[Rule Registry][RAC] Rename kibana.alert.id to kibana.alert.instance.id (#110528)

* Rename kibana.alert.id to kibana.alert.instance.id * Update test snapshot * Fix test * One more fix
2025-04-23 09:19:04 -04:00 · 2021-09-01 13:56:49 -07:00 · 2021-09-01 13:56:49 -07:00 · f58865c1f5
commit f58865c1f5
parent 2fe56f9793
21 changed files with 60 additions and 60 deletions
--- a/packages/kbn-rule-data-utils/src/technical_field_names.ts
+++ b/packages/kbn-rule-data-utils/src/technical_field_names.ts
@ -28,7 +28,7 @@ const ALERT_DURATION = `${ALERT_NAMESPACE}.duration.us` as const;
 const ALERT_END = `${ALERT_NAMESPACE}.end` as const;
 const ALERT_EVALUATION_THRESHOLD = `${ALERT_NAMESPACE}.evaluation.threshold` as const;
 const ALERT_EVALUATION_VALUE = `${ALERT_NAMESPACE}.evaluation.value` as const;
-const ALERT_ID = `${ALERT_NAMESPACE}.id` as const;
+const ALERT_INSTANCE_ID = `${ALERT_NAMESPACE}.instance.id` as const;
 const ALERT_REASON = `${ALERT_NAMESPACE}.reason` as const;
 const ALERT_RISK_SCORE = `${ALERT_NAMESPACE}.risk_score` as const;
 const ALERT_SEVERITY = `${ALERT_NAMESPACE}.severity` as const;
@ -94,7 +94,7 @@ const fields = {
  ALERT_END,
  ALERT_EVALUATION_THRESHOLD,
  ALERT_EVALUATION_VALUE,
-  ALERT_ID,
+  ALERT_INSTANCE_ID,
  ALERT_RULE_CONSUMER,
  ALERT_RULE_PRODUCER,
  ALERT_REASON,
@ -143,7 +143,7 @@ export {
  ALERT_END,
  ALERT_EVALUATION_THRESHOLD,
  ALERT_EVALUATION_VALUE,
-  ALERT_ID,
+  ALERT_INSTANCE_ID,
  ALERT_NAMESPACE,
  ALERT_RULE_NAMESPACE,
  ALERT_RULE_CONSUMER,
--- a/x-pack/plugins/apm/public/components/shared/charts/helper/get_alert_annotations.test.tsx
+++ b/x-pack/plugins/apm/public/components/shared/charts/helper/get_alert_annotations.test.tsx
@ -10,7 +10,7 @@ import {
  ALERT_EVALUATION_THRESHOLD,
  ALERT_RULE_TYPE_ID,
  ALERT_EVALUATION_VALUE,
-  ALERT_ID,
+  ALERT_INSTANCE_ID,
  ALERT_RULE_PRODUCER,
  ALERT_RULE_CONSUMER,
  ALERT_SEVERITY,
@ -54,7 +54,7 @@ const alert: Alert = {
  [ALERT_RULE_UUID]: ['82e0ee40-c2f4-11eb-9a42-a9da66a1722f'],
  'event.action': ['active'],
  '@timestamp': ['2021-06-01T16:16:05.183Z'],
-  [ALERT_ID]: ['apm.transaction_duration_All'],
+  [ALERT_INSTANCE_ID]: ['apm.transaction_duration_All'],
  'processor.event': ['transaction'],
  [ALERT_EVALUATION_THRESHOLD]: [500000],
  [ALERT_START]: ['2021-06-01T16:15:02.304Z'],
--- a/x-pack/plugins/apm/public/components/shared/charts/latency_chart/latency_chart.stories.tsx
+++ b/x-pack/plugins/apm/public/components/shared/charts/latency_chart/latency_chart.stories.tsx
@ -10,7 +10,7 @@ import {
  ALERT_EVALUATION_THRESHOLD,
  ALERT_RULE_TYPE_ID,
  ALERT_EVALUATION_VALUE,
-  ALERT_ID,
+  ALERT_INSTANCE_ID,
  ALERT_SEVERITY,
  ALERT_START,
  ALERT_STATUS,
@ -142,7 +142,7 @@ Example.args = {
        [ALERT_RULE_UUID]: ['82e0ee40-c2f4-11eb-9a42-a9da66a1722f'],
        'event.action': ['active'],
        '@timestamp': ['2021-06-01T20:27:48.833Z'],
-        [ALERT_ID]: ['apm.transaction_duration_All'],
+        [ALERT_INSTANCE_ID]: ['apm.transaction_duration_All'],
        'processor.event': ['transaction'],
        [ALERT_EVALUATION_THRESHOLD]: [500000],
        [ALERT_START]: ['2021-06-02T04:00:00.000Z'],
@ -164,7 +164,7 @@ Example.args = {
        [ALERT_RULE_UUID]: ['82e0ee40-c2f4-11eb-9a42-a9da66a1722f'],
        'event.action': ['active'],
        '@timestamp': ['2021-06-01T20:27:48.833Z'],
-        [ALERT_ID]: ['apm.transaction_duration_All'],
+        [ALERT_INSTANCE_ID]: ['apm.transaction_duration_All'],
        'processor.event': ['transaction'],
        [ALERT_EVALUATION_THRESHOLD]: [500000],
        [ALERT_START]: ['2021-06-02T10:45:00.000Z'],
@ -186,7 +186,7 @@ Example.args = {
        [ALERT_RULE_UUID]: ['82e0ee40-c2f4-11eb-9a42-a9da66a1722f'],
        'event.action': ['active'],
        '@timestamp': ['2021-06-01T20:27:48.833Z'],
-        [ALERT_ID]: ['apm.transaction_duration_All'],
+        [ALERT_INSTANCE_ID]: ['apm.transaction_duration_All'],
        'processor.event': ['transaction'],
        [ALERT_EVALUATION_THRESHOLD]: [500000],
        [ALERT_START]: ['2021-06-02T16:50:00.000Z'],
--- a/x-pack/plugins/observability/public/pages/alerts/example_data.ts
+++ b/x-pack/plugins/observability/public/pages/alerts/example_data.ts
@ -8,7 +8,7 @@
 import {
  ALERT_DURATION,
  ALERT_END,
-  ALERT_ID,
+  ALERT_INSTANCE_ID,
  ALERT_SEVERITY,
  ALERT_RULE_TYPE_ID,
  ALERT_START,
@ -35,7 +35,7 @@ export const apmAlertResponseExample = [
    [ALERT_RULE_UUID]: ['474920d0-93e9-11eb-ac86-0b455460de81'],
    'event.action': ['active'],
    '@timestamp': ['2021-04-12T13:53:49.550Z'],
-    [ALERT_ID]: ['apm.error_rate_opbeans-java_production'],
+    [ALERT_INSTANCE_ID]: ['apm.error_rate_opbeans-java_production'],
    [ALERT_START]: ['2021-04-12T13:50:49.493Z'],
    [ALERT_RULE_PRODUCER]: ['apm'],
    'event.kind': ['state'],
@ -55,7 +55,7 @@ export const apmAlertResponseExample = [
    [ALERT_RULE_UUID]: ['474920d0-93e9-11eb-ac86-0b455460de81'],
    'event.action': ['close'],
    '@timestamp': ['2021-04-12T13:49:49.446Z'],
-    [ALERT_ID]: ['apm.error_rate_opbeans-java_production'],
+    [ALERT_INSTANCE_ID]: ['apm.error_rate_opbeans-java_production'],
    [ALERT_START]: ['2021-04-12T13:09:30.441Z'],
    [ALERT_RULE_PRODUCER]: ['apm'],
    'event.kind': ['state'],
@ -116,7 +116,7 @@ export const dynamicIndexPattern = {
      readFromDocValues: true,
    },
    {
-      name: ALERT_ID,
+      name: ALERT_INSTANCE_ID,
      type: 'string',
      esTypes: ['keyword'],
      searchable: true,
--- a/x-pack/plugins/rule_registry/README.md
+++ b/x-pack/plugins/rule_registry/README.md
@ -130,7 +130,7 @@ The following fields are defined in the technical field component template and s
 - `kibana.alert.rule.name`: the name of the rule (as specified by the user).
 - `kibana.alert.rule.category`: the name of the rule type (as defined by the rule type producer)
 - `kibana.alert.rule.consumer`: the feature which produced the alert (inherited from the rule producer field). Usually a Kibana feature id like `apm`, `siem`...
- `kibana.alert.id`: the id of the alert, that is unique within the context of the rule execution it was created in. E.g., for a rule that monitors latency for all services in all environments, this might be `opbeans-java:production`.
+- `kibana.alert.instance.id`: the id of the alert instance, that is unique within the context of the rule execution it was created in. E.g., for a rule that monitors latency for all services in all environments, this might be `opbeans-java:production`.
 - `kibana.alert.uuid`: the unique identifier for the alert during its lifespan. If an alert recovers (or closes), this identifier is re-generated when it is opened again.
 - `kibana.alert.status`: the status of the alert. Can be `active` or `recovered`.
 - `kibana.alert.start`: the ISO timestamp of the time at which the alert started.
--- a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
+++ b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
@ -21,7 +21,7 @@ export const technicalRuleFieldMap = {
  [Fields.ALERT_RULE_PRODUCER]: { type: 'keyword', required: true },
  [Fields.SPACE_IDS]: { type: 'keyword', array: true, required: true },
  [Fields.ALERT_UUID]: { type: 'keyword', required: true },
-  [Fields.ALERT_ID]: { type: 'keyword', required: true },
+  [Fields.ALERT_INSTANCE_ID]: { type: 'keyword', required: true },
  [Fields.ALERT_START]: { type: 'date' },
  [Fields.ALERT_END]: { type: 'date' },
  [Fields.ALERT_DURATION]: { type: 'long' },
--- a/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts
+++ b/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts
@ -6,7 +6,7 @@
 */

 import {
-  ALERT_ID,
+  ALERT_INSTANCE_ID,
  ALERT_RULE_CATEGORY,
  ALERT_RULE_CONSUMER,
  ALERT_RULE_NAME,
@ -30,7 +30,7 @@ import { getReadRequest } from './__mocks__/request_responses';
 import { requestMock, serverMock } from './__mocks__/server';

 const getMockAlert = (): ParsedTechnicalFields => ({
-  [ALERT_ID]: 'fake-alert-id',
+  [ALERT_INSTANCE_ID]: 'fake-alert-id',
  [ALERT_RULE_CATEGORY]: 'apm.error_rate',
  [ALERT_RULE_CONSUMER]: 'apm',
  [ALERT_RULE_NAME]: 'Check error rate',
--- a/x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.test.ts
+++ b/x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.test.ts
@ -7,7 +7,7 @@

 import { loggerMock } from '@kbn/logging/mocks';
 import {
-  ALERT_ID,
+  ALERT_INSTANCE_ID,
  ALERT_RULE_CATEGORY,
  ALERT_RULE_CONSUMER,
  ALERT_RULE_NAME,
@ -91,14 +91,14 @@ describe('createLifecycleExecutor', () => {
          // alert documents
          { index: { _id: expect.any(String) } },
          expect.objectContaining({
-            [ALERT_ID]: 'TEST_ALERT_0',
+            [ALERT_INSTANCE_ID]: 'TEST_ALERT_0',
            [ALERT_STATUS]: ALERT_STATUS_ACTIVE,
            [EVENT_ACTION]: 'open',
            [EVENT_KIND]: 'signal',
          }),
          { index: { _id: expect.any(String) } },
          expect.objectContaining({
-            [ALERT_ID]: 'TEST_ALERT_1',
+            [ALERT_INSTANCE_ID]: 'TEST_ALERT_1',
            [ALERT_STATUS]: ALERT_STATUS_ACTIVE,
            [EVENT_ACTION]: 'open',
            [EVENT_KIND]: 'signal',
@ -128,7 +128,7 @@ describe('createLifecycleExecutor', () => {
          {
            fields: {
              '@timestamp': '',
-              [ALERT_ID]: 'TEST_ALERT_0',
+              [ALERT_INSTANCE_ID]: 'TEST_ALERT_0',
              [ALERT_UUID]: 'ALERT_0_UUID',
              [ALERT_RULE_CATEGORY]: 'RULE_TYPE_NAME',
              [ALERT_RULE_CONSUMER]: 'CONSUMER',
@ -145,7 +145,7 @@ describe('createLifecycleExecutor', () => {
          {
            fields: {
              '@timestamp': '',
-              [ALERT_ID]: 'TEST_ALERT_1',
+              [ALERT_INSTANCE_ID]: 'TEST_ALERT_1',
              [ALERT_UUID]: 'ALERT_1_UUID',
              [ALERT_RULE_CATEGORY]: 'RULE_TYPE_NAME',
              [ALERT_RULE_CONSUMER]: 'CONSUMER',
@ -206,7 +206,7 @@ describe('createLifecycleExecutor', () => {
          // alert document
          { index: { _id: 'TEST_ALERT_0_UUID' } },
          expect.objectContaining({
-            [ALERT_ID]: 'TEST_ALERT_0',
+            [ALERT_INSTANCE_ID]: 'TEST_ALERT_0',
            [ALERT_WORKFLOW_STATUS]: 'closed',
            [ALERT_STATUS]: ALERT_STATUS_ACTIVE,
            labels: { LABEL_0_KEY: 'LABEL_0_VALUE' },
@ -216,7 +216,7 @@ describe('createLifecycleExecutor', () => {
          }),
          { index: { _id: 'TEST_ALERT_1_UUID' } },
          expect.objectContaining({
-            [ALERT_ID]: 'TEST_ALERT_1',
+            [ALERT_INSTANCE_ID]: 'TEST_ALERT_1',
            [ALERT_WORKFLOW_STATUS]: 'open',
            [ALERT_STATUS]: ALERT_STATUS_ACTIVE,

@ -248,7 +248,7 @@ describe('createLifecycleExecutor', () => {
          {
            fields: {
              '@timestamp': '',
-              [ALERT_ID]: 'TEST_ALERT_0',
+              [ALERT_INSTANCE_ID]: 'TEST_ALERT_0',
              [ALERT_UUID]: 'ALERT_0_UUID',
              [ALERT_RULE_CATEGORY]: 'RULE_TYPE_NAME',
              [ALERT_RULE_CONSUMER]: 'CONSUMER',
@ -264,7 +264,7 @@ describe('createLifecycleExecutor', () => {
          {
            fields: {
              '@timestamp': '',
-              [ALERT_ID]: 'TEST_ALERT_1',
+              [ALERT_INSTANCE_ID]: 'TEST_ALERT_1',
              [ALERT_UUID]: 'ALERT_1_UUID',
              [ALERT_RULE_CATEGORY]: 'RULE_TYPE_NAME',
              [ALERT_RULE_CONSUMER]: 'CONSUMER',
@ -321,7 +321,7 @@ describe('createLifecycleExecutor', () => {
          // alert document
          { index: { _id: 'TEST_ALERT_0_UUID' } },
          expect.objectContaining({
-            [ALERT_ID]: 'TEST_ALERT_0',
+            [ALERT_INSTANCE_ID]: 'TEST_ALERT_0',
            [ALERT_STATUS]: ALERT_STATUS_RECOVERED,
            labels: { LABEL_0_KEY: 'LABEL_0_VALUE' },
            [EVENT_ACTION]: 'close',
@ -329,7 +329,7 @@ describe('createLifecycleExecutor', () => {
          }),
          { index: { _id: 'TEST_ALERT_1_UUID' } },
          expect.objectContaining({
-            [ALERT_ID]: 'TEST_ALERT_1',
+            [ALERT_INSTANCE_ID]: 'TEST_ALERT_1',
            [ALERT_STATUS]: ALERT_STATUS_ACTIVE,
            [EVENT_ACTION]: 'active',
            [EVENT_KIND]: 'signal',
--- a/x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.ts
+++ b/x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.ts
@ -22,7 +22,7 @@ import { ParsedTechnicalFields, parseTechnicalFields } from '../../common/parse_
 import {
  ALERT_DURATION,
  ALERT_END,
-  ALERT_ID,
+  ALERT_INSTANCE_ID,
  ALERT_RULE_UUID,
  ALERT_START,
  ALERT_STATUS,
@ -228,7 +228,7 @@ export const createLifecycleExecutor = (

    hits.hits.forEach((hit) => {
      const fields = parseTechnicalFields(hit.fields);
-      const alertId = fields[ALERT_ID];
+      const alertId = fields[ALERT_INSTANCE_ID];
      alertsDataMap[alertId] = {
        ...commonRuleFields,
        ...fields,
@ -255,7 +255,7 @@ export const createLifecycleExecutor = (
      ...alertData,
      ...commonRuleFields,
      [ALERT_DURATION]: (options.startedAt.getTime() - new Date(started).getTime()) * 1000,
-      [ALERT_ID]: alertId,
+      [ALERT_INSTANCE_ID]: alertId,
      [ALERT_START]: started,
      [ALERT_STATUS]: isActive ? ALERT_STATUS_ACTIVE : ALERT_STATUS_RECOVERED,
      [ALERT_WORKFLOW_STATUS]: alertData[ALERT_WORKFLOW_STATUS] ?? 'open',
@ -281,7 +281,7 @@ export const createLifecycleExecutor = (
    eventsToIndex
      .filter((event) => event[ALERT_STATUS] !== 'closed')
      .map((event) => {
-        const alertId = event[ALERT_ID]!;
+        const alertId = event[ALERT_INSTANCE_ID]!;
        const alertUuid = event[ALERT_UUID]!;
        const started = new Date(event[ALERT_START]!).toISOString();
        return [alertId, { alertId, alertUuid, started }];
--- a/x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts
+++ b/x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts
@ -198,7 +198,7 @@ describe('createLifecycleRuleTypeFactory', () => {
              "event.action": "open",
              "event.kind": "signal",
              "kibana.alert.duration.us": 0,
-              "kibana.alert.id": "opbeans-java",
+              "kibana.alert.instance.id": "opbeans-java",
              "kibana.alert.rule.category": "ruleTypeName",
              "kibana.alert.rule.consumer": "consumer",
              "kibana.alert.rule.name": "name",
@ -222,7 +222,7 @@ describe('createLifecycleRuleTypeFactory', () => {
              "event.action": "open",
              "event.kind": "signal",
              "kibana.alert.duration.us": 0,
-              "kibana.alert.id": "opbeans-node",
+              "kibana.alert.instance.id": "opbeans-node",
              "kibana.alert.rule.category": "ruleTypeName",
              "kibana.alert.rule.consumer": "consumer",
              "kibana.alert.rule.name": "name",
--- a/x-pack/plugins/rule_registry/server/utils/create_persistence_rule_type_factory.ts
+++ b/x-pack/plugins/rule_registry/server/utils/create_persistence_rule_type_factory.ts
@ -5,7 +5,7 @@
 * 2.0.
 */

-import { ALERT_ID, VERSION } from '@kbn/rule-data-utils';
+import { ALERT_INSTANCE_ID, VERSION } from '@kbn/rule-data-utils';
 import { getCommonAlertFields } from './get_common_alert_fields';
 import { CreatePersistenceRuleTypeFactory } from './persistence_types';

@ -31,7 +31,7 @@ export const createPersistenceRuleTypeFactory: CreatePersistenceRuleTypeFactory
                body: alerts.flatMap((event) => [
                  { index: {} },
                  {
-                    [ALERT_ID]: event.id,
+                    [ALERT_INSTANCE_ID]: event.id,
                    [VERSION]: ruleDataClient.kibanaVersion,
                    ...commonRuleFields,
                    ...event.fields,
--- a/x-pack/plugins/rule_registry/server/utils/get_common_alert_fields.ts
+++ b/x-pack/plugins/rule_registry/server/utils/get_common_alert_fields.ts
@ -9,7 +9,7 @@ import { Values } from '@kbn/utility-types';
 import { AlertExecutorOptions } from '../../../alerting/server';
 import { ParsedTechnicalFields } from '../../common/parse_technical_fields';
 import {
-  ALERT_ID,
+  ALERT_INSTANCE_ID,
  ALERT_UUID,
  ALERT_RULE_CATEGORY,
  ALERT_RULE_CONSUMER,
@ -35,7 +35,7 @@ const commonAlertFieldNames = [
 ];
 export type CommonAlertFieldName = Values<typeof commonAlertFieldNames>;

-const commonAlertIdFieldNames = [ALERT_ID, ALERT_UUID];
+const commonAlertIdFieldNames = [ALERT_INSTANCE_ID, ALERT_UUID];
 export type CommonAlertIdFieldName = Values<typeof commonAlertIdFieldNames>;

 export type CommonAlertFields = Pick<ParsedTechnicalFields, CommonAlertFieldName>;
--- a/x-pack/plugins/rule_registry/server/utils/rule_executor_test_utils.ts
+++ b/x-pack/plugins/rule_registry/server/utils/rule_executor_test_utils.ts
@ -24,7 +24,7 @@ export const createDefaultAlertExecutorOptions = <
  InstanceContext extends AlertInstanceContext = {},
  ActionGroupIds extends string = ''
 >({
-  alertId = 'ALERT_ID',
+  alertId = 'ALERT_INSTANCE_ID',
  ruleName = 'ALERT_RULE_NAME',
  params,
  state,
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx
@ -7,7 +7,7 @@

 import {
  ALERT_DURATION,
-  ALERT_ID,
+  ALERT_INSTANCE_ID,
  ALERT_RULE_PRODUCER,
  ALERT_START,
  ALERT_WORKFLOW_STATUS,
@ -275,7 +275,7 @@ export const buildShowBuildingBlockFilterRuleRegistry = (

 export const requiredFieldMappingsForActionsRuleRegistry = {
  '@timestamp': '@timestamp',
-  'alert.id': ALERT_ID,
+  'alert.instance.id': ALERT_INSTANCE_ID,
  'event.kind': 'event.kind',
  'alert.start': ALERT_START,
  'alert.uuid': ALERT_UUID,
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.ts
@ -12,7 +12,7 @@ import uuidv5 from 'uuid/v5';
 import dateMath from '@elastic/datemath';
 import type { estypes } from '@elastic/elasticsearch';
 import { ApiResponse, Context } from '@elastic/elasticsearch/lib/Transport';
-import { ALERT_ID } from '@kbn/rule-data-utils';
+import { ALERT_INSTANCE_ID } from '@kbn/rule-data-utils';
 import type { ListArray, ExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types';
 import { MAX_EXCEPTION_LIST_SIZE } from '@kbn/securitysolution-list-constants';
 import { hasLargeValueList } from '@kbn/securitysolution-list-utils';
@ -987,7 +987,7 @@ export const isWrappedSignalHit = (event: SimpleHit): event is WrappedSignalHit
 };

 export const isWrappedRACAlert = (event: SimpleHit): event is WrappedRACAlert => {
-  return (event as WrappedRACAlert)?._source?.[ALERT_ID] != null;
+  return (event as WrappedRACAlert)?._source?.[ALERT_INSTANCE_ID] != null;
 };

 export const getField = <T extends SearchTypes>(event: SimpleHit, field: string): T | undefined => {
--- a/x-pack/test/apm_api_integration/tests/alerts/rule_registry.ts
+++ b/x-pack/test/apm_api_integration/tests/alerts/rule_registry.ts
@ -398,7 +398,7 @@ export default function ApiTest({ getService }: FtrProviderContext) {
            "kibana.alert.evaluation.value": Array [
              50,
            ],
-            "kibana.alert.id": Array [
+            "kibana.alert.instance.id": Array [
              "apm.transaction_error_rate_opbeans-go_request_ENVIRONMENT_NOT_DEFINED",
            ],
            "kibana.alert.reason": Array [
@ -508,7 +508,7 @@ export default function ApiTest({ getService }: FtrProviderContext) {
            "kibana.alert.evaluation.value": Array [
              50,
            ],
-            "kibana.alert.id": Array [
+            "kibana.alert.instance.id": Array [
              "apm.transaction_error_rate_opbeans-go_request_ENVIRONMENT_NOT_DEFINED",
            ],
            "kibana.alert.reason": Array [
--- a/x-pack/test/timeline/security_and_spaces/tests/basic/events.ts
+++ b/x-pack/test/timeline/security_and_spaces/tests/basic/events.ts
@ -7,7 +7,7 @@

 import { JsonObject } from '@kbn/utility-types';
 import expect from '@kbn/expect';
-import { ALERT_ID, ALERT_RULE_CONSUMER } from '@kbn/rule-data-utils';
+import { ALERT_INSTANCE_ID, ALERT_RULE_CONSUMER } from '@kbn/rule-data-utils';

 import { User } from '../../../../rule_registry/common/lib/authentication/types';
 import { TimelineEdges, TimelineNonEcsData } from '../../../../../plugins/timelines/common/';
@ -77,14 +77,14 @@ export default ({ getService }: FtrProviderContext) => {
        field: ALERT_RULE_CONSUMER,
      },
      {
-        field: ALERT_ID,
+        field: ALERT_INSTANCE_ID,
      },
      {
        field: 'event.kind',
      },
    ],
    factoryQueryType: TimelineEventsQueries.all,
-    fieldRequested: ['@timestamp', 'message', ALERT_RULE_CONSUMER, ALERT_ID, 'event.kind'],
+    fieldRequested: ['@timestamp', 'message', ALERT_RULE_CONSUMER, ALERT_INSTANCE_ID, 'event.kind'],
    fields: [],
    filterQuery: {
      bool: {
--- a/x-pack/test/timeline/security_and_spaces/tests/trial/events.ts
+++ b/x-pack/test/timeline/security_and_spaces/tests/trial/events.ts
@ -7,7 +7,7 @@

 import { JsonObject } from '@kbn/utility-types';
 import expect from '@kbn/expect';
-import { ALERT_ID, ALERT_RULE_CONSUMER } from '@kbn/rule-data-utils';
+import { ALERT_INSTANCE_ID, ALERT_RULE_CONSUMER } from '@kbn/rule-data-utils';

 import { User } from '../../../../rule_registry/common/lib/authentication/types';
 import { TimelineEdges, TimelineNonEcsData } from '../../../../../plugins/timelines/common/';
@ -60,14 +60,14 @@ export default ({ getService }: FtrProviderContext) => {
        field: ALERT_RULE_CONSUMER,
      },
      {
-        field: ALERT_ID,
+        field: ALERT_INSTANCE_ID,
      },
      {
        field: 'event.kind',
      },
    ],
    factoryQueryType: TimelineEventsQueries.all,
-    fieldRequested: ['@timestamp', 'message', ALERT_RULE_CONSUMER, ALERT_ID, 'event.kind'],
+    fieldRequested: ['@timestamp', 'message', ALERT_RULE_CONSUMER, ALERT_INSTANCE_ID, 'event.kind'],
    fields: [],
    filterQuery: {
      bool: {
--- a/x-pack/test/timeline/security_only/tests/basic/events.ts
+++ b/x-pack/test/timeline/security_only/tests/basic/events.ts
@ -6,7 +6,7 @@
 */

 import { JsonObject } from '@kbn/utility-types';
-import { ALERT_ID, ALERT_RULE_CONSUMER } from '@kbn/rule-data-utils';
+import { ALERT_INSTANCE_ID, ALERT_RULE_CONSUMER } from '@kbn/rule-data-utils';

 import { getSpaceUrlPrefix } from '../../../../rule_registry/common/lib/authentication/spaces';

@ -43,14 +43,14 @@ export default ({ getService }: FtrProviderContext) => {
        field: ALERT_RULE_CONSUMER,
      },
      {
-        field: ALERT_ID,
+        field: ALERT_INSTANCE_ID,
      },
      {
        field: 'event.kind',
      },
    ],
    factoryQueryType: TimelineEventsQueries.all,
-    fieldRequested: ['@timestamp', 'message', ALERT_RULE_CONSUMER, ALERT_ID, 'event.kind'],
+    fieldRequested: ['@timestamp', 'message', ALERT_RULE_CONSUMER, ALERT_INSTANCE_ID, 'event.kind'],
    fields: [],
    filterQuery: {
      bool: {
--- a/x-pack/test/timeline/security_only/tests/trial/events.ts
+++ b/x-pack/test/timeline/security_only/tests/trial/events.ts
@ -6,7 +6,7 @@
 */

 import { JsonObject } from '@kbn/utility-types';
-import { ALERT_ID, ALERT_RULE_CONSUMER } from '@kbn/rule-data-utils';
+import { ALERT_INSTANCE_ID, ALERT_RULE_CONSUMER } from '@kbn/rule-data-utils';

 import { getSpaceUrlPrefix } from '../../../../rule_registry/common/lib/authentication/spaces';

@ -43,14 +43,14 @@ export default ({ getService }: FtrProviderContext) => {
        field: ALERT_RULE_CONSUMER,
      },
      {
-        field: ALERT_ID,
+        field: ALERT_INSTANCE_ID,
      },
      {
        field: 'event.kind',
      },
    ],
    factoryQueryType: TimelineEventsQueries.all,
-    fieldRequested: ['@timestamp', 'message', ALERT_RULE_CONSUMER, ALERT_ID, 'event.kind'],
+    fieldRequested: ['@timestamp', 'message', ALERT_RULE_CONSUMER, ALERT_INSTANCE_ID, 'event.kind'],
    fields: [],
    filterQuery: {
      bool: {
--- a/x-pack/test/timeline/spaces_only/tests/events.ts
+++ b/x-pack/test/timeline/spaces_only/tests/events.ts
@ -7,7 +7,7 @@

 import { JsonObject } from '@kbn/utility-types';
 import expect from '@kbn/expect';
-import { ALERT_ID, ALERT_RULE_CONSUMER } from '@kbn/rule-data-utils';
+import { ALERT_INSTANCE_ID, ALERT_RULE_CONSUMER } from '@kbn/rule-data-utils';

 import { FtrProviderContext } from '../../../rule_registry/common/ftr_provider_context';
 import { getSpaceUrlPrefix } from '../../../rule_registry/common/lib/authentication/spaces';
@ -38,14 +38,14 @@ export default ({ getService }: FtrProviderContext) => {
        field: ALERT_RULE_CONSUMER,
      },
      {
-        field: ALERT_ID,
+        field: ALERT_INSTANCE_ID,
      },
      {
        field: 'event.kind',
      },
    ],
    factoryQueryType: TimelineEventsQueries.all,
-    fieldRequested: ['@timestamp', 'message', ALERT_RULE_CONSUMER, ALERT_ID, 'event.kind'],
+    fieldRequested: ['@timestamp', 'message', ALERT_RULE_CONSUMER, ALERT_INSTANCE_ID, 'event.kind'],
    fields: [],
    filterQuery: {
      bool: {