[9.0] [Security Solution] [Detections] Use preview route for testing EQL shard failure (#214284) (#215166)

# Backport

This will backport the following commits from `main` to `9.0`:
- [[Security Solution] [Detections] Use preview route for testing EQL
shard failure (#214284)](#214284)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Devin W.
Hurley","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-03-19T13:12:38Z","message":"[Security
Solution] [Detections] Use preview route for testing EQL shard failure
(#214284)\n\nfixes flakey test
https://github.com/elastic/kibana/issues/209024\n- [x] [Flaky
Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\nused on any tests
changed","sha":"cd491c34e79b65641e00f95cf8120557a407a338","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["review","release_note:skip","v9.0.0","Team:Detection
Engine","backport:version","v9.1.0","v9.0.1"],"title":"[Security
Solution] [Detections] Use preview route for testing EQL shard
failure","number":214284,"url":"https://github.com/elastic/kibana/pull/214284","mergeCommit":{"message":"[Security
Solution] [Detections] Use preview route for testing EQL shard failure
(#214284)\n\nfixes flakey test
https://github.com/elastic/kibana/issues/209024\n- [x] [Flaky
Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\nused on any tests
changed","sha":"cd491c34e79b65641e00f95cf8120557a407a338"}},"sourceBranch":"main","suggestedTargetBranches":["9.0"],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/214284","number":214284,"mergeCommit":{"message":"[Security
Solution] [Detections] Use preview route for testing EQL shard failure
(#214284)\n\nfixes flakey test
https://github.com/elastic/kibana/issues/209024\n- [x] [Flaky
Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\nused on any tests
changed","sha":"cd491c34e79b65641e00f95cf8120557a407a338"}}]}]
BACKPORT-->

Co-authored-by: Devin W. Hurley <[email protected]>

Author: kibanamachine

x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/eql/trial_license_complete_tier/eql.ts

@@ -53,7 +53,6 @@ import {
   deleteAllRules,
   deleteAllAlerts,
   waitForRuleFailure,
-  waitForRulePartialFailure,
   routeWithNamespace,
 } from '../../../../../../../common/utils/security_solution';
 import { FtrProviderContext } from '../../../../../../ftr_provider_context';
@@ -247,32 +246,23 @@ export default ({ getService }: FtrProviderContext) => {
       ).eql(1);
     });
 
-    // Failing: See https://github.com/elastic/kibana/issues/209024
-    it.skip('parses shard failures for EQL event query', async () => {
+    it('parses shard failures for EQL event query', async () => {
       await esArchiver.load(packetBeatPath);
       const rule: EqlRuleCreateProps = {
         ...getEqlRuleForAlertTesting(['auditbeat-*', 'packetbeat-*']),
         query: 'any where agent.type == "packetbeat" or broken == 1',
       };
       await setBrokenRuntimeField({ es, index: 'auditbeat-*' });
-      const createdRule = await createRule(supertest, log, rule);
-      const createdRuleId = createdRule.id;
-      await waitForRulePartialFailure({ supertest, log, id: createdRuleId });
-      const route = routeWithNamespace(DETECTION_ENGINE_RULES_URL);
-      const response = await supertest
-        .get(route)
-        .set('kbn-xsrf', 'true')
-        .set('elastic-api-version', '2023-10-31')
-        .query({ id: createdRule.id })
-        .expect(200);
-
-      const ruleResponse = response.body;
+      const { logs } = await previewRule({ supertest, rule });
       expect(
-        ruleResponse.execution_summary.last_execution.message.includes(
-          'The EQL event query was only executed on the available shards. The query failed to run successfully on the following shards:'
+        logs.some((previewLog) =>
+          previewLog.warnings.some((warning) =>
+            warning.includes(
+              'The EQL event query was only executed on the available shards. The query failed to run successfully on the following shards:'
+            )
+          )
         )
       ).eql(true);
-
       await unsetBrokenRuntimeField({ es, index: 'auditbeat-*' });
       await esArchiver.unload(packetBeatPath);
     });