[master] More precise alerts matching (#99820)

* Split out test preparation and cleanup

* Load data on the remote cluster

* Update the rule to the new (remote) data
Domenico Andreoli 2021-06-07 14:41:33 +02:00 committed by GitHub
parent 3930749f0e
commit a4b4da3674
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -5,7 +5,12 @@
* 2.0.
*/
import fs from 'fs';
import expect from '@kbn/expect';
import { Client as EsClient } from '@elastic/elasticsearch';
import { KbnClient } from '@kbn/test';
import { EsArchiver } from '@kbn/es-archiver';
import { CA_CERT_PATH } from '@kbn/dev-utils';
export default ({ getService, getPageObjects }) => {
describe('Cross cluster search test in discover', async () => {
@ -24,7 +29,6 @@ export default ({ getService, getPageObjects }) => {
const kibanaServer = getService('kibanaServer');
const queryBar = getService('queryBar');
const filterBar = getService('filterBar');
const supertest = getService('supertest');
before(async () => {
await browser.setWindowSize(1200, 800);
@ -98,8 +102,6 @@ export default ({ getService, getPageObjects }) => {
);
await PageObjects.security.logout();
}
// visit app/security so to create .siem-signals-* as side effect
await PageObjects.common.navigateToApp('security', { insertTimestamp: false });
const url = await browser.getCurrentUrl();
log.debug(url);
if (!url.includes('kibana')) {
@ -138,35 +140,6 @@ export default ({ getService, getPageObjects }) => {
expect(patternName).to.be('*:makelogs工程-*');
});
it('create local siem signals index pattern', async () => {
log.debug('Add index pattern: .siem-signals-*');
await supertest
.post('/api/index_patterns/index_pattern')
.set('kbn-xsrf', 'true')
.send({
index_pattern: {
title: '.siem-signals-*',
},
override: true,
})
.expect(200);
});
it('create remote monitoring ES index pattern', async () => {
log.debug('Add index pattern: data:.monitoring-es-*');
await supertest
.post('/api/index_patterns/index_pattern')
.set('kbn-xsrf', 'true')
.send({
index_pattern: {
title: 'data:.monitoring-es-*',
timeFieldName: 'timestamp',
},
override: true,
})
.expect(200);
});
it('local:makelogs(star) should discover data from the local cluster', async () => {
await PageObjects.common.navigateToApp('discover', { insertTimestamp: false });
@ -236,34 +209,151 @@ export default ({ getService, getPageObjects }) => {
});
});
it('should generate alerts based on remote events', async () => {
log.debug('Add detection rule type:shards on data:.monitoring-es-*');
await supertest
.post('/api/detection_engine/rules')
.set('kbn-xsrf', 'true')
.send({
description: 'This is the description of the rule',
risk_score: 17,
severity: 'low',
interval: '10s',
name: 'CCS_Detection_test',
type: 'query',
from: 'now-1d',
index: ['data:.monitoring-es-*'],
timestamp_override: 'timestamp',
query: 'type:shards',
language: 'kuery',
enabled: true,
})
.expect(200);
describe('Detection engine', async function () {
const supertest = getService('supertest');
const esSupertest = getService('esSupertest');
const config = getService('config');
log.debug('Check if any alert got to .siem-signals-*');
await PageObjects.common.navigateToApp('discover', { insertTimestamp: false });
await PageObjects.discover.selectIndexPattern('.siem-signals-*');
await retry.tryForTime(40000, async () => {
const hitCount = await PageObjects.discover.getHitCount();
log.debug('### hit count = ' + hitCount);
expect(hitCount).to.be.greaterThan('0');
const esClient = new EsClient({
ssl: {
ca: fs.readFileSync(CA_CERT_PATH, 'utf-8'),
},
nodes: [process.env.TEST_ES_URLDATA],
requestTimeout: config.get('timeouts.esRequestTimeout'),
});
const kbnClient = new KbnClient({
log,
url: process.env.TEST_KIBANA_URLDATA,
certificateAuthorities: config.get('servers.kibana.certificateAuthorities'),
uiSettingDefaults: kibanaServer.uiSettings,
importExportDir: config.get('kbnArchiver.directory'),
});
const esArchiver = new EsArchiver({
log,
client: esClient,
kbnClient,
dataDir: config.get('esArchiver.directory'),
});
let signalsId;
let dataId;
let ruleId;
before('Prepare .siem-signal-*', async function () {
log.info('Create index');
// visit app/security so to create .siem-signals-* as side effect
await PageObjects.common.navigateToApp('security', { insertTimestamp: false });
log.info('Create index pattern');
signalsId = await supertest
.post('/api/index_patterns/index_pattern')
.set('kbn-xsrf', 'true')
.send({
index_pattern: {
title: '.siem-signals-*',
},
override: true,
})
.expect(200)
.then((res) => JSON.parse(res.text).index_pattern.id);
log.debug('id: ' + signalsId);
});
before('Prepare data:metricbeat-*', async function () {
log.info('Create index');
await esArchiver.load('metricbeat');
log.info('Create index pattern');
dataId = await supertest
.post('/api/index_patterns/index_pattern')
.set('kbn-xsrf', 'true')
.send({
index_pattern: {
title: 'data:metricbeat-*',
},
override: true,
})
.expect(200)
.then((res) => JSON.parse(res.text).index_pattern.id);
log.debug('id: ' + dataId);
});
before('Add detection rule', async function () {
ruleId = await supertest
.post('/api/detection_engine/rules')
.set('kbn-xsrf', 'true')
.send({
description: 'This is the description of the rule',
risk_score: 17,
severity: 'low',
interval: '10s',
name: 'CCS_Detection_test',
type: 'query',
from: 'now-1y',
index: ['data:metricbeat-*'],
query: '*:*',
language: 'kuery',
enabled: true,
})
.expect(200)
.then((res) => JSON.parse(res.text).id);
log.debug('id: ' + ruleId);
});
after('Clean up detection rule', async function () {
if (ruleId !== undefined) {
log.debug('id: ' + ruleId);
await supertest
.delete('/api/detection_engine/rules?id=' + ruleId)
.set('kbn-xsrf', 'true')
.expect(200);
}
});
after('Clean up data:metricbeat-*', async function () {
if (dataId !== undefined) {
log.info('Delete index pattern');
log.debug('id: ' + dataId);
await supertest
.delete('/api/index_patterns/index_pattern/' + dataId)
.set('kbn-xsrf', 'true')
.expect(200);
}
log.info('Delete index');
await esArchiver.unload('metricbeat');
});
after('Clean up .siem-signal-*', async function () {
if (signalsId !== undefined) {
log.info('Delete index pattern: .siem-signals-*');
log.debug('id: ' + signalsId);
await supertest
.delete('/api/index_patterns/index_pattern/' + signalsId)
.set('kbn-xsrf', 'true')
.expect(200);
}
log.info('Delete index alias: .siem-signals-default');
await esSupertest
.delete('/.siem-signals-default-000001/_alias/.siem-signals-default')
.expect(200);
log.info('Delete index: .siem-signals-default-000001');
await esSupertest.delete('/.siem-signals-default-000001').expect(200);
});
it('Should generate alerts based on remote events', async function () {
log.info('Check if any alert got to .siem-signals-*');
await PageObjects.common.navigateToApp('discover', { insertTimestamp: false });
await PageObjects.discover.selectIndexPattern('.siem-signals-*');
await retry.tryForTime(30000, async () => {
const hitCount = await PageObjects.discover.getHitCount();
log.debug('### hit count = ' + hitCount);
expect(hitCount).to.be('100');
});
});
});
});
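Review bot: The remote-cluster clients built at `nodes: [process.env.TEST_ES_URLDATA]` and `url: process.env.TEST_KIBANA_URLDATA` have no check that either variable is set, so on a runner without them the suite is still defined and only fails later inside `before('Prepare data:metricbeat-*')` with an opaque connection error from `esArchiver.load`; a guard at construction time would make the misconfiguration explicit, e.g. `const esUrl = process.env.TEST_ES_URLDATA;` / `if (!esUrl) throw new Error('TEST_ES_URLDATA must point at the remote (data) cluster');` / `nodes: [esUrl],` (and the same for the Kibana URL). In the rule cleanup, `.delete('/api/detection_engine/rules?id=' + ruleId)` builds the query by concatenation; supertest's `.query({ id: ruleId })` would encode the id for you and keeps the URL construction out of string handling. The assertion `expect(hitCount).to.be('100')` pins the result to a count that presumably comes from the size of the `metricbeat` archive, so a comment such as `// 100 == number of documents in the metricbeat archive loaded above` would tell the next maintainer what to update when the archive changes. The enclosing 'Cross cluster search test in discover' suite starts outside this hunk.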