[9.1] [Detection Engine] Unskip some flaky tests, add better failure messages (elastic#230318) (elastic#231523)

# Backport

This will backport the following commits from `main` to `9.1`:
- [[Detection Engine] Unskip some flaky tests, add better failure
messages (elastic#230318)](elastic#230318)

<!--- Backport version: 10.0.1 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Ryland
Herrick","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-08-11T16:40:18Z","message":"[Detection
Engine] Unskip some flaky tests, add better failure messages
(elastic#230318)\n\n## Summary\n\nWhile the tests affected by this PR are
varied, the changes contained\nhere fall under one of two
categories:\n\n1. Unskipping flaky tests\n2. Adding better test
assertions (in order to produce more actionable\nfailures later)\n\n###
Related Issues\n* Closes elastic#224699\n* Closes elastic#224780\n* Closes elastic#220943\n*
Closes elastic#202940\n* Closes elastic#202945\n\n\n### Checklist\n\n- [x] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common
scenarios","sha":"0a3e7bb41a92b25ca6ae25bef76e53ef634d244b","branchLabelMapping":{"^v9.2.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","backport
missing","Team:Detection
Engine","backport:version","v9.2.0","v9.1.1","v8.19.1"],"title":"[Detection
Engine] Unskip some flaky tests, add better failure
messages","number":230318,"url":"https://github.com/elastic/kibana/pull/230318","mergeCommit":{"message":"[Detection
Engine] Unskip some flaky tests, add better failure messages
(elastic#230318)\n\n## Summary\n\nWhile the tests affected by this PR are
varied, the changes contained\nhere fall under one of two
categories:\n\n1. Unskipping flaky tests\n2. Adding better test
assertions (in order to produce more actionable\nfailures later)\n\n###
Related Issues\n* Closes elastic#224699\n* Closes elastic#224780\n* Closes elastic#220943\n*
Closes elastic#202940\n* Closes elastic#202945\n\n\n### Checklist\n\n- [x] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common
scenarios","sha":"0a3e7bb41a92b25ca6ae25bef76e53ef634d244b"}},"sourceBranch":"main","suggestedTargetBranches":["9.1","8.19"],"targetPullRequestStates":[{"branch":"main","label":"v9.2.0","branchLabelMappingKey":"^v9.2.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/230318","number":230318,"mergeCommit":{"message":"[Detection
Engine] Unskip some flaky tests, add better failure messages
(elastic#230318)\n\n## Summary\n\nWhile the tests affected by this PR are
varied, the changes contained\nhere fall under one of two
categories:\n\n1. Unskipping flaky tests\n2. Adding better test
assertions (in order to produce more actionable\nfailures later)\n\n###
Related Issues\n* Closes elastic#224699\n* Closes elastic#224780\n* Closes elastic#220943\n*
Closes elastic#202940\n* Closes elastic#202945\n\n\n### Checklist\n\n- [x] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common
scenarios","sha":"0a3e7bb41a92b25ca6ae25bef76e53ef634d244b"}},{"branch":"9.1","label":"v9.1.1","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.19","label":"v8.19.1","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Author: rylnd

x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/rule_exceptions_execution.ts

@@ -122,7 +122,7 @@ export default ({ getService }: FtrProviderContext) => {
         await waitForRuleSuccess({ supertest, log, id: createdId });
         await waitForAlertsToBePresent(supertest, log, 10, [createdId]);
         const alertsOpen = await getAlertsByIds(supertest, log, [createdId]);
-        expect(alertsOpen.hits.hits.length).toEqual(10);
+        expect(alertsOpen.hits.hits).toHaveLength(10);
       });
 
       it('should be able to execute against an exception list that does include valid entries and get back 0 alerts', async () => {
@@ -149,7 +149,7 @@ export default ({ getService }: FtrProviderContext) => {
           ],
         ]);
         const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule);
-        expect(alertsOpen.hits.hits.length).toEqual(0);
+        expect(alertsOpen.hits.hits).toHaveLength(0);
       });
 
       it('should be able to execute against an exception list that does include valid case sensitive entries and get back 0 alerts', async () => {
@@ -201,10 +201,10 @@ export default ({ getService }: FtrProviderContext) => {
         const alertsOpen2 = await getOpenAlerts(supertest, log, es, createdRule2);
         // Expect alerts here because all values are "Ubuntu"
         // and exception is one of ["ubuntu"]
-        expect(alertsOpen.hits.hits.length).toEqual(10);
+        expect(alertsOpen.hits.hits).toHaveLength(10);
         // Expect no alerts here because all values are "Ubuntu"
         // and exception is one of ["ubuntu", "Ubuntu"]
-        expect(alertsOpen2.hits.hits.length).toEqual(0);
+        expect(alertsOpen2.hits.hits).toHaveLength(0);
       });
 
       it('generates no alerts when an exception is added for an EQL rule', async () => {
@@ -223,7 +223,7 @@ export default ({ getService }: FtrProviderContext) => {
           ],
         ]);
         const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule);
-        expect(alertsOpen.hits.hits.length).toEqual(0);
+        expect(alertsOpen.hits.hits).toHaveLength(0);
       });
 
       it('generates no alerts when an exception is added for a threshold rule', async () => {
@@ -245,7 +245,7 @@ export default ({ getService }: FtrProviderContext) => {
           ],
         ]);
         const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule);
-        expect(alertsOpen.hits.hits.length).toEqual(0);
+        expect(alertsOpen.hits.hits).toHaveLength(0);
       });
 
       it('generates no alerts when an exception is added for a threat match rule', async () => {
@@ -288,8 +288,9 @@ export default ({ getService }: FtrProviderContext) => {
           ],
         ]);
         const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule);
-        expect(alertsOpen.hits.hits.length).toEqual(0);
+        expect(alertsOpen.hits.hits).toHaveLength(0);
       });
+
       describe('rules with value list exceptions', () => {
         beforeEach(async () => {
           await createListsIndex(supertest, log);
@@ -328,7 +329,7 @@ export default ({ getService }: FtrProviderContext) => {
             ],
           ]);
           const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule);
-          expect(alertsOpen.hits.hits.length).toEqual(0);
+          expect(alertsOpen.hits.hits).toHaveLength(0);
         });
 
         it('generates no alerts when a value list exception is added for a threat match rule', async () => {
@@ -376,7 +377,7 @@ export default ({ getService }: FtrProviderContext) => {
             ],
           ]);
           const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule);
-          expect(alertsOpen.hits.hits.length).toEqual(0);
+          expect(alertsOpen.hits.hits).toHaveLength(0);
         });
 
         it('generates no alerts when a value list exception is added for a threshold rule', async () => {
@@ -413,7 +414,7 @@ export default ({ getService }: FtrProviderContext) => {
             ],
           ]);
           const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule);
-          expect(alertsOpen.hits.hits.length).toEqual(0);
+          expect(alertsOpen.hits.hits).toHaveLength(0);
         });
 
         it('generates no alerts when a value list exception is added for an EQL rule', async () => {
@@ -438,8 +439,9 @@ export default ({ getService }: FtrProviderContext) => {
             ],
           ]);
           const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule);
-          expect(alertsOpen.hits.hits.length).toEqual(0);
+          expect(alertsOpen.hits.hits).toHaveLength(0);
         });
+
         it('should Not allow deleting value list when there are references and ignoreReferences is false', async () => {
           const valueListId = 'value-list-id.txt';
           await importFile(supertest, log, 'keyword', ['suricata-sensor-amsterdam'], valueListId);

x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/eql/trial_license_complete_tier/eql.ts

@@ -82,8 +82,7 @@ export default ({ getService }: FtrProviderContext) => {
   const auditPath = dataPathBuilder.getPath('auditbeat/hosts');
   const packetBeatPath = dataPathBuilder.getPath('packetbeat/default');
 
-  // FLAKY: https://github.com/elastic/kibana/issues/220943
-  describe.skip('@ess @serverless @serverlessQA EQL type rules', () => {
+  describe('@ess @serverless @serverlessQA EQL type rules', () => {
     const { indexListOfDocuments } = dataGeneratorFactory({
       es,
       index: 'ecs_compliant',
@@ -120,7 +119,7 @@ export default ({ getService }: FtrProviderContext) => {
       };
       const createdRule = await createRule(supertest, log, rule);
       const alerts = await getAlerts(supertest, log, es, createdRule);
-      kbnExpect(alerts.hits.hits.length).eql(1);
+      expect(alerts.hits.hits).toHaveLength(1);
       const fullAlert = alerts.hits.hits[0]._source;
       if (!fullAlert) {
         return kbnExpect(fullAlert).to.be.ok();
@@ -289,7 +288,7 @@ export default ({ getService }: FtrProviderContext) => {
       };
       const { previewId } = await previewRule({ supertest, rule });
       const previewAlerts = await getPreviewAlerts({ es, previewId, size: maxAlerts * 2 });
-      kbnExpect(previewAlerts.length).eql(maxAlerts);
+      expect(previewAlerts).toHaveLength(maxAlerts);
     });
 
     it('generates max alerts warning when circuit breaker is hit', async () => {
@@ -308,7 +307,7 @@ export default ({ getService }: FtrProviderContext) => {
       };
       const { previewId } = await previewRule({ supertest, rule });
       const previewAlerts = await getPreviewAlerts({ es, previewId });
-      kbnExpect(previewAlerts.length).eql(1);
+      expect(previewAlerts).toHaveLength(1);
       const fullAlert = previewAlerts[0]._source;
       if (!fullAlert) {
         return kbnExpect(fullAlert).to.be.ok();
@@ -378,7 +377,7 @@ export default ({ getService }: FtrProviderContext) => {
       };
       const { previewId } = await previewRule({ supertest, rule });
       const previewAlerts = await getPreviewAlerts({ es, previewId });
-      kbnExpect(previewAlerts.length).eql(3);
+      expect(previewAlerts).toHaveLength(3);
 
       const createdAtHits = previewAlerts.map((hit) => hit._source?.created_at).sort();
       kbnExpect(createdAtHits).to.eql([1622676785, 1622676790, 1622676795]);
@@ -392,7 +391,7 @@ export default ({ getService }: FtrProviderContext) => {
       };
       const { previewId } = await previewRule({ supertest, rule });
       const previewAlerts = await getPreviewAlerts({ es, previewId });
-      kbnExpect(previewAlerts.length).eql(3);
+      expect(previewAlerts).toHaveLength(3);
 
       const createdAtHits = previewAlerts.map((hit) => hit._source?.locale);
       kbnExpect(createdAtHits).to.eql(['es', 'pt', 'ua']);
@@ -672,7 +671,7 @@ export default ({ getService }: FtrProviderContext) => {
 
       const previewAlerts = await getPreviewAlerts({ es, previewId, sort: ['agent.name'] });
 
-      kbnExpect(previewAlerts).to.have.length(3);
+      expect(previewAlerts).toHaveLength(3);
 
       const buildingBlockAlerts = previewAlerts.filter(
         (alert) => alert._source?.['kibana.alert.building_block_type']
@@ -716,11 +715,11 @@ export default ({ getService }: FtrProviderContext) => {
       // For EQL rules, max_alerts is the maximum number of detected sequences: each sequence has a building block
       // alert for each event in the sequence, so max_alerts=200 results in 400 building blocks in addition to
       // 200 regular alerts
-      kbnExpect(previewAlerts.length).eql(maxAlerts * 3);
+      expect(previewAlerts).toHaveLength(maxAlerts * 3);
       const shellAlerts = previewAlerts.filter((alert) => alert._source?.[ALERT_DEPTH] === 2);
       const buildingBlocks = previewAlerts.filter((alert) => alert._source?.[ALERT_DEPTH] === 1);
-      kbnExpect(shellAlerts.length).eql(maxAlerts);
-      kbnExpect(buildingBlocks.length).eql(maxAlerts * 2);
+      expect(shellAlerts).toHaveLength(maxAlerts);
+      expect(buildingBlocks).toHaveLength(maxAlerts * 2);
     });
 
     it('generates alerts when an index name contains special characters to encode', async () => {
@@ -730,7 +729,7 @@ export default ({ getService }: FtrProviderContext) => {
       };
       const { previewId } = await previewRule({ supertest, rule });
       const previewAlerts = await getPreviewAlerts({ es, previewId });
-      kbnExpect(previewAlerts.length).eql(1);
+      expect(previewAlerts).toHaveLength(1);
     });
 
     it('uses the provided filters', async () => {
@@ -776,7 +775,7 @@ export default ({ getService }: FtrProviderContext) => {
       };
       const { previewId } = await previewRule({ supertest, rule });
       const previewAlerts = await getPreviewAlerts({ es, previewId });
-      kbnExpect(previewAlerts.length).eql(2);
+      expect(previewAlerts).toHaveLength(2);
     });
 
     describe('with host risk index', () => {
@@ -795,7 +794,7 @@ export default ({ getService }: FtrProviderContext) => {
         };
         const { previewId } = await previewRule({ supertest, rule });
         const previewAlerts = await getPreviewAlerts({ es, previewId });
-        kbnExpect(previewAlerts.length).eql(1);
+        expect(previewAlerts).toHaveLength(1);
         const fullAlert = previewAlerts[0]._source;
         if (!fullAlert) {
           return kbnExpect(fullAlert).to.be.ok();
@@ -850,7 +849,7 @@ export default ({ getService }: FtrProviderContext) => {
         kbnExpect(_log.warnings).to.eql([expectedWarning]);
 
         const previewAlerts = await getPreviewAlerts({ es, previewId });
-        kbnExpect(previewAlerts.length).to.be.greaterThan(0);
+        expect(previewAlerts).not.toHaveLength(0);
       });
 
       it('specifying only timestamp_override results in alert creation with an kbnExpect.expected warning', async () => {
@@ -868,7 +867,7 @@ export default ({ getService }: FtrProviderContext) => {
         kbnExpect(_log.warnings).to.eql([expectedWarning]);
 
         const previewAlerts = await getPreviewAlerts({ es, previewId });
-        kbnExpect(previewAlerts.length).to.be.greaterThan(0);
+        expect(previewAlerts).not.toHaveLength(0);
       });
 
       it('specifying both timestamp_override and timestamp_field results in alert creation with an kbnExpect.expected warning', async () => {
@@ -887,7 +886,7 @@ export default ({ getService }: FtrProviderContext) => {
         kbnExpect(_log.warnings).to.eql([expectedWarning]);
 
         const previewAlerts = await getPreviewAlerts({ es, previewId });
-        kbnExpect(previewAlerts.length).to.be.greaterThan(0);
+        expect(previewAlerts).not.toHaveLength(0);
       });
     });
 
@@ -959,7 +958,7 @@ export default ({ getService }: FtrProviderContext) => {
         kbnExpect(_log.warnings).to.be.empty();
         const previewAlerts = await getPreviewAlerts({ es, previewId });
 
-        kbnExpect(previewAlerts).to.have.length(3);
+        expect(previewAlerts).toHaveLength(3);
       });
     });
 
@@ -1034,7 +1033,7 @@ export default ({ getService }: FtrProviderContext) => {
 
         const createdRule = await createRule(supertest, log, rule);
         const alerts = await getAlerts(supertest, log, es, createdRule);
-        kbnExpect(alerts.hits.hits.length).equal(3);
+        expect(alerts.hits.hits).toHaveLength(3);
         kbnExpect(alerts.hits.hits[0]?._source?.[ALERT_RULE_EXECUTION_TYPE]).equal('scheduled');
 
         const backfill = await scheduleRuleRun(supertest, [createdRule.id], {
@@ -1044,7 +1043,7 @@ export default ({ getService }: FtrProviderContext) => {
 
         await waitForBackfillExecuted(backfill, [createdRule.id], { supertest, log });
         const allNewAlerts = await getAlerts(supertest, log, es, createdRule);
-        kbnExpect(allNewAlerts.hits.hits.length).equal(6);
+        expect(allNewAlerts.hits.hits).toHaveLength(6);
         kbnExpect(allNewAlerts.hits.hits[5]?._source?.[ALERT_RULE_EXECUTION_TYPE]).equal('manual');
 
         const secondBackfill = await scheduleRuleRun(supertest, [createdRule.id], {
@@ -1054,7 +1053,7 @@ export default ({ getService }: FtrProviderContext) => {
 
         await waitForBackfillExecuted(secondBackfill, [createdRule.id], { supertest, log });
         const allNewAlertsAfter2ManualRuns = await getAlerts(supertest, log, es, createdRule);
-        kbnExpect(allNewAlertsAfter2ManualRuns.hits.hits.length).equal(6);
+        expect(allNewAlertsAfter2ManualRuns.hits.hits).toHaveLength(6);
       });
 
       it('does not alert if the manual run overlaps with a previous scheduled rule execution', async () => {
@@ -1093,7 +1092,7 @@ export default ({ getService }: FtrProviderContext) => {
         const createdRule = await createRule(supertest, log, rule);
         const alerts = await getAlerts(supertest, log, es, createdRule);
 
-        kbnExpect(alerts.hits.hits.length).equal(3);
+        expect(alerts.hits.hits).toHaveLength(3);
 
         const backfill = await scheduleRuleRun(supertest, [createdRule.id], {
           startDate: moment(firstTimestamp).subtract(5, 'm'),
@@ -1102,7 +1101,7 @@ export default ({ getService }: FtrProviderContext) => {
 
         await waitForBackfillExecuted(backfill, [createdRule.id], { supertest, log });
         const allNewAlerts = await getAlerts(supertest, log, es, createdRule);
-        kbnExpect(allNewAlerts.hits.hits.length).equal(3);
+        expect(allNewAlerts.hits.hits).toHaveLength(3);
       });
 
       it('supression per rule execution should work for manual rule runs', async () => {
@@ -1146,7 +1145,7 @@ export default ({ getService }: FtrProviderContext) => {
         const createdRule = await createRule(supertest, log, rule);
         const alerts = await getAlerts(supertest, log, es, createdRule);
 
-        kbnExpect(alerts.hits.hits.length).equal(0);
+        expect(alerts.hits.hits).toHaveLength(0);
 
         const backfill = await scheduleRuleRun(supertest, [createdRule.id], {
           startDate: moment(firstTimestamp).subtract(5, 'm'),
@@ -1155,7 +1154,7 @@ export default ({ getService }: FtrProviderContext) => {
 
         await waitForBackfillExecuted(backfill, [createdRule.id], { supertest, log });
         const allNewAlerts = await getAlerts(supertest, log, es, createdRule);
-        kbnExpect(allNewAlerts.hits.hits.length).equal(1);
+        expect(allNewAlerts.hits.hits).toHaveLength(1);
 
         kbnExpect(allNewAlerts.hits.hits[0]._source?.[ALERT_SUPPRESSION_DOCS_COUNT]).equal(2);
       });
@@ -1191,7 +1190,7 @@ export default ({ getService }: FtrProviderContext) => {
         const createdRule = await createRule(supertest, log, rule);
         const alerts = await getAlerts(supertest, log, es, createdRule);
 
-        kbnExpect(alerts.hits.hits.length).equal(0);
+        expect(alerts.hits.hits).toHaveLength(0);
 
         // generate alert in the past
         const backfill = await scheduleRuleRun(supertest, [createdRule.id], {
@@ -1200,7 +1199,7 @@ export default ({ getService }: FtrProviderContext) => {
         });
         await waitForBackfillExecuted(backfill, [createdRule.id], { supertest, log });
         const allNewAlerts = await getAlerts(supertest, log, es, createdRule);
-        kbnExpect(allNewAlerts.hits.hits.length).equal(1);
+        expect(allNewAlerts.hits.hits).toHaveLength(1);
 
         // now we will ingest new event, and manual rule run should update original alert
         const secondDocument = {
@@ -1220,9 +1219,9 @@ export default ({ getService }: FtrProviderContext) => {
 
         await waitForBackfillExecuted(secondBackfill, [createdRule.id], { supertest, log });
         const updatedAlerts = await getAlerts(supertest, log, es, createdRule);
-        kbnExpect(updatedAlerts.hits.hits.length).equal(1);
+        expect(updatedAlerts.hits.hits).toHaveLength(1);
 
-        kbnExpect(updatedAlerts.hits.hits.length).equal(1);
+        expect(updatedAlerts.hits.hits).toHaveLength(1);
 
         kbnExpect(updatedAlerts.hits.hits[0]._source?.[ALERT_SUPPRESSION_DOCS_COUNT]).equal(1);
       });
@@ -1247,7 +1246,7 @@ export default ({ getService }: FtrProviderContext) => {
 
         const requests = logs[0].requests;
 
-        kbnExpect(requests).to.have.length(1);
+        expect(requests).toHaveLength(1);
         kbnExpect(requests![0].description).to.be('EQL request to find all matches');
         kbnExpect(requests![0].request).to.contain(
           'POST /auditbeat-*/_eql/search?allow_no_indices=true'