From ea762092718a8631d9a6489dbb65666bdafc39f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patryk=20Kopyci=C5=84ski?= <patryk.kopycinski@elastic.co>
Date: Wed, 16 Sep 2020 20:25:10 +0200
Subject: [PATCH 1/5] [Security Solution] Refactor Timeline Events to use
 Search Strategy (#77205)

---
 .../common/ecs/agent/index.ts                 |   9 +
 .../common/ecs/endgame/index.ts               |  38 +-
 .../security_solution/common/ecs/index.ts     |   5 +-
 .../common/ecs/process/index.ts               |  12 +-
 .../common/ecs/rule/index.ts                  |  34 +-
 .../common/ecs/signal/index.ts                |   2 +-
 .../common/search_strategy/common/index.ts    |  10 +
 .../timeline/events/all/index.ts              |  42 ++
 .../timeline/events/common/index.ts           |  25 ++
 .../timeline/{ => events}/details/index.ts    |  16 +-
 .../search_strategy/timeline/events/index.ts  |  15 +
 .../timeline/events/last_event_time/index.ts  |  32 ++
 .../common/search_strategy/timeline/index.ts  |  80 ++--
 .../components/alerts_viewer/translations.ts  |   2 +-
 .../event_details/event_details.tsx           |   4 +-
 .../event_details/event_fields_browser.tsx    |   4 +-
 .../event_details/stateful_event_details.tsx  |   4 +-
 .../events_viewer/events_viewer.test.tsx      | 191 ++++-----
 .../events_viewer/events_viewer.tsx           | 199 ++++-----
 .../components/events_viewer/index.test.tsx   |  36 +-
 .../common/components/events_viewer/mock.ts   |  68 +--
 .../add_exception_modal/index.test.tsx        |   3 +-
 .../exceptions/add_exception_modal/index.tsx  |   3 +-
 .../common/components/exceptions/helpers.tsx  |   2 +-
 .../components/last_event_time/index.test.tsx |  55 +--
 .../components/last_event_time/index.tsx      |  12 +-
 .../events/last_event_time/index.ts           | 197 +++++----
 .../events/last_event_time/translations.ts    |  21 +
 .../public/common/mock/mock_ecs.ts            | 265 +-----------
 .../common/mock/mock_endgame_ecs_data.ts      |   2 +-
 .../public/common/mock/mock_timeline_data.ts  | 350 +--------------
 .../public/common/mock/netflow.ts             |   2 +-
 .../components/alerts_table/actions.test.tsx  |   3 +-
 .../components/alerts_table/actions.tsx       |  24 +-
 .../alerts_table/alerts_utility_bar/index.tsx |   2 +-
 .../timeline_actions/alert_context_menu.tsx   |   3 +-
 .../investigate_in_timeline_action.tsx        |   3 +-
 .../components/alerts_table/translations.ts   |   2 +-
 .../components/alerts_table/types.ts          |   4 +-
 .../public/hosts/containers/hosts/index.tsx   |  11 +-
 .../components/flyout/header/index.tsx        |   2 -
 .../timeline/body/column_headers/index.tsx    |   9 +-
 .../body/data_driven_columns/index.tsx        |   3 +-
 .../body/events/event_column_view.tsx         |   3 +-
 .../components/timeline/body/events/index.tsx |   5 +-
 .../timeline/body/events/stateful_event.tsx   |  18 +-
 .../components/timeline/body/helpers.test.ts  |   9 +-
 .../components/timeline/body/helpers.tsx      |   3 +-
 .../components/timeline/body/index.test.tsx   |   3 +-
 .../components/timeline/body/index.tsx        |   6 +-
 .../generic_details.test.tsx.snap             |  19 -
 .../generic_file_details.test.tsx.snap        |  23 -
 .../generic_row_renderer.test.tsx.snap        |  37 --
 .../body/renderers/auditd/generic_details.tsx |   2 +-
 .../renderers/auditd/generic_file_details.tsx |   2 +-
 .../auditd/generic_row_renderer.test.tsx      |   2 +-
 .../body/renderers/column_renderer.ts         |   2 +-
 .../dns/dns_request_event_details.tsx         |   2 +-
 .../renderers/empty_column_renderer.test.tsx  |   2 +-
 .../body/renderers/empty_column_renderer.tsx  |   2 +-
 .../endgame_security_event_details.tsx        |   2 +-
 .../renderers/get_column_renderer.test.tsx    |   2 +-
 .../body/renderers/get_column_renderer.ts     |   2 +-
 .../body/renderers/get_row_renderer.test.tsx  |   2 +-
 .../body/renderers/get_row_renderer.ts        |   2 +-
 .../timeline/body/renderers/helpers.test.tsx  |   2 +-
 .../timeline/body/renderers/helpers.tsx       |   2 +-
 .../timeline/body/renderers/netflow.tsx       |   2 +-
 .../netflow/netflow_row_renderer.test.tsx     |   2 +-
 .../renderers/plain_column_renderer.test.tsx  |   2 +-
 .../body/renderers/plain_column_renderer.tsx  |   2 +-
 .../renderers/plain_row_renderer.test.tsx     |   2 +-
 .../timeline/body/renderers/row_renderer.tsx  |   2 +-
 .../renderers/suricata/suricata_details.tsx   |   2 +-
 .../suricata/suricata_row_renderer.test.tsx   |   2 +-
 .../generic_details.test.tsx.snap             |  34 --
 .../generic_file_details.test.tsx.snap        |  35 --
 .../generic_row_renderer.test.tsx.snap        |  68 ---
 .../body/renderers/system/generic_details.tsx |   2 +-
 .../renderers/system/generic_file_details.tsx |   2 +-
 .../system/generic_row_renderer.test.tsx      |   2 +-
 .../unknown_column_renderer.test.tsx          |   2 +-
 .../body/renderers/zeek/zeek_details.tsx      |   2 +-
 .../renderers/zeek/zeek_row_renderer.test.tsx |   2 +-
 .../renderers/zeek/zeek_signature.test.tsx    |   2 +-
 .../body/renderers/zeek/zeek_signature.tsx    |   2 +-
 .../timeline/body/stateful_body.tsx           |   4 +-
 .../timelines/components/timeline/events.ts   |   2 +-
 .../timeline/expandable_event/index.tsx       |   4 +-
 .../footer/__snapshots__/index.test.tsx.snap  |   9 +-
 .../components/timeline/footer/index.test.tsx | 108 +++--
 .../components/timeline/footer/index.tsx      |  78 ++--
 .../timeline/footer/translations.ts           |   6 +-
 .../components/timeline/index.test.tsx        |  12 +-
 .../components/timeline/timeline.test.tsx     | 105 ++---
 .../components/timeline/timeline.tsx          | 151 +++----
 .../timelines/containers/details/index.tsx    |  72 ++--
 .../public/timelines/containers/index.tsx     | 400 ++++++++++--------
 .../timelines/containers/translations.ts      |  21 +
 .../timelines/store/timeline/actions.ts       |   2 +-
 .../timelines/store/timeline/helpers.ts       |   2 +-
 .../public/timelines/store/timeline/model.ts  |  12 +-
 .../search_strategy/helpers/to_array.ts       |   2 +-
 .../factory/hosts/all/index.ts                |   2 +-
 .../factory/hosts/all/query.all_hosts.dsl.ts  |   4 +-
 .../hosts/authentications/__mocks__/index.ts  |  81 +++-
 .../factory/hosts/authentications/index.tsx   |   2 +-
 .../factory/hosts/overview/__mocks__/index.ts | 219 +++++++++-
 .../uncommon_processes/__mocks__/index.ts     | 144 ++++++-
 .../factory/hosts/uncommon_processes/index.ts |   2 +-
 .../matrix_histogram/__mocks__/index.ts       | 331 ++++++++++++++-
 .../alerts/__mocks__/index.ts                 |  23 +-
 .../anomalies/__mocks__/index.ts              |  16 +-
 .../authentications/__mocks__/index.ts        |   2 +-
 .../matrix_histogram/dns/__mocks__/index.ts   |   2 +-
 .../events/__mocks__/index.ts                 |   2 +-
 .../factory/network/dns/__mocks__/index.ts    |  56 ++-
 .../factory/network/dns/index.ts              |   2 +-
 .../factory/network/http/__mocks__/index.ts   |  55 ++-
 .../factory/network/http/index.ts             |   2 +-
 .../network/overview/__mocks__/index.ts       |  91 +++-
 .../factory/network/tls/__mocks__/index.ts    |  56 ++-
 .../factory/network/tls/index.ts              |   2 +-
 .../network/top_countries/__mocks__/index.ts  |  61 ++-
 .../factory/network/top_countries/index.ts    |   2 +-
 .../network/top_n_flow/__mocks__/index.ts     |  68 ++-
 .../factory/network/top_n_flow/index.ts       |   2 +-
 .../factory/network/users/__mocks__/index.ts  |  57 ++-
 .../factory/network/users/index.ts            |   2 +-
 .../timeline/factory/events/all/constants.ts  | 219 ++++++++++
 .../timeline/factory/events/all/helpers.ts    |  92 ++++
 .../timeline/factory/events/all/index.ts      |  68 +++
 .../events/all/query.events_all.dsl.ts        |  76 ++++
 .../factory/{ => events}/details/helpers.ts   |  10 +-
 .../factory/{ => events}/details/index.ts     |  24 +-
 .../details/query.events_details.dsl.ts}      |   2 +-
 .../timeline/factory/events/index.ts          |  24 ++
 .../factory/events/last_event_time/index.ts   |  36 ++
 .../query.events_last_event_time.dsl.ts       |  93 ++++
 .../search_strategy/timeline/factory/index.ts |  10 +-
 .../server/utils/build_query/filters.ts       |   4 +-
 .../server/utils/build_query/index.ts         |   1 +
 .../translations/translations/ja-JP.json      |   1 -
 .../translations/translations/zh-CN.json      |   1 -
 144 files changed, 3081 insertions(+), 1985 deletions(-)
 create mode 100644 x-pack/plugins/security_solution/common/ecs/agent/index.ts
 create mode 100644 x-pack/plugins/security_solution/common/search_strategy/timeline/events/all/index.ts
 create mode 100644 x-pack/plugins/security_solution/common/search_strategy/timeline/events/common/index.ts
 rename x-pack/plugins/security_solution/common/search_strategy/timeline/{ => events}/details/index.ts (50%)
 create mode 100644 x-pack/plugins/security_solution/common/search_strategy/timeline/events/index.ts
 create mode 100644 x-pack/plugins/security_solution/common/search_strategy/timeline/events/last_event_time/index.ts
 create mode 100644 x-pack/plugins/security_solution/public/common/containers/events/last_event_time/translations.ts
 create mode 100644 x-pack/plugins/security_solution/public/timelines/containers/translations.ts
 create mode 100644 x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/constants.ts
 create mode 100644 x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/helpers.ts
 create mode 100644 x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/index.ts
 create mode 100644 x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts
 rename x-pack/plugins/security_solution/server/search_strategy/timeline/factory/{ => events}/details/helpers.ts (81%)
 rename x-pack/plugins/security_solution/server/search_strategy/timeline/factory/{ => events}/details/index.ts (58%)
 rename x-pack/plugins/security_solution/server/search_strategy/timeline/factory/{details/query.timeline_details.dsl.ts => events/details/query.events_details.dsl.ts} (88%)
 create mode 100644 x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/index.ts
 create mode 100644 x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/last_event_time/index.ts
 create mode 100644 x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.ts

diff --git a/x-pack/plugins/security_solution/common/ecs/agent/index.ts b/x-pack/plugins/security_solution/common/ecs/agent/index.ts
new file mode 100644
index 0000000000000..6f29a2020c944
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/ecs/agent/index.ts
@@ -0,0 +1,9 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export interface AgentEcs {
+  type?: string[];
+}
diff --git a/x-pack/plugins/security_solution/common/ecs/endgame/index.ts b/x-pack/plugins/security_solution/common/ecs/endgame/index.ts
index f435db4f47810..d2fc5d61527a5 100644
--- a/x-pack/plugins/security_solution/common/ecs/endgame/index.ts
+++ b/x-pack/plugins/security_solution/common/ecs/endgame/index.ts
@@ -5,29 +5,17 @@
  */
 
 export interface EndgameEcs {
-  exit_code?: number;
-
-  file_name?: string;
-
-  file_path?: string;
-
-  logon_type?: number;
-
-  parent_process_name?: string;
-
-  pid?: number;
-
-  process_name?: string;
-
-  subject_domain_name?: string;
-
-  subject_logon_id?: string;
-
-  subject_user_name?: string;
-
-  target_domain_name?: string;
-
-  target_logon_id?: string;
-
-  target_user_name?: string;
+  exit_code?: number[];
+  file_name?: string[];
+  file_path?: string[];
+  logon_type?: number[];
+  parent_process_name?: string[];
+  pid?: number[];
+  process_name?: string[];
+  subject_domain_name?: string[];
+  subject_logon_id?: string[];
+  subject_user_name?: string[];
+  target_domain_name?: string[];
+  target_logon_id?: string[];
+  target_user_name?: string[];
 }
diff --git a/x-pack/plugins/security_solution/common/ecs/index.ts b/x-pack/plugins/security_solution/common/ecs/index.ts
index e31d42b02f80b..b8190463f5da5 100644
--- a/x-pack/plugins/security_solution/common/ecs/index.ts
+++ b/x-pack/plugins/security_solution/common/ecs/index.ts
@@ -4,11 +4,13 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { AgentEcs } from './agent';
 import { AuditdEcs } from './auditd';
 import { DestinationEcs } from './destination';
 import { DnsEcs } from './dns';
 import { EndgameEcs } from './endgame';
 import { EventEcs } from './event';
+import { FileEcs } from './file';
 import { GeoEcs } from './geo';
 import { HostEcs } from './host';
 import { NetworkEcs } from './network';
@@ -28,6 +30,7 @@ import { SystemEcs } from './system';
 export interface Ecs {
   _id: string;
   _index?: string;
+  agent?: AgentEcs;
   auditd?: AuditdEcs;
   destination?: DestinationEcs;
   dns?: DnsEcs;
@@ -49,6 +52,6 @@ export interface Ecs {
   user?: UserEcs;
   winlog?: WinlogEcs;
   process?: ProcessEcs;
-  file?: File;
+  file?: FileEcs;
   system?: SystemEcs;
 }
diff --git a/x-pack/plugins/security_solution/common/ecs/process/index.ts b/x-pack/plugins/security_solution/common/ecs/process/index.ts
index 0584d95c8059d..451f1455f55d4 100644
--- a/x-pack/plugins/security_solution/common/ecs/process/index.ts
+++ b/x-pack/plugins/security_solution/common/ecs/process/index.ts
@@ -5,35 +5,25 @@
  */
 
 export interface ProcessEcs {
+  entity_id?: string[];
   hash?: ProcessHashData;
-
   pid?: number[];
-
   name?: string[];
-
   ppid?: number[];
-
   args?: string[];
-
   executable?: string[];
-
   title?: string[];
-
   thread?: Thread;
-
   working_directory?: string[];
 }
 
 export interface ProcessHashData {
   md5?: string[];
-
   sha1?: string[];
-
   sha256?: string[];
 }
 
 export interface Thread {
   id?: number[];
-
   start?: string[];
 }
diff --git a/x-pack/plugins/security_solution/common/ecs/rule/index.ts b/x-pack/plugins/security_solution/common/ecs/rule/index.ts
index c1ef1ee17ca0c..47316c7791e4b 100644
--- a/x-pack/plugins/security_solution/common/ecs/rule/index.ts
+++ b/x-pack/plugins/security_solution/common/ecs/rule/index.ts
@@ -6,64 +6,38 @@
 
 export interface RuleEcs {
   id?: string[];
-
   rule_id?: string[];
-
   false_positives: string[];
-
   saved_id?: string[];
-
   timeline_id?: string[];
-
   timeline_title?: string[];
-
   max_signals?: number[];
-
   risk_score?: string[];
-
   output_index?: string[];
-
   description?: string[];
-
   from?: string[];
-
   immutable?: boolean[];
-
   index?: string[];
-
   interval?: string[];
-
   language?: string[];
-
   query?: string[];
-
   references?: string[];
-
   severity?: string[];
-
   tags?: string[];
-
   threat?: unknown;
-
+  threshold?: {
+    field: string;
+    value: number;
+  };
   type?: string[];
-
   size?: string[];
-
   to?: string[];
-
   enabled?: boolean[];
-
   filters?: unknown;
-
   created_at?: string[];
-
   updated_at?: string[];
-
   created_by?: string[];
-
   updated_by?: string[];
-
   version?: string[];
-
   note?: string[];
 }
diff --git a/x-pack/plugins/security_solution/common/ecs/signal/index.ts b/x-pack/plugins/security_solution/common/ecs/signal/index.ts
index 66e35e26af341..55a889f3a5dd1 100644
--- a/x-pack/plugins/security_solution/common/ecs/signal/index.ts
+++ b/x-pack/plugins/security_solution/common/ecs/signal/index.ts
@@ -8,6 +8,6 @@ import { RuleEcs } from '../rule';
 
 export interface SignalEcs {
   rule?: RuleEcs;
-
   original_time?: string[];
+  status?: string[];
 }
diff --git a/x-pack/plugins/security_solution/common/search_strategy/common/index.ts b/x-pack/plugins/security_solution/common/search_strategy/common/index.ts
index b55226b08b800..48437e12f75a5 100644
--- a/x-pack/plugins/security_solution/common/search_strategy/common/index.ts
+++ b/x-pack/plugins/security_solution/common/search_strategy/common/index.ts
@@ -113,3 +113,13 @@ export interface GenericBuckets {
 }
 
 export type StringOrNumber = string | number;
+
+export interface TimerangeFilter {
+  range: {
+    [timestamp: string]: {
+      gte: string;
+      lte: string;
+      format: string;
+    };
+  };
+}
diff --git a/x-pack/plugins/security_solution/common/search_strategy/timeline/events/all/index.ts b/x-pack/plugins/security_solution/common/search_strategy/timeline/events/all/index.ts
new file mode 100644
index 0000000000000..0503a9c327467
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/search_strategy/timeline/events/all/index.ts
@@ -0,0 +1,42 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { IEsSearchResponse } from '../../../../../../../../src/plugins/data/common';
+import { Ecs } from '../../../../ecs';
+import { CursorType, Inspect, Maybe } from '../../../common';
+import { TimelineRequestOptionsPaginated } from '../..';
+
+export interface TimelineEdges {
+  node: TimelineItem;
+  cursor: CursorType;
+}
+
+export interface TimelineItem {
+  _id: string;
+  _index?: Maybe<string>;
+  data: TimelineNonEcsData[];
+  ecs: Ecs;
+}
+
+export interface TimelineNonEcsData {
+  field: string;
+  value?: Maybe<string[]>;
+}
+
+export interface TimelineEventsAllStrategyResponse extends IEsSearchResponse {
+  edges: TimelineEdges[];
+  totalCount: number;
+  pageInfo: {
+    activePage: number;
+    totalPages: number;
+  };
+  inspect?: Maybe<Inspect>;
+}
+
+export interface TimelineEventsAllRequestOptions extends TimelineRequestOptionsPaginated {
+  fields: string[];
+  fieldRequested: string[];
+}
diff --git a/x-pack/plugins/security_solution/common/search_strategy/timeline/events/common/index.ts b/x-pack/plugins/security_solution/common/search_strategy/timeline/events/common/index.ts
new file mode 100644
index 0000000000000..200f400ef6816
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/search_strategy/timeline/events/common/index.ts
@@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { Ecs } from '../../../../ecs';
+import { CursorType, Maybe } from '../../../common';
+
+export interface TimelineEdges {
+  node: TimelineItem;
+  cursor: CursorType;
+}
+
+export interface TimelineItem {
+  _id: string;
+  _index?: Maybe<string>;
+  data: TimelineNonEcsData[];
+  ecs: Ecs;
+}
+
+export interface TimelineNonEcsData {
+  field: string;
+  value?: Maybe<string[] | string>;
+}
diff --git a/x-pack/plugins/security_solution/common/search_strategy/timeline/details/index.ts b/x-pack/plugins/security_solution/common/search_strategy/timeline/events/details/index.ts
similarity index 50%
rename from x-pack/plugins/security_solution/common/search_strategy/timeline/details/index.ts
rename to x-pack/plugins/security_solution/common/search_strategy/timeline/events/details/index.ts
index e5e1c41f4731a..6f9192be40150 100644
--- a/x-pack/plugins/security_solution/common/search_strategy/timeline/details/index.ts
+++ b/x-pack/plugins/security_solution/common/search_strategy/timeline/events/details/index.ts
@@ -4,25 +4,25 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { IEsSearchResponse } from '../../../../../../../src/plugins/data/common';
-import { Inspect, Maybe } from '../../common';
-import { TimelineRequestOptionsPaginated } from '..';
+import { IEsSearchResponse } from '../../../../../../../../src/plugins/data/common';
+import { Inspect, Maybe } from '../../../common';
+import { TimelineRequestOptionsPaginated } from '../..';
 
-export interface DetailItem {
+export interface TimelineEventsDetailsItem {
   field: string;
   values?: Maybe<string[]>;
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
   originalValue?: Maybe<any>;
 }
 
-export interface TimelineDetailsStrategyResponse extends IEsSearchResponse {
-  data?: Maybe<DetailItem[]>;
+export interface TimelineEventsDetailsStrategyResponse extends IEsSearchResponse {
+  data?: Maybe<TimelineEventsDetailsItem[]>;
   inspect?: Maybe<Inspect>;
 }
 
-export interface TimelineDetailsRequestOptions extends Partial<TimelineRequestOptionsPaginated> {
+export interface TimelineEventsDetailsRequestOptions
+  extends Partial<TimelineRequestOptionsPaginated> {
   defaultIndex: string[];
-  executeQuery: boolean;
   indexName: string;
   eventId: string;
 }
diff --git a/x-pack/plugins/security_solution/common/search_strategy/timeline/events/index.ts b/x-pack/plugins/security_solution/common/search_strategy/timeline/events/index.ts
new file mode 100644
index 0000000000000..6bb9461995974
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/search_strategy/timeline/events/index.ts
@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export * from './all';
+export * from './details';
+export * from './last_event_time';
+
+export enum TimelineEventsQueries {
+  all = 'eventsAll',
+  details = 'eventsDetails',
+  lastEventTime = 'eventsLastEventTime',
+}
diff --git a/x-pack/plugins/security_solution/common/search_strategy/timeline/events/last_event_time/index.ts b/x-pack/plugins/security_solution/common/search_strategy/timeline/events/last_event_time/index.ts
new file mode 100644
index 0000000000000..10750503fc807
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/search_strategy/timeline/events/last_event_time/index.ts
@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { IEsSearchResponse } from '../../../../../../../../src/plugins/data/common';
+import { Inspect, Maybe } from '../../../common';
+import { TimelineRequestBasicOptions } from '../..';
+
+export enum LastEventIndexKey {
+  hostDetails = 'hostDetails',
+  hosts = 'hosts',
+  ipDetails = 'ipDetails',
+  network = 'network',
+}
+
+export interface LastTimeDetails {
+  hostName?: Maybe<string>;
+  ip?: Maybe<string>;
+}
+
+export interface TimelineEventsLastEventTimeStrategyResponse extends IEsSearchResponse {
+  lastSeen: Maybe<string>;
+  inspect?: Maybe<Inspect>;
+}
+
+export interface TimelineEventsLastEventTimeRequestOptions
+  extends Omit<TimelineRequestBasicOptions, 'filterQuery' | 'timerange'> {
+  indexKey: LastEventIndexKey;
+  details: LastTimeDetails;
+}
diff --git a/x-pack/plugins/security_solution/common/search_strategy/timeline/index.ts b/x-pack/plugins/security_solution/common/search_strategy/timeline/index.ts
index a7bf61c102cd4..773ee60855886 100644
--- a/x-pack/plugins/security_solution/common/search_strategy/timeline/index.ts
+++ b/x-pack/plugins/security_solution/common/search_strategy/timeline/index.ts
@@ -3,45 +3,22 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-
 import { IEsSearchRequest } from '../../../../../../src/plugins/data/common';
 import { ESQuery } from '../../typed_json';
-import { Ecs } from '../../ecs';
 import {
-  CursorType,
-  Maybe,
-  TimerangeInput,
-  DocValueFields,
-  PaginationInput,
-  PaginationInputPaginated,
-  SortField,
-} from '../common';
-import { TimelineDetailsRequestOptions, TimelineDetailsStrategyResponse } from './details';
-
-export * from './details';
+  TimelineEventsQueries,
+  TimelineEventsAllRequestOptions,
+  TimelineEventsAllStrategyResponse,
+  TimelineEventsDetailsRequestOptions,
+  TimelineEventsDetailsStrategyResponse,
+  TimelineEventsLastEventTimeRequestOptions,
+  TimelineEventsLastEventTimeStrategyResponse,
+} from './events';
+import { DocValueFields, TimerangeInput, SortField } from '../common';
 
-export enum TimelineQueries {
-  details = 'details',
-}
+export * from './events';
 
-export type TimelineFactoryQueryTypes = TimelineQueries;
-
-export interface TimelineEdges {
-  node: TimelineItem;
-  cursor: CursorType;
-}
-
-export interface TimelineItem {
-  _id: string;
-  _index?: Maybe<string>;
-  data: TimelineNonEcsData[];
-  ecs: Ecs;
-}
-
-export interface TimelineNonEcsData {
-  field: string;
-  value?: Maybe<string[] | string>;
-}
+export type TimelineFactoryQueryTypes = TimelineEventsQueries;
 
 export interface TimelineRequestBasicOptions extends IEsSearchRequest {
   timerange: TimerangeInput;
@@ -51,20 +28,39 @@ export interface TimelineRequestBasicOptions extends IEsSearchRequest {
   factoryQueryType?: TimelineFactoryQueryTypes;
 }
 
-export interface TimelineRequestOptions extends TimelineRequestBasicOptions {
-  pagination: PaginationInput;
-  sortField?: SortField;
+export interface TimelineRequestOptions<Field = string> extends TimelineRequestBasicOptions {
+  pagination: {
+    activePage: number;
+    querySize: number;
+  };
+  sort: SortField<Field>;
 }
 
-export interface TimelineRequestOptionsPaginated extends TimelineRequestBasicOptions {
-  pagination: PaginationInputPaginated;
-  sortField?: SortField;
+export interface TimelineRequestOptionsPaginated<Field = string>
+  extends TimelineRequestBasicOptions {
+  pagination: {
+    activePage: number;
+    querySize: number;
+  };
+  sort: SortField<Field>;
 }
 
 export type TimelineStrategyResponseType<
   T extends TimelineFactoryQueryTypes
-> = T extends TimelineQueries.details ? TimelineDetailsStrategyResponse : never;
+> = T extends TimelineEventsQueries.all
+  ? TimelineEventsAllStrategyResponse
+  : T extends TimelineEventsQueries.details
+  ? TimelineEventsDetailsStrategyResponse
+  : T extends TimelineEventsQueries.lastEventTime
+  ? TimelineEventsLastEventTimeStrategyResponse
+  : never;
 
 export type TimelineStrategyRequestType<
   T extends TimelineFactoryQueryTypes
-> = T extends TimelineQueries.details ? TimelineDetailsRequestOptions : never;
+> = T extends TimelineEventsQueries.all
+  ? TimelineEventsAllRequestOptions
+  : T extends TimelineEventsQueries.details
+  ? TimelineEventsDetailsRequestOptions
+  : T extends TimelineEventsQueries.lastEventTime
+  ? TimelineEventsLastEventTimeRequestOptions
+  : never;
diff --git a/x-pack/plugins/security_solution/public/common/components/alerts_viewer/translations.ts b/x-pack/plugins/security_solution/public/common/components/alerts_viewer/translations.ts
index b1ab509417fe5..980ec89f524bc 100644
--- a/x-pack/plugins/security_solution/public/common/components/alerts_viewer/translations.ts
+++ b/x-pack/plugins/security_solution/public/common/components/alerts_viewer/translations.ts
@@ -16,7 +16,7 @@ export const ALERTS_DOCUMENT_TYPE = i18n.translate(
 export const TOTAL_COUNT_OF_ALERTS = i18n.translate(
   'xpack.securitySolution.alertsView.totalCountOfAlerts',
   {
-    defaultMessage: 'external alerts match the search criteria',
+    defaultMessage: 'external alerts',
   }
 );
 
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/event_details.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/event_details.tsx
index 8068d51a80153..074e6faf80c7d 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/event_details.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/event_details.tsx
@@ -9,7 +9,7 @@ import React, { useMemo } from 'react';
 import styled from 'styled-components';
 
 import { BrowserFields } from '../../containers/source';
-import { DetailItem } from '../../../../common/search_strategy/timeline';
+import { TimelineEventsDetailsItem } from '../../../../common/search_strategy/timeline';
 import { ColumnHeaderOptions } from '../../../timelines/store/timeline/model';
 import { OnUpdateColumns } from '../../../timelines/components/timeline/events';
 import { EventFieldsBrowser } from './event_fields_browser';
@@ -28,7 +28,7 @@ CollapseLink.displayName = 'CollapseLink';
 interface Props {
   browserFields: BrowserFields;
   columnHeaders: ColumnHeaderOptions[];
-  data: DetailItem[];
+  data: TimelineEventsDetailsItem[];
   id: string;
   view: View;
   onEventToggled: () => void;
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/event_fields_browser.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/event_fields_browser.tsx
index 9737a09c89f49..79250ae9bec52 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/event_fields_browser.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/event_fields_browser.tsx
@@ -10,7 +10,7 @@ import React, { useMemo } from 'react';
 
 import { ColumnHeaderOptions } from '../../../timelines/store/timeline/model';
 import { BrowserFields, getAllFieldsByName } from '../../containers/source';
-import { DetailItem } from '../../../../common/search_strategy/timeline';
+import { TimelineEventsDetailsItem } from '../../../../common/search_strategy/timeline';
 import { OnUpdateColumns } from '../../../timelines/components/timeline/events';
 
 import { getColumns } from './columns';
@@ -19,7 +19,7 @@ import { search } from './helpers';
 interface Props {
   browserFields: BrowserFields;
   columnHeaders: ColumnHeaderOptions[];
-  data: DetailItem[];
+  data: TimelineEventsDetailsItem[];
   eventId: string;
   onUpdateColumns: OnUpdateColumns;
   timelineId: string;
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/stateful_event_details.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/stateful_event_details.tsx
index f4028c988acb8..bb74935d5703e 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/stateful_event_details.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/stateful_event_details.tsx
@@ -7,7 +7,7 @@
 import React, { useCallback, useState } from 'react';
 
 import { BrowserFields } from '../../containers/source';
-import { DetailItem } from '../../../../common/search_strategy/timeline';
+import { TimelineEventsDetailsItem } from '../../../../common/search_strategy/timeline';
 import { ColumnHeaderOptions } from '../../../timelines/store/timeline/model';
 import { OnUpdateColumns } from '../../../timelines/components/timeline/events';
 
@@ -16,7 +16,7 @@ import { EventDetails, View } from './event_details';
 interface Props {
   browserFields: BrowserFields;
   columnHeaders: ColumnHeaderOptions[];
-  data: DetailItem[];
+  data: TimelineEventsDetailsItem[];
   id: string;
   onEventToggled: () => void;
   onUpdateColumns: OnUpdateColumns;
diff --git a/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.test.tsx b/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.test.tsx
index 833688ae57993..037655f594241 100644
--- a/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.test.tsx
@@ -5,7 +5,6 @@
  */
 
 import React from 'react';
-import { MockedProvider } from 'react-apollo/test-utils';
 import useResizeObserver from 'use-resize-observer/polyfilled';
 
 import '../../mock/match_media';
@@ -26,6 +25,11 @@ import { TimelineId } from '../../../../common/types/timeline';
 import { KqlMode } from '../../../timelines/store/timeline/model';
 import { SortDirection } from '../../../timelines/components/timeline/body/sort';
 import { AlertsTableFilterGroup } from '../../../detections/components/alerts_table/alerts_filter_group';
+import { useTimelineEvents } from '../../../timelines/containers';
+
+jest.mock('../../../timelines/containers', () => ({
+  useTimelineEvents: jest.fn(),
+}));
 
 jest.mock('../../components/url_state/normalize_time_range.ts');
 
@@ -83,20 +87,19 @@ describe('EventsViewer', () => {
   const mount = useMountAppended();
 
   beforeEach(() => {
+    (useTimelineEvents as jest.Mock).mockReturnValue([false, mockEventViewerResponse]);
     mockUseFetchIndexPatterns.mockImplementation(() => [{ ...defaultMocks }]);
   });
 
   test('it renders the "Showing..." subtitle with the expected event count', async () => {
     const wrapper = mount(
       <TestProviders>
-        <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-          <StatefulEventsViewer
-            defaultModel={eventsDefaultModel}
-            end={to}
-            id={'test-stateful-events-viewer'}
-            start={from}
-          />
-        </MockedProvider>
+        <StatefulEventsViewer
+          defaultModel={eventsDefaultModel}
+          end={to}
+          id={'test-stateful-events-viewer'}
+          start={from}
+        />
       </TestProviders>
     );
 
@@ -114,14 +117,12 @@ describe('EventsViewer', () => {
 
     const wrapper = mount(
       <TestProviders>
-        <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-          <StatefulEventsViewer
-            defaultModel={eventsDefaultModel}
-            end={to}
-            id={'test-stateful-events-viewer'}
-            start={from}
-          />
-        </MockedProvider>
+        <StatefulEventsViewer
+          defaultModel={eventsDefaultModel}
+          end={to}
+          id={'test-stateful-events-viewer'}
+          start={from}
+        />
       </TestProviders>
     );
 
@@ -139,14 +140,12 @@ describe('EventsViewer', () => {
 
     const wrapper = mount(
       <TestProviders>
-        <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-          <StatefulEventsViewer
-            defaultModel={eventsDefaultModel}
-            end={to}
-            id={'test-stateful-events-viewer'}
-            start={''}
-          />
-        </MockedProvider>
+        <StatefulEventsViewer
+          defaultModel={eventsDefaultModel}
+          end={to}
+          id={'test-stateful-events-viewer'}
+          start={''}
+        />
       </TestProviders>
     );
 
@@ -164,14 +163,12 @@ describe('EventsViewer', () => {
 
     const wrapper = mount(
       <TestProviders>
-        <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-          <StatefulEventsViewer
-            defaultModel={eventsDefaultModel}
-            end={''}
-            id={'test-stateful-events-viewer'}
-            start={from}
-          />
-        </MockedProvider>
+        <StatefulEventsViewer
+          defaultModel={eventsDefaultModel}
+          end={''}
+          id={'test-stateful-events-viewer'}
+          start={from}
+        />
       </TestProviders>
     );
 
@@ -187,14 +184,12 @@ describe('EventsViewer', () => {
   test('it renders the Fields Browser as a settings gear', async () => {
     const wrapper = mount(
       <TestProviders>
-        <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-          <StatefulEventsViewer
-            defaultModel={eventsDefaultModel}
-            end={to}
-            id={'test-stateful-events-viewer'}
-            start={from}
-          />
-        </MockedProvider>
+        <StatefulEventsViewer
+          defaultModel={eventsDefaultModel}
+          end={to}
+          id={'test-stateful-events-viewer'}
+          start={from}
+        />
       </TestProviders>
     );
 
@@ -208,21 +203,19 @@ describe('EventsViewer', () => {
   test('it renders the footer containing the Load More button', async () => {
     const wrapper = mount(
       <TestProviders>
-        <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-          <StatefulEventsViewer
-            defaultModel={eventsDefaultModel}
-            end={to}
-            id={'test-stateful-events-viewer'}
-            start={from}
-          />
-        </MockedProvider>
+        <StatefulEventsViewer
+          defaultModel={eventsDefaultModel}
+          end={to}
+          id={'test-stateful-events-viewer'}
+          start={from}
+        />
       </TestProviders>
     );
 
     await waitFor(() => {
       wrapper.update();
 
-      expect(wrapper.find(`[data-test-subj="TimelineMoreButton"]`).first().exists()).toBe(true);
+      expect(wrapper.find(`[data-test-subj="timeline-pagination"]`).first().exists()).toBe(true);
     });
   });
 
@@ -230,14 +223,12 @@ describe('EventsViewer', () => {
     test(`it renders the ${header.id} default EventsViewer column header`, async () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-            <StatefulEventsViewer
-              defaultModel={eventsDefaultModel}
-              end={to}
-              id={'test-stateful-events-viewer'}
-              start={from}
-            />
-          </MockedProvider>
+          <StatefulEventsViewer
+            defaultModel={eventsDefaultModel}
+            end={to}
+            id={'test-stateful-events-viewer'}
+            start={from}
+          />
         </TestProviders>
       );
 
@@ -257,13 +248,11 @@ describe('EventsViewer', () => {
     test('it renders the provided headerFilterGroup', async () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-            <EventsViewer
-              {...eventsViewerDefaultProps}
-              graphEventId={undefined}
-              headerFilterGroup={<AlertsTableFilterGroup onFilterGroupChanged={jest.fn()} />}
-            />
-          </MockedProvider>
+          <EventsViewer
+            {...eventsViewerDefaultProps}
+            graphEventId={undefined}
+            headerFilterGroup={<AlertsTableFilterGroup onFilterGroupChanged={jest.fn()} />}
+          />
         </TestProviders>
       );
 
@@ -277,13 +266,11 @@ describe('EventsViewer', () => {
     test('it has a visible HeaderFilterGroupWrapper when Resolver is NOT showing, because graphEventId is undefined', async () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-            <EventsViewer
-              {...eventsViewerDefaultProps}
-              graphEventId={undefined}
-              headerFilterGroup={<AlertsTableFilterGroup onFilterGroupChanged={jest.fn()} />}
-            />
-          </MockedProvider>
+          <EventsViewer
+            {...eventsViewerDefaultProps}
+            graphEventId={undefined}
+            headerFilterGroup={<AlertsTableFilterGroup onFilterGroupChanged={jest.fn()} />}
+          />
         </TestProviders>
       );
 
@@ -299,13 +286,11 @@ describe('EventsViewer', () => {
     test('it has a visible HeaderFilterGroupWrapper when Resolver is NOT showing, because graphEventId is an empty string', async () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-            <EventsViewer
-              {...eventsViewerDefaultProps}
-              graphEventId=""
-              headerFilterGroup={<AlertsTableFilterGroup onFilterGroupChanged={jest.fn()} />}
-            />
-          </MockedProvider>
+          <EventsViewer
+            {...eventsViewerDefaultProps}
+            graphEventId=""
+            headerFilterGroup={<AlertsTableFilterGroup onFilterGroupChanged={jest.fn()} />}
+          />
         </TestProviders>
       );
 
@@ -321,13 +306,11 @@ describe('EventsViewer', () => {
     test('it does NOT have a visible HeaderFilterGroupWrapper when Resolver is showing, because graphEventId is a valid id', async () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-            <EventsViewer
-              {...eventsViewerDefaultProps}
-              graphEventId="a valid id"
-              headerFilterGroup={<AlertsTableFilterGroup onFilterGroupChanged={jest.fn()} />}
-            />
-          </MockedProvider>
+          <EventsViewer
+            {...eventsViewerDefaultProps}
+            graphEventId="a valid id"
+            headerFilterGroup={<AlertsTableFilterGroup onFilterGroupChanged={jest.fn()} />}
+          />
         </TestProviders>
       );
 
@@ -343,13 +326,11 @@ describe('EventsViewer', () => {
     test('it (still) renders an invisible headerFilterGroup (to maintain state while hidden) when Resolver is showing, because graphEventId is a valid id', async () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-            <EventsViewer
-              {...eventsViewerDefaultProps}
-              graphEventId="a valid id"
-              headerFilterGroup={<AlertsTableFilterGroup onFilterGroupChanged={jest.fn()} />}
-            />
-          </MockedProvider>
+          <EventsViewer
+            {...eventsViewerDefaultProps}
+            graphEventId="a valid id"
+            headerFilterGroup={<AlertsTableFilterGroup onFilterGroupChanged={jest.fn()} />}
+          />
         </TestProviders>
       );
 
@@ -365,9 +346,7 @@ describe('EventsViewer', () => {
     test('it renders the provided utilityBar when Resolver is NOT showing, because graphEventId is undefined', async () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-            <EventsViewer {...eventsViewerDefaultProps} graphEventId={undefined} />
-          </MockedProvider>
+          <EventsViewer {...eventsViewerDefaultProps} graphEventId={undefined} />
         </TestProviders>
       );
 
@@ -381,9 +360,7 @@ describe('EventsViewer', () => {
     test('it renders the provided utilityBar when Resolver is NOT showing, because graphEventId is an empty string', async () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-            <EventsViewer {...eventsViewerDefaultProps} graphEventId="" />
-          </MockedProvider>
+          <EventsViewer {...eventsViewerDefaultProps} graphEventId="" />
         </TestProviders>
       );
 
@@ -397,9 +374,7 @@ describe('EventsViewer', () => {
     test('it does NOT render the provided utilityBar when Resolver is showing, because graphEventId is a valid id', async () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-            <EventsViewer {...eventsViewerDefaultProps} graphEventId="a valid id" />
-          </MockedProvider>
+          <EventsViewer {...eventsViewerDefaultProps} graphEventId="a valid id" />
         </TestProviders>
       );
 
@@ -415,9 +390,7 @@ describe('EventsViewer', () => {
     test('it renders the inspect button when Resolver is NOT showing, because graphEventId is undefined', async () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-            <EventsViewer {...eventsViewerDefaultProps} graphEventId={undefined} />
-          </MockedProvider>
+          <EventsViewer {...eventsViewerDefaultProps} graphEventId={undefined} />
         </TestProviders>
       );
 
@@ -431,9 +404,7 @@ describe('EventsViewer', () => {
     test('it renders the inspect button when Resolver is NOT showing, because graphEventId is an empty string', async () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-            <EventsViewer {...eventsViewerDefaultProps} graphEventId="" />
-          </MockedProvider>
+          <EventsViewer {...eventsViewerDefaultProps} graphEventId="" />
         </TestProviders>
       );
 
@@ -447,9 +418,7 @@ describe('EventsViewer', () => {
     test('it does NOT render the inspect button when Resolver is showing, because graphEventId is a valid id', async () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-            <EventsViewer {...eventsViewerDefaultProps} graphEventId="a valid id" />
-          </MockedProvider>
+          <EventsViewer {...eventsViewerDefaultProps} graphEventId="a valid id" />
         </TestProviders>
       );
 
diff --git a/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.tsx b/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.tsx
index 3d193856a8ae4..2998bd031d674 100644
--- a/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.tsx
@@ -10,9 +10,9 @@ import React, { useEffect, useMemo, useState } from 'react';
 import styled from 'styled-components';
 import deepEqual from 'fast-deep-equal';
 
+import { Direction } from '../../../../common/search_strategy';
 import { BrowserFields, DocValueFields } from '../../containers/source';
-import { TimelineQuery } from '../../../timelines/containers';
-import { Direction } from '../../../graphql/types';
+import { useTimelineEvents } from '../../../timelines/containers';
 import { useKibana } from '../../lib/kibana';
 import { ColumnHeaderOptions, KqlMode } from '../../../timelines/store/timeline/model';
 import { HeaderSection } from '../header_section';
@@ -196,14 +196,51 @@ const EventsViewerComponent: React.FC<Props> = ({
       ),
     [columnsHeader, queryFields]
   );
+
   const sortField = useMemo(
     () => ({
-      sortFieldId: sort.columnId,
+      field: sort.columnId,
       direction: sort.sortDirection as Direction,
     }),
     [sort.columnId, sort.sortDirection]
   );
 
+  const [
+    loading,
+    { events, updatedAt, inspect, loadPage, pageInfo, refetch, totalCount = 0 },
+  ] = useTimelineEvents({
+    docValueFields,
+    fields,
+    filterQuery: combinedQueries!.filterQuery,
+    id,
+    indexPattern,
+    limit: itemsPerPage,
+    sort: sortField,
+    startDate: start,
+    endDate: end,
+    skip: !canQueryTimeline,
+  });
+
+  const totalCountMinusDeleted = useMemo(
+    () => (totalCount > 0 ? totalCount - deletedEventIds.length : 0),
+    [deletedEventIds.length, totalCount]
+  );
+
+  const subtitle = useMemo(
+    () =>
+      `${i18n.SHOWING}: ${totalCountMinusDeleted.toLocaleString()} ${unit(totalCountMinusDeleted)}`,
+    [totalCountMinusDeleted, unit]
+  );
+
+  const nonDeletedEvents = useMemo(() => events.filter((e) => !deletedEventIds.includes(e._id)), [
+    deletedEventIds,
+    events,
+  ]);
+
+  useEffect(() => {
+    setIsQueryLoading(loading);
+  }, [loading]);
+
   return (
     <StyledEuiPanel
       data-test-subj="events-viewer-panel"
@@ -211,104 +248,68 @@ const EventsViewerComponent: React.FC<Props> = ({
     >
       {canQueryTimeline ? (
         <EventDetailsWidthProvider>
-          <TimelineQuery
-            docValueFields={docValueFields}
-            fields={fields}
-            filterQuery={combinedQueries!.filterQuery}
-            id={id}
-            indexPattern={indexPattern}
-            limit={itemsPerPage}
-            sortField={sortField}
-            sourceId="default"
-            startDate={start}
-            endDate={end}
-            queryDeduplication="events_viewer"
-          >
-            {({
-              events,
-              getUpdatedAt,
-              inspect,
-              loading,
-              loadMore,
-              pageInfo,
-              refetch,
-              totalCount = 0,
-            }) => {
-              setIsQueryLoading(loading);
-              const totalCountMinusDeleted =
-                totalCount > 0 ? totalCount - deletedEventIds.length : 0;
-
-              const subtitle = `${i18n.SHOWING}: ${totalCountMinusDeleted.toLocaleString()} ${unit(
-                totalCountMinusDeleted
-              )}`;
-
-              return (
-                <>
-                  <HeaderSection
-                    id={!resolverIsShowing(graphEventId) ? id : undefined}
-                    height={headerFilterGroup ? COMPACT_HEADER_HEIGHT : EVENTS_VIEWER_HEADER_HEIGHT}
-                    subtitle={utilityBar ? undefined : subtitle}
-                    title={inspect ? justTitle : titleWithExitFullScreen}
-                  >
-                    {headerFilterGroup && (
-                      <HeaderFilterGroupWrapper
-                        data-test-subj="header-filter-group-wrapper"
-                        show={!resolverIsShowing(graphEventId)}
-                      >
-                        {headerFilterGroup}
-                      </HeaderFilterGroupWrapper>
-                    )}
-                  </HeaderSection>
-                  {utilityBar && !resolverIsShowing(graphEventId) && (
-                    <UtilityBar>{utilityBar?.(refetch, totalCountMinusDeleted)}</UtilityBar>
-                  )}
-                  <EventsContainerLoading data-test-subj={`events-container-loading-${loading}`}>
-                    <TimelineRefetch
-                      id={id}
-                      inputId="global"
-                      inspect={inspect}
-                      loading={loading}
-                      refetch={refetch}
-                    />
+          <>
+            <HeaderSection
+              id={!resolverIsShowing(graphEventId) ? id : undefined}
+              height={headerFilterGroup ? COMPACT_HEADER_HEIGHT : EVENTS_VIEWER_HEADER_HEIGHT}
+              subtitle={utilityBar ? undefined : subtitle}
+              title={inspect ? justTitle : titleWithExitFullScreen}
+            >
+              {headerFilterGroup && (
+                <HeaderFilterGroupWrapper
+                  data-test-subj="header-filter-group-wrapper"
+                  show={!resolverIsShowing(graphEventId)}
+                >
+                  {headerFilterGroup}
+                </HeaderFilterGroupWrapper>
+              )}
+            </HeaderSection>
+            {utilityBar && !resolverIsShowing(graphEventId) && (
+              <UtilityBar>{utilityBar?.(refetch, totalCountMinusDeleted)}</UtilityBar>
+            )}
+            <EventsContainerLoading data-test-subj={`events-container-loading-${loading}`}>
+              <TimelineRefetch
+                id={id}
+                inputId="global"
+                inspect={inspect}
+                loading={loading}
+                refetch={refetch}
+              />
 
-                    <StatefulBody
-                      browserFields={browserFields}
-                      data={events.filter((e) => !deletedEventIds.includes(e._id))}
-                      docValueFields={docValueFields}
-                      id={id}
-                      isEventViewer={true}
-                      refetch={refetch}
-                      sort={sort}
-                      toggleColumn={toggleColumn}
-                    />
+              <StatefulBody
+                browserFields={browserFields}
+                data={nonDeletedEvents}
+                docValueFields={docValueFields}
+                id={id}
+                isEventViewer={true}
+                refetch={refetch}
+                sort={sort}
+                toggleColumn={toggleColumn}
+              />
 
-                    {
-                      /** Hide the footer if Resolver is showing. */
-                      !graphEventId && (
-                        <Footer
-                          data-test-subj="events-viewer-footer"
-                          getUpdatedAt={getUpdatedAt}
-                          hasNextPage={getOr(false, 'hasNextPage', pageInfo)!}
-                          height={footerHeight}
-                          id={id}
-                          isLive={isLive}
-                          isLoading={loading}
-                          itemsCount={events.length}
-                          itemsPerPage={itemsPerPage}
-                          itemsPerPageOptions={itemsPerPageOptions}
-                          onChangeItemsPerPage={onChangeItemsPerPage}
-                          onLoadMore={loadMore}
-                          nextCursor={getOr(null, 'endCursor.value', pageInfo)!}
-                          serverSideEventCount={totalCountMinusDeleted}
-                          tieBreaker={getOr(null, 'endCursor.tiebreaker', pageInfo)}
-                        />
-                      )
-                    }
-                  </EventsContainerLoading>
-                </>
-              );
-            }}
-          </TimelineQuery>
+              {
+                /** Hide the footer if Resolver is showing. */
+                !graphEventId && (
+                  <Footer
+                    activePage={getOr(0, 'activePage', pageInfo)}
+                    data-test-subj="events-viewer-footer"
+                    updatedAt={updatedAt}
+                    height={footerHeight}
+                    id={id}
+                    isLive={isLive}
+                    isLoading={loading}
+                    itemsCount={nonDeletedEvents.length}
+                    itemsPerPage={itemsPerPage}
+                    itemsPerPageOptions={itemsPerPageOptions}
+                    onChangeItemsPerPage={onChangeItemsPerPage}
+                    onChangePage={loadPage}
+                    serverSideEventCount={totalCountMinusDeleted}
+                    totalPages={getOr(0, 'totalPages', pageInfo)}
+                  />
+                )
+              }
+            </EventsContainerLoading>
+          </>
         </EventDetailsWidthProvider>
       ) : null}
     </StyledEuiPanel>
diff --git a/x-pack/plugins/security_solution/public/common/components/events_viewer/index.test.tsx b/x-pack/plugins/security_solution/public/common/components/events_viewer/index.test.tsx
index 4509d01e82e25..8c61281422c2a 100644
--- a/x-pack/plugins/security_solution/public/common/components/events_viewer/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/events_viewer/index.test.tsx
@@ -5,7 +5,6 @@
  */
 
 import React from 'react';
-import { MockedProvider } from 'react-apollo/test-utils';
 import useResizeObserver from 'use-resize-observer/polyfilled';
 
 import '../../mock/match_media';
@@ -19,6 +18,11 @@ import { StatefulEventsViewer } from '.';
 import { useFetchIndexPatterns } from '../../../detections/containers/detection_engine/rules/fetch_index_patterns';
 import { mockBrowserFields } from '../../containers/source/mock';
 import { eventsDefaultModel } from './default_model';
+import { useTimelineEvents } from '../../../timelines/containers';
+
+jest.mock('../../../timelines/containers', () => ({
+  useTimelineEvents: jest.fn(),
+}));
 
 jest.mock('../../components/url_state/normalize_time_range.ts');
 
@@ -41,17 +45,17 @@ const to = '2019-08-26T22:10:56.791Z';
 describe('StatefulEventsViewer', () => {
   const mount = useMountAppended();
 
+  (useTimelineEvents as jest.Mock).mockReturnValue([false, mockEventViewerResponse]);
+
   test('it renders the events viewer', async () => {
     const wrapper = mount(
       <TestProviders>
-        <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-          <StatefulEventsViewer
-            defaultModel={eventsDefaultModel}
-            end={to}
-            id={'test-stateful-events-viewer'}
-            start={from}
-          />
-        </MockedProvider>
+        <StatefulEventsViewer
+          defaultModel={eventsDefaultModel}
+          end={to}
+          id={'test-stateful-events-viewer'}
+          start={from}
+        />
       </TestProviders>
     );
 
@@ -66,14 +70,12 @@ describe('StatefulEventsViewer', () => {
   test('it renders InspectButtonContainer', async () => {
     const wrapper = mount(
       <TestProviders>
-        <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-          <StatefulEventsViewer
-            defaultModel={eventsDefaultModel}
-            end={to}
-            id={'test-stateful-events-viewer'}
-            start={from}
-          />
-        </MockedProvider>
+        <StatefulEventsViewer
+          defaultModel={eventsDefaultModel}
+          end={to}
+          id={'test-stateful-events-viewer'}
+          start={from}
+        />
       </TestProviders>
     );
 
diff --git a/x-pack/plugins/security_solution/public/common/components/events_viewer/mock.ts b/x-pack/plugins/security_solution/public/common/components/events_viewer/mock.ts
index 6266e84051901..f6fb01be4371f 100644
--- a/x-pack/plugins/security_solution/public/common/components/events_viewer/mock.ts
+++ b/x-pack/plugins/security_solution/public/common/components/events_viewer/mock.ts
@@ -4,65 +4,11 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { noop } from 'lodash/fp';
-import { timelineQuery } from '../../../timelines/containers/index.gql_query';
-
-export const mockEventViewerResponse = [
-  {
-    request: {
-      query: timelineQuery,
-      fetchPolicy: 'network-only',
-      notifyOnNetworkStatusChange: true,
-      variables: {
-        fieldRequested: [
-          '@timestamp',
-          'message',
-          'host.name',
-          'event.module',
-          'event.dataset',
-          'event.action',
-          'user.name',
-          'source.ip',
-          'destination.ip',
-        ],
-        filterQuery: '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
-        sourceId: 'default',
-        timerange: {
-          interval: '12h',
-          from: '2019-08-26T22:10:56.791Z',
-          to: '2019-08-27T22:10:56.794Z',
-        },
-        pagination: { limit: 25, cursor: null, tiebreaker: null },
-        sortField: { sortFieldId: '@timestamp', direction: 'desc' },
-        defaultIndex: ['filebeat-*', 'auditbeat-*', 'packetbeat-*'],
-        docValueFields: [
-          { field: '@timestamp', format: 'date_time' },
-          { field: 'event.end', format: 'date_time' },
-        ],
-        inspect: false,
-        queryDeduplication: 'events_viewer',
-      },
-    },
-    result: {
-      loading: false,
-      fetchMore: noop,
-      refetch: noop,
-      data: {
-        source: {
-          id: 'default',
-          Timeline: {
-            totalCount: 12,
-            pageInfo: {
-              endCursor: null,
-              hasNextPage: true,
-              __typename: 'PageInfo',
-            },
-            edges: [],
-            __typename: 'TimelineData',
-          },
-          __typename: 'Source',
-        },
-      },
-    },
+export const mockEventViewerResponse = {
+  totalCount: 12,
+  pageInfo: {
+    activePage: 0,
+    totalPages: 10,
   },
-];
+  events: [],
+};
diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_modal/index.test.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_modal/index.test.tsx
index cef92ce2a7817..691a7d99d9345 100644
--- a/x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_modal/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_modal/index.test.tsx
@@ -18,7 +18,8 @@ import { stubIndexPattern } from 'src/plugins/data/common/index_patterns/index_p
 import { useAddOrUpdateException } from '../use_add_exception';
 import { useFetchOrCreateRuleExceptionList } from '../use_fetch_or_create_rule_exception_list';
 import { useSignalIndex } from '../../../../detections/containers/detection_engine/alerts/use_signal_index';
-import { TimelineNonEcsData, Ecs } from '../../../../graphql/types';
+import { Ecs } from '../../../../../common/ecs';
+import { TimelineNonEcsData } from '../../../../../common/search_strategy/timeline';
 import * as builder from '../builder';
 import * as helpers from '../helpers';
 import { getExceptionListItemSchemaMock } from '../../../../../../lists/common/schemas/response/exception_list_item_schema.mock';
diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_modal/index.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_modal/index.tsx
index bcbad2dfee9f0..721e53732c093 100644
--- a/x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_modal/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_modal/index.tsx
@@ -29,7 +29,8 @@ import {
 import * as i18nCommon from '../../../translations';
 import * as i18n from './translations';
 import * as sharedI18n from '../translations';
-import { TimelineNonEcsData, Ecs } from '../../../../graphql/types';
+import { Ecs } from '../../../../../common/ecs';
+import { TimelineNonEcsData } from '../../../../../common/search_strategy/timeline';
 import { useAppToasts } from '../../../hooks/use_app_toasts';
 import { useKibana } from '../../../lib/kibana';
 import { ExceptionBuilderComponent } from '../builder';
diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx
index 18d2130dd3811..3c3c71a2b33e7 100644
--- a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx
@@ -38,7 +38,7 @@ import {
 } from '../../../shared_imports';
 import { IIndexPattern } from '../../../../../../../src/plugins/data/common';
 import { validate } from '../../../../common/validate';
-import { TimelineNonEcsData } from '../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../common/search_strategy/timeline';
 import { WithCopyToClipboard } from '../../lib/clipboard/with_copy_to_clipboard';
 
 /**
diff --git a/x-pack/plugins/security_solution/public/common/components/last_event_time/index.test.tsx b/x-pack/plugins/security_solution/public/common/components/last_event_time/index.test.tsx
index 2f0060c91668b..9473ba67a1c4f 100644
--- a/x-pack/plugins/security_solution/public/common/components/last_event_time/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/last_event_time/index.test.tsx
@@ -11,29 +11,30 @@ import { LastEventIndexKey } from '../../../graphql/types';
 import { mockLastEventTimeQuery } from '../../containers/events/last_event_time/mock';
 
 import { useMountAppended } from '../../utils/use_mount_appended';
-import { useLastEventTimeQuery } from '../../containers/events/last_event_time';
+import { useTimelineLastEventTime } from '../../containers/events/last_event_time';
 import { TestProviders } from '../../mock';
 
 import { LastEventTime } from '.';
 
-const mockUseLastEventTimeQuery: jest.Mock = useLastEventTimeQuery as jest.Mock;
 jest.mock('../../containers/events/last_event_time', () => ({
-  useLastEventTimeQuery: jest.fn(),
+  useTimelineLastEventTime: jest.fn(),
 }));
 
 describe('Last Event Time Stat', () => {
   const mount = useMountAppended();
 
   beforeEach(() => {
-    mockUseLastEventTimeQuery.mockReset();
+    (useTimelineLastEventTime as jest.Mock).mockReset();
   });
 
   test('Loading', async () => {
-    mockUseLastEventTimeQuery.mockImplementation(() => ({
-      loading: true,
-      lastSeen: null,
-      errorMessage: null,
-    }));
+    (useTimelineLastEventTime as jest.Mock).mockReturnValue([
+      true,
+      {
+        lastSeen: null,
+        errorMessage: null,
+      },
+    ]);
     const wrapper = mount(
       <TestProviders>
         <LastEventTime indexKey={LastEventIndexKey.hosts} />
@@ -44,11 +45,13 @@ describe('Last Event Time Stat', () => {
     );
   });
   test('Last seen', async () => {
-    mockUseLastEventTimeQuery.mockImplementation(() => ({
-      loading: false,
-      lastSeen: mockLastEventTimeQuery[0].result.data!.source.LastEventTime.lastSeen,
-      errorMessage: mockLastEventTimeQuery[0].result.data!.source.LastEventTime.errorMessage,
-    }));
+    (useTimelineLastEventTime as jest.Mock).mockReturnValue([
+      false,
+      {
+        lastSeen: mockLastEventTimeQuery[0].result.data!.source.LastEventTime.lastSeen,
+        errorMessage: mockLastEventTimeQuery[0].result.data!.source.LastEventTime.errorMessage,
+      },
+    ]);
     const wrapper = mount(
       <TestProviders>
         <LastEventTime indexKey={LastEventIndexKey.hosts} />
@@ -57,11 +60,13 @@ describe('Last Event Time Stat', () => {
     expect(wrapper.html()).toBe('Last event: <span class="euiToolTipAnchor">12 minutes ago</span>');
   });
   test('Bad date time string', async () => {
-    mockUseLastEventTimeQuery.mockImplementation(() => ({
-      loading: false,
-      lastSeen: 'something-invalid',
-      errorMessage: mockLastEventTimeQuery[0].result.data!.source.LastEventTime.errorMessage,
-    }));
+    (useTimelineLastEventTime as jest.Mock).mockReturnValue([
+      false,
+      {
+        lastSeen: 'something-invalid',
+        errorMessage: mockLastEventTimeQuery[0].result.data!.source.LastEventTime.errorMessage,
+      },
+    ]);
     const wrapper = mount(
       <TestProviders>
         <LastEventTime indexKey={LastEventIndexKey.hosts} />
@@ -71,11 +76,13 @@ describe('Last Event Time Stat', () => {
     expect(wrapper.html()).toBe('something-invalid');
   });
   test('Null time string', async () => {
-    mockUseLastEventTimeQuery.mockImplementation(() => ({
-      loading: false,
-      lastSeen: null,
-      errorMessage: mockLastEventTimeQuery[0].result.data!.source.LastEventTime.errorMessage,
-    }));
+    (useTimelineLastEventTime as jest.Mock).mockReturnValue([
+      false,
+      {
+        lastSeen: null,
+        errorMessage: mockLastEventTimeQuery[0].result.data!.source.LastEventTime.errorMessage,
+      },
+    ]);
     const wrapper = mount(
       <TestProviders>
         <LastEventTime indexKey={LastEventIndexKey.hosts} />
diff --git a/x-pack/plugins/security_solution/public/common/components/last_event_time/index.tsx b/x-pack/plugins/security_solution/public/common/components/last_event_time/index.tsx
index 35a891c21aa8a..e9e8e7a03017c 100644
--- a/x-pack/plugins/security_solution/public/common/components/last_event_time/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/last_event_time/index.tsx
@@ -9,7 +9,7 @@ import { FormattedMessage } from '@kbn/i18n/react';
 import React, { memo } from 'react';
 
 import { LastEventIndexKey } from '../../../graphql/types';
-import { useLastEventTimeQuery } from '../../containers/events/last_event_time';
+import { useTimelineLastEventTime } from '../../containers/events/last_event_time';
 import { getEmptyTagValue } from '../empty_value';
 import { FormattedRelativePreferenceDate } from '../formatted_date';
 
@@ -20,11 +20,13 @@ export interface LastEventTimeProps {
 }
 
 export const LastEventTime = memo<LastEventTimeProps>(({ hostName, indexKey, ip }) => {
-  const { loading, lastSeen, errorMessage } = useLastEventTimeQuery(
+  const [loading, { lastSeen, errorMessage }] = useTimelineLastEventTime({
     indexKey,
-    { hostName, ip },
-    'default'
-  );
+    details: {
+      hostName,
+      ip,
+    },
+  });
 
   if (errorMessage != null) {
     return (
diff --git a/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/index.ts b/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/index.ts
index 00b78c3a96550..d70762615818b 100644
--- a/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/index.ts
+++ b/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/index.ts
@@ -4,92 +4,145 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { get } from 'lodash/fp';
-import React, { useEffect, useState } from 'react';
+import deepEqual from 'fast-deep-equal';
+import { noop } from 'lodash/fp';
+import { useCallback, useEffect, useRef, useState } from 'react';
 
 import { DEFAULT_INDEX_KEY } from '../../../../../common/constants';
+import { inputsModel } from '../../../../common/store';
+import { useKibana } from '../../../../common/lib/kibana';
 import {
-  GetLastEventTimeQuery,
-  LastEventIndexKey,
+  TimelineEventsQueries,
+  TimelineEventsLastEventTimeRequestOptions,
+  TimelineEventsLastEventTimeStrategyResponse,
   LastTimeDetails,
-} from '../../../../graphql/types';
-import { inputsModel } from '../../../store';
-import { QueryTemplateProps } from '../../query_template';
-import { useUiSetting$ } from '../../../lib/kibana';
-
-import { LastEventTimeGqlQuery } from './last_event_time.gql_query';
-import { useApolloClient } from '../../../utils/apollo_context';
+  LastEventIndexKey,
+} from '../../../../../common/search_strategy/timeline';
+import { AbortError } from '../../../../../../../../src/plugins/data/common';
 import { useWithSource } from '../../source';
+import * as i18n from './translations';
 
-export interface LastEventTimeArgs {
-  id: string;
-  errorMessage: string;
-  lastSeen: Date;
-  loading: boolean;
+// const ID = 'timelineEventsLastEventTimeQuery';
+
+export interface UseTimelineLastEventTimeArgs {
+  lastSeen: string | null;
   refetch: inputsModel.Refetch;
+  errorMessage?: string;
 }
 
-export interface OwnProps extends QueryTemplateProps {
-  children: (args: LastEventTimeArgs) => React.ReactNode;
+interface UseTimelineLastEventTimeProps {
   indexKey: LastEventIndexKey;
+  details: LastTimeDetails;
 }
 
-export function useLastEventTimeQuery(
-  indexKey: LastEventIndexKey,
-  details: LastTimeDetails,
-  sourceId: string
-) {
-  const [loading, updateLoading] = useState(false);
-  const [lastSeen, updateLastSeen] = useState<number | null>(null);
-  const [errorMessage, updateErrorMessage] = useState<string | null>(null);
-  const [currentIndexKey, updateCurrentIndexKey] = useState<LastEventIndexKey | null>(null);
-  const [defaultIndex] = useUiSetting$<string[]>(DEFAULT_INDEX_KEY);
-  const apolloClient = useApolloClient();
-  const { docValueFields } = useWithSource(sourceId);
+export const useTimelineLastEventTime = ({
+  indexKey,
+  details,
+}: UseTimelineLastEventTimeProps): [boolean, UseTimelineLastEventTimeArgs] => {
+  const { data, notifications, uiSettings } = useKibana().services;
+  const { docValueFields } = useWithSource('default');
+  const refetch = useRef<inputsModel.Refetch>(noop);
+  const abortCtrl = useRef(new AbortController());
+  const defaultIndex = uiSettings.get<string[]>(DEFAULT_INDEX_KEY);
+  const [loading, setLoading] = useState(false);
+  const [TimelineLastEventTimeRequest, setTimelineLastEventTimeRequest] = useState<
+    TimelineEventsLastEventTimeRequestOptions
+  >({
+    defaultIndex,
+    factoryQueryType: TimelineEventsQueries.lastEventTime,
+    docValueFields,
+    indexKey,
+    details,
+  });
+
+  const [TimelineLastEventTimeResponse, setTimelineLastEventTimeResponse] = useState<
+    UseTimelineLastEventTimeArgs
+  >({
+    lastSeen: null,
+    refetch: refetch.current,
+    errorMessage: undefined,
+  });
 
-  async function fetchLastEventTime(signal: AbortSignal) {
-    updateLoading(true);
-    if (apolloClient) {
-      apolloClient
-        .query<GetLastEventTimeQuery.Query, GetLastEventTimeQuery.Variables>({
-          query: LastEventTimeGqlQuery,
-          fetchPolicy: 'cache-first',
-          variables: {
-            docValueFields,
-            sourceId,
-            indexKey,
-            details,
-            defaultIndex,
-          },
-          context: {
-            fetchOptions: {
-              signal,
+  const timelineLastEventTimeSearch = useCallback(
+    (request: TimelineEventsLastEventTimeRequestOptions) => {
+      let didCancel = false;
+      const asyncSearch = async () => {
+        abortCtrl.current = new AbortController();
+        setLoading(true);
+
+        const searchSubscription$ = data.search
+          .search<
+            TimelineEventsLastEventTimeRequestOptions,
+            TimelineEventsLastEventTimeStrategyResponse
+          >(request, {
+            strategy: 'securitySolutionTimelineSearchStrategy',
+            abortSignal: abortCtrl.current.signal,
+          })
+          .subscribe({
+            next: (response) => {
+              if (!response.isPartial && !response.isRunning) {
+                if (!didCancel) {
+                  setLoading(false);
+                  setTimelineLastEventTimeResponse((prevResponse) => ({
+                    ...prevResponse,
+                    errorMessage: undefined,
+                    lastSeen: response.lastSeen,
+                    refetch: refetch.current,
+                  }));
+                }
+                searchSubscription$.unsubscribe();
+              } else if (response.isPartial && !response.isRunning) {
+                if (!didCancel) {
+                  setLoading(false);
+                }
+                // TODO: Make response error status clearer
+                notifications.toasts.addWarning(i18n.ERROR_LAST_EVENT_TIME);
+                searchSubscription$.unsubscribe();
+              }
+            },
+            error: (msg) => {
+              if (!(msg instanceof AbortError)) {
+                notifications.toasts.addDanger({
+                  title: i18n.FAIL_LAST_EVENT_TIME,
+                  text: msg.message,
+                });
+                setTimelineLastEventTimeResponse((prevResponse) => ({
+                  ...prevResponse,
+                  errorMessage: msg.message,
+                }));
+              }
             },
-          },
-        })
-        .then(
-          (result) => {
-            updateLoading(false);
-            updateLastSeen(get('data.source.LastEventTime.lastSeen', result));
-            updateErrorMessage(null);
-            updateCurrentIndexKey(currentIndexKey);
-          },
-          (error) => {
-            updateLoading(false);
-            updateLastSeen(null);
-            updateErrorMessage(error.message);
-          }
-        );
-    }
-  }
+          });
+      };
+      abortCtrl.current.abort();
+      asyncSearch();
+      refetch.current = asyncSearch;
+      return () => {
+        didCancel = true;
+        abortCtrl.current.abort();
+      };
+    },
+    [data.search, notifications.toasts]
+  );
 
   useEffect(() => {
-    const abortCtrl = new AbortController();
-    const signal = abortCtrl.signal;
-    fetchLastEventTime(signal);
-    return () => abortCtrl.abort();
-    // eslint-disable-next-line react-hooks/exhaustive-deps
-  }, [apolloClient, indexKey, details.hostName, details.ip]);
+    setTimelineLastEventTimeRequest((prevRequest) => {
+      const myRequest = {
+        ...prevRequest,
+        defaultIndex,
+        indexKey,
+        details,
+      };
+      if (!deepEqual(prevRequest, myRequest)) {
+        return myRequest;
+      }
+      return prevRequest;
+    });
+  }, [defaultIndex, details, indexKey]);
 
-  return { lastSeen, loading, errorMessage };
-}
+  useEffect(() => {
+    timelineLastEventTimeSearch(TimelineLastEventTimeRequest);
+  }, [TimelineLastEventTimeRequest, timelineLastEventTimeSearch]);
+
+  return [loading, TimelineLastEventTimeResponse];
+};
diff --git a/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/translations.ts b/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/translations.ts
new file mode 100644
index 0000000000000..1e3cf0d081384
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/translations.ts
@@ -0,0 +1,21 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { i18n } from '@kbn/i18n';
+
+export const ERROR_LAST_EVENT_TIME = i18n.translate(
+  'xpack.securitySolution.lastEventTime.errorSearchDescription',
+  {
+    defaultMessage: `An error has occurred on last event time search`,
+  }
+);
+
+export const FAIL_LAST_EVENT_TIME = i18n.translate(
+  'xpack.securitySolution.lastEventTime.failSearchDescription',
+  {
+    defaultMessage: `Failed to run search on last event time`,
+  }
+);
diff --git a/x-pack/plugins/security_solution/public/common/mock/mock_ecs.ts b/x-pack/plugins/security_solution/public/common/mock/mock_ecs.ts
index c897da69caba0..168906c6f6193 100644
--- a/x-pack/plugins/security_solution/public/common/mock/mock_ecs.ts
+++ b/x-pack/plugins/security_solution/public/common/mock/mock_ecs.ts
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { Ecs } from '../../graphql/types';
+import { Ecs } from '../../../common/ecs';
 
 export const mockEcsData: Ecs[] = [
   {
@@ -438,11 +438,7 @@ export const mockEcsData: Ecs[] = [
     _id: '14',
     timestamp: '2019-03-07T05:06:51.000Z',
     event: {
-      action: null,
-      severity: null,
       module: ['zeek'],
-      category: null,
-      id: null,
       dataset: ['zeek.connection'],
     },
     host: {
@@ -462,12 +458,9 @@ export const mockEcsData: Ecs[] = [
       region_name: ['New York'],
       country_iso_code: ['US'],
     },
-    suricata: null,
     network: {
       transport: ['tcp'],
     },
-    http: null,
-    url: null,
     zeek: {
       session_id: ['C8DRTq362Fios6hw16'],
       connection: {
@@ -477,22 +470,13 @@ export const mockEcsData: Ecs[] = [
         state: ['REJ'],
         history: ['Sr'],
       },
-      notice: null,
-      dns: null,
-      http: null,
-      files: null,
-      ssl: null,
     },
   },
   {
     _id: '15',
     timestamp: '2019-03-07T00:51:28.000Z',
     event: {
-      action: null,
-      severity: null,
       module: ['zeek'],
-      category: null,
-      id: null,
       dataset: ['zeek.dns'],
     },
     host: {
@@ -512,43 +496,25 @@ export const mockEcsData: Ecs[] = [
       region_name: ['New York'],
       country_iso_code: ['US'],
     },
-    suricata: null,
     network: {
       transport: ['udp'],
     },
-    http: null,
-    url: null,
     zeek: {
       session_id: ['CyIrMA1L1JtLqdIuol'],
-      connection: null,
-      notice: null,
       dns: {
         AA: [false],
-        qclass_name: null,
         RD: [false],
-        qtype_name: null,
-        rejected: null,
-        qtype: null,
-        query: null,
         trans_id: [65252],
-        qclass: null,
         RA: [false],
         TC: [false],
       },
-      http: null,
-      files: null,
-      ssl: null,
     },
   },
   {
     _id: '16',
     timestamp: '2019-03-05T07:00:20.000Z',
     event: {
-      action: null,
-      severity: null,
       module: ['zeek'],
-      category: null,
-      id: null,
       dataset: ['zeek.http'],
     },
     host: {
@@ -568,32 +534,22 @@ export const mockEcsData: Ecs[] = [
       region_name: ['New York'],
       country_iso_code: ['US'],
     },
-    suricata: null,
-    network: null,
     http: {
       version: ['1.1'],
       request: {
-        method: null,
         body: {
           bytes: [0],
-          content: null,
         },
-        referrer: null,
       },
       response: {
         status_code: [302],
         body: {
           bytes: [154],
-          content: null,
         },
       },
     },
-    url: null,
     zeek: {
       session_id: ['CZLkpC22NquQJOpkwe'],
-      connection: null,
-      notice: null,
-      dns: null,
       http: {
         resp_mime_types: ['text/html'],
         trans_depth: ['3'],
@@ -601,19 +557,13 @@ export const mockEcsData: Ecs[] = [
         resp_fuids: ['FzeujEPP7GTHmYPsc'],
         tags: [],
       },
-      files: null,
-      ssl: null,
     },
   },
   {
     _id: '17',
     timestamp: '2019-02-28T22:36:28.000Z',
     event: {
-      action: null,
-      severity: null,
       module: ['zeek'],
-      category: null,
-      id: null,
       dataset: ['zeek.notice'],
     },
     host: {
@@ -623,17 +573,8 @@ export const mockEcsData: Ecs[] = [
     },
     source: {
       ip: ['8.42.77.171'],
-      port: null,
-    },
-    destination: null,
-    geo: null,
-    suricata: null,
-    network: null,
-    http: null,
-    url: null,
+    },
     zeek: {
-      session_id: null,
-      connection: null,
       notice: {
         suppress_for: [3600],
         msg: ['8.42.77.171 scanned at least 15 unique ports of host 207.154.238.205 in 0m0s'],
@@ -643,27 +584,18 @@ export const mockEcsData: Ecs[] = [
         dropped: [false],
         peer_descr: ['bro'],
       },
-      dns: null,
-      http: null,
-      files: null,
-      ssl: null,
     },
   },
   {
     _id: '18',
     timestamp: '2019-02-22T21:12:13.000Z',
     event: {
-      action: null,
-      severity: null,
       module: ['zeek'],
-      category: null,
-      id: null,
       dataset: ['zeek.ssl'],
     },
     host: {
       id: ['2ce8b1e7d69e4a1d9c6bcddc473da9d9'],
       name: ['zeek-sensor-amsterdam'],
-      ip: null,
     },
     source: {
       ip: ['188.166.66.184'],
@@ -677,17 +609,8 @@ export const mockEcsData: Ecs[] = [
       region_name: ['England'],
       country_iso_code: ['GB'],
     },
-    suricata: null,
-    network: null,
-    http: null,
-    url: null,
     zeek: {
       session_id: ['CmTxzt2OVXZLkGDaRe'],
-      connection: null,
-      notice: null,
-      dns: null,
-      http: null,
-      files: null,
       ssl: {
         cipher: ['TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'],
         established: [false],
@@ -700,11 +623,7 @@ export const mockEcsData: Ecs[] = [
     _id: '19',
     timestamp: '2019-03-03T04:26:38.000Z',
     event: {
-      action: null,
-      severity: null,
       module: ['zeek'],
-      category: null,
-      id: null,
       dataset: ['zeek.files'],
     },
     host: {
@@ -712,19 +631,8 @@ export const mockEcsData: Ecs[] = [
       name: ['suricata-zeek-singapore'],
       ip: ['206.189.35.240', '10.15.0.5', 'fe80::98c7:eff:fe29:4455'],
     },
-    source: null,
-    destination: null,
-    geo: null,
-    suricata: null,
-    network: null,
-    http: null,
-    url: null,
     zeek: {
       session_id: ['Cu0n232QMyvNtzb75j'],
-      connection: null,
-      notice: null,
-      dns: null,
-      http: null,
       files: {
         session_ids: ['Cu0n232QMyvNtzb75j'],
         timedout: [false],
@@ -745,7 +653,6 @@ export const mockEcsData: Ecs[] = [
         missing_bytes: [0],
         md5: ['f7653f1951693021daa9e6be61226e32'],
       },
-      ssl: null,
     },
   },
   {
@@ -753,24 +660,14 @@ export const mockEcsData: Ecs[] = [
     timestamp: '2019-03-13T05:42:11.815Z',
     event: {
       action: ['executed'],
-      severity: null,
       module: ['auditd'],
       category: ['audit-rule'],
-      id: null,
-      dataset: null,
     },
     host: {
       id: ['f896741c3b3b44bdb8e351a4ab6d2d7c'],
       name: ['zeek-sanfran'],
       ip: ['134.209.63.134', '10.46.0.5', 'fe80::a0d9:16ff:fecf:e70b'],
     },
-    source: null,
-    destination: null,
-    geo: null,
-    suricata: null,
-    network: null,
-    http: null,
-    url: null,
     user: {
       name: ['alice'],
     },
@@ -783,24 +680,19 @@ export const mockEcsData: Ecs[] = [
       title: ['gpgconf --list-dirs agent-socket'],
       working_directory: ['/'],
     },
-    zeek: null,
   },
   {
     _id: '21',
     timestamp: '2019-03-14T22:30:25.527Z',
     event: {
       action: ['logged-in'],
-      severity: null,
       module: ['auditd'],
       category: ['user-login'],
-      id: null,
-      dataset: null,
     },
     auditd: {
       result: ['success'],
       session: ['14'],
       data: {
-        acct: null,
         terminal: ['/dev/pts/0'],
         op: ['login'],
       },
@@ -815,8 +707,6 @@ export const mockEcsData: Ecs[] = [
           type: ['user-session'],
         },
         how: ['/usr/sbin/sshd'],
-        message_type: null,
-        sequence: null,
       },
     },
     host: {
@@ -826,38 +716,22 @@ export const mockEcsData: Ecs[] = [
     },
     source: {
       ip: ['8.42.77.171'],
-      port: null,
-    },
-    destination: null,
-    geo: null,
-    suricata: null,
-    network: null,
-    http: null,
-    url: null,
+    },
     user: {
       name: ['root'],
     },
     process: {
       pid: [17471],
-      name: null,
-      ppid: null,
-      args: null,
       executable: ['/usr/sbin/sshd'],
-      title: null,
-      working_directory: null,
     },
-    zeek: null,
   },
   {
     _id: '22',
     timestamp: '2019-03-13T03:35:21.614Z',
     event: {
       action: ['disposed-credentials'],
-      severity: null,
       module: ['auditd'],
       category: ['user-login'],
-      id: null,
-      dataset: null,
     },
     auditd: {
       result: ['success'],
@@ -878,8 +752,6 @@ export const mockEcsData: Ecs[] = [
           type: ['user-session'],
         },
         how: ['/usr/sbin/sshd'],
-        message_type: null,
-        sequence: null,
       },
     },
     host: {
@@ -887,37 +759,21 @@ export const mockEcsData: Ecs[] = [
       name: ['suricata-bangalore'],
       ip: ['139.59.11.147', '10.47.0.5', 'fe80::ec0b:1bff:fe29:80bd'],
     },
-    source: null,
-    destination: null,
-    geo: null,
-    suricata: null,
-    network: null,
-    http: null,
-    url: null,
     user: {
       name: ['root'],
     },
     process: {
       pid: [21202],
-      name: null,
-      ppid: null,
-      args: null,
       executable: ['/usr/sbin/sshd'],
-      title: null,
-      working_directory: null,
     },
-    zeek: null,
   },
   {
     _id: '23',
     timestamp: '2019-03-13T03:35:21.614Z',
     event: {
       action: ['ended-session'],
-      severity: null,
       module: ['auditd'],
       category: ['user-login'],
-      id: null,
-      dataset: null,
     },
     auditd: {
       result: ['success'],
@@ -938,8 +794,6 @@ export const mockEcsData: Ecs[] = [
           type: ['user-session'],
         },
         how: ['/usr/sbin/sshd'],
-        message_type: null,
-        sequence: null,
       },
     },
     host: {
@@ -947,37 +801,21 @@ export const mockEcsData: Ecs[] = [
       name: ['suricata-bangalore'],
       ip: ['139.59.11.147', '10.47.0.5', 'fe80::ec0b:1bff:fe29:80bd'],
     },
-    source: null,
-    destination: null,
-    geo: null,
-    suricata: null,
-    network: null,
-    http: null,
-    url: null,
     user: {
       name: ['root'],
     },
     process: {
       pid: [21202],
-      name: null,
-      ppid: null,
-      args: null,
       executable: ['/usr/sbin/sshd'],
-      title: null,
-      working_directory: null,
     },
-    zeek: null,
   },
   {
     _id: '24',
     timestamp: '2019-03-18T23:17:01.645Z',
     event: {
       action: ['acquired-credentials'],
-      severity: null,
       module: ['auditd'],
       category: ['user-login'],
-      id: null,
-      dataset: null,
     },
     auditd: {
       result: ['success'],
@@ -994,12 +832,9 @@ export const mockEcsData: Ecs[] = [
         },
         object: {
           primary: ['cron'],
-          secondary: null,
           type: ['user-session'],
         },
         how: ['/usr/sbin/cron'],
-        message_type: null,
-        sequence: null,
       },
     },
     host: {
@@ -1007,37 +842,21 @@ export const mockEcsData: Ecs[] = [
       name: ['zeek-london'],
       ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'],
     },
-    source: null,
-    destination: null,
-    geo: null,
-    suricata: null,
-    network: null,
-    http: null,
-    url: null,
     user: {
       name: ['root'],
     },
     process: {
       pid: [9592],
-      name: null,
-      ppid: null,
-      args: null,
       executable: ['/usr/sbin/cron'],
-      title: null,
-      working_directory: null,
     },
-    zeek: null,
   },
   {
     _id: '25',
     timestamp: '2019-03-19T01:17:01.336Z',
     event: {
       action: ['started-session'],
-      severity: null,
       module: ['auditd'],
       category: ['user-login'],
-      id: null,
-      dataset: null,
     },
     auditd: {
       result: ['success'],
@@ -1054,58 +873,36 @@ export const mockEcsData: Ecs[] = [
         },
         object: {
           primary: ['cron'],
-          secondary: null,
           type: ['user-session'],
         },
         how: ['[/usr/sbin/cron'],
-        message_type: null,
-        sequence: null,
       },
     },
     host: {
       id: ['aa7ca589f1b8220002f2fc61c64cfbf1'],
       name: ['siem-kibana'],
-      ip: null,
-    },
-    source: null,
-    destination: null,
-    geo: null,
-    suricata: null,
-    network: null,
-    http: null,
-    url: null,
+    },
     user: {
       name: ['root'],
     },
     process: {
       pid: [725],
-      name: null,
-      ppid: null,
-      args: null,
       executable: ['/usr/sbin/cron'],
-      title: null,
-      working_directory: null,
     },
-    zeek: null,
   },
   {
     _id: '26',
     timestamp: '2019-03-13T03:34:08.890Z',
     event: {
       action: ['was-authorized'],
-      severity: null,
       module: ['auditd'],
       category: ['user-login'],
-      id: null,
-      dataset: null,
     },
     auditd: {
       result: ['success'],
       session: ['338'],
       data: {
-        acct: null,
         terminal: ['/dev/pts/0'],
-        op: null,
       },
       summary: {
         actor: {
@@ -1114,12 +911,9 @@ export const mockEcsData: Ecs[] = [
         },
         object: {
           primary: ['/dev/pts/0'],
-          secondary: null,
           type: ['user-session'],
         },
         how: ['/sbin/pam_tally2'],
-        message_type: null,
-        sequence: null,
       },
     },
     host: {
@@ -1127,42 +921,25 @@ export const mockEcsData: Ecs[] = [
       name: ['suricata-bangalore'],
       ip: ['139.59.11.147', '10.47.0.5', 'fe80::ec0b:1bff:fe29:80bd'],
     },
-    source: null,
-    destination: null,
-    geo: null,
-    suricata: null,
-    network: null,
-    http: null,
-    url: null,
     user: {
       name: ['alice'],
     },
     process: {
       pid: [21170],
-      name: null,
-      ppid: null,
-      args: null,
       executable: ['/sbin/pam_tally2'],
-      title: null,
-      working_directory: null,
     },
-    zeek: null,
   },
   {
     _id: '27',
     timestamp: '2019-03-22T19:13:11.026Z',
     event: {
       action: ['connected-to'],
-      severity: null,
       module: ['auditd'],
       category: ['audit-rule'],
-      id: null,
-      dataset: null,
     },
     auditd: {
       result: ['success'],
       session: ['246'],
-      data: null,
       summary: {
         actor: {
           primary: ['alice'],
@@ -1174,8 +951,6 @@ export const mockEcsData: Ecs[] = [
           type: ['socket'],
         },
         how: ['/usr/bin/wget'],
-        message_type: null,
-        sequence: null,
       },
     },
     host: {
@@ -1183,16 +958,10 @@ export const mockEcsData: Ecs[] = [
       name: ['zeek-london'],
       ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'],
     },
-    source: null,
     destination: {
       ip: ['93.184.216.34'],
       port: [80],
     },
-    geo: null,
-    suricata: null,
-    network: null,
-    http: null,
-    url: null,
     user: {
       name: ['alice'],
     },
@@ -1200,28 +969,21 @@ export const mockEcsData: Ecs[] = [
       pid: [1490],
       name: ['wget'],
       ppid: [1476],
-      args: null,
       executable: ['/usr/bin/wget'],
       title: ['wget www.example.com'],
-      working_directory: null,
     },
-    zeek: null,
   },
   {
     _id: '28',
     timestamp: '2019-03-26T22:12:18.609Z',
     event: {
       action: ['opened-file'],
-      severity: null,
       module: ['auditd'],
       category: ['audit-rule'],
-      id: null,
-      dataset: null,
     },
     auditd: {
       result: ['success'],
       session: ['unset'],
-      data: null,
       summary: {
         actor: {
           primary: ['unset'],
@@ -1229,19 +991,13 @@ export const mockEcsData: Ecs[] = [
         },
         object: {
           primary: ['/proc/15990/attr/current'],
-          secondary: null,
           type: ['file'],
         },
         how: ['/lib/systemd/systemd-journald'],
-        message_type: null,
-        sequence: null,
       },
     },
     file: {
       path: ['/proc/15990/attr/current'],
-      target_path: null,
-      extension: null,
-      type: null,
       device: ['00:00'],
       inode: ['27672309'],
       uid: ['0'],
@@ -1249,22 +1005,13 @@ export const mockEcsData: Ecs[] = [
       gid: ['0'],
       group: ['root'],
       mode: ['0666'],
-      size: null,
-      mtime: null,
-      ctime: null,
     },
     host: {
       id: ['7c21f5ed03b04d0299569d221fe18bbc'],
       name: ['zeek-london'],
       ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'],
     },
-    source: null,
-    destination: null,
-    geo: null,
-    suricata: null,
-    network: null,
-    http: null,
-    url: null,
+
     user: {
       name: ['root'],
     },
@@ -1272,12 +1019,10 @@ export const mockEcsData: Ecs[] = [
       pid: [27244],
       name: ['systemd-journal'],
       ppid: [1],
-      args: null,
       executable: ['/lib/systemd/systemd-journald'],
       title: ['/lib/systemd/systemd-journald'],
       working_directory: ['/'],
     },
-    zeek: null,
   },
 ];
 
diff --git a/x-pack/plugins/security_solution/public/common/mock/mock_endgame_ecs_data.ts b/x-pack/plugins/security_solution/public/common/mock/mock_endgame_ecs_data.ts
index 9b2cd14499db4..4c03a5457eb3f 100644
--- a/x-pack/plugins/security_solution/public/common/mock/mock_endgame_ecs_data.ts
+++ b/x-pack/plugins/security_solution/public/common/mock/mock_endgame_ecs_data.ts
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { Ecs } from '../../graphql/types';
+import { Ecs } from '../../../common/ecs';
 
 export const mockEndgameDnsRequest: Ecs = {
   _id: 'S8jPcG0BOpWiDweSou3g',
diff --git a/x-pack/plugins/security_solution/public/common/mock/mock_timeline_data.ts b/x-pack/plugins/security_solution/public/common/mock/mock_timeline_data.ts
index 9974842bff474..322dccdac973e 100644
--- a/x-pack/plugins/security_solution/public/common/mock/mock_timeline_data.ts
+++ b/x-pack/plugins/security_solution/public/common/mock/mock_timeline_data.ts
@@ -4,7 +4,8 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { Ecs, TimelineItem } from '../../graphql/types';
+import { Ecs } from '../../../common/ecs';
+import { TimelineItem } from '../../../common/search_strategy/timeline';
 
 export const mockTimelineData: TimelineItem[] = [
   {
@@ -425,11 +426,7 @@ export const mockTimelineData: TimelineItem[] = [
       _id: '14',
       timestamp: '2019-03-07T05:06:51.000Z',
       event: {
-        action: null,
-        severity: null,
         module: ['zeek'],
-        category: null,
-        id: null,
         dataset: ['zeek.connection'],
       },
       host: {
@@ -440,10 +437,7 @@ export const mockTimelineData: TimelineItem[] = [
       source: { ip: ['185.176.26.101'], port: [44059] },
       destination: { ip: ['207.154.238.205'], port: [11568] },
       geo: { region_name: ['New York'], country_iso_code: ['US'] },
-      suricata: null,
       network: { transport: ['tcp'] },
-      http: null,
-      url: null,
       zeek: {
         session_id: ['C8DRTq362Fios6hw16'],
         connection: {
@@ -453,11 +447,6 @@ export const mockTimelineData: TimelineItem[] = [
           state: ['REJ'],
           history: ['Sr'],
         },
-        notice: null,
-        dns: null,
-        http: null,
-        files: null,
-        ssl: null,
       },
     },
   },
@@ -473,11 +462,7 @@ export const mockTimelineData: TimelineItem[] = [
       _id: '15',
       timestamp: '2019-03-07T00:51:28.000Z',
       event: {
-        action: null,
-        severity: null,
         module: ['zeek'],
-        category: null,
-        id: null,
         dataset: ['zeek.dns'],
       },
       host: {
@@ -488,30 +473,16 @@ export const mockTimelineData: TimelineItem[] = [
       source: { ip: ['206.189.35.240'], port: [57475] },
       destination: { ip: ['67.207.67.3'], port: [53] },
       geo: { region_name: ['New York'], country_iso_code: ['US'] },
-      suricata: null,
       network: { transport: ['udp'] },
-      http: null,
-      url: null,
       zeek: {
         session_id: ['CyIrMA1L1JtLqdIuol'],
-        connection: null,
-        notice: null,
         dns: {
           AA: [false],
-          qclass_name: null,
           RD: [false],
-          qtype_name: null,
-          rejected: null,
-          qtype: null,
-          query: null,
           trans_id: [65252],
-          qclass: null,
           RA: [false],
           TC: [false],
         },
-        http: null,
-        files: null,
-        ssl: null,
       },
     },
   },
@@ -527,11 +498,7 @@ export const mockTimelineData: TimelineItem[] = [
       _id: '16',
       timestamp: '2019-03-05T07:00:20.000Z',
       event: {
-        action: null,
-        severity: null,
         module: ['zeek'],
-        category: null,
-        id: null,
         dataset: ['zeek.http'],
       },
       host: {
@@ -542,19 +509,14 @@ export const mockTimelineData: TimelineItem[] = [
       source: { ip: ['206.189.35.240'], port: [36220] },
       destination: { ip: ['192.241.164.26'], port: [80] },
       geo: { region_name: ['New York'], country_iso_code: ['US'] },
-      suricata: null,
-      network: null,
       http: {
         version: ['1.1'],
-        request: { method: null, body: { bytes: [0], content: null }, referrer: null },
-        response: { status_code: [302], body: { bytes: [154], content: null } },
+        request: { body: { bytes: [0] } },
+        response: { status_code: [302], body: { bytes: [154] } },
       },
-      url: null,
       zeek: {
         session_id: ['CZLkpC22NquQJOpkwe'],
-        connection: null,
-        notice: null,
-        dns: null,
+
         http: {
           resp_mime_types: ['text/html'],
           trans_depth: ['3'],
@@ -562,8 +524,6 @@ export const mockTimelineData: TimelineItem[] = [
           resp_fuids: ['FzeujEPP7GTHmYPsc'],
           tags: [],
         },
-        files: null,
-        ssl: null,
       },
     },
   },
@@ -578,11 +538,7 @@ export const mockTimelineData: TimelineItem[] = [
       _id: '17',
       timestamp: '2019-02-28T22:36:28.000Z',
       event: {
-        action: null,
-        severity: null,
         module: ['zeek'],
-        category: null,
-        id: null,
         dataset: ['zeek.notice'],
       },
       host: {
@@ -590,16 +546,8 @@ export const mockTimelineData: TimelineItem[] = [
         name: ['zeek-franfurt'],
         ip: ['207.154.238.205', '10.19.0.5', 'fe80::d82b:9aff:fe0d:1e12'],
       },
-      source: { ip: ['8.42.77.171'], port: null },
-      destination: null,
-      geo: null,
-      suricata: null,
-      network: null,
-      http: null,
-      url: null,
+      source: { ip: ['8.42.77.171'] },
       zeek: {
-        session_id: null,
-        connection: null,
         notice: {
           suppress_for: [3600],
           msg: ['8.42.77.171 scanned at least 15 unique ports of host 207.154.238.205 in 0m0s'],
@@ -609,10 +557,6 @@ export const mockTimelineData: TimelineItem[] = [
           dropped: [false],
           peer_descr: ['bro'],
         },
-        dns: null,
-        http: null,
-        files: null,
-        ssl: null,
       },
     },
   },
@@ -628,28 +572,15 @@ export const mockTimelineData: TimelineItem[] = [
       _id: '18',
       timestamp: '2019-02-22T21:12:13.000Z',
       event: {
-        action: null,
-        severity: null,
         module: ['zeek'],
-        category: null,
-        id: null,
         dataset: ['zeek.ssl'],
       },
-      host: { id: ['2ce8b1e7d69e4a1d9c6bcddc473da9d9'], name: ['zeek-sensor-amsterdam'], ip: null },
+      host: { id: ['2ce8b1e7d69e4a1d9c6bcddc473da9d9'], name: ['zeek-sensor-amsterdam'] },
       source: { ip: ['188.166.66.184'], port: [34514] },
       destination: { ip: ['91.189.95.15'], port: [443] },
       geo: { region_name: ['England'], country_iso_code: ['GB'] },
-      suricata: null,
-      network: null,
-      http: null,
-      url: null,
       zeek: {
         session_id: ['CmTxzt2OVXZLkGDaRe'],
-        connection: null,
-        notice: null,
-        dns: null,
-        http: null,
-        files: null,
         ssl: {
           cipher: ['TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'],
           established: [false],
@@ -669,11 +600,7 @@ export const mockTimelineData: TimelineItem[] = [
       _id: '19',
       timestamp: '2019-03-03T04:26:38.000Z',
       event: {
-        action: null,
-        severity: null,
         module: ['zeek'],
-        category: null,
-        id: null,
         dataset: ['zeek.files'],
       },
       host: {
@@ -681,19 +608,8 @@ export const mockTimelineData: TimelineItem[] = [
         name: ['suricata-zeek-singapore'],
         ip: ['206.189.35.240', '10.15.0.5', 'fe80::98c7:eff:fe29:4455'],
       },
-      source: null,
-      destination: null,
-      geo: null,
-      suricata: null,
-      network: null,
-      http: null,
-      url: null,
       zeek: {
         session_id: ['Cu0n232QMyvNtzb75j'],
-        connection: null,
-        notice: null,
-        dns: null,
-        http: null,
         files: {
           session_ids: ['Cu0n232QMyvNtzb75j'],
           timedout: [false],
@@ -714,7 +630,6 @@ export const mockTimelineData: TimelineItem[] = [
           missing_bytes: [0],
           md5: ['f7653f1951693021daa9e6be61226e32'],
         },
-        ssl: null,
       },
     },
   },
@@ -730,24 +645,14 @@ export const mockTimelineData: TimelineItem[] = [
       timestamp: '2019-03-13T05:42:11.815Z',
       event: {
         action: ['executed'],
-        severity: null,
         module: ['auditd'],
         category: ['audit-rule'],
-        id: null,
-        dataset: null,
       },
       host: {
         id: ['f896741c3b3b44bdb8e351a4ab6d2d7c'],
         name: ['zeek-sanfran'],
         ip: ['134.209.63.134', '10.46.0.5', 'fe80::a0d9:16ff:fecf:e70b'],
       },
-      source: null,
-      destination: null,
-      geo: null,
-      suricata: null,
-      network: null,
-      http: null,
-      url: null,
       user: { name: ['alice'] },
       process: {
         pid: [5402],
@@ -758,7 +663,6 @@ export const mockTimelineData: TimelineItem[] = [
         title: ['gpgconf --list-dirs agent-socket'],
         working_directory: ['/'],
       },
-      zeek: null,
     },
   },
   {
@@ -775,22 +679,17 @@ export const mockTimelineData: TimelineItem[] = [
       timestamp: '2019-03-14T22:30:25.527Z',
       event: {
         action: ['logged-in'],
-        severity: null,
         module: ['auditd'],
         category: ['user-login'],
-        id: null,
-        dataset: null,
       },
       auditd: {
         result: ['success'],
         session: ['14'],
-        data: { acct: null, terminal: ['/dev/pts/0'], op: ['login'] },
+        data: { terminal: ['/dev/pts/0'], op: ['login'] },
         summary: {
           actor: { primary: ['alice'], secondary: ['alice'] },
           object: { primary: ['/dev/pts/0'], secondary: ['8.42.77.171'], type: ['user-session'] },
           how: ['/usr/sbin/sshd'],
-          message_type: null,
-          sequence: null,
         },
       },
       host: {
@@ -798,24 +697,12 @@ export const mockTimelineData: TimelineItem[] = [
         name: ['zeek-london'],
         ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'],
       },
-      source: { ip: ['8.42.77.171'], port: null },
-      destination: null,
-      geo: null,
-      suricata: null,
-      network: null,
-      http: null,
-      url: null,
+      source: { ip: ['8.42.77.171'] },
       user: { name: ['root'] },
       process: {
         pid: [17471],
-        name: null,
-        ppid: null,
-        args: null,
         executable: ['/usr/sbin/sshd'],
-        title: null,
-        working_directory: null,
       },
-      zeek: null,
     },
   },
   {
@@ -831,11 +718,8 @@ export const mockTimelineData: TimelineItem[] = [
       timestamp: '2019-03-13T03:35:21.614Z',
       event: {
         action: ['disposed-credentials'],
-        severity: null,
         module: ['auditd'],
         category: ['user-login'],
-        id: null,
-        dataset: null,
       },
       auditd: {
         result: ['success'],
@@ -845,8 +729,6 @@ export const mockTimelineData: TimelineItem[] = [
           actor: { primary: ['alice'], secondary: ['alice'] },
           object: { primary: ['ssh'], secondary: ['8.42.77.171'], type: ['user-session'] },
           how: ['/usr/sbin/sshd'],
-          message_type: null,
-          sequence: null,
         },
       },
       host: {
@@ -854,24 +736,11 @@ export const mockTimelineData: TimelineItem[] = [
         name: ['suricata-bangalore'],
         ip: ['139.59.11.147', '10.47.0.5', 'fe80::ec0b:1bff:fe29:80bd'],
       },
-      source: null,
-      destination: null,
-      geo: null,
-      suricata: null,
-      network: null,
-      http: null,
-      url: null,
       user: { name: ['root'] },
       process: {
         pid: [21202],
-        name: null,
-        ppid: null,
-        args: null,
         executable: ['/usr/sbin/sshd'],
-        title: null,
-        working_directory: null,
       },
-      zeek: null,
     },
   },
   {
@@ -887,11 +756,8 @@ export const mockTimelineData: TimelineItem[] = [
       timestamp: '2019-03-13T03:35:21.614Z',
       event: {
         action: ['ended-session'],
-        severity: null,
         module: ['auditd'],
         category: ['user-login'],
-        id: null,
-        dataset: null,
       },
       auditd: {
         result: ['success'],
@@ -901,8 +767,6 @@ export const mockTimelineData: TimelineItem[] = [
           actor: { primary: ['alice'], secondary: ['alice'] },
           object: { primary: ['ssh'], secondary: ['8.42.77.171'], type: ['user-session'] },
           how: ['/usr/sbin/sshd'],
-          message_type: null,
-          sequence: null,
         },
       },
       host: {
@@ -910,24 +774,11 @@ export const mockTimelineData: TimelineItem[] = [
         name: ['suricata-bangalore'],
         ip: ['139.59.11.147', '10.47.0.5', 'fe80::ec0b:1bff:fe29:80bd'],
       },
-      source: null,
-      destination: null,
-      geo: null,
-      suricata: null,
-      network: null,
-      http: null,
-      url: null,
       user: { name: ['root'] },
       process: {
         pid: [21202],
-        name: null,
-        ppid: null,
-        args: null,
         executable: ['/usr/sbin/sshd'],
-        title: null,
-        working_directory: null,
       },
-      zeek: null,
     },
   },
   {
@@ -943,11 +794,8 @@ export const mockTimelineData: TimelineItem[] = [
       timestamp: '2019-03-18T23:17:01.645Z',
       event: {
         action: ['acquired-credentials'],
-        severity: null,
         module: ['auditd'],
         category: ['user-login'],
-        id: null,
-        dataset: null,
       },
       auditd: {
         result: ['success'],
@@ -955,10 +803,8 @@ export const mockTimelineData: TimelineItem[] = [
         data: { acct: ['root'], terminal: ['cron'], op: ['PAM:setcred'] },
         summary: {
           actor: { primary: ['unset'], secondary: ['root'] },
-          object: { primary: ['cron'], secondary: null, type: ['user-session'] },
+          object: { primary: ['cron'], type: ['user-session'] },
           how: ['/usr/sbin/cron'],
-          message_type: null,
-          sequence: null,
         },
       },
       host: {
@@ -966,24 +812,11 @@ export const mockTimelineData: TimelineItem[] = [
         name: ['zeek-london'],
         ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'],
       },
-      source: null,
-      destination: null,
-      geo: null,
-      suricata: null,
-      network: null,
-      http: null,
-      url: null,
       user: { name: ['root'] },
       process: {
         pid: [9592],
-        name: null,
-        ppid: null,
-        args: null,
         executable: ['/usr/sbin/cron'],
-        title: null,
-        working_directory: null,
       },
-      zeek: null,
     },
   },
   {
@@ -999,11 +832,8 @@ export const mockTimelineData: TimelineItem[] = [
       timestamp: '2019-03-19T01:17:01.336Z',
       event: {
         action: ['started-session'],
-        severity: null,
         module: ['auditd'],
         category: ['user-login'],
-        id: null,
-        dataset: null,
       },
       auditd: {
         result: ['success'],
@@ -1011,31 +841,16 @@ export const mockTimelineData: TimelineItem[] = [
         data: { acct: ['root'], terminal: ['cron'], op: ['PAM:session_open'] },
         summary: {
           actor: { primary: ['root'], secondary: ['root'] },
-          object: { primary: ['cron'], secondary: null, type: ['user-session'] },
+          object: { primary: ['cron'], type: ['user-session'] },
           how: ['/usr/sbin/cron'],
-          message_type: null,
-          sequence: null,
         },
       },
-      host: { id: ['aa7ca589f1b8220002f2fc61c64cfbf1'], name: ['siem-kibana'], ip: null },
-      source: null,
-      destination: null,
-      geo: null,
-      suricata: null,
-      network: null,
-      http: null,
-      url: null,
+      host: { id: ['aa7ca589f1b8220002f2fc61c64cfbf1'], name: ['siem-kibana'] },
       user: { name: ['root'] },
       process: {
         pid: [725],
-        name: null,
-        ppid: null,
-        args: null,
         executable: ['/usr/sbin/cron'],
-        title: null,
-        working_directory: null,
       },
-      zeek: null,
     },
   },
   {
@@ -1051,22 +866,17 @@ export const mockTimelineData: TimelineItem[] = [
       timestamp: '2019-03-13T03:34:08.890Z',
       event: {
         action: ['was-authorized'],
-        severity: null,
         module: ['auditd'],
         category: ['user-login'],
-        id: null,
-        dataset: null,
       },
       auditd: {
         result: ['success'],
         session: ['338'],
-        data: { acct: null, terminal: ['/dev/pts/0'], op: null },
+        data: { terminal: ['/dev/pts/0'] },
         summary: {
           actor: { primary: ['root'], secondary: ['alice'] },
-          object: { primary: ['/dev/pts/0'], secondary: null, type: ['user-session'] },
+          object: { primary: ['/dev/pts/0'], type: ['user-session'] },
           how: ['/sbin/pam_tally2'],
-          message_type: null,
-          sequence: null,
         },
       },
       host: {
@@ -1074,24 +884,11 @@ export const mockTimelineData: TimelineItem[] = [
         name: ['suricata-bangalore'],
         ip: ['139.59.11.147', '10.47.0.5', 'fe80::ec0b:1bff:fe29:80bd'],
       },
-      source: null,
-      destination: null,
-      geo: null,
-      suricata: null,
-      network: null,
-      http: null,
-      url: null,
       user: { name: ['alice'] },
       process: {
         pid: [21170],
-        name: null,
-        ppid: null,
-        args: null,
         executable: ['/sbin/pam_tally2'],
-        title: null,
-        working_directory: null,
       },
-      zeek: null,
     },
   },
   {
@@ -1109,22 +906,16 @@ export const mockTimelineData: TimelineItem[] = [
       timestamp: '2019-03-22T19:13:11.026Z',
       event: {
         action: ['connected-to'],
-        severity: null,
         module: ['auditd'],
         category: ['audit-rule'],
-        id: null,
-        dataset: null,
       },
       auditd: {
         result: ['success'],
         session: ['246'],
-        data: null,
         summary: {
           actor: { primary: ['alice'], secondary: ['alice'] },
           object: { primary: ['192.168.216.34'], secondary: ['80'], type: ['socket'] },
           how: ['/usr/bin/wget'],
-          message_type: null,
-          sequence: null,
         },
       },
       host: {
@@ -1132,24 +923,15 @@ export const mockTimelineData: TimelineItem[] = [
         name: ['zeek-london'],
         ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'],
       },
-      source: null,
       destination: { ip: ['192.168.216.34'], port: [80] },
-      geo: null,
-      suricata: null,
-      network: null,
-      http: null,
-      url: null,
       user: { name: ['alice'] },
       process: {
         pid: [1490],
         name: ['wget'],
         ppid: [1476],
-        args: null,
         executable: ['/usr/bin/wget'],
         title: ['wget www.example.com'],
-        working_directory: null,
       },
-      zeek: null,
     },
   },
   {
@@ -1166,29 +948,20 @@ export const mockTimelineData: TimelineItem[] = [
       timestamp: '2019-03-26T22:12:18.609Z',
       event: {
         action: ['opened-file'],
-        severity: null,
         module: ['auditd'],
         category: ['audit-rule'],
-        id: null,
-        dataset: null,
       },
       auditd: {
         result: ['success'],
         session: ['242'],
-        data: null,
         summary: {
           actor: { primary: ['unset'], secondary: ['root'] },
-          object: { primary: ['/proc/15990/attr/current'], secondary: null, type: ['file'] },
+          object: { primary: ['/proc/15990/attr/current'], type: ['file'] },
           how: ['/lib/systemd/systemd-journald'],
-          message_type: null,
-          sequence: null,
         },
       },
       file: {
         path: ['/proc/15990/attr/current'],
-        target_path: null,
-        extension: null,
-        type: null,
         device: ['00:00'],
         inode: ['27672309'],
         uid: ['0'],
@@ -1196,33 +969,22 @@ export const mockTimelineData: TimelineItem[] = [
         gid: ['0'],
         group: ['root'],
         mode: ['0666'],
-        size: null,
-        mtime: null,
-        ctime: null,
       },
       host: {
         id: ['7c21f5ed03b04d0299569d221fe18bbc'],
         name: ['zeek-london'],
         ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'],
       },
-      source: null,
-      destination: null,
-      geo: null,
-      suricata: null,
-      network: null,
-      http: null,
-      url: null,
+
       user: { name: ['root'] },
       process: {
         pid: [27244],
         name: ['systemd-journal'],
         ppid: [1],
-        args: null,
         executable: ['/lib/systemd/systemd-journald'],
         title: ['/lib/systemd/systemd-journald'],
         working_directory: ['/'],
       },
-      zeek: null,
     },
   },
   {
@@ -1236,61 +998,27 @@ export const mockTimelineData: TimelineItem[] = [
     ],
     ecs: {
       _id: '29',
-      system: null,
       event: {
         action: ['user_login'],
-        category: null,
-        created: null,
         dataset: ['login'],
-        duration: null,
-        end: null,
-        hash: null,
-        id: null,
         kind: ['event'],
         module: ['system'],
-        original: null,
         outcome: ['failure'],
-        risk_score: null,
-        risk_score_norm: null,
-        severity: null,
-        start: null,
-        timezone: null,
-        type: null,
-      },
-      auditd: null,
-      file: null,
+      },
       host: {
         id: ['7c21f5ed03b04d0299569d221fe18bbc'],
         name: ['zeek-london'],
         ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'],
       },
       source: {
-        bytes: null,
         ip: ['128.199.212.120'],
-        packets: null,
-        port: null,
-        geo: null,
-      },
-      destination: null,
-      geo: null,
-      suricata: null,
-      network: null,
-      http: null,
-      tls: null,
-      url: null,
+      },
       user: {
         name: ['Braden'],
       },
       process: {
         pid: [6278],
-        name: null,
-        ppid: null,
-        args: null,
-        executable: null,
-        title: null,
-        working_directory: null,
-      },
-      zeek: null,
+      },
     },
   },
   {
@@ -1304,61 +1032,27 @@ export const mockTimelineData: TimelineItem[] = [
     ],
     ecs: {
       _id: '30',
-      system: null,
       event: {
         action: ['process_started'],
-        category: null,
-        created: null,
         dataset: ['login'],
-        duration: null,
-        end: null,
-        hash: null,
-        id: null,
         kind: ['event'],
         module: ['system'],
-        original: null,
         outcome: ['failure'],
-        risk_score: null,
-        risk_score_norm: null,
-        severity: null,
-        start: null,
-        timezone: null,
-        type: null,
-      },
-      auditd: null,
-      file: null,
+      },
       host: {
         id: ['7c21f5ed03b04d0299569d221fe18bbc'],
         name: ['zeek-london'],
         ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'],
       },
       source: {
-        bytes: null,
         ip: ['128.199.212.120'],
-        packets: null,
-        port: null,
-        geo: null,
-      },
-      destination: null,
-      geo: null,
-      suricata: null,
-      network: null,
-      http: null,
-      tls: null,
-      url: null,
+      },
       user: {
         name: ['Evan'],
       },
       process: {
         pid: [6278],
-        name: null,
-        ppid: null,
-        args: null,
-        executable: null,
-        title: null,
-        working_directory: null,
-      },
-      zeek: null,
+      },
     },
   },
   {
diff --git a/x-pack/plugins/security_solution/public/common/mock/netflow.ts b/x-pack/plugins/security_solution/public/common/mock/netflow.ts
index 4dad794533374..1c384ef9a4f63 100644
--- a/x-pack/plugins/security_solution/public/common/mock/netflow.ts
+++ b/x-pack/plugins/security_solution/public/common/mock/netflow.ts
@@ -5,7 +5,7 @@
  */
 
 import { ONE_MILLISECOND_AS_NANOSECONDS } from '../../timelines/components/formatted_duration/helpers';
-import { Ecs } from '../../graphql/types';
+import { Ecs } from '../../../common/ecs';
 
 /** Returns mock data for testing the Netflow component */
 export const getMockNetflowData = (): Ecs => ({
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx
index 3f95fd36b6010..678aaf06e50e4 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx
@@ -17,7 +17,7 @@ import {
   mockTimelineDetailsApollo,
 } from '../../../common/mock/';
 import { CreateTimeline, UpdateTimelineLoading } from './types';
-import { Ecs } from '../../../graphql/types';
+import { Ecs } from '../../../../common/ecs';
 import { TimelineId, TimelineType, TimelineStatus } from '../../../../common/types/timeline';
 
 jest.mock('apollo-client');
@@ -336,6 +336,7 @@ describe('alert actions', () => {
           signal: {
             rule: {
               ...mockEcsDataWithAlert.signal?.rule!,
+              // @ts-expect-error
               timeline_id: null,
             },
           },
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx
index 972a8aa4b0871..640726bb2e7c8 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx
@@ -11,19 +11,15 @@ import { get, getOr, isEmpty, find } from 'lodash/fp';
 import moment from 'moment';
 import { i18n } from '@kbn/i18n';
 
-import { TimelineId } from '../../../../common/types/timeline';
+import { TimelineId, TimelineStatus, TimelineType } from '../../../../common/types/timeline';
 import { updateAlertStatus } from '../../containers/detection_engine/alerts/api';
 import { SendAlertToTimelineActionProps, UpdateAlertStatusActionProps } from './types';
+import { Ecs } from '../../../../common/ecs';
+import { GetOneTimeline, TimelineResult, GetTimelineDetailsQuery } from '../../../graphql/types';
 import {
   TimelineNonEcsData,
-  GetOneTimeline,
-  TimelineResult,
-  Ecs,
-  TimelineStatus,
-  TimelineType,
-  GetTimelineDetailsQuery,
-  DetailItem,
-} from '../../../graphql/types';
+  TimelineEventsDetailsItem,
+} from '../../../../common/search_strategy/timeline';
 import { oneTimelineQuery } from '../../../timelines/containers/one/index.gql_query';
 import { timelineDefaults } from '../../../timelines/store/timeline/defaults';
 import {
@@ -122,7 +118,7 @@ export const getThresholdAggregationDataProvider = (
   ecsData: Ecs,
   nonEcsData: TimelineNonEcsData[]
 ): DataProvider[] => {
-  const aggregationField = ecsData.signal?.rule?.threshold.field;
+  const aggregationField = ecsData.signal?.rule?.threshold?.field!;
   const aggregationValue =
     get(aggregationField, ecsData) ?? find(['field', aggregationField], nonEcsData)?.value;
   const dataProviderValue = Array.isArray(aggregationValue)
@@ -139,7 +135,7 @@ export const getThresholdAggregationDataProvider = (
     {
       and: [],
       id: `send-alert-to-timeline-action-default-draggable-event-details-value-formatted-field-value-${TimelineId.active}-${aggregationFieldId}-${dataProviderValue}`,
-      name: ecsData.signal?.rule?.threshold.field,
+      name: aggregationField,
       enabled: true,
       excluded: false,
       kqlQuery: '',
@@ -189,7 +185,11 @@ export const sendAlertToTimelineAction = async ({
         }),
       ]);
       const resultingTimeline: TimelineResult = getOr({}, 'data.getOneTimeline', responseTimeline);
-      const eventData: DetailItem[] = getOr([], 'data.source.TimelineDetails.data', eventDataResp);
+      const eventData: TimelineEventsDetailsItem[] = getOr(
+        [],
+        'data.source.TimelineDetails.data',
+        eventDataResp
+      );
       if (!isEmpty(resultingTimeline)) {
         const timelineTemplate: TimelineResult = omitTypenameInTimeline(resultingTimeline);
         openAlertInBasicTimeline = false;
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/alerts_utility_bar/index.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/alerts_utility_bar/index.tsx
index bdad380f59ae9..30fcdc21d61e8 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/alerts_utility_bar/index.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/alerts_utility_bar/index.tsx
@@ -24,7 +24,7 @@ import {
 } from '../../../../common/components/utility_bar';
 import * as i18n from './translations';
 import { useUiSetting$ } from '../../../../common/lib/kibana';
-import { TimelineNonEcsData } from '../../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../../common/search_strategy/timeline';
 import { UpdateAlertsStatus } from '../types';
 import { FILTER_CLOSED, FILTER_IN_PROGRESS, FILTER_OPEN } from '../alerts_filter_group';
 
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx
index cbf0e08fef5cd..4559e44b8c3c5 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx
@@ -27,7 +27,8 @@ import { DEFAULT_ICON_BUTTON_WIDTH } from '../../../../timelines/components/time
 import { FILTER_OPEN, FILTER_CLOSED, FILTER_IN_PROGRESS } from '../alerts_filter_group';
 import { updateAlertStatusAction } from '../actions';
 import { SetEventsDeletedProps, SetEventsLoadingProps } from '../types';
-import { Ecs, TimelineNonEcsData } from '../../../../graphql/types';
+import { Ecs } from '../../../../../common/ecs';
+import { TimelineNonEcsData } from '../../../../../common/search_strategy/timeline';
 import {
   AddExceptionModal as AddExceptionModalComponent,
   AddExceptionModalBaseProps,
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/investigate_in_timeline_action.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/investigate_in_timeline_action.tsx
index f4080de5b4ba1..4ab5fa5e6012f 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/investigate_in_timeline_action.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/investigate_in_timeline_action.tsx
@@ -8,7 +8,8 @@ import React, { useCallback } from 'react';
 import { useDispatch } from 'react-redux';
 
 import { TimelineId } from '../../../../../common/types/timeline';
-import { TimelineNonEcsData, Ecs } from '../../../../../public/graphql/types';
+import { Ecs } from '../../../../../common/ecs';
+import { TimelineNonEcsData } from '../../../../../common/search_strategy/timeline';
 import { timelineActions } from '../../../../timelines/store/timeline';
 import { useApolloClient } from '../../../../common/utils/apollo_context';
 import { sendAlertToTimelineAction } from '../actions';
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/translations.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_table/translations.ts
index b4da0267d2ea5..50ac344eb2a2f 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/translations.ts
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/translations.ts
@@ -48,7 +48,7 @@ export const LOADING_ALERTS = i18n.translate(
 export const TOTAL_COUNT_OF_ALERTS = i18n.translate(
   'xpack.securitySolution.detectionEngine.alerts.totalCountOfAlertsTitle',
   {
-    defaultMessage: 'alerts match the search criteria',
+    defaultMessage: 'alerts',
   }
 );
 
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/types.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_table/types.ts
index f8b3cd6af8b8a..3dfdfe4c17e04 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/types.ts
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/types.ts
@@ -7,7 +7,9 @@
 import ApolloClient from 'apollo-client';
 
 import { Status } from '../../../../common/detection_engine/schemas/common/schemas';
-import { Ecs, NoteResult, TimelineNonEcsData } from '../../../graphql/types';
+import { Ecs } from '../../../../common/ecs';
+import { TimelineNonEcsData } from '../../../../common/search_strategy/timeline';
+import { NoteResult } from '../../../graphql/types';
 import { TimelineModel } from '../../../timelines/store/timeline/model';
 import { inputsModel } from '../../../common/store';
 
diff --git a/x-pack/plugins/security_solution/public/hosts/containers/hosts/index.tsx b/x-pack/plugins/security_solution/public/hosts/containers/hosts/index.tsx
index 958d62dfe9b6a..11b853e0ebeb0 100644
--- a/x-pack/plugins/security_solution/public/hosts/containers/hosts/index.tsx
+++ b/x-pack/plugins/security_solution/public/hosts/containers/hosts/index.tsx
@@ -87,17 +87,14 @@ export const useAllHost = ({
       direction,
       field: sortField,
     },
-    // inspect: isInspected,
   });
 
   const wrappedLoadMore = useCallback(
     (newActivePage: number) => {
-      setHostRequest((prevRequest) => {
-        return {
-          ...prevRequest,
-          pagination: generateTablePaginationOptions(newActivePage, limit),
-        };
-      });
+      setHostRequest((prevRequest) => ({
+        ...prevRequest,
+        pagination: generateTablePaginationOptions(newActivePage, limit),
+      }));
     },
     [limit]
   );
diff --git a/x-pack/plugins/security_solution/public/timelines/components/flyout/header/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/flyout/header/index.tsx
index 10f20eeacbcb0..a711e7a1d0442 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/flyout/header/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/flyout/header/index.tsx
@@ -129,8 +129,6 @@ const mapDispatchToProps = (dispatch: Dispatch, { timelineId }: OwnProps) => ({
     dispatch(timelineActions.updateDescription({ id, description })),
   updateIsFavorite: ({ id, isFavorite }: { id: string; isFavorite: boolean }) =>
     dispatch(timelineActions.updateIsFavorite({ id, isFavorite })),
-  updateIsLive: ({ id, isLive }: { id: string; isLive: boolean }) =>
-    dispatch(timelineActions.updateIsLive({ id, isLive })),
   updateNote: (note: Note) => dispatch(appActions.updateNote({ note })),
   updateTitle: ({ id, title }: { id: string; title: string }) =>
     dispatch(timelineActions.updateTitle({ id, title })),
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/column_headers/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/column_headers/index.tsx
index 120fc12b425f4..ea938be91abd1 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/column_headers/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/column_headers/index.tsx
@@ -5,7 +5,6 @@
  */
 
 import { EuiButtonIcon, EuiCheckbox, EuiToolTip } from '@elastic/eui';
-import { noop } from 'lodash/fp';
 import React, { useState, useEffect, useCallback, useMemo } from 'react';
 import { Droppable, DraggableChildrenFn } from 'react-beautiful-dnd';
 import deepEqual from 'fast-deep-equal';
@@ -26,7 +25,6 @@ import {
   OnColumnRemoved,
   OnColumnResized,
   OnColumnSorted,
-  OnFilterChange,
   OnSelectAll,
   OnUpdateColumns,
 } from '../../events';
@@ -57,7 +55,6 @@ interface Props {
   onColumnRemoved: OnColumnRemoved;
   onColumnResized: OnColumnResized;
   onColumnSorted: OnColumnSorted;
-  onFilterChange?: OnFilterChange;
   onSelectAll: OnSelectAll;
   onUpdateColumns: OnUpdateColumns;
   showEventsSelect: boolean;
@@ -111,7 +108,6 @@ export const ColumnHeadersComponent = ({
   onColumnSorted,
   onSelectAll,
   onUpdateColumns,
-  onFilterChange = noop,
   showEventsSelect,
   showSelectAllCheckbox,
   sort,
@@ -186,18 +182,16 @@ export const ColumnHeadersComponent = ({
           isDragging={draggingIndex === draggableIndex}
           onColumnRemoved={onColumnRemoved}
           onColumnSorted={onColumnSorted}
-          onFilterChange={onFilterChange}
           onColumnResized={onColumnResized}
           sort={sort}
         />
       )),
-    // eslint-disable-next-line react-hooks/exhaustive-deps
     [
       columnHeaders,
       timelineId,
       draggingIndex,
       onColumnRemoved,
-      onFilterChange,
+      onColumnSorted,
       onColumnResized,
       sort,
     ]
@@ -312,7 +306,6 @@ export const ColumnHeaders = React.memo(
     prevProps.onColumnSorted === nextProps.onColumnSorted &&
     prevProps.onSelectAll === nextProps.onSelectAll &&
     prevProps.onUpdateColumns === nextProps.onUpdateColumns &&
-    prevProps.onFilterChange === nextProps.onFilterChange &&
     prevProps.showEventsSelect === nextProps.showEventsSelect &&
     prevProps.showSelectAllCheckbox === nextProps.showSelectAllCheckbox &&
     prevProps.sort === nextProps.sort &&
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/data_driven_columns/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/data_driven_columns/index.tsx
index f4838f90a1e96..0d37f25d66e3f 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/data_driven_columns/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/data_driven_columns/index.tsx
@@ -7,7 +7,8 @@
 import React from 'react';
 import { getOr } from 'lodash/fp';
 
-import { Ecs, TimelineNonEcsData } from '../../../../../graphql/types';
+import { Ecs } from '../../../../../../common/ecs';
+import { TimelineNonEcsData } from '../../../../../../common/search_strategy/timeline';
 import { ColumnHeaderOptions } from '../../../../../timelines/store/timeline/model';
 import { OnColumnResized } from '../../events';
 import { EventsTd, EventsTdContent, EventsTdGroupData } from '../../styles';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/event_column_view.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/event_column_view.tsx
index f1d45d5458554..2c84a786d4432 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/event_column_view.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/event_column_view.tsx
@@ -8,7 +8,8 @@ import React, { useCallback, useMemo } from 'react';
 import uuid from 'uuid';
 import { useSelector, shallowEqual } from 'react-redux';
 
-import { TimelineNonEcsData, Ecs } from '../../../../../graphql/types';
+import { Ecs } from '../../../../../../common/ecs';
+import { TimelineNonEcsData } from '../../../../../../common/search_strategy/timeline';
 import { Note } from '../../../../../common/lib/note';
 import { ColumnHeaderOptions } from '../../../../../timelines/store/timeline/model';
 import { AssociateNote, UpdateNote } from '../../../notes/helpers';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/index.tsx
index 64d55f8cf6c6a..0fc097de680e8 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/index.tsx
@@ -8,7 +8,10 @@ import React from 'react';
 
 import { inputsModel } from '../../../../../common/store';
 import { BrowserFields, DocValueFields } from '../../../../../common/containers/source';
-import { TimelineItem, TimelineNonEcsData } from '../../../../../graphql/types';
+import {
+  TimelineItem,
+  TimelineNonEcsData,
+} from '../../../../../../common/search_strategy/timeline';
 import { ColumnHeaderOptions } from '../../../../../timelines/store/timeline/model';
 import { Note } from '../../../../../common/lib/note';
 import { AddNoteToEvent, UpdateNote } from '../../../notes/helpers';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/stateful_event.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/stateful_event.tsx
index 9691327f2c988..d8cc8ddd2f15a 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/stateful_event.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/stateful_event.tsx
@@ -9,11 +9,13 @@ import { useSelector } from 'react-redux';
 import uuid from 'uuid';
 import VisibilitySensor from 'react-visibility-sensor';
 
-import { TimelineId } from '../../../../../../common/types/timeline';
 import { BrowserFields, DocValueFields } from '../../../../../common/containers/source';
-import { useTimelineDetails } from '../../../../containers/details';
-import { TimelineItem, TimelineNonEcsData } from '../../../../../graphql/types';
-import { DetailItem } from '../../../../../../common/search_strategy/timeline';
+import { useTimelineEventsDetails } from '../../../../containers/details';
+import {
+  TimelineEventsDetailsItem,
+  TimelineItem,
+  TimelineNonEcsData,
+} from '../../../../../../common/search_strategy/timeline';
 import { Note } from '../../../../../common/lib/note';
 import { ColumnHeaderOptions, TimelineModel } from '../../../../../timelines/store/timeline/model';
 import { AddNoteToEvent, UpdateNote } from '../../../notes/helpers';
@@ -68,7 +70,7 @@ interface Props {
 
 export const getNewNoteId = (): string => uuid.v4();
 
-const emptyDetails: DetailItem[] = [];
+const emptyDetails: TimelineEventsDetailsItem[] = [];
 
 /**
  * This is the default row height whenever it is a plain row renderer and not a custom row height.
@@ -135,14 +137,14 @@ const StatefulEventComponent: React.FC<Props> = ({
   const [expanded, setExpanded] = useState<{ [eventId: string]: boolean }>({});
   const [showNotes, setShowNotes] = useState<{ [eventId: string]: boolean }>({});
   const { status: timelineStatus } = useSelector<StoreState, TimelineModel>(
-    (state) => state.timeline.timelineById[TimelineId.active]
+    (state) => state.timeline.timelineById[timelineId]
   );
   const divElement = useRef<HTMLDivElement | null>(null);
-  const [loading, detailsData] = useTimelineDetails({
+  const [loading, detailsData] = useTimelineEventsDetails({
     docValueFields,
     indexName: event._index!,
     eventId: event._id,
-    executeQuery: !!expanded[event._id],
+    skip: !expanded[event._id],
   });
 
   const onToggleShowNotes = useCallback(() => {
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/helpers.test.ts b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/helpers.test.ts
index f4dc691f3d059..7e438b9ee6ccc 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/helpers.test.ts
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/helpers.test.ts
@@ -4,8 +4,6 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { Ecs } from '../../../../graphql/types';
-
 import {
   eventHasNotes,
   eventIsPinned,
@@ -14,6 +12,7 @@ import {
   stringifyEvent,
   isInvestigateInResolverActionEnabled,
 } from './helpers';
+import { Ecs } from '../../../../../common/ecs';
 import { TimelineType } from '../../../../../common/types/timeline';
 
 describe('helpers', () => {
@@ -145,11 +144,7 @@ describe('helpers', () => {
       };
       const toStringify: Ecs = {
         _id: '4',
-        timestamp: null,
-        host: {
-          name: null,
-          ip: null,
-        },
+        host: {},
         event: {
           id: ['4'],
           category: ['theory'],
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/helpers.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/helpers.tsx
index 5753efa2bf1bb..824a37f72ba59 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/helpers.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/helpers.tsx
@@ -8,7 +8,8 @@ import React, { useCallback, useMemo } from 'react';
 import { get, isEmpty } from 'lodash/fp';
 import { useDispatch } from 'react-redux';
 
-import { Ecs, TimelineItem, TimelineNonEcsData } from '../../../../graphql/types';
+import { Ecs } from '../../../../../common/ecs';
+import { TimelineItem, TimelineNonEcsData } from '../../../../../common/search_strategy';
 import { updateTimelineGraphEventId } from '../../../store/timeline/actions';
 import { EventType } from '../../../store/timeline/model';
 import { OnPinEvent, OnUnPinEvent } from '../events';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/index.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/index.test.tsx
index 657e1617e8d24..23a449cca972d 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/index.test.tsx
@@ -9,7 +9,7 @@ import { useSelector } from 'react-redux';
 
 import '../../../../common/mock/match_media';
 import { mockBrowserFields } from '../../../../common/containers/source/mock';
-import { Direction } from '../../../../graphql/types';
+import { Direction } from '../../../../../common/search_strategy';
 import { defaultHeaders, mockTimelineData, mockTimelineModel } from '../../../../common/mock';
 import { TestProviders } from '../../../../common/mock/test_providers';
 
@@ -70,7 +70,6 @@ describe('Body', () => {
     onColumnRemoved: jest.fn(),
     onColumnResized: jest.fn(),
     onColumnSorted: jest.fn(),
-    onFilterChange: jest.fn(),
     onPinEvent: jest.fn(),
     onRowSelected: jest.fn(),
     onSelectAll: jest.fn(),
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/index.tsx
index 40cc12afde51d..58c87c086df6e 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/index.tsx
@@ -8,7 +8,7 @@ import React, { useMemo, useRef } from 'react';
 
 import { inputsModel } from '../../../../common/store';
 import { BrowserFields, DocValueFields } from '../../../../common/containers/source';
-import { TimelineItem, TimelineNonEcsData } from '../../../../graphql/types';
+import { TimelineItem, TimelineNonEcsData } from '../../../../../common/search_strategy';
 import { Note } from '../../../../common/lib/note';
 import { ColumnHeaderOptions, EventType } from '../../../../timelines/store/timeline/model';
 import { AddNoteToEvent, UpdateNote } from '../../notes/helpers';
@@ -16,7 +16,6 @@ import {
   OnColumnRemoved,
   OnColumnResized,
   OnColumnSorted,
-  OnFilterChange,
   OnPinEvent,
   OnRowSelected,
   OnSelectAll,
@@ -53,7 +52,6 @@ export interface BodyProps {
   onColumnSorted: OnColumnSorted;
   onRowSelected: OnRowSelected;
   onSelectAll: OnSelectAll;
-  onFilterChange: OnFilterChange;
   onPinEvent: OnPinEvent;
   onUpdateColumns: OnUpdateColumns;
   onUnPinEvent: OnUnPinEvent;
@@ -99,7 +97,6 @@ export const Body = React.memo<BodyProps>(
     onColumnSorted,
     onRowSelected,
     onSelectAll,
-    onFilterChange,
     onPinEvent,
     onUpdateColumns,
     onUnPinEvent,
@@ -157,7 +154,6 @@ export const Body = React.memo<BodyProps>(
               onColumnRemoved={onColumnRemoved}
               onColumnResized={onColumnResized}
               onColumnSorted={onColumnSorted}
-              onFilterChange={onFilterChange}
               onSelectAll={onSelectAll}
               onUpdateColumns={onUpdateColumns}
               showEventsSelect={false}
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/__snapshots__/generic_details.test.tsx.snap b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/__snapshots__/generic_details.test.tsx.snap
index cf953ccef8f8e..8dd7452b5d900 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/__snapshots__/generic_details.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/__snapshots__/generic_details.test.tsx.snap
@@ -3,7 +3,6 @@
 exports[`GenericDetails rendering it renders the default AuditAcquiredCredsDetails 1`] = `
 <Details>
   <AuditdGenericLine
-    args={null}
     contextId="contextid-123"
     hostName="suricata-bangalore"
     id="22"
@@ -53,7 +52,6 @@ exports[`GenericDetails rendering it renders the default AuditAcquiredCredsDetai
             "how": Array [
               "/usr/sbin/sshd",
             ],
-            "message_type": null,
             "object": Object {
               "primary": Array [
                 "ssh",
@@ -65,10 +63,8 @@ exports[`GenericDetails rendering it renders the default AuditAcquiredCredsDetai
                 "user-session",
               ],
             },
-            "sequence": null,
           },
         },
-        "destination": null,
         "event": Object {
           "action": Array [
             "disposed-credentials",
@@ -76,14 +72,10 @@ exports[`GenericDetails rendering it renders the default AuditAcquiredCredsDetai
           "category": Array [
             "user-login",
           ],
-          "dataset": null,
-          "id": null,
           "module": Array [
             "auditd",
           ],
-          "severity": null,
         },
-        "geo": null,
         "host": Object {
           "id": Array [
             "0a63559c1acf4c419d979c4b4d8b83ff",
@@ -97,31 +89,20 @@ exports[`GenericDetails rendering it renders the default AuditAcquiredCredsDetai
             "suricata-bangalore",
           ],
         },
-        "http": null,
-        "network": null,
         "process": Object {
-          "args": null,
           "executable": Array [
             "/usr/sbin/sshd",
           ],
-          "name": null,
           "pid": Array [
             21202,
           ],
-          "ppid": null,
-          "title": null,
-          "working_directory": null,
         },
-        "source": null,
-        "suricata": null,
         "timestamp": "2019-03-13T03:35:21.614Z",
-        "url": null,
         "user": Object {
           "name": Array [
             "root",
           ],
         },
-        "zeek": null,
       }
     }
     timelineId="test"
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/__snapshots__/generic_file_details.test.tsx.snap b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/__snapshots__/generic_file_details.test.tsx.snap
index f6fbc771c954a..c811d0d7efece 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/__snapshots__/generic_file_details.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/__snapshots__/generic_file_details.test.tsx.snap
@@ -3,7 +3,6 @@
 exports[`GenericFileDetails rendering it renders the default GenericFileDetails 1`] = `
 <Details>
   <AuditdGenericFileLine
-    args={null}
     contextId="contextid-123"
     fileIcon="document"
     filePath="/proc/15990/attr/current"
@@ -29,7 +28,6 @@ exports[`GenericFileDetails rendering it renders the default GenericFileDetails
       Object {
         "_id": "28",
         "auditd": Object {
-          "data": null,
           "result": Array [
             "success",
           ],
@@ -48,20 +46,16 @@ exports[`GenericFileDetails rendering it renders the default GenericFileDetails
             "how": Array [
               "/lib/systemd/systemd-journald",
             ],
-            "message_type": null,
             "object": Object {
               "primary": Array [
                 "/proc/15990/attr/current",
               ],
-              "secondary": null,
               "type": Array [
                 "file",
               ],
             },
-            "sequence": null,
           },
         },
-        "destination": null,
         "event": Object {
           "action": Array [
             "opened-file",
@@ -69,19 +63,14 @@ exports[`GenericFileDetails rendering it renders the default GenericFileDetails
           "category": Array [
             "audit-rule",
           ],
-          "dataset": null,
-          "id": null,
           "module": Array [
             "auditd",
           ],
-          "severity": null,
         },
         "file": Object {
-          "ctime": null,
           "device": Array [
             "00:00",
           ],
-          "extension": null,
           "gid": Array [
             "0",
           ],
@@ -94,21 +83,16 @@ exports[`GenericFileDetails rendering it renders the default GenericFileDetails
           "mode": Array [
             "0666",
           ],
-          "mtime": null,
           "owner": Array [
             "root",
           ],
           "path": Array [
             "/proc/15990/attr/current",
           ],
-          "size": null,
-          "target_path": null,
-          "type": null,
           "uid": Array [
             "0",
           ],
         },
-        "geo": null,
         "host": Object {
           "id": Array [
             "7c21f5ed03b04d0299569d221fe18bbc",
@@ -122,10 +106,7 @@ exports[`GenericFileDetails rendering it renders the default GenericFileDetails
             "zeek-london",
           ],
         },
-        "http": null,
-        "network": null,
         "process": Object {
-          "args": null,
           "executable": Array [
             "/lib/systemd/systemd-journald",
           ],
@@ -145,16 +126,12 @@ exports[`GenericFileDetails rendering it renders the default GenericFileDetails
             "/",
           ],
         },
-        "source": null,
-        "suricata": null,
         "timestamp": "2019-03-26T22:12:18.609Z",
-        "url": null,
         "user": Object {
           "name": Array [
             "root",
           ],
         },
-        "zeek": null,
       }
     }
     timelineId="test"
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/__snapshots__/generic_row_renderer.test.tsx.snap b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/__snapshots__/generic_row_renderer.test.tsx.snap
index 784924e896673..63b65d3cf36be 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/__snapshots__/generic_row_renderer.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/__snapshots__/generic_row_renderer.test.tsx.snap
@@ -10,7 +10,6 @@ exports[`GenericRowRenderer #createGenericAuditRowRenderer renders correctly aga
         Object {
           "_id": "27",
           "auditd": Object {
-            "data": null,
             "result": Array [
               "success",
             ],
@@ -29,7 +28,6 @@ exports[`GenericRowRenderer #createGenericAuditRowRenderer renders correctly aga
               "how": Array [
                 "/usr/bin/wget",
               ],
-              "message_type": null,
               "object": Object {
                 "primary": Array [
                   "192.168.216.34",
@@ -41,7 +39,6 @@ exports[`GenericRowRenderer #createGenericAuditRowRenderer renders correctly aga
                   "socket",
                 ],
               },
-              "sequence": null,
             },
           },
           "destination": Object {
@@ -59,14 +56,10 @@ exports[`GenericRowRenderer #createGenericAuditRowRenderer renders correctly aga
             "category": Array [
               "audit-rule",
             ],
-            "dataset": null,
-            "id": null,
             "module": Array [
               "auditd",
             ],
-            "severity": null,
           },
-          "geo": null,
           "host": Object {
             "id": Array [
               "7c21f5ed03b04d0299569d221fe18bbc",
@@ -80,10 +73,7 @@ exports[`GenericRowRenderer #createGenericAuditRowRenderer renders correctly aga
               "zeek-london",
             ],
           },
-          "http": null,
-          "network": null,
           "process": Object {
-            "args": null,
             "executable": Array [
               "/usr/bin/wget",
             ],
@@ -99,18 +89,13 @@ exports[`GenericRowRenderer #createGenericAuditRowRenderer renders correctly aga
             "title": Array [
               "wget www.example.com",
             ],
-            "working_directory": null,
           },
-          "source": null,
-          "suricata": null,
           "timestamp": "2019-03-22T19:13:11.026Z",
-          "url": null,
           "user": Object {
             "name": Array [
               "alice",
             ],
           },
-          "zeek": null,
         }
       }
       text="connected using"
@@ -130,7 +115,6 @@ exports[`GenericRowRenderer #createGenericFileRowRenderer renders correctly agai
         Object {
           "_id": "28",
           "auditd": Object {
-            "data": null,
             "result": Array [
               "success",
             ],
@@ -149,20 +133,16 @@ exports[`GenericRowRenderer #createGenericFileRowRenderer renders correctly agai
               "how": Array [
                 "/lib/systemd/systemd-journald",
               ],
-              "message_type": null,
               "object": Object {
                 "primary": Array [
                   "/proc/15990/attr/current",
                 ],
-                "secondary": null,
                 "type": Array [
                   "file",
                 ],
               },
-              "sequence": null,
             },
           },
-          "destination": null,
           "event": Object {
             "action": Array [
               "opened-file",
@@ -170,19 +150,14 @@ exports[`GenericRowRenderer #createGenericFileRowRenderer renders correctly agai
             "category": Array [
               "audit-rule",
             ],
-            "dataset": null,
-            "id": null,
             "module": Array [
               "auditd",
             ],
-            "severity": null,
           },
           "file": Object {
-            "ctime": null,
             "device": Array [
               "00:00",
             ],
-            "extension": null,
             "gid": Array [
               "0",
             ],
@@ -195,21 +170,16 @@ exports[`GenericRowRenderer #createGenericFileRowRenderer renders correctly agai
             "mode": Array [
               "0666",
             ],
-            "mtime": null,
             "owner": Array [
               "root",
             ],
             "path": Array [
               "/proc/15990/attr/current",
             ],
-            "size": null,
-            "target_path": null,
-            "type": null,
             "uid": Array [
               "0",
             ],
           },
-          "geo": null,
           "host": Object {
             "id": Array [
               "7c21f5ed03b04d0299569d221fe18bbc",
@@ -223,10 +193,7 @@ exports[`GenericRowRenderer #createGenericFileRowRenderer renders correctly agai
               "zeek-london",
             ],
           },
-          "http": null,
-          "network": null,
           "process": Object {
-            "args": null,
             "executable": Array [
               "/lib/systemd/systemd-journald",
             ],
@@ -246,16 +213,12 @@ exports[`GenericRowRenderer #createGenericFileRowRenderer renders correctly agai
               "/",
             ],
           },
-          "source": null,
-          "suricata": null,
           "timestamp": "2019-03-26T22:12:18.609Z",
-          "url": null,
           "user": Object {
             "name": Array [
               "root",
             ],
           },
-          "zeek": null,
         }
       }
       fileIcon="document"
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_details.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_details.tsx
index 1e82519285da3..f1e8a5aafee7d 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_details.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_details.tsx
@@ -9,7 +9,7 @@ import { get } from 'lodash/fp';
 import React from 'react';
 
 import { BrowserFields } from '../../../../../../common/containers/source';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 import { DraggableBadge } from '../../../../../../common/components/draggables';
 
 import * as i18n from './translations';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_file_details.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_file_details.tsx
index d9149bae89190..ea3f20c2816db 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_file_details.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_file_details.tsx
@@ -9,7 +9,7 @@ import { get } from 'lodash/fp';
 import React from 'react';
 
 import { BrowserFields } from '../../../../../../common/containers/source';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 import { DraggableBadge } from '../../../../../../common/components/draggables';
 
 import * as i18n from './translations';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_row_renderer.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_row_renderer.test.tsx
index 1e314c0ebd281..415124d400446 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_row_renderer.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_row_renderer.test.tsx
@@ -10,7 +10,7 @@ import React from 'react';
 
 import { BrowserFields } from '../../../../../../common/containers/source';
 import { mockBrowserFields } from '../../../../../../common/containers/source/mock';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 import { mockTimelineData, TestProviders } from '../../../../../../common/mock';
 import { useMountAppended } from '../../../../../../common/utils/use_mount_appended';
 import { RowRenderer } from '../row_renderer';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/column_renderer.ts b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/column_renderer.ts
index 4a89fea8c5106..c462841f7ea38 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/column_renderer.ts
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/column_renderer.ts
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { TimelineNonEcsData } from '../../../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../../../common/search_strategy/timeline';
 import { ColumnHeaderOptions } from '../../../../../timelines/store/timeline/model';
 
 export interface ColumnRenderer {
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/dns/dns_request_event_details.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/dns/dns_request_event_details.tsx
index 74ed5b2a6587f..7b89626467c11 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/dns/dns_request_event_details.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/dns/dns_request_event_details.tsx
@@ -10,7 +10,7 @@ import React from 'react';
 
 import { BrowserFields } from '../../../../../../common/containers/source';
 import { Details } from '../helpers';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 import { NetflowRenderer } from '../netflow';
 
 import { DnsRequestEventDetailsLine } from './dns_request_event_details_line';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/empty_column_renderer.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/empty_column_renderer.test.tsx
index 6c9dd5092e7c1..b614f93f6c02d 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/empty_column_renderer.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/empty_column_renderer.test.tsx
@@ -8,7 +8,7 @@ import { shallow } from 'enzyme';
 import { cloneDeep } from 'lodash/fp';
 import React from 'react';
 
-import { TimelineNonEcsData } from '../../../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../../../common/search_strategy/timeline';
 import { defaultHeaders, mockTimelineData, TestProviders } from '../../../../../common/mock';
 import '../../../../../common/mock/match_media';
 import { useMountAppended } from '../../../../../common/utils/use_mount_appended';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/empty_column_renderer.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/empty_column_renderer.tsx
index 5ffaa2898f63a..59eedd0cc9ffe 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/empty_column_renderer.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/empty_column_renderer.tsx
@@ -8,7 +8,7 @@
 
 import React from 'react';
 
-import { TimelineNonEcsData } from '../../../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../../../common/search_strategy/timeline';
 import { ColumnHeaderOptions } from '../../../../../timelines/store/timeline/model';
 import {
   DraggableWrapper,
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/endgame/endgame_security_event_details.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/endgame/endgame_security_event_details.tsx
index 11580e2536ff7..00846e7cc34af 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/endgame/endgame_security_event_details.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/endgame/endgame_security_event_details.tsx
@@ -9,7 +9,7 @@ import { get } from 'lodash/fp';
 import React from 'react';
 
 import { BrowserFields } from '../../../../../../common/containers/source';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 import { NetflowRenderer } from '../netflow';
 
 import { EndgameSecurityEventDetailsLine } from './endgame_security_event_details_line';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_column_renderer.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_column_renderer.test.tsx
index d1ed5e86e72e5..2a8f72aeaf2a4 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_column_renderer.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_column_renderer.test.tsx
@@ -9,7 +9,7 @@ import { cloneDeep } from 'lodash/fp';
 import React from 'react';
 
 import '../../../../../common/mock/match_media';
-import { TimelineNonEcsData } from '../../../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../../../common/search_strategy/timeline';
 import { mockTimelineData } from '../../../../../common/mock';
 import { TestProviders } from '../../../../../common/mock/test_providers';
 import { getEmptyValue } from '../../../../../common/components/empty_value';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_column_renderer.ts b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_column_renderer.ts
index e456e8c9f02f6..9bba170a34405 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_column_renderer.ts
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_column_renderer.ts
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { TimelineNonEcsData } from '../../../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../../../common/search_strategy/timeline';
 import { ColumnRenderer } from './column_renderer';
 
 const unhandledColumnRenderer = (): never => {
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_row_renderer.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_row_renderer.test.tsx
index 0c7fbd08ba98c..52b9b9a31fc99 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_row_renderer.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_row_renderer.test.tsx
@@ -10,7 +10,7 @@ import React from 'react';
 
 import '../../../../../common/mock/match_media';
 import { mockBrowserFields } from '../../../../../common/containers/source/mock';
-import { Ecs } from '../../../../../graphql/types';
+import { Ecs } from '../../../../../../common/ecs';
 import { mockTimelineData } from '../../../../../common/mock';
 import { TestProviders } from '../../../../../common/mock/test_providers';
 import { useMountAppended } from '../../../../../common/utils/use_mount_appended';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_row_renderer.ts b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_row_renderer.ts
index 778246aeb1815..779d54216e26c 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_row_renderer.ts
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_row_renderer.ts
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { Ecs } from '../../../../../graphql/types';
+import { Ecs } from '../../../../../../common/ecs';
 import { RowRenderer } from './row_renderer';
 
 const unhandledRowRenderer = (): never => {
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/helpers.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/helpers.test.tsx
index 162db69416b53..7cccae2f474c2 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/helpers.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/helpers.test.tsx
@@ -6,7 +6,7 @@
 
 import { cloneDeep } from 'lodash/fp';
 
-import { TimelineNonEcsData } from '../../../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../../../common/search_strategy/timeline';
 import { mockTimelineData } from '../../../../../common/mock';
 import {
   deleteItemIdx,
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/helpers.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/helpers.tsx
index 16c2f989a8107..8042a66cd5428 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/helpers.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/helpers.tsx
@@ -8,7 +8,7 @@ import { EuiFlexItem } from '@elastic/eui';
 import { isNumber, isEmpty } from 'lodash/fp';
 import styled from 'styled-components';
 
-import { TimelineNonEcsData } from '../../../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../../../common/search_strategy/timeline';
 
 export const deleteItemIdx = (data: TimelineNonEcsData[], idx: number) => [
   ...data.slice(0, idx),
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/netflow.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/netflow.tsx
index 0492450df5134..ddd427bf9ca06 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/netflow.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/netflow.tsx
@@ -7,7 +7,7 @@
 import { get } from 'lodash/fp';
 import React from 'react';
 
-import { Ecs } from '../../../../../graphql/types';
+import { Ecs } from '../../../../../../common/ecs';
 import { asArrayIfExists } from '../../../../../common/lib/helpers';
 import {
   TLS_CLIENT_CERTIFICATE_FINGERPRINT_SHA1_FIELD_NAME,
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/netflow/netflow_row_renderer.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/netflow/netflow_row_renderer.test.tsx
index 8a8b40198bdba..3528081a20f6b 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/netflow/netflow_row_renderer.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/netflow/netflow_row_renderer.test.tsx
@@ -10,7 +10,7 @@ import React from 'react';
 import '../../../../../../common/mock/match_media';
 import { BrowserFields } from '../../../../../../common/containers/source';
 import { mockBrowserFields } from '../../../../../../common/containers/source/mock';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 import { getMockNetflowData, TestProviders } from '../../../../../../common/mock';
 import { useMountAppended } from '../../../../../../common/utils/use_mount_appended';
 
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/plain_column_renderer.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/plain_column_renderer.test.tsx
index 9199278c57f7a..0d0b011c0b438 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/plain_column_renderer.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/plain_column_renderer.test.tsx
@@ -9,7 +9,7 @@ import { cloneDeep } from 'lodash/fp';
 import React from 'react';
 
 import '../../../../../common/mock/match_media';
-import { TimelineNonEcsData } from '../../../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../../../common/search_strategy/timeline';
 import { defaultHeaders, mockTimelineData, TestProviders } from '../../../../../common/mock';
 import { getEmptyValue } from '../../../../../common/components/empty_value';
 import { useMountAppended } from '../../../../../common/utils/use_mount_appended';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/plain_column_renderer.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/plain_column_renderer.tsx
index 989c8015b796d..013ea1d6abb83 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/plain_column_renderer.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/plain_column_renderer.tsx
@@ -7,7 +7,7 @@
 import { head } from 'lodash/fp';
 import React from 'react';
 
-import { TimelineNonEcsData } from '../../../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../../../common/search_strategy/timeline';
 import { ColumnHeaderOptions } from '../../../../../timelines/store/timeline/model';
 import { getEmptyTagValue } from '../../../../../common/components/empty_value';
 import { ColumnRenderer } from './column_renderer';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/plain_row_renderer.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/plain_row_renderer.test.tsx
index 82d42988ef34f..a914d31ff93c5 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/plain_row_renderer.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/plain_row_renderer.test.tsx
@@ -11,7 +11,7 @@ import React from 'react';
 import { ThemeProvider } from 'styled-components';
 
 import { mockBrowserFields } from '../../../../../common/containers/source/mock';
-import { Ecs } from '../../../../../graphql/types';
+import { Ecs } from '../../../../../../common/ecs';
 import { mockTimelineData } from '../../../../../common/mock';
 import { plainRowRenderer } from './plain_row_renderer';
 
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/row_renderer.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/row_renderer.tsx
index 609e9dba1a46e..c4f8d35a5544f 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/row_renderer.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/row_renderer.tsx
@@ -8,7 +8,7 @@ import React from 'react';
 
 import { BrowserFields } from '../../../../../common/containers/source';
 import type { RowRendererId } from '../../../../../../common/types/timeline';
-import { Ecs } from '../../../../../graphql/types';
+import { Ecs } from '../../../../../../common/ecs';
 import { EventsTrSupplement } from '../../styles';
 
 interface RowRendererContainerProps {
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/suricata/suricata_details.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/suricata/suricata_details.tsx
index c21b609a0f91e..891780d7df520 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/suricata/suricata_details.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/suricata/suricata_details.tsx
@@ -10,7 +10,7 @@ import React from 'react';
 import styled from 'styled-components';
 
 import { BrowserFields } from '../../../../../../common/containers/source';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 
 import { NetflowRenderer } from '../netflow';
 import { SuricataSignature } from './suricata_signature';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/suricata/suricata_row_renderer.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/suricata/suricata_row_renderer.test.tsx
index 7d700732a6409..bed2171715380 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/suricata/suricata_row_renderer.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/suricata/suricata_row_renderer.test.tsx
@@ -9,7 +9,7 @@ import { cloneDeep } from 'lodash/fp';
 import React from 'react';
 
 import { mockBrowserFields } from '../../../../../../common/containers/source/mock';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 import { mockTimelineData } from '../../../../../../common/mock';
 import '../../../../../../common/mock/match_media';
 import { TestProviders } from '../../../../../../common/mock/test_providers';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/__snapshots__/generic_details.test.tsx.snap b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/__snapshots__/generic_details.test.tsx.snap
index 177a3531e5d7b..3952f05d34d25 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/__snapshots__/generic_details.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/__snapshots__/generic_details.test.tsx.snap
@@ -19,40 +19,23 @@ exports[`SystemGenericDetails rendering it renders the default SystemGenericDeta
     data={
       Object {
         "_id": "29",
-        "auditd": null,
-        "destination": null,
         "event": Object {
           "action": Array [
             "user_login",
           ],
-          "category": null,
-          "created": null,
           "dataset": Array [
             "login",
           ],
-          "duration": null,
-          "end": null,
-          "hash": null,
-          "id": null,
           "kind": Array [
             "event",
           ],
           "module": Array [
             "system",
           ],
-          "original": null,
           "outcome": Array [
             "failure",
           ],
-          "risk_score": null,
-          "risk_score_norm": null,
-          "severity": null,
-          "start": null,
-          "timezone": null,
-          "type": null,
         },
-        "file": null,
-        "geo": null,
         "host": Object {
           "id": Array [
             "7c21f5ed03b04d0299569d221fe18bbc",
@@ -66,38 +49,21 @@ exports[`SystemGenericDetails rendering it renders the default SystemGenericDeta
             "zeek-london",
           ],
         },
-        "http": null,
-        "network": null,
         "process": Object {
-          "args": null,
-          "executable": null,
-          "name": null,
           "pid": Array [
             6278,
           ],
-          "ppid": null,
-          "title": null,
-          "working_directory": null,
         },
         "source": Object {
-          "bytes": null,
-          "geo": null,
           "ip": Array [
             "128.199.212.120",
           ],
-          "packets": null,
-          "port": null,
         },
-        "suricata": null,
-        "system": null,
-        "tls": null,
-        "url": null,
         "user": Object {
           "name": Array [
             "Braden",
           ],
         },
-        "zeek": null,
       }
     }
     timelineId="test"
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/__snapshots__/generic_file_details.test.tsx.snap b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/__snapshots__/generic_file_details.test.tsx.snap
index 19b7f8b6f77c6..8045ce95ca272 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/__snapshots__/generic_file_details.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/__snapshots__/generic_file_details.test.tsx.snap
@@ -3,7 +3,6 @@
 exports[`SystemGenericFileDetails rendering it renders the default SystemGenericDetails 1`] = `
 <Details>
   <SystemGenericFileLine
-    args={null}
     contextId="[contextid-123]"
     eventAction="process_started"
     hostName="zeek-london"
@@ -22,40 +21,23 @@ exports[`SystemGenericFileDetails rendering it renders the default SystemGeneric
     data={
       Object {
         "_id": "30",
-        "auditd": null,
-        "destination": null,
         "event": Object {
           "action": Array [
             "process_started",
           ],
-          "category": null,
-          "created": null,
           "dataset": Array [
             "login",
           ],
-          "duration": null,
-          "end": null,
-          "hash": null,
-          "id": null,
           "kind": Array [
             "event",
           ],
           "module": Array [
             "system",
           ],
-          "original": null,
           "outcome": Array [
             "failure",
           ],
-          "risk_score": null,
-          "risk_score_norm": null,
-          "severity": null,
-          "start": null,
-          "timezone": null,
-          "type": null,
         },
-        "file": null,
-        "geo": null,
         "host": Object {
           "id": Array [
             "7c21f5ed03b04d0299569d221fe18bbc",
@@ -69,38 +51,21 @@ exports[`SystemGenericFileDetails rendering it renders the default SystemGeneric
             "zeek-london",
           ],
         },
-        "http": null,
-        "network": null,
         "process": Object {
-          "args": null,
-          "executable": null,
-          "name": null,
           "pid": Array [
             6278,
           ],
-          "ppid": null,
-          "title": null,
-          "working_directory": null,
         },
         "source": Object {
-          "bytes": null,
-          "geo": null,
           "ip": Array [
             "128.199.212.120",
           ],
-          "packets": null,
-          "port": null,
         },
-        "suricata": null,
-        "system": null,
-        "tls": null,
-        "url": null,
         "user": Object {
           "name": Array [
             "Evan",
           ],
         },
-        "zeek": null,
       }
     }
     timelineId="test"
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/__snapshots__/generic_row_renderer.test.tsx.snap b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/__snapshots__/generic_row_renderer.test.tsx.snap
index 6fff32925abf3..d2c405a46acf8 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/__snapshots__/generic_row_renderer.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/__snapshots__/generic_row_renderer.test.tsx.snap
@@ -9,40 +9,23 @@ exports[`GenericRowRenderer #createGenericFileRowRenderer renders correctly agai
       data={
         Object {
           "_id": "29",
-          "auditd": null,
-          "destination": null,
           "event": Object {
             "action": Array [
               "user_login",
             ],
-            "category": null,
-            "created": null,
             "dataset": Array [
               "login",
             ],
-            "duration": null,
-            "end": null,
-            "hash": null,
-            "id": null,
             "kind": Array [
               "event",
             ],
             "module": Array [
               "system",
             ],
-            "original": null,
             "outcome": Array [
               "failure",
             ],
-            "risk_score": null,
-            "risk_score_norm": null,
-            "severity": null,
-            "start": null,
-            "timezone": null,
-            "type": null,
           },
-          "file": null,
-          "geo": null,
           "host": Object {
             "id": Array [
               "7c21f5ed03b04d0299569d221fe18bbc",
@@ -56,38 +39,21 @@ exports[`GenericRowRenderer #createGenericFileRowRenderer renders correctly agai
               "zeek-london",
             ],
           },
-          "http": null,
-          "network": null,
           "process": Object {
-            "args": null,
-            "executable": null,
-            "name": null,
             "pid": Array [
               6278,
             ],
-            "ppid": null,
-            "title": null,
-            "working_directory": null,
           },
           "source": Object {
-            "bytes": null,
-            "geo": null,
             "ip": Array [
               "128.199.212.120",
             ],
-            "packets": null,
-            "port": null,
           },
-          "suricata": null,
-          "system": null,
-          "tls": null,
-          "url": null,
           "user": Object {
             "name": Array [
               "Braden",
             ],
           },
-          "zeek": null,
         }
       }
       text="some text"
@@ -106,40 +72,23 @@ exports[`GenericRowRenderer #createGenericSystemRowRenderer renders correctly ag
       data={
         Object {
           "_id": "30",
-          "auditd": null,
-          "destination": null,
           "event": Object {
             "action": Array [
               "process_started",
             ],
-            "category": null,
-            "created": null,
             "dataset": Array [
               "login",
             ],
-            "duration": null,
-            "end": null,
-            "hash": null,
-            "id": null,
             "kind": Array [
               "event",
             ],
             "module": Array [
               "system",
             ],
-            "original": null,
             "outcome": Array [
               "failure",
             ],
-            "risk_score": null,
-            "risk_score_norm": null,
-            "severity": null,
-            "start": null,
-            "timezone": null,
-            "type": null,
           },
-          "file": null,
-          "geo": null,
           "host": Object {
             "id": Array [
               "7c21f5ed03b04d0299569d221fe18bbc",
@@ -153,38 +102,21 @@ exports[`GenericRowRenderer #createGenericSystemRowRenderer renders correctly ag
               "zeek-london",
             ],
           },
-          "http": null,
-          "network": null,
           "process": Object {
-            "args": null,
-            "executable": null,
-            "name": null,
             "pid": Array [
               6278,
             ],
-            "ppid": null,
-            "title": null,
-            "working_directory": null,
           },
           "source": Object {
-            "bytes": null,
-            "geo": null,
             "ip": Array [
               "128.199.212.120",
             ],
-            "packets": null,
-            "port": null,
           },
-          "suricata": null,
-          "system": null,
-          "tls": null,
-          "url": null,
           "user": Object {
             "name": Array [
               "Evan",
             ],
           },
-          "zeek": null,
         }
       }
       text="some text"
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/generic_details.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/generic_details.tsx
index e849732d07f6f..2c7920ce4f1aa 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/generic_details.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/generic_details.tsx
@@ -9,7 +9,7 @@ import { get } from 'lodash/fp';
 import React from 'react';
 
 import { BrowserFields } from '../../../../../../common/containers/source';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 import { DraggableBadge } from '../../../../../../common/components/draggables';
 import { OverflowField } from '../../../../../../common/components/tables/helpers';
 
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/generic_file_details.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/generic_file_details.tsx
index 3a95c0ea927c8..56c48d4ad9a18 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/generic_file_details.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/generic_file_details.tsx
@@ -9,7 +9,7 @@ import { get } from 'lodash/fp';
 import React from 'react';
 
 import { BrowserFields } from '../../../../../../common/containers/source';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 import { DraggableBadge } from '../../../../../../common/components/draggables';
 import { OverflowField } from '../../../../../../common/components/tables/helpers';
 
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/generic_row_renderer.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/generic_row_renderer.test.tsx
index bb997b9689270..6c2e9ad7535a1 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/generic_row_renderer.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/generic_row_renderer.test.tsx
@@ -10,7 +10,7 @@ import React from 'react';
 
 import { BrowserFields } from '../../../../../../common/containers/source';
 import { mockBrowserFields } from '../../../../../../common/containers/source/mock';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 import {
   mockDnsEvent,
   mockFimFileCreatedEvent,
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/unknown_column_renderer.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/unknown_column_renderer.test.tsx
index 856b7ca570f3c..0f4f8d1539a9e 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/unknown_column_renderer.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/unknown_column_renderer.test.tsx
@@ -10,7 +10,7 @@ import { cloneDeep } from 'lodash';
 import React from 'react';
 import { ThemeProvider } from 'styled-components';
 
-import { TimelineNonEcsData } from '../../../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../../../common/search_strategy/timeline';
 import { defaultHeaders, mockTimelineData } from '../../../../../common/mock';
 import { getEmptyValue } from '../../../../../common/components/empty_value';
 import { unknownColumnRenderer } from './unknown_column_renderer';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_details.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_details.tsx
index 4f991429d6a4d..8b691ad557d89 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_details.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_details.tsx
@@ -9,7 +9,7 @@ import React from 'react';
 import styled from 'styled-components';
 
 import { BrowserFields } from '../../../../../../common/containers/source';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 
 import { NetflowRenderer } from '../netflow';
 import { ZeekSignature } from './zeek_signature';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_row_renderer.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_row_renderer.test.tsx
index 23c38f83b89d4..9c08fbacafcdc 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_row_renderer.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_row_renderer.test.tsx
@@ -9,7 +9,7 @@ import { cloneDeep } from 'lodash/fp';
 import React from 'react';
 
 import { mockBrowserFields } from '../../../../../../common/containers/source/mock';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 import { mockTimelineData, TestProviders } from '../../../../../../common/mock';
 import '../../../../../../common/mock/match_media';
 import { useMountAppended } from '../../../../../../common/utils/use_mount_appended';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_signature.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_signature.test.tsx
index 3b1ce431bfc87..efa22cb2c5617 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_signature.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_signature.test.tsx
@@ -9,7 +9,7 @@ import { cloneDeep } from 'lodash/fp';
 import React from 'react';
 
 import '../../../../../../common/mock/match_media';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 import { mockTimelineData, TestProviders } from '../../../../../../common/mock';
 import { useMountAppended } from '../../../../../../common/utils/use_mount_appended';
 import {
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_signature.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_signature.tsx
index 74f75a0a73386..07e32a9a4e5d1 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_signature.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_signature.tsx
@@ -9,7 +9,7 @@ import { get } from 'lodash/fp';
 import React from 'react';
 import styled from 'styled-components';
 
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 import {
   DragEffects,
   DraggableWrapper,
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/stateful_body.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/stateful_body.tsx
index 9b7b896a2ec69..ef5689f494cd0 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/stateful_body.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/stateful_body.tsx
@@ -4,7 +4,6 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { noop } from 'lodash/fp';
 import memoizeOne from 'memoize-one';
 import React, { useCallback, useEffect, useMemo } from 'react';
 import { connect, ConnectedProps } from 'react-redux';
@@ -12,7 +11,7 @@ import deepEqual from 'fast-deep-equal';
 
 import { RowRendererId, TimelineId } from '../../../../../common/types/timeline';
 import { BrowserFields, DocValueFields } from '../../../../common/containers/source';
-import { TimelineItem } from '../../../../graphql/types';
+import { TimelineItem } from '../../../../../common/search_strategy/timeline';
 import { Note } from '../../../../common/lib/note';
 import { appSelectors, inputsModel, State } from '../../../../common/store';
 import { appActions } from '../../../../common/store/actions';
@@ -209,7 +208,6 @@ const StatefulBodyComponent = React.memo<StatefulBodyComponentProps>(
         onColumnSorted={onColumnSorted}
         onRowSelected={onRowSelected}
         onSelectAll={onSelectAll}
-        onFilterChange={noop} // TODO: this is the callback for column filters, which is out scope for this phase of delivery
         onPinEvent={onPinEvent}
         onUnPinEvent={onUnPinEvent}
         onUpdateColumns={onUpdateColumns}
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/events.ts b/x-pack/plugins/security_solution/public/timelines/components/timeline/events.ts
index 4653880739c6d..f894ac4e73939 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/events.ts
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/events.ts
@@ -74,7 +74,7 @@ export type OnColumnResized = ({ columnId, delta }: { columnId: ColumnId; delta:
 export type OnChangeItemsPerPage = (itemsPerPage: number) => void;
 
 /** Invoked when a user clicks to load more item */
-export type OnLoadMore = (cursor: string, tieBreaker: string) => void;
+export type OnChangePage = (nextPage: number) => void;
 
 export type OnChangeDroppableAndProvider = (providerId: string) => void;
 
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/expandable_event/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/expandable_event/index.tsx
index 49f17db242f75..b1f48608346c7 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/expandable_event/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/expandable_event/index.tsx
@@ -9,7 +9,7 @@ import styled from 'styled-components';
 
 import { BrowserFields } from '../../../../common/containers/source';
 import { ColumnHeaderOptions } from '../../../../timelines/store/timeline/model';
-import { DetailItem } from '../../../../../common/search_strategy/timeline';
+import { TimelineEventsDetailsItem } from '../../../../../common/search_strategy/timeline';
 import { StatefulEventDetails } from '../../../../common/components/event_details/stateful_event_details';
 import { LazyAccordion } from '../../lazy_accordion';
 import { OnUpdateColumns } from '../events';
@@ -31,7 +31,7 @@ interface Props {
   browserFields: BrowserFields;
   columnHeaders: ColumnHeaderOptions[];
   id: string;
-  event: DetailItem[];
+  event: TimelineEventsDetailsItem[];
   forceExpand?: boolean;
   hideExpandButton?: boolean;
   onEventToggled: () => void;
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/__snapshots__/index.test.tsx.snap b/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/__snapshots__/index.test.tsx.snap
index f155b379227f0..f81934f9a1d91 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/__snapshots__/index.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/__snapshots__/index.test.tsx.snap
@@ -27,8 +27,8 @@ exports[`Footer Timeline Component rendering it renders the default timeline foo
       >
         <EventsCount
           closePopover={[Function]}
-          documentType="events match the search criteria"
-          footerText="events match the search criteria"
+          documentType="events"
+          footerText="events"
           isOpen={false}
           items={
             Array [
@@ -73,10 +73,11 @@ exports[`Footer Timeline Component rendering it renders the default timeline foo
       grow={false}
     >
       <PagingControl
+        activePage={0}
         data-test-subj="paging-control"
-        hasNextPage={true}
         isLoading={false}
-        loadMore={[Function]}
+        onPageClick={[Function]}
+        totalPages={2}
       />
     </EuiFlexItem>
     <EuiFlexItem
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/index.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/index.test.tsx
index 6675ff493d563..01e5202d03332 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/index.test.tsx
@@ -5,7 +5,6 @@
  */
 
 import { mount, shallow } from 'enzyme';
-import { getOr } from 'lodash/fp';
 import React from 'react';
 
 import { TestProviders } from '../../../../common/mock/test_providers';
@@ -16,14 +15,14 @@ import { mockData } from './mock';
 describe('Footer Timeline Component', () => {
   const loadMore = jest.fn();
   const onChangeItemsPerPage = jest.fn();
-  const getUpdatedAt = () => 1546878704036;
+  const updatedAt = 1546878704036;
 
   describe('rendering', () => {
     test('it renders the default timeline footer', () => {
       const wrapper = shallow(
         <FooterComponent
-          getUpdatedAt={getUpdatedAt}
-          hasNextPage={getOr(false, 'hasNextPage', mockData.Events.pageInfo)!}
+          activePage={0}
+          updatedAt={updatedAt}
           height={100}
           id={'timeline-id'}
           isLive={false}
@@ -31,11 +30,10 @@ describe('Footer Timeline Component', () => {
           itemsCount={mockData.Events.edges.length}
           itemsPerPage={2}
           itemsPerPageOptions={[1, 5, 10, 20]}
-          nextCursor={getOr(null, 'endCursor.value', mockData.Events.pageInfo)!}
           onChangeItemsPerPage={onChangeItemsPerPage}
-          onLoadMore={loadMore}
+          onChangePage={loadMore}
           serverSideEventCount={mockData.Events.totalCount}
-          tieBreaker={getOr(null, 'endCursor.tiebreaker', mockData.Events.pageInfo)}
+          totalPages={2}
         />
       );
 
@@ -45,8 +43,8 @@ describe('Footer Timeline Component', () => {
     test('it renders the loading panel at the beginning ', () => {
       const wrapper = mount(
         <FooterComponent
-          getUpdatedAt={getUpdatedAt}
-          hasNextPage={false}
+          activePage={0}
+          updatedAt={updatedAt}
           height={100}
           id={'timeline-id'}
           isLive={false}
@@ -54,11 +52,10 @@ describe('Footer Timeline Component', () => {
           itemsCount={mockData.Events.edges.length}
           itemsPerPage={2}
           itemsPerPageOptions={[1, 5, 10, 20]}
-          nextCursor={getOr(null, 'endCursor.value', mockData.Events.pageInfo)!}
           onChangeItemsPerPage={onChangeItemsPerPage}
-          onLoadMore={loadMore}
+          onChangePage={loadMore}
           serverSideEventCount={mockData.Events.totalCount}
-          tieBreaker={getOr(null, 'endCursor.tiebreaker', mockData.Events.pageInfo)}
+          totalPages={2}
         />
       );
 
@@ -69,8 +66,8 @@ describe('Footer Timeline Component', () => {
       const wrapper = mount(
         <TestProviders>
           <FooterComponent
-            getUpdatedAt={getUpdatedAt}
-            hasNextPage={getOr(false, 'hasNextPage', mockData.Events.pageInfo)!}
+            activePage={0}
+            updatedAt={updatedAt}
             height={100}
             id={'timeline-id'}
             isLive={false}
@@ -78,50 +75,50 @@ describe('Footer Timeline Component', () => {
             itemsCount={mockData.Events.edges.length}
             itemsPerPage={2}
             itemsPerPageOptions={[1, 5, 10, 20]}
-            nextCursor={getOr(null, 'endCursor.value', mockData.Events.pageInfo)!}
             onChangeItemsPerPage={onChangeItemsPerPage}
-            onLoadMore={loadMore}
+            onChangePage={loadMore}
             serverSideEventCount={mockData.Events.totalCount}
-            tieBreaker={getOr(null, 'endCursor.tiebreaker', mockData.Events.pageInfo)}
+            totalPages={2}
           />
         </TestProviders>
       );
 
-      expect(wrapper.find('[data-test-subj="TimelineMoreButton"]').exists()).toBeTruthy();
+      expect(wrapper.find('[data-test-subj="timeline-pagination"]').exists()).toBeTruthy();
     });
 
     test('it renders the Loading... in the more load button when fetching new data', () => {
       const wrapper = shallow(
         <PagingControlComponent
-          hasNextPage={getOr(false, 'hasNextPage', mockData.Events.pageInfo)!}
-          loadMore={loadMore}
+          activePage={0}
+          totalPages={3}
+          onPageClick={loadMore}
           isLoading={true}
         />
       );
 
-      const loadButton = wrapper.find('[data-test-subj="TimelineMoreButton"]').dive().text();
+      const loadButton = wrapper.text();
       expect(wrapper.find('[data-test-subj="LoadingPanelTimeline"]').exists()).toBeFalsy();
       expect(loadButton).toContain('Loading...');
     });
 
-    test('it renders the Load More in the more load button when fetching new data', () => {
+    test('it renders the Pagination in the more load button when fetching new data', () => {
       const wrapper = shallow(
         <PagingControlComponent
-          hasNextPage={getOr(false, 'hasNextPage', mockData.Events.pageInfo)!}
-          loadMore={loadMore}
+          activePage={0}
+          totalPages={3}
+          onPageClick={loadMore}
           isLoading={false}
         />
       );
 
-      const loadButton = wrapper.find('[data-test-subj="TimelineMoreButton"]').dive().text();
-      expect(loadButton).toContain('Load more');
+      expect(wrapper.find('[data-test-subj="timeline-pagination"]').exists()).toBeTruthy();
     });
 
     test('it does NOT render the loadMore button because there is nothing else to fetch', () => {
       const wrapper = mount(
         <FooterComponent
-          getUpdatedAt={getUpdatedAt}
-          hasNextPage={false}
+          activePage={0}
+          updatedAt={updatedAt}
           height={100}
           id={'timeline-id'}
           isLive={false}
@@ -129,23 +126,22 @@ describe('Footer Timeline Component', () => {
           itemsCount={mockData.Events.edges.length}
           itemsPerPage={2}
           itemsPerPageOptions={[1, 5, 10, 20]}
-          nextCursor={getOr(null, 'endCursor.value', mockData.Events.pageInfo)!}
           onChangeItemsPerPage={onChangeItemsPerPage}
-          onLoadMore={loadMore}
+          onChangePage={loadMore}
           serverSideEventCount={mockData.Events.totalCount}
-          tieBreaker={getOr(null, 'endCursor.tiebreaker', mockData.Events.pageInfo)}
+          totalPages={2}
         />
       );
 
-      expect(wrapper.find('[data-test-subj="TimelineMoreButton"]').exists()).toBeFalsy();
+      expect(wrapper.find('[data-test-subj="timeline-pagination"]').exists()).toBeFalsy();
     });
 
     test('it render popover to select new itemsPerPage in timeline', () => {
       const wrapper = mount(
         <TestProviders>
           <FooterComponent
-            getUpdatedAt={getUpdatedAt}
-            hasNextPage={getOr(false, 'hasNextPage', mockData.Events.pageInfo)!}
+            activePage={0}
+            updatedAt={updatedAt}
             height={100}
             id={'timeline-id'}
             isLive={false}
@@ -153,11 +149,10 @@ describe('Footer Timeline Component', () => {
             itemsCount={mockData.Events.edges.length}
             itemsPerPage={1}
             itemsPerPageOptions={[1, 5, 10, 20]}
-            nextCursor={getOr(null, 'endCursor.value', mockData.Events.pageInfo)!}
             onChangeItemsPerPage={onChangeItemsPerPage}
-            onLoadMore={loadMore}
+            onChangePage={loadMore}
             serverSideEventCount={mockData.Events.totalCount}
-            tieBreaker={getOr(null, 'endCursor.tiebreaker', mockData.Events.pageInfo)}
+            totalPages={2}
           />
         </TestProviders>
       );
@@ -172,8 +167,8 @@ describe('Footer Timeline Component', () => {
       const wrapper = mount(
         <TestProviders>
           <FooterComponent
-            getUpdatedAt={getUpdatedAt}
-            hasNextPage={getOr(false, 'hasNextPage', mockData.Events.pageInfo)!}
+            activePage={0}
+            updatedAt={updatedAt}
             height={100}
             id={'timeline-id'}
             isLive={false}
@@ -181,17 +176,15 @@ describe('Footer Timeline Component', () => {
             itemsCount={mockData.Events.edges.length}
             itemsPerPage={2}
             itemsPerPageOptions={[1, 5, 10, 20]}
-            nextCursor={getOr(null, 'endCursor.value', mockData.Events.pageInfo)!}
             onChangeItemsPerPage={onChangeItemsPerPage}
-            onLoadMore={loadMore}
+            onChangePage={loadMore}
             serverSideEventCount={mockData.Events.totalCount}
-            tieBreaker={getOr(null, 'endCursor.tiebreaker', mockData.Events.pageInfo)}
+            totalPages={2}
           />
         </TestProviders>
       );
 
-      wrapper.find('[data-test-subj="TimelineMoreButton"]').first().simulate('click');
-
+      wrapper.find('[data-test-subj="pagination-button-next"]').first().simulate('click');
       expect(loadMore).toBeCalled();
     });
 
@@ -199,8 +192,8 @@ describe('Footer Timeline Component', () => {
       const wrapper = mount(
         <TestProviders>
           <FooterComponent
-            getUpdatedAt={getUpdatedAt}
-            hasNextPage={getOr(false, 'hasNextPage', mockData.Events.pageInfo)!}
+            activePage={0}
+            updatedAt={updatedAt}
             height={100}
             id={'timeline-id'}
             isLive={false}
@@ -208,11 +201,10 @@ describe('Footer Timeline Component', () => {
             itemsCount={mockData.Events.edges.length}
             itemsPerPage={1}
             itemsPerPageOptions={[1, 5, 10, 20]}
-            nextCursor={getOr(null, 'endCursor.value', mockData.Events.pageInfo)!}
             onChangeItemsPerPage={onChangeItemsPerPage}
-            onLoadMore={loadMore}
+            onChangePage={loadMore}
             serverSideEventCount={mockData.Events.totalCount}
-            tieBreaker={getOr(null, 'endCursor.tiebreaker', mockData.Events.pageInfo)}
+            totalPages={2}
           />
         </TestProviders>
       );
@@ -227,8 +219,8 @@ describe('Footer Timeline Component', () => {
       const wrapper = mount(
         <TestProviders>
           <FooterComponent
-            getUpdatedAt={getUpdatedAt}
-            hasNextPage={getOr(false, 'hasNextPage', mockData.Events.pageInfo)!}
+            activePage={0}
+            updatedAt={updatedAt}
             height={100}
             id={'timeline-id'}
             isLive={true}
@@ -236,11 +228,10 @@ describe('Footer Timeline Component', () => {
             itemsCount={mockData.Events.edges.length}
             itemsPerPage={2}
             itemsPerPageOptions={[1, 5, 10, 20]}
-            nextCursor={getOr(null, 'endCursor.value', mockData.Events.pageInfo)!}
             onChangeItemsPerPage={onChangeItemsPerPage}
-            onLoadMore={loadMore}
+            onChangePage={loadMore}
             serverSideEventCount={mockData.Events.totalCount}
-            tieBreaker={getOr(null, 'endCursor.tiebreaker', mockData.Events.pageInfo)}
+            totalPages={2}
           />
         </TestProviders>
       );
@@ -253,8 +244,8 @@ describe('Footer Timeline Component', () => {
       const wrapper = mount(
         <TestProviders>
           <FooterComponent
-            getUpdatedAt={getUpdatedAt}
-            hasNextPage={getOr(false, 'hasNextPage', mockData.Events.pageInfo)!}
+            activePage={0}
+            updatedAt={updatedAt}
             height={100}
             id={'timeline-id'}
             isLive={false}
@@ -262,11 +253,10 @@ describe('Footer Timeline Component', () => {
             itemsCount={mockData.Events.edges.length}
             itemsPerPage={2}
             itemsPerPageOptions={[1, 5, 10, 20]}
-            nextCursor={getOr(null, 'endCursor.value', mockData.Events.pageInfo)!}
             onChangeItemsPerPage={onChangeItemsPerPage}
-            onLoadMore={loadMore}
+            onChangePage={loadMore}
             serverSideEventCount={mockData.Events.totalCount}
-            tieBreaker={getOr(null, 'endCursor.tiebreaker', mockData.Events.pageInfo)}
+            totalPages={2}
           />
         </TestProviders>
       );
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/index.tsx
index 3169201b12c7b..7174e9b2121e5 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/index.tsx
@@ -6,7 +6,6 @@
 
 import {
   EuiBadge,
-  EuiButton,
   EuiButtonEmpty,
   EuiContextMenuItem,
   EuiContextMenuPanel,
@@ -17,13 +16,14 @@ import {
   EuiText,
   EuiToolTip,
   EuiPopoverProps,
+  EuiPagination,
 } from '@elastic/eui';
 import { FormattedMessage } from '@kbn/i18n/react';
 import React, { FC, useCallback, useEffect, useState, useMemo } from 'react';
 import styled from 'styled-components';
 
 import { LoadingPanel } from '../../loading';
-import { OnChangeItemsPerPage, OnLoadMore } from '../events';
+import { OnChangeItemsPerPage, OnChangePage } from '../events';
 
 import { LastUpdatedAt } from './last_updated';
 import * as i18n from './translations';
@@ -175,24 +175,26 @@ export const EventsCount = React.memo(EventsCountComponent);
 EventsCount.displayName = 'EventsCount';
 
 export const PagingControlComponent = ({
-  hasNextPage,
+  activePage,
   isLoading,
-  loadMore,
+  onPageClick,
+  totalPages,
 }: {
-  hasNextPage: boolean;
+  activePage: number;
   isLoading: boolean;
-  loadMore: () => void;
+  onPageClick: OnChangePage;
+  totalPages: number;
 }) => (
   <>
-    {hasNextPage && (
-      <EuiButton
-        data-test-subj="TimelineMoreButton"
-        isLoading={isLoading}
-        onClick={loadMore}
-        size="s"
-      >
-        {isLoading ? `${i18n.LOADING}...` : i18n.LOAD_MORE}
-      </EuiButton>
+    {isLoading ? (
+      `${i18n.LOADING}...`
+    ) : (
+      <EuiPagination
+        data-test-subj="timeline-pagination"
+        pageCount={totalPages}
+        activePage={activePage}
+        onPageClick={onPageClick}
+      />
     )}
   </>
 );
@@ -202,10 +204,9 @@ PagingControlComponent.displayName = 'PagingControlComponent';
 export const PagingControl = React.memo(PagingControlComponent);
 
 PagingControl.displayName = 'PagingControl';
-
 interface FooterProps {
-  getUpdatedAt: () => number;
-  hasNextPage: boolean;
+  updatedAt: number;
+  activePage: number;
   height: number;
   id: string;
   isLive: boolean;
@@ -213,17 +214,16 @@ interface FooterProps {
   itemsCount: number;
   itemsPerPage: number;
   itemsPerPageOptions: number[];
-  nextCursor: string;
   onChangeItemsPerPage: OnChangeItemsPerPage;
-  onLoadMore: OnLoadMore;
+  onChangePage: OnChangePage;
   serverSideEventCount: number;
-  tieBreaker: string;
+  totalPages: number;
 }
 
 /** Renders a loading indicator and paging controls */
 export const FooterComponent = ({
-  getUpdatedAt,
-  hasNextPage,
+  activePage,
+  updatedAt,
   height,
   id,
   isLive,
@@ -231,15 +231,13 @@ export const FooterComponent = ({
   itemsCount,
   itemsPerPage,
   itemsPerPageOptions,
-  nextCursor,
   onChangeItemsPerPage,
-  onLoadMore,
+  onChangePage,
   serverSideEventCount,
-  tieBreaker,
+  totalPages,
 }: FooterProps) => {
   const [isPopoverOpen, setIsPopoverOpen] = useState(false);
   const [paginationLoading, setPaginationLoading] = useState(false);
-  const [updatedAt, setUpdatedAt] = useState<number | null>(null);
 
   const { getManageTimelineById } = useManageTimeline();
   const { documentType, loadingText, footerText } = useMemo(() => getManageTimelineById(id), [
@@ -247,10 +245,13 @@ export const FooterComponent = ({
     id,
   ]);
 
-  const loadMore = useCallback(() => {
-    setPaginationLoading(true);
-    onLoadMore(nextCursor, tieBreaker);
-  }, [nextCursor, tieBreaker, onLoadMore, setPaginationLoading]);
+  const handleChangePageClick = useCallback(
+    (nextPage: number) => {
+      setPaginationLoading(true);
+      onChangePage(nextPage);
+    },
+    [onChangePage]
+  );
 
   const onButtonClick = useCallback(() => setIsPopoverOpen(!isPopoverOpen), [
     isPopoverOpen,
@@ -261,14 +262,8 @@ export const FooterComponent = ({
   useEffect(() => {
     if (paginationLoading && !isLoading) {
       setPaginationLoading(false);
-      setUpdatedAt(getUpdatedAt());
-    }
-
-    if (updatedAt === null || !isLoading) {
-      setUpdatedAt(getUpdatedAt());
     }
-    // eslint-disable-next-line react-hooks/exhaustive-deps
-  }, [isLoading]);
+  }, [isLoading, paginationLoading]);
 
   if (isLoading && !paginationLoading) {
     return (
@@ -358,15 +353,16 @@ export const FooterComponent = ({
           ) : (
             <PagingControl
               data-test-subj="paging-control"
-              hasNextPage={hasNextPage}
+              totalPages={totalPages}
+              activePage={activePage}
+              onPageClick={handleChangePageClick}
               isLoading={isLoading}
-              loadMore={loadMore}
             />
           )}
         </EuiFlexItem>
 
         <EuiFlexItem data-test-subj="last-updated-container" grow={false}>
-          <FixedWidthLastUpdatedContainer updatedAt={updatedAt || getUpdatedAt()} />
+          <FixedWidthLastUpdatedContainer updatedAt={updatedAt} />
         </EuiFlexItem>
       </FooterFlexGroup>
     </FooterContainer>
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/translations.ts b/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/translations.ts
index e0254d0f4a62f..f581d0757bc3c 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/translations.ts
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/translations.ts
@@ -29,14 +29,10 @@ export const LOADING = i18n.translate('xpack.securitySolution.footer.loadingLabe
   defaultMessage: 'Loading',
 });
 
-export const LOAD_MORE = i18n.translate('xpack.securitySolution.footer.loadMoreLabel', {
-  defaultMessage: 'Load more',
-});
-
 export const TOTAL_COUNT_OF_EVENTS = i18n.translate(
   'xpack.securitySolution.footer.totalCountOfEvents',
   {
-    defaultMessage: 'events match the search criteria',
+    defaultMessage: 'events',
   }
 );
 
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/index.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/index.test.tsx
index 51edf7336c4e7..f1bfdd5d33606 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/index.test.tsx
@@ -20,7 +20,6 @@ import { mocksSource } from '../../../common/containers/source/mock';
 import { wait as waitFor } from '@testing-library/react';
 import { defaultHeaders, mockTimelineData, TestProviders } from '../../../common/mock';
 import { Direction } from '../../../graphql/types';
-import { timelineQuery } from '../../containers/index.gql_query';
 import { timelineActions } from '../../store/timeline';
 
 import { Sort } from './body/sort';
@@ -28,6 +27,11 @@ import { mockDataProviders } from './data_providers/mock/mock_data_providers';
 import { StatefulTimeline, Props as StatefulTimelineProps } from './index';
 import { Timeline } from './timeline';
 import { TimelineType, TimelineStatus } from '../../../../common/types/timeline';
+import { useTimelineEvents } from '../../containers/index';
+
+jest.mock('../../containers/index', () => ({
+  useTimelineEvents: jest.fn(),
+}));
 
 jest.mock('../../../common/lib/kibana', () => {
   const originalModule = jest.requireActual('../../../common/lib/kibana');
@@ -63,12 +67,10 @@ describe('StatefulTimeline', () => {
   const startDate = '2018-03-23T18:49:23.132Z';
   const endDate = '2018-03-24T03:33:52.253Z';
 
-  const mocks = [
-    { request: { query: timelineQuery }, result: { data: { events: mockTimelineData } } },
-    ...mocksSource,
-  ];
+  const mocks = mocksSource;
 
   beforeEach(() => {
+    (useTimelineEvents as jest.Mock).mockReturnValue([false, { events: mockTimelineData }]);
     props = {
       addProvider: timelineActions.addProvider,
       columns: defaultHeaders,
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/timeline.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/timeline.test.tsx
index 555b22eff0c91..887a6a546d2b7 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/timeline.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/timeline.test.tsx
@@ -6,10 +6,8 @@
 
 import { shallow } from 'enzyme';
 import React from 'react';
-import { MockedProvider } from 'react-apollo/test-utils';
 import useResizeObserver from 'use-resize-observer/polyfilled';
 
-import { timelineQuery } from '../../containers/index.gql_query';
 import { mockBrowserFields } from '../../../common/containers/source/mock';
 import { Direction } from '../../../graphql/types';
 import { defaultHeaders, mockTimelineData, mockIndexPattern } from '../../../common/mock';
@@ -26,7 +24,19 @@ import { Sort } from './body/sort';
 import { mockDataProviders } from './data_providers/mock/mock_data_providers';
 import { useMountAppended } from '../../../common/utils/use_mount_appended';
 import { TimelineStatus, TimelineType } from '../../../../common/types/timeline';
-
+import { useTimelineEvents } from '../../containers/index';
+import { useTimelineEventsDetails } from '../../containers/details/index';
+
+jest.mock('../../containers/index', () => ({
+  useTimelineEvents: jest.fn(),
+}));
+jest.mock('../../containers/details/index', () => ({
+  useTimelineEventsDetails: jest.fn(),
+}));
+jest.mock('./body/events/index', () => ({
+  // eslint-disable-next-line react/display-name
+  Events: () => <></>,
+}));
 jest.mock('../../../common/lib/kibana');
 jest.mock('./properties/properties_right');
 const mockUseResizeObserver: jest.Mock = useResizeObserver as jest.Mock;
@@ -42,6 +52,7 @@ jest.mock('../../../common/lib/kibana', () => {
       services: {
         application: {
           navigateToApp: jest.fn(),
+          getUrlForApp: jest.fn(),
         },
         uiSettings: {
           get: jest.fn(),
@@ -65,13 +76,21 @@ describe('Timeline', () => {
 
   const indexPattern = mockIndexPattern;
 
-  const mocks = [
-    { request: { query: timelineQuery }, result: { data: { events: mockTimelineData } } },
-  ];
-
   const mount = useMountAppended();
 
   beforeEach(() => {
+    (useTimelineEvents as jest.Mock).mockReturnValue([
+      false,
+      {
+        events: mockTimelineData,
+        pageInfo: {
+          activePage: 0,
+          totalPages: 10,
+        },
+      },
+    ]);
+    (useTimelineEventsDetails as jest.Mock).mockReturnValue([false, {}]);
+
     props = {
       browserFields: mockBrowserFields,
       columns: defaultHeaders,
@@ -123,9 +142,7 @@ describe('Timeline', () => {
     test('it renders the timeline header', () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mocks}>
-            <TimelineComponent {...props} />
-          </MockedProvider>
+          <TimelineComponent {...props} />
         </TestProviders>
       );
 
@@ -135,9 +152,7 @@ describe('Timeline', () => {
     test('it renders the title field', () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mocks}>
-            <TimelineComponent {...props} />
-          </MockedProvider>
+          <TimelineComponent {...props} />
         </TestProviders>
       );
 
@@ -149,9 +164,7 @@ describe('Timeline', () => {
     test('it renders the timeline table', () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mocks}>
-            <TimelineComponent {...props} />
-          </MockedProvider>
+          <TimelineComponent {...props} />
         </TestProviders>
       );
 
@@ -161,9 +174,7 @@ describe('Timeline', () => {
     test('it does NOT render the timeline table when the source is loading', () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mocks}>
-            <TimelineComponent {...props} isLoadingSource={true} />
-          </MockedProvider>
+          <TimelineComponent {...props} isLoadingSource={true} />
         </TestProviders>
       );
 
@@ -173,9 +184,7 @@ describe('Timeline', () => {
     test('it does NOT render the timeline table when start is empty', () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mocks}>
-            <TimelineComponent {...props} start={''} />
-          </MockedProvider>
+          <TimelineComponent {...props} start={''} />
         </TestProviders>
       );
 
@@ -185,9 +194,7 @@ describe('Timeline', () => {
     test('it does NOT render the timeline table when end is empty', () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mocks}>
-            <TimelineComponent {...props} end={''} />
-          </MockedProvider>
+          <TimelineComponent {...props} end={''} />
         </TestProviders>
       );
 
@@ -197,9 +204,7 @@ describe('Timeline', () => {
     test('it does NOT render the paging footer when you do NOT have any data providers', () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mocks}>
-            <TimelineComponent {...props} />
-          </MockedProvider>
+          <TimelineComponent {...props} />
         </TestProviders>
       );
 
@@ -209,9 +214,7 @@ describe('Timeline', () => {
     test('it defaults to showing `All`', () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mocks}>
-            <TimelineComponent {...props} />
-          </MockedProvider>
+          <TimelineComponent {...props} />
         </TestProviders>
       );
 
@@ -221,9 +224,7 @@ describe('Timeline', () => {
     it('it shows the timeline footer', () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mocks}>
-            <TimelineComponent {...props} />
-          </MockedProvider>
+          <TimelineComponent {...props} />
         </TestProviders>
       );
 
@@ -236,9 +237,7 @@ describe('Timeline', () => {
       it('should not show the timeline footer', () => {
         const wrapper = mount(
           <TestProviders>
-            <MockedProvider mocks={mocks}>
-              <TimelineComponent {...props} />
-            </MockedProvider>
+            <TimelineComponent {...props} />
           </TestProviders>
         );
 
@@ -252,9 +251,7 @@ describe('Timeline', () => {
       test('it invokes the onDataProviderRemoved callback when the delete button on a provider is clicked', () => {
         const wrapper = mount(
           <TestProviders>
-            <MockedProvider mocks={mocks}>
-              <TimelineComponent {...props} />
-            </MockedProvider>
+            <TimelineComponent {...props} />
           </TestProviders>
         );
 
@@ -271,9 +268,7 @@ describe('Timeline', () => {
       test('it invokes the onDataProviderRemoved callback when you click on the option "Delete" in the provider menu', () => {
         const wrapper = mount(
           <TestProviders>
-            <MockedProvider mocks={mocks}>
-              <TimelineComponent {...props} />
-            </MockedProvider>
+            <TimelineComponent {...props} />
           </TestProviders>
         );
         wrapper.find('button[data-test-subj="providerBadge"]').first().simulate('click');
@@ -295,9 +290,7 @@ describe('Timeline', () => {
       test('it invokes the onToggleDataProviderEnabled callback when you click on the option "Temporary disable" in the provider menu', () => {
         const wrapper = mount(
           <TestProviders>
-            <MockedProvider mocks={mocks}>
-              <TimelineComponent {...props} />
-            </MockedProvider>
+            <TimelineComponent {...props} />
           </TestProviders>
         );
 
@@ -321,9 +314,7 @@ describe('Timeline', () => {
       test('it invokes the onToggleDataProviderExcluded callback when you click on the option "Exclude results" in the provider menu', () => {
         const wrapper = mount(
           <TestProviders>
-            <MockedProvider mocks={mocks}>
-              <TimelineComponent {...props} />
-            </MockedProvider>
+            <TimelineComponent {...props} />
           </TestProviders>
         );
 
@@ -355,9 +346,7 @@ describe('Timeline', () => {
       test('Rendering And Provider', () => {
         const wrapper = mount(
           <TestProviders>
-            <MockedProvider mocks={mocks}>
-              <TimelineComponent {...props} dataProviders={dataProviders} />
-            </MockedProvider>
+            <TimelineComponent {...props} dataProviders={dataProviders} />
           </TestProviders>
         );
 
@@ -375,9 +364,7 @@ describe('Timeline', () => {
       test('it invokes the onDataProviderRemoved callback when you click on the option "Delete" in the accordion menu', () => {
         const wrapper = mount(
           <TestProviders>
-            <MockedProvider mocks={mocks}>
-              <TimelineComponent {...props} dataProviders={dataProviders} />
-            </MockedProvider>
+            <TimelineComponent {...props} dataProviders={dataProviders} />
           </TestProviders>
         );
 
@@ -404,9 +391,7 @@ describe('Timeline', () => {
       test('it invokes the onToggleDataProviderEnabled callback when you click on the option "Temporary disable" in the accordion menu', () => {
         const wrapper = mount(
           <TestProviders>
-            <MockedProvider mocks={mocks}>
-              <TimelineComponent {...props} dataProviders={dataProviders} />
-            </MockedProvider>
+            <TimelineComponent {...props} dataProviders={dataProviders} />
           </TestProviders>
         );
 
@@ -434,9 +419,7 @@ describe('Timeline', () => {
       test('it invokes the onToggleDataProviderExcluded callback when you click on the option "Exclude results" in the accordion menu', () => {
         const wrapper = mount(
           <TestProviders>
-            <MockedProvider mocks={mocks}>
-              <TimelineComponent {...props} dataProviders={dataProviders} />
-            </MockedProvider>
+            <TimelineComponent {...props} dataProviders={dataProviders} />
           </TestProviders>
         );
 
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/timeline.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/timeline.tsx
index 7b1c1bd2119cd..434c7075a9470 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/timeline.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/timeline.tsx
@@ -5,14 +5,14 @@
  */
 
 import { EuiFlyoutHeader, EuiFlyoutBody, EuiFlyoutFooter, EuiProgress } from '@elastic/eui';
-import { getOr, isEmpty } from 'lodash/fp';
+import { isEmpty } from 'lodash/fp';
 import React, { useState, useMemo, useEffect } from 'react';
 import styled from 'styled-components';
 
 import { FlyoutHeaderWithCloseButton } from '../flyout/header_with_close_button';
 import { BrowserFields, DocValueFields } from '../../../common/containers/source';
-import { TimelineQuery } from '../../containers/index';
-import { Direction } from '../../../graphql/types';
+import { Direction } from '../../../../common/search_strategy';
+import { useTimelineEvents } from '../../containers/index';
 import { useKibana } from '../../../common/lib/kibana';
 import { ColumnHeaderOptions, KqlMode, EventType } from '../../../timelines/store/timeline/model';
 import { defaultHeaders } from './body/column_headers/default_headers';
@@ -217,13 +217,14 @@ export const TimelineComponent: React.FC<Props> = ({
   }, [columnsHeader]);
   const timelineQuerySortField = useMemo(
     () => ({
-      sortFieldId: sort.columnId,
+      field: sort.columnId,
       direction: sort.sortDirection as Direction,
     }),
     [sort.columnId, sort.sortDirection]
   );
   const [isQueryLoading, setIsQueryLoading] = useState(false);
   const { initializeTimeline, setIndexToAdd, setIsTimelineLoading } = useManageTimeline();
+
   useEffect(() => {
     initializeTimeline({
       filterManager,
@@ -233,6 +234,23 @@ export const TimelineComponent: React.FC<Props> = ({
     // eslint-disable-next-line react-hooks/exhaustive-deps
   }, []);
 
+  const [
+    loading,
+    { events, inspect, totalCount, pageInfo, loadPage, updatedAt, refetch },
+  ] = useTimelineEvents({
+    docValueFields,
+    endDate: end,
+    eventType,
+    id,
+    indexToAdd,
+    fields: timelineQueryFields,
+    limit: itemsPerPage,
+    filterQuery: combinedQueries?.filterQuery ?? '',
+    startDate: start,
+    skip: canQueryTimeline,
+    sort: timelineQuerySortField,
+  });
+
   useEffect(() => {
     setIsTimelineLoading({ id, isLoading: isQueryLoading || loadingIndexName });
   }, [loadingIndexName, id, isQueryLoading, setIsTimelineLoading]);
@@ -241,6 +259,10 @@ export const TimelineComponent: React.FC<Props> = ({
     setIndexToAdd({ id, indexToAdd });
   }, [id, indexToAdd, setIndexToAdd]);
 
+  useEffect(() => {
+    setIsQueryLoading(loading);
+  }, [loading]);
+
   return (
     <TimelineContainer data-test-subj="timeline">
       {isSaving && <EuiProgress size="s" color="primary" position="absolute" />}
@@ -274,85 +296,52 @@ export const TimelineComponent: React.FC<Props> = ({
       </StyledEuiFlyoutHeader>
       <TimelineKqlFetch id={id} indexPattern={indexPattern} inputId="timeline" />
       {canQueryTimeline ? (
-        <TimelineQuery
-          docValueFields={docValueFields}
-          endDate={end}
-          eventType={eventType}
-          id={id}
-          indexToAdd={indexToAdd}
-          fields={timelineQueryFields}
-          sourceId="default"
-          limit={itemsPerPage}
-          filterQuery={combinedQueries!.filterQuery}
-          sortField={timelineQuerySortField}
-          startDate={start}
-          queryDeduplication="timeline"
-        >
-          {({
-            events,
-            inspect,
-            loading,
-            totalCount,
-            pageInfo,
-            loadMore,
-            getUpdatedAt,
-            refetch,
-          }) => {
-            setIsQueryLoading(loading);
-            return (
-              <>
-                <TimelineRefetch
+        <>
+          <TimelineRefetch
+            id={id}
+            inputId="timeline"
+            inspect={inspect}
+            loading={loading}
+            refetch={refetch}
+          />
+          <StyledEuiFlyoutBody data-test-subj="eui-flyout-body" className="timeline-flyout-body">
+            <StatefulBody
+              browserFields={browserFields}
+              data={events}
+              docValueFields={docValueFields}
+              id={id}
+              refetch={refetch}
+              sort={sort}
+              toggleColumn={toggleColumn}
+            />
+          </StyledEuiFlyoutBody>
+          {
+            /** Hide the footer if Resolver is showing. */
+            !graphEventId && (
+              <StyledEuiFlyoutFooter
+                data-test-subj="eui-flyout-footer"
+                className="timeline-flyout-footer"
+              >
+                <Footer
+                  activePage={pageInfo.activePage}
+                  data-test-subj="timeline-footer"
+                  updatedAt={updatedAt}
+                  height={footerHeight}
                   id={id}
-                  inputId="timeline"
-                  inspect={inspect}
-                  loading={loading}
-                  refetch={refetch}
+                  isLive={isLive}
+                  isLoading={loading || loadingIndexName}
+                  itemsCount={events.length}
+                  itemsPerPage={itemsPerPage}
+                  itemsPerPageOptions={itemsPerPageOptions}
+                  onChangeItemsPerPage={onChangeItemsPerPage}
+                  onChangePage={loadPage}
+                  serverSideEventCount={totalCount}
+                  totalPages={pageInfo.totalPages}
                 />
-                <StyledEuiFlyoutBody
-                  data-test-subj="eui-flyout-body"
-                  className="timeline-flyout-body"
-                >
-                  <StatefulBody
-                    browserFields={browserFields}
-                    data={events}
-                    docValueFields={docValueFields}
-                    id={id}
-                    refetch={refetch}
-                    sort={sort}
-                    toggleColumn={toggleColumn}
-                  />
-                </StyledEuiFlyoutBody>
-                {
-                  /** Hide the footer if Resolver is showing. */
-                  !graphEventId && (
-                    <StyledEuiFlyoutFooter
-                      data-test-subj="eui-flyout-footer"
-                      className="timeline-flyout-footer"
-                    >
-                      <Footer
-                        data-test-subj="timeline-footer"
-                        getUpdatedAt={getUpdatedAt}
-                        hasNextPage={getOr(false, 'hasNextPage', pageInfo)!}
-                        height={footerHeight}
-                        id={id}
-                        isLive={isLive}
-                        isLoading={loading || loadingIndexName}
-                        itemsCount={events.length}
-                        itemsPerPage={itemsPerPage}
-                        itemsPerPageOptions={itemsPerPageOptions}
-                        nextCursor={getOr(null, 'endCursor.value', pageInfo)!}
-                        onChangeItemsPerPage={onChangeItemsPerPage}
-                        onLoadMore={loadMore}
-                        serverSideEventCount={totalCount}
-                        tieBreaker={getOr(null, 'endCursor.tiebreaker', pageInfo)}
-                      />
-                    </StyledEuiFlyoutFooter>
-                  )
-                }
-              </>
-            );
-          }}
-        </TimelineQuery>
+              </StyledEuiFlyoutFooter>
+            )
+          }
+        </>
       ) : null}
     </TimelineContainer>
   );
diff --git a/x-pack/plugins/security_solution/public/timelines/containers/details/index.tsx b/x-pack/plugins/security_solution/public/timelines/containers/details/index.tsx
index 35f8c7ae90e6e..af99c75ae701a 100644
--- a/x-pack/plugins/security_solution/public/timelines/containers/details/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/containers/details/index.tsx
@@ -5,7 +5,6 @@
  */
 
 import { noop } from 'lodash/fp';
-import memoizeOne from 'memoize-one';
 import { useCallback, useEffect, useRef, useState } from 'react';
 import deepEqual from 'fast-deep-equal';
 
@@ -14,73 +13,63 @@ import { DEFAULT_INDEX_KEY } from '../../../../common/constants';
 import { useKibana } from '../../../common/lib/kibana';
 import {
   DocValueFields,
-  DetailItem,
-  TimelineQueries,
-  TimelineDetailsRequestOptions,
-  TimelineDetailsStrategyResponse,
+  TimelineEventsDetailsItem,
+  TimelineEventsQueries,
+  TimelineEventsDetailsRequestOptions,
+  TimelineEventsDetailsStrategyResponse,
 } from '../../../../common/search_strategy';
 export interface EventsArgs {
-  detailsData: DetailItem[] | null;
-  loading: boolean;
+  detailsData: TimelineEventsDetailsItem[] | null;
 }
 
-export interface TimelineDetailsProps {
+export interface UseTimelineEventsDetailsProps {
   docValueFields: DocValueFields[];
   indexName: string;
   eventId: string;
-  executeQuery: boolean;
+  skip: boolean;
 }
 
-const getDetailsEvent = memoizeOne(
-  (variables: string, detail: DetailItem[]): DetailItem[] => detail
-);
-
-export const useTimelineDetails = ({
+export const useTimelineEventsDetails = ({
   docValueFields,
   indexName,
   eventId,
-  executeQuery,
-}: TimelineDetailsProps): [boolean, EventsArgs['detailsData']] => {
+  skip,
+}: UseTimelineEventsDetailsProps): [boolean, EventsArgs['detailsData']] => {
   const { data, notifications, uiSettings } = useKibana().services;
   const refetch = useRef<inputsModel.Refetch>(noop);
   const abortCtrl = useRef(new AbortController());
   const defaultIndex = uiSettings.get<string[]>(DEFAULT_INDEX_KEY);
   const [loading, setLoading] = useState(false);
-  const [timelineDetailsRequest, setTimelineDetailsRequest] = useState<
-    TimelineDetailsRequestOptions
-  >({
-    defaultIndex,
-    docValueFields,
-    executeQuery,
-    indexName,
-    eventId,
-    factoryQueryType: TimelineQueries.details,
-  });
+  const [
+    timelineDetailsRequest,
+    setTimelineDetailsRequest,
+  ] = useState<TimelineEventsDetailsRequestOptions | null>(null);
 
   const [timelineDetailsResponse, setTimelineDetailsResponse] = useState<EventsArgs['detailsData']>(
     null
   );
 
   const timelineDetailsSearch = useCallback(
-    (request: TimelineDetailsRequestOptions) => {
+    (request: TimelineEventsDetailsRequestOptions) => {
       let didCancel = false;
       const asyncSearch = async () => {
         abortCtrl.current = new AbortController();
         setLoading(true);
 
         const searchSubscription$ = data.search
-          .search<TimelineDetailsRequestOptions, TimelineDetailsStrategyResponse>(request, {
-            strategy: 'securitySolutionTimelineSearchStrategy',
-            abortSignal: abortCtrl.current.signal,
-          })
+          .search<TimelineEventsDetailsRequestOptions, TimelineEventsDetailsStrategyResponse>(
+            request,
+            {
+              strategy: 'securitySolutionTimelineSearchStrategy',
+              abortSignal: abortCtrl.current.signal,
+            }
+          )
           .subscribe({
             next: (response) => {
               if (!response.isPartial && !response.isRunning) {
                 if (!didCancel) {
                   setLoading(false);
-                  setTimelineDetailsResponse(
-                    getDetailsEvent(JSON.stringify(timelineDetailsRequest), response.data || [])
-                  );
+                  setTimelineDetailsResponse(response.data || []);
                 }
                 searchSubscription$.unsubscribe();
               } else if (response.isPartial && !response.isRunning) {
@@ -105,28 +94,31 @@ export const useTimelineDetails = ({
         abortCtrl.current.abort();
       };
     },
-    [data.search, notifications.toasts, timelineDetailsRequest]
+    [data.search, notifications.toasts]
   );
 
   useEffect(() => {
     setTimelineDetailsRequest((prevRequest) => {
       const myRequest = {
-        ...prevRequest,
+        ...(prevRequest ?? {}),
         defaultIndex,
         docValueFields,
         indexName,
         eventId,
+        factoryQueryType: TimelineEventsQueries.details,
       };
-      if (!deepEqual(prevRequest, myRequest)) {
+      if (!skip && !deepEqual(prevRequest, myRequest)) {
         return myRequest;
       }
       return prevRequest;
     });
-  }, [defaultIndex, docValueFields, eventId, indexName]);
+  }, [defaultIndex, docValueFields, eventId, indexName, skip]);
 
   useEffect(() => {
-    if (executeQuery) timelineDetailsSearch(timelineDetailsRequest);
-  }, [executeQuery, timelineDetailsRequest, timelineDetailsSearch]);
+    if (timelineDetailsRequest) {
+      timelineDetailsSearch(timelineDetailsRequest);
+    }
+  }, [timelineDetailsRequest, timelineDetailsSearch]);
 
   return [loading, timelineDetailsResponse];
 };
diff --git a/x-pack/plugins/security_solution/public/timelines/containers/index.tsx b/x-pack/plugins/security_solution/public/timelines/containers/index.tsx
index de7175f0a7f97..f340096c75f2b 100644
--- a/x-pack/plugins/security_solution/public/timelines/containers/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/containers/index.tsx
@@ -4,215 +4,259 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { getOr, uniqBy } from 'lodash/fp';
-import memoizeOne from 'memoize-one';
-import React from 'react';
-import { Query } from 'react-apollo';
-import { compose, Dispatch } from 'redux';
-import { connect, ConnectedProps } from 'react-redux';
+import deepEqual from 'fast-deep-equal';
+import { noop } from 'lodash/fp';
+import { useCallback, useEffect, useRef, useState } from 'react';
+import { useDispatch } from 'react-redux';
+
+import { ESQuery } from '../../../common/typed_json';
+import { IIndexPattern } from '../../../../../../src/plugins/data/public';
 
 import { DEFAULT_INDEX_KEY } from '../../../common/constants';
-import { IIndexPattern } from '../../../../../../src/plugins/data/common/index_patterns';
-import {
-  GetTimelineQuery,
-  PageInfo,
-  SortField,
-  TimelineEdges,
-  TimelineItem,
-} from '../../graphql/types';
-import { inputsModel, inputsSelectors, State } from '../../common/store';
-import { withKibana, WithKibanaProps } from '../../common/lib/kibana';
+import { inputsModel } from '../../common/store';
+import { useKibana } from '../../common/lib/kibana';
 import { createFilter } from '../../common/containers/helpers';
-import { QueryTemplate, QueryTemplateProps } from '../../common/containers/query_template';
+import { DocValueFields } from '../../common/containers/query_template';
 import { EventType } from '../../timelines/store/timeline/model';
-import { timelineQuery } from './index.gql_query';
 import { timelineActions } from '../../timelines/store/timeline';
 import { detectionsTimelineIds, skipQueryForDetectionsPage } from './helpers';
+import { getInspectResponse } from '../../helpers';
+import {
+  Direction,
+  TimelineEventsQueries,
+  TimelineEventsAllStrategyResponse,
+  TimelineEventsAllRequestOptions,
+  TimelineEdges,
+  TimelineItem,
+  SortField,
+} from '../../../common/search_strategy';
+import { InspectResponse } from '../../types';
+import * as i18n from './translations';
 
 export interface TimelineArgs {
   events: TimelineItem[];
   id: string;
-  inspect: inputsModel.InspectQuery;
-  loading: boolean;
-  loadMore: (cursor: string, tieBreaker: string) => void;
-  pageInfo: PageInfo;
+  inspect: InspectResponse;
+  loadPage: LoadPage;
+  pageInfo: {
+    activePage: number;
+    totalPages: number;
+  };
   refetch: inputsModel.Refetch;
   totalCount: number;
-  getUpdatedAt: () => number;
+  updatedAt: number;
 }
 
-export interface CustomReduxProps {
-  clearSignalsState: ({ id }: { id?: string }) => void;
-}
+type LoadPage = (newActivePage: number) => void;
 
-export interface OwnProps extends QueryTemplateProps {
-  children?: (args: TimelineArgs) => React.ReactNode;
+interface UseTimelineEventsProps {
+  docValueFields?: DocValueFields[];
+  filterQuery?: ESQuery | string;
+  skip?: boolean;
   endDate: string;
   eventType?: EventType;
   id: string;
+  fields: string[];
   indexPattern?: IIndexPattern;
   indexToAdd?: string[];
   limit: number;
-  sortField: SortField;
-  fields: string[];
+  sort: SortField;
   startDate: string;
-  queryDeduplication: string;
+  canQueryTimeline?: boolean;
 }
 
-type TimelineQueryProps = OwnProps & PropsFromRedux & WithKibanaProps & CustomReduxProps;
-
-class TimelineQueryComponent extends QueryTemplate<
-  TimelineQueryProps,
-  GetTimelineQuery.Query,
-  GetTimelineQuery.Variables
-> {
-  private updatedDate: number = Date.now();
-  private memoizedTimelineEvents: (variables: string, events: TimelineEdges[]) => TimelineItem[];
-
-  constructor(props: TimelineQueryProps) {
-    super(props);
-    this.memoizedTimelineEvents = memoizeOne(this.getTimelineEvents);
-  }
-
-  public render() {
-    const {
-      children,
-      clearSignalsState,
-      docValueFields,
-      endDate,
-      eventType = 'raw',
-      id,
-      indexPattern,
-      indexToAdd = [],
-      isInspected,
-      kibana,
-      limit,
-      fields,
-      filterQuery,
-      sourceId,
-      sortField,
-      startDate,
-      queryDeduplication,
-    } = this.props;
-    const defaultKibanaIndex = kibana.services.uiSettings.get<string[]>(DEFAULT_INDEX_KEY);
-    const defaultIndex =
-      indexPattern == null || (indexPattern != null && indexPattern.title === '')
-        ? [
-            ...(['all', 'raw'].includes(eventType) ? defaultKibanaIndex : []),
-            ...(['all', 'alert', 'signal'].includes(eventType) ? indexToAdd : []),
-          ]
-        : indexPattern?.title.split(',') ?? [];
-    // Fun fact: When using this hook multiple times within a component (e.g. add_exception_modal & edit_exception_modal),
-    // the apolloClient will perform queryDeduplication and prevent the first query from executing. A deep compare is not
-    // performed on `indices`, so another field must be passed to circumvent this.
-    // For details, see https://github.com/apollographql/react-apollo/issues/2202
-    const variables: GetTimelineQuery.Variables & { queryDeduplication: string } = {
-      fieldRequested: fields,
-      filterQuery: createFilter(filterQuery),
-      sourceId,
-      timerange: {
-        interval: '12h',
-        from: startDate,
-        to: endDate,
-      },
-      pagination: { limit, cursor: null, tiebreaker: null },
-      sortField,
-      defaultIndex,
-      docValueFields: docValueFields ?? [],
-      inspect: isInspected,
-      queryDeduplication,
-    };
-
-    return (
-      <Query<GetTimelineQuery.Query, GetTimelineQuery.Variables>
-        query={timelineQuery}
-        fetchPolicy="network-only"
-        notifyOnNetworkStatusChange
-        skip={skipQueryForDetectionsPage(id, defaultIndex)}
-        variables={variables}
-      >
-        {({ data, loading, fetchMore, refetch }) => {
-          this.setRefetch(refetch);
-          this.setExecuteBeforeRefetch(clearSignalsState);
-          this.setExecuteBeforeFetchMore(clearSignalsState);
-
-          const timelineEdges = getOr([], 'source.Timeline.edges', data);
-          this.setFetchMore(fetchMore);
-          this.setFetchMoreOptions((newCursor: string, tiebreaker?: string) => ({
-            variables: {
-              pagination: {
-                cursor: newCursor,
-                tiebreaker,
-                limit,
-              },
-            },
-            updateQuery: (prev, { fetchMoreResult }) => {
-              if (!fetchMoreResult) {
-                return prev;
-              }
-              return {
-                ...fetchMoreResult,
-                source: {
-                  ...fetchMoreResult.source,
-                  Timeline: {
-                    ...fetchMoreResult.source.Timeline,
-                    edges: uniqBy('node._id', [
-                      ...prev.source.Timeline.edges,
-                      ...fetchMoreResult.source.Timeline.edges,
-                    ]),
-                  },
-                },
-              };
-            },
-          }));
-          this.updatedDate = Date.now();
-          return children!({
-            id,
-            inspect: getOr(null, 'source.Timeline.inspect', data),
-            refetch: this.wrappedRefetch,
-            loading,
-            totalCount: getOr(0, 'source.Timeline.totalCount', data),
-            pageInfo: getOr({}, 'source.Timeline.pageInfo', data),
-            events: this.memoizedTimelineEvents(JSON.stringify(variables), timelineEdges),
-            loadMore: this.wrappedLoadMore,
-            getUpdatedAt: this.getUpdatedAt,
-          });
-        }}
-      </Query>
-    );
-  }
+const getTimelineEvents = (timelineEdges: TimelineEdges[]): TimelineItem[] =>
+  timelineEdges.map((e: TimelineEdges) => e.node);
 
-  private getUpdatedAt = () => this.updatedDate;
+const ID = 'timelineEventsQuery';
 
-  private getTimelineEvents = (variables: string, timelineEdges: TimelineEdges[]): TimelineItem[] =>
-    timelineEdges.map((e: TimelineEdges) => e.node);
-}
-
-const makeMapStateToProps = () => {
-  const getQuery = inputsSelectors.timelineQueryByIdSelector();
-  const mapStateToProps = (state: State, { id }: OwnProps) => {
-    const { isInspected } = getQuery(state, id);
-    return {
-      isInspected,
-    };
-  };
-  return mapStateToProps;
-};
+export const useTimelineEvents = ({
+  docValueFields,
+  endDate,
+  eventType = 'raw',
+  id = ID,
+  indexPattern,
+  indexToAdd = [],
+  fields,
+  filterQuery,
+  startDate,
+  limit,
+  sort = {
+    field: '@timestamp',
+    direction: Direction.asc,
+  },
+  canQueryTimeline = true,
+}: UseTimelineEventsProps): [boolean, TimelineArgs] => {
+  const dispatch = useDispatch();
+  const { data, notifications, uiSettings } = useKibana().services;
+  const refetch = useRef<inputsModel.Refetch>(noop);
+  const abortCtrl = useRef(new AbortController());
+  const defaultKibanaIndex = uiSettings.get<string[]>(DEFAULT_INDEX_KEY);
+  const defaultIndex =
+    indexPattern == null || (indexPattern != null && indexPattern.title === '')
+      ? [
+          ...(['all', 'raw'].includes(eventType) ? defaultKibanaIndex : []),
+          ...(['all', 'alert', 'signal'].includes(eventType) ? indexToAdd : []),
+        ]
+      : indexPattern?.title.split(',') ?? [];
+  const [loading, setLoading] = useState(false);
+  const [activePage, setActivePage] = useState(0);
+  const [timelineRequest, setTimelineRequest] = useState<TimelineEventsAllRequestOptions>({
+    fields,
+    fieldRequested: fields,
+    filterQuery: createFilter(filterQuery),
+    id,
+    timerange: {
+      interval: '12h',
+      from: startDate,
+      to: endDate,
+    },
+    pagination: {
+      activePage,
+      querySize: limit,
+    },
+    sort,
+    defaultIndex,
+    docValueFields: docValueFields ?? [],
+    factoryQueryType: TimelineEventsQueries.all,
+  });
 
-const mapDispatchToProps = (dispatch: Dispatch) => ({
-  clearSignalsState: ({ id }: { id?: string }) => {
+  const clearSignalsState = useCallback(() => {
     if (id != null && detectionsTimelineIds.some((timelineId) => timelineId === id)) {
       dispatch(timelineActions.clearEventsLoading({ id }));
       dispatch(timelineActions.clearEventsDeleted({ id }));
     }
-  },
-});
+  }, [dispatch, id]);
 
-const connector = connect(makeMapStateToProps, mapDispatchToProps);
+  const wrappedLoadPage = useCallback(
+    (newActivePage: number) => {
+      clearSignalsState();
+      setActivePage(newActivePage);
+    },
+    [clearSignalsState]
+  );
 
-type PropsFromRedux = ConnectedProps<typeof connector>;
+  const [timelineResponse, setTimelineResponse] = useState<TimelineArgs>({
+    id: ID,
+    inspect: {
+      dsl: [],
+      response: [],
+    },
+    refetch: refetch.current,
+    totalCount: -1,
+    pageInfo: {
+      activePage: 0,
+      totalPages: 0,
+    },
+    events: [],
+    loadPage: wrappedLoadPage,
+    updatedAt: 0,
+  });
 
-export const TimelineQuery = compose<React.ComponentClass<OwnProps>>(
-  connector,
-  withKibana
-)(TimelineQueryComponent);
+  const timelineSearch = useCallback(
+    (request: TimelineEventsAllRequestOptions) => {
+      let didCancel = false;
+      const asyncSearch = async () => {
+        abortCtrl.current = new AbortController();
+        setLoading(true);
+
+        const searchSubscription$ = data.search
+          .search<TimelineEventsAllRequestOptions, TimelineEventsAllStrategyResponse>(request, {
+            strategy: 'securitySolutionTimelineSearchStrategy',
+            abortSignal: abortCtrl.current.signal,
+          })
+          .subscribe({
+            next: (response) => {
+              if (!response.isPartial && !response.isRunning) {
+                if (!didCancel) {
+                  setLoading(false);
+                  setTimelineResponse((prevResponse) => ({
+                    ...prevResponse,
+                    events: getTimelineEvents(response.edges),
+                    inspect: getInspectResponse(response, prevResponse.inspect),
+                    pageInfo: response.pageInfo,
+                    refetch: refetch.current,
+                    totalCount: response.totalCount,
+                    updatedAt: Date.now(),
+                  }));
+                }
+                searchSubscription$.unsubscribe();
+              } else if (response.isPartial && !response.isRunning) {
+                if (!didCancel) {
+                  setLoading(false);
+                }
+                notifications.toasts.addWarning(i18n.ERROR_TIMELINE_EVENTS);
+                searchSubscription$.unsubscribe();
+              }
+            },
+            error: (msg) => {
+              if (msg.message !== 'Aborted') {
+                notifications.toasts.addDanger({
+                  title: i18n.FAIL_TIMELINE_EVENTS,
+                  text: msg.message,
+                });
+              }
+            },
+          });
+      };
+      abortCtrl.current.abort();
+      asyncSearch();
+      refetch.current = asyncSearch;
+      return () => {
+        didCancel = true;
+        abortCtrl.current.abort();
+      };
+    },
+    [data.search, notifications.toasts]
+  );
+
+  useEffect(() => {
+    if (!canQueryTimeline || skipQueryForDetectionsPage(id, defaultIndex)) {
+      return;
+    }
+
+    setTimelineRequest((prevRequest) => {
+      const myRequest = {
+        ...prevRequest,
+        defaultIndex,
+        docValueFields: docValueFields ?? [],
+        filterQuery: createFilter(filterQuery),
+        pagination: {
+          activePage,
+          querySize: limit,
+        },
+        timerange: {
+          interval: '12h',
+          from: startDate,
+          to: endDate,
+        },
+        sort,
+      };
+      if (
+        canQueryTimeline &&
+        !skipQueryForDetectionsPage(id, defaultIndex) &&
+        !deepEqual(prevRequest, myRequest)
+      ) {
+        return myRequest;
+      }
+      return prevRequest;
+    });
+  }, [
+    defaultIndex,
+    docValueFields,
+    endDate,
+    filterQuery,
+    startDate,
+    canQueryTimeline,
+    id,
+    activePage,
+    limit,
+    sort,
+  ]);
+
+  useEffect(() => {
+    timelineSearch(timelineRequest);
+  }, [timelineRequest, timelineSearch]);
+
+  return [loading, timelineResponse];
+};
diff --git a/x-pack/plugins/security_solution/public/timelines/containers/translations.ts b/x-pack/plugins/security_solution/public/timelines/containers/translations.ts
new file mode 100644
index 0000000000000..ba3cc3c84b92d
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/timelines/containers/translations.ts
@@ -0,0 +1,21 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { i18n } from '@kbn/i18n';
+
+export const ERROR_TIMELINE_EVENTS = i18n.translate(
+  'xpack.securitySolution.timelineEvents.errorSearchDescription',
+  {
+    defaultMessage: `An error has occurred on timeline events search`,
+  }
+);
+
+export const FAIL_TIMELINE_EVENTS = i18n.translate(
+  'xpack.securitySolution.timelineEvents.failSearchDescription',
+  {
+    defaultMessage: `Failed to run search on timeline events`,
+  }
+);
diff --git a/x-pack/plugins/security_solution/public/timelines/store/timeline/actions.ts b/x-pack/plugins/security_solution/public/timelines/store/timeline/actions.ts
index ebee0f5cae9a6..da9c363703d16 100644
--- a/x-pack/plugins/security_solution/public/timelines/store/timeline/actions.ts
+++ b/x-pack/plugins/security_solution/public/timelines/store/timeline/actions.ts
@@ -16,7 +16,7 @@ import {
 import { KueryFilterQuery, SerializedFilterQuery } from '../../../common/store/types';
 
 import { EventType, KqlMode, TimelineModel, ColumnHeaderOptions } from './model';
-import { TimelineNonEcsData } from '../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../common/search_strategy/timeline';
 import { TimelineTypeLiteral, RowRendererId } from '../../../../common/types/timeline';
 import { InsertTimeline } from './types';
 
diff --git a/x-pack/plugins/security_solution/public/timelines/store/timeline/helpers.ts b/x-pack/plugins/security_solution/public/timelines/store/timeline/helpers.ts
index a6b78269cff2f..1432e133244d0 100644
--- a/x-pack/plugins/security_solution/public/timelines/store/timeline/helpers.ts
+++ b/x-pack/plugins/security_solution/public/timelines/store/timeline/helpers.ts
@@ -20,7 +20,7 @@ import {
   EXISTS_OPERATOR,
 } from '../../../timelines/components/timeline/data_providers/data_provider';
 import { KueryFilterQuery, SerializedFilterQuery } from '../../../common/store/model';
-import { TimelineNonEcsData } from '../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../common/search_strategy/timeline';
 import {
   TimelineTypeLiteral,
   TimelineType,
diff --git a/x-pack/plugins/security_solution/public/timelines/store/timeline/model.ts b/x-pack/plugins/security_solution/public/timelines/store/timeline/model.ts
index 9a8399d366967..88ec9da1e0c4e 100644
--- a/x-pack/plugins/security_solution/public/timelines/store/timeline/model.ts
+++ b/x-pack/plugins/security_solution/public/timelines/store/timeline/model.ts
@@ -8,14 +8,14 @@ import { Filter } from '../../../../../../../src/plugins/data/public';
 
 import { DataProvider } from '../../components/timeline/data_providers/data_provider';
 import { Sort } from '../../components/timeline/body/sort';
-import {
-  PinnedEvent,
-  TimelineNonEcsData,
+import { PinnedEvent } from '../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../common/search_strategy/timeline';
+import { KueryFilterQuery, SerializedFilterQuery } from '../../../common/store/types';
+import type {
   TimelineType,
   TimelineStatus,
-} from '../../../graphql/types';
-import { KueryFilterQuery, SerializedFilterQuery } from '../../../common/store/types';
-import type { RowRendererId } from '../../../../common/types/timeline';
+  RowRendererId,
+} from '../../../../common/types/timeline';
 
 export const DEFAULT_PAGE_COUNT = 2; // Eui Pager will not render unless this is a minimum of 2 pages
 export type KqlMode = 'filter' | 'search';
diff --git a/x-pack/plugins/security_solution/server/search_strategy/helpers/to_array.ts b/x-pack/plugins/security_solution/server/search_strategy/helpers/to_array.ts
index 4da319d5b1e42..f7d9f408c5e2d 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/helpers/to_array.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/helpers/to_array.ts
@@ -5,4 +5,4 @@
  */
 
 export const toArray = <T = string>(value: T | T[] | null) =>
-  Array.isArray(value) ? value : value == null ? [] : [value];
+  Array.isArray(value) ? value : value == null ? [] : [`${value}`];
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/all/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/all/index.ts
index aacfc227a36ad..7967ef2af4132 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/all/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/all/index.ts
@@ -52,7 +52,7 @@ export const allHosts: SecuritySolutionFactory<HostsQueries.hosts> = {
       edges,
       totalCount,
       pageInfo: {
-        activePage: activePage ? activePage : 0,
+        activePage: activePage ?? 0,
         fakeTotalCount,
         showMorePagesIndicator,
       },
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/all/query.all_hosts.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/all/query.all_hosts.dsl.ts
index 93390c314a637..b257d9cfee418 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/all/query.all_hosts.dsl.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/all/query.all_hosts.dsl.ts
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { isEmpty, isString } from 'lodash/fp';
+import { isEmpty } from 'lodash/fp';
 import { ISearchRequestParams } from '../../../../../../../../../src/plugins/data/common';
 import {
   Direction,
@@ -24,7 +24,7 @@ export const buildHostsQuery = ({
   timerange: { from, to },
 }: HostsRequestOptions): ISearchRequestParams => {
   const filter = [
-    ...createQueryFilterClauses(isString(filterQuery) ? JSON.parse(filterQuery) : filterQuery),
+    ...createQueryFilterClauses(filterQuery),
     {
       range: {
         '@timestamp': {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/__mocks__/index.ts
index 65343dc721fd7..d1c63651997c7 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/__mocks__/index.ts
@@ -3,12 +3,14 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
+
 import { IEsSearchResponse } from '../../../../../../../../../../src/plugins/data/common';
+
 import {
   AuthenticationHit,
   Direction,
-  HostsQueries,
   HostAuthenticationsRequestOptions,
+  HostsQueries,
 } from '../../../../../../../common/search_strategy';
 
 export const mockOptions: HostAuthenticationsRequestOptions = {
@@ -2143,7 +2145,80 @@ export const formattedSearchStrategyResponse = {
   loaded: 21,
   inspect: {
     dsl: [
-      '{\n  "allowNoIndices": true,\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "ignoreUnavailable": true,\n  "body": {\n    "aggregations": {\n      "user_count": {\n        "cardinality": {\n          "field": "user.name"\n        }\n      },\n      "group_by_users": {\n        "terms": {\n          "size": 10,\n          "field": "user.name",\n          "order": [\n            {\n              "successes.doc_count": "desc"\n            },\n            {\n              "failures.doc_count": "desc"\n            }\n          ]\n        },\n        "aggs": {\n          "failures": {\n            "filter": {\n              "term": {\n                "event.outcome": "failure"\n              }\n            },\n            "aggs": {\n              "lastFailure": {\n                "top_hits": {\n                  "size": 1,\n                  "_source": [],\n                  "sort": [\n                    {\n                      "@timestamp": {\n                        "order": "desc"\n                      }\n                    }\n                  ]\n                }\n              }\n            }\n          },\n          "successes": {\n            "filter": {\n              "term": {\n                "event.outcome": "success"\n              }\n            },\n            "aggs": {\n              "lastSuccess": {\n                "top_hits": {\n                  "size": 1,\n                  "_source": [],\n                  "sort": [\n                    {\n                      "@timestamp": {\n                        "order": "desc"\n                      }\n                    }\n                  ]\n                }\n              }\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "term": {\n              "event.category": "authentication"\n            }\n          },\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-02T15:17:13.678Z",\n                "lte": "2020-09-03T15:17:13.678Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          }\n        ]\n      }\n    },\n    "size": 0\n  },\n  "track_total_hits": false\n}',
+      JSON.stringify(
+        {
+          allowNoIndices: true,
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          ignoreUnavailable: true,
+          body: {
+            aggregations: {
+              user_count: { cardinality: { field: 'user.name' } },
+              group_by_users: {
+                terms: {
+                  size: 10,
+                  field: 'user.name',
+                  order: [{ 'successes.doc_count': 'desc' }, { 'failures.doc_count': 'desc' }],
+                },
+                aggs: {
+                  failures: {
+                    filter: { term: { 'event.outcome': 'failure' } },
+                    aggs: {
+                      lastFailure: {
+                        top_hits: {
+                          size: 1,
+                          _source: [],
+                          sort: [{ '@timestamp': { order: 'desc' } }],
+                        },
+                      },
+                    },
+                  },
+                  successes: {
+                    filter: { term: { 'event.outcome': 'success' } },
+                    aggs: {
+                      lastSuccess: {
+                        top_hits: {
+                          size: 1,
+                          _source: [],
+                          sort: [{ '@timestamp': { order: 'desc' } }],
+                        },
+                      },
+                    },
+                  },
+                },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
+                  { term: { 'event.category': 'authentication' } },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-02T15:17:13.678Z',
+                        lte: '2020-09-03T15:17:13.678Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                ],
+              },
+            },
+            size: 0,
+          },
+          track_total_hits: false,
+        },
+        null,
+        2
+      ),
     ],
   },
   edges: [
@@ -2335,7 +2410,7 @@ export const expectedDsl = {
     query: {
       bool: {
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
+          { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
           { term: { 'event.category': 'authentication' } },
           {
             range: {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/index.tsx b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/index.tsx
index d5bdeac38cee5..a43f53880587a 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/index.tsx
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/index.tsx
@@ -55,7 +55,7 @@ export const authentications: SecuritySolutionFactory<HostsQueries.authenticatio
       edges,
       totalCount,
       pageInfo: {
-        activePage: activePage ? activePage : 0,
+        activePage: activePage ?? 0,
         fakeTotalCount,
         showMorePagesIndicator,
       },
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/overview/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/overview/__mocks__/index.ts
index c017f39842ba1..b1f9b04daa1c1 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/overview/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/overview/__mocks__/index.ts
@@ -3,10 +3,12 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
+
 import { IEsSearchResponse } from '../../../../../../../../../../src/plugins/data/common';
+
 import {
-  HostsQueries,
   HostOverviewRequestOptions,
+  HostsQueries,
 } from '../../../../../../../common/search_strategy';
 
 export const mockOptions: HostOverviewRequestOptions = {
@@ -111,7 +113,197 @@ export const formattedSearchStrategyResponse = {
   loaded: 21,
   inspect: {
     dsl: [
-      '{\n  "allowNoIndices": true,\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "ignoreUnavailable": true,\n  "body": {\n    "aggregations": {\n      "auditd_count": {\n        "filter": {\n          "term": {\n            "event.module": "auditd"\n          }\n        }\n      },\n      "endgame_module": {\n        "filter": {\n          "bool": {\n            "should": [\n              {\n                "term": {\n                  "event.module": "endpoint"\n                }\n              },\n              {\n                "term": {\n                  "event.module": "endgame"\n                }\n              }\n            ]\n          }\n        },\n        "aggs": {\n          "dns_event_count": {\n            "filter": {\n              "bool": {\n                "should": [\n                  {\n                    "bool": {\n                      "filter": [\n                        {\n                          "term": {\n                            "network.protocol": "dns"\n                          }\n                        },\n                        {\n                          "term": {\n                            "event.category": "network"\n                          }\n                        }\n                      ]\n                    }\n                  },\n                  {\n                    "term": {\n                      "endgame.event_type_full": "dns_event"\n                    }\n                  }\n                ]\n              }\n            }\n          },\n          "file_event_count": {\n            "filter": {\n              "bool": {\n                "should": [\n                  {\n                    "term": {\n                      "event.category": "file"\n                    }\n                  },\n                  {\n                    "term": {\n                      "endgame.event_type_full": "file_event"\n                    }\n                  }\n                ]\n              }\n            }\n          },\n          "image_load_event_count": {\n            "filter": {\n              "bool": {\n                "should": [\n                  {\n                    "bool": {\n                      "should": [\n                        {\n                          "term": {\n                            "event.category": "library"\n                          }\n                        },\n                        {\n                          "term": {\n                            "event.category": "driver"\n                          }\n                        }\n                      ]\n                    }\n                  },\n                  {\n                    "term": {\n                      "endgame.event_type_full": "image_load_event"\n                    }\n                  }\n                ]\n              }\n            }\n          },\n          "network_event_count": {\n            "filter": {\n              "bool": {\n                "should": [\n                  {\n                    "bool": {\n                      "filter": [\n                        {\n                          "bool": {\n                            "must_not": {\n                              "term": {\n                                "network.protocol": "dns"\n                              }\n                            }\n                          }\n                        },\n                        {\n                          "term": {\n                            "event.category": "network"\n                          }\n                        }\n                      ]\n                    }\n                  },\n                  {\n                    "term": {\n                      "endgame.event_type_full": "network_event"\n                    }\n                  }\n                ]\n              }\n            }\n          },\n          "process_event_count": {\n            "filter": {\n              "bool": {\n                "should": [\n                  {\n                    "term": {\n                      "event.category": "process"\n                    }\n                  },\n                  {\n                    "term": {\n                      "endgame.event_type_full": "process_event"\n                    }\n                  }\n                ]\n              }\n            }\n          },\n          "registry_event": {\n            "filter": {\n              "bool": {\n                "should": [\n                  {\n                    "term": {\n                      "event.category": "registry"\n                    }\n                  },\n                  {\n                    "term": {\n                      "endgame.event_type_full": "registry_event"\n                    }\n                  }\n                ]\n              }\n            }\n          },\n          "security_event_count": {\n            "filter": {\n              "bool": {\n                "should": [\n                  {\n                    "bool": {\n                      "filter": [\n                        {\n                          "term": {\n                            "event.category": "session"\n                          }\n                        },\n                        {\n                          "term": {\n                            "event.category": "authentication"\n                          }\n                        }\n                      ]\n                    }\n                  },\n                  {\n                    "term": {\n                      "endgame.event_type_full": "security_event"\n                    }\n                  }\n                ]\n              }\n            }\n          }\n        }\n      },\n      "fim_count": {\n        "filter": {\n          "term": {\n            "event.module": "file_integrity"\n          }\n        }\n      },\n      "winlog_module": {\n        "filter": {\n          "term": {\n            "agent.type": "winlogbeat"\n          }\n        },\n        "aggs": {\n          "mwsysmon_operational_event_count": {\n            "filter": {\n              "term": {\n                "winlog.channel": "Microsoft-Windows-Sysmon/Operational"\n              }\n            }\n          },\n          "security_event_count": {\n            "filter": {\n              "term": {\n                "winlog.channel": "Security"\n              }\n            }\n          }\n        }\n      },\n      "system_module": {\n        "filter": {\n          "term": {\n            "event.module": "system"\n          }\n        },\n        "aggs": {\n          "login_count": {\n            "filter": {\n              "term": {\n                "event.dataset": "login"\n              }\n            }\n          },\n          "package_count": {\n            "filter": {\n              "term": {\n                "event.dataset": "package"\n              }\n            }\n          },\n          "process_count": {\n            "filter": {\n              "term": {\n                "event.dataset": "process"\n              }\n            }\n          },\n          "user_count": {\n            "filter": {\n              "term": {\n                "event.dataset": "user"\n              }\n            }\n          },\n          "filebeat_count": {\n            "filter": {\n              "term": {\n                "agent.type": "filebeat"\n              }\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}},{\\"bool\\":{\\"filter\\":[{\\"bool\\":{\\"should\\":[{\\"exists\\":{\\"field\\":\\"host.name\\"}}],\\"minimum_should_match\\":1}}]}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-07T09:47:28.606Z",\n                "lte": "2020-09-08T09:47:28.606Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          }\n        ]\n      }\n    },\n    "size": 0,\n    "track_total_hits": false\n  }\n}',
+      JSON.stringify(
+        {
+          allowNoIndices: true,
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          ignoreUnavailable: true,
+          body: {
+            aggregations: {
+              auditd_count: { filter: { term: { 'event.module': 'auditd' } } },
+              endgame_module: {
+                filter: {
+                  bool: {
+                    should: [
+                      { term: { 'event.module': 'endpoint' } },
+                      { term: { 'event.module': 'endgame' } },
+                    ],
+                  },
+                },
+                aggs: {
+                  dns_event_count: {
+                    filter: {
+                      bool: {
+                        should: [
+                          {
+                            bool: {
+                              filter: [
+                                { term: { 'network.protocol': 'dns' } },
+                                { term: { 'event.category': 'network' } },
+                              ],
+                            },
+                          },
+                          { term: { 'endgame.event_type_full': 'dns_event' } },
+                        ],
+                      },
+                    },
+                  },
+                  file_event_count: {
+                    filter: {
+                      bool: {
+                        should: [
+                          { term: { 'event.category': 'file' } },
+                          { term: { 'endgame.event_type_full': 'file_event' } },
+                        ],
+                      },
+                    },
+                  },
+                  image_load_event_count: {
+                    filter: {
+                      bool: {
+                        should: [
+                          {
+                            bool: {
+                              should: [
+                                { term: { 'event.category': 'library' } },
+                                { term: { 'event.category': 'driver' } },
+                              ],
+                            },
+                          },
+                          { term: { 'endgame.event_type_full': 'image_load_event' } },
+                        ],
+                      },
+                    },
+                  },
+                  network_event_count: {
+                    filter: {
+                      bool: {
+                        should: [
+                          {
+                            bool: {
+                              filter: [
+                                { bool: { must_not: { term: { 'network.protocol': 'dns' } } } },
+                                { term: { 'event.category': 'network' } },
+                              ],
+                            },
+                          },
+                          { term: { 'endgame.event_type_full': 'network_event' } },
+                        ],
+                      },
+                    },
+                  },
+                  process_event_count: {
+                    filter: {
+                      bool: {
+                        should: [
+                          { term: { 'event.category': 'process' } },
+                          { term: { 'endgame.event_type_full': 'process_event' } },
+                        ],
+                      },
+                    },
+                  },
+                  registry_event: {
+                    filter: {
+                      bool: {
+                        should: [
+                          { term: { 'event.category': 'registry' } },
+                          { term: { 'endgame.event_type_full': 'registry_event' } },
+                        ],
+                      },
+                    },
+                  },
+                  security_event_count: {
+                    filter: {
+                      bool: {
+                        should: [
+                          {
+                            bool: {
+                              filter: [
+                                { term: { 'event.category': 'session' } },
+                                { term: { 'event.category': 'authentication' } },
+                              ],
+                            },
+                          },
+                          { term: { 'endgame.event_type_full': 'security_event' } },
+                        ],
+                      },
+                    },
+                  },
+                },
+              },
+              fim_count: { filter: { term: { 'event.module': 'file_integrity' } } },
+              winlog_module: {
+                filter: { term: { 'agent.type': 'winlogbeat' } },
+                aggs: {
+                  mwsysmon_operational_event_count: {
+                    filter: { term: { 'winlog.channel': 'Microsoft-Windows-Sysmon/Operational' } },
+                  },
+                  security_event_count: { filter: { term: { 'winlog.channel': 'Security' } } },
+                },
+              },
+              system_module: {
+                filter: { term: { 'event.module': 'system' } },
+                aggs: {
+                  login_count: { filter: { term: { 'event.dataset': 'login' } } },
+                  package_count: { filter: { term: { 'event.dataset': 'package' } } },
+                  process_count: { filter: { term: { 'event.dataset': 'process' } } },
+                  user_count: { filter: { term: { 'event.dataset': 'user' } } },
+                  filebeat_count: { filter: { term: { 'agent.type': 'filebeat' } } },
+                },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  {
+                    bool: {
+                      must: [],
+                      filter: [
+                        { match_all: {} },
+                        {
+                          bool: {
+                            filter: [
+                              {
+                                bool: {
+                                  should: [{ exists: { field: 'host.name' } }],
+                                  minimum_should_match: 1,
+                                },
+                              },
+                            ],
+                          },
+                        },
+                      ],
+                      should: [],
+                      must_not: [],
+                    },
+                  },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-07T09:47:28.606Z',
+                        lte: '2020-09-08T09:47:28.606Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                ],
+              },
+            },
+            size: 0,
+            track_total_hits: false,
+          },
+        },
+        null,
+        2
+      ),
     ],
   },
   overviewHost: {
@@ -283,7 +475,28 @@ export const expectedDsl = {
     query: {
       bool: {
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}},{"bool":{"filter":[{"bool":{"should":[{"exists":{"field":"host.name"}}],"minimum_should_match":1}}]}}],"should":[],"must_not":[]}}',
+          {
+            bool: {
+              must: [],
+              filter: [
+                { match_all: {} },
+                {
+                  bool: {
+                    filter: [
+                      {
+                        bool: {
+                          should: [{ exists: { field: 'host.name' } }],
+                          minimum_should_match: 1,
+                        },
+                      },
+                    ],
+                  },
+                },
+              ],
+              should: [],
+              must_not: [],
+            },
+          },
           {
             range: {
               '@timestamp': {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/uncommon_processes/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/uncommon_processes/__mocks__/index.ts
index 5f0e2af8ae921..1c0b44bdfc4f6 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/uncommon_processes/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/uncommon_processes/__mocks__/index.ts
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { SortField, HostsQueries } from '../../../../../../../common/search_strategy';
+import { HostsQueries, SortField } from '../../../../../../../common/search_strategy';
 
 export const mockOptions = {
   defaultIndex: [
@@ -4260,7 +4260,7 @@ export const formattedSearchStrategyResponse = {
           },
         ],
         user: {
-          id: [0],
+          id: ['0'],
           name: ['root'],
         },
       },
@@ -4284,7 +4284,7 @@ export const formattedSearchStrategyResponse = {
           },
         ],
         user: {
-          id: [0],
+          id: ['0'],
           name: ['root'],
         },
       },
@@ -4296,7 +4296,131 @@ export const formattedSearchStrategyResponse = {
   ],
   inspect: {
     dsl: [
-      '{\n  "allowNoIndices": true,\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "ignoreUnavailable": true,\n  "body": {\n    "aggregations": {\n      "process_count": {\n        "cardinality": {\n          "field": "process.name"\n        }\n      },\n      "group_by_process": {\n        "terms": {\n          "size": 10,\n          "field": "process.name",\n          "order": [\n            {\n              "host_count": "asc"\n            },\n            {\n              "_count": "asc"\n            },\n            {\n              "_key": "asc"\n            }\n          ]\n        },\n        "aggregations": {\n          "process": {\n            "top_hits": {\n              "size": 1,\n              "sort": [\n                {\n                  "@timestamp": {\n                    "order": "desc"\n                  }\n                }\n              ],\n              "_source": [\n                "process.args",\n                "process.name",\n                "user.id",\n                "user.name"\n              ]\n            }\n          },\n          "host_count": {\n            "cardinality": {\n              "field": "host.name"\n            }\n          },\n          "hosts": {\n            "terms": {\n              "field": "host.name"\n            },\n            "aggregations": {\n              "host": {\n                "top_hits": {\n                  "size": 1,\n                  "_source": []\n                }\n              }\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "should": [\n          {\n            "bool": {\n              "filter": [\n                {\n                  "term": {\n                    "agent.type": "auditbeat"\n                  }\n                },\n                {\n                  "term": {\n                    "event.module": "auditd"\n                  }\n                },\n                {\n                  "term": {\n                    "event.action": "executed"\n                  }\n                }\n              ]\n            }\n          },\n          {\n            "bool": {\n              "filter": [\n                {\n                  "term": {\n                    "agent.type": "auditbeat"\n                  }\n                },\n                {\n                  "term": {\n                    "event.module": "system"\n                  }\n                },\n                {\n                  "term": {\n                    "event.dataset": "process"\n                  }\n                },\n                {\n                  "term": {\n                    "event.action": "process_started"\n                  }\n                }\n              ]\n            }\n          },\n          {\n            "bool": {\n              "filter": [\n                {\n                  "term": {\n                    "agent.type": "winlogbeat"\n                  }\n                },\n                {\n                  "term": {\n                    "event.code": "4688"\n                  }\n                }\n              ]\n            }\n          },\n          {\n            "bool": {\n              "filter": [\n                {\n                  "term": {\n                    "winlog.event_id": 1\n                  }\n                },\n                {\n                  "term": {\n                    "winlog.channel": "Microsoft-Windows-Sysmon/Operational"\n                  }\n                }\n              ]\n            }\n          },\n          {\n            "bool": {\n              "filter": [\n                {\n                  "term": {\n                    "event.type": "process_start"\n                  }\n                },\n                {\n                  "term": {\n                    "event.category": "process"\n                  }\n                }\n              ]\n            }\n          },\n          {\n            "bool": {\n              "filter": [\n                {\n                  "term": {\n                    "event.category": "process"\n                  }\n                },\n                {\n                  "term": {\n                    "event.type": "start"\n                  }\n                }\n              ]\n            }\n          }\n        ],\n        "minimum_should_match": 1,\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}},{\\"match_phrase\\":{\\"host.name\\":{\\"query\\":\\"siem-kibana\\"}}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-06T15:23:52.757Z",\n                "lte": "2020-09-07T15:23:52.757Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          }\n        ]\n      }\n    }\n  },\n  "size": 0,\n  "track_total_hits": false\n}',
+      JSON.stringify(
+        {
+          allowNoIndices: true,
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          ignoreUnavailable: true,
+          body: {
+            aggregations: {
+              process_count: { cardinality: { field: 'process.name' } },
+              group_by_process: {
+                terms: {
+                  size: 10,
+                  field: 'process.name',
+                  order: [{ host_count: 'asc' }, { _count: 'asc' }, { _key: 'asc' }],
+                },
+                aggregations: {
+                  process: {
+                    top_hits: {
+                      size: 1,
+                      sort: [{ '@timestamp': { order: 'desc' } }],
+                      _source: ['process.args', 'process.name', 'user.id', 'user.name'],
+                    },
+                  },
+                  host_count: { cardinality: { field: 'host.name' } },
+                  hosts: {
+                    terms: { field: 'host.name' },
+                    aggregations: { host: { top_hits: { size: 1, _source: [] } } },
+                  },
+                },
+              },
+            },
+            query: {
+              bool: {
+                should: [
+                  {
+                    bool: {
+                      filter: [
+                        { term: { 'agent.type': 'auditbeat' } },
+                        { term: { 'event.module': 'auditd' } },
+                        { term: { 'event.action': 'executed' } },
+                      ],
+                    },
+                  },
+                  {
+                    bool: {
+                      filter: [
+                        { term: { 'agent.type': 'auditbeat' } },
+                        { term: { 'event.module': 'system' } },
+                        { term: { 'event.dataset': 'process' } },
+                        { term: { 'event.action': 'process_started' } },
+                      ],
+                    },
+                  },
+                  {
+                    bool: {
+                      filter: [
+                        { term: { 'agent.type': 'winlogbeat' } },
+                        { term: { 'event.code': '4688' } },
+                      ],
+                    },
+                  },
+                  {
+                    bool: {
+                      filter: [
+                        { term: { 'winlog.event_id': 1 } },
+                        { term: { 'winlog.channel': 'Microsoft-Windows-Sysmon/Operational' } },
+                      ],
+                    },
+                  },
+                  {
+                    bool: {
+                      filter: [
+                        { term: { 'event.type': 'process_start' } },
+                        { term: { 'event.category': 'process' } },
+                      ],
+                    },
+                  },
+                  {
+                    bool: {
+                      filter: [
+                        { term: { 'event.category': 'process' } },
+                        { term: { 'event.type': 'start' } },
+                      ],
+                    },
+                  },
+                ],
+                minimum_should_match: 1,
+                filter: [
+                  {
+                    bool: {
+                      must: [],
+                      filter: [
+                        { match_all: {} },
+                        { match_phrase: { 'host.name': { query: 'siem-kibana' } } },
+                      ],
+                      should: [],
+                      must_not: [],
+                    },
+                  },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-06T15:23:52.757Z',
+                        lte: '2020-09-07T15:23:52.757Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                ],
+              },
+            },
+          },
+          size: 0,
+          track_total_hits: false,
+        },
+        null,
+        2
+      ),
     ],
   },
   pageInfo: {
@@ -4401,7 +4525,17 @@ export const expectedDsl = {
         ],
         minimum_should_match: 1,
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}},{"match_phrase":{"host.name":{"query":"siem-kibana"}}}],"should":[],"must_not":[]}}',
+          {
+            bool: {
+              must: [],
+              filter: [
+                { match_all: {} },
+                { match_phrase: { 'host.name': { query: 'siem-kibana' } } },
+              ],
+              should: [],
+              must_not: [],
+            },
+          },
           {
             range: {
               '@timestamp': {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/uncommon_processes/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/uncommon_processes/index.ts
index fcc76eebe4cf5..5682e63b50ed0 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/uncommon_processes/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/uncommon_processes/index.ts
@@ -58,7 +58,7 @@ export const uncommonProcesses: SecuritySolutionFactory<HostsQueries.uncommonPro
       edges,
       inspect,
       pageInfo: {
-        activePage: activePage ? activePage : 0,
+        activePage: activePage ?? 0,
         fakeTotalCount,
         showMorePagesIndicator,
       },
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/__mocks__/index.ts
index 73cf74087aad6..c1c4db53ba4e3 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/__mocks__/index.ts
@@ -28,7 +28,96 @@ export const formattedAlertsSearchStrategyResponse: MatrixHistogramStrategyRespo
   ...mockAlertsSearchStrategyResponse,
   inspect: {
     dsl: [
-      '{\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "allowNoIndices": true,\n  "ignoreUnavailable": true,\n  "body": {\n    "aggregations": {\n      "alertsGroup": {\n        "terms": {\n          "field": "event.module",\n          "missing": "All others",\n          "order": {\n            "_count": "desc"\n          },\n          "size": 10\n        },\n        "aggs": {\n          "alerts": {\n            "date_histogram": {\n              "field": "@timestamp",\n              "fixed_interval": "2700000ms",\n              "min_doc_count": 0,\n              "extended_bounds": {\n                "min": 1599574984482,\n                "max": 1599661384482\n              }\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}},{\\"bool\\":{\\"filter\\":[{\\"bool\\":{\\"should\\":[{\\"exists\\":{\\"field\\":\\"host.name\\"}}],\\"minimum_should_match\\":1}}]}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "bool": {\n              "filter": [\n                {\n                  "bool": {\n                    "should": [\n                      {\n                        "match": {\n                          "event.kind": "alert"\n                        }\n                      }\n                    ],\n                    "minimum_should_match": 1\n                  }\n                }\n              ]\n            }\n          },\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-08T14:23:04.482Z",\n                "lte": "2020-09-09T14:23:04.482Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          }\n        ]\n      }\n    },\n    "size": 0,\n    "track_total_hits": true\n  }\n}',
+      JSON.stringify(
+        {
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          allowNoIndices: true,
+          ignoreUnavailable: true,
+          body: {
+            aggregations: {
+              alertsGroup: {
+                terms: {
+                  field: 'event.module',
+                  missing: 'All others',
+                  order: { _count: 'desc' },
+                  size: 10,
+                },
+                aggs: {
+                  alerts: {
+                    date_histogram: {
+                      field: '@timestamp',
+                      fixed_interval: '2700000ms',
+                      min_doc_count: 0,
+                      extended_bounds: { min: 1599574984482, max: 1599661384482 },
+                    },
+                  },
+                },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  {
+                    bool: {
+                      must: [],
+                      filter: [
+                        { match_all: {} },
+                        {
+                          bool: {
+                            filter: [
+                              {
+                                bool: {
+                                  should: [{ exists: { field: 'host.name' } }],
+                                  minimum_should_match: 1,
+                                },
+                              },
+                            ],
+                          },
+                        },
+                      ],
+                      should: [],
+                      must_not: [],
+                    },
+                  },
+                  {
+                    bool: {
+                      filter: [
+                        {
+                          bool: {
+                            should: [{ match: { 'event.kind': 'alert' } }],
+                            minimum_should_match: 1,
+                          },
+                        },
+                      ],
+                    },
+                  },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-08T14:23:04.482Z',
+                        lte: '2020-09-09T14:23:04.482Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                ],
+              },
+            },
+            size: 0,
+            track_total_hits: true,
+          },
+        },
+        null,
+        2
+      ),
     ],
   },
   matrixHistogramData: [],
@@ -105,7 +194,75 @@ export const formattedAnomaliesSearchStrategyResponse: MatrixHistogramStrategyRe
   ...mockAnomaliesSearchStrategyResponse,
   inspect: {
     dsl: [
-      '{\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "allowNoIndices": true,\n  "ignoreUnavailable": true,\n  "body": {\n    "aggs": {\n      "anomalyActionGroup": {\n        "terms": {\n          "field": "job_id",\n          "order": {\n            "_count": "desc"\n          },\n          "size": 10\n        },\n        "aggs": {\n          "anomalies": {\n            "date_histogram": {\n              "field": "timestamp",\n              "fixed_interval": "2700000ms",\n              "min_doc_count": 0,\n              "extended_bounds": {\n                "min": 1599578075566,\n                "max": 1599664475566\n              }\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}},{\\"bool\\":{\\"should\\":[],\\"minimum_should_match\\":1}},{\\"match_phrase\\":{\\"result_type\\":\\"record\\"}},null,{\\"range\\":{\\"record_score\\":{\\"gte\\":50}}}],\\"should\\":[{\\"exists\\":{\\"field\\":\\"source.ip\\"}},{\\"exists\\":{\\"field\\":\\"destination.ip\\"}}],\\"must_not\\":[],\\"minimum_should_match\\":1}}",\n          {\n            "range": {\n              "timestamp": {\n                "gte": "2020-09-08T15:14:35.566Z",\n                "lte": "2020-09-09T15:14:35.566Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          }\n        ]\n      }\n    },\n    "size": 0,\n    "track_total_hits": true\n  }\n}',
+      JSON.stringify(
+        {
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          allowNoIndices: true,
+          ignoreUnavailable: true,
+          body: {
+            aggs: {
+              anomalyActionGroup: {
+                terms: { field: 'job_id', order: { _count: 'desc' }, size: 10 },
+                aggs: {
+                  anomalies: {
+                    date_histogram: {
+                      field: 'timestamp',
+                      fixed_interval: '2700000ms',
+                      min_doc_count: 0,
+                      extended_bounds: { min: 1599578075566, max: 1599664475566 },
+                    },
+                  },
+                },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  {
+                    bool: {
+                      must: [],
+                      filter: [
+                        { match_all: {} },
+                        { bool: { should: [], minimum_should_match: 1 } },
+                        { match_phrase: { result_type: 'record' } },
+                        null,
+                        { range: { record_score: { gte: 50 } } },
+                      ],
+                      should: [
+                        { exists: { field: 'source.ip' } },
+                        { exists: { field: 'destination.ip' } },
+                      ],
+                      must_not: [],
+                      minimum_should_match: 1,
+                    },
+                  },
+                  {
+                    range: {
+                      timestamp: {
+                        gte: '2020-09-08T15:14:35.566Z',
+                        lte: '2020-09-09T15:14:35.566Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                ],
+              },
+            },
+            size: 0,
+            track_total_hits: true,
+          },
+        },
+        null,
+        2
+      ),
     ],
   },
   matrixHistogramData: [],
@@ -219,7 +376,64 @@ export const formattedAuthenticationsSearchStrategyResponse: MatrixHistogramStra
   ...mockAuthenticationsSearchStrategyResponse,
   inspect: {
     dsl: [
-      '{\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "allowNoIndices": true,\n  "ignoreUnavailable": true,\n  "body": {\n    "aggregations": {\n      "eventActionGroup": {\n        "terms": {\n          "field": "event.outcome",\n          "include": [\n            "success",\n            "failure"\n          ],\n          "order": {\n            "_count": "desc"\n          },\n          "size": 2\n        },\n        "aggs": {\n          "events": {\n            "date_histogram": {\n              "field": "@timestamp",\n              "fixed_interval": "2700000ms",\n              "min_doc_count": 0,\n              "extended_bounds": {\n                "min": 1599578520325,\n                "max": 1599664920325\n              }\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "bool": {\n              "must": [\n                {\n                  "term": {\n                    "event.category": "authentication"\n                  }\n                }\n              ]\n            }\n          },\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-08T15:22:00.325Z",\n                "lte": "2020-09-09T15:22:00.325Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          }\n        ]\n      }\n    },\n    "size": 0,\n    "track_total_hits": true\n  }\n}',
+      JSON.stringify(
+        {
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          allowNoIndices: true,
+          ignoreUnavailable: true,
+          body: {
+            aggregations: {
+              eventActionGroup: {
+                terms: {
+                  field: 'event.outcome',
+                  include: ['success', 'failure'],
+                  order: { _count: 'desc' },
+                  size: 2,
+                },
+                aggs: {
+                  events: {
+                    date_histogram: {
+                      field: '@timestamp',
+                      fixed_interval: '2700000ms',
+                      min_doc_count: 0,
+                      extended_bounds: { min: 1599578520325, max: 1599664920325 },
+                    },
+                  },
+                },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
+                  { bool: { must: [{ term: { 'event.category': 'authentication' } }] } },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-08T15:22:00.325Z',
+                        lte: '2020-09-09T15:22:00.325Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                ],
+              },
+            },
+            size: 0,
+            track_total_hits: true,
+          },
+        },
+        null,
+        2
+      ),
     ],
   },
   matrixHistogramData: [
@@ -728,7 +942,63 @@ export const formattedEventsSearchStrategyResponse: MatrixHistogramStrategyRespo
   ...mockEventsSearchStrategyResponse,
   inspect: {
     dsl: [
-      '{\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "allowNoIndices": true,\n  "ignoreUnavailable": true,\n  "body": {\n    "aggregations": {\n      "eventActionGroup": {\n        "terms": {\n          "field": "event.action",\n          "missing": "All others",\n          "order": {\n            "_count": "desc"\n          },\n          "size": 10\n        },\n        "aggs": {\n          "events": {\n            "date_histogram": {\n              "field": "@timestamp",\n              "fixed_interval": "2700000ms",\n              "min_doc_count": 0,\n              "extended_bounds": {\n                "min": 1599581486215,\n                "max": 1599667886215\n              }\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-08T16:11:26.215Z",\n                "lte": "2020-09-09T16:11:26.215Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          }\n        ]\n      }\n    },\n    "size": 0,\n    "track_total_hits": true\n  }\n}',
+      JSON.stringify(
+        {
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          allowNoIndices: true,
+          ignoreUnavailable: true,
+          body: {
+            aggregations: {
+              eventActionGroup: {
+                terms: {
+                  field: 'event.action',
+                  missing: 'All others',
+                  order: { _count: 'desc' },
+                  size: 10,
+                },
+                aggs: {
+                  events: {
+                    date_histogram: {
+                      field: '@timestamp',
+                      fixed_interval: '2700000ms',
+                      min_doc_count: 0,
+                      extended_bounds: { min: 1599581486215, max: 1599667886215 },
+                    },
+                  },
+                },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-08T16:11:26.215Z',
+                        lte: '2020-09-09T16:11:26.215Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                ],
+              },
+            },
+            size: 0,
+            track_total_hits: true,
+          },
+        },
+        null,
+        2
+      ),
     ],
   },
   totalCount: 0,
@@ -1294,7 +1564,58 @@ export const formattedDnsSearchStrategyResponse: MatrixHistogramStrategyResponse
   ...mockDnsSearchStrategyResponse,
   inspect: {
     dsl: [
-      '{\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "allowNoIndices": true,\n  "ignoreUnavailable": true,\n  "body": {\n    "aggregations": {\n      "NetworkDns": {\n        "date_histogram": {\n          "field": "@timestamp",\n          "fixed_interval": "2700000ms"\n        },\n        "aggs": {\n          "dns": {\n            "terms": {\n              "field": "dns.question.registered_domain",\n              "order": {\n                "orderAgg": "desc"\n              },\n              "size": 10\n            },\n            "aggs": {\n              "orderAgg": {\n                "cardinality": {\n                  "field": "dns.question.name"\n                }\n              }\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-08T15:41:15.528Z",\n                "lte": "2020-09-09T15:41:15.529Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          }\n        ]\n      }\n    },\n    "size": 0,\n    "track_total_hits": true\n  }\n}',
+      JSON.stringify(
+        {
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          allowNoIndices: true,
+          ignoreUnavailable: true,
+          body: {
+            aggregations: {
+              NetworkDns: {
+                date_histogram: { field: '@timestamp', fixed_interval: '2700000ms' },
+                aggs: {
+                  dns: {
+                    terms: {
+                      field: 'dns.question.registered_domain',
+                      order: { orderAgg: 'desc' },
+                      size: 10,
+                    },
+                    aggs: { orderAgg: { cardinality: { field: 'dns.question.name' } } },
+                  },
+                },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-08T15:41:15.528Z',
+                        lte: '2020-09-09T15:41:15.529Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                ],
+              },
+            },
+            size: 0,
+            track_total_hits: true,
+          },
+        },
+        null,
+        2
+      ),
     ],
   },
   matrixHistogramData: [
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/alerts/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/alerts/__mocks__/index.ts
index 8b2e666ad0103..df304552f9fc2 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/alerts/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/alerts/__mocks__/index.ts
@@ -59,7 +59,28 @@ export const expectedDsl = {
     query: {
       bool: {
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}},{"bool":{"filter":[{"bool":{"should":[{"exists":{"field":"host.name"}}],"minimum_should_match":1}}]}}],"should":[],"must_not":[]}}',
+          {
+            bool: {
+              must: [],
+              filter: [
+                { match_all: {} },
+                {
+                  bool: {
+                    filter: [
+                      {
+                        bool: {
+                          should: [{ exists: { field: 'host.name' } }],
+                          minimum_should_match: 1,
+                        },
+                      },
+                    ],
+                  },
+                },
+              ],
+              should: [],
+              must_not: [],
+            },
+          },
           {
             bool: {
               filter: [
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/anomalies/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/anomalies/__mocks__/index.ts
index 6ca3c785e2e75..de0fcd8e22207 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/anomalies/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/anomalies/__mocks__/index.ts
@@ -54,7 +54,21 @@ export const expectedDsl = {
     query: {
       bool: {
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}},{"bool":{"should":[],"minimum_should_match":1}},{"match_phrase":{"result_type":"record"}},null,{"range":{"record_score":{"gte":50}}}],"should":[{"exists":{"field":"source.ip"}},{"exists":{"field":"destination.ip"}}],"must_not":[],"minimum_should_match":1}}',
+          {
+            bool: {
+              must: [],
+              filter: [
+                { match_all: {} },
+                { bool: { should: [], minimum_should_match: 1 } },
+                { match_phrase: { result_type: 'record' } },
+                null,
+                { range: { record_score: { gte: 50 } } },
+              ],
+              should: [{ exists: { field: 'source.ip' } }, { exists: { field: 'destination.ip' } }],
+              must_not: [],
+              minimum_should_match: 1,
+            },
+          },
           {
             range: {
               timestamp: {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/authentications/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/authentications/__mocks__/index.ts
index 1fd420dbb94cb..136c9964717c3 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/authentications/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/authentications/__mocks__/index.ts
@@ -58,7 +58,7 @@ export const expectedDsl = {
     query: {
       bool: {
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
+          { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
           { bool: { must: [{ term: { 'event.category': 'authentication' } }] } },
           {
             range: {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/dns/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/dns/__mocks__/index.ts
index 94ba20327a404..3a769127bbe85 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/dns/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/dns/__mocks__/index.ts
@@ -53,7 +53,7 @@ export const expectedDsl = {
     query: {
       bool: {
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
+          { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
           {
             range: {
               '@timestamp': {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/events/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/events/__mocks__/index.ts
index 09b710ab33c76..61f672203e45f 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/events/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/events/__mocks__/index.ts
@@ -63,7 +63,7 @@ export const expectedDsl = {
     query: {
       bool: {
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
+          { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
           {
             range: {
               '@timestamp': {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/__mocks__/index.ts
index f0605c5523fd9..d3625a96c6db9 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/__mocks__/index.ts
@@ -127,7 +127,59 @@ export const formattedSearchStrategyResponse = {
   ],
   inspect: {
     dsl: [
-      '{\n  "allowNoIndices": true,\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "ignoreUnavailable": true,\n  "body": {\n    "aggregations": {\n      "dns_count": {\n        "cardinality": {\n          "field": "dns.question.registered_domain"\n        }\n      },\n      "dns_name_query_count": {\n        "terms": {\n          "field": "dns.question.registered_domain",\n          "size": 10,\n          "order": {\n            "unique_domains": "desc"\n          }\n        },\n        "aggs": {\n          "unique_domains": {\n            "cardinality": {\n              "field": "dns.question.name"\n            }\n          },\n          "dns_bytes_in": {\n            "sum": {\n              "field": "source.bytes"\n            }\n          },\n          "dns_bytes_out": {\n            "sum": {\n              "field": "destination.bytes"\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-13T09:00:43.249Z",\n                "lte": "2020-09-14T09:00:43.249Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          }\n        ],\n        "must_not": [\n          {\n            "term": {\n              "dns.question.type": {\n                "value": "PTR"\n              }\n            }\n          }\n        ]\n      }\n    }\n  },\n  "size": 0,\n  "track_total_hits": false\n}',
+      JSON.stringify(
+        {
+          allowNoIndices: true,
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          ignoreUnavailable: true,
+          body: {
+            aggregations: {
+              dns_count: { cardinality: { field: 'dns.question.registered_domain' } },
+              dns_name_query_count: {
+                terms: {
+                  field: 'dns.question.registered_domain',
+                  size: 10,
+                  order: { unique_domains: 'desc' },
+                },
+                aggs: {
+                  unique_domains: { cardinality: { field: 'dns.question.name' } },
+                  dns_bytes_in: { sum: { field: 'source.bytes' } },
+                  dns_bytes_out: { sum: { field: 'destination.bytes' } },
+                },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-13T09:00:43.249Z',
+                        lte: '2020-09-14T09:00:43.249Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                ],
+                must_not: [{ term: { 'dns.question.type': { value: 'PTR' } } }],
+              },
+            },
+          },
+          size: 0,
+          track_total_hits: false,
+        },
+        null,
+        2
+      ),
     ],
   },
   pageInfo: { activePage: 0, fakeTotalCount: 2, showMorePagesIndicator: false },
@@ -165,7 +217,7 @@ export const expectedDsl = {
     query: {
       bool: {
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
+          { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
           {
             range: {
               '@timestamp': {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/index.ts
index 8e734ca9d1179..ca7743126df4c 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/index.ts
@@ -48,7 +48,7 @@ export const networkDns: SecuritySolutionFactory<NetworkQueries.dns> = {
       edges,
       inspect,
       pageInfo: {
-        activePage: activePage ? activePage : 0,
+        activePage: activePage ?? 0,
         fakeTotalCount,
         showMorePagesIndicator,
       },
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/__mocks__/index.ts
index 9991d267707b7..d105cb621cf46 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/__mocks__/index.ts
@@ -615,7 +615,58 @@ export const formattedSearchStrategyResponse = {
   ],
   inspect: {
     dsl: [
-      '{\n  "allowNoIndices": true,\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "ignoreUnavailable": true,\n  "body": {\n    "aggregations": {\n      "http_count": {\n        "cardinality": {\n          "field": "url.path"\n        }\n      },\n      "url": {\n        "terms": {\n          "field": "url.path",\n          "size": 10,\n          "order": {\n            "_count": "desc"\n          }\n        },\n        "aggs": {\n          "methods": {\n            "terms": {\n              "field": "http.request.method",\n              "size": 4\n            }\n          },\n          "domains": {\n            "terms": {\n              "field": "url.domain",\n              "size": 4\n            }\n          },\n          "status": {\n            "terms": {\n              "field": "http.response.status_code",\n              "size": 4\n            }\n          },\n          "source": {\n            "top_hits": {\n              "size": 1,\n              "_source": {\n                "includes": [\n                  "host.name",\n                  "source.ip"\n                ]\n              }\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-13T09:00:43.249Z",\n                "lte": "2020-09-14T09:00:43.249Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          },\n          {\n            "exists": {\n              "field": "http.request.method"\n            }\n          }\n        ]\n      }\n    }\n  },\n  "size": 0,\n  "track_total_hits": false\n}',
+      JSON.stringify(
+        {
+          allowNoIndices: true,
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          ignoreUnavailable: true,
+          body: {
+            aggregations: {
+              http_count: { cardinality: { field: 'url.path' } },
+              url: {
+                terms: { field: 'url.path', size: 10, order: { _count: 'desc' } },
+                aggs: {
+                  methods: { terms: { field: 'http.request.method', size: 4 } },
+                  domains: { terms: { field: 'url.domain', size: 4 } },
+                  status: { terms: { field: 'http.response.status_code', size: 4 } },
+                  source: {
+                    top_hits: { size: 1, _source: { includes: ['host.name', 'source.ip'] } },
+                  },
+                },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-13T09:00:43.249Z',
+                        lte: '2020-09-14T09:00:43.249Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                  { exists: { field: 'http.request.method' } },
+                ],
+              },
+            },
+          },
+          size: 0,
+          track_total_hits: false,
+        },
+        null,
+        2
+      ),
     ],
   },
   pageInfo: { activePage: 0, fakeTotalCount: 50, showMorePagesIndicator: true },
@@ -650,7 +701,7 @@ export const expectedDsl = {
     query: {
       bool: {
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
+          { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
           {
             range: {
               '@timestamp': {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/index.ts
index c0205ccce63cc..6ad4ac9cb8e33 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/index.ts
@@ -48,7 +48,7 @@ export const networkHttp: SecuritySolutionFactory<NetworkQueries.http> = {
       edges,
       inspect,
       pageInfo: {
-        activePage: activePage ? activePage : 0,
+        activePage: activePage ?? 0,
         fakeTotalCount,
         showMorePagesIndicator,
       },
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/overview/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/overview/__mocks__/index.ts
index 8f34d31e49e1d..2c3eb37e25453 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/overview/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/overview/__mocks__/index.ts
@@ -97,7 +97,96 @@ export const formattedSearchStrategyResponse = {
   ...mockSearchStrategyResponse,
   inspect: {
     dsl: [
-      '{\n  "allowNoIndices": true,\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "ignoreUnavailable": true,\n  "body": {\n    "aggregations": {\n      "unique_flow_count": {\n        "filter": {\n          "term": {\n            "type": "flow"\n          }\n        }\n      },\n      "unique_dns_count": {\n        "filter": {\n          "term": {\n            "type": "dns"\n          }\n        }\n      },\n      "unique_suricata_count": {\n        "filter": {\n          "term": {\n            "service.type": "suricata"\n          }\n        }\n      },\n      "unique_zeek_count": {\n        "filter": {\n          "term": {\n            "service.type": "zeek"\n          }\n        }\n      },\n      "unique_socket_count": {\n        "filter": {\n          "term": {\n            "event.dataset": "socket"\n          }\n        }\n      },\n      "unique_filebeat_count": {\n        "filter": {\n          "term": {\n            "agent.type": "filebeat"\n          }\n        },\n        "aggs": {\n          "unique_netflow_count": {\n            "filter": {\n              "term": {\n                "input.type": "netflow"\n              }\n            }\n          },\n          "unique_panw_count": {\n            "filter": {\n              "term": {\n                "event.module": "panw"\n              }\n            }\n          },\n          "unique_cisco_count": {\n            "filter": {\n              "term": {\n                "event.module": "cisco"\n              }\n            }\n          }\n        }\n      },\n      "unique_packetbeat_count": {\n        "filter": {\n          "term": {\n            "agent.type": "packetbeat"\n          }\n        },\n        "aggs": {\n          "unique_tls_count": {\n            "filter": {\n              "term": {\n                "network.protocol": "tls"\n              }\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}},{\\"bool\\":{\\"filter\\":[{\\"bool\\":{\\"should\\":[{\\"bool\\":{\\"should\\":[{\\"exists\\":{\\"field\\":\\"source.ip\\"}}],\\"minimum_should_match\\":1}},{\\"bool\\":{\\"should\\":[{\\"exists\\":{\\"field\\":\\"destination.ip\\"}}],\\"minimum_should_match\\":1}}],\\"minimum_should_match\\":1}}]}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-13T12:54:24.685Z",\n                "lte": "2020-09-14T12:54:24.685Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          }\n        ]\n      }\n    },\n    "size": 0,\n    "track_total_hits": false\n  }\n}',
+      JSON.stringify(
+        {
+          allowNoIndices: true,
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          ignoreUnavailable: true,
+          body: {
+            aggregations: {
+              unique_flow_count: { filter: { term: { type: 'flow' } } },
+              unique_dns_count: { filter: { term: { type: 'dns' } } },
+              unique_suricata_count: { filter: { term: { 'service.type': 'suricata' } } },
+              unique_zeek_count: { filter: { term: { 'service.type': 'zeek' } } },
+              unique_socket_count: { filter: { term: { 'event.dataset': 'socket' } } },
+              unique_filebeat_count: {
+                filter: { term: { 'agent.type': 'filebeat' } },
+                aggs: {
+                  unique_netflow_count: { filter: { term: { 'input.type': 'netflow' } } },
+                  unique_panw_count: { filter: { term: { 'event.module': 'panw' } } },
+                  unique_cisco_count: { filter: { term: { 'event.module': 'cisco' } } },
+                },
+              },
+              unique_packetbeat_count: {
+                filter: { term: { 'agent.type': 'packetbeat' } },
+                aggs: { unique_tls_count: { filter: { term: { 'network.protocol': 'tls' } } } },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  {
+                    bool: {
+                      must: [],
+                      filter: [
+                        { match_all: {} },
+                        {
+                          bool: {
+                            filter: [
+                              {
+                                bool: {
+                                  should: [
+                                    {
+                                      bool: {
+                                        should: [{ exists: { field: 'source.ip' } }],
+                                        minimum_should_match: 1,
+                                      },
+                                    },
+                                    {
+                                      bool: {
+                                        should: [{ exists: { field: 'destination.ip' } }],
+                                        minimum_should_match: 1,
+                                      },
+                                    },
+                                  ],
+                                  minimum_should_match: 1,
+                                },
+                              },
+                            ],
+                          },
+                        },
+                      ],
+                      should: [],
+                      must_not: [],
+                    },
+                  },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-13T12:54:24.685Z',
+                        lte: '2020-09-14T12:54:24.685Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                ],
+              },
+            },
+            size: 0,
+            track_total_hits: false,
+          },
+        },
+        null,
+        2
+      ),
     ],
   },
   overviewNetwork: {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/tls/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/tls/__mocks__/index.ts
index 15e2ac3cc0f69..50a263572edb8 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/tls/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/tls/__mocks__/index.ts
@@ -8,10 +8,10 @@ import { IEsSearchResponse } from '../../../../../../../../../../src/plugins/dat
 
 import {
   Direction,
+  FlowTargetSourceDest,
+  NetworkQueries,
   NetworkTlsFields,
   NetworkTlsRequestOptions,
-  NetworkQueries,
-  FlowTargetSourceDest,
 } from '../../../../../../../common/search_strategy';
 
 export const mockOptions: NetworkTlsRequestOptions = {
@@ -55,7 +55,55 @@ export const formattedSearchStrategyResponse = {
   edges: [],
   inspect: {
     dsl: [
-      '{\n  "allowNoIndices": true,\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "ignoreUnavailable": true,\n  "body": {\n    "aggs": {\n      "count": {\n        "cardinality": {\n          "field": "tls.server.hash.sha1"\n        }\n      },\n      "sha1": {\n        "terms": {\n          "field": "tls.server.hash.sha1",\n          "size": 10,\n          "order": {\n            "_key": "desc"\n          }\n        },\n        "aggs": {\n          "issuers": {\n            "terms": {\n              "field": "tls.server.issuer"\n            }\n          },\n          "subjects": {\n            "terms": {\n              "field": "tls.server.subject"\n            }\n          },\n          "not_after": {\n            "terms": {\n              "field": "tls.server.not_after"\n            }\n          },\n          "ja3": {\n            "terms": {\n              "field": "tls.server.ja3s"\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-13T09:58:58.637Z",\n                "lte": "2020-09-14T09:58:58.637Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          }\n        ]\n      }\n    },\n    "size": 0,\n    "track_total_hits": false\n  }\n}',
+      JSON.stringify(
+        {
+          allowNoIndices: true,
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          ignoreUnavailable: true,
+          body: {
+            aggs: {
+              count: { cardinality: { field: 'tls.server.hash.sha1' } },
+              sha1: {
+                terms: { field: 'tls.server.hash.sha1', size: 10, order: { _key: 'desc' } },
+                aggs: {
+                  issuers: { terms: { field: 'tls.server.issuer' } },
+                  subjects: { terms: { field: 'tls.server.subject' } },
+                  not_after: { terms: { field: 'tls.server.not_after' } },
+                  ja3: { terms: { field: 'tls.server.ja3s' } },
+                },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-13T09:58:58.637Z',
+                        lte: '2020-09-14T09:58:58.637Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                ],
+              },
+            },
+            size: 0,
+            track_total_hits: false,
+          },
+        },
+        null,
+        2
+      ),
     ],
   },
   pageInfo: { activePage: 0, fakeTotalCount: 0, showMorePagesIndicator: false },
@@ -90,7 +138,7 @@ export const expectedDsl = {
     query: {
       bool: {
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
+          { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
           {
             range: {
               '@timestamp': {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/tls/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/tls/index.ts
index 46556f46d3a50..7ada299a513bb 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/tls/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/tls/index.ts
@@ -48,7 +48,7 @@ export const networkTls: SecuritySolutionFactory<NetworkQueries.tls> = {
       edges,
       inspect,
       pageInfo: {
-        activePage: activePage ? activePage : 0,
+        activePage: activePage ?? 0,
         fakeTotalCount,
         showMorePagesIndicator,
       },
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_countries/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_countries/__mocks__/index.ts
index 0578d99accbf5..dfa2722b142ea 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_countries/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_countries/__mocks__/index.ts
@@ -8,9 +8,9 @@ import { IEsSearchResponse } from '../../../../../../../../../../src/plugins/dat
 
 import {
   Direction,
-  NetworkTopCountriesRequestOptions,
-  NetworkQueries,
   FlowTargetSourceDest,
+  NetworkQueries,
+  NetworkTopCountriesRequestOptions,
   NetworkTopTablesFields,
 } from '../../../../../../../common/search_strategy';
 
@@ -54,7 +54,60 @@ export const formattedSearchStrategyResponse = {
   edges: [],
   inspect: {
     dsl: [
-      '{\n  "allowNoIndices": true,\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "ignoreUnavailable": true,\n  "body": {\n    "aggregations": {\n      "top_countries_count": {\n        "cardinality": {\n          "field": "destination.geo.country_iso_code"\n        }\n      },\n      "destination": {\n        "terms": {\n          "field": "destination.geo.country_iso_code",\n          "size": 10,\n          "order": {\n            "bytes_in": "desc"\n          }\n        },\n        "aggs": {\n          "bytes_in": {\n            "sum": {\n              "field": "source.bytes"\n            }\n          },\n          "bytes_out": {\n            "sum": {\n              "field": "destination.bytes"\n            }\n          },\n          "flows": {\n            "cardinality": {\n              "field": "network.community_id"\n            }\n          },\n          "source_ips": {\n            "cardinality": {\n              "field": "source.ip"\n            }\n          },\n          "destination_ips": {\n            "cardinality": {\n              "field": "destination.ip"\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-13T09:58:58.637Z",\n                "lte": "2020-09-14T09:58:58.637Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          }\n        ]\n      }\n    }\n  },\n  "size": 0,\n  "track_total_hits": false\n}',
+      JSON.stringify(
+        {
+          allowNoIndices: true,
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          ignoreUnavailable: true,
+          body: {
+            aggregations: {
+              top_countries_count: { cardinality: { field: 'destination.geo.country_iso_code' } },
+              destination: {
+                terms: {
+                  field: 'destination.geo.country_iso_code',
+                  size: 10,
+                  order: { bytes_in: 'desc' },
+                },
+                aggs: {
+                  bytes_in: { sum: { field: 'source.bytes' } },
+                  bytes_out: { sum: { field: 'destination.bytes' } },
+                  flows: { cardinality: { field: 'network.community_id' } },
+                  source_ips: { cardinality: { field: 'source.ip' } },
+                  destination_ips: { cardinality: { field: 'destination.ip' } },
+                },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-13T09:58:58.637Z',
+                        lte: '2020-09-14T09:58:58.637Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                ],
+              },
+            },
+          },
+          size: 0,
+          track_total_hits: false,
+        },
+        null,
+        2
+      ),
     ],
   },
   pageInfo: { activePage: 0, fakeTotalCount: 0, showMorePagesIndicator: false },
@@ -90,7 +143,7 @@ export const expectedDsl = {
     query: {
       bool: {
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
+          { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
           {
             range: {
               '@timestamp': {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_countries/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_countries/index.ts
index ba4565b068eb4..ad698046cc030 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_countries/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_countries/index.ts
@@ -51,7 +51,7 @@ export const networkTopCountries: SecuritySolutionFactory<NetworkQueries.topCoun
       edges,
       inspect,
       pageInfo: {
-        activePage: activePage ? activePage : 0,
+        activePage: activePage ?? 0,
         fakeTotalCount,
         showMorePagesIndicator,
       },
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/__mocks__/index.ts
index 84c1ca129ecac..b1470b17eea5d 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/__mocks__/index.ts
@@ -8,10 +8,10 @@ import { IEsSearchResponse } from '../../../../../../../../../../src/plugins/dat
 
 import {
   Direction,
-  NetworkTopNFlowRequestOptions,
+  FlowTargetSourceDest,
   NetworkQueries,
+  NetworkTopNFlowRequestOptions,
   NetworkTopTablesFields,
-  FlowTargetSourceDest,
 } from '../../../../../../../common/search_strategy';
 
 export const mockOptions: NetworkTopNFlowRequestOptions = {
@@ -781,7 +781,67 @@ export const formattedSearchStrategyResponse = {
   ],
   inspect: {
     dsl: [
-      '{\n  "allowNoIndices": true,\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "ignoreUnavailable": true,\n  "body": {\n    "aggregations": {\n      "top_n_flow_count": {\n        "cardinality": {\n          "field": "source.ip"\n        }\n      },\n      "source": {\n        "terms": {\n          "field": "source.ip",\n          "size": 10,\n          "order": {\n            "bytes_out": "desc"\n          }\n        },\n        "aggs": {\n          "bytes_in": {\n            "sum": {\n              "field": "destination.bytes"\n            }\n          },\n          "bytes_out": {\n            "sum": {\n              "field": "source.bytes"\n            }\n          },\n          "domain": {\n            "terms": {\n              "field": "source.domain",\n              "order": {\n                "timestamp": "desc"\n              }\n            },\n            "aggs": {\n              "timestamp": {\n                "max": {\n                  "field": "@timestamp"\n                }\n              }\n            }\n          },\n          "location": {\n            "filter": {\n              "exists": {\n                "field": "source.geo"\n              }\n            },\n            "aggs": {\n              "top_geo": {\n                "top_hits": {\n                  "_source": "source.geo.*",\n                  "size": 1\n                }\n              }\n            }\n          },\n          "autonomous_system": {\n            "filter": {\n              "exists": {\n                "field": "source.as"\n              }\n            },\n            "aggs": {\n              "top_as": {\n                "top_hits": {\n                  "_source": "source.as.*",\n                  "size": 1\n                }\n              }\n            }\n          },\n          "flows": {\n            "cardinality": {\n              "field": "network.community_id"\n            }\n          },\n          "destination_ips": {\n            "cardinality": {\n              "field": "destination.ip"\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-13T10:16:46.870Z",\n                "lte": "2020-09-14T10:16:46.870Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          }\n        ]\n      }\n    }\n  },\n  "size": 0,\n  "track_total_hits": false\n}',
+      JSON.stringify(
+        {
+          allowNoIndices: true,
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          ignoreUnavailable: true,
+          body: {
+            aggregations: {
+              top_n_flow_count: { cardinality: { field: 'source.ip' } },
+              source: {
+                terms: { field: 'source.ip', size: 10, order: { bytes_out: 'desc' } },
+                aggs: {
+                  bytes_in: { sum: { field: 'destination.bytes' } },
+                  bytes_out: { sum: { field: 'source.bytes' } },
+                  domain: {
+                    terms: { field: 'source.domain', order: { timestamp: 'desc' } },
+                    aggs: { timestamp: { max: { field: '@timestamp' } } },
+                  },
+                  location: {
+                    filter: { exists: { field: 'source.geo' } },
+                    aggs: { top_geo: { top_hits: { _source: 'source.geo.*', size: 1 } } },
+                  },
+                  autonomous_system: {
+                    filter: { exists: { field: 'source.as' } },
+                    aggs: { top_as: { top_hits: { _source: 'source.as.*', size: 1 } } },
+                  },
+                  flows: { cardinality: { field: 'network.community_id' } },
+                  destination_ips: { cardinality: { field: 'destination.ip' } },
+                },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-13T10:16:46.870Z',
+                        lte: '2020-09-14T10:16:46.870Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                ],
+              },
+            },
+          },
+          size: 0,
+          track_total_hits: false,
+        },
+        null,
+        2
+      ),
     ],
   },
   pageInfo: { activePage: 0, fakeTotalCount: 50, showMorePagesIndicator: true },
@@ -828,7 +888,7 @@ export const expectedDsl = {
     query: {
       bool: {
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
+          { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
           {
             range: {
               '@timestamp': {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/index.ts
index 198368d981800..60ae4069e8f9c 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/index.ts
@@ -48,7 +48,7 @@ export const networkTopNFlow: SecuritySolutionFactory<NetworkQueries.topNFlow> =
       edges,
       inspect,
       pageInfo: {
-        activePage: activePage ? activePage : 0,
+        activePage: activePage ?? 0,
         fakeTotalCount,
         showMorePagesIndicator,
       },
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/users/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/users/__mocks__/index.ts
index 3f57de7c78d1a..d9591ca3640ab 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/users/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/users/__mocks__/index.ts
@@ -8,10 +8,10 @@ import { IEsSearchResponse } from '../../../../../../../../../../src/plugins/dat
 
 import {
   Direction,
-  NetworkUsersRequestOptions,
+  FlowTarget,
   NetworkQueries,
   NetworkUsersFields,
-  FlowTarget,
+  NetworkUsersRequestOptions,
 } from '../../../../../../../common/search_strategy';
 
 export const mockOptions: NetworkUsersRequestOptions = {
@@ -115,7 +115,56 @@ export const formattedSearchStrategyResponse = {
   ],
   inspect: {
     dsl: [
-      '{\n  "allowNoIndices": true,\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "ignoreUnavailable": true,\n  "body": {\n    "aggs": {\n      "user_count": {\n        "cardinality": {\n          "field": "user.name"\n        }\n      },\n      "users": {\n        "terms": {\n          "field": "user.name",\n          "size": 10,\n          "order": {\n            "_key": "asc"\n          }\n        },\n        "aggs": {\n          "id": {\n            "terms": {\n              "field": "user.id"\n            }\n          },\n          "groupId": {\n            "terms": {\n              "field": "user.group.id"\n            }\n          },\n          "groupName": {\n            "terms": {\n              "field": "user.group.name"\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-13T10:16:46.870Z",\n                "lte": "2020-09-14T10:16:46.870Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          },\n          {\n            "term": {\n              "source.ip": "10.142.0.7"\n            }\n          }\n        ],\n        "must_not": [\n          {\n            "term": {\n              "event.category": "authentication"\n            }\n          }\n        ]\n      }\n    },\n    "size": 0,\n    "track_total_hits": false\n  }\n}',
+      JSON.stringify(
+        {
+          allowNoIndices: true,
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          ignoreUnavailable: true,
+          body: {
+            aggs: {
+              user_count: { cardinality: { field: 'user.name' } },
+              users: {
+                terms: { field: 'user.name', size: 10, order: { _key: 'asc' } },
+                aggs: {
+                  id: { terms: { field: 'user.id' } },
+                  groupId: { terms: { field: 'user.group.id' } },
+                  groupName: { terms: { field: 'user.group.name' } },
+                },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-13T10:16:46.870Z',
+                        lte: '2020-09-14T10:16:46.870Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                  { term: { 'source.ip': '10.142.0.7' } },
+                ],
+                must_not: [{ term: { 'event.category': 'authentication' } }],
+              },
+            },
+            size: 0,
+            track_total_hits: false,
+          },
+        },
+        null,
+        2
+      ),
     ],
   },
   pageInfo: { activePage: 0, fakeTotalCount: 3, showMorePagesIndicator: false },
@@ -139,7 +188,7 @@ export const expectedDsl = {
     query: {
       bool: {
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
+          { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
           {
             range: {
               '@timestamp': {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/users/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/users/index.ts
index f9b9a2fd2747f..a5ceb447f7bc0 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/users/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/users/index.ts
@@ -47,7 +47,7 @@ export const networkUsers: SecuritySolutionFactory<NetworkQueries.users> = {
       edges,
       inspect,
       pageInfo: {
-        activePage: activePage ? activePage : 0,
+        activePage: activePage ?? 0,
         fakeTotalCount,
         showMorePagesIndicator,
       },
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/constants.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/constants.ts
new file mode 100644
index 0000000000000..924426e56361f
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/constants.ts
@@ -0,0 +1,219 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export const TIMELINE_EVENTS_FIELDS = [
+  '@timestamp',
+  'signal.status',
+  'signal.original_time',
+  'signal.rule.filters',
+  'signal.rule.from',
+  'signal.rule.language',
+  'signal.rule.query',
+  'signal.rule.name',
+  'signal.rule.to',
+  'signal.rule.id',
+  'signal.rule.index',
+  'signal.rule.type',
+  'signal.original_event.kind',
+  'signal.original_event.module',
+  'file.path',
+  'file.Ext.code_signature.subject_name',
+  'file.Ext.code_signature.trusted',
+  'file.hash.sha256',
+  'host.os.family',
+  'event.code',
+  'signal.rule.version',
+  'signal.rule.severity',
+  'signal.rule.risk_score',
+  'event.module',
+  'event.action',
+  'event.category',
+  'host.name',
+  'user.name',
+  'source.ip',
+  'destination.ip',
+  'message',
+  'system.auth.ssh.signature',
+  'system.auth.ssh.method',
+  'system.audit.package.arch',
+  'system.audit.package.entity_id',
+  'system.audit.package.name',
+  'system.audit.package.size',
+  'system.audit.package.summary',
+  'system.audit.package.version',
+  'event.created',
+  'event.dataset',
+  'event.duration',
+  'event.end',
+  'event.hash',
+  'event.id',
+  'event.kind',
+  'event.original',
+  'event.outcome',
+  'event.risk_score',
+  'event.risk_score_norm',
+  'event.severity',
+  'event.start',
+  'event.timezone',
+  'event.type',
+  'agent.type',
+  'auditd.result',
+  'auditd.session',
+  'auditd.data.acct',
+  'auditd.data.terminal',
+  'auditd.data.op',
+  'auditd.summary.actor.primary',
+  'auditd.summary.actor.secondary',
+  'auditd.summary.object.primary',
+  'auditd.summary.object.secondary',
+  'auditd.summary.object.type',
+  'auditd.summary.how',
+  'auditd.summary.message_type',
+  'auditd.summary.sequence',
+  'file.name',
+  'file.target_path',
+  'file.extension',
+  'file.type',
+  'file.device',
+  'file.inode',
+  'file.uid',
+  'file.owner',
+  'file.gid',
+  'file.group',
+  'file.mode',
+  'file.size',
+  'file.mtime',
+  'file.ctime',
+  'host.id',
+  'host.ip',
+  'rule.reference',
+  'source.bytes',
+  'source.packets',
+  'source.port',
+  'source.geo.continent_name',
+  'source.geo.country_name',
+  'source.geo.country_iso_code',
+  'source.geo.city_name',
+  'source.geo.region_iso_code',
+  'source.geo.region_name',
+  'destination.bytes',
+  'destination.packets',
+  'destination.port',
+  'destination.geo.continent_name',
+  'destination.geo.country_name',
+  'destination.geo.country_iso_code',
+  'destination.geo.city_name',
+  'destination.geo.region_iso_code',
+  'destination.geo.region_name',
+  'dns.question.name',
+  'dns.question.type',
+  'dns.resolved_ip',
+  'dns.response_code',
+  'endgame.exit_code',
+  'endgame.file_name',
+  'endgame.file_path',
+  'endgame.logon_type',
+  'endgame.parent_process_name',
+  'endgame.pid',
+  'endgame.process_name',
+  'endgame.subject_domain_name',
+  'endgame.subject_logon_id',
+  'endgame.subject_user_name',
+  'endgame.target_domain_name',
+  'endgame.target_logon_id',
+  'endgame.target_user_name',
+  'signal.rule.saved_id',
+  'signal.rule.timeline_id',
+  'signal.rule.timeline_title',
+  'signal.rule.output_index',
+  'signal.rule.note',
+  'signal.rule.threshold',
+  'signal.rule.exceptions_list',
+  'suricata.eve.proto',
+  'suricata.eve.flow_id',
+  'suricata.eve.alert.signature',
+  'suricata.eve.alert.signature_id',
+  'network.bytes',
+  'network.community_id',
+  'network.direction',
+  'network.packets',
+  'network.protocol',
+  'network.transport',
+  'http.version',
+  'http.request.method',
+  'http.request.body.bytes',
+  'http.request.body.content',
+  'http.request.referrer',
+  'http.response.status_code',
+  'http.response.body.bytes',
+  'http.response.body.content',
+  'tls.client_certificate.fingerprint.sha1',
+  'tls.fingerprints.ja3.hash',
+  'tls.server_certificate.fingerprint.sha1',
+  'user.domain',
+  'winlog.event_id',
+  'process.hash.md5',
+  'process.hash.sha1',
+  'process.hash.sha256',
+  'process.pid',
+  'process.name',
+  'process.ppid',
+  'process.args',
+  'process.entity_id',
+  'process.executable',
+  'process.title',
+  'process.working_directory',
+  'zeek.session_id',
+  'zeek.connection.local_resp',
+  'zeek.connection.local_orig',
+  'zeek.connection.missed_bytes',
+  'zeek.connection.state',
+  'zeek.connection.history',
+  'zeek.notice.suppress_for',
+  'zeek.notice.msg',
+  'zeek.notice.note',
+  'zeek.notice.sub',
+  'zeek.notice.dst',
+  'zeek.notice.dropped',
+  'zeek.notice.peer_descr',
+  'zeek.dns.AA',
+  'zeek.dns.qclass_name',
+  'zeek.dns.RD',
+  'zeek.dns.qtype_name',
+  'zeek.dns.qtype',
+  'zeek.dns.query',
+  'zeek.dns.trans_id',
+  'zeek.dns.qclass',
+  'zeek.dns.RA',
+  'zeek.dns.TC',
+  'zeek.http.resp_mime_types',
+  'zeek.http.trans_depth',
+  'zeek.http.status_msg',
+  'zeek.http.resp_fuids',
+  'zeek.http.tags',
+  'zeek.files.session_ids',
+  'zeek.files.timedout',
+  'zeek.files.local_orig',
+  'zeek.files.tx_host',
+  'zeek.files.source',
+  'zeek.files.is_orig',
+  'zeek.files.overflow_bytes',
+  'zeek.files.sha1',
+  'zeek.files.duration',
+  'zeek.files.depth',
+  'zeek.files.analyzers',
+  'zeek.files.mime_type',
+  'zeek.files.rx_host',
+  'zeek.files.total_bytes',
+  'zeek.files.fuid',
+  'zeek.files.seen_bytes',
+  'zeek.files.missing_bytes',
+  'zeek.files.md5',
+  'zeek.ssl.cipher',
+  'zeek.ssl.established',
+  'zeek.ssl.resumed',
+  'zeek.ssl.version',
+];
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/helpers.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/helpers.ts
new file mode 100644
index 0000000000000..edff22766cc54
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/helpers.ts
@@ -0,0 +1,92 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { get, has, merge, uniq } from 'lodash/fp';
+import { EventHit, TimelineEdges } from '../../../../../../common/search_strategy';
+import { toArray } from '../../../../helpers/to_array';
+
+export const formatTimelineData = (
+  dataFields: readonly string[],
+  ecsFields: readonly string[],
+  hit: EventHit,
+  fieldMap: Readonly<Record<string, string>>
+) =>
+  uniq([...ecsFields, ...dataFields]).reduce<TimelineEdges>(
+    (flattenedFields, fieldName) => {
+      flattenedFields.node._id = hit._id;
+      flattenedFields.node._index = hit._index;
+      flattenedFields.node.ecs._id = hit._id;
+      flattenedFields.node.ecs._index = hit._index;
+      if (hit.sort && hit.sort.length > 1) {
+        flattenedFields.cursor.value = hit.sort[0];
+        flattenedFields.cursor.tiebreaker = hit.sort[1];
+      }
+      return mergeTimelineFieldsWithHit(
+        fieldName,
+        flattenedFields,
+        fieldMap,
+        hit,
+        dataFields,
+        ecsFields
+      );
+    },
+    {
+      node: { ecs: { _id: '' }, data: [], _id: '', _index: '' },
+      cursor: {
+        value: '',
+        tiebreaker: null,
+      },
+    }
+  );
+
+const specialFields = ['_id', '_index', '_type', '_score'];
+
+const mergeTimelineFieldsWithHit = <T>(
+  fieldName: string,
+  flattenedFields: T,
+  fieldMap: Readonly<Record<string, string>>,
+  hit: { _source: {} },
+  dataFields: readonly string[],
+  ecsFields: readonly string[]
+) => {
+  if (fieldMap[fieldName] != null || dataFields.includes(fieldName)) {
+    const esField = dataFields.includes(fieldName) ? fieldName : fieldMap[fieldName];
+    if (has(esField, hit._source) || specialFields.includes(esField)) {
+      const objectWithProperty = {
+        node: {
+          ...get('node', flattenedFields),
+          data: dataFields.includes(fieldName)
+            ? [
+                ...get('node.data', flattenedFields),
+                {
+                  field: fieldName,
+                  value: specialFields.includes(esField)
+                    ? toArray(get(esField, hit))
+                    : toArray(get(esField, hit._source)),
+                },
+              ]
+            : get('node.data', flattenedFields),
+          ecs: ecsFields.includes(fieldName)
+            ? {
+                ...get('node.ecs', flattenedFields),
+                // @ts-expect-error
+                ...fieldName.split('.').reduceRight(
+                  // @ts-expect-error
+                  (obj, next) => ({ [next]: obj }),
+                  toArray<string>(get(esField, hit._source))
+                ),
+              }
+            : get('node.ecs', flattenedFields),
+        },
+      };
+      return merge(flattenedFields, objectWithProperty);
+    } else {
+      return flattenedFields;
+    }
+  } else {
+    return flattenedFields;
+  }
+};
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/index.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/index.ts
new file mode 100644
index 0000000000000..12729eb88a666
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/index.ts
@@ -0,0 +1,68 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { cloneDeep, getOr, uniq } from 'lodash/fp';
+
+import { DEFAULT_MAX_TABLE_QUERY_SIZE } from '../../../../../../common/constants';
+import { IEsSearchResponse } from '../../../../../../../../../src/plugins/data/common';
+import {
+  TimelineEventsQueries,
+  TimelineEventsAllStrategyResponse,
+  TimelineEventsAllRequestOptions,
+  TimelineEdges,
+} from '../../../../../../common/search_strategy/timeline';
+import { inspectStringifyObject, reduceFields } from '../../../../../utils/build_query';
+import { SecuritySolutionTimelineFactory } from '../../types';
+import { buildTimelineEventsAllQuery } from './query.events_all.dsl';
+import { eventFieldsMap } from '../../../../../lib/ecs_fields';
+import { TIMELINE_EVENTS_FIELDS } from './constants';
+import { formatTimelineData } from './helpers';
+
+export const timelineEventsAll: SecuritySolutionTimelineFactory<TimelineEventsQueries.all> = {
+  buildDsl: (options: TimelineEventsAllRequestOptions) => {
+    if (options.pagination && options.pagination.querySize >= DEFAULT_MAX_TABLE_QUERY_SIZE) {
+      throw new Error(`No query size above ${DEFAULT_MAX_TABLE_QUERY_SIZE}`);
+    }
+    const { fieldRequested, ...queryOptions } = cloneDeep(options);
+    queryOptions.fields = uniq([
+      ...fieldRequested,
+      ...reduceFields(TIMELINE_EVENTS_FIELDS, eventFieldsMap),
+    ]);
+    return buildTimelineEventsAllQuery(queryOptions);
+  },
+  parse: async (
+    options: TimelineEventsAllRequestOptions,
+    response: IEsSearchResponse<unknown>
+  ): Promise<TimelineEventsAllStrategyResponse> => {
+    const { fieldRequested, ...queryOptions } = cloneDeep(options);
+    queryOptions.fields = uniq([
+      ...fieldRequested,
+      ...reduceFields(TIMELINE_EVENTS_FIELDS, eventFieldsMap),
+    ]);
+    const { activePage, querySize } = options.pagination;
+
+    const totalCount = getOr(0, 'hits.total.value', response.rawResponse);
+    const hits = response.rawResponse.hits.hits;
+    const edges: TimelineEdges[] = hits.map((hit) =>
+      // @ts-expect-error
+      formatTimelineData(options.fieldRequested, TIMELINE_EVENTS_FIELDS, hit, eventFieldsMap)
+    );
+    const inspect = {
+      dsl: [inspectStringifyObject(buildTimelineEventsAllQuery(queryOptions))],
+    };
+
+    return {
+      ...response,
+      inspect,
+      edges,
+      totalCount,
+      pageInfo: {
+        activePage: activePage ?? 0,
+        totalPages: Math.ceil(totalCount / querySize),
+      },
+    };
+  },
+};
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts
new file mode 100644
index 0000000000000..261a27b0110e8
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts
@@ -0,0 +1,76 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { isEmpty } from 'lodash/fp';
+
+import {
+  SortField,
+  TimerangeFilter,
+  TimerangeInput,
+  TimelineEventsAllRequestOptions,
+} from '../../../../../../common/search_strategy';
+import { createQueryFilterClauses } from '../../../../../utils/build_query';
+import { TIMELINE_EVENTS_FIELDS } from './constants';
+
+export const buildTimelineEventsAllQuery = ({
+  defaultIndex,
+  docValueFields,
+  filterQuery,
+  pagination: { activePage, querySize },
+  sort,
+  timerange,
+}: Omit<TimelineEventsAllRequestOptions, 'fieldRequested'>) => {
+  const filterClause = [...createQueryFilterClauses(filterQuery)];
+
+  const getTimerangeFilter = (timerangeOption: TimerangeInput | undefined): TimerangeFilter[] => {
+    if (timerangeOption) {
+      const { to, from } = timerangeOption;
+      return [
+        {
+          range: {
+            '@timestamp': {
+              gte: from,
+              lte: to,
+              format: 'strict_date_optional_time',
+            },
+          },
+        },
+      ];
+    }
+    return [];
+  };
+
+  const filter = [...filterClause, ...getTimerangeFilter(timerange), { match_all: {} }];
+
+  const getSortField = (sortField: SortField) => {
+    if (sortField.field) {
+      const field: string = sortField.field === 'timestamp' ? '@timestamp' : sortField.field;
+
+      return [{ [field]: sortField.direction }];
+    }
+    return [];
+  };
+
+  const dslQuery = {
+    allowNoIndices: true,
+    index: defaultIndex,
+    ignoreUnavailable: true,
+    body: {
+      ...(isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}),
+      query: {
+        bool: {
+          filter,
+        },
+      },
+      from: activePage * querySize,
+      size: querySize,
+      track_total_hits: true,
+      sort: getSortField(sort),
+      _source: TIMELINE_EVENTS_FIELDS,
+    },
+  };
+
+  return dslQuery;
+};
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/helpers.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/details/helpers.ts
similarity index 81%
rename from x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/helpers.ts
rename to x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/details/helpers.ts
index b772dec773dce..3b0935db9a5d6 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/helpers.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/details/helpers.ts
@@ -6,8 +6,8 @@
 
 import { get, isEmpty, isNumber, isObject, isString } from 'lodash/fp';
 
-import { DetailItem } from '../../../../../common/search_strategy/timeline';
-import { baseCategoryFields } from '../../../../utils/beat_schema/8.0.0';
+import { TimelineEventsDetailsItem } from '../../../../../../common/search_strategy/timeline';
+import { baseCategoryFields } from '../../../../../utils/beat_schema/8.0.0';
 
 export const getFieldCategory = (field: string): string => {
   const fieldCategory = field.split('.')[0];
@@ -21,8 +21,8 @@ export const getDataFromHits = (
   sources: EventSource,
   category?: string,
   path?: string
-): DetailItem[] =>
-  Object.keys(sources).reduce<DetailItem[]>((accumulator, source) => {
+): TimelineEventsDetailsItem[] =>
+  Object.keys(sources).reduce<TimelineEventsDetailsItem[]>((accumulator, source) => {
     const item: EventSource = get(source, sources);
     if (Array.isArray(item) || isString(item) || isNumber(item)) {
       const field = path ? `${path}.${source}` : source;
@@ -43,7 +43,7 @@ export const getDataFromHits = (
               })
             : [item],
           originalValue: item,
-        } as DetailItem,
+        } as TimelineEventsDetailsItem,
       ];
     } else if (isObject(item)) {
       return [
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/index.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/details/index.ts
similarity index 58%
rename from x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/index.ts
rename to x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/details/index.ts
index e1fabe2b4d586..54e138c1e9d6f 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/details/index.ts
@@ -6,26 +6,26 @@
 
 import { getOr, merge } from 'lodash/fp';
 
-import { IEsSearchResponse } from '../../../../../../../../src/plugins/data/common';
+import { IEsSearchResponse } from '../../../../../../../../../src/plugins/data/common';
 import {
-  TimelineQueries,
-  TimelineDetailsStrategyResponse,
-  TimelineDetailsRequestOptions,
-} from '../../../../../common/search_strategy/timeline';
-import { inspectStringifyObject } from '../../../../utils/build_query';
-import { SecuritySolutionTimelineFactory } from '../types';
-import { buildTimelineDetailsQuery } from './query.timeline_details.dsl';
+  TimelineEventsQueries,
+  TimelineEventsDetailsStrategyResponse,
+  TimelineEventsDetailsRequestOptions,
+} from '../../../../../../common/search_strategy/timeline';
+import { inspectStringifyObject } from '../../../../../utils/build_query';
+import { SecuritySolutionTimelineFactory } from '../../types';
+import { buildTimelineDetailsQuery } from './query.events_details.dsl';
 import { getDataFromHits } from './helpers';
 
-export const timelineDetails: SecuritySolutionTimelineFactory<TimelineQueries.details> = {
-  buildDsl: (options: TimelineDetailsRequestOptions) => {
+export const timelineEventsDetails: SecuritySolutionTimelineFactory<TimelineEventsQueries.details> = {
+  buildDsl: (options: TimelineEventsDetailsRequestOptions) => {
     const { indexName, eventId, docValueFields = [] } = options;
     return buildTimelineDetailsQuery(indexName, eventId, docValueFields);
   },
   parse: async (
-    options: TimelineDetailsRequestOptions,
+    options: TimelineEventsDetailsRequestOptions,
     response: IEsSearchResponse<unknown>
-  ): Promise<TimelineDetailsStrategyResponse> => {
+  ): Promise<TimelineEventsDetailsStrategyResponse> => {
     const { indexName, eventId, docValueFields = [] } = options;
     const sourceData = getOr({}, 'hits.hits.0._source', response.rawResponse);
     const hitsData = getOr({}, 'hits.hits.0', response.rawResponse);
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/query.timeline_details.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.ts
similarity index 88%
rename from x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/query.timeline_details.dsl.ts
rename to x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.ts
index 4f003c1c27ef2..216e8f947d261 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/query.timeline_details.dsl.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.ts
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { DocValueFields } from '../../../../../common/search_strategy';
+import { DocValueFields } from '../../../../../../common/search_strategy';
 
 export const buildTimelineDetailsQuery = (
   indexName: string,
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/index.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/index.ts
new file mode 100644
index 0000000000000..a4e2c168a41d9
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/index.ts
@@ -0,0 +1,24 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import {
+  TimelineFactoryQueryTypes,
+  TimelineEventsQueries,
+} from '../../../../../common/search_strategy/timeline';
+
+import { SecuritySolutionTimelineFactory } from '../types';
+import { timelineEventsAll } from './all';
+import { timelineEventsDetails } from './details';
+import { timelineEventsLastEventTime } from './last_event_time';
+
+export const timelineEventsFactory: Record<
+  TimelineEventsQueries,
+  SecuritySolutionTimelineFactory<TimelineFactoryQueryTypes>
+> = {
+  [TimelineEventsQueries.all]: timelineEventsAll,
+  [TimelineEventsQueries.details]: timelineEventsDetails,
+  [TimelineEventsQueries.lastEventTime]: timelineEventsLastEventTime,
+};
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/last_event_time/index.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/last_event_time/index.ts
new file mode 100644
index 0000000000000..97d7383fa831a
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/last_event_time/index.ts
@@ -0,0 +1,36 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { getOr } from 'lodash/fp';
+
+import { IEsSearchResponse } from '../../../../../../../../../src/plugins/data/common';
+import {
+  TimelineEventsQueries,
+  TimelineEventsLastEventTimeStrategyResponse,
+  TimelineEventsLastEventTimeRequestOptions,
+} from '../../../../../../common/search_strategy/timeline';
+import { inspectStringifyObject } from '../../../../../utils/build_query';
+import { SecuritySolutionTimelineFactory } from '../../types';
+import { buildLastEventTimeQuery } from './query.events_last_event_time.dsl';
+
+export const timelineEventsLastEventTime: SecuritySolutionTimelineFactory<TimelineEventsQueries.lastEventTime> = {
+  buildDsl: (options: TimelineEventsLastEventTimeRequestOptions) =>
+    buildLastEventTimeQuery(options),
+  parse: async (
+    options: TimelineEventsLastEventTimeRequestOptions,
+    response: IEsSearchResponse<unknown>
+  ): Promise<TimelineEventsLastEventTimeStrategyResponse> => {
+    const inspect = {
+      dsl: [inspectStringifyObject(buildLastEventTimeQuery(options))],
+    };
+
+    return {
+      ...response,
+      lastSeen: getOr(null, 'aggregations.last_seen_event.value_as_string', response.rawResponse),
+      inspect,
+    };
+  },
+};
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.ts
new file mode 100644
index 0000000000000..0f4eabf692919
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.ts
@@ -0,0 +1,93 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { isEmpty } from 'lodash/fp';
+import {
+  TimelineEventsLastEventTimeRequestOptions,
+  LastEventIndexKey,
+} from '../../../../../../common/search_strategy';
+
+import { assertUnreachable } from '../../../../../../common/utility_types';
+
+interface EventIndices {
+  [key: string]: string[];
+}
+
+export const buildLastEventTimeQuery = ({
+  indexKey,
+  details,
+  defaultIndex,
+  docValueFields,
+}: TimelineEventsLastEventTimeRequestOptions) => {
+  const indicesToQuery: EventIndices = {
+    hosts: defaultIndex,
+    network: defaultIndex,
+  };
+  const getHostDetailsFilter = (hostName: string) => [{ term: { 'host.name': hostName } }];
+  const getIpDetailsFilter = (ip: string) => [
+    { term: { 'source.ip': ip } },
+    { term: { 'destination.ip': ip } },
+  ];
+  const getQuery = (eventIndexKey: LastEventIndexKey) => {
+    switch (eventIndexKey) {
+      case LastEventIndexKey.ipDetails:
+        if (details.ip) {
+          return {
+            allowNoIndices: true,
+            index: indicesToQuery.network,
+            ignoreUnavailable: true,
+            body: {
+              ...(isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}),
+              aggregations: {
+                last_seen_event: { max: { field: '@timestamp' } },
+              },
+              query: { bool: { should: getIpDetailsFilter(details.ip) } },
+              size: 0,
+              track_total_hits: false,
+            },
+          };
+        }
+        throw new Error('buildLastEventTimeQuery - no IP argument provided');
+      case LastEventIndexKey.hostDetails:
+        if (details.hostName) {
+          return {
+            allowNoIndices: true,
+            index: indicesToQuery.hosts,
+            ignoreUnavailable: true,
+            body: {
+              ...(isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}),
+              aggregations: {
+                last_seen_event: { max: { field: '@timestamp' } },
+              },
+              query: { bool: { filter: getHostDetailsFilter(details.hostName) } },
+              size: 0,
+              track_total_hits: false,
+            },
+          };
+        }
+        throw new Error('buildLastEventTimeQuery - no hostName argument provided');
+      case LastEventIndexKey.hosts:
+      case LastEventIndexKey.network:
+        return {
+          allowNoIndices: true,
+          index: indicesToQuery[indexKey],
+          ignoreUnavailable: true,
+          body: {
+            ...(isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}),
+            aggregations: {
+              last_seen_event: { max: { field: '@timestamp' } },
+            },
+            query: { match_all: {} },
+            size: 0,
+            track_total_hits: false,
+          },
+        };
+      default:
+        return assertUnreachable(eventIndexKey);
+    }
+  };
+  return getQuery(indexKey);
+};
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/index.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/index.ts
index aa4cdaeedb131..cf2c3c552f30d 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/index.ts
@@ -4,17 +4,13 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import {
-  TimelineFactoryQueryTypes,
-  TimelineQueries,
-} from '../../../../common/search_strategy/timeline';
-
-import { timelineDetails } from './details';
+import { TimelineFactoryQueryTypes } from '../../../../common/search_strategy/timeline';
 import { SecuritySolutionTimelineFactory } from './types';
+import { timelineEventsFactory } from './events';
 
 export const securitySolutionTimelineFactory: Record<
   TimelineFactoryQueryTypes,
   SecuritySolutionTimelineFactory<TimelineFactoryQueryTypes>
 > = {
-  [TimelineQueries.details]: timelineDetails,
+  ...timelineEventsFactory,
 };
diff --git a/x-pack/plugins/security_solution/server/utils/build_query/filters.ts b/x-pack/plugins/security_solution/server/utils/build_query/filters.ts
index ac736e8cb51ee..bde03be3f5edc 100644
--- a/x-pack/plugins/security_solution/server/utils/build_query/filters.ts
+++ b/x-pack/plugins/security_solution/server/utils/build_query/filters.ts
@@ -4,9 +4,9 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { isEmpty } from 'lodash/fp';
+import { isEmpty, isString } from 'lodash/fp';
 
 import { ESQuery } from '../../../common/typed_json';
 
 export const createQueryFilterClauses = (filterQuery: ESQuery | string | undefined) =>
-  !isEmpty(filterQuery) ? [filterQuery] : [];
+  !isEmpty(filterQuery) ? [isString(filterQuery) ? JSON.parse(filterQuery) : filterQuery] : [];
diff --git a/x-pack/plugins/security_solution/server/utils/build_query/index.ts b/x-pack/plugins/security_solution/server/utils/build_query/index.ts
index f0f4ba07ab2ae..b7d96c3224c39 100644
--- a/x-pack/plugins/security_solution/server/utils/build_query/index.ts
+++ b/x-pack/plugins/security_solution/server/utils/build_query/index.ts
@@ -8,6 +8,7 @@ export * from './fields';
 export * from './filters';
 export * from './merge_fields_with_hits';
 export * from './calculate_timeseries_interval';
+export * from './reduce_fields';
 
 export const inspectStringifyObject = (obj: unknown) => {
   try {
diff --git a/x-pack/plugins/translations/translations/ja-JP.json b/x-pack/plugins/translations/translations/ja-JP.json
index e54d6739c0600..78e3d78d5af2a 100644
--- a/x-pack/plugins/translations/translations/ja-JP.json
+++ b/x-pack/plugins/translations/translations/ja-JP.json
@@ -16120,7 +16120,6 @@
     "xpack.securitySolution.footer.live": "ライブ",
     "xpack.securitySolution.footer.loadingLabel": "読み込み中",
     "xpack.securitySolution.footer.loadingTimelineData": "タイムラインデータを読み込み中",
-    "xpack.securitySolution.footer.loadMoreLabel": "さらに読み込む",
     "xpack.securitySolution.footer.of": "/",
     "xpack.securitySolution.footer.rows": "行",
     "xpack.securitySolution.footer.totalCountOfEvents": "イベントが検索条件に一致します",
diff --git a/x-pack/plugins/translations/translations/zh-CN.json b/x-pack/plugins/translations/translations/zh-CN.json
index 4c8ccd56c1c01..79c2095218f50 100644
--- a/x-pack/plugins/translations/translations/zh-CN.json
+++ b/x-pack/plugins/translations/translations/zh-CN.json
@@ -16130,7 +16130,6 @@
     "xpack.securitySolution.footer.live": "实时",
     "xpack.securitySolution.footer.loadingLabel": "正在加载",
     "xpack.securitySolution.footer.loadingTimelineData": "正在加载时间线数据",
-    "xpack.securitySolution.footer.loadMoreLabel": "加载更多",
     "xpack.securitySolution.footer.of": "/",
     "xpack.securitySolution.footer.rows": "行",
     "xpack.securitySolution.footer.totalCountOfEvents": "个事件匹配搜索条件",

From e733d42d84734819722d0a092a5771c6bf2b3e1e Mon Sep 17 00:00:00 2001
From: Kevin Qualters <56408403+kqualters-elastic@users.noreply.github.com>
Date: Wed, 16 Sep 2020 14:43:35 -0400
Subject: [PATCH 2/5] [Security Solution] [Resolver] Resolver query string
 state (#76602)

Co-authored-by: Robert Austin <robert.austin@elastic.co>
Co-authored-by: oatkiller <robert.austin@elastic.co>
---
 .../public/resolver/models/location_search.ts |  68 ++---
 .../public/resolver/models/schema.test.ts     | 135 ++++++++++
 .../public/resolver/models/schema.ts          | 176 +++++++++++++
 .../public/resolver/store/actions.ts          |  16 +-
 .../public/resolver/store/data/selectors.ts   |  14 +-
 .../public/resolver/store/selectors.ts        |  26 +-
 .../public/resolver/store/ui/selectors.ts     | 133 +++++++++-
 .../resolver/test_utilities/url_search.ts     |  17 +-
 .../public/resolver/types.ts                  |  78 ++++++
 .../resolver/view/clickthrough.test.tsx       |  11 +-
 .../public/resolver/view/limit_warnings.tsx   | 244 +++++++++---------
 .../public/resolver/view/panel.test.tsx       |  16 +-
 ...ated_event_detail.tsx => event_detail.tsx} | 135 +++++-----
 .../public/resolver/view/panels/index.tsx     | 236 +++--------------
 .../{process_details.tsx => node_details.tsx} |  83 +++---
 ...counts_for_process.tsx => node_events.tsx} | 114 +++++---
 ...event_list.tsx => node_events_of_type.tsx} | 175 +++++++------
 ...ess_list_with_counts.tsx => node_list.tsx} | 130 +++++-----
 .../view/panels/panel_content_error.tsx       |  24 +-
 .../resolver/view/panels/panel_loading.tsx    |  52 ++++
 .../public/resolver/view/panels/styles.tsx    |  17 ++
 .../resolver/view/process_event_dot.tsx       |  87 ++-----
 .../public/resolver/view/query_params.test.ts |  24 +-
 .../view/resolver_without_providers.tsx       |   5 +-
 .../public/resolver/view/styles.tsx           |   6 +-
 .../public/resolver/view/submenu.tsx          |  44 ++--
 .../resolver/view/use_navigate_or_replace.ts  |  59 +++++
 .../resolver/view/use_query_string_keys.ts    |  21 --
 ...se_related_event_by_category_navigation.ts |  37 +++
 .../use_related_event_detail_navigation.ts    |  40 +++
 .../view/use_replace_breadcrumb_parameters.ts |  47 ----
 .../view/use_resolver_query_params_cleaner.ts |  16 +-
 .../translations/translations/ja-JP.json      |   1 -
 .../translations/translations/zh-CN.json      |   1 -
 34 files changed, 1427 insertions(+), 861 deletions(-)
 create mode 100644 x-pack/plugins/security_solution/public/resolver/models/schema.test.ts
 create mode 100644 x-pack/plugins/security_solution/public/resolver/models/schema.ts
 rename x-pack/plugins/security_solution/public/resolver/view/panels/{related_event_detail.tsx => event_detail.tsx} (77%)
 rename x-pack/plugins/security_solution/public/resolver/view/panels/{process_details.tsx => node_details.tsx} (78%)
 rename x-pack/plugins/security_solution/public/resolver/view/panels/{event_counts_for_process.tsx => node_events.tsx} (57%)
 rename x-pack/plugins/security_solution/public/resolver/view/panels/{process_event_list.tsx => node_events_of_type.tsx} (64%)
 rename x-pack/plugins/security_solution/public/resolver/view/panels/{process_list_with_counts.tsx => node_list.tsx} (61%)
 create mode 100644 x-pack/plugins/security_solution/public/resolver/view/panels/panel_loading.tsx
 create mode 100644 x-pack/plugins/security_solution/public/resolver/view/panels/styles.tsx
 create mode 100644 x-pack/plugins/security_solution/public/resolver/view/use_navigate_or_replace.ts
 delete mode 100644 x-pack/plugins/security_solution/public/resolver/view/use_query_string_keys.ts
 create mode 100644 x-pack/plugins/security_solution/public/resolver/view/use_related_event_by_category_navigation.ts
 create mode 100644 x-pack/plugins/security_solution/public/resolver/view/use_related_event_detail_navigation.ts
 delete mode 100644 x-pack/plugins/security_solution/public/resolver/view/use_replace_breadcrumb_parameters.ts

diff --git a/x-pack/plugins/security_solution/public/resolver/models/location_search.ts b/x-pack/plugins/security_solution/public/resolver/models/location_search.ts
index 8c21043c268d5..6c1dc7991e298 100644
--- a/x-pack/plugins/security_solution/public/resolver/models/location_search.ts
+++ b/x-pack/plugins/security_solution/public/resolver/models/location_search.ts
@@ -4,36 +4,44 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-/**
- * The legacy `crumbEvent` and `crumbId` parameters.
- * @deprecated
- */
-export function breadcrumbParameters(
-  locationSearch: string,
-  resolverComponentInstanceID: string
-): { crumbEvent: string; crumbId: string } {
-  const urlSearchParams = new URLSearchParams(locationSearch);
-  const { eventKey, idKey } = parameterNames(resolverComponentInstanceID);
-  return {
-    // Use `''` for backwards compatibility with deprecated code.
-    crumbEvent: urlSearchParams.get(eventKey) ?? '',
-    crumbId: urlSearchParams.get(idKey) ?? '',
-  };
-}
+import { PanelViewAndParameters } from '../types';
+import * as schema from './schema';
 
 /**
- * Parameter names based on the `resolverComponentInstanceID`.
+ * Validates an `unknown` value, narrowing it to `PanelViewAndParameters`.
+ * Use this to validate that the value decoded from the URL is a valid `PanelViewAndParameters` object.
  */
-function parameterNames(
-  resolverComponentInstanceID: string
-): {
-  idKey: string;
-  eventKey: string;
-} {
-  const idKey: string = `resolver-${resolverComponentInstanceID}-id`;
-  const eventKey: string = `resolver-${resolverComponentInstanceID}-event`;
-  return {
-    idKey,
-    eventKey,
-  };
-}
+export const isPanelViewAndParameters: (
+  value: unknown
+) => value is PanelViewAndParameters = schema.oneOf([
+  schema.object({
+    panelView: schema.literal('nodes' as const),
+  }),
+  schema.object({
+    panelView: schema.literal('nodeDetail' as const),
+    panelParameters: schema.object({
+      nodeID: schema.string(),
+    }),
+  }),
+  schema.object({
+    panelView: schema.literal('nodeEvents' as const),
+    panelParameters: schema.object({
+      nodeID: schema.string(),
+    }),
+  }),
+  schema.object({
+    panelView: schema.literal('nodeEventsOfType' as const),
+    panelParameters: schema.object({
+      nodeID: schema.string(),
+      eventType: schema.string(),
+    }),
+  }),
+  schema.object({
+    panelView: schema.literal('eventDetail' as const),
+    panelParameters: schema.object({
+      nodeID: schema.string(),
+      eventType: schema.string(),
+      eventID: schema.string(),
+    }),
+  }),
+]);
diff --git a/x-pack/plugins/security_solution/public/resolver/models/schema.test.ts b/x-pack/plugins/security_solution/public/resolver/models/schema.test.ts
new file mode 100644
index 0000000000000..c01e1300d8914
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/resolver/models/schema.test.ts
@@ -0,0 +1,135 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import * as schema from './schema';
+
+interface SortDefinition {
+  page?: number;
+  sort?: Array<{ field: 'name' | 'ip' | 'date'; direction: 'asc' | 'desc' }>;
+}
+describe(`a validator made using the 'schema' module which validates that a value has the type:
+{
+  page?: number;
+  sort?: Array<{ field: 'name' | 'ip' | 'date'; direction: 'asc' | 'desc' }>;
+}`, () => {
+  let validator: (value: unknown) => value is SortDefinition;
+  beforeEach(() => {
+    validator = schema.object({
+      page: schema.oneOf([schema.literal(undefined), schema.number()]),
+      sort: schema.oneOf([
+        schema.array(
+          schema.object({
+            field: schema.oneOf([
+              schema.literal('name' as const),
+              schema.literal('ip' as const),
+              schema.literal('date' as const),
+            ]),
+            direction: schema.oneOf([
+              schema.literal('asc' as const),
+              schema.literal('desc' as const),
+            ]),
+          })
+        ),
+        schema.literal(undefined),
+      ]),
+    });
+  });
+  describe.each([
+    [
+      {
+        page: 1,
+        sort: [
+          {
+            field: 'name',
+            direction: 'asc',
+          },
+          {
+            field: 'date',
+            direction: 'desc',
+          },
+        ],
+      },
+      true,
+    ],
+    [
+      {
+        // page has the wrong type
+        page: '1',
+        sort: [
+          {
+            field: 'name',
+            direction: 'asc',
+          },
+          {
+            field: 'date',
+            direction: 'desc',
+          },
+        ],
+      },
+      false,
+    ],
+
+    [
+      {
+        sort: [
+          {
+            // missing direction
+            field: 'name',
+          },
+        ],
+      },
+      false,
+    ],
+    [
+      {
+        sort: [
+          {
+            field: 'name',
+            // invalid direction
+            direction: 'invalid',
+          },
+        ],
+      },
+      false,
+    ],
+    [
+      {
+        sort: [
+          {
+            // missing field
+            direction: 'desc',
+          },
+        ],
+      },
+      false,
+    ],
+    [
+      {
+        sort: [
+          {
+            // invalid field
+            field: 'invalid',
+            direction: 'desc',
+          },
+        ],
+      },
+      false,
+    ],
+    // nothing in the array
+    [{ sort: [] }, true],
+    // page only
+    [{ page: 1 }, true],
+    // empty object (valid because all keys are optional.)
+    [{}, true],
+    // entirely invalid types
+    [null, false],
+    [true, false],
+    ['', false],
+  ])('when the value to be validated is `%j`', (value, expected) => {
+    it(`should return ${expected}`, () => {
+      expect(validator(value)).toBe(expected);
+    });
+  });
+});
diff --git a/x-pack/plugins/security_solution/public/resolver/models/schema.ts b/x-pack/plugins/security_solution/public/resolver/models/schema.ts
new file mode 100644
index 0000000000000..07912b82b425c
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/resolver/models/schema.ts
@@ -0,0 +1,176 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+type Validator<T> = (value: unknown) => value is T;
+type TypeOf<V extends Validator<unknown>> = V extends Validator<infer T> ? T : never;
+
+/**
+ * Validate that `value` matches at least one of `validators`.
+ * Use this to create a predicate for a union type.
+ * e.g.
+ * ```
+ * import * as schema from './schema';
+ * const isAscOrDesc: (value: unknown) => value is 'asc' | 'desc' = schema.oneOf([
+ *   schema.literal('asc' as const),
+ *   schema.literal('desc' as const),
+ * ]);
+ * ```
+ */
+export function oneOf<V extends Array<Validator<unknown>>>(validators: V) {
+  return function (
+    value: unknown
+  ): value is V extends Array<Validator<infer ElementType>> ? ElementType : never {
+    for (const validator of validators) {
+      if (validator(value)) {
+        return true;
+      }
+    }
+    return false;
+  };
+}
+
+/**
+ * Validate that `value` is an array and that each of its elements matches `elementValidator`.
+ * Use this to create a predicate for an array type.
+ * ```
+ * import * as schema from './schema';
+ * const isAscOrDesc: (value: unknown) => value is 'asc' | 'desc' = schema.oneOf([
+ *   schema.literal('asc' as const),
+ *   schema.literal('desc' as const),
+ * ]);
+ * ```
+ */
+export function array<V extends Validator<unknown>>(elementValidator: V) {
+  return function (
+    value: unknown
+  ): value is Array<V extends Validator<infer ElementType> ? ElementType : never> {
+    if (Array.isArray(value)) {
+      for (const element of value as unknown[]) {
+        const result = elementValidator(element);
+        if (!result) {
+          return false;
+        }
+      }
+      return true;
+    }
+    return false;
+  };
+}
+
+/**
+ * The keys of `T` where `undefined` is assignable to the corresponding value.
+ * Used to figure out which keys could be made optional.
+ */
+type KeysWithOptionalValues<T extends { [key: string]: unknown }> = {
+  [K in keyof T]: undefined extends T[K] ? K : never;
+}[keyof T];
+
+/**
+ * `T` with required keys changed to optional if the corresponding value could be `undefined`.
+ * Converts a type like `{  key: number | undefined; requiredKey: string }` to a type like `{ key?: number | undefined; requiredKey: string }`
+ * This allows us to write object literals that omit a key if the value can accept `undefined`.
+ */
+type OptionalKeyWhenValueAcceptsUndefined<T extends { [key: string]: unknown }> = {
+  [K in Exclude<keyof T, KeysWithOptionalValues<T>>]: T[K];
+} &
+  {
+    [K in KeysWithOptionalValues<T>]?: Exclude<T[K], undefined>;
+  };
+
+/**
+ * Validate that `value` is an object with string keys. The value at each key is tested against its own validator.
+ *
+ * Use this to create a predicate for a type like `{ a: string[] }`. For example:
+ * ```ts
+ * import * as schema from './schema';
+ * const myValidator: (value: unknown) => value is { a: string[] } = schema.object({
+ *   a: schema.array(schema.string()),
+ * });
+ * ```
+ */
+export function object<
+  ValidatorDictionary extends {
+    [key: string]: Validator<unknown>;
+  }
+>(validatorDictionary: ValidatorDictionary) {
+  return function (
+    value: unknown
+  ): value is /** If a key can point to `undefined`, then instead make the key optional and exclude `undefined` from the value type. */ OptionalKeyWhenValueAcceptsUndefined<
+    {
+      [K in keyof ValidatorDictionary]: TypeOf<ValidatorDictionary[K]>;
+    }
+  > {
+    // This only validates non-null objects
+    if (typeof value !== 'object' || value === null) {
+      return false;
+    }
+
+    // Rebind value as the result type so that we can interrogate it
+    const trusted = value as { [K in keyof ValidatorDictionary]: TypeOf<ValidatorDictionary[K]> };
+
+    // Get each validator in the validator dictionary and use it to validate the corresponding value
+    for (const key of Object.keys(validatorDictionary)) {
+      const validator = validatorDictionary[key];
+      if (!validator(trusted[key])) {
+        return false;
+      }
+    }
+    return true;
+  };
+}
+
+/**
+ * Validate that `value` is strictly equal to `acceptedValue`.
+ * Use this for a literal type, for example:
+ * ```
+ * import * as schema from './schema';
+ * const isAscOrDesc: (value: unknown) => value is 'asc' | 'desc' = schema.oneOf([
+ *   schema.literal('asc' as const),
+ *   schema.literal('desc' as const),
+ * ]);
+ * ```
+ */
+export function literal<T>(acceptedValue: T) {
+  return function (value: unknown): value is T {
+    return acceptedValue === value;
+  };
+}
+
+/**
+ * Validate that `value` is a string.
+ * NB: this is used as `string` externally via named export.
+ * Usage:
+ * ```
+ * import * as schema from './schema';
+ * const isString: (value: unknown) => value is string = schema.string();
+ * ```
+ */
+function anyString(): (value: unknown) => value is string {
+  return function (value: unknown): value is string {
+    return typeof value === 'string';
+  };
+}
+
+/**
+ * Validate that `value` is a number.
+ * NB: this just checks if `typeof value === 'number'`. It will return `true` for `NaN`.
+ * NB: this is used as `number` externally via named export.
+ * Usage:
+ * ```
+ * import * as schema from './schema';
+ * const isNumber: (value: unknown) => value is number = schema.number();
+ * ```
+ */
+function anyNumber(): (value: unknown) => value is number {
+  return function (value: unknown): value is number {
+    return typeof value === 'number';
+  };
+}
+
+/**
+ * Export `anyString` as `string`. We can't define a function named `string`.
+ * Export `anyNumber` as `number`. We can't define a function named `number`.
+ */
+export { anyString as string, anyNumber as number };
diff --git a/x-pack/plugins/security_solution/public/resolver/store/actions.ts b/x-pack/plugins/security_solution/public/resolver/store/actions.ts
index 7d71cbd97b9ee..6a02d5b76bc4c 100644
--- a/x-pack/plugins/security_solution/public/resolver/store/actions.ts
+++ b/x-pack/plugins/security_solution/public/resolver/store/actions.ts
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 import { CameraAction } from './camera';
-import { ResolverEvent, SafeResolverEvent } from '../../../common/endpoint/types';
+import { ResolverEvent } from '../../../common/endpoint/types';
 import { DataAction } from './data/action';
 
 /**
@@ -88,19 +88,6 @@ interface UserSelectedResolverNode {
   readonly payload: string;
 }
 
-/**
- * This action should dispatch to indicate that the user chose to
- * focus on examining the related events of a particular ResolverEvent.
- * Optionally, this can be bound by a category of related events (e.g. 'file' or 'dns')
- */
-interface UserSelectedRelatedEventCategory {
-  readonly type: 'userSelectedRelatedEventCategory';
-  readonly payload: {
-    subject: SafeResolverEvent;
-    category?: string;
-  };
-}
-
 /**
  * Used by `useStateSyncingActions` hook.
  * This is dispatched when external sources provide new parameters for Resolver.
@@ -141,6 +128,5 @@ export type ResolverAction =
   | UserFocusedOnResolverNode
   | UserSelectedResolverNode
   | UserRequestedRelatedEventData
-  | UserSelectedRelatedEventCategory
   | AppDetectedNewIdFromQueryParams
   | AppDetectedMissingEventData;
diff --git a/x-pack/plugins/security_solution/public/resolver/store/data/selectors.ts b/x-pack/plugins/security_solution/public/resolver/store/data/selectors.ts
index e647828ddb606..d714ddb181470 100644
--- a/x-pack/plugins/security_solution/public/resolver/store/data/selectors.ts
+++ b/x-pack/plugins/security_solution/public/resolver/store/data/selectors.ts
@@ -152,6 +152,7 @@ export const tree = createSelector(graphableProcesses, function indexedTree(
 
 /**
  * This returns a map of entity_ids to stats about the related events and alerts.
+ * @deprecated
  */
 export const relatedEventsStats: (
   state: DataState
@@ -189,6 +190,7 @@ export const relatedEventAggregateTotalByEntityId: (
 
 /**
  * returns a map of entity_ids to related event data.
+ * @deprecated
  */
 export function relatedEventsByEntityId(data: DataState): Map<string, ResolverRelatedEvents> {
   return data.relatedEvents;
@@ -205,6 +207,7 @@ export function relatedEventsByEntityId(data: DataState): Map<string, ResolverRe
  * {title: "a.b", description: "1"}, {title: "c", description: "d"}
  *
  * @param {object} obj The object to turn into `<dt><dd>` entries
+ * @deprecated
  */
 const objectToDescriptionListEntries = function* (
   obj: object,
@@ -232,6 +235,7 @@ const objectToDescriptionListEntries = function* (
 /**
  * Returns a function that returns the information needed to display related event details based on
  * the related event's entityID and its own ID.
+ * @deprecated
  */
 export const relatedEventDisplayInfoByEntityAndSelfID: (
   state: DataState
@@ -262,9 +266,8 @@ export const relatedEventDisplayInfoByEntityAndSelfID: (
     const countOfCategory = relatedEventsForThisProcess.events.reduce((sumtotal, evt) => {
       return eventModel.primaryEventCategory(evt) === specificCategory ? sumtotal + 1 : sumtotal;
     }, 0);
-
     // Assuming these details (agent, ecs, process) aren't as helpful, can revisit
-    const { agent, ecs, process, ...relevantData } = specificEvent as ResolverEvent & {
+    const { agent, ecs, process, ...relevantData } = specificEvent as SafeResolverEvent & {
       // Type this with various unknown keys so that ts will let us delete those keys
       ecs: unknown;
       process: unknown;
@@ -291,12 +294,13 @@ export const relatedEventDisplayInfoByEntityAndSelfID: (
 /**
  * Returns a function that returns a function (when supplied with an entity id for a node)
  * that returns related events for a node that match an event.category (when supplied with the category)
+ * @deprecated
  */
 export const relatedEventsByCategory: (
   state: DataState
 ) => (entityID: string) => (ecsCategory: string) => ResolverEvent[] = createSelector(
   relatedEventsByEntityId,
-  function provideGettersByCategory(
+  function (
     /* eslint-disable no-shadow */
     relatedEventsByEntityId
     /* eslint-enable no-shadow */
@@ -327,6 +331,7 @@ export const relatedEventsByCategory: (
 /**
  * returns a map of entity_ids to booleans indicating if it is waiting on related event
  * A value of `undefined` can be interpreted as `not yet requested`
+ * @deprecated
  */
 export function relatedEventsReady(data: DataState): Map<string, boolean> {
   return data.relatedEventsReady;
@@ -334,6 +339,7 @@ export function relatedEventsReady(data: DataState): Map<string, boolean> {
 
 /**
  * `true` if there were more children than we got in the last request.
+ * @deprecated
  */
 export function hasMoreChildren(state: DataState): boolean {
   const resolverTree = resolverTreeResponse(state);
@@ -342,6 +348,7 @@ export function hasMoreChildren(state: DataState): boolean {
 
 /**
  * `true` if there were more ancestors than we got in the last request.
+ * @deprecated
  */
 export function hasMoreAncestors(state: DataState): boolean {
   const resolverTree = resolverTreeResponse(state);
@@ -357,6 +364,7 @@ interface RelatedInfoFunctions {
  * A map of `entity_id`s to functions that provide information about
  * related events by ECS `.category` Primarily to avoid having business logic
  * in UI components.
+ * @deprecated
  */
 export const relatedEventInfoByEntityId: (
   state: DataState
diff --git a/x-pack/plugins/security_solution/public/resolver/store/selectors.ts b/x-pack/plugins/security_solution/public/resolver/store/selectors.ts
index 8ea0bc9199cb6..96b080206b61e 100644
--- a/x-pack/plugins/security_solution/public/resolver/store/selectors.ts
+++ b/x-pack/plugins/security_solution/public/resolver/store/selectors.ts
@@ -128,6 +128,7 @@ export const relatedEventAggregateTotalByEntityId: (
 
 /**
  * Map of related events... by entity id
+ * @deprecated
  */
 export const relatedEventsByEntityId = composeSelectors(
   dataStateSelector,
@@ -137,6 +138,7 @@ export const relatedEventsByEntityId = composeSelectors(
 /**
  * Returns a function that returns the information needed to display related event details based on
  * the related event's entityID and its own ID.
+ * @deprecated
  */
 export const relatedEventDisplayInfoByEntityAndSelfId = composeSelectors(
   dataStateSelector,
@@ -146,6 +148,7 @@ export const relatedEventDisplayInfoByEntityAndSelfId = composeSelectors(
 /**
  * Returns a function that returns a function (when supplied with an entity id for a node)
  * that returns related events for a node that match an event.category (when supplied with the category)
+ * @deprecated
  */
 export const relatedEventsByCategory = composeSelectors(
   dataStateSelector,
@@ -154,6 +157,7 @@ export const relatedEventsByCategory = composeSelectors(
 
 /**
  * Entity ids to booleans for waiting status
+ * @deprecated
  */
 export const relatedEventsReady = composeSelectors(
   dataStateSelector,
@@ -164,6 +168,7 @@ export const relatedEventsReady = composeSelectors(
  * Business logic lookup functions by ECS category by entity id.
  * Example usage:
  * const numberOfFileEvents = infoByEntityId.get(`someEntityId`)?.getAggregateTotalForCategory(`file`);
+ * @deprecated
  */
 export const relatedEventInfoByEntityId = composeSelectors(
   dataStateSelector,
@@ -241,6 +246,7 @@ const nodesAndEdgelines = composeSelectors(dataStateSelector, dataSelectors.node
 
 /**
  * Total count of related events for a process.
+ * @deprecated
  */
 export const relatedEventTotalForProcess = composeSelectors(
   dataStateSelector,
@@ -316,13 +322,27 @@ export const ariaFlowtoNodeID: (
   }
 );
 
+export const panelViewAndParameters = composeSelectors(
+  uiStateSelector,
+  uiSelectors.panelViewAndParameters
+);
+
+export const relativeHref = composeSelectors(uiStateSelector, uiSelectors.relativeHref);
+
+/**
+ * @deprecated
+ */
+export const relatedEventsRelativeHrefs = composeSelectors(
+  uiStateSelector,
+  uiSelectors.relatedEventsRelativeHrefs
+);
+
 /**
- * The legacy `crumbEvent` and `crumbId` parameters.
  * @deprecated
  */
-export const breadcrumbParameters = composeSelectors(
+export const relatedEventDetailHrefs = composeSelectors(
   uiStateSelector,
-  uiSelectors.breadcrumbParameters
+  uiSelectors.relatedEventDetailHrefs
 );
 
 /**
diff --git a/x-pack/plugins/security_solution/public/resolver/store/ui/selectors.ts b/x-pack/plugins/security_solution/public/resolver/store/ui/selectors.ts
index 5315ffb3c5fdb..6bc41832b92f2 100644
--- a/x-pack/plugins/security_solution/public/resolver/store/ui/selectors.ts
+++ b/x-pack/plugins/security_solution/public/resolver/store/ui/selectors.ts
@@ -4,9 +4,13 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { decode, encode } from 'rison-node';
+
 import { createSelector } from 'reselect';
-import { ResolverUIState } from '../../types';
-import * as locationSearchModel from '../../models/location_search';
+import { PanelViewAndParameters, ResolverUIState } from '../../types';
+import { ResolverEvent } from '../../../../common/endpoint/types';
+import { isPanelViewAndParameters } from '../../models/location_search';
+import { eventId } from '../../../../common/endpoint/models/event';
 
 /**
  * id of the "current" tree node (fake-focused)
@@ -31,20 +35,129 @@ export const selectedNode = createSelector(
 );
 
 /**
- * The legacy `crumbEvent` and `crumbId` parameters.
- * @deprecated
+ * Which view should show in the panel, as well as what parameters should be used.
+ * Calculated using the query string
  */
-export const breadcrumbParameters = createSelector(
+export const panelViewAndParameters = createSelector(
   (state: ResolverUIState) => state.locationSearch,
   (state: ResolverUIState) => state.resolverComponentInstanceID,
   (locationSearch, resolverComponentInstanceID) => {
     if (locationSearch === undefined || resolverComponentInstanceID === undefined) {
       // Equivalent to `null`
-      return {
-        crumbId: '',
-        crumbEvent: '',
-      };
+      return defaultParameters();
+    }
+    const urlSearchParams = new URLSearchParams(locationSearch);
+    const value = urlSearchParams.get(parameterName(resolverComponentInstanceID));
+    if (value === null) {
+      // Equivalent to `null`
+      return defaultParameters();
+    }
+    const decodedValue: unknown = decode(value);
+    if (isPanelViewAndParameters(decodedValue)) {
+      return decodedValue;
     }
-    return locationSearchModel.breadcrumbParameters(locationSearch, resolverComponentInstanceID);
+    return defaultParameters();
   }
 );
+
+/**
+ * Return a relative href (which includes just the 'search' part) that contains an encoded version of `params `.
+ * All other values in the 'search' will be kept.
+ * Use this to get an `href` for an anchor tag.
+ */
+export const relativeHref: (
+  state: ResolverUIState
+) => (params: PanelViewAndParameters) => string | undefined = createSelector(
+  (state: ResolverUIState) => state.locationSearch,
+  (state: ResolverUIState) => state.resolverComponentInstanceID,
+  (locationSearch, resolverComponentInstanceID) => {
+    return (params: PanelViewAndParameters) => {
+      /**
+       * This is only possible before the first `'appReceivedNewExternalProperties'` action is fired.
+       */
+      if (locationSearch === undefined || resolverComponentInstanceID === undefined) {
+        return undefined;
+      }
+      const urlSearchParams = new URLSearchParams(locationSearch);
+      const value = encode(params);
+      urlSearchParams.set(parameterName(resolverComponentInstanceID), value);
+      return `?${urlSearchParams.toString()}`;
+    };
+  }
+);
+
+/**
+ * Returns a map of ecs category name to urls for use in panel navigation.
+ * @deprecated
+ */
+export const relatedEventsRelativeHrefs: (
+  state: ResolverUIState
+) => (
+  categories: Record<string, number> | undefined,
+  nodeID: string
+) => Map<string, string | undefined> = createSelector(relativeHref, (relativeHref) => {
+  return (categories: Record<string, number> | undefined, nodeID: string) => {
+    const hrefsByCategory = new Map<string, string | undefined>();
+    if (categories !== undefined) {
+      Object.keys(categories).map((category) => {
+        const categoryPanelParams: PanelViewAndParameters = {
+          panelView: 'nodeEventsOfType',
+          panelParameters: {
+            nodeID,
+            eventType: category,
+          },
+        };
+        hrefsByCategory.set(category, relativeHref(categoryPanelParams));
+        return category;
+      });
+    }
+    return hrefsByCategory;
+  };
+});
+
+/**
+ * Returns a map of event entity ids to urls for use in navigation.
+ * @deprecated
+ */
+export const relatedEventDetailHrefs: (
+  state: ResolverUIState
+) => (
+  category: string,
+  nodeID: string,
+  events: ResolverEvent[]
+) => Map<string, string | undefined> = createSelector(relativeHref, (relativeHref) => {
+  return (category: string, nodeID: string, events: ResolverEvent[]) => {
+    const hrefsByEntityID = new Map<string, string | undefined>();
+    events.map((event) => {
+      const entityID = String(eventId(event));
+      const eventDetailPanelParams: PanelViewAndParameters = {
+        panelView: 'eventDetail',
+        panelParameters: {
+          nodeID,
+          eventType: category,
+          eventID: entityID,
+        },
+      };
+      hrefsByEntityID.set(entityID, relativeHref(eventDetailPanelParams));
+      return event;
+    });
+    return hrefsByEntityID;
+  };
+});
+
+/**
+ * The parameter name that we use to read/write state to the query string
+ */
+export function parameterName(resolverComponentInstanceID: string): string {
+  return `resolver-${resolverComponentInstanceID}`;
+}
+/**
+ * The default parameters to use when no (valid) location search is available.
+ */
+export function defaultParameters(): PanelViewAndParameters {
+  // Note, this really should be a selector. it needs to know about the state of the app so it can select
+  // the origin event.
+  return {
+    panelView: 'nodes',
+  };
+}
diff --git a/x-pack/plugins/security_solution/public/resolver/test_utilities/url_search.ts b/x-pack/plugins/security_solution/public/resolver/test_utilities/url_search.ts
index 1a26e29d22da7..0792dae8928bd 100644
--- a/x-pack/plugins/security_solution/public/resolver/test_utilities/url_search.ts
+++ b/x-pack/plugins/security_solution/public/resolver/test_utilities/url_search.ts
@@ -4,23 +4,20 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-interface Options {
-  /**
-   * The entity_id of the selected node.
-   */
-  selectedEntityID?: string;
-}
+import { encode } from 'rison-node';
+import { PanelViewAndParameters } from '../types';
 
 /**
  * Calculate the expected URL search based on options.
  */
-export function urlSearch(resolverComponentInstanceID: string, options?: Options): string {
+export function urlSearch(
+  resolverComponentInstanceID: string,
+  options?: PanelViewAndParameters
+): string {
   if (!options) {
     return '';
   }
   const params = new URLSearchParams();
-  if (options.selectedEntityID !== undefined) {
-    params.set(`resolver-${resolverComponentInstanceID}-id`, options.selectedEntityID);
-  }
+  params.set(`resolver-${resolverComponentInstanceID}`, encode(options));
   return params.toString();
 }
diff --git a/x-pack/plugins/security_solution/public/resolver/types.ts b/x-pack/plugins/security_solution/public/resolver/types.ts
index 1e7e2a8eba8a8..952a1c5764d8e 100644
--- a/x-pack/plugins/security_solution/public/resolver/types.ts
+++ b/x-pack/plugins/security_solution/public/resolver/types.ts
@@ -619,3 +619,81 @@ export interface ResolverPluginSetup {
     };
   };
 }
+
+/**
+ * Parameters to control what panel content is shown. Can be encoded and decoded from the URL using methods in
+ * `models/location_search`
+ */
+export type PanelViewAndParameters =
+  | {
+      /**
+       * The panel will show a index view (e.g. a list) of the nodes.
+       */
+      panelView: 'nodes';
+    }
+  | {
+      /**
+       * The panel will show the details of a single node.
+       */
+      panelView: 'nodeDetail';
+      panelParameters: {
+        /**
+         * The nodeID (e.g. `process.entity_id`) for the node that will be shown in detail
+         */
+        nodeID: string;
+      };
+    }
+  | {
+      /**
+       * The panel will show a index view of the all events related to a specific node.
+       * This may show a summary of aggregation of the events related to the node.
+       */
+      panelView: 'nodeEvents';
+      panelParameters: {
+        /**
+         * The nodeID (e.g. `process.entity_id`) for the node whose events will be shown.
+         */
+        nodeID: string;
+      };
+    }
+  | {
+      /**
+       * The panel will show an index view of the events related to a specific node. Only events with a specific type will be shown.
+       */
+      panelView: 'nodeEventsOfType';
+      panelParameters: {
+        /**
+         * The nodeID (e.g. `process.entity_id`) for the node whose events will be shown.
+         */
+        nodeID: string;
+        /**
+         * A parameter used to filter the events. For example, events that don't contain `eventType` in their `event.category` field may be hidden.
+         */
+        eventType: string;
+      };
+    }
+  | {
+      /**
+       * The panel will show details about a particular event. This is meant as a subview of 'nodeEventsOfType'.
+       */
+      panelView: 'eventDetail';
+      panelParameters: {
+        /**
+         * The nodeID (e.g. `process.entity_id`) for the node related to the event being shown.
+         */
+        nodeID: string;
+        /**
+         * A value used for the `nodeEventsOfType` view. Used to associate this view with a parent `nodeEventsOfType` view.
+         * e.g. The user views the `nodeEventsOfType` and follows a link to the `eventDetail` view. The `eventDetail` view can
+         * use `eventType` to populate breadcrumbs and allow the user to return to the previous filter.
+         *
+         * This cannot be inferred from the event itself, as an event may have any number of 'eventType's.
+         */
+        eventType: string;
+
+        /**
+         * `event.id` that uniquely identifies the event to show.
+         */
+        eventID: string;
+      };
+    };
diff --git a/x-pack/plugins/security_solution/public/resolver/view/clickthrough.test.tsx b/x-pack/plugins/security_solution/public/resolver/view/clickthrough.test.tsx
index 223ce728f4267..935e565be039e 100644
--- a/x-pack/plugins/security_solution/public/resolver/view/clickthrough.test.tsx
+++ b/x-pack/plugins/security_solution/public/resolver/view/clickthrough.test.tsx
@@ -177,7 +177,7 @@ describe('Resolver, when analyzing a tree that has no ancestors and 2 children',
         );
         // Click the second child node's primary button
         if (button) {
-          button.simulate('click');
+          button.simulate('click', { button: 0 });
         }
       });
       it('should render the second child node as selected, and the origin as not selected, and the query string should indicate that the second child is selected', async () => {
@@ -194,7 +194,8 @@ describe('Resolver, when analyzing a tree that has no ancestors and 2 children',
         ).toYieldEqualTo({
           // Just the second child should be marked as selected in the query string
           search: urlSearch(resolverComponentInstanceID, {
-            selectedEntityID: entityIDs.secondChild,
+            panelParameters: { nodeID: entityIDs.secondChild },
+            panelView: 'nodeDetail',
           }),
           // The second child is rendered and has `[aria-selected]`
           selectedSecondChildNodeCount: 1,
@@ -291,7 +292,7 @@ describe('Resolver, when analyzing a tree that has two related events for the or
           simulator.processNodeSubmenuButton(entityIDs.origin)
         );
         if (button) {
-          button.simulate('click');
+          button.simulate('click', { button: 0 });
         }
       });
       it('should open the submenu and display exactly one option with the correct count', async () => {
@@ -308,8 +309,8 @@ describe('Resolver, when analyzing a tree that has two related events for the or
           simulator.processNodeSubmenuButton(entityIDs.origin)
         );
         if (button) {
-          button.simulate('click');
-          button.simulate('click'); // The first click opened the menu, this second click closes it
+          button.simulate('click', { button: 0 });
+          button.simulate('click', { button: 0 }); // The first click opened the menu, this second click closes it
         }
       });
       it('should close the submenu', async () => {
diff --git a/x-pack/plugins/security_solution/public/resolver/view/limit_warnings.tsx b/x-pack/plugins/security_solution/public/resolver/view/limit_warnings.tsx
index e3bad8ee2e574..3f2b7c769cad7 100644
--- a/x-pack/plugins/security_solution/public/resolver/view/limit_warnings.tsx
+++ b/x-pack/plugins/security_solution/public/resolver/view/limit_warnings.tsx
@@ -1,126 +1,118 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import React from 'react';
-import { EuiCallOut } from '@elastic/eui';
-import { FormattedMessage } from 'react-intl';
-
-const lineageLimitMessage = (
-  <>
-    <FormattedMessage
-      id="xpack.securitySolution.endpoint.resolver.eitherLineageLimitExceeded"
-      defaultMessage="Some process events in the visualization and event list below could not be displayed because the data limit has been reached."
-    />
-  </>
-);
-
-const LineageTitleMessage = React.memo(function LineageTitleMessage({
-  numberOfEntries,
-}: {
-  numberOfEntries: number;
-}) {
-  return (
-    <>
-      <FormattedMessage
-        id="xpack.securitySolution.endpoint.resolver.relatedEventLimitTitle"
-        defaultMessage="This list includes {numberOfEntries} process events."
-        values={{ numberOfEntries }}
-      />
-    </>
-  );
-});
-
-const RelatedEventsLimitMessage = React.memo(function RelatedEventsLimitMessage({
-  category,
-  numberOfEventsMissing,
-}: {
-  numberOfEventsMissing: number;
-  category: string;
-}) {
-  return (
-    <>
-      <FormattedMessage
-        id="xpack.securitySolution.endpoint.resolver.relatedEventLimitExceeded"
-        defaultMessage="{numberOfEventsMissing} {category} events could not be displayed because the data limit has been reached."
-        values={{ numberOfEventsMissing, category }}
-      />
-    </>
-  );
-});
-
-const RelatedLimitTitleMessage = React.memo(function RelatedLimitTitleMessage({
-  category,
-  numberOfEventsDisplayed,
-}: {
-  numberOfEventsDisplayed: number;
-  category: string;
-}) {
-  return (
-    <>
-      <FormattedMessage
-        id="xpack.securitySolution.endpoint.resolver.relatedLimitsExceededTitle"
-        defaultMessage="This list includes {numberOfEventsDisplayed} {category} events."
-        values={{ numberOfEventsDisplayed, category }}
-      />
-    </>
-  );
-});
-
-/**
- * Limit warning for hitting the /events API limit
- */
-export const RelatedEventLimitWarning = React.memo(function RelatedEventLimitWarning({
-  className,
-  eventType,
-  numberActuallyDisplayed,
-  numberMissing,
-}: {
-  className?: string;
-  eventType: string;
-  numberActuallyDisplayed: number;
-  numberMissing: number;
-}) {
-  /**
-   * Based on API limits, all related events may not be displayed.
-   */
-  return (
-    <EuiCallOut
-      size="s"
-      className={className}
-      title={
-        <RelatedLimitTitleMessage
-          category={eventType}
-          numberOfEventsDisplayed={numberActuallyDisplayed}
-        />
-      }
-    >
-      <p>
-        <RelatedEventsLimitMessage category={eventType} numberOfEventsMissing={numberMissing} />
-      </p>
-    </EuiCallOut>
-  );
-});
-
-/**
- * Limit warning for hitting a limit of nodes in the tree
- */
-export const LimitWarning = React.memo(function LimitWarning({
-  className,
-  numberDisplayed,
-}: {
-  className?: string;
-  numberDisplayed: number;
-}) {
-  return (
-    <EuiCallOut
-      size="s"
-      className={className}
-      title={<LineageTitleMessage numberOfEntries={numberDisplayed} />}
-    >
-      <p>{lineageLimitMessage}</p>
-    </EuiCallOut>
-  );
-});
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import { EuiCallOut } from '@elastic/eui';
+import { FormattedMessage } from 'react-intl';
+
+const lineageLimitMessage = (
+  <FormattedMessage
+    id="xpack.securitySolution.endpoint.resolver.eitherLineageLimitExceeded"
+    defaultMessage="Some process events in the visualization and event list below could not be displayed because the data limit has been reached."
+  />
+);
+
+const LineageTitleMessage = React.memo(function LineageTitleMessage({
+  numberOfEntries,
+}: {
+  numberOfEntries: number;
+}) {
+  return (
+    <FormattedMessage
+      id="xpack.securitySolution.endpoint.resolver.relatedEventLimitTitle"
+      defaultMessage="This list includes {numberOfEntries} process events."
+      values={{ numberOfEntries }}
+    />
+  );
+});
+
+const RelatedEventsLimitMessage = React.memo(function RelatedEventsLimitMessage({
+  category,
+  numberOfEventsMissing,
+}: {
+  numberOfEventsMissing: number;
+  category: string;
+}) {
+  return (
+    <FormattedMessage
+      id="xpack.securitySolution.endpoint.resolver.relatedEventLimitExceeded"
+      defaultMessage="{numberOfEventsMissing} {category} events could not be displayed because the data limit has been reached."
+      values={{ numberOfEventsMissing, category }}
+    />
+  );
+});
+
+const RelatedLimitTitleMessage = React.memo(function RelatedLimitTitleMessage({
+  category,
+  numberOfEventsDisplayed,
+}: {
+  numberOfEventsDisplayed: number;
+  category: string;
+}) {
+  return (
+    <FormattedMessage
+      id="xpack.securitySolution.endpoint.resolver.relatedLimitsExceededTitle"
+      defaultMessage="This list includes {numberOfEventsDisplayed} {category} events."
+      values={{ numberOfEventsDisplayed, category }}
+    />
+  );
+});
+
+/**
+ * Limit warning for hitting the /events API limit
+ */
+export const RelatedEventLimitWarning = React.memo(function RelatedEventLimitWarning({
+  className,
+  eventType,
+  numberActuallyDisplayed,
+  numberMissing,
+}: {
+  className?: string;
+  eventType: string;
+  numberActuallyDisplayed: number;
+  numberMissing: number;
+}) {
+  /**
+   * Based on API limits, all related events may not be displayed.
+   */
+  return (
+    <EuiCallOut
+      size="s"
+      className={className}
+      title={
+        <RelatedLimitTitleMessage
+          category={eventType}
+          numberOfEventsDisplayed={numberActuallyDisplayed}
+        />
+      }
+    >
+      <p>
+        <RelatedEventsLimitMessage category={eventType} numberOfEventsMissing={numberMissing} />
+      </p>
+    </EuiCallOut>
+  );
+});
+
+/**
+ * Limit warning for hitting a limit of nodes in the tree
+ */
+export const LimitWarning = React.memo(function LimitWarning({
+  className,
+  numberDisplayed,
+}: {
+  className?: string;
+  numberDisplayed: number;
+}) {
+  return (
+    <EuiCallOut
+      size="s"
+      className={className}
+      title={<LineageTitleMessage numberOfEntries={numberDisplayed} />}
+    >
+      <p>{lineageLimitMessage}</p>
+    </EuiCallOut>
+  );
+});
diff --git a/x-pack/plugins/security_solution/public/resolver/view/panel.test.tsx b/x-pack/plugins/security_solution/public/resolver/view/panel.test.tsx
index 7021e476e6439..3c32d448ac2a7 100644
--- a/x-pack/plugins/security_solution/public/resolver/view/panel.test.tsx
+++ b/x-pack/plugins/security_solution/public/resolver/view/panel.test.tsx
@@ -3,7 +3,6 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-
 import { createMemoryHistory, History as HistoryPackageHistoryInterface } from 'history';
 
 import { noAncestorsTwoChildren } from '../data_access_layer/mocks/no_ancestors_two_children';
@@ -61,7 +60,8 @@ describe(`Resolver: when analyzing a tree with no ancestors and two children, an
   });
 
   const queryStringWithOriginSelected = urlSearch(resolverComponentInstanceID, {
-    selectedEntityID: 'origin',
+    panelParameters: { nodeID: 'origin' },
+    panelView: 'nodeDetail',
   });
 
   describe(`when the URL query string is ${queryStringWithOriginSelected}`, () => {
@@ -111,7 +111,8 @@ describe(`Resolver: when analyzing a tree with no ancestors and two children, an
   });
 
   const queryStringWithFirstChildSelected = urlSearch(resolverComponentInstanceID, {
-    selectedEntityID: 'firstChild',
+    panelParameters: { nodeID: 'firstChild' },
+    panelView: 'nodeDetail',
   });
 
   describe(`when the URL query string is ${queryStringWithFirstChildSelected}`, () => {
@@ -149,7 +150,7 @@ describe(`Resolver: when analyzing a tree with no ancestors and two children, an
       const nodeLinks = await simulator().resolve('resolver:node-list:node-link:title');
       expect(nodeLinks).toBeTruthy();
       if (nodeLinks) {
-        nodeLinks.first().simulate('click');
+        nodeLinks.first().simulate('click', { button: 0 });
       }
     });
     it('should show the details for the first node', async () => {
@@ -168,7 +169,10 @@ describe(`Resolver: when analyzing a tree with no ancestors and two children, an
     it("should have the first node's ID in the query string", async () => {
       await expect(simulator().map(() => simulator().historyLocationSearch)).toYieldEqualTo(
         urlSearch(resolverComponentInstanceID, {
-          selectedEntityID: entityIDs.origin,
+          panelView: 'nodeDetail',
+          panelParameters: {
+            nodeID: entityIDs.origin,
+          },
         })
       );
     });
@@ -178,7 +182,7 @@ describe(`Resolver: when analyzing a tree with no ancestors and two children, an
           'resolver:node-detail:breadcrumbs:node-list-link'
         );
         if (nodeListLink) {
-          nodeListLink.simulate('click');
+          nodeListLink.simulate('click', { button: 0 });
         }
       });
       it('should show the list of nodes with links to each node', async () => {
diff --git a/x-pack/plugins/security_solution/public/resolver/view/panels/related_event_detail.tsx b/x-pack/plugins/security_solution/public/resolver/view/panels/event_detail.tsx
similarity index 77%
rename from x-pack/plugins/security_solution/public/resolver/view/panels/related_event_detail.tsx
rename to x-pack/plugins/security_solution/public/resolver/view/panels/event_detail.tsx
index 4762c615ba793..24d2a4a8f43f0 100644
--- a/x-pack/plugins/security_solution/public/resolver/view/panels/related_event_detail.tsx
+++ b/x-pack/plugins/security_solution/public/resolver/view/panels/event_detail.tsx
@@ -10,14 +10,15 @@ import { EuiSpacer, EuiText, EuiDescriptionList, EuiTextColor, EuiTitle } from '
 import styled from 'styled-components';
 import { useSelector } from 'react-redux';
 import { FormattedMessage } from 'react-intl';
+import { StyledPanel } from '../styles';
 import { StyledBreadcrumbs, BoldCode, StyledTime, GeneratedText } from './panel_content_utilities';
 import * as event from '../../../../common/endpoint/models/event';
-import { ResolverEvent } from '../../../../common/endpoint/types';
 import * as selectors from '../../store/selectors';
 import { useResolverDispatch } from '../use_resolver_dispatch';
 import { PanelContentError } from './panel_content_error';
+import { PanelLoading } from './panel_loading';
 import { ResolverState } from '../../types';
-import { useReplaceBreadcrumbParameters } from '../use_replace_breadcrumb_parameters';
+import { useNavigateOrReplace } from '../use_navigate_or_replace';
 
 // Adding some styles to prevent horizontal scrollbars, per request from UX review
 const StyledDescriptionList = memo(styled(EuiDescriptionList)`
@@ -77,17 +78,26 @@ function entriesForDisplay(entries: Array<{ title: string; description: string }
  * This view presents a detailed view of all the available data for a related event, split and titled by the "section"
  * it appears in the underlying ResolverEvent
  */
-export const RelatedEventDetail = memo(function ({
-  relatedEventId,
-  parentEvent,
-  countForParent,
+export const EventDetail = memo(function ({
+  nodeID,
+  eventID,
 }: {
-  relatedEventId: string;
-  parentEvent: ResolverEvent;
-  countForParent: number | undefined;
+  nodeID: string;
+  eventID: string;
 }) {
+  const parentEvent = useSelector((state: ResolverState) =>
+    selectors.processEventForID(state)(nodeID)
+  );
+
+  const relatedEventsStats = useSelector((state: ResolverState) =>
+    selectors.relatedEventsStats(state)(nodeID)
+  );
+  const countForParent: number = Object.values(relatedEventsStats?.events.byCategory || {}).reduce(
+    (sum, val) => sum + val,
+    0
+  );
   const processName = (parentEvent && event.eventName(parentEvent)) || '*';
-  const processEntityId = parentEvent && event.entityId(parentEvent);
+  const processEntityId = (parentEvent && event.entityId(parentEvent)) || '';
   const totalCount = countForParent || 0;
   const eventsString = i18n.translate(
     'xpack.securitySolution.endpoint.resolver.panel.relatedEventDetail.events',
@@ -105,13 +115,23 @@ export const RelatedEventDetail = memo(function ({
   const relatedsReadyMap = useSelector(selectors.relatedEventsReady);
   const relatedsReady = relatedsReadyMap.get(processEntityId!);
   const dispatch = useResolverDispatch();
+  const nodesHref = useSelector((state: ResolverState) =>
+    selectors.relativeHref(state)({ panelView: 'nodes' })
+  );
+  const nodesLinkNavProps = useNavigateOrReplace({
+    search: nodesHref,
+  });
 
   /**
    * If we don't have the related events for the parent yet, use this effect
    * to request them.
    */
   useEffect(() => {
-    if (typeof relatedsReady === 'undefined') {
+    if (
+      typeof relatedsReady === 'undefined' &&
+      processEntityId !== null &&
+      processEntityId !== undefined
+    ) {
       dispatch({
         type: 'appDetectedMissingEventData',
         payload: processEntityId,
@@ -126,38 +146,51 @@ export const RelatedEventDetail = memo(function ({
     sections,
     formattedDate,
   ] = useSelector((state: ResolverState) =>
-    selectors.relatedEventDisplayInfoByEntityAndSelfId(state)(processEntityId, relatedEventId)
+    selectors.relatedEventDisplayInfoByEntityAndSelfId(state)(nodeID, eventID)
   );
 
-  const pushToQueryParams = useReplaceBreadcrumbParameters();
-
-  const waitCrumbs = useMemo(() => {
-    return [
-      {
-        text: eventsString,
-        onClick: () => {
-          pushToQueryParams({ crumbId: '', crumbEvent: '' });
-        },
-      },
-    ];
-  }, [pushToQueryParams, eventsString]);
-
   const { subject = '', descriptor = '' } = relatedEventToShowDetailsFor
     ? event.descriptiveName(relatedEventToShowDetailsFor)
     : {};
+
+  const nodeDetailHref = useSelector((state: ResolverState) =>
+    selectors.relativeHref(state)({
+      panelView: 'nodeDetail',
+      panelParameters: { nodeID: processEntityId },
+    })
+  );
+  const nodeDetailLinkNavProps = useNavigateOrReplace({
+    search: nodeDetailHref,
+  });
+
+  const nodeEventsHref = useSelector((state: ResolverState) =>
+    selectors.relativeHref(state)({
+      panelView: 'nodeEvents',
+      panelParameters: { nodeID: processEntityId },
+    })
+  );
+  const nodeEventsLinkNavProps = useNavigateOrReplace({
+    search: nodeEventsHref,
+  });
+
+  const nodeEventsOfTypeHref = useSelector((state: ResolverState) =>
+    selectors.relativeHref(state)({
+      panelView: 'nodeEventsOfType',
+      panelParameters: { nodeID: processEntityId, eventType: relatedEventCategory },
+    })
+  );
+  const nodeEventsOfTypeLinkNavProps = useNavigateOrReplace({
+    search: nodeEventsOfTypeHref,
+  });
   const crumbs = useMemo(() => {
     return [
       {
         text: eventsString,
-        onClick: () => {
-          pushToQueryParams({ crumbId: '', crumbEvent: '' });
-        },
+        ...nodesLinkNavProps,
       },
       {
         text: processName,
-        onClick: () => {
-          pushToQueryParams({ crumbId: processEntityId!, crumbEvent: '' });
-        },
+        ...nodeDetailLinkNavProps,
       },
       {
         text: (
@@ -169,9 +202,7 @@ export const RelatedEventDetail = memo(function ({
             />
           </>
         ),
-        onClick: () => {
-          pushToQueryParams({ crumbId: processEntityId!, crumbEvent: 'all' });
-        },
+        ...nodeEventsLinkNavProps,
       },
       {
         text: (
@@ -183,12 +214,7 @@ export const RelatedEventDetail = memo(function ({
             />
           </>
         ),
-        onClick: () => {
-          pushToQueryParams({
-            crumbId: processEntityId!,
-            crumbEvent: relatedEventCategory || 'all',
-          });
-        },
+        ...nodeEventsOfTypeLinkNavProps,
       },
       {
         text: relatedEventToShowDetailsFor ? (
@@ -205,9 +231,7 @@ export const RelatedEventDetail = memo(function ({
     ];
   }, [
     processName,
-    processEntityId,
     eventsString,
-    pushToQueryParams,
     totalCount,
     countBySameCategory,
     naString,
@@ -215,27 +239,14 @@ export const RelatedEventDetail = memo(function ({
     relatedEventToShowDetailsFor,
     subject,
     descriptor,
+    nodeEventsOfTypeLinkNavProps,
+    nodeEventsLinkNavProps,
+    nodeDetailLinkNavProps,
+    nodesLinkNavProps,
   ]);
 
-  /**
-   * If the ship hasn't come in yet, wait on the dock
-   */
   if (!relatedsReady) {
-    const waitingString = i18n.translate(
-      'xpack.securitySolution.endpoint.resolver.panel.relatedDetail.wait',
-      {
-        defaultMessage: 'Waiting For Events...',
-      }
-    );
-    return (
-      <>
-        <StyledBreadcrumbs breadcrumbs={waitCrumbs} />
-        <EuiSpacer size="l" />
-        <EuiTitle>
-          <h4>{waitingString}</h4>
-        </EuiTitle>
-      </>
-    );
+    return <PanelLoading />;
   }
 
   /**
@@ -252,7 +263,7 @@ export const RelatedEventDetail = memo(function ({
   }
 
   return (
-    <>
+    <StyledPanel>
       <StyledBreadcrumbs breadcrumbs={crumbs} />
       <EuiSpacer size="l" />
       <EuiText size="s">
@@ -310,6 +321,6 @@ export const RelatedEventDetail = memo(function ({
           </Fragment>
         );
       })}
-    </>
+    </StyledPanel>
   );
 });
diff --git a/x-pack/plugins/security_solution/public/resolver/view/panels/index.tsx b/x-pack/plugins/security_solution/public/resolver/view/panels/index.tsx
index 133dcd21e7f56..da5cb1acfed6d 100644
--- a/x-pack/plugins/security_solution/public/resolver/view/panels/index.tsx
+++ b/x-pack/plugins/security_solution/public/resolver/view/panels/index.tsx
@@ -4,216 +4,46 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React, { memo, useMemo, useContext, useLayoutEffect, useState } from 'react';
+/* eslint-disable react/display-name */
+
+import React, { memo } from 'react';
 import { useSelector } from 'react-redux';
-import { EuiPanel } from '@elastic/eui';
 import * as selectors from '../../store/selectors';
-import { useResolverDispatch } from '../use_resolver_dispatch';
-import * as event from '../../../../common/endpoint/models/event';
-import { ResolverEvent, ResolverNodeStats } from '../../../../common/endpoint/types';
-import { SideEffectContext } from '../side_effect_context';
-import { ProcessEventList } from './process_event_list';
-import { EventCountsForProcess } from './event_counts_for_process';
-import { ProcessDetails } from './process_details';
-import { ProcessListWithCounts } from './process_list_with_counts';
-import { RelatedEventDetail } from './related_event_detail';
-import { ResolverState } from '../../types';
+import { NodeEventsOfType } from './node_events_of_type';
+import { NodeEvents } from './node_events';
+import { NodeDetail } from './node_details';
+import { NodeList } from './node_list';
+import { EventDetail } from './event_detail';
+import { PanelViewAndParameters } from '../../types';
 
 /**
- * The team decided to use this table to determine which breadcrumbs/view to display:
- *
- * | Crumb/Table            | &crumbId                   | &crumbEvent              |
- * | :--------------------- | :------------------------- | :----------------------  |
- * | all processes/default  | null                       | null                     |
- * | process detail         | entity_id of process       | null                     |
- * | relateds count by type | entity_id of process       | 'all'                    |
- * | relateds list 1 type   | entity_id of process       | valid related event type |
- * | related event detail   | event_id of related event  | entity_id of process     |
  *
  * This component implements the strategy laid out above by determining the "right" view and doing some other housekeeping e.g. effects to keep the UI-selected node in line with what's indicated by the URL parameters.
  *
  * @returns {JSX.Element} The "right" table content to show based on the query params as described above
  */
-const PanelContent = memo(function PanelContent() {
-  const dispatch = useResolverDispatch();
-
-  const { timestamp } = useContext(SideEffectContext);
-
-  const queryParams = useSelector(selectors.breadcrumbParameters);
-
-  const graphableProcesses = useSelector(selectors.graphableProcesses);
-  const graphableProcessEntityIds = useMemo(() => {
-    return new Set(graphableProcesses.map(event.entityId));
-  }, [graphableProcesses]);
-  // The entity id in query params of a graphable process (or false if none is found)
-  // For 1 case (the related detail, see below), the process id will be in crumbEvent instead of crumbId
-  const idFromParams = useMemo(() => {
-    if (graphableProcessEntityIds.has(queryParams.crumbId)) {
-      return queryParams.crumbId;
-    }
-    if (graphableProcessEntityIds.has(queryParams.crumbEvent)) {
-      return queryParams.crumbEvent;
-    }
-    return '';
-  }, [queryParams, graphableProcessEntityIds]);
-
-  // The "selected" node (and its corresponding event) in the tree control.
-  // It may need to be synchronized with the ID indicated as selected via the `idFromParams`
-  // memo above. When this is the case, it is handled by the layout effect below.
-  const selectedNode = useSelector(selectors.selectedNode);
-  const uiSelectedEvent = useMemo(() => {
-    return graphableProcesses.find((evt) => event.entityId(evt) === selectedNode);
-  }, [graphableProcesses, selectedNode]);
-
-  // Until an event is dispatched during update, the event indicated as selected by params may
-  // be different than the one in state.
-  const paramsSelectedEvent = useMemo(() => {
-    return graphableProcesses.find((evt) => event.entityId(evt) === idFromParams);
-  }, [graphableProcesses, idFromParams]);
-
-  const [lastUpdatedProcess, setLastUpdatedProcess] = useState<null | ResolverEvent>(null);
-
-  /**
-   * When the ui-selected node is _not_ the one indicated by the query params, but the id from params _is_ in the current tree,
-   * dispatch a selection action to amend the UI state to hold the query id as "selected".
-   * This is to cover cases where users e.g. share links to reconstitute a Resolver state or
-   * an effect pushes a new process id to the query params.
-   */
-  useLayoutEffect(() => {
-    if (
-      paramsSelectedEvent &&
-      // Check state to ensure we don't dispatch this in a way that causes unnecessary re-renders, or disrupts animation:
-      paramsSelectedEvent !== lastUpdatedProcess &&
-      paramsSelectedEvent !== uiSelectedEvent
-    ) {
-      setLastUpdatedProcess(paramsSelectedEvent);
-      dispatch({
-        type: 'appDetectedNewIdFromQueryParams',
-        payload: {
-          time: timestamp(),
-          process: paramsSelectedEvent,
-        },
-      });
-    }
-  }, [dispatch, uiSelectedEvent, paramsSelectedEvent, lastUpdatedProcess, timestamp]);
-
-  const relatedEventStats = useSelector(selectors.relatedEventsStats);
-  const { crumbId, crumbEvent } = queryParams;
-  const relatedStatsForIdFromParams: ResolverNodeStats | undefined = idFromParams
-    ? relatedEventStats(idFromParams)
-    : undefined;
-
-  const parentCount = useSelector((state: ResolverState) => {
-    if (idFromParams === '') {
-      return 0;
-    }
-    return selectors.relatedEventAggregateTotalByEntityId(state)(idFromParams);
-  });
-  /**
-   * Determine which set of breadcrumbs to display based on the query parameters
-   * for the table & breadcrumb nav.
-   *
-   */
-  const panelToShow = useMemo(() => {
-    if (crumbEvent === '' && crumbId === '') {
-      /**
-       * | Crumb/Table            | &crumbId                   | &crumbEvent              |
-       * | :--------------------- | :------------------------- | :----------------------  |
-       * | all processes/default  | null                       | null                     |
-       */
-      return 'processListWithCounts';
-    }
-
-    if (graphableProcessEntityIds.has(crumbId)) {
-      /**
-       * | Crumb/Table            | &crumbId                   | &crumbEvent              |
-       * | :--------------------- | :------------------------- | :----------------------  |
-       * | process detail         | entity_id of process       | null                     |
-       */
-      if (crumbEvent === '' && uiSelectedEvent) {
-        return 'processDetails';
-      }
-
-      /**
-       * | Crumb/Table            | &crumbId                   | &crumbEvent              |
-       * | :--------------------- | :------------------------- | :----------------------  |
-       * | relateds count by type | entity_id of process       | 'all'                    |
-       */
-
-      if (crumbEvent === 'all' && uiSelectedEvent) {
-        return 'eventCountsForProcess';
-      }
-
-      /**
-       * | Crumb/Table            | &crumbId                   | &crumbEvent              |
-       * | :--------------------- | :------------------------- | :----------------------  |
-       * | relateds list 1 type   | entity_id of process       | valid related event type |
-       */
-
-      if (crumbEvent && crumbEvent.length && uiSelectedEvent) {
-        return 'processEventList';
-      }
-    }
-
-    if (graphableProcessEntityIds.has(crumbEvent)) {
-      /**
-       * | Crumb/Table            | &crumbId                   | &crumbEvent              |
-       * | :--------------------- | :------------------------- | :----------------------  |
-       * | related event detail   | event_id of related event  | entity_id of process     |
-       */
-      return 'relatedEventDetail';
-    }
-
-    // The default 'Event List' / 'List of all processes' view
-    return 'processListWithCounts';
-  }, [uiSelectedEvent, crumbEvent, crumbId, graphableProcessEntityIds]);
-
-  const panelInstance = useMemo(() => {
-    if (panelToShow === 'processDetails') {
-      return <ProcessDetails processEvent={uiSelectedEvent!} />;
-    }
-
-    if (panelToShow === 'eventCountsForProcess') {
-      return (
-        <EventCountsForProcess
-          processEvent={uiSelectedEvent!}
-          relatedStats={relatedStatsForIdFromParams!}
-        />
-      );
-    }
-
-    if (panelToShow === 'processEventList') {
-      return (
-        <ProcessEventList
-          processEvent={uiSelectedEvent!}
-          relatedStats={relatedStatsForIdFromParams!}
-          eventType={crumbEvent}
-        />
-      );
-    }
-
-    if (panelToShow === 'relatedEventDetail') {
-      return (
-        <RelatedEventDetail
-          relatedEventId={crumbId}
-          parentEvent={uiSelectedEvent!}
-          countForParent={parentCount}
-        />
-      );
-    }
-    // The default 'Event List' / 'List of all processes' view
-    return <ProcessListWithCounts />;
-  }, [uiSelectedEvent, crumbEvent, crumbId, relatedStatsForIdFromParams, panelToShow, parentCount]);
-
-  return <>{panelInstance}</>;
-});
-PanelContent.displayName = 'PanelContent';
-
-export const Panel = memo(function Event({ className }: { className?: string }) {
-  return (
-    <EuiPanel className={className}>
-      <PanelContent />
-    </EuiPanel>
-  );
+export const PanelRouter = memo(function () {
+  const params: PanelViewAndParameters = useSelector(selectors.panelViewAndParameters);
+  if (params.panelView === 'nodeDetail') {
+    return <NodeDetail nodeID={params.panelParameters.nodeID} />;
+  } else if (params.panelView === 'nodeEvents') {
+    return <NodeEvents nodeID={params.panelParameters.nodeID} />;
+  } else if (params.panelView === 'nodeEventsOfType') {
+    return (
+      <NodeEventsOfType
+        nodeID={params.panelParameters.nodeID}
+        eventType={params.panelParameters.eventType}
+      />
+    );
+  } else if (params.panelView === 'eventDetail') {
+    return (
+      <EventDetail
+        nodeID={params.panelParameters.nodeID}
+        eventID={params.panelParameters.eventID}
+      />
+    );
+  } else {
+    /* The default 'Event List' / 'List of all processes' view */
+    return <NodeList />;
+  }
 });
-Panel.displayName = 'Panel';
diff --git a/x-pack/plugins/security_solution/public/resolver/view/panels/process_details.tsx b/x-pack/plugins/security_solution/public/resolver/view/panels/node_details.tsx
similarity index 78%
rename from x-pack/plugins/security_solution/public/resolver/view/panels/process_details.tsx
rename to x-pack/plugins/security_solution/public/resolver/view/panels/node_details.tsx
index 4fcc557742643..cf7b646c6c50e 100644
--- a/x-pack/plugins/security_solution/public/resolver/view/panels/process_details.tsx
+++ b/x-pack/plugins/security_solution/public/resolver/view/panels/node_details.tsx
@@ -3,21 +3,16 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
+
+/* eslint-disable react/display-name */
+
 import React, { memo, useMemo, HTMLAttributes } from 'react';
 import { useSelector } from 'react-redux';
 import { i18n } from '@kbn/i18n';
-import {
-  htmlIdGenerator,
-  EuiSpacer,
-  EuiTitle,
-  EuiText,
-  EuiTextColor,
-  EuiDescriptionList,
-  EuiLink,
-} from '@elastic/eui';
-import styled from 'styled-components';
+import { htmlIdGenerator, EuiSpacer, EuiTitle, EuiText, EuiTextColor, EuiLink } from '@elastic/eui';
 import { FormattedMessage } from 'react-intl';
 import { EuiDescriptionListProps } from '@elastic/eui/src/components/description_list/description_list';
+import { StyledDescriptionList, StyledTitle } from './styles';
 import * as selectors from '../../store/selectors';
 import * as event from '../../../../common/endpoint/models/event';
 import { formatDate, StyledBreadcrumbs, GeneratedText } from './panel_content_utilities';
@@ -33,23 +28,26 @@ import { CubeForProcess } from './cube_for_process';
 import { ResolverEvent } from '../../../../common/endpoint/types';
 import { useResolverTheme } from '../assets';
 import { ResolverState } from '../../types';
-import { useReplaceBreadcrumbParameters } from '../use_replace_breadcrumb_parameters';
-
-const StyledDescriptionList = styled(EuiDescriptionList)`
-  &.euiDescriptionList.euiDescriptionList--column dt.euiDescriptionList__title.desc-title {
-    max-width: 10em;
-  }
-`;
+import { PanelLoading } from './panel_loading';
+import { StyledPanel } from '../styles';
+import { useNavigateOrReplace } from '../use_navigate_or_replace';
 
-const StyledTitle = styled('h4')`
-  overflow-wrap: break-word;
-`;
+export const NodeDetail = memo(function ({ nodeID }: { nodeID: string }) {
+  const processEvent = useSelector((state: ResolverState) =>
+    selectors.processEventForID(state)(nodeID)
+  );
+  return (
+    <StyledPanel>
+      {processEvent === null ? <PanelLoading /> : <NodeDetailView processEvent={processEvent} />}
+    </StyledPanel>
+  );
+});
 
 /**
  * A description list view of all the Metadata that goes with a particular process event, like:
  * Created, PID, User/Domain, etc.
  */
-export const ProcessDetails = memo(function ProcessDetails({
+const NodeDetailView = memo(function NodeDetailView({
   processEvent,
 }: {
   processEvent: ResolverEvent;
@@ -130,7 +128,13 @@ export const ProcessDetails = memo(function ProcessDetails({
     return processDescriptionListData;
   }, [processEvent]);
 
-  const pushToQueryParams = useReplaceBreadcrumbParameters();
+  const nodesHref = useSelector((state: ResolverState) =>
+    selectors.relativeHref(state)({ panelView: 'nodes' })
+  );
+
+  const nodesLinkNavProps = useNavigateOrReplace({
+    search: nodesHref,
+  });
 
   const crumbs = useMemo(() => {
     return [
@@ -142,24 +146,20 @@ export const ProcessDetails = memo(function ProcessDetails({
           }
         ),
         'data-test-subj': 'resolver:node-detail:breadcrumbs:node-list-link',
-        onClick: () => {
-          pushToQueryParams({ crumbId: '', crumbEvent: '' });
-        },
+        ...nodesLinkNavProps,
       },
       {
         text: (
-          <>
-            <FormattedMessage
-              id="xpack.securitySolution.endpoint.resolver.panel.relatedEventDetail.detailsForProcessName"
-              values={{ processName }}
-              defaultMessage="Details for: {processName}"
-            />
-          </>
+          <FormattedMessage
+            id="xpack.securitySolution.endpoint.resolver.panel.relatedEventDetail.detailsForProcessName"
+            values={{ processName }}
+            defaultMessage="Details for: {processName}"
+          />
         ),
         onClick: () => {},
       },
     ];
-  }, [processName, pushToQueryParams]);
+  }, [processName, nodesLinkNavProps]);
   const { cubeAssetsForNode } = useResolverTheme();
   const { descriptionText } = useMemo(() => {
     if (!processEvent) {
@@ -168,11 +168,16 @@ export const ProcessDetails = memo(function ProcessDetails({
     return cubeAssetsForNode(isProcessTerminated, false);
   }, [processEvent, cubeAssetsForNode, isProcessTerminated]);
 
-  const handleEventsLinkClick = useMemo(() => {
-    return () => {
-      pushToQueryParams({ crumbId: entityId, crumbEvent: 'all' });
-    };
-  }, [entityId, pushToQueryParams]);
+  const nodeDetailHref = useSelector((state: ResolverState) =>
+    selectors.relativeHref(state)({
+      panelView: 'nodeEvents',
+      panelParameters: { nodeID: entityId },
+    })
+  );
+
+  const nodeDetailNavProps = useNavigateOrReplace({
+    search: nodeDetailHref!,
+  });
 
   const titleID = useMemo(() => htmlIdGenerator('resolverTable')(), []);
   return (
@@ -196,7 +201,7 @@ export const ProcessDetails = memo(function ProcessDetails({
         </EuiTextColor>
       </EuiText>
       <EuiSpacer size="s" />
-      <EuiLink onClick={handleEventsLinkClick}>
+      <EuiLink {...nodeDetailNavProps}>
         <FormattedMessage
           id="xpack.securitySolution.endpoint.resolver.panel.processDescList.numberOfEvents"
           values={{ relatedEventTotal }}
diff --git a/x-pack/plugins/security_solution/public/resolver/view/panels/event_counts_for_process.tsx b/x-pack/plugins/security_solution/public/resolver/view/panels/node_events.tsx
similarity index 57%
rename from x-pack/plugins/security_solution/public/resolver/view/panels/event_counts_for_process.tsx
rename to x-pack/plugins/security_solution/public/resolver/view/panels/node_events.tsx
index f81dc174d8128..7607eafd7b31c 100644
--- a/x-pack/plugins/security_solution/public/resolver/view/panels/event_counts_for_process.tsx
+++ b/x-pack/plugins/security_solution/public/resolver/view/panels/node_events.tsx
@@ -8,11 +8,33 @@ import React, { memo, useMemo } from 'react';
 import { i18n } from '@kbn/i18n';
 import { EuiBasicTableColumn, EuiButtonEmpty, EuiSpacer, EuiInMemoryTable } from '@elastic/eui';
 import { FormattedMessage } from 'react-intl';
+import { useSelector } from 'react-redux';
 import { StyledBreadcrumbs } from './panel_content_utilities';
-
 import * as event from '../../../../common/endpoint/models/event';
 import { ResolverEvent, ResolverNodeStats } from '../../../../common/endpoint/types';
-import { useReplaceBreadcrumbParameters } from '../use_replace_breadcrumb_parameters';
+import * as selectors from '../../store/selectors';
+import { ResolverState } from '../../types';
+import { StyledPanel } from '../styles';
+import { useNavigateOrReplace } from '../use_navigate_or_replace';
+import { PanelLoading } from './panel_loading';
+
+export function NodeEvents({ nodeID }: { nodeID: string }) {
+  const processEvent = useSelector((state: ResolverState) =>
+    selectors.processEventForID(state)(nodeID)
+  );
+  const relatedEventsStats = useSelector((state: ResolverState) =>
+    selectors.relatedEventsStats(state)(nodeID)
+  );
+  if (processEvent === null || relatedEventsStats === undefined) {
+    return <PanelLoading />;
+  } else {
+    return (
+      <StyledPanel>
+        <EventCountsForProcess processEvent={processEvent} relatedStats={relatedEventsStats} />
+      </StyledPanel>
+    );
+  }
+}
 
 /**
  * This view gives counts for all the related events of a process grouped by related event type.
@@ -25,7 +47,7 @@ import { useReplaceBreadcrumbParameters } from '../use_replace_breadcrumb_parame
  * | 2                      | Network                    |
  *
  */
-export const EventCountsForProcess = memo(function EventCountsForProcess({
+const EventCountsForProcess = memo(function EventCountsForProcess({
   processEvent,
   relatedStats,
 }: {
@@ -60,37 +82,64 @@ export const EventCountsForProcess = memo(function EventCountsForProcess({
       defaultMessage: 'Events',
     }
   );
-  const pushToQueryParams = useReplaceBreadcrumbParameters();
+  const eventsHref = useSelector((state: ResolverState) =>
+    selectors.relativeHref(state)({ panelView: 'nodes' })
+  );
+
+  const eventLinkNavProps = useNavigateOrReplace({
+    search: eventsHref,
+  });
+
+  const processDetailHref = useSelector((state: ResolverState) =>
+    selectors.relativeHref(state)({
+      panelView: 'nodeDetail',
+      panelParameters: { nodeID: processEntityId },
+    })
+  );
+
+  const processDetailNavProps = useNavigateOrReplace({
+    search: processDetailHref,
+  });
+
+  const nodeDetailHref = useSelector((state: ResolverState) =>
+    selectors.relativeHref(state)({
+      panelView: 'nodeEvents',
+      panelParameters: { nodeID: processEntityId },
+    })
+  );
+
+  const nodeDetailNavProps = useNavigateOrReplace({
+    search: nodeDetailHref!,
+  });
   const crumbs = useMemo(() => {
     return [
       {
         text: eventsString,
-        onClick: () => {
-          pushToQueryParams({ crumbId: '', crumbEvent: '' });
-        },
+        ...eventLinkNavProps,
       },
       {
         text: processName,
-        onClick: () => {
-          pushToQueryParams({ crumbId: processEntityId, crumbEvent: '' });
-        },
+        ...processDetailNavProps,
       },
       {
         text: (
-          <>
-            <FormattedMessage
-              id="xpack.securitySolution.endpoint.resolver.panel.relatedCounts.numberOfEventsInCrumb"
-              values={{ totalCount }}
-              defaultMessage="{totalCount} Events"
-            />
-          </>
+          <FormattedMessage
+            id="xpack.securitySolution.endpoint.resolver.panel.relatedCounts.numberOfEventsInCrumb"
+            values={{ totalCount }}
+            defaultMessage="{totalCount} Events"
+          />
         ),
-        onClick: () => {
-          pushToQueryParams({ crumbId: processEntityId, crumbEvent: '' });
-        },
+        ...nodeDetailNavProps,
       },
     ];
-  }, [processName, totalCount, processEntityId, pushToQueryParams, eventsString]);
+  }, [
+    processName,
+    totalCount,
+    eventsString,
+    eventLinkNavProps,
+    nodeDetailNavProps,
+    processDetailNavProps,
+  ]);
   const rows = useMemo(() => {
     return Object.entries(relatedEventsState.stats).map(
       ([eventType, count]): EventCountsTableView => {
@@ -101,6 +150,17 @@ export const EventCountsForProcess = memo(function EventCountsForProcess({
       }
     );
   }, [relatedEventsState]);
+
+  const eventDetailHref = useSelector((state: ResolverState) =>
+    selectors.relativeHref(state)({
+      panelView: 'eventDetail',
+      panelParameters: { nodeID: processEntityId, eventType: name, eventID: processEntityId },
+    })
+  );
+
+  const eventDetailNavProps = useNavigateOrReplace({
+    search: eventDetailHref,
+  });
   const columns = useMemo<Array<EuiBasicTableColumn<EventCountsTableView>>>(
     () => [
       {
@@ -119,19 +179,11 @@ export const EventCountsForProcess = memo(function EventCountsForProcess({
         width: '80%',
         sortable: true,
         render(name: string) {
-          return (
-            <EuiButtonEmpty
-              onClick={() => {
-                pushToQueryParams({ crumbId: event.entityId(processEvent), crumbEvent: name });
-              }}
-            >
-              {name}
-            </EuiButtonEmpty>
-          );
+          return <EuiButtonEmpty {...eventDetailNavProps}>{name}</EuiButtonEmpty>;
         },
       },
     ],
-    [pushToQueryParams, processEvent]
+    [eventDetailNavProps]
   );
   return (
     <>
diff --git a/x-pack/plugins/security_solution/public/resolver/view/panels/process_event_list.tsx b/x-pack/plugins/security_solution/public/resolver/view/panels/node_events_of_type.tsx
similarity index 64%
rename from x-pack/plugins/security_solution/public/resolver/view/panels/process_event_list.tsx
rename to x-pack/plugins/security_solution/public/resolver/view/panels/node_events_of_type.tsx
index 5fe33530f05dc..afff8d4b75c15 100644
--- a/x-pack/plugins/security_solution/public/resolver/view/panels/process_event_list.tsx
+++ b/x-pack/plugins/security_solution/public/resolver/view/panels/node_events_of_type.tsx
@@ -4,19 +4,25 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+/* eslint-disable react/display-name */
+
 import React, { memo, useMemo, useEffect, Fragment } from 'react';
 import { i18n } from '@kbn/i18n';
-import { EuiTitle, EuiSpacer, EuiText, EuiButtonEmpty, EuiHorizontalRule } from '@elastic/eui';
+import { EuiSpacer, EuiText, EuiButtonEmpty, EuiHorizontalRule } from '@elastic/eui';
 import { useSelector } from 'react-redux';
 import { FormattedMessage } from 'react-intl';
 import styled from 'styled-components';
+import { StyledPanel } from '../styles';
 import { formatDate, StyledBreadcrumbs, BoldCode, StyledTime } from './panel_content_utilities';
 import * as event from '../../../../common/endpoint/models/event';
 import { ResolverEvent, ResolverNodeStats } from '../../../../common/endpoint/types';
 import * as selectors from '../../store/selectors';
 import { useResolverDispatch } from '../use_resolver_dispatch';
 import { RelatedEventLimitWarning } from '../limit_warnings';
-import { useReplaceBreadcrumbParameters } from '../use_replace_breadcrumb_parameters';
+import { ResolverState } from '../../types';
+import { useNavigateOrReplace } from '../use_navigate_or_replace';
+import { useRelatedEventDetailNavigation } from '../use_related_event_detail_navigation';
+import { PanelLoading } from './panel_loading';
 
 /**
  * This view presents a list of related events of a given type for a given process.
@@ -56,13 +62,17 @@ const StyledRelatedLimitWarning = styled(RelatedEventLimitWarning)`
   }
 `;
 
-const DisplayList = memo(function DisplayList({
+const NodeCategoryEntries = memo(function ({
   crumbs,
   matchingEventEntries,
   eventType,
   processEntityId,
 }: {
-  crumbs: Array<{ text: string | JSX.Element; onClick: () => void }>;
+  crumbs: Array<{
+    text: string | JSX.Element | null;
+    onClick: (event: React.MouseEvent<HTMLAnchorElement | HTMLButtonElement, MouseEvent>) => void;
+    href?: string;
+  }>;
   matchingEventEntries: MatchingEventEntry[];
   eventType: string;
   processEntityId: string;
@@ -125,36 +135,55 @@ const DisplayList = memo(function DisplayList({
   );
 });
 
-export const ProcessEventList = memo(function ProcessEventList({
+export function NodeEventsOfType({ nodeID, eventType }: { nodeID: string; eventType: string }) {
+  const processEvent = useSelector((state: ResolverState) =>
+    selectors.processEventForID(state)(nodeID)
+  );
+  const relatedEventsStats = useSelector((state: ResolverState) =>
+    selectors.relatedEventsStats(state)(nodeID)
+  );
+
+  return (
+    <StyledPanel>
+      <NodeEventList
+        processEvent={processEvent}
+        eventType={eventType}
+        relatedStats={relatedEventsStats}
+      />
+    </StyledPanel>
+  );
+}
+
+const NodeEventList = memo(function ({
   processEvent,
   eventType,
   relatedStats,
 }: {
-  processEvent: ResolverEvent;
+  processEvent: ResolverEvent | null;
   eventType: string;
-  relatedStats: ResolverNodeStats;
+  relatedStats: ResolverNodeStats | undefined;
 }) {
   const processName = processEvent && event.eventName(processEvent);
-  const processEntityId = event.entityId(processEvent);
-  const totalCount = Object.values(relatedStats.events.byCategory).reduce(
-    (sum, val) => sum + val,
-    0
+  const processEntityId = processEvent ? event.entityId(processEvent) : '';
+  const nodesHref = useSelector((state: ResolverState) =>
+    selectors.relativeHref(state)({ panelView: 'nodes' })
   );
+
+  const nodesLinkNavProps = useNavigateOrReplace({
+    search: nodesHref,
+  });
+  const totalCount = relatedStats
+    ? Object.values(relatedStats.events.byCategory).reduce((sum, val) => sum + val, 0)
+    : 0;
   const eventsString = i18n.translate(
     'xpack.securitySolution.endpoint.resolver.panel.processEventListByType.events',
     {
       defaultMessage: 'Events',
     }
   );
-  const waitingString = i18n.translate(
-    'xpack.securitySolution.endpoint.resolver.panel.processEventListByType.wait',
-    {
-      defaultMessage: 'Waiting For Events...',
-    }
-  );
 
   const relatedsReadyMap = useSelector(selectors.relatedEventsReady);
-  const relatedsReady = relatedsReadyMap.get(processEntityId);
+  const relatedsReady = processEntityId && relatedsReadyMap.get(processEntityId);
 
   const dispatch = useResolverDispatch();
 
@@ -167,83 +196,80 @@ export const ProcessEventList = memo(function ProcessEventList({
     }
   }, [relatedsReady, dispatch, processEntityId]);
 
-  const pushToQueryParams = useReplaceBreadcrumbParameters();
-
-  const waitCrumbs = useMemo(() => {
-    return [
-      {
-        text: eventsString,
-        onClick: () => {
-          pushToQueryParams({ crumbId: '', crumbEvent: '' });
-        },
-      },
-    ];
-  }, [pushToQueryParams, eventsString]);
-
   const relatedByCategory = useSelector(selectors.relatedEventsByCategory);
+  const eventsForCurrentCategory = relatedByCategory(processEntityId)(eventType);
+  const relatedEventDetailNavigation = useRelatedEventDetailNavigation({
+    nodeID: processEntityId,
+    category: eventType,
+    events: eventsForCurrentCategory,
+  });
 
   /**
    * A list entry will be displayed for each of these
    */
   const matchingEventEntries: MatchingEventEntry[] = useMemo(() => {
-    const relateds = relatedByCategory(processEntityId)(eventType).map((resolverEvent) => {
+    return eventsForCurrentCategory.map((resolverEvent) => {
       const eventTime = event.eventTimestamp(resolverEvent);
       const formattedDate = typeof eventTime === 'undefined' ? '' : formatDate(eventTime);
       const entityId = event.eventId(resolverEvent);
-
       return {
         formattedDate,
         eventCategory: `${eventType}`,
         eventType: `${event.ecsEventType(resolverEvent)}`,
         name: event.descriptiveName(resolverEvent),
-        setQueryParams: () => {
-          pushToQueryParams({
-            crumbId: entityId === undefined ? '' : String(entityId),
-            crumbEvent: processEntityId,
-          });
-        },
+        setQueryParams: () => relatedEventDetailNavigation(entityId),
       };
     });
-    return relateds;
-  }, [relatedByCategory, eventType, processEntityId, pushToQueryParams]);
+  }, [eventType, eventsForCurrentCategory, relatedEventDetailNavigation]);
+
+  const nodeDetailHref = useSelector((state: ResolverState) =>
+    selectors.relativeHref(state)({
+      panelView: 'nodeDetail',
+      panelParameters: { nodeID: processEntityId },
+    })
+  );
 
+  const nodeDetailNavProps = useNavigateOrReplace({
+    search: nodeDetailHref,
+  });
+
+  const nodeEventsHref = useSelector((state: ResolverState) =>
+    selectors.relativeHref(state)({
+      panelView: 'nodeEvents',
+      panelParameters: { nodeID: processEntityId },
+    })
+  );
+
+  const nodeEventsNavProps = useNavigateOrReplace({
+    search: nodeEventsHref,
+  });
   const crumbs = useMemo(() => {
     return [
       {
         text: eventsString,
-        onClick: () => {
-          pushToQueryParams({ crumbId: '', crumbEvent: '' });
-        },
+        ...nodesLinkNavProps,
       },
       {
         text: processName,
-        onClick: () => {
-          pushToQueryParams({ crumbId: processEntityId, crumbEvent: '' });
-        },
+        ...nodeDetailNavProps,
       },
       {
         text: (
-          <>
-            <FormattedMessage
-              id="xpack.securitySolution.endpoint.resolver.panel.relatedEventList.numberOfEvents"
-              values={{ totalCount }}
-              defaultMessage="{totalCount} Events"
-            />
-          </>
+          <FormattedMessage
+            id="xpack.securitySolution.endpoint.resolver.panel.relatedEventList.numberOfEvents"
+            values={{ totalCount }}
+            defaultMessage="{totalCount} Events"
+          />
         ),
-        onClick: () => {
-          pushToQueryParams({ crumbId: processEntityId, crumbEvent: 'all' });
-        },
+        ...nodeEventsNavProps,
       },
       {
         text: (
-          <>
-            <FormattedMessage
-              id="xpack.securitySolution.endpoint.resolver.panel.relatedEventList.countByCategory"
-              values={{ count: matchingEventEntries.length, category: eventType }}
-              defaultMessage="{count} {category}"
-            />
-          </>
+          <FormattedMessage
+            id="xpack.securitySolution.endpoint.resolver.panel.relatedEventList.countByCategory"
+            values={{ count: matchingEventEntries.length, category: eventType }}
+            defaultMessage="{count} {category}"
+          />
         ),
         onClick: () => {},
       },
@@ -252,29 +278,19 @@ export const ProcessEventList = memo(function ProcessEventList({
     eventType,
     eventsString,
     matchingEventEntries.length,
-    processEntityId,
     processName,
-    pushToQueryParams,
     totalCount,
+    nodeDetailNavProps,
+    nodesLinkNavProps,
+    nodeEventsNavProps,
   ]);
 
-  /**
-   * Wait here until the effect resolves...
-   */
   if (!relatedsReady) {
-    return (
-      <>
-        <StyledBreadcrumbs breadcrumbs={waitCrumbs} />
-        <EuiSpacer size="l" />
-        <EuiTitle>
-          <h4>{waitingString}</h4>
-        </EuiTitle>
-      </>
-    );
+    return <PanelLoading />;
   }
 
   return (
-    <DisplayList
+    <NodeCategoryEntries
       crumbs={crumbs}
       processEntityId={processEntityId}
       matchingEventEntries={matchingEventEntries}
@@ -282,4 +298,3 @@ export const ProcessEventList = memo(function ProcessEventList({
     />
   );
 });
-ProcessEventList.displayName = 'ProcessEventList';
diff --git a/x-pack/plugins/security_solution/public/resolver/view/panels/process_list_with_counts.tsx b/x-pack/plugins/security_solution/public/resolver/view/panels/node_list.tsx
similarity index 61%
rename from x-pack/plugins/security_solution/public/resolver/view/panels/process_list_with_counts.tsx
rename to x-pack/plugins/security_solution/public/resolver/view/panels/node_list.tsx
index 6035255824b1c..aaa81a6f747e2 100644
--- a/x-pack/plugins/security_solution/public/resolver/view/panels/process_list_with_counts.tsx
+++ b/x-pack/plugins/security_solution/public/resolver/view/panels/node_list.tsx
@@ -6,7 +6,7 @@
 
 /* eslint-disable react/display-name */
 
-import React, { memo, useContext, useCallback, useMemo } from 'react';
+import React, { memo, useMemo } from 'react';
 import {
   EuiBasicTableColumn,
   EuiBadge,
@@ -17,15 +17,15 @@ import {
 import { i18n } from '@kbn/i18n';
 import { useSelector } from 'react-redux';
 import styled from 'styled-components';
+import { StyledPanel } from '../styles';
 import * as event from '../../../../common/endpoint/models/event';
 import * as selectors from '../../store/selectors';
 import { formatter, StyledBreadcrumbs } from './panel_content_utilities';
-import { useResolverDispatch } from '../use_resolver_dispatch';
-import { SideEffectContext } from '../side_effect_context';
 import { CubeForProcess } from './cube_for_process';
 import { SafeResolverEvent } from '../../../../common/endpoint/types';
 import { LimitWarning } from '../limit_warnings';
-import { useReplaceBreadcrumbParameters } from '../use_replace_breadcrumb_parameters';
+import { ResolverState } from '../../types';
+import { useNavigateOrReplace } from '../use_navigate_or_replace';
 
 const StyledLimitWarning = styled(LimitWarning)`
   flex-flow: row wrap;
@@ -46,35 +46,17 @@ const StyledLimitWarning = styled(LimitWarning)`
     display: inline;
   }
 `;
+interface ProcessTableView {
+  name?: string;
+  timestamp?: Date;
+  event: SafeResolverEvent;
+  href: string | undefined;
+}
 
 /**
  * The "default" view for the panel: A list of all the processes currently in the graph.
  */
-export const ProcessListWithCounts = memo(() => {
-  interface ProcessTableView {
-    name?: string;
-    timestamp?: Date;
-    event: SafeResolverEvent;
-  }
-
-  const dispatch = useResolverDispatch();
-  const { timestamp } = useContext(SideEffectContext);
-  const isProcessTerminated = useSelector(selectors.isProcessTerminated);
-  const pushToQueryParams = useReplaceBreadcrumbParameters();
-  const handleBringIntoViewClick = useCallback(
-    (processTableViewItem) => {
-      dispatch({
-        type: 'userBroughtProcessIntoView',
-        payload: {
-          time: timestamp(),
-          process: processTableViewItem.event,
-        },
-      });
-      pushToQueryParams({ crumbId: event.entityId(processTableViewItem.event), crumbEvent: '' });
-    },
-    [dispatch, timestamp, pushToQueryParams]
-  );
-
+export const NodeList = memo(() => {
   const columns = useMemo<Array<EuiBasicTableColumn<ProcessTableView>>>(
     () => [
       {
@@ -88,35 +70,7 @@ export const ProcessListWithCounts = memo(() => {
         sortable: true,
         truncateText: true,
         render(name: string, item: ProcessTableView) {
-          const entityID = event.entityIDSafeVersion(item.event);
-          const isTerminated = entityID === undefined ? false : isProcessTerminated(entityID);
-          return name === '' ? (
-            <EuiBadge color="warning">
-              {i18n.translate(
-                'xpack.securitySolution.endpoint.resolver.panel.table.row.valueMissingDescription',
-                {
-                  defaultMessage: 'Value is missing',
-                }
-              )}
-            </EuiBadge>
-          ) : (
-            <EuiButtonEmpty
-              onClick={() => {
-                handleBringIntoViewClick(item);
-                pushToQueryParams({
-                  // Take the user back to the list of nodes if this node has no ID
-                  crumbId: event.entityIDSafeVersion(item.event) ?? '',
-                  crumbEvent: '',
-                });
-              }}
-            >
-              <CubeForProcess
-                running={!isTerminated}
-                data-test-subj="resolver:node-list:node-link:icon"
-              />
-              <span data-test-subj="resolver:node-list:node-link:title">{name}</span>
-            </EuiButtonEmpty>
-          );
+          return <NodeDetailLink name={name} item={item} />;
         },
       },
       {
@@ -145,10 +99,32 @@ export const ProcessListWithCounts = memo(() => {
         },
       },
     ],
-    [pushToQueryParams, handleBringIntoViewClick, isProcessTerminated]
+    []
   );
 
   const { processNodePositions } = useSelector(selectors.layout);
+  const nodeHrefs: Map<SafeResolverEvent, string | null | undefined> = useSelector(
+    (state: ResolverState) => {
+      const relativeHref = selectors.relativeHref(state);
+      return new Map(
+        [...processNodePositions.keys()].map((processEvent) => {
+          const nodeID = event.entityIDSafeVersion(processEvent);
+          if (nodeID === undefined) {
+            return [processEvent, null];
+          }
+          return [
+            processEvent,
+            relativeHref({
+              panelView: 'nodeDetail',
+              panelParameters: {
+                nodeID,
+              },
+            }),
+          ];
+        })
+      );
+    }
+  );
   const processTableView: ProcessTableView[] = useMemo(
     () =>
       [...processNodePositions.keys()].map((processEvent) => {
@@ -157,9 +133,10 @@ export const ProcessListWithCounts = memo(() => {
           name,
           timestamp: event.timestampAsDateSafeVersion(processEvent),
           event: processEvent,
+          href: nodeHrefs.get(processEvent) ?? undefined,
         };
       }),
-    [processNodePositions]
+    [processNodePositions, nodeHrefs]
   );
   const numberOfProcesses = processTableView.length;
 
@@ -179,7 +156,7 @@ export const ProcessListWithCounts = memo(() => {
   const showWarning = children === true || ancestors === true;
   const rowProps = useMemo(() => ({ 'data-test-subj': 'resolver:node-list:item' }), []);
   return (
-    <>
+    <StyledPanel>
       <StyledBreadcrumbs breadcrumbs={crumbs} />
       {showWarning && <StyledLimitWarning numberDisplayed={numberOfProcesses} />}
       <EuiSpacer size="l" />
@@ -190,6 +167,35 @@ export const ProcessListWithCounts = memo(() => {
         columns={columns}
         sorting
       />
-    </>
+    </StyledPanel>
   );
 });
+
+function NodeDetailLink({ name, item }: { name: string; item: ProcessTableView }) {
+  const entityID = event.entityIDSafeVersion(item.event);
+  const isTerminated = useSelector((state: ResolverState) =>
+    entityID === undefined ? false : selectors.isProcessTerminated(state)(entityID)
+  );
+  return (
+    <EuiButtonEmpty {...useNavigateOrReplace({ search: item.href })}>
+      {name === '' ? (
+        <EuiBadge color="warning">
+          {i18n.translate(
+            'xpack.securitySolution.endpoint.resolver.panel.table.row.valueMissingDescription',
+            {
+              defaultMessage: 'Value is missing',
+            }
+          )}
+        </EuiBadge>
+      ) : (
+        <>
+          <CubeForProcess
+            running={!isTerminated}
+            data-test-subj="resolver:node-list:node-link:icon"
+          />
+          <span data-test-subj="resolver:node-list:node-link:title">{name}</span>
+        </>
+      )}
+    </EuiButtonEmpty>
+  );
+}
diff --git a/x-pack/plugins/security_solution/public/resolver/view/panels/panel_content_error.tsx b/x-pack/plugins/security_solution/public/resolver/view/panels/panel_content_error.tsx
index 4162412861f57..3b10a8db2bf12 100644
--- a/x-pack/plugins/security_solution/public/resolver/view/panels/panel_content_error.tsx
+++ b/x-pack/plugins/security_solution/public/resolver/view/panels/panel_content_error.tsx
@@ -7,8 +7,11 @@
 import { i18n } from '@kbn/i18n';
 import { EuiSpacer, EuiText, EuiButtonEmpty } from '@elastic/eui';
 import React, { memo, useMemo } from 'react';
+import { useSelector } from 'react-redux';
+import { useNavigateOrReplace } from '../use_navigate_or_replace';
+import * as selectors from '../../store/selectors';
+import { ResolverState } from '../../types';
 import { StyledBreadcrumbs } from './panel_content_utilities';
-import { useReplaceBreadcrumbParameters } from '../use_replace_breadcrumb_parameters';
 
 /**
  * Display an error in the panel when something goes wrong and give the user a way to "retreat" back to a default state.
@@ -21,16 +24,19 @@ export const PanelContentError = memo(function ({
 }: {
   translatedErrorMessage: string;
 }) {
-  const pushToQueryParams = useReplaceBreadcrumbParameters();
+  const nodesHref = useSelector((state: ResolverState) =>
+    selectors.relativeHref(state)({ panelView: 'nodes' })
+  );
+  const nodesLinkNavProps = useNavigateOrReplace({
+    search: nodesHref,
+  });
   const crumbs = useMemo(() => {
     return [
       {
         text: i18n.translate('xpack.securitySolution.endpoint.resolver.panel.error.events', {
           defaultMessage: 'Events',
         }),
-        onClick: () => {
-          pushToQueryParams({ crumbId: '', crumbEvent: '' });
-        },
+        ...nodesLinkNavProps,
       },
       {
         text: i18n.translate('xpack.securitySolution.endpoint.resolver.panel.error.error', {
@@ -39,18 +45,14 @@ export const PanelContentError = memo(function ({
         onClick: () => {},
       },
     ];
-  }, [pushToQueryParams]);
+  }, [nodesLinkNavProps]);
   return (
     <>
       <StyledBreadcrumbs breadcrumbs={crumbs} />
       <EuiSpacer size="l" />
       <EuiText textAlign="center">{translatedErrorMessage}</EuiText>
       <EuiSpacer size="l" />
-      <EuiButtonEmpty
-        onClick={() => {
-          pushToQueryParams({ crumbId: '', crumbEvent: '' });
-        }}
-      >
+      <EuiButtonEmpty {...nodesLinkNavProps}>
         {i18n.translate('xpack.securitySolution.endpoint.resolver.panel.error.goBack', {
           defaultMessage: 'Click this link to return to the list of all processes.',
         })}
diff --git a/x-pack/plugins/security_solution/public/resolver/view/panels/panel_loading.tsx b/x-pack/plugins/security_solution/public/resolver/view/panels/panel_loading.tsx
new file mode 100644
index 0000000000000..864990e4d96ab
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/resolver/view/panels/panel_loading.tsx
@@ -0,0 +1,52 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React, { useMemo } from 'react';
+import { useSelector } from 'react-redux';
+import { i18n } from '@kbn/i18n';
+import { EuiSpacer, EuiTitle } from '@elastic/eui';
+import * as selectors from '../../store/selectors';
+import { StyledBreadcrumbs } from './panel_content_utilities';
+import { useNavigateOrReplace } from '../use_navigate_or_replace';
+import { ResolverState } from '../../types';
+
+export function PanelLoading() {
+  const waitingString = i18n.translate(
+    'xpack.securitySolution.endpoint.resolver.panel.relatedDetail.wait',
+    {
+      defaultMessage: 'Waiting For Events...',
+    }
+  );
+  const eventsString = i18n.translate(
+    'xpack.securitySolution.endpoint.resolver.panel.relatedEventDetail.events',
+    {
+      defaultMessage: 'Events',
+    }
+  );
+  const nodesHref = useSelector((state: ResolverState) =>
+    selectors.relativeHref(state)({ panelView: 'nodes' })
+  );
+  const nodesLinkNavProps = useNavigateOrReplace({
+    search: nodesHref,
+  });
+  const waitCrumbs = useMemo(() => {
+    return [
+      {
+        text: eventsString,
+        ...nodesLinkNavProps,
+      },
+    ];
+  }, [nodesLinkNavProps, eventsString]);
+  return (
+    <>
+      <StyledBreadcrumbs breadcrumbs={waitCrumbs} />
+      <EuiSpacer size="l" />
+      <EuiTitle>
+        <h4>{waitingString}</h4>
+      </EuiTitle>
+    </>
+  );
+}
diff --git a/x-pack/plugins/security_solution/public/resolver/view/panels/styles.tsx b/x-pack/plugins/security_solution/public/resolver/view/panels/styles.tsx
new file mode 100644
index 0000000000000..c5d5ae53a5580
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/resolver/view/panels/styles.tsx
@@ -0,0 +1,17 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import styled from 'styled-components';
+import { EuiDescriptionList } from '@elastic/eui';
+
+export const StyledDescriptionList = styled(EuiDescriptionList)`
+  &.euiDescriptionList.euiDescriptionList--column dt.euiDescriptionList__title.desc-title {
+    max-width: 10em;
+  }
+`;
+
+export const StyledTitle = styled('h4')`
+  overflow-wrap: break-word;
+`;
diff --git a/x-pack/plugins/security_solution/public/resolver/view/process_event_dot.tsx b/x-pack/plugins/security_solution/public/resolver/view/process_event_dot.tsx
index f4a7ad120e7db..3edfe36087e68 100644
--- a/x-pack/plugins/security_solution/public/resolver/view/process_event_dot.tsx
+++ b/x-pack/plugins/security_solution/public/resolver/view/process_event_dot.tsx
@@ -4,14 +4,12 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-/* eslint-disable react/display-name */
-
 import React, { useCallback, useMemo } from 'react';
 import styled from 'styled-components';
-import { htmlIdGenerator, EuiButton, EuiI18nNumber, EuiFlexGroup, EuiFlexItem } from '@elastic/eui';
+import { htmlIdGenerator, EuiButton, EuiFlexGroup, EuiFlexItem } from '@elastic/eui';
 import { useSelector } from 'react-redux';
 import { FormattedMessage } from '@kbn/i18n/react';
-import { NodeSubMenu, subMenuAssets } from './submenu';
+import { NodeSubMenu } from './submenu';
 import { applyMatrix3 } from '../models/vector2';
 import { Vector2, Matrix3, ResolverState } from '../types';
 import { SymbolIds, useResolverTheme, calculateResolverFontSize } from './assets';
@@ -19,7 +17,7 @@ import { ResolverEvent, SafeResolverEvent } from '../../../common/endpoint/types
 import { useResolverDispatch } from './use_resolver_dispatch';
 import * as eventModel from '../../../common/endpoint/models/event';
 import * as selectors from '../store/selectors';
-import { useReplaceBreadcrumbParameters } from './use_replace_breadcrumb_parameters';
+import { useNavigateOrReplace } from './use_navigate_or_replace';
 
 interface StyledActionsContainer {
   readonly color: string;
@@ -236,6 +234,16 @@ const UnstyledProcessEventDot = React.memo(
     const isOrigin = nodeID === originID;
 
     const dispatch = useResolverDispatch();
+    const processDetailHref = useSelector((state: ResolverState) =>
+      selectors.relativeHref(state)({
+        panelView: 'nodeDetail',
+        panelParameters: { nodeID },
+      })
+    );
+
+    const processDetailNavProps = useNavigateOrReplace({
+      search: processDetailHref,
+    });
 
     const handleFocus = useCallback(() => {
       dispatch({
@@ -251,57 +259,19 @@ const UnstyledProcessEventDot = React.memo(
       });
     }, [dispatch, nodeID]);
 
-    const pushToQueryParams = useReplaceBreadcrumbParameters();
-
-    const handleClick = useCallback(() => {
-      if (animationTarget.current?.beginElement) {
-        animationTarget.current.beginElement();
-      }
-      dispatch({
-        type: 'userSelectedResolverNode',
-        payload: nodeID,
-      });
-      pushToQueryParams({ crumbId: nodeID, crumbEvent: '' });
-    }, [animationTarget, dispatch, pushToQueryParams, nodeID]);
-
-    /**
-     * Enumerates the stats for related events to display with the node as options,
-     * generally in the form `number of related events in category` `category title`
-     * e.g. "10 DNS", "230 File"
-     */
-
-    const relatedEventOptions = useMemo(() => {
-      const relatedStatsList = [];
-
-      if (!relatedEventStats) {
-        // Return an empty set of options if there are no stats to report
-        return [];
-      }
-      // If we have entries to show, map them into options to display in the selectable list
-
-      for (const [category, total] of Object.entries(relatedEventStats.events.byCategory)) {
-        relatedStatsList.push({
-          prefix: <EuiI18nNumber value={total || 0} />,
-          optionTitle: category,
-          action: () => {
-            dispatch({
-              type: 'userSelectedRelatedEventCategory',
-              payload: {
-                subject: event,
-                category,
-              },
-            });
-
-            pushToQueryParams({ crumbId: nodeID, crumbEvent: category });
-          },
+    const handleClick = useCallback(
+      (clickEvent) => {
+        if (animationTarget.current?.beginElement) {
+          animationTarget.current.beginElement();
+        }
+        dispatch({
+          type: 'userSelectedResolverNode',
+          payload: nodeID,
         });
-      }
-      return relatedStatsList;
-    }, [relatedEventStats, dispatch, event, pushToQueryParams, nodeID]);
-
-    const relatedEventStatusOrOptions = !relatedEventStats
-      ? subMenuAssets.initialMenuStatus
-      : relatedEventOptions;
+        processDetailNavProps.onClick(clickEvent);
+      },
+      [animationTarget, dispatch, nodeID, processDetailNavProps]
+    );
 
     const grandTotal: number | null = useSelector((state: ResolverState) =>
       selectors.relatedEventTotalForProcess(state)(event as ResolverEvent)
@@ -331,9 +301,9 @@ const UnstyledProcessEventDot = React.memo(
           viewBox="-15 -15 90 30"
           preserveAspectRatio="xMidYMid meet"
           onClick={
-            () => {
+            (clickEvent) => {
               handleFocus();
-              handleClick();
+              handleClick(clickEvent);
             } /* a11y note: this is strictly an alternate to the button, so no tabindex is necessary*/
           }
           role="img"
@@ -468,9 +438,8 @@ const UnstyledProcessEventDot = React.memo(
                   buttonBorderColor={labelButtonFill}
                   buttonFill={colorMap.resolverBackground}
                   menuAction={handleRelatedEventRequest}
-                  menuTitle={subMenuAssets.relatedEvents.title}
                   projectionMatrix={projectionMatrix}
-                  optionsWithActions={relatedEventStatusOrOptions}
+                  relatedEventStats={relatedEventStats}
                   nodeID={nodeID}
                 />
               )}
diff --git a/x-pack/plugins/security_solution/public/resolver/view/query_params.test.ts b/x-pack/plugins/security_solution/public/resolver/view/query_params.test.ts
index e42de5009a0f1..787b930344917 100644
--- a/x-pack/plugins/security_solution/public/resolver/view/query_params.test.ts
+++ b/x-pack/plugins/security_solution/public/resolver/view/query_params.test.ts
@@ -44,15 +44,19 @@ describe('Resolver, when analyzing a tree that has no ancestors and 2 children',
       );
       if (button) {
         // Click the first button under the second child element.
-        button.simulate('click');
+        button.simulate('click', { button: 0 });
       }
     });
-    const expectedSearch = urlSearch(resolverComponentInstanceID, {
-      selectedEntityID: 'secondChild',
+    const queryStringWithOriginSelected = urlSearch(resolverComponentInstanceID, {
+      panelParameters: { nodeID: 'secondChild' },
+      panelView: 'nodeDetail',
     });
-    it(`should have a url search of ${expectedSearch}`, async () => {
+    it(`should have a url search of ${queryStringWithOriginSelected}`, async () => {
       await expect(simulator.map(() => simulator.historyLocationSearch)).toYieldEqualTo(
-        urlSearch(resolverComponentInstanceID, { selectedEntityID: 'secondChild' })
+        urlSearch(resolverComponentInstanceID, {
+          panelParameters: { nodeID: 'secondChild' },
+          panelView: 'nodeDetail',
+        })
       );
     });
     describe('when the resolver component gets unmounted', () => {
@@ -78,14 +82,18 @@ describe('Resolver, when analyzing a tree that has no ancestors and 2 children',
           );
           if (button) {
             // Click the first button under the second child element.
-            button.simulate('click');
+            button.simulate('click', { button: 0 });
           }
         });
         it(`should have a url search of ${urlSearch(newInstanceID, {
-          selectedEntityID: 'secondChild',
+          panelParameters: { nodeID: 'secondChild' },
+          panelView: 'nodeDetail',
         })}`, async () => {
           await expect(simulator.map(() => simulator.historyLocationSearch)).toYieldEqualTo(
-            urlSearch(newInstanceID, { selectedEntityID: 'secondChild' })
+            urlSearch(newInstanceID, {
+              panelParameters: { nodeID: 'secondChild' },
+              panelView: 'nodeDetail',
+            })
           );
         });
       });
diff --git a/x-pack/plugins/security_solution/public/resolver/view/resolver_without_providers.tsx b/x-pack/plugins/security_solution/public/resolver/view/resolver_without_providers.tsx
index f4d471b384b35..f96d89b893ceb 100644
--- a/x-pack/plugins/security_solution/public/resolver/view/resolver_without_providers.tsx
+++ b/x-pack/plugins/security_solution/public/resolver/view/resolver_without_providers.tsx
@@ -18,10 +18,11 @@ import { ProcessEventDot } from './process_event_dot';
 import { useCamera } from './use_camera';
 import { SymbolDefinitions, useResolverTheme } from './assets';
 import { useStateSyncingActions } from './use_state_syncing_actions';
-import { StyledMapContainer, StyledPanel, GraphContainer } from './styles';
+import { StyledMapContainer, GraphContainer } from './styles';
 import { entityIDSafeVersion } from '../../../common/endpoint/models/event';
 import { SideEffectContext } from './side_effect_context';
 import { ResolverProps, ResolverState } from '../types';
+import { PanelRouter } from './panels';
 
 /**
  * The highest level connected Resolver component. Needs a `Provider` in its ancestry to work.
@@ -126,7 +127,7 @@ export const ResolverWithoutProviders = React.memo(
             })}
           </GraphContainer>
         )}
-        <StyledPanel />
+        <PanelRouter />
         <GraphControls />
         <SymbolDefinitions />
       </StyledMapContainer>
diff --git a/x-pack/plugins/security_solution/public/resolver/view/styles.tsx b/x-pack/plugins/security_solution/public/resolver/view/styles.tsx
index dfc2f970f1e6f..fb4d4d289d254 100644
--- a/x-pack/plugins/security_solution/public/resolver/view/styles.tsx
+++ b/x-pack/plugins/security_solution/public/resolver/view/styles.tsx
@@ -3,8 +3,10 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
+
+import { EuiPanel } from '@elastic/eui';
+
 import styled from 'styled-components';
-import { Panel } from './panels';
 
 /**
  * The top level DOM element for Resolver
@@ -40,7 +42,7 @@ export const StyledMapContainer = styled.div<{ backgroundColor: string }>`
 /**
  * The Panel, styled for use in `ResolverMap`.
  */
-export const StyledPanel = styled(Panel)`
+export const StyledPanel = styled(EuiPanel)`
   position: absolute;
   left: 0;
   top: 0;
diff --git a/x-pack/plugins/security_solution/public/resolver/view/submenu.tsx b/x-pack/plugins/security_solution/public/resolver/view/submenu.tsx
index adff11ee94cf9..dda90df0fff93 100644
--- a/x-pack/plugins/security_solution/public/resolver/view/submenu.tsx
+++ b/x-pack/plugins/security_solution/public/resolver/view/submenu.tsx
@@ -10,6 +10,8 @@ import { i18n } from '@kbn/i18n';
 import React, { useState, useCallback, useRef, useLayoutEffect, useMemo } from 'react';
 import { EuiI18nNumber, EuiButton, EuiPopover, ButtonColor } from '@elastic/eui';
 import styled from 'styled-components';
+import { ResolverNodeStats } from '../../../common/endpoint/types';
+import { useRelatedEventByCategoryNavigation } from './use_related_event_by_category_navigation';
 import { Matrix3 } from '../types';
 import { useResolverTheme } from './assets';
 
@@ -62,14 +64,12 @@ const SubButton = React.memo(
     menuIsOpen,
     action,
     count,
-    title,
     nodeID,
   }: {
     hasMenu: boolean;
     menuIsOpen?: boolean;
     action: (evt: React.MouseEvent<HTMLButtonElement, MouseEvent>) => void;
     count?: number;
-    title: string;
     nodeID: string;
   }) => {
     const iconType = menuIsOpen === true ? 'arrowUp' : 'arrowDown';
@@ -86,7 +86,7 @@ const SubButton = React.memo(
         data-test-resolver-node-id={nodeID}
         id={nodeID}
       >
-        {count ? <EuiI18nNumber value={count} /> : ''} {title}
+        {count ? <EuiI18nNumber value={count} /> : ''} {subMenuAssets.relatedEvents.title}
       </StyledActionButton>
     );
   }
@@ -101,17 +101,16 @@ const NodeSubMenuComponents = React.memo(
   ({
     count,
     buttonBorderColor,
-    menuTitle,
     menuAction,
-    optionsWithActions,
     className,
     projectionMatrix,
     nodeID,
+    relatedEventStats,
   }: {
-    menuTitle: string;
     className?: string;
     menuAction?: () => unknown;
     buttonBorderColor: ButtonColor;
+    // eslint-disable-next-line react/no-unused-prop-types
     buttonFill: string;
     count?: number;
     /**
@@ -119,8 +118,7 @@ const NodeSubMenuComponents = React.memo(
      */
     projectionMatrix: Matrix3;
     nodeID: string;
-  } & {
-    optionsWithActions?: ResolverSubmenuOptionList | string | undefined;
+    relatedEventStats: ResolverNodeStats | undefined;
   }) => {
     // keep a ref to the popover so we can call its reposition method
     const popoverRef = useRef<EuiPopover>(null);
@@ -148,6 +146,23 @@ const NodeSubMenuComponents = React.memo(
 
     // The last projection matrix that was used to position the popover
     const projectionMatrixAtLastRender = useRef<Matrix3>();
+    const relatedEventCallbacks = useRelatedEventByCategoryNavigation({
+      nodeID,
+      categories: relatedEventStats?.events?.byCategory,
+    });
+    const relatedEventOptions = useMemo(() => {
+      if (relatedEventStats === undefined) {
+        return [];
+      } else {
+        return Object.entries(relatedEventStats.events.byCategory).map(([category, total]) => {
+          return {
+            prefix: <EuiI18nNumber value={total || 0} />,
+            optionTitle: category,
+            action: () => relatedEventCallbacks(category),
+          };
+        });
+      }
+    }, [relatedEventStats, relatedEventCallbacks]);
 
     useLayoutEffect(() => {
       if (
@@ -167,7 +182,6 @@ const NodeSubMenuComponents = React.memo(
       // no matter what, keep track of the last project matrix that was used to size the popover
       projectionMatrixAtLastRender.current = projectionMatrix;
     }, [projectionMatrixAtLastRender, projectionMatrix]);
-
     const {
       colorMap: { pillStroke: pillBorderStroke, resolverBackground: pillFill },
     } = useResolverTheme();
@@ -177,8 +191,7 @@ const NodeSubMenuComponents = React.memo(
         backgroundColor: pillFill,
       };
     }, [pillBorderStroke, pillFill]);
-
-    if (!optionsWithActions) {
+    if (relatedEventStats === undefined) {
       /**
        * When called with a `menuAction`
        * Render without dropdown and call the supplied action when host button is clicked
@@ -191,14 +204,14 @@ const NodeSubMenuComponents = React.memo(
             size="s"
             tabIndex={-1}
           >
-            {menuTitle}
+            {subMenuAssets.relatedEvents.title}
           </EuiButton>
         </div>
       );
     }
 
-    if (typeof optionsWithActions === 'string') {
-      return <></>;
+    if (relatedEventOptions === undefined) {
+      return null;
     }
 
     return (
@@ -208,7 +221,6 @@ const NodeSubMenuComponents = React.memo(
           menuIsOpen={menuIsOpen}
           action={handleMenuOpenClick}
           count={count}
-          title={menuTitle}
           nodeID={nodeID}
         />
         {menuIsOpen ? (
@@ -217,7 +229,7 @@ const NodeSubMenuComponents = React.memo(
             aria-hidden={!menuIsOpen}
             aria-describedby={nodeID}
           >
-            {optionsWithActions
+            {relatedEventOptions
               .sort((opta, optb) => {
                 return opta.optionTitle.localeCompare(optb.optionTitle);
               })
diff --git a/x-pack/plugins/security_solution/public/resolver/view/use_navigate_or_replace.ts b/x-pack/plugins/security_solution/public/resolver/view/use_navigate_or_replace.ts
new file mode 100644
index 0000000000000..6b3568258a45f
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/resolver/view/use_navigate_or_replace.ts
@@ -0,0 +1,59 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { MouseEventHandler, useCallback } from 'react';
+import { useHistory } from 'react-router-dom';
+import { LocationDescriptorObject } from 'history';
+
+type EventHandlerCallback = MouseEventHandler<HTMLButtonElement | HTMLAnchorElement>;
+
+export function useNavigateOrReplace(
+  to: LocationDescriptorObject<unknown>,
+  /** Additional onClick callback */
+  additionalOnClick?: EventHandlerCallback
+): { href: string; onClick: EventHandlerCallback } {
+  const history = useHistory();
+  const onClick = useCallback(
+    (event) => {
+      try {
+        if (additionalOnClick) {
+          additionalOnClick(event);
+        }
+      } catch (error) {
+        event.preventDefault();
+        throw error;
+      }
+
+      if (event.defaultPrevented) {
+        return;
+      }
+
+      if (event.button !== 0) {
+        return;
+      }
+
+      if (
+        event.currentTarget instanceof HTMLAnchorElement &&
+        event.currentTarget.target !== '' &&
+        event.currentTarget.target !== '_self'
+      ) {
+        return;
+      }
+
+      if (event.metaKey || event.altKey || event.ctrlKey || event.shiftKey) {
+        return;
+      }
+
+      event.preventDefault();
+      history.push(to);
+    },
+    [history, additionalOnClick, to]
+  );
+  return {
+    href: history.createHref(to),
+    onClick,
+  };
+}
diff --git a/x-pack/plugins/security_solution/public/resolver/view/use_query_string_keys.ts b/x-pack/plugins/security_solution/public/resolver/view/use_query_string_keys.ts
deleted file mode 100644
index 11f1a30db72fc..0000000000000
--- a/x-pack/plugins/security_solution/public/resolver/view/use_query_string_keys.ts
+++ /dev/null
@@ -1,21 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import { useSelector } from 'react-redux';
-import * as selectors from '../store/selectors';
-
-/**
- * Get the query string keys used by this Resolver instance.
- */
-export function useQueryStringKeys(): { idKey: string; eventKey: string } {
-  const resolverComponentInstanceID = useSelector(selectors.resolverComponentInstanceID);
-  const idKey: string = `resolver-${resolverComponentInstanceID}-id`;
-  const eventKey: string = `resolver-${resolverComponentInstanceID}-event`;
-  return {
-    idKey,
-    eventKey,
-  };
-}
diff --git a/x-pack/plugins/security_solution/public/resolver/view/use_related_event_by_category_navigation.ts b/x-pack/plugins/security_solution/public/resolver/view/use_related_event_by_category_navigation.ts
new file mode 100644
index 0000000000000..f994350132c35
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/resolver/view/use_related_event_by_category_navigation.ts
@@ -0,0 +1,37 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { useCallback } from 'react';
+import { useSelector } from 'react-redux';
+import { useHistory } from 'react-router-dom';
+import { ResolverState } from '../types';
+import * as selectors from '../store/selectors';
+
+/**
+ * A hook that takes a nodeID and a record of categories, and returns a function that
+ * navigates to the proper url when called with a category.
+ * @deprecated
+ */
+export function useRelatedEventByCategoryNavigation({
+  nodeID,
+  categories,
+}: {
+  nodeID: string;
+  categories: Record<string, number> | undefined;
+}) {
+  const relatedEventUrls = useSelector((state: ResolverState) =>
+    selectors.relatedEventsRelativeHrefs(state)(categories, nodeID)
+  );
+  const history = useHistory();
+  return useCallback(
+    (category: string) => {
+      const urlForCategory = relatedEventUrls.get(category);
+      if (urlForCategory !== null && urlForCategory !== undefined) {
+        return history.replace({ search: urlForCategory });
+      }
+    },
+    [history, relatedEventUrls]
+  );
+}
diff --git a/x-pack/plugins/security_solution/public/resolver/view/use_related_event_detail_navigation.ts b/x-pack/plugins/security_solution/public/resolver/view/use_related_event_detail_navigation.ts
new file mode 100644
index 0000000000000..9fc74a7567c47
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/resolver/view/use_related_event_detail_navigation.ts
@@ -0,0 +1,40 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { useCallback } from 'react';
+import { useSelector } from 'react-redux';
+import { useHistory } from 'react-router-dom';
+import { ResolverState } from '../types';
+import { ResolverEvent } from '../../../common/endpoint/types';
+import * as selectors from '../store/selectors';
+
+/**
+ * @deprecated
+ */
+export function useRelatedEventDetailNavigation({
+  nodeID,
+  category,
+  events,
+}: {
+  nodeID: string;
+  category: string;
+  events: ResolverEvent[];
+}) {
+  const relatedEventDetailUrls = useSelector((state: ResolverState) =>
+    selectors.relatedEventDetailHrefs(state)(category, nodeID, events)
+  );
+  const history = useHistory();
+  return useCallback(
+    (entityID: string | number | undefined) => {
+      if (entityID !== undefined) {
+        const urlForEntityID = relatedEventDetailUrls.get(String(entityID));
+        if (urlForEntityID !== null && urlForEntityID !== undefined) {
+          return history.replace({ search: urlForEntityID });
+        }
+      }
+    },
+    [history, relatedEventDetailUrls]
+  );
+}
diff --git a/x-pack/plugins/security_solution/public/resolver/view/use_replace_breadcrumb_parameters.ts b/x-pack/plugins/security_solution/public/resolver/view/use_replace_breadcrumb_parameters.ts
deleted file mode 100644
index 6d819337e447d..0000000000000
--- a/x-pack/plugins/security_solution/public/resolver/view/use_replace_breadcrumb_parameters.ts
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import { useCallback } from 'react';
-import { useHistory, useLocation } from 'react-router-dom';
-import { useQueryStringKeys } from './use_query_string_keys';
-import { CrumbInfo } from '../types';
-
-/**
- * @deprecated
- * Update the browser's `search` with data from `queryStringState`. The URL search parameter names
- * will include Resolver's `resolverComponentInstanceID`.
- */
-export function useReplaceBreadcrumbParameters(): (queryStringState: CrumbInfo) => void {
-  /**
-   * This updates the breadcrumb nav and the panel view. It's supplied to each
-   * panel content view to allow them to dispatch transitions to each other.
-   */
-  const history = useHistory();
-  const urlSearch = useLocation().search;
-  const { idKey, eventKey } = useQueryStringKeys();
-  return useCallback(
-    (queryStringState: CrumbInfo) => {
-      const urlSearchParams = new URLSearchParams(urlSearch);
-
-      urlSearchParams.set(idKey, queryStringState.crumbId);
-      urlSearchParams.set(eventKey, queryStringState.crumbEvent);
-
-      // If either was passed in as empty, remove it
-      if (queryStringState.crumbId === '') {
-        urlSearchParams.delete(idKey);
-      }
-      if (queryStringState.crumbEvent === '') {
-        urlSearchParams.delete(eventKey);
-      }
-
-      const relativeURL = { search: urlSearchParams.toString() };
-      // We probably don't want to nuke the user's history with a huge
-      // trail of these, thus `.replace` instead of `.push`
-      return history.replace(relativeURL);
-    },
-    [history, urlSearch, idKey, eventKey]
-  );
-}
diff --git a/x-pack/plugins/security_solution/public/resolver/view/use_resolver_query_params_cleaner.ts b/x-pack/plugins/security_solution/public/resolver/view/use_resolver_query_params_cleaner.ts
index a84eb0490aae2..9cf6c182befe1 100644
--- a/x-pack/plugins/security_solution/public/resolver/view/use_resolver_query_params_cleaner.ts
+++ b/x-pack/plugins/security_solution/public/resolver/view/use_resolver_query_params_cleaner.ts
@@ -6,8 +6,9 @@
 
 import { useRef, useEffect } from 'react';
 import { useLocation, useHistory } from 'react-router-dom';
-
-import { useQueryStringKeys } from './use_query_string_keys';
+import { useSelector } from 'react-redux';
+import * as selectors from '../store/selectors';
+import { parameterName } from '../store/ui/selectors';
 /**
  * Cleanup any query string keys that were added by this Resolver instance.
  * This works by having a React effect that just has behavior in the 'cleanup' function.
@@ -23,15 +24,15 @@ export function useResolverQueryParamCleaner() {
   searchRef.current = useLocation().search;
 
   const history = useHistory();
+  const resolverComponentInstanceID = useSelector(selectors.resolverComponentInstanceID);
 
-  const { idKey, eventKey } = useQueryStringKeys();
+  const resolverKey = parameterName(resolverComponentInstanceID);
 
   useEffect(() => {
     /**
      * Keep track of the old query string keys so we can remove them.
      */
-    const oldIdKey = idKey;
-    const oldEventKey = eventKey;
+    const oldResolverKey = resolverKey;
     /**
      * When `idKey` or `eventKey` changes (such as when the `resolverComponentInstanceID` has changed) or when the component unmounts, remove any state from the query string.
      */
@@ -44,10 +45,9 @@ export function useResolverQueryParamCleaner() {
       /**
        * Remove old keys from the url
        */
-      urlSearchParams.delete(oldIdKey);
-      urlSearchParams.delete(oldEventKey);
+      urlSearchParams.delete(oldResolverKey);
       const relativeURL = { search: urlSearchParams.toString() };
       history.replace(relativeURL);
     };
-  }, [idKey, eventKey, history]);
+  }, [resolverKey, history]);
 }
diff --git a/x-pack/plugins/translations/translations/ja-JP.json b/x-pack/plugins/translations/translations/ja-JP.json
index 78e3d78d5af2a..3b7caf7952865 100644
--- a/x-pack/plugins/translations/translations/ja-JP.json
+++ b/x-pack/plugins/translations/translations/ja-JP.json
@@ -15927,7 +15927,6 @@
     "xpack.securitySolution.endpoint.resolver.panel.processEventCounts.events": "イベント",
     "xpack.securitySolution.endpoint.resolver.panel.processEventListByType.eventDescriptiveName": "{descriptor} {subject}",
     "xpack.securitySolution.endpoint.resolver.panel.processEventListByType.events": "イベント",
-    "xpack.securitySolution.endpoint.resolver.panel.processEventListByType.wait": "イベントを待機しています...",
     "xpack.securitySolution.endpoint.resolver.panel.relatedCounts.numberOfEventsInCrumb": "{totalCount}件のイベント",
     "xpack.securitySolution.endpoint.resolver.panel.relatedDetail.missing": "関連イベントが見つかりません。",
     "xpack.securitySolution.endpoint.resolver.panel.relatedDetail.wait": "イベントを待機しています...",
diff --git a/x-pack/plugins/translations/translations/zh-CN.json b/x-pack/plugins/translations/translations/zh-CN.json
index 79c2095218f50..623061b379397 100644
--- a/x-pack/plugins/translations/translations/zh-CN.json
+++ b/x-pack/plugins/translations/translations/zh-CN.json
@@ -15937,7 +15937,6 @@
     "xpack.securitySolution.endpoint.resolver.panel.processEventCounts.events": "事件",
     "xpack.securitySolution.endpoint.resolver.panel.processEventListByType.eventDescriptiveName": "{descriptor} {subject}",
     "xpack.securitySolution.endpoint.resolver.panel.processEventListByType.events": "事件",
-    "xpack.securitySolution.endpoint.resolver.panel.processEventListByType.wait": "等候事件......",
     "xpack.securitySolution.endpoint.resolver.panel.relatedCounts.numberOfEventsInCrumb": "{totalCount} 个事件",
     "xpack.securitySolution.endpoint.resolver.panel.relatedDetail.missing": "找不到相关事件。",
     "xpack.securitySolution.endpoint.resolver.panel.relatedDetail.wait": "等候事件......",

From fd1aad0711cf7430a835f583f8a9204016826a25 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20Fern=C3=A1ndez=20Haro?=
 <alejandro.haro@elastic.co>
Date: Wed, 16 Sep 2020 20:08:06 +0100
Subject: [PATCH 3/5] [Application Usage] Daily rollups to overcome the find
 >10k SO limitation (#77610)

Co-authored-by: Christiane (Tina) Heiligers <christiane.heiligers@elastic.co>
---
 .../collectors/application_usage/README.md    |  10 +-
 .../application_usage/index.test.ts           | 151 ---------
 .../application_usage/rollups.test.ts         | 299 ++++++++++++++++++
 .../collectors/application_usage/rollups.ts   | 202 ++++++++++++
 .../application_usage/saved_objects_types.ts  |  32 +-
 ...emetry_application_usage_collector.test.ts | 213 +++++++++++++
 .../telemetry_application_usage_collector.ts  | 203 +++++-------
 .../server/collectors/find_all.test.ts        |  55 ----
 .../server/collectors/find_all.ts             |  41 ---
 .../telemetry_ui_metric_collector.ts          |   4 +-
 .../kibana_usage_collection/server/plugin.ts  |  10 +-
 .../apis/telemetry/telemetry_local.js         | 108 +++++++
 12 files changed, 955 insertions(+), 373 deletions(-)
 delete mode 100644 src/plugins/kibana_usage_collection/server/collectors/application_usage/index.test.ts
 create mode 100644 src/plugins/kibana_usage_collection/server/collectors/application_usage/rollups.test.ts
 create mode 100644 src/plugins/kibana_usage_collection/server/collectors/application_usage/rollups.ts
 create mode 100644 src/plugins/kibana_usage_collection/server/collectors/application_usage/telemetry_application_usage_collector.test.ts
 delete mode 100644 src/plugins/kibana_usage_collection/server/collectors/find_all.test.ts
 delete mode 100644 src/plugins/kibana_usage_collection/server/collectors/find_all.ts

diff --git a/src/plugins/kibana_usage_collection/server/collectors/application_usage/README.md b/src/plugins/kibana_usage_collection/server/collectors/application_usage/README.md
index 1ffd01fc6fde7..cb80538fd1718 100644
--- a/src/plugins/kibana_usage_collection/server/collectors/application_usage/README.md
+++ b/src/plugins/kibana_usage_collection/server/collectors/application_usage/README.md
@@ -28,10 +28,10 @@ This collection occurs by default for every application registered via the menti
 
 ## Developer notes
 
-In order to keep the count of the events, this collector uses 2 Saved Objects:
+In order to keep the count of the events, this collector uses 3 Saved Objects:
 
-1. `application_usage_transactional`: It stores each individually reported event (up to 90 days old). Grouped by `timestamp` and `appId`.
-2. `application_usage_totals`: It stores the sum of all the events older than 90 days old per `appId`.
+1. `application_usage_transactional`: It stores each individually reported event. Grouped by `timestamp` and `appId`. The reason for having these documents instead of editing `application_usage_daily` documents on very report is to provide faster response to the requests to `/api/ui_metric/report` (creating new documents instead of finding and editing existing ones) and to avoid conflicts when multiple users reach to the API concurrently.
+2. `application_usage_daily`: Periodically, documents from `application_usage_transactional` are aggregated to daily summaries and deleted. Also grouped by `timestamp` and `appId`.
+3. `application_usage_totals`: It stores the sum of all the events older than 90 days old, grouped by `appId`.
 
-Both of them use the shared fields `appId: 'keyword'`, `numberOfClicks: 'long'` and `minutesOnScreen: 'float'`. `application_usage_transactional` also stores `timestamp: { type: 'date' }`.
-but they are currently not added in the mappings because we don't use them for search purposes, and we need to be thoughtful with the number of mapped fields in the SavedObjects index ([#43673](https://github.com/elastic/kibana/issues/43673)).
+All the types use the shared fields `appId: 'keyword'`, `numberOfClicks: 'long'` and `minutesOnScreen: 'float'`, but they are currently not added in the mappings because we don't use them for search purposes, and we need to be thoughtful with the number of mapped fields in the SavedObjects index ([#43673](https://github.com/elastic/kibana/issues/43673)). `application_usage_transactional` and `application_usage_daily` also store `timestamp: { type: 'date' }`.
diff --git a/src/plugins/kibana_usage_collection/server/collectors/application_usage/index.test.ts b/src/plugins/kibana_usage_collection/server/collectors/application_usage/index.test.ts
deleted file mode 100644
index 5658b38120596..0000000000000
--- a/src/plugins/kibana_usage_collection/server/collectors/application_usage/index.test.ts
+++ /dev/null
@@ -1,151 +0,0 @@
-/*
- * Licensed to Elasticsearch B.V. under one or more contributor
- * license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright
- * ownership. Elasticsearch B.V. licenses this file to you under
- * the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-import { savedObjectsRepositoryMock } from '../../../../../core/server/mocks';
-import {
-  CollectorOptions,
-  createUsageCollectionSetupMock,
-} from '../../../../usage_collection/server/usage_collection.mock';
-
-import { registerApplicationUsageCollector } from './';
-import {
-  ROLL_INDICES_INTERVAL,
-  SAVED_OBJECTS_TOTAL_TYPE,
-  SAVED_OBJECTS_TRANSACTIONAL_TYPE,
-} from './telemetry_application_usage_collector';
-
-describe('telemetry_application_usage', () => {
-  jest.useFakeTimers();
-
-  let collector: CollectorOptions;
-
-  const usageCollectionMock = createUsageCollectionSetupMock();
-  usageCollectionMock.makeUsageCollector.mockImplementation((config) => {
-    collector = config;
-    return createUsageCollectionSetupMock().makeUsageCollector(config);
-  });
-
-  const getUsageCollector = jest.fn();
-  const registerType = jest.fn();
-  const callCluster = jest.fn();
-
-  beforeAll(() =>
-    registerApplicationUsageCollector(usageCollectionMock, registerType, getUsageCollector)
-  );
-  afterAll(() => jest.clearAllTimers());
-
-  test('registered collector is set', () => {
-    expect(collector).not.toBeUndefined();
-  });
-
-  test('if no savedObjectClient initialised, return undefined', async () => {
-    expect(await collector.fetch(callCluster)).toBeUndefined();
-    jest.runTimersToTime(ROLL_INDICES_INTERVAL);
-  });
-
-  test('when savedObjectClient is initialised, return something', async () => {
-    const savedObjectClient = savedObjectsRepositoryMock.create();
-    savedObjectClient.find.mockImplementation(
-      async () =>
-        ({
-          saved_objects: [],
-          total: 0,
-        } as any)
-    );
-    getUsageCollector.mockImplementation(() => savedObjectClient);
-
-    jest.runTimersToTime(ROLL_INDICES_INTERVAL); // Force rollTotals to run
-
-    expect(await collector.fetch(callCluster)).toStrictEqual({});
-    expect(savedObjectClient.bulkCreate).not.toHaveBeenCalled();
-  });
-
-  test('paging in findAll works', async () => {
-    const savedObjectClient = savedObjectsRepositoryMock.create();
-    let total = 201;
-    savedObjectClient.find.mockImplementation(async (opts) => {
-      if (opts.type === SAVED_OBJECTS_TOTAL_TYPE) {
-        return {
-          saved_objects: [
-            {
-              id: 'appId',
-              attributes: {
-                appId: 'appId',
-                minutesOnScreen: 10,
-                numberOfClicks: 10,
-              },
-            },
-          ],
-          total: 1,
-        } as any;
-      }
-      if ((opts.page || 1) > 2) {
-        return { saved_objects: [], total };
-      }
-      const doc = {
-        id: 'test-id',
-        attributes: {
-          appId: 'appId',
-          timestamp: new Date().toISOString(),
-          minutesOnScreen: 1,
-          numberOfClicks: 1,
-        },
-      };
-      const savedObjects = new Array(opts.perPage).fill(doc);
-      total = savedObjects.length * 2 + 1;
-      return { saved_objects: savedObjects, total };
-    });
-
-    getUsageCollector.mockImplementation(() => savedObjectClient);
-
-    jest.runTimersToTime(ROLL_INDICES_INTERVAL); // Force rollTotals to run
-
-    expect(await collector.fetch(callCluster)).toStrictEqual({
-      appId: {
-        clicks_total: total - 1 + 10,
-        clicks_7_days: total - 1,
-        clicks_30_days: total - 1,
-        clicks_90_days: total - 1,
-        minutes_on_screen_total: total - 1 + 10,
-        minutes_on_screen_7_days: total - 1,
-        minutes_on_screen_30_days: total - 1,
-        minutes_on_screen_90_days: total - 1,
-      },
-    });
-    expect(savedObjectClient.bulkCreate).toHaveBeenCalledWith(
-      [
-        {
-          id: 'appId',
-          type: SAVED_OBJECTS_TOTAL_TYPE,
-          attributes: {
-            appId: 'appId',
-            minutesOnScreen: total - 1 + 10,
-            numberOfClicks: total - 1 + 10,
-          },
-        },
-      ],
-      { overwrite: true }
-    );
-    expect(savedObjectClient.delete).toHaveBeenCalledTimes(total - 1);
-    expect(savedObjectClient.delete).toHaveBeenCalledWith(
-      SAVED_OBJECTS_TRANSACTIONAL_TYPE,
-      'test-id'
-    );
-  });
-});
diff --git a/src/plugins/kibana_usage_collection/server/collectors/application_usage/rollups.test.ts b/src/plugins/kibana_usage_collection/server/collectors/application_usage/rollups.test.ts
new file mode 100644
index 0000000000000..f8bc17fc40df0
--- /dev/null
+++ b/src/plugins/kibana_usage_collection/server/collectors/application_usage/rollups.test.ts
@@ -0,0 +1,299 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { rollDailyData, rollTotals } from './rollups';
+import { savedObjectsRepositoryMock, loggingSystemMock } from '../../../../../core/server/mocks';
+import { SavedObjectsErrorHelpers } from '../../../../../core/server';
+import {
+  SAVED_OBJECTS_DAILY_TYPE,
+  SAVED_OBJECTS_TOTAL_TYPE,
+  SAVED_OBJECTS_TRANSACTIONAL_TYPE,
+} from './saved_objects_types';
+
+describe('rollDailyData', () => {
+  const logger = loggingSystemMock.createLogger();
+
+  test('returns undefined if no savedObjectsClient initialised yet', async () => {
+    await expect(rollDailyData(logger, undefined)).resolves.toBe(undefined);
+  });
+
+  test('handle empty results', async () => {
+    const savedObjectClient = savedObjectsRepositoryMock.create();
+    savedObjectClient.find.mockImplementation(async ({ type, page = 1, perPage = 10 }) => {
+      switch (type) {
+        case SAVED_OBJECTS_TRANSACTIONAL_TYPE:
+          return { saved_objects: [], total: 0, page, per_page: perPage };
+        default:
+          throw new Error(`Unexpected type [${type}]`);
+      }
+    });
+    await expect(rollDailyData(logger, savedObjectClient)).resolves.toBe(undefined);
+    expect(savedObjectClient.get).not.toBeCalled();
+    expect(savedObjectClient.bulkCreate).not.toBeCalled();
+    expect(savedObjectClient.delete).not.toBeCalled();
+  });
+
+  test('migrate some docs', async () => {
+    const savedObjectClient = savedObjectsRepositoryMock.create();
+    let timesCalled = 0;
+    savedObjectClient.find.mockImplementation(async ({ type, page = 1, perPage = 10 }) => {
+      switch (type) {
+        case SAVED_OBJECTS_TRANSACTIONAL_TYPE:
+          if (timesCalled++ > 0) {
+            return { saved_objects: [], total: 0, page, per_page: perPage };
+          }
+          return {
+            saved_objects: [
+              {
+                id: 'test-id-1',
+                type,
+                score: 0,
+                references: [],
+                attributes: {
+                  appId: 'appId',
+                  timestamp: '2020-01-01T10:31:00.000Z',
+                  minutesOnScreen: 0.5,
+                  numberOfClicks: 1,
+                },
+              },
+              {
+                id: 'test-id-2',
+                type,
+                score: 0,
+                references: [],
+                attributes: {
+                  appId: 'appId',
+                  timestamp: '2020-01-01T11:31:00.000Z',
+                  minutesOnScreen: 1.5,
+                  numberOfClicks: 2,
+                },
+              },
+            ],
+            total: 2,
+            page,
+            per_page: perPage,
+          };
+        default:
+          throw new Error(`Unexpected type [${type}]`);
+      }
+    });
+
+    savedObjectClient.get.mockImplementation(async (type, id) => {
+      throw SavedObjectsErrorHelpers.createGenericNotFoundError(type, id);
+    });
+
+    await expect(rollDailyData(logger, savedObjectClient)).resolves.toBe(undefined);
+    expect(savedObjectClient.get).toHaveBeenCalledTimes(1);
+    expect(savedObjectClient.get).toHaveBeenCalledWith(
+      SAVED_OBJECTS_DAILY_TYPE,
+      'appId:2020-01-01'
+    );
+    expect(savedObjectClient.bulkCreate).toHaveBeenCalledTimes(1);
+    expect(savedObjectClient.bulkCreate).toHaveBeenCalledWith(
+      [
+        {
+          type: SAVED_OBJECTS_DAILY_TYPE,
+          id: 'appId:2020-01-01',
+          attributes: {
+            appId: 'appId',
+            timestamp: '2020-01-01T00:00:00.000Z',
+            minutesOnScreen: 2.0,
+            numberOfClicks: 3,
+          },
+        },
+      ],
+      { overwrite: true }
+    );
+    expect(savedObjectClient.delete).toHaveBeenCalledTimes(2);
+    expect(savedObjectClient.delete).toHaveBeenCalledWith(
+      SAVED_OBJECTS_TRANSACTIONAL_TYPE,
+      'test-id-1'
+    );
+    expect(savedObjectClient.delete).toHaveBeenCalledWith(
+      SAVED_OBJECTS_TRANSACTIONAL_TYPE,
+      'test-id-2'
+    );
+  });
+
+  test('error getting the daily document', async () => {
+    const savedObjectClient = savedObjectsRepositoryMock.create();
+    let timesCalled = 0;
+    savedObjectClient.find.mockImplementation(async ({ type, page = 1, perPage = 10 }) => {
+      switch (type) {
+        case SAVED_OBJECTS_TRANSACTIONAL_TYPE:
+          if (timesCalled++ > 0) {
+            return { saved_objects: [], total: 0, page, per_page: perPage };
+          }
+          return {
+            saved_objects: [
+              {
+                id: 'test-id-1',
+                type,
+                score: 0,
+                references: [],
+                attributes: {
+                  appId: 'appId',
+                  timestamp: '2020-01-01T10:31:00.000Z',
+                  minutesOnScreen: 0.5,
+                  numberOfClicks: 1,
+                },
+              },
+            ],
+            total: 1,
+            page,
+            per_page: perPage,
+          };
+        default:
+          throw new Error(`Unexpected type [${type}]`);
+      }
+    });
+
+    savedObjectClient.get.mockImplementation(async (type, id) => {
+      throw new Error('Something went terribly wrong');
+    });
+
+    await expect(rollDailyData(logger, savedObjectClient)).resolves.toBe(undefined);
+    expect(savedObjectClient.get).toHaveBeenCalledTimes(1);
+    expect(savedObjectClient.get).toHaveBeenCalledWith(
+      SAVED_OBJECTS_DAILY_TYPE,
+      'appId:2020-01-01'
+    );
+    expect(savedObjectClient.bulkCreate).toHaveBeenCalledTimes(0);
+    expect(savedObjectClient.delete).toHaveBeenCalledTimes(0);
+  });
+});
+
+describe('rollTotals', () => {
+  const logger = loggingSystemMock.createLogger();
+
+  test('returns undefined if no savedObjectsClient initialised yet', async () => {
+    await expect(rollTotals(logger, undefined)).resolves.toBe(undefined);
+  });
+
+  test('handle empty results', async () => {
+    const savedObjectClient = savedObjectsRepositoryMock.create();
+    savedObjectClient.find.mockImplementation(async ({ type, page = 1, perPage = 10 }) => {
+      switch (type) {
+        case SAVED_OBJECTS_DAILY_TYPE:
+        case SAVED_OBJECTS_TOTAL_TYPE:
+          return { saved_objects: [], total: 0, page, per_page: perPage };
+        default:
+          throw new Error(`Unexpected type [${type}]`);
+      }
+    });
+    await expect(rollTotals(logger, savedObjectClient)).resolves.toBe(undefined);
+    expect(savedObjectClient.bulkCreate).toHaveBeenCalledTimes(0);
+    expect(savedObjectClient.delete).toHaveBeenCalledTimes(0);
+  });
+
+  test('migrate some documents', async () => {
+    const savedObjectClient = savedObjectsRepositoryMock.create();
+    savedObjectClient.find.mockImplementation(async ({ type, page = 1, perPage = 10 }) => {
+      switch (type) {
+        case SAVED_OBJECTS_DAILY_TYPE:
+          return {
+            saved_objects: [
+              {
+                id: 'appId-2:2020-01-01',
+                type,
+                score: 0,
+                references: [],
+                attributes: {
+                  appId: 'appId-2',
+                  timestamp: '2020-01-01T10:31:00.000Z',
+                  minutesOnScreen: 0.5,
+                  numberOfClicks: 1,
+                },
+              },
+              {
+                id: 'appId-1:2020-01-01',
+                type,
+                score: 0,
+                references: [],
+                attributes: {
+                  appId: 'appId-1',
+                  timestamp: '2020-01-01T11:31:00.000Z',
+                  minutesOnScreen: 1.5,
+                  numberOfClicks: 2,
+                },
+              },
+            ],
+            total: 2,
+            page,
+            per_page: perPage,
+          };
+        case SAVED_OBJECTS_TOTAL_TYPE:
+          return {
+            saved_objects: [
+              {
+                id: 'appId-1',
+                type,
+                score: 0,
+                references: [],
+                attributes: {
+                  appId: 'appId-1',
+                  minutesOnScreen: 0.5,
+                  numberOfClicks: 1,
+                },
+              },
+            ],
+            total: 1,
+            page,
+            per_page: perPage,
+          };
+        default:
+          throw new Error(`Unexpected type [${type}]`);
+      }
+    });
+    await expect(rollTotals(logger, savedObjectClient)).resolves.toBe(undefined);
+    expect(savedObjectClient.bulkCreate).toHaveBeenCalledTimes(1);
+    expect(savedObjectClient.bulkCreate).toHaveBeenCalledWith(
+      [
+        {
+          type: SAVED_OBJECTS_TOTAL_TYPE,
+          id: 'appId-1',
+          attributes: {
+            appId: 'appId-1',
+            minutesOnScreen: 2.0,
+            numberOfClicks: 3,
+          },
+        },
+        {
+          type: SAVED_OBJECTS_TOTAL_TYPE,
+          id: 'appId-2',
+          attributes: {
+            appId: 'appId-2',
+            minutesOnScreen: 0.5,
+            numberOfClicks: 1,
+          },
+        },
+      ],
+      { overwrite: true }
+    );
+    expect(savedObjectClient.delete).toHaveBeenCalledTimes(2);
+    expect(savedObjectClient.delete).toHaveBeenCalledWith(
+      SAVED_OBJECTS_DAILY_TYPE,
+      'appId-2:2020-01-01'
+    );
+    expect(savedObjectClient.delete).toHaveBeenCalledWith(
+      SAVED_OBJECTS_DAILY_TYPE,
+      'appId-1:2020-01-01'
+    );
+  });
+});
diff --git a/src/plugins/kibana_usage_collection/server/collectors/application_usage/rollups.ts b/src/plugins/kibana_usage_collection/server/collectors/application_usage/rollups.ts
new file mode 100644
index 0000000000000..3020147e95d98
--- /dev/null
+++ b/src/plugins/kibana_usage_collection/server/collectors/application_usage/rollups.ts
@@ -0,0 +1,202 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { ISavedObjectsRepository, SavedObject, Logger } from 'kibana/server';
+import moment from 'moment';
+import {
+  ApplicationUsageDaily,
+  ApplicationUsageTotal,
+  ApplicationUsageTransactional,
+  SAVED_OBJECTS_DAILY_TYPE,
+  SAVED_OBJECTS_TOTAL_TYPE,
+  SAVED_OBJECTS_TRANSACTIONAL_TYPE,
+} from './saved_objects_types';
+import { SavedObjectsErrorHelpers } from '../../../../../../src/core/server';
+
+/**
+ * For Rolling the daily data, we only care about the stored attributes and the version (to avoid overwriting via concurrent requests)
+ */
+type ApplicationUsageDailyWithVersion = Pick<
+  SavedObject<ApplicationUsageDaily>,
+  'version' | 'attributes'
+>;
+
+/**
+ * Aggregates all the transactional events into daily aggregates
+ * @param logger
+ * @param savedObjectsClient
+ */
+export async function rollDailyData(logger: Logger, savedObjectsClient?: ISavedObjectsRepository) {
+  if (!savedObjectsClient) {
+    return;
+  }
+
+  try {
+    let toCreate: Map<string, ApplicationUsageDailyWithVersion>;
+    do {
+      toCreate = new Map();
+      const { saved_objects: rawApplicationUsageTransactional } = await savedObjectsClient.find<
+        ApplicationUsageTransactional
+      >({
+        type: SAVED_OBJECTS_TRANSACTIONAL_TYPE,
+        perPage: 1000, // Process 1000 at a time as a compromise of speed and overload
+      });
+
+      for (const doc of rawApplicationUsageTransactional) {
+        const {
+          attributes: { appId, minutesOnScreen, numberOfClicks, timestamp },
+        } = doc;
+        const dayId = moment(timestamp).format('YYYY-MM-DD');
+        const dailyId = `${appId}:${dayId}`;
+        const existingDoc =
+          toCreate.get(dailyId) || (await getDailyDoc(savedObjectsClient, dailyId, appId, dayId));
+        toCreate.set(dailyId, {
+          ...existingDoc,
+          attributes: {
+            ...existingDoc.attributes,
+            minutesOnScreen: existingDoc.attributes.minutesOnScreen + minutesOnScreen,
+            numberOfClicks: existingDoc.attributes.numberOfClicks + numberOfClicks,
+          },
+        });
+      }
+      if (toCreate.size > 0) {
+        await savedObjectsClient.bulkCreate(
+          [...toCreate.entries()].map(([id, { attributes, version }]) => ({
+            type: SAVED_OBJECTS_DAILY_TYPE,
+            id,
+            attributes,
+            version, // Providing version to ensure via conflict matching that only 1 Kibana instance (or interval) is taking care of the updates
+          })),
+          { overwrite: true }
+        );
+        await Promise.all(
+          rawApplicationUsageTransactional.map(
+            ({ id }) => savedObjectsClient.delete(SAVED_OBJECTS_TRANSACTIONAL_TYPE, id) // There is no bulkDelete :(
+          )
+        );
+      }
+    } while (toCreate.size > 0);
+  } catch (err) {
+    logger.warn(`Failed to rollup transactional to daily entries`);
+    logger.warn(err);
+  }
+}
+
+/**
+ * Gets daily doc from the SavedObjects repository. Creates a new one if not found
+ * @param savedObjectsClient
+ * @param id The ID of the document to retrieve (typically, `${appId}:${dayId}`)
+ * @param appId The application ID
+ * @param dayId The date of the document in the format YYYY-MM-DD
+ */
+async function getDailyDoc(
+  savedObjectsClient: ISavedObjectsRepository,
+  id: string,
+  appId: string,
+  dayId: string
+): Promise<ApplicationUsageDailyWithVersion> {
+  try {
+    return await savedObjectsClient.get<ApplicationUsageDaily>(SAVED_OBJECTS_DAILY_TYPE, id);
+  } catch (err) {
+    if (SavedObjectsErrorHelpers.isNotFoundError(err)) {
+      return {
+        attributes: {
+          appId,
+          // Concatenating the day in YYYY-MM-DD form to T00:00:00Z to reduce the TZ effects
+          timestamp: moment(`${moment(dayId).format('YYYY-MM-DD')}T00:00:00Z`).toISOString(),
+          minutesOnScreen: 0,
+          numberOfClicks: 0,
+        },
+      };
+    }
+    throw err;
+  }
+}
+
+/**
+ * Moves all the daily documents into aggregated "total" documents as we don't care about any granularity after 90 days
+ * @param logger
+ * @param savedObjectsClient
+ */
+export async function rollTotals(logger: Logger, savedObjectsClient?: ISavedObjectsRepository) {
+  if (!savedObjectsClient) {
+    return;
+  }
+
+  try {
+    const [
+      { saved_objects: rawApplicationUsageTotals },
+      { saved_objects: rawApplicationUsageDaily },
+    ] = await Promise.all([
+      savedObjectsClient.find<ApplicationUsageTotal>({
+        perPage: 10000,
+        type: SAVED_OBJECTS_TOTAL_TYPE,
+      }),
+      savedObjectsClient.find<ApplicationUsageDaily>({
+        perPage: 10000,
+        type: SAVED_OBJECTS_DAILY_TYPE,
+        filter: `${SAVED_OBJECTS_DAILY_TYPE}.attributes.timestamp < now-90d`,
+      }),
+    ]);
+
+    const existingTotals = rawApplicationUsageTotals.reduce(
+      (acc, { attributes: { appId, numberOfClicks, minutesOnScreen } }) => {
+        return {
+          ...acc,
+          // No need to sum because there should be 1 document per appId only
+          [appId]: { appId, numberOfClicks, minutesOnScreen },
+        };
+      },
+      {} as Record<string, { appId: string; minutesOnScreen: number; numberOfClicks: number }>
+    );
+
+    const totals = rawApplicationUsageDaily.reduce((acc, { attributes }) => {
+      const { appId, numberOfClicks, minutesOnScreen } = attributes;
+
+      const existing = acc[appId] || { minutesOnScreen: 0, numberOfClicks: 0 };
+
+      return {
+        ...acc,
+        [appId]: {
+          appId,
+          numberOfClicks: numberOfClicks + existing.numberOfClicks,
+          minutesOnScreen: minutesOnScreen + existing.minutesOnScreen,
+        },
+      };
+    }, existingTotals);
+
+    await Promise.all([
+      Object.entries(totals).length &&
+        savedObjectsClient.bulkCreate<ApplicationUsageTotal>(
+          Object.entries(totals).map(([id, entry]) => ({
+            type: SAVED_OBJECTS_TOTAL_TYPE,
+            id,
+            attributes: entry,
+          })),
+          { overwrite: true }
+        ),
+      ...rawApplicationUsageDaily.map(
+        ({ id }) => savedObjectsClient.delete(SAVED_OBJECTS_DAILY_TYPE, id) // There is no bulkDelete :(
+      ),
+    ]);
+  } catch (err) {
+    logger.warn(`Failed to rollup daily entries to totals`);
+    logger.warn(err);
+  }
+}
diff --git a/src/plugins/kibana_usage_collection/server/collectors/application_usage/saved_objects_types.ts b/src/plugins/kibana_usage_collection/server/collectors/application_usage/saved_objects_types.ts
index 551c6e230972e..861dc98c0c465 100644
--- a/src/plugins/kibana_usage_collection/server/collectors/application_usage/saved_objects_types.ts
+++ b/src/plugins/kibana_usage_collection/server/collectors/application_usage/saved_objects_types.ts
@@ -19,19 +19,34 @@
 
 import { SavedObjectAttributes, SavedObjectsServiceSetup } from 'kibana/server';
 
+/**
+ * Used for accumulating the totals of all the stats older than 90d
+ */
 export interface ApplicationUsageTotal extends SavedObjectAttributes {
   appId: string;
   minutesOnScreen: number;
   numberOfClicks: number;
 }
+export const SAVED_OBJECTS_TOTAL_TYPE = 'application_usage_totals';
 
+/**
+ * Used for storing each of the reports received from the users' browsers
+ */
 export interface ApplicationUsageTransactional extends ApplicationUsageTotal {
   timestamp: string;
 }
+export const SAVED_OBJECTS_TRANSACTIONAL_TYPE = 'application_usage_transactional';
+
+/**
+ * Used to aggregate the transactional events into daily summaries so we can purge the granular events
+ */
+export type ApplicationUsageDaily = ApplicationUsageTransactional;
+export const SAVED_OBJECTS_DAILY_TYPE = 'application_usage_daily';
 
 export function registerMappings(registerType: SavedObjectsServiceSetup['registerType']) {
+  // Type for storing ApplicationUsageTotal
   registerType({
-    name: 'application_usage_totals',
+    name: SAVED_OBJECTS_TOTAL_TYPE,
     hidden: false,
     namespaceType: 'agnostic',
     mappings: {
@@ -42,15 +57,28 @@ export function registerMappings(registerType: SavedObjectsServiceSetup['registe
     },
   });
 
+  // Type for storing ApplicationUsageDaily
   registerType({
-    name: 'application_usage_transactional',
+    name: SAVED_OBJECTS_DAILY_TYPE,
     hidden: false,
     namespaceType: 'agnostic',
     mappings: {
       dynamic: false,
       properties: {
+        // This type requires `timestamp` to be indexed so we can use it when rolling up totals (timestamp < now-90d)
         timestamp: { type: 'date' },
       },
     },
   });
+
+  // Type for storing ApplicationUsageTransactional (declaring empty mappings because we don't use the internal fields for query/aggregations)
+  registerType({
+    name: SAVED_OBJECTS_TRANSACTIONAL_TYPE,
+    hidden: false,
+    namespaceType: 'agnostic',
+    mappings: {
+      dynamic: false,
+      properties: {},
+    },
+  });
 }
diff --git a/src/plugins/kibana_usage_collection/server/collectors/application_usage/telemetry_application_usage_collector.test.ts b/src/plugins/kibana_usage_collection/server/collectors/application_usage/telemetry_application_usage_collector.test.ts
new file mode 100644
index 0000000000000..709736a37d802
--- /dev/null
+++ b/src/plugins/kibana_usage_collection/server/collectors/application_usage/telemetry_application_usage_collector.test.ts
@@ -0,0 +1,213 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { savedObjectsRepositoryMock, loggingSystemMock } from '../../../../../core/server/mocks';
+import {
+  CollectorOptions,
+  createUsageCollectionSetupMock,
+} from '../../../../usage_collection/server/usage_collection.mock';
+
+import {
+  ROLL_INDICES_START,
+  ROLL_TOTAL_INDICES_INTERVAL,
+  registerApplicationUsageCollector,
+} from './telemetry_application_usage_collector';
+import {
+  SAVED_OBJECTS_DAILY_TYPE,
+  SAVED_OBJECTS_TOTAL_TYPE,
+  SAVED_OBJECTS_TRANSACTIONAL_TYPE,
+} from './saved_objects_types';
+
+describe('telemetry_application_usage', () => {
+  jest.useFakeTimers();
+
+  const logger = loggingSystemMock.createLogger();
+
+  let collector: CollectorOptions;
+
+  const usageCollectionMock = createUsageCollectionSetupMock();
+  usageCollectionMock.makeUsageCollector.mockImplementation((config) => {
+    collector = config;
+    return createUsageCollectionSetupMock().makeUsageCollector(config);
+  });
+
+  const getUsageCollector = jest.fn();
+  const registerType = jest.fn();
+  const callCluster = jest.fn();
+
+  beforeAll(() =>
+    registerApplicationUsageCollector(logger, usageCollectionMock, registerType, getUsageCollector)
+  );
+  afterAll(() => jest.clearAllTimers());
+
+  test('registered collector is set', () => {
+    expect(collector).not.toBeUndefined();
+  });
+
+  test('if no savedObjectClient initialised, return undefined', async () => {
+    expect(collector.isReady()).toBe(false);
+    expect(await collector.fetch(callCluster)).toBeUndefined();
+    jest.runTimersToTime(ROLL_INDICES_START);
+  });
+
+  test('when savedObjectClient is initialised, return something', async () => {
+    const savedObjectClient = savedObjectsRepositoryMock.create();
+    savedObjectClient.find.mockImplementation(
+      async () =>
+        ({
+          saved_objects: [],
+          total: 0,
+        } as any)
+    );
+    getUsageCollector.mockImplementation(() => savedObjectClient);
+
+    jest.runTimersToTime(ROLL_TOTAL_INDICES_INTERVAL); // Force rollTotals to run
+
+    expect(collector.isReady()).toBe(true);
+    expect(await collector.fetch(callCluster)).toStrictEqual({});
+    expect(savedObjectClient.bulkCreate).not.toHaveBeenCalled();
+  });
+
+  test('it only gets 10k even when there are more documents (ES limitation)', async () => {
+    const savedObjectClient = savedObjectsRepositoryMock.create();
+    const total = 10000;
+    savedObjectClient.find.mockImplementation(async (opts) => {
+      switch (opts.type) {
+        case SAVED_OBJECTS_TOTAL_TYPE:
+          return {
+            saved_objects: [
+              {
+                id: 'appId',
+                attributes: {
+                  appId: 'appId',
+                  minutesOnScreen: 10,
+                  numberOfClicks: 10,
+                },
+              },
+            ],
+            total: 1,
+          } as any;
+        case SAVED_OBJECTS_TRANSACTIONAL_TYPE:
+          const doc = {
+            id: 'test-id',
+            attributes: {
+              appId: 'appId',
+              timestamp: new Date().toISOString(),
+              minutesOnScreen: 0.5,
+              numberOfClicks: 1,
+            },
+          };
+          const savedObjects = new Array(total).fill(doc);
+          return { saved_objects: savedObjects, total: total + 1 };
+        case SAVED_OBJECTS_DAILY_TYPE:
+          return {
+            saved_objects: [
+              {
+                id: 'appId:YYYY-MM-DD',
+                attributes: {
+                  appId: 'appId',
+                  timestamp: new Date().toISOString(),
+                  minutesOnScreen: 0.5,
+                  numberOfClicks: 1,
+                },
+              },
+            ],
+            total: 1,
+          };
+      }
+    });
+
+    getUsageCollector.mockImplementation(() => savedObjectClient);
+
+    jest.runTimersToTime(ROLL_TOTAL_INDICES_INTERVAL); // Force rollTotals to run
+
+    expect(await collector.fetch(callCluster)).toStrictEqual({
+      appId: {
+        clicks_total: total + 1 + 10,
+        clicks_7_days: total + 1,
+        clicks_30_days: total + 1,
+        clicks_90_days: total + 1,
+        minutes_on_screen_total: (total + 1) * 0.5 + 10,
+        minutes_on_screen_7_days: (total + 1) * 0.5,
+        minutes_on_screen_30_days: (total + 1) * 0.5,
+        minutes_on_screen_90_days: (total + 1) * 0.5,
+      },
+    });
+    expect(savedObjectClient.bulkCreate).toHaveBeenCalledWith(
+      [
+        {
+          id: 'appId',
+          type: SAVED_OBJECTS_TOTAL_TYPE,
+          attributes: {
+            appId: 'appId',
+            minutesOnScreen: 10.5,
+            numberOfClicks: 11,
+          },
+        },
+      ],
+      { overwrite: true }
+    );
+    expect(savedObjectClient.delete).toHaveBeenCalledTimes(1);
+    expect(savedObjectClient.delete).toHaveBeenCalledWith(
+      SAVED_OBJECTS_DAILY_TYPE,
+      'appId:YYYY-MM-DD'
+    );
+  });
+
+  test('old transactional data not migrated yet', async () => {
+    const savedObjectClient = savedObjectsRepositoryMock.create();
+    savedObjectClient.find.mockImplementation(async (opts) => {
+      switch (opts.type) {
+        case SAVED_OBJECTS_TOTAL_TYPE:
+        case SAVED_OBJECTS_DAILY_TYPE:
+          return { saved_objects: [], total: 0 } as any;
+        case SAVED_OBJECTS_TRANSACTIONAL_TYPE:
+          return {
+            saved_objects: [
+              {
+                id: 'test-id',
+                attributes: {
+                  appId: 'appId',
+                  timestamp: new Date(0).toISOString(),
+                  minutesOnScreen: 0.5,
+                  numberOfClicks: 1,
+                },
+              },
+            ],
+            total: 1,
+          };
+      }
+    });
+
+    getUsageCollector.mockImplementation(() => savedObjectClient);
+
+    expect(await collector.fetch(callCluster)).toStrictEqual({
+      appId: {
+        clicks_total: 1,
+        clicks_7_days: 0,
+        clicks_30_days: 0,
+        clicks_90_days: 0,
+        minutes_on_screen_total: 0.5,
+        minutes_on_screen_7_days: 0,
+        minutes_on_screen_30_days: 0,
+        minutes_on_screen_90_days: 0,
+      },
+    });
+  });
+});
diff --git a/src/plugins/kibana_usage_collection/server/collectors/application_usage/telemetry_application_usage_collector.ts b/src/plugins/kibana_usage_collection/server/collectors/application_usage/telemetry_application_usage_collector.ts
index 69137681e0597..36c89d0a0b4a8 100644
--- a/src/plugins/kibana_usage_collection/server/collectors/application_usage/telemetry_application_usage_collector.ts
+++ b/src/plugins/kibana_usage_collection/server/collectors/application_usage/telemetry_application_usage_collector.ts
@@ -18,29 +18,42 @@
  */
 
 import moment from 'moment';
-import { ISavedObjectsRepository, SavedObjectsServiceSetup } from 'kibana/server';
+import { timer } from 'rxjs';
+import { ISavedObjectsRepository, Logger, SavedObjectsServiceSetup } from 'kibana/server';
 import { UsageCollectionSetup } from 'src/plugins/usage_collection/server';
-import { findAll } from '../find_all';
 import {
+  ApplicationUsageDaily,
   ApplicationUsageTotal,
   ApplicationUsageTransactional,
   registerMappings,
+  SAVED_OBJECTS_DAILY_TYPE,
+  SAVED_OBJECTS_TOTAL_TYPE,
+  SAVED_OBJECTS_TRANSACTIONAL_TYPE,
 } from './saved_objects_types';
 import { applicationUsageSchema } from './schema';
+import { rollDailyData, rollTotals } from './rollups';
 
 /**
- * Roll indices every 24h
+ * Roll total indices every 24h
  */
-export const ROLL_INDICES_INTERVAL = 24 * 60 * 60 * 1000;
+export const ROLL_TOTAL_INDICES_INTERVAL = 24 * 60 * 60 * 1000;
+
+/**
+ * Roll daily indices every 30 minutes.
+ * This means that, assuming a user can visit all the 44 apps we can possibly report
+ * in the 3 minutes interval the browser reports to the server, up to 22 users can have the same
+ * behaviour and we wouldn't need to paginate in the transactional documents (less than 10k docs).
+ *
+ * Based on a more normal expected use case, the users could visit up to 5 apps in those 3 minutes,
+ * allowing up to 200 users before reaching the limit.
+ */
+export const ROLL_DAILY_INDICES_INTERVAL = 30 * 60 * 1000;
 
 /**
  * Start rolling indices after 5 minutes up
  */
 export const ROLL_INDICES_START = 5 * 60 * 1000;
 
-export const SAVED_OBJECTS_TOTAL_TYPE = 'application_usage_totals';
-export const SAVED_OBJECTS_TRANSACTIONAL_TYPE = 'application_usage_transactional';
-
 export interface ApplicationUsageTelemetryReport {
   [appId: string]: {
     clicks_total: number;
@@ -55,6 +68,7 @@ export interface ApplicationUsageTelemetryReport {
 }
 
 export function registerApplicationUsageCollector(
+  logger: Logger,
   usageCollection: UsageCollectionSetup,
   registerType: SavedObjectsServiceSetup['registerType'],
   getSavedObjectsClient: () => ISavedObjectsRepository | undefined
@@ -71,10 +85,22 @@ export function registerApplicationUsageCollector(
         if (typeof savedObjectsClient === 'undefined') {
           return;
         }
-        const [rawApplicationUsageTotals, rawApplicationUsageTransactional] = await Promise.all([
-          findAll<ApplicationUsageTotal>(savedObjectsClient, { type: SAVED_OBJECTS_TOTAL_TYPE }),
-          findAll<ApplicationUsageTransactional>(savedObjectsClient, {
+        const [
+          { saved_objects: rawApplicationUsageTotals },
+          { saved_objects: rawApplicationUsageDaily },
+          { saved_objects: rawApplicationUsageTransactional },
+        ] = await Promise.all([
+          savedObjectsClient.find<ApplicationUsageTotal>({
+            type: SAVED_OBJECTS_TOTAL_TYPE,
+            perPage: 10000, // We only have 44 apps for now. This limit is OK.
+          }),
+          savedObjectsClient.find<ApplicationUsageDaily>({
+            type: SAVED_OBJECTS_DAILY_TYPE,
+            perPage: 10000, // We can have up to 44 apps * 91 days = 4004 docs. This limit is OK
+          }),
+          savedObjectsClient.find<ApplicationUsageTransactional>({
             type: SAVED_OBJECTS_TRANSACTIONAL_TYPE,
+            perPage: 10000, // If we have more than those, we won't report the rest (they'll be rolled up to the daily soon enough to become a problem)
           }),
         ]);
 
@@ -101,51 +127,51 @@ export function registerApplicationUsageCollector(
         const nowMinus30 = moment().subtract(30, 'days');
         const nowMinus90 = moment().subtract(90, 'days');
 
-        const applicationUsage = rawApplicationUsageTransactional.reduce(
-          (acc, { attributes: { appId, minutesOnScreen, numberOfClicks, timestamp } }) => {
-            const existing = acc[appId] || {
-              clicks_total: 0,
-              clicks_7_days: 0,
-              clicks_30_days: 0,
-              clicks_90_days: 0,
-              minutes_on_screen_total: 0,
-              minutes_on_screen_7_days: 0,
-              minutes_on_screen_30_days: 0,
-              minutes_on_screen_90_days: 0,
-            };
-
-            const timeOfEntry = moment(timestamp as string);
-            const isInLast7Days = timeOfEntry.isSameOrAfter(nowMinus7);
-            const isInLast30Days = timeOfEntry.isSameOrAfter(nowMinus30);
-            const isInLast90Days = timeOfEntry.isSameOrAfter(nowMinus90);
-
-            const last7Days = {
-              clicks_7_days: existing.clicks_7_days + numberOfClicks,
-              minutes_on_screen_7_days: existing.minutes_on_screen_7_days + minutesOnScreen,
-            };
-            const last30Days = {
-              clicks_30_days: existing.clicks_30_days + numberOfClicks,
-              minutes_on_screen_30_days: existing.minutes_on_screen_30_days + minutesOnScreen,
-            };
-            const last90Days = {
-              clicks_90_days: existing.clicks_90_days + numberOfClicks,
-              minutes_on_screen_90_days: existing.minutes_on_screen_90_days + minutesOnScreen,
-            };
-
-            return {
-              ...acc,
-              [appId]: {
-                ...existing,
-                clicks_total: existing.clicks_total + numberOfClicks,
-                minutes_on_screen_total: existing.minutes_on_screen_total + minutesOnScreen,
-                ...(isInLast7Days ? last7Days : {}),
-                ...(isInLast30Days ? last30Days : {}),
-                ...(isInLast90Days ? last90Days : {}),
-              },
-            };
-          },
-          applicationUsageFromTotals
-        );
+        const applicationUsage = [
+          ...rawApplicationUsageDaily,
+          ...rawApplicationUsageTransactional,
+        ].reduce((acc, { attributes: { appId, minutesOnScreen, numberOfClicks, timestamp } }) => {
+          const existing = acc[appId] || {
+            clicks_total: 0,
+            clicks_7_days: 0,
+            clicks_30_days: 0,
+            clicks_90_days: 0,
+            minutes_on_screen_total: 0,
+            minutes_on_screen_7_days: 0,
+            minutes_on_screen_30_days: 0,
+            minutes_on_screen_90_days: 0,
+          };
+
+          const timeOfEntry = moment(timestamp);
+          const isInLast7Days = timeOfEntry.isSameOrAfter(nowMinus7);
+          const isInLast30Days = timeOfEntry.isSameOrAfter(nowMinus30);
+          const isInLast90Days = timeOfEntry.isSameOrAfter(nowMinus90);
+
+          const last7Days = {
+            clicks_7_days: existing.clicks_7_days + numberOfClicks,
+            minutes_on_screen_7_days: existing.minutes_on_screen_7_days + minutesOnScreen,
+          };
+          const last30Days = {
+            clicks_30_days: existing.clicks_30_days + numberOfClicks,
+            minutes_on_screen_30_days: existing.minutes_on_screen_30_days + minutesOnScreen,
+          };
+          const last90Days = {
+            clicks_90_days: existing.clicks_90_days + numberOfClicks,
+            minutes_on_screen_90_days: existing.minutes_on_screen_90_days + minutesOnScreen,
+          };
+
+          return {
+            ...acc,
+            [appId]: {
+              ...existing,
+              clicks_total: existing.clicks_total + numberOfClicks,
+              minutes_on_screen_total: existing.minutes_on_screen_total + minutesOnScreen,
+              ...(isInLast7Days ? last7Days : {}),
+              ...(isInLast30Days ? last30Days : {}),
+              ...(isInLast90Days ? last90Days : {}),
+            },
+          };
+        }, applicationUsageFromTotals);
 
         return applicationUsage;
       },
@@ -154,65 +180,10 @@ export function registerApplicationUsageCollector(
 
   usageCollection.registerCollector(collector);
 
-  setInterval(() => rollTotals(getSavedObjectsClient()), ROLL_INDICES_INTERVAL);
-  setTimeout(() => rollTotals(getSavedObjectsClient()), ROLL_INDICES_START);
-}
-
-async function rollTotals(savedObjectsClient?: ISavedObjectsRepository) {
-  if (!savedObjectsClient) {
-    return;
-  }
-
-  try {
-    const [rawApplicationUsageTotals, rawApplicationUsageTransactional] = await Promise.all([
-      findAll<ApplicationUsageTotal>(savedObjectsClient, { type: SAVED_OBJECTS_TOTAL_TYPE }),
-      findAll<ApplicationUsageTransactional>(savedObjectsClient, {
-        type: SAVED_OBJECTS_TRANSACTIONAL_TYPE,
-        filter: `${SAVED_OBJECTS_TRANSACTIONAL_TYPE}.attributes.timestamp < now-90d`,
-      }),
-    ]);
-
-    const existingTotals = rawApplicationUsageTotals.reduce(
-      (acc, { attributes: { appId, numberOfClicks, minutesOnScreen } }) => {
-        return {
-          ...acc,
-          // No need to sum because there should be 1 document per appId only
-          [appId]: { appId, numberOfClicks, minutesOnScreen },
-        };
-      },
-      {} as Record<string, { appId: string; minutesOnScreen: number; numberOfClicks: number }>
-    );
-
-    const totals = rawApplicationUsageTransactional.reduce((acc, { attributes, id }) => {
-      const { appId, numberOfClicks, minutesOnScreen } = attributes;
-
-      const existing = acc[appId] || { minutesOnScreen: 0, numberOfClicks: 0 };
-
-      return {
-        ...acc,
-        [appId]: {
-          appId,
-          numberOfClicks: numberOfClicks + existing.numberOfClicks,
-          minutesOnScreen: minutesOnScreen + existing.minutesOnScreen,
-        },
-      };
-    }, existingTotals);
-
-    await Promise.all([
-      Object.entries(totals).length &&
-        savedObjectsClient.bulkCreate<ApplicationUsageTotal>(
-          Object.entries(totals).map(([id, entry]) => ({
-            type: SAVED_OBJECTS_TOTAL_TYPE,
-            id,
-            attributes: entry,
-          })),
-          { overwrite: true }
-        ),
-      ...rawApplicationUsageTransactional.map(
-        ({ id }) => savedObjectsClient.delete(SAVED_OBJECTS_TRANSACTIONAL_TYPE, id) // There is no bulkDelete :(
-      ),
-    ]);
-  } catch (err) {
-    // Silent failure
-  }
+  timer(ROLL_INDICES_START, ROLL_DAILY_INDICES_INTERVAL).subscribe(() =>
+    rollDailyData(logger, getSavedObjectsClient())
+  );
+  timer(ROLL_INDICES_START, ROLL_TOTAL_INDICES_INTERVAL).subscribe(() =>
+    rollTotals(logger, getSavedObjectsClient())
+  );
 }
diff --git a/src/plugins/kibana_usage_collection/server/collectors/find_all.test.ts b/src/plugins/kibana_usage_collection/server/collectors/find_all.test.ts
deleted file mode 100644
index d917cd2454e81..0000000000000
--- a/src/plugins/kibana_usage_collection/server/collectors/find_all.test.ts
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Licensed to Elasticsearch B.V. under one or more contributor
- * license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright
- * ownership. Elasticsearch B.V. licenses this file to you under
- * the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-import { savedObjectsRepositoryMock } from '../../../../core/server/mocks';
-
-import { findAll } from './find_all';
-
-describe('telemetry_application_usage', () => {
-  test('when savedObjectClient is initialised, return something', async () => {
-    const savedObjectClient = savedObjectsRepositoryMock.create();
-    savedObjectClient.find.mockImplementation(
-      async () =>
-        ({
-          saved_objects: [],
-          total: 0,
-        } as any)
-    );
-
-    expect(await findAll(savedObjectClient, { type: 'test-type' })).toStrictEqual([]);
-  });
-
-  test('paging in findAll works', async () => {
-    const savedObjectClient = savedObjectsRepositoryMock.create();
-    let total = 201;
-    const doc = { id: 'test-id', attributes: { test: 1 } };
-    savedObjectClient.find.mockImplementation(async (opts) => {
-      if ((opts.page || 1) > 2) {
-        return { saved_objects: [], total } as any;
-      }
-      const savedObjects = new Array(opts.perPage).fill(doc);
-      total = savedObjects.length * 2 + 1;
-      return { saved_objects: savedObjects, total };
-    });
-
-    expect(await findAll(savedObjectClient, { type: 'test-type' })).toStrictEqual(
-      new Array(total - 1).fill(doc)
-    );
-  });
-});
diff --git a/src/plugins/kibana_usage_collection/server/collectors/find_all.ts b/src/plugins/kibana_usage_collection/server/collectors/find_all.ts
deleted file mode 100644
index 5bb4f20b5c5b1..0000000000000
--- a/src/plugins/kibana_usage_collection/server/collectors/find_all.ts
+++ /dev/null
@@ -1,41 +0,0 @@
-/*
- * Licensed to Elasticsearch B.V. under one or more contributor
- * license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright
- * ownership. Elasticsearch B.V. licenses this file to you under
- * the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-import {
-  SavedObjectAttributes,
-  ISavedObjectsRepository,
-  SavedObjectsFindOptions,
-  SavedObject,
-} from 'kibana/server';
-
-export async function findAll<T extends SavedObjectAttributes>(
-  savedObjectsClient: ISavedObjectsRepository,
-  opts: SavedObjectsFindOptions
-): Promise<Array<SavedObject<T>>> {
-  const { page = 1, perPage = 10000, ...options } = opts;
-  const { saved_objects: savedObjects, total } = await savedObjectsClient.find<T>({
-    ...options,
-    page,
-    perPage,
-  });
-  if (page * perPage >= total) {
-    return savedObjects;
-  }
-  return [...savedObjects, ...(await findAll<T>(savedObjectsClient, { ...opts, page: page + 1 }))];
-}
diff --git a/src/plugins/kibana_usage_collection/server/collectors/ui_metric/telemetry_ui_metric_collector.ts b/src/plugins/kibana_usage_collection/server/collectors/ui_metric/telemetry_ui_metric_collector.ts
index 46768813b1970..9c02a9cbf3204 100644
--- a/src/plugins/kibana_usage_collection/server/collectors/ui_metric/telemetry_ui_metric_collector.ts
+++ b/src/plugins/kibana_usage_collection/server/collectors/ui_metric/telemetry_ui_metric_collector.ts
@@ -23,7 +23,6 @@ import {
   SavedObjectsServiceSetup,
 } from 'kibana/server';
 import { UsageCollectionSetup } from 'src/plugins/usage_collection/server';
-import { findAll } from '../find_all';
 
 interface UIMetricsSavedObjects extends SavedObjectAttributes {
   count: number;
@@ -55,9 +54,10 @@ export function registerUiMetricUsageCollector(
         return;
       }
 
-      const rawUiMetrics = await findAll<UIMetricsSavedObjects>(savedObjectsClient, {
+      const { saved_objects: rawUiMetrics } = await savedObjectsClient.find<UIMetricsSavedObjects>({
         type: 'ui-metric',
         fields: ['count'],
+        perPage: 10000,
       });
 
       const uiMetricsByAppName = rawUiMetrics.reduce((accum, rawUiMetric) => {
diff --git a/src/plugins/kibana_usage_collection/server/plugin.ts b/src/plugins/kibana_usage_collection/server/plugin.ts
index d4295c770803e..260acd19ab516 100644
--- a/src/plugins/kibana_usage_collection/server/plugin.ts
+++ b/src/plugins/kibana_usage_collection/server/plugin.ts
@@ -30,6 +30,7 @@ import {
   CoreStart,
   SavedObjectsServiceSetup,
   OpsMetrics,
+  Logger,
 } from '../../../core/server';
 import {
   registerApplicationUsageCollector,
@@ -47,12 +48,14 @@ interface KibanaUsageCollectionPluginsDepsSetup {
 type SavedObjectsRegisterType = SavedObjectsServiceSetup['registerType'];
 
 export class KibanaUsageCollectionPlugin implements Plugin {
+  private readonly logger: Logger;
   private readonly legacyConfig$: Observable<SharedGlobalConfig>;
   private savedObjectsClient?: ISavedObjectsRepository;
   private uiSettingsClient?: IUiSettingsClient;
   private metric$: Subject<OpsMetrics>;
 
   constructor(initializerContext: PluginInitializerContext) {
+    this.logger = initializerContext.logger.get();
     this.legacyConfig$ = initializerContext.config.legacy.globalConfig$;
     this.metric$ = new Subject<OpsMetrics>();
   }
@@ -88,7 +91,12 @@ export class KibanaUsageCollectionPlugin implements Plugin {
     registerKibanaUsageCollector(usageCollection, this.legacyConfig$);
     registerManagementUsageCollector(usageCollection, getUiSettingsClient);
     registerUiMetricUsageCollector(usageCollection, registerType, getSavedObjectsClient);
-    registerApplicationUsageCollector(usageCollection, registerType, getSavedObjectsClient);
+    registerApplicationUsageCollector(
+      this.logger.get('application-usage'),
+      usageCollection,
+      registerType,
+      getSavedObjectsClient
+    );
     registerCspCollector(usageCollection, coreSetup.http);
   }
 }
diff --git a/test/api_integration/apis/telemetry/telemetry_local.js b/test/api_integration/apis/telemetry/telemetry_local.js
index d2d61705b763d..9a5467e622ff3 100644
--- a/test/api_integration/apis/telemetry/telemetry_local.js
+++ b/test/api_integration/apis/telemetry/telemetry_local.js
@@ -154,5 +154,113 @@ export default function ({ getService }) {
 
       expect(expected.every((m) => actual.includes(m))).to.be.ok();
     });
+
+    describe('application usage limits', () => {
+      const timeRange = {
+        min: '2018-07-23T22:07:00Z',
+        max: '2018-07-23T22:13:00Z',
+      };
+
+      function createSavedObject() {
+        return supertest
+          .post('/api/saved_objects/application_usage_transactional')
+          .send({
+            attributes: {
+              appId: 'test-app',
+              minutesOnScreen: 10.99,
+              numberOfClicks: 10,
+              timestamp: new Date().toISOString(),
+            },
+          })
+          .expect(200)
+          .then((resp) => resp.body.id);
+      }
+
+      describe('basic behaviour', () => {
+        let savedObjectId;
+        before('create 1 entry', async () => {
+          return createSavedObject().then((id) => (savedObjectId = id));
+        });
+        after('cleanup', () => {
+          return supertest
+            .delete(`/api/saved_objects/application_usage_transactional/${savedObjectId}`)
+            .expect(200);
+        });
+
+        it('should return application_usage data', async () => {
+          const { body } = await supertest
+            .post('/api/telemetry/v2/clusters/_stats')
+            .set('kbn-xsrf', 'xxx')
+            .send({ timeRange, unencrypted: true })
+            .expect(200);
+
+          expect(body.length).to.be(1);
+          const stats = body[0];
+          expect(stats.stack_stats.kibana.plugins.application_usage).to.eql({
+            'test-app': {
+              clicks_total: 10,
+              clicks_7_days: 10,
+              clicks_30_days: 10,
+              clicks_90_days: 10,
+              minutes_on_screen_total: 10.99,
+              minutes_on_screen_7_days: 10.99,
+              minutes_on_screen_30_days: 10.99,
+              minutes_on_screen_90_days: 10.99,
+            },
+          });
+        });
+      });
+
+      describe('10k + 1', () => {
+        const savedObjectIds = [];
+        before('create 10k + 1 entries for application usage', async () => {
+          await supertest
+            .post('/api/saved_objects/_bulk_create')
+            .send(
+              new Array(10001).fill(0).map(() => ({
+                type: 'application_usage_transactional',
+                attributes: {
+                  appId: 'test-app',
+                  minutesOnScreen: 1,
+                  numberOfClicks: 1,
+                  timestamp: new Date().toISOString(),
+                },
+              }))
+            )
+            .expect(200)
+            .then((resp) => resp.body.saved_objects.forEach(({ id }) => savedObjectIds.push(id)));
+        });
+        after('clean them all', async () => {
+          // The SavedObjects API does not allow bulk deleting, and deleting one by one takes ages and the tests timeout
+          await es.deleteByQuery({
+            index: '.kibana',
+            body: { query: { term: { type: 'application_usage_transactional' } } },
+          });
+        });
+
+        it("should only use the first 10k docs for the application_usage data (they'll be rolled up in a later process)", async () => {
+          const { body } = await supertest
+            .post('/api/telemetry/v2/clusters/_stats')
+            .set('kbn-xsrf', 'xxx')
+            .send({ timeRange, unencrypted: true })
+            .expect(200);
+
+          expect(body.length).to.be(1);
+          const stats = body[0];
+          expect(stats.stack_stats.kibana.plugins.application_usage).to.eql({
+            'test-app': {
+              clicks_total: 10000,
+              clicks_7_days: 10000,
+              clicks_30_days: 10000,
+              clicks_90_days: 10000,
+              minutes_on_screen_total: 10000,
+              minutes_on_screen_7_days: 10000,
+              minutes_on_screen_30_days: 10000,
+              minutes_on_screen_90_days: 10000,
+            },
+          });
+        });
+      });
+    });
   });
 }

From 3688df286a146d6fc82ffac70417b09db05030e9 Mon Sep 17 00:00:00 2001
From: Shahzad <shahzad.muhammad@elastic.co>
Date: Wed, 16 Sep 2020 21:20:45 +0200
Subject: [PATCH 4/5] [RUM Dashboard] Handle invalid service name param
 (#77163)

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
---
 .../apm/e2e/cypress/integration/helpers.ts    |  9 ++++++--
 .../step_definitions/csm/csm_dashboard.ts     | 12 ++++++----
 x-pack/plugins/apm/e2e/yarn.lock              |  8 +++----
 .../app/RumDashboard/ClientMetrics/index.tsx  |  3 ++-
 .../ServiceNameFilter/index.tsx               | 22 ++++++++++++++-----
 5 files changed, 38 insertions(+), 16 deletions(-)

diff --git a/x-pack/plugins/apm/e2e/cypress/integration/helpers.ts b/x-pack/plugins/apm/e2e/cypress/integration/helpers.ts
index 1956f1c2d9f0d..462304a959102 100644
--- a/x-pack/plugins/apm/e2e/cypress/integration/helpers.ts
+++ b/x-pack/plugins/apm/e2e/cypress/integration/helpers.ts
@@ -11,14 +11,19 @@ export const DEFAULT_TIMEOUT = 60 * 1000;
 
 export function loginAndWaitForPage(
   url: string,
-  dateRange: { to: string; from: string }
+  dateRange: { to: string; from: string },
+  selectedService?: string
 ) {
   const username = Cypress.env('elasticsearch_username');
   const password = Cypress.env('elasticsearch_password');
 
   cy.log(`Authenticating via ${username} / ${password}`);
 
-  const fullUrl = `${BASE_URL}${url}?rangeFrom=${dateRange.from}&rangeTo=${dateRange.to}`;
+  let fullUrl = `${BASE_URL}${url}?rangeFrom=${dateRange.from}&rangeTo=${dateRange.to}`;
+
+  if (selectedService) {
+    fullUrl += `&serviceName=${selectedService}`;
+  }
   cy.visit(fullUrl, { auth: { username, password } });
 
   cy.viewport('macbook-15');
diff --git a/x-pack/plugins/apm/e2e/cypress/support/step_definitions/csm/csm_dashboard.ts b/x-pack/plugins/apm/e2e/cypress/support/step_definitions/csm/csm_dashboard.ts
index a57241a197ca4..461e2960c5e02 100644
--- a/x-pack/plugins/apm/e2e/cypress/support/step_definitions/csm/csm_dashboard.ts
+++ b/x-pack/plugins/apm/e2e/cypress/support/step_definitions/csm/csm_dashboard.ts
@@ -15,10 +15,14 @@ Given(`a user browses the APM UI application for RUM Data`, () => {
   // open service overview page
   const RANGE_FROM = 'now-24h';
   const RANGE_TO = 'now';
-  loginAndWaitForPage(`/app/csm`, {
-    from: RANGE_FROM,
-    to: RANGE_TO,
-  });
+  loginAndWaitForPage(
+    `/app/csm`,
+    {
+      from: RANGE_FROM,
+      to: RANGE_TO,
+    },
+    'client'
+  );
 });
 
 Then(`should have correct client metrics`, () => {
diff --git a/x-pack/plugins/apm/e2e/yarn.lock b/x-pack/plugins/apm/e2e/yarn.lock
index 936294052aa7b..fc63189e97ea3 100644
--- a/x-pack/plugins/apm/e2e/yarn.lock
+++ b/x-pack/plugins/apm/e2e/yarn.lock
@@ -5494,10 +5494,10 @@ typedarray@^0.0.6:
   resolved "https://registry.yarnpkg.com/typedarray/-/typedarray-0.0.6.tgz#867ac74e3864187b1d3d47d996a78ec5c8830777"
   integrity sha1-hnrHTjhkGHsdPUfZlqeOxciDB3c=
 
-typescript@3.9.6:
-  version "3.9.6"
-  resolved "https://registry.yarnpkg.com/typescript/-/typescript-3.9.6.tgz#8f3e0198a34c3ae17091b35571d3afd31999365a"
-  integrity sha512-Pspx3oKAPJtjNwE92YS05HQoY7z2SFyOpHo9MqJor3BXAGNaPUs83CuVp9VISFkSjyRfiTpmKuAYGJB7S7hOxw==
+typescript@4.0.2:
+  version "4.0.2"
+  resolved "https://registry.yarnpkg.com/typescript/-/typescript-4.0.2.tgz#7ea7c88777c723c681e33bf7988be5d008d05ac2"
+  integrity sha512-e4ERvRV2wb+rRZ/IQeb3jm2VxBsirQLpQhdxplZ2MEzGvDkkMmPglecnNDfSUBivMjP93vRbngYYDQqQ/78bcQ==
 
 umd@^3.0.0:
   version "3.0.3"
diff --git a/x-pack/plugins/apm/public/components/app/RumDashboard/ClientMetrics/index.tsx b/x-pack/plugins/apm/public/components/app/RumDashboard/ClientMetrics/index.tsx
index f54a54211359c..1edfd724dadd7 100644
--- a/x-pack/plugins/apm/public/components/app/RumDashboard/ClientMetrics/index.tsx
+++ b/x-pack/plugins/apm/public/components/app/RumDashboard/ClientMetrics/index.tsx
@@ -26,7 +26,8 @@ export function ClientMetrics() {
 
   const { data, status } = useFetcher(
     (callApmApi) => {
-      if (start && end) {
+      const { serviceName } = uiFilters;
+      if (start && end && serviceName) {
         return callApmApi({
           pathname: '/api/apm/rum/client-metrics',
           params: {
diff --git a/x-pack/plugins/apm/public/components/shared/LocalUIFilters/ServiceNameFilter/index.tsx b/x-pack/plugins/apm/public/components/shared/LocalUIFilters/ServiceNameFilter/index.tsx
index 3deba69a25df2..cbf9ba009dce2 100644
--- a/x-pack/plugins/apm/public/components/shared/LocalUIFilters/ServiceNameFilter/index.tsx
+++ b/x-pack/plugins/apm/public/components/shared/LocalUIFilters/ServiceNameFilter/index.tsx
@@ -24,7 +24,7 @@ interface Props {
 function ServiceNameFilter({ loading, serviceNames }: Props) {
   const history = useHistory();
   const {
-    urlParams: { serviceName },
+    urlParams: { serviceName: selectedServiceName },
   } = useUrlParams();
 
   const options = serviceNames.map((type) => ({
@@ -47,10 +47,22 @@ function ServiceNameFilter({ loading, serviceNames }: Props) {
   );
 
   useEffect(() => {
-    if (!serviceName && serviceNames.length > 0) {
-      updateServiceName(serviceNames[0]);
+    if (serviceNames?.length > 0) {
+      // select first from the list
+      if (!selectedServiceName) {
+        updateServiceName(serviceNames[0]);
+      }
+
+      // in case serviceName is cached from url and isn't present in current list
+      if (selectedServiceName && !serviceNames.includes(selectedServiceName)) {
+        updateServiceName(serviceNames[0]);
+      }
+    }
+
+    if (selectedServiceName && serviceNames.length === 0 && !loading) {
+      updateServiceName('');
     }
-  }, [serviceNames, serviceName, updateServiceName]);
+  }, [serviceNames, selectedServiceName, updateServiceName, loading]);
 
   return (
     <>
@@ -68,7 +80,7 @@ function ServiceNameFilter({ loading, serviceNames }: Props) {
         isLoading={loading}
         data-cy="serviceNameFilter"
         options={options}
-        value={serviceName}
+        value={selectedServiceName}
         compressed={true}
         onChange={(event) => {
           updateServiceName(event.target.value);

From 17fec25e3c281b4f66e5973efbaef0368b9152c5 Mon Sep 17 00:00:00 2001
From: Jonathan Buttner <56361221+jonathan-buttner@users.noreply.github.com>
Date: Wed, 16 Sep 2020 15:28:30 -0400
Subject: [PATCH 5/5] [Security Solution] Refactor resolver children _source
 (#77343)

* Moving generator to safe type version

* Finished generator and alert

* Gzipping again

* Finishing type conversions for backend

* Trying to cast front end tests back to unsafe type for now

* Working reducer tests

* Adding more comments and fixing alert type

* Restoring resolver test data

* Updating snapshot with timestamp info

* Getting the models figured out

* Event models type fixes

* Adding more comments

* Fixing more comments

* Adding comments
---
 .../common/endpoint/models/event.ts           | 176 ++++++++++++++++--
 .../routes/resolver/queries/children.ts       |  68 ++++++-
 .../routes/resolver/utils/children_helper.ts  |  10 +-
 .../resolver/utils/children_pagination.ts     |   4 +-
 .../utils/children_start_query_handler.ts     |   5 +-
 5 files changed, 229 insertions(+), 34 deletions(-)

diff --git a/x-pack/plugins/security_solution/common/endpoint/models/event.ts b/x-pack/plugins/security_solution/common/endpoint/models/event.ts
index 07208214a641a..9634659b1a5dd 100644
--- a/x-pack/plugins/security_solution/common/endpoint/models/event.ts
+++ b/x-pack/plugins/security_solution/common/endpoint/models/event.ts
@@ -3,20 +3,24 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-import {
-  LegacyEndpointEvent,
-  ResolverEvent,
-  SafeResolverEvent,
-  SafeLegacyEndpointEvent,
-} from '../types';
+import { LegacyEndpointEvent, ResolverEvent, SafeResolverEvent, ECSField } from '../types';
 import { firstNonNullValue, hasValue, values } from './ecs_safety_helpers';
 
+/**
+ * Legacy events will define the `endgame` object. This is used to narrow a ResolverEvent.
+ */
+interface LegacyEvent {
+  endgame?: object;
+}
+
 /*
- * Determine if a `ResolverEvent` is the legacy variety. Can be used to narrow `ResolverEvent` to `LegacyEndpointEvent`.
+ * Determine if a higher level event type is the legacy variety. Can be used to narrow an event type.
+ * T optionally defines an `endgame` object field used for determining the type of event. If T doesn't contain the
+ * `endgame` field it will serve as the narrowed type.
  */
-export function isLegacyEventSafeVersion(
-  event: SafeResolverEvent
-): event is SafeLegacyEndpointEvent {
+export function isLegacyEventSafeVersion<T extends LegacyEvent>(
+  event: LegacyEvent | {}
+): event is T {
   return 'endgame' in event && event.endgame !== undefined;
 }
 
@@ -27,7 +31,30 @@ export function isLegacyEvent(event: ResolverEvent): event is LegacyEndpointEven
   return (event as LegacyEndpointEvent).endgame !== undefined;
 }
 
-export function isProcessRunning(event: SafeResolverEvent): boolean {
+/**
+ * Minimum fields needed from the `SafeResolverEvent` type for the function below to operate correctly.
+ */
+type ProcessRunningFields = Partial<
+  | {
+      endgame: object;
+      event: Partial<{
+        type: ECSField<string>;
+        action: ECSField<string>;
+      }>;
+    }
+  | {
+      event: Partial<{
+        type: ECSField<string>;
+      }>;
+    }
+>;
+
+/**
+ * Checks if an event describes a process as running (whether it was started, already running, or changed)
+ *
+ * @param event a document to check for running fields
+ */
+export function isProcessRunning(event: ProcessRunningFields): boolean {
   if (isLegacyEventSafeVersion(event)) {
     return (
       hasValue(event.event?.type, 'process_start') ||
@@ -43,7 +70,18 @@ export function isProcessRunning(event: SafeResolverEvent): boolean {
   );
 }
 
-export function timestampSafeVersion(event: SafeResolverEvent): undefined | number {
+/**
+ * Minimum fields needed from the `SafeResolverEvent` type for the function below to operate correctly.
+ */
+type TimestampFields = Pick<SafeResolverEvent, '@timestamp'>;
+
+/**
+ * Extracts the first non null value from the `@timestamp` field in the document. Returns undefined if the field doesn't
+ * exist in the document.
+ *
+ * @param event a document from ES
+ */
+export function timestampSafeVersion(event: TimestampFields): undefined | number {
   return firstNonNullValue(event?.['@timestamp']);
 }
 
@@ -51,7 +89,7 @@ export function timestampSafeVersion(event: SafeResolverEvent): undefined | numb
  * The `@timestamp` for the event, as a `Date` object.
  * If `@timestamp` couldn't be parsed as a `Date`, returns `undefined`.
  */
-export function timestampAsDateSafeVersion(event: SafeResolverEvent): Date | undefined {
+export function timestampAsDateSafeVersion(event: TimestampFields): Date | undefined {
   const value = timestampSafeVersion(event);
   if (value === undefined) {
     return undefined;
@@ -93,9 +131,30 @@ export function eventId(event: ResolverEvent): number | undefined | string {
   return event.event.id;
 }
 
-export function eventSequence(event: SafeResolverEvent): number | undefined {
+/**
+ * Minimum fields needed from the `SafeResolverEvent` type for the function below to operate correctly.
+ */
+type EventSequenceFields = Partial<
+  | {
+      endgame: Partial<{
+        serial_event_id: ECSField<number>;
+      }>;
+    }
+  | {
+      event: Partial<{
+        sequence: ECSField<number>;
+      }>;
+    }
+>;
+
+/**
+ * Extract the first non null event sequence value from a document. Returns undefined if the field doesn't exist in the document.
+ *
+ * @param event a document from ES
+ */
+export function eventSequence(event: EventSequenceFields): number | undefined {
   if (isLegacyEventSafeVersion(event)) {
-    return firstNonNullValue(event.endgame.serial_event_id);
+    return firstNonNullValue(event.endgame?.serial_event_id);
   }
   return firstNonNullValue(event.event?.sequence);
 }
@@ -113,7 +172,29 @@ export function entityId(event: ResolverEvent): string {
   return event.process.entity_id;
 }
 
-export function entityIDSafeVersion(event: SafeResolverEvent): string | undefined {
+/**
+ * Minimum fields needed from the `SafeResolverEvent` type for the function below to operate correctly.
+ */
+type EntityIDFields = Partial<
+  | {
+      endgame: Partial<{
+        unique_pid: ECSField<number>;
+      }>;
+    }
+  | {
+      process: Partial<{
+        entity_id: ECSField<string>;
+      }>;
+    }
+>;
+
+/**
+ * Extract the first non null value from either the `entity_id` or `unique_pid` depending on the document type. Returns
+ * undefined if the field doesn't exist in the document.
+ *
+ * @param event a document from ES
+ */
+export function entityIDSafeVersion(event: EntityIDFields): string | undefined {
   if (isLegacyEventSafeVersion(event)) {
     return event.endgame?.unique_pid === undefined
       ? undefined
@@ -130,14 +211,59 @@ export function parentEntityId(event: ResolverEvent): string | undefined {
   return event.process.parent?.entity_id;
 }
 
-export function parentEntityIDSafeVersion(event: SafeResolverEvent): string | undefined {
+/**
+ * Minimum fields needed from the `SafeResolverEvent` type for the function below to operate correctly.
+ */
+type ParentEntityIDFields = Partial<
+  | {
+      endgame: Partial<{
+        unique_ppid: ECSField<number>;
+      }>;
+    }
+  | {
+      process: Partial<{
+        parent: Partial<{
+          entity_id: ECSField<string>;
+        }>;
+      }>;
+    }
+>;
+
+/**
+ * Extract the first non null value from either the `parent.entity_id` or `unique_ppid` depending on the document type. Returns
+ * undefined if the field doesn't exist in the document.
+ *
+ * @param event a document from ES
+ */
+export function parentEntityIDSafeVersion(event: ParentEntityIDFields): string | undefined {
   if (isLegacyEventSafeVersion(event)) {
-    return String(firstNonNullValue(event.endgame.unique_ppid));
+    return String(firstNonNullValue(event.endgame?.unique_ppid));
   }
   return firstNonNullValue(event.process?.parent?.entity_id);
 }
 
-export function ancestryArray(event: SafeResolverEvent): string[] | undefined {
+/**
+ * Minimum fields needed from the `SafeResolverEvent` type for the function below to operate correctly.
+ */
+type AncestryArrayFields = Partial<
+  | {
+      endgame: object;
+    }
+  | {
+      process: Partial<{
+        Ext: Partial<{
+          ancestry: ECSField<string>;
+        }>;
+      }>;
+    }
+>;
+
+/**
+ * Extracts all ancestry array from a document if it exists.
+ *
+ * @param event an ES document
+ */
+export function ancestryArray(event: AncestryArrayFields): string[] | undefined {
   if (isLegacyEventSafeVersion(event)) {
     return undefined;
   }
@@ -146,7 +272,17 @@ export function ancestryArray(event: SafeResolverEvent): string[] | undefined {
   return values(event.process?.Ext?.ancestry);
 }
 
-export function getAncestryAsArray(event: SafeResolverEvent | undefined): string[] {
+/**
+ * Minimum fields needed from the `SafeResolverEvent` type for the function below to operate correctly.
+ */
+type GetAncestryArrayFields = AncestryArrayFields & ParentEntityIDFields;
+
+/**
+ * Returns an array of strings representing the ancestry for a process.
+ *
+ * @param event an ES document
+ */
+export function getAncestryAsArray(event: GetAncestryArrayFields | undefined): string[] {
   if (!event) {
     return [];
   }
diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/children.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/children.ts
index 8c7daf9451217..4c7be9b8d5a24 100644
--- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/children.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/children.ts
@@ -4,15 +4,59 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 import { SearchResponse } from 'elasticsearch';
-import { SafeResolverEvent } from '../../../../../common/endpoint/types';
+import { ECSField } from '../../../../../common/endpoint/types';
 import { ResolverQuery } from './base';
 import { ChildrenPaginationBuilder } from '../utils/children_pagination';
 import { JsonObject } from '../../../../../../../../src/plugins/kibana_utils/common';
 
+/**
+ * This type represents the document returned from ES for a legacy event when using the ChildrenQuery to fetch legacy events.
+ * It contains only the necessary fields that the children api needs to process the results before
+ * it requests the full lifecycle information for the children in a later query.
+ */
+export type LegacyChildEvent = Partial<{
+  '@timestamp': ECSField<number>;
+  event: Partial<{
+    type: ECSField<string>;
+    action: ECSField<string>;
+  }>;
+  endgame: Partial<{
+    serial_event_id: ECSField<number>;
+    unique_pid: ECSField<number>;
+    unique_ppid: ECSField<number>;
+  }>;
+}>;
+
+/**
+ * This type represents the document returned from ES for an event when using the ChildrenQuery to fetch legacy events.
+ * It contains only the necessary fields that the children api needs to process the results before
+ * it requests the full lifecycle information for the children in a later query.
+ */
+export type EndpointChildEvent = Partial<{
+  '@timestamp': ECSField<number>;
+  event: Partial<{
+    type: ECSField<string>;
+    sequence: ECSField<number>;
+  }>;
+  process: Partial<{
+    entity_id: ECSField<string>;
+    parent: Partial<{
+      entity_id: ECSField<string>;
+    }>;
+    Ext: Partial<{
+      ancestry: ECSField<string>;
+    }>;
+  }>;
+}>;
+
+export type ChildEvent = EndpointChildEvent | LegacyChildEvent;
+
 /**
  * Builds a query for retrieving descendants of a node.
+ * The first type `ChildEvent[]` represents the final formatted result. The second type `ChildEvent` defines the type
+ * used in the `SearchResponse<T>` field returned from the ES query.
  */
-export class ChildrenQuery extends ResolverQuery<SafeResolverEvent[]> {
+export class ChildrenQuery extends ResolverQuery<ChildEvent[], ChildEvent> {
   constructor(
     private readonly pagination: ChildrenPaginationBuilder,
     indexPattern: string | string[],
@@ -24,6 +68,14 @@ export class ChildrenQuery extends ResolverQuery<SafeResolverEvent[]> {
   protected legacyQuery(endpointID: string, uniquePIDs: string[]): JsonObject {
     const paginationFields = this.pagination.buildQueryFields('endgame.serial_event_id');
     return {
+      _source: [
+        '@timestamp',
+        'endgame.serial_event_id',
+        'endgame.unique_pid',
+        'endgame.unique_ppid',
+        'event.type',
+        'event.action',
+      ],
       collapse: {
         field: 'endgame.unique_pid',
       },
@@ -64,8 +116,18 @@ export class ChildrenQuery extends ResolverQuery<SafeResolverEvent[]> {
   }
 
   protected query(entityIDs: string[]): JsonObject {
+    // we don't have to include the `event.id` in the source response because it is not needed for processing
+    // the data returned by ES, it is only used for breaking ties when ES is doing the search
     const paginationFields = this.pagination.buildQueryFields('event.id');
     return {
+      _source: [
+        '@timestamp',
+        'event.type',
+        'event.sequence',
+        'process.entity_id',
+        'process.parent.entity_id',
+        'process.Ext.ancestry',
+      ],
       /**
        * Using collapse here will only return a single event per occurrence of a process.entity_id. The events are sorted
        * based on timestamp in ascending order so it will be the first event that ocurred. The actual type of event that
@@ -126,7 +188,7 @@ export class ChildrenQuery extends ResolverQuery<SafeResolverEvent[]> {
     };
   }
 
-  formatResponse(response: SearchResponse<SafeResolverEvent>): SafeResolverEvent[] {
+  formatResponse(response: SearchResponse<ChildEvent>): ChildEvent[] {
     return this.getResults(response);
   }
 }
diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_helper.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_helper.ts
index e9174548898dd..f54472141c1de 100644
--- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_helper.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_helper.ts
@@ -17,6 +17,7 @@ import {
 } from '../../../../../common/endpoint/types';
 import { createChild } from './node';
 import { ChildrenPaginationBuilder } from './children_pagination';
+import { ChildEvent } from '../queries/children';
 
 /**
  * This class helps construct the children structure when building a resolver tree.
@@ -86,15 +87,12 @@ export class ChildrenNodesHelper {
    * @param queriedNodes the entity_ids of the nodes that returned these start events
    * @param startEvents an array of start events returned by ES
    */
-  addStartEvents(
-    queriedNodes: Set<string>,
-    startEvents: SafeResolverEvent[]
-  ): Set<string> | undefined {
+  addStartEvents(queriedNodes: Set<string>, startEvents: ChildEvent[]): Set<string> | undefined {
     let largestAncestryArray = 0;
     const nodesToQueryNext: Map<number, Set<string>> = new Map();
     const nonLeafNodes: Set<SafeResolverChildNode> = new Set();
 
-    const isDistantGrandchild = (event: SafeResolverEvent) => {
+    const isDistantGrandchild = (event: ChildEvent) => {
       const ancestry = getAncestryAsArray(event);
       return ancestry.length > 0 && queriedNodes.has(ancestry[ancestry.length - 1]);
     };
@@ -161,7 +159,7 @@ export class ChildrenNodesHelper {
     return nodesToQueryNext.get(largestAncestryArray);
   }
 
-  private setPaginationForNodes(nodes: Set<string>, startEvents: SafeResolverEvent[]) {
+  private setPaginationForNodes(nodes: Set<string>, startEvents: ChildEvent[]) {
     for (const nodeEntityID of nodes.values()) {
       const cachedNode = this.entityToNodeCache.get(nodeEntityID);
       if (cachedNode) {
diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_pagination.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_pagination.ts
index 4cc8aaf42d12b..e202124554873 100644
--- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_pagination.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_pagination.ts
@@ -4,10 +4,10 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { SafeResolverEvent } from '../../../../../common/endpoint/types';
 import { eventSequence, timestampSafeVersion } from '../../../../../common/endpoint/models/event';
 import { JsonObject } from '../../../../../../../../src/plugins/kibana_utils/common';
 import { urlEncodeCursor, SortFields, urlDecodeCursor } from './pagination';
+import { ChildEvent } from '../queries/children';
 
 /**
  * Pagination information for the children class.
@@ -65,7 +65,7 @@ export class ChildrenPaginationBuilder {
    *
    * @param results the events that were returned by the ES query
    */
-  static buildCursor(results: SafeResolverEvent[]): string | null {
+  static buildCursor(results: ChildEvent[]): string | null {
     const lastResult = results[results.length - 1];
     const sequence = eventSequence(lastResult);
     const cursor = {
diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_start_query_handler.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_start_query_handler.ts
index 327be8d3696fd..9f5f085d5b80d 100644
--- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_start_query_handler.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_start_query_handler.ts
@@ -6,8 +6,7 @@
 
 import { SearchResponse } from 'elasticsearch';
 import { ILegacyScopedClusterClient } from 'kibana/server';
-import { SafeResolverEvent } from '../../../../../common/endpoint/types';
-import { ChildrenQuery } from '../queries/children';
+import { ChildEvent, ChildrenQuery } from '../queries/children';
 import { QueryInfo } from '../queries/multi_searcher';
 import { QueryHandler } from './fetch';
 import { ChildrenNodesHelper } from './children_helper';
@@ -46,7 +45,7 @@ export class ChildrenStartQueryHandler implements QueryHandler<ChildrenNodesHelp
     this.limitLeft = 0;
   }
 
-  private handleResponse = (response: SearchResponse<SafeResolverEvent>) => {
+  private handleResponse = (response: SearchResponse<ChildEvent>) => {
     const results = this.query.formatResponse(response);
     this.nodesToQuery = this.childrenHelper.addStartEvents(this.nodesToQuery, results) ?? new Set();