[Response Ops][Alerting] Using alertsClient for legacy siem notific…

…ation rule types to write default alerts-as-data docs (elastic#174553)

Towards elastic/response-ops-team#164
Resolves elastic#171795

## Summary

* Switches this rule type to use `alertsClient` from alerting framework
in favor of the deprecated `alertFactory`
* Defines the `default` alert config for these rule types so framework
level fields will be written out into the
`.alerts-default.alerts-default` index with no rule type specific
fields.
* Updated some terminology from `alert` to `rule`

## To Verify

* Follow the instructions in [this
PR](elastic#112869) to add a legacy
notification to a detection rule.
* Verify the notification fires as expected
* Verify an alert document is written to
`.alerts-default.alerts-default` that looks like:
```
{
    "kibana.alert.rule.category": "Security Solution notification (Legacy)",
    "kibana.alert.rule.consumer": "siem",
    "kibana.alert.rule.execution.uuid": "cbad59ec-2a6e-4791-81c3-ae0fefd3d48a",
    "kibana.alert.rule.name": "Legacy notification with one action",
    "kibana.alert.rule.parameters": {
        "ruleAlertId": "9c07db42-b5fa-4ef9-8d7e-48d5688fd88e"
    },
    "kibana.alert.rule.producer": "siem",
    "kibana.alert.rule.rule_type_id": "siem.notifications",
    "kibana.alert.rule.tags": [],
    "kibana.alert.rule.uuid": "1869763e-c6e7-47fd-8275-0c9568127d84",
    "kibana.space_ids": [
        "default"
    ],
    "@timestamp": "2024-01-10T18:12:02.433Z",
    "event.action": "close",
    "event.kind": "signal",
    "kibana.alert.action_group": "recovered",
    "kibana.alert.flapping_history": [
        true,
        true,
        false,
        false
    ],
    "kibana.alert.instance.id": "1869763e-c6e7-47fd-8275-0c9568127d84",
    "kibana.alert.maintenance_window_ids": [],
    "kibana.alert.status": "recovered",
    "kibana.alert.uuid": "119269e0-a767-43c9-b383-a8840b4dddd5",
    "kibana.alert.workflow_status": "open",
    "kibana.alert.start": "2024-01-10T18:08:53.373Z",
    "kibana.alert.time_range": {
        "gte": "2024-01-10T18:08:53.373Z",
        "lte": "2024-01-10T18:09:56.367Z"
    },
    "kibana.version": "8.13.0",
    "tags": [],
    "kibana.alert.duration.us": 62994000,
    "kibana.alert.end": "2024-01-10T18:09:56.367Z",
    "kibana.alert.rule.revision": 0,
    "kibana.alert.flapping": false
}
```

---------

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>

x-pack/plugins/rule_registry/server/search_strategy/search_strategy.ts

@@ -33,6 +33,9 @@ export const EMPTY_RESPONSE: RuleRegistrySearchResponse = {
 
 export const RULE_SEARCH_STRATEGY_NAME = 'privateRuleRegistryAlertsSearchStrategy';
 
+// these are deprecated types should never show up in any alert table
+const EXCLUDED_RULE_TYPE_IDS = ['siem.notifications'];
+
 export const ruleRegistrySearchStrategyProvider = (
   data: PluginStart,
   alerting: AlertingStart,
@@ -85,14 +88,16 @@ export const ruleRegistrySearchStrategyProvider = (
           featureIds.length > 0
             ? await authorization.getAuthorizedRuleTypes(AlertingAuthorizationEntity.Alert, fIds)
             : [];
+
         return { space, authzFilter, authorizedRuleTypes };
       };
       return from(getAsync(request.featureIds)).pipe(
         mergeMap(({ space, authzFilter, authorizedRuleTypes }) => {
-          const indices = alerting.getAlertIndicesAlias(
-            authorizedRuleTypes.map((art: { id: any }) => art.id),
-            space?.id
+          const allRuleTypes = authorizedRuleTypes.map((art: { id: string }) => art.id);
+          const ruleTypes = (allRuleTypes ?? []).filter(
+            (ruleTypeId: string) => !EXCLUDED_RULE_TYPE_IDS.includes(ruleTypeId)
           );
+          const indices = alerting.getAlertIndicesAlias(ruleTypes, space?.id);
           if (indices.length === 0) {
             return of(EMPTY_RESPONSE);
           }

x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_responses.ts

@@ -46,7 +46,7 @@ import {
 } from '../../../../../common/api/detection_engine/signals_migration/mocks';
 
 // eslint-disable-next-line no-restricted-imports
-import type { LegacyRuleNotificationAlertType } from '../../rule_actions_legacy';
+import type { LegacyRuleNotificationRuleType } from '../../rule_actions_legacy';
 import type { RuleAlertType, RuleParams } from '../../rule_schema';
 import { getQueryRuleParams } from '../../rule_schema/mocks';
 
@@ -520,7 +520,7 @@ export const legacyGetNotificationResult = ({
 }: {
   id?: string;
   ruleId?: string;
-} = {}): LegacyRuleNotificationAlertType => ({
+} = {}): LegacyRuleNotificationRuleType => ({
   id,
   name: 'Notification for Rule Test',
   tags: [],
@@ -567,7 +567,7 @@ export const legacyGetNotificationResult = ({
  */
 export const legacyGetFindNotificationsResultWithSingleHit = (
   ruleId = '123'
-): FindHit<LegacyRuleNotificationAlertType> => ({
+): FindHit<LegacyRuleNotificationRuleType> => ({
   page: 1,
   perPage: 1,
   total: 1,

x-pack/plugins/security_solution/server/lib/detection_engine/rule_actions_legacy/api/create_legacy_notification/route.ts

@@ -14,7 +14,7 @@ import { legacyUpdateOrCreateRuleActionsSavedObject } from '../../logic/rule_act
 // eslint-disable-next-line no-restricted-imports
 import { legacyReadNotifications } from '../../logic/notifications/legacy_read_notifications';
 // eslint-disable-next-line no-restricted-imports
-import type { LegacyRuleNotificationAlertTypeParams } from '../../logic/notifications/legacy_types';
+import type { LegacyRuleNotificationRuleTypeParams } from '../../logic/notifications/legacy_types';
 // eslint-disable-next-line no-restricted-imports
 import { legacyCreateNotifications } from '../../logic/notifications/legacy_create_notifications';
 import { UPDATE_OR_CREATE_LEGACY_ACTIONS } from '../../../../../../common/constants';
@@ -75,7 +75,7 @@ export const legacyCreateLegacyNotificationRoute = (
             ruleAlertId,
           });
           if (notification != null) {
-            await rulesClient.update<LegacyRuleNotificationAlertTypeParams>({
+            await rulesClient.update<LegacyRuleNotificationRuleTypeParams>({
               id: notification.id,
               data: {
                 tags: [],

x-pack/plugins/security_solution/server/lib/detection_engine/rule_actions_legacy/index.ts

@@ -8,13 +8,13 @@
 export * from './api/register_routes';
 
 // eslint-disable-next-line no-restricted-imports
-export { legacyRulesNotificationAlertType } from './logic/notifications/legacy_rules_notification_alert_type';
+export { legacyRulesNotificationRuleType } from './logic/notifications/legacy_rules_notification_rule_type';
 // eslint-disable-next-line no-restricted-imports
-export { legacyIsNotificationAlertExecutor } from './logic/notifications/legacy_types';
+export { isLegacyNotificationRuleExecutor } from './logic/notifications/legacy_types';
 // eslint-disable-next-line no-restricted-imports
 export type {
-  LegacyRuleNotificationAlertType,
-  LegacyRuleNotificationAlertTypeParams,
+  LegacyRuleNotificationRuleType,
+  LegacyRuleNotificationRuleTypeParams,
 } from './logic/notifications/legacy_types';
 export type { NotificationRuleTypeParams } from './logic/notifications/schedule_notification_actions';
 export { scheduleNotificationActions } from './logic/notifications/schedule_notification_actions';

x-pack/plugins/security_solution/server/lib/detection_engine/rule_actions_legacy/logic/notifications/legacy_create_notifications.ts

@@ -10,7 +10,7 @@ import { SERVER_APP_ID, LEGACY_NOTIFICATIONS_ID } from '../../../../../../common
 // eslint-disable-next-line no-restricted-imports
 import type {
   CreateNotificationParams,
-  LegacyRuleNotificationAlertTypeParams,
+  LegacyRuleNotificationRuleTypeParams,
 } from './legacy_types';
 
 /**
@@ -23,8 +23,8 @@ export const legacyCreateNotifications = async ({
   ruleAlertId,
   interval,
   name,
-}: CreateNotificationParams): Promise<SanitizedRule<LegacyRuleNotificationAlertTypeParams>> =>
-  rulesClient.create<LegacyRuleNotificationAlertTypeParams>({
+}: CreateNotificationParams): Promise<SanitizedRule<LegacyRuleNotificationRuleTypeParams>> =>
+  rulesClient.create<LegacyRuleNotificationRuleTypeParams>({
     data: {
       name,
       tags: [],

x-pack/plugins/security_solution/server/lib/detection_engine/rule_actions_legacy/logic/notifications/legacy_read_notifications.ts

@@ -9,7 +9,7 @@ import type { RuleTypeParams, SanitizedRule } from '@kbn/alerting-plugin/common'
 // eslint-disable-next-line no-restricted-imports
 import type { LegacyReadNotificationParams } from './legacy_types';
 // eslint-disable-next-line no-restricted-imports
-import { legacyIsAlertType } from './legacy_types';
+import { isLegacyRuleType } from './legacy_types';
 // eslint-disable-next-line no-restricted-imports
 import { legacyFindNotifications } from './legacy_find_notifications';
 
@@ -24,7 +24,7 @@ export const legacyReadNotifications = async ({
   if (id != null) {
     try {
       const notification = await rulesClient.get({ id });
-      if (legacyIsAlertType(notification)) {
+      if (isLegacyRuleType(notification)) {
         return notification;
       } else {
         return null;
@@ -43,10 +43,7 @@ export const legacyReadNotifications = async ({
       filter: `alert.attributes.params.ruleAlertId: "${ruleAlertId}"`,
       page: 1,
     });
-    if (
-      notificationFromFind.data.length === 0 ||
-      !legacyIsAlertType(notificationFromFind.data[0])
-    ) {
+    if (notificationFromFind.data.length === 0 || !isLegacyRuleType(notificationFromFind.data[0])) {
       return null;
     } else {
       return notificationFromFind.data[0];