[Security Solution][Detection Engine] tests

elastic · Mar 3, 2025 · 1e9c1e4 · 1e9c1e4
1 parent 2c7f2f8
commit 1e9c1e4
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 5 deletions.
diff --git a/...s_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql.ts b/...s_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql.ts
@@ -407,6 +407,7 @@ export default ({ getService }: FtrProviderContext) => {
             expect.arrayContaining(['part-0', 'part-1', 'test-1'])
           );
         });
+
         it('should generate alert per expanded row when expanded field renamed', async () => {
           const id = uuidv4();
           const interval: [string, string] = [
@@ -443,6 +444,9 @@ export default ({ getService }: FtrProviderContext) => {
 
           expect(previewAlerts.length).toBe(3);
         });
+
+        //  When expanded field dropped, ES|QL response rows will be identical.
+        //  In this case, identical duplicated alerts won't be created
         it('should NOT generate alert per expanded row when expanded field dropped', async () => {
           const id = uuidv4();
           const interval: [string, string] = [
@@ -479,7 +483,8 @@ export default ({ getService }: FtrProviderContext) => {
 
           expect(previewAlerts.length).toBe(2);
         });
-        it('should generate alert per expanded row when mv_expand multiple used', async () => {
+
+        it('should generate alert per expanded row when mv_expand used multiple times', async () => {
           const id = uuidv4();
           const interval: [string, string] = [
             '2020-10-28T06:00:00.000Z',
@@ -525,6 +530,7 @@ export default ({ getService }: FtrProviderContext) => {
             expect.arrayContaining([undefined, 'host-0', 'host-1', 'host-2', 'host-3'])
           );
         });
+
         it('should deduplicate alerts generated from expanded rows', async () => {
           const id = uuidv4();
           // document will fall into 2 rule execution windows
@@ -558,6 +564,7 @@ export default ({ getService }: FtrProviderContext) => {
 
           expect(previewAlerts.length).toBe(2);
         });
+
         it('should deduplicate alerts generated form expanded rows when expanded field renamed', async () => {
           const id = uuidv4();
           // document will fall into 2 rule execution windows
@@ -594,7 +601,7 @@ export default ({ getService }: FtrProviderContext) => {
           expect(previewAlerts.length).toBe(2);
         });
 
-        it('should deduplicate alerts from expanded rows when expanded field dropped', async () => {
+        it('should deduplicate alert when expanded field dropped', async () => {
           const id = uuidv4();
           // document will fall into 2 rule execution windows
           const doc1 = {

diff --git a/...etection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql_suppression.ts b/...etection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql_suppression.ts
@@ -2142,6 +2142,7 @@ export default ({ getService }: FtrProviderContext) => {
         expect(previewAlerts.length).toBe(1);
         expect(previewAlerts[0]._source).toHaveProperty([ALERT_SUPPRESSION_DOCS_COUNT], 2);
       });
+
       it('should suppress alerts generated from expanded rows when expanded field renamed', async () => {
         const id = uuidv4();
         const interval: [string, string] = ['2020-10-28T06:00:00.000Z', '2020-10-28T06:10:00.000Z'];
@@ -2181,7 +2182,7 @@ export default ({ getService }: FtrProviderContext) => {
         expect(previewAlerts[0]._source).toHaveProperty([ALERT_SUPPRESSION_DOCS_COUNT], 2);
       });
 
-      it('should NOT generate alert per expanded row when expanded field dropped', async () => {
+      it('should NOT generate alerts per expanded row when expanded field dropped', async () => {
         const id = uuidv4();
         const interval: [string, string] = ['2020-10-28T06:00:00.000Z', '2020-10-28T06:10:00.000Z'];
         const documents = [
@@ -2220,7 +2221,7 @@ export default ({ getService }: FtrProviderContext) => {
         expect(previewAlerts[0]._source).toHaveProperty([ALERT_SUPPRESSION_DOCS_COUNT], 1);
       });
 
-      it('should suppress on interval alerts, created from expanded rows', async () => {
+      it('should suppress alerts from expanded rows on interval', async () => {
         const id = uuidv4();
         const doc1 = {
           id,
@@ -2268,7 +2269,8 @@ export default ({ getService }: FtrProviderContext) => {
         expect(previewAlerts.length).toBe(1);
         expect(previewAlerts[0]._source).toHaveProperty([ALERT_SUPPRESSION_DOCS_COUNT], 3);
       });
-      it('should suppress on interval alerts, created from expanded rows when expanded field renamed', async () => {
+
+      it('should suppress alerts on interval when expanded field renamed', async () => {
         const id = uuidv4();
         const doc1 = {
           id,