Revert override alert timestamp (#189724)

## Revert override alert timestamp

Previously we added override of alert timestamp for manual rule runs.
Later was decided, that timestamp for manual rule run should behave the
same as regular alert and represent time when alert generated.

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>

x-pack/plugins/rule_registry/server/utils/create_persistence_rule_type_wrapper.ts

@@ -249,13 +249,7 @@ export const createPersistenceRuleTypeWrapper: CreatePersistenceRuleTypeWrapper
           ...options,
           services: {
             ...options.services,
-            alertWithPersistence: async (
-              alerts,
-              refresh,
-              maxAlerts = undefined,
-              enrichAlerts,
-              currentTimeOverride
-            ) => {
+            alertWithPersistence: async (alerts, refresh, maxAlerts = undefined, enrichAlerts) => {
               const numAlerts = alerts.length;
               logger.debug(`Found ${numAlerts} alerts.`);
 
@@ -307,7 +301,7 @@ export const createPersistenceRuleTypeWrapper: CreatePersistenceRuleTypeWrapper
                   alerts: enrichedAlerts,
                   options,
                   kibanaVersion: ruleDataClient.kibanaVersion,
-                  currentTimeOverride,
+                  currentTimeOverride: undefined,
                 });
 
                 const response = await ruleDataClientWriter.bulk({

x-pack/plugins/rule_registry/server/utils/persistence_types.ts

@@ -38,8 +38,7 @@ export type PersistenceAlertService = <T>(
       _id: string;
       _source: T;
     }>
-  >,
-  currentTimeOverride?: Date
+  >
 ) => Promise<PersistenceAlertServiceResult<T>>;
 
 export type SuppressedAlertService = <T extends SuppressionFieldsLatest>(

x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.ts

@@ -132,7 +132,6 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper =
             params,
             previousStartedAt,
             startedAt,
-            startedAtOverridden,
             services,
             spaceId,
             state,
@@ -366,13 +365,12 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper =
               lists: params.exceptionsList,
             });
 
-            const alertTimestampOverride = isPreview || startedAtOverridden ? startedAt : undefined;
+            const alertTimestampOverride = isPreview ? startedAt : undefined;
             const bulkCreate = bulkCreateFactory(
               alertWithPersistence,
               refresh,
               ruleExecutionLogger,
-              experimentalFeatures,
-              alertTimestampOverride
+              experimentalFeatures
             );
 
             const legacySignalFields: string[] = Object.keys(aadFieldConversion);

x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/bulk_create_factory.ts

@@ -35,8 +35,7 @@ export const bulkCreateFactory =
     alertWithPersistence: PersistenceAlertService,
     refreshForBulkCreate: RefreshTypes,
     ruleExecutionLogger: IRuleExecutionLogForExecutors,
-    experimentalFeatures?: ExperimentalFeatures,
-    currentTimeOverride?: Date
+    experimentalFeatures?: ExperimentalFeatures
   ) =>
   async <T extends BaseFieldsLatest>(
     wrappedDocs: Array<WrappedFieldsLatest<T>>,
@@ -87,8 +86,7 @@ export const bulkCreateFactory =
       })),
       refreshForBulkCreate,
       maxAlerts,
-      enrichAlertsWrapper,
-      currentTimeOverride
+      enrichAlertsWrapper
     );
 
     const end = performance.now();

x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/backfill/task_runner.ts

@@ -309,9 +309,9 @@ export default function createBackfillTaskRunnerTests({ getService }: FtrProvide
       // check timestamps in alert docs
       for (const alert of alertDocsBackfill1) {
         const source = alert._source!;
-        expect(source[ALERT_START]).to.eql(scheduleResult[0].schedule[0].run_at);
-        expect(source[ALERT_LAST_DETECTED]).to.eql(scheduleResult[0].schedule[0].run_at);
-        expect(source[TIMESTAMP]).to.eql(scheduleResult[0].schedule[0].run_at);
+        expect(source[ALERT_START]).to.match(timestampPattern);
+        expect(source[ALERT_LAST_DETECTED]).to.match(timestampPattern);
+        expect(source[TIMESTAMP]).not.to.eql(scheduleResult[0].schedule[0].run_at);
         expect(source[ALERT_RULE_EXECUTION_TIMESTAMP]).to.match(timestampPattern);
         expect(source[ALERT_RULE_EXECUTION_TIMESTAMP]).not.to.eql(
           scheduleResult[0].schedule[0].run_at
@@ -331,9 +331,9 @@ export default function createBackfillTaskRunnerTests({ getService }: FtrProvide
       // check timestamps in alert docs
       for (const alert of alertDocsBackfill2) {
         const source = alert._source!;
-        expect(source[ALERT_START]).to.eql(scheduleResult[0].schedule[1].run_at);
-        expect(source[ALERT_LAST_DETECTED]).to.eql(scheduleResult[0].schedule[1].run_at);
-        expect(source[TIMESTAMP]).to.eql(scheduleResult[0].schedule[1].run_at);
+        expect(source[ALERT_START]).to.match(timestampPattern);
+        expect(source[ALERT_LAST_DETECTED]).to.match(timestampPattern);
+        expect(source[TIMESTAMP]).not.to.eql(scheduleResult[0].schedule[1].run_at);
         expect(source[ALERT_RULE_EXECUTION_TIMESTAMP]).to.match(timestampPattern);
         expect(source[ALERT_RULE_EXECUTION_TIMESTAMP]).not.to.eql(
           scheduleResult[0].schedule[1].run_at
@@ -351,9 +351,9 @@ export default function createBackfillTaskRunnerTests({ getService }: FtrProvide
       // check timestamps in alert docs
       for (const alert of alertDocsBackfill3) {
         const source = alert._source!;
-        expect(source[ALERT_START]).to.eql(scheduleResult[0].schedule[2].run_at);
-        expect(source[ALERT_LAST_DETECTED]).to.eql(scheduleResult[0].schedule[2].run_at);
-        expect(source[TIMESTAMP]).to.eql(scheduleResult[0].schedule[2].run_at);
+        expect(source[ALERT_START]).to.match(timestampPattern);
+        expect(source[ALERT_LAST_DETECTED]).to.match(timestampPattern);
+        expect(source[TIMESTAMP]).not.to.eql(scheduleResult[0].schedule[2].run_at);
         expect(source[ALERT_RULE_EXECUTION_TIMESTAMP]).to.match(timestampPattern);
         expect(source[ALERT_RULE_EXECUTION_TIMESTAMP]).not.to.eql(
           scheduleResult[0].schedule[2].run_at

x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/execution_logic/machine_learning_alert_suppression.ts

@@ -617,7 +617,6 @@ export default ({ getService }: FtrProviderContext) => {
             expect.objectContaining({
               'user.name': ['irrelevant'],
               [TIMESTAMP]: timestamp,
-              [ALERT_START]: timestamp,
             })
           );
 
@@ -635,7 +634,6 @@ export default ({ getService }: FtrProviderContext) => {
             expect.objectContaining({
               'user.name': ['irrelevant'],
               [TIMESTAMP]: timestamp,
-              [ALERT_START]: timestamp,
             })
           );
           expect(previewAlerts[1]._source).toEqual(
@@ -657,7 +655,6 @@ export default ({ getService }: FtrProviderContext) => {
                 },
               ],
               [TIMESTAMP]: timestamp,
-              [ALERT_START]: timestamp,
               [ALERT_ORIGINAL_TIME]: timestamp,
               [ALERT_SUPPRESSION_START]: timestamp,
               [ALERT_SUPPRESSION_END]: timestamp,