Skip to content

Commit

Permalink
Failing ES Promotion: FTR Configs #22 / detection engine api security…
Browse files Browse the repository at this point in the history
… and spaces enabled - rule execution logic Non ECS fields in alert document source should fail creating alert when ECS field mapping is geo_point (elastic#162247)

## Summary

Failing tests ticket: elastic#154277

This PR fixes the non ECS fields in alert document source failing tests.

There are two failing tests:
1. `should remove source array of keywords field from alert if ECS field
mapping is nested` was filing due to wrong key path format passed to
jest's `toHaveProperty`. When the field name has dot notation we should
be using array format as a key path. See discussion
[here](jestjs/jest#5653) and usage examples
[here](https://github.com/jestjs/jest/blob/main/docs/ExpectAPI.md#tohavepropertykeypath-value).
2. `should fail creating alert when ECS field mapping is geo_point` was
failing due to changed error message format.
  • Loading branch information
e40pud authored Jul 20, 2023
1 parent 4fa42f7 commit 2cdcc18
Showing 1 changed file with 5 additions and 4 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,7 @@ export default ({ getService }: FtrProviderContext) => {
};

// FAILING ES PROMOTION: https://github.com/elastic/kibana/issues/154277
describe.skip('Non ECS fields in alert document source', () => {
describe('Non ECS fields in alert document source', () => {
before(async () => {
await esArchiver.load(
'x-pack/test/functional/es_archives/security_solution/ecs_non_compliant'
Expand Down Expand Up @@ -232,7 +232,7 @@ export default ({ getService }: FtrProviderContext) => {
// invalid ECS field is getting removed
expect(alertSource).toHaveProperty('threat.enrichments', []);

expect(alertSource).toHaveProperty('threat.indicator.port', 443);
expect(alertSource).toHaveProperty(['threat', 'indicator.port'], 443);
});

// source client.bytes is text, ECS mapping for client.bytes is long
Expand Down Expand Up @@ -271,8 +271,9 @@ export default ({ getService }: FtrProviderContext) => {

const { errors } = await indexAndCreatePreviewAlert(document);

expect(errors).toContain(
'Bulk Indexing of signals failed: failed to parse field [client.geo.location] of type [geo_point]'
expect(errors[0]).toContain('Bulk Indexing of signals failed');
expect(errors[0]).toContain(
'failed to parse field [client.geo.location] of type [geo_point]'
);
});

Expand Down

0 comments on commit 2cdcc18

Please sign in to comment.