
[RAC][Rule Registry] Make endpoints for updating alerts consistent #111162

Closed
Tracked by #101016
banderror opened this issue Sep 3, 2021 · 4 comments
Labels: Team:Detection Alerts (Security Detection Alerts Area Team), Team:Detections and Resp (Security Detection Response Team), Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.), Theme: rac (label obsolete)

Comments


banderror commented Sep 3, 2021

Parent ticket: #101016

Summary

The single update API endpoint (x-pack/plugins/rule_registry/server/routes/update_alert_by_id.ts) accepts a single index parameter which must be the concrete index name of the alert document being updated. The call might fail in certain cases if the corresponding alias is specified.

The bulk update API endpoint (x-pack/plugins/rule_registry/server/routes/bulk_update_alerts.ts) accepts a single index parameter and an array of alert ids. This is not convenient if you have a list of alerts stored in different concrete indices, and you want to specify the concrete indices and the ids when calling this endpoint. This can be properly implemented on the client side, but it will lead to a few calls instead of 1.

Possible solutions

The ideal solution would be:

  • Make sure both endpoints can reliably work across concrete indices, i.e. a client can safely specify index alias when calling any of the two endpoints. For example, document updates should be done via esClient.updateByQuery like here. The rest of the logic should also work well with aliases.
  • In this case, both endpoints could have a single index parameter.
  • We need to make sure that alert document ids are unique across concrete indices.

Another solution could be:

  • Make sure both endpoints require concrete indices to be specified.
  • Make it obvious (e.g. rename the parameters) and write docs and comments in the code describing what is required and why.
  • The bulk update endpoint would probably need to accept an array of index-to-list-of-ids kind of data structure.

Also, if the ideal solution is possible, we could evaluate the possibility of (and need for) providing a registration context (observability.logs, security) instead of the corresponding full alias (.alerts-observability.logs.alerts, .alerts-security.alerts). RuleDataService exposes a method that could be used to find the alias:

  /**
   * Looks up the index information associated with the given registration context and dataset.
   */
  public findIndexByName(registrationContext: string, dataset: Dataset): IndexInfo | null {
    const baseName = this.getResourceName(`${registrationContext}.${dataset}`);
    return this.indicesByBaseName.get(baseName) ?? null;
  }
@banderror banderror added Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Theme: rac label obsolete labels Sep 3, 2021
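An added example, not rule_registry code, illustrating the structures discussed in the comment above: grouping alerts by concrete index into the index-to-list-of-ids shape a bulk endpoint could accept, checking that document ids are unique across concrete indices (the precondition for letting clients pass an alias), and the esClient.updateByQuery request that addresses alerts through an alias. The field being updated, the 7.x client request shape, and the sample index names and ids are assumptions for this illustration.

```typescript
// Added example, not rule_registry code. Shows three things from the issue:
// the index-to-list-of-ids shape for a bulk update, a uniqueness check for
// alert ids across concrete indices, and an updateByQuery request that
// updates alerts through an alias instead of a concrete index.

/** One alert reference as a client holds it: concrete index + document _id. */
interface AlertRef {
  index: string;
  id: string;
}

/** Constructed sample data; index names and ids are made up for this example. */
const SAMPLE_ALERTS: AlertRef[] = [
  { index: '.alerts-security.alerts-000001', id: 'alert-a' },
  { index: '.alerts-security.alerts-000002', id: 'alert-b' },
  { index: '.alerts-security.alerts-000001', id: 'alert-c' },
  // Same _id as the first entry but in another concrete index: exactly the
  // collision the "ids must be unique across indices" point is about.
  { index: '.alerts-security.alerts-000002', id: 'alert-a' },
];

/**
 * Group alert ids by concrete index. This is what a client must do today to
 * call the single-index bulk endpoint once per index, and it is the
 * index-to-list-of-ids structure the issue suggests the endpoint could take.
 */
function groupAlertsByIndex(alerts: AlertRef[]): Record<string, string[]> {
  const groups: Record<string, string[]> = {};
  for (const { index, id } of alerts) {
    const ids = groups[index] ?? [];
    ids.push(id);
    groups[index] = ids;
  }
  return groups;
}

/**
 * Ids that occur in more than one concrete index. An alias-wide update keyed
 * only on _id would touch every such document, so a single-index-parameter
 * design depends on this list being empty.
 */
function findDuplicateIds(alerts: AlertRef[]): string[] {
  const indicesById: Record<string, string[]> = {};
  for (const { index, id } of alerts) {
    const indices = indicesById[id] ?? [];
    if (indices.indexOf(index) === -1) indices.push(index);
    indicesById[id] = indices;
  }
  return Object.keys(indicesById)
    .filter((id) => indicesById[id].length > 1)
    .sort();
}

/** Request shape for the Elasticsearch 7.x client's updateByQuery (assumed). */
interface UpdateByQueryRequest {
  index: string;
  refresh: boolean;
  body: {
    query: { ids: { values: string[] } };
    script: { lang: string; source: string; params: Record<string, string> };
  };
}

/**
 * Build an updateByQuery request that sets `field` on the given alerts through
 * an alias. The `ids` query is resolved by Elasticsearch across all concrete
 * indices behind the alias, which is why this path works where a plain
 * single-document update against the alias may not. `field` is an assumed
 * parameter; the issue does not name which field gets updated.
 */
function buildAliasUpdateByQuery(
  alias: string,
  ids: string[],
  field: string,
  value: string
): UpdateByQueryRequest {
  // An empty `ids.values` matches nothing, so the call would silently be a
  // no-op; fail loudly instead so callers notice an empty selection.
  if (ids.length === 0) {
    throw new Error('no alert ids given');
  }
  return {
    index: alias,
    refresh: true,
    body: {
      query: { ids: { values: ids } },
      script: {
        lang: 'painless',
        // Field and value go in params; caller input is never interpolated
        // into the script source.
        source: 'ctx._source[params.field] = params.value',
        params: { field, value },
      },
    },
  };
}
```

Running findDuplicateIds over SAMPLE_ALERTS reports alert-a, which is the case where passing the alias to an id-based update would hit two documents; the group map is what a client would iterate to call the current per-index bulk endpoint.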
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@banderror
Contributor Author

cc @weltenwort

@banderror banderror added the Team:Detection Alerts Security Detection Alerts Area Team label Oct 11, 2021
@banderror
Contributor Author

Hey everyone, I removed this ticket from the backlog of the Detection Rules area.

We (@elastic/security-detections-response-rules) are not the owners anymore (however feel free to still ping us if you have any tech questions about the ticket). Ownership of this ticket and other tickets related to rule_registry (like #101016) now goes to the Detection Alerts area (Team:Detection Alerts label). Please ping @peluja1012 and @marshallmain if you have any questions.
