From bf7ef58fa1cfc3c2f0ac12a5f8d8a9db5e3fa2cb Mon Sep 17 00:00:00 2001 From: wafaanasr Date: Tue, 7 Nov 2023 17:09:36 +0100 Subject: [PATCH 01/23] add keyword family --- .buildkite/ftr_configs.yml | 4 +- .../package.json | 7 +- .../configs/ess.config.ts | 22 +++ .../configs/serverless.config.ts | 14 ++ .../rule_execution_logic/index.ts | 13 ++ .../keyword_family/README.md | 11 ++ .../keyword_family/const_keyword.ts | 152 ++++++++++++++++ .../keyword_family/index.ts | 16 ++ .../keyword_family/keyword.ts | 126 +++++++++++++ .../keyword_mixed_with_const.ts | 165 ++++++++++++++++++ 10 files changed, 528 insertions(+), 2 deletions(-) create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/configs/ess.config.ts create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/configs/serverless.config.ts create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/index.ts create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/keyword_family/README.md create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/keyword_family/const_keyword.ts create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/keyword_family/index.ts create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/keyword_family/keyword.ts create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/keyword_family/keyword_mixed_with_const.ts 
diff --git a/.buildkite/ftr_configs.yml b/.buildkite/ftr_configs.yml index c5028cd30ea29..3ae519c4a3efd 100644 --- a/.buildkite/ftr_configs.yml +++ b/.buildkite/ftr_configs.yml @@ -462,7 +462,9 @@ enabled: - x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/actions/configs/ess.config.ts - x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/alerts/configs/serverless.config.ts - x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/alerts/configs/ess.config.ts - + - x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/configs/serverless.config.ts + - x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/configs/ess.config.ts + diff --git a/x-pack/test/security_solution_api_integration/package.json b/x-pack/test/security_solution_api_integration/package.json index 24696f0c00bf0..90f16d39d7852 100644 --- a/x-pack/test/security_solution_api_integration/package.json +++ b/x-pack/test/security_solution_api_integration/package.json 
@@ -41,6 +41,11 @@
 "alerts:runner:serverless": "npm run run-tests:dr:default alerts serverless serverlessEnv",
 "alerts:qa:serverless": "npm run run-tests:dr:default alerts serverless qaEnv",
 "alerts:server:ess": "npm run initialize-server:dr:default alerts ess",
- "alerts:runner:ess": "npm run run-tests:dr:default alerts ess essEnv"
+ "alerts:runner:ess": "npm run run-tests:dr:default alerts ess essEnv",
+ "rule_execution_login:server:serverless": "npm run initialize-server:dr:default rule_execution_logic serverless",
+ "rule_execution_login:runner:serverless": "npm run run-tests:dr:default rule_execution_logic serverless serverlessEnv",
+ "rule_execution_login:qa:serverless": "npm run run-tests:dr:default rule_execution_logic serverless qaEnv",
+ "rule_execution_login:server:ess": "npm run initialize-server:dr:default rule_execution_logic ess",
+ "rule_execution_login:runner:ess": "npm run run-tests:dr:default rule_execution_logic ess essEnv"
 }
 }
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/configs/ess.config.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/configs/ess.config.ts
new file mode 100644
index 0000000000000..bbf6c6c0e3f7b
--- /dev/null
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/configs/ess.config.ts
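Review bot: The five added script keys are spelled `rule_execution_login:*`, while the directory they target and the argument they forward to the runner are `rule_execution_logic`, so anyone following the `<suite>:server|runner|qa:<env>` naming of the neighbouring `alerts:*` entries will not find them. Rename the keys to match, e.g. `"rule_execution_logic:server:serverless": "npm run initialize-server:dr:default rule_execution_logic serverless",` and the other four the same way. The enclosing `scripts` object starts outside the hunk.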
@@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrConfigProviderContext } from '@kbn/test';
+
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+ const functionalConfig = await readConfigFile(
+ require.resolve('../../../../../config/ess/config.base.trial')
+ );
+
+ return {
+ ...functionalConfig.getAll(),
+ testFiles: [require.resolve('..')],
+ junit: {
+ reportName: 'Detection Engine API Integration Tests - ESS - Rule Execution Logic',
+ },
+ };
+}
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/configs/serverless.config.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/configs/serverless.config.ts
new file mode 100644
index 0000000000000..d1bf65c7dd7a5
--- /dev/null
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/configs/serverless.config.ts
@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { createTestConfig } from '../../../../../config/serverless/config.base';
+
+export default createTestConfig({
+ testFiles: [require.resolve('..')],
+ junit: {
+ reportName: 'Detection Engine API Integration Tests - Serverless - Rule Execution Logic',
+ },
+});
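Review bot: Both new config files use a default export without the `// eslint-disable-next-line import/no-default-export` directive that the `group5/config.ts` deleted later in this series carried; if the `security_solution_api_integration` package does not already switch that rule off for its config files, lint will fail on these two — confirm against the package's ESLint overrides before leaving it out. If the directive is needed, add it on the line before `export default async function ({ readConfigFile }: FtrConfigProviderContext) {` and before `export default createTestConfig({`.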
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/index.ts
new file mode 100644
index 0000000000000..f4356b6cd5678
--- /dev/null
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/index.ts
@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { FtrProviderContext } from '../../../../../../../../pr-kibana/kibana/x-pack/test/security_solution_api_integration/ftr_provider_context';
+
+export default function ({ loadTestFile }: FtrProviderContext) {
+ describe('Rule execution logic API', function () {
+ loadTestFile(require.resolve('./keyword_family'));
+ });
+}
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/keyword_family/README.md b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/keyword_family/README.md
new file mode 100644
index 0000000000000..ab7f2ec862b0d
--- /dev/null
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/keyword_family/README.md
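Review bot: The `FtrProviderContext` import in the new `rule_execution_logic/index.ts` resolves through `../../../../../../../../pr-kibana/kibana/...`, a path that climbs out of the repository root into a local checkout directory, so it only resolves on the machine where the file was written and will fail in CI and for every other developer. The sibling suite files (`const_keyword.ts`, `keyword.ts`) import the same type relative to the package root; from this file the equivalent is `import { FtrProviderContext } from '../../../../ftr_provider_context';`. The `keyword_family/index.ts` hunk later in this patch has the same machine-local path and, being one directory deeper, should use `'../../../../../ftr_provider_context'` exactly as its neighbours do.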
@@ -0,0 +1,11 @@
+These are tests for the [keyword](https://www.elastic.co/guide/en/elasticsearch/reference/7.12/keyword.html) family where we test
+* keyword
+* const keyword
+* alias fields against each one
+
+Against mock rules which contain the ECS values of:
+* event.module
+* even.dataset
+
+This is to ensure that if you have field aliases we will still correctly have detections occur. This also ensures that if you have
+`keyword` mixed with `const keyword` across multiple indexes we will still have detections occur.
\ No newline at end of file
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/keyword_family/const_keyword.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/keyword_family/const_keyword.ts
new file mode 100644
index 0000000000000..0e3d01dc1ca22
--- /dev/null
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/keyword_family/const_keyword.ts
@@ -0,0 +1,152 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import expect from '@kbn/expect'; +import { + EqlRuleCreateProps, + ThresholdRuleCreateProps, +} from '@kbn/security-solution-plugin/common/api/detection_engine'; +import { ALERT_THRESHOLD_RESULT } from '@kbn/security-solution-plugin/common/field_maps/field_names'; + +import { + createRule, + createAlertsIndex, + deleteAllRules, + deleteAllAlerts, + getEqlRuleForAlertTesting, + getRuleForAlertTesting, + getAlertsById, + getThresholdRuleForAlertTesting, + waitForRuleSuccess, + waitForAlertsToBePresent, +} from '../../../utils'; +import { FtrProviderContext } from '../../../../../ftr_provider_context'; + +export default ({ getService }: FtrProviderContext) => { + const supertest = getService('supertest'); + const esArchiver = getService('esArchiver'); + const log = getService('log'); + const es = getService('es'); + + describe('@ess @serverless Rule detects against a keyword of event.dataset', () => { + before(async () => { + await esArchiver.load('x-pack/test/functional/es_archives/rule_keyword_family/const_keyword'); + }); + + after(async () => { + await esArchiver.unload( + 'x-pack/test/functional/es_archives/rule_keyword_family/const_keyword' + ); + }); + + beforeEach(async () => { + await createAlertsIndex(supertest, log); + }); + + afterEach(async () => { + await deleteAllAlerts(supertest, log, es); + await deleteAllRules(supertest, log); + }); + + describe('"kql" rule type', () => { + it('should detect the "dataset_name_1" from "event.dataset" and have 4 alerts', async () => { + const rule = { + ...getRuleForAlertTesting(['const_keyword']), + query: 'event.dataset: "dataset_name_1"', + }; + const { id } = await createRule(supertest, log, rule); + await waitForRuleSuccess({ supertest, 
log, id }); + await waitForAlertsToBePresent(supertest, log, 4, [id]); + const alertsOpen = await getAlertsById(supertest, log, id); + expect(alertsOpen.hits.hits.length).to.eql(4); + }); + + it('should copy the dataset_name_1 from the index into the alert', async () => { + const rule = { + ...getRuleForAlertTesting(['const_keyword']), + query: 'event.dataset: "dataset_name_1"', + }; + const { id } = await createRule(supertest, log, rule); + await waitForRuleSuccess({ supertest, log, id }); + await waitForAlertsToBePresent(supertest, log, 4, [id]); + const alertsOpen = await getAlertsById(supertest, log, id); + const hits = alertsOpen.hits.hits.map((hit) => hit._source?.['event.dataset']).sort(); + expect(hits).to.eql([ + 'dataset_name_1', + 'dataset_name_1', + 'dataset_name_1', + 'dataset_name_1', + ]); + }); + }); + + describe('"eql" rule type', () => { + it('should detect the "dataset_name_1" from "event.dataset" and have 4 alerts', async () => { + const rule: EqlRuleCreateProps = { + ...getEqlRuleForAlertTesting(['const_keyword']), + query: 'any where event.dataset=="dataset_name_1"', + }; + + const { id } = await createRule(supertest, log, rule); + await waitForRuleSuccess({ supertest, log, id }); + await waitForAlertsToBePresent(supertest, log, 4, [id]); + const alertsOpen = await getAlertsById(supertest, log, id); + expect(alertsOpen.hits.hits.length).to.eql(4); + }); + + it('should copy the "dataset_name_1" from "event.dataset"', async () => { + const rule: EqlRuleCreateProps = { + ...getEqlRuleForAlertTesting(['const_keyword']), + query: 'any where event.dataset=="dataset_name_1"', + }; + + const { id } = await createRule(supertest, log, rule); + await waitForRuleSuccess({ supertest, log, id }); + await waitForAlertsToBePresent(supertest, log, 4, [id]); + const alertsOpen = await getAlertsById(supertest, log, id); + const hits = alertsOpen.hits.hits.map((hit) => hit._source?.['event.dataset']).sort(); + expect(hits).to.eql([ + 'dataset_name_1', + 
'dataset_name_1', + 'dataset_name_1', + 'dataset_name_1', + ]); + }); + }); + + describe('"threshold" rule type', async () => { + it('should detect the "dataset_name_1" from "event.dataset"', async () => { + const rule: ThresholdRuleCreateProps = { + ...getThresholdRuleForAlertTesting(['const_keyword']), + threshold: { + field: 'event.dataset', + value: 1, + }, + }; + const { id } = await createRule(supertest, log, rule); + await waitForRuleSuccess({ supertest, log, id }); + await waitForAlertsToBePresent(supertest, log, 1, [id]); + const alertsOpen = await getAlertsById(supertest, log, id); + const hits = alertsOpen.hits.hits + .map((hit) => hit._source?.[ALERT_THRESHOLD_RESULT] ?? null) + .sort(); + expect(hits).to.eql([ + { + count: 4, + from: '2020-10-27T05:00:53.000Z', + terms: [ + { + field: 'event.dataset', + value: 'dataset_name_1', + }, + ], + }, + ]); + }); + }); + }); +}; diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/keyword_family/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/keyword_family/index.ts new file mode 100644 index 0000000000000..fa1cd825751d0 --- /dev/null +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/keyword_family/index.ts 
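Review bot: `describe('"threshold" rule type', async () => {` marks the suite callback `async` although it only registers an `it` and awaits nothing; mocha does not await a `describe` callback, so the modifier is misleading and should be dropped: `describe('"threshold" rule type', () => {`. The same `async` describe appears in the `keyword.ts` and `keyword_mixed_with_const.ts` hunks of this patch. The two `"kql"` rule objects in this file are also left untyped where `keyword.ts` annotates the identical construction as `QueryRuleCreateProps`; adding the annotation (imported from the same `detection_engine` module as `EqlRuleCreateProps`) keeps the spread checked against the create-props contract instead of whatever the helper happens to return.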
@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrProviderContext } from '../../../../../../../../../pr-kibana/kibana/x-pack/test/security_solution_api_integration/ftr_provider_context';
+
+export default ({ loadTestFile }: FtrProviderContext): void => {
+ describe('Detection keyword family data types', function () {
+ loadTestFile(require.resolve('./keyword'));
+ loadTestFile(require.resolve('./const_keyword'));
+ loadTestFile(require.resolve('./keyword_mixed_with_const'));
+ });
+};
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/keyword_family/keyword.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/keyword_family/keyword.ts
new file mode 100644
index 0000000000000..5a4dbf0929425
--- /dev/null
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/keyword_family/keyword.ts
@@ -0,0 +1,126 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import expect from '@kbn/expect'; + +import { + EqlRuleCreateProps, + QueryRuleCreateProps, + ThresholdRuleCreateProps, +} from '@kbn/security-solution-plugin/common/api/detection_engine'; +import { ALERT_THRESHOLD_RESULT } from '@kbn/security-solution-plugin/common/field_maps/field_names'; +import { + createRule, + createAlertsIndex, + deleteAllRules, + deleteAllAlerts, + getEqlRuleForAlertTesting, + getRuleForAlertTesting, + getAlertsById, + getThresholdRuleForAlertTesting, + waitForRuleSuccess, + waitForAlertsToBePresent, +} from '../../../utils'; +import { FtrProviderContext } from '../../../../../ftr_provider_context'; + +export default ({ getService }: FtrProviderContext) => { + const supertest = getService('supertest'); + const esArchiver = getService('esArchiver'); + const log = getService('log'); + const es = getService('es'); + + describe('Rule detects against a keyword of event.dataset', () => { + before(async () => { + await esArchiver.load('x-pack/test/functional/es_archives/rule_keyword_family/keyword'); + }); + + after(async () => { + await esArchiver.unload('x-pack/test/functional/es_archives/rule_keyword_family/keyword'); + }); + + beforeEach(async () => { + await createAlertsIndex(supertest, log); + }); + + afterEach(async () => { + await deleteAllAlerts(supertest, log, es); + await deleteAllRules(supertest, log); + }); + + describe('@ess @serverless "kql" rule type', () => { + it('should detect the "dataset_name_1" from "event.dataset"', async () => { + const rule: QueryRuleCreateProps = { + ...getRuleForAlertTesting(['keyword']), + query: 'event.dataset: "dataset_name_1"', + }; + const { id } = await createRule(supertest, log, rule); + await waitForRuleSuccess({ 
supertest, log, id }); + await waitForAlertsToBePresent(supertest, log, 4, [id]); + const alertsOpen = await getAlertsById(supertest, log, id); + const hits = alertsOpen.hits.hits.map((hit) => hit._source?.['event.dataset']).sort(); + expect(hits).to.eql([ + 'dataset_name_1', + 'dataset_name_1', + 'dataset_name_1', + 'dataset_name_1', + ]); + }); + }); + + describe('"eql" rule type', () => { + it('should detect the "dataset_name_1" from "event.dataset"', async () => { + const rule: EqlRuleCreateProps = { + ...getEqlRuleForAlertTesting(['keyword']), + query: 'any where event.dataset=="dataset_name_1"', + }; + + const { id } = await createRule(supertest, log, rule); + await waitForRuleSuccess({ supertest, log, id }); + await waitForAlertsToBePresent(supertest, log, 4, [id]); + const alertsOpen = await getAlertsById(supertest, log, id); + const hits = alertsOpen.hits.hits.map((hit) => hit._source?.['event.dataset']).sort(); + expect(hits).to.eql([ + 'dataset_name_1', + 'dataset_name_1', + 'dataset_name_1', + 'dataset_name_1', + ]); + }); + }); + + describe('"threshold" rule type', async () => { + it('should detect the "dataset_name_1" from "event.dataset"', async () => { + const rule: ThresholdRuleCreateProps = { + ...getThresholdRuleForAlertTesting(['keyword']), + threshold: { + field: 'event.dataset', + value: 1, + }, + }; + const { id } = await createRule(supertest, log, rule); + await waitForRuleSuccess({ supertest, log, id }); + await waitForAlertsToBePresent(supertest, log, 1, [id]); + const alertsOpen = await getAlertsById(supertest, log, id); + const hits = alertsOpen.hits.hits + .map((hit) => hit._source?.[ALERT_THRESHOLD_RESULT] ?? null) + .sort(); + expect(hits).to.eql([ + { + count: 4, + from: '2020-10-28T05:00:53.000Z', + terms: [ + { + field: 'event.dataset', + value: 'dataset_name_1', + }, + ], + }, + ]); + }); + }); + }); +}; 
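Review bot: The `@ess @serverless` tags in this file sit only on the nested `"kql" rule type` describe, whereas `const_keyword.ts` and `keyword_mixed_with_const.ts` in the same patch tag their top-level describe; if the ESS and serverless runners select suites by these tags, the `"eql"` and `"threshold"` suites here would be silently left out — confirm against how the shared config base filters on tags. Moving the tags up makes the three files consistent: `describe('@ess @serverless Rule detects against a keyword of event.dataset', () => {` and `describe('"kql" rule type', () => {`.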
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/keyword_family/keyword_mixed_with_const.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/keyword_family/keyword_mixed_with_const.ts
new file mode 100644
index 0000000000000..1353c0b6ca5ed
--- /dev/null
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/keyword_family/keyword_mixed_with_const.ts
@@ -0,0 +1,165 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import expect from '@kbn/expect'; +import { + EqlRuleCreateProps, + ThresholdRuleCreateProps, +} from '@kbn/security-solution-plugin/common/api/detection_engine'; +import { ALERT_THRESHOLD_RESULT } from '@kbn/security-solution-plugin/common/field_maps/field_names'; + +import { + createRule, + createAlertsIndex, + deleteAllRules, + deleteAllAlerts, + getEqlRuleForAlertTesting, + getRuleForAlertTesting, + getAlertsById, + waitForRuleSuccess, + waitForAlertsToBePresent, +} from '../../../utils'; +import { FtrProviderContext } from '../../../../../ftr_provider_context'; + +export default ({ getService }: FtrProviderContext) => { + const supertest = getService('supertest'); + const esArchiver = getService('esArchiver'); + const log = getService('log'); + const es = getService('es'); + + describe('@ess @serverless Rule detects against a keyword and constant_keyword of event.dataset', () => { + before(async () => { + await esArchiver.load('x-pack/test/functional/es_archives/rule_keyword_family/const_keyword'); + await esArchiver.load('x-pack/test/functional/es_archives/rule_keyword_family/keyword'); + }); + + after(async () => { + await esArchiver.unload( + 'x-pack/test/functional/es_archives/rule_keyword_family/const_keyword' + ); + await esArchiver.unload('x-pack/test/functional/es_archives/rule_keyword_family/keyword'); + }); + + beforeEach(async () => { + await createAlertsIndex(supertest, log); + }); + + afterEach(async () => { + await deleteAllAlerts(supertest, log, es); + await deleteAllRules(supertest, log); + }); + + describe('"kql" rule type', () => { + it('should detect the "dataset_name_1" from "event.dataset" and have 8 alerts, 4 from each index', async () => { + const rule = { + 
...getRuleForAlertTesting(['keyword', 'const_keyword']), + query: 'event.dataset: "dataset_name_1"', + }; + const { id } = await createRule(supertest, log, rule); + await waitForRuleSuccess({ supertest, log, id }); + await waitForAlertsToBePresent(supertest, log, 8, [id]); + const alertsOpen = await getAlertsById(supertest, log, id); + expect(alertsOpen.hits.hits.length).to.eql(8); + }); + + it('should copy the dataset_name_1 from the index into the alert', async () => { + const rule = { + ...getRuleForAlertTesting(['keyword', 'const_keyword']), + query: 'event.dataset: "dataset_name_1"', + }; + const { id } = await createRule(supertest, log, rule); + await waitForRuleSuccess({ supertest, log, id }); + await waitForAlertsToBePresent(supertest, log, 8, [id]); + const alertsOpen = await getAlertsById(supertest, log, id); + const hits = alertsOpen.hits.hits.map((hit) => hit._source?.['event.dataset']).sort(); + expect(hits).to.eql([ + 'dataset_name_1', + 'dataset_name_1', + 'dataset_name_1', + 'dataset_name_1', + 'dataset_name_1', + 'dataset_name_1', + 'dataset_name_1', + 'dataset_name_1', + ]); + }); + }); + + describe('"eql" rule type', () => { + it('should detect the "dataset_name_1" from "event.dataset" and have 8 alerts, 4 from each index', async () => { + const rule: EqlRuleCreateProps = { + ...getEqlRuleForAlertTesting(['keyword', 'const_keyword']), + query: 'any where event.dataset=="dataset_name_1"', + }; + + const { id } = await createRule(supertest, log, rule); + await waitForRuleSuccess({ supertest, log, id }); + await waitForAlertsToBePresent(supertest, log, 8, [id]); + const alertsOpen = await getAlertsById(supertest, log, id); + expect(alertsOpen.hits.hits.length).to.eql(8); + }); + + it('should copy the "dataset_name_1" from "event.dataset"', async () => { + const rule: EqlRuleCreateProps = { + ...getEqlRuleForAlertTesting(['keyword', 'const_keyword']), + query: 'any where event.dataset=="dataset_name_1"', + }; + + const { id } = await 
createRule(supertest, log, rule); + await waitForRuleSuccess({ supertest, log, id }); + await waitForAlertsToBePresent(supertest, log, 8, [id]); + const alertsOpen = await getAlertsById(supertest, log, id); + const hits = alertsOpen.hits.hits.map((hit) => hit._source?.['event.dataset']).sort(); + expect(hits).to.eql([ + 'dataset_name_1', + 'dataset_name_1', + 'dataset_name_1', + 'dataset_name_1', + 'dataset_name_1', + 'dataset_name_1', + 'dataset_name_1', + 'dataset_name_1', + ]); + }); + }); + + describe('"threshold" rule type', async () => { + it('should detect the "dataset_name_1" from "event.dataset"', async () => { + const rule: ThresholdRuleCreateProps = { + ...getRuleForAlertTesting(['keyword', 'const_keyword']), + rule_id: 'threshold-rule', + type: 'threshold', + language: 'kuery', + query: '*:*', + threshold: { + field: 'event.dataset', + value: 1, + }, + }; + const { id } = await createRule(supertest, log, rule); + await waitForRuleSuccess({ supertest, log, id }); + await waitForAlertsToBePresent(supertest, log, 1, [id]); + const alertsOpen = await getAlertsById(supertest, log, id); + const hits = alertsOpen.hits.hits + .map((hit) => hit._source?.[ALERT_THRESHOLD_RESULT] ?? null) + .sort(); + expect(hits).to.eql([ + { + count: 8, + from: '2020-10-27T05:00:53.000Z', + terms: [ + { + field: 'event.dataset', + value: 'dataset_name_1', + }, + ], + }, + ]); + }); + }); + }); +}; From cee4086002ceb5e11c378e3a4f95e9528d6c1893 Mon Sep 17 00:00:00 2001 
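Review bot: The threshold test assembles its rule by hand from `getRuleForAlertTesting` plus explicit `rule_id`, `type`, `language` and `query`, while `keyword.ts` and `const_keyword.ts` build the same shape with `getThresholdRuleForAlertTesting`, which this file does not import. Assuming that helper supplies the same defaults (its body is not visible here), the five hand-written lines reduce to `...getThresholdRuleForAlertTesting(['keyword', 'const_keyword']),` with the helper added to the `'../../../utils'` import list. Keeping the shared helper means this suite will not drift from its siblings if the threshold defaults change.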
From: wafaanasr Date: Tue, 7 Nov 2023 17:10:43 +0100 Subject: [PATCH 02/23] remove group5 --- .buildkite/ftr_configs.yml | 1 - .../security_and_spaces/group5/config.ts | 18 -- .../security_and_spaces/group5/index.ts | 15 -- .../group5/keyword_family/README.md | 11 -- .../group5/keyword_family/const_keyword.ts | 153 ---------------- .../group5/keyword_family/index.ts | 17 -- .../group5/keyword_family/keyword.ts | 127 -------------- .../keyword_mixed_with_const.ts | 166 ------------------ 8 files changed, 508 deletions(-) delete mode 100644 x-pack/test/detection_engine_api_integration/security_and_spaces/group5/config.ts delete mode 100644 x-pack/test/detection_engine_api_integration/security_and_spaces/group5/index.ts delete mode 100644 x-pack/test/detection_engine_api_integration/security_and_spaces/group5/keyword_family/README.md delete mode 100644 x-pack/test/detection_engine_api_integration/security_and_spaces/group5/keyword_family/const_keyword.ts delete mode 100644 x-pack/test/detection_engine_api_integration/security_and_spaces/group5/keyword_family/index.ts delete mode 100644 x-pack/test/detection_engine_api_integration/security_and_spaces/group5/keyword_family/keyword.ts delete mode 100644 x-pack/test/detection_engine_api_integration/security_and_spaces/group5/keyword_family/keyword_mixed_with_const.ts diff --git a/.buildkite/ftr_configs.yml b/.buildkite/ftr_configs.yml index 3ae519c4a3efd..83667f47b3914 100644 --- a/.buildkite/ftr_configs.yml +++ b/.buildkite/ftr_configs.yml 
@@ -224,7 +224,6 @@ enabled: - x-pack/test/detection_engine_api_integration/basic/config.ts - x-pack/test/detection_engine_api_integration/security_and_spaces/group1/config.ts - x-pack/test/detection_engine_api_integration/security_and_spaces/group4/config.ts - - x-pack/test/detection_engine_api_integration/security_and_spaces/group5/config.ts - x-pack/test/detection_engine_api_integration/security_and_spaces/group10/config.ts - x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/config.ts - x-pack/test/detection_engine_api_integration/security_and_spaces/prebuilt_rules/config.ts diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group5/config.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group5/config.ts deleted file mode 100644 index 2430b8f2148d9..0000000000000 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group5/config.ts +++ /dev/null @@ -1,18 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { FtrConfigProviderContext } from '@kbn/test'; - -// eslint-disable-next-line import/no-default-export -export default async function ({ readConfigFile }: FtrConfigProviderContext) { - const functionalConfig = await readConfigFile(require.resolve('../config.base.ts')); - - return { - ...functionalConfig.getAll(), - testFiles: [require.resolve('.')], - }; -} diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group5/index.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group5/index.ts deleted file mode 100644 index ac107392d4b5c..0000000000000 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group5/index.ts +++ /dev/null 
@@ -1,15 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { FtrProviderContext } from '../../common/ftr_provider_context'; - -// eslint-disable-next-line import/no-default-export -export default ({ loadTestFile }: FtrProviderContext): void => { - describe('detection engine api security and spaces enabled - Group 5', function () { - loadTestFile(require.resolve('./keyword_family')); - }); -}; diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group5/keyword_family/README.md b/x-pack/test/detection_engine_api_integration/security_and_spaces/group5/keyword_family/README.md deleted file mode 100644 index ab7f2ec862b0d..0000000000000 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group5/keyword_family/README.md +++ /dev/null @@ -1,11 +0,0 @@ -These are tests for the [keyword](https://www.elastic.co/guide/en/elasticsearch/reference/7.12/keyword.html) family where we test -* keyword -* const keyword -* alias fields against each one - -Against mock rules which contain the ECS values of: -* event.module -* even.dataset - -This is to ensure that if you have field aliases we will still correctly have detections occur. This also ensures that if you have -`keyword` mixed with `const keyword` across multiple indexes we will still have detections occur. \ No newline at end of file diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group5/keyword_family/const_keyword.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group5/keyword_family/const_keyword.ts deleted file mode 100644 index 44c25e51ba11f..0000000000000 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group5/keyword_family/const_keyword.ts +++ /dev/null 
@@ -1,153 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import expect from '@kbn/expect';
-import {
- EqlRuleCreateProps,
- ThresholdRuleCreateProps,
-} from '@kbn/security-solution-plugin/common/api/detection_engine';
-import { ALERT_THRESHOLD_RESULT } from '@kbn/security-solution-plugin/common/field_maps/field_names';
-
-import { FtrProviderContext } from '../../../common/ftr_provider_context';
-import {
- createRule,
- createSignalsIndex,
- deleteAllRules,
- deleteAllAlerts,
- getEqlRuleForSignalTesting,
- getRuleForSignalTesting,
- getSignalsById,
- getThresholdRuleForSignalTesting,
- waitForRuleSuccess,
- waitForSignalsToBePresent,
-} from '../../../utils';
-
-// eslint-disable-next-line import/no-default-export
-export default ({ getService }: FtrProviderContext) => {
- const supertest = getService('supertest');
- const esArchiver = getService('esArchiver');
- const log = getService('log');
- const es = getService('es');
-
- describe('Rule detects against a keyword of event.dataset', () => {
- before(async () => {
- await esArchiver.load('x-pack/test/functional/es_archives/rule_keyword_family/const_keyword');
- });
-
- after(async () => {
- await esArchiver.unload(
- 'x-pack/test/functional/es_archives/rule_keyword_family/const_keyword'
- );
- });
-
- beforeEach(async () => {
- await createSignalsIndex(supertest, log);
- });
-
- afterEach(async () => {
- await deleteAllAlerts(supertest, log, es);
- await deleteAllRules(supertest, log);
- });
-
- describe('"kql" rule type', () => {
- it('should detect the "dataset_name_1" from "event.dataset" and have 4 signals', async () => {
- const rule = {
- ...getRuleForSignalTesting(['const_keyword']),
- query: 'event.dataset: "dataset_name_1"',
- };
- const { id } = await createRule(supertest, log, rule);
- await waitForRuleSuccess({ supertest, log, id });
- await waitForSignalsToBePresent(supertest, log, 4, [id]);
- const signalsOpen = await getSignalsById(supertest, log, id);
- expect(signalsOpen.hits.hits.length).to.eql(4);
- });
-
- it('should copy the dataset_name_1 from the index into the signal', async () => {
- const rule = {
- ...getRuleForSignalTesting(['const_keyword']),
- query: 'event.dataset: "dataset_name_1"',
- };
- const { id } = await createRule(supertest, log, rule);
- await waitForRuleSuccess({ supertest, log, id });
- await waitForSignalsToBePresent(supertest, log, 4, [id]);
- const signalsOpen = await getSignalsById(supertest, log, id);
- const hits = signalsOpen.hits.hits.map((hit) => hit._source?.['event.dataset']).sort();
- expect(hits).to.eql([
- 'dataset_name_1',
- 'dataset_name_1',
- 'dataset_name_1',
- 'dataset_name_1',
- ]);
- });
- });
-
- describe('"eql" rule type', () => {
- it('should detect the "dataset_name_1" from "event.dataset" and have 4 signals', async () => {
- const rule: EqlRuleCreateProps = {
- ...getEqlRuleForSignalTesting(['const_keyword']),
- query: 'any where event.dataset=="dataset_name_1"',
- };
-
- const { id } = await createRule(supertest, log, rule);
- await waitForRuleSuccess({ supertest, log, id });
- await waitForSignalsToBePresent(supertest, log, 4, [id]);
- const signalsOpen = await getSignalsById(supertest, log, id);
- expect(signalsOpen.hits.hits.length).to.eql(4);
- });
-
- it('should copy the "dataset_name_1" from "event.dataset"', async () => {
- const rule: EqlRuleCreateProps = {
- ...getEqlRuleForSignalTesting(['const_keyword']),
- query: 'any where event.dataset=="dataset_name_1"',
- };
-
- const { id } = await createRule(supertest, log, rule);
- await waitForRuleSuccess({ supertest, log, id });
- await waitForSignalsToBePresent(supertest, log, 4, [id]);
- const signalsOpen = await getSignalsById(supertest, log, id);
- const hits = signalsOpen.hits.hits.map((hit) => hit._source?.['event.dataset']).sort();
- expect(hits).to.eql([
- 'dataset_name_1',
- 'dataset_name_1',
- 'dataset_name_1',
- 'dataset_name_1',
- ]);
- });
- });
-
- describe('"threshold" rule type', async () => {
- it('should detect the "dataset_name_1" from "event.dataset"', async () => {
- const rule: ThresholdRuleCreateProps = {
- ...getThresholdRuleForSignalTesting(['const_keyword']),
- threshold: {
- field: 'event.dataset',
- value: 1,
- },
- };
- const { id } = await createRule(supertest, log, rule);
- await waitForRuleSuccess({ supertest, log, id });
- await waitForSignalsToBePresent(supertest, log, 1, [id]);
- const signalsOpen = await getSignalsById(supertest, log, id);
- const hits = signalsOpen.hits.hits
- .map((hit) => hit._source?.[ALERT_THRESHOLD_RESULT] ?? null)
- .sort();
- expect(hits).to.eql([
- {
- count: 4,
- from: '2020-10-27T05:00:53.000Z',
- terms: [
- {
- field: 'event.dataset',
- value: 'dataset_name_1',
- },
- ],
- },
- ]);
- });
- });
- });
-};
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group5/keyword_family/index.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group5/keyword_family/index.ts
deleted file mode 100644
index 1ecb06fbed4e5..0000000000000
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group5/keyword_family/index.ts
+++ /dev/null
@@ -1,17 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { FtrProviderContext } from '../../../common/ftr_provider_context';
-
-// eslint-disable-next-line import/no-default-export
-export default ({ loadTestFile }: FtrProviderContext): void => {
- describe('Detection keyword family data types', function () {
- loadTestFile(require.resolve('./keyword'));
- loadTestFile(require.resolve('./const_keyword'));
- loadTestFile(require.resolve('./keyword_mixed_with_const'));
- });
-};
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group5/keyword_family/keyword.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group5/keyword_family/keyword.ts
deleted file mode 100644
index 39d62da77a1a8..0000000000000
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group5/keyword_family/keyword.ts
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import expect from '@kbn/expect';
-
-import {
- EqlRuleCreateProps,
- QueryRuleCreateProps,
- ThresholdRuleCreateProps,
-} from '@kbn/security-solution-plugin/common/api/detection_engine';
-import { ALERT_THRESHOLD_RESULT } from '@kbn/security-solution-plugin/common/field_maps/field_names';
-import { FtrProviderContext } from '../../../common/ftr_provider_context';
-import {
- createRule,
- createSignalsIndex,
- deleteAllRules,
- deleteAllAlerts,
- getEqlRuleForSignalTesting,
- getRuleForSignalTesting,
- getSignalsById,
- getThresholdRuleForSignalTesting,
- waitForRuleSuccess,
- waitForSignalsToBePresent,
-} from '../../../utils';
-
-// eslint-disable-next-line import/no-default-export
-export default ({ getService }: FtrProviderContext) => {
- const supertest = getService('supertest');
- const esArchiver = getService('esArchiver');
- const log = getService('log');
- const es = getService('es');
-
- describe('Rule detects against a keyword of event.dataset', () => {
- before(async () => {
- await esArchiver.load('x-pack/test/functional/es_archives/rule_keyword_family/keyword');
- });
-
- after(async () => {
- await esArchiver.unload('x-pack/test/functional/es_archives/rule_keyword_family/keyword');
- });
-
- beforeEach(async () => {
- await createSignalsIndex(supertest, log);
- });
-
- afterEach(async () => {
- await deleteAllAlerts(supertest, log, es);
- await deleteAllRules(supertest, log);
- });
-
- describe('"kql" rule type', () => {
- it('should detect the "dataset_name_1" from "event.dataset"', async () => {
- const rule: QueryRuleCreateProps = {
- ...getRuleForSignalTesting(['keyword']),
- query: 'event.dataset: "dataset_name_1"',
- };
- const { id } = await createRule(supertest, log, rule);
- await waitForRuleSuccess({ supertest, log, id });
- await waitForSignalsToBePresent(supertest, log, 4, [id]);
- const signalsOpen = await getSignalsById(supertest, log, id);
- const hits = signalsOpen.hits.hits.map((hit) => hit._source?.['event.dataset']).sort();
- expect(hits).to.eql([
- 'dataset_name_1',
- 'dataset_name_1',
- 'dataset_name_1',
- 'dataset_name_1',
- ]);
- });
- });
-
- describe('"eql" rule type', () => {
- it('should detect the "dataset_name_1" from "event.dataset"', async () => {
- const rule: EqlRuleCreateProps = {
- ...getEqlRuleForSignalTesting(['keyword']),
- query: 'any where event.dataset=="dataset_name_1"',
- };
-
- const { id } = await createRule(supertest, log, rule);
- await waitForRuleSuccess({ supertest, log, id });
- await waitForSignalsToBePresent(supertest, log, 4, [id]);
- const signalsOpen = await getSignalsById(supertest, log, id);
- const hits = signalsOpen.hits.hits.map((hit) => hit._source?.['event.dataset']).sort();
- expect(hits).to.eql([
- 'dataset_name_1',
- 'dataset_name_1',
- 'dataset_name_1',
- 'dataset_name_1',
- ]);
- });
- });
-
- describe('"threshold" rule type', async () => {
- it('should detect the "dataset_name_1" from "event.dataset"', async () => {
- const rule: ThresholdRuleCreateProps = {
- ...getThresholdRuleForSignalTesting(['keyword']),
- threshold: {
- field: 'event.dataset',
- value: 1,
- },
- };
- const { id } = await createRule(supertest, log, rule);
- await waitForRuleSuccess({ supertest, log, id });
- await waitForSignalsToBePresent(supertest, log, 1, [id]);
- const signalsOpen = await getSignalsById(supertest, log, id);
- const hits = signalsOpen.hits.hits
- .map((hit) => hit._source?.[ALERT_THRESHOLD_RESULT] ?? null)
- .sort();
- expect(hits).to.eql([
- {
- count: 4,
- from: '2020-10-28T05:00:53.000Z',
- terms: [
- {
- field: 'event.dataset',
- value: 'dataset_name_1',
- },
- ],
- },
- ]);
- });
- });
- });
-};
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group5/keyword_family/keyword_mixed_with_const.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group5/keyword_family/keyword_mixed_with_const.ts
deleted file mode 100644
index 50bbd7efde9f2..0000000000000
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group5/keyword_family/keyword_mixed_with_const.ts
+++ /dev/null
@@ -1,166 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import expect from '@kbn/expect';
-import {
- EqlRuleCreateProps,
- ThresholdRuleCreateProps,
-} from '@kbn/security-solution-plugin/common/api/detection_engine';
-import { ALERT_THRESHOLD_RESULT } from '@kbn/security-solution-plugin/common/field_maps/field_names';
-
-import { FtrProviderContext } from '../../../common/ftr_provider_context';
-import {
- createRule,
- createSignalsIndex,
- deleteAllRules,
- deleteAllAlerts,
- getEqlRuleForSignalTesting,
- getRuleForSignalTesting,
- getSignalsById,
- waitForRuleSuccess,
- waitForSignalsToBePresent,
-} from '../../../utils';
-
-// eslint-disable-next-line import/no-default-export
-export default ({ getService }: FtrProviderContext) => {
- const supertest = getService('supertest');
- const esArchiver = getService('esArchiver');
- const log = getService('log');
- const es = getService('es');
-
- describe('Rule detects against a keyword and constant_keyword of event.dataset', () => {
- before(async () => {
- await esArchiver.load('x-pack/test/functional/es_archives/rule_keyword_family/const_keyword');
- await esArchiver.load('x-pack/test/functional/es_archives/rule_keyword_family/keyword');
- });
-
- after(async () => {
- await esArchiver.unload(
- 'x-pack/test/functional/es_archives/rule_keyword_family/const_keyword'
- );
- await esArchiver.unload('x-pack/test/functional/es_archives/rule_keyword_family/keyword');
- });
-
- beforeEach(async () => {
- await createSignalsIndex(supertest, log);
- });
-
- afterEach(async () => {
- await deleteAllAlerts(supertest, log, es);
- await deleteAllRules(supertest, log);
- });
-
- describe('"kql" rule type', () => {
- it('should detect the "dataset_name_1" from "event.dataset" and have 8 signals, 4 from each index', async () => {
- const rule = {
- ...getRuleForSignalTesting(['keyword', 'const_keyword']),
- query: 'event.dataset: "dataset_name_1"',
- };
- const { id } = await createRule(supertest, log, rule);
- await waitForRuleSuccess({ supertest, log, id });
- await waitForSignalsToBePresent(supertest, log, 8, [id]);
- const signalsOpen = await getSignalsById(supertest, log, id);
- expect(signalsOpen.hits.hits.length).to.eql(8);
- });
-
- it('should copy the dataset_name_1 from the index into the signal', async () => {
- const rule = {
- ...getRuleForSignalTesting(['keyword', 'const_keyword']),
- query: 'event.dataset: "dataset_name_1"',
- };
- const { id } = await createRule(supertest, log, rule);
- await waitForRuleSuccess({ supertest, log, id });
- await waitForSignalsToBePresent(supertest, log, 8, [id]);
- const signalsOpen = await getSignalsById(supertest, log, id);
- const hits = signalsOpen.hits.hits.map((hit) => hit._source?.['event.dataset']).sort();
- expect(hits).to.eql([
- 'dataset_name_1',
- 'dataset_name_1',
- 'dataset_name_1',
- 'dataset_name_1',
- 'dataset_name_1',
- 'dataset_name_1',
- 'dataset_name_1',
- 'dataset_name_1',
- ]);
- });
- });
-
- describe('"eql" rule type', () => {
- it('should detect the "dataset_name_1" from "event.dataset" and have 8 signals, 4 from each index', async () => {
- const rule: EqlRuleCreateProps = {
- ...getEqlRuleForSignalTesting(['keyword', 'const_keyword']),
- query: 'any where event.dataset=="dataset_name_1"',
- };
-
- const { id } = await createRule(supertest, log, rule);
- await waitForRuleSuccess({ supertest, log, id });
- await waitForSignalsToBePresent(supertest, log, 8, [id]);
- const signalsOpen = await getSignalsById(supertest, log, id);
- expect(signalsOpen.hits.hits.length).to.eql(8);
- });
-
- it('should copy the "dataset_name_1" from "event.dataset"', async () => {
- const rule: EqlRuleCreateProps = {
- ...getEqlRuleForSignalTesting(['keyword', 'const_keyword']),
- query: 'any where event.dataset=="dataset_name_1"',
- };
-
- const { id } = await createRule(supertest, log, rule);
- await waitForRuleSuccess({ supertest, log, id });
- await waitForSignalsToBePresent(supertest, log, 8, [id]);
- const signalsOpen = await getSignalsById(supertest, log, id);
- const hits = signalsOpen.hits.hits.map((hit) => hit._source?.['event.dataset']).sort();
- expect(hits).to.eql([
- 'dataset_name_1',
- 'dataset_name_1',
- 'dataset_name_1',
- 'dataset_name_1',
- 'dataset_name_1',
- 'dataset_name_1',
- 'dataset_name_1',
- 'dataset_name_1',
- ]);
- });
- });
-
- describe('"threshold" rule type', async () => {
- it('should detect the "dataset_name_1" from "event.dataset"', async () => {
- const rule: ThresholdRuleCreateProps = {
- ...getRuleForSignalTesting(['keyword', 'const_keyword']),
- rule_id: 'threshold-rule',
- type: 'threshold',
- language: 'kuery',
- query: '*:*',
- threshold: {
- field: 'event.dataset',
- value: 1,
- },
- };
- const { id } = await createRule(supertest, log, rule);
- await waitForRuleSuccess({ supertest, log, id });
- await waitForSignalsToBePresent(supertest, log, 1, [id]);
- const signalsOpen = await getSignalsById(supertest, log, id);
- const hits = signalsOpen.hits.hits
- .map((hit) => hit._source?.[ALERT_THRESHOLD_RESULT] ?? null)
- .sort();
- expect(hits).to.eql([
- {
- count: 8,
- from: '2020-10-27T05:00:53.000Z',
- terms: [
- {
- field: 'event.dataset',
- value: 'dataset_name_1',
- },
- ],
- },
- ]);
- });
- });
- });
-};
From aed2ddaf76e90706bea4b889905d7587be8f2d24 Mon Sep 17 00:00:00 2001
From: wafaanasr
Date: Wed, 8 Nov 2023 15:24:04 +0100
Subject: [PATCH 03/23] fix linting
---
 .../rule_execution_logic/keyword_family/index.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/keyword_family/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/keyword_family/index.ts index fa1cd825751d0..7244085b6eff2 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/keyword_family/index.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/keyword_family/index.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { FtrProviderContext } from '../../../../../../../../../pr-kibana/kibana/x-pack/test/security_solution_api_integration/ftr_provider_context'; +import { FtrProviderContext } from '../../../../../ftr_provider_context'; export default ({ loadTestFile }: FtrProviderContext): void => { describe('Detection keyword family data types', function () { From 4bd661a65bfa239ebb4425abaa23a25d5d076836 Mon Sep 17 00:00:00 2001 From: wafaanasr Date: Wed, 8 Nov 2023 17:04:37 +0100 Subject: [PATCH 04/23] remove refresh_interval setting --- .../es_archives/rule_keyword_family/const_keyword/mappings.json | 1 - .../es_archives/rule_keyword_family/keyword/mappings.json | 1 - 2 files changed, 2 deletions(-) diff --git a/x-pack/test/functional/es_archives/rule_keyword_family/const_keyword/mappings.json b/x-pack/test/functional/es_archives/rule_keyword_family/const_keyword/mappings.json index 7e3d74f840142..8622a0f62cd5a 100644 --- a/x-pack/test/functional/es_archives/rule_keyword_family/const_keyword/mappings.json +++ b/x-pack/test/functional/es_archives/rule_keyword_family/const_keyword/mappings.json @@ -39,7 +39,6 @@ }, "settings": { "index": { - "refresh_interval": "1s", "number_of_replicas": "1", "number_of_shards": "1" } 
diff --git a/x-pack/test/functional/es_archives/rule_keyword_family/keyword/mappings.json b/x-pack/test/functional/es_archives/rule_keyword_family/keyword/mappings.json index 9d5274a002279..233b1148f04b4 100644 --- a/x-pack/test/functional/es_archives/rule_keyword_family/keyword/mappings.json +++ b/x-pack/test/functional/es_archives/rule_keyword_family/keyword/mappings.json @@ -25,7 +25,6 @@ }, "settings": { "index": { - "refresh_interval": "1s", "number_of_replicas": "1", "number_of_shards": "1" } From 942178128e8471e07108f171db8097790b690737 Mon Sep 17 00:00:00 2001 From: wafaanasr Date: Wed, 8 Nov 2023 17:54:02 +0100 Subject: [PATCH 05/23] fix linting --- .../default_license/rule_execution_logic/index.ts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/index.ts index f4356b6cd5678..53361749d1d1a 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/index.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/index.ts @@ -4,7 +4,8 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { FtrProviderContext } from '../../../../../../../../pr-kibana/kibana/x-pack/test/security_solution_api_integration/ftr_provider_context'; + +import { FtrProviderContext } from '../../../../ftr_provider_context'; export default function ({ loadTestFile }: FtrProviderContext) { describe('Rule execution logic API', function () { From 17fd9d14aa45b7702fe47bef95177da92345ab51 Mon Sep 17 00:00:00 2001 
From: wafaanasr Date: Thu, 9 Nov 2023 11:12:25 +0100 Subject: [PATCH 06/23] move rule_execution_logic --- .../rule_execution_logic/config.ts | 18 - .../execution_logic}/README.md | 0 .../execution_logic}/eql.ts | 35 +- .../execution_logic}/esql.ts | 19 +- .../execution_logic}/index.ts | 3 +- .../execution_logic}/machine_learning.ts | 12 +- .../execution_logic}/mocks/new_terms.ts | 0 .../execution_logic}/new_terms.ts | 18 +- .../execution_logic}/non_ecs_fields.ts | 12 +- .../execution_logic}/query.ts | 122 ++-- .../execution_logic}/saved_query.ts | 13 +- .../execution_logic}/threat_match.ts | 17 +- .../execution_logic}/threshold.ts | 11 +- .../utils/alerts/get_preview_alerts.ts | 48 ++ .../detections_response/utils/alerts/index.ts | 1 + .../utils/data_generator/README.md | 606 ++++++++++++++++++ .../data_generator/data_generator_factory.ts | 75 +++ .../utils/data_generator/enhance_document.ts | 29 + .../utils/data_generator/enhance_documents.ts | 32 + .../data_generator/generate_documents.ts | 39 ++ .../get_kql_query_from_documents_list.ts | 41 ++ .../utils/data_generator/get_timestamp.ts | 16 + .../utils/data_generator/index.ts | 13 + .../utils/data_generator/index_documents.ts | 39 ++ .../utils/data_generator/types.ts | 10 + .../detections_response/utils/index.ts | 4 + .../utils/machine_learning/index.ts | 7 + .../machine_learning_setup.ts | 55 ++ .../utils/remove_random_valued_properties.ts} | 0 .../detections_response/utils/rules/index.ts | 3 + .../utils/rules}/patch_rule.ts | 0 .../utils/rules/preview_rule.ts | 50 ++ .../preview_rule_with_exception_entries.ts | 65 ++ 33 files changed, 1262 insertions(+), 151 deletions(-) delete mode 100644 x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/config.ts rename x-pack/test/{detection_engine_api_integration/security_and_spaces/rule_execution_logic => security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic}/README.md 
(100%) rename x-pack/test/{detection_engine_api_integration/security_and_spaces/rule_execution_logic => security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic}/eql.ts (95%) rename x-pack/test/{detection_engine_api_integration/security_and_spaces/rule_execution_logic => security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic}/esql.ts (98%) rename x-pack/test/{detection_engine_api_integration/security_and_spaces/rule_execution_logic => security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic}/index.ts (87%) rename x-pack/test/{detection_engine_api_integration/security_and_spaces/rule_execution_logic => security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic}/machine_learning.ts (96%) rename x-pack/test/{detection_engine_api_integration/security_and_spaces/rule_execution_logic => security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic}/mocks/new_terms.ts (100%) rename x-pack/test/{detection_engine_api_integration/security_and_spaces/rule_execution_logic => security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic}/new_terms.ts (98%) rename x-pack/test/{detection_engine_api_integration/security_and_spaces/rule_execution_logic => security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic}/non_ecs_fields.ts (97%) rename x-pack/test/{detection_engine_api_integration/security_and_spaces/rule_execution_logic => security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic}/query.ts (95%) rename x-pack/test/{detection_engine_api_integration/security_and_spaces/rule_execution_logic => 
security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic}/saved_query.ts (88%) rename x-pack/test/{detection_engine_api_integration/security_and_spaces/rule_execution_logic => security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic}/threat_match.ts (99%) rename x-pack/test/{detection_engine_api_integration/security_and_spaces/rule_execution_logic => security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic}/threshold.ts (97%) create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/alerts/get_preview_alerts.ts create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/README.md create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/data_generator_factory.ts create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/enhance_document.ts create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/enhance_documents.ts create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/generate_documents.ts create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/get_kql_query_from_documents_list.ts create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/get_timestamp.ts create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/index.ts create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/index_documents.ts create 
mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/types.ts create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/machine_learning/index.ts create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/machine_learning/machine_learning_setup.ts rename x-pack/test/{detection_engine_api_integration/security_and_spaces/rule_execution_logic/utils.ts => security_solution_api_integration/test_suites/detections_response/utils/remove_random_valued_properties.ts} (100%) rename x-pack/test/{detection_engine_api_integration/utils => security_solution_api_integration/test_suites/detections_response/utils/rules}/patch_rule.ts (100%) create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/preview_rule.ts create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/preview_rule_with_exception_entries.ts diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/config.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/config.ts deleted file mode 100644 index 2430b8f2148d9..0000000000000 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/config.ts +++ /dev/null 
@@ -1,18 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { FtrConfigProviderContext } from '@kbn/test';
-
-// eslint-disable-next-line import/no-default-export
-export default async function ({ readConfigFile }: FtrConfigProviderContext) {
- const functionalConfig = await readConfigFile(require.resolve('../config.base.ts'));
-
- return {
- ...functionalConfig.getAll(),
- testFiles: [require.resolve('.')],
- };
-}
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/README.md b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/README.md
similarity index 100%
rename from x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/README.md
rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/README.md
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/eql.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/eql.ts
similarity index 95%
rename from x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/eql.ts
rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/eql.ts
index b0469c90d8e4d..11ae95f653bd3 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/eql.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/eql.ts
@@ -32,14 +32,13 @@ import { createRule, deleteAllRules, deleteAllAlerts, - getEqlRuleForSignalTesting, - getOpenSignals, + getEqlRuleForAlertTesting, + getOpenAlerts, getPreviewAlerts, previewRule, -} from '../../utils'; -import { FtrProviderContext } from '../../common/ftr_provider_context'; +} from '../../../utils'; +import { FtrProviderContext } from '../../../../../ftr_provider_context'; -// eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext) => { const supertest = getService('supertest'); const esArchiver = getService('esArchiver'); @@ -66,11 +65,11 @@ export default ({ getService }: FtrProviderContext) => { // First test creates a real rule - remaining tests use preview API it('generates a correctly formatted signal from EQL non-sequence queries', async () => { const rule: EqlRuleCreateProps = { - ...getEqlRuleForSignalTesting(['auditbeat-*']), + ...getEqlRuleForAlertTesting(['auditbeat-*']), query: 'configuration where agent.id=="a1d7b39c-f898-4dbe-a761-efb61939302d"', }; const createdRule = await createRule(supertest, log, rule); - const alerts = await getOpenSignals(supertest, log, es, createdRule); + const alerts = await getOpenAlerts(supertest, log, es, createdRule); expect(alerts.hits.hits.length).eql(1); const fullSignal = alerts.hits.hits[0]._source; if (!fullSignal) { @@ -170,7 +169,7 @@ export default ({ getService }: FtrProviderContext) => { it('generates up to max_signals for non-sequence EQL queries', async () => { const maxSignals = 200; const rule: EqlRuleCreateProps = { - ...getEqlRuleForSignalTesting(['auditbeat-*']), + ...getEqlRuleForAlertTesting(['auditbeat-*']), max_signals: maxSignals, }; const { previewId } = await previewRule({ supertest, rule }); 
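Review bot: The first hunk drops `// eslint-disable-next-line import/no-default-export` while keeping `export default`, so the moved eql.ts now relies on the `security_solution_api_integration` tree having an ESLint override that allows default exports; that override is not visible in this series, and the later "fix linting" commits only touch import paths, so it is worth confirming rather than assuming. The `getEqlRuleForSignalTesting` → `getEqlRuleForAlertTesting` and `getOpenSignals` → `getOpenAlerts` renames are carried consistently through the remaining eql.ts hunks in this file, but the test titles and locals they sit next to (`fullSignal`, `maxSignals`, 'generates a correctly formatted signal …') keep the old term, leaving the file half-migrated; if the remaining rename is deliberately deferred, a one-line note at the top such as `// NOTE: "signal" in test titles and locals is the legacy name for "alert"; helpers already use the new name` would tell the next reader that this is intentional. The `'../../../../../ftr_provider_context'` import is five levels of relative path, which the rest of the series has already had to correct twice; if the package exposes a path alias for it, that would be less fragile. The default-export function whose body these hunks edit starts in the first hunk and continues past it.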
@@ -180,7 +179,7 @@ export default ({ getService }: FtrProviderContext) => { it('generates max signals warning when circuit breaker is hit', async () => { const rule: EqlRuleCreateProps = { - ...getEqlRuleForSignalTesting(['auditbeat-*']), + ...getEqlRuleForAlertTesting(['auditbeat-*']), }; const { logs } = await previewRule({ supertest, rule }); expect(logs[0].warnings).contain(getMaxSignalsWarning()); @@ -188,7 +187,7 @@ export default ({ getService }: FtrProviderContext) => { it('uses the provided event_category_override', async () => { const rule: EqlRuleCreateProps = { - ...getEqlRuleForSignalTesting(['auditbeat-*']), + ...getEqlRuleForAlertTesting(['auditbeat-*']), query: 'config_change where agent.id=="a1d7b39c-f898-4dbe-a761-efb61939302d"', event_category_override: 'auditd.message_type', }; @@ -259,7 +258,7 @@ export default ({ getService }: FtrProviderContext) => { it('uses the provided timestamp_field', async () => { const rule: EqlRuleCreateProps = { - ...getEqlRuleForSignalTesting(['fake.index.1']), + ...getEqlRuleForAlertTesting(['fake.index.1']), query: 'any where true', timestamp_field: 'created_at', }; @@ -273,7 +272,7 @@ export default ({ getService }: FtrProviderContext) => { it('uses the provided tiebreaker_field', async () => { const rule: EqlRuleCreateProps = { - ...getEqlRuleForSignalTesting(['fake.index.1']), + ...getEqlRuleForAlertTesting(['fake.index.1']), query: 'any where true', tiebreaker_field: 'locale', }; @@ -287,7 +286,7 @@ export default ({ getService }: FtrProviderContext) => { it('generates building block signals from EQL sequences in the expected form', async () => { const rule: EqlRuleCreateProps = { - ...getEqlRuleForSignalTesting(['auditbeat-*']), + ...getEqlRuleForAlertTesting(['auditbeat-*']), query: 'sequence by host.name [anomoly where true] [any where true]', // TODO: spelling }; const { previewId } = await previewRule({ supertest, rule }); 
@@ -433,7 +432,7 @@ export default ({ getService }: FtrProviderContext) => {
 
     it('generates shell signals from EQL sequences in the expected form', async () => {
       const rule: EqlRuleCreateProps = {
-        ...getEqlRuleForSignalTesting(['auditbeat-*']),
+        ...getEqlRuleForAlertTesting(['auditbeat-*']),
         query: 'sequence by host.name [anomoly where true] [any where true]',
       };
       const { previewId } = await previewRule({ supertest, rule });
@@ -516,7 +515,7 @@ export default ({ getService }: FtrProviderContext) => {
     it('generates up to max_signals with an EQL rule', async () => {
       const maxSignals = 200;
       const rule: EqlRuleCreateProps = {
-        ...getEqlRuleForSignalTesting(['auditbeat-*']),
+        ...getEqlRuleForAlertTesting(['auditbeat-*']),
         query: 'sequence by host.name [any where true] [any where true]',
         max_signals: maxSignals,
       };
@@ -534,7 +533,7 @@ export default ({ getService }: FtrProviderContext) => {
 
     it('generates signals when an index name contains special characters to encode', async () => {
       const rule: EqlRuleCreateProps = {
-        ...getEqlRuleForSignalTesting(['auditbeat-*', '']),
+        ...getEqlRuleForAlertTesting(['auditbeat-*', '']),
         query: 'configuration where agent.id=="a1d7b39c-f898-4dbe-a761-efb61939302d"',
       };
       const { previewId } = await previewRule({ supertest, rule });
@@ -544,7 +543,7 @@ export default ({ getService }: FtrProviderContext) => {
 
     it('uses the provided filters', async () => {
       const rule: EqlRuleCreateProps = {
-        ...getEqlRuleForSignalTesting(['auditbeat-*']),
+        ...getEqlRuleForAlertTesting(['auditbeat-*']),
         query: 'any where true',
         filters: [
           {
@@ -599,7 +598,7 @@ export default ({ getService }: FtrProviderContext) => {
 
     it('should be enriched with host risk score', async () => {
       const rule: EqlRuleCreateProps = {
-        ...getEqlRuleForSignalTesting(['auditbeat-*']),
+        ...getEqlRuleForAlertTesting(['auditbeat-*']),
         query: 'configuration where agent.id=="a1d7b39c-f898-4dbe-a761-efb61939302d"',
       };
       const { previewId } = await previewRule({ supertest, rule });
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/esql.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/esql.ts
similarity index 98%
rename from x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/esql.ts
rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/esql.ts
index 9ae0bf9773de6..db8ac63d4e129 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/esql.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/esql.ts
@@ -19,15 +19,16 @@ import {
   getPreviewAlerts,
   previewRule,
   createRule,
-  getOpenSignals as getOpenAlerts,
-} from '../../utils';
-import { FtrProviderContext } from '../../common/ftr_provider_context';
-import { previewRuleWithExceptionEntries } from '../../utils/preview_rule_with_exception_entries';
-import { deleteAllExceptions } from '../../../lists_api_integration/utils';
-import { dataGeneratorFactory } from '../../utils/data_generator';
-import { removeRandomValuedProperties } from './utils';
-
-// eslint-disable-next-line import/no-default-export
+  getOpenAlerts,
+  dataGeneratorFactory,
+  previewRuleWithExceptionEntries,
+  removeRandomValuedProperties,
+} from '../../../utils';
+import { deleteAllExceptions } from '../../../../../../lists_api_integration/utils';
+import { FtrProviderContext } from '../../../../../ftr_provider_context';
+
+// TODO replace signals
+
 export default ({ getService }: FtrProviderContext) => {
   const supertest = getService('supertest');
   const esArchiver = getService('esArchiver');
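Review bot: The new `// TODO replace signals` comment placed directly above `export default` is too vague to act on — it names neither which "signals" nor what they should become, and in that position it reads as if the default export itself were the open item. The hunk already imports `getOpenAlerts` (dropping the old `getOpenSignals as getOpenAlerts` alias), so I assume the intent is the signal-named identifiers still used in the suite body; say so, e.g. `// TODO: rename the remaining "signal" identifiers in this suite to "alert"; the shared helpers (getOpenAlerts etc.) are already renamed`, and keep a blank line between the comment and the export so it is not mistaken for a doc comment on the function.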
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/index.ts
similarity index 87%
rename from x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/index.ts
rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/index.ts
index e6cb1328c29b3..9220a7b0c0ade 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/index.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/index.ts
@@ -5,9 +5,8 @@
  * 2.0.
  */
 
-import { FtrProviderContext } from '../../common/ftr_provider_context';
+import { FtrProviderContext } from '../../../../../ftr_provider_context';
 
-// eslint-disable-next-line import/no-default-export
 export default ({ loadTestFile }: FtrProviderContext): void => {
   describe('detection engine api security and spaces enabled - rule execution logic', function () {
     loadTestFile(require.resolve('./eql'));
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/machine_learning.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/machine_learning.ts
similarity index 96%
rename from x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/machine_learning.ts
rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/machine_learning.ts
index 792fcb30b6645..2f7f7ae22b454 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/machine_learning.ts
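Review bot: The `describe` title `'detection engine api security and spaces enabled - rule execution logic'` is carried over unchanged even though the file now lives under `test_suites/detections_response/default_license/rule_execution_logic/execution_logic`, where "security and spaces enabled" no longer describes the harness; if this index is also loaded by a serverless config, the phrase will be actively misleading in test reports. Suggest `describe('Rule execution logic API', function () {` or whatever naming the neighbouring `default_license` suites use. Separately, this hunk (like every other file in the patch) removes `// eslint-disable-next-line import/no-default-export` while keeping `export default`; that only lints clean if the new package's ESLint overrides already allow default exports for these paths, which is worth confirming rather than finding out in CI. The `describe` body continues outside the hunk.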
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/machine_learning.ts
@@ -31,21 +31,21 @@ import {
   deleteAllExceptions,
   deleteListsIndex,
   importFile,
-} from '../../../lists_api_integration/utils';
-import { FtrProviderContext } from '../../common/ftr_provider_context';
+} from '../../../../../../lists_api_integration/utils';
 import {
   createRule,
   deleteAllRules,
   deleteAllAlerts,
   executeSetupModuleRequest,
   forceStartDatafeeds,
-  getOpenSignals,
+  getOpenAlerts,
   getPreviewAlerts,
   previewRule,
   previewRuleWithExceptionEntries,
-} from '../../utils';
+} from '../../../utils';
+
+import { FtrProviderContext } from '../../../../../ftr_provider_context';
 
-// eslint-disable-next-line import/no-default-export
 export default ({ getService }: FtrProviderContext) => {
   const supertest = getService('supertest');
   const esArchiver = getService('esArchiver');
@@ -85,7 +85,7 @@ export default ({ getService }: FtrProviderContext) => {
     // First test creates a real rule - remaining tests use preview API
     it('should create 1 alert from ML rule when record meets anomaly_threshold', async () => {
       const createdRule = await createRule(supertest, log, rule);
-      const alerts = await getOpenSignals(supertest, log, es, createdRule);
+      const alerts = await getOpenAlerts(supertest, log, es, createdRule);
       expect(alerts.hits.hits.length).toBe(1);
 
       const signal = alerts.hits.hits[0];
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/mocks/new_terms.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/mocks/new_terms.ts
similarity index 100%
rename from x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/mocks/new_terms.ts
rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/mocks/new_terms.ts
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/new_terms.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/new_terms.ts
similarity index 98%
rename from x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/new_terms.ts
rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/new_terms.ts
index 144d5e9bf51bd..178b9a9ae2736 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/new_terms.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/new_terms.ts
@@ -17,21 +17,21 @@ import {
   createRule,
   deleteAllRules,
   deleteAllAlerts,
-  getOpenSignals,
+  getOpenAlerts,
   getPreviewAlerts,
   previewRule,
-} from '../../utils';
-import { FtrProviderContext } from '../../common/ftr_provider_context';
-import { previewRuleWithExceptionEntries } from '../../utils/preview_rule_with_exception_entries';
-import { deleteAllExceptions } from '../../../lists_api_integration/utils';
-import { dataGeneratorFactory } from '../../utils/data_generator';
+  dataGeneratorFactory,
+  previewRuleWithExceptionEntries,
+} from '../../../utils';
+import { deleteAllExceptions } from '../../../../../../lists_api_integration/utils';
 
-import { removeRandomValuedProperties } from './utils';
+import { removeRandomValuedProperties } from '../../../utils/remove_random_valued_properties';
 
 const historicalWindowStart = '2022-10-13T05:00:04.000Z';
 const ruleExecutionStart = '2022-10-19T05:00:04.000Z';
 
-// eslint-disable-next-line import/no-default-export
+import { FtrProviderContext } from '../../../../../ftr_provider_context';
+
 export default ({ getService }: FtrProviderContext) => {
   const supertest = getService('supertest');
   const esArchiver = getService('esArchiver');
@@ -99,7 +99,7 @@ export default ({ getService }: FtrProviderContext) => {
       };
 
       const createdRule = await createRule(supertest, log, rule);
-      const alerts = await getOpenSignals(supertest, log, es, createdRule);
+      const alerts = await getOpenAlerts(supertest, log, es, createdRule);
       expect(alerts.hits.hits.length).eql(1);
       expect(removeRandomValuedProperties(alerts.hits.hits[0]._source)).eql({
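Review bot: `import { FtrProviderContext } from '../../../../../ftr_provider_context';` is inserted below the `historicalWindowStart`/`ruleExecutionStart` constants, i.e. an import statement after non-import code; this is likely to trip the `import/first` lint rule if it is enabled for this package, and it is inconsistent with every other file in the patch, where the same import sits with the import block. Move that line up to directly after the `deleteAllExceptions` import and drop the extra blank `+` line it introduces before `export default`. Also, `removeRandomValuedProperties` is imported here from the concrete module `'../../../utils/remove_random_valued_properties'`, while the esql.ts hunk in this same patch takes it from the `'../../../utils'` barrel; pick one form (the barrel, since the other helpers here already use it) so the two suites do not drift.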
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/non_ecs_fields.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/non_ecs_fields.ts
similarity index 97%
rename from x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/non_ecs_fields.ts
rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/non_ecs_fields.ts
index 20d2f8e1dc571..afa8a9e9eef78 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/non_ecs_fields.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/non_ecs_fields.ts
@@ -10,18 +10,18 @@ import {
   deleteAllRules,
   deleteAllAlerts,
   getPreviewAlerts,
-  getRuleForSignalTesting,
+  getRuleForAlertTesting,
   previewRule,
-} from '../../utils';
-import { dataGeneratorFactory, enhanceDocument } from '../../utils/data_generator';
-import { FtrProviderContext } from '../../common/ftr_provider_context';
+  dataGeneratorFactory,
+  enhanceDocument,
+} from '../../../utils';
+import { FtrProviderContext } from '../../../../../ftr_provider_context';
 
 const getQueryRule = (docIdToQuery: string) => ({
-  ...getRuleForSignalTesting(['ecs_non_compliant']),
+  ...getRuleForAlertTesting(['ecs_non_compliant']),
   query: `id: "${docIdToQuery}"`,
 });
 
-// eslint-disable-next-line import/no-default-export
 export default ({ getService }: FtrProviderContext) => {
   const supertest = getService('supertest');
   const esArchiver = getService('esArchiver');
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/query.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts
similarity index 95%
rename from x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/query.ts
rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts
index 4c38edaf0cd28..22b14d55261d0 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/query.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts
@@ -45,26 +45,27 @@ import {
   DETECTION_ENGINE_SIGNALS_STATUS_URL,
 } from '@kbn/security-solution-plugin/common/constants';
 import { getMaxSignalsWarning } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/utils/utils';
-import { deleteAllExceptions } from '../../../lists_api_integration/utils';
+import { deleteAllExceptions } from '../../../../../../lists_api_integration/utils';
 import {
   createExceptionList,
   createExceptionListItem,
   createRule,
   deleteAllRules,
   deleteAllAlerts,
-  getOpenSignals,
+  getOpenAlerts,
   getPreviewAlerts,
-  getRuleForSignalTesting,
+  getRuleForAlertTesting,
   getSimpleRule,
   previewRule,
-  setSignalStatus,
+  setAlertStatus,
   getRuleSOById,
+  patchRule,
   createRuleThroughAlertingEndpoint,
   getRuleSavedObjectWithLegacyInvestigationFields,
-} from '../../utils';
-import { FtrProviderContext } from '../../common/ftr_provider_context';
-import { dataGeneratorFactory } from '../../utils/data_generator';
-import { patchRule } from '../../utils/patch_rule';
+  dataGeneratorFactory,
+} from '../../../utils';
+
+import { FtrProviderContext } from '../../../../../ftr_provider_context';
 
 /**
  * Specific _id to use for some of the tests. If the archiver changes and you see errors
@@ -79,7 +80,6 @@ const ID = 'BhbXBmkBR346wHgn4PeZ';
  * [x] - Alerts on alerts
  */
 
-// eslint-disable-next-line import/no-default-export
 export default ({ getService }: FtrProviderContext) => {
   const supertest = getService('supertest');
   const esArchiver = getService('esArchiver');
@@ -109,18 +109,18 @@ export default ({ getService }: FtrProviderContext) => {
     // First test creates a real rule - most remaining tests use preview API
     it('should have the specific audit record for _id or none of these tests below will pass', async () => {
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['auditbeat-*']),
+        ...getRuleForAlertTesting(['auditbeat-*']),
         query: `_id:${ID}`,
       };
       const createdRule = await createRule(supertest, log, rule);
-      const alerts = await getOpenSignals(supertest, log, es, createdRule);
+      const alerts = await getOpenAlerts(supertest, log, es, createdRule);
       expect(alerts.hits.hits.length).greaterThan(0);
       expect(alerts.hits.hits[0]._source?.['kibana.alert.ancestors'][0].id).eql(ID);
     });
 
     it('generates max signals warning when circuit breaker is hit', async () => {
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['auditbeat-*']),
+        ...getRuleForAlertTesting(['auditbeat-*']),
       };
       const { logs } = await previewRule({ supertest, rule });
       expect(logs[0].warnings).contain(getMaxSignalsWarning());
@@ -128,7 +128,7 @@ export default ({ getService }: FtrProviderContext) => {
 
     it("doesn't generate max signals warning when circuit breaker is met but not exceeded", async () => {
       const rule = {
-        ...getRuleForSignalTesting(['auditbeat-*']),
+        ...getRuleForAlertTesting(['auditbeat-*']),
         query: 'process.executable: "/usr/bin/sudo"',
         max_signals: 10,
       };
@@ -139,7 +139,7 @@ export default ({ getService }: FtrProviderContext) => {
     it('should abide by max_signals > 100', async () => {
       const maxSignals = 200;
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['auditbeat-*']),
+        ...getRuleForAlertTesting(['auditbeat-*']),
         max_signals: maxSignals,
       };
       const { previewId } = await previewRule({ supertest, rule });
@@ -150,7 +150,7 @@ export default ({ getService }: FtrProviderContext) => {
 
     it('should have recorded the rule_id within the signal', async () => {
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['auditbeat-*']),
+        ...getRuleForAlertTesting(['auditbeat-*']),
         query: `_id:${ID}`,
       };
       const { previewId } = await previewRule({ supertest, rule });
@@ -160,7 +160,7 @@ export default ({ getService }: FtrProviderContext) => {
 
     it('should query and get back expected signal structure using a basic KQL query', async () => {
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['auditbeat-*']),
+        ...getRuleForAlertTesting(['auditbeat-*']),
         query: `_id:${ID}`,
       };
       const { previewId } = await previewRule({ supertest, rule });
@@ -192,7 +192,7 @@ export default ({ getService }: FtrProviderContext) => {
     it('should query and get back expected signal structure when it is a signal on a signal', async () => {
       const alertId = '30a75fe46d3dbdfab55982036f77a8d60e2d1112e96f277c3b8c22f9bb57817a';
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting([`.alerts-security.alerts-default*`]),
+        ...getRuleForAlertTesting([`.alerts-security.alerts-default*`]),
         rule_id: 'signal-on-signal',
         query: `_id:${alertId}`,
       };
@@ -238,7 +238,7 @@ export default ({ getService }: FtrProviderContext) => {
 
     it('should not have risk score fields without risk indices', async () => {
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['auditbeat-*']),
+        ...getRuleForAlertTesting(['auditbeat-*']),
         query: `_id:${ID}`,
       };
       const { previewId } = await previewRule({ supertest, rule });
@@ -258,7 +258,7 @@ export default ({ getService }: FtrProviderContext) => {
 
     it('should have host and user risk score fields', async () => {
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['auditbeat-*']),
+        ...getRuleForAlertTesting(['auditbeat-*']),
         query: `_id:${ID}`,
       };
       const { previewId } = await previewRule({ supertest, rule });
@@ -277,7 +277,7 @@ export default ({ getService }: FtrProviderContext) => {
      */
     it('should get default severity and risk score if there is no mapping', async () => {
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['signal_overrides']),
+        ...getRuleForAlertTesting(['signal_overrides']),
         severity: 'medium',
         risk_score: 75,
       };
@@ -297,7 +297,7 @@ export default ({ getService }: FtrProviderContext) => {
 
     it('should get overridden severity if the rule has a mapping for it', async () => {
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['signal_overrides']),
+        ...getRuleForAlertTesting(['signal_overrides']),
         severity: 'medium',
         severity_mapping: [
           { field: 'my_severity', operator: 'equals', value: 'sev_900', severity: 'high' },
@@ -334,7 +334,7 @@ export default ({ getService }: FtrProviderContext) => {
 
     it('should get overridden risk score if the rule has a mapping for it', async () => {
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['signal_overrides']),
+        ...getRuleForAlertTesting(['signal_overrides']),
         severity: 'medium',
         risk_score: 75,
         risk_score_mapping: [
@@ -369,7 +369,7 @@ export default ({ getService }: FtrProviderContext) => {
 
     it('should get overridden severity and risk score if the rule has both mappings', async () => {
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['signal_overrides']),
+        ...getRuleForAlertTesting(['signal_overrides']),
         severity: 'medium',
         severity_mapping: [
           { field: 'my_severity', operator: 'equals', value: 'sev_900', severity: 'high' },
@@ -411,7 +411,7 @@ export default ({ getService }: FtrProviderContext) => {
 
     it('should generate signals with name_override field', async () => {
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['auditbeat-*']),
+        ...getRuleForAlertTesting(['auditbeat-*']),
         query: `event.action:boot`,
         rule_name_override: 'event.action',
       };
@@ -428,7 +428,7 @@ export default ({ getService }: FtrProviderContext) => {
 
     it('should not generate duplicate signals', async () => {
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['auditbeat-*']),
+        ...getRuleForAlertTesting(['auditbeat-*']),
         query: `_id:${ID}`,
       };
 
@@ -448,7 +448,7 @@ export default ({ getService }: FtrProviderContext) => {
 
     it('should generate only 1 alert per host name when grouping by host name', async () => {
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['suppression-data']),
+        ...getRuleForAlertTesting(['suppression-data']),
         query: `host.name: "host-0"`,
         alert_suppression: {
           group_by: ['host.name'],
@@ -481,7 +481,7 @@ export default ({ getService }: FtrProviderContext) => {
 
     it('should generate multiple alerts when multiple host names are found', async () => {
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['suppression-data']),
+        ...getRuleForAlertTesting(['suppression-data']),
         query: `host.name: *`,
         alert_suppression: {
           group_by: ['host.name'],
@@ -521,7 +521,7 @@ export default ({ getService }: FtrProviderContext) => {
 
     it('should generate alerts when using multiple group by fields', async () => {
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['suppression-data']),
+        ...getRuleForAlertTesting(['suppression-data']),
         query: `host.name: *`,
         alert_suppression: {
           group_by: ['host.name', 'source.ip'],
@@ -564,7 +564,7 @@ export default ({ getService }: FtrProviderContext) => {
 
     it('should not count documents that were covered by previous alerts', async () => {
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['suppression-data']),
+        ...getRuleForAlertTesting(['suppression-data']),
         query: `host.name: *`,
         alert_suppression: {
           group_by: ['host.name', 'source.ip'],
@@ -632,7 +632,7 @@ export default ({ getService }: FtrProviderContext) => {
     // so we expect 2 groups to be created from the single document
     it('should generate multiple alerts for a single doc in multiple groups', async () => {
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['suppression-data']),
+        ...getRuleForAlertTesting(['suppression-data']),
         query: `*:*`,
         alert_suppression: {
           group_by: ['destination.ip'],
@@ -689,7 +689,7 @@ export default ({ getService }: FtrProviderContext) => {
       // The last alert, with null for destination.ip, should be found by the first rule run but not duplicated
       // by the second run.
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['suppression-data']),
+        ...getRuleForAlertTesting(['suppression-data']),
         query: `*:*`,
         alert_suppression: {
           group_by: ['destination.ip'],
@@ -760,7 +760,7 @@ export default ({ getService }: FtrProviderContext) => {
       await indexListOfDocuments([firstDocument, firstDocument]);
 
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['ecs_compliant']),
+        ...getRuleForAlertTesting(['ecs_compliant']),
         rule_id: 'rule-2',
         query: `id:${id}`,
         alert_suppression: {
@@ -772,7 +772,7 @@ export default ({ getService }: FtrProviderContext) => {
         },
       };
       const createdRule = await createRule(supertest, log, rule);
-      const alerts = await getOpenSignals(supertest, log, es, createdRule);
+      const alerts = await getOpenAlerts(supertest, log, es, createdRule);
       expect(alerts.hits.hits.length).eql(1);
       expect(alerts.hits.hits[0]._source).to.eql({
         ...alerts.hits.hits[0]._source,
@@ -802,7 +802,7 @@ export default ({ getService }: FtrProviderContext) => {
       await patchRule(supertest, log, { id: createdRule.id, enabled: false });
       await patchRule(supertest, log, { id: createdRule.id, enabled: true });
       const afterTimestamp = new Date();
-      const secondAlerts = await getOpenSignals(
+      const secondAlerts = await getOpenAlerts(
         supertest,
         log,
         es,
@@ -841,7 +841,7 @@ export default ({ getService }: FtrProviderContext) => {
       await indexListOfDocuments([firstDocument, firstDocument]);
 
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['ecs_compliant']),
+        ...getRuleForAlertTesting(['ecs_compliant']),
         rule_id: 'rule-2',
         query: `id:${id}`,
         alert_suppression: {
@@ -853,7 +853,7 @@ export default ({ getService }: FtrProviderContext) => {
         },
       };
       const createdRule = await createRule(supertest, log, rule);
-      const alerts = await getOpenSignals(supertest, log, es, createdRule);
+      const alerts = await getOpenAlerts(supertest, log, es, createdRule);
 
       // Close the alert. Subsequent rule executions should ignore this closed alert
       // for suppression purposes.
@@ -861,7 +861,7 @@ export default ({ getService }: FtrProviderContext) => {
       await supertest
         .post(DETECTION_ENGINE_SIGNALS_STATUS_URL)
         .set('kbn-xsrf', 'true')
-        .send(setSignalStatus({ signalIds: alertIds, status: 'closed' }))
+        .send(setAlertStatus({ alertIds, status: 'closed' }))
         .expect(200);
 
       const secondTimestamp = new Date().toISOString();
@@ -878,7 +878,7 @@ export default ({ getService }: FtrProviderContext) => {
       await patchRule(supertest, log, { id: createdRule.id, enabled: false });
       await patchRule(supertest, log, { id: createdRule.id, enabled: true });
       const afterTimestamp = new Date();
-      const secondAlerts = await getOpenSignals(
+      const secondAlerts = await getOpenAlerts(
         supertest,
         log,
         es,
@@ -922,7 +922,7 @@ export default ({ getService }: FtrProviderContext) => {
 
     it('should generate an alert per rule run when duration is less than rule interval', async () => {
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['suppression-data']),
+        ...getRuleForAlertTesting(['suppression-data']),
         query: `host.name: "host-0"`,
         alert_suppression: {
           group_by: ['host.name'],
@@ -981,7 +981,7 @@ export default ({ getService }: FtrProviderContext) => {
 
     it('should update an existing alert in the time window', async () => {
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['suppression-data']),
+        ...getRuleForAlertTesting(['suppression-data']),
         query: `host.name: "host-0"`,
         alert_suppression: {
           group_by: ['host.name'],
@@ -1025,7 +1025,7 @@ export default ({ getService }: FtrProviderContext) => {
 
     it('should update the correct alerts based on group_by field-value pair', async () => {
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['suppression-data']),
+        ...getRuleForAlertTesting(['suppression-data']),
         query: `host.name: *`,
         alert_suppression: {
           group_by: ['host.name'],
@@ -1099,7 +1099,7 @@ export default ({ getService }: FtrProviderContext) => {
 
     it('should update the correct alerts based on group_by field-value pair even when value is null', async () => {
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['suppression-data']),
+        ...getRuleForAlertTesting(['suppression-data']),
         query: `host.name: *`,
         alert_suppression: {
           group_by: ['destination.ip'], // Only 1 document populates destination.ip
@@ -1162,7 +1162,7 @@ export default ({ getService }: FtrProviderContext) => {
       await indexListOfDocuments([docWithoutOverride, docWithOverride]);
 
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['ecs_compliant']),
+        ...getRuleForAlertTesting(['ecs_compliant']),
         query: `id:${id}`,
         alert_suppression: {
           group_by: ['agent.name'],
@@ -1226,7 +1226,7 @@ export default ({ getService }: FtrProviderContext) => {
       );
 
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['ecs_compliant']),
+        ...getRuleForAlertTesting(['ecs_compliant']),
         query: `id:${id}`,
         alert_suppression: {
           group_by: ['agent.name'],
@@ -1313,7 +1313,7 @@ export default ({ getService }: FtrProviderContext) => {
       await indexListOfDocuments([firstDoc, secondDoc, thirdDoc]);
 
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['ecs_compliant']),
+        ...getRuleForAlertTesting(['ecs_compliant']),
         query: `id:${id}`,
         alert_suppression: {
           group_by: ['agent.name'],
@@ -1383,7 +1383,7 @@ export default ({ getService }: FtrProviderContext) => {
 
     it('should be enriched with host risk score', async () => {
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['suppression-data']),
+        ...getRuleForAlertTesting(['suppression-data']),
         query: `host.name: "host-0"`,
         alert_suppression: {
           group_by: ['host.name'],
@@ -1474,7 +1474,7 @@ export default ({ getService }: FtrProviderContext) => {
       ]);
 
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['ecs_compliant']),
+        ...getRuleForAlertTesting(['ecs_compliant']),
         query: `id:${id}`,
         alert_suppression: {
           group_by: ['agent.name'],
@@ -1545,7 +1545,7 @@ export default ({ getService }: FtrProviderContext) => {
       ]);
 
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['ecs_compliant']),
+        ...getRuleForAlertTesting(['ecs_compliant']),
         query: `id:${id}`,
         alert_suppression: {
           group_by: ['agent.name'],
@@ -1600,7 +1600,7 @@ export default ({ getService }: FtrProviderContext) => {
       await indexListOfDocuments([firstDoc, firstDoc]);
 
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['ecs_compliant']),
+        ...getRuleForAlertTesting(['ecs_compliant']),
         query: `id:${id}`,
         alert_suppression: {
           group_by: ['agent.name'],
@@ -1654,7 +1654,7 @@ export default ({ getService }: FtrProviderContext) => {
       await indexListOfDocuments([firstDoc, firstDoc]);
 
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['ecs_compliant']),
+        ...getRuleForAlertTesting(['ecs_compliant']),
         query: `id:${id}`,
         alert_suppression: {
           group_by: ['agent.name'],
@@ -1752,7 +1752,7 @@ export default ({ getService }: FtrProviderContext) => {
       ]);
 
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['ecs_compliant']),
+        ...getRuleForAlertTesting(['ecs_compliant']),
         query: `id:${id}`,
         alert_suppression: {
           group_by: ['agent.name', 'agent.version'],
@@ -1831,7 +1831,7 @@ export default ({ getService }: FtrProviderContext) => {
       ]);
 
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['ecs_compliant']),
+        ...getRuleForAlertTesting(['ecs_compliant']),
         query: `id:${id}`,
         alert_suppression: {
           group_by: ['agent.name', 'agent.version'],
@@ -1898,7 +1898,7 @@ export default ({ getService }: FtrProviderContext) => {
       });
       it('should create suppressed alerts for single host.name when rule configure with suppress', async () => {
         const rule: QueryRuleCreateProps = {
-          ...getRuleForSignalTesting(['ecs_compliant']),
+          ...getRuleForAlertTesting(['ecs_compliant']),
           query: `id:${id}`,
           alert_suppression: {
             group_by: ['agent.name'],
@@ -1965,7 +1965,7 @@ export default ({ getService }: FtrProviderContext) => {
 
       it('should create unsuppressed alerts for single host.name', async () => {
         const rule: QueryRuleCreateProps = {
-          ...getRuleForSignalTesting(['ecs_compliant']),
+          ...getRuleForAlertTesting(['ecs_compliant']),
           query: `id:${id}`,
           alert_suppression: {
             group_by: ['agent.name'],
@@ -2076,7 +2076,7 @@ export default ({ getService }: FtrProviderContext) => {
       });
 
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['auditbeat-*']),
+        ...getRuleForAlertTesting(['auditbeat-*']),
         query: `_id:${ID} or _id:GBbXBmkBR346wHgn5_eR or _id:x10zJ2oE9v5HJNSHhyxi`,
         exceptions_list: [{ id, list_id: listId, type, namespace_type: namespaceType }],
       };
@@ -2119,7 +2119,7 @@ export default ({ getService }: FtrProviderContext) => {
       });
 
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['auditbeat-*']),
+        ...getRuleForAlertTesting(['auditbeat-*']),
         query: `_id:${ID} or _id:GBbXBmkBR346wHgn5_eR or _id:x10zJ2oE9v5HJNSHhyxi`,
         exceptions_list: [{ id, list_id: listId, type, namespace_type: namespaceType }],
       };
@@ -2157,7 +2157,7 @@ export default ({ getService }: FtrProviderContext) => {
       await indexEnhancedDocuments({ documents: [firstDoc, firstDoc, secondDoc], id });
 
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['ecs_compliant']),
+        ...getRuleForAlertTesting(['ecs_compliant']),
         query: `id:${id} AND agent.n*: test-1`,
         from: 'now-1h',
         interval: '1h',
@@ -2188,7 +2188,7 @@ export default ({ getService }: FtrProviderContext) => {
       await indexEnhancedDocuments({ documents: [firstDoc, firstDoc, secondDoc], id });
 
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['ecs_compliant']),
+        ...getRuleForAlertTesting(['ecs_compliant']),
         query: `id:${id} AND NOT agent.na*: "test-1"`,
         from: 'now-1h',
         interval: '1h',
@@ -2215,7 +2215,7 @@ export default ({ getService }: FtrProviderContext) => {
       await indexEnhancedDocuments({ documents: [firstDoc, secondDoc, thirdDoc], id });
 
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['ecs_compliant']),
+        ...getRuleForAlertTesting(['ecs_compliant']),
         query: `id:${id} AND agent*: "test-1"`,
         from: 'now-1h',
         interval: '1h',
@@ -2249,7 +2249,7 @@ export default ({ getService }: FtrProviderContext) => {
       await indexEnhancedDocuments({ documents: [firstDoc, secondDoc, thirdDoc], id });
 
       const rule: QueryRuleCreateProps = {
-        ...getRuleForSignalTesting(['ecs_compliant']),
+        ...getRuleForAlertTesting(['ecs_compliant']),
         query: `id:${id} AND agent.\\*: test-1`,
         from: 'now-1h',
         interval: '1h',
@@ -2317,7 +2317,7 @@ export default ({ getService }: FtrProviderContext) => { .set('elastic-api-version', '2023-10-31') .expect(200); - const alertsAfterEnable = await getOpenSignals(supertest, log, es, ruleBody, 'succeeded'); + const alertsAfterEnable = await getOpenAlerts(supertest, log, es, ruleBody, 'succeeded'); expect(alertsAfterEnable.hits.hits.length > 0).eql(true); }); }); diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/saved_query.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/saved_query.ts similarity index 88% rename from x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/saved_query.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/saved_query.ts index ed7173133f9f3..9c7bd7db2b690 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/saved_query.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/saved_query.ts @@ -20,10 +20,10 @@ import { createRule, deleteAllRules, deleteAllAlerts, - getOpenSignals, - getRuleForSignalTesting, -} from '../../utils'; -import { FtrProviderContext } from '../../common/ftr_provider_context'; + getOpenAlerts, + getRuleForAlertTesting, +} from '../../../utils'; +import { FtrProviderContext } from '../../../../../ftr_provider_context'; /** * Specific _id to use for some of the tests. If the archiver changes and you see errors 
@@ -31,7 +31,6 @@ import { FtrProviderContext } from '../../common/ftr_provider_context'; */ const ID = 'BhbXBmkBR346wHgn4PeZ'; -// eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext) => { const supertest = getService('supertest'); const esArchiver = getService('esArchiver'); @@ -52,13 +51,13 @@ export default ({ getService }: FtrProviderContext) => { // First test creates a real rule - remaining tests use preview API it('should query and get back expected signal structure using a saved query rule', async () => { const rule: SavedQueryRuleCreateProps = { - ...getRuleForSignalTesting(['auditbeat-*']), + ...getRuleForAlertTesting(['auditbeat-*']), type: 'saved_query', query: `_id:${ID}`, saved_id: 'doesnt-exist', }; const createdRule = await createRule(supertest, log, rule); - const alerts = await getOpenSignals(supertest, log, es, createdRule); + const alerts = await getOpenAlerts(supertest, log, es, createdRule); const signal = alerts.hits.hits[0]._source; expect(signal).eql({ ...signal, diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/threat_match.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threat_match.ts similarity index 99% rename from x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/threat_match.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threat_match.ts index efed9c26375e2..fb71213444d3a 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/threat_match.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threat_match.ts 
@@ -38,13 +38,14 @@ import { RuleExecutionStatusEnum } from '@kbn/security-solution-plugin/common/ap import { getMaxSignalsWarning } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/utils/utils'; import { previewRule, - getOpenSignals, + getOpenAlerts, getPreviewAlerts, deleteAllAlerts, deleteAllRules, createRule, -} from '../../utils'; -import { FtrProviderContext } from '../../common/ftr_provider_context'; +} from '../../../utils'; +import { FtrProviderContext } from '../../../../../ftr_provider_context'; + const format = (value: unknown): string => JSON.stringify(value, null, 2); // Asserts that each expected value is included in the subject, independent of @@ -138,8 +139,6 @@ function alertsAreTheSame(alertsA: any[], alertsB: any[]): void { expect(sort(alertsA.map(mapAlert))).to.eql(sort(alertsB.map(mapAlert))); } - -// eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext) => { const esArchiver = getService('esArchiver'); const supertest = getService('supertest'); @@ -168,7 +167,7 @@ export default ({ getService }: FtrProviderContext) => { const rule: ThreatMatchRuleCreateProps = createThreatMatchRule(); const createdRule = await createRule(supertest, log, rule); - const alerts = await getOpenSignals( + const alerts = await getOpenAlerts( supertest, log, es, @@ -349,7 +348,7 @@ export default ({ getService }: FtrProviderContext) => { }); const createdRule = await createRule(supertest, log, rule); - const alerts = await getOpenSignals( + const alerts = await getOpenAlerts( supertest, log, es, @@ -552,7 +551,7 @@ export default ({ getService }: FtrProviderContext) => { const createdRuleTerm = await createRule(supertest, log, termRule); const createdRuleMatch = await createRule(supertest, log, matchRule); - const alertsTerm = await getOpenSignals( + const alertsTerm = await getOpenAlerts( supertest, log, es, 
@@ -560,7 +559,7 @@ export default ({ getService }: FtrProviderContext) => { RuleExecutionStatusEnum.succeeded, 100 ); - const alertsMatch = await getOpenSignals( + const alertsMatch = await getOpenAlerts( supertest, log, es, diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/threshold.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threshold.ts similarity index 97% rename from x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/threshold.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threshold.ts index 36f41da15e1ee..4ec235a54c8fc 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/threshold.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threshold.ts @@ -24,14 +24,13 @@ import { import { getMaxSignalsWarning } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/utils/utils'; import { createRule, - getOpenSignals, + getOpenAlerts, getPreviewAlerts, getThresholdRuleForSignalTesting, previewRule, -} from '../../utils'; -import { FtrProviderContext } from '../../common/ftr_provider_context'; +} from '../../../utils'; +import { FtrProviderContext } from '../../../../../ftr_provider_context'; -// eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext) => { const supertest = getService('supertest'); const esArchiver = getService('esArchiver'); 
@@ -57,7 +56,7 @@ export default ({ getService }: FtrProviderContext) => { }, }; const createdRule = await createRule(supertest, log, rule); - const alerts = await getOpenSignals(supertest, log, es, createdRule); + const alerts = await getOpenAlerts(supertest, log, es, createdRule); expect(alerts.hits.hits.length).eql(1); const fullSignal = alerts.hits.hits[0]._source; if (!fullSignal) { @@ -323,7 +322,7 @@ export default ({ getService }: FtrProviderContext) => { }, }; const createdRule = await createRule(supertest, log, rule); - const alerts = await getOpenSignals(supertest, log, es, createdRule); + const alerts = await getOpenAlerts(supertest, log, es, createdRule); expect(alerts.hits.hits.length).eql(1); }); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/alerts/get_preview_alerts.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/alerts/get_preview_alerts.ts new file mode 100644 index 0000000000000..744027c3fd4eb --- /dev/null +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/alerts/get_preview_alerts.ts 
@@ -0,0 +1,48 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { Client } from '@elastic/elasticsearch';
+import { ALERT_RULE_UUID } from '@kbn/rule-data-utils';
+import { DetectionAlert } from '@kbn/security-solution-plugin/common/api/detection_engine';
+import { RiskEnrichmentFields } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/utils/enrichments/types';
+import { refreshIndex } from '../refresh_index';
+
+/**
+ * Refresh an index, making changes available to search.
+ * Useful for tests where we want to ensure that a rule does NOT create alerts, e.g. testing exceptions.
+ * @param es The ElasticSearch handle
+ */
+export const getPreviewAlerts = async ({
+ es,
+ previewId,
+ size,
+ sort,
+}: {
+ es: Client;
+ previewId: string;
+ size?: number;
+ sort?: string[];
+}) => {
+ const index = '.preview.alerts-security.alerts-*';
+ await refreshIndex(es, index);
+ const query = {
+ bool: {
+ filter: {
+ term: {
+ [ALERT_RULE_UUID]: previewId,
+ },
+ },
+ },
+ };
+ const result = await es.search({
+ index,
+ size,
+ query,
+ sort,
+ });
+ return result.hits.hits;
+};
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/alerts/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/alerts/index.ts
index ce29837b34f6e..5c698b24d5ba9 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/alerts/index.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/alerts/index.ts
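Review bot: The JSDoc above `getPreviewAlerts` describes `refreshIndex` ("Refresh an index, making changes available to search … @param es The ElasticSearch handle") rather than this function, so a reader is told the wrong contract. Replace it with something like `Returns the alerts written by a preview run, looked up by the preview id stored in ALERT_RULE_UUID; the preview alerts index is refreshed first so freshly written documents are searchable.` plus `@param previewId`, `@param size` and `@param sort` entries. Separately, when `size` is omitted the search falls back to Elasticsearch's default hit count, so a test that asserts on `.length` without passing `size` can silently under-count once a preview yields more hits than that default; either default `size` explicitly in the destructuring or state the limitation in the comment.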
@@ -19,4 +19,5 @@ export * from './set_alert_status'; export * from './get_alert_status_empty_response'; export * from './get_query_alert_ids'; export * from './set_alert_tags'; +export * from './get_preview_alerts'; export * from './migrations'; diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/README.md b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/README.md new file mode 100644 index 0000000000000..e737e7b133929 --- /dev/null +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/README.md @@ -0,0 +1,606 @@ +# Data Generator for functional tests + +Helper to generate and index documents for using in Kibana functional tests + +- [Data Generator for functional tests](#data-generator-for-functional-tests) + - [DataGenerator](#datagenerator) + - [Initialization](#initialization) + - [Prerequisites](#prerequisites) + - [dataGeneratorFactory](#datageneratorfactory) + - [methods](#methods) + - [**indexListOfDocuments**](#indexlistofdocuments) + - [**indexGeneratedDocuments**](#indexgenerateddocuments) + - [**indexEnhancedDocuments**](#indexenhanceddocuments) + - [Utils](#utils) + - [**generateDocuments**](#generatedocuments) + - [**enhanceDocument**](#enhancedocument) + - [**enhanceDocuments**](#enhancedocuments) + - [Usage](#usage) + - [create test query rule that queries indexed documents within a test](#create-test-query-rule-that-queries-indexed-documents-within-a-test) + +## DataGenerator + +### Initialization + + +#### Prerequisites +1. Create index mappings in `x-pack/test/functional/es_archives/security_solution` + - create folder for index `foo_bar` + - add mappings file `mappings.json` in it + +
+ x-pack/test/functional/es_archives/security_solution/foo_bar/mappings.json + + ```JSON + { + "type": "index", + "value": { + "index": "foo_bar", + "mappings": { + "properties": { + "id": { + "type": "keyword" + }, + "@timestamp": { + "type": "date" + }, + "foo": { + "type": "keyword" + }, + } + }, + "settings": { + "index": { + "number_of_replicas": "1", + "number_of_shards": "1" + } + } + } + } + ``` +
+2. Add in `before` of the test file index initialization + + ```ts + const esArchiver = getService('esArchiver'); + + before(async () => { + await esArchiver.load( + 'x-pack/test/functional/es_archives/security_solution/foo_bar' + ); + }); + + ``` + +3. Add in `after` of the test file index removal + + ```ts + const esArchiver = getService('esArchiver'); + + before(async () => { + await esArchiver.unload( + 'x-pack/test/functional/es_archives/security_solution/foo_bar' + ); + }); + + ``` + +#### dataGeneratorFactory + +`DataGeneratorParams` + +| Property | Description | Type | +| --------------- | ------------------------------------------------------ | ------ | +| es | ES client | `ESClient` | +| index | index where document will be added | `string` | +| log | log client | `LogClient`| + +1. import and initialize factory + + ```ts + import { dataGeneratorFactory } from '../../utils/data_generator'; + + const es = getService('es'); + const log = getService('log'); + + const { indexListOfDocuments, indexGeneratedDocuments } = dataGeneratorFactory({ + es, + index: 'foo_bar', + log, + }); + + ``` +2. Factory will return 2 methods which can be used to index documents into `foo_bar` + +where `getService` is method from `FtrProviderContext` + +### methods + +#### **indexListOfDocuments** + +| Property | Description | Type | +| --------------- | ------------------------------------------------------ | ------ | +| documents | list of documents to index | `Record` | + +Will index list of documents to `foo_bar` index as defined in `dataGeneratorFactory` params + +```ts + await indexListOfDocuments([{ foo: "bar" }, { id: "test-1" }]) + +``` + +#### **indexGeneratedDocuments** + +Will generate 10 documents in defined interval and index them in `foo_bar` index as defined in `dataGeneratorFactory` params +Method receives same parameters as [generateDocuments](#generateDocuments) util. 
+ +```ts + await indexGeneratedDocuments({ + docsCount: 10, + interval: ['2020-10-28T07:30:00.000Z', '2020-10-30T07:30:00.000Z'], + seed: (i, id, timestamp) => ({ id, '@timestamp': timestamp, seq: i }) + }) + +``` + +#### **indexEnhancedDocuments** + +Will index list of enhanced documents to `foo_bar` index as defined in `dataGeneratorFactory` params +Method receives same parameters as [enhanceDocuments](#enhanceDocuments) util. + +```ts + await indexEnhancedDocuments({ + interval: ['1996-02-15T13:02:37.531Z', '2000-02-15T13:02:37.531Z'], + documents: [{ foo: 'bar' }, { foo: 'bar-1' }, { foo: 'bar-2' }] + }) + +``` + +## Utils + +### **generateDocuments** + +Util `generateDocuments` can generate list of documents based on basic seed function + + Seed callback will receive sequential number of document of document, generated id, timestamp. + Can be used to generate custom document with large set of options depends on needs. See examples below. + + | Property | Description | Type | + | --------------- | ------------------------------------------------------ | ------ | + | docsCount | number of documents to generate | `number` | + | seed | function that receives sequential number of document, generated id, timestamp as arguments and can used it create a document | `(index: number, id: string, timestamp: string) => Document` | + | interval | interval in which generate documents, defined by '@timestamp' field | `[string \| Date string \| Date]` _(optional)_ | + +Examples: + + 1. Generate 10 documents with random id, timestamp in interval between '2020-10-28T07:30:00.000Z', '2020-10-30T07:30:00.000Z', and field `seq` that represents sequential number of document + + ```ts + + const documents = generateDocuments({ + docsCount: 10, + interval: ['2020-10-28T07:30:00.000Z', '2020-10-30T07:30:00.000Z'], + seed: (i, id, timestamp) => ({ id, '@timestamp': timestamp, seq: i }) + }) + ``` + +
+Generated docs + + ```JSON + [ + { + "id": "87d3d231-13c8-4d03-9ae4-d40781b3b2d1", + "@timestamp": "2020-10-30T04:00:55.790Z", + "seq": 0 + }, + { + "id": "90b99797-d0da-460d-86fd-eca40bedff39", + "@timestamp": "2020-10-28T08:43:01.117Z", + "seq": 1 + }, + { + "id": "809c05be-f401-4e31-86e1-55be8af4fac4", + "@timestamp": "2020-10-29T15:06:23.054Z", + "seq": 2 + }, + { + "id": "a2720f82-5401-4eab-b2eb-444a8425c937", + "@timestamp": "2020-10-29T23:19:47.790Z", + "seq": 3 + }, + { + "id": "e36e4418-4e89-4388-97df-97085b3fca92", + "@timestamp": "2020-10-29T09:14:00.966Z", + "seq": 4 + }, + { + "id": "4747adb3-0603-4651-8c0f-0c7df037f779", + "@timestamp": "2020-10-28T14:23:50.500Z", + "seq": 5 + }, + { + "id": "1fbfd873-b0ca-4cda-9c96-9a044622e712", + "@timestamp": "2020-10-28T10:00:20.995Z", + "seq": 6 + }, + { + "id": "9173cf93-1f9f-4f91-be5e-1e6888cb3aae", + "@timestamp": "2020-10-28T08:52:27.830Z", + "seq": 7 + }, + { + "id": "53245337-e383-4b28-9975-acbd79901b7c", + "@timestamp": "2020-10-29T08:58:02.385Z", + "seq": 8 + }, + { + "id": "0c700d33-df10-426e-8f71-677f437923ec", + "@timestamp": "2020-10-29T16:33:10.240Z", + "seq": 9 + } + ] + ``` + +
+ + 2. Generate 3 identical documents `{foo: bar}` + + ```ts + + const documents = generateDocuments({ + docsCount: 3, + seed: () => ({ foo: 'bar' }) + }) + ``` + +
+Generated docs + + ```JSON + [ + { + "foo": "bar" + }, + { + "foo": "bar" + }, + { + "foo": "bar" + } + ] + ``` + +
+ + 3. Generate 5 documents with custom ingested timestamp, with no interval. If interval not defined, timestamp will be current time + + ```ts + + const documents = generateDocuments({ + docsCount: 5, + seed: (i, id, timestamp) => ({ foo: 'bar', event: { ingested: timestamp } }) + }) + ``` + +
+Generated docs + + ```JSON + [ + { + "foo": "bar", + "event": { + "ingested": "2023-02-15T13:02:37.531Z" + } + }, + { + "foo": "bar", + "event": { + "ingested": "2023-02-15T13:02:37.531Z" + } + }, + { + "foo": "bar", + "event": { + "ingested": "2023-02-15T13:02:37.531Z" + } + }, + { + "foo": "bar", + "event": { + "ingested": "2023-02-15T13:02:37.531Z" + } + }, + { + "foo": "bar", + "event": { + "ingested": "2023-02-15T13:02:37.531Z" + } + } + ] + ``` + +
+ + 4. Generate 4 documents with custom if based on sequential number id + + ```ts + + const documents = generateDocuments({ + docsCount: 4, + seed: (i) => ({ foo: 'bar', id: `id-${i}`}) + }) + ``` + +
+Generated docs + + ```JSON + [ + { + "foo": "bar", + "id": "id-0" + }, + { + "foo": "bar", + "id": "id-1" + }, + { + "foo": "bar", + "id": "id-2" + }, + { + "foo": "bar", + "id": "id-3" + } + ] + ``` + +
+ + +### **enhanceDocument** + +Adds generated `uuidv4` id and current time as `@timestamp` to document if `id`, `timestamp` params are not specified + + +`EnhanceDocumentOptions` + +| Property | Description | Type | +| --------------- | ------------------------------------------------------ | ------ | +| id | id for document | `string` _(optional)_ | +| timestamp | timestamp for document | `string` _(optional)_ | +| document | document to enhance | `Record` | + +Examples: + +1. Enhance document with generated `uuidv4` id and current time as `@timestamp` + + ```ts + const document = enhanceDocument({ + document: { foo: 'bar' }, + }); + ``` +
+ document + + ```JSON + { + "foo": "bar", + "id": "b501a64f-0dd4-4275-a38c-889be6a15a4d", + "@timestamp": "2023-02-15T17:21:21.429Z" + } + ``` + +
+ +2. Enhance document with generated `uuidv4` id and predefined timestamp + + + ```ts + const document = enhanceDocument({ + timestamp: '1996-02-15T13:02:37.531Z', + document: { foo: 'bar' }, + }); + ``` +
+ document + + ```JSON + { + "foo": "bar", + "id": "7b7460bf-e173-4744-af15-2c01ac52963b", + "@timestamp": "1996-02-15T13:02:37.531Z" + } + ``` + +
+ +3. Enhance document with predefined id and and current time as `@timestamp` + + + ```ts + const document = enhanceDocument({ + id: 'test-id', + document: { foo: 'bar' }, + }); + ``` +
+ document + + ```JSON + { + "foo": "bar", + "id": "test-id", + "@timestamp": "2023-02-15T17:21:21.429Z" + } + ``` +
+ +### **enhanceDocuments** + + + +Adds generated `uuidv4` `id` property to list of documents if `id` parameter is not specified. +Adds `@timestamp` in defined interval to list of documents. If it's not specified, `@timestamp` will be added as current time + +| Property | Description | Type | +| --------------- | ------------------------------------------------------ | ------ | +| documents | documents to enhance | `Record[]` | +| id | id for documents | `string` _(optional)_ | +| interval | interval in which generate documents, defined by '@timestamp' field | `[string \| Date string \| Date]` _(optional)_ | + +Examples: + +1. Enhance documents with generated `uuidv4` id and current time as `@timestamp` + + ```ts + const documents = enhanceDocuments({ + documents: [{ foo: 'bar' }, { foo: 'bar-1' }, { foo: 'bar-2' }] + }); + ``` +
+ documents + + ```JSON + [ + { + "foo": "bar", + "id": "c55ddd6b-3cf2-4ebf-94d6-4eeeb4e5b655", + "@timestamp": "2023-02-16T16:43:13.573Z" + }, + { + "foo": "bar-1", + "id": "61b157b9-5f1f-4d99-a5bf-072069f5139d", + "@timestamp": "2023-02-16T16:43:13.573Z" + }, + { + "foo": "bar-2", + "id": "04929927-6d9e-4ccc-b083-250e3fe2d7a7", + "@timestamp": "2023-02-16T16:43:13.573Z" + } + ] + ``` + +
+ +2. Enhance document with generated `uuidv4` id and timestamp in predefined interval + + ```ts + const documents = enhanceDocuments({ + interval: ['1996-02-15T13:02:37.531Z', '2000-02-15T13:02:37.531Z'], + documents: [{ foo: 'bar' }, { foo: 'bar-1' }, { foo: 'bar-2' }] + }); + ``` +
+ documents + + ```JSON + [ + { + "foo": "bar", + "id": "883a67cb-0a57-4711-bdf9-e8a394a52460", + "@timestamp": "1998-07-04T15:16:46.587Z" + }, + { + "foo": "bar-1", + "id": "70691d9e-1030-412f-8ae1-c6db50e90e91", + "@timestamp": "1998-05-15T07:00:52.339Z" + }, + { + "foo": "bar-2", + "id": "b2140328-5cc4-4532-947e-30b8fd830ed7", + "@timestamp": "1999-09-01T21:50:38.957Z" + } + ] + ``` + +
+ +3. Enhance documents with predefined id and and current time as `@timestamp` + + ```ts + const documents = enhanceDocuments({ + id: 'test-id', + documents: [{ foo: 'bar' }, { foo: 'bar-1' }, { foo: 'bar-2' }] + }); + ``` +
+ documents + + ```JSON + [ + { + "foo": "bar", + "id": "test-id", + "@timestamp": "2023-02-16T16:43:13.574Z" + }, + { + "foo": "bar-1", + "id": "test-id", + "@timestamp": "2023-02-16T16:43:13.574Z" + }, + { + "foo": "bar-2", + "id": "test-id", + "@timestamp": "2023-02-16T16:43:13.574Z" + } + ] + + ``` +
+ +## Usage + +### create test query rule that queries indexed documents within a test + +When documents generated and indexed, there might be a need to create a test rule that targets only these documents. So, documents generated in the test, will be used only in context of this test. + +There are few possible ways to do this + +1. Create new index every time for a new test. Thus, newly indexed documents, will be the only documents present in test index. It might be costly operation, as it will require to create new index for each test, that re-initialize dataGeneratorFactory, or delete index after rule's run + +2. Use the same id or specific field in documents. + For example: + + ```ts + + const id = uuidv4(); + const firstTimestamp = new Date().toISOString(); + const firstDocument = { + id, + '@timestamp': firstTimestamp, + agent: { + name: 'agent-1', + }, + }; + await indexListOfDocuments([firstDocument, firstDocument]); + + const rule: QueryRuleCreateProps = { + ...getRuleForSignalTesting(['ecs_compliant']), + query: `id:${id}`, + }; + + + ``` + + All documents will have the same `id` and can be queried by following `id:${id}` + +3. Use utility method `getKQLQueryFromDocumentList` that will create query from all ids in generated documents + + ```ts + const { documents } = await indexGeneratedDocuments({ + docsCount: 4, + document: { foo: 'bar' }, + enhance: true, + }); + + const query = getKQLQueryFromDocumentList(documents); + const rule = { + ...getRuleForSignalTesting(['ecs_non_compliant']), + query, + }; + ``` + + util will generate the following query: `(id: "f6ca3ee1-407c-4685-a94b-11ef4ed5136b" or id: "2a7358b2-8cad-47ce-83b7-e4418c266f3e" or id: "9daec569-0ba1-4c46-a0c6-e340cee1c5fb" or id: "b03c2fdf-0ca1-447c-b8c6-2cc5a663ffe2")`, that will include all generated documents \ No newline at end of file 
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/data_generator_factory.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/data_generator_factory.ts new file mode 100644 index 0000000000000..7842d105e40b0 --- /dev/null +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/data_generator_factory.ts 
@@ -0,0 +1,75 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { Client } from '@elastic/elasticsearch';
+import { ToolingLog } from '@kbn/tooling-log';
+import type { BulkResponse } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
+import { indexDocuments } from './index_documents';
+import { generateDocuments } from './generate_documents';
+import { enhanceDocuments, EnhanceDocumentsOptions } from './enhance_documents';
+import type { GenerateDocumentsParams } from './generate_documents';
+import type { Document } from './types';
+
+interface DataGeneratorParams {
+ es: Client;
+ documents: Array>;
+ index: string;
+ log: ToolingLog;
+}
+
+interface DataGeneratorResponse {
+ response: BulkResponse;
+ documents: Document[];
+}
+
+interface DataGenerator {
+ indexListOfDocuments: (docs: Document[]) => Promise;
+ indexGeneratedDocuments: (params: GenerateDocumentsParams) => Promise;
+ indexEnhancedDocuments: (params: EnhanceDocumentsOptions) => Promise;
+}
+
+/**
+ * initialize {@link DataGenerator}
+ * @param param.es - ES client
+ * @param params.index - index where document will be added
+ * @param params.log - logClient
+ * @returns methods of {@link DataGenerator}
+ */
+export const dataGeneratorFactory = ({
+ es,
+ index,
+ log,
+}: Omit): DataGenerator => {
+ return {
+ indexListOfDocuments: async (documents: DataGeneratorParams['documents']) => {
+ const response = await indexDocuments({ es, index, documents, log });
+
+ return {
+ documents,
+ response,
+ };
+ },
+ indexGeneratedDocuments: async (params: GenerateDocumentsParams) => {
+ const documents = generateDocuments(params);
+ const response = await indexDocuments({ es, index, documents, log });
+
+ return {
+ documents,
+ response,
+ };
+ },
+ indexEnhancedDocuments: async (params: EnhanceDocumentsOptions) => {
+ const documents = enhanceDocuments(params);
+ const response = await indexDocuments({ es, index, documents, log });
+
+ return {
+ documents,
+ response,
+ };
+ },
+ };
+};
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/enhance_document.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/enhance_document.ts
new file mode 100644
index 0000000000000..f2e244edb90b3
--- /dev/null
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/enhance_document.ts
@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { v4 as uuidv4 } from 'uuid';
+
+interface EnhanceDocumentOptions {
+ id?: string;
+ timestamp?: string;
+ document: Record;
+}
+
+/**
+ * enhances document with generated id and timestamp
+ * @param {string} options.id - optional id, if not provided randomly generated
+ * @param {string} options.timestamp - optional timestamp of document, if not provided current time
+ * @param {Record} options.document - document that will be enhanced
+ */
+export const enhanceDocument = (options: EnhanceDocumentOptions) => {
+ const id = options?.id ?? uuidv4();
+ const timestamp = options?.timestamp ?? new Date().toISOString();
+ return {
+ ...options.document,
+ id,
+ '@timestamp': timestamp,
+ };
+};
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/enhance_documents.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/enhance_documents.ts
new file mode 100644
index 0000000000000..5d701afe166ed
--- /dev/null
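Review bot: None of the three methods returned by `dataGeneratorFactory` inspect the `BulkResponse` they hand back, and a bulk request resolves successfully even when individual items were rejected (those only surface under `response.errors` / `items`), so a test can carry on against partially indexed data and fail later somewhere unrelated. Unless `indexDocuments` (defined outside this hunk) already throws on `errors: true`, check it once in the factory before returning, e.g. `if (response.errors) throw new Error(\`bulk indexing into ${index} reported item errors\`);`. The JSDoc also mixes `@param param.es` with `@param params.index` / `@param params.log`; use one prefix so the tags resolve consistently.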
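Review bot: `enhanceDocument` spreads `options.document` and then writes `id` and `@timestamp` unconditionally, so a document that already carries its own `id` or `@timestamp` has those fields silently replaced by a generated uuid / the current time; the `id` and `timestamp` options only pick the replacement value, they never preserve the document's own field. If that is intended, say so in the JSDoc: `Any existing id / @timestamp on the document is overwritten.` Two smaller points in the same function: `options?.id` applies optional chaining to a required parameter (`options.id ?? uuidv4()` reads more honestly), and the `{string}` / `{Record}` type tags in the JSDoc duplicate the TypeScript types and can be dropped.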
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/enhance_documents.ts
@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { IndexingInterval, Document } from './types';
+import { getTimestamp } from './get_timestamp';
+import { enhanceDocument } from './enhance_document';
+
+export interface EnhanceDocumentsOptions {
+ interval?: IndexingInterval;
+ documents: Document[];
+ id?: string;
+}
+
+/**
+ * enhances documents with generated id and timestamp within interval
+ * @param {string} options.id - optional id, if not provided randomly generated
+ * @param {string} options.interval - optional interval of document, if not provided set as a current time
+ * @param {Record[]} options.documents - documents that will be enhanced
+ */
+export const enhanceDocuments = ({ documents, interval, id }: EnhanceDocumentsOptions) => {
+ return documents.map((document) =>
+ enhanceDocument({
+ document,
+ id,
+ timestamp: getTimestamp(interval),
+ })
+ );
+};
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/generate_documents.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/generate_documents.ts
new file mode 100644
index 0000000000000..c9ba960867a43
--- /dev/null
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/generate_documents.ts
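Review bot: The JSDoc on `enhanceDocuments` types `options.interval` as `{string}` and says it is "set as a current time" when omitted, but the parameter is an `IndexingInterval` that is passed straight to `getTimestamp`, and what becomes the current time is each document's `@timestamp`, not the interval. Suggest `@param options.interval - optional [from, to] interval; each document gets a @timestamp drawn from it, or the current time when omitted`, and drop the `{string}` / `{Record[]}` tags that duplicate the TypeScript types. It is also worth stating that passing `id` gives every document in the list the same `id`, since the sibling helper `getKQLQueryFromDocumentList` builds its query from that field.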
@@ -0,0 +1,39 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { v4 as uuidv4 } from 'uuid';
+import { getTimestamp } from './get_timestamp';
+
+import type { Document, IndexingInterval } from './types';
+
+type DocumentSeedFunc = (index: number, id: string, timestamp: string) => Document;
+
+export interface GenerateDocumentsParams {
+ interval?: IndexingInterval;
+ docsCount: number;
+ seed: DocumentSeedFunc;
+}
+
+/**
+ *
+ * @param param.interval - interval in which generate documents, defined by '@timestamp' field
+ * @param param.docsCount - number of document to generate
+ * @param param.seed - seed function. Function that receives index of document, generated id, timestamp as arguments and can used it create a document
+ * @returns generated Documents
+ */
+export const generateDocuments = ({ docsCount, interval, seed }: GenerateDocumentsParams) => {
+ const documents = [];
+
+ for (let i = 0; i < docsCount; i++) {
+ const id = uuidv4();
+ const timestamp = getTimestamp(interval);
+
+ documents.push(seed(i, id, timestamp));
+ }
+
+ return documents;
+};
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/get_kql_query_from_documents_list.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/get_kql_query_from_documents_list.ts
new file mode 100644
index 0000000000000..3347c2120d4a4
--- /dev/null
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/get_kql_query_from_documents_list.ts
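Review bot: `const documents = [];` in `generateDocuments` is an untyped empty array whose element type is only inferred from the later `push`, and the exported function has no declared return type, so its public signature depends on inference from `seed`. Declare both so the contract is explicit: `const documents: Document[] = [];` and `}: GenerateDocumentsParams): Document[] => {`. The JSDoc block also opens with an empty ` *` line where a one-sentence purpose belongs, e.g. `Builds docsCount documents by calling seed with a sequential index, a fresh uuid and a timestamp from getTimestamp(interval).`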
@@ -0,0 +1,41 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import type { Document } from './types'; + +/** + * returns KQL query from a list documents that includes all documents by their ids. + * it can be used later to create test rules that will query only these documents + * ```ts + * const documents = [ + { + foo: 'bar', + id: 'f07df596-65ec-4ab1-b0b2-f3b69558ed26', + '@timestamp': '2020-10-29T07:10:51.989Z', + }, + { + foo: 'bar', + id: 'e07614f9-1dc5-4849-90c4-31362bbdf8d0', + '@timestamp': '2020-10-30T00:32:48.987Z', + }, + { + foo: 'test', + id: 'e03a5b12-77e6-4aa3-b0be-fbe5b0843f07', + '@timestamp': '2020-10-29T03:40:35.318Z', + }, + ]; + + const query = getKQLQueryFromDocumentList(documents); + + // query equals to + // (id: "f07df596-65ec-4ab1-b0b2-f3b69558ed26" or id: "e07614f9-1dc5-4849-90c4-31362bbdf8d0" or id: "e03a5b12-77e6-4aa3-b0be-fbe5b0843f07") + * ``` + */ +export const getKQLQueryFromDocumentList = (documents: Document[]) => { + const orClauses = documents.map(({ id }) => `id: "${id}"`).join(' or '); + + return `(${orClauses})`; +}; diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/get_timestamp.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/get_timestamp.ts new file mode 100644 index 0000000000000..e828767a39650 --- /dev/null +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/get_timestamp.ts 
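Review bot: An empty `documents` array makes `getKQLQueryFromDocumentList` return `()`, which is not a valid KQL query, and a document without an `id` is interpolated as `id: "undefined"`; neither case is rejected. Since the helper exists to scope a test rule to exactly the generated documents, a silent fallback to a malformed or wrong query defeats that purpose, so suggest `if (documents.length === 0) throw new Error('getKQLQueryFromDocumentList: documents must not be empty');` before the `map`. The `id` values are also interpolated into a quoted KQL string without escaping; that is fine for the uuids `generateDocuments` produces, but a comment such as `// ids are expected to be uuids; no KQL escaping is applied` would keep the helper from being reused with arbitrary strings.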
@@ -0,0 +1,16 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import faker from 'faker'; +import type { IndexingInterval } from './types'; + +export const getTimestamp = (interval?: IndexingInterval) => { + if (interval) { + return faker.date.between(...interval).toISOString(); + } + + return new Date().toISOString(); +}; diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/index.ts new file mode 100644 index 0000000000000..73bd59ab11b75 --- /dev/null +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/index.ts @@ -0,0 +1,13 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export * from './data_generator_factory'; +export * from './enhance_document'; +export * from './enhance_documents'; +export * from './generate_documents'; +export * from './get_kql_query_from_documents_list'; +export * from './get_timestamp'; diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/index_documents.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/index_documents.ts new file mode 100644 index 0000000000000..5408e11b25015 --- /dev/null +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/index_documents.ts 
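Review bot: `getTimestamp` is exported without a docblock, and the `index.ts` re-export in the next hunk makes it part of the shared utils surface. Suggest `/** Returns an ISO-8601 timestamp: a random instant within the given interval, or the current time when no interval is passed. */`. The random draw means two calls with the same interval return different values, which matters for callers that compare timestamps across generated documents and is worth stating in that comment.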
@@ -0,0 +1,39 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { Client } from '@elastic/elasticsearch'; +import type { BulkResponse } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; +import { ToolingLog } from '@kbn/tooling-log'; + +interface IndexDocumentsParams { + es: Client; + documents: Array>; + index: string; + log: ToolingLog; +} + +type IndexDocuments = (params: IndexDocumentsParams) => Promise; + +/** + * Indexes documents into provided index + */ +export const indexDocuments: IndexDocuments = async ({ es, documents, index, log }) => { + const operations = documents.flatMap((doc: object) => [{ index: { _index: index } }, doc]); + + const response = await es.bulk({ refresh: true, operations }); + + // throw error if document wasn't indexed, so test will be terminated earlier and no false positives can happen + response.items.some(({ index: responseIndex } = {}) => { + if (responseIndex?.error) { + log.error( + `Failed to index document in non_ecs_fields test suits: "${responseIndex.error?.reason}"` + ); + throw Error(responseIndex.error.message); + } + }); + return response; +}; diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/types.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/types.ts new file mode 100644 index 0000000000000..bbf54be68cfee --- /dev/null +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/data_generator/types.ts 
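Review bot: `response.items.some(...)` in `indexDocuments` is used purely for its side effects — the callback never returns `true` — so `some` is a misleading stand-in for a loop; `for (const { index: responseIndex } of response.items) {` with a closing `}` in place of `});` says what the code does. The log line still reads `Failed to index document in non_ecs_fields test suits`, but the helper now lives in the shared `utils/data_generator` and is not tied to that suite, so name the target index instead: `` `Failed to index document into "${index}": "${responseIndex.error?.reason}"` ``. `throw Error(...)` should be `throw new Error(...)`, and the `// throw error if document wasn't indexed` comment could add that `refresh: true` is what makes the documents searchable as soon as the bulk call returns, which the following test steps presumably depend on.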
@@ -0,0 +1,10 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export type IndexingInterval = [string | Date, string | Date];
+
+export type Document = Record;
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/index.ts
index 56d166c501b6b..2cbae9b7973c3 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/index.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/index.ts
@@ -8,6 +8,9 @@ export * from './rules';
 export * from './exception_list_and_item';
 export * from './alerts';
 export * from './actions';
+export * from './data_generator';
+export * from './machine_learning';
+
 export * from './rules/get_rule_so_by_id';
 export * from './rules/create_rule_saved_object';
 export * from './rules/get_rule_with_legacy_investigation_fields';
@@ -19,3 +22,4 @@ export * from './update_username';
 export * from './refresh_index';
 export * from './wait_for';
 export * from './wait_for_index_to_populate';
+export * from './remove_random_valued_properties';
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/machine_learning/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/machine_learning/index.ts
new file mode 100644
index 0000000000000..6d6870b7ac92a
--- /dev/null
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/machine_learning/index.ts
@@ -0,0 +1,7 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+export * from './machine_learning_setup';
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/machine_learning/machine_learning_setup.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/machine_learning/machine_learning_setup.ts
new file mode 100644
index 0000000000000..d7c7e6387c739
--- /dev/null
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/machine_learning/machine_learning_setup.ts
@@ -0,0 +1,55 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type SuperTest from 'supertest'; +import { getCommonRequestHeader } from '../../../../../functional/services/ml/common_api'; + +export const executeSetupModuleRequest = async ({ + module, + rspCode, + supertest, +}: { + module: string; + rspCode: number; + supertest: SuperTest.SuperTest; +}) => { + const { body } = await supertest + .post(`/internal/ml/modules/setup/${module}`) + .set(getCommonRequestHeader('1')) + .send({ + prefix: '', + groups: ['auditbeat'], + indexPatternName: 'auditbeat-*', + startDatafeed: false, + useDedicatedIndex: true, + applyToAllSpaces: true, + }) + .expect(rspCode); + + return body; +}; + +export const forceStartDatafeeds = async ({ + jobId, + rspCode, + supertest, +}: { + jobId: string; + rspCode: number; + supertest: SuperTest.SuperTest; +}) => { + const { body } = await supertest + .post(`/internal/ml/jobs/force_start_datafeeds`) + .set(getCommonRequestHeader('1')) + .send({ + datafeedIds: [`datafeed-${jobId}`], + start: new Date().getUTCMilliseconds(), + }) + .expect(rspCode); + + return body; +}; diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/utils.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/remove_random_valued_properties.ts similarity index 100% rename from x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/utils.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/remove_random_valued_properties.ts 
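Review bot: `start: new Date().getUTCMilliseconds()` in `forceStartDatafeeds` looks wrong: `getUTCMilliseconds()` returns only the milliseconds component of the current second (0–999), not an epoch timestamp, so if the endpoint reads `start` as epoch milliseconds the datafeed is asked to start a few milliseconds after 1970-01-01. If the intent is "start from now", write `start: Date.now(),`; if the intent really is "from the beginning of time", make it explicit with `start: 0,` and a comment so the next reader does not take it for a bug. `executeSetupModuleRequest` also hard-codes `groups: ['auditbeat']`, `indexPatternName: 'auditbeat-*'` and `startDatafeed: false`, which its name does not convey; a docblock saying it installs the module against `auditbeat-*` without starting its datafeeds would help callers.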
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/index.ts index c1810ca6d6560..bb6dd3465959c 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/index.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/index.ts @@ -37,5 +37,8 @@ export * from './get_saved_query_rule_for_alert_testing'; export * from './get_rule_so_by_id'; export * from './create_rule_saved_object'; export * from './get_rule_with_legacy_investigation_fields'; +export * from './preview_rule'; +export * from './preview_rule_with_exception_entries'; +export * from './patch_rule'; export * from './prebuilt_rules'; diff --git a/x-pack/test/detection_engine_api_integration/utils/patch_rule.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/patch_rule.ts similarity index 100% rename from x-pack/test/detection_engine_api_integration/utils/patch_rule.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/patch_rule.ts diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/preview_rule.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/preview_rule.ts new file mode 100644 index 0000000000000..a97c304f5ffaa --- /dev/null +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/preview_rule.ts 
@@ -0,0 +1,50 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type SuperTest from 'supertest'; +import type { + RuleCreateProps, + PreviewRulesSchema, + RulePreviewLogs, +} from '@kbn/security-solution-plugin/common/api/detection_engine'; + +import { DETECTION_ENGINE_RULES_PREVIEW } from '@kbn/security-solution-plugin/common/constants'; + +/** + * Runs the preview for a rule. Any generated alerts will be written to .preview.alerts. + * This is much faster than actually running the rule, and can also quickly simulate multiple + * consecutive rule runs, e.g. for ensuring that rule state is properly handled across runs. + * @param supertest The supertest deps + * @param rule The rule to create + */ +export const previewRule = async ({ + supertest, + rule, + invocationCount = 1, + timeframeEnd = new Date(), +}: { + supertest: SuperTest.SuperTest; + rule: RuleCreateProps; + invocationCount?: number; + timeframeEnd?: Date; +}): Promise<{ + previewId: string; + logs: RulePreviewLogs[]; + isAborted: boolean; +}> => { + const previewRequest: PreviewRulesSchema = { + ...rule, + invocationCount, + timeframeEnd: timeframeEnd.toISOString(), + }; + const response = await supertest + .post(DETECTION_ENGINE_RULES_PREVIEW) + .set('kbn-xsrf', 'true') + .send(previewRequest) + .expect(200); + return response.body; +}; diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/preview_rule_with_exception_entries.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/preview_rule_with_exception_entries.ts new file mode 100644 index 0000000000000..fb5d480bbbffc --- /dev/null 
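Review bot: The docblock on `previewRule` documents `supertest` and `rule` but not `invocationCount` or `timeframeEnd`, which are the two parameters that make a preview differ from a single rule run. Suggest `@param invocationCount number of consecutive rule executions to simulate; defaults to 1` and `@param timeframeEnd end of the simulated time range, sent as an ISO string; defaults to the current time`, plus a `@returns` line naming the `previewId`, `logs` and `isAborted` fields. `return response.body` hands back supertest's untyped body under the declared `Promise<{ previewId; logs; isAborted }>` without a runtime check; acceptable for a test helper, but a one-line comment saying the shape is trusted, not validated, would avoid surprises.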
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/preview_rule_with_exception_entries.ts 
@@ -0,0 +1,65 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { ToolingLog } from '@kbn/tooling-log'; +import type SuperTest from 'supertest'; +import type { NonEmptyEntriesArray, OsTypeArray } from '@kbn/securitysolution-io-ts-list-types'; +import type { RuleCreateProps } from '@kbn/security-solution-plugin/common/api/detection_engine'; + +import { + createContainerWithEntries, + createContainerWithEndpointEntries, +} from '../exception_list_and_item'; +import { previewRule } from './preview_rule'; + +/** + * Convenience testing function where you can pass in just the entries and you will + * get a rule created with the entries added to an exception list and exception list item + * all auto-created at once. + * @param supertest super test agent + * @param rule The rule to create and attach an exception list to + * @param entries The entries to create the rule and exception list from + * @param endpointEntries The endpoint entries to create the rule and exception list from + * @param osTypes The os types to optionally add or not to add to the container + */ +export const previewRuleWithExceptionEntries = async ({ + supertest, + log, + rule, + entries, + endpointEntries, + invocationCount, + timeframeEnd, +}: { + supertest: SuperTest.SuperTest; + log: ToolingLog; + rule: RuleCreateProps; + entries: NonEmptyEntriesArray[]; + endpointEntries?: Array<{ + entries: NonEmptyEntriesArray; + osTypes: OsTypeArray | undefined; + }>; + invocationCount?: number; + timeframeEnd?: Date; +}) => { + const maybeExceptionList = await createContainerWithEntries(supertest, log, entries); + const maybeEndpointList = await createContainerWithEndpointEntries( + supertest, + log, + endpointEntries ?? 
[] + ); + + return previewRule({ + supertest, + rule: { + ...rule, + exceptions_list: [...maybeExceptionList, ...maybeEndpointList], + }, + invocationCount, + timeframeEnd, + }); +}; From 5750a13d9e4f070e54c51dabac8387aa3e003d94 Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Thu, 9 Nov 2023 10:18:38 +0000 Subject: [PATCH 07/23] [CI] Auto-commit changed files from 'node scripts/lint_ts_projects --fix' --- x-pack/test/security_solution_api_integration/tsconfig.json | 3 ++- x-pack/test/tsconfig.json | 1 - 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/x-pack/test/security_solution_api_integration/tsconfig.json b/x-pack/test/security_solution_api_integration/tsconfig.json index b2e2715a52ccd..6249249938db3 100644 --- a/x-pack/test/security_solution_api_integration/tsconfig.json +++ b/x-pack/test/security_solution_api_integration/tsconfig.json @@ -30,6 +30,7 @@ "@kbn/core-saved-objects-server", "@kbn/core", "@kbn/alerting-plugin", - "@kbn/securitysolution-ecs" + "@kbn/securitysolution-ecs", + "@kbn/securitysolution-rules" ] } diff --git a/x-pack/test/tsconfig.json b/x-pack/test/tsconfig.json index 61c42a76f3d9d..ffe8a5fc43fcf 100644 --- a/x-pack/test/tsconfig.json +++ b/x-pack/test/tsconfig.json @@ -86,7 +86,6 @@ "@kbn/data-views-plugin", "@kbn/datemath", "@kbn/safer-lodash-set", - "@kbn/securitysolution-rules", "@kbn/es-archiver", "@kbn/config-schema", "@kbn/kubernetes-security-plugin", From 602a4ca3aae2341f80db8fa4c1474a189b1542ed Mon Sep 17 00:00:00 2001 
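Review bot: The docblock on `previewRuleWithExceptionEntries` lists an `osTypes` parameter that does not exist at this level (it is a field of each `endpointEntries` element) and omits `log`, `invocationCount` and `timeframeEnd`, which are forwarded unchanged to `previewRule`. Suggest dropping the `@param osTypes` line and adding `@param log tooling log used by the list-creation helpers` and `@param invocationCount / timeframeEnd passed through to previewRule`. The two container creations are awaited one after the other; if they are independent they could run under `Promise.all`, but that cannot be decided from this hunk, so a short comment stating whether order matters would settle it.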
From: wafaanasr Date: Thu, 9 Nov 2023 18:01:06 +0100 Subject: [PATCH 08/23] move all files --- .../security_and_spaces/group10/index.ts | 3 - .../ignore_fields/mappings.json | 1 - .../package.json | 10 +- .../alerts/alerts_compatibility.ts | 6 +- .../execution_logic/eql.ts | 100 +- .../execution_logic/esql.ts | 22 +- .../execution_logic/index.ts | 3 +- .../execution_logic/machine_learning.ts | 26 +- .../execution_logic/mocks/new_terms.ts | 1409 ----------------- .../execution_logic/new_terms.ts | 27 +- .../execution_logic/non_ecs_fields.ts | 2 +- .../execution_logic/query.ts | 60 +- .../execution_logic/saved_query.ts | 10 +- .../execution_logic/threat_match.ts | 110 +- .../execution_logic/threshold.ts | 106 +- .../rule_execution_logic}/ignore_fields.ts | 47 +- .../rule_execution_logic/index.ts | 4 + .../rule_execution_logic}/runtime.ts | 67 +- .../rule_execution_logic}/timestamps.ts | 197 ++- .../detections_response/utils/alerts/index.ts | 2 +- ...ve_random_valued_properties_from_alert.ts} | 2 +- .../detections_response/utils/index.ts | 1 - .../utils/remove_random_valued_properties.ts | 28 - 23 files changed, 392 insertions(+), 1851 deletions(-) delete mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/mocks/new_terms.ts rename x-pack/test/{detection_engine_api_integration/security_and_spaces/group10 => security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic}/ignore_fields.ts (74%) rename x-pack/test/{detection_engine_api_integration/security_and_spaces/group10 => security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic}/runtime.ts (70%) rename x-pack/test/{detection_engine_api_integration/security_and_spaces/group10 => security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic}/timestamps.ts (59%) rename 
x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/alerts/{remove_random_valued_properties.ts => remove_random_valued_properties_from_alert.ts} (90%) delete mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/remove_random_valued_properties.ts diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/index.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/index.ts index 350ac868ac90e..fe862c550e8eb 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/index.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/index.ts @@ -26,10 +26,7 @@ export default ({ loadTestFile }: FtrProviderContext): void => { loadTestFile(require.resolve('./perform_bulk_action_dry_run')); loadTestFile(require.resolve('./patch_rules')); loadTestFile(require.resolve('./read_privileges')); - loadTestFile(require.resolve('./timestamps')); - loadTestFile(require.resolve('./runtime')); loadTestFile(require.resolve('./throttle')); - loadTestFile(require.resolve('./ignore_fields')); loadTestFile(require.resolve('./risk_engine/init_and_status_apis')); loadTestFile(require.resolve('./risk_engine/risk_score_preview')); loadTestFile(require.resolve('./risk_engine/risk_score_calculation')); diff --git a/x-pack/test/functional/es_archives/security_solution/ignore_fields/mappings.json b/x-pack/test/functional/es_archives/security_solution/ignore_fields/mappings.json index e2c8ca3c2bc89..3c2cbeac06cca 100644 --- a/x-pack/test/functional/es_archives/security_solution/ignore_fields/mappings.json +++ b/x-pack/test/functional/es_archives/security_solution/ignore_fields/mappings.json @@ -32,7 +32,6 @@ }, "settings": { "index": { - "refresh_interval": "1s", "number_of_replicas": "1", "number_of_shards": "1" } 
diff --git a/x-pack/test/security_solution_api_integration/package.json b/x-pack/test/security_solution_api_integration/package.json index 90f16d39d7852..64fa187c25e17 100644 --- a/x-pack/test/security_solution_api_integration/package.json +++ b/x-pack/test/security_solution_api_integration/package.json @@ -42,10 +42,10 @@ "alerts:qa:serverless": "npm run run-tests:dr:default alerts serverless qaEnv", "alerts:server:ess": "npm run initialize-server:dr:default alerts ess", "alerts:runner:ess": "npm run run-tests:dr:default alerts ess essEnv", - "rule_execution_login:server:serverless": "npm run initialize-server:dr:default rule_execution_logic serverless", - "rule_execution_login:runner:serverless": "npm run run-tests:dr:default rule_execution_logic serverless serverlessEnv", - "rule_execution_login:qa:serverless": "npm run run-tests:dr:default rule_execution_logic serverless qaEnv", - "rule_execution_login:server:ess": "npm run initialize-server:dr:default rule_execution_logic ess", - "rule_execution_login:runner:ess": "npm run run-tests:dr:default rule_execution_logic ess essEnv" + "rule_execution_logic:server:serverless": "npm run initialize-server:dr:default rule_execution_logic serverless", + "rule_execution_logic:runner:serverless": "npm run run-tests:dr:default rule_execution_logic serverless serverlessEnv", + "rule_execution_logic:qa:serverless": "npm run run-tests:dr:default rule_execution_logic serverless qaEnv", + "rule_execution_logic:server:ess": "npm run initialize-server:dr:default rule_execution_logic ess", + "rule_execution_logic:runner:ess": "npm run run-tests:dr:default rule_execution_logic ess essEnv" } } diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/alerts/alerts_compatibility.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/alerts/alerts_compatibility.ts index 9e4a9d05771d1..680073955ce99 100644 
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/alerts/alerts_compatibility.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/alerts/alerts_compatibility.ts @@ -36,7 +36,7 @@ import { waitFor, waitForRuleSuccess, waitForAlertsToBePresent, - removeRandomValuedProperties, + removeRandomValuedPropertiesFromAlert, } from '../../utils'; import { FtrProviderContext } from '../../../../ftr_provider_context'; @@ -231,7 +231,7 @@ export default ({ getService }: FtrProviderContext) => { expect(signalsOpen.hits.hits.length).greaterThan(0); const hit = signalsOpen.hits.hits[0]; expect(hit._source?.kibana).to.eql(undefined); - const source = removeRandomValuedProperties(hit._source); + const source = removeRandomValuedPropertiesFromAlert(hit._source); expect(source).to.eql({ 'kibana.alert.rule.category': 'Custom Query Rule', 'kibana.alert.rule.consumer': 'siem', @@ -393,7 +393,7 @@ export default ({ getService }: FtrProviderContext) => { expect(signalsOpen.hits.hits.length).greaterThan(0); const hit = signalsOpen.hits.hits[0]; expect(hit._source?.kibana).to.eql(undefined); - const source = removeRandomValuedProperties(hit._source); + const source = removeRandomValuedPropertiesFromAlert(hit._source); expect(source).to.eql({ 'kibana.alert.rule.category': 'Custom Query Rule', 'kibana.alert.rule.consumer': 'siem', diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/eql.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/eql.ts index 11ae95f653bd3..abb87864e80af 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/eql.ts 
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/eql.ts @@ -27,7 +27,7 @@ import { ALERT_ORIGINAL_EVENT_CATEGORY, ALERT_GROUP_ID, } from '@kbn/security-solution-plugin/common/field_maps/field_names'; -import { getMaxSignalsWarning } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/utils/utils'; +import { getMaxSignalsWarning as getMaxAlertsWarning } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/utils/utils'; import { createRule, deleteAllRules, @@ -45,7 +45,7 @@ export default ({ getService }: FtrProviderContext) => { const es = getService('es'); const log = getService('log'); - describe('EQL type rules', () => { + describe('@ess @serverless EQL type rules', () => { before(async () => { await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts'); await esArchiver.load( @@ -63,7 +63,7 @@ export default ({ getService }: FtrProviderContext) => { }); // First test creates a real rule - remaining tests use preview API - it('generates a correctly formatted signal from EQL non-sequence queries', async () => { + it('generates a correctly formatted alert from EQL non-sequence queries', async () => { const rule: EqlRuleCreateProps = { ...getEqlRuleForAlertTesting(['auditbeat-*']), query: 'configuration where agent.id=="a1d7b39c-f898-4dbe-a761-efb61939302d"', 
@@ -71,13 +71,13 @@ export default ({ getService }: FtrProviderContext) => { const createdRule = await createRule(supertest, log, rule); const alerts = await getOpenAlerts(supertest, log, es, createdRule); expect(alerts.hits.hits.length).eql(1); - const fullSignal = alerts.hits.hits[0]._source; - if (!fullSignal) { - return expect(fullSignal).to.be.ok(); + const fullAlert = alerts.hits.hits[0]._source; + if (!fullAlert) { + return expect(fullAlert).to.be.ok(); } - expect(fullSignal).eql({ - ...fullSignal, + expect(fullAlert).eql({ + ...fullAlert, agent: { ephemeral_id: '0010d67a-14f7-41da-be30-489fea735967', hostname: 'suricata-zeek-sensor-toronto', @@ -145,8 +145,8 @@ export default ({ getService }: FtrProviderContext) => { }, [ALERT_REASON]: 'configuration event on suricata-zeek-sensor-toronto created high alert Signal Testing Query.', - [ALERT_RULE_UUID]: fullSignal[ALERT_RULE_UUID], - [ALERT_ORIGINAL_TIME]: fullSignal[ALERT_ORIGINAL_TIME], + [ALERT_RULE_UUID]: fullAlert[ALERT_RULE_UUID], + [ALERT_ORIGINAL_TIME]: fullAlert[ALERT_ORIGINAL_TIME], [ALERT_WORKFLOW_STATUS]: 'open', [ALERT_WORKFLOW_TAGS]: [], [ALERT_DEPTH]: 1, 
@@ -166,23 +166,23 @@ export default ({ getService }: FtrProviderContext) => { }); }); - it('generates up to max_signals for non-sequence EQL queries', async () => { - const maxSignals = 200; + it('generates up to max_alerts for non-sequence EQL queries', async () => { + const maxAlerts = 200; const rule: EqlRuleCreateProps = { ...getEqlRuleForAlertTesting(['auditbeat-*']), - max_signals: maxSignals, + max_signals: maxAlerts, }; const { previewId } = await previewRule({ supertest, rule }); - const previewAlerts = await getPreviewAlerts({ es, previewId, size: maxSignals * 2 }); - expect(previewAlerts.length).eql(maxSignals); + const previewAlerts = await getPreviewAlerts({ es, previewId, size: maxAlerts * 2 }); + expect(previewAlerts.length).eql(maxAlerts); }); - it('generates max signals warning when circuit breaker is hit', async () => { + it('generates max alerts warning when circuit breaker is hit', async () => { const rule: EqlRuleCreateProps = { ...getEqlRuleForAlertTesting(['auditbeat-*']), }; const { logs } = await previewRule({ supertest, rule }); - expect(logs[0].warnings).contain(getMaxSignalsWarning()); + expect(logs[0].warnings).contain(getMaxAlertsWarning()); }); it('uses the provided event_category_override', async () => { @@ -194,13 +194,13 @@ export default ({ getService }: FtrProviderContext) => { const { previewId } = await previewRule({ supertest, rule }); const previewAlerts = await getPreviewAlerts({ es, previewId }); expect(previewAlerts.length).eql(1); - const fullSignal = previewAlerts[0]._source; - if (!fullSignal) { - return expect(fullSignal).to.be.ok(); + const fullAlert = previewAlerts[0]._source; + if (!fullAlert) { + return expect(fullAlert).to.be.ok(); } - expect(fullSignal).eql({ - ...fullSignal, + expect(fullAlert).eql({ + ...fullAlert, auditd: { data: { audit_enabled: '1', 
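Review bot: The signals-to-alerts rename has been applied to test titles and comments while the API field in the same lines is still `max_signals: maxAlerts`, so `it('generates up to max_alerts for non-sequence EQL queries'` here and, in the hunk starting `@@ -512,26 +512,26 @@`, the comment `// For EQL rules, max_alerts is the maximum number of detected sequences` now refer to a field that does not exist. Keep the prose tied to the real field name: `it('generates up to max_signals for non-sequence EQL queries'` and `// For EQL rules, max_signals is the maximum number of detected sequences`, while the local `maxAlerts` can stay. The same applies to the title `generates up to max_alerts with an EQL rule` in that later hunk.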
@@ -236,8 +236,8 @@ export default ({ getService }: FtrProviderContext) => { }, [ALERT_REASON]: 'configuration event on suricata-zeek-sensor-toronto created high alert Signal Testing Query.', - [ALERT_RULE_UUID]: fullSignal[ALERT_RULE_UUID], - [ALERT_ORIGINAL_TIME]: fullSignal[ALERT_ORIGINAL_TIME], + [ALERT_RULE_UUID]: fullAlert[ALERT_RULE_UUID], + [ALERT_ORIGINAL_TIME]: fullAlert[ALERT_ORIGINAL_TIME], [ALERT_WORKFLOW_STATUS]: 'open', [ALERT_DEPTH]: 1, [ALERT_ANCESTORS]: [ @@ -284,7 +284,7 @@ export default ({ getService }: FtrProviderContext) => { expect(createdAtHits).to.eql(['es', 'pt', 'ua']); }); - it('generates building block signals from EQL sequences in the expected form', async () => { + it('generates building block alerts from EQL sequences in the expected form', async () => { const rule: EqlRuleCreateProps = { ...getEqlRuleForAlertTesting(['auditbeat-*']), query: 'sequence by host.name [anomoly where true] [any where true]', // TODO: spelling @@ -297,13 +297,13 @@ export default ({ getService }: FtrProviderContext) => { get(alert._source, ALERT_ORIGINAL_EVENT_CATEGORY) === 'anomoly' ); expect(buildingBlock).not.eql(undefined); - const fullSignal = buildingBlock?._source; - if (!fullSignal) { - return expect(fullSignal).to.be.ok(); + const fullAlert = buildingBlock?._source; + if (!fullAlert) { + return expect(fullAlert).to.be.ok(); } - expect(fullSignal).eql({ - ...fullSignal, + expect(fullAlert).eql({ + ...fullAlert, agent: { ephemeral_id: '1b4978a0-48be-49b1-ac96-323425b389ab', hostname: 'zeek-sensor-amsterdam', 
@@ -409,9 +409,9 @@ export default ({ getService }: FtrProviderContext) => { }, [ALERT_REASON]: 'anomoly event with process bro, by root on zeek-sensor-amsterdam created high alert Signal Testing Query.', - [ALERT_RULE_UUID]: fullSignal[ALERT_RULE_UUID], - [ALERT_GROUP_ID]: fullSignal[ALERT_GROUP_ID], - [ALERT_ORIGINAL_TIME]: fullSignal[ALERT_ORIGINAL_TIME], + [ALERT_RULE_UUID]: fullAlert[ALERT_RULE_UUID], + [ALERT_GROUP_ID]: fullAlert[ALERT_GROUP_ID], + [ALERT_ORIGINAL_TIME]: fullAlert[ALERT_ORIGINAL_TIME], [ALERT_WORKFLOW_STATUS]: 'open', [ALERT_DEPTH]: 1, [ALERT_ANCESTORS]: [ @@ -430,7 +430,7 @@ export default ({ getService }: FtrProviderContext) => { }); }); - it('generates shell signals from EQL sequences in the expected form', async () => { + it('generates shell alerts from EQL sequences in the expected form', async () => { const rule: EqlRuleCreateProps = { ...getEqlRuleForAlertTesting(['auditbeat-*']), query: 'sequence by host.name [anomoly where true] [any where true]', 
@@ -512,26 +512,26 @@ export default ({ getService }: FtrProviderContext) => {
 });
 });
 
- it('generates up to max_signals with an EQL rule', async () => {
- const maxSignals = 200;
+ it('generates up to max_alerts with an EQL rule', async () => {
+ const maxAlerts = 200;
 const rule: EqlRuleCreateProps = {
 ...getEqlRuleForAlertTesting(['auditbeat-*']),
 query: 'sequence by host.name [any where true] [any where true]',
- max_signals: maxSignals,
+ max_signals: maxAlerts,
 };
 const { previewId } = await previewRule({ supertest, rule });
- const previewAlerts = await getPreviewAlerts({ es, previewId, size: maxSignals * 5 });
- // For EQL rules, max_signals is the maximum number of detected sequences: each sequence has a building block
- // alert for each event in the sequence, so max_signals=200 results in 400 building blocks in addition to
+ const previewAlerts = await getPreviewAlerts({ es, previewId, size: maxAlerts * 5 });
+ // For EQL rules, max_alerts is the maximum number of detected sequences: each sequence has a building block
+ // alert for each event in the sequence, so max_alerts=200 results in 400 building blocks in addition to
 // 200 regular alerts
- expect(previewAlerts.length).eql(maxSignals * 3);
- const shellSignals = previewAlerts.filter((alert) => alert._source?.[ALERT_DEPTH] === 2);
+ expect(previewAlerts.length).eql(maxAlerts * 3);
+ const shellalerts = previewAlerts.filter((alert) => alert._source?.[ALERT_DEPTH] === 2);
 const buildingBlocks = previewAlerts.filter((alert) => alert._source?.[ALERT_DEPTH] === 1);
- expect(shellSignals.length).eql(maxSignals);
- expect(buildingBlocks.length).eql(maxSignals * 2);
+ expect(shellalerts.length).eql(maxAlerts);
+ expect(buildingBlocks.length).eql(maxAlerts * 2);
 });
 
- it('generates signals when an index name contains special characters to encode', async () => {
+ it('generates alerts when an index name contains special characters to encode', async () => {
 const rule: EqlRuleCreateProps = {
 ...getEqlRuleForAlertTesting(['auditbeat-*', '']),
 query: 'configuration where agent.id=="a1d7b39c-f898-4dbe-a761-efb61939302d"',
@@ -604,12 +604,12 @@ export default ({ getService }: FtrProviderContext) => {
 const { previewId } = await previewRule({ supertest, rule });
 const previewAlerts = await getPreviewAlerts({ es, previewId });
 expect(previewAlerts.length).eql(1);
- const fullSignal = previewAlerts[0]._source;
- if (!fullSignal) {
- return expect(fullSignal).to.be.ok();
+ const fullAlert = previewAlerts[0]._source;
+ if (!fullAlert) {
+ return expect(fullAlert).to.be.ok();
 }
- expect(fullSignal?.host?.risk?.calculated_level).to.eql('Critical');
- expect(fullSignal?.host?.risk?.calculated_score_norm).to.eql(96);
+ expect(fullAlert?.host?.risk?.calculated_level).to.eql('Critical');
+ expect(fullAlert?.host?.risk?.calculated_score_norm).to.eql(96);
 });
 });
 });
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/esql.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/esql.ts
index db8ac63d4e129..36c0a98c2603c 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/esql.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/esql.ts
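Review bot: `const shellalerts = previewAlerts.filter(...)` in the max_signals EQL test breaks the file's camelCase convention (the two later `shellalerts.length` uses inherit it), and the renamed test title and the two rewritten comment lines now speak of `max_alerts` while the rule property set a few lines above is still `max_signals: maxAlerts`, so the comment documents a parameter name the rule does not use. Keep the API name where the text refers to the API and fix the local: `it('generates up to max_signals with an EQL rule', async () => {`, `// For EQL rules, max_signals is the maximum number of detected sequences: each sequence has a building block`, `const shellAlerts = previewAlerts.filter((alert) => alert._source?.[ALERT_DEPTH] === 2);`. The same signals→alerts wording change is applied to the `describe('max alerts')` block and its tests in esql.ts and to the circuit-breaker tests in machine_learning.ts, where the property under test is likewise still `max_signals`; aliasing the import as `getMaxSignalsWarning as getMaxAlertsWarning` in those files masks the same mismatch rather than resolving it.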
@@ -12,7 +12,7 @@ import { orderBy } from 'lodash'; import { EsqlRuleCreateProps } from '@kbn/security-solution-plugin/common/api/detection_engine/model/rule_schema'; import { getCreateEsqlRulesSchemaMock } from '@kbn/security-solution-plugin/common/api/detection_engine/model/rule_schema/mocks'; -import { getMaxSignalsWarning } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/utils/utils'; +import { getMaxSignalsWarning as getMaxAlertsWarning } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/utils/utils'; import { deleteAllRules, deleteAllAlerts, @@ -22,13 +22,11 @@ import { getOpenAlerts, dataGeneratorFactory, previewRuleWithExceptionEntries, - removeRandomValuedProperties, + removeRandomValuedPropertiesFromAlert, } from '../../../utils'; import { deleteAllExceptions } from '../../../../../../lists_api_integration/utils'; import { FtrProviderContext } from '../../../../../ftr_provider_context'; -// TODO replace signals - export default ({ getService }: FtrProviderContext) => { const supertest = getService('supertest'); const esArchiver = getService('esArchiver'); @@ -46,7 +44,7 @@ export default ({ getService }: FtrProviderContext) => { */ const internalIdPipe = (id: string) => `| where id=="${id}"`; - describe('ES|QL rule type', () => { + describe('@ess @serverless ES|QL rule type', () => { before(async () => { await esArchiver.load('x-pack/test/functional/es_archives/security_solution/ecs_compliant'); }); @@ -83,7 +81,7 @@ export default ({ getService }: FtrProviderContext) => { const alerts = await getOpenAlerts(supertest, log, es, createdRule); expect(alerts.hits.hits.length).toBe(1); - expect(removeRandomValuedProperties(alerts.hits.hits[0]._source)).toEqual({ + expect(removeRandomValuedPropertiesFromAlert(alerts.hits.hits[0]._source)).toEqual({ 'kibana.alert.rule.parameters': { description: 'Detecting root and admin users', risk_score: 55, 
@@ -601,8 +599,8 @@ export default ({ getService }: FtrProviderContext) => {
 });
 });
 
- describe('max signals', () => {
- it('generates max signals warning when circuit breaker is exceeded', async () => {
+ describe('max alerts', () => {
+ it('generates max alerts warning when circuit breaker is exceeded', async () => {
 const id = uuidv4();
 const rule: EsqlRuleCreateProps = {
 ...getCreateEsqlRulesSchemaMock('rule-1', true),
@@ -628,7 +626,7 @@ export default ({ getService }: FtrProviderContext) => {
 timeframeEnd: new Date('2020-10-28T06:30:00.000Z'),
 });
 
- expect(logs[0].warnings).toEqual(expect.arrayContaining([getMaxSignalsWarning()]));
+ expect(logs[0].warnings).toEqual(expect.arrayContaining([getMaxAlertsWarning()]));
 
 const previewAlerts = await getPreviewAlerts({
 es,
@@ -639,7 +637,7 @@ export default ({ getService }: FtrProviderContext) => {
 expect(previewAlerts.length).toBe(100);
 });
 
- it("doesn't generate max signals warning when circuit breaker is met but not exceeded", async () => {
+ it("doesn't generate max alerts warning when circuit breaker is met but not exceeded", async () => {
 const id = uuidv4();
 const rule: EsqlRuleCreateProps = {
 ...getCreateEsqlRulesSchemaMock('rule-1', true),
@@ -664,7 +662,7 @@ export default ({ getService }: FtrProviderContext) => {
 rule,
 timeframeEnd: new Date('2020-10-28T06:30:00.000Z'),
 });
- expect(logs[0].warnings).not.toEqual(expect.arrayContaining([getMaxSignalsWarning()]));
+ expect(logs[0].warnings).not.toEqual(expect.arrayContaining([getMaxAlertsWarning()]));
 
 const previewAlerts = await getPreviewAlerts({
 es,
@@ -675,7 +673,7 @@ export default ({ getService }: FtrProviderContext) => {
 expect(previewAlerts.length).toBe(100);
 });
 
- it('should work for max signals > 100', async () => {
+ it('should work for max alerts > 100', async () => {
 const id = uuidv4();
 const rule: EsqlRuleCreateProps = {
 ...getCreateEsqlRulesSchemaMock('rule-1', true),
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/index.ts index 9220a7b0c0ade..36a249304c7e6 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/index.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/index.ts @@ -8,7 +8,7 @@ import { FtrProviderContext } from '../../../../../ftr_provider_context'; export default ({ loadTestFile }: FtrProviderContext): void => { - describe('detection engine api security and spaces enabled - rule execution logic', function () { + describe('Execution logic', function () { loadTestFile(require.resolve('./eql')); loadTestFile(require.resolve('./esql')); loadTestFile(require.resolve('./machine_learning')); @@ -17,7 +17,6 @@ export default ({ loadTestFile }: FtrProviderContext): void => { loadTestFile(require.resolve('./threat_match')); loadTestFile(require.resolve('./threshold')); loadTestFile(require.resolve('./non_ecs_fields')); - loadTestFile(require.resolve('./query')); }); }; diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/machine_learning.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/machine_learning.ts index 2f7f7ae22b454..0fd0e1fdc87e7 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/machine_learning.ts 
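Review bot: `loadTestFile(require.resolve('./query'));` is dropped from the loader in the second hunk, but this diff shows no deletion or move of `execution_logic/query.ts`; if that file still exists, the query-rule execution-logic suite silently stops running under both the ESS and serverless configs that now point at this index. If the suite was relocated elsewhere in this series, a one-line comment at the removal site would make that intent auditable, e.g. `// query rule execution tests are loaded from <new suite location>`; if not, the `loadTestFile` line should stay. The new `describe('Execution logic', function () {` title also drops the descriptive prefix the old name carried, which makes the suite harder to find in CI output by name alone.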
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/machine_learning.ts
@@ -24,7 +24,7 @@ import {
 ALERT_DEPTH,
 ALERT_ORIGINAL_TIME,
 } from '@kbn/security-solution-plugin/common/field_maps/field_names';
-import { getMaxSignalsWarning } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/utils/utils';
+import { getMaxSignalsWarning as getMaxAlertsWarning } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/utils/utils';
 import { expect } from 'expect';
 import {
 createListsIndex,
@@ -66,7 +66,7 @@ export default ({ getService }: FtrProviderContext) => {
 rule_id: 'ml-rule-id',
 };
 
- describe('Machine learning type rules', () => {
+ describe('@ess @serverless Machine learning type rules', () => {
 before(async () => {
 // Order is critical here: auditbeat data must be loaded before attempting to start the ML job,
 // as the job looks for certain indices on start
@@ -87,9 +87,9 @@ export default ({ getService }: FtrProviderContext) => {
 const createdRule = await createRule(supertest, log, rule);
 const alerts = await getOpenAlerts(supertest, log, es, createdRule);
 expect(alerts.hits.hits.length).toBe(1);
- const signal = alerts.hits.hits[0];
+ const alert = alerts.hits.hits[0];
 
- expect(signal._source).toEqual(
+ expect(alert._source).toEqual(
 expect.objectContaining({
 '@timestamp': expect.any(String),
 [ALERT_RULE_EXECUTION_UUID]: expect.any(String),
@@ -160,20 +160,20 @@ export default ({ getService }: FtrProviderContext) => {
 );
 });
 
- it('generates max signals warning when circuit breaker is exceeded', async () => {
+ it('generates max alerts warning when circuit breaker is exceeded', async () => {
 const { logs } = await previewRule({
 supertest,
 rule: { ...rule, anomaly_threshold: 1, max_signals: 5 }, // This threshold generates 10 alerts with the current esArchive
 });
- expect(logs[0].warnings).toContain(getMaxSignalsWarning());
+ expect(logs[0].warnings).toContain(getMaxAlertsWarning());
 });
 
- it("doesn't generate max signals warning when circuit breaker is met, but not exceeded", async () => {
+ it("doesn't generate max alerts warning when circuit breaker is met, but not exceeded", async () => {
 const { logs } = await previewRule({
 supertest,
 rule: { ...rule, anomaly_threshold: 1, max_signals: 10 },
 });
- expect(logs[0].warnings).not.toContain(getMaxSignalsWarning());
+ expect(logs[0].warnings).not.toContain(getMaxAlertsWarning());
 });
 
 it('should create 7 alerts from ML rule when records meet anomaly_threshold', async () => {
@@ -189,7 +189,7 @@ export default ({ getService }: FtrProviderContext) => {
 afterEach(async () => {
 await deleteAllExceptions(supertest, log);
 });
- it('generates no signals when an exception is added for an ML rule', async () => {
+ it('generates no alerts when an exception is added for an ML rule', async () => {
 const { previewId } = await previewRuleWithExceptionEntries({
 supertest,
 log,
@@ -220,7 +220,7 @@ export default ({ getService }: FtrProviderContext) => {
 await deleteAllExceptions(supertest, log);
 });
 
- it('generates no signals when a value list exception is added for an ML rule', async () => {
+ it('generates no alerts when a value list exception is added for an ML rule', async () => {
 const valueListId = 'value-list-id';
 await importFile(supertest, log, 'keyword', ['mothra'], valueListId);
 const { previewId } = await previewRuleWithExceptionEntries({
@@ -259,10 +259,10 @@ export default ({ getService }: FtrProviderContext) => {
 const { previewId } = await previewRule({ supertest, rule });
 const previewAlerts = await getPreviewAlerts({ es, previewId });
 expect(previewAlerts.length).toBe(1);
- const fullSignal = previewAlerts[0]._source;
+ const fullAlert = previewAlerts[0]._source;
 
- expect(fullSignal?.host?.risk?.calculated_level).toBe('Low');
- expect(fullSignal?.host?.risk?.calculated_score_norm).toBe(1);
+ expect(fullAlert?.host?.risk?.calculated_level).toBe('Low');
+ expect(fullAlert?.host?.risk?.calculated_score_norm).toBe(1);
 });
 });
 });
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/mocks/new_terms.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/mocks/new_terms.ts
deleted file mode 100644
index 15c63546a4be7..0000000000000
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/mocks/new_terms.ts
+++ /dev/null
@@ -1,1409 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -export const largeArraysBuckets = [ - { - key: { - large_array_20: 'value-of-20-0', - large_array_10: 'value-of-10-0', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-1', - large_array_10: 'value-of-10-0', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-2', - large_array_10: 'value-of-10-0', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-3', - large_array_10: 'value-of-10-0', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-4', - large_array_10: 'value-of-10-0', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-5', - large_array_10: 'value-of-10-0', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-6', - large_array_10: 'value-of-10-0', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-7', - large_array_10: 'value-of-10-0', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-8', - large_array_10: 'value-of-10-0', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-9', - large_array_10: 'value-of-10-0', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-10', - large_array_10: 'value-of-10-0', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-11', - large_array_10: 'value-of-10-0', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-12', - large_array_10: 'value-of-10-0', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-13', - large_array_10: 'value-of-10-0', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-14', - large_array_10: 'value-of-10-0', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 
'value-of-20-15', - large_array_10: 'value-of-10-0', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-16', - large_array_10: 'value-of-10-0', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-17', - large_array_10: 'value-of-10-0', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-18', - large_array_10: 'value-of-10-0', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-19', - large_array_10: 'value-of-10-0', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-0', - large_array_10: 'value-of-10-1', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-1', - large_array_10: 'value-of-10-1', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-2', - large_array_10: 'value-of-10-1', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-3', - large_array_10: 'value-of-10-1', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-4', - large_array_10: 'value-of-10-1', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-5', - large_array_10: 'value-of-10-1', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-6', - large_array_10: 'value-of-10-1', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-7', - large_array_10: 'value-of-10-1', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-8', - large_array_10: 'value-of-10-1', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-9', - large_array_10: 'value-of-10-1', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-10', - large_array_10: 'value-of-10-1', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-11', - large_array_10: 'value-of-10-1', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-12', - large_array_10: 'value-of-10-1', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-13', - 
large_array_10: 'value-of-10-1', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-14', - large_array_10: 'value-of-10-1', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-15', - large_array_10: 'value-of-10-1', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-16', - large_array_10: 'value-of-10-1', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-17', - large_array_10: 'value-of-10-1', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-18', - large_array_10: 'value-of-10-1', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-19', - large_array_10: 'value-of-10-1', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-0', - large_array_10: 'value-of-10-2', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-1', - large_array_10: 'value-of-10-2', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-2', - large_array_10: 'value-of-10-2', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-3', - large_array_10: 'value-of-10-2', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-4', - large_array_10: 'value-of-10-2', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-5', - large_array_10: 'value-of-10-2', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-6', - large_array_10: 'value-of-10-2', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-7', - large_array_10: 'value-of-10-2', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-8', - large_array_10: 'value-of-10-2', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-9', - large_array_10: 'value-of-10-2', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-10', - large_array_10: 'value-of-10-2', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-11', - large_array_10: 
'value-of-10-2', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-12', - large_array_10: 'value-of-10-2', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-13', - large_array_10: 'value-of-10-2', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-14', - large_array_10: 'value-of-10-2', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-15', - large_array_10: 'value-of-10-2', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-16', - large_array_10: 'value-of-10-2', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-17', - large_array_10: 'value-of-10-2', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-18', - large_array_10: 'value-of-10-2', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-19', - large_array_10: 'value-of-10-2', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-0', - large_array_10: 'value-of-10-3', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-1', - large_array_10: 'value-of-10-3', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-2', - large_array_10: 'value-of-10-3', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-3', - large_array_10: 'value-of-10-3', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-4', - large_array_10: 'value-of-10-3', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-5', - large_array_10: 'value-of-10-3', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-6', - large_array_10: 'value-of-10-3', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-7', - large_array_10: 'value-of-10-3', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-8', - large_array_10: 'value-of-10-3', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-9', - large_array_10: 'value-of-10-3', - }, - 
doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-10', - large_array_10: 'value-of-10-3', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-11', - large_array_10: 'value-of-10-3', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-12', - large_array_10: 'value-of-10-3', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-13', - large_array_10: 'value-of-10-3', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-14', - large_array_10: 'value-of-10-3', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-15', - large_array_10: 'value-of-10-3', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-16', - large_array_10: 'value-of-10-3', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-17', - large_array_10: 'value-of-10-3', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-18', - large_array_10: 'value-of-10-3', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-19', - large_array_10: 'value-of-10-3', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-0', - large_array_10: 'value-of-10-4', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-1', - large_array_10: 'value-of-10-4', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-2', - large_array_10: 'value-of-10-4', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-3', - large_array_10: 'value-of-10-4', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-4', - large_array_10: 'value-of-10-4', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-5', - large_array_10: 'value-of-10-4', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-6', - large_array_10: 'value-of-10-4', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-7', - large_array_10: 'value-of-10-4', - }, - doc_count: 1, - }, - { - 
key: { - large_array_20: 'value-of-20-8', - large_array_10: 'value-of-10-4', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-9', - large_array_10: 'value-of-10-4', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-10', - large_array_10: 'value-of-10-4', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-11', - large_array_10: 'value-of-10-4', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-12', - large_array_10: 'value-of-10-4', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-13', - large_array_10: 'value-of-10-4', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-14', - large_array_10: 'value-of-10-4', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-15', - large_array_10: 'value-of-10-4', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-16', - large_array_10: 'value-of-10-4', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-17', - large_array_10: 'value-of-10-4', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-18', - large_array_10: 'value-of-10-4', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-19', - large_array_10: 'value-of-10-4', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-0', - large_array_10: 'value-of-10-5', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-1', - large_array_10: 'value-of-10-5', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-2', - large_array_10: 'value-of-10-5', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-3', - large_array_10: 'value-of-10-5', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-4', - large_array_10: 'value-of-10-5', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-5', - large_array_10: 'value-of-10-5', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 
'value-of-20-6', - large_array_10: 'value-of-10-5', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-7', - large_array_10: 'value-of-10-5', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-8', - large_array_10: 'value-of-10-5', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-9', - large_array_10: 'value-of-10-5', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-10', - large_array_10: 'value-of-10-5', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-11', - large_array_10: 'value-of-10-5', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-12', - large_array_10: 'value-of-10-5', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-13', - large_array_10: 'value-of-10-5', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-14', - large_array_10: 'value-of-10-5', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-15', - large_array_10: 'value-of-10-5', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-16', - large_array_10: 'value-of-10-5', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-17', - large_array_10: 'value-of-10-5', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-18', - large_array_10: 'value-of-10-5', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-19', - large_array_10: 'value-of-10-5', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-0', - large_array_10: 'value-of-10-6', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-1', - large_array_10: 'value-of-10-6', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-2', - large_array_10: 'value-of-10-6', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-3', - large_array_10: 'value-of-10-6', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-4', - 
large_array_10: 'value-of-10-6', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-5', - large_array_10: 'value-of-10-6', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-6', - large_array_10: 'value-of-10-6', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-7', - large_array_10: 'value-of-10-6', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-8', - large_array_10: 'value-of-10-6', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-9', - large_array_10: 'value-of-10-6', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-10', - large_array_10: 'value-of-10-6', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-11', - large_array_10: 'value-of-10-6', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-12', - large_array_10: 'value-of-10-6', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-13', - large_array_10: 'value-of-10-6', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-14', - large_array_10: 'value-of-10-6', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-15', - large_array_10: 'value-of-10-6', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-16', - large_array_10: 'value-of-10-6', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-17', - large_array_10: 'value-of-10-6', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-18', - large_array_10: 'value-of-10-6', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-19', - large_array_10: 'value-of-10-6', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-0', - large_array_10: 'value-of-10-7', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-1', - large_array_10: 'value-of-10-7', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-2', - large_array_10: 
'value-of-10-7', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-3', - large_array_10: 'value-of-10-7', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-4', - large_array_10: 'value-of-10-7', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-5', - large_array_10: 'value-of-10-7', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-6', - large_array_10: 'value-of-10-7', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-7', - large_array_10: 'value-of-10-7', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-8', - large_array_10: 'value-of-10-7', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-9', - large_array_10: 'value-of-10-7', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-10', - large_array_10: 'value-of-10-7', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-11', - large_array_10: 'value-of-10-7', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-12', - large_array_10: 'value-of-10-7', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-13', - large_array_10: 'value-of-10-7', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-14', - large_array_10: 'value-of-10-7', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-15', - large_array_10: 'value-of-10-7', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-16', - large_array_10: 'value-of-10-7', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-17', - large_array_10: 'value-of-10-7', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-18', - large_array_10: 'value-of-10-7', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-19', - large_array_10: 'value-of-10-7', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-0', - large_array_10: 'value-of-10-8', - }, - 
doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-1', - large_array_10: 'value-of-10-8', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-2', - large_array_10: 'value-of-10-8', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-3', - large_array_10: 'value-of-10-8', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-4', - large_array_10: 'value-of-10-8', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-5', - large_array_10: 'value-of-10-8', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-6', - large_array_10: 'value-of-10-8', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-7', - large_array_10: 'value-of-10-8', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-8', - large_array_10: 'value-of-10-8', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-9', - large_array_10: 'value-of-10-8', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-10', - large_array_10: 'value-of-10-8', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-11', - large_array_10: 'value-of-10-8', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-12', - large_array_10: 'value-of-10-8', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-13', - large_array_10: 'value-of-10-8', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-14', - large_array_10: 'value-of-10-8', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-15', - large_array_10: 'value-of-10-8', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-16', - large_array_10: 'value-of-10-8', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-17', - large_array_10: 'value-of-10-8', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-18', - large_array_10: 'value-of-10-8', - }, - doc_count: 1, - }, - { - 
key: { - large_array_20: 'value-of-20-19', - large_array_10: 'value-of-10-8', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-0', - large_array_10: 'value-of-10-9', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-1', - large_array_10: 'value-of-10-9', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-2', - large_array_10: 'value-of-10-9', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-3', - large_array_10: 'value-of-10-9', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-4', - large_array_10: 'value-of-10-9', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-5', - large_array_10: 'value-of-10-9', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-6', - large_array_10: 'value-of-10-9', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-7', - large_array_10: 'value-of-10-9', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-8', - large_array_10: 'value-of-10-9', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-9', - large_array_10: 'value-of-10-9', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-10', - large_array_10: 'value-of-10-9', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-11', - large_array_10: 'value-of-10-9', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-12', - large_array_10: 'value-of-10-9', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-13', - large_array_10: 'value-of-10-9', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-14', - large_array_10: 'value-of-10-9', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-15', - large_array_10: 'value-of-10-9', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 'value-of-20-16', - large_array_10: 'value-of-10-9', - }, - doc_count: 1, - }, - { - key: { - large_array_20: 
'value-of-20-17',
- large_array_10: 'value-of-10-9',
- },
- doc_count: 1,
- },
- {
- key: {
- large_array_20: 'value-of-20-18',
- large_array_10: 'value-of-10-9',
- },
- doc_count: 1,
- },
- {
- key: {
- large_array_20: 'value-of-20-19',
- large_array_10: 'value-of-10-9',
- },
- doc_count: 1,
- },
-];
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/new_terms.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/new_terms.ts
index 178b9a9ae2736..0475b2f59ab65 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/new_terms.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/new_terms.ts
@@ -12,7 +12,7 @@ import { NewTermsRuleCreateProps } from '@kbn/security-solution-plugin/common/ap
import { orderBy } from 'lodash';
import { getCreateNewTermsRulesSchemaMock } from '@kbn/security-solution-plugin/common/api/detection_engine/model/rule_schema/mocks';
-import { getMaxSignalsWarning } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/utils/utils';
+import { getMaxSignalsWarning as getMaxAlertsWarning } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/utils/utils';
import {
createRule,
deleteAllRules,
@@ -22,11 +22,10 @@ import {
previewRule,
dataGeneratorFactory,
previewRuleWithExceptionEntries,
+ removeRandomValuedPropertiesFromAlert,
} from '../../../utils';
import { deleteAllExceptions } from '../../../../../../lists_api_integration/utils';
-import { removeRandomValuedProperties } from '../../../utils/remove_random_valued_properties';
-
const historicalWindowStart = '2022-10-13T05:00:04.000Z';
const ruleExecutionStart = '2022-10-19T05:00:04.000Z';
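Review bot: The rename in the `@@ -12,7 +12,7 @@` hunk is done at the import site, `import { getMaxSignalsWarning as getMaxAlertsWarning }`, rather than where the function is exported, so a grep for `getMaxAlertsWarning` now stops at the test files while the definition keeps the old name; the same per-file alias appears in the query.ts, threat_match.ts and threshold.ts import hunks, and query.ts does it again with `DETECTION_ENGINE_SIGNALS_STATUS_URL as DETECTION_ENGINE_ALERTS_STATUS_URL`. If the plugin-side rename is deliberately deferred, a one-line comment on the aliased import such as `// alias until getMaxSignalsWarning is renamed in the plugin` would make that intent visible; otherwise renaming at the export, as the commit already does for `getThresholdRuleForAlertTesting` in the test utils, keeps one name per function. The enclosing import list continues past the end of the hunk.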
@@ -72,7 +71,7 @@ export default ({ getService }: FtrProviderContext) => { return testId; }; - describe('New terms type rules', () => { + describe('@ess @serverless New terms type rules', () => { before(async () => { await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts'); await esArchiver.load('x-pack/test/functional/es_archives/security_solution/new_terms'); @@ -102,7 +101,7 @@ export default ({ getService }: FtrProviderContext) => { const alerts = await getOpenAlerts(supertest, log, es, createdRule); expect(alerts.hits.hits.length).eql(1); - expect(removeRandomValuedProperties(alerts.hits.hits[0]._source)).eql({ + expect(removeRandomValuedPropertiesFromAlert(alerts.hits.hits[0]._source)).eql({ 'kibana.alert.new_terms': ['zeek-newyork-sha-aa8df15'], 'kibana.alert.rule.category': 'New Terms Rule', 'kibana.alert.rule.consumer': 'siem', @@ -229,7 +228,7 @@ export default ({ getService }: FtrProviderContext) => { }); }); - it('generates max signals warning when circuit breaker is exceeded', async () => { + it('generates max alerts warning when circuit breaker is exceeded', async () => { const rule: NewTermsRuleCreateProps = { ...getCreateNewTermsRulesSchemaMock('rule-1', true), new_terms_fields: ['process.pid'], @@ -239,10 +238,10 @@ export default ({ getService }: FtrProviderContext) => { }; const { logs } = await previewRule({ supertest, rule }); - expect(logs[0].warnings).contain(getMaxSignalsWarning()); + expect(logs[0].warnings).contain(getMaxAlertsWarning()); }); - it("doesn't generate max signals warning when circuit breaker is met but not exceeded", async () => { + it("doesn't generate max alerts warning when circuit breaker is met but not exceeded", async () => { const rule: NewTermsRuleCreateProps = { ...getCreateNewTermsRulesSchemaMock('rule-1', true), new_terms_fields: ['host.ip'], 
@@ -252,7 +251,7 @@ export default ({ getService }: FtrProviderContext) => { }; const { logs } = await previewRule({ supertest, rule }); - expect(logs[0].warnings).not.contain(getMaxSignalsWarning()); + expect(logs[0].warnings).not.contain(getMaxAlertsWarning()); }); it('should generate 3 alerts when 1 document has 3 new values', async () => { @@ -990,21 +989,21 @@ export default ({ getService }: FtrProviderContext) => { }); }); - it('should work for max signals > 100', async () => { - const maxSignals = 200; + it('should work for max alerts > 100', async () => { + const maxAlerts = 200; const rule: NewTermsRuleCreateProps = { ...getCreateNewTermsRulesSchemaMock('rule-1', true), new_terms_fields: ['process.pid'], from: '2018-02-19T20:42:00.000Z', // Set the history_window_start close to 'from' so we should alert on all terms in the time range history_window_start: '2018-02-19T20:41:59.000Z', - max_signals: maxSignals, + max_signals: maxAlerts, }; const { previewId } = await previewRule({ supertest, rule }); - const previewAlerts = await getPreviewAlerts({ es, previewId, size: maxSignals * 2 }); + const previewAlerts = await getPreviewAlerts({ es, previewId, size: maxAlerts * 2 }); - expect(previewAlerts.length).eql(maxSignals); + expect(previewAlerts.length).eql(maxAlerts); const processPids = previewAlerts .map((signal) => signal._source?.['kibana.alert.new_terms']) .sort(); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/non_ecs_fields.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/non_ecs_fields.ts index afa8a9e9eef78..e452ffcfaf34e 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/non_ecs_fields.ts 
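Review bot: The signal-to-alert rename in the `max alerts > 100` test of the `@@ -990,21 +989,21 @@` hunk stops short of the context line `.map((signal) => signal._source?.['kibana.alert.new_terms'])`, which still names its callback parameter `signal` while `maxSignals` two lines above became `maxAlerts`; the threat_match.ts hunks do rename the equivalent `(signal) =>` callbacks, so this looks like an omission rather than a choice. `.map((alert) => alert._source?.['kibana.alert.new_terms'])` would finish the rename. The `it` callback continues past the end of the hunk.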
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/non_ecs_fields.ts
@@ -56,7 +56,7 @@ export default ({ getService }: FtrProviderContext) => {
};
};
- describe('Non ECS fields in alert document source', () => {
+ describe('@ess @serverless Non ECS fields in alert document source', () => {
before(async () => {
await esArchiver.load(
'x-pack/test/functional/es_archives/security_solution/ecs_non_compliant'
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts
index 22b14d55261d0..1d1e486103710 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts
@@ -42,9 +42,9 @@ import {
import {
DETECTION_ENGINE_RULES_BULK_ACTION,
DETECTION_ENGINE_RULES_URL,
- DETECTION_ENGINE_SIGNALS_STATUS_URL,
+ DETECTION_ENGINE_SIGNALS_STATUS_URL as DETECTION_ENGINE_ALERTS_STATUS_URL,
} from '@kbn/security-solution-plugin/common/constants';
-import { getMaxSignalsWarning } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/utils/utils';
+import { getMaxSignalsWarning as getMaxAlertsWarning } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/utils/utils';
import { deleteAllExceptions } from '../../../../../../lists_api_integration/utils';
import {
createExceptionList,
@@ -76,7 +76,7 @@ const ID = 'BhbXBmkBR346wHgn4PeZ';
/**
* Test coverage:
* [x] - Happy path generating 1 alert
- * [x] - Rule type respects max signals
+ * [x] - Rule type respects max alerts
* [x] - Alerts on alerts
*/
@@ -87,7 +87,7 @@ export default ({ getService }: FtrProviderContext) => {
const log = getService('log');
const esDeleteAllIndices = getService('esDeleteAllIndices');
- describe('Query type rules', () => {
+ describe('@ess @serverless Query type rules', () => {
before(async () => {
await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts');
await esArchiver.load('x-pack/test/functional/es_archives/security_solution/alerts/8.1.0');
@@ -118,37 +118,37 @@ export default ({ getService }: FtrProviderContext) => { expect(alerts.hits.hits[0]._source?.['kibana.alert.ancestors'][0].id).eql(ID); }); - it('generates max signals warning when circuit breaker is hit', async () => { + it('generates max alerts warning when circuit breaker is hit', async () => { const rule: QueryRuleCreateProps = { ...getRuleForAlertTesting(['auditbeat-*']), }; const { logs } = await previewRule({ supertest, rule }); - expect(logs[0].warnings).contain(getMaxSignalsWarning()); + expect(logs[0].warnings).contain(getMaxAlertsWarning()); }); - it("doesn't generate max signals warning when circuit breaker is met but not exceeded", async () => { + it("doesn't generate max alerts warning when circuit breaker is met but not exceeded", async () => { const rule = { ...getRuleForAlertTesting(['auditbeat-*']), query: 'process.executable: "/usr/bin/sudo"', max_signals: 10, }; const { logs } = await previewRule({ supertest, rule }); - expect(logs[0].warnings).not.contain(getMaxSignalsWarning()); + expect(logs[0].warnings).not.contain(getMaxAlertsWarning()); }); it('should abide by max_signals > 100', async () => { - const maxSignals = 200; + const maxAlerts = 200; const rule: QueryRuleCreateProps = { ...getRuleForAlertTesting(['auditbeat-*']), - max_signals: maxSignals, + max_signals: maxAlerts, }; const { previewId } = await previewRule({ supertest, rule }); // Search for 2x max_signals to make sure we aren't making more than max_signals - const previewAlerts = await getPreviewAlerts({ es, previewId, size: maxSignals * 2 }); - expect(previewAlerts.length).equal(maxSignals); + const previewAlerts = await getPreviewAlerts({ es, previewId, size: maxAlerts * 2 }); + expect(previewAlerts.length).equal(maxAlerts); }); - it('should have recorded the rule_id within the signal', async () => { + it('should have recorded the rule_id within the alert', async () => { const rule: QueryRuleCreateProps = { ...getRuleForAlertTesting(['auditbeat-*']), 
query: `_id:${ID}`, @@ -158,17 +158,17 @@ export default ({ getService }: FtrProviderContext) => { expect(previewAlerts[0]._source?.[ALERT_RULE_RULE_ID]).eql(getSimpleRule().rule_id); }); - it('should query and get back expected signal structure using a basic KQL query', async () => { + it('should query and get back expected alert structure using a basic KQL query', async () => { const rule: QueryRuleCreateProps = { ...getRuleForAlertTesting(['auditbeat-*']), query: `_id:${ID}`, }; const { previewId } = await previewRule({ supertest, rule }); const previewAlerts = await getPreviewAlerts({ es, previewId }); - const signal = previewAlerts[0]._source; + const alert = previewAlerts[0]._source; - expect(signal).eql({ - ...signal, + expect(alert).eql({ + ...alert, [ALERT_ANCESTORS]: [ { id: 'BhbXBmkBR346wHgn4PeZ', @@ -189,7 +189,7 @@ export default ({ getService }: FtrProviderContext) => { }); }); - it('should query and get back expected signal structure when it is a signal on a signal', async () => { + it('should query and get back expected alert structure when it is a alert on a alert', async () => { const alertId = '30a75fe46d3dbdfab55982036f77a8d60e2d1112e96f277c3b8c22f9bb57817a'; const rule: QueryRuleCreateProps = { ...getRuleForAlertTesting([`.alerts-security.alerts-default*`]), @@ -202,14 +202,14 @@ export default ({ getService }: FtrProviderContext) => { expect(previewAlerts.length).to.eql(1); - const signal = previewAlerts[0]._source; + const alert = previewAlerts[0]._source; - if (!signal) { - return expect(signal).to.be.ok(); + if (!alert) { + return expect(alert).to.be.ok(); } - expect(signal).eql({ - ...signal, + expect(alert).eql({ + ...alert, [ALERT_ANCESTORS]: [ { id: 'ahEToH8BK09aFtXZFVMq', 
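Review bot: The new test title in the `@@ -189,7 +189,7 @@` hunk reads `'…when it is a alert on a alert'`, which the mechanical signal→alert substitution left ungrammatical; `it('should query and get back expected alert structure when it is an alert on an alert', async () => {` reads correctly. Test titles are what CI reports on failure, so it is worth fixing before the string is copied into other suites. The `it` callback continues past the end of the hunk.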
@@ -273,7 +273,7 @@ export default ({ getService }: FtrProviderContext) => { /** * Here we test the functionality of Severity and Risk Score overrides (also called "mappings" * in the code). If the rule specifies a mapping, then the final Severity or Risk Score - * value of the signal will be taken from the mapped field of the source event. + * value of the alert will be taken from the mapped field of the source event. */ it('should get default severity and risk score if there is no mapping', async () => { const rule: QueryRuleCreateProps = { @@ -409,7 +409,7 @@ export default ({ getService }: FtrProviderContext) => { }); }); - it('should generate signals with name_override field', async () => { + it('should generate alerts with name_override field', async () => { const rule: QueryRuleCreateProps = { ...getRuleForAlertTesting(['auditbeat-*']), query: `event.action:boot`, @@ -418,15 +418,15 @@ export default ({ getService }: FtrProviderContext) => { const { previewId } = await previewRule({ supertest, rule }); const previewAlerts = await getPreviewAlerts({ es, previewId }); - const fullSignal = previewAlerts[0]; - if (!fullSignal) { - return expect(fullSignal).to.be.ok(); + const fullAlert = previewAlerts[0]; + if (!fullAlert) { + return expect(fullAlert).to.be.ok(); } expect(previewAlerts[0]._source?.['kibana.alert.rule.name']).to.eql('boot'); }); - it('should not generate duplicate signals', async () => { + it('should not generate duplicate alerts', async () => { const rule: QueryRuleCreateProps = { ...getRuleForAlertTesting(['auditbeat-*']), query: `_id:${ID}`, @@ -859,7 +859,7 @@ export default ({ getService }: FtrProviderContext) => { // for suppression purposes. const alertIds = alerts.hits.hits.map((alert) => alert._id); await supertest - .post(DETECTION_ENGINE_SIGNALS_STATUS_URL) + .post(DETECTION_ENGINE_ALERTS_STATUS_URL) .set('kbn-xsrf', 'true') .send(setAlertStatus({ alertIds, status: 'closed' })) .expect(200); 
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/saved_query.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/saved_query.ts
index 9c7bd7db2b690..f33a539870cdb 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/saved_query.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/saved_query.ts
@@ -37,7 +37,7 @@ export default ({ getService }: FtrProviderContext) => {
const es = getService('es');
const log = getService('log');
- describe('Saved query type rules', () => {
+ describe('@ess @serverless Saved query type rules', () => {
before(async () => {
await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts');
});
@@ -49,7 +49,7 @@ export default ({ getService }: FtrProviderContext) => {
});
// First test creates a real rule - remaining tests use preview API
- it('should query and get back expected signal structure using a saved query rule', async () => {
+ it('should query and get back expected alert structure using a saved query rule', async () => {
const rule: SavedQueryRuleCreateProps = {
...getRuleForAlertTesting(['auditbeat-*']),
type: 'saved_query',
@@ -58,9 +58,9 @@ export default ({ getService }: FtrProviderContext) => {
};
const createdRule = await createRule(supertest, log, rule);
const alerts = await getOpenAlerts(supertest, log, es, createdRule);
- const signal = alerts.hits.hits[0]._source;
- expect(signal).eql({
- ...signal,
+ const alert = alerts.hits.hits[0]._source;
+ expect(alert).eql({
+ ...alert,
[ALERT_ANCESTORS]: [
{
id: 'BhbXBmkBR346wHgn4PeZ',
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threat_match.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threat_match.ts
index fb71213444d3a..773b4e96368c2 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threat_match.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threat_match.ts
@@ -35,7 +35,7 @@ import {
ALERT_ORIGINAL_TIME,
} from '@kbn/security-solution-plugin/common/field_maps/field_names';
import { RuleExecutionStatusEnum } from '@kbn/security-solution-plugin/common/api/detection_engine/rule_monitoring';
-import { getMaxSignalsWarning } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/utils/utils';
+import { getMaxSignalsWarning as getMaxAlertsWarning } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/utils/utils';
import {
previewRule,
getOpenAlerts,
@@ -149,10 +149,8 @@ export default ({ getService }: FtrProviderContext) => {
* Specific api integration tests for threat matching rule type
*/
// FLAKY: https://github.com/elastic/kibana/issues/155304
- describe('Threat match type rules', () => {
+ describe('@ess @serverless Threat match type rules', () => {
before(async () => {
- // await deleteSignalsIndex(supertest, log);
- // await deleteAllAlerts(supertest, log);
await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts');
});
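Review bot: The `describe` in the `@@ -149,10 +149,8 @@` hunk is tagged `@ess @serverless` while the `// FLAKY: https://github.com/elastic/kibana/issues/155304` annotation directly above it stays in place, so a suite documented as flaky is enrolled in a second CI target with no visible change to what made it flaky; either confirm the linked issue is resolved and drop the comment, or keep the suite out of the serverless run until it is. The commented-out `deleteSignalsIndex`/`deleteAllAlerts` calls are removed from `before` without a replacement, which is only safe if the `after` hook (outside the hunk) still clears rules and alerts between suites — otherwise the fixed counts asserted later, such as `expect(alerts.hits.hits.length).equal(88)`, can pick up leftovers from an earlier suite. The `describe` body continues past the end of the hunk.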
@@ -163,7 +161,7 @@ export default ({ getService }: FtrProviderContext) => { }); // First 2 test creates a real rule - remaining tests use preview API - it('should be able to execute and get all signals when doing a specific query (terms query)', async () => { + it('should be able to execute and get all alerts when doing a specific query (terms query)', async () => { const rule: ThreatMatchRuleCreateProps = createThreatMatchRule(); const createdRule = await createRule(supertest, log, rule); @@ -177,16 +175,15 @@ export default ({ getService }: FtrProviderContext) => { ); expect(alerts.hits.hits.length).equal(88); const fullSource = alerts.hits.hits.find( - (signal) => - (signal._source?.[ALERT_ANCESTORS] as Ancestor[])[0].id === '7yJ-B2kBR346wHgnhlMn' + (alert) => (alert._source?.[ALERT_ANCESTORS] as Ancestor[])[0].id === '7yJ-B2kBR346wHgnhlMn' ); - const fullSignal = fullSource?._source; - if (!fullSignal) { - return expect(fullSignal).to.be.ok(); + const fullAlert = fullSource?._source; + if (!fullAlert) { + return expect(fullAlert).to.be.ok(); } - expect(fullSignal).eql({ - ...fullSignal, - '@timestamp': fullSignal['@timestamp'], + expect(fullAlert).eql({ + ...fullAlert, + '@timestamp': fullAlert['@timestamp'], agent: { ephemeral_id: '1b4978a0-48be-49b1-ac96-323425b389ab', hostname: 'zeek-sensor-amsterdam', 
@@ -280,18 +277,18 @@ export default ({ getService }: FtrProviderContext) => { [ALERT_ORIGINAL_EVENT_ACTION]: 'error', [ALERT_ORIGINAL_EVENT_CATEGORY]: 'user-login', [ALERT_ORIGINAL_EVENT_MODULE]: 'auditd', - [ALERT_ORIGINAL_TIME]: fullSignal[ALERT_ORIGINAL_TIME], + [ALERT_ORIGINAL_TIME]: fullAlert[ALERT_ORIGINAL_TIME], [ALERT_REASON]: 'user-login event with source 46.101.47.213 by root on zeek-sensor-amsterdam created high alert Query with a rule id.', - [ALERT_RULE_UUID]: fullSignal[ALERT_RULE_UUID], + [ALERT_RULE_UUID]: fullAlert[ALERT_RULE_UUID], [ALERT_STATUS]: 'active', - [ALERT_UUID]: fullSignal[ALERT_UUID], + [ALERT_UUID]: fullAlert[ALERT_UUID], [ALERT_WORKFLOW_STATUS]: 'open', [ALERT_WORKFLOW_TAGS]: [], [SPACE_IDS]: ['default'], - [VERSION]: fullSignal[VERSION], + [VERSION]: fullAlert[VERSION], threat: { - enrichments: get(fullSignal, 'threat.enrichments'), + enrichments: get(fullAlert, 'threat.enrichments'), }, ...flattenWithPrefix(ALERT_RULE_NAMESPACE, { actions: [], @@ -319,14 +316,14 @@ export default ({ getService }: FtrProviderContext) => { threat: [], to: 'now', type: 'threat_match', - updated_at: fullSignal[ALERT_RULE_UPDATED_AT], + updated_at: fullAlert[ALERT_RULE_UPDATED_AT], updated_by: 'elastic', - uuid: fullSignal[ALERT_RULE_UUID], + uuid: fullAlert[ALERT_RULE_UUID], version: 1, }), }); }); - it('should be able to execute and get all signals when doing a specific query (match query)', async () => { + it('should be able to execute and get all alerts when doing a specific query (match query)', async () => { const rule: ThreatMatchRuleCreateProps = createThreatMatchRule({ threat_mapping: [ // We match host.name against host.name 
@@ -358,16 +355,15 @@ export default ({ getService }: FtrProviderContext) => { ); expect(alerts.hits.hits.length).equal(88); const fullSource = alerts.hits.hits.find( - (signal) => - (signal._source?.[ALERT_ANCESTORS] as Ancestor[])[0].id === '7yJ-B2kBR346wHgnhlMn' + (alert) => (alert._source?.[ALERT_ANCESTORS] as Ancestor[])[0].id === '7yJ-B2kBR346wHgnhlMn' ); - const fullSignal = fullSource?._source; - if (!fullSignal) { - return expect(fullSignal).to.be.ok(); + const fullAlert = fullSource?._source; + if (!fullAlert) { + return expect(fullAlert).to.be.ok(); } - expect(fullSignal).eql({ - ...fullSignal, - '@timestamp': fullSignal['@timestamp'], + expect(fullAlert).eql({ + ...fullAlert, + '@timestamp': fullAlert['@timestamp'], agent: { ephemeral_id: '1b4978a0-48be-49b1-ac96-323425b389ab', hostname: 'zeek-sensor-amsterdam', @@ -461,17 +457,17 @@ export default ({ getService }: FtrProviderContext) => { [ALERT_ORIGINAL_EVENT_ACTION]: 'error', [ALERT_ORIGINAL_EVENT_CATEGORY]: 'user-login', [ALERT_ORIGINAL_EVENT_MODULE]: 'auditd', - [ALERT_ORIGINAL_TIME]: fullSignal[ALERT_ORIGINAL_TIME], + [ALERT_ORIGINAL_TIME]: fullAlert[ALERT_ORIGINAL_TIME], [ALERT_REASON]: 'user-login event with source 46.101.47.213 by root on zeek-sensor-amsterdam created high alert Query with a rule id.', - [ALERT_RULE_UUID]: fullSignal[ALERT_RULE_UUID], + [ALERT_RULE_UUID]: fullAlert[ALERT_RULE_UUID], [ALERT_STATUS]: 'active', - [ALERT_UUID]: fullSignal[ALERT_UUID], + [ALERT_UUID]: fullAlert[ALERT_UUID], [ALERT_WORKFLOW_STATUS]: 'open', [SPACE_IDS]: ['default'], - [VERSION]: fullSignal[VERSION], + [VERSION]: fullAlert[VERSION], threat: { - enrichments: get(fullSignal, 'threat.enrichments'), + enrichments: get(fullAlert, 'threat.enrichments'), }, ...flattenWithPrefix(ALERT_RULE_NAMESPACE, { actions: [], 
@@ -499,18 +495,18 @@ export default ({ getService }: FtrProviderContext) => { threat: [], to: 'now', type: 'threat_match', - updated_at: fullSignal[ALERT_RULE_UPDATED_AT], + updated_at: fullAlert[ALERT_RULE_UPDATED_AT], updated_by: 'elastic', - uuid: fullSignal[ALERT_RULE_UUID], + uuid: fullAlert[ALERT_RULE_UUID], version: 1, }), }); }); - it('generates max signals warning when circuit breaker is hit', async () => { + it('generates max alerts warning when circuit breaker is hit', async () => { const rule: ThreatMatchRuleCreateProps = { ...createThreatMatchRule(), max_signals: 87 }; // Query generates 88 alerts with current esArchive const { logs } = await previewRule({ supertest, rule }); - expect(logs[0].warnings).contain(getMaxSignalsWarning()); + expect(logs[0].warnings).contain(getMaxAlertsWarning()); }); it('terms and match should have the same alerts with pagination', async () => { @@ -592,7 +588,7 @@ export default ({ getService }: FtrProviderContext) => { expect(previewAlerts.length).equal(0); }); - it('should return 0 signals when using an AND and one of the clauses does not have data', async () => { + it('should return 0 alerts when using an AND and one of the clauses does not have data', async () => { const rule: ThreatMatchRuleCreateProps = createThreatMatchRule({ threat_mapping: [ { @@ -617,7 +613,7 @@ export default ({ getService }: FtrProviderContext) => { expect(previewAlerts.length).equal(0); }); - it('should return 0 signals when using an AND and one of the clauses has a made up value that does not exist', async () => { + it('should return 0 alerts when using an AND and one of the clauses has a made up value that does not exist', async () => { const rule: ThreatMatchRuleCreateProps = createThreatMatchRule({ threat_mapping: [ { 
@@ -667,7 +663,7 @@ export default ({ getService }: FtrProviderContext) => {
await esArchiver.unload('x-pack/test/functional/es_archives/filebeat/threat_intel');
});
- it('enriches signals with the single indicator that matched', async () => {
+ it('enriches alerts with the single indicator that matched', async () => {
const rule: ThreatMatchRuleCreateProps = createThreatMatchRule({
threat_mapping: [
{
@@ -743,9 +739,9 @@ export default ({ getService }: FtrProviderContext) => {
]);
});
- it('enriches signals with multiple indicators if several matched', async () => {
+ it('enriches alerts with multiple indicators if several matched', async () => {
const rule: ThreatMatchRuleCreateProps = createThreatMatchRule({
- query: 'NOT source.port:35326', // specify query to have signals more than treat indicators, but only 1 will match
+ query: 'NOT source.port:35326', // specify query to have alerts more than treat indicators, but only 1 will match
threat_query: 'threat.indicator.ip: *',
threat_index: ['filebeat-*'], // Mimics indicators from the filebeat MISP module
threat_mapping: [
@@ -810,7 +806,7 @@ export default ({ getService }: FtrProviderContext) => {
it('adds a single indicator that matched multiple fields', async () => {
const rule: ThreatMatchRuleCreateProps = createThreatMatchRule({
- query: 'NOT source.port:35326', // specify query to have signals more than treat indicators, but only 1 will match
+ query: 'NOT source.port:35326', // specify query to have alerts more than treat indicators, but only 1 will match
threat_query: 'threat.indicator.port: 57324 or threat.indicator.ip:45.115.45.3', // narrow our query to a single indicator
threat_index: ['filebeat-*'], // Mimics indicators from the filebeat MISP module
threat_mapping: [
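Review bot: The rewritten comment in the `@@ -743,9 +739,9 @@` hunk, `// specify query to have alerts more than treat indicators, but only 1 will match`, keeps the typo `treat` for `threat` and the awkward word order; since the line is being touched anyway, `// query matches more events than there are threat indicators, but only 1 will match` says the same thing plainly. The same comment is rewritten with the same typo in the `@@ -810,7 +806,7 @@` hunk below. Both `it` callbacks continue past the end of their hunks.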
@@ -906,7 +902,7 @@ export default ({ getService }: FtrProviderContext) => { ]); }); - it('generates multiple signals with multiple matches', async () => { + it('generates multiple alerts with multiple matches', async () => { const rule: ThreatMatchRuleCreateProps = createThreatMatchRule({ threat_query: '*:*', threat_index: ['filebeat-*'], // Mimics indicators from the filebeat MISP module @@ -1031,7 +1027,7 @@ export default ({ getService }: FtrProviderContext) => { }); // https://github.com/elastic/kibana/issues/149920 - // generates same number of alerts similarly to "enriches signals with the single indicator that matches" test + // generates same number of alerts similarly to "enriches alerts with the single indicator that matches" test it('generates alerts with single match if queries contain field path wildcards', async () => { const rule: ThreatMatchRuleCreateProps = createThreatMatchRule({ // still matches all documents as default *:* @@ -1066,7 +1062,7 @@ export default ({ getService }: FtrProviderContext) => { await esArchiver.unload('x-pack/test/functional/es_archives/filebeat/threat_intel'); }); - it('enriches signals with the single indicator that matched', async () => { + it('enriches alerts with the single indicator that matched', async () => { const termRule: ThreatMatchRuleCreateProps = createThreatMatchRule({ query: 'destination.ip:159.89.119.67', threat_query: 'threat.indicator.domain: *', // narrow things down to indicators with a domain 
@@ -1167,7 +1163,7 @@ export default ({ getService }: FtrProviderContext) => { alertsAreTheSame(termPreviewAlerts, matchPrevieAlerts); }); - it('enriches signals with multiple indicators if several matched', async () => { + it('enriches alerts with multiple indicators if several matched', async () => { const termRule: ThreatMatchRuleCreateProps = createThreatMatchRule({ query: 'source.port: 57324', // narrow our query to a single record that matches two indicatorsthreat_query: 'threat.indicator.ip: *', threat_query: 'threat.indicator.ip: *', @@ -1407,7 +1403,7 @@ export default ({ getService }: FtrProviderContext) => { ); }); - it('generates multiple signals with multiple matches', async () => { + it('generates multiple alerts with multiple matches', async () => { const rule: ThreatMatchRuleCreateProps = createThreatMatchRule({ query: '(source.port:57324 and source.ip:45.115.45.3) or destination.ip:159.89.119.67', // narrow our query to a single record that matches two indicators threat_query: '*:*', @@ -1533,7 +1529,7 @@ export default ({ getService }: FtrProviderContext) => { }); // https://github.com/elastic/kibana/issues/149920 - // creates same number of alerts similarly to "generates multiple signals with multiple matches" test + // creates same number of alerts similarly to "generates multiple alerts with multiple matches" test it('generates alerts with multiple matches if queries contain field path wildcards', async () => { const rule: ThreatMatchRuleCreateProps = createThreatMatchRule({ // source.po* matches port source.port field 
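Review bot: The context line right after the renamed title in the `@@ -1167,7 +1163,7 @@` hunk, `query: 'source.port: 57324', // narrow our query to a single record that matches two indicatorsthreat_query: 'threat.indicator.ip: *',`, appears to carry a pasted fragment of the following `threat_query` line inside its trailing comment; if that is really what the file contains and not an artifact of how this diff was rendered, trimming the comment to `// narrow our query to a single record that matches two indicators` avoids a reader thinking `threat_query` is set twice. The `termRule` object continues past the end of the hunk.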
@@ -1604,16 +1600,16 @@ export default ({ getService }: FtrProviderContext) => { const previewAlerts = await getPreviewAlerts({ es, previewId, size: 100 }); expect(previewAlerts.length).equal(88); const fullSource = previewAlerts.find( - (signal) => - (signal._source?.[ALERT_ANCESTORS] as Ancestor[])[0].id === '7yJ-B2kBR346wHgnhlMn' + (alert) => + (alert._source?.[ALERT_ANCESTORS] as Ancestor[])[0].id === '7yJ-B2kBR346wHgnhlMn' ); - const fullSignal = fullSource?._source; - if (!fullSignal) { - return expect(fullSignal).to.be.ok(); + const fullAlert = fullSource?._source; + if (!fullAlert) { + return expect(fullAlert).to.be.ok(); } - expect(fullSignal?.host?.risk?.calculated_level).to.eql('Critical'); - expect(fullSignal?.host?.risk?.calculated_score_norm).to.eql(70); + expect(fullAlert?.host?.risk?.calculated_level).to.eql('Critical'); + expect(fullAlert?.host?.risk?.calculated_score_norm).to.eql(70); }); }); }); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threshold.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threshold.ts index 4ec235a54c8fc..00d5e2883202b 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threshold.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threshold.ts 
@@ -21,12 +21,12 @@ import { ALERT_ORIGINAL_TIME, ALERT_THRESHOLD_RESULT, } from '@kbn/security-solution-plugin/common/field_maps/field_names'; -import { getMaxSignalsWarning } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/utils/utils'; +import { getMaxSignalsWarning as getMaxAlertsWarning } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/utils/utils'; import { createRule, getOpenAlerts, getPreviewAlerts, - getThresholdRuleForSignalTesting, + getThresholdRuleForAlertTesting, previewRule, } from '../../../utils'; import { FtrProviderContext } from '../../../../../ftr_provider_context'; @@ -37,7 +37,7 @@ export default ({ getService }: FtrProviderContext) => { const es = getService('es'); const log = getService('log'); - describe('Threshold type rules', () => { + describe('@ess @serverless Threshold type rules', () => { before(async () => { await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts'); }); @@ -47,9 +47,9 @@ export default ({ getService }: FtrProviderContext) => { }); // First test creates a real rule - remaining tests use preview API - it('generates 1 signal from Threshold rules when threshold is met', async () => { + it('generates 1 alert from Threshold rules when threshold is met', async () => { const rule: ThresholdRuleCreateProps = { - ...getThresholdRuleForSignalTesting(['auditbeat-*']), + ...getThresholdRuleForAlertTesting(['auditbeat-*']), threshold: { field: ['host.id'], value: 700, 
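Review bot: The alias `getMaxSignalsWarning as getMaxAlertsWarning` in the first hunk renames the symbol at the import site only, so the local name no longer matches the exported function nor the `max_signals` rule field the tests in later hunks of this file still set. A reader grepping for the warning helper finds the alias rather than its definition, and the alias will quietly diverge if the plugin ever exports a real `getMaxAlertsWarning`. I would keep the exported name, `import { getMaxSignalsWarning } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/utils/utils';`, leave the call sites as they were, and do any rename in the plugin itself. The import block ends in this hunk; the call sites are in the hunks further down.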
@@ -58,13 +58,13 @@ export default ({ getService }: FtrProviderContext) => { const createdRule = await createRule(supertest, log, rule); const alerts = await getOpenAlerts(supertest, log, es, createdRule); expect(alerts.hits.hits.length).eql(1); - const fullSignal = alerts.hits.hits[0]._source; - if (!fullSignal) { - return expect(fullSignal).to.be.ok(); + const fullAlert = alerts.hits.hits[0]._source; + if (!fullAlert) { + return expect(fullAlert).to.be.ok(); } - const eventIds = (fullSignal?.[ALERT_ANCESTORS] as Ancestor[]).map((event) => event.id); - expect(fullSignal).eql({ - ...fullSignal, + const eventIds = (fullAlert?.[ALERT_ANCESTORS] as Ancestor[]).map((event) => event.id); + expect(fullAlert).eql({ + ...fullAlert, 'host.id': '8cc95778cce5407c809480e8e32ad76b', [EVENT_KIND]: 'signal', [ALERT_ANCESTORS]: [ @@ -77,8 +77,8 @@ export default ({ getService }: FtrProviderContext) => { ], [ALERT_WORKFLOW_STATUS]: 'open', [ALERT_REASON]: 'event created high alert Signal Testing Query.', - [ALERT_RULE_UUID]: fullSignal[ALERT_RULE_UUID], - [ALERT_ORIGINAL_TIME]: fullSignal[ALERT_ORIGINAL_TIME], + [ALERT_RULE_UUID]: fullAlert[ALERT_RULE_UUID], + [ALERT_ORIGINAL_TIME]: fullAlert[ALERT_ORIGINAL_TIME], [ALERT_DEPTH]: 1, [ALERT_THRESHOLD_RESULT]: { terms: [ @@ -93,9 +93,9 @@ export default ({ getService }: FtrProviderContext) => { }); }); - it('generates max signals warning when circuit breaker is exceeded', async () => { + it('generates max alerts warning when circuit breaker is exceeded', async () => { const rule: ThresholdRuleCreateProps = { - ...getThresholdRuleForSignalTesting(['auditbeat-*']), + ...getThresholdRuleForAlertTesting(['auditbeat-*']), threshold: { field: 'host.id', value: 1, // This value generates 7 alerts with the current esArchive 
@@ -103,12 +103,12 @@ export default ({ getService }: FtrProviderContext) => { max_signals: 5, }; const { logs } = await previewRule({ supertest, rule }); - expect(logs[0].warnings).contain(getMaxSignalsWarning()); + expect(logs[0].warnings).contain(getMaxAlertsWarning()); }); - it("doesn't generate max signals warning when circuit breaker is met but not exceeded", async () => { + it("doesn't generate max alerts warning when circuit breaker is met but not exceeded", async () => { const rule: ThresholdRuleCreateProps = { - ...getThresholdRuleForSignalTesting(['auditbeat-*']), + ...getThresholdRuleForAlertTesting(['auditbeat-*']), threshold: { field: 'host.id', value: 1, // This value generates 7 alerts with the current esArchive @@ -116,12 +116,12 @@ export default ({ getService }: FtrProviderContext) => { max_signals: 7, }; const { logs } = await previewRule({ supertest, rule }); - expect(logs[0].warnings).not.contain(getMaxSignalsWarning()); + expect(logs[0].warnings).not.contain(getMaxAlertsWarning()); }); - it('generates 2 signals from Threshold rules when threshold is met', async () => { + it('generates 2 alerts from Threshold rules when threshold is met', async () => { const rule: ThresholdRuleCreateProps = { - ...getThresholdRuleForSignalTesting(['auditbeat-*']), + ...getThresholdRuleForAlertTesting(['auditbeat-*']), threshold: { field: 'host.id', value: 100, @@ -134,7 +134,7 @@ export default ({ getService }: FtrProviderContext) => { it('applies the provided query before bucketing ', async () => { const rule: ThresholdRuleCreateProps = { - ...getThresholdRuleForSignalTesting(['auditbeat-*']), + ...getThresholdRuleForAlertTesting(['auditbeat-*']), query: 'host.id:"2ab45fc1c41e4c84bbd02202a7e5761f"', threshold: { field: 'process.name', 
@@ -146,9 +146,9 @@ export default ({ getService }: FtrProviderContext) => { expect(previewAlerts.length).eql(1); }); - it('generates no signals from Threshold rules when threshold is met and cardinality is not met', async () => { + it('generates no alerts from Threshold rules when threshold is met and cardinality is not met', async () => { const rule: ThresholdRuleCreateProps = { - ...getThresholdRuleForSignalTesting(['auditbeat-*']), + ...getThresholdRuleForAlertTesting(['auditbeat-*']), threshold: { field: 'host.id', value: 100, @@ -165,9 +165,9 @@ export default ({ getService }: FtrProviderContext) => { expect(previewAlerts.length).eql(0); }); - it('generates no signals from Threshold rules when cardinality is met and threshold is not met', async () => { + it('generates no alerts from Threshold rules when cardinality is met and threshold is not met', async () => { const rule: ThresholdRuleCreateProps = { - ...getThresholdRuleForSignalTesting(['auditbeat-*']), + ...getThresholdRuleForAlertTesting(['auditbeat-*']), threshold: { field: 'host.id', value: 1000, @@ -184,9 +184,9 @@ export default ({ getService }: FtrProviderContext) => { expect(previewAlerts.length).eql(0); }); - it('generates signals from Threshold rules when threshold and cardinality are both met', async () => { + it('generates alerts from Threshold rules when threshold and cardinality are both met', async () => { const rule: ThresholdRuleCreateProps = { - ...getThresholdRuleForSignalTesting(['auditbeat-*']), + ...getThresholdRuleForAlertTesting(['auditbeat-*']), threshold: { field: 'host.id', value: 100, 
@@ -201,13 +201,13 @@ export default ({ getService }: FtrProviderContext) => { const { previewId } = await previewRule({ supertest, rule }); const previewAlerts = await getPreviewAlerts({ es, previewId }); expect(previewAlerts.length).eql(1); - const fullSignal = previewAlerts[0]._source; - if (!fullSignal) { - return expect(fullSignal).to.be.ok(); + const fullAlert = previewAlerts[0]._source; + if (!fullAlert) { + return expect(fullAlert).to.be.ok(); } - const eventIds = (fullSignal?.[ALERT_ANCESTORS] as Ancestor[]).map((event) => event.id); - expect(fullSignal).eql({ - ...fullSignal, + const eventIds = (fullAlert?.[ALERT_ANCESTORS] as Ancestor[]).map((event) => event.id); + expect(fullAlert).eql({ + ...fullAlert, 'host.id': '8cc95778cce5407c809480e8e32ad76b', [EVENT_KIND]: 'signal', [ALERT_ANCESTORS]: [ @@ -220,8 +220,8 @@ export default ({ getService }: FtrProviderContext) => { ], [ALERT_WORKFLOW_STATUS]: 'open', [ALERT_REASON]: `event created high alert Signal Testing Query.`, - [ALERT_RULE_UUID]: fullSignal[ALERT_RULE_UUID], - [ALERT_ORIGINAL_TIME]: fullSignal[ALERT_ORIGINAL_TIME], + [ALERT_RULE_UUID]: fullAlert[ALERT_RULE_UUID], + [ALERT_ORIGINAL_TIME]: fullAlert[ALERT_ORIGINAL_TIME], [ALERT_DEPTH]: 1, [ALERT_THRESHOLD_RESULT]: { terms: [ @@ -242,9 +242,9 @@ export default ({ getService }: FtrProviderContext) => { }); }); - it('should not generate signals if only one field meets the threshold requirement', async () => { + it('should not generate alerts if only one field meets the threshold requirement', async () => { const rule: ThresholdRuleCreateProps = { - ...getThresholdRuleForSignalTesting(['auditbeat-*']), + ...getThresholdRuleForAlertTesting(['auditbeat-*']), threshold: { field: ['host.id', 'process.name'], value: 22, 
@@ -255,9 +255,9 @@ export default ({ getService }: FtrProviderContext) => { expect(previewAlerts.length).eql(0); }); - it('generates signals from Threshold rules when bucketing by multiple fields', async () => { + it('generates alerts from Threshold rules when bucketing by multiple fields', async () => { const rule: ThresholdRuleCreateProps = { - ...getThresholdRuleForSignalTesting(['auditbeat-*']), + ...getThresholdRuleForAlertTesting(['auditbeat-*']), threshold: { field: ['host.id', 'process.name', 'event.module'], value: 21, @@ -266,13 +266,13 @@ export default ({ getService }: FtrProviderContext) => { const { previewId } = await previewRule({ supertest, rule }); const previewAlerts = await getPreviewAlerts({ es, previewId }); expect(previewAlerts.length).eql(1); - const fullSignal = previewAlerts[0]._source; - if (!fullSignal) { - return expect(fullSignal).to.be.ok(); + const fullAlert = previewAlerts[0]._source; + if (!fullAlert) { + return expect(fullAlert).to.be.ok(); } - const eventIds = (fullSignal[ALERT_ANCESTORS] as Ancestor[]).map((event) => event.id); - expect(fullSignal).eql({ - ...fullSignal, + const eventIds = (fullAlert[ALERT_ANCESTORS] as Ancestor[]).map((event) => event.id); + expect(fullAlert).eql({ + ...fullAlert, 'event.module': 'system', 'host.id': '2ab45fc1c41e4c84bbd02202a7e5761f', 'process.name': 'sshd', @@ -287,8 +287,8 @@ export default ({ getService }: FtrProviderContext) => { ], [ALERT_WORKFLOW_STATUS]: 'open', [ALERT_REASON]: `event with process sshd, created high alert Signal Testing Query.`, - [ALERT_RULE_UUID]: fullSignal[ALERT_RULE_UUID], - [ALERT_ORIGINAL_TIME]: fullSignal[ALERT_ORIGINAL_TIME], + [ALERT_RULE_UUID]: fullAlert[ALERT_RULE_UUID], + [ALERT_ORIGINAL_TIME]: fullAlert[ALERT_ORIGINAL_TIME], [ALERT_DEPTH]: 1, [ALERT_THRESHOLD_RESULT]: { terms: [ 
@@ -314,8 +314,8 @@ export default ({ getService }: FtrProviderContext) => { // https://github.com/elastic/kibana/issues/149920 it('generates 1 alert when threshold is met and rule query has wildcard in field name', async () => { const rule: ThresholdRuleCreateProps = { - ...getThresholdRuleForSignalTesting(['auditbeat-*']), - query: 'agent.ty*:auditbeat', // this query should match all documents from index and we will receive 1 alert, similarly to "generates 1 signal from Threshold rules when threshold is met" test case + ...getThresholdRuleForAlertTesting(['auditbeat-*']), + query: 'agent.ty*:auditbeat', // this query should match all documents from index and we will receive 1 alert, similarly to "generates 1 alert from Threshold rules when threshold is met" test case threshold: { field: ['host.id'], value: 700, @@ -341,7 +341,7 @@ export default ({ getService }: FtrProviderContext) => { it('applies timestamp override when using single field', async () => { const rule: ThresholdRuleCreateProps = { - ...getThresholdRuleForSignalTesting(['timestamp-fallback-test']), + ...getThresholdRuleForAlertTesting(['timestamp-fallback-test']), threshold: { field: 'host.name', value: 1, @@ -369,7 +369,7 @@ export default ({ getService }: FtrProviderContext) => { it('applies timestamp override when using multiple fields', async () => { const rule: ThresholdRuleCreateProps = { - ...getThresholdRuleForSignalTesting(['timestamp-fallback-test']), + ...getThresholdRuleForAlertTesting(['timestamp-fallback-test']), threshold: { field: ['host.name', 'source.ip'], value: 1, @@ -407,7 +407,7 @@ export default ({ getService }: FtrProviderContext) => { it('should be enriched with host risk score', async () => { const rule: ThresholdRuleCreateProps = { - ...getThresholdRuleForSignalTesting(['auditbeat-*']), + ...getThresholdRuleForAlertTesting(['auditbeat-*']), threshold: { field: 'host.name', value: 100, 
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/ignore_fields.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/ignore_fields.ts similarity index 74% rename from x-pack/test/detection_engine_api_integration/security_and_spaces/group10/ignore_fields.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/ignore_fields.ts index 829224b9c6089..347d81c5c7f60 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/ignore_fields.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/ignore_fields.ts @@ -7,16 +7,15 @@ import expect from '@kbn/expect'; -import { FtrProviderContext } from '../../../common/ftr_provider_context'; import { createRule, - createSignalsIndex, + createAlertsIndex, deleteAllRules, deleteAllAlerts, - getEqlRuleForSignalTesting, - getSignalsById, + getEqlRuleForAlertTesting, + getAlertsById, waitForRuleSuccess, - waitForSignalsToBePresent, + waitForAlertsToBePresent, } from '../../utils'; interface Ignore { @@ -26,7 +25,7 @@ interface Ignore { testing_regex?: string; } -// eslint-disable-next-line import/no-default-export +import { FtrProviderContext } from '../../../../ftr_provider_context'; export default ({ getService }: FtrProviderContext): void => { /** * See the config file (detection_engine_api_integration/common/config.ts) for which field values were added to be ignored 
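Review bot: In the second hunk the added `import { FtrProviderContext } from '../../../../ftr_provider_context';` takes the slot of the removed eslint-disable comment and so lands after the `interface Ignore` declaration instead of with the other imports; `import/first` would flag it and it reads as though the import depends on the interface. Move it up beside the `../../utils` import that the first hunk edits. The comment on the following context line, `* See the config file (detection_engine_api_integration/common/config.ts) ...`, still points into the directory this file was just moved out of; if the ignored-field settings now come from this suite's own config, the path should follow (the new config is not visible from here). The default export's body continues past this hunk.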
@@ -47,7 +46,7 @@ export default ({ getService }: FtrProviderContext): void => { * server/lib/detection_engine/signals/source_fields_merging/utils/is_ignored.ts * server/lib/detection_engine/signals/source_fields_merging/utils/is_eql_bug_77152.ts */ - describe('ignore_fields', () => { + describe('@ess @serverless ignore_fields', () => { const supertest = getService('supertest'); const esArchiver = getService('esArchiver'); const log = getService('log'); @@ -62,7 +61,7 @@ export default ({ getService }: FtrProviderContext): void => { }); beforeEach(async () => { - await createSignalsIndex(supertest, log); + await createAlertsIndex(supertest, log); }); afterEach(async () => { @@ -71,13 +70,13 @@ export default ({ getService }: FtrProviderContext): void => { }); it('should ignore the field of "testing_ignored"', async () => { - const rule = getEqlRuleForSignalTesting(['ignore_fields']); + const rule = getEqlRuleForAlertTesting(['ignore_fields']); const { id } = await createRule(supertest, log, rule); await waitForRuleSuccess({ supertest, log, id }); - await waitForSignalsToBePresent(supertest, log, 4, [id]); - const signalsOpen = await getSignalsById(supertest, log, id); - const hits = signalsOpen.hits.hits + await waitForAlertsToBePresent(supertest, log, 4, [id]); + const alertsOpen = await getAlertsById(supertest, log, id); + const hits = alertsOpen.hits.hits .map((hit) => (hit._source as Ignore).testing_ignored) .sort(); 
@@ -86,26 +85,26 @@ export default ({ getService }: FtrProviderContext): void => { }); it('should ignore the field of "testing_regex"', async () => { - const rule = getEqlRuleForSignalTesting(['ignore_fields']); + const rule = getEqlRuleForAlertTesting(['ignore_fields']); const { id } = await createRule(supertest, log, rule); await waitForRuleSuccess({ supertest, log, id }); - await waitForSignalsToBePresent(supertest, log, 4, [id]); - const signalsOpen = await getSignalsById(supertest, log, id); - const hits = signalsOpen.hits.hits.map((hit) => (hit._source as Ignore).testing_regex).sort(); + await waitForAlertsToBePresent(supertest, log, 4, [id]); + const alertsOpen = await getAlertsById(supertest, log, id); + const hits = alertsOpen.hits.hits.map((hit) => (hit._source as Ignore).testing_regex).sort(); // Value should be "undefined for all records" expect(hits).to.eql([undefined, undefined, undefined, undefined]); }); it('should have the field of "normal_constant"', async () => { - const rule = getEqlRuleForSignalTesting(['ignore_fields']); + const rule = getEqlRuleForAlertTesting(['ignore_fields']); const { id } = await createRule(supertest, log, rule); await waitForRuleSuccess({ supertest, log, id }); - await waitForSignalsToBePresent(supertest, log, 4, [id]); - const signalsOpen = await getSignalsById(supertest, log, id); - const hits = signalsOpen.hits.hits + await waitForAlertsToBePresent(supertest, log, 4, [id]); + const alertsOpen = await getAlertsById(supertest, log, id); + const hits = alertsOpen.hits.hits .map((hit) => (hit._source as Ignore).normal_constant) .sort(); 
@@ -115,13 +114,13 @@ export default ({ getService }: FtrProviderContext): void => { // TODO: Remove this test once https://github.com/elastic/elasticsearch/issues/77152 is fixed it('should ignore the field of "_ignored" when using EQL and index the data', async () => { - const rule = getEqlRuleForSignalTesting(['ignore_fields']); + const rule = getEqlRuleForAlertTesting(['ignore_fields']); const { id } = await createRule(supertest, log, rule); await waitForRuleSuccess({ supertest, log, id }); - await waitForSignalsToBePresent(supertest, log, 4, [id]); - const signalsOpen = await getSignalsById(supertest, log, id); - const hits = signalsOpen.hits.hits.map((hit) => (hit._source as Ignore).small_field).sort(); + await waitForAlertsToBePresent(supertest, log, 4, [id]); + const alertsOpen = await getAlertsById(supertest, log, id); + const hits = alertsOpen.hits.hits.map((hit) => (hit._source as Ignore).small_field).sort(); // We just test a constant value to ensure this did not blow up on us and did index data. expect(hits).to.eql([ diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/index.ts index 53361749d1d1a..cc0e7279ad35a 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/index.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/index.ts 
@@ -10,5 +10,9 @@ import { FtrProviderContext } from '../../../../ftr_provider_context'; export default function ({ loadTestFile }: FtrProviderContext) { describe('Rule execution logic API', function () { loadTestFile(require.resolve('./keyword_family')); + loadTestFile(require.resolve('./ignore_fields')); + loadTestFile(require.resolve('./runtime')); + loadTestFile(require.resolve('./timestamps')); + loadTestFile(require.resolve('./execution_logic')); }); } diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/runtime.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/runtime.ts similarity index 70% rename from x-pack/test/detection_engine_api_integration/security_and_spaces/group10/runtime.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/runtime.ts index 83c988c5ff9fd..030f2eafd6a1e 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/runtime.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/runtime.ts @@ -8,19 +8,18 @@ import expect from '@kbn/expect'; import { performance } from 'perf_hooks'; -import { FtrProviderContext } from '../../common/ftr_provider_context'; import { createRule, - createSignalsIndex, + createAlertsIndex, deleteAllRules, deleteAllAlerts, - getRuleForSignalTesting, - getSignalsById, + getRuleForAlertTesting, + getAlertsById, waitForRuleSuccess, - waitForSignalsToBePresent, + waitForAlertsToBePresent, } from '../../utils'; +import { FtrProviderContext } from '../../../../ftr_provider_context'; -// eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext) => { const supertest = getService('supertest'); const esArchiver = getService('esArchiver'); 
@@ -33,7 +32,7 @@ export default ({ getService }: FtrProviderContext) => { } // FAILING ES PROMOTION: https://github.com/elastic/kibana/issues/138923 - describe('Tests involving runtime fields of source indexes and the signals index', () => { + describe('@ess @serverless Tests involving runtime fields of source indexes and the alerts index', () => { before(async () => { await esArchiver.load('x-pack/test/functional/es_archives/security_solution/runtime'); }); @@ -44,7 +43,7 @@ export default ({ getService }: FtrProviderContext) => { describe('Regular runtime field mappings', () => { beforeEach(async () => { - await createSignalsIndex(supertest, log); + await createAlertsIndex(supertest, log); }); afterEach(async () => { @@ -53,7 +52,7 @@ export default ({ getService }: FtrProviderContext) => { }); it('should execute a rule to completion and not timeout when there are a lot of runtime fields', async () => { - const rule = getRuleForSignalTesting(['runtime']); + const rule = getRuleForAlertTesting(['runtime']); const { id } = await createRule(supertest, log, rule); const start = performance.now(); await waitForRuleSuccess({ supertest, log, id }); 
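Review bot: The `@serverless` tag added to the describe in the first hunk also puts `'should execute a rule to completion and not timeout when there are a lot of runtime fields'` (third hunk) on the serverless target, and that test is decided by wall-clock time — the `expect(end - start).to.be.lessThan(10000)` just past this hunk. Nothing in the diff shows what rule-execution latency looks like on the serverless config, so the 10 s bound is presumably untested there; it may be worth confirming before this lands rather than after it starts flaking. The `// FAILING ES PROMOTION: https://github.com/elastic/kibana/issues/138923` comment kept above the describe also reads as stale once the suite is tagged for both targets, if the linked issue is resolved. The describe opened here continues past this hunk.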
@@ -61,26 +60,26 @@ export default ({ getService }: FtrProviderContext) => { expect(end - start).to.be.lessThan(10000); }); - it('should copy normal non-runtime data set from the source index into the signals index in the same position when the target is ECS compatible', async () => { - const rule = getRuleForSignalTesting(['runtime']); + it('should copy normal non-runtime data set from the source index into the alerts index in the same position when the target is ECS compatible', async () => { + const rule = getRuleForAlertTesting(['runtime']); const { id } = await createRule(supertest, log, rule); await waitForRuleSuccess({ supertest, log, id }); - await waitForSignalsToBePresent(supertest, log, 4, [id]); - const signalsOpen = await getSignalsById(supertest, log, id); - const hits = signalsOpen.hits.hits - .map((signal) => (signal._source?.host as Runtime).name) + await waitForAlertsToBePresent(supertest, log, 4, [id]); + const alertsOpen = await getAlertsById(supertest, log, id); + const hits = alertsOpen.hits.hits + .map((alert) => (alert._source?.host as Runtime).name) .sort(); expect(hits).to.eql(['host name 1', 'host name 2', 'host name 3', 'host name 4']); }); - it('should copy "runtime mapping" data from a source index into the signals index in the same position when the target is ECS compatible', async () => { - const rule = getRuleForSignalTesting(['runtime']); + it('should copy "runtime mapping" data from a source index into the alerts index in the same position when the target is ECS compatible', async () => { + const rule = getRuleForAlertTesting(['runtime']); const { id } = await createRule(supertest, log, rule); await waitForRuleSuccess({ supertest, log, id }); - await waitForSignalsToBePresent(supertest, log, 4, [id]); - const signalsOpen = await getSignalsById(supertest, log, id); - const hits = signalsOpen.hits.hits - .map((signal) => (signal._source?.host as Runtime).hostname) + await waitForAlertsToBePresent(supertest, log, 4, [id]); + const 
alertsOpen = await getAlertsById(supertest, log, id); + const hits = alertsOpen.hits.hits + .map((alert) => (alert._source?.host as Runtime).hostname) .sort(); expect(hits).to.eql(['host name 1', 'host name 2', 'host name 3', 'host name 4']); }); @@ -88,7 +87,7 @@ export default ({ getService }: FtrProviderContext) => { describe('Runtime field mappings that have conflicts within them', () => { beforeEach(async () => { - await createSignalsIndex(supertest, log); + await createAlertsIndex(supertest, log); await esArchiver.load( 'x-pack/test/functional/es_archives/security_solution/runtime_conflicting_fields' ); 
@@ -107,14 +106,14 @@ export default ({ getService }: FtrProviderContext) => { * risk with overwriting fields in the strategy we are currently using in detection engine. If you swap, change the strategies * because we decide to overwrite "_source" values with "fields", then expect to change this test. */ - it('should NOT copy normal non-runtime data set from the source index into the signals index in the same position when the target is ECS compatible', async () => { - const rule = getRuleForSignalTesting(['runtime_conflicting_fields']); + it('should NOT copy normal non-runtime data set from the source index into the alerts index in the same position when the target is ECS compatible', async () => { + const rule = getRuleForAlertTesting(['runtime_conflicting_fields']); const { id } = await createRule(supertest, log, rule); await waitForRuleSuccess({ supertest, log, id }); - await waitForSignalsToBePresent(supertest, log, 4, [id]); - const signalsOpen = await getSignalsById(supertest, log, id); - const hits = signalsOpen.hits.hits - .map((signal) => signal._source?.host as Array<{ name: string }>) + await waitForAlertsToBePresent(supertest, log, 4, [id]); + const alertsOpen = await getAlertsById(supertest, log, id); + const hits = alertsOpen.hits.hits + .map((alert) => alert._source?.host as Array<{ name: string }>) .map((host) => { // sort the inner array elements first return host.sort((a, b) => a.name.localeCompare(b.name)); 
@@ -164,15 +163,13 @@ export default ({ getService }: FtrProviderContext) => { * fields as arrays of objects since the objects are flattened in "fields" and we detect something already there so we skip * this shadowed runtime data as it is ambiguous of where we would put it in the array. */ - it('should NOT copy "runtime mapping" data from a source index into the signals index in the same position when the target is ECS compatible', async () => { - const rule = getRuleForSignalTesting(['runtime_conflicting_fields']); + it('should NOT copy "runtime mapping" data from a source index into the alerts index in the same position when the target is ECS compatible', async () => { + const rule = getRuleForAlertTesting(['runtime_conflicting_fields']); const { id } = await createRule(supertest, log, rule); await waitForRuleSuccess({ supertest, log, id }); - await waitForSignalsToBePresent(supertest, log, 4, [id]); - const signalsOpen = await getSignalsById(supertest, log, id); - const hits = signalsOpen.hits.hits.map( - (signal) => (signal._source?.host as Runtime).hostname - ); + await waitForAlertsToBePresent(supertest, log, 4, [id]); + const alertsOpen = await getAlertsById(supertest, log, id); + const hits = alertsOpen.hits.hits.map((alert) => (alert._source?.host as Runtime).hostname); expect(hits).to.eql([undefined, undefined, undefined, undefined]); }); }); diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/timestamps.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/timestamps.ts similarity index 59% rename from x-pack/test/detection_engine_api_integration/security_and_spaces/group10/timestamps.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/timestamps.ts index ef27b7c7ff4bd..7897ab6612e51 100644 
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/timestamps.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/timestamps.ts @@ -14,22 +14,21 @@ import { } from '@kbn/security-solution-plugin/common/api/detection_engine'; import { ALERT_ORIGINAL_TIME } from '@kbn/security-solution-plugin/common/field_maps/field_names'; -import { FtrProviderContext } from '../../common/ftr_provider_context'; import { - createSignalsIndex, + createAlertsIndex, deleteAllRules, deleteAllAlerts, createRule, waitForRuleSuccess, - waitForSignalsToBePresent, - getOpenSignals, - getRuleForSignalTesting, - getSignalsByIds, - getEqlRuleForSignalTesting, + waitForAlertsToBePresent, + getOpenAlerts, + getRuleForAlertTesting, + getAlertsByIds, + getEqlRuleForAlertTesting, waitForRulePartialFailure, } from '../../utils'; +import { FtrProviderContext } from '../../../../ftr_provider_context'; -// eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext) => { const supertest = getService('supertest'); const esArchiver = getService('esArchiver'); 
@@ -37,14 +36,14 @@ export default ({ getService }: FtrProviderContext) => { const log = getService('log'); /** - * Tests around timestamps within signals such as the copying of timestamps correctly into - * the "signal.original_time" field, ensuring that timestamp overrides operate, and ensuring that + * Tests around timestamps within alerts such as the copying of timestamps correctly into + * the "alert.original_time" field, ensuring that timestamp overrides operate, and ensuring that * partial errors happen correctly */ - describe('timestamp tests', () => { - describe('Signals generated from events with a timestamp in seconds is converted correctly into the forced ISO8601 format when copying', () => { + describe('@ess @serverless timestamp tests', () => { + describe('alerts generated from events with a timestamp in seconds is converted correctly into the forced ISO8601 format when copying', () => { beforeEach(async () => { - await createSignalsIndex(supertest, log); + await createAlertsIndex(supertest, log); await esArchiver.load( 'x-pack/test/functional/es_archives/security_solution/timestamp_in_seconds' ); 
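Review bot: The rewritten doc comment in this hunk now says timestamps are copied into the `"alert.original_time"` field, but the tests below assert on the imported `ALERT_ORIGINAL_TIME` constant and nothing on this page shows a field literally named `alert.original_time`; a signal→alert search-and-replace in prose can invent a field that does not exist. Naming the constant keeps the comment true regardless of the underlying mapping: `* the ALERT_ORIGINAL_TIME field, ensuring that timestamp overrides operate, and ensuring that`. The describe opened in this hunk continues past it.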
@@ -66,58 +65,50 @@ export default ({ getService }: FtrProviderContext) => { describe('KQL query', () => { it('should convert the @timestamp which is epoch_seconds into the correct ISO format', async () => { - const rule = getRuleForSignalTesting(['timestamp_in_seconds']); + const rule = getRuleForAlertTesting(['timestamp_in_seconds']); const { id } = await createRule(supertest, log, rule); await waitForRuleSuccess({ supertest, log, id }); - await waitForSignalsToBePresent(supertest, log, 1, [id]); - const signalsOpen = await getSignalsByIds(supertest, log, [id]); - const hits = signalsOpen.hits.hits - .map((hit) => hit._source?.[ALERT_ORIGINAL_TIME]) - .sort(); + await waitForAlertsToBePresent(supertest, log, 1, [id]); + const alertsOpen = await getAlertsByIds(supertest, log, [id]); + const hits = alertsOpen.hits.hits.map((hit) => hit._source?.[ALERT_ORIGINAL_TIME]).sort(); expect(hits).to.eql(['2021-06-02T23:33:15.000Z']); }); it('should still use the @timestamp field even with an override field. 
It should never use the override field', async () => { const rule: QueryRuleCreateProps = { - ...getRuleForSignalTesting(['myfakeindex-5']), + ...getRuleForAlertTesting(['myfakeindex-5']), timestamp_override: 'event.ingested', }; const { id } = await createRule(supertest, log, rule); await waitForRuleSuccess({ supertest, log, id }); - await waitForSignalsToBePresent(supertest, log, 1, [id]); - const signalsOpen = await getSignalsByIds(supertest, log, [id]); - const hits = signalsOpen.hits.hits - .map((hit) => hit._source?.[ALERT_ORIGINAL_TIME]) - .sort(); + await waitForAlertsToBePresent(supertest, log, 1, [id]); + const alertsOpen = await getAlertsByIds(supertest, log, [id]); + const hits = alertsOpen.hits.hits.map((hit) => hit._source?.[ALERT_ORIGINAL_TIME]).sort(); expect(hits).to.eql(['2020-12-16T15:16:18.000Z']); }); }); describe('EQL query', () => { it('should convert the @timestamp which is epoch_seconds into the correct ISO format for EQL', async () => { - const rule = getEqlRuleForSignalTesting(['timestamp_in_seconds']); + const rule = getEqlRuleForAlertTesting(['timestamp_in_seconds']); const { id } = await createRule(supertest, log, rule); await waitForRuleSuccess({ supertest, log, id }); - await waitForSignalsToBePresent(supertest, log, 1, [id]); - const signalsOpen = await getSignalsByIds(supertest, log, [id]); - const hits = signalsOpen.hits.hits - .map((hit) => hit._source?.[ALERT_ORIGINAL_TIME]) - .sort(); + await waitForAlertsToBePresent(supertest, log, 1, [id]); + const alertsOpen = await getAlertsByIds(supertest, log, [id]); + const hits = alertsOpen.hits.hits.map((hit) => hit._source?.[ALERT_ORIGINAL_TIME]).sort(); expect(hits).to.eql(['2021-06-02T23:33:15.000Z']); }); it('should still use the @timestamp field even with an override field. 
It should never use the override field', async () => { const rule: EqlRuleCreateProps = { - ...getEqlRuleForSignalTesting(['myfakeindex-5']), + ...getEqlRuleForAlertTesting(['myfakeindex-5']), timestamp_override: 'event.ingested', }; const { id } = await createRule(supertest, log, rule); await waitForRuleSuccess({ supertest, log, id }); - await waitForSignalsToBePresent(supertest, log, 1, [id]); - const signalsOpen = await getSignalsByIds(supertest, log, [id]); - const hits = signalsOpen.hits.hits - .map((hit) => hit._source?.[ALERT_ORIGINAL_TIME]) - .sort(); + await waitForAlertsToBePresent(supertest, log, 1, [id]); + const alertsOpen = await getAlertsByIds(supertest, log, [id]); + const hits = alertsOpen.hits.hits.map((hit) => hit._source?.[ALERT_ORIGINAL_TIME]).sort(); expect(hits).to.eql(['2020-12-16T15:16:18.000Z']); }); }); @@ -129,10 +120,10 @@ export default ({ getService }: FtrProviderContext) => { * If no timestamp override field exists in the indices but one was provided to the rule, * the rule's query will additionally search for events using the `@timestamp` field */ - describe('Signals generated from events with timestamp override field', async () => { + describe('alerts generated from events with timestamp override field', async () => { beforeEach(async () => { await deleteAllAlerts(supertest, log, es); - await createSignalsIndex(supertest, log); + await createAlertsIndex(supertest, log); await esArchiver.load( 'x-pack/test/functional/es_archives/security_solution/timestamp_override_1' ); 
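Review bot: `describe('alerts generated from events with timestamp override field', async () => {` in the last hunk keeps `async` on a suite callback; mocha registers suites synchronously and ignores the returned promise, so the modifier does nothing and invites a future `await` that will never be honoured. Drop it: `describe('alerts generated from events with timestamp override field', () => {`. The same line also lowercases the first word while the sibling describes on this page start capitalised, which is harmless but inconsistent. The suite body continues past this hunk.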
@@ -165,9 +156,9 @@ export default ({ getService }: FtrProviderContext) => { }); describe('KQL', () => { - it('should generate signals with event.ingested, @timestamp and (event.ingested + timestamp)', async () => { + it('should generate alerts with event.ingested, @timestamp and (event.ingested + timestamp)', async () => { const rule: QueryRuleCreateProps = { - ...getRuleForSignalTesting(['myfa*']), + ...getRuleForAlertTesting(['myfa*']), timestamp_override: 'event.ingested', }; @@ -178,17 +169,17 @@ export default ({ getService }: FtrProviderContext) => { log, id, }); - await waitForSignalsToBePresent(supertest, log, 3, [id]); - const signalsResponse = await getSignalsByIds(supertest, log, [id], 3); - const signals = signalsResponse.hits.hits.map((hit) => hit._source); - const signalsOrderedByEventId = orderBy(signals, 'signal.parent.id', 'asc'); + await waitForAlertsToBePresent(supertest, log, 3, [id]); + const alertsResponse = await getAlertsByIds(supertest, log, [id], 3); + const alerts = alertsResponse.hits.hits.map((hit) => hit._source); + const alertsOrderedByEventId = orderBy(alerts, 'alert.parent.id', 'asc'); - expect(signalsOrderedByEventId.length).equal(3); + expect(alertsOrderedByEventId.length).equal(3); }); - it('should generate 2 signals with event.ingested when timestamp fallback is disabled', async () => { + it('should generate 2 alerts with event.ingested when timestamp fallback is disabled', async () => { const rule: QueryRuleCreateProps = { - ...getRuleForSignalTesting(['myfa*']), + ...getRuleForAlertTesting(['myfa*']), rule_id: 'rule-without-timestamp-fallback', timestamp_override: 'event.ingested', timestamp_override_fallback_disabled: true, 
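Review bot: The rename in the hunk at -178 turned the `orderBy` field path `'signal.parent.id'` into `'alert.parent.id'`, which is a runtime document path rather than an identifier, and nothing on the page shows that an `alert.parent.id` field exists on the alert documents; `alertsOrderedByEventId` is therefore presumably in source order, and only its `.length` is asserted, which is why the test still passes. If the intent is to order by the parent event, the path should come from the alert schema constants (the ancestors field) instead of a literal; if the order is irrelevant, drop the `orderBy` and assert on the mapped array directly, e.g. `expect(alerts.length).equal(3);`. The same literal is introduced in the hunks at -201, -219, -239, -300 and -320. The enclosing `describe` block starts and ends outside this hunk.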
@@ -201,16 +192,16 @@ export default ({ getService }: FtrProviderContext) => { log, id, }); - await waitForSignalsToBePresent(supertest, log, 2, [id]); - const signalsResponse = await getSignalsByIds(supertest, log, [id], 2); - const signals = signalsResponse.hits.hits.map((hit) => hit._source); - const signalsOrderedByEventId = orderBy(signals, 'signal.parent.id', 'asc'); + await waitForAlertsToBePresent(supertest, log, 2, [id]); + const alertsResponse = await getAlertsByIds(supertest, log, [id], 2); + const alerts = alertsResponse.hits.hits.map((hit) => hit._source); + const alertsOrderedByEventId = orderBy(alerts, 'alert.parent.id', 'asc'); - expect(signalsOrderedByEventId.length).equal(2); + expect(alertsOrderedByEventId.length).equal(2); }); - it('should generate 2 signals with @timestamp', async () => { - const rule: QueryRuleCreateProps = getRuleForSignalTesting(['myfa*']); + it('should generate 2 alerts with @timestamp', async () => { + const rule: QueryRuleCreateProps = getRuleForAlertTesting(['myfa*']); const { id } = await createRule(supertest, log, rule); 
@@ -219,17 +210,17 @@ export default ({ getService }: FtrProviderContext) => { log, id, }); - await waitForSignalsToBePresent(supertest, log, 2, [id]); - const signalsResponse = await getSignalsByIds(supertest, log, [id]); - const signals = signalsResponse.hits.hits.map((hit) => hit._source); - const signalsOrderedByEventId = orderBy(signals, 'signal.parent.id', 'asc'); + await waitForAlertsToBePresent(supertest, log, 2, [id]); + const alertsResponse = await getAlertsByIds(supertest, log, [id]); + const alerts = alertsResponse.hits.hits.map((hit) => hit._source); + const alertsOrderedByEventId = orderBy(alerts, 'alert.parent.id', 'asc'); - expect(signalsOrderedByEventId.length).equal(2); + expect(alertsOrderedByEventId.length).equal(2); }); - it('should generate 2 signals when timestamp override does not exist', async () => { + it('should generate 2 alerts when timestamp override does not exist', async () => { const rule: QueryRuleCreateProps = { - ...getRuleForSignalTesting(['myfa*']), + ...getRuleForAlertTesting(['myfa*']), timestamp_override: 'event.fakeingestfield', }; const { id } = await createRule(supertest, log, rule); 
@@ -239,50 +230,50 @@ export default ({ getService }: FtrProviderContext) => { log, id, }); - await waitForSignalsToBePresent(supertest, log, 2, [id]); - const signalsResponse = await getSignalsByIds(supertest, log, [id, id]); - const signals = signalsResponse.hits.hits.map((hit) => hit._source); - const signalsOrderedByEventId = orderBy(signals, 'signal.parent.id', 'asc'); + await waitForAlertsToBePresent(supertest, log, 2, [id]); + const alertsResponse = await getAlertsByIds(supertest, log, [id, id]); + const alerts = alertsResponse.hits.hits.map((hit) => hit._source); + const alertsOrderedByEventId = orderBy(alerts, 'alert.parent.id', 'asc'); - expect(signalsOrderedByEventId.length).equal(2); + expect(alertsOrderedByEventId.length).equal(2); }); - it('should not generate any signals when timestamp override does not exist and timestamp fallback is disabled', async () => { + it('should not generate any alerts when timestamp override does not exist and timestamp fallback is disabled', async () => { const rule: QueryRuleCreateProps = { - ...getRuleForSignalTesting(['myfa*']), + ...getRuleForAlertTesting(['myfa*']), rule_id: 'rule-without-timestamp-fallback', timestamp_override: 'event.fakeingestfield', timestamp_override_fallback_disabled: true, }; const createdRule = await createRule(supertest, log, rule); - const signalsOpen = await getOpenSignals( + const alertsOpen = await getOpenAlerts( supertest, log, es, createdRule, RuleExecutionStatusEnum['partial failure'] ); - expect(signalsOpen.hits.hits.length).eql(0); + expect(alertsOpen.hits.hits.length).eql(0); }); /** * We should not use the timestamp override as the "original_time" as that can cause * confusion if you have both a timestamp and an override in the source event. Instead the "original_time" - * field should only be overridden by the "timestamp" since when we generate a signal - * and we add a new timestamp to the signal. 
+ * field should only be overridden by the "timestamp" since when we generate a alert + * and we add a new timestamp to the alert. */ it('should NOT use the timestamp override as the "original_time"', async () => { const rule: QueryRuleCreateProps = { - ...getRuleForSignalTesting(['myfakeindex-2']), + ...getRuleForAlertTesting(['myfakeindex-2']), timestamp_override: 'event.ingested', }; const { id } = await createRule(supertest, log, rule); await waitForRuleSuccess({ supertest, log, id }); - await waitForSignalsToBePresent(supertest, log, 1, [id]); - const signalsResponse = await getSignalsByIds(supertest, log, [id, id]); - const hits = signalsResponse.hits.hits + await waitForAlertsToBePresent(supertest, log, 1, [id]); + const alertsResponse = await getAlertsByIds(supertest, log, [id, id]); + const hits = alertsResponse.hits.hits .map((hit) => hit._source?.[ALERT_ORIGINAL_TIME]) .sort(); expect(hits).to.eql([undefined]); @@ -290,8 +281,8 @@ export default ({ getService }: FtrProviderContext) => { }); describe('EQL', () => { - it('should generate 2 signals with @timestamp', async () => { - const rule: EqlRuleCreateProps = getEqlRuleForSignalTesting(['myfa*']); + it('should generate 2 alerts with @timestamp', async () => { + const rule: EqlRuleCreateProps = getEqlRuleForAlertTesting(['myfa*']); const { id } = await createRule(supertest, log, rule); 
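Review bot: The rewritten doc comment in the hunk at -239 reads `when we generate a alert`; it should be `when we generate an alert`, matching the corrected `to the alert` on the following line. In the same test, `getAlertsByIds(supertest, log, [id, id])` passes the rule id twice, carried over from the old line; the sibling tests pass `[id]`, and `const alertsResponse = await getAlertsByIds(supertest, log, [id]);` reads as what was intended. The enclosing `describe` block continues outside the hunk.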
@@ -300,17 +291,17 @@ export default ({ getService }: FtrProviderContext) => { log, id, }); - await waitForSignalsToBePresent(supertest, log, 2, [id]); - const signalsResponse = await getSignalsByIds(supertest, log, [id]); - const signals = signalsResponse.hits.hits.map((hit) => hit._source); - const signalsOrderedByEventId = orderBy(signals, 'signal.parent.id', 'asc'); + await waitForAlertsToBePresent(supertest, log, 2, [id]); + const alertsResponse = await getAlertsByIds(supertest, log, [id]); + const alerts = alertsResponse.hits.hits.map((hit) => hit._source); + const alertsOrderedByEventId = orderBy(alerts, 'alert.parent.id', 'asc'); - expect(signalsOrderedByEventId.length).equal(2); + expect(alertsOrderedByEventId.length).equal(2); }); - it('should generate 2 signals when timestamp override does not exist', async () => { + it('should generate 2 alerts when timestamp override does not exist', async () => { const rule: EqlRuleCreateProps = { - ...getEqlRuleForSignalTesting(['myfa*']), + ...getEqlRuleForAlertTesting(['myfa*']), timestamp_override: 'event.fakeingestfield', }; const { id } = await createRule(supertest, log, rule); 
@@ -320,34 +311,34 @@ export default ({ getService }: FtrProviderContext) => { log, id, }); - await waitForSignalsToBePresent(supertest, log, 2, [id]); - const signalsResponse = await getSignalsByIds(supertest, log, [id, id]); - const signals = signalsResponse.hits.hits.map((hit) => hit._source); - const signalsOrderedByEventId = orderBy(signals, 'signal.parent.id', 'asc'); + await waitForAlertsToBePresent(supertest, log, 2, [id]); + const alertsResponse = await getAlertsByIds(supertest, log, [id, id]); + const alerts = alertsResponse.hits.hits.map((hit) => hit._source); + const alertsOrderedByEventId = orderBy(alerts, 'alert.parent.id', 'asc'); - expect(signalsOrderedByEventId.length).equal(2); + expect(alertsOrderedByEventId.length).equal(2); }); - it('should not generate any signals when timestamp override does not exist and timestamp fallback is disabled', async () => { + it('should not generate any alerts when timestamp override does not exist and timestamp fallback is disabled', async () => { const rule: EqlRuleCreateProps = { - ...getEqlRuleForSignalTesting(['myfa*']), + ...getEqlRuleForAlertTesting(['myfa*']), timestamp_override: 'event.fakeingestfield', timestamp_override_fallback_disabled: true, }; const createdRule = await createRule(supertest, log, rule); - const signalsOpen = await getOpenSignals( + const alertsOpen = await getOpenAlerts( supertest, log, es, createdRule, RuleExecutionStatusEnum['partial failure'] ); - expect(signalsOpen.hits.hits.length).eql(0); + expect(alertsOpen.hits.hits.length).eql(0); }); }); }); - describe('Signals generated from events with timestamp override field and ensures search_after continues to work when documents are missing timestamp override field', () => { + describe('alerts generated from events with timestamp override field and ensures search_after continues to work when documents are missing timestamp override field', () => { before(async () => { await 
esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts'); }); @@ -357,7 +348,7 @@ export default ({ getService }: FtrProviderContext) => { }); beforeEach(async () => { - await createSignalsIndex(supertest, log); + await createAlertsIndex(supertest, log); }); afterEach(async () => { @@ -377,9 +368,9 @@ export default ({ getService }: FtrProviderContext) => { * * ref: https://github.com/elastic/elasticsearch/issues/28806#issuecomment-369303620 */ - it('should generate 200 signals when timestamp override does not exist', async () => { + it('should generate 200 alerts when timestamp override does not exist', async () => { const rule: QueryRuleCreateProps = { - ...getRuleForSignalTesting(['auditbeat-*']), + ...getRuleForAlertTesting(['auditbeat-*']), timestamp_override: 'event.fakeingested', max_signals: 200, }; @@ -390,11 +381,11 @@ export default ({ getService }: FtrProviderContext) => { log, id, }); - await waitForSignalsToBePresent(supertest, log, 200, [id]); - const signalsResponse = await getSignalsByIds(supertest, log, [id], 200); - const signals = signalsResponse.hits.hits.map((hit) => hit._source); + await waitForAlertsToBePresent(supertest, log, 200, [id]); + const alertsResponse = await getAlertsByIds(supertest, log, [id], 200); + const alerts = alertsResponse.hits.hits.map((hit) => hit._source); - expect(signals.length).equal(200); + expect(alerts.length).equal(200); }); }); }); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/alerts/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/alerts/index.ts index 5c698b24d5ba9..975c6ffa509cc 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/alerts/index.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/alerts/index.ts 
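Review bot: `max_signals: 200` in the hunk at -377 is the rule API property and correctly keeps its name while the surrounding identifiers move from signals to alerts; a one-line comment on that line, `// max_signals is the public rule schema field; not part of the signals -> alerts rename`, would stop the next mechanical sweep from touching it. The same hunk uses `timestamp_override: 'event.fakeingested'` where the earlier tests use `'event.fakeingestfield'`; both are presumably meant as non-existent fields, but one spelling would make that intent clearer. The enclosing `describe` block continues outside the hunk.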
@@ -14,7 +14,7 @@ export * from './get_open_alerts'; export * from './get_alerts_by_ids'; export * from './get_query_alerts_ids'; export * from './get_alerts_by_id'; -export * from './remove_random_valued_properties'; +export * from './remove_random_valued_properties_from_alert'; export * from './set_alert_status'; export * from './get_alert_status_empty_response'; export * from './get_query_alert_ids'; diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/alerts/remove_random_valued_properties.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/alerts/remove_random_valued_properties_from_alert.ts similarity index 90% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/alerts/remove_random_valued_properties.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/alerts/remove_random_valued_properties_from_alert.ts index 8530c085e1a5d..e0c3fc4f4dbf6 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/alerts/remove_random_valued_properties.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/alerts/remove_random_valued_properties_from_alert.ts @@ -8,7 +8,7 @@ import { DetectionAlert } from '@kbn/security-solution-plugin/common/api/detection_engine'; import { ALERT_LAST_DETECTED, ALERT_START } from '@kbn/rule-data-utils'; -export const removeRandomValuedProperties = (alert: DetectionAlert | undefined) => { +export const removeRandomValuedPropertiesFromAlert = (alert: DetectionAlert | undefined) => { if (!alert) { return undefined; } diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/index.ts index 2cbae9b7973c3..16a17f2fe6136 100644 
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/index.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/index.ts
@@ -22,4 +22,3 @@ export * from './update_username';
 export * from './refresh_index';
 export * from './wait_for';
 export * from './wait_for_index_to_populate';
-export * from './remove_random_valued_properties';
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/remove_random_valued_properties.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/remove_random_valued_properties.ts
deleted file mode 100644
index 8530c085e1a5d..0000000000000
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/remove_random_valued_properties.ts
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { DetectionAlert } from '@kbn/security-solution-plugin/common/api/detection_engine';
-import { ALERT_LAST_DETECTED, ALERT_START } from '@kbn/rule-data-utils';
-
-export const removeRandomValuedProperties = (alert: DetectionAlert | undefined) => {
- if (!alert) {
- return undefined;
- }
- const {
- 'kibana.version': version,
- 'kibana.alert.rule.execution.uuid': execUuid,
- 'kibana.alert.rule.uuid': uuid,
- '@timestamp': timestamp,
- 'kibana.alert.rule.created_at': createdAt,
- 'kibana.alert.rule.updated_at': updatedAt,
- 'kibana.alert.uuid': alertUuid,
- [ALERT_START]: alertStart,
- [ALERT_LAST_DETECTED]: lastDetected,
- ...restOfAlert
- } = alert;
- return restOfAlert;
-};
From ae3218e2457a5942fccc25d3a07eeb50140b7d33 Mon Sep 17 00:00:00 2001
From: wafaanasr
Date: Thu, 9 Nov 2023 18:14:18 +0100
Subject: [PATCH 09/23] add comma
---
 x-pack/test/security_solution_api_integration/tsconfig.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/test/security_solution_api_integration/tsconfig.json b/x-pack/test/security_solution_api_integration/tsconfig.json
index f603a64557b02..e740ef6f03f89 100644
--- a/x-pack/test/security_solution_api_integration/tsconfig.json
+++ b/x-pack/test/security_solution_api_integration/tsconfig.json
@@ -31,7 +31,7 @@
 "@kbn/core",
 "@kbn/alerting-plugin",
 "@kbn/securitysolution-ecs",
- "@kbn/securitysolution-rules"
+ "@kbn/securitysolution-rules",
 "@kbn/core-http-common",
 "@kbn/securitysolution-ecs"
 ]
From d9e187e2cab22926a60d6cf4788d1469fe5eff29 Mon Sep 17 00:00:00 2001
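Review bot: With the comma restored, the references array in the hunk at -31 still lists `"@kbn/securitysolution-ecs"` twice, once above the changed line and once after `"@kbn/core-http-common"`; removing one of the two entries would leave the list clean. Whether the rest of the array outside the hunk has further duplicates is not visible here.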
From: wafaanasr Date: Fri, 10 Nov 2023 15:25:00 +0100 Subject: [PATCH 10/23] run some tests in serverless --- .../security_solution/runtime/mappings.json | 1 - .../runtime_conflicting_fields/mappings.json | 1 - .../timestamp_in_seconds/mappings.json | 1 - .../timestamp_override_5/mappings.json | 1 - .../timestamp_override_6/mappings.json | 1 - .../filebeat/threat_intel/data.json | 418 ++++++++++++++++++ .../filebeat/threat_intel/mappings.json | 240 ++++++++++ .../alerts/alerts_compatibility.ts | 8 +- .../execution_logic/eql.ts | 19 +- .../execution_logic/esql.ts | 2 +- .../execution_logic/index.ts | 4 +- .../execution_logic/machine_learning.ts | 11 +- .../execution_logic/new_terms.ts | 19 +- .../execution_logic/query.ts | 2 +- .../execution_logic/saved_query.ts | 10 +- .../execution_logic/threat_match.ts | 30 +- .../execution_logic/threshold.ts | 16 +- .../rule_execution_logic/index.ts | 1 + .../rule_execution_logic/timestamps.ts | 13 +- .../utils/rules/get_rule_for_alert_testing.ts | 2 +- ...r_alert_testing_with_timestamp_override.ts | 2 +- .../utils/rules/preview_rule.ts | 1 + 22 files changed, 750 insertions(+), 53 deletions(-) create mode 100644 x-pack/test/security_solution_api_integration/es_archive/serverless/filebeat/threat_intel/data.json create mode 100644 x-pack/test/security_solution_api_integration/es_archive/serverless/filebeat/threat_intel/mappings.json diff --git a/x-pack/test/functional/es_archives/security_solution/runtime/mappings.json b/x-pack/test/functional/es_archives/security_solution/runtime/mappings.json index fd3f30f2a2129..e0adb6cb55742 100644 --- a/x-pack/test/functional/es_archives/security_solution/runtime/mappings.json +++ b/x-pack/test/functional/es_archives/security_solution/runtime/mappings.json @@ -7027,7 +7027,6 @@ }, "settings": { "index": { - "refresh_interval": "1s", "number_of_replicas": "1", "number_of_shards": "1", "mapping": { 
diff --git a/x-pack/test/functional/es_archives/security_solution/runtime_conflicting_fields/mappings.json b/x-pack/test/functional/es_archives/security_solution/runtime_conflicting_fields/mappings.json
index 2e34eae159a7f..ed15855be8e31 100644
--- a/x-pack/test/functional/es_archives/security_solution/runtime_conflicting_fields/mappings.json
+++ b/x-pack/test/functional/es_archives/security_solution/runtime_conflicting_fields/mappings.json
@@ -108,7 +108,6 @@
 },
 "settings": {
 "index": {
- "refresh_interval": "1s",
 "number_of_replicas": "1",
 "number_of_shards": "1"
 }
diff --git a/x-pack/test/functional/es_archives/security_solution/timestamp_in_seconds/mappings.json b/x-pack/test/functional/es_archives/security_solution/timestamp_in_seconds/mappings.json
index fd8880fe0bc49..056d6467f510f 100644
--- a/x-pack/test/functional/es_archives/security_solution/timestamp_in_seconds/mappings.json
+++ b/x-pack/test/functional/es_archives/security_solution/timestamp_in_seconds/mappings.json
@@ -13,7 +13,6 @@
 },
 "settings": {
 "index": {
- "refresh_interval": "1s",
 "number_of_replicas": "1",
 "number_of_shards": "1"
 }
diff --git a/x-pack/test/functional/es_archives/security_solution/timestamp_override_5/mappings.json b/x-pack/test/functional/es_archives/security_solution/timestamp_override_5/mappings.json
index a9735aaeca8ef..fd6f02966837c 100644
--- a/x-pack/test/functional/es_archives/security_solution/timestamp_override_5/mappings.json
+++ b/x-pack/test/functional/es_archives/security_solution/timestamp_override_5/mappings.json
@@ -30,7 +30,6 @@
 },
 "settings": {
 "index": {
- "refresh_interval": "1s",
 "number_of_replicas": "1",
 "number_of_shards": "1"
 }
diff --git a/x-pack/test/functional/es_archives/security_solution/timestamp_override_6/mappings.json b/x-pack/test/functional/es_archives/security_solution/timestamp_override_6/mappings.json
index e3d8afd7a5b33..b1b35d6e1a23b 100644
--- a/x-pack/test/functional/es_archives/security_solution/timestamp_override_6/mappings.json
+++ b/x-pack/test/functional/es_archives/security_solution/timestamp_override_6/mappings.json
@@ -20,7 +20,6 @@
 },
 "settings": {
 "index": {
- "refresh_interval": "1s",
 "number_of_replicas": "1",
 "number_of_shards": "1"
 }
diff --git a/x-pack/test/security_solution_api_integration/es_archive/serverless/filebeat/threat_intel/data.json b/x-pack/test/security_solution_api_integration/es_archive/serverless/filebeat/threat_intel/data.json
new file mode 100644
index 0000000000000..80ccf200301c7
--- /dev/null
+++ b/x-pack/test/security_solution_api_integration/es_archive/serverless/filebeat/threat_intel/data.json
@@ -0,0 +1,418 @@ +{ + "type": "doc", + "value": { + "id": "978783", + "index": "filebeat-8.0.0-2021.01.26-000001", + "source": { + "@timestamp": "2021-01-26T11:09:05.529Z", + "agent": { + "ephemeral_id": "b7b56c3e-1f27-4c69-96f4-aa9ca47888d0", + "id": "69acb5f0-1e79-4cfe-a4dc-e0dbf229ff51", + "name": "MacBook-Pro-de-Gloria.local", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "1.6.0" + }, + "event": { + "category": "threat", + "created": "2021-01-26T11:09:05.529Z", + "dataset": "ti_abusech.malware", + "ingested": "2021-01-26T11:09:06.595350Z", + "kind": "enrichment", + "module": "threatintel", + "reference": "https://urlhaus.abuse.ch/url/978783/", + "type": "indicator" + }, + "fileset": { + "name": "abuseurl" + }, + "input": { + "type": "httpjson" + }, + "service": { + "type": "threatintel" + }, + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threat": { + "indicator": { + "description": "domain should match the auditbeat hosts' data's source.ip", + "domain": "159.89.119.67", + "first_seen": "2021-01-26T11:09:04.000Z", + "provider": "geenensp", + "type": "url", + "url": { + "full": "http://159.89.119.67:59600/bin.sh", + "scheme": "http" + } + } + }, + "threatintel": { + "abuseurl": { + "blacklists": { + "spamhaus_dbl": "not listed", + "surbl": "not listed" + }, + "larted": false, + "tags": null, + "threat": "malware_download", + "url_status": "online" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "id": "978784", + "index": "filebeat-8.0.0-2021.01.26-000001", + "source": { + "@timestamp": "2021-01-26T11:09:05.529Z", + "agent": { + "ephemeral_id": "b7b56c3e-1f27-4c69-96f4-aa9ca47888d0", + "id": "69acb5f0-1e79-4cfe-a4dc-e0dbf229ff51", + "name": "MacBook-Pro-de-Gloria.local", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "1.6.0" + }, + "event": { + "category": "threat", + "created": "2021-01-26T11:09:05.529Z", + "dataset": "ti_abusech.malware", + "ingested": "2021-01-26T11:09:06.616763Z", + 
"kind": "enrichment", + "module": "threatintel", + "reference": "https://urlhaus.abuse.ch/url/978782/", + "type": "indicator" + }, + "fileset": { + "name": "abuseurl" + }, + "input": { + "type": "httpjson" + }, + "service": { + "type": "threatintel" + }, + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threat": { + "indicator": { + "description": "this should not match the auditbeat hosts data", + "ip": "125.46.136.106", + "first_seen": "2021-01-26T11:06:03.000Z", + "provider": "geenensp", + "type": "ip" + } + }, + "threatintel": { + "abuseurl": { + "blacklists": { + "spamhaus_dbl": "not listed", + "surbl": "not listed" + }, + "larted": true, + "tags": [ + "32-bit", + "elf", + "mips" + ], + "threat": "malware_download", + "url_status": "online" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "id": "978785", + "index": "filebeat-8.0.0-2021.01.26-000001", + "source": { + "@timestamp": "2021-01-26T11:09:05.529Z", + "agent": { + "ephemeral_id": "b7b56c3e-1f27-4c69-96f4-aa9ca47888d0", + "id": "69acb5f0-1e79-4cfe-a4dc-e0dbf229ff51", + "name": "MacBook-Pro-de-Gloria.local", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "1.6.0" + }, + "event": { + "category": "threat", + "created": "2021-01-26T11:09:05.529Z", + "dataset": "ti_abusech.malware", + "ingested": "2021-01-26T11:09:06.616763Z", + "kind": "enrichment", + "module": "threatintel", + "reference": "https://urlhaus.abuse.ch/url/978782/", + "type": "indicator" + }, + "fileset": { + "name": "abuseurl" + }, + "input": { + "type": "httpjson" + }, + "service": { + "type": "threatintel" + }, + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threat": { + "indicator": { + "description": "this should match auditbeat/hosts on both port and ip", + "ip": "45.115.45.3", + "port": 57324, + "first_seen": "2021-01-26T11:06:03.000Z", + "provider": "geenensp", + "type": "url" + } + }, + "threatintel": { + "abuseurl": { + "blacklists": { + "spamhaus_dbl": "not listed", + "surbl": 
"not listed" + }, + "larted": true, + "tags": [ + "32-bit", + "elf", + "mips" + ], + "threat": "malware_download", + "url_status": "online" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "id": "978787", + "index": "filebeat-8.0.0-2021.01.26-000001", + "source": { + "@timestamp": "2021-01-26T11:09:05.529Z", + "agent": { + "ephemeral_id": "b7b56c3e-1f27-4c69-96f4-aa9ca47888d0", + "id": "69acb5f0-1e79-4cfe-a4dc-e0dbf229ff51", + "name": "MacBook-Pro-de-Gloria.local", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "1.6.0" + }, + "event": { + "category": "threat", + "created": "2021-01-26T11:09:05.529Z", + "dataset": "ti_abusech.malware", + "ingested": "2021-01-26T11:09:06.616763Z", + "kind": "enrichment", + "module": "threatintel", + "reference": "https://urlhaus.abuse.ch/url/978782/", + "type": "indicator" + }, + "fileset": { + "name": "abuseurl" + }, + "input": { + "type": "httpjson" + }, + "service": { + "type": "threatintel" + }, + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threat": { + "indicator": { + "description": "this should match auditbeat/hosts on ip", + "ip": "45.115.45.3", + "first_seen": "2021-01-26T11:06:03.000Z", + "provider": "other_provider", + "type": "ip" + } + }, + "threatintel": { + "abuseurl": { + "blacklists": { + "spamhaus_dbl": "not listed", + "surbl": "not listed" + }, + "larted": true, + "tags": [ + "32-bit", + "elf", + "mips" + ], + "threat": "malware_download", + "url_status": "online" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "id": "978766", + "index": "filebeat-8.0.0-2021.01.26-000001", + "source": { + "@timestamp": "2021-01-26T11:09:05.529Z", + "agent": { + "ephemeral_id": "b7b56c3e-1f27-4c69-96f4-aa9ca47888d0", + "id": "69acb5f0-1e79-4cfe-a4dc-e0dbf229ff51", + "name": "MacBook-Pro-de-Gloria.local", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "1.6.0" + }, + "event": { + "category": "threat", + "created": "2021-01-26T11:09:05.529Z", + "dataset": 
"ti_abusech.malware", + "ingested": "2021-01-26T11:09:06.595350Z", + "kind": "enrichment", + "module": "threatintel", + "reference": "https://urlhaus.abuse.ch/url/978783/", + "type": "indicator" + }, + "fileset": { + "name": "abuseurl" + }, + "input": { + "type": "httpjson" + }, + "service": { + "type": "threatintel" + }, + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threat": { + "indicator": { + "description": "domain should match the auditbeat hosts' data's source.ip", + "domain": "172.16.0.0", + "ip": "8.8.8.8", + "port": 777, + "first_seen": "2021-01-26T11:09:04.000Z", + "provider": "geenensp", + "type": "url", + "url": { + "full": "http://159.89.119.67:59600/bin.sh", + "scheme": "http" + } + } + }, + "threatintel": { + "abuseurl": { + "blacklists": { + "spamhaus_dbl": "not listed", + "surbl": "not listed" + }, + "larted": false, + "tags": null, + "threat": "malware_download", + "url_status": "online" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "id": "978767", + "index": "filebeat-8.0.0-2021.01.26-000001", + "source": { + "@timestamp": "2021-01-26T11:09:05.529Z", + "agent": { + "ephemeral_id": "b7b56c3e-1f27-4c69-96f4-aa9ca47888d0", + "id": "69acb5f0-1e79-4cfe-a4dc-e0dbf229ff51", + "name": "MacBook-Pro-de-Gloria.local", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "1.6.0" + }, + "event": { + "category": "threat", + "created": "2021-01-26T11:09:05.529Z", + "dataset": "ti_abusech.malware", + "ingested": "2021-01-26T11:09:06.595350Z", + "kind": "enrichment", + "module": "threatintel", + "reference": "https://urlhaus.abuse.ch/url/978783/", + "type": "indicator" + }, + "fileset": { + "name": "abuseurl" + }, + "input": { + "type": "httpjson" + }, + "service": { + "type": "threatintel" + }, + "tags": [ + "threatintel-abuseurls", + "forwarded" + ], + "threat": { + "indicator": { + "description": "domain should match the auditbeat hosts' data's source.ip", + "domain": "172.16.0.0", + "ip": "9.9.9.9", + "port": 123, + 
"first_seen": "2021-01-26T11:09:04.000Z", + "provider": "geenensp", + "type": "url", + "url": { + "full": "http://159.89.119.67:59600/bin.sh", + "scheme": "http" + } + } + }, + "threatintel": { + "abuseurl": { + "blacklists": { + "spamhaus_dbl": "not listed", + "surbl": "not listed" + }, + "larted": false, + "tags": null, + "threat": "malware_download", + "url_status": "online" + } + } + } + } +} \ No newline at end of file diff --git a/x-pack/test/security_solution_api_integration/es_archive/serverless/filebeat/threat_intel/mappings.json b/x-pack/test/security_solution_api_integration/es_archive/serverless/filebeat/threat_intel/mappings.json new file mode 100644 index 0000000000000..eda2430daef92 --- /dev/null +++ b/x-pack/test/security_solution_api_integration/es_archive/serverless/filebeat/threat_intel/mappings.json 
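Review bot: The `threat.indicator.description` strings in the new archive are copied between documents and no longer describe the data they sit on: ids 978766 and 978767 carry `domain should match the auditbeat hosts' data's source.ip` while their `domain` is `172.16.0.0` and they add `ip` and `port` values that document 978783 does not have, and 978784, 978785 and 978787 all reuse `https://urlhaus.abuse.ch/url/978782/` as `event.reference` although their ids differ. Since the description is what a reader uses to tell which document each threat-match test is expected to hit, each should presumably state what that document is meant to match on (or explicitly that it is a non-matching decoy). The file also ends without a trailing newline.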
@@ -0,0 +1,240 @@ +{ + "type": "index", + "value": { + "aliases": {}, + "index": "filebeat-8.0.0-2021.01.26-000001", + "mappings": { + "_meta": { + "beat": "filebeat", + "version": "7.0.0" + }, + "properties": { + "@timestamp": { + "type": "date" + }, + "@version": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "properties": { + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "type": "wildcard" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 
1024, + "type": "keyword" + } + } + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } + }, + "settings": { + "index": { + "auto_expand_replicas": "0-1", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "number_of_replicas": "0", + "number_of_shards": "1", + "refresh_interval": "5s" + } + } + } +} diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/alerts/alerts_compatibility.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/alerts/alerts_compatibility.ts index 680073955ce99..7df54659da8ce 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/alerts/alerts_compatibility.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/alerts/alerts_compatibility.ts 
@@ -235,7 +235,7 @@ export default ({ getService }: FtrProviderContext) => { expect(source).to.eql({ 'kibana.alert.rule.category': 'Custom Query Rule', 'kibana.alert.rule.consumer': 'siem', - 'kibana.alert.rule.name': 'Signal Testing Query', + 'kibana.alert.rule.name': 'Alert Testing Query', 'kibana.alert.rule.producer': 'siem', 'kibana.alert.rule.rule_type_id': 'siem.queryRule', 'kibana.space_ids': ['default'], @@ -322,7 +322,7 @@ export default ({ getService }: FtrProviderContext) => { 'kibana.alert.workflow_tags': [], 'kibana.alert.depth': 2, 'kibana.alert.reason': - 'event on security-linux-1 created high alert Signal Testing Query.', + 'event on security-linux-1 created high alert Alert Testing Query.', 'kibana.alert.severity': 'high', 'kibana.alert.risk_score': 1, 'kibana.alert.rule.parameters': { @@ -397,7 +397,7 @@ export default ({ getService }: FtrProviderContext) => { expect(source).to.eql({ 'kibana.alert.rule.category': 'Custom Query Rule', 'kibana.alert.rule.consumer': 'siem', - 'kibana.alert.rule.name': 'Signal Testing Query', + 'kibana.alert.rule.name': 'Alert Testing Query', 'kibana.alert.rule.producer': 'siem', 'kibana.alert.rule.rule_type_id': 'siem.queryRule', 'kibana.space_ids': ['default'], @@ -484,7 +484,7 @@ export default ({ getService }: FtrProviderContext) => { 'kibana.alert.workflow_tags': [], 'kibana.alert.depth': 2, 'kibana.alert.reason': - 'event on security-linux-1 created high alert Signal Testing Query.', + 'event on security-linux-1 created high alert Alert Testing Query.', 'kibana.alert.severity': 'high', 'kibana.alert.risk_score': 1, 'kibana.alert.rule.parameters': { diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/eql.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/eql.ts index abb87864e80af..4ed082f1da87d 100644 
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/eql.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/eql.ts @@ -38,23 +38,30 @@ import { previewRule, } from '../../../utils'; import { FtrProviderContext } from '../../../../../ftr_provider_context'; +import { EsArchivePathBuilder } from '../../../../../es_archive_path_builder'; export default ({ getService }: FtrProviderContext) => { const supertest = getService('supertest'); const esArchiver = getService('esArchiver'); const es = getService('es'); const log = getService('log'); + // TODO: add a new service + const config = getService('config'); + const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username'); + const isServerless = config.get('serverless'); + const dataPathBuilder = new EsArchivePathBuilder(isServerless); + const path = dataPathBuilder.getPath('auditbeat/hosts'); describe('@ess @serverless EQL type rules', () => { before(async () => { - await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts'); + await esArchiver.load(path); await esArchiver.load( 'x-pack/test/functional/es_archives/security_solution/timestamp_override_6' ); }); after(async () => { - await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/hosts'); + await esArchiver.unload(path); await esArchiver.unload( 'x-pack/test/functional/es_archives/security_solution/timestamp_override_6' ); @@ -144,7 +151,7 @@ export default ({ getService }: FtrProviderContext) => { }, }, [ALERT_REASON]: - 'configuration event on suricata-zeek-sensor-toronto created high alert Signal Testing Query.', + 'configuration event on suricata-zeek-sensor-toronto created high alert Alert Testing Query.', [ALERT_RULE_UUID]: fullAlert[ALERT_RULE_UUID], [ALERT_ORIGINAL_TIME]: fullAlert[ALERT_ORIGINAL_TIME], [ALERT_WORKFLOW_STATUS]: 'open', 
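Review bot: The new binding `const path = dataPathBuilder.getPath('auditbeat/hosts');` reads like Node's `path` module and says nothing about which archive it resolves; threat_match.ts in this same patch already uses a descriptive `…HostsPath` name, so `const auditbeatHostsPath = dataPathBuilder.getPath('auditbeat/hosts');` would make the `esArchiver.load`/`unload` calls self-explanatory and consistent across the suites. The same `path` binding is introduced in machine_learning.ts, new_terms.ts, saved_query.ts, threshold.ts and timestamps.ts. `ELASTICSEARCH_USERNAME` is declared here but not referenced in any visible hunk of eql.ts; if it is unused it should be removed rather than left for `no-unused-vars` to flag. The `// TODO: add a new service` comment would carry more information if it said what the service should absorb, e.g. `// TODO: move serverless detection and es_archive path resolution into a shared FTR service`. The enclosing default export continues outside the hunk.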
@@ -235,7 +242,7 @@ export default ({ getService }: FtrProviderContext) => { }, }, [ALERT_REASON]: - 'configuration event on suricata-zeek-sensor-toronto created high alert Signal Testing Query.', + 'configuration event on suricata-zeek-sensor-toronto created high alert Alert Testing Query.', [ALERT_RULE_UUID]: fullAlert[ALERT_RULE_UUID], [ALERT_ORIGINAL_TIME]: fullAlert[ALERT_ORIGINAL_TIME], [ALERT_WORKFLOW_STATUS]: 'open', @@ -408,7 +415,7 @@ export default ({ getService }: FtrProviderContext) => { }, }, [ALERT_REASON]: - 'anomoly event with process bro, by root on zeek-sensor-amsterdam created high alert Signal Testing Query.', + 'anomoly event with process bro, by root on zeek-sensor-amsterdam created high alert Alert Testing Query.', [ALERT_RULE_UUID]: fullAlert[ALERT_RULE_UUID], [ALERT_GROUP_ID]: fullAlert[ALERT_GROUP_ID], [ALERT_ORIGINAL_TIME]: fullAlert[ALERT_ORIGINAL_TIME], @@ -479,7 +486,7 @@ export default ({ getService }: FtrProviderContext) => { [ALERT_DEPTH]: 2, [ALERT_GROUP_ID]: source[ALERT_GROUP_ID], [ALERT_REASON]: - 'event by root on zeek-sensor-amsterdam created high alert Signal Testing Query.', + 'event by root on zeek-sensor-amsterdam created high alert Alert Testing Query.', [ALERT_RULE_UUID]: source[ALERT_RULE_UUID], [ALERT_ANCESTORS]: [ { diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/esql.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/esql.ts index 36c0a98c2603c..0afc16a565792 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/esql.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/esql.ts 
@@ -44,7 +44,7 @@ export default ({ getService }: FtrProviderContext) => { */ const internalIdPipe = (id: string) => `| where id=="${id}"`; - describe('@ess @serverless ES|QL rule type', () => { + describe('@ess ES|QL rule type', () => { before(async () => { await esArchiver.load('x-pack/test/functional/es_archives/security_solution/ecs_compliant'); }); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/index.ts index 36a249304c7e6..ee8c7e453b0c3 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/index.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/index.ts @@ -14,9 +14,9 @@ export default ({ loadTestFile }: FtrProviderContext): void => { loadTestFile(require.resolve('./machine_learning')); loadTestFile(require.resolve('./new_terms')); loadTestFile(require.resolve('./saved_query')); - loadTestFile(require.resolve('./threat_match')); + // loadTestFile(require.resolve('./threat_match')); loadTestFile(require.resolve('./threshold')); loadTestFile(require.resolve('./non_ecs_fields')); - loadTestFile(require.resolve('./query')); + // loadTestFile(require.resolve('./query')); }); }; diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/machine_learning.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/machine_learning.ts index 0fd0e1fdc87e7..323ed14c5bdce 100644 
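Review bot: Dropping `@serverless` from the `describe` title removes this suite from the serverless run with no reason recorded in the code, so a later reader cannot tell whether this is a temporary exclusion or a permanent decision. A one-line comment above it, e.g. `// TODO(<tracking-issue placeholder>): restore @serverless once this suite passes there`, would make the intent explicit. query.ts makes the same change in its `@@ -87,7 +87,7 @@` hunk.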
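Review bot: Commenting out `loadTestFile(require.resolve('./threat_match'));` and `loadTestFile(require.resolve('./query'));` leaves dead code with no explanation, so nothing distinguishes a deliberate skip from a forgotten one. Since query.ts now carries only the `@ess` tag (its `@@ -87,7 +87,7 @@` hunk), disabling it here also removes it from the ESS run, which may be wider than intended. If the suites must be excluded for now, prefer `describe.skip` inside the suite or a `// TODO(<tracking-issue placeholder>): re-enable once …` comment above each line so the reason travels with the code.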
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/machine_learning.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/machine_learning.ts @@ -43,14 +43,19 @@ import { previewRule, previewRuleWithExceptionEntries, } from '../../../utils'; - import { FtrProviderContext } from '../../../../../ftr_provider_context'; +import { EsArchivePathBuilder } from '../../../../../es_archive_path_builder'; export default ({ getService }: FtrProviderContext) => { const supertest = getService('supertest'); const esArchiver = getService('esArchiver'); const es = getService('es'); const log = getService('log'); + // TODO: add a new service + const config = getService('config'); + const isServerless = config.get('serverless'); + const dataPathBuilder = new EsArchivePathBuilder(isServerless); + const path = dataPathBuilder.getPath('auditbeat/hosts'); const siemModule = 'security_linux_v3'; const mlJobId = 'v3_linux_anomalous_network_activity'; 
@@ -70,13 +75,13 @@ export default ({ getService }: FtrProviderContext) => { before(async () => { // Order is critical here: auditbeat data must be loaded before attempting to start the ML job, // as the job looks for certain indices on start - await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts'); + await esArchiver.load(path); await executeSetupModuleRequest({ module: siemModule, rspCode: 200, supertest }); await forceStartDatafeeds({ jobId: mlJobId, rspCode: 200, supertest }); await esArchiver.load('x-pack/test/functional/es_archives/security_solution/anomalies'); }); after(async () => { - await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/hosts'); + await esArchiver.unload(path); await esArchiver.unload('x-pack/test/functional/es_archives/security_solution/anomalies'); await deleteAllAlerts(supertest, log, es); await deleteAllRules(supertest, log); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/new_terms.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/new_terms.ts index 0475b2f59ab65..0aedb19748cf4 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/new_terms.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/new_terms.ts 
@@ -25,12 +25,12 @@ import { removeRandomValuedPropertiesFromAlert, } from '../../../utils'; import { deleteAllExceptions } from '../../../../../../lists_api_integration/utils'; +import { FtrProviderContext } from '../../../../../ftr_provider_context'; +import { EsArchivePathBuilder } from '../../../../../es_archive_path_builder'; const historicalWindowStart = '2022-10-13T05:00:04.000Z'; const ruleExecutionStart = '2022-10-19T05:00:04.000Z'; -import { FtrProviderContext } from '../../../../../ftr_provider_context'; - export default ({ getService }: FtrProviderContext) => { const supertest = getService('supertest'); const esArchiver = getService('esArchiver'); @@ -41,7 +41,12 @@ export default ({ getService }: FtrProviderContext) => { index: 'new_terms', log, }); - + // TODO: add a new service + const config = getService('config'); + const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username'); + const isServerless = config.get('serverless'); + const dataPathBuilder = new EsArchivePathBuilder(isServerless); + const path = dataPathBuilder.getPath('auditbeat/hosts'); /** * indexes 2 sets of documents: * - documents in historical window @@ -73,12 +78,12 @@ export default ({ getService }: FtrProviderContext) => { describe('@ess @serverless New terms type rules', () => { before(async () => { - await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts'); + await esArchiver.load(path); await esArchiver.load('x-pack/test/functional/es_archives/security_solution/new_terms'); }); after(async () => { - await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/hosts'); + await esArchiver.unload(path); await esArchiver.unload('x-pack/test/functional/es_archives/security_solution/new_terms'); await deleteAllAlerts(supertest, log, es); await deleteAllRules(supertest, log); 
@@ -195,7 +200,7 @@ export default ({ getService }: FtrProviderContext) => { }, 'kibana.alert.rule.actions': [], 'kibana.alert.rule.author': [], - 'kibana.alert.rule.created_by': 'elastic', + 'kibana.alert.rule.created_by': ELASTICSEARCH_USERNAME, 'kibana.alert.rule.description': 'Detecting root and admin users', 'kibana.alert.rule.enabled': true, 'kibana.alert.rule.exceptions_list': [], @@ -213,7 +218,7 @@ export default ({ getService }: FtrProviderContext) => { 'kibana.alert.rule.threat': [], 'kibana.alert.rule.to': 'now', 'kibana.alert.rule.type': 'new_terms', - 'kibana.alert.rule.updated_by': 'elastic', + 'kibana.alert.rule.updated_by': ELASTICSEARCH_USERNAME, 'kibana.alert.rule.version': 1, 'kibana.alert.rule.risk_score': 55, 'kibana.alert.rule.severity': 'high', diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts index 1d1e486103710..7df5b9c1e2a6c 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts @@ -87,7 +87,7 @@ export default ({ getService }: FtrProviderContext) => { const log = getService('log'); const esDeleteAllIndices = getService('esDeleteAllIndices'); - describe('@ess @serverless Query type rules', () => { + describe('@ess Query type rules', () => { before(async () => { await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts'); await esArchiver.load('x-pack/test/functional/es_archives/security_solution/alerts/8.1.0'); 
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/saved_query.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/saved_query.ts index f33a539870cdb..e387a2f840c41 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/saved_query.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/saved_query.ts @@ -24,6 +24,7 @@ import { getRuleForAlertTesting, } from '../../../utils'; import { FtrProviderContext } from '../../../../../ftr_provider_context'; +import { EsArchivePathBuilder } from '../../../../../es_archive_path_builder'; /** * Specific _id to use for some of the tests. If the archiver changes and you see errors @@ -36,14 +37,19 @@ export default ({ getService }: FtrProviderContext) => { const esArchiver = getService('esArchiver'); const es = getService('es'); const log = getService('log'); + // TODO: add a new service + const config = getService('config'); + const isServerless = config.get('serverless'); + const dataPathBuilder = new EsArchivePathBuilder(isServerless); + const path = dataPathBuilder.getPath('auditbeat/hosts'); describe('@ess @serverless Saved query type rules', () => { before(async () => { - await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts'); + await esArchiver.load(path); }); after(async () => { - await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/hosts'); + await esArchiver.unload(path); await deleteAllAlerts(supertest, log, es); await deleteAllRules(supertest, log); }); 
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threat_match.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threat_match.ts index 773b4e96368c2..3102664b5b768 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threat_match.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threat_match.ts @@ -45,6 +45,7 @@ import { createRule, } from '../../../utils'; import { FtrProviderContext } from '../../../../../ftr_provider_context'; +import { EsArchivePathBuilder } from '../../../../../es_archive_path_builder'; const format = (value: unknown): string => JSON.stringify(value, null, 2); @@ -109,8 +110,8 @@ const createThreatMatchRule = ({ threat_index, threat_mapping, threat_filters: [], - threat_indicator_path, ...override, + threat_indicator_path, }); function alertsAreTheSame(alertsA: any[], alertsB: any[]): void { @@ -144,6 +145,13 @@ export default ({ getService }: FtrProviderContext) => { const supertest = getService('supertest'); const es = getService('es'); const log = getService('log'); + // TODO: add a new service + const config = getService('config'); + const isServerless = config.get('serverless'); + const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username'); + const dataPathBuilder = new EsArchivePathBuilder(isServerless); + const audibeatHostsPath = dataPathBuilder.getPath('auditbeat/hosts'); + const threatIntelPath = dataPathBuilder.getPath('filebeat/threat_intel'); /** * Specific api integration tests for threat matching rule type 
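Review bot: Moving `threat_indicator_path` after `...override` changes precedence in `createThreatMatchRule`: a caller that passes `threat_indicator_path` inside `override` is now silently ignored, whereas before it replaced the default. If that is intended, a short comment such as `// threat_indicator_path deliberately takes precedence over override` would stop the next reader from reverting it; if not, the original order should be restored. The function's signature and the rest of its object literal lie outside the hunk, so I cannot see whether any caller relies on the old behaviour.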
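Review bot: `audibeatHostsPath` is misspelled; `const auditbeatHostsPath = dataPathBuilder.getPath('auditbeat/hosts');` matches the archive name and the `threatIntelPath` sibling, and the two `esArchiver.load`/`unload` calls in the `@@ -151,11 +159,11 @@` hunk would be renamed with it. Keeping the name aligned with the archive path also makes it greppable when the archive moves again.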
@@ -151,11 +159,11 @@ export default ({ getService }: FtrProviderContext) => { // FLAKY: https://github.com/elastic/kibana/issues/155304 describe('@ess @serverless Threat match type rules', () => { before(async () => { - await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts'); + await esArchiver.load(audibeatHostsPath); }); after(async () => { - await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/hosts'); + await esArchiver.unload(audibeatHostsPath); await deleteAllAlerts(supertest, log, es); await deleteAllRules(supertest, log); }); @@ -295,7 +303,7 @@ export default ({ getService }: FtrProviderContext) => { author: [], category: 'Indicator Match Rule', consumer: 'siem', - created_by: 'elastic', + created_by: ELASTICSEARCH_USERNAME, description: 'Detecting root and admin users', enabled: true, exceptions_list: [], @@ -317,7 +325,7 @@ export default ({ getService }: FtrProviderContext) => { to: 'now', type: 'threat_match', updated_at: fullAlert[ALERT_RULE_UPDATED_AT], - updated_by: 'elastic', + updated_by: ELASTICSEARCH_USERNAME, uuid: fullAlert[ALERT_RULE_UUID], version: 1, }), @@ -474,7 +482,7 @@ export default ({ getService }: FtrProviderContext) => { author: [], category: 'Indicator Match Rule', consumer: 'siem', - created_by: 'elastic', + created_by: ELASTICSEARCH_USERNAME, description: 'Detecting root and admin users', enabled: true, exceptions_list: [], @@ -496,7 +504,7 @@ export default ({ getService }: FtrProviderContext) => { to: 'now', type: 'threat_match', updated_at: fullAlert[ALERT_RULE_UPDATED_AT], - updated_by: 'elastic', + updated_by: ELASTICSEARCH_USERNAME, uuid: fullAlert[ALERT_RULE_UUID], version: 1, }), 
@@ -656,11 +664,11 @@ export default ({ getService }: FtrProviderContext) => { describe('indicator enrichment: threat-first search', () => { before(async () => { - await esArchiver.load('x-pack/test/functional/es_archives/filebeat/threat_intel'); + await esArchiver.load(threatIntelPath); }); after(async () => { - await esArchiver.unload('x-pack/test/functional/es_archives/filebeat/threat_intel'); + await esArchiver.unload(threatIntelPath); }); it('enriches alerts with the single indicator that matched', async () => { @@ -1055,11 +1063,11 @@ export default ({ getService }: FtrProviderContext) => { describe('indicator enrichment: event-first search', () => { before(async () => { - await esArchiver.load('x-pack/test/functional/es_archives/filebeat/threat_intel'); + await esArchiver.load(threatIntelPath); }); after(async () => { - await esArchiver.unload('x-pack/test/functional/es_archives/filebeat/threat_intel'); + await esArchiver.unload(threatIntelPath); }); it('enriches alerts with the single indicator that matched', async () => { diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threshold.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threshold.ts index 00d5e2883202b..81203c3d48a28 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threshold.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threshold.ts 
@@ -30,20 +30,26 @@ import { previewRule, } from '../../../utils'; import { FtrProviderContext } from '../../../../../ftr_provider_context'; +import { EsArchivePathBuilder } from '../../../../../es_archive_path_builder'; export default ({ getService }: FtrProviderContext) => { const supertest = getService('supertest'); const esArchiver = getService('esArchiver'); const es = getService('es'); const log = getService('log'); + // TODO: add a new service + const config = getService('config'); + const isServerless = config.get('serverless'); + const dataPathBuilder = new EsArchivePathBuilder(isServerless); + const path = dataPathBuilder.getPath('auditbeat/hosts'); describe('@ess @serverless Threshold type rules', () => { before(async () => { - await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts'); + await esArchiver.load(path); }); after(async () => { - await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/hosts'); + await esArchiver.unload(path); }); // First test creates a real rule - remaining tests use preview API @@ -76,7 +82,7 @@ export default ({ getService }: FtrProviderContext) => { }, ], [ALERT_WORKFLOW_STATUS]: 'open', - [ALERT_REASON]: 'event created high alert Signal Testing Query.', + [ALERT_REASON]: 'event created high alert Alert Testing Query.', [ALERT_RULE_UUID]: fullAlert[ALERT_RULE_UUID], [ALERT_ORIGINAL_TIME]: fullAlert[ALERT_ORIGINAL_TIME], [ALERT_DEPTH]: 1, @@ -219,7 +225,7 @@ export default ({ getService }: FtrProviderContext) => { }, ], [ALERT_WORKFLOW_STATUS]: 'open', - [ALERT_REASON]: `event created high alert Signal Testing Query.`, + [ALERT_REASON]: `event created high alert Alert Testing Query.`, [ALERT_RULE_UUID]: fullAlert[ALERT_RULE_UUID], [ALERT_ORIGINAL_TIME]: fullAlert[ALERT_ORIGINAL_TIME], [ALERT_DEPTH]: 1, 
@@ -286,7 +292,7 @@ export default ({ getService }: FtrProviderContext) => { }, ], [ALERT_WORKFLOW_STATUS]: 'open', - [ALERT_REASON]: `event with process sshd, created high alert Signal Testing Query.`, + [ALERT_REASON]: `event with process sshd, created high alert Alert Testing Query.`, [ALERT_RULE_UUID]: fullAlert[ALERT_RULE_UUID], [ALERT_ORIGINAL_TIME]: fullAlert[ALERT_ORIGINAL_TIME], [ALERT_DEPTH]: 1, diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/index.ts index cc0e7279ad35a..4795de96f8aa6 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/index.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/index.ts @@ -13,6 +13,7 @@ export default function ({ loadTestFile }: FtrProviderContext) { loadTestFile(require.resolve('./ignore_fields')); loadTestFile(require.resolve('./runtime')); loadTestFile(require.resolve('./timestamps')); + // The execution logic is run last, as it encompasses the "query" test, resetting the alerts and resulting in failures in the following tests. loadTestFile(require.resolve('./execution_logic')); }); } diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/timestamps.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/timestamps.ts index 7897ab6612e51..d7c645c115082 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/timestamps.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/timestamps.ts 
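Review bot: The added comment in rule_execution_logic/index.ts documents an ordering dependency between suites instead of removing it; a suite that deletes alerts should clean up or re-seed in its own `after` hook so that `loadTestFile` order stops mattering. If the ordering has to stay for now, a shorter comment with a tracking reference reads better, e.g. `// Must load last: execution_logic/query deletes alerts later suites depend on (TODO <tracking-issue placeholder>).`. Note that execution_logic/index.ts in this same patch comments out `./query`, so the stated reason does not currently apply while that line is disabled.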
@@ -28,16 +28,21 @@ import { waitForRulePartialFailure, } from '../../utils'; import { FtrProviderContext } from '../../../../ftr_provider_context'; +import { EsArchivePathBuilder } from '../../../../es_archive_path_builder'; export default ({ getService }: FtrProviderContext) => { const supertest = getService('supertest'); const esArchiver = getService('esArchiver'); const es = getService('es'); const log = getService('log'); - + // TODO: add a new service + const config = getService('config'); + const isServerless = config.get('serverless'); + const dataPathBuilder = new EsArchivePathBuilder(isServerless); + const path = dataPathBuilder.getPath('auditbeat/hosts'); /** * Tests around timestamps within alerts such as the copying of timestamps correctly into - * the "alert.original_time" field, ensuring that timestamp overrides operate, and ensuring that + * the "signal.original_time" field, ensuring that timestamp overrides operate, and ensuring that * partial errors happen correctly */ describe('@ess @serverless timestamp tests', () => { @@ -340,11 +345,11 @@ export default ({ getService }: FtrProviderContext) => { describe('alerts generated from events with timestamp override field and ensures search_after continues to work when documents are missing timestamp override field', () => { before(async () => { - await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts'); + await esArchiver.load(path); }); after(async () => { - await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/hosts'); + await esArchiver.unload(path); }); beforeEach(async () => { diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/get_rule_for_alert_testing.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/get_rule_for_alert_testing.ts index d6d51ebb52d00..5649031185feb 100644 
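Review bot: The doc comment is changed from `"alert.original_time"` back to `"signal.original_time"`, reintroducing the legacy field name while the rest of this patch renames 'Signal' to 'Alert' and other suites here assert on `ALERT_ORIGINAL_TIME`. This looks like a merge artefact rather than an intended edit; the line should read `* the "kibana.alert.original_time" field, ensuring that timestamp overrides operate, and ensuring that` (or keep the previous wording) so the comment names the field the tests actually check.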
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/get_rule_for_alert_testing.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/get_rule_for_alert_testing.ts @@ -19,7 +19,7 @@ export const getRuleForAlertTesting = ( ruleId = 'rule-1', enabled = true ): QueryRuleCreateProps => ({ - name: 'Signal Testing Query', + name: 'Alert Testing Query', description: 'Tests a simple query', enabled, risk_score: 1, diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/get_rule_for_alert_testing_with_timestamp_override.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/get_rule_for_alert_testing_with_timestamp_override.ts index e8201ce517cff..86fc55bd29652 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/get_rule_for_alert_testing_with_timestamp_override.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/get_rule_for_alert_testing_with_timestamp_override.ts @@ -13,7 +13,7 @@ export const getRuleForAlertTestingWithTimestampOverride = ( enabled = true, timestampOverride = 'event.ingested' ): QueryRuleCreateProps => ({ - name: 'Signal Testing Query', + name: 'Alert Testing Query', description: 'Tests a simple query', enabled, risk_score: 1, diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/preview_rule.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/preview_rule.ts index a97c304f5ffaa..ec060c4076404 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/preview_rule.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/preview_rule.ts 
@@ -44,6 +44,7 @@ export const previewRule = async ({ const response = await supertest .post(DETECTION_ENGINE_RULES_PREVIEW) .set('kbn-xsrf', 'true') + .set('elastic-api-version', '2023-10-31') .send(previewRequest) .expect(200); return response.body; From 45f900b6ded26dfe7e66c24e14fe507de8601784 Mon Sep 17 00:00:00 2001 From: wafaanasr Date: Fri, 10 Nov 2023 15:25:54 +0100 Subject: [PATCH 11/23] fix some errors of serverless --- .../rule_execution_logic/execution_logic/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/index.ts index ee8c7e453b0c3..24d8ed4ffb889 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/index.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/index.ts @@ -14,7 +14,7 @@ export default ({ loadTestFile }: FtrProviderContext): void => { loadTestFile(require.resolve('./machine_learning')); loadTestFile(require.resolve('./new_terms')); loadTestFile(require.resolve('./saved_query')); - // loadTestFile(require.resolve('./threat_match')); + loadTestFile(require.resolve('./threat_match')); loadTestFile(require.resolve('./threshold')); loadTestFile(require.resolve('./non_ecs_fields')); // loadTestFile(require.resolve('./query')); From bdb92ca2a1b0d85c025c697a60d33f43d6227330 Mon Sep 17 00:00:00 2001 
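Review bot: `.set('elastic-api-version', '2023-10-31')` pins the public API version as two string literals inside a shared test helper; if other helpers under `utils/rules` set the same header, the header name and version belong in one exported constant so that a version bump is a single edit rather than a search-and-replace across the suite. If the codebase already exports such constants for the versioned HTTP header, reuse them instead of the literals. The `previewRule` signature and the start of the request body lie outside the hunk.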
From: wafaanasr Date: Fri, 10 Nov 2023 16:25:34 +0100 Subject: [PATCH 12/23] add services of api integration in serverless --- .../config/serverless/config.base.ts | 5 ++++- .../rule_execution_logic/execution_logic/eql.ts | 1 - .../rule_execution_logic/execution_logic/index.ts | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/x-pack/test/security_solution_api_integration/config/serverless/config.base.ts b/x-pack/test/security_solution_api_integration/config/serverless/config.base.ts index 6238282722cfc..374538e593efa 100644 --- a/x-pack/test/security_solution_api_integration/config/serverless/config.base.ts +++ b/x-pack/test/security_solution_api_integration/config/serverless/config.base.ts @@ -11,15 +11,18 @@ export interface CreateTestConfigOptions { kbnTestServerArgs?: string[]; kbnTestServerEnv?: Record; } +import { services } from '../../../../test_serverless/api_integration/services'; export function createTestConfig(options: CreateTestConfigOptions) { return async ({ readConfigFile }: FtrConfigProviderContext) => { const svlSharedConfig = await readConfigFile( require.resolve('../../../../test_serverless/shared/config.base.ts') ); - return { ...svlSharedConfig.getAll(), + services: { + ...services, + }, kbnTestServer: { ...svlSharedConfig.get('kbnTestServer'), serverArgs: [ diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/eql.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/eql.ts index 4ed082f1da87d..daf4e1a7ce50b 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/eql.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/eql.ts 
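Review bot: The new `import { services } from '../../../../test_serverless/api_integration/services';` is inserted after the `CreateTestConfigOptions` interface instead of with the file's other imports at the top, which import-ordering lint rules (`import/first`) flag; move it up beside the existing imports. The `services: { ...services }` spread copies the object for no visible reason — unless more entries are about to be merged in, `services,` expresses the same thing. The import path reaches four directories up into a sibling test package, so a one-line comment saying why the serverless API-integration services are reused by this config would help the next reader. The returned config object continues outside the hunk.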
@@ -47,7 +47,6 @@ export default ({ getService }: FtrProviderContext) => { const log = getService('log'); // TODO: add a new service const config = getService('config'); - const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username'); const isServerless = config.get('serverless'); const dataPathBuilder = new EsArchivePathBuilder(isServerless); const path = dataPathBuilder.getPath('auditbeat/hosts'); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/index.ts index 24d8ed4ffb889..36a249304c7e6 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/index.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/index.ts @@ -17,6 +17,6 @@ export default ({ loadTestFile }: FtrProviderContext): void => { loadTestFile(require.resolve('./threat_match')); loadTestFile(require.resolve('./threshold')); loadTestFile(require.resolve('./non_ecs_fields')); - // loadTestFile(require.resolve('./query')); + loadTestFile(require.resolve('./query')); }); }; From 817259199e9111dbfaa463bcf9d8970e904cca0f Mon Sep 17 00:00:00 2001 From: wafaanasr Date: Fri, 10 Nov 2023 17:36:27 +0100 Subject: [PATCH 13/23] enable query in Serverless --- .../execution_logic/query.ts | 24 ++++++++++++++----- 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts index 7df5b9c1e2a6c..efd11838c6d7c 100644 
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts @@ -66,6 +66,7 @@ import { } from '../../../utils'; import { FtrProviderContext } from '../../../../../ftr_provider_context'; +import { EsArchivePathBuilder } from '../../../../../es_archive_path_builder'; /** * Specific _id to use for some of the tests. If the archiver changes and you see errors @@ -86,11 +87,17 @@ export default ({ getService }: FtrProviderContext) => { const es = getService('es'); const log = getService('log'); const esDeleteAllIndices = getService('esDeleteAllIndices'); + // TODO: add a new service + const config = getService('config'); + const isServerless = config.get('serverless'); + const dataPathBuilder = new EsArchivePathBuilder(isServerless); + const auditbeatPath = dataPathBuilder.getPath('auditbeat/hosts'); - describe('@ess Query type rules', () => { + describe('@ess @serverless Query type rules', () => { before(async () => { - await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts'); - await esArchiver.load('x-pack/test/functional/es_archives/security_solution/alerts/8.1.0'); + await esArchiver.load(auditbeatPath); + if (!isServerless) + await esArchiver.load('x-pack/test/functional/es_archives/security_solution/alerts/8.1.0'); await esArchiver.load('x-pack/test/functional/es_archives/signals/severity_risk_overrides'); }); 
@@ -99,8 +106,12 @@ export default ({ getService }: FtrProviderContext) => { }); after(async () => { - await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/hosts'); - await esArchiver.unload('x-pack/test/functional/es_archives/security_solution/alerts/8.1.0'); + await esArchiver.unload(auditbeatPath); + // ASK what could be the alertnative solution here + if (!isServerless) + await esArchiver.unload( + 'x-pack/test/functional/es_archives/security_solution/alerts/8.1.0' + ); await esArchiver.unload('x-pack/test/functional/es_archives/signals/severity_risk_overrides'); await deleteAllAlerts(supertest, log, es, ['.preview.alerts-security.alerts-*']); await deleteAllRules(supertest, log); @@ -189,6 +200,7 @@ export default ({ getService }: FtrProviderContext) => { }); }); + // Is Rule Preview in Serverless? it('should query and get back expected alert structure when it is a alert on a alert', async () => { const alertId = '30a75fe46d3dbdfab55982036f77a8d60e2d1112e96f277c3b8c22f9bb57817a'; const rule: QueryRuleCreateProps = { @@ -2276,7 +2288,7 @@ export default ({ getService }: FtrProviderContext) => { }); }); - describe('legacy investigation_fields', () => { + describe('@brokenInServerless legacy investigation_fields', () => { let ruleWithLegacyInvestigationField: Rule; beforeEach(async () => { From e8c478c97b59d9f0d772127f0f9cde486211b840 Mon Sep 17 00:00:00 2001 From: wafaanasr Date: Mon, 13 Nov 2023 10:45:39 +0100 Subject: [PATCH 14/23] remove the condition of isserverless --- .../rule_execution_logic/execution_logic/query.ts | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts index efd11838c6d7c..637499830429a 100644 
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts @@ -96,8 +96,7 @@ export default ({ getService }: FtrProviderContext) => { describe('@ess @serverless Query type rules', () => { before(async () => { await esArchiver.load(auditbeatPath); - if (!isServerless) - await esArchiver.load('x-pack/test/functional/es_archives/security_solution/alerts/8.1.0'); + await esArchiver.load('x-pack/test/functional/es_archives/security_solution/alerts/8.1.0'); await esArchiver.load('x-pack/test/functional/es_archives/signals/severity_risk_overrides'); }); @@ -107,11 +106,7 @@ export default ({ getService }: FtrProviderContext) => { after(async () => { await esArchiver.unload(auditbeatPath); - // ASK what could be the alertnative solution here - if (!isServerless) - await esArchiver.unload( - 'x-pack/test/functional/es_archives/security_solution/alerts/8.1.0' - ); + await esArchiver.unload('x-pack/test/functional/es_archives/security_solution/alerts/8.1.0'); await esArchiver.unload('x-pack/test/functional/es_archives/signals/severity_risk_overrides'); await deleteAllAlerts(supertest, log, es, ['.preview.alerts-security.alerts-*']); await deleteAllRules(supertest, log); @@ -2288,7 +2283,7 @@ export default ({ getService }: FtrProviderContext) => { }); }); - describe('@brokenInServerless legacy investigation_fields', () => { + describe('legacy investigation_fields', () => { let ruleWithLegacyInvestigationField: Rule; beforeEach(async () => { From 0301147212fe3cccfc787201efb9a0f6c17a5f40 Mon Sep 17 00:00:00 2001 
From: wafaanasr Date: Tue, 14 Nov 2023 11:19:09 +0100 Subject: [PATCH 15/23] remove kibana.alert.url from the expected alerts --- .../rule_execution_logic/execution_logic/query.ts | 1 - .../rule_execution_logic/execution_logic/threat_match.ts | 1 + .../default_license/rule_execution_logic/ignore_fields.ts | 2 +- .../utils/alerts/remove_random_valued_properties_from_alert.ts | 1 + 4 files changed, 3 insertions(+), 2 deletions(-) diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts index 637499830429a..48465eab23274 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts @@ -195,7 +195,6 @@ export default ({ getService }: FtrProviderContext) => { }); }); - // Is Rule Preview in Serverless? it('should query and get back expected alert structure when it is a alert on a alert', async () => { const alertId = '30a75fe46d3dbdfab55982036f77a8d60e2d1112e96f277c3b8c22f9bb57817a'; const rule: QueryRuleCreateProps = { diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threat_match.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threat_match.ts index 3102664b5b768..8d7cf8fd9f89b 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threat_match.ts 
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/threat_match.ts @@ -132,6 +132,7 @@ function alertsAreTheSame(alertsA: any[], alertsB: any[]): void { 'kibana.alert.start', 'kibana.alert.reason', 'kibana.alert.uuid', + 'kibana.alert.url', ]); }; diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/ignore_fields.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/ignore_fields.ts index 347d81c5c7f60..d74d6c9f16b07 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/ignore_fields.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/ignore_fields.ts @@ -28,7 +28,7 @@ interface Ignore { import { FtrProviderContext } from '../../../../ftr_provider_context'; export default ({ getService }: FtrProviderContext): void => { /** - * See the config file (detection_engine_api_integration/common/config.ts) for which field values were added to be ignored + * See the config file (config.ts) for which field values were added to be ignored * for testing. The values should be in the config around the area of: * --xpack.securitySolution.alertIgnoreFields=[testing.ignore_1,/[testingRegex] * meaning that the ignore fields values should be the array: ["testing.ignore_1", "/[testingRegex]/"] diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/alerts/remove_random_valued_properties_from_alert.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/alerts/remove_random_valued_properties_from_alert.ts index e0c3fc4f4dbf6..3161fe1a61a6e 100644 
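Review bot: `'kibana.alert.url'` is added to the list of properties that `alertsAreTheSame` strips as randomly valued, but the url is not random: the 8.8.0 fixture added later in this series shows it is built from the Kibana base URL (`http://localhost:5601` there), the alert uuid and the alert timestamp, so it differs between deployments rather than between runs. A trailing comment such as `'kibana.alert.url', // deterministic, but embeds the deployment's public base URL` records why it is excluded; the same note applies to the `alertURL` destructuring in remove_random_valued_properties_from_alert.ts in the following hunk. The body of `alertsAreTheSame` continues outside the hunk.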
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/alerts/remove_random_valued_properties_from_alert.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/alerts/remove_random_valued_properties_from_alert.ts @@ -20,6 +20,7 @@ export const removeRandomValuedPropertiesFromAlert = (alert: DetectionAlert | un 'kibana.alert.rule.created_at': createdAt, 'kibana.alert.rule.updated_at': updatedAt, 'kibana.alert.uuid': alertUuid, + 'kibana.alert.url': alertURL, [ALERT_START]: alertStart, [ALERT_LAST_DETECTED]: lastDetected, ...restOfAlert From e9681dcd75b0925287c128f7ed2094ef714d78b3 Mon Sep 17 00:00:00 2001 From: wafaanasr Date: Tue, 14 Nov 2023 12:20:55 +0100 Subject: [PATCH 16/23] remove old execution config --- .buildkite/ftr_configs.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.buildkite/ftr_configs.yml b/.buildkite/ftr_configs.yml index 59a0061f94908..26fb1c44a3071 100644 --- a/.buildkite/ftr_configs.yml +++ b/.buildkite/ftr_configs.yml @@ -226,7 +226,6 @@ enabled: - x-pack/test/detection_engine_api_integration/security_and_spaces/group1/config.ts - x-pack/test/detection_engine_api_integration/security_and_spaces/group4/config.ts - x-pack/test/detection_engine_api_integration/security_and_spaces/group10/config.ts - - x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/config.ts - x-pack/test/disable_ems/config.ts - x-pack/test/encrypted_saved_objects_api_integration/config.ts - x-pack/test/examples/config.ts From 4ed5e0ee9beb1e16b063cdc1ca007ee604306072 Mon Sep 17 00:00:00 2001 From: wafaanasr Date: Tue, 14 Nov 2023 16:43:48 +0100 Subject: [PATCH 17/23] remove loading of alerts in 8.1.0 --- .../execution_logic/query.ts | 28 ++++++------------- 1 file changed, 9 insertions(+), 19 deletions(-) 
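Review bot: The new destructured name `alertURL` breaks the casing of its neighbours (`createdAt`, `updatedAt`, `alertUuid`, `alertStart`, `lastDetected`); `'kibana.alert.url': alertUrl,` keeps the file's camelCase convention. The parameter list of `removeRandomValuedPropertiesFromAlert` and the rest of the destructuring lie outside the hunk.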
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts index 48465eab23274..4b4d4c0b2dacb 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts @@ -96,7 +96,6 @@ export default ({ getService }: FtrProviderContext) => { describe('@ess @serverless Query type rules', () => { before(async () => { await esArchiver.load(auditbeatPath); - await esArchiver.load('x-pack/test/functional/es_archives/security_solution/alerts/8.1.0'); await esArchiver.load('x-pack/test/functional/es_archives/signals/severity_risk_overrides'); }); @@ -106,7 +105,6 @@ export default ({ getService }: FtrProviderContext) => { after(async () => { await esArchiver.unload(auditbeatPath); - await esArchiver.unload('x-pack/test/functional/es_archives/security_solution/alerts/8.1.0'); await esArchiver.unload('x-pack/test/functional/es_archives/signals/severity_risk_overrides'); await deleteAllAlerts(supertest, log, es, ['.preview.alerts-security.alerts-*']); await deleteAllRules(supertest, log); @@ -196,9 +194,9 @@ export default ({ getService }: FtrProviderContext) => { }); it('should query and get back expected alert structure when it is a alert on a alert', async () => { - const alertId = '30a75fe46d3dbdfab55982036f77a8d60e2d1112e96f277c3b8c22f9bb57817a'; + const alertId = 'BhbXBmkBR346wHgn4PeZ'; const rule: QueryRuleCreateProps = { - ...getRuleForAlertTesting([`.alerts-security.alerts-default*`]), + ...getRuleForAlertTesting([`auditbeat-*`]), rule_id: 'signal-on-signal', query: `_id:${alertId}`, }; 
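Review bot: After this hunk the test still reads `it('should query and get back expected alert structure when it is a alert on a alert', ...)` and keeps `rule_id: 'signal-on-signal'`, but the rule now runs against `auditbeat-*` with `_id:BhbXBmkBR346wHgn4PeZ`, a raw event, and the expectation rewritten in the following hunk (`@@ -218,26 +216,17 @@`) asserts a single `type: 'event'` ancestor with `[ALERT_DEPTH]: 1`; the alert-on-alert path (depth 2, a `type: 'signal'` ancestor carrying `rule`) is no longer exercised anywhere this diff shows. Either rename the test and rule_id to match what it now checks, or keep the alerts index as the source and load an alerts fixture in `before` (the 8.8.0 archive added by patch 19 of this series looks intended for that). Presumably dropping the 8.1.0 archive load is what forced this change; if so, a comment at the `alertId` line naming the fixture the id comes from (`// _id of an auditbeat event from the auditbeat/hosts archive`) would stop the next maintainer from trying to restore the old id. The `it` body continues outside the hunk.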
@@ -218,26 +216,17 @@ export default ({ getService }: FtrProviderContext) => { ...alert, [ALERT_ANCESTORS]: [ { - id: 'ahEToH8BK09aFtXZFVMq', + id: 'BhbXBmkBR346wHgn4PeZ', type: 'event', - index: 'events-index-000001', + index: 'auditbeat-8.0.0-2019.02.19-000001', depth: 0, }, - { - rule: '031d5c00-a72f-11ec-a8a3-7b1c8077fc3e', - id: '30a75fe46d3dbdfab55982036f77a8d60e2d1112e96f277c3b8c22f9bb57817a', - type: 'signal', - index: '.internal.alerts-security.alerts-default-000001', - depth: 1, - }, ], [ALERT_WORKFLOW_STATUS]: 'open', - [ALERT_DEPTH]: 2, - [ALERT_ORIGINAL_TIME]: '2022-03-19T02:48:12.634Z', + [ALERT_DEPTH]: 1, + [ALERT_ORIGINAL_TIME]: '2019-02-19T17:40:03.790Z', ...flattenWithPrefix(ALERT_ORIGINAL_EVENT, { - agent_id_status: 'verified', - ingested: '2022-03-19T02:47:57.376Z', - dataset: 'elastic_agent.filebeat', + dataset: 'socket', }), }); }); @@ -2282,7 +2271,8 @@ export default ({ getService }: FtrProviderContext) => { }); }); - describe('legacy investigation_fields', () => { + // TODO: Ask YARA + describe('@brokenInServerless legacy investigation_fields', () => { let ruleWithLegacyInvestigationField: Rule; beforeEach(async () => { From 1526cd0efa22a469550989f75b3c4119515f3cf8 Mon Sep 17 00:00:00 2001 From: wafaanasr Date: Tue, 14 Nov 2023 17:10:54 +0100 Subject: [PATCH 18/23] remove the comment above the rule_execution bec. the query test doesnot unload the alerts data --- .../default_license/rule_execution_logic/index.ts | 1 - 1 file changed, 1 deletion(-) diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/index.ts index f959b3d64d4ad..b497472e0b574 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/index.ts 
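Review bot: The new `// TODO: Ask YARA` above `describe('@brokenInServerless legacy investigation_fields', ...)` names a person instead of the problem, so once that conversation has happened the comment carries no information; state what fails and the condition for removing the tag, e.g. `// TODO: legacy investigation_fields suite fails in serverless; drop @brokenInServerless once <ISSUE-LINK> is resolved`. This same `describe` was tagged `@brokenInServerless` in patch 13 and untagged in patch 14 of this series, so one sentence on why it went back and forth would save a reviewer re-deriving it from the history. The `describe` body continues outside the hunk.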
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/index.ts @@ -14,6 +14,5 @@ export default function ({ loadTestFile }: FtrProviderContext) { loadTestFile(require.resolve('./runtime')); loadTestFile(require.resolve('./execution_logic')); loadTestFile(require.resolve('./timestamps')); - // The execution logic is run last, as it encompasses the "query" test, resetting the alerts and resulting in failures in the following tests. }); } From 78fcd6db1f9dbe28fe5dfc48ecc6f18fdfd56315 Mon Sep 17 00:00:00 2001 From: wafaanasr Date: Wed, 15 Nov 2023 14:33:19 +0100 Subject: [PATCH 19/23] fix loading legacy alert and unloading it --- .../security_solution/alerts/8.8.0/data.json | 422 + .../alerts/8.8.0/mappings.json | 7900 +++++++++++++++++ .../execution_logic/query.ts | 49 +- 3 files changed, 8351 insertions(+), 20 deletions(-) create mode 100644 x-pack/test/functional/es_archives/security_solution/alerts/8.8.0/data.json create mode 100644 x-pack/test/functional/es_archives/security_solution/alerts/8.8.0/mappings.json diff --git a/x-pack/test/functional/es_archives/security_solution/alerts/8.8.0/data.json b/x-pack/test/functional/es_archives/security_solution/alerts/8.8.0/data.json new file mode 100644 index 0000000000000..dc677dd5bf812 --- /dev/null +++ b/x-pack/test/functional/es_archives/security_solution/alerts/8.8.0/data.json 
@@ -0,0 +1,422 @@ +{ + "type": "doc", + "value": { + "id": "eabbdefc23da981f2b74ab58b82622a97bb9878caa11bc914e2adfacc94780f1", + "index": ".alerts-security.alerts-default", + "source": { + "@timestamp": "2023-04-27T11:03:57.906Z", + "Endpoint": { + "capabilities": [ + "isolation", + "kill_process", + "suspend_process", + "running_processes", + "get_file", + "execute" + ], + "configuration": { + "isolation": true + }, + "policy": { + "applied": { + "endpoint_policy_version": 3, + "id": "C2A9093E-E289-4C0A-AA44-8C32A414FA7A", + "name": "With Eventing", + "status": "success", + "version": 5 + } + }, + "state": { + "isolation": true + }, + "status": "enrolled" + }, + "agent": { + "id": "b563ce99-e373-4a1f-a5fe-97e956140aeb", + "type": "endpoint", + "version": "8.8.0" + }, + "data_stream": { + "dataset": "endpoint.alerts", + "namespace": "default", + "type": "logs" + }, + "dll": [ + { + "Ext": { + "compile_time": 1534424710, + "malware_classification": { + "identifier": "Whitelisted", + "score": 0, + "threshold": 0, + "version": "3.0.0" + }, + "mapped_address": 5362483200, + "mapped_size": 0 + }, + "code_signature": { + "subject_name": "Cybereason Inc", + "trusted": true + }, + "hash": { + "md5": "1f2d082566b0fc5f2c238a5180db7451", + "sha1": "ca85243c0af6a6471bdaa560685c51eefd6dbc0d", + "sha256": "8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2" + }, + "path": "C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe", + "pe": { + "architecture": "x64" + } + } + ], + "ecs": { + "version": "1.4.0" + }, + "elastic": { + "agent": { + "id": "b563ce99-e373-4a1f-a5fe-97e956140aeb" + } + }, + "event.action": "creation", + "event.agent_id_status": "auth_metadata_missing", + "event.category": "malware", + "event.code": "malicious_file", + "event.dataset": "endpoint", + "event.id": "b28993d4-8b8a-4f0f-9f54-84a89bad66ae", + "event.ingested": "2023-04-27T10:58:03Z", + "event.kind": "signal", + "event.module": "endpoint", + "event.sequence": 5826, + "event.type": 
"creation", + "file": { + "Ext": { + "code_signature": [ + { + "subject_name": "bad signer", + "trusted": false + } + ], + "malware_classification": { + "identifier": "endpointpe", + "score": 1, + "threshold": 0.66, + "version": "3.0.33" + }, + "quarantine_message": "fake quarantine message", + "quarantine_result": true, + "temp_file_path": "C:/temp/fake_malware.exe" + }, + "accessed": 1682752652103, + "created": 1682752652103, + "hash": { + "md5": "fake file md5", + "sha1": "fake file sha1", + "sha256": "fake file sha256" + }, + "mtime": 1682752652103, + "name": "fake_malware.exe", + "owner": "SYSTEM", + "path": "C:/fake_malware.exe", + "size": 3456 + }, + "user": { + "name": "user1" + }, + "host": { + "architecture": "wtnozeqvub", + "hostname": "Host-fwarau82er", + "id": "4260adf9-5e63-445d-92c6-e03359bcd342", + "ip": [ + "10.249.37.72", + "10.150.39.243", + "10.186.17.170" + ], + "mac": [ + "f5-f-97-dc-20-67", + "b5-56-ca-98-81-ca", + "22-86-39-4c-87-33" + ], + "name": "Host-fwarau82er", + "os": { + "Ext": { + "variant": "Darwin" + }, + "family": "Darwin", + "full": "macOS Monterey", + "name": "macOS", + "platform": "macOS", + "version": "12.6.1" + } + }, + "kibana.alert.ancestors": [ + { + "depth": 0, + "id": "vT9cwocBh3b8EMpD8lsi", + "index": ".ds-logs-endpoint.alerts-default-2023.04.27-000001", + "type": "event" + } + ], + "kibana.alert.depth": 1, + "kibana.alert.last_detected": "2023-04-27T11:03:57.993Z", + "kibana.alert.original_event.action": "creation", + "kibana.alert.original_event.agent_id_status": "auth_metadata_missing", + "kibana.alert.original_event.category": "malware", + "kibana.alert.original_event.code": "malicious_file", + "kibana.alert.original_event.dataset": "endpoint", + "kibana.alert.original_event.id": "b28993d4-8b8a-4f0f-9f54-84a89bad66ae", + "kibana.alert.original_event.ingested": "2023-04-27T10:58:03Z", + "kibana.alert.original_event.kind": "alert", + "kibana.alert.original_event.module": "endpoint", + 
"kibana.alert.original_event.sequence": 5826, + "kibana.alert.original_event.type": "creation", + "kibana.alert.original_time": "2023-04-29T07:17:32.103Z", + "kibana.alert.reason": "malware event with process malware writer, file fake_malware.exe, on Host-fwarau82er created medium alert Endpoint Security.", + "kibana.alert.risk_score": 47, + "kibana.alert.rule.actions": [ + ], + "kibana.alert.rule.author": [ + "Elastic" + ], + "kibana.alert.rule.category": "Custom Query Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.created_at": "2023-04-27T10:58:27.546Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.exceptions_list": [ + { + "id": "endpoint_list", + "list_id": "endpoint_list", + "namespace_type": "agnostic", + "type": "endpoint" + } + ], + "kibana.alert.rule.execution.uuid": "ebf843ff-e0e1-47f8-9ed2-cc8066afbcef", + "kibana.alert.rule.false_positives": [ + ], + "kibana.alert.rule.from": "now-10m", + "kibana.alert.rule.immutable": true, + "kibana.alert.rule.indices": [ + "logs-endpoint.alerts-*" + ], + "kibana.alert.rule.interval": "5m", + "kibana.alert.rule.license": "Elastic License v2", + "kibana.alert.rule.max_signals": 10000, + "kibana.alert.rule.name": "Endpoint Security", + "kibana.alert.rule.parameters": { + "author": [ + "Elastic" + ], + "description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. 
Enabling this rule allows you to immediately begin investigating your Endpoint alerts.", + "exceptions_list": [ + { + "id": "endpoint_list", + "list_id": "endpoint_list", + "namespace_type": "agnostic", + "type": "endpoint" + } + ], + "false_positives": [ + ], + "from": "now-10m", + "immutable": true, + "index": [ + "logs-endpoint.alerts-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 10000, + "query": "event.kind:alert and event.module:(endpoint and not endgame)\n", + "references": [ + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + } + ], + "risk_score": 47, + "risk_score_mapping": [ + { + "field": "event.risk_score", + "operator": "equals", + "value": "" + } + ], + "rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306", + "rule_name_override": "message", + "setup": "", + "severity": "medium", + "severity_mapping": [ + { + "field": "event.severity", + "operator": "equals", + "severity": "low", + "value": "21" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "medium", + "value": "47" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "high", + "value": "73" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "critical", + "value": "99" + } + ], + "threat": [ + ], + "timestamp_override": "event.ingested", + "to": "now", + "type": "query", + "version": 101 + }, + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.references": [ + ], + "kibana.alert.rule.revision": 0, + "kibana.alert.rule.risk_score": 47, + "kibana.alert.rule.risk_score_mapping": [ + { + "field": "event.risk_score", + "operator": "equals", + "value": "" + } + ], + "kibana.alert.rule.rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306", + "kibana.alert.rule.rule_name_override": "message", + 
"kibana.alert.rule.rule_type_id": "siem.queryRule", + "kibana.alert.rule.severity": "medium", + "kibana.alert.rule.severity_mapping": [ + { + "field": "event.severity", + "operator": "equals", + "severity": "low", + "value": "21" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "medium", + "value": "47" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "high", + "value": "73" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "critical", + "value": "99" + } + ], + "kibana.alert.rule.tags": [ + "Elastic", + "Endpoint Security" + ], + "kibana.alert.rule.threat": [ + ], + "kibana.alert.rule.timestamp_override": "event.ingested", + "kibana.alert.rule.to": "now", + "kibana.alert.rule.type": "query", + "kibana.alert.rule.updated_at": "2023-04-27T10:58:27.546Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.uuid": "7015a3e2-e4ea-11ed-8c11-49608884878f", + "kibana.alert.rule.version": 101, + "kibana.alert.severity": "medium", + "kibana.alert.start": "2023-04-27T11:03:57.993Z", + "kibana.alert.status": "active", + "kibana.alert.url": "http://localhost:5601/app/security/alerts/redirect/eabbdefc23da981f2b74ab58b82622a97bb9878caa11bc914e2adfacc94780f1?index=.alerts-security.alerts-default×tamp=2023-04-27T11:03:57.906Z", + "kibana.alert.uuid": "eabbdefc23da981f2b74ab58b82622a97bb9878caa11bc914e2adfacc94780f1", + "kibana.alert.workflow_status": "open", + "kibana.space_ids": [ + "default" + ], + "kibana.version": "8.8.0", + "process": { + "Ext": { + "ancestry": [ + "qa5jgw1wr7", + "5k1hclygc6" + ], + "code_signature": [ + { + "subject_name": "bad signer", + "trusted": false + } + ], + "token": { + "domain": "NT AUTHORITY", + "integrity_level": 16384, + "integrity_level_name": "system", + "privileges": [ + { + "description": "Replace a process level token", + "enabled": false, + "name": "SeAssignPrimaryTokenPrivilege" + } + ], + "sid": "S-1-5-18", + "type": "tokenPrimary", + "user": 
"SYSTEM" + }, + "user": "SYSTEM" + }, + "entity_id": "nqh8ts6ves", + "entry_leader": { + "entity_id": "jnm38bel0w", + "name": "fake entry", + "pid": 791 + }, + "executable": "C:/malware.exe", + "group_leader": { + "entity_id": "jnm38bel0w", + "name": "fake leader", + "pid": 848 + }, + "hash": { + "md5": "fake md5", + "sha1": "fake sha1", + "sha256": "fake sha256" + }, + "name": "malware writer", + "parent": { + "entity_id": "qa5jgw1wr7", + "pid": 1 + }, + "pid": 2, + "session_leader": { + "entity_id": "jnm38bel0w", + "name": "fake session", + "pid": 909 + }, + "start": 1682752652103, + "uptime": 0 + } + } + } +} diff --git a/x-pack/test/functional/es_archives/security_solution/alerts/8.8.0/mappings.json b/x-pack/test/functional/es_archives/security_solution/alerts/8.8.0/mappings.json new file mode 100644 index 0000000000000..f5a6e53cc4d60 --- /dev/null +++ b/x-pack/test/functional/es_archives/security_solution/alerts/8.8.0/mappings.json 
@@ -0,0 +1,7900 @@ +{ + "type": "index", + "value": { + "aliases": { + ".alerts-security.alerts-default": { + "is_write_index": true + }, + ".siem-signals-default": { + "is_write_index": false + } + }, + "index": ".internal.alerts-security.alerts-default-000001", + "mappings": { + "_meta": { + "kibana": { + "version": "8.8.0" + }, + "managed": true, + "namespace": "default" + }, + "dynamic": "false", + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "account": { 
+ "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "target": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 
1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "container": { + "properties": { + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "hash": { + "properties": { + "all": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "memory": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "device": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "manufacturer": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"model": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "type": "keyword" + } + } + }, + "email": { + "properties": { + "attachments": { + "properties": { + "file": { + "properties": { + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + } + } + } + }, + "type": "nested" + }, + "bcc": 
{ + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "delivery_timestamp": { + "type": "date" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "from": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "local_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_id": { + "type": "wildcard" + }, + "origination_timestamp": { + "type": "date" + }, + "reply_to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sender": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x_mailer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "type": "match_only_text" + }, + "stack_trace": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, 
+ "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "faas": { + "properties": { + "coldstart": { + "type": "boolean" + }, + "execution": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trigger": { + "properties": { + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { 
+ "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "type": "match_only_text" + } 
+ }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, + "os": { + 
"properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + } + } + }, + "bytes": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + 
"type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "kibana": { + "properties": { + "alert": { + "properties": { + "action_group": { + "type": "keyword" + }, + "ancestors": { + "properties": { + "depth": { + "type": "long" + }, + "id": { + "type": "keyword" + }, + "index": { + "type": "keyword" + }, + "rule": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "building_block_type": { + "type": "keyword" + }, + "case_ids": { + "type": "keyword" + }, + "depth": { + "type": "long" + }, + "duration": { + "properties": { + "us": { + "type": "long" + } + } + }, + "end": { + "type": "date" + }, + "flapping": { + "type": "boolean" + }, + "flapping_history": { + "type": "boolean" + }, + "group": { + "properties": { + "id": { + "type": "keyword" + }, + "index": { + "type": "integer" + } + } + }, + "instance": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + "last_detected": { + "type": "date" + }, + "maintenance_window_ids": { + "type": "keyword" + }, + "new_terms": { + "type": "keyword" + }, + "original_event": { + "properties": { + "action": { + "type": "keyword" + }, + "agent_id_status": { + "type": "keyword" + }, + "category": { + "type": "keyword" + }, + "code": { + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "type": "keyword" + }, + "duration": { + "type": "keyword" + }, + "end": { + "type": "date" + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "type": "keyword" + }, + "module": { + "type": "keyword" + }, + "original": { + "type": "keyword" + }, + "outcome": { + "type": "keyword" + }, + "provider": { + "type": "keyword" + }, + "reason": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + 
"start": { + "type": "date" + }, + "timezone": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "url": { + "type": "keyword" + } + } + }, + "original_time": { + "type": "date" + }, + "reason": { + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "rule": { + "properties": { + "author": { + "type": "keyword" + }, + "building_block_type": { + "type": "keyword" + }, + "category": { + "type": "keyword" + }, + "consumer": { + "type": "keyword" + }, + "created_at": { + "type": "date" + }, + "created_by": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "enabled": { + "type": "keyword" + }, + "exceptions_list": { + "type": "object" + }, + "execution": { + "properties": { + "uuid": { + "type": "keyword" + } + } + }, + "false_positives": { + "type": "keyword" + }, + "from": { + "type": "keyword" + }, + "immutable": { + "type": "keyword" + }, + "interval": { + "type": "keyword" + }, + "license": { + "type": "keyword" + }, + "max_signals": { + "type": "long" + }, + "name": { + "type": "keyword" + }, + "note": { + "type": "keyword" + }, + "parameters": { + "ignore_above": 4096, + "type": "flattened" + }, + "producer": { + "type": "keyword" + }, + "references": { + "type": "keyword" + }, + "revision": { + "type": "long" + }, + "rule_id": { + "type": "keyword" + }, + "rule_name_override": { + "type": "keyword" + }, + "rule_type_id": { + "type": "keyword" + }, + "tags": { + "type": "keyword" + }, + "threat": { + "properties": { + "framework": { + "type": "keyword" + }, + "tactic": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + } + } + } + 
} + } + } + }, + "timeline_id": { + "type": "keyword" + }, + "timeline_title": { + "type": "keyword" + }, + "timestamp_override": { + "type": "keyword" + }, + "to": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "updated_at": { + "type": "date" + }, + "updated_by": { + "type": "keyword" + }, + "uuid": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "severity": { + "type": "keyword" + }, + "start": { + "type": "date" + }, + "status": { + "type": "keyword" + }, + "suppression": { + "properties": { + "docs_count": { + "type": "long" + }, + "end": { + "type": "date" + }, + "start": { + "type": "date" + }, + "terms": { + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + } + } + }, + "system_status": { + "type": "keyword" + }, + "threshold_result": { + "properties": { + "cardinality": { + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "long" + } + } + }, + "count": { + "type": "long" + }, + "from": { + "type": "date" + }, + "terms": { + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + } + } + }, + "time_range": { + "format": "epoch_millis||strict_date_optional_time", + "type": "date_range" + }, + "url": { + "ignore_above": 2048, + "index": false, + "type": "keyword" + }, + "uuid": { + "type": "keyword" + }, + "workflow_reason": { + "type": "keyword" + }, + "workflow_status": { + "type": "keyword" + }, + "workflow_user": { + "type": "keyword" + } + } + }, + "space_ids": { + "type": "keyword" + }, + "version": { + "type": "version" + } + } + }, + "labels": { + "type": "object" + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { 
+ "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "syslog": { + "properties": { + "appname": { + "ignore_above": 1024, + "type": "keyword" + }, + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "procid": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "structured_data": { + "type": "flattened" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "message": { + "type": "match_only_text" + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "observer": { + 
"properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + 
"family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "orchestrator": { + "properties": { + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": 
"match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": 
"flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": 
"keyword" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "ip": { + "type": "ip" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + } + } + }, + "start": { + "type": "date" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + } + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { 
+ "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + } + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + 
"offset": { + "type": "long" + } + } + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "wildcard" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + 
"fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + } + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "previous": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + 
"properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + } + } + }, + "start": { + "type": "date" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + 
"properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + } + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + } + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + 
"domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + 
}, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "signal": { + "properties": { + "ancestors": { + "properties": { + "depth": { + "path": "kibana.alert.ancestors.depth", + "type": "alias" + }, + "id": { + "path": "kibana.alert.ancestors.id", + "type": "alias" + }, + "index": { + "path": "kibana.alert.ancestors.index", + "type": "alias" + }, + "type": { + "path": "kibana.alert.ancestors.type", + "type": "alias" + } + } + }, + "depth": { + "path": "kibana.alert.depth", + "type": "alias" + }, + "group": { + "properties": { + "id": { + "path": "kibana.alert.group.id", + "type": "alias" + }, + "index": { + "path": "kibana.alert.group.index", + "type": "alias" + } + } + }, + "original_event": { + "properties": { + "action": { + "path": "kibana.alert.original_event.action", + "type": "alias" + }, + "category": { + "path": "kibana.alert.original_event.category", + "type": "alias" + }, + "code": { + "path": "kibana.alert.original_event.code", + "type": "alias" + }, + "created": { + "path": "kibana.alert.original_event.created", + "type": "alias" + }, + "dataset": { + "path": "kibana.alert.original_event.dataset", + "type": "alias" + }, + "duration": { + "path": "kibana.alert.original_event.duration", + "type": "alias" + }, + "end": { + "path": "kibana.alert.original_event.end", + "type": "alias" + }, + "hash": { + "path": "kibana.alert.original_event.hash", + "type": "alias" + }, + "id": { + "path": "kibana.alert.original_event.id", + "type": "alias" + }, + "kind": { + "path": "kibana.alert.original_event.kind", + "type": "alias" + }, + "module": { + "path": 
"kibana.alert.original_event.module", + "type": "alias" + }, + "outcome": { + "path": "kibana.alert.original_event.outcome", + "type": "alias" + }, + "provider": { + "path": "kibana.alert.original_event.provider", + "type": "alias" + }, + "reason": { + "path": "kibana.alert.original_event.reason", + "type": "alias" + }, + "risk_score": { + "path": "kibana.alert.original_event.risk_score", + "type": "alias" + }, + "risk_score_norm": { + "path": "kibana.alert.original_event.risk_score_norm", + "type": "alias" + }, + "sequence": { + "path": "kibana.alert.original_event.sequence", + "type": "alias" + }, + "severity": { + "path": "kibana.alert.original_event.severity", + "type": "alias" + }, + "start": { + "path": "kibana.alert.original_event.start", + "type": "alias" + }, + "timezone": { + "path": "kibana.alert.original_event.timezone", + "type": "alias" + }, + "type": { + "path": "kibana.alert.original_event.type", + "type": "alias" + } + } + }, + "original_time": { + "path": "kibana.alert.original_time", + "type": "alias" + }, + "reason": { + "path": "kibana.alert.reason", + "type": "alias" + }, + "rule": { + "properties": { + "author": { + "path": "kibana.alert.rule.author", + "type": "alias" + }, + "building_block_type": { + "path": "kibana.alert.building_block_type", + "type": "alias" + }, + "created_at": { + "path": "kibana.alert.rule.created_at", + "type": "alias" + }, + "created_by": { + "path": "kibana.alert.rule.created_by", + "type": "alias" + }, + "description": { + "path": "kibana.alert.rule.description", + "type": "alias" + }, + "enabled": { + "path": "kibana.alert.rule.enabled", + "type": "alias" + }, + "false_positives": { + "path": "kibana.alert.rule.false_positives", + "type": "alias" + }, + "from": { + "path": "kibana.alert.rule.from", + "type": "alias" + }, + "id": { + "path": "kibana.alert.rule.uuid", + "type": "alias" + }, + "immutable": { + "path": "kibana.alert.rule.immutable", + "type": "alias" + }, + "interval": { + "path": 
"kibana.alert.rule.interval", + "type": "alias" + }, + "license": { + "path": "kibana.alert.rule.license", + "type": "alias" + }, + "max_signals": { + "path": "kibana.alert.rule.max_signals", + "type": "alias" + }, + "name": { + "path": "kibana.alert.rule.name", + "type": "alias" + }, + "note": { + "path": "kibana.alert.rule.note", + "type": "alias" + }, + "references": { + "path": "kibana.alert.rule.references", + "type": "alias" + }, + "risk_score": { + "path": "kibana.alert.risk_score", + "type": "alias" + }, + "rule_id": { + "path": "kibana.alert.rule.rule_id", + "type": "alias" + }, + "rule_name_override": { + "path": "kibana.alert.rule.rule_name_override", + "type": "alias" + }, + "severity": { + "path": "kibana.alert.severity", + "type": "alias" + }, + "tags": { + "path": "kibana.alert.rule.tags", + "type": "alias" + }, + "threat": { + "properties": { + "framework": { + "path": "kibana.alert.rule.threat.framework", + "type": "alias" + }, + "tactic": { + "properties": { + "id": { + "path": "kibana.alert.rule.threat.tactic.id", + "type": "alias" + }, + "name": { + "path": "kibana.alert.rule.threat.tactic.name", + "type": "alias" + }, + "reference": { + "path": "kibana.alert.rule.threat.tactic.reference", + "type": "alias" + } + } + }, + "technique": { + "properties": { + "id": { + "path": "kibana.alert.rule.threat.technique.id", + "type": "alias" + }, + "name": { + "path": "kibana.alert.rule.threat.technique.name", + "type": "alias" + }, + "reference": { + "path": "kibana.alert.rule.threat.technique.reference", + "type": "alias" + }, + "subtechnique": { + "properties": { + "id": { + "path": "kibana.alert.rule.threat.technique.subtechnique.id", + "type": "alias" + }, + "name": { + "path": "kibana.alert.rule.threat.technique.subtechnique.name", + "type": "alias" + }, + "reference": { + "path": "kibana.alert.rule.threat.technique.subtechnique.reference", + "type": "alias" + } + } + } + } + } + } + }, + "timeline_id": { + "path": "kibana.alert.rule.timeline_id", + 
"type": "alias" + }, + "timeline_title": { + "path": "kibana.alert.rule.timeline_title", + "type": "alias" + }, + "timestamp_override": { + "path": "kibana.alert.rule.timestamp_override", + "type": "alias" + }, + "to": { + "path": "kibana.alert.rule.to", + "type": "alias" + }, + "type": { + "path": "kibana.alert.rule.type", + "type": "alias" + }, + "updated_at": { + "path": "kibana.alert.rule.updated_at", + "type": "alias" + }, + "updated_by": { + "path": "kibana.alert.rule.updated_by", + "type": "alias" + }, + "version": { + "path": "kibana.alert.rule.version", + "type": "alias" + } + } + }, + "status": { + "path": "kibana.alert.workflow_status", + "type": "alias" + }, + "threshold_result": { + "properties": { + "cardinality": { + "properties": { + "field": { + "path": "kibana.alert.threshold_result.cardinality.field", + "type": "alias" + }, + "value": { + "path": "kibana.alert.threshold_result.cardinality.value", + "type": "alias" + } + } + }, + "count": { + "path": "kibana.alert.threshold_result.count", + "type": "alias" + }, + "from": { + "path": "kibana.alert.threshold_result.from", + "type": "alias" + }, + "terms": { + "properties": { + "field": { + "path": "kibana.alert.threshold_result.terms.field", + "type": "alias" + }, + "value": { + "path": "kibana.alert.threshold_result.terms.value", + "type": "alias" + } + } + } + } + } + } + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tags": { + "type": 
"keyword" + }, + "threat": { + "properties": { + "enrichments": { + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" 
+ } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + 
"type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "occurred": { + "type": "date" + }, + "type": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "nested" + }, + "feed": { + "properties": { + "dashboard_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, 
+ "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "type": "match_only_text" + } + 
}, + "type": "wildcard" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "software": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platforms": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 
1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": 
"long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 
1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + 
"ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + 
"fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "settings": { + "index": { + "auto_expand_replicas": "0-1", + "hidden": "true", + "mapping": { + "total_fields": { + "limit": "2500" + } + }, + "number_of_replicas": "0", + "number_of_shards": "1" + } + } + } +} 
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts index 4b4d4c0b2dacb..2fbc3c6953354 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts @@ -96,6 +96,10 @@ export default ({ getService }: FtrProviderContext) => { describe('@ess @serverless Query type rules', () => { before(async () => { await esArchiver.load(auditbeatPath); + await esArchiver.load('x-pack/test/functional/es_archives/security_solution/alerts/8.8.0', { + useCreate: true, + docsOnly: true, + }); await esArchiver.load('x-pack/test/functional/es_archives/signals/severity_risk_overrides'); }); @@ -194,9 +198,9 @@ export default ({ getService }: FtrProviderContext) => { }); it('should query and get back expected alert structure when it is a alert on a alert', async () => { - const alertId = 'BhbXBmkBR346wHgn4PeZ'; + const alertId = 'eabbdefc23da981f2b74ab58b82622a97bb9878caa11bc914e2adfacc94780f1'; const rule: QueryRuleCreateProps = { - ...getRuleForAlertTesting([`auditbeat-*`]), + ...getRuleForAlertTesting([`.alerts-security.alerts-default*`]), rule_id: 'signal-on-signal', query: `_id:${alertId}`, }; 
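Review bot: The new `esArchiver.load('x-pack/test/functional/es_archives/security_solution/alerts/8.8.0', { useCreate: true, docsOnly: true })` in `before` has no counterpart in this hunk, and the suite's `after` block is outside it; if nothing removes those documents, the archived alerts stay in `.alerts-security.alerts-default*` for every later test in the file and can shift alert counts in tests that query that index. Worth pairing it with a matching `await esArchiver.unload('x-pack/test/functional/es_archives/security_solution/alerts/8.8.0');` in `after`, or a `deleteAllAlerts(supertest, log, es)` call, whichever actually clears docs loaded with `docsOnly`. A one-line comment on the `docsOnly: true` option saying why the archive's mappings are skipped (presumably because the alerts index already exists with its own mappings) would also help the next reader. The `describe`/`before` callbacks continue outside the hunk.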
@@ -211,24 +215,29 @@ export default ({ getService }: FtrProviderContext) => { if (!alert) { return expect(alert).to.be.ok(); } - - expect(alert).eql({ - ...alert, - [ALERT_ANCESTORS]: [ - { - id: 'BhbXBmkBR346wHgn4PeZ', - type: 'event', - index: 'auditbeat-8.0.0-2019.02.19-000001', - depth: 0, - }, - ], - [ALERT_WORKFLOW_STATUS]: 'open', - [ALERT_DEPTH]: 1, - [ALERT_ORIGINAL_TIME]: '2019-02-19T17:40:03.790Z', - ...flattenWithPrefix(ALERT_ORIGINAL_EVENT, { - dataset: 'socket', - }), - }); + expect(alert[ALERT_ANCESTORS]).eql([ + { + id: 'vT9cwocBh3b8EMpD8lsi', + type: 'event', + index: '.ds-logs-endpoint.alerts-default-2023.04.27-000001', + depth: 0, + }, + { + rule: '7015a3e2-e4ea-11ed-8c11-49608884878f', + id: 'eabbdefc23da981f2b74ab58b82622a97bb9878caa11bc914e2adfacc94780f1', + type: 'signal', + index: '.ds-.alerts-security.alerts-default-2023.11.15-000001', + depth: 1, + }, + ]); + expect(alert[ALERT_WORKFLOW_STATUS]).eql('open'); + expect(alert[ALERT_DEPTH]).eql(2); + + expect(alert[ALERT_ORIGINAL_TIME]).eql('2023-04-27T11:03:57.906Z'); + expect(alert[`${ALERT_ORIGINAL_EVENT}.agent_id_status`]).eql('auth_metadata_missing'); + expect(alert[`${ALERT_ORIGINAL_EVENT}.ingested`]).eql('2023-04-27T10:58:03Z'); + expect(alert[`${ALERT_ORIGINAL_EVENT}.dataset`]).eql('endpoint'); + expect(alert[`${ALERT_ORIGINAL_EVENT}.ingested`]).eql('2023-04-27T10:58:03Z'); }); it('should not have risk score fields without risk indices', async () => { From 905cb56e740973704621b140b136ec7eb05a85ee Mon Sep 17 00:00:00 2001 From: wafaanasr Date: Wed, 15 Nov 2023 15:40:38 +0100 Subject: [PATCH 20/23] add skipInQA to failing tests in QA --- .../execution_logic/machine_learning.ts | 6 +++--- .../default_license/rule_execution_logic/ignore_fields.ts | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) 
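Review bot: The assertion `expect(alert[`${ALERT_ORIGINAL_EVENT}.ingested`]).eql('2023-04-27T10:58:03Z');` appears twice at the end of the hunk, once before and once after the `.dataset` check; the second copy is a leftover and should be dropped. The expected ancestor index `.ds-.alerts-security.alerts-default-2023.11.15-000001` embeds the backing-index creation date of the environment the test was written in, so the expectation is tied to that date rather than to the archive loaded in `before`; a short comment recording where that name comes from would explain the failure when it changes. The enclosing `it` callback starts outside the hunk.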
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/machine_learning.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/machine_learning.ts index 323ed14c5bdce..0f4ce7516e20e 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/machine_learning.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/machine_learning.ts @@ -165,7 +165,7 @@ export default ({ getService }: FtrProviderContext) => { ); }); - it('generates max alerts warning when circuit breaker is exceeded', async () => { + it('@skipInQA generates max alerts warning when circuit breaker is exceeded', async () => { const { logs } = await previewRule({ supertest, rule: { ...rule, anomaly_threshold: 1, max_signals: 5 }, // This threshold generates 10 alerts with the current esArchive @@ -181,7 +181,7 @@ export default ({ getService }: FtrProviderContext) => { expect(logs[0].warnings).not.toContain(getMaxAlertsWarning()); }); - it('should create 7 alerts from ML rule when records meet anomaly_threshold', async () => { + it('@skipInQA should create 7 alerts from ML rule when records meet anomaly_threshold', async () => { const { previewId } = await previewRule({ supertest, rule: { ...rule, anomaly_threshold: 20 }, @@ -260,7 +260,7 @@ export default ({ getService }: FtrProviderContext) => { await esArchiver.unload('x-pack/test/functional/es_archives/entity/risks'); }); - it('should be enriched with host risk score', async () => { + it('@skipInQA should be enriched with host risk score', async () => { const { previewId } = await previewRule({ supertest, rule }); const previewAlerts = await getPreviewAlerts({ es, previewId }); expect(previewAlerts.length).toBe(1); 
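Review bot: The three `@skipInQA` tags added here, and the two in ignore_fields.ts in the next hunk, carry no explanation of why these tests fail in the QA environment or what would allow them to run again, and a skipped test with no recorded reason tends to stay skipped indefinitely. Suggest a comment above each tagged `it`, e.g. `// @skipInQA: <reason the test cannot run in QA> — tracked in <TRACKING-ISSUE-PLACEHOLDER>`, or a single note in the suite's README naming the tests and the reason. The `describe` blocks around these `it`s are outside the hunks.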
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/ignore_fields.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/ignore_fields.ts index d74d6c9f16b07..6ddee1846067d 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/ignore_fields.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/ignore_fields.ts @@ -69,7 +69,7 @@ export default ({ getService }: FtrProviderContext): void => { await deleteAllRules(supertest, log); }); - it('should ignore the field of "testing_ignored"', async () => { + it('@skipInQA should ignore the field of "testing_ignored"', async () => { const rule = getEqlRuleForAlertTesting(['ignore_fields']); const { id } = await createRule(supertest, log, rule); @@ -84,7 +84,7 @@ export default ({ getService }: FtrProviderContext): void => { expect(hits).to.eql([undefined, undefined, undefined, undefined]); }); - it('should ignore the field of "testing_regex"', async () => { + it('@skipInQA should ignore the field of "testing_regex"', async () => { const rule = getEqlRuleForAlertTesting(['ignore_fields']); const { id } = await createRule(supertest, log, rule); From ef7229ddf1687d698d61168e0f94f4048e16a935 Mon Sep 17 00:00:00 2001 From: wafaanasr Date: Wed, 15 Nov 2023 16:59:04 +0100 Subject: [PATCH 21/23] fix alert ancestor index name in ess --- .../rule_execution_logic/execution_logic/query.ts | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts index 2fbc3c6953354..4f3c518dd1218 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts @@ -215,18 +215,21 @@ export default ({ getService }: FtrProviderContext) => { if (!alert) { return expect(alert).to.be.ok(); } + const alertAncestorIndex = isServerless + ? '.ds-.alerts-security.alerts-default-2023.11.15-000001' + : '.internal.alerts-security.alerts-default-000001'; expect(alert[ALERT_ANCESTORS]).eql([ { id: 'vT9cwocBh3b8EMpD8lsi', type: 'event', - index: '.ds-logs-endpoint.alerts-default-2023.04.27-000001', + index: alertAncestorIndex, depth: 0, }, { rule: '7015a3e2-e4ea-11ed-8c11-49608884878f', id: 'eabbdefc23da981f2b74ab58b82622a97bb9878caa11bc914e2adfacc94780f1', type: 'signal', - index: '.ds-.alerts-security.alerts-default-2023.11.15-000001', + index: alertAncestorIndex, depth: 1, }, ]); From c4e5aa68529c3a89af9264f3e24a61e6a6ec2ad6 Mon Sep 17 00:00:00 2001 From: wafaanasr Date: Wed, 15 Nov 2023 20:37:27 +0100 Subject: [PATCH 22/23] fix alert ancestors --- .../rule_execution_logic/execution_logic/query.ts | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts index 4f3c518dd1218..a1241c60f5ccf 100644 
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/query.ts @@ -45,6 +45,7 @@ import { DETECTION_ENGINE_SIGNALS_STATUS_URL as DETECTION_ENGINE_ALERTS_STATUS_URL, } from '@kbn/security-solution-plugin/common/constants'; import { getMaxSignalsWarning as getMaxAlertsWarning } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/utils/utils'; +import moment from 'moment'; import { deleteAllExceptions } from '../../../../../../lists_api_integration/utils'; import { createExceptionList, @@ -201,7 +202,7 @@ export default ({ getService }: FtrProviderContext) => { const alertId = 'eabbdefc23da981f2b74ab58b82622a97bb9878caa11bc914e2adfacc94780f1'; const rule: QueryRuleCreateProps = { ...getRuleForAlertTesting([`.alerts-security.alerts-default*`]), - rule_id: 'signal-on-signal', + rule_id: 'alert-on-alert', query: `_id:${alertId}`, }; @@ -215,19 +216,21 @@ export default ({ getService }: FtrProviderContext) => { if (!alert) { return expect(alert).to.be.ok(); } + const date = moment(); + const formattedDate = date.format('YYYY.MM.DD'); const alertAncestorIndex = isServerless - ? '.ds-.alerts-security.alerts-default-2023.11.15-000001' + ? `.ds-.alerts-security.alerts-default-${formattedDate}-000001` : '.internal.alerts-security.alerts-default-000001'; expect(alert[ALERT_ANCESTORS]).eql([ { id: 'vT9cwocBh3b8EMpD8lsi', type: 'event', - index: alertAncestorIndex, + index: '.ds-logs-endpoint.alerts-default-2023.04.27-000001', depth: 0, }, { rule: '7015a3e2-e4ea-11ed-8c11-49608884878f', - id: 'eabbdefc23da981f2b74ab58b82622a97bb9878caa11bc914e2adfacc94780f1', + id: alertId, type: 'signal', index: alertAncestorIndex, depth: 1, From 80f5368466d6b574b01893e1a8f1ab95688f1203 Mon Sep 17 00:00:00 2001 
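Review bot: In the `@@ -215,19 +216,21 @@` hunk, `moment().format('YYYY.MM.DD')` formats the test runner's local date, whereas Elasticsearch names data-stream backing indices (`.ds-<stream>-<yyyy.MM.dd>-<generation>`) from the UTC creation date, so a run close to local midnight can compute a serverless index name that is one day off; `const formattedDate = moment.utc().format('YYYY.MM.DD');` follows the server's convention. The expectation also assumes the backing index was created on the day the test runs and is still generation `000001` (no rollover), and the ESS branch `'.internal.alerts-security.alerts-default-000001'` carries the same generation assumption; a comment stating both, or reading the ancestor index name from the loaded alert document instead of predicting it, would make a mismatch easier to diagnose. The enclosing `it` callback starts and ends outside the hunk.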
From: wafaanasr Date: Thu, 16 Nov 2023 14:04:31 +0100 Subject: [PATCH 23/23] apply comments --- .../rule_execution_logic/execution_logic/eql.ts | 10 +++++----- .../execution_logic/machine_learning.ts | 6 +++--- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/eql.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/eql.ts index daf4e1a7ce50b..9cb85e3366cee 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/eql.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/eql.ts @@ -49,18 +49,18 @@ export default ({ getService }: FtrProviderContext) => { const config = getService('config'); const isServerless = config.get('serverless'); const dataPathBuilder = new EsArchivePathBuilder(isServerless); - const path = dataPathBuilder.getPath('auditbeat/hosts'); + const auditPath = dataPathBuilder.getPath('auditbeat/hosts'); describe('@ess @serverless EQL type rules', () => { before(async () => { - await esArchiver.load(path); + await esArchiver.load(auditPath); await esArchiver.load( 'x-pack/test/functional/es_archives/security_solution/timestamp_override_6' ); }); after(async () => { - await esArchiver.unload(path); + await esArchiver.unload(auditPath); await esArchiver.unload( 'x-pack/test/functional/es_archives/security_solution/timestamp_override_6' ); 
@@ -531,9 +531,9 @@ export default ({ getService }: FtrProviderContext) => { // alert for each event in the sequence, so max_alerts=200 results in 400 building blocks in addition to // 200 regular alerts expect(previewAlerts.length).eql(maxAlerts * 3); - const shellalerts = previewAlerts.filter((alert) => alert._source?.[ALERT_DEPTH] === 2); + const shellAlerts = previewAlerts.filter((alert) => alert._source?.[ALERT_DEPTH] === 2); const buildingBlocks = previewAlerts.filter((alert) => alert._source?.[ALERT_DEPTH] === 1); - expect(shellalerts.length).eql(maxAlerts); + expect(shellAlerts.length).eql(maxAlerts); expect(buildingBlocks.length).eql(maxAlerts * 2); }); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/machine_learning.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/machine_learning.ts index 0f4ce7516e20e..3fd33d4ee8c90 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/machine_learning.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_execution_logic/execution_logic/machine_learning.ts @@ -55,7 +55,7 @@ export default ({ getService }: FtrProviderContext) => { const config = getService('config'); const isServerless = config.get('serverless'); const dataPathBuilder = new EsArchivePathBuilder(isServerless); - const path = dataPathBuilder.getPath('auditbeat/hosts'); + const auditPath = dataPathBuilder.getPath('auditbeat/hosts'); const siemModule = 'security_linux_v3'; const mlJobId = 'v3_linux_anomalous_network_activity'; 
@@ -75,13 +75,13 @@ export default ({ getService }: FtrProviderContext) => { before(async () => { // Order is critical here: auditbeat data must be loaded before attempting to start the ML job, // as the job looks for certain indices on start - await esArchiver.load(path); + await esArchiver.load(auditPath); await executeSetupModuleRequest({ module: siemModule, rspCode: 200, supertest }); await forceStartDatafeeds({ jobId: mlJobId, rspCode: 200, supertest }); await esArchiver.load('x-pack/test/functional/es_archives/security_solution/anomalies'); }); after(async () => { - await esArchiver.unload(path); + await esArchiver.unload(auditPath); await esArchiver.unload('x-pack/test/functional/es_archives/security_solution/anomalies'); await deleteAllAlerts(supertest, log, es); await deleteAllRules(supertest, log);