elastic · XavierM · Dec 22, 2023 · Nov 29, 2023 · Nov 30, 2023 · Dec 4, 2023
@@ -43,7 +43,7 @@ const CasesAppComponent: React.FC<CasesAppProps> = ({
         useFetchAlertData: () => [false, {}],
         permissions: userCapabilities.generalCases,
         basePath: '/',
-        features: { alerts: { enabled: false } },
+        features: { alerts: { enabled: true } },
       })}
     </Wrapper>
   );

@@ -30,6 +30,13 @@ describe('CaseUI View Page activity tab', () => {
     appMockRender = createAppMockRenderer();
     appMockRender.coreStart.triggersActionsUi.getAlertsStateTable =
       getAlertsStateTableMock.mockReturnValue(<div data-test-subj="alerts-table" />);
+    appMockRender.coreStart.triggersActionsUi.alertsTableConfigurationRegistry.register({
+      id: 'case-details-alerts-observability',
+      columns: [],
+      ruleTypeIds: ['log-threshold'],
+    });
+  });
+  afterEach(() => {
     jest.clearAllMocks();
   });
 
@@ -46,7 +53,7 @@ describe('CaseUI View Page activity tab', () => {
       expect(getAlertsStateTableMock).toHaveBeenCalledWith({
         alertsTableConfigurationRegistry: expect.anything(),
         configurationId: 'securitySolution-case',
-        featureIds: ['siem', 'observability'],
+        featureIds: ['siem'],
         id: 'case-details-alerts-securitySolution',
         query: {
           ids: {
@@ -60,7 +67,13 @@ describe('CaseUI View Page activity tab', () => {
 
   it('should call the alerts table with correct props for observability', async () => {
     const getFeatureIdsMock = jest.spyOn(api, 'getFeatureIds');
-    getFeatureIdsMock.mockResolvedValueOnce(['observability']);
+    getFeatureIdsMock.mockResolvedValueOnce({
+      aggregations: {
+        consumer: { buckets: [{ doc_count: 1, key: 'observability' }] },
+        producer: { buckets: [] },
+        ruleTypeIds: { buckets: [{ doc_count: 1, key: 'log-threshold' }] },
+      },
+    } as unknown as api.FeatureIdsResponse);
     appMockRender.render(
       <CaseViewAlerts
         caseData={{
@@ -73,7 +86,7 @@ describe('CaseUI View Page activity tab', () => {
     await waitFor(async () => {
       expect(getAlertsStateTableMock).toHaveBeenCalledWith({
         alertsTableConfigurationRegistry: expect.anything(),
-        configurationId: 'observability',
+        configurationId: 'case-details-alerts-observability',
         featureIds: ['observability'],
         id: 'case-details-alerts-observability',
         query: {
@@ -86,12 +99,23 @@ describe('CaseUI View Page activity tab', () => {
     });
   });
 
-  it('should call the getFeatureIds with the correct registration context', async () => {
+  it('should call the getFeatureIds with the correct alert ID', async () => {
     const getFeatureIdsMock = jest.spyOn(api, 'getFeatureIds');
-    appMockRender.render(<CaseViewAlerts caseData={caseData} />);
+    appMockRender.render(
+      <CaseViewAlerts
+        caseData={{
+          ...caseData,
+          owner: OBSERVABILITY_OWNER,
+        }}
+      />
+    );
     await waitFor(async () => {
       expect(getFeatureIdsMock).toHaveBeenCalledWith({
-        query: { registrationContext: ['matchme'] },
+        query: {
+          ids: {
+            values: ['alert-id-1'],
+          },
+        },
         signal: expect.anything(),
       });
     });

@@ -8,10 +8,12 @@
 import React, { useMemo } from 'react';
 
 import { EuiFlexItem, EuiFlexGroup, EuiProgress } from '@elastic/eui';
+import type { ValidFeatureId } from '@kbn/rule-registry-plugin/common/technical_rule_data_field_names';
+import { AlertConsumers } from '@kbn/rule-registry-plugin/common/technical_rule_data_field_names';
 import { SECURITY_SOLUTION_OWNER } from '../../../../common/constants';
 import type { CaseUI } from '../../../../common';
 import { useKibana } from '../../../common/lib/kibana';
-import { getManualAlertIds, getRegistrationContextFromAlerts } from './helpers';
+import { getManualAlertIds } from './helpers';
 import { useGetFeatureIds } from '../../../containers/use_get_feature_ids';
 import { CaseViewAlertsEmpty } from './case_view_alerts_empty';
 import { CaseViewTabs } from '../case_view_tabs';
@@ -22,34 +24,49 @@ interface CaseViewAlertsProps {
 export const CaseViewAlerts = ({ caseData }: CaseViewAlertsProps) => {
   const { triggersActionsUi } = useKibana().services;
 
+  const alertIds = getManualAlertIds(caseData.comments);
   const alertIdsQuery = useMemo(
     () => ({
       ids: {
-        values: getManualAlertIds(caseData.comments),
+        values: alertIds,
       },
     }),
-    [caseData.comments]
+    [alertIds]
   );
 
-  const alertRegistrationContexts = useMemo(
-    () => getRegistrationContextFromAlerts(caseData.comments),
-    [caseData.comments]
+  const { isLoading: isLoadingAlertFeatureIds, data: alertData } = useGetFeatureIds(
+    alertIds,
+    caseData.owner !== SECURITY_SOLUTION_OWNER
   );
 
-  const { isLoading: isLoadingAlertFeatureIds, data: alertFeatureIds } =
-    useGetFeatureIds(alertRegistrationContexts);
-
   const configId =
-    caseData.owner === SECURITY_SOLUTION_OWNER ? `${caseData.owner}-case` : caseData.owner;
+    caseData.owner === SECURITY_SOLUTION_OWNER
+      ? `${caseData.owner}-case`
+      : !isLoadingAlertFeatureIds
+      ? triggersActionsUi.alertsTableConfigurationRegistry.getAlertConfigIdPerRuleType(
+          alertData?.ruleTypeIds ?? []
+        )
+      : '';
 
-  const alertStateProps = {
-    alertsTableConfigurationRegistry: triggersActionsUi.alertsTableConfigurationRegistry,
-    configurationId: configId,
-    id: `case-details-alerts-${caseData.owner}`,
-    featureIds: alertFeatureIds ?? [],
-    query: alertIdsQuery,
-    showAlertStatusWithFlapping: caseData.owner !== SECURITY_SOLUTION_OWNER,
-  };
+  const alertStateProps = useMemo(
+    () => ({
+      alertsTableConfigurationRegistry: triggersActionsUi.alertsTableConfigurationRegistry,
+      configurationId: configId,
+      id: `case-details-alerts-${caseData.owner}`,
+      featureIds: (caseData.owner === SECURITY_SOLUTION_OWNER
+        ? [AlertConsumers.SIEM]
+        : alertData?.featureIds ?? []) as ValidFeatureId[],
+      query: alertIdsQuery,
+      showAlertStatusWithFlapping: caseData.owner !== SECURITY_SOLUTION_OWNER,
+    }),
+    [
+      triggersActionsUi.alertsTableConfigurationRegistry,
+      configId,
+      caseData.owner,
+      alertData?.featureIds,
+      alertIdsQuery,
+    ]
+  );
 
   if (alertIdsQuery.ids.values.length === 0) {
     return (

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import type { ValidFeatureId } from '@kbn/rule-data-utils';
+import { ALERT_RULE_CONSUMER, ALERT_RULE_PRODUCER, ALERT_RULE_TYPE_ID } from '@kbn/rule-data-utils';
 import { BASE_RAC_ALERTS_API_PATH } from '@kbn/rule-registry-plugin/common/constants';
 import type { User } from '../../common/types/domain';
 import { AttachmentType } from '../../common/types/domain';
@@ -73,6 +73,7 @@ import {
 import type {
   ActionLicense,
   CaseUI,
+  FeatureIdsResponse,
   SingleCaseMetrics,
   SingleCaseMetricsFeature,
   UserActionUI,
@@ -511,16 +512,40 @@ export const getFeatureIds = async ({
   query,
   signal,
 }: {
-  query: { registrationContext: string[] };
+  query: {
+    ids: {
+      values: string[];
+    };
+  };
   signal?: AbortSignal;
-}): Promise<ValidFeatureId[]> => {
-  return KibanaServices.get().http.fetch<ValidFeatureId[]>(
-    `${BASE_RAC_ALERTS_API_PATH}/_feature_ids`,
-    {
-      signal,
+}): Promise<FeatureIdsResponse> => {
+  return KibanaServices.get().http.post<FeatureIdsResponse>(`${BASE_RAC_ALERTS_API_PATH}/find`, {
+    method: 'POST',
+    body: JSON.stringify({
+      aggs: {
+        consumer: {
+          terms: {
+            field: ALERT_RULE_CONSUMER,
+            size: 100,
+          },
+        },
+        producer: {
+          terms: {
+            field: ALERT_RULE_PRODUCER,
+            size: 100,
+          },
+        },
+        ruleTypeIds: {
+          terms: {
+            field: ALERT_RULE_TYPE_ID,
+            size: 100,
+          },
+        },
+      },
       query,
-    }
-  );
+    }),
+    signal,
+  });
 };
 
 export const getCaseConnectors = async (

@@ -5,4 +5,21 @@
  * 2.0.
  */
 
+import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
+
 export * from '../../common/ui';
+
+export type FeatureIdsResponse = estypes.SearchResponse<
+  unknown,
+  {
+    consumer: {
+      buckets: Array<{ key: string; doc_count: number }>;
+    };
+    producer: {
+      buckets: Array<{ key: string; doc_count: number }>;
+    };
+    ruleTypeIds: {
+      buckets: Array<{ key: string; doc_count: number }>;
+    };
+  }
+>;
@@ -32,36 +32,54 @@ describe('useGetFeaturesIds', () => {
   it('returns the features ids correctly', async () => {
     const spy = jest.spyOn(api, 'getFeatureIds').mockRejectedValue([]);
 
-    const { waitForNextUpdate } = renderHook(() => useGetFeatureIds(['context1']), {
+    const { waitForNextUpdate } = renderHook(() => useGetFeatureIds(['alert-id-1'], true), {
       wrapper: appMockRender.AppWrapper,
     });
 
     await waitForNextUpdate();
 
     await waitFor(() => {
       expect(spy).toHaveBeenCalledWith({
-        query: { registrationContext: ['context1'] },
+        query: {
+          ids: {
+            values: ['alert-id-1'],
+          },
+        },
         signal: expect.any(AbortSignal),
       });
     });
   });
 
+  it('never call API if disable', async () => {
+    const spyMock = jest.spyOn(api, 'getFeatureIds');
+
+    renderHook(() => useGetFeatureIds(['alert-id-1'], false), {
+      wrapper: appMockRender.AppWrapper,
+    });
+
+    expect(spyMock).toHaveBeenCalledTimes(0);
+  });
+
   it('shows a toast error when the api return an error', async () => {
     (useToasts as jest.Mock).mockReturnValue({ addError });
 
     const spy = jest
       .spyOn(api, 'getFeatureIds')
       .mockRejectedValue(new Error('Something went wrong'));
 
-    const { waitForNextUpdate } = renderHook(() => useGetFeatureIds(['context1']), {
+    const { waitForNextUpdate } = renderHook(() => useGetFeatureIds(['alert-id-1'], true), {
       wrapper: appMockRender.AppWrapper,
     });
 
     await waitForNextUpdate();
 
     await waitFor(() => {
       expect(spy).toHaveBeenCalledWith({
-        query: { registrationContext: ['context1'] },
+        query: {
+          ids: {
+            values: ['alert-id-1'],
+          },
+        },
         signal: expect.any(AbortSignal),
       });
       expect(addError).toHaveBeenCalled();

@@ -6,28 +6,76 @@
  */
 
 import { useQuery } from '@tanstack/react-query';
-import type { ValidFeatureId } from '@kbn/rule-data-utils';
+import { isValidFeatureId } from '@kbn/rule-data-utils';
+import { useMemo } from 'react';
 import type { ServerError } from '../types';
 import { useCasesToast } from '../common/use_cases_toast';
 import * as i18n from './translations';
 import { getFeatureIds } from './api';
 import { casesQueriesKeys } from './constants';
+import type { FeatureIdsResponse } from './types';
 
-export const useGetFeatureIds = (alertRegistrationContexts: string[]) => {
-  const { showErrorToast } = useCasesToast();
+interface UseGetFeatureIdsResponse {
+  featureIds: string[];
+  ruleTypeIds: string[];
+}
+
+const featureIdsToMap = (data: FeatureIdsResponse): UseGetFeatureIdsResponse => {
+  const localFeatureIds = new Set<string>();
+  data?.aggregations?.consumer?.buckets?.forEach(
+    ({ key, doc_count: docCount }: { key: string; doc_count: number }) => {
+      if (docCount > 0 && isValidFeatureId(key)) {
+        localFeatureIds.add(key);
+      }
+    }
+  );
+  data?.aggregations?.producer?.buckets?.forEach(
+    ({ key, doc_count: docCount }: { key: string; doc_count: number }) => {
+      if (docCount > 0 && isValidFeatureId(key)) {
+        localFeatureIds.add(key);
+      }
+    }
+  );
+  const ruleTypeIds =
+    data?.aggregations?.ruleTypeIds?.buckets
+      ?.filter(({ doc_count: docCount }: { doc_count: number }) => docCount > 0)
+      .map(({ key }: { key: string }) => key) ?? [];
 
-  return useQuery<ValidFeatureId[], ServerError>(
-    casesQueriesKeys.alertFeatureIds(alertRegistrationContexts),
+  return { featureIds: [...localFeatureIds], ruleTypeIds };
+};
+
+export const useGetFeatureIds = (alertIds: string[], enabled: boolean) => {
+  const { showErrorToast } = useCasesToast();
+  const { data, isInitialLoading, isLoading } = useQuery<
+    FeatureIdsResponse,
+    ServerError,
+    UseGetFeatureIdsResponse
+  >(
+    casesQueriesKeys.alertFeatureIds(alertIds),
     ({ signal }) => {
-      const query = { registrationContext: alertRegistrationContexts };
-      return getFeatureIds({ query, signal });
+      return getFeatureIds({
+        query: {
+          ids: {
+            values: alertIds,
+          },
+        },
+        signal,
+      });
     },
     {
+      select: featureIdsToMap,
+      retry: false,
+      enabled,
       onError: (error: ServerError) => {
         showErrorToast(error, { title: i18n.ERROR_TITLE });
       },
     }
   );
+
+  return useMemo(
+    () => ({ data, isLoading: (isInitialLoading || isLoading) && enabled }),
+    [data, enabled, isInitialLoading, isLoading]
+  );
 };
 
 export type UseGetFeatureIds = typeof useGetFeatureIds;