[8.6] [Security Solution][Alerts] fixes new terms multi fields timeline issue (#146185) (#146446)

# Backport

This will backport the following commits from `main` to `8.6`:
- [[Security Solution][Alerts] fixes new terms multi fields timeline
issue (#146185)](https://github.com/elastic/kibana/pull/146185)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Vitalii
Dmyterko","email":"92328789+vitaliidm@users.noreply.github.com"},"sourceCommit":{"committedDate":"2022-11-28T17:26:07Z","message":"[Security
Solution][Alerts] fixes new terms multi fields timeline issue
(#146185)\n\n## Summary\r\n\r\n- fixes
https://github.com/elastic/kibana/issues/146131\r\n\r\n###
Before\r\n\r\nhttps://user-images.githubusercontent.com/92328789/203600097-589d4b8b-c238-48e4-bf72-2f2efcc39ac2.mp4\r\n\r\n###
After\r\n\r\nhttps://user-images.githubusercontent.com/92328789/203599864-37a4ccc3-12b8-4c48-87ea-559d15582ef9.mov\r\n\r\n\r\n###
For maintainers\r\n\r\n\r\n\r\n\r\n- [ ] This was checked for breaking
API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"0f31951235ecf11530c23977d028069f427bae67","branchLabelMapping":{"^v8.7.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","Team:Detections
and Resp","Team: SecuritySolution","Feature:Detection
Alerts","Team:Detection
Alerts","backport:prev-minor","v8.6.0","v8.7.0"],"number":146185,"url":"https://github.com/elastic/kibana/pull/146185","mergeCommit":{"message":"[Security
Solution][Alerts] fixes new terms multi fields timeline issue
(#146185)\n\n## Summary\r\n\r\n- fixes
https://github.com/elastic/kibana/issues/146131\r\n\r\n###
Before\r\n\r\nhttps://user-images.githubusercontent.com/92328789/203600097-589d4b8b-c238-48e4-bf72-2f2efcc39ac2.mp4\r\n\r\n###
After\r\n\r\nhttps://user-images.githubusercontent.com/92328789/203599864-37a4ccc3-12b8-4c48-87ea-559d15582ef9.mov\r\n\r\n\r\n###
For maintainers\r\n\r\n\r\n\r\n\r\n- [ ] This was checked for breaking
API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"0f31951235ecf11530c23977d028069f427bae67"}},"sourceBranch":"main","suggestedTargetBranches":["8.6"],"targetPullRequestStates":[{"branch":"8.6","label":"v8.6.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.7.0","labelRegex":"^v8.7.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/146185","number":146185,"mergeCommit":{"message":"[Security
Solution][Alerts] fixes new terms multi fields timeline issue
(#146185)\n\n## Summary\r\n\r\n- fixes
https://github.com/elastic/kibana/issues/146131\r\n\r\n###
Before\r\n\r\nhttps://user-images.githubusercontent.com/92328789/203600097-589d4b8b-c238-48e4-bf72-2f2efcc39ac2.mp4\r\n\r\n###
After\r\n\r\nhttps://user-images.githubusercontent.com/92328789/203599864-37a4ccc3-12b8-4c48-87ea-559d15582ef9.mov\r\n\r\n\r\n###
For maintainers\r\n\r\n\r\n\r\n\r\n- [ ] This was checked for breaking
API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"0f31951235ecf11530c23977d028069f427bae67"}}]}]
BACKPORT-->

Co-authored-by: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com>

x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx

@@ -7,6 +7,8 @@
 
 import sinon from 'sinon';
 import moment from 'moment';
+import set from 'lodash/set';
+import cloneDeep from 'lodash/cloneDeep';
 
 import type { ExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types';
 import type { Filter } from '@kbn/es-query';
@@ -16,6 +18,7 @@ import {
   sendAlertToTimelineAction,
   sendBulkEventsToTimelineAction,
   determineToAndFrom,
+  getNewTermsData,
 } from './actions';
 import {
   defaultTimelineProps,
@@ -933,6 +936,63 @@ describe('alert actions', () => {
       });
     });
 
+    describe('New terms', () => {
+      describe('getNewTermsData', () => {
+        it('should return new terms data correctly for single value field', () => {
+          const newTermsEcsMock = cloneDeep(ecsDataMockWithNoTemplateTimeline[0]);
+          set(newTermsEcsMock, 'kibana.alert.new_terms', ['host-0']);
+          set(newTermsEcsMock, 'kibana.alert.rule.parameters.new_terms_fields', ['host.name']);
+
+          expect(getNewTermsData(newTermsEcsMock).dataProviders).toEqual([
+            {
+              and: [],
+              enabled: true,
+              excluded: false,
+              id: 'send-alert-to-timeline-action-default-draggable-event-details-value-formatted-field-value-timeline-1-host-name-host-0',
+              kqlQuery: '',
+              name: 'host.name',
+              queryMatch: { field: 'host.name', operator: ':', value: 'host-0' },
+            },
+          ]);
+        });
+
+        it('should return new terms data as AND query for multiple values field', () => {
+          const newTermsEcsMock = cloneDeep(ecsDataMockWithNoTemplateTimeline[0]);
+          set(newTermsEcsMock, 'kibana.alert.new_terms', ['host-0', '127.0.0.1']);
+          set(newTermsEcsMock, 'kibana.alert.rule.parameters.new_terms_fields', [
+            'host.name',
+            'host.ip',
+          ]);
+
+          expect(getNewTermsData(newTermsEcsMock).dataProviders).toEqual([
+            {
+              and: [
+                {
+                  and: [],
+                  enabled: true,
+                  excluded: false,
+                  id: 'send-alert-to-timeline-action-default-draggable-event-details-value-formatted-field-value-timeline-1-host-ip-127.0.0.1',
+                  kqlQuery: '',
+                  name: 'host.ip',
+                  queryMatch: {
+                    field: 'host.ip',
+                    operator: ':',
+                    value: '127.0.0.1',
+                  },
+                },
+              ],
+              enabled: true,
+              excluded: false,
+              id: 'send-alert-to-timeline-action-default-draggable-event-details-value-formatted-field-value-timeline-1-host-name-host-0',
+              kqlQuery: '',
+              name: 'host.name',
+              queryMatch: { field: 'host.name', operator: ':', value: 'host-0' },
+            },
+          ]);
+        });
+      });
+    });
+
     describe('determineToAndFrom', () => {
       beforeEach(() => {
         fetchMock.mockResolvedValue({

x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx

@@ -560,29 +560,38 @@ const createThresholdTimeline = async (
   }
 };
 
-const getNewTermsData = (ecsData: Ecs | Ecs[]) => {
+export const getNewTermsData = (ecsData: Ecs | Ecs[]) => {
   const normalizedEcsData: Ecs = Array.isArray(ecsData) ? ecsData[0] : ecsData;
   const originalTimeValue = getField(normalizedEcsData, ALERT_ORIGINAL_TIME);
-  const newTermsField = getField(normalizedEcsData, `${ALERT_RULE_PARAMETERS}.new_terms_fields`)[0];
-  const newTermsValue = getField(normalizedEcsData, ALERT_NEW_TERMS)[0];
-  const newTermsFieldId = newTermsField.replace('.', '-');
-  const dataProviderPartial = {
-    id: `send-alert-to-timeline-action-default-draggable-event-details-value-formatted-field-value-${TimelineId.active}-${newTermsFieldId}-${newTermsValue}`,
-    name: newTermsField,
-    enabled: true,
-    excluded: false,
-    kqlQuery: '',
-    queryMatch: {
-      field: newTermsField,
-      value: newTermsValue,
-      operator: ':' as const,
-    },
-    and: [],
-  };
+  const newTermsFields: string[] =
+    getField(normalizedEcsData, `${ALERT_RULE_PARAMETERS}.new_terms_fields`) ?? [];
+
+  const dataProviderPartials = newTermsFields.map((newTermsField, index) => {
+    const newTermsFieldId = newTermsField.replace('.', '-');
+    const newTermsValue = getField(normalizedEcsData, ALERT_NEW_TERMS)[index];
+    return {
+      id: `send-alert-to-timeline-action-default-draggable-event-details-value-formatted-field-value-${TimelineId.active}-${newTermsFieldId}-${newTermsValue}`,
+      name: newTermsField,
+      enabled: true,
+      excluded: false,
+      kqlQuery: '',
+      queryMatch: {
+        field: newTermsField,
+        value: newTermsValue,
+        operator: ':' as const,
+      },
+      and: [],
+    };
+  });
+
+  const dataProviders = dataProviderPartials.length
+    ? [{ ...dataProviderPartials[0], and: dataProviderPartials.slice(1) }]
+    : [];
+
   return {
     from: originalTimeValue,
     to: moment().toISOString(),
-    dataProviders: [dataProviderPartial],
+    dataProviders,
   };
 };