[8.7] [SecuritySolution] Add an option to search on alerts index without wildcard (#153439) (#153980)

# Backport

This will backport the following commits from `main` to `8.7`:
- [[SecuritySolution] Add an option to search on alerts index without
wildcard (#153439)](https://github.com/elastic/kibana/pull/153439)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Angela
Chuang","email":"6295984+angorayc@users.noreply.github.com"},"sourceCommit":{"committedDate":"2023-03-29T20:23:23Z","message":"[SecuritySolution]
Add an option to search on alerts index without wildcard (#153439)\n\n##
Summary\r\n\r\nAdd an option to search alerts without wildcard to avoid
seeing alerts\r\nfrom other spaces with the same prefix.\r\n\r\nIssue
and steps to reproduce (or visit a
[reproduced\r\nenvironment](https://kibana.siem.estc.dev/s/test/app/security/alerts?sourcerer=(default:(id:security-solution-test,selectedPatterns:!(%27auditbeat-*%27,%27filebeat-*%27,%27logs-*%27,%27packetbeat-*%27,%27winlogbeat-*%27)))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272023-03-15T00:00:00.000Z%27,fromStr:now-7d%2Fd,kind:relative,to:%272023-03-22T13:10:17.682Z%27,toStr:now)),timeline:(linkTo:!(global),timerange:(from:%272023-03-15T00:00:00.000Z%27,fromStr:now-7d%2Fd,kind:relative,to:%272023-03-22T13:10:17.682Z%27,toStr:now)))&filters=!((%27$state%27:(store:appState),meta:(alias:!n,disabled:!f,field:_index,key:_index,negate:!f,params:(query:.alerts-security.alerts-test-2),type:phrase),query:(match_phrase:(_index:.alerts-security.alerts-test-2)))))):\r\n1.
In
`x-pack/plugins/security_solution/common/experimental_features.ts`\r\n,
change `chartEmbeddablesEnabled` to `false`\r\n2. Follow the steps
in\r\nhttps://github.com/elastic/security-team/issues/6231\r\n\r\n###
Checklist\r\n\r\nDelete any items that are not applicable to this
PR.\r\n\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Marshall Main
<55718608+marshallmain@users.noreply.github.com>\r\nCo-authored-by:
kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"90b0c39c7c2f7360c3ed4b4afc9135ed50d11266","branchLabelMapping":{"^v8.8.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:fix","Team:
SecuritySolution","v8.7.0","v8.8.0","v8.6.3"],"number":153439,"url":"https://github.com/elastic/kibana/pull/153439","mergeCommit":{"message":"[SecuritySolution]
Add an option to search on alerts index without wildcard (#153439)\n\n##
Summary\r\n\r\nAdd an option to search alerts without wildcard to avoid
seeing alerts\r\nfrom other spaces with the same prefix.\r\n\r\nIssue
and steps to reproduce (or visit a
[reproduced\r\nenvironment](https://kibana.siem.estc.dev/s/test/app/security/alerts?sourcerer=(default:(id:security-solution-test,selectedPatterns:!(%27auditbeat-*%27,%27filebeat-*%27,%27logs-*%27,%27packetbeat-*%27,%27winlogbeat-*%27)))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272023-03-15T00:00:00.000Z%27,fromStr:now-7d%2Fd,kind:relative,to:%272023-03-22T13:10:17.682Z%27,toStr:now)),timeline:(linkTo:!(global),timerange:(from:%272023-03-15T00:00:00.000Z%27,fromStr:now-7d%2Fd,kind:relative,to:%272023-03-22T13:10:17.682Z%27,toStr:now)))&filters=!((%27$state%27:(store:appState),meta:(alias:!n,disabled:!f,field:_index,key:_index,negate:!f,params:(query:.alerts-security.alerts-test-2),type:phrase),query:(match_phrase:(_index:.alerts-security.alerts-test-2)))))):\r\n1.
In
`x-pack/plugins/security_solution/common/experimental_features.ts`\r\n,
change `chartEmbeddablesEnabled` to `false`\r\n2. Follow the steps
in\r\nhttps://github.com/elastic/security-team/issues/6231\r\n\r\n###
Checklist\r\n\r\nDelete any items that are not applicable to this
PR.\r\n\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Marshall Main
<55718608+marshallmain@users.noreply.github.com>\r\nCo-authored-by:
kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"90b0c39c7c2f7360c3ed4b4afc9135ed50d11266"}},"sourceBranch":"main","suggestedTargetBranches":["8.7","8.6"],"targetPullRequestStates":[{"branch":"8.7","label":"v8.7.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.8.0","labelRegex":"^v8.8.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/153439","number":153439,"mergeCommit":{"message":"[SecuritySolution]
Add an option to search on alerts index without wildcard (#153439)\n\n##
Summary\r\n\r\nAdd an option to search alerts without wildcard to avoid
seeing alerts\r\nfrom other spaces with the same prefix.\r\n\r\nIssue
and steps to reproduce (or visit a
[reproduced\r\nenvironment](https://kibana.siem.estc.dev/s/test/app/security/alerts?sourcerer=(default:(id:security-solution-test,selectedPatterns:!(%27auditbeat-*%27,%27filebeat-*%27,%27logs-*%27,%27packetbeat-*%27,%27winlogbeat-*%27)))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272023-03-15T00:00:00.000Z%27,fromStr:now-7d%2Fd,kind:relative,to:%272023-03-22T13:10:17.682Z%27,toStr:now)),timeline:(linkTo:!(global),timerange:(from:%272023-03-15T00:00:00.000Z%27,fromStr:now-7d%2Fd,kind:relative,to:%272023-03-22T13:10:17.682Z%27,toStr:now)))&filters=!((%27$state%27:(store:appState),meta:(alias:!n,disabled:!f,field:_index,key:_index,negate:!f,params:(query:.alerts-security.alerts-test-2),type:phrase),query:(match_phrase:(_index:.alerts-security.alerts-test-2)))))):\r\n1.
In
`x-pack/plugins/security_solution/common/experimental_features.ts`\r\n,
change `chartEmbeddablesEnabled` to `false`\r\n2. Follow the steps
in\r\nhttps://github.com/elastic/security-team/issues/6231\r\n\r\n###
Checklist\r\n\r\nDelete any items that are not applicable to this
PR.\r\n\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Marshall Main
<55718608+marshallmain@users.noreply.github.com>\r\nCo-authored-by:
kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"90b0c39c7c2f7360c3ed4b4afc9135ed50d11266"}},{"branch":"8.6","label":"v8.6.3","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Angela Chuang <6295984+angorayc@users.noreply.github.com>

x-pack/plugins/rule_registry/server/rule_data_client/rule_data_client.test.ts

@@ -100,10 +100,33 @@ describe('RuleDataClient', () => {
 
       expect(scopedClusterClient.search).toHaveBeenCalledWith({
         body: query,
+        ignore_unavailable: true,
         index: `.alerts-observability.apm.alerts*`,
       });
     });
 
+    test('getReader searchs an index pattern without a wildcard when the namespace is provided', async () => {
+      const ruleDataClient = new RuleDataClient(
+        getRuleDataClientOptions({
+          waitUntilReadyForReading: new Promise((resolve) =>
+            setTimeout(resolve, 3000, right(scopedClusterClient))
+          ),
+        })
+      );
+
+      const query = { query: { bool: { filter: { range: { '@timestamp': { gte: 0 } } } } } };
+      const reader = ruleDataClient.getReader({ namespace: 'test' });
+      await reader.search({
+        body: query,
+      });
+
+      expect(scopedClusterClient.search).toHaveBeenCalledWith({
+        body: query,
+        ignore_unavailable: true,
+        index: `.alerts-observability.apm.alerts-test`,
+      });
+    });
+
     test('re-throws error when search throws error', async () => {
       scopedClusterClient.search.mockRejectedValueOnce(new Error('something went wrong!'));
       const ruleDataClient = new RuleDataClient(getRuleDataClientOptions({}));

x-pack/plugins/rule_registry/server/rule_data_client/rule_data_client.ts

@@ -117,6 +117,7 @@ export class RuleDataClient implements IRuleDataClient {
           return (await clusterClient.search({
             ...request,
             index: indexPattern,
+            ignore_unavailable: true,
           })) as unknown as ESSearchResponse<TAlertDoc, TSearchRequest>;
         } catch (err) {
           this.options.logger.error(`Error performing search in RuleDataClient - ${err.message}`);

x-pack/plugins/rule_registry/server/rule_data_plugin_service/index_info.ts

@@ -114,10 +114,10 @@ export class IndexInfo {
    *   - include nested registration contexts eagerly
    *   - e.g. if baseName='.alerts-observability', include '.alerts-observability.apm'
    *
-   * @example '.alerts-security.alerts-default*', '.alerts-security.alerts*'
+   * @example '.alerts-security.alerts-default', '.alerts-security.alerts*'
    */
   public getPatternForReading(namespace?: string): string {
-    return `${joinWithDash(this.baseName, namespace)}*`;
+    return namespace ? `${joinWithDash(this.baseName, namespace)}` : `${this.baseName}*`;
   }
 
   /**

x-pack/plugins/security_solution/server/lib/detection_engine/routes/signals/query_signals_route.test.ts

@@ -48,6 +48,20 @@ describe('query for signal', () => {
       );
     });
 
+    test('search on an index pattern without wildcard added', async () => {
+      const response = await server.inject(
+        getSignalsQueryRequest(),
+        requestContextMock.convertContext(context)
+      );
+
+      expect(response.status).toEqual(200);
+      expect(ruleDataClient.getReader).toHaveBeenCalledWith(
+        expect.objectContaining({
+          namespace: 'default',
+        })
+      );
+    });
+
     test('returns 200 when using single agg', async () => {
       const response = await server.inject(
         getSignalsAggsQueryRequest(),