diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/rule_exceptions_execution.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/rule_exceptions_execution.ts index d46e87fe0340d..d284a8b586bcc 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/rule_exceptions_execution.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/rule_exceptions_execution.ts @@ -122,7 +122,7 @@ export default ({ getService }: FtrProviderContext) => { await waitForRuleSuccess({ supertest, log, id: createdId }); await waitForAlertsToBePresent(supertest, log, 10, [createdId]); const alertsOpen = await getAlertsByIds(supertest, log, [createdId]); - expect(alertsOpen.hits.hits.length).toEqual(10); + expect(alertsOpen.hits.hits).toHaveLength(10); }); it('should be able to execute against an exception list that does include valid entries and get back 0 alerts', async () => { @@ -149,7 +149,7 @@ export default ({ getService }: FtrProviderContext) => { ], ]); const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule); - expect(alertsOpen.hits.hits.length).toEqual(0); + expect(alertsOpen.hits.hits).toHaveLength(0); }); it('should be able to execute against an exception list that does include valid case sensitive entries and get back 0 alerts', async () => { 
@@ -201,10 +201,10 @@ export default ({ getService }: FtrProviderContext) => { const alertsOpen2 = await getOpenAlerts(supertest, log, es, createdRule2); // Expect alerts here because all values are "Ubuntu" // and exception is one of ["ubuntu"] - expect(alertsOpen.hits.hits.length).toEqual(10); + expect(alertsOpen.hits.hits).toHaveLength(10); // Expect no alerts here because all values are "Ubuntu" // and exception is one of ["ubuntu", "Ubuntu"] - expect(alertsOpen2.hits.hits.length).toEqual(0); + expect(alertsOpen2.hits.hits).toHaveLength(0); }); it('generates no alerts when an exception is added for an EQL rule', async () => { @@ -223,7 +223,7 @@ export default ({ getService }: FtrProviderContext) => { ], ]); const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule); - expect(alertsOpen.hits.hits.length).toEqual(0); + expect(alertsOpen.hits.hits).toHaveLength(0); }); it('generates no alerts when an exception is added for a threshold rule', async () => { @@ -245,7 +245,7 @@ export default ({ getService }: FtrProviderContext) => { ], ]); const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule); - expect(alertsOpen.hits.hits.length).toEqual(0); + expect(alertsOpen.hits.hits).toHaveLength(0); }); it('generates no alerts when an exception is added for a threat match rule', async () => { @@ -288,8 +288,9 @@ export default ({ getService }: FtrProviderContext) => { ], ]); const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule); - expect(alertsOpen.hits.hits.length).toEqual(0); + expect(alertsOpen.hits.hits).toHaveLength(0); }); + describe('rules with value list exceptions', () => { beforeEach(async () => { await createListsIndex(supertest, log); 
@@ -328,7 +329,7 @@ export default ({ getService }: FtrProviderContext) => { ], ]); const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule); - expect(alertsOpen.hits.hits.length).toEqual(0); + expect(alertsOpen.hits.hits).toHaveLength(0); }); it('generates no alerts when a value list exception is added for a threat match rule', async () => { @@ -376,7 +377,7 @@ export default ({ getService }: FtrProviderContext) => { ], ]); const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule); - expect(alertsOpen.hits.hits.length).toEqual(0); + expect(alertsOpen.hits.hits).toHaveLength(0); }); it('generates no alerts when a value list exception is added for a threshold rule', async () => { @@ -413,7 +414,7 @@ export default ({ getService }: FtrProviderContext) => { ], ]); const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule); - expect(alertsOpen.hits.hits.length).toEqual(0); + expect(alertsOpen.hits.hits).toHaveLength(0); }); it('generates no alerts when a value list exception is added for an EQL rule', async () => { @@ -438,8 +439,9 @@ export default ({ getService }: FtrProviderContext) => { ], ]); const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule); - expect(alertsOpen.hits.hits.length).toEqual(0); + expect(alertsOpen.hits.hits).toHaveLength(0); }); + it('should Not allow deleting value list when there are references and ignoreReferences is false', async () => { const valueListId = 'value-list-id.txt'; await importFile(supertest, log, 'keyword', ['suricata-sensor-amsterdam'], valueListId); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/eql/trial_license_complete_tier/eql.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/eql/trial_license_complete_tier/eql.ts index 672f1edb5cf57..992eecb407e8c 100644 
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/eql/trial_license_complete_tier/eql.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/eql/trial_license_complete_tier/eql.ts @@ -82,8 +82,7 @@ export default ({ getService }: FtrProviderContext) => { const auditPath = dataPathBuilder.getPath('auditbeat/hosts'); const packetBeatPath = dataPathBuilder.getPath('packetbeat/default'); - // FLAKY: https://github.com/elastic/kibana/issues/220943 - describe.skip('@ess @serverless @serverlessQA EQL type rules', () => { + describe('@ess @serverless @serverlessQA EQL type rules', () => { const { indexListOfDocuments } = dataGeneratorFactory({ es, index: 'ecs_compliant', @@ -120,7 +119,7 @@ export default ({ getService }: FtrProviderContext) => { }; const createdRule = await createRule(supertest, log, rule); const alerts = await getAlerts(supertest, log, es, createdRule); - kbnExpect(alerts.hits.hits.length).eql(1); + expect(alerts.hits.hits).toHaveLength(1); const fullAlert = alerts.hits.hits[0]._source; if (!fullAlert) { return kbnExpect(fullAlert).to.be.ok(); @@ -289,7 +288,7 @@ export default ({ getService }: FtrProviderContext) => { }; const { previewId } = await previewRule({ supertest, rule }); const previewAlerts = await getPreviewAlerts({ es, previewId, size: maxAlerts * 2 }); - kbnExpect(previewAlerts.length).eql(maxAlerts); + expect(previewAlerts).toHaveLength(maxAlerts); }); it('generates max alerts warning when circuit breaker is hit', async () => { 
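Review bot: The `describe.skip` on the EQL type rules suite is re-enabled at the top of the `@@ -82` hunk, but nothing in this or the following hunks touches the setup that made it flaky (the removed comment pointed at issue 220943); the other hunks only swap `kbnExpect(...length).eql(n)` for `expect(...).toHaveLength(n)`. If the root cause was fixed elsewhere, a short comment on the `describe` line such as `// Re-enabled after the fix for https://github.com/elastic/kibana/issues/220943` would let the next reader tell an intentional un-skip from a stray revert. The file now also mixes two assertion libraries: `expect(alerts.hits.hits).toHaveLength(1)` is immediately followed by `kbnExpect(fullAlert).to.be.ok()`, so migrating the remaining `kbnExpect` calls in a follow-up would keep the style consistent. The enclosing `describe` callback continues past the end of these hunks.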
@@ -308,7 +307,7 @@ export default ({ getService }: FtrProviderContext) => { }; const { previewId } = await previewRule({ supertest, rule }); const previewAlerts = await getPreviewAlerts({ es, previewId }); - kbnExpect(previewAlerts.length).eql(1); + expect(previewAlerts).toHaveLength(1); const fullAlert = previewAlerts[0]._source; if (!fullAlert) { return kbnExpect(fullAlert).to.be.ok(); @@ -378,7 +377,7 @@ export default ({ getService }: FtrProviderContext) => { }; const { previewId } = await previewRule({ supertest, rule }); const previewAlerts = await getPreviewAlerts({ es, previewId }); - kbnExpect(previewAlerts.length).eql(3); + expect(previewAlerts).toHaveLength(3); const createdAtHits = previewAlerts.map((hit) => hit._source?.created_at).sort(); kbnExpect(createdAtHits).to.eql([1622676785, 1622676790, 1622676795]); @@ -392,7 +391,7 @@ export default ({ getService }: FtrProviderContext) => { }; const { previewId } = await previewRule({ supertest, rule }); const previewAlerts = await getPreviewAlerts({ es, previewId }); - kbnExpect(previewAlerts.length).eql(3); + expect(previewAlerts).toHaveLength(3); const createdAtHits = previewAlerts.map((hit) => hit._source?.locale); kbnExpect(createdAtHits).to.eql(['es', 'pt', 'ua']); @@ -672,7 +671,7 @@ export default ({ getService }: FtrProviderContext) => { const previewAlerts = await getPreviewAlerts({ es, previewId, sort: ['agent.name'] }); - kbnExpect(previewAlerts).to.have.length(3); + expect(previewAlerts).toHaveLength(3); const buildingBlockAlerts = previewAlerts.filter( (alert) => alert._source?.['kibana.alert.building_block_type'] 
@@ -716,11 +715,11 @@ export default ({ getService }: FtrProviderContext) => { // For EQL rules, max_alerts is the maximum number of detected sequences: each sequence has a building block // alert for each event in the sequence, so max_alerts=200 results in 400 building blocks in addition to // 200 regular alerts - kbnExpect(previewAlerts.length).eql(maxAlerts * 3); + expect(previewAlerts).toHaveLength(maxAlerts * 3); const shellAlerts = previewAlerts.filter((alert) => alert._source?.[ALERT_DEPTH] === 2); const buildingBlocks = previewAlerts.filter((alert) => alert._source?.[ALERT_DEPTH] === 1); - kbnExpect(shellAlerts.length).eql(maxAlerts); - kbnExpect(buildingBlocks.length).eql(maxAlerts * 2); + expect(shellAlerts).toHaveLength(maxAlerts); + expect(buildingBlocks).toHaveLength(maxAlerts * 2); }); it('generates alerts when an index name contains special characters to encode', async () => { @@ -730,7 +729,7 @@ export default ({ getService }: FtrProviderContext) => { }; const { previewId } = await previewRule({ supertest, rule }); const previewAlerts = await getPreviewAlerts({ es, previewId }); - kbnExpect(previewAlerts.length).eql(1); + expect(previewAlerts).toHaveLength(1); }); it('uses the provided filters', async () => { @@ -776,7 +775,7 @@ export default ({ getService }: FtrProviderContext) => { }; const { previewId } = await previewRule({ supertest, rule }); const previewAlerts = await getPreviewAlerts({ es, previewId }); - kbnExpect(previewAlerts.length).eql(2); + expect(previewAlerts).toHaveLength(2); }); describe('with host risk index', () => { @@ -795,7 +794,7 @@ export default ({ getService }: FtrProviderContext) => { }; const { previewId } = await previewRule({ supertest, rule }); const previewAlerts = await getPreviewAlerts({ es, previewId }); - kbnExpect(previewAlerts.length).eql(1); + expect(previewAlerts).toHaveLength(1); const fullAlert = previewAlerts[0]._source; if (!fullAlert) { return kbnExpect(fullAlert).to.be.ok(); 
@@ -850,7 +849,7 @@ export default ({ getService }: FtrProviderContext) => { kbnExpect(_log.warnings).to.eql([expectedWarning]); const previewAlerts = await getPreviewAlerts({ es, previewId }); - kbnExpect(previewAlerts.length).to.be.greaterThan(0); + expect(previewAlerts).not.toHaveLength(0); }); it('specifying only timestamp_override results in alert creation with an kbnExpect.expected warning', async () => { @@ -868,7 +867,7 @@ export default ({ getService }: FtrProviderContext) => { kbnExpect(_log.warnings).to.eql([expectedWarning]); const previewAlerts = await getPreviewAlerts({ es, previewId }); - kbnExpect(previewAlerts.length).to.be.greaterThan(0); + expect(previewAlerts).not.toHaveLength(0); }); it('specifying both timestamp_override and timestamp_field results in alert creation with an kbnExpect.expected warning', async () => { @@ -887,7 +886,7 @@ export default ({ getService }: FtrProviderContext) => { kbnExpect(_log.warnings).to.eql([expectedWarning]); const previewAlerts = await getPreviewAlerts({ es, previewId }); - kbnExpect(previewAlerts.length).to.be.greaterThan(0); + expect(previewAlerts).not.toHaveLength(0); }); }); @@ -959,7 +958,7 @@ export default ({ getService }: FtrProviderContext) => { kbnExpect(_log.warnings).to.be.empty(); const previewAlerts = await getPreviewAlerts({ es, previewId }); - kbnExpect(previewAlerts).to.have.length(3); + expect(previewAlerts).toHaveLength(3); }); }); @@ -1034,7 +1033,7 @@ export default ({ getService }: FtrProviderContext) => { const createdRule = await createRule(supertest, log, rule); const alerts = await getAlerts(supertest, log, es, createdRule); - kbnExpect(alerts.hits.hits.length).equal(3); + expect(alerts.hits.hits).toHaveLength(3); kbnExpect(alerts.hits.hits[0]?._source?.[ALERT_RULE_EXECUTION_TYPE]).equal('scheduled'); const backfill = await scheduleRuleRun(supertest, [createdRule.id], { 
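Review bot: `expect(previewAlerts).not.toHaveLength(0)` in the three timestamp-override hunks (`@@ -850`, `@@ -868`, `@@ -887`) drops the positive claim the old `to.be.greaterThan(0)` made, and on failure Jest only reports that the array had length 0 rather than what was expected. `expect(previewAlerts.length).toBeGreaterThan(0)` keeps both the intent and the diagnostic, and reads the same as the other `toBeGreaterThan` assertion later in this file. The `it` bodies these assertions belong to start outside the hunks.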
@@ -1044,7 +1043,7 @@ export default ({ getService }: FtrProviderContext) => { await waitForBackfillExecuted(backfill, [createdRule.id], { supertest, log }); const allNewAlerts = await getAlerts(supertest, log, es, createdRule); - kbnExpect(allNewAlerts.hits.hits.length).equal(6); + expect(allNewAlerts.hits.hits).toHaveLength(6); kbnExpect(allNewAlerts.hits.hits[5]?._source?.[ALERT_RULE_EXECUTION_TYPE]).equal('manual'); const secondBackfill = await scheduleRuleRun(supertest, [createdRule.id], { @@ -1054,7 +1053,7 @@ export default ({ getService }: FtrProviderContext) => { await waitForBackfillExecuted(secondBackfill, [createdRule.id], { supertest, log }); const allNewAlertsAfter2ManualRuns = await getAlerts(supertest, log, es, createdRule); - kbnExpect(allNewAlertsAfter2ManualRuns.hits.hits.length).equal(6); + expect(allNewAlertsAfter2ManualRuns.hits.hits).toHaveLength(6); }); it('does not alert if the manual run overlaps with a previous scheduled rule execution', async () => { @@ -1093,7 +1092,7 @@ export default ({ getService }: FtrProviderContext) => { const createdRule = await createRule(supertest, log, rule); const alerts = await getAlerts(supertest, log, es, createdRule); - kbnExpect(alerts.hits.hits.length).equal(3); + expect(alerts.hits.hits).toHaveLength(3); const backfill = await scheduleRuleRun(supertest, [createdRule.id], { startDate: moment(firstTimestamp).subtract(5, 'm'), @@ -1102,7 +1101,7 @@ export default ({ getService }: FtrProviderContext) => { await waitForBackfillExecuted(backfill, [createdRule.id], { supertest, log }); const allNewAlerts = await getAlerts(supertest, log, es, createdRule); - kbnExpect(allNewAlerts.hits.hits.length).equal(3); + expect(allNewAlerts.hits.hits).toHaveLength(3); }); it('supression per rule execution should work for manual rule runs', async () => { 
@@ -1146,7 +1145,7 @@ export default ({ getService }: FtrProviderContext) => { const createdRule = await createRule(supertest, log, rule); const alerts = await getAlerts(supertest, log, es, createdRule); - kbnExpect(alerts.hits.hits.length).equal(0); + expect(alerts.hits.hits).toHaveLength(0); const backfill = await scheduleRuleRun(supertest, [createdRule.id], { startDate: moment(firstTimestamp).subtract(5, 'm'), @@ -1155,7 +1154,7 @@ export default ({ getService }: FtrProviderContext) => { await waitForBackfillExecuted(backfill, [createdRule.id], { supertest, log }); const allNewAlerts = await getAlerts(supertest, log, es, createdRule); - kbnExpect(allNewAlerts.hits.hits.length).equal(1); + expect(allNewAlerts.hits.hits).toHaveLength(1); kbnExpect(allNewAlerts.hits.hits[0]._source?.[ALERT_SUPPRESSION_DOCS_COUNT]).equal(2); }); @@ -1191,7 +1190,7 @@ export default ({ getService }: FtrProviderContext) => { const createdRule = await createRule(supertest, log, rule); const alerts = await getAlerts(supertest, log, es, createdRule); - kbnExpect(alerts.hits.hits.length).equal(0); + expect(alerts.hits.hits).toHaveLength(0); // generate alert in the past const backfill = await scheduleRuleRun(supertest, [createdRule.id], { @@ -1200,7 +1199,7 @@ export default ({ getService }: FtrProviderContext) => { }); await waitForBackfillExecuted(backfill, [createdRule.id], { supertest, log }); const allNewAlerts = await getAlerts(supertest, log, es, createdRule); - kbnExpect(allNewAlerts.hits.hits.length).equal(1); + expect(allNewAlerts.hits.hits).toHaveLength(1); // now we will ingest new event, and manual rule run should update original alert const secondDocument = { 
@@ -1220,9 +1219,9 @@ export default ({ getService }: FtrProviderContext) => { await waitForBackfillExecuted(secondBackfill, [createdRule.id], { supertest, log }); const updatedAlerts = await getAlerts(supertest, log, es, createdRule); - kbnExpect(updatedAlerts.hits.hits.length).equal(1); + expect(updatedAlerts.hits.hits).toHaveLength(1); - kbnExpect(updatedAlerts.hits.hits.length).equal(1); + expect(updatedAlerts.hits.hits).toHaveLength(1); kbnExpect(updatedAlerts.hits.hits[0]._source?.[ALERT_SUPPRESSION_DOCS_COUNT]).equal(1); }); @@ -1247,7 +1246,7 @@ export default ({ getService }: FtrProviderContext) => { const requests = logs[0].requests; - kbnExpect(requests).to.have.length(1); + expect(requests).toHaveLength(1); kbnExpect(requests![0].description).to.be('EQL request to find all matches'); kbnExpect(requests![0].request).to.contain( 'POST /auditbeat-*/_eql/search?allow_no_indices=true' diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/eql/trial_license_complete_tier/eql_alert_suppression.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/eql/trial_license_complete_tier/eql_alert_suppression.ts index 3c1eb718b9aca..b193d95297088 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/eql/trial_license_complete_tier/eql_alert_suppression.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/eql/trial_license_complete_tier/eql_alert_suppression.ts @@ -172,7 +172,7 @@ export default ({ getService }: FtrProviderContext) => { undefined, afterTimestamp ); - expect(secondAlerts.hits.hits.length).toEqual(1); + expect(secondAlerts.hits.hits).toHaveLength(1); expect(secondAlerts.hits.hits[0]._source).toEqual( expect.objectContaining({ [ALERT_SUPPRESSION_TERMS]: [ 
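Review bot: The two consecutive `expect(updatedAlerts.hits.hits).toHaveLength(1);` lines in the `@@ -1220` hunk are identical, so the matcher rewrite preserves a duplicated assertion; dropping the second line leaves the check intact. Since these are the lines being touched, this hunk is the cheapest place to remove it. The enclosing `it` body starts outside the hunk.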
@@ -345,7 +345,7 @@ export default ({ getService }: FtrProviderContext) => { afterTimestamp ); - expect(secondAlerts.hits.hits.length).toEqual(3); + expect(secondAlerts.hits.hits).toHaveLength(3); const sortedAlerts = sortBy(secondAlerts.hits.hits, ALERT_ORIGINAL_TIME); @@ -408,7 +408,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: [ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toBe(2); + expect(previewAlerts).toHaveLength(2); expect(previewAlerts[0]._source).toEqual( expect.objectContaining({ [ALERT_SUPPRESSION_TERMS]: [ @@ -493,7 +493,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: [ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -563,7 +563,7 @@ export default ({ getService }: FtrProviderContext) => { sort: ['host.name', ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -624,7 +624,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: ['host.name', ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -701,7 +701,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: ['agent.name', ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(2); + expect(previewAlerts).toHaveLength(2); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ 
@@ -792,7 +792,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: ['agent.name', ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(4); + expect(previewAlerts).toHaveLength(4); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -858,7 +858,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: [ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -908,7 +908,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: [ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -964,7 +964,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: ['agent.name', ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(2); + expect(previewAlerts).toHaveLength(2); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -1057,7 +1057,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: ['agent.name', 'agent.version', ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(4); + expect(previewAlerts).toHaveLength(4); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -1157,7 +1157,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: ['agent.name', ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(3); + expect(previewAlerts).toHaveLength(3); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ 
@@ -1245,7 +1245,7 @@ export default ({ getService }: FtrProviderContext) => { sort: ['agent.name', 'agent.version', ALERT_ORIGINAL_TIME], }); // from 7 injected, only one should be suppressed - expect(previewAlerts.length).toEqual(6); + expect(previewAlerts).toHaveLength(6); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -1313,7 +1313,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: ['host.name', ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(2); + expect(previewAlerts).toHaveLength(2); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -1384,7 +1384,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: ['host.name', ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(2); + expect(previewAlerts).toHaveLength(2); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -1454,7 +1454,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: ['host.name', ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(2); + expect(previewAlerts).toHaveLength(2); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -1529,7 +1529,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: ['agent.name', ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -1594,7 +1594,7 @@ export default ({ getService }: FtrProviderContext) => { size: 1000, sort: ['agent.name', ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(100); + expect(previewAlerts).toHaveLength(100); }); it('adds execution values to rule execution state', async () => { 
@@ -1698,7 +1698,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: [ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -1855,10 +1855,10 @@ export default ({ getService }: FtrProviderContext) => { }); // we expect one created alert and one suppressed alert // and two building block alerts, let's confirm that - expect(previewAlerts.length).toEqual(3); + expect(previewAlerts).toHaveLength(3); const [sequenceAlert, buildingBlockAlerts] = partitionSequenceBuildingBlocks(previewAlerts); - expect(buildingBlockAlerts.length).toEqual(2); - expect(sequenceAlert.length).toEqual(1); + expect(buildingBlockAlerts).toHaveLength(2); + expect(sequenceAlert).toHaveLength(1); expect(sequenceAlert[0]?._source).toEqual({ ...sequenceAlert[0]?._source, @@ -1926,13 +1926,13 @@ export default ({ getService }: FtrProviderContext) => { }); // we expect one created alert and one suppressed alert // and two building block alerts, let's confirm that - expect(previewAlerts.length).toEqual(3); + expect(previewAlerts).toHaveLength(3); const [sequenceAlert, buildingBlockAlerts] = partition( previewAlerts, (alert) => alert?._source?.[ALERT_SUPPRESSION_DOCS_COUNT] != null ); - expect(buildingBlockAlerts.length).toEqual(2); - expect(sequenceAlert.length).toEqual(1); + expect(buildingBlockAlerts).toHaveLength(2); + expect(sequenceAlert).toHaveLength(1); expect(sequenceAlert[0]?._source).toEqual({ ...sequenceAlert[0]?._source, 
@@ -2007,11 +2007,11 @@ export default ({ getService }: FtrProviderContext) => { }); // we expect two sequence alerts // each sequence alert having two building block alerts - expect(previewAlerts.length).toEqual(6); + expect(previewAlerts).toHaveLength(6); const [sequenceAlerts, buildingBlockAlerts] = partitionSequenceBuildingBlocks(previewAlerts); - expect(buildingBlockAlerts.length).toEqual(4); - expect(sequenceAlerts.length).toEqual(2); + expect(buildingBlockAlerts).toHaveLength(4); + expect(sequenceAlerts).toHaveLength(2); expect(sequenceAlerts[0]?._source).toEqual({ ...sequenceAlerts[0]?._source, @@ -2115,13 +2115,13 @@ export default ({ getService }: FtrProviderContext) => { // and two building block alerts per shell alert, let's confirm that const [sequenceAlerts, buildingBlockAlerts] = partitionSequenceBuildingBlocks(previewAlerts); - expect(buildingBlockAlerts.length).toEqual(6); - expect(sequenceAlerts.length).toEqual(3); + expect(buildingBlockAlerts).toHaveLength(6); + expect(sequenceAlerts).toHaveLength(3); const [suppressedSequenceAlerts] = partition( sequenceAlerts, (alert) => (alert?._source?.['kibana.alert.suppression.docs_count'] as number) >= 0 ); - expect(suppressedSequenceAlerts.length).toEqual(1); + expect(suppressedSequenceAlerts).toHaveLength(1); expect(suppressedSequenceAlerts[0]._source).toEqual({ ...suppressedSequenceAlerts[0]._source, 
@@ -2184,15 +2184,15 @@ export default ({ getService }: FtrProviderContext) => { }); // we expect one alert and two suppressed alerts // and two building block alerts, let's confirm that - expect(previewAlerts.length).toEqual(6); + expect(previewAlerts).toHaveLength(6); const [sequenceAlert, buildingBlockAlerts] = partitionSequenceBuildingBlocks(previewAlerts); const [suppressedSequenceAlerts] = partition( sequenceAlert, (alert) => (alert?._source?.['kibana.alert.suppression.docs_count'] as number) >= 0 ); - expect(buildingBlockAlerts.length).toEqual(4); - expect(sequenceAlert.length).toEqual(2); - expect(suppressedSequenceAlerts.length).toEqual(0); + expect(buildingBlockAlerts).toHaveLength(4); + expect(sequenceAlert).toHaveLength(2); + expect(suppressedSequenceAlerts).toHaveLength(0); expect(sequenceAlert[0]?._source).toEqual({ ...sequenceAlert[0]?._source, [ALERT_SUPPRESSION_TERMS]: undefined, @@ -2257,15 +2257,15 @@ export default ({ getService }: FtrProviderContext) => { }); // we expect one alert and two suppressed alerts // and two building block alerts, let's confirm that - expect(previewAlerts.length).toEqual(3); + expect(previewAlerts).toHaveLength(3); const [sequenceAlert, buildingBlockAlerts] = partitionSequenceBuildingBlocks(previewAlerts); const [suppressedSequenceAlerts] = partition( sequenceAlert, (alert) => (alert?._source?.['kibana.alert.suppression.docs_count'] as number) >= 0 ); - expect(suppressedSequenceAlerts.length).toEqual(1); - expect(buildingBlockAlerts.length).toEqual(2); - expect(sequenceAlert.length).toEqual(1); + expect(suppressedSequenceAlerts).toHaveLength(1); + expect(buildingBlockAlerts).toHaveLength(2); + expect(sequenceAlert).toHaveLength(1); expect(sequenceAlert[0]?._source).toEqual({ ...sequenceAlert[0]?._source, 
@@ -2343,18 +2343,18 @@ export default ({ getService }: FtrProviderContext) => { sort: [ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(9); + expect(previewAlerts).toHaveLength(9); const [sequenceAlert, buildingBlockAlerts] = partitionSequenceBuildingBlocks(previewAlerts); const [suppressedSequenceAlerts] = partition( sequenceAlert, (alert) => (alert?._source?.['kibana.alert.suppression.docs_count'] as number) >= 0 ); // no alerts should be suppressed because doNotSuppress is set - expect(suppressedSequenceAlerts.length).toEqual(0); - expect(buildingBlockAlerts.length).toEqual(6); + expect(suppressedSequenceAlerts).toHaveLength(0); + expect(buildingBlockAlerts).toHaveLength(6); // 3 sequence alerts comprised of // (doc1 + doc1WithNoHost), (doc1WithNoHost + doc2WithNoHost), (doc2WithNoHost + doc3WithNoHost) - expect(sequenceAlert.length).toEqual(3); + expect(sequenceAlert).toHaveLength(3); expect(sequenceAlert[0]?._source).toEqual({ ...sequenceAlert[0]?._source, @@ -2412,10 +2412,10 @@ export default ({ getService }: FtrProviderContext) => { }); // we expect one alert and two suppressed alerts // and two building block alerts, let's confirm that - expect(previewAlerts.length).toEqual(3); + expect(previewAlerts).toHaveLength(3); const [sequenceAlert, buildingBlockAlerts] = partitionSequenceBuildingBlocks(previewAlerts); - expect(buildingBlockAlerts.length).toEqual(2); - expect(sequenceAlert.length).toEqual(1); + expect(buildingBlockAlerts).toHaveLength(2); + expect(sequenceAlert).toHaveLength(1); expect(sequenceAlert[0]?._source).toEqual({ ...sequenceAlert[0]?._source, 
@@ -2496,10 +2496,10 @@ export default ({ getService }: FtrProviderContext) => { }); // we expect one alert and two suppressed alerts // and two building block alerts, let's confirm that - expect(previewAlerts.length).toEqual(3); + expect(previewAlerts).toHaveLength(3); const [sequenceAlert, buildingBlockAlerts] = partitionSequenceBuildingBlocks(previewAlerts); - expect(buildingBlockAlerts.length).toEqual(2); - expect(sequenceAlert.length).toEqual(1); + expect(buildingBlockAlerts).toHaveLength(2); + expect(sequenceAlert).toHaveLength(1); expect(sequenceAlert[0]._source).toEqual({ ...sequenceAlert[0]._source, @@ -2556,7 +2556,7 @@ export default ({ getService }: FtrProviderContext) => { sort: [ALERT_ORIGINAL_TIME], }); const [sequenceAlert] = partitionSequenceBuildingBlocks(previewAlerts); - expect(previewAlerts.length).toEqual(3); // one sequence, two building block + expect(previewAlerts).toHaveLength(3); // one sequence, two building block expect(sequenceAlert[0]._source).toEqual({ ...sequenceAlert[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -2653,7 +2653,7 @@ export default ({ getService }: FtrProviderContext) => { const [sequenceAlert] = partitionSequenceBuildingBlocks(previewAlerts); // for sequence alerts if neither of the fields are there, we cannot suppress - expect(sequenceAlert.length).toEqual(4); + expect(sequenceAlert).toHaveLength(4); expect(sequenceAlert[0]._source).toEqual({ ...sequenceAlert[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -2800,7 +2800,7 @@ export default ({ getService }: FtrProviderContext) => { sequenceAlert, (alert) => (alert?._source?.['kibana.alert.suppression.docs_count'] as number) >= 0 ); - expect(suppressedSequenceAlerts.length).toEqual(1); + expect(suppressedSequenceAlerts).toHaveLength(1); expect(suppressedSequenceAlerts[0]._source).toEqual({ ...suppressedSequenceAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ 
@@ -2869,8 +2869,8 @@ export default ({ getService }: FtrProviderContext) => { }); const [sequenceAlert, buildingBlockAlerts] = partitionSequenceBuildingBlocks(previewAlerts); - expect(buildingBlockAlerts.length).toEqual(2); - expect(sequenceAlert.length).toEqual(1); + expect(buildingBlockAlerts).toHaveLength(2); + expect(sequenceAlert).toHaveLength(1); expect(sequenceAlert[0]._source).toEqual({ ...sequenceAlert[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -2884,9 +2884,7 @@ export default ({ getService }: FtrProviderContext) => { }); }); - // FLAKY: https://github.com/elastic/kibana/issues/202940 - // FLAKY: https://github.com/elastic/kibana/issues/202945 - describe.skip('@skipInServerless sequence queries with suppression duration', () => { + describe('@skipInServerless sequence queries with suppression duration', () => { it('suppresses alerts across two rule executions when the suppression duration exceeds the rule interval', async () => { const id = uuidv4(); const firstTimestamp = new Date(Date.now() - 1000).toISOString(); @@ -2921,12 +2919,12 @@ export default ({ getService }: FtrProviderContext) => { const createdRule = await createRule(supertest, log, rule); const alerts = await getOpenAlerts(supertest, log, es, createdRule); - expect(alerts.hits.hits.length).toEqual(3); + expect(alerts.hits.hits).toHaveLength(3); const [sequenceAlert, buildingBlockAlerts] = partitionSequenceBuildingBlocks( alerts.hits.hits ); - expect(buildingBlockAlerts.length).toEqual(2); - expect(sequenceAlert.length).toEqual(1); + expect(buildingBlockAlerts).toHaveLength(2); + expect(sequenceAlert).toHaveLength(1); // suppression start equal to alert timestamp const suppressionStart = sequenceAlert[0]._source?.[TIMESTAMP]; 
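Review bot: The `describe.skip` on the sequence-suppression-duration suite is removed in the `@@ -2884` hunk without any visible change to the tests' setup, and the removed comment pointed at two flakiness issues (202940 and 202945). The first test schedules real rule executions against wall-clock-relative timestamps (`new Date(Date.now() - 1000).toISOString()` is visible in the hunk), which is the usual source of this kind of flake, so it stays sensitive to scheduler latency unless the underlying cause was fixed elsewhere. If it was, a one-line comment on the `describe` such as `// Re-enabled; flakiness tracked in #202940/#202945 was fixed separately` would document that for the next reader. The `describe` block continues past the end of this hunk.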
@@ -2974,7 +2972,7 @@ export default ({ getService }: FtrProviderContext) => { const [sequenceAlert2] = partitionSequenceBuildingBlocks(secondAlerts.hits.hits); - expect(sequenceAlert2.length).toEqual(1); + expect(sequenceAlert2).toHaveLength(1); expect(sequenceAlert2[0]._source).toEqual({ ...sequenceAlert2[0]?._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -2993,8 +2991,7 @@ export default ({ getService }: FtrProviderContext) => { expect(suppressionEnd).toBeGreaterThan(new Date(secondTimestamp).getDate()); }); - // Skipped here: https://github.com/elastic/kibana/issues/202945 - it.skip('does not suppress alerts outside of duration', async () => { + it('does not suppress alerts outside of duration', async () => { const id = uuidv4(); // this timestamp is 1 minute in the past const firstTimestamp = new Date(Date.now() - 5000).toISOString(); @@ -3029,12 +3026,12 @@ export default ({ getService }: FtrProviderContext) => { const createdRule = await createRule(supertest, log, rule); const alerts = await getOpenAlerts(supertest, log, es, createdRule); - expect(alerts.hits.hits.length).toEqual(3); + expect(alerts.hits.hits).toHaveLength(3); const [sequenceAlert, buildingBlockAlerts] = partitionSequenceBuildingBlocks( alerts.hits.hits ); - expect(buildingBlockAlerts.length).toEqual(2); - expect(sequenceAlert.length).toEqual(1); + expect(buildingBlockAlerts).toHaveLength(2); + expect(sequenceAlert).toHaveLength(1); expect(sequenceAlert[0]._source).toEqual({ ...sequenceAlert[0]._source, @@ -3079,7 +3076,7 @@ export default ({ getService }: FtrProviderContext) => { const [sequenceAlert2] = partitionSequenceBuildingBlocks(secondAlerts.hits.hits); - expect(sequenceAlert2.length).toEqual(2); + expect(sequenceAlert2).toHaveLength(2); expect(sequenceAlert2[0]._source).toEqual({ ...sequenceAlert2[0]?._source, [ALERT_SUPPRESSION_TERMS]: [ 
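Review bot: `expect(suppressionEnd).toBeGreaterThan(new Date(secondTimestamp).getDate())` in the context lines of `@@ -2993` compares against the day of the month (1–31), so if `suppressionEnd` is an epoch-millisecond value — it is computed outside the hunk, so I cannot confirm — the assertion is trivially true and checks nothing; `new Date(secondTimestamp).getTime()` looks intended. This matters now because the commit re-enables the surrounding describe block, so the assertion goes live without having been exercised. In the same hunk the comment `// this timestamp is 1 minute in the past` sits above `new Date(Date.now() - 5000)`, which is five seconds; `// this timestamp is 5 seconds in the past` would match the code. The enclosing `it` callbacks start and end outside the hunk.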
@@ -3163,12 +3160,12 @@ export default ({ getService }: FtrProviderContext) => { // we expect one shell alert // and three building block alerts - expect(alerts.hits.hits.length).toEqual(4); + expect(alerts.hits.hits).toHaveLength(4); const [sequenceAlert, buildingBlockAlerts] = partitionSequenceBuildingBlocks( alerts.hits.hits ); - expect(buildingBlockAlerts.length).toEqual(3); - expect(sequenceAlert.length).toEqual(1); + expect(buildingBlockAlerts).toHaveLength(3); + expect(sequenceAlert).toHaveLength(1); expect(sequenceAlert[0]._source).toEqual({ ...sequenceAlert[0]._source, @@ -3182,8 +3179,7 @@ export default ({ getService }: FtrProviderContext) => { }); }); - // Skipped here: https://github.com/elastic/kibana/issues/202945 - it.skip('does not suppress alerts outside of duration when query with 3 sequences', async () => { + it('does not suppress alerts outside of duration when query with 3 sequences', async () => { const id = uuidv4(); const dateNow = Date.now(); const timestampSequenceEvent1 = new Date(dateNow - 5000).toISOString(); @@ -3222,12 +3218,12 @@ export default ({ getService }: FtrProviderContext) => { // we expect one shell alert // and three building block alerts - expect(alerts.hits.hits.length).toEqual(4); + expect(alerts.hits.hits).toHaveLength(4); const [sequenceAlert, buildingBlockAlerts] = partitionSequenceBuildingBlocks( alerts.hits.hits ); - expect(buildingBlockAlerts.length).toEqual(3); - expect(sequenceAlert.length).toEqual(1); + expect(buildingBlockAlerts).toHaveLength(3); + expect(sequenceAlert).toHaveLength(1); expect(sequenceAlert[0]._source).toEqual({ ...sequenceAlert[0]._source, 
@@ -3280,8 +3276,8 @@ export default ({ getService }: FtrProviderContext) => { // two sequence alerts because the second one happened // outside of the rule's suppression duration - expect(sequenceAlert2.length).toEqual(2); - expect(buildingBlockAlerts2.length).toEqual(6); + expect(sequenceAlert2).toHaveLength(2); + expect(buildingBlockAlerts2).toHaveLength(6); // timestamps should be different for two alerts, showing they were // created in different rule executions expect(sequenceAlert2[0]?._source?.[TIMESTAMP]).not.toEqual( diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql.ts index 7d706ce59e11d..20c11b50427ab 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql.ts @@ -106,7 +106,7 @@ export default ({ getService }: FtrProviderContext) => { const createdRule = await createRule(supertest, log, rule); const alerts = await getAlerts(supertest, log, es, createdRule); - expect(alerts.hits.hits.length).toBe(1); + expect(alerts.hits.hits).toHaveLength(1); expect(removeRandomValuedPropertiesFromAlert(alerts.hits.hits[0]._source)).toEqual({ 'kibana.alert.rule.parameters': { description: 'Detecting root and admin users', @@ -216,7 +216,7 @@ export default ({ getService }: FtrProviderContext) => { size: 10, }); - expect(previewAlerts.length).toBe(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]._source).toEqual( expect.objectContaining({ 'agent.name': 'test-1', 
@@ -252,7 +252,7 @@ export default ({ getService }: FtrProviderContext) => { size: 10, }); - expect(previewAlerts.length).toBe(3); + expect(previewAlerts).toHaveLength(3); }); describe('non-aggregating query rules', () => { @@ -291,7 +291,7 @@ export default ({ getService }: FtrProviderContext) => { size: 10, }); - expect(previewAlerts.length).toBe(1); + expect(previewAlerts).toHaveLength(1); // all fields from source document should be returned expect(previewAlerts[0]._source).toEqual( expect.objectContaining({ @@ -335,7 +335,7 @@ export default ({ getService }: FtrProviderContext) => { size: 10, }); - expect(previewAlerts.length).toBe(1); + expect(previewAlerts).toHaveLength(1); }); }); @@ -369,7 +369,7 @@ export default ({ getService }: FtrProviderContext) => { const previewAlerts = await getPreviewAlerts({ es, previewId }); - expect(previewAlerts.length).toBe(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]._source).toHaveProperty('custom_named_agent', 'test-1'); expect(previewAlerts[0]._source).not.toHaveProperty(['agent.name']); expect(previewAlerts[0]._source).not.toHaveProperty('agent.name'); @@ -410,7 +410,7 @@ export default ({ getService }: FtrProviderContext) => { const previewAlerts = await getPreviewAlerts({ es, previewId }); - expect(previewAlerts.length).toBe(3); + expect(previewAlerts).toHaveLength(3); expect(previewAlerts.map((_) => _._source?.['agent.name'])).toEqual( expect.arrayContaining(['part-0', 'part-1', 'test-1']) ); @@ -450,7 +450,7 @@ export default ({ getService }: FtrProviderContext) => { const previewAlerts = await getPreviewAlerts({ es, previewId }); - expect(previewAlerts.length).toBe(3); + expect(previewAlerts).toHaveLength(3); }); // When expanded field dropped, ES|QL response rows will be identical. 
@@ -489,7 +489,7 @@ export default ({ getService }: FtrProviderContext) => { const previewAlerts = await getPreviewAlerts({ es, previewId }); - expect(previewAlerts.length).toBe(2); + expect(previewAlerts).toHaveLength(2); }); it('should generate alert per expanded row when mv_expand used multiple times', async () => { @@ -530,7 +530,7 @@ export default ({ getService }: FtrProviderContext) => { const previewAlerts = await getPreviewAlerts({ es, previewId }); - expect(previewAlerts.length).toBe(7); + expect(previewAlerts).toHaveLength(7); expect(previewAlerts.map((_) => _._source?.['agent.name'])).toEqual( expect.arrayContaining(['part-0', 'part-1', 'test-1']) ); @@ -570,7 +570,7 @@ export default ({ getService }: FtrProviderContext) => { size: 10, }); - expect(previewAlerts.length).toBe(2); + expect(previewAlerts).toHaveLength(2); }); it('should deduplicate alerts generated form expanded rows when expanded field renamed', async () => { @@ -606,7 +606,7 @@ export default ({ getService }: FtrProviderContext) => { size: 10, }); - expect(previewAlerts.length).toBe(2); + expect(previewAlerts).toHaveLength(2); }); it('should deduplicate alert when expanded field dropped', async () => { @@ -642,7 +642,7 @@ export default ({ getService }: FtrProviderContext) => { size: 10, }); - expect(previewAlerts.length).toBe(1); + expect(previewAlerts).toHaveLength(1); }); describe('pagination', () => { @@ -688,7 +688,7 @@ export default ({ getService }: FtrProviderContext) => { 200 ); - expect(alertsResponseFromFirstRuleExecution.hits.hits.length).toBe(100); + expect(alertsResponseFromFirstRuleExecution.hits.hits).toHaveLength(100); // re-trigger rule execution runSoonRule(supertest, createdRule.id); @@ -703,7 +703,7 @@ export default ({ getService }: FtrProviderContext) => { new Date() ); - expect(alertsResponse.hits.hits.length).toBe(120); + expect(alertsResponse.hits.hits).toHaveLength(120); }); it('should create alerts from all events(2 x max_signals)', async () => { 
@@ -739,7 +739,7 @@ export default ({ getService }: FtrProviderContext) => { RuleExecutionStatusEnum['partial failure'], 200 ); - expect(alertsResponseFromFirstRuleExecution.hits.hits.length).toBe(100); + expect(alertsResponseFromFirstRuleExecution.hits.hits).toHaveLength(100); // re-trigger rule execution await patchRule(supertest, log, { @@ -762,7 +762,7 @@ export default ({ getService }: FtrProviderContext) => { new Date() ); - expect(alertsResponse.hits.hits.length).toBe(200); + expect(alertsResponse.hits.hits).toHaveLength(200); }); it('should create alerts from all events(2 x max_signals) when used timestamp override', async () => { @@ -801,7 +801,7 @@ export default ({ getService }: FtrProviderContext) => { RuleExecutionStatusEnum['partial failure'], 200 ); - expect(alertsResponseFromFirstRuleExecution.hits.hits.length).toBe(100); + expect(alertsResponseFromFirstRuleExecution.hits.hits).toHaveLength(100); // re-trigger rule execution await patchRule(supertest, log, { @@ -824,7 +824,7 @@ export default ({ getService }: FtrProviderContext) => { new Date() ); - expect(alertsResponse.hits.hits.length).toBe(200); + expect(alertsResponse.hits.hits).toHaveLength(200); }); it('should create alerts from all events(2 x max_signals) when used timestamp override without fallback', async () => { @@ -863,7 +863,7 @@ export default ({ getService }: FtrProviderContext) => { RuleExecutionStatusEnum['partial failure'], 200 ); - expect(alertsResponseFromFirstRuleExecution.hits.hits.length).toBe(100); + expect(alertsResponseFromFirstRuleExecution.hits.hits).toHaveLength(100); // re-trigger rule execution await patchRule(supertest, log, { @@ -886,7 +886,7 @@ export default ({ getService }: FtrProviderContext) => { new Date() ); - expect(alertsResponse.hits.hits.length).toBe(200); + expect(alertsResponse.hits.hits).toHaveLength(200); }); it('should not create more than max_signals alerts from single document when paginate through results', async () => { 
@@ -932,7 +932,7 @@ export default ({ getService }: FtrProviderContext) => { 200 ); - expect(alertsResponseFromFirstRuleExecution.hits.hits.length).toBe(100); + expect(alertsResponseFromFirstRuleExecution.hits.hits).toHaveLength(100); // re-trigger rule execution runSoonRule(supertest, createdRule.id); @@ -948,7 +948,7 @@ export default ({ getService }: FtrProviderContext) => { new Date() ); - expect(alertsResponse.hits.hits.length).toBe(200); + expect(alertsResponse.hits.hits).toHaveLength(200); const agentTypeCounts = alertsResponse.hits.hits.reduce>( (acc, curr) => { @@ -1011,7 +1011,7 @@ export default ({ getService }: FtrProviderContext) => { 200 ); - expect(alertsResponseFromFirstRuleExecution.hits.hits.length).toBe(100); + expect(alertsResponseFromFirstRuleExecution.hits.hits).toHaveLength(100); // re-trigger rule execution runSoonRule(supertest, createdRule.id); @@ -1026,7 +1026,7 @@ export default ({ getService }: FtrProviderContext) => { new Date() ); - expect(alertsResponse.hits.hits.length).toBe(120); + expect(alertsResponse.hits.hits).toHaveLength(120); }); it('should create alerts from multiple expanded values', async () => { @@ -1073,7 +1073,7 @@ export default ({ getService }: FtrProviderContext) => { 200 ); - expect(alertsResponseFromFirstRuleExecution.hits.hits.length).toBe(100); + expect(alertsResponseFromFirstRuleExecution.hits.hits).toHaveLength(100); // re-trigger rule execution runSoonRule(supertest, createdRule.id); @@ -1088,7 +1088,7 @@ export default ({ getService }: FtrProviderContext) => { new Date() ); // 60 from doc1 and 75 from doc2 - expect(alertsResponse.hits.hits.length).toBe(135); + expect(alertsResponse.hits.hits).toHaveLength(135); }); }); }); 
@@ -1130,7 +1130,7 @@ export default ({ getService }: FtrProviderContext) => { sort: ['agent.name'], }); - expect(previewAlertsOrderedByAgentName.length).toBe(3); + expect(previewAlertsOrderedByAgentName).toHaveLength(3); expect(previewAlertsOrderedByAgentName[0]._source).toEqual( expect.objectContaining({ 'agent.name': 'test-1', @@ -1184,7 +1184,7 @@ export default ({ getService }: FtrProviderContext) => { size: 10, }); - expect(previewAlerts.length).toBe(2); + expect(previewAlerts).toHaveLength(2); expect(previewAlerts[0]._source).toHaveProperty(['_counted'], 1); expect(previewAlerts[1]._source).toHaveProperty(['_counted'], 1); }); @@ -1213,7 +1213,7 @@ export default ({ getService }: FtrProviderContext) => { size: 10, }); - expect(previewAlerts.length).toBe(1); + expect(previewAlerts).toHaveLength(1); // no data has been injected during rule execution interval expect(previewAlerts[0]._source).toHaveProperty(['_counted'], 0); }); @@ -1268,7 +1268,7 @@ export default ({ getService }: FtrProviderContext) => { sort: ['event.ingested'], }); - expect(previewAlerts.length).toBe(2); + expect(previewAlerts).toHaveLength(2); expect(previewAlerts[0]._source).toHaveProperty(['event.ingested'], expectedEventIngested); expect(previewAlerts[1]._source).not.toHaveProperty(['event.ingested']); }); @@ -1299,7 +1299,7 @@ export default ({ getService }: FtrProviderContext) => { const previewAlerts = await getPreviewAlerts({ es, previewId }); - expect(previewAlerts.length).toBe(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]._source).toHaveProperty(['event.ingested'], expectedEventIngested); }); }); @@ -1344,7 +1344,7 @@ export default ({ getService }: FtrProviderContext) => { const previewAlerts = await getPreviewAlerts({ es, previewId }); - expect(previewAlerts.length).toBe(2); + expect(previewAlerts).toHaveLength(2); }); }); 
@@ -1383,7 +1383,7 @@ export default ({ getService }: FtrProviderContext) => { size: 200, }); - expect(previewAlerts.length).toBe(100); + expect(previewAlerts).toHaveLength(100); }); it("doesn't generate max alerts warning when circuit breaker is met but not exceeded", async () => { @@ -1419,7 +1419,7 @@ export default ({ getService }: FtrProviderContext) => { size: 200, }); - expect(previewAlerts.length).toBe(100); + expect(previewAlerts).toHaveLength(100); }); it('should work for max alerts > 100', async () => { @@ -1455,7 +1455,7 @@ export default ({ getService }: FtrProviderContext) => { size: 200, }); - expect(previewAlerts.length).toBe(150); + expect(previewAlerts).toHaveLength(150); }); // we use actual rule executions, not preview, because for preview API alerts index refresh=false for non suppressed alerts @@ -1538,7 +1538,7 @@ export default ({ getService }: FtrProviderContext) => { ); // should return 100 alerts - expect(alertsResponseFromFirstRuleExecution.hits.hits.length).toBe(100); + expect(alertsResponseFromFirstRuleExecution.hits.hits).toHaveLength(100); // re-trigger rule execution with new interval await patchRule(supertest, log, { @@ -1563,7 +1563,7 @@ export default ({ getService }: FtrProviderContext) => { ); // should return 160 alerts - expect(alertsResponse.hits.hits.length).toBe(160); + expect(alertsResponse.hits.hits).toHaveLength(160); }); }); @@ -1598,7 +1598,7 @@ export default ({ getService }: FtrProviderContext) => { const previewAlerts = await getPreviewAlerts({ es, previewId }); - expect(previewAlerts.length).toBe(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]._source).toHaveProperty('host.risk.calculated_level', 'Low'); expect(previewAlerts[0]._source).toHaveProperty('host.risk.calculated_score_norm', 1); 
@@ -1640,7 +1640,7 @@ export default ({ getService }: FtrProviderContext) => { const previewAlerts = await getPreviewAlerts({ es, previewId }); - expect(previewAlerts.length).toBe(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]?._source?.['host.asset.criticality']).toBe('extreme_impact'); }); @@ -1680,7 +1680,7 @@ export default ({ getService }: FtrProviderContext) => { size: 10, }); - expect(previewAlerts.length).toBe(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]._source).toHaveProperty(['observer.os.full'], 'full test os'); // *.text is multifield define in mappings for observer.os.full expect(previewAlerts[0]._source).not.toHaveProperty(['observer.os.full.text']); @@ -1723,7 +1723,7 @@ export default ({ getService }: FtrProviderContext) => { size: 10, }); - expect(previewAlerts.length).toBe(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]._source).toHaveProperty( ['process.entry_leader.name'], 'test_process_name' @@ -1786,7 +1786,7 @@ export default ({ getService }: FtrProviderContext) => { size: 10, }); - expect(previewAlerts.length).toBe(1); + expect(previewAlerts).toHaveLength(1); // all multifields have been indexed, which is expected, seen we don't know original mappings expect(previewAlerts[0]._source).toHaveProperty( ['random.entry_leader.name'], @@ -1833,7 +1833,7 @@ export default ({ getService }: FtrProviderContext) => { timeframeEnd: new Date('2020-10-28T06:30:00.000Z'), }); - expect(logs[0].errors.length).toEqual(0); + expect(logs[0].errors).toHaveLength(0); }); }); }); 
@@ -1904,7 +1904,7 @@ export default ({ getService }: FtrProviderContext) => {
 await waitForBackfillExecuted(secondBackfill, [createdRule.id], { supertest, log });
 const allNewAlertsAfter2ManualRuns = await getAlerts(supertest, log, es, createdRule);
- expect(allNewAlertsAfter2ManualRuns.hits.hits.length).toEqual(2);
+ expect(allNewAlertsAfter2ManualRuns.hits.hits).toHaveLength(2);
 });
 it('does not alert if the manual run overlaps with a previous scheduled rule execution', async () => {
@@ -2199,8 +2199,7 @@ export default ({ getService }: FtrProviderContext) => {
 });
 });
- // Failing: See https://github.com/elastic/kibana/issues/224699
- describe.skip('shard failures', () => {
+ describe('shard failures', () => {
 const config = getService('config');
 const isServerless = config.get('serverless');
 const dataPathBuilder = new EsArchivePathBuilder(isServerless);
@@ -2249,7 +2248,7 @@ export default ({ getService }: FtrProviderContext) => {
 ])
 );
- expect(previewAlerts?.length).toBeGreaterThan(0);
+ expect(previewAlerts).not.toHaveLength(0);
 });
 it('should handle shard failures and include errors in logs for query that is aggregating', async () => {
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql_suppression.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql_suppression.ts
index 3146d8c9b95f0..06c46062bbe59 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql_suppression.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql_suppression.ts 
@@ -120,7 +120,7 @@ export default ({ getService }: FtrProviderContext) => { const createdRule = await createRule(supertest, log, rule); const alerts = await getOpenAlerts(supertest, log, es, createdRule); - expect(alerts.hits.hits.length).toBe(1); + expect(alerts.hits.hits).toHaveLength(1); expect(alerts.hits.hits[0]._source).toEqual( expect.objectContaining({ [ALERT_SUPPRESSION_TERMS]: [ @@ -161,7 +161,7 @@ export default ({ getService }: FtrProviderContext) => { undefined, afterTimestamp ); - expect(secondAlerts.hits.hits.length).toEqual(1); + expect(secondAlerts.hits.hits).toHaveLength(1); expect(secondAlerts.hits.hits[0]._source).toEqual( expect.objectContaining({ [ALERT_SUPPRESSION_TERMS]: [ @@ -243,7 +243,7 @@ export default ({ getService }: FtrProviderContext) => { undefined, afterTimestamp ); - expect(secondAlerts.hits.hits.length).toEqual(1); + expect(secondAlerts.hits.hits).toHaveLength(1); expect(alerts.hits.hits[0]._source).toEqual( expect.objectContaining({ [ALERT_SUPPRESSION_TERMS]: [ @@ -328,7 +328,7 @@ export default ({ getService }: FtrProviderContext) => { afterTimestamp ); - expect(secondAlerts.hits.hits.length).toEqual(2); + expect(secondAlerts.hits.hits).toHaveLength(2); const sortedAlerts = sortBy(secondAlerts.hits.hits, ALERT_ORIGINAL_TIME); @@ -395,7 +395,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: [ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toBe(2); + expect(previewAlerts).toHaveLength(2); expect(previewAlerts[0]._source).toEqual( expect.objectContaining({ [ALERT_SUPPRESSION_TERMS]: [ @@ -492,7 +492,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: [ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ 
@@ -579,7 +579,7 @@ export default ({ getService }: FtrProviderContext) => { // 3 alerts should be generated: // 1. for pair 'host-a', 1 - suppressed // 2. for pair 'host-a', 2 - not suppressed - expect(previewAlerts.length).toEqual(2); + expect(previewAlerts).toHaveLength(2); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -670,7 +670,7 @@ export default ({ getService }: FtrProviderContext) => { sort: ['host.name', ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -750,7 +750,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: ['host.name', ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -834,7 +834,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: ['host.name', ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(2); + expect(previewAlerts).toHaveLength(2); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -932,7 +932,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: ['host.name', ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(4); + expect(previewAlerts).toHaveLength(4); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -1023,7 +1023,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: ['host.name', ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ 
@@ -1106,7 +1106,7 @@ export default ({ getService }: FtrProviderContext) => { }); // lodash sortBy is used here because custom_field is non ECS and not mapped in alerts index, so can't be sorted by const sortedAlerts = sortBy(previewAlerts, '_source.custom_field'); - expect(previewAlerts.length).toEqual(2); + expect(previewAlerts).toHaveLength(2); expect(sortedAlerts[0]._source).toEqual({ ...sortedAlerts[0]._source, @@ -1204,7 +1204,7 @@ export default ({ getService }: FtrProviderContext) => { }); // lodash sortBy is used here because custom_field is non ECS and not mapped in alerts index, so can't be sorted by const sortedAlerts = sortBy(previewAlerts, '_source.custom_field'); - expect(previewAlerts.length).toEqual(2); + expect(previewAlerts).toHaveLength(2); expect(sortedAlerts[0]._source).toEqual({ ...sortedAlerts[0]._source, @@ -1283,7 +1283,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: ['host.name', ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, @@ -1357,7 +1357,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: ['host.name', ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(3); + expect(previewAlerts).toHaveLength(3); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, @@ -1440,7 +1440,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: [ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ 
@@ -1499,7 +1499,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: [ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -1598,7 +1598,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: ['agent.name', 'agent.version', ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(4); + expect(previewAlerts).toHaveLength(4); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -1742,7 +1742,7 @@ export default ({ getService }: FtrProviderContext) => { sort: ['agent.name', 'agent.version', ALERT_ORIGINAL_TIME], }); // from 8 injected, only one should be suppressed - expect(previewAlerts.length).toEqual(7); + expect(previewAlerts).toHaveLength(7); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -1829,7 +1829,7 @@ export default ({ getService }: FtrProviderContext) => { previewId, sort: ['host.name', ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(2); + expect(previewAlerts).toHaveLength(2); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -1904,7 +1904,7 @@ export default ({ getService }: FtrProviderContext) => { sort: ['agent.name', ALERT_ORIGINAL_TIME], size: 1000, }); - expect(previewAlerts.length).toEqual(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -1965,7 +1965,7 @@ export default ({ getService }: FtrProviderContext) => { size: 1000, sort: ['agent.name', ALERT_ORIGINAL_TIME], }); - expect(previewAlerts.length).toEqual(150); + expect(previewAlerts).toHaveLength(150); }); }); 
@@ -2013,7 +2013,7 @@ export default ({ getService }: FtrProviderContext) => { const previewAlerts = await getPreviewAlerts({ es, previewId }); - expect(previewAlerts.length).toBe(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [ @@ -2062,7 +2062,7 @@ export default ({ getService }: FtrProviderContext) => { const previewAlerts = await getPreviewAlerts({ es, previewId }); - expect(previewAlerts.length).toBe(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]._source).toHaveProperty('host.risk.calculated_level', 'Low'); expect(previewAlerts[0]._source).toHaveProperty('host.risk.calculated_score_norm', 1); @@ -2108,7 +2108,7 @@ export default ({ getService }: FtrProviderContext) => { const previewAlerts = await getPreviewAlerts({ es, previewId }); - expect(previewAlerts.length).toBe(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]?._source?.['host.asset.criticality']).toBe('extreme_impact'); }); @@ -2147,7 +2147,7 @@ export default ({ getService }: FtrProviderContext) => { }); const previewAlerts = await getPreviewAlerts({ es, previewId }); - expect(previewAlerts.length).toBe(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]._source).toHaveProperty([ALERT_SUPPRESSION_DOCS_COUNT], 2); }); @@ -2186,7 +2186,7 @@ export default ({ getService }: FtrProviderContext) => { const previewAlerts = await getPreviewAlerts({ es, previewId }); - expect(previewAlerts.length).toBe(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]._source).toHaveProperty([ALERT_SUPPRESSION_DOCS_COUNT], 2); }); @@ -2225,7 +2225,7 @@ export default ({ getService }: FtrProviderContext) => { const previewAlerts = await getPreviewAlerts({ es, previewId }); - expect(previewAlerts.length).toBe(1); + expect(previewAlerts).toHaveLength(1); expect(previewAlerts[0]._source).toHaveProperty([ALERT_SUPPRESSION_DOCS_COUNT], 1); }); 
@@ -2274,7 +2274,7 @@ export default ({ getService }: FtrProviderContext) => {
 size: 10,
 });
- expect(previewAlerts.length).toBe(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toHaveProperty([ALERT_SUPPRESSION_DOCS_COUNT], 3);
 });
@@ -2325,7 +2325,7 @@ export default ({ getService }: FtrProviderContext) => {
 size: 10,
 });
- expect(previewAlerts.length).toBe(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toHaveProperty([ALERT_SUPPRESSION_DOCS_COUNT], 3);
 });
 });
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/general_logic/basic_license_essentials_tier/timestamps.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/general_logic/basic_license_essentials_tier/timestamps.ts
index 30942a9fc897f..236f18bd72ad4 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/general_logic/basic_license_essentials_tier/timestamps.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/general_logic/basic_license_essentials_tier/timestamps.ts
@@ -5,7 +5,7 @@
 * 2.0.
 */
-import expect from '@kbn/expect';
+import expect from 'expect';
 import { orderBy } from 'lodash';
 import { RuleExecutionStatusEnum } from '@kbn/security-solution-plugin/common/api/detection_engine/rule_monitoring';
 import { 
@@ -75,7 +75,7 @@ export default ({ getService }: FtrProviderContext) => {
 await waitForAlertsToBePresent(supertest, log, 1, [id]);
 const alertsOpen = await getAlertsByIds(supertest, log, [id]);
 const hits = alertsOpen.hits.hits.map((hit) => hit._source?.[ALERT_ORIGINAL_TIME]).sort();
- expect(hits).to.eql(['2021-06-02T23:33:15.000Z']);
+ expect(hits).toEqual(['2021-06-02T23:33:15.000Z']);
 });
 it('should still use the @timestamp field even with an override field. It should never use the override field', async () => {
@@ -88,7 +88,7 @@ export default ({ getService }: FtrProviderContext) => {
 await waitForAlertsToBePresent(supertest, log, 1, [id]);
 const alertsOpen = await getAlertsByIds(supertest, log, [id]);
 const hits = alertsOpen.hits.hits.map((hit) => hit._source?.[ALERT_ORIGINAL_TIME]).sort();
- expect(hits).to.eql(['2020-12-16T15:16:18.000Z']);
+ expect(hits).toEqual(['2020-12-16T15:16:18.000Z']);
 });
 });
@@ -100,7 +100,7 @@ export default ({ getService }: FtrProviderContext) => {
 await waitForAlertsToBePresent(supertest, log, 1, [id]);
 const alertsOpen = await getAlertsByIds(supertest, log, [id]);
 const hits = alertsOpen.hits.hits.map((hit) => hit._source?.[ALERT_ORIGINAL_TIME]).sort();
- expect(hits).to.eql(['2021-06-02T23:33:15.000Z']);
+ expect(hits).toEqual(['2021-06-02T23:33:15.000Z']);
 });
 it('should still use the @timestamp field even with an override field. It should never use the override field', async () => {
@@ -113,7 +113,7 @@ export default ({ getService }: FtrProviderContext) => {
 await waitForAlertsToBePresent(supertest, log, 1, [id]);
 const alertsOpen = await getAlertsByIds(supertest, log, [id]);
 const hits = alertsOpen.hits.hits.map((hit) => hit._source?.[ALERT_ORIGINAL_TIME]).sort();
- expect(hits).to.eql(['2020-12-16T15:16:18.000Z']);
+ expect(hits).toEqual(['2020-12-16T15:16:18.000Z']);
 });
 });
 }); 
@@ -159,8 +159,7 @@ export default ({ getService }: FtrProviderContext) => {
);
});
- // FLAKY: https://github.com/elastic/kibana/issues/224780
- describe.skip('KQL', () => {
+ describe('KQL', () => {
it('should generate alerts with event.ingested, @timestamp and (event.ingested + timestamp)', async () => {
const rule: QueryRuleCreateProps = {
...getRuleForAlertTesting(['myfa*']),
@@ -179,7 +178,7 @@ export default ({ getService }: FtrProviderContext) => {
const alerts = alertsResponse.hits.hits.map((hit) => hit._source);
const alertsOrderedByEventId = orderBy(alerts, 'alert.parent.id', 'asc');
- expect(alertsOrderedByEventId.length).equal(3);
+ expect(alertsOrderedByEventId).toHaveLength(3);
});
it('should generate 2 alerts with event.ingested when timestamp fallback is disabled', async () => {
@@ -202,7 +201,7 @@ export default ({ getService }: FtrProviderContext) => {
const alerts = alertsResponse.hits.hits.map((hit) => hit._source);
const alertsOrderedByEventId = orderBy(alerts, 'alert.parent.id', 'asc');
- expect(alertsOrderedByEventId.length).equal(2);
+ expect(alertsOrderedByEventId).toHaveLength(2);
});
it('should generate 2 alerts with @timestamp', async () => {
@@ -220,7 +219,7 @@ export default ({ getService }: FtrProviderContext) => {
const alerts = alertsResponse.hits.hits.map((hit) => hit._source);
const alertsOrderedByEventId = orderBy(alerts, 'alert.parent.id', 'asc');
- expect(alertsOrderedByEventId.length).equal(2);
+ expect(alertsOrderedByEventId).toHaveLength(2);
});
it('should generate 2 alerts when timestamp override does not exist', async () => {
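Review bot: `describe.skip('KQL', …)` is turned back into `describe('KQL', …)` and the `// FLAKY: …/issues/224780` marker is dropped, yet nothing visible in this hunk or the neighbouring ones changes how the KQL tests wait for or query alerts — only the assertion style changes — so whatever caused the flake is presumably still there unless it was fixed outside this diff. If the flake was resolved elsewhere, the commit description should say where; if it was not, the suite will intermittently fail again and the issue link that made the history easy to find will be gone. At minimum keep the breadcrumb above the describe, e.g. `// Re-enabled; previously skipped as flaky, see https://github.com/elastic/kibana/issues/224780`. The enclosing describe block starts before this hunk and its body continues past it.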
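Review bot: `alertsOrderedByEventId` is built with `orderBy(alerts, 'alert.parent.id', 'asc')` but the only assertion on it is the new `expect(alertsOrderedByEventId).toHaveLength(3)`, so the sort does no work in this test, and the same pattern repeats in the `-202` and `-220` hunks and in the following chunk. Either assert on the ordered contents — for instance each alert's original time per source document, which is what the test name promises — or simplify to `expect(alerts).toHaveLength(3);` and drop the `orderBy` line. It is also worth confirming that `alert.parent.id` is actually present on these alert `_source` documents; if it is not, the sort is a no-op even where its order is relied on. The `it` callback starts before this hunk.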
@@ -240,7 +239,7 @@ export default ({ getService }: FtrProviderContext) => {
const alerts = alertsResponse.hits.hits.map((hit) => hit._source);
const alertsOrderedByEventId = orderBy(alerts, 'alert.parent.id', 'asc');
- expect(alertsOrderedByEventId.length).equal(2);
+ expect(alertsOrderedByEventId).toHaveLength(2);
});
it('should not generate any alerts when timestamp override does not exist and timestamp fallback is disabled', async () => {
@@ -259,7 +258,7 @@ export default ({ getService }: FtrProviderContext) => {
createdRule,
RuleExecutionStatusEnum['partial failure']
);
- expect(alertsOpen.hits.hits.length).eql(0);
+ expect(alertsOpen.hits.hits).toHaveLength(0);
});
/**
@@ -281,7 +280,7 @@ export default ({ getService }: FtrProviderContext) => {
const hits = alertsResponse.hits.hits
.map((hit) => hit._source?.[ALERT_ORIGINAL_TIME])
.sort();
- expect(hits).to.eql([undefined]);
+ expect(hits).toEqual([undefined]);
});
});
@@ -301,7 +300,7 @@ export default ({ getService }: FtrProviderContext) => {
const alerts = alertsResponse.hits.hits.map((hit) => hit._source);
const alertsOrderedByEventId = orderBy(alerts, 'alert.parent.id', 'asc');
- expect(alertsOrderedByEventId.length).equal(2);
+ expect(alertsOrderedByEventId).toHaveLength(2);
});
it('should generate 2 alerts when timestamp override does not exist', async () => {
@@ -321,7 +320,7 @@ export default ({ getService }: FtrProviderContext) => {
const alerts = alertsResponse.hits.hits.map((hit) => hit._source);
const alertsOrderedByEventId = orderBy(alerts, 'alert.parent.id', 'asc');
- expect(alertsOrderedByEventId.length).equal(2);
+ expect(alertsOrderedByEventId).toHaveLength(2);
});
it('should not generate any alerts when timestamp override does not exist and timestamp fallback is disabled', async () => {
@@ -338,7 +337,7 @@ export default ({ getService }: FtrProviderContext) => {
createdRule,
RuleExecutionStatusEnum['partial failure']
);
- expect(alertsOpen.hits.hits.length).eql(0);
+ expect(alertsOpen.hits.hits).toHaveLength(0);
});
});
});
@@ -390,7 +389,7 @@ export default ({ getService }: FtrProviderContext) => {
const alertsResponse = await getAlertsByIds(supertest, log, [id], 200);
const alerts = alertsResponse.hits.hits.map((hit) => hit._source);
- expect(alerts.length).equal(200);
+ expect(alerts).toHaveLength(200);
});
});
});
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning.ts
index 883a175588e4c..00dfc43bf7534 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning.ts
@@ -113,7 +113,7 @@ export default ({ getService }: FtrProviderContext) => {
it('should create 1 alert from ML rule when record meets anomaly_threshold', async () => {
const createdRule = await createRule(supertest, log, rule);
const alerts = await getAlerts(supertest, log, es, createdRule);
- expect(alerts.hits.hits.length).toBe(1);
+ expect(alerts.hits.hits).toHaveLength(1);
const alert = alerts.hits.hits[0];
expect(alert._source).toEqual(
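Review bot: `getAlertsByIds(supertest, log, [id], 200)` paired with `expect(alerts).toHaveLength(200)` cannot detect over-generation: if the fourth argument is the page size, as it appears to be, a rule that produced 201 or more alerts still comes back as exactly 200 and the test passes. Request one more than the expected count, `const alertsResponse = await getAlertsByIds(supertest, log, [id], 201);`, so that an extra alert fails the length check, or assert on the response's total hit count if the helper exposes it. The `it` body starts before this hunk.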
@@ -244,7 +244,7 @@ export default ({ getService }: FtrProviderContext) => {
rule: { ...rule, anomaly_threshold: 20 },
});
const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).toBe(7);
+ expect(previewAlerts).toHaveLength(7);
});
describe('with non-value list exception', () => {
@@ -268,7 +268,7 @@ export default ({ getService }: FtrProviderContext) => {
],
});
const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).toBe(0);
+ expect(previewAlerts).toHaveLength(0);
});
});
@@ -304,7 +304,7 @@ export default ({ getService }: FtrProviderContext) => {
],
});
const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).toBe(0);
+ expect(previewAlerts).toHaveLength(0);
});
});
@@ -320,7 +320,7 @@ export default ({ getService }: FtrProviderContext) => {
it('@skipInServerlessMKI should be enriched with host risk score', async () => {
const { previewId } = await previewRule({ supertest, rule });
const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).toBe(1);
+ expect(previewAlerts).toHaveLength(1);
const fullAlert = previewAlerts[0]._source;
expect(fullAlert?.host?.risk?.calculated_level).toBe('Low');
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning_alert_suppression.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning_alert_suppression.ts
index 4cf540578f6dd..591eaa36022bc 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning_alert_suppression.ts
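Review bot: `expect(previewAlerts).toHaveLength(0)` in the two exception tests passes both when the exception suppressed the anomaly and when the preview produced nothing at all (job not ready, query error, aborted preview), so the zero count on its own does not show that the exception logic ran. The positive control in the preceding hunk (7 alerts at `anomaly_threshold: 20`) lives in a separate test and does not guard these. If `previewRule` also returns the preview's execution logs, destructure them alongside `previewId` and assert they carry no errors before the zero-length check; otherwise consider asserting in the same test that the identical preview without the exception yields alerts. The `it` callbacks and the exception definitions start before these hunks.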
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning_alert_suppression.ts
@@ -394,7 +394,7 @@ export default ({ getService }: FtrProviderContext) => {
sort: [ALERT_ORIGINAL_TIME],
});
- expect(previewAlerts.length).toEqual(1);
+ expect(previewAlerts).toHaveLength(1);
expect(previewAlerts[0]._source).toEqual(
expect.objectContaining({
[ALERT_SUPPRESSION_TERMS]: [
@@ -434,7 +434,7 @@ export default ({ getService }: FtrProviderContext) => {
sort: [ALERT_ORIGINAL_TIME],
});
- expect(previewAlerts.length).toEqual(1);
+ expect(previewAlerts).toHaveLength(1);
expect(previewAlerts[0]._source).toEqual(
expect.objectContaining({
[ALERT_SUPPRESSION_TERMS]: [
@@ -483,7 +483,7 @@ export default ({ getService }: FtrProviderContext) => {
sort: [ALERT_ORIGINAL_TIME],
});
- expect(previewAlerts.length).toEqual(1);
+ expect(previewAlerts).toHaveLength(1);
expect(previewAlerts[0]._source).toEqual(
expect.objectContaining({
[ALERT_SUPPRESSION_TERMS]: [
@@ -538,7 +538,7 @@ export default ({ getService }: FtrProviderContext) => {
sort: [ALERT_SUPPRESSION_DOCS_COUNT],
});
- expect(previewAlerts.length).toEqual(2);
+ expect(previewAlerts).toHaveLength(2);
expect(previewAlerts[0]._source).toEqual(
expect.objectContaining({
[ALERT_SUPPRESSION_TERMS]: [
@@ -613,7 +613,7 @@ export default ({ getService }: FtrProviderContext) => {
sort: [ALERT_ORIGINAL_TIME],
});
- expect(previewAlerts.length).toEqual(3);
+ expect(previewAlerts).toHaveLength(3);
expect(previewAlerts[0]._source).toEqual(
expect.objectContaining({
'user.name': ['irrelevant'],
@@ -828,7 +828,7 @@ export default ({ getService }: FtrProviderContext) => {
sort: [ALERT_ORIGINAL_TIME],
});
- expect(previewAlerts.length).toEqual(1);
+ expect(previewAlerts).toHaveLength(1);
expect(previewAlerts[0]._source).toEqual(
expect.objectContaining({
[ALERT_SUPPRESSION_TERMS]: [
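Review bot: Sorting with `sort: [ALERT_SUPPRESSION_DOCS_COUNT]` and then asserting the contents of `previewAlerts[0]` is only deterministic if the two suppressed alerts have different doc counts; if they tie, Elasticsearch returns them in unspecified order and the `[ALERT_SUPPRESSION_TERMS]` check on index 0 becomes flaky. Add a tiebreaker, e.g. `sort: [ALERT_SUPPRESSION_DOCS_COUNT, ALERT_ORIGINAL_TIME],`, which is the key every other hunk in this file already sorts by. The expected counts and the rest of the `it` body are outside this hunk, so I cannot confirm whether they actually differ.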
@@ -878,7 +878,7 @@ export default ({ getService }: FtrProviderContext) => {
sort: [ALERT_ORIGINAL_TIME],
});
- expect(previewAlerts.length).toEqual(2);
+ expect(previewAlerts).toHaveLength(2);
expect(previewAlerts[0]._source).toEqual(
expect.objectContaining({
[ALERT_SUPPRESSION_TERMS]: [
@@ -1081,7 +1081,7 @@ export default ({ getService }: FtrProviderContext) => {
sort: [ALERT_ORIGINAL_TIME],
});
- expect(previewAlerts.length).toEqual(1);
+ expect(previewAlerts).toHaveLength(1);
expect(previewAlerts[0]._source).toEqual(
expect.objectContaining({
[ALERT_SUPPRESSION_TERMS]: [
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning_manual_run.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning_manual_run.ts
index 609b716ed9339..4013fe6931e0e 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning_manual_run.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning_manual_run.ts
@@ -136,7 +136,7 @@ export default ({ getService }: FtrProviderContext) => {
await waitForBackfillExecuted(secondBackfill, [createdRule.id], { supertest, log });
const allNewAlertsAfter2ManualRuns = await getAlerts(supertest, log, es, createdRule);
- expect(allNewAlertsAfter2ManualRuns.hits.hits.length).toEqual(2);
+ expect(allNewAlertsAfter2ManualRuns.hits.hits).toHaveLength(2);
});
it('does not alert if the manual run overlaps with a previous scheduled rule execution', async () => {
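Review bot: `getAlerts(supertest, log, es, createdRule)` is called straight after `waitForBackfillExecuted(...)` and the result asserted with `toHaveLength(2)`; unless one of those helpers also waits for the backfill's alerts to become searchable, the query can race the alert index refresh and observe 0 or 1 alerts. The timestamps suite in this same change guards its counts with `await waitForAlertsToBePresent(supertest, log, N, [id])`; doing the same here, `await waitForAlertsToBePresent(supertest, log, 2, [createdRule.id]);` before the `getAlerts` call, removes the race without changing what is asserted. The `it` body starts before this hunk.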