From 527c2e917af7663b36b7786a8bfc8e1d664e5787 Mon Sep 17 00:00:00 2001
From: Ievgen Sorokopud
Date: Wed, 19 Jul 2023 15:28:19 +0200
Subject: [PATCH 1/2] Failing ES Promotion: FTR Configs #22 / detection engine api security and spaces enabled - rule execution logic Non ECS fields in alert document source should fail creating alert when ECS field mapping is geo_point (#154277)
---
 .../rule_execution_logic/non_ecs_fields.ts | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/non_ecs_fields.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/non_ecs_fields.ts
index 1065538ec09c8..3970bbec68677 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/non_ecs_fields.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/non_ecs_fields.ts
@@ -57,7 +57,7 @@ export default ({ getService }: FtrProviderContext) => {
 };
 // FAILING ES PROMOTION: https://github.com/elastic/kibana/issues/154277
- describe.skip('Non ECS fields in alert document source', () => {
+ describe('Non ECS fields in alert document source', () => {
 before(async () => {
 await esArchiver.load(
 'x-pack/test/functional/es_archives/security_solution/ecs_non_compliant'
@@ -232,7 +232,7 @@ export default ({ getService }: FtrProviderContext) => {
 // invalid ECS field is getting removed
 expect(alertSource).toHaveProperty('threat.enrichments', []);
- expect(alertSource).toHaveProperty('threat.indicator.port', 443);
+ expect(alertSource).toHaveProperty(['threat', 'indicator.port'], 443);
 });
 // source client.bytes is text, ECS mapping for client.bytes is long
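Review bot: The `// FAILING ES PROMOTION: https://github.com/elastic/kibana/issues/154277` comment is kept while the line under it drops `describe.skip`, so the comment now describes a state the suite no longer has. Either remove it together with the skip, or reword it so it records history rather than a current skip, e.g. `// Re-enabled; https://github.com/elastic/kibana/issues/154277 tracks the original ES promotion failure`. The `describe` callback it heads continues outside the hunk.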
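Review bot: The changed assertion `toHaveProperty(['threat', 'indicator.port'], 443)` checks for a literal dotted key `indicator.port` under `threat`, whereas the string path on the line above (`'threat.enrichments'`) is resolved as nested objects; the two adjacent assertions now read as inconsistent, and nothing in the hunk says why the array form is needed. Presumably the non-ECS field is retained under its dotted name rather than expanded, so a one-line comment would stop a later maintainer from "normalising" it back to `'threat.indicator.port'`, e.g. `// non-ECS field is kept as a literal 'indicator.port' key under 'threat', hence the array path`. The `it` callback containing these assertions starts outside the hunk.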
@@ -271,8 +271,8 @@ export default ({ getService }: FtrProviderContext) => {
 const { errors } = await indexAndCreatePreviewAlert(document);
- expect(errors).toContain(
- 'Bulk Indexing of signals failed: failed to parse field [client.geo.location] of type [geo_point]'
+ expect(errors[0]).toContain(
+ 'Bulk Indexing of signals failed: [1:1193] failed to parse field [client.geo.location] of type [geo_point]'
 );
 });
From 382da9983351305b8046ae355523c9cedef8c4f4 Mon Sep 17 00:00:00 2001
From: Ievgen Sorokopud
Date: Wed, 19 Jul 2023 17:42:07 +0200
Subject: [PATCH 2/2] Fix dynamic error message failure
---
 .../security_and_spaces/rule_execution_logic/non_ecs_fields.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/non_ecs_fields.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/non_ecs_fields.ts
index 3970bbec68677..32ae758b20807 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/non_ecs_fields.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/non_ecs_fields.ts
@@ -271,8 +271,9 @@ export default ({ getService }: FtrProviderContext) => {
 const { errors } = await indexAndCreatePreviewAlert(document);
+ expect(errors[0]).toContain('Bulk Indexing of signals failed');
 expect(errors[0]).toContain(
- 'Bulk Indexing of signals failed: [1:1193] failed to parse field [client.geo.location] of type [geo_point]'
+ 'failed to parse field [client.geo.location] of type [geo_point]'
 );
 });
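Review bot: `expect(errors[0]).toContain(` indexes the array without first checking that it is non-empty, so if the preview produces no error at all the assertion fails on `undefined` with a generic matcher error instead of saying that no bulk-indexing error was returned; the same applies to the reworked assertions in the `[PATCH 2/2]` hunk of this file. Adding `expect(errors).not.toHaveLength(0);` (or `toHaveLength(1)` if exactly one error is expected) before the `toContain` checks makes the failure self-explanatory and documents the assumption that the first entry is the one of interest. The `it` callback these lines belong to starts outside the hunk.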
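Review bot: The added `expect(errors[0]).toContain('Bulk Indexing of signals failed');` plus the shortened message below it split one assertion into two, and the reason — the removed line shows a document position token (`[1:1193]`) sitting between the two fragments, which evidently varies — is visible only in the diff, not in the code. A comment such as `// ES prefixes the parse error with a document position ([line:col]) that varies, so match the two stable fragments separately` would keep the split from being collapsed back into one string later. The `it` callback containing these assertions starts outside the hunk.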