[EASE] change cases alerts tab to use kibana.alert.rule.rule_id to kibana.rule.parameters.related_integration.package

[PhilippeOberti]

Summary

This PR fixes an issue introduced by this previous one. The integration logo is no longer rendered on the cases alerts table.

Reminder of the previous changes

The previous logic that was used throughout the entire alert summary page consisted of retrieving the rule_id value on the alert (via the kibana.alert.rule.rule_id field), to then retrieve the rule with the matching rule_id field. That rule has the related_integrations information used to find the matching integration (package).

We are now using the kibana.rule.parameters field on the alert, which contains the related_integrations information, accessible directly from the alert document. The kibana.rule.parameters value isn't a basic string or number value though, but a complex json object. Using a runTime field that parses that json and returns directly the package (integration) name did the trick!

This PR

The changes done in the previous PR actually broke the Integration column in the attack discovery page. This PR makes the required changes to the dataView and removes the now unnecessary rules information.

Before	After

How to test

You might need to clear localStorage as the table columns are saved in there and this PR changes the Integration column to the new runTime field.

This needs to be ran in Serverless:

• yarn es serverless --projectType security
• yarn serverless-security --no-base-path

You also need to enable the AI for SOC tier, by adding the following to your serverless.security.dev.yaml file:

xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]

Use one of these Serverless users:

• platform_engineer
• endpoint_operations_analyst
• endpoint_policy_manager
• admin
• system_indices_superuser

Then:

• generate data: yarn test:generate:serverless-dev
• create multiple catch all rules, each with a name of a AI for SOC integration (google_secops, microsoft_sentinel,, sentinel_one and crowdstrike) and make sure to add the related integration (with the same names) => to do that you'll need to temporary comment the serverless.security.dev.yaml config changes as the rules page is not accessible in AI for SOC.
• change this line to installedPackages: availablePackages to force having some packages installed

Checklist

• Unit or functional tests were updated or added to match the most common scenarios
• The PR description includes the appropriate Release Notes section, and the correct release_note:* label is applied per the guidelines
• Review the backport guidelines and apply applicable backport:* labels.

#233302

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 085b081

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	10.4MB	10.4MB	-78.0B

History

• 💚 Build #333241 succeeded 8c351e9

[elasticmachine]

Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

[janmonschke]

kibana-cases changes lgtm

[NicholasPeretti]

Approving on behalf of threat-hunting team

[kibanamachine]

Starting backport for target branches: 8.19, 9.1

https://github.com/elastic/kibana/actions/runs/17292051469

[kibanamachine]

💔 All backports failed

Status	Branch	Result
❌	8.19	Backport failed because of merge conflicts You might need to backport the following PRs to 8.19: - [Security Solution][AI4DSOC] Fix table not applying alert tags for Attack discovery and Cases pages in AI4DSOC (#219410) - [AI4DSOC] Add checkboxes to the alert summary table (#219169)
❌	9.1	Backport failed because of merge conflicts

Manual backport

To create the backport manually run:

node scripts/backport --pr 233158

Questions ?

Please refer to the Backport tool documentation