From eac0359d1fc5a076afe34dd7ae54f034c11c8e72 Mon Sep 17 00:00:00 2001
From: Ryland Herrick <ryalnd@gmail.com>
Date: Tue, 5 Jan 2021 18:23:33 -0600
Subject: [PATCH] [Security Solution][Detections] Re-enable skipped integration
 test (#87254) (#87397)

* Re-enable test skipped due to temporary failure

This failure may still be present/intermittent, but it passes reliably
locally; trying again on CI to check status.

* Triggering build

This should fail on the latest snapshot

* Update EQL integration tests to reflect new default pipe

We were previously using what is effectively `results | head` to
retrieve the desired amount of results. The default behavior was changed
in elastic/elasticsearch#66387, which caused these tests to fail as
different results were returned over such a large dataset.

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
---
 .../tests/generating_signals.ts               | 21 ++++++++-----------
 1 file changed, 9 insertions(+), 12 deletions(-)

diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts
index 34f7074326550..c3c7ecd0aba81 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts
@@ -201,8 +201,7 @@ export default ({ getService }: FtrProviderContext) => {
         });
       });
 
-      // ES PROMOTION FAILURE: http://github.com/elastic/kibana/issues/86709
-      describe.skip('EQL Rules', () => {
+      describe('EQL Rules', () => {
         it('generates signals from EQL sequences in the expected form', async () => {
           const rule: EqlCreateSchema = {
             ...getRuleForSignalTesting(['auditbeat-*']),
@@ -226,28 +225,26 @@ export default ({ getService }: FtrProviderContext) => {
             ancestors: [
               {
                 depth: 0,
-                id: 'UBXOBmkBR346wHgnLP8T',
+                id: 'gCF0B2kBR346wHgnb7m0',
                 index: 'auditbeat-8.0.0-2019.02.19-000001',
                 type: 'event',
               },
             ],
             original_event: {
-              action: 'boot',
-              dataset: 'login',
-              kind: 'event',
-              module: 'system',
-              origin: '/var/log/wtmp',
+              action: 'error',
+              category: 'user-login',
+              module: 'auditd',
             },
             parent: {
               depth: 0,
-              id: 'UBXOBmkBR346wHgnLP8T',
+              id: 'gCF0B2kBR346wHgnb7m0',
               index: 'auditbeat-8.0.0-2019.02.19-000001',
               type: 'event',
             },
             parents: [
               {
                 depth: 0,
-                id: 'UBXOBmkBR346wHgnLP8T',
+                id: 'gCF0B2kBR346wHgnb7m0',
                 index: 'auditbeat-8.0.0-2019.02.19-000001',
                 type: 'event',
               },
@@ -284,7 +281,7 @@ export default ({ getService }: FtrProviderContext) => {
             ancestors: [
               {
                 depth: 0,
-                id: 'UBXOBmkBR346wHgnLP8T',
+                id: 'gCF0B2kBR346wHgnb7m0',
                 index: 'auditbeat-8.0.0-2019.02.19-000001',
                 type: 'event',
               },
@@ -297,7 +294,7 @@ export default ({ getService }: FtrProviderContext) => {
               },
               {
                 depth: 0,
-                id: 'URXOBmkBR346wHgnLP8T',
+                id: 'CCF0B2kBR346wHgngLtX',
                 index: 'auditbeat-8.0.0-2019.02.19-000001',
                 type: 'event',
               },