-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Detection Engine][MKI] Audit alerts FTRs in prep for MKI #179211
Conversation
Pinging @elastic/security-detection-engine (Team:Detection Engine) |
@@ -142,41 +136,13 @@ export default ({ getService }: FtrProviderContext) => { | |||
await waitForAlertsToBePresent(supertest, log, 10, [id]); | |||
const alertsOpen = await getAlertsByIds(supertest, log, [id]); | |||
expect(alertsOpen.hits.hits.length).equal(10); | |||
}); | |||
|
|||
it('should be have set the alerts in an open state initially', async () => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Duplicate. This was not testing anything that the test above it was doing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great catch!
const everyAlertOpen = alertsOpen.hits.hits.every( | ||
(hit) => hit._source?.[ALERT_WORKFLOW_STATUS] === 'open' | ||
); | ||
expect(everyAlertOpen).to.eql(true); | ||
}); | ||
|
||
it('should be able to close alerts while logged in and populate workflow_user', async () => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Moved to ESS specific folder due to the user we are using to test. Will need to match the test for serverless (see issues created and linked in description).
@@ -262,75 +214,6 @@ export default ({ getService }: FtrProviderContext) => { | |||
); | |||
expect(everyAlertWorkflowStatusUpdatedAtExists).to.eql(true); | |||
}); | |||
// This fails and should be investigated or removed if it no longer applies | |||
it.skip('should be able to close alerts with t1 analyst user', async () => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Was skipped because it was failing. Moved to ESS specific file and updated roles used for testing. Now unskipped. Need matching tests for prebuilt serverless roles (see issues I created to track in description).
import { FtrProviderContext } from '../../../../../../ftr_provider_context'; | ||
|
||
export default function ({ loadTestFile }: FtrProviderContext) { | ||
describe('Alert status APIs', function () { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed language for test names from open_close_alert
to change_status
as we have more statuses than just open/close and added a test for the acknowledged status.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a nice improvement, open_close_alert
has never made much sense to me 👍
@@ -74,7 +74,7 @@ export default ({ getService }: FtrProviderContext) => { | |||
const esArchiver = getService('esArchiver'); | |||
const security = getService('security'); | |||
|
|||
describe('find alert with/without doc level security', () => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This test has likely not been picked up as it did not have a tag. I think this test should apply to serverless as well.
@paulewing can you confirm my thinking that this is just a Platinum feature? If so we should test that it is blocked in lower tier.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The new file naming/locations make much more sense; this is a great improvement.
I had one nit about keeping a no-op test skipped, and there were a few outdated comments that should be deleted. I'm gonna approve anyway.
Thanks!
@@ -142,41 +136,13 @@ export default ({ getService }: FtrProviderContext) => { | |||
await waitForAlertsToBePresent(supertest, log, 10, [id]); | |||
const alertsOpen = await getAlertsByIds(supertest, log, [id]); | |||
expect(alertsOpen.hits.hits.length).equal(10); | |||
}); | |||
|
|||
it('should be have set the alerts in an open state initially', async () => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great catch!
import { FtrProviderContext } from '../../../../../../ftr_provider_context'; | ||
|
||
export default function ({ loadTestFile }: FtrProviderContext) { | ||
describe('Alert status APIs', function () { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a nice improvement, open_close_alert
has never made much sense to me 👍
|
||
export default ({ getService }: FtrProviderContext) => { | ||
const esArchiver = getService('esArchiver'); | ||
const log = getService('log'); | ||
const supertest = getService('supertest'); | ||
const es = getService('es'); | ||
|
||
describe('@ess Alerts Compatibility', function () { | ||
describe('@ess alerts compatability with legacy siem signals index', function () { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit:
describe('@ess alerts compatability with legacy siem signals index', function () { | |
describe('@ess alerts compatibility with legacy siem signals index', function () { |
@@ -38,7 +38,7 @@ export default ({ getService }: FtrProviderContext) => { | |||
await esArchiver.unload('x-pack/test/functional/es_archives/signals/index_alias_clash'); | |||
}); | |||
|
|||
// This fails and should be investigated or removed if it no longer applies | |||
// Skipped: see https://github.com/elastic/kibana/issues/179208 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
@@ -83,6 +84,10 @@ export default ({ getService }: FtrProviderContext): void => { | |||
|
|||
afterEach(async () => { | |||
await esArchiver.unload('x-pack/test/functional/es_archives/signals/outdated_signals_index'); | |||
await deleteMigrations({ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🚀
@@ -190,7 +190,7 @@ export default ({ getService }: FtrProviderContext): void => { | |||
}); | |||
|
|||
// This fails and should be investigated or removed if it no longer applies | |||
it.skip('deletes the underlying migration task', async () => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looked familiar: I wrote this test, and it's been skipped since it was originally introduced. I don't recall exactly why it was skipped, and it doesn't look like I left any clues for us 😢 .
However, I was surprised to see the build was green after unskipping this. It looks to be a false positive, as the actual assertions of this test are commented out below (and most obviously, no getMigration
helper currently exists).
I would say: just keep this skipped for now, and (maybe) create a ticket to unskip it in the future.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tracking #179593
@@ -96,12 +104,16 @@ export default ({ getService }: FtrProviderContext) => { | |||
describe('find_alerts_route', () => { | |||
describe('validation checks', () => { | |||
// This fails and should be investigated or removed if it no longer applies |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// This fails and should be investigated or removed if it no longer applies |
💚 Build Succeeded
Metrics [docs]
History
To update your PR or re-run it, just comment with: cc @yctercero |
Summary
Begins work on #169185 and #151877 .
Related to #151877 this PR:
/alerts
folder that do not require Platinum license into the basics folder. Tests in/alerts/trial_license_complete_tier
folder should now relate to functionality that requires the higher license tier.Related to #169185 this PR:
@skipInQA
tagIssues to follow up on:
x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/create_index.ts
#179208Old structure
New structure