[Security Solution] [Detections] Adds FTR test for lucene query rule (#189829)

## Summary

This test case covers the bug where certain lucene rules were not
running successfully due to a faulty parsing error that lead to a commit
revert and fix here: https://github.com/elastic/kibana-team/issues/971

Resolves: https://github.com/elastic/security-team/issues/9900 and
https://github.com/elastic/kibana-team/issues/971

x-pack/test/common/utils/security_solution/detections_response/rules/get_rule_for_alert_testing.ts

@@ -30,3 +30,18 @@ export const getRuleForAlertTesting = (
   query: '*:*',
   from: '1900-01-01T00:00:00.000Z',
 });
+
+export const getLuceneRuleForTesting = (): QueryRuleCreateProps => ({
+  rule_id: 'lucene-rule-1',
+  enabled: true,
+  name: 'Incident 496 test rule',
+  description: 'Ensures lucene rules generate alerts',
+  risk_score: 1,
+  severity: 'high',
+  type: 'query',
+  index: ['auditbeat-*'],
+  query:
+    '((event.category: (network OR network_traffic) AND type: (tls OR http)) OR event.dataset: (network_traffic.tls OR network_traffic.http)) AND destination.domain:/[a-z]{3}.stage.[0-9]{8}..*/',
+  language: 'lucene',
+  from: '1900-01-01T00:00:00.000Z',
+});

x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/execution_logic/custom_query.ts

@@ -69,6 +69,7 @@ import {
   deleteAllRules,
   deleteAllAlerts,
   getRuleForAlertTesting,
+  getLuceneRuleForTesting,
 } from '../../../../../../../common/utils/security_solution';
 
 import { FtrProviderContext } from '../../../../../../ftr_provider_context';
@@ -117,7 +118,10 @@ export default ({ getService }: FtrProviderContext) => {
     after(async () => {
       await esArchiver.unload(auditbeatPath);
       await esArchiver.unload('x-pack/test/functional/es_archives/signals/severity_risk_overrides');
-      await deleteAllAlerts(supertest, log, es, ['.preview.alerts-security.alerts-*']);
+      await deleteAllAlerts(supertest, log, es, [
+        '.preview.alerts-security.alerts-*',
+        '.alerts-security.alerts-*',
+      ]);
       await deleteAllRules(supertest, log);
     });
 
@@ -2750,5 +2754,18 @@ export default ({ getService }: FtrProviderContext) => {
         });
       });
     });
+
+    describe('with a Lucene query rule', () => {
+      it('should run successfully and generate an alert that matches the lucene query', async () => {
+        const luceneQueryRule = getLuceneRuleForTesting();
+        const { previewId } = await previewRule({ supertest, rule: luceneQueryRule });
+        const previewAlerts = await getPreviewAlerts({ es, previewId });
+        expect(previewAlerts.length).toBeGreaterThan(0);
+        expect(previewAlerts[0]?._source?.destination).toEqual(
+          expect.objectContaining({ domain: 'aaa.stage.11111111.hello' })
+        );
+        expect(previewAlerts[0]?._source?.['event.dataset']).toEqual('network_traffic.tls');
+      });
+    });
   });
 };

x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/execution_logic/threshold.ts

@@ -133,7 +133,7 @@ export default ({ getService }: FtrProviderContext) => {
           field: 'host.id',
           value: 1, // This value generates 7 alerts with the current esArchive
         },
-        max_signals: 7,
+        max_signals: 8,
       };
       const { logs } = await previewRule({ supertest, rule });
       expect(logs[0].warnings).not.toContain(getMaxAlertsWarning());