From 7698d9c2f850974ff67f866350ff540eb69bb29c Mon Sep 17 00:00:00 2001 
From: Yara Tercero Date: Thu, 28 Mar 2024 09:48:24 -0700 Subject: [PATCH] [Detection Engine][MKI] Audit alerts FTRs in prep for MKI (#179211) ## Summary Begins work on https://github.com/elastic/kibana/issues/169185 and https://github.com/elastic/kibana/issues/151877 . Related to https://github.com/elastic/kibana/issues/151877 this PR: - Moves FTR tests under the `/alerts` folder that do not require Platinum license into the basics folder. Tests in `/alerts/trial_license_complete_tier` folder should now relate to functionality that requires the higher license tier. - Rearranged some of the folder structure so that it was clear what the intent of the tests is - Makes note of any issues in tickets that we will need to follow up on Related to https://github.com/elastic/kibana/issues/169185 this PR: - Ensures that tests are properly tagged for ESS & serverless - Ensures none of the tests that are critical contain the `@skipInQA` tag --- .../alert_status/alert_status.ts} | 151 ++---------------- .../alert_status_ess.ts} | 125 ++++++++------- .../alert_status/index.ts | 14 ++ .../alerts_compatibility.ts | 8 +- .../ess_specific_index_logic}/create_index.ts | 8 +- .../ess_specific_index_logic/index.ts | 16 ++ .../migrations/create_alerts_migrations.ts | 14 +- .../migrations/delete_alerts_migrations.ts | 13 +- .../migrations/finalize_alerts_migrations.ts | 12 +- .../migrations/get_alerts_migration_status.ts | 10 +- .../migrations/index.ts | 6 +- .../query_alerts_backword_compatibility.ts | 4 +- .../field_aliases.ts} | 2 +- .../basic_license_essentials_tier/index.ts | 8 +- .../query_alerts.ts | 27 +++- .../set_alert_tags.ts | 3 +- .../assignments/assignments.ts | 3 +- .../assignments/assignments_serverless.ts | 3 +- ...y_alerts.ts => document_level_security.ts} | 2 +- .../trial_license_complete_tier/index.ts | 8 +- 20 files changed, 187 insertions(+), 250 deletions(-) rename 
x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/{trial_license_complete_tier/open_close_alerts.ts => basic_license_essentials_tier/alert_status/alert_status.ts} (54%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/{open_close_alerts.ts => alert_status/alert_status_ess.ts} (54%) create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/alert_status/index.ts rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/{trial_license_complete_tier => basic_license_essentials_tier/ess_specific_index_logic}/alerts_compatibility.ts (99%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/{trial_license_complete_tier => basic_license_essentials_tier/ess_specific_index_logic}/create_index.ts (90%) create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/index.ts rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/{trial_license_complete_tier => basic_license_essentials_tier/ess_specific_index_logic}/migrations/create_alerts_migrations.ts (95%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/{trial_license_complete_tier => basic_license_essentials_tier/ess_specific_index_logic}/migrations/delete_alerts_migrations.ts (91%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/{trial_license_complete_tier => basic_license_essentials_tier/ess_specific_index_logic}/migrations/finalize_alerts_migrations.ts (95%) rename 
x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/{trial_license_complete_tier => basic_license_essentials_tier/ess_specific_index_logic}/migrations/get_alerts_migration_status.ts (91%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/{trial_license_complete_tier => basic_license_essentials_tier/ess_specific_index_logic}/migrations/index.ts (70%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/{ => ess_specific_index_logic}/query_alerts_backword_compatibility.ts (93%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/{trial_license_complete_tier/aliases.ts => basic_license_essentials_tier/field_aliases.ts} (96%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/{trial_license_complete_tier => basic_license_essentials_tier}/set_alert_tags.ts (98%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/{query_alerts.ts => document_level_security.ts} (97%) diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/open_close_alerts.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/alert_status/alert_status.ts similarity index 54% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/open_close_alerts.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/alert_status/alert_status.ts index 7a1ea17d1530a..c9bfadb7b3bfa 100644 
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/open_close_alerts.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/alert_status/alert_status.ts @@ -6,8 +6,6 @@ */ import expect from '@kbn/expect'; -import { parse as parseCookie } from 'tough-cookie'; -import { adminTestUser } from '@kbn/test'; import { ALERT_WORKFLOW_STATUS } from '@kbn/rule-data-utils'; import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; @@ -15,9 +13,12 @@ import { DETECTION_ENGINE_SIGNALS_STATUS_URL, DETECTION_ENGINE_QUERY_SIGNALS_URL, } from '@kbn/security-solution-plugin/common/constants'; -import { ROLES } from '@kbn/security-solution-plugin/common/test'; import { DetectionAlert } from '@kbn/security-solution-plugin/common/api/detection_engine'; -import { setAlertStatus, getAlertUpdateByQueryEmptyResponse, refreshIndex } from '../../../utils'; +import { + setAlertStatus, + getAlertUpdateByQueryEmptyResponse, + refreshIndex, +} from '../../../../utils'; import { createAlertsIndex, deleteAllAlerts, 
@@ -28,28 +29,21 @@ import { getAlertsByIds, waitForRuleSuccess, getRuleForAlertTesting, -} from '../../../../../../common/utils/security_solution'; -import { - createUserAndRole, - deleteUserAndRole, -} from '../../../../../../common/services/security_solution'; -import { FtrProviderContext } from '../../../../../ftr_provider_context'; -import { EsArchivePathBuilder } from '../../../../../es_archive_path_builder'; +} from '../../../../../../../common/utils/security_solution'; +import { FtrProviderContext } from '../../../../../../ftr_provider_context'; +import { EsArchivePathBuilder } from '../../../../../../es_archive_path_builder'; export default ({ getService }: FtrProviderContext) => { const supertest = getService('supertest'); const esArchiver = getService('esArchiver'); - const supertestWithoutAuth = getService('supertestWithoutAuth'); const log = getService('log'); const es = getService('es'); - // TODO: add a new service for loading archiver files similar to "getService('es')" const config = getService('config'); const isServerless = config.get('serverless'); const dataPathBuilder = new EsArchivePathBuilder(isServerless); const path = dataPathBuilder.getPath('auditbeat/hosts'); - // Failing: See https://github.com/elastic/kibana/issues/170753 - describe.skip('@ess @serverless open_close_alerts', () => { + describe('@ess @serverless change alert status endpoints', () => { describe('validation checks', () => { describe('update by ids', () => { it('should not give errors when querying and the alerts index does not exist yet', async () => { 
@@ -142,41 +136,13 @@ export default ({ getService }: FtrProviderContext) => { await waitForAlertsToBePresent(supertest, log, 10, [id]); const alertsOpen = await getAlertsByIds(supertest, log, [id]); expect(alertsOpen.hits.hits.length).equal(10); - }); - - it('should be have set the alerts in an open state initially', async () => { - const rule = { - ...getRuleForAlertTesting(['auditbeat-*']), - query: 'process.executable: "/usr/bin/sudo"', - }; - const { id } = await createRule(supertest, log, rule); - await waitForRuleSuccess({ supertest, log, id }); - await waitForAlertsToBePresent(supertest, log, 10, [id]); - const alertsOpen = await getAlertsByIds(supertest, log, [id]); const everyAlertOpen = alertsOpen.hits.hits.every( (hit) => hit._source?.[ALERT_WORKFLOW_STATUS] === 'open' ); expect(everyAlertOpen).to.eql(true); }); - it('should be able to close alerts while logged in and populate workflow_user', async () => { - // Login so we can test changing alert status within an interactive session - // We write `profile_uid` to `kibana.alert.workflow_user` if it's available, - // but `profile_uid` is only available in interactive sessions - const response = await supertestWithoutAuth - .post('/internal/security/login') - .set('kbn-xsrf', 'xxx') - .send({ - providerType: 'basic', - providerName: 'basic', - currentURL: '/', - params: { username: adminTestUser.username, password: adminTestUser.password }, - }) - .expect(200); - - const cookies = response.header['set-cookie']; - expect(cookies).to.have.length(1); - + it('should set alerts to acknowledged', async () => { const rule = { ...getRuleForAlertTesting(['auditbeat-*']), query: 'process.executable: "/usr/bin/sudo"', 
@@ -187,37 +153,23 @@ export default ({ getService }: FtrProviderContext) => { const alertsOpen = await getAlertsByIds(supertest, log, [id]); const alertIds = alertsOpen.hits.hits.map((alert) => alert._id); - // set all of the alerts to the state of closed. There is no reason to use a waitUntil here - // as this route intentionally has a waitFor within it and should only return when the query has - // the data. - await supertestWithoutAuth + await supertest .post(DETECTION_ENGINE_SIGNALS_STATUS_URL) .set('kbn-xsrf', 'true') - .set('Cookie', parseCookie(cookies[0])!.cookieString()) - .send(setAlertStatus({ alertIds, status: 'closed' })) + .send(setAlertStatus({ alertIds, status: 'acknowledged' })) .expect(200); - await refreshIndex(es, '.alerts-security.alerts-default*'); - - const { body: alertsClosed }: { body: estypes.SearchResponse } = + const { body: alertsAcknowledged }: { body: estypes.SearchResponse } = await supertest .post(DETECTION_ENGINE_QUERY_SIGNALS_URL) .set('kbn-xsrf', 'true') .send(getQueryAlertIds(alertIds)) .expect(200); - expect(alertsClosed.hits.hits.length).to.equal(10); - const everyAlertClosed = alertsClosed.hits.hits.every( - (hit) => hit._source?.['kibana.alert.workflow_status'] === 'closed' - ); - expect(everyAlertClosed).to.eql(true); - const everyAlertWorkflowUserExists = alertsClosed.hits.hits.every( - (hit) => hit._source?.['kibana.alert.workflow_user'] !== null - ); - expect(everyAlertWorkflowUserExists).to.eql(true); - const everyAlertWorkflowStatusUpdatedAtExists = alertsClosed.hits.hits.every( - (hit) => hit._source?.['kibana.alert.workflow_status_updated_at'] !== null + + const everyAlertAcknowledged = alertsAcknowledged.hits.hits.every( + (hit) => hit._source?.['kibana.alert.workflow_status'] === 'acknowledged' ); - expect(everyAlertWorkflowStatusUpdatedAtExists).to.eql(true); + expect(everyAlertAcknowledged).to.eql(true); }); it('should be able close alerts without logging in and workflow_user is set to null', async () => { 
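Review bot: The new acknowledged test no longer asserts how many hits the follow-up query returned; the removed lines carried `expect(alertsClosed.hits.hits.length).to.equal(10);`, and `Array.prototype.every` over an empty `hits.hits` is vacuously true, so a query that returns no documents now passes. Add `expect(alertsAcknowledged.hits.hits.length).to.equal(10);` before the `everyAlertAcknowledged` check. The `refreshIndex` call was dropped from this test as well while the equivalent closed-status test re-added in alert_status_ess.ts keeps it, so the query may read stale documents here; the count assertion is also what would surface that. The `it` block begins in the preceding hunk (-142).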
@@ -262,75 +214,6 @@ export default ({ getService }: FtrProviderContext) => { ); expect(everyAlertWorkflowStatusUpdatedAtExists).to.eql(true); }); - // This fails and should be investigated or removed if it no longer applies - it.skip('should be able to close alerts with t1 analyst user', async () => { - const rule = getRuleForAlertTesting(['auditbeat-*']); - const { id } = await createRule(supertest, log, rule); - await waitForRuleSuccess({ supertest, log, id }); - await waitForAlertsToBePresent(supertest, log, 1, [id]); - await createUserAndRole(getService, ROLES.t1_analyst); - const alertsOpen = await getAlertsByIds(supertest, log, [id]); - const alertIds = alertsOpen.hits.hits.map((alert) => alert._id); - - // Try to set all of the alerts to the state of closed. - // This should not be possible with the given user. - await supertestWithoutAuth - .post(DETECTION_ENGINE_SIGNALS_STATUS_URL) - .set('kbn-xsrf', 'true') - .auth(ROLES.t1_analyst, 'changeme') - .send(setAlertStatus({ alertIds, status: 'closed' })) - .expect(200); - - // query for the alerts with the superuser - // to allow a check that the alerts were NOT closed with t1 analyst - const { body: alertsClosed }: { body: estypes.SearchResponse } = - await supertest - .post(DETECTION_ENGINE_QUERY_SIGNALS_URL) - .set('kbn-xsrf', 'true') - .send(getQueryAlertIds(alertIds)) - .expect(200); - - const everyAlertClosed = alertsClosed.hits.hits.every( - (hit) => hit._source?.['kibana.alert.workflow_status'] === 'closed' - ); - expect(everyAlertClosed).to.eql(true); - - await deleteUserAndRole(getService, ROLES.t1_analyst); - }); - // This fails and should be investigated or removed if it no longer applies - it.skip('should be able to close alerts with soc_manager user', async () => { - const rule = getRuleForAlertTesting(['auditbeat-*']); - const { id } = await createRule(supertest, log, rule); - await waitForRuleSuccess({ supertest, log, id }); - await waitForAlertsToBePresent(supertest, log, 1, [id]); - const 
userAndRole = ROLES.soc_manager; - await createUserAndRole(getService, userAndRole); - const alertsOpen = await getAlertsByIds(supertest, log, [id]); - const alertIds = alertsOpen.hits.hits.map((alert) => alert._id); - - // Try to set all of the alerts to the state of closed. - // This should not be possible with the given user. - await supertestWithoutAuth - .post(DETECTION_ENGINE_SIGNALS_STATUS_URL) - .set('kbn-xsrf', 'true') - .auth(userAndRole, 'changeme') // each user has the same password - .send(setAlertStatus({ alertIds, status: 'closed' })) - .expect(200); - - const { body: alertsClosed }: { body: estypes.SearchResponse } = - await supertest - .post(DETECTION_ENGINE_QUERY_SIGNALS_URL) - .set('kbn-xsrf', 'true') - .send(getQueryAlertIds(alertIds)) - .expect(200); - - const everyAlertClosed = alertsClosed.hits.hits.every( - (hit) => hit._source?.['kibana.alert.workflow_status'] === 'closed' - ); - expect(everyAlertClosed).to.eql(true); - - await deleteUserAndRole(getService, userAndRole); - }); }); }); }); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/open_close_alerts.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/alert_status/alert_status_ess.ts similarity index 54% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/open_close_alerts.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/alert_status/alert_status_ess.ts index 120155ac26eee..1b25b5b499e9c 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/open_close_alerts.ts 
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/alert_status/alert_status_ess.ts 
@@ -6,48 +6,59 @@ */ import expect from '@kbn/expect'; -import { ALERT_WORKFLOW_STATUS } from '@kbn/rule-data-utils'; - import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; +import { parse as parseCookie } from 'tough-cookie'; +import { adminTestUser } from '@kbn/test'; + import { DETECTION_ENGINE_SIGNALS_STATUS_URL, DETECTION_ENGINE_QUERY_SIGNALS_URL, } from '@kbn/security-solution-plugin/common/constants'; +import { ROLES } from '@kbn/security-solution-plugin/common/test'; import { DetectionAlert } from '@kbn/security-solution-plugin/common/api/detection_engine'; -import { setAlertStatus } from '../../../utils'; +import { refreshIndex, setAlertStatus } from '../../../../utils'; import { + createAlertsIndex, + deleteAllAlerts, getQueryAlertIds, + deleteAllRules, createRule, waitForAlertsToBePresent, getAlertsByIds, waitForRuleSuccess, getRuleForAlertTesting, - deleteAllRules, - deleteAllAlerts, - createAlertsIndex, -} from '../../../../../../common/utils/security_solution'; -import { FtrProviderContext } from '../../../../../ftr_provider_context'; -import { EsArchivePathBuilder } from '../../../../../es_archive_path_builder'; +} from '../../../../../../../common/utils/security_solution'; +import { + createUserAndRole, + deleteUserAndRole, +} from '../../../../../../../common/services/security_solution'; +import { FtrProviderContext } from '../../../../../../ftr_provider_context'; +import { EsArchivePathBuilder } from '../../../../../../es_archive_path_builder'; export default ({ getService }: FtrProviderContext) => { const supertest = getService('supertest'); const esArchiver = getService('esArchiver'); + const supertestWithoutAuth = getService('supertestWithoutAuth'); const log = getService('log'); const es = getService('es'); // TODO: add a new service for loading archiver files similar to "getService('es')" const config = getService('config'); const isServerless = config.get('serverless'); const dataPathBuilder = new 
EsArchivePathBuilder(isServerless); - const auditbeatHost = dataPathBuilder.getPath('auditbeat/hosts'); + const path = dataPathBuilder.getPath('auditbeat/hosts'); - describe('@ess @serverless open_close_alerts', () => { - describe('tests with auditbeat data', () => { + describe('@ess change alert status endpoints ESS specific logic', () => { + describe('authentication checks', () => { before(async () => { - await esArchiver.load(auditbeatHost); + await esArchiver.load(path); + await createUserAndRole(getService, ROLES.hunter); + await createUserAndRole(getService, ROLES.reader); }); after(async () => { - await esArchiver.unload(auditbeatHost); + await esArchiver.unload(path); + await deleteUserAndRole(getService, ROLES.hunter); + await deleteUserAndRole(getService, ROLES.reader); }); beforeEach(async () => { 
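Review bot: `ROLES.hunter` is created in `before` and deleted in `after`, but, going by the hunk ranges, no test in this file exercises it: the two remaining `it` blocks (hunks -60 and -114) use the admin login cookie and `ROLES.reader` only. Either drop the two hunter lines or add the case they appear intended for, e.g. a request with `.auth(ROLES.hunter, 'changeme')` asserting whatever outcome that role is expected to have. Note also that `after` only runs cleanup for users whose creation in `before` completed, so a failure between the two `createUserAndRole` calls can leave the hunter user behind; if that matters for shared ESS environments, consider creating the users in `before` only after `esArchiver.load` succeeds and tolerating a missing user in `deleteUserAndRole`.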
@@ -60,34 +71,24 @@ export default ({ getService }: FtrProviderContext) => { await deleteAllRules(supertest, log); }); - it('should be able to execute and get 10 alerts', async () => { - const rule = { - ...getRuleForAlertTesting(['auditbeat-*']), - query: 'process.executable: "/usr/bin/sudo"', - }; - const { id } = await createRule(supertest, log, rule); - await waitForRuleSuccess({ supertest, log, id }); - await waitForAlertsToBePresent(supertest, log, 10, [id]); - const alertsOpen = await getAlertsByIds(supertest, log, [id]); - expect(alertsOpen.hits.hits.length).equal(10); - }); + it('should be able to close alerts while logged in and populate workflow_user', async () => { + // Login so we can test changing alert status within an interactive session + // We write `profile_uid` to `kibana.alert.workflow_user` if it's available, + // but `profile_uid` is only available in interactive sessions + const response = await supertestWithoutAuth + .post('/internal/security/login') + .set('kbn-xsrf', 'xxx') + .send({ + providerType: 'basic', + providerName: 'basic', + currentURL: '/', + params: { username: adminTestUser.username, password: adminTestUser.password }, + }) + .expect(200); - it('should be have set the alerts in an open state initially', async () => { - const rule = { - ...getRuleForAlertTesting(['auditbeat-*']), - query: 'process.executable: "/usr/bin/sudo"', - }; - const { id } = await createRule(supertest, log, rule); - await waitForRuleSuccess({ supertest, log, id }); - await waitForAlertsToBePresent(supertest, log, 10, [id]); - const alertsOpen = await getAlertsByIds(supertest, log, [id]); - const everyAlertOpen = alertsOpen.hits.hits.every( - (hit) => hit._source?.[ALERT_WORKFLOW_STATUS] === 'open' - ); - expect(everyAlertOpen).to.eql(true); - }); + const cookies = response.header['set-cookie']; + expect(cookies).to.have.length(1); - it('should be able to get a count of 10 closed alerts when closing 10', async () => { const rule = { 
...getRuleForAlertTesting(['auditbeat-*']), query: 'process.executable: "/usr/bin/sudo"', @@ -101,12 +102,15 @@ export default ({ getService }: FtrProviderContext) => { // set all of the alerts to the state of closed. There is no reason to use a waitUntil here // as this route intentionally has a waitFor within it and should only return when the query has // the data. - await supertest + await supertestWithoutAuth .post(DETECTION_ENGINE_SIGNALS_STATUS_URL) .set('kbn-xsrf', 'true') + .set('Cookie', parseCookie(cookies[0])!.cookieString()) .send(setAlertStatus({ alertIds, status: 'closed' })) .expect(200); + await refreshIndex(es, '.alerts-security.alerts-default*'); + const { body: alertsClosed }: { body: estypes.SearchResponse } = await supertest .post(DETECTION_ENGINE_QUERY_SIGNALS_URL) 
@@ -114,40 +118,39 @@ export default ({ getService }: FtrProviderContext) => { .send(getQueryAlertIds(alertIds)) .expect(200); expect(alertsClosed.hits.hits.length).to.equal(10); + const everyAlertClosed = alertsClosed.hits.hits.every( + (hit) => hit._source?.['kibana.alert.workflow_status'] === 'closed' + ); + expect(everyAlertClosed).to.eql(true); + const everyAlertWorkflowUserExists = alertsClosed.hits.hits.every( + (hit) => hit._source?.['kibana.alert.workflow_user'] !== null + ); + expect(everyAlertWorkflowUserExists).to.eql(true); + const everyAlertWorkflowStatusUpdatedAtExists = alertsClosed.hits.hits.every( + (hit) => hit._source?.['kibana.alert.workflow_status_updated_at'] !== null + ); + expect(everyAlertWorkflowStatusUpdatedAtExists).to.eql(true); }); - // Test is failing after changing refresh to false - it.skip('should be able close 10 alerts immediately and they all should be closed', async () => { + it('should NOT be able to close alerts with reader user', async () => { const rule = { ...getRuleForAlertTesting(['auditbeat-*']), query: 'process.executable: "/usr/bin/sudo"', }; const { id } = await createRule(supertest, log, rule); await waitForRuleSuccess({ supertest, log, id }); - await waitForAlertsToBePresent(supertest, log, 10, [id]); + await waitForAlertsToBePresent(supertest, log, 1, [id]); const alertsOpen = await getAlertsByIds(supertest, log, [id]); const alertIds = alertsOpen.hits.hits.map((alert) => alert._id); - // set all of the alerts to the state of closed. There is no reason to use a waitUntil here - // as this route intentionally has a waitFor within it and should only return when the query has - // the data. - await supertest + // Try to set all of the alerts to the state of closed. + // This should not be possible with the given user. 
+ await supertestWithoutAuth .post(DETECTION_ENGINE_SIGNALS_STATUS_URL) .set('kbn-xsrf', 'true') + .auth(ROLES.reader, 'changeme') // each user has the same password .send(setAlertStatus({ alertIds, status: 'closed' })) - .expect(200); - - const { body: alertsClosed }: { body: estypes.SearchResponse } = - await supertest - .post(DETECTION_ENGINE_QUERY_SIGNALS_URL) - .set('kbn-xsrf', 'true') - .send(getQueryAlertIds(alertIds)) - .expect(200); - - const everyAlertClosed = alertsClosed.hits.hits.every( - (hit) => hit._source?.[ALERT_WORKFLOW_STATUS] === 'closed' - ); - expect(everyAlertClosed).to.eql(true); + .expect(403); }); }); }); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/alert_status/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/alert_status/index.ts new file mode 100644 index 0000000000000..7275c37497390 --- /dev/null +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/alert_status/index.ts @@ -0,0 +1,14 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { FtrProviderContext } from '../../../../../../ftr_provider_context'; + +export default function ({ loadTestFile }: FtrProviderContext) { + describe('Alert status APIs', function () { + loadTestFile(require.resolve('./alert_status_ess')); + loadTestFile(require.resolve('./alert_status')); + }); +} 
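Review bot: The reader negative-authorization test stops at `.expect(403)` and never verifies that the alerts are still open, whereas the skipped test it replaces re-queried the alerts with the superuser client afterwards. A 403 status alone does not prove the update-by-query was not executed, and this is the check that would catch a route that writes before it authorizes; an `every` over the re-queried hits should be paired with a length check since `every` on an empty result is vacuously true. The describe block closes at the end of this hunk, so the addition fits after the `.expect(403);` line.
```typescript
        .expect(403);

      const { body: alertsAfter }: { body: estypes.SearchResponse } = await supertest
        .post(DETECTION_ENGINE_QUERY_SIGNALS_URL)
        .set('kbn-xsrf', 'true')
        .send(getQueryAlertIds(alertIds))
        .expect(200);
      expect(alertsAfter.hits.hits.length).to.equal(alertIds.length);
      const everyAlertStillOpen = alertsAfter.hits.hits.every(
        (hit) => hit._source?.['kibana.alert.workflow_status'] === 'open'
      );
      expect(everyAlertStillOpen).to.eql(true);
```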
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/alerts_compatibility.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/alerts_compatibility.ts similarity index 99% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/alerts_compatibility.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/alerts_compatibility.ts index 1a2343ffe874d..7bde0e6f230ab 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/alerts_compatibility.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/alerts_compatibility.ts @@ -28,7 +28,7 @@ import { getThresholdRuleForAlertTesting, startAlertsMigration, removeRandomValuedPropertiesFromAlert, -} from '../../../utils'; +} from '../../../../utils'; import { createRule, createAlertsIndex, @@ -39,8 +39,8 @@ import { waitForRuleSuccess, waitForAlertsToBePresent, getRuleForAlertTesting, -} from '../../../../../../common/utils/security_solution'; -import { FtrProviderContext } from '../../../../../ftr_provider_context'; +} from '../../../../../../../common/utils/security_solution'; +import { FtrProviderContext } from '../../../../../../ftr_provider_context'; export default ({ getService }: FtrProviderContext) => { const esArchiver = getService('esArchiver'); 
@@ -48,7 +48,7 @@ export default ({ getService }: FtrProviderContext) => { const supertest = getService('supertest'); const es = getService('es'); - describe('@ess Alerts Compatibility', function () { + describe('@ess alerts compatibility with legacy siem signals index', function () { describe('CTI', () => { const expectedDomain = 'elastic.local'; const expectedProvider = 'provider1'; diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/create_index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/create_index.ts similarity index 90% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/create_index.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/create_index.ts index 0538c0ea6e390..a66daa964ce82 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/create_index.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/create_index.ts 
@@ -13,9 +13,9 @@ import { import { SIGNALS_FIELD_ALIASES_VERSION } from '@kbn/security-solution-plugin/server/lib/detection_engine/routes/index/get_signals_template'; -import { deleteAllAlerts } from '../../../../../../common/utils/security_solution'; +import { deleteAllAlerts } from '../../../../../../../common/utils/security_solution'; -import { FtrProviderContext } from '../../../../../ftr_provider_context'; +import { FtrProviderContext } from '../../../../../../ftr_provider_context'; export default ({ getService }: FtrProviderContext) => { const supertest = getService('supertest'); @@ -23,7 +23,7 @@ export default ({ getService }: FtrProviderContext) => { const es = getService('es'); const log = getService('log'); - describe('@ess create_index', () => { + describe('@ess legacy create index route deals with 7.x to 8.x alerts index logic', () => { afterEach(async () => { await deleteAllAlerts(supertest, log, es); }); @@ -38,7 +38,7 @@ export default ({ getService }: FtrProviderContext) => { await esArchiver.unload('x-pack/test/functional/es_archives/signals/index_alias_clash'); }); - // This fails and should be investigated or removed if it no longer applies + // Skipped: see https://github.com/elastic/kibana/issues/179208 it.skip('should report that alerts index does not exist', async () => { const { body } = await supertest.get(DETECTION_ENGINE_INDEX_URL).send().expect(404); expect(body).to.eql({ message: 'index for this space does not exist', status_code: 404 }); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/index.ts new file mode 100644 index 0000000000000..59ea9b63c8221 --- /dev/null 
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/index.ts @@ -0,0 +1,16 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { FtrProviderContext } from '../../../../../../ftr_provider_context'; + +export default function ({ loadTestFile }: FtrProviderContext) { + describe('ESS specific alerts and alert index logic', function () { + loadTestFile(require.resolve('./migrations')); + loadTestFile(require.resolve('./alerts_compatibility')); + loadTestFile(require.resolve('./create_index')); + loadTestFile(require.resolve('./query_alerts_backword_compatibility')); + }); +} diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/migrations/create_alerts_migrations.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/migrations/create_alerts_migrations.ts similarity index 95% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/migrations/create_alerts_migrations.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/migrations/create_alerts_migrations.ts index d1c8107bf2881..389527a532b40 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/migrations/create_alerts_migrations.ts 
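Review bot: The new index loads `./query_alerts_backword_compatibility`, carrying the "backword" misspelling from the renamed file into a second place; the move would have been the natural moment to rename the file to `query_alerts_backward_compatibility.ts` and load it under that name. The parent `describe('ESS specific alerts and alert index logic', …)` also carries no `@ess` tag even though the folder name says the suites are ESS-only; presumably the child suites' `@ess` tags are what keep them out of serverless runs, but a one-line comment stating that, e.g. `// Each child suite is tagged @ess; these exercise the legacy .siem-signals index and do not run on serverless`, would save the next reader from checking every file.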
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/migrations/create_alerts_migrations.ts @@ -16,16 +16,20 @@ import { ROLES } from '@kbn/security-solution-plugin/common/test'; import { SIGNALS_TEMPLATE_VERSION } from '@kbn/security-solution-plugin/server/lib/detection_engine/routes/index/get_signals_template'; import { Signal } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/types'; -import { deleteMigrations, getIndexNameFromLoad, waitForIndexToPopulate } from '../../../../utils'; +import { + deleteMigrations, + getIndexNameFromLoad, + waitForIndexToPopulate, +} from '../../../../../utils'; import { createAlertsIndex, deleteAllAlerts, -} from '../../../../../../../common/utils/security_solution'; +} from '../../../../../../../../common/utils/security_solution'; import { createUserAndRole, deleteUserAndRole, -} from '../../../../../../../common/services/security_solution'; -import { FtrProviderContext } from '../../../../../../ftr_provider_context'; +} from '../../../../../../../../common/services/security_solution'; +import { FtrProviderContext } from '../../../../../../../ftr_provider_context'; interface CreateResponse { index: string; @@ -45,7 +49,7 @@ export default ({ getService }: FtrProviderContext): void => { const supertestWithoutAuth = getService('supertestWithoutAuth'); const log = getService('log'); - describe('Creating signals migrations', () => { + describe('@ess Creating signals migrations', () => { let createdMigrations: CreateResponse[]; let legacySignalsIndexName: string; let outdatedSignalsIndexName: string; 
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/migrations/delete_alerts_migrations.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/migrations/delete_alerts_migrations.ts similarity index 91% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/migrations/delete_alerts_migrations.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/migrations/delete_alerts_migrations.ts index 01f2ec0062f13..85911fc8ef7de 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/migrations/delete_alerts_migrations.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/migrations/delete_alerts_migrations.ts @@ -13,13 +13,13 @@ import { DETECTION_ENGINE_SIGNALS_MIGRATION_URL, } from '@kbn/security-solution-plugin/common/constants'; import { ROLES } from '@kbn/security-solution-plugin/common/test'; -import { getIndexNameFromLoad } from '../../../../utils'; +import { deleteMigrations, getIndexNameFromLoad } from '../../../../../utils'; import { createAlertsIndex, deleteAllAlerts, waitFor, -} from '../../../../../../../common/utils/security_solution'; -import { createUserAndRole } from '../../../../../../../common/services/security_solution'; +} from '../../../../../../../../common/utils/security_solution'; +import { createUserAndRole } from '../../../../../../../../common/services/security_solution'; interface CreateResponse { index: string; 
@@ -31,7 +31,7 @@ interface FinalizeResponse extends CreateResponse { completed?: boolean; error?: unknown; } -import { FtrProviderContext } from '../../../../../../ftr_provider_context'; +import { FtrProviderContext } from '../../../../../../../ftr_provider_context'; export default ({ getService }: FtrProviderContext): void => { const es = getService('es'); @@ -39,6 +39,7 @@ export default ({ getService }: FtrProviderContext): void => { const supertest = getService('supertest'); const supertestWithoutAuth = getService('supertestWithoutAuth'); const log = getService('log'); + const kbnClient = getService('kibanaServer'); describe('@ess Deleting alerts migrations', () => { let outdatedAlertsIndexName: string; @@ -83,6 +84,10 @@ export default ({ getService }: FtrProviderContext): void => { afterEach(async () => { await esArchiver.unload('x-pack/test/functional/es_archives/signals/outdated_signals_index'); + await deleteMigrations({ + kbnClient, + ids: [createdMigration.migration_id], + }); await deleteAllAlerts(supertest, log, es); }); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/migrations/finalize_alerts_migrations.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/migrations/finalize_alerts_migrations.ts similarity index 95% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/migrations/finalize_alerts_migrations.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/migrations/finalize_alerts_migrations.ts index e63993369bad2..02d681fe29712 100644 
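Review bot: In the `afterEach` of the `@@ -83` hunk the new `deleteMigrations` call is awaited before `deleteAllAlerts`, so if it rejects the alerts index is never reset and state leaks into the next test. This suite's tests delete migrations themselves, so the cleanup may well hit an id that is already gone; whether the helper tolerates that is not visible in the diff, and `createdMigration` is assigned outside the hunk. Wrapping the call so the index reset always runs keeps the teardown robust regardless. The enclosing `describe` starts and ends outside the hunk.
```typescript
afterEach(async () => {
  await esArchiver.unload('x-pack/test/functional/es_archives/signals/outdated_signals_index');
  try {
    await deleteMigrations({ kbnClient, ids: [createdMigration.migration_id] });
  } finally {
    // always reset the alerts index, even if the migration was already removed by the test
    await deleteAllAlerts(supertest, log, es);
  }
});
```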
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/migrations/finalize_alerts_migrations.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/migrations/finalize_alerts_migrations.ts @@ -13,16 +13,16 @@ import { DETECTION_ENGINE_SIGNALS_MIGRATION_URL, } from '@kbn/security-solution-plugin/common/constants'; import { ROLES } from '@kbn/security-solution-plugin/common/test'; -import { deleteMigrations, getIndexNameFromLoad } from '../../../../utils'; +import { deleteMigrations, getIndexNameFromLoad } from '../../../../../utils'; import { createAlertsIndex, deleteAllAlerts, waitFor, -} from '../../../../../../../common/utils/security_solution'; +} from '../../../../../../../../common/utils/security_solution'; import { createUserAndRole, deleteUserAndRole, -} from '../../../../../../../common/services/security_solution'; +} from '../../../../../../../../common/services/security_solution'; interface StatusResponse { index: string; @@ -40,7 +40,7 @@ interface FinalizeResponse { completed?: boolean; error?: unknown; } -import { FtrProviderContext } from '../../../../../../ftr_provider_context'; +import { FtrProviderContext } from '../../../../../../../ftr_provider_context'; export default ({ getService }: FtrProviderContext): void => { const esArchiver = getService('esArchiver'); 
@@ -189,7 +189,9 @@ export default ({ getService }: FtrProviderContext): void => { expect(indices.map((s: any) => s.is_outdated)).to.eql([false, false]); }); - // This fails and should be investigated or removed if it no longer applies + // it's been skipped since it was originally introduced in + // https://github.com/elastic/kibana/pull/85690. Created ticket to track skip. + // https://github.com/elastic/kibana/issues/179593 it.skip('deletes the underlying migration task', async () => { await waitFor( async () => { diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/migrations/get_alerts_migration_status.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/migrations/get_alerts_migration_status.ts similarity index 91% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/migrations/get_alerts_migration_status.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/migrations/get_alerts_migration_status.ts index 1ed26a7bb5423..715ca428c93aa 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/migrations/get_alerts_migration_status.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/migrations/get_alerts_migration_status.ts 
@@ -9,17 +9,17 @@ import expect from '@kbn/expect'; import { DETECTION_ENGINE_SIGNALS_MIGRATION_STATUS_URL } from '@kbn/security-solution-plugin/common/constants'; import { ROLES } from '@kbn/security-solution-plugin/common/test'; -import { getIndexNameFromLoad } from '../../../../utils'; +import { getIndexNameFromLoad } from '../../../../../utils'; import { createAlertsIndex, deleteAllAlerts, -} from '../../../../../../../common/utils/security_solution'; +} from '../../../../../../../../common/utils/security_solution'; import { createUserAndRole, deleteUserAndRole, -} from '../../../../../../../common/services/security_solution'; +} from '../../../../../../../../common/services/security_solution'; -import { FtrProviderContext } from '../../../../../../ftr_provider_context'; +import { FtrProviderContext } from '../../../../../../../ftr_provider_context'; export default ({ getService }: FtrProviderContext): void => { const esArchiver = getService('esArchiver'); @@ -41,7 +41,7 @@ export default ({ getService }: FtrProviderContext): void => { return filteredIndices; }; - describe('Alerts migration status', () => { + describe('@ess Alerts migration status', () => { let legacyAlertsIndexName: string; beforeEach(async () => { legacyAlertsIndexName = getIndexNameFromLoad( 
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/migrations/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/migrations/index.ts similarity index 70% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/migrations/index.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/migrations/index.ts index 8ce9a269a3e4d..2c1aed2b1387b 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/migrations/index.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/migrations/index.ts @@ -4,13 +4,13 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { FtrProviderContext } from '../../../../../../ftr_provider_context'; +import { FtrProviderContext } from '../../../../../../../ftr_provider_context'; export default function ({ loadTestFile }: FtrProviderContext) { - describe('Actions API', function () { + describe('ESS specific alerts index migration logic', function () { loadTestFile(require.resolve('./create_alerts_migrations')); loadTestFile(require.resolve('./delete_alerts_migrations')); loadTestFile(require.resolve('./finalize_alerts_migrations')); - loadTestFile(require.resolve('./finalize_alerts_migrations')); + loadTestFile(require.resolve('./get_alerts_migration_status')); }); } 
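Review bot: The corrected `loadTestFile(require.resolve('./get_alerts_migration_status'))` line means the migration-status suite was previously never loaded (the old index loaded `finalize_alerts_migrations` twice), so this hunk enables those tests for the first time rather than merely moving them. That is worth stating in the PR description, and it would be reassuring to record that the suite was run against the ESS config as part of this change, since its assertions have not been exercised by CI before.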
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/query_alerts_backword_compatibility.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/query_alerts_backword_compatibility.ts similarity index 93% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/query_alerts_backword_compatibility.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/query_alerts_backword_compatibility.ts index d040d902e6b05..2215fff8d99c2 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/query_alerts_backword_compatibility.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/query_alerts_backword_compatibility.ts @@ -11,8 +11,8 @@ import { DETECTION_ENGINE_QUERY_SIGNALS_URL } from '@kbn/security-solution-plugi import { createAlertsIndex, deleteAllAlerts, -} from '../../../../../../common/utils/security_solution'; -import { FtrProviderContext } from '../../../../../ftr_provider_context'; +} from '../../../../../../../common/utils/security_solution'; +import { FtrProviderContext } from '../../../../../../ftr_provider_context'; export default ({ getService }: FtrProviderContext) => { const supertest = getService('supertest'); 
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/aliases.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/field_aliases.ts similarity index 96% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/aliases.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/field_aliases.ts index faef3e8b272dc..cc37d7396cc0f 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/aliases.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/field_aliases.ts @@ -29,7 +29,7 @@ export default ({ getService }: FtrProviderContext) => { name: string; } - describe('@ess Tests involving aliases of source indexes and the alerts index', () => { + describe('@ess @serverless Tests involving aliases of source indexes and the alerts index', () => { before(async () => { await esArchiver.load('x-pack/test/functional/es_archives/security_solution/alias'); }); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/index.ts index e95da2122ea73..1c36d6bd88182 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/index.ts 
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/index.ts @@ -7,9 +7,11 @@ import { FtrProviderContext } from '../../../../../ftr_provider_context'; export default function ({ loadTestFile }: FtrProviderContext) { - describe('Alerts APIs - Basic License/Essentials Tier', function () { - loadTestFile(require.resolve('./open_close_alerts')); - loadTestFile(require.resolve('./query_alerts_backword_compatibility')); + describe('Alerts and alerts index related logic - Basic License/Essentials Tier', function () { + loadTestFile(require.resolve('./ess_specific_index_logic')); + loadTestFile(require.resolve('./alert_status')); + loadTestFile(require.resolve('./field_aliases')); loadTestFile(require.resolve('./query_alerts')); + loadTestFile(require.resolve('./set_alert_tags')); }); } diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/query_alerts.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/query_alerts.ts index 22f77825e36b7..4412632f2c4a9 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/query_alerts.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/query_alerts.ts @@ -19,6 +19,15 @@ import { } from '../../../../../../common/utils/security_solution'; import { FtrProviderContext } from '../../../../../ftr_provider_context'; +const query = { + ...getAlertStatus(), + query: { + bool: { + should: [{ match_all: {} }], + }, + }, +}; + export default ({ getService }: FtrProviderContext) => { const supertest = getService('supertest'); const esArchiver = getService('esArchiver'); 
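Review bot: The new module-level constant in query_alerts.ts is named just `query`, which is generic enough that the later hunks in the same file have to rename a local `query` to `queryRuntime` to avoid shadowing; a descriptive name such as `const matchAllAlertsQuery = { ...getAlertStatus(), query: { bool: { should: [{ match_all: {} }] } } };` would read better at both call sites and remove the need for that rename. It is also built by calling `getAlertStatus()` at import time rather than inside a test, which is only safe if the helper is pure and needs no test services; the diff does not show its definition, so confirm. The rest of the file is outside the hunk.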
@@ -27,13 +36,12 @@ export default ({ getService }: FtrProviderContext) => { describe('@ess @serverless query_signals_route and find_alerts_route', () => { describe('validation checks', () => { - // This fails and should be investigated or removed if it no longer applies - it.skip('should not give errors when querying and the alerts index does exist and is empty', async () => { + it('should not give errors when querying and the alerts index does exist and is empty', async () => { await createAlertsIndex(supertest, log); const { body } = await supertest .post(DETECTION_ENGINE_QUERY_SIGNALS_URL) .set('kbn-xsrf', 'true') - .send(getAlertStatus()) + .send(query) .expect(200); // remove any server generated items that are indeterministic @@ -69,7 +77,7 @@ export default ({ getService }: FtrProviderContext) => { }); it('should be able to filter using a runtime field defined in the request', async () => { - const query = { + const queryRuntime = { query: { bool: { should: [{ match_phrase: { signal_status_querytime: 'open' } }], @@ -87,7 +95,7 @@ export default ({ getService }: FtrProviderContext) => { const { body } = await supertest .post(DETECTION_ENGINE_QUERY_SIGNALS_URL) .set('kbn-xsrf', 'true') - .send(query) + .send(queryRuntime) .expect(200); expect(body.hits.total.value).to.eql(3); }); 
@@ -95,13 +103,16 @@ export default ({ getService }: FtrProviderContext) => { describe('find_alerts_route', () => { describe('validation checks', () => { - // This fails and should be investigated or removed if it no longer applies - it.skip('should not give errors when querying and the alerts index does exist and is empty', async () => { + it('should not give errors when querying and the alerts index does exist and is empty', async () => { await createAlertsIndex(supertest, log); const { body } = await supertest .post(ALERTS_AS_DATA_FIND_URL) .set('kbn-xsrf', 'true') - .send({ ...getAlertStatus(), index: '.siem-signals-default' }) + .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana') + .send({ + ...query, + index: '.siem-signals-default', + }) .expect(200); // remove any server generated items that are indeterministic diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/set_alert_tags.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/set_alert_tags.ts similarity index 98% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/set_alert_tags.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/set_alert_tags.ts index 25ed0c62d0d58..305d57ace71eb 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/set_alert_tags.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/set_alert_tags.ts 
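Review bot: The un-skipped find_alerts_route test now sets `X_ELASTIC_INTERNAL_ORIGIN_REQUEST` to `'kibana'`, but no import of that constant appears in the diff; if the file did not already import it, the file will not compile, so confirm the import is present above the visible hunks. The earlier query_signals_route test in this file sends the same `query` without the header, presumably because only the find route is restricted to internal-origin requests; a one-line comment at the `.set(...)` call, e.g. `// find route is internal-only; the internal-origin header is required`, would make that asymmetry deliberate rather than accidental to the next reader. The enclosing `describe` starts outside the hunk.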
@@ -40,7 +40,8 @@ export default ({ getService }: FtrProviderContext) => { const dataPathBuilder = new EsArchivePathBuilder(isServerless); const path = dataPathBuilder.getPath('auditbeat/hosts'); - describe('@ess @serverless set_alert_tags', () => { + // Intentionally setting as @skipInQA, keeping tests running in MKI that should block release + describe('@ess @serverless @skipInQA set_alert_tags', () => { describe('validation checks', () => { it('should give errors when no alert ids are provided', async () => { const { body } = await supertest diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/assignments/assignments.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/assignments/assignments.ts index 4e4ecb21ca157..69538dfb6c1ca 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/assignments/assignments.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/assignments/assignments.ts @@ -39,7 +39,8 @@ export default ({ getService }: FtrProviderContext) => { const dataPathBuilder = new EsArchivePathBuilder(isServerless); const path = dataPathBuilder.getPath('auditbeat/hosts'); - describe('@ess @serverless Alert User Assignment - ESS & Serverless', () => { + // Intentionally setting as @skipInQA, keeping tests running in MKI that should block release + describe('@ess @serverless @skipInQA Alert User Assignment - ESS & Serverless', () => { describe('validation checks', () => { it('should give errors when no alert ids are provided', async () => { const { body } = await supertest 
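Review bot: The comment added above the `@skipInQA` tag, `// Intentionally setting as @skipInQA, keeping tests running in MKI that should block release`, reads as if this suite is being kept running in MKI, when the tag does the opposite; it should say why this suite is excluded, e.g. `// @skipInQA: not release-blocking, so excluded from the MKI QA run; see <tracking issue>`. The same wording appears in the assignments.ts hunk on this line and in assignments_serverless.ts, so the fix applies to all three. The PR summary states that critical tests must not carry `@skipInQA`, and the comment is the only place that records this suite's classification, so it should be unambiguous. Each enclosing `describe` continues outside its hunk.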
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/assignments/assignments_serverless.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/assignments/assignments_serverless.ts index 7064f27cfd3bd..48c9e5f065800 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/assignments/assignments_serverless.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/assignments/assignments_serverless.ts @@ -33,7 +33,8 @@ export default ({ getService }: FtrProviderContext) => { const dataPathBuilder = new EsArchivePathBuilder(isServerless); const path = dataPathBuilder.getPath('auditbeat/hosts'); - describe('@serverless Alert User Assignment - Serverless', () => { + // Intentionally setting as @skipInQA, keeping tests running in MKI that should block release + describe('@serverless @skipInQA Alert User Assignment - Serverless', () => { before(async () => { await esArchiver.load(path); }); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/query_alerts.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/document_level_security.ts similarity index 97% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/query_alerts.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/document_level_security.ts index 57d9a1cc0e9fe..32177044f8486 100644 
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/query_alerts.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/document_level_security.ts @@ -74,7 +74,7 @@ export default ({ getService }: FtrProviderContext) => { const esArchiver = getService('esArchiver'); const security = getService('security'); - describe('find alert with/without doc level security', () => { + describe('@ess @serverless @brokenInServerless find alert with/without doc level security', () => { before(async () => { await security.role.create( roleToAccessSecuritySolution.name, diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/index.ts index d4838d19901b3..2ec49ae352bcc 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/index.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/index.ts 
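Review bot: The `@brokenInServerless` tag added to `describe('@ess @serverless @brokenInServerless find alert with/without doc level security', …)` has no comment pointing at a tracking issue, unlike the other skips in this PR (create_index.ts and finalize_alerts_migrations.ts both cite one). This suite is the document-level-security coverage for alert search, so leaving it untracked means the serverless deployment has no regression test for that access-control path until someone rediscovers the tag; add a comment such as `// @brokenInServerless: tracked in <tracking issue>` above the describe. The enclosing function continues outside the hunk.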
@@ -8,13 +8,7 @@ import { FtrProviderContext } from '../../../../../ftr_provider_context'; export default function ({ loadTestFile }: FtrProviderContext) { describe('Alerts APIs - Trial License/Complete Tier', function () { - loadTestFile(require.resolve('./aliases')); - loadTestFile(require.resolve('./create_index')); - loadTestFile(require.resolve('./alerts_compatibility')); - loadTestFile(require.resolve('./migrations')); - loadTestFile(require.resolve('./open_close_alerts')); - loadTestFile(require.resolve('./set_alert_tags')); loadTestFile(require.resolve('./assignments')); - loadTestFile(require.resolve('./query_alerts')); + loadTestFile(require.resolve('./document_level_security')); }); }