diff --git a/docs/api/dashboard-api.asciidoc b/docs/api/dashboard-api.asciidoc
index 94511c3154fe0..e6f54dd9156ec 100644
--- a/docs/api/dashboard-api.asciidoc
+++ b/docs/api/dashboard-api.asciidoc
@@ -1,7 +1,7 @@
 [[dashboard-api]]
 == Import and export dashboard APIs
 
-deprecated::[7.15.0,These experimental APIs have been deprecated in favor of <<saved-objects-api-import>> and <<saved-objects-api-export>>.]
+deprecated::[7.15.0,Both of these APIs have been deprecated in favor of <<saved-objects-api-import>> and <<saved-objects-api-export>>.]
 
 Import and export dashboards with the corresponding saved objects, such as visualizations, saved
 searches, and index patterns.
diff --git a/docs/api/dashboard/export-dashboard.asciidoc b/docs/api/dashboard/export-dashboard.asciidoc
index 098ec976569bd..3a20eff0a54d2 100644
--- a/docs/api/dashboard/export-dashboard.asciidoc
+++ b/docs/api/dashboard/export-dashboard.asciidoc
@@ -6,7 +6,7 @@
 
 deprecated::[7.15.0,Use <<saved-objects-api-export>> instead.]
 
-experimental[] Export dashboards and corresponding saved objects.
+Export dashboards and corresponding saved objects.
 
 [[dashboard-api-export-request]]
 ==== Request
diff --git a/docs/api/dashboard/import-dashboard.asciidoc b/docs/api/dashboard/import-dashboard.asciidoc
index 41eb47500c8d7..e4817d6cb7ee9 100644
--- a/docs/api/dashboard/import-dashboard.asciidoc
+++ b/docs/api/dashboard/import-dashboard.asciidoc
@@ -6,7 +6,7 @@
 
 deprecated::[7.15.0,Use <<saved-objects-api-import>> instead.]
 
-experimental[] Import dashboards and corresponding saved objects.
+Import dashboards and corresponding saved objects.
 
 [[dashboard-api-import-request]]
 ==== Request
diff --git a/packages/kbn-securitysolution-autocomplete/src/field/index.tsx b/packages/kbn-securitysolution-autocomplete/src/field/index.tsx
index 69408e919bb1e..a89e0a096b673 100644
--- a/packages/kbn-securitysolution-autocomplete/src/field/index.tsx
+++ b/packages/kbn-securitysolution-autocomplete/src/field/index.tsx
@@ -8,7 +8,7 @@
 
 import React, { useCallback, useMemo, useState } from 'react';
 import { EuiComboBox, EuiComboBoxOptionOption } from '@elastic/eui';
-import { IndexPatternBase, IndexPatternFieldBase } from '@kbn/es-query';
+import { DataViewBase, DataViewFieldBase } from '@kbn/es-query';
 
 import {
   getGenericComboBoxProps,
@@ -20,14 +20,14 @@ const AS_PLAIN_TEXT = { asPlainText: true };
 interface OperatorProps {
   fieldInputWidth?: number;
   fieldTypeFilter?: string[];
-  indexPattern: IndexPatternBase | undefined;
+  indexPattern: DataViewBase | undefined;
   isClearable: boolean;
   isDisabled: boolean;
   isLoading: boolean;
   isRequired?: boolean;
-  onChange: (a: IndexPatternFieldBase[]) => void;
+  onChange: (a: DataViewFieldBase[]) => void;
   placeholder: string;
-  selectedField: IndexPatternFieldBase | undefined;
+  selectedField: DataViewFieldBase | undefined;
 }
 
 export const FieldComponent: React.FC<OperatorProps> = ({
@@ -56,7 +56,7 @@ export const FieldComponent: React.FC<OperatorProps> = ({
 
   const handleValuesChange = useCallback(
     (newOptions: EuiComboBoxOptionOption[]): void => {
-      const newValues: IndexPatternFieldBase[] = newOptions.map(
+      const newValues: DataViewFieldBase[] = newOptions.map(
         ({ label }) => availableFields[labels.indexOf(label)]
       );
       onChange(newValues);
@@ -94,13 +94,13 @@ export const FieldComponent: React.FC<OperatorProps> = ({
 FieldComponent.displayName = 'Field';
 
 interface ComboBoxFields {
-  availableFields: IndexPatternFieldBase[];
-  selectedFields: IndexPatternFieldBase[];
+  availableFields: DataViewFieldBase[];
+  selectedFields: DataViewFieldBase[];
 }
 
 const getComboBoxFields = (
-  indexPattern: IndexPatternBase | undefined,
-  selectedField: IndexPatternFieldBase | undefined,
+  indexPattern: DataViewBase | undefined,
+  selectedField: DataViewFieldBase | undefined,
   fieldTypeFilter: string[]
 ): ComboBoxFields => {
   const existingFields = getExistingFields(indexPattern);
@@ -113,29 +113,27 @@ const getComboBoxFields = (
 const getComboBoxProps = (fields: ComboBoxFields): GetGenericComboBoxPropsReturn => {
   const { availableFields, selectedFields } = fields;
 
-  return getGenericComboBoxProps<IndexPatternFieldBase>({
+  return getGenericComboBoxProps<DataViewFieldBase>({
     getLabel: (field) => field.name,
     options: availableFields,
     selectedOptions: selectedFields,
   });
 };
 
-const getExistingFields = (indexPattern: IndexPatternBase | undefined): IndexPatternFieldBase[] => {
+const getExistingFields = (indexPattern: DataViewBase | undefined): DataViewFieldBase[] => {
   return indexPattern != null ? indexPattern.fields : [];
 };
 
-const getSelectedFields = (
-  selectedField: IndexPatternFieldBase | undefined
-): IndexPatternFieldBase[] => {
+const getSelectedFields = (selectedField: DataViewFieldBase | undefined): DataViewFieldBase[] => {
   return selectedField ? [selectedField] : [];
 };
 
 const getAvailableFields = (
-  existingFields: IndexPatternFieldBase[],
-  selectedFields: IndexPatternFieldBase[],
+  existingFields: DataViewFieldBase[],
+  selectedFields: DataViewFieldBase[],
   fieldTypeFilter: string[]
-): IndexPatternFieldBase[] => {
-  const fieldsByName = new Map<string, IndexPatternFieldBase>();
+): DataViewFieldBase[] => {
+  const fieldsByName = new Map<string, DataViewFieldBase>();
 
   existingFields.forEach((f) => fieldsByName.set(f.name, f));
   selectedFields.forEach((f) => fieldsByName.set(f.name, f));
diff --git a/src/plugins/data_views/server/fetcher/index_patterns_fetcher.test.ts b/src/plugins/data_views/server/fetcher/index_patterns_fetcher.test.ts
index a65d4d551cf7c..1a8b705480258 100644
--- a/src/plugins/data_views/server/fetcher/index_patterns_fetcher.test.ts
+++ b/src/plugins/data_views/server/fetcher/index_patterns_fetcher.test.ts
@@ -5,7 +5,6 @@
  * in compliance with, at your election, the Elastic License 2.0 or the Server
  * Side Public License, v 1.
  */
-
 import { IndexPatternsFetcher } from '.';
 import { ElasticsearchClient } from 'kibana/server';
 import * as indexNotFoundException from './index_not_found_exception.json';
@@ -15,36 +14,36 @@ describe('Index Pattern Fetcher - server', () => {
   let esClient: ElasticsearchClient;
   const emptyResponse = {
     body: {
-      count: 0,
+      indices: [],
     },
   };
   const response = {
     body: {
-      count: 1115,
+      indices: ['b'],
+      fields: [{ name: 'foo' }, { name: 'bar' }, { name: 'baz' }],
     },
   };
   const patternList = ['a', 'b', 'c'];
   beforeEach(() => {
+    jest.clearAllMocks();
     esClient = {
-      count: jest.fn().mockResolvedValueOnce(emptyResponse).mockResolvedValue(response),
+      fieldCaps: jest.fn().mockResolvedValueOnce(emptyResponse).mockResolvedValue(response),
     } as unknown as ElasticsearchClient;
     indexPatterns = new IndexPatternsFetcher(esClient);
   });
-
   it('Removes pattern without matching indices', async () => {
     const result = await indexPatterns.validatePatternListActive(patternList);
     expect(result).toEqual(['b', 'c']);
   });
-
   it('Returns all patterns when all match indices', async () => {
     esClient = {
-      count: jest.fn().mockResolvedValue(response),
+      fieldCaps: jest.fn().mockResolvedValue(response),
     } as unknown as ElasticsearchClient;
     indexPatterns = new IndexPatternsFetcher(esClient);
     const result = await indexPatterns.validatePatternListActive(patternList);
     expect(result).toEqual(patternList);
   });
-  it('Removes pattern when "index_not_found_exception" error is thrown', async () => {
+  it('Removes pattern when error is thrown', async () => {
     class ServerError extends Error {
       public body?: Record<string, any>;
       constructor(
@@ -56,9 +55,8 @@ describe('Index Pattern Fetcher - server', () => {
         this.body = errBody;
       }
     }
-
     esClient = {
-      count: jest
+      fieldCaps: jest
         .fn()
         .mockResolvedValueOnce(response)
         .mockRejectedValue(
@@ -69,4 +67,22 @@ describe('Index Pattern Fetcher - server', () => {
     const result = await indexPatterns.validatePatternListActive(patternList);
     expect(result).toEqual([patternList[0]]);
   });
+  it('When allowNoIndices is false, run validatePatternListActive', async () => {
+    const fieldCapsMock = jest.fn();
+    esClient = {
+      fieldCaps: fieldCapsMock.mockResolvedValue(response),
+    } as unknown as ElasticsearchClient;
+    indexPatterns = new IndexPatternsFetcher(esClient);
+    await indexPatterns.getFieldsForWildcard({ pattern: patternList });
+    expect(fieldCapsMock.mock.calls).toHaveLength(4);
+  });
+  it('When allowNoIndices is true, do not run validatePatternListActive', async () => {
+    const fieldCapsMock = jest.fn();
+    esClient = {
+      fieldCaps: fieldCapsMock.mockResolvedValue(response),
+    } as unknown as ElasticsearchClient;
+    indexPatterns = new IndexPatternsFetcher(esClient, true);
+    await indexPatterns.getFieldsForWildcard({ pattern: patternList });
+    expect(fieldCapsMock.mock.calls).toHaveLength(1);
+  });
 });
diff --git a/src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts b/src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts
index 7dae85c920ebf..c054d547e956f 100644
--- a/src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts
+++ b/src/plugins/data_views/server/fetcher/index_patterns_fetcher.ts
@@ -36,12 +36,10 @@ interface FieldSubType {
 export class IndexPatternsFetcher {
   private elasticsearchClient: ElasticsearchClient;
   private allowNoIndices: boolean;
-
   constructor(elasticsearchClient: ElasticsearchClient, allowNoIndices: boolean = false) {
     this.elasticsearchClient = elasticsearchClient;
     this.allowNoIndices = allowNoIndices;
   }
-
   /**
    *  Get a list of field objects for an index pattern that may contain wildcards
    *
@@ -60,23 +58,22 @@ export class IndexPatternsFetcher {
   }): Promise<FieldDescriptor[]> {
     const { pattern, metaFields, fieldCapsOptions, type, rollupIndex } = options;
     const patternList = Array.isArray(pattern) ? pattern : pattern.split(',');
+    const allowNoIndices = fieldCapsOptions
+      ? fieldCapsOptions.allow_no_indices
+      : this.allowNoIndices;
     let patternListActive: string[] = patternList;
     // if only one pattern, don't bother with validation. We let getFieldCapabilities fail if the single pattern is bad regardless
-    if (patternList.length > 1) {
+    if (patternList.length > 1 && !allowNoIndices) {
       patternListActive = await this.validatePatternListActive(patternList);
     }
     const fieldCapsResponse = await getFieldCapabilities(
       this.elasticsearchClient,
-      // if none of the patterns are active, pass the original list to get an error
-      patternListActive.length > 0 ? patternListActive : patternList,
+      patternListActive,
       metaFields,
       {
-        allow_no_indices: fieldCapsOptions
-          ? fieldCapsOptions.allow_no_indices
-          : this.allowNoIndices,
+        allow_no_indices: allowNoIndices,
       }
     );
-
     if (type === 'rollup' && rollupIndex) {
       const rollupFields: FieldDescriptor[] = [];
       const rollupIndexCapabilities = getCapabilitiesForRollupIndices(
@@ -87,13 +84,11 @@ export class IndexPatternsFetcher {
         ).body
       )[rollupIndex].aggs;
       const fieldCapsResponseObj = keyBy(fieldCapsResponse, 'name');
-
       // Keep meta fields
       metaFields!.forEach(
         (field: string) =>
           fieldCapsResponseObj[field] && rollupFields.push(fieldCapsResponseObj[field])
       );
-
       return mergeCapabilitiesWithFields(
         rollupIndexCapabilities,
         fieldCapsResponseObj,
@@ -137,23 +132,20 @@ export class IndexPatternsFetcher {
   async validatePatternListActive(patternList: string[]) {
     const result = await Promise.all(
       patternList
-        .map((pattern) =>
-          this.elasticsearchClient.count({
-            index: pattern,
-          })
-        )
-        .map((p) =>
-          p.catch((e) => {
-            if (e.body.error.type === 'index_not_found_exception') {
-              return { body: { count: 0 } };
-            }
-            throw e;
-          })
-        )
+        .map(async (index) => {
+          const searchResponse = await this.elasticsearchClient.fieldCaps({
+            index,
+            fields: '_id',
+            ignore_unavailable: true,
+            allow_no_indices: false,
+          });
+          return searchResponse.body.indices.length > 0;
+        })
+        .map((p) => p.catch(() => false))
     );
     return result.reduce(
-      (acc: string[], { body: { count } }, patternListIndex) =>
-        count > 0 ? [...acc, patternList[patternListIndex]] : acc,
+      (acc: string[], isValid, patternListIndex) =>
+        isValid ? [...acc, patternList[patternListIndex]] : acc,
       []
     );
   }
diff --git a/x-pack/plugins/observability/public/pages/alerts/alerts_table_t_grid.tsx b/x-pack/plugins/observability/public/pages/alerts/alerts_table_t_grid.tsx
index ace01aa851ce8..13ef1c7725a3d 100644
--- a/x-pack/plugins/observability/public/pages/alerts/alerts_table_t_grid.tsx
+++ b/x-pack/plugins/observability/public/pages/alerts/alerts_table_t_grid.tsx
@@ -412,6 +412,8 @@ export function AlertsTableTGrid(props: AlertsTableTGridProps) {
       },
       renderCellValue: getRenderCellValue({ setFlyoutAlert }),
       rowRenderers: NO_ROW_RENDER,
+      // TODO: implement Kibana data view runtime fields in observability
+      runtimeMappings: {},
       start: rangeFrom,
       setRefetch,
       sort: [
diff --git a/x-pack/plugins/security_solution/common/constants.ts b/x-pack/plugins/security_solution/common/constants.ts
index 2772c3de51065..584f3ed334d89 100644
--- a/x-pack/plugins/security_solution/common/constants.ts
+++ b/x-pack/plugins/security_solution/common/constants.ts
@@ -11,8 +11,16 @@ import type { TransformConfigSchema } from './transforms/types';
 import { ENABLE_CASE_CONNECTOR } from '../../cases/common';
 import { METADATA_TRANSFORMS_PATTERN } from './endpoint/constants';
 
+/**
+ * as const
+ *
+ * The const assertion ensures that type widening does not occur
+ * https://mariusschulz.com/blog/literal-type-widening-in-typescript
+ * Please follow this convention when adding to this file
+ */
+
 export const APP_ID = 'securitySolution' as const;
-export const APP_UI_ID = 'securitySolutionUI';
+export const APP_UI_ID = 'securitySolutionUI' as const;
 export const CASES_FEATURE_ID = 'securitySolutionCases' as const;
 export const SERVER_APP_ID = 'siem' as const;
 export const APP_NAME = 'Security' as const;
@@ -26,6 +34,8 @@ export const DEFAULT_DATE_FORMAT_TZ = 'dateFormat:tz' as const;
 export const DEFAULT_DARK_MODE = 'theme:darkMode' as const;
 export const DEFAULT_INDEX_KEY = 'securitySolution:defaultIndex' as const;
 export const DEFAULT_NUMBER_FORMAT = 'format:number:defaultPattern' as const;
+export const DEFAULT_DATA_VIEW_ID = 'security-solution' as const;
+export const DEFAULT_TIME_FIELD = '@timestamp' as const;
 export const DEFAULT_TIME_RANGE = 'timepicker:timeDefaults' as const;
 export const DEFAULT_REFRESH_RATE_INTERVAL = 'timepicker:refreshIntervalDefaults' as const;
 export const DEFAULT_APP_TIME_RANGE = 'securitySolution:timeDefaults' as const;
@@ -51,7 +61,6 @@ export const DEFAULT_TIMEPICKER_QUICK_RANGES = 'timepicker:quickRanges' as const
 export const DEFAULT_TRANSFORMS = 'securitySolution:transforms' as const;
 export const SCROLLING_DISABLED_CLASS_NAME = 'scrolling-disabled' as const;
 export const GLOBAL_HEADER_HEIGHT = 96 as const; // px
-export const GLOBAL_HEADER_HEIGHT_WITH_GLOBAL_BANNER = 128 as const; // px
 export const FILTERS_GLOBAL_HEIGHT = 109 as const; // px
 export const FULL_SCREEN_TOGGLED_CLASS_NAME = 'fullScreenToggled' as const;
 export const NO_ALERT_INDEX = 'no-alert-index-049FC71A-4C2C-446F-9901-37XMC5024C51' as const;
@@ -268,6 +277,7 @@ export const TIMELINE_PREPACKAGED_URL = `${TIMELINE_URL}/_prepackaged` as const;
 
 export const NOTE_URL = '/api/note' as const;
 export const PINNED_EVENT_URL = '/api/pinned_event' as const;
+export const SOURCERER_API_URL = '/api/sourcerer' as const;
 
 /**
  * Default signals index key for kibana.dev.yml
@@ -355,7 +365,7 @@ export const ELASTIC_NAME = 'estc' as const;
 
 export const METADATA_TRANSFORM_STATS_URL = `/api/transform/transforms/${METADATA_TRANSFORMS_PATTERN}/_stats`;
 
-export const RISKY_HOSTS_INDEX_PREFIX = 'ml_host_risk_score_latest_';
+export const RISKY_HOSTS_INDEX_PREFIX = 'ml_host_risk_score_latest_' as const;
 
 export const TRANSFORM_STATES = {
   ABORTING: 'aborting',
diff --git a/x-pack/plugins/security_solution/common/detection_engine/get_query_filter.ts b/x-pack/plugins/security_solution/common/detection_engine/get_query_filter.ts
index 033e979d2814c..42c10614975eb 100644
--- a/x-pack/plugins/security_solution/common/detection_engine/get_query_filter.ts
+++ b/x-pack/plugins/security_solution/common/detection_engine/get_query_filter.ts
@@ -11,7 +11,7 @@ import type {
   CreateExceptionListItemSchema,
 } from '@kbn/securitysolution-io-ts-list-types';
 import { buildExceptionFilter } from '@kbn/securitysolution-list-utils';
-import { Filter, EsQueryConfig, IndexPatternBase, buildEsQuery } from '@kbn/es-query';
+import { Filter, EsQueryConfig, DataViewBase, buildEsQuery } from '@kbn/es-query';
 
 import { ESBoolQuery } from '../typed_json';
 import { Query, Index, TimestampOverrideOrUndefined } from './schemas/common/schemas';
@@ -24,7 +24,7 @@ export const getQueryFilter = (
   lists: Array<ExceptionListItemSchema | CreateExceptionListItemSchema>,
   excludeExceptions: boolean = true
 ): ESBoolQuery => {
-  const indexPattern: IndexPatternBase = {
+  const indexPattern: DataViewBase = {
     fields: [],
     title: index.join(),
   };
diff --git a/x-pack/plugins/security_solution/common/search_strategy/index_fields/index.ts b/x-pack/plugins/security_solution/common/search_strategy/index_fields/index.ts
index be5fd3b5c4dc5..35fd5e81b096f 100644
--- a/x-pack/plugins/security_solution/common/search_strategy/index_fields/index.ts
+++ b/x-pack/plugins/security_solution/common/search_strategy/index_fields/index.ts
@@ -5,79 +5,15 @@
  * 2.0.
  */
 
-import type { IFieldSubType } from '@kbn/es-query';
-
-import type {
-  IEsSearchRequest,
-  IEsSearchResponse,
-  IIndexPattern,
-} from '../../../../../../src/plugins/data/common';
-import type { DocValueFields, Maybe } from '../common';
-
-interface FieldInfo {
-  category: string;
-  description?: string;
-  example?: string | number;
-  format?: string;
-  name: string;
-  type?: string;
-}
-
-export interface IndexField {
-  /** Where the field belong */
-  category: string;
-  /** Example of field's value */
-  example?: Maybe<string | number>;
-  /** whether the field's belong to an alias index */
-  indexes: Array<Maybe<string>>;
-  /** The name of the field */
-  name: string;
-  /** The type of the field's values as recognized by Kibana */
-  type: string;
-  /** Whether the field's values can be efficiently searched for */
-  searchable: boolean;
-  /** Whether the field's values can be aggregated */
-  aggregatable: boolean;
-  /** Description of the field */
-  description?: Maybe<string>;
-  format?: Maybe<string>;
-  /** the elastic type as mapped in the index */
-  esTypes?: string[];
-  subType?: IFieldSubType;
-  readFromDocValues: boolean;
-}
-
-export type BeatFields = Record<string, FieldInfo>;
-
-export interface IndexFieldsStrategyRequest extends IEsSearchRequest {
-  indices: string[];
-  onlyCheckIfIndicesExist: boolean;
-}
-
-export interface IndexFieldsStrategyResponse extends IEsSearchResponse {
-  indexFields: IndexField[];
-  indicesExist: string[];
-}
-
-export interface BrowserField {
-  aggregatable: boolean;
-  category: string;
-  description: string | null;
-  example: string | number | null;
-  fields: Readonly<Record<string, Partial<BrowserField>>>;
-  format: string;
-  indexes: string[];
-  name: string;
-  searchable: boolean;
-  type: string;
-  subType?: IFieldSubType;
-}
-
-export type BrowserFields = Readonly<Record<string, Partial<BrowserField>>>;
-
-export const EMPTY_BROWSER_FIELDS = {};
-export const EMPTY_DOCVALUE_FIELD: DocValueFields[] = [];
-export const EMPTY_INDEX_PATTERN: IIndexPattern = {
-  fields: [],
-  title: '',
-};
+export {
+  FieldInfo,
+  IndexField,
+  BeatFields,
+  IndexFieldsStrategyRequest,
+  IndexFieldsStrategyResponse,
+  BrowserField,
+  BrowserFields,
+  EMPTY_BROWSER_FIELDS,
+  EMPTY_DOCVALUE_FIELD,
+  EMPTY_INDEX_FIELDS,
+} from '../../../../timelines/common';
diff --git a/x-pack/plugins/security_solution/common/search_strategy/timeline/events/last_event_time/index.ts b/x-pack/plugins/security_solution/common/search_strategy/timeline/events/last_event_time/index.ts
index 39f23a63c8afe..d6735b59c229d 100644
--- a/x-pack/plugins/security_solution/common/search_strategy/timeline/events/last_event_time/index.ts
+++ b/x-pack/plugins/security_solution/common/search_strategy/timeline/events/last_event_time/index.ts
@@ -10,6 +10,7 @@ export { LastEventIndexKey } from '../../../../../../timelines/common';
 export type {
   LastTimeDetails,
   TimelineEventsLastEventTimeStrategyResponse,
+  TimelineKpiStrategyRequest,
   TimelineKpiStrategyResponse,
   TimelineEventsLastEventTimeRequestOptions,
 } from '../../../../../../timelines/common';
diff --git a/x-pack/plugins/security_solution/common/search_strategy/timeline/index.ts b/x-pack/plugins/security_solution/common/search_strategy/timeline/index.ts
index 548560ac5cb8c..2d94a36a937d5 100644
--- a/x-pack/plugins/security_solution/common/search_strategy/timeline/index.ts
+++ b/x-pack/plugins/security_solution/common/search_strategy/timeline/index.ts
@@ -5,6 +5,7 @@
  * 2.0.
  */
 
+import { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { IEsSearchRequest } from '../../../../../../src/plugins/data/common';
 import { ESQuery } from '../../typed_json';
 import {
@@ -41,6 +42,7 @@ export interface TimelineRequestBasicOptions extends IEsSearchRequest {
   defaultIndex: string[];
   docValueFields?: DocValueFields[];
   factoryQueryType?: TimelineFactoryQueryTypes;
+  runtimeMappings: MappingRuntimeFields;
 }
 
 export interface TimelineRequestSortField<Field = string> extends SortField<Field> {
@@ -171,6 +173,7 @@ export interface SortTimelineInput {
 export interface TimelineInput {
   columns?: Maybe<ColumnHeaderInput[]>;
   dataProviders?: Maybe<DataProviderInput[]>;
+  dataViewId?: Maybe<string>;
   description?: Maybe<string>;
   eqlOptions?: Maybe<EqlOptionsInput>;
   eventType?: Maybe<string>;
diff --git a/x-pack/plugins/security_solution/common/test/index.ts b/x-pack/plugins/security_solution/common/test/index.ts
index 6d5df76b306a3..53261d54e84b0 100644
--- a/x-pack/plugins/security_solution/common/test/index.ts
+++ b/x-pack/plugins/security_solution/common/test/index.ts
@@ -7,12 +7,12 @@
 
 // For the source of these roles please consult the PR these were introduced https://github.com/elastic/kibana/pull/81866#issue-511165754
 export enum ROLES {
+  soc_manager = 'soc_manager',
   reader = 'reader',
   t1_analyst = 't1_analyst',
   t2_analyst = 't2_analyst',
   hunter = 'hunter',
   rule_author = 'rule_author',
-  soc_manager = 'soc_manager',
   platform_engineer = 'platform_engineer',
   detections_admin = 'detections_admin',
 }
diff --git a/x-pack/plugins/security_solution/common/types/timeline/index.ts b/x-pack/plugins/security_solution/common/types/timeline/index.ts
index c0046f7535db8..60fd126e6fd85 100644
--- a/x-pack/plugins/security_solution/common/types/timeline/index.ts
+++ b/x-pack/plugins/security_solution/common/types/timeline/index.ts
@@ -272,6 +272,7 @@ export type TimelineTypeLiteralWithNull = runtimeTypes.TypeOf<typeof TimelineTyp
 export const SavedTimelineRuntimeType = runtimeTypes.partial({
   columns: unionWithNullType(runtimeTypes.array(SavedColumnHeaderRuntimeType)),
   dataProviders: unionWithNullType(runtimeTypes.array(SavedDataProviderRuntimeType)),
+  dataViewId: unionWithNullType(runtimeTypes.string),
   description: unionWithNullType(runtimeTypes.string),
   eqlOptions: unionWithNullType(EqlOptionsRuntimeType),
   eventType: unionWithNullType(runtimeTypes.string),
@@ -305,7 +306,7 @@ export type SavedTimelineNote = runtimeTypes.TypeOf<typeof SavedTimelineRuntimeT
  * This type represents a timeline type stored in a saved object that does not include any fields that reference
  * other saved objects.
  */
-export type TimelineWithoutExternalRefs = Omit<SavedTimeline, 'savedQueryId'>;
+export type TimelineWithoutExternalRefs = Omit<SavedTimeline, 'dataViewId' | 'savedQueryId'>;
 
 /*
  *  Timeline IDs
@@ -719,6 +720,7 @@ export interface TimelineResult {
   created?: Maybe<number>;
   createdBy?: Maybe<string>;
   dataProviders?: Maybe<DataProviderResult[]>;
+  dataViewId?: Maybe<string>;
   dateRange?: Maybe<DateRangePickerResult>;
   description?: Maybe<string>;
   eqlOptions?: Maybe<EqlOptionsResult>;
diff --git a/x-pack/plugins/security_solution/common/types/timeline/store.ts b/x-pack/plugins/security_solution/common/types/timeline/store.ts
index 03cf0c39378e5..75cd44ba2b7d7 100644
--- a/x-pack/plugins/security_solution/common/types/timeline/store.ts
+++ b/x-pack/plugins/security_solution/common/types/timeline/store.ts
@@ -38,19 +38,20 @@ export interface SortColumnTimeline {
 }
 
 export interface TimelinePersistInput {
-  id: string;
+  columns: ColumnHeaderOptions[];
   dataProviders?: DataProvider[];
+  dataViewId: string;
   dateRange?: {
     start: string;
     end: string;
   };
+  defaultColumns?: ColumnHeaderOptions[];
   excludedRowRendererIds?: RowRendererId[];
   expandedDetail?: TimelineExpandedDetail;
   filters?: Filter[];
-  columns: ColumnHeaderOptions[];
-  defaultColumns?: ColumnHeaderOptions[];
-  itemsPerPage?: number;
+  id: string;
   indexNames: string[];
+  itemsPerPage?: number;
   kqlQuery?: {
     filterQuery: SerializedFilterQuery | null;
   };
diff --git a/x-pack/plugins/security_solution/cypress/cypress.json b/x-pack/plugins/security_solution/cypress/cypress.json
index 6a9a240af5873..8c27309becf08 100644
--- a/x-pack/plugins/security_solution/cypress/cypress.json
+++ b/x-pack/plugins/security_solution/cypress/cypress.json
@@ -12,5 +12,10 @@
   "video": false,
   "videosFolder": "../../../target/kibana-security-solution/cypress/videos",
   "viewportHeight": 900,
-  "viewportWidth": 1440
+  "viewportWidth": 1440,
+  "env": {
+    "protocol": "http",
+    "hostname": "localhost",
+    "configport": "5601"
+  }
 }
diff --git a/x-pack/plugins/security_solution/cypress/downloads/timelines_export.ndjson b/x-pack/plugins/security_solution/cypress/downloads/timelines_export.ndjson
new file mode 100644
index 0000000000000..8cf76734ad876
--- /dev/null
+++ b/x-pack/plugins/security_solution/cypress/downloads/timelines_export.ndjson
@@ -0,0 +1 @@
+{"savedObjectId":"46cca0e0-2580-11ec-8e56-9dafa0b0343b","version":"WzIyNjIzNCwxXQ==","columns":[{"id":"@timestamp"},{"id":"user.name"},{"id":"event.category"},{"id":"event.action"},{"id":"host.name"}],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"expression":"host.name: *","kind":"kuery"}}},"dateRange":{"start":"1514809376000","end":"1577881376000"},"description":"This is the best timeline","title":"Security Timeline","created":1633399341550,"createdBy":"elastic","updated":1633399341550,"updatedBy":"elastic","savedQueryId":null,"dataViewId":null,"timelineType":"default","sort":[],"eventNotes":[],"globalNotes":[],"pinnedEventIds":[]}
diff --git a/x-pack/plugins/security_solution/cypress/integration/cases/privileges.spec.ts b/x-pack/plugins/security_solution/cypress/integration/cases/privileges.spec.ts
index 23016ecc512b1..0337cd3bd6e17 100644
--- a/x-pack/plugins/security_solution/cypress/integration/cases/privileges.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/cases/privileges.spec.ts
@@ -18,184 +18,28 @@ import {
   filterStatusOpen,
 } from '../../tasks/create_new_case';
 import {
-  constructUrlWithUser,
-  getEnvAuth,
+  loginAndWaitForHostDetailsPage,
   loginWithUserAndWaitForPageWithoutDateRange,
+  logout,
 } from '../../tasks/login';
+import {
+  createUsersAndRoles,
+  deleteUsersAndRoles,
+  secAll,
+  secAllUser,
+  secReadCasesAllUser,
+  secReadCasesAll,
+} from '../../tasks/privileges';
 
 import { CASES_URL } from '../../urls/navigation';
-
-interface User {
-  username: string;
-  password: string;
-  description?: string;
-  roles: string[];
-}
-
-interface UserInfo {
-  username: string;
-  full_name: string;
-  email: string;
-}
-
-interface FeaturesPrivileges {
-  [featureId: string]: string[];
-}
-
-interface ElasticsearchIndices {
-  names: string[];
-  privileges: string[];
-}
-
-interface ElasticSearchPrivilege {
-  cluster?: string[];
-  indices?: ElasticsearchIndices[];
-}
-
-interface KibanaPrivilege {
-  spaces: string[];
-  base?: string[];
-  feature?: FeaturesPrivileges;
-}
-
-interface Role {
-  name: string;
-  privileges: {
-    elasticsearch?: ElasticSearchPrivilege;
-    kibana?: KibanaPrivilege[];
-  };
-}
-
-const secAll: Role = {
-  name: 'sec_all_role',
-  privileges: {
-    elasticsearch: {
-      indices: [
-        {
-          names: ['*'],
-          privileges: ['all'],
-        },
-      ],
-    },
-    kibana: [
-      {
-        feature: {
-          siem: ['all'],
-          securitySolutionCases: ['all'],
-          actions: ['all'],
-          actionsSimulators: ['all'],
-        },
-        spaces: ['*'],
-      },
-    ],
-  },
-};
-
-const secAllUser: User = {
-  username: 'sec_all_user',
-  password: 'password',
-  roles: [secAll.name],
-};
-
-const secReadCasesAll: Role = {
-  name: 'sec_read_cases_all_role',
-  privileges: {
-    elasticsearch: {
-      indices: [
-        {
-          names: ['*'],
-          privileges: ['all'],
-        },
-      ],
-    },
-    kibana: [
-      {
-        feature: {
-          siem: ['read'],
-          securitySolutionCases: ['all'],
-          actions: ['all'],
-          actionsSimulators: ['all'],
-        },
-        spaces: ['*'],
-      },
-    ],
-  },
-};
-
-const secReadCasesAllUser: User = {
-  username: 'sec_read_cases_all_user',
-  password: 'password',
-  roles: [secReadCasesAll.name],
-};
-
+import { openSourcerer } from '../../tasks/sourcerer';
 const usersToCreate = [secAllUser, secReadCasesAllUser];
 const rolesToCreate = [secAll, secReadCasesAll];
-
-const getUserInfo = (user: User): UserInfo => ({
-  username: user.username,
-  full_name: user.username.replace('_', ' '),
-  email: `${user.username}@elastic.co`,
-});
-
-const createUsersAndRoles = (users: User[], roles: Role[]) => {
-  const envUser = getEnvAuth();
-  for (const role of roles) {
-    cy.log(`Creating role: ${JSON.stringify(role)}`);
-    cy.request({
-      body: role.privileges,
-      headers: { 'kbn-xsrf': 'cypress-creds-via-config' },
-      method: 'PUT',
-      url: constructUrlWithUser(envUser, `/api/security/role/${role.name}`),
-    })
-      .its('status')
-      .should('eql', 204);
-  }
-
-  for (const user of users) {
-    const userInfo = getUserInfo(user);
-    cy.log(`Creating user: ${JSON.stringify(user)}`);
-    cy.request({
-      body: {
-        username: user.username,
-        password: user.password,
-        roles: user.roles,
-        full_name: userInfo.full_name,
-        email: userInfo.email,
-      },
-      headers: { 'kbn-xsrf': 'cypress-creds-via-config' },
-      method: 'POST',
-      url: constructUrlWithUser(envUser, `/internal/security/users/${user.username}`),
-    })
-      .its('status')
-      .should('eql', 200);
-  }
-};
-
-const deleteUsersAndRoles = (users: User[], roles: Role[]) => {
-  const envUser = getEnvAuth();
-  for (const user of users) {
-    cy.log(`Deleting user: ${JSON.stringify(user)}`);
-    cy.request({
-      headers: { 'kbn-xsrf': 'cypress-creds-via-config' },
-      method: 'DELETE',
-      url: constructUrlWithUser(envUser, `/internal/security/users/${user.username}`),
-      failOnStatusCode: false,
-    })
-      .its('status')
-      .should('oneOf', [204, 404]);
-  }
-
-  for (const role of roles) {
-    cy.log(`Deleting role: ${JSON.stringify(role)}`);
-    cy.request({
-      headers: { 'kbn-xsrf': 'cypress-creds-via-config' },
-      method: 'DELETE',
-      url: constructUrlWithUser(envUser, `/api/security/role/${role.name}`),
-      failOnStatusCode: false,
-    })
-      .its('status')
-      .should('oneOf', [204, 404]);
-  }
+// needed to generate index pattern
+const visitSecuritySolution = () => {
+  loginAndWaitForHostDetailsPage();
+  openSourcerer();
+  logout();
 };
 
 const testCase: TestCaseWithoutTimeline = {
@@ -205,11 +49,11 @@ const testCase: TestCaseWithoutTimeline = {
   reporter: 'elastic',
   owner: 'securitySolution',
 };
-
 describe('Cases privileges', () => {
   before(() => {
     cleanKibana();
     createUsersAndRoles(usersToCreate, rolesToCreate);
+    visitSecuritySolution();
   });
 
   after(() => {
diff --git a/x-pack/plugins/security_solution/cypress/integration/data_sources/sourcerer.spec.ts b/x-pack/plugins/security_solution/cypress/integration/data_sources/sourcerer.spec.ts
index 26c366e981d44..bd7acc38c1021 100644
--- a/x-pack/plugins/security_solution/cypress/integration/data_sources/sourcerer.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/data_sources/sourcerer.spec.ts
@@ -5,7 +5,10 @@
  * 2.0.
  */
 
-import { loginAndWaitForPage } from '../../tasks/login';
+import {
+  loginAndWaitForPage,
+  loginWithUserAndWaitForPageWithoutDateRange,
+} from '../../tasks/login';
 
 import { HOSTS_URL } from '../../urls/navigation';
 import { waitForAllHostsToBeLoaded } from '../../tasks/hosts/all_hosts';
@@ -28,20 +31,34 @@ import { openTimelineUsingToggle } from '../../tasks/security_main';
 import { populateTimeline } from '../../tasks/timeline';
 import { SERVER_SIDE_EVENT_COUNT } from '../../screens/timeline';
 import { cleanKibana } from '../../tasks/common';
+import { createUsersAndRoles, secReadCasesAll, secReadCasesAllUser } from '../../tasks/privileges';
+import { TOASTER } from '../../screens/configure_cases';
 
+const usersToCreate = [secReadCasesAllUser];
+const rolesToCreate = [secReadCasesAll];
 // Skipped at the moment as this has flake due to click handler issues. This has been raised with team members
 // and the code is being re-worked and then these tests will be unskipped
-describe.skip('Sourcerer', () => {
-  before(() => {
+describe('Sourcerer', () => {
+  beforeEach(() => {
     cleanKibana();
   });
-
-  beforeEach(() => {
-    cy.clearLocalStorage();
-    loginAndWaitForPage(HOSTS_URL);
+  describe('permissions', () => {
+    before(() => {
+      createUsersAndRoles(usersToCreate, rolesToCreate);
+    });
+    it(`role(s) ${secReadCasesAllUser.roles.join()} shows error when user does not have permissions`, () => {
+      loginWithUserAndWaitForPageWithoutDateRange(HOSTS_URL, secReadCasesAllUser);
+      cy.get(TOASTER).should('have.text', 'Write role required to generate data');
+    });
   });
+  // Originially written in December 2020, flakey from day1
+  // has always been skipped with intentions to fix, see note at top of file
+  describe.skip('Default scope', () => {
+    beforeEach(() => {
+      cy.clearLocalStorage();
+      loginAndWaitForPage(HOSTS_URL);
+    });
 
-  describe('Default scope', () => {
     it('has SIEM index patterns selected on initial load', () => {
       openSourcerer();
       isSourcererSelection(`auditbeat-*`);
@@ -52,7 +69,7 @@ describe.skip('Sourcerer', () => {
       isSourcererOptions([`metrics-*`, `logs-*`]);
     });
 
-    it('selected KIP gets added to sourcerer', () => {
+    it('selected DATA_VIEW gets added to sourcerer', () => {
       setSourcererOption(`metrics-*`);
       openSourcerer();
       isSourcererSelection(`metrics-*`);
@@ -75,8 +92,14 @@ describe.skip('Sourcerer', () => {
       isNotSourcererSelection(`metrics-*`);
     });
   });
+  // Originially written in December 2020, flakey from day1
+  // has always been skipped with intentions to fix
+  describe.skip('Timeline scope', () => {
+    beforeEach(() => {
+      cy.clearLocalStorage();
+      loginAndWaitForPage(HOSTS_URL);
+    });
 
-  describe('Timeline scope', () => {
     const alertPatterns = ['.siem-signals-default'];
     const rawPatterns = ['auditbeat-*'];
     const allPatterns = [...alertPatterns, ...rawPatterns];
diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts
index 803ff4b4d0d80..033a12dd9de3e 100644
--- a/x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts
@@ -9,6 +9,7 @@ import { ALERT_FLYOUT, CELL_TEXT, JSON_TEXT, TABLE_ROWS } from '../../screens/al
 
 import {
   expandFirstAlert,
+  refreshAlerts,
   waitForAlertsIndexToBeCreated,
   waitForAlertsPanelToBeLoaded,
 } from '../../tasks/alerts';
@@ -32,6 +33,7 @@ describe('Alert details with unmapped fields', () => {
     createCustomRuleActivated(getUnmappedRule());
     loginAndWaitForPageWithoutDateRange(ALERTS_URL);
     waitForAlertsPanelToBeLoaded();
+    refreshAlerts();
     expandFirstAlert();
   });
 
diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/event_correlation_rule.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/event_correlation_rule.spec.ts
index 10f556a11bf60..171d224cc32d3 100644
--- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/event_correlation_rule.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/event_correlation_rule.spec.ts
@@ -70,7 +70,7 @@ import { loginAndWaitForPageWithoutDateRange } from '../../tasks/login';
 
 import { ALERTS_URL } from '../../urls/navigation';
 
-describe.skip('Detection rules, EQL', () => {
+describe('Detection rules, EQL', () => {
   const expectedUrls = getEqlRule().referenceUrls.join('');
   const expectedFalsePositives = getEqlRule().falsePositivesExamples.join('');
   const expectedTags = getEqlRule().tags.join('');
@@ -169,7 +169,7 @@ describe.skip('Detection rules, EQL', () => {
   });
 });
 
-describe.skip('Detection rules, sequence EQL', () => {
+describe('Detection rules, sequence EQL', () => {
   const expectedNumberOfRules = 1;
   const expectedNumberOfSequenceAlerts = '1 alert';
 
diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts
index 02621ea49e906..378de8f0bc593 100644
--- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts
@@ -114,7 +114,7 @@ import { loginAndWaitForPageWithoutDateRange } from '../../tasks/login';
 import { goBackToAllRulesTable } from '../../tasks/rule_details';
 
 import { ALERTS_URL, RULE_CREATION } from '../../urls/navigation';
-import { DEFAULT_THREAT_MATCH_QUERY } from '../../../common/constants';
+const DEFAULT_THREAT_MATCH_QUERY = '@timestamp >= "now-30d"';
 
 describe('indicator match', () => {
   describe('Detection rules, Indicator Match', () => {
diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/sorting.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/sorting.spec.ts
index ef3d3a82d40bd..92f9e8180d50c 100644
--- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/sorting.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/sorting.spec.ts
@@ -34,7 +34,6 @@ import {
   waitForRuleToChangeStatus,
 } from '../../tasks/alerts_detection_rules';
 import { loginAndWaitForPageWithoutDateRange } from '../../tasks/login';
-import { DEFAULT_RULE_REFRESH_INTERVAL_VALUE } from '../../../common/constants';
 
 import { ALERTS_URL } from '../../urls/navigation';
 import { createCustomRule } from '../../tasks/api_calls/rules';
@@ -46,6 +45,8 @@ import {
   getNewThresholdRule,
 } from '../../objects/rule';
 
+const DEFAULT_RULE_REFRESH_INTERVAL_VALUE = 60000;
+
 describe('Alerts detection rules', () => {
   beforeEach(() => {
     cleanKibana();
diff --git a/x-pack/plugins/security_solution/cypress/integration/ml/ml_conditional_links.spec.ts b/x-pack/plugins/security_solution/cypress/integration/ml/ml_conditional_links.spec.ts
index 89a0d5a660b97..f9d78ba12a5ea 100644
--- a/x-pack/plugins/security_solution/cypress/integration/ml/ml_conditional_links.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/ml/ml_conditional_links.spec.ts
@@ -98,7 +98,7 @@ describe('ml conditional links', () => {
     loginAndWaitForPageWithoutDateRange(mlNetworkSingleIpNullKqlQuery);
     cy.url().should(
       'include',
-      'app/security/network/ip/127.0.0.1/source?timerange=(global:(linkTo:!(timeline),timerange:(from:%272019-08-28T11:00:00.000Z%27,kind:absolute,to:%272019-08-28T13:59:59.999Z%27)),timeline:(linkTo:!(global),timerange:(from:%272019-08-28T11:00:00.000Z%27,kind:absolute,to:%272019-08-28T13:59:59.999Z%27)))&sourcerer=(default:!(%27auditbeat-*%27))'
+      'app/security/network/ip/127.0.0.1/source?timerange=(global:(linkTo:!(timeline),timerange:(from:%272019-08-28T11:00:00.000Z%27,kind:absolute,to:%272019-08-28T13:59:59.999Z%27)),timeline:(linkTo:!(global),timerange:(from:%272019-08-28T11:00:00.000Z%27,kind:absolute,to:%272019-08-28T13:59:59.999Z%27)))&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(%27auditbeat-*%27)))'
     );
   });
 
@@ -106,7 +106,7 @@ describe('ml conditional links', () => {
     loginAndWaitForPageWithoutDateRange(mlNetworkSingleIpKqlQuery);
     cy.url().should(
       'include',
-      '/app/security/network/ip/127.0.0.1/source?query=(language:kuery,query:%27(process.name:%20%22conhost.exe%22%20or%20process.name:%20%22sc.exe%22)%27)&timerange=(global:(linkTo:!(timeline),timerange:(from:%272019-08-28T11:00:00.000Z%27,kind:absolute,to:%272019-08-28T13:59:59.999Z%27)),timeline:(linkTo:!(global),timerange:(from:%272019-08-28T11:00:00.000Z%27,kind:absolute,to:%272019-08-28T13:59:59.999Z%27)))&sourcerer=(default:!(%27auditbeat-*%27))'
+      '/app/security/network/ip/127.0.0.1/source?query=(language:kuery,query:%27(process.name:%20%22conhost.exe%22%20or%20process.name:%20%22sc.exe%22)%27)&timerange=(global:(linkTo:!(timeline),timerange:(from:%272019-08-28T11:00:00.000Z%27,kind:absolute,to:%272019-08-28T13:59:59.999Z%27)),timeline:(linkTo:!(global),timerange:(from:%272019-08-28T11:00:00.000Z%27,kind:absolute,to:%272019-08-28T13:59:59.999Z%27)))&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(%27auditbeat-*%27)))'
     );
   });
 
@@ -114,7 +114,7 @@ describe('ml conditional links', () => {
     loginAndWaitForPageWithoutDateRange(mlNetworkMultipleIpNullKqlQuery);
     cy.url().should(
       'include',
-      'app/security/network/flows?query=(language:kuery,query:%27((source.ip:%20%22127.0.0.1%22%20or%20destination.ip:%20%22127.0.0.1%22)%20or%20(source.ip:%20%22127.0.0.2%22%20or%20destination.ip:%20%22127.0.0.2%22))%27)&timerange=(global:(linkTo:!(timeline),timerange:(from:%272019-08-28T11:00:00.000Z%27,kind:absolute,to:%272019-08-28T13:59:59.999Z%27)),timeline:(linkTo:!(global),timerange:(from:%272019-08-28T11:00:00.000Z%27,kind:absolute,to:%272019-08-28T13:59:59.999Z%27)))&sourcerer=(default:!(%27auditbeat-*%27))'
+      'app/security/network/flows?query=(language:kuery,query:%27((source.ip:%20%22127.0.0.1%22%20or%20destination.ip:%20%22127.0.0.1%22)%20or%20(source.ip:%20%22127.0.0.2%22%20or%20destination.ip:%20%22127.0.0.2%22))%27)&timerange=(global:(linkTo:!(timeline),timerange:(from:%272019-08-28T11:00:00.000Z%27,kind:absolute,to:%272019-08-28T13:59:59.999Z%27)),timeline:(linkTo:!(global),timerange:(from:%272019-08-28T11:00:00.000Z%27,kind:absolute,to:%272019-08-28T13:59:59.999Z%27)))&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(%27auditbeat-*%27)))'
     );
   });
 
@@ -122,7 +122,7 @@ describe('ml conditional links', () => {
     loginAndWaitForPageWithoutDateRange(mlNetworkMultipleIpKqlQuery);
     cy.url().should(
       'include',
-      '/app/security/network/flows?query=(language:kuery,query:%27((source.ip:%20%22127.0.0.1%22%20or%20destination.ip:%20%22127.0.0.1%22)%20or%20(source.ip:%20%22127.0.0.2%22%20or%20destination.ip:%20%22127.0.0.2%22))%20and%20((process.name:%20%22conhost.exe%22%20or%20process.name:%20%22sc.exe%22))%27)&timerange=(global:(linkTo:!(timeline),timerange:(from:%272019-08-28T11:00:00.000Z%27,kind:absolute,to:%272019-08-28T13:59:59.999Z%27)),timeline:(linkTo:!(global),timerange:(from:%272019-08-28T11:00:00.000Z%27,kind:absolute,to:%272019-08-28T13:59:59.999Z%27)))&sourcerer=(default:!(%27auditbeat-*%27))'
+      '/app/security/network/flows?query=(language:kuery,query:%27((source.ip:%20%22127.0.0.1%22%20or%20destination.ip:%20%22127.0.0.1%22)%20or%20(source.ip:%20%22127.0.0.2%22%20or%20destination.ip:%20%22127.0.0.2%22))%20and%20((process.name:%20%22conhost.exe%22%20or%20process.name:%20%22sc.exe%22))%27)&timerange=(global:(linkTo:!(timeline),timerange:(from:%272019-08-28T11:00:00.000Z%27,kind:absolute,to:%272019-08-28T13:59:59.999Z%27)),timeline:(linkTo:!(global),timerange:(from:%272019-08-28T11:00:00.000Z%27,kind:absolute,to:%272019-08-28T13:59:59.999Z%27)))&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(%27auditbeat-*%27)))'
     );
   });
 
@@ -130,15 +130,16 @@ describe('ml conditional links', () => {
     loginAndWaitForPageWithoutDateRange(mlNetworkNullKqlQuery);
     cy.url().should(
       'include',
-      '/app/security/network/flows?timerange=(global:(linkTo:!(timeline),timerange:(from:%272019-08-28T11:00:00.000Z%27,kind:absolute,to:%272019-08-28T13:59:59.999Z%27)),timeline:(linkTo:!(global),timerange:(from:%272019-08-28T11:00:00.000Z%27,kind:absolute,to:%272019-08-28T13:59:59.999Z%27)))&sourcerer=(default:!(%27auditbeat-*%27))'
+      '/app/security/network/flows?timerange=(global:(linkTo:!(timeline),timerange:(from:%272019-08-28T11:00:00.000Z%27,kind:absolute,to:%272019-08-28T13:59:59.999Z%27)),timeline:(linkTo:!(global),timerange:(from:%272019-08-28T11:00:00.000Z%27,kind:absolute,to:%272019-08-28T13:59:59.999Z%27)))&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(%27auditbeat-*%27)))'
     );
   });
 
   it('redirects from a $ip$ with a value for the query', () => {
     loginAndWaitForPageWithoutDateRange(mlNetworkKqlQuery);
+
     cy.url().should(
       'include',
-      '/app/security/network/flows?query=(language:kuery,query:%27(process.name:%20%22conhost.exe%22%20or%20process.name:%20%22sc.exe%22)%27)&timerange=(global:(linkTo:!(timeline),timerange:(from:%272019-08-28T11:00:00.000Z%27,kind:absolute,to:%272019-08-28T13:59:59.999Z%27)),timeline:(linkTo:!(global),timerange:(from:%272019-08-28T11:00:00.000Z%27,kind:absolute,to:%272019-08-28T13:59:59.999Z%27)))&sourcerer=(default:!(%27auditbeat-*%27))'
+      `/app/security/network/flows?query=(language:kuery,query:%27(process.name:%20%22conhost.exe%22%20or%20process.name:%20%22sc.exe%22)%27)&timerange=(global:(linkTo:!(timeline),timerange:(from:%272019-08-28T11:00:00.000Z%27,kind:absolute,to:%272019-08-28T13:59:59.999Z%27)),timeline:(linkTo:!(global),timerange:(from:%272019-08-28T11:00:00.000Z%27,kind:absolute,to:%272019-08-28T13:59:59.999Z%27)))&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(%27auditbeat-*%27)))`
     );
   });
 
@@ -146,7 +147,7 @@ describe('ml conditional links', () => {
     loginAndWaitForPageWithoutDateRange(mlHostSingleHostNullKqlQuery);
     cy.url().should(
       'include',
-      '/app/security/hosts/siem-windows/anomalies?timerange=(global:(linkTo:!(timeline),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)),timeline:(linkTo:!(global),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)))&sourcerer=(default:!(%27auditbeat-*%27))'
+      '/app/security/hosts/siem-windows/anomalies?timerange=(global:(linkTo:!(timeline),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)),timeline:(linkTo:!(global),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)))&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(%27auditbeat-*%27)))'
     );
   });
 
@@ -154,7 +155,7 @@ describe('ml conditional links', () => {
     loginAndWaitForPageWithoutDateRange(mlHostSingleHostKqlQueryVariable);
     cy.url().should(
       'include',
-      '/app/security/hosts/siem-windows/anomalies?timerange=(global:(linkTo:!(timeline),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)),timeline:(linkTo:!(global),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)))&sourcerer=(default:!(%27auditbeat-*%27))'
+      '/app/security/hosts/siem-windows/anomalies?timerange=(global:(linkTo:!(timeline),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)),timeline:(linkTo:!(global),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)))&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(%27auditbeat-*%27)))'
     );
   });
 
@@ -162,7 +163,7 @@ describe('ml conditional links', () => {
     loginAndWaitForPageWithoutDateRange(mlHostSingleHostKqlQuery);
     cy.url().should(
       'include',
-      '/app/security/hosts/siem-windows/anomalies?query=(language:kuery,query:%27(process.name:%20%22conhost.exe%22%20or%20process.name:%20%22sc.exe%22)%27)&timerange=(global:(linkTo:!(timeline),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)),timeline:(linkTo:!(global),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)))&sourcerer=(default:!(%27auditbeat-*%27))'
+      '/app/security/hosts/siem-windows/anomalies?query=(language:kuery,query:%27(process.name:%20%22conhost.exe%22%20or%20process.name:%20%22sc.exe%22)%27)&timerange=(global:(linkTo:!(timeline),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)),timeline:(linkTo:!(global),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)))&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(%27auditbeat-*%27)))'
     );
   });
 
@@ -170,7 +171,7 @@ describe('ml conditional links', () => {
     loginAndWaitForPageWithoutDateRange(mlHostMultiHostNullKqlQuery);
     cy.url().should(
       'include',
-      '/app/security/hosts/anomalies?query=(language:kuery,query:%27(host.name:%20%22siem-windows%22%20or%20host.name:%20%22siem-suricata%22)%27)&timerange=(global:(linkTo:!(timeline),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)),timeline:(linkTo:!(global),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)))&sourcerer=(default:!(%27auditbeat-*%27))'
+      '/app/security/hosts/anomalies?query=(language:kuery,query:%27(host.name:%20%22siem-windows%22%20or%20host.name:%20%22siem-suricata%22)%27)&timerange=(global:(linkTo:!(timeline),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)),timeline:(linkTo:!(global),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)))&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(%27auditbeat-*%27)))'
     );
   });
 
@@ -178,7 +179,7 @@ describe('ml conditional links', () => {
     loginAndWaitForPageWithoutDateRange(mlHostMultiHostKqlQuery);
     cy.url().should(
       'include',
-      '/app/security/hosts/anomalies?query=(language:kuery,query:%27(host.name:%20%22siem-windows%22%20or%20host.name:%20%22siem-suricata%22)%20and%20((process.name:%20%22conhost.exe%22%20or%20process.name:%20%22sc.exe%22))%27)&timerange=(global:(linkTo:!(timeline),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)),timeline:(linkTo:!(global),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)))&sourcerer=(default:!(%27auditbeat-*%27))'
+      '/app/security/hosts/anomalies?query=(language:kuery,query:%27(host.name:%20%22siem-windows%22%20or%20host.name:%20%22siem-suricata%22)%20and%20((process.name:%20%22conhost.exe%22%20or%20process.name:%20%22sc.exe%22))%27)&timerange=(global:(linkTo:!(timeline),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)),timeline:(linkTo:!(global),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)))&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(%27auditbeat-*%27)))'
     );
   });
 
@@ -186,7 +187,7 @@ describe('ml conditional links', () => {
     loginAndWaitForPageWithoutDateRange(mlHostVariableHostNullKqlQuery);
     cy.url().should(
       'include',
-      '/app/security/hosts/anomalies?timerange=(global:(linkTo:!(timeline),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)),timeline:(linkTo:!(global),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)))&sourcerer=(default:!(%27auditbeat-*%27))'
+      '/app/security/hosts/anomalies?timerange=(global:(linkTo:!(timeline),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)),timeline:(linkTo:!(global),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)))&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(%27auditbeat-*%27)))'
     );
   });
 
@@ -194,7 +195,7 @@ describe('ml conditional links', () => {
     loginAndWaitForPageWithoutDateRange(mlHostVariableHostKqlQuery);
     cy.url().should(
       'include',
-      '/app/security/hosts/anomalies?query=(language:kuery,query:%27(process.name:%20%22conhost.exe%22%20or%20process.name:%20%22sc.exe%22)%27)&timerange=(global:(linkTo:!(timeline),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)),timeline:(linkTo:!(global),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)))&sourcerer=(default:!(%27auditbeat-*%27))'
+      '/app/security/hosts/anomalies?query=(language:kuery,query:%27(process.name:%20%22conhost.exe%22%20or%20process.name:%20%22sc.exe%22)%27)&timerange=(global:(linkTo:!(timeline),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)),timeline:(linkTo:!(global),timerange:(from:%272019-06-06T06:00:00.000Z%27,kind:absolute,to:%272019-06-07T05:59:59.999Z%27)))&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(%27auditbeat-*%27)))'
     );
   });
 });
diff --git a/x-pack/plugins/security_solution/cypress/integration/timelines/creation.spec.ts b/x-pack/plugins/security_solution/cypress/integration/timelines/creation.spec.ts
index fb41aec91b6c4..cbff911e5d982 100644
--- a/x-pack/plugins/security_solution/cypress/integration/timelines/creation.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/timelines/creation.spec.ts
@@ -121,7 +121,6 @@ describe('Create a timeline from a template', () => {
     loginAndWaitForPageWithoutDateRange(TIMELINE_TEMPLATES_URL);
     waitForTimelinesPanelToBeLoaded();
   });
-
   it('Should have the same query and open the timeline modal', () => {
     selectCustomTemplates();
     cy.wait('@timeline', { timeout: 100000 });
@@ -132,5 +131,6 @@ describe('Create a timeline from a template', () => {
     cy.get(TIMELINE_FLYOUT_WRAPPER).should('have.css', 'visibility', 'visible');
     cy.get(TIMELINE_DESCRIPTION).should('have.text', getTimeline().description);
     cy.get(TIMELINE_QUERY).should('have.text', getTimeline().query);
+    closeTimeline();
   });
 });
diff --git a/x-pack/plugins/security_solution/cypress/integration/urls/state.spec.ts b/x-pack/plugins/security_solution/cypress/integration/urls/state.spec.ts
index 73eb141f1ce3d..28fe1294e6f01 100644
--- a/x-pack/plugins/security_solution/cypress/integration/urls/state.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/urls/state.spec.ts
@@ -182,11 +182,10 @@ describe('url state', () => {
     loginAndWaitForPageWithoutDateRange(ABSOLUTE_DATE_RANGE.url);
     kqlSearch('source.ip: "10.142.0.9" {enter}');
     navigateFromHeaderTo(HOSTS);
-
     cy.get(NETWORK).should(
       'have.attr',
       'href',
-      `/app/security/network?query=(language:kuery,query:'source.ip:%20%2210.142.0.9%22%20')&sourcerer=(default:!(\'auditbeat-*\'))&timerange=(global:(linkTo:!(timeline),timerange:(from:'2019-08-01T20:03:29.186Z',kind:absolute,to:'2019-08-01T20:33:29.186Z')),timeline:(linkTo:!(global),timerange:(from:'2019-08-01T20:03:29.186Z',kind:absolute,to:'2019-08-01T20:33:29.186Z')))`
+      `/app/security/network?query=(language:kuery,query:'source.ip:%20%2210.142.0.9%22%20')&sourcerer=(default:(id:security-solution-default,selectedPatterns:!('auditbeat-*')))&timerange=(global:(linkTo:!(timeline),timerange:(from:'2019-08-01T20:03:29.186Z',kind:absolute,to:'2019-08-01T20:33:29.186Z')),timeline:(linkTo:!(global),timerange:(from:'2019-08-01T20:03:29.186Z',kind:absolute,to:'2019-08-01T20:33:29.186Z')))`
     );
   });
 
@@ -199,12 +198,12 @@ describe('url state', () => {
     cy.get(HOSTS).should(
       'have.attr',
       'href',
-      `/app/security/hosts?query=(language:kuery,query:'host.name:%20%22siem-kibana%22%20')&sourcerer=(default:!(\'auditbeat-*\'))&timerange=(global:(linkTo:!(timeline),timerange:(from:'2019-08-01T20:03:29.186Z',kind:absolute,to:'2020-01-01T21:33:29.186Z')),timeline:(linkTo:!(global),timerange:(from:'2019-08-01T20:03:29.186Z',kind:absolute,to:'2020-01-01T21:33:29.186Z')))`
+      `/app/security/hosts?query=(language:kuery,query:'host.name:%20%22siem-kibana%22%20')&sourcerer=(default:(id:security-solution-default,selectedPatterns:!('auditbeat-*')))&timerange=(global:(linkTo:!(timeline),timerange:(from:'2019-08-01T20:03:29.186Z',kind:absolute,to:'2020-01-01T21:33:29.186Z')),timeline:(linkTo:!(global),timerange:(from:'2019-08-01T20:03:29.186Z',kind:absolute,to:'2020-01-01T21:33:29.186Z')))`
     );
     cy.get(NETWORK).should(
       'have.attr',
       'href',
-      `/app/security/network?query=(language:kuery,query:'host.name:%20%22siem-kibana%22%20')&sourcerer=(default:!(\'auditbeat-*\'))&timerange=(global:(linkTo:!(timeline),timerange:(from:'2019-08-01T20:03:29.186Z',kind:absolute,to:'2020-01-01T21:33:29.186Z')),timeline:(linkTo:!(global),timerange:(from:'2019-08-01T20:03:29.186Z',kind:absolute,to:'2020-01-01T21:33:29.186Z')))`
+      `/app/security/network?query=(language:kuery,query:'host.name:%20%22siem-kibana%22%20')&sourcerer=(default:(id:security-solution-default,selectedPatterns:!('auditbeat-*')))&timerange=(global:(linkTo:!(timeline),timerange:(from:'2019-08-01T20:03:29.186Z',kind:absolute,to:'2020-01-01T21:33:29.186Z')),timeline:(linkTo:!(global),timerange:(from:'2019-08-01T20:03:29.186Z',kind:absolute,to:'2020-01-01T21:33:29.186Z')))`
     );
     cy.get(HOSTS_NAMES).first().should('have.text', 'siem-kibana');
 
@@ -215,21 +214,21 @@ describe('url state', () => {
     cy.get(ANOMALIES_TAB).should(
       'have.attr',
       'href',
-      "/app/security/hosts/siem-kibana/anomalies?sourcerer=(default:!('auditbeat-*'))&timerange=(global:(linkTo:!(timeline),timerange:(from:'2019-08-01T20:03:29.186Z',kind:absolute,to:'2020-01-01T21:33:29.186Z')),timeline:(linkTo:!(global),timerange:(from:'2019-08-01T20:03:29.186Z',kind:absolute,to:'2020-01-01T21:33:29.186Z')))&query=(language:kuery,query:'agent.type:%20%22auditbeat%22%20')"
+      "/app/security/hosts/siem-kibana/anomalies?sourcerer=(default:(id:security-solution-default,selectedPatterns:!('auditbeat-*')))&timerange=(global:(linkTo:!(timeline),timerange:(from:'2019-08-01T20:03:29.186Z',kind:absolute,to:'2020-01-01T21:33:29.186Z')),timeline:(linkTo:!(global),timerange:(from:'2019-08-01T20:03:29.186Z',kind:absolute,to:'2020-01-01T21:33:29.186Z')))&query=(language:kuery,query:'agent.type:%20%22auditbeat%22%20')"
     );
     cy.get(BREADCRUMBS)
       .eq(1)
       .should(
         'have.attr',
         'href',
-        `/app/security/hosts?query=(language:kuery,query:'agent.type:%20%22auditbeat%22%20')&sourcerer=(default:!(\'auditbeat-*\'))&timerange=(global:(linkTo:!(timeline),timerange:(from:'2019-08-01T20:03:29.186Z',kind:absolute,to:'2020-01-01T21:33:29.186Z')),timeline:(linkTo:!(global),timerange:(from:'2019-08-01T20:03:29.186Z',kind:absolute,to:'2020-01-01T21:33:29.186Z')))`
+        `/app/security/hosts?query=(language:kuery,query:'agent.type:%20%22auditbeat%22%20')&sourcerer=(default:(id:security-solution-default,selectedPatterns:!('auditbeat-*')))&timerange=(global:(linkTo:!(timeline),timerange:(from:'2019-08-01T20:03:29.186Z',kind:absolute,to:'2020-01-01T21:33:29.186Z')),timeline:(linkTo:!(global),timerange:(from:'2019-08-01T20:03:29.186Z',kind:absolute,to:'2020-01-01T21:33:29.186Z')))`
       );
     cy.get(BREADCRUMBS)
       .eq(2)
       .should(
         'have.attr',
         'href',
-        `/app/security/hosts/siem-kibana?query=(language:kuery,query:'agent.type:%20%22auditbeat%22%20')&sourcerer=(default:!(\'auditbeat-*\'))&timerange=(global:(linkTo:!(timeline),timerange:(from:'2019-08-01T20:03:29.186Z',kind:absolute,to:'2020-01-01T21:33:29.186Z')),timeline:(linkTo:!(global),timerange:(from:'2019-08-01T20:03:29.186Z',kind:absolute,to:'2020-01-01T21:33:29.186Z')))`
+        `/app/security/hosts/siem-kibana?query=(language:kuery,query:'agent.type:%20%22auditbeat%22%20')&sourcerer=(default:(id:security-solution-default,selectedPatterns:!('auditbeat-*')))&timerange=(global:(linkTo:!(timeline),timerange:(from:'2019-08-01T20:03:29.186Z',kind:absolute,to:'2020-01-01T21:33:29.186Z')),timeline:(linkTo:!(global),timerange:(from:'2019-08-01T20:03:29.186Z',kind:absolute,to:'2020-01-01T21:33:29.186Z')))`
       );
   });
 
diff --git a/x-pack/plugins/security_solution/cypress/objects/timeline.ts b/x-pack/plugins/security_solution/cypress/objects/timeline.ts
index f3d9bc1b9ef1a..70b8c1b400d51 100644
--- a/x-pack/plugins/security_solution/cypress/objects/timeline.ts
+++ b/x-pack/plugins/security_solution/cypress/objects/timeline.ts
@@ -87,6 +87,7 @@ export const expectedExportedTimelineTemplate = (
         },
       },
     },
+    dataViewId: timelineTemplateBody.dataViewId,
     dateRange: {
       start: timelineTemplateBody.dateRange?.start,
       end: timelineTemplateBody.dateRange?.end,
@@ -127,6 +128,7 @@ export const expectedExportedTimeline = (timelineResponse: Cypress.Response<Time
       },
     },
     dateRange: { start: timelineBody.dateRange?.start, end: timelineBody.dateRange?.end },
+    dataViewId: timelineBody.dataViewId,
     description: timelineBody.description,
     title: timelineBody.title,
     created: timelineBody.created,
diff --git a/x-pack/plugins/security_solution/cypress/screens/sourcerer.ts b/x-pack/plugins/security_solution/cypress/screens/sourcerer.ts
index 874fc7352e908..185e06f99951c 100644
--- a/x-pack/plugins/security_solution/cypress/screens/sourcerer.ts
+++ b/x-pack/plugins/security_solution/cypress/screens/sourcerer.ts
@@ -7,10 +7,10 @@
 
 export const SOURCERER_TRIGGER = '[data-test-subj="sourcerer-trigger"]';
 export const SOURCERER_INPUT =
-  '[data-test-subj="indexPattern-switcher"] [data-test-subj="comboBoxInput"]';
+  '[data-test-subj="sourcerer-combo-box"] [data-test-subj="comboBoxInput"]';
 export const SOURCERER_OPTIONS =
-  '[data-test-subj="comboBoxOptionsList indexPattern-switcher-optionsList"]';
-export const SOURCERER_SAVE_BUTTON = 'button[data-test-subj="add-index"]';
+  '[data-test-subj="comboBoxOptionsList sourcerer-combo-box-optionsList"]';
+export const SOURCERER_SAVE_BUTTON = 'button[data-test-subj="sourcerer-save"]';
 export const SOURCERER_RESET_BUTTON = 'button[data-test-subj="sourcerer-reset"]';
 export const SOURCERER_POPOVER_TITLE = '.euiPopoverTitle';
 export const HOSTS_STAT = '[data-test-subj="stat-hosts"] [data-test-subj="stat-title"]';
diff --git a/x-pack/plugins/security_solution/cypress/tasks/alerts.ts b/x-pack/plugins/security_solution/cypress/tasks/alerts.ts
index 220c0fbdaa4cf..f4b84b83284db 100644
--- a/x-pack/plugins/security_solution/cypress/tasks/alerts.ts
+++ b/x-pack/plugins/security_solution/cypress/tasks/alerts.ts
@@ -102,6 +102,12 @@ export const goToOpenedAlerts = () => {
   cy.get(LOADING_INDICATOR).should('not.exist');
 };
 
+export const refreshAlerts = () => {
+  // ensure we've refetched fields the first time index is defined
+  cy.get(REFRESH_BUTTON).should('have.text', 'Refresh');
+  cy.get(REFRESH_BUTTON).first().click({ force: true });
+};
+
 export const openFirstAlert = () => {
   cy.get(TIMELINE_CONTEXT_MENU_BTN).first().click({ force: true });
   cy.get(OPEN_ALERT_BTN).click();
diff --git a/x-pack/plugins/security_solution/cypress/tasks/login.ts b/x-pack/plugins/security_solution/cypress/tasks/login.ts
index 96d37d2d9214a..f0137f4baf099 100644
--- a/x-pack/plugins/security_solution/cypress/tasks/login.ts
+++ b/x-pack/plugins/security_solution/cypress/tasks/login.ts
@@ -10,7 +10,7 @@ import Url, { UrlObject } from 'url';
 
 import { ROLES } from '../../common/test';
 import { TIMELINE_FLYOUT_BODY } from '../screens/timeline';
-import { hostDetailsUrl } from '../urls/navigation';
+import { hostDetailsUrl, LOGOUT_URL } from '../urls/navigation';
 
 /**
  * Credentials in the `kibana.dev.yml` config file will be used to authenticate
@@ -326,3 +326,7 @@ export const waitForPageWithoutDateRange = (url: string, role?: ROLES) => {
   cy.visit(role ? getUrlWithRoute(role, url) : url);
   cy.get('[data-test-subj="headerGlobalNav"]', { timeout: 120000 });
 };
+
+export const logout = () => {
+  cy.visit(LOGOUT_URL);
+};
diff --git a/x-pack/plugins/security_solution/cypress/tasks/privileges.ts b/x-pack/plugins/security_solution/cypress/tasks/privileges.ts
new file mode 100644
index 0000000000000..3550aff767d38
--- /dev/null
+++ b/x-pack/plugins/security_solution/cypress/tasks/privileges.ts
@@ -0,0 +1,186 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { constructUrlWithUser, getEnvAuth } from './login';
+
+interface User {
+  username: string;
+  password: string;
+  description?: string;
+  roles: string[];
+}
+
+interface UserInfo {
+  username: string;
+  full_name: string;
+  email: string;
+}
+
+interface FeaturesPrivileges {
+  [featureId: string]: string[];
+}
+
+interface ElasticsearchIndices {
+  names: string[];
+  privileges: string[];
+}
+
+interface ElasticSearchPrivilege {
+  cluster?: string[];
+  indices?: ElasticsearchIndices[];
+}
+
+interface KibanaPrivilege {
+  spaces: string[];
+  base?: string[];
+  feature?: FeaturesPrivileges;
+}
+
+interface Role {
+  name: string;
+  privileges: {
+    elasticsearch?: ElasticSearchPrivilege;
+    kibana?: KibanaPrivilege[];
+  };
+}
+
+export const secAll: Role = {
+  name: 'sec_all_role',
+  privileges: {
+    elasticsearch: {
+      indices: [
+        {
+          names: ['*'],
+          privileges: ['all'],
+        },
+      ],
+    },
+    kibana: [
+      {
+        feature: {
+          siem: ['all'],
+          securitySolutionCases: ['all'],
+          actions: ['all'],
+          actionsSimulators: ['all'],
+          // TODO: Steph/sourcerer remove once we have our internal saved object client
+          // https://github.com/elastic/security-team/issues/1978
+          indexPatterns: ['read'],
+          savedObjectsManagement: ['read'],
+        },
+        spaces: ['*'],
+      },
+    ],
+  },
+};
+
+export const secAllUser: User = {
+  username: 'sec_all_user',
+  password: 'password',
+  roles: [secAll.name],
+};
+
+export const secReadCasesAll: Role = {
+  name: 'sec_read_cases_all_role',
+  privileges: {
+    elasticsearch: {
+      indices: [
+        {
+          names: ['*'],
+          privileges: ['all'],
+        },
+      ],
+    },
+    kibana: [
+      {
+        feature: {
+          siem: ['read'],
+          securitySolutionCases: ['all'],
+          actions: ['all'],
+          actionsSimulators: ['all'],
+          // TODO: Steph/sourcerer remove once we have our internal saved object client
+          // https://github.com/elastic/security-team/issues/1978
+          indexPatterns: ['read'],
+          savedObjectsManagement: ['read'],
+        },
+        spaces: ['*'],
+      },
+    ],
+  },
+};
+
+export const secReadCasesAllUser: User = {
+  username: 'sec_read_cases_all_user',
+  password: 'password',
+  roles: [secReadCasesAll.name],
+};
+
+const getUserInfo = (user: User): UserInfo => ({
+  username: user.username,
+  full_name: user.username.replace('_', ' '),
+  email: `${user.username}@elastic.co`,
+});
+
+export const createUsersAndRoles = (users: User[], roles: Role[]) => {
+  const envUser = getEnvAuth();
+  for (const role of roles) {
+    cy.log(`Creating role: ${JSON.stringify(role)}`);
+    cy.request({
+      body: role.privileges,
+      headers: { 'kbn-xsrf': 'cypress-creds-via-config' },
+      method: 'PUT',
+      url: constructUrlWithUser(envUser, `/api/security/role/${role.name}`),
+    })
+      .its('status')
+      .should('eql', 204);
+  }
+
+  for (const user of users) {
+    const userInfo = getUserInfo(user);
+    cy.log(`Creating user: ${JSON.stringify(user)}`);
+    cy.request({
+      body: {
+        username: user.username,
+        password: user.password,
+        roles: user.roles,
+        full_name: userInfo.full_name,
+        email: userInfo.email,
+      },
+      headers: { 'kbn-xsrf': 'cypress-creds-via-config' },
+      method: 'POST',
+      url: constructUrlWithUser(envUser, `/internal/security/users/${user.username}`),
+    })
+      .its('status')
+      .should('eql', 200);
+  }
+};
+
+export const deleteUsersAndRoles = (users: User[], roles: Role[]) => {
+  const envUser = getEnvAuth();
+  for (const user of users) {
+    cy.log(`Deleting user: ${JSON.stringify(user)}`);
+    cy.request({
+      headers: { 'kbn-xsrf': 'cypress-creds-via-config' },
+      method: 'DELETE',
+      url: constructUrlWithUser(envUser, `/internal/security/users/${user.username}`),
+      failOnStatusCode: false,
+    })
+      .its('status')
+      .should('oneOf', [204, 404]);
+  }
+
+  for (const role of roles) {
+    cy.log(`Deleting role: ${JSON.stringify(role)}`);
+    cy.request({
+      headers: { 'kbn-xsrf': 'cypress-creds-via-config' },
+      method: 'DELETE',
+      url: constructUrlWithUser(envUser, `/api/security/role/${role.name}`),
+      failOnStatusCode: false,
+    })
+      .its('status')
+      .should('oneOf', [204, 404]);
+  }
+};
diff --git a/x-pack/plugins/security_solution/cypress/urls/navigation.ts b/x-pack/plugins/security_solution/cypress/urls/navigation.ts
index a9fad865f506c..901c06193d73c 100644
--- a/x-pack/plugins/security_solution/cypress/urls/navigation.ts
+++ b/x-pack/plugins/security_solution/cypress/urls/navigation.ts
@@ -41,3 +41,4 @@ export const OVERVIEW_URL = '/app/security/overview';
 export const RULE_CREATION = 'app/security/rules/create';
 export const TIMELINES_URL = '/app/security/timelines';
 export const TIMELINE_TEMPLATES_URL = '/app/security/timelines/template';
+export const LOGOUT_URL = '/logout';
diff --git a/x-pack/plugins/security_solution/public/app/home/index.tsx b/x-pack/plugins/security_solution/public/app/home/index.tsx
index e7f825691c58d..3a02adc155e6e 100644
--- a/x-pack/plugins/security_solution/public/app/home/index.tsx
+++ b/x-pack/plugins/security_solution/public/app/home/index.tsx
@@ -16,8 +16,8 @@ import { UseUrlState } from '../../common/components/url_state';
 import { navTabs } from './home_navigations';
 import {
   useInitSourcerer,
-  useSourcererScope,
   getScopeFromPath,
+  useSourcererDataView,
 } from '../../common/containers/sourcerer';
 import { useUpgradeSecurityPackages } from '../../common/hooks/use_upgrade_security_packages';
 import { GlobalHeader } from './global_header';
@@ -38,8 +38,7 @@ const HomePageComponent: React.FC<HomePageProps> = ({
 
   useInitSourcerer(getScopeFromPath(pathname));
 
-  const { browserFields, indexPattern } = useSourcererScope(getScopeFromPath(pathname));
-
+  const { browserFields, indexPattern } = useSourcererDataView(getScopeFromPath(pathname));
   // side effect: this will attempt to upgrade the endpoint package if it is not up to date
   // this will run when a user navigates to the Security Solution app and when they navigate between
   // tabs in the app. This is useful for keeping the endpoint package as up to date as possible until
diff --git a/x-pack/plugins/security_solution/public/app/home/template_wrapper/bottom_bar/index.tsx b/x-pack/plugins/security_solution/public/app/home/template_wrapper/bottom_bar/index.tsx
index 8e972b92c2fa1..c283bb10c7928 100644
--- a/x-pack/plugins/security_solution/public/app/home/template_wrapper/bottom_bar/index.tsx
+++ b/x-pack/plugins/security_solution/public/app/home/template_wrapper/bottom_bar/index.tsx
@@ -8,25 +8,23 @@
 /* eslint-disable react/display-name */
 
 import React from 'react';
-import { useLocation } from 'react-router-dom';
 import { KibanaPageTemplateProps } from '../../../../../../../../src/plugins/kibana_react/public';
 import { AppLeaveHandler } from '../../../../../../../../src/core/public';
 import { useShowTimeline } from '../../../../common/utils/timeline/use_show_timeline';
-import { useSourcererScope, getScopeFromPath } from '../../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../../../common/containers/sourcerer';
 import { TimelineId } from '../../../../../common/types/timeline';
 import { AutoSaveWarningMsg } from '../../../../timelines/components/timeline/auto_save_warning';
 import { Flyout } from '../../../../timelines/components/flyout';
 import { useResolveRedirect } from '../../../../common/hooks/use_resolve_redirect';
+import { SourcererScopeName } from '../../../../common/store/sourcerer/model';
 
 export const BOTTOM_BAR_CLASSNAME = 'timeline-bottom-bar';
 
 export const SecuritySolutionBottomBar = React.memo(
   ({ onAppLeave }: { onAppLeave: (handler: AppLeaveHandler) => void }) => {
-    const { pathname } = useLocation();
-
     const [showTimeline] = useShowTimeline();
 
-    const { indicesExist } = useSourcererScope(getScopeFromPath(pathname));
+    const { indicesExist } = useSourcererDataView(SourcererScopeName.timeline);
     useResolveRedirect();
 
     return indicesExist && showTimeline ? (
diff --git a/x-pack/plugins/security_solution/public/cases/components/case_view/helpers.ts b/x-pack/plugins/security_solution/public/cases/components/case_view/helpers.ts
index 94813862a983a..bfaa5fb7652d4 100644
--- a/x-pack/plugins/security_solution/public/cases/components/case_view/helpers.ts
+++ b/x-pack/plugins/security_solution/public/cases/components/case_view/helpers.ts
@@ -7,7 +7,7 @@
 
 import { isObject, get, isString, isNumber } from 'lodash';
 import { useMemo } from 'react';
-import { useSourcererScope } from '../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../../common/containers/sourcerer';
 import { SourcererScopeName } from '../../../common/store/sourcerer/model';
 import { useQueryAlerts } from '../../../detections/containers/detection_engine/alerts/use_query';
 import { Ecs } from '../../../../../cases/common';
@@ -102,7 +102,7 @@ export interface Alert {
   [key: string]: unknown;
 }
 export const useFetchAlertData = (alertIds: string[]): [boolean, Record<string, Ecs>] => {
-  const { selectedPatterns } = useSourcererScope(SourcererScopeName.detections);
+  const { selectedPatterns } = useSourcererDataView(SourcererScopeName.detections);
   const alertsQuery = useMemo(() => buildAlertsQuery(alertIds), [alertIds]);
 
   const { loading: isLoadingAlerts, data: alertsData } = useQueryAlerts<SignalHit, unknown>({
diff --git a/x-pack/plugins/security_solution/public/cases/components/case_view/index.tsx b/x-pack/plugins/security_solution/public/cases/components/case_view/index.tsx
index bdf4a1dbc1579..fc65d5c370bae 100644
--- a/x-pack/plugins/security_solution/public/cases/components/case_view/index.tsx
+++ b/x-pack/plugins/security_solution/public/cases/components/case_view/index.tsx
@@ -21,7 +21,7 @@ import { SecurityPageName } from '../../../app/types';
 import { useKibana } from '../../../common/lib/kibana';
 import { APP_UI_ID } from '../../../../common/constants';
 import { timelineActions } from '../../../timelines/store/timeline';
-import { useSourcererScope } from '../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../../common/containers/sourcerer';
 import { SourcererScopeName } from '../../../common/store/sourcerer/model';
 import { DetailsPanel } from '../../../timelines/components/side_panel';
 import { InvestigateInTimelineAction } from '../../../detections/components/alerts_table/timeline_actions/investigate_in_timeline_action';
@@ -53,14 +53,16 @@ export interface CaseProps extends Props {
 }
 
 const TimelineDetailsPanel = () => {
-  const { browserFields, docValueFields } = useSourcererScope(SourcererScopeName.detections);
-
+  const { browserFields, docValueFields, runtimeMappings } = useSourcererDataView(
+    SourcererScopeName.detections
+  );
   return (
     <DetailsPanel
       browserFields={browserFields}
       docValueFields={docValueFields}
       entityType="events"
       isFlyoutView
+      runtimeMappings={runtimeMappings}
       timelineId={TimelineId.casePage}
     />
   );
@@ -134,6 +136,7 @@ export const CaseView = React.memo(
         timelineActions.createTimeline({
           id: TimelineId.casePage,
           columns: [],
+          dataViewId: '',
           indexNames: [],
           expandedDetail: {},
           show: false,
diff --git a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/__snapshots__/drag_drop_context_wrapper.test.tsx.snap b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/__snapshots__/drag_drop_context_wrapper.test.tsx.snap
index 6ef797580be9b..93c083eafbdf3 100644
--- a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/__snapshots__/drag_drop_context_wrapper.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/__snapshots__/drag_drop_context_wrapper.test.tsx.snap
@@ -125,6 +125,7 @@ exports[`DragDropContextWrapper rendering it renders against the snapshot 1`] =
               "packetbeat",
             ],
             "name": "@timestamp",
+            "readFromDocValues": true,
             "searchable": true,
             "type": "date",
           },
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap b/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap
index a907b64d00cac..40784270e6c60 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap
@@ -676,7 +676,7 @@ exports[`AlertSummaryView Behavior event code renders additional summary rows 1`
                   <div
                     data-test-subj="more-actions-source.ip"
                     field="source.ip"
-                    items="[object Object]"
+                    items="[object Object],[object Object]"
                     value="185.156.74.3"
                   >
                     Overflow button
@@ -1368,7 +1368,7 @@ exports[`AlertSummaryView Memory event code renders additional summary rows 1`]
                   <div
                     data-test-subj="more-actions-source.ip"
                     field="source.ip"
-                    items="[object Object]"
+                    items="[object Object],[object Object]"
                     value="185.156.74.3"
                   >
                     Overflow button
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/table/field_name_cell.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/table/field_name_cell.tsx
index 327d8d963c75e..74b366ffc1b3e 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/table/field_name_cell.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/table/field_name_cell.tsx
@@ -10,7 +10,7 @@ import { EuiFlexGroup, EuiFlexItem, EuiBadge, EuiText, EuiToolTip } from '@elast
 import { isEmpty } from 'lodash';
 import * as i18n from '../translations';
 import { FieldIcon } from '../../../../../../../../src/plugins/kibana_react/public';
-import { IndexPatternField } from '../../../../../../../../src/plugins/data/public';
+import { DataViewField } from '../../../../../../../../src/plugins/data_views/common';
 import { getExampleText } from '../helpers';
 import { BrowserField } from '../../../containers/source';
 import { EventFieldsData } from '../types';
@@ -20,7 +20,7 @@ export interface FieldNameCellProps {
   data: EventFieldsData;
   field: string;
   fieldFromBrowserField: BrowserField;
-  fieldMapping?: IndexPatternField;
+  fieldMapping?: DataViewField;
   scripted?: boolean;
 }
 export const FieldNameCell = React.memo(
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/table/field_value_cell.test.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/table/field_value_cell.test.tsx
index d703e736d8b61..710cf5fceeb21 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/table/field_value_cell.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/table/field_value_cell.test.tsx
@@ -30,6 +30,7 @@ const hostIpData: EventFieldsData = {
   isObjectArray: false,
   name: 'host.ip',
   originalValue: ['127.0.0.1', '::1', '10.1.2.3', '2001:0DB8:AC10:FE01::'],
+  readFromDocValues: false,
   searchable: true,
   type: 'ip',
   values: ['127.0.0.1', '::1', '10.1.2.3', '2001:0DB8:AC10:FE01::'],
@@ -101,6 +102,7 @@ describe('FieldValueCell', () => {
       isObjectArray: false,
       name: 'message',
       originalValue: ['Endpoint network event'],
+      readFromDocValues: false,
       searchable: true,
       type: 'string',
       values: ['Endpoint network event'],
@@ -117,6 +119,7 @@ describe('FieldValueCell', () => {
       format: '',
       indexes: ['auditbeat-*', 'filebeat-*', 'logs-*', 'winlogbeat-*'],
       name: 'message',
+      readFromDocValues: false,
       searchable: true,
       type: 'string',
     };
@@ -156,6 +159,7 @@ describe('FieldValueCell', () => {
       format: '',
       indexes: ['auditbeat-*', 'filebeat-*', 'logs-*', 'winlogbeat-*'],
       name: 'host.ip',
+      readFromDocValues: false,
       searchable: true,
       type: 'ip',
     };
diff --git a/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.test.tsx b/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.test.tsx
index 7b7a1ead5d702..a611d140f61d1 100644
--- a/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.test.tsx
@@ -16,8 +16,12 @@ import { mockEventViewerResponse, mockEventViewerResponseWithEvents } from './mo
 import { StatefulEventsViewer } from '.';
 import { EventsViewer } from './events_viewer';
 import { defaultHeaders } from './default_headers';
-import { useSourcererScope } from '../../containers/sourcerer';
-import { mockBrowserFields, mockDocValueFields } from '../../containers/source/mock';
+import { useSourcererDataView } from '../../containers/sourcerer';
+import {
+  mockBrowserFields,
+  mockDocValueFields,
+  mockRuntimeMappings,
+} from '../../containers/source/mock';
 import { eventsDefaultModel } from './default_model';
 import { useMountAppended } from '../../utils/use_mount_appended';
 import { inputsModel } from '../../store/inputs';
@@ -91,7 +95,7 @@ jest.mock('../../../timelines/containers', () => ({
 
 jest.mock('../../components/url_state/normalize_time_range.ts');
 
-const mockUseSourcererScope: jest.Mock = useSourcererScope as jest.Mock;
+const mockUseSourcererDataView: jest.Mock = useSourcererDataView as jest.Mock;
 jest.mock('../../containers/sourcerer');
 
 const mockUseResizeObserver: jest.Mock = useResizeObserver as jest.Mock;
@@ -107,6 +111,7 @@ const to = '2019-08-27T22:10:56.794Z';
 const defaultMocks = {
   browserFields: mockBrowserFields,
   docValueFields: mockDocValueFields,
+  runtimeMappings: mockRuntimeMappings,
   indexPattern: mockIndexPattern,
   loading: false,
   selectedPatterns: mockIndexNames,
@@ -139,6 +144,7 @@ const eventsViewerDefaultProps = {
   },
   renderCellValue: DefaultCellRenderer,
   rowRenderers: defaultRowRenderers,
+  runtimeMappings: {},
   start: from,
   sort: [
     {
@@ -169,7 +175,7 @@ describe('EventsViewer', () => {
     mockUseTimelineEvents.mockReset();
   });
   beforeAll(() => {
-    mockUseSourcererScope.mockImplementation(() => defaultMocks);
+    mockUseSourcererDataView.mockImplementation(() => defaultMocks);
   });
 
   describe('event details', () => {
@@ -278,7 +284,7 @@ describe('EventsViewer', () => {
 
   describe('loading', () => {
     beforeAll(() => {
-      mockUseSourcererScope.mockImplementation(() => ({ ...defaultMocks, loading: true }));
+      mockUseSourcererDataView.mockImplementation(() => ({ ...defaultMocks, loading: true }));
     });
     beforeEach(() => {
       mockUseTimelineEvents.mockReturnValue([false, mockEventViewerResponse]);
diff --git a/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.tsx b/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.tsx
index fd644d1380ddb..5a3aa2e6dc38a 100644
--- a/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.tsx
@@ -11,6 +11,8 @@ import styled from 'styled-components';
 import deepEqual from 'fast-deep-equal';
 
 import { useDispatch } from 'react-redux';
+import { DataViewBase, Filter, Query } from '@kbn/es-query';
+import { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { Direction } from '../../../../common/search_strategy';
 import { BrowserFields, DocValueFields } from '../../containers/source';
 import { useTimelineEvents } from '../../../timelines/containers';
@@ -30,12 +32,7 @@ import {
 import { TimelineRefetch } from '../../../timelines/components/timeline/refetch_timeline';
 import { EventDetailsWidthProvider } from './event_details_width_context';
 import * as i18n from './translations';
-import {
-  Filter,
-  esQuery,
-  IIndexPattern,
-  Query,
-} from '../../../../../../../src/plugins/data/public';
+import { esQuery } from '../../../../../../../src/plugins/data/public';
 import { inputsModel } from '../../store';
 import { ExitFullScreen } from '../exit_full_screen';
 import { useGlobalFullScreen } from '../../containers/use_full_screen';
@@ -123,7 +120,7 @@ interface Props {
   headerFilterGroup?: React.ReactNode;
   id: TimelineId;
   indexNames: string[];
-  indexPattern: IIndexPattern;
+  indexPattern: DataViewBase;
   isLive: boolean;
   isLoadingIndexPattern: boolean;
   itemsPerPage: number;
@@ -133,6 +130,7 @@ interface Props {
   onRuleChange?: () => void;
   renderCellValue: (props: CellValueElementProps) => React.ReactNode;
   rowRenderers: RowRenderer[];
+  runtimeMappings: MappingRuntimeFields;
   start: string;
   sort: Sort[];
   showTotalCount?: boolean;
@@ -162,6 +160,7 @@ const EventsViewerComponent: React.FC<Props> = ({
   query,
   renderCellValue,
   rowRenderers,
+  runtimeMappings,
   start,
   sort,
   showTotalCount = true,
@@ -240,6 +239,7 @@ const EventsViewerComponent: React.FC<Props> = ({
       id,
       indexNames,
       limit: itemsPerPage,
+      runtimeMappings,
       sort: sortField,
       startDate: start,
       endDate: end,
diff --git a/x-pack/plugins/security_solution/public/common/components/events_viewer/index.tsx b/x-pack/plugins/security_solution/public/common/components/events_viewer/index.tsx
index 1e61e69180f91..5be966ab64980 100644
--- a/x-pack/plugins/security_solution/public/common/components/events_viewer/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/events_viewer/index.tsx
@@ -22,7 +22,7 @@ import { InspectButtonContainer } from '../inspect';
 import { useGlobalFullScreen } from '../../containers/use_full_screen';
 import { useIsExperimentalFeatureEnabled } from '../../hooks/use_experimental_features';
 import { SourcererScopeName } from '../../store/sourcerer/model';
-import { useSourcererScope } from '../../containers/sourcerer';
+import { useSourcererDataView } from '../../containers/sourcerer';
 import type { EntityType } from '../../../../../timelines/common';
 import { TGridCellAction } from '../../../../../timelines/common/types';
 import { DetailsPanel } from '../../../timelines/components/side_panel';
@@ -117,9 +117,12 @@ const StatefulEventsViewerComponent: React.FC<Props> = ({
     browserFields,
     docValueFields,
     indexPattern,
+    runtimeMappings,
     selectedPatterns,
+    dataViewId: selectedDataViewId,
     loading: isLoadingIndexPattern,
-  } = useSourcererScope(scopeId);
+  } = useSourcererDataView(scopeId);
+
   const { globalFullScreen } = useGlobalFullScreen();
   // TODO: Once we are past experimental phase this code should be removed
   const tGridEnabled = useIsExperimentalFeatureEnabled('tGridEnabled');
@@ -129,14 +132,15 @@ const StatefulEventsViewerComponent: React.FC<Props> = ({
   useEffect(() => {
     if (createTimeline != null) {
       createTimeline({
-        id,
         columns,
+        dataViewId: selectedDataViewId,
         defaultColumns,
         excludedRowRendererIds,
+        id,
         indexNames: selectedPatterns,
-        sort,
         itemsPerPage,
         showCheckboxes,
+        sort,
       });
     }
     return () => {
@@ -206,6 +210,7 @@ const StatefulEventsViewerComponent: React.FC<Props> = ({
               query,
               renderCellValue,
               rowRenderers,
+              runtimeMappings,
               setQuery,
               sort,
               start,
@@ -235,6 +240,7 @@ const StatefulEventsViewerComponent: React.FC<Props> = ({
               onRuleChange={onRuleChange}
               renderCellValue={renderCellValue}
               rowRenderers={rowRenderers}
+              runtimeMappings={runtimeMappings}
               start={start}
               sort={sort}
               showTotalCount={isEmpty(graphEventId) ? true : false}
@@ -249,6 +255,7 @@ const StatefulEventsViewerComponent: React.FC<Props> = ({
         entityType={entityType}
         docValueFields={docValueFields}
         isFlyoutView
+        runtimeMappings={runtimeMappings}
         timelineId={id}
       />
     </>
diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx
index a90ec21f992f8..37f250ffd2d4d 100644
--- a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx
@@ -42,13 +42,13 @@ import { getCommentsArrayMock } from '../../../../../lists/common/schemas/types/
 import { fields } from '../../../../../../../src/plugins/data/common/mocks';
 import { ENTRIES, OLD_DATE_RELATIVE_TO_DATE_NOW } from '../../../../../lists/common/constants.mock';
 import { CodeSignature } from '../../../../common/ecs/file';
-import { IndexPatternBase } from '@kbn/es-query';
+import { DataViewBase } from '@kbn/es-query';
 
 jest.mock('uuid', () => ({
   v4: jest.fn().mockReturnValue('123'),
 }));
 
-const getMockIndexPattern = (): IndexPatternBase => ({
+const getMockIndexPattern = (): DataViewBase => ({
   fields,
   id: '1234',
   title: 'logstash-*',
@@ -364,7 +364,7 @@ describe('Exception helpers', () => {
           name: 'nested.field',
         },
       ],
-    } as IndexPatternBase;
+    } as DataViewBase;
 
     test('it should return false with an empty array', () => {
       const payload: ExceptionListItemSchema[] = [];
diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx
index 58da977fcb8f0..e14c151ed367c 100644
--- a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx
@@ -33,7 +33,7 @@ import {
   addIdToEntries,
   ExceptionsBuilderExceptionItem,
 } from '@kbn/securitysolution-list-utils';
-import { IndexPatternBase } from '@kbn/es-query';
+import { DataViewBase } from '@kbn/es-query';
 import * as i18n from './translations';
 import { AlertData, Flattened } from './types';
 
@@ -46,10 +46,10 @@ import exceptionableEndpointFields from './exceptionable_endpoint_fields.json';
 import exceptionableEndpointEventFields from './exceptionable_endpoint_event_fields.json';
 
 export const filterIndexPatterns = (
-  patterns: IndexPatternBase,
+  patterns: DataViewBase,
   type: ExceptionListType,
   osTypes?: OsTypeArray
-): IndexPatternBase => {
+): DataViewBase => {
   switch (type) {
     case 'endpoint':
       const osFilterForEndpoint: (name: string) => boolean = osTypes?.includes('linux')
@@ -752,7 +752,7 @@ export const getPrepopulatedBehaviorException = ({
  */
 export const entryHasNonEcsType = (
   exceptionItems: Array<ExceptionListItemSchema | CreateExceptionListItemSchema>,
-  indexPatterns: IndexPatternBase
+  indexPatterns: DataViewBase
 ): boolean => {
   const doesFieldNameExist = (exceptionEntry: Entry): boolean => {
     return indexPatterns.fields.some(({ name }) => name === exceptionEntry.field);
diff --git a/x-pack/plugins/security_solution/public/common/components/hover_actions/actions/show_top_n.tsx b/x-pack/plugins/security_solution/public/common/components/hover_actions/actions/show_top_n.tsx
index 738103f02dcdf..40b978cfe20fb 100644
--- a/x-pack/plugins/security_solution/public/common/components/hover_actions/actions/show_top_n.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/hover_actions/actions/show_top_n.tsx
@@ -17,7 +17,7 @@ import { i18n } from '@kbn/i18n';
 import { StatefulTopN } from '../../top_n';
 import { TimelineId } from '../../../../../common/types/timeline';
 import { SourcererScopeName } from '../../../store/sourcerer/model';
-import { useSourcererScope } from '../../../containers/sourcerer';
+import { useSourcererDataView } from '../../../containers/sourcerer';
 import { TooltipWithKeyboardShortcut } from '../../accessibility';
 import { getAdditionalScreenReaderOnlyContext } from '../utils';
 import { SHOW_TOP_N_KEYBOARD_SHORTCUT } from '../keyboard_shortcut_constants';
@@ -85,7 +85,8 @@ export const ShowTopNButton: React.FC<Props> = React.memo(
           )
         ? SourcererScopeName.detections
         : SourcererScopeName.default;
-    const { browserFields, indexPattern } = useSourcererScope(activeScope);
+    const { browserFields, indexPattern } = useSourcererDataView(activeScope);
+
     const icon = iconType ?? 'visBarVertical';
     const side = iconSide ?? 'left';
     const buttonTitle = title ?? SHOW_TOP(field);
diff --git a/x-pack/plugins/security_solution/public/common/components/hover_actions/use_hover_action_items.test.tsx b/x-pack/plugins/security_solution/public/common/components/hover_actions/use_hover_action_items.test.tsx
index 0abcbefc71954..1f6436f59602c 100644
--- a/x-pack/plugins/security_solution/public/common/components/hover_actions/use_hover_action_items.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/hover_actions/use_hover_action_items.test.tsx
@@ -13,7 +13,7 @@ import { DataProvider } from '../../../../common/types/timeline';
 jest.mock('../../lib/kibana');
 jest.mock('../../hooks/use_selector');
 jest.mock('../../containers/sourcerer', () => ({
-  useSourcererScope: jest.fn().mockReturnValue({ browserFields: {} }),
+  useSourcererDataView: jest.fn().mockReturnValue({ browserFields: {} }),
 }));
 
 describe('useHoverActionItems', () => {
diff --git a/x-pack/plugins/security_solution/public/common/components/hover_actions/use_hover_action_items.tsx b/x-pack/plugins/security_solution/public/common/components/hover_actions/use_hover_action_items.tsx
index 61cef7930a3a5..44321d6846769 100644
--- a/x-pack/plugins/security_solution/public/common/components/hover_actions/use_hover_action_items.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/hover_actions/use_hover_action_items.tsx
@@ -17,7 +17,7 @@ import { allowTopN } from '../drag_and_drop/helpers';
 import { useDeepEqualSelector } from '../../hooks/use_selector';
 import { ColumnHeaderOptions, DataProvider, TimelineId } from '../../../../common/types/timeline';
 import { SourcererScopeName } from '../../store/sourcerer/model';
-import { useSourcererScope } from '../../containers/sourcerer';
+import { useSourcererDataView } from '../../containers/sourcerer';
 import { timelineSelectors } from '../../../timelines/store/timeline';
 import { ShowTopNButton } from './actions/show_top_n';
 import { FilterManager } from '../../../../../../../src/plugins/data/public';
@@ -116,7 +116,7 @@ export const useHoverActionItems = ({
         )
       ? SourcererScopeName.detections
       : SourcererScopeName.default;
-  const { browserFields } = useSourcererScope(activeScope);
+  const { browserFields } = useSourcererDataView(activeScope);
 
   /*
    * In the case of `DisableOverflowButton`, we show filters only when topN is NOT opened. As after topN button is clicked, the chart panel replace current hover actions in the hover actions' popover, so we have to hide all the actions.
diff --git a/x-pack/plugins/security_solution/public/common/components/navigation/helpers.ts b/x-pack/plugins/security_solution/public/common/components/navigation/helpers.ts
index 2674150ff5d1c..610a3c086fc2c 100644
--- a/x-pack/plugins/security_solution/public/common/components/navigation/helpers.ts
+++ b/x-pack/plugins/security_solution/public/common/components/navigation/helpers.ts
@@ -20,7 +20,7 @@ import {
 import { Query, Filter } from '../../../../../../../src/plugins/data/public';
 
 import { SearchNavTab } from './types';
-import { SourcererScopePatterns } from '../../store/sourcerer/model';
+import { SourcererUrlState } from '../../store/sourcerer/model';
 
 export const getSearch = (tab: SearchNavTab, urlState: UrlState): string => {
   if (tab && tab.urlKey != null && !isAdministration(tab.urlKey)) {
@@ -29,7 +29,7 @@ export const getSearch = (tab: SearchNavTab, urlState: UrlState): string => {
         let urlStateToReplace:
           | Filter[]
           | Query
-          | SourcererScopePatterns
+          | SourcererUrlState
           | TimelineUrl
           | UrlInputsModel
           | string = '';
diff --git a/x-pack/plugins/security_solution/public/common/components/navigation/tab_navigation/types.ts b/x-pack/plugins/security_solution/public/common/components/navigation/tab_navigation/types.ts
index c99d50698db2b..9a066037b2768 100644
--- a/x-pack/plugins/security_solution/public/common/components/navigation/tab_navigation/types.ts
+++ b/x-pack/plugins/security_solution/public/common/components/navigation/tab_navigation/types.ts
@@ -7,7 +7,7 @@
 
 import { UrlInputsModel } from '../../../store/inputs/model';
 import { CONSTANTS } from '../../url_state/constants';
-import { SourcererScopePatterns } from '../../../store/sourcerer/model';
+import { SourcererUrlState } from '../../../store/sourcerer/model';
 import { TimelineUrl } from '../../../../timelines/store/timeline/model';
 import { Filter, Query } from '../../../../../../../../src/plugins/data/public';
 
@@ -21,7 +21,7 @@ export interface TabNavigationProps extends SecuritySolutionTabNavigationProps {
   [CONSTANTS.appQuery]?: Query;
   [CONSTANTS.filters]?: Filter[];
   [CONSTANTS.savedQuery]?: string;
-  [CONSTANTS.sourcerer]: SourcererScopePatterns;
+  [CONSTANTS.sourcerer]: SourcererUrlState;
   [CONSTANTS.timerange]: UrlInputsModel;
   [CONSTANTS.timeline]: TimelineUrl;
 }
diff --git a/x-pack/plugins/security_solution/public/common/components/query_bar/index.tsx b/x-pack/plugins/security_solution/public/common/components/query_bar/index.tsx
index f8738d827e73f..253f2c3862e0c 100644
--- a/x-pack/plugins/security_solution/public/common/components/query_bar/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/query_bar/index.tsx
@@ -8,11 +8,9 @@
 import React, { memo, useMemo, useCallback } from 'react';
 import deepEqual from 'fast-deep-equal';
 
+import { DataViewBase, Filter, Query } from '@kbn/es-query';
 import {
-  Filter,
-  IIndexPattern,
   FilterManager,
-  Query,
   TimeHistory,
   TimeRange,
   SavedQuery,
@@ -26,7 +24,7 @@ export interface QueryBarComponentProps {
   dateRangeFrom?: string;
   dateRangeTo?: string;
   hideSavedQuery?: boolean;
-  indexPattern: IIndexPattern;
+  indexPattern: DataViewBase;
   isLoading?: boolean;
   isRefreshPaused?: boolean;
   filterQuery: Query;
diff --git a/x-pack/plugins/security_solution/public/common/components/search_bar/index.test.tsx b/x-pack/plugins/security_solution/public/common/components/search_bar/index.test.tsx
index 8f82733314361..749156425bb1b 100644
--- a/x-pack/plugins/security_solution/public/common/components/search_bar/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/search_bar/index.test.tsx
@@ -6,13 +6,42 @@
  */
 
 import React from 'react';
-import { mount } from 'enzyme';
-
+import { render, fireEvent } from '@testing-library/react';
 import { InputsModelId } from '../../store/inputs/constants';
 import { SearchBarComponent } from '.';
 import { TestProviders } from '../../mock';
+import { FilterManager } from '../../../../../../../src/plugins/data/public';
+import { coreMock } from '../../../../../../../src/core/public/mocks';
 
-jest.mock('../../lib/kibana');
+const mockFilterManager = new FilterManager(coreMock.createStart().uiSettings);
+jest.mock('../../lib/kibana', () => {
+  const original = jest.requireActual('../../lib/kibana');
+  return {
+    useKibana: () => ({
+      services: {
+        ...original.useKibana().services,
+        data: {
+          ...original.useKibana().services.data,
+          query: {
+            ...original.useKibana().services.data.query,
+            filterManager: mockFilterManager,
+          },
+          ui: {
+            SearchBar: jest.fn().mockImplementation((props) => (
+              <button
+                data-test-subj="querySubmitButton"
+                onClick={() => props.onQuerySubmit({ dateRange: { from: 'now', to: 'now' } })}
+                type="button"
+              >
+                {'Hello world'}
+              </button>
+            )),
+          },
+        },
+      },
+    }),
+  };
+});
 
 describe('SearchBarComponent', () => {
   const props = {
@@ -37,9 +66,38 @@ describe('SearchBarComponent', () => {
     savedQuery: undefined,
   };
 
+  const pollForSignalIndex = jest.fn();
+  beforeEach(() => {
+    jest.resetAllMocks();
+  });
+
   it('calls setSearchBarFilter on mount', () => {
-    mount(<SearchBarComponent {...props} />, { wrappingComponent: TestProviders });
+    render(
+      <TestProviders>
+        <SearchBarComponent {...props} />
+      </TestProviders>
+    );
 
     expect(props.setSearchBarFilter).toHaveBeenCalled();
   });
+
+  it('calls pollForSignalIndex on Refresh button click', () => {
+    const { getByTestId } = render(
+      <TestProviders>
+        <SearchBarComponent {...props} pollForSignalIndex={pollForSignalIndex} />
+      </TestProviders>
+    );
+    fireEvent.click(getByTestId('querySubmitButton'));
+    expect(pollForSignalIndex).toHaveBeenCalled();
+  });
+
+  it('does not call pollForSignalIndex on Refresh button click if pollForSignalIndex not passed', () => {
+    const { getByTestId } = render(
+      <TestProviders>
+        <SearchBarComponent {...props} />
+      </TestProviders>
+    );
+    fireEvent.click(getByTestId('querySubmitButton'));
+    expect(pollForSignalIndex).not.toHaveBeenCalled();
+  });
 });
diff --git a/x-pack/plugins/security_solution/public/common/components/search_bar/index.tsx b/x-pack/plugins/security_solution/public/common/components/search_bar/index.tsx
index baaffdf239dc8..9531443e98514 100644
--- a/x-pack/plugins/security_solution/public/common/components/search_bar/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/search_bar/index.tsx
@@ -13,14 +13,9 @@ import { Dispatch } from 'redux';
 import { Subscription } from 'rxjs';
 import styled from 'styled-components';
 import deepEqual from 'fast-deep-equal';
-import {
-  FilterManager,
-  IIndexPattern,
-  TimeRange,
-  Query,
-  Filter,
-  SavedQuery,
-} from 'src/plugins/data/public';
+
+import { DataViewBase, Filter, Query } from '@kbn/es-query';
+import { FilterManager, TimeRange, SavedQuery } from 'src/plugins/data/public';
 
 import { OnTimeChangeProps } from '@elastic/eui';
 
@@ -48,7 +43,8 @@ const APP_STATE_STORAGE_KEY = 'securitySolution.searchBar.appState';
 
 interface SiemSearchBarProps {
   id: InputsModelId;
-  indexPattern: IIndexPattern;
+  indexPattern: DataViewBase;
+  pollForSignalIndex?: () => void;
   timelineId?: string;
   dataTestSubj?: string;
 }
@@ -67,6 +63,7 @@ export const SearchBarComponent = memo<SiemSearchBarProps & PropsFromRedux>(
     id,
     indexPattern,
     isLoading = false,
+    pollForSignalIndex,
     queries,
     savedQuery,
     setSavedQuery,
@@ -100,6 +97,11 @@ export const SearchBarComponent = memo<SiemSearchBarProps & PropsFromRedux>(
 
     const onQuerySubmit = useCallback(
       (payload: { dateRange: TimeRange; query?: Query }) => {
+        // if the function is there, call it to check if the signals index exists yet
+        // in order to update the index fields
+        if (pollForSignalIndex != null) {
+          pollForSignalIndex();
+        }
         const isQuickSelection =
           payload.dateRange.from.includes('now') || payload.dateRange.to.includes('now');
         let updateSearchBar: UpdateReduxSearchBar = {
@@ -144,7 +146,18 @@ export const SearchBarComponent = memo<SiemSearchBarProps & PropsFromRedux>(
 
         window.setTimeout(() => updateSearch(updateSearchBar), 0);
       },
-      [id, toStr, end, fromStr, start, filterManager, filterQuery, queries, updateSearch]
+      [
+        id,
+        pollForSignalIndex,
+        toStr,
+        end,
+        fromStr,
+        start,
+        filterManager,
+        filterQuery,
+        queries,
+        updateSearch,
+      ]
     );
 
     const onRefresh = useCallback(
diff --git a/x-pack/plugins/security_solution/public/common/components/sourcerer/index.test.tsx b/x-pack/plugins/security_solution/public/common/components/sourcerer/index.test.tsx
index 591cba6b19381..1b23d23c5eb62 100644
--- a/x-pack/plugins/security_solution/public/common/components/sourcerer/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/sourcerer/index.test.tsx
@@ -6,13 +6,9 @@
  */
 
 import React from 'react';
-import { mount } from 'enzyme';
-import { waitFor } from '@testing-library/react';
-
-import { EuiComboBox, EuiComboBoxOptionOption } from '@elastic/eui';
+import { mount, ReactWrapper } from 'enzyme';
 import { SourcererScopeName } from '../../store/sourcerer/model';
 import { Sourcerer } from './index';
-import { DEFAULT_INDEX_PATTERN } from '../../../../common/constants';
 import { sourcererActions, sourcererModel } from '../../store/sourcerer';
 import {
   createSecuritySolutionStorageMock,
@@ -22,6 +18,7 @@ import {
   TestProviders,
 } from '../../mock';
 import { createStore, State } from '../../store';
+import { EuiSuperSelectOption } from '@elastic/eui/src/components/form/super_select/super_select_control';
 
 const mockDispatch = jest.fn();
 jest.mock('react-redux', () => {
@@ -49,16 +46,28 @@ const defaultProps = {
 };
 
 describe('Sourcerer component', () => {
-  beforeEach(() => {
-    jest.clearAllMocks();
-    jest.restoreAllMocks();
-  });
   const state: State = mockGlobalState;
+  const { id, patternList, title } = state.sourcerer.defaultDataView;
+  const patternListNoSignals = patternList
+    .filter((p) => p !== state.sourcerer.signalIndexName)
+    .sort();
+  const checkOptionsAndSelections = (wrapper: ReactWrapper, patterns: string[]) => ({
+    availableOptionCount: wrapper.find(`[data-test-subj="sourcerer-combo-option"]`).length,
+    optionsSelected: patterns.every((pattern) =>
+      wrapper
+        .find(`[data-test-subj="sourcerer-combo-box"] span[title="${pattern}"]`)
+        .first()
+        .exists()
+    ),
+  });
+
   const { storage } = createSecuritySolutionStorageMock();
   let store = createStore(state, SUB_PLUGINS_REDUCER, kibanaObservable, storage);
 
   beforeEach(() => {
     store = createStore(state, SUB_PLUGINS_REDUCER, kibanaObservable, storage);
+    jest.clearAllMocks();
+    jest.restoreAllMocks();
   });
 
   it('renders tooltip', () => {
@@ -99,20 +108,145 @@ describe('Sourcerer component', () => {
     );
     wrapper.find(`[data-test-subj="sourcerer-trigger"]`).first().simulate('click');
     expect(
-      wrapper.find(`[data-test-subj="indexPattern-switcher"]`).first().prop('selectedOptions')
-    ).toEqual(mockOptions);
+      wrapper.find(`[data-test-subj="sourcerer-combo-box"]`).first().prop('selectedOptions')
+    ).toEqual(
+      patternListNoSignals.map((p) => ({
+        label: p,
+        value: p,
+      }))
+    );
+  });
+  it('Removes duplicate options from title', () => {
+    store = createStore(
+      {
+        ...state,
+        sourcerer: {
+          ...state.sourcerer,
+          defaultDataView: {
+            ...state.sourcerer.defaultDataView,
+            id: '1234',
+            title: 'filebeat-*,auditbeat-*,auditbeat-*,auditbeat-*,auditbeat-*',
+            patternList: ['filebeat-*', 'auditbeat-*'],
+          },
+          kibanaDataViews: [
+            {
+              ...state.sourcerer.defaultDataView,
+              id: '1234',
+              title: 'filebeat-*,auditbeat-*,auditbeat-*,auditbeat-*,auditbeat-*',
+              patternList: ['filebeat-*', 'auditbeat-*'],
+            },
+          ],
+          sourcererScopes: {
+            ...state.sourcerer.sourcererScopes,
+            [SourcererScopeName.default]: {
+              ...mockGlobalState.sourcerer.sourcererScopes[SourcererScopeName.default],
+              loading: false,
+              selectedDataViewId: '1234',
+              selectedPatterns: ['filebeat-*'],
+            },
+          },
+        },
+      },
+      SUB_PLUGINS_REDUCER,
+      kibanaObservable,
+      storage
+    );
+    const wrapper = mount(
+      <TestProviders store={store}>
+        <Sourcerer {...defaultProps} />
+      </TestProviders>
+    );
+    wrapper.find(`[data-test-subj="sourcerer-trigger"]`).first().simulate('click');
+    wrapper
+      .find(`[data-test-subj="sourcerer-combo-box"] [data-test-subj="comboBoxToggleListButton"]`)
+      .first()
+      .simulate('click');
+    const options: Array<EuiSuperSelectOption<string>> = wrapper
+      .find(`[data-test-subj="sourcerer-combo-box"]`)
+      .first()
+      .prop('options');
+    expect(options.length).toEqual(2);
+  });
+  it('Disables options with no data', () => {
+    store = createStore(
+      {
+        ...state,
+        sourcerer: {
+          ...state.sourcerer,
+          defaultDataView: {
+            ...state.sourcerer.defaultDataView,
+            id: '1234',
+            title: 'filebeat-*,auditbeat-*,fakebeat-*',
+            patternList: ['filebeat-*', 'auditbeat-*'],
+          },
+          kibanaDataViews: [
+            {
+              ...state.sourcerer.defaultDataView,
+              id: '1234',
+              title: 'filebeat-*,auditbeat-*,fakebeat-*',
+              patternList: ['filebeat-*', 'auditbeat-*'],
+            },
+          ],
+          sourcererScopes: {
+            ...state.sourcerer.sourcererScopes,
+            [SourcererScopeName.default]: {
+              ...mockGlobalState.sourcerer.sourcererScopes[SourcererScopeName.default],
+              loading: false,
+              selectedDataViewId: '1234',
+              selectedPatterns: ['filebeat-*'],
+            },
+          },
+        },
+      },
+      SUB_PLUGINS_REDUCER,
+      kibanaObservable,
+      storage
+    );
+    const wrapper = mount(
+      <TestProviders store={store}>
+        <Sourcerer {...defaultProps} />
+      </TestProviders>
+    );
+    wrapper.find(`[data-test-subj="sourcerer-trigger"]`).first().simulate('click');
+    wrapper
+      .find(`[data-test-subj="sourcerer-combo-box"] [data-test-subj="comboBoxToggleListButton"]`)
+      .first()
+      .simulate('click');
+    const options: Array<EuiSuperSelectOption<string>> = wrapper
+      .find(`[data-test-subj="sourcerer-combo-box"]`)
+      .first()
+      .prop('options');
+    const disabledOption = options.find((o) => o.disabled);
+    expect(disabledOption?.value).toEqual('fakebeat-*');
   });
-  it('Mounts with some options selected', () => {
+  it('Mounts with multiple options selected - default', () => {
     const state2 = {
       ...mockGlobalState,
       sourcerer: {
         ...mockGlobalState.sourcerer,
+        kibanaDataViews: [
+          state.sourcerer.defaultDataView,
+          {
+            ...state.sourcerer.defaultDataView,
+            id: '1234',
+            title: 'auditbeat-*',
+            patternList: ['auditbeat-*'],
+          },
+          {
+            ...state.sourcerer.defaultDataView,
+            id: '12347',
+            title: 'packetbeat-*',
+            patternList: ['packetbeat-*'],
+          },
+        ],
         sourcererScopes: {
           ...mockGlobalState.sourcerer.sourcererScopes,
           [SourcererScopeName.default]: {
             ...mockGlobalState.sourcerer.sourcererScopes[SourcererScopeName.default],
             loading: false,
-            selectedPatterns: [DEFAULT_INDEX_PATTERN[0]],
+            patternList,
+            selectedDataViewId: id,
+            selectedPatterns: patternList.slice(0, 2),
           },
         },
       },
@@ -125,46 +259,84 @@ describe('Sourcerer component', () => {
       </TestProviders>
     );
     wrapper.find(`[data-test-subj="sourcerer-trigger"]`).first().simulate('click');
-    expect(
-      wrapper.find(`[data-test-subj="indexPattern-switcher"]`).first().prop('selectedOptions')
-    ).toEqual([mockOptions[0]]);
+    wrapper.find(`[data-test-subj="comboBoxInput"]`).first().simulate('click');
+    expect(checkOptionsAndSelections(wrapper, patternList.slice(0, 2))).toEqual({
+      // should hide signal index
+      availableOptionCount: title.split(',').length - 3,
+      optionsSelected: true,
+    });
   });
-  it('onChange calls updateSourcererScopeIndices', async () => {
+  it('Mounts with multiple options selected - timeline', () => {
+    const state2 = {
+      ...mockGlobalState,
+      sourcerer: {
+        ...mockGlobalState.sourcerer,
+        kibanaDataViews: [
+          state.sourcerer.defaultDataView,
+          {
+            ...state.sourcerer.defaultDataView,
+            id: '1234',
+            title: 'auditbeat-*',
+            patternList: ['auditbeat-*'],
+          },
+          {
+            ...state.sourcerer.defaultDataView,
+            id: '12347',
+            title: 'packetbeat-*',
+            patternList: ['packetbeat-*'],
+          },
+        ],
+        sourcererScopes: {
+          ...mockGlobalState.sourcerer.sourcererScopes,
+          [SourcererScopeName.timeline]: {
+            ...mockGlobalState.sourcerer.sourcererScopes[SourcererScopeName.timeline],
+            loading: false,
+            patternList,
+            selectedDataViewId: id,
+            selectedPatterns: patternList.slice(0, 2),
+          },
+        },
+      },
+    };
+
+    store = createStore(state2, SUB_PLUGINS_REDUCER, kibanaObservable, storage);
     const wrapper = mount(
       <TestProviders store={store}>
-        <Sourcerer {...defaultProps} />
+        <Sourcerer scope={sourcererModel.SourcererScopeName.timeline} />
       </TestProviders>
     );
     wrapper.find(`[data-test-subj="sourcerer-trigger"]`).first().simulate('click');
-    expect(
-      wrapper.find(`[data-test-subj="sourcerer-popover"]`).first().prop('isOpen')
-    ).toBeTruthy();
-    await waitFor(() => {
-      (
-        wrapper.find(EuiComboBox).props() as unknown as {
-          onChange: (a: EuiComboBoxOptionOption[]) => void;
-        }
-      ).onChange([mockOptions[0], mockOptions[1]]);
-      wrapper.update();
+    wrapper.find(`[data-test-subj="comboBoxInput"]`).first().simulate('click');
+    expect(checkOptionsAndSelections(wrapper, patternList.slice(0, 2))).toEqual({
+      // should show every option except fakebeat-*
+      availableOptionCount: title.split(',').length - 2,
+      optionsSelected: true,
     });
-    wrapper.find(`[data-test-subj="add-index"]`).first().simulate('click');
-    expect(wrapper.find(`[data-test-subj="sourcerer-popover"]`).first().prop('isOpen')).toBeFalsy();
-
-    expect(mockDispatch).toHaveBeenCalledWith(
-      sourcererActions.setSelectedIndexPatterns({
-        id: SourcererScopeName.default,
-        selectedPatterns: [mockOptions[0].value, mockOptions[1].value],
-      })
-    );
   });
-  it('resets to config index patterns', async () => {
+  it('onSave dispatches setSelectedDataView', async () => {
     store = createStore(
       {
         ...state,
         sourcerer: {
           ...state.sourcerer,
-          kibanaIndexPatterns: [{ id: '1234', title: 'auditbeat-*' }],
-          configIndexPatterns: ['packetbeat-*'],
+          kibanaDataViews: [
+            state.sourcerer.defaultDataView,
+            {
+              ...state.sourcerer.defaultDataView,
+              id: '1234',
+              title: 'filebeat-*',
+              patternList: ['filebeat-*'],
+            },
+          ],
+          sourcererScopes: {
+            ...state.sourcerer.sourcererScopes,
+            [SourcererScopeName.default]: {
+              ...mockGlobalState.sourcerer.sourcererScopes[SourcererScopeName.default],
+              loading: false,
+              selectedDataViewId: id,
+              selectedPatterns: patternList.slice(0, 2),
+            },
+          },
         },
       },
       SUB_PLUGINS_REDUCER,
@@ -177,16 +349,60 @@ describe('Sourcerer component', () => {
       </TestProviders>
     );
     wrapper.find(`[data-test-subj="sourcerer-trigger"]`).first().simulate('click');
-    expect(wrapper.find(`[data-test-subj="config-option"]`).first().exists()).toBeFalsy();
+    wrapper.find(`[data-test-subj="comboBoxInput"]`).first().simulate('click');
+    expect(checkOptionsAndSelections(wrapper, patternList.slice(0, 2))).toEqual({
+      availableOptionCount: title.split(',').length - 3,
+      optionsSelected: true,
+    });
+
+    wrapper.find(`[data-test-subj="sourcerer-combo-option"]`).first().simulate('click');
+    expect(checkOptionsAndSelections(wrapper, patternList.slice(0, 3))).toEqual({
+      availableOptionCount: title.split(',').length - 4,
+      optionsSelected: true,
+    });
+    wrapper.find(`[data-test-subj="sourcerer-save"]`).first().simulate('click');
+    expect(wrapper.find(`[data-test-subj="sourcerer-popover"]`).first().prop('isOpen')).toBeFalsy();
+
+    expect(mockDispatch).toHaveBeenCalledWith(
+      sourcererActions.setSelectedDataView({
+        id: SourcererScopeName.default,
+        selectedDataViewId: id,
+        selectedPatterns: patternList.slice(0, 3),
+      })
+    );
+  });
+  it('resets to default index pattern', async () => {
+    const wrapper = mount(
+      <TestProviders store={store}>
+        <Sourcerer {...defaultProps} />
+      </TestProviders>
+    );
+    wrapper.find(`[data-test-subj="sourcerer-trigger"]`).first().simulate('click');
+    wrapper.find(`[data-test-subj="comboBoxInput"]`).first().simulate('click');
+
+    expect(checkOptionsAndSelections(wrapper, patternListNoSignals)).toEqual({
+      availableOptionCount: 1,
+      optionsSelected: true,
+    });
+
     wrapper
       .find(
-        `[data-test-subj="indexPattern-switcher"] [title="packetbeat-*"] button.euiBadge__iconButton`
+        `[data-test-subj="sourcerer-combo-box"] [title="${patternList[0]}"] button.euiBadge__iconButton`
       )
       .first()
       .simulate('click');
-    expect(wrapper.find(`[data-test-subj="config-option"]`).first().exists()).toBeTruthy();
+    expect(
+      checkOptionsAndSelections(wrapper, patternListNoSignals.slice(1, patternListNoSignals.length))
+    ).toEqual({
+      availableOptionCount: 2,
+      optionsSelected: true,
+    });
+
     wrapper.find(`[data-test-subj="sourcerer-reset"]`).first().simulate('click');
-    expect(wrapper.find(`[data-test-subj="config-option"]`).first().exists()).toBeFalsy();
+    expect(checkOptionsAndSelections(wrapper, patternListNoSignals)).toEqual({
+      availableOptionCount: 1,
+      optionsSelected: true,
+    });
   });
   it('disables saving when no index patterns are selected', () => {
     store = createStore(
@@ -194,7 +410,15 @@ describe('Sourcerer component', () => {
         ...state,
         sourcerer: {
           ...state.sourcerer,
-          kibanaIndexPatterns: [{ id: '1234', title: 'auditbeat-*' }],
+          kibanaDataViews: [
+            state.sourcerer.defaultDataView,
+            {
+              ...state.sourcerer.defaultDataView,
+              id: '1234',
+              title: 'auditbeat-*',
+              patternList: ['auditbeat-*'],
+            },
+          ],
         },
       },
       SUB_PLUGINS_REDUCER,
@@ -208,78 +432,152 @@ describe('Sourcerer component', () => {
     );
     wrapper.find('[data-test-subj="sourcerer-trigger"]').first().simulate('click');
     wrapper.find('[data-test-subj="comboBoxClearButton"]').first().simulate('click');
-    expect(wrapper.find('[data-test-subj="add-index"]').first().prop('disabled')).toBeTruthy();
+    expect(wrapper.find('[data-test-subj="sourcerer-save"]').first().prop('disabled')).toBeTruthy();
   });
-  it('returns index pattern options for kibanaIndexPatterns and configIndexPatterns', () => {
-    store = createStore(
-      {
-        ...state,
-        sourcerer: {
-          ...state.sourcerer,
-          kibanaIndexPatterns: [{ id: '1234', title: 'auditbeat-*' }],
-          configIndexPatterns: ['packetbeat-*'],
+  it('Selects a different index pattern', async () => {
+    const state2 = {
+      ...mockGlobalState,
+      sourcerer: {
+        ...mockGlobalState.sourcerer,
+        kibanaDataViews: [
+          state.sourcerer.defaultDataView,
+          {
+            ...state.sourcerer.defaultDataView,
+            id: '1234',
+            title: 'fakebeat-*,neatbeat-*',
+            patternList: ['fakebeat-*'],
+          },
+        ],
+        sourcererScopes: {
+          ...mockGlobalState.sourcerer.sourcererScopes,
+          [SourcererScopeName.default]: {
+            ...mockGlobalState.sourcerer.sourcererScopes[SourcererScopeName.default],
+            loading: false,
+            patternList,
+            selectedDataViewId: id,
+            selectedPatterns: patternList.slice(0, 2),
+          },
         },
       },
-      SUB_PLUGINS_REDUCER,
-      kibanaObservable,
-      storage
-    );
+    };
+
+    store = createStore(state2, SUB_PLUGINS_REDUCER, kibanaObservable, storage);
     const wrapper = mount(
       <TestProviders store={store}>
         <Sourcerer {...defaultProps} />
       </TestProviders>
     );
     wrapper.find(`[data-test-subj="sourcerer-trigger"]`).first().simulate('click');
-    expect(wrapper.find(`[data-test-subj="config-option"]`).first().exists()).toBeFalsy();
-    wrapper
-      .find(
-        `[data-test-subj="indexPattern-switcher"] [title="auditbeat-*"] button.euiBadge__iconButton`
-      )
-      .first()
-      .simulate('click');
-    wrapper.update();
-    expect(wrapper.find(`[data-test-subj="kip-option"]`).first().text()).toEqual(' auditbeat-*');
-    wrapper
-      .find(
-        `[data-test-subj="indexPattern-switcher"] [title="packetbeat-*"] button.euiBadge__iconButton`
-      )
-      .first()
-      .simulate('click');
-    wrapper.update();
-    expect(wrapper.find(`[data-test-subj="config-option"]`).first().text()).toEqual('packetbeat-*');
+    wrapper.find(`button[data-test-subj="sourcerer-select"]`).first().simulate('click');
+
+    wrapper.find(`[data-test-subj="dataView-option-super"]`).first().simulate('click');
+    expect(checkOptionsAndSelections(wrapper, ['fakebeat-*'])).toEqual({
+      availableOptionCount: 0,
+      optionsSelected: true,
+    });
+    wrapper.find(`[data-test-subj="sourcerer-save"]`).first().simulate('click');
+
+    expect(mockDispatch).toHaveBeenCalledWith(
+      sourcererActions.setSelectedDataView({
+        id: SourcererScopeName.default,
+        selectedDataViewId: '1234',
+        selectedPatterns: ['fakebeat-*'],
+      })
+    );
   });
-  it('combines index pattern options for kibanaIndexPatterns and configIndexPatterns', () => {
-    store = createStore(
-      {
-        ...state,
-        sourcerer: {
-          ...state.sourcerer,
-          kibanaIndexPatterns: [
-            { id: '1234', title: 'auditbeat-*' },
-            { id: '5678', title: 'packetbeat-*' },
-          ],
-          configIndexPatterns: ['packetbeat-*'],
+  it('Does display signals index on timeline sourcerer', () => {
+    const state2 = {
+      ...mockGlobalState,
+      sourcerer: {
+        ...mockGlobalState.sourcerer,
+        kibanaDataViews: [
+          state.sourcerer.defaultDataView,
+          {
+            ...state.sourcerer.defaultDataView,
+            id: '1234',
+            title: 'auditbeat-*',
+            patternList: ['auditbeat-*'],
+          },
+          {
+            ...state.sourcerer.defaultDataView,
+            id: '12347',
+            title: 'packetbeat-*',
+            patternList: ['packetbeat-*'],
+          },
+        ],
+        sourcererScopes: {
+          ...mockGlobalState.sourcerer.sourcererScopes,
+          [SourcererScopeName.timeline]: {
+            ...mockGlobalState.sourcerer.sourcererScopes[SourcererScopeName.timeline],
+            loading: false,
+            patternList,
+            selectedDataViewId: id,
+            selectedPatterns: patternList.slice(0, 2),
+          },
         },
       },
-      SUB_PLUGINS_REDUCER,
-      kibanaObservable,
-      storage
+    };
+
+    store = createStore(state2, SUB_PLUGINS_REDUCER, kibanaObservable, storage);
+    const wrapper = mount(
+      <TestProviders store={store}>
+        <Sourcerer scope={sourcererModel.SourcererScopeName.timeline} />
+      </TestProviders>
+    );
+    wrapper.find(`[data-test-subj="sourcerer-trigger"]`).first().simulate('click');
+    wrapper.find(`[data-test-subj="comboBoxToggleListButton"]`).first().simulate('click');
+    expect(wrapper.find(`[data-test-subj="sourcerer-combo-option"]`).at(6).text()).toEqual(
+      mockGlobalState.sourcerer.signalIndexName
     );
+  });
+  it('Does not display signals index on default sourcerer', () => {
+    const state2 = {
+      ...mockGlobalState,
+      sourcerer: {
+        ...mockGlobalState.sourcerer,
+        kibanaDataViews: [
+          state.sourcerer.defaultDataView,
+          {
+            ...state.sourcerer.defaultDataView,
+            id: '1234',
+            title: 'auditbeat-*',
+            patternList: ['auditbeat-*'],
+          },
+          {
+            ...state.sourcerer.defaultDataView,
+            id: '12347',
+            title: 'packetbeat-*',
+            patternList: ['packetbeat-*'],
+          },
+        ],
+        sourcererScopes: {
+          ...mockGlobalState.sourcerer.sourcererScopes,
+          [SourcererScopeName.default]: {
+            ...mockGlobalState.sourcerer.sourcererScopes[SourcererScopeName.default],
+            loading: false,
+            patternList,
+            selectedDataViewId: id,
+            selectedPatterns: patternList.slice(0, 2),
+          },
+        },
+      },
+    };
+
+    store = createStore(state2, SUB_PLUGINS_REDUCER, kibanaObservable, storage);
     const wrapper = mount(
       <TestProviders store={store}>
         <Sourcerer {...defaultProps} />
       </TestProviders>
     );
     wrapper.find(`[data-test-subj="sourcerer-trigger"]`).first().simulate('click');
-    wrapper
-      .find(
-        `[data-test-subj="indexPattern-switcher"] [title="packetbeat-*"] button.euiBadge__iconButton`
-      )
-      .first()
-      .simulate('click');
-    wrapper.update();
+    wrapper.find(`[data-test-subj="comboBoxInput"]`).first().simulate('click');
     expect(
-      wrapper.find(`[title="packetbeat-*"] [data-test-subj="kip-option"]`).first().text()
-    ).toEqual(' packetbeat-*');
+      wrapper
+        .find(
+          `[data-test-subj="sourcerer-combo-box"] span[title="${mockGlobalState.sourcerer.signalIndexName}"]`
+        )
+        .first()
+        .exists()
+    ).toBeFalsy();
   });
 });
diff --git a/x-pack/plugins/security_solution/public/common/components/sourcerer/index.tsx b/x-pack/plugins/security_solution/public/common/components/sourcerer/index.tsx
index 3e922176f9982..6f32282c53040 100644
--- a/x-pack/plugins/security_solution/public/common/components/sourcerer/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/sourcerer/index.tsx
@@ -10,24 +10,26 @@ import {
   EuiButtonEmpty,
   EuiComboBox,
   EuiComboBoxOptionOption,
-  EuiIcon,
   EuiFlexGroup,
   EuiFlexItem,
+  EuiIcon,
   EuiPopover,
   EuiPopoverTitle,
   EuiSpacer,
+  EuiSuperSelect,
   EuiText,
   EuiToolTip,
 } from '@elastic/eui';
 import deepEqual from 'fast-deep-equal';
 import React, { useCallback, useEffect, useMemo, useState } from 'react';
-import { useDispatch, useSelector } from 'react-redux';
+import { useDispatch } from 'react-redux';
 import styled from 'styled-components';
 
 import * as i18n from './translations';
-import { sourcererActions, sourcererModel } from '../../store/sourcerer';
-import { State } from '../../store';
-import { getSourcererScopeSelector, SourcererScopeSelector } from './selectors';
+import { sourcererActions, sourcererModel, sourcererSelectors } from '../../store/sourcerer';
+import { getScopePatternListSelection } from '../../store/sourcerer/helpers';
+import { useDeepEqualSelector } from '../../hooks/use_selector';
+import { SourcererScopeName } from '../../store/sourcerer/model';
 
 const PopoverContent = styled.div`
   width: 600px;
@@ -40,30 +42,77 @@ interface SourcererComponentProps {
   scope: sourcererModel.SourcererScopeName;
 }
 
+const getPatternListWithoutSignals = (
+  patternList: string[],
+  signalIndexName: string | null
+): string[] => patternList.filter((p) => p !== signalIndexName);
+
 export const Sourcerer = React.memo<SourcererComponentProps>(({ scope: scopeId }) => {
   const dispatch = useDispatch();
-  const sourcererScopeSelector = useMemo(getSourcererScopeSelector, []);
-  const { configIndexPatterns, kibanaIndexPatterns, sourcererScope } = useSelector<
-    State,
-    SourcererScopeSelector
-  >((state) => sourcererScopeSelector(state, scopeId), deepEqual);
-  const { selectedPatterns, loading } = sourcererScope;
+  const sourcererScopeSelector = useMemo(() => sourcererSelectors.getSourcererScopeSelector(), []);
+  const {
+    defaultDataView,
+    kibanaDataViews,
+    signalIndexName,
+    sourcererScope: { selectedDataViewId, selectedPatterns, loading },
+  } = useDeepEqualSelector((state) => sourcererScopeSelector(state, scopeId));
+
   const [isPopoverOpen, setPopoverIsOpen] = useState(false);
+
+  const [dataViewId, setDataViewId] = useState<string>(selectedDataViewId ?? defaultDataView.id);
+
+  const { patternList, selectablePatterns } = useMemo(() => {
+    const theDataView = kibanaDataViews.find((dataView) => dataView.id === dataViewId);
+    return theDataView != null
+      ? scopeId === SourcererScopeName.default
+        ? {
+            patternList: getPatternListWithoutSignals(
+              theDataView.title
+                .split(',')
+                // remove duplicates patterns from selector
+                .filter((pattern, i, self) => self.indexOf(pattern) === i),
+              signalIndexName
+            ),
+            selectablePatterns: getPatternListWithoutSignals(
+              theDataView.patternList,
+              signalIndexName
+            ),
+          }
+        : {
+            patternList: theDataView.title
+              .split(',')
+              // remove duplicates patterns from selector
+              .filter((pattern, i, self) => self.indexOf(pattern) === i),
+            selectablePatterns: theDataView.patternList,
+          }
+      : { patternList: [], selectablePatterns: [] };
+  }, [kibanaDataViews, scopeId, signalIndexName, dataViewId]);
+
+  const selectableOptions = useMemo(
+    () =>
+      patternList.map((indexName) => ({
+        label: indexName,
+        value: indexName,
+        disabled: !selectablePatterns.includes(indexName),
+      })),
+    [selectablePatterns, patternList]
+  );
+
   const [selectedOptions, setSelectedOptions] = useState<Array<EuiComboBoxOptionOption<string>>>(
-    selectedPatterns.map((indexSelected) => ({
-      label: indexSelected,
-      value: indexSelected,
+    selectedPatterns.map((indexName) => ({
+      label: indexName,
+      value: indexName,
     }))
   );
   const isSavingDisabled = useMemo(() => selectedOptions.length === 0, [selectedOptions]);
 
   const setPopoverIsOpenCb = useCallback(() => setPopoverIsOpen((prevState) => !prevState), []);
-
-  const onChangeIndexPattern = useCallback(
-    (newSelectedPatterns: string[]) => {
+  const onChangeDataView = useCallback(
+    (newSelectedDataView: string, newSelectedPatterns: string[]) => {
       dispatch(
-        sourcererActions.setSelectedIndexPatterns({
+        sourcererActions.setSelectedDataView({
           id: scopeId,
+          selectedDataViewId: newSelectedDataView,
           selectedPatterns: newSelectedPatterns,
         })
       );
@@ -72,52 +121,55 @@ export const Sourcerer = React.memo<SourcererComponentProps>(({ scope: scopeId }
   );
 
   const renderOption = useCallback(
-    ({ value }) =>
-      kibanaIndexPatterns.some((kip) => kip.title === value) ? (
-        <span data-test-subj="kip-option">
-          <EuiIcon type="logoKibana" size="s" /> {value}
-        </span>
-      ) : (
-        <span data-test-subj="config-option">{value}</span>
-      ),
-    [kibanaIndexPatterns]
+    ({ value }) => <span data-test-subj="sourcerer-combo-option">{value}</span>,
+    []
   );
 
   const onChangeCombo = useCallback((newSelectedOptions) => {
     setSelectedOptions(newSelectedOptions);
   }, []);
 
+  const onChangeSuper = useCallback(
+    (newSelectedOption) => {
+      setDataViewId(newSelectedOption);
+      setSelectedOptions(
+        getScopePatternListSelection(
+          kibanaDataViews.find((dataView) => dataView.id === newSelectedOption),
+          scopeId,
+          signalIndexName,
+          newSelectedOption === defaultDataView.id
+        ).map((indexSelected: string) => ({
+          label: indexSelected,
+          value: indexSelected,
+        }))
+      );
+    },
+    [defaultDataView.id, kibanaDataViews, scopeId, signalIndexName]
+  );
+
   const resetDataSources = useCallback(() => {
+    setDataViewId(defaultDataView.id);
     setSelectedOptions(
-      configIndexPatterns.map((indexSelected) => ({
-        label: indexSelected,
-        value: indexSelected,
-      }))
+      getScopePatternListSelection(defaultDataView, scopeId, signalIndexName, true).map(
+        (indexSelected: string) => ({
+          label: indexSelected,
+          value: indexSelected,
+        })
+      )
     );
-  }, [configIndexPatterns]);
+  }, [defaultDataView, scopeId, signalIndexName]);
 
   const handleSaveIndices = useCallback(() => {
-    onChangeIndexPattern(selectedOptions.map((so) => so.label));
+    onChangeDataView(
+      dataViewId,
+      selectedOptions.map((so) => so.label)
+    );
     setPopoverIsOpen(false);
-  }, [onChangeIndexPattern, selectedOptions]);
+  }, [onChangeDataView, dataViewId, selectedOptions]);
 
   const handleClosePopOver = useCallback(() => {
     setPopoverIsOpen(false);
   }, []);
-
-  const indexesPatternOptions = useMemo(
-    () =>
-      [...configIndexPatterns, ...kibanaIndexPatterns.map((kip) => kip.title)].reduce<
-        Array<EuiComboBoxOptionOption<string>>
-      >((acc, index) => {
-        if (index != null && !acc.some((o) => o.label.includes(index))) {
-          return [...acc, { label: index, value: index }];
-        }
-        return acc;
-      }, []),
-    [configIndexPatterns, kibanaIndexPatterns]
-  );
-
   const trigger = useMemo(
     () => (
       <EuiButtonEmpty
@@ -136,37 +188,43 @@ export const Sourcerer = React.memo<SourcererComponentProps>(({ scope: scopeId }
     [setPopoverIsOpenCb, loading]
   );
 
-  const comboBox = useMemo(
-    () => (
-      <EuiComboBox
-        data-test-subj="indexPattern-switcher"
-        placeholder={i18n.PICK_INDEX_PATTERNS}
-        fullWidth
-        options={indexesPatternOptions}
-        selectedOptions={selectedOptions}
-        onChange={onChangeCombo}
-        renderOption={renderOption}
-      />
-    ),
-    [indexesPatternOptions, onChangeCombo, renderOption, selectedOptions]
+  const dataViewSelectOptions = useMemo(
+    () =>
+      kibanaDataViews.map(({ title, id }) => ({
+        inputDisplay:
+          id === defaultDataView.id ? (
+            <span data-test-subj="security-option-super">
+              <EuiIcon type="logoSecurity" size="s" /> {i18n.SIEM_DATA_VIEW_LABEL}
+            </span>
+          ) : (
+            <span data-test-subj="dataView-option-super">
+              <EuiIcon type="logoKibana" size="s" /> {title}
+            </span>
+          ),
+        value: id,
+      })),
+    [defaultDataView.id, kibanaDataViews]
   );
 
   useEffect(() => {
-    const newSelecteOptions = selectedPatterns.map((indexSelected) => ({
-      label: indexSelected,
-      value: indexSelected,
-    }));
-    setSelectedOptions((prevSelectedOptions) => {
-      if (!deepEqual(newSelecteOptions, prevSelectedOptions)) {
-        return newSelecteOptions;
-      }
-      return prevSelectedOptions;
-    });
+    setDataViewId((prevSelectedOption) =>
+      selectedDataViewId != null && !deepEqual(selectedDataViewId, prevSelectedOption)
+        ? selectedDataViewId
+        : prevSelectedOption
+    );
+  }, [selectedDataViewId]);
+  useEffect(() => {
+    setSelectedOptions(
+      selectedPatterns.map((indexName) => ({
+        label: indexName,
+        value: indexName,
+      }))
+    );
   }, [selectedPatterns]);
 
   const tooltipContent = useMemo(
-    () => (isPopoverOpen ? null : sourcererScope.selectedPatterns.sort().join(', ')),
-    [isPopoverOpen, sourcererScope.selectedPatterns]
+    () => (isPopoverOpen ? null : selectedPatterns.join(', ')),
+    [selectedPatterns, isPopoverOpen]
   );
 
   const buttonWithTooptip = useMemo(() => {
@@ -196,7 +254,24 @@ export const Sourcerer = React.memo<SourcererComponentProps>(({ scope: scopeId }
         <EuiSpacer size="s" />
         <EuiText color="default">{i18n.INDEX_PATTERNS_SELECTION_LABEL}</EuiText>
         <EuiSpacer size="xs" />
-        {comboBox}
+        <EuiSuperSelect
+          data-test-subj="sourcerer-select"
+          placeholder={i18n.PICK_INDEX_PATTERNS}
+          fullWidth
+          options={dataViewSelectOptions}
+          valueOfSelected={dataViewId}
+          onChange={onChangeSuper}
+        />
+        <EuiSpacer size="xs" />
+        <EuiComboBox
+          data-test-subj="sourcerer-combo-box"
+          fullWidth
+          onChange={onChangeCombo}
+          options={selectableOptions}
+          placeholder={i18n.PICK_INDEX_PATTERNS}
+          renderOption={renderOption}
+          selectedOptions={selectedOptions}
+        />
         <EuiSpacer size="s" />
         <EuiFlexGroup alignItems="center" justifyContent="spaceBetween">
           <EuiFlexItem>
@@ -214,7 +289,7 @@ export const Sourcerer = React.memo<SourcererComponentProps>(({ scope: scopeId }
             <EuiButton
               onClick={handleSaveIndices}
               disabled={isSavingDisabled}
-              data-test-subj="add-index"
+              data-test-subj="sourcerer-save"
               fill
               fullWidth
               size="s"
diff --git a/x-pack/plugins/security_solution/public/common/components/sourcerer/selectors.tsx b/x-pack/plugins/security_solution/public/common/components/sourcerer/selectors.tsx
deleted file mode 100644
index 13cf6fff4a5c8..0000000000000
--- a/x-pack/plugins/security_solution/public/common/components/sourcerer/selectors.tsx
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { State } from '../../store';
-import { sourcererSelectors } from '../../store/sourcerer';
-import { KibanaIndexPatterns, ManageScope, SourcererScopeName } from '../../store/sourcerer/model';
-
-export interface SourcererScopeSelector {
-  configIndexPatterns: string[];
-  kibanaIndexPatterns: KibanaIndexPatterns;
-  sourcererScope: ManageScope;
-}
-
-export const getSourcererScopeSelector = () => {
-  const getKibanaIndexPatternsSelector = sourcererSelectors.kibanaIndexPatternsSelector();
-  const getScopesSelector = sourcererSelectors.scopesSelector();
-  const getConfigIndexPatternsSelector = sourcererSelectors.configIndexPatternsSelector();
-
-  const mapStateToProps = (state: State, scopeId: SourcererScopeName): SourcererScopeSelector => {
-    const kibanaIndexPatterns = getKibanaIndexPatternsSelector(state);
-    const scope = getScopesSelector(state)[scopeId];
-    const configIndexPatterns = getConfigIndexPatternsSelector(state);
-
-    return {
-      kibanaIndexPatterns,
-      configIndexPatterns,
-      sourcererScope: scope,
-    };
-  };
-
-  return mapStateToProps;
-};
diff --git a/x-pack/plugins/security_solution/public/common/components/sourcerer/translations.ts b/x-pack/plugins/security_solution/public/common/components/sourcerer/translations.ts
index 45299afad99d1..03fdc5d191719 100644
--- a/x-pack/plugins/security_solution/public/common/components/sourcerer/translations.ts
+++ b/x-pack/plugins/security_solution/public/common/components/sourcerer/translations.ts
@@ -11,9 +11,12 @@ export const SOURCERER = i18n.translate('xpack.securitySolution.indexPatterns.da
   defaultMessage: 'Data sources',
 });
 
-export const ALL_DEFAULT = i18n.translate('xpack.securitySolution.indexPatterns.allDefault', {
-  defaultMessage: 'All default',
-});
+export const SIEM_DATA_VIEW_LABEL = i18n.translate(
+  'xpack.securitySolution.indexPatterns.kipLabel',
+  {
+    defaultMessage: 'Default Security Data View',
+  }
+);
 
 export const SELECT_INDEX_PATTERNS = i18n.translate('xpack.securitySolution.indexPatterns.help', {
   defaultMessage: 'Data sources selection',
diff --git a/x-pack/plugins/security_solution/public/common/components/threat_match/entry_item.test.tsx b/x-pack/plugins/security_solution/public/common/components/threat_match/entry_item.test.tsx
index 4b153f0c75775..0550ef389585e 100644
--- a/x-pack/plugins/security_solution/public/common/components/threat_match/entry_item.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/threat_match/entry_item.test.tsx
@@ -11,7 +11,7 @@ import { EuiComboBox, EuiComboBoxOptionOption } from '@elastic/eui';
 
 import { EntryItem } from './entry_item';
 import { fields, getField } from '../../../../../../../src/plugins/data/common/mocks';
-import { IndexPattern } from 'src/plugins/data/public';
+import { DataViewBase } from '@kbn/es-query';
 
 jest.mock('../../../common/lib/kibana');
 
@@ -31,7 +31,7 @@ describe('EntryItem', () => {
             id: '1234',
             title: 'logstash-*',
             fields,
-          } as IndexPattern
+          } as DataViewBase
         }
         showLabel={true}
         onChange={jest.fn()}
@@ -40,7 +40,7 @@ describe('EntryItem', () => {
             id: '1234',
             title: 'logstash-*',
             fields,
-          } as IndexPattern
+          } as DataViewBase
         }
       />
     );
@@ -64,14 +64,14 @@ describe('EntryItem', () => {
             id: '1234',
             title: 'logstash-*',
             fields,
-          } as IndexPattern
+          } as DataViewBase
         }
         threatIndexPatterns={
           {
             id: '1234',
             title: 'logstash-*',
             fields,
-          } as IndexPattern
+          } as DataViewBase
         }
         showLabel={false}
         onChange={mockOnChange}
@@ -111,14 +111,14 @@ describe('EntryItem', () => {
             id: '1234',
             title: 'logstash-*',
             fields,
-          } as IndexPattern
+          } as DataViewBase
         }
         threatIndexPatterns={
           {
             id: '1234',
             title: 'logstash-*',
             fields,
-          } as IndexPattern
+          } as DataViewBase
         }
         showLabel={false}
         onChange={mockOnChange}
diff --git a/x-pack/plugins/security_solution/public/common/components/threat_match/entry_item.tsx b/x-pack/plugins/security_solution/public/common/components/threat_match/entry_item.tsx
index 99c5b37046505..777ef2069ff4f 100644
--- a/x-pack/plugins/security_solution/public/common/components/threat_match/entry_item.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/threat_match/entry_item.tsx
@@ -10,16 +10,15 @@ import { EuiFormRow, EuiFlexGroup, EuiFlexItem } from '@elastic/eui';
 import styled from 'styled-components';
 
 import { FieldComponent } from '@kbn/securitysolution-autocomplete';
-import { IndexPatternFieldBase } from '@kbn/es-query';
-import { IndexPattern } from '../../../../../../../src/plugins/data/common';
+import { DataViewBase, DataViewFieldBase } from '@kbn/es-query';
 import { FormattedEntry, Entry } from './types';
 import * as i18n from './translations';
 import { getEntryOnFieldChange, getEntryOnThreatFieldChange } from './helpers';
 
 interface EntryItemProps {
   entry: FormattedEntry;
-  indexPattern: IndexPattern;
-  threatIndexPatterns: IndexPattern;
+  indexPattern: DataViewBase;
+  threatIndexPatterns: DataViewBase;
   showLabel: boolean;
   onChange: (arg: Entry, i: number) => void;
 }
@@ -41,7 +40,7 @@ export const EntryItem: React.FC<EntryItemProps> = ({
   onChange,
 }): JSX.Element => {
   const handleFieldChange = useCallback(
-    ([newField]: IndexPatternFieldBase[]): void => {
+    ([newField]: DataViewFieldBase[]): void => {
       const { updatedEntry, index } = getEntryOnFieldChange(entry, newField);
       onChange(updatedEntry, index);
     },
@@ -49,7 +48,7 @@ export const EntryItem: React.FC<EntryItemProps> = ({
   );
 
   const handleThreatFieldChange = useCallback(
-    ([newField]: IndexPatternFieldBase[]): void => {
+    ([newField]: DataViewFieldBase[]): void => {
       const { updatedEntry, index } = getEntryOnThreatFieldChange(entry, newField);
       onChange(updatedEntry, index);
     },
diff --git a/x-pack/plugins/security_solution/public/common/components/threat_match/helpers.test.tsx b/x-pack/plugins/security_solution/public/common/components/threat_match/helpers.test.tsx
index 0e5f379a18767..9a5051fe0cafb 100644
--- a/x-pack/plugins/security_solution/public/common/components/threat_match/helpers.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/threat_match/helpers.test.tsx
@@ -7,7 +7,8 @@
 
 import { fields, getField } from '../../../../../../../src/plugins/data/common/mocks';
 import { Entry, EmptyEntry, ThreatMapEntries, FormattedEntry } from './types';
-import { FieldSpec, IndexPattern } from '../../../../../../../src/plugins/data/common';
+import { FieldSpec } from '../../../../../../../src/plugins/data/common';
+import { DataViewBase } from '@kbn/es-query';
 import moment from 'moment-timezone';
 
 import {
@@ -24,12 +25,12 @@ jest.mock('uuid', () => ({
   v4: jest.fn().mockReturnValue('123'),
 }));
 
-const getMockIndexPattern = (): IndexPattern =>
+const getMockIndexPattern = (): DataViewBase =>
   ({
     id: '1234',
     title: 'logstash-*',
     fields,
-  } as IndexPattern);
+  } as DataViewBase);
 
 const getMockEntry = (): FormattedEntry => ({
   id: '123',
@@ -51,7 +52,7 @@ describe('Helpers', () => {
 
   describe('#getFormattedEntry', () => {
     test('it returns entry with a value when "item.field" is of type "text" and matching keyword field exists', () => {
-      const payloadIndexPattern: IndexPattern = {
+      const payloadIndexPattern: DataViewBase = {
         ...getMockIndexPattern(),
         fields: [
           ...fields,
@@ -66,7 +67,7 @@ describe('Helpers', () => {
             readFromDocValues: true,
           },
         ],
-      } as IndexPattern;
+      } as DataViewBase;
       const payloadItem: Entry = {
         field: 'machine.os.raw.text',
         type: 'mapping',
@@ -171,7 +172,7 @@ describe('Helpers', () => {
     });
 
     test('it returns formatted entries', () => {
-      const payloadIndexPattern: IndexPattern = getMockIndexPattern();
+      const payloadIndexPattern: DataViewBase = getMockIndexPattern();
       const payloadItems: Entry[] = [
         { field: 'machine.os', type: 'mapping', value: 'machine.os' },
         { field: 'ip', type: 'mapping', value: 'ip' },
diff --git a/x-pack/plugins/security_solution/public/common/components/threat_match/helpers.tsx b/x-pack/plugins/security_solution/public/common/components/threat_match/helpers.tsx
index 3f8e5b1602db8..7b0385ab6902f 100644
--- a/x-pack/plugins/security_solution/public/common/components/threat_match/helpers.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/threat_match/helpers.tsx
@@ -10,8 +10,7 @@ import { i18n } from '@kbn/i18n';
 import { addIdToItem } from '@kbn/securitysolution-utils';
 import { ThreatMap, threatMap, ThreatMapping } from '@kbn/securitysolution-io-ts-alerting-types';
 
-import { IndexPatternFieldBase } from '@kbn/es-query';
-import { IndexPattern } from '../../../../../../../src/plugins/data/common';
+import { DataViewBase, DataViewFieldBase } from '@kbn/es-query';
 import { Entry, FormattedEntry, ThreatMapEntries, EmptyEntry } from './types';
 import { ValidationFunc } from '../../../../../../../src/plugins/es_ui_shared/static/forms/hook_form_lib';
 import { ERROR_CODE } from '../../../../../../../src/plugins/es_ui_shared/static/forms/helpers/field_validators/types';
@@ -19,13 +18,13 @@ import { ERROR_CODE } from '../../../../../../../src/plugins/es_ui_shared/static
 /**
  * Formats the entry into one that is easily usable for the UI.
  *
- * @param patterns IndexPattern containing available fields on rule index
+ * @param patterns DataViewBase containing available fields on rule index
  * @param item item entry
  * @param itemIndex entry index
  */
 export const getFormattedEntry = (
-  indexPattern: IndexPattern,
-  threatIndexPatterns: IndexPattern,
+  indexPattern: DataViewBase,
+  threatIndexPatterns: DataViewBase,
   item: Entry,
   itemIndex: number,
   uuidGen: () => string = uuid.v4
@@ -51,12 +50,12 @@ export const getFormattedEntry = (
 /**
  * Formats the entries to be easily usable for the UI
  *
- * @param patterns IndexPattern containing available fields on rule index
+ * @param patterns DataViewBase containing available fields on rule index
  * @param entries item entries
  */
 export const getFormattedEntries = (
-  indexPattern: IndexPattern,
-  threatIndexPatterns: IndexPattern,
+  indexPattern: DataViewBase,
+  threatIndexPatterns: DataViewBase,
   entries: Entry[]
 ): FormattedEntry[] => {
   return entries.reduce<FormattedEntry[]>((acc, item, index) => {
@@ -91,7 +90,7 @@ export const getUpdatedEntriesOnDelete = (
  */
 export const getEntryOnFieldChange = (
   item: FormattedEntry,
-  newField: IndexPatternFieldBase
+  newField: DataViewFieldBase
 ): { updatedEntry: Entry; index: number } => {
   const { entryIndex } = item;
   return {
@@ -114,7 +113,7 @@ export const getEntryOnFieldChange = (
  */
 export const getEntryOnThreatFieldChange = (
   item: FormattedEntry,
-  newField: IndexPatternFieldBase
+  newField: DataViewFieldBase
 ): { updatedEntry: Entry; index: number } => {
   const { entryIndex } = item;
   return {
diff --git a/x-pack/plugins/security_solution/public/common/components/threat_match/index.test.tsx b/x-pack/plugins/security_solution/public/common/components/threat_match/index.test.tsx
index 872f78d91eebb..e26c889b7e94a 100644
--- a/x-pack/plugins/security_solution/public/common/components/threat_match/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/threat_match/index.test.tsx
@@ -16,7 +16,7 @@ import { useKibana } from '../../../common/lib/kibana';
 
 import { ThreatMatchComponent } from './';
 import { ThreatMapEntries } from './types';
-import { IndexPattern } from 'src/plugins/data/public';
+import { DataViewBase } from '@kbn/es-query';
 import { getMockTheme } from '../../lib/kibana/kibana_react.mock';
 
 const mockTheme = getMockTheme({
@@ -65,14 +65,14 @@ describe('ThreatMatchComponent', () => {
               id: '1234',
               title: 'logstash-*',
               fields,
-            } as IndexPattern
+            } as DataViewBase
           }
           threatIndexPatterns={
             {
               id: '1234',
               title: 'logstash-*',
               fields,
-            } as IndexPattern
+            } as DataViewBase
           }
           onChange={jest.fn()}
         />
@@ -94,14 +94,14 @@ describe('ThreatMatchComponent', () => {
               id: '1234',
               title: 'logstash-*',
               fields,
-            } as IndexPattern
+            } as DataViewBase
           }
           threatIndexPatterns={
             {
               id: '1234',
               title: 'logstash-*',
               fields,
-            } as IndexPattern
+            } as DataViewBase
           }
           onChange={jest.fn()}
         />
@@ -123,14 +123,14 @@ describe('ThreatMatchComponent', () => {
               id: '1234',
               title: 'logstash-*',
               fields,
-            } as IndexPattern
+            } as DataViewBase
           }
           threatIndexPatterns={
             {
               id: '1234',
               title: 'logstash-*',
               fields,
-            } as IndexPattern
+            } as DataViewBase
           }
           onChange={jest.fn()}
         />
@@ -151,14 +151,14 @@ describe('ThreatMatchComponent', () => {
               id: '1234',
               title: 'logstash-*',
               fields,
-            } as IndexPattern
+            } as DataViewBase
           }
           threatIndexPatterns={
             {
               id: '1234',
               title: 'logstash-*',
               fields,
-            } as IndexPattern
+            } as DataViewBase
           }
           onChange={jest.fn()}
         />
@@ -188,14 +188,14 @@ describe('ThreatMatchComponent', () => {
               id: '1234',
               title: 'logstash-*',
               fields,
-            } as IndexPattern
+            } as DataViewBase
           }
           threatIndexPatterns={
             {
               id: '1234',
               title: 'logstash-*',
               fields,
-            } as IndexPattern
+            } as DataViewBase
           }
           onChange={jest.fn()}
         />
@@ -225,14 +225,14 @@ describe('ThreatMatchComponent', () => {
               id: '1234',
               title: 'logstash-*',
               fields,
-            } as IndexPattern
+            } as DataViewBase
           }
           threatIndexPatterns={
             {
               id: '1234',
               title: 'logstash-*',
               fields,
-            } as IndexPattern
+            } as DataViewBase
           }
           onChange={jest.fn()}
         />
@@ -255,14 +255,14 @@ describe('ThreatMatchComponent', () => {
               id: '1234',
               title: 'logstash-*',
               fields,
-            } as IndexPattern
+            } as DataViewBase
           }
           threatIndexPatterns={
             {
               id: '1234',
               title: 'logstash-*',
               fields,
-            } as IndexPattern
+            } as DataViewBase
           }
           onChange={jest.fn()}
         />
@@ -286,14 +286,14 @@ describe('ThreatMatchComponent', () => {
               id: '1234',
               title: 'logstash-*',
               fields,
-            } as IndexPattern
+            } as DataViewBase
           }
           threatIndexPatterns={
             {
               id: '1234',
               title: 'logstash-*',
               fields,
-            } as IndexPattern
+            } as DataViewBase
           }
           onChange={jest.fn()}
         />
diff --git a/x-pack/plugins/security_solution/public/common/components/threat_match/index.tsx b/x-pack/plugins/security_solution/public/common/components/threat_match/index.tsx
index 3e4f0283145e4..5ea17939ed780 100644
--- a/x-pack/plugins/security_solution/public/common/components/threat_match/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/threat_match/index.tsx
@@ -8,10 +8,9 @@
 import React, { useCallback, useEffect, useReducer } from 'react';
 import { EuiFlexGroup, EuiFlexItem } from '@elastic/eui';
 import styled from 'styled-components';
-
+import { DataViewBase } from '@kbn/es-query';
 import { ThreatMapping } from '@kbn/securitysolution-io-ts-alerting-types';
 import { ListItemComponent } from './list_item';
-import { IndexPattern } from '../../../../../../../src/plugins/data/common';
 import { AndOrBadge } from '../and_or_badge';
 import { LogicButtons } from './logic_buttons';
 import { ThreatMapEntries } from './types';
@@ -45,8 +44,8 @@ interface OnChangeProps {
 
 interface ThreatMatchComponentProps {
   listItems: ThreatMapEntries[];
-  indexPatterns: IndexPattern;
-  threatIndexPatterns: IndexPattern;
+  indexPatterns: DataViewBase;
+  threatIndexPatterns: DataViewBase;
   onChange: (arg: OnChangeProps) => void;
 }
 
diff --git a/x-pack/plugins/security_solution/public/common/components/threat_match/list_item.test.tsx b/x-pack/plugins/security_solution/public/common/components/threat_match/list_item.test.tsx
index d6704b3a9cf17..e2325ace26591 100644
--- a/x-pack/plugins/security_solution/public/common/components/threat_match/list_item.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/threat_match/list_item.test.tsx
@@ -14,7 +14,7 @@ import { fields } from '../../../../../../../src/plugins/data/common/mocks';
 
 import { ListItemComponent } from './list_item';
 import { ThreatMapEntries } from './types';
-import { IndexPattern } from 'src/plugins/data/public';
+import { DataViewBase } from '@kbn/es-query';
 import { getMockTheme } from '../../lib/kibana/kibana_react.mock';
 
 const mockTheme = getMockTheme({
@@ -81,14 +81,14 @@ describe('ListItemComponent', () => {
                 id: '1234',
                 title: 'logstash-*',
                 fields,
-              } as IndexPattern
+              } as DataViewBase
             }
             threatIndexPatterns={
               {
                 id: '1234',
                 title: 'logstash-*',
                 fields,
-              } as IndexPattern
+              } as DataViewBase
             }
             andLogicIncluded={true}
             isOnlyItem={false}
@@ -114,7 +114,7 @@ describe('ListItemComponent', () => {
                 id: '1234',
                 title: 'logstash-*',
                 fields,
-              } as IndexPattern
+              } as DataViewBase
             }
             andLogicIncluded={true}
             isOnlyItem={false}
@@ -125,7 +125,7 @@ describe('ListItemComponent', () => {
                 id: '1234',
                 title: 'logstash-*',
                 fields,
-              } as IndexPattern
+              } as DataViewBase
             }
           />
         </ThemeProvider>
@@ -145,14 +145,14 @@ describe('ListItemComponent', () => {
                 id: '1234',
                 title: 'logstash-*',
                 fields,
-              } as IndexPattern
+              } as DataViewBase
             }
             threatIndexPatterns={
               {
                 id: '1234',
                 title: 'logstash-*',
                 fields,
-              } as IndexPattern
+              } as DataViewBase
             }
             andLogicIncluded={true}
             isOnlyItem={false}
@@ -178,14 +178,14 @@ describe('ListItemComponent', () => {
                 id: '1234',
                 title: 'logstash-*',
                 fields,
-              } as IndexPattern
+              } as DataViewBase
             }
             threatIndexPatterns={
               {
                 id: '1234',
                 title: 'logstash-*',
                 fields,
-              } as IndexPattern
+              } as DataViewBase
             }
             andLogicIncluded={false}
             isOnlyItem={false}
@@ -219,14 +219,14 @@ describe('ListItemComponent', () => {
               id: '1234',
               title: 'logstash-*',
               fields,
-            } as IndexPattern
+            } as DataViewBase
           }
           threatIndexPatterns={
             {
               id: '1234',
               title: 'logstash-*',
               fields,
-            } as IndexPattern
+            } as DataViewBase
           }
           andLogicIncluded={false}
           isOnlyItem={true}
@@ -250,14 +250,14 @@ describe('ListItemComponent', () => {
               id: '1234',
               title: 'logstash-*',
               fields,
-            } as IndexPattern
+            } as DataViewBase
           }
           threatIndexPatterns={
             {
               id: '1234',
               title: 'logstash-*',
               fields,
-            } as IndexPattern
+            } as DataViewBase
           }
           andLogicIncluded={false}
           isOnlyItem={false}
@@ -281,14 +281,14 @@ describe('ListItemComponent', () => {
               id: '1234',
               title: 'logstash-*',
               fields,
-            } as IndexPattern
+            } as DataViewBase
           }
           threatIndexPatterns={
             {
               id: '1234',
               title: 'logstash-*',
               fields,
-            } as IndexPattern
+            } as DataViewBase
           }
           andLogicIncluded={false}
           // if entryItemIndex is not 0, wouldn't make sense for
@@ -314,14 +314,14 @@ describe('ListItemComponent', () => {
               id: '1234',
               title: 'logstash-*',
               fields,
-            } as IndexPattern
+            } as DataViewBase
           }
           threatIndexPatterns={
             {
               id: '1234',
               title: 'logstash-*',
               fields,
-            } as IndexPattern
+            } as DataViewBase
           }
           andLogicIncluded={false}
           isOnlyItem={true}
@@ -346,14 +346,14 @@ describe('ListItemComponent', () => {
               id: '1234',
               title: 'logstash-*',
               fields,
-            } as IndexPattern
+            } as DataViewBase
           }
           threatIndexPatterns={
             {
               id: '1234',
               title: 'logstash-*',
               fields,
-            } as IndexPattern
+            } as DataViewBase
           }
           andLogicIncluded={false}
           isOnlyItem={true}
diff --git a/x-pack/plugins/security_solution/public/common/components/threat_match/list_item.tsx b/x-pack/plugins/security_solution/public/common/components/threat_match/list_item.tsx
index eda12ce3b0f5a..e01c28ecb54eb 100644
--- a/x-pack/plugins/security_solution/public/common/components/threat_match/list_item.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/threat_match/list_item.tsx
@@ -9,7 +9,7 @@ import React, { useMemo, useCallback } from 'react';
 import { EuiFlexGroup, EuiFlexItem } from '@elastic/eui';
 import styled from 'styled-components';
 
-import { IndexPattern } from '../../../../../../../src/plugins/data/common';
+import { DataViewBase } from '@kbn/es-query';
 import { getFormattedEntries, getUpdatedEntriesOnDelete } from './helpers';
 import { FormattedEntry, ThreatMapEntries, Entry } from './types';
 import { EntryItem } from './entry_item';
@@ -24,8 +24,8 @@ const MyOverflowContainer = styled(EuiFlexItem)`
 interface ListItemProps {
   listItem: ThreatMapEntries;
   listItemIndex: number;
-  indexPattern: IndexPattern;
-  threatIndexPatterns: IndexPattern;
+  indexPattern: DataViewBase;
+  threatIndexPatterns: DataViewBase;
   andLogicIncluded: boolean;
   isOnlyItem: boolean;
   onDeleteEntryItem: (item: ThreatMapEntries, index: number) => void;
diff --git a/x-pack/plugins/security_solution/public/common/components/threat_match/types.ts b/x-pack/plugins/security_solution/public/common/components/threat_match/types.ts
index 3d3a18b425e01..852e68aa259c8 100644
--- a/x-pack/plugins/security_solution/public/common/components/threat_match/types.ts
+++ b/x-pack/plugins/security_solution/public/common/components/threat_match/types.ts
@@ -5,14 +5,14 @@
  * 2.0.
  */
 
-import { IndexPatternFieldBase } from '@kbn/es-query';
+import { DataViewFieldBase } from '@kbn/es-query';
 import { ThreatMap, ThreatMapEntry } from '@kbn/securitysolution-io-ts-alerting-types';
 
 export interface FormattedEntry {
   id: string;
-  field: IndexPatternFieldBase | undefined;
+  field: DataViewFieldBase | undefined;
   type: 'mapping';
-  value: IndexPatternFieldBase | undefined;
+  value: DataViewFieldBase | undefined;
   entryIndex: number;
 }
 
diff --git a/x-pack/plugins/security_solution/public/common/components/top_n/index.tsx b/x-pack/plugins/security_solution/public/common/components/top_n/index.tsx
index 1eef44d587ed0..ac9acb62c5834 100644
--- a/x-pack/plugins/security_solution/public/common/components/top_n/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/top_n/index.tsx
@@ -8,15 +8,11 @@
 import React, { useMemo } from 'react';
 import { connect, ConnectedProps } from 'react-redux';
 
+import { DataViewBase, Filter, Query } from '@kbn/es-query';
 import { useGlobalTime } from '../../containers/use_global_time';
 import { BrowserFields } from '../../containers/source';
 import { useKibana } from '../../lib/kibana';
-import {
-  esQuery,
-  Filter,
-  Query,
-  IIndexPattern,
-} from '../../../../../../../src/plugins/data/public';
+import { esQuery } from '../../../../../../../src/plugins/data/public';
 import { inputsModel, inputsSelectors, State } from '../../store';
 import { timelineDefaults } from '../../../timelines/store/timeline/defaults';
 import { timelineSelectors } from '../../../timelines/store/timeline';
@@ -77,7 +73,7 @@ const connector = connect(makeMapStateToProps);
 export interface OwnProps {
   browserFields: BrowserFields;
   field: string;
-  indexPattern: IIndexPattern;
+  indexPattern: DataViewBase;
   timelineId?: string;
   toggleTopN: () => void;
   onFilterAdded?: () => void;
diff --git a/x-pack/plugins/security_solution/public/common/components/top_n/selectors.tsx b/x-pack/plugins/security_solution/public/common/components/top_n/selectors.tsx
index f13a85da6baed..de3472b7c455f 100644
--- a/x-pack/plugins/security_solution/public/common/components/top_n/selectors.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/top_n/selectors.tsx
@@ -7,6 +7,7 @@
 
 import { State } from '../../store';
 import { sourcererSelectors } from '../../store/selectors';
+import { SourcererScopeName } from '../../store/sourcerer/model';
 
 export interface IndicesSelector {
   all: string[];
@@ -14,25 +15,17 @@ export interface IndicesSelector {
 }
 
 export const getIndicesSelector = () => {
-  const getkibanaIndexPatternsSelector = sourcererSelectors.kibanaIndexPatternsSelector();
-  const getConfigIndexPatternsSelector = sourcererSelectors.configIndexPatternsSelector();
   const getSignalIndexNameSelector = sourcererSelectors.signalIndexNameSelector();
+  const getScopeSelector = sourcererSelectors.scopeIdSelector();
 
-  const mapStateToProps = (state: State): IndicesSelector => {
-    const rawIndices = new Set(getConfigIndexPatternsSelector(state));
-    const kibanaIndexPatterns = getkibanaIndexPatternsSelector(state);
-    const alertIndexName = getSignalIndexNameSelector(state);
-    kibanaIndexPatterns.forEach(({ title }) => {
-      if (title !== alertIndexName) {
-        rawIndices.add(title);
-      }
-    });
+  return (state: State, scopeId: SourcererScopeName): IndicesSelector => {
+    const signalIndexName = getSignalIndexNameSelector(state);
+    const { selectedPatterns } = getScopeSelector(state, scopeId);
+    const raw: string[] = selectedPatterns.filter((index) => index !== signalIndexName);
 
     return {
-      all: alertIndexName != null ? [...rawIndices, alertIndexName] : [...rawIndices],
-      raw: [...rawIndices],
+      all: signalIndexName != null ? [...raw, signalIndexName] : [...raw],
+      raw,
     };
   };
-
-  return mapStateToProps;
 };
diff --git a/x-pack/plugins/security_solution/public/common/components/top_n/top_n.tsx b/x-pack/plugins/security_solution/public/common/components/top_n/top_n.tsx
index f40ee8670171c..9c99189e1b79e 100644
--- a/x-pack/plugins/security_solution/public/common/components/top_n/top_n.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/top_n/top_n.tsx
@@ -11,10 +11,10 @@ import React, { useCallback, useEffect, useMemo, useState } from 'react';
 import { useSelector } from 'react-redux';
 import styled from 'styled-components';
 
+import { DataViewBase, Filter, Query } from '@kbn/es-query';
 import { GlobalTimeArgs } from '../../containers/use_global_time';
 import { EventsByDataset } from '../../../overview/components/events_by_dataset';
 import { SignalsByCategory } from '../../../overview/components/signals_by_category';
-import { Filter, IIndexPattern, Query } from '../../../../../../../src/plugins/data/public';
 import { InputsModelId } from '../../store/inputs/constants';
 import { TimelineEventsType } from '../../../../common/types/timeline';
 
@@ -23,6 +23,7 @@ import * as i18n from './translations';
 import { getIndicesSelector, IndicesSelector } from './selectors';
 import { State } from '../../store';
 import { AlertsStackByField } from '../../../detections/components/alerts_kpis/common/types';
+import { SourcererScopeName } from '../../store/sourcerer/model';
 
 const TopNContainer = styled.div`
   min-width: 600px;
@@ -53,7 +54,7 @@ export interface Props extends Pick<GlobalTimeArgs, 'from' | 'to' | 'deleteQuery
   defaultView: TimelineEventsType;
   field: AlertsStackByField;
   filters: Filter[];
-  indexPattern: IIndexPattern;
+  indexPattern: DataViewBase;
   options: TopNOption[];
   paddingSize?: 's' | 'm' | 'l' | 'none';
   query: Query;
@@ -90,7 +91,15 @@ const TopNComponent: React.FC<Props> = ({
   );
   const indicesSelector = useMemo(getIndicesSelector, []);
   const { all: allIndices, raw: rawIndices } = useSelector<State, IndicesSelector>(
-    (state) => indicesSelector(state),
+    (state) =>
+      indicesSelector(
+        state,
+        timelineId != null
+          ? defaultView === 'alert'
+            ? SourcererScopeName.detections
+            : SourcererScopeName.timeline
+          : SourcererScopeName.default
+      ),
     deepEqual
   );
 
diff --git a/x-pack/plugins/security_solution/public/common/components/url_state/helpers.ts b/x-pack/plugins/security_solution/public/common/components/url_state/helpers.ts
index 5b6bb0400ccdf..1ff98528a20b8 100644
--- a/x-pack/plugins/security_solution/public/common/components/url_state/helpers.ts
+++ b/x-pack/plugins/security_solution/public/common/components/url_state/helpers.ts
@@ -24,7 +24,7 @@ import { NavTab } from '../navigation/types';
 import { CONSTANTS, UrlStateType } from './constants';
 import { ReplaceStateInLocation, KeyUrlState, ValueUrlState } from './types';
 import { sourcererSelectors } from '../../store/sourcerer';
-import { SourcererScopeName, SourcererScopePatterns } from '../../store/sourcerer/model';
+import { SourcererScopeName, SourcererUrlState } from '../../store/sourcerer/model';
 
 export const isDetectionsPages = (pageName: string) =>
   pageName === SecurityPageName.alerts ||
@@ -156,9 +156,18 @@ export const makeMapStateToProps = () => {
     }
     const sourcerer = getSourcererScopes(state);
     const activeScopes: SourcererScopeName[] = Object.keys(sourcerer) as SourcererScopeName[];
-    const selectedPatterns: SourcererScopePatterns = activeScopes
+    const selectedPatterns: SourcererUrlState = activeScopes
       .filter((scope) => scope === SourcererScopeName.default)
-      .reduce((acc, scope) => ({ ...acc, [scope]: sourcerer[scope]?.selectedPatterns }), {});
+      .reduce(
+        (acc, scope) => ({
+          ...acc,
+          [scope]: {
+            id: sourcerer[scope]?.selectedDataViewId,
+            selectedPatterns: sourcerer[scope]?.selectedPatterns,
+          },
+        }),
+        {}
+      );
 
     return {
       urlState: {
diff --git a/x-pack/plugins/security_solution/public/common/components/url_state/initialize_redux_by_url.tsx b/x-pack/plugins/security_solution/public/common/components/url_state/initialize_redux_by_url.tsx
index f04cf30da61f5..11312e942c1eb 100644
--- a/x-pack/plugins/security_solution/public/common/components/url_state/initialize_redux_by_url.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/url_state/initialize_redux_by_url.tsx
@@ -28,7 +28,7 @@ import {
   queryTimelineById,
   dispatchUpdateTimeline,
 } from '../../../timelines/components/open_timeline/helpers';
-import { SourcererScopeName, SourcererScopePatterns } from '../../store/sourcerer/model';
+import { SourcererScopeName, SourcererUrlState } from '../../store/sourcerer/model';
 import { timelineActions } from '../../../timelines/store/timeline';
 
 export const useSetInitialStateFromUrl = () => {
@@ -55,16 +55,17 @@ export const useSetInitialStateFromUrl = () => {
           updateTimerange(newUrlStateString, dispatch);
         }
         if (urlKey === CONSTANTS.sourcerer) {
-          const sourcererState = decodeRisonUrlState<SourcererScopePatterns>(newUrlStateString);
+          const sourcererState = decodeRisonUrlState<SourcererUrlState>(newUrlStateString);
           if (sourcererState != null) {
             const activeScopes: SourcererScopeName[] = Object.keys(sourcererState).filter(
               (key) => !(key === SourcererScopeName.default && isDetectionsPages(pageName))
             ) as SourcererScopeName[];
             activeScopes.forEach((scope) =>
               dispatch(
-                sourcererActions.setSelectedIndexPatterns({
+                sourcererActions.setSelectedDataView({
                   id: scope,
-                  selectedPatterns: sourcererState[scope] ?? [],
+                  selectedDataViewId: sourcererState[scope]?.id ?? '',
+                  selectedPatterns: sourcererState[scope]?.selectedPatterns ?? [],
                 })
               )
             );
diff --git a/x-pack/plugins/security_solution/public/common/components/url_state/normalize_time_range.test.ts b/x-pack/plugins/security_solution/public/common/components/url_state/normalize_time_range.test.ts
index b5e4b04d2cd95..a87b1206c0082 100644
--- a/x-pack/plugins/security_solution/public/common/components/url_state/normalize_time_range.test.ts
+++ b/x-pack/plugins/security_solution/public/common/components/url_state/normalize_time_range.test.ts
@@ -13,23 +13,12 @@ import {
   RelativeTimeRange,
   isRelativeTimeRange,
 } from '../../store/inputs/model';
-
+import DateMath from '@elastic/datemath';
 import { getTimeRangeSettings } from '../../utils/default_date_settings';
 
 const getTimeRangeSettingsMock = getTimeRangeSettings as jest.Mock;
 
 jest.mock('../../utils/default_date_settings');
-jest.mock('@elastic/datemath', () => ({
-  parse: (date: string) => {
-    if (date === 'now') {
-      return { toISOString: () => '2020-07-08T08:20:18.966Z' };
-    }
-
-    if (date === 'now-24h') {
-      return { toISOString: () => '2020-07-07T08:20:18.966Z' };
-    }
-  },
-}));
 
 getTimeRangeSettingsMock.mockImplementation(() => ({
   from: '2020-07-04T08:20:18.966Z',
@@ -39,6 +28,19 @@ getTimeRangeSettingsMock.mockImplementation(() => ({
 }));
 
 describe('#normalizeTimeRange', () => {
+  let dateMathSpy: jest.SpyInstance;
+  beforeAll(() => {
+    dateMathSpy = jest.spyOn(DateMath, 'parse');
+    dateMathSpy.mockImplementation((date: string) =>
+      date === 'now'
+        ? { toISOString: () => new Date('2020-07-08T08:20:18.966Z') }
+        : { toISOString: () => new Date('2020-07-07T08:20:18.966Z') }
+    );
+  });
+
+  afterAll(() => {
+    jest.clearAllMocks();
+  });
   test('Absolute time range returns defaults for empty strings', () => {
     const dateTimeRange: URLTimeRange = {
       kind: 'absolute',
diff --git a/x-pack/plugins/security_solution/public/common/components/url_state/test_dependencies.ts b/x-pack/plugins/security_solution/public/common/components/url_state/test_dependencies.ts
index f0bd69b21c617..f722c5ec0da00 100644
--- a/x-pack/plugins/security_solution/public/common/components/url_state/test_dependencies.ts
+++ b/x-pack/plugins/security_solution/public/common/components/url_state/test_dependencies.ts
@@ -84,9 +84,7 @@ export const defaultProps: UrlStateContainerPropTypes = {
   indexPattern: {
     fields: [
       {
-        aggregatable: true,
         name: '@timestamp',
-        searchable: true,
         type: 'date',
       },
     ],
diff --git a/x-pack/plugins/security_solution/public/common/components/url_state/types.ts b/x-pack/plugins/security_solution/public/common/components/url_state/types.ts
index 06ed33ac69f6e..2626f4fb03c23 100644
--- a/x-pack/plugins/security_solution/public/common/components/url_state/types.ts
+++ b/x-pack/plugins/security_solution/public/common/components/url_state/types.ts
@@ -5,21 +5,15 @@
  * 2.0.
  */
 
-import {
-  Filter,
-  FilterManager,
-  IIndexPattern,
-  Query,
-  SavedQueryService,
-} from 'src/plugins/data/public';
-
+import { Filter, FilterManager, Query, SavedQueryService } from 'src/plugins/data/public';
+import { DataViewBase } from '@kbn/es-query';
 import { UrlInputsModel } from '../../store/inputs/model';
 import { TimelineUrl } from '../../../timelines/store/timeline/model';
 import { RouteSpyState } from '../../utils/route/types';
 import { SecurityNav } from '../navigation/types';
 
 import { CONSTANTS, UrlStateType } from './constants';
-import { SourcererScopePatterns } from '../../store/sourcerer/model';
+import { SourcererUrlState } from '../../store/sourcerer/model';
 
 export const ALL_URL_STATE_KEYS: KeyUrlState[] = [
   CONSTANTS.appQuery,
@@ -48,7 +42,7 @@ export interface UrlState {
   [CONSTANTS.appQuery]?: Query;
   [CONSTANTS.filters]?: Filter[];
   [CONSTANTS.savedQuery]?: string;
-  [CONSTANTS.sourcerer]: SourcererScopePatterns;
+  [CONSTANTS.sourcerer]: SourcererUrlState;
   [CONSTANTS.timerange]: UrlInputsModel;
   [CONSTANTS.timeline]: TimelineUrl;
 }
@@ -58,7 +52,7 @@ export type ValueUrlState = UrlState[keyof UrlState];
 
 export interface UrlStateProps {
   navTabs: SecurityNav;
-  indexPattern?: IIndexPattern;
+  indexPattern?: DataViewBase;
   mapToUrlState?: (value: string) => UrlState;
   onChange?: (urlState: UrlState, previousUrlState: UrlState) => void;
   onInitialize?: (urlState: UrlState) => void;
@@ -89,7 +83,7 @@ export interface UrlStateToRedux {
 
 export interface SetInitialStateFromUrl {
   filterManager: FilterManager;
-  indexPattern: IIndexPattern | undefined;
+  indexPattern: DataViewBase | undefined;
   pageName: string;
   savedQueries: SavedQueryService;
   urlStateToUpdate: UrlStateToRedux[];
diff --git a/x-pack/plugins/security_solution/public/common/containers/kuery_autocompletion/index.tsx b/x-pack/plugins/security_solution/public/common/containers/kuery_autocompletion/index.tsx
deleted file mode 100644
index 7ed4ba6944eb7..0000000000000
--- a/x-pack/plugins/security_solution/public/common/containers/kuery_autocompletion/index.tsx
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import React, { useState } from 'react';
-import { QuerySuggestion, IIndexPattern } from '../../../../../../../src/plugins/data/public';
-import { useKibana } from '../../lib/kibana';
-
-type RendererResult = React.ReactElement<JSX.Element> | null;
-type RendererFunction<RenderArgs, Result = RendererResult> = (args: RenderArgs) => Result;
-
-interface KueryAutocompletionLifecycleProps {
-  children: RendererFunction<{
-    isLoadingSuggestions: boolean;
-    loadSuggestions: (expression: string, cursorPosition: number, maxSuggestions?: number) => void;
-    suggestions: QuerySuggestion[];
-  }>;
-  indexPattern: IIndexPattern;
-}
-
-interface KueryAutocompletionCurrentRequest {
-  expression: string;
-  cursorPosition: number;
-}
-
-export const KueryAutocompletion = React.memo<KueryAutocompletionLifecycleProps>(
-  ({ children, indexPattern }) => {
-    const [currentRequest, setCurrentRequest] = useState<KueryAutocompletionCurrentRequest | null>(
-      null
-    );
-    const [suggestions, setSuggestions] = useState<QuerySuggestion[]>([]);
-    const kibana = useKibana();
-    const loadSuggestions = async (
-      expression: string,
-      cursorPosition: number,
-      maxSuggestions?: number
-    ) => {
-      const language = 'kuery';
-
-      if (!kibana.services.data.autocomplete.hasQuerySuggestions(language)) {
-        return;
-      }
-
-      const futureRequest = {
-        expression,
-        cursorPosition,
-      };
-      setCurrentRequest({
-        expression,
-        cursorPosition,
-      });
-      setSuggestions([]);
-
-      if (
-        futureRequest &&
-        futureRequest.expression !== (currentRequest && currentRequest.expression) &&
-        futureRequest.cursorPosition !== (currentRequest && currentRequest.cursorPosition)
-      ) {
-        const newSuggestions =
-          (await kibana.services.data.autocomplete.getQuerySuggestions({
-            language: 'kuery',
-            indexPatterns: [indexPattern],
-            boolFilter: [],
-            query: expression,
-            selectionStart: cursorPosition,
-            selectionEnd: cursorPosition,
-          })) || [];
-
-        setCurrentRequest(null);
-        setSuggestions(maxSuggestions ? newSuggestions.slice(0, maxSuggestions) : newSuggestions);
-      }
-    };
-
-    return children({
-      isLoadingSuggestions: currentRequest !== null,
-      loadSuggestions,
-      suggestions,
-    });
-  }
-);
-
-KueryAutocompletion.displayName = 'KueryAutocompletion';
diff --git a/x-pack/plugins/security_solution/public/common/containers/source/index.test.tsx b/x-pack/plugins/security_solution/public/common/containers/source/index.test.tsx
index 564d47f85da3f..d33afdf881f97 100644
--- a/x-pack/plugins/security_solution/public/common/containers/source/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/containers/source/index.test.tsx
@@ -7,7 +7,31 @@
 
 import { IndexField } from '../../../../common/search_strategy/index_fields';
 import { getBrowserFields } from '.';
+import { useDataView } from './use_data_view';
 import { mockBrowserFields, mocksSource } from './mock';
+import { SourcererScopeName } from '../../store/sourcerer/model';
+import { createStore, State } from '../../store';
+import {
+  createSecuritySolutionStorageMock,
+  kibanaObservable,
+  mockGlobalState,
+  SUB_PLUGINS_REDUCER,
+} from '../../mock';
+import { act, renderHook } from '@testing-library/react-hooks';
+import { Provider } from 'react-redux';
+import React from 'react';
+import { useKibana } from '../../lib/kibana';
+
+const mockDispatch = jest.fn();
+jest.mock('react-redux', () => {
+  const original = jest.requireActual('react-redux');
+
+  return {
+    ...original,
+    useDispatch: () => mockDispatch,
+  };
+});
+jest.mock('../../lib/kibana'); // , () => ({
 
 describe('source/index.tsx', () => {
   describe('getBrowserFields', () => {
@@ -28,4 +52,89 @@ describe('source/index.tsx', () => {
       expect(fields).toEqual(mockBrowserFields);
     });
   });
+  describe('useDataView hook', () => {
+    const sourcererState = mockGlobalState.sourcerer;
+    const state: State = {
+      ...mockGlobalState,
+      sourcerer: {
+        ...sourcererState,
+        kibanaDataViews: [
+          ...sourcererState.kibanaDataViews,
+          {
+            ...sourcererState.defaultDataView,
+            id: 'something-random',
+            title: 'something,random',
+            patternList: ['something', 'random'],
+          },
+        ],
+        sourcererScopes: {
+          ...sourcererState.sourcererScopes,
+          [SourcererScopeName.default]: {
+            ...sourcererState.sourcererScopes[SourcererScopeName.default],
+          },
+          [SourcererScopeName.detections]: {
+            ...sourcererState.sourcererScopes[SourcererScopeName.detections],
+          },
+          [SourcererScopeName.timeline]: {
+            ...sourcererState.sourcererScopes[SourcererScopeName.timeline],
+          },
+        },
+      },
+    };
+    const mockSearchResponse = {
+      ...mocksSource,
+      indicesExist: ['auditbeat-*', sourcererState.signalIndexName],
+      isRestore: false,
+      rawResponse: {},
+      runtimeMappings: {},
+    };
+    const { storage } = createSecuritySolutionStorageMock();
+    const store = createStore(state, SUB_PLUGINS_REDUCER, kibanaObservable, storage);
+
+    beforeEach(() => {
+      jest.clearAllMocks();
+      const mock = {
+        subscribe: ({ next }: { next: Function }) => next(mockSearchResponse),
+        unsubscribe: jest.fn(),
+      };
+
+      (useKibana as jest.Mock).mockReturnValue({
+        services: {
+          data: {
+            search: {
+              search: jest.fn().mockReturnValue({
+                subscribe: ({ next }: { next: Function }) => {
+                  next(mockSearchResponse);
+                  return mock;
+                },
+                unsubscribe: jest.fn(),
+              }),
+            },
+          },
+        },
+      });
+    });
+    it('sets field data for data view', async () => {
+      await act(async () => {
+        const { rerender, waitForNextUpdate, result } = renderHook<
+          string,
+          { indexFieldsSearch: (id: string) => void }
+        >(() => useDataView(), {
+          wrapper: ({ children }) => <Provider store={store}>{children}</Provider>,
+        });
+        await waitForNextUpdate();
+        rerender();
+        act(() => result.current.indexFieldsSearch('neato'));
+        expect(mockDispatch.mock.calls[0][0]).toEqual({
+          type: 'x-pack/security_solution/local/sourcerer/SET_DATA_VIEW_LOADING',
+          payload: { id: 'neato', loading: true },
+        });
+        const { type: sourceType, payload } = mockDispatch.mock.calls[1][0];
+        expect(sourceType).toEqual('x-pack/security_solution/local/sourcerer/SET_DATA_VIEW');
+        expect(payload.id).toEqual('neato');
+        expect(Object.keys(payload.browserFields)).toHaveLength(10);
+        expect(payload.docValueFields).toEqual([{ field: '@timestamp' }]);
+      });
+    });
+  });
 });
diff --git a/x-pack/plugins/security_solution/public/common/containers/source/index.tsx b/x-pack/plugins/security_solution/public/common/containers/source/index.tsx
index a894dbdd1dda7..cb5489035e258 100644
--- a/x-pack/plugins/security_solution/public/common/containers/source/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/containers/source/index.tsx
@@ -5,27 +5,23 @@
  * 2.0.
  */
 
-import { keyBy, pick, isEmpty, isEqual, isUndefined } from 'lodash/fp';
+import { isEmpty, isEqual, isUndefined, keyBy, pick } from 'lodash/fp';
 import memoizeOne from 'memoize-one';
-import { useCallback, useEffect, useMemo, useRef, useState } from 'react';
-import { useDispatch } from 'react-redux';
-import { IIndexPattern } from 'src/plugins/data/public';
+import { useCallback, useEffect, useRef, useState } from 'react';
+import { DataViewBase } from '@kbn/es-query';
 import { Subscription } from 'rxjs';
 
 import { useKibana } from '../../lib/kibana';
 import {
-  IndexField,
-  IndexFieldsStrategyResponse,
-  IndexFieldsStrategyRequest,
   BrowserField,
   BrowserFields,
-} from '../../../../common/search_strategy/index_fields';
-import { isErrorResponse, isCompleteResponse } from '../../../../../../../src/plugins/data/common';
-import { useDeepEqualSelector } from '../../../common/hooks/use_selector';
+  DocValueFields,
+  IndexField,
+  IndexFieldsStrategyRequest,
+  IndexFieldsStrategyResponse,
+} from '../../../../../timelines/common';
+import { isCompleteResponse, isErrorResponse } from '../../../../../../../src/plugins/data/common';
 import * as i18n from './translations';
-import { SourcererScopeName } from '../../store/sourcerer/model';
-import { sourcererActions, sourcererSelectors } from '../../store/sourcerer';
-import { DocValueFields } from '../../../../common/search_strategy/common';
 import { useAppToasts } from '../../hooks/use_app_toasts';
 
 export { BrowserField, BrowserFields, DocValueFields };
@@ -45,7 +41,7 @@ export const getAllFieldsByName = (
   keyBy('name', getAllBrowserFields(browserFields));
 
 export const getIndexFields = memoizeOne(
-  (title: string, fields: IndexField[]): IIndexPattern =>
+  (title: string, fields: IndexField[]): DataViewBase =>
     fields && fields.length > 0
       ? {
           fields: fields.map((field) =>
@@ -95,7 +91,6 @@ export const getDocValueFields = memoizeOne(
               ...accumulator,
               {
                 field: field.name,
-                format: field.format ? field.format : undefined,
               },
             ];
           }
@@ -119,9 +114,13 @@ interface FetchIndexReturn {
   docValueFields: DocValueFields[];
   indexes: string[];
   indexExists: boolean;
-  indexPatterns: IIndexPattern;
+  indexPatterns: DataViewBase;
 }
 
+/**
+ * Independent index fields hook/request
+ * returns state directly, no redux
+ */
 export const useFetchIndex = (
   indexNames: string[],
   onlyCheckIfIndicesExist: boolean = false
@@ -147,7 +146,7 @@ export const useFetchIndex = (
         abortCtrl.current = new AbortController();
         setLoading(true);
         searchSubscription$.current = data.search
-          .search<IndexFieldsStrategyRequest, IndexFieldsStrategyResponse>(
+          .search<IndexFieldsStrategyRequest<'indices'>, IndexFieldsStrategyResponse>(
             { indices: iNames, onlyCheckIfIndicesExist },
             {
               abortSignal: abortCtrl.current.signal,
@@ -161,7 +160,6 @@ export const useFetchIndex = (
 
                 previousIndexesName.current = response.indicesExist;
                 setLoading(false);
-
                 setState({
                   browserFields: getBrowserFields(stringifyIndices, response.indexFields),
                   docValueFields: getDocValueFields(stringifyIndices, response.indexFields),
@@ -205,95 +203,3 @@ export const useFetchIndex = (
 
   return [isLoading, state];
 };
-
-export const useIndexFields = (sourcererScopeName: SourcererScopeName) => {
-  const { data } = useKibana().services;
-  const abortCtrl = useRef(new AbortController());
-  const searchSubscription$ = useRef(new Subscription());
-  const dispatch = useDispatch();
-  const indexNamesSelectedSelector = useMemo(
-    () => sourcererSelectors.getIndexNamesSelectedSelector(),
-    []
-  );
-  const { indexNames, previousIndexNames } = useDeepEqualSelector<{
-    indexNames: string[];
-    previousIndexNames: string;
-  }>((state) => indexNamesSelectedSelector(state, sourcererScopeName));
-  const { addError, addWarning } = useAppToasts();
-
-  const setLoading = useCallback(
-    (loading: boolean) => {
-      dispatch(sourcererActions.setSourcererScopeLoading({ id: sourcererScopeName, loading }));
-    },
-    [dispatch, sourcererScopeName]
-  );
-
-  const indexFieldsSearch = useCallback(
-    (indicesName) => {
-      const asyncSearch = async () => {
-        abortCtrl.current = new AbortController();
-        setLoading(true);
-        searchSubscription$.current = data.search
-          .search<IndexFieldsStrategyRequest, IndexFieldsStrategyResponse>(
-            { indices: indicesName, onlyCheckIfIndicesExist: false },
-            {
-              abortSignal: abortCtrl.current.signal,
-              strategy: 'indexFields',
-            }
-          )
-          .subscribe({
-            next: (response) => {
-              if (isCompleteResponse(response)) {
-                const stringifyIndices = response.indicesExist.sort().join();
-                dispatch(
-                  sourcererActions.setSource({
-                    id: sourcererScopeName,
-                    payload: {
-                      browserFields: getBrowserFields(stringifyIndices, response.indexFields),
-                      docValueFields: getDocValueFields(stringifyIndices, response.indexFields),
-                      errorMessage: null,
-                      id: sourcererScopeName,
-                      indexPattern: getIndexFields(stringifyIndices, response.indexFields),
-                      // If checking for DE signals index, lie and say the index is created (it's
-                      // no longer created on startup, but is created lazily before writing).
-                      indicesExist:
-                        sourcererScopeName === SourcererScopeName.detections
-                          ? true
-                          : response.indicesExist.length > 0,
-                      loading: false,
-                    },
-                  })
-                );
-                searchSubscription$.current.unsubscribe();
-              } else if (isErrorResponse(response)) {
-                setLoading(false);
-                addWarning(i18n.ERROR_BEAT_FIELDS);
-                searchSubscription$.current.unsubscribe();
-              }
-            },
-            error: (msg) => {
-              setLoading(false);
-              addError(msg, {
-                title: i18n.FAIL_BEAT_FIELDS,
-              });
-              searchSubscription$.current.unsubscribe();
-            },
-          });
-      };
-      searchSubscription$.current.unsubscribe();
-      abortCtrl.current.abort();
-      asyncSearch();
-    },
-    [data.search, dispatch, addError, addWarning, setLoading, sourcererScopeName]
-  );
-
-  useEffect(() => {
-    if (!isEmpty(indexNames) && previousIndexNames !== indexNames.sort().join()) {
-      indexFieldsSearch(indexNames);
-    }
-    return () => {
-      searchSubscription$.current.unsubscribe();
-      abortCtrl.current.abort();
-    };
-  }, [indexNames, indexFieldsSearch, previousIndexNames]);
-};
diff --git a/x-pack/plugins/security_solution/public/common/containers/source/mock.ts b/x-pack/plugins/security_solution/public/common/containers/source/mock.ts
index c176e64da1ba2..e34972f5226f3 100644
--- a/x-pack/plugins/security_solution/public/common/containers/source/mock.ts
+++ b/x-pack/plugins/security_solution/public/common/containers/source/mock.ts
@@ -5,6 +5,7 @@
  * 2.0.
  */
 
+import { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { DEFAULT_INDEX_PATTERN } from '../../../../common/constants';
 import { DocValueFields } from '../../../../common/search_strategy';
 import { BrowserFields } from '../../../../common/search_strategy/index_fields';
@@ -22,6 +23,7 @@ export const mocksSource = {
       searchable: true,
       type: 'date',
       aggregatable: true,
+      readFromDocValues: true,
     },
     {
       category: 'agent',
@@ -330,7 +332,13 @@ export const mocksSource = {
 };
 
 export const mockIndexFields = [
-  { aggregatable: true, name: '@timestamp', searchable: true, type: 'date' },
+  {
+    aggregatable: true,
+    name: '@timestamp',
+    searchable: true,
+    type: 'date',
+    readFromDocValues: true,
+  },
   { aggregatable: true, name: 'agent.ephemeral_id', searchable: true, type: 'string' },
   { aggregatable: true, name: 'agent.hostname', searchable: true, type: 'string' },
   { aggregatable: true, name: 'agent.id', searchable: true, type: 'string' },
@@ -459,6 +467,7 @@ export const mockBrowserFields: BrowserFields = {
         name: '@timestamp',
         searchable: true,
         type: 'date',
+        readFromDocValues: true,
       },
     },
   },
@@ -726,3 +735,12 @@ export const mockDocValueFields: DocValueFields[] = [
     format: 'date_time',
   },
 ];
+
+export const mockRuntimeMappings: MappingRuntimeFields = {
+  '@a.runtime.field': {
+    script: {
+      source: 'emit("Radical dude: " + doc[\'host.name\'].value)',
+    },
+    type: 'keyword',
+  },
+};
diff --git a/x-pack/plugins/security_solution/public/common/containers/source/use_data_view.tsx b/x-pack/plugins/security_solution/public/common/containers/source/use_data_view.tsx
new file mode 100644
index 0000000000000..a0178d45a9e07
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/common/containers/source/use_data_view.tsx
@@ -0,0 +1,120 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { useCallback, useEffect, useRef } from 'react';
+import { Subscription } from 'rxjs';
+import { useDispatch } from 'react-redux';
+import memoizeOne from 'memoize-one';
+import { pick } from 'lodash/fp';
+import { useKibana } from '../../lib/kibana';
+import { useAppToasts } from '../../hooks/use_app_toasts';
+import { sourcererActions } from '../../store/sourcerer';
+import {
+  DELETED_SECURITY_SOLUTION_DATA_VIEW,
+  IndexField,
+  IndexFieldsStrategyRequest,
+  IndexFieldsStrategyResponse,
+} from '../../../../../timelines/common';
+import {
+  FieldSpec,
+  isCompleteResponse,
+  isErrorResponse,
+} from '../../../../../../../src/plugins/data/common';
+import * as i18n from './translations';
+import { getBrowserFields, getDocValueFields } from './';
+
+const getEsFields = memoizeOne(
+  (fields: IndexField[]): FieldSpec[] =>
+    fields && fields.length > 0
+      ? fields.map((field) =>
+          pick(['name', 'searchable', 'type', 'aggregatable', 'esTypes', 'subType'], field)
+        )
+      : [],
+  (newArgs, lastArgs) => newArgs[0].length === lastArgs[0].length
+);
+
+export const useDataView = (): { indexFieldsSearch: (selectedDataViewId: string) => void } => {
+  const { data } = useKibana().services;
+  const abortCtrl = useRef(new AbortController());
+  const searchSubscription$ = useRef(new Subscription());
+  const dispatch = useDispatch();
+  const { addError, addWarning } = useAppToasts();
+
+  const setLoading = useCallback(
+    ({ id, loading }: { id: string; loading: boolean }) => {
+      dispatch(sourcererActions.setDataViewLoading({ id, loading }));
+    },
+    [dispatch]
+  );
+
+  const indexFieldsSearch = useCallback(
+    (selectedDataViewId: string) => {
+      const asyncSearch = async () => {
+        abortCtrl.current = new AbortController();
+        setLoading({ id: selectedDataViewId, loading: true });
+        searchSubscription$.current = data.search
+          .search<IndexFieldsStrategyRequest<'dataView'>, IndexFieldsStrategyResponse>(
+            {
+              dataViewId: selectedDataViewId,
+              onlyCheckIfIndicesExist: false,
+            },
+            {
+              abortSignal: abortCtrl.current.signal,
+              strategy: 'indexFields',
+            }
+          )
+          .subscribe({
+            next: (response) => {
+              if (isCompleteResponse(response)) {
+                const patternString = response.indicesExist.sort().join();
+
+                dispatch(
+                  sourcererActions.setDataView({
+                    browserFields: getBrowserFields(patternString, response.indexFields),
+                    docValueFields: getDocValueFields(patternString, response.indexFields),
+                    id: selectedDataViewId,
+                    indexFields: getEsFields(response.indexFields),
+                    loading: false,
+                    runtimeMappings: response.runtimeMappings,
+                  })
+                );
+                searchSubscription$.current.unsubscribe();
+              } else if (isErrorResponse(response)) {
+                setLoading({ id: selectedDataViewId, loading: false });
+                addWarning(i18n.ERROR_BEAT_FIELDS);
+                searchSubscription$.current.unsubscribe();
+              }
+            },
+            error: (msg) => {
+              if (msg.message === DELETED_SECURITY_SOLUTION_DATA_VIEW) {
+                // reload app if security solution data view is deleted
+                return location.reload();
+              }
+              setLoading({ id: selectedDataViewId, loading: false });
+              addError(msg, {
+                title: i18n.FAIL_BEAT_FIELDS,
+              });
+              searchSubscription$.current.unsubscribe();
+            },
+          });
+      };
+      searchSubscription$.current.unsubscribe();
+      abortCtrl.current.abort();
+      asyncSearch();
+    },
+    [addError, addWarning, data.search, dispatch, setLoading]
+  );
+
+  useEffect(() => {
+    return () => {
+      searchSubscription$.current.unsubscribe();
+      abortCtrl.current.abort();
+    };
+  }, []);
+
+  return { indexFieldsSearch };
+};
diff --git a/x-pack/plugins/security_solution/public/common/containers/sourcerer/api.ts b/x-pack/plugins/security_solution/public/common/containers/sourcerer/api.ts
new file mode 100644
index 0000000000000..54008848c2f71
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/common/containers/sourcerer/api.ts
@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { KibanaServices } from '../../lib/kibana';
+import { SOURCERER_API_URL } from '../../../../common/constants';
+import { KibanaDataView } from '../../store/sourcerer/model';
+
+export interface GetSourcererDataView {
+  signal: AbortSignal;
+  body: {
+    patternList: string[];
+  };
+}
+
+export interface SecurityDataView {
+  defaultDataView: KibanaDataView;
+  kibanaDataViews: KibanaDataView[];
+}
+
+export const postSourcererDataView = async ({
+  body,
+  signal,
+}: GetSourcererDataView): Promise<SecurityDataView> =>
+  KibanaServices.get().http.fetch(SOURCERER_API_URL, {
+    method: 'POST',
+    body: JSON.stringify(body),
+    signal,
+  });
diff --git a/x-pack/plugins/security_solution/public/common/containers/sourcerer/index.test.tsx b/x-pack/plugins/security_solution/public/common/containers/sourcerer/index.test.tsx
index ec28326f7d170..2e060973c431f 100644
--- a/x-pack/plugins/security_solution/public/common/containers/sourcerer/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/containers/sourcerer/index.test.tsx
@@ -7,14 +7,14 @@
 
 import React from 'react';
 import { act, renderHook } from '@testing-library/react-hooks';
+import { waitFor } from '@testing-library/react';
 import { Provider } from 'react-redux';
 
-import { getScopeFromPath, useInitSourcerer } from '.';
+import { getScopeFromPath, useInitSourcerer, useSourcererDataView } from '.';
 import { mockPatterns } from './mocks';
-// import { SourcererScopeName } from '../../store/sourcerer/model';
 import { RouteSpyState } from '../../utils/route/types';
-import { SecurityPageName } from '../../../../common/constants';
-import { createStore, State } from '../../store';
+import { DEFAULT_INDEX_PATTERN, SecurityPageName } from '../../../../common/constants';
+import { createStore } from '../../store';
 import {
   useUserInfo,
   initialState as userInfoState,
@@ -24,8 +24,10 @@ import {
   kibanaObservable,
   mockGlobalState,
   SUB_PLUGINS_REDUCER,
+  mockSourcererState,
 } from '../../mock';
-import { SourcererScopeName } from '../../store/sourcerer/model';
+import { SelectedDataView, SourcererScopeName } from '../../store/sourcerer/model';
+import { postSourcererDataView } from './api';
 
 const mockRouteSpy: RouteSpyState = {
   pageName: SecurityPageName.overview,
@@ -37,6 +39,7 @@ const mockRouteSpy: RouteSpyState = {
 const mockDispatch = jest.fn();
 const mockUseUserInfo = useUserInfo as jest.Mock;
 jest.mock('../../../detections/components/user_info');
+jest.mock('./api');
 jest.mock('react-redux', () => {
   const original = jest.requireActual('react-redux');
 
@@ -48,6 +51,7 @@ jest.mock('react-redux', () => {
 jest.mock('../../utils/route/use_route_spy', () => ({
   useRouteSpy: () => [mockRouteSpy],
 }));
+
 jest.mock('../../lib/kibana', () => ({
   useToasts: jest.fn().mockReturnValue({
     addError: jest.fn(),
@@ -84,36 +88,13 @@ jest.mock('../../lib/kibana', () => ({
 }));
 
 describe('Sourcerer Hooks', () => {
-  const state: State = {
-    ...mockGlobalState,
-    sourcerer: {
-      ...mockGlobalState.sourcerer,
-      sourcererScopes: {
-        ...mockGlobalState.sourcerer.sourcererScopes,
-        [SourcererScopeName.default]: {
-          ...mockGlobalState.sourcerer.sourcererScopes[SourcererScopeName.default],
-          indexPattern: {
-            fields: [],
-            title: '',
-          },
-        },
-        [SourcererScopeName.timeline]: {
-          ...mockGlobalState.sourcerer.sourcererScopes[SourcererScopeName.timeline],
-          indexPattern: {
-            fields: [],
-            title: '',
-          },
-        },
-      },
-    },
-  };
   const { storage } = createSecuritySolutionStorageMock();
-  let store = createStore(state, SUB_PLUGINS_REDUCER, kibanaObservable, storage);
+  let store: ReturnType<typeof createStore>;
 
   beforeEach(() => {
     jest.clearAllMocks();
     jest.restoreAllMocks();
-    store = createStore(state, SUB_PLUGINS_REDUCER, kibanaObservable, storage);
+    store = createStore(mockGlobalState, SUB_PLUGINS_REDUCER, kibanaObservable, storage);
     mockUseUserInfo.mockImplementation(() => userInfoState);
   });
   it('initializes loading default and timeline index patterns', async () => {
@@ -125,34 +106,88 @@ describe('Sourcerer Hooks', () => {
       rerender();
       expect(mockDispatch).toBeCalledTimes(2);
       expect(mockDispatch.mock.calls[0][0]).toEqual({
-        type: 'x-pack/security_solution/local/sourcerer/SET_SOURCERER_SCOPE_LOADING',
-        payload: { id: 'default', loading: true },
+        type: 'x-pack/security_solution/local/sourcerer/SET_DATA_VIEW_LOADING',
+        payload: { id: 'security-solution', loading: true },
       });
       expect(mockDispatch.mock.calls[1][0]).toEqual({
-        type: 'x-pack/security_solution/local/sourcerer/SET_SOURCERER_SCOPE_LOADING',
-        payload: { id: 'timeline', loading: true },
+        type: 'x-pack/security_solution/local/sourcerer/SET_SELECTED_DATA_VIEW',
+        payload: {
+          id: 'timeline',
+          selectedDataViewId: 'security-solution',
+          selectedPatterns: [
+            '.siem-signals-spacename',
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'traces-apm*',
+            'winlogbeat-*',
+          ],
+        },
       });
     });
   });
   it('sets signal index name', async () => {
+    const mockNewDataViews = {
+      defaultDataView: mockSourcererState.defaultDataView,
+      kibanaDataViews: [mockSourcererState.defaultDataView],
+    };
+    (postSourcererDataView as jest.Mock).mockResolvedValue(mockNewDataViews);
+
+    store = createStore(
+      {
+        ...mockGlobalState,
+        sourcerer: {
+          ...mockGlobalState.sourcerer,
+          signalIndexName: null,
+          defaultDataView: {
+            ...mockGlobalState.sourcerer.defaultDataView,
+            title: DEFAULT_INDEX_PATTERN.join(','),
+            patternList: DEFAULT_INDEX_PATTERN,
+          },
+        },
+      },
+      SUB_PLUGINS_REDUCER,
+      kibanaObservable,
+      storage
+    );
     await act(async () => {
       mockUseUserInfo.mockImplementation(() => ({
         ...userInfoState,
         loading: false,
-        signalIndexName: 'signals-*',
+        signalIndexName: mockSourcererState.signalIndexName,
       }));
       const { rerender, waitForNextUpdate } = renderHook<string, void>(() => useInitSourcerer(), {
         wrapper: ({ children }) => <Provider store={store}>{children}</Provider>,
       });
       await waitForNextUpdate();
       rerender();
-      expect(mockDispatch.mock.calls[2][0]).toEqual({
-        type: 'x-pack/security_solution/local/sourcerer/SET_SIGNAL_INDEX_NAME',
-        payload: { signalIndexName: 'signals-*' },
-      });
-      expect(mockDispatch.mock.calls[3][0]).toEqual({
-        type: 'x-pack/security_solution/local/sourcerer/SET_SELECTED_INDEX_PATTERNS',
-        payload: { id: 'timeline', selectedPatterns: ['signals-*'] },
+      await waitFor(() => {
+        expect(mockDispatch.mock.calls[2][0]).toEqual({
+          type: 'x-pack/security_solution/local/sourcerer/SET_SOURCERER_SCOPE_LOADING',
+          payload: { loading: true },
+        });
+        expect(mockDispatch.mock.calls[3][0]).toEqual({
+          type: 'x-pack/security_solution/local/sourcerer/SET_SIGNAL_INDEX_NAME',
+          payload: { signalIndexName: mockSourcererState.signalIndexName },
+        });
+        expect(mockDispatch.mock.calls[4][0]).toEqual({
+          type: 'x-pack/security_solution/local/sourcerer/SET_DATA_VIEW_LOADING',
+          payload: {
+            id: mockSourcererState.defaultDataView.id,
+            loading: true,
+          },
+        });
+        expect(mockDispatch.mock.calls[5][0]).toEqual({
+          type: 'x-pack/security_solution/local/sourcerer/SET_SOURCERER_DATA_VIEWS',
+          payload: mockNewDataViews,
+        });
+        expect(mockDispatch.mock.calls[6][0]).toEqual({
+          type: 'x-pack/security_solution/local/sourcerer/SET_SOURCERER_SCOPE_LOADING',
+          payload: { loading: false },
+        });
       });
     });
   });
@@ -160,7 +195,7 @@ describe('Sourcerer Hooks', () => {
     await act(async () => {
       mockUseUserInfo.mockImplementation(() => ({
         ...userInfoState,
-        signalIndexName: 'signals-*',
+        signalIndexName: mockSourcererState.signalIndexName,
         isSignalIndexExists: true,
       }));
       const { rerender, waitForNextUpdate } = renderHook<string, void>(
@@ -171,9 +206,130 @@ describe('Sourcerer Hooks', () => {
       );
       await waitForNextUpdate();
       rerender();
-      expect(mockDispatch.mock.calls[1][0]).toEqual({
-        type: 'x-pack/security_solution/local/sourcerer/SET_SELECTED_INDEX_PATTERNS',
-        payload: { id: 'detections', selectedPatterns: ['signals-*'] },
+      expect(mockDispatch.mock.calls[2][0]).toEqual({
+        type: 'x-pack/security_solution/local/sourcerer/SET_SELECTED_DATA_VIEW',
+        payload: {
+          id: 'detections',
+          selectedDataViewId: mockSourcererState.defaultDataView.id,
+          selectedPatterns: [mockSourcererState.signalIndexName],
+        },
+      });
+    });
+  });
+
+  describe('useSourcererDataView', () => {
+    it('Should exclude elastic cloud alias when selected patterns include "logs-*" as an alias', async () => {
+      await act(async () => {
+        const { result, rerender, waitForNextUpdate } = renderHook<
+          SourcererScopeName,
+          SelectedDataView
+        >(() => useSourcererDataView(), {
+          wrapper: ({ children }) => <Provider store={store}>{children}</Provider>,
+        });
+        await waitForNextUpdate();
+        rerender();
+        expect(result.current.selectedPatterns).toEqual([
+          '-*elastic-cloud-logs-*',
+          ...mockGlobalState.sourcerer.sourcererScopes.default.selectedPatterns,
+        ]);
+      });
+    });
+
+    it('Should NOT exclude elastic cloud alias when selected patterns does NOT include "logs-*" as an alias', async () => {
+      await act(async () => {
+        store = createStore(
+          {
+            ...mockGlobalState,
+            sourcerer: {
+              ...mockGlobalState.sourcerer,
+              sourcererScopes: {
+                ...mockGlobalState.sourcerer.sourcererScopes,
+                [SourcererScopeName.default]: {
+                  ...mockGlobalState.sourcerer.sourcererScopes[SourcererScopeName.default],
+                  selectedPatterns: [
+                    'apm-*-transaction*',
+                    'auditbeat-*',
+                    'endgame-*',
+                    'filebeat-*',
+                    'packetbeat-*',
+                    'traces-apm*',
+                    'winlogbeat-*',
+                  ],
+                },
+              },
+            },
+          },
+          SUB_PLUGINS_REDUCER,
+          kibanaObservable,
+          storage
+        );
+        const { result, rerender, waitForNextUpdate } = renderHook<
+          SourcererScopeName,
+          SelectedDataView
+        >(() => useSourcererDataView(), {
+          wrapper: ({ children }) => <Provider store={store}>{children}</Provider>,
+        });
+        await waitForNextUpdate();
+        rerender();
+        expect(result.current.selectedPatterns).toEqual([
+          'apm-*-transaction*',
+          'auditbeat-*',
+          'endgame-*',
+          'filebeat-*',
+          'packetbeat-*',
+          'traces-apm*',
+          'winlogbeat-*',
+        ]);
+      });
+    });
+
+    it('Should NOT exclude elastic cloud alias when selected patterns include "logs-endpoint.event-*" as an alias', async () => {
+      await act(async () => {
+        store = createStore(
+          {
+            ...mockGlobalState,
+            sourcerer: {
+              ...mockGlobalState.sourcerer,
+              sourcererScopes: {
+                ...mockGlobalState.sourcerer.sourcererScopes,
+                [SourcererScopeName.default]: {
+                  ...mockGlobalState.sourcerer.sourcererScopes[SourcererScopeName.default],
+                  selectedPatterns: [
+                    'apm-*-transaction*',
+                    'auditbeat-*',
+                    'endgame-*',
+                    'filebeat-*',
+                    'packetbeat-*',
+                    'traces-apm*',
+                    'winlogbeat-*',
+                    'logs-endpoint.event-*',
+                  ],
+                },
+              },
+            },
+          },
+          SUB_PLUGINS_REDUCER,
+          kibanaObservable,
+          storage
+        );
+        const { result, rerender, waitForNextUpdate } = renderHook<
+          SourcererScopeName,
+          SelectedDataView
+        >(() => useSourcererDataView(), {
+          wrapper: ({ children }) => <Provider store={store}>{children}</Provider>,
+        });
+        await waitForNextUpdate();
+        rerender();
+        expect(result.current.selectedPatterns).toEqual([
+          'apm-*-transaction*',
+          'auditbeat-*',
+          'endgame-*',
+          'filebeat-*',
+          'logs-endpoint.event-*',
+          'packetbeat-*',
+          'traces-apm*',
+          'winlogbeat-*',
+        ]);
       });
     });
   });
diff --git a/x-pack/plugins/security_solution/public/common/containers/sourcerer/index.tsx b/x-pack/plugins/security_solution/public/common/containers/sourcerer/index.tsx
index 615bc104b14f9..4ca8bf037261a 100644
--- a/x-pack/plugins/security_solution/public/common/containers/sourcerer/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/containers/sourcerer/index.tsx
@@ -5,133 +5,298 @@
  * 2.0.
  */
 
-import { useEffect, useMemo, useRef } from 'react';
+import { useCallback, useEffect, useMemo, useRef } from 'react';
 import { useDispatch } from 'react-redux';
-
+import { i18n } from '@kbn/i18n';
 import { matchPath } from 'react-router-dom';
 import { sourcererActions, sourcererSelectors } from '../../store/sourcerer';
-import { SourcererScopeName } from '../../store/sourcerer/model';
-import { useIndexFields } from '../source';
+import { SelectedDataView, SourcererScopeName } from '../../store/sourcerer/model';
 import { useUserInfo } from '../../../detections/components/user_info';
 import { timelineSelectors } from '../../../timelines/store/timeline';
 import { ALERTS_PATH, CASES_PATH, RULES_PATH, UEBA_PATH } from '../../../../common/constants';
 import { TimelineId } from '../../../../common';
 import { useDeepEqualSelector } from '../../hooks/use_selector';
+import { getScopePatternListSelection } from '../../store/sourcerer/helpers';
+import { useAppToasts } from '../../hooks/use_app_toasts';
+import { postSourcererDataView } from './api';
+import { useDataView } from '../source/use_data_view';
 
 export const useInitSourcerer = (
   scopeId: SourcererScopeName.default | SourcererScopeName.detections = SourcererScopeName.default
 ) => {
   const dispatch = useDispatch();
+  const abortCtrl = useRef(new AbortController());
   const initialTimelineSourcerer = useRef(true);
   const initialDetectionSourcerer = useRef(true);
   const { loading: loadingSignalIndex, isSignalIndexExists, signalIndexName } = useUserInfo();
-  const getConfigIndexPatternsSelector = useMemo(
-    () => sourcererSelectors.configIndexPatternsSelector(),
+  const getDefaultDataViewSelector = useMemo(
+    () => sourcererSelectors.defaultDataViewSelector(),
     []
   );
-  const ConfigIndexPatterns = useDeepEqualSelector(getConfigIndexPatternsSelector);
+  const defaultDataView = useDeepEqualSelector(getDefaultDataViewSelector);
+
+  const { addError } = useAppToasts();
+
+  useEffect(() => {
+    if (defaultDataView.error != null) {
+      addError(defaultDataView.error, {
+        title: i18n.translate('xpack.securitySolution.sourcerer.permissions.title', {
+          defaultMessage: 'Write role required to generate data',
+        }),
+        toastMessage: i18n.translate('xpack.securitySolution.sourcerer.permissions.toastMessage', {
+          defaultMessage:
+            'Users with write permission need to access the Elastic Security app to initialize the app source data.',
+        }),
+      });
+    }
+  }, [addError, defaultDataView.error]);
 
   const getSignalIndexNameSelector = useMemo(
     () => sourcererSelectors.signalIndexNameSelector(),
     []
   );
-  const signalIndexNameSelector = useDeepEqualSelector(getSignalIndexNameSelector);
+  const signalIndexNameSourcerer = useDeepEqualSelector(getSignalIndexNameSelector);
 
   const getTimelineSelector = useMemo(() => timelineSelectors.getTimelineByIdSelector(), []);
   const activeTimeline = useDeepEqualSelector((state) =>
     getTimelineSelector(state, TimelineId.active)
   );
+  const scopeIdSelector = useMemo(() => sourcererSelectors.scopeIdSelector(), []);
+  const { selectedDataViewId: scopeDataViewId } = useDeepEqualSelector((state) =>
+    scopeIdSelector(state, scopeId)
+  );
+  const { selectedDataViewId: timelineDataViewId } = useDeepEqualSelector((state) =>
+    scopeIdSelector(state, SourcererScopeName.timeline)
+  );
+  const activeDataViewIds = useMemo(
+    () => [...new Set([scopeDataViewId, timelineDataViewId])],
+    [scopeDataViewId, timelineDataViewId]
+  );
+  const { indexFieldsSearch } = useDataView();
 
-  useIndexFields(scopeId);
-  useIndexFields(SourcererScopeName.timeline);
-
-  useEffect(() => {
-    if (!loadingSignalIndex && signalIndexName != null && signalIndexNameSelector == null) {
-      dispatch(sourcererActions.setSignalIndexName({ signalIndexName }));
-    }
-  }, [dispatch, loadingSignalIndex, signalIndexName, signalIndexNameSelector]);
+  useEffect(
+    () => activeDataViewIds.forEach((id) => id != null && id.length > 0 && indexFieldsSearch(id)),
+    [activeDataViewIds, indexFieldsSearch]
+  );
 
   // Related to timeline
   useEffect(() => {
     if (
       !loadingSignalIndex &&
       signalIndexName != null &&
-      signalIndexNameSelector == null &&
+      signalIndexNameSourcerer == null &&
       (activeTimeline == null || activeTimeline.savedObjectId == null) &&
-      initialTimelineSourcerer.current
+      initialTimelineSourcerer.current &&
+      defaultDataView.id.length > 0
     ) {
       initialTimelineSourcerer.current = false;
       dispatch(
-        sourcererActions.setSelectedIndexPatterns({
+        sourcererActions.setSelectedDataView({
           id: SourcererScopeName.timeline,
-          selectedPatterns: [...ConfigIndexPatterns, signalIndexName],
+          selectedDataViewId: defaultDataView.id,
+          selectedPatterns: getScopePatternListSelection(
+            defaultDataView,
+            SourcererScopeName.timeline,
+            signalIndexName,
+            true
+          ),
         })
       );
     } else if (
-      signalIndexNameSelector != null &&
+      signalIndexNameSourcerer != null &&
       (activeTimeline == null || activeTimeline.savedObjectId == null) &&
-      initialTimelineSourcerer.current
+      initialTimelineSourcerer.current &&
+      defaultDataView.id.length > 0
     ) {
       initialTimelineSourcerer.current = false;
       dispatch(
-        sourcererActions.setSelectedIndexPatterns({
+        sourcererActions.setSelectedDataView({
           id: SourcererScopeName.timeline,
-          selectedPatterns: [...ConfigIndexPatterns, signalIndexNameSelector],
+          selectedDataViewId: defaultDataView.id,
+          selectedPatterns: getScopePatternListSelection(
+            defaultDataView,
+            SourcererScopeName.timeline,
+            signalIndexNameSourcerer,
+            true
+          ),
         })
       );
     }
   }, [
     activeTimeline,
-    ConfigIndexPatterns,
+    defaultDataView,
     dispatch,
     loadingSignalIndex,
     signalIndexName,
-    signalIndexNameSelector,
+    signalIndexNameSourcerer,
   ]);
 
+  const updateSourcererDataView = useCallback(
+    (newSignalsIndex: string) => {
+      const asyncSearch = async (newPatternList: string[]) => {
+        abortCtrl.current = new AbortController();
+
+        dispatch(sourcererActions.setSourcererScopeLoading({ loading: true }));
+        try {
+          const response = await postSourcererDataView({
+            body: { patternList: newPatternList },
+            signal: abortCtrl.current.signal,
+          });
+
+          if (response.defaultDataView.patternList.includes(newSignalsIndex)) {
+            // first time signals is defined and validated in the sourcerer
+            // redo indexFieldsSearch
+            indexFieldsSearch(response.defaultDataView.id);
+          }
+          dispatch(sourcererActions.setSourcererDataViews(response));
+          dispatch(sourcererActions.setSourcererScopeLoading({ loading: false }));
+        } catch (err) {
+          addError(err, {
+            title: i18n.translate('xpack.securitySolution.sourcerer.error.title', {
+              defaultMessage: 'Error updating Security Data View',
+            }),
+            toastMessage: i18n.translate('xpack.securitySolution.sourcerer.error.toastMessage', {
+              defaultMessage: 'Refresh the page',
+            }),
+          });
+          dispatch(sourcererActions.setSourcererScopeLoading({ loading: false }));
+        }
+      };
+
+      if (defaultDataView.title.indexOf(newSignalsIndex) === -1) {
+        abortCtrl.current.abort();
+        asyncSearch([...defaultDataView.title.split(','), newSignalsIndex]);
+      }
+    },
+    [defaultDataView.title, dispatch, indexFieldsSearch, addError]
+  );
+  useEffect(() => {
+    if (
+      !loadingSignalIndex &&
+      signalIndexName != null &&
+      signalIndexNameSourcerer == null &&
+      defaultDataView.id.length > 0
+    ) {
+      // update signal name also updates sourcerer
+      // we hit this the first time signal index is created
+      updateSourcererDataView(signalIndexName);
+      dispatch(sourcererActions.setSignalIndexName({ signalIndexName }));
+    }
+  }, [
+    defaultDataView.id,
+    dispatch,
+    indexFieldsSearch,
+    isSignalIndexExists,
+    loadingSignalIndex,
+    signalIndexName,
+    signalIndexNameSourcerer,
+    updateSourcererDataView,
+  ]);
   // Related to the detection page
   useEffect(() => {
     if (
       scopeId === SourcererScopeName.detections &&
       isSignalIndexExists &&
       signalIndexName != null &&
-      initialDetectionSourcerer.current
+      initialDetectionSourcerer.current &&
+      defaultDataView.id.length > 0
     ) {
       initialDetectionSourcerer.current = false;
       dispatch(
-        sourcererActions.setSelectedIndexPatterns({
-          id: scopeId,
-          selectedPatterns: [signalIndexName],
+        sourcererActions.setSelectedDataView({
+          id: SourcererScopeName.detections,
+          selectedDataViewId: defaultDataView.id,
+          selectedPatterns: getScopePatternListSelection(
+            defaultDataView,
+            SourcererScopeName.detections,
+            signalIndexName,
+            true
+          ),
         })
       );
     } else if (
       scopeId === SourcererScopeName.detections &&
-      signalIndexNameSelector != null &&
-      initialTimelineSourcerer.current
+      signalIndexNameSourcerer != null &&
+      initialTimelineSourcerer.current &&
+      defaultDataView.id.length > 0
     ) {
       initialDetectionSourcerer.current = false;
-      dispatch(
-        sourcererActions.setSelectedIndexPatterns({
-          id: scopeId,
-          selectedPatterns: [signalIndexNameSelector],
-        })
-      );
+      sourcererActions.setSelectedDataView({
+        id: SourcererScopeName.detections,
+        selectedDataViewId: defaultDataView.id,
+        selectedPatterns: getScopePatternListSelection(
+          defaultDataView,
+          SourcererScopeName.detections,
+          signalIndexNameSourcerer,
+          true
+        ),
+      });
     }
-  }, [dispatch, isSignalIndexExists, scopeId, signalIndexName, signalIndexNameSelector]);
+  }, [
+    defaultDataView,
+    dispatch,
+    isSignalIndexExists,
+    scopeId,
+    signalIndexName,
+    signalIndexNameSourcerer,
+  ]);
 };
 
-export const useSourcererScope = (scope: SourcererScopeName = SourcererScopeName.default) => {
+const LOGS_WILDCARD_INDEX = 'logs-*';
+export const EXCLUDE_ELASTIC_CLOUD_INDEX = '-*elastic-cloud-logs-*';
+
+export const useSourcererDataView = (
+  scopeId: SourcererScopeName = SourcererScopeName.default
+): SelectedDataView => {
   const sourcererScopeSelector = useMemo(() => sourcererSelectors.getSourcererScopeSelector(), []);
-  return useDeepEqualSelector((state) => sourcererScopeSelector(state, scope));
+  const {
+    signalIndexName,
+    sourcererDataView: selectedDataView,
+    sourcererScope: { selectedPatterns: scopeSelectedPatterns, loading },
+  }: sourcererSelectors.SourcererScopeSelector = useDeepEqualSelector((state) =>
+    sourcererScopeSelector(state, scopeId)
+  );
+
+  const selectedPatterns = useMemo(
+    () =>
+      scopeSelectedPatterns.some((index) => index === LOGS_WILDCARD_INDEX)
+        ? [...scopeSelectedPatterns, EXCLUDE_ELASTIC_CLOUD_INDEX]
+        : scopeSelectedPatterns,
+    [scopeSelectedPatterns]
+  );
+
+  return useMemo(
+    () => ({
+      browserFields: selectedDataView.browserFields,
+      dataViewId: selectedDataView.id,
+      docValueFields: selectedDataView.docValueFields,
+      indexPattern: {
+        fields: selectedDataView.indexFields,
+        title: selectedPatterns.join(','),
+      },
+      indicesExist:
+        scopeId === SourcererScopeName.detections
+          ? selectedDataView.patternList.includes(`${signalIndexName}`)
+          : scopeId === SourcererScopeName.default
+          ? selectedDataView.patternList.filter((i) => i !== signalIndexName).length > 0
+          : selectedDataView.patternList.length > 0,
+      loading: loading || selectedDataView.loading,
+      runtimeMappings: selectedDataView.runtimeMappings,
+      // all active & inactive patterns in DATA_VIEW
+      patternList: selectedDataView.title.split(','),
+      // selected patterns in DATA_VIEW
+      selectedPatterns: selectedPatterns.sort(),
+    }),
+    [loading, selectedPatterns, signalIndexName, scopeId, selectedDataView]
+  );
 };
 
 export const getScopeFromPath = (
   pathname: string
-): SourcererScopeName.default | SourcererScopeName.detections => {
-  return matchPath(pathname, {
+): SourcererScopeName.default | SourcererScopeName.detections =>
+  matchPath(pathname, {
     path: [ALERTS_PATH, `${RULES_PATH}/id/:id`, `${UEBA_PATH}/:id`, `${CASES_PATH}/:detailName`],
     strict: false,
   }) == null
     ? SourcererScopeName.default
     : SourcererScopeName.detections;
-};
diff --git a/x-pack/plugins/security_solution/public/common/containers/sourcerer/use_signal_helpers.test.tsx b/x-pack/plugins/security_solution/public/common/containers/sourcerer/use_signal_helpers.test.tsx
new file mode 100644
index 0000000000000..a387bd2211a66
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/common/containers/sourcerer/use_signal_helpers.test.tsx
@@ -0,0 +1,95 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import {
+  createSecuritySolutionStorageMock,
+  kibanaObservable,
+  mockGlobalState,
+  SUB_PLUGINS_REDUCER,
+  TestProviders,
+} from '../../mock';
+import { act, renderHook } from '@testing-library/react-hooks';
+import { useSignalHelpers } from './use_signal_helpers';
+import { createStore, State } from '../../store';
+
+describe('useSignalHelpers', () => {
+  const wrapperContainer: React.FC<{ children?: React.ReactNode }> = ({ children }) => (
+    <TestProviders>{children}</TestProviders>
+  );
+
+  test('Default state, does not need init and does not need poll', async () => {
+    await act(async () => {
+      const { result, waitForNextUpdate } = renderHook(() => useSignalHelpers(), {
+        wrapper: wrapperContainer,
+      });
+      await waitForNextUpdate();
+      expect(result.current.signalIndexNeedsInit).toEqual(false);
+      expect(result.current.pollForSignalIndex).toEqual(undefined);
+    });
+  });
+  test('Needs init and does not need poll when signal index is not yet in default data view', async () => {
+    const state: State = {
+      ...mockGlobalState,
+      sourcerer: {
+        ...mockGlobalState.sourcerer,
+        defaultDataView: {
+          ...mockGlobalState.sourcerer.defaultDataView,
+          title: `auditbeat-*,packetbeat-*`,
+          patternList: ['packetbeat-*', 'auditbeat-*'],
+        },
+        kibanaDataViews: [
+          {
+            ...mockGlobalState.sourcerer.defaultDataView,
+            title: `auditbeat-*,packetbeat-*`,
+            patternList: ['packetbeat-*', 'auditbeat-*'],
+          },
+        ],
+      },
+    };
+    const { storage } = createSecuritySolutionStorageMock();
+    const store = createStore(state, SUB_PLUGINS_REDUCER, kibanaObservable, storage);
+    await act(async () => {
+      const { result, waitForNextUpdate } = renderHook(() => useSignalHelpers(), {
+        wrapper: ({ children }) => <TestProviders store={store}>{children}</TestProviders>,
+      });
+      await waitForNextUpdate();
+      expect(result.current.signalIndexNeedsInit).toEqual(true);
+      expect(result.current.pollForSignalIndex).toEqual(undefined);
+    });
+  });
+  test('Init happened and signal index does not have data yet, poll function becomes available', async () => {
+    const state: State = {
+      ...mockGlobalState,
+      sourcerer: {
+        ...mockGlobalState.sourcerer,
+        defaultDataView: {
+          ...mockGlobalState.sourcerer.defaultDataView,
+          title: `auditbeat-*,packetbeat-*,${mockGlobalState.sourcerer.signalIndexName}`,
+          patternList: ['packetbeat-*', 'auditbeat-*'],
+        },
+        kibanaDataViews: [
+          {
+            ...mockGlobalState.sourcerer.defaultDataView,
+            title: `auditbeat-*,packetbeat-*,${mockGlobalState.sourcerer.signalIndexName}`,
+            patternList: ['packetbeat-*', 'auditbeat-*'],
+          },
+        ],
+      },
+    };
+    const { storage } = createSecuritySolutionStorageMock();
+    const store = createStore(state, SUB_PLUGINS_REDUCER, kibanaObservable, storage);
+    await act(async () => {
+      const { result, waitForNextUpdate } = renderHook(() => useSignalHelpers(), {
+        wrapper: ({ children }) => <TestProviders store={store}>{children}</TestProviders>,
+      });
+      await waitForNextUpdate();
+      expect(result.current.signalIndexNeedsInit).toEqual(false);
+      expect(result.current.pollForSignalIndex).not.toEqual(undefined);
+    });
+  });
+});
diff --git a/x-pack/plugins/security_solution/public/common/containers/sourcerer/use_signal_helpers.tsx b/x-pack/plugins/security_solution/public/common/containers/sourcerer/use_signal_helpers.tsx
new file mode 100644
index 0000000000000..602997361f38b
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/common/containers/sourcerer/use_signal_helpers.tsx
@@ -0,0 +1,92 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { useCallback, useMemo, useRef } from 'react';
+import { i18n } from '@kbn/i18n';
+import { useDispatch } from 'react-redux';
+import { sourcererSelectors } from '../../store';
+import { useDeepEqualSelector } from '../../hooks/use_selector';
+import { useSourcererDataView } from '.';
+import { SourcererScopeName } from '../../store/sourcerer/model';
+import { postSourcererDataView } from './api';
+import { sourcererActions } from '../../store/sourcerer';
+import { useDataView } from '../source/use_data_view';
+import { useAppToasts } from '../../hooks/use_app_toasts';
+
+export const useSignalHelpers = (): {
+  /* when defined, signal index has been initiated but does not exist */
+  pollForSignalIndex?: () => void;
+  /* when false, signal index has been initiated */
+  signalIndexNeedsInit: boolean;
+} => {
+  const { indicesExist } = useSourcererDataView(SourcererScopeName.detections);
+  const { indexFieldsSearch } = useDataView();
+  const dispatch = useDispatch();
+  const { addError } = useAppToasts();
+  const abortCtrl = useRef(new AbortController());
+
+  const getDefaultDataViewSelector = useMemo(
+    () => sourcererSelectors.defaultDataViewSelector(),
+    []
+  );
+  const getSignalIndexNameSelector = useMemo(
+    () => sourcererSelectors.signalIndexNameSelector(),
+    []
+  );
+  const signalIndexNameSourcerer = useDeepEqualSelector(getSignalIndexNameSelector);
+  const defaultDataView = useDeepEqualSelector(getDefaultDataViewSelector);
+
+  const signalIndexNeedsInit = useMemo(
+    () => !defaultDataView.title.includes(`${signalIndexNameSourcerer}`),
+    [defaultDataView.title, signalIndexNameSourcerer]
+  );
+  const shouldWePollForIndex = useMemo(
+    () => !indicesExist && !signalIndexNeedsInit,
+    [indicesExist, signalIndexNeedsInit]
+  );
+
+  const pollForSignalIndex = useCallback(() => {
+    const asyncSearch = async () => {
+      abortCtrl.current = new AbortController();
+      try {
+        const response = await postSourcererDataView({
+          body: { patternList: defaultDataView.title.split(',') },
+          signal: abortCtrl.current.signal,
+        });
+
+        if (
+          signalIndexNameSourcerer !== null &&
+          response.defaultDataView.patternList.includes(signalIndexNameSourcerer)
+        ) {
+          // first time signals is defined and validated in the sourcerer
+          // redo indexFieldsSearch
+          indexFieldsSearch(response.defaultDataView.id);
+          dispatch(sourcererActions.setSourcererDataViews(response));
+        }
+      } catch (err) {
+        addError(err, {
+          title: i18n.translate('xpack.securitySolution.sourcerer.error.title', {
+            defaultMessage: 'Error updating Security Data View',
+          }),
+          toastMessage: i18n.translate('xpack.securitySolution.sourcerer.error.toastMessage', {
+            defaultMessage: 'Refresh the page',
+          }),
+        });
+      }
+    };
+
+    if (signalIndexNameSourcerer !== null) {
+      abortCtrl.current.abort();
+      asyncSearch();
+    }
+  }, [addError, defaultDataView.title, dispatch, indexFieldsSearch, signalIndexNameSourcerer]);
+
+  return {
+    ...(shouldWePollForIndex ? { pollForSignalIndex } : {}),
+    signalIndexNeedsInit,
+  };
+};
diff --git a/x-pack/plugins/security_solution/public/common/lib/keury/index.ts b/x-pack/plugins/security_solution/public/common/lib/keury/index.ts
index 1e7574cdae26d..b9f2f9a297bce 100644
--- a/x-pack/plugins/security_solution/public/common/lib/keury/index.ts
+++ b/x-pack/plugins/security_solution/public/common/lib/keury/index.ts
@@ -14,12 +14,12 @@ import {
   buildEsQuery,
   toElasticsearchQuery,
   fromKueryExpression,
-  IndexPatternBase,
+  DataViewBase,
 } from '@kbn/es-query';
 
 export const convertKueryToElasticSearchQuery = (
   kueryExpression: string,
-  indexPattern?: IndexPatternBase
+  indexPattern?: DataViewBase
 ) => {
   try {
     return kueryExpression
@@ -30,10 +30,7 @@ export const convertKueryToElasticSearchQuery = (
   }
 };
 
-export const convertKueryToDslFilter = (
-  kueryExpression: string,
-  indexPattern: IndexPatternBase
-) => {
+export const convertKueryToDslFilter = (kueryExpression: string, indexPattern: DataViewBase) => {
   try {
     return kueryExpression
       ? toElasticsearchQuery(fromKueryExpression(kueryExpression), indexPattern)
@@ -75,7 +72,7 @@ export const convertToBuildEsQuery = ({
   filters,
 }: {
   config: EsQueryConfig;
-  indexPattern: IndexPatternBase;
+  indexPattern: DataViewBase;
   queries: Query[];
   filters: Filter[];
 }): [string, undefined] | [undefined, Error] => {
diff --git a/x-pack/plugins/security_solution/public/common/mock/global_state.ts b/x-pack/plugins/security_solution/public/common/mock/global_state.ts
index cb6536d585c1e..2d804392580d0 100644
--- a/x-pack/plugins/security_solution/public/common/mock/global_state.ts
+++ b/x-pack/plugins/security_solution/public/common/mock/global_state.ts
@@ -26,6 +26,8 @@ import {
   DEFAULT_INTERVAL_TYPE,
   DEFAULT_INTERVAL_VALUE,
   DEFAULT_INDEX_PATTERN,
+  DEFAULT_DATA_VIEW_ID,
+  DEFAULT_SIGNALS_INDEX,
 } from '../../../common/constants';
 import { networkModel } from '../../network/store';
 import { uebaModel } from '../../ueba/store';
@@ -33,9 +35,30 @@ import { TimelineType, TimelineStatus, TimelineTabs } from '../../../common/type
 import { mockManagementState } from '../../management/store/reducer';
 import { ManagementState } from '../../management/types';
 import { initialSourcererState, SourcererScopeName } from '../store/sourcerer/model';
-import { mockBrowserFields, mockDocValueFields } from '../containers/source/mock';
-import { mockIndexPattern } from './index_pattern';
 import { allowedExperimentalValues } from '../../../common/experimental_features';
+import { getScopePatternListSelection } from '../store/sourcerer/helpers';
+import {
+  mockBrowserFields,
+  mockDocValueFields,
+  mockIndexFields,
+  mockRuntimeMappings,
+} from '../containers/source/mock';
+
+export const mockSourcererState = {
+  ...initialSourcererState,
+  signalIndexName: `${DEFAULT_SIGNALS_INDEX}-spacename`,
+  defaultDataView: {
+    ...initialSourcererState.defaultDataView,
+    browserFields: mockBrowserFields,
+    docValueFields: mockDocValueFields,
+    id: DEFAULT_DATA_VIEW_ID,
+    indexFields: mockIndexFields,
+    loading: false,
+    patternList: [...DEFAULT_INDEX_PATTERN, `${DEFAULT_SIGNALS_INDEX}-spacename`],
+    runtimeMappings: mockRuntimeMappings,
+    title: [...DEFAULT_INDEX_PATTERN, `${DEFAULT_SIGNALS_INDEX}-spacename`].join(','),
+  },
+};
 
 export const mockGlobalState: State = {
   app: {
@@ -241,6 +264,7 @@ export const mockGlobalState: State = {
       test: {
         activeTab: TimelineTabs.query,
         prevActiveTab: TimelineTabs.notes,
+        dataViewId: DEFAULT_DATA_VIEW_ID,
         deletedEventIds: [],
         documentType: '',
         queryFields: [],
@@ -294,24 +318,48 @@ export const mockGlobalState: State = {
     insertTimeline: null,
   },
   sourcerer: {
-    ...initialSourcererState,
+    ...mockSourcererState,
+    defaultDataView: {
+      ...mockSourcererState.defaultDataView,
+      title: `${mockSourcererState.defaultDataView.title},fakebeat-*`,
+    },
+    kibanaDataViews: [
+      {
+        ...mockSourcererState.defaultDataView,
+        title: `${mockSourcererState.defaultDataView.title},fakebeat-*`,
+      },
+    ],
     sourcererScopes: {
-      ...initialSourcererState.sourcererScopes,
+      ...mockSourcererState.sourcererScopes,
       [SourcererScopeName.default]: {
-        ...initialSourcererState.sourcererScopes[SourcererScopeName.default],
-        selectedPatterns: DEFAULT_INDEX_PATTERN,
-        browserFields: mockBrowserFields,
-        indexPattern: mockIndexPattern,
-        docValueFields: mockDocValueFields,
-        loading: false,
+        ...mockSourcererState.sourcererScopes[SourcererScopeName.default],
+        selectedDataViewId: mockSourcererState.defaultDataView.id,
+        selectedPatterns: getScopePatternListSelection(
+          mockSourcererState.defaultDataView,
+          SourcererScopeName.default,
+          mockSourcererState.signalIndexName,
+          true
+        ),
+      },
+      [SourcererScopeName.detections]: {
+        ...mockSourcererState.sourcererScopes[SourcererScopeName.detections],
+        selectedDataViewId: mockSourcererState.defaultDataView.id,
+        selectedPatterns: getScopePatternListSelection(
+          mockSourcererState.defaultDataView,
+          SourcererScopeName.detections,
+          mockSourcererState.signalIndexName,
+          true
+        ),
       },
       [SourcererScopeName.timeline]: {
-        ...initialSourcererState.sourcererScopes[SourcererScopeName.timeline],
-        selectedPatterns: DEFAULT_INDEX_PATTERN,
-        browserFields: mockBrowserFields,
-        indexPattern: mockIndexPattern,
-        docValueFields: mockDocValueFields,
-        loading: false,
+        ...mockSourcererState.sourcererScopes[SourcererScopeName.timeline],
+        selectedDataViewId: mockSourcererState.defaultDataView.id,
+        selectedPatterns: getScopePatternListSelection(
+          mockSourcererState.defaultDataView,
+          SourcererScopeName.timeline,
+          mockSourcererState.signalIndexName,
+          true
+        ),
       },
     },
   },
diff --git a/x-pack/plugins/security_solution/public/common/mock/index_pattern.ts b/x-pack/plugins/security_solution/public/common/mock/index_pattern.ts
index d19d6ee734654..a03976f0f7e76 100644
--- a/x-pack/plugins/security_solution/public/common/mock/index_pattern.ts
+++ b/x-pack/plugins/security_solution/public/common/mock/index_pattern.ts
@@ -5,9 +5,9 @@
  * 2.0.
  */
 
-import { IIndexPattern } from '../../../../../../src/plugins/data/common';
+import { SecuritySolutionDataViewBase } from '../types';
 
-export const mockIndexPattern: IIndexPattern = {
+export const mockIndexPattern: SecuritySolutionDataViewBase = {
   fields: [
     {
       name: '@timestamp',
diff --git a/x-pack/plugins/security_solution/public/common/mock/timeline_results.ts b/x-pack/plugins/security_solution/public/common/mock/timeline_results.ts
index 80899324fe92f..a6c16a82deca0 100644
--- a/x-pack/plugins/security_solution/public/common/mock/timeline_results.ts
+++ b/x-pack/plugins/security_solution/public/common/mock/timeline_results.ts
@@ -1955,6 +1955,7 @@ export const mockTimelineModel: TimelineModel = {
   columns: mockTimelineModelColumns,
   defaultColumns: mockTimelineModelColumns,
   dataProviders: [],
+  dataViewId: '',
   dateRange: {
     end: '2020-03-18T13:52:38.929Z',
     start: '2020-03-18T13:46:38.929Z',
@@ -2091,6 +2092,7 @@ export const defaultTimelineProps: CreateTimelineProps = {
         queryMatch: { field: '_id', operator: ':', value: '1' },
       },
     ],
+    dataViewId: '',
     dateRange: { end: '2018-11-05T19:03:25.937Z', start: '2018-11-05T18:58:25.937Z' },
     deletedEventIds: [],
     description: '',
diff --git a/x-pack/plugins/security_solution/public/common/store/reducer.test.ts b/x-pack/plugins/security_solution/public/common/store/reducer.test.ts
index 6b4d61035258d..1cbf08c354b33 100644
--- a/x-pack/plugins/security_solution/public/common/store/reducer.test.ts
+++ b/x-pack/plugins/security_solution/public/common/store/reducer.test.ts
@@ -5,10 +5,15 @@
  * 2.0.
  */
 
-import { parseExperimentalConfigValue } from '../../..//common/experimental_features';
+import { parseExperimentalConfigValue } from '../../../common/experimental_features';
 import { SecuritySubPlugins } from '../../app/types';
 import { createInitialState } from './reducer';
+import { mockSourcererState } from '../mock';
+import { useSourcererDataView } from '../containers/sourcerer';
+import { useDeepEqualSelector } from '../hooks/use_selector';
+import { renderHook } from '@testing-library/react-hooks';
 
+jest.mock('../hooks/use_selector');
 jest.mock('../lib/kibana', () => ({
   KibanaServices: {
     get: jest.fn(() => ({ uiSettings: { get: () => ({ from: 'now-24h', to: 'now' }) } })),
@@ -21,26 +26,38 @@ describe('createInitialState', () => {
       SecuritySubPlugins['store']['initialState'],
       'app' | 'dragAndDrop' | 'inputs' | 'sourcerer'
     >;
-    test('indicesExist should be TRUE if configIndexPatterns is NOT empty', () => {
-      const initState = createInitialState(mockPluginState, {
-        kibanaIndexPatterns: [{ id: '1234567890987654321', title: 'mock-kibana' }],
-        configIndexPatterns: ['auditbeat-*', 'filebeat'],
-        signalIndexName: 'siem-signals-default',
-        enableExperimental: parseExperimentalConfigValue([]),
-      });
+    const defaultState = {
+      defaultDataView: mockSourcererState.defaultDataView,
+      enableExperimental: parseExperimentalConfigValue([]),
+      kibanaDataViews: [mockSourcererState.defaultDataView],
+      signalIndexName: 'siem-signals-default',
+    };
+    const initState = createInitialState(mockPluginState, defaultState);
+    beforeEach(() => {
+      (useDeepEqualSelector as jest.Mock).mockImplementation((cb) => cb(initState));
+    });
+    afterEach(() => {
+      (useDeepEqualSelector as jest.Mock).mockClear();
+    });
 
-      expect(initState.sourcerer?.sourcererScopes.default.indicesExist).toEqual(true);
+    test('indicesExist should be TRUE if configIndexPatterns is NOT empty', async () => {
+      const { result } = renderHook(() => useSourcererDataView());
+      expect(result.current.indicesExist).toEqual(true);
     });
 
     test('indicesExist should be FALSE if configIndexPatterns is empty', () => {
-      const initState = createInitialState(mockPluginState, {
-        kibanaIndexPatterns: [{ id: '1234567890987654321', title: 'mock-kibana' }],
-        configIndexPatterns: [],
-        signalIndexName: 'siem-signals-default',
-        enableExperimental: parseExperimentalConfigValue([]),
+      const state = createInitialState(mockPluginState, {
+        ...defaultState,
+        defaultDataView: {
+          ...defaultState.defaultDataView,
+          id: '',
+          title: '',
+          patternList: [],
+        },
       });
-
-      expect(initState.sourcerer?.sourcererScopes.default.indicesExist).toEqual(false);
+      (useDeepEqualSelector as jest.Mock).mockImplementation((cb) => cb(state));
+      const { result } = renderHook(() => useSourcererDataView());
+      expect(result.current.indicesExist).toEqual(false);
     });
   });
 });
diff --git a/x-pack/plugins/security_solution/public/common/store/reducer.ts b/x-pack/plugins/security_solution/public/common/store/reducer.ts
index 4a6009b2e41a8..9faa00ae20bb8 100644
--- a/x-pack/plugins/security_solution/public/common/store/reducer.ts
+++ b/x-pack/plugins/security_solution/public/common/store/reducer.ts
@@ -21,15 +21,15 @@ import { SecuritySubPlugins } from '../../app/types';
 import { ManagementPluginReducer } from '../../management';
 import { State } from './types';
 import { AppAction } from './actions';
-import { KibanaIndexPatterns } from './sourcerer/model';
+import { initDataView, SourcererModel, SourcererScopeName } from './sourcerer/model';
 import { ExperimentalFeatures } from '../../../common/experimental_features';
+import { getScopePatternListSelection } from './sourcerer/helpers';
 
 export type SubPluginsInitReducer = HostsPluginReducer &
   UebaPluginReducer &
   NetworkPluginReducer &
   TimelinePluginReducer &
   ManagementPluginReducer;
-
 /**
  * Factory for the 'initialState' that is used to preload state into the Security App's redux store.
  */
@@ -39,17 +39,38 @@ export const createInitialState = (
     'app' | 'dragAndDrop' | 'inputs' | 'sourcerer'
   >,
   {
-    kibanaIndexPatterns,
-    configIndexPatterns,
+    defaultDataView,
+    kibanaDataViews,
     signalIndexName,
     enableExperimental,
   }: {
-    kibanaIndexPatterns: KibanaIndexPatterns;
-    configIndexPatterns: string[];
-    signalIndexName: string | null;
+    defaultDataView: SourcererModel['defaultDataView'];
+    kibanaDataViews: SourcererModel['kibanaDataViews'];
+    signalIndexName: SourcererModel['signalIndexName'];
     enableExperimental: ExperimentalFeatures;
   }
 ): State => {
+  const initialPatterns = {
+    [SourcererScopeName.default]: getScopePatternListSelection(
+      defaultDataView,
+      SourcererScopeName.default,
+      signalIndexName,
+      true
+    ),
+    [SourcererScopeName.detections]: getScopePatternListSelection(
+      defaultDataView,
+      SourcererScopeName.detections,
+      signalIndexName,
+      true
+    ),
+    [SourcererScopeName.timeline]: getScopePatternListSelection(
+      defaultDataView,
+      SourcererScopeName.timeline,
+      signalIndexName,
+      true
+    ),
+  };
+
   const preloadedState: State = {
     ...pluginsInitState,
     app: { ...initialAppState, enableExperimental },
@@ -59,13 +80,24 @@ export const createInitialState = (
       ...sourcererModel.initialSourcererState,
       sourcererScopes: {
         ...sourcererModel.initialSourcererState.sourcererScopes,
-        default: {
+        [SourcererScopeName.default]: {
           ...sourcererModel.initialSourcererState.sourcererScopes.default,
-          indicesExist: configIndexPatterns.length > 0,
+          selectedDataViewId: defaultDataView.id,
+          selectedPatterns: initialPatterns[SourcererScopeName.default],
+        },
+        [SourcererScopeName.detections]: {
+          ...sourcererModel.initialSourcererState.sourcererScopes.detections,
+          selectedDataViewId: defaultDataView.id,
+          selectedPatterns: initialPatterns[SourcererScopeName.detections],
+        },
+        [SourcererScopeName.timeline]: {
+          ...sourcererModel.initialSourcererState.sourcererScopes.timeline,
+          selectedDataViewId: defaultDataView.id,
+          selectedPatterns: initialPatterns[SourcererScopeName.timeline],
         },
       },
-      kibanaIndexPatterns,
-      configIndexPatterns,
+      defaultDataView,
+      kibanaDataViews: kibanaDataViews.map((dataView) => ({ ...initDataView, ...dataView })),
       signalIndexName,
     },
   };
diff --git a/x-pack/plugins/security_solution/public/common/store/sourcerer/actions.ts b/x-pack/plugins/security_solution/public/common/store/sourcerer/actions.ts
index 5162776d3ddf5..aa0689de9cca3 100644
--- a/x-pack/plugins/security_solution/public/common/store/sourcerer/actions.ts
+++ b/x-pack/plugins/security_solution/public/common/store/sourcerer/actions.ts
@@ -8,35 +8,39 @@
 import actionCreatorFactory from 'typescript-fsa';
 import { TimelineEventsType } from '../../../../common/types/timeline';
 
-import { KibanaIndexPatterns, ManageScopeInit, SourcererScopeName } from './model';
+import { SourcererDataView, SourcererScopeName } from './model';
+import { SecurityDataView } from '../../containers/sourcerer/api';
 
 const actionCreator = actionCreatorFactory('x-pack/security_solution/local/sourcerer');
 
-export const setSource = actionCreator<{
-  id: SourcererScopeName;
-  payload: ManageScopeInit;
-}>('SET_SOURCE');
+export const setDataView = actionCreator<{
+  browserFields: SourcererDataView['browserFields'];
+  docValueFields: SourcererDataView['docValueFields'];
+  id: SourcererDataView['id'];
+  indexFields: SourcererDataView['indexFields'];
+  loading: SourcererDataView['loading'];
+  runtimeMappings: SourcererDataView['runtimeMappings'];
+}>('SET_DATA_VIEW');
 
-export const setIndexPatternsList = actionCreator<{
-  kibanaIndexPatterns: KibanaIndexPatterns;
-  configIndexPatterns: string[];
-}>('SET_INDEX_PATTERNS_LIST');
+export const setDataViewLoading = actionCreator<{
+  id: string;
+  loading: boolean;
+}>('SET_DATA_VIEW_LOADING');
 
 export const setSignalIndexName =
   actionCreator<{ signalIndexName: string }>('SET_SIGNAL_INDEX_NAME');
 
-export const setSourcererScopeLoading = actionCreator<{ id: SourcererScopeName; loading: boolean }>(
-  'SET_SOURCERER_SCOPE_LOADING'
-);
+export const setSourcererDataViews = actionCreator<SecurityDataView>('SET_SOURCERER_DATA_VIEWS');
 
-export const setSelectedIndexPatterns = actionCreator<{
-  id: SourcererScopeName;
-  selectedPatterns: string[];
-  eventType?: TimelineEventsType;
-}>('SET_SELECTED_INDEX_PATTERNS');
+export const setSourcererScopeLoading = actionCreator<{
+  id?: SourcererScopeName;
+  loading: boolean;
+}>('SET_SOURCERER_SCOPE_LOADING');
 
-export const initTimelineIndexPatterns = actionCreator<{
+export interface SelectedDataViewPayload {
   id: SourcererScopeName;
+  selectedDataViewId: string;
   selectedPatterns: string[];
   eventType?: TimelineEventsType;
-}>('INIT_TIMELINE_INDEX_PATTERNS');
+}
+export const setSelectedDataView = actionCreator<SelectedDataViewPayload>('SET_SELECTED_DATA_VIEW');
diff --git a/x-pack/plugins/security_solution/public/common/store/sourcerer/helpers.test.ts b/x-pack/plugins/security_solution/public/common/store/sourcerer/helpers.test.ts
index f498cb640317a..83a556442f849 100644
--- a/x-pack/plugins/security_solution/public/common/store/sourcerer/helpers.test.ts
+++ b/x-pack/plugins/security_solution/public/common/store/sourcerer/helpers.test.ts
@@ -5,58 +5,242 @@
  * 2.0.
  */
 
-import { createDefaultIndexPatterns, Args } from './helpers';
-import { initialSourcererState, SourcererScopeName } from './model';
+import { mockGlobalState } from '../../mock';
+import { SourcererScopeName } from './model';
+import {
+  defaultDataViewByEventType,
+  getScopePatternListSelection,
+  validateSelectedPatterns,
+} from './helpers';
 
-let defaultArgs: Args = {
-  eventType: 'all',
-  id: SourcererScopeName.default,
-  selectedPatterns: ['auditbeat-*', 'packetbeat-*'],
-  state: {
-    ...initialSourcererState,
-    configIndexPatterns: ['filebeat-*', 'auditbeat-*', 'packetbeat-*'],
-    kibanaIndexPatterns: [{ id: '123', title: 'journalbeat-*' }],
-    signalIndexName: 'signals-*',
-  },
+const signalIndexName = mockGlobalState.sourcerer.signalIndexName;
+
+const dataView = {
+  ...mockGlobalState.sourcerer.defaultDataView,
+  title: `auditbeat-*,packetbeat-*,${signalIndexName}`,
+  patternList: ['packetbeat-*', 'auditbeat-*', `${signalIndexName}`],
 };
-const eventTypes: Array<Args['eventType']> = ['all', 'raw', 'alert', 'signal', 'custom'];
-const ids: Array<Args['id']> = [
-  SourcererScopeName.default,
-  SourcererScopeName.detections,
-  SourcererScopeName.timeline,
-];
-describe('createDefaultIndexPatterns', () => {
-  ids.forEach((id) => {
-    eventTypes.forEach((et) => {
-      describe(`id: ${id}, eventType: ${et}`, () => {
-        beforeEach(() => {
-          defaultArgs = {
-            ...defaultArgs,
-            id,
-            eventType: et,
-          };
+const patternListNoSignals = mockGlobalState.sourcerer.defaultDataView.patternList
+  .filter((p) => p !== signalIndexName)
+  .sort();
+const patternListSignals = [
+  signalIndexName,
+  ...mockGlobalState.sourcerer.defaultDataView.patternList.filter((p) => p !== signalIndexName),
+].sort();
+
+describe('sourcerer store helpers', () => {
+  describe('getScopePatternListSelection', () => {
+    it('is not a default data view, returns patternList sorted', () => {
+      const result = getScopePatternListSelection(
+        {
+          ...dataView,
+          id: '1234',
+        },
+        SourcererScopeName.default,
+        signalIndexName,
+        false
+      );
+      expect(result).toEqual([`${signalIndexName}`, 'auditbeat-*', 'packetbeat-*']);
+    });
+    it('default data view, SourcererScopeName.timeline, returns patternList sorted', () => {
+      const result = getScopePatternListSelection(
+        dataView,
+        SourcererScopeName.timeline,
+        signalIndexName,
+        true
+      );
+      expect(result).toEqual([signalIndexName, 'auditbeat-*', 'packetbeat-*']);
+    });
+    it('default data view, SourcererScopeName.default, returns patternList sorted without signals index', () => {
+      const result = getScopePatternListSelection(
+        dataView,
+        SourcererScopeName.default,
+        signalIndexName,
+        true
+      );
+      expect(result).toEqual(['auditbeat-*', 'packetbeat-*']);
+    });
+    it('default data view, SourcererScopeName.detections, returns patternList with only signals index', () => {
+      const result = getScopePatternListSelection(
+        dataView,
+        SourcererScopeName.detections,
+        signalIndexName,
+        true
+      );
+      expect(result).toEqual([signalIndexName]);
+    });
+  });
+  describe('validateSelectedPatterns', () => {
+    const payload = {
+      id: SourcererScopeName.default,
+      selectedDataViewId: dataView.id,
+      selectedPatterns: ['auditbeat-*'],
+    };
+    it('sets selectedPattern', () => {
+      const result = validateSelectedPatterns(mockGlobalState.sourcerer, payload);
+      expect(result).toEqual({
+        [SourcererScopeName.default]: {
+          ...mockGlobalState.sourcerer.sourcererScopes[SourcererScopeName.default],
+          selectedPatterns: ['auditbeat-*'],
+        },
+      });
+    });
+    it('sets to default when empty array is passed and scope is default', () => {
+      const result = validateSelectedPatterns(mockGlobalState.sourcerer, {
+        ...payload,
+        selectedPatterns: [],
+      });
+      expect(result).toEqual({
+        [SourcererScopeName.default]: {
+          ...mockGlobalState.sourcerer.sourcererScopes[SourcererScopeName.default],
+          selectedPatterns: patternListNoSignals,
+        },
+      });
+    });
+    it('sets to default when empty array is passed and scope is detections', () => {
+      const result = validateSelectedPatterns(mockGlobalState.sourcerer, {
+        ...payload,
+        id: SourcererScopeName.detections,
+        selectedPatterns: [],
+      });
+      expect(result).toEqual({
+        [SourcererScopeName.detections]: {
+          ...mockGlobalState.sourcerer.sourcererScopes[SourcererScopeName.detections],
+          selectedDataViewId: dataView.id,
+          selectedPatterns: [signalIndexName],
+        },
+      });
+    });
+    it('sets to default when empty array is passed and scope is timeline', () => {
+      const result = validateSelectedPatterns(mockGlobalState.sourcerer, {
+        ...payload,
+        id: SourcererScopeName.timeline,
+        selectedPatterns: [],
+      });
+      expect(result).toEqual({
+        [SourcererScopeName.timeline]: {
+          ...mockGlobalState.sourcerer.sourcererScopes[SourcererScopeName.timeline],
+          selectedDataViewId: dataView.id,
+          selectedPatterns: [
+            signalIndexName,
+            ...mockGlobalState.sourcerer.defaultDataView.patternList.filter(
+              (p) => p !== signalIndexName
+            ),
+          ].sort(),
+        },
+      });
+    });
+    describe('handles missing dataViewId, 7.16 -> 8.0', () => {
+      it('selectedPatterns.length > 0 & all selectedPatterns exist in defaultDataView, set dataViewId to defaultDataView.id', () => {
+        const result = validateSelectedPatterns(mockGlobalState.sourcerer, {
+          ...payload,
+          id: SourcererScopeName.timeline,
+          selectedDataViewId: '',
+          selectedPatterns: [
+            mockGlobalState.sourcerer.defaultDataView.patternList[3],
+            mockGlobalState.sourcerer.defaultDataView.patternList[4],
+          ],
         });
-        it('Selected patterns', () => {
-          const result = createDefaultIndexPatterns(defaultArgs);
-          expect(result).toEqual(['auditbeat-*', 'packetbeat-*']);
+        expect(result).toEqual({
+          [SourcererScopeName.timeline]: {
+            ...mockGlobalState.sourcerer.sourcererScopes[SourcererScopeName.timeline],
+            selectedDataViewId: dataView.id,
+            selectedPatterns: [
+              mockGlobalState.sourcerer.defaultDataView.patternList[3],
+              mockGlobalState.sourcerer.defaultDataView.patternList[4],
+            ],
+          },
         });
-        it('No selected patterns', () => {
-          const newArgs = {
-            ...defaultArgs,
-            selectedPatterns: [],
-          };
-          const result = createDefaultIndexPatterns(newArgs);
-          if (
-            id === SourcererScopeName.detections ||
-            (id === SourcererScopeName.timeline && (et === 'alert' || et === 'signal'))
-          ) {
-            expect(result).toEqual(['signals-*']);
-          } else if (id === SourcererScopeName.timeline && et === 'all') {
-            expect(result).toEqual(['filebeat-*', 'auditbeat-*', 'packetbeat-*', 'signals-*']);
-          } else {
-            expect(result).toEqual(['filebeat-*', 'auditbeat-*', 'packetbeat-*']);
-          }
+      });
+      it('selectedPatterns.length > 0 & a pattern in selectedPatterns does not exist in defaultDataView, set dataViewId to null', () => {
+        const result = validateSelectedPatterns(mockGlobalState.sourcerer, {
+          ...payload,
+          id: SourcererScopeName.timeline,
+          selectedDataViewId: '',
+          selectedPatterns: [
+            mockGlobalState.sourcerer.defaultDataView.patternList[3],
+            'journalbeat-*',
+          ],
         });
+        expect(result).toEqual({
+          [SourcererScopeName.timeline]: {
+            ...mockGlobalState.sourcerer.sourcererScopes[SourcererScopeName.timeline],
+            selectedDataViewId: null,
+            selectedPatterns: [
+              mockGlobalState.sourcerer.defaultDataView.patternList[3],
+              'journalbeat-*',
+            ],
+          },
+        });
+      });
+    });
+  });
+  describe('defaultDataViewByEventType', () => {
+    it('defaults with no eventType', () => {
+      const result = defaultDataViewByEventType({ state: mockGlobalState.sourcerer });
+      expect(result).toEqual({
+        selectedDataViewId: dataView.id,
+        selectedPatterns: patternListSignals,
+      });
+    });
+    it('defaults with eventType: all', () => {
+      const result = defaultDataViewByEventType({
+        state: mockGlobalState.sourcerer,
+        eventType: 'all',
+      });
+      expect(result).toEqual({
+        selectedDataViewId: dataView.id,
+        selectedPatterns: patternListSignals,
+      });
+    });
+    it('defaults with eventType: raw', () => {
+      const result = defaultDataViewByEventType({
+        state: mockGlobalState.sourcerer,
+        eventType: 'raw',
+      });
+      expect(result).toEqual({
+        selectedDataViewId: dataView.id,
+        selectedPatterns: patternListNoSignals,
+      });
+    });
+    it('defaults with eventType: alert', () => {
+      const result = defaultDataViewByEventType({
+        state: mockGlobalState.sourcerer,
+        eventType: 'alert',
+      });
+      expect(result).toEqual({
+        selectedDataViewId: dataView.id,
+        selectedPatterns: [signalIndexName],
+      });
+    });
+    it('defaults with eventType: signal', () => {
+      const result = defaultDataViewByEventType({
+        state: mockGlobalState.sourcerer,
+        eventType: 'signal',
+      });
+      expect(result).toEqual({
+        selectedDataViewId: dataView.id,
+        selectedPatterns: [signalIndexName],
+      });
+    });
+    it('defaults with eventType: custom', () => {
+      const result = defaultDataViewByEventType({
+        state: mockGlobalState.sourcerer,
+        eventType: 'custom',
+      });
+      expect(result).toEqual({
+        selectedDataViewId: dataView.id,
+        selectedPatterns: patternListSignals,
+      });
+    });
+    it('defaults with eventType: eql', () => {
+      const result = defaultDataViewByEventType({
+        state: mockGlobalState.sourcerer,
+        eventType: 'eql',
+      });
+      expect(result).toEqual({
+        selectedDataViewId: dataView.id,
+        selectedPatterns: patternListSignals,
       });
     });
   });
diff --git a/x-pack/plugins/security_solution/public/common/store/sourcerer/helpers.ts b/x-pack/plugins/security_solution/public/common/store/sourcerer/helpers.ts
index fd3a6f1fab3c1..1b4efa72127f3 100644
--- a/x-pack/plugins/security_solution/public/common/store/sourcerer/helpers.ts
+++ b/x-pack/plugins/security_solution/public/common/store/sourcerer/helpers.ts
@@ -6,8 +6,9 @@
  */
 
 import { isEmpty } from 'lodash';
-import { SourcererModel, SourcererScopeName } from './model';
-import { TimelineEventsType } from '../../../../common/types/timeline';
+import { SourcererDataView, SourcererModel, SourcererScopeById, SourcererScopeName } from './model';
+import { TimelineEventsType } from '../../../../common';
+import { SelectedDataViewPayload } from './actions';
 
 export interface Args {
   eventType?: TimelineEventsType;
@@ -15,40 +16,131 @@ export interface Args {
   selectedPatterns: string[];
   state: SourcererModel;
 }
-export const createDefaultIndexPatterns = ({ eventType, id, selectedPatterns, state }: Args) => {
-  const kibanaIndexPatterns = state.kibanaIndexPatterns.map((kip) => kip.title);
-  const newSelectedPatterns = selectedPatterns.filter(
-    (sp) =>
-      state.configIndexPatterns.includes(sp) ||
-      kibanaIndexPatterns.includes(sp) ||
-      (!isEmpty(state.signalIndexName) && state.signalIndexName === sp)
-  );
-  if (isEmpty(newSelectedPatterns)) {
-    let defaultIndexPatterns = state.configIndexPatterns;
-    if (id === SourcererScopeName.timeline && isEmpty(newSelectedPatterns)) {
-      defaultIndexPatterns = defaultIndexPatternByEventType({ state, eventType });
-    } else if (id === SourcererScopeName.detections && isEmpty(newSelectedPatterns)) {
-      defaultIndexPatterns = [state.signalIndexName ?? ''];
+
+export const getScopePatternListSelection = (
+  theDataView: SourcererDataView | undefined,
+  sourcererScope: SourcererScopeName,
+  signalIndexName: SourcererModel['signalIndexName'],
+  isDefaultDataView: boolean
+): string[] => {
+  const patternList: string[] =
+    theDataView != null && theDataView.id !== null ? theDataView.patternList : [];
+
+  if (!isDefaultDataView) {
+    return patternList.sort();
+  }
+  // when our SIEM data view is set, here are the defaults
+  switch (sourcererScope) {
+    case SourcererScopeName.default:
+      return patternList.filter((index) => index !== signalIndexName).sort();
+    case SourcererScopeName.detections:
+      // set to signalIndexName whether or not it exists yet in the patternList
+      return (signalIndexName != null ? [signalIndexName] : []).sort();
+    case SourcererScopeName.timeline:
+      return (
+        signalIndexName != null
+          ? [
+              // remove signalIndexName in case its already in there and add it whether or not it exists yet in the patternList
+              ...patternList.filter((index) => index !== signalIndexName),
+              signalIndexName,
+            ]
+          : patternList
+      ).sort();
+  }
+};
+
+export const validateSelectedPatterns = (
+  state: SourcererModel,
+  payload: SelectedDataViewPayload
+): Partial<SourcererScopeById> => {
+  const { id, eventType, ...rest } = payload;
+  let dataView = state.kibanaDataViews.find((p) => p.id === rest.selectedDataViewId);
+  // dedupe because these could come from a silly url or pre 8.0 timeline
+  const dedupePatterns = [...new Set(rest.selectedPatterns)];
+  let selectedPatterns =
+    dataView != null
+      ? dedupePatterns.filter(
+          (pattern) =>
+            // Typescript is being mean and telling me dataView could be undefined here
+            // so redoing the dataView != null check
+            (dataView != null && dataView.patternList.includes(pattern)) ||
+            // this is a hack, but sometimes signal index is deleted and is getting regenerated. it gets set before it is put in the dataView
+            state.signalIndexName == null
+        )
+      : // 7.16 -> 8.0 this will get hit because dataView == null
+        dedupePatterns;
+  if (selectedPatterns.length > 0 && dataView == null) {
+    // we have index patterns, but not a data view id
+    // find out if we have these index patterns in the defaultDataView
+    const areAllPatternsInDefault = selectedPatterns.every(
+      (pattern) => state.defaultDataView.title.indexOf(pattern) > -1
+    );
+    if (areAllPatternsInDefault) {
+      dataView = state.defaultDataView;
+      selectedPatterns = selectedPatterns.filter(
+        (pattern) => dataView != null && dataView.patternList.includes(pattern)
+      );
     }
-    return defaultIndexPatterns;
   }
-  return newSelectedPatterns;
+
+  // TO DO: Steph/sourcerer If dataView is still undefined here, create temporary dataView
+  // and prompt user to go create this dataView
+  // currently UI will take the undefined dataView and default to defaultDataView anyways
+  // this is a "strategically merged" bug ;)
+  // https://github.com/elastic/security-team/issues/1921
+
+  return {
+    [id]: {
+      ...state.sourcererScopes[id],
+      ...rest,
+      selectedDataViewId: dataView?.id ?? null,
+      selectedPatterns,
+      ...(isEmpty(selectedPatterns)
+        ? id === SourcererScopeName.timeline
+          ? defaultDataViewByEventType({ state, eventType })
+          : {
+              selectedPatterns: getScopePatternListSelection(
+                dataView ?? state.defaultDataView,
+                id,
+                state.signalIndexName,
+                (dataView ?? state.defaultDataView).id === state.defaultDataView.id
+              ),
+            }
+        : {}),
+      loading: false,
+    },
+  };
 };
 
-export const defaultIndexPatternByEventType = ({
+// TODO: Steph/sourcerer eventType will be alerts only, when ui updates delete raw
+export const defaultDataViewByEventType = ({
   state,
   eventType,
 }: {
   state: SourcererModel;
   eventType?: TimelineEventsType;
 }) => {
-  let defaultIndexPatterns = state.configIndexPatterns;
-  if (eventType === 'all' && !isEmpty(state.signalIndexName)) {
-    defaultIndexPatterns = [...state.configIndexPatterns, state.signalIndexName ?? ''];
+  const {
+    signalIndexName,
+    defaultDataView: { id, patternList },
+  } = state;
+  if (signalIndexName != null && (eventType === 'signal' || eventType === 'alert')) {
+    return {
+      selectedPatterns: [signalIndexName],
+      selectedDataViewId: id,
+    };
   } else if (eventType === 'raw') {
-    defaultIndexPatterns = state.configIndexPatterns;
-  } else if (!isEmpty(state.signalIndexName) && (eventType === 'signal' || eventType === 'alert')) {
-    defaultIndexPatterns = [state.signalIndexName ?? ''];
+    return {
+      selectedPatterns: patternList.filter((index) => index !== signalIndexName).sort(),
+      selectedDataViewId: id,
+    };
   }
-  return defaultIndexPatterns;
+  return {
+    selectedPatterns: [
+      // remove signalIndexName in case its already in there and add it whether or not it exists yet in the patternList
+      ...patternList.filter((index) => index !== signalIndexName),
+      signalIndexName,
+    ].sort(),
+    selectedDataViewId: id,
+  };
 };
diff --git a/x-pack/plugins/security_solution/public/common/store/sourcerer/model.ts b/x-pack/plugins/security_solution/public/common/store/sourcerer/model.ts
index 8f7fbd99f932d..a22a04d025d19 100644
--- a/x-pack/plugins/security_solution/public/common/store/sourcerer/model.ts
+++ b/x-pack/plugins/security_solution/public/common/store/sourcerer/model.ts
@@ -5,72 +5,133 @@
  * 2.0.
  */
 
-import { IIndexPattern } from '../../../../../../../src/plugins/data/common';
-import { DocValueFields } from '../../../../common/search_strategy/common';
+import { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import {
   BrowserFields,
+  DocValueFields,
   EMPTY_BROWSER_FIELDS,
   EMPTY_DOCVALUE_FIELD,
-  EMPTY_INDEX_PATTERN,
-} from '../../../../common/search_strategy/index_fields';
-
-export type ErrorModel = Error[];
-
+  EMPTY_INDEX_FIELDS,
+} from '../../../../../timelines/common';
+import { SecuritySolutionDataViewBase } from '../../types';
+/** Uniquely identifies a Sourcerer Scope */
 export enum SourcererScopeName {
   default = 'default',
   detections = 'detections',
   timeline = 'timeline',
 }
 
-export interface ManageScope {
-  browserFields: BrowserFields;
-  docValueFields: DocValueFields[];
-  errorMessage: string | null;
+/**
+ * Data related to each sourcerer scope
+ */
+export interface SourcererScope {
+  /** Uniquely identifies a Sourcerer Scope */
   id: SourcererScopeName;
-  indexPattern: Omit<IIndexPattern, 'fieldFormatMap'>;
-  indicesExist: boolean | undefined | null;
+  /** is an update being made to the sourcerer data view */
   loading: boolean;
+  /** selected data view id */
+  selectedDataViewId: string;
+  /** selected patterns within the data view */
   selectedPatterns: string[];
 }
 
-export interface ManageScopeInit extends Partial<ManageScope> {
-  id: SourcererScopeName;
+export type SourcererScopeById = Record<SourcererScopeName, SourcererScope>;
+
+export interface KibanaDataView {
+  /** Uniquely identifies a Kibana Data View */
+  id: string;
+  /**  list of active patterns that return data  */
+  patternList: string[];
+  /**
+   * title of Kibana Data View
+   * title also serves as "all pattern list", including inactive
+   * comma separated string
+   */
+  title: string;
 }
 
-export type SourcererScopeById = Record<SourcererScopeName | string, ManageScope>;
+/**
+ * DataView from Kibana + timelines/index_fields enhanced field data
+ */
+export interface SourcererDataView extends KibanaDataView {
+  /** we need this for @timestamp data */
+  browserFields: BrowserFields;
+  /** we need this for @timestamp data */
+  docValueFields: DocValueFields[];
+  /** comes from dataView.fields.toSpec() */
+  indexFields: SecuritySolutionDataViewBase['fields'];
+  /** set when data view fields are fetched */
+  loading: boolean;
+  /**
+   * Needed to pass to search strategy
+   * Remove once issue resolved: https://github.com/elastic/kibana/issues/111762
+   */
+  runtimeMappings: MappingRuntimeFields;
+}
 
-export type KibanaIndexPatterns = Array<{ id: string; title: string }>;
+/**
+ * Combined data from SourcererDataView and SourcererScope to create
+ * selected data view state
+ */
+export interface SelectedDataView {
+  browserFields: SourcererDataView['browserFields'];
+  dataViewId: SourcererDataView['id'];
+  docValueFields: SourcererDataView['docValueFields'];
+  /**
+   * DataViewBase with enhanced index fields used in timelines
+   */
+  indexPattern: SecuritySolutionDataViewBase;
+  /** do the selected indices exist  */
+  indicesExist: boolean;
+  /** is an update being made to the data view */
+  loading: boolean;
+  /** all active & inactive patterns from SourcererDataView['title']  */
+  patternList: string[];
+  runtimeMappings: SourcererDataView['runtimeMappings'];
+  /** all selected patterns from SourcererScope['selectedPatterns']  */
+  selectedPatterns: string[];
+}
 
-// ManageSourcerer
+/**
+ * sourcerer model for redux
+ */
 export interface SourcererModel {
-  kibanaIndexPatterns: KibanaIndexPatterns;
-  configIndexPatterns: string[];
+  /** default security-solution data view */
+  defaultDataView: SourcererDataView & { error?: unknown };
+  /** all Kibana data views, including security-solution */
+  kibanaDataViews: SourcererDataView[];
+  /** security solution signals index name */
   signalIndexName: string | null;
+  /** sourcerer scope data by id */
   sourcererScopes: SourcererScopeById;
 }
 
-export const initSourcererScope: Pick<
-  ManageScope,
-  | 'browserFields'
-  | 'docValueFields'
-  | 'errorMessage'
-  | 'indexPattern'
-  | 'indicesExist'
-  | 'loading'
-  | 'selectedPatterns'
-> = {
+export type SourcererUrlState = Partial<{
+  [id in SourcererScopeName]: {
+    id: string;
+    selectedPatterns: string[];
+  };
+}>;
+
+export const initSourcererScope: Omit<SourcererScope, 'id'> = {
+  loading: false,
+  selectedDataViewId: '',
+  selectedPatterns: [],
+};
+export const initDataView = {
   browserFields: EMPTY_BROWSER_FIELDS,
   docValueFields: EMPTY_DOCVALUE_FIELD,
-  errorMessage: null,
-  indexPattern: EMPTY_INDEX_PATTERN,
-  indicesExist: true,
+  id: '',
+  indexFields: EMPTY_INDEX_FIELDS,
   loading: false,
-  selectedPatterns: [],
+  patternList: [],
+  runtimeMappings: {},
+  title: '',
 };
 
 export const initialSourcererState: SourcererModel = {
-  kibanaIndexPatterns: [],
-  configIndexPatterns: [],
+  defaultDataView: initDataView,
+  kibanaDataViews: [],
   signalIndexName: null,
   sourcererScopes: {
     [SourcererScopeName.default]: {
@@ -87,8 +148,3 @@ export const initialSourcererState: SourcererModel = {
     },
   },
 };
-
-export type FSourcererScopePatterns = {
-  [id in SourcererScopeName]: string[];
-};
-export type SourcererScopePatterns = Partial<FSourcererScopePatterns>;
diff --git a/x-pack/plugins/security_solution/public/common/store/sourcerer/reducer.ts b/x-pack/plugins/security_solution/public/common/store/sourcerer/reducer.ts
index 662671e1dda3a..e1747a6786cdb 100644
--- a/x-pack/plugins/security_solution/public/common/store/sourcerer/reducer.ts
+++ b/x-pack/plugins/security_solution/public/common/store/sourcerer/reducer.ts
@@ -5,83 +5,89 @@
  * 2.0.
  */
 
-import { isEmpty } from 'lodash/fp';
 import { reducerWithInitialState } from 'typescript-fsa-reducers';
 
 import {
-  setIndexPatternsList,
+  setSourcererDataViews,
   setSourcererScopeLoading,
-  setSelectedIndexPatterns,
+  setSelectedDataView,
   setSignalIndexName,
-  setSource,
-  initTimelineIndexPatterns,
+  setDataView,
+  setDataViewLoading,
 } from './actions';
-import { initialSourcererState, SourcererModel } from './model';
-import { createDefaultIndexPatterns, defaultIndexPatternByEventType } from './helpers';
+import { initDataView, initialSourcererState, SourcererModel, SourcererScopeName } from './model';
+import { validateSelectedPatterns } from './helpers';
 
 export type SourcererState = SourcererModel;
 
 export const sourcererReducer = reducerWithInitialState(initialSourcererState)
-  .case(setIndexPatternsList, (state, { kibanaIndexPatterns, configIndexPatterns }) => ({
-    ...state,
-    kibanaIndexPatterns,
-    configIndexPatterns,
-  }))
   .case(setSignalIndexName, (state, { signalIndexName }) => ({
     ...state,
     signalIndexName,
   }))
+  .case(setDataViewLoading, (state, { id, loading }) => ({
+    ...state,
+    ...(id === state.defaultDataView.id
+      ? {
+          defaultDataView: { ...state.defaultDataView, loading },
+        }
+      : {}),
+    kibanaDataViews: state.kibanaDataViews.map((dv) => (dv.id === id ? { ...dv, loading } : dv)),
+  }))
+  .case(setSourcererDataViews, (state, { defaultDataView, kibanaDataViews }) => ({
+    ...state,
+    defaultDataView: {
+      ...state.defaultDataView,
+      ...defaultDataView,
+    },
+    kibanaDataViews: kibanaDataViews.map((dataView) => ({
+      ...(state.kibanaDataViews.find(({ id }) => id === dataView.id) ?? initDataView),
+      ...dataView,
+    })),
+  }))
   .case(setSourcererScopeLoading, (state, { id, loading }) => ({
     ...state,
     sourcererScopes: {
       ...state.sourcererScopes,
-      [id]: {
-        ...state.sourcererScopes[id],
-        loading,
-      },
+      ...(id != null
+        ? {
+            [id]: {
+              ...state.sourcererScopes[id],
+              loading,
+            },
+          }
+        : {
+            [SourcererScopeName.default]: {
+              ...state.sourcererScopes[SourcererScopeName.default],
+              loading,
+            },
+            [SourcererScopeName.detections]: {
+              ...state.sourcererScopes[SourcererScopeName.detections],
+              loading,
+            },
+            [SourcererScopeName.timeline]: {
+              ...state.sourcererScopes[SourcererScopeName.timeline],
+              loading,
+            },
+          }),
     },
   }))
-  .case(setSelectedIndexPatterns, (state, { id, selectedPatterns, eventType }) => {
-    return {
-      ...state,
-      sourcererScopes: {
-        ...state.sourcererScopes,
-        [id]: {
-          ...state.sourcererScopes[id],
-          selectedPatterns: createDefaultIndexPatterns({ eventType, id, selectedPatterns, state }),
-        },
-      },
-    };
-  })
-  .case(initTimelineIndexPatterns, (state, { id, selectedPatterns, eventType }) => {
-    return {
-      ...state,
-      sourcererScopes: {
-        ...state.sourcererScopes,
-        [id]: {
-          ...state.sourcererScopes[id],
-          selectedPatterns: isEmpty(selectedPatterns)
-            ? defaultIndexPatternByEventType({ state, eventType })
-            : selectedPatterns,
-        },
-      },
-    };
-  })
-
-  .case(setSource, (state, { id, payload }) => {
-    const { ...sourcererScopes } = payload;
-    return {
-      ...state,
-      sourcererScopes: {
-        ...state.sourcererScopes,
-        [id]: {
-          ...state.sourcererScopes[id],
-          ...sourcererScopes,
-          ...(state.sourcererScopes[id].selectedPatterns.length === 0
-            ? { selectedPatterns: state.configIndexPatterns }
-            : {}),
-        },
-      },
-    };
-  })
+  .case(setSelectedDataView, (state, payload) => ({
+    ...state,
+    sourcererScopes: {
+      ...state.sourcererScopes,
+      ...validateSelectedPatterns(state, payload),
+    },
+  }))
+  .case(setDataView, (state, dataView) => ({
+    ...state,
+    ...(dataView.id === state.defaultDataView.id
+      ? {
+          defaultDataView: { ...state.defaultDataView, ...dataView },
+        }
+      : {}),
+    kibanaDataViews: state.kibanaDataViews.map((dv) =>
+      dv.id === dataView.id ? { ...dv, ...dataView } : dv
+    ),
+  }))
   .build();
diff --git a/x-pack/plugins/security_solution/public/common/store/sourcerer/selectors.test.ts b/x-pack/plugins/security_solution/public/common/store/sourcerer/selectors.test.ts
deleted file mode 100644
index 1edda4f997cdf..0000000000000
--- a/x-pack/plugins/security_solution/public/common/store/sourcerer/selectors.test.ts
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { cloneDeep } from 'lodash/fp';
-import { mockGlobalState } from '../../mock';
-import { SourcererScopeName } from './model';
-import { getSourcererScopeSelector } from './selectors';
-
-describe('Sourcerer selectors', () => {
-  describe('getSourcererScopeSelector', () => {
-    it('Should exclude elastic cloud alias when selected patterns include "logs-*" as an alias', () => {
-      const mapStateToProps = getSourcererScopeSelector();
-      expect(mapStateToProps(mockGlobalState, SourcererScopeName.default).selectedPatterns).toEqual(
-        [
-          'apm-*-transaction*',
-          'auditbeat-*',
-          'endgame-*',
-          'filebeat-*',
-          'logs-*',
-          'packetbeat-*',
-          'traces-apm*',
-          'winlogbeat-*',
-          '-*elastic-cloud-logs-*',
-        ]
-      );
-    });
-
-    it('Should NOT exclude elastic cloud alias when selected patterns does NOT include "logs-*" as an alias', () => {
-      const mapStateToProps = getSourcererScopeSelector();
-      const myMockGlobalState = cloneDeep(mockGlobalState);
-      myMockGlobalState.sourcerer.sourcererScopes.default.selectedPatterns =
-        myMockGlobalState.sourcerer.sourcererScopes.default.selectedPatterns.filter(
-          (index) => !index.includes('logs-*')
-        );
-      expect(
-        mapStateToProps(myMockGlobalState, SourcererScopeName.default).selectedPatterns
-      ).toEqual([
-        'apm-*-transaction*',
-        'auditbeat-*',
-        'endgame-*',
-        'filebeat-*',
-        'packetbeat-*',
-        'traces-apm*',
-        'winlogbeat-*',
-      ]);
-    });
-
-    it('Should NOT exclude elastic cloud alias when selected patterns include "logs-endpoint.event-*" as an alias', () => {
-      const mapStateToProps = getSourcererScopeSelector();
-      const myMockGlobalState = cloneDeep(mockGlobalState);
-      myMockGlobalState.sourcerer.sourcererScopes.default.selectedPatterns = [
-        ...myMockGlobalState.sourcerer.sourcererScopes.default.selectedPatterns.filter(
-          (index) => !index.includes('logs-*')
-        ),
-        'logs-endpoint.event-*',
-      ];
-      expect(
-        mapStateToProps(myMockGlobalState, SourcererScopeName.default).selectedPatterns
-      ).toEqual([
-        'apm-*-transaction*',
-        'auditbeat-*',
-        'endgame-*',
-        'filebeat-*',
-        'logs-endpoint.event-*',
-        'packetbeat-*',
-        'traces-apm*',
-        'winlogbeat-*',
-      ]);
-    });
-  });
-});
diff --git a/x-pack/plugins/security_solution/public/common/store/sourcerer/selectors.ts b/x-pack/plugins/security_solution/public/common/store/sourcerer/selectors.ts
index 53702bcf23b89..b72d7bfde2dcc 100644
--- a/x-pack/plugins/security_solution/public/common/store/sourcerer/selectors.ts
+++ b/x-pack/plugins/security_solution/public/common/store/sourcerer/selectors.ts
@@ -5,24 +5,34 @@
  * 2.0.
  */
 
-import memoizeOne from 'memoize-one';
 import { createSelector } from 'reselect';
 import { State } from '../types';
-import { SourcererScopeById, ManageScope, KibanaIndexPatterns, SourcererScopeName } from './model';
-
-export const sourcererKibanaIndexPatternsSelector = ({ sourcerer }: State): KibanaIndexPatterns =>
-  sourcerer.kibanaIndexPatterns;
+import {
+  SourcererDataView,
+  SourcererModel,
+  SourcererScope,
+  SourcererScopeById,
+  SourcererScopeName,
+} from './model';
+
+export const sourcererKibanaDataViewsSelector = ({
+  sourcerer,
+}: State): SourcererModel['kibanaDataViews'] => sourcerer.kibanaDataViews;
 
 export const sourcererSignalIndexNameSelector = ({ sourcerer }: State): string | null =>
   sourcerer.signalIndexName;
 
-export const sourcererConfigIndexPatternsSelector = ({ sourcerer }: State): string[] =>
-  sourcerer.configIndexPatterns;
+export const sourcererDefaultDataViewSelector = ({
+  sourcerer,
+}: State): SourcererModel['defaultDataView'] => sourcerer.defaultDataView;
+
+export const dataViewSelector = ({ sourcerer }: State, id: string): SourcererDataView =>
+  sourcerer.kibanaDataViews.find((dataView) => dataView.id === id) ?? sourcerer.defaultDataView;
 
 export const sourcererScopeIdSelector = (
   { sourcerer }: State,
   scopeId: SourcererScopeName
-): ManageScope => sourcerer.sourcererScopes[scopeId];
+): SourcererScope => sourcerer.sourcererScopes[scopeId];
 
 export const scopeIdSelector = () => createSelector(sourcererScopeIdSelector, (scope) => scope);
 
@@ -31,85 +41,43 @@ export const sourcererScopesSelector = ({ sourcerer }: State): SourcererScopeByI
 
 export const scopesSelector = () => createSelector(sourcererScopesSelector, (scopes) => scopes);
 
-export const kibanaIndexPatternsSelector = () =>
-  createSelector(
-    sourcererKibanaIndexPatternsSelector,
-    (kibanaIndexPatterns) => kibanaIndexPatterns
-  );
+export const kibanaDataViewsSelector = () =>
+  createSelector(sourcererKibanaDataViewsSelector, (dataViews) => dataViews);
 
 export const signalIndexNameSelector = () =>
   createSelector(sourcererSignalIndexNameSelector, (signalIndexName) => signalIndexName);
 
-export const configIndexPatternsSelector = () =>
-  createSelector(
-    sourcererConfigIndexPatternsSelector,
-    (configIndexPatterns) => configIndexPatterns
-  );
+export const defaultDataViewSelector = () =>
+  createSelector(sourcererDefaultDataViewSelector, (dataViews) => dataViews);
 
-export const getIndexNamesSelectedSelector = () => {
-  const getScopeSelector = scopeIdSelector();
-  const getConfigIndexPatternsSelector = configIndexPatternsSelector();
+export const sourcererDataViewSelector = () =>
+  createSelector(dataViewSelector, (dataView) => dataView);
 
-  const mapStateToProps = (
-    state: State,
-    scopeId: SourcererScopeName
-  ): { indexNames: string[]; previousIndexNames: string } => {
-    const scope = getScopeSelector(state, scopeId);
-    const configIndexPatterns = getConfigIndexPatternsSelector(state);
-    return {
-      indexNames:
-        scope.selectedPatterns.length === 0 ? configIndexPatterns : scope.selectedPatterns,
-      previousIndexNames: scope.indexPattern.title,
-    };
-  };
-  return mapStateToProps;
-};
+export interface SourcererScopeSelector extends Omit<SourcererModel, 'sourcererScopes'> {
+  sourcererDataView: SourcererDataView;
+  sourcererScope: SourcererScope;
+}
 
-export const getAllExistingIndexNamesSelector = () => {
+export const getSourcererScopeSelector = () => {
+  const getKibanaDataViewsSelector = kibanaDataViewsSelector();
+  const getDefaultDataViewSelector = defaultDataViewSelector();
   const getSignalIndexNameSelector = signalIndexNameSelector();
-  const getConfigIndexPatternsSelector = configIndexPatternsSelector();
+  const getSourcererDataViewSelector = sourcererDataViewSelector();
+  const getScopeSelector = scopeIdSelector();
 
-  const mapStateToProps = (state: State): string[] => {
+  return (state: State, scopeId: SourcererScopeName): SourcererScopeSelector => {
+    const kibanaDataViews = getKibanaDataViewsSelector(state);
+    const defaultDataView = getDefaultDataViewSelector(state);
     const signalIndexName = getSignalIndexNameSelector(state);
-    const configIndexPatterns = getConfigIndexPatternsSelector(state);
-
-    return signalIndexName != null
-      ? [...configIndexPatterns, signalIndexName]
-      : configIndexPatterns;
-  };
-
-  return mapStateToProps;
-};
-
-const EXCLUDE_ELASTIC_CLOUD_INDEX = '-*elastic-cloud-logs-*';
-
-export const getSourcererScopeSelector = () => {
-  const getScopeIdSelector = scopeIdSelector();
-  const getSelectedPatterns = memoizeOne((selectedPatternsStr: string): string[] => {
-    const selectedPatterns = selectedPatternsStr.length > 0 ? selectedPatternsStr.split(',') : [];
-    return selectedPatterns.some((index) => index === 'logs-*')
-      ? [...selectedPatterns, EXCLUDE_ELASTIC_CLOUD_INDEX]
-      : selectedPatterns;
-  });
-
-  const getIndexPattern = memoizeOne(
-    (indexPattern, title) => ({
-      ...indexPattern,
-      title,
-    }),
-    (newArgs, lastArgs) => newArgs[0] === lastArgs[0] && newArgs[1].length === lastArgs[1].length
-  );
-
-  const mapStateToProps = (state: State, scopeId: SourcererScopeName): ManageScope => {
-    const scope = getScopeIdSelector(state, scopeId);
-    const selectedPatterns = getSelectedPatterns(scope.selectedPatterns.sort().join());
-    const indexPattern = getIndexPattern(scope.indexPattern, selectedPatterns.join());
+    const scope = getScopeSelector(state, scopeId);
+    const sourcererDataView = getSourcererDataViewSelector(state, scope.selectedDataViewId);
 
     return {
-      ...scope,
-      selectedPatterns,
-      indexPattern,
+      defaultDataView,
+      kibanaDataViews,
+      signalIndexName,
+      sourcererDataView,
+      sourcererScope: scope,
     };
   };
-  return mapStateToProps;
 };
diff --git a/x-pack/plugins/security_solution/public/common/types.ts b/x-pack/plugins/security_solution/public/common/types.ts
index 7d7dab6e4fc3c..83a93769603e7 100644
--- a/x-pack/plugins/security_solution/public/common/types.ts
+++ b/x-pack/plugins/security_solution/public/common/types.ts
@@ -6,6 +6,9 @@
  */
 
 import { ResponseErrorAttributes } from 'kibana/server';
+import { DataViewBase } from '@kbn/es-query';
+import { FieldSpec } from '../../../../../src/plugins/data_views/common';
+
 export interface ServerApiError {
   statusCode: number;
   error: string;
@@ -16,3 +19,10 @@ export interface ServerApiError {
 export interface SecuritySolutionUiConfigType {
   enableExperimental: string[];
 }
+
+/**
+ * DataViewBase with enhanced index fields used in timelines
+ */
+export interface SecuritySolutionDataViewBase extends DataViewBase {
+  fields: FieldSpec[];
+}
diff --git a/x-pack/plugins/security_solution/public/common/utils/empty_view/use_show_pages_with_empty_view.test.tsx b/x-pack/plugins/security_solution/public/common/utils/empty_view/use_show_pages_with_empty_view.test.tsx
index 981f7e9e876ea..01dbfbed6a0c2 100644
--- a/x-pack/plugins/security_solution/public/common/utils/empty_view/use_show_pages_with_empty_view.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/utils/empty_view/use_show_pages_with_empty_view.test.tsx
@@ -16,7 +16,7 @@ jest.mock('../route/use_route_spy', () => ({
     .mockImplementationOnce(() => [{ pageName: 'network' }]),
 }));
 jest.mock('../../../common/containers/sourcerer', () => ({
-  useSourcererScope: jest
+  useSourcererDataView: jest
     .fn()
     .mockImplementationOnce(() => [{ indicesExist: false }])
     .mockImplementationOnce(() => [{ indicesExist: false }])
diff --git a/x-pack/plugins/security_solution/public/common/utils/empty_view/use_show_pages_with_empty_view.tsx b/x-pack/plugins/security_solution/public/common/utils/empty_view/use_show_pages_with_empty_view.tsx
index 10cc4be10a61b..f863cecffe3d6 100644
--- a/x-pack/plugins/security_solution/public/common/utils/empty_view/use_show_pages_with_empty_view.tsx
+++ b/x-pack/plugins/security_solution/public/common/utils/empty_view/use_show_pages_with_empty_view.tsx
@@ -8,7 +8,7 @@
 import { useState, useEffect } from 'react';
 import { useRouteSpy } from '../route/use_route_spy';
 import { SecurityPageName } from '../../../app/types';
-import { useSourcererScope } from '../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../containers/sourcerer';
 
 // Used to detect if we're on a top level page that is empty and set page background color to match the subdued Empty State
 const isPageNameWithEmptyView = (currentName: string) => {
@@ -23,7 +23,7 @@ const isPageNameWithEmptyView = (currentName: string) => {
 
 export const useShowPagesWithEmptyView = () => {
   const [{ pageName }] = useRouteSpy();
-  const { indicesExist } = useSourcererScope();
+  const { indicesExist } = useSourcererDataView();
 
   const shouldShowEmptyState = isPageNameWithEmptyView(pageName) && !indicesExist;
 
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx
index 835784031e065..a4660356b8630 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx
@@ -142,6 +142,7 @@ describe('alert actions', () => {
             ],
             defaultColumns: defaultHeaders,
             dataProviders: [],
+            dataViewId: '',
             dateRange: {
               end: '2018-11-05T19:03:25.937Z',
               start: '2018-11-05T18:58:25.937Z',
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/index.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/index.tsx
index 4bd516d0b1338..7777d075a4b9c 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/index.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/index.tsx
@@ -18,7 +18,7 @@ import {
   displaySuccessToast,
   useStateToaster,
 } from '../../../common/components/toasters';
-import { useSourcererScope } from '../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../../common/containers/sourcerer';
 import { useAppToasts } from '../../../common/hooks/use_app_toasts';
 import { useIsExperimentalFeatureEnabled } from '../../../common/hooks/use_experimental_features';
 import { useInvalidFilterQuery } from '../../../common/hooks/use_invalid_filter_query';
@@ -100,7 +100,7 @@ export const AlertsTableComponent: React.FC<AlertsTableComponentProps> = ({
     indexPattern: indexPatterns,
     loading: indexPatternsLoading,
     selectedPatterns,
-  } = useSourcererScope(SourcererScopeName.detections);
+  } = useSourcererDataView(SourcererScopeName.detections);
   const kibana = useKibana();
   const [, dispatchToaster] = useStateToaster();
   const { addWarning } = useAppToasts();
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/autocomplete_field/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/autocomplete_field/index.tsx
index 22fabcd15b194..91dbadbb209e1 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/autocomplete_field/index.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/autocomplete_field/index.tsx
@@ -8,14 +8,14 @@
 import React, { useCallback, useMemo } from 'react';
 import { EuiFormRow } from '@elastic/eui';
 import { FieldComponent } from '@kbn/securitysolution-autocomplete';
-import { IndexPatternBase, IndexPatternFieldBase } from '@kbn/es-query';
+import { DataViewBase, DataViewFieldBase } from '@kbn/es-query';
 import { FieldHook } from '../../../../../../../../src/plugins/es_ui_shared/static/forms/hook_form_lib';
 
 interface AutocompleteFieldProps {
   dataTestSubj: string;
   field: FieldHook;
   idAria: string;
-  indices: IndexPatternBase;
+  indices: DataViewBase;
   isDisabled: boolean;
   fieldType: string;
   placeholder?: string;
@@ -31,7 +31,7 @@ export const AutocompleteField = ({
   placeholder,
 }: AutocompleteFieldProps) => {
   const handleFieldChange = useCallback(
-    ([newField]: IndexPatternFieldBase[]): void => {
+    ([newField]: DataViewFieldBase[]): void => {
       // TODO: Update onChange type in FieldComponent as newField can be undefined
       field.setValue(newField?.name ?? '');
     },
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.test.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.test.tsx
index 62e787952aa73..1ab9f92bc6d80 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.test.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.test.tsx
@@ -14,8 +14,8 @@ import {
   esFilters,
   FilterManager,
   UI_SETTINGS,
-  IndexPattern,
 } from '../../../../../../../../src/plugins/data/public';
+import { DataViewBase } from '@kbn/es-query';
 import { SeverityBadge } from '../severity_badge';
 
 import * as i18n from './translations';
@@ -146,7 +146,7 @@ describe('helpers', () => {
           fields: [{ name: 'event.category', type: 'test type' }],
           title: 'test title',
           getFormatterForField: () => ({ convert: (val: unknown) => val }),
-        } as unknown as IndexPattern,
+        } as unknown as DataViewBase,
       });
       const wrapper = shallow<React.ReactElement>(result[0].description as React.ReactElement);
       const filterLabelComponent = wrapper.find(esFilters.FilterLabel).at(0);
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/index.tsx
index ab84f1a65cc4b..e403da9e49090 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/index.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/index.tsx
@@ -11,12 +11,8 @@ import React, { memo, useState } from 'react';
 import styled from 'styled-components';
 
 import { ThreatMapping, Threats, Type } from '@kbn/securitysolution-io-ts-alerting-types';
-import {
-  IIndexPattern,
-  Filter,
-  esFilters,
-  FilterManager,
-} from '../../../../../../../../src/plugins/data/public';
+import { DataViewBase } from '@kbn/es-query';
+import { Filter, esFilters, FilterManager } from '../../../../../../../../src/plugins/data/public';
 import { DEFAULT_TIMELINE_TITLE } from '../../../../timelines/components/timeline/translations';
 import { useKibana } from '../../../../common/lib/kibana';
 import { AboutStepRiskScore, AboutStepSeverity } from '../../../pages/detection_engine/rules/types';
@@ -55,7 +51,7 @@ const DescriptionListContainer = styled(EuiDescriptionList)`
 interface StepRuleDescriptionProps<T> {
   columns?: 'multi' | 'single' | 'singleSplit';
   data: unknown;
-  indexPatterns?: IIndexPattern;
+  indexPatterns?: DataViewBase;
   schema: FormSchema<T>;
 }
 
@@ -129,7 +125,7 @@ export const buildListItems = <T,>(
   data: unknown,
   schema: FormSchema<T>,
   filterManager: FilterManager,
-  indexPatterns?: IIndexPattern
+  indexPatterns?: DataViewBase
 ): ListItems[] =>
   Object.keys(schema).reduce<ListItems[]>(
     (acc, field) => [
@@ -161,7 +157,7 @@ export const getDescriptionItem = (
   label: string,
   data: unknown,
   filterManager: FilterManager,
-  indexPatterns?: IIndexPattern
+  indexPatterns?: DataViewBase
 ): ListItems[] => {
   if (field === 'queryBar') {
     const filters = addFilterStateIfNotThere(get('queryBar.filters', data) ?? []);
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/types.ts b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/types.ts
index dc5e7fea8e771..02c25e5c12bee 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/types.ts
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/types.ts
@@ -7,12 +7,8 @@
 
 import { ReactNode } from 'react';
 import { Threats } from '@kbn/securitysolution-io-ts-alerting-types';
-
-import {
-  IIndexPattern,
-  Filter,
-  FilterManager,
-} from '../../../../../../../../src/plugins/data/public';
+import { DataViewBase } from '@kbn/es-query';
+import { Filter, FilterManager } from '../../../../../../../../src/plugins/data/public';
 
 export interface ListItems {
   title: NonNullable<ReactNode>;
@@ -25,7 +21,7 @@ export interface BuildQueryBarDescription {
   filterManager: FilterManager;
   query: string;
   savedId: string;
-  indexPatterns?: IIndexPattern;
+  indexPatterns?: DataViewBase;
   queryLabel?: string;
 }
 
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/query_bar/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/query_bar/index.tsx
index 6bda4a0e0f6b8..42f92f8cb6ce1 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/query_bar/index.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/query_bar/index.tsx
@@ -10,14 +10,8 @@ import React, { useCallback, useEffect, useState } from 'react';
 import { Subscription } from 'rxjs';
 import styled from 'styled-components';
 import deepEqual from 'fast-deep-equal';
-
-import {
-  Filter,
-  IIndexPattern,
-  Query,
-  FilterManager,
-  SavedQuery,
-} from '../../../../../../../../src/plugins/data/public';
+import { DataViewBase, Filter, Query } from '@kbn/es-query';
+import { FilterManager, SavedQuery } from '../../../../../../../../src/plugins/data/public';
 
 import { BrowserFields } from '../../../../common/containers/source';
 import { OpenTimelineModal } from '../../../../timelines/components/open_timeline/open_timeline_modal';
@@ -43,7 +37,7 @@ interface QueryBarDefineRuleProps {
   field: FieldHook;
   idAria: string;
   isLoading: boolean;
-  indexPattern: IIndexPattern;
+  indexPattern: DataViewBase;
   onCloseTimelineSearch: () => void;
   openTimelineSearch: boolean;
   resizeParentContainer?: (height: number) => void;
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/index.tsx
index e9cbcb6c38268..fbeea64cae7da 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/index.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/index.tsx
@@ -21,7 +21,7 @@ import styled from 'styled-components';
 import { noop } from 'lodash/fp';
 import { RiskScoreMapping } from '@kbn/securitysolution-io-ts-alerting-types';
 import { FieldComponent } from '@kbn/securitysolution-autocomplete';
-import { IndexPatternBase, IndexPatternFieldBase } from '@kbn/es-query';
+import { DataViewBase, DataViewFieldBase } from '@kbn/es-query';
 import * as i18n from './translations';
 import { FieldHook } from '../../../../../../../../src/plugins/es_ui_shared/static/forms/hook_form_lib';
 import { AboutStepRiskScore } from '../../../pages/detection_engine/rules/types';
@@ -46,7 +46,7 @@ interface RiskScoreFieldProps {
   dataTestSubj: string;
   field: FieldHook<AboutStepRiskScore>;
   idAria: string;
-  indices: IndexPatternBase;
+  indices: DataViewBase;
   isDisabled: boolean;
   placeholder?: string;
 }
@@ -78,7 +78,7 @@ export const RiskScoreField = ({
   );
 
   const handleRiskScoreMappingChange = useCallback(
-    ([newField]: IndexPatternFieldBase[]): void => {
+    ([newField]: DataViewFieldBase[]): void => {
       setValue({
         value,
         isMappingChecked,
@@ -231,8 +231,8 @@ export const RiskScoreField = ({
 };
 
 /**
- * Looks for field metadata (IndexPatternFieldBase) in existing index pattern.
- * If specified field doesn't exist, returns a stub IndexPatternFieldBase created based on the mapping --
+ * Looks for field metadata (DataViewFieldBase) in existing index pattern.
+ * If specified field doesn't exist, returns a stub DataViewFieldBase created based on the mapping --
  * because the field might not have been indexed yet, but we still need to display the mapping.
  *
  * @param mapping Mapping of a specified field name to risk score.
@@ -240,8 +240,8 @@ export const RiskScoreField = ({
  */
 const getFieldTypeByMapping = (
   mapping: RiskScoreMapping,
-  pattern: IndexPatternBase
-): IndexPatternFieldBase => {
+  pattern: DataViewBase
+): DataViewFieldBase => {
   const field = mapping?.[0]?.field ?? '';
   const [knownFieldType] = pattern.fields.filter(({ name }) => field != null && field === name);
   return knownFieldType ?? { name: field, type: 'number' };
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/severity_mapping/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/severity_mapping/index.tsx
index 4eca6f32d0c1f..f6578fab0c5fb 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/severity_mapping/index.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/severity_mapping/index.tsx
@@ -29,7 +29,7 @@ import {
   AutocompleteFieldMatchComponent,
 } from '@kbn/securitysolution-autocomplete';
 
-import { IndexPatternBase, IndexPatternFieldBase } from '@kbn/es-query';
+import { DataViewBase, DataViewFieldBase } from '@kbn/es-query';
 import * as i18n from './translations';
 import { FieldHook } from '../../../../../../../../src/plugins/es_ui_shared/static/forms/hook_form_lib';
 import { SeverityOptionItem } from '../step_about_rule/data';
@@ -56,7 +56,7 @@ interface SeverityFieldProps {
   dataTestSubj: string;
   field: FieldHook<AboutStepSeverity>;
   idAria: string;
-  indices: IndexPatternBase;
+  indices: DataViewBase;
   isDisabled: boolean;
   options: SeverityOptionItem[];
 }
@@ -85,7 +85,7 @@ export const SeverityField = ({
   );
 
   const handleFieldChange = useCallback(
-    (index: number, severity: Severity, [newField]: IndexPatternFieldBase[]): void => {
+    (index: number, severity: Severity, [newField]: DataViewFieldBase[]): void => {
       const newMappingItems: SeverityMapping = [
         {
           ...mapping[index],
@@ -295,8 +295,8 @@ export const SeverityField = ({
 };
 
 /**
- * Looks for field metadata (IndexPatternFieldBase) in existing index pattern.
- * If specified field doesn't exist, returns a stub IndexPatternFieldBase created based on the mapping --
+ * Looks for field metadata (DataViewFieldBase) in existing index pattern.
+ * If specified field doesn't exist, returns a stub DataViewFieldBase created based on the mapping --
  * because the field might not have been indexed yet, but we still need to display the mapping.
  *
  * @param mapping Mapping of a specified field name + value to a certain severity value.
@@ -304,8 +304,8 @@ export const SeverityField = ({
  */
 const getFieldTypeByMapping = (
   mapping: SeverityMappingItem,
-  pattern: IndexPatternBase
-): IndexPatternFieldBase => {
+  pattern: DataViewBase
+): DataViewFieldBase => {
   const { field } = mapping;
   const [knownFieldType] = pattern.fields.filter(({ name }) => field === name);
   return knownFieldType ?? { name: field, type: 'string' };
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx
index 65528d86a4027..6471faf657fa0 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx
@@ -10,7 +10,6 @@ import React, { FC, memo, useCallback, useState, useEffect, useMemo } from 'reac
 import styled from 'styled-components';
 import { isEqual } from 'lodash';
 
-import { IndexPattern } from 'src/plugins/data/public';
 import {
   DEFAULT_INDEX_KEY,
   DEFAULT_THREAT_INDEX_KEY,
@@ -324,10 +323,10 @@ const StepDefineRuleComponent: FC<StepDefineRuleProps> = ({
     ({ threatMapping }) => (
       <ThreatMatchInput
         handleResetThreatIndices={handleResetThreatIndices}
-        indexPatterns={indexPatterns as IndexPattern}
+        indexPatterns={indexPatterns}
         threatBrowserFields={threatBrowserFields}
         threatIndexModified={threatIndexModified}
-        threatIndexPatterns={threatIndexPatterns as IndexPattern}
+        threatIndexPatterns={threatIndexPatterns}
         threatIndexPatternsLoading={threatIndexPatternsLoading}
         threatMapping={threatMapping}
         onValidityChange={setIsThreatQueryBarValid}
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/translations.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/translations.tsx
index 7b5342d85f82a..d41d36813dee2 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/translations.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/translations.tsx
@@ -21,20 +21,6 @@ export const INVALID_CUSTOM_QUERY = i18n.translate(
   }
 );
 
-export const CONFIG_INDICES = i18n.translate(
-  'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.indicesFromConfigDescription',
-  {
-    defaultMessage: 'Use Elasticsearch indices from Security Solution advanced settings',
-  }
-);
-
-export const CUSTOM_INDICES = i18n.translate(
-  'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.indicesCustomDescription',
-  {
-    defaultMessage: 'Provide custom list of indices',
-  }
-);
-
 export const INDEX_HELPER_TEXT = i18n.translate(
   'xpack.securitySolution.detectionEngine.createRule.stepDefineRule.indicesHelperDescription',
   {
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/threatmatch_input/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/threatmatch_input/index.tsx
index 73e9dcdd94c03..91158979a82c5 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/threatmatch_input/index.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/threatmatch_input/index.tsx
@@ -7,7 +7,7 @@
 
 import React, { useCallback, useEffect, useState } from 'react';
 import { EuiFlexGroup, EuiFlexItem, EuiSpacer, EuiFormRow } from '@elastic/eui';
-
+import { DataViewBase } from '@kbn/es-query';
 import { ThreatMapEntries } from '../../../../common/components/threat_match/types';
 import { ThreatMatchComponent } from '../../../../common/components/threat_match';
 import { BrowserField } from '../../../../common/containers/source';
@@ -21,7 +21,6 @@ import {
 import { DefineStepRule } from '../../../pages/detection_engine/rules/types';
 import { schema } from '../step_define_rule/schema';
 import { QueryBarDefineRule } from '../query_bar';
-import { IndexPattern } from '../../../../../../../../src/plugins/data/public';
 import * as i18n from '../step_define_rule/translations';
 import { MyLabelButton } from '../step_define_rule';
 
@@ -30,8 +29,8 @@ const CommonUseField = getUseField({ component: Field });
 interface ThreatMatchInputProps {
   threatMapping: FieldHook;
   threatBrowserFields: Readonly<Record<string, Partial<BrowserField>>>;
-  threatIndexPatterns: IndexPattern;
-  indexPatterns: IndexPattern;
+  threatIndexPatterns: DataViewBase;
+  indexPatterns: DataViewBase;
   threatIndexPatternsLoading: boolean;
   threatIndexModified: boolean;
   handleResetThreatIndices: () => void;
diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/detection_engine.test.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/detection_engine.test.tsx
index 0d0c51bc540b4..eeb22a2aa071c 100644
--- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/detection_engine.test.tsx
+++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/detection_engine.test.tsx
@@ -19,7 +19,7 @@ import {
 } from '../../../common/mock';
 import { DetectionEnginePage } from './detection_engine';
 import { useUserData } from '../../components/user_info';
-import { useSourcererScope } from '../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../../common/containers/sourcerer';
 import { createStore, State } from '../../../common/store';
 import { mockHistory, Router } from '../../../common/mock/router';
 import { mockTimelines } from '../../../common/mock/mock_timelines_plugin';
@@ -110,7 +110,7 @@ describe('DetectionEnginePageComponent', () => {
         canUserREAD: true,
       },
     ]);
-    (useSourcererScope as jest.Mock).mockReturnValue({
+    (useSourcererDataView as jest.Mock).mockReturnValue({
       indicesExist: true,
       indexPattern: {},
     });
diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/detection_engine.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/detection_engine.tsx
index ebda4f2b4232f..204387f4a241b 100644
--- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/detection_engine.tsx
+++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/detection_engine.tsx
@@ -66,7 +66,9 @@ import {
   buildShowBuildingBlockFilterRuleRegistry,
   buildThreatMatchFilter,
 } from '../../components/alerts_table/default_config';
-import { useSourcererScope } from '../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../../common/containers/sourcerer';
+import { useSignalHelpers } from '../../../common/containers/sourcerer/use_signal_helpers';
+
 import { SourcererScopeName } from '../../../common/store/sourcerer/model';
 import { NeedAdminForUpdateRulesCallOut } from '../../components/callouts/need_admin_for_update_callout';
 import { MissingPrivilegesCallOut } from '../../components/callouts/missing_privileges_callout';
@@ -78,7 +80,6 @@ import {
   FILTER_OPEN,
 } from '../../components/alerts_table/alerts_filter_group';
 import { EmptyPage } from '../../../common/components/empty_page';
-
 /**
  * Need a 100% height here to account for the graph/analyze tool, which sets no explicit height parameters, but fills the available space.
  */
@@ -235,7 +236,9 @@ const DetectionEnginePageComponent: React.FC<DetectionEngineComponentProps> = ({
     [setShowOnlyThreatIndicatorAlerts]
   );
 
-  const { indicesExist, indexPattern } = useSourcererScope(SourcererScopeName.detections);
+  const { indexPattern } = useSourcererDataView(SourcererScopeName.detections);
+
+  const { signalIndexNeedsInit, pollForSignalIndex } = useSignalHelpers();
 
   const onSkipFocusBeforeEventsTable = useCallback(() => {
     focusUtilityBarAction(containerElement.current);
@@ -291,35 +294,38 @@ const DetectionEnginePageComponent: React.FC<DetectionEngineComponentProps> = ({
     );
   }
 
-  if (!loading && (indicesExist === false || needsListsConfiguration)) {
+  if ((!loading && signalIndexNeedsInit) || needsListsConfiguration) {
     return (
       <SecuritySolutionPageWrapper>
         <DetectionEngineHeaderPage border title={i18n.PAGE_TITLE} />
         <DetectionEngineNoIndex
-          needsSignalsIndex={indicesExist === false}
+          needsSignalsIndex={signalIndexNeedsInit}
           needsListsIndex={needsListsConfiguration}
         />
       </SecuritySolutionPageWrapper>
     );
   }
-
   return (
     <>
       {hasEncryptionKey != null && !hasEncryptionKey && <NoApiIntegrationKeyCallOut />}
       <NeedAdminForUpdateRulesCallOut />
       <MissingPrivilegesCallOut />
-      {indicesExist && (hasIndexRead === false || canUserREAD === false) ? (
+      {!signalIndexNeedsInit && (hasIndexRead === false || canUserREAD === false) ? (
         <EmptyPage
           actions={emptyPageActions}
           message={i18n.ALERTS_FEATURE_NO_PERMISSIONS_MSG}
           data-test-subj="no_feature_permissions-alerts"
           title={i18n.FEATURE_NO_PERMISSIONS_TITLE}
         />
-      ) : indicesExist && hasIndexRead && canUserREAD ? (
+      ) : !signalIndexNeedsInit && hasIndexRead && canUserREAD ? (
         <StyledFullHeightContainer onKeyDown={onKeyDown} ref={containerElement}>
           <EuiWindowEvent event="resize" handler={noop} />
           <FiltersGlobal show={showGlobalFilters({ globalFullScreen, graphEventId })}>
-            <SiemSearchBar id="global" indexPattern={indexPattern} />
+            <SiemSearchBar
+              id="global"
+              pollForSignalIndex={pollForSignalIndex}
+              indexPattern={indexPattern}
+            />
           </FiltersGlobal>
           <SecuritySolutionPageWrapper
             noPadding={globalFullScreen}
diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.test.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.test.tsx
index 006e497a20a7b..9227de3462d0e 100644
--- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.test.tsx
@@ -23,7 +23,7 @@ import { useUserData } from '../../../../components/user_info';
 import { useRuleStatus } from '../../../../containers/detection_engine/rules';
 import { useRuleWithFallback } from '../../../../containers/detection_engine/rules/use_rule_with_fallback';
 
-import { useSourcererScope } from '../../../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../../../../common/containers/sourcerer';
 import { useParams } from 'react-router-dom';
 import { mockHistory, Router } from '../../../../../common/mock/router';
 
@@ -128,7 +128,7 @@ describe('RuleDetailsPageComponent', () => {
   beforeAll(() => {
     (useUserData as jest.Mock).mockReturnValue([{}]);
     (useParams as jest.Mock).mockReturnValue({});
-    (useSourcererScope as jest.Mock).mockReturnValue({
+    (useSourcererDataView as jest.Mock).mockReturnValue({
       indicesExist: true,
       indexPattern: {},
     });
diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.tsx
index ca71ac6783f59..9f56467043dd2 100644
--- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.tsx
+++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/index.tsx
@@ -60,7 +60,6 @@ import { DetectionEngineHeaderPage } from '../../../../components/detection_engi
 import { AlertsHistogramPanel } from '../../../../components/alerts_kpis/alerts_histogram_panel';
 import { AlertsTable } from '../../../../components/alerts_table';
 import { useUserData } from '../../../../components/user_info';
-import { OverviewEmpty } from '../../../../../overview/components/overview_empty';
 import { StepDefineRule } from '../../../../components/rules/step_define_rule';
 import { StepScheduleRule } from '../../../../components/rules/step_schedule_rule';
 import {
@@ -104,7 +103,7 @@ import {
 } from '../../../../../timelines/components/timeline/helpers';
 import { timelineActions, timelineSelectors } from '../../../../../timelines/store/timeline';
 import { timelineDefaults } from '../../../../../timelines/store/timeline/defaults';
-import { useSourcererScope } from '../../../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../../../../common/containers/sourcerer';
 import { SourcererScopeName } from '../../../../../common/store/sourcerer/model';
 import {
   getToolTipContent,
@@ -127,6 +126,7 @@ import {
   AlertsTableFilterGroup,
   FILTER_OPEN,
 } from '../../../../components/alerts_table/alerts_filter_group';
+import { useSignalHelpers } from '../../../../../common/containers/sourcerer/use_signal_helpers';
 
 /**
  * Need a 100% height here to account for the graph/analyze tool, which sets no explicit height parameters, but fills the available space.
@@ -218,6 +218,7 @@ const RuleDetailsPageComponent: React.FC<DetectionEngineComponentProps> = ({
     loading: ruleLoading,
     isExistingRule,
   } = useRuleWithFallback(ruleId);
+  const { pollForSignalIndex } = useSignalHelpers();
   const [loadingStatus, ruleStatus, fetchRuleStatus] = useRuleStatus(ruleId);
   const [currentStatus, setCurrentStatus] = useState<RuleInfoStatus | null>(
     ruleStatus?.current_status ?? null
@@ -623,8 +624,7 @@ const RuleDetailsPageComponent: React.FC<DetectionEngineComponentProps> = ({
     [setShowOnlyThreatIndicatorAlerts]
   );
 
-  const { indicesExist, indexPattern } = useSourcererScope(SourcererScopeName.detections);
-
+  const { indexPattern } = useSourcererDataView(SourcererScopeName.detections);
   const exceptionLists = useMemo((): {
     lists: ExceptionListIdentifiers[];
     allowedExceptionListTypes: ExceptionListTypeEnum[];
@@ -696,192 +696,188 @@ const RuleDetailsPageComponent: React.FC<DetectionEngineComponentProps> = ({
     <>
       <NeedAdminForUpdateRulesCallOut />
       <MissingPrivilegesCallOut />
-      {indicesExist ? (
-        <StyledFullHeightContainer onKeyDown={onKeyDown} ref={containerElement}>
-          <EuiWindowEvent event="resize" handler={noop} />
-          <FiltersGlobal show={showGlobalFilters({ globalFullScreen, graphEventId })}>
-            <SiemSearchBar id="global" indexPattern={indexPattern} />
-          </FiltersGlobal>
-
-          <SecuritySolutionPageWrapper noPadding={globalFullScreen}>
-            <Display show={!globalFullScreen}>
-              <DetectionEngineHeaderPage
-                backOptions={{
-                  path: getRulesUrl(),
-                  text: i18n.BACK_TO_RULES,
-                  pageId: SecurityPageName.rules,
-                  dataTestSubj: 'ruleDetailsBackToAllRules',
-                }}
-                border
-                subtitle={subTitle}
-                subtitle2={
-                  <>
-                    <EuiFlexGroup gutterSize="xs" alignItems="center" justifyContent="flexStart">
-                      <EuiFlexItem grow={false}>
-                        {statusI18n.STATUS}
-                        {':'}
-                      </EuiFlexItem>
-                      {ruleStatusInfo}
-                    </EuiFlexGroup>
-                  </>
-                }
-                title={title}
-                badgeOptions={badgeOptions}
-              >
-                <EuiFlexGroup alignItems="center">
-                  <EuiFlexItem grow={false}>
-                    <EuiToolTip
-                      position="top"
-                      content={getToolTipContent(rule, hasMlPermissions, hasActionsPrivileges)}
-                    >
-                      <EuiFlexGroup>
-                        <RuleSwitch
-                          id={rule?.id ?? '-1'}
-                          isDisabled={
-                            !isExistingRule ||
-                            !canEditRuleWithActions(rule, hasActionsPrivileges) ||
-                            !userHasPermissions(canUserCRUD) ||
-                            (!hasMlPermissions && !rule?.enabled)
-                          }
-                          enabled={isExistingRule && (rule?.enabled ?? false)}
-                          onChange={handleOnChangeEnabledRule}
-                        />
-                        <EuiFlexItem>{i18n.ACTIVATE_RULE}</EuiFlexItem>
-                      </EuiFlexGroup>
-                    </EuiToolTip>
-                  </EuiFlexItem>
-
-                  <EuiFlexItem grow={false}>
-                    <EuiFlexGroup alignItems="center" gutterSize="s" responsive={false}>
-                      <EuiFlexItem grow={false}>{editRule}</EuiFlexItem>
-                      <EuiFlexItem grow={false}>
-                        <RuleActionsOverflow
-                          rule={rule}
-                          userHasPermissions={isExistingRule && userHasPermissions(canUserCRUD)}
-                          canDuplicateRuleWithActions={canEditRuleWithActions(
-                            rule,
-                            hasActionsPrivileges
-                          )}
-                        />
-                      </EuiFlexItem>
+      <StyledFullHeightContainer onKeyDown={onKeyDown} ref={containerElement}>
+        <EuiWindowEvent event="resize" handler={noop} />
+        <FiltersGlobal show={showGlobalFilters({ globalFullScreen, graphEventId })}>
+          <SiemSearchBar
+            id="global"
+            pollForSignalIndex={pollForSignalIndex}
+            indexPattern={indexPattern}
+          />
+        </FiltersGlobal>
+
+        <SecuritySolutionPageWrapper noPadding={globalFullScreen}>
+          <Display show={!globalFullScreen}>
+            <DetectionEngineHeaderPage
+              backOptions={{
+                path: getRulesUrl(),
+                text: i18n.BACK_TO_RULES,
+                pageId: SecurityPageName.rules,
+                dataTestSubj: 'ruleDetailsBackToAllRules',
+              }}
+              border
+              subtitle={subTitle}
+              subtitle2={
+                <>
+                  <EuiFlexGroup gutterSize="xs" alignItems="center" justifyContent="flexStart">
+                    <EuiFlexItem grow={false}>
+                      {statusI18n.STATUS}
+                      {':'}
+                    </EuiFlexItem>
+                    {ruleStatusInfo}
+                  </EuiFlexGroup>
+                </>
+              }
+              title={title}
+              badgeOptions={badgeOptions}
+            >
+              <EuiFlexGroup alignItems="center">
+                <EuiFlexItem grow={false}>
+                  <EuiToolTip
+                    position="top"
+                    content={getToolTipContent(rule, hasMlPermissions, hasActionsPrivileges)}
+                  >
+                    <EuiFlexGroup>
+                      <RuleSwitch
+                        id={rule?.id ?? '-1'}
+                        isDisabled={
+                          !isExistingRule ||
+                          !canEditRuleWithActions(rule, hasActionsPrivileges) ||
+                          !userHasPermissions(canUserCRUD) ||
+                          (!hasMlPermissions && !rule?.enabled)
+                        }
+                        enabled={isExistingRule && (rule?.enabled ?? false)}
+                        onChange={handleOnChangeEnabledRule}
+                      />
+                      <EuiFlexItem>{i18n.ACTIVATE_RULE}</EuiFlexItem>
                     </EuiFlexGroup>
-                  </EuiFlexItem>
-                </EuiFlexGroup>
-              </DetectionEngineHeaderPage>
-              {ruleError}
-              {getLegacyUrlConflictCallout}
-              <EuiSpacer />
-              <EuiFlexGroup>
-                <EuiFlexItem data-test-subj="aboutRule" component="section" grow={1}>
-                  <StepAboutRuleToggleDetails
-                    loading={isLoading}
-                    stepData={aboutRuleData}
-                    stepDataDetails={modifiedAboutRuleDetailsData}
-                  />
+                  </EuiToolTip>
                 </EuiFlexItem>
 
-                <EuiFlexItem grow={1}>
-                  <EuiFlexGroup direction="column">
-                    <EuiFlexItem component="section" grow={1}>
-                      <StepPanel loading={isLoading} title={ruleI18n.DEFINITION}>
-                        {defineRuleData != null && (
-                          <StepDefineRule
-                            descriptionColumns="singleSplit"
-                            isReadOnlyView={true}
-                            isLoading={false}
-                            defaultValues={defineRuleData}
-                          />
+                <EuiFlexItem grow={false}>
+                  <EuiFlexGroup alignItems="center" gutterSize="s" responsive={false}>
+                    <EuiFlexItem grow={false}>{editRule}</EuiFlexItem>
+                    <EuiFlexItem grow={false}>
+                      <RuleActionsOverflow
+                        rule={rule}
+                        userHasPermissions={isExistingRule && userHasPermissions(canUserCRUD)}
+                        canDuplicateRuleWithActions={canEditRuleWithActions(
+                          rule,
+                          hasActionsPrivileges
                         )}
-                      </StepPanel>
-                    </EuiFlexItem>
-                    <EuiSpacer />
-                    <EuiFlexItem data-test-subj="schedule" component="section" grow={1}>
-                      <StepPanel loading={isLoading} title={ruleI18n.SCHEDULE}>
-                        {scheduleRuleData != null && (
-                          <StepScheduleRule
-                            descriptionColumns="singleSplit"
-                            isReadOnlyView={true}
-                            isLoading={false}
-                            defaultValues={scheduleRuleData}
-                          />
-                        )}
-                      </StepPanel>
+                      />
                     </EuiFlexItem>
                   </EuiFlexGroup>
                 </EuiFlexItem>
               </EuiFlexGroup>
-              <EuiSpacer />
-              {tabs}
-              <EuiSpacer />
-            </Display>
-            {ruleDetailTab === RuleDetailTabs.alerts && hasIndexRead && (
-              <>
-                <EuiFlexGroup alignItems="center" justifyContent="spaceBetween">
-                  <EuiFlexItem grow={false}>
-                    <AlertsTableFilterGroup
-                      status={filterGroup}
-                      onFilterGroupChanged={onFilterGroupChangedCallback}
-                    />
+            </DetectionEngineHeaderPage>
+            {ruleError}
+            {getLegacyUrlConflictCallout}
+            <EuiSpacer />
+            <EuiFlexGroup>
+              <EuiFlexItem data-test-subj="aboutRule" component="section" grow={1}>
+                <StepAboutRuleToggleDetails
+                  loading={isLoading}
+                  stepData={aboutRuleData}
+                  stepDataDetails={modifiedAboutRuleDetailsData}
+                />
+              </EuiFlexItem>
+
+              <EuiFlexItem grow={1}>
+                <EuiFlexGroup direction="column">
+                  <EuiFlexItem component="section" grow={1}>
+                    <StepPanel loading={isLoading} title={ruleI18n.DEFINITION}>
+                      {defineRuleData != null && (
+                        <StepDefineRule
+                          descriptionColumns="singleSplit"
+                          isReadOnlyView={true}
+                          isLoading={false}
+                          defaultValues={defineRuleData}
+                        />
+                      )}
+                    </StepPanel>
                   </EuiFlexItem>
-                  <EuiFlexItem grow={false}>
-                    {updatedAt &&
-                      timelinesUi.getLastUpdated({
-                        updatedAt: updatedAt || Date.now(),
-                        showUpdating,
-                      })}
+                  <EuiSpacer />
+                  <EuiFlexItem data-test-subj="schedule" component="section" grow={1}>
+                    <StepPanel loading={isLoading} title={ruleI18n.SCHEDULE}>
+                      {scheduleRuleData != null && (
+                        <StepScheduleRule
+                          descriptionColumns="singleSplit"
+                          isReadOnlyView={true}
+                          isLoading={false}
+                          defaultValues={scheduleRuleData}
+                        />
+                      )}
+                    </StepPanel>
                   </EuiFlexItem>
                 </EuiFlexGroup>
-                <EuiSpacer size="l" />
-                <Display show={!globalFullScreen}>
-                  <AlertsHistogramPanel
-                    filters={alertMergedFilters}
-                    query={query}
-                    signalIndexName={signalIndexName}
-                    defaultStackByOption={defaultRuleStackByOption}
-                    updateDateRange={updateDateRangeCallback}
-                  />
-                  <EuiSpacer />
-                </Display>
-                {ruleId != null && (
-                  <AlertsTable
-                    filterGroup={filterGroup}
-                    timelineId={TimelineId.detectionsRulesDetailsPage}
-                    defaultFilters={alertsTableDefaultFilters}
-                    hasIndexWrite={hasIndexWrite ?? false}
-                    hasIndexMaintenance={hasIndexMaintenance ?? false}
-                    from={from}
-                    loading={loading}
-                    showBuildingBlockAlerts={showBuildingBlockAlerts}
-                    showOnlyThreatIndicatorAlerts={showOnlyThreatIndicatorAlerts}
-                    onShowBuildingBlockAlertsChanged={onShowBuildingBlockAlertsChangedCallback}
-                    onShowOnlyThreatIndicatorAlertsChanged={onShowOnlyThreatIndicatorAlertsCallback}
-                    onRuleChange={refreshRule}
-                    to={to}
+              </EuiFlexItem>
+            </EuiFlexGroup>
+            <EuiSpacer />
+            {tabs}
+            <EuiSpacer />
+          </Display>
+          {ruleDetailTab === RuleDetailTabs.alerts && hasIndexRead && (
+            <>
+              <EuiFlexGroup alignItems="center" justifyContent="spaceBetween">
+                <EuiFlexItem grow={false}>
+                  <AlertsTableFilterGroup
+                    status={filterGroup}
+                    onFilterGroupChanged={onFilterGroupChangedCallback}
                   />
-                )}
-              </>
-            )}
-            {ruleDetailTab === RuleDetailTabs.exceptions && (
-              <ExceptionsViewer
-                ruleId={ruleId ?? ''}
-                ruleName={rule?.name ?? ''}
-                ruleIndices={ruleIndices}
-                availableListTypes={exceptionLists.allowedExceptionListTypes}
-                commentsAccordionId={'ruleDetailsTabExceptions'}
-                exceptionListsMeta={exceptionLists.lists}
-                onRuleChange={refreshRule}
-              />
-            )}
-            {ruleDetailTab === RuleDetailTabs.failures && <FailureHistory id={rule?.id} />}
-          </SecuritySolutionPageWrapper>
-        </StyledFullHeightContainer>
-      ) : (
-        <SecuritySolutionPageWrapper>
-          <DetectionEngineHeaderPage border title={i18n.PAGE_TITLE} />
-
-          <OverviewEmpty />
+                </EuiFlexItem>
+                <EuiFlexItem grow={false}>
+                  {updatedAt &&
+                    timelinesUi.getLastUpdated({
+                      updatedAt: updatedAt || Date.now(),
+                      showUpdating,
+                    })}
+                </EuiFlexItem>
+              </EuiFlexGroup>
+              <EuiSpacer size="l" />
+              <Display show={!globalFullScreen}>
+                <AlertsHistogramPanel
+                  filters={alertMergedFilters}
+                  query={query}
+                  signalIndexName={signalIndexName}
+                  defaultStackByOption={defaultRuleStackByOption}
+                  updateDateRange={updateDateRangeCallback}
+                />
+                <EuiSpacer />
+              </Display>
+              {ruleId != null && (
+                <AlertsTable
+                  filterGroup={filterGroup}
+                  timelineId={TimelineId.detectionsRulesDetailsPage}
+                  defaultFilters={alertsTableDefaultFilters}
+                  hasIndexWrite={hasIndexWrite ?? false}
+                  hasIndexMaintenance={hasIndexMaintenance ?? false}
+                  from={from}
+                  loading={loading}
+                  showBuildingBlockAlerts={showBuildingBlockAlerts}
+                  showOnlyThreatIndicatorAlerts={showOnlyThreatIndicatorAlerts}
+                  onShowBuildingBlockAlertsChanged={onShowBuildingBlockAlertsChangedCallback}
+                  onShowOnlyThreatIndicatorAlertsChanged={onShowOnlyThreatIndicatorAlertsCallback}
+                  onRuleChange={refreshRule}
+                  to={to}
+                />
+              )}
+            </>
+          )}
+          {ruleDetailTab === RuleDetailTabs.exceptions && (
+            <ExceptionsViewer
+              ruleId={ruleId ?? ''}
+              ruleName={rule?.name ?? ''}
+              ruleIndices={ruleIndices}
+              availableListTypes={exceptionLists.allowedExceptionListTypes}
+              commentsAccordionId={'ruleDetailsTabExceptions'}
+              exceptionListsMeta={exceptionLists.lists}
+              onRuleChange={refreshRule}
+            />
+          )}
+          {ruleDetailTab === RuleDetailTabs.failures && <FailureHistory id={rule?.id} />}
         </SecuritySolutionPageWrapper>
-      )}
+      </StyledFullHeightContainer>
 
       <SpyRoute pageName={SecurityPageName.rules} state={{ ruleName: rule?.name }} />
     </>
diff --git a/x-pack/plugins/security_solution/public/hosts/pages/details/index.tsx b/x-pack/plugins/security_solution/public/hosts/pages/details/index.tsx
index 9bf046f40edb4..55c799f3bda43 100644
--- a/x-pack/plugins/security_solution/public/hosts/pages/details/index.tsx
+++ b/x-pack/plugins/security_solution/public/hosts/pages/details/index.tsx
@@ -47,11 +47,11 @@ import { Display } from '../display';
 import { timelineSelectors } from '../../../timelines/store/timeline';
 import { TimelineId } from '../../../../common/types/timeline';
 import { timelineDefaults } from '../../../timelines/store/timeline/defaults';
-import { useSourcererScope } from '../../../common/containers/sourcerer';
 import { useDeepEqualSelector, useShallowEqualSelector } from '../../../common/hooks/use_selector';
 import { ID, useHostDetails } from '../../containers/hosts/details';
 import { manageQuery } from '../../../common/components/page/manage_query';
 import { useInvalidFilterQuery } from '../../../common/hooks/use_invalid_filter_query';
+import { useSourcererDataView } from '../../../common/containers/sourcerer';
 
 const HostOverviewManage = manageQuery(HostOverview);
 
@@ -97,7 +97,7 @@ const HostDetailsComponent: React.FC<HostDetailsProps> = ({ detailName, hostDeta
     [dispatch]
   );
 
-  const { docValueFields, indicesExist, indexPattern, selectedPatterns } = useSourcererScope();
+  const { docValueFields, indexPattern, indicesExist, selectedPatterns } = useSourcererDataView();
   const [loading, { inspect, hostDetails: hostOverview, id, refetch }] = useHostDetails({
     endDate: to,
     startDate: from,
diff --git a/x-pack/plugins/security_solution/public/hosts/pages/details/types.ts b/x-pack/plugins/security_solution/public/hosts/pages/details/types.ts
index 21924fe929320..cd9ee9ce01869 100644
--- a/x-pack/plugins/security_solution/public/hosts/pages/details/types.ts
+++ b/x-pack/plugins/security_solution/public/hosts/pages/details/types.ts
@@ -6,7 +6,7 @@
  */
 
 import { ActionCreator } from 'typescript-fsa';
-import { Query, IIndexPattern, Filter } from 'src/plugins/data/public';
+import { DataViewBase, Filter, Query } from '@kbn/es-query';
 import { InputsModelId } from '../../../common/store/inputs/constants';
 import { HostsTableType } from '../../store/model';
 import { HostsQueryProps } from '../types';
@@ -62,7 +62,7 @@ export type HostDetailsTabsProps = HostBodyComponentDispatchProps &
     indexNames: string[];
     pageFilters?: Filter[];
     filterQuery?: string;
-    indexPattern: IIndexPattern;
+    indexPattern: DataViewBase;
     type: hostsModel.HostsType;
   };
 
diff --git a/x-pack/plugins/security_solution/public/hosts/pages/hosts.test.tsx b/x-pack/plugins/security_solution/public/hosts/pages/hosts.test.tsx
index d05b091381cca..51dd9d230324f 100644
--- a/x-pack/plugins/security_solution/public/hosts/pages/hosts.test.tsx
+++ b/x-pack/plugins/security_solution/public/hosts/pages/hosts.test.tsx
@@ -23,7 +23,7 @@ import { inputsActions } from '../../common/store/inputs';
 import { State, createStore } from '../../common/store';
 import { Hosts } from './hosts';
 import { HostsTabs } from './hosts_tabs';
-import { useSourcererScope } from '../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../common/containers/sourcerer';
 
 jest.mock('../../common/containers/sourcerer');
 
@@ -57,10 +57,10 @@ const mockHistory = {
   createHref: jest.fn(),
   listen: jest.fn(),
 };
-const mockUseSourcererScope = useSourcererScope as jest.Mock;
+const mockUseSourcererDataView = useSourcererDataView as jest.Mock;
 describe('Hosts - rendering', () => {
   test('it renders the Setup Instructions text when no index is available', async () => {
-    mockUseSourcererScope.mockReturnValue({
+    mockUseSourcererDataView.mockReturnValue({
       indicesExist: false,
     });
 
@@ -75,7 +75,7 @@ describe('Hosts - rendering', () => {
   });
 
   test('it DOES NOT render the Setup Instructions text when an index is available', async () => {
-    mockUseSourcererScope.mockReturnValue({
+    mockUseSourcererDataView.mockReturnValue({
       indicesExist: true,
       indexPattern: {},
     });
@@ -90,7 +90,7 @@ describe('Hosts - rendering', () => {
   });
 
   test('it should render tab navigation', async () => {
-    mockUseSourcererScope.mockReturnValue({
+    mockUseSourcererDataView.mockReturnValue({
       indicesExist: true,
       indexPattern: {},
     });
@@ -137,7 +137,7 @@ describe('Hosts - rendering', () => {
         },
       },
     ];
-    mockUseSourcererScope.mockReturnValue({
+    mockUseSourcererDataView.mockReturnValue({
       indicesExist: true,
       indexPattern: { fields: [], title: 'title' },
     });
diff --git a/x-pack/plugins/security_solution/public/hosts/pages/hosts.tsx b/x-pack/plugins/security_solution/public/hosts/pages/hosts.tsx
index b1c7c25c794c1..8417e8f3ae8b3 100644
--- a/x-pack/plugins/security_solution/public/hosts/pages/hosts.tsx
+++ b/x-pack/plugins/security_solution/public/hosts/pages/hosts.tsx
@@ -50,7 +50,7 @@ import {
 } from '../../timelines/components/timeline/helpers';
 import { timelineSelectors } from '../../timelines/store/timeline';
 import { timelineDefaults } from '../../timelines/store/timeline/defaults';
-import { useSourcererScope } from '../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../common/containers/sourcerer';
 import { useDeepEqualSelector, useShallowEqualSelector } from '../../common/hooks/use_selector';
 import { useInvalidFilterQuery } from '../../common/hooks/use_invalid_filter_query';
 import { ID } from '../containers/hosts';
@@ -111,7 +111,7 @@ const HostsComponent = () => {
     },
     [dispatch]
   );
-  const { docValueFields, indicesExist, indexPattern, selectedPatterns } = useSourcererScope();
+  const { docValueFields, indicesExist, indexPattern, selectedPatterns } = useSourcererDataView();
   const [filterQuery, kqlError] = useMemo(
     () =>
       convertToBuildEsQuery({
diff --git a/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/store/action.ts b/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/store/action.ts
index 05d28c1cbf27f..6e9c1f69cb060 100644
--- a/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/store/action.ts
+++ b/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/store/action.ts
@@ -7,6 +7,7 @@
 
 import { Action } from 'redux';
 import { EuiSuperDatePickerRecentRange } from '@elastic/eui';
+import { DataViewBase } from '@kbn/es-query';
 import {
   HostResultList,
   HostInfo,
@@ -17,7 +18,6 @@ import {
 import { ServerApiError } from '../../../../common/types';
 import { GetPolicyListResponse } from '../../policy/types';
 import { EndpointState } from '../types';
-import { IIndexPattern } from '../../../../../../../../src/plugins/data/public';
 
 export interface ServerReturnedEndpointList {
   type: 'serverReturnedEndpointList';
@@ -96,7 +96,7 @@ export interface ServerReturnedEndpointExistValue {
 
 export interface ServerReturnedMetadataPatterns {
   type: 'serverReturnedMetadataPatterns';
-  payload: IIndexPattern[];
+  payload: DataViewBase[];
 }
 
 export interface ServerFailedToReturnMetadataPatterns {
diff --git a/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/store/middleware.ts b/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/store/middleware.ts
index 3506d2c22ce3f..ec9672b645ca3 100644
--- a/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/store/middleware.ts
+++ b/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/store/middleware.ts
@@ -9,6 +9,7 @@ import { Dispatch } from 'redux';
 import semverGte from 'semver/functions/gte';
 
 import { CoreStart, HttpStart } from 'kibana/public';
+import { DataViewBase, Query } from '@kbn/es-query';
 import {
   ActivityLog,
   GetHostPolicyResponse,
@@ -67,7 +68,6 @@ import {
   metadataCurrentIndexPattern,
   METADATA_UNITED_INDEX,
 } from '../../../../../common/endpoint/constants';
-import { IIndexPattern, Query } from '../../../../../../../../src/plugins/data/public';
 import {
   createFailedResourceState,
   createLoadedResourceState,
@@ -94,7 +94,7 @@ export const endpointMiddlewareFactory: ImmutableMiddlewareFactory<EndpointState
   // or else wrong pattern might be loaded
   async function fetchIndexPatterns(
     state: ImmutableObject<EndpointState>
-  ): Promise<IIndexPattern[]> {
+  ): Promise<DataViewBase[]> {
     const packageVersion = endpointPackageVersion(state) ?? '';
     const parsedPackageVersion = packageVersion.includes('-')
       ? packageVersion.substring(0, packageVersion.indexOf('-'))
@@ -108,7 +108,7 @@ export const endpointMiddlewareFactory: ImmutableMiddlewareFactory<EndpointState
     const fields = await indexPatterns.getFieldsForWildcard({
       pattern: indexPatternToFetch,
     });
-    const indexPattern: IIndexPattern = {
+    const indexPattern: DataViewBase = {
       title: indexPatternToFetch,
       fields,
     };
@@ -397,7 +397,7 @@ async function endpointDetailsListMiddleware({
 }: {
   store: ImmutableMiddlewareAPI<EndpointState, AppAction>;
   coreStart: CoreStart;
-  fetchIndexPatterns: (state: ImmutableObject<EndpointState>) => Promise<IIndexPattern[]>;
+  fetchIndexPatterns: (state: ImmutableObject<EndpointState>) => Promise<DataViewBase[]>;
 }) {
   const { getState, dispatch } = store;
 
diff --git a/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/types.ts b/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/types.ts
index 0fa96fe00fd2c..1a87223cdd01f 100644
--- a/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/types.ts
+++ b/x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/types.ts
@@ -6,6 +6,7 @@
  */
 
 import { EuiSuperDatePickerRecentRange } from '@elastic/eui';
+import { DataViewBase } from '@kbn/es-query';
 import {
   ActivityLog,
   HostInfo,
@@ -20,7 +21,6 @@ import {
 } from '../../../../common/endpoint/types';
 import { ServerApiError } from '../../../common/types';
 import { GetPackagesResponse } from '../../../../../fleet/common';
-import { IIndexPattern } from '../../../../../../../src/plugins/data/public';
 import { AsyncResourceState } from '../../state';
 import { TRANSFORM_STATES } from '../../../../common/constants';
 
@@ -86,7 +86,7 @@ export interface EndpointState {
   /** Tracks whether hosts exist and helps control if onboarding should be visible */
   endpointsExist: boolean;
   /** index patterns for query bar */
-  patterns: IIndexPattern[];
+  patterns: DataViewBase[];
   /** api error from retrieving index patters for query bar */
   patternsError?: ServerApiError;
   /** Is auto-refresh enabled */
diff --git a/x-pack/plugins/security_solution/public/network/components/embeddables/embedded_map.test.tsx b/x-pack/plugins/security_solution/public/network/components/embeddables/embedded_map.test.tsx
index 63a4571ca11e5..d9201e62268ab 100644
--- a/x-pack/plugins/security_solution/public/network/components/embeddables/embedded_map.test.tsx
+++ b/x-pack/plugins/security_solution/public/network/components/embeddables/embedded_map.test.tsx
@@ -52,7 +52,7 @@ jest.mock('./index_patterns_missing_prompt', () => {
 describe('EmbeddedMapComponent', () => {
   const setQuery: jest.Mock = jest.fn();
   const mockSelector = {
-    kibanaIndexPatterns: [
+    kibanaDataViews: [
       { id: '6f1eeb50-023d-11eb-bcb6-6ba0578012a9', title: 'filebeat-*' },
       { id: '28995490-023d-11eb-bcb6-6ba0578012a9', title: 'auditbeat-*' },
     ],
@@ -132,7 +132,7 @@ describe('EmbeddedMapComponent', () => {
     const spy = jest.spyOn(redux, 'useSelector');
     spy.mockReturnValue({
       ...mockSelector,
-      kibanaIndexPatterns: [],
+      kibanaDataViews: [],
     });
 
     (createEmbeddable as jest.Mock).mockResolvedValue(mockCreateEmbeddable);
diff --git a/x-pack/plugins/security_solution/public/network/components/embeddables/embedded_map.tsx b/x-pack/plugins/security_solution/public/network/components/embeddables/embedded_map.tsx
index f2cb974a5b5c1..15a0f870d7bda 100644
--- a/x-pack/plugins/security_solution/public/network/components/embeddables/embedded_map.tsx
+++ b/x-pack/plugins/security_solution/public/network/components/embeddables/embedded_map.tsx
@@ -28,8 +28,9 @@ import * as i18n from './translations';
 import { MapEmbeddable } from '../../../../../../plugins/maps/public/embeddable';
 import { Query, Filter } from '../../../../../../../src/plugins/data/public';
 import { useKibana } from '../../../common/lib/kibana';
-import { getDefaultSourcererSelector } from './selector';
 import { getLayerList } from './map_config';
+import { sourcererSelectors } from '../../../common/store/sourcerer';
+import { SourcererScopeName } from '../../../common/store/sourcerer/model';
 import { useDeepEqualSelector } from '../../../common/hooks/use_selector';
 
 interface EmbeddableMapProps {
@@ -95,13 +96,13 @@ export const EmbeddedMapComponent = ({
   const [isIndexError, setIsIndexError] = useState(false);
 
   const [, dispatchToaster] = useStateToaster();
-  const defaultSourcererScopeSelector = useMemo(getDefaultSourcererSelector, []);
-  const { kibanaIndexPatterns, sourcererScope } = useDeepEqualSelector(
-    defaultSourcererScopeSelector
-  );
+
+  const sourcererScopeSelector = useMemo(() => sourcererSelectors.getSourcererScopeSelector(), []);
+  const { kibanaDataViews, sourcererScope }: sourcererSelectors.SourcererScopeSelector =
+    useDeepEqualSelector((state) => sourcererScopeSelector(state, SourcererScopeName.default));
 
   const [mapIndexPatterns, setMapIndexPatterns] = useState(
-    kibanaIndexPatterns.filter((kip) => sourcererScope.selectedPatterns.includes(kip.title))
+    kibanaDataViews.filter((dataView) => sourcererScope.selectedPatterns.includes(dataView.title))
   );
 
   // This portalNode provided by react-reverse-portal allows us re-parent the MapToolTip within our
@@ -114,8 +115,8 @@ export const EmbeddedMapComponent = ({
 
   useEffect(() => {
     setMapIndexPatterns((prevMapIndexPatterns) => {
-      const newIndexPatterns = kibanaIndexPatterns.filter((kip) =>
-        sourcererScope.selectedPatterns.includes(kip.title)
+      const newIndexPatterns = kibanaDataViews.filter((dataView) =>
+        sourcererScope.selectedPatterns.includes(dataView.title)
       );
       if (!deepEqual(newIndexPatterns, prevMapIndexPatterns)) {
         if (newIndexPatterns.length === 0) {
@@ -125,7 +126,7 @@ export const EmbeddedMapComponent = ({
       }
       return prevMapIndexPatterns;
     });
-  }, [kibanaIndexPatterns, sourcererScope.selectedPatterns]);
+  }, [kibanaDataViews, sourcererScope.selectedPatterns]);
 
   // Initial Load useEffect
   useEffect(() => {
diff --git a/x-pack/plugins/security_solution/public/network/components/embeddables/selector.test.tsx b/x-pack/plugins/security_solution/public/network/components/embeddables/selector.test.tsx
deleted file mode 100644
index 99efe50a467a2..0000000000000
--- a/x-pack/plugins/security_solution/public/network/components/embeddables/selector.test.tsx
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { State } from '../../../common/store';
-
-import { getDefaultSourcererSelector } from './selector';
-
-jest.mock('../../../common/store/sourcerer', () => ({
-  sourcererSelectors: {
-    kibanaIndexPatternsSelector: jest.fn().mockReturnValue(jest.fn()),
-    scopesSelector: jest.fn().mockReturnValue(jest.fn().mockReturnValue({ default: '' })),
-  },
-}));
-
-describe('getDefaultSourcererSelector', () => {
-  test('Returns correct format', () => {
-    const mockMapStateToProps = getDefaultSourcererSelector();
-    const result = mockMapStateToProps({} as State);
-    expect(result).toHaveProperty('kibanaIndexPatterns');
-    expect(result).toHaveProperty('sourcererScope');
-  });
-});
diff --git a/x-pack/plugins/security_solution/public/network/components/embeddables/selector.tsx b/x-pack/plugins/security_solution/public/network/components/embeddables/selector.tsx
deleted file mode 100644
index c646276d710a2..0000000000000
--- a/x-pack/plugins/security_solution/public/network/components/embeddables/selector.tsx
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { State } from '../../../common/store';
-import { sourcererSelectors } from '../../../common/store/sourcerer';
-import {
-  KibanaIndexPatterns,
-  ManageScope,
-  SourcererScopeName,
-} from '../../../common/store/sourcerer/model';
-
-export interface DefaultSourcererSelector {
-  kibanaIndexPatterns: KibanaIndexPatterns;
-  sourcererScope: ManageScope;
-}
-
-export const getDefaultSourcererSelector = () => {
-  const getKibanaIndexPatternsSelector = sourcererSelectors.kibanaIndexPatternsSelector();
-  const getScopesSelector = sourcererSelectors.scopesSelector();
-
-  const mapStateToProps = (state: State): DefaultSourcererSelector => {
-    const kibanaIndexPatterns = getKibanaIndexPatternsSelector(state);
-    const scope = getScopesSelector(state)[SourcererScopeName.default];
-
-    return {
-      kibanaIndexPatterns,
-      sourcererScope: scope,
-    };
-  };
-
-  return mapStateToProps;
-};
diff --git a/x-pack/plugins/security_solution/public/network/components/network_top_countries_table/columns.tsx b/x-pack/plugins/security_solution/public/network/components/network_top_countries_table/columns.tsx
index 28953730ce3cf..4c50a3a0f49c5 100644
--- a/x-pack/plugins/security_solution/public/network/components/network_top_countries_table/columns.tsx
+++ b/x-pack/plugins/security_solution/public/network/components/network_top_countries_table/columns.tsx
@@ -8,8 +8,7 @@
 import { get } from 'lodash/fp';
 import numeral from '@elastic/numeral';
 import React from 'react';
-import { IIndexPattern } from 'src/plugins/data/public';
-
+import { DataViewBase } from '@kbn/es-query';
 import { CountryFlagAndName } from '../source_destination/country_flag';
 import {
   FlowTargetSourceDest,
@@ -47,7 +46,7 @@ export type NetworkTopCountriesColumnsNetworkDetails = [
 ];
 
 export const getNetworkTopCountriesColumns = (
-  indexPattern: IIndexPattern,
+  indexPattern: DataViewBase,
   flowTarget: FlowTargetSourceDest,
   type: networkModel.NetworkType,
   tableId: string
@@ -161,7 +160,7 @@ export const getNetworkTopCountriesColumns = (
 ];
 
 export const getCountriesColumnsCurated = (
-  indexPattern: IIndexPattern,
+  indexPattern: DataViewBase,
   flowTarget: FlowTargetSourceDest,
   type: networkModel.NetworkType,
   tableId: string
diff --git a/x-pack/plugins/security_solution/public/network/components/network_top_countries_table/index.tsx b/x-pack/plugins/security_solution/public/network/components/network_top_countries_table/index.tsx
index d4a611c7f557f..23b453c0f7384 100644
--- a/x-pack/plugins/security_solution/public/network/components/network_top_countries_table/index.tsx
+++ b/x-pack/plugins/security_solution/public/network/components/network_top_countries_table/index.tsx
@@ -9,7 +9,7 @@ import { last } from 'lodash/fp';
 import React, { useCallback, useMemo } from 'react';
 import { useDispatch } from 'react-redux';
 import deepEqual from 'fast-deep-equal';
-import { IIndexPattern } from 'src/plugins/data/public';
+import { DataViewBase } from '@kbn/es-query';
 
 import { networkActions, networkModel, networkSelectors } from '../../store';
 import {
@@ -31,7 +31,7 @@ interface NetworkTopCountriesTableProps {
   fakeTotalCount: number;
   flowTargeted: FlowTargetSourceDest;
   id: string;
-  indexPattern: IIndexPattern;
+  indexPattern: DataViewBase;
   isInspect: boolean;
   loading: boolean;
   loadPage: (newActivePage: number) => void;
diff --git a/x-pack/plugins/security_solution/public/network/pages/details/index.test.tsx b/x-pack/plugins/security_solution/public/network/pages/details/index.test.tsx
index 612acdc813c92..7d8389d95f33e 100644
--- a/x-pack/plugins/security_solution/public/network/pages/details/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/network/pages/details/index.test.tsx
@@ -10,7 +10,7 @@ import { Router, useParams } from 'react-router-dom';
 
 import '../../../common/mock/match_media';
 
-import { useSourcererScope } from '../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../../common/containers/sourcerer';
 import {
   mockGlobalState,
   TestProviders,
@@ -87,7 +87,7 @@ const getMockHistory = (ip: string) => ({
 describe('Network Details', () => {
   const mount = useMountAppended();
   beforeAll(() => {
-    (useSourcererScope as jest.Mock).mockReturnValue({
+    (useSourcererDataView as jest.Mock).mockReturnValue({
       indicesExist: false,
       indexPattern: {},
     });
@@ -131,7 +131,7 @@ describe('Network Details', () => {
 
   test('it renders ipv6 headline', async () => {
     const ip = 'fe80--24ce-f7ff-fede-a571';
-    (useSourcererScope as jest.Mock).mockReturnValue({
+    (useSourcererDataView as jest.Mock).mockReturnValue({
       indicesExist: true,
       indexPattern: {},
     });
diff --git a/x-pack/plugins/security_solution/public/network/pages/details/index.tsx b/x-pack/plugins/security_solution/public/network/pages/details/index.tsx
index 5aee4022a7f30..e0ede2d23846e 100644
--- a/x-pack/plugins/security_solution/public/network/pages/details/index.tsx
+++ b/x-pack/plugins/security_solution/public/network/pages/details/index.tsx
@@ -48,7 +48,7 @@ import { AnomaliesQueryTabBody } from '../../../common/containers/anomalies/anom
 import { esQuery } from '../../../../../../../src/plugins/data/public';
 import { networkModel } from '../../store';
 import { SecurityPageName } from '../../../app/types';
-import { useSourcererScope } from '../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../../common/containers/sourcerer';
 import { useInvalidFilterQuery } from '../../../common/hooks/use_invalid_filter_query';
 export { getBreadcrumbs } from './utils';
 
@@ -92,7 +92,7 @@ const NetworkDetailsComponent: React.FC = () => {
     dispatch(setNetworkDetailsTablesActivePageToZero());
   }, [detailName, dispatch]);
 
-  const { docValueFields, indicesExist, indexPattern, selectedPatterns } = useSourcererScope();
+  const { docValueFields, indicesExist, indexPattern, selectedPatterns } = useSourcererDataView();
   const ip = decodeIpv6(detailName);
   const [filterQuery, kqlError] = convertToBuildEsQuery({
     config: esQuery.getEsQueryConfig(uiSettings),
diff --git a/x-pack/plugins/security_solution/public/network/pages/details/types.ts b/x-pack/plugins/security_solution/public/network/pages/details/types.ts
index b91a22cbd5fc3..02722f4709bcc 100644
--- a/x-pack/plugins/security_solution/public/network/pages/details/types.ts
+++ b/x-pack/plugins/security_solution/public/network/pages/details/types.ts
@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import { IIndexPattern } from 'src/plugins/data/public';
+import { DataViewBase } from '@kbn/es-query';
 
 import { ESTermQuery } from '../../../../common/typed_json';
 import { NetworkType } from '../../store/model';
@@ -38,5 +38,5 @@ export type TlsQueryTableComponentProps = OwnProps & {
 
 export type NetworkWithIndexComponentsQueryTableProps = OwnProps & {
   flowTarget: FlowTargetSourceDest;
-  indexPattern: IIndexPattern;
+  indexPattern: DataViewBase;
 };
diff --git a/x-pack/plugins/security_solution/public/network/pages/navigation/types.ts b/x-pack/plugins/security_solution/public/network/pages/navigation/types.ts
index 075aa46637a07..96b72caf03300 100644
--- a/x-pack/plugins/security_solution/public/network/pages/navigation/types.ts
+++ b/x-pack/plugins/security_solution/public/network/pages/navigation/types.ts
@@ -5,8 +5,8 @@
  * 2.0.
  */
 
+import { DataViewBase } from '@kbn/es-query';
 import { ESTermQuery } from '../../../../common/typed_json';
-import { IIndexPattern } from '../../../../../../../src/plugins/data/common';
 
 import { NavTab } from '../../../common/components/navigation/types';
 import { FlowTargetSourceDest } from '../../../../common/search_strategy/security_solution/network';
@@ -32,7 +32,7 @@ export type NetworkComponentQueryProps = QueryTabBodyProps & {
 };
 
 export type IPsQueryTabBodyProps = QueryTabBodyProps & {
-  indexPattern: IIndexPattern;
+  indexPattern: DataViewBase;
   flowTarget: FlowTargetSourceDest;
 };
 
@@ -49,7 +49,7 @@ export type NetworkRoutesProps = GlobalTimeArgs & {
   docValueFields: DocValueFields[];
   type: networkModel.NetworkType;
   filterQuery?: string | ESTermQuery;
-  indexPattern: IIndexPattern;
+  indexPattern: DataViewBase;
   indexNames: string[];
   setAbsoluteRangeDatePicker: SetAbsoluteRangeDatePicker;
 };
diff --git a/x-pack/plugins/security_solution/public/network/pages/network.test.tsx b/x-pack/plugins/security_solution/public/network/pages/network.test.tsx
index 764b8fcd0444b..d0fff882cdc86 100644
--- a/x-pack/plugins/security_solution/public/network/pages/network.test.tsx
+++ b/x-pack/plugins/security_solution/public/network/pages/network.test.tsx
@@ -11,7 +11,7 @@ import { Router } from 'react-router-dom';
 import { waitFor } from '@testing-library/react';
 import '../../common/mock/match_media';
 import { Filter } from '../../../../../../src/plugins/data/common/es_query';
-import { useSourcererScope } from '../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../common/containers/sourcerer';
 import {
   TestProviders,
   mockGlobalState,
@@ -70,10 +70,10 @@ const mockProps = {
   capabilitiesFetched: true,
   hasMlUserPermissions: true,
 };
-const mockUseSourcererScope = useSourcererScope as jest.Mock;
+const mockUseSourcererDataView = useSourcererDataView as jest.Mock;
 describe('Network page - rendering', () => {
   test('it renders the Setup Instructions text when no index is available', () => {
-    mockUseSourcererScope.mockReturnValue({
+    mockUseSourcererDataView.mockReturnValue({
       selectedPatterns: [],
       indicesExist: false,
     });
@@ -89,7 +89,7 @@ describe('Network page - rendering', () => {
   });
 
   test('it DOES NOT render the Setup Instructions text when an index is available', async () => {
-    mockUseSourcererScope.mockReturnValue({
+    mockUseSourcererDataView.mockReturnValue({
       selectedPatterns: [],
       indicesExist: true,
       indexPattern: {},
@@ -138,7 +138,7 @@ describe('Network page - rendering', () => {
         },
       },
     ];
-    mockUseSourcererScope.mockReturnValue({
+    mockUseSourcererDataView.mockReturnValue({
       selectedPatterns: [],
       indicesExist: true,
       indexPattern: { fields: [], title: 'title' },
diff --git a/x-pack/plugins/security_solution/public/network/pages/network.tsx b/x-pack/plugins/security_solution/public/network/pages/network.tsx
index af7f513afd744..f38a26da00599 100644
--- a/x-pack/plugins/security_solution/public/network/pages/network.tsx
+++ b/x-pack/plugins/security_solution/public/network/pages/network.tsx
@@ -49,7 +49,7 @@ import {
 import { timelineSelectors } from '../../timelines/store/timeline';
 import { TimelineId } from '../../../common/types/timeline';
 import { timelineDefaults } from '../../timelines/store/timeline/defaults';
-import { useSourcererScope } from '../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../common/containers/sourcerer';
 import { useDeepEqualSelector, useShallowEqualSelector } from '../../common/hooks/use_selector';
 import { useInvalidFilterQuery } from '../../common/hooks/use_invalid_filter_query';
 /**
@@ -109,7 +109,7 @@ const NetworkComponent = React.memo<NetworkComponentProps>(
       [dispatch]
     );
 
-    const { docValueFields, indicesExist, indexPattern, selectedPatterns } = useSourcererScope();
+    const { docValueFields, indicesExist, indexPattern, selectedPatterns } = useSourcererDataView();
 
     const onSkipFocusBeforeEventsTable = useCallback(() => {
       containerElement.current
diff --git a/x-pack/plugins/security_solution/public/overview/components/alerts_by_category/index.tsx b/x-pack/plugins/security_solution/public/overview/components/alerts_by_category/index.tsx
index e74e8f82d8244..bce9dd9fa9d0c 100644
--- a/x-pack/plugins/security_solution/public/overview/components/alerts_by_category/index.tsx
+++ b/x-pack/plugins/security_solution/public/overview/components/alerts_by_category/index.tsx
@@ -9,17 +9,13 @@ import numeral from '@elastic/numeral';
 import React, { useEffect, useMemo, useCallback } from 'react';
 import { Position } from '@elastic/charts';
 
+import { DataViewBase, Filter, Query } from '@kbn/es-query';
 import { DEFAULT_NUMBER_FORMAT, APP_UI_ID } from '../../../../common/constants';
 import { SHOWING, UNIT } from '../../../common/components/alerts_viewer/translations';
 import { MatrixHistogram } from '../../../common/components/matrix_histogram';
 import { useKibana, useUiSetting$ } from '../../../common/lib/kibana';
 import { convertToBuildEsQuery } from '../../../common/lib/keury';
-import {
-  Filter,
-  esQuery,
-  IIndexPattern,
-  Query,
-} from '../../../../../../../src/plugins/data/public';
+import { esQuery } from '../../../../../../../src/plugins/data/public';
 import { HostsTableType } from '../../../hosts/store/model';
 
 import * as i18n from '../../pages/translations';
@@ -42,7 +38,7 @@ const DEFAULT_STACK_BY = 'event.module';
 interface Props extends Pick<GlobalTimeArgs, 'from' | 'to' | 'deleteQuery' | 'setQuery'> {
   filters: Filter[];
   hideHeaderChildren?: boolean;
-  indexPattern: IIndexPattern;
+  indexPattern: DataViewBase;
   indexNames: string[];
   query: Query;
 }
diff --git a/x-pack/plugins/security_solution/public/overview/components/event_counts/index.tsx b/x-pack/plugins/security_solution/public/overview/components/event_counts/index.tsx
index 919057d6b5eab..8ec38549477fa 100644
--- a/x-pack/plugins/security_solution/public/overview/components/event_counts/index.tsx
+++ b/x-pack/plugins/security_solution/public/overview/components/event_counts/index.tsx
@@ -9,6 +9,7 @@ import { EuiFlexGroup, EuiFlexItem } from '@elastic/eui';
 import React, { useMemo } from 'react';
 import styled from 'styled-components';
 
+import { DataViewBase, Filter, Query } from '@kbn/es-query';
 import { ID as OverviewHostQueryId } from '../../containers/overview_host';
 import { OverviewHost } from '../overview_host';
 import { OverviewNetwork } from '../overview_network';
@@ -16,12 +17,7 @@ import { filterHostData } from '../../../hosts/pages/navigation/alerts_query_tab
 import { useKibana } from '../../../common/lib/kibana';
 import { convertToBuildEsQuery } from '../../../common/lib/keury';
 import { filterNetworkData } from '../../../network/pages/navigation/alerts_query_tab_body';
-import {
-  Filter,
-  esQuery,
-  IIndexPattern,
-  Query,
-} from '../../../../../../../src/plugins/data/public';
+import { esQuery } from '../../../../../../../src/plugins/data/public';
 import { GlobalTimeArgs } from '../../../common/containers/use_global_time';
 import { useInvalidFilterQuery } from '../../../common/hooks/use_invalid_filter_query';
 
@@ -32,7 +28,7 @@ const HorizontalSpacer = styled(EuiFlexItem)`
 interface Props extends Pick<GlobalTimeArgs, 'from' | 'to' | 'setQuery'> {
   filters: Filter[];
   indexNames: string[];
-  indexPattern: IIndexPattern;
+  indexPattern: DataViewBase;
   query: Query;
 }
 
diff --git a/x-pack/plugins/security_solution/public/overview/components/events_by_dataset/index.tsx b/x-pack/plugins/security_solution/public/overview/components/events_by_dataset/index.tsx
index 562d1d1fd7aad..a184ba572d77c 100644
--- a/x-pack/plugins/security_solution/public/overview/components/events_by_dataset/index.tsx
+++ b/x-pack/plugins/security_solution/public/overview/components/events_by_dataset/index.tsx
@@ -10,6 +10,7 @@ import numeral from '@elastic/numeral';
 import React, { useEffect, useMemo, useCallback } from 'react';
 import uuid from 'uuid';
 
+import { DataViewBase, Filter, Query } from '@kbn/es-query';
 import { DEFAULT_NUMBER_FORMAT, APP_UI_ID } from '../../../../common/constants';
 import { SHOWING, UNIT } from '../../../common/components/events_viewer/translations';
 import { getTabsOnHostsUrl } from '../../../common/components/link_to/redirect_to_hosts';
@@ -22,12 +23,7 @@ import { eventsStackByOptions } from '../../../hosts/pages/navigation';
 import { convertToBuildEsQuery } from '../../../common/lib/keury';
 import { useKibana, useUiSetting$ } from '../../../common/lib/kibana';
 import { histogramConfigs } from '../../../hosts/pages/navigation/events_query_tab_body';
-import {
-  Filter,
-  esQuery,
-  IIndexPattern,
-  Query,
-} from '../../../../../../../src/plugins/data/public';
+import { esQuery } from '../../../../../../../src/plugins/data/public';
 import { HostsTableType } from '../../../hosts/store/model';
 import { InputsModelId } from '../../../common/store/inputs/constants';
 import { GlobalTimeArgs } from '../../../common/containers/use_global_time';
@@ -46,7 +42,7 @@ interface Props extends Pick<GlobalTimeArgs, 'from' | 'to' | 'deleteQuery' | 'se
   combinedQueries?: string;
   filters: Filter[];
   headerChildren?: React.ReactNode;
-  indexPattern: IIndexPattern;
+  indexPattern: DataViewBase;
   indexNames: string[];
   onlyField?: string;
   paddingSize?: 's' | 'm' | 'l' | 'none';
diff --git a/x-pack/plugins/security_solution/public/overview/pages/overview.test.tsx b/x-pack/plugins/security_solution/public/overview/pages/overview.test.tsx
index ab5ae4f613e38..2539490be16fb 100644
--- a/x-pack/plugins/security_solution/public/overview/pages/overview.test.tsx
+++ b/x-pack/plugins/security_solution/public/overview/pages/overview.test.tsx
@@ -21,7 +21,7 @@ import {
   initialUserPrivilegesState,
   useUserPrivileges,
 } from '../../common/components/user_privileges';
-import { useSourcererScope } from '../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../common/containers/sourcerer';
 import { useFetchIndex } from '../../common/containers/source';
 import { useIsThreatIntelModuleEnabled } from '../containers/overview_cti_links/use_is_threat_intel_module_enabled';
 import { useCtiEventCounts } from '../containers/overview_cti_links/use_cti_event_counts';
@@ -107,7 +107,7 @@ const endpointNoticeMessage = (hasMessageValue: boolean) => {
     clearAllMessages: () => undefined,
   };
 };
-const mockUseSourcererScope = useSourcererScope as jest.Mock;
+const mockUseSourcererDataView = useSourcererDataView as jest.Mock;
 const mockUseUserPrivileges = useUserPrivileges as jest.Mock;
 const mockUseFetchIndex = useFetchIndex as jest.Mock;
 const mockUseMessagesStorage: jest.Mock = useMessagesStorage as jest.Mock<UseMessagesStorage>;
@@ -141,7 +141,7 @@ describe('Overview', () => {
 
   describe('rendering', () => {
     test('it DOES NOT render the Getting started text when an index is available', () => {
-      mockUseSourcererScope.mockReturnValue({
+      mockUseSourcererDataView.mockReturnValue({
         selectedPatterns: [],
         indicesExist: true,
         indexPattern: {},
@@ -168,7 +168,7 @@ describe('Overview', () => {
           indexExists: false,
         },
       ]);
-      mockUseSourcererScope.mockReturnValue({
+      mockUseSourcererDataView.mockReturnValue({
         selectedPatterns: [],
         indicesExist: true,
         indexPattern: {},
@@ -195,7 +195,7 @@ describe('Overview', () => {
           indexExists: false,
         },
       ]);
-      mockUseSourcererScope.mockReturnValueOnce({
+      mockUseSourcererDataView.mockReturnValueOnce({
         selectedPatterns: [],
         indicesExist: true,
         indexPattern: {},
@@ -216,7 +216,7 @@ describe('Overview', () => {
     });
 
     test('it does NOT render the Endpoint banner when the endpoint index is available AND storage is set', () => {
-      mockUseSourcererScope.mockReturnValue({
+      mockUseSourcererDataView.mockReturnValue({
         selectedPatterns: [],
         indexExists: true,
         indexPattern: {},
@@ -237,7 +237,7 @@ describe('Overview', () => {
     });
 
     test('it does NOT render the Endpoint banner when an index IS available but storage is NOT set', () => {
-      mockUseSourcererScope.mockReturnValue({
+      mockUseSourcererDataView.mockReturnValue({
         selectedPatterns: [],
         indicesExist: true,
         indexPattern: {},
@@ -258,7 +258,7 @@ describe('Overview', () => {
     });
 
     test('it does NOT render the Endpoint banner when Ingest is NOT available', () => {
-      mockUseSourcererScope.mockReturnValue({
+      mockUseSourcererDataView.mockReturnValue({
         selectedPatterns: [],
         indicesExist: true,
         indexPattern: {},
@@ -281,7 +281,7 @@ describe('Overview', () => {
 
     describe('when no index is available', () => {
       beforeEach(() => {
-        mockUseSourcererScope.mockReturnValue({
+        mockUseSourcererDataView.mockReturnValue({
           selectedPatterns: [],
           indicesExist: false,
         });
diff --git a/x-pack/plugins/security_solution/public/overview/pages/overview.tsx b/x-pack/plugins/security_solution/public/overview/pages/overview.tsx
index 10fa4e4c4e925..3a98f062db65d 100644
--- a/x-pack/plugins/security_solution/public/overview/pages/overview.tsx
+++ b/x-pack/plugins/security_solution/public/overview/pages/overview.tsx
@@ -27,7 +27,7 @@ import { SecurityPageName } from '../../app/types';
 import { EndpointNotice } from '../components/endpoint_notice';
 import { useMessagesStorage } from '../../common/containers/local_storage/use_messages_storage';
 import { ENDPOINT_METADATA_INDEX } from '../../../common/constants';
-import { useSourcererScope } from '../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../common/containers/sourcerer';
 import { Sourcerer } from '../../common/components/sourcerer';
 import { SourcererScopeName } from '../../common/store/sourcerer/model';
 import { useDeepEqualSelector } from '../../common/hooks/use_selector';
@@ -56,7 +56,7 @@ const OverviewComponent = () => {
   const filters = useDeepEqualSelector(getGlobalFiltersQuerySelector);
 
   const { from, deleteQuery, setQuery, to } = useGlobalTime();
-  const { indicesExist, indexPattern, selectedPatterns } = useSourcererScope();
+  const { indicesExist, indexPattern, selectedPatterns } = useSourcererDataView();
 
   const endpointMetadataIndex = useMemo<string[]>(() => {
     return [ENDPOINT_METADATA_INDEX];
diff --git a/x-pack/plugins/security_solution/public/overview/pages/summary.tsx b/x-pack/plugins/security_solution/public/overview/pages/summary.tsx
deleted file mode 100644
index e706fcc39bd1e..0000000000000
--- a/x-pack/plugins/security_solution/public/overview/pages/summary.tsx
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import React from 'react';
-import { EuiFlexItem, EuiLink, EuiText } from '@elastic/eui';
-import { FormattedMessage } from '@kbn/i18n/react';
-
-import { ADD_DATA_PATH } from '../../../common/constants';
-
-import { useKibana } from '../../common/lib/kibana';
-
-export const Summary = React.memo(() => {
-  const { docLinks, http } = useKibana().services;
-  const basePath = http.basePath.get();
-  return (
-    <EuiFlexItem>
-      <EuiText>
-        <h2>
-          <FormattedMessage
-            id="xpack.securitySolution.overview.startedTitle"
-            defaultMessage="Getting started"
-          />
-        </h2>
-
-        <p>
-          <FormattedMessage
-            id="xpack.securitySolution.overview.startedText"
-            defaultMessage="Welcome to Security Information &amp; Event Management (SIEM). Get started by reviewing our {docs} or {data}. For information about upcoming features and tutorials, be sure to check out our {siemSolution} page."
-            values={{
-              docs: (
-                <EuiLink href={docLinks.links.siem.guide} target="blank">
-                  <FormattedMessage
-                    id="xpack.securitySolution.overview.startedText.docsLinkText"
-                    defaultMessage="documentation"
-                  />
-                </EuiLink>
-              ),
-              data: (
-                <EuiLink href={`${basePath}${ADD_DATA_PATH}`}>
-                  <FormattedMessage
-                    id="xpack.securitySolution.overview.startedText.dataLinkText"
-                    defaultMessage="ingesting data"
-                  />
-                </EuiLink>
-              ),
-              siemSolution: (
-                <EuiLink href="https://www.elastic.co/solutions/siem" target="blank">
-                  <FormattedMessage
-                    id="xpack.securitySolution.overview.startedText.siemSolutionLinkText"
-                    defaultMessage="SIEM solution"
-                  />
-                </EuiLink>
-              ),
-            }}
-          />
-        </p>
-
-        <h2>
-          <FormattedMessage
-            id="xpack.securitySolution.overview.feedbackTitle"
-            defaultMessage="Feedback"
-          />
-        </h2>
-
-        <p>
-          <FormattedMessage
-            id="xpack.securitySolution.overview.feedbackText"
-            defaultMessage="If you have input or suggestions regarding your experience with Elastic SIEM, please feel free to {feedback}."
-            values={{
-              feedback: (
-                <EuiLink href="https://discuss.elastic.co/c/security" target="blank">
-                  <FormattedMessage
-                    id="xpack.securitySolution.overview.feedbackText.feedbackLinkText"
-                    defaultMessage="submit feedback online"
-                  />
-                </EuiLink>
-              ),
-            }}
-          />
-        </p>
-      </EuiText>
-    </EuiFlexItem>
-  );
-});
-
-Summary.displayName = 'Summary';
diff --git a/x-pack/plugins/security_solution/public/plugin.tsx b/x-pack/plugins/security_solution/public/plugin.tsx
index 6167aa72a47b4..1d60175d56f60 100644
--- a/x-pack/plugins/security_solution/public/plugin.tsx
+++ b/x-pack/plugins/security_solution/public/plugin.tsx
@@ -43,14 +43,11 @@ import {
   APP_ICON_SOLUTION,
   DETECTION_ENGINE_INDEX_URL,
   SERVER_APP_ID,
+  SOURCERER_API_URL,
 } from '../common/constants';
 
 import { getDeepLinks } from './app/deep_links';
 import { getSubPluginRoutesByCapabilities, manageOldSiemRoutes } from './helpers';
-import {
-  IndexFieldsStrategyRequest,
-  IndexFieldsStrategyResponse,
-} from '../common/search_strategy/index_fields';
 import { SecurityAppStore } from './common/store/store';
 import { licenseService } from './common/hooks/use_license';
 import { SecuritySolutionUiConfigType } from './common/types';
@@ -65,6 +62,8 @@ import {
 } from '../common/experimental_features';
 import type { TimelineState } from '../../timelines/public';
 import { LazyEndpointCustomAssetsExtension } from './management/pages/policy/view/ingest_manager_integration/lazy_endpoint_custom_assets_extension';
+import { initDataView, SourcererModel, KibanaDataView } from './common/store/sourcerer/model';
+import { SecurityDataView } from './common/containers/sourcerer/api';
 
 export class Plugin implements IPlugin<PluginSetup, PluginStart, SetupPlugins, StartPlugins> {
   readonly kibanaVersion: string;
@@ -328,7 +327,6 @@ export class Plugin implements IPlugin<PluginSetup, PluginStart, SetupPlugins, S
       management: subPlugins.management.start(core, plugins),
     };
   }
-
   /**
    * Lazily instantiate a `SecurityAppStore`. We lazily instantiate this because it requests large dynamic imports. We instantiate it once because each subPlugin needs to share the same reference.
    */
@@ -338,32 +336,9 @@ export class Plugin implements IPlugin<PluginSetup, PluginStart, SetupPlugins, S
     subPlugins: StartedSubPlugins
   ): Promise<SecurityAppStore> {
     if (!this._store) {
-      const defaultIndicesName = coreStart.uiSettings.get(DEFAULT_INDEX_KEY);
-      const [{ createStore, createInitialState }, kibanaIndexPatterns, configIndexPatterns] =
-        await Promise.all([
-          this.lazyApplicationDependencies(),
-          startPlugins.data.indexPatterns.getIdsWithTitle(),
-          startPlugins.data.search
-            .search<IndexFieldsStrategyRequest, IndexFieldsStrategyResponse>(
-              { indices: defaultIndicesName, onlyCheckIfIndicesExist: true },
-              {
-                strategy: 'indexFields',
-              }
-            )
-            .toPromise(),
-        ]);
-
       let signal: { name: string | null } = { name: null };
       try {
-        // const { index_name: indexName } = await coreStart.http.fetch(
-        //   `${BASE_RAC_ALERTS_API_PATH}/index`,
-        //   {
-        //     method: 'GET',
-        //     query: { features: SERVER_APP_ID },
-        //   }
-        // );
-        // signal = { name: indexName[0] };
-        if (coreStart.application.capabilities[SERVER_APP_ID].read === true) {
+        if (coreStart.application.capabilities[SERVER_APP_ID].show === true) {
           signal = await coreStart.http.fetch(DETECTION_ENGINE_INDEX_URL, {
             method: 'GET',
           });
@@ -372,6 +347,28 @@ export class Plugin implements IPlugin<PluginSetup, PluginStart, SetupPlugins, S
         signal = { name: null };
       }
 
+      const configPatternList = coreStart.uiSettings.get(DEFAULT_INDEX_KEY);
+      let defaultDataView: SourcererModel['defaultDataView'];
+      let kibanaDataViews: SourcererModel['kibanaDataViews'];
+      try {
+        // check for/generate default Security Solution Kibana data view
+        const sourcererDataViews: SecurityDataView = await coreStart.http.fetch(SOURCERER_API_URL, {
+          method: 'POST',
+          body: JSON.stringify({
+            patternList: [...configPatternList, ...(signal.name != null ? [signal.name] : [])],
+          }),
+        });
+        defaultDataView = { ...initDataView, ...sourcererDataViews.defaultDataView };
+        kibanaDataViews = sourcererDataViews.kibanaDataViews.map((dataView: KibanaDataView) => ({
+          ...initDataView,
+          ...dataView,
+        }));
+      } catch (error) {
+        defaultDataView = { ...initDataView, error };
+        kibanaDataViews = [];
+      }
+      const { createStore, createInitialState } = await this.lazyApplicationDependencies();
+
       const appLibs: AppObservableLibs = { kibana: coreStart };
       const libs$ = new BehaviorSubject(appLibs);
 
@@ -414,8 +411,8 @@ export class Plugin implements IPlugin<PluginSetup, PluginStart, SetupPlugins, S
             ...subPlugins.management.store.initialState,
           },
           {
-            kibanaIndexPatterns,
-            configIndexPatterns: configIndexPatterns.indicesExist,
+            defaultDataView,
+            kibanaDataViews,
             signalIndexName: signal.name,
             enableExperimental: this.experimentalFeatures,
           }
diff --git a/x-pack/plugins/security_solution/public/timelines/components/flyout/header/index.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/flyout/header/index.test.tsx
index 206fcb2dc087c..7b103fae483b1 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/flyout/header/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/flyout/header/index.test.tsx
@@ -12,12 +12,12 @@ import { TestProviders, mockIndexNames, mockIndexPattern } from '../../../../com
 import { TimelineId } from '../../../../../common/types/timeline';
 import { useTimelineKpis } from '../../../containers/kpis';
 import { FlyoutHeader } from '.';
-import { useSourcererScope } from '../../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../../../common/containers/sourcerer';
 import { mockBrowserFields, mockDocValueFields } from '../../../../common/containers/source/mock';
 import { useMountAppended } from '../../../../common/utils/use_mount_appended';
 import { getEmptyValue } from '../../../../common/components/empty_value';
 
-const mockUseSourcererScope: jest.Mock = useSourcererScope as jest.Mock;
+const mockUseSourcererDataView: jest.Mock = useSourcererDataView as jest.Mock;
 jest.mock('../../../../common/containers/sourcerer');
 
 const mockUseTimelineKpis: jest.Mock = useTimelineKpis as jest.Mock;
@@ -62,7 +62,7 @@ describe('header', () => {
 
   beforeEach(() => {
     // Mocking these services is required for the header component to render.
-    mockUseSourcererScope.mockImplementation(() => defaultMocks);
+    mockUseSourcererDataView.mockImplementation(() => defaultMocks);
     useKibanaMock().services.application.capabilities = {
       navLinks: {},
       management: {},
diff --git a/x-pack/plugins/security_solution/public/timelines/components/flyout/header/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/flyout/header/index.tsx
index 1fdfb744f3071..2f54cd6ce2962 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/flyout/header/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/flyout/header/index.tsx
@@ -40,7 +40,7 @@ import { useGetUserCasesPermissions, useKibana } from '../../../../common/lib/ki
 import { InspectButton } from '../../../../common/components/inspect';
 import { useTimelineKpis } from '../../../containers/kpis';
 import { esQuery } from '../../../../../../../../src/plugins/data/public';
-import { useSourcererScope } from '../../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../../../common/containers/sourcerer';
 import { TimelineModel } from '../../../../timelines/store/timeline/model';
 import {
   startSelector,
@@ -76,7 +76,7 @@ const ActiveTimelinesContainer = styled(EuiFlexItem)`
 
 const FlyoutHeaderPanelComponent: React.FC<FlyoutHeaderPanelProps> = ({ timelineId }) => {
   const dispatch = useDispatch();
-  const { indexPattern, browserFields } = useSourcererScope(SourcererScopeName.timeline);
+  const { browserFields, indexPattern } = useSourcererDataView(SourcererScopeName.timeline);
   const { uiSettings } = useKibana().services;
   const esQueryConfig = useMemo(() => esQuery.getEsQueryConfig(uiSettings), [uiSettings]);
   const getTimeline = useMemo(() => timelineSelectors.getTimelineByIdSelector(), []);
@@ -345,7 +345,7 @@ const TimelineStatusInfoComponent: React.FC<FlyoutHeaderProps> = ({ timelineId }
 const TimelineStatusInfo = React.memo(TimelineStatusInfoComponent);
 
 const FlyoutHeaderComponent: React.FC<FlyoutHeaderProps> = ({ timelineId }) => {
-  const { selectedPatterns, indexPattern, docValueFields, browserFields } = useSourcererScope(
+  const { selectedPatterns, indexPattern, docValueFields, browserFields } = useSourcererDataView(
     SourcererScopeName.timeline
   );
   const getStartSelector = useMemo(() => startSelector(), []);
diff --git a/x-pack/plugins/security_solution/public/timelines/components/graph_overlay/index.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/graph_overlay/index.test.tsx
index d672a3c699707..c16da16002265 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/graph_overlay/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/graph_overlay/index.test.tsx
@@ -13,15 +13,10 @@ import {
   useGlobalFullScreen,
   useTimelineFullScreen,
 } from '../../../common/containers/use_full_screen';
-import { mockTimelineModel, TestProviders } from '../../../common/mock';
+import { TestProviders } from '../../../common/mock';
 import { TimelineId } from '../../../../common/types/timeline';
 import { GraphOverlay } from '.';
 
-jest.mock('../../../common/hooks/use_selector', () => ({
-  useShallowEqualSelector: jest.fn().mockReturnValue(mockTimelineModel.savedObjectId),
-  useDeepEqualSelector: jest.fn().mockReturnValue(mockTimelineModel),
-}));
-
 jest.mock('../../../common/containers/use_full_screen', () => ({
   useGlobalFullScreen: jest.fn(),
   useTimelineFullScreen: jest.fn(),
diff --git a/x-pack/plugins/security_solution/public/timelines/components/graph_overlay/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/graph_overlay/index.tsx
index 16459381a8431..31a40c46fc0bf 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/graph_overlay/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/graph_overlay/index.tsx
@@ -30,7 +30,6 @@ import { TimelineId } from '../../../../common/types/timeline';
 import { timelineSelectors } from '../../store/timeline';
 import { timelineDefaults } from '../../store/timeline/defaults';
 import { isFullScreen } from '../timeline/body/column_headers';
-import { sourcererSelectors } from '../../../common/store';
 import { updateTimelineGraphEventId } from '../../../timelines/store/timeline/actions';
 import { Resolver } from '../../../resolver/view';
 import {
@@ -39,6 +38,8 @@ import {
   endSelector,
 } from '../../../common/components/super_date_picker/selectors';
 import * as i18n from './translations';
+import { SourcererScopeName } from '../../../common/store/sourcerer/model';
+import { useSourcererDataView } from '../../../common/containers/sourcerer';
 
 const OverlayContainer = styled.div`
   display: flex;
@@ -180,11 +181,8 @@ const GraphOverlayComponent: React.FC<OwnProps> = ({ timelineId }) => {
     globalFullScreen,
   ]);
 
-  const existingIndexNamesSelector = useMemo(
-    () => sourcererSelectors.getAllExistingIndexNamesSelector(),
-    []
-  );
-  const existingIndexNames = useDeepEqualSelector<string[]>(existingIndexNamesSelector);
+  const { selectedPatterns } = useSourcererDataView(SourcererScopeName.timeline);
+
   if (fullScreen && !isInTimeline) {
     return (
       <FullScreenOverlayContainer data-test-subj="overlayContainer">
@@ -206,7 +204,7 @@ const GraphOverlayComponent: React.FC<OwnProps> = ({ timelineId }) => {
           <StyledResolver
             databaseDocumentID={graphEventId}
             resolverComponentInstanceID={timelineId}
-            indices={existingIndexNames}
+            indices={selectedPatterns}
             shouldUpdate={shouldUpdate}
             filters={{ from, to }}
           />
@@ -238,7 +236,7 @@ const GraphOverlayComponent: React.FC<OwnProps> = ({ timelineId }) => {
           <StyledResolver
             databaseDocumentID={graphEventId}
             resolverComponentInstanceID={timelineId}
-            indices={existingIndexNames}
+            indices={selectedPatterns}
             shouldUpdate={shouldUpdate}
             filters={{ from, to }}
           />
diff --git a/x-pack/plugins/security_solution/public/timelines/components/open_timeline/helpers.test.ts b/x-pack/plugins/security_solution/public/timelines/components/open_timeline/helpers.test.ts
index 1b93f1556a95c..225158061ad21 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/open_timeline/helpers.test.ts
+++ b/x-pack/plugins/security_solution/public/timelines/components/open_timeline/helpers.test.ts
@@ -43,7 +43,6 @@ import {
   TimelineId,
   TimelineType,
   TimelineStatus,
-  TimelineTabs,
   KueryFilterQueryKind,
 } from '../../../../common/types/timeline';
 import {
@@ -51,7 +50,6 @@ import {
   mockTemplate as mockSelectedTemplate,
 } from './__mocks__';
 import { resolveTimeline } from '../../containers/api';
-import { defaultHeaders } from '../timeline/body/column_headers/default_headers';
 
 jest.mock('../../../common/store/inputs/actions');
 jest.mock('../../../common/components/url_state/normalize_time_range.ts');
@@ -75,6 +73,57 @@ jest.mock('../../../common/utils/default_date_settings', () => {
 
 jest.mock('../../containers/api');
 
+const columns = [
+  {
+    columnHeaderType: 'not-filtered',
+    id: '@timestamp',
+    type: 'number',
+    initialWidth: 190,
+  },
+  {
+    columnHeaderType: 'not-filtered',
+    id: 'message',
+    initialWidth: 180,
+  },
+  {
+    columnHeaderType: 'not-filtered',
+    id: 'event.category',
+    initialWidth: 180,
+  },
+  {
+    columnHeaderType: 'not-filtered',
+    id: 'event.action',
+    initialWidth: 180,
+  },
+  {
+    columnHeaderType: 'not-filtered',
+    id: 'host.name',
+    initialWidth: 180,
+  },
+  {
+    columnHeaderType: 'not-filtered',
+    id: 'source.ip',
+    initialWidth: 180,
+  },
+  {
+    columnHeaderType: 'not-filtered',
+    id: 'destination.ip',
+    initialWidth: 180,
+  },
+  {
+    columnHeaderType: 'not-filtered',
+    id: 'user.name',
+    initialWidth: 180,
+  },
+];
+const defaultTimeline = {
+  ...timelineDefaults,
+  columns,
+  version: '1',
+  savedObjectId: 'savedObject-1',
+  id: 'savedObject-1',
+};
+
 describe('helpers', () => {
   let mockResults: OpenTimelineResult[];
 
@@ -237,49 +286,6 @@ describe('helpers', () => {
   });
 
   describe('#defaultTimelineToTimelineModel', () => {
-    const columns = [
-      {
-        columnHeaderType: 'not-filtered',
-        id: '@timestamp',
-        type: 'number',
-        initialWidth: 190,
-      },
-      {
-        columnHeaderType: 'not-filtered',
-        id: 'message',
-        initialWidth: 180,
-      },
-      {
-        columnHeaderType: 'not-filtered',
-        id: 'event.category',
-        initialWidth: 180,
-      },
-      {
-        columnHeaderType: 'not-filtered',
-        id: 'event.action',
-        initialWidth: 180,
-      },
-      {
-        columnHeaderType: 'not-filtered',
-        id: 'host.name',
-        initialWidth: 180,
-      },
-      {
-        columnHeaderType: 'not-filtered',
-        id: 'source.ip',
-        initialWidth: 180,
-      },
-      {
-        columnHeaderType: 'not-filtered',
-        id: 'destination.ip',
-        initialWidth: 180,
-      },
-      {
-        columnHeaderType: 'not-filtered',
-        id: 'user.name',
-        initialWidth: 180,
-      },
-    ];
     test('if title is null, we should get the default title', () => {
       const timeline = {
         savedObjectId: 'savedObject-1',
@@ -289,65 +295,7 @@ describe('helpers', () => {
 
       const newTimeline = defaultTimelineToTimelineModel(timeline, false);
       expect(newTimeline).toEqual({
-        activeTab: TimelineTabs.query,
-        prevActiveTab: TimelineTabs.query,
-        columns,
-        defaultColumns: defaultHeaders,
-        dataProviders: [],
-        dateRange: { start: '2020-07-07T08:20:18.966Z', end: '2020-07-08T08:20:18.966Z' },
-        description: '',
-        documentType: '',
-        deletedEventIds: [],
-        eqlOptions: {
-          eventCategoryField: 'event.category',
-          tiebreakerField: '',
-          timestampField: '@timestamp',
-          query: '',
-          size: 100,
-        },
-        eventIdToNoteIds: {},
-        eventType: 'all',
-        excludedRowRendererIds: [],
-        expandedDetail: {},
-        filters: [],
-        highlightedDropAndProviderId: '',
-        historyIds: [],
-        id: 'savedObject-1',
-        indexNames: [],
-        isFavorite: false,
-        isLive: false,
-        isSelectAllChecked: false,
-        isLoading: false,
-        isSaving: false,
-        itemsPerPage: 25,
-        itemsPerPageOptions: [10, 25, 50, 100],
-        kqlMode: 'filter',
-        kqlQuery: {
-          filterQuery: null,
-        },
-        loadingEventIds: [],
-        noteIds: [],
-        pinnedEventIds: {},
-        pinnedEventsSaveObject: {},
-        queryFields: [],
-        savedObjectId: 'savedObject-1',
-        selectAll: false,
-        selectedEventIds: {},
-        show: false,
-        showCheckboxes: false,
-        sort: [
-          {
-            columnId: '@timestamp',
-            columnType: 'number',
-            sortDirection: 'desc',
-          },
-        ],
-        status: TimelineStatus.draft,
-        title: '',
-        timelineType: TimelineType.default,
-        templateTimelineId: null,
-        templateTimelineVersion: null,
-        version: '1',
+        ...defaultTimeline,
       });
     });
 
@@ -362,65 +310,8 @@ describe('helpers', () => {
 
       const newTimeline = defaultTimelineToTimelineModel(timeline, false, TimelineType.template);
       expect(newTimeline).toEqual({
-        activeTab: TimelineTabs.query,
-        prevActiveTab: TimelineTabs.query,
-        columns,
-        defaultColumns: defaultHeaders,
-        dataProviders: [],
-        dateRange: { start: '2020-07-07T08:20:18.966Z', end: '2020-07-08T08:20:18.966Z' },
-        description: '',
-        documentType: '',
-        deletedEventIds: [],
-        eqlOptions: {
-          eventCategoryField: 'event.category',
-          tiebreakerField: '',
-          timestampField: '@timestamp',
-          query: '',
-          size: 100,
-        },
-        eventIdToNoteIds: {},
-        eventType: 'all',
-        excludedRowRendererIds: [],
-        expandedDetail: {},
-        filters: [],
-        highlightedDropAndProviderId: '',
-        historyIds: [],
-        id: 'savedObject-1',
-        indexNames: [],
-        isFavorite: false,
-        isLive: false,
-        isSelectAllChecked: false,
-        isLoading: false,
-        isSaving: false,
-        itemsPerPage: 25,
-        itemsPerPageOptions: [10, 25, 50, 100],
-        kqlMode: 'filter',
-        kqlQuery: {
-          filterQuery: null,
-        },
-        loadingEventIds: [],
-        noteIds: [],
-        pinnedEventIds: {},
-        pinnedEventsSaveObject: {},
-        queryFields: [],
-        savedObjectId: 'savedObject-1',
-        selectAll: false,
-        selectedEventIds: {},
-        show: false,
-        showCheckboxes: false,
-        sort: [
-          {
-            columnId: '@timestamp',
-            columnType: 'number',
-            sortDirection: 'desc',
-          },
-        ],
-        status: TimelineStatus.draft,
-        title: '',
+        ...defaultTimeline,
         timelineType: TimelineType.template,
-        templateTimelineId: null,
-        templateTimelineVersion: null,
-        version: '1',
       });
     });
 
@@ -435,65 +326,7 @@ describe('helpers', () => {
 
       const newTimeline = defaultTimelineToTimelineModel(timeline, false, TimelineType.default);
       expect(newTimeline).toEqual({
-        activeTab: TimelineTabs.query,
-        prevActiveTab: TimelineTabs.query,
-        columns,
-        defaultColumns: defaultHeaders,
-        dataProviders: [],
-        dateRange: { start: '2020-07-07T08:20:18.966Z', end: '2020-07-08T08:20:18.966Z' },
-        description: '',
-        documentType: '',
-        deletedEventIds: [],
-        eqlOptions: {
-          eventCategoryField: 'event.category',
-          tiebreakerField: '',
-          timestampField: '@timestamp',
-          query: '',
-          size: 100,
-        },
-        eventIdToNoteIds: {},
-        eventType: 'all',
-        excludedRowRendererIds: [],
-        expandedDetail: {},
-        filters: [],
-        highlightedDropAndProviderId: '',
-        historyIds: [],
-        id: 'savedObject-1',
-        indexNames: [],
-        isFavorite: false,
-        isLive: false,
-        isSelectAllChecked: false,
-        isLoading: false,
-        isSaving: false,
-        itemsPerPage: 25,
-        itemsPerPageOptions: [10, 25, 50, 100],
-        kqlMode: 'filter',
-        kqlQuery: {
-          filterQuery: null,
-        },
-        loadingEventIds: [],
-        noteIds: [],
-        pinnedEventIds: {},
-        pinnedEventsSaveObject: {},
-        queryFields: [],
-        savedObjectId: 'savedObject-1',
-        selectAll: false,
-        selectedEventIds: {},
-        show: false,
-        showCheckboxes: false,
-        sort: [
-          {
-            columnId: '@timestamp',
-            columnType: 'number',
-            sortDirection: 'desc',
-          },
-        ],
-        status: TimelineStatus.draft,
-        title: '',
-        timelineType: TimelineType.default,
-        templateTimelineId: null,
-        templateTimelineVersion: null,
-        version: '1',
+        ...defaultTimeline,
       });
     });
 
@@ -506,65 +339,7 @@ describe('helpers', () => {
 
       const newTimeline = defaultTimelineToTimelineModel(timeline, false);
       expect(newTimeline).toEqual({
-        activeTab: TimelineTabs.query,
-        prevActiveTab: TimelineTabs.query,
-        columns,
-        defaultColumns: defaultHeaders,
-        dataProviders: [],
-        dateRange: { start: '2020-07-07T08:20:18.966Z', end: '2020-07-08T08:20:18.966Z' },
-        description: '',
-        documentType: '',
-        deletedEventIds: [],
-        eqlOptions: {
-          eventCategoryField: 'event.category',
-          tiebreakerField: '',
-          timestampField: '@timestamp',
-          query: '',
-          size: 100,
-        },
-        eventIdToNoteIds: {},
-        eventType: 'all',
-        excludedRowRendererIds: [],
-        expandedDetail: {},
-        filters: [],
-        highlightedDropAndProviderId: '',
-        historyIds: [],
-        indexNames: [],
-        id: 'savedObject-1',
-        isFavorite: false,
-        isLive: false,
-        isSelectAllChecked: false,
-        isLoading: false,
-        isSaving: false,
-        itemsPerPage: 25,
-        itemsPerPageOptions: [10, 25, 50, 100],
-        kqlMode: 'filter',
-        kqlQuery: {
-          filterQuery: null,
-        },
-        loadingEventIds: [],
-        noteIds: [],
-        pinnedEventIds: {},
-        pinnedEventsSaveObject: {},
-        queryFields: [],
-        savedObjectId: 'savedObject-1',
-        selectAll: false,
-        selectedEventIds: {},
-        show: false,
-        showCheckboxes: false,
-        sort: [
-          {
-            columnId: '@timestamp',
-            columnType: 'number',
-            sortDirection: 'desc',
-          },
-        ],
-        status: TimelineStatus.draft,
-        title: '',
-        timelineType: TimelineType.default,
-        templateTimelineId: null,
-        templateTimelineVersion: null,
-        version: '1',
+        ...defaultTimeline,
       });
     });
 
@@ -580,65 +355,8 @@ describe('helpers', () => {
 
       const newTimeline = defaultTimelineToTimelineModel(timeline, false);
       expect(newTimeline).toEqual({
-        activeTab: TimelineTabs.query,
-        prevActiveTab: TimelineTabs.query,
-        savedObjectId: 'savedObject-1',
+        ...defaultTimeline,
         columns: columnsWithoutEventAction,
-        defaultColumns: defaultHeaders,
-        version: '1',
-        dataProviders: [],
-        dateRange: { start: '2020-07-07T08:20:18.966Z', end: '2020-07-08T08:20:18.966Z' },
-        description: '',
-        documentType: '',
-        deletedEventIds: [],
-        eqlOptions: {
-          eventCategoryField: 'event.category',
-          tiebreakerField: '',
-          timestampField: '@timestamp',
-          query: '',
-          size: 100,
-        },
-        eventIdToNoteIds: {},
-        eventType: 'all',
-        excludedRowRendererIds: [],
-        expandedDetail: {},
-        filters: [],
-        highlightedDropAndProviderId: '',
-        historyIds: [],
-        indexNames: [],
-        isFavorite: false,
-        isLive: false,
-        isSelectAllChecked: false,
-        isLoading: false,
-        isSaving: false,
-        itemsPerPage: 25,
-        itemsPerPageOptions: [10, 25, 50, 100],
-        kqlMode: 'filter',
-        kqlQuery: {
-          filterQuery: null,
-        },
-        loadingEventIds: [],
-        title: '',
-        timelineType: TimelineType.default,
-        templateTimelineId: null,
-        templateTimelineVersion: null,
-        noteIds: [],
-        pinnedEventIds: {},
-        pinnedEventsSaveObject: {},
-        queryFields: [],
-        selectAll: false,
-        selectedEventIds: {},
-        show: false,
-        showCheckboxes: false,
-        sort: [
-          {
-            columnId: '@timestamp',
-            columnType: 'number',
-            sortDirection: 'desc',
-          },
-        ],
-        status: TimelineStatus.draft,
-        id: 'savedObject-1',
       });
     });
 
@@ -685,29 +403,10 @@ describe('helpers', () => {
       };
 
       const newTimeline = defaultTimelineToTimelineModel(timeline, false);
+
       expect(newTimeline).toEqual({
-        activeTab: TimelineTabs.query,
-        prevActiveTab: TimelineTabs.query,
-        savedObjectId: 'savedObject-1',
+        ...defaultTimeline,
         columns: columnsWithoutEventAction,
-        defaultColumns: defaultHeaders,
-        version: '1',
-        dateRange: { start: '2020-07-07T08:20:18.966Z', end: '2020-07-08T08:20:18.966Z' },
-        dataProviders: [],
-        description: '',
-        documentType: '',
-        deletedEventIds: [],
-        eqlOptions: {
-          eventCategoryField: 'event.category',
-          tiebreakerField: '',
-          timestampField: '@timestamp',
-          query: '',
-          size: 100,
-        },
-        eventIdToNoteIds: {},
-        eventType: 'all',
-        excludedRowRendererIds: [],
-        expandedDetail: {},
         filters: [
           {
             $state: {
@@ -752,42 +451,6 @@ describe('helpers', () => {
             },
           },
         ],
-        highlightedDropAndProviderId: '',
-        historyIds: [],
-        indexNames: [],
-        isFavorite: false,
-        isLive: false,
-        isSelectAllChecked: false,
-        isLoading: false,
-        isSaving: false,
-        itemsPerPage: 25,
-        itemsPerPageOptions: [10, 25, 50, 100],
-        kqlMode: 'filter',
-        kqlQuery: {
-          filterQuery: null,
-        },
-        loadingEventIds: [],
-        title: '',
-        timelineType: TimelineType.default,
-        templateTimelineId: null,
-        templateTimelineVersion: null,
-        noteIds: [],
-        pinnedEventIds: {},
-        pinnedEventsSaveObject: {},
-        queryFields: [],
-        selectAll: false,
-        selectedEventIds: {},
-        show: false,
-        showCheckboxes: false,
-        sort: [
-          {
-            columnId: '@timestamp',
-            columnType: 'number',
-            sortDirection: 'desc',
-          },
-        ],
-        status: TimelineStatus.draft,
-        id: 'savedObject-1',
       });
     });
 
@@ -802,65 +465,11 @@ describe('helpers', () => {
 
       const newTimeline = defaultTimelineToTimelineModel(timeline, false, TimelineType.template);
       expect(newTimeline).toEqual({
-        activeTab: TimelineTabs.query,
-        prevActiveTab: TimelineTabs.query,
-        columns,
-        defaultColumns: defaultHeaders,
-        dataProviders: [],
+        ...defaultTimeline,
         dateRange: { end: '2020-10-28T11:37:31.655Z', start: '2020-10-27T11:37:31.655Z' },
-        description: '',
-        documentType: '',
-        deletedEventIds: [],
-        eqlOptions: {
-          eventCategoryField: 'event.category',
-          tiebreakerField: '',
-          timestampField: '@timestamp',
-          query: '',
-          size: 100,
-        },
-        eventIdToNoteIds: {},
-        eventType: 'all',
-        excludedRowRendererIds: [],
-        expandedDetail: {},
-        filters: [],
-        highlightedDropAndProviderId: '',
-        historyIds: [],
-        id: 'savedObject-1',
-        indexNames: [],
-        isFavorite: false,
-        isLive: false,
-        isSelectAllChecked: false,
-        isLoading: false,
-        isSaving: false,
-        itemsPerPage: 25,
-        itemsPerPageOptions: [10, 25, 50, 100],
-        kqlMode: 'filter',
-        kqlQuery: {
-          filterQuery: null,
-        },
-        loadingEventIds: [],
-        noteIds: [],
-        pinnedEventIds: {},
-        pinnedEventsSaveObject: {},
-        queryFields: [],
-        savedObjectId: 'savedObject-1',
-        selectAll: false,
-        selectedEventIds: {},
-        show: false,
-        showCheckboxes: false,
-        sort: [
-          {
-            columnId: '@timestamp',
-            columnType: 'number',
-            sortDirection: 'desc',
-          },
-        ],
         status: TimelineStatus.immutable,
-        title: 'Awesome Timeline',
         timelineType: TimelineType.template,
-        templateTimelineId: null,
-        templateTimelineVersion: null,
-        version: '1',
+        title: 'Awesome Timeline',
       });
     });
 
@@ -875,65 +484,10 @@ describe('helpers', () => {
 
       const newTimeline = defaultTimelineToTimelineModel(timeline, false, TimelineType.default);
       expect(newTimeline).toEqual({
-        activeTab: TimelineTabs.query,
-        prevActiveTab: TimelineTabs.query,
-        columns,
-        defaultColumns: defaultHeaders,
-        dataProviders: [],
+        ...defaultTimeline,
         dateRange: { end: '2020-07-08T08:20:18.966Z', start: '2020-07-07T08:20:18.966Z' },
-        description: '',
-        documentType: '',
-        deletedEventIds: [],
-        eqlOptions: {
-          eventCategoryField: 'event.category',
-          tiebreakerField: '',
-          timestampField: '@timestamp',
-          query: '',
-          size: 100,
-        },
-        eventIdToNoteIds: {},
-        eventType: 'all',
-        excludedRowRendererIds: [],
-        expandedDetail: {},
-        filters: [],
-        highlightedDropAndProviderId: '',
-        historyIds: [],
-        id: 'savedObject-1',
-        indexNames: [],
-        isFavorite: false,
-        isLive: false,
-        isSelectAllChecked: false,
-        isLoading: false,
-        isSaving: false,
-        itemsPerPage: 25,
-        itemsPerPageOptions: [10, 25, 50, 100],
-        kqlMode: 'filter',
-        kqlQuery: {
-          filterQuery: null,
-        },
-        loadingEventIds: [],
-        noteIds: [],
-        pinnedEventIds: {},
-        pinnedEventsSaveObject: {},
-        queryFields: [],
-        savedObjectId: 'savedObject-1',
-        selectAll: false,
-        selectedEventIds: {},
-        show: false,
-        showCheckboxes: false,
-        sort: [
-          {
-            columnId: '@timestamp',
-            columnType: 'number',
-            sortDirection: 'desc',
-          },
-        ],
         status: TimelineStatus.active,
         title: 'Awesome Timeline',
-        timelineType: TimelineType.default,
-        templateTimelineId: null,
-        templateTimelineVersion: null,
-        version: '1',
       });
     });
   });
@@ -1189,6 +743,15 @@ describe('helpers', () => {
     let clock: sinon.SinonFakeTimers;
     let timelineDispatch: DispatchUpdateTimeline;
 
+    const defaultArgs = {
+      duplicate: true,
+      id: TimelineId.active,
+      from: '2020-03-26T14:35:56.356Z',
+      to: '2020-03-26T14:41:56.356Z',
+      notes: [],
+      timeline: mockTimelineModel,
+    };
+
     beforeEach(() => {
       jest.clearAllMocks();
 
@@ -1201,14 +764,7 @@ describe('helpers', () => {
     });
 
     test('it invokes date range picker dispatch', () => {
-      timelineDispatch({
-        duplicate: true,
-        id: TimelineId.active,
-        from: '2020-03-26T14:35:56.356Z',
-        to: '2020-03-26T14:41:56.356Z',
-        notes: [],
-        timeline: mockTimelineModel,
-      })();
+      timelineDispatch(defaultArgs)();
 
       expect(dispatchSetTimelineRangeDatePicker).toHaveBeenCalledWith({
         from: '2020-03-26T14:35:56.356Z',
@@ -1217,14 +773,7 @@ describe('helpers', () => {
     });
 
     test('it invokes add timeline dispatch', () => {
-      timelineDispatch({
-        duplicate: true,
-        id: TimelineId.active,
-        from: '2020-03-26T14:35:56.356Z',
-        to: '2020-03-26T14:41:56.356Z',
-        notes: [],
-        timeline: mockTimelineModel,
-      })();
+      timelineDispatch(defaultArgs)();
 
       expect(dispatchAddTimeline).toHaveBeenCalledWith({
         id: TimelineId.active,
@@ -1234,27 +783,13 @@ describe('helpers', () => {
     });
 
     test('it does not invoke kql filter query dispatches if timeline.kqlQuery.filterQuery is null', () => {
-      timelineDispatch({
-        duplicate: true,
-        id: TimelineId.active,
-        from: '2020-03-26T14:35:56.356Z',
-        to: '2020-03-26T14:41:56.356Z',
-        notes: [],
-        timeline: mockTimelineModel,
-      })();
+      timelineDispatch(defaultArgs)();
 
       expect(dispatchApplyKqlFilterQuery).not.toHaveBeenCalled();
     });
 
     test('it does not invoke notes dispatch if duplicate is true', () => {
-      timelineDispatch({
-        duplicate: true,
-        id: TimelineId.active,
-        from: '2020-03-26T14:35:56.356Z',
-        to: '2020-03-26T14:41:56.356Z',
-        notes: [],
-        timeline: mockTimelineModel,
-      })();
+      timelineDispatch(defaultArgs)();
 
       expect(dispatchAddNotes).not.toHaveBeenCalled();
     });
@@ -1270,11 +805,7 @@ describe('helpers', () => {
         },
       };
       timelineDispatch({
-        duplicate: true,
-        id: TimelineId.active,
-        from: '2020-03-26T14:35:56.356Z',
-        to: '2020-03-26T14:41:56.356Z',
-        notes: [],
+        ...defaultArgs,
         timeline: mockTimeline,
       })();
 
@@ -1292,11 +823,7 @@ describe('helpers', () => {
         },
       };
       timelineDispatch({
-        duplicate: true,
-        id: TimelineId.active,
-        from: '2020-03-26T14:35:56.356Z',
-        to: '2020-03-26T14:41:56.356Z',
-        notes: [],
+        ...defaultArgs,
         timeline: mockTimeline,
       })();
 
@@ -1314,10 +841,8 @@ describe('helpers', () => {
 
     test('it invokes dispatchAddNotes if duplicate is false', () => {
       timelineDispatch({
+        ...defaultArgs,
         duplicate: false,
-        id: TimelineId.active,
-        from: '2020-03-26T14:35:56.356Z',
-        to: '2020-03-26T14:41:56.356Z',
         notes: [
           {
             created: 1585233356356,
@@ -1326,7 +851,6 @@ describe('helpers', () => {
             note: 'I am a note',
           },
         ],
-        timeline: mockTimelineModel,
       })();
 
       expect(dispatchAddGlobalTimelineNote).not.toHaveBeenCalled();
@@ -1350,12 +874,7 @@ describe('helpers', () => {
 
     test('it invokes dispatch to create a timeline note if duplicate is true and ruleNote exists', () => {
       timelineDispatch({
-        duplicate: true,
-        id: TimelineId.active,
-        from: '2020-03-26T14:35:56.356Z',
-        to: '2020-03-26T14:41:56.356Z',
-        notes: [],
-        timeline: mockTimelineModel,
+        ...defaultArgs,
         ruleNote: '# this would be some markdown',
       })();
       const expectedNote: Note = {
diff --git a/x-pack/plugins/security_solution/public/timelines/components/open_timeline/helpers.ts b/x-pack/plugins/security_solution/public/timelines/components/open_timeline/helpers.ts
index f325ab34e88d5..12f0b373d24f9 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/open_timeline/helpers.ts
+++ b/x-pack/plugins/security_solution/public/timelines/components/open_timeline/helpers.ts
@@ -413,8 +413,9 @@ export const dispatchUpdateTimeline =
   () => {
     if (!isEmpty(timeline.indexNames)) {
       dispatch(
-        sourcererActions.initTimelineIndexPatterns({
+        sourcererActions.setSelectedDataView({
           id: SourcererScopeName.timeline,
+          selectedDataViewId: timeline.dataViewId,
           selectedPatterns: timeline.indexNames,
           eventType: timeline.eventType,
         })
diff --git a/x-pack/plugins/security_solution/public/timelines/components/open_timeline/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/open_timeline/index.tsx
index 25dcdb887d336..f12731396c053 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/open_timeline/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/open_timeline/index.tsx
@@ -8,8 +8,7 @@
 import React, { useEffect, useState, useCallback, useMemo } from 'react';
 import { useDispatch } from 'react-redux';
 
-import { sourcererSelectors } from '../../../common/store';
-import { useShallowEqualSelector, useDeepEqualSelector } from '../../../common/hooks/use_selector';
+import { useShallowEqualSelector } from '../../../common/hooks/use_selector';
 import { SortFieldTimeline, TimelineId } from '../../../../common/types/timeline';
 import { TimelineModel } from '../../../timelines/store/timeline/model';
 import { timelineSelectors } from '../../../timelines/store/timeline';
@@ -46,6 +45,8 @@ import { useTimelineTypes } from './use_timeline_types';
 import { useTimelineStatus } from './use_timeline_status';
 import { deleteTimelinesByIds } from '../../containers/api';
 import { Direction } from '../../../../common/search_strategy';
+import { SourcererScopeName } from '../../../common/store/sourcerer/model';
+import { useSourcererDataView } from '../../../common/containers/sourcerer';
 
 interface OwnProps<TCache = object> {
   /** Displays open timeline in modal */
@@ -108,11 +109,7 @@ export const StatefulOpenTimelineComponent = React.memo<OpenTimelineOwnProps>(
       (state) => getTimeline(state, TimelineId.active)?.savedObjectId ?? ''
     );
 
-    const existingIndexNamesSelector = useMemo(
-      () => sourcererSelectors.getAllExistingIndexNamesSelector(),
-      []
-    );
-    const existingIndexNames = useDeepEqualSelector<string[]>(existingIndexNamesSelector);
+    const { dataViewId, selectedPatterns } = useSourcererDataView(SourcererScopeName.timeline);
 
     const updateTimeline = useMemo(() => dispatchUpdateTimeline(dispatch), [dispatch]);
     const updateIsLoading = useCallback(
@@ -204,7 +201,8 @@ export const StatefulOpenTimelineComponent = React.memo<OpenTimelineOwnProps>(
             dispatchCreateNewTimeline({
               id: TimelineId.active,
               columns: defaultHeaders,
-              indexNames: existingIndexNames,
+              dataViewId,
+              indexNames: selectedPatterns,
               show: false,
             })
           );
@@ -213,7 +211,7 @@ export const StatefulOpenTimelineComponent = React.memo<OpenTimelineOwnProps>(
         await deleteTimelinesByIds(timelineIds);
         refetch();
       },
-      [dispatch, existingIndexNames, refetch, timelineSavedObjectId]
+      [timelineSavedObjectId, refetch, dispatch, dataViewId, selectedPatterns]
     );
 
     const onDeleteOneTimeline: OnDeleteOneTimeline = useCallback(
diff --git a/x-pack/plugins/security_solution/public/timelines/components/open_timeline/note_previews/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/open_timeline/note_previews/index.tsx
index aff12b74fbfbf..1016a430807be 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/open_timeline/note_previews/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/open_timeline/note_previews/index.tsx
@@ -26,8 +26,9 @@ import { NOTE_CONTENT_CLASS_NAME } from '../../timeline/body/helpers';
 import * as i18n from './translations';
 import { TimelineTabs } from '../../../../../common/types/timeline';
 import { useDeepEqualSelector } from '../../../../common/hooks/use_selector';
-import { sourcererSelectors } from '../../../../common/store';
 import { SaveTimelineButton } from '../../timeline/header/save_timeline_button';
+import { SourcererScopeName } from '../../../../common/store/sourcerer/model';
+import { useSourcererDataView } from '../../../../common/containers/sourcerer';
 
 export const NotePreviewsContainer = styled.section`
   padding-top: ${({ theme }) => `${theme.eui.euiSizeS}`};
@@ -45,11 +46,7 @@ const ToggleEventDetailsButtonComponent: React.FC<ToggleEventDetailsButtonProps>
   timelineId,
 }) => {
   const dispatch = useDispatch();
-  const existingIndexNamesSelector = useMemo(
-    () => sourcererSelectors.getAllExistingIndexNamesSelector(),
-    []
-  );
-  const existingIndexNames = useDeepEqualSelector<string[]>(existingIndexNamesSelector);
+  const { selectedPatterns } = useSourcererDataView(SourcererScopeName.timeline);
 
   const handleClick = useCallback(() => {
     dispatch(
@@ -59,11 +56,11 @@ const ToggleEventDetailsButtonComponent: React.FC<ToggleEventDetailsButtonProps>
         timelineId,
         params: {
           eventId,
-          indexName: existingIndexNames.join(','),
+          indexName: selectedPatterns.join(','),
         },
       })
     );
-  }, [dispatch, eventId, existingIndexNames, timelineId]);
+  }, [dispatch, eventId, selectedPatterns, timelineId]);
 
   return (
     <EuiButtonIcon
diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap b/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap
index 2bb9da12e44ea..06dc3ea3ed967 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap
@@ -6,6 +6,7 @@ exports[`Details Panel Component DetailsPanel: rendering it should not render th
   docValueFields={Array []}
   handleOnPanelClosed={[MockFunction]}
   isFlyoutView={false}
+  runtimeMappings={Object {}}
   tabType="query"
   timelineId="test"
 />
@@ -17,6 +18,7 @@ exports[`Details Panel Component DetailsPanel: rendering it should not render th
   docValueFields={Array []}
   handleOnPanelClosed={[MockFunction]}
   isFlyoutView={false}
+  runtimeMappings={Object {}}
   tabType="query"
   timelineId="test"
 />
@@ -35,6 +37,7 @@ exports[`Details Panel Component DetailsPanel:EventDetails: rendering it should
   docValueFields={Array []}
   handleOnPanelClosed={[MockFunction]}
   isFlyoutView={false}
+  runtimeMappings={Object {}}
   tabType="query"
   timelineId="test"
 >
@@ -199,6 +202,7 @@ exports[`Details Panel Component DetailsPanel:EventDetails: rendering it should
     handleOnEventClosed={[Function]}
     isDraggable={false}
     isFlyoutView={false}
+    runtimeMappings={Object {}}
     tabType="query"
     timelineId="test"
   >
@@ -742,6 +746,7 @@ Array [
         handleOnEventClosed={[Function]}
         isDraggable={false}
         isFlyoutView={true}
+        runtimeMappings={Object {}}
         tabType="query"
         timelineId="test"
       >
@@ -1781,6 +1786,7 @@ Array [
       handleOnEventClosed={[Function]}
       isDraggable={false}
       isFlyoutView={true}
+      runtimeMappings={Object {}}
       tabType="query"
       timelineId="test"
     >
diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx
index 07a0aeabcb998..947786695ded3 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx
@@ -17,6 +17,7 @@ import {
 import React, { useState, useCallback, useMemo } from 'react';
 import styled from 'styled-components';
 import deepEqual from 'fast-deep-equal';
+import { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { BrowserFields, DocValueFields } from '../../../../common/containers/source';
 import { ExpandableEvent, ExpandableEventTitle } from './expandable_event';
 import { useTimelineEventsDetails } from '../../../containers/details';
@@ -64,6 +65,7 @@ interface EventDetailsPanelProps {
   handleOnEventClosed: () => void;
   isDraggable?: boolean;
   isFlyoutView?: boolean;
+  runtimeMappings: MappingRuntimeFields;
   tabType: TimelineTabs;
   timelineId: string;
 }
@@ -76,6 +78,7 @@ const EventDetailsPanelComponent: React.FC<EventDetailsPanelProps> = ({
   handleOnEventClosed,
   isDraggable,
   isFlyoutView,
+  runtimeMappings,
   tabType,
   timelineId,
 }) => {
@@ -84,6 +87,7 @@ const EventDetailsPanelComponent: React.FC<EventDetailsPanelProps> = ({
     entityType,
     indexName: expandedEvent.indexName ?? '',
     eventId: expandedEvent.eventId ?? '',
+    runtimeMappings,
     skip: !expandedEvent.eventId,
   });
 
diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/host_details/__snapshots__/expandable_host.test.tsx.snap b/x-pack/plugins/security_solution/public/timelines/components/side_panel/host_details/__snapshots__/expandable_host.test.tsx.snap
index ad149cbcd63d0..43efd8cd824e6 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/host_details/__snapshots__/expandable_host.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/host_details/__snapshots__/expandable_host.test.tsx.snap
@@ -105,7 +105,15 @@ exports[`Expandable Host Component ExpandableHostDetails: rendering it should re
       id="hostsDetailsQuery"
       indexNames={
         Array [
-          "IShouldBeUsed",
+          "-*elastic-cloud-logs-*",
+          "apm-*-transaction*",
+          "auditbeat-*",
+          "endgame-*",
+          "filebeat-*",
+          "logs-*",
+          "packetbeat-*",
+          "traces-apm*",
+          "winlogbeat-*",
         ]
       }
       isDraggable={false}
diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/host_details/expandable_host.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/host_details/expandable_host.test.tsx
index c2df8959c8c94..5efeacee15a37 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/host_details/expandable_host.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/host_details/expandable_host.test.tsx
@@ -9,28 +9,11 @@ import { mount } from 'enzyme';
 import React from 'react';
 
 import '../../../../common/mock/match_media';
-import {
-  mockGlobalState,
-  TestProviders,
-  SUB_PLUGINS_REDUCER,
-  kibanaObservable,
-  createSecuritySolutionStorageMock,
-} from '../../../../common/mock';
-import { createStore, State } from '../../../../common/store';
+import { mockGlobalState, TestProviders } from '../../../../common/mock';
 import { ExpandableHostDetails } from './expandable_host';
+import { EXCLUDE_ELASTIC_CLOUD_INDEX } from '../../../../common/containers/sourcerer';
 
 describe('Expandable Host Component', () => {
-  const state: State = {
-    ...mockGlobalState,
-    sourcerer: {
-      ...mockGlobalState.sourcerer,
-      configIndexPatterns: ['IShouldBeUsed'],
-    },
-  };
-
-  const { storage } = createSecuritySolutionStorageMock();
-  const store = createStore(state, SUB_PLUGINS_REDUCER, kibanaObservable, storage);
-
   const mockProps = {
     contextID: 'text-context',
     hostName: 'testHostName',
@@ -39,7 +22,7 @@ describe('Expandable Host Component', () => {
   describe('ExpandableHostDetails: rendering', () => {
     test('it should render the HostOverview of the ExpandableHostDetails', () => {
       const wrapper = mount(
-        <TestProviders store={store}>
+        <TestProviders>
           <ExpandableHostDetails {...mockProps} />
         </TestProviders>
       );
@@ -49,12 +32,15 @@ describe('Expandable Host Component', () => {
 
     test('it should render the HostOverview of the ExpandableHostDetails with the correct indices', () => {
       const wrapper = mount(
-        <TestProviders store={store}>
+        <TestProviders>
           <ExpandableHostDetails {...mockProps} />
         </TestProviders>
       );
 
-      expect(wrapper.find('HostOverview').prop('indexNames')).toStrictEqual(['IShouldBeUsed']);
+      expect(wrapper.find('HostOverview').prop('indexNames')).toStrictEqual([
+        EXCLUDE_ELASTIC_CLOUD_INDEX,
+        ...mockGlobalState.sourcerer.sourcererScopes.default.selectedPatterns,
+      ]);
     });
   });
 });
diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/host_details/expandable_host.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/host_details/expandable_host.tsx
index 3fe8c2dcc8e08..dae1f7add11e3 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/host_details/expandable_host.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/host_details/expandable_host.tsx
@@ -5,14 +5,13 @@
  * 2.0.
  */
 
-import React, { useMemo } from 'react';
+import React from 'react';
 import styled from 'styled-components';
 import { i18n } from '@kbn/i18n';
 import { EuiTitle } from '@elastic/eui';
-import { sourcererSelectors } from '../../../../common/store/sourcerer';
 import { HostDetailsLink } from '../../../../common/components/links';
 import { useGlobalTime } from '../../../../common/containers/use_global_time';
-import { useSourcererScope } from '../../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../../../common/containers/sourcerer';
 import { HostOverview } from '../../../../overview/components/host_overview';
 import { setAbsoluteRangeDatePicker } from '../../../../common/store/inputs/actions';
 import { HostItem } from '../../../../../common/search_strategy';
@@ -20,7 +19,6 @@ import { AnomalyTableProvider } from '../../../../common/components/ml/anomaly/a
 import { hostToCriteria } from '../../../../common/components/ml/criteria/host_to_criteria';
 import { scoreIntervalToDateTime } from '../../../../common/components/ml/score/score_interval_to_datetime';
 import { useHostDetails, ID } from '../../../../hosts/containers/hosts/details';
-import { useDeepEqualSelector } from '../../../../common/hooks/use_selector';
 
 interface ExpandableHostProps {
   hostName: string;
@@ -57,9 +55,8 @@ export const ExpandableHostDetails = ({
   isDraggable = false,
 }: ExpandableHostProps & { contextID: string; isDraggable?: boolean }) => {
   const { to, from, isInitializing } = useGlobalTime();
-  const { docValueFields } = useSourcererScope();
   /*
-    Normally `selectedPatterns` from useSourcerScope would be where we obtain the indices,
+    Normally `selectedPatterns` from useSourcererDataView would be where we obtain the indices,
     but those indices are only loaded when viewing the pages where the sourcerer is initialized (i.e. Hosts and Overview)
     When a user goes directly to the detections page, the patterns have not been loaded yet
     as that information isn't used for the detections page. With this details component being accessible
@@ -67,15 +64,12 @@ export const ExpandableHostDetails = ({
     Otherwise, an empty array is defaulted for the `indexNames` in the query which leads to inconsistencies in the data returned
     (i.e. extraneous endpoint data is retrieved from the backend leading to endpoint data not being returned)
   */
-  const allExistingIndexNamesSelector = useMemo(
-    () => sourcererSelectors.getAllExistingIndexNamesSelector(),
-    []
-  );
-  const allPatterns = useDeepEqualSelector<string[]>(allExistingIndexNamesSelector);
+  const { docValueFields, selectedPatterns } = useSourcererDataView();
+
   const [loading, { hostDetails: hostOverview }] = useHostDetails({
     endDate: to,
     hostName,
-    indexNames: allPatterns,
+    indexNames: selectedPatterns,
     startDate: from,
   });
   return (
@@ -95,7 +89,7 @@ export const ExpandableHostDetails = ({
           anomaliesData={anomaliesData}
           isDraggable={isDraggable}
           isLoadingAnomaliesData={isLoadingAnomaliesData}
-          indexNames={allPatterns}
+          indexNames={selectedPatterns}
           loading={loading}
           startDate={from}
           endDate={to}
diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/index.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/index.test.tsx
index 7e530da542bf8..5870ba42405fe 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/index.test.tsx
@@ -97,6 +97,7 @@ describe('Details Panel Component', () => {
     docValueFields: [],
     handleOnPanelClosed: jest.fn(),
     isFlyoutView: false,
+    runtimeMappings: {},
     tabType: TimelineTabs.query,
     timelineId: 'test',
   };
diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/index.tsx
index a9b1126edcaeb..1723f3f7f91af 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/index.tsx
@@ -9,6 +9,7 @@ import React, { useCallback, useMemo } from 'react';
 import { useDispatch } from 'react-redux';
 import { EuiFlyout, EuiFlyoutProps } from '@elastic/eui';
 
+import { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { timelineActions, timelineSelectors } from '../../store/timeline';
 import { timelineDefaults } from '../../store/timeline/defaults';
 import { BrowserFields, DocValueFields } from '../../../common/containers/source';
@@ -25,6 +26,7 @@ interface DetailsPanelProps {
   entityType?: EntityType;
   handleOnPanelClosed?: () => void;
   isFlyoutView?: boolean;
+  runtimeMappings: MappingRuntimeFields;
   tabType?: TimelineTabs;
   timelineId: string;
 }
@@ -41,6 +43,7 @@ export const DetailsPanel = React.memo(
     entityType,
     handleOnPanelClosed,
     isFlyoutView,
+    runtimeMappings,
     tabType,
     timelineId,
   }: DetailsPanelProps) => {
@@ -82,6 +85,7 @@ export const DetailsPanel = React.memo(
           handleOnEventClosed={closePanel}
           isDraggable={isDraggable}
           isFlyoutView={isFlyoutView}
+          runtimeMappings={runtimeMappings}
           tabType={activeTab}
           timelineId={timelineId}
         />
diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/network_details/expandable_network.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/network_details/expandable_network.tsx
index 184379cd366b1..5b13f3f2a3b1b 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/network_details/expandable_network.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/network_details/expandable_network.tsx
@@ -24,7 +24,7 @@ import { inputsSelectors } from '../../../../common/store';
 import { setAbsoluteRangeDatePicker } from '../../../../common/store/inputs/actions';
 import { OverviewEmpty } from '../../../../overview/components/overview_empty';
 import { esQuery } from '../../../../../../../../src/plugins/data/public';
-import { useSourcererScope } from '../../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../../../common/containers/sourcerer';
 import { useNetworkDetails } from '../../../../network/containers/details';
 import { networkModel } from '../../../../network/store';
 import { useAnomaliesTableData } from '../../../../common/components/ml/anomaly/use_anomalies_table_data';
@@ -98,7 +98,7 @@ export const ExpandableNetworkDetails = ({
     services: { uiSettings },
   } = useKibana();
 
-  const { docValueFields, indicesExist, indexPattern, selectedPatterns } = useSourcererScope();
+  const { docValueFields, indicesExist, indexPattern, selectedPatterns } = useSourcererDataView();
   const [filterQuery, kqlError] = convertToBuildEsQuery({
     config: esQuery.getEsQueryConfig(uiSettings),
     indexPattern,
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/column_headers/__snapshots__/index.test.tsx.snap b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/column_headers/__snapshots__/index.test.tsx.snap
index 25d5104a98d95..11f3d6d795d75 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/column_headers/__snapshots__/index.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/column_headers/__snapshots__/index.test.tsx.snap
@@ -126,6 +126,7 @@ exports[`ColumnHeaders rendering renders correctly against snapshot 1`] = `
               "packetbeat",
             ],
             "name": "@timestamp",
+            "readFromDocValues": true,
             "searchable": true,
             "type": "date",
           },
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/column_headers/helpers.test.ts b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/column_headers/helpers.test.ts
index 85e884703c592..c59a80ae078b2 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/column_headers/helpers.test.ts
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/column_headers/helpers.test.ts
@@ -64,6 +64,7 @@ describe('helpers', () => {
           id: '@timestamp',
           indexes: ['auditbeat', 'filebeat', 'packetbeat'],
           name: '@timestamp',
+          readFromDocValues: true,
           searchable: true,
           type: 'date',
           initialWidth: 190,
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/suricata/__snapshots__/suricata_row_renderer.test.tsx.snap b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/suricata/__snapshots__/suricata_row_renderer.test.tsx.snap
index eeb8786b2cfa3..990f3a0af87c0 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/suricata/__snapshots__/suricata_row_renderer.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/suricata/__snapshots__/suricata_row_renderer.test.tsx.snap
@@ -127,6 +127,7 @@ exports[`suricata_row_renderer renders correctly against snapshot 1`] = `
                   "packetbeat",
                 ],
                 "name": "@timestamp",
+                "readFromDocValues": true,
                 "searchable": true,
                 "type": "date",
               },
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/__snapshots__/zeek_details.test.tsx.snap b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/__snapshots__/zeek_details.test.tsx.snap
index 64ca766e4dee6..546b9a31843ac 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/__snapshots__/zeek_details.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/__snapshots__/zeek_details.test.tsx.snap
@@ -125,6 +125,7 @@ exports[`ZeekDetails rendering it renders the default ZeekDetails 1`] = `
               "packetbeat",
             ],
             "name": "@timestamp",
+            "readFromDocValues": true,
             "searchable": true,
             "type": "date",
           },
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/__snapshots__/zeek_row_renderer.test.tsx.snap b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/__snapshots__/zeek_row_renderer.test.tsx.snap
index 94cbe43e93d2d..e20f63a7b9e79 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/__snapshots__/zeek_row_renderer.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/__snapshots__/zeek_row_renderer.test.tsx.snap
@@ -127,6 +127,7 @@ exports[`zeek_row_renderer renders correctly against snapshot 1`] = `
                   "packetbeat",
                 ],
                 "name": "@timestamp",
+                "readFromDocValues": true,
                 "searchable": true,
                 "type": "date",
               },
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/index.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/index.test.tsx
index ef04c1177dcd6..ddcc2df231a00 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/index.test.tsx
@@ -12,14 +12,6 @@ import { useMountAppended } from '../../../../common/utils/use_mount_appended';
 
 import { DataProviders } from '.';
 
-jest.mock('../../../../common/hooks/use_selector', () => {
-  const actual = jest.requireActual('../../../../common/hooks/use_selector');
-  return {
-    ...actual,
-    useDeepEqualSelector: jest.fn().mockReturnValue([]),
-  };
-});
-
 describe('DataProviders', () => {
   const mount = useMountAppended();
 
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/index.tsx
index f642ec35d4306..0a3a40d8f6f06 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/data_providers/index.tsx
@@ -12,7 +12,7 @@ import uuid from 'uuid';
 import { IS_DRAGGING_CLASS_NAME } from '@kbn/securitysolution-t-grid';
 
 import { SourcererScopeName } from '../../../../common/store/sourcerer/model';
-import { useSourcererScope } from '../../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../../../common/containers/sourcerer';
 import { useDeepEqualSelector } from '../../../../common/hooks/use_selector';
 import { DroppableWrapper } from '../../../../common/components/drag_and_drop/droppable_wrapper';
 import { droppableTimelineProvidersPrefix } from '../../../../common/components/drag_and_drop/helpers';
@@ -85,7 +85,7 @@ const getDroppableId = (id: string): string =>
  * the data pro section.
  */
 export const DataProviders = React.memo<Props>(({ timelineId }) => {
-  const { browserFields } = useSourcererScope(SourcererScopeName.timeline);
+  const { browserFields } = useSourcererDataView(SourcererScopeName.timeline);
   const getManageTimeline = useMemo(() => timelineSelectors.getManageTimelineById(), []);
   const { isLoading } = useDeepEqualSelector((state) => getManageTimeline(state, timelineId));
   const getTimeline = useMemo(() => timelineSelectors.getTimelineByIdSelector(), []);
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/eql_tab_content/index.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/eql_tab_content/index.test.tsx
index ad141829858ae..553a3d0e82d29 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/eql_tab_content/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/eql_tab_content/index.test.tsx
@@ -20,7 +20,7 @@ import { useMountAppended } from '../../../../common/utils/use_mount_appended';
 import { TimelineId, TimelineTabs } from '../../../../../common/types/timeline';
 import { useTimelineEvents } from '../../../containers/index';
 import { useTimelineEventsDetails } from '../../../containers/details/index';
-import { useSourcererScope } from '../../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../../../common/containers/sourcerer';
 import { mockSourcererScope } from '../../../../common/containers/sourcerer/mocks';
 import { useDraggableKeyboardWrapper as mockUseDraggableKeyboardWrapper } from '../../../../../../timelines/public/components';
 
@@ -88,7 +88,7 @@ describe('Timeline', () => {
     ]);
     (useTimelineEventsDetails as jest.Mock).mockReturnValue([false, {}]);
 
-    (useSourcererScope as jest.Mock).mockReturnValue(mockSourcererScope);
+    (useSourcererDataView as jest.Mock).mockReturnValue(mockSourcererScope);
 
     props = {
       columns: defaultHeaders,
@@ -176,7 +176,7 @@ describe('Timeline', () => {
     });
 
     test('it does render the timeline table when the source is loading with no events', () => {
-      (useSourcererScope as jest.Mock).mockReturnValue({
+      (useSourcererDataView as jest.Mock).mockReturnValue({
         browserFields: {},
         docValueFields: [],
         loading: true,
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/eql_tab_content/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/eql_tab_content/index.tsx
index 737c6b99cea75..6cb0e6f2e7982 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/eql_tab_content/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/eql_tab_content/index.tsx
@@ -47,7 +47,7 @@ import { inputsModel, inputsSelectors, State } from '../../../../common/store';
 import { sourcererActions } from '../../../../common/store/sourcerer';
 import { SourcererScopeName } from '../../../../common/store/sourcerer/model';
 import { timelineDefaults } from '../../../../timelines/store/timeline/defaults';
-import { useSourcererScope } from '../../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../../../common/containers/sourcerer';
 import { useEqlEventsCountPortal } from '../../../../common/hooks/use_timeline_events_count';
 import { TimelineModel } from '../../../../timelines/store/timeline/model';
 import { TimelineDatePickerLock } from '../date_picker_lock';
@@ -178,8 +178,9 @@ export const EqlTabContentComponent: React.FC<Props> = ({
     browserFields,
     docValueFields,
     loading: loadingSourcerer,
+    runtimeMappings,
     selectedPatterns,
-  } = useSourcererScope(SourcererScopeName.timeline);
+  } = useSourcererDataView(SourcererScopeName.timeline);
 
   const isBlankTimeline: boolean = isEmpty(eqlQuery);
 
@@ -216,6 +217,7 @@ export const EqlTabContentComponent: React.FC<Props> = ({
       language: 'eql',
       limit: itemsPerPage,
       filterQuery: eqlQuery ?? '',
+      runtimeMappings,
       startDate: start,
       skip: !canQueryTimeline(),
       timerangeKind,
@@ -346,6 +348,7 @@ export const EqlTabContentComponent: React.FC<Props> = ({
               <DetailsPanel
                 browserFields={browserFields}
                 docValueFields={docValueFields}
+                runtimeMappings={runtimeMappings}
                 tabType={TimelineTabs.eql}
                 timelineId={timelineId}
                 handleOnPanelClosed={handleOnPanelClosed}
@@ -395,12 +398,23 @@ const makeMapStateToProps = () => {
   return mapStateToProps;
 };
 const mapDispatchToProps = (dispatch: Dispatch, { timelineId }: OwnProps) => ({
-  updateEventTypeAndIndexesName: (newEventType: TimelineEventsType, newIndexNames: string[]) => {
+  updateEventTypeAndIndexesName: (
+    newEventType: TimelineEventsType,
+    newIndexNames: string[],
+    newDataViewId: string
+  ) => {
     dispatch(timelineActions.updateEventType({ id: timelineId, eventType: newEventType }));
-    dispatch(timelineActions.updateIndexNames({ id: timelineId, indexNames: newIndexNames }));
     dispatch(
-      sourcererActions.setSelectedIndexPatterns({
+      timelineActions.updateDataView({
+        dataViewId: newDataViewId,
+        id: timelineId,
+        indexNames: newIndexNames,
+      })
+    );
+    dispatch(
+      sourcererActions.setSelectedDataView({
         id: SourcererScopeName.timeline,
+        selectedDataViewId: newDataViewId,
         selectedPatterns: newIndexNames,
       })
     );
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/helpers.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/helpers.tsx
index 2c85f1547dbeb..547f005ab61ab 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/helpers.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/helpers.tsx
@@ -8,7 +8,7 @@
 import { isEmpty, get } from 'lodash/fp';
 import memoizeOne from 'memoize-one';
 
-import { EsQueryConfig, Filter, Query } from '@kbn/es-query';
+import { DataViewBase, EsQueryConfig, Filter, Query } from '@kbn/es-query';
 import {
   handleSkipFocus,
   elementOrChildrenHasFocus,
@@ -25,7 +25,6 @@ import {
   EXISTS_OPERATOR,
 } from './data_providers/data_provider';
 import { BrowserFields } from '../../../common/containers/source';
-import { IIndexPattern } from '../../../../../../../src/plugins/data/public';
 
 import { EVENTS_TABLE_CLASS_NAME } from './styles';
 
@@ -151,7 +150,7 @@ export const combineQueries = ({
 }: {
   config: EsQueryConfig;
   dataProviders: DataProvider[];
-  indexPattern: IIndexPattern;
+  indexPattern: DataViewBase;
   browserFields: BrowserFields;
   filters: Filter[];
   kqlQuery: Query;
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/index.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/index.test.tsx
index c91673e5f931c..bb1281c0eff2e 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/index.test.tsx
@@ -59,7 +59,7 @@ jest.mock('../../../common/containers/sourcerer', () => {
 
   return {
     ...originalModule,
-    useSourcererScope: jest.fn().mockReturnValue({
+    useSourcererDataView: jest.fn().mockReturnValue({
       browserFields: mockBrowserFields,
       docValueFields: mockDocValueFields,
       loading: false,
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/index.tsx
index ca883529b5ce6..48f9274fa563f 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/index.tsx
@@ -16,7 +16,7 @@ import { timelineActions, timelineSelectors } from '../../store/timeline';
 import { timelineDefaults } from '../../../timelines/store/timeline/defaults';
 import { defaultHeaders } from './body/column_headers/default_headers';
 import { CellValueElementProps } from './cell_rendering';
-import { useSourcererScope } from '../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../../common/containers/sourcerer';
 import { SourcererScopeName } from '../../../common/store/sourcerer/model';
 import { FlyoutHeader, FlyoutHeaderPanel } from '../flyout/header';
 import { TimelineType, TimelineId, RowRenderer } from '../../../../common/types/timeline';
@@ -62,7 +62,8 @@ const StatefulTimelineComponent: React.FC<Props> = ({
   const dispatch = useDispatch();
   const containerElement = useRef<HTMLDivElement | null>(null);
   const getTimeline = useMemo(() => timelineSelectors.getTimelineByIdSelector(), []);
-  const { selectedPatterns } = useSourcererScope(SourcererScopeName.timeline);
+  const { dataViewId, selectedPatterns } = useSourcererDataView(SourcererScopeName.timeline);
+
   const { graphEventId, savedObjectId, timelineType, description } = useDeepEqualSelector((state) =>
     pick(
       ['graphEventId', 'savedObjectId', 'timelineType', 'description'],
@@ -77,6 +78,7 @@ const StatefulTimelineComponent: React.FC<Props> = ({
         timelineActions.createTimeline({
           id: timelineId,
           columns: defaultHeaders,
+          dataViewId,
           indexNames: selectedPatterns,
           expandedDetail: activeTimeline.getExpandedDetail(),
           show: false,
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/notes_tab_content/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/notes_tab_content/index.tsx
index 726071b2caf74..e4d97abc0433a 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/notes_tab_content/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/notes_tab_content/index.tsx
@@ -21,7 +21,7 @@ import React, { Fragment, useCallback, useMemo, useState } from 'react';
 import { useDispatch } from 'react-redux';
 import styled from 'styled-components';
 
-import { useSourcererScope } from '../../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../../../common/containers/sourcerer';
 import { SourcererScopeName } from '../../../../common/store/sourcerer/model';
 import { timelineActions } from '../../../store/timeline';
 import {
@@ -145,8 +145,9 @@ const NotesTabContentComponent: React.FC<NotesTabContentProps> = ({ timelineId }
     noteIds,
     status: timelineStatus,
   } = useDeepEqualSelector((state) => getTimelineNotes(state, timelineId));
-
-  const { browserFields, docValueFields } = useSourcererScope(SourcererScopeName.timeline);
+  const { browserFields, docValueFields, runtimeMappings } = useSourcererDataView(
+    SourcererScopeName.timeline
+  );
 
   const getNotesAsCommentsList = useMemo(
     () => appSelectors.selectNotesAsCommentsListSelector(),
@@ -188,11 +189,19 @@ const NotesTabContentComponent: React.FC<NotesTabContentProps> = ({ timelineId }
           browserFields={browserFields}
           docValueFields={docValueFields}
           handleOnPanelClosed={handleOnPanelClosed}
+          runtimeMappings={runtimeMappings}
           tabType={TimelineTabs.notes}
           timelineId={timelineId}
         />
       ) : null,
-    [browserFields, docValueFields, expandedDetail, handleOnPanelClosed, timelineId]
+    [
+      browserFields,
+      docValueFields,
+      expandedDetail,
+      handleOnPanelClosed,
+      runtimeMappings,
+      timelineId,
+    ]
   );
 
   const SidebarContent = useMemo(
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/pinned_tab_content/index.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/pinned_tab_content/index.test.tsx
index cb41d0c69bc97..8707bb33da08c 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/pinned_tab_content/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/pinned_tab_content/index.test.tsx
@@ -19,7 +19,7 @@ import { useMountAppended } from '../../../../common/utils/use_mount_appended';
 import { TimelineId, TimelineTabs } from '../../../../../common/types/timeline';
 import { useTimelineEvents } from '../../../containers/index';
 import { useTimelineEventsDetails } from '../../../containers/details/index';
-import { useSourcererScope } from '../../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../../../common/containers/sourcerer';
 import { mockSourcererScope } from '../../../../common/containers/sourcerer/mocks';
 import { PinnedTabContentComponent, Props as PinnedTabContentComponentProps } from '.';
 import { Direction } from '../../../../../common/search_strategy';
@@ -93,7 +93,7 @@ describe('PinnedTabContent', () => {
     ]);
     (useTimelineEventsDetails as jest.Mock).mockReturnValue([false, {}]);
 
-    (useSourcererScope as jest.Mock).mockReturnValue(mockSourcererScope);
+    (useSourcererDataView as jest.Mock).mockReturnValue(mockSourcererScope);
 
     props = {
       columns: defaultHeaders,
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/pinned_tab_content/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/pinned_tab_content/index.tsx
index 2051f95b75ae8..fbb1269b05b27 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/pinned_tab_content/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/pinned_tab_content/index.tsx
@@ -22,10 +22,9 @@ import { StatefulBody } from '../body';
 import { Footer, footerHeight } from '../footer';
 import { requiredFieldsForActions } from '../../../../detections/components/alerts_table/default_config';
 import { EventDetailsWidthProvider } from '../../../../common/components/events_viewer/event_details_width_context';
-import { sourcererSelectors } from '../../../../common/store/sourcerer';
 import { SourcererScopeName } from '../../../../common/store/sourcerer/model';
 import { timelineDefaults } from '../../../store/timeline/defaults';
-import { useSourcererScope } from '../../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../../../common/containers/sourcerer';
 import { useTimelineFullScreen } from '../../../../common/containers/use_full_screen';
 import { TimelineModel } from '../../../store/timeline/model';
 import { State } from '../../../../common/store';
@@ -37,7 +36,6 @@ import {
   ToggleDetailPanel,
 } from '../../../../../common/types/timeline';
 import { DetailsPanel } from '../../side_panel';
-import { useDeepEqualSelector } from '../../../../common/hooks/use_selector';
 import { ExitFullScreen } from '../../../../common/components/exit_full_screen';
 import { defaultControlColumn } from '../body/control_columns';
 
@@ -119,15 +117,11 @@ export const PinnedTabContentComponent: React.FC<Props> = ({
     browserFields,
     docValueFields,
     loading: loadingSourcerer,
-  } = useSourcererScope(SourcererScopeName.timeline);
+    runtimeMappings,
+    selectedPatterns,
+  } = useSourcererDataView(SourcererScopeName.timeline);
   const { setTimelineFullScreen, timelineFullScreen } = useTimelineFullScreen();
 
-  const existingIndexNamesSelector = useMemo(
-    () => sourcererSelectors.getAllExistingIndexNamesSelector(),
-    []
-  );
-  const existingIndexNames = useDeepEqualSelector<string[]>(existingIndexNamesSelector);
-
   const filterQuery = useMemo(() => {
     if (isEmpty(pinnedEventIds)) {
       return '';
@@ -188,10 +182,11 @@ export const PinnedTabContentComponent: React.FC<Props> = ({
       docValueFields,
       endDate: '',
       id: `pinned-${timelineId}`,
-      indexNames: existingIndexNames,
+      indexNames: selectedPatterns,
       fields: timelineQueryFields,
       limit: itemsPerPage,
       filterQuery,
+      runtimeMappings,
       skip: filterQuery === '',
       startDate: '',
       sort: timelineQuerySortField,
@@ -269,6 +264,7 @@ export const PinnedTabContentComponent: React.FC<Props> = ({
                 browserFields={browserFields}
                 docValueFields={docValueFields}
                 handleOnPanelClosed={handleOnPanelClosed}
+                runtimeMappings={runtimeMappings}
                 tabType={TimelineTabs.pinned}
                 timelineId={timelineId}
               />
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/properties/use_create_timeline.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/properties/use_create_timeline.test.tsx
index 1fea015de772f..a4dd57768372e 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/properties/use_create_timeline.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/properties/use_create_timeline.test.tsx
@@ -22,13 +22,6 @@ jest.mock('react-redux', () => {
   return {
     ...actual,
     useDispatch: () => mockDispatch,
-    useSelector: () => ({
-      kind: 'relative',
-      fromStr: 'now-24h',
-      toStr: 'now',
-      from: '2020-07-07T08:20:18.966Z',
-      to: '2020-07-08T08:20:18.966Z',
-    }),
   };
 });
 
@@ -135,7 +128,7 @@ describe('useCreateTimelineButton', () => {
         wrapper.find('[data-test-subj="timeline-new"]').first().simulate('click');
 
         expect(mockDispatch.mock.calls[0][0].type).toEqual(
-          'x-pack/security_solution/local/sourcerer/SET_SELECTED_INDEX_PATTERNS'
+          'x-pack/security_solution/local/sourcerer/SET_SELECTED_DATA_VIEW'
         );
         expect(mockDispatch.mock.calls[1][0].type).toEqual(
           'x-pack/security_solution/local/timeline/CREATE_TIMELINE'
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/properties/use_create_timeline.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/properties/use_create_timeline.tsx
index 32d05202f1d12..6b10ff20008dc 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/properties/use_create_timeline.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/properties/use_create_timeline.tsx
@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import React, { useCallback, useMemo } from 'react';
+import React, { useCallback } from 'react';
 import { useDispatch } from 'react-redux';
 import { EuiButton, EuiButtonEmpty } from '@elastic/eui';
 
@@ -19,9 +19,10 @@ import {
 } from '../../../../../common/types/timeline';
 import { useDeepEqualSelector } from '../../../../common/hooks/use_selector';
 import { inputsActions, inputsSelectors } from '../../../../common/store/inputs';
-import { sourcererActions, sourcererSelectors } from '../../../../common/store/sourcerer';
+import { sourcererActions } from '../../../../common/store/sourcerer';
 import { SourcererScopeName } from '../../../../common/store/sourcerer/model';
 import { appActions } from '../../../../common/store/app';
+import { useSourcererDataView } from '../../../../common/containers/sourcerer';
 
 interface Props {
   timelineId?: string;
@@ -31,11 +32,8 @@ interface Props {
 
 export const useCreateTimeline = ({ timelineId, timelineType, closeGearMenu }: Props) => {
   const dispatch = useDispatch();
-  const existingIndexNamesSelector = useMemo(
-    () => sourcererSelectors.getAllExistingIndexNamesSelector(),
-    []
-  );
-  const existingIndexNames = useDeepEqualSelector<string[]>(existingIndexNamesSelector);
+  const { dataViewId, selectedPatterns } = useSourcererDataView(SourcererScopeName.timeline);
+
   const { timelineFullScreen, setTimelineFullScreen } = useTimelineFullScreen();
   const globalTimeRange = useDeepEqualSelector(inputsSelectors.globalTimeRangeSelector);
   const createTimeline = useCallback(
@@ -44,18 +42,20 @@ export const useCreateTimeline = ({ timelineId, timelineType, closeGearMenu }: P
         setTimelineFullScreen(false);
       }
       dispatch(
-        sourcererActions.setSelectedIndexPatterns({
+        sourcererActions.setSelectedDataView({
           id: SourcererScopeName.timeline,
-          selectedPatterns: existingIndexNames,
+          selectedDataViewId: dataViewId,
+          selectedPatterns,
         })
       );
       dispatch(
         timelineActions.createTimeline({
-          id,
           columns: defaultHeaders,
+          dataViewId,
+          id,
+          indexNames: selectedPatterns,
           show,
           timelineType,
-          indexNames: existingIndexNames,
         })
       );
       dispatch(inputsActions.addGlobalLinkTo({ linkToId: 'timeline' }));
@@ -78,9 +78,10 @@ export const useCreateTimeline = ({ timelineId, timelineType, closeGearMenu }: P
       }
     },
     [
-      existingIndexNames,
       dispatch,
       globalTimeRange,
+      dataViewId,
+      selectedPatterns,
       setTimelineFullScreen,
       timelineFullScreen,
       timelineType,
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/query_bar/eql/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/query_bar/eql/index.tsx
index b65e432126283..f045f735ae168 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/query_bar/eql/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/query_bar/eql/index.tsx
@@ -11,7 +11,7 @@ import { useDispatch } from 'react-redux';
 import styled from 'styled-components';
 
 import { FieldsEqlOptions } from '../../../../../../common/search_strategy';
-import { useSourcererScope } from '../../../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../../../../common/containers/sourcerer';
 import { useDeepEqualSelector } from '../../../../../common/hooks/use_selector';
 import { SourcererScopeName } from '../../../../../common/store/sourcerer/model';
 import { EqlQueryBar } from '../../../../../detections/components/rules/eql_query_bar';
@@ -71,7 +71,7 @@ export const EqlQueryBarTimeline = memo(({ timelineId }: { timelineId: string })
     loading: indexPatternsLoading,
     indexPattern,
     selectedPatterns,
-  } = useSourcererScope(SourcererScopeName.timeline);
+  } = useSourcererDataView(SourcererScopeName.timeline);
 
   const initialState = {
     ...defaultValues,
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/query_bar/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/query_bar/index.tsx
index daafec3005eb8..450a43b43ef5f 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/query_bar/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/query_bar/index.tsx
@@ -11,7 +11,7 @@ import { useDispatch } from 'react-redux';
 import { Subscription } from 'rxjs';
 import deepEqual from 'fast-deep-equal';
 
-import { useSourcererScope } from '../../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../../../common/containers/sourcerer';
 import { SourcererScopeName } from '../../../../common/store/sourcerer/model';
 import {
   Query,
@@ -81,8 +81,7 @@ export const QueryBarTimeline = memo<QueryBarTimelineComponentProps>(
     const [dateRangeTo, setDateRangTo] = useState<string>(
       toStr != null ? toStr : new Date(to).toISOString()
     );
-    const { browserFields, indexPattern } = useSourcererScope(SourcererScopeName.timeline);
-
+    const { browserFields, indexPattern } = useSourcererDataView(SourcererScopeName.timeline);
     const [savedQuery, setSavedQuery] = useState<SavedQuery | undefined>(undefined);
     const [filterQueryConverted, setFilterQueryConverted] = useState<Query>({
       query: filterQuery != null ? filterQuery.expression : '',
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/query_tab_content/index.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/query_tab_content/index.test.tsx
index c9bb14dfc0c67..23f0fa0b9f289 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/query_tab_content/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/query_tab_content/index.test.tsx
@@ -22,7 +22,7 @@ import { useMountAppended } from '../../../../common/utils/use_mount_appended';
 import { TimelineId, TimelineStatus, TimelineTabs } from '../../../../../common/types/timeline';
 import { useTimelineEvents } from '../../../containers/index';
 import { useTimelineEventsDetails } from '../../../containers/details/index';
-import { useSourcererScope } from '../../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../../../common/containers/sourcerer';
 import { mockSourcererScope } from '../../../../common/containers/sourcerer/mocks';
 import { Direction } from '../../../../../common/search_strategy';
 import * as helpers from '../helpers';
@@ -102,7 +102,7 @@ describe('Timeline', () => {
     ]);
     (useTimelineEventsDetails as jest.Mock).mockReturnValue([false, {}]);
 
-    (useSourcererScope as jest.Mock).mockReturnValue(mockSourcererScope);
+    (useSourcererDataView as jest.Mock).mockReturnValue(mockSourcererScope);
 
     props = {
       columns: defaultHeaders,
@@ -187,7 +187,7 @@ describe('Timeline', () => {
     });
 
     test('it does render the timeline table when the source is loading with no events', () => {
-      (useSourcererScope as jest.Mock).mockReturnValue({
+      (useSourcererDataView as jest.Mock).mockReturnValue({
         browserFields: {},
         docValueFields: [],
         loading: true,
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/query_tab_content/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/query_tab_content/index.tsx
index 2082e7f5b69bb..5f6f2796d4ba9 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/query_tab_content/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/query_tab_content/index.tsx
@@ -51,7 +51,7 @@ import { inputsModel, inputsSelectors, State } from '../../../../common/store';
 import { sourcererActions } from '../../../../common/store/sourcerer';
 import { SourcererScopeName } from '../../../../common/store/sourcerer/model';
 import { timelineDefaults } from '../../../../timelines/store/timeline/defaults';
-import { useSourcererScope } from '../../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../../../common/containers/sourcerer';
 import { useTimelineEventsCountPortal } from '../../../../common/hooks/use_timeline_events_count';
 import { TimelineModel } from '../../../../timelines/store/timeline/model';
 import { TimelineDatePickerLock } from '../date_picker_lock';
@@ -190,9 +190,9 @@ export const QueryTabContentComponent: React.FC<Props> = ({
     docValueFields,
     loading: loadingSourcerer,
     indexPattern,
+    runtimeMappings,
     selectedPatterns,
-  } = useSourcererScope(SourcererScopeName.timeline);
-
+  } = useSourcererDataView(SourcererScopeName.timeline);
   const { uiSettings } = useKibana().services;
 
   const getManageTimeline = useMemo(() => timelineSelectors.getManageTimelineById(), []);
@@ -282,6 +282,7 @@ export const QueryTabContentComponent: React.FC<Props> = ({
       language: kqlQuery.language,
       limit: itemsPerPage,
       filterQuery: combinedQueries?.filterQuery,
+      runtimeMappings,
       startDate: start,
       skip: !canQueryTimeline,
       sort: timelineQuerySortField,
@@ -429,6 +430,7 @@ export const QueryTabContentComponent: React.FC<Props> = ({
                 browserFields={browserFields}
                 docValueFields={docValueFields}
                 handleOnPanelClosed={handleOnPanelClosed}
+                runtimeMappings={runtimeMappings}
                 tabType={TimelineTabs.query}
                 timelineId={timelineId}
               />
@@ -502,13 +504,24 @@ const makeMapStateToProps = () => {
 };
 
 const mapDispatchToProps = (dispatch: Dispatch, { timelineId }: OwnProps) => ({
-  updateEventTypeAndIndexesName: (newEventType: TimelineEventsType, newIndexNames: string[]) => {
+  updateEventTypeAndIndexesName: (
+    newEventType: TimelineEventsType,
+    newIndexNames: string[],
+    newDataViewId: string
+  ) => {
     dispatch(timelineActions.updateEventType({ id: timelineId, eventType: newEventType }));
-    dispatch(timelineActions.updateIndexNames({ id: timelineId, indexNames: newIndexNames }));
     dispatch(
-      sourcererActions.setSelectedIndexPatterns({
+      timelineActions.updateDataView({
+        dataViewId: newDataViewId,
+        id: timelineId,
+        indexNames: newIndexNames,
+      })
+    );
+    dispatch(
+      sourcererActions.setSelectedDataView({
         id: SourcererScopeName.timeline,
         selectedPatterns: newIndexNames,
+        selectedDataViewId: newDataViewId,
       })
     );
   },
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/search_or_filter/pick_events.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/search_or_filter/pick_events.test.tsx
index e519cfcd204a7..47ea0f781f7c3 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/search_or_filter/pick_events.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/search_or_filter/pick_events.test.tsx
@@ -14,6 +14,7 @@ import {
   createSecuritySolutionStorageMock,
   kibanaObservable,
   mockGlobalState,
+  mockSourcererState,
   SUB_PLUGINS_REDUCER,
   TestProviders,
 } from '../../../../common/mock';
@@ -29,41 +30,59 @@ jest.mock('@elastic/eui', () => {
   };
 });
 
-describe('pick_events', () => {
+describe('Pick Events/Timeline Sourcerer', () => {
   const defaultProps = {
     eventType: 'all' as TimelineEventsType,
     onChangeEventTypeAndIndexesName: jest.fn(),
   };
   const initialPatterns = [
-    ...mockGlobalState.sourcerer.sourcererScopes[SourcererScopeName.timeline].selectedPatterns,
-    mockGlobalState.sourcerer.signalIndexName,
+    ...mockSourcererState.defaultDataView.patternList.filter(
+      (p) => p !== mockSourcererState.signalIndexName
+    ),
+    mockSourcererState.signalIndexName,
   ];
   const { storage } = createSecuritySolutionStorageMock();
+
+  // const state = {
+  //   ...mockGlobalState,
+  //   sourcerer: {
+  //     ...mockGlobalState.sourcerer,
+  //     kibanaIndexPatterns: [
+  //       { id: '1234', title: 'auditbeat-*' },
+  //       { id: '9100', title: 'filebeat-*' },
+  //       { id: '9100', title: 'auditbeat-*,filebeat-*' },
+  //       { id: '5678', title: 'auditbeat-*,.siem-signals-default' },
+  //     ],
+  //     configIndexPatterns:
+  //       mockGlobalState.sourcerer.sourcererScopes[SourcererScopeName.timeline].selectedPatterns,
+  //     signalIndexName: mockGlobalState.sourcerer.signalIndexName,
+  //     sourcererScopes: {
+  //       ...mockGlobalState.sourcerer.sourcererScopes,
+  //       [SourcererScopeName.timeline]: {
+  //         ...mockGlobalState.sourcerer.sourcererScopes[SourcererScopeName.timeline],
+  //         loading: false,
+  //         selectedPatterns: ['filebeat-*'],
+  //       },
+  //     },
+  //   },
+  // };
+  // const store = createStore(state, SUB_PLUGINS_REDUCER, kibanaObservable, storage);
   const state = {
     ...mockGlobalState,
     sourcerer: {
       ...mockGlobalState.sourcerer,
-      kibanaIndexPatterns: [
-        { id: '1234', title: 'auditbeat-*' },
-        { id: '9100', title: 'filebeat-*' },
-        { id: '9100', title: 'auditbeat-*,filebeat-*' },
-        { id: '5678', title: 'auditbeat-*,.siem-signals-default' },
-      ],
-      configIndexPatterns:
-        mockGlobalState.sourcerer.sourcererScopes[SourcererScopeName.timeline].selectedPatterns,
-      signalIndexName: mockGlobalState.sourcerer.signalIndexName,
       sourcererScopes: {
         ...mockGlobalState.sourcerer.sourcererScopes,
         [SourcererScopeName.timeline]: {
           ...mockGlobalState.sourcerer.sourcererScopes[SourcererScopeName.timeline],
           loading: false,
+          selectedDataViewId: mockGlobalState.sourcerer.defaultDataView.id,
           selectedPatterns: ['filebeat-*'],
         },
       },
     },
   };
   const store = createStore(state, SUB_PLUGINS_REDUCER, kibanaObservable, storage);
-
   const mockTooltip = ({
     tooltipContent,
     children,
@@ -94,6 +113,57 @@ describe('pick_events', () => {
     expect(wrapper.getByTestId('timeline-sourcerer').textContent).toEqual(
       initialPatterns.sort().join('')
     );
+    fireEvent.click(wrapper.getByTestId(`sourcerer-accordion`));
+    fireEvent.click(wrapper.getByTestId('comboBoxToggleListButton'));
+    const optionNodes = wrapper.getAllByTestId('sourcerer-option');
+    expect(optionNodes.length).toBe(1);
+  });
+  it('Removes duplicate options from options list', () => {
+    const store2 = createStore(
+      {
+        ...mockGlobalState,
+        sourcerer: {
+          ...mockGlobalState.sourcerer,
+          defaultDataView: {
+            ...mockGlobalState.sourcerer.defaultDataView,
+            id: '1234',
+            title: 'filebeat-*,auditbeat-*,auditbeat-*,auditbeat-*,auditbeat-*',
+            patternList: ['filebeat-*', 'auditbeat-*'],
+          },
+          kibanaDataViews: [
+            {
+              ...mockGlobalState.sourcerer.defaultDataView,
+              id: '1234',
+              title: 'filebeat-*,auditbeat-*,auditbeat-*,auditbeat-*,auditbeat-*',
+              patternList: ['filebeat-*', 'auditbeat-*'],
+            },
+          ],
+          sourcererScopes: {
+            ...mockGlobalState.sourcerer.sourcererScopes,
+            [SourcererScopeName.timeline]: {
+              ...mockGlobalState.sourcerer.sourcererScopes[SourcererScopeName.timeline],
+              loading: false,
+              selectedDataViewId: '1234',
+              selectedPatterns: ['filebeat-*'],
+            },
+          },
+        },
+      },
+      SUB_PLUGINS_REDUCER,
+      kibanaObservable,
+      storage
+    );
+    const wrapper = render(
+      <TestProviders store={store2}>
+        <PickEventType {...defaultProps} />
+      </TestProviders>
+    );
+    fireEvent.click(wrapper.getByTestId(`sourcerer-timeline-trigger`));
+    fireEvent.click(wrapper.getByTestId(`sourcerer-accordion`));
+    fireEvent.click(wrapper.getByTestId(`comboBoxToggleListButton`));
+    expect(
+      wrapper.getByTestId('comboBoxOptionsList timeline-sourcerer-optionsList').textContent
+    ).toEqual('auditbeat-*');
   });
 
   it('renders tooltip', () => {
@@ -129,6 +199,7 @@ describe('pick_events', () => {
     );
     fireEvent.click(wrapper.getByTestId('sourcerer-timeline-trigger'));
     fireEvent.click(wrapper.getByTestId('comboBoxToggleListButton'));
+    fireEvent.click(wrapper.getByTestId('sourcerer-accordion'));
     const optionNodes = wrapper.getAllByTestId('sourcerer-option');
     expect(optionNodes.length).toBe(9);
   });
@@ -145,8 +216,5 @@ describe('pick_events', () => {
     expect(wrapper.getByTestId('timeline-sourcerer').textContent).toEqual(
       initialPatterns.sort().join('')
     );
-    fireEvent.click(wrapper.getByTestId('comboBoxToggleListButton'));
-    const optionNodes = wrapper.getAllByTestId('sourcerer-option');
-    expect(optionNodes.length).toBe(2);
   });
 });
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/search_or_filter/pick_events.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/search_or_filter/pick_events.tsx
index 6d86d7c0f1330..791993d67135d 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/search_or_filter/pick_events.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/search_or_filter/pick_events.tsx
@@ -21,17 +21,19 @@ import {
   EuiSpacer,
   EuiText,
   EuiToolTip,
+  EuiSuperSelect,
 } from '@elastic/eui';
 import deepEqual from 'fast-deep-equal';
 import React, { memo, useCallback, useEffect, useMemo, useState } from 'react';
-import { useSelector } from 'react-redux';
 import styled from 'styled-components';
 
-import { State } from '../../../../common/store';
+import { sourcererSelectors } from '../../../../common/store';
 import { SourcererScopeName } from '../../../../common/store/sourcerer/model';
-import { TimelineEventsType } from '../../../../../common/types/timeline';
-import { getSourcererScopeSelector, SourcererScopeSelector } from './selectors';
+import { TimelineEventsType } from '../../../../../common';
 import * as i18n from './translations';
+import { getScopePatternListSelection } from '../../../../common/store/sourcerer/helpers';
+import { SIEM_DATA_VIEW_LABEL } from '../../../../common/components/sourcerer/translations';
+import { useDeepEqualSelector } from '../../../../common/hooks/use_selector';
 
 const PopoverContent = styled.div`
   width: 600px;
@@ -89,7 +91,7 @@ const PickEventContainer = styled.div`
   }
 `;
 
-const getEventTypeOptions = (isCustomDisabled: boolean = true) => [
+const getEventTypeOptions = (isCustomDisabled: boolean = true, isDefaultPattern: boolean) => [
   {
     id: 'all',
     label: (
@@ -101,10 +103,12 @@ const getEventTypeOptions = (isCustomDisabled: boolean = true) => [
   {
     id: 'raw',
     label: <EuiHealth color="subdued"> {i18n.RAW_EVENT}</EuiHealth>,
+    disabled: !isDefaultPattern,
   },
   {
     id: 'alert',
     label: <EuiHealth color="warning"> {i18n.DETECTION_ALERTS_EVENT}</EuiHealth>,
+    disabled: !isDefaultPattern,
   },
   {
     id: 'custom',
@@ -115,9 +119,14 @@ const getEventTypeOptions = (isCustomDisabled: boolean = true) => [
 
 interface PickEventTypeProps {
   eventType: TimelineEventsType;
-  onChangeEventTypeAndIndexesName: (value: TimelineEventsType, indexNames: string[]) => void;
+  onChangeEventTypeAndIndexesName: (
+    value: TimelineEventsType,
+    indexNames: string[],
+    dataViewId: string
+  ) => void;
 }
 
+// AKA TimelineSourcerer
 const PickEventTypeComponents: React.FC<PickEventTypeProps> = ({
   eventType = 'all',
   onChangeEventTypeAndIndexesName,
@@ -125,81 +134,63 @@ const PickEventTypeComponents: React.FC<PickEventTypeProps> = ({
   const [isPopoverOpen, setPopover] = useState(false);
   const [showAdvanceSettings, setAdvanceSettings] = useState(eventType === 'custom');
   const [filterEventType, setFilterEventType] = useState<TimelineEventsType>(eventType);
-  const sourcererScopeSelector = useMemo(getSourcererScopeSelector, []);
-  const { configIndexPatterns, kibanaIndexPatterns, signalIndexName, sourcererScope } = useSelector<
-    State,
-    SourcererScopeSelector
-  >((state) => sourcererScopeSelector(state, SourcererScopeName.timeline), deepEqual);
-  const [selectedOptions, setSelectedOptions] = useState<Array<EuiComboBoxOptionOption<string>>>(
-    sourcererScope.selectedPatterns.map((indexSelected) => ({
-      label: indexSelected,
-      value: indexSelected,
-    }))
+  const sourcererScopeSelector = useMemo(() => sourcererSelectors.getSourcererScopeSelector(), []);
+  const {
+    defaultDataView,
+    kibanaDataViews,
+    signalIndexName,
+    sourcererScope: { loading, selectedPatterns, selectedDataViewId },
+  }: sourcererSelectors.SourcererScopeSelector = useDeepEqualSelector((state) =>
+    sourcererScopeSelector(state, SourcererScopeName.timeline)
   );
 
-  const indexesPatternOptions = useMemo(
-    () =>
-      [
-        ...configIndexPatterns,
-        ...kibanaIndexPatterns.map((kip) => kip.title),
-        signalIndexName,
-      ].reduce<Array<EuiComboBoxOptionOption<string>>>((acc, index) => {
-        if (index != null && !acc.some((o) => o.label === index)) {
-          return [...acc, { label: index, value: index }];
+  const [dataViewId, setDataViewId] = useState<string>(selectedDataViewId ?? '');
+  const { patternList, selectablePatterns } = useMemo(() => {
+    const theDataView = kibanaDataViews.find((dataView) => dataView.id === dataViewId);
+    return theDataView != null
+      ? {
+          patternList: theDataView.title
+            .split(',')
+            // remove duplicates patterns from selector
+            .filter((pattern, i, self) => self.indexOf(pattern) === i),
+          selectablePatterns: theDataView.patternList,
         }
-        return acc;
-      }, []),
-    [configIndexPatterns, kibanaIndexPatterns, signalIndexName]
-  );
-
-  const renderOption = useCallback(
-    ({ value }) => {
-      if (kibanaIndexPatterns.some((kip) => kip.title === value)) {
-        return (
-          <span data-test-subj="sourcerer-option">
-            <EuiIcon type="logoKibana" size="s" /> {value}
-          </span>
-        );
-      }
-      return <span data-test-subj="sourcerer-option">{value}</span>;
-    },
-    [kibanaIndexPatterns]
+      : { patternList: [], selectablePatterns: [] };
+  }, [kibanaDataViews, dataViewId]);
+  const [selectedOptions, setSelectedOptions] = useState<Array<EuiComboBoxOptionOption<string>>>(
+    selectedPatterns.map((indexName) => ({
+      label: indexName,
+      value: indexName,
+    }))
   );
-
-  const onChangeCombo = useCallback(
-    (newSelectedOptions: Array<EuiComboBoxOptionOption<string>>) => {
-      const localSelectedPatterns = newSelectedOptions.map((nso) => nso.label);
-      if (
-        localSelectedPatterns.sort().join() ===
-        [...configIndexPatterns, signalIndexName].sort().join()
-      ) {
-        setFilterEventType('all');
-      } else if (localSelectedPatterns.sort().join() === configIndexPatterns.sort().join()) {
-        setFilterEventType('raw');
-      } else if (localSelectedPatterns.sort().join() === signalIndexName) {
-        setFilterEventType('alert');
-      } else {
-        setFilterEventType('custom');
-      }
-
-      setSelectedOptions(newSelectedOptions);
-    },
-    [configIndexPatterns, signalIndexName]
+  const isSavingDisabled = useMemo(() => selectedOptions.length === 0, [selectedOptions]);
+  const selectableOptions = useMemo(
+    () =>
+      patternList.map((indexName) => ({
+        label: indexName,
+        value: indexName,
+        'data-test-subj': 'sourcerer-option',
+        disabled: !selectablePatterns.includes(indexName),
+      })),
+    [selectablePatterns, patternList]
   );
 
   const onChangeFilter = useCallback(
     (filter) => {
       setFilterEventType(filter);
-      if (filter === 'all') {
+      if (filter === 'all' || filter === 'kibana') {
         setSelectedOptions(
-          [...configIndexPatterns.sort(), signalIndexName ?? ''].map((indexSelected) => ({
+          selectablePatterns.map((indexSelected) => ({
             label: indexSelected,
             value: indexSelected,
           }))
         );
       } else if (filter === 'raw') {
         setSelectedOptions(
-          configIndexPatterns.sort().map((indexSelected) => ({
+          (signalIndexName == null
+            ? selectablePatterns
+            : selectablePatterns.filter((index) => index !== signalIndexName)
+          ).map((indexSelected) => ({
             label: indexSelected,
             value: indexSelected,
           }))
@@ -211,16 +202,56 @@ const PickEventTypeComponents: React.FC<PickEventTypeProps> = ({
             value: signalIndexName ?? '',
           },
         ]);
-      } else if (filter === 'kibana') {
-        setSelectedOptions(
-          kibanaIndexPatterns.map((kip) => ({
-            label: kip.title,
-            value: kip.title,
-          }))
-        );
       }
     },
-    [configIndexPatterns, kibanaIndexPatterns, signalIndexName]
+    [selectablePatterns, signalIndexName]
+  );
+
+  const onChangeCombo = useCallback(
+    (newSelectedOptions: Array<EuiComboBoxOptionOption<string>>) => {
+      const localSelectedPatterns = newSelectedOptions
+        .map((nso) => nso.label)
+        .sort()
+        .join();
+      if (localSelectedPatterns === selectablePatterns.sort().join()) {
+        setFilterEventType('all');
+      } else if (
+        dataViewId === defaultDataView.id &&
+        localSelectedPatterns ===
+          selectablePatterns
+            .filter((index) => index !== signalIndexName)
+            .sort()
+            .join()
+      ) {
+        setFilterEventType('raw');
+      } else if (dataViewId === defaultDataView.id && localSelectedPatterns === signalIndexName) {
+        setFilterEventType('alert');
+      } else {
+        setFilterEventType('custom');
+      }
+
+      setSelectedOptions(newSelectedOptions);
+    },
+    [defaultDataView.id, dataViewId, selectablePatterns, signalIndexName]
+  );
+
+  const onChangeSuper = useCallback(
+    (newSelectedOption) => {
+      setFilterEventType('all');
+      setDataViewId(newSelectedOption);
+      setSelectedOptions(
+        getScopePatternListSelection(
+          kibanaDataViews.find((dataView) => dataView.id === newSelectedOption),
+          SourcererScopeName.timeline,
+          signalIndexName,
+          newSelectedOption === defaultDataView.id
+        ).map((indexSelected: string) => ({
+          label: indexSelected,
+          value: indexSelected,
+        }))
+      );
+    },
+    [defaultDataView.id, kibanaDataViews, signalIndexName]
   );
 
   const togglePopover = useCallback(
@@ -233,66 +264,69 @@ const PickEventTypeComponents: React.FC<PickEventTypeProps> = ({
   const handleSaveIndices = useCallback(() => {
     onChangeEventTypeAndIndexesName(
       filterEventType,
-      selectedOptions.map((so) => so.label)
+      selectedOptions.map((so) => so.label),
+      dataViewId
     );
     setPopover(false);
-  }, [filterEventType, onChangeEventTypeAndIndexesName, selectedOptions]);
+  }, [dataViewId, filterEventType, onChangeEventTypeAndIndexesName, selectedOptions]);
 
   const resetDataSources = useCallback(() => {
-    onChangeFilter('all');
-  }, [onChangeFilter]);
+    setDataViewId(defaultDataView.id);
+    setSelectedOptions(
+      getScopePatternListSelection(
+        defaultDataView,
+        SourcererScopeName.timeline,
+        signalIndexName,
+        true
+      ).map((indexSelected: string) => ({
+        label: indexSelected,
+        value: indexSelected,
+      }))
+    );
+    setFilterEventType(eventType);
+  }, [defaultDataView, eventType, signalIndexName]);
 
-  const comboBox = useMemo(
-    () => (
-      <EuiComboBox
-        data-test-subj="timeline-sourcerer"
-        fullWidth
-        onChange={onChangeCombo}
-        options={indexesPatternOptions}
-        placeholder={i18n.PICK_INDEX_PATTERNS}
-        renderOption={renderOption}
-        selectedOptions={selectedOptions}
-      />
-    ),
-    [onChangeCombo, indexesPatternOptions, renderOption, selectedOptions]
+  const dataViewSelectOptions = useMemo(
+    () =>
+      kibanaDataViews.map(({ title, id }) => ({
+        inputDisplay:
+          id === defaultDataView.id ? (
+            <span data-test-subj="dataView-option-super">
+              <EuiIcon type="logoSecurity" size="s" /> {SIEM_DATA_VIEW_LABEL}
+            </span>
+          ) : (
+            <span data-test-subj="dataView-option-super">
+              <EuiIcon type="logoKibana" size="s" /> {title}
+            </span>
+          ),
+        value: id,
+      })),
+    [defaultDataView.id, kibanaDataViews]
   );
 
   const filterOptions = useMemo(
-    () => getEventTypeOptions(filterEventType !== 'custom'),
-    [filterEventType]
-  );
-
-  const filter = useMemo(
-    () => (
-      <Filter
-        data-test-subj="timeline-sourcerer-radio"
-        options={filterOptions}
-        idSelected={filterEventType}
-        onChange={onChangeFilter}
-        name={i18n.SELECT_INDEX_PATTERNS}
-      />
-    ),
-    [filterEventType, filterOptions, onChangeFilter]
+    () => getEventTypeOptions(filterEventType !== 'custom', dataViewId === defaultDataView.id),
+    [defaultDataView.id, filterEventType, dataViewId]
   );
 
   const button = useMemo(() => {
-    const options = getEventTypeOptions();
+    const options = getEventTypeOptions(true, dataViewId === defaultDataView.id);
     return (
       <MyEuiButton
         data-test-subj="sourcerer-timeline-trigger"
         iconType="arrowDown"
         iconSide="right"
-        isLoading={sourcererScope.loading}
+        isLoading={loading}
         onClick={togglePopover}
       >
         {options.find((opt) => opt.id === eventType)?.label}
       </MyEuiButton>
     );
-  }, [eventType, sourcererScope.loading, togglePopover]);
+  }, [defaultDataView.id, eventType, dataViewId, loading, togglePopover]);
 
   const tooltipContent = useMemo(
-    () => (isPopoverOpen ? null : sourcererScope.selectedPatterns.sort().join(', ')),
-    [isPopoverOpen, sourcererScope.selectedPatterns]
+    () => (isPopoverOpen ? null : selectedPatterns.sort().join(', ')),
+    [isPopoverOpen, selectedPatterns]
   );
 
   const buttonWithTooptip = useMemo(() => {
@@ -321,7 +355,7 @@ const PickEventTypeComponents: React.FC<PickEventTypeProps> = ({
   );
 
   useEffect(() => {
-    const newSelectedOptions = sourcererScope.selectedPatterns.map((indexSelected) => ({
+    const newSelectedOptions = selectedPatterns.map((indexSelected) => ({
       label: indexSelected,
       value: indexSelected,
     }));
@@ -331,7 +365,7 @@ const PickEventTypeComponents: React.FC<PickEventTypeProps> = ({
       }
       return prevSelectedOptions;
     });
-  }, [sourcererScope.selectedPatterns]);
+  }, [selectedPatterns]);
 
   useEffect(() => {
     setFilterEventType((prevFilter) => (prevFilter !== eventType ? eventType : prevFilter));
@@ -352,9 +386,16 @@ const PickEventTypeComponents: React.FC<PickEventTypeProps> = ({
             <>{i18n.SELECT_INDEX_PATTERNS}</>
           </EuiPopoverTitle>
           <EuiSpacer size="s" />
-          {filter}
+          <Filter
+            data-test-subj="timeline-sourcerer-radio"
+            options={filterOptions}
+            idSelected={filterEventType}
+            onChange={onChangeFilter}
+            name={i18n.SELECT_INDEX_PATTERNS}
+          />
           <EuiSpacer size="m" />
           <EuiAccordion
+            data-test-subj="sourcerer-accordion"
             id="accordion1"
             forceState={showAdvanceSettings ? 'open' : 'closed'}
             buttonContent={ButtonContent}
@@ -362,7 +403,23 @@ const PickEventTypeComponents: React.FC<PickEventTypeProps> = ({
           >
             <>
               <EuiSpacer size="s" />
-              {comboBox}
+              <EuiSuperSelect
+                data-test-subj="sourcerer-select"
+                placeholder={i18n.PICK_INDEX_PATTERNS}
+                fullWidth
+                options={dataViewSelectOptions}
+                valueOfSelected={dataViewId}
+                onChange={onChangeSuper}
+              />
+              <EuiSpacer size="xs" />
+              <EuiComboBox
+                data-test-subj="timeline-sourcerer"
+                fullWidth
+                onChange={onChangeCombo}
+                options={selectableOptions}
+                placeholder={i18n.PICK_INDEX_PATTERNS}
+                selectedOptions={selectedOptions}
+              />
             </>
           </EuiAccordion>
           {!showAdvanceSettings && (
@@ -389,7 +446,8 @@ const PickEventTypeComponents: React.FC<PickEventTypeProps> = ({
             <EuiFlexItem grow={false}>
               <EuiButton
                 onClick={handleSaveIndices}
-                data-test-subj="add-index"
+                data-test-subj="sourcerer-save"
+                disabled={isSavingDisabled}
                 fill
                 fullWidth
                 size="s"
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/search_or_filter/selectors.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/search_or_filter/selectors.tsx
deleted file mode 100644
index 529d298cc7443..0000000000000
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/search_or_filter/selectors.tsx
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { State } from '../../../../common/store';
-import { sourcererSelectors } from '../../../../common/store/selectors';
-import {
-  KibanaIndexPatterns,
-  ManageScope,
-  SourcererScopeName,
-} from '../../../../common/store/sourcerer/model';
-
-export interface SourcererScopeSelector {
-  configIndexPatterns: string[];
-  kibanaIndexPatterns: KibanaIndexPatterns;
-  signalIndexName: string | null;
-  sourcererScope: ManageScope;
-}
-
-export const getSourcererScopeSelector = () => {
-  const getkibanaIndexPatternsSelector = sourcererSelectors.kibanaIndexPatternsSelector();
-  const getScopeIdSelector = sourcererSelectors.scopeIdSelector();
-  const getConfigIndexPatternsSelector = sourcererSelectors.configIndexPatternsSelector();
-  const getSignalIndexNameSelector = sourcererSelectors.signalIndexNameSelector();
-
-  const mapStateToProps = (state: State, scopeId: SourcererScopeName): SourcererScopeSelector => {
-    const kibanaIndexPatterns = getkibanaIndexPatternsSelector(state);
-    const scope = getScopeIdSelector(state, scopeId);
-    const configIndexPatterns = getConfigIndexPatternsSelector(state);
-    const signalIndexName = getSignalIndexNameSelector(state);
-
-    return {
-      kibanaIndexPatterns,
-      configIndexPatterns,
-      signalIndexName,
-      sourcererScope: scope,
-    };
-  };
-
-  return mapStateToProps;
-};
diff --git a/x-pack/plugins/security_solution/public/timelines/containers/details/index.tsx b/x-pack/plugins/security_solution/public/timelines/containers/details/index.tsx
index f05966bd97870..ac96cc334f795 100644
--- a/x-pack/plugins/security_solution/public/timelines/containers/details/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/containers/details/index.tsx
@@ -10,6 +10,7 @@ import { useCallback, useEffect, useRef, useState } from 'react';
 import deepEqual from 'fast-deep-equal';
 import { Subscription } from 'rxjs';
 
+import { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { inputsModel } from '../../../common/store';
 import { useKibana } from '../../../common/lib/kibana';
 import {
@@ -33,6 +34,7 @@ export interface UseTimelineEventsDetailsProps {
   docValueFields: DocValueFields[];
   indexName: string;
   eventId: string;
+  runtimeMappings: MappingRuntimeFields;
   skip: boolean;
 }
 
@@ -41,6 +43,7 @@ export const useTimelineEventsDetails = ({
   docValueFields,
   indexName,
   eventId,
+  runtimeMappings,
   skip,
 }: UseTimelineEventsDetailsProps): [boolean, EventsArgs['detailsData'], object | undefined] => {
   const { data } = useKibana().services;
@@ -112,13 +115,14 @@ export const useTimelineEventsDetails = ({
         indexName,
         eventId,
         factoryQueryType: TimelineEventsQueries.details,
+        runtimeMappings,
       };
       if (!deepEqual(prevRequest, myRequest)) {
         return myRequest;
       }
       return prevRequest;
     });
-  }, [docValueFields, entityType, eventId, indexName]);
+  }, [docValueFields, entityType, eventId, indexName, runtimeMappings]);
 
   useEffect(() => {
     timelineDetailsSearch(timelineDetailsRequest);
diff --git a/x-pack/plugins/security_solution/public/timelines/containers/index.test.tsx b/x-pack/plugins/security_solution/public/timelines/containers/index.test.tsx
index 62846eb01e60f..c6ae5d50abd37 100644
--- a/x-pack/plugins/security_solution/public/timelines/containers/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/containers/index.test.tsx
@@ -113,6 +113,7 @@ describe('useTimelineEvents', () => {
     filterQuery: '',
     startDate: '',
     limit: 25,
+    runtimeMappings: {},
     sort: initSortDefault,
     skip: false,
   };
diff --git a/x-pack/plugins/security_solution/public/timelines/containers/index.tsx b/x-pack/plugins/security_solution/public/timelines/containers/index.tsx
index 4ccb90b0ee5ae..c755159dd6b10 100644
--- a/x-pack/plugins/security_solution/public/timelines/containers/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/containers/index.tsx
@@ -11,6 +11,7 @@ import { useCallback, useEffect, useRef, useState } from 'react';
 import { useDispatch } from 'react-redux';
 import { Subscription } from 'rxjs';
 
+import { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { ESQuery } from '../../../common/typed_json';
 import { isCompleteResponse, isErrorResponse } from '../../../../../../src/plugins/data/public';
 import { useIsExperimentalFeatureEnabled } from '../../common/hooks/use_experimental_features';
@@ -74,15 +75,16 @@ type TimelineResponse<T extends KueryFilterQueryKind> = T extends 'kuery'
 
 export interface UseTimelineEventsProps {
   docValueFields?: DocValueFields[];
-  filterQuery?: ESQuery | string;
-  skip?: boolean;
   endDate: string;
   eqlOptions?: EqlOptionsSelected;
-  id: string;
   fields: string[];
+  filterQuery?: ESQuery | string;
+  id: string;
   indexNames: string[];
   language?: KueryFilterQueryKind;
   limit: number;
+  runtimeMappings: MappingRuntimeFields;
+  skip?: boolean;
   sort?: TimelineRequestSortField[];
   startDate: string;
   timerangeKind?: 'absolute' | 'relative';
@@ -131,6 +133,7 @@ export const useTimelineEvents = ({
   indexNames,
   fields,
   filterQuery,
+  runtimeMappings,
   startDate,
   language = 'kuery',
   limit,
@@ -341,6 +344,7 @@ export const useTimelineEvents = ({
         querySize: prevRequest?.pagination.querySize ?? 0,
         sort: prevRequest?.sort ?? initSortDefault,
         timerange: prevRequest?.timerange ?? {},
+        runtimeMappings: prevRequest?.runtimeMappings ?? {},
         ...deStructureEqlOptions(prevEqlRequest),
       };
 
@@ -354,6 +358,7 @@ export const useTimelineEvents = ({
           from: startDate,
           to: endDate,
         },
+        runtimeMappings,
         ...deStructureEqlOptions(eqlOptions),
       };
 
@@ -373,6 +378,7 @@ export const useTimelineEvents = ({
           querySize: limit,
         },
         language,
+        runtimeMappings,
         sort,
         timerange: {
           interval: '12h',
@@ -411,6 +417,7 @@ export const useTimelineEvents = ({
     startDate,
     sort,
     fields,
+    runtimeMappings,
   ]);
 
   useEffect(() => {
diff --git a/x-pack/plugins/security_solution/public/timelines/containers/kpis/index.tsx b/x-pack/plugins/security_solution/public/timelines/containers/kpis/index.tsx
index f32b4df2c4684..3b13c261f970c 100644
--- a/x-pack/plugins/security_solution/public/timelines/containers/kpis/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/containers/kpis/index.tsx
@@ -15,7 +15,7 @@ import { useKibana } from '../../../common/lib/kibana';
 import {
   DocValueFields,
   TimelineEventsQueries,
-  TimelineRequestBasicOptions,
+  TimelineKpiStrategyRequest,
   TimelineKpiStrategyResponse,
   TimerangeInput,
 } from '../../../../common/search_strategy';
@@ -44,7 +44,7 @@ export const useTimelineKpis = ({
   const abortCtrl = useRef(new AbortController());
   const searchSubscription$ = useRef(new Subscription());
   const [loading, setLoading] = useState(false);
-  const [timelineKpiRequest, setTimelineKpiRequest] = useState<TimelineRequestBasicOptions | null>(
+  const [timelineKpiRequest, setTimelineKpiRequest] = useState<TimelineKpiStrategyRequest | null>(
     null
   );
   const [timelineKpiResponse, setTimelineKpiResponse] =
@@ -52,7 +52,7 @@ export const useTimelineKpis = ({
   const { addError, addWarning } = useAppToasts();
 
   const timelineKpiSearch = useCallback(
-    (request: TimelineRequestBasicOptions | null) => {
+    (request: TimelineKpiStrategyRequest | null) => {
       if (request == null) {
         return;
       }
@@ -61,7 +61,7 @@ export const useTimelineKpis = ({
         setLoading(true);
 
         searchSubscription$.current = data.search
-          .search<TimelineRequestBasicOptions, TimelineKpiStrategyResponse>(request, {
+          .search<TimelineKpiStrategyRequest, TimelineKpiStrategyResponse>(request, {
             strategy: 'timelineSearchStrategy',
             abortSignal: abortCtrl.current.signal,
           })
diff --git a/x-pack/plugins/security_solution/public/timelines/pages/timelines_page.test.tsx b/x-pack/plugins/security_solution/public/timelines/pages/timelines_page.test.tsx
index 597ff25246d94..7a36f7296eff3 100644
--- a/x-pack/plugins/security_solution/public/timelines/pages/timelines_page.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/pages/timelines_page.test.tsx
@@ -27,7 +27,7 @@ jest.mock('../../common/containers/sourcerer', () => {
 
   return {
     ...originalModule,
-    useSourcererScope: jest.fn().mockReturnValue({
+    useSourcererDataView: jest.fn().mockReturnValue({
       indicesExist: true,
     }),
   };
diff --git a/x-pack/plugins/security_solution/public/timelines/pages/timelines_page.tsx b/x-pack/plugins/security_solution/public/timelines/pages/timelines_page.tsx
index f79d513380349..3a9b9b0d2693e 100644
--- a/x-pack/plugins/security_solution/public/timelines/pages/timelines_page.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/pages/timelines_page.tsx
@@ -22,7 +22,7 @@ import { NewTemplateTimeline } from '../components/timeline/properties/new_templ
 import { NewTimeline } from '../components/timeline/properties/helpers';
 import * as i18n from './translations';
 import { SecurityPageName } from '../../app/types';
-import { useSourcererScope } from '../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../common/containers/sourcerer';
 
 const TimelinesContainer = styled.div`
   width: 100%;
@@ -36,7 +36,7 @@ export const TimelinesPageComponent: React.FC = () => {
   const onImportTimelineBtnClick = useCallback(() => {
     setImportDataModalToggle(true);
   }, [setImportDataModalToggle]);
-  const { indicesExist } = useSourcererScope();
+  const { indicesExist } = useSourcererDataView();
 
   const capabilitiesCanUserCRUD: boolean =
     !!useKibana().services.application.capabilities.siem.crud;
diff --git a/x-pack/plugins/security_solution/public/timelines/store/timeline/actions.ts b/x-pack/plugins/security_solution/public/timelines/store/timeline/actions.ts
index f3a70bd1390ae..6002a7b2cf398 100644
--- a/x-pack/plugins/security_solution/public/timelines/store/timeline/actions.ts
+++ b/x-pack/plugins/security_solution/public/timelines/store/timeline/actions.ts
@@ -193,10 +193,11 @@ export const setExcludedRowRendererIds = actionCreator<{
   excludedRowRendererIds: RowRendererId[];
 }>('SET_TIMELINE_EXCLUDED_ROW_RENDERER_IDS');
 
-export const updateIndexNames = actionCreator<{
+export const updateDataView = actionCreator<{
   id: string;
+  dataViewId: string;
   indexNames: string[];
-}>('UPDATE_INDEXES_NAME');
+}>('UPDATE_DATA_VIEW');
 
 export const setActiveTabTimeline = actionCreator<{
   id: string;
diff --git a/x-pack/plugins/security_solution/public/timelines/store/timeline/defaults.ts b/x-pack/plugins/security_solution/public/timelines/store/timeline/defaults.ts
index 4c2b8d2992d3d..a7d87bc98c048 100644
--- a/x-pack/plugins/security_solution/public/timelines/store/timeline/defaults.ts
+++ b/x-pack/plugins/security_solution/public/timelines/store/timeline/defaults.ts
@@ -22,6 +22,7 @@ export const timelineDefaults: SubsetTimelineModel &
   documentType: '',
   defaultColumns: defaultHeaders,
   dataProviders: [],
+  dataViewId: '',
   dateRange: { start, end },
   deletedEventIds: [],
   description: '',
diff --git a/x-pack/plugins/security_solution/public/timelines/store/timeline/epic.test.ts b/x-pack/plugins/security_solution/public/timelines/store/timeline/epic.test.ts
index d45ba26c0e12a..175e6804c04a1 100644
--- a/x-pack/plugins/security_solution/public/timelines/store/timeline/epic.test.ts
+++ b/x-pack/plugins/security_solution/public/timelines/store/timeline/epic.test.ts
@@ -89,6 +89,7 @@ describe('Epic Timeline', () => {
             ],
           },
         ],
+        dataViewId: '',
         deletedEventIds: [],
         description: '',
         documentType: '',
@@ -238,6 +239,7 @@ describe('Epic Timeline', () => {
             },
           },
         ],
+        dataViewId: '',
         dateRange: {
           end: '2019-10-31T21:06:27.644Z',
           start: '2019-10-30T21:06:27.644Z',
diff --git a/x-pack/plugins/security_solution/public/timelines/store/timeline/epic.ts b/x-pack/plugins/security_solution/public/timelines/store/timeline/epic.ts
index 164f293edee65..c973cf9a5bbbf 100644
--- a/x-pack/plugins/security_solution/public/timelines/store/timeline/epic.ts
+++ b/x-pack/plugins/security_solution/public/timelines/store/timeline/epic.ts
@@ -65,7 +65,7 @@ import {
   updateRange,
   updateSort,
   upsertColumn,
-  updateIndexNames,
+  updateDataView,
   updateTimeline,
   updateTitleAndDescription,
   updateAutoSaveMsg,
@@ -109,7 +109,7 @@ const timelineActionsType = [
   updateProviders.type,
   updateTitleAndDescription.type,
 
-  updateIndexNames.type,
+  updateDataView.type,
   removeColumn.type,
   updateColumns.type,
   updateSort.type,
@@ -326,6 +326,7 @@ export const createTimelineEpic =
 const timelineInput: TimelineInput = {
   columns: null,
   dataProviders: null,
+  dataViewId: null,
   description: null,
   eqlOptions: null,
   eventType: null,
diff --git a/x-pack/plugins/security_solution/public/timelines/store/timeline/model.ts b/x-pack/plugins/security_solution/public/timelines/store/timeline/model.ts
index 29b49197ef797..18b6566b13b6c 100644
--- a/x-pack/plugins/security_solution/public/timelines/store/timeline/model.ts
+++ b/x-pack/plugins/security_solution/public/timelines/store/timeline/model.ts
@@ -85,6 +85,7 @@ export type SubsetTimelineModel = Readonly<
     | 'columns'
     | 'defaultColumns'
     | 'dataProviders'
+    | 'dataViewId'
     | 'deletedEventIds'
     | 'description'
     | 'documentType'
diff --git a/x-pack/plugins/security_solution/public/timelines/store/timeline/reducer.test.ts b/x-pack/plugins/security_solution/public/timelines/store/timeline/reducer.test.ts
index 639d1b1e4f489..50992cf7b21de 100644
--- a/x-pack/plugins/security_solution/public/timelines/store/timeline/reducer.test.ts
+++ b/x-pack/plugins/security_solution/public/timelines/store/timeline/reducer.test.ts
@@ -85,6 +85,7 @@ const basicTimeline: TimelineModel = {
   columns: [],
   defaultColumns: [],
   dataProviders: [{ ...basicDataProvider }],
+  dataViewId: '',
   dateRange: {
     start: '2020-07-07T08:20:18.966Z',
     end: '2020-07-08T08:20:18.966Z',
@@ -219,6 +220,7 @@ describe('Timeline', () => {
       const update = addNewTimeline({
         id: 'bar',
         columns: defaultHeaders,
+        dataViewId: '',
         indexNames: [],
         timelineById: timelineByIdMock,
         timelineType: TimelineType.default,
@@ -230,6 +232,7 @@ describe('Timeline', () => {
       const update = addNewTimeline({
         id: 'bar',
         columns: timelineDefaults.columns,
+        dataViewId: '',
         indexNames: [],
         timelineById: timelineByIdMock,
         timelineType: TimelineType.default,
@@ -247,6 +250,7 @@ describe('Timeline', () => {
       const update = addNewTimeline({
         id: 'bar',
         columns: defaultHeaders,
+        dataViewId: '',
         indexNames: [],
         timelineById: timelineByIdMock,
         timelineType: TimelineType.default,
diff --git a/x-pack/plugins/security_solution/public/timelines/store/timeline/reducer.ts b/x-pack/plugins/security_solution/public/timelines/store/timeline/reducer.ts
index e997bbd848d50..6a3aa68908bb5 100644
--- a/x-pack/plugins/security_solution/public/timelines/store/timeline/reducer.ts
+++ b/x-pack/plugins/security_solution/public/timelines/store/timeline/reducer.ts
@@ -34,7 +34,7 @@ import {
   updateDataProviderKqlQuery,
   updateDataProviderType,
   updateEventType,
-  updateIndexNames,
+  updateDataView,
   updateIsFavorite,
   updateIsLive,
   updateKqlMode,
@@ -326,12 +326,13 @@ export const timelineReducer = reducerWithInitialState(initialTimelineState)
     ...state,
     insertTimeline,
   }))
-  .case(updateIndexNames, (state, { id, indexNames }) => ({
+  .case(updateDataView, (state, { id, dataViewId, indexNames }) => ({
     ...state,
     timelineById: {
       ...state.timelineById,
       [id]: {
         ...state.timelineById[id],
+        dataViewId,
         indexNames,
       },
     },
diff --git a/x-pack/plugins/security_solution/public/ueba/pages/details/index.tsx b/x-pack/plugins/security_solution/public/ueba/pages/details/index.tsx
index b7a994ffa7ca8..72122aba3c4aa 100644
--- a/x-pack/plugins/security_solution/public/ueba/pages/details/index.tsx
+++ b/x-pack/plugins/security_solution/public/ueba/pages/details/index.tsx
@@ -39,7 +39,7 @@ import { Display } from '../display';
 import { timelineSelectors } from '../../../timelines/store/timeline';
 import { TimelineId } from '../../../../common/types/timeline';
 import { timelineDefaults } from '../../../timelines/store/timeline/defaults';
-import { useSourcererScope } from '../../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../../common/containers/sourcerer';
 import { useDeepEqualSelector, useShallowEqualSelector } from '../../../common/hooks/use_selector';
 import { useInvalidFilterQuery } from '../../../common/hooks/use_invalid_filter_query';
 import { SourcererScopeName } from '../../../common/store/sourcerer/model';
@@ -69,7 +69,7 @@ const UebaDetailsComponent: React.FC<UebaDetailsProps> = ({ detailName, uebaDeta
   );
   const getFilters = () => [...uebaDetailsPageFilters, ...filters];
 
-  const { docValueFields, indicesExist, indexPattern, selectedPatterns } = useSourcererScope(
+  const { docValueFields, indicesExist, indexPattern, selectedPatterns } = useSourcererDataView(
     SourcererScopeName.detections
   );
 
diff --git a/x-pack/plugins/security_solution/public/ueba/pages/details/types.ts b/x-pack/plugins/security_solution/public/ueba/pages/details/types.ts
index 976b033db5f5a..e46a128e15f85 100644
--- a/x-pack/plugins/security_solution/public/ueba/pages/details/types.ts
+++ b/x-pack/plugins/security_solution/public/ueba/pages/details/types.ts
@@ -6,7 +6,7 @@
  */
 
 import { ActionCreator } from 'typescript-fsa';
-import { Query, IIndexPattern, Filter } from 'src/plugins/data/public';
+import { DataViewBase, Filter, Query } from '@kbn/es-query';
 import { InputsModelId } from '../../../common/store/inputs/constants';
 import { UebaTableType } from '../../store/model';
 import { UebaQueryProps } from '../types';
@@ -54,7 +54,7 @@ export type UebaDetailsTabsProps = HostBodyComponentDispatchProps &
     indexNames: string[];
     pageFilters?: Filter[];
     filterQuery?: string;
-    indexPattern: IIndexPattern;
+    indexPattern: DataViewBase;
     type: uebaModel.UebaType;
   };
 
diff --git a/x-pack/plugins/security_solution/public/ueba/pages/ueba.tsx b/x-pack/plugins/security_solution/public/ueba/pages/ueba.tsx
index 4e0041a98454c..93e22efdba3dd 100644
--- a/x-pack/plugins/security_solution/public/ueba/pages/ueba.tsx
+++ b/x-pack/plugins/security_solution/public/ueba/pages/ueba.tsx
@@ -43,7 +43,7 @@ import {
 } from '../../timelines/components/timeline/helpers';
 import { timelineSelectors } from '../../timelines/store/timeline';
 import { timelineDefaults } from '../../timelines/store/timeline/defaults';
-import { useSourcererScope } from '../../common/containers/sourcerer';
+import { useSourcererDataView } from '../../common/containers/sourcerer';
 import { useDeepEqualSelector, useShallowEqualSelector } from '../../common/hooks/use_selector';
 import { useInvalidFilterQuery } from '../../common/hooks/use_invalid_filter_query';
 
@@ -78,7 +78,7 @@ const UebaComponent = () => {
   const { uiSettings } = useKibana().services;
   const tabsFilters = filters;
 
-  const { docValueFields, indicesExist, indexPattern, selectedPatterns } = useSourcererScope();
+  const { docValueFields, indicesExist, indexPattern, selectedPatterns } = useSourcererDataView();
   const [filterQuery, kqlError] = useMemo(
     () =>
       convertToBuildEsQuery({
diff --git a/x-pack/plugins/security_solution/server/client/client.ts b/x-pack/plugins/security_solution/server/client/client.ts
index 12a13e06c2ffe..e697331944012 100644
--- a/x-pack/plugins/security_solution/server/client/client.ts
+++ b/x-pack/plugins/security_solution/server/client/client.ts
@@ -6,22 +6,25 @@
  */
 
 import { ConfigType } from '../config';
-import { DEFAULT_PREVIEW_INDEX } from '../../common/constants';
+import { DEFAULT_DATA_VIEW_ID, DEFAULT_PREVIEW_INDEX } from '../../common/constants';
 
 export class AppClient {
   private readonly signalsIndex: string;
   private readonly spaceId: string;
   private readonly previewIndex: string;
+  private readonly sourcererDataViewId: string;
 
   constructor(_spaceId: string, private config: ConfigType) {
     const configuredSignalsIndex = this.config.signalsIndex;
 
     this.signalsIndex = `${configuredSignalsIndex}-${_spaceId}`;
     this.previewIndex = `${DEFAULT_PREVIEW_INDEX}-${_spaceId}`;
+    this.sourcererDataViewId = `${DEFAULT_DATA_VIEW_ID}-${_spaceId}`;
     this.spaceId = _spaceId;
   }
 
   public getSignalsIndex = (): string => this.signalsIndex;
   public getPreviewIndex = (): string => this.previewIndex;
+  public getSourcererDataViewId = (): string => this.sourcererDataViewId;
   public getSpaceId = (): string => this.spaceId;
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/index.ndjson b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/index.ndjson
index a02951e55580c..6922cacd17b68 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/index.ndjson
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/index.ndjson
@@ -11,4 +11,4 @@
 {"savedObjectId":null,"version":null,"columns":[{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"@timestamp","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"signal.rule.description","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"event.action","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.name","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"The working directory of the process.","columnHeaderType":"not-filtered","id":"process.working_directory","category":"process","type":"string","searchable":null,"example":"/home/alice"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.args","category":"process","type":"string","searchable":null,"example":"[\"/usr/bin/ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.pid","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"Absolute path to the process executable.","columnHeaderType":"not-filtered","id":"process.parent.executable","category":"process","type":"string","searchable":null,"example":"/usr/bin/ssh"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.parent.args","category":"process","type":"string","searchable":null,"example":"[\"ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"aggregatable":true,"name":null,"description":"Process id.","columnHeaderType":"not-filtered","id":"process.parent.pid","category":"process","type":"number","searchable":null,"example":"4242"},{"indexes":null,"aggregatable":true,"name":null,"description":"Short name or login of the user.","columnHeaderType":"not-filtered","id":"user.name","category":"user","type":"string","searchable":null,"example":"albert"},{"indexes":null,"aggregatable":true,"name":null,"description":"Name of the host.\n\nIt can contain what `hostname` returns on Unix systems, the fully qualified\ndomain name, or a name specified by the user. The sender decides which value\nto use.","columnHeaderType":"not-filtered","id":"host.name","category":"host","type":"string","searchable":null}],"dataProviders":[{"excluded":false,"and":[],"kqlQuery":"","name":"","queryMatch":{"displayValue":"endpoint","field":"agent.type","displayField":"agent.type","value":"endpoint","operator":":"},"id":"timeline-1-4685da24-35c1-43f3-892d-1f926dbf5568","type":"default","enabled":true}],"description":"","eventType":"all","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"title":"Generic Endpoint Timeline","timelineType":"template","templateTimelineVersion":2,"templateTimelineId":"db366523-f1c6-4c1f-8731-6ce5ed9e5717","dateRange":{"start":1588161020848,"end":1588162280848},"savedQueryId":null,"sort":{"columnId":"@timestamp","sortDirection":"desc"},"created":1594735857110,"createdBy":"Elastic","updated":1611609999115,"updatedBy":"Elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"status":"immutable"}
 {"savedObjectId":null,"version":null,"columns":[{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"@timestamp","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"signal.rule.description","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"The action captured by the event.\n\nThis describes the information in the event. It is more specific than `event.category`.\nExamples are `group-add`, `process-started`, `file-created`. The value is\nnormally defined by the implementer.","columnHeaderType":"not-filtered","id":"event.action","category":"event","type":"string","searchable":null,"example":"user-password-change"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.args","category":"process","type":"string","searchable":null,"example":"[\"/usr/bin/ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.pid","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"IP address of the source (IPv4 or IPv6).","columnHeaderType":"not-filtered","id":"source.ip","category":"source","type":"ip","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"Port of the source.","columnHeaderType":"not-filtered","id":"source.port","category":"source","type":"number","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"IP address of the destination (IPv4 or IPv6).","columnHeaderType":"not-filtered","id":"destination.ip","category":"destination","type":"ip","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"destination.port","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"Short name or login of the user.","columnHeaderType":"not-filtered","id":"user.name","category":"user","type":"string","searchable":null,"example":"albert"},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"host.name","searchable":null}],"dataProviders":[{"and":[{"enabled":true,"excluded":false,"id":"timeline-1-e37e37c5-a6e7-4338-af30-47bfbc3c0e1e","kqlQuery":"","name":"{destination.ip}","queryMatch":{"displayField":"destination.ip","displayValue":"{destination.ip}","field":"destination.ip","operator":":","value":"{destination.ip}"},"type":"template"}],"enabled":true,"excluded":false,"id":"timeline-1-ec778f01-1802-40f0-9dfb-ed8de1f656cb","kqlQuery":"","name":"{source.ip}","queryMatch":{"displayField":"source.ip","displayValue":"{source.ip}","field":"source.ip","operator":":","value":"{source.ip}"},"type":"template"}],"description":"","eventType":"all","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"title":"Generic Network Timeline","timelineType":"template","templateTimelineVersion":2,"templateTimelineId":"91832785-286d-4ebe-b884-1a208d111a70","dateRange":{"start":1588255858373,"end":1588256218373},"savedQueryId":null,"sort":{"columnId":"@timestamp","sortDirection":"desc"},"created":1594735573866,"createdBy":"Elastic","updated":1611609960850,"updatedBy":"Elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"status":"immutable"}
 {"savedObjectId":null,"version":null,"columns":[{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"@timestamp","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"signal.rule.description","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"event.action","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.name","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"The working directory of the process.","columnHeaderType":"not-filtered","id":"process.working_directory","category":"process","type":"string","searchable":null,"example":"/home/alice"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.args","category":"process","type":"string","searchable":null,"example":"[\"/usr/bin/ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.pid","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"Absolute path to the process executable.","columnHeaderType":"not-filtered","id":"process.parent.executable","category":"process","type":"string","searchable":null,"example":"/usr/bin/ssh"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.parent.args","category":"process","type":"string","searchable":null,"example":"[\"ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"aggregatable":true,"name":null,"description":"Process id.","columnHeaderType":"not-filtered","id":"process.parent.pid","category":"process","type":"number","searchable":null,"example":"4242"},{"indexes":null,"aggregatable":true,"name":null,"description":"Short name or login of the user.","columnHeaderType":"not-filtered","id":"user.name","category":"user","type":"string","searchable":null,"example":"albert"},{"indexes":null,"aggregatable":true,"name":null,"description":"Name of the host.\n\nIt can contain what `hostname` returns on Unix systems, the fully qualified\ndomain name, or a name specified by the user. The sender decides which value\nto use.","columnHeaderType":"not-filtered","id":"host.name","category":"host","type":"string","searchable":null}],"dataProviders":[{"excluded":false,"and":[],"kqlQuery":"","name":"{process.name}","queryMatch":{"displayValue":null,"field":"process.name","displayField":null,"value":"{process.name}","operator":":"},"id":"timeline-1-8622010a-61fb-490d-b162-beac9c36a853","type":"template","enabled":true}],"description":"","eventType":"all","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"title":"Generic Process Timeline","timelineType":"template","templateTimelineVersion":2,"templateTimelineId":"76e52245-7519-4251-91ab-262fb1a1728c","dateRange":{"start":1588161020848,"end":1588162280848},"savedQueryId":null,"sort":{"columnId":"@timestamp","sortDirection":"desc"},"created":1594735629389,"createdBy":"Elastic","updated":1611609848602,"updatedBy":"Elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"status":"immutable"}
-{"savedObjectId":null,"version":null,"columns":[{"columnHeaderType":"not-filtered","id":"@timestamp"},{"columnHeaderType":"not-filtered","id":"signal.rule.description"},{"aggregatable":true,"description":"The action captured by the event.\n\nThis describes the information in the event. It is more specific than `event.category`.\nExamples are `group-add`, `process-started`, `file-created`. The value is\nnormally defined by the implementer.","columnHeaderType":"not-filtered","id":"event.action","category":"event","type":"string","example":"user-password-change"},{"aggregatable":true,"description":"Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.args","category":"process","type":"string","example":"[\"/usr/bin/ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"columnHeaderType":"not-filtered","id":"process.pid"},{"aggregatable":true,"description":"IP address of the source (IPv4 or IPv6).","columnHeaderType":"not-filtered","id":"source.ip","category":"source","type":"ip"},{"aggregatable":true,"description":"Port of the source.","columnHeaderType":"not-filtered","id":"source.port","category":"source","type":"number"},{"aggregatable":true,"description":"IP address of the destination (IPv4 or IPv6).","columnHeaderType":"not-filtered","id":"destination.ip","category":"destination","type":"ip"},{"columnHeaderType":"not-filtered","id":"destination.port"},{"aggregatable":true,"description":"Short name or login of the user.","columnHeaderType":"not-filtered","id":"user.name","category":"user","type":"string","example":"albert"},{"columnHeaderType":"not-filtered","id":"host.name"}],"dataProviders":[{"excluded":false,"and":[{"excluded":false,"kqlQuery":"","name":"{threat.enrichments.matched.type}","queryMatch":{"displayValue":null,"field":"threat.enrichments.matched.type","displayField":null,"value":"{threat.enrichments.matched.type}","operator":":"},"id":"timeline-1-ae18ef4b-f690-4122-a24d-e13b6818fba8","type":"template","enabled":true},{"excluded":false,"kqlQuery":"","name":"{threat.enrichments.matched.field}","queryMatch":{"displayValue":null,"field":"threat.enrichments.matched.field","displayField":null,"value":"{threat.enrichments.matched.field}","operator":":"},"id":"timeline-1-7b4cf27e-6788-4d8e-9188-7687f0eba0f2","type":"template","enabled":true}],"kqlQuery":"","name":"{threat.enrichments.matched.atomic}","queryMatch":{"displayValue":null,"field":"threat.enrichments.matched.atomic","displayField":null,"value":"{threat.enrichments.matched.atomic}","operator":":"},"id":"timeline-1-7db7d278-a80a-4853-971a-904319c50777","type":"template","enabled":true}],"description":"This Timeline template is for alerts generated by Indicator Match detection rules.","eqlOptions":{"eventCategoryField":"event.category","tiebreakerField":"","timestampField":"@timestamp","query":"","size":100},"eventType":"alert","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"indexNames":[".siem-signals-default"],"title":"Generic Threat Match Timeline","timelineType":"template","templateTimelineVersion":2,"templateTimelineId":"495ad7a7-316e-4544-8a0f-9c098daee76e","dateRange":{"start":1588161020848,"end":1588162280848},"savedQueryId":null,"sort":[{"sortDirection":"desc","columnId":"@timestamp"}],"created":1616696609311,"createdBy":"elastic","updated":1616788372794,"updatedBy":"elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"status":"immutable"}
+{"savedObjectId":null,"version":null,"columns":[{"columnHeaderType":"not-filtered","id":"@timestamp"},{"columnHeaderType":"not-filtered","id":"signal.rule.description"},{"aggregatable":true,"description":"The action captured by the event.\n\nThis describes the information in the event. It is more specific than `event.category`.\nExamples are `group-add`, `process-started`, `file-created`. The value is\nnormally defined by the implementer.","columnHeaderType":"not-filtered","id":"event.action","category":"event","type":"string","example":"user-password-change"},{"aggregatable":true,"description":"Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.args","category":"process","type":"string","example":"[\"/usr/bin/ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"columnHeaderType":"not-filtered","id":"process.pid"},{"aggregatable":true,"description":"IP address of the source (IPv4 or IPv6).","columnHeaderType":"not-filtered","id":"source.ip","category":"source","type":"ip"},{"aggregatable":true,"description":"Port of the source.","columnHeaderType":"not-filtered","id":"source.port","category":"source","type":"number"},{"aggregatable":true,"description":"IP address of the destination (IPv4 or IPv6).","columnHeaderType":"not-filtered","id":"destination.ip","category":"destination","type":"ip"},{"columnHeaderType":"not-filtered","id":"destination.port"},{"aggregatable":true,"description":"Short name or login of the user.","columnHeaderType":"not-filtered","id":"user.name","category":"user","type":"string","example":"albert"},{"columnHeaderType":"not-filtered","id":"host.name"}],"dataProviders":[{"excluded":false,"and":[{"excluded":false,"kqlQuery":"","name":"{threat.enrichments.matched.type}","queryMatch":{"displayValue":null,"field":"threat.enrichments.matched.type","displayField":null,"value":"{threat.enrichments.matched.type}","operator":":"},"id":"timeline-1-ae18ef4b-f690-4122-a24d-e13b6818fba8","type":"template","enabled":true},{"excluded":false,"kqlQuery":"","name":"{threat.enrichments.matched.field}","queryMatch":{"displayValue":null,"field":"threat.enrichments.matched.field","displayField":null,"value":"{threat.enrichments.matched.field}","operator":":"},"id":"timeline-1-7b4cf27e-6788-4d8e-9188-7687f0eba0f2","type":"template","enabled":true}],"kqlQuery":"","name":"{threat.enrichments.matched.atomic}","queryMatch":{"displayValue":null,"field":"threat.enrichments.matched.atomic","displayField":null,"value":"{threat.enrichments.matched.atomic}","operator":":"},"id":"timeline-1-7db7d278-a80a-4853-971a-904319c50777","type":"template","enabled":true}],"description":"This Timeline template is for alerts generated by Indicator Match detection rules.","eqlOptions":{"eventCategoryField":"event.category","tiebreakerField":"","timestampField":"@timestamp","query":"","size":100},"eventType":"alert","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"dataViewId": "security-solution","indexNames":[".siem-signals-default"],"title":"Generic Threat Match Timeline","timelineType":"template","templateTimelineVersion":2,"templateTimelineId":"495ad7a7-316e-4544-8a0f-9c098daee76e","dateRange":{"start":1588161020848,"end":1588162280848},"savedQueryId":null,"sort":[{"sortDirection":"desc","columnId":"@timestamp"}],"created":1616696609311,"createdBy":"elastic","updated":1616788372794,"updatedBy":"elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"status":"immutable"}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/threat.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/threat.json
index d777fdf17d657..0d74cc6e43619 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/threat.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/threat.json
@@ -1 +1 @@
-{"savedObjectId":null,"version":null,"columns":[{"columnHeaderType":"not-filtered","id":"@timestamp"},{"columnHeaderType":"not-filtered","id":"signal.rule.description"},{"aggregatable":true,"description":"The action captured by the event.\n\nThis describes the information in the event. It is more specific than `event.category`.\nExamples are `group-add`, `process-started`, `file-created`. The value is\nnormally defined by the implementer.","columnHeaderType":"not-filtered","id":"event.action","category":"event","type":"string","example":"user-password-change"},{"aggregatable":true,"description":"Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.args","category":"process","type":"string","example":"[\"/usr/bin/ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"columnHeaderType":"not-filtered","id":"process.pid"},{"aggregatable":true,"description":"IP address of the source (IPv4 or IPv6).","columnHeaderType":"not-filtered","id":"source.ip","category":"source","type":"ip"},{"aggregatable":true,"description":"Port of the source.","columnHeaderType":"not-filtered","id":"source.port","category":"source","type":"number"},{"aggregatable":true,"description":"IP address of the destination (IPv4 or IPv6).","columnHeaderType":"not-filtered","id":"destination.ip","category":"destination","type":"ip"},{"columnHeaderType":"not-filtered","id":"destination.port"},{"aggregatable":true,"description":"Short name or login of the user.","columnHeaderType":"not-filtered","id":"user.name","category":"user","type":"string","example":"albert"},{"columnHeaderType":"not-filtered","id":"host.name"}],"dataProviders":[{"excluded":false,"and":[{"excluded":false,"kqlQuery":"","name":"{threat.enrichments.matched.type}","queryMatch":{"displayValue":null,"field":"threat.enrichments.matched.type","displayField":null,"value":"{threat.enrichments.matched.type}","operator":":"},"id":"timeline-1-ae18ef4b-f690-4122-a24d-e13b6818fba8","type":"template","enabled":true},{"excluded":false,"kqlQuery":"","name":"{threat.enrichments.matched.field}","queryMatch":{"displayValue":null,"field":"threat.enrichments.matched.field","displayField":null,"value":"{threat.enrichments.matched.field}","operator":":"},"id":"timeline-1-7b4cf27e-6788-4d8e-9188-7687f0eba0f2","type":"template","enabled":true}],"kqlQuery":"","name":"{threat.enrichments.matched.atomic}","queryMatch":{"displayValue":null,"field":"threat.enrichments.matched.atomic","displayField":null,"value":"{threat.enrichments.matched.atomic}","operator":":"},"id":"timeline-1-7db7d278-a80a-4853-971a-904319c50777","type":"template","enabled":true}],"description":"This Timeline template is for alerts generated by Indicator Match detection rules.","eqlOptions":{"eventCategoryField":"event.category","tiebreakerField":"","timestampField":"@timestamp","query":"","size":100},"eventType":"alert","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"indexNames":[".siem-signals-default"],"title":"Generic Threat Match Timeline","timelineType":"template","templateTimelineVersion":2,"templateTimelineId":"495ad7a7-316e-4544-8a0f-9c098daee76e","dateRange":{"start":1588161020848,"end":1588162280848},"savedQueryId":null,"sort":[{"sortDirection":"desc","columnId":"@timestamp"}],"created":1616696609311,"createdBy":"elastic","updated":1616788372794,"updatedBy":"elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"status":"immutable"}
+{"savedObjectId":null,"version":null,"columns":[{"columnHeaderType":"not-filtered","id":"@timestamp"},{"columnHeaderType":"not-filtered","id":"signal.rule.description"},{"aggregatable":true,"description":"The action captured by the event.\n\nThis describes the information in the event. It is more specific than `event.category`.\nExamples are `group-add`, `process-started`, `file-created`. The value is\nnormally defined by the implementer.","columnHeaderType":"not-filtered","id":"event.action","category":"event","type":"string","example":"user-password-change"},{"aggregatable":true,"description":"Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.args","category":"process","type":"string","example":"[\"/usr/bin/ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"columnHeaderType":"not-filtered","id":"process.pid"},{"aggregatable":true,"description":"IP address of the source (IPv4 or IPv6).","columnHeaderType":"not-filtered","id":"source.ip","category":"source","type":"ip"},{"aggregatable":true,"description":"Port of the source.","columnHeaderType":"not-filtered","id":"source.port","category":"source","type":"number"},{"aggregatable":true,"description":"IP address of the destination (IPv4 or IPv6).","columnHeaderType":"not-filtered","id":"destination.ip","category":"destination","type":"ip"},{"columnHeaderType":"not-filtered","id":"destination.port"},{"aggregatable":true,"description":"Short name or login of the user.","columnHeaderType":"not-filtered","id":"user.name","category":"user","type":"string","example":"albert"},{"columnHeaderType":"not-filtered","id":"host.name"}],"dataProviders":[{"excluded":false,"and":[{"excluded":false,"kqlQuery":"","name":"{threat.enrichments.matched.type}","queryMatch":{"displayValue":null,"field":"threat.enrichments.matched.type","displayField":null,"value":"{threat.enrichments.matched.type}","operator":":"},"id":"timeline-1-ae18ef4b-f690-4122-a24d-e13b6818fba8","type":"template","enabled":true},{"excluded":false,"kqlQuery":"","name":"{threat.enrichments.matched.field}","queryMatch":{"displayValue":null,"field":"threat.enrichments.matched.field","displayField":null,"value":"{threat.enrichments.matched.field}","operator":":"},"id":"timeline-1-7b4cf27e-6788-4d8e-9188-7687f0eba0f2","type":"template","enabled":true}],"kqlQuery":"","name":"{threat.enrichments.matched.atomic}","queryMatch":{"displayValue":null,"field":"threat.enrichments.matched.atomic","displayField":null,"value":"{threat.enrichments.matched.atomic}","operator":":"},"id":"timeline-1-7db7d278-a80a-4853-971a-904319c50777","type":"template","enabled":true}],"description":"This Timeline template is for alerts generated by Indicator Match detection rules.","eqlOptions":{"eventCategoryField":"event.category","tiebreakerField":"","timestampField":"@timestamp","query":"","size":100},"eventType":"alert","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"dataViewId": "security-solution","indexNames":[".siem-signals-default"],"title":"Generic Threat Match Timeline","timelineType":"template","templateTimelineVersion":2,"templateTimelineId":"495ad7a7-316e-4544-8a0f-9c098daee76e","dateRange":{"start":1588161020848,"end":1588162280848},"savedQueryId":null,"sort":[{"sortDirection":"desc","columnId":"@timestamp"}],"created":1616696609311,"createdBy":"elastic","updated":1616788372794,"updatedBy":"elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"status":"immutable"}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/detections_role.json
index 7d81897708422..e6fbef08d25ee 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/detections_role.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/detections_role.json
@@ -34,6 +34,8 @@
         "ml": ["all"],
         "siem": ["all", "read_alerts", "crud_alerts"],
         "securitySolutionCases": ["all"],
+        "indexPatterns": ["all"],
+        "savedObjectsManagement": ["all"],
         "actions": ["read"],
         "builtInAlerts": ["all"],
         "dev_tools": ["all"]
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/detections_role.json
index 34d8b7b4d4446..af12a2cb674d5 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/detections_role.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/detections_role.json
@@ -39,6 +39,8 @@
         "ml": ["read"],
         "siem": ["all", "read_alerts", "crud_alerts"],
         "securitySolutionCases": ["all"],
+        "indexPatterns": ["read"],
+        "savedObjectsManagement": ["read"],
         "actions": ["read"],
         "builtInAlerts": ["all"]
       },
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/index.ts
index bcdc472477531..c18e23b7a3cdf 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/index.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/index.ts
@@ -13,3 +13,8 @@ export * from './rule_author';
 export * from './soc_manager';
 export * from './t1_analyst';
 export * from './t2_analyst';
+
+// TODO: Steph/sourcerer remove from detections_role.json once we have our internal saved object client
+// https://github.com/elastic/security-team/issues/1978
+// "indexPatterns": ["read"],
+// "savedObjectsManagement": ["read"],
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/detections_role.json
index f6b31d4b3ed81..18effae645c42 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/detections_role.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/detections_role.json
@@ -34,6 +34,8 @@
         "ml": ["all"],
         "siem": ["all", "read_alerts", "crud_alerts"],
         "securitySolutionCases": ["all"],
+        "indexPatterns": ["all"],
+        "savedObjectsManagement": ["all"],
         "actions": ["all"],
         "builtInAlerts": ["all"]
       },
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/detections_role.json
index 4cfc6a3ec80ed..8f9434d9a3623 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/detections_role.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/detections_role.json
@@ -27,6 +27,8 @@
         "ml": ["read"],
         "siem": ["read", "read_alerts"],
         "securitySolutionCases": ["read"],
+        "indexPatterns": ["read"],
+        "savedObjectsManagement": ["read"],
         "actions": ["read"],
         "builtInAlerts": ["read"]
       },
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/detections_role.json
index a23aec6d6e403..d6bee8ce9dc16 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/detections_role.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/detections_role.json
@@ -37,6 +37,8 @@
         "ml": ["read"],
         "siem": ["all", "read_alerts", "crud_alerts"],
         "securitySolutionCases": ["all"],
+        "indexPatterns": ["read"],
+        "savedObjectsManagement": ["read"],
         "actions": ["read"],
         "builtInAlerts": ["all"]
       },
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/detections_role.json
index da855c6926438..46f7ca1d0067d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/detections_role.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/detections_role.json
@@ -37,6 +37,8 @@
         "ml": ["read"],
         "siem": ["all", "read_alerts", "crud_alerts"],
         "securitySolutionCases": ["all"],
+        "indexPatterns": ["all"],
+        "savedObjectsManagement": ["all"],
         "actions": ["all"],
         "builtInAlerts": ["all"]
       },
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/detections_role.json
index a63d0186a2a91..ea3bd7b97e3ca 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/detections_role.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/detections_role.json
@@ -27,6 +27,8 @@
         "ml": ["read"],
         "siem": ["read", "read_alerts"],
         "securitySolutionCases": ["read"],
+        "indexPatterns": ["read"],
+        "savedObjectsManagement": ["read"],
         "actions": ["read"],
         "builtInAlerts": ["read"]
       },
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/detections_role.json
index de1ff5af99c1b..209e57eba2cfd 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/detections_role.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/detections_role.json
@@ -29,6 +29,8 @@
         "ml": ["read"],
         "siem": ["read", "read_alerts"],
         "securitySolutionCases": ["read"],
+        "indexPatterns": ["read"],
+        "savedObjectsManagement": ["read"],
         "actions": ["read"],
         "builtInAlerts": ["read"]
       },
diff --git a/x-pack/plugins/security_solution/server/lib/sourcerer/routes/helpers.ts b/x-pack/plugins/security_solution/server/lib/sourcerer/routes/helpers.ts
new file mode 100644
index 0000000000000..47218f2731e78
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/sourcerer/routes/helpers.ts
@@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { ElasticsearchClient } from 'kibana/server';
+
+export const findExistingIndices = async (
+  indices: string[],
+  esClient: ElasticsearchClient
+): Promise<boolean[]> =>
+  Promise.all(
+    indices
+      .map(async (index) => {
+        const searchResponse = await esClient.fieldCaps({
+          index,
+          fields: '_id',
+          ignore_unavailable: true,
+          allow_no_indices: false,
+        });
+        return searchResponse.body.indices.length > 0;
+      })
+      .map((p) => p.catch((e) => false))
+  );
diff --git a/x-pack/plugins/security_solution/server/lib/sourcerer/routes/index.test.ts b/x-pack/plugins/security_solution/server/lib/sourcerer/routes/index.test.ts
new file mode 100644
index 0000000000000..99b4f05abb1b1
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/sourcerer/routes/index.test.ts
@@ -0,0 +1,169 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { createSourcererDataViewRoute } from './';
+import {
+  requestMock,
+  serverMock,
+  requestContextMock,
+} from '../../detection_engine/routes/__mocks__';
+
+import { SOURCERER_API_URL } from '../../../../common/constants';
+import { StartServicesAccessor } from 'kibana/server';
+import { StartPlugins } from '../../../plugin';
+
+jest.mock('./helpers', () => {
+  const original = jest.requireActual('./helpers');
+
+  return {
+    ...original,
+    findExistingIndices: () => new Promise((resolve) => resolve([true, true])),
+  };
+});
+const mockPattern = {
+  id: 'security-solution',
+  title:
+    'apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,ml_host_risk_score_*,.siem-signals-default',
+};
+const mockPatternList = [
+  'apm-*-transaction*',
+  'traces-apm*',
+  'auditbeat-*',
+  'endgame-*',
+  'filebeat-*',
+  'logs-*',
+  'packetbeat-*',
+  'winlogbeat-*',
+  'ml_host_risk_score_*',
+  '.siem-signals-default',
+];
+const mockDataViews = [
+  {
+    id: 'metrics-*',
+    title: 'metrics-*',
+  },
+  {
+    id: 'logs-*',
+    title: 'logs-*',
+  },
+  mockPattern,
+];
+const getStartServices = jest.fn().mockReturnValue([
+  null,
+  {
+    data: {
+      indexPatterns: {
+        indexPatternsServiceFactory: () => ({
+          getIdsWithTitle: () => new Promise((rs) => rs(mockDataViews)),
+          get: () => new Promise((rs) => rs(mockPattern)),
+          createAndSave: () => new Promise((rs) => rs(mockPattern)),
+          updateSavedObject: () => new Promise((rs) => rs(mockPattern)),
+        }),
+      },
+    },
+  },
+] as unknown) as StartServicesAccessor<StartPlugins>;
+
+const getStartServicesNotSiem = jest.fn().mockReturnValue([
+  null,
+  {
+    data: {
+      indexPatterns: {
+        indexPatternsServiceFactory: () => ({
+          getIdsWithTitle: () =>
+            new Promise((rs) => rs(mockDataViews.filter((v) => v.id !== mockPattern.id))),
+          get: () => new Promise((rs) => rs(mockPattern)),
+          createAndSave: () => new Promise((rs) => rs(mockPattern)),
+          updateSavedObject: () => new Promise((rs) => rs(mockPattern)),
+        }),
+      },
+    },
+  },
+] as unknown) as StartServicesAccessor<StartPlugins>;
+
+const mockDataViewsTransformed = {
+  defaultDataView: {
+    id: 'security-solution',
+    patternList: ['apm-*-transaction*', 'traces-apm*'],
+    title:
+      'apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,ml_host_risk_score_*,.siem-signals-default',
+  },
+  kibanaDataViews: [
+    {
+      id: 'metrics-*',
+      patternList: ['metrics-*'],
+      title: 'metrics-*',
+    },
+    {
+      id: 'logs-*',
+      patternList: ['logs-*'],
+      title: 'logs-*',
+    },
+    {
+      id: 'security-solution',
+      patternList: ['apm-*-transaction*', 'traces-apm*'],
+      title:
+        'apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,ml_host_risk_score_*,.siem-signals-default',
+    },
+  ],
+};
+
+export const getSourcererRequest = (patternList: string[]) =>
+  requestMock.create({
+    method: 'post',
+    path: SOURCERER_API_URL,
+    body: { patternList },
+  });
+
+describe('sourcerer route', () => {
+  let server: ReturnType<typeof serverMock.create>;
+  let { context } = requestContextMock.createTools();
+
+  beforeEach(() => {
+    server = serverMock.create();
+    ({ context } = requestContextMock.createTools());
+  });
+
+  test('returns sourcerer formatted Data Views when SIEM Data View does NOT exist', async () => {
+    createSourcererDataViewRoute(server.router, getStartServicesNotSiem);
+    const response = await server.inject(getSourcererRequest(mockPatternList), context);
+    expect(response.status).toEqual(200);
+    expect(response.body).toEqual(mockDataViewsTransformed);
+  });
+
+  test('returns sourcerer formatted Data Views when SIEM Data View exists', async () => {
+    createSourcererDataViewRoute(server.router, getStartServices);
+    const response = await server.inject(getSourcererRequest(mockPatternList), context);
+    expect(response.status).toEqual(200);
+    expect(response.body).toEqual(mockDataViewsTransformed);
+  });
+
+  test('returns sourcerer formatted Data Views when SIEM Data View exists and patternList input is changed', async () => {
+    createSourcererDataViewRoute(server.router, getStartServices);
+    mockPatternList.shift();
+    const response = await server.inject(getSourcererRequest(mockPatternList), context);
+    expect(response.status).toEqual(200);
+    expect(response.body).toEqual({
+      defaultDataView: {
+        id: 'security-solution',
+        patternList: ['traces-apm*', 'auditbeat-*'],
+        title:
+          'traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,ml_host_risk_score_*,.siem-signals-default',
+      },
+      kibanaDataViews: [
+        mockDataViewsTransformed.kibanaDataViews[0],
+        mockDataViewsTransformed.kibanaDataViews[1],
+        {
+          id: 'security-solution',
+          patternList: ['traces-apm*', 'auditbeat-*'],
+          title:
+            'traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*,ml_host_risk_score_*,.siem-signals-default',
+        },
+      ],
+    });
+  });
+});
diff --git a/x-pack/plugins/security_solution/server/lib/sourcerer/routes/index.ts b/x-pack/plugins/security_solution/server/lib/sourcerer/routes/index.ts
new file mode 100644
index 0000000000000..cdaaedf364eb6
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/sourcerer/routes/index.ts
@@ -0,0 +1,119 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { transformError } from '@kbn/securitysolution-es-utils';
+import { StartServicesAccessor } from 'kibana/server';
+import type { SecuritySolutionPluginRouter } from '../../../types';
+import { DEFAULT_TIME_FIELD, SOURCERER_API_URL } from '../../../../common/constants';
+import { buildSiemResponse } from '../../detection_engine/routes/utils';
+import { buildRouteValidation } from '../../../utils/build_validation/route_validation';
+import { sourcererSchema } from './schema';
+import { StartPlugins } from '../../../plugin';
+import { findExistingIndices } from './helpers';
+
+export const createSourcererDataViewRoute = (
+  router: SecuritySolutionPluginRouter,
+  getStartServices: StartServicesAccessor<StartPlugins>
+) => {
+  router.post(
+    {
+      path: SOURCERER_API_URL,
+      validate: {
+        body: buildRouteValidation(sourcererSchema),
+      },
+      options: {
+        tags: ['access:securitySolution'],
+      },
+    },
+    async (context, request, response) => {
+      const siemResponse = buildSiemResponse(response);
+      const siemClient = context.securitySolution?.getAppClient();
+      const dataViewId = siemClient.getSourcererDataViewId();
+      try {
+        const [
+          ,
+          {
+            data: { indexPatterns },
+          },
+        ] = await getStartServices();
+        const dataViewService = await indexPatterns.indexPatternsServiceFactory(
+          context.core.savedObjects.client,
+          context.core.elasticsearch.client.asInternalUser
+        );
+
+        let allDataViews = await dataViewService.getIdsWithTitle();
+        const { patternList } = request.body;
+        const siemDataView = allDataViews.find((v) => v.id === dataViewId);
+        const patternListAsTitle = patternList.join();
+
+        if (siemDataView == null) {
+          const defaultDataView = await dataViewService.createAndSave({
+            allowNoIndex: true,
+            id: dataViewId,
+            title: patternListAsTitle,
+            timeFieldName: DEFAULT_TIME_FIELD,
+          });
+          // ?? dataViewId -> type thing here, should never happen
+          allDataViews.push({ ...defaultDataView, id: defaultDataView.id ?? dataViewId });
+        } else if (patternListAsTitle !== siemDataView.title) {
+          const defaultDataView = { ...siemDataView, id: siemDataView.id ?? '' };
+          const wholeDataView = await dataViewService.get(defaultDataView.id);
+          wholeDataView.title = patternListAsTitle;
+          let didUpdate = true;
+          await dataViewService.updateSavedObject(wholeDataView).catch((err) => {
+            const error = transformError(err);
+            if (error.statusCode === 403) {
+              didUpdate = false;
+              // user doesnt have permissions to update, use existing pattern
+              wholeDataView.title = defaultDataView.title;
+              return;
+            }
+            throw err;
+          });
+
+          // update the data view in allDataViews
+          if (didUpdate) {
+            allDataViews = allDataViews.map((v) =>
+              v.id === dataViewId ? { ...v, title: patternListAsTitle } : v
+            );
+          }
+        }
+
+        const patternLists: string[][] = allDataViews.map(({ title }) => title.split(','));
+        const activePatternBools: boolean[][] = await Promise.all(
+          patternLists.map((pl) =>
+            findExistingIndices(pl, context.core.elasticsearch.client.asCurrentUser)
+          )
+        );
+
+        const activePatternLists = patternLists.map((pl, i) =>
+          // also remove duplicates from active
+          pl.filter((pattern, j, self) => self.indexOf(pattern) === j && activePatternBools[i][j])
+        );
+
+        const kibanaDataViews = allDataViews.map((kip, i) => ({
+          ...kip,
+          patternList: activePatternLists[i],
+        }));
+        const body = {
+          defaultDataView: kibanaDataViews.find((p) => p.id === dataViewId) ?? {},
+          kibanaDataViews,
+        };
+        return response.ok({ body });
+      } catch (err) {
+        const error = transformError(err);
+        return siemResponse.error({
+          body:
+            error.statusCode === 403
+              ? 'Users with write permissions need to access the Elastic Security app to initialize the app source data.'
+              : error.message,
+          statusCode: error.statusCode,
+        });
+      }
+    }
+  );
+};
diff --git a/x-pack/plugins/security_solution/server/lib/sourcerer/routes/schema.ts b/x-pack/plugins/security_solution/server/lib/sourcerer/routes/schema.ts
new file mode 100644
index 0000000000000..17f7f36a16341
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/sourcerer/routes/schema.ts
@@ -0,0 +1,12 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import * as t from 'io-ts';
+
+export const sourcererSchema = t.type({
+  patternList: t.array(t.string),
+});
diff --git a/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/create_timelines.ts b/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/create_timelines.ts
index d03b445da26d0..72a4a0b3782ed 100644
--- a/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/create_timelines.ts
+++ b/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/create_timelines.ts
@@ -163,6 +163,7 @@ export const mockTemplate = {
       and: [],
     },
   ],
+  dataViewId: '',
   description: '',
   eventType: 'all',
   excludedRowRendererIds: [],
@@ -192,6 +193,7 @@ export const mockTimeline = {
     { columnHeaderType: 'not-filtered', id: 'user.name' },
   ],
   dataProviders: [],
+  dataViewId: 'security-solution',
   description: '',
   eventType: 'all',
   excludedRowRendererIds: [],
diff --git a/x-pack/plugins/security_solution/server/lib/timeline/constants.ts b/x-pack/plugins/security_solution/server/lib/timeline/constants.ts
index 916fe726210cd..bd9a827e768dc 100644
--- a/x-pack/plugins/security_solution/server/lib/timeline/constants.ts
+++ b/x-pack/plugins/security_solution/server/lib/timeline/constants.ts
@@ -10,6 +10,11 @@
  */
 export const SAVED_QUERY_ID_REF_NAME = 'savedQueryId';
 
+/**
+ * The reference name for the saved query ID field within the timeline saved object definition
+ */
+export const DATA_VIEW_ID_REF_NAME = 'dataViewId';
+
 /**
  * This needs to match the type of the saved query saved object. That type is defined here:
  * https://github.com/elastic/kibana/blob/main/src/plugins/data/public/query/saved_query/saved_query_service.ts#L54
diff --git a/x-pack/plugins/security_solution/server/lib/timeline/routes/README.md b/x-pack/plugins/security_solution/server/lib/timeline/routes/README.md
index defbf8be8b7c3..6878e21e14452 100644
--- a/x-pack/plugins/security_solution/server/lib/timeline/routes/README.md
+++ b/x-pack/plugins/security_solution/server/lib/timeline/routes/README.md
@@ -713,6 +713,7 @@ api/timelines?page_size=10&page_index=1&sort_field=updated&sort_order=desc&timel
           "enabled": true
         }
       ],
+      "dataViewId": "security-solution",
       "description": "",
       "eqlOptions": {
         "tiebreakerField": "",
@@ -879,6 +880,7 @@ api/timelines?page_size=10&page_index=1&sort_field=updated&sort_order=desc&timel
           "enabled": true
         }
       ],
+      "dataViewId": "security-solution",
       "description": "",
       "eventType": "all",
       "filters": [],
@@ -1023,6 +1025,7 @@ kbn-version: 8.0.0
           "enabled": true
         }
       ],
+      "dataViewId": "security-solution",
       "description": "",
       "eventType": "all",
       "filters": [],
@@ -1214,6 +1217,7 @@ kbn-version: 8.0.0
           "enabled": true
         }
       ],
+      "dataViewId": "security-solution",
       "description": "",
       "eqlOptions": {
         "eventCategoryField": "event.category",
diff --git a/x-pack/plugins/security_solution/server/lib/timeline/routes/timelines/create_timelines/helpers.test.ts b/x-pack/plugins/security_solution/server/lib/timeline/routes/timelines/create_timelines/helpers.test.ts
index 8bf5213d6a47f..1d4d9b1e0f2ea 100644
--- a/x-pack/plugins/security_solution/server/lib/timeline/routes/timelines/create_timelines/helpers.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/timeline/routes/timelines/create_timelines/helpers.test.ts
@@ -9,7 +9,7 @@ import * as module from './helpers';
 import { savePinnedEvents } from '../../../saved_object/pinned_events';
 import { getNote } from '../../../saved_object/notes';
 import { FrameworkRequest } from '../../../../framework';
-import { SavedTimeline } from '../../../../../../common/types/timeline';
+import { SavedTimeline } from '../../../../../../common';
 import { mockTemplate, mockTimeline } from '../../../__mocks__/create_timelines';
 import { buildFrameworkRequest } from '../../../utils/common';
 import { SecurityPluginSetup } from '../../../../../../../security/server';
@@ -32,13 +32,6 @@ const notes = [
 const existingNoteIds = undefined;
 const isImmutable = true;
 
-// System under test uses moment.js under the hood, so we need to mock time.
-// Mocking moment via jest.mock('moment') breaks imports of moment in other files.
-// Instead, we simply mock Date.now() via jest API and moment starts using it.
-// This affects all the tests in this file and doesn't affect tests in other files.
-// https://jestjs.io/docs/timer-mocks
-jest.useFakeTimers('modern').setSystemTime(new Date('2020-11-04T11:37:31.655Z'));
-
 jest.mock('../../../saved_object/timelines', () => ({
   persistTimeline: jest.fn().mockResolvedValue({
     timeline: {
@@ -77,6 +70,7 @@ describe('createTimelines', () => {
     const mockRequest = getCreateTimelinesRequest(createTimelineWithoutTimelineId);
 
     frameworkRequest = await buildFrameworkRequest(context, securitySetup, mockRequest);
+    Date.now = jest.fn().mockReturnValue(new Date('2020-11-04T11:37:31.655Z'));
   });
 
   describe('create timelines', () => {
diff --git a/x-pack/plugins/security_solution/server/lib/timeline/saved_object/timelines/convert_saved_object_to_savedtimeline.ts b/x-pack/plugins/security_solution/server/lib/timeline/saved_object/timelines/convert_saved_object_to_savedtimeline.ts
index b49538a706e39..5ab971adfcb83 100644
--- a/x-pack/plugins/security_solution/server/lib/timeline/saved_object/timelines/convert_saved_object_to_savedtimeline.ts
+++ b/x-pack/plugins/security_solution/server/lib/timeline/saved_object/timelines/convert_saved_object_to_savedtimeline.ts
@@ -51,8 +51,8 @@ const getTimelineTypeAndStatus = (
   };
 };
 
-export const convertSavedObjectToSavedTimeline = (savedObject: unknown): TimelineSavedObject => {
-  const timeline = pipe(
+export const convertSavedObjectToSavedTimeline = (savedObject: unknown): TimelineSavedObject =>
+  pipe(
     TimelineSavedObjectWithDraftRuntime.decode(savedObject),
     map((savedTimeline) => {
       const attributes = {
@@ -78,6 +78,3 @@ export const convertSavedObjectToSavedTimeline = (savedObject: unknown): Timelin
       throw new Error(failure(errors).join('\n'));
     }, identity)
   );
-
-  return timeline;
-};
diff --git a/x-pack/plugins/security_solution/server/lib/timeline/saved_object/timelines/field_migrator.ts b/x-pack/plugins/security_solution/server/lib/timeline/saved_object/timelines/field_migrator.ts
index bb6667f81ed8f..87d3aa4c6f908 100644
--- a/x-pack/plugins/security_solution/server/lib/timeline/saved_object/timelines/field_migrator.ts
+++ b/x-pack/plugins/security_solution/server/lib/timeline/saved_object/timelines/field_migrator.ts
@@ -5,13 +5,14 @@
  * 2.0.
  */
 
-import { SAVED_QUERY_ID_REF_NAME, SAVED_QUERY_TYPE } from '../../constants';
+import { DATA_VIEW_ID_REF_NAME, SAVED_QUERY_ID_REF_NAME, SAVED_QUERY_TYPE } from '../../constants';
 import { FieldMigrator } from '../../utils/migrator';
-
+import { DATA_VIEW_SAVED_OBJECT_TYPE } from '../../../../../../../../src/plugins/data/common';
 /**
  * A migrator to handle moving specific fields that reference other saved objects to the references field within a saved
  * object.
  */
 export const timelineFieldsMigrator = new FieldMigrator([
   { path: 'savedQueryId', type: SAVED_QUERY_TYPE, name: SAVED_QUERY_ID_REF_NAME },
+  { path: 'dataViewId', type: DATA_VIEW_SAVED_OBJECT_TYPE, name: DATA_VIEW_ID_REF_NAME },
 ]);
diff --git a/x-pack/plugins/security_solution/server/lib/timeline/saved_object/timelines/index.test.ts b/x-pack/plugins/security_solution/server/lib/timeline/saved_object/timelines/index.test.ts
index 112796df527fa..8af3cf7cfb1cf 100644
--- a/x-pack/plugins/security_solution/server/lib/timeline/saved_object/timelines/index.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/timeline/saved_object/timelines/index.test.ts
@@ -26,6 +26,8 @@ import {
   mockResolvedTimeline,
   mockResolveTimelineResponse,
 } from '../../__mocks__/resolve_timeline';
+import { DATA_VIEW_ID_REF_NAME, SAVED_QUERY_ID_REF_NAME, SAVED_QUERY_TYPE } from '../../constants';
+import { DATA_VIEW_SAVED_OBJECT_TYPE } from '../../../../../../../../src/plugins/data_views/common';
 
 jest.mock('./convert_saved_object_to_savedtimeline', () => ({
   convertSavedObjectToSavedTimeline: jest.fn(),
@@ -309,4 +311,54 @@ describe('saved_object', () => {
       expect(result).toEqual(mockResolveTimelineResponse);
     });
   });
+  describe('field migrator', () => {
+    let mockResolveSavedObject: jest.Mock;
+    const convertSavedObjectToSavedTimelineMock: jest.Mock =
+      convertSavedObjectToSavedTimeline as jest.Mock;
+    let mockRequest: FrameworkRequest;
+    beforeEach(async () => {
+      jest.clearAllMocks();
+      convertSavedObjectToSavedTimelineMock.mockReturnValue(mockResolvedTimeline);
+      mockResolveSavedObject = jest.fn().mockReturnValue({
+        ...mockResolvedSavedObject,
+        saved_object: {
+          ...mockResolvedSavedObject.saved_object,
+          references: [
+            {
+              id: 'boo',
+              name: SAVED_QUERY_ID_REF_NAME,
+              type: SAVED_QUERY_TYPE,
+            },
+            {
+              id: 'also-boo',
+              name: DATA_VIEW_ID_REF_NAME,
+              type: DATA_VIEW_SAVED_OBJECT_TYPE,
+            },
+          ],
+        },
+      });
+      mockRequest = {
+        user: {
+          username: 'username',
+        },
+        context: {
+          core: {
+            savedObjects: {
+              client: {
+                resolve: mockResolveSavedObject,
+              },
+            },
+          },
+        },
+      } as unknown as FrameworkRequest;
+
+      await resolveTimelineOrNull(mockRequest, '760d3d20-2142-11ec-a46f-051cb8e3154c');
+    });
+
+    test('the fields we track in references are converted to attributes when SO is requested', () => {
+      const { attributes } = convertSavedObjectToSavedTimelineMock.mock.calls[0][0];
+      expect(attributes.dataViewId).toEqual('also-boo');
+      expect(attributes.savedQueryId).toEqual('boo');
+    });
+  });
 });
diff --git a/x-pack/plugins/security_solution/server/lib/timeline/saved_object/timelines/pick_saved_timeline.test.ts b/x-pack/plugins/security_solution/server/lib/timeline/saved_object/timelines/pick_saved_timeline.test.ts
index 5aa7dd9c7ad46..39e05b267735d 100644
--- a/x-pack/plugins/security_solution/server/lib/timeline/saved_object/timelines/pick_saved_timeline.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/timeline/saved_object/timelines/pick_saved_timeline.test.ts
@@ -38,6 +38,7 @@ describe('pickSavedTimeline', () => {
       { columnHeaderType: 'not-filtered', id: 'destination.ip' },
       { columnHeaderType: 'not-filtered', id: 'user.name' },
     ],
+    dataViewId: 'security-solution',
     indexNames: [
       'auditbeat-*',
       'endgame-*',
diff --git a/x-pack/plugins/security_solution/server/lib/timeline/schemas/timelines/create_timelines_schema.ts b/x-pack/plugins/security_solution/server/lib/timeline/schemas/timelines/create_timelines_schema.ts
index 4cb21a27bacc8..bc959e512a471 100644
--- a/x-pack/plugins/security_solution/server/lib/timeline/schemas/timelines/create_timelines_schema.ts
+++ b/x-pack/plugins/security_solution/server/lib/timeline/schemas/timelines/create_timelines_schema.ts
@@ -27,3 +27,5 @@ export const createTimelineSchema = rt.intersection([
     version: unionWithNullType(rt.string),
   }),
 ]);
+
+export type CreateTimelineSchema = rt.TypeOf<typeof createTimelineSchema>;
diff --git a/x-pack/plugins/security_solution/server/mocks.ts b/x-pack/plugins/security_solution/server/mocks.ts
index cff68527af4b9..bc8183666c7f3 100644
--- a/x-pack/plugins/security_solution/server/mocks.ts
+++ b/x-pack/plugins/security_solution/server/mocks.ts
@@ -11,6 +11,7 @@ type AppClientMock = jest.Mocked<AppClient>;
 const createAppClientMock = (): AppClientMock =>
   ({
     getSignalsIndex: jest.fn(),
+    getSourcererDataViewId: jest.fn().mockReturnValue('security-solution'),
   } as unknown as AppClientMock);
 
 export const siemMock = {
diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts
index 307ccf4cfc977..facdbc8be8bec 100644
--- a/x-pack/plugins/security_solution/server/plugin.ts
+++ b/x-pack/plugins/security_solution/server/plugin.ts
@@ -245,7 +245,8 @@ export class Plugin implements ISecuritySolutionPlugin {
       ruleDataService,
       logger,
       ruleDataClient,
-      ruleOptions
+      ruleOptions,
+      core.getStartServices
     );
     registerEndpointRoutes(router, endpointContext);
     registerLimitedConcurrencyRoutes(core);
diff --git a/x-pack/plugins/security_solution/server/routes/index.ts b/x-pack/plugins/security_solution/server/routes/index.ts
index 20fbf44e77a48..dd66a4333ad15 100644
--- a/x-pack/plugins/security_solution/server/routes/index.ts
+++ b/x-pack/plugins/security_solution/server/routes/index.ts
@@ -5,6 +5,7 @@
  * 2.0.
  */
 
+import { StartServicesAccessor } from 'kibana/server';
 import { Logger } from 'src/core/server';
 import { IRuleDataClient, RuleDataPluginService } from '../../../rule_registry/server';
 
@@ -56,7 +57,7 @@ import { persistNoteRoute } from '../lib/timeline/routes/notes';
 
 import { persistPinnedEventRoute } from '../lib/timeline/routes/pinned_events';
 
-import { SetupPlugins } from '../plugin';
+import { SetupPlugins, StartPlugins } from '../plugin';
 import { ConfigType } from '../config';
 import { TelemetryEventsSender } from '../lib/telemetry/sender';
 import { installPrepackedTimelinesRoute } from '../lib/timeline/routes/prepackaged_timelines/install_prepackaged_timelines';
@@ -64,6 +65,7 @@ import { previewRulesRoute } from '../lib/detection_engine/routes/rules/preview_
 import { CreateRuleOptions } from '../lib/detection_engine/rule_types/types';
 // eslint-disable-next-line no-restricted-imports
 import { legacyCreateLegacyNotificationRoute } from '../lib/detection_engine/routes/rules/legacy_create_legacy_notification';
+import { createSourcererDataViewRoute } from '../lib/sourcerer/routes';
 import { createPreviewIndexRoute } from '../lib/detection_engine/routes/index/create_preview_index_route';
 
 export const initRoutes = (
@@ -76,7 +78,8 @@ export const initRoutes = (
   ruleDataService: RuleDataPluginService,
   logger: Logger,
   ruleDataClient: IRuleDataClient | null,
-  ruleOptions: CreateRuleOptions
+  ruleOptions: CreateRuleOptions,
+  getStartServices: StartServicesAccessor<StartPlugins>
 ) => {
   const isRuleRegistryEnabled = ruleDataClient != null;
   // Detection Engine Rule routes that have the REST endpoints of /api/detection_engine/rules
@@ -149,4 +152,7 @@ export const initRoutes = (
 
   // Privileges API to get the generic user privileges
   readPrivilegesRoute(router, hasEncryptionKey);
+
+  // Sourcerer API to generate default pattern
+  createSourcererDataViewRoute(router, getStartServices);
 };
diff --git a/x-pack/plugins/timelines/common/constants.ts b/x-pack/plugins/timelines/common/constants.ts
index 262ab841492e3..bc22c761c24e0 100644
--- a/x-pack/plugins/timelines/common/constants.ts
+++ b/x-pack/plugins/timelines/common/constants.ts
@@ -22,3 +22,5 @@ export const FILTER_ACKNOWLEDGED: AlertStatus = 'acknowledged';
 
 export const RAC_ALERTS_BULK_UPDATE_URL = '/internal/rac/alerts/bulk_update';
 export const DETECTION_ENGINE_SIGNALS_STATUS_URL = '/api/detection_engine/signals/status';
+
+export const DELETED_SECURITY_SOLUTION_DATA_VIEW = 'DELETED_SECURITY_SOLUTION_DATA_VIEW';
diff --git a/x-pack/plugins/timelines/common/index.ts b/x-pack/plugins/timelines/common/index.ts
index 2242a6951c750..004742c3ee3d4 100644
--- a/x-pack/plugins/timelines/common/index.ts
+++ b/x-pack/plugins/timelines/common/index.ts
@@ -8,6 +8,8 @@
 // TODO: https://github.com/elastic/kibana/issues/110904
 /* eslint-disable @kbn/eslint/no_export_all */
 
+export { DELETED_SECURITY_SOLUTION_DATA_VIEW } from './constants';
+
 export * from './types';
 export * from './search_strategy';
 export * from './utils/accessibility';
diff --git a/x-pack/plugins/timelines/common/search_strategy/index_fields/index.ts b/x-pack/plugins/timelines/common/search_strategy/index_fields/index.ts
index d207cf21fcb36..3579a45d2fcbb 100644
--- a/x-pack/plugins/timelines/common/search_strategy/index_fields/index.ts
+++ b/x-pack/plugins/timelines/common/search_strategy/index_fields/index.ts
@@ -5,13 +5,18 @@
  * 2.0.
  */
 
-import { IFieldSubType, IndexPatternBase } from '@kbn/es-query';
-import { IEsSearchRequest, IEsSearchResponse } from '../../../../../../src/plugins/data/common';
-import { DocValueFields, Maybe } from '../common';
+import type { IFieldSubType } from '@kbn/es-query';
+import type { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
+import type {
+  IEsSearchRequest,
+  IEsSearchResponse,
+} from '../../../../../../src/plugins/data/common';
+import type { DocValueFields, Maybe } from '../common';
+import { FieldSpec } from '../../../../../../src/plugins/data/common';
 
 export type BeatFieldsFactoryQueryType = 'beatFields';
 
-interface FieldInfo {
+export interface FieldInfo {
   category: string;
   description?: string;
   example?: string | number;
@@ -20,40 +25,37 @@ interface FieldInfo {
   type?: string;
 }
 
-export interface IndexField {
+export interface IndexField extends Omit<FieldSpec, 'format'> {
   /** Where the field belong */
   category: string;
   /** Example of field's value */
   example?: Maybe<string | number>;
   /** whether the field's belong to an alias index */
   indexes: Array<Maybe<string>>;
-  /** The name of the field */
-  name: string;
-  /** The type of the field's values as recognized by Kibana */
-  type: string;
-  /** Whether the field's values can be efficiently searched for */
-  searchable: boolean;
-  /** Whether the field's values can be aggregated */
-  aggregatable: boolean;
   /** Description of the field */
   description?: Maybe<string>;
   format?: Maybe<string>;
-  /** the elastic type as mapped in the index */
-  esTypes?: string[];
-  subType?: IFieldSubType;
-  readFromDocValues: boolean;
 }
 
 export type BeatFields = Record<string, FieldInfo>;
 
-export interface IndexFieldsStrategyRequest extends IEsSearchRequest {
+export interface IndexFieldsStrategyRequestByIndices extends IEsSearchRequest {
   indices: string[];
   onlyCheckIfIndicesExist: boolean;
 }
+export interface IndexFieldsStrategyRequestById extends IEsSearchRequest {
+  dataViewId: string;
+  onlyCheckIfIndicesExist: boolean;
+}
+
+export type IndexFieldsStrategyRequest<T extends 'indices' | 'dataView'> = T extends 'dataView'
+  ? IndexFieldsStrategyRequestById
+  : IndexFieldsStrategyRequestByIndices;
 
 export interface IndexFieldsStrategyResponse extends IEsSearchResponse {
   indexFields: IndexField[];
   indicesExist: string[];
+  runtimeMappings: MappingRuntimeFields;
 }
 
 export interface BrowserField {
@@ -68,13 +70,11 @@ export interface BrowserField {
   searchable: boolean;
   type: string;
   subType?: IFieldSubType;
+  readFromDocValues: boolean;
 }
 
 export type BrowserFields = Readonly<Record<string, Partial<BrowserField>>>;
 
 export const EMPTY_BROWSER_FIELDS = {};
 export const EMPTY_DOCVALUE_FIELD: DocValueFields[] = [];
-export const EMPTY_INDEX_PATTERN: IndexPatternBase = {
-  fields: [],
-  title: '',
-};
+export const EMPTY_INDEX_FIELDS: FieldSpec[] = [];
diff --git a/x-pack/plugins/timelines/common/search_strategy/timeline/events/all/index.ts b/x-pack/plugins/timelines/common/search_strategy/timeline/events/all/index.ts
index 4bb9928aa6b97..9ff370482ef08 100644
--- a/x-pack/plugins/timelines/common/search_strategy/timeline/events/all/index.ts
+++ b/x-pack/plugins/timelines/common/search_strategy/timeline/events/all/index.ts
@@ -7,6 +7,7 @@
 
 import { JsonObject } from '@kbn/utility-types';
 
+import { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import type { IEsSearchResponse } from '../../../../../../../../src/plugins/data/common';
 import type { Ecs } from '../../../../ecs';
 import type { CursorType, Inspect, Maybe, PaginationInputPaginated } from '../../../common';
@@ -38,9 +39,10 @@ export interface TimelineEventsAllStrategyResponse extends IEsSearchResponse {
 }
 
 export interface TimelineEventsAllRequestOptions extends TimelineRequestOptionsPaginated {
-  fields: string[] | Array<{ field: string; include_unmapped: boolean }>;
+  authFilter?: JsonObject;
+  excludeEcsData?: boolean;
   fieldRequested: string[];
+  fields: string[] | Array<{ field: string; include_unmapped: boolean }>;
   language: 'eql' | 'kuery' | 'lucene';
-  excludeEcsData?: boolean;
-  authFilter?: JsonObject;
+  runtimeMappings: MappingRuntimeFields;
 }
diff --git a/x-pack/plugins/timelines/common/search_strategy/timeline/events/last_event_time/index.ts b/x-pack/plugins/timelines/common/search_strategy/timeline/events/last_event_time/index.ts
index 9a2d884af948f..8673359d230b4 100644
--- a/x-pack/plugins/timelines/common/search_strategy/timeline/events/last_event_time/index.ts
+++ b/x-pack/plugins/timelines/common/search_strategy/timeline/events/last_event_time/index.ts
@@ -26,6 +26,7 @@ export interface TimelineEventsLastEventTimeStrategyResponse extends IEsSearchRe
   lastSeen: Maybe<string>;
   inspect?: Maybe<Inspect>;
 }
+export type TimelineKpiStrategyRequest = Omit<TimelineRequestBasicOptions, 'runtimeMappings'>;
 
 export interface TimelineKpiStrategyResponse extends IEsSearchResponse {
   destinationIpCount: number;
@@ -37,7 +38,7 @@ export interface TimelineKpiStrategyResponse extends IEsSearchResponse {
 }
 
 export interface TimelineEventsLastEventTimeRequestOptions
-  extends Omit<TimelineRequestBasicOptions, 'filterQuery' | 'timerange'> {
+  extends Omit<TimelineRequestBasicOptions, 'filterQuery' | 'timerange' | 'runtimeMappings'> {
   indexKey: LastEventIndexKey;
   details: LastTimeDetails;
 }
diff --git a/x-pack/plugins/timelines/common/search_strategy/timeline/index.ts b/x-pack/plugins/timelines/common/search_strategy/timeline/index.ts
index 7cf5b6b22d163..f576392910495 100644
--- a/x-pack/plugins/timelines/common/search_strategy/timeline/index.ts
+++ b/x-pack/plugins/timelines/common/search_strategy/timeline/index.ts
@@ -5,6 +5,7 @@
  * 2.0.
  */
 
+import { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { IEsSearchRequest } from '../../../../../../src/plugins/data/common';
 import { ESQuery } from '../../typed_json';
 import {
@@ -43,6 +44,7 @@ export interface TimelineRequestBasicOptions extends IEsSearchRequest {
   docValueFields?: DocValueFields[];
   factoryQueryType?: TimelineFactoryQueryTypes;
   entityType?: EntityType;
+  runtimeMappings: MappingRuntimeFields;
 }
 
 export interface TimelineRequestSortField<Field = string> extends SortField<Field> {
diff --git a/x-pack/plugins/timelines/public/components/t_grid/helpers.tsx b/x-pack/plugins/timelines/public/components/t_grid/helpers.tsx
index e2eb1d4d04547..617c166c37384 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/helpers.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/helpers.tsx
@@ -6,7 +6,7 @@
  */
 
 import type { Filter, EsQueryConfig, Query } from '@kbn/es-query';
-import { FilterStateStore } from '@kbn/es-query';
+import { DataViewBase, FilterStateStore } from '@kbn/es-query';
 import { isEmpty, get } from 'lodash/fp';
 import memoizeOne from 'memoize-one';
 import { ALERT_WORKFLOW_STATUS } from '@kbn/rule-data-utils';
@@ -17,7 +17,6 @@ import {
   handleSkipFocus,
   stopPropagationAndPreventDefault,
 } from '../../../common';
-import { IIndexPattern } from '../../../../../../src/plugins/data/public';
 import type { BrowserFields } from '../../../common/search_strategy/index_fields';
 import { DataProviderType, EXISTS_OPERATOR } from '../../../common/types/timeline';
 import type { DataProvider, DataProvidersAnd } from '../../../common/types/timeline';
@@ -138,7 +137,7 @@ export const buildGlobalQuery = (dataProviders: DataProvider[], browserFields: B
 interface CombineQueries {
   config: EsQueryConfig;
   dataProviders: DataProvider[];
-  indexPattern: IIndexPattern;
+  indexPattern: DataViewBase;
   browserFields: BrowserFields;
   filters: Filter[];
   kqlQuery: Query;
diff --git a/x-pack/plugins/timelines/public/components/t_grid/integrated/index.tsx b/x-pack/plugins/timelines/public/components/t_grid/integrated/index.tsx
index e363297d04be5..614857c26cbb1 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/integrated/index.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/integrated/index.tsx
@@ -14,6 +14,8 @@ import React, { useEffect, useMemo, useRef, useState } from 'react';
 import styled from 'styled-components';
 import { useDispatch } from 'react-redux';
 
+import { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
+import { DataViewBase, Filter, Query } from '@kbn/es-query';
 import { useKibana } from '../../../../../../../src/plugins/kibana_react/public';
 import { Direction, EntityType } from '../../../../common/search_strategy';
 import type { DocValueFields } from '../../../../common/search_strategy';
@@ -34,13 +36,7 @@ import type {
   RowRenderer,
   AlertStatus,
 } from '../../../../common/types/timeline';
-import {
-  esQuery,
-  Filter,
-  IIndexPattern,
-  Query,
-  DataPublicPluginStart,
-} from '../../../../../../../src/plugins/data/public';
+import { esQuery, DataPublicPluginStart } from '../../../../../../../src/plugins/data/public';
 import { useDeepEqualSelector } from '../../../hooks/use_selector';
 import { defaultHeaders } from '../body/column_headers/default_headers';
 import { buildCombinedQuery, getCombinedFilterQuery, resolverIsShowing } from '../helpers';
@@ -119,7 +115,7 @@ export interface TGridIntegratedProps {
   height?: number;
   id: TimelineId;
   indexNames: string[];
-  indexPattern: IIndexPattern;
+  indexPattern: DataViewBase;
   isLive: boolean;
   isLoadingIndexPattern: boolean;
   itemsPerPage: number;
@@ -130,6 +126,7 @@ export interface TGridIntegratedProps {
   query: Query;
   renderCellValue: (props: CellValueElementProps) => React.ReactNode;
   rowRenderers: RowRenderer[];
+  runtimeMappings: MappingRuntimeFields;
   setQuery: (inspect: InspectResponse, loading: boolean, refetch: Refetch) => void;
   sort: Sort[];
   start: string;
@@ -168,6 +165,7 @@ const TGridIntegratedComponent: React.FC<TGridIntegratedProps> = ({
   query,
   renderCellValue,
   rowRenderers,
+  runtimeMappings,
   setQuery,
   sort,
   start,
@@ -241,6 +239,7 @@ const TGridIntegratedComponent: React.FC<TGridIntegratedProps> = ({
       id,
       indexNames,
       limit: itemsPerPage,
+      runtimeMappings,
       skip: !canQueryTimeline,
       sort: sortField,
       startDate: start,
diff --git a/x-pack/plugins/timelines/public/components/t_grid/standalone/index.tsx b/x-pack/plugins/timelines/public/components/t_grid/standalone/index.tsx
index ae092d8634bb7..4ae8e1e191d80 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/standalone/index.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/standalone/index.tsx
@@ -9,6 +9,7 @@ import { isEmpty } from 'lodash/fp';
 import React, { useEffect, useMemo, useState, useRef } from 'react';
 import styled from 'styled-components';
 import { useDispatch, useSelector } from 'react-redux';
+import { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { useKibana } from '../../../../../../../src/plugins/kibana_react/public';
 import { Direction, EntityType } from '../../../../common/search_strategy';
 import type { CoreStart } from '../../../../../../../src/core/public';
@@ -107,6 +108,7 @@ export interface TGridStandaloneProps {
   onRuleChange?: () => void;
   renderCellValue: (props: CellValueElementProps) => React.ReactNode;
   rowRenderers: RowRenderer[];
+  runtimeMappings: MappingRuntimeFields;
   setRefetch: (ref: () => void) => void;
   start: string;
   sort: SortColumnTimeline[];
@@ -138,6 +140,7 @@ const TGridStandaloneComponent: React.FC<TGridStandaloneProps> = ({
   query,
   renderCellValue,
   rowRenderers,
+  runtimeMappings,
   setRefetch,
   start,
   sort,
@@ -221,6 +224,7 @@ const TGridStandaloneComponent: React.FC<TGridStandaloneProps> = ({
     id: STANDALONE_ID,
     indexNames,
     limit: itemsPerPageStore,
+    runtimeMappings,
     sort: sortField,
     startDate: start,
     endDate: end,
diff --git a/x-pack/plugins/timelines/public/components/utils/keury/index.ts b/x-pack/plugins/timelines/public/components/utils/keury/index.ts
index 3eb03cc63543e..776f5883a57d5 100644
--- a/x-pack/plugins/timelines/public/components/utils/keury/index.ts
+++ b/x-pack/plugins/timelines/public/components/utils/keury/index.ts
@@ -11,14 +11,14 @@ import {
   EsQueryConfig,
   Filter,
   fromKueryExpression,
-  IndexPatternBase,
+  DataViewBase,
   Query,
   toElasticsearchQuery,
 } from '@kbn/es-query';
 
 export const convertKueryToElasticSearchQuery = (
   kueryExpression: string,
-  indexPattern?: IndexPatternBase
+  indexPattern?: DataViewBase
 ) => {
   try {
     return kueryExpression
@@ -29,10 +29,7 @@ export const convertKueryToElasticSearchQuery = (
   }
 };
 
-export const convertKueryToDslFilter = (
-  kueryExpression: string,
-  indexPattern: IndexPatternBase
-) => {
+export const convertKueryToDslFilter = (kueryExpression: string, indexPattern: DataViewBase) => {
   try {
     return kueryExpression
       ? toElasticsearchQuery(fromKueryExpression(kueryExpression), indexPattern)
@@ -74,7 +71,7 @@ export const convertToBuildEsQuery = ({
   filters,
 }: {
   config: EsQueryConfig;
-  indexPattern: IndexPatternBase;
+  indexPattern: DataViewBase;
   queries: Query[];
   filters: Filter[];
 }) => {
diff --git a/x-pack/plugins/timelines/public/container/index.tsx b/x-pack/plugins/timelines/public/container/index.tsx
index 30245ea9f17af..fa27b8264a38e 100644
--- a/x-pack/plugins/timelines/public/container/index.tsx
+++ b/x-pack/plugins/timelines/public/container/index.tsx
@@ -11,6 +11,7 @@ import { isEmpty, isString, noop } from 'lodash/fp';
 import { useCallback, useEffect, useRef, useState } from 'react';
 import { useDispatch } from 'react-redux';
 import { Subscription } from 'rxjs';
+import { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { tGridActions } from '..';
 
 import {
@@ -69,22 +70,23 @@ type TimelineRequest<T extends KueryFilterQueryKind> = TimelineEventsAllRequestO
 type TimelineResponse<T extends KueryFilterQueryKind> = TimelineEventsAllStrategyResponse;
 
 export interface UseTimelineEventsProps {
+  alertConsumers?: AlertConsumers[];
+  data?: DataPublicPluginStart;
   docValueFields?: DocValueFields[];
-  filterQuery?: ESQuery | string;
-  skip?: boolean;
   endDate: string;
   entityType: EntityType;
   excludeEcsData?: boolean;
-  id: string;
   fields: string[];
+  filterQuery?: ESQuery | string;
+  id: string;
   indexNames: string[];
   language?: KueryFilterQueryKind;
   limit: number;
+  runtimeMappings: MappingRuntimeFields;
+  skip?: boolean;
   sort?: TimelineRequestSortField[];
   startDate: string;
   timerangeKind?: 'absolute' | 'relative';
-  data?: DataPublicPluginStart;
-  alertConsumers?: AlertConsumers[];
 }
 
 const createFilter = (filterQuery: ESQuery | string | undefined) =>
@@ -125,6 +127,7 @@ export const useTimelineEvents = ({
   startDate,
   language = 'kuery',
   limit,
+  runtimeMappings,
   sort = initSortDefault,
   skip = false,
   timerangeKind,
@@ -267,6 +270,7 @@ export const useTimelineEvents = ({
         querySize: prevRequest?.pagination.querySize ?? 0,
         sort: prevRequest?.sort ?? initSortDefault,
         timerange: prevRequest?.timerange ?? {},
+        runtimeMappings: prevRequest?.runtimeMappings ?? {},
       };
 
       const currentSearchParameters = {
@@ -299,6 +303,7 @@ export const useTimelineEvents = ({
           querySize: limit,
         },
         language,
+        runtimeMappings,
         sort,
         timerange: {
           interval: '12h',
@@ -330,6 +335,7 @@ export const useTimelineEvents = ({
     startDate,
     sort,
     fields,
+    runtimeMappings,
   ]);
 
   useEffect(() => {
diff --git a/x-pack/plugins/timelines/public/container/source/index.tsx b/x-pack/plugins/timelines/public/container/source/index.tsx
index 1948da0974438..f66eedb94f881 100644
--- a/x-pack/plugins/timelines/public/container/source/index.tsx
+++ b/x-pack/plugins/timelines/public/container/source/index.tsx
@@ -10,6 +10,7 @@ import { isEmpty, isEqual, pick } from 'lodash/fp';
 import { Subscription } from 'rxjs/internal/Subscription';
 
 import memoizeOne from 'memoize-one';
+import { DataViewBase } from '@kbn/es-query';
 import {
   BrowserField,
   BrowserFields,
@@ -21,7 +22,6 @@ import {
 import * as i18n from './translations';
 
 import {
-  IIndexPattern,
   DataPublicPluginStart,
   isCompleteResponse,
   isErrorResponse,
@@ -37,7 +37,7 @@ interface FetchIndexReturn {
   docValueFields: DocValueFields[];
   indexes: string[];
   indexExists: boolean;
-  indexPatterns: IIndexPattern;
+  indexPatterns: DataViewBase;
 }
 
 /**
@@ -90,7 +90,7 @@ export const getDocValueFields = memoizeOne(
 );
 
 export const getIndexFields = memoizeOne(
-  (title: string, fields: IndexField[]): IIndexPattern =>
+  (title: string, fields: IndexField[]): DataViewBase =>
     fields && fields.length > 0
       ? {
           fields: fields.map((field) =>
@@ -127,7 +127,7 @@ export const useFetchIndex = (
         abortCtrl.current = new AbortController();
         setLoading(true);
         searchSubscription$.current = data.search
-          .search<IndexFieldsStrategyRequest, IndexFieldsStrategyResponse>(
+          .search<IndexFieldsStrategyRequest<'indices'>, IndexFieldsStrategyResponse>(
             { indices: iNames, onlyCheckIfIndicesExist },
             {
               abortSignal: abortCtrl.current.signal,
diff --git a/x-pack/plugins/timelines/public/mock/browser_fields.ts b/x-pack/plugins/timelines/public/mock/browser_fields.ts
index 6ab06e1be018a..dd7d211058bad 100644
--- a/x-pack/plugins/timelines/public/mock/browser_fields.ts
+++ b/x-pack/plugins/timelines/public/mock/browser_fields.ts
@@ -5,6 +5,7 @@
  * 2.0.
  */
 
+import { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import type { DocValueFields } from '../../common/search_strategy';
 import type { BrowserFields } from '../../common/search_strategy/index_fields';
 
@@ -736,3 +737,12 @@ export const mockDocValueFields: DocValueFields[] = [
     format: 'date_time',
   },
 ];
+
+export const mockRuntimeMappings: MappingRuntimeFields = {
+  '@a.runtime.field': {
+    script: {
+      source: 'emit("Radical dude: " + doc[\'host.name\'].value)',
+    },
+    type: 'keyword',
+  },
+};
diff --git a/x-pack/plugins/timelines/public/mock/global_state.ts b/x-pack/plugins/timelines/public/mock/global_state.ts
index f83110eeb3135..8bdd190cc8519 100644
--- a/x-pack/plugins/timelines/public/mock/global_state.ts
+++ b/x-pack/plugins/timelines/public/mock/global_state.ts
@@ -18,6 +18,7 @@ export const mockGlobalState: TimelineState = {
         end: '2020-07-08T08:20:18.966Z',
       },
       dataProviders: [],
+      dataViewId: '',
       deletedEventIds: [],
       excludedRowRendererIds: [],
       expandedDetail: {},
diff --git a/x-pack/plugins/timelines/public/mock/index_pattern.ts b/x-pack/plugins/timelines/public/mock/index_pattern.ts
index 361dbf71bd6f4..893ed1e889925 100644
--- a/x-pack/plugins/timelines/public/mock/index_pattern.ts
+++ b/x-pack/plugins/timelines/public/mock/index_pattern.ts
@@ -5,105 +5,73 @@
  * 2.0.
  */
 
-import { IIndexPattern } from '../../../../../src/plugins/data/public';
+import { DataViewBase } from '@kbn/es-query';
 
-export const mockIndexPattern: IIndexPattern = {
+export const mockIndexPattern: DataViewBase = {
   fields: [
     {
       name: '@timestamp',
-      searchable: true,
       type: 'date',
-      aggregatable: true,
     },
     {
       name: '@version',
-      searchable: true,
       type: 'string',
-      aggregatable: true,
     },
     {
       name: 'agent.ephemeral_id',
-      searchable: true,
       type: 'string',
-      aggregatable: true,
     },
     {
       name: 'agent.hostname',
-      searchable: true,
       type: 'string',
-      aggregatable: true,
     },
     {
       name: 'agent.id',
-      searchable: true,
       type: 'string',
-      aggregatable: true,
     },
     {
       name: 'agent.test1',
-      searchable: true,
       type: 'string',
-      aggregatable: true,
     },
     {
       name: 'agent.test2',
-      searchable: true,
       type: 'string',
-      aggregatable: true,
     },
     {
       name: 'agent.test3',
-      searchable: true,
       type: 'string',
-      aggregatable: true,
     },
     {
       name: 'agent.test4',
-      searchable: true,
       type: 'string',
-      aggregatable: true,
     },
     {
       name: 'agent.test5',
-      searchable: true,
       type: 'string',
-      aggregatable: true,
     },
     {
       name: 'agent.test6',
-      searchable: true,
       type: 'string',
-      aggregatable: true,
     },
     {
       name: 'agent.test7',
-      searchable: true,
       type: 'string',
-      aggregatable: true,
     },
     {
       name: 'agent.test8',
-      searchable: true,
       type: 'string',
-      aggregatable: true,
     },
     {
       name: 'host.name',
-      searchable: true,
       type: 'string',
-      aggregatable: true,
     },
     {
       name: 'nestedField.firstAttributes',
-      searchable: true,
       type: 'string',
-      aggregatable: false,
     },
     {
       name: 'nestedField.secondAttributes',
-      searchable: true,
       type: 'string',
-      aggregatable: false,
     },
   ],
   title: 'filebeat-*,auditbeat-*,packetbeat-*',
diff --git a/x-pack/plugins/timelines/public/mock/mock_timeline_data.ts b/x-pack/plugins/timelines/public/mock/mock_timeline_data.ts
index c6f13f83812c5..e24d9d5c45768 100644
--- a/x-pack/plugins/timelines/public/mock/mock_timeline_data.ts
+++ b/x-pack/plugins/timelines/public/mock/mock_timeline_data.ts
@@ -1549,6 +1549,7 @@ export const mockTgridModel: TGridModel = {
     },
   ],
   dataProviders: [],
+  dataViewId: '',
   defaultColumns: [],
   queryFields: [],
   dateRange: {
diff --git a/x-pack/plugins/timelines/public/mock/t_grid.tsx b/x-pack/plugins/timelines/public/mock/t_grid.tsx
index 3ae1a1d53c207..c79d0f406ec62 100644
--- a/x-pack/plugins/timelines/public/mock/t_grid.tsx
+++ b/x-pack/plugins/timelines/public/mock/t_grid.tsx
@@ -8,7 +8,7 @@
 import React from 'react';
 import { ALERT_START, ALERT_STATUS } from '@kbn/rule-data-utils';
 import { TGridIntegratedProps } from '../components/t_grid/integrated';
-import { mockBrowserFields, mockDocValueFields } from './browser_fields';
+import { mockBrowserFields, mockDocValueFields, mockRuntimeMappings } from './browser_fields';
 import { mockDataProviders } from './mock_data_providers';
 import { mockTimelineData } from './mock_timeline_data';
 import { ColumnHeaderOptions, TimelineId } from '../../common';
@@ -114,6 +114,7 @@ export const tGridIntegratedProps: TGridIntegratedProps = {
   },
   renderCellValue: () => null,
   rowRenderers: [],
+  runtimeMappings: mockRuntimeMappings,
   setQuery: () => null,
   sort: [
     {
diff --git a/x-pack/plugins/timelines/public/store/t_grid/defaults.ts b/x-pack/plugins/timelines/public/store/t_grid/defaults.ts
index efb8a8c9b3b72..87a129afbd499 100644
--- a/x-pack/plugins/timelines/public/store/t_grid/defaults.ts
+++ b/x-pack/plugins/timelines/public/store/t_grid/defaults.ts
@@ -63,6 +63,7 @@ export const defaultHeaders: ColumnHeaderOptions[] = [
 export const tGridDefaults: SubsetTGridModel = {
   columns: defaultHeaders,
   defaultColumns: defaultHeaders,
+  dataViewId: '',
   dateRange: { start: '', end: '' },
   deletedEventIds: [],
   excludedRowRendererIds: [],
diff --git a/x-pack/plugins/timelines/public/store/t_grid/model.ts b/x-pack/plugins/timelines/public/store/t_grid/model.ts
index dc6945d3fe3ad..739bcbef3e20c 100644
--- a/x-pack/plugins/timelines/public/store/t_grid/model.ts
+++ b/x-pack/plugins/timelines/public/store/t_grid/model.ts
@@ -48,6 +48,8 @@ export interface TGridModel extends TGridModelSettings {
     start: string;
     end: string;
   };
+  /** Kibana data view id **/
+  dataViewId: string;
   /** Events to not be rendered **/
   deletedEventIds: string[];
   /** This holds the view information for the flyout when viewing timeline in a consuming view (i.e. hosts page) or the side panel in the primary timeline view */
@@ -91,6 +93,7 @@ export type TGridModelForTimeline = Pick<
   | 'defaultColumns'
   | 'dataProviders'
   | 'dateRange'
+  | 'dataViewId'
   | 'deletedEventIds'
   | 'documentType'
   | 'excludedRowRendererIds'
@@ -124,6 +127,7 @@ export type SubsetTGridModel = Readonly<
     TGridModel,
     | 'columns'
     | 'defaultColumns'
+    | 'dataViewId'
     | 'dateRange'
     | 'deletedEventIds'
     | 'excludedRowRendererIds'
diff --git a/x-pack/plugins/timelines/server/plugin.ts b/x-pack/plugins/timelines/server/plugin.ts
index 79d35e53fada1..1b9cadafde27e 100644
--- a/x-pack/plugins/timelines/server/plugin.ts
+++ b/x-pack/plugins/timelines/server/plugin.ts
@@ -35,6 +35,7 @@ export class TimelinesPlugin
     // Register server side APIs
     defineRoutes(router);
 
+    const IndexFields = indexFieldsProvider(core.getStartServices);
     // Register search strategy
     core.getStartServices().then(([_, depsStart]) => {
       const TimelineSearchStrategy = timelineSearchStrategyProvider(
@@ -42,7 +43,6 @@ export class TimelinesPlugin
         depsStart.alerting
       );
       const TimelineEqlSearchStrategy = timelineEqlSearchStrategyProvider(depsStart.data);
-      const IndexFields = indexFieldsProvider();
 
       plugins.data.search.registerSearchStrategy('indexFields', IndexFields);
       plugins.data.search.registerSearchStrategy('timelineSearchStrategy', TimelineSearchStrategy);
diff --git a/x-pack/plugins/timelines/server/search_strategy/index_fields/index.test.ts b/x-pack/plugins/timelines/server/search_strategy/index_fields/index.test.ts
index e8df6200351ea..be5bff2e30ddf 100644
--- a/x-pack/plugins/timelines/server/search_strategy/index_fields/index.test.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/index_fields/index.test.ts
@@ -795,19 +795,56 @@ describe('Fields Provider', () => {
   describe('search', () => {
     const getFieldsForWildcardMock = jest.fn();
     const esClientSearchMock = jest.fn();
+    const esClientFieldCapsMock = jest.fn();
+    const mockPattern = {
+      title: 'coolbro',
+      fields: {
+        toSpec: () => ({
+          coolio: {
+            name: 'nameio',
+            type: 'typeio',
+            searchable: true,
+            aggregatable: true,
+          },
+        }),
+      },
+      toSpec: () => ({
+        runtimeFieldMap: { runtimeField: { type: 'keyword' } },
+      }),
+    };
+    const getStartServices = jest.fn().mockReturnValue([
+      null,
+      {
+        data: {
+          indexPatterns: {
+            indexPatternsServiceFactory: () => ({
+              get: jest.fn().mockReturnValue(mockPattern),
+            }),
+          },
+        },
+      },
+    ]);
 
     const deps = {
-      esClient: { asCurrentUser: { search: esClientSearchMock } },
+      esClient: { asCurrentUser: { search: esClientSearchMock, fieldCaps: esClientFieldCapsMock } },
     } as unknown as SearchStrategyDependencies;
 
     beforeAll(() => {
       getFieldsForWildcardMock.mockResolvedValue([]);
+
+      esClientSearchMock.mockResolvedValue({
+        body: { hits: { total: { value: 123 } } },
+      });
+      esClientFieldCapsMock.mockResolvedValue({
+        body: { indices: ['value'] },
+      });
       IndexPatternsFetcher.prototype.getFieldsForWildcard = getFieldsForWildcardMock;
     });
 
     beforeEach(() => {
       getFieldsForWildcardMock.mockClear();
       esClientSearchMock.mockClear();
+      esClientFieldCapsMock.mockClear();
     });
 
     afterAll(() => {
@@ -821,10 +858,7 @@ describe('Fields Provider', () => {
         onlyCheckIfIndicesExist: true,
       };
 
-      const response = await requestIndexFieldSearch(request, deps, beatFields);
-
-      expect(getFieldsForWildcardMock).toHaveBeenCalledWith({ pattern: indices[0] });
-
+      const response = await requestIndexFieldSearch(request, deps, beatFields, getStartServices);
       expect(response.indexFields).toHaveLength(0);
       expect(response.indicesExist).toEqual(indices);
     });
@@ -836,7 +870,7 @@ describe('Fields Provider', () => {
         onlyCheckIfIndicesExist: false,
       };
 
-      const response = await requestIndexFieldSearch(request, deps, beatFields);
+      const response = await requestIndexFieldSearch(request, deps, beatFields, getStartServices);
 
       expect(getFieldsForWildcardMock).toHaveBeenCalledWith({ pattern: indices[0] });
 
@@ -844,6 +878,34 @@ describe('Fields Provider', () => {
       expect(response.indicesExist).toEqual(indices);
     });
 
+    it('should search index fields by data view id', async () => {
+      const dataViewId = 'id';
+      const request = {
+        dataViewId,
+        onlyCheckIfIndicesExist: false,
+      };
+
+      const response = await requestIndexFieldSearch(request, deps, beatFields, getStartServices);
+
+      expect(getFieldsForWildcardMock).not.toHaveBeenCalled();
+
+      expect(response.indexFields).not.toHaveLength(0);
+      expect(response.indicesExist).toEqual(['coolbro']);
+    });
+
+    it('onlyCheckIfIndicesExist by data view id', async () => {
+      const dataViewId = 'id';
+      const request = {
+        dataViewId,
+        onlyCheckIfIndicesExist: true,
+      };
+
+      const response = await requestIndexFieldSearch(request, deps, beatFields, getStartServices);
+
+      expect(response.indexFields).toHaveLength(0);
+      expect(response.indicesExist).toEqual(['coolbro']);
+    });
+
     it('should search apm index fields', async () => {
       const indices = ['apm-*-transaction*', 'traces-apm*'];
       const request = {
@@ -851,11 +913,9 @@ describe('Fields Provider', () => {
         onlyCheckIfIndicesExist: false,
       };
 
-      const response = await requestIndexFieldSearch(request, deps, beatFields);
+      const response = await requestIndexFieldSearch(request, deps, beatFields, getStartServices);
 
       expect(getFieldsForWildcardMock).toHaveBeenCalledWith({ pattern: indices[0] });
-      expect(esClientSearchMock).not.toHaveBeenCalled();
-
       expect(response.indexFields).not.toHaveLength(0);
       expect(response.indicesExist).toEqual(indices);
     });
@@ -870,7 +930,7 @@ describe('Fields Provider', () => {
       esClientSearchMock.mockResolvedValue({
         body: { hits: { total: { value: 1 } } },
       });
-      const response = await requestIndexFieldSearch(request, deps, beatFields);
+      const response = await requestIndexFieldSearch(request, deps, beatFields, getStartServices);
 
       expect(esClientSearchMock).toHaveBeenCalledWith({
         index: indices[0],
@@ -897,7 +957,7 @@ describe('Fields Provider', () => {
         body: { hits: { total: { value: 0 } } },
       });
 
-      const response = await requestIndexFieldSearch(request, deps, beatFields);
+      const response = await requestIndexFieldSearch(request, deps, beatFields, getStartServices);
 
       expect(esClientSearchMock).toHaveBeenCalledWith({
         index: indices[0],
diff --git a/x-pack/plugins/timelines/server/search_strategy/index_fields/index.ts b/x-pack/plugins/timelines/server/search_strategy/index_fields/index.ts
index 8670b709494f0..2427ec8bb6071 100644
--- a/x-pack/plugins/timelines/server/search_strategy/index_fields/index.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/index_fields/index.ts
@@ -8,11 +8,11 @@
 import { from } from 'rxjs';
 import isEmpty from 'lodash/isEmpty';
 import get from 'lodash/get';
+import { ElasticsearchClient, StartServicesAccessor } from 'kibana/server';
 import {
   IndexPatternsFetcher,
   ISearchStrategy,
   SearchStrategyDependencies,
-  FieldDescriptor,
 } from '../../../../../../src/plugins/data/server';
 
 // TODO cleanup path
@@ -21,13 +21,18 @@ import {
   IndexField,
   IndexFieldsStrategyRequest,
   BeatFields,
-} from '../../../common/search_strategy/index_fields';
+  DELETED_SECURITY_SOLUTION_DATA_VIEW,
+} from '../../../common';
+import { StartPlugins } from '../../types';
+import { FieldSpec } from '../../../../../../src/plugins/data_views/common';
 
 const apmIndexPattern = 'apm-*-transaction*';
 const apmDataStreamsPattern = 'traces-apm*';
 
-export const indexFieldsProvider = (): ISearchStrategy<
-  IndexFieldsStrategyRequest,
+export const indexFieldsProvider = (
+  getStartServices: StartServicesAccessor<StartPlugins>
+): ISearchStrategy<
+  IndexFieldsStrategyRequest<'indices' | 'dataView'>,
   IndexFieldsStrategyResponse
 > => {
   // require the fields once we actually need them, rather than ahead of time, and pass
@@ -36,61 +41,118 @@ export const indexFieldsProvider = (): ISearchStrategy<
   const beatFields: BeatFields = require('../../utils/beat_schema/fields').fieldsBeat;
 
   return {
-    search: (request, options, deps) => from(requestIndexFieldSearch(request, deps, beatFields)),
+    search: (request, options, deps) =>
+      from(requestIndexFieldSearch(request, deps, beatFields, getStartServices)),
   };
 };
 
-export const requestIndexFieldSearch = async (
-  request: IndexFieldsStrategyRequest,
-  { esClient }: SearchStrategyDependencies,
-  beatFields: BeatFields
-): Promise<IndexFieldsStrategyResponse> => {
-  const indexPatternsFetcherAsCurrentUser = new IndexPatternsFetcher(esClient.asCurrentUser);
-  const indexPatternsFetcherAsInternalUser = new IndexPatternsFetcher(esClient.asInternalUser);
-
-  const dedupeIndices = dedupeIndexName(request.indices);
-
-  const responsesIndexFields = await Promise.all(
-    dedupeIndices
+export const findExistingIndices = async (
+  indices: string[],
+  esClient: ElasticsearchClient
+): Promise<boolean[]> =>
+  Promise.all(
+    indices
       .map(async (index) => {
-        if (
-          request.onlyCheckIfIndicesExist &&
-          (index.includes(apmIndexPattern) || index.includes(apmDataStreamsPattern))
-        ) {
-          // for apm index pattern check also if there's data https://github.com/elastic/kibana/issues/90661
-          const searchResponse = await esClient.asCurrentUser.search({
+        if ([apmIndexPattern, apmDataStreamsPattern].includes(index)) {
+          const searchResponse = await esClient.search({
             index,
             body: { query: { match_all: {} }, size: 0 },
           });
           return get(searchResponse, 'body.hits.total.value', 0) > 0;
-        } else {
-          if (index.startsWith('.alerts-observability')) {
-            return indexPatternsFetcherAsInternalUser.getFieldsForWildcard({
-              pattern: index,
-            });
-          } else {
-            return indexPatternsFetcherAsCurrentUser.getFieldsForWildcard({
-              pattern: index,
-            });
-          }
         }
+        const searchResponse = await esClient.fieldCaps({
+          index,
+          fields: '_id',
+          ignore_unavailable: true,
+          allow_no_indices: false,
+        });
+        return searchResponse.body.indices.length > 0;
       })
       .map((p) => p.catch((e) => false))
   );
 
+export const requestIndexFieldSearch = async (
+  request: IndexFieldsStrategyRequest<'indices' | 'dataView'>,
+  { savedObjectsClient, esClient }: SearchStrategyDependencies,
+  beatFields: BeatFields,
+  getStartServices: StartServicesAccessor<StartPlugins>
+): Promise<IndexFieldsStrategyResponse> => {
+  const indexPatternsFetcherAsCurrentUser = new IndexPatternsFetcher(esClient.asCurrentUser);
+  const indexPatternsFetcherAsInternalUser = new IndexPatternsFetcher(esClient.asInternalUser);
+  if ('dataViewId' in request && 'indices' in request) {
+    throw new Error('Provide index field search with either `dataViewId` or `indices`, not both');
+  }
+  const [
+    ,
+    {
+      data: { indexPatterns },
+    },
+  ] = await getStartServices();
+  const dataViewService = await indexPatterns.indexPatternsServiceFactory(
+    savedObjectsClient,
+    esClient.asCurrentUser
+  );
+
+  let indicesExist: string[] = [];
   let indexFields: IndexField[] = [];
+  let runtimeMappings = {};
 
-  if (!request.onlyCheckIfIndicesExist) {
-    indexFields = await formatIndexFields(
-      beatFields,
-      responsesIndexFields.filter((rif) => rif !== false) as FieldDescriptor[][],
-      dedupeIndices
+  // if dataViewId is provided, get fields and indices from the Kibana Data View
+  if ('dataViewId' in request) {
+    let dataView;
+    try {
+      dataView = await dataViewService.get(request.dataViewId);
+    } catch (r) {
+      if (
+        r.output.payload.statusCode === 404 &&
+        // this is the only place this id is hard coded as there are no security_solution dependencies in timeline
+        // needs to match value in DEFAULT_DATA_VIEW_ID security_solution/common/constants.ts
+        r.output.payload.message.indexOf('security-solution') > -1
+      ) {
+        throw new Error(DELETED_SECURITY_SOLUTION_DATA_VIEW);
+      } else {
+        throw r;
+      }
+    }
+
+    const patternList = dataView.title.split(',');
+    indicesExist = (await findExistingIndices(patternList, esClient.asCurrentUser)).reduce(
+      (acc: string[], doesIndexExist, i) => (doesIndexExist ? [...acc, patternList[i]] : acc),
+      []
+    );
+    if (!request.onlyCheckIfIndicesExist) {
+      const dataViewSpec = dataView.toSpec();
+      const fieldDescriptor = [Object.values(dataViewSpec.fields ?? {})];
+      runtimeMappings = dataViewSpec.runtimeFieldMap ?? {};
+      indexFields = await formatIndexFields(beatFields, fieldDescriptor, patternList);
+    }
+  } else if ('indices' in request) {
+    const patternList = dedupeIndexName(request.indices);
+    indicesExist = (await findExistingIndices(patternList, esClient.asCurrentUser)).reduce(
+      (acc: string[], doesIndexExist, i) => (doesIndexExist ? [...acc, patternList[i]] : acc),
+      []
     );
+    if (!request.onlyCheckIfIndicesExist) {
+      const fieldDescriptor = await Promise.all(
+        indicesExist.map(async (index, n) => {
+          if (index.startsWith('.alerts-observability')) {
+            return indexPatternsFetcherAsInternalUser.getFieldsForWildcard({
+              pattern: index,
+            });
+          }
+          return indexPatternsFetcherAsCurrentUser.getFieldsForWildcard({
+            pattern: index,
+          });
+        })
+      );
+      indexFields = await formatIndexFields(beatFields, fieldDescriptor, patternList);
+    }
   }
 
   return {
     indexFields,
-    indicesExist: dedupeIndices.filter((index, i) => responsesIndexFields[i] !== false),
+    runtimeMappings,
+    indicesExist,
     rawResponse: {
       timed_out: false,
       took: -1,
@@ -125,7 +187,7 @@ export const dedupeIndexName = (indices: string[]) =>
     return acc;
   }, []);
 
-const missingFields: FieldDescriptor[] = [
+const missingFields: FieldSpec[] = [
   {
     name: '_id',
     type: 'string',
@@ -158,7 +220,7 @@ const missingFields: FieldDescriptor[] = [
 export const createFieldItem = (
   beatFields: BeatFields,
   indexesAlias: string[],
-  index: FieldDescriptor,
+  index: FieldSpec,
   indexesAliasIdx: number
 ): IndexField => {
   const alias = indexesAlias[indexesAliasIdx];
@@ -174,6 +236,9 @@ export const createFieldItem = (
   return {
     ...beatIndex,
     ...index,
+    // the format type on FieldSpec is SerializedFieldFormat
+    // and is a string on beatIndex
+    format: index.format?.id ?? beatIndex.format,
     indexes: [alias],
   };
 };
@@ -188,24 +253,24 @@ export const createFieldItem = (
  * This intentionally waits for the next tick on the event loop to process as the large 4.7 megs
  * has already consumed a lot of the event loop processing up to this function and we want to give
  * I/O opportunity to occur by scheduling this on the next loop.
- * @param responsesIndexFields The response index fields to loop over
+ * @param responsesFieldSpec The response index fields to loop over
  * @param indexesAlias The index aliases such as filebeat-*
  */
 export const formatFirstFields = async (
   beatFields: BeatFields,
-  responsesIndexFields: FieldDescriptor[][],
+  responsesFieldSpec: FieldSpec[][],
   indexesAlias: string[]
 ): Promise<IndexField[]> => {
   return new Promise((resolve) => {
     setTimeout(() => {
       resolve(
-        responsesIndexFields.reduce(
-          (accumulator: IndexField[], indexFields: FieldDescriptor[], indexesAliasIdx: number) => {
+        responsesFieldSpec.reduce(
+          (accumulator: IndexField[], fieldSpec: FieldSpec[], indexesAliasIdx: number) => {
             missingFields.forEach((index) => {
               const item = createFieldItem(beatFields, indexesAlias, index, indexesAliasIdx);
               accumulator.push(item);
             });
-            indexFields.forEach((index) => {
+            fieldSpec.forEach((index) => {
               const item = createFieldItem(beatFields, indexesAlias, index, indexesAliasIdx);
               accumulator.push(item);
             });
@@ -262,15 +327,15 @@ export const formatSecondFields = async (fields: IndexField[]): Promise<IndexFie
  * NOTE: This will have array sizes up to 4.7 megs in size at a time when being called.
  * This function should be as optimized as possible and should avoid any and all creation
  * of new arrays, iterating over the arrays or performing any n^2 operations.
- * @param responsesIndexFields  The response index fields to format
+ * @param responsesFieldSpec  The response index fields to format
  * @param indexesAlias The index alias
  */
 export const formatIndexFields = async (
   beatFields: BeatFields,
-  responsesIndexFields: FieldDescriptor[][],
+  responsesFieldSpec: FieldSpec[][],
   indexesAlias: string[]
 ): Promise<IndexField[]> => {
-  const fields = await formatFirstFields(beatFields, responsesIndexFields, indexesAlias);
+  const fields = await formatFirstFields(beatFields, responsesFieldSpec, indexesAlias);
   const secondFields = await formatSecondFields(fields);
   return secondFields;
 };
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/eql/helpers.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/eql/helpers.test.ts
index 5e56af40aebae..1b58e63ec8752 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/eql/helpers.test.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/eql/helpers.test.ts
@@ -5,30 +5,33 @@
  * 2.0.
  */
 
-import { Direction } from '../../../../common/search_strategy';
+import { Direction, TimelineEqlRequestOptions } from '../../../../common/search_strategy';
 import { buildEqlDsl, parseEqlResponse } from './helpers';
 import { eventsResponse, sequenceResponse } from './__mocks__';
-
+const defaultArgs = {
+  defaultIndex: ['logs-endpoint.events*'],
+  docValueFields: [],
+  runtimeMappings: {},
+  fieldRequested: [
+    '@timestamp',
+    'message',
+    'event.category',
+    'event.action',
+    'host.name',
+    'source.ip',
+    'destination.ip',
+  ],
+  fields: [],
+  filterQuery: 'sequence by host.name↵[any where true]↵[any where true]↵[any where true]',
+  id: 'FkgzdTM3YXEtUmN1cVI3VS1wZ1lrdkEgVW1GSWZEX2lRZmVwQmw2c1V5RWsyZzoyMzA1MjAzMDM=',
+  language: 'eql' as TimelineEqlRequestOptions['language'],
+};
 describe('Search Strategy EQL helper', () => {
   describe('#buildEqlDsl', () => {
     it('happy path with no options', () => {
       expect(
         buildEqlDsl({
-          defaultIndex: ['logs-endpoint.events*'],
-          docValueFields: [],
-          fieldRequested: [
-            '@timestamp',
-            'message',
-            'event.category',
-            'event.action',
-            'host.name',
-            'source.ip',
-            'destination.ip',
-          ],
-          fields: [],
-          filterQuery: 'sequence by host.name↵[any where true]↵[any where true]↵[any where true]',
-          id: 'FkgzdTM3YXEtUmN1cVI3VS1wZ1lrdkEgVW1GSWZEX2lRZmVwQmw2c1V5RWsyZzoyMzA1MjAzMDM=',
-          language: 'eql',
+          ...defaultArgs,
           pagination: { activePage: 0, querySize: 25 },
           sort: [
             {
@@ -78,21 +81,7 @@ describe('Search Strategy EQL helper', () => {
     it('happy path with EQL options', () => {
       expect(
         buildEqlDsl({
-          defaultIndex: ['logs-endpoint.events*'],
-          docValueFields: [],
-          fieldRequested: [
-            '@timestamp',
-            'message',
-            'event.category',
-            'event.action',
-            'host.name',
-            'source.ip',
-            'destination.ip',
-          ],
-          fields: [],
-          filterQuery: 'sequence by host.name↵[any where true]↵[any where true]↵[any where true]',
-          id: 'FkgzdTM3YXEtUmN1cVI3VS1wZ1lrdkEgVW1GSWZEX2lRZmVwQmw2c1V5RWsyZzoyMzA1MjAzMDM=',
-          language: 'eql',
+          ...defaultArgs,
           pagination: { activePage: 1, querySize: 2 },
           sort: [
             {
@@ -148,21 +137,7 @@ describe('Search Strategy EQL helper', () => {
     it('format events', async () => {
       const result = await parseEqlResponse(
         {
-          defaultIndex: ['logs-endpoint.events*'],
-          docValueFields: [],
-          fieldRequested: [
-            '@timestamp',
-            'message',
-            'event.category',
-            'event.action',
-            'host.name',
-            'source.ip',
-            'destination.ip',
-          ],
-          fields: [],
-          filterQuery: 'sequence by host.name↵[any where true]↵[any where true]↵[any where true]',
-          id: 'FkgzdTM3YXEtUmN1cVI3VS1wZ1lrdkEgVW1GSWZEX2lRZmVwQmw2c1V5RWsyZzoyMzA1MjAzMDM=',
-          language: 'eql',
+          ...defaultArgs,
           pagination: { activePage: 0, querySize: 2 },
           sort: [
             {
@@ -439,21 +414,7 @@ describe('Search Strategy EQL helper', () => {
     it('sequence events', async () => {
       const result = await parseEqlResponse(
         {
-          defaultIndex: ['logs-endpoint.events*'],
-          docValueFields: [],
-          fieldRequested: [
-            '@timestamp',
-            'message',
-            'event.category',
-            'event.action',
-            'host.name',
-            'source.ip',
-            'destination.ip',
-          ],
-          fields: [],
-          filterQuery: 'sequence by host.name↵[any where true]↵[any where true]↵[any where true]',
-          id: 'FkgzdTM3YXEtUmN1cVI3VS1wZ1lrdkEgVW1GSWZEX2lRZmVwQmw2c1V5RWsyZzoyMzA1MjAzMDM=',
-          language: 'eql',
+          ...defaultArgs,
           pagination: { activePage: 3, querySize: 2 },
           sort: [
             {
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts
index 3653cb60d3653..8c4f34e930f8d 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts
@@ -17,14 +17,15 @@ import {
 import { createQueryFilterClauses } from '../../../../../../server/utils/build_query';
 
 export const buildTimelineEventsAllQuery = ({
+  authFilter,
   defaultIndex,
   docValueFields,
   fields,
   filterQuery,
   pagination: { activePage, querySize },
+  runtimeMappings,
   sort,
   timerange,
-  authFilter,
 }: Omit<TimelineEventsAllRequestOptions, 'fieldRequested'>) => {
   const filterClause = [...createQueryFilterClauses(filterQuery)];
 
@@ -78,6 +79,7 @@ export const buildTimelineEventsAllQuery = ({
           filter,
         },
       },
+      runtime_mappings: runtimeMappings,
       from: activePage * querySize,
       size: querySize,
       track_total_hits: true,
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/index.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/index.ts
index b60add2515ec9..e2491c403945e 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/index.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/index.ts
@@ -27,17 +27,27 @@ import {
 
 export const timelineEventsDetails: TimelineFactory<TimelineEventsQueries.details> = {
   buildDsl: ({ authFilter, ...options }: TimelineEventsDetailsRequestOptions) => {
-    const { indexName, eventId, docValueFields = [] } = options;
-    return buildTimelineDetailsQuery(indexName, eventId, docValueFields, authFilter);
+    const { indexName, eventId, docValueFields = [], runtimeMappings = {} } = options;
+    return buildTimelineDetailsQuery({
+      indexName,
+      id: eventId,
+      docValueFields,
+      runtimeMappings,
+      authFilter,
+    });
   },
   parse: async (
     options: TimelineEventsDetailsRequestOptions,
     response: IEsSearchResponse<EventHit>
   ): Promise<TimelineEventsDetailsStrategyResponse> => {
-    const { indexName, eventId, docValueFields = [] } = options;
+    const { indexName, eventId, docValueFields = [], runtimeMappings = {} } = options;
     const { _source, fields, ...hitsData } = cloneDeep(response.rawResponse.hits.hits[0] ?? {});
     const inspect = {
-      dsl: [inspectStringifyObject(buildTimelineDetailsQuery(indexName, eventId, docValueFields))],
+      dsl: [
+        inspectStringifyObject(
+          buildTimelineDetailsQuery({ indexName, id: eventId, docValueFields, runtimeMappings })
+        ),
+      ],
     };
     if (response.isRunning) {
       return {
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.test.ts
index 9066861cdb818..f34b54f3029a5 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.test.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.test.ts
@@ -18,7 +18,12 @@ describe('buildTimelineDetailsQuery', () => {
       { field: 'agent.name' },
     ];
 
-    const query = buildTimelineDetailsQuery(indexName, eventId, docValueFields);
+    const query = buildTimelineDetailsQuery({
+      indexName,
+      id: eventId,
+      docValueFields,
+      runtimeMappings: {},
+    });
 
     expect(query).toMatchInlineSnapshot(`
       Object {
@@ -52,6 +57,7 @@ describe('buildTimelineDetailsQuery', () => {
               ],
             },
           },
+          "runtime_mappings": Object {},
         },
         "ignore_unavailable": true,
         "index": ".siem-signals-default",
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.ts
index 70b592440468e..5baa471e5c526 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.ts
@@ -6,14 +6,22 @@
  */
 
 import { JsonObject } from '@kbn/utility-types';
+import { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { DocValueFields } from '../../../../../../common/search_strategy';
 
-export const buildTimelineDetailsQuery = (
-  indexName: string,
-  id: string,
-  docValueFields: DocValueFields[],
-  authFilter?: JsonObject
-) => {
+export const buildTimelineDetailsQuery = ({
+  authFilter,
+  docValueFields,
+  id,
+  indexName,
+  runtimeMappings,
+}: {
+  authFilter?: JsonObject;
+  docValueFields: DocValueFields[];
+  id: string;
+  indexName: string;
+  runtimeMappings: MappingRuntimeFields;
+}) => {
   const basicFilter = {
     terms: {
       _id: [id],
@@ -40,6 +48,8 @@ export const buildTimelineDetailsQuery = (
       docvalue_fields: docValueFields,
       query,
       fields: [{ field: '*', include_unmapped: true }],
+      // Remove and instead pass index_pattern.id once issue resolved: https://github.com/elastic/kibana/issues/111762
+      runtime_mappings: runtimeMappings,
       _source: true,
     },
     size: 1,
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/index.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/index.ts
index b2e073d3ecf59..9e09911a82816 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/index.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/index.ts
@@ -39,7 +39,6 @@ export const timelineSearchStrategyProvider = <T extends TimelineFactoryQueryTyp
 ): ISearchStrategy<TimelineStrategyRequestType<T>, TimelineStrategyResponseType<T>> => {
   const esAsInternal = data.search.searchAsInternalUser;
   const es = data.search.getSearchStrategy(ENHANCED_ES_SEARCH_STRATEGY);
-
   return {
     search: (request, options, deps) => {
       const factoryQueryType = request.factoryQueryType;
diff --git a/x-pack/plugins/translations/translations/ja-JP.json b/x-pack/plugins/translations/translations/ja-JP.json
index ca2acee8d09c5..45b9169d9de14 100644
--- a/x-pack/plugins/translations/translations/ja-JP.json
+++ b/x-pack/plugins/translations/translations/ja-JP.json
@@ -20620,8 +20620,6 @@
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldThresholdLabel": "しきい値",
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.importTimelineModalTitle": "保存されたタイムラインからクエリをインポート",
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.importTimelineQueryButton": "保存されたタイムラインからクエリをインポート",
-    "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.indicesCustomDescription": "インデックスのカスタムリストを入力します",
-    "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.indicesFromConfigDescription": "セキュリティソリューション詳細設定からElasticsearchインデックスを使用します",
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.indicesHelperDescription": "このルールを実行するElasticsearchインデックスのパターンを入力します。デフォルトでは、セキュリティソリューション詳細設定で定義されたインデックスパターンが含まれます。",
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.machineLearningJobIdHelpText": "手始めに使えるように、一般的なジョブがいくつか提供されています。独自のカスタムジョブを追加するには、{machineLearning} アプリケーションでジョブに「security」のグループを割り当て、ここに表示されるようにします。",
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.machineLearningJobIdRequired": "機械学習ジョブが必要です。",
@@ -22102,7 +22100,6 @@
     "xpack.securitySolution.hostsTable.osTitle": "オペレーティングシステム",
     "xpack.securitySolution.hostsTable.versionTitle": "バージョン",
     "xpack.securitySolution.hoverActions.showTopTooltip": "上位の{fieldName}を表示",
-    "xpack.securitySolution.indexPatterns.allDefault": "すべてのデフォルト",
     "xpack.securitySolution.indexPatterns.dataSourcesLabel": "データソース",
     "xpack.securitySolution.indexPatterns.disabled": "このページでは無効なインデックスパターンが推奨されますが、最初にKibanaインデックスパターン設定で構成する必要があります。",
     "xpack.securitySolution.indexPatterns.help": "データソース選択",
@@ -22411,9 +22408,6 @@
     "xpack.securitySolution.overview.endpointNotice.tryButton": "Endpoint Securityを試す",
     "xpack.securitySolution.overview.errorFetchingEvents": "イベントの取得エラー",
     "xpack.securitySolution.overview.eventsTitle": "イベント数",
-    "xpack.securitySolution.overview.feedbackText": "Elastic SIEM に関するご意見やご提案は、お気軽に {feedback}",
-    "xpack.securitySolution.overview.feedbackText.feedbackLinkText": "フィードバックをオンラインで送信",
-    "xpack.securitySolution.overview.feedbackTitle": "フィードバック",
     "xpack.securitySolution.overview.filebeatCiscoTitle": "Cisco",
     "xpack.securitySolution.overview.filebeatNetflowTitle": "Netflow",
     "xpack.securitySolution.overview.filebeatPanwTitle": "Palo Alto Networks",
@@ -22440,11 +22434,6 @@
     "xpack.securitySolution.overview.recentTimelinesSidebarTitle": "最近のタイムライン",
     "xpack.securitySolution.overview.showTopTooltip": "上位の{fieldName}を表示",
     "xpack.securitySolution.overview.signalCountTitle": "検出アラート傾向",
-    "xpack.securitySolution.overview.startedText": "セキュリティ情報およびイベント管理（SIEM）へようこそ。はじめに{docs}や{data}をご参照ください。今後の機能に関する情報やチュートリアルは、{siemSolution}ページをご覧ください。",
-    "xpack.securitySolution.overview.startedText.dataLinkText": "投入データ",
-    "xpack.securitySolution.overview.startedText.docsLinkText": "ドキュメンテーション",
-    "xpack.securitySolution.overview.startedText.siemSolutionLinkText": "SIEM ソリューション",
-    "xpack.securitySolution.overview.startedTitle": "はじめて使う",
     "xpack.securitySolution.overview.topNLabel": "トップ{fieldName}",
     "xpack.securitySolution.overview.viewAlertsButtonLabel": "アラートを表示",
     "xpack.securitySolution.overview.viewEventsButtonLabel": "イベントを表示",
diff --git a/x-pack/plugins/translations/translations/zh-CN.json b/x-pack/plugins/translations/translations/zh-CN.json
index a1cb499b6042c..0c42980fa6c80 100644
--- a/x-pack/plugins/translations/translations/zh-CN.json
+++ b/x-pack/plugins/translations/translations/zh-CN.json
@@ -20936,8 +20936,6 @@
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.fieldThresholdLabel": "阈值",
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.importTimelineModalTitle": "从已保存时间线导入查询",
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.importTimelineQueryButton": "从已保存时间线导入查询",
-    "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.indicesCustomDescription": "提供定制的索引列表",
-    "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.indicesFromConfigDescription": "使用 Security Solution 高级设置中的 Elasticsearch 索引",
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.indicesHelperDescription": "输入要运行此规则的 Elasticsearch 索引的模式。默认情况下，将包括 Security Solution 高级设置中定义的索引模式。",
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.machineLearningJobIdHelpText": "我们提供了一些常见作业来帮助您入门。要添加自己的定制作业，请在 {machineLearning} 应用程序中将一个“security”组分配给这些作业，以使它们显示在此处。",
     "xpack.securitySolution.detectionEngine.createRule.stepDefineRule.machineLearningJobIdRequired": "Machine Learning 作业必填。",
@@ -22452,7 +22450,6 @@
     "xpack.securitySolution.hostsTable.unit": "{totalCount, plural, other {个主机}}",
     "xpack.securitySolution.hostsTable.versionTitle": "版本",
     "xpack.securitySolution.hoverActions.showTopTooltip": "显示排名靠前的{fieldName}",
-    "xpack.securitySolution.indexPatterns.allDefault": "所有默认值",
     "xpack.securitySolution.indexPatterns.dataSourcesLabel": "数据源",
     "xpack.securitySolution.indexPatterns.disabled": "在此页面上建议使用已禁用的索引模式，但是首先需要在 Kibana 索引模式设置中配置这些模式",
     "xpack.securitySolution.indexPatterns.help": "数据源的选择",
@@ -22779,9 +22776,6 @@
     "xpack.securitySolution.overview.endpointNotice.tryButton": "试用 Endpoint Security",
     "xpack.securitySolution.overview.errorFetchingEvents": "提取事件时出错",
     "xpack.securitySolution.overview.eventsTitle": "事件计数",
-    "xpack.securitySolution.overview.feedbackText": "如果您对 Elastic SIEM 体验有任何建议，请随时{feedback}。",
-    "xpack.securitySolution.overview.feedbackText.feedbackLinkText": "在线提交反馈",
-    "xpack.securitySolution.overview.feedbackTitle": "反馈",
     "xpack.securitySolution.overview.filebeatCiscoTitle": "Cisco",
     "xpack.securitySolution.overview.filebeatNetflowTitle": "NetFlow",
     "xpack.securitySolution.overview.filebeatPanwTitle": "Palo Alto Networks",
@@ -22810,11 +22804,6 @@
     "xpack.securitySolution.overview.recentTimelinesSidebarTitle": "最近的时间线",
     "xpack.securitySolution.overview.showTopTooltip": "显示排名靠前的{fieldName}",
     "xpack.securitySolution.overview.signalCountTitle": "检测告警趋势",
-    "xpack.securitySolution.overview.startedText": "欢迎使用安全信息和事件管理 (SIEM)。首先阅读我们的{docs}或{data}。要了解即将推出的功能和教程，请访问我们的 {siemSolution}页面。",
-    "xpack.securitySolution.overview.startedText.dataLinkText": "正在采集数据",
-    "xpack.securitySolution.overview.startedText.docsLinkText": "文档",
-    "xpack.securitySolution.overview.startedText.siemSolutionLinkText": "SIEM 解决方案",
-    "xpack.securitySolution.overview.startedTitle": "入门",
     "xpack.securitySolution.overview.topNLabel": "排名靠前的{fieldName}",
     "xpack.securitySolution.overview.viewAlertsButtonLabel": "查看告警",
     "xpack.securitySolution.overview.viewEventsButtonLabel": "查看事件",
diff --git a/x-pack/test/api_integration/apis/security_solution/timeline_migrations.ts b/x-pack/test/api_integration/apis/security_solution/timeline_migrations.ts
index 72607cbe8bf79..c5ea6e2aeaa63 100644
--- a/x-pack/test/api_integration/apis/security_solution/timeline_migrations.ts
+++ b/x-pack/test/api_integration/apis/security_solution/timeline_migrations.ts
@@ -199,7 +199,6 @@ export default function ({ getService }: FtrProviderContext) {
           expect(resp.body.data.getOneTimeline.savedQueryId).to.be("It's me");
         });
       });
-
       describe('pinned events timelineId', () => {
         it('removes the timelineId in the saved object', async () => {
           const timelines = await getSavedObjectFromES<PinnedEventWithoutTimelineId>(
diff --git a/x-pack/test/plugin_functional/plugins/timelines_test/public/applications/timelines_test/index.tsx b/x-pack/test/plugin_functional/plugins/timelines_test/public/applications/timelines_test/index.tsx
index a37c00144504d..48a17dc985003 100644
--- a/x-pack/test/plugin_functional/plugins/timelines_test/public/applications/timelines_test/index.tsx
+++ b/x-pack/test/plugin_functional/plugins/timelines_test/public/applications/timelines_test/index.tsx
@@ -91,6 +91,7 @@ const AppRoot = React.memo(
                   setRefetch,
                   start: '',
                   rowRenderers: [],
+                  runtimeMappings: {},
                   filterStatus: 'open',
                   unit: (n: number) => `${n}`,
                 })) ??