[9.4] [Entity Store] Cap window size (#268170) (#268446)

# Backport

This will backport the following commits from `main` to `9.4`:
- [[Entity Store] Cap window size
(#268170)](#268170)

<!--- Backport version: 11.0.2 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Rômulo
Farias","email":"romulo.farias@elastic.co"},"sourceCommit":{"committedDate":"2026-05-08T13:18:48Z","message":"[Entity
Store] Cap window size (#268170)\n\nIn lagging environments the
entity-store extraction window grows\nunboundedly. `getExtractionWindow`
always sets `toDateISO = now - delay`\nwhile `fromDateISO` advances only
via `lastExecutionTimestamp /\npaginationTimestamp`. If a run cannot
keep up, each subsequent run sees\na wider window. The probe
(`buildLogPaginationCursorProbeEsql`) sorts\nevery doc in that window in
ES|QL, so probe cost grows with window size\n— feeding a death-spiral
where slow runs widen the window which slows\nthe next run
further.\n\nWe want a hard cap on the width of each probe's window so
that probe\ncost stays bounded regardless of how far behind the engine
is. The cap\nis purely a cost-bounding device for the probe — it does
not\nartificially defer catch-up to a later run.\n\nWithin a single
extractLogs execution, once a capped sub-window is\ndrained we
immediately advance to the next sub-window and continue,\nuntil we reach
the effective window end (now - delay). Only when a run\nis interrupted
(crash, abort, hitting a slow probe) do we resume on the\nnext scheduled
run from the last persisted lastExecutionTimestamp.\n\n### How it
works\n\nWhen the gap between `fromDateISO` and the effective window end
(`now -\ndelay`) exceeds `maxTimeWindowSize + GRACE_PERIOD` (default
`15m +\n30s`), the run processes the time range as a sequence of
capped\n`[fromSub, toSub]` sub-windows of width `maxTimeWindowSize`,
advancing\nwithin a single execution until the effective end is
reached.\nSub-windows are an in-memory iteration concept — the
saved-object schema\nis unaware of them. Crash recovery uses the
per-slice persistence\nemitted by the inner outer-loop (last
`paginationTimestamp` /\n`checkpointTimestamp` written). Manual
`specificWindow` /\n`windowOverride` runs bypass capping and run as a
single pass.\n\n\n### Added\n\n- `maxTimeWindowSize` parameter to the
global configuration, available\non install and update paths. Also
exposed via status api\n\n\n### Why default 15m\n\n`15m` seems to be an
ok cap based on the default `3h` look back period.\nA too short `1m`
will cause 180 queries to elasticsearch. `15m` will\ncause only
12.\n\nThis will need to be configured on heavy environments where `15m`
worth\nof data account for millions of
logs.\n\n---------\n\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"555237a0dba491c31901c1b3323f667ecb580a0d","branchLabelMapping":{"^v9.5.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","backport:version","v9.4.0","reviewer:macroscope","v9.5.0","v9.4.1"],"title":"[Entity
Store] Cap window
size","number":268170,"url":"https://github.com/elastic/kibana/pull/268170","mergeCommit":{"message":"[Entity
Store] Cap window size (#268170)\n\nIn lagging environments the
entity-store extraction window grows\nunboundedly. `getExtractionWindow`
always sets `toDateISO = now - delay`\nwhile `fromDateISO` advances only
via `lastExecutionTimestamp /\npaginationTimestamp`. If a run cannot
keep up, each subsequent run sees\na wider window. The probe
(`buildLogPaginationCursorProbeEsql`) sorts\nevery doc in that window in
ES|QL, so probe cost grows with window size\n— feeding a death-spiral
where slow runs widen the window which slows\nthe next run
further.\n\nWe want a hard cap on the width of each probe's window so
that probe\ncost stays bounded regardless of how far behind the engine
is. The cap\nis purely a cost-bounding device for the probe — it does
not\nartificially defer catch-up to a later run.\n\nWithin a single
extractLogs execution, once a capped sub-window is\ndrained we
immediately advance to the next sub-window and continue,\nuntil we reach
the effective window end (now - delay). Only when a run\nis interrupted
(crash, abort, hitting a slow probe) do we resume on the\nnext scheduled
run from the last persisted lastExecutionTimestamp.\n\n### How it
works\n\nWhen the gap between `fromDateISO` and the effective window end
(`now -\ndelay`) exceeds `maxTimeWindowSize + GRACE_PERIOD` (default
`15m +\n30s`), the run processes the time range as a sequence of
capped\n`[fromSub, toSub]` sub-windows of width `maxTimeWindowSize`,
advancing\nwithin a single execution until the effective end is
reached.\nSub-windows are an in-memory iteration concept — the
saved-object schema\nis unaware of them. Crash recovery uses the
per-slice persistence\nemitted by the inner outer-loop (last
`paginationTimestamp` /\n`checkpointTimestamp` written). Manual
`specificWindow` /\n`windowOverride` runs bypass capping and run as a
single pass.\n\n\n### Added\n\n- `maxTimeWindowSize` parameter to the
global configuration, available\non install and update paths. Also
exposed via status api\n\n\n### Why default 15m\n\n`15m` seems to be an
ok cap based on the default `3h` look back period.\nA too short `1m`
will cause 180 queries to elasticsearch. `15m` will\ncause only
12.\n\nThis will need to be configured on heavy environments where `15m`
worth\nof data account for millions of
logs.\n\n---------\n\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"555237a0dba491c31901c1b3323f667ecb580a0d"}},"sourceBranch":"main","suggestedTargetBranches":["9.4"],"targetPullRequestStates":[{"branch":"9.4","label":"v9.4.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.5.0","branchLabelMappingKey":"^v9.5.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/268170","number":268170,"mergeCommit":{"message":"[Entity
Store] Cap window size (#268170)\n\nIn lagging environments the
entity-store extraction window grows\nunboundedly. `getExtractionWindow`
always sets `toDateISO = now - delay`\nwhile `fromDateISO` advances only
via `lastExecutionTimestamp /\npaginationTimestamp`. If a run cannot
keep up, each subsequent run sees\na wider window. The probe
(`buildLogPaginationCursorProbeEsql`) sorts\nevery doc in that window in
ES|QL, so probe cost grows with window size\n— feeding a death-spiral
where slow runs widen the window which slows\nthe next run
further.\n\nWe want a hard cap on the width of each probe's window so
that probe\ncost stays bounded regardless of how far behind the engine
is. The cap\nis purely a cost-bounding device for the probe — it does
not\nartificially defer catch-up to a later run.\n\nWithin a single
extractLogs execution, once a capped sub-window is\ndrained we
immediately advance to the next sub-window and continue,\nuntil we reach
the effective window end (now - delay). Only when a run\nis interrupted
(crash, abort, hitting a slow probe) do we resume on the\nnext scheduled
run from the last persisted lastExecutionTimestamp.\n\n### How it
works\n\nWhen the gap between `fromDateISO` and the effective window end
(`now -\ndelay`) exceeds `maxTimeWindowSize + GRACE_PERIOD` (default
`15m +\n30s`), the run processes the time range as a sequence of
capped\n`[fromSub, toSub]` sub-windows of width `maxTimeWindowSize`,
advancing\nwithin a single execution until the effective end is
reached.\nSub-windows are an in-memory iteration concept — the
saved-object schema\nis unaware of them. Crash recovery uses the
per-slice persistence\nemitted by the inner outer-loop (last
`paginationTimestamp` /\n`checkpointTimestamp` written). Manual
`specificWindow` /\n`windowOverride` runs bypass capping and run as a
single pass.\n\n\n### Added\n\n- `maxTimeWindowSize` parameter to the
global configuration, available\non install and update paths. Also
exposed via status api\n\n\n### Why default 15m\n\n`15m` seems to be an
ok cap based on the default `3h` look back period.\nA too short `1m`
will cause 180 queries to elasticsearch. `15m` will\ncause only
12.\n\nThis will need to be configured on heavy environments where `15m`
worth\nof data account for millions of
logs.\n\n---------\n\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"555237a0dba491c31901c1b3323f667ecb580a0d"}}]}]
BACKPORT-->

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>

Author: romulets

oas_docs/output/kibana.serverless.yaml

@@ -62714,6 +62714,10 @@ paths:
                       maximum: 9007199254740991
                       minimum: 1
                       type: integer
+                    excludedIndexPatterns:
+                      items:
+                        type: string
+                      type: array
                     fieldHistoryLength:
                       maximum: 9007199254740991
                       minimum: -9007199254740991
@@ -62730,6 +62734,9 @@ paths:
                       maximum: 9007199254740991
                       minimum: 1
                       type: integer
+                    maxTimeWindowSize:
+                      pattern: '[smdh]$'
+                      type: string
               required:
                 - logExtraction
       responses:
@@ -70346,6 +70353,11 @@ paths:
                       maximum: 9007199254740991
                       minimum: 1
                       type: integer
+                    excludedIndexPatterns:
+                      default: []
+                      items:
+                        type: string
+                      type: array
                     fieldHistoryLength:
                       default: 10
                       maximum: 9007199254740991
@@ -70367,6 +70379,10 @@ paths:
                       maximum: 9007199254740991
                       minimum: 1
                       type: integer
+                    maxTimeWindowSize:
+                      default: 15m
+                      pattern: '[smdh]$'
+                      type: string
       responses:
         '200':
           content:

oas_docs/output/kibana.yaml

@@ -66707,6 +66707,10 @@ paths:
                       maximum: 9007199254740991
                       minimum: 1
                       type: integer
+                    excludedIndexPatterns:
+                      items:
+                        type: string
+                      type: array
                     fieldHistoryLength:
                       maximum: 9007199254740991
                       minimum: -9007199254740991
@@ -66723,6 +66727,9 @@ paths:
                       maximum: 9007199254740991
                       minimum: 1
                       type: integer
+                    maxTimeWindowSize:
+                      pattern: '[smdh]$'
+                      type: string
               required:
                 - logExtraction
       responses:
@@ -74339,6 +74346,11 @@ paths:
                       maximum: 9007199254740991
                       minimum: 1
                       type: integer
+                    excludedIndexPatterns:
+                      default: []
+                      items:
+                        type: string
+                      type: array
                     fieldHistoryLength:
                       default: 10
                       maximum: 9007199254740991
@@ -74360,6 +74372,10 @@ paths:
                       maximum: 9007199254740991
                       minimum: 1
                       type: integer
+                    maxTimeWindowSize:
+                      default: 15m
+                      pattern: '[smdh]$'
+                      type: string
       responses:
         '200':
           content:

packages/kbn-check-saved-objects-cli/src/migrations/__fixtures__/entity-store-global-state/10.2.0.json

@@ -0,0 +1,38 @@
+{
+  "10.1.0": [
+    {
+      "historySnapshot": {
+        "status": "stopped",
+        "frequency": "1h"
+      },
+      "logsExtraction": {
+        "additionalIndexPatterns": [],
+        "fieldHistoryLength": 10,
+        "lookbackPeriod": "24h",
+        "delay": "2m",
+        "docsLimit": 10000,
+        "timeout": "30s",
+        "frequency": "1h"
+      }
+    }
+  ],
+  "10.2.0": [
+    {
+      "historySnapshot": {
+        "status": "stopped",
+        "frequency": "1h"
+      },
+      "logsExtraction": {
+        "additionalIndexPatterns": [],
+        "fieldHistoryLength": 10,
+        "lookbackPeriod": "24h",
+        "delay": "2m",
+        "docsLimit": 10000,
+        "timeout": "30s",
+        "frequency": "1h",
+        "excludedIndexPatterns": [],
+        "maxTimeWindowSize": "15m"
+      }
+    }
+  ]
+}

src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts

@@ -105,7 +105,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "entity-engine-descriptor-v2": "44b60aa3d3d4583082b58500b297f2dddb4ffc14b77ad1d568b70536ca4ae787",
         "entity-engine-status": "005903620a00737932aa54ae57817b078810b2f71cc42e7715d1c22c5e5b715e",
         "entity-store-ccs-state": "79b9cdbb27444593a2c07a4384313ea37c8399604f016e9d633b71cb9c937489",
-        "entity-store-global-state": "8581bc65d1b2bf6d0218b693509129a2515599aeff8933d85353a3fb28d52bda",
+        "entity-store-global-state": "eb60227cc1e7be835ed87a912b8bb7ed5a05fa5bd9c48948496ca4d47fc5d102",
         "epm-packages": "46e4129dba3ac33d4924239672169f12ad75536e9f44f695964220a80ebfeaca",
         "epm-packages-assets": "1095b56fabdeb3994a60f4da02e87179dfaf57d5bb23b97458129bf14c66b46e",
         "event-annotation-group": "21141aa64bba4d05ee6ebe0b0d75475452bca50e73f902a38800457d0727014d",
@@ -666,6 +666,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "entity-store-global-state|global: f625b80f055d7a5a819b3b312d6cf51a5e10b61f",
         "entity-store-global-state|mappings: e1b10e5bec060a176469a5e9a4f80c94e23abcd7",
         "entity-store-global-state|schemas: da39a3ee5e6b4b0d3255bfef95601890afd80709",
+        "entity-store-global-state|10.2.0: 01078c5bd2f6664e89eab8e3e5e6de6ee23fc1fd9b00b88919ff568f4abd5c09",
         "entity-store-global-state|10.1.0: e142dccd899fda050613a1fc6414807296969934f97cbebe4a2b1dd02d20a4a0",
         "==================================================================================================",
         "epm-packages|global: 9d90d41b665a6b53aa6e984ad0e100ff733e05b9",
@@ -1480,7 +1481,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "entity-engine-descriptor-v2": "10.5.0",
         "entity-engine-status": "10.2.0",
         "entity-store-ccs-state": "10.1.0",
-        "entity-store-global-state": "10.1.0",
+        "entity-store-global-state": "10.2.0",
         "epm-packages": "10.8.0",
         "epm-packages-assets": "10.0.0",
         "event-annotation-group": "10.0.0",
@@ -1648,7 +1649,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "entity-engine-descriptor-v2": "10.5.0",
         "entity-engine-status": "10.2.0",
         "entity-store-ccs-state": "10.1.0",
-        "entity-store-global-state": "10.1.0",
+        "entity-store-global-state": "10.2.0",
         "epm-packages": "10.8.0",
         "epm-packages-assets": "0.0.0",
         "event-annotation-group": "0.0.0",

x-pack/solutions/security/plugins/entity_store/server/domain/logs_extraction/PAGINATION.md

@@ -1,6 +1,8 @@
 # Logs Extraction Pagination
 
-Two nested loops process raw log documents into aggregated entity rows.
+Three nested loops process raw log documents into aggregated entity rows.
+
+**Window cap outer loop**: When the gap between `fromDateISO` and the effective window end (`now - delay`) exceeds `maxTimeWindowSize + GRACE_PERIOD` (default `15m + 30s`), the run processes the time range as a sequence of capped `[fromSub, toSub]` sub-windows of width `maxTimeWindowSize`, advancing within a single execution until the effective end is reached. Sub-windows are an in-memory iteration concept — the saved-object schema is unaware of them. Crash recovery uses the per-slice persistence emitted by the inner outer-loop (last `paginationTimestamp` / `checkpointTimestamp` written). Manual `specificWindow` / `windowOverride` runs bypass capping and run as a single pass.
 
 **Outer loop — log slices**: Each iteration runs a **boundary probe** (`buildLogPaginationCursorProbeEsql`) to locate the inclusive end of the next raw-log slice (up to `maxLogsPerPage` documents, sorted by `@timestamp ASC, _id ASC`). The probe returns `total_logs` (count before `LIMIT`) so the client knows when the window is exhausted.
 
@@ -12,7 +14,7 @@ Two nested loops process raw log documents into aggregated entity rows.
 
 | Cursor | Persisted fields | Semantics |
 |--------|-----------------|-----------|
-| **Log slice start** | `logsPageCursorStartTimestamp/Id` | Exclusive compound lower bound `(@timestamp, _id)` for the next probe. Set to the previous slice end after completing all entity pages. |
+| **Log slice start** | `logsPageCursorStartTimestamp/Id` | Exclusive compound lower bound `(@timestamp, _id)` for the next probe. Set to the previous slice end after completing all entity pages. Doubles as the resume point on crash mid-run — no separate sub-window checkpoint is persisted. |
 | **Log slice end** | `logsPageCursorEndTimestamp/Id` | Inclusive upper bound for the current slice. Set by the probe; cleared when the slice is fully processed. |
 | **Entity cursor** | `paginationTimestamp/Id` | `(FirstSeenLogInPage, UntypedId)` of the last ingested entity page. Cleared when a slice finishes. |
 
@@ -92,6 +94,39 @@ If the process crashes mid inner-loop, `paginationId` is set in the saved state.
 
 ---
 
+## Lagging environment: multiple sub-windows in one run
+
+When `effectiveWindowEnd - fromDateISO > maxTimeWindowSize + GRACE_PERIOD`, the time range is processed as a sequence of capped sub-windows within a single `extractLogs` run. Each sub-window runs the existing slice/entity loops to completion. Persistence between sub-windows is whatever the inner outer-loop already wrote (per-slice `paginationTimestamp`); no extra checkpoint round-trip is added.
+
+```mermaid
+sequenceDiagram
+    participant C as Client
+    participant ES as Elasticsearch
+    Note over C: fromDateISO=T0, effectiveEnd=T0+15m, cap=5m
+
+    rect rgb(240, 240, 240)
+    Note over C: sub-window 1: [T0, T0+5m]
+    C->>ES: probe → slice end, then extract + ingest entities
+    Note over C: per-slice persistence: paginationTimestamp = lastSliceEnd_ts
+    end
+
+    rect rgb(240, 240, 240)
+    Note over C: sub-window 2: [T0+5m, T0+10m] (in-memory advance)
+    C->>ES: probe → slice end, then extract + ingest entities
+    end
+
+    rect rgb(240, 240, 240)
+    Note over C: sub-window 3: [T0+10m, T0+15m] (effective end — not capped)
+    C->>ES: probe → slice end, then extract + ingest entities
+    end
+
+    Note over C: final cleanup: clear all cursors, set lastExecutionTimestamp = T0+15m
+```
+
+If the process is aborted between sub-windows, recovery resumes from the last persisted slice end (`paginationTimestamp` set by the inner outer-loop after the most recently completed slice) — not from a sub-window boundary. The next run re-establishes its own sub-window cap from that resume point.
+
+---
+
 ## Recovery
 
 A crash mid-entity-page leaves the following state on disk:
@@ -126,10 +161,16 @@ sequenceDiagram
 
 The entity-level pagination WHERE uses `> T_ent OR (= T_ent AND untypedId > E_ent)` — entities already ingested before the crash are skipped; the slice is re-established from `T_ent` inclusive.
 
+A crash *between* sub-windows is indistinguishable from a crash at a slice boundary: the most recently persisted state is `paginationTimestamp = lastSliceEnd_ts` (from the inner outer-loop's per-slice `advanceEngineStateAfterLogPageCompletes`). The next run reads that as `fromDateISO` and re-establishes the sub-window cap from there — re-fetching the slice-boundary doc itself, which is harmless under the idempotent aggregations (`TOP`, `LAST`, `MIN`, `MV_UNION`).
+
 ---
 
 ## Edge cases
 
+### Cap interaction with `specificWindow` / `windowOverride`
+
+When a manual window is supplied (admin-triggered API call), the sub-window cap is bypassed and the supplied bounds are processed in a single pass via the existing slice/entity loops. State is not advanced — the user explicitly picked the bounds, and we do not silently shorten or shift them.
+
 ### Timestamp collision at a slice boundary
 
 The compound cursor `(@timestamp = T AND _id > id)` is essential when multiple documents share the same millisecond timestamp. If the base time-window filter used `@timestamp > fromDateISO` (exclusive) and `fromDateISO == T`, all same-timestamp documents would be discarded before the compound filter could apply — permanently losing them.

x-pack/solutions/security/plugins/entity_store/server/domain/logs_extraction/ccs_logs_extraction_client.test.ts

@@ -76,6 +76,9 @@ describe('CcsLogsExtractionClient', () => {
     lookbackPeriod: '3h',
     delay: '1m',
     entityDefinition: getEntityDefinition('host', 'default'),
+    // Use a very large cap so existing tests remain a single sub-window. The sub-window cap
+    // behavior is exercised by the dedicated tests at the end of this describe block.
+    maxTimeWindowSize: '999d',
   };
 
   beforeEach(() => {
@@ -472,4 +475,102 @@ describe('CcsLogsExtractionClient', () => {
     expect(mockExecuteEsqlQuery).not.toHaveBeenCalled();
     expect(mockCcsStateClient.clearRecoveryId).not.toHaveBeenCalled();
   });
+
+  describe('sub-window cap', () => {
+    it('walks the time window in capped sub-windows when checkpointTimestamp is far behind effectiveWindowEnd', async () => {
+      // FIXED_NOW = 2026-01-01T12:00 ; delay = 1m → effectiveWindowEnd = 2026-01-01T11:59
+      // checkpoint = 2026-01-01T11:29 → window ~30m, cap=5m, grace=30s → 6 sub-windows.
+      const checkpoint = '2026-01-01T11:29:00.000Z';
+      mockCcsStateClient.findOrInit.mockResolvedValue({
+        checkpointTimestamp: checkpoint,
+        paginationRecoveryId: null,
+      });
+      // Each sub-window probe returns empty (no logs), so the inner outer-loop terminates
+      // immediately and never persists per-slice checkpoints. No state updates occur.
+      mockExecuteEsqlQuery.mockResolvedValue(emptyProbeResponse);
+
+      const result = await client.extractToUpdates({
+        ...defaultExtractParams,
+        maxTimeWindowSize: '5m',
+      });
+
+      expect(result).toEqual({ count: 0, pages: 0 });
+      // 6 sub-windows × 1 probe each.
+      expect(mockExecuteEsqlQuery).toHaveBeenCalledTimes(6);
+      // No per-sub-window checkpoint persistence — inner per-slice persistence is the only
+      // mechanism, and it didn't fire because every probe was empty.
+      expect(mockCcsStateClient.update).not.toHaveBeenCalled();
+      // count=0 across all sub-windows → clearRecoveryId
+      expect(mockCcsStateClient.clearRecoveryId).toHaveBeenCalledWith('host');
+    });
+
+    it('does not cap when the gap is within maxTimeWindowSize + grace', async () => {
+      // Window ~ 5m + 10s, cap = 5m, grace = 30s → no cap, single sub-window.
+      const checkpoint = '2026-01-01T11:53:50.000Z';
+      mockCcsStateClient.findOrInit.mockResolvedValue({
+        checkpointTimestamp: checkpoint,
+        paginationRecoveryId: null,
+      });
+      mockExecuteEsqlQuery.mockResolvedValueOnce(emptyProbeResponse);
+
+      await client.extractToUpdates({
+        ...defaultExtractParams,
+        maxTimeWindowSize: '5m',
+      });
+
+      expect(mockExecuteEsqlQuery).toHaveBeenCalledTimes(1);
+      // Empty probe → no per-slice state updates either.
+      expect(mockCcsStateClient.update).not.toHaveBeenCalled();
+    });
+
+    it('bypasses the sub-window cap when windowOverride is provided', async () => {
+      const overrideFrom = '2024-01-01T00:00:00.000Z';
+      const overrideTo = '2024-12-31T23:59:00.000Z'; // ~1y, exceeds the 5m cap
+
+      mockExecuteEsqlQuery.mockResolvedValueOnce(emptyProbeResponse);
+
+      await client.extractToUpdates({
+        ...defaultExtractParams,
+        maxTimeWindowSize: '5m',
+        windowOverride: { fromDateISO: overrideFrom, toDateISO: overrideTo },
+      });
+
+      // Single probe over the full user-supplied window — no sub-window splitting.
+      expect(mockExecuteEsqlQuery).toHaveBeenCalledTimes(1);
+      const probeQuery = mockExecuteEsqlQuery.mock.calls[0][0].query as string;
+      expect(probeQuery).toContain(overrideFrom);
+      expect(probeQuery).toContain(overrideTo);
+      // Override runs do not touch CCS state.
+      expect(mockCcsStateClient.findOrInit).not.toHaveBeenCalled();
+      expect(mockCcsStateClient.update).not.toHaveBeenCalled();
+    });
+
+    it('passes monotonically advancing fromDateISO/toDateISO to each sub-window probe', async () => {
+      const checkpoint = '2026-01-01T11:44:00.000Z'; // 15m before effectiveWindowEnd
+      mockCcsStateClient.findOrInit.mockResolvedValue({
+        checkpointTimestamp: checkpoint,
+        paginationRecoveryId: null,
+      });
+      mockExecuteEsqlQuery.mockResolvedValue(emptyProbeResponse);
+
+      await client.extractToUpdates({
+        ...defaultExtractParams,
+        maxTimeWindowSize: '5m',
+      });
+
+      expect(mockExecuteEsqlQuery).toHaveBeenCalledTimes(3);
+
+      const subWindow1 = mockExecuteEsqlQuery.mock.calls[0][0].query as string;
+      expect(subWindow1).toContain('2026-01-01T11:44:00.000Z');
+      expect(subWindow1).toContain('2026-01-01T11:49:00.000Z');
+
+      const subWindow2 = mockExecuteEsqlQuery.mock.calls[1][0].query as string;
+      expect(subWindow2).toContain('2026-01-01T11:49:00.000Z');
+      expect(subWindow2).toContain('2026-01-01T11:54:00.000Z');
+
+      const subWindow3 = mockExecuteEsqlQuery.mock.calls[2][0].query as string;
+      expect(subWindow3).toContain('2026-01-01T11:54:00.000Z');
+      expect(subWindow3).toContain('2026-01-01T11:59:00.000Z');
+    });
+  });
 });