@dhurley14
Contributor

Summary

fixes https://github.com/elastic/siem-team/issues/697

Source of the error was the addition of updateApiKey #67364 which would invalidate the api key of the rule as it was running or before it could start running which would yield the errors displayed in the above issue.

The fix involves creating the rule as disabled first, so that the task manager does not pick it up until after the actions are updated inside of https://github.com/patrykkopycinski/kibana/blob/f7e8c597b16756b2af15e81dfa0695d3d890c619/x-pack/plugins/siem/server/lib/detection_engine/rules/update_rules_notifications.ts and the call to updateApiKey is executed. After this, we enable the rule, which will allow task manager to pick up the rule and begin executing, this time with a new api key.

I have an idea that this PR may actually allow us to remove the updateApiKey call inside of https://github.com/patrykkopycinski/kibana/blob/f7e8c597b16756b2af15e81dfa0695d3d890c619/x-pack/plugins/siem/server/lib/detection_engine/rules/update_rules_notifications.ts since it will generate a new api key when it enables the rule. I will test that out later. Wanted to get feedback on this method first before changing anything further.

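The ordering described in the summary, as an added TypeScript model (not Kibana's own code): ApiKeyStore, TaskManager and AlertsClient are hypothetical stand-ins for the real plugins, and a task captures the rule's API key when it is claimed. Rotating the key after an enabled rule has already been claimed makes that first run fail, while creating the rule disabled and enabling it only after updateRulesNotifications lets the run authenticate with a current key.

```typescript
type ApiKey = string;

interface Rule {
  id: string;
  enabled: boolean;
  apiKey: ApiKey | null;
  actions: string[];
}

interface RunResult {
  ruleId: string;
  apiKey: ApiKey;
  outcome: 'success' | 'failure';
}

// Hypothetical stand-in for the API key service: issues, invalidates, checks.
class ApiKeyStore {
  private valid = new Set<ApiKey>();
  private counter = 0;
  issue(): ApiKey {
    const key = `key-${++this.counter}`;
    this.valid.add(key);
    return key;
  }
  invalidate(key: ApiKey): void {
    this.valid.delete(key);
  }
  isValid(key: ApiKey): boolean {
    return this.valid.has(key);
  }
}

// Hypothetical stand-in for task manager. The real scheduler claims the task on
// a background poll; claiming synchronously at schedule time keeps the race
// deterministic without changing its shape: the key captured at claim time is
// the key the execution later authenticates with.
class TaskManager {
  private claimed: Array<{ ruleId: string; apiKey: ApiKey }> = [];
  schedule(rule: Rule): void {
    if (rule.enabled && rule.apiKey !== null) {
      this.claimed.push({ ruleId: rule.id, apiKey: rule.apiKey });
    }
  }
  // Executes every claimed task; a run succeeds only if its key is still valid.
  runAll(keys: ApiKeyStore): RunResult[] {
    const results = this.claimed.map((task) => ({
      ruleId: task.ruleId,
      apiKey: task.apiKey,
      outcome: keys.isValid(task.apiKey) ? ('success' as const) : ('failure' as const),
    }));
    this.claimed = [];
    return results;
  }
}

// Hypothetical stand-in for the alerts client the detection engine calls.
class AlertsClient {
  private rules = new Map<string, Rule>();
  constructor(private keys: ApiKeyStore, private tasks: TaskManager) {}

  create(id: string, enabled: boolean): Rule {
    const rule: Rule = { id, enabled, apiKey: enabled ? this.keys.issue() : null, actions: [] };
    this.rules.set(id, rule);
    this.tasks.schedule(rule); // only an enabled rule is picked up
    return rule;
  }
  get(id: string): Rule {
    const rule = this.rules.get(id);
    if (!rule) throw new Error(`unknown rule ${id}`);
    return rule;
  }
  // Rotates the key; the old one is invalidated even if a claimed run holds it.
  updateApiKey(id: string): void {
    const rule = this.get(id);
    if (rule.apiKey !== null) this.keys.invalidate(rule.apiKey);
    rule.apiKey = this.keys.issue();
  }
  // Enabling mints a fresh key and hands the rule to task manager.
  enable(id: string): void {
    const rule = this.get(id);
    if (rule.enabled) return;
    if (rule.apiKey !== null) this.keys.invalidate(rule.apiKey);
    rule.enabled = true;
    rule.apiKey = this.keys.issue();
    this.tasks.schedule(rule);
  }
}

// Models what the PR describes updateRulesNotifications doing: set the actions,
// then call updateApiKey.
function updateRulesNotifications(client: AlertsClient, id: string, actions: string[]): void {
  client.get(id).actions = actions;
  client.updateApiKey(id);
}

// Before the fix: the rule is created enabled, so it is claimed with key-1,
// and the key rotation that follows invalidates key-1 under the pending run.
function runBeforeFix(): RunResult[] {
  const keys = new ApiKeyStore();
  const tasks = new TaskManager();
  const client = new AlertsClient(keys, tasks);
  client.create('rule-1', true);
  updateRulesNotifications(client, 'rule-1', ['email']);
  return tasks.runAll(keys); // [{ ruleId: 'rule-1', apiKey: 'key-1', outcome: 'failure' }]
}

// After the fix: create disabled, update notifications, then enable.
function runAfterFix(): RunResult[] {
  const keys = new ApiKeyStore();
  const tasks = new TaskManager();
  const client = new AlertsClient(keys, tasks);
  client.create('rule-1', false); // nothing for task manager to claim yet
  updateRulesNotifications(client, 'rule-1', ['email']);
  client.enable('rule-1'); // claimed with the key that is current at enable time
  return tasks.runAll(keys); // [{ ruleId: 'rule-1', apiKey: 'key-2', outcome: 'success' }]
}
```

In this model enable() mints its own key, which is the observation behind the idea that the updateApiKey call in updateRulesNotifications may become redundant once the rule is enabled last.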

@elasticmachine
Contributor

Pinging @elastic/siem (Team:SIEM)

dhurley14 added 5 commits June 5, 2020 14:44
…g where api key was invalidated during alert execution
…erwise the call to updateApiKey inside of updateRulesNotifications will invalidate the api key for the currently running rule and throw an error on the initial rule run
…flects the rules state, adds e2e test case to ensure rule ran successfully instead of just 'going to run'
@dhurley14 dhurley14 force-pushed the update-api-key-catch-22 branch from b043ba9 to 4d4f6bf June 5, 2020 18:48
@dhurley14 dhurley14 closed this Jun 5, 2020
@kibanamachine
Contributor

💔 Build Failed

Test Failures

Kibana Pipeline / kibana-xpack-agent / X-Pack Detection Engine API Integration Tests.x-pack/test/detection_engine_api_integration/security_and_spaces/tests/find_rules·ts.detection engine api security and spaces enabled find_rules should return a single rule when a single rule is loaded from a find with everything for the rule added

Standard Out

Failed Tests Reporter:
  - Test has failed 1 times on tracked branches: https://dryrun


Stack Trace

{ Error: expected { page: 1,
  perPage: 20,
  total: 1,
  data: 
   [ { actions: [],
       created_by: 'elastic',
       description: 'Complex Rule Query',
       enabled: true,
       false_positives: [Object],
       filters: [Object],
       from: 'now-6m',
       immutable: false,
       index: [Object],
       interval: '5m',
       rule_id: 'rule-1',
       language: 'kuery',
       output_index: '.siem-signals-default',
       max_signals: 10,
       risk_score: 1,
       name: 'Complex Rule Query',
       query: 'user.name: root or user.name: admin',
       references: [Object],
       timeline_id: 'timeline_id',
       timeline_title: 'timeline_title',
       meta: [Object],
       severity: 'high',
       updated_by: 'elastic',
       tags: [Object],
       to: 'now',
       type: 'query',
       threat: [Object],
       throttle: 'no_actions',
       note: '# some investigation documentation',
       version: 1,
       exceptions_list: [] } ] } to sort of equal { data: 
   [ { actions: [],
       created_by: 'elastic',
       name: 'Complex Rule Query',
       description: 'Complex Rule Query',
       false_positives: [Object],
       risk_score: 1,
       rule_id: 'rule-1',
       filters: [Object],
       enabled: false,
       index: [Object],
       immutable: false,
       interval: '5m',
       output_index: '.siem-signals-default',
       meta: [Object],
       max_signals: 10,
       tags: [Object],
       to: 'now',
       from: 'now-6m',
       severity: 'high',
       language: 'kuery',
       type: 'query',
       threat: [Object],
       references: [Object],
       throttle: 'no_actions',
       timeline_id: 'timeline_id',
       timeline_title: 'timeline_title',
       updated_by: 'elastic',
       note: '# some investigation documentation',
       version: 1,
       query: 'user.name: root or user.name: admin',
       exceptions_list: [] } ],
  page: 1,
  perPage: 20,
  total: 1 }
    at Assertion.assert (/dev/shm/workspace/kibana/packages/kbn-expect/expect.js:100:11)
    at Assertion.eql (/dev/shm/workspace/kibana/packages/kbn-expect/expect.js:244:8)
    at Context.it (test/detection_engine_api_integration/security_and_spaces/tests/find_rules.ts:92:23)
  showDiff: true }


To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Sep 23, 2021
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

Labels

Feature:Detection Rules Security Solution rules and Detection Engine release_note:fix review Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM v7.7.2 v7.8.1 v7.9.0 v8.0.0
