   filterStatus?: AlertStatus;
   unit?: (total: number) => React.ReactNode;
   onRuleChange?: () => void;
+  indexNames: string[];
   refetch: Refetch;
 }
 
@@ -225,6 +227,7 @@ export const BodyComponent = React.memo<StatefulBodyProps>(
     activePage,
     additionalControls,
     browserFields,
+    filterQuery,
     columnHeaders,
     data,
     defaultCellActions,
@@ -250,6 +253,7 @@ export const BodyComponent = React.memo<StatefulBodyProps>(
     unit = basicUnit,
     leadingControlColumns = EMPTY_CONTROL_COLUMNS,
     trailingControlColumns = EMPTY_CONTROL_COLUMNS,
+    indexNames,
     refetch,
   }) => {
     const dispatch = useDispatch();
@@ -337,6 +341,8 @@ export const BodyComponent = React.memo<StatefulBodyProps>(
                     id={id}
                     totalItems={totalItems}
                     filterStatus={filterStatus}
+                    query={filterQuery}
+                    indexName={indexNames.join(',')}
                     onActionSuccess={onAlertStatusActionSuccess}
                     onActionFailure={onAlertStatusActionFailure}
                     refetch={refetch}
@@ -375,7 +381,9 @@ export const BodyComponent = React.memo<StatefulBodyProps>(
         alertCountText,
         totalItems,
         filterStatus,
+        filterQuery,
         browserFields,
+        indexNames,
         columnHeaders,
         additionalControls,
         showBulkActions,
diff --git a/x-pack/plugins/timelines/public/components/t_grid/helpers.tsx b/x-pack/plugins/timelines/public/components/t_grid/helpers.tsx
index 58d92c5f47f29..6044c868ef089 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/helpers.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/helpers.tsx
@@ -15,7 +15,7 @@ import {
   handleSkipFocus,
   stopPropagationAndPreventDefault,
 } from '../../../common';
-import type { IIndexPattern } from '../../../../../../src/plugins/data/public';
+import { esFilters, IIndexPattern } from '../../../../../../src/plugins/data/public';
 import type { BrowserFields } from '../../../common/search_strategy/index_fields';
 import { DataProviderType, EXISTS_OPERATOR } from '../../../common/types/timeline';
 import type { DataProvider, DataProvidersAnd } from '../../../common/types/timeline';
@@ -133,6 +133,17 @@ export const buildGlobalQuery = (dataProviders: DataProvider[], browserFields: B
       return !index ? `(${queryMatch})` : `${globalQuery} or (${queryMatch})`;
     }, '');
 
+interface CombineQueries {
+  config: EsQueryConfig;
+  dataProviders: DataProvider[];
+  indexPattern: IIndexPattern;
+  browserFields: BrowserFields;
+  filters: Filter[];
+  kqlQuery: Query;
+  kqlMode: string;
+  isEventViewer?: boolean;
+}
+
 export const combineQueries = ({
   config,
   dataProviders,
@@ -142,16 +153,7 @@ export const combineQueries = ({
   kqlQuery,
   kqlMode,
   isEventViewer,
-}: {
-  config: EsQueryConfig;
-  dataProviders: DataProvider[];
-  indexPattern: IIndexPattern;
-  browserFields: BrowserFields;
-  filters: Filter[];
-  kqlQuery: Query;
-  kqlMode: string;
-  isEventViewer?: boolean;
-}): { filterQuery: string } | null => {
+}: CombineQueries): { filterQuery: string } | null => {
   const kuery: Query = { query: '', language: kqlQuery.language };
   if (isEmpty(dataProviders) && isEmpty(kqlQuery.query) && isEmpty(filters) && !isEventViewer) {
     return null;
@@ -184,6 +186,44 @@ export const combineQueries = ({
   };
 };
 
+export const buildTimeRangeFilter = (from: string, to: string): Filter =>
+  ({
+    range: {
+      '@timestamp': {
+        gte: from,
+        lt: to,
+        format: 'strict_date_optional_time',
+      },
+    },
+    meta: {
+      type: 'range',
+      disabled: false,
+      negate: false,
+      alias: null,
+      key: '@timestamp',
+      params: {
+        gte: from,
+        lt: to,
+        format: 'strict_date_optional_time',
+      },
+    },
+    $state: {
+      store: esFilters.FilterStateStore.APP_STATE,
+    },
+  } as Filter);
+
+export const getCombinedFilterQuery = ({
+  from,
+  to,
+  filters,
+  ...combineQueriesParams
+}: CombineQueries & { from: string; to: string }): string => {
+  return combineQueries({
+    ...combineQueriesParams,
+    filters: [...filters, buildTimeRangeFilter(from, to)],
+  })!.filterQuery;
+};
+
 /**
  * The CSS class name of a "stateful event", which appears in both
  * the `Timeline` and the `Events Viewer` widget
diff --git a/x-pack/plugins/timelines/public/components/t_grid/integrated/index.tsx b/x-pack/plugins/timelines/public/components/t_grid/integrated/index.tsx
index 36b5537eb3010..49a187b8aeada 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/integrated/index.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/integrated/index.tsx
@@ -35,7 +35,12 @@ import {
 } from '../../../../../../../src/plugins/data/public';
 import { useDeepEqualSelector } from '../../../hooks/use_selector';
 import { defaultHeaders } from '../body/column_headers/default_headers';
-import { calculateTotalPages, combineQueries, resolverIsShowing } from '../helpers';
+import {
+  calculateTotalPages,
+  combineQueries,
+  getCombinedFilterQuery,
+  resolverIsShowing,
+} from '../helpers';
 import { tGridActions, tGridSelectors } from '../../../store/t_grid';
 import { useTimelineEvents } from '../../../container';
 import { HeaderSection } from '../header_section';
@@ -253,6 +258,23 @@ const TGridIntegratedComponent: React.FC<TGridIntegratedProps> = ({
     data,
   });
 
+  const filterQuery = useMemo(
+    () =>
+      getCombinedFilterQuery({
+        config: esQuery.getEsQueryConfig(uiSettings),
+        dataProviders,
+        indexPattern,
+        browserFields,
+        filters,
+        kqlQuery: query,
+        kqlMode,
+        isEventViewer: true,
+        from: start,
+        to: end,
+      }),
+    [uiSettings, dataProviders, indexPattern, browserFields, filters, start, end, query, kqlMode]
+  );
+
   const totalCountMinusDeleted = useMemo(
     () => (totalCount > 0 ? totalCount - deletedEventIds.length : 0),
     [deletedEventIds.length, totalCount]
@@ -311,6 +333,7 @@ const TGridIntegratedComponent: React.FC<TGridIntegratedProps> = ({
                   <StatefulBody
                     activePage={pageInfo.activePage}
                     browserFields={browserFields}
+                    filterQuery={filterQuery}
                     data={nonDeletedEvents}
                     defaultCellActions={defaultCellActions}
                     id={id}
@@ -330,6 +353,7 @@ const TGridIntegratedComponent: React.FC<TGridIntegratedProps> = ({
                     leadingControlColumns={leadingControlColumns}
                     trailingControlColumns={trailingControlColumns}
                     refetch={refetch}
+                    indexNames={indexNames}
                   />
                   <Footer
                     activePage={pageInfo.activePage}
diff --git a/x-pack/plugins/timelines/public/components/t_grid/standalone/index.tsx b/x-pack/plugins/timelines/public/components/t_grid/standalone/index.tsx
index df8a5897bfcd1..af46fb3cd92e0 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/standalone/index.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/standalone/index.tsx
@@ -33,7 +33,12 @@ import {
 } from '../../../../../../../src/plugins/data/public';
 import { useDeepEqualSelector } from '../../../hooks/use_selector';
 import { defaultHeaders } from '../body/column_headers/default_headers';
-import { calculateTotalPages, combineQueries, resolverIsShowing } from '../helpers';
+import {
+  calculateTotalPages,
+  combineQueries,
+  getCombinedFilterQuery,
+  resolverIsShowing,
+} from '../helpers';
 import { tGridActions, tGridSelectors } from '../../../store/t_grid';
 import { useTimelineEvents } from '../../../container';
 import { HeaderSection } from '../header_section';
@@ -263,6 +268,23 @@ const TGridStandaloneComponent: React.FC<TGridStandaloneProps> = ({
     [headerFilterGroup, graphEventId]
   );
 
+  const filterQuery = useMemo(
+    () =>
+      getCombinedFilterQuery({
+        config: esQuery.getEsQueryConfig(uiSettings),
+        dataProviders: EMPTY_DATA_PROVIDERS,
+        indexPattern: indexPatterns,
+        browserFields,
+        filters,
+        kqlQuery: query,
+        kqlMode: 'search',
+        isEventViewer: true,
+        from: start,
+        to: end,
+      }),
+    [uiSettings, indexPatterns, browserFields, filters, query, start, end]
+  );
+
   useEffect(() => {
     setIsQueryLoading(loading);
   }, [loading]);
@@ -327,6 +349,7 @@ const TGridStandaloneComponent: React.FC<TGridStandaloneProps> = ({
                   <StatefulBody
                     activePage={pageInfo.activePage}
                     browserFields={browserFields}
+                    filterQuery={filterQuery}
                     data={nonDeletedEvents}
                     defaultCellActions={defaultCellActions}
                     id={STANDALONE_ID}
@@ -346,6 +369,7 @@ const TGridStandaloneComponent: React.FC<TGridStandaloneProps> = ({
                     leadingControlColumns={leadingControlColumns}
                     trailingControlColumns={trailingControlColumns}
                     refetch={refetch}
+                    indexNames={indexNames}
                   />
                   <Footer
                     activePage={pageInfo.activePage}
diff --git a/x-pack/plugins/timelines/public/components/t_grid/toolbar/bulk_actions/alert_status_bulk_actions.tsx b/x-pack/plugins/timelines/public/components/t_grid/toolbar/bulk_actions/alert_status_bulk_actions.tsx
index ef1f7e524ef5f..2ed52c0a66c07 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/toolbar/bulk_actions/alert_status_bulk_actions.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/toolbar/bulk_actions/alert_status_bulk_actions.tsx
@@ -27,6 +27,8 @@ interface OwnProps {
   id: string;
   totalItems: number;
   filterStatus?: AlertStatus;
+  query: string;
+  indexName: string;
   onActionSuccess?: OnAlertStatusActionSuccess;
   onActionFailure?: OnAlertStatusActionFailure;
   refetch: Refetch;
@@ -42,9 +44,11 @@ export const AlertStatusBulkActionsComponent = React.memo<StatefulAlertStatusBul
     id,
     totalItems,
     filterStatus,
+    query,
     selectedEventIds,
     isSelectAllChecked,
     clearSelected,
+    indexName,
     onActionSuccess,
     onActionFailure,
     refetch,
@@ -145,8 +149,10 @@ export const AlertStatusBulkActionsComponent = React.memo<StatefulAlertStatusBul
     );
 
     const statusBulkActionItems = useStatusBulkActionItems({
-      currentStatus: filterStatus,
+      indexName,
       eventIds: Object.keys(selectedEventIds),
+      currentStatus: filterStatus,
+      ...(isSelectAllChecked ? { query } : {}),
       setEventsLoading,
       setEventsDeleted,
       onUpdateSuccess: onAlertStatusUpdateSuccess,
diff --git a/x-pack/plugins/timelines/public/container/use_update_alerts.ts b/x-pack/plugins/timelines/public/container/use_update_alerts.ts
index 7576c831554cd..b4bbcd6b67b4a 100644
--- a/x-pack/plugins/timelines/public/container/use_update_alerts.ts
+++ b/x-pack/plugins/timelines/public/container/use_update_alerts.ts
@@ -9,7 +9,8 @@ import { UpdateDocumentByQueryResponse } from 'elasticsearch';
 import { useKibana } from '../../../../../src/plugins/kibana_react/public';
 import { AlertStatus } from '../../../timelines/common';
 
-export const DETECTION_ENGINE_SIGNALS_STATUS_URL = '/api/detection_engine/signals/status';
+// export const DETECTION_ENGINE_SIGNALS_STATUS_URL = '/api/detection_engine/signals/status';
+export const RAC_ALERTS_BULK_UPDATE_URL = '/internal/rac/alerts/bulk_update';
 
 /**
  * Update alert status by query
@@ -22,17 +23,22 @@ export const DETECTION_ENGINE_SIGNALS_STATUS_URL = '/api/detection_engine/signal
  */
 export const useUpdateAlertsStatus = (): {
   updateAlertStatus: (params: {
-    query: object;
     status: AlertStatus;
+    index: string;
+    ids?: string[];
+    query?: object;
   }) => Promise<UpdateDocumentByQueryResponse>;
 } => {
   const { http } = useKibana().services;
-
   return {
-    updateAlertStatus: ({ query, status }) =>
-      http!.fetch(DETECTION_ENGINE_SIGNALS_STATUS_URL, {
+    updateAlertStatus: ({ status: alertStatus, index, ids, query }) => {
+      const status: string = alertStatus === 'in-progress' ? 'acknowledged' : alertStatus;
+      console.log({ index, status, query, ids });
+
+      return http!.fetch(RAC_ALERTS_BULK_UPDATE_URL, {
         method: 'POST',
-        body: JSON.stringify({ status, query }),
-      }),
+        body: JSON.stringify({ index, status, ...(query ? { query } : { ids }) }),
+      });
+    },
   };
 };
diff --git a/x-pack/plugins/timelines/public/hooks/use_status_bulk_action_items.tsx b/x-pack/plugins/timelines/public/hooks/use_status_bulk_action_items.tsx
index 69d7ad36324de..1820681edce77 100644
--- a/x-pack/plugins/timelines/public/hooks/use_status_bulk_action_items.tsx
+++ b/x-pack/plugins/timelines/public/hooks/use_status_bulk_action_items.tsx
@@ -26,6 +26,7 @@ export interface StatusBulkActionsProps {
   eventIds: string[];
   currentStatus?: AlertStatus;
   query?: string;
+  indexName: string;
   setEventsLoading: (param: SetEventsLoadingProps) => void;
   setEventsDeleted: ({ eventIds, isDeleted }: SetEventsDeletedProps) => void;
   onUpdateSuccess: (updated: number, conflicts: number, status: AlertStatus) => void;
@@ -40,6 +41,7 @@ export const useStatusBulkActionItems = ({
   eventIds,
   currentStatus,
   query,
+  indexName,
   setEventsLoading,
   setEventsDeleted,
   onUpdateSuccess,
@@ -52,8 +54,12 @@ export const useStatusBulkActionItems = ({
       try {
         setEventsLoading({ eventIds, isLoading: true });
 
-        const queryObject = query ? JSON.parse(query) : getUpdateAlertsQuery(eventIds);
-        const response = await updateAlertStatus({ query: queryObject, status });
+        const response = await updateAlertStatus({
+          index: indexName,
+          status,
+          ...(query ? { query: JSON.parse(query) } : { ids: eventIds }),
+        });
+
         // TODO: Only delete those that were successfully updated from updatedRules
         setEventsDeleted({ eventIds, isDeleted: true });
 
@@ -69,10 +75,11 @@ export const useStatusBulkActionItems = ({
       }
     },
     [
-      eventIds,
-      query,
       setEventsLoading,
+      eventIds,
       updateAlertStatus,
+      indexName,
+      query,
       setEventsDeleted,
       onUpdateSuccess,
       onUpdateFailure,
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/index.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/index.ts
index dfba32f8a238c..a582214a05595 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/index.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/index.ts
@@ -9,7 +9,8 @@ import { ALERT_OWNER, RULE_ID, SPACE_IDS } from '@kbn/rule-data-utils';
 import { map, mergeMap, catchError } from 'rxjs/operators';
 import { from } from 'rxjs';
 import {
-  isValidFeatureId,
+  // TODO: Undo comment in fix here https://github.com/elastic/kibana/pull/107857
+  // isValidFeatureId,
   mapConsumerToIndexName,
   AlertConsumers,
 } from '@kbn/rule-data-utils/target/alerts_as_data_rbac';
@@ -49,7 +50,9 @@ export const timelineSearchStrategyProvider = <T extends TimelineFactoryQueryTyp
     search: (request, options, deps) => {
       const factoryQueryType = request.factoryQueryType;
       const entityType = request.entityType;
-      const alertConsumers = request.alertConsumers;
+      let alertConsumers = request.alertConsumers;
+      // TODO: Remove in fix here https://github.com/elastic/kibana/pull/107857
+      alertConsumers = undefined;
 
       if (factoryQueryType == null) {
         throw new Error('factoryQueryType is required');
@@ -58,7 +61,9 @@ export const timelineSearchStrategyProvider = <T extends TimelineFactoryQueryTyp
       const queryFactory: TimelineFactory<T> = timelineFactory[factoryQueryType];
 
       if (alertConsumers != null && entityType != null && entityType === EntityType.ALERTS) {
-        const allFeatureIdsValid = alertConsumers.every((id) => isValidFeatureId(id));
+        // TODO: Thist won't be hit since alertConsumers = undefined
+        // TODO: remove in fix here https://github.com/elastic/kibana/pull/107857
+        const allFeatureIdsValid = null; // alertConsumers.every((id) => isValidFeatureId(id));
 
         if (!allFeatureIdsValid) {
           throw new Error('An invalid alerts consumer feature id was provided');
@@ -162,4 +167,4 @@ const timelineAlertsSearchStrategy = <T extends TimelineFactoryQueryTypes>({
       throw err;
     })
   );
-};
+};
\ No newline at end of file

From 74e64b1c27e9b770987d94bc71a070245a8c2405 Mon Sep 17 00:00:00 2001
From: semd <sergi.massaneda@elastic.co>
Date: Tue, 10 Aug 2021 21:15:36 +0200
Subject: [PATCH 02/16] cleanup

---
 ...k_update_old_security_solution_alert_by_query.sh |  6 +++---
 .../common/experimental_features.ts                 |  2 +-
 .../server/search_strategy/timeline/index.ts        | 13 ++++---------
 3 files changed, 8 insertions(+), 13 deletions(-)

diff --git a/x-pack/plugins/rule_registry/server/scripts/bulk_update_old_security_solution_alert_by_query.sh b/x-pack/plugins/rule_registry/server/scripts/bulk_update_old_security_solution_alert_by_query.sh
index 08cb22d5e4976..8725e791d8efa 100755
--- a/x-pack/plugins/rule_registry/server/scripts/bulk_update_old_security_solution_alert_by_query.sh
+++ b/x-pack/plugins/rule_registry/server/scripts/bulk_update_old_security_solution_alert_by_query.sh
@@ -20,9 +20,9 @@ cd ../observer && sh ./post_detections_role.sh && sh ./post_detections_user.sh
 cd ..
 
 # Example: ./update_observability_alert.sh "kibana.rac.alert.stats: open" <closed | open>
-curl -v \
+curl -s -k \
  -H 'Content-Type: application/json' \
  -H 'kbn-xsrf: 123' \
  -u hunter:changeme \
- -X POST ${KIBANA_URL}/internal/rac/alerts/bulk_update \
--d "{\"ids\": [\"cf2b7bf9b224c5ca9b4080ebf7a0ee0e1556898633cca169913482f5664a8a04\"], \"status\":\"open\", \"index\":\".siem-signals*\"}" 
+ -X POST ${KIBANA_URL}${SPACE_URL}/internal/rac/alerts/bulk_update \
+-d "{\"query\": \"$QUERY\", \"status\":\"$STATUS\", \"index\":\".siem-signals*\"}" | jq .
diff --git a/x-pack/plugins/security_solution/common/experimental_features.ts b/x-pack/plugins/security_solution/common/experimental_features.ts
index a474ae602fab2..0ae42d4baaec4 100644
--- a/x-pack/plugins/security_solution/common/experimental_features.ts
+++ b/x-pack/plugins/security_solution/common/experimental_features.ts
@@ -14,7 +14,7 @@ export type ExperimentalFeatures = typeof allowedExperimentalValues;
 export const allowedExperimentalValues = Object.freeze({
   metricsEntitiesEnabled: false,
   ruleRegistryEnabled: false,
-  tGridEnabled: true,
+  tGridEnabled: false,
   trustedAppsByPolicyEnabled: false,
   excludePoliciesInFilterEnabled: false,
   uebaEnabled: false,
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/index.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/index.ts
index a582214a05595..dfba32f8a238c 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/index.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/index.ts
@@ -9,8 +9,7 @@ import { ALERT_OWNER, RULE_ID, SPACE_IDS } from '@kbn/rule-data-utils';
 import { map, mergeMap, catchError } from 'rxjs/operators';
 import { from } from 'rxjs';
 import {
-  // TODO: Undo comment in fix here https://github.com/elastic/kibana/pull/107857
-  // isValidFeatureId,
+  isValidFeatureId,
   mapConsumerToIndexName,
   AlertConsumers,
 } from '@kbn/rule-data-utils/target/alerts_as_data_rbac';
@@ -50,9 +49,7 @@ export const timelineSearchStrategyProvider = <T extends TimelineFactoryQueryTyp
     search: (request, options, deps) => {
       const factoryQueryType = request.factoryQueryType;
       const entityType = request.entityType;
-      let alertConsumers = request.alertConsumers;
-      // TODO: Remove in fix here https://github.com/elastic/kibana/pull/107857
-      alertConsumers = undefined;
+      const alertConsumers = request.alertConsumers;
 
       if (factoryQueryType == null) {
         throw new Error('factoryQueryType is required');
@@ -61,9 +58,7 @@ export const timelineSearchStrategyProvider = <T extends TimelineFactoryQueryTyp
       const queryFactory: TimelineFactory<T> = timelineFactory[factoryQueryType];
 
       if (alertConsumers != null && entityType != null && entityType === EntityType.ALERTS) {
-        // TODO: Thist won't be hit since alertConsumers = undefined
-        // TODO: remove in fix here https://github.com/elastic/kibana/pull/107857
-        const allFeatureIdsValid = null; // alertConsumers.every((id) => isValidFeatureId(id));
+        const allFeatureIdsValid = alertConsumers.every((id) => isValidFeatureId(id));
 
         if (!allFeatureIdsValid) {
           throw new Error('An invalid alerts consumer feature id was provided');
@@ -167,4 +162,4 @@ const timelineAlertsSearchStrategy = <T extends TimelineFactoryQueryTypes>({
       throw err;
     })
   );
-};
\ No newline at end of file
+};

From 73b97e32887ab16c9290c858669230d07fedabd5 Mon Sep 17 00:00:00 2001
From: Devin Hurley <devin.hurley@elastic.co>
Date: Wed, 11 Aug 2021 17:54:23 -0400
Subject: [PATCH 03/16] adds replace ALERT_STATUS with ALERT_WORKFLOW_STATUS
 and updates tests and adds logic for switching between signal.status and
 workflow status when updating alerts in .siem-signals

---
 .../server/alert_data_client/alerts_client.ts      | 14 +++++++++-----
 .../server/alert_data_client/tests/update.test.ts  |  2 +-
 .../routes/index/signal_aad_mapping.json           |  2 +-
 .../es_archives/rule_registry/alerts/data.json     | 14 +++++++-------
 .../tests/basic/bulk_update_alerts.ts              |  4 +++-
 5 files changed, 21 insertions(+), 15 deletions(-)

diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
index 2a7419b20570e..2a24262499e06 100644
--- a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
@@ -28,7 +28,7 @@ import { Logger, ElasticsearchClient, EcsEventOutcome } from '../../../../../src
 import { alertAuditEvent, operationAlertAuditActionMap } from './audit_events';
 import { AuditLogger } from '../../../security/server';
 import {
-  ALERT_STATUS,
+  ALERT_WORKFLOW_STATUS,
   ALERT_OWNER,
   RULE_ID,
   SPACE_IDS,
@@ -296,7 +296,11 @@ export class AlertsClient {
           },
         },
         {
-          doc: { [ALERT_STATUS]: status },
+          doc: {
+            [item?._source?.[ALERT_WORKFLOW_STATUS] == null
+              ? 'signal.status'
+              : ALERT_WORKFLOW_STATUS]: status,
+          },
         },
       ]);
 
@@ -464,7 +468,7 @@ export class AlertsClient {
         index,
         body: {
           doc: {
-            [ALERT_STATUS]: status,
+            [ALERT_WORKFLOW_STATUS]: status,
           },
         },
         refresh: 'wait_for',
@@ -516,8 +520,8 @@ export class AlertsClient {
           refresh: true,
           body: {
             script: {
-              source: `if (ctx._source['${ALERT_STATUS}'] != null) {
-                ctx._source['${ALERT_STATUS}'] = '${status}'
+              source: `if (ctx._source['${ALERT_WORKFLOW_STATUS}'] != null) {
+                ctx._source['${ALERT_WORKFLOW_STATUS}'] = '${status}'
               }
               if (ctx._source['signal.status'] != null) {
                 ctx._source['signal.status'] = '${status}'
diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/tests/update.test.ts b/x-pack/plugins/rule_registry/server/alert_data_client/tests/update.test.ts
index 435b6e310ffdf..f0426bb1cef00 100644
--- a/x-pack/plugins/rule_registry/server/alert_data_client/tests/update.test.ts
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/tests/update.test.ts
@@ -134,7 +134,7 @@ describe('update()', () => {
         Object {
           "body": Object {
             "doc": Object {
-              "${ALERT_STATUS}": "closed",
+              "kibana.alert.workflow_status": "closed",
             },
           },
           "id": "1",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
index 59f8b9db827be..066fdbc87f906 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
@@ -83,7 +83,7 @@
   "signal.rule.updated_at": "kibana.alert.rule.updated_at",
   "signal.rule.updated_by": "kibana.alert.rule.updated_by",
   "signal.rule.version": "kibana.alert.rule.version",
-  "signal.status": "kibana.alert.status",
+  "signal.status": "kibana.alert.workflow_status",
   "signal.threshold_result.from": "kibana.alert.threshold_result.from",
   "signal.threshold_result.terms.field": "kibana.alert.threshold_result.terms.field",
   "signal.threshold_result.terms.value": "kibana.alert.threshold_result.terms.value",
diff --git a/x-pack/test/functional/es_archives/rule_registry/alerts/data.json b/x-pack/test/functional/es_archives/rule_registry/alerts/data.json
index 940ebe5321b9d..9f02058ac69ff 100644
--- a/x-pack/test/functional/es_archives/rule_registry/alerts/data.json
+++ b/x-pack/test/functional/es_archives/rule_registry/alerts/data.json
@@ -9,7 +9,7 @@
       "rule.id": "apm.error_rate",
       "message": "hello world 1",
       "kibana.alert.owner": "apm",
-      "kibana.alert.status": "open",
+      "kibana.alert.workflow_status": "open",
       "kibana.space_ids": ["space1", "space2"]
     }
   }
@@ -26,7 +26,7 @@
       "rule.id": "apm.error_rate",
       "message": "hello world 1",
       "kibana.alert.owner": "apm",
-      "kibana.alert.status": "open",
+      "kibana.alert.workflow_status": "open",
       "kibana.space_ids": ["space1"]
     }
   }
@@ -43,7 +43,7 @@
       "rule.id": "apm.error_rate",
       "message": "hello world 1",
       "kibana.alert.owner": "apm",
-      "kibana.alert.status": "open",
+      "kibana.alert.workflow_status": "open",
       "kibana.space_ids": ["space2"]
     }
   }
@@ -60,7 +60,7 @@
       "rule.id": "siem.signals",
       "message": "hello world security",
       "kibana.alert.owner": "siem",
-      "kibana.alert.status": "open",
+      "kibana.alert.workflow_status": "open",
       "kibana.space_ids": ["space1", "space2"]
     }
   }
@@ -77,7 +77,7 @@
       "rule.id": "siem.customRule",
       "message": "hello world security",
       "kibana.alert.owner": "siem",
-      "kibana.alert.status": "open",
+      "kibana.alert.workflow_status": "open",
       "kibana.space_ids": ["space1", "space2"]
     }
   }
@@ -93,7 +93,7 @@
       "rule.id": "siem.signals",
       "message": "hello world security",
       "kibana.alert.owner": "siem",
-      "kibana.alert.status": "open",
+      "kibana.alert.workflow_status": "open",
       "kibana.space_ids": ["space1"]
     }
   }
@@ -109,7 +109,7 @@
       "rule.id": "siem.signals",
       "message": "hello world security",
       "kibana.alert.owner": "siem",
-      "kibana.alert.status": "open",
+      "kibana.alert.workflow_status": "open",
       "kibana.space_ids": ["space2"]
     }
   }
diff --git a/x-pack/test/rule_registry/security_and_spaces/tests/basic/bulk_update_alerts.ts b/x-pack/test/rule_registry/security_and_spaces/tests/basic/bulk_update_alerts.ts
index aa8eb6bc8fcaa..b9e542f7b2df4 100644
--- a/x-pack/test/rule_registry/security_and_spaces/tests/basic/bulk_update_alerts.ts
+++ b/x-pack/test/rule_registry/security_and_spaces/tests/basic/bulk_update_alerts.ts
@@ -6,6 +6,7 @@
  */
 import expect from '@kbn/expect';
 
+import { ALERT_WORKFLOW_STATUS } from '@kbn/rule-data-utils';
 import {
   superUser,
   globalRead,
@@ -26,6 +27,7 @@ import {
   secOnlySpacesAll,
   noKibanaPrivileges,
 } from '../../../common/lib/authentication/users';
+
 import type { User } from '../../../common/lib/authentication/types';
 import { FtrProviderContext } from '../../../common/ftr_provider_context';
 import { getSpaceUrlPrefix } from '../../../common/lib/authentication/spaces';
@@ -126,7 +128,7 @@ export default ({ getService }: FtrProviderContext) => {
             .set('kbn-xsrf', 'true')
             .send({
               status: 'closed',
-              query: 'kibana.alert.status: open',
+              query: `${ALERT_WORKFLOW_STATUS}: open`,
               index,
             });
           expect(updated.statusCode).to.eql(200);

From d6094df1c8d0bd371cc26e2882fcf494e5ac8885 Mon Sep 17 00:00:00 2001
From: Devin Hurley <devin.hurley@elastic.co>
Date: Wed, 11 Aug 2021 19:15:59 -0400
Subject: [PATCH 04/16] allow object and string types in query param, fixed
 single update api to use WORKFLOW_STATUS instead of ALERT_STATUS

---
 .../server/alert_data_client/alerts_client.ts | 31 ++++++++++++++-----
 .../alert_data_client/tests/get.test.ts       |  4 +--
 .../alert_data_client/tests/update.test.ts    | 12 +++----
 .../server/routes/bulk_update_alerts.ts       |  2 +-
 4 files changed, 32 insertions(+), 17 deletions(-)

diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
index 2a24262499e06..49426a604c8d0 100644
--- a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
@@ -64,7 +64,7 @@ export interface BulkUpdateOptions<Params extends AlertTypeParams> {
   ids: string[] | undefined | null;
   status: STATUS_VALUES;
   index: string;
-  query: string | undefined | null;
+  query: object | string | undefined | null;
 }
 
 interface GetAlertParams {
@@ -74,7 +74,7 @@ interface GetAlertParams {
 
 interface SingleSearchAfterAndAudit {
   id: string | null | undefined;
-  query: string | null | undefined;
+  query: object | string | null | undefined;
   index?: string;
   operation: WriteOperations.Update | ReadOperations.Find | ReadOperations.Get;
   lastSortIds: Array<string | number> | undefined;
@@ -315,7 +315,7 @@ export class AlertsClient {
   }
 
   private async buildEsQueryWithAuthz(
-    query: string | null | undefined,
+    query: object | string | null | undefined,
     id: string | null | undefined,
     alertSpaceId: string,
     operation: WriteOperations.Update | ReadOperations.Get | ReadOperations.Find,
@@ -330,15 +330,28 @@ export class AlertsClient {
         },
         operation
       );
-      return buildEsQuery(
+      let esQuery;
+      if (id != null) {
+        esQuery = { query: `_id:${id}`, language: 'kuery' };
+      } else if (typeof query === 'string') {
+        esQuery = { query, language: 'kuery' };
+      } else if (query != null && typeof query === 'object') {
+        esQuery = [];
+      }
+      const builtQuery = buildEsQuery(
         undefined,
-        { query: query == null ? `_id:${id}` : query, language: 'kuery' },
+        esQuery == null ? { query: ``, language: 'kuery' } : esQuery,
         [
           (authzFilter as unknown) as Filter,
           ({ term: { [SPACE_IDS]: alertSpaceId } } as unknown) as Filter,
         ],
         config
       );
+      if (query != null && typeof query === 'object') {
+        // @ts-expect-error
+        builtQuery.bool.must.push(query);
+      }
+      return builtQuery;
     } catch (exc) {
       this.logger.error(exc);
       throw Boom.expectationFailed(
@@ -358,7 +371,7 @@ export class AlertsClient {
     operation,
   }: {
     index: string;
-    query: string;
+    query: object | string;
     operation: WriteOperations.Update | ReadOperations.Find | ReadOperations.Get;
   }) {
     let lastSortIds;
@@ -421,7 +434,7 @@ export class AlertsClient {
       // first search for the alert by id, then use the alert info to check if user has access to it
       const alert = await this.singleSearchAfterAndAudit({
         id,
-        query: null,
+        query: undefined,
         index,
         operation: ReadOperations.Get,
         lastSortIds: undefined,
@@ -468,7 +481,9 @@ export class AlertsClient {
         index,
         body: {
           doc: {
-            [ALERT_WORKFLOW_STATUS]: status,
+            [alert?.hits.hits[0]._source?.[ALERT_WORKFLOW_STATUS] == null
+              ? 'signal.status'
+              : ALERT_WORKFLOW_STATUS]: status,
           },
         },
         refresh: 'wait_for',
diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/tests/get.test.ts b/x-pack/plugins/rule_registry/server/alert_data_client/tests/get.test.ts
index 651d728b1983c..df1c8fdf10727 100644
--- a/x-pack/plugins/rule_registry/server/alert_data_client/tests/get.test.ts
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/tests/get.test.ts
@@ -249,7 +249,7 @@ describe('get()', () => {
 
     await expect(alertsClient.get({ id: fakeAlertId, index: '.alerts-observability-apm' })).rejects
       .toThrowErrorMatchingInlineSnapshot(`
-            "Unable to retrieve alert details for alert with id of \\"myfakeid1\\" or with query \\"null\\" and operation get 
+            "Unable to retrieve alert details for alert with id of \\"myfakeid1\\" or with query \\"undefined\\" and operation get 
             Error: Error: Unauthorized for fake.rule and apm"
           `);
 
@@ -276,7 +276,7 @@ describe('get()', () => {
     await expect(
       alertsClient.get({ id: 'NoxgpHkBqbdrfX07MqXV', index: '.alerts-observability-apm' })
     ).rejects.toThrowErrorMatchingInlineSnapshot(`
-            "Unable to retrieve alert details for alert with id of \\"NoxgpHkBqbdrfX07MqXV\\" or with query \\"null\\" and operation get 
+            "Unable to retrieve alert details for alert with id of \\"NoxgpHkBqbdrfX07MqXV\\" or with query \\"undefined\\" and operation get 
             Error: Error: something went wrong"
           `);
   });
diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/tests/update.test.ts b/x-pack/plugins/rule_registry/server/alert_data_client/tests/update.test.ts
index f0426bb1cef00..99f8c4236d4e9 100644
--- a/x-pack/plugins/rule_registry/server/alert_data_client/tests/update.test.ts
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/tests/update.test.ts
@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import { ALERT_OWNER, ALERT_STATUS, SPACE_IDS, RULE_ID } from '@kbn/rule-data-utils';
+import { ALERT_OWNER, ALERT_WORKFLOW_STATUS, SPACE_IDS, RULE_ID } from '@kbn/rule-data-utils';
 import { AlertsClient, ConstructorOptions } from '../alerts_client';
 import { loggingSystemMock } from '../../../../../../src/core/server/mocks';
 // eslint-disable-next-line @kbn/eslint/no-restricted-paths
@@ -85,7 +85,7 @@ describe('update()', () => {
                   [RULE_ID]: 'apm.error_rate',
                   message: 'hello world 1',
                   [ALERT_OWNER]: 'apm',
-                  [ALERT_STATUS]: 'open',
+                  [ALERT_WORKFLOW_STATUS]: 'open',
                   [SPACE_IDS]: [DEFAULT_SPACE],
                 },
               },
@@ -171,7 +171,7 @@ describe('update()', () => {
                   'rule.id': 'apm.error_rate',
                   message: 'hello world 1',
                   [ALERT_OWNER]: 'apm',
-                  [ALERT_STATUS]: 'open',
+                  [ALERT_WORKFLOW_STATUS]: 'open',
                   [SPACE_IDS]: [DEFAULT_SPACE],
                 },
               },
@@ -244,7 +244,7 @@ describe('update()', () => {
                 _source: {
                   [RULE_ID]: fakeRuleTypeId,
                   [ALERT_OWNER]: 'apm',
-                  [ALERT_STATUS]: 'open',
+                  [ALERT_WORKFLOW_STATUS]: 'open',
                   [SPACE_IDS]: [DEFAULT_SPACE],
                 },
               },
@@ -326,7 +326,7 @@ describe('update()', () => {
                   'rule.id': 'apm.error_rate',
                   message: 'hello world 1',
                   [ALERT_OWNER]: 'apm',
-                  [ALERT_STATUS]: 'open',
+                  [ALERT_WORKFLOW_STATUS]: 'open',
                   [SPACE_IDS]: [DEFAULT_SPACE],
                 },
               },
@@ -386,7 +386,7 @@ describe('update()', () => {
                     'rule.id': 'apm.error_rate',
                     message: 'hello world 1',
                     [ALERT_OWNER]: 'apm',
-                    [ALERT_STATUS]: 'open',
+                    [ALERT_WORKFLOW_STATUS]: 'open',
                     [SPACE_IDS]: [DEFAULT_SPACE],
                   },
                 },
diff --git a/x-pack/plugins/rule_registry/server/routes/bulk_update_alerts.ts b/x-pack/plugins/rule_registry/server/routes/bulk_update_alerts.ts
index 40f27f7eb7e23..9a29774219270 100644
--- a/x-pack/plugins/rule_registry/server/routes/bulk_update_alerts.ts
+++ b/x-pack/plugins/rule_registry/server/routes/bulk_update_alerts.ts
@@ -31,7 +31,7 @@ export const bulkUpdateAlertsRoute = (router: IRouter<RacRequestHandlerContext>)
               status: t.union([t.literal('open'), t.literal('closed')]),
               index: t.string,
               ids: t.undefined,
-              query: t.string,
+              query: t.union([t.object, t.string]),
             }),
           ])
         ),

From 1a7cfd45f44695f232b5e376691b4727e1052b4d Mon Sep 17 00:00:00 2001
From: Devin Hurley <devin.hurley@elastic.co>
Date: Wed, 11 Aug 2021 19:41:14 -0400
Subject: [PATCH 05/16] adds additional integration test for when query is a
 DSL object in addtion to KQL string

---
 .../tests/basic/bulk_update_alerts.ts          | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/x-pack/test/rule_registry/security_and_spaces/tests/basic/bulk_update_alerts.ts b/x-pack/test/rule_registry/security_and_spaces/tests/basic/bulk_update_alerts.ts
index b9e542f7b2df4..a033e634dc6b3 100644
--- a/x-pack/test/rule_registry/security_and_spaces/tests/basic/bulk_update_alerts.ts
+++ b/x-pack/test/rule_registry/security_and_spaces/tests/basic/bulk_update_alerts.ts
@@ -121,7 +121,8 @@ export default ({ getService }: FtrProviderContext) => {
           items.map((item) => expect(item.update.result).to.eql('updated'));
         });
 
-        it(`${username} should bulk update alerts which match query in ${space}/${index}`, async () => {
+        it(`${username} should bulk update alerts which match KQL query string in ${space}/${index}`, async () => {
+          await esArchiver.load('x-pack/test/functional/es_archives/rule_registry/alerts'); // since this is a success case, reload the test data immediately beforehand
           const { body: updated } = await supertestWithoutAuth
             .post(`${getSpaceUrlPrefix(space)}${TEST_URL}/bulk_update`)
             .auth(username, password)
@@ -134,6 +135,21 @@ export default ({ getService }: FtrProviderContext) => {
           expect(updated.statusCode).to.eql(200);
           expect(updated.body.updated).to.greaterThan(0);
         });
+
+        it(`${username} should bulk update alerts which match query in DSL in ${space}/${index}`, async () => {
+          await esArchiver.load('x-pack/test/functional/es_archives/rule_registry/alerts'); // since this is a success case, reload the test data immediately beforehand
+          const { body: updated } = await supertestWithoutAuth
+            .post(`${getSpaceUrlPrefix(space)}${TEST_URL}/bulk_update`)
+            .auth(username, password)
+            .set('kbn-xsrf', 'true')
+            .send({
+              status: 'closed',
+              query: { match: { [ALERT_WORKFLOW_STATUS]: 'open' } },
+              index,
+            });
+          expect(updated.statusCode).to.eql(200);
+          expect(updated.body.updated).to.greaterThan(0);
+        });
       });
 
       unauthorizedUsers.forEach(({ username, password }) => {

From cae09607bbc728dbc338b5aa16320862eac00551 Mon Sep 17 00:00:00 2001
From: Devin Hurley <devin.hurley@elastic.co>
Date: Thu, 12 Aug 2021 12:19:32 -0400
Subject: [PATCH 06/16] optionally use fields api in requests if _source does
 not contain authz properties

---
 .../server/alert_data_client/alerts_client.ts | 57 +++++++++++--------
 ...te_old_security_solution_alert_by_query.sh | 14 ++++-
 2 files changed, 47 insertions(+), 24 deletions(-)

diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
index 64a6be3aac8d8..59f3d883f6cff 100644
--- a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
@@ -55,11 +55,14 @@ type AlertType = NonNullableProps<
   typeof ALERT_RULE_TYPE_ID | typeof ALERT_RULE_CONSUMER | typeof SPACE_IDS
 >;
 
-const isValidAlert = (source?: ParsedTechnicalFields): source is AlertType => {
+const isValidAlert = (source?: any): source is AlertType => {
   return (
-    source?.[ALERT_RULE_TYPE_ID] != null &&
-    source?.[ALERT_RULE_CONSUMER] != null &&
-    source?.[SPACE_IDS] != null
+    (source?._source?.[ALERT_RULE_TYPE_ID] != null &&
+      source?._source?.[ALERT_RULE_CONSUMER] != null &&
+      source?._source?.[SPACE_IDS] != null) ||
+    (source?.fields?.[ALERT_RULE_TYPE_ID][0] != null &&
+      source?.fields?.[ALERT_RULE_CONSUMER][0] != null &&
+      source?.fields?.[SPACE_IDS][0] != null)
   );
 };
 export interface ConstructorOptions {
@@ -218,6 +221,7 @@ export class AlertsClient {
       const config = getEsQueryConfig();
 
       let queryBody = {
+        fields: [ALERT_RULE_TYPE_ID, ALERT_RULE_CONSUMER, ALERT_WORKFLOW_STATUS, SPACE_IDS],
         query: await this.buildEsQueryWithAuthz(query, id, alertSpaceId, operation, config),
         sort: [
           {
@@ -245,7 +249,7 @@ export class AlertsClient {
         seq_no_primary_term: true,
       });
 
-      if (!result?.body.hits.hits.every((hit) => isValidAlert(hit._source))) {
+      if (!result?.body.hits.hits.every((hit) => isValidAlert(hit))) {
         const errorMessage = `Invalid alert found with id of "${id}" or with query "${query}" and operation ${operation}`;
         this.logger.error(errorMessage);
         throw Boom.badData(errorMessage);
@@ -307,21 +311,25 @@ export class AlertsClient {
         );
       }
 
-      const bulkUpdateRequest = mgetRes.body.docs.flatMap((item) => [
-        {
-          update: {
-            _index: item._index,
-            _id: item._id,
+      const bulkUpdateRequest = mgetRes.body.docs.flatMap((item) => {
+        const fieldToUpdate =
+          item?._source?.[ALERT_WORKFLOW_STATUS] == null
+            ? { signal: { status } }
+            : { [ALERT_WORKFLOW_STATUS]: status };
+        return [
+          {
+            update: {
+              _index: item._index,
+              _id: item._id,
+            },
           },
-        },
-        {
-          doc: {
-            [item?._source?.[ALERT_WORKFLOW_STATUS] == null
-              ? 'signal.status'
-              : ALERT_WORKFLOW_STATUS]: status,
+          {
+            doc: {
+              ...fieldToUpdate,
+            },
           },
-        },
-      ]);
+        ];
+      });
 
       const bulkUpdateResponse = await this.esClient.bulk({
         body: bulkUpdateRequest,
@@ -494,15 +502,18 @@ export class AlertsClient {
         throw Boom.notFound(errorMessage);
       }
 
+      const fieldToUpdate =
+        alert?.hits.hits[0]._source?.[ALERT_WORKFLOW_STATUS] == null
+          ? { signal: { status } }
+          : { [ALERT_WORKFLOW_STATUS]: status };
+
       const { body: response } = await this.esClient.update<ParsedTechnicalFields>({
         ...decodeVersion(_version),
         id,
         index,
         body: {
           doc: {
-            [alert?.hits.hits[0]._source?.[ALERT_WORKFLOW_STATUS] == null
-              ? 'signal.status'
-              : ALERT_WORKFLOW_STATUS]: status,
+            ...fieldToUpdate,
           },
         },
         refresh: 'wait_for',
@@ -557,8 +568,8 @@ export class AlertsClient {
               source: `if (ctx._source['${ALERT_WORKFLOW_STATUS}'] != null) {
                 ctx._source['${ALERT_WORKFLOW_STATUS}'] = '${status}'
               }
-              if (ctx._source['signal.status'] != null) {
-                ctx._source['signal.status'] = '${status}'
+              if (ctx._source.signal.status != null) {
+                ctx._source.signal.status = '${status}'
               }`,
               lang: 'painless',
             } as InlineScript,
diff --git a/x-pack/plugins/rule_registry/server/scripts/bulk_update_old_security_solution_alert_by_query.sh b/x-pack/plugins/rule_registry/server/scripts/bulk_update_old_security_solution_alert_by_query.sh
index 8725e791d8efa..b7642094fd2e2 100755
--- a/x-pack/plugins/rule_registry/server/scripts/bulk_update_old_security_solution_alert_by_query.sh
+++ b/x-pack/plugins/rule_registry/server/scripts/bulk_update_old_security_solution_alert_by_query.sh
@@ -25,4 +25,16 @@ curl -s -k \
  -H 'kbn-xsrf: 123' \
  -u hunter:changeme \
  -X POST ${KIBANA_URL}${SPACE_URL}/internal/rac/alerts/bulk_update \
--d "{\"query\": \"$QUERY\", \"status\":\"$STATUS\", \"index\":\".siem-signals*\"}" | jq .
+ -d "{\"ids\": [\"7e5bf32b8aa1a96b835200d8a6aad39079f03257129ad238a828152884690c86\"], \"status\":\"$STATUS\", \"index\":\".siem-signals-devin-hurley-default\"}" | jq .
+
+# -d "{\"query\": {\"bool\": {
+#     \"filter\": {
+#       \"terms\": {
+#         \"_id\": [         \"7e5bf32b8aa1a96b835200d8a6aad39079f03257129ad238a828152884690c86\"
+#         ]
+#       }
+#     }
+#   }}, \"status\":\"$STATUS\", \"index\":\".siem-signals-devin-hurley-default\"}" | jq .
+
+
+# 824ec1a1c9a0fcded6063e88353b828e414149b37f6d7cbe47a038d08aaa3285
\ No newline at end of file

From 918c4bdc00c4d2ea172c71f97e7a585c27e35c2e Mon Sep 17 00:00:00 2001
From: semd <sergi.massaneda@elastic.co>
Date: Thu, 12 Aug 2021 18:59:00 +0200
Subject: [PATCH 07/16] integrate bulk update to all hook calls

---
 .../alert_data_client/tests/update.test.ts    |  2 +-
 .../timeline_actions/alert_context_menu.tsx   |  2 +
 .../timeline_actions/use_alerts_actions.tsx   | 10 +++-
 .../components/take_action_dropdown/index.tsx |  3 ++
 .../side_panel/event_details/footer.tsx       |  1 +
 .../components/t_grid/body/index.test.tsx     |  2 +
 .../public/components/t_grid/helpers.tsx      | 29 ++++++++++--
 .../components/t_grid/integrated/index.tsx    | 47 ++++++++++++-------
 .../components/t_grid/standalone/index.tsx    | 12 ++---
 .../alert_status_bulk_actions.tsx             |  3 +-
 .../public/container/use_update_alerts.ts     |  6 +--
 .../hooks/use_status_bulk_action_items.tsx    |  2 +-
 12 files changed, 81 insertions(+), 38 deletions(-)

diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/tests/update.test.ts b/x-pack/plugins/rule_registry/server/alert_data_client/tests/update.test.ts
index 7c2e985c269a8..4e084c2c028b1 100644
--- a/x-pack/plugins/rule_registry/server/alert_data_client/tests/update.test.ts
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/tests/update.test.ts
@@ -139,7 +139,7 @@ describe('update()', () => {
         Object {
           "body": Object {
             "doc": Object {
-              "kibana.alert.workflow_status": "closed",
+              "${ALERT_WORKFLOW_STATUS}": "closed",
             },
           },
           "id": "1",
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx
index 2dae69fec43e1..2ca059ed0ab13 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx
@@ -53,6 +53,7 @@ const AlertContextMenuComponent: React.FC<AlertContextMenuProps> = ({
   timelineId,
 }) => {
   const [isPopoverOpen, setPopover] = useState(false);
+  const { signalIndexName } = useSignalIndex();
 
   const ruleId = get(0, ecsRowData?.signal?.rule?.id);
   const ruleName = get(0, ecsRowData?.signal?.rule?.name);
@@ -116,6 +117,7 @@ const AlertContextMenuComponent: React.FC<AlertContextMenuProps> = ({
   const { actionItems } = useAlertsActions({
     alertStatus,
     eventId: ecsRowData?._id,
+    indexName: signalIndexName!,
     timelineId,
     closePopover,
   });
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/use_alerts_actions.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/use_alerts_actions.tsx
index 4fdebee6e1f4d..f06d671549357 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/use_alerts_actions.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/use_alerts_actions.tsx
@@ -27,9 +27,16 @@ interface Props {
   closePopover: () => void;
   eventId: string;
   timelineId: string;
+  indexName: string;
 }
 
-export const useAlertsActions = ({ alertStatus, closePopover, eventId, timelineId }: Props) => {
+export const useAlertsActions = ({
+  alertStatus,
+  closePopover,
+  eventId,
+  timelineId,
+  indexName,
+}: Props) => {
   const dispatch = useDispatch();
   const [, dispatchToaster] = useStateToaster();
 
@@ -100,6 +107,7 @@ export const useAlertsActions = ({ alertStatus, closePopover, eventId, timelineI
   const actionItems = useStatusBulkActionItems({
     eventIds: [eventId],
     currentStatus: alertStatus,
+    indexName,
     setEventsLoading,
     setEventsDeleted,
     onUpdateSuccess: onAlertStatusUpdateSuccess,
diff --git a/x-pack/plugins/security_solution/public/detections/components/take_action_dropdown/index.tsx b/x-pack/plugins/security_solution/public/detections/components/take_action_dropdown/index.tsx
index ffaea216f3fe3..f30a223b3280e 100644
--- a/x-pack/plugins/security_solution/public/detections/components/take_action_dropdown/index.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/take_action_dropdown/index.tsx
@@ -50,6 +50,7 @@ export const TakeActionDropdown = React.memo(
     onAddExceptionTypeClick,
     onAddIsolationStatusClick,
     refetch,
+    indexName,
     timelineId,
   }: {
     detailsData: TimelineEventsDetailsItem[] | null;
@@ -59,6 +60,7 @@ export const TakeActionDropdown = React.memo(
     loadingEventDetails: boolean;
     nonEcsData?: TimelineNonEcsData[];
     refetch: (() => void) | undefined;
+    indexName: string;
     onAddEventFilterClick: () => void;
     onAddExceptionTypeClick: (type: ExceptionListType) => void;
     onAddIsolationStatusClick: (action: 'isolateHost' | 'unisolateHost') => void;
@@ -152,6 +154,7 @@ export const TakeActionDropdown = React.memo(
     const { actionItems } = useAlertsActions({
       alertStatus: actionsData.alertStatus,
       eventId: actionsData.eventId,
+      indexName,
       timelineId,
       closePopover: closePopoverAndFlyout,
     });
diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/footer.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/footer.tsx
index cb8ed537543a0..60e177944df88 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/footer.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/footer.tsx
@@ -110,6 +110,7 @@ export const EventDetailsFooter = React.memo(
                 onAddExceptionTypeClick={onAddExceptionTypeClick}
                 onAddIsolationStatusClick={onAddIsolationStatusClick}
                 refetch={expandedEvent?.refetch}
+                indexName={expandedEvent.indexName}
                 timelineId={timelineId}
               />
             </EuiFlexItem>
diff --git a/x-pack/plugins/timelines/public/components/t_grid/body/index.test.tsx b/x-pack/plugins/timelines/public/components/t_grid/body/index.test.tsx
index db5ec7646977d..c9a94eab0ff20 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/body/index.test.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/body/index.test.tsx
@@ -80,6 +80,8 @@ describe('Body', () => {
     leadingControlColumns: [],
     trailingControlColumns: [],
     filterStatus: 'open',
+    filterQuery: '',
+    indexNames: [''],
     refetch: jest.fn(),
   };
 
diff --git a/x-pack/plugins/timelines/public/components/t_grid/helpers.tsx b/x-pack/plugins/timelines/public/components/t_grid/helpers.tsx
index 6044c868ef089..4964316fccd94 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/helpers.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/helpers.tsx
@@ -8,6 +8,7 @@
 import type { Filter, EsQueryConfig, Query } from '@kbn/es-query';
 import { isEmpty, get } from 'lodash/fp';
 import memoizeOne from 'memoize-one';
+import { ALERT_WORKFLOW_STATUS } from '@kbn/rule-data-utils';
 import {
   elementOrChildrenHasFocus,
   getFocusedAriaColindexCell,
@@ -186,6 +187,15 @@ export const combineQueries = ({
   };
 };
 
+export const buildCombinedQuery = (combineQueriesParams: CombineQueries) => {
+  const combinedQuery = combineQueries(combineQueriesParams);
+  return combinedQuery
+    ? {
+        filterQuery: replaceStatusField(combinedQuery!.filterQuery),
+      }
+    : null;
+};
+
 export const buildTimeRangeFilter = (from: string, to: string): Filter =>
   ({
     range: {
@@ -218,12 +228,23 @@ export const getCombinedFilterQuery = ({
   filters,
   ...combineQueriesParams
 }: CombineQueries & { from: string; to: string }): string => {
-  return combineQueries({
-    ...combineQueriesParams,
-    filters: [...filters, buildTimeRangeFilter(from, to)],
-  })!.filterQuery;
+  return replaceStatusField(
+    combineQueries({
+      ...combineQueriesParams,
+      filters: [...filters, buildTimeRangeFilter(from, to)],
+    })!.filterQuery
+  );
 };
 
+/**
+ * This function is a temporary patch to prevent queries using old `signal.status` field.
+ * @todo The `signal.status` field should not be queried anymore and
+ * must be replaced by `ALERT_WORKFLOW_STATUS` field name constant
+ * @deprecated
+ */
+const replaceStatusField = (query: string): string =>
+  query.replaceAll('signal.status', ALERT_WORKFLOW_STATUS);
+
 /**
  * The CSS class name of a "stateful event", which appears in both
  * the `Timeline` and the `Events Viewer` widget
diff --git a/x-pack/plugins/timelines/public/components/t_grid/integrated/index.tsx b/x-pack/plugins/timelines/public/components/t_grid/integrated/index.tsx
index 070f1bec5ac47..fb3b7db4dab84 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/integrated/index.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/integrated/index.tsx
@@ -39,7 +39,7 @@ import { useDeepEqualSelector } from '../../../hooks/use_selector';
 import { defaultHeaders } from '../body/column_headers/default_headers';
 import {
   calculateTotalPages,
-  combineQueries,
+  buildCombinedQuery,
   getCombinedFilterQuery,
   resolverIsShowing,
 } from '../helpers';
@@ -208,7 +208,7 @@ const TGridIntegratedComponent: React.FC<TGridIntegratedProps> = ({
     [globalFullScreen, justTitle, setGlobalFullScreen]
   );
 
-  const combinedQueries = combineQueries({
+  const combinedQueries = buildCombinedQuery({
     config: esQuery.getEsQueryConfig(uiSettings),
     dataProviders,
     indexPattern,
@@ -262,22 +262,33 @@ const TGridIntegratedComponent: React.FC<TGridIntegratedProps> = ({
     data,
   });
 
-  const filterQuery = useMemo(
-    () =>
-      getCombinedFilterQuery({
-        config: esQuery.getEsQueryConfig(uiSettings),
-        dataProviders,
-        indexPattern,
-        browserFields,
-        filters,
-        kqlQuery: query,
-        kqlMode,
-        isEventViewer: true,
-        from: start,
-        to: end,
-      }),
-    [uiSettings, dataProviders, indexPattern, browserFields, filters, start, end, query, kqlMode]
-  );
+  const filterQuery = useMemo(() => {
+    console.log('getCombinedFilterQuery', {
+      config: esQuery.getEsQueryConfig(uiSettings),
+      dataProviders,
+      indexPattern,
+      browserFields,
+      filters,
+      kqlQuery: query,
+      kqlMode,
+      isEventViewer: true,
+      from: start,
+      to: end,
+    });
+    return getCombinedFilterQuery({
+      config: esQuery.getEsQueryConfig(uiSettings),
+      dataProviders,
+      indexPattern,
+      browserFields,
+      filters,
+      kqlQuery: query,
+      kqlMode,
+      isEventViewer: true,
+      from: start,
+      to: end,
+    });
+  }, [uiSettings, dataProviders, indexPattern, browserFields, filters, start, end, query, kqlMode]);
+  console.log('getCombinedFilterQuery', JSON.parse(filterQuery));
 
   const totalCountMinusDeleted = useMemo(
     () => (totalCount > 0 ? totalCount - deletedEventIds.length : 0),
diff --git a/x-pack/plugins/timelines/public/components/t_grid/standalone/index.tsx b/x-pack/plugins/timelines/public/components/t_grid/standalone/index.tsx
index 4cff11aea590c..234817168c473 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/standalone/index.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/standalone/index.tsx
@@ -153,7 +153,7 @@ const TGridStandaloneComponent: React.FC<TGridStandaloneProps> = ({
   rowRenderers,
   setRefetch,
   start,
-  sort: initialSort,
+  sort,
   graphEventId,
   leadingControlColumns,
   trailingControlColumns,
@@ -171,7 +171,6 @@ const TGridStandaloneComponent: React.FC<TGridStandaloneProps> = ({
     itemsPerPage: itemsPerPageStore,
     itemsPerPageOptions: itemsPerPageOptionsStore,
     queryFields,
-    sort: sortFromRedux,
     title,
   } = useDeepEqualSelector((state) => getTGrid(state, STANDALONE_ID ?? ''));
 
@@ -212,9 +211,6 @@ const TGridStandaloneComponent: React.FC<TGridStandaloneProps> = ({
     [columnsHeader, queryFields]
   );
 
-  const [sort, setSort] = useState(initialSort);
-  useEffect(() => setSort(sortFromRedux), [sortFromRedux]);
-
   const sortField = useMemo(
     () =>
       sort.map(({ columnId, columnType, sortDirection }) => ({
@@ -229,7 +225,6 @@ const TGridStandaloneComponent: React.FC<TGridStandaloneProps> = ({
     loading,
     { events, updatedAt, loadPage, pageInfo, refetch, totalCount = 0, inspect },
   ] = useTimelineEvents({
-    alertConsumers,
     docValueFields: [],
     excludeEcsData: true,
     fields,
@@ -310,7 +305,6 @@ const TGridStandaloneComponent: React.FC<TGridStandaloneProps> = ({
         defaultColumns: columns,
         footerText,
         loadingText,
-        sort,
         unit,
       })
     );
@@ -349,7 +343,6 @@ const TGridStandaloneComponent: React.FC<TGridStandaloneProps> = ({
                   <StatefulBody
                     activePage={pageInfo.activePage}
                     browserFields={browserFields}
-                    filterQuery={filterQuery}
                     data={nonDeletedEvents}
                     defaultCellActions={defaultCellActions}
                     id={STANDALONE_ID}
@@ -364,12 +357,13 @@ const TGridStandaloneComponent: React.FC<TGridStandaloneProps> = ({
                       itemsPerPage: itemsPerPageStore,
                     })}
                     totalItems={totalCountMinusDeleted}
+                    indexNames={indexNames}
+                    filterQuery={filterQuery}
                     unit={unit}
                     filterStatus={filterStatus}
                     leadingControlColumns={leadingControlColumns}
                     trailingControlColumns={trailingControlColumns}
                     refetch={refetch}
-                    indexNames={indexNames}
                   />
                   <Footer
                     activePage={pageInfo.activePage}
diff --git a/x-pack/plugins/timelines/public/components/t_grid/toolbar/bulk_actions/alert_status_bulk_actions.tsx b/x-pack/plugins/timelines/public/components/t_grid/toolbar/bulk_actions/alert_status_bulk_actions.tsx
index 2ed52c0a66c07..92d40ad3d7a6a 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/toolbar/bulk_actions/alert_status_bulk_actions.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/toolbar/bulk_actions/alert_status_bulk_actions.tsx
@@ -152,7 +152,8 @@ export const AlertStatusBulkActionsComponent = React.memo<StatefulAlertStatusBul
       indexName,
       eventIds: Object.keys(selectedEventIds),
       currentStatus: filterStatus,
-      ...(isSelectAllChecked ? { query } : {}),
+      ...(showClearSelection ? { query } : {}),
+      // query,
       setEventsLoading,
       setEventsDeleted,
       onUpdateSuccess: onAlertStatusUpdateSuccess,
diff --git a/x-pack/plugins/timelines/public/container/use_update_alerts.ts b/x-pack/plugins/timelines/public/container/use_update_alerts.ts
index 03948a439b25b..a45bd28b848c0 100644
--- a/x-pack/plugins/timelines/public/container/use_update_alerts.ts
+++ b/x-pack/plugins/timelines/public/container/use_update_alerts.ts
@@ -32,14 +32,14 @@ export const useUpdateAlertsStatus = (): {
 } => {
   const { http } = useKibana().services;
   return {
-    updateAlertStatus: ({ status: alertStatus, index, ids, query }) => {
+    updateAlertStatus: async ({ status: alertStatus, index, ids, query }) => {
       const status: string = alertStatus === 'in-progress' ? 'acknowledged' : alertStatus;
-      console.log({ index, status, query, ids });
 
-      return http!.fetch(RAC_ALERTS_BULK_UPDATE_URL, {
+      const { body } = await http!.fetch(RAC_ALERTS_BULK_UPDATE_URL, {
         method: 'POST',
         body: JSON.stringify({ index, status, ...(query ? { query } : { ids }) }),
       });
+      return body;
     },
   };
 };
diff --git a/x-pack/plugins/timelines/public/hooks/use_status_bulk_action_items.tsx b/x-pack/plugins/timelines/public/hooks/use_status_bulk_action_items.tsx
index 8721a64a92dbb..91d4be96199fc 100644
--- a/x-pack/plugins/timelines/public/hooks/use_status_bulk_action_items.tsx
+++ b/x-pack/plugins/timelines/public/hooks/use_status_bulk_action_items.tsx
@@ -57,7 +57,7 @@ export const useStatusBulkActionItems = ({
         const response = await updateAlertStatus({
           index: indexName,
           status,
-          ...(query ? { query: JSON.parse(query) } : { ids: eventIds }),
+          query: query ? JSON.parse(query) : getUpdateAlertsQuery(eventIds),
         });
 
         // TODO: Only delete those that were successfully updated from updatedRules

From 7cbec10ad02f46d4cf02bb17ea14e2bdfab1ee74 Mon Sep 17 00:00:00 2001
From: Devin Hurley <devin.hurley@elastic.co>
Date: Thu, 12 Aug 2021 13:01:48 -0400
Subject: [PATCH 08/16] adds fields support, fixes bug where we were writing to
 'signals.status' and not { signals: {status }} in alerts client

---
 .../server/alert_data_client/alerts_client.ts |   2 +-
 .../alert_data_client/tests/get.test.ts       |   6 +
 .../rule_registry/alerts/data.json            | 203 +++++++++---------
 3 files changed, 108 insertions(+), 103 deletions(-)

diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
index 59f3d883f6cff..40157bc63625b 100644
--- a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
@@ -568,7 +568,7 @@ export class AlertsClient {
               source: `if (ctx._source['${ALERT_WORKFLOW_STATUS}'] != null) {
                 ctx._source['${ALERT_WORKFLOW_STATUS}'] = '${status}'
               }
-              if (ctx._source.signal.status != null) {
+              if (ctx._source.signal != null && ctx._source.signal.status != null) {
                 ctx._source.signal.status = '${status}'
               }`,
               lang: 'painless',
diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/tests/get.test.ts b/x-pack/plugins/rule_registry/server/alert_data_client/tests/get.test.ts
index 33958f584988d..1a0628bf6e9a8 100644
--- a/x-pack/plugins/rule_registry/server/alert_data_client/tests/get.test.ts
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/tests/get.test.ts
@@ -119,6 +119,12 @@ describe('get()', () => {
       Array [
         Object {
           "body": Object {
+            "fields": Array [
+              "kibana.alert.rule.rule_type_id",
+              "kibana.alert.rule.consumer",
+              "kibana.alert.workflow_status",
+              "kibana.space_ids",
+            ],
             "query": Object {
               "bool": Object {
                 "filter": Array [
diff --git a/x-pack/test/functional/es_archives/rule_registry/alerts/data.json b/x-pack/test/functional/es_archives/rule_registry/alerts/data.json
index baea934440e13..0b13306e05f2a 100644
--- a/x-pack/test/functional/es_archives/rule_registry/alerts/data.json
+++ b/x-pack/test/functional/es_archives/rule_registry/alerts/data.json
@@ -1,117 +1,116 @@
 {
-    "type": "doc",
-    "value": {
-      "index": ".alerts-observability-apm",
-      "id": "NoxgpHkBqbdrfX07MqXV",
-      "source": {
-        "event.kind" : "signal",
-        "@timestamp": "2020-12-16T15:16:18.570Z",
-        "kibana.alert.rule.rule_type_id": "apm.error_rate",
-        "message": "hello world 1",
-        "kibana.alert.workflow_status": "open",
-        "kibana.alert.rule.consumer": "apm",
-        "kibana.space_ids": ["space1", "space2"]
-      }
+  "type": "doc",
+  "value": {
+    "index": ".alerts-observability-apm",
+    "id": "NoxgpHkBqbdrfX07MqXV",
+    "source": {
+      "event.kind" : "signal",
+      "@timestamp": "2020-12-16T15:16:18.570Z",
+      "kibana.alert.rule.rule_type_id": "apm.error_rate",
+      "message": "hello world 1",
+      "kibana.alert.rule.consumer": "apm",
+      "kibana.alert.workflow_status": "open",
+      "kibana.space_ids": ["space1", "space2"]
     }
   }
-  
-  {
-    "type": "doc",
-    "value": {
-      "index": ".alerts-observability-apm",
-      "id": "space1alert",
-      "source": {
-        "event.kind" : "signal",
-        "@timestamp": "2020-12-16T15:16:18.570Z",
-        "kibana.alert.rule.rule_type_id": "apm.error_rate",
-        "message": "hello world 1",
-        "kibana.alert.workflow_status": "open",
-        "kibana.alert.rule.consumer": "apm",
-        "kibana.space_ids": ["space1"]
-      }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "index": ".alerts-observability-apm",
+    "id": "space1alert",
+    "source": {
+      "event.kind" : "signal",
+      "@timestamp": "2020-12-16T15:16:18.570Z",
+      "kibana.alert.rule.rule_type_id": "apm.error_rate",
+      "message": "hello world 1",
+      "kibana.alert.rule.consumer": "apm",
+      "kibana.alert.workflow_status": "open",
+      "kibana.space_ids": ["space1"]
     }
   }
-  
-  {
-    "type": "doc",
-    "value": {
-      "index": ".alerts-observability-apm",
-      "id": "space2alert",
-      "source": {
-        "event.kind" : "signal",
-        "@timestamp": "2020-12-16T15:16:18.570Z",
-        "kibana.alert.rule.rule_type_id": "apm.error_rate",
-        "message": "hello world 1",
-        "kibana.alert.workflow_status": "open",
-        "kibana.alert.rule.consumer": "apm",
-        "kibana.space_ids": ["space2"]
-      }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "index": ".alerts-observability-apm",
+    "id": "space2alert",
+    "source": {
+      "event.kind" : "signal",
+      "@timestamp": "2020-12-16T15:16:18.570Z",
+      "kibana.alert.rule.rule_type_id": "apm.error_rate",
+      "message": "hello world 1",
+      "kibana.alert.rule.consumer": "apm",
+      "kibana.alert.workflow_status": "open",
+      "kibana.space_ids": ["space2"]
     }
   }
-  
-  {
-    "type": "doc",
-    "value": {
-      "index": ".alerts-security.alerts",
-      "id": "020202",
-      "source": {
-        "event.kind" : "signal",
-        "@timestamp": "2020-12-16T15:16:18.570Z",
-        "kibana.alert.rule.rule_type_id": "siem.signals",
-        "message": "hello world security",
-        "kibana.alert.workflow_status": "open",
-        "kibana.alert.rule.consumer": "siem",
-        "kibana.space_ids": ["space1", "space2"]
-      }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "index": ".alerts-security.alerts",
+    "id": "020202",
+    "source": {
+      "event.kind" : "signal",
+      "@timestamp": "2020-12-16T15:16:18.570Z",
+      "kibana.alert.rule.rule_type_id": "siem.signals",
+      "message": "hello world security",
+      "kibana.alert.rule.consumer": "siem",
+      "kibana.alert.workflow_status": "open",
+      "kibana.space_ids": ["space1", "space2"]
     }
   }
-  
-  {
-    "type": "doc",
-    "value": {
-      "index": ".alerts-security.alerts",
-      "id": "020204",
-      "source": {
-        "event.kind" : "signal",
-        "@timestamp": "2020-12-16T15:16:18.570Z",
-        "kibana.alert.rule.rule_type_id": "siem.customRule",
-        "message": "hello world security",
-        "kibana.alert.workflow_status": "open",
-        "kibana.alert.rule.consumer": "siem",
-        "kibana.space_ids": ["space1", "space2"]
-      }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "index": ".alerts-security.alerts",
+    "id": "020204",
+    "source": {
+      "event.kind" : "signal",
+      "@timestamp": "2020-12-16T15:16:18.570Z",
+      "kibana.alert.rule.rule_type_id": "siem.customRule",
+      "message": "hello world security",
+      "kibana.alert.rule.consumer": "siem",
+      "kibana.alert.workflow_status": "open",
+      "kibana.space_ids": ["space1", "space2"]
     }
   }
-  
-  {
-    "type": "doc",
-    "value": {
-      "index": ".alerts-security.alerts",
-      "id": "space1securityalert",
-      "source": {
-        "@timestamp": "2020-12-16T15:16:18.570Z",
-        "kibana.alert.rule.rule_type_id": "siem.signals",
-        "message": "hello world security",
-        "kibana.alert.workflow_status": "open",
-        "kibana.alert.rule.consumer": "siem",
-        "kibana.space_ids": ["space1"]
-      }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "index": ".alerts-security.alerts",
+    "id": "space1securityalert",
+    "source": {
+      "@timestamp": "2020-12-16T15:16:18.570Z",
+      "kibana.alert.rule.rule_type_id": "siem.signals",
+      "message": "hello world security",
+      "kibana.alert.rule.consumer": "siem",
+      "kibana.alert.workflow_status": "open",
+      "kibana.space_ids": ["space1"]
     }
   }
-  
-  {
-    "type": "doc",
-    "value": {
-      "index": ".alerts-security.alerts",
-      "id": "space2securityalert",
-      "source": {
-        "@timestamp": "2020-12-16T15:16:18.570Z",
-        "kibana.alert.rule.rule_type_id": "siem.signals",
-        "message": "hello world security",
-        "kibana.alert.workflow_status": "open",
-        "kibana.alert.rule.consumer": "siem",
-        "kibana.space_ids": ["space2"]
-      }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "index": ".alerts-security.alerts",
+    "id": "space2securityalert",
+    "source": {
+      "@timestamp": "2020-12-16T15:16:18.570Z",
+      "kibana.alert.rule.rule_type_id": "siem.signals",
+      "message": "hello world security",
+      "kibana.alert.rule.consumer": "siem",
+      "kibana.alert.workflow_status": "open",
+      "kibana.space_ids": ["space2"]
     }
   }
-  
\ No newline at end of file
+}
\ No newline at end of file

From 7ef80cf3f0426a8ef63469ee0b9b5449f1a519e0 Mon Sep 17 00:00:00 2001
From: semd <sergi.massaneda@elastic.co>
Date: Thu, 12 Aug 2021 19:32:49 +0200
Subject: [PATCH 09/16] clean up and fixes

---
 .../server/routes/bulk_update_alerts.ts            |  4 ++--
 ..._update_old_security_solution_alert_by_query.sh | 14 +-------------
 .../public/components/t_grid/integrated/index.tsx  | 13 -------------
 .../public/container/use_update_alerts.ts          |  4 +---
 4 files changed, 4 insertions(+), 31 deletions(-)

diff --git a/x-pack/plugins/rule_registry/server/routes/bulk_update_alerts.ts b/x-pack/plugins/rule_registry/server/routes/bulk_update_alerts.ts
index 9a29774219270..3bab930da08b9 100644
--- a/x-pack/plugins/rule_registry/server/routes/bulk_update_alerts.ts
+++ b/x-pack/plugins/rule_registry/server/routes/bulk_update_alerts.ts
@@ -22,13 +22,13 @@ export const bulkUpdateAlertsRoute = (router: IRouter<RacRequestHandlerContext>)
         body: buildRouteValidation(
           t.union([
             t.strict({
-              status: t.union([t.literal('open'), t.literal('closed')]),
+              status: t.union([t.literal('open'), t.literal('closed'), t.literal('in-progress')]),
               index: t.string,
               ids: t.array(t.string),
               query: t.undefined,
             }),
             t.strict({
-              status: t.union([t.literal('open'), t.literal('closed')]),
+              status: t.union([t.literal('open'), t.literal('closed'), t.literal('in-progress')]),
               index: t.string,
               ids: t.undefined,
               query: t.union([t.object, t.string]),
diff --git a/x-pack/plugins/rule_registry/server/scripts/bulk_update_old_security_solution_alert_by_query.sh b/x-pack/plugins/rule_registry/server/scripts/bulk_update_old_security_solution_alert_by_query.sh
index b7642094fd2e2..8725e791d8efa 100755
--- a/x-pack/plugins/rule_registry/server/scripts/bulk_update_old_security_solution_alert_by_query.sh
+++ b/x-pack/plugins/rule_registry/server/scripts/bulk_update_old_security_solution_alert_by_query.sh
@@ -25,16 +25,4 @@ curl -s -k \
  -H 'kbn-xsrf: 123' \
  -u hunter:changeme \
  -X POST ${KIBANA_URL}${SPACE_URL}/internal/rac/alerts/bulk_update \
- -d "{\"ids\": [\"7e5bf32b8aa1a96b835200d8a6aad39079f03257129ad238a828152884690c86\"], \"status\":\"$STATUS\", \"index\":\".siem-signals-devin-hurley-default\"}" | jq .
-
-# -d "{\"query\": {\"bool\": {
-#     \"filter\": {
-#       \"terms\": {
-#         \"_id\": [         \"7e5bf32b8aa1a96b835200d8a6aad39079f03257129ad238a828152884690c86\"
-#         ]
-#       }
-#     }
-#   }}, \"status\":\"$STATUS\", \"index\":\".siem-signals-devin-hurley-default\"}" | jq .
-
-
-# 824ec1a1c9a0fcded6063e88353b828e414149b37f6d7cbe47a038d08aaa3285
\ No newline at end of file
+-d "{\"query\": \"$QUERY\", \"status\":\"$STATUS\", \"index\":\".siem-signals*\"}" | jq .
diff --git a/x-pack/plugins/timelines/public/components/t_grid/integrated/index.tsx b/x-pack/plugins/timelines/public/components/t_grid/integrated/index.tsx
index fb3b7db4dab84..7dc632c219bd8 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/integrated/index.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/integrated/index.tsx
@@ -263,18 +263,6 @@ const TGridIntegratedComponent: React.FC<TGridIntegratedProps> = ({
   });
 
   const filterQuery = useMemo(() => {
-    console.log('getCombinedFilterQuery', {
-      config: esQuery.getEsQueryConfig(uiSettings),
-      dataProviders,
-      indexPattern,
-      browserFields,
-      filters,
-      kqlQuery: query,
-      kqlMode,
-      isEventViewer: true,
-      from: start,
-      to: end,
-    });
     return getCombinedFilterQuery({
       config: esQuery.getEsQueryConfig(uiSettings),
       dataProviders,
@@ -288,7 +276,6 @@ const TGridIntegratedComponent: React.FC<TGridIntegratedProps> = ({
       to: end,
     });
   }, [uiSettings, dataProviders, indexPattern, browserFields, filters, start, end, query, kqlMode]);
-  console.log('getCombinedFilterQuery', JSON.parse(filterQuery));
 
   const totalCountMinusDeleted = useMemo(
     () => (totalCount > 0 ? totalCount - deletedEventIds.length : 0),
diff --git a/x-pack/plugins/timelines/public/container/use_update_alerts.ts b/x-pack/plugins/timelines/public/container/use_update_alerts.ts
index a45bd28b848c0..6b7c660a734eb 100644
--- a/x-pack/plugins/timelines/public/container/use_update_alerts.ts
+++ b/x-pack/plugins/timelines/public/container/use_update_alerts.ts
@@ -32,9 +32,7 @@ export const useUpdateAlertsStatus = (): {
 } => {
   const { http } = useKibana().services;
   return {
-    updateAlertStatus: async ({ status: alertStatus, index, ids, query }) => {
-      const status: string = alertStatus === 'in-progress' ? 'acknowledged' : alertStatus;
-
+    updateAlertStatus: async ({ status, index, ids, query }) => {
       const { body } = await http!.fetch(RAC_ALERTS_BULK_UPDATE_URL, {
         method: 'POST',
         body: JSON.stringify({ index, status, ...(query ? { query } : { ids }) }),

From df080e2517677074cacf765bdaac93b5c43140e3 Mon Sep 17 00:00:00 2001
From: Devin Hurley <devin.hurley@elastic.co>
Date: Thu, 12 Aug 2021 16:31:21 -0400
Subject: [PATCH 10/16] fix a bug where we were not waiting for updates to
 complete when using ids param in alerts bulk update. Adds integration tests
 for detection engine testing update alerts with new alerts as data client
 routes

---
 .../server/alert_data_client/alerts_client.ts |   1 +
 .../security_solution/common/constants.ts     |   2 +
 .../basic/tests/index.ts                      |   1 +
 .../basic/tests/update_rac_alerts.ts          | 164 ++++++++++++++++++
 4 files changed, 168 insertions(+)
 create mode 100644 x-pack/test/detection_engine_api_integration/basic/tests/update_rac_alerts.ts

diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
index 40157bc63625b..77573388f6a9b 100644
--- a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
@@ -332,6 +332,7 @@ export class AlertsClient {
       });
 
       const bulkUpdateResponse = await this.esClient.bulk({
+        refresh: 'wait_for',
         body: bulkUpdateRequest,
       });
       return bulkUpdateResponse;
diff --git a/x-pack/plugins/security_solution/common/constants.ts b/x-pack/plugins/security_solution/common/constants.ts
index 47e3b5b3ea364..35feeaf6c502a 100644
--- a/x-pack/plugins/security_solution/common/constants.ts
+++ b/x-pack/plugins/security_solution/common/constants.ts
@@ -249,6 +249,8 @@ export const DETECTION_ENGINE_SIGNALS_MIGRATION_URL = `${DETECTION_ENGINE_SIGNAL
 export const DETECTION_ENGINE_SIGNALS_MIGRATION_STATUS_URL = `${DETECTION_ENGINE_SIGNALS_URL}/migration_status`;
 export const DETECTION_ENGINE_SIGNALS_FINALIZE_MIGRATION_URL = `${DETECTION_ENGINE_SIGNALS_URL}/finalize_migration`;
 
+export const RAC_ALERTS_BULK_UPDATE_URL = '/internal/rac/alerts/bulk_update';
+
 /**
  * Common naming convention for an unauthenticated user
  */
diff --git a/x-pack/test/detection_engine_api_integration/basic/tests/index.ts b/x-pack/test/detection_engine_api_integration/basic/tests/index.ts
index 715303634875e..802b1e78930e8 100644
--- a/x-pack/test/detection_engine_api_integration/basic/tests/index.ts
+++ b/x-pack/test/detection_engine_api_integration/basic/tests/index.ts
@@ -30,5 +30,6 @@ export default ({ loadTestFile }: FtrProviderContext): void => {
     loadTestFile(require.resolve('./query_signals'));
     loadTestFile(require.resolve('./open_close_signals'));
     loadTestFile(require.resolve('./import_timelines'));
+    loadTestFile(require.resolve('./update_rac_alerts'));
   });
 };
diff --git a/x-pack/test/detection_engine_api_integration/basic/tests/update_rac_alerts.ts b/x-pack/test/detection_engine_api_integration/basic/tests/update_rac_alerts.ts
new file mode 100644
index 0000000000000..cc43a6a09a118
--- /dev/null
+++ b/x-pack/test/detection_engine_api_integration/basic/tests/update_rac_alerts.ts
@@ -0,0 +1,164 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+
+import type { estypes } from '@elastic/elasticsearch';
+import { Signal } from '../../../../plugins/security_solution/server/lib/detection_engine/signals/types';
+import {
+  RAC_ALERTS_BULK_UPDATE_URL,
+  DETECTION_ENGINE_QUERY_SIGNALS_URL,
+} from '../../../../plugins/security_solution/common/constants';
+import { FtrProviderContext } from '../../common/ftr_provider_context';
+import {
+  createSignalsIndex,
+  deleteSignalsIndex,
+  getSignalStatusEmptyResponse,
+  getQuerySignalIds,
+  deleteAllAlerts,
+  createRule,
+  waitForSignalsToBePresent,
+  getSignalsByIds,
+  waitForRuleSuccessOrStatus,
+  getRuleForSignalTesting,
+} from '../../utils';
+
+// eslint-disable-next-line import/no-default-export
+export default ({ getService }: FtrProviderContext) => {
+  const supertest = getService('supertest');
+  const esArchiver = getService('esArchiver');
+
+  describe('open_close_signals', () => {
+    describe('validation checks', () => {
+      it.skip('should not give errors when querying and the signals index does not exist yet', async () => {
+        const { body } = await supertest
+          .post(RAC_ALERTS_BULK_UPDATE_URL)
+          .set('kbn-xsrf', 'true')
+          .send({ ids: ['123'], status: 'open', index: '.siem-signals-default' });
+        //   .expect(200);
+        // console.error('BODY', JSON.stringify(body, null, 2));
+
+        // remove any server generated items that are indeterministic
+        delete body.took;
+
+        expect(body).to.eql(getSignalStatusEmptyResponse());
+      });
+
+      it('should not give errors when querying and the signals index does exist and is empty', async () => {
+        await createSignalsIndex(supertest);
+        const { body } = await supertest
+          .post(RAC_ALERTS_BULK_UPDATE_URL)
+          .set('kbn-xsrf', 'true')
+          .send({ ids: ['123'], status: 'open', index: '.siem-signals-default' })
+          .expect(200);
+
+        // remove any server generated items that are indeterministic
+        // delete body.took;
+
+        // expect(body).to.eql(getSignalStatusEmptyResponse());
+
+        // await deleteSignalsIndex(supertest);
+      });
+    });
+
+    describe('tests with auditbeat data', () => {
+      before(async () => {
+        await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts');
+      });
+      after(async () => {
+        await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/hosts');
+      });
+      beforeEach(async () => {
+        await deleteAllAlerts(supertest);
+        await createSignalsIndex(supertest);
+      });
+      afterEach(async () => {
+        await deleteSignalsIndex(supertest);
+        await deleteAllAlerts(supertest);
+      });
+
+      it('should be able to execute and get 10 signals', async () => {
+        const rule = getRuleForSignalTesting(['auditbeat-*']);
+        const { id } = await createRule(supertest, rule);
+        await waitForRuleSuccessOrStatus(supertest, id);
+        await waitForSignalsToBePresent(supertest, 10, [id]);
+        const signalsOpen = await getSignalsByIds(supertest, [id]);
+        expect(signalsOpen.hits.hits.length).equal(10);
+      });
+
+      it('should be have set the signals in an open state initially', async () => {
+        const rule = getRuleForSignalTesting(['auditbeat-*']);
+        const { id } = await createRule(supertest, rule);
+        await waitForRuleSuccessOrStatus(supertest, id);
+        await waitForSignalsToBePresent(supertest, 10, [id]);
+        const signalsOpen = await getSignalsByIds(supertest, [id]);
+        const everySignalOpen = signalsOpen.hits.hits.every(
+          (hit) => hit._source?.signal?.status === 'open'
+        );
+        expect(everySignalOpen).to.eql(true);
+      });
+
+      it('should be able to get a count of 10 closed signals when closing 10', async () => {
+        const rule = getRuleForSignalTesting(['auditbeat-*']);
+        const { id } = await createRule(supertest, rule);
+        await waitForRuleSuccessOrStatus(supertest, id);
+        await waitForSignalsToBePresent(supertest, 10, [id]);
+        const signalsOpen = await getSignalsByIds(supertest, [id]);
+        const signalIds = signalsOpen.hits.hits.map((signal) => signal._id);
+
+        // set all of the signals to the state of closed. There is no reason to use a waitUntil here
+        // as this route intentionally has a waitFor within it and should only return when the query has
+        // the data.
+        await supertest
+          .post(RAC_ALERTS_BULK_UPDATE_URL)
+          .set('kbn-xsrf', 'true')
+          .send({ ids: signalIds, status: 'closed', index: '.siem-signals-default' })
+          .expect(200);
+
+        const {
+          body: signalsClosed,
+        }: { body: estypes.SearchResponse<{ signal: Signal }> } = await supertest
+          .post(DETECTION_ENGINE_QUERY_SIGNALS_URL)
+          .set('kbn-xsrf', 'true')
+          .send(getQuerySignalIds(signalIds))
+          .expect(200);
+        expect(signalsClosed.hits.hits.length).to.equal(10);
+      });
+
+      it('should be able close 10 signals immediately and they all should be closed', async () => {
+        const rule = getRuleForSignalTesting(['auditbeat-*']);
+        const { id } = await createRule(supertest, rule);
+        await waitForRuleSuccessOrStatus(supertest, id);
+        await waitForSignalsToBePresent(supertest, 10, [id]);
+        const signalsOpen = await getSignalsByIds(supertest, [id]);
+        const signalIds = signalsOpen.hits.hits.map((signal) => signal._id);
+
+        // set all of the signals to the state of closed. There is no reason to use a waitUntil here
+        // as this route intentionally has a waitFor within it and should only return when the query has
+        // the data.
+        await supertest
+          .post(RAC_ALERTS_BULK_UPDATE_URL)
+          .set('kbn-xsrf', 'true')
+          .send({ ids: signalIds, status: 'closed', index: '.siem-signals-default' })
+          .expect(200);
+
+        const {
+          body: signalsClosed,
+        }: { body: estypes.SearchResponse<{ signal: Signal }> } = await supertest
+          .post(DETECTION_ENGINE_QUERY_SIGNALS_URL)
+          .set('kbn-xsrf', 'true')
+          .send(getQuerySignalIds(signalIds))
+          .expect(200);
+
+        const everySignalClosed = signalsClosed.hits.hits.every(
+          (hit) => hit._source?.signal?.status === 'closed'
+        );
+        expect(everySignalClosed).to.eql(true);
+      });
+    });
+  });
+};

From 1710bf3631884fdf7c1ae8e1908c3fc962b46a0c Mon Sep 17 00:00:00 2001
From: semd <sergi.massaneda@elastic.co>
Date: Fri, 13 Aug 2021 11:42:33 +0200
Subject: [PATCH 11/16] take index name from ecsData props

---
 .../kbn-rule-data-utils/src/alerts_as_data_rbac.ts |  2 +-
 .../server/routes/bulk_update_alerts.ts            | 14 ++++++++++++--
 .../timeline_actions/alert_context_menu.tsx        |  4 +---
 .../bulk_actions/alert_status_bulk_actions.tsx     |  1 -
 .../public/container/use_update_alerts.ts          |  1 -
 5 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/packages/kbn-rule-data-utils/src/alerts_as_data_rbac.ts b/packages/kbn-rule-data-utils/src/alerts_as_data_rbac.ts
index 795d194ee8a92..476425487df1b 100644
--- a/packages/kbn-rule-data-utils/src/alerts_as_data_rbac.ts
+++ b/packages/kbn-rule-data-utils/src/alerts_as_data_rbac.ts
@@ -27,7 +27,7 @@ export const AlertConsumers = {
   SYNTHETICS: 'synthetics',
 } as const;
 export type AlertConsumers = typeof AlertConsumers[keyof typeof AlertConsumers];
-export type STATUS_VALUES = 'open' | 'acknowledged' | 'closed';
+export type STATUS_VALUES = 'open' | 'acknowledged' | 'closed' | 'in-progress'; // TODO: remove 'in-progress' after migration to 'acknowledged'
 
 export const mapConsumerToIndexName: Record<AlertConsumers, string | string[]> = {
   apm: '.alerts-observability-apm',
diff --git a/x-pack/plugins/rule_registry/server/routes/bulk_update_alerts.ts b/x-pack/plugins/rule_registry/server/routes/bulk_update_alerts.ts
index 3bab930da08b9..afeddee5ff876 100644
--- a/x-pack/plugins/rule_registry/server/routes/bulk_update_alerts.ts
+++ b/x-pack/plugins/rule_registry/server/routes/bulk_update_alerts.ts
@@ -22,13 +22,23 @@ export const bulkUpdateAlertsRoute = (router: IRouter<RacRequestHandlerContext>)
         body: buildRouteValidation(
           t.union([
             t.strict({
-              status: t.union([t.literal('open'), t.literal('closed'), t.literal('in-progress')]),
+              status: t.union([
+                t.literal('open'),
+                t.literal('closed'),
+                t.literal('in-progress'), // TODO: remove after migration to acknowledged
+                t.literal('acknowledged'),
+              ]),
               index: t.string,
               ids: t.array(t.string),
               query: t.undefined,
             }),
             t.strict({
-              status: t.union([t.literal('open'), t.literal('closed'), t.literal('in-progress')]),
+              status: t.union([
+                t.literal('open'),
+                t.literal('closed'),
+                t.literal('in-progress'), // TODO: remove after migration to acknowledged
+                t.literal('acknowledged'),
+              ]),
               index: t.string,
               ids: t.undefined,
               query: t.union([t.object, t.string]),
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx
index 2ca059ed0ab13..ea451f424b430 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx
@@ -53,8 +53,6 @@ const AlertContextMenuComponent: React.FC<AlertContextMenuProps> = ({
   timelineId,
 }) => {
   const [isPopoverOpen, setPopover] = useState(false);
-  const { signalIndexName } = useSignalIndex();
-
   const ruleId = get(0, ecsRowData?.signal?.rule?.id);
   const ruleName = get(0, ecsRowData?.signal?.rule?.name);
 
@@ -117,7 +115,7 @@ const AlertContextMenuComponent: React.FC<AlertContextMenuProps> = ({
   const { actionItems } = useAlertsActions({
     alertStatus,
     eventId: ecsRowData?._id,
-    indexName: signalIndexName!,
+    indexName: ecsRowData?._index ?? '',
     timelineId,
     closePopover,
   });
diff --git a/x-pack/plugins/timelines/public/components/t_grid/toolbar/bulk_actions/alert_status_bulk_actions.tsx b/x-pack/plugins/timelines/public/components/t_grid/toolbar/bulk_actions/alert_status_bulk_actions.tsx
index 92d40ad3d7a6a..a2e91734d6f05 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/toolbar/bulk_actions/alert_status_bulk_actions.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/toolbar/bulk_actions/alert_status_bulk_actions.tsx
@@ -153,7 +153,6 @@ export const AlertStatusBulkActionsComponent = React.memo<StatefulAlertStatusBul
       eventIds: Object.keys(selectedEventIds),
       currentStatus: filterStatus,
       ...(showClearSelection ? { query } : {}),
-      // query,
       setEventsLoading,
       setEventsDeleted,
       onUpdateSuccess: onAlertStatusUpdateSuccess,
diff --git a/x-pack/plugins/timelines/public/container/use_update_alerts.ts b/x-pack/plugins/timelines/public/container/use_update_alerts.ts
index 6b7c660a734eb..b9f6437accd48 100644
--- a/x-pack/plugins/timelines/public/container/use_update_alerts.ts
+++ b/x-pack/plugins/timelines/public/container/use_update_alerts.ts
@@ -10,7 +10,6 @@ import type { estypes } from '@elastic/elasticsearch';
 import { useKibana } from '../../../../../src/plugins/kibana_react/public';
 import { AlertStatus } from '../../../timelines/common';
 
-// export const DETECTION_ENGINE_SIGNALS_STATUS_URL = '/api/detection_engine/signals/status';
 export const RAC_ALERTS_BULK_UPDATE_URL = '/internal/rac/alerts/bulk_update';
 
 /**

From 8138fb668e002ed69d77e749dcb6dda9a2d82dd0 Mon Sep 17 00:00:00 2001
From: semd <sergi.massaneda@elastic.co>
Date: Fri, 13 Aug 2021 12:29:25 +0200
Subject: [PATCH 12/16] pr suggestions

---
 .../server/alert_data_client/alerts_client.ts            | 9 +++++++--
 .../timelines/public/components/t_grid/body/index.tsx    | 2 +-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
index 40157bc63625b..7e59553b29bac 100644
--- a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
@@ -375,8 +375,13 @@ export class AlertsClient {
         config
       );
       if (query != null && typeof query === 'object') {
-        // @ts-expect-error
-        builtQuery.bool.must.push(query);
+        return {
+          ...builtQuery,
+          bool: {
+            ...builtQuery.bool,
+            must: [...builtQuery.bool.must, query],
+          },
+        };
       }
       return builtQuery;
     } catch (exc) {
diff --git a/x-pack/plugins/timelines/public/components/t_grid/body/index.tsx b/x-pack/plugins/timelines/public/components/t_grid/body/index.tsx
index d107235c1377c..e9051b72db5e5 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/body/index.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/body/index.tsx
@@ -342,7 +342,7 @@ export const BodyComponent = React.memo<StatefulBodyProps>(
                     totalItems={totalItems}
                     filterStatus={filterStatus}
                     query={filterQuery}
-                    indexName={indexNames.join(',')}
+                    indexName={indexNames.join()}
                     onActionSuccess={onAlertStatusActionSuccess}
                     onActionFailure={onAlertStatusActionFailure}
                     refetch={refetch}

From 23e77f37c48776bfd66d8130830e907deafee251 Mon Sep 17 00:00:00 2001
From: semd <sergi.massaneda@elastic.co>
Date: Fri, 13 Aug 2021 17:23:00 +0200
Subject: [PATCH 13/16] some more type fixes

---
 .../server/alert_data_client/alerts_client.ts       |  5 +++--
 .../timelines/public/components/t_grid/helpers.tsx  |  5 +++--
 .../timelines/public/container/use_update_alerts.ts | 13 +++++++------
 .../es_archives/rule_registry/alerts/data.json      |  2 +-
 .../tests/basic/bulk_update_alerts.ts               |  1 -
 5 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
index 7e59553b29bac..6ef5187dd4b66 100644
--- a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
@@ -5,6 +5,7 @@
  * 2.0.
  */
 import Boom from '@hapi/boom';
+import { estypes } from '@elastic/elasticsearch';
 import { PublicMethodsOf } from '@kbn/utility-types';
 import { Filter, buildEsQuery, EsQueryConfig } from '@kbn/es-query';
 import { decodeVersion, encodeHitVersion } from '@kbn/securitysolution-es-utils';
@@ -50,12 +51,12 @@ const mapConsumerToIndexName: typeof mapConsumerToIndexNameTyped = mapConsumerTo
 // TODO: Fix typings https://github.com/elastic/kibana/issues/101776
 type NonNullableProps<Obj extends {}, Props extends keyof Obj> = Omit<Obj, Props> &
   { [K in Props]-?: NonNullable<Obj[K]> };
-type AlertType = NonNullableProps<
+type AlertType = { _index: string; _id: string } & NonNullableProps<
   ParsedTechnicalFields,
   typeof ALERT_RULE_TYPE_ID | typeof ALERT_RULE_CONSUMER | typeof SPACE_IDS
 >;
 
-const isValidAlert = (source?: any): source is AlertType => {
+const isValidAlert = (source?: estypes.SearchHit<any>): source is AlertType => {
   return (
     (source?._source?.[ALERT_RULE_TYPE_ID] != null &&
       source?._source?.[ALERT_RULE_CONSUMER] != null &&
diff --git a/x-pack/plugins/timelines/public/components/t_grid/helpers.tsx b/x-pack/plugins/timelines/public/components/t_grid/helpers.tsx
index 4964316fccd94..5fe766077a74c 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/helpers.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/helpers.tsx
@@ -6,6 +6,7 @@
  */
 
 import type { Filter, EsQueryConfig, Query } from '@kbn/es-query';
+import { FilterStateStore } from '@kbn/es-query';
 import { isEmpty, get } from 'lodash/fp';
 import memoizeOne from 'memoize-one';
 import { ALERT_WORKFLOW_STATUS } from '@kbn/rule-data-utils';
@@ -16,7 +17,7 @@ import {
   handleSkipFocus,
   stopPropagationAndPreventDefault,
 } from '../../../common';
-import { esFilters, IIndexPattern } from '../../../../../../src/plugins/data/public';
+import { IIndexPattern } from '../../../../../../src/plugins/data/public';
 import type { BrowserFields } from '../../../common/search_strategy/index_fields';
 import { DataProviderType, EXISTS_OPERATOR } from '../../../common/types/timeline';
 import type { DataProvider, DataProvidersAnd } from '../../../common/types/timeline';
@@ -218,7 +219,7 @@ export const buildTimeRangeFilter = (from: string, to: string): Filter =>
       },
     },
     $state: {
-      store: esFilters.FilterStateStore.APP_STATE,
+      store: FilterStateStore.APP_STATE,
     },
   } as Filter);
 
diff --git a/x-pack/plugins/timelines/public/container/use_update_alerts.ts b/x-pack/plugins/timelines/public/container/use_update_alerts.ts
index b9f6437accd48..4ffc79ef1379a 100644
--- a/x-pack/plugins/timelines/public/container/use_update_alerts.ts
+++ b/x-pack/plugins/timelines/public/container/use_update_alerts.ts
@@ -6,6 +6,7 @@
  */
 
 import type { estypes } from '@elastic/elasticsearch';
+import { CoreStart } from '../../../../../src/core/public';
 
 import { useKibana } from '../../../../../src/plugins/kibana_react/public';
 import { AlertStatus } from '../../../timelines/common';
@@ -15,9 +16,10 @@ export const RAC_ALERTS_BULK_UPDATE_URL = '/internal/rac/alerts/bulk_update';
 /**
  * Update alert status by query
  *
- * @param query of alerts to update
- * @param status to update to('open' / 'closed' / 'in-progress')
- * @param signal AbortSignal for cancelling request
+ * @param status to update to('open' / 'closed' / 'acknowledged')
+ * @param index index to be updated
+ * @param query optional query object to update alerts by query.
+ * @param ids optional array of alert ids to update. Ignored if query passed.
  *
  * @throws An error if response is not OK
  */
@@ -29,11 +31,10 @@ export const useUpdateAlertsStatus = (): {
     query?: object;
   }) => Promise<estypes.UpdateByQueryResponse>;
 } => {
-  const { http } = useKibana().services;
+  const { http } = useKibana<CoreStart>().services;
   return {
     updateAlertStatus: async ({ status, index, ids, query }) => {
-      const { body } = await http!.fetch(RAC_ALERTS_BULK_UPDATE_URL, {
-        method: 'POST',
+      const { body } = await http.post(RAC_ALERTS_BULK_UPDATE_URL, {
         body: JSON.stringify({ index, status, ...(query ? { query } : { ids }) }),
       });
       return body;
diff --git a/x-pack/test/functional/es_archives/rule_registry/alerts/data.json b/x-pack/test/functional/es_archives/rule_registry/alerts/data.json
index 0b13306e05f2a..7291dd2c65fa5 100644
--- a/x-pack/test/functional/es_archives/rule_registry/alerts/data.json
+++ b/x-pack/test/functional/es_archives/rule_registry/alerts/data.json
@@ -113,4 +113,4 @@
       "kibana.space_ids": ["space2"]
     }
   }
-}
\ No newline at end of file
+}
diff --git a/x-pack/test/rule_registry/security_and_spaces/tests/basic/bulk_update_alerts.ts b/x-pack/test/rule_registry/security_and_spaces/tests/basic/bulk_update_alerts.ts
index a033e634dc6b3..b203bb8659a77 100644
--- a/x-pack/test/rule_registry/security_and_spaces/tests/basic/bulk_update_alerts.ts
+++ b/x-pack/test/rule_registry/security_and_spaces/tests/basic/bulk_update_alerts.ts
@@ -58,7 +58,6 @@ export default ({ getService }: FtrProviderContext) => {
   const APM_ALERT_INDEX = '.alerts-observability-apm';
   const SECURITY_SOLUTION_ALERT_ID = '020202';
   const SECURITY_SOLUTION_ALERT_INDEX = '.alerts-security.alerts';
-  // const ALERT_VERSION = Buffer.from(JSON.stringify([0, 1]), 'utf8').toString('base64'); // required for optimistic concurrency control
 
   const getAPMIndexName = async (user: User) => {
     const {

From d5c29fab350a40169c690fb884e39225998d5d8d Mon Sep 17 00:00:00 2001
From: semd <sergi.massaneda@elastic.co>
Date: Fri, 13 Aug 2021 18:53:30 +0200
Subject: [PATCH 14/16] refactor and type fixes

---
 .../server/alert_data_client/alerts_client.ts | 24 +++++++++++--------
 .../security_solution/common/constants.ts     |  2 --
 x-pack/plugins/timelines/common/constants.ts  |  2 ++
 .../public/container/use_update_alerts.ts     |  3 +--
 .../basic/tests/update_rac_alerts.ts          | 18 +++-----------
 5 files changed, 20 insertions(+), 29 deletions(-)

diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
index 59a0c3f888038..e78f5f6d51cd2 100644
--- a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
+++ b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
@@ -130,6 +130,15 @@ export class AlertsClient {
     };
   }
 
+  private getAlertStatusFieldUpdate(
+    source: ParsedTechnicalFields | undefined,
+    status: STATUS_VALUES
+  ) {
+    return source?.[ALERT_WORKFLOW_STATUS] == null
+      ? { signal: { status } }
+      : { [ALERT_WORKFLOW_STATUS]: status };
+  }
+
   /**
    * Accepts an array of ES documents and executes ensureAuthorized for the given operation
    * @param items
@@ -313,10 +322,7 @@ export class AlertsClient {
       }
 
       const bulkUpdateRequest = mgetRes.body.docs.flatMap((item) => {
-        const fieldToUpdate =
-          item?._source?.[ALERT_WORKFLOW_STATUS] == null
-            ? { signal: { status } }
-            : { [ALERT_WORKFLOW_STATUS]: status };
+        const fieldToUpdate = this.getAlertStatusFieldUpdate(item?._source, status);
         return [
           {
             update: {
@@ -508,12 +514,10 @@ export class AlertsClient {
         this.logger.error(errorMessage);
         throw Boom.notFound(errorMessage);
       }
-
-      const fieldToUpdate =
-        alert?.hits.hits[0]._source?.[ALERT_WORKFLOW_STATUS] == null
-          ? { signal: { status } }
-          : { [ALERT_WORKFLOW_STATUS]: status };
-
+      const fieldToUpdate = this.getAlertStatusFieldUpdate(
+        alert?.hits.hits[0]._source,
+        status as STATUS_VALUES
+      );
       const { body: response } = await this.esClient.update<ParsedTechnicalFields>({
         ...decodeVersion(_version),
         id,
diff --git a/x-pack/plugins/security_solution/common/constants.ts b/x-pack/plugins/security_solution/common/constants.ts
index 35feeaf6c502a..47e3b5b3ea364 100644
--- a/x-pack/plugins/security_solution/common/constants.ts
+++ b/x-pack/plugins/security_solution/common/constants.ts
@@ -249,8 +249,6 @@ export const DETECTION_ENGINE_SIGNALS_MIGRATION_URL = `${DETECTION_ENGINE_SIGNAL
 export const DETECTION_ENGINE_SIGNALS_MIGRATION_STATUS_URL = `${DETECTION_ENGINE_SIGNALS_URL}/migration_status`;
 export const DETECTION_ENGINE_SIGNALS_FINALIZE_MIGRATION_URL = `${DETECTION_ENGINE_SIGNALS_URL}/finalize_migration`;
 
-export const RAC_ALERTS_BULK_UPDATE_URL = '/internal/rac/alerts/bulk_update';
-
 /**
  * Common naming convention for an unauthenticated user
  */
diff --git a/x-pack/plugins/timelines/common/constants.ts b/x-pack/plugins/timelines/common/constants.ts
index 8c4e1700a54dd..9ef20f3ef5a6f 100644
--- a/x-pack/plugins/timelines/common/constants.ts
+++ b/x-pack/plugins/timelines/common/constants.ts
@@ -13,3 +13,5 @@ export const DEFAULT_NUMBER_FORMAT = 'format:number:defaultPattern';
 export const FILTER_OPEN: AlertStatus = 'open';
 export const FILTER_CLOSED: AlertStatus = 'closed';
 export const FILTER_IN_PROGRESS: AlertStatus = 'in-progress';
+
+export const RAC_ALERTS_BULK_UPDATE_URL = '/internal/rac/alerts/bulk_update';
diff --git a/x-pack/plugins/timelines/public/container/use_update_alerts.ts b/x-pack/plugins/timelines/public/container/use_update_alerts.ts
index 4ffc79ef1379a..7cce40b59632d 100644
--- a/x-pack/plugins/timelines/public/container/use_update_alerts.ts
+++ b/x-pack/plugins/timelines/public/container/use_update_alerts.ts
@@ -10,8 +10,7 @@ import { CoreStart } from '../../../../../src/core/public';
 
 import { useKibana } from '../../../../../src/plugins/kibana_react/public';
 import { AlertStatus } from '../../../timelines/common';
-
-export const RAC_ALERTS_BULK_UPDATE_URL = '/internal/rac/alerts/bulk_update';
+import { RAC_ALERTS_BULK_UPDATE_URL } from '../../common/constants';
 
 /**
  * Update alert status by query
diff --git a/x-pack/test/detection_engine_api_integration/basic/tests/update_rac_alerts.ts b/x-pack/test/detection_engine_api_integration/basic/tests/update_rac_alerts.ts
index cc43a6a09a118..43c9a3d0d7608 100644
--- a/x-pack/test/detection_engine_api_integration/basic/tests/update_rac_alerts.ts
+++ b/x-pack/test/detection_engine_api_integration/basic/tests/update_rac_alerts.ts
@@ -9,10 +9,8 @@ import expect from '@kbn/expect';
 
 import type { estypes } from '@elastic/elasticsearch';
 import { Signal } from '../../../../plugins/security_solution/server/lib/detection_engine/signals/types';
-import {
-  RAC_ALERTS_BULK_UPDATE_URL,
-  DETECTION_ENGINE_QUERY_SIGNALS_URL,
-} from '../../../../plugins/security_solution/common/constants';
+import { DETECTION_ENGINE_QUERY_SIGNALS_URL } from '../../../../plugins/security_solution/common/constants';
+import { RAC_ALERTS_BULK_UPDATE_URL } from '../../../../plugins/timelines/common/constants';
 import { FtrProviderContext } from '../../common/ftr_provider_context';
 import {
   createSignalsIndex,
@@ -39,29 +37,19 @@ export default ({ getService }: FtrProviderContext) => {
           .post(RAC_ALERTS_BULK_UPDATE_URL)
           .set('kbn-xsrf', 'true')
           .send({ ids: ['123'], status: 'open', index: '.siem-signals-default' });
-        //   .expect(200);
-        // console.error('BODY', JSON.stringify(body, null, 2));
 
         // remove any server generated items that are indeterministic
         delete body.took;
-
         expect(body).to.eql(getSignalStatusEmptyResponse());
       });
 
       it('should not give errors when querying and the signals index does exist and is empty', async () => {
         await createSignalsIndex(supertest);
-        const { body } = await supertest
+        await supertest
           .post(RAC_ALERTS_BULK_UPDATE_URL)
           .set('kbn-xsrf', 'true')
           .send({ ids: ['123'], status: 'open', index: '.siem-signals-default' })
           .expect(200);
-
-        // remove any server generated items that are indeterministic
-        // delete body.took;
-
-        // expect(body).to.eql(getSignalStatusEmptyResponse());
-
-        // await deleteSignalsIndex(supertest);
       });
     });
 

From 5a092582c7bff38768e968ecb9b7abd3cddb6e19 Mon Sep 17 00:00:00 2001
From: semd <sergi.massaneda@elastic.co>
Date: Fri, 13 Aug 2021 20:37:10 +0200
Subject: [PATCH 15/16] snapshot updated

---
 .../components/side_panel/__snapshots__/index.test.tsx.snap     | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap b/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap
index 3b365306447b4..c8da44e648ff8 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap
@@ -487,6 +487,7 @@ Array [
                       <Memo()
                         detailsData={null}
                         handleOnEventClosed={[Function]}
+                        indexName="my-index"
                         isHostIsolationPanelOpen={false}
                         loadingEventDetails={true}
                         onAddEventFilterClick={[Function]}
@@ -747,6 +748,7 @@ Array [
                     <Memo()
                       detailsData={null}
                       handleOnEventClosed={[Function]}
+                      indexName="my-index"
                       isHostIsolationPanelOpen={false}
                       loadingEventDetails={true}
                       onAddEventFilterClick={[Function]}

From 36680b4d1ed8df78b73bd25745ae1aae194c7a1a Mon Sep 17 00:00:00 2001
From: Devin Hurley <devin.hurley@elastic.co>
Date: Fri, 13 Aug 2021 15:34:54 -0400
Subject: [PATCH 16/16] add alertsConsumers back into tgrid props

---
 .../timelines/public/components/t_grid/standalone/index.tsx      | 1 +
 1 file changed, 1 insertion(+)

diff --git a/x-pack/plugins/timelines/public/components/t_grid/standalone/index.tsx b/x-pack/plugins/timelines/public/components/t_grid/standalone/index.tsx
index 234817168c473..9fb6af6199a4c 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/standalone/index.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/standalone/index.tsx
@@ -225,6 +225,7 @@ const TGridStandaloneComponent: React.FC<TGridStandaloneProps> = ({
     loading,
     { events, updatedAt, loadPage, pageInfo, refetch, totalCount = 0, inspect },
   ] = useTimelineEvents({
+    alertConsumers,
     docValueFields: [],
     excludeEcsData: true,
     fields,