Add order-dependent integration test

I realized in the course of changing implementation that, because all of the existing tests have the _same_ risk score value for all alerts, the ordering/aggregation of them doesn't really matter. This test does not have that robustness, and so if it fails, it means we changed our sorting/summing logic.
2025-04-24 17:59:23 -04:00 · 2023-03-28 22:43:12 -05:00 · 2023-03-28 22:43:12 -05:00 · 153a16a411
commit 153a16a411
parent 573f82f046
1 changed files with 40 additions and 0 deletions
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/risk_engine.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/risk_engine.ts
@ -53,11 +53,13 @@ export default ({ getService }: FtrProviderContext): void => {
    riskScore = 21,
    maxSignals = 100,
    query,
+    riskScoreOverride,
  }: {
    alerts?: number;
    riskScore?: number;
    maxSignals?: number;
    query: string;
+    riskScoreOverride?: string;
  }): Promise<void> => {
    const rule = getRuleForSignalTesting(['ecs_compliant']);
    const { id } = await createRule(supertest, log, {
@ -65,6 +67,13 @@ export default ({ getService }: FtrProviderContext): void => {
      risk_score: riskScore,
      query,
      max_signals: maxSignals,
+      ...(riskScoreOverride
+        ? {
+            risk_score_mapping: [
+              { field: riskScoreOverride, operator: 'equals', value: '', risk_score: undefined },
+            ],
+          }
+        : {}),
    });
    await waitForRuleSuccessOrStatus(supertest, log, id);
    await waitForSignalsToBePresent(supertest, log, alerts, [id]);
@ -168,6 +177,7 @@ export default ({ getService }: FtrProviderContext): void => {
            },
          ]);
        });
+
        it('risk scores calculated for 2 alert with different host names', async () => {
          const documentId = uuidv4();
          await indexListOfDocuments([
@ -313,6 +323,36 @@ export default ({ getService }: FtrProviderContext): void => {
        });
      });

+      describe('risk score ordering', () => {
+        it('aggregates multiple scores such that the highest-risk scores contribute the majority of the score', async () => {
+          const documentId = uuidv4();
+          const doc = buildDocument({ host: { name: 'host-1' } }, documentId);
+          await indexListOfDocuments(
+            Array(100)
+              .fill(doc)
+              .map((_doc, i) => ({ ...doc, 'event.risk_score': 100 - i }))
+          );
+
+          await createAndSyncRuleAndAlerts({
+            query: `id: ${documentId}`,
+            alerts: 100,
+            riskScore: 100,
+            riskScoreOverride: 'event.risk_score',
+          });
+          const { scores } = await getRiskScores({ body: {} });
+
+          expect(removeFields(scores)).to.eql([
+            {
+              calculatedLevel: 'High',
+              calculatedScore: 225.1106801442913,
+              calculatedScoreNorm: 86.18326192354185,
+              identifierField: 'host.name',
+              identifierValue: 'host-1',
+            },
+          ]);
+        });
+      });
+
      context('with global risk weights', () => {
        it('weights host scores differently when host risk weight is configured', async () => {
          const documentId = uuidv4();