[Detection Engine][MKI] Audit alerts FTRs in prep for MKI #179211
Conversation
yctercero
added
release_note:skip
|
Pinging @elastic/security-detection-engine (Team:Detection Engine) |
| @@ -142,41 +136,13 @@ export default ({ getService }: FtrProviderContext) => { | |||
| await waitForAlertsToBePresent(supertest, log, 10, [id]); | |||
| const alertsOpen = await getAlertsByIds(supertest, log, [id]); | |||
| expect(alertsOpen.hits.hits.length).equal(10); | |||
| }); | |||
|
|
|||
| it('should be have set the alerts in an open state initially', async () => { | |||
There was a problem hiding this comment.
Duplicate. This was not testing anything that the test above it was doing.
| const everyAlertOpen = alertsOpen.hits.hits.every( | ||
| (hit) => hit._source?.[ALERT_WORKFLOW_STATUS] === 'open' | ||
| ); | ||
| expect(everyAlertOpen).to.eql(true); | ||
| }); | ||
|
|
||
| it('should be able to close alerts while logged in and populate workflow_user', async () => { |
There was a problem hiding this comment.
Moved to ESS specific folder due to the user we are using to test. Will need to match the test for serverless (see issues created and linked in description).
| @@ -262,75 +214,6 @@ export default ({ getService }: FtrProviderContext) => { | |||
| ); | |||
| expect(everyAlertWorkflowStatusUpdatedAtExists).to.eql(true); | |||
| }); | |||
| // This fails and should be investigated or removed if it no longer applies | |||
| it.skip('should be able to close alerts with t1 analyst user', async () => { | |||
There was a problem hiding this comment.
Was skipped because it was failing. Moved to ESS specific file and updated roles used for testing. Now unskipped. Need matching tests for prebuilt serverless roles (see issues I created to track in description).
| import { FtrProviderContext } from '../../../../../../ftr_provider_context'; | ||
|
|
||
| export default function ({ loadTestFile }: FtrProviderContext) { | ||
| describe('Alert status APIs', function () { |
There was a problem hiding this comment.
Changed language for test names from open_close_alert to change_status as we have more statuses than just open/close and added a test for the acknowledged status.
There was a problem hiding this comment.
That's a nice improvement, open_close_alert has never made much sense to me 👍
| @@ -74,7 +74,7 @@ export default ({ getService }: FtrProviderContext) => { | |||
| const esArchiver = getService('esArchiver'); | |||
| const security = getService('security'); | |||
|
|
|||
| describe('find alert with/without doc level security', () => { | |||
There was a problem hiding this comment.
This test has likely not been picked up as it did not have a tag. I think this test should apply to serverless as well.
@paulewing can you confirm my thinking that this is just a Platinum feature? If so we should test that it is blocked in lower tier.
| @@ -142,41 +136,13 @@ export default ({ getService }: FtrProviderContext) => { | |||
| await waitForAlertsToBePresent(supertest, log, 10, [id]); | |||
| const alertsOpen = await getAlertsByIds(supertest, log, [id]); | |||
| expect(alertsOpen.hits.hits.length).equal(10); | |||
| }); | |||
|
|
|||
| it('should be have set the alerts in an open state initially', async () => { | |||
| import { FtrProviderContext } from '../../../../../../ftr_provider_context'; | ||
|
|
||
| export default function ({ loadTestFile }: FtrProviderContext) { | ||
| describe('Alert status APIs', function () { |
There was a problem hiding this comment.
That's a nice improvement, open_close_alert has never made much sense to me 👍
|
|
||
| export default ({ getService }: FtrProviderContext) => { | ||
| const esArchiver = getService('esArchiver'); | ||
| const log = getService('log'); | ||
| const supertest = getService('supertest'); | ||
| const es = getService('es'); | ||
|
|
||
| describe('@ess Alerts Compatibility', function () { | ||
| describe('@ess alerts compatability with legacy siem signals index', function () { |
There was a problem hiding this comment.
nit:
| describe('@ess alerts compatability with legacy siem signals index', function () { | |
| describe('@ess alerts compatibility with legacy siem signals index', function () { |
| @@ -38,7 +38,7 @@ export default ({ getService }: FtrProviderContext) => { | |||
| await esArchiver.unload('x-pack/test/functional/es_archives/signals/index_alias_clash'); | |||
| }); | |||
|
|
|||
| // This fails and should be investigated or removed if it no longer applies | |||
| // Skipped: see https://github.com/elastic/kibana/issues/179208 | |||
| @@ -83,6 +84,10 @@ export default ({ getService }: FtrProviderContext): void => { | |||
|
|
|||
| afterEach(async () => { | |||
| await esArchiver.unload('x-pack/test/functional/es_archives/signals/outdated_signals_index'); | |||
| await deleteMigrations({ | |||
| @@ -190,7 +190,7 @@ export default ({ getService }: FtrProviderContext): void => { | |||
| }); | |||
|
|
|||
| // This fails and should be investigated or removed if it no longer applies | |||
| it.skip('deletes the underlying migration task', async () => { | |||
There was a problem hiding this comment.
This looked familiar: I wrote this test, and it's been skipped since it was originally introduced. I don't recall exactly why it was skipped, and it doesn't look like I left any clues for us 😢 .
However, I was surprised to see the build was green after unskipping this. It looks to be a false positive, as the actual assertions of this test are commented out below (and most obviously, no getMigration helper currently exists).
I would say: just keep this skipped for now, and (maybe) create a ticket to unskip it in the future.
| @@ -96,12 +104,16 @@ export default ({ getService }: FtrProviderContext) => { | |||
| describe('find_alerts_route', () => { | |||
| describe('validation checks', () => { | |||
| // This fails and should be investigated or removed if it no longer applies | |||
There was a problem hiding this comment.
| // This fails and should be investigated or removed if it no longer applies |
💚 Build Succeeded
Metrics [docs]
History
To update your PR or re-run it, just comment with: cc @yctercero |
Summary
Begins work on #169185 and #151877 .
Related to #151877 this PR:
/alertsfolder that do not require Platinum license into the basics folder. Tests in/alerts/trial_license_complete_tierfolder should now relate to functionality that requires the higher license tier.Related to #169185 this PR:
@skipInQAtagIssues to follow up on:
x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/ess_specific_index_logic/create_index.ts#179208Old structure
New structure