elastic · cnasikas · Feb 11, 2023 · Dec 22, 2022 · Dec 14, 2022 · Dec 22, 2022
diff --git a/packages/kbn-rule-data-utils/index.ts b/packages/kbn-rule-data-utils/index.ts
@@ -10,4 +10,5 @@ export * from './src/technical_field_names';
 export * from './src/alerts_as_data_rbac';
 export * from './src/alerts_as_data_severity';
 export * from './src/alerts_as_data_status';
+export * from './src/alerts_as_data_cases';
 export * from './src/routes/stack_rule_paths';
diff --git a/packages/kbn-rule-data-utils/src/alerts_as_data_cases.ts b/packages/kbn-rule-data-utils/src/alerts_as_data_cases.ts
@@ -0,0 +1,9 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+export const MAX_CASES_PER_ALERT = 10;
diff --git a/x-pack/plugins/cases/kibana.json b/x-pack/plugins/cases/kibana.json
@@ -32,7 +32,8 @@
      "management",
      "spaces",
      "security",
-     "notifications"
+     "notifications",
+     "ruleRegistry"
   ],
   "requiredBundles": [
     "savedObjects"

@@ -24,14 +24,14 @@ export type CasesClientGetAlertsResponse = Alert[];
 /**
  * Defines the fields necessary to update an alert's status.
  */
-export interface UpdateAlertRequest {
+export interface UpdateAlertStatusRequest {
   id: string;
   index: string;
   status: CaseStatuses;
 }
 
 export interface AlertUpdateStatus {
-  alerts: UpdateAlertRequest[];
+  alerts: UpdateAlertStatusRequest[];
 }
 
 export interface AlertGet {

@@ -31,7 +31,7 @@ import { CASE_COMMENT_SAVED_OBJECT } from '../../../common/constants';
 import { createIncident, getDurationInSeconds } from './utils';
 import { createCaseError } from '../../common/error';
 import {
-  createAlertUpdateRequest,
+  createAlertUpdateStatusRequest,
   flattenCaseSavedObject,
   getAlertInfoFromComments,
 } from '../../common/utils';
@@ -68,7 +68,7 @@ const changeAlertsStatusToClose = async (
 
   const alerts = alertAttachments.saved_objects
     .map((attachment) =>
-      createAlertUpdateRequest({
+      createAlertUpdateStatusRequest({
         comment: attachment.attributes,
         status: CaseStatuses.closed,
       })

@@ -51,11 +51,11 @@ import { arraysDifference, getCaseToUpdate } from '../utils';
 import type { AlertService, CasesService } from '../../services';
 import { createCaseError } from '../../common/error';
 import {
-  createAlertUpdateRequest,
+  createAlertUpdateStatusRequest,
   flattenCaseSavedObject,
   isCommentRequestTypeAlert,
 } from '../../common/utils';
-import type { UpdateAlertRequest } from '../alerts/types';
+import type { UpdateAlertStatusRequest } from '../alerts/types';
 import type { CasesClientArgs } from '..';
 import type { OwnerEntity } from '../../authorization';
 import { Operations } from '../../authorization';
@@ -238,14 +238,14 @@ async function updateAlerts({
 
   // create an array of requests that indicate the id, index, and status to update an alert
   const alertsToUpdate = totalAlerts.saved_objects.reduce(
-    (acc: UpdateAlertRequest[], alertComment) => {
+    (acc: UpdateAlertStatusRequest[], alertComment) => {
       if (isCommentRequestTypeAlert(alertComment.attributes)) {
         const status = getSyncStatusForComment({
           alertComment,
           casesToSyncToStatus,
         });
 
-        acc.push(...createAlertUpdateRequest({ comment: alertComment.attributes, status }));
+        acc.push(...createAlertUpdateStatusRequest({ comment: alertComment.attributes, status }));
       }
 
       return acc;

@@ -25,6 +25,8 @@ import type { LensServerPluginSetup } from '@kbn/lens-plugin/server';
 import type { SpacesPluginStart } from '@kbn/spaces-plugin/server';
 import type { LicensingPluginStart } from '@kbn/licensing-plugin/server';
 import type { NotificationsPluginStart } from '@kbn/notifications-plugin/server';
+import type { RuleRegistryPluginStartContract } from '@kbn/rule-registry-plugin/server';
+
 import { SAVED_OBJECT_TYPES } from '../../common/constants';
 import { Authorization } from '../authorization/authorization';
 import {
@@ -53,10 +55,11 @@ interface CasesClientFactoryArgs {
   actionsPluginStart: ActionsPluginStart;
   licensingPluginStart: LicensingPluginStart;
   lensEmbeddableFactory: LensServerPluginSetup['lensEmbeddableFactory'];
+  notifications: NotificationsPluginStart;
+  ruleRegistry: RuleRegistryPluginStartContract;
   persistableStateAttachmentTypeRegistry: PersistableStateAttachmentTypeRegistry;
   externalReferenceAttachmentTypeRegistry: ExternalReferenceAttachmentTypeRegistry;
   publicBaseUrl?: IBasePath['publicBaseUrl'];
-  notifications: NotificationsPluginStart;
 }
 
 /**
@@ -127,6 +130,7 @@ export class CasesClientFactory {
     });
 
     const userInfo = await this.getUserInfo(request);
+    const alertsClient = await this.options.ruleRegistry.getRacClientWithRequest(request);
 
     return createCasesClient({
       services,
@@ -141,6 +145,7 @@ export class CasesClientFactory {
       securityStartPlugin: this.options.securityPluginStart,
       publicBaseUrl: this.options.publicBaseUrl,
       spaceId: this.options.spacesPluginStart.spacesService.getSpaceId(request),
+      alertsClient,
     });
   }
 

diff --git a/x-pack/plugins/cases/server/client/mocks.ts b/x-pack/plugins/cases/server/client/mocks.ts
@@ -10,6 +10,7 @@ import { loggingSystemMock, savedObjectsClientMock } from '@kbn/core/server/mock
 import { securityMock } from '@kbn/security-plugin/server/mocks';
 
 import { actionsClientMock } from '@kbn/actions-plugin/server/actions_client.mock';
+import { alertsClientMock } from '@kbn/rule-registry-plugin/server/alert_data_client/alerts_client.mock';
 import { makeLensEmbeddableFactory } from '@kbn/lens-plugin/server/embeddable/make_lens_embeddable_factory';
 import type { CasesClient } from '.';
 import { createAuthorizationMock } from '../authorization/mock';
@@ -140,6 +141,7 @@ export const createCasesClientMockArgs = () => {
     logger: loggingSystemMock.createLogger(),
     unsecuredSavedObjectsClient: savedObjectsClientMock.create(),
     actionsClient: actionsClientMock.create(),
+    alertsClient: alertsClientMock.create(),
     user: {
       username: 'damaged_raccoon',
       email: 'damaged_raccoon@elastic.co',

diff --git a/x-pack/plugins/cases/server/client/types.ts b/x-pack/plugins/cases/server/client/types.ts
@@ -12,6 +12,7 @@ import type { LensServerPluginSetup } from '@kbn/lens-plugin/server';
 import type { SecurityPluginStart } from '@kbn/security-plugin/server';
 import type { IBasePath } from '@kbn/core-http-browser';
 import type { KueryNode } from '@kbn/es-query';
+import type { AlertsClient } from '@kbn/rule-registry-plugin/server';
 import type { CasesFindRequest, User } from '../../common/api';
 import type { Authorization } from '../authorization/authorization';
 import type {
@@ -53,6 +54,7 @@ export interface CasesClientArgs {
   readonly externalReferenceAttachmentTypeRegistry: ExternalReferenceAttachmentTypeRegistry;
   readonly securityStartPlugin: SecurityPluginStart;
   readonly spaceId: string;
+  readonly alertsClient: PublicMethodsOf<AlertsClient>;
   readonly publicBaseUrl?: IBasePath['publicBaseUrl'];
 }
 

@@ -12,6 +12,7 @@ import type {
   SavedObjectsUpdateOptions,
   SavedObjectsUpdateResponse,
 } from '@kbn/core/server';
+import pMap from 'p-map';
 import type {
   CaseResponse,
   CommentAttributes,
@@ -30,6 +31,7 @@ import {
 import {
   CASE_SAVED_OBJECT,
   MAX_ALERTS_PER_CASE,
+  MAX_CONCURRENT_SEARCHES,
   MAX_DOCS_PER_PAGE,
 } from '../../../common/constants';
 import type { CasesClientArgs } from '../../client';
@@ -41,11 +43,13 @@ import {
   flattenCommentSavedObjects,
   transformNewComment,
   getOrUpdateLensReferences,
-  createAlertUpdateRequest,
+  createAlertUpdateStatusRequest,
   isCommentRequestTypeAlert,
+  getAlertInfoFromComments,
 } from '../utils';
 
 type CaseCommentModelParams = Omit<CasesClientArgs, 'authorization'>;
+
 const ALERT_LIMIT_MSG = `Case has reached the maximum allowed number (${MAX_ALERTS_PER_CASE}) of attached alerts.`;
 
 /**
@@ -310,18 +314,21 @@ export class CaseCommentModel {
   }
 
   private async handleAlertComments(attachments: CommentRequest[]) {
-    const alerts = attachments.filter(
-      (attachment) =>
-        attachment.type === CommentType.alert && this.caseInfo.attributes.settings.syncAlerts
+    const alertAttachments = attachments.filter(
+      (attachment): attachment is CommentRequestAlertType => attachment.type === CommentType.alert
     );
 
-    await this.updateAlertsStatus(alerts);
+    if (this.caseInfo.attributes.settings.syncAlerts) {
+      await this.updateAlertsStatus(alertAttachments);
+    }
+
+    await this.updateAlertsSchemaWithCaseInfo(alertAttachments);
   }
 
   private async updateAlertsStatus(alerts: CommentRequest[]) {
     const alertsToUpdate = alerts
       .map((alert) =>
-        createAlertUpdateRequest({
+        createAlertUpdateStatusRequest({
           comment: alert,
           status: this.caseInfo.attributes.status,
         })
@@ -331,6 +338,38 @@ export class CaseCommentModel {
     await this.params.services.alertsService.updateAlertsStatus(alertsToUpdate);
   }
 
+  private async updateAlertsSchemaWithCaseInfo(alertAttachments: CommentRequestAlertType[]) {
+    try {
+      const alerts = getAlertInfoFromComments(alertAttachments);
+      const alertsGroupedByIndex = new Map<string, Set<string>>();
+
+      for (const alert of alerts) {
+        const idsSet = alertsGroupedByIndex.get(alert.index) ?? new Set();
+        idsSet.add(alert.id);
+        alertsGroupedByIndex.set(alert.index, idsSet);
+      }
+
+      await pMap(
+        alertsGroupedByIndex.entries(),
+        async ([index, idsSet]) =>
+          this.params.alertsClient.bulkUpdateCases({
+            ids: Array.from(idsSet.values()),
+            index,
+            caseIds: [this.caseInfo.id],
+          }),
+        {
+          concurrency: MAX_CONCURRENT_SEARCHES,
+        }
+      );
+    } catch (error) {
+      throw createCaseError({
+        message: `Failed to add case info to alerts for caseId ${this.caseInfo.id}: ${error}`,
+        error,
+        logger: this.params.logger,
+      });
+    }
+  }
+
   private async createCommentUserAction(
     comment: SavedObject<CommentAttributes>,
     req: CommentRequest

@@ -48,7 +48,7 @@ import {
   ConnectorTypes,
   ExternalReferenceStorageType,
 } from '../../common/api';
-import type { UpdateAlertRequest } from '../client/alerts/types';
+import type { UpdateAlertStatusRequest } from '../client/alerts/types';
 import {
   parseCommentString,
   getLensVisualizations,
@@ -267,13 +267,13 @@ export const isCommentRequestTypeExternalReferenceSO = (
 /**
  * Adds the ids and indices to a map of statuses
  */
-export function createAlertUpdateRequest({
+export function createAlertUpdateStatusRequest({
   comment,
   status,
 }: {
   comment: CommentRequest;
   status: CaseStatuses;
-}): UpdateAlertRequest[] {
+}): UpdateAlertStatusRequest[] {
   return getAlertInfoFromComments([comment]).map((alert) => ({ ...alert, status }));
 }
 

@@ -32,6 +32,7 @@ import type {
 import type { UsageCollectionSetup } from '@kbn/usage-collection-plugin/server';
 import type { LicensingPluginSetup, LicensingPluginStart } from '@kbn/licensing-plugin/server';
 import type { NotificationsPluginStart } from '@kbn/notifications-plugin/server';
+import type { RuleRegistryPluginStartContract } from '@kbn/rule-registry-plugin/server';
 
 import { APP_ID } from '../common/constants';
 import {
@@ -74,6 +75,7 @@ export interface PluginsStart {
   security: SecurityPluginStart;
   spaces: SpacesPluginStart;
   notifications: NotificationsPluginStart;
+  ruleRegistry: RuleRegistryPluginStartContract;
 }
 
 export class CasePlugin {
@@ -202,6 +204,7 @@ export class CasePlugin {
       externalReferenceAttachmentTypeRegistry: this.externalReferenceAttachmentTypeRegistry,
       publicBaseUrl: core.http.basePath.publicBaseUrl,
       notifications: plugins.notifications,
+      ruleRegistry: plugins.ruleRegistry,
     });
 
     const client = core.elasticsearch.client;

@@ -16,7 +16,7 @@ import { CaseStatuses } from '../../../common/api';
 import { MAX_ALERTS_PER_CASE, MAX_CONCURRENT_SEARCHES } from '../../../common/constants';
 import { createCaseError } from '../../common/error';
 import type { AlertInfo } from '../../common/types';
-import type { UpdateAlertRequest } from '../../client/alerts/types';
+import type { UpdateAlertStatusRequest } from '../../client/alerts/types';
 import type { AggregationBuilder, AggregationResponse } from '../../client/metrics/types';
 
 export class AlertService {
@@ -75,7 +75,7 @@ export class AlertService {
     };
   }
 
-  public async updateAlertsStatus(alerts: UpdateAlertRequest[]) {
+  public async updateAlertsStatus(alerts: UpdateAlertStatusRequest[]) {
     try {
       const bucketedAlerts = this.bucketAlertsByIndexAndStatus(alerts);
       const indexBuckets = Array.from(bucketedAlerts.entries());
@@ -96,7 +96,7 @@ export class AlertService {
   }
 
   private bucketAlertsByIndexAndStatus(
-    alerts: UpdateAlertRequest[]
+    alerts: UpdateAlertStatusRequest[]
   ): Map<string, Map<STATUS_VALUES, TranslatedUpdateAlertRequest[]>> {
     return alerts.reduce<Map<string, Map<STATUS_VALUES, TranslatedUpdateAlertRequest[]>>>(
       (acc, alert) => {
@@ -130,7 +130,7 @@ export class AlertService {
     return isEmpty(alert.id) || isEmpty(alert.index);
   }
 
-  private translateStatus(alert: UpdateAlertRequest): STATUS_VALUES {
+  private translateStatus(alert: UpdateAlertStatusRequest): STATUS_VALUES {
     const translatedStatuses: Record<string, STATUS_VALUES> = {
       [CaseStatuses.open]: 'open',
       [CaseStatuses['in-progress']]: 'acknowledged',

@@ -17,6 +17,7 @@ const createAlertsClientMock = () => {
     update: jest.fn(),
     getAuthorizedAlertsIndices: jest.fn(),
     bulkUpdate: jest.fn(),
+    bulkUpdateCases: jest.fn(),
     find: jest.fn(),
     getFeatureIdsByRegistrationContexts: jest.fn(),
     getBrowserFields: jest.fn(),