[Security Solution][Detections] ML Rules accept multiple ML Job IDs (#97073)

* Adds helper to normalize legacy ML rule field to an array This will be used on read of rules, to normalize legacy rules while avoiding an explicit migration. * Fix our detection-specific ML search function Luckily this was just a translation layer to our anomaly call, and the underlying functions already accepted an array of strings. * WIP: Run rules against multiple ML Job IDs We don't yet support creation of rules with multiple job ids, either on the API or the UI, but when we do they will work. Note: the logic was previously to generate an error if the underlying job was not running, but to still query and generate alerts. Extending that logic to multiple jobs: if any are not running, we generate an error but continue querying and generating alerts. * WIP: updating ml rule schemas to support multiple job IDs * Simplify normalization method We don't care about null or empty string values here; those were holdovers from copying the logic of normalizeThreshold and don't apply to this situation. * Move normalized types to separate file to fix circular dependency Our use of NonEmptyArray within common/schemas seemed to be causing the above; this fixes it for now. * Normalize ML job_ids param at the API layer Previous changes to the base types already covered the majority of routes; this updates the miscellaneous helpers that don't leverage those shared utilities. At the DB level, the forthcoming migration will ensure that we always have "normalized" job IDs as an array. * Count stopped ML Jobs as partial failure during ML Rule execution Since we continue to query anomalies and potentially generate alerts, a "failure" status is no longer the most accurate for this situation. * Update 7.13 alerts migration to allow multi-job ML Rules This ensures that we can assume string[] for this field during rule execution. * Display N job statuses on rule details * WIP: converts MLJobSelect to a multiselect Unfortunately, the SuperSelect does not allow multiselect so we need to convert this to a combobox. Luckily we can reuse most of the code here and remain relatively clean. Since all combobox options must be the same (fixed) height, we're somewhat more limited than before for displaying the rows. The truncation appears fine, but I need to figure out a way to display the full description as well. * Update client-side logic to handle an array of ML job_ids * Marginally more legible error message * Conditionally call our normalize helper only if we have a value This fixes a type error where TS could not infer that the return value would not be undefined despite knowing that the argument was never undefined. I tried some fancy conditional generic types, but that didn't work. This is more analogous to normalizeThresholdObject now, anyway. * Fix remaining type error * Clean up our ML executor tests with existing contract mocks * Update ML Executor tests with new logic We now record a partial failure instead of an error. * Add and update tests for new ML normalization logic * Add and update integration tests for ML Rules Ensures that dealing with legacy job formats continues to work in the API. * Fix a type error These params can no longer be strings. * Update ML cypress test to create a rule with 2 ML jobs If we can create a rule with 2 jobs, we should also be able to create a rule with 1 job. * Remove unused constant * Persist a partial failure message written by a rule executor We added the result.warning field as a way to indicate that a partial failure was written to the rule, but neglected to account for that in the main rule execution code, which caused a success status to immediately overwrite the partial failure if the rule execution did not otherwise fail/short-circuit.
2025-04-24 09:48:58 -04:00 · 2021-04-15 21:27:43 -05:00 · 2021-04-15 21:27:43 -05:00 · b5ae056ac4
commit b5ae056ac4
parent 540924b5be
42 changed files with 365 additions and 189 deletions
--- a/x-pack/plugins/alerting/server/saved_objects/migrations.test.ts
+++ b/x-pack/plugins/alerting/server/saved_objects/migrations.test.ts
@ -973,6 +973,58 @@ describe('7.13.0', () => {
      },
    });
  });
+
+  test('security solution ML alert with string in machineLearningJobId is converted to an array', () => {
+    const migration713 = getMigrations(encryptedSavedObjectsSetup)['7.13.0'];
+    const alert = getMockData({
+      alertTypeId: 'siem.signals',
+      params: {
+        anomalyThreshold: 20,
+        machineLearningJobId: 'my_job_id',
+      },
+    });
+
+    expect(migration713(alert, migrationContext)).toEqual({
+      ...alert,
+      attributes: {
+        ...alert.attributes,
+        params: {
+          anomalyThreshold: 20,
+          machineLearningJobId: ['my_job_id'],
+          exceptionsList: [],
+          riskScoreMapping: [],
+          severityMapping: [],
+          threat: [],
+        },
+      },
+    });
+  });
+
+  test('security solution ML alert with an array in machineLearningJobId is preserved', () => {
+    const migration713 = getMigrations(encryptedSavedObjectsSetup)['7.13.0'];
+    const alert = getMockData({
+      alertTypeId: 'siem.signals',
+      params: {
+        anomalyThreshold: 20,
+        machineLearningJobId: ['my_job_id', 'my_other_job_id'],
+      },
+    });
+
+    expect(migration713(alert, migrationContext)).toEqual({
+      ...alert,
+      attributes: {
+        ...alert.attributes,
+        params: {
+          anomalyThreshold: 20,
+          machineLearningJobId: ['my_job_id', 'my_other_job_id'],
+          exceptionsList: [],
+          riskScoreMapping: [],
+          severityMapping: [],
+          threat: [],
+        },
+      },
+    });
+  });
 });

 function getUpdatedAt(): string {
--- a/x-pack/plugins/alerting/server/saved_objects/migrations.ts
+++ b/x-pack/plugins/alerting/server/saved_objects/migrations.ts
@ -400,6 +400,12 @@ function removeNullsFromSecurityRules(
            ? params.lists
            : [],
        threatFilters: convertNullToUndefined(params.threatFilters),
+        machineLearningJobId:
+          params.machineLearningJobId == null
+            ? undefined
+            : Array.isArray(params.machineLearningJobId)
+            ? params.machineLearningJobId
+            : [params.machineLearningJobId],
      },
    },
  };
--- a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts
+++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts
@ -22,6 +22,7 @@ import { PositiveIntegerGreaterThanZero } from '../types/positive_integer_greate
 import { PositiveInteger } from '../types/positive_integer';
 import { NonEmptyString } from '../types/non_empty_string';
 import { parseScheduleDates } from '../../parse_schedule_dates';
+import { machine_learning_job_id_normalized } from '../types/normalized_ml_job_id';

 export const author = t.array(t.string);
 export type Author = t.TypeOf<typeof author>;
@ -230,7 +231,7 @@ export type AnomalyThreshold = t.TypeOf<typeof PositiveInteger>;
 export const anomalyThresholdOrUndefined = t.union([anomaly_threshold, t.undefined]);
 export type AnomalyThresholdOrUndefined = t.TypeOf<typeof anomalyThresholdOrUndefined>;

-export const machine_learning_job_id = t.string;
+export const machine_learning_job_id = t.union([t.string, machine_learning_job_id_normalized]);
 export type MachineLearningJobId = t.TypeOf<typeof machine_learning_job_id>;

 export const machineLearningJobIdOrUndefined = t.union([machine_learning_job_id, t.undefined]);
--- a/x-pack/plugins/security_solution/common/detection_engine/schemas/types/normalized_ml_job_id.ts
+++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/types/normalized_ml_job_id.ts
@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+/* eslint-disable @typescript-eslint/naming-convention */
+
+import * as t from 'io-ts';
+
+import { NonEmptyArray } from './non_empty_array';
+
+export const machine_learning_job_id_normalized = NonEmptyArray(t.string);
+export type MachineLearningJobIdNormalized = t.TypeOf<typeof machine_learning_job_id_normalized>;
+
+export const machineLearningJobIdNormalizedOrUndefined = t.union([
+  machine_learning_job_id_normalized,
+  t.undefined,
+]);
+export type MachineLearningJobIdNormalizedOrUndefined = t.TypeOf<
+  typeof machineLearningJobIdNormalizedOrUndefined
+>;
--- a/x-pack/plugins/security_solution/common/detection_engine/utils.test.ts
+++ b/x-pack/plugins/security_solution/common/detection_engine/utils.test.ts
@ -10,6 +10,7 @@ import {
  hasLargeValueList,
  hasNestedEntry,
  isThreatMatchRule,
+  normalizeMachineLearningJobIds,
  normalizeThresholdField,
 } from './utils';
 import { EntriesArray } from '../shared_imports';
@ -175,3 +176,20 @@ describe('normalizeThresholdField', () => {
    expect(normalizeThresholdField('')).toEqual([]);
  });
 });
+
+describe('normalizeMachineLearningJobIds', () => {
+  it('converts a string to a string array', () => {
+    expect(normalizeMachineLearningJobIds('ml_job_id')).toEqual(['ml_job_id']);
+  });
+
+  it('preserves a single-valued array ', () => {
+    expect(normalizeMachineLearningJobIds(['ml_job_id'])).toEqual(['ml_job_id']);
+  });
+
+  it('preserves a multi-valued array ', () => {
+    expect(normalizeMachineLearningJobIds(['ml_job_id', 'other_ml_job_id'])).toEqual([
+      'ml_job_id',
+      'other_ml_job_id',
+    ]);
+  });
+});
--- a/x-pack/plugins/security_solution/common/detection_engine/utils.ts
+++ b/x-pack/plugins/security_solution/common/detection_engine/utils.ts
@ -62,5 +62,8 @@ export const normalizeThresholdObject = (threshold: Threshold): ThresholdNormali
  };
 };

+export const normalizeMachineLearningJobIds = (value: string | string[]): string[] =>
+  Array.isArray(value) ? value : [value];
+
 export const getRuleStatusText = (value: JobStatus | null | undefined): JobStatus | null =>
  value === 'partial failure' ? 'warning' : value != null ? value : null;
--- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/machine_learning_rule.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/machine_learning_rule.spec.ts
@ -129,8 +129,10 @@ describe('Detection rules, machine learning', () => {
      );
      getDetails(RULE_TYPE_DETAILS).should('have.text', 'Machine Learning');
      getDetails(TIMELINE_TEMPLATE_DETAILS).should('have.text', 'None');
-      cy.get(MACHINE_LEARNING_JOB_STATUS).should('have.text', 'Stopped');
-      cy.get(MACHINE_LEARNING_JOB_ID).should('have.text', machineLearningRule.machineLearningJob);
+      machineLearningRule.machineLearningJobs.forEach((machineLearningJob, jobIndex) => {
+        cy.get(MACHINE_LEARNING_JOB_STATUS).eq(jobIndex).should('have.text', 'Stopped');
+        cy.get(MACHINE_LEARNING_JOB_ID).eq(jobIndex).should('have.text', machineLearningJob);
+      });
    });
    cy.get(SCHEDULE_DETAILS).within(() => {
      getDetails(RUNS_EVERY_DETAILS).should(
--- a/x-pack/plugins/security_solution/cypress/objects/rule.ts
+++ b/x-pack/plugins/security_solution/cypress/objects/rule.ts
@ -78,7 +78,7 @@ export interface ThreatIndicatorRule extends CustomRule {
 }

 export interface MachineLearningRule {
-  machineLearningJob: string;
+  machineLearningJobs: string[];
  anomalyScoreThreshold: string;
  name: string;
  description: string;
@ -244,7 +244,7 @@ export const newThresholdRule: ThresholdRule = {
 };

 export const machineLearningRule: MachineLearningRule = {
-  machineLearningJob: 'linux_anomalous_network_service',
+  machineLearningJobs: ['linux_anomalous_network_service', 'linux_anomalous_network_activity_ecs'],
  anomalyScoreThreshold: '20',
  name: 'New ML Rule Test',
  description: 'The new ML rule description.',
--- a/x-pack/plugins/security_solution/cypress/screens/create_new_rule.ts
+++ b/x-pack/plugins/security_solution/cypress/screens/create_new_rule.ts
@ -108,9 +108,10 @@ export const LOOK_BACK_INTERVAL =
 export const LOOK_BACK_TIME_TYPE =
  '[data-test-subj="detectionEngineStepScheduleRuleFrom"] [data-test-subj="timeType"]';

-export const MACHINE_LEARNING_DROPDOWN = '[data-test-subj="mlJobSelect"] button';
+export const MACHINE_LEARNING_DROPDOWN_INPUT =
+  '[data-test-subj="mlJobSelect"] [data-test-subj="comboBoxInput"]';

-export const MACHINE_LEARNING_LIST = '.euiContextMenuItem__text';
+export const MACHINE_LEARNING_DROPDOWN_ITEM = '.euiFilterSelectItem';

 export const MACHINE_LEARNING_TYPE = '[data-test-subj="machineLearningRuleType"]';

--- a/x-pack/plugins/security_solution/cypress/tasks/create_new_rule.ts
+++ b/x-pack/plugins/security_solution/cypress/tasks/create_new_rule.ts
@ -44,8 +44,7 @@ import {
  INVESTIGATION_NOTES_TEXTAREA,
  LOOK_BACK_INTERVAL,
  LOOK_BACK_TIME_TYPE,
-  MACHINE_LEARNING_DROPDOWN,
-  MACHINE_LEARNING_LIST,
+  MACHINE_LEARNING_DROPDOWN_INPUT,
  MACHINE_LEARNING_TYPE,
  MITRE_ATTACK_ADD_SUBTECHNIQUE_BUTTON,
  MITRE_ATTACK_ADD_TACTIC_BUTTON,
@ -86,6 +85,7 @@ import {
  THRESHOLD_FIELD_SELECTION,
  THRESHOLD_INPUT_AREA,
  THRESHOLD_TYPE,
+  MACHINE_LEARNING_DROPDOWN_ITEM,
 } from '../screens/create_new_rule';
 import { TOAST_ERROR } from '../screens/shared';
 import { SERVER_SIDE_EVENT_COUNT } from '../screens/timeline';
@ -434,14 +434,17 @@ export const fillDefineIndicatorMatchRuleAndContinue = (rule: ThreatIndicatorRul
 };

 export const fillDefineMachineLearningRuleAndContinue = (rule: MachineLearningRule) => {
-  cy.get(MACHINE_LEARNING_DROPDOWN).click({ force: true });
-  cy.contains(MACHINE_LEARNING_LIST, rule.machineLearningJob).click();
+  rule.machineLearningJobs.forEach((machineLearningJob) => {
+    cy.get(MACHINE_LEARNING_DROPDOWN_INPUT).click({ force: true });
+    cy.contains(MACHINE_LEARNING_DROPDOWN_ITEM, machineLearningJob).click();
+    cy.get(MACHINE_LEARNING_DROPDOWN_INPUT).type('{esc}');
+  });
  cy.get(ANOMALY_THRESHOLD_INPUT).type(`{selectall}${machineLearningRule.anomalyScoreThreshold}`, {
    force: true,
  });
  getDefineContinueButton().should('exist').click({ force: true });

-  cy.get(MACHINE_LEARNING_DROPDOWN).should('not.exist');
+  cy.get(MACHINE_LEARNING_DROPDOWN_INPUT).should('not.exist');
 };

 export const goToDefineStepTab = () => {
--- a/x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_modal/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_modal/index.tsx
@ -140,10 +140,7 @@ export const AddExceptionModal = memo(function AddExceptionModal({
    memoSignalIndexName
  );

-  const memoMlJobIds = useMemo(
-    () => (maybeRule?.machine_learning_job_id != null ? [maybeRule.machine_learning_job_id] : []),
-    [maybeRule]
-  );
+  const memoMlJobIds = useMemo(() => maybeRule?.machine_learning_job_id ?? [], [maybeRule]);
  const { loading: mlJobLoading, jobs } = useGetInstalledJob(memoMlJobIds);

  const memoRuleIndices = useMemo(() => {
--- a/x-pack/plugins/security_solution/public/common/components/exceptions/edit_exception_modal/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/exceptions/edit_exception_modal/index.tsx
@ -123,10 +123,7 @@ export const EditExceptionModal = memo(function EditExceptionModal({
    memoSignalIndexName
  );

-  const memoMlJobIds = useMemo(
-    () => (maybeRule?.machine_learning_job_id != null ? [maybeRule.machine_learning_job_id] : []),
-    [maybeRule]
-  );
+  const memoMlJobIds = useMemo(() => maybeRule?.machine_learning_job_id ?? [], [maybeRule]);
  const { loading: mlJobLoading, jobs } = useGetInstalledJob(memoMlJobIds);

  const memoRuleIndices = useMemo(() => {
--- a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/index.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/index.tsx
@ -36,7 +36,7 @@ import {
  buildThresholdDescription,
  buildThreatMappingDescription,
 } from './helpers';
-import { buildMlJobDescription } from './ml_job_description';
+import { buildMlJobsDescription } from './ml_job_description';
 import { buildActionsDescription } from './actions_description';
 import { buildThrottleDescription } from './throttle_description';
 import { Threats, Type } from '../../../../../common/detection_engine/schemas/common/schemas';
@ -74,8 +74,8 @@ export const StepRuleDescriptionComponent = <T,>({
    if (key === 'machineLearningJobId') {
      return [
        ...acc,
-        buildMlJobDescription(
-          get(key, data) as string,
+        buildMlJobsDescription(
+          get(key, data) as string[],
          (get(key, schema) as { label: string }).label
        ),
      ];
--- a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/ml_job_description.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/ml_job_description.tsx
@ -104,7 +104,15 @@ const MlJobDescriptionComponent: React.FC<{ jobId: string }> = ({ jobId }) => {

 export const MlJobDescription = React.memo(MlJobDescriptionComponent);

-export const buildMlJobDescription = (jobId: string, label: string): ListItems => ({
+const MlJobsDescription: React.FC<{ jobIds: string[] }> = ({ jobIds }) => (
+  <>
+    {jobIds.map((jobId) => (
+      <MlJobDescription key={jobId} jobId={jobId} />
+    ))}
+  </>
+);
+
+export const buildMlJobsDescription = (jobIds: string[], label: string): ListItems => ({
  title: label,
-  description: <MlJobDescription jobId={jobId} />,
+  description: <MlJobsDescription jobIds={jobIds} />,
 });
--- a/x-pack/plugins/security_solution/public/detections/components/rules/ml_job_select/index.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/ml_job_select/index.tsx
@ -8,12 +8,13 @@
 import React, { useCallback, useMemo } from 'react';
 import { FormattedMessage } from '@kbn/i18n/react';
 import {
+  EuiComboBox,
+  EuiComboBoxOptionOption,
  EuiFlexGroup,
  EuiFlexItem,
  EuiFormRow,
  EuiIcon,
  EuiLink,
-  EuiSuperSelect,
  EuiText,
 } from '@elastic/eui';

@ -27,6 +28,13 @@ import {
  ENABLE_ML_JOB_WARNING,
 } from '../step_define_rule/translations';

+interface MlJobValue {
+  id: string;
+  description: string;
+}
+
+type MlJobOption = EuiComboBoxOptionOption<MlJobValue>;
+
 const HelpTextWarningContainer = styled.div`
  margin-top: 10px;
 `;
@ -65,9 +73,9 @@ const HelpText: React.FC<{ href: string; showEnableWarning: boolean }> = ({
  </>
 );

-const JobDisplay: React.FC<{ title: string; description: string }> = ({ title, description }) => (
+const JobDisplay: React.FC<MlJobValue> = ({ id, description }) => (
  <>
-    <strong>{title}</strong>
+    <strong>{id}</strong>
    <EuiText size="xs" color="subdued">
      <p>{description}</p>
    </EuiText>
@ -79,45 +87,44 @@ interface MlJobSelectProps {
  field: FieldHook;
 }

+const renderJobOption = (option: MlJobOption) => (
+  <JobDisplay id={option.value!.id} description={option.value!.description} />
+);
+
 export const MlJobSelect: React.FC<MlJobSelectProps> = ({ describedByIds = [], field }) => {
-  const jobId = field.value as string;
+  const jobIds = field.value as string[];
  const { isInvalid, errorMessage } = getFieldValidityAndErrorMessage(field);
  const { loading, jobs } = useSecurityJobs(false);
  const mlUrl = useKibana().services.application.getUrlForApp('ml');
-  const handleJobChange = useCallback(
-    (machineLearningJobId: string) => {
-      field.setValue(machineLearningJobId);
+  const handleJobSelect = useCallback(
+    (selectedJobOptions: MlJobOption[]): void => {
+      const selectedJobIds = selectedJobOptions.map((option) => option.value!.id);
+      field.setValue(selectedJobIds);
    },
    [field]
  );
-  const placeholderOption = {
-    value: 'placeholder',
-    inputDisplay: ML_JOB_SELECT_PLACEHOLDER_TEXT,
-    dropdownDisplay: ML_JOB_SELECT_PLACEHOLDER_TEXT,
-    disabled: true,
-  };

  const jobOptions = jobs.map((job) => ({
-    value: job.id,
-    inputDisplay: job.id,
-    dropdownDisplay: <JobDisplay title={job.id} description={job.description} />,
+    value: {
+      id: job.id,
+      description: job.description,
+    },
+    label: job.id,
  }));

-  const options = [placeholderOption, ...jobOptions];
+  const selectedJobOptions = jobOptions.filter((option) => jobIds.includes(option.value.id));

-  const isJobRunning = useMemo(() => {
-    // If the selected job is not found in the list, it means the placeholder is selected
-    // and so we don't want to show the warning, thus isJobRunning will be true when 'job == null'
-    const job = jobs.find(({ id }) => id === jobId);
-    return job == null || isJobStarted(job.jobState, job.datafeedState);
-  }, [jobs, jobId]);
+  const allJobsRunning = useMemo(() => {
+    const selectedJobs = jobs.filter(({ id }) => jobIds.includes(id));
+    return selectedJobs.every((job) => isJobStarted(job.jobState, job.datafeedState));
+  }, [jobs, jobIds]);

  return (
    <MlJobSelectEuiFlexGroup>
      <EuiFlexItem>
        <EuiFormRow
          label={field.label}
-          helpText={<HelpText href={mlUrl} showEnableWarning={!isJobRunning} />}
+          helpText={<HelpText href={mlUrl} showEnableWarning={!allJobsRunning} />}
          isInvalid={isInvalid}
          error={errorMessage}
          data-test-subj="mlJobSelect"
@ -125,12 +132,14 @@ export const MlJobSelect: React.FC<MlJobSelectProps> = ({ describedByIds = [], f
        >
          <EuiFlexGroup>
            <EuiFlexItem>
-              <EuiSuperSelect
-                hasDividers
+              <EuiComboBox
                isLoading={loading}
-                onChange={handleJobChange}
-                options={options}
-                valueOfSelected={jobId || 'placeholder'}
+                onChange={handleJobSelect}
+                options={jobOptions}
+                placeholder={ML_JOB_SELECT_PLACEHOLDER_TEXT}
+                renderOption={renderJobOption}
+                rowHeight={50}
+                selectedOptions={selectedJobOptions}
              />
            </EuiFlexItem>
          </EuiFlexGroup>
--- a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx
@ -65,7 +65,7 @@ interface StepDefineRuleProps extends RuleStepProps {
 const stepDefineDefaultValue: DefineStepRule = {
  anomalyThreshold: 50,
  index: [],
-  machineLearningJobId: '',
+  machineLearningJobId: [],
  ruleType: 'query',
  threatIndex: [],
  queryBar: {
--- a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/translations.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/translations.tsx
@ -68,7 +68,7 @@ export const ENABLE_ML_JOB_WARNING = i18n.translate(
  'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.mlEnableJobWarningTitle',
  {
    defaultMessage:
-      'This ML job is not currently running. Please set this job to run via "ML job settings" before activating this rule.',
+      'One or more selected ML jobs are not currently running. Please set these job(s) to run via "ML job settings" before activating this rule.',
  }
 );

--- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/types.ts
+++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/types.ts
@ -123,7 +123,7 @@ export const RuleSchema = t.intersection([
    last_success_message: t.string,
    last_success_at: t.string,
    meta: MetaRule,
-    machine_learning_job_id: t.string,
+    machine_learning_job_id: t.array(t.string),
    output_index: t.string,
    query: t.string,
    rule_name_override,
--- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/mocks/mock.ts
+++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/mocks/mock.ts
@ -185,7 +185,7 @@ export const mockActionsStepRule = (enabled = false): ActionsStepRule => ({
 export const mockDefineStepRule = (): DefineStepRule => ({
  ruleType: 'query',
  anomalyThreshold: 50,
-  machineLearningJobId: '',
+  machineLearningJobId: [],
  index: ['filebeat-'],
  queryBar: mockQueryBar,
  threatQueryBar: mockQueryBar,
--- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/create/helpers.test.ts
+++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/create/helpers.test.ts
@ -249,14 +249,14 @@ describe('helpers', () => {
        ...mockData,
        ruleType: 'machine_learning',
        anomalyThreshold: 44,
-        machineLearningJobId: 'some_jobert_id',
+        machineLearningJobId: ['some_jobert_id'],
      };
      const result = formatDefineStepData(mockStepData);

      const expected: DefineStepRuleJson = {
        type: 'machine_learning',
        anomaly_threshold: 44,
-        machine_learning_job_id: 'some_jobert_id',
+        machine_learning_job_id: ['some_jobert_id'],
        timeline_id: '86aa74d0-2136-11ea-9864-ebc8cc1cb8c2',
        timeline_title: 'Titled timeline',
      };
--- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.test.tsx
+++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.test.tsx
@ -34,7 +34,7 @@ import {
 import { getThreatMock } from '../../../../../common/detection_engine/schemas/types/threat.mock';

 describe('rule helpers', () => {
-  // @ts-ignore
+  // @ts-expect-error
  moment.suppressDeprecationWarnings = true;
  describe('getStepsData', () => {
    test('returns object with about, define, schedule and actions step properties formatted', () => {
@ -51,7 +51,7 @@ describe('rule helpers', () => {
        ruleType: 'saved_query',
        anomalyThreshold: 50,
        index: ['auditbeat-*'],
-        machineLearningJobId: '',
+        machineLearningJobId: [],
        queryBar: {
          query: {
            query: 'user.name: root or user.name: admin',
@ -204,7 +204,7 @@ describe('rule helpers', () => {
      const expected = {
        ruleType: 'saved_query',
        anomalyThreshold: 50,
-        machineLearningJobId: '',
+        machineLearningJobId: [],
        index: ['auditbeat-*'],
        queryBar: {
          query: {
@ -246,7 +246,7 @@ describe('rule helpers', () => {
      const expected = {
        ruleType: 'saved_query',
        anomalyThreshold: 50,
-        machineLearningJobId: '',
+        machineLearningJobId: [],
        index: ['auditbeat-*'],
        queryBar: {
          query: {
--- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.tsx
+++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.tsx
@ -81,7 +81,7 @@ export const getActionsStepsData = (
 export const getDefineStepsData = (rule: Rule): DefineStepRule => ({
  ruleType: rule.type,
  anomalyThreshold: rule.anomaly_threshold ?? 50,
-  machineLearningJobId: rule.machine_learning_job_id ?? '',
+  machineLearningJobId: rule.machine_learning_job_id ?? [],
  index: rule.index ?? [],
  threatIndex: rule.threat_index ?? [],
  threatQueryBar: {
--- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts
+++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts
@ -126,7 +126,7 @@ export interface AboutStepRiskScore {
 export interface DefineStepRule {
  anomalyThreshold: number;
  index: string[];
-  machineLearningJobId: string;
+  machineLearningJobId: string[];
  queryBar: FieldValueQueryBar;
  ruleType: Type;
  timeline: FieldValueTimeline;
@ -153,7 +153,7 @@ export interface DefineStepRuleJson {
  anomaly_threshold?: number;
  index?: string[];
  filters?: Filter[];
-  machine_learning_job_id?: string;
+  machine_learning_job_id?: string[];
  saved_id?: string;
  query?: string;
  language?: string;
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/patch_rules_bulk_route.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/patch_rules_bulk_route.test.ts
@ -76,7 +76,7 @@ describe('patch_rules_bulk', () => {
          data: expect.objectContaining({
            params: expect.objectContaining({
              anomalyThreshold: 4,
-              machineLearningJobId: 'some_job_id',
+              machineLearningJobId: ['some_job_id'],
            }),
          }),
        })
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/patch_rules_route.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/patch_rules_route.test.ts
@ -105,7 +105,7 @@ describe('patch_rules', () => {
          data: expect.objectContaining({
            params: expect.objectContaining({
              anomalyThreshold: 4,
-              machineLearningJobId: 'some_job_id',
+              machineLearningJobId: ['some_job_id'],
            }),
          }),
        })
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/utils.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/utils.test.ts
@ -87,14 +87,14 @@ describe('utils', () => {
    test('transforms ML Rule fields', () => {
      const mlRule = getAlertMock(getMlRuleParams());
      mlRule.params.anomalyThreshold = 55;
-      mlRule.params.machineLearningJobId = 'some_job_id';
+      mlRule.params.machineLearningJobId = ['some_job_id'];
      mlRule.params.type = 'machine_learning';

      const rule = transformAlertToRule(mlRule);
      expect(rule).toEqual(
        expect.objectContaining({
          anomaly_threshold: 55,
-          machine_learning_job_id: 'some_job_id',
+          machine_learning_job_id: ['some_job_id'],
          type: 'machine_learning',
        })
      );
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/create_rules.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/create_rules.test.ts
@ -9,7 +9,7 @@ import { createRules } from './create_rules';
 import { getCreateMlRulesOptionsMock } from './create_rules.mock';

 describe('createRules', () => {
-  it('calls the alertsClient with ML params', async () => {
+  it('calls the alertsClient with legacy ML params', async () => {
    const ruleOptions = getCreateMlRulesOptionsMock();
    await createRules(ruleOptions);
    expect(ruleOptions.alertsClient.create).toHaveBeenCalledWith(
@ -17,7 +17,25 @@ describe('createRules', () => {
        data: expect.objectContaining({
          params: expect.objectContaining({
            anomalyThreshold: 55,
-            machineLearningJobId: 'new_job_id',
+            machineLearningJobId: ['new_job_id'],
+          }),
+        }),
+      })
+    );
+  });
+
+  it('calls the alertsClient with ML params', async () => {
+    const ruleOptions = {
+      ...getCreateMlRulesOptionsMock(),
+      machineLearningJobId: ['new_job_1', 'new_job_2'],
+    };
+    await createRules(ruleOptions);
+    expect(ruleOptions.alertsClient.create).toHaveBeenCalledWith(
+      expect.objectContaining({
+        data: expect.objectContaining({
+          params: expect.objectContaining({
+            anomalyThreshold: 55,
+            machineLearningJobId: ['new_job_1', 'new_job_2'],
          }),
        }),
      })
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/create_rules.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/create_rules.ts
@ -5,7 +5,10 @@
 * 2.0.
 */

-import { normalizeThresholdObject } from '../../../../common/detection_engine/utils';
+import {
+  normalizeMachineLearningJobIds,
+  normalizeThresholdObject,
+} from '../../../../common/detection_engine/utils';
 import { transformRuleToAlertAction } from '../../../../common/detection_engine/transform_actions';
 import { SanitizedAlert } from '../../../../../alerting/common';
 import { SERVER_APP_ID, SIGNALS_ID } from '../../../../common/constants';
@ -89,7 +92,9 @@ export const createRules = async ({
        timelineId,
        timelineTitle,
        meta,
-        machineLearningJobId,
+        machineLearningJobId: machineLearningJobId
+          ? normalizeMachineLearningJobIds(machineLearningJobId)
+          : undefined,
        filters,
        maxSignals,
        riskScore,
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/patch_rules.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/patch_rules.test.ts
@ -41,7 +41,7 @@ describe('patchRules', () => {
    );
  });

-  it('calls the alertsClient with ML params', async () => {
+  it('calls the alertsClient with legacy ML params', async () => {
    const rulesOptionsMock = getPatchMlRulesOptionsMock();
    const ruleOptions: PatchRulesOptions = {
      ...rulesOptionsMock,
@ -56,7 +56,30 @@ describe('patchRules', () => {
        data: expect.objectContaining({
          params: expect.objectContaining({
            anomalyThreshold: 55,
-            machineLearningJobId: 'new_job_id',
+            machineLearningJobId: ['new_job_id'],
+          }),
+        }),
+      })
+    );
+  });
+
+  it('calls the alertsClient with new ML params', async () => {
+    const rulesOptionsMock = getPatchMlRulesOptionsMock();
+    const ruleOptions: PatchRulesOptions = {
+      ...rulesOptionsMock,
+      machineLearningJobId: ['new_job_1', 'new_job_2'],
+      enabled: true,
+    };
+    if (ruleOptions.rule != null) {
+      ruleOptions.rule.enabled = false;
+    }
+    await patchRules(ruleOptions);
+    expect(ruleOptions.alertsClient.update).toHaveBeenCalledWith(
+      expect.objectContaining({
+        data: expect.objectContaining({
+          params: expect.objectContaining({
+            anomalyThreshold: 55,
+            machineLearningJobId: ['new_job_1', 'new_job_2'],
          }),
        }),
      })
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/patch_rules.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/patch_rules.ts
@ -14,7 +14,10 @@ import { addTags } from './add_tags';
 import { calculateVersion, calculateName, calculateInterval, removeUndefined } from './utils';
 import { ruleStatusSavedObjectsClientFactory } from '../signals/rule_status_saved_objects_client';
 import { internalRuleUpdate, RuleParams } from '../schemas/rule_schemas';
-import { normalizeThresholdObject } from '../../../../common/detection_engine/utils';
+import {
+  normalizeMachineLearningJobIds,
+  normalizeThresholdObject,
+} from '../../../../common/detection_engine/utils';

 class PatchError extends Error {
  public readonly statusCode: number;
@ -167,7 +170,9 @@ export const patchRules = async ({
      version: calculatedVersion,
      exceptionsList,
      anomalyThreshold,
-      machineLearningJobId,
+      machineLearningJobId: machineLearningJobId
+        ? normalizeMachineLearningJobIds(machineLearningJobId)
+        : undefined,
    }
  );

--- a/x-pack/plugins/security_solution/server/lib/detection_engine/schemas/rule_converters.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/schemas/rule_converters.ts
@ -7,7 +7,10 @@

 import uuid from 'uuid';
 import { SavedObject } from 'kibana/server';
-import { normalizeThresholdObject } from '../../../../common/detection_engine/utils';
+import {
+  normalizeMachineLearningJobIds,
+  normalizeThresholdObject,
+} from '../../../../common/detection_engine/utils';
 import {
  InternalRuleCreate,
  RuleParams,
@ -103,7 +106,7 @@ export const typeSpecificSnakeToCamel = (params: CreateTypeSpecific): TypeSpecif
      return {
        type: params.type,
        anomalyThreshold: params.anomaly_threshold,
-        machineLearningJobId: params.machine_learning_job_id,
+        machineLearningJobId: normalizeMachineLearningJobIds(params.machine_learning_job_id),
      };
    }
    default: {
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/schemas/rule_schemas.mock.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/schemas/rule_schemas.mock.ts
@ -88,7 +88,7 @@ export const getMlRuleParams = (): MachineLearningRuleParams => {
    ...getBaseRuleParams(),
    type: 'machine_learning',
    anomalyThreshold: 42,
-    machineLearningJobId: 'my-job',
+    machineLearningJobId: ['my-job'],
  };
 };

--- a/x-pack/plugins/security_solution/server/lib/detection_engine/schemas/rule_schemas.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/schemas/rule_schemas.ts
@ -36,7 +36,6 @@ import {
  query,
  queryOrUndefined,
  filtersOrUndefined,
-  machine_learning_job_id,
  max_signals,
  risk_score,
  risk_score_mapping,
@ -62,6 +61,7 @@ import {
  updated_at,
 } from '../../../../common/detection_engine/schemas/common/schemas';
 import { SIGNALS_ID, SERVER_APP_ID } from '../../../../common/constants';
+import { machine_learning_job_id_normalized } from '../../../../common/detection_engine/schemas/types/normalized_ml_job_id';

 const nonEqlLanguages = t.keyof({ kuery: null, lucene: null });
 export const baseRuleParams = t.exact(
@ -167,7 +167,7 @@ export type ThresholdRuleParams = t.TypeOf<typeof thresholdRuleParams>;
 const machineLearningSpecificRuleParams = t.type({
  type: t.literal('machine_learning'),
  anomalyThreshold: anomaly_threshold,
-  machineLearningJobId: machine_learning_job_id,
+  machineLearningJobId: machine_learning_job_id_normalized,
 });
 export const machineLearningRuleParams = t.intersection([
  baseRuleParams,
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/ml.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/ml.test.ts
@ -15,52 +15,21 @@ import { buildRuleMessageFactory } from '../rule_messages';
 import { getListClientMock } from '../../../../../../lists/server/services/lists/list_client.mock';
 import { findMlSignals } from '../find_ml_signals';
 import { bulkCreateMlSignals } from '../bulk_create_ml_signals';
+import { mlPluginServerMock } from '../../../../../../ml/server/mocks';
+import { sampleRuleSO } from '../__mocks__/es_results';
+import { getRuleStatusServiceMock } from '../rule_status_service.mock';

 jest.mock('../find_ml_signals');
 jest.mock('../bulk_create_ml_signals');

 describe('ml_executor', () => {
-  const jobsSummaryMock = jest.fn();
-  const mlMock = {
-    mlClient: {
-      callAsInternalUser: jest.fn(),
-      close: jest.fn(),
-      asScoped: jest.fn(),
-    },
-    jobServiceProvider: jest.fn().mockReturnValue({
-      jobsSummary: jobsSummaryMock,
-    }),
-    anomalyDetectorsProvider: jest.fn(),
-    mlSystemProvider: jest.fn(),
-    modulesProvider: jest.fn(),
-    resultsServiceProvider: jest.fn(),
-    alertingServiceProvider: jest.fn(),
-  };
+  let jobsSummaryMock: jest.Mock;
+  let mlMock: ReturnType<typeof mlPluginServerMock.createSetupContract>;
+  let ruleStatusService: ReturnType<typeof getRuleStatusServiceMock>;
  const exceptionItems = [getExceptionListItemSchemaMock()];
  let logger: ReturnType<typeof loggingSystemMock.createLogger>;
  let alertServices: AlertServicesMock;
-  let ruleStatusService: Record<string, jest.Mock>;
-  const mlSO = {
-    id: '04128c15-0d1b-4716-a4c5-46997ac7f3bd',
-    type: 'alert',
-    version: '1',
-    updated_at: '2020-03-27T22:55:59.577Z',
-    attributes: {
-      actions: [],
-      enabled: true,
-      name: 'rule-name',
-      tags: ['some fake tag 1', 'some fake tag 2'],
-      createdBy: 'sample user',
-      createdAt: '2020-03-27T22:55:59.577Z',
-      updatedBy: 'sample user',
-      schedule: {
-        interval: '5m',
-      },
-      throttle: 'no_actions',
-      params: getMlRuleParams(),
-    },
-    references: [],
-  };
+  const mlSO = sampleRuleSO(getMlRuleParams());
  const buildRuleMessage = buildRuleMessageFactory({
    id: mlSO.id,
    ruleId: mlSO.attributes.params.ruleId,
@ -69,15 +38,14 @@ describe('ml_executor', () => {
  });

  beforeEach(() => {
+    jobsSummaryMock = jest.fn();
    alertServices = alertsMock.createAlertServices();
    logger = loggingSystemMock.createLogger();
-    ruleStatusService = {
-      success: jest.fn(),
-      find: jest.fn(),
-      goingToRun: jest.fn(),
-      error: jest.fn(),
-      partialFailure: jest.fn(),
-    };
+    mlMock = mlPluginServerMock.createSetupContract();
+    mlMock.jobServiceProvider.mockReturnValue({
+      jobsSummary: jobsSummaryMock,
+    });
+    ruleStatusService = getRuleStatusServiceMock();
    (findMlSignals as jest.Mock).mockResolvedValue({
      _shards: {},
      hits: {
@ -98,7 +66,7 @@ describe('ml_executor', () => {
        rule: mlSO,
        ml: undefined,
        exceptionItems,
-        ruleStatusService: (ruleStatusService as unknown) as RuleStatusService,
+        ruleStatusService,
        services: alertServices,
        logger,
        refresh: false,
@ -108,13 +76,13 @@ describe('ml_executor', () => {
    ).rejects.toThrow('ML plugin unavailable during rule execution');
  });

-  it('should throw an error if Machine learning job summary was null', async () => {
+  it('should record a partial failure if Machine learning job summary was null', async () => {
    jobsSummaryMock.mockResolvedValue([]);
    await mlExecutor({
      rule: mlSO,
      ml: mlMock,
      exceptionItems,
-      ruleStatusService: (ruleStatusService as unknown) as RuleStatusService,
+      ruleStatusService,
      services: alertServices,
      logger,
      refresh: false,
@ -122,14 +90,14 @@ describe('ml_executor', () => {
      listClient: getListClientMock(),
    });
    expect(logger.warn).toHaveBeenCalled();
-    expect(logger.warn.mock.calls[0][0]).toContain('Machine learning job is not started');
-    expect(ruleStatusService.error).toHaveBeenCalled();
-    expect(ruleStatusService.error.mock.calls[0][0]).toContain(
-      'Machine learning job is not started'
+    expect(logger.warn.mock.calls[0][0]).toContain('Machine learning job(s) are not started');
+    expect(ruleStatusService.partialFailure).toHaveBeenCalled();
+    expect(ruleStatusService.partialFailure.mock.calls[0][0]).toContain(
+      'Machine learning job(s) are not started'
    );
  });

-  it('should log an error if Machine learning job was not started', async () => {
+  it('should record a partial failure if Machine learning job was not started', async () => {
    jobsSummaryMock.mockResolvedValue([
      {
        id: 'some_job_id',
@ -150,10 +118,10 @@ describe('ml_executor', () => {
      listClient: getListClientMock(),
    });
    expect(logger.warn).toHaveBeenCalled();
-    expect(logger.warn.mock.calls[0][0]).toContain('Machine learning job is not started');
-    expect(ruleStatusService.error).toHaveBeenCalled();
-    expect(ruleStatusService.error.mock.calls[0][0]).toContain(
-      'Machine learning job is not started'
+    expect(logger.warn.mock.calls[0][0]).toContain('Machine learning job(s) are not started');
+    expect(ruleStatusService.partialFailure).toHaveBeenCalled();
+    expect(ruleStatusService.partialFailure.mock.calls[0][0]).toContain(
+      'Machine learning job(s) are not started'
    );
  });
 });
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/ml.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/ml.ts
@ -58,20 +58,28 @@ export const mlExecutor = async ({
  const fakeRequest = {} as KibanaRequest;
  const summaryJobs = await ml
    .jobServiceProvider(fakeRequest, services.savedObjectsClient)
-    .jobsSummary([ruleParams.machineLearningJobId]);
-  const jobSummary = summaryJobs.find((job) => job.id === ruleParams.machineLearningJobId);
+    .jobsSummary(ruleParams.machineLearningJobId);
+  const jobSummaries = summaryJobs.filter((job) =>
+    ruleParams.machineLearningJobId.includes(job.id)
+  );

-  if (jobSummary == null || !isJobStarted(jobSummary.jobState, jobSummary.datafeedState)) {
+  if (
+    jobSummaries.length < 1 ||
+    jobSummaries.some((job) => !isJobStarted(job.jobState, job.datafeedState))
+  ) {
    const errorMessage = buildRuleMessage(
-      'Machine learning job is not started:',
-      `job id: "${ruleParams.machineLearningJobId}"`,
-      `job status: "${jobSummary?.jobState}"`,
-      `datafeed status: "${jobSummary?.datafeedState}"`
+      'Machine learning job(s) are not started:',
+      ...jobSummaries.map((job) =>
+        [
+          `job id: "${job.id}"`,
+          `job status: "${job.jobState}"`,
+          `datafeed status: "${job.datafeedState}"`,
+        ].join(', ')
+      )
    );
    logger.warn(errorMessage);
    result.warning = true;
-    // TODO: change this to partialFailure since we don't immediately exit rule function and still do actions at the end?
-    await ruleStatusService.error(errorMessage);
+    await ruleStatusService.partialFailure(errorMessage);
  }

  const anomalyResults = await findMlSignals({
@ -80,7 +88,7 @@ export const mlExecutor = async ({
    // currently unused by the mlAnomalySearch function.
    request: ({} as unknown) as KibanaRequest,
    savedObjectsClient: services.savedObjectsClient,
-    jobId: ruleParams.machineLearningJobId,
+    jobIds: ruleParams.machineLearningJobId,
    anomalyThreshold: ruleParams.anomalyThreshold,
    from: ruleParams.from,
    to: ruleParams.to,
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/find_ml_signals.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/find_ml_signals.ts
@ -16,7 +16,7 @@ export const findMlSignals = async ({
  ml,
  request,
  savedObjectsClient,
-  jobId,
+  jobIds,
  anomalyThreshold,
  from,
  to,
@ -25,7 +25,7 @@ export const findMlSignals = async ({
  ml: MlPluginSetup;
  request: KibanaRequest;
  savedObjectsClient: SavedObjectsClientContract;
-  jobId: string;
+  jobIds: string[];
  anomalyThreshold: number;
  from: string;
  to: string;
@ -33,7 +33,7 @@ export const findMlSignals = async ({
 }): Promise<AnomalyResults> => {
  const { mlAnomalySearch } = ml.mlSystemProvider(request, savedObjectsClient);
  const params = {
-    jobIds: [jobId],
+    jobIds,
    threshold: anomalyThreshold,
    earliestMs: dateMath.parse(from)?.valueOf() ?? 0,
    latestMs: dateMath.parse(to)?.valueOf() ?? 0,
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/rule_status_service.mock.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/rule_status_service.mock.ts
@ -5,37 +5,11 @@
 * 2.0.
 */

-import { SavedObjectsClientContract } from '../../../../../../../src/core/server';
-import { RuleStatusSavedObjectsClient } from './rule_status_saved_objects_client';
 import { RuleStatusService } from './rule_status_service';

-export type RuleStatusServiceMock = jest.Mocked<RuleStatusService>;
-
-export const ruleStatusServiceFactoryMock = async ({
-  alertId,
-  ruleStatusClient,
-}: {
-  alertId: string;
-  ruleStatusClient: RuleStatusSavedObjectsClient;
-}): Promise<RuleStatusServiceMock> => {
-  return {
-    goingToRun: jest.fn(),
-
-    success: jest.fn(),
-
-    partialFailure: jest.fn(),
-
-    error: jest.fn(),
-  };
-};
-
-export type RuleStatusSavedObjectsClientMock = jest.Mocked<RuleStatusSavedObjectsClient>;
-
-export const ruleStatusSavedObjectsClientFactory = (
-  savedObjectsClient: SavedObjectsClientContract
-): RuleStatusSavedObjectsClientMock => ({
-  find: jest.fn(),
-  create: jest.fn(),
-  update: jest.fn(),
-  delete: jest.fn(),
+export const getRuleStatusServiceMock = (): jest.Mocked<RuleStatusService> => ({
+  goingToRun: jest.fn(),
+  success: jest.fn(),
+  partialFailure: jest.fn(),
+  error: jest.fn(),
 });
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts
@ -330,7 +330,7 @@ export const signalRulesAlertType = ({
              `[+] Finished indexing ${result.createdSignalsCount} signals into ${outputIndex}`
            )
          );
-          if (!hasError && !wroteWarningStatus) {
+          if (!hasError && !wroteWarningStatus && !result.warning) {
            await ruleStatusService.success('succeeded', {
              bulkCreateTimeDurations: result.bulkCreateTimes,
              searchAfterTimeDurations: result.searchAfterTimes,
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_rules.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_rules.ts
@ -224,6 +224,21 @@ export default ({ getService }: FtrProviderContext) => {
          expect(bodyToCompare).to.eql(getSimpleRuleOutputWithoutRuleId());
        });

+        it('creates a single Machine Learning rule from a legacy ML Rule format', async () => {
+          const legacyMlRule = {
+            ...getSimpleMlRule(),
+            machine_learning_job_id: 'some_job_id',
+          };
+          const { body } = await supertest
+            .post(DETECTION_ENGINE_RULES_URL)
+            .set('kbn-xsrf', 'true')
+            .send(legacyMlRule)
+            .expect(200);
+
+          const bodyToCompare = removeServerGeneratedProperties(body);
+          expect(bodyToCompare).to.eql(getSimpleMlRuleOutput());
+        });
+
        it('should create a single Machine Learning rule', async () => {
          const { body } = await supertest
            .post(DETECTION_ENGINE_RULES_URL)
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/patch_rules.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/patch_rules.ts
@ -55,6 +55,22 @@ export default ({ getService }: FtrProviderContext) => {
        expect(bodyToCompare).to.eql(outputRule);
      });

+      it("should patch a machine_learning rule's job ID if in a legacy format", async () => {
+        await createRule(supertest, getSimpleMlRule('rule-1'));
+
+        // patch a simple rule's name
+        const { body } = await supertest
+          .patch(DETECTION_ENGINE_RULES_URL)
+          .set('kbn-xsrf', 'true')
+          .send({ rule_id: 'rule-1', machine_learning_job_id: 'some_job_id' })
+          .expect(200);
+
+        const outputRule = getSimpleMlRuleOutput();
+        outputRule.version = 2;
+        const bodyToCompare = removeServerGeneratedProperties(body);
+        expect(bodyToCompare).to.eql(outputRule);
+      });
+
      it('should patch a single rule property of name using a rule_id of type "machine learning"', async () => {
        await createRule(supertest, getSimpleMlRule('rule-1'));

--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/update_rules.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/update_rules.ts
@ -62,6 +62,28 @@ export default ({ getService }: FtrProviderContext) => {
        expect(bodyToCompare).to.eql(outputRule);
      });

+      it("should update a rule's machine learning job ID if given a legacy job ID format", async () => {
+        await createRule(supertest, getSimpleMlRule('rule-1'));
+
+        // update rule's machine_learning_job_id
+        const updatedRule = getSimpleMlRuleUpdate('rule-1');
+        // @ts-expect-error updatedRule is the full union type here and thus is not narrowed to our ML params
+        updatedRule.machine_learning_job_id = 'legacy_job_id';
+        delete updatedRule.id;
+
+        const { body } = await supertest
+          .put(DETECTION_ENGINE_RULES_URL)
+          .set('kbn-xsrf', 'true')
+          .send(updatedRule)
+          .expect(200);
+
+        const outputRule = getSimpleMlRuleOutput();
+        outputRule.machine_learning_job_id = ['legacy_job_id'];
+        outputRule.version = 2;
+        const bodyToCompare = removeServerGeneratedProperties(body);
+        expect(bodyToCompare).to.eql(outputRule);
+      });
+
      it('should update a single rule property of name using a rule_id with a machine learning job', async () => {
        await createRule(supertest, getSimpleMlRule('rule-1'));

--- a/x-pack/test/detection_engine_api_integration/utils.ts
+++ b/x-pack/test/detection_engine_api_integration/utils.ts
@ -172,7 +172,7 @@ export const getSimpleMlRule = (ruleId = 'rule-1', enabled = false): CreateRules
  risk_score: 1,
  rule_id: ruleId,
  severity: 'high',
-  machine_learning_job_id: 'some_job_id',
+  machine_learning_job_id: ['some_job_id'],
  type: 'machine_learning',
 });

@ -189,7 +189,7 @@ export const getSimpleMlRuleUpdate = (ruleId = 'rule-1', enabled = false): Updat
  risk_score: 1,
  rule_id: ruleId,
  severity: 'high',
-  machine_learning_job_id: 'some_job_id',
+  machine_learning_job_id: ['some_job_id'],
  type: 'machine_learning',
 });

@ -344,7 +344,7 @@ export const getSimpleMlRuleOutput = (ruleId = 'rule-1'): Partial<RulesSchema> =
    name: 'Simple ML Rule',
    description: 'Simple Machine Learning Rule',
    anomaly_threshold: 44,
-    machine_learning_job_id: 'some_job_id',
+    machine_learning_job_id: ['some_job_id'],
    type: 'machine_learning',
  };
 };