55 */
66import expect from '@kbn/expect/expect.js' ;
77import { FtrProviderContext } from '../../../ftr_provider_context' ;
8- import { AlertData } from '../../../../../plugins/security_solution/common/endpoint_alerts/types' ;
9- import { eventsIndexPattern } from '../../../../../plugins/security_solution/common/endpoint/constants' ;
108import {
119 deleteEventsStream ,
1210 deleteMetadataStream ,
@@ -26,46 +24,8 @@ const numberOfAlertsInFixture = numberOfHosts * numberOfAlertsPerHost;
2624 */
2725const defaultPageSize = 10 ;
2826
29- /**
30- * `NULLABLE_EVENT_FIELD` should be a field in the fixture that exists for some alerts,
31- * but not all.
32- *
33- * This allows us to test sorting and paging on mixed data that may or may not exist
34- * for each alert.
35- */
36- const NULLABLE_EVENT_FIELD = 'process.parent.entity_id' ;
37-
38- /**
39- * An Elasticsearch query to get the alert (or alerts) without `NULLABLE_EVENT_FIELD`.
40- */
41- const ES_QUERY_MISSING = {
42- query : {
43- bool : {
44- must : [
45- {
46- bool : {
47- must_not : {
48- exists : {
49- field : NULLABLE_EVENT_FIELD ,
50- } ,
51- } ,
52- } ,
53- } ,
54- {
55- term : {
56- 'event.kind' : {
57- value : 'alert' ,
58- } ,
59- } ,
60- } ,
61- ] ,
62- } ,
63- } ,
64- } ;
65-
6627export default function ( { getService } : FtrProviderContext ) {
6728 const supertest = getService ( 'supertest' ) ;
68- const es = getService ( 'legacyEs' ) ;
6929 const client = getService ( 'es' ) ;
7030 const nextPrevPrefixQuery = "query=(language:kuery,query:'')" ;
7131 const nextPrevPrefixDateRange = "date_range=(from:'2018-01-10T00:00:00.000Z',to:now)" ;
@@ -74,8 +34,6 @@ export default function ({ getService }: FtrProviderContext) {
7434 const nextPrevPrefixPageSize = 'page_size=10' ;
7535 const nextPrevPrefix = `${ nextPrevPrefixQuery } &${ nextPrevPrefixDateRange } &${ nextPrevPrefixSort } &${ nextPrevPrefixOrder } &${ nextPrevPrefixPageSize } ` ;
7636
77- let nullableEventId = '' ;
78-
7937 describe ( 'Endpoint alert API' , ( ) => {
8038 describe ( 'when data is in elasticsearch' , ( ) => {
8139 before ( async ( ) => {
@@ -89,12 +47,6 @@ export default function ({ getService }: FtrProviderContext) {
8947 'events-endpoint-1' ,
9048 numberOfAlertsPerHost
9149 ) ;
92-
93- const res = await es . search ( {
94- index : eventsIndexPattern ,
95- body : ES_QUERY_MISSING ,
96- } ) ;
97- nullableEventId = res . hits . hits [ 0 ] . _source . event . id ;
9850 } ) ;
9951
10052 after ( async ( ) => {
@@ -260,134 +212,6 @@ export default function ({ getService }: FtrProviderContext) {
260212 expect ( emptyBody . alerts . length ) . to . eql ( 0 ) ;
261213 } ) ;
262214
263- it ( 'alerts api should return data using `before` by custom sort parameter, descending' , async ( ) => {
264- const { body } = await supertest
265- . get (
266- `/api/endpoint/alerts?${ nextPrevPrefixDateRange } &${ nextPrevPrefixPageSize } &${ nextPrevPrefixOrder } &sort=process.name&before=malware%20writer&before=4d7afd81-26ec-47c0-9741-ae16d331f73d`
267- )
268- . set ( 'kbn-xsrf' , 'xxx' )
269- . expect ( 200 ) ;
270- let valid : boolean = true ;
271- ( body . alerts as AlertData [ ] ) . forEach ( ( alert ) => {
272- if ( alert . process ?. name > 'malware writer' ) {
273- valid = false ;
274- }
275- } ) ;
276- expect ( valid ) . to . eql ( true ) ;
277- } ) ;
278-
279- it ( 'alerts api should return data using `before` on undefined primary sort values by custom sort parameter, descending' , async ( ) => {
280- const { body } = await supertest
281- . get (
282- `/api/endpoint/alerts?${ nextPrevPrefixDateRange } &${ nextPrevPrefixPageSize } &order=desc&sort=${ NULLABLE_EVENT_FIELD } &before=&before=${ nullableEventId } &empty_string_is_undefined=true`
283- )
284- . set ( 'kbn-xsrf' , 'xxx' )
285- . expect ( 200 ) ;
286-
287- let lastSeen : string | undefined = 'zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz' ;
288- let valid : boolean = true ;
289-
290- for ( const alert of body . alerts ) {
291- const entityId = alert . process ?. parent ?. entity_id ;
292- if ( entityId === undefined && alert . event . id > nullableEventId ) {
293- valid = false ;
294- }
295- if ( entityId !== undefined && lastSeen !== undefined && entityId > lastSeen ) {
296- valid = false ;
297- } else {
298- lastSeen = entityId ;
299- }
300- }
301-
302- expect ( valid ) . to . eql ( true ) ;
303- } ) ;
304-
305- it ( 'alerts api should return data using `before` on undefined primary sort values by custom sort parameter, ascending' , async ( ) => {
306- const { body } = await supertest
307- . get (
308- `/api/endpoint/alerts?${ nextPrevPrefixDateRange } &page_size=25&order=asc&sort=${ NULLABLE_EVENT_FIELD } &before=&before=${ nullableEventId } &empty_string_is_undefined=true`
309- )
310- . set ( 'kbn-xsrf' , 'xxx' )
311- . expect ( 200 ) ;
312-
313- let lastSeen : string | undefined = '1' ;
314- let valid : boolean = true ;
315-
316- for ( const alert of body . alerts ) {
317- const entityId = alert . process ?. parent ?. entity_id ;
318- if ( entityId === undefined && alert . event . id < nullableEventId ) {
319- valid = false ;
320- }
321- if ( entityId !== undefined && lastSeen !== undefined && entityId < lastSeen ) {
322- valid = false ;
323- } else {
324- lastSeen = entityId ;
325- }
326- }
327- expect ( valid ) . to . eql ( true ) ;
328- } ) ;
329-
330- it ( 'should return data using `after` by custom sort parameter, descending' , async ( ) => {
331- const { body } = await supertest
332- . get (
333- `/api/endpoint/alerts?${ nextPrevPrefixDateRange } &${ nextPrevPrefixPageSize } &${ nextPrevPrefixOrder } &sort=process.pid&after=3&after=66008e21-2493-4b15-a937-939ea228064a`
334- )
335- . set ( 'kbn-xsrf' , 'xxx' )
336- . expect ( 200 ) ;
337- expect ( body . alerts . length ) . to . eql ( 10 ) ;
338- expect ( body . alerts [ 0 ] . process . pid ) . to . eql ( 2 ) ;
339- } ) ;
340-
341- it ( 'alerts api should return data using `after` on undefined primary sort values by custom sort parameter, descending' , async ( ) => {
342- const { body } = await supertest
343- . get (
344- `/api/endpoint/alerts?${ nextPrevPrefixDateRange } &${ nextPrevPrefixPageSize } &sort=${ NULLABLE_EVENT_FIELD } &order=desc&after=&after=${ nullableEventId } &empty_string_is_undefined=true`
345- )
346- . set ( 'kbn-xsrf' , 'xxx' )
347- . expect ( 200 ) ;
348-
349- let lastSeen : string | undefined = 'zzzzzzzzzzzzzzzzzzzzzzzzzzz' ;
350- let valid : boolean = true ;
351-
352- for ( const alert of body . alerts ) {
353- const entityId = alert . process ?. parent ?. entity_id ;
354- if ( entityId === undefined && alert . event . id < nullableEventId ) {
355- valid = false ;
356- }
357- if ( entityId !== undefined && lastSeen !== undefined && entityId > lastSeen ) {
358- valid = false ;
359- } else {
360- lastSeen = entityId ;
361- }
362- }
363- expect ( valid ) . to . eql ( true ) ;
364- } ) ;
365-
366- it ( 'alerts api should return data using `after` on undefined primary sort values by custom sort parameter, ascending' , async ( ) => {
367- const { body } = await supertest
368- . get (
369- `/api/endpoint/alerts?${ nextPrevPrefixDateRange } &${ nextPrevPrefixPageSize } &sort=${ NULLABLE_EVENT_FIELD } &order=asc&after=&after=${ nullableEventId } &empty_string_is_undefined=true`
370- )
371- . set ( 'kbn-xsrf' , 'xxx' )
372- . expect ( 200 ) ;
373-
374- let lastSeen : string | undefined = '1' ;
375- let valid : boolean = true ;
376-
377- for ( const alert of body . alerts ) {
378- const entityId = alert . process ?. parent ?. entity_id ;
379- if ( entityId === undefined && alert . event . id < nullableEventId ) {
380- valid = false ;
381- }
382- if ( entityId !== undefined && lastSeen !== undefined && entityId < lastSeen ) {
383- valid = false ;
384- } else {
385- lastSeen = entityId ;
386- }
387- }
388- expect ( valid ) . to . eql ( true ) ;
389- } ) ;
390-
391215 it ( 'should filter results of alert data using rison-encoded filters' , async ( ) => {
392216 const { body : firstBody } = await supertest
393217 . get ( '/api/endpoint/alerts?page_index=0' )