[7.x] [Security Solution] Narrow down indices to match case descriptions (#89592) (#92283)

* [Security Solution] Narrow down indices to match case descriptions (#89592)

* update default index to match with description

* narrow down indices to match case description

* run specific tests

* run only security solution's tests

* debug users integration test

* wait_for_completion_timeout

* run only security_solution

* add back integration tests

* avoid multiple requests

* uncomment tests

* unskip tests

* add smaller mock data for users and uncommon_processes

* put test back

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
# Conflicts:
#	x-pack/test/api_integration/apis/security_solution/users.ts

* update mocked users data

* update mocked index

* update mocked index

* update mocked index

* update mock data

* update mock data
Angela Chuang 2021-02-23 22:10:03 +00:00 committed by GitHub
parent 02e250c0f2
commit 5c03051487
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
21 changed files with 4150464 additions and 170 deletions


@ -44,9 +44,10 @@ export default function ({ getService }: FtrProviderContext) {
fakePossibleCount: 3,
querySize: 1,
},
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: ['auditbeat-*'],
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
@ -72,9 +73,10 @@ export default function ({ getService }: FtrProviderContext) {
fakePossibleCount: 5,
querySize: 2,
},
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: ['auditbeat-*'],
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
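Review bot: `wait_for_completion_timeout: '10s'` on lines 64 and 75 is sent as an extra key of the securitySolutionSearchStrategy request body, but nothing in this hunk shows the strategy forwarding it to the async-search call, so if the route accepts unknown keys and the strategy drops the option these tests keep passing while the partial-result flakiness the commit targets is untouched. Making the effect observable in at least one test would catch a silently ignored option, e.g. `expect(body.isPartial).to.be(false);` against whatever the destructured response is called here, assuming the strategy surfaces that flag. The same field is added in every other section of this commit, including the index-fields requests whose body is only `indices`/`onlyCheckIfIndicesExist`; it is not visible here whether that strategy reads the option at all. The enclosing `it` callbacks start outside the hunk.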


@ -229,6 +229,7 @@ export default function ({ getService }: FtrProviderContext) {
docValueFields: [],
hostName: 'raspberrypi',
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
expect(hostDetails).to.eql(expectedResult.hostDetails);


@ -42,7 +42,7 @@ export default function ({ getService }: FtrProviderContext) {
to: TO,
from: FROM,
},
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: ['auditbeat-*'],
docValueFields: [],
sort: {
field: HostsFields.lastSeen,
@ -55,6 +55,7 @@ export default function ({ getService }: FtrProviderContext) {
querySize: 1,
},
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
expect(hosts.edges.length).to.be(EDGE_LENGTH);
@ -77,7 +78,7 @@ export default function ({ getService }: FtrProviderContext) {
field: HostsFields.lastSeen,
direction: Direction.asc,
},
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: ['auditbeat-*'],
docValueFields: [],
pagination: {
activePage: 2,
@ -86,6 +87,7 @@ export default function ({ getService }: FtrProviderContext) {
querySize: 2,
},
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
expect(hosts.edges.length).to.be(EDGE_LENGTH);
@ -133,9 +135,10 @@ export default function ({ getService }: FtrProviderContext) {
to: TO,
from: FROM,
},
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: ['auditbeat-*'],
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
@ -148,10 +151,11 @@ export default function ({ getService }: FtrProviderContext) {
.set('kbn-xsrf', 'true')
.send({
factoryQueryType: HostsQueries.firstOrLastSeen,
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: ['auditbeat-*'],
docValueFields: [],
hostName: 'zeek-sensor-san-francisco',
order: 'asc',
wait_for_completion_timeout: '10s',
})
.expect(200);
expect(firstLastSeenHost.firstSeen).to.eql('2019-02-19T19:36:23.561Z');
@ -163,10 +167,11 @@ export default function ({ getService }: FtrProviderContext) {
.set('kbn-xsrf', 'true')
.send({
factoryQueryType: HostsQueries.firstOrLastSeen,
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: ['auditbeat-*'],
docValueFields: [],
hostName: 'zeek-sensor-san-francisco',
order: 'desc',
wait_for_completion_timeout: '10s',
})
.expect(200);
expect(firstLastSeenHost.lastSeen).to.eql('2019-02-19T20:42:33.561Z');
@ -182,6 +187,7 @@ export default function ({ getService }: FtrProviderContext) {
docValueFields: [{ field: '@timestamp', format: 'epoch_millis' }],
hostName: 'zeek-sensor-san-francisco',
order: 'asc',
wait_for_completion_timeout: '10s',
})
.expect(200);
expect(firstLastSeenHost.firstSeen).to.eql(new Date('2019-02-19T19:36:23.561Z').valueOf());
@ -197,6 +203,7 @@ export default function ({ getService }: FtrProviderContext) {
docValueFields: [{ field: '@timestamp', format: 'epoch_millis' }],
hostName: 'zeek-sensor-san-francisco',
order: 'desc',
wait_for_completion_timeout: '10s',
})
.expect(200);
expect(firstLastSeenHost.lastSeen).to.eql(new Date('2019-02-19T20:42:33.561Z').valueOf());


@ -98,6 +98,7 @@ export default function ({ getService }: FtrProviderContext) {
defaultIndex: ['filebeat-*'],
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
@ -119,6 +120,10 @@ export default function ({ getService }: FtrProviderContext) {
defaultIndex: ['filebeat-*'],
docValueFields: [],
inspect: false,
/* We need a very long timeout to avoid returning just partial data.
** https://github.com/elastic/kibana/blob/master/x-pack/test/api_integration/apis/search/search.ts#L18
*/
wait_for_completion_timeout: '10s',
})
.expect(200);
expect(body.authenticationsSuccess!).to.eql(expectedResult.authSuccess);
@ -141,6 +146,7 @@ export default function ({ getService }: FtrProviderContext) {
defaultIndex: ['filebeat-*'],
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
expect(body.uniqueDestinationIps!).to.eql(expectedResult.uniqueDestinationIps);
@ -224,6 +230,7 @@ export default function ({ getService }: FtrProviderContext) {
defaultIndex: ['auditbeat-*'],
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
@ -245,6 +252,7 @@ export default function ({ getService }: FtrProviderContext) {
defaultIndex: ['auditbeat-*'],
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
expect(body.authenticationsSuccess!).to.eql(expectedResult.authSuccess);
@ -267,6 +275,7 @@ export default function ({ getService }: FtrProviderContext) {
defaultIndex: ['auditbeat-*'],
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
expect(body.uniqueDestinationIps!).to.eql(expectedResult.uniqueDestinationIps);
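Review bot: The comment on lines 193–195 justifies the timeout with a link to a line number on `master` (`search.ts#L18`), which will point at the wrong line as soon as that file changes; pin it to a commit SHA or state the reason directly, e.g. `// Without a completion timeout the async search can answer with partial hits, which makes the counts below flaky.`. It also uses a `/* ** */` block style the rest of the file does not, and the identical block is pasted again in the Users section, so one wording kept in one place would be easier to maintain. Only one of the seven requests in this section carries the explanation, which reads as accidental rather than deliberate.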


@ -79,6 +79,7 @@ export default function ({ getService }: FtrProviderContext) {
defaultIndex: ['filebeat-*'],
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
@ -99,6 +100,7 @@ export default function ({ getService }: FtrProviderContext) {
defaultIndex: ['filebeat-*'],
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
@ -119,6 +121,7 @@ export default function ({ getService }: FtrProviderContext) {
defaultIndex: ['filebeat-*'],
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
@ -139,6 +142,7 @@ export default function ({ getService }: FtrProviderContext) {
defaultIndex: ['filebeat-*'],
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
@ -159,6 +163,7 @@ export default function ({ getService }: FtrProviderContext) {
defaultIndex: ['filebeat-*'],
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
@ -179,6 +184,7 @@ export default function ({ getService }: FtrProviderContext) {
defaultIndex: ['filebeat-*'],
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
@ -226,6 +232,7 @@ export default function ({ getService }: FtrProviderContext) {
defaultIndex: ['packetbeat-*'],
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
@ -246,6 +253,7 @@ export default function ({ getService }: FtrProviderContext) {
defaultIndex: ['packetbeat-*'],
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
@ -266,6 +274,7 @@ export default function ({ getService }: FtrProviderContext) {
defaultIndex: ['packetbeat-*'],
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
@ -286,6 +295,7 @@ export default function ({ getService }: FtrProviderContext) {
defaultIndex: ['packetbeat-*'],
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
@ -306,6 +316,7 @@ export default function ({ getService }: FtrProviderContext) {
defaultIndex: ['packetbeat-*'],
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);


@ -24,10 +24,11 @@ export default function ({ getService }: FtrProviderContext) {
.set('kbn-xsrf', 'true')
.send({
ip: '151.205.0.17',
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: ['filebeat-*'],
factoryQueryType: NetworkQueries.details,
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
@ -51,6 +52,7 @@ export default function ({ getService }: FtrProviderContext) {
factoryQueryType: NetworkQueries.details,
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);


@ -32,15 +32,7 @@ export default function ({ getService }: FtrProviderContext) {
.post('/internal/search/securitySolutionSearchStrategy/')
.set('kbn-xsrf', 'true')
.send({
defaultIndex: [
'apm-*-transaction*',
'auditbeat-*',
'endgame-*',
'filebeat-*',
'logs-*',
'packetbeat-*',
'winlogbeat-*',
],
defaultIndex: ['packetbeat-*'],
docValueFields: [],
factoryQueryType: NetworkQueries.dns,
filterQuery:
@ -53,6 +45,7 @@ export default function ({ getService }: FtrProviderContext) {
to: TO,
from: FROM,
},
wait_for_completion_timeout: '10s',
})
.expect(200);
@ -70,7 +63,7 @@ export default function ({ getService }: FtrProviderContext) {
.set('kbn-xsrf', 'true')
.send({
ip: '151.205.0.17',
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: ['packetbeat-*'],
factoryQueryType: NetworkQueries.dns,
docValueFields: [],
inspect: false,
@ -87,6 +80,7 @@ export default function ({ getService }: FtrProviderContext) {
to: TO,
from: FROM,
},
wait_for_completion_timeout: '10s',
})
.expect(200);


@ -35,15 +35,7 @@ export default function ({ getService }: FtrProviderContext) {
.post('/internal/search/securitySolutionSearchStrategy/')
.set('kbn-xsrf', 'true')
.send({
defaultIndex: [
'apm-*-transaction*',
'auditbeat-*',
'endgame-*',
'filebeat-*',
'logs-*',
'packetbeat-*',
'winlogbeat-*',
],
defaultIndex: ['filebeat-*'],
factoryQueryType: NetworkQueries.topNFlow,
flowTarget: FlowTargetSourceDest.source,
sort: { field: NetworkTopTablesFields.bytes_in, direction: Direction.desc },
@ -60,6 +52,7 @@ export default function ({ getService }: FtrProviderContext) {
},
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
@ -81,15 +74,7 @@ export default function ({ getService }: FtrProviderContext) {
.post('/internal/search/securitySolutionSearchStrategy/')
.set('kbn-xsrf', 'true')
.send({
defaultIndex: [
'apm-*-transaction*',
'auditbeat-*',
'endgame-*',
'filebeat-*',
'logs-*',
'packetbeat-*',
'winlogbeat-*',
],
defaultIndex: ['filebeat-*'],
factoryQueryType: 'topNFlow',
filterQuery:
'{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
@ -108,6 +93,7 @@ export default function ({ getService }: FtrProviderContext) {
},
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
@ -129,15 +115,7 @@ export default function ({ getService }: FtrProviderContext) {
.post('/internal/search/securitySolutionSearchStrategy/')
.set('kbn-xsrf', 'true')
.send({
defaultIndex: [
'apm-*-transaction*',
'auditbeat-*',
'endgame-*',
'filebeat-*',
'logs-*',
'packetbeat-*',
'winlogbeat-*',
],
defaultIndex: ['filebeat-*'],
factoryQueryType: 'topNFlow',
filterQuery:
'{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
@ -156,6 +134,7 @@ export default function ({ getService }: FtrProviderContext) {
},
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
expect(networkTopNFlow.edges.length).to.be(EDGE_LENGTH);
@ -171,15 +150,7 @@ export default function ({ getService }: FtrProviderContext) {
.post('/internal/search/securitySolutionSearchStrategy/')
.set('kbn-xsrf', 'true')
.send({
defaultIndex: [
'apm-*-transaction*',
'auditbeat-*',
'endgame-*',
'filebeat-*',
'logs-*',
'packetbeat-*',
'winlogbeat-*',
],
defaultIndex: ['filebeat-*'],
factoryQueryType: 'topNFlow',
filterQuery:
'{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}',
@ -198,6 +169,7 @@ export default function ({ getService }: FtrProviderContext) {
},
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);


@ -47,15 +47,7 @@ export default function ({ getService }: FtrProviderContext) {
.post('/internal/search/securitySolutionSearchStrategy/')
.set('kbn-xsrf', 'true')
.send({
defaultIndex: [
'apm-*-transaction*',
'auditbeat-*',
'endgame-*',
'filebeat-*',
'logs-*',
'packetbeat-*',
'winlogbeat-*',
],
defaultIndex: ['auditbeat-*'],
factoryQueryType: HostsQueries.overview,
timerange: {
interval: '12h',
@ -64,6 +56,7 @@ export default function ({ getService }: FtrProviderContext) {
},
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
expect(overviewHost).to.eql(expectedResult);


@ -49,6 +49,7 @@ export default function ({ getService }: FtrProviderContext) {
},
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
expect(overviewNetwork).to.eql(expectedResult);
@ -89,6 +90,7 @@ export default function ({ getService }: FtrProviderContext) {
},
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
@ -130,6 +132,7 @@ export default function ({ getService }: FtrProviderContext) {
},
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
expect(overviewNetwork).to.eql(expectedResult);


@ -24,6 +24,7 @@ export default function ({ getService }: FtrProviderContext) {
.send({
indices: ['auditbeat-*'],
onlyCheckIfIndicesExist: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
@ -38,6 +39,7 @@ export default function ({ getService }: FtrProviderContext) {
.send({
indices: ['auditbeat-*', 'filebeat-*'],
onlyCheckIfIndicesExist: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
@ -51,6 +53,7 @@ export default function ({ getService }: FtrProviderContext) {
.send({
indices: [],
onlyCheckIfIndicesExist: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
@ -64,6 +67,7 @@ export default function ({ getService }: FtrProviderContext) {
.send({
indices: ['_all'],
onlyCheckIfIndicesExist: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
@ -77,6 +81,7 @@ export default function ({ getService }: FtrProviderContext) {
.send({
indices: [''],
onlyCheckIfIndicesExist: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
@ -90,6 +95,7 @@ export default function ({ getService }: FtrProviderContext) {
.send({
indices: [' '],
onlyCheckIfIndicesExist: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
@ -103,6 +109,7 @@ export default function ({ getService }: FtrProviderContext) {
.send({
indices: ['', 'auditbeat-*'],
onlyCheckIfIndicesExist: false,
wait_for_completion_timeout: '10s',
})
.expect(200);


@ -80,7 +80,7 @@ export default function ({ getService }: FtrProviderContext) {
direction: Direction.desc,
},
fieldRequested: ['@timestamp', 'host.name'],
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: ['auditbeat-*'],
docValueFields: [],
inspect: false,
timerange: {
@ -88,6 +88,7 @@ export default function ({ getService }: FtrProviderContext) {
to: TO,
interval: '12h',
},
wait_for_completion_timeout: '10s',
},
})
.then((resp) => {
@ -124,6 +125,7 @@ export default function ({ getService }: FtrProviderContext) {
to: TO,
interval: '12h',
},
wait_for_completion_timeout: '10s',
},
})
.then((resp) => {
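Review bot: On line 598 the timeout lands inside the nested object that closes on line 599, rather than as a top-level key of the `.send` body as in every other section of this commit; the key of that enclosing object starts before the hunk, so I cannot tell from here whether this is the wrapper the search route actually reads or a sibling it ignores. If the option is only honoured at the top level, these two requests (lines 598 and 606) would be the ones that stay flaky, so it is worth confirming against the route's request schema. The enclosing `it` callbacks begin outside the hunk.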


@ -454,6 +454,7 @@ export default function ({ getService }: FtrProviderContext) {
indexName: INDEX_NAME,
inspect: false,
eventId: ID,
wait_for_completion_timeout: '10s',
})
.expect(200);
expect(sortBy(detailsData, 'name')).to.eql(sortBy(EXPECTED_DATA, 'name'));
@ -471,6 +472,7 @@ export default function ({ getService }: FtrProviderContext) {
indexName: INDEX_NAME,
inspect: false,
eventId: ID,
wait_for_completion_timeout: '10s',
})
.expect(200);
expect({ destinationIpCount, hostCount, processCount, sourceIpCount, userCount }).to.eql(


@ -109,9 +109,10 @@ export default function ({ getService }: FtrProviderContext) {
fakePossibleCount: 30,
querySize: 10,
},
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: ['packetbeat-*'],
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
expect(tls.edges.length).to.be(1);
@ -139,9 +140,10 @@ export default function ({ getService }: FtrProviderContext) {
fakePossibleCount: 30,
querySize: 10,
},
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: ['packetbeat-*'],
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
expect(tls.edges.length).to.be(1);
@ -174,9 +176,10 @@ export default function ({ getService }: FtrProviderContext) {
fakePossibleCount: 30,
querySize: 10,
},
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: ['packetbeat-*'],
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
expect(tls.pageInfo).to.eql(expectedOverviewSourceResult.pageInfo);
@ -203,9 +206,10 @@ export default function ({ getService }: FtrProviderContext) {
fakePossibleCount: 30,
querySize: 10,
},
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: ['packetbeat-*'],
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
})
.expect(200);
expect(tls.pageInfo).to.eql(expectedOverviewDestinationResult.pageInfo);


@ -7,9 +7,16 @@
import expect from '@kbn/expect';
import { HostsQueries } from '../../../../plugins/security_solution/common/search_strategy';
import {
HostsQueries,
HostsUncommonProcessesStrategyResponse,
} from '../../../../plugins/security_solution/common/search_strategy';
import { FtrProviderContext } from '../../ftr_provider_context';
interface UncommonProcessesResponse {
body: HostsUncommonProcessesStrategyResponse;
}
const FROM = '2000-01-01T00:00:00.000Z';
const TO = '3000-01-01T00:00:00.000Z';
@ -20,10 +27,9 @@ export default function ({ getService }: FtrProviderContext) {
const esArchiver = getService('esArchiver');
const supertest = getService('supertest');
// FLAKY: https://github.com/elastic/kibana/issues/90416
describe.skip('uncommon_processes', () => {
before(() => esArchiver.load('auditbeat/hosts'));
after(() => esArchiver.unload('auditbeat/hosts'));
describe('uncommon_processes', () => {
before(() => esArchiver.load('auditbeat/uncommon_processes'));
after(() => esArchiver.unload('auditbeat/uncommon_processes'));
it('should return an edge of length 1 when given a pagination of length 1', async () => {
const { body: UncommonProcesses } = await supertest
@ -43,7 +49,7 @@ export default function ({ getService }: FtrProviderContext) {
fakePossibleCount: 3,
querySize: 1,
},
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: ['auditbeat-uncommon-processes'],
docValueFields: [],
inspect: false,
})
@ -51,103 +57,93 @@ export default function ({ getService }: FtrProviderContext) {
expect(UncommonProcesses.edges.length).to.be(1);
});
it('should return an edge of length 2 when given a pagination of length 2', async () => {
const { body: UncommonProcesses } = await supertest
.post('/internal/search/securitySolutionSearchStrategy/')
.set('kbn-xsrf', 'true')
.send({
factoryQueryType: HostsQueries.uncommonProcesses,
sourceId: 'default',
timerange: {
interval: '12h',
to: TO,
from: FROM,
},
pagination: {
activePage: 0,
cursorStart: 0,
fakePossibleCount: 3,
querySize: 2,
},
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
docValueFields: [],
inspect: false,
})
.expect(200);
describe('when given a pagination of length 2', () => {
let response: null | UncommonProcessesResponse = null;
expect(UncommonProcesses.edges.length).to.be(2);
before(async () => {
response = await supertest
.post('/internal/search/securitySolutionSearchStrategy/')
.set('kbn-xsrf', 'true')
.send({
factoryQueryType: HostsQueries.uncommonProcesses,
sourceId: 'default',
timerange: {
interval: '12h',
to: TO,
from: FROM,
},
pagination: {
activePage: 0,
cursorStart: 0,
fakePossibleCount: 3,
querySize: 2,
},
defaultIndex: ['auditbeat-uncommon-processes'],
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
});
});
it('should return an edge of length 2 ', () => {
expect(response!.body.edges.length).to.be(2);
});
});
it('should return a total count of elements', async () => {
const { body: UncommonProcesses } = await supertest
.post('/internal/search/securitySolutionSearchStrategy/')
.set('kbn-xsrf', 'true')
.send({
factoryQueryType: HostsQueries.uncommonProcesses,
sourceId: 'default',
timerange: {
interval: '12h',
to: TO,
from: FROM,
},
pagination: {
activePage: 0,
cursorStart: 0,
fakePossibleCount: 3,
querySize: 1,
},
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
docValueFields: [],
inspect: false,
})
.expect(200);
describe('when given a pagination of length 1', () => {
let response: null | UncommonProcessesResponse = null;
before(async () => {
response = await supertest
.post('/internal/search/securitySolutionSearchStrategy/')
.set('kbn-xsrf', 'true')
.send({
factoryQueryType: HostsQueries.uncommonProcesses,
sourceId: 'default',
timerange: {
interval: '12h',
to: TO,
from: FROM,
},
pagination: {
activePage: 0,
cursorStart: 0,
fakePossibleCount: 3,
querySize: 1,
},
defaultIndex: ['auditbeat-uncommon-processes'],
docValueFields: [],
inspect: false,
wait_for_completion_timeout: '10s',
});
});
it('should return an edge of length 1 ', () => {
expect(response!.body.edges.length).to.be(1);
});
expect(UncommonProcesses.totalCount).to.be(TOTAL_COUNT);
});
it('should return a total count of elements', () => {
expect(response!.body.totalCount).to.be(TOTAL_COUNT);
});
it('should return a single data set with pagination of 1', async () => {
const { body: UncommonProcesses } = await supertest
.post('/internal/search/securitySolutionSearchStrategy/')
.set('kbn-xsrf', 'true')
.send({
factoryQueryType: HostsQueries.uncommonProcesses,
sourceId: 'default',
timerange: {
interval: '12h',
to: TO,
from: FROM,
it('should return a single data set with pagination of 1', () => {
const expected = {
_id: 'HCFxB2kBR346wHgnL4ik',
instances: 1,
process: {
args: [],
name: ['kworker/u2:0'],
},
pagination: {
activePage: 0,
cursorStart: 0,
fakePossibleCount: 3,
querySize: 1,
user: {
id: ['0'],
name: ['root'],
},
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
docValueFields: [],
inspect: false,
})
.expect(200);
const expected = {
_id: 'HCFxB2kBR346wHgnL4ik',
instances: 1,
process: {
args: [],
name: ['kworker/u2:0'],
},
user: {
id: ['0'],
name: ['root'],
},
hosts: [
{
id: ['zeek-sensor-san-francisco'],
name: ['zeek-sensor-san-francisco'],
},
],
};
expect(UncommonProcesses.edges[0].node).to.eql(expected);
hosts: [
{
id: ['zeek-sensor-san-francisco'],
name: ['zeek-sensor-san-francisco'],
},
],
};
expect(response!.body.edges[0].node).to.eql(expected);
});
});
});
}
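Review bot: The two new `before` hooks (lines 746–769 and 799–822) drop the `.expect(200)` the replaced tests had, so a 4xx/5xx reply is no longer reported at the request and instead surfaces later as a TypeError from `response!.body.edges`; add `.expect(200)` after each `.send({ ... })` so the failure stays at its source. The original `it('should return an edge of length 1 when given a pagination of length 1'` (lines 706–719) is kept alongside the new `describe('when given a pagination of length 1')` that asserts the same thing, and it is now the only request in the file without `wait_for_completion_timeout`, so it is either redundant or the one test that can still see partial results. The `response!` non-null assertions could be replaced by one guard per `it`, e.g. `if (response === null) throw new Error('request was not made');`, so a failed `before` gives a clear message rather than a crash through the type cast.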


@ -22,11 +22,10 @@ const IP = '0.0.0.0';
export default function ({ getService }: FtrProviderContext) {
const esArchiver = getService('esArchiver');
const supertest = getService('supertest');
// Failing: See https://github.com/elastic/kibana/issues/90136
describe.skip('Users', () => {
describe('Users', () => {
describe('With auditbeat', () => {
before(() => esArchiver.load('auditbeat/default'));
after(() => esArchiver.unload('auditbeat/default'));
before(() => esArchiver.load('auditbeat/users'));
after(() => esArchiver.unload('auditbeat/users'));
it('Ensure data is returned from auditbeat', async () => {
const { body: users } = await supertest
@ -40,7 +39,7 @@ export default function ({ getService }: FtrProviderContext) {
to: TO,
from: FROM,
},
defaultIndex: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
defaultIndex: ['auditbeat-users'],
docValueFields: [],
ip: IP,
flowTarget: FlowTarget.destination,
@ -52,9 +51,12 @@ export default function ({ getService }: FtrProviderContext) {
querySize: 10,
},
inspect: false,
/* We need a very long timeout to avoid returning just partial data.
** https://github.com/elastic/kibana/blob/master/x-pack/test/api_integration/apis/search/search.ts#L18
*/
wait_for_completion_timeout: '10s',
})
.expect(200);
expect(users.edges.length).to.be(1);
expect(users.totalCount).to.be(1);
expect(users.edges[0].node.user!.id).to.eql(['0']);


@ -0,0 +1,258 @@
{
"type": "doc",
"value": {
"id": "HCFxB2kBR346wHgnL4ik",
"index": "auditbeat-uncommon-processes",
"source": {
"@timestamp": "2019-02-19T20:27:31.074Z",
"agent": {
"ephemeral_id": "8502ef53-ee89-4b0b-a321-e12726f58084",
"hostname": "zeek-sensor-san-francisco",
"id": "4348052a-b8d2-4577-bca6-aeb71de81993",
"type": "auditbeat",
"version": "8.0.0"
},
"cloud": {
"instance": {
"id": "132972452"
},
"provider": "digitalocean",
"region": "sfo2"
},
"ecs": {
"version": "1.0.0-beta2"
},
"event": {
"action": "process_started",
"dataset": "process",
"kind": "event",
"module": "system"
},
"host": {
"architecture": "x86_64",
"containerized": false,
"hostname": "zeek-sensor-san-francisco",
"id": "2ab45fc1c41e4c84bbd02202a7e5761f",
"name": "zeek-sensor-san-francisco",
"os": {
"codename": "bionic",
"family": "debian",
"kernel": "4.15.0-45-generic",
"name": "Ubuntu",
"platform": "ubuntu",
"version": "18.04.2 LTS (Bionic Beaver)"
}
},
"message": "Process kworker/u2:0 (PID: 5893) by user root STARTED",
"process": {
"args": [
],
"entity_id": "bba738273633ea1cccc6abba38c5d87c1c7baaad869eaaa59a516c62ddd1dd62",
"executable": "",
"name": "kworker/u2:0",
"pid": 5893,
"ppid": 2,
"start": "2019-02-19T20:27:27.470Z",
"working_directory": "/"
},
"service": {
"type": "system"
},
"user": {
"effective": {
"group": {
"id": "0"
},
"id": "0"
},
"group": {
"id": "0",
"name": "root"
},
"id": "0",
"name": "root",
"saved": {
"group": {
"id": "0"
},
"id": "0"
}
}
},
"type": "_doc"
}
}
{
"type": "doc",
"value": {
"id": "AyJ8B2kBR346wHgnJDDU",
"index": "auditbeat-uncommon-processes",
"source": {
"@timestamp": "2019-02-19T20:39:29.051Z",
"agent": {
"ephemeral_id": "1b4978a0-48be-49b1-ac96-323425b389ab",
"hostname": "zeek-sensor-amsterdam",
"id": "e52588e6-7aa3-4c89-a2c4-d6bc5c286db1",
"type": "auditbeat",
"version": "8.0.0"
},
"cloud": {
"instance": {
"id": "133551048"
},
"provider": "digitalocean",
"region": "ams3"
},
"ecs": {
"version": "1.0.0-beta2"
},
"event": {
"action": "process_started",
"dataset": "process",
"kind": "event",
"module": "system"
},
"host": {
"architecture": "x86_64",
"containerized": false,
"hostname": "zeek-sensor-amsterdam",
"id": "2ce8b1e7d69e4a1d9c6bcddc473da9d9",
"name": "zeek-sensor-amsterdam",
"os": {
"codename": "bionic",
"family": "debian",
"kernel": "4.15.0-45-generic",
"name": "Ubuntu",
"platform": "ubuntu",
"version": "18.04.2 LTS (Bionic Beaver)"
}
},
"message": "Process kworker/u2:2 (PID: 32729) by user root STARTED",
"process": {
"args": [
],
"entity_id": "014d841783862c8204967a38a59038f25ae5f7fc9c77293ec4701c6bc39a2e2d",
"executable": "",
"name": "kworker/u2:2",
"pid": 32729,
"ppid": 2,
"start": "2019-02-19T20:39:21.440Z",
"working_directory": "/"
},
"service": {
"type": "system"
},
"user": {
"effective": {
"group": {
"id": "0"
},
"id": "0"
},
"group": {
"id": "0",
"name": "root"
},
"id": "0",
"name": "root",
"saved": {
"group": {
"id": "0"
},
"id": "0"
}
}
},
"type": "_doc"
}
}
{
"type": "doc",
"value": {
"id": "dSJ-B2kBR346wHgnV1E4",
"index": "auditbeat-uncommon-processes",
"source": {
"@timestamp": "2019-02-19T20:41:53.180Z",
"agent": {
"ephemeral_id": "7fddaeb0-9ff1-486f-bca8-b18721c41e7a",
"hostname": "suricata-sensor-san-francisco",
"id": "cca6c2e3-b17b-41c7-b2ad-5b777cf34abc",
"type": "auditbeat",
"version": "8.0.0"
},
"cloud": {
"instance": {
"id": "132794432"
},
"provider": "digitalocean",
"region": "sfo2"
},
"ecs": {
"version": "1.0.0-beta2"
},
"event": {
"action": "process_started",
"dataset": "process",
"kind": "event",
"module": "system"
},
"host": {
"architecture": "x86_64",
"containerized": false,
"hostname": "suricata-sensor-san-francisco",
"id": "f9c7ca2d33f548a8b37667f6fffc59ce",
"name": "suricata-sensor-san-francisco",
"os": {
"codename": "bionic",
"family": "debian",
"kernel": "4.15.0-45-generic",
"name": "Ubuntu",
"platform": "ubuntu",
"version": "18.04.2 LTS (Bionic Beaver)"
}
},
"message": "Process sshd (PID: 24911) by user sshd STARTED",
"process": {
"args": [
"sshd: [net]"
],
"entity_id": "00efb5cdf11c3040ff7958f56b77681b10f7fd8ca675e34a4de253cdefa3c405",
"executable": "/usr/sbin/sshd",
"name": "sshd",
"pid": 24911,
"ppid": 24910,
"start": "2019-02-19T20:41:51.400Z",
"working_directory": "/run/sshd"
},
"service": {
"type": "system"
},
"user": {
"effective": {
"group": {
"id": "65534"
},
"id": "109"
},
"group": {
"id": "65534",
"name": "nogroup"
},
"id": "109",
"name": "sshd",
"saved": {
"group": {
"id": "65534"
},
"id": "109"
}
}
},
"type": "_doc"
}
}



@ -0,0 +1,69 @@
{
"type": "doc",
"value": {
"index": "auditbeat-users",
"type": "_doc",
"id": "Xa2ipWkBCQofM5eXEgsv",
"source": {
"@timestamp": "2018-11-27T02:59:28.060Z",
"auditd": {
"data": {
"hostname": "51.38.82.60",
"terminal": "ssh",
"op": "PAM:bad_ident"
},
"summary": {
"actor": {
"primary": "unset",
"secondary": "root"
},
"object": {
"primary": "ssh",
"secondary": "51.38.82.60",
"type": "user-session"
},
"how": "/usr/sbin/sshd"
},
"sequence": 43319,
"result": "fail",
"session": "unset"
},
"destination" : {
"ip" : "0.0.0.0",
"port": "22"
},
"event": {
"type": "user_err",
"action": "error",
"module": "auditd",
"category": "user-login"
},
"user" : {
"group" : {
"name" : "root",
"id" : "0"
},
"id" : "0",
"name" : "root"
},
"process": {
"exe": "/usr/sbin/sshd",
"pid": "13647"
},
"source": {
"ip": "51.38.82.60"
},
"network": {
"direction": "incoming"
},
"beat": {
"name": "demo-stack-mysql-01",
"hostname": "demo-stack-mysql-01",
"version": "7.0.0-alpha1"
},
"host": {
"name": "demo-stack-mysql-01"
}
}
}
}
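Review bot: The fixture embeds a routable public address, `51.38.82.60`, in `auditd.data.hostname`, `auditd.summary.object.secondary` and `source.ip`; a document that only needs to look like a failed SSH login could use an RFC 5737 documentation address (e.g. `203.0.113.10`) so the repository does not attribute activity to a real third-party host. The assertions visible in the Users section (lines 931–933) match on edge count, total count and user id rather than on the IP, so the swap looks safe, though the assertions past line 933 are outside this view. The two sibling sections suppressed as too large presumably account for most of the 4150464 added lines in the diffstat (their names are not shown here); if they are copied mapping files, trimming them to the fields these tests query would match the "smaller mock data" intent of the commit.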

