diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/rule_exceptions_execution.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/rule_exceptions_execution.ts
index 550bb16d1dfe8..c951c4fbd846c 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/rule_exceptions_execution.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/rule_exceptions_execution.ts
@@ -122,7 +122,7 @@ export default ({ getService }: FtrProviderContext) => {
 await waitForRuleSuccess({ supertest, log, id: createdId });
 await waitForAlertsToBePresent(supertest, log, 10, [createdId]);
 const alertsOpen = await getAlertsByIds(supertest, log, [createdId]);
- expect(alertsOpen.hits.hits.length).toEqual(10);
+ expect(alertsOpen.hits.hits).toHaveLength(10);
 });
 it('should be able to execute against an exception list that does include valid entries and get back 0 alerts', async () => {
@@ -149,7 +149,7 @@ export default ({ getService }: FtrProviderContext) => {
 ],
 ]);
 const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule);
- expect(alertsOpen.hits.hits.length).toEqual(0);
+ expect(alertsOpen.hits.hits).toHaveLength(0);
 });
 it('should be able to execute against an exception list that does include valid case sensitive entries and get back 0 alerts', async () => {
@@ -201,10 +201,10 @@ export default ({ getService }: FtrProviderContext) => {
 const alertsOpen2 = await getOpenAlerts(supertest, log, es, createdRule2);
 // Expect alerts here because all values are "Ubuntu"
 // and exception is one of ["ubuntu"]
- expect(alertsOpen.hits.hits.length).toEqual(10);
+ expect(alertsOpen.hits.hits).toHaveLength(10);
 // Expect no alerts here because all values are "Ubuntu"
 // and exception is one of ["ubuntu", "Ubuntu"]
- expect(alertsOpen2.hits.hits.length).toEqual(0);
+ expect(alertsOpen2.hits.hits).toHaveLength(0);
 });
 it('generates no alerts when an exception is added for an EQL rule', async () => {
@@ -223,7 +223,7 @@ export default ({ getService }: FtrProviderContext) => {
 ],
 ]);
 const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule);
- expect(alertsOpen.hits.hits.length).toEqual(0);
+ expect(alertsOpen.hits.hits).toHaveLength(0);
 });
 it('generates no alerts when an exception is added for a threshold rule', async () => {
@@ -245,7 +245,7 @@ export default ({ getService }: FtrProviderContext) => {
 ],
 ]);
 const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule);
- expect(alertsOpen.hits.hits.length).toEqual(0);
+ expect(alertsOpen.hits.hits).toHaveLength(0);
 });
 it('generates no alerts when an exception is added for a threat match rule', async () => {
@@ -288,8 +288,9 @@ export default ({ getService }: FtrProviderContext) => {
 ],
 ]);
 const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule);
- expect(alertsOpen.hits.hits.length).toEqual(0);
+ expect(alertsOpen.hits.hits).toHaveLength(0);
 });
+
 describe('rules with value list exceptions', () => {
 beforeEach(async () => {
 await createListsIndex(supertest, log);
@@ -328,7 +329,7 @@ export default ({ getService }: FtrProviderContext) => {
 ],
 ]);
 const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule);
- expect(alertsOpen.hits.hits.length).toEqual(0);
+ expect(alertsOpen.hits.hits).toHaveLength(0);
 });
 it('generates no alerts when a value list exception is added for a threat match rule', async () => {
@@ -376,7 +377,7 @@ export default ({ getService }: FtrProviderContext) => {
 ],
 ]);
 const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule);
- expect(alertsOpen.hits.hits.length).toEqual(0);
+ expect(alertsOpen.hits.hits).toHaveLength(0);
 });
 it('generates no alerts when a value list exception is added for a threshold rule', async () => {
@@ -413,7 +414,7 @@ export default ({ getService }: FtrProviderContext) => {
 ],
 ]);
 const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule);
- expect(alertsOpen.hits.hits.length).toEqual(0);
+ expect(alertsOpen.hits.hits).toHaveLength(0);
 });
 it('generates no alerts when a value list exception is added for an EQL rule', async () => {
@@ -438,8 +439,9 @@ export default ({ getService }: FtrProviderContext) => {
 ],
 ]);
 const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule);
- expect(alertsOpen.hits.hits.length).toEqual(0);
+ expect(alertsOpen.hits.hits).toHaveLength(0);
 });
+
 it('should Not allow deleting value list when there are references and ignoreReferences is false', async () => {
 const valueListId = 'value-list-id.txt';
 await importFile(supertest, log, 'keyword', ['suricata-sensor-amsterdam'], valueListId);
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/eql/trial_license_complete_tier/eql.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/eql/trial_license_complete_tier/eql.ts
index 85d83807c375b..8b6e6ddcaabda 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/eql/trial_license_complete_tier/eql.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/eql/trial_license_complete_tier/eql.ts
@@ -10,6 +10,7 @@ import moment from 'moment';
 import supertestLib from 'supertest';
 import url from 'url';
 import expect from '@kbn/expect';
+import expect_ from 'expect';
 import {
 ALERT_REASON,
 ALERT_RULE_UUID,
@@ -82,8 +83,7 @@ export default ({ getService }: FtrProviderContext) => {
 const auditPath = dataPathBuilder.getPath('auditbeat/hosts');
 const packetBeatPath = dataPathBuilder.getPath('packetbeat/default');
- // Failing: See https://github.com/elastic/kibana/issues/209024
- describe.skip('@ess @serverless @serverlessQA EQL type rules', () => {
+ describe('@ess @serverless @serverlessQA EQL type rules', () => {
 const { indexListOfDocuments } = dataGeneratorFactory({
 es,
 index: 'ecs_compliant',
@@ -116,7 +116,7 @@ export default ({ getService }: FtrProviderContext) => {
 };
 const createdRule = await createRule(supertest, log, rule);
 const alerts = await getAlerts(supertest, log, es, createdRule);
- expect(alerts.hits.hits.length).eql(1);
+ expect_(alerts.hits.hits).toHaveLength(1);
 const fullAlert = alerts.hits.hits[0]._source;
 if (!fullAlert) {
 return expect(fullAlert).to.be.ok();
@@ -285,7 +285,7 @@ export default ({ getService }: FtrProviderContext) => {
 };
 const { previewId } = await previewRule({ supertest, rule });
 const previewAlerts = await getPreviewAlerts({ es, previewId, size: maxAlerts * 2 });
- expect(previewAlerts.length).eql(maxAlerts);
+ expect_(previewAlerts).toHaveLength(maxAlerts);
 });
 it('generates max alerts warning when circuit breaker is hit', async () => {
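Review bot: In the @@ -10 hunk the jest matcher is imported as `expect_` right next to `@kbn/expect`'s `expect`; the two names differ only by a trailing underscore while exposing incompatible APIs (`.to.eql(...)` versus `.toEqual(...)`), which is easy to misread in a file this long. A descriptive alias such as `import jestExpect from 'expect';`, or finishing the migration of eql.ts to a single assertion library, would make every call site self-explanatory. The @@ -82 hunk also re-enables the suite that was skipped for issue 209024 without any visible change addressing that failure; if the fix landed elsewhere in this commit, a line in the description pointing to it would help the next reader. The `describe` body continues well past the end of the hunk.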
@@ -304,7 +304,7 @@ export default ({ getService }: FtrProviderContext) => {
 };
 const { previewId } = await previewRule({ supertest, rule });
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).eql(1);
+ expect_(previewAlerts).toHaveLength(1);
 const fullAlert = previewAlerts[0]._source;
 if (!fullAlert) {
 return expect(fullAlert).to.be.ok();
@@ -374,7 +374,7 @@ export default ({ getService }: FtrProviderContext) => {
 };
 const { previewId } = await previewRule({ supertest, rule });
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).eql(3);
+ expect_(previewAlerts).toHaveLength(3);
 const createdAtHits = previewAlerts.map((hit) => hit._source?.created_at).sort();
 expect(createdAtHits).to.eql([1622676785, 1622676790, 1622676795]);
@@ -388,7 +388,7 @@ export default ({ getService }: FtrProviderContext) => {
 };
 const { previewId } = await previewRule({ supertest, rule });
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).eql(3);
+ expect_(previewAlerts).toHaveLength(3);
 const createdAtHits = previewAlerts.map((hit) => hit._source?.locale);
 expect(createdAtHits).to.eql(['es', 'pt', 'ua']);
@@ -668,7 +668,7 @@ export default ({ getService }: FtrProviderContext) => {
 const previewAlerts = await getPreviewAlerts({ es, previewId, sort: ['agent.name'] });
- expect(previewAlerts).to.have.length(3);
+ expect_(previewAlerts).toHaveLength(3);
 const buildingBlockAlerts = previewAlerts.filter( (alert) => alert._source?.['kibana.alert.building_block_type']
@@ -712,11 +712,11 @@ export default ({ getService }: FtrProviderContext) => {
 // For EQL rules, max_alerts is the maximum number of detected sequences: each sequence has a building block
 // alert for each event in the sequence, so max_alerts=200 results in 400 building blocks in addition to
 // 200 regular alerts
- expect(previewAlerts.length).eql(maxAlerts * 3);
+ expect_(previewAlerts).toHaveLength(maxAlerts * 3);
 const shellAlerts = previewAlerts.filter((alert) => alert._source?.[ALERT_DEPTH] === 2);
 const buildingBlocks = previewAlerts.filter((alert) => alert._source?.[ALERT_DEPTH] === 1);
- expect(shellAlerts.length).eql(maxAlerts);
- expect(buildingBlocks.length).eql(maxAlerts * 2);
+ expect_(shellAlerts).toHaveLength(maxAlerts);
+ expect_(buildingBlocks).toHaveLength(maxAlerts * 2);
 });
 it('generates alerts when an index name contains special characters to encode', async () => {
@@ -726,7 +726,7 @@ export default ({ getService }: FtrProviderContext) => {
 };
 const { previewId } = await previewRule({ supertest, rule });
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).eql(1);
+ expect_(previewAlerts).toHaveLength(1);
 });
 it('uses the provided filters', async () => {
@@ -772,7 +772,7 @@ export default ({ getService }: FtrProviderContext) => {
 };
 const { previewId } = await previewRule({ supertest, rule });
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).eql(2);
+ expect_(previewAlerts).toHaveLength(2);
 });
 describe('with host risk index', () => {
@@ -791,7 +791,7 @@ export default ({ getService }: FtrProviderContext) => {
 };
 const { previewId } = await previewRule({ supertest, rule });
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).eql(1);
+ expect_(previewAlerts).toHaveLength(1);
 const fullAlert = previewAlerts[0]._source;
 if (!fullAlert) {
 return expect(fullAlert).to.be.ok();
@@ -842,7 +842,7 @@ export default ({ getService }: FtrProviderContext) => {
 expect(_log.warnings).to.eql([expectedWarning]);
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).to.be.greaterThan(0);
+ expect_(previewAlerts).not.toHaveLength(0);
 });
 it('specifying only timestamp_override results in alert creation with an expected warning', async () => {
@@ -860,7 +860,7 @@ export default ({ getService }: FtrProviderContext) => {
 expect(_log.warnings).to.eql([expectedWarning]);
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).to.be.greaterThan(0);
+ expect_(previewAlerts).not.toHaveLength(0);
 });
 it('specifying both timestamp_override and timestamp_field results in alert creation with an expected warning', async () => {
@@ -879,7 +879,7 @@ export default ({ getService }: FtrProviderContext) => {
 expect(_log.warnings).to.eql([expectedWarning]);
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).to.be.greaterThan(0);
+ expect_(previewAlerts).not.toHaveLength(0);
 });
 });
@@ -951,7 +951,7 @@ export default ({ getService }: FtrProviderContext) => {
 expect(_log.warnings).to.be.empty();
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts).to.have.length(3);
+ expect_(previewAlerts).toHaveLength(3);
 });
 });
@@ -1024,7 +1024,7 @@ export default ({ getService }: FtrProviderContext) => {
 const createdRule = await createRule(supertest, log, rule);
 const alerts = await getAlerts(supertest, log, es, createdRule);
- expect(alerts.hits.hits.length).equal(3);
+ expect_(alerts.hits.hits).toHaveLength(3);
 expect(alerts.hits.hits[0]?._source?.[ALERT_RULE_EXECUTION_TYPE]).equal('scheduled');
 const backfill = await scheduleRuleRun(supertest, [createdRule.id], {
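Review bot: In the @@ -842, @@ -860 and @@ -879 hunks the assertion `expect(previewAlerts.length).to.be.greaterThan(0)` is rewritten as `expect_(previewAlerts).not.toHaveLength(0)`, which expresses "at least one alert" only by negation and, when it fails, reports "expected not to have length 0" instead of the observed count. Keeping the comparison explicit as `expect_(previewAlerts.length).toBeGreaterThan(0);` is the same single line and preserves the original intent and failure message. For an array the two forms are equivalent, so this is a readability point only; each enclosing `it` starts outside its hunk.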
@@ -1034,7 +1034,7 @@ export default ({ getService }: FtrProviderContext) => {
 await waitForBackfillExecuted(backfill, [createdRule.id], { supertest, log });
 const allNewAlerts = await getAlerts(supertest, log, es, createdRule);
- expect(allNewAlerts.hits.hits.length).equal(6);
+ expect_(allNewAlerts.hits.hits).toHaveLength(6);
 expect(allNewAlerts.hits.hits[5]?._source?.[ALERT_RULE_EXECUTION_TYPE]).equal('manual');
 const secondBackfill = await scheduleRuleRun(supertest, [createdRule.id], {
@@ -1044,7 +1044,7 @@ export default ({ getService }: FtrProviderContext) => {
 await waitForBackfillExecuted(secondBackfill, [createdRule.id], { supertest, log });
 const allNewAlertsAfter2ManualRuns = await getAlerts(supertest, log, es, createdRule);
- expect(allNewAlertsAfter2ManualRuns.hits.hits.length).equal(6);
+ expect_(allNewAlertsAfter2ManualRuns.hits.hits).toHaveLength(6);
 });
 it('does not alert if the manual run overlaps with a previous scheduled rule execution', async () => {
@@ -1083,7 +1083,7 @@ export default ({ getService }: FtrProviderContext) => {
 const createdRule = await createRule(supertest, log, rule);
 const alerts = await getAlerts(supertest, log, es, createdRule);
- expect(alerts.hits.hits.length).equal(3);
+ expect_(alerts.hits.hits).toHaveLength(3);
 const backfill = await scheduleRuleRun(supertest, [createdRule.id], {
 startDate: moment(firstTimestamp).subtract(5, 'm'),
@@ -1092,7 +1092,7 @@ export default ({ getService }: FtrProviderContext) => {
 await waitForBackfillExecuted(backfill, [createdRule.id], { supertest, log });
 const allNewAlerts = await getAlerts(supertest, log, es, createdRule);
- expect(allNewAlerts.hits.hits.length).equal(3);
+ expect_(allNewAlerts.hits.hits).toHaveLength(3);
 });
 it('supression per rule execution should work for manual rule runs', async () => {
@@ -1136,7 +1136,7 @@ export default ({ getService }: FtrProviderContext) => {
 const createdRule = await createRule(supertest, log, rule);
 const alerts = await getAlerts(supertest, log, es, createdRule);
- expect(alerts.hits.hits.length).equal(0);
+ expect_(alerts.hits.hits).toHaveLength(0);
 const backfill = await scheduleRuleRun(supertest, [createdRule.id], {
 startDate: moment(firstTimestamp).subtract(5, 'm'),
@@ -1145,7 +1145,7 @@ export default ({ getService }: FtrProviderContext) => {
 await waitForBackfillExecuted(backfill, [createdRule.id], { supertest, log });
 const allNewAlerts = await getAlerts(supertest, log, es, createdRule);
- expect(allNewAlerts.hits.hits.length).equal(1);
+ expect_(allNewAlerts.hits.hits).toHaveLength(1);
 expect(allNewAlerts.hits.hits[0]._source?.[ALERT_SUPPRESSION_DOCS_COUNT]).equal(2);
 });
@@ -1181,7 +1181,7 @@ export default ({ getService }: FtrProviderContext) => {
 const createdRule = await createRule(supertest, log, rule);
 const alerts = await getAlerts(supertest, log, es, createdRule);
- expect(alerts.hits.hits.length).equal(0);
+ expect_(alerts.hits.hits).toHaveLength(0);
 // generate alert in the past
 const backfill = await scheduleRuleRun(supertest, [createdRule.id], {
@@ -1190,7 +1190,7 @@ export default ({ getService }: FtrProviderContext) => {
 });
 await waitForBackfillExecuted(backfill, [createdRule.id], { supertest, log });
 const allNewAlerts = await getAlerts(supertest, log, es, createdRule);
- expect(allNewAlerts.hits.hits.length).equal(1);
+ expect_(allNewAlerts.hits.hits).toHaveLength(1);
 // now we will ingest new event, and manual rule run should update original alert
 const secondDocument = {
@@ -1210,9 +1210,9 @@ export default ({ getService }: FtrProviderContext) => {
 await waitForBackfillExecuted(secondBackfill, [createdRule.id], { supertest, log });
 const updatedAlerts = await getAlerts(supertest, log, es, createdRule);
- expect(updatedAlerts.hits.hits.length).equal(1);
+ expect_(updatedAlerts.hits.hits).toHaveLength(1);
- expect(updatedAlerts.hits.hits.length).equal(1);
+ expect_(updatedAlerts.hits.hits).toHaveLength(1);
 expect(updatedAlerts.hits.hits[0]._source?.[ALERT_SUPPRESSION_DOCS_COUNT]).equal(1);
 });
@@ -1236,7 +1236,7 @@ export default ({ getService }: FtrProviderContext) => {
 const requests = logs[0].requests;
- expect(requests).to.have.length(1);
+ expect_(requests).toHaveLength(1);
 expect(requests![0].description).to.be('EQL request to find all matches');
 expect(requests![0].request).to.contain( 'POST /auditbeat-*/_eql/search?allow_no_indices=true'
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/eql/trial_license_complete_tier/eql_alert_suppression.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/eql/trial_license_complete_tier/eql_alert_suppression.ts
index c3ff57ef46190..b75003fb3da2a 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/eql/trial_license_complete_tier/eql_alert_suppression.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/eql/trial_license_complete_tier/eql_alert_suppression.ts
@@ -169,7 +169,7 @@ export default ({ getService }: FtrProviderContext) => {
 undefined, afterTimestamp );
- expect(secondAlerts.hits.hits.length).toEqual(1);
+ expect(secondAlerts.hits.hits).toHaveLength(1);
 expect(secondAlerts.hits.hits[0]._source).toEqual( expect.objectContaining({ [ALERT_SUPPRESSION_TERMS]: [
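Review bot: The @@ -1210 hunk in eql.ts carries over a duplicated assertion: `expect_(updatedAlerts.hits.hits).toHaveLength(1);` appears twice in a row with nothing between the two lines. Since the matcher rewrite touches both lines anyway, this is the natural place to drop the second copy; the `ALERT_SUPPRESSION_DOCS_COUNT` check that follows is the assertion that actually verifies the manual run updated the original alert. The enclosing `it` starts outside the hunk.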
@@ -342,7 +342,7 @@ export default ({ getService }: FtrProviderContext) => {
 afterTimestamp );
- expect(secondAlerts.hits.hits.length).toEqual(3);
+ expect(secondAlerts.hits.hits).toHaveLength(3);
 const sortedAlerts = sortBy(secondAlerts.hits.hits, ALERT_ORIGINAL_TIME);
@@ -405,7 +405,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId, sort: [ALERT_ORIGINAL_TIME], });
- expect(previewAlerts.length).toBe(2);
+ expect(previewAlerts).toHaveLength(2);
 expect(previewAlerts[0]._source).toEqual( expect.objectContaining({ [ALERT_SUPPRESSION_TERMS]: [
@@ -490,7 +490,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId, sort: [ALERT_ORIGINAL_TIME], });
- expect(previewAlerts.length).toEqual(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [
@@ -560,7 +560,7 @@ export default ({ getService }: FtrProviderContext) => {
 sort: ['host.name', ALERT_ORIGINAL_TIME], });
- expect(previewAlerts.length).toEqual(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [
@@ -621,7 +621,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId, sort: ['host.name', ALERT_ORIGINAL_TIME], });
- expect(previewAlerts.length).toEqual(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [
@@ -698,7 +698,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId, sort: ['agent.name', ALERT_ORIGINAL_TIME], });
- expect(previewAlerts.length).toEqual(2);
+ expect(previewAlerts).toHaveLength(2);
 expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [
@@ -789,7 +789,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId, sort: ['agent.name', ALERT_ORIGINAL_TIME], });
- expect(previewAlerts.length).toEqual(4);
+ expect(previewAlerts).toHaveLength(4);
 expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [
@@ -855,7 +855,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId, sort: [ALERT_ORIGINAL_TIME], });
- expect(previewAlerts.length).toEqual(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [
@@ -905,7 +905,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId, sort: [ALERT_ORIGINAL_TIME], });
- expect(previewAlerts.length).toEqual(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [
@@ -961,7 +961,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId, sort: ['agent.name', ALERT_ORIGINAL_TIME], });
- expect(previewAlerts.length).toEqual(2);
+ expect(previewAlerts).toHaveLength(2);
 expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [
@@ -1054,7 +1054,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId, sort: ['agent.name', 'agent.version', ALERT_ORIGINAL_TIME], });
- expect(previewAlerts.length).toEqual(4);
+ expect(previewAlerts).toHaveLength(4);
 expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [
@@ -1154,7 +1154,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId, sort: ['agent.name', ALERT_ORIGINAL_TIME], });
- expect(previewAlerts.length).toEqual(3);
+ expect(previewAlerts).toHaveLength(3);
 expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [
@@ -1242,7 +1242,7 @@ export default ({ getService }: FtrProviderContext) => {
 sort: ['agent.name', 'agent.version', ALERT_ORIGINAL_TIME], });
 // from 7 injected, only one should be suppressed
- expect(previewAlerts.length).toEqual(6);
+ expect(previewAlerts).toHaveLength(6);
 expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [
@@ -1310,7 +1310,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId, sort: ['host.name', ALERT_ORIGINAL_TIME], });
- expect(previewAlerts.length).toEqual(2);
+ expect(previewAlerts).toHaveLength(2);
 expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [
@@ -1381,7 +1381,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId, sort: ['host.name', ALERT_ORIGINAL_TIME], });
- expect(previewAlerts.length).toEqual(2);
+ expect(previewAlerts).toHaveLength(2);
 expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [
@@ -1451,7 +1451,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId, sort: ['host.name', ALERT_ORIGINAL_TIME], });
- expect(previewAlerts.length).toEqual(2);
+ expect(previewAlerts).toHaveLength(2);
 expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [
@@ -1526,7 +1526,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId, sort: ['agent.name', ALERT_ORIGINAL_TIME], });
- expect(previewAlerts.length).toEqual(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [
@@ -1591,7 +1591,7 @@ export default ({ getService }: FtrProviderContext) => {
 size: 1000, sort: ['agent.name', ALERT_ORIGINAL_TIME], });
- expect(previewAlerts.length).toEqual(100);
+ expect(previewAlerts).toHaveLength(100);
 });
 it('adds execution values to rule execution state', async () => {
@@ -1695,7 +1695,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId, sort: [ALERT_ORIGINAL_TIME], });
- expect(previewAlerts.length).toEqual(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toEqual({ ...previewAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [
@@ -1846,10 +1846,10 @@ export default ({ getService }: FtrProviderContext) => {
 });
 // we expect one created alert and one suppressed alert
 // and two building block alerts, let's confirm that
- expect(previewAlerts.length).toEqual(3);
+ expect(previewAlerts).toHaveLength(3);
 const [sequenceAlert, buildingBlockAlerts] = partitionSequenceBuildingBlocks(previewAlerts);
- expect(buildingBlockAlerts.length).toEqual(2);
- expect(sequenceAlert.length).toEqual(1);
+ expect(buildingBlockAlerts).toHaveLength(2);
+ expect(sequenceAlert).toHaveLength(1);
 expect(sequenceAlert[0]?._source).toEqual({ ...sequenceAlert[0]?._source,
@@ -1917,13 +1917,13 @@ export default ({ getService }: FtrProviderContext) => {
 });
 // we expect one created alert and one suppressed alert
 // and two building block alerts, let's confirm that
- expect(previewAlerts.length).toEqual(3);
+ expect(previewAlerts).toHaveLength(3);
 const [sequenceAlert, buildingBlockAlerts] = partition( previewAlerts, (alert) => alert?._source?.[ALERT_SUPPRESSION_DOCS_COUNT] != null );
- expect(buildingBlockAlerts.length).toEqual(2);
- expect(sequenceAlert.length).toEqual(1);
+ expect(buildingBlockAlerts).toHaveLength(2);
+ expect(sequenceAlert).toHaveLength(1);
 expect(sequenceAlert[0]?._source).toEqual({ ...sequenceAlert[0]?._source,
@@ -1998,11 +1998,11 @@ export default ({ getService }: FtrProviderContext) => {
 });
 // we expect two sequence alerts
 // each sequence alert having two building block alerts
- expect(previewAlerts.length).toEqual(6);
+ expect(previewAlerts).toHaveLength(6);
 const [sequenceAlerts, buildingBlockAlerts] = partitionSequenceBuildingBlocks(previewAlerts);
- expect(buildingBlockAlerts.length).toEqual(4);
- expect(sequenceAlerts.length).toEqual(2);
+ expect(buildingBlockAlerts).toHaveLength(4);
+ expect(sequenceAlerts).toHaveLength(2);
 expect(sequenceAlerts[0]?._source).toEqual({ ...sequenceAlerts[0]?._source,
@@ -2106,13 +2106,13 @@ export default ({ getService }: FtrProviderContext) => {
 // and two building block alerts per shell alert, let's confirm that
 const [sequenceAlerts, buildingBlockAlerts] = partitionSequenceBuildingBlocks(previewAlerts);
- expect(buildingBlockAlerts.length).toEqual(6);
- expect(sequenceAlerts.length).toEqual(3);
+ expect(buildingBlockAlerts).toHaveLength(6);
+ expect(sequenceAlerts).toHaveLength(3);
 const [suppressedSequenceAlerts] = partition( sequenceAlerts, (alert) => (alert?._source?.['kibana.alert.suppression.docs_count'] as number) >= 0 );
- expect(suppressedSequenceAlerts.length).toEqual(1);
+ expect(suppressedSequenceAlerts).toHaveLength(1);
 expect(suppressedSequenceAlerts[0]._source).toEqual({ ...suppressedSequenceAlerts[0]._source,
@@ -2175,15 +2175,15 @@ export default ({ getService }: FtrProviderContext) => {
 });
 // we expect one alert and two suppressed alerts
 // and two building block alerts, let's confirm that
- expect(previewAlerts.length).toEqual(6);
+ expect(previewAlerts).toHaveLength(6);
 const [sequenceAlert, buildingBlockAlerts] = partitionSequenceBuildingBlocks(previewAlerts);
 const [suppressedSequenceAlerts] = partition( sequenceAlert, (alert) => (alert?._source?.['kibana.alert.suppression.docs_count'] as number) >= 0 );
- expect(buildingBlockAlerts.length).toEqual(4);
- expect(sequenceAlert.length).toEqual(2);
- expect(suppressedSequenceAlerts.length).toEqual(0);
+ expect(buildingBlockAlerts).toHaveLength(4);
+ expect(sequenceAlert).toHaveLength(2);
+ expect(suppressedSequenceAlerts).toHaveLength(0);
 expect(sequenceAlert[0]?._source).toEqual({ ...sequenceAlert[0]?._source, [ALERT_SUPPRESSION_TERMS]: undefined,
@@ -2248,15 +2248,15 @@ export default ({ getService }: FtrProviderContext) => {
 });
 // we expect one alert and two suppressed alerts
 // and two building block alerts, let's confirm that
- expect(previewAlerts.length).toEqual(3);
+ expect(previewAlerts).toHaveLength(3);
 const [sequenceAlert, buildingBlockAlerts] = partitionSequenceBuildingBlocks(previewAlerts);
 const [suppressedSequenceAlerts] = partition( sequenceAlert, (alert) => (alert?._source?.['kibana.alert.suppression.docs_count'] as number) >= 0 );
- expect(suppressedSequenceAlerts.length).toEqual(1);
- expect(buildingBlockAlerts.length).toEqual(2);
- expect(sequenceAlert.length).toEqual(1);
+ expect(suppressedSequenceAlerts).toHaveLength(1);
+ expect(buildingBlockAlerts).toHaveLength(2);
+ expect(sequenceAlert).toHaveLength(1);
 expect(sequenceAlert[0]?._source).toEqual({ ...sequenceAlert[0]?._source,
@@ -2334,18 +2334,18 @@ export default ({ getService }: FtrProviderContext) => {
 sort: [ALERT_ORIGINAL_TIME], });
- expect(previewAlerts.length).toEqual(9);
+ expect(previewAlerts).toHaveLength(9);
 const [sequenceAlert, buildingBlockAlerts] = partitionSequenceBuildingBlocks(previewAlerts);
 const [suppressedSequenceAlerts] = partition( sequenceAlert, (alert) => (alert?._source?.['kibana.alert.suppression.docs_count'] as number) >= 0 );
 // no alerts should be suppressed because doNotSuppress is set
- expect(suppressedSequenceAlerts.length).toEqual(0);
- expect(buildingBlockAlerts.length).toEqual(6);
+ expect(suppressedSequenceAlerts).toHaveLength(0);
+ expect(buildingBlockAlerts).toHaveLength(6);
 // 3 sequence alerts comprised of
 // (doc1 + doc1WithNoHost), (doc1WithNoHost + doc2WithNoHost), (doc2WithNoHost + doc3WithNoHost)
- expect(sequenceAlert.length).toEqual(3);
+ expect(sequenceAlert).toHaveLength(3);
 expect(sequenceAlert[0]?._source).toEqual({ ...sequenceAlert[0]?._source,
@@ -2403,10 +2403,10 @@ export default ({ getService }: FtrProviderContext) => {
 });
 // we expect one alert and two suppressed alerts
 // and two building block alerts, let's confirm that
- expect(previewAlerts.length).toEqual(3);
+ expect(previewAlerts).toHaveLength(3);
 const [sequenceAlert, buildingBlockAlerts] = partitionSequenceBuildingBlocks(previewAlerts);
- expect(buildingBlockAlerts.length).toEqual(2);
- expect(sequenceAlert.length).toEqual(1);
+ expect(buildingBlockAlerts).toHaveLength(2);
+ expect(sequenceAlert).toHaveLength(1);
 expect(sequenceAlert[0]?._source).toEqual({ ...sequenceAlert[0]?._source,
@@ -2487,10 +2487,10 @@ export default ({ getService }: FtrProviderContext) => {
 });
 // we expect one alert and two suppressed alerts
 // and two building block alerts, let's confirm that
- expect(previewAlerts.length).toEqual(3);
+ expect(previewAlerts).toHaveLength(3);
 const [sequenceAlert, buildingBlockAlerts] = partitionSequenceBuildingBlocks(previewAlerts);
- expect(buildingBlockAlerts.length).toEqual(2);
- expect(sequenceAlert.length).toEqual(1);
+ expect(buildingBlockAlerts).toHaveLength(2);
+ expect(sequenceAlert).toHaveLength(1);
 expect(sequenceAlert[0]._source).toEqual({ ...sequenceAlert[0]._source,
@@ -2547,7 +2547,7 @@ export default ({ getService }: FtrProviderContext) => {
 sort: [ALERT_ORIGINAL_TIME], });
 const [sequenceAlert] = partitionSequenceBuildingBlocks(previewAlerts);
- expect(previewAlerts.length).toEqual(3); // one sequence, two building block
+ expect(previewAlerts).toHaveLength(3); // one sequence, two building block
 expect(sequenceAlert[0]._source).toEqual({ ...sequenceAlert[0]._source, [ALERT_SUPPRESSION_TERMS]: [
@@ -2644,7 +2644,7 @@ export default ({ getService }: FtrProviderContext) => {
 const [sequenceAlert] = partitionSequenceBuildingBlocks(previewAlerts);
 // for sequence alerts if neither of the fields are there, we cannot suppress
- expect(sequenceAlert.length).toEqual(4);
+ expect(sequenceAlert).toHaveLength(4);
 expect(sequenceAlert[0]._source).toEqual({ ...sequenceAlert[0]._source, [ALERT_SUPPRESSION_TERMS]: [
@@ -2791,7 +2791,7 @@ export default ({ getService }: FtrProviderContext) => {
 sequenceAlert, (alert) => (alert?._source?.['kibana.alert.suppression.docs_count'] as number) >= 0 );
- expect(suppressedSequenceAlerts.length).toEqual(1);
+ expect(suppressedSequenceAlerts).toHaveLength(1);
 expect(suppressedSequenceAlerts[0]._source).toEqual({ ...suppressedSequenceAlerts[0]._source, [ALERT_SUPPRESSION_TERMS]: [
@@ -2860,8 +2860,8 @@ export default ({ getService }: FtrProviderContext) => {
 });
 const [sequenceAlert, buildingBlockAlerts] = partitionSequenceBuildingBlocks(previewAlerts);
- expect(buildingBlockAlerts.length).toEqual(2);
- expect(sequenceAlert.length).toEqual(1);
+ expect(buildingBlockAlerts).toHaveLength(2);
+ expect(sequenceAlert).toHaveLength(1);
 expect(sequenceAlert[0]._source).toEqual({ ...sequenceAlert[0]._source, [ALERT_SUPPRESSION_TERMS]: [
@@ -2875,8 +2875,7 @@ export default ({ getService }: FtrProviderContext) => {
 });
 });
- // FLAKY: https://github.com/elastic/kibana/issues/202940
- describe.skip('@skipInServerless sequence queries with suppression duration', () => {
+ describe('@skipInServerless sequence queries with suppression duration', () => {
 it('suppresses alerts across two rule executions when the suppression duration exceeds the rule interval', async () => {
 const id = uuidv4();
 const firstTimestamp = new Date(Date.now() - 1000).toISOString();
@@ -2911,12 +2910,12 @@ export default ({ getService }: FtrProviderContext) => {
 const createdRule = await createRule(supertest, log, rule);
 const alerts = await getOpenAlerts(supertest, log, es, createdRule);
- expect(alerts.hits.hits.length).toEqual(3);
+ expect(alerts.hits.hits).toHaveLength(3);
 const [sequenceAlert, buildingBlockAlerts] = partitionSequenceBuildingBlocks( alerts.hits.hits );
- expect(buildingBlockAlerts.length).toEqual(2);
- expect(sequenceAlert.length).toEqual(1);
+ expect(buildingBlockAlerts).toHaveLength(2);
+ expect(sequenceAlert).toHaveLength(1);
 // suppression start equal to alert timestamp
 const suppressionStart = sequenceAlert[0]._source?.[TIMESTAMP];
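Review bot: The @@ -2875 hunk re-enables the 'sequence queries with suppression duration' describe that was skipped as flaky (issue 202940), yet nothing in the hunk touches the timing the tests depend on: `const firstTimestamp = new Date(Date.now() - 1000).toISOString();` still anchors the fixture to wall-clock, which is the usual source of nondeterminism in suppression-duration tests. If the root cause was fixed elsewhere in this commit, a sentence in the description naming that change would let a reader connect the two; if it was not, the skip should probably stay, with the issue link kept as the comment `// FLAKY: https://github.com/elastic/kibana/issues/202940` already did. The describe body continues past the end of the hunk, so I cannot see whether later assertions were made more tolerant.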
@@ -2964,7 +2963,7 @@ export default ({ getService }: FtrProviderContext) => {
 const [sequenceAlert2] = partitionSequenceBuildingBlocks(secondAlerts.hits.hits);
- expect(sequenceAlert2.length).toEqual(1);
+ expect(sequenceAlert2).toHaveLength(1);
 expect(sequenceAlert2[0]._source).toEqual({
 ...sequenceAlert2[0]?._source,
 [ALERT_SUPPRESSION_TERMS]: [
@@ -2983,8 +2982,7 @@ export default ({ getService }: FtrProviderContext) => {
 expect(suppressionEnd).toBeGreaterThan(new Date(secondTimestamp).getDate());
 });
- // Skipped here: https://github.com/elastic/kibana/issues/202945
- it.skip('does not suppress alerts outside of duration', async () => {
+ it('does not suppress alerts outside of duration', async () => {
 const id = uuidv4();
 // this timestamp is 1 minute in the past
 const firstTimestamp = new Date(Date.now() - 5000).toISOString();
@@ -3019,12 +3017,12 @@ export default ({ getService }: FtrProviderContext) => {
 const createdRule = await createRule(supertest, log, rule);
 const alerts = await getOpenAlerts(supertest, log, es, createdRule);
- expect(alerts.hits.hits.length).toEqual(3);
+ expect(alerts.hits.hits).toHaveLength(3);
 const [sequenceAlert, buildingBlockAlerts] = partitionSequenceBuildingBlocks(
 alerts.hits.hits
 );
- expect(buildingBlockAlerts.length).toEqual(2);
- expect(sequenceAlert.length).toEqual(1);
+ expect(buildingBlockAlerts).toHaveLength(2);
+ expect(sequenceAlert).toHaveLength(1);
 expect(sequenceAlert[0]._source).toEqual({
 ...sequenceAlert[0]._source,
@@ -3069,7 +3067,7 @@ export default ({ getService }: FtrProviderContext) => {
 const [sequenceAlert2] = partitionSequenceBuildingBlocks(secondAlerts.hits.hits);
- expect(sequenceAlert2.length).toEqual(2);
+ expect(sequenceAlert2).toHaveLength(2);
 expect(sequenceAlert2[0]._source).toEqual({
 ...sequenceAlert2[0]?._source,
 [ALERT_SUPPRESSION_TERMS]: [
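Review bot: The context line `expect(suppressionEnd).toBeGreaterThan(new Date(secondTimestamp).getDate())` at the top of the `@@ -2983` hunk compares against `getDate()`, which is the day of the month (1–31); if `suppressionEnd` is an epoch-millisecond value (its definition is outside the hunk, so this is inferred) the assertion is vacuous and the test re-enabled here would pass regardless of when suppression ended. `getTime()` is presumably what was intended: `expect(suppressionEnd).toBeGreaterThan(new Date(secondTimestamp).getTime());`. In the same hunk the comment `// this timestamp is 1 minute in the past` sits above `Date.now() - 5000`, which is five seconds; the comment should read `// this timestamp is 5 seconds in the past` or the offset adjusted. The enclosing `it` bodies start and end outside this hunk.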
@@ -3153,12 +3151,12 @@ export default ({ getService }: FtrProviderContext) => {
 // we expect one shell alert
 // and three building block alerts
- expect(alerts.hits.hits.length).toEqual(4);
+ expect(alerts.hits.hits).toHaveLength(4);
 const [sequenceAlert, buildingBlockAlerts] = partitionSequenceBuildingBlocks(
 alerts.hits.hits
 );
- expect(buildingBlockAlerts.length).toEqual(3);
- expect(sequenceAlert.length).toEqual(1);
+ expect(buildingBlockAlerts).toHaveLength(3);
+ expect(sequenceAlert).toHaveLength(1);
 expect(sequenceAlert[0]._source).toEqual({
 ...sequenceAlert[0]._source,
@@ -3172,8 +3170,7 @@ export default ({ getService }: FtrProviderContext) => {
 });
 });
- // Skipped here: https://github.com/elastic/kibana/issues/202945
- it.skip('does not suppress alerts outside of duration when query with 3 sequences', async () => {
+ it('does not suppress alerts outside of duration when query with 3 sequences', async () => {
 const id = uuidv4();
 const dateNow = Date.now();
 const timestampSequenceEvent1 = new Date(dateNow - 5000).toISOString();
@@ -3212,12 +3209,12 @@ export default ({ getService }: FtrProviderContext) => {
 // we expect one shell alert
 // and three building block alerts
- expect(alerts.hits.hits.length).toEqual(4);
+ expect(alerts.hits.hits).toHaveLength(4);
 const [sequenceAlert, buildingBlockAlerts] = partitionSequenceBuildingBlocks(
 alerts.hits.hits
 );
- expect(buildingBlockAlerts.length).toEqual(3);
- expect(sequenceAlert.length).toEqual(1);
+ expect(buildingBlockAlerts).toHaveLength(3);
+ expect(sequenceAlert).toHaveLength(1);
 expect(sequenceAlert[0]._source).toEqual({
 ...sequenceAlert[0]._source,
@@ -3270,8 +3267,8 @@ export default ({ getService }: FtrProviderContext) => {
 // two sequence alerts because the second one happened
 // outside of the rule's suppression duration
- expect(sequenceAlert2.length).toEqual(2);
- expect(buildingBlockAlerts2.length).toEqual(6);
+ expect(sequenceAlert2).toHaveLength(2);
+ expect(buildingBlockAlerts2).toHaveLength(6);
 // timestamps should be different for two alerts, showing they were
 // created in different rule executions
 expect(sequenceAlert2[0]?._source?.[TIMESTAMP]).not.toEqual(
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql.ts
index a6a605d3f6123..c4e48784ad0ea 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql.ts
@@ -102,7 +102,7 @@ export default ({ getService }: FtrProviderContext) => {
 const createdRule = await createRule(supertest, log, rule);
 const alerts = await getAlerts(supertest, log, es, createdRule);
- expect(alerts.hits.hits.length).toBe(1);
+ expect(alerts.hits.hits).toHaveLength(1);
 expect(removeRandomValuedPropertiesFromAlert(alerts.hits.hits[0]._source)).toEqual({
 'kibana.alert.rule.parameters': {
 description: 'Detecting root and admin users',
@@ -212,7 +212,7 @@ export default ({ getService }: FtrProviderContext) => {
 size: 10,
 });
- expect(previewAlerts.length).toBe(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toEqual(
 expect.objectContaining({
 'agent.name': 'test-1',
@@ -248,7 +248,7 @@ export default ({ getService }: FtrProviderContext) => {
 size: 10,
 });
- expect(previewAlerts.length).toBe(3);
+ expect(previewAlerts).toHaveLength(3);
 });
 describe('non-aggregating query rules', () => {
@@ -287,7 +287,7 @@ export default ({ getService }: FtrProviderContext) => {
 size: 10,
 });
- expect(previewAlerts.length).toBe(1);
+ expect(previewAlerts).toHaveLength(1);
 // all fields from source document should be returned
 expect(previewAlerts[0]._source).toEqual(
 expect.objectContaining({
@@ -331,7 +331,7 @@ export default ({ getService }: FtrProviderContext) => {
 size: 10,
 });
- expect(previewAlerts.length).toBe(1);
+ expect(previewAlerts).toHaveLength(1);
 });
 });
@@ -406,7 +406,7 @@ export default ({ getService }: FtrProviderContext) => {
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).toBe(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toHaveProperty('custom_named_agent', 'test-1');
 expect(previewAlerts[0]._source).not.toHaveProperty(['agent.name']);
 expect(previewAlerts[0]._source).not.toHaveProperty('agent.name');
@@ -447,7 +447,7 @@ export default ({ getService }: FtrProviderContext) => {
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).toBe(3);
+ expect(previewAlerts).toHaveLength(3);
 expect(previewAlerts.map((_) => _._source?.['agent.name'])).toEqual(
 expect.arrayContaining(['part-0', 'part-1', 'test-1'])
 );
@@ -487,7 +487,7 @@ export default ({ getService }: FtrProviderContext) => {
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).toBe(3);
+ expect(previewAlerts).toHaveLength(3);
 });
 // When expanded field dropped, ES|QL response rows will be identical.
@@ -526,7 +526,7 @@ export default ({ getService }: FtrProviderContext) => {
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).toBe(2);
+ expect(previewAlerts).toHaveLength(2);
 });
 it('should generate alert per expanded row when mv_expand used multiple times', async () => {
@@ -567,7 +567,7 @@ export default ({ getService }: FtrProviderContext) => {
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).toBe(7);
+ expect(previewAlerts).toHaveLength(7);
 expect(previewAlerts.map((_) => _._source?.['agent.name'])).toEqual(
 expect.arrayContaining(['part-0', 'part-1', 'test-1'])
 );
@@ -607,7 +607,7 @@ export default ({ getService }: FtrProviderContext) => {
 size: 10,
 });
- expect(previewAlerts.length).toBe(2);
+ expect(previewAlerts).toHaveLength(2);
 });
 it('should deduplicate alerts generated form expanded rows when expanded field renamed', async () => {
@@ -643,7 +643,7 @@ export default ({ getService }: FtrProviderContext) => {
 size: 10,
 });
- expect(previewAlerts.length).toBe(2);
+ expect(previewAlerts).toHaveLength(2);
 });
 it('should deduplicate alert when expanded field dropped', async () => {
@@ -679,7 +679,7 @@ export default ({ getService }: FtrProviderContext) => {
 size: 10,
 });
- expect(previewAlerts.length).toBe(1);
+ expect(previewAlerts).toHaveLength(1);
 });
 describe('pagination', () => {
@@ -725,7 +725,7 @@ export default ({ getService }: FtrProviderContext) => {
 200
 );
- expect(alertsResponseFromFirstRuleExecution.hits.hits.length).toBe(100);
+ expect(alertsResponseFromFirstRuleExecution.hits.hits).toHaveLength(100);
 // re-trigger rule execution
 runSoonRule(supertest, createdRule.id);
@@ -740,7 +740,7 @@ export default ({ getService }: FtrProviderContext) => {
 new Date()
 );
- expect(alertsResponse.hits.hits.length).toBe(120);
+ expect(alertsResponse.hits.hits).toHaveLength(120);
 });
 it('should create alerts from all events(2 x max_signals)', async () => {
@@ -776,7 +776,7 @@ export default ({ getService }: FtrProviderContext) => {
 RuleExecutionStatusEnum['partial failure'],
 200
 );
- expect(alertsResponseFromFirstRuleExecution.hits.hits.length).toBe(100);
+ expect(alertsResponseFromFirstRuleExecution.hits.hits).toHaveLength(100);
 // re-trigger rule execution
 await patchRule(supertest, log, {
@@ -799,7 +799,7 @@ export default ({ getService }: FtrProviderContext) => {
 new Date()
 );
- expect(alertsResponse.hits.hits.length).toBe(200);
+ expect(alertsResponse.hits.hits).toHaveLength(200);
 });
 it('should create alerts from all events(2 x max_signals) when used timestamp override', async () => {
@@ -838,7 +838,7 @@ export default ({ getService }: FtrProviderContext) => {
 RuleExecutionStatusEnum['partial failure'],
 200
 );
- expect(alertsResponseFromFirstRuleExecution.hits.hits.length).toBe(100);
+ expect(alertsResponseFromFirstRuleExecution.hits.hits).toHaveLength(100);
 // re-trigger rule execution
 await patchRule(supertest, log, {
@@ -861,7 +861,7 @@ export default ({ getService }: FtrProviderContext) => {
 new Date()
 );
- expect(alertsResponse.hits.hits.length).toBe(200);
+ expect(alertsResponse.hits.hits).toHaveLength(200);
 });
 it('should create alerts from all events(2 x max_signals) when used timestamp override without fallback', async () => {
@@ -900,7 +900,7 @@ export default ({ getService }: FtrProviderContext) => {
 RuleExecutionStatusEnum['partial failure'],
 200
 );
- expect(alertsResponseFromFirstRuleExecution.hits.hits.length).toBe(100);
+ expect(alertsResponseFromFirstRuleExecution.hits.hits).toHaveLength(100);
 // re-trigger rule execution
 await patchRule(supertest, log, {
@@ -923,7 +923,7 @@ export default ({ getService }: FtrProviderContext) => {
 new Date()
 );
- expect(alertsResponse.hits.hits.length).toBe(200);
+ expect(alertsResponse.hits.hits).toHaveLength(200);
 });
 it('should not create more than max_signals alerts from single document when paginate through results', async () => {
@@ -969,7 +969,7 @@ export default ({ getService }: FtrProviderContext) => {
 200
 );
- expect(alertsResponseFromFirstRuleExecution.hits.hits.length).toBe(100);
+ expect(alertsResponseFromFirstRuleExecution.hits.hits).toHaveLength(100);
 // re-trigger rule execution
 runSoonRule(supertest, createdRule.id);
@@ -985,7 +985,7 @@ export default ({ getService }: FtrProviderContext) => {
 new Date()
 );
- expect(alertsResponse.hits.hits.length).toBe(200);
+ expect(alertsResponse.hits.hits).toHaveLength(200);
 const agentTypeCounts = alertsResponse.hits.hits.reduce>(
 (acc, curr) => {
@@ -1048,7 +1048,7 @@ export default ({ getService }: FtrProviderContext) => {
 200
 );
- expect(alertsResponseFromFirstRuleExecution.hits.hits.length).toBe(100);
+ expect(alertsResponseFromFirstRuleExecution.hits.hits).toHaveLength(100);
 // re-trigger rule execution
 runSoonRule(supertest, createdRule.id);
@@ -1063,7 +1063,7 @@ export default ({ getService }: FtrProviderContext) => {
 new Date()
 );
- expect(alertsResponse.hits.hits.length).toBe(120);
+ expect(alertsResponse.hits.hits).toHaveLength(120);
 });
 it('should create alerts from multiple expanded values', async () => {
@@ -1110,7 +1110,7 @@ export default ({ getService }: FtrProviderContext) => {
 200
 );
- expect(alertsResponseFromFirstRuleExecution.hits.hits.length).toBe(100);
+ expect(alertsResponseFromFirstRuleExecution.hits.hits).toHaveLength(100);
 // re-trigger rule execution
 runSoonRule(supertest, createdRule.id);
@@ -1125,7 +1125,7 @@ export default ({ getService }: FtrProviderContext) => {
 new Date()
 );
 // 60 from doc1 and 75 from doc2
- expect(alertsResponse.hits.hits.length).toBe(135);
+ expect(alertsResponse.hits.hits).toHaveLength(135);
 });
 });
 });
@@ -1167,7 +1167,7 @@ export default ({ getService }: FtrProviderContext) => {
 sort: ['agent.name'],
 });
- expect(previewAlertsOrderedByAgentName.length).toBe(3);
+ expect(previewAlertsOrderedByAgentName).toHaveLength(3);
 expect(previewAlertsOrderedByAgentName[0]._source).toEqual(
 expect.objectContaining({
 'agent.name': 'test-1',
@@ -1221,7 +1221,7 @@ export default ({ getService }: FtrProviderContext) => {
 size: 10,
 });
- expect(previewAlerts.length).toBe(2);
+ expect(previewAlerts).toHaveLength(2);
 expect(previewAlerts[0]._source).toHaveProperty(['_counted'], 1);
 expect(previewAlerts[1]._source).toHaveProperty(['_counted'], 1);
 });
@@ -1250,7 +1250,7 @@ export default ({ getService }: FtrProviderContext) => {
 size: 10,
 });
- expect(previewAlerts.length).toBe(1);
+ expect(previewAlerts).toHaveLength(1);
 // no data has been injected during rule execution interval
 expect(previewAlerts[0]._source).toHaveProperty(['_counted'], 0);
 });
@@ -1305,7 +1305,7 @@ export default ({ getService }: FtrProviderContext) => {
 sort: ['event.ingested'],
 });
- expect(previewAlerts.length).toBe(2);
+ expect(previewAlerts).toHaveLength(2);
 expect(previewAlerts[0]._source).toHaveProperty(['event.ingested'], expectedEventIngested);
 expect(previewAlerts[1]._source).not.toHaveProperty(['event.ingested']);
 });
@@ -1336,7 +1336,7 @@ export default ({ getService }: FtrProviderContext) => {
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).toBe(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toHaveProperty(['event.ingested'], expectedEventIngested);
 });
 });
@@ -1381,7 +1381,7 @@ export default ({ getService }: FtrProviderContext) => {
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).toBe(2);
+ expect(previewAlerts).toHaveLength(2);
 });
 });
@@ -1420,7 +1420,7 @@ export default ({ getService }: FtrProviderContext) => {
 size: 200,
 });
- expect(previewAlerts.length).toBe(100);
+ expect(previewAlerts).toHaveLength(100);
 });
 it("doesn't generate max alerts warning when circuit breaker is met but not exceeded", async () => {
@@ -1456,7 +1456,7 @@ export default ({ getService }: FtrProviderContext) => {
 size: 200,
 });
- expect(previewAlerts.length).toBe(100);
+ expect(previewAlerts).toHaveLength(100);
 });
 it('should work for max alerts > 100', async () => {
@@ -1492,7 +1492,7 @@ export default ({ getService }: FtrProviderContext) => {
 size: 200,
 });
- expect(previewAlerts.length).toBe(150);
+ expect(previewAlerts).toHaveLength(150);
 });
 // we use actual rule executions, not preview, because for preview API alerts index refresh=false for non suppressed alerts
@@ -1575,7 +1575,7 @@ export default ({ getService }: FtrProviderContext) => {
 );
 // should return 100 alerts
- expect(alertsResponseFromFirstRuleExecution.hits.hits.length).toBe(100);
+ expect(alertsResponseFromFirstRuleExecution.hits.hits).toHaveLength(100);
 // re-trigger rule execution with new interval
 await patchRule(supertest, log, {
@@ -1600,7 +1600,7 @@ export default ({ getService }: FtrProviderContext) => {
 );
 // should return 160 alerts
- expect(alertsResponse.hits.hits.length).toBe(160);
+ expect(alertsResponse.hits.hits).toHaveLength(160);
 });
 });
@@ -1635,7 +1635,7 @@ export default ({ getService }: FtrProviderContext) => {
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).toBe(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toHaveProperty('host.risk.calculated_level', 'Low');
 expect(previewAlerts[0]._source).toHaveProperty('host.risk.calculated_score_norm', 1);
@@ -1673,7 +1673,7 @@ export default ({ getService }: FtrProviderContext) => {
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).toBe(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]?._source?.['host.asset.criticality']).toBe('extreme_impact');
 });
@@ -1713,7 +1713,7 @@ export default ({ getService }: FtrProviderContext) => {
 size: 10,
 });
- expect(previewAlerts.length).toBe(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toHaveProperty(['observer.os.full'], 'full test os');
 // *.text is multifield define in mappings for observer.os.full
 expect(previewAlerts[0]._source).not.toHaveProperty(['observer.os.full.text']);
@@ -1756,7 +1756,7 @@ export default ({ getService }: FtrProviderContext) => {
 size: 10,
 });
- expect(previewAlerts.length).toBe(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toHaveProperty(
 ['process.entry_leader.name'],
 'test_process_name'
@@ -1819,7 +1819,7 @@ export default ({ getService }: FtrProviderContext) => {
 size: 10,
 });
- expect(previewAlerts.length).toBe(1);
+ expect(previewAlerts).toHaveLength(1);
 // all multifields have been indexed, which is expected, seen we don't know original mappings
 expect(previewAlerts[0]._source).toHaveProperty(
 ['random.entry_leader.name'],
@@ -1866,7 +1866,7 @@ export default ({ getService }: FtrProviderContext) => {
 timeframeEnd: new Date('2020-10-28T06:30:00.000Z'),
 });
- expect(logs[0].errors.length).toEqual(0);
+ expect(logs[0].errors).toHaveLength(0);
 });
 });
 });
@@ -1935,7 +1935,7 @@ export default ({ getService }: FtrProviderContext) => {
 await waitForBackfillExecuted(secondBackfill, [createdRule.id], { supertest, log });
 const allNewAlertsAfter2ManualRuns = await getAlerts(supertest, log, es, createdRule);
- expect(allNewAlertsAfter2ManualRuns.hits.hits.length).toEqual(2);
+ expect(allNewAlertsAfter2ManualRuns.hits.hits).toHaveLength(2);
 });
 it('does not alert if the manual run overlaps with a previous scheduled rule execution', async () => {
@@ -2230,8 +2230,7 @@ export default ({ getService }: FtrProviderContext) => {
 });
 });
- // Failing: See https://github.com/elastic/kibana/issues/224699
- describe.skip('shard failures', () => {
+ describe('shard failures', () => {
 const config = getService('config');
 const isServerless = config.get('serverless');
 const dataPathBuilder = new EsArchivePathBuilder(isServerless);
@@ -2280,7 +2279,7 @@ export default ({ getService }: FtrProviderContext) => {
 ])
 );
- expect(previewAlerts?.length).toBeGreaterThan(0);
+ expect(previewAlerts).not.toHaveLength(0);
 });
 it('should handle shard failures and include errors in logs for query that is aggregating', async () => {
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql_suppression.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql_suppression.ts
index 624925c87f7f1..7b18aa6dfcf6d 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql_suppression.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql_suppression.ts
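Review bot: In the `@@ -2280` hunk the rewritten assertion `expect(previewAlerts).not.toHaveLength(0)` states the intent negatively, whereas the test is checking that at least one alert was produced despite the shard failure. Keeping the positive form, `expect(previewAlerts.length).toBeGreaterThan(0);`, reads as the requirement it encodes and still fails on an undefined `previewAlerts`. The enclosing `it` starts outside the hunk.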
@@ -116,7 +116,7 @@ export default ({ getService }: FtrProviderContext) => {
 const createdRule = await createRule(supertest, log, rule);
 const alerts = await getOpenAlerts(supertest, log, es, createdRule);
- expect(alerts.hits.hits.length).toBe(1);
+ expect(alerts.hits.hits).toHaveLength(1);
 expect(alerts.hits.hits[0]._source).toEqual(
 expect.objectContaining({
 [ALERT_SUPPRESSION_TERMS]: [
@@ -157,7 +157,7 @@ export default ({ getService }: FtrProviderContext) => {
 undefined,
 afterTimestamp
 );
- expect(secondAlerts.hits.hits.length).toEqual(1);
+ expect(secondAlerts.hits.hits).toHaveLength(1);
 expect(secondAlerts.hits.hits[0]._source).toEqual(
 expect.objectContaining({
 [ALERT_SUPPRESSION_TERMS]: [
@@ -239,7 +239,7 @@ export default ({ getService }: FtrProviderContext) => {
 undefined,
 afterTimestamp
 );
- expect(secondAlerts.hits.hits.length).toEqual(1);
+ expect(secondAlerts.hits.hits).toHaveLength(1);
 expect(alerts.hits.hits[0]._source).toEqual(
 expect.objectContaining({
 [ALERT_SUPPRESSION_TERMS]: [
@@ -324,7 +324,7 @@ export default ({ getService }: FtrProviderContext) => {
 afterTimestamp
 );
- expect(secondAlerts.hits.hits.length).toEqual(2);
+ expect(secondAlerts.hits.hits).toHaveLength(2);
 const sortedAlerts = sortBy(secondAlerts.hits.hits, ALERT_ORIGINAL_TIME);
@@ -391,7 +391,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId,
 sort: [ALERT_ORIGINAL_TIME],
 });
- expect(previewAlerts.length).toBe(2);
+ expect(previewAlerts).toHaveLength(2);
 expect(previewAlerts[0]._source).toEqual(
 expect.objectContaining({
 [ALERT_SUPPRESSION_TERMS]: [
@@ -488,7 +488,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId,
 sort: [ALERT_ORIGINAL_TIME],
 });
- expect(previewAlerts.length).toEqual(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toEqual({
 ...previewAlerts[0]._source,
 [ALERT_SUPPRESSION_TERMS]: [
@@ -575,7 +575,7 @@ export default ({ getService }: FtrProviderContext) => {
 // 3 alerts should be generated:
 // 1. for pair 'host-a', 1 - suppressed
 // 2. for pair 'host-a', 2 - not suppressed
- expect(previewAlerts.length).toEqual(2);
+ expect(previewAlerts).toHaveLength(2);
 expect(previewAlerts[0]._source).toEqual({
 ...previewAlerts[0]._source,
 [ALERT_SUPPRESSION_TERMS]: [
@@ -666,7 +666,7 @@ export default ({ getService }: FtrProviderContext) => {
 sort: ['host.name', ALERT_ORIGINAL_TIME],
 });
- expect(previewAlerts.length).toEqual(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toEqual({
 ...previewAlerts[0]._source,
 [ALERT_SUPPRESSION_TERMS]: [
@@ -746,7 +746,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId,
 sort: ['host.name', ALERT_ORIGINAL_TIME],
 });
- expect(previewAlerts.length).toEqual(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toEqual({
 ...previewAlerts[0]._source,
 [ALERT_SUPPRESSION_TERMS]: [
@@ -830,7 +830,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId,
 sort: ['host.name', ALERT_ORIGINAL_TIME],
 });
- expect(previewAlerts.length).toEqual(2);
+ expect(previewAlerts).toHaveLength(2);
 expect(previewAlerts[0]._source).toEqual({
 ...previewAlerts[0]._source,
 [ALERT_SUPPRESSION_TERMS]: [
@@ -928,7 +928,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId,
 sort: ['host.name', ALERT_ORIGINAL_TIME],
 });
- expect(previewAlerts.length).toEqual(4);
+ expect(previewAlerts).toHaveLength(4);
 expect(previewAlerts[0]._source).toEqual({
 ...previewAlerts[0]._source,
 [ALERT_SUPPRESSION_TERMS]: [
@@ -1019,7 +1019,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId,
 sort: ['host.name', ALERT_ORIGINAL_TIME],
 });
- expect(previewAlerts.length).toEqual(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toEqual({
 ...previewAlerts[0]._source,
 [ALERT_SUPPRESSION_TERMS]: [
@@ -1102,7 +1102,7 @@ export default ({ getService }: FtrProviderContext) => {
 });
 // lodash sortBy is used here because custom_field is non ECS and not mapped in alerts index, so can't be sorted by
 const sortedAlerts = sortBy(previewAlerts, '_source.custom_field');
- expect(previewAlerts.length).toEqual(2);
+ expect(previewAlerts).toHaveLength(2);
 expect(sortedAlerts[0]._source).toEqual({
 ...sortedAlerts[0]._source,
@@ -1200,7 +1200,7 @@ export default ({ getService }: FtrProviderContext) => {
 });
 // lodash sortBy is used here because custom_field is non ECS and not mapped in alerts index, so can't be sorted by
 const sortedAlerts = sortBy(previewAlerts, '_source.custom_field');
- expect(previewAlerts.length).toEqual(2);
+ expect(previewAlerts).toHaveLength(2);
 expect(sortedAlerts[0]._source).toEqual({
 ...sortedAlerts[0]._source,
@@ -1279,7 +1279,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId,
 sort: ['host.name', ALERT_ORIGINAL_TIME],
 });
- expect(previewAlerts.length).toEqual(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toEqual({
 ...previewAlerts[0]._source,
@@ -1353,7 +1353,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId,
 sort: ['host.name', ALERT_ORIGINAL_TIME],
 });
- expect(previewAlerts.length).toEqual(3);
+ expect(previewAlerts).toHaveLength(3);
 expect(previewAlerts[0]._source).toEqual({
 ...previewAlerts[0]._source,
@@ -1436,7 +1436,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId,
 sort: [ALERT_ORIGINAL_TIME],
 });
- expect(previewAlerts.length).toEqual(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toEqual({
 ...previewAlerts[0]._source,
 [ALERT_SUPPRESSION_TERMS]: [
@@ -1495,7 +1495,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId,
 sort: [ALERT_ORIGINAL_TIME],
 });
- expect(previewAlerts.length).toEqual(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toEqual({
 ...previewAlerts[0]._source,
 [ALERT_SUPPRESSION_TERMS]: [
@@ -1594,7 +1594,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId,
 sort: ['agent.name', 'agent.version', ALERT_ORIGINAL_TIME],
 });
- expect(previewAlerts.length).toEqual(4);
+ expect(previewAlerts).toHaveLength(4);
 expect(previewAlerts[0]._source).toEqual({
 ...previewAlerts[0]._source,
 [ALERT_SUPPRESSION_TERMS]: [
@@ -1738,7 +1738,7 @@ export default ({ getService }: FtrProviderContext) => {
 sort: ['agent.name', 'agent.version', ALERT_ORIGINAL_TIME],
 });
 // from 8 injected, only one should be suppressed
- expect(previewAlerts.length).toEqual(7);
+ expect(previewAlerts).toHaveLength(7);
 expect(previewAlerts[0]._source).toEqual({
 ...previewAlerts[0]._source,
 [ALERT_SUPPRESSION_TERMS]: [
@@ -1825,7 +1825,7 @@ export default ({ getService }: FtrProviderContext) => {
 previewId,
 sort: ['host.name', ALERT_ORIGINAL_TIME],
 });
- expect(previewAlerts.length).toEqual(2);
+ expect(previewAlerts).toHaveLength(2);
 expect(previewAlerts[0]._source).toEqual({
 ...previewAlerts[0]._source,
 [ALERT_SUPPRESSION_TERMS]: [
@@ -1900,7 +1900,7 @@ export default ({ getService }: FtrProviderContext) => {
 sort: ['agent.name', ALERT_ORIGINAL_TIME],
 size: 1000,
 });
- expect(previewAlerts.length).toEqual(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toEqual({
 ...previewAlerts[0]._source,
 [ALERT_SUPPRESSION_TERMS]: [
@@ -1961,7 +1961,7 @@ export default ({ getService }: FtrProviderContext) => {
 size: 1000,
 sort: ['agent.name', ALERT_ORIGINAL_TIME],
 });
- expect(previewAlerts.length).toEqual(150);
+ expect(previewAlerts).toHaveLength(150);
 });
 });
@@ -2009,7 +2009,7 @@ export default ({ getService }: FtrProviderContext) => {
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).toBe(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toEqual({
 ...previewAlerts[0]._source,
 [ALERT_SUPPRESSION_TERMS]: [
@@ -2058,7 +2058,7 @@ export default ({ getService }: FtrProviderContext) => {
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).toBe(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toHaveProperty('host.risk.calculated_level', 'Low');
 expect(previewAlerts[0]._source).toHaveProperty('host.risk.calculated_score_norm', 1);
@@ -2100,7 +2100,7 @@ export default ({ getService }: FtrProviderContext) => {
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).toBe(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]?._source?.['host.asset.criticality']).toBe('extreme_impact');
 });
@@ -2139,7 +2139,7 @@ export default ({ getService }: FtrProviderContext) => {
 });
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).toBe(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toHaveProperty([ALERT_SUPPRESSION_DOCS_COUNT], 2);
 });
@@ -2178,7 +2178,7 @@ export default ({ getService }: FtrProviderContext) => {
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).toBe(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toHaveProperty([ALERT_SUPPRESSION_DOCS_COUNT], 2);
 });
@@ -2217,7 +2217,7 @@ export default ({ getService }: FtrProviderContext) => {
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).toBe(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toHaveProperty([ALERT_SUPPRESSION_DOCS_COUNT], 1);
 });
@@ -2266,7 +2266,7 @@ export default ({ getService }: FtrProviderContext) => {
 size: 10,
 });
- expect(previewAlerts.length).toBe(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toHaveProperty([ALERT_SUPPRESSION_DOCS_COUNT], 3);
 });
@@ -2317,7 +2317,7 @@ export default ({ getService }: FtrProviderContext) => {
 size: 10,
 });
- expect(previewAlerts.length).toBe(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toHaveProperty([ALERT_SUPPRESSION_DOCS_COUNT], 3);
 });
 });
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/general_logic/basic_license_essentials_tier/timestamps.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/general_logic/basic_license_essentials_tier/timestamps.ts
index cb2ba34a67c45..dc9cb3bb83a94 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/general_logic/basic_license_essentials_tier/timestamps.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/general_logic/basic_license_essentials_tier/timestamps.ts
@@ -5,7 +5,7 @@
 * 2.0.
 */
-import expect from '@kbn/expect';
+import expect from 'expect';
 import { orderBy } from 'lodash';
 import { RuleExecutionStatusEnum } from '@kbn/security-solution-plugin/common/api/detection_engine/rule_monitoring';
 import {
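Review bot: The `@@ -5` hunk swaps `import expect from '@kbn/expect'` for the jest-style `import expect from 'expect'`, which changes the assertion API for the whole of timestamps.ts, yet only the call sites in the hunks that follow are converted. Any remaining `.to.eql(...)`, `.equal(...)` or `.eql(...)` chain elsewhere in the file would no longer exist on the new matcher object and would surface as a type error or, if the suite is run without type checking, as a `TypeError` at runtime; a grep of the file for `\.to\.` and `\.eql(` before merging would confirm the migration is complete. It may also be worth noting the switch in the PR description since `@kbn/expect` and jest `expect` differ in how `undefined` members are compared by `eql` versus `toEqual`.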
@@ -75,7 +75,7 @@ export default ({ getService }: FtrProviderContext) => {
 await waitForAlertsToBePresent(supertest, log, 1, [id]);
 const alertsOpen = await getAlertsByIds(supertest, log, [id]);
 const hits = alertsOpen.hits.hits.map((hit) => hit._source?.[ALERT_ORIGINAL_TIME]).sort();
- expect(hits).to.eql(['2021-06-02T23:33:15.000Z']);
+ expect(hits).toEqual(['2021-06-02T23:33:15.000Z']);
 });
 it('should still use the @timestamp field even with an override field. It should never use the override field', async () => {
@@ -88,7 +88,7 @@ export default ({ getService }: FtrProviderContext) => {
 await waitForAlertsToBePresent(supertest, log, 1, [id]);
 const alertsOpen = await getAlertsByIds(supertest, log, [id]);
 const hits = alertsOpen.hits.hits.map((hit) => hit._source?.[ALERT_ORIGINAL_TIME]).sort();
- expect(hits).to.eql(['2020-12-16T15:16:18.000Z']);
+ expect(hits).toEqual(['2020-12-16T15:16:18.000Z']);
 });
 });
@@ -100,7 +100,7 @@ export default ({ getService }: FtrProviderContext) => {
 await waitForAlertsToBePresent(supertest, log, 1, [id]);
 const alertsOpen = await getAlertsByIds(supertest, log, [id]);
 const hits = alertsOpen.hits.hits.map((hit) => hit._source?.[ALERT_ORIGINAL_TIME]).sort();
- expect(hits).to.eql(['2021-06-02T23:33:15.000Z']);
+ expect(hits).toEqual(['2021-06-02T23:33:15.000Z']);
 });
 it('should still use the @timestamp field even with an override field. It should never use the override field', async () => {
@@ -113,7 +113,7 @@ export default ({ getService }: FtrProviderContext) => {
 await waitForAlertsToBePresent(supertest, log, 1, [id]);
 const alertsOpen = await getAlertsByIds(supertest, log, [id]);
 const hits = alertsOpen.hits.hits.map((hit) => hit._source?.[ALERT_ORIGINAL_TIME]).sort();
- expect(hits).to.eql(['2020-12-16T15:16:18.000Z']);
+ expect(hits).toEqual(['2020-12-16T15:16:18.000Z']);
 });
 });
 });
@@ -178,7 +178,7 @@ export default ({ getService }: FtrProviderContext) => {
 const alerts = alertsResponse.hits.hits.map((hit) => hit._source);
 const alertsOrderedByEventId = orderBy(alerts, 'alert.parent.id', 'asc');
- expect(alertsOrderedByEventId.length).equal(3);
+ expect(alertsOrderedByEventId).toHaveLength(3);
 });
 it('should generate 2 alerts with event.ingested when timestamp fallback is disabled', async () => {
@@ -201,7 +201,7 @@ export default ({ getService }: FtrProviderContext) => {
 const alerts = alertsResponse.hits.hits.map((hit) => hit._source);
 const alertsOrderedByEventId = orderBy(alerts, 'alert.parent.id', 'asc');
- expect(alertsOrderedByEventId.length).equal(2);
+ expect(alertsOrderedByEventId).toHaveLength(2);
 });
 it('should generate 2 alerts with @timestamp', async () => {
@@ -219,7 +219,7 @@ export default ({ getService }: FtrProviderContext) => {
 const alerts = alertsResponse.hits.hits.map((hit) => hit._source);
 const alertsOrderedByEventId = orderBy(alerts, 'alert.parent.id', 'asc');
- expect(alertsOrderedByEventId.length).equal(2);
+ expect(alertsOrderedByEventId).toHaveLength(2);
 });
 it('should generate 2 alerts when timestamp override does not exist', async () => {
@@ -239,7 +239,7 @@ export default ({ getService }: FtrProviderContext) => {
 const alerts = alertsResponse.hits.hits.map((hit) => hit._source);
 const alertsOrderedByEventId = orderBy(alerts, 'alert.parent.id', 'asc');
- expect(alertsOrderedByEventId.length).equal(2);
+ expect(alertsOrderedByEventId).toHaveLength(2);
 });
 it('should not generate any alerts when timestamp override does not exist and timestamp fallback is disabled', async () => {
@@ -258,7 +258,7 @@ export default ({ getService }: FtrProviderContext) => {
 createdRule,
 RuleExecutionStatusEnum['partial failure']
 );
- expect(alertsOpen.hits.hits.length).eql(0);
+ expect(alertsOpen.hits.hits).toHaveLength(0);
 });
 /**
@@ -280,7 +280,7 @@ export default ({ getService }: FtrProviderContext) => {
 const hits = alertsResponse.hits.hits
 .map((hit) => hit._source?.[ALERT_ORIGINAL_TIME])
 .sort();
- expect(hits).to.eql([undefined]);
+ expect(hits).toEqual([undefined]);
 });
 });
@@ -300,7 +300,7 @@ export default ({ getService }: FtrProviderContext) => {
 const alerts = alertsResponse.hits.hits.map((hit) => hit._source);
 const alertsOrderedByEventId = orderBy(alerts, 'alert.parent.id', 'asc');
- expect(alertsOrderedByEventId.length).equal(2);
+ expect(alertsOrderedByEventId).toHaveLength(2);
 });
 it('should generate 2 alerts when timestamp override does not exist', async () => {
@@ -320,7 +320,7 @@ export default ({ getService }: FtrProviderContext) => {
 const alerts = alertsResponse.hits.hits.map((hit) => hit._source);
 const alertsOrderedByEventId = orderBy(alerts, 'alert.parent.id', 'asc');
- expect(alertsOrderedByEventId.length).equal(2);
+ expect(alertsOrderedByEventId).toHaveLength(2);
 });
 it('should not generate any alerts when timestamp override does not exist and timestamp fallback is disabled', async () => {
@@ -337,7 +337,7 @@ export default ({ getService }: FtrProviderContext) => {
 createdRule,
 RuleExecutionStatusEnum['partial failure']
 );
- expect(alertsOpen.hits.hits.length).eql(0);
+ expect(alertsOpen.hits.hits).toHaveLength(0);
 });
 });
 });
@@ -389,7 +389,7 @@ export default ({ getService }: FtrProviderContext) => {
 const alertsResponse = await getAlertsByIds(supertest, log, [id], 200);
 const alerts = alertsResponse.hits.hits.map((hit) => hit._source);
- expect(alerts.length).equal(200);
+ expect(alerts).toHaveLength(200);
 });
 });
 });
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning.ts
index 80d5ff9138628..b6b5bfc808530 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning.ts
@@ -109,7 +109,7 @@ export default ({ getService }: FtrProviderContext) => {
 it('should create 1 alert from ML rule when record meets anomaly_threshold', async () => {
 const createdRule = await createRule(supertest, log, rule);
 const alerts = await getAlerts(supertest, log, es, createdRule);
- expect(alerts.hits.hits.length).toBe(1);
+ expect(alerts.hits.hits).toHaveLength(1);
 const alert = alerts.hits.hits[0];
 expect(alert._source).toEqual(
@@ -240,7 +240,7 @@ export default ({ getService }: FtrProviderContext) => {
 rule: { ...rule, anomaly_threshold: 20 },
 });
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).toBe(7);
+ expect(previewAlerts).toHaveLength(7);
 });
 describe('with non-value list exception', () => {
@@ -264,7 +264,7 @@ export default ({ getService }: FtrProviderContext) => {
 ],
 });
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).toBe(0);
+ expect(previewAlerts).toHaveLength(0);
 });
 });
@@ -300,7 +300,7 @@ export default ({ getService }: FtrProviderContext) => {
 ],
 });
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).toBe(0);
+ expect(previewAlerts).toHaveLength(0);
 });
 });
@@ -316,7 +316,7 @@ export default ({ getService }: FtrProviderContext) => {
 it('@skipInServerlessMKI should be enriched with host risk score', async () => {
 const { previewId } = await previewRule({ supertest, rule });
 const previewAlerts = await getPreviewAlerts({ es, previewId });
- expect(previewAlerts.length).toBe(1);
+ expect(previewAlerts).toHaveLength(1);
 const fullAlert = previewAlerts[0]._source;
 expect(fullAlert?.host?.risk?.calculated_level).toBe('Low');
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning_alert_suppression.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning_alert_suppression.ts
index 8ebcafcdc46b5..85ad20ed85d27 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning_alert_suppression.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning_alert_suppression.ts
@@ -390,7 +390,7 @@ export default ({ getService }: FtrProviderContext) => {
 sort: [ALERT_ORIGINAL_TIME],
 });
- expect(previewAlerts.length).toEqual(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toEqual(
 expect.objectContaining({
 [ALERT_SUPPRESSION_TERMS]: [
@@ -430,7 +430,7 @@ export default ({ getService }: FtrProviderContext) => {
 sort: [ALERT_ORIGINAL_TIME],
 });
- expect(previewAlerts.length).toEqual(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toEqual(
 expect.objectContaining({
 [ALERT_SUPPRESSION_TERMS]: [
@@ -479,7 +479,7 @@ export default ({ getService }: FtrProviderContext) => {
 sort: [ALERT_ORIGINAL_TIME],
 });
- expect(previewAlerts.length).toEqual(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toEqual(
 expect.objectContaining({
 [ALERT_SUPPRESSION_TERMS]: [
@@ -534,7 +534,7 @@ export default ({ getService }: FtrProviderContext) => {
 sort: [ALERT_SUPPRESSION_DOCS_COUNT],
 });
- expect(previewAlerts.length).toEqual(2);
+ expect(previewAlerts).toHaveLength(2);
 expect(previewAlerts[0]._source).toEqual(
 expect.objectContaining({
 [ALERT_SUPPRESSION_TERMS]: [
@@ -609,7 +609,7 @@ export default ({ getService }: FtrProviderContext) => {
 sort: [ALERT_ORIGINAL_TIME],
 });
- expect(previewAlerts.length).toEqual(3);
+ expect(previewAlerts).toHaveLength(3);
 expect(previewAlerts[0]._source).toEqual(
 expect.objectContaining({
 'user.name': ['irrelevant'],
@@ -824,7 +824,7 @@ export default ({ getService }: FtrProviderContext) => {
 sort: [ALERT_ORIGINAL_TIME],
 });
- expect(previewAlerts.length).toEqual(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toEqual(
 expect.objectContaining({
 [ALERT_SUPPRESSION_TERMS]: [
@@ -874,7 +874,7 @@ export default ({ getService }: FtrProviderContext) => {
 sort: [ALERT_ORIGINAL_TIME],
 });
- expect(previewAlerts.length).toEqual(2);
+ expect(previewAlerts).toHaveLength(2);
 expect(previewAlerts[0]._source).toEqual(
 expect.objectContaining({
 [ALERT_SUPPRESSION_TERMS]: [
@@ -1077,7 +1077,7 @@ export default ({ getService }: FtrProviderContext) => {
 sort: [ALERT_ORIGINAL_TIME],
 });
- expect(previewAlerts.length).toEqual(1);
+ expect(previewAlerts).toHaveLength(1);
 expect(previewAlerts[0]._source).toEqual(
 expect.objectContaining({
 [ALERT_SUPPRESSION_TERMS]: [
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning_manual_run.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning_manual_run.ts
index ba3282b9ad734..b55c95adb9d8e 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning_manual_run.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/machine_learning/trial_license_complete_tier/machine_learning_manual_run.ts
@@ -132,7 +132,7 @@ export default ({ getService }: FtrProviderContext) => {
 await waitForBackfillExecuted(secondBackfill, [createdRule.id], { supertest, log });
 const allNewAlertsAfter2ManualRuns = await getAlerts(supertest, log, es, createdRule);
- expect(allNewAlertsAfter2ManualRuns.hits.hits.length).toEqual(2);
+ expect(allNewAlertsAfter2ManualRuns.hits.hits).toHaveLength(2);
 });
 it('does not alert if the manual run overlaps with a previous scheduled rule execution', async () => {