elastic · hop-dev · Aug 5, 2025 · Jul 16, 2025 · Jul 18, 2025 · Jul 28, 2025
@@ -31,11 +31,17 @@ jest.mock('./tasks/privilege_monitoring_task', () => {
   };
 });
 
+const mockFind = jest.fn().mockResolvedValue({
+  saved_objects: [],
+  total: 0,
+});
+
 jest.mock('./saved_objects', () => {
   return {
     MonitoringEntitySourceDescriptorClient: jest.fn().mockImplementation(() => ({
       findByIndex: jest.fn().mockResolvedValue([]),
       create: jest.fn(),
+      find: mockFind,
     })),
     PrivilegeMonitoringEngineDescriptorClient: jest.fn().mockImplementation(() => ({
       init: jest.fn().mockResolvedValue({ status: 'success' }),

@@ -23,6 +23,7 @@ import Papa from 'papaparse';
 import { Readable } from 'stream';
 
 import type { SortResults } from '@elastic/elasticsearch/lib/api/types';
+import type { CreateMonitoringEntitySource } from '../../../../common/api/entity_analytics/privilege_monitoring/monitoring_entity_source/monitoring_entity_source.gen';
 import { defaultMonitoringUsersIndex } from '../../../../common/constants';
 import type { PrivmonBulkUploadUsersCSVResponse } from '../../../../common/api/entity_analytics/privilege_monitoring/users/upload_csv.gen';
 import type { HapiReadableStream } from '../../../types';
@@ -127,30 +128,9 @@ export class PrivilegeMonitoringDataClient {
 
     const descriptor = await this.engineClient.init();
     this.log('debug', `Initialized privileged monitoring engine saved object`);
-    // create default index source for privilege monitoring for each namespace
-    try {
-      const indexSourceDescriptor = await this.monitoringIndexSourceClient.create({
-        type: 'index',
-        managed: true,
-        indexPattern: defaultMonitoringUsersIndex(this.opts.namespace),
-        name: `default-monitoring-index-${this.opts.namespace}`,
-      });
-      this.log(
-        'debug',
-        `Created index source for privilege monitoring: ${JSON.stringify(indexSourceDescriptor)}`
-      );
-    } catch (e) {
-      this.log(
-        'error',
-        `Failed to create default index source for privilege monitoring: ${e.message}`
-      );
-      this.audit(
-        PrivilegeMonitoringEngineActions.INIT,
-        EngineComponentResourceEnum.privmon_engine,
-        'Failed to create default index source for privilege monitoring',
-        e
-      );
-    }
+
+    await this.createOrUpdateDefaultDataSource();
+
     try {
       this.log('debug', 'Creating privilege user monitoring event.ingested pipeline');
       await this.createIngestPipelineIfDoesNotExist();
@@ -799,6 +779,65 @@ export class PrivilegeMonitoringDataClient {
     });
   }
 
+  private createOrUpdateDefaultDataSource = async () => {
+    const sourceName = `default-monitoring-index-${this.opts.namespace}`;
+
+    const defaultIndexSource: CreateMonitoringEntitySource = {
+      type: 'index',
+      managed: true,
+      indexPattern: defaultMonitoringUsersIndex(this.opts.namespace),
+      name: sourceName,
+    };
+
+    const existingSources = await this.monitoringIndexSourceClient.find({
+      name: sourceName,
+    });
+
+    if (existingSources.saved_objects.length > 0) {
+      this.log('info', 'Default index source already exists, updating it.');
+      const existingSource = existingSources.saved_objects[0];
+      try {
+        await this.monitoringIndexSourceClient.update({
+          id: existingSource.id,
+          ...defaultIndexSource,
+        });
+      } catch (e) {
+        this.log(
+          'error',
+          `Failed to update default index source for privilege monitoring: ${e.message}`
+        );
+        this.audit(
+          PrivilegeMonitoringEngineActions.INIT,
+          EngineComponentResourceEnum.privmon_engine,
+          'Failed to update default index source for privilege monitoring',
+          e
+        );
+      }
+    } else {
+      this.log('info', 'Creating default index source for privilege monitoring.');
+
+      try {
+        const indexSourceDescriptor = this.monitoringIndexSourceClient.create(defaultIndexSource);
+
+        this.log(
+          'debug',
+          `Created index source for privilege monitoring: ${JSON.stringify(indexSourceDescriptor)}`
+        );
+      } catch (e) {
+        this.log(
+          'error',
+          `Failed to create default index source for privilege monitoring: ${e.message}`
+        );
+        this.audit(
+          PrivilegeMonitoringEngineActions.INIT,
+          EngineComponentResourceEnum.privmon_engine,
+          'Failed to create default index source for privilege monitoring',
+          e
+        );
+      }
+    }
+  };
+
   public async disable() {
     this.log('info', 'Disabling Privileged Monitoring Engine');
     // Check the current status of the engine

diff --git a/...integration/test_suites/entity_analytics/monitoring/trial_license_complete_tier/engine.ts b/...integration/test_suites/entity_analytics/monitoring/trial_license_complete_tier/engine.ts
@@ -40,5 +40,28 @@ export default ({ getService }: FtrProviderContext) => {
         expect(res.status).eql(200);
       });
     });
+
+    describe('init', () => {
+      it('should be able to be called multiple times', async () => {
+        log.info(`Initializing Privilege Monitoring engine`);
+        const res1 = await api.initMonitoringEngine();
+
+        if (res1.status !== 200) {
+          log.error(`Failed to initialize engine`);
+          log.error(JSON.stringify(res1.body));
+        }
+
+        expect(res1.status).eql(200);
+
+        log.info(`Re-initializing Privilege Monitoring engine`);
+        const res2 = await api.initMonitoringEngine();
+        if (res2.status !== 200) {
+          log.error(`Failed to re-initialize engine`);
+          log.error(JSON.stringify(res2.body));
+        }
+
+        expect(res2.status).eql(200);
+      });
+    });
   });
 };