[Security Solution][Detection Engine] adds support of identical ids across multiple indices during ES|QL rule pagination requests#219278
…ase of alerts deduplication
…ion in case of alerts deduplication" This reverts commit 28cfab6.
…b.com/vitaliidm/kibana into de_9_1/esql_deduplication_enhancement
…b.com/vitaliidm/kibana into de_9_1/esql_deduplication_enhancement
…cross multiple indices during ES|QL rule pagination requests
Flaky Test Runner Stats: 🟠 Some tests failed. - kibana-flaky-test-suite-runner#8503 [❌] x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/configs/ess.config.ts: 173/200 tests passed.
Flaky Test Runner Stats: 🎉 All tests passed! - kibana-flaky-test-suite-runner#8507 [✅] x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/configs/ess.config.ts: 200/200 tests passed.
…idm/kibana into de_9_1/esql_identical_ids
…idm/kibana into de_9_1/esql_identical_ids
Flaky Test Runner Stats: 🟠 Some tests failed. - kibana-flaky-test-suite-runner#8511 [❌] x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/configs/ess.config.ts: 174/200 tests passed.
Pinging @elastic/security-detection-engine (Team:Detection Engine)
💚 Build Succeeded
cc @vitaliidm
Friendly reminder: Looks like this PR hasn't been backported yet.
…cross multiple indices during ES|QL rule pagination requests (elastic#219278)

## Summary

- addresses elastic#216891
- follow up to elastic#217069
- accounts for index when excluding ids from subsequent pagination requests. It will prevent situations where identical event ids are present in multiple indices and get excluded when encountered the first time in one of the indices
- changes state from `excludedDocuments?: ExcludedDocument[];` to `excludedDocuments?: Record<string, ExcludedDocument[]>;` to store information about the index, where the key is the document index

### Setup

<details>
<summary> Setup 2 indices with identical document ids </summary>

```JSON
PUT close_alerts_1
PUT close_alerts_1/_mapping
{
  "properties": {
    "@timestamp": { "type": "date" },
    "agent": { "properties": { "name": { "type": "keyword" } } },
    "source": { "properties": { "ip": { "type": "ip" } } },
    "destination": {
      "properties": {
        "ip": { "type": "ip" },
        "port": { "type": "keyword" }
      }
    }
  }
}

PUT close_alerts_2
PUT close_alerts_2/_mapping
{
  "properties": {
    "@timestamp": { "type": "date" },
    "agent": { "properties": { "name": { "type": "keyword" } } },
    "source": { "properties": { "ip": { "type": "ip" } } },
    "destination": {
      "properties": {
        "ip": { "type": "ip" },
        "port": { "type": "keyword" }
      }
    }
  }
}

POST close_alerts_1/_doc/CFnnxZcBgU3wmL9Lp7xG
{
  "@timestamp": "2025-07-01T09:26:30.425Z",
  "source.ip": "127.0.0.1",
  "destination.ip": "127.0.0.1",
  "destination.port": 1,
  "agent.name": "test-0"
}

POST close_alerts_2/_doc/CFnnxZcBgU3wmL9Lp7xG
{
  "@timestamp": "2025-07-01T09:26:30.425Z",
  "source.ip": "127.0.0.1",
  "destination.ip": "127.0.0.1",
  "destination.port": 1,
  "agent.name": "test-0"
}
```

</details>

Exported rule [Test rule](https://github.com/user-attachments/files/20998493/rules_export_identical_ids_pr.ndjson.zip)

### query before

```JSON
POST _query/async?drop_null_columns=true&allow_partial_results=true
{
  "query": "from close_alerts* METADATA _id, _index | limit 101",
  "filter": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "lte": "2025-07-01T12:26:45.110Z",
              "gte": "2025-06-30T11:56:45.110Z",
              "format": "strict_date_optional_time"
            }
          }
        },
        { "bool": { "must": [], "filter": [], "should": [], "must_not": [] } }
      ],
      "must_not": { "ids": { "values": [ "CFnnxZcBgU3wmL9Lp7xG" ] } }
    }
  },
  "wait_for_completion_timeout": "4m",
  "keep_alive": "60s"
}
```

### query after

```JSON
POST _query/async?drop_null_columns=true&allow_partial_results=true
{
  "query": "from close_alerts* METADATA _id, _index | limit 101",
  "filter": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "lte": "2025-07-01T12:27:57.472Z",
              "gte": "2025-06-30T11:57:57.472Z",
              "format": "strict_date_optional_time"
            }
          }
        },
        { "bool": { "must": [], "filter": [], "should": [], "must_not": [] } }
      ],
      "must_not": [
        {
          "bool": {
            "filter": [
              { "ids": { "values": [ "CFnnxZcBgU3wmL9Lp7xG" ] } },
              { "term": { "_index": "close_alerts_1" } }
            ]
          }
        },
        {
          "bool": {
            "filter": [
              { "ids": { "values": [ "CFnnxZcBgU3wmL9Lp7xG" ] } },
              { "term": { "_index": "close_alerts_2" } }
            ]
          }
        }
      ]
    }
  },
  "wait_for_completion_timeout": "4m",
  "keep_alive": "60s"
}
```
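An added illustration, not the PR's own code, of the per-index exclusion state the description refers to: the state is keyed by `_index`, so an id seen in `close_alerts_1` no longer excludes the identical id in `close_alerts_2`, and each index gets its own `ids` + `term` clause in `must_not`. The `ExcludedDocument` shape (`{ id }`) and the helper names are assumptions for this example.

```typescript
// Added example, not Kibana's code. Assumed shape of a stored state entry.
interface ExcludedDocument {
  id: string;
}

// Per-index map of already-seen documents, keyed by the document's _index
// (the shape the PR description moves the rule state to).
type ExcludedDocumentsByIndex = Record<string, ExcludedDocument[]>;

interface Hit {
  _id: string;
  _index: string;
}

type QueryDslClause = Record<string, unknown>;

// Records the documents returned by the current page, grouped by their _index.
function addExcludedDocuments(excluded: ExcludedDocumentsByIndex, hits: Hit[]): ExcludedDocumentsByIndex {
  const next: ExcludedDocumentsByIndex = { ...excluded };
  for (const hit of hits) {
    next[hit._index] = [...(next[hit._index] ?? []), { id: hit._id }];
  }
  return next;
}

// Builds the `must_not` clauses for the next pagination request: one clause
// per index, (ids in [...]) AND (_index == index), matching the "query after"
// shape above. The old array-of-ids state produced a single `ids` clause that
// dropped the document from every index at once.
function buildMustNotClauses(excluded: ExcludedDocumentsByIndex): QueryDslClause[] {
  return Object.entries(excluded)
    .filter(([, docs]) => docs.length > 0)
    .map(([index, docs]) => ({
      bool: {
        filter: [{ ids: { values: docs.map((d) => d.id) } }, { term: { _index: index } }],
      },
    }));
}

// Mirrors what the clauses above do server-side: a hit is excluded only if its
// id was already seen in the same index.
function isExcluded(excluded: ExcludedDocumentsByIndex, hit: Hit): boolean {
  return (excluded[hit._index] ?? []).some((d) => d.id === hit._id);
}
```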