[Detection Engine] Fix and unskip Machine Learning rule execution tes…

…ts (#181918) ## Summary These tests were skipped previously due to `es_archiver` [failing](#171426) on a mapping error, but upon unskipping it was discovered that there were a few mistakes in these tests, as they had been modified while skipped. There are three main changes here: * Fixes an incorrect assertion related to error classification * Fixes an incorrect assertion related to asset criticality enrichment * Adds additional `afterEach` hooks for housekeeping of generated data Closes #171426
elastic · Apr 29, 2024 · bf1d711 · bf1d711
1 parent a452d36
commit bf1d711
Showing 1 changed file with 16 additions and 7 deletions.
diff --git a/...gine/rule_execution_logic/trial_license_complete_tier/execution_logic/machine_learning.ts b/...gine/rule_execution_logic/trial_license_complete_tier/execution_logic/machine_learning.ts
@@ -86,8 +86,7 @@ export default ({ getService }: FtrProviderContext) => {
     rule_id: 'ml-rule-id',
   };
 
-  // FLAKY: https://github.com/elastic/kibana/issues/171426
-  describe.skip('@ess @serverless @serverlessQA Machine learning type rules', () => {
+  describe('@ess @serverless @serverlessQA Machine learning type rules', () => {
     before(async () => {
       // Order is critical here: auditbeat data must be loaded before attempting to start the ML job,
       // as the job looks for certain indices on start
@@ -96,13 +95,19 @@ export default ({ getService }: FtrProviderContext) => {
       await forceStartDatafeeds({ jobId: mlJobId, rspCode: 200, supertest });
       await esArchiver.load('x-pack/test/functional/es_archives/security_solution/anomalies');
     });
+
     after(async () => {
       await esArchiver.unload(auditPath);
       await esArchiver.unload('x-pack/test/functional/es_archives/security_solution/anomalies');
       await deleteAllAlerts(supertest, log, es);
       await deleteAllRules(supertest, log);
     });
 
+    afterEach(async () => {
+      await deleteAllAlerts(supertest, log, es);
+      await deleteAllRules(supertest, log);
+    });
+
     // First test creates a real rule - remaining tests use preview API
     it('should create 1 alert from ML rule when record meets anomaly_threshold', async () => {
       const createdRule = await createRule(supertest, log, rule);
@@ -211,7 +216,9 @@ export default ({ getService }: FtrProviderContext) => {
         (metrics) =>
           metrics.metrics?.task_run?.value.by_type['alerting:siem__mlRule'].user_errors === 1
       );
-      expect(metricsResponse.metrics?.task_run?.value.by_type['alerting:siem__mlRule']).toEqual(1);
+      expect(metricsResponse.metrics?.task_run?.value.by_type['alerting:siem__mlRule']).toEqual(
+        expect.objectContaining({ user_errors: 1 })
+      );
     });
 
     it('@skipInServerlessMKI generates max alerts warning when circuit breaker is exceeded', async () => {
@@ -335,11 +342,13 @@ export default ({ getService }: FtrProviderContext) => {
       it('should be enriched alert with criticality_level', async () => {
         const { previewId } = await previewRule({ supertest, rule });
         const previewAlerts = await getPreviewAlerts({ es, previewId });
-        expect(previewAlerts.length).toBe(1);
-        const fullAlert = previewAlerts[0]._source;
 
-        expect(fullAlert?.['host.asset.criticality']).toBe('medium_impact');
-        expect(fullAlert?.['user.asset.criticality']).toBe('extreme_impact');
+        expect(previewAlerts).toHaveLength(1);
+        expect(previewAlerts[0]._source).toEqual(
+          expect.objectContaining({
+            'user.asset.criticality': 'extreme_impact',
+          })
+        );
       });
     });
   });