elastic
diff --git a/‎x-pack/platform/packages/shared/response-ops/alerting-v2-schemas/src/rule_data_schema.ts‎
Lines changed: 5 additions & 0 deletions b/‎x-pack/platform/packages/shared/response-ops/alerting-v2-schemas/src/rule_data_schema.ts‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎x-pack/platform/plugins/shared/alerting_v2/public/components/create_rule_page.tsx‎
Lines changed: 3 additions & 0 deletions b/‎x-pack/platform/plugins/shared/alerting_v2/public/components/create_rule_page.tsx‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎x-pack/platform/plugins/shared/alerting_v2/public/services/rules_api.ts‎
Lines changed: 2 additions & 1 deletion b/‎x-pack/platform/plugins/shared/alerting_v2/public/services/rules_api.ts‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎x-pack/platform/plugins/shared/alerting_v2/server/lib/alert_actions_client/alert_actions_client.test.ts‎
Lines changed: 12 additions & 10 deletions b/‎x-pack/platform/plugins/shared/alerting_v2/server/lib/alert_actions_client/alert_actions_client.test.ts‎
Lines changed: 12 additions & 10 deletions
diff --git a/‎x-pack/platform/plugins/shared/alerting_v2/server/lib/alert_actions_client/alert_actions_client.ts‎
Lines changed: 15 additions & 18 deletions b/‎x-pack/platform/plugins/shared/alerting_v2/server/lib/alert_actions_client/alert_actions_client.ts‎
Lines changed: 15 additions & 18 deletions
diff --git a/‎x-pack/platform/plugins/shared/alerting_v2/server/lib/director/director.mock.ts‎
Lines changed: 31 additions & 0 deletions b/‎x-pack/platform/plugins/shared/alerting_v2/server/lib/director/director.mock.ts‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎x-pack/platform/plugins/shared/alerting_v2/server/lib/dispatcher/dispatcher.test.ts‎
Lines changed: 144 additions & 0 deletions b/‎x-pack/platform/plugins/shared/alerting_v2/server/lib/dispatcher/dispatcher.test.ts‎
Lines changed: 144 additions & 0 deletions
@@ -33,9 +33,14 @@ const scheduleSchema = z
   .strict()
   .describe('Schedule configuration for the rule.');
 
+export const ruleKindSchema = z.enum(['alert', 'signal']).describe('The kind of rule.');
+
+export type RuleKind = z.infer<typeof ruleKindSchema>;
+
 export const createRuleDataSchema = z
   .object({
     name: z.string().min(1).max(64).describe('Human-readable rule name.'),
+    kind: ruleKindSchema,
     tags: z
       .array(z.string().max(64).describe('Rule tag.'))
       .max(100)
 
@@ -30,6 +30,7 @@ import { YamlRuleEditor } from '@kbn/yaml-rule-editor';
 import { RulesApi } from '../services/rules_api';
 
 const DEFAULT_RULE_YAML = `name: Example rule
+kind: alert
 tags: []
 schedule:
   custom: 1m
@@ -41,6 +42,7 @@ groupingKey: []`;
 
 const DEFAULT_RULE_VALUES: CreateRuleData = {
   name: 'Example rule',
+  kind: 'alert',
   tags: [],
   schedule: { custom: '1m' },
   enabled: true,
@@ -114,6 +116,7 @@ export const CreateRulePage = () => {
         const nextPayload: CreateRuleData = {
           ...DEFAULT_RULE_VALUES,
           name: rule.name,
+          kind: rule.kind ?? DEFAULT_RULE_VALUES.kind,
           tags: rule.tags ?? DEFAULT_RULE_VALUES.tags,
           schedule: rule.schedule?.custom
             ? { custom: rule.schedule.custom }
 
@@ -8,12 +8,13 @@
 import { inject, injectable } from 'inversify';
 import type { HttpStart } from '@kbn/core/public';
 import { CoreStart } from '@kbn/core-di-browser';
-import type { CreateRuleData } from '@kbn/alerting-v2-schemas';
+import type { CreateRuleData, RuleKind } from '@kbn/alerting-v2-schemas';
 import { INTERNAL_ALERTING_V2_RULE_API_PATH } from '../constants';
 
 export interface RuleListItem {
   id: string;
   name: string;
+  kind: RuleKind;
   enabled?: boolean;
   query?: string;
   schedule?: { custom?: string };
 
@@ -5,11 +5,12 @@
  * 2.0.
  */
 
-import { httpServerMock } from '@kbn/core-http-server-mocks';
-import { securityMock } from '@kbn/security-plugin/server/mocks';
+import type { UserProfileServiceStart } from '@kbn/core-user-profile-server';
+import type { UserService } from '../services/user_service/user_service';
 import type { CreateAlertActionBody } from '../../routes/schemas/alert_action_schema';
 import { createQueryService } from '../services/query_service/query_service.mock';
 import { createStorageService } from '../services/storage_service/storage_service.mock';
+import { createUserProfile, createUserService } from '../services/user_service/user_service.mock';
 import { AlertActionsClient } from './alert_actions_client';
 import {
   getBulkAlertEventsESQLResponse,
@@ -19,16 +20,17 @@ import {
 
 describe('AlertActionsClient', () => {
   jest.useFakeTimers().setSystemTime(new Date('2025-01-01T11:12:13.000Z'));
-  const request = httpServerMock.createKibanaRequest();
   const { queryService, mockEsClient: queryServiceEsClient } = createQueryService();
   const { storageService, mockEsClient: storageServiceEsClient } = createStorageService();
-  const security = securityMock.createStart();
+  let userService: UserService;
+  let userProfile: jest.Mocked<UserProfileServiceStart>;
   let client: AlertActionsClient;
 
   beforeEach(() => {
-    security.authc.getCurrentUser = jest.fn().mockReturnValue({ username: 'test-user' });
+    ({ userService, userProfile } = createUserService());
+    userProfile.getCurrent.mockResolvedValue(createUserProfile('test-uid'));
     storageServiceEsClient.bulk.mockResolvedValueOnce({ items: [], errors: false, took: 1 });
-    client = new AlertActionsClient(request, queryService, storageService, security);
+    client = new AlertActionsClient(queryService, storageService, userService);
   });
 
   afterEach(() => {
@@ -62,7 +64,7 @@ describe('AlertActionsClient', () => {
         episode_id: 'episode-1',
         rule_id: 'test-rule-id',
         last_series_event_timestamp: '2025-01-01T00:00:00.000Z',
-        actor: 'test-user',
+        actor: 'test-uid',
       });
       expect(docs[0]).toHaveProperty('@timestamp');
     });
@@ -104,14 +106,14 @@ describe('AlertActionsClient', () => {
       expect(docs[0]).toMatchObject({ episode_id: 'episode-2' });
     });
 
-    it('should handle null username when security is not available', async () => {
+    it('should handle null profile uid when security is not available', async () => {
       queryServiceEsClient.esql.query.mockResolvedValueOnce(getAlertEventESQLResponse());
 
+      userProfile.getCurrent.mockResolvedValueOnce(null);
       const clientWithoutSecurity = new AlertActionsClient(
-        request,
         queryService,
         storageService,
-        undefined
+        userService
       );
 
       await clientWithoutSecurity.createAction({
 
@@ -6,12 +6,8 @@
  */
 
 import Boom from '@hapi/boom';
-import { PluginStart } from '@kbn/core-di';
-import { Request } from '@kbn/core-di-server';
-import type { KibanaRequest } from '@kbn/core-http-server';
 import { esql } from '@kbn/esql-language';
-import type { SecurityPluginStart } from '@kbn/security-plugin/server';
-import { inject, injectable, optional } from 'inversify';
+import { inject, injectable } from 'inversify';
 import { groupBy, omit } from 'lodash';
 import { ALERT_ACTIONS_DATA_STREAM, type AlertAction } from '../../resources/alert_actions';
 import { ALERT_EVENTS_DATA_STREAM } from '../../resources/alert_events';
@@ -23,22 +19,23 @@ import { queryResponseToRecords } from '../services/query_service/query_response
 import { QueryService, type QueryServiceContract } from '../services/query_service/query_service';
 import type { StorageServiceContract } from '../services/storage_service/storage_service';
 import { StorageServiceScopedToken } from '../services/storage_service/tokens';
+import type { UserServiceContract } from '../services/user_service/user_service';
+import { UserService } from '../services/user_service/user_service';
 
 @injectable()
 export class AlertActionsClient {
   constructor(
-    @inject(Request) private readonly request: KibanaRequest,
     @inject(QueryService) private readonly queryService: QueryServiceContract,
     @inject(StorageServiceScopedToken) private readonly storageService: StorageServiceContract,
-    @optional() @inject(PluginStart('security')) private readonly security?: SecurityPluginStart
+    @inject(UserService) private readonly userService: UserServiceContract
   ) {}
 
   public async createAction(params: {
     groupHash: string;
     action: CreateAlertActionBody;
   }): Promise<void> {
-    const [username, alertEvent] = await Promise.all([
-      this.getUserName(),
+    const [userProfileUid, alertEvent] = await Promise.all([
+      this.getUserProfileUid(),
       this.findLastAlertEventRecordOrThrow({
         groupHash: params.groupHash,
         episodeId: 'episode_id' in params.action ? params.action.episode_id : undefined,
@@ -51,7 +48,7 @@ export class AlertActionsClient {
         this.buildAlertActionDocument({
           action: params.action,
           alertEvent,
-          username,
+          userProfileUid,
         }),
       ],
     });
@@ -60,8 +57,8 @@ export class AlertActionsClient {
   public async createBulkActions(
     actions: BulkCreateAlertActionItemBody[]
   ): Promise<{ processed: number; total: number }> {
-    const [username, records] = await Promise.all([
-      this.getUserName(),
+    const [userProfileUid, records] = await Promise.all([
+      this.getUserProfileUid(),
       this.fetchLastAlertEventRecordsForActions(actions),
     ]);
 
@@ -82,7 +79,7 @@ export class AlertActionsClient {
           return this.buildAlertActionDocument({
             action,
             alertEvent: matchingAlertEventRecord,
-            username,
+            userProfileUid,
           });
         }
       })
@@ -122,21 +119,21 @@ export class AlertActionsClient {
     );
   }
 
-  private async getUserName(): Promise<string | null> {
-    return this.security?.authc.getCurrentUser(this.request)?.username ?? null;
+  private async getUserProfileUid(): Promise<string | null> {
+    return this.userService.getCurrentUserProfileUid();
   }
 
   private buildAlertActionDocument(params: {
     action: CreateAlertActionBody;
     alertEvent: AlertEventRecord;
-    username: string | null;
+    userProfileUid: string | null;
   }): AlertAction {
-    const { action, alertEvent, username } = params;
+    const { action, alertEvent, userProfileUid } = params;
     const actionData = omit(action, ['episode_id', 'action_type']);
 
     return {
       '@timestamp': new Date().toISOString(),
-      actor: username,
+      actor: userProfileUid,
       action_type: action.action_type,
       last_series_event_timestamp: alertEvent['@timestamp'],
       rule_id: alertEvent.rule_id,
 
@@ -0,0 +1,31 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { ElasticsearchClient } from '@kbn/core/server';
+import type { DeeplyMockedApi } from '@kbn/core-elasticsearch-client-server-mocks';
+import { createLoggerService } from '../services/logger_service/logger_service.mock';
+import { createQueryService } from '../services/query_service/query_service.mock';
+import { BasicTransitionStrategy } from './strategies/basic_strategy';
+import { TransitionStrategyFactory } from './strategies/strategy_resolver';
+import { DirectorService } from './director';
+
+export function createDirectorService(): {
+  directorService: DirectorService;
+  mockEsClient: DeeplyMockedApi<ElasticsearchClient>;
+} {
+  const { queryService, mockEsClient } = createQueryService();
+  const { loggerService } = createLoggerService();
+
+  const basicStrategy = new BasicTransitionStrategy();
+  const strategyFactory = new TransitionStrategyFactory(basicStrategy);
+  const directorService = new DirectorService(strategyFactory, queryService, loggerService);
+
+  return {
+    directorService,
+    mockEsClient,
+  };
+}
@@ -0,0 +1,144 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { BulkResponse } from '@elastic/elasticsearch/lib/api/types';
+import type { DeeplyMockedApi } from '@kbn/core-elasticsearch-client-server-mocks';
+import type { ElasticsearchClient } from '@kbn/core/server';
+import moment from 'moment';
+import { ALERT_ACTIONS_DATA_STREAM } from '../../resources/alert_actions';
+import { createLoggerService } from '../services/logger_service/logger_service.mock';
+import type { QueryServiceContract } from '../services/query_service/query_service';
+import { createQueryService } from '../services/query_service/query_service.mock';
+import type { StorageServiceContract } from '../services/storage_service/storage_service';
+import { createStorageService } from '../services/storage_service/storage_service.mock';
+import { LOOKBACK_WINDOW_MINUTES } from './constants';
+import { DispatcherService } from './dispatcher';
+import { createDispatchableAlertEventsResponse } from './fixtures/dispatcher';
+import { getDispatchableAlertEventsQuery } from './queries';
+import type { AlertEpisode } from './types';
+
+describe('DispatcherService', () => {
+  let dispatcherService: DispatcherService;
+  let queryService: QueryServiceContract;
+  let storageService: StorageServiceContract;
+  let queryEsClient: DeeplyMockedApi<ElasticsearchClient>;
+  let storageEsClient: jest.Mocked<ElasticsearchClient>;
+
+  beforeEach(() => {
+    ({ queryService, mockEsClient: queryEsClient } = createQueryService());
+    ({ storageService, mockEsClient: storageEsClient } = createStorageService());
+    const { loggerService } = createLoggerService();
+    dispatcherService = new DispatcherService(queryService, loggerService, storageService);
+  });
+
+  afterEach(() => {
+    jest.clearAllMocks();
+  });
+
+  describe('run', () => {
+    it('indexes fire-events for dispatchable alert episodes', async () => {
+      const alertEpisodes: AlertEpisode[] = [
+        {
+          last_event_timestamp: '2026-01-22T07:10:00.000Z',
+          rule_id: 'rule-1',
+          group_hash: 'hash-1',
+          episode_id: 'episode-1',
+          episode_status: 'active',
+        },
+        {
+          last_event_timestamp: '2026-01-22T07:15:00.000Z',
+          rule_id: 'rule-2',
+          group_hash: 'hash-2',
+          episode_id: 'episode-2',
+          episode_status: 'inactive',
+        },
+      ];
+
+      queryEsClient.esql.query.mockResolvedValue(
+        createDispatchableAlertEventsResponse(alertEpisodes)
+      );
+      storageEsClient.bulk.mockResolvedValue({
+        items: [{ create: { _id: '1', status: 201 } }, { create: { _id: '2', status: 201 } }],
+        errors: false,
+      } as BulkResponse);
+
+      const previousStartedAt = new Date('2026-01-22T07:30:00.000Z');
+
+      const result = await dispatcherService.run({
+        previousStartedAt,
+      });
+
+      expect(result.startedAt).toBeInstanceOf(Date);
+
+      const expectedLookback = moment(previousStartedAt)
+        .subtract(LOOKBACK_WINDOW_MINUTES, 'minutes')
+        .toISOString();
+
+      expect(queryEsClient.esql.query).toHaveBeenCalledWith(
+        {
+          query: getDispatchableAlertEventsQuery().query,
+          drop_null_columns: false,
+          filter: {
+            range: {
+              '@timestamp': {
+                gte: expectedLookback,
+              },
+            },
+          },
+          params: undefined,
+        },
+        { signal: undefined }
+      );
+
+      expect(storageEsClient.bulk).toHaveBeenCalledWith({
+        operations: expect.any(Array),
+        refresh: 'wait_for',
+      });
+
+      const [{ operations }] = storageEsClient.bulk.mock.calls[0];
+      const safeOperations = operations ?? [];
+      const createOperations = safeOperations.filter((_, index) => index % 2 === 0);
+      const docs = safeOperations.filter((_, index) => index % 2 === 1);
+      expect(createOperations).toEqual(
+        expect.arrayContaining([{ create: { _index: ALERT_ACTIONS_DATA_STREAM } }])
+      );
+      expect(docs).toHaveLength(alertEpisodes.length);
+
+      expect(docs).toEqual(
+        expect.arrayContaining([
+          expect.objectContaining({
+            group_hash: 'hash-1',
+            last_series_event_timestamp: '2026-01-22T07:10:00.000Z',
+            actor: 'system',
+            action_type: 'fire-event',
+            rule_id: 'rule-1',
+            source: 'internal',
+          }),
+          expect.objectContaining({
+            group_hash: 'hash-2',
+            last_series_event_timestamp: '2026-01-22T07:15:00.000Z',
+            actor: 'system',
+            action_type: 'fire-event',
+            rule_id: 'rule-2',
+            source: 'internal',
+          }),
+        ])
+      );
+    });
+
+    it('handles empty alert episode responses', async () => {
+      queryEsClient.esql.query.mockResolvedValue(createDispatchableAlertEventsResponse([]));
+
+      const result = await dispatcherService.run({
+        previousStartedAt: new Date('2026-01-22T07:30:00.000Z'),
+      });
+
+      expect(result.startedAt).toBeInstanceOf(Date);
+      expect(storageEsClient.bulk).not.toHaveBeenCalled();
+    });
+  });
+});