[TGrid] Alerts status update use RBAC api

packages/kbn-rule-data-utils/src/alerts_as_data_rbac.ts

@@ -27,7 +27,7 @@ export const AlertConsumers = {
   SYNTHETICS: 'synthetics',
 } as const;
 export type AlertConsumers = typeof AlertConsumers[keyof typeof AlertConsumers];
-export type STATUS_VALUES = 'open' | 'acknowledged' | 'closed';
+export type STATUS_VALUES = 'open' | 'acknowledged' | 'closed' | 'in-progress'; // TODO: remove 'in-progress' after migration to 'acknowledged'
 
 export const mapConsumerToIndexName: Record<AlertConsumers, string | string[]> = {
   apm: '.alerts-observability-apm',

x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts

@@ -35,7 +35,7 @@ import { Logger, ElasticsearchClient, EcsEventOutcome } from '../../../../../src
 import { alertAuditEvent, operationAlertAuditActionMap } from './audit_events';
 import { AuditLogger } from '../../../security/server';
 import {
-  ALERT_STATUS,
+  ALERT_WORKFLOW_STATUS,
   ALERT_RULE_CONSUMER,
   ALERT_RULE_TYPE_ID,
   SPACE_IDS,
@@ -55,11 +55,14 @@ type AlertType = NonNullableProps<
   typeof ALERT_RULE_TYPE_ID | typeof ALERT_RULE_CONSUMER | typeof SPACE_IDS
 >;
 
-const isValidAlert = (source?: ParsedTechnicalFields): source is AlertType => {
+const isValidAlert = (source?: any): source is AlertType => {
   return (
-    source?.[ALERT_RULE_TYPE_ID] != null &&
-    source?.[ALERT_RULE_CONSUMER] != null &&
-    source?.[SPACE_IDS] != null
+    (source?._source?.[ALERT_RULE_TYPE_ID] != null &&
+      source?._source?.[ALERT_RULE_CONSUMER] != null &&
+      source?._source?.[SPACE_IDS] != null) ||
+    (source?.fields?.[ALERT_RULE_TYPE_ID][0] != null &&
+      source?.fields?.[ALERT_RULE_CONSUMER][0] != null &&
+      source?.fields?.[SPACE_IDS][0] != null)
   );
 };
 export interface ConstructorOptions {
@@ -80,7 +83,7 @@ export interface BulkUpdateOptions<Params extends AlertTypeParams> {
   ids: string[] | undefined | null;
   status: STATUS_VALUES;
   index: string;
-  query: string | undefined | null;
+  query: object | string | undefined | null;
 }
 
 interface GetAlertParams {
@@ -90,7 +93,7 @@ interface GetAlertParams {
 
 interface SingleSearchAfterAndAudit {
   id: string | null | undefined;
-  query: string | null | undefined;
+  query: object | string | null | undefined;
   index?: string;
   operation: WriteOperations.Update | ReadOperations.Find | ReadOperations.Get;
   lastSortIds: Array<string | number> | undefined;
@@ -218,6 +221,7 @@ export class AlertsClient {
       const config = getEsQueryConfig();
 
       let queryBody = {
+        fields: [ALERT_RULE_TYPE_ID, ALERT_RULE_CONSUMER, ALERT_WORKFLOW_STATUS, SPACE_IDS],
         query: await this.buildEsQueryWithAuthz(query, id, alertSpaceId, operation, config),
         sort: [
           {
@@ -245,7 +249,7 @@ export class AlertsClient {
         seq_no_primary_term: true,
       });
 
-      if (!result?.body.hits.hits.every((hit) => isValidAlert(hit._source))) {
+      if (!result?.body.hits.hits.every((hit) => isValidAlert(hit))) {
         const errorMessage = `Invalid alert found with id of "${id}" or with query "${query}" and operation ${operation}`;
         this.logger.error(errorMessage);
         throw Boom.badData(errorMessage);
@@ -307,17 +311,25 @@ export class AlertsClient {
         );
       }
 
-      const bulkUpdateRequest = mgetRes.body.docs.flatMap((item) => [
-        {
-          update: {
-            _index: item._index,
-            _id: item._id,
+      const bulkUpdateRequest = mgetRes.body.docs.flatMap((item) => {
+        const fieldToUpdate =
+          item?._source?.[ALERT_WORKFLOW_STATUS] == null
+            ? { signal: { status } }
+            : { [ALERT_WORKFLOW_STATUS]: status };
+        return [
+          {
+            update: {
+              _index: item._index,
+              _id: item._id,
+            },
           },
-        },
-        {
-          doc: { [ALERT_STATUS]: status },
-        },
-      ]);
+          {
+            doc: {
+              ...fieldToUpdate,
+            },
+          },
+        ];
+      });
 
       const bulkUpdateResponse = await this.esClient.bulk({
         body: bulkUpdateRequest,
@@ -330,7 +342,7 @@ export class AlertsClient {
   }
 
   private async buildEsQueryWithAuthz(
-    query: string | null | undefined,
+    query: object | string | null | undefined,
     id: string | null | undefined,
     alertSpaceId: string,
     operation: WriteOperations.Update | ReadOperations.Get | ReadOperations.Find,
@@ -345,15 +357,33 @@ export class AlertsClient {
         },
         operation
       );
-      return buildEsQuery(
+      let esQuery;
+      if (id != null) {
+        esQuery = { query: `_id:${id}`, language: 'kuery' };
+      } else if (typeof query === 'string') {
+        esQuery = { query, language: 'kuery' };
+      } else if (query != null && typeof query === 'object') {
+        esQuery = [];
+      }
+      const builtQuery = buildEsQuery(
         undefined,
-        { query: query == null ? `_id:${id}` : query, language: 'kuery' },
+        esQuery == null ? { query: ``, language: 'kuery' } : esQuery,
         [
           (authzFilter as unknown) as Filter,
           ({ term: { [SPACE_IDS]: alertSpaceId } } as unknown) as Filter,
         ],
         config
       );
+      if (query != null && typeof query === 'object') {
+        return {
+          ...builtQuery,
+          bool: {
+            ...builtQuery.bool,
+            must: [...builtQuery.bool.must, query],
+          },
+        };
+      }
+      return builtQuery;
     } catch (exc) {
       this.logger.error(exc);
       throw Boom.expectationFailed(
@@ -373,7 +403,7 @@ export class AlertsClient {
     operation,
   }: {
     index: string;
-    query: string;
+    query: object | string;
     operation: WriteOperations.Update | ReadOperations.Find | ReadOperations.Get;
   }) {
     let lastSortIds;
@@ -436,7 +466,7 @@ export class AlertsClient {
       // first search for the alert by id, then use the alert info to check if user has access to it
       const alert = await this.singleSearchAfterAndAudit({
         id,
-        query: null,
+        query: undefined,
         index,
         operation: ReadOperations.Get,
         lastSortIds: undefined,
@@ -477,13 +507,18 @@ export class AlertsClient {
         throw Boom.notFound(errorMessage);
       }
 
+      const fieldToUpdate =
+        alert?.hits.hits[0]._source?.[ALERT_WORKFLOW_STATUS] == null
+          ? { signal: { status } }
+          : { [ALERT_WORKFLOW_STATUS]: status };
+
       const { body: response } = await this.esClient.update<ParsedTechnicalFields>({
         ...decodeVersion(_version),
         id,
         index,
         body: {
           doc: {
-            [ALERT_STATUS]: status,
+            ...fieldToUpdate,
           },
         },
         refresh: 'wait_for',
@@ -535,11 +570,11 @@ export class AlertsClient {
           refresh: true,
           body: {
             script: {
-              source: `if (ctx._source['${ALERT_STATUS}'] != null) {
-                ctx._source['${ALERT_STATUS}'] = '${status}'
+              source: `if (ctx._source['${ALERT_WORKFLOW_STATUS}'] != null) {
+                ctx._source['${ALERT_WORKFLOW_STATUS}'] = '${status}'
               }
-              if (ctx._source['signal.status'] != null) {
-                ctx._source['signal.status'] = '${status}'
+              if (ctx._source.signal != null && ctx._source.signal.status != null) {
+                ctx._source.signal.status = '${status}'
               }`,
               lang: 'painless',
             } as InlineScript,

x-pack/plugins/rule_registry/server/alert_data_client/tests/get.test.ts

@@ -119,6 +119,12 @@ describe('get()', () => {
       Array [
         Object {
           "body": Object {
+            "fields": Array [
+              "kibana.alert.rule.rule_type_id",
+              "kibana.alert.rule.consumer",
+              "kibana.alert.workflow_status",
+              "kibana.space_ids",
+            ],
             "query": Object {
               "bool": Object {
                 "filter": Array [
@@ -254,7 +260,7 @@ describe('get()', () => {
 
     await expect(alertsClient.get({ id: fakeAlertId, index: '.alerts-observability-apm' })).rejects
       .toThrowErrorMatchingInlineSnapshot(`
-            "Unable to retrieve alert details for alert with id of \\"myfakeid1\\" or with query \\"null\\" and operation get 
+            "Unable to retrieve alert details for alert with id of \\"myfakeid1\\" or with query \\"undefined\\" and operation get 
             Error: Error: Unauthorized for fake.rule and apm"
           `);
 
@@ -281,7 +287,7 @@ describe('get()', () => {
     await expect(
       alertsClient.get({ id: 'NoxgpHkBqbdrfX07MqXV', index: '.alerts-observability-apm' })
     ).rejects.toThrowErrorMatchingInlineSnapshot(`
-            "Unable to retrieve alert details for alert with id of \\"NoxgpHkBqbdrfX07MqXV\\" or with query \\"null\\" and operation get 
+            "Unable to retrieve alert details for alert with id of \\"NoxgpHkBqbdrfX07MqXV\\" or with query \\"undefined\\" and operation get 
             Error: Error: something went wrong"
           `);
   });

x-pack/plugins/rule_registry/server/alert_data_client/tests/update.test.ts

@@ -7,7 +7,7 @@
 
 import {
   ALERT_RULE_CONSUMER,
-  ALERT_STATUS,
+  ALERT_WORKFLOW_STATUS,
   SPACE_IDS,
   ALERT_RULE_TYPE_ID,
 } from '@kbn/rule-data-utils';
@@ -89,8 +89,8 @@ describe('update()', () => {
                 _source: {
                   [ALERT_RULE_TYPE_ID]: 'apm.error_rate',
                   message: 'hello world 1',
+                  [ALERT_WORKFLOW_STATUS]: 'open',
                   [ALERT_RULE_CONSUMER]: 'apm',
-                  [ALERT_STATUS]: 'open',
                   [SPACE_IDS]: [DEFAULT_SPACE],
                 },
               },
@@ -139,7 +139,7 @@ describe('update()', () => {
         Object {
           "body": Object {
             "doc": Object {
-              "${ALERT_STATUS}": "closed",
+              "${ALERT_WORKFLOW_STATUS}": "closed",
             },
           },
           "id": "1",
@@ -175,8 +175,8 @@ describe('update()', () => {
                 _source: {
                   [ALERT_RULE_TYPE_ID]: 'apm.error_rate',
                   message: 'hello world 1',
+                  [ALERT_WORKFLOW_STATUS]: 'open',
                   [ALERT_RULE_CONSUMER]: 'apm',
-                  [ALERT_STATUS]: 'open',
                   [SPACE_IDS]: [DEFAULT_SPACE],
                 },
               },
@@ -249,7 +249,7 @@ describe('update()', () => {
                 _source: {
                   [ALERT_RULE_TYPE_ID]: fakeRuleTypeId,
                   [ALERT_RULE_CONSUMER]: 'apm',
-                  [ALERT_STATUS]: 'open',
+                  [ALERT_WORKFLOW_STATUS]: 'open',
                   [SPACE_IDS]: [DEFAULT_SPACE],
                 },
               },
@@ -330,8 +330,8 @@ describe('update()', () => {
                 _source: {
                   [ALERT_RULE_TYPE_ID]: 'apm.error_rate',
                   message: 'hello world 1',
+                  [ALERT_WORKFLOW_STATUS]: 'open',
                   [ALERT_RULE_CONSUMER]: 'apm',
-                  [ALERT_STATUS]: 'open',
                   [SPACE_IDS]: [DEFAULT_SPACE],
                 },
               },
@@ -391,7 +391,7 @@ describe('update()', () => {
                     [ALERT_RULE_TYPE_ID]: 'apm.error_rate',
                     message: 'hello world 1',
                     [ALERT_RULE_CONSUMER]: 'apm',
-                    [ALERT_STATUS]: 'open',
+                    [ALERT_WORKFLOW_STATUS]: 'open',
                     [SPACE_IDS]: [DEFAULT_SPACE],
                   },
                 },

x-pack/plugins/rule_registry/server/routes/bulk_update_alerts.ts

@@ -22,16 +22,26 @@ export const bulkUpdateAlertsRoute = (router: IRouter<RacRequestHandlerContext>)
         body: buildRouteValidation(
           t.union([
             t.strict({
-              status: t.union([t.literal('open'), t.literal('closed')]),
+              status: t.union([
+                t.literal('open'),
+                t.literal('closed'),
+                t.literal('in-progress'), // TODO: remove after migration to acknowledged
+                t.literal('acknowledged'),
+              ]),
               index: t.string,
               ids: t.array(t.string),
               query: t.undefined,
             }),
             t.strict({
-              status: t.union([t.literal('open'), t.literal('closed')]),
+              status: t.union([
+                t.literal('open'),
+                t.literal('closed'),
+                t.literal('in-progress'), // TODO: remove after migration to acknowledged
+                t.literal('acknowledged'),
+              ]),
               index: t.string,
               ids: t.undefined,
-              query: t.string,
+              query: t.union([t.object, t.string]),
             }),
           ])
         ),

x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx

@@ -53,7 +53,6 @@ const AlertContextMenuComponent: React.FC<AlertContextMenuProps> = ({
   timelineId,
 }) => {
   const [isPopoverOpen, setPopover] = useState(false);
-
   const ruleId = get(0, ecsRowData?.signal?.rule?.id);
   const ruleName = get(0, ecsRowData?.signal?.rule?.name);
 
@@ -116,6 +115,7 @@ const AlertContextMenuComponent: React.FC<AlertContextMenuProps> = ({
   const { actionItems } = useAlertsActions({
     alertStatus,
     eventId: ecsRowData?._id,
+    indexName: ecsRowData?._index ?? '',
     timelineId,
     closePopover,
   });

x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/use_alerts_actions.tsx

@@ -27,9 +27,16 @@ interface Props {
   closePopover: () => void;
   eventId: string;
   timelineId: string;
+  indexName: string;
 }
 
-export const useAlertsActions = ({ alertStatus, closePopover, eventId, timelineId }: Props) => {
+export const useAlertsActions = ({
+  alertStatus,
+  closePopover,
+  eventId,
+  timelineId,
+  indexName,
+}: Props) => {
   const dispatch = useDispatch();
   const [, dispatchToaster] = useStateToaster();
 
@@ -100,6 +107,7 @@ export const useAlertsActions = ({ alertStatus, closePopover, eventId, timelineI
   const actionItems = useStatusBulkActionItems({
     eventIds: [eventId],
     currentStatus: alertStatus,
+    indexName,
     setEventsLoading,
     setEventsDeleted,
     onUpdateSuccess: onAlertStatusUpdateSuccess,

x-pack/plugins/security_solution/public/detections/components/take_action_dropdown/index.tsx

@@ -48,6 +48,7 @@ export const TakeActionDropdown = React.memo(
     onAddExceptionTypeClick,
     onAddIsolationStatusClick,
     refetch,
+    indexName,
     timelineId,
   }: {
     detailsData: TimelineEventsDetailsItem[] | null;
@@ -57,6 +58,7 @@ export const TakeActionDropdown = React.memo(
     loadingEventDetails: boolean;
     nonEcsData?: TimelineNonEcsData[];
     refetch: (() => void) | undefined;
+    indexName: string;
     onAddEventFilterClick: () => void;
     onAddExceptionTypeClick: (type: ExceptionListType) => void;
     onAddIsolationStatusClick: (action: 'isolateHost' | 'unisolateHost') => void;
@@ -154,6 +156,7 @@ export const TakeActionDropdown = React.memo(
     const { actionItems } = useAlertsActions({
       alertStatus: actionsData.alertStatus,
       eventId: actionsData.eventId,
+      indexName,
       timelineId,
       closePopover: closePopoverAndFlyout,
     });