[Security Solution] Add alerts_suppressed_count metrics tests for all rule types (elastic#262662)

**Epic:** elastic/security-team#15617 (internal)
**Relates to:** elastic#257203

## Summary

Adds `alerts_suppressed_count` rule execution metric functional tests to make sure we log this metric correctly.

## Changes

- Add integration test coverage for the `alerts_suppressed_count` execution metric across all detection rule types (EQL, ES|QL, indicator match, ML, new terms, custom query, threshold)
- Each rule type gets two tests: verifying the count is 0 when no suppression is configured and verifying the correct count when alerts are suppressed
- Refactor ML metrics tests to use inline document indexing instead of heavy esArchiver/ML module setup
- Update `getLatestSecurityRuleExecutionMetricsFromEventLog` to accept an options object for better extensibility

## Flaky Test Runs

- ✅  [EQL ESS + Serverless x100](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/11567)
- 🟡   [ES|QL ESS + Serverless x100](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/11569) (one of the Serverless runs failed during setup with `index_not_found_exception: no such index [.kibana_streams]`. It looks like a flakiness in the test setup and not in the tests themselves).
- ✅  [Machine Learning ESS + Serverless x100](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/11549)
- ✅  [Indicator Match ESS + Serverless x100](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/11561)
- ✅  [New Terms ESS + Serverless x100](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/11559)
- ✅  [Threshold ESS + Serverless x100](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/11557)
- ✅  [Custom Query ESS + Serverless x100](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/11553)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Author: maximpn

x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/eql/trial_license_complete_tier/eql_metrics.ts

@@ -226,6 +226,74 @@ export default ({ getService }: FtrProviderContext) => {
           expect(alerts_candidate_count).toBe(2);
         });
       });
+
+      describe('alerts_suppressed_count', () => {
+        it('records alerts_suppressed_count as 0 when no suppression is configured', async () => {
+          const timestamp = new Date().toISOString();
+          const document = {
+            '@timestamp': timestamp,
+            host: {
+              name: 'test',
+            },
+          };
+          const rule = getEqlRuleParams({
+            index: ['test-data-1'],
+            query: 'any where true',
+            from: 'now-35m',
+            interval: '30m',
+            enabled: true,
+          });
+
+          await indexListOfSourceDocuments([document]);
+
+          const createdRule = await createRule(supertest, log, rule);
+          const alerts = await getOpenAlerts(supertest, log, es, createdRule);
+
+          expect(alerts.hits.hits).toHaveLength(1);
+
+          const { alerts_suppressed_count } =
+            await getLatestSecurityRuleExecutionMetricsFromEventLog(es, log, createdRule.id);
+
+          expect(alerts_suppressed_count).toBe(0);
+        });
+
+        it('records alerts_suppressed_count when alerts are suppressed', async () => {
+          const timestamp = new Date().toISOString();
+          const document = {
+            '@timestamp': timestamp,
+            host: {
+              name: 'host-suppression-metrics',
+            },
+          };
+          const rule = getEqlRuleParams({
+            index: ['test-data-1'],
+            query: 'any where true',
+            alert_suppression: {
+              group_by: ['host.name'],
+              duration: {
+                value: 300,
+                unit: 'm',
+              },
+              missing_fields_strategy: 'suppress',
+            },
+            from: 'now-35m',
+            interval: '30m',
+            enabled: true,
+          });
+
+          await indexListOfSourceDocuments([document, document]);
+
+          const createdRule = await createRule(supertest, log, rule);
+          const alerts = await getOpenAlerts(supertest, log, es, createdRule);
+
+          expect(alerts.hits.hits).toHaveLength(1);
+
+          const { alerts_suppressed_count } =
+            await getLatestSecurityRuleExecutionMetricsFromEventLog(es, log, createdRule.id);
+
+          expect(alerts_suppressed_count).toBe(1);
+        });
+      });
     });
   });
 };

x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql_metrics.ts

@@ -199,6 +199,68 @@ export default ({ getService }: FtrProviderContext) => {
           expect(alerts_candidate_count).toBe(2);
         });
       });
+
+      describe('alerts_suppressed_count', () => {
+        it('records alerts_suppressed_count as 0 when no suppression is configured', async () => {
+          const timestamp = new Date().toISOString();
+          const document = {
+            '@timestamp': timestamp,
+            host: { name: 'test-1' },
+          };
+          const rule = getEsqlRuleParams({
+            query: 'from test-data-1 metadata _id, _index, _version',
+            from: 'now-35m',
+            interval: '30m',
+            enabled: true,
+          });
+
+          await indexListOfSourceDocuments([document]);
+
+          const createdRule = await createRule(supertest, log, rule);
+          const alerts = await getOpenAlerts(supertest, log, es, createdRule);
+
+          expect(alerts.hits.hits).toHaveLength(1);
+
+          const { alerts_suppressed_count } =
+            await getLatestSecurityRuleExecutionMetricsFromEventLog(es, log, createdRule.id);
+
+          expect(alerts_suppressed_count).toBe(0);
+        });
+
+        it('records alerts_suppressed_count when alerts are suppressed', async () => {
+          const timestamp = new Date().toISOString();
+          const document = {
+            '@timestamp': timestamp,
+            host: { name: 'test-1' },
+          };
+          const rule = getEsqlRuleParams({
+            query: 'from test-data-1 metadata _id, _index, _version',
+            alert_suppression: {
+              group_by: ['host.name'],
+              duration: {
+                value: 300,
+                unit: 'm',
+              },
+              missing_fields_strategy: 'suppress',
+            },
+            from: 'now-35m',
+            interval: '30m',
+            enabled: true,
+          });
+
+          await indexListOfSourceDocuments([document, document]);
+
+          const createdRule = await createRule(supertest, log, rule);
+          const alerts = await getOpenAlerts(supertest, log, es, createdRule);
+
+          expect(alerts.hits.hits).toHaveLength(1);
+
+          const { alerts_suppressed_count } =
+            await getLatestSecurityRuleExecutionMetricsFromEventLog(es, log, createdRule.id);
+
+          expect(alerts_suppressed_count).toBe(1);
+        });
+      });
     });
   });
 };

x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/indicator_match/trial_license_complete_tier/indicator_match_metrics.ts

@@ -255,6 +255,84 @@ export default ({ getService }: FtrProviderContext) => {
           expect(alerts_candidate_count).toBe(2);
         });
       });
+
+      describe('alerts_suppressed_count', () => {
+        it('records alerts_suppressed_count as 0 when no suppression is configured', async () => {
+          const timestamp = new Date().toISOString();
+          const threatIndicatorDocument = {
+            '@timestamp': timestamp,
+            host: { name: 'test-1' },
+          };
+          const document = {
+            '@timestamp': timestamp,
+            host: { name: 'test-1' },
+          };
+          const rule = getThreatMatchRuleParams({
+            threat_query: '*:*',
+            threat_index: ['ti_test_1'],
+            query: '*:*',
+            index: ['test-data-1'],
+            from: 'now-35m',
+            interval: '30m',
+            enabled: true,
+          });
+
+          await indexThreatIndicatorDocuments([threatIndicatorDocument]);
+          await indexListOfSourceDocuments([document]);
+
+          const createdRule = await createRule(supertest, log, rule);
+          const alerts = await getOpenAlerts(supertest, log, es, createdRule);
+
+          expect(alerts.hits.hits).toHaveLength(1);
+
+          const { alerts_suppressed_count } =
+            await getLatestSecurityRuleExecutionMetricsFromEventLog(es, log, createdRule.id);
+
+          expect(alerts_suppressed_count).toBe(0);
+        });
+
+        it('records alerts_suppressed_count when alerts are suppressed', async () => {
+          const timestamp = new Date().toISOString();
+          const threatIndicatorDocument = {
+            '@timestamp': timestamp,
+            host: { name: 'test-1' },
+          };
+          const document = {
+            '@timestamp': timestamp,
+            host: { name: 'test-1' },
+          };
+          const rule = getThreatMatchRuleParams({
+            threat_query: '*:*',
+            threat_index: ['ti_test_1'],
+            query: '*:*',
+            index: ['test-data-1'],
+            from: 'now-35m',
+            interval: '30m',
+            alert_suppression: {
+              group_by: ['host.name'],
+              duration: {
+                value: 300,
+                unit: 'm',
+              },
+              missing_fields_strategy: 'suppress',
+            },
+            enabled: true,
+          });
+
+          await indexThreatIndicatorDocuments([threatIndicatorDocument]);
+          await indexListOfSourceDocuments([document, document]);
+
+          const createdRule = await createRule(supertest, log, rule);
+          const alerts = await getOpenAlerts(supertest, log, es, createdRule);
+
+          expect(alerts.hits.hits).toHaveLength(1);
+
+          const { alerts_suppressed_count } =
+            await getLatestSecurityRuleExecutionMetricsFromEventLog(es, log, createdRule.id);
+
+          expect(alerts_suppressed_count).toBe(1);
+        });
+      });
     });
   });
 };

x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning_metrics.ts

@@ -11,32 +11,22 @@ import type { Anomaly } from '@kbn/security-solution-plugin/server/lib/machine_l
 import {
   getMLRuleParams,
   dataGeneratorFactory,
-  forceStartDatafeeds,
   getLatestSecurityRuleExecutionMetricsFromEventLog,
   getOpenAlerts,
-  setupMlModulesWithRetry,
 } from '../../../../utils';
 import type { FtrProviderContext } from '../../../../../../ftr_provider_context';
-import { EsArchivePathBuilder } from '../../../../../../es_archive_path_builder';
 
 export default ({ getService }: FtrProviderContext) => {
   const supertest = getService('supertest');
-  const esArchiver = getService('esArchiver');
   const es = getService('es');
   const log = getService('log');
-  const config = getService('config');
-  const retry = getService('retry');
 
-  const isServerless = config.get('serverless');
-  const dataPathBuilder = new EsArchivePathBuilder(isServerless);
-  const auditPath = dataPathBuilder.getPath('auditbeat/hosts');
-
-  const siemModule = 'security_linux_v3';
   const mlJobId = 'v3_linux_anomalous_network_activity_ea';
+  const sourceEventsIndexName = '.ml-anomalies-custom-v3_linux_anomalous_network_activity_ea';
 
   const { indexListOfDocuments } = dataGeneratorFactory({
     es,
-    index: '.ml-anomalies-custom-v3_linux_anomalous_network_activity_ea',
+    index: sourceEventsIndexName,
     log,
   });
 
@@ -58,25 +48,12 @@ export default ({ getService }: FtrProviderContext) => {
   };
 
   describe('@ess @serverless Rule execution metrics for Machine Learning rules', () => {
-    before(async () => {
-      await esArchiver.load(auditPath);
-      await setupMlModulesWithRetry({ module: siemModule, supertest, retry });
-      await forceStartDatafeeds({ jobId: mlJobId, rspCode: 200, supertest });
-      await esArchiver.load(
-        'x-pack/solutions/security/test/fixtures/es_archives/security_solution/anomalies'
-      );
-    });
-
-    after(async () => {
-      await esArchiver.unload(auditPath);
-      await esArchiver.unload(
-        'x-pack/solutions/security/test/fixtures/es_archives/security_solution/anomalies'
-      );
-      await deleteAllAlerts(supertest, log, es);
-      await deleteAllRules(supertest, log);
-    });
-
     beforeEach(async () => {
+      await es.indices.delete({
+        index: sourceEventsIndexName,
+        ignore_unavailable: true,
+      });
+
       await deleteAllAlerts(supertest, log, es);
       await deleteAllRules(supertest, log);
     });
@@ -108,13 +85,19 @@ export default ({ getService }: FtrProviderContext) => {
 
       describe('alerts_candidate_count', () => {
         it('records alerts_candidate_count value', async () => {
+          const timestamp = new Date().toISOString();
+          const anomaly = {
+            ...baseAnomaly,
+            timestamp,
+          };
+          await indexListOfDocuments([anomaly]);
+
           const createdRule = await createRule(
             supertest,
             log,
             getMLRuleParams({
               ...sharedMlRuleRewrites,
               anomaly_threshold: 30,
-              from: '1900-01-01T00:00:00.000Z',
               enabled: true,
             })
           );
@@ -160,6 +143,67 @@ export default ({ getService }: FtrProviderContext) => {
           expect(alerts_candidate_count).toBe(2);
         });
       });
+
+      describe('alerts_suppressed_count', () => {
+        it('records alerts_suppressed_count as 0 when no suppression is configured', async () => {
+          const timestamp = new Date().toISOString();
+          const anomaly = {
+            ...baseAnomaly,
+            timestamp,
+          };
+          await indexListOfDocuments([anomaly]);
+
+          const createdRule = await createRule(
+            supertest,
+            log,
+            getMLRuleParams({
+              ...sharedMlRuleRewrites,
+              anomaly_threshold: 30,
+              enabled: true,
+            })
+          );
+          const alerts = await getOpenAlerts(supertest, log, es, createdRule);
+
+          expect(alerts.hits.hits).toHaveLength(1);
+
+          const { alerts_suppressed_count } =
+            await getLatestSecurityRuleExecutionMetricsFromEventLog(es, log, createdRule.id);
+
+          expect(alerts_suppressed_count).toBe(0);
+        });
+
+        it('records alerts_suppressed_count when alerts are suppressed', async () => {
+          const timestamp = new Date().toISOString();
+          const anomaly = {
+            ...baseAnomaly,
+            timestamp,
+          };
+          await indexListOfDocuments([anomaly, anomaly]);
+
+          const createdRule = await createRule(
+            supertest,
+            log,
+            getMLRuleParams({
+              ...sharedMlRuleRewrites,
+              anomaly_threshold: 40,
+              enabled: true,
+              alert_suppression: {
+                group_by: ['user.name'],
+                missing_fields_strategy: 'suppress',
+              },
+              from: timestamp,
+            })
+          );
+          const alerts = await getOpenAlerts(supertest, log, es, createdRule);
+
+          expect(alerts.hits.hits).toHaveLength(1);
+
+          const { alerts_suppressed_count } =
+            await getLatestSecurityRuleExecutionMetricsFromEventLog(es, log, createdRule.id);
+
+          expect(alerts_suppressed_count).toBe(1);
+        });
+      });
     });
   });
 };