[Security Solution] Only apply field aliases to legacy .siem-signals indices #115290

Merged
merged 17 commits into from
Oct 29, 2021


@marshallmain marshallmain commented Oct 16, 2021

Summary

Closes #112600

Filtering Alerts as Data indices from legacy siem signals indices

This PR fixes an issue where the read and create index routes in the detection were treating the new alerts-as-data indices as legacy .siem-signals indices, since they both have .siem-signals as an index alias. This was causing problems because the backwards compatibility mappings intended for legacy .siem-signals indices are not compatible with the new alerts-as-data indices (the legacy compatibility mappings define kibana.alert.* fields as field aliases, so when added to alerts-as-data index mappings that define kibana.alert.* fields as real fields it causes a mapping conflict).

To fix this issue, we verify that the concrete index names we apply compatibility mappings to start with .siem-signals-<space id>-, ensuring that they are legacy indices. Alerts as data concrete index names start with .internal.alerts instead.

To verify that this issue is fixed, create an index that has .siem-signals-default as an alias, e.g.

PUT test-index-000001
{
  "aliases": {
    ".siem-signals-default": {
      "is_write_index": false
    }
  }
}

then visit the Detection Alerts page to trigger the calls to read_index_route and create_index_route. Prior to this PR, you would see the first call to read_index_route return that the signals index exists, but is outdated. Then a call to create_index_route would be made and fail because it attempts to add the backwards compatibility mappings to this test index, but the mappings are only valid for .siem-signals indices.

With this PR, the call to read_index_route in the above scenario correctly reports that the .siem-signals index doesn't exist. The call to create_index_route creates the .siem-signals index and does not attempt to apply the compatibility mappings to the test index that does not need them.

Improve performance of backwards compatibility mapping updates

This PR also improves the logic used to add field aliases to existing indices. Previously, the backwards compatibility mappings were added to all existing siem signals indices individually on every call to create_index_route, which is expensive and unnecessary. The new logic only adds the mappings to indices that have not already been updated, and also updates the mappings in batches of (up to) 20 to reduce the cost of round trip times to ES and other overhead of using many small requests. In local testing (both local ES and Kibana), this resulted in a 3x speedup with ~40 siem signals indices being updated. This speedup does not include any of the benefits from only updating the indices that need to be updated. The speedup should be greater in environments where ES and Kibana are running in separate environments and round trip times are higher.
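
The selection and batching logic the description above outlines, as an added example (not code from this PR or from Kibana). The function names, the `_meta.aliases_version` marker used to recognise already-updated indices, and the sample index list are assumptions made for illustration.

```typescript
// Added illustration; function names, the `_meta.aliases_version` marker and
// the sample data are assumptions, not Kibana's code.
interface IndexInfo {
  mappings: { _meta?: { aliases_version?: number } };
}
// Shape: concrete index name -> info, as returned when resolving an alias.
type ResolvedIndices = { [concreteName: string]: IndexInfo };

const BATCH_SIZE = 20; // the PR updates mappings in batches of up to 20
const CURRENT_ALIASES_VERSION = 1; // hypothetical "already updated" marker value

// Sharing the `.siem-signals-<space id>` alias is not enough: only concrete
// names starting with `.siem-signals-<space id>-` are legacy indices.
function isLegacySignalsIndex(concreteName: string, spaceId: string): boolean {
  return concreteName.indexOf(`.siem-signals-${spaceId}-`) === 0;
}

// Legacy indices that have not yet received the compatibility mappings.
function selectIndicesNeedingAliases(resolved: ResolvedIndices, spaceId: string): string[] {
  return Object.keys(resolved)
    .filter((name) => isLegacySignalsIndex(name, spaceId))
    .filter((name) => {
      const meta = resolved[name].mappings._meta;
      const version = meta && meta.aliases_version !== undefined ? meta.aliases_version : 0;
      return version < CURRENT_ALIASES_VERSION;
    })
    .sort();
}

function toBatches(items: string[], size: number = BATCH_SIZE): string[][] {
  const batches: string[][] = [];
  for (let i = 0; i < items.length; i += size) {
    batches.push(items.slice(i, i + size));
  }
  return batches;
}

// One comma-separated index target per mapping-update request.
function planMappingUpdates(resolved: ResolvedIndices, spaceId: string): string[] {
  return toBatches(selectIndicesNeedingAliases(resolved, spaceId)).map((b) => b.join(','));
}

// Constructed sample: every entry carries the `.siem-signals-default` alias.
function buildSample(): ResolvedIndices {
  const sample: ResolvedIndices = {
    'test-index-000001': { mappings: {} }, // the PR's verification index
    '.internal.alerts-security.alerts-default-000001': { mappings: {} }, // alerts-as-data
  };
  for (let i = 1; i <= 42; i++) {
    const name = '.siem-signals-default-' + ('000000' + i).slice(-6);
    // Index 000002 is marked as already updated and must be skipped.
    sample[name] = i === 2 ? { mappings: { _meta: { aliases_version: 1 } } } : { mappings: {} };
  }
  return sample;
}
```

With the constructed sample, 41 legacy indices are selected and sent in three requests (20, 20 and 1), while the test index and the alerts-as-data index are never touched.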

@marshallmain marshallmain added v8.0.0 release_note:skip Skip the PR/issue when compiling release notes Team:Detections and Resp Security Detection Response Team auto-backport Deprecated - use backport:version if exact versions are needed v7.16.0 Team:Detection Alerts Security Detection Alerts Area Team labels Oct 16, 2021
@marshallmain

@elasticmachine merge upstream

@@ -170,7 +200,7 @@ const addFieldAliasesToIndices = async ({
// index: string;
// aadIndexAliasName: string;
// }) => {
// const { body: indices } = await esClient.indices.getAlias({ name: index });
// const { body: indices } = await esClient.indices.getAlias({ index: `${index}-*`, name: index });
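Review bot: the narrowed `getAlias` query here lives only inside commented-out code, so nothing compiles or tests it. Either delete the dead block and restore it from history when it is needed, or add a TODO beside it stating that the lookup must stay limited to concrete names matching `${index}-*`, so the restriction is not lost when the function is re-enabled.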

When we do use this code again (most likely for 8.0, so very soon) we'll want to limit this query the same way the getBootstrapIndexExists check is limited.

@@ -41,7 +41,10 @@ export const readIndexRoute = (router: SecuritySolutionPluginRouter, config: Con
const { ruleRegistryEnabled } = parseExperimentalConfigValue(config.enableExperimental);

const index = siemClient.getSignalsIndex();
const indexExists = await getIndexExists(esClient, index);
const indexExists = await getBootstrapIndexExists(
context.core.elasticsearch.client.asInternalUser,
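Review bot: at the `getBootstrapIndexExists(` call, `context.core.elasticsearch.client.asInternalUser` takes the place of `esClient` with no comment in the visible lines saying why internal-user access is acceptable here. Add a short code comment at the call site recording the reasoning, and confirm the route exposes nothing from this call beyond the existence result, since the check now runs as the Kibana internal user rather than through `esClient`.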

getBootstrapIndexExists requires either view_index_metadata or manage privileges for the concrete backing indices, which is not technically a required permission for detection engine users. To avoid potential permissions issues the internal user is used here, with the theory being that any user who has the Kibana application privilege to use this Security Solution API at all is authorized to know if the .siem-signals index exists - so this isn't a data leakage.

@marshallmain marshallmain marked this pull request as ready for review October 19, 2021 04:19
@marshallmain marshallmain requested a review from a team as a code owner October 19, 2021 04:19
@elasticmachine

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@marshallmain marshallmain requested a review from a team October 19, 2021 04:19
@marshallmain

@elasticmachine merge upstream

@marshallmain

@elasticmachine merge upstream

@kibanamachine

kibanamachine commented Oct 20, 2021

💔 Build Failed

Failed CI Steps


Test Failures

Kibana Pipeline / general / X-Pack API Integration Tests.x-pack/test/api_integration/apis/security_solution/network_dns·ts.apis SecuritySolution Endpoints Network DNS With packetbeat Make sure that we get Dns data and sorting by uniqueDomains ascending

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has failed 2 times on tracked branches: https://github.com/elastic/kibana/issues/109447

[00:00:00]     │
[00:00:00]       └-: apis
[00:00:00]         └-> "before all" hook in "apis"
[00:08:12]         └-: SecuritySolution Endpoints
[00:08:12]           └-> "before all" hook in "SecuritySolution Endpoints"
[00:08:45]           └-: Network DNS
[00:08:45]             └-> "before all" hook in "Network DNS"
[00:08:45]             └-: With packetbeat
[00:08:45]               └-> "before all" hook for "Make sure that we get Dns data and sorting by uniqueDomains ascending"
[00:08:45]               └-> "before all" hook for "Make sure that we get Dns data and sorting by uniqueDomains ascending"
[00:08:45]                 │ info [x-pack/test/functional/es_archives/packetbeat/dns] Loading "mappings.json"
[00:08:45]                 │ info [x-pack/test/functional/es_archives/packetbeat/dns] Loading "data.json.gz"
[00:08:45]                 │ info [o.e.c.m.MetadataCreateIndexService] [node-01] [packetbeat-7.0.0-iot-2019.11] creating index, cause [api], templates [], shards [3]/[1]
[00:08:45]                 │ info [x-pack/test/functional/es_archives/packetbeat/dns] Created index "packetbeat-7.0.0-iot-2019.11"
[00:08:45]                 │ info [o.e.c.m.MetadataMappingService] [node-01] [packetbeat-7.0.0-iot-2019.11/BX-oX3CZRnixRJFu6IdS-w] update_mapping [_doc]
[00:08:47]                 │ info [x-pack/test/functional/es_archives/packetbeat/dns] Indexed 5700 docs into "packetbeat-7.0.0-iot-2019.11"
[00:08:47]               └-> Make sure that we get Dns data and sorting by uniqueDomains ascending
[00:08:47]                 └-> "before each" hook: global before each for "Make sure that we get Dns data and sorting by uniqueDomains ascending"
[00:08:47]                 └- ✖ fail: apis SecuritySolution Endpoints Network DNS With packetbeat Make sure that we get Dns data and sorting by uniqueDomains ascending
[00:08:47]                 │      Error: expected 0 to equal 10
[00:08:47]                 │       at Assertion.assert (/dev/shm/workspace/parallel/18/kibana/node_modules/@kbn/expect/expect.js:100:11)
[00:08:47]                 │       at Assertion.be.Assertion.equal (/dev/shm/workspace/parallel/18/kibana/node_modules/@kbn/expect/expect.js:227:8)
[00:08:47]                 │       at Assertion.be (/dev/shm/workspace/parallel/18/kibana/node_modules/@kbn/expect/expect.js:69:22)
[00:08:47]                 │       at Context.<anonymous> (test/api_integration/apis/security_solution/network_dns.ts:52:44)
[00:08:47]                 │       at runMicrotasks (<anonymous>)
[00:08:47]                 │       at processTicksAndRejections (node:internal/process/task_queues:96:5)
[00:08:47]                 │       at Object.apply (/dev/shm/workspace/parallel/18/kibana/node_modules/@kbn/test/target_node/functional_test_runner/lib/mocha/wrap_function.js:87:16)
[00:08:47]                 │ 
[00:08:47]                 │ 


Kibana Pipeline / general / displays the data provider action menu when Enter is pressed.timeline data providers displays the data provider action menu when Enter is pressed

Link to Jenkins

Stack Trace

Failed Tests Reporter:
  - Test has not failed recently on tracked branches

CypressError: Timed out retrying after 60050ms: `cy.click()` failed because this element is `disabled`:

`<button class="euiButton euiButton--primary euiButton--fill euiButton-isDisabled edit-data-provider-save" disabled="" type="button" data-test-subj="save">...</button>`

Fix this problem, or use `{force: true}` to disable error checking.

https://on.cypress.io/element-cannot-be-interacted-with
    at $Cy.ensureNotDisabled (http://elastic:changeme@localhost:6121/__cypress/runner/cypress_runner.js:160481:85)
    at runAllChecks (http://elastic:changeme@localhost:6121/__cypress/runner/cypress_runner.js:147820:14)
    at retryActionability (http://elastic:changeme@localhost:6121/__cypress/runner/cypress_runner.js:147894:16)
    at tryCatcher (http://elastic:changeme@localhost:6121/__cypress/runner/cypress_runner.js:13212:23)
    at Function.Promise.attempt.Promise.try (http://elastic:changeme@localhost:6121/__cypress/runner/cypress_runner.js:10486:29)
    at tryFn (http://elastic:changeme@localhost:6121/__cypress/runner/cypress_runner.js:165329:61)
    at whenStable (http://elastic:changeme@localhost:6121/__cypress/runner/cypress_runner.js:165368:14)
    at http://elastic:changeme@localhost:6121/__cypress/runner/cypress_runner.js:164855:18
    at tryCatcher (http://elastic:changeme@localhost:6121/__cypress/runner/cypress_runner.js:13212:23)
    at Promise._settlePromiseFromHandler (http://elastic:changeme@localhost:6121/__cypress/runner/cypress_runner.js:11147:31)
    at Promise._settlePromise (http://elastic:changeme@localhost:6121/__cypress/runner/cypress_runner.js:11204:18)
    at Promise._settlePromise0 (http://elastic:changeme@localhost:6121/__cypress/runner/cypress_runner.js:11249:10)
    at Promise._settlePromises (http://elastic:changeme@localhost:6121/__cypress/runner/cypress_runner.js:11329:18)
    at Promise._fulfill (http://elastic:changeme@localhost:6121/__cypress/runner/cypress_runner.js:11273:18)
    at http://elastic:changeme@localhost:6121/__cypress/runner/cypress_runner.js:12887:46
From Your Spec Code:
    at Object.addDataProvider (http://localhost:6121/__cypress/tests?p=cypress/integration/timelines/data_providers.spec.ts:16703:54)
    at Context.eval (http://localhost:6121/__cypress/tests?p=cypress/integration/timelines/data_providers.spec.ts:15559:20)

Metrics [docs]

Unknown metric groups

API count

id before after diff
@kbn/securitysolution-es-utils 54 57 +3

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@marshallmain

@elasticmachine merge upstream

@marshallmain

@elasticmachine merge upstream

@kibanamachine

💚 Build Succeeded

Metrics [docs]

Unknown metric groups

API count

id before after diff
@kbn/securitysolution-es-utils 54 57 +3

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@madirey

madirey commented Oct 28, 2021

Reviewed and tested locally / received expected results.

@marshallmain marshallmain removed the auto-backport Deprecated - use backport:version if exact versions are needed label Oct 29, 2021
@marshallmain marshallmain merged commit a68f3ff into elastic:main Oct 29, 2021
marshallmain added a commit to marshallmain/kibana that referenced this pull request Oct 29, 2021
…indices (elastic#115290)

* Only apply field aliases to legacy .siem-signals indices

* Fix unit test mocks

* Add new function for special index existence check

* Actually add new function for special index existence check

* Undo getIndexVersion change

* Add basic integration tests for field alias logic

* Add back create_index to test list

* Add missing markdown to readme

* Revert change to delete_index_route

Co-authored-by: Kibana Machine <[email protected]>
marshallmain added a commit to marshallmain/kibana that referenced this pull request Oct 29, 2021
…indices (elastic#115290)

* Only apply field aliases to legacy .siem-signals indices

* Fix unit test mocks

* Add new function for special index existence check

* Actually add new function for special index existence check

* Undo getIndexVersion change

* Add basic integration tests for field alias logic

* Add back create_index to test list

* Add missing markdown to readme

* Revert change to delete_index_route

Co-authored-by: Kibana Machine <[email protected]>
# Conflicts:
#	x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts
#	x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/read_index_route.ts
#	x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_index.ts
marshallmain added a commit that referenced this pull request Oct 30, 2021
…indices (#115290) (#116838)

* Only apply field aliases to legacy .siem-signals indices

* Fix unit test mocks

* Add new function for special index existence check

* Actually add new function for special index existence check

* Undo getIndexVersion change

* Add basic integration tests for field alias logic

* Add back create_index to test list

* Add missing markdown to readme

* Revert change to delete_index_route

Co-authored-by: Kibana Machine <[email protected]>

Co-authored-by: Kibana Machine <[email protected]>
marshallmain added a commit that referenced this pull request Oct 30, 2021
…ignals indices (#115290) (#116841)

* [Security Solution] Only apply field aliases to legacy .siem-signals indices (#115290)

* Only apply field aliases to legacy .siem-signals indices

* Fix unit test mocks

* Add new function for special index existence check

* Actually add new function for special index existence check

* Undo getIndexVersion change

* Add basic integration tests for field alias logic

* Add back create_index to test list

* Add missing markdown to readme

* Revert change to delete_index_route

Co-authored-by: Kibana Machine <[email protected]>
# Conflicts:
#	x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts
#	x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/read_index_route.ts
#	x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_index.ts

* Remove extra esClient definition

* Adjust for old ES client

Co-authored-by: Kibana Machine <[email protected]>
vitaliidm added a commit that referenced this pull request Jun 25, 2024
…oes not exist" FTR test (#186789)

## Summary

- addresses #179208 by removing
skipped test

I tracked skipped test to this PR:
#115290

Test was added already skipped
https://github.com/elastic/kibana/pull/115290/files#diff-16cebcbaef99c1aab50640a5bee66351bcbfd7575361d97eee4d2ca6753f5a27R38-R41

In the tested route itself, when index does not exist, it returns 200:
https://github.com/elastic/kibana/pull/115290/files#diff-a4e27aaa05560a7737e153e53fe4bdaf839056180347c338e8d0842ab39f1240R79-R84

So, test from the very beginning was not testing valid use case.

After talking to PR author @marshallmain , we agreed to remove that test
Labels
release_note:skip Skip the PR/issue when compiling release notes Team:Detection Alerts Security Detection Alerts Area Team Team:Detections and Resp Security Detection Response Team v7.16.0 v8.0.0 v8.1.0
Successfully merging this pull request may close these issues.

[Security Solution] Field aliases intended for .siem-signals are applied to RAC indices as well
4 participants