[9.2] [Privmon] Deletion Detection and Monitoring Sources FTR Test Updates (#240051) (#240853)

# Backport

This will backport the following commits from `main` to `9.2`:
- [[Privmon] Deletion Detection and Monitoring Sources FTR Test Updates
(#240051)](#240051)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Charlotte Alexandra
Wilson","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-10-27T15:39:27Z","message":"[Privmon]
Deletion Detection and Monitoring Sources FTR Test Updates
(#240051)\n\nThis PR introduces FTR Testing for deletion detection in
the privileged\nuser monitoring, integrations sync, feature.\n\n### Key
Updates: \n\n- Coverage to test when a user is deleted, they are
correctly handled\nduring a full sync window - labels updated,
privileged status set to\nfalse. This also tests the full sync detection
functionality.\n- Coverage to test the case of start + complete window
outside of the\ncurrent batch of users, soft deleting ALL users.\n-
Updated utilities functions with some common helpers and constants
to\ncreate the full sync window, delete integrations user and reduce
hard\ncoded values.\n- Updated default entity source tests to include
AD.\n\n### 🐞 Bugs Found & Fixed During Test Creation\n\n**First-run
handling:**\n- Previously, the fallback logic inside “detect full sync”
didn’t handle\nthe first run correctly.\n- When the SO had no previous
sync, it treated `fullSync ===\nlastCompletedEvent`\n- and skipped the
first full-sync run.\n- This has been fixed to ensure the initial run
executes properly.\n\n**The fix - Last full sync source**\n* Updated
lastFullSync to read only from the Saved Object (SO).\n* The checks for
a completed marker now live inside the deletion\ndetection logic
itself.","sha":"41a5600a8278e28aab5e14084814a354b62ead39","branchLabelMapping":{"^v9.3.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Entity
Analytics","backport:version","v9.2.0","v9.3.0"],"title":"[Privmon]
Deletion Detection and Monitoring Sources FTR Test
Updates","number":240051,"url":"https://github.com/elastic/kibana/pull/240051","mergeCommit":{"message":"[Privmon]
Deletion Detection and Monitoring Sources FTR Test Updates
(#240051)\n\nThis PR introduces FTR Testing for deletion detection in
the privileged\nuser monitoring, integrations sync, feature.\n\n### Key
Updates: \n\n- Coverage to test when a user is deleted, they are
correctly handled\nduring a full sync window - labels updated,
privileged status set to\nfalse. This also tests the full sync detection
functionality.\n- Coverage to test the case of start + complete window
outside of the\ncurrent batch of users, soft deleting ALL users.\n-
Updated utilities functions with some common helpers and constants
to\ncreate the full sync window, delete integrations user and reduce
hard\ncoded values.\n- Updated default entity source tests to include
AD.\n\n### 🐞 Bugs Found & Fixed During Test Creation\n\n**First-run
handling:**\n- Previously, the fallback logic inside “detect full sync”
didn’t handle\nthe first run correctly.\n- When the SO had no previous
sync, it treated `fullSync ===\nlastCompletedEvent`\n- and skipped the
first full-sync run.\n- This has been fixed to ensure the initial run
executes properly.\n\n**The fix - Last full sync source**\n* Updated
lastFullSync to read only from the Saved Object (SO).\n* The checks for
a completed marker now live inside the deletion\ndetection logic
itself.","sha":"41a5600a8278e28aab5e14084814a354b62ead39"}},"sourceBranch":"main","suggestedTargetBranches":["9.2"],"targetPullRequestStates":[{"branch":"9.2","label":"v9.2.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.3.0","branchLabelMappingKey":"^v9.3.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/240051","number":240051,"mergeCommit":{"message":"[Privmon]
Deletion Detection and Monitoring Sources FTR Test Updates
(#240051)\n\nThis PR introduces FTR Testing for deletion detection in
the privileged\nuser monitoring, integrations sync, feature.\n\n### Key
Updates: \n\n- Coverage to test when a user is deleted, they are
correctly handled\nduring a full sync window - labels updated,
privileged status set to\nfalse. This also tests the full sync detection
functionality.\n- Coverage to test the case of start + complete window
outside of the\ncurrent batch of users, soft deleting ALL users.\n-
Updated utilities functions with some common helpers and constants
to\ncreate the full sync window, delete integrations user and reduce
hard\ncoded values.\n- Updated default entity source tests to include
AD.\n\n### 🐞 Bugs Found & Fixed During Test Creation\n\n**First-run
handling:**\n- Previously, the fallback logic inside “detect full sync”
didn’t handle\nthe first run correctly.\n- When the SO had no previous
sync, it treated `fullSync ===\nlastCompletedEvent`\n- and skipped the
first full-sync run.\n- This has been fixed to ensure the initial run
executes properly.\n\n**The fix - Last full sync source**\n* Updated
lastFullSync to read only from the Saved Object (SO).\n* The checks for
a completed marker now live inside the deletion\ndetection logic
itself.","sha":"41a5600a8278e28aab5e14084814a354b62ead39"}}]}]
BACKPORT-->

Co-authored-by: Charlotte Alexandra Wilson <[email protected]>

Author: kibanamachine

x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/privilege_monitoring/data_sources/sync/integrations/sync_markers/sync_markers.ts

@@ -58,17 +58,9 @@ export const createSyncMarkersService = (
   const getLastFullSyncMarker = async (
     source: MonitoringEntitySource
   ): Promise<string | undefined> => {
-    // Try from the SO first
     const fromSO = await monitoringIndexSourceClient.getLastFullSyncMarker(source);
     if (fromSO) return fromSO;
-
-    // Fallback: search index
-    const fromIndex = await findLastEventMarkerInIndex(source, 'completed');
-    if (!fromIndex) return undefined;
-
-    // Update the SO for next time
-    await updateLastFullSyncMarker(source, fromIndex);
-    return fromIndex;
+    return undefined;
   };
 
   const findLastEventMarkerInIndex = async (
@@ -100,7 +92,6 @@ export const createSyncMarkersService = (
     const shouldUpdate = !lastFullSync || latestCompletedEvent > lastFullSync;
 
     if (!shouldUpdate) return false;
-
     await updateLastFullSyncMarker(source, latestCompletedEvent);
     return true;
   };

x-pack/solutions/security/test/security_solution_api_integration/test_suites/entity_analytics/monitoring/trial_license_complete_tier/engine.ts

@@ -438,7 +438,7 @@ export default ({ getService }: FtrProviderContext) => {
         );
         // Set timestamps to be within last month so they are included in sync (default first run is now - 1M)
         await privMonUtils.integrationsSync.updateIntegrationsUsersWithRelativeTimestamps({
-          indexPattern: 'logs-entityanalytics_okta.user-default',
+          indexPattern: privMonUtils.integrationsSync.OKTA_INDEX,
         });
         await enablePrivmonSetting(kibanaServer);
         await privMonUtils.initPrivMonEngine();
@@ -462,8 +462,7 @@ export default ({ getService }: FtrProviderContext) => {
         expect(monitoringSource?.name).toBe(
           '.entity_analytics.monitoring.sources.entityanalytics_okta-default'
         );
-        await privMonUtils.scheduleMonitoringEngineNow({ ignoreConflict: true });
-        await privMonUtils.waitForSyncTaskRun();
+        await privMonUtils.runSync();
 
         const { body: usersBefore } = await api.listPrivMonUsers({ query: {} });
         // each user should be privileged and have correct source
@@ -500,13 +499,12 @@ export default ({ getService }: FtrProviderContext) => {
 
         // update okta user to non-privileged, to test sync updates
         await privMonUtils.integrationsSync.setIntegrationUserPrivilege({
-          id: 'AZlHQD20hY07UD0HNBs-',
+          id: privMonUtils.integrationsSync.OKTA_USER_IDS.mable,
           isPrivileged: false,
-          indexPattern: 'logs-entityanalytics_okta.user-default',
+          indexPattern: privMonUtils.integrationsSync.OKTA_INDEX,
         });
         // schedule another sync
-        await privMonUtils.scheduleMonitoringEngineNow({ ignoreConflict: true });
-        await privMonUtils.waitForSyncTaskRun();
+        await privMonUtils.runSync();
         const { body: usersAfter } = await api.listPrivMonUsers({ query: {} });
 
         // find the updated user
@@ -534,24 +532,25 @@ export default ({ getService }: FtrProviderContext) => {
       });
 
       it('should update and create users within lastProcessedMarker range during update detection ', async () => {
-        const oktaIndex = 'logs-entityanalytics_okta.user-default';
-        const IDS = {
-          devon: 'AZmLBcGV9XhZAwOqZV5t', // Devan.Nienow
-          elinor: 'AZmLBcGV9XhZAwOqZV5u', // Elinor.Johnston-Shanahan
-          kaelyn: 'AZmLBcGV9XhZAwOqZV5s', // Kaelyn.Shanahan
-          bennett: 'AZmLBcGV9XhZAwOqZV5y', // Bennett.Becker
-        };
         // --- Timestamps
-        const nowMinus1M1D = await privMonUtils.integrationsSync.dateOffsetFromNow({
+        const nowMinus1M1D = await privMonUtils.integrationsSync.dateOffsetFrom({
           months: 2,
           days: 1,
         });
-        const nowMinus2M = await privMonUtils.integrationsSync.dateOffsetFromNow({ months: 2 });
-        const nowMinus1w = await privMonUtils.integrationsSync.dateOffsetFromNow({ days: 7 });
-        const nowMinus6d = await privMonUtils.integrationsSync.dateOffsetFromNow({ days: 6 });
+        const nowMinus2M = await privMonUtils.integrationsSync.dateOffsetFrom({ months: 2 });
+        const nowMinus1w = await privMonUtils.integrationsSync.dateOffsetFrom({ days: 7 });
+        const nowMinus6d = await privMonUtils.integrationsSync.dateOffsetFrom({ days: 6 });
         // PHASE 1: Push two users out of range, sync => expect 4 privileged remain
-        await privMonUtils.integrationsSync.setTimestamp(IDS.devon, nowMinus1M1D, oktaIndex);
-        await privMonUtils.integrationsSync.setTimestamp(IDS.elinor, nowMinus2M, oktaIndex);
+        await privMonUtils.integrationsSync.setTimestamp(
+          privMonUtils.integrationsSync.OKTA_USER_IDS.devon,
+          nowMinus1M1D,
+          privMonUtils.integrationsSync.OKTA_INDEX
+        );
+        await privMonUtils.integrationsSync.setTimestamp(
+          privMonUtils.integrationsSync.OKTA_USER_IDS.elinor,
+          nowMinus2M,
+          privMonUtils.integrationsSync.OKTA_INDEX
+        );
         await privMonUtils.runSync();
         const snapA = await privMonUtils.integrationsSync.expectUserCount(4);
 
@@ -561,39 +560,73 @@ export default ({ getService }: FtrProviderContext) => {
         expect(new Set(snapB)).toEqual(new Set(snapA));
 
         const markerAfterPhase2 = await privMonUtils.integrationsSync.getLastProcessedMarker(
-          oktaIndex
+          privMonUtils.integrationsSync.OKTA_INDEX
         );
         expect(markerAfterPhase2).toBe(
           privMonUtils.integrationsSync.DEFAULT_INTEGRATIONS_RELATIVE_TIMESTAMP
         );
 
         // PHASE 3: Bring one user back in-range, sync => last processed marker updates to that timestamp
-        await privMonUtils.integrationsSync.setTimestamp(IDS.kaelyn, nowMinus1w, oktaIndex);
+        await privMonUtils.integrationsSync.setTimestamp(
+          privMonUtils.integrationsSync.OKTA_USER_IDS.kaelyn,
+          nowMinus1w,
+          privMonUtils.integrationsSync.OKTA_INDEX
+        );
         await privMonUtils.runSync();
         const markerAfterPhase3 = await privMonUtils.integrationsSync.getLastProcessedMarker(
-          oktaIndex
+          privMonUtils.integrationsSync.OKTA_INDEX
         );
         expect(markerAfterPhase3).toBe(nowMinus1w);
 
         // PHASE 4: Flip a non-privileged user to privileged + in-range, sync => count 5, last processed marker updates
         await privMonUtils.integrationsSync.setIntegrationUserPrivilege({
-          id: IDS.bennett,
+          id: privMonUtils.integrationsSync.OKTA_USER_IDS.bennett,
           isPrivileged: true,
-          indexPattern: 'logs-entityanalytics_okta.user-default',
+          indexPattern: privMonUtils.integrationsSync.OKTA_INDEX,
         });
-        await privMonUtils.integrationsSync.setTimestamp(IDS.bennett, nowMinus6d, oktaIndex);
+        await privMonUtils.integrationsSync.setTimestamp(
+          privMonUtils.integrationsSync.OKTA_USER_IDS.bennett,
+          nowMinus6d,
+          privMonUtils.integrationsSync.OKTA_INDEX
+        );
 
         await privMonUtils.runSync();
         await privMonUtils.integrationsSync.expectUserCount(5);
 
         const markerAfterPhase4 = await privMonUtils.integrationsSync.getLastProcessedMarker(
-          oktaIndex
+          privMonUtils.integrationsSync.OKTA_INDEX
         );
         expect(markerAfterPhase4).toBe(nowMinus6d);
       });
 
-      it.skip('deletion detection should delete users on full sync', async () => {
-        // placeholder for deletion detection
+      it('deletes missing users during a full sync window', async () => {
+        const EXPECTED_DELETED_USERNAME = 'Mable.Mann';
+        // Initial sync to establish users - deletion detection NOT expected
+        await privMonUtils.runSync();
+        // Create sync window
+        await privMonUtils.integrationsSync.createFullSyncWindowFromOffsets();
+        // Remove on user from source, simulating deletion
+        await privMonUtils.integrationsSync.deleteIntegrationUser({
+          id: privMonUtils.integrationsSync.OKTA_USER_IDS.mable,
+          indexPattern: privMonUtils.integrationsSync.OKTA_INDEX,
+        });
+        // Run sync - deletion detection expected to run and remove the user
+        await privMonUtils.runSync();
+        const users = await privMonUtils.integrationsSync.expectUserCount(6);
+        const mable = privMonUtils.findUser(users, EXPECTED_DELETED_USERNAME);
+        expect(mable).toBeDefined();
+        privMonUtils.assertIsPrivileged(mable, false);
+        expect(mable?.entity_analytics_monitoring?.labels).toEqual([]);
+        await privMonUtils.integrationsSync.createFullSyncWindowFromOffsets({
+          startOffsetMinutes: -40,
+          completeOffsetMinutes: -45,
+        });
+        await privMonUtils.runSync();
+        const usersAfter = await privMonUtils.integrationsSync.expectUserCount(6);
+        usersAfter.forEach((u: any) => {
+          expect(u.user.is_privileged).toBe(false);
+        });
+        await privMonUtils.integrationsSync.cleanupEventsIndex();
       });
     });
 
@@ -614,14 +647,15 @@ export default ({ getService }: FtrProviderContext) => {
         expect(names).toEqual(
           expect.arrayContaining([
             '.entity_analytics.monitoring.sources.entityanalytics_okta-default',
-            // '.entity_analytics.monitoring.sources.ad-default',
+            '.entity_analytics.monitoring.sources.entityanalytics_ad-default',
             '.entity_analytics.monitoring.users-default',
           ])
         );
         expect(syncMarkersIndices).toEqual(
           expect.arrayContaining([
-            'logs-entityanalytics_okta.entity-default',
-            //  '.entity_analytics.monitoring.sources.ad-default',
+            undefined, // default users source has no sync marker since index does not use sync markers
+            'logs-entityanalytics_okta.entity-default', // okta sync markers source
+            'logs-entityanalytics_ad.user-default', // ad sync markers source
           ])
         );
       });