[Security Solution] [Detection Engine] Logs shard failures for eql event queries on rule details page and in event log (#207396)

## Summary

Related: elastic/elasticsearch#116388

Adds support for shard failures for EQL event queries in the detection
engine.

Author: dhurley14

x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_types/eql/build_eql_search_request.test.ts

@@ -57,6 +57,7 @@ describe('buildEqlSearchRequest', () => {
             ],
           },
         },
+        allow_partial_search_results: true,
         fields: [
           {
             field: '*',
@@ -141,6 +142,7 @@ describe('buildEqlSearchRequest', () => {
             ],
           },
         },
+        allow_partial_search_results: true,
         fields: [
           {
             field: '*',
@@ -198,6 +200,7 @@ describe('buildEqlSearchRequest', () => {
             ],
           },
         },
+        allow_partial_search_results: true,
         fields: [
           {
             field: '*',
@@ -235,97 +238,98 @@ describe('buildEqlSearchRequest', () => {
       exceptionFilter: filter,
     });
     expect(request).toMatchInlineSnapshot(`
-        Object {
-          "allow_no_indices": true,
-          "body": Object {
-            "event_category_field": undefined,
-            "fields": Array [
-              Object {
-                "field": "*",
-                "include_unmapped": true,
-              },
-              Object {
-                "field": "@timestamp",
-                "format": "strict_date_optional_time",
-              },
-            ],
-            "filter": Object {
-              "bool": Object {
-                "filter": Array [
-                  Object {
-                    "range": Object {
-                      "@timestamp": Object {
-                        "format": "strict_date_optional_time",
-                        "gte": "now-5m",
-                        "lte": "now",
-                      },
+      Object {
+        "allow_no_indices": true,
+        "body": Object {
+          "allow_partial_search_results": true,
+          "event_category_field": undefined,
+          "fields": Array [
+            Object {
+              "field": "*",
+              "include_unmapped": true,
+            },
+            Object {
+              "field": "@timestamp",
+              "format": "strict_date_optional_time",
+            },
+          ],
+          "filter": Object {
+            "bool": Object {
+              "filter": Array [
+                Object {
+                  "range": Object {
+                    "@timestamp": Object {
+                      "format": "strict_date_optional_time",
+                      "gte": "now-5m",
+                      "lte": "now",
                     },
                   },
-                  Object {
-                    "bool": Object {
-                      "filter": Array [],
-                      "must": Array [],
-                      "must_not": Array [
-                        Object {
-                          "bool": Object {
-                            "should": Array [
-                              Object {
-                                "bool": Object {
-                                  "filter": Array [
-                                    Object {
-                                      "nested": Object {
-                                        "path": "some.parentField",
-                                        "query": Object {
-                                          "bool": Object {
-                                            "minimum_should_match": 1,
-                                            "should": Array [
-                                              Object {
-                                                "match_phrase": Object {
-                                                  "some.parentField.nested.field": "some value",
-                                                },
+                },
+                Object {
+                  "bool": Object {
+                    "filter": Array [],
+                    "must": Array [],
+                    "must_not": Array [
+                      Object {
+                        "bool": Object {
+                          "should": Array [
+                            Object {
+                              "bool": Object {
+                                "filter": Array [
+                                  Object {
+                                    "nested": Object {
+                                      "path": "some.parentField",
+                                      "query": Object {
+                                        "bool": Object {
+                                          "minimum_should_match": 1,
+                                          "should": Array [
+                                            Object {
+                                              "match_phrase": Object {
+                                                "some.parentField.nested.field": "some value",
                                               },
-                                            ],
-                                          },
+                                            },
+                                          ],
                                         },
-                                        "score_mode": "none",
                                       },
+                                      "score_mode": "none",
                                     },
-                                    Object {
-                                      "bool": Object {
-                                        "minimum_should_match": 1,
-                                        "should": Array [
-                                          Object {
-                                            "match_phrase": Object {
-                                              "some.not.nested.field": "some value",
-                                            },
+                                  },
+                                  Object {
+                                    "bool": Object {
+                                      "minimum_should_match": 1,
+                                      "should": Array [
+                                        Object {
+                                          "match_phrase": Object {
+                                            "some.not.nested.field": "some value",
                                           },
-                                        ],
-                                      },
+                                        },
+                                      ],
                                     },
-                                  ],
-                                },
+                                  },
+                                ],
                               },
-                            ],
-                          },
+                            },
+                          ],
                         },
-                      ],
-                      "should": Array [],
-                    },
+                      },
+                    ],
+                    "should": Array [],
                   },
-                ],
-              },
+                },
+              ],
             },
-            "query": "process where true",
-            "runtime_mappings": undefined,
-            "size": 100,
-            "timestamp_field": undefined,
           },
-          "index": Array [
-            "testindex1",
-            "testindex2",
-          ],
-        }
-      `);
+          "query": "process where true",
+          "runtime_mappings": undefined,
+          "size": 100,
+          "timestamp_field": undefined,
+        },
+        "index": Array [
+          "testindex1",
+          "testindex2",
+        ],
+      }
+    `);
   });
 
   test('should build a request with filters', () => {
@@ -415,6 +419,7 @@ describe('buildEqlSearchRequest', () => {
             ],
           },
         },
+        allow_partial_search_results: true,
         fields: [
           {
             field: '*',

x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_types/eql/build_eql_search_request.ts

@@ -87,6 +87,12 @@ export const buildEqlSearchRequest = ({
           filter: requestFilter,
         },
       },
+      // the allow_partial_search_results query parameter will supersede
+      // the corresponding xpack settings on cluster
+      // @ts-expect-error unknown property allow_partial_search_results
+      // TODO: remove this ts-expect when 8.18 elasticsearch client is released.
+      // issue: https://github.com/elastic/kibana/issues/208760
+      allow_partial_search_results: true,
       runtime_mappings: runtimeMappings,
       timestamp_field: timestampField,
       event_category_field: eventCategoryOverride,

x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_types/eql/eql.ts

@@ -15,6 +15,8 @@ import type {
 } from '@kbn/alerting-plugin/server';
 import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import type { Filter } from '@kbn/es-query';
+import isEmpty from 'lodash/isEmpty';
+
 import { buildEqlSearchRequest } from './build_eql_search_request';
 import { createEnrichEventsFunction } from '../utils/enrichments';
 
@@ -55,6 +57,8 @@ import type { RulePreviewLoggedRequest } from '../../../../../common/api/detecti
 import { logEqlRequest } from '../utils/logged_requests';
 import * as i18n from '../translations';
 import { alertSuppressionTypeGuard } from '../utils/get_is_alert_suppression_active';
+import { isEqlSequenceQuery } from '../../../../../common/detection_engine/utils';
+import { logShardFailures } from '../utils/log_shard_failure';
 
 interface EqlExecutorParams {
   inputIndex: string[];
@@ -120,6 +124,8 @@ export const eqlExecutor = async ({
       uiSettingsClient: services.uiSettingsClient,
     });
 
+    const isSequenceQuery = isEqlSequenceQuery(ruleParams.query);
+
     const request = buildEqlSearchRequest({
       query: ruleParams.query,
       index: inputIndex,
@@ -165,6 +171,16 @@ export const eqlExecutor = async ({
 
       let newSignals: Array<WrappedFieldsLatest<BaseFieldsLatest>> | undefined;
 
+      // @ts-expect-error shard_failures exists in
+      // elasticsearch response v9
+      // needs to be spec needs to be backported
+      // https://github.com/elastic/elasticsearch-specification/pull/3372#issuecomment-2621835599
+      // TODO: remove ts-expect-error when ES lib version is updated
+      const shardFailures = response.shard_failures;
+      if (!isEmpty(shardFailures)) {
+        logShardFailures(isSequenceQuery, shardFailures, result, ruleExecutionLogger);
+      }
+
       const { events, sequences } = response.hits;
 
       if (events) {

x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_types/translations.ts

@@ -28,6 +28,27 @@ export const EQL_SEARCH_REQUEST_DESCRIPTION = i18n.translate(
   }
 );
 
+export const EQL_SHARD_FAILURE_MESSAGE = (
+  isEqlSequenceQuery: boolean,
+  shardFailuresMessage: string
+) =>
+  isEqlSequenceQuery
+    ? i18n.translate(
+        'xpack.securitySolution.detectionEngine.eqlSequenceRuleType.eqlShardFailures',
+        {
+          defaultMessage: `The EQL query failed to run successfully due to unavailable shards: {shardFailures}`,
+          values: {
+            shardFailures: shardFailuresMessage,
+          },
+        }
+      )
+    : i18n.translate('xpack.securitySolution.detectionEngine.eqlEventRuleType.eqlShardFailures', {
+        defaultMessage: `The EQL event query was only executed on the available shards. The query failed to run successfully on the following shards: {shardFailures}`,
+        values: {
+          shardFailures: shardFailuresMessage,
+        },
+      });
+
 export const FIND_THRESHOLD_BUCKETS_DESCRIPTION = (afterBucket?: string) =>
   afterBucket
     ? i18n.translate(

x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_types/utils/log_shard_failure.ts

@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { ShardFailure } from '@elastic/elasticsearch/lib/api/types';
+import type { IRuleExecutionLogForExecutors } from '../../rule_monitoring';
+import type { SearchAfterAndBulkCreateReturnType } from '../types';
+import * as i18n from '../translations';
+
+export const logShardFailures = (
+  isSequenceQuery: boolean,
+  shardFailures: ShardFailure[],
+  result: SearchAfterAndBulkCreateReturnType,
+  ruleExecutionLogger: IRuleExecutionLogForExecutors
+) => {
+  const shardFailureMessage = i18n.EQL_SHARD_FAILURE_MESSAGE(
+    isSequenceQuery,
+    JSON.stringify(shardFailures)
+  );
+  ruleExecutionLogger.error(shardFailureMessage);
+  if (isSequenceQuery) {
+    result.errors.push(shardFailureMessage);
+  } else {
+    result.warningMessages.push(shardFailureMessage);
+  }
+};