elastic · nikitaindik · Jul 5, 2025 · Jul 2, 2025
@@ -59,12 +59,11 @@ enabled:
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_update/basic_license_essentials_tier/configs/ess.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/common/configs/ess_basic_license.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/common/configs/ess_air_gapped.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/common/configs/ess_air_gapped_large_package.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/customization_disabled/configs/ess_basic_license.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/customization_enabled/configs/ess.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/customization_enabled/upgrade_prebuilt_rules/diffable_rule_fields/common_fields/configs/ess.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/customization_enabled/upgrade_prebuilt_rules/diffable_rule_fields/type_specific_fields/configs/ess.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/customization_enabled/prebuilt_rules_package/air_gapped/configs/ess_air_gapped_large_package.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/customization_enabled/prebuilt_rules_package/air_gapped/configs/ess_air_gapped.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/ml_disabled/configs/ess_basic_license.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_bulk_actions/trial_license_complete_tier/configs/ess.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_delete/trial_license_complete_tier/configs/ess.config.ts

@@ -10,7 +10,7 @@ import path from 'path';
 
 const SECURITY_DETECTION_ENGINE_PACKAGES_PATH = path.join(
   path.dirname(__filename),
-  '../import/fixtures/packages'
+  '../fixtures/packages'
 );
 
 export default async function ({ readConfigFile }: FtrConfigProviderContext) {
@@ -20,7 +20,10 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
 
   return {
     ...functionalConfig.getAll(),
-    testFiles: [require.resolve('../import/import_with_installing_package')],
+    testFiles: [
+      require.resolve('../import/import_with_installing_package'),
+      require.resolve('../prebuilt_rules_package/air_gapped'),
+    ],
     kbnTestServer: {
       ...functionalConfig.get('kbnTestServer'),
       serverArgs: [

@@ -10,15 +10,19 @@ import path from 'path';
 
 export const BUNDLED_PACKAGE_DIR = path.join(
   path.dirname(__filename),
-  './../fixtures/packages/large'
+  '../fixtures/packages/large'
 );
 
 export default async function ({ readConfigFile }: FtrConfigProviderContext) {
-  const functionalConfig = await readConfigFile(require.resolve('../../../configs/ess.config'));
+  const functionalConfig = await readConfigFile(
+    require.resolve('../../../../../../config/ess/config.base.basic')
+  );
 
   return {
     ...functionalConfig.getAll(),
-    testFiles: [require.resolve('../install_large_bundled_package')],
+    testFiles: [
+      require.resolve('../prebuilt_rules_package/air_gapped/install_large_bundled_package'),
+    ],
     kbnTestServer: {
       ...functionalConfig.get('kbnTestServer'),
       serverArgs: [

@@ -32,8 +32,8 @@ export default ({ getService }: FtrProviderContext): void => {
     rule_id: PREBUILT_RULE_ID_A,
     version: 3,
     type: 'query',
-    name: 'Mock rule A from mock 90.0.0 package',
-    description: 'Mock rule A from mock 90.0.0 package',
+    name: 'Mock rule A from mock 99.0.0 package',
+    description: 'Mock rule A from mock 99.0.0 package',
     risk_score: 47,
     severity: 'medium',
     from: 'now-30m',
@@ -53,7 +53,7 @@ export default ({ getService }: FtrProviderContext): void => {
     rule_id: PREBUILT_RULE_ID_B,
     version: 3,
     type: 'eql',
-    name: 'Mock rule B from mock 90.0.0 package',
+    name: 'Mock rule B from mock 99.0.0 package',
     description: 'Custom description',
     tags: ['custom-tag'],
     risk_score: 47,
@@ -252,7 +252,7 @@ async function installMockPrebuiltRulesPackageWithTestRules(
   supertest: SuperTest.Agent
 ): Promise<void> {
   const buffer = fs.readFileSync(
-    path.join(path.dirname(__filename), './fixtures/packages/security_detection_engine-90.0.0.zip')
+    path.join(path.dirname(__filename), '../fixtures/packages/security_detection_engine-99.0.0.zip')
   );
   const response = await supertest
     .post('/api/fleet/epm/packages')
@@ -270,7 +270,7 @@ async function installMockPrebuiltRulesPackageWithTestRules(
 
 function deleteMockPrebuiltRulesPackage(supertest: SuperTest.Agent): SuperTest.Test {
   return supertest
-    .delete('/api/fleet/epm/packages/security_detection_engine/90.0.0')
+    .delete('/api/fleet/epm/packages/security_detection_engine/99.0.0')
     .set('kbn-xsrf', 'xxxx')
     .set('elastic-api-version', '2023-10-31')
     .send();

@@ -11,5 +11,7 @@ export default ({ loadTestFile }: FtrProviderContext): void => {
   describe('Rules Management - Prebuilt Rules (Common tests)', function () {
     this.tags('skipFIPS');
     loadTestFile(require.resolve('./import'));
+    loadTestFile(require.resolve('./install_prebuilt_rules'));
+    loadTestFile(require.resolve('./status'));
   });
 };
@@ -18,7 +18,6 @@ import {
   getPrebuiltRulesStatus,
   installPrebuiltRules,
   getInstalledRules,
-  getWebHookAction,
 } from '../../../../utils';
 import { deleteAllRules, deleteRule } from '../../../../../../../common/utils/security_solution';
 
@@ -204,21 +203,16 @@ export default ({ getService }: FtrProviderContext): void => {
         ]);
         await installPrebuiltRulesAndTimelines(es, supertest);
 
-        const { body: hookAction } = await supertest
-          .post('/api/actions/connector')
-          .set('kbn-xsrf', 'true')
-          .send(getWebHookAction())
-          .expect(200);
-
         await securitySolutionApi
           .patchRule({
             body: {
               rule_id: 'rule-1',
               actions: [
+                // use a pre-configured connector
                 {
                   group: 'default',
-                  id: hookAction.id,
-                  action_type_id: hookAction.connector_type_id,
+                  id: 'my-test-email',
+                  action_type_id: '.email',
                   params: {},
                 },
               ],
@@ -243,10 +237,10 @@ export default ({ getService }: FtrProviderContext): void => {
         // Check the actions field of existing prebuilt rules is not overwritten
         expect(prebuiltRule.actions).toEqual([
           expect.objectContaining({
-            action_type_id: hookAction.connector_type_id,
+            action_type_id: '.email',
             frequency: { notifyWhen: 'onActiveAlert', summary: true, throttle: null },
             group: 'default',
-            id: hookAction.id,
+            id: 'my-test-email',
             params: {},
           }),
         ]);

@@ -8,7 +8,8 @@
 import { FtrProviderContext } from '../../../../../../../ftr_provider_context';
 
 export default ({ loadTestFile }: FtrProviderContext): void => {
-  describe('Air-gapped environment with pre-bundled packages', () => {
+  describe('Air-gapped environment with pre-bundled packages', function () {
+    this.tags('skipFIPS');
     loadTestFile(require.resolve('./install_bundled_package'));
     loadTestFile(require.resolve('./prerelease_packages'));
   });

@@ -52,8 +52,13 @@ export default ({ getService }: FtrProviderContext): void => {
         retryService
       );
 
-      expect(fleetPackageInstallationResponse.items.length).toBe(1);
-      expect(fleetPackageInstallationResponse.items[0].id).toBe('rule_99.0.0'); // Name of the rule in package 99.0.0
+      expect(fleetPackageInstallationResponse.items.length).toBe(2);
+      expect(fleetPackageInstallationResponse.items).toEqual(
+        expect.arrayContaining([
+          expect.objectContaining({ id: 'test-prebuilt-rule-a' }),
+          expect.objectContaining({ id: 'test-prebuilt-rule-b' }),
+        ])
+      ); // Name of the rule in package 99.0.0
 
       // Get the installed package and check if the version is 99.0.0
       const prebuiltRulesFleetPackage = await getPrebuiltRulesFleetPackage(supertest);
@@ -63,23 +68,23 @@ export default ({ getService }: FtrProviderContext): void => {
       // Get status of our prebuilt rules (nothing should be instaled yet)
       const statusAfterPackageInstallation = await getPrebuiltRulesStatus(es, supertest);
       expect(statusAfterPackageInstallation.stats.num_prebuilt_rules_installed).toBe(0);
-      expect(statusAfterPackageInstallation.stats.num_prebuilt_rules_to_install).toBe(1); // 1 rule in package 99.0.0
+      expect(statusAfterPackageInstallation.stats.num_prebuilt_rules_to_install).toBe(2); // 1 rule in package 99.0.0
       expect(statusAfterPackageInstallation.stats.num_prebuilt_rules_to_upgrade).toBe(0);
 
       // Install prebuilt rules
       await installPrebuiltRules(es, supertest);
 
       // Verify that status is updated after package installation
       const statusAfterRulesInstallation = await getPrebuiltRulesStatus(es, supertest);
-      expect(statusAfterRulesInstallation.stats.num_prebuilt_rules_installed).toBe(1); // 1 rule in package 99.0.0
+      expect(statusAfterRulesInstallation.stats.num_prebuilt_rules_installed).toBe(2); // 1 rule in package 99.0.0
       expect(statusAfterRulesInstallation.stats.num_prebuilt_rules_to_install).toBe(0);
       expect(statusAfterRulesInstallation.stats.num_prebuilt_rules_to_upgrade).toBe(0);
 
       // Get installed rules
       const rulesResponse = await getInstalledRules(supertest);
 
       // Assert that installed rules are from package 99.0.0 and not from prerelease (beta) package
-      expect(rulesResponse.data.length).toBe(1);
+      expect(rulesResponse.data.length).toBe(2);
       expect(rulesResponse.data[0].name).not.toContain('beta');
       expect(rulesResponse.data[0].name).toContain('99.0.0');
     });

@@ -11,8 +11,6 @@ export default ({ loadTestFile }: FtrProviderContext): void => {
   describe('Rules Management - Prebuilt Rules (Customization Enabled)', function () {
     loadTestFile(require.resolve('./customization'));
     loadTestFile(require.resolve('./export'));
-    loadTestFile(require.resolve('./install_prebuilt_rules'));
-    loadTestFile(require.resolve('./status'));
     loadTestFile(require.resolve('./upgrade_prebuilt_rules'));
   });
 };