[Detections Response][FTR] FTR migration cleanup (#173403)

## Summary

Addressing feedback from https://github.com/elastic/kibana/pull/172173.

This is not yet addressing file restructure, going to keep the file
restructure in a separate PR to try to make reviews more readable.

x-pack/test/security_solution_api_integration/config/ess/config.base.ts

@@ -51,7 +51,7 @@ export function createTestConfig(options: CreateTestConfigOptions, testFiles?: s
       servers,
       services,
       junit: {
-        reportName: 'X-Pack Detection Engine API Integration Tests',
+        reportName: 'X-Pack Security Solution API Integration Tests',
       },
       esTestCluster: {
         ...xPackApiIntegrationTestsConfig.get('esTestCluster'),

x-pack/test/security_solution_api_integration/package.json

@@ -13,36 +13,43 @@
     "run-tests:ea:default": "node ./scripts/index.js runner entity_analytics default_license",
     "initialize-server:lists:default": "node ./scripts/index.js server lists_and_exception_lists default_license",
     "run-tests:lists:default": "node ./scripts/index.js runner lists_and_exception_lists default_license",
+    
     "exception_workflows:server:serverless": "npm run initialize-server:dr:default exceptions/workflows serverless",
     "exception_workflows:runner:serverless": "npm run run-tests:dr:default exceptions/workflows serverless serverlessEnv",
     "exception_workflows:qa:serverless": "npm run run-tests:dr:default exceptions/workflows serverless qaEnv",
     "exception_workflows:server:ess": "npm run initialize-server:dr:default exceptions/workflows ess",
     "exception_workflows:runner:ess": "npm run run-tests:dr:default exceptions/workflows ess essEnv",
+   
     "exception_operators_date_numeric_types:server:serverless": "npm run initialize-server:dr:default exceptions/operators_data_types/date_numeric_types serverless",
     "exception_operators_date_numeric_types:runner:serverless": "npm run run-tests:dr:default exceptions/operators_data_types/date_numeric_types serverless serverlessEnv",
     "exception_operators_date_numeric_types:qa:serverless": "npm run run-tests:dr:default exceptions/operators_data_types/date_numeric_types serverless qaEnv",
     "exception_operators_date_numeric_types:server:ess": "npm run initialize-server:dr:default exceptions/operators_data_types/date_numeric_types ess",
     "exception_operators_date_numeric_types:runner:ess": "npm run run-tests:dr:default exceptions/operators_data_types/date_numeric_types ess essEnv",
+   
     "exception_operators_keyword:server:serverless": "npm run initialize-server:dr:default exceptions/operators_data_types/keyword serverless",
     "exception_operators_keyword:runner:serverless": "npm run run-tests:dr:default exceptions/operators_data_types/keyword serverless serverlessEnv",
     "exception_operators_keyword:qa:serverless": "npm run run-tests:dr:default exceptions/operators_data_types/keyword serverless qaEnv",
     "exception_operators_keyword:server:ess": "npm run initialize-server:dr:default exceptions/operators_data_types/keyword ess",
     "exception_operators_keyword:runner:ess": "npm run run-tests:dr:default exceptions/operators_data_types/keyword ess essEnv",
+    
     "exception_operators_ips:server:serverless": "npm run initialize-server:dr:default exceptions/operators_data_types/ips serverless",
     "exception_operators_ips:runner:serverless": "npm run run-tests:dr:default exceptions/operators_data_types/ips serverless serverlessEnv",
     "exception_operators_ips:qa:serverless": "npm run run-tests:dr:default exceptions/operators_data_types/ips serverless qaEnv",
     "exception_operators_ips:server:ess": "npm run initialize-server:dr:default exceptions/operators_data_types/ips ess",
     "exception_operators_ips:runner:ess": "npm run run-tests:dr:default exceptions/operators_data_types/ips ess essEnv",
+    
     "exception_operators_long:server:serverless": "npm run initialize-server:dr:default exceptions/operators_data_types/long serverless",
     "exception_operators_long:runner:serverless": "npm run run-tests:dr:default exceptions/operators_data_types/long serverless serverlessEnv",
     "exception_operators_long:qa:serverless": "npm run run-tests:dr:default exceptions/operators_data_types/long serverless qaEnv",
     "exception_operators_long:server:ess": "npm run initialize-server:dr:default exceptions/operators_data_types/long ess",
     "exception_operators_long:runner:ess": "npm run run-tests:dr:default exceptions/operators_data_types/long ess essEnv",
+    
     "exception_operators_text:server:serverless": "npm run initialize-server:dr:default exceptions/operators_data_types/text serverless",
     "exception_operators_text:runner:serverless": "npm run run-tests:dr:default exceptions/operators_data_types/text serverless serverlessEnv",
     "exception_operators_text:qa:serverless": "npm run run-tests:dr:default exceptions/operators_data_types/text serverless qaEnv",
     "exception_operators_text:server:ess": "npm run initialize-server:dr:default exceptions/operators_data_types/text ess",
     "exception_operators_text:runner:ess": "npm run run-tests:dr:default exceptions/operators_data_types/text ess essEnv",
+    
     "exception_operators_ips_text_array:server:serverless": "npm run initialize-server:dr:default exceptions/operators_data_types/ips_text_array serverless",
     "exception_operators_ips_text_array:runner:serverless": "npm run run-tests:dr:default exceptions/operators_data_types/ips_text_array serverless serverlessEnv",
     "exception_operators_ips_text_array:qa:serverless": "npm run run-tests:dr:default exceptions/operators_data_types/ips_text_array serverless qaEnv",
@@ -54,31 +61,37 @@
     "actions:qa:serverless": "npm run run-tests:dr:default actions serverless qaEnv",
     "actions:server:ess": "npm run initialize-server:dr:default actions ess",
     "actions:runner:ess": "npm run run-tests:dr:default actions ess essEnv",
+    
     "alerts:server:serverless": "npm run initialize-server:dr:default alerts serverless",
     "alerts:runner:serverless": "npm run run-tests:dr:default alerts serverless serverlessEnv",
     "alerts:qa:serverless": "npm run run-tests:dr:default alerts serverless qaEnv",
     "alerts:server:ess": "npm run initialize-server:dr:default alerts ess",
     "alerts:runner:ess": "npm run run-tests:dr:default alerts ess essEnv",
+    
     "entity_analytics:server:serverless": "npm run initialize-server:ea:default risk_engine serverless",
     "entity_analytics:runner:serverless": "npm run run-tests:ea:default risk_engine serverless serverlessEnv",
     "entity_analytics:qa:serverless": "npm run run-tests:ea:default risk_engine serverless qaEnv",
     "entity_analytics:server:ess": "npm run initialize-server:ea:default risk_engine ess",
     "entity_analytics:runner:ess": "npm run run-tests:ea:default risk_engine ess essEnv",
+    
     "prebuilt_rules_management:server:serverless": "npm run initialize-server:dr:default prebuilt_rules/management serverless",
     "prebuilt_rules_management:runner:serverless": "npm run run-tests:dr:default prebuilt_rules/management serverless serverlessEnv",
     "prebuilt_rules_management:qa:serverless": "npm run run-tests:dr:default prebuilt_rules/management serverless qaEnv",
     "prebuilt_rules_management:server:ess": "npm run initialize-server:dr:default prebuilt_rules/management ess",
     "prebuilt_rules_management:runner:ess": "npm run run-tests:dr:default prebuilt_rules/management ess essEnv",
+    
     "prebuilt_rules_bundled_prebuilt_rules_package:server:serverless": "npm run initialize-server:dr:default prebuilt_rules/bundled_prebuilt_rules_package serverless",
     "prebuilt_rules_bundled_prebuilt_rules_package:runner:serverless": "npm run run-tests:dr:default prebuilt_rules/bundled_prebuilt_rules_package serverless serverlessEnv",
     "prebuilt_rules_bundled_prebuilt_rules_package:qa:serverless": "npm run run-tests:dr:default prebuilt_rules/bundled_prebuilt_rules_package serverless qaEnv",
     "prebuilt_rules_bundled_prebuilt_rules_package:server:ess": "npm run initialize-server:dr:default prebuilt_rules/bundled_prebuilt_rules_package ess",
     "prebuilt_rules_bundled_prebuilt_rules_package:runner:ess": "npm run run-tests:dr:default prebuilt_rules/bundled_prebuilt_rules_package ess essEnv",
+    
     "prebuilt_rules_large_prebuilt_rules_package:server:serverless": "npm run initialize-server:dr:default prebuilt_rules/large_prebuilt_rules_package serverless",
     "prebuilt_rules_large_prebuilt_rules_package:runner:serverless": "npm run run-tests:dr:default prebuilt_rules/large_prebuilt_rules_package serverless serverlessEnv",
     "prebuilt_rules_large_prebuilt_rules_package:qa:serverless": "npm run run-tests:dr:default prebuilt_rules/large_prebuilt_rules_package serverless qaEnv",
     "prebuilt_rules_large_prebuilt_rules_package:server:ess": "npm run initialize-server:dr:default prebuilt_rules/large_prebuilt_rules_package ess",
     "prebuilt_rules_large_prebuilt_rules_package:runner:ess": "npm run run-tests:dr:default prebuilt_rules/large_prebuilt_rules_package ess essEnv",
+    
     "prebuilt_rules_update_prebuilt_rules_package:server:serverless": "npm run initialize-server:dr:default prebuilt_rules/update_prebuilt_rules_package serverless",
     "prebuilt_rules_update_prebuilt_rules_package:runner:serverless": "npm run run-tests:dr:default prebuilt_rules/update_prebuilt_rules_package serverless serverlessEnv",
     "prebuilt_rules_update_prebuilt_rules_package:qa:serverless": "npm run run-tests:dr:default prebuilt_rules/update_prebuilt_rules_package serverless qaEnv",
@@ -151,17 +164,11 @@
     "rule_read:server:ess": "npm run initialize-server:dr:default rule_read ess",
     "rule_read:runner:ess": "npm run run-tests:dr:default rule_read ess essEnv",
     
-    "detection_engine_basicessentionals:server:serverless": "npm run initialize-server:dr:basicEssentials detection_engine serverless",
-    "detection_engine_basicessentionals:runner:serverless": "npm run run-tests:dr:basicEssentials detection_engine serverless serverlessEnv",
-    "detection_engine_basicessentionals:qa:serverless": "npm run run-tests:dr:basicEssentials detection_engine serverless qaEnv",
-    "detection_engine_basicessentionals:server:ess": "npm run initialize-server:dr:basicEssentials detection_engine ess",
-    "detection_engine_basicessentionals:runner:ess": "npm run run-tests:dr:basicEssentials detection_engine ess essEnv",
-
-    "rule_management_basicessentionals:server:serverless": "npm run initialize-server:dr:basicEssentials rule_management serverless",
-    "rule_management_basicessentionals:runner:serverless": "npm run run-tests:dr:basicEssentials rule_management serverless serverlessEnv",
-    "rule_management_basicessentionals:qa:serverless": "npm run run-tests:dr:basicEssentials rule_management serverless qaEnv",
-    "rule_management_basicessentionals:server:ess": "npm run initialize-server:dr:basicEssentials rule_management ess",
-    "rule_management_basicessentionals:runner:ess": "npm run run-tests:dr:basicEssentials rule_management ess essEnv",
+    "detection_engine:essentials:server:serverless": "npm run initialize-server:dr:essentials detection_engine serverless",
+    "detection_engine:essentials:runner:serverless": "npm run run-tests:dr:essentials detection_engine serverless serverlessEnv",
+    "detection_engine:essentials:qa:serverless": "npm run run-tests:dr:essentials detection_engine serverless qaEnv",
+    "detection_engine:basic:server:ess": "npm run initialize-server:dr:basic detection:engine ess",
+    "detection_engine:basic:runner:ess": "npm run run-tests:dr:basic detection_engine ess essEnv",
     
     "exception_lists_items:server:serverless": "npm run initialize-server:lists:default exception_lists_items serverless",
     "exception_lists_items:runner:serverless": "npm run run-tests:lists:default exception_lists_items serverless serverlessEnv",

x-pack/test/security_solution_api_integration/test_suites/detections_response/basic_essentials_license/detection_engine/alerts/open_close_alerts.ts

@@ -34,7 +34,7 @@ export default ({ getService }: FtrProviderContext) => {
   const esArchiver = getService('esArchiver');
   const log = getService('log');
   const es = getService('es');
-  // TODO: add a new service
+  // TODO: add a new service for loading archiver files similar to "getService('es')"
   const config = getService('config');
   const isServerless = config.get('serverless');
   const dataPathBuilder = new EsArchivePathBuilder(isServerless);

x-pack/test/security_solution_api_integration/test_suites/detections_response/basic_essentials_license/detection_engine/configs/ess.config.ts

@@ -16,7 +16,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     ...functionalConfig.getAll(),
     testFiles: [require.resolve('..')],
     junit: {
-      reportName: 'Detection Engine ESS - Basic Integration Tests',
+      reportName: 'Detection Engine - Integration Tests - ESS Env - Basic License',
     },
   };
 }

x-pack/test/security_solution_api_integration/test_suites/detections_response/basic_essentials_license/detection_engine/configs/serverless.config.ts

@@ -10,6 +10,6 @@ import { createTestConfig } from '../../../../../config/serverless/config.base.e
 export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
-    reportName: 'Detection Engine Serverless - Essentials Integration Tests',
+    reportName: 'Detection Engine - Integration Tests - Serverless Env - Essentials License ',
   },
 });

x-pack/test/security_solution_api_integration/test_suites/detections_response/basic_essentials_license/detection_engine/rules/create_ml_rules_privileges.ts

@@ -25,7 +25,7 @@ export default ({ getService }: FtrProviderContext) => {
   const supertest = getService('supertest');
   const log = getService('log');
   const es = getService('es');
-  // TODO: add a new service
+  // TODO: add a new service for loading archiver files similar to "getService('es')"
   const config = getService('config');
   const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username');
   const isServerless = config.get('serverless');

x-pack/test/security_solution_api_integration/test_suites/detections_response/basic_essentials_license/detection_engine/rules/create_rules.ts

@@ -30,7 +30,7 @@ export default ({ getService }: FtrProviderContext) => {
   const supertest = getService('supertest');
   const log = getService('log');
   const es = getService('es');
-  // TODO: add a new service
+  // TODO: add a new service for loading archiver files similar to "getService('es')"
   const config = getService('config');
   const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username');
   const isServerless = config.get('serverless');

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/actions/configs/ess.config.ts

@@ -16,7 +16,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     ...functionalConfig.getAll(),
     testFiles: [require.resolve('..')],
     junit: {
-      reportName: 'Detection Engine ESS - Actions API Integration Tests',
+      reportName: 'Detection Engine - Rule Actions Integration Tests - ESS Env - Trial License',
     },
   };
 }

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/actions/configs/serverless.config.ts

@@ -10,6 +10,7 @@ import { createTestConfig } from '../../../../../config/serverless/config.base';
 export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
-    reportName: 'Detection Engine Serverless - Actions API Integration Tests',
+    reportName:
+      'Detection Engine - Rule Actions Integration Tests - Serverless Env - Complete License',
   },
 });

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/alerts/configs/ess.config.ts

@@ -16,7 +16,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     ...functionalConfig.getAll(),
     testFiles: [require.resolve('..')],
     junit: {
-      reportName: 'Detection Engine API Integration Tests - ESS - Alerts',
+      reportName: 'Detection Engine - Alerts Integration Tests - ESS Env - Trial License',
     },
   };
 }

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/alerts/configs/serverless.config.ts

@@ -10,6 +10,6 @@ import { createTestConfig } from '../../../../../config/serverless/config.base';
 export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
-    reportName: 'Detection Engine API Integration Tests - Serverless - Alerts',
+    reportName: 'Detection Engine - Alerts Integration Tests - Serverless Env - Complete License',
   },
 });

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/alerts/open_close_alerts.ts

@@ -44,7 +44,7 @@ export default ({ getService }: FtrProviderContext) => {
   const supertestWithoutAuth = getService('supertestWithoutAuth');
   const log = getService('log');
   const es = getService('es');
-  // TODO: add a new service
+  // TODO: add a new service for loading archiver files similar to "getService('es')"
   const config = getService('config');
   const isServerless = config.get('serverless');
   const dataPathBuilder = new EsArchivePathBuilder(isServerless);

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/alerts/set_alert_tags.ts

@@ -34,7 +34,7 @@ export default ({ getService }: FtrProviderContext) => {
   const esArchiver = getService('esArchiver');
   const log = getService('log');
   const es = getService('es');
-  // TODO: add a new service
+  // TODO: add a new service for loading archiver files similar to "getService('es')"
   const config = getService('config');
   const isServerless = config.get('serverless');
   const dataPathBuilder = new EsArchivePathBuilder(isServerless);

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/operators_data_types/date_numeric_types/configs/ess.config.ts

@@ -17,7 +17,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     testFiles: [require.resolve('..')],
     junit: {
       reportName:
-        'Detection Engine ESS - Exception Operators Data Types API - Date_numeric_types Integration Tests',
+        'Detection Engine - Exception Operators Date & Numeric Types Integration Tests - ESS Env - Trial License',
     },
   };
 }

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/operators_data_types/date_numeric_types/configs/serverless.config.ts

@@ -11,6 +11,6 @@ export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
     reportName:
-      'Detection Engine Serverless - Exception Operators Data Types API - Date_numeric_types Integration Tests',
+      'Detection Engine - Exception Operators Date & Numeric Types Integration Tests - Serverless Env - Complete License',
   },
 });

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/operators_data_types/ips/configs/ess.config.ts

@@ -17,7 +17,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     testFiles: [require.resolve('..')],
     junit: {
       reportName:
-        'Detection Engine ESS - Exception Operators Data Types API- IPS Integration Tests',
+        'Detection Engine - Exception Operators IP Types Integration Tests - ESS Env - Trial License',
     },
   };
 }

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/operators_data_types/ips/configs/serverless.config.ts

@@ -11,6 +11,6 @@ export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
     reportName:
-      'Detection Engine Serverless - Exception Operators Data Types API- IPS API Integration Tests',
+      'Detection Engine - Exception Operators IP Types Integration Tests - Serverless Env - Complete License',
   },
 });

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/operators_data_types/keyword/configs/ess.config.ts

@@ -17,7 +17,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     testFiles: [require.resolve('..')],
     junit: {
       reportName:
-        'Detection Engine ESS - Exception Operators Data Types API- Keyword Integration Tests',
+        'Detection Engine - Exception Operators Keyword Types Integration Tests - ESS Env - Trial License',
     },
   };
 }

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/operators_data_types/keyword/configs/serverless.config.ts

@@ -11,6 +11,6 @@ export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
     reportName:
-      'Detection Engine Serverless - Exception Operators Data Types API - Keyword Integration Tests',
+      'Detection Engine - Exception Operators Keyword Types Integration Tests - Serverless Env - Complete License',
   },
 });

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/operators_data_types/long/configs/ess.config.ts

@@ -17,7 +17,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     testFiles: [require.resolve('..')],
     junit: {
       reportName:
-        'Detection Engine ESS - Exception Operators Data Types API - Long Integration Tests',
+        'Detection Engine - Exception Operators Long Types Integration Tests - ESS Env - Trial License',
     },
   };
 }

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/operators_data_types/long/configs/serverless.config.ts

@@ -11,6 +11,6 @@ export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
     reportName:
-      'Detection Engine Serverless - Exception Operators Data Types API - Long Integration Tests',
+      'Detection Engine - Exception Operators Long Types Integration Tests - Serverless Env - Complete License',
   },
 });

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/operators_data_types/text/configs/ess.config.ts

@@ -17,7 +17,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     testFiles: [require.resolve('..')],
     junit: {
       reportName:
-        'Detection Engine ESS - - Exception Operators Data Types API - Text Integration Tests',
+        'Detection Engine - Exception Operators Text Types Integration Tests - ESS Env - Trial License',
     },
   };
 }

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/operators_data_types/text/configs/serverless.config.ts

@@ -11,6 +11,6 @@ export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
     reportName:
-      'Detection Engine Serverless - Exception Operators Data Types API - Text Integration Tests',
+      'Detection Engine - Exception Operators Text Types Integration Tests - Serverless Env - Complete License',
   },
 });

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/workflows/configs/ess.config.ts

@@ -16,7 +16,8 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     ...functionalConfig.getAll(),
     testFiles: [require.resolve('..')],
     junit: {
-      reportName: 'Detection Engine ESS - Exception - Workflows API Integration Tests',
+      reportName:
+        'Detection Engine - Exception Workflows Integration Tests - ESS Env - Trial License',
     },
   };
 }

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/workflows/configs/serverless.config.ts

@@ -10,6 +10,7 @@ import { createTestConfig } from '../../../../../../config/serverless/config.bas
 export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
-    reportName: 'Detection Engine Serverless - Exception - Workflows API Integration Tests',
+    reportName:
+      'Detection Engine - Exception Workflows Integration Tests - Serverless Env - Complete License',
   },
 });

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/workflows/create_rule_exceptions.ts

@@ -27,6 +27,7 @@ import {
   getRuleSOById,
   createRuleThroughAlertingEndpoint,
   getRuleSavedObjectWithLegacyInvestigationFields,
+  checkInvestigationFieldSoValue,
 } from '../../../utils';
 import {
   deleteAllExceptions,
@@ -290,10 +291,14 @@ export default ({ getService }: FtrProviderContext) => {
             hits: [{ _source: ruleSO }],
           },
         } = await getRuleSOById(es, ruleWithLegacyInvestigationField.id);
+        const isInvestigationFieldMigratedInSo = await checkInvestigationFieldSoValue(ruleSO, {
+          field_names: ['client.address', 'agent.name'],
+        });
+
         expect(
           ruleSO?.alert.params.exceptionsList.some((list) => list.type === 'rule_default')
         ).to.eql(true);
-        expect(ruleSO?.alert.params.investigationFields).to.eql(['client.address', 'agent.name']);
+        expect(isInvestigationFieldMigratedInSo).to.eql(false);
       });
     });
   });

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/workflows/role_based_rule_exceptions_workflows.ts

@@ -73,7 +73,7 @@ export default ({ getService }: FtrProviderContext) => {
   const esArchiver = getService('esArchiver');
   const log = getService('log');
   const es = getService('es');
-  // TODO: add a new service
+  // TODO: add a new service for loading archiver files similar to "getService('es')"
   const config = getService('config');
   const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username');
   const isServerless = config.get('serverless');

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/prebuilt_rules/bundled_prebuilt_rules_package/configs/ess.config.ts

@@ -22,7 +22,8 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     ...functionalConfig.getAll(),
     testFiles: [require.resolve('..')],
     junit: {
-      reportName: 'Detection Engine ESS / Bundled Prebuilt Rules Package API Integration Tests',
+      reportName:
+        'Rules Management - Bundled Prebuilt Rules Integration Tests - ESS Env - Trial License',
     },
     kbnTestServer: {
       ...functionalConfig.get('kbnTestServer'),

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/prebuilt_rules/bundled_prebuilt_rules_package/configs/serverless.config.ts

@@ -16,7 +16,7 @@ export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
     reportName:
-      'Detection Engine Serverless / Bundled Prebuilte Rules Package API Integration Tests',
+      'Rules Management - Bundled Prebuilt Rules Integration Tests - Serverless Env - Complete License',
   },
   kbnTestServerArgs: [
     /*  Tests in this directory simulate an air-gapped environment in which the instance doesn't have access to EPR.

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/prebuilt_rules/large_prebuilt_rules_package/configs/ess.config.ts

@@ -23,7 +23,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     testFiles: [require.resolve('..')],
     junit: {
       reportName:
-        'Detection Engine ESS / Large Prebuilt Rules Package Installation API Integration Tests',
+        'Rules Management - Large Prebuilt Rules Package Integration Tests - ESS Env - Trial License',
     },
     kbnTestServer: {
       ...functionalConfig.get('kbnTestServer'),

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/prebuilt_rules/large_prebuilt_rules_package/configs/serverless.config.ts

@@ -16,7 +16,7 @@ export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
     reportName:
-      'Detection Engine Serverless / Large Prebuilt Rules Package Installation API Integration Tests',
+      'Rules Management - Large Prebuilt Rules Package Installation Integration Tests - Serverless Env - Complete License',
   },
   kbnTestServerArgs: [
     /*  Tests in this directory simulate an air-gapped environment in which the instance doesn't have access to EPR.

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/prebuilt_rules/management/configs/ess.config.ts

@@ -16,7 +16,8 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     ...functionalConfig.getAll(),
     testFiles: [require.resolve('..')],
     junit: {
-      reportName: 'Detection Engine ESS / Prebuilt Rules Management API Integration Tests',
+      reportName:
+        'Rules Management - Prebuilt Rules Management Integration Tests - ESS Env - Trial License',
     },
   };
 }

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/prebuilt_rules/management/configs/serverless.config.ts

@@ -10,6 +10,7 @@ import { createTestConfig } from '../../../../../../config/serverless/config.bas
 export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
-    reportName: 'Detection Engine Serverless / Prebuilt Rules Management API Integration Tests',
+    reportName:
+      'Rules Management - Prebuilt Rules Management Integration Tests - Serverless Env - Complete License',
   },
 });

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/prebuilt_rules/update_prebuilt_rules_package/configs/ess.config.ts

@@ -16,7 +16,8 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     ...functionalConfig.getAll(),
     testFiles: [require.resolve('..')],
     junit: {
-      reportName: 'Detection Engine ESS / Update Prebuilt Rules Package - API Integration Tests',
+      reportName:
+        'Rules Management - Update Prebuilt Rules Integration Tests - ESS Env - Trial License',
     },
   };
 }

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/prebuilt_rules/update_prebuilt_rules_package/configs/serverless.config.ts

@@ -11,6 +11,6 @@ export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
     reportName:
-      'Detection Engine Serverless / Update Prebuilt Rules Package - API Integration Tests',
+      'Rules Management - Update Prebuilt Rules Integration Tests - Serverless Env - Complete License',
   },
 });

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_bulk_actions/configs/ess.config.ts

@@ -16,7 +16,8 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     ...functionalConfig.getAll(),
     testFiles: [require.resolve('..')],
     junit: {
-      reportName: 'Rule Bulk Actions API Integration Tests - ESS - Rule bulk actions logic',
+      reportName:
+        'Rules Management - Rule Bulk Actions Integration Tests - ESS Env - Trial License',
     },
   };
 }

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_bulk_actions/configs/serverless.config.ts

@@ -9,6 +9,7 @@ import { createTestConfig } from '../../../../../config/serverless/config.base';
 export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
-    reportName: 'Rule Bulk Actions API Integration Tests - Serverless - Rule bulk actions logic',
+    reportName:
+      'Rules Management - Rule Bulk Actions Integration Tests - Serverless Env - Complete License',
   },
 });

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_bulk_actions/perform_bulk_action.ts

@@ -43,7 +43,7 @@ export default ({ getService }: FtrProviderContext): void => {
   const es = getService('es');
   const log = getService('log');
   const esArchiver = getService('esArchiver');
-  // TODO: add a new service
+  // TODO: add a new service for pulling kibana username, similar to getService('es')
   const config = getService('config');
   const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username');
 

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_bulk_actions/perform_bulk_action_ess.ts

@@ -34,6 +34,7 @@ import {
   createRuleThroughAlertingEndpoint,
   getRuleSavedObjectWithLegacyInvestigationFields,
   getRuleSavedObjectWithLegacyInvestigationFieldsEmptyArray,
+  checkInvestigationFieldSoValue,
 } from '../../utils';
 
 import { FtrProviderContext } from '../../../../ftr_provider_context';
@@ -470,6 +471,7 @@ export default ({ getService }: FtrProviderContext): void => {
     describe('legacy investigation fields', () => {
       let ruleWithLegacyInvestigationField: Rule<BaseRuleParams>;
       let ruleWithLegacyInvestigationFieldEmptyArray: Rule<BaseRuleParams>;
+      let ruleWithIntendedInvestigationField: RuleResponse;
 
       beforeEach(async () => {
         await deleteAllAlerts(supertest, log, es);
@@ -483,7 +485,7 @@ export default ({ getService }: FtrProviderContext): void => {
           supertest,
           getRuleSavedObjectWithLegacyInvestigationFieldsEmptyArray()
         );
-        await createRule(supertest, log, {
+        ruleWithIntendedInvestigationField = await createRule(supertest, log, {
           ...getSimpleRule('rule-with-investigation-field'),
           name: 'Test investigation fields object',
           investigation_fields: { field_names: ['host.name'] },
@@ -528,12 +530,14 @@ export default ({ getService }: FtrProviderContext): void => {
          * the SO itself is migrated to the inteded object type, or if the transformation is
          * happening just on the response. In this case, change should not include a migration on SO.
          */
-        const {
-          hits: {
-            hits: [{ _source: ruleSO }],
-          },
-        } = await getRuleSOById(es, JSON.parse(rule1).id);
-        expect(ruleSO?.alert?.params?.investigationFields).to.eql(['client.address', 'agent.name']);
+        const isInvestigationFieldMigratedInSo = await checkInvestigationFieldSoValue(
+          undefined,
+          { field_names: ['client.address', 'agent.name'] },
+          es,
+          JSON.parse(rule1).id
+        );
+
+        expect(isInvestigationFieldMigratedInSo).to.eql(false);
 
         const exportDetails = JSON.parse(exportDetailsJson);
         expect(exportDetails).to.eql({
@@ -618,7 +622,6 @@ export default ({ getService }: FtrProviderContext): void => {
           (returnedRule: RuleResponse) => returnedRule.rule_id === 'rule-with-investigation-field'
         );
         expect(ruleWithIntendedType.investigation_fields).to.eql({ field_names: ['host.name'] });
-
         /**
          * Confirm type on SO so that it's clear in the tests whether it's expected that
          * the SO itself is migrated to the inteded object type, or if the transformation is
@@ -629,7 +632,12 @@ export default ({ getService }: FtrProviderContext): void => {
             hits: [{ _source: ruleSO }],
           },
         } = await getRuleSOById(es, ruleWithLegacyField.id);
-        expect(ruleSO?.alert?.params?.investigationFields).to.eql(['client.address', 'agent.name']);
+
+        const isInvestigationFieldMigratedInSo = await checkInvestigationFieldSoValue(ruleSO, {
+          field_names: ['client.address', 'agent.name'],
+        });
+
+        expect(isInvestigationFieldMigratedInSo).to.eql(false);
         expect(ruleSO?.alert?.enabled).to.eql(true);
 
         const {
@@ -688,26 +696,36 @@ export default ({ getService }: FtrProviderContext): void => {
          * the SO itself is migrated to the inteded object type, or if the transformation is
          * happening just on the response. In this case, change should not include a migration on SO.
          */
-        const {
-          hits: {
-            hits: [{ _source: ruleSO }],
-          },
-        } = await getRuleSOById(es, ruleWithLegacyField.id);
-        expect(ruleSO?.alert?.params?.investigationFields).to.eql(['client.address', 'agent.name']);
+        const isInvestigationFieldForRuleWithLegacyFieldMigratedInSo =
+          await checkInvestigationFieldSoValue(
+            undefined,
+            {
+              field_names: ['client.address', 'agent.name'],
+            },
+            es,
+            ruleWithLegacyField.id
+          );
+        expect(isInvestigationFieldForRuleWithLegacyFieldMigratedInSo).to.eql(false);
 
-        const {
-          hits: {
-            hits: [{ _source: ruleSO2 }],
-          },
-        } = await getRuleSOById(es, ruleWithEmptyArray.id);
-        expect(ruleSO2?.alert?.params?.investigationFields).to.eql([]);
+        const isInvestigationFieldForRuleWithEmptyArraydMigratedInSo =
+          await checkInvestigationFieldSoValue(
+            undefined,
+            {
+              field_names: [],
+            },
+            es,
+            ruleWithEmptyArray.id
+          );
+        expect(isInvestigationFieldForRuleWithEmptyArraydMigratedInSo).to.eql(false);
 
-        const {
-          hits: {
-            hits: [{ _source: ruleSO3 }],
-          },
-        } = await getRuleSOById(es, ruleWithIntendedType.id);
-        expect(ruleSO3?.alert?.params?.investigationFields).to.eql({ field_names: ['host.name'] });
+        const isInvestigationFieldForRuleWithIntendedTypeMigratedInSo =
+          await checkInvestigationFieldSoValue(
+            undefined,
+            { field_names: ['host.name'] },
+            es,
+            ruleWithIntendedType.id
+          );
+        expect(isInvestigationFieldForRuleWithIntendedTypeMigratedInSo).to.eql(true);
       });
 
       it('should duplicate rules with legacy investigation fields and transform field in response', async () => {
@@ -751,64 +769,75 @@ export default ({ getService }: FtrProviderContext): void => {
             returnedRule.name === 'Test investigation fields object [Duplicate]'
         );
 
+        // DUPLICATED RULES
         /**
          * Confirm type on SO so that it's clear in the tests whether it's expected that
          * the SO itself is migrated to the inteded object type, or if the transformation is
          * happening just on the response. In this case, duplicated
          * rules should NOT have migrated value on write.
          */
-        const {
-          hits: {
-            hits: [{ _source: ruleSO }],
-          },
-        } = await getRuleSOById(es, ruleWithLegacyField.id);
+        const isInvestigationFieldForRuleWithLegacyFieldMigratedInSo =
+          await checkInvestigationFieldSoValue(
+            undefined,
+            { field_names: ['client.address', 'agent.name'] },
+            es,
+            ruleWithLegacyField.id
+          );
+        expect(isInvestigationFieldForRuleWithLegacyFieldMigratedInSo).to.eql(false);
 
-        expect(ruleSO?.alert?.params?.investigationFields).to.eql(['client.address', 'agent.name']);
+        const isInvestigationFieldForRuleWithEmptyArrayMigratedInSo =
+          await checkInvestigationFieldSoValue(
+            undefined,
+            { field_names: [] },
+            es,
+            ruleWithEmptyArray.id
+          );
+        expect(isInvestigationFieldForRuleWithEmptyArrayMigratedInSo).to.eql(false);
 
-        const {
-          hits: {
-            hits: [{ _source: ruleSO2 }],
-          },
-        } = await getRuleSOById(es, ruleWithEmptyArray.id);
-        expect(ruleSO2?.alert?.params?.investigationFields).to.eql([]);
-
-        const {
-          hits: {
-            hits: [{ _source: ruleSO3 }],
-          },
-        } = await getRuleSOById(es, ruleWithIntendedType.id);
-        expect(ruleSO3?.alert?.params?.investigationFields).to.eql({ field_names: ['host.name'] });
+        const isInvestigationFieldForRuleWithIntendedTypeMigratedInSo =
+          await checkInvestigationFieldSoValue(
+            undefined,
+            { field_names: ['host.name'] },
+            es,
+            ruleWithIntendedType.id
+          );
+        expect(isInvestigationFieldForRuleWithIntendedTypeMigratedInSo).to.eql({
+          field_names: ['host.name'],
+        });
 
+        // ORIGINAL RULES - rules selected to be duplicated
         /**
          * Confirm type on SO so that it's clear in the tests whether it's expected that
          * the SO itself is migrated to the inteded object type, or if the transformation is
          * happening just on the response. In this case, the original
          * rules selected to be duplicated should not be migrated.
          */
-        const {
-          hits: {
-            hits: [{ _source: ruleSOOriginalLegacy }],
-          },
-        } = await getRuleSOById(es, ruleWithLegacyInvestigationField.id);
+        const isInvestigationFieldForOriginalRuleWithLegacyFieldMigratedInSo =
+          await checkInvestigationFieldSoValue(
+            undefined,
+            { field_names: ['client.address', 'agent.name'] },
+            es,
+            ruleWithLegacyInvestigationField.id
+          );
+        expect(isInvestigationFieldForOriginalRuleWithLegacyFieldMigratedInSo).to.eql(false);
 
-        expect(ruleSOOriginalLegacy?.alert?.params?.investigationFields).to.eql([
-          'client.address',
-          'agent.name',
-        ]);
+        const isInvestigationFieldForOriginalRuleWithEmptyArrayMigratedInSo =
+          await checkInvestigationFieldSoValue(
+            undefined,
+            { field_names: [] },
+            es,
+            ruleWithLegacyInvestigationFieldEmptyArray.id
+          );
+        expect(isInvestigationFieldForOriginalRuleWithEmptyArrayMigratedInSo).to.eql(false);
 
-        const {
-          hits: {
-            hits: [{ _source: ruleSOOriginalLegacyEmptyArray }],
-          },
-        } = await getRuleSOById(es, ruleWithLegacyInvestigationFieldEmptyArray.id);
-        expect(ruleSOOriginalLegacyEmptyArray?.alert?.params?.investigationFields).to.eql([]);
-
-        const {
-          hits: {
-            hits: [{ _source: ruleSOOriginalNoLegacy }],
-          },
-        } = await getRuleSOById(es, ruleWithIntendedType.id);
-        expect(ruleSOOriginalNoLegacy?.alert?.params?.investigationFields).to.eql({
+        const isInvestigationFieldForOriginalRuleWithIntendedTypeMigratedInSo =
+          await checkInvestigationFieldSoValue(
+            undefined,
+            { field_names: ['host.name'] },
+            es,
+            ruleWithIntendedInvestigationField.id
+          );
+        expect(isInvestigationFieldForOriginalRuleWithIntendedTypeMigratedInSo).to.eql({
           field_names: ['host.name'],
         });
       });
@@ -860,26 +889,32 @@ export default ({ getService }: FtrProviderContext): void => {
          * the SO itself is migrated to the inteded object type, or if the transformation is
          * happening just on the response. In this case, change should not include a migration on SO.
          */
-        const {
-          hits: {
-            hits: [{ _source: ruleSO }],
-          },
-        } = await getRuleSOById(es, ruleWithLegacyInvestigationField.id);
-        expect(ruleSO?.alert?.params?.investigationFields).to.eql(['client.address', 'agent.name']);
+        const isInvestigationFieldForRuleWithLegacyFieldMigratedInSo =
+          await checkInvestigationFieldSoValue(
+            undefined,
+            { field_names: ['client.address', 'agent.name'] },
+            es,
+            ruleWithLegacyInvestigationField.id
+          );
+        expect(isInvestigationFieldForRuleWithLegacyFieldMigratedInSo).to.eql(false);
 
-        const {
-          hits: {
-            hits: [{ _source: ruleSO2 }],
-          },
-        } = await getRuleSOById(es, ruleWithLegacyInvestigationFieldEmptyArray.id);
-        expect(ruleSO2?.alert?.params?.investigationFields).to.eql([]);
+        const isInvestigationFieldForRuleWithEmptyArrayFieldMigratedInSo =
+          await checkInvestigationFieldSoValue(
+            undefined,
+            { field_names: [] },
+            es,
+            ruleWithLegacyInvestigationFieldEmptyArray.id
+          );
+        expect(isInvestigationFieldForRuleWithEmptyArrayFieldMigratedInSo).to.eql(false);
 
-        const {
-          hits: {
-            hits: [{ _source: ruleSO3 }],
-          },
-        } = await getRuleSOById(es, ruleWithIntendedType.id);
-        expect(ruleSO3?.alert?.params?.investigationFields).to.eql({ field_names: ['host.name'] });
+        const isInvestigationFieldForRuleWithIntendedTypeMigratedInSo =
+          await checkInvestigationFieldSoValue(
+            undefined,
+            { field_names: ['host.name'] },
+            es,
+            ruleWithIntendedType.id
+          );
+        expect(isInvestigationFieldForRuleWithIntendedTypeMigratedInSo).to.eql(true);
       });
     });
   });

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_creation/configs/ess.config.ts

@@ -16,7 +16,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     ...functionalConfig.getAll(),
     testFiles: [require.resolve('..')],
     junit: {
-      reportName: 'Detection Engine ESS/ Rule creation API Integration Tests',
+      reportName: 'Detection Engine - Rule Creation Integration Tests - ESS Env - Trial License',
     },
   };
 }

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_creation/configs/serverless.config.ts

@@ -10,6 +10,7 @@ import { createTestConfig } from '../../../../../config/serverless/config.base';
 export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
-    reportName: 'Detection Engine Serverless/ Rule creation API Integration Tests',
+    reportName:
+      'Detection Engine - Rule Creation Integration Tests - Serverless Env - Complete License',
   },
 });

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_creation/create_rules.ts

@@ -45,7 +45,7 @@ export default ({ getService }: FtrProviderContext) => {
   const supertestWithoutAuth = getService('supertestWithoutAuth');
   const log = getService('log');
   const es = getService('es');
-  // TODO: add a new service
+  // TODO: add a new service for pulling kibana username, similar to getService('es')
   const config = getService('config');
   const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username');
 

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_creation/create_rules_bulk.ts

@@ -42,9 +42,7 @@ export default ({ getService }: FtrProviderContext): void => {
   const log = getService('log');
   const es = getService('es');
 
-  // Marking as ESS and brokenInServerless as it's currently exposed in both, but if this is already
-  // deprecated, it should cease being exposed in Serverless prior to GA, in which case this
-  // test would be run for ESS only.
+  // See https://github.com/elastic/kibana/issues/130963 for discussion on deprecation
   describe('@ess @brokenInServerless @skipInQA create_rules_bulk', () => {
     describe('deprecations', () => {
       afterEach(async () => {

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_creation/preview_rules.ts

@@ -24,7 +24,7 @@ export default ({ getService }: FtrProviderContext) => {
   const supertest = getService('supertest');
   const supertestWithoutAuth = getService('supertestWithoutAuth');
   const log = getService('log');
-  // TODO: add a new service
+  // TODO: add a new service for loading archiver files similar to "getService('es')"
   const config = getService('config');
   const isServerless = config.get('serverless');
   const dataPathBuilder = new EsArchivePathBuilder(isServerless);

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_delete/configs/ess.config.ts

@@ -16,7 +16,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     ...functionalConfig.getAll(),
     testFiles: [require.resolve('..')],
     junit: {
-      reportName: 'Rule Management API Integration Tests - ESS - Rule Delete logic',
+      reportName: 'Detection Engine - Rule Deletion Integration Tests - ESS Env - Trial License',
     },
   };
 }

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_delete/configs/serverless.config.ts

@@ -9,6 +9,7 @@ import { createTestConfig } from '../../../../../config/serverless/config.base';
 export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
-    reportName: 'Rule Management API Integration Tests - Serverless - Rule Delete logic',
+    reportName:
+      'Detection Engine - Rule Deletion Integration Tests - Serverless Env - Complete License',
   },
 });

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_delete/delete_rules.ts

@@ -27,7 +27,7 @@ export default ({ getService }: FtrProviderContext): void => {
   const supertest = getService('supertest');
   const log = getService('log');
   const es = getService('es');
-  // TODO: add a new service
+  // TODO: add a new service for pulling kibana username, similar to getService('es')
   const config = getService('config');
   const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username');
 

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_delete/delete_rules_bulk.ts

@@ -32,13 +32,11 @@ export default ({ getService }: FtrProviderContext): void => {
   const supertest = getService('supertest');
   const log = getService('log');
   const es = getService('es');
-  // TODO: add a new service
+  // TODO: add a new service for pulling kibana username, similar to getService('es')
   const config = getService('config');
   const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username');
 
-  // Marking as ESS and brokenInServerless as it's currently exposed in both, but if this is already
-  // deprecated, it should cease being exposed in Serverless prior to GA, in which case this
-  // test would be run for ESS only.
+  // See https://github.com/elastic/kibana/issues/130963 for discussion on deprecation
   describe('@ess @brokenInServerless @skipInQA delete_rules_bulk', () => {
     describe('deprecations', () => {
       it('should return a warning header', async () => {

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_delete/delete_rules_bulk_legacy.ts

@@ -176,7 +176,7 @@ export default ({ getService }: FtrProviderContext): void => {
 
         // Test to ensure that we have exactly 0 legacy actions by querying the Alerting client REST API directly
         // See: https://www.elastic.co/guide/en/kibana/current/find-rules-api.html
-        // Note: We specifically query for both the filter of type "siem.notifications" and the "has_reference" to keep it very specific
+        // Note: We specifically filter for both the type "siem.notifications" and the "has_reference" field to ensure we only retrieve legacy actions
         const { body: bodyAfterDelete } = await supertest
           .get(`${BASE_ALERTING_API_PATH}/rules/_find`)
           .query({

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_delete/delete_rules_legacy.ts

@@ -27,7 +27,7 @@ export default ({ getService }: FtrProviderContext): void => {
   const log = getService('log');
   const es = getService('es');
 
-  describe('@ess delete_rules_legacy', () => {
+  describe('@ess Legacy route for deleting rules', () => {
     describe('deleting rules', () => {
       beforeEach(async () => {
         await createAlertsIndex(supertest, log);

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/configs/ess.config.ts

@@ -16,7 +16,8 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     ...functionalConfig.getAll(),
     testFiles: [require.resolve('..')],
     junit: {
-      reportName: 'Detection Engine API Integration Tests - ESS - Rule Execution Logic',
+      reportName:
+        'Detection Engine - Rule Execution Logic Integration Tests - ESS Env - Trial License',
     },
   };
 }

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/configs/serverless.config.ts

@@ -9,7 +9,8 @@ import { createTestConfig } from '../../../../../config/serverless/config.base';
 export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
-    reportName: 'Detection Engine API Integration Tests - Serverless - Rule Execution Logic',
+    reportName:
+      'Detection Engine - Rule Execution Logic Integration Tests - Serverless Env - Complete License',
   },
   kbnTestServerArgs: [
     `--xpack.securitySolution.alertIgnoreFields=${JSON.stringify([

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/eql.ts

@@ -53,7 +53,7 @@ export default ({ getService }: FtrProviderContext) => {
   const esArchiver = getService('esArchiver');
   const es = getService('es');
   const log = getService('log');
-  // TODO: add a new service
+  // TODO: add a new service for loading archiver files similar to "getService('es')"
   const config = getService('config');
   const isServerless = config.get('serverless');
   const dataPathBuilder = new EsArchivePathBuilder(isServerless);

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/machine_learning.ts

@@ -52,7 +52,7 @@ export default ({ getService }: FtrProviderContext) => {
   const esArchiver = getService('esArchiver');
   const es = getService('es');
   const log = getService('log');
-  // TODO: add a new service
+  // TODO: add a new service for loading archiver files similar to "getService('es')"
   const config = getService('config');
   const isServerless = config.get('serverless');
   const dataPathBuilder = new EsArchivePathBuilder(isServerless);

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/new_terms.ts

@@ -41,7 +41,7 @@ export default ({ getService }: FtrProviderContext) => {
     index: 'new_terms',
     log,
   });
-  // TODO: add a new service
+  // TODO: add a new service for loading archiver files similar to "getService('es')"
   const config = getService('config');
   const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username');
   const isServerless = config.get('serverless');

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts

@@ -88,7 +88,7 @@ export default ({ getService }: FtrProviderContext) => {
   const es = getService('es');
   const log = getService('log');
   const esDeleteAllIndices = getService('esDeleteAllIndices');
-  // TODO: add a new service
+  // TODO: add a new service for loading archiver files similar to "getService('es')"
   const config = getService('config');
   const isServerless = config.get('serverless');
   const dataPathBuilder = new EsArchivePathBuilder(isServerless);

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/saved_query.ts

@@ -37,7 +37,7 @@ export default ({ getService }: FtrProviderContext) => {
   const esArchiver = getService('esArchiver');
   const es = getService('es');
   const log = getService('log');
-  // TODO: add a new service
+  // TODO: add a new service for loading archiver files similar to "getService('es')"
   const config = getService('config');
   const isServerless = config.get('serverless');
   const dataPathBuilder = new EsArchivePathBuilder(isServerless);

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threat_match.ts

@@ -147,7 +147,7 @@ export default ({ getService }: FtrProviderContext) => {
   const supertest = getService('supertest');
   const es = getService('es');
   const log = getService('log');
-  // TODO: add a new service
+  // TODO: add a new service for loading archiver files similar to "getService('es')"
   const config = getService('config');
   const isServerless = config.get('serverless');
   const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username');

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threshold.ts

@@ -39,7 +39,7 @@ export default ({ getService }: FtrProviderContext) => {
   const esArchiver = getService('esArchiver');
   const es = getService('es');
   const log = getService('log');
-  // TODO: add a new service
+  // TODO: add a new service for loading archiver files similar to "getService('es')"
   const config = getService('config');
   const isServerless = config.get('serverless');
   const dataPathBuilder = new EsArchivePathBuilder(isServerless);

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/timestamps.ts

@@ -35,7 +35,7 @@ export default ({ getService }: FtrProviderContext) => {
   const esArchiver = getService('esArchiver');
   const es = getService('es');
   const log = getService('log');
-  // TODO: add a new service
+  // TODO: add a new service for loading archiver files similar to "getService('es')"
   const config = getService('config');
   const isServerless = config.get('serverless');
   const dataPathBuilder = new EsArchivePathBuilder(isServerless);

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_import_export/configs/ess.config.ts

@@ -16,7 +16,8 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     ...functionalConfig.getAll(),
     testFiles: [require.resolve('..')],
     junit: {
-      reportName: 'Rule Management API Integration Tests - ESS - Rule Import and Export logic',
+      reportName:
+        'Rules Management - Rule Import And Export Integration Tests - ESS Env - Trial License',
     },
   };
 }

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_import_export/configs/serverless.config.ts

@@ -9,6 +9,7 @@ import { createTestConfig } from '../../../../../config/serverless/config.base';
 export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
-    reportName: 'Rule Management API Integration Tests - Serverless - Rule Import and Export logic',
+    reportName:
+      'Rules Management - Rule Import And Export Integration Tests - Serverless Env - Complete License',
   },
 });

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_import_export/export_rules.ts

@@ -28,7 +28,7 @@ export default ({ getService }: FtrProviderContext): void => {
   const supertest = getService('supertest');
   const log = getService('log');
   const es = getService('es');
-  // TODO: add a new service
+  // TODO: add a new service for pulling kibana username, similar to getService('es')
   const config = getService('config');
   const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username');
 

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_import_export/export_rules_ess.ts

@@ -26,9 +26,9 @@ import {
   removeServerGeneratedProperties,
   getRuleSavedObjectWithLegacyInvestigationFields,
   getRuleSavedObjectWithLegacyInvestigationFieldsEmptyArray,
-  getRuleSOById,
   updateUsername,
   createRuleThroughAlertingEndpoint,
+  checkInvestigationFieldSoValue,
 } from '../../utils';
 import { FtrProviderContext } from '../../../../ftr_provider_context';
 
@@ -36,7 +36,7 @@ export default ({ getService }: FtrProviderContext): void => {
   const supertest = getService('supertest');
   const log = getService('log');
   const es = getService('es');
-  // TODO: add a new service
+  // TODO: add a new service for pulling kibana username, similar to getService('es')
   const config = getService('config');
   const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username');
 
@@ -417,21 +417,20 @@ export default ({ getService }: FtrProviderContext): void => {
         expect(exportedRule.investigation_fields).toEqual({
           field_names: ['client.address', 'agent.name'],
         });
+
         /**
          * Confirm type on SO so that it's clear in the tests whether it's expected that
          * the SO itself is migrated to the inteded object type, or if the transformation is
          * happening just on the response. In this case, change should
          * NOT include a migration on SO.
          */
-        const {
-          hits: {
-            hits: [{ _source: ruleSO }],
-          },
-        } = await getRuleSOById(es, ruleWithLegacyInvestigationField.id);
-        expect(ruleSO?.alert?.params?.investigationFields).toEqual([
-          'client.address',
-          'agent.name',
-        ]);
+        const isInvestigationFieldMigratedInSo = await checkInvestigationFieldSoValue(
+          undefined,
+          { field_names: ['client.address', 'agent.name'] },
+          es,
+          ruleWithLegacyInvestigationField.id
+        );
+        expect(isInvestigationFieldMigratedInSo).toEqual(false);
       });
 
       it('exports a rule that has a legacy investigation field set to empty array and unsets field in response', async () => {
@@ -455,12 +454,13 @@ export default ({ getService }: FtrProviderContext): void => {
          * happening just on the response. In this case, change should
          * NOT include a migration on SO.
          */
-        const {
-          hits: {
-            hits: [{ _source: ruleSO }],
-          },
-        } = await getRuleSOById(es, ruleWithLegacyInvestigationFieldEmptyArray.id);
-        expect(ruleSO?.alert?.params?.investigationFields).toEqual([]);
+        const isInvestigationFieldMigratedInSo = await checkInvestigationFieldSoValue(
+          undefined,
+          { field_names: [] },
+          es,
+          ruleWithLegacyInvestigationFieldEmptyArray.id
+        );
+        expect(isInvestigationFieldMigratedInSo).toEqual(false);
       });
 
       it('exports rule with investigation fields as intended object type', async () => {
@@ -484,12 +484,14 @@ export default ({ getService }: FtrProviderContext): void => {
          * the SO itself is migrated to the inteded object type, or if the transformation is
          * happening just on the response. In this case, change should
          * NOT include a migration on SO.
-         */ const {
-          hits: {
-            hits: [{ _source: ruleSO }],
-          },
-        } = await getRuleSOById(es, exportedRule.id);
-        expect(ruleSO?.alert?.params?.investigationFields).toEqual({ field_names: ['host.name'] });
+         */
+        const isInvestigationFieldMigratedInSo = await checkInvestigationFieldSoValue(
+          undefined,
+          { field_names: ['host.name'] },
+          es,
+          exportedRule.id
+        );
+        expect(isInvestigationFieldMigratedInSo).toEqual(true);
       });
     });
   });

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_import_export/import_rules_ess.ts

@@ -22,9 +22,9 @@ import {
   getLegacyActionSO,
   createRule,
   fetchRule,
-  getRuleSOById,
   getWebHookAction,
   getSimpleRuleAsNdjson,
+  checkInvestigationFieldSoValue,
 } from '../../utils';
 import {
   createUserAndRole,
@@ -308,18 +308,20 @@ export default ({ getService }: FtrProviderContext): void => {
 
         const rule = await fetchRule(supertest, { ruleId: 'rule-1' });
         expect(rule.investigation_fields).to.eql({ field_names: ['foo', 'bar'] });
+
         /**
          * Confirm type on SO so that it's clear in the tests whether it's expected that
          * the SO itself is migrated to the inteded object type, or if the transformation is
          * happening just on the response. In this case, change should
          * include a migration on SO.
          */
-        const {
-          hits: {
-            hits: [{ _source: ruleSO }],
-          },
-        } = await getRuleSOById(es, rule.id);
-        expect(ruleSO?.alert?.params?.investigationFields).to.eql({ field_names: ['foo', 'bar'] });
+        const isInvestigationFieldMigratedInSo = await checkInvestigationFieldSoValue(
+          undefined,
+          { field_names: ['foo', 'bar'] },
+          es,
+          rule.id
+        );
+        expect(isInvestigationFieldMigratedInSo).to.eql(true);
       });
 
       it('imports rule with investigation fields as empty array', async () => {
@@ -342,18 +344,20 @@ export default ({ getService }: FtrProviderContext): void => {
 
         const rule = await fetchRule(supertest, { ruleId: 'rule-1' });
         expect(rule.investigation_fields).to.eql(undefined);
+
         /**
          * Confirm type on SO so that it's clear in the tests whether it's expected that
          * the SO itself is migrated to the inteded object type, or if the transformation is
          * happening just on the response. In this case, change should
          * include a migration on SO.
          */
-        const {
-          hits: {
-            hits: [{ _source: ruleSO }],
-          },
-        } = await getRuleSOById(es, rule.id);
-        expect(ruleSO?.alert?.params?.investigationFields).to.eql(undefined);
+        const isInvestigationFieldMigratedInSo = await checkInvestigationFieldSoValue(
+          undefined,
+          undefined,
+          es,
+          rule.id
+        );
+        expect(isInvestigationFieldMigratedInSo).to.eql(true);
       });
 
       it('imports rule with investigation fields as intended object type', async () => {
@@ -381,12 +385,13 @@ export default ({ getService }: FtrProviderContext): void => {
          * happening just on the response. In this case, change should
          * include a migration on SO.
          */
-        const {
-          hits: {
-            hits: [{ _source: ruleSO }],
-          },
-        } = await getRuleSOById(es, rule.id);
-        expect(ruleSO?.alert?.params?.investigationFields).to.eql({ field_names: ['foo'] });
+        const isInvestigationFieldIntendedTypeInSo = await checkInvestigationFieldSoValue(
+          undefined,
+          { field_names: ['foo'] },
+          es,
+          rule.id
+        );
+        expect(isInvestigationFieldIntendedTypeInSo).to.eql(true);
       });
     });
   });

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_management/configs/ess.config.ts

@@ -16,7 +16,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     ...functionalConfig.getAll(),
     testFiles: [require.resolve('..')],
     junit: {
-      reportName: 'Rule Management API Integration Tests - ESS - Rule management logic',
+      reportName: 'Rules Management - Rule Management Integration Tests - ESS Env - Trial License',
     },
   };
 }

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_management/configs/serverless.config.ts

@@ -9,6 +9,7 @@ import { createTestConfig } from '../../../../../config/serverless/config.base';
 export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
-    reportName: 'Rule Management API Integration Tests - Serverless - Rule management logic',
+    reportName:
+      'Rules Management - Rule Management Integration Tests - Serverless Env - Complete License',
   },
 });

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_management/get_rule_execution_results.ts

@@ -41,7 +41,7 @@ export default ({ getService }: FtrProviderContext) => {
   const esArchiver = getService('esArchiver');
   const es = getService('es');
   const log = getService('log');
-  // TODO: add a new service
+  // TODO: add a new service for loading archiver files similar to "getService('es')"
   const config = getService('config');
   const isServerless = config.get('serverless');
   const dataPathBuilder = new EsArchivePathBuilder(isServerless);

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_patch/configs/ess.config.ts

@@ -16,7 +16,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     ...functionalConfig.getAll(),
     testFiles: [require.resolve('..')],
     junit: {
-      reportName: 'Rule Management API Integration Tests - ESS - Rule Patch logic',
+      reportName: 'Detection Engine - Rule Patch Integration Tests - ESS Env - Trial License',
     },
   };
 }

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_patch/configs/serverless.config.ts

@@ -9,6 +9,7 @@ import { createTestConfig } from '../../../../../config/serverless/config.base';
 export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
-    reportName: 'Rule Management API Integration Tests - Serverless - Rule Patch logic',
+    reportName:
+      'Detection Engine - Rule Patch Integration Tests - Serverless Env - Complete License',
   },
 });

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_patch/patch_rules.ts

@@ -41,7 +41,7 @@ export default ({ getService }: FtrProviderContext) => {
   const supertest = getService('supertest');
   const log = getService('log');
   const es = getService('es');
-  // TODO: add a new service
+  // TODO: add a new service for pulling kibana username, similar to getService('es')
   const config = getService('config');
   const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username');
 

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_patch/patch_rules_bulk.ts

@@ -29,6 +29,7 @@ import {
   createRuleThroughAlertingEndpoint,
   getRuleSavedObjectWithLegacyInvestigationFieldsEmptyArray,
   getRuleSavedObjectWithLegacyInvestigationFields,
+  checkInvestigationFieldSoValue,
 } from '../../utils';
 import { FtrProviderContext } from '../../../../ftr_provider_context';
 
@@ -36,13 +37,11 @@ export default ({ getService }: FtrProviderContext) => {
   const supertest = getService('supertest');
   const log = getService('log');
   const es = getService('es');
-  // TODO: add a new service
+  // TODO: add a new service for pulling kibana username, similar to getService('es')
   const config = getService('config');
   const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username');
 
-  // Marking as ESS and brokenInServerless as it's currently exposed in both, but if this is already
-  // deprecated, it should cease being exposed in Serverless prior to GA, in which case this
-  // test would be run for ESS only.
+  // See https://github.com/elastic/kibana/issues/130963 for discussion on deprecation
   describe('@ess @brokenInServerless @skipInQA patch_rules_bulk', () => {
     describe('deprecations', () => {
       afterEach(async () => {
@@ -588,18 +587,20 @@ export default ({ getService }: FtrProviderContext) => {
           field_names: ['client.address', 'agent.name'],
         });
         expect(bodyToCompareLegacyField.name).to.eql('some other name');
+
         /**
          * Confirm type on SO so that it's clear in the tests whether it's expected that
          * the SO itself is migrated to the inteded object type, or if the transformation is
          * happening just on the response. In this case, change should
          * NOT include a migration on SO.
          */
-        const {
-          hits: {
-            hits: [{ _source: ruleSO }],
-          },
-        } = await getRuleSOById(es, body[0].id);
-        expect(ruleSO?.alert?.params?.investigationFields).to.eql(['client.address', 'agent.name']);
+        const isInvestigationFieldMigratedInSo = await checkInvestigationFieldSoValue(
+          undefined,
+          { field_names: ['client.address', 'agent.name'] },
+          es,
+          body[0].id
+        );
+        expect(isInvestigationFieldMigratedInSo).to.eql(false);
       });
 
       it('should patch a rule with a legacy investigation field - empty array - and transform field in response', async () => {
@@ -619,18 +620,20 @@ export default ({ getService }: FtrProviderContext) => {
         const bodyToCompareLegacyFieldEmptyArray = removeServerGeneratedProperties(body[0]);
         expect(bodyToCompareLegacyFieldEmptyArray.investigation_fields).to.eql(undefined);
         expect(bodyToCompareLegacyFieldEmptyArray.name).to.eql('some other name 2');
+
         /**
          * Confirm type on SO so that it's clear in the tests whether it's expected that
          * the SO itself is migrated to the inteded object type, or if the transformation is
          * happening just on the response. In this case, change should
          * NOT include a migration on SO.
          */
-        const {
-          hits: {
-            hits: [{ _source: ruleSO }],
-          },
-        } = await getRuleSOById(es, body[0].id);
-        expect(ruleSO?.alert?.params?.investigationFields).to.eql([]);
+        const isInvestigationFieldMigratedInSo = await checkInvestigationFieldSoValue(
+          undefined,
+          { field_names: [] },
+          es,
+          body[0].id
+        );
+        expect(isInvestigationFieldMigratedInSo).to.eql(false);
       });
 
       it('should patch a rule with an investigation field', async () => {

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_patch/patch_rules_ess.ts

@@ -16,7 +16,6 @@ import {
   deleteAllRules,
   deleteAllAlerts,
   removeServerGeneratedProperties,
-  getRuleSOById,
   createRuleThroughAlertingEndpoint,
   getRuleSavedObjectWithLegacyInvestigationFields,
   getRuleSavedObjectWithLegacyInvestigationFieldsEmptyArray,
@@ -26,6 +25,7 @@ import {
   updateUsername,
   createLegacyRuleAction,
   getSimpleRule,
+  checkInvestigationFieldSoValue,
 } from '../../utils';
 import { FtrProviderContext } from '../../../../ftr_provider_context';
 
@@ -33,7 +33,7 @@ export default ({ getService }: FtrProviderContext) => {
   const supertest = getService('supertest');
   const log = getService('log');
   const es = getService('es');
-  // TODO: add a new service
+  // TODO: add a new service for pulling kibana username, similar to getService('es')
   const config = getService('config');
   const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username');
 
@@ -158,15 +158,15 @@ export default ({ getService }: FtrProviderContext) => {
            * happening just on the response. In this case, change should
            * NOT include a migration on SO.
            */
-          const {
-            hits: {
-              hits: [{ _source: ruleSO }],
+          const isInvestigationFieldMigratedInSo = await checkInvestigationFieldSoValue(
+            undefined,
+            {
+              field_names: ['client.address', 'agent.name'],
             },
-          } = await getRuleSOById(es, body.id);
-          expect(ruleSO?.alert?.params?.investigationFields).to.eql([
-            'client.address',
-            'agent.name',
-          ]);
+            es,
+            body.id
+          );
+          expect(isInvestigationFieldMigratedInSo).to.eql(false);
         });
 
         it('should patch a rule with a legacy investigation field - empty array - and transform response', async () => {
@@ -188,12 +188,15 @@ export default ({ getService }: FtrProviderContext) => {
            * happening just on the response. In this case, change should
            * NOT include a migration on SO.
            */
-          const {
-            hits: {
-              hits: [{ _source: ruleSO }],
+          const isInvestigationFieldMigratedInSo = await checkInvestigationFieldSoValue(
+            undefined,
+            {
+              field_names: [],
             },
-          } = await getRuleSOById(es, body.id);
-          expect(ruleSO?.alert?.params?.investigationFields).to.eql([]);
+            es,
+            body.id
+          );
+          expect(isInvestigationFieldMigratedInSo).to.eql(false);
         });
       });
     });

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_read/configs/ess.config.ts

@@ -16,7 +16,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     ...functionalConfig.getAll(),
     testFiles: [require.resolve('..')],
     junit: {
-      reportName: 'Rule Management API Integration Tests - ESS - Rule Read logic',
+      reportName: 'Rules Management - Rule Read Integration Tests - ESS Env - Trial License',
     },
   };
 }

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_read/configs/serverless.config.ts

@@ -9,6 +9,7 @@ import { createTestConfig } from '../../../../../config/serverless/config.base';
 export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
-    reportName: 'Rule Management API Integration Tests - Serverless - Rule Read logic',
+    reportName:
+      'Rules Management - Rule Read Integration Tests - Serverless Env - Complete License',
   },
 });

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_read/find_rules.ts

@@ -27,7 +27,7 @@ import { FtrProviderContext } from '../../../../ftr_provider_context';
 export default ({ getService }: FtrProviderContext): void => {
   const supertest = getService('supertest');
   const log = getService('log');
-  // TODO: add a new service
+  // TODO: add a new service for pulling kibana username, similar to getService('es')
   const config = getService('config');
   const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username');
 

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_read/find_rules_ess.ts

@@ -18,7 +18,6 @@ import {
   createRule,
   createRuleThroughAlertingEndpoint,
   deleteAllRules,
-  getRuleSOById,
   getSimpleRule,
   getSimpleRuleOutput,
   getWebHookAction,
@@ -26,6 +25,7 @@ import {
   removeServerGeneratedProperties,
   getRuleSavedObjectWithLegacyInvestigationFields,
   getRuleSavedObjectWithLegacyInvestigationFieldsEmptyArray,
+  checkInvestigationFieldSoValue,
 } from '../../utils';
 import { FtrProviderContext } from '../../../../ftr_provider_context';
 
@@ -33,7 +33,7 @@ export default ({ getService }: FtrProviderContext): void => {
   const supertest = getService('supertest');
   const log = getService('log');
   const es = getService('es');
-  // TODO: add a new service
+  // TODO: add a new service for pulling kibana username, similar to getService('es')
   const config = getService('config');
   const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username');
 
@@ -171,24 +171,36 @@ export default ({ getService }: FtrProviderContext): void => {
          * happening just on the response. In this case, change should
          * NOT include a migration on SO.
          */
-        const {
-          hits: {
-            hits: [{ _source: ruleSO }],
+        const isInvestigationFieldMigratedInSo = await checkInvestigationFieldSoValue(
+          undefined,
+          {
+            field_names: ['client.address', 'agent.name'],
           },
-        } = await getRuleSOById(es, ruleWithLegacyInvestigationField.id);
-        expect(ruleSO?.alert?.params?.investigationFields).to.eql(['client.address', 'agent.name']);
-        const {
-          hits: {
-            hits: [{ _source: ruleSO2 }],
+          es,
+          ruleWithLegacyInvestigationField.id
+        );
+        expect(isInvestigationFieldMigratedInSo).to.eql(false);
+
+        const isInvestigationFieldMigratedInSoForRuleWithEmptyArray =
+          await checkInvestigationFieldSoValue(
+            undefined,
+            {
+              field_names: [],
+            },
+            es,
+            ruleWithLegacyInvestigationFieldEmptyArray.id
+          );
+        expect(isInvestigationFieldMigratedInSoForRuleWithEmptyArray).to.eql(false);
+
+        const isInvestigationFieldSoExpectedType = await checkInvestigationFieldSoValue(
+          undefined,
+          {
+            field_names: ['host.name'],
           },
-        } = await getRuleSOById(es, ruleWithLegacyInvestigationFieldEmptyArray.id);
-        expect(ruleSO2?.alert?.params?.investigationFields).to.eql([]);
-        const {
-          hits: {
-            hits: [{ _source: ruleSO3 }],
-          },
-        } = await getRuleSOById(es, ruleWithExpectedTyping.id);
-        expect(ruleSO3?.alert?.params?.investigationFields).to.eql({ field_names: ['host.name'] });
+          es,
+          ruleWithExpectedTyping.id
+        );
+        expect(isInvestigationFieldSoExpectedType).to.eql(true);
       });
     });
   });

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_read/read_rules.ts

@@ -27,7 +27,7 @@ export default ({ getService }: FtrProviderContext) => {
   const supertest = getService('supertest');
   const log = getService('log');
   const es = getService('es');
-  // TODO: add a new service
+  // TODO: add a new service for pulling kibana username, similar to getService('es')
   const config = getService('config');
   const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username');
 

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_read/read_rules_ess.ts

@@ -21,11 +21,11 @@ import {
   getSimpleRuleOutput,
   getWebHookAction,
   removeServerGeneratedProperties,
-  getRuleSOById,
   updateUsername,
   getRuleSavedObjectWithLegacyInvestigationFields,
   createRuleThroughAlertingEndpoint,
   getRuleSavedObjectWithLegacyInvestigationFieldsEmptyArray,
+  checkInvestigationFieldSoValue,
 } from '../../utils';
 import { FtrProviderContext } from '../../../../ftr_provider_context';
 
@@ -33,7 +33,7 @@ export default ({ getService }: FtrProviderContext) => {
   const supertest = getService('supertest');
   const log = getService('log');
   const es = getService('es');
-  // TODO: add a new service
+  // TODO: add a new service for pulling kibana username, similar to getService('es')
   const config = getService('config');
   const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username');
 
@@ -164,12 +164,15 @@ export default ({ getService }: FtrProviderContext) => {
          * happening just on the response. In this case, change should
          * just be a transform on read, not a migration on SO.
          */
-        const {
-          hits: {
-            hits: [{ _source: ruleSO }],
+        const isInvestigationFieldMigratedInSo = await checkInvestigationFieldSoValue(
+          undefined,
+          {
+            field_names: ['client.address', 'agent.name'],
           },
-        } = await getRuleSOById(es, body.id);
-        expect(ruleSO?.alert?.params?.investigationFields).to.eql(['client.address', 'agent.name']);
+          es,
+          body.id
+        );
+        expect(isInvestigationFieldMigratedInSo).to.eql(false);
       });
 
       it('should be able to read a rule with a legacy investigation field - empty array', async () => {
@@ -190,12 +193,15 @@ export default ({ getService }: FtrProviderContext) => {
          * happening just on the response. In this case, change should
          * just be a transform on read, not a migration on SO.
          */
-        const {
-          hits: {
-            hits: [{ _source: ruleSO }],
+        const isInvestigationFieldMigratedInSo = await checkInvestigationFieldSoValue(
+          undefined,
+          {
+            field_names: [],
           },
-        } = await getRuleSOById(es, body.id);
-        expect(ruleSO?.alert?.params?.investigationFields).to.eql([]);
+          es,
+          body.id
+        );
+        expect(isInvestigationFieldMigratedInSo).to.eql(false);
       });
 
       it('does not migrate investigation fields when intended object type', async () => {
@@ -214,12 +220,13 @@ export default ({ getService }: FtrProviderContext) => {
          * happening just on the response. In this case, change should
          * just be a transform on read, not a migration on SO.
          */
-        const {
-          hits: {
-            hits: [{ _source: ruleSO }],
-          },
-        } = await getRuleSOById(es, body.id);
-        expect(ruleSO?.alert?.params?.investigationFields).to.eql({ field_names: ['host.name'] });
+        const isInvestigationFieldIntendedTypeInSo = await checkInvestigationFieldSoValue(
+          undefined,
+          { field_names: ['host.name'] },
+          es,
+          body.id
+        );
+        expect(isInvestigationFieldIntendedTypeInSo).to.eql(true);
       });
     });
   });

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_update/configs/ess.config.ts

@@ -16,7 +16,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     ...functionalConfig.getAll(),
     testFiles: [require.resolve('..')],
     junit: {
-      reportName: 'Rule Management API Integration Tests - ESS - Rule Update logic',
+      reportName: 'Detection Engine - Rule Update Integration Tests - ESS Env - Trial License',
     },
   };
 }

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_update/configs/serverless.config.ts

@@ -9,6 +9,7 @@ import { createTestConfig } from '../../../../../config/serverless/config.base';
 export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
-    reportName: 'Rule Management API Integration Tests - Serverless - Rule Update logic',
+    reportName:
+      'Detection Engine - Rule Update Integration Tests - Serverless Env - Complete License',
   },
 });

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_update/update_rules.ts

@@ -44,7 +44,7 @@ export default ({ getService }: FtrProviderContext) => {
   const supertest = getService('supertest');
   const log = getService('log');
   const es = getService('es');
-  // TODO: add a new service
+  // TODO: add a new service for pulling kibana username, similar to getService('es')
   const config = getService('config');
   const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username');
 

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_update/update_rules_bulk.ts

@@ -48,13 +48,11 @@ export default ({ getService }: FtrProviderContext) => {
   const supertest = getService('supertest');
   const log = getService('log');
   const es = getService('es');
-  // TODO: add a new service
+  // TODO: add a new service for pulling kibana username, similar to getService('es')
   const config = getService('config');
   const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username');
 
-  // Marking as ESS and brokenInServerless as it's currently exposed in both, but if this is already
-  // deprecated, it should cease being exposed in Serverless prior to GA, in which case this
-  // test would be run for ESS only.
+  // See https://github.com/elastic/kibana/issues/130963 for discussion on deprecation
   describe('@ess @brokenInServerless @skipInQA update_rules_bulk', () => {
     describe('deprecations', () => {
       afterEach(async () => {

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_update/update_rules_ess.ts

@@ -34,7 +34,7 @@ export default ({ getService }: FtrProviderContext) => {
   const supertest = getService('supertest');
   const log = getService('log');
   const es = getService('es');
-  // TODO: add a new service
+  // TODO: add a new service for pulling kibana username, similar to getService('es')
   const config = getService('config');
   const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username');
 

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/telemetry/configs/ess.config.ts

@@ -16,7 +16,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     ...functionalConfig.getAll(),
     testFiles: [require.resolve('..')],
     junit: {
-      reportName: 'Detection Engine API Integration Tests - ESS - Telemetry',
+      reportName: 'Detection Engine - Telemetry Integration Tests - ESS Env - Trial License',
     },
   };
 }

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/telemetry/configs/serverless.config.ts

@@ -10,7 +10,8 @@ import { createTestConfig } from '../../../../../config/serverless/config.base';
 export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
-    reportName: 'Detection Engine API Integration Tests - Serverless - Telemetry',
+    reportName:
+      'Detection Engine - Telemetry Integration Tests - Serverless Env - Complete License',
   },
   kbnTestServerArgs: [
     `--xpack.securitySolution.enableExperimental=${JSON.stringify(['previewTelemetryUrlEnabled'])}`,

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/user_roles/configs/ess.config.ts

@@ -16,7 +16,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     ...functionalConfig.getAll(),
     testFiles: [require.resolve('..')],
     junit: {
-      reportName: 'Detection Engine ESS - User roles API Integration Tests',
+      reportName: 'Detection Engine - User Roles Integration Tests - ESS Env - Trial License',
     },
   };
 }

x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/user_roles/configs/serverless.config.ts

@@ -10,6 +10,7 @@ import { createTestConfig } from '../../../../../config/serverless/config.base';
 export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
-    reportName: 'Detection Engine Serverless - User roles API Integration Tests',
+    reportName:
+      'Detection Engine - User Roles Integration Tests - Serverless Env - Complete License',
   },
 });

x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/check_investigation_field_in_so.ts

@@ -0,0 +1,38 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { Client } from '@elastic/elasticsearch';
+import { SavedObjectReference } from '@kbn/core/server';
+import { InvestigationFields } from '@kbn/security-solution-plugin/common/api/detection_engine';
+import { Rule } from '@kbn/alerting-plugin/common';
+import { BaseRuleParams } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_schema';
+import { isEqual } from 'lodash/fp';
+import { getRuleSOById } from './get_rule_so_by_id';
+
+interface RuleSO {
+  alert: Rule<BaseRuleParams>;
+  references: SavedObjectReference[];
+}
+
+export const checkInvestigationFieldSoValue = async (
+  ruleSO: RuleSO | undefined,
+  expectedSoValue: undefined | InvestigationFields,
+  es?: Client,
+  ruleId?: string
+): Promise<boolean> => {
+  if (!ruleSO && es && ruleId) {
+    const {
+      hits: {
+        hits: [{ _source: rule }],
+      },
+    } = await getRuleSOById(es, ruleId);
+
+    return isEqual(rule?.alert.params.investigationFields, expectedSoValue);
+  }
+
+  return isEqual(ruleSO?.alert.params.investigationFields, expectedSoValue);
+};

x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/index.ts

@@ -10,6 +10,7 @@ export * from './create_rule_with_exception_entries';
 export * from './create_rule_saved_object';
 export * from './create_rule_with_auth';
 export * from './create_non_security_rule';
+export * from './check_investigation_field_in_so';
 export * from './downgrade_immutable_rule';
 export * from './delete_all_rules';
 export * from './delete_rule';

x-pack/test/security_solution_api_integration/test_suites/entity_analytics/default_license/risk_engine/configs/ess.config.ts

@@ -24,7 +24,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     },
     testFiles: [require.resolve('..')],
     junit: {
-      reportName: 'Entity Analytics API Integration Tests -  ESS - Risk Engine',
+      reportName: 'Entity Analytics - Risk Engine Integration Tests - ESS Env - Trial License',
     },
   };
 }

x-pack/test/security_solution_api_integration/test_suites/entity_analytics/default_license/risk_engine/configs/serverless.config.ts

@@ -15,6 +15,7 @@ export default createTestConfig({
   ],
   testFiles: [require.resolve('..')],
   junit: {
-    reportName: 'Entity Analytics API Integration Tests -  Serverless - Risk Engine',
+    reportName:
+      'Entity Analytics - Risk Engine Integration Tests - Serverless Env - Complete License',
   },
 });

x-pack/test/security_solution_api_integration/test_suites/lists_and_exception_lists/default_license/exception_lists_items/configs/ess.config.ts

@@ -16,7 +16,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     ...functionalConfig.getAll(),
     testFiles: [require.resolve('..')],
     junit: {
-      reportName: 'Detection Engine ESS - Execption Lists and Items Integration Tests APIS',
+      reportName: 'Detection Engine - Exception Lists Integration Tests - ESS Env - Trial License',
     },
   };
 }

x-pack/test/security_solution_api_integration/test_suites/lists_and_exception_lists/default_license/exception_lists_items/configs/serverless.config.ts

@@ -10,6 +10,7 @@ import { createTestConfig } from '../../../../../config/serverless/config.base';
 export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
-    reportName: 'Detection Engine Serverless - Execption Lists and Items Integration Tests APIS',
+    reportName:
+      'Detection Engine - Exception Lists Integration Tests - Serverless Env - Complete License',
   },
 });

x-pack/test/security_solution_api_integration/test_suites/lists_and_exception_lists/default_license/lists_items/configs/ess.config.ts

@@ -16,7 +16,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
     ...functionalConfig.getAll(),
     testFiles: [require.resolve('..')],
     junit: {
-      reportName: 'Detection Engine ESS - Lists and Items Integration Tests APIS',
+      reportName: 'Detection Engine - Value Lists Integration Tests - ESS Env - Trial License',
     },
   };
 }

x-pack/test/security_solution_api_integration/test_suites/lists_and_exception_lists/default_license/lists_items/configs/serverless.config.ts

@@ -10,6 +10,7 @@ import { createTestConfig } from '../../../../../config/serverless/config.base';
 export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
-    reportName: 'Detection Engine Serverless - Lists and Items Integration Tests APIS',
+    reportName:
+      'Detection Engine - Value Lists Integration Tests - Serverless Env - Complete License',
   },
 });