[SECURITY SOLUTIONS] Bugs overview page + investigate eql in timeline

x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx

@@ -47,7 +47,9 @@ describe('alert actions', () => {
     searchStrategyClient = {
       aggs: {} as ISearchStart['aggs'],
       showError: jest.fn(),
-      search: jest.fn().mockResolvedValue({ data: mockTimelineDetails }),
+      search: jest
+        .fn()
+        .mockImplementation(() => ({ toPromise: () => ({ data: mockTimelineDetails }) })),
       searchSource: {} as ISearchStart['searchSource'],
       session: dataPluginMock.createStartContract().search.session,
     };
@@ -400,6 +402,78 @@ describe('alert actions', () => {
         expect(createTimeline).toHaveBeenCalledWith(defaultTimelineProps);
       });
     });
+
+    describe('Eql', () => {
+      test(' with signal.group.id', async () => {
+        const ecsDataMock: Ecs = {
+          ...mockEcsDataWithAlert,
+          signal: {
+            rule: {
+              ...mockEcsDataWithAlert.signal?.rule!,
+              type: ['eql'],
+              timeline_id: [''],
+            },
+            group: {
+              id: ['my-group-id'],
+            },
+          },
+        };
+
+        await sendAlertToTimelineAction({
+          createTimeline,
+          ecsData: ecsDataMock,
+          nonEcsData: [],
+          updateTimelineIsLoading,
+          searchStrategyClient,
+        });
+
+        expect(updateTimelineIsLoading).not.toHaveBeenCalled();
+        expect(createTimeline).toHaveBeenCalledTimes(1);
+        expect(createTimeline).toHaveBeenCalledWith({
+          ...defaultTimelineProps,
+          timeline: {
+            ...defaultTimelineProps.timeline,
+            dataProviders: [
+              {
+                and: [],
+                enabled: true,
+                excluded: false,
+                id:
+                  'send-alert-to-timeline-action-default-draggable-event-details-value-formatted-field-value-timeline-1-alert-id-my-group-id',
+                kqlQuery: '',
+                name: '1',
+                queryMatch: { field: 'signal.group.id', operator: ':', value: 'my-group-id' },
+              },
+            ],
+          },
+        });
+      });
+
+      test(' with NO  signal.group.id', async () => {
+        const ecsDataMock: Ecs = {
+          ...mockEcsDataWithAlert,
+          signal: {
+            rule: {
+              ...mockEcsDataWithAlert.signal?.rule!,
+              type: ['eql'],
+              timeline_id: [''],
+            },
+          },
+        };
+
+        await sendAlertToTimelineAction({
+          createTimeline,
+          ecsData: ecsDataMock,
+          nonEcsData: [],
+          updateTimelineIsLoading,
+          searchStrategyClient,
+        });
+
+        expect(updateTimelineIsLoading).not.toHaveBeenCalled();
+        expect(createTimeline).toHaveBeenCalledTimes(1);
+        expect(createTimeline).toHaveBeenCalledWith(defaultTimelineProps);
+      });
+    });
   });
 
   describe('determineToAndFrom', () => {

x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx

@@ -150,8 +150,10 @@ export const getThresholdAggregationDataProvider = (
   ];
 };
 
-export const isEqlRule = (ecsData: Ecs) =>
-  ecsData.signal?.rule?.type?.length && ecsData.signal?.rule?.type[0] === 'eql';
+export const isEqlRuleWithGroupId = (ecsData: Ecs) =>
+  ecsData.signal?.rule?.type?.length &&
+  ecsData.signal?.rule?.type[0] === 'eql' &&
+  ecsData.signal?.group?.id?.length;
 
 export const isThresholdRule = (ecsData: Ecs) =>
   ecsData.signal?.rule?.type?.length && ecsData.signal?.rule?.type[0] === 'threshold';
@@ -181,24 +183,23 @@ export const sendAlertToTimelineAction = async ({
             timelineType: TimelineType.template,
           },
         }),
-        searchStrategyClient.search<
-          TimelineEventsDetailsRequestOptions,
-          TimelineEventsDetailsStrategyResponse
-        >(
-          {
-            defaultIndex: [],
-            docValueFields: [],
-            indexName: ecsData._index ?? '',
-            eventId: ecsData._id,
-            factoryQueryType: TimelineEventsQueries.details,
-          },
-          {
-            strategy: 'securitySolutionTimelineSearchStrategy',
-          }
-        ),
+        searchStrategyClient
+          .search<TimelineEventsDetailsRequestOptions, TimelineEventsDetailsStrategyResponse>(
+            {
+              defaultIndex: [],
+              docValueFields: [],
+              indexName: ecsData._index ?? '',
+              eventId: ecsData._id,
+              factoryQueryType: TimelineEventsQueries.details,
+            },
+            {
+              strategy: 'securitySolutionTimelineSearchStrategy',
+            }
+          )
+          .toPromise(),
       ]);
       const resultingTimeline: TimelineResult = getOr({}, 'data.getOneTimeline', responseTimeline);
-      const eventData: TimelineEventsDetailsItem[] = getOr([], 'data', eventDataResp);
+      const eventData: TimelineEventsDetailsItem[] = eventDataResp.data ?? [];
       if (!isEmpty(resultingTimeline)) {
         const timelineTemplate: TimelineResult = omitTypenameInTimeline(resultingTimeline);
         const { timeline, notes } = formatTimelineResultToModel(
@@ -327,7 +328,7 @@ export const sendAlertToTimelineAction = async ({
         },
       },
     ];
-    if (isEqlRule(ecsData)) {
+    if (isEqlRuleWithGroupId(ecsData)) {
       const signalGroupId = ecsData.signal?.group?.id?.length
         ? ecsData.signal?.group?.id[0]
         : 'unknown-signal-group-id';

x-pack/plugins/security_solution/public/overview/pages/overview.tsx

@@ -131,7 +131,7 @@ const OverviewComponent: React.FC<PropsFromRedux> = ({
                     <EventCounts
                       filters={filters}
                       from={from}
-                      indexNames={[]}
+                      indexNames={selectedPatterns}
                       indexPattern={indexPattern}
                       query={query}
                       setQuery={setQuery}

x-pack/plugins/security_solution/public/plugin.tsx

@@ -414,7 +414,7 @@ export class Plugin implements IPlugin<PluginSetup, PluginStart, SetupPlugins, S
         this.subPlugins(),
         startPlugins.data.search
           .search<IndexFieldsStrategyRequest, IndexFieldsStrategyResponse>(
-            { indices: defaultIndicesName, onlyCheckIfIndicesExist: false },
+            { indices: defaultIndicesName, onlyCheckIfIndicesExist: true },
             {
               strategy: 'securitySolutionIndexFields',
             }