From 527c2e917af7663b36b7786a8bfc8e1d664e5787 Mon Sep 17 00:00:00 2001
From: Ievgen Sorokopud
Date: Wed, 19 Jul 2023 15:28:19 +0200
Subject: [PATCH] Failing ES Promotion: FTR Configs #22 / detection engine api security and spaces enabled - rule execution logic Non ECS fields in alert document source should fail creating alert when ECS field mapping is geo_point (#154277)
---
 .../rule_execution_logic/non_ecs_fields.ts | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/non_ecs_fields.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/non_ecs_fields.ts
index 1065538ec09c8b..3970bbec686775 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/non_ecs_fields.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/non_ecs_fields.ts
@@ -57,7 +57,7 @@ export default ({ getService }: FtrProviderContext) => {
 };
 // FAILING ES PROMOTION: https://github.com/elastic/kibana/issues/154277
- describe.skip('Non ECS fields in alert document source', () => {
+ describe('Non ECS fields in alert document source', () => {
 before(async () => {
 await esArchiver.load(
 'x-pack/test/functional/es_archives/security_solution/ecs_non_compliant'
@@ -232,7 +232,7 @@ export default ({ getService }: FtrProviderContext) => {
 // invalid ECS field is getting removed
 expect(alertSource).toHaveProperty('threat.enrichments', []);
- expect(alertSource).toHaveProperty('threat.indicator.port', 443);
+ expect(alertSource).toHaveProperty(['threat', 'indicator.port'], 443);
 });
 // source client.bytes is text, ECS mapping for client.bytes is long
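Review bot: The `// FAILING ES PROMOTION: https://github.com/elastic/kibana/issues/154277` comment sits directly above the re-enabled `describe(...)` and is now stale — the `describe.skip` it explained is gone, so a reader will assume the suite is still disabled or still failing. Either drop the comment in the same change, or reword it so it states what it now refers to, e.g. `// Re-enabled; https://github.com/elastic/kibana/issues/154277 tracks the ES promotion failure this suite previously hit.` The enclosing `export default` arrow function starts before this hunk.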
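Review bot: `toHaveProperty(['threat', 'indicator.port'], 443)` asserts a literal key named `indicator.port` under `threat`, which is a different document shape from the nested `threat.indicator.port` the removed string path asserted, and nothing in the hunk says why the shape changed. The existing `// invalid ECS field is getting removed` comment covers the `threat.enrichments` line only, so the next maintainer is likely to "fix" the path array back to a dotted string. Presumably the alert source keeps the non-ECS value as a single dotted key rather than expanding it; if so, add a comment above the assertion such as `// 'indicator.port' survives as one dotted key, not a nested object, so use a path array`. The enclosing `it(...)` block begins before this hunk.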
@@ -271,8 +271,8 @@ export default ({ getService }: FtrProviderContext) => {
 const { errors } = await indexAndCreatePreviewAlert(document);
- expect(errors).toContain(
- 'Bulk Indexing of signals failed: failed to parse field [client.geo.location] of type [geo_point]'
+ expect(errors[0]).toContain(
+ 'Bulk Indexing of signals failed: [1:1193] failed to parse field [client.geo.location] of type [geo_point]'
 );
 });
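Review bot: Hard-coding `[1:1193]` in the expected error ties this assertion to the exact byte offset at which Elasticsearch hit the bad `client.geo.location` value in the serialized alert document, so any added, removed or reordered alert field will shift the offset and fail the test with no change to the behavior under test — the same kind of fragility that got the suite skipped in the first place. `errors[0]` also silently assumes exactly one error and a stable ordering. What the test actually needs to pin is that the non-ECS geo_point value is rejected at bulk-index time rather than indexed as an alert, so match the stable part of the message and make the count explicit: `expect(errors).toHaveLength(1);` followed by `expect(errors[0]).toMatch(/Bulk Indexing of signals failed: (\[\d+:\d+\] )?failed to parse field \[client\.geo\.location\] of type \[geo_point\]/);`. The enclosing `it(...)` block starts before this hunk.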