[8.16] [Security Solution][Detection Engine] fixes ES|QL data tier filter from adv settings (#196390) (#196698)

# Backport

This will backport the following commits from `main` to `8.16`:
- [[Security Solution][Detection Engine] fixes ES|QL data tier filter
from adv settings
(#196390)](https://github.com/elastic/kibana/pull/196390)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Vitalii
Dmyterko","email":"92328789+vitaliidm@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-10-17T13:28:14Z","message":"[Security
Solution][Detection Engine] fixes ES|QL data tier filter from adv
settings (#196390)\n\n## Summary\r\n\r\n- fixes absent data tier filter
for ES|QL rule\r\n- followup to
https://github.com/elastic/kibana/pull/186908\r\n\r\n###
Demo\r\n\r\n\r\nhttps://github.com/user-attachments/assets/a6f1290f-ea77-43bf-8def-42712ca5d1b0\r\n\r\n\r\n\r\n###
How to test\r\n\r\nCreate a deployment with cold and frozen data tiers
and use following\r\ncommands to create index and
ILM\r\n\r\n\r\n<details>\r\n<summary>Data tiers
commands</summary>\r\n\r\n```JSON\r\n\r\nPUT /_cluster/settings\r\n{\r\n
\"persistent\": {\r\n \"indices.lifecycle.poll_interval\": \"1m\"\r\n
}\r\n}\r\n\r\n\r\nPUT /_ilm/policy/filtering_data_tiers\r\n{\r\n
\"policy\": {\r\n \"phases\": {\r\n \"frozen\": {\r\n \"min_age\":
\"10m\",\r\n \"actions\": {\r\n \"searchable_snapshot\": {\r\n
\"snapshot_repository\": \"found-snapshots\",\r\n \"force_merge_index\":
true\r\n }\r\n }\r\n },\r\n \"cold\": {\r\n \"min_age\": \"1m\",\r\n
\"actions\": {\r\n \"searchable_snapshot\": {\r\n
\"snapshot_repository\": \"found-snapshots\",\r\n \"force_merge_index\":
true\r\n },\r\n \"set_priority\": {\r\n \"priority\": 0\r\n }\r\n }\r\n
},\r\n \"hot\": {\r\n \"min_age\": \"0ms\",\r\n \"actions\": {\r\n
\"set_priority\": {\r\n \"priority\": 100\r\n }\r\n }\r\n }\r\n }\r\n
}\r\n}\r\n\r\n\r\nPUT
/_index_template/filtering_data_tiers_template\r\n{\r\n
\"index_patterns\": [\r\n \"filtering_data_tiers*\"\r\n ],\r\n
\"template\": {\r\n \"settings\": {\r\n \"index.lifecycle.name\":
\"filtering_data_tiers\",\r\n \"index.lifecycle.rollover_alias\":
\"test-filtering_data_tiers\"\r\n },\r\n \"mappings\": {\r\n \"_meta\":
{\r\n \"version\": \"1.6.0\"\r\n },\r\n \"properties\": {\r\n
\"@timestamp\": {\r\n \"type\": \"date\"\r\n },\r\n \"host\": {\r\n
\"properties\": {\r\n \"name\": {\r\n \"type\": \"keyword\",\r\n
\"ignore_above\": 1024\r\n }\r\n }\r\n }\r\n }\r\n }\r\n
}\r\n}\r\n\r\nPUT /filtering_data_tiers-000001\r\n{\r\n \"aliases\":
{\r\n \"filtering_data_tiers\": {\r\n \"is_write_index\": true\r\n }\r\n
}\r\n}\r\n\r\n\r\nPOST filtering_data_tiers/_doc\r\n{\r\n
\"@timestamp\": \"2024-07-08T17:00:01.000Z\",\r\n \"host.name\":
\"test-0\"\r\n}\r\n\r\n\r\n```\r\n\r\n</details>","sha":"c79f0ae78633c81beebd3f95735326cc872be7f6","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Detections
and Resp","Team: SecuritySolution","backport:prev-minor","Team:Detection
Engine","v8.16.0"],"title":"[Security Solution][Detection Engine] fixes
ES|QL data tier filter from adv
settings","number":196390,"url":"https://github.com/elastic/kibana/pull/196390","mergeCommit":{"message":"[Security
Solution][Detection Engine] fixes ES|QL data tier filter from adv
settings (#196390)\n\n## Summary\r\n\r\n- fixes absent data tier filter
for ES|QL rule\r\n- followup to
https://github.com/elastic/kibana/pull/186908\r\n\r\n###
Demo\r\n\r\n\r\nhttps://github.com/user-attachments/assets/a6f1290f-ea77-43bf-8def-42712ca5d1b0\r\n\r\n\r\n\r\n###
How to test\r\n\r\nCreate a deployment with cold and frozen data tiers
and use following\r\ncommands to create index and
ILM\r\n\r\n\r\n<details>\r\n<summary>Data tiers
commands</summary>\r\n\r\n```JSON\r\n\r\nPUT /_cluster/settings\r\n{\r\n
\"persistent\": {\r\n \"indices.lifecycle.poll_interval\": \"1m\"\r\n
}\r\n}\r\n\r\n\r\nPUT /_ilm/policy/filtering_data_tiers\r\n{\r\n
\"policy\": {\r\n \"phases\": {\r\n \"frozen\": {\r\n \"min_age\":
\"10m\",\r\n \"actions\": {\r\n \"searchable_snapshot\": {\r\n
\"snapshot_repository\": \"found-snapshots\",\r\n \"force_merge_index\":
true\r\n }\r\n }\r\n },\r\n \"cold\": {\r\n \"min_age\": \"1m\",\r\n
\"actions\": {\r\n \"searchable_snapshot\": {\r\n
\"snapshot_repository\": \"found-snapshots\",\r\n \"force_merge_index\":
true\r\n },\r\n \"set_priority\": {\r\n \"priority\": 0\r\n }\r\n }\r\n
},\r\n \"hot\": {\r\n \"min_age\": \"0ms\",\r\n \"actions\": {\r\n
\"set_priority\": {\r\n \"priority\": 100\r\n }\r\n }\r\n }\r\n }\r\n
}\r\n}\r\n\r\n\r\nPUT
/_index_template/filtering_data_tiers_template\r\n{\r\n
\"index_patterns\": [\r\n \"filtering_data_tiers*\"\r\n ],\r\n
\"template\": {\r\n \"settings\": {\r\n \"index.lifecycle.name\":
\"filtering_data_tiers\",\r\n \"index.lifecycle.rollover_alias\":
\"test-filtering_data_tiers\"\r\n },\r\n \"mappings\": {\r\n \"_meta\":
{\r\n \"version\": \"1.6.0\"\r\n },\r\n \"properties\": {\r\n
\"@timestamp\": {\r\n \"type\": \"date\"\r\n },\r\n \"host\": {\r\n
\"properties\": {\r\n \"name\": {\r\n \"type\": \"keyword\",\r\n
\"ignore_above\": 1024\r\n }\r\n }\r\n }\r\n }\r\n }\r\n
}\r\n}\r\n\r\nPUT /filtering_data_tiers-000001\r\n{\r\n \"aliases\":
{\r\n \"filtering_data_tiers\": {\r\n \"is_write_index\": true\r\n }\r\n
}\r\n}\r\n\r\n\r\nPOST filtering_data_tiers/_doc\r\n{\r\n
\"@timestamp\": \"2024-07-08T17:00:01.000Z\",\r\n \"host.name\":
\"test-0\"\r\n}\r\n\r\n\r\n```\r\n\r\n</details>","sha":"c79f0ae78633c81beebd3f95735326cc872be7f6"}},"sourceBranch":"main","suggestedTargetBranches":["8.16"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/196390","number":196390,"mergeCommit":{"message":"[Security
Solution][Detection Engine] fixes ES|QL data tier filter from adv
settings (#196390)\n\n## Summary\r\n\r\n- fixes absent data tier filter
for ES|QL rule\r\n- followup to
https://github.com/elastic/kibana/pull/186908\r\n\r\n###
Demo\r\n\r\n\r\nhttps://github.com/user-attachments/assets/a6f1290f-ea77-43bf-8def-42712ca5d1b0\r\n\r\n\r\n\r\n###
How to test\r\n\r\nCreate a deployment with cold and frozen data tiers
and use following\r\ncommands to create index and
ILM\r\n\r\n\r\n<details>\r\n<summary>Data tiers
commands</summary>\r\n\r\n```JSON\r\n\r\nPUT /_cluster/settings\r\n{\r\n
\"persistent\": {\r\n \"indices.lifecycle.poll_interval\": \"1m\"\r\n
}\r\n}\r\n\r\n\r\nPUT /_ilm/policy/filtering_data_tiers\r\n{\r\n
\"policy\": {\r\n \"phases\": {\r\n \"frozen\": {\r\n \"min_age\":
\"10m\",\r\n \"actions\": {\r\n \"searchable_snapshot\": {\r\n
\"snapshot_repository\": \"found-snapshots\",\r\n \"force_merge_index\":
true\r\n }\r\n }\r\n },\r\n \"cold\": {\r\n \"min_age\": \"1m\",\r\n
\"actions\": {\r\n \"searchable_snapshot\": {\r\n
\"snapshot_repository\": \"found-snapshots\",\r\n \"force_merge_index\":
true\r\n },\r\n \"set_priority\": {\r\n \"priority\": 0\r\n }\r\n }\r\n
},\r\n \"hot\": {\r\n \"min_age\": \"0ms\",\r\n \"actions\": {\r\n
\"set_priority\": {\r\n \"priority\": 100\r\n }\r\n }\r\n }\r\n }\r\n
}\r\n}\r\n\r\n\r\nPUT
/_index_template/filtering_data_tiers_template\r\n{\r\n
\"index_patterns\": [\r\n \"filtering_data_tiers*\"\r\n ],\r\n
\"template\": {\r\n \"settings\": {\r\n \"index.lifecycle.name\":
\"filtering_data_tiers\",\r\n \"index.lifecycle.rollover_alias\":
\"test-filtering_data_tiers\"\r\n },\r\n \"mappings\": {\r\n \"_meta\":
{\r\n \"version\": \"1.6.0\"\r\n },\r\n \"properties\": {\r\n
\"@timestamp\": {\r\n \"type\": \"date\"\r\n },\r\n \"host\": {\r\n
\"properties\": {\r\n \"name\": {\r\n \"type\": \"keyword\",\r\n
\"ignore_above\": 1024\r\n }\r\n }\r\n }\r\n }\r\n }\r\n
}\r\n}\r\n\r\nPUT /filtering_data_tiers-000001\r\n{\r\n \"aliases\":
{\r\n \"filtering_data_tiers\": {\r\n \"is_write_index\": true\r\n }\r\n
}\r\n}\r\n\r\n\r\nPOST filtering_data_tiers/_doc\r\n{\r\n
\"@timestamp\": \"2024-07-08T17:00:01.000Z\",\r\n \"host.name\":
\"test-0\"\r\n}\r\n\r\n\r\n```\r\n\r\n</details>","sha":"c79f0ae78633c81beebd3f95735326cc872be7f6"}},{"branch":"8.16","label":"v8.16.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com>

x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/esql/esql.ts

@@ -30,6 +30,7 @@ import { buildReasonMessageForEsqlAlert } from '../utils/reason_formatters';
 import type { RulePreviewLoggedRequest } from '../../../../../common/api/detection_engine/rule_preview/rule_preview.gen';
 import type { CreateRuleOptions, RunOpts, SignalSource } from '../types';
 import { logEsqlRequest } from '../utils/logged_requests';
+import { getDataTierFilter } from '../utils/get_data_tier_filter';
 import * as i18n from '../translations';
 
 import {
@@ -90,6 +91,10 @@ export const esqlExecutor = async ({
   return withSecuritySpan('esqlExecutor', async () => {
     const result = createSearchAfterReturnType();
     let size = tuple.maxSignals;
+    const dataTiersFilters = await getDataTierFilter({
+      uiSettingsClient: services.uiSettingsClient,
+    });
+
     try {
       while (
         result.createdSignalsCount <= tuple.maxSignals &&
@@ -100,7 +105,7 @@ export const esqlExecutor = async ({
           from: tuple.from.toISOString(),
           to: tuple.to.toISOString(),
           size,
-          filters: [],
+          filters: dataTiersFilters,
           primaryTimestamp,
           secondaryTimestamp,
           exceptionFilter,

x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/execution_logic/esql.ts

@@ -14,6 +14,7 @@ import { getCreateEsqlRulesSchemaMock } from '@kbn/security-solution-plugin/comm
 import { RuleExecutionStatusEnum } from '@kbn/security-solution-plugin/common/api/detection_engine/rule_monitoring';
 
 import { getMaxSignalsWarning as getMaxAlertsWarning } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/utils/utils';
+import { EXCLUDED_DATA_TIERS_FOR_RULE_EXECUTION } from '@kbn/security-solution-plugin/common/constants';
 import {
   getPreviewAlerts,
   previewRule,
@@ -25,6 +26,7 @@ import {
   scheduleRuleRun,
   stopAllManualRuns,
   waitForBackfillExecuted,
+  setAdvancedSettings,
 } from '../../../../utils';
 import {
   deleteAllRules,
@@ -1428,6 +1430,12 @@ export default ({ getService }: FtrProviderContext) => {
         await indexEnhancedDocuments({ documents: [doc1], interval, id });
       });
 
+      afterEach(async () => {
+        await setAdvancedSettings(supertest, {
+          [EXCLUDED_DATA_TIERS_FOR_RULE_EXECUTION]: [],
+        });
+      });
+
       it('should not return requests property when not enabled', async () => {
         const { logs } = await previewRule({
           supertest,
@@ -1463,6 +1471,35 @@ export default ({ getService }: FtrProviderContext) => {
           'POST /ecs_compliant/_search?ignore_unavailable=true'
         );
       });
+      it('should not return requests with any data tier filter', async () => {
+        const { logs } = await previewRule({
+          supertest,
+          rule,
+          timeframeEnd: new Date('2020-10-28T06:30:00.000Z'),
+          enableLoggedRequests: true,
+        });
+
+        const requests = logs[0].requests;
+
+        expect(requests![0].request).not.toContain('data_frozen');
+      });
+      it('should return requests with included data tiers filters from advanced settings', async () => {
+        await setAdvancedSettings(supertest, {
+          [EXCLUDED_DATA_TIERS_FOR_RULE_EXECUTION]: ['data_frozen'],
+        });
+        const { logs } = await previewRule({
+          supertest,
+          rule,
+          timeframeEnd: new Date('2020-10-28T06:30:00.000Z'),
+          enableLoggedRequests: true,
+        });
+
+        const requests = logs[0].requests;
+
+        expect(requests![0].request).toMatch(
+          /"must_not":\s*\[\s*{\s*"terms":\s*{\s*"_tier":\s*\[\s*"data_frozen"\s*\]/
+        );
+      });
     });
   });
 };

x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/index.ts

@@ -24,3 +24,4 @@ export * from './get_stats';
 export * from './get_detection_metrics_from_body';
 export * from './get_stats_url';
 export * from './combine_to_ndjson';
+export * from './set_advanced_settings';

x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/set_advanced_settings.ts

@@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import {
+  ELASTIC_HTTP_VERSION_HEADER,
+  X_ELASTIC_INTERNAL_ORIGIN_REQUEST,
+} from '@kbn/core-http-common';
+
+import type SuperTest from 'supertest';
+
+export const setAdvancedSettings = async (
+  supertest: SuperTest.Agent,
+  settings: Record<string, string[] | string | number | boolean>
+) => {
+  return supertest
+    .post('/internal/kibana/settings')
+    .set('kbn-xsrf', 'true')
+    .set(ELASTIC_HTTP_VERSION_HEADER, '1')
+    .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
+    .send({ changes: settings })
+    .expect(200);
+};