[RAC][Timeline] - Add audit log to RBAC wrapped search strategy

[yctercero]

Summary

Went back to add audit logging to the alerts table search strategy used to query RAC alerts. This PR also includes tests for the logging.

To Do

• Unskip RBAC tests - saw that the RBAC tests, including those for timeline search strategy
  • https:/elastic/kibana/blob/master/x-pack/test/rule_registry/security_and_spaces/tests/trial/index.ts#L41
  • Failing test: X-Pack Rule Registry Alerts Client API Integration Tests.x-pack/test/rule_registry/security_and_spaces/tests/basic/get_alerts_index·ts - rules security and spaces enabled: basic Alert - Get Index - RBAC - spaces Users: obs_only_all_spaces_all should be able to access the APM alert in space1 #110153

Checklist

• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• This was checked for breaking API changes and was labeled appropriately

[yctercero]

@elasticmachine merge upstream

[kibanamachine]

⏳ Build in-progress, with failures

• continuous-integration/kibana-ci/pull-request
• Commit: 17f6cdd
• Storybooks Preview
• This comment will update when the build is complete

History

• 💔 Build #156091 failed 5a4a023
• 💔 Build #155440 failed 151514d
• 💔 Build #154807 failed f861b5c
• 💔 Build #153069 failed ef26e9c

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @yctercero

[elasticmachine]

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

[yctercero]

@dhurley14 @marshallmain @michaelolo24 - wasn't sure exactly who to ask, but as I've been away from RAC this cycle, wondering did anything change recently with giving users with minimal read access? These tests are now failing (they'd been removed sometime so weren't running for months now) but I know they were good back in August-ish about?

[jportner]

Auditing LGTM. Nice catch on the missing bits in the dev docs.

[weltenwort]

This is not a code review, but I tested this PR a bit on the observability alerts table. I couldn't change the workflow status of an alert that I created with the same account even though it has the "logs" consumer:

[yctercero]

@elasticmachine merge upstream

[yctercero]

@elasticmachine merge upstream

[kibanamachine]

expected head sha didn’t match current head ref.

[yctercero]

@elasticmachine merge upstream

[yctercero]

@elasticmachine merge upstream

[yctercero]

@elasticmachine merge upstream

[yctercero]

@elasticmachine merge upstream

[kibanamachine]

💚 Build Succeeded

• Buildkite Build
• Commit: e22fc9b
• Storybooks Preview

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
ruleRegistry	127	139	+12

Unknown metric groups

API count

id	before	after	diff
ruleRegistry	153	165	+12

History

• 💔 Build #4020 failed e47df03
• 💔 Build #3485 failed ad4db59
• 💔 Build #3411 failed 4f8e967
• 💔 Build #2868 failed a92dc54
• 💔 Build #2791 failed 9838392

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @yctercero

[kibanamachine]

The following labels were identified as gaps in your version labels and will be added automatically:

• v8.1.0

If any of these should not be on your pull request, please manually remove them.

[kibanamachine]

💔 Backport failed

Status	Branch	Result
✅	8.0
❌	7.16	Commit could not be cherrypicked due to conflicts

Successful backport PRs will be merged automatically after passing CI.

To backport manually run:
node scripts/backport --pr 112040