From c2ab9f77fe88be3dc8019e970d001802b6f6134c Mon Sep 17 00:00:00 2001 From: Ievgen Sorokopud Date: Thu, 20 Jul 2023 11:22:42 +0200 Subject: [PATCH] Failing ES Promotion: FTR Configs #22 / detection engine api security and spaces enabled - rule execution logic Non ECS fields in alert document source should fail creating alert when ECS field mapping is geo_point (#162247) ## Summary Failing tests ticket: https://github.com/elastic/kibana/issues/154277 This PR fixes the non ECS fields in alert document source failing tests. There are two failing tests: 1. `should remove source array of keywords field from alert if ECS field mapping is nested` was filing due to wrong key path format passed to jest's `toHaveProperty`. When the field name has dot notation we should be using array format as a key path. See discussion [here](https://github.com/jestjs/jest/issues/5653) and usage examples [here](https://github.com/jestjs/jest/blob/main/docs/ExpectAPI.md#tohavepropertykeypath-value). 2. `should fail creating alert when ECS field mapping is geo_point` was failing due to changed error message format.
--- .../rule_execution_logic/non_ecs_fields.ts | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/non_ecs_fields.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/non_ecs_fields.ts
index 1065538ec09c8bc..32ae758b2080791 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/non_ecs_fields.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/non_ecs_fields.ts 
@@ -57,7 +57,7 @@ export default ({ getService }: FtrProviderContext) => {
   };
 
   // FAILING ES PROMOTION: https://github.com/elastic/kibana/issues/154277
-  describe.skip('Non ECS fields in alert document source', () => {
+  describe('Non ECS fields in alert document source', () => {
     before(async () => {
       await esArchiver.load(
         'x-pack/test/functional/es_archives/security_solution/ecs_non_compliant'
@@ -232,7 +232,7 @@ export default ({ getService }: FtrProviderContext) => {
 
       // invalid ECS field is getting removed
       expect(alertSource).toHaveProperty('threat.enrichments', []);
-      expect(alertSource).toHaveProperty('threat.indicator.port', 443);
+      expect(alertSource).toHaveProperty(['threat', 'indicator.port'], 443);
     });
 
     // source client.bytes is text, ECS mapping for client.bytes is long
@@ -271,8 +271,9 @@ export default ({ getService }: FtrProviderContext) => {
       const { errors } = await indexAndCreatePreviewAlert(document);
 
-      expect(errors).toContain(
-        'Bulk Indexing of signals failed: failed to parse field [client.geo.location] of type [geo_point]'
+      expect(errors[0]).toContain('Bulk Indexing of signals failed');
+      expect(errors[0]).toContain(
+        'failed to parse field [client.geo.location] of type [geo_point]'
       );
     });
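Review bot: The `// FAILING ES PROMOTION: https://github.com/elastic/kibana/issues/154277` comment directly above the `describe` is kept on the new side while the `.skip` it explained is removed, so the file now labels a re-enabled suite as a failing one. Either drop that comment line together with the `.skip`, or reword it so it records history rather than current state, e.g. `// Re-enabled in #162247 after fixing the key-path and error-message assertions (previously skipped for https://github.com/elastic/kibana/issues/154277)`. The body of the `describe` continues past the end of this hunk.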
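Review bot: The array key path on the added `expect` line in the second hunk deserves a comment, because `['threat', 'indicator.port']` asserts that `indicator.port` appears to survive as one literal dotted key under `threat` rather than as a nested `threat.indicator.port` object, and a future reader is likely to "simplify" it back to the string form the removed line used and reintroduce the failure this commit fixes. Suggested line above the assertion: `// 'indicator.port' is a literal dotted key in the source document; the array key path keeps jest from splitting it into threat.indicator.port`. The enclosing `it` callback starts before this hunk.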