[Investigations] - Show detection alerts only guidance (#239975)

## Summary

With the removal of the show detection alerts only feature, we want to
provide guidance to users on how to update their timelines. The UI looks
like this

<img width="1197" height="955" alt="Screenshot 2025-11-12 at 10 55
14 PM"
src="https://github.com/user-attachments/assets/9a5de15e-10cd-458a-a06c-2b17973bcb14"
/>

The callout here only displays when the saved index patterns are just
the alerts index `.alerts-security.alerts-{space}`, but the data view is
the default data view.
The user can either
- add an `Alerts only` filter (`_index:
.alerts-security.alerts-{space}`)
- filter for the `Security solution alerts` data view

These 2 paths are shown in the following video


https://github.com/user-attachments/assets/910fd069-a31c-4e4d-8e45-a88e7fd6e102

For Timelines that were not saved with the `Show detection alerts only`
option, the callout is not displayed.

## How to test

- start with the `newDataViewPickerEnabled` feature flag turned off
- save a Timeline after making sure that you select the `Show detection
alerts only` checbox and save the dataview
- turn the `newDataViewPickerEnabled` feature flag back on
- open the saved Timeline

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [x] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.

---------

Co-authored-by: PhilippeOberti <[email protected]>

Author: michaelolo24

x-pack/solutions/security/plugins/security_solution/public/timelines/components/timeline/index.tsx

@@ -12,6 +12,8 @@ import { useDispatch, useSelector } from 'react-redux';
 import styled from 'styled-components';
 
 import { isTab } from '@kbn/timelines-plugin/public';
+import { useSpaceId } from '../../../common/hooks/use_space_id';
+import { DEFAULT_ALERTS_INDEX, DEFAULT_DATA_VIEW_ID } from '../../../../common/constants';
 import { useIsExperimentalFeatureEnabled } from '../../../common/hooks/use_experimental_features';
 import { timelineActions, timelineSelectors } from '../../store';
 import { timelineDefaults } from '../../store/defaults';
@@ -101,6 +103,7 @@ const StatefulTimelineComponent: React.FC<Props> = ({
   const { timelineFullScreen } = useTimelineFullScreen();
 
   const newDataViewPickerEnabled = useIsExperimentalFeatureEnabled('newDataViewPickerEnabled');
+  const spaceId = useSpaceId();
   const experimentalSelectedPatterns = useSelectedPatterns(SourcererScopeName.timeline);
   const { dataView: experimentalDataView, status } = useDataView(SourcererScopeName.timeline);
 
@@ -143,6 +146,15 @@ const StatefulTimelineComponent: React.FC<Props> = ({
     ) {
       return;
     }
+    // TODO: newDataViewPickerEnabled: With the new data view picker, we should not update the selected patterns
+    // on timeline, as that prevents us from guiding the user to duplicate the data view or using the new alerts only dv
+    if (
+      selectedDataViewIdTimeline === `${DEFAULT_DATA_VIEW_ID}-${spaceId}` &&
+      selectedPatternsTimeline.length === 1 &&
+      selectedPatternsTimeline[0].includes(DEFAULT_ALERTS_INDEX)
+    ) {
+      return;
+    }
     dispatch(
       timelineActions.updateDataView({
         dataViewId: selectedDataViewId,
@@ -157,6 +169,7 @@ const StatefulTimelineComponent: React.FC<Props> = ({
     selectedDataViewIdTimeline,
     selectedPatterns,
     selectedPatternsTimeline,
+    spaceId,
     timelineId,
   ]);
 

x-pack/solutions/security/plugins/security_solution/public/timelines/components/timeline/tabs/query/header/index.test.tsx

@@ -6,22 +6,23 @@
  */
 
 import React from 'react';
-
 import { coreMock } from '@kbn/core/public/mocks';
 import { mockIndexPattern } from '../../../../../../common/mock';
 import { TestProviders } from '../../../../../../common/mock/test_providers';
 import { FilterManager } from '@kbn/data-plugin/public';
 import { mockDataProviders } from '../../../data_providers/mock/mock_data_providers';
 import { useMountAppended } from '../../../../../../common/utils/use_mount_appended';
-
 import { QueryTabHeader } from '.';
 import { TimelineStatusEnum, TimelineTypeEnum } from '../../../../../../../common/api/timeline';
 import { waitFor } from '@testing-library/react';
 import { TimelineId, TimelineTabs } from '../../../../../../../common/types';
+import { useShouldShowAlertsOnlyMigrationMessage } from '../hooks/use_show_alerts_only_migration_message';
+import { CALLOUT_TEST_ID } from './migration_message_callout';
 
 const mockUiSettingsForFilterManager = coreMock.createStart().uiSettings;
 
 jest.mock('../../../../../../common/lib/kibana');
+jest.mock('../hooks/use_show_alerts_only_migration_message');
 
 describe('Header', () => {
   const indexPattern = mockIndexPattern;
@@ -33,6 +34,8 @@ describe('Header', () => {
   };
   const props = {
     activeTab: TimelineTabs.query,
+    currentIndices: ['index-1', 'index-2'],
+    dataViewId: '',
     showEventsCountBadge: true,
     totalCount: 1,
     browserFields: {},
@@ -51,8 +54,8 @@ describe('Header', () => {
     timelineType: TimelineTypeEnum.default,
   };
 
-  describe('rendering', () => {
-    test('it renders the data providers when show is true', async () => {
+  describe('QueryTabHeader', () => {
+    test('should render the data providers when show is true', async () => {
       const testProps = { ...props, show: true };
       const wrapper = await getWrapper(
         <TestProviders>
@@ -63,7 +66,7 @@ describe('Header', () => {
       expect(wrapper.find('[data-test-subj="dataProviders"]').exists()).toEqual(true);
     });
 
-    test('it renders the unauthorized call out providers', async () => {
+    test('should render the unauthorized call out providers', async () => {
       const testProps = {
         ...props,
         filterManager: new FilterManager(mockUiSettingsForFilterManager),
@@ -79,7 +82,7 @@ describe('Header', () => {
       expect(wrapper.find('[data-test-subj="timelineCallOutUnauthorized"]').exists()).toEqual(true);
     });
 
-    test('it renders the unauthorized call out with correct icon', async () => {
+    test('should render the unauthorized call out with correct icon', async () => {
       const testProps = {
         ...props,
         filterManager: new FilterManager(mockUiSettingsForFilterManager),
@@ -97,7 +100,7 @@ describe('Header', () => {
       ).toEqual('warning');
     });
 
-    test('it renders the unauthorized call out with correct message', async () => {
+    test('should render the unauthorized call out with correct message', async () => {
       const testProps = {
         ...props,
         filterManager: new FilterManager(mockUiSettingsForFilterManager),
@@ -117,7 +120,7 @@ describe('Header', () => {
       );
     });
 
-    test('it renders the immutable timeline call out providers', async () => {
+    test('should render the immutable timeline call out providers', async () => {
       const testProps = {
         ...props,
         filterManager: new FilterManager(mockUiSettingsForFilterManager),
@@ -134,7 +137,7 @@ describe('Header', () => {
       expect(wrapper.find('[data-test-subj="timelineImmutableCallOut"]').exists()).toEqual(true);
     });
 
-    test('it renders the immutable timeline call out with correct icon', async () => {
+    test('should render the immutable timeline call out with correct icon', async () => {
       const testProps = {
         ...props,
         filterManager: new FilterManager(mockUiSettingsForFilterManager),
@@ -153,7 +156,7 @@ describe('Header', () => {
       ).toEqual('warning');
     });
 
-    test('it renders the immutable timeline call out with correct message', async () => {
+    test('should render the immutable timeline call out with correct message', async () => {
       const testProps = {
         ...props,
         filterManager: new FilterManager(mockUiSettingsForFilterManager),
@@ -174,4 +177,16 @@ describe('Header', () => {
       );
     });
   });
+
+  test('should render the migration callout', async () => {
+    (useShouldShowAlertsOnlyMigrationMessage as jest.Mock).mockReturnValue(true);
+
+    const wrapper = await getWrapper(
+      <TestProviders>
+        <QueryTabHeader {...props} />
+      </TestProviders>
+    );
+
+    expect(wrapper.find(`[data-test-subj="${CALLOUT_TEST_ID}"]`).exists()).toEqual(true);
+  });
 });

x-pack/solutions/security/plugins/security_solution/public/timelines/components/timeline/tabs/query/header/index.tsx

@@ -11,6 +11,8 @@ import type { FilterManager } from '@kbn/data-plugin/public';
 import { InPortal } from 'react-reverse-portal';
 import { IS_DRAGGING_CLASS_NAME } from '@kbn/securitysolution-t-grid';
 import { css } from '@emotion/react';
+import { MigrationMessageCallout } from './migration_message_callout';
+import { useShouldShowAlertsOnlyMigrationMessage } from '../hooks/use_show_alerts_only_migration_message';
 import { useTimelineEventsCountPortal } from '../../../../../../common/hooks/use_timeline_events_count';
 import {
   type TimelineStatus,
@@ -28,6 +30,14 @@ import { EventsCountBadge, StyledEuiFlyoutHeader, TabHeaderContainer } from '../
 
 interface Props {
   activeTab: TimelineTabs;
+  /**
+   * The currently selected timeline indices
+   */
+  currentIndices: string[];
+  /**
+   * The id of the dataview
+   */
+  dataViewId: string | null;
   filterManager: FilterManager;
   show: boolean;
   showCallOutUnauthorizedMsg: boolean;
@@ -61,6 +71,8 @@ const useStyles = (shouldShowQueryBuilder: boolean) => {
 
 const QueryTabHeaderComponent: React.FC<Props> = ({
   activeTab,
+  currentIndices,
+  dataViewId,
   filterManager,
   show,
   showCallOutUnauthorizedMsg,
@@ -89,6 +101,11 @@ const QueryTabHeaderComponent: React.FC<Props> = ({
   );
   const dataProviderStyles = useStyles(shouldShowQueryBuilder);
 
+  const showAlertsOnlyMigrationMessage = useShouldShowAlertsOnlyMigrationMessage({
+    currentTimelineIndices: currentIndices,
+    dataViewId,
+  });
+
   return (
     <StyledEuiFlyoutHeader data-test-subj={`${activeTab}-tab-flyout-header`} hasBorder={false}>
       <InPortal node={timelineEventsCountPortalNode}>
@@ -103,6 +120,11 @@ const QueryTabHeaderComponent: React.FC<Props> = ({
               <EuiFlexItem>
                 <StatefulSearchOrFilter filterManager={filterManager} timelineId={timelineId} />
               </EuiFlexItem>
+              {showAlertsOnlyMigrationMessage && (
+                <EuiFlexItem>
+                  <MigrationMessageCallout timelineId={timelineId} />
+                </EuiFlexItem>
+              )}
               {showCallOutUnauthorizedMsg && (
                 <EuiFlexItem>
                   <EuiCallOut

x-pack/solutions/security/plugins/security_solution/public/timelines/components/timeline/tabs/query/header/migration_message_callout.test.tsx

@@ -0,0 +1,68 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import { render } from '@testing-library/react';
+import {
+  ADD_ALERTS_FILTER_BUTTON_TEST_ID,
+  ALERTS_ONLY_DATA_VIEW_BUTTON_TEST_ID,
+  CALLOUT_TEST_ID,
+  MigrationMessageCallout,
+} from './migration_message_callout';
+import { useTimelineSelectAlertsOnlyDataView } from '../hooks/use_timeline_select_alerts_only_data_view';
+import { useAddAlertsOnlyFilter } from '../hooks/use_add_alerts_only_filter';
+import {
+  CALL_OUT_ALERTS_ONLY_MIGRATION_CONTENT,
+  CALL_OUT_ALERTS_ONLY_MIGRATION_SWITCH_BUTTON,
+  CALL_OUT_FILTER_FOR_ALERTS_BUTTON,
+} from './translations';
+
+jest.mock('../hooks/use_timeline_select_alerts_only_data_view');
+jest.mock('../hooks/use_add_alerts_only_filter');
+
+describe('MigrationMessageCallout', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it('should render correctly', () => {
+    (useTimelineSelectAlertsOnlyDataView as jest.Mock).mockReturnValue(jest.fn());
+    (useAddAlertsOnlyFilter as jest.Mock).mockReturnValue(jest.fn());
+
+    const { getByTestId } = render(<MigrationMessageCallout timelineId={'test'} />);
+
+    expect(getByTestId(CALLOUT_TEST_ID)).toHaveTextContent(CALL_OUT_ALERTS_ONLY_MIGRATION_CONTENT);
+    expect(getByTestId(ALERTS_ONLY_DATA_VIEW_BUTTON_TEST_ID)).toHaveTextContent(
+      CALL_OUT_ALERTS_ONLY_MIGRATION_SWITCH_BUTTON
+    );
+    expect(getByTestId(ADD_ALERTS_FILTER_BUTTON_TEST_ID)).toHaveTextContent(
+      CALL_OUT_FILTER_FOR_ALERTS_BUTTON
+    );
+  });
+
+  it('should call the selectAlertsDataView callback', () => {
+    const selectAlertsDataView = jest.fn();
+    (useTimelineSelectAlertsOnlyDataView as jest.Mock).mockReturnValue(selectAlertsDataView);
+    (useAddAlertsOnlyFilter as jest.Mock).mockReturnValue(jest.fn());
+
+    const { getByTestId } = render(<MigrationMessageCallout timelineId={'test'} />);
+
+    getByTestId(ALERTS_ONLY_DATA_VIEW_BUTTON_TEST_ID).click();
+    expect(selectAlertsDataView).toHaveBeenCalled();
+  });
+
+  it('should call the addAlertsFilter callback', () => {
+    const addAlertsFilter = jest.fn();
+    (useAddAlertsOnlyFilter as jest.Mock).mockReturnValue(addAlertsFilter);
+    (useTimelineSelectAlertsOnlyDataView as jest.Mock).mockReturnValue(jest.fn());
+
+    const { getByTestId } = render(<MigrationMessageCallout timelineId={'test'} />);
+
+    getByTestId(ADD_ALERTS_FILTER_BUTTON_TEST_ID).click();
+    expect(addAlertsFilter).toHaveBeenCalled();
+  });
+});

x-pack/solutions/security/plugins/security_solution/public/timelines/components/timeline/tabs/query/header/migration_message_callout.tsx

@@ -0,0 +1,87 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import {
+  EuiButton,
+  EuiButtonEmpty,
+  EuiCallOut,
+  EuiFlexGroup,
+  EuiFlexItem,
+  EuiText,
+} from '@elastic/eui';
+import React, { memo } from 'react';
+import { useTimelineSelectAlertsOnlyDataView } from '../hooks/use_timeline_select_alerts_only_data_view';
+import { useAddAlertsOnlyFilter } from '../hooks/use_add_alerts_only_filter';
+import * as i18n from './translations';
+
+export const CALLOUT_TEST_ID = 'timelineAlertsOnlyCallOut';
+export const ALERTS_ONLY_DATA_VIEW_BUTTON_TEST_ID = 'timelineAlertsOnlyDataViewButton';
+export const ADD_ALERTS_FILTER_BUTTON_TEST_ID = 'timelineAddAlertsFitlerButton';
+
+export interface MigrationMessageProps {
+  /**
+   * Id of the timeline the callout is being displayed in
+   */
+  timelineId: string;
+}
+
+/**
+ * Callout message displayed in timelines to inform users that with the new data view picker
+ * we don't support the "show detection alerts only" option we had with sourcerer.
+ * So their option is to either swithc to use the alerts data view
+ * or use the default data view and add an alerts-only filter.
+ */
+export const MigrationMessageCallout = memo(({ timelineId }: MigrationMessageProps) => {
+  const selectAlertsDataView = useTimelineSelectAlertsOnlyDataView();
+  const addAlertsFilter = useAddAlertsOnlyFilter({ timelineId });
+
+  return (
+    <EuiCallOut
+      announceOnMount={false}
+      color="warning"
+      data-test-subj={CALLOUT_TEST_ID}
+      iconType="warning"
+      size="m"
+      title={i18n.CALL_OUT_ALERTS_ONLY_MIGRATION_TITLE}
+    >
+      <EuiFlexGroup justifyContent="spaceBetween" responsive={false}>
+        <EuiFlexItem>
+          <EuiText size="s">{i18n.CALL_OUT_ALERTS_ONLY_MIGRATION_CONTENT}</EuiText>
+        </EuiFlexItem>
+        <EuiFlexItem grow={false}>
+          <EuiFlexGroup alignItems="center" gutterSize="xs" responsive={false}>
+            <EuiFlexItem grow={false}>
+              <EuiButtonEmpty
+                aria-label={i18n.CALL_OUT_ALERTS_ONLY_MIGRATION_SWITCH_BUTTON}
+                color="text"
+                data-test-subj={ALERTS_ONLY_DATA_VIEW_BUTTON_TEST_ID}
+                onClick={selectAlertsDataView}
+                size="s"
+              >
+                {i18n.CALL_OUT_ALERTS_ONLY_MIGRATION_SWITCH_BUTTON}
+              </EuiButtonEmpty>
+            </EuiFlexItem>
+            <EuiFlexItem grow={false}>
+              <EuiButton
+                aria-label={i18n.CALL_OUT_FILTER_FOR_ALERTS_BUTTON}
+                color="warning"
+                data-test-subj={ADD_ALERTS_FILTER_BUTTON_TEST_ID}
+                fill
+                onClick={addAlertsFilter}
+                size="s"
+              >
+                {i18n.CALL_OUT_FILTER_FOR_ALERTS_BUTTON}
+              </EuiButton>
+            </EuiFlexItem>
+          </EuiFlexGroup>
+        </EuiFlexItem>
+      </EuiFlexGroup>
+    </EuiCallOut>
+  );
+});
+
+MigrationMessageCallout.displayName = 'MigrationMessageCallout';