From 3b33d246fbba97706d4cdcb0ef5657a9ecbb990d Mon Sep 17 00:00:00 2001
From: Hannah Brooks
Date: Thu, 19 Feb 2026 10:49:43 -0500
Subject: [PATCH] [Security][Detection Engine] ESQL Rule Execution Logic Integration Test (#252936)

## Summary
Resolves [#235895](https://github.com/elastic/kibana/issues/235895) When mv_expand is used, all documents added to indices share the same _id and @timestamp. This leads to indeterministic ordering when ElasticSearch is pulling documents. There is no tiebreaker, so we get unpredictable results. This fixes PR fixes a test that encounters this issue.
(cherry picked from commit 8cb144ef0002d4b54e157374d0f481ad89657a66)
---
 .../esql/trial_license_complete_tier/esql.ts | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql.ts
index 154ed800c685e..f27e3532a3b03 100644
--- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql.ts
+++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql.ts
@@ -64,8 +64,7 @@ export default ({ getService }: FtrProviderContext) => {
 */
 const internalIdPipe = (id: string) => `| where id=="${id}"`;
 
- // Failing: See https://github.com/elastic/kibana/issues/235895
- describe.skip('@ess @serverless ES|QL rule type', () => {
+ describe('@ess @serverless ES|QL rule type', () => {
 before(async () => {
 await esArchiver.load(
 'x-pack/solutions/security/test/fixtures/es_archives/security_solution/ecs_compliant'
@@ -1712,14 +1711,13 @@ export default ({ getService }: FtrProviderContext) => {
 expect(alertsResponse.hits.hits).toHaveLength(4);
 });
 
- // flaky test: https://github.com/elastic/kibana/issues/235895
- it.skip('should generate alerts over multiple pages from different indices but same event id for mv_expand when number alerts exceeds max signal', async () => {
+ it('should generate alerts over multiple pages from different indices but same event id for mv_expand when number alerts exceeds max signal', async () => {
 const id = uuidv4();
 const rule: EsqlRuleCreateProps = {
 ...getCreateEsqlRulesSchemaMock(`rule-${id}`, true),
 query: `from ecs_compliant, ecs_compliant_synthetic_source metadata _id, _index ${internalIdPipe(
 id
- )} | mv_expand agent.name | sort @timestamp asc`,
+ )} | mv_expand agent.name | sort @timestamp asc, _index asc`, // sort by timestamp and index to ensure deterministic results, see https://github.com/elastic/kibana/issues/253849
 from: '2020-10-28T05:15:00.000Z',
 to: '2020-10-28T06:00:00.000Z',
 interval: '45m',
@@ -1733,7 +1731,7 @@ export default ({ getService }: FtrProviderContext) => {
 };
 await Promise.all(
- ['ecs_compliant', 'ecs_compliant_synthetic_source'].map((index) =>
+ ['ecs_compliant', 'ecs_compliant_synthetic_source'].map((index, i) =>
 es.index({
 index,
 id,
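Review bot: The new `_index asc` sort key only breaks ties between rows that come from different indices; the rows that `mv_expand agent.name` produces from one source document still share `@timestamp`, `_index` and `_id`, so their relative order across pages remains unspecified when the alert count exceeds max_signals. If the expanded values are the only thing distinguishing those rows, adding the expanded field as the final key, `| sort @timestamp asc, _index asc, agent.name asc`, would give the query a total order and make the paging assertion robust rather than merely less flaky. The `(index, i)` change in the following hunk presumably introduces per-index variation in the indexed documents, but the use of `i` is outside the visible lines, so I cannot confirm it covers the same-index case. The trailing comment on the query line would read more easily placed above the `query:` property than appended to the template literal. The enclosing `it` callback continues beyond the hunk.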