
[ILM] Allow multiple searchable snapshot actions #92789

Conversation

jloleysens (Contributor) commented Feb 25, 2021

Summary

As of 7.12+, ES will allow ILM policies to specify multiple, subsequent searchable snapshot actions that all use the same snapshot repository. This PR updates the form to be in line with this behaviour.

This requirement was surfaced as @andreidan and I were reviewing the current ILM policy UI.

jloleysens added labels Feature:ILM, v8.0.0, Team:Kibana Management (Dev Tools, Index Management, Upgrade Assistant, ILM, Ingest Node Pipelines, and more), release_note:skip (Skip the PR/issue when compiling release notes), v7.12.0, v7.13.0 on Feb 25, 2021
jloleysens (Contributor, Author)

@elasticmachine merge upstream

kibanamachine (Contributor)

merge conflict between base and head

…tiple-searchable-snapshot-actions

* 'master' of github.com:elastic/kibana:
  [Rollup] Fix use of undefined value in JS import (elastic#92791)
  [ILM] Fix replicas not showing  (elastic#92782)
  [Event Log] Extended README.md with the documentation for a REST API and Start plugin contract. (elastic#92562)
  [XY] Enables page reload toast for the legacyChartsLibrary setting (elastic#92811)
  [Security Solution][Case] Improve hooks (elastic#89580)
  [Security Solution] Update wordings and breadcrumb for timelines page (elastic#90809)
  [Security Solution] Replace EUI theme with mocks in jest suites (elastic#92462)
  docs: ✏️ use correct heading level (elastic#92806)
  [ILM ] Fix logic for showing/hiding recommended allocation on Cloud (elastic#90592)
  [Security Solution][Detections] Pull gap detection logic out in preparation for sharing between rule types (elastic#91966)
  [core.savedObjects] Remove _shard_doc tiebreaker since ES now adds it automatically. (elastic#92295)
  docs: ✏️ fix links in embeddable plugin readme (elastic#92778)

# Conflicts:
#	x-pack/plugins/index_lifecycle_management/public/application/sections/edit_policy/components/phases/shared_fields/searchable_snapshot_field/searchable_snapshot_field.tsx
jloleysens marked this pull request as ready for review February 25, 2021 17:16
jloleysens requested a review from a team as a code owner February 25, 2021 17:17
elasticmachine (Contributor)

Pinging @elastic/es-ui (Team:Elasticsearch UI)

jloleysens (Contributor, Author)

@elasticmachine merge upstream

yuliacech (Contributor) left a comment

Hi @jloleysens, thanks a lot for working on this!
I tested locally and noticed that when a searchable snapshot is configured in the hot phase, there is still an info callout saying that searchable snapshot in the cold phase is not possible.
[screenshot: Screenshot 2021-03-01 at 12 18 37]

Also it's not possible to save a policy with 2 different snapshot repos configured for hot and cold searchable snapshots. That is not blocking, but could be worth looking into. The API error is not very descriptive, it just says couldn't parse policy. We could probably add validation, pre-fill the combobox or limit the options for this field in relation to the other phase.
[screenshot: Screenshot 2021-03-01 at 13 14 48]

andreidan commented Mar 1, 2021

Thanks for working on this @jloleysens!

@yuliacech @jloleysens we don't support multiple searchable snapshot actions being defined for different repositories. We validate against this elastic/elasticsearch#68856

I'd like to also mention elastic/elasticsearch#68714 which introduced another option in the searchable snapshot configuration called storage - I'm not sure if we should allow configuring this in the UI though as the defaults do the right thing (i.e. configure a full searchable snapshot in the cold tier and a partial one in the frozen tier), but maybe there's a UI/UX medium where that needs to be discussed? (my personal opinion is that we shouldn't expose this at the UI level, but leave it only at the API level)

jloleysens (Contributor, Author) commented Mar 1, 2021

I tested locally and noticed that when a searchable snapshot is configured in the hot phase, there is still an info callout saying that searchable snapshot in the cold phase is not possible.

@yuliacech Great catch! In the process of cherry picking I think I excluded the commit for removing this!!

Also it's not possible to save a policy with 2 different snapshot repos configured for hot and cold searchable snapshots.

This is a really good point, I think for now we can rely on ES validation for this (especially given Lee's PR description about enabling this in future: elastic/elasticsearch#68714 (comment)), but I think you are right with respect to the error message not being very helpful. I'll see what I can do to improve the situation!

jloleysens (Contributor, Author)

@yuliacech I think I have addressed your feedback! Would you mind taking another look?

I updated the error handling logic server side to include the full caused_by chain so that we can report more detail:

[screenshot: Screenshot 2021-03-01 at 17 17 06]

I spoke with @sebelga and he mentioned that we should probably enhance the form to prevent users from getting into this error state in the first place. This is something we can do for 7.13.

@andreidan how likely do you think it is that we will have the ability to configure different snapshots?
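
The two points raised in this thread, the Elasticsearch rule that every searchable_snapshot action in one policy must name the same snapshot_repository (andreidan's comment above) and the server-side flattening of an error's caused_by chain (jloleysens' comment above), written out as an added TypeScript example. This is not Kibana's or Elasticsearch's code: the function names, the two sample policies and the sample error object are constructed for this example; only the policy and error-response JSON shapes follow Elasticsearch's formats.

```typescript
// Added example: not Kibana or Elasticsearch code. Models (1) the ES 7.12+ rule
// that every searchable_snapshot action in an ILM policy must name the same
// snapshot_repository, and (2) flattening an ES error's caused_by chain into one
// message. Function names and sample data below are this example's own (constructed).

type SearchableSnapshotAction = {
  snapshot_repository: string;
  // "storage" is the option andreidan mentions; ES defaults choose full_copy in
  // cold and shared_cache in frozen, so a form can leave it unset.
  storage?: "full_copy" | "shared_cache";
};

type Phase = {
  min_age?: string;
  actions: Record<string, unknown> & { searchable_snapshot?: SearchableSnapshotAction };
};

type IlmPolicy = { phases: Record<string, Phase> };

// Lifecycle order, so error messages name the earlier phase as the reference.
const PHASE_ORDER = ["hot", "warm", "cold", "frozen", "delete"];

// Every phase that carries a searchable_snapshot action, with its repository.
function searchableSnapshotPhases(policy: IlmPolicy): { phase: string; repository: string }[] {
  const found: { phase: string; repository: string }[] = [];
  for (const phase of PHASE_ORDER) {
    const action = policy.phases[phase]?.actions?.searchable_snapshot;
    if (action) found.push({ phase, repository: action.snapshot_repository });
  }
  return found;
}

// Form-side check mirroring the server rule: all searchable_snapshot actions in a
// policy must use one repository. Returns human-readable errors (empty = valid).
function validateSearchableSnapshotRepositories(policy: IlmPolicy): string[] {
  const entries = searchableSnapshotPhases(policy);
  const errors: string[] = [];
  if (entries.length < 2) return errors; // zero or one action: nothing to compare
  const reference = entries[0];
  for (const entry of entries.slice(1)) {
    if (entry.repository !== reference.repository) {
      errors.push(
        `phase "${entry.phase}" uses repository "${entry.repository}" but phase ` +
          `"${reference.phase}" uses "${reference.repository}"; all searchable_snapshot ` +
          `actions in a policy must use the same repository`
      );
    }
  }
  return errors;
}

// Shape of the "error" object in an ES error response: each level may nest a
// caused_by of the same shape.
type EsError = { type?: string; reason?: string; caused_by?: EsError };

// Walk the caused_by chain and join every level, so the root cause is reported
// instead of only the outermost "couldn't parse" message.
function flattenCausedBy(error: EsError): string {
  const parts: string[] = [];
  const seen = new Set<EsError>(); // guard against a cyclic object
  for (let cur: EsError | undefined = error; cur && !seen.has(cur); cur = cur.caused_by) {
    seen.add(cur);
    if (cur.reason) parts.push(cur.type ? `${cur.type}: ${cur.reason}` : cur.reason);
  }
  return parts.join(" | ");
}

// Constructed sample policies (not real cluster data).
const sameRepoPolicy: IlmPolicy = {
  phases: {
    hot: { actions: { rollover: { max_age: "30d" }, searchable_snapshot: { snapshot_repository: "found-snapshots" } } },
    cold: { min_age: "60d", actions: { searchable_snapshot: { snapshot_repository: "found-snapshots" } } },
    delete: { min_age: "365d", actions: { delete: {} } },
  },
};

const mismatchedPolicy: IlmPolicy = {
  phases: {
    hot: { actions: { searchable_snapshot: { snapshot_repository: "found-snapshots" } } },
    cold: { min_age: "60d", actions: { searchable_snapshot: { snapshot_repository: "archive-repo" } } },
  },
};

// Constructed error object in the ES caused_by shape; the wording is illustrative,
// not Elasticsearch's actual text.
const sampleError: EsError = {
  type: "x_content_parse_exception",
  reason: "failed to parse lifecycle policy",
  caused_by: {
    type: "illegal_argument_exception",
    reason: "searchable_snapshot actions use different repositories [found-snapshots, archive-repo]",
  },
};

console.log(validateSearchableSnapshotRepositories(sameRepoPolicy)); // []
console.log(validateSearchableSnapshotRepositories(mismatchedPolicy)[0]);
console.log(flattenCausedBy(sampleError));
```

The validator runs before the policy is sent, so the mismatched policy is rejected with a phase-specific message instead of a generic parse error; the chain walker is what a server-side handler would apply to the response body when the cluster does reject a policy.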

yuliacech (Contributor) left a comment

Hi @jloleysens, thanks a lot for addressing my feedback! Tested locally and all worked for me. I think seeing a detailed ES error is very helpful.

jloleysens (Contributor, Author)

@elasticmachine merge upstream

jloleysens added the v7.12.1 label and removed v7.12.0 on Mar 2, 2021
andreidan commented Mar 2, 2021

@jloleysens

@andreidan how likely do you think it is that we will have the ability to configure different snapshots?

Different repositories? Not likely as it's a niche use case.

kibanamachine (Contributor)

💛 Build succeeded, but was flaky


Test Failures

Kibana Pipeline / general / X-Pack Detection Engine API Integration Tests.x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_threat_matching·ts.detection engine api security and spaces enabled create_threat_matching tests with auditbeat data indicator enrichment generates multiple signals with multiple matches

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has failed 5 times on tracked branches: https://github.com/elastic/kibana/issues/93152

[00:00:00]       │
[00:00:00]         └-: detection engine api security and spaces enabled
[00:00:00]           └-> "before all" hook in "detection engine api security and spaces enabled"
[00:00:00]           └-: 
[00:00:00]             └-> "before all" hook in ""
[00:06:18]             └-: create_threat_matching
[00:06:18]               └-> "before all" hook in "create_threat_matching"
[00:06:33]               └-: tests with auditbeat data
[00:06:33]                 └-> "before all" hook for "should be able to execute and get 10 signals when doing a specific query"
[00:06:33]                 └-> should be able to execute and get 10 signals when doing a specific query
[00:06:33]                   └-> "before each" hook: global before each for "should be able to execute and get 10 signals when doing a specific query"
[00:06:33]                   └-> "before each" hook for "should be able to execute and get 10 signals when doing a specific query"
[00:06:33]                     │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] adding index lifecycle policy [.siem-signals-default]
[00:06:33]                     │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:06:33]                     │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:06:33]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:06:33]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:06:33]                     │ info [auditbeat/hosts] Loading "mappings.json"
[00:06:33]                     │ info [auditbeat/hosts] Loading "data.json.gz"
[00:06:33]                     │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:06:33]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:06:33]                     │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:06:33]                     │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","netw
ork.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","fi
le.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.o
auid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","au
ditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.
host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:06:34]                     │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:06:34]                     │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:06:39]                   │ proc [kibana]   log   [09:37:31.970] [info][plugins][securitySolution] [+] Finished indexing 88   name: "Query with a rule id" id: "e67d67f0-7b3a-11eb-859e-ddec397f7e92" rule id: "rule-1" signals index: ".siem-signals-default"
[00:06:39]                   │ proc [kibana]   log   [09:37:31.979] [info][eventLog][plugins] event logged: {"@timestamp":"2021-03-02T09:37:28.984Z","event":{"provider":"alerting","action":"execute","start":"2021-03-02T09:37:28.984Z","outcome":"success","end":"2021-03-02T09:37:31.978Z","duration":2994000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"e67d67f0-7b3a-11eb-859e-ddec397f7e92"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:e67d67f0-7b3a-11eb-859e-ddec397f7e92: 'Query with a rule id'","ecs":{"version":"1.6.0"}}
[00:06:39]                   └- ✓ pass  (5.1s) "detection engine api security and spaces enabled  create_threat_matching tests with auditbeat data should be able to execute and get 10 signals when doing a specific query"
[00:06:39]                 └-> "after each" hook for "should be able to execute and get 10 signals when doing a specific query"
[00:06:39]                   │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [.siem-signals-default-000001/EkuAGKFBSbWV3jDRpJetFA] deleting index
[00:06:39]                   │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] removing template [.siem-signals-default]
[00:06:42]                   │ info [auditbeat/hosts] Unloading indices from "mappings.json"
[00:06:42]                   │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [auditbeat-8.0.0-2019.02.19-000001/vhPsg571TmqeDVYK0U0bLA] deleting index
[00:06:42]                   │ info [auditbeat/hosts] Deleted existing index "auditbeat-8.0.0-2019.02.19-000001"
[00:06:42]                   │ info [auditbeat/hosts] Unloading indices from "data.json.gz"
[00:06:42]                 └-> should return 0 matches if the mapping does not match against anything in the mapping
[00:06:42]                   └-> "before each" hook: global before each for "should return 0 matches if the mapping does not match against anything in the mapping"
[00:06:42]                   └-> "before each" hook for "should return 0 matches if the mapping does not match against anything in the mapping"
[00:06:42]                     │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] adding index lifecycle policy [.siem-signals-default]
[00:06:42]                     │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:06:42]                     │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:06:42]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:06:42]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:06:42]                     │ info [auditbeat/hosts] Loading "mappings.json"
[00:06:42]                     │ info [auditbeat/hosts] Loading "data.json.gz"
[00:06:42]                     │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:06:42]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:06:42]                     │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:06:43]                     │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:06:43]                     │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:06:48]                   │ proc [kibana]   log   [09:37:41.080] [info][plugins][securitySolution] [+] Finished indexing 0   name: "Query with a rule id" id: "ebfa9680-7b3a-11eb-859e-ddec397f7e92" rule id: "rule-1" signals index: ".siem-signals-default"
[00:06:48]                   │ proc [kibana]   log   [09:37:41.090] [info][eventLog][plugins] event logged: {"@timestamp":"2021-03-02T09:37:37.992Z","event":{"provider":"alerting","action":"execute","start":"2021-03-02T09:37:37.992Z","outcome":"success","end":"2021-03-02T09:37:41.089Z","duration":3097000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"ebfa9680-7b3a-11eb-859e-ddec397f7e92"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:ebfa9680-7b3a-11eb-859e-ddec397f7e92: 'Query with a rule id'","ecs":{"version":"1.6.0"}}
[00:06:48]                   └- ✓ pass  (5.0s) "detection engine api security and spaces enabled  create_threat_matching tests with auditbeat data should return 0 matches if the mapping does not match against anything in the mapping"
[00:06:48]                 └-> "after each" hook for "should return 0 matches if the mapping does not match against anything in the mapping"
[00:06:48]                   │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [.siem-signals-default-000001/VkgCy7t1RJCNCEN_aYKQ_Q] deleting index
[00:06:48]                   │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] removing template [.siem-signals-default]
[00:06:51]                   │ info [auditbeat/hosts] Unloading indices from "mappings.json"
[00:06:51]                   │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [auditbeat-8.0.0-2019.02.19-000001/deS4fWh4QOOrg_IKKLFKfg] deleting index
[00:06:51]                   │ info [auditbeat/hosts] Deleted existing index "auditbeat-8.0.0-2019.02.19-000001"
[00:06:51]                   │ info [auditbeat/hosts] Unloading indices from "data.json.gz"
[00:06:51]                 └-> should return 0 signals when using an AND and one of the clauses does not have data
[00:06:51]                   └-> "before each" hook: global before each for "should return 0 signals when using an AND and one of the clauses does not have data"
[00:06:51]                   └-> "before each" hook for "should return 0 signals when using an AND and one of the clauses does not have data"
[00:06:51]                     │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] adding index lifecycle policy [.siem-signals-default]
[00:06:51]                     │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:06:51]                     │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:06:51]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:06:51]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:06:51]                     │ info [auditbeat/hosts] Loading "mappings.json"
[00:06:51]                     │ info [auditbeat/hosts] Loading "data.json.gz"
[00:06:51]                     │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:06:51]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:06:51]                     │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:06:51]                     │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:06:52]                     │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:06:52]                     │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:06:56]                   │ proc [kibana]   log   [09:37:49.168] [info][plugins][securitySolution] [+] Finished indexing 0   name: "Query with a rule id" id: "f15b8a80-7b3a-11eb-859e-ddec397f7e92" rule id: "rule-1" signals index: ".siem-signals-default"
[00:06:56]                   │ proc [kibana]   log   [09:37:49.182] [info][eventLog][plugins] event logged: {"@timestamp":"2021-03-02T09:37:46.993Z","event":{"provider":"alerting","action":"execute","start":"2021-03-02T09:37:46.993Z","outcome":"success","end":"2021-03-02T09:37:49.181Z","duration":2188000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"f15b8a80-7b3a-11eb-859e-ddec397f7e92"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:f15b8a80-7b3a-11eb-859e-ddec397f7e92: 'Query with a rule id'","ecs":{"version":"1.6.0"}}
[00:06:56]                   └- ✓ pass  (4.0s) "detection engine api security and spaces enabled  create_threat_matching tests with auditbeat data should return 0 signals when using an AND and one of the clauses does not have data"
[00:06:56]                 └-> "after each" hook for "should return 0 signals when using an AND and one of the clauses does not have data"
[00:06:56]                   │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [.siem-signals-default-000001/HIVEWOd6TyORZVJ0TDpMqQ] deleting index
[00:06:56]                   │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] removing template [.siem-signals-default]
[00:06:59]                   │ info [auditbeat/hosts] Unloading indices from "mappings.json"
[00:06:59]                   │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [auditbeat-8.0.0-2019.02.19-000001/hIWwB4akTGG72qHvRk1kBw] deleting index
[00:06:59]                   │ info [auditbeat/hosts] Deleted existing index "auditbeat-8.0.0-2019.02.19-000001"
[00:06:59]                   │ info [auditbeat/hosts] Unloading indices from "data.json.gz"
[00:06:59]                 └-> should return 0 signals when using an AND and one of the clauses has a made up value that does not exist
[00:06:59]                   └-> "before each" hook: global before each for "should return 0 signals when using an AND and one of the clauses has a made up value that does not exist"
[00:06:59]                   └-> "before each" hook for "should return 0 signals when using an AND and one of the clauses has a made up value that does not exist"
[00:06:59]                     │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] adding index lifecycle policy [.siem-signals-default]
[00:06:59]                     │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:06:59]                     │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:06:59]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:06:59]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:06:59]                     │ info [auditbeat/hosts] Loading "mappings.json"
[00:06:59]                     │ info [auditbeat/hosts] Loading "data.json.gz"
[00:06:59]                     │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:06:59]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:07:00]                     │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:07:00]                     │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:07:00]                     │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:07:00]                     │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:07:05]                   │ proc [kibana]   log   [09:37:58.271] [info][plugins][securitySolution] [+] Finished indexing 0   name: "Query with a rule id" id: "f62ee480-7b3a-11eb-859e-ddec397f7e92" rule id: "rule-1" signals index: ".siem-signals-default"
[00:07:05]                   │ proc [kibana]   log   [09:37:58.279] [info][eventLog][plugins] event logged: {"@timestamp":"2021-03-02T09:37:55.992Z","event":{"provider":"alerting","action":"execute","start":"2021-03-02T09:37:55.992Z","outcome":"success","end":"2021-03-02T09:37:58.278Z","duration":2286000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"f62ee480-7b3a-11eb-859e-ddec397f7e92"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:f62ee480-7b3a-11eb-859e-ddec397f7e92: 'Query with a rule id'","ecs":{"version":"1.6.0"}}
[00:07:05]                   └- ✓ pass  (5.0s) "detection engine api security and spaces enabled  create_threat_matching tests with auditbeat data should return 0 signals when using an AND and one of the clauses has a made up value that does not exist"
[00:07:05]                 └-> "after each" hook for "should return 0 signals when using an AND and one of the clauses has a made up value that does not exist"
[00:07:05]                   │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [.siem-signals-default-000001/FnymcoflTNuQRz-EyYQ1-A] deleting index
[00:07:05]                   │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] removing template [.siem-signals-default]
[00:07:08]                   │ info [auditbeat/hosts] Unloading indices from "mappings.json"
[00:07:08]                   │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [auditbeat-8.0.0-2019.02.19-000001/UEtwPgUvQia1-Z9TV8x2-Q] deleting index
[00:07:08]                   │ info [auditbeat/hosts] Deleted existing index "auditbeat-8.0.0-2019.02.19-000001"
[00:07:08]                   │ info [auditbeat/hosts] Unloading indices from "data.json.gz"
[00:07:08]                 └-: indicator enrichment
[00:07:08]                   └-> "before all" hook for "enriches signals with the single indicator that matched"
[00:07:08]                   └-> enriches signals with the single indicator that matched
[00:07:08]                     └-> "before each" hook: global before each for "enriches signals with the single indicator that matched"
[00:07:08]                     └-> "before each" hook for "enriches signals with the single indicator that matched"
[00:07:08]                       │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] adding index lifecycle policy [.siem-signals-default]
[00:07:08]                       │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:07:08]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:07:08]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:07:08]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:07:08]                       │ info [auditbeat/hosts] Loading "mappings.json"
[00:07:09]                       │ info [auditbeat/hosts] Loading "data.json.gz"
[00:07:09]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:07:09]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:07:09]                       │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:07:09]                       │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:07:09]                       │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:07:09]                       │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:07:09]                     └-> "before each" hook for "enriches signals with the single indicator that matched"
[00:07:09]                       │ info [filebeat/threat_intel] Loading "mappings.json"
[00:07:09]                       │ info [filebeat/threat_intel] Loading "data.json"
[00:07:09]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [filebeat-8.0.0-2021.01.26-000001] creating index, cause [api], templates [], shards [1]/[0]
[00:07:09]                       │ info [filebeat/threat_intel] Created index "filebeat-8.0.0-2021.01.26-000001"
[00:07:09]                       │ debg [filebeat/threat_intel] "filebeat-8.0.0-2021.01.26-000001" settings {"index":{"lifecycle":{"name":"filebeat-8.0.0","rollover_alias":"filebeat-filebeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"0","number_of_shards":"1","refresh_interval":"5s"}}
[00:07:09]                       │ info [o.e.c.m.MetadataMappingService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [filebeat-8.0.0-2021.01.26-000001/AweB5OcsTv-98i0V-dEooA] update_mapping [_doc]
[00:07:09]                       │ info [o.e.c.m.MetadataMappingService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [filebeat-8.0.0-2021.01.26-000001/AweB5OcsTv-98i0V-dEooA] update_mapping [_doc]
[00:07:09]                       │ info [filebeat/threat_intel] Indexed 4 docs into "filebeat-8.0.0-2021.01.26-000001"
[00:07:14]                     │ proc [kibana]   log   [09:38:07.362] [info][plugins][securitySolution] [+] Finished indexing 2   name: "Query with a rule id" id: "fba694d0-7b3a-11eb-859e-ddec397f7e92" rule id: "rule-1" signals index: ".siem-signals-default"
[00:07:14]                     │ proc [kibana]   log   [09:38:07.374] [info][eventLog][plugins] event logged: {"@timestamp":"2021-03-02T09:38:04.986Z","event":{"provider":"alerting","action":"execute","start":"2021-03-02T09:38:04.986Z","outcome":"success","end":"2021-03-02T09:38:07.373Z","duration":2387000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"fba694d0-7b3a-11eb-859e-ddec397f7e92"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:fba694d0-7b3a-11eb-859e-ddec397f7e92: 'Query with a rule id'","ecs":{"version":"1.6.0"}}
[00:07:14]                     └- ✓ pass  (5.0s) "detection engine api security and spaces enabled  create_threat_matching tests with auditbeat data indicator enrichment enriches signals with the single indicator that matched"
[00:07:14]                   └-> "after each" hook for "enriches signals with the single indicator that matched"
[00:07:14]                     │ info [filebeat/threat_intel] Unloading indices from "mappings.json"
[00:07:14]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [filebeat-8.0.0-2021.01.26-000001/AweB5OcsTv-98i0V-dEooA] deleting index
[00:07:14]                     │ info [filebeat/threat_intel] Deleted existing index "filebeat-8.0.0-2021.01.26-000001"
[00:07:14]                     │ info [filebeat/threat_intel] Unloading indices from "data.json"
[00:07:14]                   └-> "after each" hook for "enriches signals with the single indicator that matched"
[00:07:14]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [.siem-signals-default-000001/iqbeKrhKSNSUQ3VjdefUqQ] deleting index
[00:07:14]                     │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] removing template [.siem-signals-default]
[00:07:17]                     │ info [auditbeat/hosts] Unloading indices from "mappings.json"
[00:07:17]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [auditbeat-8.0.0-2019.02.19-000001/NjDrUbVhRcaEqz-K8YTHhw] deleting index
[00:07:17]                     │ info [auditbeat/hosts] Deleted existing index "auditbeat-8.0.0-2019.02.19-000001"
[00:07:17]                     │ info [auditbeat/hosts] Unloading indices from "data.json.gz"
[00:07:17]                   └-> enriches signals with multiple indicators if several matched
[00:07:17]                     └-> "before each" hook: global before each for "enriches signals with multiple indicators if several matched"
[00:07:17]                     └-> "before each" hook for "enriches signals with multiple indicators if several matched"
[00:07:17]                       │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] adding index lifecycle policy [.siem-signals-default]
[00:07:18]                       │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:07:18]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:07:18]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:07:18]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:07:18]                       │ info [auditbeat/hosts] Loading "mappings.json"
[00:07:18]                       │ info [auditbeat/hosts] Loading "data.json.gz"
[00:07:18]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:07:18]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:07:18]                       │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:07:18]                       │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:07:18]                       │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:07:18]                       │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:07:18]                     └-> "before each" hook for "enriches signals with multiple indicators if several matched"
[00:07:18]                       │ info [filebeat/threat_intel] Loading "mappings.json"
[00:07:18]                       │ info [filebeat/threat_intel] Loading "data.json"
[00:07:18]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [filebeat-8.0.0-2021.01.26-000001] creating index, cause [api], templates [], shards [1]/[0]
[00:07:18]                       │ info [filebeat/threat_intel] Created index "filebeat-8.0.0-2021.01.26-000001"
[00:07:18]                       │ debg [filebeat/threat_intel] "filebeat-8.0.0-2021.01.26-000001" settings {"index":{"lifecycle":{"name":"filebeat-8.0.0","rollover_alias":"filebeat-filebeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"0","number_of_shards":"1","refresh_interval":"5s"}}
[00:07:18]                       │ info [o.e.c.m.MetadataMappingService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [filebeat-8.0.0-2021.01.26-000001/Rwd2dtLST2CUuLItYdp0Cw] update_mapping [_doc]
[00:07:18]                       │ info [o.e.c.m.MetadataMappingService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [filebeat-8.0.0-2021.01.26-000001/Rwd2dtLST2CUuLItYdp0Cw] update_mapping [_doc]
[00:07:18]                       │ info [filebeat/threat_intel] Indexed 4 docs into "filebeat-8.0.0-2021.01.26-000001"
[00:07:23]                     │ proc [kibana]   log   [09:38:16.460] [info][plugins][securitySolution] [+] Finished indexing 1   name: "Query with a rule id" id: "011bad10-7b3b-11eb-859e-ddec397f7e92" rule id: "rule-1" signals index: ".siem-signals-default"
[00:07:23]                     │ proc [kibana]   log   [09:38:16.468] [info][eventLog][plugins] event logged: {"@timestamp":"2021-03-02T09:38:13.993Z","event":{"provider":"alerting","action":"execute","start":"2021-03-02T09:38:13.993Z","outcome":"success","end":"2021-03-02T09:38:16.467Z","duration":2474000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"011bad10-7b3b-11eb-859e-ddec397f7e92"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:011bad10-7b3b-11eb-859e-ddec397f7e92: 'Query with a rule id'","ecs":{"version":"1.6.0"}}
[00:07:23]                     └- ✓ pass  (5.0s) "detection engine api security and spaces enabled  create_threat_matching tests with auditbeat data indicator enrichment enriches signals with multiple indicators if several matched"
[00:07:23]                   └-> "after each" hook for "enriches signals with multiple indicators if several matched"
[00:07:23]                     │ info [filebeat/threat_intel] Unloading indices from "mappings.json"
[00:07:23]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [filebeat-8.0.0-2021.01.26-000001/Rwd2dtLST2CUuLItYdp0Cw] deleting index
[00:07:23]                     │ info [filebeat/threat_intel] Deleted existing index "filebeat-8.0.0-2021.01.26-000001"
[00:07:23]                     │ info [filebeat/threat_intel] Unloading indices from "data.json"
[00:07:23]                   └-> "after each" hook for "enriches signals with multiple indicators if several matched"
[00:07:23]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [.siem-signals-default-000001/Ed2evPfrTHG2_F_kDI0Mjg] deleting index
[00:07:23]                     │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] removing template [.siem-signals-default]
[00:07:26]                     │ info [auditbeat/hosts] Unloading indices from "mappings.json"
[00:07:26]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [auditbeat-8.0.0-2019.02.19-000001/ZgPAxFF5TqGs8r_f0LVU2g] deleting index
[00:07:26]                     │ info [auditbeat/hosts] Deleted existing index "auditbeat-8.0.0-2019.02.19-000001"
[00:07:26]                     │ info [auditbeat/hosts] Unloading indices from "data.json.gz"
[00:07:26]                   └-> adds a single indicator that matched multiple fields
[00:07:26]                     └-> "before each" hook: global before each for "adds a single indicator that matched multiple fields"
[00:07:26]                     └-> "before each" hook for "adds a single indicator that matched multiple fields"
[00:07:27]                       │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] adding index lifecycle policy [.siem-signals-default]
[00:07:27]                       │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:07:27]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:07:27]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:07:27]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:07:27]                       │ info [auditbeat/hosts] Loading "mappings.json"
[00:07:27]                       │ info [auditbeat/hosts] Loading "data.json.gz"
[00:07:27]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:07:27]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:07:27]                       │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:07:27]                       │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:07:27]                       │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:07:27]                       │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:07:27]                     └-> "before each" hook for "adds a single indicator that matched multiple fields"
[00:07:27]                       │ info [filebeat/threat_intel] Loading "mappings.json"
[00:07:27]                       │ info [filebeat/threat_intel] Loading "data.json"
[00:07:27]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [filebeat-8.0.0-2021.01.26-000001] creating index, cause [api], templates [], shards [1]/[0]
[00:07:27]                       │ info [filebeat/threat_intel] Created index "filebeat-8.0.0-2021.01.26-000001"
[00:07:27]                       │ debg [filebeat/threat_intel] "filebeat-8.0.0-2021.01.26-000001" settings {"index":{"lifecycle":{"name":"filebeat-8.0.0","rollover_alias":"filebeat-filebeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"0","number_of_shards":"1","refresh_interval":"5s"}}
[00:07:27]                       │ info [o.e.c.m.MetadataMappingService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [filebeat-8.0.0-2021.01.26-000001/z0mAo7AJSeaQVJd2FBwzAg] update_mapping [_doc]
[00:07:27]                       │ info [o.e.c.m.MetadataMappingService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [filebeat-8.0.0-2021.01.26-000001/z0mAo7AJSeaQVJd2FBwzAg] update_mapping [_doc]
[00:07:27]                       │ info [filebeat/threat_intel] Indexed 4 docs into "filebeat-8.0.0-2021.01.26-000001"
[00:07:32]                     │ proc [kibana]   log   [09:38:25.557] [info][plugins][securitySolution] [+] Finished indexing 1   name: "Query with a rule id" id: "068a5cb0-7b3b-11eb-859e-ddec397f7e92" rule id: "rule-1" signals index: ".siem-signals-default"
[00:07:32]                     │ proc [kibana]   log   [09:38:25.565] [info][eventLog][plugins] event logged: {"@timestamp":"2021-03-02T09:38:22.998Z","event":{"provider":"alerting","action":"execute","start":"2021-03-02T09:38:22.998Z","outcome":"success","end":"2021-03-02T09:38:25.564Z","duration":2566000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"068a5cb0-7b3b-11eb-859e-ddec397f7e92"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:068a5cb0-7b3b-11eb-859e-ddec397f7e92: 'Query with a rule id'","ecs":{"version":"1.6.0"}}
[00:07:32]                     └- ✓ pass  (5.0s) "detection engine api security and spaces enabled  create_threat_matching tests with auditbeat data indicator enrichment adds a single indicator that matched multiple fields"
[00:07:32]                   └-> "after each" hook for "adds a single indicator that matched multiple fields"
[00:07:32]                     │ info [filebeat/threat_intel] Unloading indices from "mappings.json"
[00:07:32]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [filebeat-8.0.0-2021.01.26-000001/z0mAo7AJSeaQVJd2FBwzAg] deleting index
[00:07:32]                     │ info [filebeat/threat_intel] Deleted existing index "filebeat-8.0.0-2021.01.26-000001"
[00:07:32]                     │ info [filebeat/threat_intel] Unloading indices from "data.json"
[00:07:32]                   └-> "after each" hook for "adds a single indicator that matched multiple fields"
[00:07:32]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [.siem-signals-default-000001/R9vgLAVTQdqG0c_LkLPlbQ] deleting index
[00:07:32]                     │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] removing template [.siem-signals-default]
[00:07:35]                     │ info [auditbeat/hosts] Unloading indices from "mappings.json"
[00:07:35]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [auditbeat-8.0.0-2019.02.19-000001/eKhgfY2lR_OqcCPINcSl3Q] deleting index
[00:07:35]                     │ info [auditbeat/hosts] Deleted existing index "auditbeat-8.0.0-2019.02.19-000001"
[00:07:35]                     │ info [auditbeat/hosts] Unloading indices from "data.json.gz"
[00:07:35]                   └-> generates multiple signals with multiple matches
[00:07:35]                     └-> "before each" hook: global before each for "generates multiple signals with multiple matches"
[00:07:35]                     └-> "before each" hook for "generates multiple signals with multiple matches"
[00:07:36]                       │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] adding index lifecycle policy [.siem-signals-default]
[00:07:36]                       │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:07:36]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:07:36]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:07:36]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:07:36]                       │ info [auditbeat/hosts] Loading "mappings.json"
[00:07:36]                       │ info [auditbeat/hosts] Loading "data.json.gz"
[00:07:36]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:07:36]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:07:36]                       │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:07:36]                       │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audi
t.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:07:36]                       │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:07:36]                       │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:07:36]                     └-> "before each" hook for "generates multiple signals with multiple matches"
[00:07:36]                       │ info [filebeat/threat_intel] Loading "mappings.json"
[00:07:36]                       │ info [filebeat/threat_intel] Loading "data.json"
[00:07:36]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [filebeat-8.0.0-2021.01.26-000001] creating index, cause [api], templates [], shards [1]/[0]
[00:07:36]                       │ info [filebeat/threat_intel] Created index "filebeat-8.0.0-2021.01.26-000001"
[00:07:36]                       │ debg [filebeat/threat_intel] "filebeat-8.0.0-2021.01.26-000001" settings {"index":{"lifecycle":{"name":"filebeat-8.0.0","rollover_alias":"filebeat-filebeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"0","number_of_shards":"1","refresh_interval":"5s"}}
[00:07:36]                       │ info [o.e.c.m.MetadataMappingService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [filebeat-8.0.0-2021.01.26-000001/1jwGb2kKQmmD5zKb4EAS-g] update_mapping [_doc]
[00:07:36]                       │ info [o.e.c.m.MetadataMappingService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1614674184263773292] [filebeat-8.0.0-2021.01.26-000001/1jwGb2kKQmmD5zKb4EAS-g] update_mapping [_doc]
[00:07:36]                       │ info [filebeat/threat_intel] Indexed 4 docs into "filebeat-8.0.0-2021.01.26-000001"
[00:07:44]                     │ proc [kibana]   log   [09:38:37.655] [info][plugins][securitySolution] [+] Finished indexing 2   name: "Query with a rule id" id: "0becd750-7b3b-11eb-859e-ddec397f7e92" rule id: "rule-1" signals index: ".siem-signals-default"
[00:07:44]                     │ proc [kibana]   log   [09:38:37.664] [info][eventLog][plugins] event logged: {"@timestamp":"2021-03-02T09:38:34.994Z","event":{"provider":"alerting","action":"execute","start":"2021-03-02T09:38:34.994Z","outcome":"success","end":"2021-03-02T09:38:37.663Z","duration":2669000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"0becd750-7b3b-11eb-859e-ddec397f7e92"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:0becd750-7b3b-11eb-859e-ddec397f7e92: 'Query with a rule id'","ecs":{"version":"1.6.0"}}
[00:07:45]                     └- ✖ fail: detection engine api security and spaces enabled  create_threat_matching tests with auditbeat data indicator enrichment generates multiple signals with multiple matches
[00:07:45]                     │       Error: expected [ { indicator: [ [Object] ] },
[00:07:45]                     │   { indicator: [ [Object], [Object], [Object] ] } ] to sort of equal [ { indicator: [ [Object] ] },
[00:07:45]                     │   { indicator: [ [Object], [Object], [Object] ] } ]
[00:07:45]                     │       + expected - actual
[00:07:45]                     │ 
[00:07:45]                     │          }
[00:07:45]                     │          {
[00:07:45]                     │            "indicator": [
[00:07:45]                     │              {
[00:07:45]                     │       -        "description": "this should match auditbeat/hosts on both port and ip"
[00:07:45]                     │       -        "first_seen": "2021-01-26T11:06:03.000Z"
[00:07:45]                     │       -        "ip": "45.115.45.3"
[00:07:45]                     │       -        "matched": {
[00:07:45]                     │       -          "atomic": "45.115.45.3"
[00:07:45]                     │       -          "field": "source.ip"
[00:07:45]                     │       -          "id": "978785"
[00:07:45]                     │       -          "index": "filebeat-8.0.0-2021.01.26-000001"
[00:07:45]                     │       -          "type": "url"
[00:07:45]                     │       -        }
[00:07:45]                     │       -        "port": 57324
[00:07:45]                     │       -        "provider": "geenensp"
[00:07:45]                     │       -        "type": "url"
[00:07:45]                     │       -      }
[00:07:45]                     │       -      {
[00:07:45]                     │                "description": "domain should match the auditbeat hosts' data's source.ip"
[00:07:45]                     │                "domain": "159.89.119.67"
[00:07:45]                     │                "first_seen": "2021-01-26T11:09:04.000Z"
[00:07:45]                     │                "matched": {
[00:07:45]                     │ --
[00:07:45]                     │                "description": "this should match auditbeat/hosts on both port and ip"
[00:07:45]                     │                "first_seen": "2021-01-26T11:06:03.000Z"
[00:07:45]                     │                "ip": "45.115.45.3"
[00:07:45]                     │                "matched": {
[00:07:45]                     │       +          "atomic": "45.115.45.3"
[00:07:45]                     │       +          "field": "source.ip"
[00:07:45]                     │       +          "id": "978785"
[00:07:45]                     │       +          "index": "filebeat-8.0.0-2021.01.26-000001"
[00:07:45]                     │       +          "type": "url"
[00:07:45]                     │       +        }
[00:07:45]                     │       +        "port": 57324
[00:07:45]                     │       +        "provider": "geenensp"
[00:07:45]                     │       +        "type": "url"
[00:07:45]                     │       +      }
[00:07:45]                     │       +      {
[00:07:45]                     │       +        "description": "this should match auditbeat/hosts on both port and ip"
[00:07:45]                     │       +        "first_seen": "2021-01-26T11:06:03.000Z"
[00:07:45]                     │       +        "ip": "45.115.45.3"
[00:07:45]                     │       +        "matched": {
[00:07:45]                     │                  "atomic": 57324
[00:07:45]                     │                  "field": "source.port"
[00:07:45]                     │                  "id": "978785"
[00:07:45]                     │                  "index": "filebeat-8.0.0-2021.01.26-000001"
[00:07:45]                     │       
[00:07:45]                     │       at Assertion.assert (/dev/shm/workspace/parallel/16/kibana/packages/kbn-expect/expect.js:100:11)
[00:07:45]                     │       at Assertion.eql (/dev/shm/workspace/parallel/16/kibana/packages/kbn-expect/expect.js:244:8)
[00:07:45]                     │       at Context.<anonymous> (test/detection_engine_api_integration/security_and_spaces/tests/create_threat_matching.ts:578:30)
[00:07:45]                     │       at Object.apply (/dev/shm/workspace/parallel/16/kibana/packages/kbn-test/src/functional_test_runner/lib/mocha/wrap_function.js:73:16)
[00:07:45]                     │ 
[00:07:45]                     │ 

Stack Trace

Error: expected [ { indicator: [ [Object] ] },
  { indicator: [ [Object], [Object], [Object] ] } ] to sort of equal [ { indicator: [ [Object] ] },
  { indicator: [ [Object], [Object], [Object] ] } ]
    at Assertion.assert (/dev/shm/workspace/parallel/16/kibana/packages/kbn-expect/expect.js:100:11)
    at Assertion.eql (/dev/shm/workspace/parallel/16/kibana/packages/kbn-expect/expect.js:244:8)
    at Context.<anonymous> (test/detection_engine_api_integration/security_and_spaces/tests/create_threat_matching.ts:578:30)
    at Object.apply (/dev/shm/workspace/parallel/16/kibana/packages/kbn-test/src/functional_test_runner/lib/mocha/wrap_function.js:73:16) {
  actual: '[\n' +
    '  {\n' +
    '    "indicator": [\n' +
    '      {\n' +
    `        "description": "domain should match the auditbeat hosts' data's source.ip"\n` +
    '        "domain": "159.89.119.67"\n' +
    '        "first_seen": "2021-01-26T11:09:04.000Z"\n' +
    '        "matched": {\n' +
    '          "atomic": "159.89.119.67"\n' +
    '          "field": "destination.ip"\n' +
    '          "id": "978783"\n' +
    '          "index": "filebeat-8.0.0-2021.01.26-000001"\n' +
    '          "type": "url"\n' +
    '        }\n' +
    '        "provider": "geenensp"\n' +
    '        "type": "url"\n' +
    '        "url": {\n' +
    '          "full": "http://159.89.119.67:59600/bin.sh"\n' +
    '          "scheme": "http"\n' +
    '        }\n' +
    '      }\n' +
    '    ]\n' +
    '  }\n' +
    '  {\n' +
    '    "indicator": [\n' +
    '      {\n' +
    '        "description": "this should match auditbeat/hosts on both port and ip"\n' +
    '        "first_seen": "2021-01-26T11:06:03.000Z"\n' +
    '        "ip": "45.115.45.3"\n' +
    '        "matched": {\n' +
    '          "atomic": "45.115.45.3"\n' +
    '          "field": "source.ip"\n' +
    '          "id": "978785"\n' +
    '          "index": "filebeat-8.0.0-2021.01.26-000001"\n' +
    '          "type": "url"\n' +
    '        }\n' +
    '        "port": 57324\n' +
    '        "provider": "geenensp"\n' +
    '        "type": "url"\n' +
    '      }\n' +
    '      {\n' +
    `        "description": "domain should match the auditbeat hosts' data's source.ip"\n` +
    '        "domain": "159.89.119.67"\n' +
    '        "first_seen": "2021-01-26T11:09:04.000Z"\n' +
    '        "matched": {\n' +
    '          "atomic": "159.89.119.67"\n' +
    '          "field": "destination.ip"\n' +
    '          "id": "978783"\n' +
    '          "index": "filebeat-8.0.0-2021.01.26-000001"\n' +
    '          "type": "url"\n' +
    '        }\n' +
    '        "provider": "geenensp"\n' +
    '        "type": "url"\n' +
    '        "url": {\n' +
    '          "full": "http://159.89.119.67:59600/bin.sh"\n' +
    '          "scheme": "http"\n' +
    '        }\n' +
    '      }\n' +
    '      {\n' +
    '        "description": "this should match auditbeat/hosts on both port and ip"\n' +
    '        "first_seen": "2021-01-26T11:06:03.000Z"\n' +
    '        "ip": "45.115.45.3"\n' +
    '        "matched": {\n' +
    '          "atomic": 57324\n' +
    '          "field": "source.port"\n' +
    '          "id": "978785"\n' +
    '          "index": "filebeat-8.0.0-2021.01.26-000001"\n' +
    '          "type": "url"\n' +
    '        }\n' +
    '        "port": 57324\n' +
    '        "provider": "geenensp"\n' +
    '        "type": "url"\n' +
    '      }\n' +
    '    ]\n' +
    '  }\n' +
    ']',
  expected: '[\n' +
    '  {\n' +
    '    "indicator": [\n' +
    '      {\n' +
    `        "description": "domain should match the auditbeat hosts' data's source.ip"\n` +
    '        "domain": "159.89.119.67"\n' +
    '        "first_seen": "2021-01-26T11:09:04.000Z"\n' +
    '        "matched": {\n' +
    '          "atomic": "159.89.119.67"\n' +
    '          "field": "destination.ip"\n' +
    '          "id": "978783"\n' +
    '          "index": "filebeat-8.0.0-2021.01.26-000001"\n' +
    '          "type": "url"\n' +
    '        }\n' +
    '        "provider": "geenensp"\n' +
    '        "type": "url"\n' +
    '        "url": {\n' +
    '          "full": "http://159.89.119.67:59600/bin.sh"\n' +
    '          "scheme": "http"\n' +
    '        }\n' +
    '      }\n' +
    '    ]\n' +
    '  }\n' +
    '  {\n' +
    '    "indicator": [\n' +
    '      {\n' +
    `        "description": "domain should match the auditbeat hosts' data's source.ip"\n` +
    '        "domain": "159.89.119.67"\n' +
    '        "first_seen": "2021-01-26T11:09:04.000Z"\n' +
    '        "matched": {\n' +
    '          "atomic": "159.89.119.67"\n' +
    '          "field": "destination.ip"\n' +
    '          "id": "978783"\n' +
    '          "index": "filebeat-8.0.0-2021.01.26-000001"\n' +
    '          "type": "url"\n' +
    '        }\n' +
    '        "provider": "geenensp"\n' +
    '        "type": "url"\n' +
    '        "url": {\n' +
    '          "full": "http://159.89.119.67:59600/bin.sh"\n' +
    '          "scheme": "http"\n' +
    '        }\n' +
    '      }\n' +
    '      {\n' +
    '        "description": "this should match auditbeat/hosts on both port and ip"\n' +
    '        "first_seen": "2021-01-26T11:06:03.000Z"\n' +
    '        "ip": "45.115.45.3"\n' +
    '        "matched": {\n' +
    '          "atomic": "45.115.45.3"\n' +
    '          "field": "source.ip"\n' +
    '          "id": "978785"\n' +
    '          "index": "filebeat-8.0.0-2021.01.26-000001"\n' +
    '          "type": "url"\n' +
    '        }\n' +
    '        "port": 57324\n' +
    '        "provider": "geenensp"\n' +
    '        "type": "url"\n' +
    '      }\n' +
    '      {\n' +
    '        "description": "this should match auditbeat/hosts on both port and ip"\n' +
    '        "first_seen": "2021-01-26T11:06:03.000Z"\n' +
    '        "ip": "45.115.45.3"\n' +
    '        "matched": {\n' +
    '          "atomic": 57324\n' +
    '          "field": "source.port"\n' +
    '          "id": "978785"\n' +
    '          "index": "filebeat-8.0.0-2021.01.26-000001"\n' +
    '          "type": "url"\n' +
    '        }\n' +
    '        "port": 57324\n' +
    '        "provider": "geenensp"\n' +
    '        "type": "url"\n' +
    '      }\n' +
    '    ]\n' +
    '  }\n' +
    ']',
  showDiff: true
}

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id                        before    after     diff
indexLifecycleManagement  242.6KB   242.0KB   -596.0B
triggersActionsUi         1.6MB     1.5MB     -23.9KB
total                                         -24.5KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id                        before    after     diff
indexLifecycleManagement  53.1KB    53.3KB    +265.0B
triggersActionsUi         104.0KB   104.1KB   +82.0B
total                                         +347.0B

Unknown metric groups

async chunk count

id                        before    after     diff
triggersActionsUi         41        42        +1

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@andreidan andreidan left a comment

LGTM, thanks JL! Left a minor comment regarding the error message displayed, but I might be misreading where the message is applied

@@ -254,7 +251,7 @@ export const SearchableSnapshotField: FunctionComponent<Props> = ({ phase }) =>
'xpack.indexLifecycleMgmt.editPolicy.searchableSnapshotCalloutBody',
{
defaultMessage:
'Force merge, shrink, freeze and cold phase searchable snapshots are not allowed when searchable snapshots are enabled in the hot phase.',
'Force merge, shrink and freeze actions are not allowed when searchable snapshots are enabled in this phase.',
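Review bot: the replacement defaultMessage says "in this phase", which makes the restriction sound local to the phase that enables searchable snapshots, whereas the string it replaces ("cold phase searchable snapshots are not allowed when searchable snapshots are enabled in the hot phase") named the cross-phase consequence. When this callout is shown in a phase whose force merge, shrink and freeze controls are hidden because an earlier phase enabled a searchable snapshot, the reader cannot tell which phase "this phase" refers to; state it explicitly, for example "Force merge, shrink and freeze actions are not allowed in phases that follow a searchable snapshot action.", and keep the form's validation aligned with whatever scope the message claims.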


I think this message needs to be a bit different (maybe the validation too?) e.g. shrinking in warm would not be allowed if searchable_snapshot is configured in hot (these actions are not allowed to follow searchable_snapshot, irrespective of whether they're configured in the same phase or a later phase)

jloleysens (Contributor Author)

Right, at the moment the form hides force merge, shrink and freeze only in subsequent phases to hot because in hot searchable snapshot is the last action:

https://github.com/elastic/elasticsearch/blob/fe6f50e121807692b3a84695687cb1ed1176ea63/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ilm/TimeseriesLifecycleType.java#L69

jloleysens (Contributor Author)

But perhaps we need to slightly re-word to state that more clearly, force merge etc. are not allowed in subsequent phases. I might be misunderstanding you so let me know what you think :)

andreidan

Gotcha! Makes sense, thanks @jloleysens! (when the frozen tier comes to life we'll need to adjust this message and the validation - as the cold phase searchable_snapshot can precede the frozen phase actions)

sebelga (Contributor) commented Mar 2, 2021

@andreidan

I'd like to also mention elastic/elasticsearch#68714 which introduced another option in the searchable snapshot configuration called storage

I have added support for storage in my work for supporting frozen tier (#93068) that we plan to ship in 7.13.
Do we consider it a bug for 7.12 and want to address it or is it an enhancement in the UI? It seems to me that it is the latter.

andreidan

@sebelga I don't think this is a bug. My view is that we shouldn't display it at all in the UI (as the API defaults configure the mount type to "shared_cache" in the frozen phase and "full_copy" in all other phases, and other configurations shouldn't be encouraged - and are a niche use case at best), but maybe this is a question for @jethr0null

sebelga (Contributor) commented Mar 2, 2021

My view is that we shouldn't display it at all in the UI

I can bring it to the team but I am not sure the API should let you do more than the UI. If we really don't want users to change some parameters we shouldn't expose them at all IMO. But I hear you, we should probably hide it behind an "advanced" section.
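The two threads above state three rules about how searchable snapshot actions combine in an ILM policy: every searchable_snapshot action in a policy uses the same snapshot repository; force merge, shrink and freeze may not follow a searchable_snapshot action; and the storage option defaults to "shared_cache" in the frozen phase and "full_copy" elsewhere. The checker below is an added example that encodes those rules as a pre-flight lint for a policy body before it is sent to PUT _ilm/policy. It is not Kibana's form validation and not Elasticsearch's TimeseriesLifecycleType, so confirm the rules against your Elasticsearch version. The sample policies, the repository names snapshots-a and snapshots-b, and the rollover thresholds are constructed for the example; the phase order is ILM's. Elasticsearch also fixes the order of actions inside one phase, and same-phase conflicts are deliberately out of scope here.

```python
"""Lint an ILM policy for the searchable_snapshot rules described in the thread.

Added example, not Kibana or Elasticsearch code. Rules encoded:
  1. All searchable_snapshot actions must name the same snapshot_repository.
  2. forcemerge, shrink and freeze may not appear in a phase that follows a
     phase containing a searchable_snapshot action (same-phase ordering, which
     Elasticsearch also enforces, is not modelled).
  3. searchable_snapshot.storage defaults to "shared_cache" in frozen and to
     "full_copy" in every other phase.
"""
import json

# ILM phases in execution order.
PHASE_ORDER = ["hot", "warm", "cold", "frozen", "delete"]
BLOCKED_AFTER_SEARCHABLE_SNAPSHOT = {"forcemerge", "shrink", "freeze"}


def _phases(policy):
    """Accept either the PUT _ilm/policy body ({"policy": {...}}) or its inner object."""
    return policy.get("policy", policy).get("phases", {})


def effective_storage(phase, ss_action):
    """Mount type the action would use: explicit 'storage' or the per-phase default."""
    return ss_action.get("storage") or ("shared_cache" if phase == "frozen" else "full_copy")


def storage_plan(policy):
    """Map each phase that has a searchable_snapshot action to its effective storage."""
    plan = {}
    for phase in PHASE_ORDER:
        ss = _phases(policy).get(phase, {}).get("actions", {}).get("searchable_snapshot")
        if ss is not None:
            plan[phase] = effective_storage(phase, ss)
    return plan


def lint_policy(policy):
    """Return a list of problem strings; an empty list means the policy passes."""
    phases = _phases(policy)
    problems = []
    repositories = {}      # phase -> snapshot_repository
    first_ss_phase = None  # earliest phase carrying a searchable_snapshot action

    for phase in PHASE_ORDER:
        actions = phases.get(phase, {}).get("actions", {})
        if first_ss_phase is not None:
            for name in sorted(BLOCKED_AFTER_SEARCHABLE_SNAPSHOT & set(actions)):
                problems.append(
                    f"{phase}: '{name}' cannot follow the searchable_snapshot action in {first_ss_phase}"
                )
        ss = actions.get("searchable_snapshot")
        if ss is None:
            continue
        repo = ss.get("snapshot_repository")
        if not repo:
            problems.append(f"{phase}: searchable_snapshot requires snapshot_repository")
        else:
            repositories[phase] = repo
        if first_ss_phase is None:
            first_ss_phase = phase

    if len(set(repositories.values())) > 1:
        used = ", ".join(f"{p}={r}" for p, r in repositories.items())
        problems.append(f"searchable_snapshot actions must share one repository, found {used}")
    return problems


def lint_policy_json(text):
    """Same check on the raw JSON body you would send to PUT _ilm/policy/<name>."""
    return lint_policy(json.loads(text))


# Constructed sample policies; snapshots-a / snapshots-b are made-up repository names.
GOOD_POLICY = {"policy": {"phases": {
    "hot": {"actions": {"rollover": {"max_primary_shard_size": "50gb"},
                        "searchable_snapshot": {"snapshot_repository": "snapshots-a"}}},
    "cold": {"min_age": "30d", "actions": {"searchable_snapshot": {"snapshot_repository": "snapshots-a"}}},
    "frozen": {"min_age": "90d", "actions": {"searchable_snapshot": {"snapshot_repository": "snapshots-a"}}},
    "delete": {"min_age": "365d", "actions": {"delete": {}}},
}}}

BAD_POLICY = {"policy": {"phases": {
    "hot": {"actions": {"rollover": {"max_age": "7d"},
                        "searchable_snapshot": {"snapshot_repository": "snapshots-a"}}},
    "warm": {"min_age": "7d", "actions": {"shrink": {"number_of_shards": 1},
                                          "forcemerge": {"max_num_segments": 1}}},
    "cold": {"min_age": "30d", "actions": {"freeze": {},
                                           "searchable_snapshot": {"snapshot_repository": "snapshots-b"}}},
}}}

if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(label, storage_plan(policy), lint_policy(policy) or "ok")
```

Running the module prints an empty problem list for GOOD_POLICY, whose three searchable_snapshot actions share one repository and resolve to full_copy in hot and cold and shared_cache in frozen, and four problems for BAD_POLICY: shrink and forcemerge in warm and freeze in cold all follow the hot-phase searchable snapshot, and the cold action points at a different repository.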

@jloleysens jloleysens merged commit cce6861 into elastic:master Mar 2, 2021
@jloleysens jloleysens deleted the ilm/allow-multiple-searchable-snapshot-actions branch March 2, 2021 15:00
jloleysens added a commit to jloleysens/kibana that referenced this pull request Mar 2, 2021
* remove logic that disables SS action in cold if no rollover and always show replicas field

* update test coverage to be consistent with new form behaviour and expand hot phase without rollover test

* only licensing can disable searchable snapshot field

* clean up i18n

* remove ss field callout

* update error reporting logic to include causes chain, also update UI to show causes

* updated searchable snapshot field in hot phase callout

Co-authored-by: Kibana Machine <[email protected]>
jloleysens added a commit to jloleysens/kibana that referenced this pull request Mar 2, 2021
* remove logic that disables SS action in cold if no rollover and always show replicas field

* update test coverage to be consistent with new form behaviour and expand hot phase without rollover test

* only licensing can disable searchable snapshot field

* clean up i18n

* remove ss field callout

* update error reporting logic to include causes chain, also update UI to show causes

* updated searchable snapshot field in hot phase callout

Co-authored-by: Kibana Machine <[email protected]>
gmmorris added a commit to gmmorris/kibana that referenced this pull request Mar 2, 2021
…bana into task-manager/docs-monitoring

* 'task-manager/docs-monitoring' of github.com:gmmorris/kibana:
  [ILM] Allow multiple searchable snapshot actions (elastic#92789)
  Improve consistency for display of management items (elastic#92694)
  skip flaky suite (elastic#93152)
  skip flaky suite (elastic#93152)
  [ILM] Refactor edit_policy client integration tests into separate feature files (elastic#92826)
  Add developer documentation about the building blocks we offer plugin developers (elastic#92743)
  [Security Solution] Case ui enhancement (elastic#91863)
  [Security Solution] [Detections] Updates warning message when no indices match provided index patterns (elastic#93094)
  Collect agent telemetry even when fleet server is disabled. (elastic#93198)
  [Lens] Fix runtime validation error message (elastic#93195)
  [Lens] Remove warning about ordinal x-domain (elastic#93049)
  [Security Solution] Fixes the Customize Event Renderers modal by removing the EuiOverlayMask (elastic#93150)
  Cleanup Security plugin imports (elastic#93056)
  [Security Solution] - Bug fixes (elastic#92294)
  Updated doc links (elastic#92968)
  [ML] Transforms: Fixes chart histograms for runtime fields. (elastic#93028)
  [chore] Enable core's eslint rule: `@ts-expect-error` (elastic#93086)
jloleysens added a commit that referenced this pull request Mar 2, 2021
* remove logic that disables SS action in cold if no rollover and always show replicas field

* update test coverage to be consistent with new form behaviour and expand hot phase without rollover test

* only licensing can disable searchable snapshot field

* clean up i18n

* remove ss field callout

* update error reporting logic to include causes chain, also update UI to show causes

* updated searchable snapshot field in hot phase callout

Co-authored-by: Kibana Machine <[email protected]>

Co-authored-by: Kibana Machine <[email protected]>
jloleysens added a commit that referenced this pull request Mar 2, 2021
* remove logic that disables SS action in cold if no rollover and always show replicas field

* update test coverage to be consistent with new form behaviour and expand hot phase without rollover test

* only licensing can disable searchable snapshot field

* clean up i18n

* remove ss field callout

* update error reporting logic to include causes chain, also update UI to show causes

* updated searchable snapshot field in hot phase callout

Co-authored-by: Kibana Machine <[email protected]>

Co-authored-by: Kibana Machine <[email protected]>
gmmorris added a commit to gmmorris/kibana that referenced this pull request Mar 2, 2021
* master: (199 commits)
  Convert Canvas docs to MDX for use in Elastic Docs (elastic#91969)
  [Bazel] More resilient Workspace Status (elastic#93244)
  [Discover] Change icon of saved search in open search panel and embeddable selection (elastic#93001)
  [Workplace Search] Role Mappings to Kibana (elastic#93123)
  [Fleet] Use type-only imports where possible (elastic#92979)
  [Lens] Set pie chart slices sorted clockwise (elastic#92617)
  Remove ms label from CPU load on status page (elastic#92836)
  [App Search] Migrate Create Meta Engine View (elastic#92127)
  [Time to Visualize] Disable Visualize URL Tracker When Linked to OriginatingApp (elastic#92917)
  [ILM] Allow multiple searchable snapshot actions (elastic#92789)
  Improve consistency for display of management items (elastic#92694)
  skip flaky suite (elastic#93152)
  skip flaky suite (elastic#93152)
  [ILM] Refactor edit_policy client integration tests into separate feature files (elastic#92826)
  Add developer documentation about the building blocks we offer plugin developers (elastic#92743)
  [Security Solution] Case ui enhancement (elastic#91863)
  [Security Solution] [Detections] Updates warning message when no indices match provided index patterns (elastic#93094)
  Collect agent telemetry even when fleet server is disabled. (elastic#93198)
  [Lens] Fix runtime validation error message (elastic#93195)
  [Lens] Remove warning about ordinal x-domain (elastic#93049)
  ...
Labels
Feature:ILM release_note:skip Skip the PR/issue when compiling release notes Team:Kibana Management Dev Tools, Index Management, Upgrade Assistant, ILM, Ingest Node Pipelines, and more v7.12.1 v7.13.0 v8.0.0
6 participants