[Security Solution][Detection engine] fix deduplication ES|QL test (#170772)

## Summary - fixes https://github.com/elastic/security-team/issues/7928 by changing test to use real rule executions and explicitly refreshing alerts index between the runs --------- Co-authored-by: Ievgen Sorokopud <e40pud@gmail.com>
2025-04-24 01:38:56 -04:00 · 2023-11-14 13:07:20 +00:00 · 2023-11-14 13:07:20 +00:00 · e4a039b70a
commit e4a039b70a
parent 5c5cd0532a
1 changed files with 48 additions and 16 deletions
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/esql.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/esql.ts
@ -11,6 +11,7 @@ import { orderBy } from 'lodash';

 import { EsqlRuleCreateProps } from '@kbn/security-solution-plugin/common/api/detection_engine/model/rule_schema';
 import { getCreateEsqlRulesSchemaMock } from '@kbn/security-solution-plugin/common/api/detection_engine/model/rule_schema/mocks';
+import { RuleExecutionStatusEnum } from '@kbn/security-solution-plugin/common/api/detection_engine/rule_monitoring';

 import { getMaxSignalsWarning } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/utils/utils';
 import {
@ -26,6 +27,7 @@ import { previewRuleWithExceptionEntries } from '../../utils/preview_rule_with_e
 import { deleteAllExceptions } from '../../../lists_api_integration/utils';
 import { dataGeneratorFactory } from '../../utils/data_generator';
 import { removeRandomValuedProperties } from './utils';
+import { patchRule } from '../../utils/patch_rule';

 // eslint-disable-next-line import/no-default-export
 export default ({ getService }: FtrProviderContext) => {
@ -710,18 +712,22 @@ export default ({ getService }: FtrProviderContext) => {
        expect(previewAlerts.length).toBe(150);
      });

-      // as per https://github.com/elastic/kibana/pull/170034, test is failing on CI and flaky locally
-      // skipping it for now for further investigation
-      it.skip('should generate alerts when docs overlap execution intervals and alerts number reached max_signals in one of the executions', async () => {
+      // we use actual rule executions, not preview, because for preview API alerts index refresh=false for non suppressed alerts
+      // first rule execution catches 130 documents and generates 100 alerts
+      // second rule execution catches 150 docs, 120 of which were captured during the first execution and generates only 60 alerts. Because rest are deduplicated
+      // so in total 160 alerts should be generated
+      it('should generate alerts when docs overlap execution intervals and alerts number reached max_signals in one of the real executions', async () => {
        const id = uuidv4();
        const rule: EsqlRuleCreateProps = {
-          ...getCreateEsqlRulesSchemaMock('rule-1', true),
+          ...getCreateEsqlRulesSchemaMock(`rule-${id}`, true),
          query: `from ecs_compliant [metadata _id] ${internalIdPipe(
            id
          )} | keep _id, agent.name | sort agent.name`,
-          from: 'now-45m',
-          interval: '30m',
+          from: '2020-10-28T05:15:00.000Z',
+          to: '2020-10-28T06:00:00.000Z',
+          interval: '45m',
          max_signals: 100,
+          enabled: true,
        };

        // docs fall in first rule executions
@ -772,20 +778,46 @@ export default ({ getService }: FtrProviderContext) => {
          }),
        });

-        const { previewId } = await previewRule({
+        const createdRule = await createRule(supertest, log, rule);
+
+        // first rule run should generate 100 alerts from first 3 batches of index documents
+        const alertsResponseFromFirstRuleExecution = await getOpenAlerts(
          supertest,
-          rule,
-          timeframeEnd: new Date('2020-10-28T06:30:00.000Z'),
-          invocationCount: 2,
-        });
-        const previewAlerts = await getPreviewAlerts({
+          log,
          es,
-          previewId,
-          size: 200,
+          createdRule,
+          // rule has warning, alerts were truncated, thus "partial failure" status
+          RuleExecutionStatusEnum['partial failure'],
+          200
+        );
+
+        // should return 100 alerts
+        expect(alertsResponseFromFirstRuleExecution.hits.hits.length).toBe(100);
+
+        // re-trigger rule execution with new interval
+        await patchRule(supertest, log, {
+          id: createdRule.id,
+          enabled: false,
+        });
+        await patchRule(supertest, log, {
+          id: createdRule.id,
+          from: '2020-10-28T05:45:00.000Z',
+          to: '2020-10-28T06:30:00.000Z',
+          enabled: true,
        });

-        // should generate 160 alerts
-        expect(previewAlerts.length).toBe(160);
+        const alertsResponse = await getOpenAlerts(
+          supertest,
+          log,
+          es,
+          createdRule,
+          RuleExecutionStatusEnum.succeeded,
+          200,
+          new Date()
+        );
+
+        // should return 160 alerts
+        expect(alertsResponse.hits.hits.length).toBe(160);
      });
    });