[Attack Discovery][Scheduling] System actions + Extended telemetries (elastic#221797)

## Summary

Main ticket ([Internal
link](elastic/security-team#12008))

## Changes in this PR:

1. Fix elastic#221770

There was a bug in handling system actions which did not allow to
create/update attack discovery schedules when adding one of the system
actions - for example Cases. See screenshots and error description in
the elastic#221770

To test, just create a new attack discovery schedule with the Cases
action which should just work and new schedule should appear in the
attack discovery schedules list.

2. Extended telemetries

To improve telemetries for attack discovery schedules, we decided to add
the information about the used actions within the schedule. For more
details, see the [internal
conversation](https://elastic.slack.com/archives/C08D26QFR18/p1747673752620379).

Both the success and failure events will contain schedule info object of
a next structure:

```
"scheduleInfo": {
    "id": "9a132e03-f9f2-48ff-8e4e-8182f470656f",
    "interval": "1m",
    "actions": [
      ".email",
      ".slack",
      ".slack"
    ]
},
```

<img width="528" alt="Screenshot 2025-05-28 at 16 48 02"
src="https://github.com/user-attachments/assets/7eab674d-2d81-48ef-93e1-99c14552eb57"
/>

To test:
1. Enable `telemetry.optIn: true` in `kibana.dev.yml`
2. Create AD schedule and make sure it generates some discoveries or
fails during the rules execution (for example due to timeout)
3. Check reported events at
https://p.elstc.co/paste/Vp6Buk8R#Z-F8UWse90Lldf2sMVQK+RPtJSiLJkc2eJGyGX85+b9
(might take couple hours to appear)

## NOTES

The feature is hidden behind the feature flag (in `kibana.dev.yml`):

```
feature_flags.overrides:
  securitySolution.assistantAttackDiscoverySchedulingEnabled: true
```

Author: e40pud

src/platform/packages/shared/kbn-rule-data-utils/src/alerts_as_data_rbac.test.ts

@@ -13,10 +13,12 @@ describe('alertsAsDataRbac', () => {
   describe('isSiemRuleType', () => {
     test('returns true for siem rule types', () => {
       expect(isSiemRuleType('siem.esqlRuleType')).toBe(true);
+      expect(isSiemRuleType('attack-discovery')).toBe(true);
     });
 
     test('returns false for NON siem rule types', () => {
       expect(isSiemRuleType('apm.anomaly')).toBe(false);
+      expect(isSiemRuleType('attack-discovery.test')).toBe(false);
     });
   });
 });

src/platform/packages/shared/kbn-rule-data-utils/src/alerts_as_data_rbac.ts

@@ -101,4 +101,5 @@ export const getEsQueryConfig = (params?: GetEsQueryConfigParamType): EsQueryCon
  * TODO: Remove when checks for specific rule type ids is not needed
  *in the codebase.
  */
-export const isSiemRuleType = (ruleTypeId: string) => ruleTypeId.startsWith('siem.');
+export const isSiemRuleType = (ruleTypeId: string) =>
+  ruleTypeId.startsWith('siem.') || ruleTypeId === 'attack-discovery';

x-pack/platform/packages/shared/kbn-elastic-assistant-common/impl/schemas/attack_discovery/schedules.gen.ts

@@ -140,7 +140,7 @@ export const AttackDiscoveryScheduleAction = z.object({
    * The action type used for sending notifications.
    */
   actionTypeId: z.string(),
-  group: AttackDiscoveryScheduleActionGroup,
+  group: AttackDiscoveryScheduleActionGroup.optional(),
   id: AttackDiscoveryScheduleActionId,
   params: AttackDiscoveryScheduleActionParams,
   uuid: NonEmptyString.optional(),

x-pack/platform/packages/shared/kbn-elastic-assistant-common/impl/schemas/attack_discovery/schedules.schema.yaml

@@ -193,7 +193,6 @@ components:
       required:
         - actionTypeId
         - id
-        - group
         - params
 
     AttackDiscoveryScheduleExecutionStatus:

x-pack/solutions/security/plugins/elastic_assistant/server/__mocks__/attack_discovery_schedules.mock.ts

@@ -5,20 +5,19 @@
  * 2.0.
  */
 
-import { CreateRuleData } from '@kbn/alerting-plugin/server/application/rule/methods/create';
-import { UpdateRuleData } from '@kbn/alerting-plugin/server/application/rule/methods/update';
 import {
-  ATTACK_DISCOVERY_SCHEDULES_ALERT_TYPE_ID,
   AttackDiscoverySchedule,
+  AttackDiscoveryScheduleAction,
   AttackDiscoveryScheduleCreateProps,
   AttackDiscoveryScheduleParams,
+  AttackDiscoveryScheduleUpdateProps,
 } from '@kbn/elastic-assistant-common';
 
 import { SanitizedRule, SanitizedRuleAction } from '@kbn/alerting-types';
 
 export const getAttackDiscoveryCreateScheduleMock = (
   enabled = true
-): CreateRuleData<AttackDiscoveryScheduleParams> => {
+): AttackDiscoveryScheduleCreateProps => {
   return {
     name: 'Test Schedule 1',
     schedule: {
@@ -35,20 +34,17 @@ export const getAttackDiscoveryCreateScheduleMock = (
       size: 100,
       start: 'now-24h',
     },
-    actions: [],
-    alertTypeId: ATTACK_DISCOVERY_SCHEDULES_ALERT_TYPE_ID,
-    consumer: 'siem',
     enabled,
-    tags: [],
   };
 };
 
 export const getAttackDiscoveryUpdateScheduleMock = (
   id: string,
-  overrides: Partial<CreateRuleData<AttackDiscoveryScheduleParams>>
-): UpdateRuleData<AttackDiscoveryScheduleParams> & { id: string } => {
+  overrides: Partial<AttackDiscoveryScheduleUpdateProps>
+): AttackDiscoveryScheduleUpdateProps & { id: string } => {
   return {
     id,
+    actions: [],
     ...getAttackDiscoveryCreateScheduleMock(),
     ...overrides,
   };
@@ -119,13 +115,55 @@ export const getAttackDiscoveryScheduleMock = (
   };
 };
 
-export const getInternalFindAttackDiscoverySchedulesMock = (
-  schedules: Array<SanitizedRule<AttackDiscoveryScheduleParams>>
-) => {
+export const getFindAttackDiscoverySchedulesMock = (schedules: AttackDiscoverySchedule[]) => {
   return {
-    page: 1,
-    perPage: 20,
     total: schedules.length,
     data: schedules,
   };
 };
+
+export const getScheduleActions = (): AttackDiscoveryScheduleAction[] => {
+  return [
+    {
+      id: 'ab81485e-3685-4215-9804-7693d0271d1b',
+      actionTypeId: '.email',
+      group: 'default',
+      params: {
+        message: 'Rule {{context.rule.name}} generated {{state.signals_count}} alerts',
+        to: ['[email protected]'],
+        subject: 'Hello there',
+      },
+      frequency: {
+        summary: true,
+        notifyWhen: 'onActiveAlert',
+        throttle: null,
+      },
+    },
+    {
+      id: 'a6c9e92a-b701-41f3-9e26-aca7563e6908',
+      actionTypeId: '.slack',
+      group: 'default',
+      params: {
+        message: 'Rule {{context.rule.name}} generated {{state.signals_count}} alerts',
+      },
+      frequency: {
+        summary: true,
+        notifyWhen: 'onActiveAlert',
+        throttle: null,
+      },
+    },
+    {
+      id: '74ad56aa-cc3d-45a4-a944-654b625ed054',
+      actionTypeId: '.cases',
+      params: {
+        subAction: 'run',
+        subActionParams: {
+          timeWindow: '5m',
+          reopenClosedCases: false,
+          groupingBy: ['kibana.alert.attack_discovery.alert_ids'],
+          templateId: null,
+        },
+      },
+    },
+  ];
+};

x-pack/solutions/security/plugins/elastic_assistant/server/ai_assistant_service/index.ts

@@ -667,6 +667,8 @@ export class AIAssistantService {
     opts: CreateAttackDiscoveryScheduleDataClientParams
   ): Promise<AttackDiscoveryScheduleDataClient | null> {
     return new AttackDiscoveryScheduleDataClient({
+      actionsClient: opts.actionsClient,
+      logger: opts.logger,
       rulesClient: opts.rulesClient,
     });
   }

x-pack/solutions/security/plugins/elastic_assistant/server/lib/attack_discovery/schedules/data_client/index.test.ts

@@ -6,21 +6,67 @@
  */
 
 import { rulesClientMock } from '@kbn/alerting-plugin/server/rules_client.mock';
+import { actionsClientMock } from '@kbn/actions-plugin/server/mocks';
+import { loggerMock } from '@kbn/logging-mocks';
+import { OpenAiProviderType } from '@kbn/stack-connectors-plugin/common/openai/constants';
 
 import { AttackDiscoveryScheduleDataClient, AttackDiscoveryScheduleDataClientParams } from '.';
 import {
   getAttackDiscoveryCreateScheduleMock,
   getAttackDiscoveryUpdateScheduleMock,
+  getInternalAttackDiscoveryScheduleMock,
 } from '../../../../__mocks__/attack_discovery_schedules.mock';
+import { ATTACK_DISCOVERY_SCHEDULES_ALERT_TYPE_ID } from '@kbn/elastic-assistant-common';
+
+const mockApiConfig = {
+  connectorId: 'connector-id',
+  actionTypeId: '.bedrock',
+  model: 'model',
+  name: 'Test Bedrock',
+  provider: OpenAiProviderType.OpenAi,
+};
+const mockBasicScheduleParams = {
+  name: 'Test Schedule 1',
+  schedule: {
+    interval: '10m',
+  },
+  params: {
+    alertsIndexPattern: '.alerts-security.alerts-default',
+    apiConfig: mockApiConfig,
+    end: 'now',
+    size: 25,
+    start: 'now-24h',
+  },
+  enabled: true,
+};
+const mockInternalAttackDiscovery = getInternalAttackDiscoveryScheduleMock(
+  getInternalAttackDiscoveryScheduleMock(mockBasicScheduleParams)
+);
 
 describe('AttackDiscoveryScheduleDataClient', () => {
   let scheduleDataClientParams: AttackDiscoveryScheduleDataClientParams;
 
   beforeEach(() => {
     jest.clearAllMocks();
     scheduleDataClientParams = {
+      actionsClient: actionsClientMock.create(),
+      logger: loggerMock.create(),
       rulesClient: rulesClientMock.create(),
     };
+
+    (scheduleDataClientParams.rulesClient.find as jest.Mock).mockResolvedValue({
+      total: 1,
+      data: [mockInternalAttackDiscovery],
+    });
+    (scheduleDataClientParams.rulesClient.get as jest.Mock).mockResolvedValue(
+      mockInternalAttackDiscovery
+    );
+    (scheduleDataClientParams.rulesClient.create as jest.Mock).mockResolvedValue(
+      mockInternalAttackDiscovery
+    );
+    (scheduleDataClientParams.rulesClient.update as jest.Mock).mockResolvedValue(
+      mockInternalAttackDiscovery
+    );
   });
 
   describe('findSchedules', () => {
@@ -106,7 +152,13 @@ describe('AttackDiscoveryScheduleDataClient', () => {
       await scheduleDataClient.createSchedule(scheduleCreateData);
 
       expect(scheduleDataClientParams.rulesClient.create).toHaveBeenCalledWith({
-        data: scheduleCreateData,
+        data: {
+          actions: [],
+          alertTypeId: ATTACK_DISCOVERY_SCHEDULES_ALERT_TYPE_ID,
+          consumer: 'siem',
+          tags: [],
+          ...scheduleCreateData,
+        },
       });
     });
   });
@@ -123,7 +175,12 @@ describe('AttackDiscoveryScheduleDataClient', () => {
 
       expect(scheduleDataClientParams.rulesClient.update).toHaveBeenCalledWith({
         id: scheduleId,
-        data: { ...getAttackDiscoveryCreateScheduleMock(), name: 'Updated schedule 5' },
+        data: {
+          actions: [],
+          tags: [],
+          ...getAttackDiscoveryCreateScheduleMock(),
+          name: 'Updated schedule 5',
+        },
       });
     });
   });

x-pack/solutions/security/plugins/elastic_assistant/server/lib/attack_discovery/schedules/data_client/index.ts

@@ -5,24 +5,33 @@
  * 2.0.
  */
 
+import { ActionsClient } from '@kbn/actions-plugin/server';
 import { RulesClient } from '@kbn/alerting-plugin/server';
-import { CreateRuleData } from '@kbn/alerting-plugin/server/application/rule/methods/create';
-import { UpdateRuleData } from '@kbn/alerting-plugin/server/application/rule/methods/update';
+import { Logger } from '@kbn/core/server';
 import {
   ATTACK_DISCOVERY_SCHEDULES_ALERT_TYPE_ID,
+  AttackDiscoverySchedule,
+  AttackDiscoveryScheduleCreateProps,
   AttackDiscoveryScheduleParams,
+  AttackDiscoveryScheduleUpdateProps,
 } from '@kbn/elastic-assistant-common';
+import { convertAlertingRuleToSchedule } from '../../../../routes/attack_discovery/schedules/utils/convert_alerting_rule_to_schedule';
 import { AttackDiscoveryScheduleFindOptions } from '../types';
+import { convertScheduleActionsToAlertingActions } from './utils/transform_actions';
 
 /**
  * Params for when creating AttackDiscoveryScheduleDataClient in Request Context Factory. Useful if needing to modify
  * configuration after initial plugin start
  */
 export interface CreateAttackDiscoveryScheduleDataClientParams {
+  actionsClient: ActionsClient;
+  logger: Logger;
   rulesClient: RulesClient;
 }
 
 export interface AttackDiscoveryScheduleDataClientParams {
+  actionsClient: ActionsClient;
+  logger: Logger;
   rulesClient: RulesClient;
 }
 
@@ -35,7 +44,7 @@ export class AttackDiscoveryScheduleDataClient {
     sort: sortParam = {},
   }: AttackDiscoveryScheduleFindOptions = {}) => {
     // TODO: add filtering
-    const rules = await this.options.rulesClient.find<AttackDiscoveryScheduleParams>({
+    const results = await this.options.rulesClient.find<AttackDiscoveryScheduleParams>({
       options: {
         page: page + 1,
         perPage,
@@ -44,30 +53,63 @@ export class AttackDiscoveryScheduleDataClient {
         ruleTypeIds: [ATTACK_DISCOVERY_SCHEDULES_ALERT_TYPE_ID],
       },
     });
-    return rules;
+
+    const { total, data } = results;
+    const schedules = data.map(convertAlertingRuleToSchedule);
+
+    return { total, data: schedules };
   };
 
-  public getSchedule = async (id: string) => {
+  public getSchedule = async (id: string): Promise<AttackDiscoverySchedule> => {
     const rule = await this.options.rulesClient.get<AttackDiscoveryScheduleParams>({ id });
-    return rule;
+    const schedule = convertAlertingRuleToSchedule(rule);
+    return schedule;
   };
 
-  public createSchedule = async (ruleToCreate: CreateRuleData<AttackDiscoveryScheduleParams>) => {
+  public createSchedule = async (
+    ruleToCreate: AttackDiscoveryScheduleCreateProps
+  ): Promise<AttackDiscoverySchedule> => {
+    const { enabled = false, actions: _, ...restScheduleAttributes } = ruleToCreate;
+    const { actions, systemActions } = convertScheduleActionsToAlertingActions({
+      actionsClient: this.options.actionsClient,
+      logger: this.options.logger,
+      scheduleActions: ruleToCreate.actions,
+    });
     const rule = await this.options.rulesClient.create<AttackDiscoveryScheduleParams>({
-      data: ruleToCreate,
+      data: {
+        actions,
+        ...(systemActions.length ? { systemActions } : {}),
+        alertTypeId: ATTACK_DISCOVERY_SCHEDULES_ALERT_TYPE_ID,
+        consumer: 'siem',
+        enabled,
+        tags: [],
+        ...restScheduleAttributes,
+      },
     });
-    return rule;
+    const schedule = convertAlertingRuleToSchedule(rule);
+    return schedule;
   };
 
   public updateSchedule = async (
-    ruleToUpdate: UpdateRuleData<AttackDiscoveryScheduleParams> & { id: string }
-  ) => {
-    const { id, ...updatePayload } = ruleToUpdate;
+    ruleToUpdate: AttackDiscoveryScheduleUpdateProps & { id: string }
+  ): Promise<AttackDiscoverySchedule> => {
+    const { id, actions: _, ...updatePayload } = ruleToUpdate;
+    const { actions, systemActions } = convertScheduleActionsToAlertingActions({
+      actionsClient: this.options.actionsClient,
+      logger: this.options.logger,
+      scheduleActions: ruleToUpdate.actions,
+    });
     const rule = await this.options.rulesClient.update<AttackDiscoveryScheduleParams>({
       id,
-      data: updatePayload,
+      data: {
+        actions,
+        ...(systemActions.length ? { systemActions } : {}),
+        tags: [],
+        ...updatePayload,
+      },
     });
-    return rule;
+    const schedule = convertAlertingRuleToSchedule(rule);
+    return schedule;
   };
 
   public deleteSchedule = async (ruleToDelete: { id: string }) => {