
[Security Solution] Adds EQL sequence rule test #79287

Merged
merged 2 commits into from
Oct 5, 2020

Conversation

MadameSheema
Member

@MadameSheema MadameSheema commented Oct 2, 2020

Summary

Adds a Cypress test in order to test that an EQL rule with sequence query generates alerts.

@MadameSheema MadameSheema self-assigned this Oct 2, 2020
@MadameSheema MadameSheema added the labels v7.10.0, v8.0.0, Team:SIEM, Team:Detections and Resp (Security Detection Response Team) and release_note:skip (Skip the PR/issue when compiling release notes) Oct 2, 2020
@MadameSheema MadameSheema marked this pull request as ready for review October 2, 2020 16:24
@MadameSheema MadameSheema requested review from a team as code owners October 2, 2020 16:24
@elasticmachine
Contributor

Pinging @elastic/siem (Team:SIEM)

cy.get(ALERT_RULE_VERSION).first().should('have.text', '1');
cy.get(ALERT_RULE_METHOD).first().should('have.text', 'eql');
cy.get(ALERT_RULE_SEVERITY).first().should('have.text', eqlSequenceRule.severity.toLowerCase());
cy.get(ALERT_RULE_RISK_SCORE).first().should('have.text', eqlSequenceRule.riskScore);
Contributor


I think we should also verify that the appropriate number of sequence "building block" alerts are generated. The number of sequence "building block" alerts created should be equal to the number of events in the sequence. For example, if your rule query matches one sequence of 3 events, there should be 4 alerts created: one main alert, and 3 "building block" alerts corresponding to the events in the sequence.
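The invariant described in the comment above, one main alert plus one "building block" alert per event in each matched sequence, written as a reusable check. This is an added example, not code from the PR or from Kibana; the alert fields `groupId` and `buildingBlock` and the sample alerts are constructed for the example and are not Kibana's real alert schema.

```javascript
// Expected alert total for a rule run: each matched sequence yields 1 main alert
// plus one building-block alert per event, so a 3-event sequence gives 4 alerts.
// eventsPerSequence: array of event counts, one entry per matched sequence.
function expectedAlertCount(eventsPerSequence) {
  return eventsPerSequence.reduce((total, events) => total + 1 + events, 0);
}

// Validate a batch of alerts against the per-sequence event counts.
// alerts: [{ id, groupId, buildingBlock }]  (field names are assumptions for this example)
// eventsByGroup: { [groupId]: numberOfEventsInThatSequence }
// Returns { ok, total, groups } where groups maps groupId -> { main, buildingBlocks }.
// ok is false when any sequence lacks exactly one main alert, has the wrong number of
// building-block alerts, or when an alert belongs to a sequence that was not expected.
function checkSequenceAlerts(alerts, eventsByGroup) {
  const groups = {};
  for (const alert of alerts) {
    if (!groups[alert.groupId]) {
      groups[alert.groupId] = { main: 0, buildingBlocks: 0 };
    }
    if (alert.buildingBlock) {
      groups[alert.groupId].buildingBlocks += 1;
    } else {
      groups[alert.groupId].main += 1;
    }
  }
  // Every observed group must be expected, and every expected group must match.
  let ok = Object.keys(groups).every((id) => id in eventsByGroup);
  for (const [id, events] of Object.entries(eventsByGroup)) {
    const g = groups[id];
    if (!g || g.main !== 1 || g.buildingBlocks !== events) {
      ok = false;
    }
  }
  return { ok, total: alerts.length, groups };
}

// Constructed sample: one matched sequence of 3 events -> 1 main + 3 building-block alerts.
const SAMPLE_ALERTS = [
  { id: 'a1', groupId: 'seq-1', buildingBlock: false },
  { id: 'a2', groupId: 'seq-1', buildingBlock: true },
  { id: 'a3', groupId: 'seq-1', buildingBlock: true },
  { id: 'a4', groupId: 'seq-1', buildingBlock: true },
];
const SAMPLE_EVENTS_BY_GROUP = { 'seq-1': 3 };

module.exports = { expectedAlertCount, checkSequenceAlerts, SAMPLE_ALERTS, SAMPLE_EVENTS_BY_GROUP };
```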

@MadameSheema
Member Author

@elasticmachine merge upstream

@kibanamachine
Contributor

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@MadameSheema MadameSheema merged commit fdc6562 into elastic:master Oct 5, 2020
MadameSheema added a commit to MadameSheema/kibana that referenced this pull request Oct 5, 2020
jloleysens added a commit to jloleysens/kibana that referenced this pull request Oct 5, 2020
…nes/fix-description-field

* 'master' of github.com:elastic/kibana:
  A11y tests for user page (elastic#79199)
  [Ingest Pipelines] Processors editor a11y focus states (elastic#79122)
  [Ingest pipelines] Clean up component integration tests (elastic#78838)
  Drilldowns in examples (elastic#75640)
  Storybook and Jest cleanup (elastic#79305)
  adds EQL sequence rule test (elastic#79287)
  PR template a11y checklist item improvement (elastic#79243)
  [Security Solution] Adding tests for dns pipeline in the endpoint package (elastic#79177)
  [ML] Only adjust the bounds of SMV if annotations are visible (elastic#79210)
  global search to ts refs (elastic#79446)
  [Index management] Update TemplateDeserialized interface (elastic#78913)
  [Telemetry] server fetcher check all collectors ready before sending (elastic#79398)
  [Mappings editor] Fix app crash when selecting "other" field type (elastic#79434)
  [`/api/stats`] Add documentation + small improvement (elastic#79330)
  [Discover] "View surrounding documents" encodes spaces in filters (elastic#79283)
  [Lens] refactor DimensionContainer and fix flyout bug (elastic#79277)

# Conflicts:
#	x-pack/plugins/ingest_pipelines/public/application/components/pipeline_processors_editor/components/pipeline_processors_editor_item/inline_text_input.tsx
#	x-pack/plugins/ingest_pipelines/public/application/components/pipeline_processors_editor/components/processors_tree/components/private_tree.tsx
@kibanamachine
Contributor

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create backports run node scripts/backport --pr 79287 or prevent reminders by adding the backport:skip label.

@kibanamachine kibanamachine added the backport missing label (Added to PRs automatically when they are determined to be missing a backport.) Oct 7, 2020
@rylnd
Contributor

rylnd commented Oct 20, 2020

I conflicted with this missing 7.10 backport when attempting to backport #80440 to 7.10. I have included the changes here in that backport.

@rylnd rylnd added the backport:skip label (This commit does not require backporting) Oct 20, 2020
@kibanamachine kibanamachine removed the backport missing label (Added to PRs automatically when they are determined to be missing a backport.) Oct 20, 2020
@MadameSheema MadameSheema deleted the sequence branch July 14, 2021 10:41
@MindyRS MindyRS added the Team: SecuritySolution label (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.) Sep 23, 2021
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)
