[Security Solution] Rule incorrectly reports gap when modifying interval while disabled and then re-enabling

[spong]

First identified in 8.8/main (in testing https://github.com/elastic/kibana/pull/155384), but based on the issue this probably has existed since the initial implementation of the Detection Engine/Gap Detection logic. This is very low impact based on the reproduction steps, but logging for future iterations of our gap detection/remediation logic.

Summary

If a previously executed disabled rule's interval is modified to be less than the previous interval, when it is re-enabled a gap will be reported even though it is just being re-enabled.

Reproduction steps

• Create rule with a 10min interval and let it run once, then disable.
• Edit rule to have a 10sec interval
• Wait a few minutes
• Enable rule and observe false gap warning (with duration being since its last execution)

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[yctercero]

@nkhristinin are we fixing this as part of manual rule runs work?

[nkhristinin]

@yctercero I can look into that as part of gaps work, it's should not affect manual rule runs

[yctercero]

@nkhristinin @approksiu this goes to the definition of a gap and I think I would argue that we should indeed not treat this as a reported gap (when rules are disabled).