diff --git a/x-pack/plugins/security_solution/common/ecs/agent/index.ts b/x-pack/plugins/security_solution/common/ecs/agent/index.ts
new file mode 100644
index 0000000000000..6f29a2020c944
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/ecs/agent/index.ts
@@ -0,0 +1,9 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export interface AgentEcs {
+  type?: string[];
+}
diff --git a/x-pack/plugins/security_solution/common/ecs/endgame/index.ts b/x-pack/plugins/security_solution/common/ecs/endgame/index.ts
index f435db4f47810..d2fc5d61527a5 100644
--- a/x-pack/plugins/security_solution/common/ecs/endgame/index.ts
+++ b/x-pack/plugins/security_solution/common/ecs/endgame/index.ts
@@ -5,29 +5,17 @@
  */
 
 export interface EndgameEcs {
-  exit_code?: number;
-
-  file_name?: string;
-
-  file_path?: string;
-
-  logon_type?: number;
-
-  parent_process_name?: string;
-
-  pid?: number;
-
-  process_name?: string;
-
-  subject_domain_name?: string;
-
-  subject_logon_id?: string;
-
-  subject_user_name?: string;
-
-  target_domain_name?: string;
-
-  target_logon_id?: string;
-
-  target_user_name?: string;
+  exit_code?: number[];
+  file_name?: string[];
+  file_path?: string[];
+  logon_type?: number[];
+  parent_process_name?: string[];
+  pid?: number[];
+  process_name?: string[];
+  subject_domain_name?: string[];
+  subject_logon_id?: string[];
+  subject_user_name?: string[];
+  target_domain_name?: string[];
+  target_logon_id?: string[];
+  target_user_name?: string[];
 }
diff --git a/x-pack/plugins/security_solution/common/ecs/index.ts b/x-pack/plugins/security_solution/common/ecs/index.ts
index e31d42b02f80b..b8190463f5da5 100644
--- a/x-pack/plugins/security_solution/common/ecs/index.ts
+++ b/x-pack/plugins/security_solution/common/ecs/index.ts
@@ -4,11 +4,13 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { AgentEcs } from './agent';
 import { AuditdEcs } from './auditd';
 import { DestinationEcs } from './destination';
 import { DnsEcs } from './dns';
 import { EndgameEcs } from './endgame';
 import { EventEcs } from './event';
+import { FileEcs } from './file';
 import { GeoEcs } from './geo';
 import { HostEcs } from './host';
 import { NetworkEcs } from './network';
@@ -28,6 +30,7 @@ import { SystemEcs } from './system';
 export interface Ecs {
   _id: string;
   _index?: string;
+  agent?: AgentEcs;
   auditd?: AuditdEcs;
   destination?: DestinationEcs;
   dns?: DnsEcs;
@@ -49,6 +52,6 @@ export interface Ecs {
   user?: UserEcs;
   winlog?: WinlogEcs;
   process?: ProcessEcs;
-  file?: File;
+  file?: FileEcs;
   system?: SystemEcs;
 }
diff --git a/x-pack/plugins/security_solution/common/ecs/process/index.ts b/x-pack/plugins/security_solution/common/ecs/process/index.ts
index 0584d95c8059d..451f1455f55d4 100644
--- a/x-pack/plugins/security_solution/common/ecs/process/index.ts
+++ b/x-pack/plugins/security_solution/common/ecs/process/index.ts
@@ -5,35 +5,25 @@
  */
 
 export interface ProcessEcs {
+  entity_id?: string[];
   hash?: ProcessHashData;
-
   pid?: number[];
-
   name?: string[];
-
   ppid?: number[];
-
   args?: string[];
-
   executable?: string[];
-
   title?: string[];
-
   thread?: Thread;
-
   working_directory?: string[];
 }
 
 export interface ProcessHashData {
   md5?: string[];
-
   sha1?: string[];
-
   sha256?: string[];
 }
 
 export interface Thread {
   id?: number[];
-
   start?: string[];
 }
diff --git a/x-pack/plugins/security_solution/common/ecs/rule/index.ts b/x-pack/plugins/security_solution/common/ecs/rule/index.ts
index c1ef1ee17ca0c..47316c7791e4b 100644
--- a/x-pack/plugins/security_solution/common/ecs/rule/index.ts
+++ b/x-pack/plugins/security_solution/common/ecs/rule/index.ts
@@ -6,64 +6,38 @@
 
 export interface RuleEcs {
   id?: string[];
-
   rule_id?: string[];
-
   false_positives: string[];
-
   saved_id?: string[];
-
   timeline_id?: string[];
-
   timeline_title?: string[];
-
   max_signals?: number[];
-
   risk_score?: string[];
-
   output_index?: string[];
-
   description?: string[];
-
   from?: string[];
-
   immutable?: boolean[];
-
   index?: string[];
-
   interval?: string[];
-
   language?: string[];
-
   query?: string[];
-
   references?: string[];
-
   severity?: string[];
-
   tags?: string[];
-
   threat?: unknown;
-
+  threshold?: {
+    field: string;
+    value: number;
+  };
   type?: string[];
-
   size?: string[];
-
   to?: string[];
-
   enabled?: boolean[];
-
   filters?: unknown;
-
   created_at?: string[];
-
   updated_at?: string[];
-
   created_by?: string[];
-
   updated_by?: string[];
-
   version?: string[];
-
   note?: string[];
 }
diff --git a/x-pack/plugins/security_solution/common/ecs/signal/index.ts b/x-pack/plugins/security_solution/common/ecs/signal/index.ts
index 66e35e26af341..55a889f3a5dd1 100644
--- a/x-pack/plugins/security_solution/common/ecs/signal/index.ts
+++ b/x-pack/plugins/security_solution/common/ecs/signal/index.ts
@@ -8,6 +8,6 @@ import { RuleEcs } from '../rule';
 
 export interface SignalEcs {
   rule?: RuleEcs;
-
   original_time?: string[];
+  status?: string[];
 }
diff --git a/x-pack/plugins/security_solution/common/search_strategy/common/index.ts b/x-pack/plugins/security_solution/common/search_strategy/common/index.ts
index b55226b08b800..48437e12f75a5 100644
--- a/x-pack/plugins/security_solution/common/search_strategy/common/index.ts
+++ b/x-pack/plugins/security_solution/common/search_strategy/common/index.ts
@@ -113,3 +113,13 @@ export interface GenericBuckets {
 }
 
 export type StringOrNumber = string | number;
+
+export interface TimerangeFilter {
+  range: {
+    [timestamp: string]: {
+      gte: string;
+      lte: string;
+      format: string;
+    };
+  };
+}
diff --git a/x-pack/plugins/security_solution/common/search_strategy/timeline/events/all/index.ts b/x-pack/plugins/security_solution/common/search_strategy/timeline/events/all/index.ts
new file mode 100644
index 0000000000000..0503a9c327467
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/search_strategy/timeline/events/all/index.ts
@@ -0,0 +1,42 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { IEsSearchResponse } from '../../../../../../../../src/plugins/data/common';
+import { Ecs } from '../../../../ecs';
+import { CursorType, Inspect, Maybe } from '../../../common';
+import { TimelineRequestOptionsPaginated } from '../..';
+
+export interface TimelineEdges {
+  node: TimelineItem;
+  cursor: CursorType;
+}
+
+export interface TimelineItem {
+  _id: string;
+  _index?: Maybe<string>;
+  data: TimelineNonEcsData[];
+  ecs: Ecs;
+}
+
+export interface TimelineNonEcsData {
+  field: string;
+  value?: Maybe<string[]>;
+}
+
+export interface TimelineEventsAllStrategyResponse extends IEsSearchResponse {
+  edges: TimelineEdges[];
+  totalCount: number;
+  pageInfo: {
+    activePage: number;
+    totalPages: number;
+  };
+  inspect?: Maybe<Inspect>;
+}
+
+export interface TimelineEventsAllRequestOptions extends TimelineRequestOptionsPaginated {
+  fields: string[];
+  fieldRequested: string[];
+}
diff --git a/x-pack/plugins/security_solution/common/search_strategy/timeline/events/common/index.ts b/x-pack/plugins/security_solution/common/search_strategy/timeline/events/common/index.ts
new file mode 100644
index 0000000000000..200f400ef6816
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/search_strategy/timeline/events/common/index.ts
@@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { Ecs } from '../../../../ecs';
+import { CursorType, Maybe } from '../../../common';
+
+export interface TimelineEdges {
+  node: TimelineItem;
+  cursor: CursorType;
+}
+
+export interface TimelineItem {
+  _id: string;
+  _index?: Maybe<string>;
+  data: TimelineNonEcsData[];
+  ecs: Ecs;
+}
+
+export interface TimelineNonEcsData {
+  field: string;
+  value?: Maybe<string[] | string>;
+}
diff --git a/x-pack/plugins/security_solution/common/search_strategy/timeline/details/index.ts b/x-pack/plugins/security_solution/common/search_strategy/timeline/events/details/index.ts
similarity index 50%
rename from x-pack/plugins/security_solution/common/search_strategy/timeline/details/index.ts
rename to x-pack/plugins/security_solution/common/search_strategy/timeline/events/details/index.ts
index e5e1c41f4731a..6f9192be40150 100644
--- a/x-pack/plugins/security_solution/common/search_strategy/timeline/details/index.ts
+++ b/x-pack/plugins/security_solution/common/search_strategy/timeline/events/details/index.ts
@@ -4,25 +4,25 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { IEsSearchResponse } from '../../../../../../../src/plugins/data/common';
-import { Inspect, Maybe } from '../../common';
-import { TimelineRequestOptionsPaginated } from '..';
+import { IEsSearchResponse } from '../../../../../../../../src/plugins/data/common';
+import { Inspect, Maybe } from '../../../common';
+import { TimelineRequestOptionsPaginated } from '../..';
 
-export interface DetailItem {
+export interface TimelineEventsDetailsItem {
   field: string;
   values?: Maybe<string[]>;
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
   originalValue?: Maybe<any>;
 }
 
-export interface TimelineDetailsStrategyResponse extends IEsSearchResponse {
-  data?: Maybe<DetailItem[]>;
+export interface TimelineEventsDetailsStrategyResponse extends IEsSearchResponse {
+  data?: Maybe<TimelineEventsDetailsItem[]>;
   inspect?: Maybe<Inspect>;
 }
 
-export interface TimelineDetailsRequestOptions extends Partial<TimelineRequestOptionsPaginated> {
+export interface TimelineEventsDetailsRequestOptions
+  extends Partial<TimelineRequestOptionsPaginated> {
   defaultIndex: string[];
-  executeQuery: boolean;
   indexName: string;
   eventId: string;
 }
diff --git a/x-pack/plugins/security_solution/common/search_strategy/timeline/events/index.ts b/x-pack/plugins/security_solution/common/search_strategy/timeline/events/index.ts
new file mode 100644
index 0000000000000..6bb9461995974
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/search_strategy/timeline/events/index.ts
@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export * from './all';
+export * from './details';
+export * from './last_event_time';
+
+export enum TimelineEventsQueries {
+  all = 'eventsAll',
+  details = 'eventsDetails',
+  lastEventTime = 'eventsLastEventTime',
+}
diff --git a/x-pack/plugins/security_solution/common/search_strategy/timeline/events/last_event_time/index.ts b/x-pack/plugins/security_solution/common/search_strategy/timeline/events/last_event_time/index.ts
new file mode 100644
index 0000000000000..10750503fc807
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/search_strategy/timeline/events/last_event_time/index.ts
@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { IEsSearchResponse } from '../../../../../../../../src/plugins/data/common';
+import { Inspect, Maybe } from '../../../common';
+import { TimelineRequestBasicOptions } from '../..';
+
+export enum LastEventIndexKey {
+  hostDetails = 'hostDetails',
+  hosts = 'hosts',
+  ipDetails = 'ipDetails',
+  network = 'network',
+}
+
+export interface LastTimeDetails {
+  hostName?: Maybe<string>;
+  ip?: Maybe<string>;
+}
+
+export interface TimelineEventsLastEventTimeStrategyResponse extends IEsSearchResponse {
+  lastSeen: Maybe<string>;
+  inspect?: Maybe<Inspect>;
+}
+
+export interface TimelineEventsLastEventTimeRequestOptions
+  extends Omit<TimelineRequestBasicOptions, 'filterQuery' | 'timerange'> {
+  indexKey: LastEventIndexKey;
+  details: LastTimeDetails;
+}
diff --git a/x-pack/plugins/security_solution/common/search_strategy/timeline/index.ts b/x-pack/plugins/security_solution/common/search_strategy/timeline/index.ts
index a7bf61c102cd4..773ee60855886 100644
--- a/x-pack/plugins/security_solution/common/search_strategy/timeline/index.ts
+++ b/x-pack/plugins/security_solution/common/search_strategy/timeline/index.ts
@@ -3,45 +3,22 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-
 import { IEsSearchRequest } from '../../../../../../src/plugins/data/common';
 import { ESQuery } from '../../typed_json';
-import { Ecs } from '../../ecs';
 import {
-  CursorType,
-  Maybe,
-  TimerangeInput,
-  DocValueFields,
-  PaginationInput,
-  PaginationInputPaginated,
-  SortField,
-} from '../common';
-import { TimelineDetailsRequestOptions, TimelineDetailsStrategyResponse } from './details';
-
-export * from './details';
+  TimelineEventsQueries,
+  TimelineEventsAllRequestOptions,
+  TimelineEventsAllStrategyResponse,
+  TimelineEventsDetailsRequestOptions,
+  TimelineEventsDetailsStrategyResponse,
+  TimelineEventsLastEventTimeRequestOptions,
+  TimelineEventsLastEventTimeStrategyResponse,
+} from './events';
+import { DocValueFields, TimerangeInput, SortField } from '../common';
 
-export enum TimelineQueries {
-  details = 'details',
-}
+export * from './events';
 
-export type TimelineFactoryQueryTypes = TimelineQueries;
-
-export interface TimelineEdges {
-  node: TimelineItem;
-  cursor: CursorType;
-}
-
-export interface TimelineItem {
-  _id: string;
-  _index?: Maybe<string>;
-  data: TimelineNonEcsData[];
-  ecs: Ecs;
-}
-
-export interface TimelineNonEcsData {
-  field: string;
-  value?: Maybe<string[] | string>;
-}
+export type TimelineFactoryQueryTypes = TimelineEventsQueries;
 
 export interface TimelineRequestBasicOptions extends IEsSearchRequest {
   timerange: TimerangeInput;
@@ -51,20 +28,39 @@ export interface TimelineRequestBasicOptions extends IEsSearchRequest {
   factoryQueryType?: TimelineFactoryQueryTypes;
 }
 
-export interface TimelineRequestOptions extends TimelineRequestBasicOptions {
-  pagination: PaginationInput;
-  sortField?: SortField;
+export interface TimelineRequestOptions<Field = string> extends TimelineRequestBasicOptions {
+  pagination: {
+    activePage: number;
+    querySize: number;
+  };
+  sort: SortField<Field>;
 }
 
-export interface TimelineRequestOptionsPaginated extends TimelineRequestBasicOptions {
-  pagination: PaginationInputPaginated;
-  sortField?: SortField;
+export interface TimelineRequestOptionsPaginated<Field = string>
+  extends TimelineRequestBasicOptions {
+  pagination: {
+    activePage: number;
+    querySize: number;
+  };
+  sort: SortField<Field>;
 }
 
 export type TimelineStrategyResponseType<
   T extends TimelineFactoryQueryTypes
-> = T extends TimelineQueries.details ? TimelineDetailsStrategyResponse : never;
+> = T extends TimelineEventsQueries.all
+  ? TimelineEventsAllStrategyResponse
+  : T extends TimelineEventsQueries.details
+  ? TimelineEventsDetailsStrategyResponse
+  : T extends TimelineEventsQueries.lastEventTime
+  ? TimelineEventsLastEventTimeStrategyResponse
+  : never;
 
 export type TimelineStrategyRequestType<
   T extends TimelineFactoryQueryTypes
-> = T extends TimelineQueries.details ? TimelineDetailsRequestOptions : never;
+> = T extends TimelineEventsQueries.all
+  ? TimelineEventsAllRequestOptions
+  : T extends TimelineEventsQueries.details
+  ? TimelineEventsDetailsRequestOptions
+  : T extends TimelineEventsQueries.lastEventTime
+  ? TimelineEventsLastEventTimeRequestOptions
+  : never;
diff --git a/x-pack/plugins/security_solution/public/common/components/alerts_viewer/translations.ts b/x-pack/plugins/security_solution/public/common/components/alerts_viewer/translations.ts
index b1ab509417fe5..980ec89f524bc 100644
--- a/x-pack/plugins/security_solution/public/common/components/alerts_viewer/translations.ts
+++ b/x-pack/plugins/security_solution/public/common/components/alerts_viewer/translations.ts
@@ -16,7 +16,7 @@ export const ALERTS_DOCUMENT_TYPE = i18n.translate(
 export const TOTAL_COUNT_OF_ALERTS = i18n.translate(
   'xpack.securitySolution.alertsView.totalCountOfAlerts',
   {
-    defaultMessage: 'external alerts match the search criteria',
+    defaultMessage: 'external alerts',
   }
 );
 
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/event_details.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/event_details.tsx
index 8068d51a80153..074e6faf80c7d 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/event_details.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/event_details.tsx
@@ -9,7 +9,7 @@ import React, { useMemo } from 'react';
 import styled from 'styled-components';
 
 import { BrowserFields } from '../../containers/source';
-import { DetailItem } from '../../../../common/search_strategy/timeline';
+import { TimelineEventsDetailsItem } from '../../../../common/search_strategy/timeline';
 import { ColumnHeaderOptions } from '../../../timelines/store/timeline/model';
 import { OnUpdateColumns } from '../../../timelines/components/timeline/events';
 import { EventFieldsBrowser } from './event_fields_browser';
@@ -28,7 +28,7 @@ CollapseLink.displayName = 'CollapseLink';
 interface Props {
   browserFields: BrowserFields;
   columnHeaders: ColumnHeaderOptions[];
-  data: DetailItem[];
+  data: TimelineEventsDetailsItem[];
   id: string;
   view: View;
   onEventToggled: () => void;
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/event_fields_browser.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/event_fields_browser.tsx
index 9737a09c89f49..79250ae9bec52 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/event_fields_browser.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/event_fields_browser.tsx
@@ -10,7 +10,7 @@ import React, { useMemo } from 'react';
 
 import { ColumnHeaderOptions } from '../../../timelines/store/timeline/model';
 import { BrowserFields, getAllFieldsByName } from '../../containers/source';
-import { DetailItem } from '../../../../common/search_strategy/timeline';
+import { TimelineEventsDetailsItem } from '../../../../common/search_strategy/timeline';
 import { OnUpdateColumns } from '../../../timelines/components/timeline/events';
 
 import { getColumns } from './columns';
@@ -19,7 +19,7 @@ import { search } from './helpers';
 interface Props {
   browserFields: BrowserFields;
   columnHeaders: ColumnHeaderOptions[];
-  data: DetailItem[];
+  data: TimelineEventsDetailsItem[];
   eventId: string;
   onUpdateColumns: OnUpdateColumns;
   timelineId: string;
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/stateful_event_details.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/stateful_event_details.tsx
index f4028c988acb8..bb74935d5703e 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/stateful_event_details.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/stateful_event_details.tsx
@@ -7,7 +7,7 @@
 import React, { useCallback, useState } from 'react';
 
 import { BrowserFields } from '../../containers/source';
-import { DetailItem } from '../../../../common/search_strategy/timeline';
+import { TimelineEventsDetailsItem } from '../../../../common/search_strategy/timeline';
 import { ColumnHeaderOptions } from '../../../timelines/store/timeline/model';
 import { OnUpdateColumns } from '../../../timelines/components/timeline/events';
 
@@ -16,7 +16,7 @@ import { EventDetails, View } from './event_details';
 interface Props {
   browserFields: BrowserFields;
   columnHeaders: ColumnHeaderOptions[];
-  data: DetailItem[];
+  data: TimelineEventsDetailsItem[];
   id: string;
   onEventToggled: () => void;
   onUpdateColumns: OnUpdateColumns;
diff --git a/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.test.tsx b/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.test.tsx
index 833688ae57993..037655f594241 100644
--- a/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.test.tsx
@@ -5,7 +5,6 @@
  */
 
 import React from 'react';
-import { MockedProvider } from 'react-apollo/test-utils';
 import useResizeObserver from 'use-resize-observer/polyfilled';
 
 import '../../mock/match_media';
@@ -26,6 +25,11 @@ import { TimelineId } from '../../../../common/types/timeline';
 import { KqlMode } from '../../../timelines/store/timeline/model';
 import { SortDirection } from '../../../timelines/components/timeline/body/sort';
 import { AlertsTableFilterGroup } from '../../../detections/components/alerts_table/alerts_filter_group';
+import { useTimelineEvents } from '../../../timelines/containers';
+
+jest.mock('../../../timelines/containers', () => ({
+  useTimelineEvents: jest.fn(),
+}));
 
 jest.mock('../../components/url_state/normalize_time_range.ts');
 
@@ -83,20 +87,19 @@ describe('EventsViewer', () => {
   const mount = useMountAppended();
 
   beforeEach(() => {
+    (useTimelineEvents as jest.Mock).mockReturnValue([false, mockEventViewerResponse]);
     mockUseFetchIndexPatterns.mockImplementation(() => [{ ...defaultMocks }]);
   });
 
   test('it renders the "Showing..." subtitle with the expected event count', async () => {
     const wrapper = mount(
       <TestProviders>
-        <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-          <StatefulEventsViewer
-            defaultModel={eventsDefaultModel}
-            end={to}
-            id={'test-stateful-events-viewer'}
-            start={from}
-          />
-        </MockedProvider>
+        <StatefulEventsViewer
+          defaultModel={eventsDefaultModel}
+          end={to}
+          id={'test-stateful-events-viewer'}
+          start={from}
+        />
       </TestProviders>
     );
 
@@ -114,14 +117,12 @@ describe('EventsViewer', () => {
 
     const wrapper = mount(
       <TestProviders>
-        <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-          <StatefulEventsViewer
-            defaultModel={eventsDefaultModel}
-            end={to}
-            id={'test-stateful-events-viewer'}
-            start={from}
-          />
-        </MockedProvider>
+        <StatefulEventsViewer
+          defaultModel={eventsDefaultModel}
+          end={to}
+          id={'test-stateful-events-viewer'}
+          start={from}
+        />
       </TestProviders>
     );
 
@@ -139,14 +140,12 @@ describe('EventsViewer', () => {
 
     const wrapper = mount(
       <TestProviders>
-        <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-          <StatefulEventsViewer
-            defaultModel={eventsDefaultModel}
-            end={to}
-            id={'test-stateful-events-viewer'}
-            start={''}
-          />
-        </MockedProvider>
+        <StatefulEventsViewer
+          defaultModel={eventsDefaultModel}
+          end={to}
+          id={'test-stateful-events-viewer'}
+          start={''}
+        />
       </TestProviders>
     );
 
@@ -164,14 +163,12 @@ describe('EventsViewer', () => {
 
     const wrapper = mount(
       <TestProviders>
-        <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-          <StatefulEventsViewer
-            defaultModel={eventsDefaultModel}
-            end={''}
-            id={'test-stateful-events-viewer'}
-            start={from}
-          />
-        </MockedProvider>
+        <StatefulEventsViewer
+          defaultModel={eventsDefaultModel}
+          end={''}
+          id={'test-stateful-events-viewer'}
+          start={from}
+        />
       </TestProviders>
     );
 
@@ -187,14 +184,12 @@ describe('EventsViewer', () => {
   test('it renders the Fields Browser as a settings gear', async () => {
     const wrapper = mount(
       <TestProviders>
-        <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-          <StatefulEventsViewer
-            defaultModel={eventsDefaultModel}
-            end={to}
-            id={'test-stateful-events-viewer'}
-            start={from}
-          />
-        </MockedProvider>
+        <StatefulEventsViewer
+          defaultModel={eventsDefaultModel}
+          end={to}
+          id={'test-stateful-events-viewer'}
+          start={from}
+        />
       </TestProviders>
     );
 
@@ -208,21 +203,19 @@ describe('EventsViewer', () => {
   test('it renders the footer containing the Load More button', async () => {
     const wrapper = mount(
       <TestProviders>
-        <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-          <StatefulEventsViewer
-            defaultModel={eventsDefaultModel}
-            end={to}
-            id={'test-stateful-events-viewer'}
-            start={from}
-          />
-        </MockedProvider>
+        <StatefulEventsViewer
+          defaultModel={eventsDefaultModel}
+          end={to}
+          id={'test-stateful-events-viewer'}
+          start={from}
+        />
       </TestProviders>
     );
 
     await waitFor(() => {
       wrapper.update();
 
-      expect(wrapper.find(`[data-test-subj="TimelineMoreButton"]`).first().exists()).toBe(true);
+      expect(wrapper.find(`[data-test-subj="timeline-pagination"]`).first().exists()).toBe(true);
     });
   });
 
@@ -230,14 +223,12 @@ describe('EventsViewer', () => {
     test(`it renders the ${header.id} default EventsViewer column header`, async () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-            <StatefulEventsViewer
-              defaultModel={eventsDefaultModel}
-              end={to}
-              id={'test-stateful-events-viewer'}
-              start={from}
-            />
-          </MockedProvider>
+          <StatefulEventsViewer
+            defaultModel={eventsDefaultModel}
+            end={to}
+            id={'test-stateful-events-viewer'}
+            start={from}
+          />
         </TestProviders>
       );
 
@@ -257,13 +248,11 @@ describe('EventsViewer', () => {
     test('it renders the provided headerFilterGroup', async () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-            <EventsViewer
-              {...eventsViewerDefaultProps}
-              graphEventId={undefined}
-              headerFilterGroup={<AlertsTableFilterGroup onFilterGroupChanged={jest.fn()} />}
-            />
-          </MockedProvider>
+          <EventsViewer
+            {...eventsViewerDefaultProps}
+            graphEventId={undefined}
+            headerFilterGroup={<AlertsTableFilterGroup onFilterGroupChanged={jest.fn()} />}
+          />
         </TestProviders>
       );
 
@@ -277,13 +266,11 @@ describe('EventsViewer', () => {
     test('it has a visible HeaderFilterGroupWrapper when Resolver is NOT showing, because graphEventId is undefined', async () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-            <EventsViewer
-              {...eventsViewerDefaultProps}
-              graphEventId={undefined}
-              headerFilterGroup={<AlertsTableFilterGroup onFilterGroupChanged={jest.fn()} />}
-            />
-          </MockedProvider>
+          <EventsViewer
+            {...eventsViewerDefaultProps}
+            graphEventId={undefined}
+            headerFilterGroup={<AlertsTableFilterGroup onFilterGroupChanged={jest.fn()} />}
+          />
         </TestProviders>
       );
 
@@ -299,13 +286,11 @@ describe('EventsViewer', () => {
     test('it has a visible HeaderFilterGroupWrapper when Resolver is NOT showing, because graphEventId is an empty string', async () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-            <EventsViewer
-              {...eventsViewerDefaultProps}
-              graphEventId=""
-              headerFilterGroup={<AlertsTableFilterGroup onFilterGroupChanged={jest.fn()} />}
-            />
-          </MockedProvider>
+          <EventsViewer
+            {...eventsViewerDefaultProps}
+            graphEventId=""
+            headerFilterGroup={<AlertsTableFilterGroup onFilterGroupChanged={jest.fn()} />}
+          />
         </TestProviders>
       );
 
@@ -321,13 +306,11 @@ describe('EventsViewer', () => {
     test('it does NOT have a visible HeaderFilterGroupWrapper when Resolver is showing, because graphEventId is a valid id', async () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-            <EventsViewer
-              {...eventsViewerDefaultProps}
-              graphEventId="a valid id"
-              headerFilterGroup={<AlertsTableFilterGroup onFilterGroupChanged={jest.fn()} />}
-            />
-          </MockedProvider>
+          <EventsViewer
+            {...eventsViewerDefaultProps}
+            graphEventId="a valid id"
+            headerFilterGroup={<AlertsTableFilterGroup onFilterGroupChanged={jest.fn()} />}
+          />
         </TestProviders>
       );
 
@@ -343,13 +326,11 @@ describe('EventsViewer', () => {
     test('it (still) renders an invisible headerFilterGroup (to maintain state while hidden) when Resolver is showing, because graphEventId is a valid id', async () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-            <EventsViewer
-              {...eventsViewerDefaultProps}
-              graphEventId="a valid id"
-              headerFilterGroup={<AlertsTableFilterGroup onFilterGroupChanged={jest.fn()} />}
-            />
-          </MockedProvider>
+          <EventsViewer
+            {...eventsViewerDefaultProps}
+            graphEventId="a valid id"
+            headerFilterGroup={<AlertsTableFilterGroup onFilterGroupChanged={jest.fn()} />}
+          />
         </TestProviders>
       );
 
@@ -365,9 +346,7 @@ describe('EventsViewer', () => {
     test('it renders the provided utilityBar when Resolver is NOT showing, because graphEventId is undefined', async () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-            <EventsViewer {...eventsViewerDefaultProps} graphEventId={undefined} />
-          </MockedProvider>
+          <EventsViewer {...eventsViewerDefaultProps} graphEventId={undefined} />
         </TestProviders>
       );
 
@@ -381,9 +360,7 @@ describe('EventsViewer', () => {
     test('it renders the provided utilityBar when Resolver is NOT showing, because graphEventId is an empty string', async () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-            <EventsViewer {...eventsViewerDefaultProps} graphEventId="" />
-          </MockedProvider>
+          <EventsViewer {...eventsViewerDefaultProps} graphEventId="" />
         </TestProviders>
       );
 
@@ -397,9 +374,7 @@ describe('EventsViewer', () => {
     test('it does NOT render the provided utilityBar when Resolver is showing, because graphEventId is a valid id', async () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-            <EventsViewer {...eventsViewerDefaultProps} graphEventId="a valid id" />
-          </MockedProvider>
+          <EventsViewer {...eventsViewerDefaultProps} graphEventId="a valid id" />
         </TestProviders>
       );
 
@@ -415,9 +390,7 @@ describe('EventsViewer', () => {
     test('it renders the inspect button when Resolver is NOT showing, because graphEventId is undefined', async () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-            <EventsViewer {...eventsViewerDefaultProps} graphEventId={undefined} />
-          </MockedProvider>
+          <EventsViewer {...eventsViewerDefaultProps} graphEventId={undefined} />
         </TestProviders>
       );
 
@@ -431,9 +404,7 @@ describe('EventsViewer', () => {
     test('it renders the inspect button when Resolver is NOT showing, because graphEventId is an empty string', async () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-            <EventsViewer {...eventsViewerDefaultProps} graphEventId="" />
-          </MockedProvider>
+          <EventsViewer {...eventsViewerDefaultProps} graphEventId="" />
         </TestProviders>
       );
 
@@ -447,9 +418,7 @@ describe('EventsViewer', () => {
     test('it does NOT render the inspect button when Resolver is showing, because graphEventId is a valid id', async () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-            <EventsViewer {...eventsViewerDefaultProps} graphEventId="a valid id" />
-          </MockedProvider>
+          <EventsViewer {...eventsViewerDefaultProps} graphEventId="a valid id" />
         </TestProviders>
       );
 
diff --git a/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.tsx b/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.tsx
index 3d193856a8ae4..2998bd031d674 100644
--- a/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.tsx
@@ -10,9 +10,9 @@ import React, { useEffect, useMemo, useState } from 'react';
 import styled from 'styled-components';
 import deepEqual from 'fast-deep-equal';
 
+import { Direction } from '../../../../common/search_strategy';
 import { BrowserFields, DocValueFields } from '../../containers/source';
-import { TimelineQuery } from '../../../timelines/containers';
-import { Direction } from '../../../graphql/types';
+import { useTimelineEvents } from '../../../timelines/containers';
 import { useKibana } from '../../lib/kibana';
 import { ColumnHeaderOptions, KqlMode } from '../../../timelines/store/timeline/model';
 import { HeaderSection } from '../header_section';
@@ -196,14 +196,51 @@ const EventsViewerComponent: React.FC<Props> = ({
       ),
     [columnsHeader, queryFields]
   );
+
   const sortField = useMemo(
     () => ({
-      sortFieldId: sort.columnId,
+      field: sort.columnId,
       direction: sort.sortDirection as Direction,
     }),
     [sort.columnId, sort.sortDirection]
   );
 
+  const [
+    loading,
+    { events, updatedAt, inspect, loadPage, pageInfo, refetch, totalCount = 0 },
+  ] = useTimelineEvents({
+    docValueFields,
+    fields,
+    filterQuery: combinedQueries!.filterQuery,
+    id,
+    indexPattern,
+    limit: itemsPerPage,
+    sort: sortField,
+    startDate: start,
+    endDate: end,
+    skip: !canQueryTimeline,
+  });
+
+  const totalCountMinusDeleted = useMemo(
+    () => (totalCount > 0 ? totalCount - deletedEventIds.length : 0),
+    [deletedEventIds.length, totalCount]
+  );
+
+  const subtitle = useMemo(
+    () =>
+      `${i18n.SHOWING}: ${totalCountMinusDeleted.toLocaleString()} ${unit(totalCountMinusDeleted)}`,
+    [totalCountMinusDeleted, unit]
+  );
+
+  const nonDeletedEvents = useMemo(() => events.filter((e) => !deletedEventIds.includes(e._id)), [
+    deletedEventIds,
+    events,
+  ]);
+
+  useEffect(() => {
+    setIsQueryLoading(loading);
+  }, [loading]);
+
   return (
     <StyledEuiPanel
       data-test-subj="events-viewer-panel"
@@ -211,104 +248,68 @@ const EventsViewerComponent: React.FC<Props> = ({
     >
       {canQueryTimeline ? (
         <EventDetailsWidthProvider>
-          <TimelineQuery
-            docValueFields={docValueFields}
-            fields={fields}
-            filterQuery={combinedQueries!.filterQuery}
-            id={id}
-            indexPattern={indexPattern}
-            limit={itemsPerPage}
-            sortField={sortField}
-            sourceId="default"
-            startDate={start}
-            endDate={end}
-            queryDeduplication="events_viewer"
-          >
-            {({
-              events,
-              getUpdatedAt,
-              inspect,
-              loading,
-              loadMore,
-              pageInfo,
-              refetch,
-              totalCount = 0,
-            }) => {
-              setIsQueryLoading(loading);
-              const totalCountMinusDeleted =
-                totalCount > 0 ? totalCount - deletedEventIds.length : 0;
-
-              const subtitle = `${i18n.SHOWING}: ${totalCountMinusDeleted.toLocaleString()} ${unit(
-                totalCountMinusDeleted
-              )}`;
-
-              return (
-                <>
-                  <HeaderSection
-                    id={!resolverIsShowing(graphEventId) ? id : undefined}
-                    height={headerFilterGroup ? COMPACT_HEADER_HEIGHT : EVENTS_VIEWER_HEADER_HEIGHT}
-                    subtitle={utilityBar ? undefined : subtitle}
-                    title={inspect ? justTitle : titleWithExitFullScreen}
-                  >
-                    {headerFilterGroup && (
-                      <HeaderFilterGroupWrapper
-                        data-test-subj="header-filter-group-wrapper"
-                        show={!resolverIsShowing(graphEventId)}
-                      >
-                        {headerFilterGroup}
-                      </HeaderFilterGroupWrapper>
-                    )}
-                  </HeaderSection>
-                  {utilityBar && !resolverIsShowing(graphEventId) && (
-                    <UtilityBar>{utilityBar?.(refetch, totalCountMinusDeleted)}</UtilityBar>
-                  )}
-                  <EventsContainerLoading data-test-subj={`events-container-loading-${loading}`}>
-                    <TimelineRefetch
-                      id={id}
-                      inputId="global"
-                      inspect={inspect}
-                      loading={loading}
-                      refetch={refetch}
-                    />
+          <>
+            <HeaderSection
+              id={!resolverIsShowing(graphEventId) ? id : undefined}
+              height={headerFilterGroup ? COMPACT_HEADER_HEIGHT : EVENTS_VIEWER_HEADER_HEIGHT}
+              subtitle={utilityBar ? undefined : subtitle}
+              title={inspect ? justTitle : titleWithExitFullScreen}
+            >
+              {headerFilterGroup && (
+                <HeaderFilterGroupWrapper
+                  data-test-subj="header-filter-group-wrapper"
+                  show={!resolverIsShowing(graphEventId)}
+                >
+                  {headerFilterGroup}
+                </HeaderFilterGroupWrapper>
+              )}
+            </HeaderSection>
+            {utilityBar && !resolverIsShowing(graphEventId) && (
+              <UtilityBar>{utilityBar?.(refetch, totalCountMinusDeleted)}</UtilityBar>
+            )}
+            <EventsContainerLoading data-test-subj={`events-container-loading-${loading}`}>
+              <TimelineRefetch
+                id={id}
+                inputId="global"
+                inspect={inspect}
+                loading={loading}
+                refetch={refetch}
+              />
 
-                    <StatefulBody
-                      browserFields={browserFields}
-                      data={events.filter((e) => !deletedEventIds.includes(e._id))}
-                      docValueFields={docValueFields}
-                      id={id}
-                      isEventViewer={true}
-                      refetch={refetch}
-                      sort={sort}
-                      toggleColumn={toggleColumn}
-                    />
+              <StatefulBody
+                browserFields={browserFields}
+                data={nonDeletedEvents}
+                docValueFields={docValueFields}
+                id={id}
+                isEventViewer={true}
+                refetch={refetch}
+                sort={sort}
+                toggleColumn={toggleColumn}
+              />
 
-                    {
-                      /** Hide the footer if Resolver is showing. */
-                      !graphEventId && (
-                        <Footer
-                          data-test-subj="events-viewer-footer"
-                          getUpdatedAt={getUpdatedAt}
-                          hasNextPage={getOr(false, 'hasNextPage', pageInfo)!}
-                          height={footerHeight}
-                          id={id}
-                          isLive={isLive}
-                          isLoading={loading}
-                          itemsCount={events.length}
-                          itemsPerPage={itemsPerPage}
-                          itemsPerPageOptions={itemsPerPageOptions}
-                          onChangeItemsPerPage={onChangeItemsPerPage}
-                          onLoadMore={loadMore}
-                          nextCursor={getOr(null, 'endCursor.value', pageInfo)!}
-                          serverSideEventCount={totalCountMinusDeleted}
-                          tieBreaker={getOr(null, 'endCursor.tiebreaker', pageInfo)}
-                        />
-                      )
-                    }
-                  </EventsContainerLoading>
-                </>
-              );
-            }}
-          </TimelineQuery>
+              {
+                /** Hide the footer if Resolver is showing. */
+                !graphEventId && (
+                  <Footer
+                    activePage={getOr(0, 'activePage', pageInfo)}
+                    data-test-subj="events-viewer-footer"
+                    updatedAt={updatedAt}
+                    height={footerHeight}
+                    id={id}
+                    isLive={isLive}
+                    isLoading={loading}
+                    itemsCount={nonDeletedEvents.length}
+                    itemsPerPage={itemsPerPage}
+                    itemsPerPageOptions={itemsPerPageOptions}
+                    onChangeItemsPerPage={onChangeItemsPerPage}
+                    onChangePage={loadPage}
+                    serverSideEventCount={totalCountMinusDeleted}
+                    totalPages={getOr(0, 'totalPages', pageInfo)}
+                  />
+                )
+              }
+            </EventsContainerLoading>
+          </>
         </EventDetailsWidthProvider>
       ) : null}
     </StyledEuiPanel>
diff --git a/x-pack/plugins/security_solution/public/common/components/events_viewer/index.test.tsx b/x-pack/plugins/security_solution/public/common/components/events_viewer/index.test.tsx
index 4509d01e82e25..8c61281422c2a 100644
--- a/x-pack/plugins/security_solution/public/common/components/events_viewer/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/events_viewer/index.test.tsx
@@ -5,7 +5,6 @@
  */
 
 import React from 'react';
-import { MockedProvider } from 'react-apollo/test-utils';
 import useResizeObserver from 'use-resize-observer/polyfilled';
 
 import '../../mock/match_media';
@@ -19,6 +18,11 @@ import { StatefulEventsViewer } from '.';
 import { useFetchIndexPatterns } from '../../../detections/containers/detection_engine/rules/fetch_index_patterns';
 import { mockBrowserFields } from '../../containers/source/mock';
 import { eventsDefaultModel } from './default_model';
+import { useTimelineEvents } from '../../../timelines/containers';
+
+jest.mock('../../../timelines/containers', () => ({
+  useTimelineEvents: jest.fn(),
+}));
 
 jest.mock('../../components/url_state/normalize_time_range.ts');
 
@@ -41,17 +45,17 @@ const to = '2019-08-26T22:10:56.791Z';
 describe('StatefulEventsViewer', () => {
   const mount = useMountAppended();
 
+  (useTimelineEvents as jest.Mock).mockReturnValue([false, mockEventViewerResponse]);
+
   test('it renders the events viewer', async () => {
     const wrapper = mount(
       <TestProviders>
-        <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-          <StatefulEventsViewer
-            defaultModel={eventsDefaultModel}
-            end={to}
-            id={'test-stateful-events-viewer'}
-            start={from}
-          />
-        </MockedProvider>
+        <StatefulEventsViewer
+          defaultModel={eventsDefaultModel}
+          end={to}
+          id={'test-stateful-events-viewer'}
+          start={from}
+        />
       </TestProviders>
     );
 
@@ -66,14 +70,12 @@ describe('StatefulEventsViewer', () => {
   test('it renders InspectButtonContainer', async () => {
     const wrapper = mount(
       <TestProviders>
-        <MockedProvider mocks={mockEventViewerResponse} addTypename={false}>
-          <StatefulEventsViewer
-            defaultModel={eventsDefaultModel}
-            end={to}
-            id={'test-stateful-events-viewer'}
-            start={from}
-          />
-        </MockedProvider>
+        <StatefulEventsViewer
+          defaultModel={eventsDefaultModel}
+          end={to}
+          id={'test-stateful-events-viewer'}
+          start={from}
+        />
       </TestProviders>
     );
 
diff --git a/x-pack/plugins/security_solution/public/common/components/events_viewer/mock.ts b/x-pack/plugins/security_solution/public/common/components/events_viewer/mock.ts
index 6266e84051901..f6fb01be4371f 100644
--- a/x-pack/plugins/security_solution/public/common/components/events_viewer/mock.ts
+++ b/x-pack/plugins/security_solution/public/common/components/events_viewer/mock.ts
@@ -4,65 +4,11 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { noop } from 'lodash/fp';
-import { timelineQuery } from '../../../timelines/containers/index.gql_query';
-
-export const mockEventViewerResponse = [
-  {
-    request: {
-      query: timelineQuery,
-      fetchPolicy: 'network-only',
-      notifyOnNetworkStatusChange: true,
-      variables: {
-        fieldRequested: [
-          '@timestamp',
-          'message',
-          'host.name',
-          'event.module',
-          'event.dataset',
-          'event.action',
-          'user.name',
-          'source.ip',
-          'destination.ip',
-        ],
-        filterQuery: '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
-        sourceId: 'default',
-        timerange: {
-          interval: '12h',
-          from: '2019-08-26T22:10:56.791Z',
-          to: '2019-08-27T22:10:56.794Z',
-        },
-        pagination: { limit: 25, cursor: null, tiebreaker: null },
-        sortField: { sortFieldId: '@timestamp', direction: 'desc' },
-        defaultIndex: ['filebeat-*', 'auditbeat-*', 'packetbeat-*'],
-        docValueFields: [
-          { field: '@timestamp', format: 'date_time' },
-          { field: 'event.end', format: 'date_time' },
-        ],
-        inspect: false,
-        queryDeduplication: 'events_viewer',
-      },
-    },
-    result: {
-      loading: false,
-      fetchMore: noop,
-      refetch: noop,
-      data: {
-        source: {
-          id: 'default',
-          Timeline: {
-            totalCount: 12,
-            pageInfo: {
-              endCursor: null,
-              hasNextPage: true,
-              __typename: 'PageInfo',
-            },
-            edges: [],
-            __typename: 'TimelineData',
-          },
-          __typename: 'Source',
-        },
-      },
-    },
+export const mockEventViewerResponse = {
+  totalCount: 12,
+  pageInfo: {
+    activePage: 0,
+    totalPages: 10,
   },
-];
+  events: [],
+};
diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_modal/index.test.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_modal/index.test.tsx
index cef92ce2a7817..691a7d99d9345 100644
--- a/x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_modal/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_modal/index.test.tsx
@@ -18,7 +18,8 @@ import { stubIndexPattern } from 'src/plugins/data/common/index_patterns/index_p
 import { useAddOrUpdateException } from '../use_add_exception';
 import { useFetchOrCreateRuleExceptionList } from '../use_fetch_or_create_rule_exception_list';
 import { useSignalIndex } from '../../../../detections/containers/detection_engine/alerts/use_signal_index';
-import { TimelineNonEcsData, Ecs } from '../../../../graphql/types';
+import { Ecs } from '../../../../../common/ecs';
+import { TimelineNonEcsData } from '../../../../../common/search_strategy/timeline';
 import * as builder from '../builder';
 import * as helpers from '../helpers';
 import { getExceptionListItemSchemaMock } from '../../../../../../lists/common/schemas/response/exception_list_item_schema.mock';
diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_modal/index.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_modal/index.tsx
index c1befabdd7809..ccefbbd287dae 100644
--- a/x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_modal/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_modal/index.tsx
@@ -29,7 +29,8 @@ import {
 import * as i18nCommon from '../../../translations';
 import * as i18n from './translations';
 import * as sharedI18n from '../translations';
-import { TimelineNonEcsData, Ecs } from '../../../../graphql/types';
+import { Ecs } from '../../../../../common/ecs';
+import { TimelineNonEcsData } from '../../../../../common/search_strategy/timeline';
 import { useAppToasts } from '../../../hooks/use_app_toasts';
 import { useKibana } from '../../../lib/kibana';
 import { ExceptionBuilderComponent } from '../builder';
diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx
index 18d2130dd3811..3c3c71a2b33e7 100644
--- a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx
@@ -38,7 +38,7 @@ import {
 } from '../../../shared_imports';
 import { IIndexPattern } from '../../../../../../../src/plugins/data/common';
 import { validate } from '../../../../common/validate';
-import { TimelineNonEcsData } from '../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../common/search_strategy/timeline';
 import { WithCopyToClipboard } from '../../lib/clipboard/with_copy_to_clipboard';
 
 /**
diff --git a/x-pack/plugins/security_solution/public/common/components/last_event_time/index.test.tsx b/x-pack/plugins/security_solution/public/common/components/last_event_time/index.test.tsx
index 2f0060c91668b..9473ba67a1c4f 100644
--- a/x-pack/plugins/security_solution/public/common/components/last_event_time/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/last_event_time/index.test.tsx
@@ -11,29 +11,30 @@ import { LastEventIndexKey } from '../../../graphql/types';
 import { mockLastEventTimeQuery } from '../../containers/events/last_event_time/mock';
 
 import { useMountAppended } from '../../utils/use_mount_appended';
-import { useLastEventTimeQuery } from '../../containers/events/last_event_time';
+import { useTimelineLastEventTime } from '../../containers/events/last_event_time';
 import { TestProviders } from '../../mock';
 
 import { LastEventTime } from '.';
 
-const mockUseLastEventTimeQuery: jest.Mock = useLastEventTimeQuery as jest.Mock;
 jest.mock('../../containers/events/last_event_time', () => ({
-  useLastEventTimeQuery: jest.fn(),
+  useTimelineLastEventTime: jest.fn(),
 }));
 
 describe('Last Event Time Stat', () => {
   const mount = useMountAppended();
 
   beforeEach(() => {
-    mockUseLastEventTimeQuery.mockReset();
+    (useTimelineLastEventTime as jest.Mock).mockReset();
   });
 
   test('Loading', async () => {
-    mockUseLastEventTimeQuery.mockImplementation(() => ({
-      loading: true,
-      lastSeen: null,
-      errorMessage: null,
-    }));
+    (useTimelineLastEventTime as jest.Mock).mockReturnValue([
+      true,
+      {
+        lastSeen: null,
+        errorMessage: null,
+      },
+    ]);
     const wrapper = mount(
       <TestProviders>
         <LastEventTime indexKey={LastEventIndexKey.hosts} />
@@ -44,11 +45,13 @@ describe('Last Event Time Stat', () => {
     );
   });
   test('Last seen', async () => {
-    mockUseLastEventTimeQuery.mockImplementation(() => ({
-      loading: false,
-      lastSeen: mockLastEventTimeQuery[0].result.data!.source.LastEventTime.lastSeen,
-      errorMessage: mockLastEventTimeQuery[0].result.data!.source.LastEventTime.errorMessage,
-    }));
+    (useTimelineLastEventTime as jest.Mock).mockReturnValue([
+      false,
+      {
+        lastSeen: mockLastEventTimeQuery[0].result.data!.source.LastEventTime.lastSeen,
+        errorMessage: mockLastEventTimeQuery[0].result.data!.source.LastEventTime.errorMessage,
+      },
+    ]);
     const wrapper = mount(
       <TestProviders>
         <LastEventTime indexKey={LastEventIndexKey.hosts} />
@@ -57,11 +60,13 @@ describe('Last Event Time Stat', () => {
     expect(wrapper.html()).toBe('Last event: <span class="euiToolTipAnchor">12 minutes ago</span>');
   });
   test('Bad date time string', async () => {
-    mockUseLastEventTimeQuery.mockImplementation(() => ({
-      loading: false,
-      lastSeen: 'something-invalid',
-      errorMessage: mockLastEventTimeQuery[0].result.data!.source.LastEventTime.errorMessage,
-    }));
+    (useTimelineLastEventTime as jest.Mock).mockReturnValue([
+      false,
+      {
+        lastSeen: 'something-invalid',
+        errorMessage: mockLastEventTimeQuery[0].result.data!.source.LastEventTime.errorMessage,
+      },
+    ]);
     const wrapper = mount(
       <TestProviders>
         <LastEventTime indexKey={LastEventIndexKey.hosts} />
@@ -71,11 +76,13 @@ describe('Last Event Time Stat', () => {
     expect(wrapper.html()).toBe('something-invalid');
   });
   test('Null time string', async () => {
-    mockUseLastEventTimeQuery.mockImplementation(() => ({
-      loading: false,
-      lastSeen: null,
-      errorMessage: mockLastEventTimeQuery[0].result.data!.source.LastEventTime.errorMessage,
-    }));
+    (useTimelineLastEventTime as jest.Mock).mockReturnValue([
+      false,
+      {
+        lastSeen: null,
+        errorMessage: mockLastEventTimeQuery[0].result.data!.source.LastEventTime.errorMessage,
+      },
+    ]);
     const wrapper = mount(
       <TestProviders>
         <LastEventTime indexKey={LastEventIndexKey.hosts} />
diff --git a/x-pack/plugins/security_solution/public/common/components/last_event_time/index.tsx b/x-pack/plugins/security_solution/public/common/components/last_event_time/index.tsx
index 35a891c21aa8a..e9e8e7a03017c 100644
--- a/x-pack/plugins/security_solution/public/common/components/last_event_time/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/last_event_time/index.tsx
@@ -9,7 +9,7 @@ import { FormattedMessage } from '@kbn/i18n/react';
 import React, { memo } from 'react';
 
 import { LastEventIndexKey } from '../../../graphql/types';
-import { useLastEventTimeQuery } from '../../containers/events/last_event_time';
+import { useTimelineLastEventTime } from '../../containers/events/last_event_time';
 import { getEmptyTagValue } from '../empty_value';
 import { FormattedRelativePreferenceDate } from '../formatted_date';
 
@@ -20,11 +20,13 @@ export interface LastEventTimeProps {
 }
 
 export const LastEventTime = memo<LastEventTimeProps>(({ hostName, indexKey, ip }) => {
-  const { loading, lastSeen, errorMessage } = useLastEventTimeQuery(
+  const [loading, { lastSeen, errorMessage }] = useTimelineLastEventTime({
     indexKey,
-    { hostName, ip },
-    'default'
-  );
+    details: {
+      hostName,
+      ip,
+    },
+  });
 
   if (errorMessage != null) {
     return (
diff --git a/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/index.ts b/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/index.ts
index 00b78c3a96550..d70762615818b 100644
--- a/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/index.ts
+++ b/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/index.ts
@@ -4,92 +4,145 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { get } from 'lodash/fp';
-import React, { useEffect, useState } from 'react';
+import deepEqual from 'fast-deep-equal';
+import { noop } from 'lodash/fp';
+import { useCallback, useEffect, useRef, useState } from 'react';
 
 import { DEFAULT_INDEX_KEY } from '../../../../../common/constants';
+import { inputsModel } from '../../../../common/store';
+import { useKibana } from '../../../../common/lib/kibana';
 import {
-  GetLastEventTimeQuery,
-  LastEventIndexKey,
+  TimelineEventsQueries,
+  TimelineEventsLastEventTimeRequestOptions,
+  TimelineEventsLastEventTimeStrategyResponse,
   LastTimeDetails,
-} from '../../../../graphql/types';
-import { inputsModel } from '../../../store';
-import { QueryTemplateProps } from '../../query_template';
-import { useUiSetting$ } from '../../../lib/kibana';
-
-import { LastEventTimeGqlQuery } from './last_event_time.gql_query';
-import { useApolloClient } from '../../../utils/apollo_context';
+  LastEventIndexKey,
+} from '../../../../../common/search_strategy/timeline';
+import { AbortError } from '../../../../../../../../src/plugins/data/common';
 import { useWithSource } from '../../source';
+import * as i18n from './translations';
 
-export interface LastEventTimeArgs {
-  id: string;
-  errorMessage: string;
-  lastSeen: Date;
-  loading: boolean;
+// const ID = 'timelineEventsLastEventTimeQuery';
+
+export interface UseTimelineLastEventTimeArgs {
+  lastSeen: string | null;
   refetch: inputsModel.Refetch;
+  errorMessage?: string;
 }
 
-export interface OwnProps extends QueryTemplateProps {
-  children: (args: LastEventTimeArgs) => React.ReactNode;
+interface UseTimelineLastEventTimeProps {
   indexKey: LastEventIndexKey;
+  details: LastTimeDetails;
 }
 
-export function useLastEventTimeQuery(
-  indexKey: LastEventIndexKey,
-  details: LastTimeDetails,
-  sourceId: string
-) {
-  const [loading, updateLoading] = useState(false);
-  const [lastSeen, updateLastSeen] = useState<number | null>(null);
-  const [errorMessage, updateErrorMessage] = useState<string | null>(null);
-  const [currentIndexKey, updateCurrentIndexKey] = useState<LastEventIndexKey | null>(null);
-  const [defaultIndex] = useUiSetting$<string[]>(DEFAULT_INDEX_KEY);
-  const apolloClient = useApolloClient();
-  const { docValueFields } = useWithSource(sourceId);
+export const useTimelineLastEventTime = ({
+  indexKey,
+  details,
+}: UseTimelineLastEventTimeProps): [boolean, UseTimelineLastEventTimeArgs] => {
+  const { data, notifications, uiSettings } = useKibana().services;
+  const { docValueFields } = useWithSource('default');
+  const refetch = useRef<inputsModel.Refetch>(noop);
+  const abortCtrl = useRef(new AbortController());
+  const defaultIndex = uiSettings.get<string[]>(DEFAULT_INDEX_KEY);
+  const [loading, setLoading] = useState(false);
+  const [TimelineLastEventTimeRequest, setTimelineLastEventTimeRequest] = useState<
+    TimelineEventsLastEventTimeRequestOptions
+  >({
+    defaultIndex,
+    factoryQueryType: TimelineEventsQueries.lastEventTime,
+    docValueFields,
+    indexKey,
+    details,
+  });
+
+  const [TimelineLastEventTimeResponse, setTimelineLastEventTimeResponse] = useState<
+    UseTimelineLastEventTimeArgs
+  >({
+    lastSeen: null,
+    refetch: refetch.current,
+    errorMessage: undefined,
+  });
 
-  async function fetchLastEventTime(signal: AbortSignal) {
-    updateLoading(true);
-    if (apolloClient) {
-      apolloClient
-        .query<GetLastEventTimeQuery.Query, GetLastEventTimeQuery.Variables>({
-          query: LastEventTimeGqlQuery,
-          fetchPolicy: 'cache-first',
-          variables: {
-            docValueFields,
-            sourceId,
-            indexKey,
-            details,
-            defaultIndex,
-          },
-          context: {
-            fetchOptions: {
-              signal,
+  const timelineLastEventTimeSearch = useCallback(
+    (request: TimelineEventsLastEventTimeRequestOptions) => {
+      let didCancel = false;
+      const asyncSearch = async () => {
+        abortCtrl.current = new AbortController();
+        setLoading(true);
+
+        const searchSubscription$ = data.search
+          .search<
+            TimelineEventsLastEventTimeRequestOptions,
+            TimelineEventsLastEventTimeStrategyResponse
+          >(request, {
+            strategy: 'securitySolutionTimelineSearchStrategy',
+            abortSignal: abortCtrl.current.signal,
+          })
+          .subscribe({
+            next: (response) => {
+              if (!response.isPartial && !response.isRunning) {
+                if (!didCancel) {
+                  setLoading(false);
+                  setTimelineLastEventTimeResponse((prevResponse) => ({
+                    ...prevResponse,
+                    errorMessage: undefined,
+                    lastSeen: response.lastSeen,
+                    refetch: refetch.current,
+                  }));
+                }
+                searchSubscription$.unsubscribe();
+              } else if (response.isPartial && !response.isRunning) {
+                if (!didCancel) {
+                  setLoading(false);
+                }
+                // TODO: Make response error status clearer
+                notifications.toasts.addWarning(i18n.ERROR_LAST_EVENT_TIME);
+                searchSubscription$.unsubscribe();
+              }
+            },
+            error: (msg) => {
+              if (!(msg instanceof AbortError)) {
+                notifications.toasts.addDanger({
+                  title: i18n.FAIL_LAST_EVENT_TIME,
+                  text: msg.message,
+                });
+                setTimelineLastEventTimeResponse((prevResponse) => ({
+                  ...prevResponse,
+                  errorMessage: msg.message,
+                }));
+              }
             },
-          },
-        })
-        .then(
-          (result) => {
-            updateLoading(false);
-            updateLastSeen(get('data.source.LastEventTime.lastSeen', result));
-            updateErrorMessage(null);
-            updateCurrentIndexKey(currentIndexKey);
-          },
-          (error) => {
-            updateLoading(false);
-            updateLastSeen(null);
-            updateErrorMessage(error.message);
-          }
-        );
-    }
-  }
+          });
+      };
+      abortCtrl.current.abort();
+      asyncSearch();
+      refetch.current = asyncSearch;
+      return () => {
+        didCancel = true;
+        abortCtrl.current.abort();
+      };
+    },
+    [data.search, notifications.toasts]
+  );
 
   useEffect(() => {
-    const abortCtrl = new AbortController();
-    const signal = abortCtrl.signal;
-    fetchLastEventTime(signal);
-    return () => abortCtrl.abort();
-    // eslint-disable-next-line react-hooks/exhaustive-deps
-  }, [apolloClient, indexKey, details.hostName, details.ip]);
+    setTimelineLastEventTimeRequest((prevRequest) => {
+      const myRequest = {
+        ...prevRequest,
+        defaultIndex,
+        indexKey,
+        details,
+      };
+      if (!deepEqual(prevRequest, myRequest)) {
+        return myRequest;
+      }
+      return prevRequest;
+    });
+  }, [defaultIndex, details, indexKey]);
 
-  return { lastSeen, loading, errorMessage };
-}
+  useEffect(() => {
+    timelineLastEventTimeSearch(TimelineLastEventTimeRequest);
+  }, [TimelineLastEventTimeRequest, timelineLastEventTimeSearch]);
+
+  return [loading, TimelineLastEventTimeResponse];
+};
diff --git a/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/translations.ts b/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/translations.ts
new file mode 100644
index 0000000000000..1e3cf0d081384
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/common/containers/events/last_event_time/translations.ts
@@ -0,0 +1,21 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { i18n } from '@kbn/i18n';
+
+export const ERROR_LAST_EVENT_TIME = i18n.translate(
+  'xpack.securitySolution.lastEventTime.errorSearchDescription',
+  {
+    defaultMessage: `An error has occurred on last event time search`,
+  }
+);
+
+export const FAIL_LAST_EVENT_TIME = i18n.translate(
+  'xpack.securitySolution.lastEventTime.failSearchDescription',
+  {
+    defaultMessage: `Failed to run search on last event time`,
+  }
+);
diff --git a/x-pack/plugins/security_solution/public/common/mock/mock_ecs.ts b/x-pack/plugins/security_solution/public/common/mock/mock_ecs.ts
index c897da69caba0..168906c6f6193 100644
--- a/x-pack/plugins/security_solution/public/common/mock/mock_ecs.ts
+++ b/x-pack/plugins/security_solution/public/common/mock/mock_ecs.ts
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { Ecs } from '../../graphql/types';
+import { Ecs } from '../../../common/ecs';
 
 export const mockEcsData: Ecs[] = [
   {
@@ -438,11 +438,7 @@ export const mockEcsData: Ecs[] = [
     _id: '14',
     timestamp: '2019-03-07T05:06:51.000Z',
     event: {
-      action: null,
-      severity: null,
       module: ['zeek'],
-      category: null,
-      id: null,
       dataset: ['zeek.connection'],
     },
     host: {
@@ -462,12 +458,9 @@ export const mockEcsData: Ecs[] = [
       region_name: ['New York'],
       country_iso_code: ['US'],
     },
-    suricata: null,
     network: {
       transport: ['tcp'],
     },
-    http: null,
-    url: null,
     zeek: {
       session_id: ['C8DRTq362Fios6hw16'],
       connection: {
@@ -477,22 +470,13 @@ export const mockEcsData: Ecs[] = [
         state: ['REJ'],
         history: ['Sr'],
       },
-      notice: null,
-      dns: null,
-      http: null,
-      files: null,
-      ssl: null,
     },
   },
   {
     _id: '15',
     timestamp: '2019-03-07T00:51:28.000Z',
     event: {
-      action: null,
-      severity: null,
       module: ['zeek'],
-      category: null,
-      id: null,
       dataset: ['zeek.dns'],
     },
     host: {
@@ -512,43 +496,25 @@ export const mockEcsData: Ecs[] = [
       region_name: ['New York'],
       country_iso_code: ['US'],
     },
-    suricata: null,
     network: {
       transport: ['udp'],
     },
-    http: null,
-    url: null,
     zeek: {
       session_id: ['CyIrMA1L1JtLqdIuol'],
-      connection: null,
-      notice: null,
       dns: {
         AA: [false],
-        qclass_name: null,
         RD: [false],
-        qtype_name: null,
-        rejected: null,
-        qtype: null,
-        query: null,
         trans_id: [65252],
-        qclass: null,
         RA: [false],
         TC: [false],
       },
-      http: null,
-      files: null,
-      ssl: null,
     },
   },
   {
     _id: '16',
     timestamp: '2019-03-05T07:00:20.000Z',
     event: {
-      action: null,
-      severity: null,
       module: ['zeek'],
-      category: null,
-      id: null,
       dataset: ['zeek.http'],
     },
     host: {
@@ -568,32 +534,22 @@ export const mockEcsData: Ecs[] = [
       region_name: ['New York'],
       country_iso_code: ['US'],
     },
-    suricata: null,
-    network: null,
     http: {
       version: ['1.1'],
       request: {
-        method: null,
         body: {
           bytes: [0],
-          content: null,
         },
-        referrer: null,
       },
       response: {
         status_code: [302],
         body: {
           bytes: [154],
-          content: null,
         },
       },
     },
-    url: null,
     zeek: {
       session_id: ['CZLkpC22NquQJOpkwe'],
-      connection: null,
-      notice: null,
-      dns: null,
       http: {
         resp_mime_types: ['text/html'],
         trans_depth: ['3'],
@@ -601,19 +557,13 @@ export const mockEcsData: Ecs[] = [
         resp_fuids: ['FzeujEPP7GTHmYPsc'],
         tags: [],
       },
-      files: null,
-      ssl: null,
     },
   },
   {
     _id: '17',
     timestamp: '2019-02-28T22:36:28.000Z',
     event: {
-      action: null,
-      severity: null,
       module: ['zeek'],
-      category: null,
-      id: null,
       dataset: ['zeek.notice'],
     },
     host: {
@@ -623,17 +573,8 @@ export const mockEcsData: Ecs[] = [
     },
     source: {
       ip: ['8.42.77.171'],
-      port: null,
-    },
-    destination: null,
-    geo: null,
-    suricata: null,
-    network: null,
-    http: null,
-    url: null,
+    },
     zeek: {
-      session_id: null,
-      connection: null,
       notice: {
         suppress_for: [3600],
         msg: ['8.42.77.171 scanned at least 15 unique ports of host 207.154.238.205 in 0m0s'],
@@ -643,27 +584,18 @@ export const mockEcsData: Ecs[] = [
         dropped: [false],
         peer_descr: ['bro'],
       },
-      dns: null,
-      http: null,
-      files: null,
-      ssl: null,
     },
   },
   {
     _id: '18',
     timestamp: '2019-02-22T21:12:13.000Z',
     event: {
-      action: null,
-      severity: null,
       module: ['zeek'],
-      category: null,
-      id: null,
       dataset: ['zeek.ssl'],
     },
     host: {
       id: ['2ce8b1e7d69e4a1d9c6bcddc473da9d9'],
       name: ['zeek-sensor-amsterdam'],
-      ip: null,
     },
     source: {
       ip: ['188.166.66.184'],
@@ -677,17 +609,8 @@ export const mockEcsData: Ecs[] = [
       region_name: ['England'],
       country_iso_code: ['GB'],
     },
-    suricata: null,
-    network: null,
-    http: null,
-    url: null,
     zeek: {
       session_id: ['CmTxzt2OVXZLkGDaRe'],
-      connection: null,
-      notice: null,
-      dns: null,
-      http: null,
-      files: null,
       ssl: {
         cipher: ['TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'],
         established: [false],
@@ -700,11 +623,7 @@ export const mockEcsData: Ecs[] = [
     _id: '19',
     timestamp: '2019-03-03T04:26:38.000Z',
     event: {
-      action: null,
-      severity: null,
       module: ['zeek'],
-      category: null,
-      id: null,
       dataset: ['zeek.files'],
     },
     host: {
@@ -712,19 +631,8 @@ export const mockEcsData: Ecs[] = [
       name: ['suricata-zeek-singapore'],
       ip: ['206.189.35.240', '10.15.0.5', 'fe80::98c7:eff:fe29:4455'],
     },
-    source: null,
-    destination: null,
-    geo: null,
-    suricata: null,
-    network: null,
-    http: null,
-    url: null,
     zeek: {
       session_id: ['Cu0n232QMyvNtzb75j'],
-      connection: null,
-      notice: null,
-      dns: null,
-      http: null,
       files: {
         session_ids: ['Cu0n232QMyvNtzb75j'],
         timedout: [false],
@@ -745,7 +653,6 @@ export const mockEcsData: Ecs[] = [
         missing_bytes: [0],
         md5: ['f7653f1951693021daa9e6be61226e32'],
       },
-      ssl: null,
     },
   },
   {
@@ -753,24 +660,14 @@ export const mockEcsData: Ecs[] = [
     timestamp: '2019-03-13T05:42:11.815Z',
     event: {
       action: ['executed'],
-      severity: null,
       module: ['auditd'],
       category: ['audit-rule'],
-      id: null,
-      dataset: null,
     },
     host: {
       id: ['f896741c3b3b44bdb8e351a4ab6d2d7c'],
       name: ['zeek-sanfran'],
       ip: ['134.209.63.134', '10.46.0.5', 'fe80::a0d9:16ff:fecf:e70b'],
     },
-    source: null,
-    destination: null,
-    geo: null,
-    suricata: null,
-    network: null,
-    http: null,
-    url: null,
     user: {
       name: ['alice'],
     },
@@ -783,24 +680,19 @@ export const mockEcsData: Ecs[] = [
       title: ['gpgconf --list-dirs agent-socket'],
       working_directory: ['/'],
     },
-    zeek: null,
   },
   {
     _id: '21',
     timestamp: '2019-03-14T22:30:25.527Z',
     event: {
       action: ['logged-in'],
-      severity: null,
       module: ['auditd'],
       category: ['user-login'],
-      id: null,
-      dataset: null,
     },
     auditd: {
       result: ['success'],
       session: ['14'],
       data: {
-        acct: null,
         terminal: ['/dev/pts/0'],
         op: ['login'],
       },
@@ -815,8 +707,6 @@ export const mockEcsData: Ecs[] = [
           type: ['user-session'],
         },
         how: ['/usr/sbin/sshd'],
-        message_type: null,
-        sequence: null,
       },
     },
     host: {
@@ -826,38 +716,22 @@ export const mockEcsData: Ecs[] = [
     },
     source: {
       ip: ['8.42.77.171'],
-      port: null,
-    },
-    destination: null,
-    geo: null,
-    suricata: null,
-    network: null,
-    http: null,
-    url: null,
+    },
     user: {
       name: ['root'],
     },
     process: {
       pid: [17471],
-      name: null,
-      ppid: null,
-      args: null,
       executable: ['/usr/sbin/sshd'],
-      title: null,
-      working_directory: null,
     },
-    zeek: null,
   },
   {
     _id: '22',
     timestamp: '2019-03-13T03:35:21.614Z',
     event: {
       action: ['disposed-credentials'],
-      severity: null,
       module: ['auditd'],
       category: ['user-login'],
-      id: null,
-      dataset: null,
     },
     auditd: {
       result: ['success'],
@@ -878,8 +752,6 @@ export const mockEcsData: Ecs[] = [
           type: ['user-session'],
         },
         how: ['/usr/sbin/sshd'],
-        message_type: null,
-        sequence: null,
       },
     },
     host: {
@@ -887,37 +759,21 @@ export const mockEcsData: Ecs[] = [
       name: ['suricata-bangalore'],
       ip: ['139.59.11.147', '10.47.0.5', 'fe80::ec0b:1bff:fe29:80bd'],
     },
-    source: null,
-    destination: null,
-    geo: null,
-    suricata: null,
-    network: null,
-    http: null,
-    url: null,
     user: {
       name: ['root'],
     },
     process: {
       pid: [21202],
-      name: null,
-      ppid: null,
-      args: null,
       executable: ['/usr/sbin/sshd'],
-      title: null,
-      working_directory: null,
     },
-    zeek: null,
   },
   {
     _id: '23',
     timestamp: '2019-03-13T03:35:21.614Z',
     event: {
       action: ['ended-session'],
-      severity: null,
       module: ['auditd'],
       category: ['user-login'],
-      id: null,
-      dataset: null,
     },
     auditd: {
       result: ['success'],
@@ -938,8 +794,6 @@ export const mockEcsData: Ecs[] = [
           type: ['user-session'],
         },
         how: ['/usr/sbin/sshd'],
-        message_type: null,
-        sequence: null,
       },
     },
     host: {
@@ -947,37 +801,21 @@ export const mockEcsData: Ecs[] = [
       name: ['suricata-bangalore'],
       ip: ['139.59.11.147', '10.47.0.5', 'fe80::ec0b:1bff:fe29:80bd'],
     },
-    source: null,
-    destination: null,
-    geo: null,
-    suricata: null,
-    network: null,
-    http: null,
-    url: null,
     user: {
       name: ['root'],
     },
     process: {
       pid: [21202],
-      name: null,
-      ppid: null,
-      args: null,
       executable: ['/usr/sbin/sshd'],
-      title: null,
-      working_directory: null,
     },
-    zeek: null,
   },
   {
     _id: '24',
     timestamp: '2019-03-18T23:17:01.645Z',
     event: {
       action: ['acquired-credentials'],
-      severity: null,
       module: ['auditd'],
       category: ['user-login'],
-      id: null,
-      dataset: null,
     },
     auditd: {
       result: ['success'],
@@ -994,12 +832,9 @@ export const mockEcsData: Ecs[] = [
         },
         object: {
           primary: ['cron'],
-          secondary: null,
           type: ['user-session'],
         },
         how: ['/usr/sbin/cron'],
-        message_type: null,
-        sequence: null,
       },
     },
     host: {
@@ -1007,37 +842,21 @@ export const mockEcsData: Ecs[] = [
       name: ['zeek-london'],
       ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'],
     },
-    source: null,
-    destination: null,
-    geo: null,
-    suricata: null,
-    network: null,
-    http: null,
-    url: null,
     user: {
       name: ['root'],
     },
     process: {
       pid: [9592],
-      name: null,
-      ppid: null,
-      args: null,
       executable: ['/usr/sbin/cron'],
-      title: null,
-      working_directory: null,
     },
-    zeek: null,
   },
   {
     _id: '25',
     timestamp: '2019-03-19T01:17:01.336Z',
     event: {
       action: ['started-session'],
-      severity: null,
       module: ['auditd'],
       category: ['user-login'],
-      id: null,
-      dataset: null,
     },
     auditd: {
       result: ['success'],
@@ -1054,58 +873,36 @@ export const mockEcsData: Ecs[] = [
         },
         object: {
           primary: ['cron'],
-          secondary: null,
           type: ['user-session'],
         },
         how: ['[/usr/sbin/cron'],
-        message_type: null,
-        sequence: null,
       },
     },
     host: {
       id: ['aa7ca589f1b8220002f2fc61c64cfbf1'],
       name: ['siem-kibana'],
-      ip: null,
-    },
-    source: null,
-    destination: null,
-    geo: null,
-    suricata: null,
-    network: null,
-    http: null,
-    url: null,
+    },
     user: {
       name: ['root'],
     },
     process: {
       pid: [725],
-      name: null,
-      ppid: null,
-      args: null,
       executable: ['/usr/sbin/cron'],
-      title: null,
-      working_directory: null,
     },
-    zeek: null,
   },
   {
     _id: '26',
     timestamp: '2019-03-13T03:34:08.890Z',
     event: {
       action: ['was-authorized'],
-      severity: null,
       module: ['auditd'],
       category: ['user-login'],
-      id: null,
-      dataset: null,
     },
     auditd: {
       result: ['success'],
       session: ['338'],
       data: {
-        acct: null,
         terminal: ['/dev/pts/0'],
-        op: null,
       },
       summary: {
         actor: {
@@ -1114,12 +911,9 @@ export const mockEcsData: Ecs[] = [
         },
         object: {
           primary: ['/dev/pts/0'],
-          secondary: null,
           type: ['user-session'],
         },
         how: ['/sbin/pam_tally2'],
-        message_type: null,
-        sequence: null,
       },
     },
     host: {
@@ -1127,42 +921,25 @@ export const mockEcsData: Ecs[] = [
       name: ['suricata-bangalore'],
       ip: ['139.59.11.147', '10.47.0.5', 'fe80::ec0b:1bff:fe29:80bd'],
     },
-    source: null,
-    destination: null,
-    geo: null,
-    suricata: null,
-    network: null,
-    http: null,
-    url: null,
     user: {
       name: ['alice'],
     },
     process: {
       pid: [21170],
-      name: null,
-      ppid: null,
-      args: null,
       executable: ['/sbin/pam_tally2'],
-      title: null,
-      working_directory: null,
     },
-    zeek: null,
   },
   {
     _id: '27',
     timestamp: '2019-03-22T19:13:11.026Z',
     event: {
       action: ['connected-to'],
-      severity: null,
       module: ['auditd'],
       category: ['audit-rule'],
-      id: null,
-      dataset: null,
     },
     auditd: {
       result: ['success'],
       session: ['246'],
-      data: null,
       summary: {
         actor: {
           primary: ['alice'],
@@ -1174,8 +951,6 @@ export const mockEcsData: Ecs[] = [
           type: ['socket'],
         },
         how: ['/usr/bin/wget'],
-        message_type: null,
-        sequence: null,
       },
     },
     host: {
@@ -1183,16 +958,10 @@ export const mockEcsData: Ecs[] = [
       name: ['zeek-london'],
       ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'],
     },
-    source: null,
     destination: {
       ip: ['93.184.216.34'],
       port: [80],
     },
-    geo: null,
-    suricata: null,
-    network: null,
-    http: null,
-    url: null,
     user: {
       name: ['alice'],
     },
@@ -1200,28 +969,21 @@ export const mockEcsData: Ecs[] = [
       pid: [1490],
       name: ['wget'],
       ppid: [1476],
-      args: null,
       executable: ['/usr/bin/wget'],
       title: ['wget www.example.com'],
-      working_directory: null,
     },
-    zeek: null,
   },
   {
     _id: '28',
     timestamp: '2019-03-26T22:12:18.609Z',
     event: {
       action: ['opened-file'],
-      severity: null,
       module: ['auditd'],
       category: ['audit-rule'],
-      id: null,
-      dataset: null,
     },
     auditd: {
       result: ['success'],
       session: ['unset'],
-      data: null,
       summary: {
         actor: {
           primary: ['unset'],
@@ -1229,19 +991,13 @@ export const mockEcsData: Ecs[] = [
         },
         object: {
           primary: ['/proc/15990/attr/current'],
-          secondary: null,
           type: ['file'],
         },
         how: ['/lib/systemd/systemd-journald'],
-        message_type: null,
-        sequence: null,
       },
     },
     file: {
       path: ['/proc/15990/attr/current'],
-      target_path: null,
-      extension: null,
-      type: null,
       device: ['00:00'],
       inode: ['27672309'],
       uid: ['0'],
@@ -1249,22 +1005,13 @@ export const mockEcsData: Ecs[] = [
       gid: ['0'],
       group: ['root'],
       mode: ['0666'],
-      size: null,
-      mtime: null,
-      ctime: null,
     },
     host: {
       id: ['7c21f5ed03b04d0299569d221fe18bbc'],
       name: ['zeek-london'],
       ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'],
     },
-    source: null,
-    destination: null,
-    geo: null,
-    suricata: null,
-    network: null,
-    http: null,
-    url: null,
+
     user: {
       name: ['root'],
     },
@@ -1272,12 +1019,10 @@ export const mockEcsData: Ecs[] = [
       pid: [27244],
       name: ['systemd-journal'],
       ppid: [1],
-      args: null,
       executable: ['/lib/systemd/systemd-journald'],
       title: ['/lib/systemd/systemd-journald'],
       working_directory: ['/'],
     },
-    zeek: null,
   },
 ];
 
diff --git a/x-pack/plugins/security_solution/public/common/mock/mock_endgame_ecs_data.ts b/x-pack/plugins/security_solution/public/common/mock/mock_endgame_ecs_data.ts
index 9b2cd14499db4..4c03a5457eb3f 100644
--- a/x-pack/plugins/security_solution/public/common/mock/mock_endgame_ecs_data.ts
+++ b/x-pack/plugins/security_solution/public/common/mock/mock_endgame_ecs_data.ts
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { Ecs } from '../../graphql/types';
+import { Ecs } from '../../../common/ecs';
 
 export const mockEndgameDnsRequest: Ecs = {
   _id: 'S8jPcG0BOpWiDweSou3g',
diff --git a/x-pack/plugins/security_solution/public/common/mock/mock_timeline_data.ts b/x-pack/plugins/security_solution/public/common/mock/mock_timeline_data.ts
index 9974842bff474..322dccdac973e 100644
--- a/x-pack/plugins/security_solution/public/common/mock/mock_timeline_data.ts
+++ b/x-pack/plugins/security_solution/public/common/mock/mock_timeline_data.ts
@@ -4,7 +4,8 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { Ecs, TimelineItem } from '../../graphql/types';
+import { Ecs } from '../../../common/ecs';
+import { TimelineItem } from '../../../common/search_strategy/timeline';
 
 export const mockTimelineData: TimelineItem[] = [
   {
@@ -425,11 +426,7 @@ export const mockTimelineData: TimelineItem[] = [
       _id: '14',
       timestamp: '2019-03-07T05:06:51.000Z',
       event: {
-        action: null,
-        severity: null,
         module: ['zeek'],
-        category: null,
-        id: null,
         dataset: ['zeek.connection'],
       },
       host: {
@@ -440,10 +437,7 @@ export const mockTimelineData: TimelineItem[] = [
       source: { ip: ['185.176.26.101'], port: [44059] },
       destination: { ip: ['207.154.238.205'], port: [11568] },
       geo: { region_name: ['New York'], country_iso_code: ['US'] },
-      suricata: null,
       network: { transport: ['tcp'] },
-      http: null,
-      url: null,
       zeek: {
         session_id: ['C8DRTq362Fios6hw16'],
         connection: {
@@ -453,11 +447,6 @@ export const mockTimelineData: TimelineItem[] = [
           state: ['REJ'],
           history: ['Sr'],
         },
-        notice: null,
-        dns: null,
-        http: null,
-        files: null,
-        ssl: null,
       },
     },
   },
@@ -473,11 +462,7 @@ export const mockTimelineData: TimelineItem[] = [
       _id: '15',
       timestamp: '2019-03-07T00:51:28.000Z',
       event: {
-        action: null,
-        severity: null,
         module: ['zeek'],
-        category: null,
-        id: null,
         dataset: ['zeek.dns'],
       },
       host: {
@@ -488,30 +473,16 @@ export const mockTimelineData: TimelineItem[] = [
       source: { ip: ['206.189.35.240'], port: [57475] },
       destination: { ip: ['67.207.67.3'], port: [53] },
       geo: { region_name: ['New York'], country_iso_code: ['US'] },
-      suricata: null,
       network: { transport: ['udp'] },
-      http: null,
-      url: null,
       zeek: {
         session_id: ['CyIrMA1L1JtLqdIuol'],
-        connection: null,
-        notice: null,
         dns: {
           AA: [false],
-          qclass_name: null,
           RD: [false],
-          qtype_name: null,
-          rejected: null,
-          qtype: null,
-          query: null,
           trans_id: [65252],
-          qclass: null,
           RA: [false],
           TC: [false],
         },
-        http: null,
-        files: null,
-        ssl: null,
       },
     },
   },
@@ -527,11 +498,7 @@ export const mockTimelineData: TimelineItem[] = [
       _id: '16',
       timestamp: '2019-03-05T07:00:20.000Z',
       event: {
-        action: null,
-        severity: null,
         module: ['zeek'],
-        category: null,
-        id: null,
         dataset: ['zeek.http'],
       },
       host: {
@@ -542,19 +509,14 @@ export const mockTimelineData: TimelineItem[] = [
       source: { ip: ['206.189.35.240'], port: [36220] },
       destination: { ip: ['192.241.164.26'], port: [80] },
       geo: { region_name: ['New York'], country_iso_code: ['US'] },
-      suricata: null,
-      network: null,
       http: {
         version: ['1.1'],
-        request: { method: null, body: { bytes: [0], content: null }, referrer: null },
-        response: { status_code: [302], body: { bytes: [154], content: null } },
+        request: { body: { bytes: [0] } },
+        response: { status_code: [302], body: { bytes: [154] } },
       },
-      url: null,
       zeek: {
         session_id: ['CZLkpC22NquQJOpkwe'],
-        connection: null,
-        notice: null,
-        dns: null,
+
         http: {
           resp_mime_types: ['text/html'],
           trans_depth: ['3'],
@@ -562,8 +524,6 @@ export const mockTimelineData: TimelineItem[] = [
           resp_fuids: ['FzeujEPP7GTHmYPsc'],
           tags: [],
         },
-        files: null,
-        ssl: null,
       },
     },
   },
@@ -578,11 +538,7 @@ export const mockTimelineData: TimelineItem[] = [
       _id: '17',
       timestamp: '2019-02-28T22:36:28.000Z',
       event: {
-        action: null,
-        severity: null,
         module: ['zeek'],
-        category: null,
-        id: null,
         dataset: ['zeek.notice'],
       },
       host: {
@@ -590,16 +546,8 @@ export const mockTimelineData: TimelineItem[] = [
         name: ['zeek-franfurt'],
         ip: ['207.154.238.205', '10.19.0.5', 'fe80::d82b:9aff:fe0d:1e12'],
       },
-      source: { ip: ['8.42.77.171'], port: null },
-      destination: null,
-      geo: null,
-      suricata: null,
-      network: null,
-      http: null,
-      url: null,
+      source: { ip: ['8.42.77.171'] },
       zeek: {
-        session_id: null,
-        connection: null,
         notice: {
           suppress_for: [3600],
           msg: ['8.42.77.171 scanned at least 15 unique ports of host 207.154.238.205 in 0m0s'],
@@ -609,10 +557,6 @@ export const mockTimelineData: TimelineItem[] = [
           dropped: [false],
           peer_descr: ['bro'],
         },
-        dns: null,
-        http: null,
-        files: null,
-        ssl: null,
       },
     },
   },
@@ -628,28 +572,15 @@ export const mockTimelineData: TimelineItem[] = [
       _id: '18',
       timestamp: '2019-02-22T21:12:13.000Z',
       event: {
-        action: null,
-        severity: null,
         module: ['zeek'],
-        category: null,
-        id: null,
         dataset: ['zeek.ssl'],
       },
-      host: { id: ['2ce8b1e7d69e4a1d9c6bcddc473da9d9'], name: ['zeek-sensor-amsterdam'], ip: null },
+      host: { id: ['2ce8b1e7d69e4a1d9c6bcddc473da9d9'], name: ['zeek-sensor-amsterdam'] },
       source: { ip: ['188.166.66.184'], port: [34514] },
       destination: { ip: ['91.189.95.15'], port: [443] },
       geo: { region_name: ['England'], country_iso_code: ['GB'] },
-      suricata: null,
-      network: null,
-      http: null,
-      url: null,
       zeek: {
         session_id: ['CmTxzt2OVXZLkGDaRe'],
-        connection: null,
-        notice: null,
-        dns: null,
-        http: null,
-        files: null,
         ssl: {
           cipher: ['TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'],
           established: [false],
@@ -669,11 +600,7 @@ export const mockTimelineData: TimelineItem[] = [
       _id: '19',
       timestamp: '2019-03-03T04:26:38.000Z',
       event: {
-        action: null,
-        severity: null,
         module: ['zeek'],
-        category: null,
-        id: null,
         dataset: ['zeek.files'],
       },
       host: {
@@ -681,19 +608,8 @@ export const mockTimelineData: TimelineItem[] = [
         name: ['suricata-zeek-singapore'],
         ip: ['206.189.35.240', '10.15.0.5', 'fe80::98c7:eff:fe29:4455'],
       },
-      source: null,
-      destination: null,
-      geo: null,
-      suricata: null,
-      network: null,
-      http: null,
-      url: null,
       zeek: {
         session_id: ['Cu0n232QMyvNtzb75j'],
-        connection: null,
-        notice: null,
-        dns: null,
-        http: null,
         files: {
           session_ids: ['Cu0n232QMyvNtzb75j'],
           timedout: [false],
@@ -714,7 +630,6 @@ export const mockTimelineData: TimelineItem[] = [
           missing_bytes: [0],
           md5: ['f7653f1951693021daa9e6be61226e32'],
         },
-        ssl: null,
       },
     },
   },
@@ -730,24 +645,14 @@ export const mockTimelineData: TimelineItem[] = [
       timestamp: '2019-03-13T05:42:11.815Z',
       event: {
         action: ['executed'],
-        severity: null,
         module: ['auditd'],
         category: ['audit-rule'],
-        id: null,
-        dataset: null,
       },
       host: {
         id: ['f896741c3b3b44bdb8e351a4ab6d2d7c'],
         name: ['zeek-sanfran'],
         ip: ['134.209.63.134', '10.46.0.5', 'fe80::a0d9:16ff:fecf:e70b'],
       },
-      source: null,
-      destination: null,
-      geo: null,
-      suricata: null,
-      network: null,
-      http: null,
-      url: null,
       user: { name: ['alice'] },
       process: {
         pid: [5402],
@@ -758,7 +663,6 @@ export const mockTimelineData: TimelineItem[] = [
         title: ['gpgconf --list-dirs agent-socket'],
         working_directory: ['/'],
       },
-      zeek: null,
     },
   },
   {
@@ -775,22 +679,17 @@ export const mockTimelineData: TimelineItem[] = [
       timestamp: '2019-03-14T22:30:25.527Z',
       event: {
         action: ['logged-in'],
-        severity: null,
         module: ['auditd'],
         category: ['user-login'],
-        id: null,
-        dataset: null,
       },
       auditd: {
         result: ['success'],
         session: ['14'],
-        data: { acct: null, terminal: ['/dev/pts/0'], op: ['login'] },
+        data: { terminal: ['/dev/pts/0'], op: ['login'] },
         summary: {
           actor: { primary: ['alice'], secondary: ['alice'] },
           object: { primary: ['/dev/pts/0'], secondary: ['8.42.77.171'], type: ['user-session'] },
           how: ['/usr/sbin/sshd'],
-          message_type: null,
-          sequence: null,
         },
       },
       host: {
@@ -798,24 +697,12 @@ export const mockTimelineData: TimelineItem[] = [
         name: ['zeek-london'],
         ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'],
       },
-      source: { ip: ['8.42.77.171'], port: null },
-      destination: null,
-      geo: null,
-      suricata: null,
-      network: null,
-      http: null,
-      url: null,
+      source: { ip: ['8.42.77.171'] },
       user: { name: ['root'] },
       process: {
         pid: [17471],
-        name: null,
-        ppid: null,
-        args: null,
         executable: ['/usr/sbin/sshd'],
-        title: null,
-        working_directory: null,
       },
-      zeek: null,
     },
   },
   {
@@ -831,11 +718,8 @@ export const mockTimelineData: TimelineItem[] = [
       timestamp: '2019-03-13T03:35:21.614Z',
       event: {
         action: ['disposed-credentials'],
-        severity: null,
         module: ['auditd'],
         category: ['user-login'],
-        id: null,
-        dataset: null,
       },
       auditd: {
         result: ['success'],
@@ -845,8 +729,6 @@ export const mockTimelineData: TimelineItem[] = [
           actor: { primary: ['alice'], secondary: ['alice'] },
           object: { primary: ['ssh'], secondary: ['8.42.77.171'], type: ['user-session'] },
           how: ['/usr/sbin/sshd'],
-          message_type: null,
-          sequence: null,
         },
       },
       host: {
@@ -854,24 +736,11 @@ export const mockTimelineData: TimelineItem[] = [
         name: ['suricata-bangalore'],
         ip: ['139.59.11.147', '10.47.0.5', 'fe80::ec0b:1bff:fe29:80bd'],
       },
-      source: null,
-      destination: null,
-      geo: null,
-      suricata: null,
-      network: null,
-      http: null,
-      url: null,
       user: { name: ['root'] },
       process: {
         pid: [21202],
-        name: null,
-        ppid: null,
-        args: null,
         executable: ['/usr/sbin/sshd'],
-        title: null,
-        working_directory: null,
       },
-      zeek: null,
     },
   },
   {
@@ -887,11 +756,8 @@ export const mockTimelineData: TimelineItem[] = [
       timestamp: '2019-03-13T03:35:21.614Z',
       event: {
         action: ['ended-session'],
-        severity: null,
         module: ['auditd'],
         category: ['user-login'],
-        id: null,
-        dataset: null,
       },
       auditd: {
         result: ['success'],
@@ -901,8 +767,6 @@ export const mockTimelineData: TimelineItem[] = [
           actor: { primary: ['alice'], secondary: ['alice'] },
           object: { primary: ['ssh'], secondary: ['8.42.77.171'], type: ['user-session'] },
           how: ['/usr/sbin/sshd'],
-          message_type: null,
-          sequence: null,
         },
       },
       host: {
@@ -910,24 +774,11 @@ export const mockTimelineData: TimelineItem[] = [
         name: ['suricata-bangalore'],
         ip: ['139.59.11.147', '10.47.0.5', 'fe80::ec0b:1bff:fe29:80bd'],
       },
-      source: null,
-      destination: null,
-      geo: null,
-      suricata: null,
-      network: null,
-      http: null,
-      url: null,
       user: { name: ['root'] },
       process: {
         pid: [21202],
-        name: null,
-        ppid: null,
-        args: null,
         executable: ['/usr/sbin/sshd'],
-        title: null,
-        working_directory: null,
       },
-      zeek: null,
     },
   },
   {
@@ -943,11 +794,8 @@ export const mockTimelineData: TimelineItem[] = [
       timestamp: '2019-03-18T23:17:01.645Z',
       event: {
         action: ['acquired-credentials'],
-        severity: null,
         module: ['auditd'],
         category: ['user-login'],
-        id: null,
-        dataset: null,
       },
       auditd: {
         result: ['success'],
@@ -955,10 +803,8 @@ export const mockTimelineData: TimelineItem[] = [
         data: { acct: ['root'], terminal: ['cron'], op: ['PAM:setcred'] },
         summary: {
           actor: { primary: ['unset'], secondary: ['root'] },
-          object: { primary: ['cron'], secondary: null, type: ['user-session'] },
+          object: { primary: ['cron'], type: ['user-session'] },
           how: ['/usr/sbin/cron'],
-          message_type: null,
-          sequence: null,
         },
       },
       host: {
@@ -966,24 +812,11 @@ export const mockTimelineData: TimelineItem[] = [
         name: ['zeek-london'],
         ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'],
       },
-      source: null,
-      destination: null,
-      geo: null,
-      suricata: null,
-      network: null,
-      http: null,
-      url: null,
       user: { name: ['root'] },
       process: {
         pid: [9592],
-        name: null,
-        ppid: null,
-        args: null,
         executable: ['/usr/sbin/cron'],
-        title: null,
-        working_directory: null,
       },
-      zeek: null,
     },
   },
   {
@@ -999,11 +832,8 @@ export const mockTimelineData: TimelineItem[] = [
       timestamp: '2019-03-19T01:17:01.336Z',
       event: {
         action: ['started-session'],
-        severity: null,
         module: ['auditd'],
         category: ['user-login'],
-        id: null,
-        dataset: null,
       },
       auditd: {
         result: ['success'],
@@ -1011,31 +841,16 @@ export const mockTimelineData: TimelineItem[] = [
         data: { acct: ['root'], terminal: ['cron'], op: ['PAM:session_open'] },
         summary: {
           actor: { primary: ['root'], secondary: ['root'] },
-          object: { primary: ['cron'], secondary: null, type: ['user-session'] },
+          object: { primary: ['cron'], type: ['user-session'] },
           how: ['/usr/sbin/cron'],
-          message_type: null,
-          sequence: null,
         },
       },
-      host: { id: ['aa7ca589f1b8220002f2fc61c64cfbf1'], name: ['siem-kibana'], ip: null },
-      source: null,
-      destination: null,
-      geo: null,
-      suricata: null,
-      network: null,
-      http: null,
-      url: null,
+      host: { id: ['aa7ca589f1b8220002f2fc61c64cfbf1'], name: ['siem-kibana'] },
       user: { name: ['root'] },
       process: {
         pid: [725],
-        name: null,
-        ppid: null,
-        args: null,
         executable: ['/usr/sbin/cron'],
-        title: null,
-        working_directory: null,
       },
-      zeek: null,
     },
   },
   {
@@ -1051,22 +866,17 @@ export const mockTimelineData: TimelineItem[] = [
       timestamp: '2019-03-13T03:34:08.890Z',
       event: {
         action: ['was-authorized'],
-        severity: null,
         module: ['auditd'],
         category: ['user-login'],
-        id: null,
-        dataset: null,
       },
       auditd: {
         result: ['success'],
         session: ['338'],
-        data: { acct: null, terminal: ['/dev/pts/0'], op: null },
+        data: { terminal: ['/dev/pts/0'] },
         summary: {
           actor: { primary: ['root'], secondary: ['alice'] },
-          object: { primary: ['/dev/pts/0'], secondary: null, type: ['user-session'] },
+          object: { primary: ['/dev/pts/0'], type: ['user-session'] },
           how: ['/sbin/pam_tally2'],
-          message_type: null,
-          sequence: null,
         },
       },
       host: {
@@ -1074,24 +884,11 @@ export const mockTimelineData: TimelineItem[] = [
         name: ['suricata-bangalore'],
         ip: ['139.59.11.147', '10.47.0.5', 'fe80::ec0b:1bff:fe29:80bd'],
       },
-      source: null,
-      destination: null,
-      geo: null,
-      suricata: null,
-      network: null,
-      http: null,
-      url: null,
       user: { name: ['alice'] },
       process: {
         pid: [21170],
-        name: null,
-        ppid: null,
-        args: null,
         executable: ['/sbin/pam_tally2'],
-        title: null,
-        working_directory: null,
       },
-      zeek: null,
     },
   },
   {
@@ -1109,22 +906,16 @@ export const mockTimelineData: TimelineItem[] = [
       timestamp: '2019-03-22T19:13:11.026Z',
       event: {
         action: ['connected-to'],
-        severity: null,
         module: ['auditd'],
         category: ['audit-rule'],
-        id: null,
-        dataset: null,
       },
       auditd: {
         result: ['success'],
         session: ['246'],
-        data: null,
         summary: {
           actor: { primary: ['alice'], secondary: ['alice'] },
           object: { primary: ['192.168.216.34'], secondary: ['80'], type: ['socket'] },
           how: ['/usr/bin/wget'],
-          message_type: null,
-          sequence: null,
         },
       },
       host: {
@@ -1132,24 +923,15 @@ export const mockTimelineData: TimelineItem[] = [
         name: ['zeek-london'],
         ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'],
       },
-      source: null,
       destination: { ip: ['192.168.216.34'], port: [80] },
-      geo: null,
-      suricata: null,
-      network: null,
-      http: null,
-      url: null,
       user: { name: ['alice'] },
       process: {
         pid: [1490],
         name: ['wget'],
         ppid: [1476],
-        args: null,
         executable: ['/usr/bin/wget'],
         title: ['wget www.example.com'],
-        working_directory: null,
       },
-      zeek: null,
     },
   },
   {
@@ -1166,29 +948,20 @@ export const mockTimelineData: TimelineItem[] = [
       timestamp: '2019-03-26T22:12:18.609Z',
       event: {
         action: ['opened-file'],
-        severity: null,
         module: ['auditd'],
         category: ['audit-rule'],
-        id: null,
-        dataset: null,
       },
       auditd: {
         result: ['success'],
         session: ['242'],
-        data: null,
         summary: {
           actor: { primary: ['unset'], secondary: ['root'] },
-          object: { primary: ['/proc/15990/attr/current'], secondary: null, type: ['file'] },
+          object: { primary: ['/proc/15990/attr/current'], type: ['file'] },
           how: ['/lib/systemd/systemd-journald'],
-          message_type: null,
-          sequence: null,
         },
       },
       file: {
         path: ['/proc/15990/attr/current'],
-        target_path: null,
-        extension: null,
-        type: null,
         device: ['00:00'],
         inode: ['27672309'],
         uid: ['0'],
@@ -1196,33 +969,22 @@ export const mockTimelineData: TimelineItem[] = [
         gid: ['0'],
         group: ['root'],
         mode: ['0666'],
-        size: null,
-        mtime: null,
-        ctime: null,
       },
       host: {
         id: ['7c21f5ed03b04d0299569d221fe18bbc'],
         name: ['zeek-london'],
         ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'],
       },
-      source: null,
-      destination: null,
-      geo: null,
-      suricata: null,
-      network: null,
-      http: null,
-      url: null,
+
       user: { name: ['root'] },
       process: {
         pid: [27244],
         name: ['systemd-journal'],
         ppid: [1],
-        args: null,
         executable: ['/lib/systemd/systemd-journald'],
         title: ['/lib/systemd/systemd-journald'],
         working_directory: ['/'],
       },
-      zeek: null,
     },
   },
   {
@@ -1236,61 +998,27 @@ export const mockTimelineData: TimelineItem[] = [
     ],
     ecs: {
       _id: '29',
-      system: null,
       event: {
         action: ['user_login'],
-        category: null,
-        created: null,
         dataset: ['login'],
-        duration: null,
-        end: null,
-        hash: null,
-        id: null,
         kind: ['event'],
         module: ['system'],
-        original: null,
         outcome: ['failure'],
-        risk_score: null,
-        risk_score_norm: null,
-        severity: null,
-        start: null,
-        timezone: null,
-        type: null,
-      },
-      auditd: null,
-      file: null,
+      },
       host: {
         id: ['7c21f5ed03b04d0299569d221fe18bbc'],
         name: ['zeek-london'],
         ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'],
       },
       source: {
-        bytes: null,
         ip: ['128.199.212.120'],
-        packets: null,
-        port: null,
-        geo: null,
-      },
-      destination: null,
-      geo: null,
-      suricata: null,
-      network: null,
-      http: null,
-      tls: null,
-      url: null,
+      },
       user: {
         name: ['Braden'],
       },
       process: {
         pid: [6278],
-        name: null,
-        ppid: null,
-        args: null,
-        executable: null,
-        title: null,
-        working_directory: null,
-      },
-      zeek: null,
+      },
     },
   },
   {
@@ -1304,61 +1032,27 @@ export const mockTimelineData: TimelineItem[] = [
     ],
     ecs: {
       _id: '30',
-      system: null,
       event: {
         action: ['process_started'],
-        category: null,
-        created: null,
         dataset: ['login'],
-        duration: null,
-        end: null,
-        hash: null,
-        id: null,
         kind: ['event'],
         module: ['system'],
-        original: null,
         outcome: ['failure'],
-        risk_score: null,
-        risk_score_norm: null,
-        severity: null,
-        start: null,
-        timezone: null,
-        type: null,
-      },
-      auditd: null,
-      file: null,
+      },
       host: {
         id: ['7c21f5ed03b04d0299569d221fe18bbc'],
         name: ['zeek-london'],
         ip: ['46.101.3.136', '10.16.0.5', 'fe80::4066:42ff:fe19:b3b9'],
       },
       source: {
-        bytes: null,
         ip: ['128.199.212.120'],
-        packets: null,
-        port: null,
-        geo: null,
-      },
-      destination: null,
-      geo: null,
-      suricata: null,
-      network: null,
-      http: null,
-      tls: null,
-      url: null,
+      },
       user: {
         name: ['Evan'],
       },
       process: {
         pid: [6278],
-        name: null,
-        ppid: null,
-        args: null,
-        executable: null,
-        title: null,
-        working_directory: null,
-      },
-      zeek: null,
+      },
     },
   },
   {
diff --git a/x-pack/plugins/security_solution/public/common/mock/netflow.ts b/x-pack/plugins/security_solution/public/common/mock/netflow.ts
index 4dad794533374..1c384ef9a4f63 100644
--- a/x-pack/plugins/security_solution/public/common/mock/netflow.ts
+++ b/x-pack/plugins/security_solution/public/common/mock/netflow.ts
@@ -5,7 +5,7 @@
  */
 
 import { ONE_MILLISECOND_AS_NANOSECONDS } from '../../timelines/components/formatted_duration/helpers';
-import { Ecs } from '../../graphql/types';
+import { Ecs } from '../../../common/ecs';
 
 /** Returns mock data for testing the Netflow component */
 export const getMockNetflowData = (): Ecs => ({
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx
index 3f95fd36b6010..678aaf06e50e4 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx
@@ -17,7 +17,7 @@ import {
   mockTimelineDetailsApollo,
 } from '../../../common/mock/';
 import { CreateTimeline, UpdateTimelineLoading } from './types';
-import { Ecs } from '../../../graphql/types';
+import { Ecs } from '../../../../common/ecs';
 import { TimelineId, TimelineType, TimelineStatus } from '../../../../common/types/timeline';
 
 jest.mock('apollo-client');
@@ -336,6 +336,7 @@ describe('alert actions', () => {
           signal: {
             rule: {
               ...mockEcsDataWithAlert.signal?.rule!,
+              // @ts-expect-error
               timeline_id: null,
             },
           },
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx
index 972a8aa4b0871..640726bb2e7c8 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx
@@ -11,19 +11,15 @@ import { get, getOr, isEmpty, find } from 'lodash/fp';
 import moment from 'moment';
 import { i18n } from '@kbn/i18n';
 
-import { TimelineId } from '../../../../common/types/timeline';
+import { TimelineId, TimelineStatus, TimelineType } from '../../../../common/types/timeline';
 import { updateAlertStatus } from '../../containers/detection_engine/alerts/api';
 import { SendAlertToTimelineActionProps, UpdateAlertStatusActionProps } from './types';
+import { Ecs } from '../../../../common/ecs';
+import { GetOneTimeline, TimelineResult, GetTimelineDetailsQuery } from '../../../graphql/types';
 import {
   TimelineNonEcsData,
-  GetOneTimeline,
-  TimelineResult,
-  Ecs,
-  TimelineStatus,
-  TimelineType,
-  GetTimelineDetailsQuery,
-  DetailItem,
-} from '../../../graphql/types';
+  TimelineEventsDetailsItem,
+} from '../../../../common/search_strategy/timeline';
 import { oneTimelineQuery } from '../../../timelines/containers/one/index.gql_query';
 import { timelineDefaults } from '../../../timelines/store/timeline/defaults';
 import {
@@ -122,7 +118,7 @@ export const getThresholdAggregationDataProvider = (
   ecsData: Ecs,
   nonEcsData: TimelineNonEcsData[]
 ): DataProvider[] => {
-  const aggregationField = ecsData.signal?.rule?.threshold.field;
+  const aggregationField = ecsData.signal?.rule?.threshold?.field!;
   const aggregationValue =
     get(aggregationField, ecsData) ?? find(['field', aggregationField], nonEcsData)?.value;
   const dataProviderValue = Array.isArray(aggregationValue)
@@ -139,7 +135,7 @@ export const getThresholdAggregationDataProvider = (
     {
       and: [],
       id: `send-alert-to-timeline-action-default-draggable-event-details-value-formatted-field-value-${TimelineId.active}-${aggregationFieldId}-${dataProviderValue}`,
-      name: ecsData.signal?.rule?.threshold.field,
+      name: aggregationField,
       enabled: true,
       excluded: false,
       kqlQuery: '',
@@ -189,7 +185,11 @@ export const sendAlertToTimelineAction = async ({
         }),
       ]);
       const resultingTimeline: TimelineResult = getOr({}, 'data.getOneTimeline', responseTimeline);
-      const eventData: DetailItem[] = getOr([], 'data.source.TimelineDetails.data', eventDataResp);
+      const eventData: TimelineEventsDetailsItem[] = getOr(
+        [],
+        'data.source.TimelineDetails.data',
+        eventDataResp
+      );
       if (!isEmpty(resultingTimeline)) {
         const timelineTemplate: TimelineResult = omitTypenameInTimeline(resultingTimeline);
         openAlertInBasicTimeline = false;
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/alerts_utility_bar/index.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/alerts_utility_bar/index.tsx
index bdad380f59ae9..30fcdc21d61e8 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/alerts_utility_bar/index.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/alerts_utility_bar/index.tsx
@@ -24,7 +24,7 @@ import {
 } from '../../../../common/components/utility_bar';
 import * as i18n from './translations';
 import { useUiSetting$ } from '../../../../common/lib/kibana';
-import { TimelineNonEcsData } from '../../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../../common/search_strategy/timeline';
 import { UpdateAlertsStatus } from '../types';
 import { FILTER_CLOSED, FILTER_IN_PROGRESS, FILTER_OPEN } from '../alerts_filter_group';
 
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx
index cbf0e08fef5cd..4559e44b8c3c5 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx
@@ -27,7 +27,8 @@ import { DEFAULT_ICON_BUTTON_WIDTH } from '../../../../timelines/components/time
 import { FILTER_OPEN, FILTER_CLOSED, FILTER_IN_PROGRESS } from '../alerts_filter_group';
 import { updateAlertStatusAction } from '../actions';
 import { SetEventsDeletedProps, SetEventsLoadingProps } from '../types';
-import { Ecs, TimelineNonEcsData } from '../../../../graphql/types';
+import { Ecs } from '../../../../../common/ecs';
+import { TimelineNonEcsData } from '../../../../../common/search_strategy/timeline';
 import {
   AddExceptionModal as AddExceptionModalComponent,
   AddExceptionModalBaseProps,
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/investigate_in_timeline_action.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/investigate_in_timeline_action.tsx
index f4080de5b4ba1..4ab5fa5e6012f 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/investigate_in_timeline_action.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/investigate_in_timeline_action.tsx
@@ -8,7 +8,8 @@ import React, { useCallback } from 'react';
 import { useDispatch } from 'react-redux';
 
 import { TimelineId } from '../../../../../common/types/timeline';
-import { TimelineNonEcsData, Ecs } from '../../../../../public/graphql/types';
+import { Ecs } from '../../../../../common/ecs';
+import { TimelineNonEcsData } from '../../../../../common/search_strategy/timeline';
 import { timelineActions } from '../../../../timelines/store/timeline';
 import { useApolloClient } from '../../../../common/utils/apollo_context';
 import { sendAlertToTimelineAction } from '../actions';
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/translations.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_table/translations.ts
index b4da0267d2ea5..50ac344eb2a2f 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/translations.ts
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/translations.ts
@@ -48,7 +48,7 @@ export const LOADING_ALERTS = i18n.translate(
 export const TOTAL_COUNT_OF_ALERTS = i18n.translate(
   'xpack.securitySolution.detectionEngine.alerts.totalCountOfAlertsTitle',
   {
-    defaultMessage: 'alerts match the search criteria',
+    defaultMessage: 'alerts',
   }
 );
 
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/types.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_table/types.ts
index f8b3cd6af8b8a..3dfdfe4c17e04 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/types.ts
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/types.ts
@@ -7,7 +7,9 @@
 import ApolloClient from 'apollo-client';
 
 import { Status } from '../../../../common/detection_engine/schemas/common/schemas';
-import { Ecs, NoteResult, TimelineNonEcsData } from '../../../graphql/types';
+import { Ecs } from '../../../../common/ecs';
+import { TimelineNonEcsData } from '../../../../common/search_strategy/timeline';
+import { NoteResult } from '../../../graphql/types';
 import { TimelineModel } from '../../../timelines/store/timeline/model';
 import { inputsModel } from '../../../common/store';
 
diff --git a/x-pack/plugins/security_solution/public/hosts/containers/hosts/index.tsx b/x-pack/plugins/security_solution/public/hosts/containers/hosts/index.tsx
index 958d62dfe9b6a..11b853e0ebeb0 100644
--- a/x-pack/plugins/security_solution/public/hosts/containers/hosts/index.tsx
+++ b/x-pack/plugins/security_solution/public/hosts/containers/hosts/index.tsx
@@ -87,17 +87,14 @@ export const useAllHost = ({
       direction,
       field: sortField,
     },
-    // inspect: isInspected,
   });
 
   const wrappedLoadMore = useCallback(
     (newActivePage: number) => {
-      setHostRequest((prevRequest) => {
-        return {
-          ...prevRequest,
-          pagination: generateTablePaginationOptions(newActivePage, limit),
-        };
-      });
+      setHostRequest((prevRequest) => ({
+        ...prevRequest,
+        pagination: generateTablePaginationOptions(newActivePage, limit),
+      }));
     },
     [limit]
   );
diff --git a/x-pack/plugins/security_solution/public/timelines/components/flyout/header/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/flyout/header/index.tsx
index 10f20eeacbcb0..a711e7a1d0442 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/flyout/header/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/flyout/header/index.tsx
@@ -129,8 +129,6 @@ const mapDispatchToProps = (dispatch: Dispatch, { timelineId }: OwnProps) => ({
     dispatch(timelineActions.updateDescription({ id, description })),
   updateIsFavorite: ({ id, isFavorite }: { id: string; isFavorite: boolean }) =>
     dispatch(timelineActions.updateIsFavorite({ id, isFavorite })),
-  updateIsLive: ({ id, isLive }: { id: string; isLive: boolean }) =>
-    dispatch(timelineActions.updateIsLive({ id, isLive })),
   updateNote: (note: Note) => dispatch(appActions.updateNote({ note })),
   updateTitle: ({ id, title }: { id: string; title: string }) =>
     dispatch(timelineActions.updateTitle({ id, title })),
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/column_headers/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/column_headers/index.tsx
index 120fc12b425f4..ea938be91abd1 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/column_headers/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/column_headers/index.tsx
@@ -5,7 +5,6 @@
  */
 
 import { EuiButtonIcon, EuiCheckbox, EuiToolTip } from '@elastic/eui';
-import { noop } from 'lodash/fp';
 import React, { useState, useEffect, useCallback, useMemo } from 'react';
 import { Droppable, DraggableChildrenFn } from 'react-beautiful-dnd';
 import deepEqual from 'fast-deep-equal';
@@ -26,7 +25,6 @@ import {
   OnColumnRemoved,
   OnColumnResized,
   OnColumnSorted,
-  OnFilterChange,
   OnSelectAll,
   OnUpdateColumns,
 } from '../../events';
@@ -57,7 +55,6 @@ interface Props {
   onColumnRemoved: OnColumnRemoved;
   onColumnResized: OnColumnResized;
   onColumnSorted: OnColumnSorted;
-  onFilterChange?: OnFilterChange;
   onSelectAll: OnSelectAll;
   onUpdateColumns: OnUpdateColumns;
   showEventsSelect: boolean;
@@ -111,7 +108,6 @@ export const ColumnHeadersComponent = ({
   onColumnSorted,
   onSelectAll,
   onUpdateColumns,
-  onFilterChange = noop,
   showEventsSelect,
   showSelectAllCheckbox,
   sort,
@@ -186,18 +182,16 @@ export const ColumnHeadersComponent = ({
           isDragging={draggingIndex === draggableIndex}
           onColumnRemoved={onColumnRemoved}
           onColumnSorted={onColumnSorted}
-          onFilterChange={onFilterChange}
           onColumnResized={onColumnResized}
           sort={sort}
         />
       )),
-    // eslint-disable-next-line react-hooks/exhaustive-deps
     [
       columnHeaders,
       timelineId,
       draggingIndex,
       onColumnRemoved,
-      onFilterChange,
+      onColumnSorted,
       onColumnResized,
       sort,
     ]
@@ -312,7 +306,6 @@ export const ColumnHeaders = React.memo(
     prevProps.onColumnSorted === nextProps.onColumnSorted &&
     prevProps.onSelectAll === nextProps.onSelectAll &&
     prevProps.onUpdateColumns === nextProps.onUpdateColumns &&
-    prevProps.onFilterChange === nextProps.onFilterChange &&
     prevProps.showEventsSelect === nextProps.showEventsSelect &&
     prevProps.showSelectAllCheckbox === nextProps.showSelectAllCheckbox &&
     prevProps.sort === nextProps.sort &&
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/data_driven_columns/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/data_driven_columns/index.tsx
index f4838f90a1e96..0d37f25d66e3f 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/data_driven_columns/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/data_driven_columns/index.tsx
@@ -7,7 +7,8 @@
 import React from 'react';
 import { getOr } from 'lodash/fp';
 
-import { Ecs, TimelineNonEcsData } from '../../../../../graphql/types';
+import { Ecs } from '../../../../../../common/ecs';
+import { TimelineNonEcsData } from '../../../../../../common/search_strategy/timeline';
 import { ColumnHeaderOptions } from '../../../../../timelines/store/timeline/model';
 import { OnColumnResized } from '../../events';
 import { EventsTd, EventsTdContent, EventsTdGroupData } from '../../styles';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/event_column_view.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/event_column_view.tsx
index f1d45d5458554..2c84a786d4432 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/event_column_view.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/event_column_view.tsx
@@ -8,7 +8,8 @@ import React, { useCallback, useMemo } from 'react';
 import uuid from 'uuid';
 import { useSelector, shallowEqual } from 'react-redux';
 
-import { TimelineNonEcsData, Ecs } from '../../../../../graphql/types';
+import { Ecs } from '../../../../../../common/ecs';
+import { TimelineNonEcsData } from '../../../../../../common/search_strategy/timeline';
 import { Note } from '../../../../../common/lib/note';
 import { ColumnHeaderOptions } from '../../../../../timelines/store/timeline/model';
 import { AssociateNote, UpdateNote } from '../../../notes/helpers';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/index.tsx
index 64d55f8cf6c6a..0fc097de680e8 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/index.tsx
@@ -8,7 +8,10 @@ import React from 'react';
 
 import { inputsModel } from '../../../../../common/store';
 import { BrowserFields, DocValueFields } from '../../../../../common/containers/source';
-import { TimelineItem, TimelineNonEcsData } from '../../../../../graphql/types';
+import {
+  TimelineItem,
+  TimelineNonEcsData,
+} from '../../../../../../common/search_strategy/timeline';
 import { ColumnHeaderOptions } from '../../../../../timelines/store/timeline/model';
 import { Note } from '../../../../../common/lib/note';
 import { AddNoteToEvent, UpdateNote } from '../../../notes/helpers';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/stateful_event.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/stateful_event.tsx
index 9691327f2c988..d8cc8ddd2f15a 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/stateful_event.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/stateful_event.tsx
@@ -9,11 +9,13 @@ import { useSelector } from 'react-redux';
 import uuid from 'uuid';
 import VisibilitySensor from 'react-visibility-sensor';
 
-import { TimelineId } from '../../../../../../common/types/timeline';
 import { BrowserFields, DocValueFields } from '../../../../../common/containers/source';
-import { useTimelineDetails } from '../../../../containers/details';
-import { TimelineItem, TimelineNonEcsData } from '../../../../../graphql/types';
-import { DetailItem } from '../../../../../../common/search_strategy/timeline';
+import { useTimelineEventsDetails } from '../../../../containers/details';
+import {
+  TimelineEventsDetailsItem,
+  TimelineItem,
+  TimelineNonEcsData,
+} from '../../../../../../common/search_strategy/timeline';
 import { Note } from '../../../../../common/lib/note';
 import { ColumnHeaderOptions, TimelineModel } from '../../../../../timelines/store/timeline/model';
 import { AddNoteToEvent, UpdateNote } from '../../../notes/helpers';
@@ -68,7 +70,7 @@ interface Props {
 
 export const getNewNoteId = (): string => uuid.v4();
 
-const emptyDetails: DetailItem[] = [];
+const emptyDetails: TimelineEventsDetailsItem[] = [];
 
 /**
  * This is the default row height whenever it is a plain row renderer and not a custom row height.
@@ -135,14 +137,14 @@ const StatefulEventComponent: React.FC<Props> = ({
   const [expanded, setExpanded] = useState<{ [eventId: string]: boolean }>({});
   const [showNotes, setShowNotes] = useState<{ [eventId: string]: boolean }>({});
   const { status: timelineStatus } = useSelector<StoreState, TimelineModel>(
-    (state) => state.timeline.timelineById[TimelineId.active]
+    (state) => state.timeline.timelineById[timelineId]
   );
   const divElement = useRef<HTMLDivElement | null>(null);
-  const [loading, detailsData] = useTimelineDetails({
+  const [loading, detailsData] = useTimelineEventsDetails({
     docValueFields,
     indexName: event._index!,
     eventId: event._id,
-    executeQuery: !!expanded[event._id],
+    skip: !expanded[event._id],
   });
 
   const onToggleShowNotes = useCallback(() => {
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/helpers.test.ts b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/helpers.test.ts
index f4dc691f3d059..7e438b9ee6ccc 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/helpers.test.ts
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/helpers.test.ts
@@ -4,8 +4,6 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { Ecs } from '../../../../graphql/types';
-
 import {
   eventHasNotes,
   eventIsPinned,
@@ -14,6 +12,7 @@ import {
   stringifyEvent,
   isInvestigateInResolverActionEnabled,
 } from './helpers';
+import { Ecs } from '../../../../../common/ecs';
 import { TimelineType } from '../../../../../common/types/timeline';
 
 describe('helpers', () => {
@@ -145,11 +144,7 @@ describe('helpers', () => {
       };
       const toStringify: Ecs = {
         _id: '4',
-        timestamp: null,
-        host: {
-          name: null,
-          ip: null,
-        },
+        host: {},
         event: {
           id: ['4'],
           category: ['theory'],
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/helpers.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/helpers.tsx
index 5753efa2bf1bb..824a37f72ba59 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/helpers.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/helpers.tsx
@@ -8,7 +8,8 @@ import React, { useCallback, useMemo } from 'react';
 import { get, isEmpty } from 'lodash/fp';
 import { useDispatch } from 'react-redux';
 
-import { Ecs, TimelineItem, TimelineNonEcsData } from '../../../../graphql/types';
+import { Ecs } from '../../../../../common/ecs';
+import { TimelineItem, TimelineNonEcsData } from '../../../../../common/search_strategy';
 import { updateTimelineGraphEventId } from '../../../store/timeline/actions';
 import { EventType } from '../../../store/timeline/model';
 import { OnPinEvent, OnUnPinEvent } from '../events';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/index.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/index.test.tsx
index 657e1617e8d24..23a449cca972d 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/index.test.tsx
@@ -9,7 +9,7 @@ import { useSelector } from 'react-redux';
 
 import '../../../../common/mock/match_media';
 import { mockBrowserFields } from '../../../../common/containers/source/mock';
-import { Direction } from '../../../../graphql/types';
+import { Direction } from '../../../../../common/search_strategy';
 import { defaultHeaders, mockTimelineData, mockTimelineModel } from '../../../../common/mock';
 import { TestProviders } from '../../../../common/mock/test_providers';
 
@@ -70,7 +70,6 @@ describe('Body', () => {
     onColumnRemoved: jest.fn(),
     onColumnResized: jest.fn(),
     onColumnSorted: jest.fn(),
-    onFilterChange: jest.fn(),
     onPinEvent: jest.fn(),
     onRowSelected: jest.fn(),
     onSelectAll: jest.fn(),
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/index.tsx
index 40cc12afde51d..58c87c086df6e 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/index.tsx
@@ -8,7 +8,7 @@ import React, { useMemo, useRef } from 'react';
 
 import { inputsModel } from '../../../../common/store';
 import { BrowserFields, DocValueFields } from '../../../../common/containers/source';
-import { TimelineItem, TimelineNonEcsData } from '../../../../graphql/types';
+import { TimelineItem, TimelineNonEcsData } from '../../../../../common/search_strategy';
 import { Note } from '../../../../common/lib/note';
 import { ColumnHeaderOptions, EventType } from '../../../../timelines/store/timeline/model';
 import { AddNoteToEvent, UpdateNote } from '../../notes/helpers';
@@ -16,7 +16,6 @@ import {
   OnColumnRemoved,
   OnColumnResized,
   OnColumnSorted,
-  OnFilterChange,
   OnPinEvent,
   OnRowSelected,
   OnSelectAll,
@@ -53,7 +52,6 @@ export interface BodyProps {
   onColumnSorted: OnColumnSorted;
   onRowSelected: OnRowSelected;
   onSelectAll: OnSelectAll;
-  onFilterChange: OnFilterChange;
   onPinEvent: OnPinEvent;
   onUpdateColumns: OnUpdateColumns;
   onUnPinEvent: OnUnPinEvent;
@@ -99,7 +97,6 @@ export const Body = React.memo<BodyProps>(
     onColumnSorted,
     onRowSelected,
     onSelectAll,
-    onFilterChange,
     onPinEvent,
     onUpdateColumns,
     onUnPinEvent,
@@ -157,7 +154,6 @@ export const Body = React.memo<BodyProps>(
               onColumnRemoved={onColumnRemoved}
               onColumnResized={onColumnResized}
               onColumnSorted={onColumnSorted}
-              onFilterChange={onFilterChange}
               onSelectAll={onSelectAll}
               onUpdateColumns={onUpdateColumns}
               showEventsSelect={false}
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/__snapshots__/generic_details.test.tsx.snap b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/__snapshots__/generic_details.test.tsx.snap
index cf953ccef8f8e..8dd7452b5d900 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/__snapshots__/generic_details.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/__snapshots__/generic_details.test.tsx.snap
@@ -3,7 +3,6 @@
 exports[`GenericDetails rendering it renders the default AuditAcquiredCredsDetails 1`] = `
 <Details>
   <AuditdGenericLine
-    args={null}
     contextId="contextid-123"
     hostName="suricata-bangalore"
     id="22"
@@ -53,7 +52,6 @@ exports[`GenericDetails rendering it renders the default AuditAcquiredCredsDetai
             "how": Array [
               "/usr/sbin/sshd",
             ],
-            "message_type": null,
             "object": Object {
               "primary": Array [
                 "ssh",
@@ -65,10 +63,8 @@ exports[`GenericDetails rendering it renders the default AuditAcquiredCredsDetai
                 "user-session",
               ],
             },
-            "sequence": null,
           },
         },
-        "destination": null,
         "event": Object {
           "action": Array [
             "disposed-credentials",
@@ -76,14 +72,10 @@ exports[`GenericDetails rendering it renders the default AuditAcquiredCredsDetai
           "category": Array [
             "user-login",
           ],
-          "dataset": null,
-          "id": null,
           "module": Array [
             "auditd",
           ],
-          "severity": null,
         },
-        "geo": null,
         "host": Object {
           "id": Array [
             "0a63559c1acf4c419d979c4b4d8b83ff",
@@ -97,31 +89,20 @@ exports[`GenericDetails rendering it renders the default AuditAcquiredCredsDetai
             "suricata-bangalore",
           ],
         },
-        "http": null,
-        "network": null,
         "process": Object {
-          "args": null,
           "executable": Array [
             "/usr/sbin/sshd",
           ],
-          "name": null,
           "pid": Array [
             21202,
           ],
-          "ppid": null,
-          "title": null,
-          "working_directory": null,
         },
-        "source": null,
-        "suricata": null,
         "timestamp": "2019-03-13T03:35:21.614Z",
-        "url": null,
         "user": Object {
           "name": Array [
             "root",
           ],
         },
-        "zeek": null,
       }
     }
     timelineId="test"
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/__snapshots__/generic_file_details.test.tsx.snap b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/__snapshots__/generic_file_details.test.tsx.snap
index f6fbc771c954a..c811d0d7efece 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/__snapshots__/generic_file_details.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/__snapshots__/generic_file_details.test.tsx.snap
@@ -3,7 +3,6 @@
 exports[`GenericFileDetails rendering it renders the default GenericFileDetails 1`] = `
 <Details>
   <AuditdGenericFileLine
-    args={null}
     contextId="contextid-123"
     fileIcon="document"
     filePath="/proc/15990/attr/current"
@@ -29,7 +28,6 @@ exports[`GenericFileDetails rendering it renders the default GenericFileDetails
       Object {
         "_id": "28",
         "auditd": Object {
-          "data": null,
           "result": Array [
             "success",
           ],
@@ -48,20 +46,16 @@ exports[`GenericFileDetails rendering it renders the default GenericFileDetails
             "how": Array [
               "/lib/systemd/systemd-journald",
             ],
-            "message_type": null,
             "object": Object {
               "primary": Array [
                 "/proc/15990/attr/current",
               ],
-              "secondary": null,
               "type": Array [
                 "file",
               ],
             },
-            "sequence": null,
           },
         },
-        "destination": null,
         "event": Object {
           "action": Array [
             "opened-file",
@@ -69,19 +63,14 @@ exports[`GenericFileDetails rendering it renders the default GenericFileDetails
           "category": Array [
             "audit-rule",
           ],
-          "dataset": null,
-          "id": null,
           "module": Array [
             "auditd",
           ],
-          "severity": null,
         },
         "file": Object {
-          "ctime": null,
           "device": Array [
             "00:00",
           ],
-          "extension": null,
           "gid": Array [
             "0",
           ],
@@ -94,21 +83,16 @@ exports[`GenericFileDetails rendering it renders the default GenericFileDetails
           "mode": Array [
             "0666",
           ],
-          "mtime": null,
           "owner": Array [
             "root",
           ],
           "path": Array [
             "/proc/15990/attr/current",
           ],
-          "size": null,
-          "target_path": null,
-          "type": null,
           "uid": Array [
             "0",
           ],
         },
-        "geo": null,
         "host": Object {
           "id": Array [
             "7c21f5ed03b04d0299569d221fe18bbc",
@@ -122,10 +106,7 @@ exports[`GenericFileDetails rendering it renders the default GenericFileDetails
             "zeek-london",
           ],
         },
-        "http": null,
-        "network": null,
         "process": Object {
-          "args": null,
           "executable": Array [
             "/lib/systemd/systemd-journald",
           ],
@@ -145,16 +126,12 @@ exports[`GenericFileDetails rendering it renders the default GenericFileDetails
             "/",
           ],
         },
-        "source": null,
-        "suricata": null,
         "timestamp": "2019-03-26T22:12:18.609Z",
-        "url": null,
         "user": Object {
           "name": Array [
             "root",
           ],
         },
-        "zeek": null,
       }
     }
     timelineId="test"
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/__snapshots__/generic_row_renderer.test.tsx.snap b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/__snapshots__/generic_row_renderer.test.tsx.snap
index 784924e896673..63b65d3cf36be 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/__snapshots__/generic_row_renderer.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/__snapshots__/generic_row_renderer.test.tsx.snap
@@ -10,7 +10,6 @@ exports[`GenericRowRenderer #createGenericAuditRowRenderer renders correctly aga
         Object {
           "_id": "27",
           "auditd": Object {
-            "data": null,
             "result": Array [
               "success",
             ],
@@ -29,7 +28,6 @@ exports[`GenericRowRenderer #createGenericAuditRowRenderer renders correctly aga
               "how": Array [
                 "/usr/bin/wget",
               ],
-              "message_type": null,
               "object": Object {
                 "primary": Array [
                   "192.168.216.34",
@@ -41,7 +39,6 @@ exports[`GenericRowRenderer #createGenericAuditRowRenderer renders correctly aga
                   "socket",
                 ],
               },
-              "sequence": null,
             },
           },
           "destination": Object {
@@ -59,14 +56,10 @@ exports[`GenericRowRenderer #createGenericAuditRowRenderer renders correctly aga
             "category": Array [
               "audit-rule",
             ],
-            "dataset": null,
-            "id": null,
             "module": Array [
               "auditd",
             ],
-            "severity": null,
           },
-          "geo": null,
           "host": Object {
             "id": Array [
               "7c21f5ed03b04d0299569d221fe18bbc",
@@ -80,10 +73,7 @@ exports[`GenericRowRenderer #createGenericAuditRowRenderer renders correctly aga
               "zeek-london",
             ],
           },
-          "http": null,
-          "network": null,
           "process": Object {
-            "args": null,
             "executable": Array [
               "/usr/bin/wget",
             ],
@@ -99,18 +89,13 @@ exports[`GenericRowRenderer #createGenericAuditRowRenderer renders correctly aga
             "title": Array [
               "wget www.example.com",
             ],
-            "working_directory": null,
           },
-          "source": null,
-          "suricata": null,
           "timestamp": "2019-03-22T19:13:11.026Z",
-          "url": null,
           "user": Object {
             "name": Array [
               "alice",
             ],
           },
-          "zeek": null,
         }
       }
       text="connected using"
@@ -130,7 +115,6 @@ exports[`GenericRowRenderer #createGenericFileRowRenderer renders correctly agai
         Object {
           "_id": "28",
           "auditd": Object {
-            "data": null,
             "result": Array [
               "success",
             ],
@@ -149,20 +133,16 @@ exports[`GenericRowRenderer #createGenericFileRowRenderer renders correctly agai
               "how": Array [
                 "/lib/systemd/systemd-journald",
               ],
-              "message_type": null,
               "object": Object {
                 "primary": Array [
                   "/proc/15990/attr/current",
                 ],
-                "secondary": null,
                 "type": Array [
                   "file",
                 ],
               },
-              "sequence": null,
             },
           },
-          "destination": null,
           "event": Object {
             "action": Array [
               "opened-file",
@@ -170,19 +150,14 @@ exports[`GenericRowRenderer #createGenericFileRowRenderer renders correctly agai
             "category": Array [
               "audit-rule",
             ],
-            "dataset": null,
-            "id": null,
             "module": Array [
               "auditd",
             ],
-            "severity": null,
           },
           "file": Object {
-            "ctime": null,
             "device": Array [
               "00:00",
             ],
-            "extension": null,
             "gid": Array [
               "0",
             ],
@@ -195,21 +170,16 @@ exports[`GenericRowRenderer #createGenericFileRowRenderer renders correctly agai
             "mode": Array [
               "0666",
             ],
-            "mtime": null,
             "owner": Array [
               "root",
             ],
             "path": Array [
               "/proc/15990/attr/current",
             ],
-            "size": null,
-            "target_path": null,
-            "type": null,
             "uid": Array [
               "0",
             ],
           },
-          "geo": null,
           "host": Object {
             "id": Array [
               "7c21f5ed03b04d0299569d221fe18bbc",
@@ -223,10 +193,7 @@ exports[`GenericRowRenderer #createGenericFileRowRenderer renders correctly agai
               "zeek-london",
             ],
           },
-          "http": null,
-          "network": null,
           "process": Object {
-            "args": null,
             "executable": Array [
               "/lib/systemd/systemd-journald",
             ],
@@ -246,16 +213,12 @@ exports[`GenericRowRenderer #createGenericFileRowRenderer renders correctly agai
               "/",
             ],
           },
-          "source": null,
-          "suricata": null,
           "timestamp": "2019-03-26T22:12:18.609Z",
-          "url": null,
           "user": Object {
             "name": Array [
               "root",
             ],
           },
-          "zeek": null,
         }
       }
       fileIcon="document"
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_details.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_details.tsx
index 1e82519285da3..f1e8a5aafee7d 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_details.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_details.tsx
@@ -9,7 +9,7 @@ import { get } from 'lodash/fp';
 import React from 'react';
 
 import { BrowserFields } from '../../../../../../common/containers/source';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 import { DraggableBadge } from '../../../../../../common/components/draggables';
 
 import * as i18n from './translations';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_file_details.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_file_details.tsx
index d9149bae89190..ea3f20c2816db 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_file_details.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_file_details.tsx
@@ -9,7 +9,7 @@ import { get } from 'lodash/fp';
 import React from 'react';
 
 import { BrowserFields } from '../../../../../../common/containers/source';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 import { DraggableBadge } from '../../../../../../common/components/draggables';
 
 import * as i18n from './translations';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_row_renderer.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_row_renderer.test.tsx
index 1e314c0ebd281..415124d400446 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_row_renderer.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/auditd/generic_row_renderer.test.tsx
@@ -10,7 +10,7 @@ import React from 'react';
 
 import { BrowserFields } from '../../../../../../common/containers/source';
 import { mockBrowserFields } from '../../../../../../common/containers/source/mock';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 import { mockTimelineData, TestProviders } from '../../../../../../common/mock';
 import { useMountAppended } from '../../../../../../common/utils/use_mount_appended';
 import { RowRenderer } from '../row_renderer';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/column_renderer.ts b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/column_renderer.ts
index 4a89fea8c5106..c462841f7ea38 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/column_renderer.ts
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/column_renderer.ts
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { TimelineNonEcsData } from '../../../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../../../common/search_strategy/timeline';
 import { ColumnHeaderOptions } from '../../../../../timelines/store/timeline/model';
 
 export interface ColumnRenderer {
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/dns/dns_request_event_details.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/dns/dns_request_event_details.tsx
index 74ed5b2a6587f..7b89626467c11 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/dns/dns_request_event_details.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/dns/dns_request_event_details.tsx
@@ -10,7 +10,7 @@ import React from 'react';
 
 import { BrowserFields } from '../../../../../../common/containers/source';
 import { Details } from '../helpers';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 import { NetflowRenderer } from '../netflow';
 
 import { DnsRequestEventDetailsLine } from './dns_request_event_details_line';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/empty_column_renderer.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/empty_column_renderer.test.tsx
index 6c9dd5092e7c1..b614f93f6c02d 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/empty_column_renderer.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/empty_column_renderer.test.tsx
@@ -8,7 +8,7 @@ import { shallow } from 'enzyme';
 import { cloneDeep } from 'lodash/fp';
 import React from 'react';
 
-import { TimelineNonEcsData } from '../../../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../../../common/search_strategy/timeline';
 import { defaultHeaders, mockTimelineData, TestProviders } from '../../../../../common/mock';
 import '../../../../../common/mock/match_media';
 import { useMountAppended } from '../../../../../common/utils/use_mount_appended';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/empty_column_renderer.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/empty_column_renderer.tsx
index 5ffaa2898f63a..59eedd0cc9ffe 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/empty_column_renderer.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/empty_column_renderer.tsx
@@ -8,7 +8,7 @@
 
 import React from 'react';
 
-import { TimelineNonEcsData } from '../../../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../../../common/search_strategy/timeline';
 import { ColumnHeaderOptions } from '../../../../../timelines/store/timeline/model';
 import {
   DraggableWrapper,
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/endgame/endgame_security_event_details.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/endgame/endgame_security_event_details.tsx
index 11580e2536ff7..00846e7cc34af 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/endgame/endgame_security_event_details.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/endgame/endgame_security_event_details.tsx
@@ -9,7 +9,7 @@ import { get } from 'lodash/fp';
 import React from 'react';
 
 import { BrowserFields } from '../../../../../../common/containers/source';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 import { NetflowRenderer } from '../netflow';
 
 import { EndgameSecurityEventDetailsLine } from './endgame_security_event_details_line';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_column_renderer.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_column_renderer.test.tsx
index d1ed5e86e72e5..2a8f72aeaf2a4 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_column_renderer.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_column_renderer.test.tsx
@@ -9,7 +9,7 @@ import { cloneDeep } from 'lodash/fp';
 import React from 'react';
 
 import '../../../../../common/mock/match_media';
-import { TimelineNonEcsData } from '../../../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../../../common/search_strategy/timeline';
 import { mockTimelineData } from '../../../../../common/mock';
 import { TestProviders } from '../../../../../common/mock/test_providers';
 import { getEmptyValue } from '../../../../../common/components/empty_value';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_column_renderer.ts b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_column_renderer.ts
index e456e8c9f02f6..9bba170a34405 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_column_renderer.ts
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_column_renderer.ts
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { TimelineNonEcsData } from '../../../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../../../common/search_strategy/timeline';
 import { ColumnRenderer } from './column_renderer';
 
 const unhandledColumnRenderer = (): never => {
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_row_renderer.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_row_renderer.test.tsx
index 0c7fbd08ba98c..52b9b9a31fc99 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_row_renderer.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_row_renderer.test.tsx
@@ -10,7 +10,7 @@ import React from 'react';
 
 import '../../../../../common/mock/match_media';
 import { mockBrowserFields } from '../../../../../common/containers/source/mock';
-import { Ecs } from '../../../../../graphql/types';
+import { Ecs } from '../../../../../../common/ecs';
 import { mockTimelineData } from '../../../../../common/mock';
 import { TestProviders } from '../../../../../common/mock/test_providers';
 import { useMountAppended } from '../../../../../common/utils/use_mount_appended';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_row_renderer.ts b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_row_renderer.ts
index 778246aeb1815..779d54216e26c 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_row_renderer.ts
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/get_row_renderer.ts
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { Ecs } from '../../../../../graphql/types';
+import { Ecs } from '../../../../../../common/ecs';
 import { RowRenderer } from './row_renderer';
 
 const unhandledRowRenderer = (): never => {
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/helpers.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/helpers.test.tsx
index 162db69416b53..7cccae2f474c2 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/helpers.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/helpers.test.tsx
@@ -6,7 +6,7 @@
 
 import { cloneDeep } from 'lodash/fp';
 
-import { TimelineNonEcsData } from '../../../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../../../common/search_strategy/timeline';
 import { mockTimelineData } from '../../../../../common/mock';
 import {
   deleteItemIdx,
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/helpers.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/helpers.tsx
index 16c2f989a8107..8042a66cd5428 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/helpers.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/helpers.tsx
@@ -8,7 +8,7 @@ import { EuiFlexItem } from '@elastic/eui';
 import { isNumber, isEmpty } from 'lodash/fp';
 import styled from 'styled-components';
 
-import { TimelineNonEcsData } from '../../../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../../../common/search_strategy/timeline';
 
 export const deleteItemIdx = (data: TimelineNonEcsData[], idx: number) => [
   ...data.slice(0, idx),
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/netflow.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/netflow.tsx
index 0492450df5134..ddd427bf9ca06 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/netflow.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/netflow.tsx
@@ -7,7 +7,7 @@
 import { get } from 'lodash/fp';
 import React from 'react';
 
-import { Ecs } from '../../../../../graphql/types';
+import { Ecs } from '../../../../../../common/ecs';
 import { asArrayIfExists } from '../../../../../common/lib/helpers';
 import {
   TLS_CLIENT_CERTIFICATE_FINGERPRINT_SHA1_FIELD_NAME,
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/netflow/netflow_row_renderer.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/netflow/netflow_row_renderer.test.tsx
index 8a8b40198bdba..3528081a20f6b 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/netflow/netflow_row_renderer.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/netflow/netflow_row_renderer.test.tsx
@@ -10,7 +10,7 @@ import React from 'react';
 import '../../../../../../common/mock/match_media';
 import { BrowserFields } from '../../../../../../common/containers/source';
 import { mockBrowserFields } from '../../../../../../common/containers/source/mock';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 import { getMockNetflowData, TestProviders } from '../../../../../../common/mock';
 import { useMountAppended } from '../../../../../../common/utils/use_mount_appended';
 
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/plain_column_renderer.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/plain_column_renderer.test.tsx
index 9199278c57f7a..0d0b011c0b438 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/plain_column_renderer.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/plain_column_renderer.test.tsx
@@ -9,7 +9,7 @@ import { cloneDeep } from 'lodash/fp';
 import React from 'react';
 
 import '../../../../../common/mock/match_media';
-import { TimelineNonEcsData } from '../../../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../../../common/search_strategy/timeline';
 import { defaultHeaders, mockTimelineData, TestProviders } from '../../../../../common/mock';
 import { getEmptyValue } from '../../../../../common/components/empty_value';
 import { useMountAppended } from '../../../../../common/utils/use_mount_appended';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/plain_column_renderer.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/plain_column_renderer.tsx
index 989c8015b796d..013ea1d6abb83 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/plain_column_renderer.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/plain_column_renderer.tsx
@@ -7,7 +7,7 @@
 import { head } from 'lodash/fp';
 import React from 'react';
 
-import { TimelineNonEcsData } from '../../../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../../../common/search_strategy/timeline';
 import { ColumnHeaderOptions } from '../../../../../timelines/store/timeline/model';
 import { getEmptyTagValue } from '../../../../../common/components/empty_value';
 import { ColumnRenderer } from './column_renderer';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/plain_row_renderer.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/plain_row_renderer.test.tsx
index 82d42988ef34f..a914d31ff93c5 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/plain_row_renderer.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/plain_row_renderer.test.tsx
@@ -11,7 +11,7 @@ import React from 'react';
 import { ThemeProvider } from 'styled-components';
 
 import { mockBrowserFields } from '../../../../../common/containers/source/mock';
-import { Ecs } from '../../../../../graphql/types';
+import { Ecs } from '../../../../../../common/ecs';
 import { mockTimelineData } from '../../../../../common/mock';
 import { plainRowRenderer } from './plain_row_renderer';
 
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/row_renderer.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/row_renderer.tsx
index 609e9dba1a46e..c4f8d35a5544f 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/row_renderer.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/row_renderer.tsx
@@ -8,7 +8,7 @@ import React from 'react';
 
 import { BrowserFields } from '../../../../../common/containers/source';
 import type { RowRendererId } from '../../../../../../common/types/timeline';
-import { Ecs } from '../../../../../graphql/types';
+import { Ecs } from '../../../../../../common/ecs';
 import { EventsTrSupplement } from '../../styles';
 
 interface RowRendererContainerProps {
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/suricata/suricata_details.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/suricata/suricata_details.tsx
index c21b609a0f91e..891780d7df520 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/suricata/suricata_details.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/suricata/suricata_details.tsx
@@ -10,7 +10,7 @@ import React from 'react';
 import styled from 'styled-components';
 
 import { BrowserFields } from '../../../../../../common/containers/source';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 
 import { NetflowRenderer } from '../netflow';
 import { SuricataSignature } from './suricata_signature';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/suricata/suricata_row_renderer.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/suricata/suricata_row_renderer.test.tsx
index 7d700732a6409..bed2171715380 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/suricata/suricata_row_renderer.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/suricata/suricata_row_renderer.test.tsx
@@ -9,7 +9,7 @@ import { cloneDeep } from 'lodash/fp';
 import React from 'react';
 
 import { mockBrowserFields } from '../../../../../../common/containers/source/mock';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 import { mockTimelineData } from '../../../../../../common/mock';
 import '../../../../../../common/mock/match_media';
 import { TestProviders } from '../../../../../../common/mock/test_providers';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/__snapshots__/generic_details.test.tsx.snap b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/__snapshots__/generic_details.test.tsx.snap
index 177a3531e5d7b..3952f05d34d25 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/__snapshots__/generic_details.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/__snapshots__/generic_details.test.tsx.snap
@@ -19,40 +19,23 @@ exports[`SystemGenericDetails rendering it renders the default SystemGenericDeta
     data={
       Object {
         "_id": "29",
-        "auditd": null,
-        "destination": null,
         "event": Object {
           "action": Array [
             "user_login",
           ],
-          "category": null,
-          "created": null,
           "dataset": Array [
             "login",
           ],
-          "duration": null,
-          "end": null,
-          "hash": null,
-          "id": null,
           "kind": Array [
             "event",
           ],
           "module": Array [
             "system",
           ],
-          "original": null,
           "outcome": Array [
             "failure",
           ],
-          "risk_score": null,
-          "risk_score_norm": null,
-          "severity": null,
-          "start": null,
-          "timezone": null,
-          "type": null,
         },
-        "file": null,
-        "geo": null,
         "host": Object {
           "id": Array [
             "7c21f5ed03b04d0299569d221fe18bbc",
@@ -66,38 +49,21 @@ exports[`SystemGenericDetails rendering it renders the default SystemGenericDeta
             "zeek-london",
           ],
         },
-        "http": null,
-        "network": null,
         "process": Object {
-          "args": null,
-          "executable": null,
-          "name": null,
           "pid": Array [
             6278,
           ],
-          "ppid": null,
-          "title": null,
-          "working_directory": null,
         },
         "source": Object {
-          "bytes": null,
-          "geo": null,
           "ip": Array [
             "128.199.212.120",
           ],
-          "packets": null,
-          "port": null,
         },
-        "suricata": null,
-        "system": null,
-        "tls": null,
-        "url": null,
         "user": Object {
           "name": Array [
             "Braden",
           ],
         },
-        "zeek": null,
       }
     }
     timelineId="test"
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/__snapshots__/generic_file_details.test.tsx.snap b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/__snapshots__/generic_file_details.test.tsx.snap
index 19b7f8b6f77c6..8045ce95ca272 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/__snapshots__/generic_file_details.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/__snapshots__/generic_file_details.test.tsx.snap
@@ -3,7 +3,6 @@
 exports[`SystemGenericFileDetails rendering it renders the default SystemGenericDetails 1`] = `
 <Details>
   <SystemGenericFileLine
-    args={null}
     contextId="[contextid-123]"
     eventAction="process_started"
     hostName="zeek-london"
@@ -22,40 +21,23 @@ exports[`SystemGenericFileDetails rendering it renders the default SystemGeneric
     data={
       Object {
         "_id": "30",
-        "auditd": null,
-        "destination": null,
         "event": Object {
           "action": Array [
             "process_started",
           ],
-          "category": null,
-          "created": null,
           "dataset": Array [
             "login",
           ],
-          "duration": null,
-          "end": null,
-          "hash": null,
-          "id": null,
           "kind": Array [
             "event",
           ],
           "module": Array [
             "system",
           ],
-          "original": null,
           "outcome": Array [
             "failure",
           ],
-          "risk_score": null,
-          "risk_score_norm": null,
-          "severity": null,
-          "start": null,
-          "timezone": null,
-          "type": null,
         },
-        "file": null,
-        "geo": null,
         "host": Object {
           "id": Array [
             "7c21f5ed03b04d0299569d221fe18bbc",
@@ -69,38 +51,21 @@ exports[`SystemGenericFileDetails rendering it renders the default SystemGeneric
             "zeek-london",
           ],
         },
-        "http": null,
-        "network": null,
         "process": Object {
-          "args": null,
-          "executable": null,
-          "name": null,
           "pid": Array [
             6278,
           ],
-          "ppid": null,
-          "title": null,
-          "working_directory": null,
         },
         "source": Object {
-          "bytes": null,
-          "geo": null,
           "ip": Array [
             "128.199.212.120",
           ],
-          "packets": null,
-          "port": null,
         },
-        "suricata": null,
-        "system": null,
-        "tls": null,
-        "url": null,
         "user": Object {
           "name": Array [
             "Evan",
           ],
         },
-        "zeek": null,
       }
     }
     timelineId="test"
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/__snapshots__/generic_row_renderer.test.tsx.snap b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/__snapshots__/generic_row_renderer.test.tsx.snap
index 6fff32925abf3..d2c405a46acf8 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/__snapshots__/generic_row_renderer.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/__snapshots__/generic_row_renderer.test.tsx.snap
@@ -9,40 +9,23 @@ exports[`GenericRowRenderer #createGenericFileRowRenderer renders correctly agai
       data={
         Object {
           "_id": "29",
-          "auditd": null,
-          "destination": null,
           "event": Object {
             "action": Array [
               "user_login",
             ],
-            "category": null,
-            "created": null,
             "dataset": Array [
               "login",
             ],
-            "duration": null,
-            "end": null,
-            "hash": null,
-            "id": null,
             "kind": Array [
               "event",
             ],
             "module": Array [
               "system",
             ],
-            "original": null,
             "outcome": Array [
               "failure",
             ],
-            "risk_score": null,
-            "risk_score_norm": null,
-            "severity": null,
-            "start": null,
-            "timezone": null,
-            "type": null,
           },
-          "file": null,
-          "geo": null,
           "host": Object {
             "id": Array [
               "7c21f5ed03b04d0299569d221fe18bbc",
@@ -56,38 +39,21 @@ exports[`GenericRowRenderer #createGenericFileRowRenderer renders correctly agai
               "zeek-london",
             ],
           },
-          "http": null,
-          "network": null,
           "process": Object {
-            "args": null,
-            "executable": null,
-            "name": null,
             "pid": Array [
               6278,
             ],
-            "ppid": null,
-            "title": null,
-            "working_directory": null,
           },
           "source": Object {
-            "bytes": null,
-            "geo": null,
             "ip": Array [
               "128.199.212.120",
             ],
-            "packets": null,
-            "port": null,
           },
-          "suricata": null,
-          "system": null,
-          "tls": null,
-          "url": null,
           "user": Object {
             "name": Array [
               "Braden",
             ],
           },
-          "zeek": null,
         }
       }
       text="some text"
@@ -106,40 +72,23 @@ exports[`GenericRowRenderer #createGenericSystemRowRenderer renders correctly ag
       data={
         Object {
           "_id": "30",
-          "auditd": null,
-          "destination": null,
           "event": Object {
             "action": Array [
               "process_started",
             ],
-            "category": null,
-            "created": null,
             "dataset": Array [
               "login",
             ],
-            "duration": null,
-            "end": null,
-            "hash": null,
-            "id": null,
             "kind": Array [
               "event",
             ],
             "module": Array [
               "system",
             ],
-            "original": null,
             "outcome": Array [
               "failure",
             ],
-            "risk_score": null,
-            "risk_score_norm": null,
-            "severity": null,
-            "start": null,
-            "timezone": null,
-            "type": null,
           },
-          "file": null,
-          "geo": null,
           "host": Object {
             "id": Array [
               "7c21f5ed03b04d0299569d221fe18bbc",
@@ -153,38 +102,21 @@ exports[`GenericRowRenderer #createGenericSystemRowRenderer renders correctly ag
               "zeek-london",
             ],
           },
-          "http": null,
-          "network": null,
           "process": Object {
-            "args": null,
-            "executable": null,
-            "name": null,
             "pid": Array [
               6278,
             ],
-            "ppid": null,
-            "title": null,
-            "working_directory": null,
           },
           "source": Object {
-            "bytes": null,
-            "geo": null,
             "ip": Array [
               "128.199.212.120",
             ],
-            "packets": null,
-            "port": null,
           },
-          "suricata": null,
-          "system": null,
-          "tls": null,
-          "url": null,
           "user": Object {
             "name": Array [
               "Evan",
             ],
           },
-          "zeek": null,
         }
       }
       text="some text"
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/generic_details.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/generic_details.tsx
index e849732d07f6f..2c7920ce4f1aa 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/generic_details.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/generic_details.tsx
@@ -9,7 +9,7 @@ import { get } from 'lodash/fp';
 import React from 'react';
 
 import { BrowserFields } from '../../../../../../common/containers/source';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 import { DraggableBadge } from '../../../../../../common/components/draggables';
 import { OverflowField } from '../../../../../../common/components/tables/helpers';
 
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/generic_file_details.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/generic_file_details.tsx
index 3a95c0ea927c8..56c48d4ad9a18 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/generic_file_details.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/generic_file_details.tsx
@@ -9,7 +9,7 @@ import { get } from 'lodash/fp';
 import React from 'react';
 
 import { BrowserFields } from '../../../../../../common/containers/source';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 import { DraggableBadge } from '../../../../../../common/components/draggables';
 import { OverflowField } from '../../../../../../common/components/tables/helpers';
 
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/generic_row_renderer.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/generic_row_renderer.test.tsx
index bb997b9689270..6c2e9ad7535a1 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/generic_row_renderer.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/system/generic_row_renderer.test.tsx
@@ -10,7 +10,7 @@ import React from 'react';
 
 import { BrowserFields } from '../../../../../../common/containers/source';
 import { mockBrowserFields } from '../../../../../../common/containers/source/mock';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 import {
   mockDnsEvent,
   mockFimFileCreatedEvent,
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/unknown_column_renderer.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/unknown_column_renderer.test.tsx
index 856b7ca570f3c..0f4f8d1539a9e 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/unknown_column_renderer.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/unknown_column_renderer.test.tsx
@@ -10,7 +10,7 @@ import { cloneDeep } from 'lodash';
 import React from 'react';
 import { ThemeProvider } from 'styled-components';
 
-import { TimelineNonEcsData } from '../../../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../../../common/search_strategy/timeline';
 import { defaultHeaders, mockTimelineData } from '../../../../../common/mock';
 import { getEmptyValue } from '../../../../../common/components/empty_value';
 import { unknownColumnRenderer } from './unknown_column_renderer';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_details.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_details.tsx
index 4f991429d6a4d..8b691ad557d89 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_details.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_details.tsx
@@ -9,7 +9,7 @@ import React from 'react';
 import styled from 'styled-components';
 
 import { BrowserFields } from '../../../../../../common/containers/source';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 
 import { NetflowRenderer } from '../netflow';
 import { ZeekSignature } from './zeek_signature';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_row_renderer.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_row_renderer.test.tsx
index 23c38f83b89d4..9c08fbacafcdc 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_row_renderer.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_row_renderer.test.tsx
@@ -9,7 +9,7 @@ import { cloneDeep } from 'lodash/fp';
 import React from 'react';
 
 import { mockBrowserFields } from '../../../../../../common/containers/source/mock';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 import { mockTimelineData, TestProviders } from '../../../../../../common/mock';
 import '../../../../../../common/mock/match_media';
 import { useMountAppended } from '../../../../../../common/utils/use_mount_appended';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_signature.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_signature.test.tsx
index 3b1ce431bfc87..efa22cb2c5617 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_signature.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_signature.test.tsx
@@ -9,7 +9,7 @@ import { cloneDeep } from 'lodash/fp';
 import React from 'react';
 
 import '../../../../../../common/mock/match_media';
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 import { mockTimelineData, TestProviders } from '../../../../../../common/mock';
 import { useMountAppended } from '../../../../../../common/utils/use_mount_appended';
 import {
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_signature.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_signature.tsx
index 74f75a0a73386..07e32a9a4e5d1 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_signature.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/zeek/zeek_signature.tsx
@@ -9,7 +9,7 @@ import { get } from 'lodash/fp';
 import React from 'react';
 import styled from 'styled-components';
 
-import { Ecs } from '../../../../../../graphql/types';
+import { Ecs } from '../../../../../../../common/ecs';
 import {
   DragEffects,
   DraggableWrapper,
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/stateful_body.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/stateful_body.tsx
index 9b7b896a2ec69..ef5689f494cd0 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/stateful_body.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/stateful_body.tsx
@@ -4,7 +4,6 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { noop } from 'lodash/fp';
 import memoizeOne from 'memoize-one';
 import React, { useCallback, useEffect, useMemo } from 'react';
 import { connect, ConnectedProps } from 'react-redux';
@@ -12,7 +11,7 @@ import deepEqual from 'fast-deep-equal';
 
 import { RowRendererId, TimelineId } from '../../../../../common/types/timeline';
 import { BrowserFields, DocValueFields } from '../../../../common/containers/source';
-import { TimelineItem } from '../../../../graphql/types';
+import { TimelineItem } from '../../../../../common/search_strategy/timeline';
 import { Note } from '../../../../common/lib/note';
 import { appSelectors, inputsModel, State } from '../../../../common/store';
 import { appActions } from '../../../../common/store/actions';
@@ -209,7 +208,6 @@ const StatefulBodyComponent = React.memo<StatefulBodyComponentProps>(
         onColumnSorted={onColumnSorted}
         onRowSelected={onRowSelected}
         onSelectAll={onSelectAll}
-        onFilterChange={noop} // TODO: this is the callback for column filters, which is out scope for this phase of delivery
         onPinEvent={onPinEvent}
         onUnPinEvent={onUnPinEvent}
         onUpdateColumns={onUpdateColumns}
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/events.ts b/x-pack/plugins/security_solution/public/timelines/components/timeline/events.ts
index 4653880739c6d..f894ac4e73939 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/events.ts
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/events.ts
@@ -74,7 +74,7 @@ export type OnColumnResized = ({ columnId, delta }: { columnId: ColumnId; delta:
 export type OnChangeItemsPerPage = (itemsPerPage: number) => void;
 
 /** Invoked when a user clicks to load more item */
-export type OnLoadMore = (cursor: string, tieBreaker: string) => void;
+export type OnChangePage = (nextPage: number) => void;
 
 export type OnChangeDroppableAndProvider = (providerId: string) => void;
 
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/expandable_event/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/expandable_event/index.tsx
index 49f17db242f75..b1f48608346c7 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/expandable_event/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/expandable_event/index.tsx
@@ -9,7 +9,7 @@ import styled from 'styled-components';
 
 import { BrowserFields } from '../../../../common/containers/source';
 import { ColumnHeaderOptions } from '../../../../timelines/store/timeline/model';
-import { DetailItem } from '../../../../../common/search_strategy/timeline';
+import { TimelineEventsDetailsItem } from '../../../../../common/search_strategy/timeline';
 import { StatefulEventDetails } from '../../../../common/components/event_details/stateful_event_details';
 import { LazyAccordion } from '../../lazy_accordion';
 import { OnUpdateColumns } from '../events';
@@ -31,7 +31,7 @@ interface Props {
   browserFields: BrowserFields;
   columnHeaders: ColumnHeaderOptions[];
   id: string;
-  event: DetailItem[];
+  event: TimelineEventsDetailsItem[];
   forceExpand?: boolean;
   hideExpandButton?: boolean;
   onEventToggled: () => void;
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/__snapshots__/index.test.tsx.snap b/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/__snapshots__/index.test.tsx.snap
index f155b379227f0..f81934f9a1d91 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/__snapshots__/index.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/__snapshots__/index.test.tsx.snap
@@ -27,8 +27,8 @@ exports[`Footer Timeline Component rendering it renders the default timeline foo
       >
         <EventsCount
           closePopover={[Function]}
-          documentType="events match the search criteria"
-          footerText="events match the search criteria"
+          documentType="events"
+          footerText="events"
           isOpen={false}
           items={
             Array [
@@ -73,10 +73,11 @@ exports[`Footer Timeline Component rendering it renders the default timeline foo
       grow={false}
     >
       <PagingControl
+        activePage={0}
         data-test-subj="paging-control"
-        hasNextPage={true}
         isLoading={false}
-        loadMore={[Function]}
+        onPageClick={[Function]}
+        totalPages={2}
       />
     </EuiFlexItem>
     <EuiFlexItem
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/index.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/index.test.tsx
index 6675ff493d563..01e5202d03332 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/index.test.tsx
@@ -5,7 +5,6 @@
  */
 
 import { mount, shallow } from 'enzyme';
-import { getOr } from 'lodash/fp';
 import React from 'react';
 
 import { TestProviders } from '../../../../common/mock/test_providers';
@@ -16,14 +15,14 @@ import { mockData } from './mock';
 describe('Footer Timeline Component', () => {
   const loadMore = jest.fn();
   const onChangeItemsPerPage = jest.fn();
-  const getUpdatedAt = () => 1546878704036;
+  const updatedAt = 1546878704036;
 
   describe('rendering', () => {
     test('it renders the default timeline footer', () => {
       const wrapper = shallow(
         <FooterComponent
-          getUpdatedAt={getUpdatedAt}
-          hasNextPage={getOr(false, 'hasNextPage', mockData.Events.pageInfo)!}
+          activePage={0}
+          updatedAt={updatedAt}
           height={100}
           id={'timeline-id'}
           isLive={false}
@@ -31,11 +30,10 @@ describe('Footer Timeline Component', () => {
           itemsCount={mockData.Events.edges.length}
           itemsPerPage={2}
           itemsPerPageOptions={[1, 5, 10, 20]}
-          nextCursor={getOr(null, 'endCursor.value', mockData.Events.pageInfo)!}
           onChangeItemsPerPage={onChangeItemsPerPage}
-          onLoadMore={loadMore}
+          onChangePage={loadMore}
           serverSideEventCount={mockData.Events.totalCount}
-          tieBreaker={getOr(null, 'endCursor.tiebreaker', mockData.Events.pageInfo)}
+          totalPages={2}
         />
       );
 
@@ -45,8 +43,8 @@ describe('Footer Timeline Component', () => {
     test('it renders the loading panel at the beginning ', () => {
       const wrapper = mount(
         <FooterComponent
-          getUpdatedAt={getUpdatedAt}
-          hasNextPage={false}
+          activePage={0}
+          updatedAt={updatedAt}
           height={100}
           id={'timeline-id'}
           isLive={false}
@@ -54,11 +52,10 @@ describe('Footer Timeline Component', () => {
           itemsCount={mockData.Events.edges.length}
           itemsPerPage={2}
           itemsPerPageOptions={[1, 5, 10, 20]}
-          nextCursor={getOr(null, 'endCursor.value', mockData.Events.pageInfo)!}
           onChangeItemsPerPage={onChangeItemsPerPage}
-          onLoadMore={loadMore}
+          onChangePage={loadMore}
           serverSideEventCount={mockData.Events.totalCount}
-          tieBreaker={getOr(null, 'endCursor.tiebreaker', mockData.Events.pageInfo)}
+          totalPages={2}
         />
       );
 
@@ -69,8 +66,8 @@ describe('Footer Timeline Component', () => {
       const wrapper = mount(
         <TestProviders>
           <FooterComponent
-            getUpdatedAt={getUpdatedAt}
-            hasNextPage={getOr(false, 'hasNextPage', mockData.Events.pageInfo)!}
+            activePage={0}
+            updatedAt={updatedAt}
             height={100}
             id={'timeline-id'}
             isLive={false}
@@ -78,50 +75,50 @@ describe('Footer Timeline Component', () => {
             itemsCount={mockData.Events.edges.length}
             itemsPerPage={2}
             itemsPerPageOptions={[1, 5, 10, 20]}
-            nextCursor={getOr(null, 'endCursor.value', mockData.Events.pageInfo)!}
             onChangeItemsPerPage={onChangeItemsPerPage}
-            onLoadMore={loadMore}
+            onChangePage={loadMore}
             serverSideEventCount={mockData.Events.totalCount}
-            tieBreaker={getOr(null, 'endCursor.tiebreaker', mockData.Events.pageInfo)}
+            totalPages={2}
           />
         </TestProviders>
       );
 
-      expect(wrapper.find('[data-test-subj="TimelineMoreButton"]').exists()).toBeTruthy();
+      expect(wrapper.find('[data-test-subj="timeline-pagination"]').exists()).toBeTruthy();
     });
 
     test('it renders the Loading... in the more load button when fetching new data', () => {
       const wrapper = shallow(
         <PagingControlComponent
-          hasNextPage={getOr(false, 'hasNextPage', mockData.Events.pageInfo)!}
-          loadMore={loadMore}
+          activePage={0}
+          totalPages={3}
+          onPageClick={loadMore}
           isLoading={true}
         />
       );
 
-      const loadButton = wrapper.find('[data-test-subj="TimelineMoreButton"]').dive().text();
+      const loadButton = wrapper.text();
       expect(wrapper.find('[data-test-subj="LoadingPanelTimeline"]').exists()).toBeFalsy();
       expect(loadButton).toContain('Loading...');
     });
 
-    test('it renders the Load More in the more load button when fetching new data', () => {
+    test('it renders the Pagination in the more load button when fetching new data', () => {
       const wrapper = shallow(
         <PagingControlComponent
-          hasNextPage={getOr(false, 'hasNextPage', mockData.Events.pageInfo)!}
-          loadMore={loadMore}
+          activePage={0}
+          totalPages={3}
+          onPageClick={loadMore}
           isLoading={false}
         />
       );
 
-      const loadButton = wrapper.find('[data-test-subj="TimelineMoreButton"]').dive().text();
-      expect(loadButton).toContain('Load more');
+      expect(wrapper.find('[data-test-subj="timeline-pagination"]').exists()).toBeTruthy();
     });
 
     test('it does NOT render the loadMore button because there is nothing else to fetch', () => {
       const wrapper = mount(
         <FooterComponent
-          getUpdatedAt={getUpdatedAt}
-          hasNextPage={false}
+          activePage={0}
+          updatedAt={updatedAt}
           height={100}
           id={'timeline-id'}
           isLive={false}
@@ -129,23 +126,22 @@ describe('Footer Timeline Component', () => {
           itemsCount={mockData.Events.edges.length}
           itemsPerPage={2}
           itemsPerPageOptions={[1, 5, 10, 20]}
-          nextCursor={getOr(null, 'endCursor.value', mockData.Events.pageInfo)!}
           onChangeItemsPerPage={onChangeItemsPerPage}
-          onLoadMore={loadMore}
+          onChangePage={loadMore}
           serverSideEventCount={mockData.Events.totalCount}
-          tieBreaker={getOr(null, 'endCursor.tiebreaker', mockData.Events.pageInfo)}
+          totalPages={2}
         />
       );
 
-      expect(wrapper.find('[data-test-subj="TimelineMoreButton"]').exists()).toBeFalsy();
+      expect(wrapper.find('[data-test-subj="timeline-pagination"]').exists()).toBeFalsy();
     });
 
     test('it render popover to select new itemsPerPage in timeline', () => {
       const wrapper = mount(
         <TestProviders>
           <FooterComponent
-            getUpdatedAt={getUpdatedAt}
-            hasNextPage={getOr(false, 'hasNextPage', mockData.Events.pageInfo)!}
+            activePage={0}
+            updatedAt={updatedAt}
             height={100}
             id={'timeline-id'}
             isLive={false}
@@ -153,11 +149,10 @@ describe('Footer Timeline Component', () => {
             itemsCount={mockData.Events.edges.length}
             itemsPerPage={1}
             itemsPerPageOptions={[1, 5, 10, 20]}
-            nextCursor={getOr(null, 'endCursor.value', mockData.Events.pageInfo)!}
             onChangeItemsPerPage={onChangeItemsPerPage}
-            onLoadMore={loadMore}
+            onChangePage={loadMore}
             serverSideEventCount={mockData.Events.totalCount}
-            tieBreaker={getOr(null, 'endCursor.tiebreaker', mockData.Events.pageInfo)}
+            totalPages={2}
           />
         </TestProviders>
       );
@@ -172,8 +167,8 @@ describe('Footer Timeline Component', () => {
       const wrapper = mount(
         <TestProviders>
           <FooterComponent
-            getUpdatedAt={getUpdatedAt}
-            hasNextPage={getOr(false, 'hasNextPage', mockData.Events.pageInfo)!}
+            activePage={0}
+            updatedAt={updatedAt}
             height={100}
             id={'timeline-id'}
             isLive={false}
@@ -181,17 +176,15 @@ describe('Footer Timeline Component', () => {
             itemsCount={mockData.Events.edges.length}
             itemsPerPage={2}
             itemsPerPageOptions={[1, 5, 10, 20]}
-            nextCursor={getOr(null, 'endCursor.value', mockData.Events.pageInfo)!}
             onChangeItemsPerPage={onChangeItemsPerPage}
-            onLoadMore={loadMore}
+            onChangePage={loadMore}
             serverSideEventCount={mockData.Events.totalCount}
-            tieBreaker={getOr(null, 'endCursor.tiebreaker', mockData.Events.pageInfo)}
+            totalPages={2}
           />
         </TestProviders>
       );
 
-      wrapper.find('[data-test-subj="TimelineMoreButton"]').first().simulate('click');
-
+      wrapper.find('[data-test-subj="pagination-button-next"]').first().simulate('click');
       expect(loadMore).toBeCalled();
     });
 
@@ -199,8 +192,8 @@ describe('Footer Timeline Component', () => {
       const wrapper = mount(
         <TestProviders>
           <FooterComponent
-            getUpdatedAt={getUpdatedAt}
-            hasNextPage={getOr(false, 'hasNextPage', mockData.Events.pageInfo)!}
+            activePage={0}
+            updatedAt={updatedAt}
             height={100}
             id={'timeline-id'}
             isLive={false}
@@ -208,11 +201,10 @@ describe('Footer Timeline Component', () => {
             itemsCount={mockData.Events.edges.length}
             itemsPerPage={1}
             itemsPerPageOptions={[1, 5, 10, 20]}
-            nextCursor={getOr(null, 'endCursor.value', mockData.Events.pageInfo)!}
             onChangeItemsPerPage={onChangeItemsPerPage}
-            onLoadMore={loadMore}
+            onChangePage={loadMore}
             serverSideEventCount={mockData.Events.totalCount}
-            tieBreaker={getOr(null, 'endCursor.tiebreaker', mockData.Events.pageInfo)}
+            totalPages={2}
           />
         </TestProviders>
       );
@@ -227,8 +219,8 @@ describe('Footer Timeline Component', () => {
       const wrapper = mount(
         <TestProviders>
           <FooterComponent
-            getUpdatedAt={getUpdatedAt}
-            hasNextPage={getOr(false, 'hasNextPage', mockData.Events.pageInfo)!}
+            activePage={0}
+            updatedAt={updatedAt}
             height={100}
             id={'timeline-id'}
             isLive={true}
@@ -236,11 +228,10 @@ describe('Footer Timeline Component', () => {
             itemsCount={mockData.Events.edges.length}
             itemsPerPage={2}
             itemsPerPageOptions={[1, 5, 10, 20]}
-            nextCursor={getOr(null, 'endCursor.value', mockData.Events.pageInfo)!}
             onChangeItemsPerPage={onChangeItemsPerPage}
-            onLoadMore={loadMore}
+            onChangePage={loadMore}
             serverSideEventCount={mockData.Events.totalCount}
-            tieBreaker={getOr(null, 'endCursor.tiebreaker', mockData.Events.pageInfo)}
+            totalPages={2}
           />
         </TestProviders>
       );
@@ -253,8 +244,8 @@ describe('Footer Timeline Component', () => {
       const wrapper = mount(
         <TestProviders>
           <FooterComponent
-            getUpdatedAt={getUpdatedAt}
-            hasNextPage={getOr(false, 'hasNextPage', mockData.Events.pageInfo)!}
+            activePage={0}
+            updatedAt={updatedAt}
             height={100}
             id={'timeline-id'}
             isLive={false}
@@ -262,11 +253,10 @@ describe('Footer Timeline Component', () => {
             itemsCount={mockData.Events.edges.length}
             itemsPerPage={2}
             itemsPerPageOptions={[1, 5, 10, 20]}
-            nextCursor={getOr(null, 'endCursor.value', mockData.Events.pageInfo)!}
             onChangeItemsPerPage={onChangeItemsPerPage}
-            onLoadMore={loadMore}
+            onChangePage={loadMore}
             serverSideEventCount={mockData.Events.totalCount}
-            tieBreaker={getOr(null, 'endCursor.tiebreaker', mockData.Events.pageInfo)}
+            totalPages={2}
           />
         </TestProviders>
       );
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/index.tsx
index 3169201b12c7b..7174e9b2121e5 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/index.tsx
@@ -6,7 +6,6 @@
 
 import {
   EuiBadge,
-  EuiButton,
   EuiButtonEmpty,
   EuiContextMenuItem,
   EuiContextMenuPanel,
@@ -17,13 +16,14 @@ import {
   EuiText,
   EuiToolTip,
   EuiPopoverProps,
+  EuiPagination,
 } from '@elastic/eui';
 import { FormattedMessage } from '@kbn/i18n/react';
 import React, { FC, useCallback, useEffect, useState, useMemo } from 'react';
 import styled from 'styled-components';
 
 import { LoadingPanel } from '../../loading';
-import { OnChangeItemsPerPage, OnLoadMore } from '../events';
+import { OnChangeItemsPerPage, OnChangePage } from '../events';
 
 import { LastUpdatedAt } from './last_updated';
 import * as i18n from './translations';
@@ -175,24 +175,26 @@ export const EventsCount = React.memo(EventsCountComponent);
 EventsCount.displayName = 'EventsCount';
 
 export const PagingControlComponent = ({
-  hasNextPage,
+  activePage,
   isLoading,
-  loadMore,
+  onPageClick,
+  totalPages,
 }: {
-  hasNextPage: boolean;
+  activePage: number;
   isLoading: boolean;
-  loadMore: () => void;
+  onPageClick: OnChangePage;
+  totalPages: number;
 }) => (
   <>
-    {hasNextPage && (
-      <EuiButton
-        data-test-subj="TimelineMoreButton"
-        isLoading={isLoading}
-        onClick={loadMore}
-        size="s"
-      >
-        {isLoading ? `${i18n.LOADING}...` : i18n.LOAD_MORE}
-      </EuiButton>
+    {isLoading ? (
+      `${i18n.LOADING}...`
+    ) : (
+      <EuiPagination
+        data-test-subj="timeline-pagination"
+        pageCount={totalPages}
+        activePage={activePage}
+        onPageClick={onPageClick}
+      />
     )}
   </>
 );
@@ -202,10 +204,9 @@ PagingControlComponent.displayName = 'PagingControlComponent';
 export const PagingControl = React.memo(PagingControlComponent);
 
 PagingControl.displayName = 'PagingControl';
-
 interface FooterProps {
-  getUpdatedAt: () => number;
-  hasNextPage: boolean;
+  updatedAt: number;
+  activePage: number;
   height: number;
   id: string;
   isLive: boolean;
@@ -213,17 +214,16 @@ interface FooterProps {
   itemsCount: number;
   itemsPerPage: number;
   itemsPerPageOptions: number[];
-  nextCursor: string;
   onChangeItemsPerPage: OnChangeItemsPerPage;
-  onLoadMore: OnLoadMore;
+  onChangePage: OnChangePage;
   serverSideEventCount: number;
-  tieBreaker: string;
+  totalPages: number;
 }
 
 /** Renders a loading indicator and paging controls */
 export const FooterComponent = ({
-  getUpdatedAt,
-  hasNextPage,
+  activePage,
+  updatedAt,
   height,
   id,
   isLive,
@@ -231,15 +231,13 @@ export const FooterComponent = ({
   itemsCount,
   itemsPerPage,
   itemsPerPageOptions,
-  nextCursor,
   onChangeItemsPerPage,
-  onLoadMore,
+  onChangePage,
   serverSideEventCount,
-  tieBreaker,
+  totalPages,
 }: FooterProps) => {
   const [isPopoverOpen, setIsPopoverOpen] = useState(false);
   const [paginationLoading, setPaginationLoading] = useState(false);
-  const [updatedAt, setUpdatedAt] = useState<number | null>(null);
 
   const { getManageTimelineById } = useManageTimeline();
   const { documentType, loadingText, footerText } = useMemo(() => getManageTimelineById(id), [
@@ -247,10 +245,13 @@ export const FooterComponent = ({
     id,
   ]);
 
-  const loadMore = useCallback(() => {
-    setPaginationLoading(true);
-    onLoadMore(nextCursor, tieBreaker);
-  }, [nextCursor, tieBreaker, onLoadMore, setPaginationLoading]);
+  const handleChangePageClick = useCallback(
+    (nextPage: number) => {
+      setPaginationLoading(true);
+      onChangePage(nextPage);
+    },
+    [onChangePage]
+  );
 
   const onButtonClick = useCallback(() => setIsPopoverOpen(!isPopoverOpen), [
     isPopoverOpen,
@@ -261,14 +262,8 @@ export const FooterComponent = ({
   useEffect(() => {
     if (paginationLoading && !isLoading) {
       setPaginationLoading(false);
-      setUpdatedAt(getUpdatedAt());
-    }
-
-    if (updatedAt === null || !isLoading) {
-      setUpdatedAt(getUpdatedAt());
     }
-    // eslint-disable-next-line react-hooks/exhaustive-deps
-  }, [isLoading]);
+  }, [isLoading, paginationLoading]);
 
   if (isLoading && !paginationLoading) {
     return (
@@ -358,15 +353,16 @@ export const FooterComponent = ({
           ) : (
             <PagingControl
               data-test-subj="paging-control"
-              hasNextPage={hasNextPage}
+              totalPages={totalPages}
+              activePage={activePage}
+              onPageClick={handleChangePageClick}
               isLoading={isLoading}
-              loadMore={loadMore}
             />
           )}
         </EuiFlexItem>
 
         <EuiFlexItem data-test-subj="last-updated-container" grow={false}>
-          <FixedWidthLastUpdatedContainer updatedAt={updatedAt || getUpdatedAt()} />
+          <FixedWidthLastUpdatedContainer updatedAt={updatedAt} />
         </EuiFlexItem>
       </FooterFlexGroup>
     </FooterContainer>
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/translations.ts b/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/translations.ts
index e0254d0f4a62f..f581d0757bc3c 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/translations.ts
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/footer/translations.ts
@@ -29,14 +29,10 @@ export const LOADING = i18n.translate('xpack.securitySolution.footer.loadingLabe
   defaultMessage: 'Loading',
 });
 
-export const LOAD_MORE = i18n.translate('xpack.securitySolution.footer.loadMoreLabel', {
-  defaultMessage: 'Load more',
-});
-
 export const TOTAL_COUNT_OF_EVENTS = i18n.translate(
   'xpack.securitySolution.footer.totalCountOfEvents',
   {
-    defaultMessage: 'events match the search criteria',
+    defaultMessage: 'events',
   }
 );
 
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/index.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/index.test.tsx
index 51edf7336c4e7..f1bfdd5d33606 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/index.test.tsx
@@ -20,7 +20,6 @@ import { mocksSource } from '../../../common/containers/source/mock';
 import { wait as waitFor } from '@testing-library/react';
 import { defaultHeaders, mockTimelineData, TestProviders } from '../../../common/mock';
 import { Direction } from '../../../graphql/types';
-import { timelineQuery } from '../../containers/index.gql_query';
 import { timelineActions } from '../../store/timeline';
 
 import { Sort } from './body/sort';
@@ -28,6 +27,11 @@ import { mockDataProviders } from './data_providers/mock/mock_data_providers';
 import { StatefulTimeline, Props as StatefulTimelineProps } from './index';
 import { Timeline } from './timeline';
 import { TimelineType, TimelineStatus } from '../../../../common/types/timeline';
+import { useTimelineEvents } from '../../containers/index';
+
+jest.mock('../../containers/index', () => ({
+  useTimelineEvents: jest.fn(),
+}));
 
 jest.mock('../../../common/lib/kibana', () => {
   const originalModule = jest.requireActual('../../../common/lib/kibana');
@@ -63,12 +67,10 @@ describe('StatefulTimeline', () => {
   const startDate = '2018-03-23T18:49:23.132Z';
   const endDate = '2018-03-24T03:33:52.253Z';
 
-  const mocks = [
-    { request: { query: timelineQuery }, result: { data: { events: mockTimelineData } } },
-    ...mocksSource,
-  ];
+  const mocks = mocksSource;
 
   beforeEach(() => {
+    (useTimelineEvents as jest.Mock).mockReturnValue([false, { events: mockTimelineData }]);
     props = {
       addProvider: timelineActions.addProvider,
       columns: defaultHeaders,
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/timeline.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/timeline.test.tsx
index 555b22eff0c91..887a6a546d2b7 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/timeline.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/timeline.test.tsx
@@ -6,10 +6,8 @@
 
 import { shallow } from 'enzyme';
 import React from 'react';
-import { MockedProvider } from 'react-apollo/test-utils';
 import useResizeObserver from 'use-resize-observer/polyfilled';
 
-import { timelineQuery } from '../../containers/index.gql_query';
 import { mockBrowserFields } from '../../../common/containers/source/mock';
 import { Direction } from '../../../graphql/types';
 import { defaultHeaders, mockTimelineData, mockIndexPattern } from '../../../common/mock';
@@ -26,7 +24,19 @@ import { Sort } from './body/sort';
 import { mockDataProviders } from './data_providers/mock/mock_data_providers';
 import { useMountAppended } from '../../../common/utils/use_mount_appended';
 import { TimelineStatus, TimelineType } from '../../../../common/types/timeline';
-
+import { useTimelineEvents } from '../../containers/index';
+import { useTimelineEventsDetails } from '../../containers/details/index';
+
+jest.mock('../../containers/index', () => ({
+  useTimelineEvents: jest.fn(),
+}));
+jest.mock('../../containers/details/index', () => ({
+  useTimelineEventsDetails: jest.fn(),
+}));
+jest.mock('./body/events/index', () => ({
+  // eslint-disable-next-line react/display-name
+  Events: () => <></>,
+}));
 jest.mock('../../../common/lib/kibana');
 jest.mock('./properties/properties_right');
 const mockUseResizeObserver: jest.Mock = useResizeObserver as jest.Mock;
@@ -42,6 +52,7 @@ jest.mock('../../../common/lib/kibana', () => {
       services: {
         application: {
           navigateToApp: jest.fn(),
+          getUrlForApp: jest.fn(),
         },
         uiSettings: {
           get: jest.fn(),
@@ -65,13 +76,21 @@ describe('Timeline', () => {
 
   const indexPattern = mockIndexPattern;
 
-  const mocks = [
-    { request: { query: timelineQuery }, result: { data: { events: mockTimelineData } } },
-  ];
-
   const mount = useMountAppended();
 
   beforeEach(() => {
+    (useTimelineEvents as jest.Mock).mockReturnValue([
+      false,
+      {
+        events: mockTimelineData,
+        pageInfo: {
+          activePage: 0,
+          totalPages: 10,
+        },
+      },
+    ]);
+    (useTimelineEventsDetails as jest.Mock).mockReturnValue([false, {}]);
+
     props = {
       browserFields: mockBrowserFields,
       columns: defaultHeaders,
@@ -123,9 +142,7 @@ describe('Timeline', () => {
     test('it renders the timeline header', () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mocks}>
-            <TimelineComponent {...props} />
-          </MockedProvider>
+          <TimelineComponent {...props} />
         </TestProviders>
       );
 
@@ -135,9 +152,7 @@ describe('Timeline', () => {
     test('it renders the title field', () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mocks}>
-            <TimelineComponent {...props} />
-          </MockedProvider>
+          <TimelineComponent {...props} />
         </TestProviders>
       );
 
@@ -149,9 +164,7 @@ describe('Timeline', () => {
     test('it renders the timeline table', () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mocks}>
-            <TimelineComponent {...props} />
-          </MockedProvider>
+          <TimelineComponent {...props} />
         </TestProviders>
       );
 
@@ -161,9 +174,7 @@ describe('Timeline', () => {
     test('it does NOT render the timeline table when the source is loading', () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mocks}>
-            <TimelineComponent {...props} isLoadingSource={true} />
-          </MockedProvider>
+          <TimelineComponent {...props} isLoadingSource={true} />
         </TestProviders>
       );
 
@@ -173,9 +184,7 @@ describe('Timeline', () => {
     test('it does NOT render the timeline table when start is empty', () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mocks}>
-            <TimelineComponent {...props} start={''} />
-          </MockedProvider>
+          <TimelineComponent {...props} start={''} />
         </TestProviders>
       );
 
@@ -185,9 +194,7 @@ describe('Timeline', () => {
     test('it does NOT render the timeline table when end is empty', () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mocks}>
-            <TimelineComponent {...props} end={''} />
-          </MockedProvider>
+          <TimelineComponent {...props} end={''} />
         </TestProviders>
       );
 
@@ -197,9 +204,7 @@ describe('Timeline', () => {
     test('it does NOT render the paging footer when you do NOT have any data providers', () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mocks}>
-            <TimelineComponent {...props} />
-          </MockedProvider>
+          <TimelineComponent {...props} />
         </TestProviders>
       );
 
@@ -209,9 +214,7 @@ describe('Timeline', () => {
     test('it defaults to showing `All`', () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mocks}>
-            <TimelineComponent {...props} />
-          </MockedProvider>
+          <TimelineComponent {...props} />
         </TestProviders>
       );
 
@@ -221,9 +224,7 @@ describe('Timeline', () => {
     it('it shows the timeline footer', () => {
       const wrapper = mount(
         <TestProviders>
-          <MockedProvider mocks={mocks}>
-            <TimelineComponent {...props} />
-          </MockedProvider>
+          <TimelineComponent {...props} />
         </TestProviders>
       );
 
@@ -236,9 +237,7 @@ describe('Timeline', () => {
       it('should not show the timeline footer', () => {
         const wrapper = mount(
           <TestProviders>
-            <MockedProvider mocks={mocks}>
-              <TimelineComponent {...props} />
-            </MockedProvider>
+            <TimelineComponent {...props} />
           </TestProviders>
         );
 
@@ -252,9 +251,7 @@ describe('Timeline', () => {
       test('it invokes the onDataProviderRemoved callback when the delete button on a provider is clicked', () => {
         const wrapper = mount(
           <TestProviders>
-            <MockedProvider mocks={mocks}>
-              <TimelineComponent {...props} />
-            </MockedProvider>
+            <TimelineComponent {...props} />
           </TestProviders>
         );
 
@@ -271,9 +268,7 @@ describe('Timeline', () => {
       test('it invokes the onDataProviderRemoved callback when you click on the option "Delete" in the provider menu', () => {
         const wrapper = mount(
           <TestProviders>
-            <MockedProvider mocks={mocks}>
-              <TimelineComponent {...props} />
-            </MockedProvider>
+            <TimelineComponent {...props} />
           </TestProviders>
         );
         wrapper.find('button[data-test-subj="providerBadge"]').first().simulate('click');
@@ -295,9 +290,7 @@ describe('Timeline', () => {
       test('it invokes the onToggleDataProviderEnabled callback when you click on the option "Temporary disable" in the provider menu', () => {
         const wrapper = mount(
           <TestProviders>
-            <MockedProvider mocks={mocks}>
-              <TimelineComponent {...props} />
-            </MockedProvider>
+            <TimelineComponent {...props} />
           </TestProviders>
         );
 
@@ -321,9 +314,7 @@ describe('Timeline', () => {
       test('it invokes the onToggleDataProviderExcluded callback when you click on the option "Exclude results" in the provider menu', () => {
         const wrapper = mount(
           <TestProviders>
-            <MockedProvider mocks={mocks}>
-              <TimelineComponent {...props} />
-            </MockedProvider>
+            <TimelineComponent {...props} />
           </TestProviders>
         );
 
@@ -355,9 +346,7 @@ describe('Timeline', () => {
       test('Rendering And Provider', () => {
         const wrapper = mount(
           <TestProviders>
-            <MockedProvider mocks={mocks}>
-              <TimelineComponent {...props} dataProviders={dataProviders} />
-            </MockedProvider>
+            <TimelineComponent {...props} dataProviders={dataProviders} />
           </TestProviders>
         );
 
@@ -375,9 +364,7 @@ describe('Timeline', () => {
       test('it invokes the onDataProviderRemoved callback when you click on the option "Delete" in the accordion menu', () => {
         const wrapper = mount(
           <TestProviders>
-            <MockedProvider mocks={mocks}>
-              <TimelineComponent {...props} dataProviders={dataProviders} />
-            </MockedProvider>
+            <TimelineComponent {...props} dataProviders={dataProviders} />
           </TestProviders>
         );
 
@@ -404,9 +391,7 @@ describe('Timeline', () => {
       test('it invokes the onToggleDataProviderEnabled callback when you click on the option "Temporary disable" in the accordion menu', () => {
         const wrapper = mount(
           <TestProviders>
-            <MockedProvider mocks={mocks}>
-              <TimelineComponent {...props} dataProviders={dataProviders} />
-            </MockedProvider>
+            <TimelineComponent {...props} dataProviders={dataProviders} />
           </TestProviders>
         );
 
@@ -434,9 +419,7 @@ describe('Timeline', () => {
       test('it invokes the onToggleDataProviderExcluded callback when you click on the option "Exclude results" in the accordion menu', () => {
         const wrapper = mount(
           <TestProviders>
-            <MockedProvider mocks={mocks}>
-              <TimelineComponent {...props} dataProviders={dataProviders} />
-            </MockedProvider>
+            <TimelineComponent {...props} dataProviders={dataProviders} />
           </TestProviders>
         );
 
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/timeline.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/timeline.tsx
index 7b1c1bd2119cd..434c7075a9470 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/timeline.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/timeline.tsx
@@ -5,14 +5,14 @@
  */
 
 import { EuiFlyoutHeader, EuiFlyoutBody, EuiFlyoutFooter, EuiProgress } from '@elastic/eui';
-import { getOr, isEmpty } from 'lodash/fp';
+import { isEmpty } from 'lodash/fp';
 import React, { useState, useMemo, useEffect } from 'react';
 import styled from 'styled-components';
 
 import { FlyoutHeaderWithCloseButton } from '../flyout/header_with_close_button';
 import { BrowserFields, DocValueFields } from '../../../common/containers/source';
-import { TimelineQuery } from '../../containers/index';
-import { Direction } from '../../../graphql/types';
+import { Direction } from '../../../../common/search_strategy';
+import { useTimelineEvents } from '../../containers/index';
 import { useKibana } from '../../../common/lib/kibana';
 import { ColumnHeaderOptions, KqlMode, EventType } from '../../../timelines/store/timeline/model';
 import { defaultHeaders } from './body/column_headers/default_headers';
@@ -217,13 +217,14 @@ export const TimelineComponent: React.FC<Props> = ({
   }, [columnsHeader]);
   const timelineQuerySortField = useMemo(
     () => ({
-      sortFieldId: sort.columnId,
+      field: sort.columnId,
       direction: sort.sortDirection as Direction,
     }),
     [sort.columnId, sort.sortDirection]
   );
   const [isQueryLoading, setIsQueryLoading] = useState(false);
   const { initializeTimeline, setIndexToAdd, setIsTimelineLoading } = useManageTimeline();
+
   useEffect(() => {
     initializeTimeline({
       filterManager,
@@ -233,6 +234,23 @@ export const TimelineComponent: React.FC<Props> = ({
     // eslint-disable-next-line react-hooks/exhaustive-deps
   }, []);
 
+  const [
+    loading,
+    { events, inspect, totalCount, pageInfo, loadPage, updatedAt, refetch },
+  ] = useTimelineEvents({
+    docValueFields,
+    endDate: end,
+    eventType,
+    id,
+    indexToAdd,
+    fields: timelineQueryFields,
+    limit: itemsPerPage,
+    filterQuery: combinedQueries?.filterQuery ?? '',
+    startDate: start,
+    skip: canQueryTimeline,
+    sort: timelineQuerySortField,
+  });
+
   useEffect(() => {
     setIsTimelineLoading({ id, isLoading: isQueryLoading || loadingIndexName });
   }, [loadingIndexName, id, isQueryLoading, setIsTimelineLoading]);
@@ -241,6 +259,10 @@ export const TimelineComponent: React.FC<Props> = ({
     setIndexToAdd({ id, indexToAdd });
   }, [id, indexToAdd, setIndexToAdd]);
 
+  useEffect(() => {
+    setIsQueryLoading(loading);
+  }, [loading]);
+
   return (
     <TimelineContainer data-test-subj="timeline">
       {isSaving && <EuiProgress size="s" color="primary" position="absolute" />}
@@ -274,85 +296,52 @@ export const TimelineComponent: React.FC<Props> = ({
       </StyledEuiFlyoutHeader>
       <TimelineKqlFetch id={id} indexPattern={indexPattern} inputId="timeline" />
       {canQueryTimeline ? (
-        <TimelineQuery
-          docValueFields={docValueFields}
-          endDate={end}
-          eventType={eventType}
-          id={id}
-          indexToAdd={indexToAdd}
-          fields={timelineQueryFields}
-          sourceId="default"
-          limit={itemsPerPage}
-          filterQuery={combinedQueries!.filterQuery}
-          sortField={timelineQuerySortField}
-          startDate={start}
-          queryDeduplication="timeline"
-        >
-          {({
-            events,
-            inspect,
-            loading,
-            totalCount,
-            pageInfo,
-            loadMore,
-            getUpdatedAt,
-            refetch,
-          }) => {
-            setIsQueryLoading(loading);
-            return (
-              <>
-                <TimelineRefetch
+        <>
+          <TimelineRefetch
+            id={id}
+            inputId="timeline"
+            inspect={inspect}
+            loading={loading}
+            refetch={refetch}
+          />
+          <StyledEuiFlyoutBody data-test-subj="eui-flyout-body" className="timeline-flyout-body">
+            <StatefulBody
+              browserFields={browserFields}
+              data={events}
+              docValueFields={docValueFields}
+              id={id}
+              refetch={refetch}
+              sort={sort}
+              toggleColumn={toggleColumn}
+            />
+          </StyledEuiFlyoutBody>
+          {
+            /** Hide the footer if Resolver is showing. */
+            !graphEventId && (
+              <StyledEuiFlyoutFooter
+                data-test-subj="eui-flyout-footer"
+                className="timeline-flyout-footer"
+              >
+                <Footer
+                  activePage={pageInfo.activePage}
+                  data-test-subj="timeline-footer"
+                  updatedAt={updatedAt}
+                  height={footerHeight}
                   id={id}
-                  inputId="timeline"
-                  inspect={inspect}
-                  loading={loading}
-                  refetch={refetch}
+                  isLive={isLive}
+                  isLoading={loading || loadingIndexName}
+                  itemsCount={events.length}
+                  itemsPerPage={itemsPerPage}
+                  itemsPerPageOptions={itemsPerPageOptions}
+                  onChangeItemsPerPage={onChangeItemsPerPage}
+                  onChangePage={loadPage}
+                  serverSideEventCount={totalCount}
+                  totalPages={pageInfo.totalPages}
                 />
-                <StyledEuiFlyoutBody
-                  data-test-subj="eui-flyout-body"
-                  className="timeline-flyout-body"
-                >
-                  <StatefulBody
-                    browserFields={browserFields}
-                    data={events}
-                    docValueFields={docValueFields}
-                    id={id}
-                    refetch={refetch}
-                    sort={sort}
-                    toggleColumn={toggleColumn}
-                  />
-                </StyledEuiFlyoutBody>
-                {
-                  /** Hide the footer if Resolver is showing. */
-                  !graphEventId && (
-                    <StyledEuiFlyoutFooter
-                      data-test-subj="eui-flyout-footer"
-                      className="timeline-flyout-footer"
-                    >
-                      <Footer
-                        data-test-subj="timeline-footer"
-                        getUpdatedAt={getUpdatedAt}
-                        hasNextPage={getOr(false, 'hasNextPage', pageInfo)!}
-                        height={footerHeight}
-                        id={id}
-                        isLive={isLive}
-                        isLoading={loading || loadingIndexName}
-                        itemsCount={events.length}
-                        itemsPerPage={itemsPerPage}
-                        itemsPerPageOptions={itemsPerPageOptions}
-                        nextCursor={getOr(null, 'endCursor.value', pageInfo)!}
-                        onChangeItemsPerPage={onChangeItemsPerPage}
-                        onLoadMore={loadMore}
-                        serverSideEventCount={totalCount}
-                        tieBreaker={getOr(null, 'endCursor.tiebreaker', pageInfo)}
-                      />
-                    </StyledEuiFlyoutFooter>
-                  )
-                }
-              </>
-            );
-          }}
-        </TimelineQuery>
+              </StyledEuiFlyoutFooter>
+            )
+          }
+        </>
       ) : null}
     </TimelineContainer>
   );
diff --git a/x-pack/plugins/security_solution/public/timelines/containers/details/index.tsx b/x-pack/plugins/security_solution/public/timelines/containers/details/index.tsx
index 35f8c7ae90e6e..af99c75ae701a 100644
--- a/x-pack/plugins/security_solution/public/timelines/containers/details/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/containers/details/index.tsx
@@ -5,7 +5,6 @@
  */
 
 import { noop } from 'lodash/fp';
-import memoizeOne from 'memoize-one';
 import { useCallback, useEffect, useRef, useState } from 'react';
 import deepEqual from 'fast-deep-equal';
 
@@ -14,73 +13,63 @@ import { DEFAULT_INDEX_KEY } from '../../../../common/constants';
 import { useKibana } from '../../../common/lib/kibana';
 import {
   DocValueFields,
-  DetailItem,
-  TimelineQueries,
-  TimelineDetailsRequestOptions,
-  TimelineDetailsStrategyResponse,
+  TimelineEventsDetailsItem,
+  TimelineEventsQueries,
+  TimelineEventsDetailsRequestOptions,
+  TimelineEventsDetailsStrategyResponse,
 } from '../../../../common/search_strategy';
 export interface EventsArgs {
-  detailsData: DetailItem[] | null;
-  loading: boolean;
+  detailsData: TimelineEventsDetailsItem[] | null;
 }
 
-export interface TimelineDetailsProps {
+export interface UseTimelineEventsDetailsProps {
   docValueFields: DocValueFields[];
   indexName: string;
   eventId: string;
-  executeQuery: boolean;
+  skip: boolean;
 }
 
-const getDetailsEvent = memoizeOne(
-  (variables: string, detail: DetailItem[]): DetailItem[] => detail
-);
-
-export const useTimelineDetails = ({
+export const useTimelineEventsDetails = ({
   docValueFields,
   indexName,
   eventId,
-  executeQuery,
-}: TimelineDetailsProps): [boolean, EventsArgs['detailsData']] => {
+  skip,
+}: UseTimelineEventsDetailsProps): [boolean, EventsArgs['detailsData']] => {
   const { data, notifications, uiSettings } = useKibana().services;
   const refetch = useRef<inputsModel.Refetch>(noop);
   const abortCtrl = useRef(new AbortController());
   const defaultIndex = uiSettings.get<string[]>(DEFAULT_INDEX_KEY);
   const [loading, setLoading] = useState(false);
-  const [timelineDetailsRequest, setTimelineDetailsRequest] = useState<
-    TimelineDetailsRequestOptions
-  >({
-    defaultIndex,
-    docValueFields,
-    executeQuery,
-    indexName,
-    eventId,
-    factoryQueryType: TimelineQueries.details,
-  });
+  const [
+    timelineDetailsRequest,
+    setTimelineDetailsRequest,
+  ] = useState<TimelineEventsDetailsRequestOptions | null>(null);
 
   const [timelineDetailsResponse, setTimelineDetailsResponse] = useState<EventsArgs['detailsData']>(
     null
   );
 
   const timelineDetailsSearch = useCallback(
-    (request: TimelineDetailsRequestOptions) => {
+    (request: TimelineEventsDetailsRequestOptions) => {
       let didCancel = false;
       const asyncSearch = async () => {
         abortCtrl.current = new AbortController();
         setLoading(true);
 
         const searchSubscription$ = data.search
-          .search<TimelineDetailsRequestOptions, TimelineDetailsStrategyResponse>(request, {
-            strategy: 'securitySolutionTimelineSearchStrategy',
-            abortSignal: abortCtrl.current.signal,
-          })
+          .search<TimelineEventsDetailsRequestOptions, TimelineEventsDetailsStrategyResponse>(
+            request,
+            {
+              strategy: 'securitySolutionTimelineSearchStrategy',
+              abortSignal: abortCtrl.current.signal,
+            }
+          )
           .subscribe({
             next: (response) => {
               if (!response.isPartial && !response.isRunning) {
                 if (!didCancel) {
                   setLoading(false);
-                  setTimelineDetailsResponse(
-                    getDetailsEvent(JSON.stringify(timelineDetailsRequest), response.data || [])
-                  );
+                  setTimelineDetailsResponse(response.data || []);
                 }
                 searchSubscription$.unsubscribe();
               } else if (response.isPartial && !response.isRunning) {
@@ -105,28 +94,31 @@ export const useTimelineDetails = ({
         abortCtrl.current.abort();
       };
     },
-    [data.search, notifications.toasts, timelineDetailsRequest]
+    [data.search, notifications.toasts]
   );
 
   useEffect(() => {
     setTimelineDetailsRequest((prevRequest) => {
       const myRequest = {
-        ...prevRequest,
+        ...(prevRequest ?? {}),
         defaultIndex,
         docValueFields,
         indexName,
         eventId,
+        factoryQueryType: TimelineEventsQueries.details,
       };
-      if (!deepEqual(prevRequest, myRequest)) {
+      if (!skip && !deepEqual(prevRequest, myRequest)) {
         return myRequest;
       }
       return prevRequest;
     });
-  }, [defaultIndex, docValueFields, eventId, indexName]);
+  }, [defaultIndex, docValueFields, eventId, indexName, skip]);
 
   useEffect(() => {
-    if (executeQuery) timelineDetailsSearch(timelineDetailsRequest);
-  }, [executeQuery, timelineDetailsRequest, timelineDetailsSearch]);
+    if (timelineDetailsRequest) {
+      timelineDetailsSearch(timelineDetailsRequest);
+    }
+  }, [timelineDetailsRequest, timelineDetailsSearch]);
 
   return [loading, timelineDetailsResponse];
 };
diff --git a/x-pack/plugins/security_solution/public/timelines/containers/index.tsx b/x-pack/plugins/security_solution/public/timelines/containers/index.tsx
index de7175f0a7f97..f340096c75f2b 100644
--- a/x-pack/plugins/security_solution/public/timelines/containers/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/containers/index.tsx
@@ -4,215 +4,259 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { getOr, uniqBy } from 'lodash/fp';
-import memoizeOne from 'memoize-one';
-import React from 'react';
-import { Query } from 'react-apollo';
-import { compose, Dispatch } from 'redux';
-import { connect, ConnectedProps } from 'react-redux';
+import deepEqual from 'fast-deep-equal';
+import { noop } from 'lodash/fp';
+import { useCallback, useEffect, useRef, useState } from 'react';
+import { useDispatch } from 'react-redux';
+
+import { ESQuery } from '../../../common/typed_json';
+import { IIndexPattern } from '../../../../../../src/plugins/data/public';
 
 import { DEFAULT_INDEX_KEY } from '../../../common/constants';
-import { IIndexPattern } from '../../../../../../src/plugins/data/common/index_patterns';
-import {
-  GetTimelineQuery,
-  PageInfo,
-  SortField,
-  TimelineEdges,
-  TimelineItem,
-} from '../../graphql/types';
-import { inputsModel, inputsSelectors, State } from '../../common/store';
-import { withKibana, WithKibanaProps } from '../../common/lib/kibana';
+import { inputsModel } from '../../common/store';
+import { useKibana } from '../../common/lib/kibana';
 import { createFilter } from '../../common/containers/helpers';
-import { QueryTemplate, QueryTemplateProps } from '../../common/containers/query_template';
+import { DocValueFields } from '../../common/containers/query_template';
 import { EventType } from '../../timelines/store/timeline/model';
-import { timelineQuery } from './index.gql_query';
 import { timelineActions } from '../../timelines/store/timeline';
 import { detectionsTimelineIds, skipQueryForDetectionsPage } from './helpers';
+import { getInspectResponse } from '../../helpers';
+import {
+  Direction,
+  TimelineEventsQueries,
+  TimelineEventsAllStrategyResponse,
+  TimelineEventsAllRequestOptions,
+  TimelineEdges,
+  TimelineItem,
+  SortField,
+} from '../../../common/search_strategy';
+import { InspectResponse } from '../../types';
+import * as i18n from './translations';
 
 export interface TimelineArgs {
   events: TimelineItem[];
   id: string;
-  inspect: inputsModel.InspectQuery;
-  loading: boolean;
-  loadMore: (cursor: string, tieBreaker: string) => void;
-  pageInfo: PageInfo;
+  inspect: InspectResponse;
+  loadPage: LoadPage;
+  pageInfo: {
+    activePage: number;
+    totalPages: number;
+  };
   refetch: inputsModel.Refetch;
   totalCount: number;
-  getUpdatedAt: () => number;
+  updatedAt: number;
 }
 
-export interface CustomReduxProps {
-  clearSignalsState: ({ id }: { id?: string }) => void;
-}
+type LoadPage = (newActivePage: number) => void;
 
-export interface OwnProps extends QueryTemplateProps {
-  children?: (args: TimelineArgs) => React.ReactNode;
+interface UseTimelineEventsProps {
+  docValueFields?: DocValueFields[];
+  filterQuery?: ESQuery | string;
+  skip?: boolean;
   endDate: string;
   eventType?: EventType;
   id: string;
+  fields: string[];
   indexPattern?: IIndexPattern;
   indexToAdd?: string[];
   limit: number;
-  sortField: SortField;
-  fields: string[];
+  sort: SortField;
   startDate: string;
-  queryDeduplication: string;
+  canQueryTimeline?: boolean;
 }
 
-type TimelineQueryProps = OwnProps & PropsFromRedux & WithKibanaProps & CustomReduxProps;
-
-class TimelineQueryComponent extends QueryTemplate<
-  TimelineQueryProps,
-  GetTimelineQuery.Query,
-  GetTimelineQuery.Variables
-> {
-  private updatedDate: number = Date.now();
-  private memoizedTimelineEvents: (variables: string, events: TimelineEdges[]) => TimelineItem[];
-
-  constructor(props: TimelineQueryProps) {
-    super(props);
-    this.memoizedTimelineEvents = memoizeOne(this.getTimelineEvents);
-  }
-
-  public render() {
-    const {
-      children,
-      clearSignalsState,
-      docValueFields,
-      endDate,
-      eventType = 'raw',
-      id,
-      indexPattern,
-      indexToAdd = [],
-      isInspected,
-      kibana,
-      limit,
-      fields,
-      filterQuery,
-      sourceId,
-      sortField,
-      startDate,
-      queryDeduplication,
-    } = this.props;
-    const defaultKibanaIndex = kibana.services.uiSettings.get<string[]>(DEFAULT_INDEX_KEY);
-    const defaultIndex =
-      indexPattern == null || (indexPattern != null && indexPattern.title === '')
-        ? [
-            ...(['all', 'raw'].includes(eventType) ? defaultKibanaIndex : []),
-            ...(['all', 'alert', 'signal'].includes(eventType) ? indexToAdd : []),
-          ]
-        : indexPattern?.title.split(',') ?? [];
-    // Fun fact: When using this hook multiple times within a component (e.g. add_exception_modal & edit_exception_modal),
-    // the apolloClient will perform queryDeduplication and prevent the first query from executing. A deep compare is not
-    // performed on `indices`, so another field must be passed to circumvent this.
-    // For details, see https://github.com/apollographql/react-apollo/issues/2202
-    const variables: GetTimelineQuery.Variables & { queryDeduplication: string } = {
-      fieldRequested: fields,
-      filterQuery: createFilter(filterQuery),
-      sourceId,
-      timerange: {
-        interval: '12h',
-        from: startDate,
-        to: endDate,
-      },
-      pagination: { limit, cursor: null, tiebreaker: null },
-      sortField,
-      defaultIndex,
-      docValueFields: docValueFields ?? [],
-      inspect: isInspected,
-      queryDeduplication,
-    };
-
-    return (
-      <Query<GetTimelineQuery.Query, GetTimelineQuery.Variables>
-        query={timelineQuery}
-        fetchPolicy="network-only"
-        notifyOnNetworkStatusChange
-        skip={skipQueryForDetectionsPage(id, defaultIndex)}
-        variables={variables}
-      >
-        {({ data, loading, fetchMore, refetch }) => {
-          this.setRefetch(refetch);
-          this.setExecuteBeforeRefetch(clearSignalsState);
-          this.setExecuteBeforeFetchMore(clearSignalsState);
-
-          const timelineEdges = getOr([], 'source.Timeline.edges', data);
-          this.setFetchMore(fetchMore);
-          this.setFetchMoreOptions((newCursor: string, tiebreaker?: string) => ({
-            variables: {
-              pagination: {
-                cursor: newCursor,
-                tiebreaker,
-                limit,
-              },
-            },
-            updateQuery: (prev, { fetchMoreResult }) => {
-              if (!fetchMoreResult) {
-                return prev;
-              }
-              return {
-                ...fetchMoreResult,
-                source: {
-                  ...fetchMoreResult.source,
-                  Timeline: {
-                    ...fetchMoreResult.source.Timeline,
-                    edges: uniqBy('node._id', [
-                      ...prev.source.Timeline.edges,
-                      ...fetchMoreResult.source.Timeline.edges,
-                    ]),
-                  },
-                },
-              };
-            },
-          }));
-          this.updatedDate = Date.now();
-          return children!({
-            id,
-            inspect: getOr(null, 'source.Timeline.inspect', data),
-            refetch: this.wrappedRefetch,
-            loading,
-            totalCount: getOr(0, 'source.Timeline.totalCount', data),
-            pageInfo: getOr({}, 'source.Timeline.pageInfo', data),
-            events: this.memoizedTimelineEvents(JSON.stringify(variables), timelineEdges),
-            loadMore: this.wrappedLoadMore,
-            getUpdatedAt: this.getUpdatedAt,
-          });
-        }}
-      </Query>
-    );
-  }
+const getTimelineEvents = (timelineEdges: TimelineEdges[]): TimelineItem[] =>
+  timelineEdges.map((e: TimelineEdges) => e.node);
 
-  private getUpdatedAt = () => this.updatedDate;
+const ID = 'timelineEventsQuery';
 
-  private getTimelineEvents = (variables: string, timelineEdges: TimelineEdges[]): TimelineItem[] =>
-    timelineEdges.map((e: TimelineEdges) => e.node);
-}
-
-const makeMapStateToProps = () => {
-  const getQuery = inputsSelectors.timelineQueryByIdSelector();
-  const mapStateToProps = (state: State, { id }: OwnProps) => {
-    const { isInspected } = getQuery(state, id);
-    return {
-      isInspected,
-    };
-  };
-  return mapStateToProps;
-};
+export const useTimelineEvents = ({
+  docValueFields,
+  endDate,
+  eventType = 'raw',
+  id = ID,
+  indexPattern,
+  indexToAdd = [],
+  fields,
+  filterQuery,
+  startDate,
+  limit,
+  sort = {
+    field: '@timestamp',
+    direction: Direction.asc,
+  },
+  canQueryTimeline = true,
+}: UseTimelineEventsProps): [boolean, TimelineArgs] => {
+  const dispatch = useDispatch();
+  const { data, notifications, uiSettings } = useKibana().services;
+  const refetch = useRef<inputsModel.Refetch>(noop);
+  const abortCtrl = useRef(new AbortController());
+  const defaultKibanaIndex = uiSettings.get<string[]>(DEFAULT_INDEX_KEY);
+  const defaultIndex =
+    indexPattern == null || (indexPattern != null && indexPattern.title === '')
+      ? [
+          ...(['all', 'raw'].includes(eventType) ? defaultKibanaIndex : []),
+          ...(['all', 'alert', 'signal'].includes(eventType) ? indexToAdd : []),
+        ]
+      : indexPattern?.title.split(',') ?? [];
+  const [loading, setLoading] = useState(false);
+  const [activePage, setActivePage] = useState(0);
+  const [timelineRequest, setTimelineRequest] = useState<TimelineEventsAllRequestOptions>({
+    fields,
+    fieldRequested: fields,
+    filterQuery: createFilter(filterQuery),
+    id,
+    timerange: {
+      interval: '12h',
+      from: startDate,
+      to: endDate,
+    },
+    pagination: {
+      activePage,
+      querySize: limit,
+    },
+    sort,
+    defaultIndex,
+    docValueFields: docValueFields ?? [],
+    factoryQueryType: TimelineEventsQueries.all,
+  });
 
-const mapDispatchToProps = (dispatch: Dispatch) => ({
-  clearSignalsState: ({ id }: { id?: string }) => {
+  const clearSignalsState = useCallback(() => {
     if (id != null && detectionsTimelineIds.some((timelineId) => timelineId === id)) {
       dispatch(timelineActions.clearEventsLoading({ id }));
       dispatch(timelineActions.clearEventsDeleted({ id }));
     }
-  },
-});
+  }, [dispatch, id]);
 
-const connector = connect(makeMapStateToProps, mapDispatchToProps);
+  const wrappedLoadPage = useCallback(
+    (newActivePage: number) => {
+      clearSignalsState();
+      setActivePage(newActivePage);
+    },
+    [clearSignalsState]
+  );
 
-type PropsFromRedux = ConnectedProps<typeof connector>;
+  const [timelineResponse, setTimelineResponse] = useState<TimelineArgs>({
+    id: ID,
+    inspect: {
+      dsl: [],
+      response: [],
+    },
+    refetch: refetch.current,
+    totalCount: -1,
+    pageInfo: {
+      activePage: 0,
+      totalPages: 0,
+    },
+    events: [],
+    loadPage: wrappedLoadPage,
+    updatedAt: 0,
+  });
 
-export const TimelineQuery = compose<React.ComponentClass<OwnProps>>(
-  connector,
-  withKibana
-)(TimelineQueryComponent);
+  const timelineSearch = useCallback(
+    (request: TimelineEventsAllRequestOptions) => {
+      let didCancel = false;
+      const asyncSearch = async () => {
+        abortCtrl.current = new AbortController();
+        setLoading(true);
+
+        const searchSubscription$ = data.search
+          .search<TimelineEventsAllRequestOptions, TimelineEventsAllStrategyResponse>(request, {
+            strategy: 'securitySolutionTimelineSearchStrategy',
+            abortSignal: abortCtrl.current.signal,
+          })
+          .subscribe({
+            next: (response) => {
+              if (!response.isPartial && !response.isRunning) {
+                if (!didCancel) {
+                  setLoading(false);
+                  setTimelineResponse((prevResponse) => ({
+                    ...prevResponse,
+                    events: getTimelineEvents(response.edges),
+                    inspect: getInspectResponse(response, prevResponse.inspect),
+                    pageInfo: response.pageInfo,
+                    refetch: refetch.current,
+                    totalCount: response.totalCount,
+                    updatedAt: Date.now(),
+                  }));
+                }
+                searchSubscription$.unsubscribe();
+              } else if (response.isPartial && !response.isRunning) {
+                if (!didCancel) {
+                  setLoading(false);
+                }
+                notifications.toasts.addWarning(i18n.ERROR_TIMELINE_EVENTS);
+                searchSubscription$.unsubscribe();
+              }
+            },
+            error: (msg) => {
+              if (msg.message !== 'Aborted') {
+                notifications.toasts.addDanger({
+                  title: i18n.FAIL_TIMELINE_EVENTS,
+                  text: msg.message,
+                });
+              }
+            },
+          });
+      };
+      abortCtrl.current.abort();
+      asyncSearch();
+      refetch.current = asyncSearch;
+      return () => {
+        didCancel = true;
+        abortCtrl.current.abort();
+      };
+    },
+    [data.search, notifications.toasts]
+  );
+
+  useEffect(() => {
+    if (!canQueryTimeline || skipQueryForDetectionsPage(id, defaultIndex)) {
+      return;
+    }
+
+    setTimelineRequest((prevRequest) => {
+      const myRequest = {
+        ...prevRequest,
+        defaultIndex,
+        docValueFields: docValueFields ?? [],
+        filterQuery: createFilter(filterQuery),
+        pagination: {
+          activePage,
+          querySize: limit,
+        },
+        timerange: {
+          interval: '12h',
+          from: startDate,
+          to: endDate,
+        },
+        sort,
+      };
+      if (
+        canQueryTimeline &&
+        !skipQueryForDetectionsPage(id, defaultIndex) &&
+        !deepEqual(prevRequest, myRequest)
+      ) {
+        return myRequest;
+      }
+      return prevRequest;
+    });
+  }, [
+    defaultIndex,
+    docValueFields,
+    endDate,
+    filterQuery,
+    startDate,
+    canQueryTimeline,
+    id,
+    activePage,
+    limit,
+    sort,
+  ]);
+
+  useEffect(() => {
+    timelineSearch(timelineRequest);
+  }, [timelineRequest, timelineSearch]);
+
+  return [loading, timelineResponse];
+};
diff --git a/x-pack/plugins/security_solution/public/timelines/containers/translations.ts b/x-pack/plugins/security_solution/public/timelines/containers/translations.ts
new file mode 100644
index 0000000000000..ba3cc3c84b92d
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/timelines/containers/translations.ts
@@ -0,0 +1,21 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { i18n } from '@kbn/i18n';
+
+export const ERROR_TIMELINE_EVENTS = i18n.translate(
+  'xpack.securitySolution.timelineEvents.errorSearchDescription',
+  {
+    defaultMessage: `An error has occurred on timeline events search`,
+  }
+);
+
+export const FAIL_TIMELINE_EVENTS = i18n.translate(
+  'xpack.securitySolution.timelineEvents.failSearchDescription',
+  {
+    defaultMessage: `Failed to run search on timeline events`,
+  }
+);
diff --git a/x-pack/plugins/security_solution/public/timelines/store/timeline/actions.ts b/x-pack/plugins/security_solution/public/timelines/store/timeline/actions.ts
index ebee0f5cae9a6..da9c363703d16 100644
--- a/x-pack/plugins/security_solution/public/timelines/store/timeline/actions.ts
+++ b/x-pack/plugins/security_solution/public/timelines/store/timeline/actions.ts
@@ -16,7 +16,7 @@ import {
 import { KueryFilterQuery, SerializedFilterQuery } from '../../../common/store/types';
 
 import { EventType, KqlMode, TimelineModel, ColumnHeaderOptions } from './model';
-import { TimelineNonEcsData } from '../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../common/search_strategy/timeline';
 import { TimelineTypeLiteral, RowRendererId } from '../../../../common/types/timeline';
 import { InsertTimeline } from './types';
 
diff --git a/x-pack/plugins/security_solution/public/timelines/store/timeline/helpers.ts b/x-pack/plugins/security_solution/public/timelines/store/timeline/helpers.ts
index a6b78269cff2f..1432e133244d0 100644
--- a/x-pack/plugins/security_solution/public/timelines/store/timeline/helpers.ts
+++ b/x-pack/plugins/security_solution/public/timelines/store/timeline/helpers.ts
@@ -20,7 +20,7 @@ import {
   EXISTS_OPERATOR,
 } from '../../../timelines/components/timeline/data_providers/data_provider';
 import { KueryFilterQuery, SerializedFilterQuery } from '../../../common/store/model';
-import { TimelineNonEcsData } from '../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../common/search_strategy/timeline';
 import {
   TimelineTypeLiteral,
   TimelineType,
diff --git a/x-pack/plugins/security_solution/public/timelines/store/timeline/model.ts b/x-pack/plugins/security_solution/public/timelines/store/timeline/model.ts
index 9a8399d366967..88ec9da1e0c4e 100644
--- a/x-pack/plugins/security_solution/public/timelines/store/timeline/model.ts
+++ b/x-pack/plugins/security_solution/public/timelines/store/timeline/model.ts
@@ -8,14 +8,14 @@ import { Filter } from '../../../../../../../src/plugins/data/public';
 
 import { DataProvider } from '../../components/timeline/data_providers/data_provider';
 import { Sort } from '../../components/timeline/body/sort';
-import {
-  PinnedEvent,
-  TimelineNonEcsData,
+import { PinnedEvent } from '../../../graphql/types';
+import { TimelineNonEcsData } from '../../../../common/search_strategy/timeline';
+import { KueryFilterQuery, SerializedFilterQuery } from '../../../common/store/types';
+import type {
   TimelineType,
   TimelineStatus,
-} from '../../../graphql/types';
-import { KueryFilterQuery, SerializedFilterQuery } from '../../../common/store/types';
-import type { RowRendererId } from '../../../../common/types/timeline';
+  RowRendererId,
+} from '../../../../common/types/timeline';
 
 export const DEFAULT_PAGE_COUNT = 2; // Eui Pager will not render unless this is a minimum of 2 pages
 export type KqlMode = 'filter' | 'search';
diff --git a/x-pack/plugins/security_solution/server/search_strategy/helpers/to_array.ts b/x-pack/plugins/security_solution/server/search_strategy/helpers/to_array.ts
index 4da319d5b1e42..f7d9f408c5e2d 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/helpers/to_array.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/helpers/to_array.ts
@@ -5,4 +5,4 @@
  */
 
 export const toArray = <T = string>(value: T | T[] | null) =>
-  Array.isArray(value) ? value : value == null ? [] : [value];
+  Array.isArray(value) ? value : value == null ? [] : [`${value}`];
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/all/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/all/index.ts
index aacfc227a36ad..7967ef2af4132 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/all/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/all/index.ts
@@ -52,7 +52,7 @@ export const allHosts: SecuritySolutionFactory<HostsQueries.hosts> = {
       edges,
       totalCount,
       pageInfo: {
-        activePage: activePage ? activePage : 0,
+        activePage: activePage ?? 0,
         fakeTotalCount,
         showMorePagesIndicator,
       },
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/all/query.all_hosts.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/all/query.all_hosts.dsl.ts
index 93390c314a637..b257d9cfee418 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/all/query.all_hosts.dsl.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/all/query.all_hosts.dsl.ts
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { isEmpty, isString } from 'lodash/fp';
+import { isEmpty } from 'lodash/fp';
 import { ISearchRequestParams } from '../../../../../../../../../src/plugins/data/common';
 import {
   Direction,
@@ -24,7 +24,7 @@ export const buildHostsQuery = ({
   timerange: { from, to },
 }: HostsRequestOptions): ISearchRequestParams => {
   const filter = [
-    ...createQueryFilterClauses(isString(filterQuery) ? JSON.parse(filterQuery) : filterQuery),
+    ...createQueryFilterClauses(filterQuery),
     {
       range: {
         '@timestamp': {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/__mocks__/index.ts
index 65343dc721fd7..d1c63651997c7 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/__mocks__/index.ts
@@ -3,12 +3,14 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
+
 import { IEsSearchResponse } from '../../../../../../../../../../src/plugins/data/common';
+
 import {
   AuthenticationHit,
   Direction,
-  HostsQueries,
   HostAuthenticationsRequestOptions,
+  HostsQueries,
 } from '../../../../../../../common/search_strategy';
 
 export const mockOptions: HostAuthenticationsRequestOptions = {
@@ -2143,7 +2145,80 @@ export const formattedSearchStrategyResponse = {
   loaded: 21,
   inspect: {
     dsl: [
-      '{\n  "allowNoIndices": true,\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "ignoreUnavailable": true,\n  "body": {\n    "aggregations": {\n      "user_count": {\n        "cardinality": {\n          "field": "user.name"\n        }\n      },\n      "group_by_users": {\n        "terms": {\n          "size": 10,\n          "field": "user.name",\n          "order": [\n            {\n              "successes.doc_count": "desc"\n            },\n            {\n              "failures.doc_count": "desc"\n            }\n          ]\n        },\n        "aggs": {\n          "failures": {\n            "filter": {\n              "term": {\n                "event.outcome": "failure"\n              }\n            },\n            "aggs": {\n              "lastFailure": {\n                "top_hits": {\n                  "size": 1,\n                  "_source": [],\n                  "sort": [\n                    {\n                      "@timestamp": {\n                        "order": "desc"\n                      }\n                    }\n                  ]\n                }\n              }\n            }\n          },\n          "successes": {\n            "filter": {\n              "term": {\n                "event.outcome": "success"\n              }\n            },\n            "aggs": {\n              "lastSuccess": {\n                "top_hits": {\n                  "size": 1,\n                  "_source": [],\n                  "sort": [\n                    {\n                      "@timestamp": {\n                        "order": "desc"\n                      }\n                    }\n                  ]\n                }\n              }\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "term": {\n              "event.category": "authentication"\n            }\n          },\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-02T15:17:13.678Z",\n                "lte": "2020-09-03T15:17:13.678Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          }\n        ]\n      }\n    },\n    "size": 0\n  },\n  "track_total_hits": false\n}',
+      JSON.stringify(
+        {
+          allowNoIndices: true,
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          ignoreUnavailable: true,
+          body: {
+            aggregations: {
+              user_count: { cardinality: { field: 'user.name' } },
+              group_by_users: {
+                terms: {
+                  size: 10,
+                  field: 'user.name',
+                  order: [{ 'successes.doc_count': 'desc' }, { 'failures.doc_count': 'desc' }],
+                },
+                aggs: {
+                  failures: {
+                    filter: { term: { 'event.outcome': 'failure' } },
+                    aggs: {
+                      lastFailure: {
+                        top_hits: {
+                          size: 1,
+                          _source: [],
+                          sort: [{ '@timestamp': { order: 'desc' } }],
+                        },
+                      },
+                    },
+                  },
+                  successes: {
+                    filter: { term: { 'event.outcome': 'success' } },
+                    aggs: {
+                      lastSuccess: {
+                        top_hits: {
+                          size: 1,
+                          _source: [],
+                          sort: [{ '@timestamp': { order: 'desc' } }],
+                        },
+                      },
+                    },
+                  },
+                },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
+                  { term: { 'event.category': 'authentication' } },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-02T15:17:13.678Z',
+                        lte: '2020-09-03T15:17:13.678Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                ],
+              },
+            },
+            size: 0,
+          },
+          track_total_hits: false,
+        },
+        null,
+        2
+      ),
     ],
   },
   edges: [
@@ -2335,7 +2410,7 @@ export const expectedDsl = {
     query: {
       bool: {
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
+          { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
           { term: { 'event.category': 'authentication' } },
           {
             range: {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/index.tsx b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/index.tsx
index d5bdeac38cee5..a43f53880587a 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/index.tsx
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/index.tsx
@@ -55,7 +55,7 @@ export const authentications: SecuritySolutionFactory<HostsQueries.authenticatio
       edges,
       totalCount,
       pageInfo: {
-        activePage: activePage ? activePage : 0,
+        activePage: activePage ?? 0,
         fakeTotalCount,
         showMorePagesIndicator,
       },
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/overview/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/overview/__mocks__/index.ts
index c017f39842ba1..b1f9b04daa1c1 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/overview/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/overview/__mocks__/index.ts
@@ -3,10 +3,12 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
+
 import { IEsSearchResponse } from '../../../../../../../../../../src/plugins/data/common';
+
 import {
-  HostsQueries,
   HostOverviewRequestOptions,
+  HostsQueries,
 } from '../../../../../../../common/search_strategy';
 
 export const mockOptions: HostOverviewRequestOptions = {
@@ -111,7 +113,197 @@ export const formattedSearchStrategyResponse = {
   loaded: 21,
   inspect: {
     dsl: [
-      '{\n  "allowNoIndices": true,\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "ignoreUnavailable": true,\n  "body": {\n    "aggregations": {\n      "auditd_count": {\n        "filter": {\n          "term": {\n            "event.module": "auditd"\n          }\n        }\n      },\n      "endgame_module": {\n        "filter": {\n          "bool": {\n            "should": [\n              {\n                "term": {\n                  "event.module": "endpoint"\n                }\n              },\n              {\n                "term": {\n                  "event.module": "endgame"\n                }\n              }\n            ]\n          }\n        },\n        "aggs": {\n          "dns_event_count": {\n            "filter": {\n              "bool": {\n                "should": [\n                  {\n                    "bool": {\n                      "filter": [\n                        {\n                          "term": {\n                            "network.protocol": "dns"\n                          }\n                        },\n                        {\n                          "term": {\n                            "event.category": "network"\n                          }\n                        }\n                      ]\n                    }\n                  },\n                  {\n                    "term": {\n                      "endgame.event_type_full": "dns_event"\n                    }\n                  }\n                ]\n              }\n            }\n          },\n          "file_event_count": {\n            "filter": {\n              "bool": {\n                "should": [\n                  {\n                    "term": {\n                      "event.category": "file"\n                    }\n                  },\n                  {\n                    "term": {\n                      "endgame.event_type_full": "file_event"\n                    }\n                  }\n                ]\n              }\n            }\n          },\n          "image_load_event_count": {\n            "filter": {\n              "bool": {\n                "should": [\n                  {\n                    "bool": {\n                      "should": [\n                        {\n                          "term": {\n                            "event.category": "library"\n                          }\n                        },\n                        {\n                          "term": {\n                            "event.category": "driver"\n                          }\n                        }\n                      ]\n                    }\n                  },\n                  {\n                    "term": {\n                      "endgame.event_type_full": "image_load_event"\n                    }\n                  }\n                ]\n              }\n            }\n          },\n          "network_event_count": {\n            "filter": {\n              "bool": {\n                "should": [\n                  {\n                    "bool": {\n                      "filter": [\n                        {\n                          "bool": {\n                            "must_not": {\n                              "term": {\n                                "network.protocol": "dns"\n                              }\n                            }\n                          }\n                        },\n                        {\n                          "term": {\n                            "event.category": "network"\n                          }\n                        }\n                      ]\n                    }\n                  },\n                  {\n                    "term": {\n                      "endgame.event_type_full": "network_event"\n                    }\n                  }\n                ]\n              }\n            }\n          },\n          "process_event_count": {\n            "filter": {\n              "bool": {\n                "should": [\n                  {\n                    "term": {\n                      "event.category": "process"\n                    }\n                  },\n                  {\n                    "term": {\n                      "endgame.event_type_full": "process_event"\n                    }\n                  }\n                ]\n              }\n            }\n          },\n          "registry_event": {\n            "filter": {\n              "bool": {\n                "should": [\n                  {\n                    "term": {\n                      "event.category": "registry"\n                    }\n                  },\n                  {\n                    "term": {\n                      "endgame.event_type_full": "registry_event"\n                    }\n                  }\n                ]\n              }\n            }\n          },\n          "security_event_count": {\n            "filter": {\n              "bool": {\n                "should": [\n                  {\n                    "bool": {\n                      "filter": [\n                        {\n                          "term": {\n                            "event.category": "session"\n                          }\n                        },\n                        {\n                          "term": {\n                            "event.category": "authentication"\n                          }\n                        }\n                      ]\n                    }\n                  },\n                  {\n                    "term": {\n                      "endgame.event_type_full": "security_event"\n                    }\n                  }\n                ]\n              }\n            }\n          }\n        }\n      },\n      "fim_count": {\n        "filter": {\n          "term": {\n            "event.module": "file_integrity"\n          }\n        }\n      },\n      "winlog_module": {\n        "filter": {\n          "term": {\n            "agent.type": "winlogbeat"\n          }\n        },\n        "aggs": {\n          "mwsysmon_operational_event_count": {\n            "filter": {\n              "term": {\n                "winlog.channel": "Microsoft-Windows-Sysmon/Operational"\n              }\n            }\n          },\n          "security_event_count": {\n            "filter": {\n              "term": {\n                "winlog.channel": "Security"\n              }\n            }\n          }\n        }\n      },\n      "system_module": {\n        "filter": {\n          "term": {\n            "event.module": "system"\n          }\n        },\n        "aggs": {\n          "login_count": {\n            "filter": {\n              "term": {\n                "event.dataset": "login"\n              }\n            }\n          },\n          "package_count": {\n            "filter": {\n              "term": {\n                "event.dataset": "package"\n              }\n            }\n          },\n          "process_count": {\n            "filter": {\n              "term": {\n                "event.dataset": "process"\n              }\n            }\n          },\n          "user_count": {\n            "filter": {\n              "term": {\n                "event.dataset": "user"\n              }\n            }\n          },\n          "filebeat_count": {\n            "filter": {\n              "term": {\n                "agent.type": "filebeat"\n              }\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}},{\\"bool\\":{\\"filter\\":[{\\"bool\\":{\\"should\\":[{\\"exists\\":{\\"field\\":\\"host.name\\"}}],\\"minimum_should_match\\":1}}]}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-07T09:47:28.606Z",\n                "lte": "2020-09-08T09:47:28.606Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          }\n        ]\n      }\n    },\n    "size": 0,\n    "track_total_hits": false\n  }\n}',
+      JSON.stringify(
+        {
+          allowNoIndices: true,
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          ignoreUnavailable: true,
+          body: {
+            aggregations: {
+              auditd_count: { filter: { term: { 'event.module': 'auditd' } } },
+              endgame_module: {
+                filter: {
+                  bool: {
+                    should: [
+                      { term: { 'event.module': 'endpoint' } },
+                      { term: { 'event.module': 'endgame' } },
+                    ],
+                  },
+                },
+                aggs: {
+                  dns_event_count: {
+                    filter: {
+                      bool: {
+                        should: [
+                          {
+                            bool: {
+                              filter: [
+                                { term: { 'network.protocol': 'dns' } },
+                                { term: { 'event.category': 'network' } },
+                              ],
+                            },
+                          },
+                          { term: { 'endgame.event_type_full': 'dns_event' } },
+                        ],
+                      },
+                    },
+                  },
+                  file_event_count: {
+                    filter: {
+                      bool: {
+                        should: [
+                          { term: { 'event.category': 'file' } },
+                          { term: { 'endgame.event_type_full': 'file_event' } },
+                        ],
+                      },
+                    },
+                  },
+                  image_load_event_count: {
+                    filter: {
+                      bool: {
+                        should: [
+                          {
+                            bool: {
+                              should: [
+                                { term: { 'event.category': 'library' } },
+                                { term: { 'event.category': 'driver' } },
+                              ],
+                            },
+                          },
+                          { term: { 'endgame.event_type_full': 'image_load_event' } },
+                        ],
+                      },
+                    },
+                  },
+                  network_event_count: {
+                    filter: {
+                      bool: {
+                        should: [
+                          {
+                            bool: {
+                              filter: [
+                                { bool: { must_not: { term: { 'network.protocol': 'dns' } } } },
+                                { term: { 'event.category': 'network' } },
+                              ],
+                            },
+                          },
+                          { term: { 'endgame.event_type_full': 'network_event' } },
+                        ],
+                      },
+                    },
+                  },
+                  process_event_count: {
+                    filter: {
+                      bool: {
+                        should: [
+                          { term: { 'event.category': 'process' } },
+                          { term: { 'endgame.event_type_full': 'process_event' } },
+                        ],
+                      },
+                    },
+                  },
+                  registry_event: {
+                    filter: {
+                      bool: {
+                        should: [
+                          { term: { 'event.category': 'registry' } },
+                          { term: { 'endgame.event_type_full': 'registry_event' } },
+                        ],
+                      },
+                    },
+                  },
+                  security_event_count: {
+                    filter: {
+                      bool: {
+                        should: [
+                          {
+                            bool: {
+                              filter: [
+                                { term: { 'event.category': 'session' } },
+                                { term: { 'event.category': 'authentication' } },
+                              ],
+                            },
+                          },
+                          { term: { 'endgame.event_type_full': 'security_event' } },
+                        ],
+                      },
+                    },
+                  },
+                },
+              },
+              fim_count: { filter: { term: { 'event.module': 'file_integrity' } } },
+              winlog_module: {
+                filter: { term: { 'agent.type': 'winlogbeat' } },
+                aggs: {
+                  mwsysmon_operational_event_count: {
+                    filter: { term: { 'winlog.channel': 'Microsoft-Windows-Sysmon/Operational' } },
+                  },
+                  security_event_count: { filter: { term: { 'winlog.channel': 'Security' } } },
+                },
+              },
+              system_module: {
+                filter: { term: { 'event.module': 'system' } },
+                aggs: {
+                  login_count: { filter: { term: { 'event.dataset': 'login' } } },
+                  package_count: { filter: { term: { 'event.dataset': 'package' } } },
+                  process_count: { filter: { term: { 'event.dataset': 'process' } } },
+                  user_count: { filter: { term: { 'event.dataset': 'user' } } },
+                  filebeat_count: { filter: { term: { 'agent.type': 'filebeat' } } },
+                },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  {
+                    bool: {
+                      must: [],
+                      filter: [
+                        { match_all: {} },
+                        {
+                          bool: {
+                            filter: [
+                              {
+                                bool: {
+                                  should: [{ exists: { field: 'host.name' } }],
+                                  minimum_should_match: 1,
+                                },
+                              },
+                            ],
+                          },
+                        },
+                      ],
+                      should: [],
+                      must_not: [],
+                    },
+                  },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-07T09:47:28.606Z',
+                        lte: '2020-09-08T09:47:28.606Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                ],
+              },
+            },
+            size: 0,
+            track_total_hits: false,
+          },
+        },
+        null,
+        2
+      ),
     ],
   },
   overviewHost: {
@@ -283,7 +475,28 @@ export const expectedDsl = {
     query: {
       bool: {
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}},{"bool":{"filter":[{"bool":{"should":[{"exists":{"field":"host.name"}}],"minimum_should_match":1}}]}}],"should":[],"must_not":[]}}',
+          {
+            bool: {
+              must: [],
+              filter: [
+                { match_all: {} },
+                {
+                  bool: {
+                    filter: [
+                      {
+                        bool: {
+                          should: [{ exists: { field: 'host.name' } }],
+                          minimum_should_match: 1,
+                        },
+                      },
+                    ],
+                  },
+                },
+              ],
+              should: [],
+              must_not: [],
+            },
+          },
           {
             range: {
               '@timestamp': {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/uncommon_processes/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/uncommon_processes/__mocks__/index.ts
index 5f0e2af8ae921..1c0b44bdfc4f6 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/uncommon_processes/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/uncommon_processes/__mocks__/index.ts
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { SortField, HostsQueries } from '../../../../../../../common/search_strategy';
+import { HostsQueries, SortField } from '../../../../../../../common/search_strategy';
 
 export const mockOptions = {
   defaultIndex: [
@@ -4260,7 +4260,7 @@ export const formattedSearchStrategyResponse = {
           },
         ],
         user: {
-          id: [0],
+          id: ['0'],
           name: ['root'],
         },
       },
@@ -4284,7 +4284,7 @@ export const formattedSearchStrategyResponse = {
           },
         ],
         user: {
-          id: [0],
+          id: ['0'],
           name: ['root'],
         },
       },
@@ -4296,7 +4296,131 @@ export const formattedSearchStrategyResponse = {
   ],
   inspect: {
     dsl: [
-      '{\n  "allowNoIndices": true,\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "ignoreUnavailable": true,\n  "body": {\n    "aggregations": {\n      "process_count": {\n        "cardinality": {\n          "field": "process.name"\n        }\n      },\n      "group_by_process": {\n        "terms": {\n          "size": 10,\n          "field": "process.name",\n          "order": [\n            {\n              "host_count": "asc"\n            },\n            {\n              "_count": "asc"\n            },\n            {\n              "_key": "asc"\n            }\n          ]\n        },\n        "aggregations": {\n          "process": {\n            "top_hits": {\n              "size": 1,\n              "sort": [\n                {\n                  "@timestamp": {\n                    "order": "desc"\n                  }\n                }\n              ],\n              "_source": [\n                "process.args",\n                "process.name",\n                "user.id",\n                "user.name"\n              ]\n            }\n          },\n          "host_count": {\n            "cardinality": {\n              "field": "host.name"\n            }\n          },\n          "hosts": {\n            "terms": {\n              "field": "host.name"\n            },\n            "aggregations": {\n              "host": {\n                "top_hits": {\n                  "size": 1,\n                  "_source": []\n                }\n              }\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "should": [\n          {\n            "bool": {\n              "filter": [\n                {\n                  "term": {\n                    "agent.type": "auditbeat"\n                  }\n                },\n                {\n                  "term": {\n                    "event.module": "auditd"\n                  }\n                },\n                {\n                  "term": {\n                    "event.action": "executed"\n                  }\n                }\n              ]\n            }\n          },\n          {\n            "bool": {\n              "filter": [\n                {\n                  "term": {\n                    "agent.type": "auditbeat"\n                  }\n                },\n                {\n                  "term": {\n                    "event.module": "system"\n                  }\n                },\n                {\n                  "term": {\n                    "event.dataset": "process"\n                  }\n                },\n                {\n                  "term": {\n                    "event.action": "process_started"\n                  }\n                }\n              ]\n            }\n          },\n          {\n            "bool": {\n              "filter": [\n                {\n                  "term": {\n                    "agent.type": "winlogbeat"\n                  }\n                },\n                {\n                  "term": {\n                    "event.code": "4688"\n                  }\n                }\n              ]\n            }\n          },\n          {\n            "bool": {\n              "filter": [\n                {\n                  "term": {\n                    "winlog.event_id": 1\n                  }\n                },\n                {\n                  "term": {\n                    "winlog.channel": "Microsoft-Windows-Sysmon/Operational"\n                  }\n                }\n              ]\n            }\n          },\n          {\n            "bool": {\n              "filter": [\n                {\n                  "term": {\n                    "event.type": "process_start"\n                  }\n                },\n                {\n                  "term": {\n                    "event.category": "process"\n                  }\n                }\n              ]\n            }\n          },\n          {\n            "bool": {\n              "filter": [\n                {\n                  "term": {\n                    "event.category": "process"\n                  }\n                },\n                {\n                  "term": {\n                    "event.type": "start"\n                  }\n                }\n              ]\n            }\n          }\n        ],\n        "minimum_should_match": 1,\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}},{\\"match_phrase\\":{\\"host.name\\":{\\"query\\":\\"siem-kibana\\"}}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-06T15:23:52.757Z",\n                "lte": "2020-09-07T15:23:52.757Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          }\n        ]\n      }\n    }\n  },\n  "size": 0,\n  "track_total_hits": false\n}',
+      JSON.stringify(
+        {
+          allowNoIndices: true,
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          ignoreUnavailable: true,
+          body: {
+            aggregations: {
+              process_count: { cardinality: { field: 'process.name' } },
+              group_by_process: {
+                terms: {
+                  size: 10,
+                  field: 'process.name',
+                  order: [{ host_count: 'asc' }, { _count: 'asc' }, { _key: 'asc' }],
+                },
+                aggregations: {
+                  process: {
+                    top_hits: {
+                      size: 1,
+                      sort: [{ '@timestamp': { order: 'desc' } }],
+                      _source: ['process.args', 'process.name', 'user.id', 'user.name'],
+                    },
+                  },
+                  host_count: { cardinality: { field: 'host.name' } },
+                  hosts: {
+                    terms: { field: 'host.name' },
+                    aggregations: { host: { top_hits: { size: 1, _source: [] } } },
+                  },
+                },
+              },
+            },
+            query: {
+              bool: {
+                should: [
+                  {
+                    bool: {
+                      filter: [
+                        { term: { 'agent.type': 'auditbeat' } },
+                        { term: { 'event.module': 'auditd' } },
+                        { term: { 'event.action': 'executed' } },
+                      ],
+                    },
+                  },
+                  {
+                    bool: {
+                      filter: [
+                        { term: { 'agent.type': 'auditbeat' } },
+                        { term: { 'event.module': 'system' } },
+                        { term: { 'event.dataset': 'process' } },
+                        { term: { 'event.action': 'process_started' } },
+                      ],
+                    },
+                  },
+                  {
+                    bool: {
+                      filter: [
+                        { term: { 'agent.type': 'winlogbeat' } },
+                        { term: { 'event.code': '4688' } },
+                      ],
+                    },
+                  },
+                  {
+                    bool: {
+                      filter: [
+                        { term: { 'winlog.event_id': 1 } },
+                        { term: { 'winlog.channel': 'Microsoft-Windows-Sysmon/Operational' } },
+                      ],
+                    },
+                  },
+                  {
+                    bool: {
+                      filter: [
+                        { term: { 'event.type': 'process_start' } },
+                        { term: { 'event.category': 'process' } },
+                      ],
+                    },
+                  },
+                  {
+                    bool: {
+                      filter: [
+                        { term: { 'event.category': 'process' } },
+                        { term: { 'event.type': 'start' } },
+                      ],
+                    },
+                  },
+                ],
+                minimum_should_match: 1,
+                filter: [
+                  {
+                    bool: {
+                      must: [],
+                      filter: [
+                        { match_all: {} },
+                        { match_phrase: { 'host.name': { query: 'siem-kibana' } } },
+                      ],
+                      should: [],
+                      must_not: [],
+                    },
+                  },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-06T15:23:52.757Z',
+                        lte: '2020-09-07T15:23:52.757Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                ],
+              },
+            },
+          },
+          size: 0,
+          track_total_hits: false,
+        },
+        null,
+        2
+      ),
     ],
   },
   pageInfo: {
@@ -4401,7 +4525,17 @@ export const expectedDsl = {
         ],
         minimum_should_match: 1,
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}},{"match_phrase":{"host.name":{"query":"siem-kibana"}}}],"should":[],"must_not":[]}}',
+          {
+            bool: {
+              must: [],
+              filter: [
+                { match_all: {} },
+                { match_phrase: { 'host.name': { query: 'siem-kibana' } } },
+              ],
+              should: [],
+              must_not: [],
+            },
+          },
           {
             range: {
               '@timestamp': {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/uncommon_processes/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/uncommon_processes/index.ts
index fcc76eebe4cf5..5682e63b50ed0 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/uncommon_processes/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/uncommon_processes/index.ts
@@ -58,7 +58,7 @@ export const uncommonProcesses: SecuritySolutionFactory<HostsQueries.uncommonPro
       edges,
       inspect,
       pageInfo: {
-        activePage: activePage ? activePage : 0,
+        activePage: activePage ?? 0,
         fakeTotalCount,
         showMorePagesIndicator,
       },
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/__mocks__/index.ts
index 73cf74087aad6..c1c4db53ba4e3 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/__mocks__/index.ts
@@ -28,7 +28,96 @@ export const formattedAlertsSearchStrategyResponse: MatrixHistogramStrategyRespo
   ...mockAlertsSearchStrategyResponse,
   inspect: {
     dsl: [
-      '{\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "allowNoIndices": true,\n  "ignoreUnavailable": true,\n  "body": {\n    "aggregations": {\n      "alertsGroup": {\n        "terms": {\n          "field": "event.module",\n          "missing": "All others",\n          "order": {\n            "_count": "desc"\n          },\n          "size": 10\n        },\n        "aggs": {\n          "alerts": {\n            "date_histogram": {\n              "field": "@timestamp",\n              "fixed_interval": "2700000ms",\n              "min_doc_count": 0,\n              "extended_bounds": {\n                "min": 1599574984482,\n                "max": 1599661384482\n              }\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}},{\\"bool\\":{\\"filter\\":[{\\"bool\\":{\\"should\\":[{\\"exists\\":{\\"field\\":\\"host.name\\"}}],\\"minimum_should_match\\":1}}]}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "bool": {\n              "filter": [\n                {\n                  "bool": {\n                    "should": [\n                      {\n                        "match": {\n                          "event.kind": "alert"\n                        }\n                      }\n                    ],\n                    "minimum_should_match": 1\n                  }\n                }\n              ]\n            }\n          },\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-08T14:23:04.482Z",\n                "lte": "2020-09-09T14:23:04.482Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          }\n        ]\n      }\n    },\n    "size": 0,\n    "track_total_hits": true\n  }\n}',
+      JSON.stringify(
+        {
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          allowNoIndices: true,
+          ignoreUnavailable: true,
+          body: {
+            aggregations: {
+              alertsGroup: {
+                terms: {
+                  field: 'event.module',
+                  missing: 'All others',
+                  order: { _count: 'desc' },
+                  size: 10,
+                },
+                aggs: {
+                  alerts: {
+                    date_histogram: {
+                      field: '@timestamp',
+                      fixed_interval: '2700000ms',
+                      min_doc_count: 0,
+                      extended_bounds: { min: 1599574984482, max: 1599661384482 },
+                    },
+                  },
+                },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  {
+                    bool: {
+                      must: [],
+                      filter: [
+                        { match_all: {} },
+                        {
+                          bool: {
+                            filter: [
+                              {
+                                bool: {
+                                  should: [{ exists: { field: 'host.name' } }],
+                                  minimum_should_match: 1,
+                                },
+                              },
+                            ],
+                          },
+                        },
+                      ],
+                      should: [],
+                      must_not: [],
+                    },
+                  },
+                  {
+                    bool: {
+                      filter: [
+                        {
+                          bool: {
+                            should: [{ match: { 'event.kind': 'alert' } }],
+                            minimum_should_match: 1,
+                          },
+                        },
+                      ],
+                    },
+                  },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-08T14:23:04.482Z',
+                        lte: '2020-09-09T14:23:04.482Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                ],
+              },
+            },
+            size: 0,
+            track_total_hits: true,
+          },
+        },
+        null,
+        2
+      ),
     ],
   },
   matrixHistogramData: [],
@@ -105,7 +194,75 @@ export const formattedAnomaliesSearchStrategyResponse: MatrixHistogramStrategyRe
   ...mockAnomaliesSearchStrategyResponse,
   inspect: {
     dsl: [
-      '{\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "allowNoIndices": true,\n  "ignoreUnavailable": true,\n  "body": {\n    "aggs": {\n      "anomalyActionGroup": {\n        "terms": {\n          "field": "job_id",\n          "order": {\n            "_count": "desc"\n          },\n          "size": 10\n        },\n        "aggs": {\n          "anomalies": {\n            "date_histogram": {\n              "field": "timestamp",\n              "fixed_interval": "2700000ms",\n              "min_doc_count": 0,\n              "extended_bounds": {\n                "min": 1599578075566,\n                "max": 1599664475566\n              }\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}},{\\"bool\\":{\\"should\\":[],\\"minimum_should_match\\":1}},{\\"match_phrase\\":{\\"result_type\\":\\"record\\"}},null,{\\"range\\":{\\"record_score\\":{\\"gte\\":50}}}],\\"should\\":[{\\"exists\\":{\\"field\\":\\"source.ip\\"}},{\\"exists\\":{\\"field\\":\\"destination.ip\\"}}],\\"must_not\\":[],\\"minimum_should_match\\":1}}",\n          {\n            "range": {\n              "timestamp": {\n                "gte": "2020-09-08T15:14:35.566Z",\n                "lte": "2020-09-09T15:14:35.566Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          }\n        ]\n      }\n    },\n    "size": 0,\n    "track_total_hits": true\n  }\n}',
+      JSON.stringify(
+        {
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          allowNoIndices: true,
+          ignoreUnavailable: true,
+          body: {
+            aggs: {
+              anomalyActionGroup: {
+                terms: { field: 'job_id', order: { _count: 'desc' }, size: 10 },
+                aggs: {
+                  anomalies: {
+                    date_histogram: {
+                      field: 'timestamp',
+                      fixed_interval: '2700000ms',
+                      min_doc_count: 0,
+                      extended_bounds: { min: 1599578075566, max: 1599664475566 },
+                    },
+                  },
+                },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  {
+                    bool: {
+                      must: [],
+                      filter: [
+                        { match_all: {} },
+                        { bool: { should: [], minimum_should_match: 1 } },
+                        { match_phrase: { result_type: 'record' } },
+                        null,
+                        { range: { record_score: { gte: 50 } } },
+                      ],
+                      should: [
+                        { exists: { field: 'source.ip' } },
+                        { exists: { field: 'destination.ip' } },
+                      ],
+                      must_not: [],
+                      minimum_should_match: 1,
+                    },
+                  },
+                  {
+                    range: {
+                      timestamp: {
+                        gte: '2020-09-08T15:14:35.566Z',
+                        lte: '2020-09-09T15:14:35.566Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                ],
+              },
+            },
+            size: 0,
+            track_total_hits: true,
+          },
+        },
+        null,
+        2
+      ),
     ],
   },
   matrixHistogramData: [],
@@ -219,7 +376,64 @@ export const formattedAuthenticationsSearchStrategyResponse: MatrixHistogramStra
   ...mockAuthenticationsSearchStrategyResponse,
   inspect: {
     dsl: [
-      '{\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "allowNoIndices": true,\n  "ignoreUnavailable": true,\n  "body": {\n    "aggregations": {\n      "eventActionGroup": {\n        "terms": {\n          "field": "event.outcome",\n          "include": [\n            "success",\n            "failure"\n          ],\n          "order": {\n            "_count": "desc"\n          },\n          "size": 2\n        },\n        "aggs": {\n          "events": {\n            "date_histogram": {\n              "field": "@timestamp",\n              "fixed_interval": "2700000ms",\n              "min_doc_count": 0,\n              "extended_bounds": {\n                "min": 1599578520325,\n                "max": 1599664920325\n              }\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "bool": {\n              "must": [\n                {\n                  "term": {\n                    "event.category": "authentication"\n                  }\n                }\n              ]\n            }\n          },\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-08T15:22:00.325Z",\n                "lte": "2020-09-09T15:22:00.325Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          }\n        ]\n      }\n    },\n    "size": 0,\n    "track_total_hits": true\n  }\n}',
+      JSON.stringify(
+        {
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          allowNoIndices: true,
+          ignoreUnavailable: true,
+          body: {
+            aggregations: {
+              eventActionGroup: {
+                terms: {
+                  field: 'event.outcome',
+                  include: ['success', 'failure'],
+                  order: { _count: 'desc' },
+                  size: 2,
+                },
+                aggs: {
+                  events: {
+                    date_histogram: {
+                      field: '@timestamp',
+                      fixed_interval: '2700000ms',
+                      min_doc_count: 0,
+                      extended_bounds: { min: 1599578520325, max: 1599664920325 },
+                    },
+                  },
+                },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
+                  { bool: { must: [{ term: { 'event.category': 'authentication' } }] } },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-08T15:22:00.325Z',
+                        lte: '2020-09-09T15:22:00.325Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                ],
+              },
+            },
+            size: 0,
+            track_total_hits: true,
+          },
+        },
+        null,
+        2
+      ),
     ],
   },
   matrixHistogramData: [
@@ -728,7 +942,63 @@ export const formattedEventsSearchStrategyResponse: MatrixHistogramStrategyRespo
   ...mockEventsSearchStrategyResponse,
   inspect: {
     dsl: [
-      '{\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "allowNoIndices": true,\n  "ignoreUnavailable": true,\n  "body": {\n    "aggregations": {\n      "eventActionGroup": {\n        "terms": {\n          "field": "event.action",\n          "missing": "All others",\n          "order": {\n            "_count": "desc"\n          },\n          "size": 10\n        },\n        "aggs": {\n          "events": {\n            "date_histogram": {\n              "field": "@timestamp",\n              "fixed_interval": "2700000ms",\n              "min_doc_count": 0,\n              "extended_bounds": {\n                "min": 1599581486215,\n                "max": 1599667886215\n              }\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-08T16:11:26.215Z",\n                "lte": "2020-09-09T16:11:26.215Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          }\n        ]\n      }\n    },\n    "size": 0,\n    "track_total_hits": true\n  }\n}',
+      JSON.stringify(
+        {
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          allowNoIndices: true,
+          ignoreUnavailable: true,
+          body: {
+            aggregations: {
+              eventActionGroup: {
+                terms: {
+                  field: 'event.action',
+                  missing: 'All others',
+                  order: { _count: 'desc' },
+                  size: 10,
+                },
+                aggs: {
+                  events: {
+                    date_histogram: {
+                      field: '@timestamp',
+                      fixed_interval: '2700000ms',
+                      min_doc_count: 0,
+                      extended_bounds: { min: 1599581486215, max: 1599667886215 },
+                    },
+                  },
+                },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-08T16:11:26.215Z',
+                        lte: '2020-09-09T16:11:26.215Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                ],
+              },
+            },
+            size: 0,
+            track_total_hits: true,
+          },
+        },
+        null,
+        2
+      ),
     ],
   },
   totalCount: 0,
@@ -1294,7 +1564,58 @@ export const formattedDnsSearchStrategyResponse: MatrixHistogramStrategyResponse
   ...mockDnsSearchStrategyResponse,
   inspect: {
     dsl: [
-      '{\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "allowNoIndices": true,\n  "ignoreUnavailable": true,\n  "body": {\n    "aggregations": {\n      "NetworkDns": {\n        "date_histogram": {\n          "field": "@timestamp",\n          "fixed_interval": "2700000ms"\n        },\n        "aggs": {\n          "dns": {\n            "terms": {\n              "field": "dns.question.registered_domain",\n              "order": {\n                "orderAgg": "desc"\n              },\n              "size": 10\n            },\n            "aggs": {\n              "orderAgg": {\n                "cardinality": {\n                  "field": "dns.question.name"\n                }\n              }\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-08T15:41:15.528Z",\n                "lte": "2020-09-09T15:41:15.529Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          }\n        ]\n      }\n    },\n    "size": 0,\n    "track_total_hits": true\n  }\n}',
+      JSON.stringify(
+        {
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          allowNoIndices: true,
+          ignoreUnavailable: true,
+          body: {
+            aggregations: {
+              NetworkDns: {
+                date_histogram: { field: '@timestamp', fixed_interval: '2700000ms' },
+                aggs: {
+                  dns: {
+                    terms: {
+                      field: 'dns.question.registered_domain',
+                      order: { orderAgg: 'desc' },
+                      size: 10,
+                    },
+                    aggs: { orderAgg: { cardinality: { field: 'dns.question.name' } } },
+                  },
+                },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-08T15:41:15.528Z',
+                        lte: '2020-09-09T15:41:15.529Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                ],
+              },
+            },
+            size: 0,
+            track_total_hits: true,
+          },
+        },
+        null,
+        2
+      ),
     ],
   },
   matrixHistogramData: [
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/alerts/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/alerts/__mocks__/index.ts
index 8b2e666ad0103..df304552f9fc2 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/alerts/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/alerts/__mocks__/index.ts
@@ -59,7 +59,28 @@ export const expectedDsl = {
     query: {
       bool: {
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}},{"bool":{"filter":[{"bool":{"should":[{"exists":{"field":"host.name"}}],"minimum_should_match":1}}]}}],"should":[],"must_not":[]}}',
+          {
+            bool: {
+              must: [],
+              filter: [
+                { match_all: {} },
+                {
+                  bool: {
+                    filter: [
+                      {
+                        bool: {
+                          should: [{ exists: { field: 'host.name' } }],
+                          minimum_should_match: 1,
+                        },
+                      },
+                    ],
+                  },
+                },
+              ],
+              should: [],
+              must_not: [],
+            },
+          },
           {
             bool: {
               filter: [
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/anomalies/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/anomalies/__mocks__/index.ts
index 6ca3c785e2e75..de0fcd8e22207 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/anomalies/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/anomalies/__mocks__/index.ts
@@ -54,7 +54,21 @@ export const expectedDsl = {
     query: {
       bool: {
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}},{"bool":{"should":[],"minimum_should_match":1}},{"match_phrase":{"result_type":"record"}},null,{"range":{"record_score":{"gte":50}}}],"should":[{"exists":{"field":"source.ip"}},{"exists":{"field":"destination.ip"}}],"must_not":[],"minimum_should_match":1}}',
+          {
+            bool: {
+              must: [],
+              filter: [
+                { match_all: {} },
+                { bool: { should: [], minimum_should_match: 1 } },
+                { match_phrase: { result_type: 'record' } },
+                null,
+                { range: { record_score: { gte: 50 } } },
+              ],
+              should: [{ exists: { field: 'source.ip' } }, { exists: { field: 'destination.ip' } }],
+              must_not: [],
+              minimum_should_match: 1,
+            },
+          },
           {
             range: {
               timestamp: {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/authentications/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/authentications/__mocks__/index.ts
index 1fd420dbb94cb..136c9964717c3 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/authentications/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/authentications/__mocks__/index.ts
@@ -58,7 +58,7 @@ export const expectedDsl = {
     query: {
       bool: {
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
+          { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
           { bool: { must: [{ term: { 'event.category': 'authentication' } }] } },
           {
             range: {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/dns/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/dns/__mocks__/index.ts
index 94ba20327a404..3a769127bbe85 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/dns/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/dns/__mocks__/index.ts
@@ -53,7 +53,7 @@ export const expectedDsl = {
     query: {
       bool: {
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
+          { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
           {
             range: {
               '@timestamp': {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/events/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/events/__mocks__/index.ts
index 09b710ab33c76..61f672203e45f 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/events/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/matrix_histogram/events/__mocks__/index.ts
@@ -63,7 +63,7 @@ export const expectedDsl = {
     query: {
       bool: {
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
+          { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
           {
             range: {
               '@timestamp': {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/__mocks__/index.ts
index f0605c5523fd9..d3625a96c6db9 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/__mocks__/index.ts
@@ -127,7 +127,59 @@ export const formattedSearchStrategyResponse = {
   ],
   inspect: {
     dsl: [
-      '{\n  "allowNoIndices": true,\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "ignoreUnavailable": true,\n  "body": {\n    "aggregations": {\n      "dns_count": {\n        "cardinality": {\n          "field": "dns.question.registered_domain"\n        }\n      },\n      "dns_name_query_count": {\n        "terms": {\n          "field": "dns.question.registered_domain",\n          "size": 10,\n          "order": {\n            "unique_domains": "desc"\n          }\n        },\n        "aggs": {\n          "unique_domains": {\n            "cardinality": {\n              "field": "dns.question.name"\n            }\n          },\n          "dns_bytes_in": {\n            "sum": {\n              "field": "source.bytes"\n            }\n          },\n          "dns_bytes_out": {\n            "sum": {\n              "field": "destination.bytes"\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-13T09:00:43.249Z",\n                "lte": "2020-09-14T09:00:43.249Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          }\n        ],\n        "must_not": [\n          {\n            "term": {\n              "dns.question.type": {\n                "value": "PTR"\n              }\n            }\n          }\n        ]\n      }\n    }\n  },\n  "size": 0,\n  "track_total_hits": false\n}',
+      JSON.stringify(
+        {
+          allowNoIndices: true,
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          ignoreUnavailable: true,
+          body: {
+            aggregations: {
+              dns_count: { cardinality: { field: 'dns.question.registered_domain' } },
+              dns_name_query_count: {
+                terms: {
+                  field: 'dns.question.registered_domain',
+                  size: 10,
+                  order: { unique_domains: 'desc' },
+                },
+                aggs: {
+                  unique_domains: { cardinality: { field: 'dns.question.name' } },
+                  dns_bytes_in: { sum: { field: 'source.bytes' } },
+                  dns_bytes_out: { sum: { field: 'destination.bytes' } },
+                },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-13T09:00:43.249Z',
+                        lte: '2020-09-14T09:00:43.249Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                ],
+                must_not: [{ term: { 'dns.question.type': { value: 'PTR' } } }],
+              },
+            },
+          },
+          size: 0,
+          track_total_hits: false,
+        },
+        null,
+        2
+      ),
     ],
   },
   pageInfo: { activePage: 0, fakeTotalCount: 2, showMorePagesIndicator: false },
@@ -165,7 +217,7 @@ export const expectedDsl = {
     query: {
       bool: {
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
+          { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
           {
             range: {
               '@timestamp': {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/index.ts
index 8e734ca9d1179..ca7743126df4c 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/index.ts
@@ -48,7 +48,7 @@ export const networkDns: SecuritySolutionFactory<NetworkQueries.dns> = {
       edges,
       inspect,
       pageInfo: {
-        activePage: activePage ? activePage : 0,
+        activePage: activePage ?? 0,
         fakeTotalCount,
         showMorePagesIndicator,
       },
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/__mocks__/index.ts
index 9991d267707b7..d105cb621cf46 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/__mocks__/index.ts
@@ -615,7 +615,58 @@ export const formattedSearchStrategyResponse = {
   ],
   inspect: {
     dsl: [
-      '{\n  "allowNoIndices": true,\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "ignoreUnavailable": true,\n  "body": {\n    "aggregations": {\n      "http_count": {\n        "cardinality": {\n          "field": "url.path"\n        }\n      },\n      "url": {\n        "terms": {\n          "field": "url.path",\n          "size": 10,\n          "order": {\n            "_count": "desc"\n          }\n        },\n        "aggs": {\n          "methods": {\n            "terms": {\n              "field": "http.request.method",\n              "size": 4\n            }\n          },\n          "domains": {\n            "terms": {\n              "field": "url.domain",\n              "size": 4\n            }\n          },\n          "status": {\n            "terms": {\n              "field": "http.response.status_code",\n              "size": 4\n            }\n          },\n          "source": {\n            "top_hits": {\n              "size": 1,\n              "_source": {\n                "includes": [\n                  "host.name",\n                  "source.ip"\n                ]\n              }\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-13T09:00:43.249Z",\n                "lte": "2020-09-14T09:00:43.249Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          },\n          {\n            "exists": {\n              "field": "http.request.method"\n            }\n          }\n        ]\n      }\n    }\n  },\n  "size": 0,\n  "track_total_hits": false\n}',
+      JSON.stringify(
+        {
+          allowNoIndices: true,
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          ignoreUnavailable: true,
+          body: {
+            aggregations: {
+              http_count: { cardinality: { field: 'url.path' } },
+              url: {
+                terms: { field: 'url.path', size: 10, order: { _count: 'desc' } },
+                aggs: {
+                  methods: { terms: { field: 'http.request.method', size: 4 } },
+                  domains: { terms: { field: 'url.domain', size: 4 } },
+                  status: { terms: { field: 'http.response.status_code', size: 4 } },
+                  source: {
+                    top_hits: { size: 1, _source: { includes: ['host.name', 'source.ip'] } },
+                  },
+                },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-13T09:00:43.249Z',
+                        lte: '2020-09-14T09:00:43.249Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                  { exists: { field: 'http.request.method' } },
+                ],
+              },
+            },
+          },
+          size: 0,
+          track_total_hits: false,
+        },
+        null,
+        2
+      ),
     ],
   },
   pageInfo: { activePage: 0, fakeTotalCount: 50, showMorePagesIndicator: true },
@@ -650,7 +701,7 @@ export const expectedDsl = {
     query: {
       bool: {
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
+          { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
           {
             range: {
               '@timestamp': {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/index.ts
index c0205ccce63cc..6ad4ac9cb8e33 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/index.ts
@@ -48,7 +48,7 @@ export const networkHttp: SecuritySolutionFactory<NetworkQueries.http> = {
       edges,
       inspect,
       pageInfo: {
-        activePage: activePage ? activePage : 0,
+        activePage: activePage ?? 0,
         fakeTotalCount,
         showMorePagesIndicator,
       },
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/overview/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/overview/__mocks__/index.ts
index 8f34d31e49e1d..2c3eb37e25453 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/overview/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/overview/__mocks__/index.ts
@@ -97,7 +97,96 @@ export const formattedSearchStrategyResponse = {
   ...mockSearchStrategyResponse,
   inspect: {
     dsl: [
-      '{\n  "allowNoIndices": true,\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "ignoreUnavailable": true,\n  "body": {\n    "aggregations": {\n      "unique_flow_count": {\n        "filter": {\n          "term": {\n            "type": "flow"\n          }\n        }\n      },\n      "unique_dns_count": {\n        "filter": {\n          "term": {\n            "type": "dns"\n          }\n        }\n      },\n      "unique_suricata_count": {\n        "filter": {\n          "term": {\n            "service.type": "suricata"\n          }\n        }\n      },\n      "unique_zeek_count": {\n        "filter": {\n          "term": {\n            "service.type": "zeek"\n          }\n        }\n      },\n      "unique_socket_count": {\n        "filter": {\n          "term": {\n            "event.dataset": "socket"\n          }\n        }\n      },\n      "unique_filebeat_count": {\n        "filter": {\n          "term": {\n            "agent.type": "filebeat"\n          }\n        },\n        "aggs": {\n          "unique_netflow_count": {\n            "filter": {\n              "term": {\n                "input.type": "netflow"\n              }\n            }\n          },\n          "unique_panw_count": {\n            "filter": {\n              "term": {\n                "event.module": "panw"\n              }\n            }\n          },\n          "unique_cisco_count": {\n            "filter": {\n              "term": {\n                "event.module": "cisco"\n              }\n            }\n          }\n        }\n      },\n      "unique_packetbeat_count": {\n        "filter": {\n          "term": {\n            "agent.type": "packetbeat"\n          }\n        },\n        "aggs": {\n          "unique_tls_count": {\n            "filter": {\n              "term": {\n                "network.protocol": "tls"\n              }\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}},{\\"bool\\":{\\"filter\\":[{\\"bool\\":{\\"should\\":[{\\"bool\\":{\\"should\\":[{\\"exists\\":{\\"field\\":\\"source.ip\\"}}],\\"minimum_should_match\\":1}},{\\"bool\\":{\\"should\\":[{\\"exists\\":{\\"field\\":\\"destination.ip\\"}}],\\"minimum_should_match\\":1}}],\\"minimum_should_match\\":1}}]}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-13T12:54:24.685Z",\n                "lte": "2020-09-14T12:54:24.685Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          }\n        ]\n      }\n    },\n    "size": 0,\n    "track_total_hits": false\n  }\n}',
+      JSON.stringify(
+        {
+          allowNoIndices: true,
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          ignoreUnavailable: true,
+          body: {
+            aggregations: {
+              unique_flow_count: { filter: { term: { type: 'flow' } } },
+              unique_dns_count: { filter: { term: { type: 'dns' } } },
+              unique_suricata_count: { filter: { term: { 'service.type': 'suricata' } } },
+              unique_zeek_count: { filter: { term: { 'service.type': 'zeek' } } },
+              unique_socket_count: { filter: { term: { 'event.dataset': 'socket' } } },
+              unique_filebeat_count: {
+                filter: { term: { 'agent.type': 'filebeat' } },
+                aggs: {
+                  unique_netflow_count: { filter: { term: { 'input.type': 'netflow' } } },
+                  unique_panw_count: { filter: { term: { 'event.module': 'panw' } } },
+                  unique_cisco_count: { filter: { term: { 'event.module': 'cisco' } } },
+                },
+              },
+              unique_packetbeat_count: {
+                filter: { term: { 'agent.type': 'packetbeat' } },
+                aggs: { unique_tls_count: { filter: { term: { 'network.protocol': 'tls' } } } },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  {
+                    bool: {
+                      must: [],
+                      filter: [
+                        { match_all: {} },
+                        {
+                          bool: {
+                            filter: [
+                              {
+                                bool: {
+                                  should: [
+                                    {
+                                      bool: {
+                                        should: [{ exists: { field: 'source.ip' } }],
+                                        minimum_should_match: 1,
+                                      },
+                                    },
+                                    {
+                                      bool: {
+                                        should: [{ exists: { field: 'destination.ip' } }],
+                                        minimum_should_match: 1,
+                                      },
+                                    },
+                                  ],
+                                  minimum_should_match: 1,
+                                },
+                              },
+                            ],
+                          },
+                        },
+                      ],
+                      should: [],
+                      must_not: [],
+                    },
+                  },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-13T12:54:24.685Z',
+                        lte: '2020-09-14T12:54:24.685Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                ],
+              },
+            },
+            size: 0,
+            track_total_hits: false,
+          },
+        },
+        null,
+        2
+      ),
     ],
   },
   overviewNetwork: {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/tls/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/tls/__mocks__/index.ts
index 15e2ac3cc0f69..50a263572edb8 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/tls/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/tls/__mocks__/index.ts
@@ -8,10 +8,10 @@ import { IEsSearchResponse } from '../../../../../../../../../../src/plugins/dat
 
 import {
   Direction,
+  FlowTargetSourceDest,
+  NetworkQueries,
   NetworkTlsFields,
   NetworkTlsRequestOptions,
-  NetworkQueries,
-  FlowTargetSourceDest,
 } from '../../../../../../../common/search_strategy';
 
 export const mockOptions: NetworkTlsRequestOptions = {
@@ -55,7 +55,55 @@ export const formattedSearchStrategyResponse = {
   edges: [],
   inspect: {
     dsl: [
-      '{\n  "allowNoIndices": true,\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "ignoreUnavailable": true,\n  "body": {\n    "aggs": {\n      "count": {\n        "cardinality": {\n          "field": "tls.server.hash.sha1"\n        }\n      },\n      "sha1": {\n        "terms": {\n          "field": "tls.server.hash.sha1",\n          "size": 10,\n          "order": {\n            "_key": "desc"\n          }\n        },\n        "aggs": {\n          "issuers": {\n            "terms": {\n              "field": "tls.server.issuer"\n            }\n          },\n          "subjects": {\n            "terms": {\n              "field": "tls.server.subject"\n            }\n          },\n          "not_after": {\n            "terms": {\n              "field": "tls.server.not_after"\n            }\n          },\n          "ja3": {\n            "terms": {\n              "field": "tls.server.ja3s"\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-13T09:58:58.637Z",\n                "lte": "2020-09-14T09:58:58.637Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          }\n        ]\n      }\n    },\n    "size": 0,\n    "track_total_hits": false\n  }\n}',
+      JSON.stringify(
+        {
+          allowNoIndices: true,
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          ignoreUnavailable: true,
+          body: {
+            aggs: {
+              count: { cardinality: { field: 'tls.server.hash.sha1' } },
+              sha1: {
+                terms: { field: 'tls.server.hash.sha1', size: 10, order: { _key: 'desc' } },
+                aggs: {
+                  issuers: { terms: { field: 'tls.server.issuer' } },
+                  subjects: { terms: { field: 'tls.server.subject' } },
+                  not_after: { terms: { field: 'tls.server.not_after' } },
+                  ja3: { terms: { field: 'tls.server.ja3s' } },
+                },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-13T09:58:58.637Z',
+                        lte: '2020-09-14T09:58:58.637Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                ],
+              },
+            },
+            size: 0,
+            track_total_hits: false,
+          },
+        },
+        null,
+        2
+      ),
     ],
   },
   pageInfo: { activePage: 0, fakeTotalCount: 0, showMorePagesIndicator: false },
@@ -90,7 +138,7 @@ export const expectedDsl = {
     query: {
       bool: {
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
+          { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
           {
             range: {
               '@timestamp': {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/tls/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/tls/index.ts
index 46556f46d3a50..7ada299a513bb 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/tls/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/tls/index.ts
@@ -48,7 +48,7 @@ export const networkTls: SecuritySolutionFactory<NetworkQueries.tls> = {
       edges,
       inspect,
       pageInfo: {
-        activePage: activePage ? activePage : 0,
+        activePage: activePage ?? 0,
         fakeTotalCount,
         showMorePagesIndicator,
       },
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_countries/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_countries/__mocks__/index.ts
index 0578d99accbf5..dfa2722b142ea 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_countries/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_countries/__mocks__/index.ts
@@ -8,9 +8,9 @@ import { IEsSearchResponse } from '../../../../../../../../../../src/plugins/dat
 
 import {
   Direction,
-  NetworkTopCountriesRequestOptions,
-  NetworkQueries,
   FlowTargetSourceDest,
+  NetworkQueries,
+  NetworkTopCountriesRequestOptions,
   NetworkTopTablesFields,
 } from '../../../../../../../common/search_strategy';
 
@@ -54,7 +54,60 @@ export const formattedSearchStrategyResponse = {
   edges: [],
   inspect: {
     dsl: [
-      '{\n  "allowNoIndices": true,\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "ignoreUnavailable": true,\n  "body": {\n    "aggregations": {\n      "top_countries_count": {\n        "cardinality": {\n          "field": "destination.geo.country_iso_code"\n        }\n      },\n      "destination": {\n        "terms": {\n          "field": "destination.geo.country_iso_code",\n          "size": 10,\n          "order": {\n            "bytes_in": "desc"\n          }\n        },\n        "aggs": {\n          "bytes_in": {\n            "sum": {\n              "field": "source.bytes"\n            }\n          },\n          "bytes_out": {\n            "sum": {\n              "field": "destination.bytes"\n            }\n          },\n          "flows": {\n            "cardinality": {\n              "field": "network.community_id"\n            }\n          },\n          "source_ips": {\n            "cardinality": {\n              "field": "source.ip"\n            }\n          },\n          "destination_ips": {\n            "cardinality": {\n              "field": "destination.ip"\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-13T09:58:58.637Z",\n                "lte": "2020-09-14T09:58:58.637Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          }\n        ]\n      }\n    }\n  },\n  "size": 0,\n  "track_total_hits": false\n}',
+      JSON.stringify(
+        {
+          allowNoIndices: true,
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          ignoreUnavailable: true,
+          body: {
+            aggregations: {
+              top_countries_count: { cardinality: { field: 'destination.geo.country_iso_code' } },
+              destination: {
+                terms: {
+                  field: 'destination.geo.country_iso_code',
+                  size: 10,
+                  order: { bytes_in: 'desc' },
+                },
+                aggs: {
+                  bytes_in: { sum: { field: 'source.bytes' } },
+                  bytes_out: { sum: { field: 'destination.bytes' } },
+                  flows: { cardinality: { field: 'network.community_id' } },
+                  source_ips: { cardinality: { field: 'source.ip' } },
+                  destination_ips: { cardinality: { field: 'destination.ip' } },
+                },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-13T09:58:58.637Z',
+                        lte: '2020-09-14T09:58:58.637Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                ],
+              },
+            },
+          },
+          size: 0,
+          track_total_hits: false,
+        },
+        null,
+        2
+      ),
     ],
   },
   pageInfo: { activePage: 0, fakeTotalCount: 0, showMorePagesIndicator: false },
@@ -90,7 +143,7 @@ export const expectedDsl = {
     query: {
       bool: {
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
+          { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
           {
             range: {
               '@timestamp': {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_countries/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_countries/index.ts
index ba4565b068eb4..ad698046cc030 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_countries/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_countries/index.ts
@@ -51,7 +51,7 @@ export const networkTopCountries: SecuritySolutionFactory<NetworkQueries.topCoun
       edges,
       inspect,
       pageInfo: {
-        activePage: activePage ? activePage : 0,
+        activePage: activePage ?? 0,
         fakeTotalCount,
         showMorePagesIndicator,
       },
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/__mocks__/index.ts
index 84c1ca129ecac..b1470b17eea5d 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/__mocks__/index.ts
@@ -8,10 +8,10 @@ import { IEsSearchResponse } from '../../../../../../../../../../src/plugins/dat
 
 import {
   Direction,
-  NetworkTopNFlowRequestOptions,
+  FlowTargetSourceDest,
   NetworkQueries,
+  NetworkTopNFlowRequestOptions,
   NetworkTopTablesFields,
-  FlowTargetSourceDest,
 } from '../../../../../../../common/search_strategy';
 
 export const mockOptions: NetworkTopNFlowRequestOptions = {
@@ -781,7 +781,67 @@ export const formattedSearchStrategyResponse = {
   ],
   inspect: {
     dsl: [
-      '{\n  "allowNoIndices": true,\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "ignoreUnavailable": true,\n  "body": {\n    "aggregations": {\n      "top_n_flow_count": {\n        "cardinality": {\n          "field": "source.ip"\n        }\n      },\n      "source": {\n        "terms": {\n          "field": "source.ip",\n          "size": 10,\n          "order": {\n            "bytes_out": "desc"\n          }\n        },\n        "aggs": {\n          "bytes_in": {\n            "sum": {\n              "field": "destination.bytes"\n            }\n          },\n          "bytes_out": {\n            "sum": {\n              "field": "source.bytes"\n            }\n          },\n          "domain": {\n            "terms": {\n              "field": "source.domain",\n              "order": {\n                "timestamp": "desc"\n              }\n            },\n            "aggs": {\n              "timestamp": {\n                "max": {\n                  "field": "@timestamp"\n                }\n              }\n            }\n          },\n          "location": {\n            "filter": {\n              "exists": {\n                "field": "source.geo"\n              }\n            },\n            "aggs": {\n              "top_geo": {\n                "top_hits": {\n                  "_source": "source.geo.*",\n                  "size": 1\n                }\n              }\n            }\n          },\n          "autonomous_system": {\n            "filter": {\n              "exists": {\n                "field": "source.as"\n              }\n            },\n            "aggs": {\n              "top_as": {\n                "top_hits": {\n                  "_source": "source.as.*",\n                  "size": 1\n                }\n              }\n            }\n          },\n          "flows": {\n            "cardinality": {\n              "field": "network.community_id"\n            }\n          },\n          "destination_ips": {\n            "cardinality": {\n              "field": "destination.ip"\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-13T10:16:46.870Z",\n                "lte": "2020-09-14T10:16:46.870Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          }\n        ]\n      }\n    }\n  },\n  "size": 0,\n  "track_total_hits": false\n}',
+      JSON.stringify(
+        {
+          allowNoIndices: true,
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          ignoreUnavailable: true,
+          body: {
+            aggregations: {
+              top_n_flow_count: { cardinality: { field: 'source.ip' } },
+              source: {
+                terms: { field: 'source.ip', size: 10, order: { bytes_out: 'desc' } },
+                aggs: {
+                  bytes_in: { sum: { field: 'destination.bytes' } },
+                  bytes_out: { sum: { field: 'source.bytes' } },
+                  domain: {
+                    terms: { field: 'source.domain', order: { timestamp: 'desc' } },
+                    aggs: { timestamp: { max: { field: '@timestamp' } } },
+                  },
+                  location: {
+                    filter: { exists: { field: 'source.geo' } },
+                    aggs: { top_geo: { top_hits: { _source: 'source.geo.*', size: 1 } } },
+                  },
+                  autonomous_system: {
+                    filter: { exists: { field: 'source.as' } },
+                    aggs: { top_as: { top_hits: { _source: 'source.as.*', size: 1 } } },
+                  },
+                  flows: { cardinality: { field: 'network.community_id' } },
+                  destination_ips: { cardinality: { field: 'destination.ip' } },
+                },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-13T10:16:46.870Z',
+                        lte: '2020-09-14T10:16:46.870Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                ],
+              },
+            },
+          },
+          size: 0,
+          track_total_hits: false,
+        },
+        null,
+        2
+      ),
     ],
   },
   pageInfo: { activePage: 0, fakeTotalCount: 50, showMorePagesIndicator: true },
@@ -828,7 +888,7 @@ export const expectedDsl = {
     query: {
       bool: {
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
+          { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
           {
             range: {
               '@timestamp': {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/index.ts
index 198368d981800..60ae4069e8f9c 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/index.ts
@@ -48,7 +48,7 @@ export const networkTopNFlow: SecuritySolutionFactory<NetworkQueries.topNFlow> =
       edges,
       inspect,
       pageInfo: {
-        activePage: activePage ? activePage : 0,
+        activePage: activePage ?? 0,
         fakeTotalCount,
         showMorePagesIndicator,
       },
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/users/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/users/__mocks__/index.ts
index 3f57de7c78d1a..d9591ca3640ab 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/users/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/users/__mocks__/index.ts
@@ -8,10 +8,10 @@ import { IEsSearchResponse } from '../../../../../../../../../../src/plugins/dat
 
 import {
   Direction,
-  NetworkUsersRequestOptions,
+  FlowTarget,
   NetworkQueries,
   NetworkUsersFields,
-  FlowTarget,
+  NetworkUsersRequestOptions,
 } from '../../../../../../../common/search_strategy';
 
 export const mockOptions: NetworkUsersRequestOptions = {
@@ -115,7 +115,56 @@ export const formattedSearchStrategyResponse = {
   ],
   inspect: {
     dsl: [
-      '{\n  "allowNoIndices": true,\n  "index": [\n    "apm-*-transaction*",\n    "auditbeat-*",\n    "endgame-*",\n    "filebeat-*",\n    "logs-*",\n    "packetbeat-*",\n    "winlogbeat-*"\n  ],\n  "ignoreUnavailable": true,\n  "body": {\n    "aggs": {\n      "user_count": {\n        "cardinality": {\n          "field": "user.name"\n        }\n      },\n      "users": {\n        "terms": {\n          "field": "user.name",\n          "size": 10,\n          "order": {\n            "_key": "asc"\n          }\n        },\n        "aggs": {\n          "id": {\n            "terms": {\n              "field": "user.id"\n            }\n          },\n          "groupId": {\n            "terms": {\n              "field": "user.group.id"\n            }\n          },\n          "groupName": {\n            "terms": {\n              "field": "user.group.name"\n            }\n          }\n        }\n      }\n    },\n    "query": {\n      "bool": {\n        "filter": [\n          "{\\"bool\\":{\\"must\\":[],\\"filter\\":[{\\"match_all\\":{}}],\\"should\\":[],\\"must_not\\":[]}}",\n          {\n            "range": {\n              "@timestamp": {\n                "gte": "2020-09-13T10:16:46.870Z",\n                "lte": "2020-09-14T10:16:46.870Z",\n                "format": "strict_date_optional_time"\n              }\n            }\n          },\n          {\n            "term": {\n              "source.ip": "10.142.0.7"\n            }\n          }\n        ],\n        "must_not": [\n          {\n            "term": {\n              "event.category": "authentication"\n            }\n          }\n        ]\n      }\n    },\n    "size": 0,\n    "track_total_hits": false\n  }\n}',
+      JSON.stringify(
+        {
+          allowNoIndices: true,
+          index: [
+            'apm-*-transaction*',
+            'auditbeat-*',
+            'endgame-*',
+            'filebeat-*',
+            'logs-*',
+            'packetbeat-*',
+            'winlogbeat-*',
+          ],
+          ignoreUnavailable: true,
+          body: {
+            aggs: {
+              user_count: { cardinality: { field: 'user.name' } },
+              users: {
+                terms: { field: 'user.name', size: 10, order: { _key: 'asc' } },
+                aggs: {
+                  id: { terms: { field: 'user.id' } },
+                  groupId: { terms: { field: 'user.group.id' } },
+                  groupName: { terms: { field: 'user.group.name' } },
+                },
+              },
+            },
+            query: {
+              bool: {
+                filter: [
+                  { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
+                  {
+                    range: {
+                      '@timestamp': {
+                        gte: '2020-09-13T10:16:46.870Z',
+                        lte: '2020-09-14T10:16:46.870Z',
+                        format: 'strict_date_optional_time',
+                      },
+                    },
+                  },
+                  { term: { 'source.ip': '10.142.0.7' } },
+                ],
+                must_not: [{ term: { 'event.category': 'authentication' } }],
+              },
+            },
+            size: 0,
+            track_total_hits: false,
+          },
+        },
+        null,
+        2
+      ),
     ],
   },
   pageInfo: { activePage: 0, fakeTotalCount: 3, showMorePagesIndicator: false },
@@ -139,7 +188,7 @@ export const expectedDsl = {
     query: {
       bool: {
         filter: [
-          '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
+          { bool: { must: [], filter: [{ match_all: {} }], should: [], must_not: [] } },
           {
             range: {
               '@timestamp': {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/users/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/users/index.ts
index f9b9a2fd2747f..a5ceb447f7bc0 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/users/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/users/index.ts
@@ -47,7 +47,7 @@ export const networkUsers: SecuritySolutionFactory<NetworkQueries.users> = {
       edges,
       inspect,
       pageInfo: {
-        activePage: activePage ? activePage : 0,
+        activePage: activePage ?? 0,
         fakeTotalCount,
         showMorePagesIndicator,
       },
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/constants.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/constants.ts
new file mode 100644
index 0000000000000..924426e56361f
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/constants.ts
@@ -0,0 +1,219 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export const TIMELINE_EVENTS_FIELDS = [
+  '@timestamp',
+  'signal.status',
+  'signal.original_time',
+  'signal.rule.filters',
+  'signal.rule.from',
+  'signal.rule.language',
+  'signal.rule.query',
+  'signal.rule.name',
+  'signal.rule.to',
+  'signal.rule.id',
+  'signal.rule.index',
+  'signal.rule.type',
+  'signal.original_event.kind',
+  'signal.original_event.module',
+  'file.path',
+  'file.Ext.code_signature.subject_name',
+  'file.Ext.code_signature.trusted',
+  'file.hash.sha256',
+  'host.os.family',
+  'event.code',
+  'signal.rule.version',
+  'signal.rule.severity',
+  'signal.rule.risk_score',
+  'event.module',
+  'event.action',
+  'event.category',
+  'host.name',
+  'user.name',
+  'source.ip',
+  'destination.ip',
+  'message',
+  'system.auth.ssh.signature',
+  'system.auth.ssh.method',
+  'system.audit.package.arch',
+  'system.audit.package.entity_id',
+  'system.audit.package.name',
+  'system.audit.package.size',
+  'system.audit.package.summary',
+  'system.audit.package.version',
+  'event.created',
+  'event.dataset',
+  'event.duration',
+  'event.end',
+  'event.hash',
+  'event.id',
+  'event.kind',
+  'event.original',
+  'event.outcome',
+  'event.risk_score',
+  'event.risk_score_norm',
+  'event.severity',
+  'event.start',
+  'event.timezone',
+  'event.type',
+  'agent.type',
+  'auditd.result',
+  'auditd.session',
+  'auditd.data.acct',
+  'auditd.data.terminal',
+  'auditd.data.op',
+  'auditd.summary.actor.primary',
+  'auditd.summary.actor.secondary',
+  'auditd.summary.object.primary',
+  'auditd.summary.object.secondary',
+  'auditd.summary.object.type',
+  'auditd.summary.how',
+  'auditd.summary.message_type',
+  'auditd.summary.sequence',
+  'file.name',
+  'file.target_path',
+  'file.extension',
+  'file.type',
+  'file.device',
+  'file.inode',
+  'file.uid',
+  'file.owner',
+  'file.gid',
+  'file.group',
+  'file.mode',
+  'file.size',
+  'file.mtime',
+  'file.ctime',
+  'host.id',
+  'host.ip',
+  'rule.reference',
+  'source.bytes',
+  'source.packets',
+  'source.port',
+  'source.geo.continent_name',
+  'source.geo.country_name',
+  'source.geo.country_iso_code',
+  'source.geo.city_name',
+  'source.geo.region_iso_code',
+  'source.geo.region_name',
+  'destination.bytes',
+  'destination.packets',
+  'destination.port',
+  'destination.geo.continent_name',
+  'destination.geo.country_name',
+  'destination.geo.country_iso_code',
+  'destination.geo.city_name',
+  'destination.geo.region_iso_code',
+  'destination.geo.region_name',
+  'dns.question.name',
+  'dns.question.type',
+  'dns.resolved_ip',
+  'dns.response_code',
+  'endgame.exit_code',
+  'endgame.file_name',
+  'endgame.file_path',
+  'endgame.logon_type',
+  'endgame.parent_process_name',
+  'endgame.pid',
+  'endgame.process_name',
+  'endgame.subject_domain_name',
+  'endgame.subject_logon_id',
+  'endgame.subject_user_name',
+  'endgame.target_domain_name',
+  'endgame.target_logon_id',
+  'endgame.target_user_name',
+  'signal.rule.saved_id',
+  'signal.rule.timeline_id',
+  'signal.rule.timeline_title',
+  'signal.rule.output_index',
+  'signal.rule.note',
+  'signal.rule.threshold',
+  'signal.rule.exceptions_list',
+  'suricata.eve.proto',
+  'suricata.eve.flow_id',
+  'suricata.eve.alert.signature',
+  'suricata.eve.alert.signature_id',
+  'network.bytes',
+  'network.community_id',
+  'network.direction',
+  'network.packets',
+  'network.protocol',
+  'network.transport',
+  'http.version',
+  'http.request.method',
+  'http.request.body.bytes',
+  'http.request.body.content',
+  'http.request.referrer',
+  'http.response.status_code',
+  'http.response.body.bytes',
+  'http.response.body.content',
+  'tls.client_certificate.fingerprint.sha1',
+  'tls.fingerprints.ja3.hash',
+  'tls.server_certificate.fingerprint.sha1',
+  'user.domain',
+  'winlog.event_id',
+  'process.hash.md5',
+  'process.hash.sha1',
+  'process.hash.sha256',
+  'process.pid',
+  'process.name',
+  'process.ppid',
+  'process.args',
+  'process.entity_id',
+  'process.executable',
+  'process.title',
+  'process.working_directory',
+  'zeek.session_id',
+  'zeek.connection.local_resp',
+  'zeek.connection.local_orig',
+  'zeek.connection.missed_bytes',
+  'zeek.connection.state',
+  'zeek.connection.history',
+  'zeek.notice.suppress_for',
+  'zeek.notice.msg',
+  'zeek.notice.note',
+  'zeek.notice.sub',
+  'zeek.notice.dst',
+  'zeek.notice.dropped',
+  'zeek.notice.peer_descr',
+  'zeek.dns.AA',
+  'zeek.dns.qclass_name',
+  'zeek.dns.RD',
+  'zeek.dns.qtype_name',
+  'zeek.dns.qtype',
+  'zeek.dns.query',
+  'zeek.dns.trans_id',
+  'zeek.dns.qclass',
+  'zeek.dns.RA',
+  'zeek.dns.TC',
+  'zeek.http.resp_mime_types',
+  'zeek.http.trans_depth',
+  'zeek.http.status_msg',
+  'zeek.http.resp_fuids',
+  'zeek.http.tags',
+  'zeek.files.session_ids',
+  'zeek.files.timedout',
+  'zeek.files.local_orig',
+  'zeek.files.tx_host',
+  'zeek.files.source',
+  'zeek.files.is_orig',
+  'zeek.files.overflow_bytes',
+  'zeek.files.sha1',
+  'zeek.files.duration',
+  'zeek.files.depth',
+  'zeek.files.analyzers',
+  'zeek.files.mime_type',
+  'zeek.files.rx_host',
+  'zeek.files.total_bytes',
+  'zeek.files.fuid',
+  'zeek.files.seen_bytes',
+  'zeek.files.missing_bytes',
+  'zeek.files.md5',
+  'zeek.ssl.cipher',
+  'zeek.ssl.established',
+  'zeek.ssl.resumed',
+  'zeek.ssl.version',
+];
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/helpers.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/helpers.ts
new file mode 100644
index 0000000000000..edff22766cc54
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/helpers.ts
@@ -0,0 +1,92 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { get, has, merge, uniq } from 'lodash/fp';
+import { EventHit, TimelineEdges } from '../../../../../../common/search_strategy';
+import { toArray } from '../../../../helpers/to_array';
+
+export const formatTimelineData = (
+  dataFields: readonly string[],
+  ecsFields: readonly string[],
+  hit: EventHit,
+  fieldMap: Readonly<Record<string, string>>
+) =>
+  uniq([...ecsFields, ...dataFields]).reduce<TimelineEdges>(
+    (flattenedFields, fieldName) => {
+      flattenedFields.node._id = hit._id;
+      flattenedFields.node._index = hit._index;
+      flattenedFields.node.ecs._id = hit._id;
+      flattenedFields.node.ecs._index = hit._index;
+      if (hit.sort && hit.sort.length > 1) {
+        flattenedFields.cursor.value = hit.sort[0];
+        flattenedFields.cursor.tiebreaker = hit.sort[1];
+      }
+      return mergeTimelineFieldsWithHit(
+        fieldName,
+        flattenedFields,
+        fieldMap,
+        hit,
+        dataFields,
+        ecsFields
+      );
+    },
+    {
+      node: { ecs: { _id: '' }, data: [], _id: '', _index: '' },
+      cursor: {
+        value: '',
+        tiebreaker: null,
+      },
+    }
+  );
+
+const specialFields = ['_id', '_index', '_type', '_score'];
+
+const mergeTimelineFieldsWithHit = <T>(
+  fieldName: string,
+  flattenedFields: T,
+  fieldMap: Readonly<Record<string, string>>,
+  hit: { _source: {} },
+  dataFields: readonly string[],
+  ecsFields: readonly string[]
+) => {
+  if (fieldMap[fieldName] != null || dataFields.includes(fieldName)) {
+    const esField = dataFields.includes(fieldName) ? fieldName : fieldMap[fieldName];
+    if (has(esField, hit._source) || specialFields.includes(esField)) {
+      const objectWithProperty = {
+        node: {
+          ...get('node', flattenedFields),
+          data: dataFields.includes(fieldName)
+            ? [
+                ...get('node.data', flattenedFields),
+                {
+                  field: fieldName,
+                  value: specialFields.includes(esField)
+                    ? toArray(get(esField, hit))
+                    : toArray(get(esField, hit._source)),
+                },
+              ]
+            : get('node.data', flattenedFields),
+          ecs: ecsFields.includes(fieldName)
+            ? {
+                ...get('node.ecs', flattenedFields),
+                // @ts-expect-error
+                ...fieldName.split('.').reduceRight(
+                  // @ts-expect-error
+                  (obj, next) => ({ [next]: obj }),
+                  toArray<string>(get(esField, hit._source))
+                ),
+              }
+            : get('node.ecs', flattenedFields),
+        },
+      };
+      return merge(flattenedFields, objectWithProperty);
+    } else {
+      return flattenedFields;
+    }
+  } else {
+    return flattenedFields;
+  }
+};
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/index.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/index.ts
new file mode 100644
index 0000000000000..12729eb88a666
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/index.ts
@@ -0,0 +1,68 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { cloneDeep, getOr, uniq } from 'lodash/fp';
+
+import { DEFAULT_MAX_TABLE_QUERY_SIZE } from '../../../../../../common/constants';
+import { IEsSearchResponse } from '../../../../../../../../../src/plugins/data/common';
+import {
+  TimelineEventsQueries,
+  TimelineEventsAllStrategyResponse,
+  TimelineEventsAllRequestOptions,
+  TimelineEdges,
+} from '../../../../../../common/search_strategy/timeline';
+import { inspectStringifyObject, reduceFields } from '../../../../../utils/build_query';
+import { SecuritySolutionTimelineFactory } from '../../types';
+import { buildTimelineEventsAllQuery } from './query.events_all.dsl';
+import { eventFieldsMap } from '../../../../../lib/ecs_fields';
+import { TIMELINE_EVENTS_FIELDS } from './constants';
+import { formatTimelineData } from './helpers';
+
+export const timelineEventsAll: SecuritySolutionTimelineFactory<TimelineEventsQueries.all> = {
+  buildDsl: (options: TimelineEventsAllRequestOptions) => {
+    if (options.pagination && options.pagination.querySize >= DEFAULT_MAX_TABLE_QUERY_SIZE) {
+      throw new Error(`No query size above ${DEFAULT_MAX_TABLE_QUERY_SIZE}`);
+    }
+    const { fieldRequested, ...queryOptions } = cloneDeep(options);
+    queryOptions.fields = uniq([
+      ...fieldRequested,
+      ...reduceFields(TIMELINE_EVENTS_FIELDS, eventFieldsMap),
+    ]);
+    return buildTimelineEventsAllQuery(queryOptions);
+  },
+  parse: async (
+    options: TimelineEventsAllRequestOptions,
+    response: IEsSearchResponse<unknown>
+  ): Promise<TimelineEventsAllStrategyResponse> => {
+    const { fieldRequested, ...queryOptions } = cloneDeep(options);
+    queryOptions.fields = uniq([
+      ...fieldRequested,
+      ...reduceFields(TIMELINE_EVENTS_FIELDS, eventFieldsMap),
+    ]);
+    const { activePage, querySize } = options.pagination;
+
+    const totalCount = getOr(0, 'hits.total.value', response.rawResponse);
+    const hits = response.rawResponse.hits.hits;
+    const edges: TimelineEdges[] = hits.map((hit) =>
+      // @ts-expect-error
+      formatTimelineData(options.fieldRequested, TIMELINE_EVENTS_FIELDS, hit, eventFieldsMap)
+    );
+    const inspect = {
+      dsl: [inspectStringifyObject(buildTimelineEventsAllQuery(queryOptions))],
+    };
+
+    return {
+      ...response,
+      inspect,
+      edges,
+      totalCount,
+      pageInfo: {
+        activePage: activePage ?? 0,
+        totalPages: Math.ceil(totalCount / querySize),
+      },
+    };
+  },
+};
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts
new file mode 100644
index 0000000000000..261a27b0110e8
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts
@@ -0,0 +1,76 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { isEmpty } from 'lodash/fp';
+
+import {
+  SortField,
+  TimerangeFilter,
+  TimerangeInput,
+  TimelineEventsAllRequestOptions,
+} from '../../../../../../common/search_strategy';
+import { createQueryFilterClauses } from '../../../../../utils/build_query';
+import { TIMELINE_EVENTS_FIELDS } from './constants';
+
+export const buildTimelineEventsAllQuery = ({
+  defaultIndex,
+  docValueFields,
+  filterQuery,
+  pagination: { activePage, querySize },
+  sort,
+  timerange,
+}: Omit<TimelineEventsAllRequestOptions, 'fieldRequested'>) => {
+  const filterClause = [...createQueryFilterClauses(filterQuery)];
+
+  const getTimerangeFilter = (timerangeOption: TimerangeInput | undefined): TimerangeFilter[] => {
+    if (timerangeOption) {
+      const { to, from } = timerangeOption;
+      return [
+        {
+          range: {
+            '@timestamp': {
+              gte: from,
+              lte: to,
+              format: 'strict_date_optional_time',
+            },
+          },
+        },
+      ];
+    }
+    return [];
+  };
+
+  const filter = [...filterClause, ...getTimerangeFilter(timerange), { match_all: {} }];
+
+  const getSortField = (sortField: SortField) => {
+    if (sortField.field) {
+      const field: string = sortField.field === 'timestamp' ? '@timestamp' : sortField.field;
+
+      return [{ [field]: sortField.direction }];
+    }
+    return [];
+  };
+
+  const dslQuery = {
+    allowNoIndices: true,
+    index: defaultIndex,
+    ignoreUnavailable: true,
+    body: {
+      ...(isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}),
+      query: {
+        bool: {
+          filter,
+        },
+      },
+      from: activePage * querySize,
+      size: querySize,
+      track_total_hits: true,
+      sort: getSortField(sort),
+      _source: TIMELINE_EVENTS_FIELDS,
+    },
+  };
+
+  return dslQuery;
+};
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/helpers.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/details/helpers.ts
similarity index 81%
rename from x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/helpers.ts
rename to x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/details/helpers.ts
index b772dec773dce..3b0935db9a5d6 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/helpers.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/details/helpers.ts
@@ -6,8 +6,8 @@
 
 import { get, isEmpty, isNumber, isObject, isString } from 'lodash/fp';
 
-import { DetailItem } from '../../../../../common/search_strategy/timeline';
-import { baseCategoryFields } from '../../../../utils/beat_schema/8.0.0';
+import { TimelineEventsDetailsItem } from '../../../../../../common/search_strategy/timeline';
+import { baseCategoryFields } from '../../../../../utils/beat_schema/8.0.0';
 
 export const getFieldCategory = (field: string): string => {
   const fieldCategory = field.split('.')[0];
@@ -21,8 +21,8 @@ export const getDataFromHits = (
   sources: EventSource,
   category?: string,
   path?: string
-): DetailItem[] =>
-  Object.keys(sources).reduce<DetailItem[]>((accumulator, source) => {
+): TimelineEventsDetailsItem[] =>
+  Object.keys(sources).reduce<TimelineEventsDetailsItem[]>((accumulator, source) => {
     const item: EventSource = get(source, sources);
     if (Array.isArray(item) || isString(item) || isNumber(item)) {
       const field = path ? `${path}.${source}` : source;
@@ -43,7 +43,7 @@ export const getDataFromHits = (
               })
             : [item],
           originalValue: item,
-        } as DetailItem,
+        } as TimelineEventsDetailsItem,
       ];
     } else if (isObject(item)) {
       return [
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/index.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/details/index.ts
similarity index 58%
rename from x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/index.ts
rename to x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/details/index.ts
index e1fabe2b4d586..54e138c1e9d6f 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/details/index.ts
@@ -6,26 +6,26 @@
 
 import { getOr, merge } from 'lodash/fp';
 
-import { IEsSearchResponse } from '../../../../../../../../src/plugins/data/common';
+import { IEsSearchResponse } from '../../../../../../../../../src/plugins/data/common';
 import {
-  TimelineQueries,
-  TimelineDetailsStrategyResponse,
-  TimelineDetailsRequestOptions,
-} from '../../../../../common/search_strategy/timeline';
-import { inspectStringifyObject } from '../../../../utils/build_query';
-import { SecuritySolutionTimelineFactory } from '../types';
-import { buildTimelineDetailsQuery } from './query.timeline_details.dsl';
+  TimelineEventsQueries,
+  TimelineEventsDetailsStrategyResponse,
+  TimelineEventsDetailsRequestOptions,
+} from '../../../../../../common/search_strategy/timeline';
+import { inspectStringifyObject } from '../../../../../utils/build_query';
+import { SecuritySolutionTimelineFactory } from '../../types';
+import { buildTimelineDetailsQuery } from './query.events_details.dsl';
 import { getDataFromHits } from './helpers';
 
-export const timelineDetails: SecuritySolutionTimelineFactory<TimelineQueries.details> = {
-  buildDsl: (options: TimelineDetailsRequestOptions) => {
+export const timelineEventsDetails: SecuritySolutionTimelineFactory<TimelineEventsQueries.details> = {
+  buildDsl: (options: TimelineEventsDetailsRequestOptions) => {
     const { indexName, eventId, docValueFields = [] } = options;
     return buildTimelineDetailsQuery(indexName, eventId, docValueFields);
   },
   parse: async (
-    options: TimelineDetailsRequestOptions,
+    options: TimelineEventsDetailsRequestOptions,
     response: IEsSearchResponse<unknown>
-  ): Promise<TimelineDetailsStrategyResponse> => {
+  ): Promise<TimelineEventsDetailsStrategyResponse> => {
     const { indexName, eventId, docValueFields = [] } = options;
     const sourceData = getOr({}, 'hits.hits.0._source', response.rawResponse);
     const hitsData = getOr({}, 'hits.hits.0', response.rawResponse);
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/query.timeline_details.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.ts
similarity index 88%
rename from x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/query.timeline_details.dsl.ts
rename to x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.ts
index 4f003c1c27ef2..216e8f947d261 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/query.timeline_details.dsl.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.ts
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { DocValueFields } from '../../../../../common/search_strategy';
+import { DocValueFields } from '../../../../../../common/search_strategy';
 
 export const buildTimelineDetailsQuery = (
   indexName: string,
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/index.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/index.ts
new file mode 100644
index 0000000000000..a4e2c168a41d9
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/index.ts
@@ -0,0 +1,24 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import {
+  TimelineFactoryQueryTypes,
+  TimelineEventsQueries,
+} from '../../../../../common/search_strategy/timeline';
+
+import { SecuritySolutionTimelineFactory } from '../types';
+import { timelineEventsAll } from './all';
+import { timelineEventsDetails } from './details';
+import { timelineEventsLastEventTime } from './last_event_time';
+
+export const timelineEventsFactory: Record<
+  TimelineEventsQueries,
+  SecuritySolutionTimelineFactory<TimelineFactoryQueryTypes>
+> = {
+  [TimelineEventsQueries.all]: timelineEventsAll,
+  [TimelineEventsQueries.details]: timelineEventsDetails,
+  [TimelineEventsQueries.lastEventTime]: timelineEventsLastEventTime,
+};
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/last_event_time/index.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/last_event_time/index.ts
new file mode 100644
index 0000000000000..97d7383fa831a
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/last_event_time/index.ts
@@ -0,0 +1,36 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { getOr } from 'lodash/fp';
+
+import { IEsSearchResponse } from '../../../../../../../../../src/plugins/data/common';
+import {
+  TimelineEventsQueries,
+  TimelineEventsLastEventTimeStrategyResponse,
+  TimelineEventsLastEventTimeRequestOptions,
+} from '../../../../../../common/search_strategy/timeline';
+import { inspectStringifyObject } from '../../../../../utils/build_query';
+import { SecuritySolutionTimelineFactory } from '../../types';
+import { buildLastEventTimeQuery } from './query.events_last_event_time.dsl';
+
+export const timelineEventsLastEventTime: SecuritySolutionTimelineFactory<TimelineEventsQueries.lastEventTime> = {
+  buildDsl: (options: TimelineEventsLastEventTimeRequestOptions) =>
+    buildLastEventTimeQuery(options),
+  parse: async (
+    options: TimelineEventsLastEventTimeRequestOptions,
+    response: IEsSearchResponse<unknown>
+  ): Promise<TimelineEventsLastEventTimeStrategyResponse> => {
+    const inspect = {
+      dsl: [inspectStringifyObject(buildLastEventTimeQuery(options))],
+    };
+
+    return {
+      ...response,
+      lastSeen: getOr(null, 'aggregations.last_seen_event.value_as_string', response.rawResponse),
+      inspect,
+    };
+  },
+};
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.ts
new file mode 100644
index 0000000000000..0f4eabf692919
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.ts
@@ -0,0 +1,93 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { isEmpty } from 'lodash/fp';
+import {
+  TimelineEventsLastEventTimeRequestOptions,
+  LastEventIndexKey,
+} from '../../../../../../common/search_strategy';
+
+import { assertUnreachable } from '../../../../../../common/utility_types';
+
+interface EventIndices {
+  [key: string]: string[];
+}
+
+export const buildLastEventTimeQuery = ({
+  indexKey,
+  details,
+  defaultIndex,
+  docValueFields,
+}: TimelineEventsLastEventTimeRequestOptions) => {
+  const indicesToQuery: EventIndices = {
+    hosts: defaultIndex,
+    network: defaultIndex,
+  };
+  const getHostDetailsFilter = (hostName: string) => [{ term: { 'host.name': hostName } }];
+  const getIpDetailsFilter = (ip: string) => [
+    { term: { 'source.ip': ip } },
+    { term: { 'destination.ip': ip } },
+  ];
+  const getQuery = (eventIndexKey: LastEventIndexKey) => {
+    switch (eventIndexKey) {
+      case LastEventIndexKey.ipDetails:
+        if (details.ip) {
+          return {
+            allowNoIndices: true,
+            index: indicesToQuery.network,
+            ignoreUnavailable: true,
+            body: {
+              ...(isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}),
+              aggregations: {
+                last_seen_event: { max: { field: '@timestamp' } },
+              },
+              query: { bool: { should: getIpDetailsFilter(details.ip) } },
+              size: 0,
+              track_total_hits: false,
+            },
+          };
+        }
+        throw new Error('buildLastEventTimeQuery - no IP argument provided');
+      case LastEventIndexKey.hostDetails:
+        if (details.hostName) {
+          return {
+            allowNoIndices: true,
+            index: indicesToQuery.hosts,
+            ignoreUnavailable: true,
+            body: {
+              ...(isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}),
+              aggregations: {
+                last_seen_event: { max: { field: '@timestamp' } },
+              },
+              query: { bool: { filter: getHostDetailsFilter(details.hostName) } },
+              size: 0,
+              track_total_hits: false,
+            },
+          };
+        }
+        throw new Error('buildLastEventTimeQuery - no hostName argument provided');
+      case LastEventIndexKey.hosts:
+      case LastEventIndexKey.network:
+        return {
+          allowNoIndices: true,
+          index: indicesToQuery[indexKey],
+          ignoreUnavailable: true,
+          body: {
+            ...(isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}),
+            aggregations: {
+              last_seen_event: { max: { field: '@timestamp' } },
+            },
+            query: { match_all: {} },
+            size: 0,
+            track_total_hits: false,
+          },
+        };
+      default:
+        return assertUnreachable(eventIndexKey);
+    }
+  };
+  return getQuery(indexKey);
+};
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/index.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/index.ts
index aa4cdaeedb131..cf2c3c552f30d 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/index.ts
@@ -4,17 +4,13 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import {
-  TimelineFactoryQueryTypes,
-  TimelineQueries,
-} from '../../../../common/search_strategy/timeline';
-
-import { timelineDetails } from './details';
+import { TimelineFactoryQueryTypes } from '../../../../common/search_strategy/timeline';
 import { SecuritySolutionTimelineFactory } from './types';
+import { timelineEventsFactory } from './events';
 
 export const securitySolutionTimelineFactory: Record<
   TimelineFactoryQueryTypes,
   SecuritySolutionTimelineFactory<TimelineFactoryQueryTypes>
 > = {
-  [TimelineQueries.details]: timelineDetails,
+  ...timelineEventsFactory,
 };
diff --git a/x-pack/plugins/security_solution/server/utils/build_query/filters.ts b/x-pack/plugins/security_solution/server/utils/build_query/filters.ts
index ac736e8cb51ee..bde03be3f5edc 100644
--- a/x-pack/plugins/security_solution/server/utils/build_query/filters.ts
+++ b/x-pack/plugins/security_solution/server/utils/build_query/filters.ts
@@ -4,9 +4,9 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { isEmpty } from 'lodash/fp';
+import { isEmpty, isString } from 'lodash/fp';
 
 import { ESQuery } from '../../../common/typed_json';
 
 export const createQueryFilterClauses = (filterQuery: ESQuery | string | undefined) =>
-  !isEmpty(filterQuery) ? [filterQuery] : [];
+  !isEmpty(filterQuery) ? [isString(filterQuery) ? JSON.parse(filterQuery) : filterQuery] : [];
diff --git a/x-pack/plugins/security_solution/server/utils/build_query/index.ts b/x-pack/plugins/security_solution/server/utils/build_query/index.ts
index f0f4ba07ab2ae..b7d96c3224c39 100644
--- a/x-pack/plugins/security_solution/server/utils/build_query/index.ts
+++ b/x-pack/plugins/security_solution/server/utils/build_query/index.ts
@@ -8,6 +8,7 @@ export * from './fields';
 export * from './filters';
 export * from './merge_fields_with_hits';
 export * from './calculate_timeseries_interval';
+export * from './reduce_fields';
 
 export const inspectStringifyObject = (obj: unknown) => {
   try {
diff --git a/x-pack/plugins/translations/translations/ja-JP.json b/x-pack/plugins/translations/translations/ja-JP.json
index ad74a35b4f9e0..cdb70f2c8cec7 100644
--- a/x-pack/plugins/translations/translations/ja-JP.json
+++ b/x-pack/plugins/translations/translations/ja-JP.json
@@ -16130,7 +16130,6 @@
     "xpack.securitySolution.footer.live": "ライブ",
     "xpack.securitySolution.footer.loadingLabel": "読み込み中",
     "xpack.securitySolution.footer.loadingTimelineData": "タイムラインデータを読み込み中",
-    "xpack.securitySolution.footer.loadMoreLabel": "さらに読み込む",
     "xpack.securitySolution.footer.of": "/",
     "xpack.securitySolution.footer.rows": "行",
     "xpack.securitySolution.footer.totalCountOfEvents": "イベントが検索条件に一致します",
diff --git a/x-pack/plugins/translations/translations/zh-CN.json b/x-pack/plugins/translations/translations/zh-CN.json
index 164d83aa85948..68eb59d3e4e89 100644
--- a/x-pack/plugins/translations/translations/zh-CN.json
+++ b/x-pack/plugins/translations/translations/zh-CN.json
@@ -16140,7 +16140,6 @@
     "xpack.securitySolution.footer.live": "实时",
     "xpack.securitySolution.footer.loadingLabel": "正在加载",
     "xpack.securitySolution.footer.loadingTimelineData": "正在加载时间线数据",
-    "xpack.securitySolution.footer.loadMoreLabel": "加载更多",
     "xpack.securitySolution.footer.of": "/",
     "xpack.securitySolution.footer.rows": "行",
     "xpack.securitySolution.footer.totalCountOfEvents": "个事件匹配搜索条件",