[ML] Functional tests - increase module test coverage (#99758)

This PR adds a couple of API integration tests to get, recognize and set up modules.
Robert Oskamp 2021-05-12 13:18:36 +02:00 committed by GitHub
parent a76677e78f
commit c44e5f75a3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
18 changed files with 43363 additions and 228 deletions


@ -36,6 +36,11 @@ export default function ({ getService, loadTestFile }: FtrProviderContext) {
await ml.testResources.deleteIndexPatternByTitle('ft_module_siem_winlogbeat');
await ml.testResources.deleteIndexPatternByTitle('ft_farequote');
await ml.testResources.deleteIndexPatternByTitle('ft_logs-endpoint.events.*');
await ml.testResources.deleteIndexPatternByTitle('ft_module_metricbeat');
await ml.testResources.deleteIndexPatternByTitle('ft_module_siem_cloudtrail');
await ml.testResources.deleteIndexPatternByTitle('ft_module_metrics_ui');
await ml.testResources.deleteIndexPatternByTitle('ft_module_apache_data_stream');
await ml.testResources.deleteIndexPatternByTitle('ft_module_nginx_data_stream');
await esArchiver.unload('ml/ecommerce');
await esArchiver.unload('ml/categorization');
@ -54,6 +59,11 @@ export default function ({ getService, loadTestFile }: FtrProviderContext) {
await esArchiver.unload('ml/farequote');
await esArchiver.unload('ml/bm_classification');
await esArchiver.unload('ml/ihp_outlier');
await esArchiver.unload('ml/module_metricbeat');
await esArchiver.unload('ml/module_siem_cloudtrail');
await esArchiver.unload('ml/module_metrics_ui');
await esArchiver.unload('ml/module_apache_data_stream');
await esArchiver.unload('ml/module_nginx_data_stream');
await ml.testResources.resetKibanaTimeZone();
});


@ -14,6 +14,7 @@ import { COMMON_REQUEST_HEADERS } from '../../../../functional/services/ml/commo
import { isPopulatedObject } from '../../../../../plugins/ml/common/util/object_utils';
const moduleIds = [
'apache_data_stream',
'apache_ecs',
'apm_jsbase',
'apm_nodejs',
@ -25,6 +26,7 @@ const moduleIds = [
'metricbeat_system_ecs',
'metrics_ui_hosts',
'metrics_ui_k8s',
'nginx_data_stream',
'nginx_ecs',
'sample_data_ecommerce',
'sample_data_weblogs',


@ -7,8 +7,24 @@
import { FtrProviderContext } from '../../../ftr_provider_context';
export default function ({ loadTestFile }: FtrProviderContext) {
export default function ({ getService, loadTestFile }: FtrProviderContext) {
const ml = getService('ml');
const fleetPackages = ['apache-0.5.0', 'nginx-0.5.0'];
describe('modules', function () {
before(async () => {
for (const fleetPackage of fleetPackages) {
await ml.testResources.installFleetPackage(fleetPackage);
}
});
after(async () => {
for (const fleetPackage of fleetPackages) {
await ml.testResources.removeFleetPackage(fleetPackage);
}
});
loadTestFile(require.resolve('./get_module'));
loadTestFile(require.resolve('./recognize_module'));
loadTestFile(require.resolve('./setup_module'));
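Review bot: The `after` hook stops at the first `removeFleetPackage` call that rejects, so a failed removal of the first package leaves the second one installed for whatever suites run next. Attempting every removal and reporting the failures together keeps cleanup complete and still fails the run. A one-line comment on `fleetPackages` saying why these exact versions are pinned would also help whoever has to bump them. The `describe` body continues outside the hunk.

```typescript
after(async () => {
  // Try every package so one failed removal does not leave the rest installed.
  const failures: string[] = [];
  for (const fleetPackage of fleetPackages) {
    try {
      await ml.testResources.removeFleetPackage(fleetPackage);
    } catch (e) {
      failures.push(`${fleetPackage}: ${e instanceof Error ? e.message : String(e)}`);
    }
  }
  if (failures.length > 0) {
    throw new Error(`Fleet packages not removed: ${failures.join('; ')}`);
  }
});
```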


@ -104,7 +104,12 @@ export default ({ getService }: FtrProviderContext) => {
user: USER.ML_POWERUSER,
expected: {
responseCode: 200,
moduleIds: ['siem_winlogbeat'],
moduleIds: [
'security_network',
'security_windows',
'siem_winlogbeat',
'siem_winlogbeat_auth',
],
},
},
{
@ -146,6 +151,56 @@ export default ({ getService }: FtrProviderContext) => {
moduleIds: ['security_linux', 'security_network', 'security_windows'],
},
},
{
testTitleSuffix: 'for metricbeat dataset',
sourceDataArchive: 'ml/module_metricbeat',
indexPattern: 'ft_module_metricbeat',
user: USER.ML_POWERUSER,
expected: {
responseCode: 200,
moduleIds: ['metricbeat_system_ecs', 'security_linux'],
},
},
{
testTitleSuffix: 'for siem clodutrail dataset',
sourceDataArchive: 'ml/module_siem_cloudtrail',
indexPattern: 'ft_module_siem_cloudtrail',
user: USER.ML_POWERUSER,
expected: {
responseCode: 200,
moduleIds: ['siem_cloudtrail'],
},
},
{
testTitleSuffix: 'for metrics ui dataset',
sourceDataArchive: 'ml/module_metrics_ui',
indexPattern: 'ft_module_metrics_ui',
user: USER.ML_POWERUSER,
expected: {
responseCode: 200,
moduleIds: ['security_linux'], // the metrics ui modules don't define a query and can't be recognized
},
},
{
testTitleSuffix: 'for apache data stream dataset',
sourceDataArchive: 'ml/module_apache_data_stream',
indexPattern: 'ft_module_apache_data_stream',
user: USER.ML_POWERUSER,
expected: {
responseCode: 200,
moduleIds: ['apache_data_stream'],
},
},
{
testTitleSuffix: 'for nginx data stream dataset',
sourceDataArchive: 'ml/module_nginx_data_stream',
indexPattern: 'ft_module_nginx_data_stream',
user: USER.ML_POWERUSER,
expected: {
responseCode: 200,
moduleIds: ['nginx_data_stream'],
},
},
];
async function executeRecognizeModuleRequest(indexPattern: string, user: USER, rspCode: number) {
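Review bot: The new case title `testTitleSuffix: 'for siem clodutrail dataset'` misspells cloudtrail, which makes the case harder to find when searching test output by module name; it should read `testTitleSuffix: 'for siem cloudtrail dataset',`. The metrics ui case carries a useful inline comment explaining why only `security_linux` is expected; the metricbeat case, which also lists `security_linux`, would benefit from a similar one-line reason. The array these cases extend starts outside the hunk.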


@ -41,19 +41,16 @@ export default ({ getService }: FtrProviderContext) => {
jobId: 'pf1_low_request_rate',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '10mb',
},
{
jobId: 'pf1_response_code_rates',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '10mb',
},
{
jobId: 'pf1_url_scanning',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '10mb',
},
],
searches: [] as string[],
@ -81,19 +78,16 @@ export default ({ getService }: FtrProviderContext) => {
jobId: 'pf2_low_request_rate',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf2_response_code_rates',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf2_url_scanning',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '16mb',
},
],
searches: [] as string[],
@ -121,31 +115,26 @@ export default ({ getService }: FtrProviderContext) => {
jobId: 'pf3_low_request_rate_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf3_source_ip_request_rate_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf3_source_ip_url_count_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '16mb',
},
{
jobId: 'pf3_status_code_rate_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf3_visitor_rate_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
],
searches: ['ml_http_access_filebeat_ecs'] as string[],
@ -181,19 +170,16 @@ export default ({ getService }: FtrProviderContext) => {
jobId: 'pf4_abnormal_span_durations_nodejs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf4_abnormal_trace_durations_nodejs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf4_decreased_throughput_nodejs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
],
searches: [] as string[],
@ -221,7 +207,6 @@ export default ({ getService }: FtrProviderContext) => {
jobId: 'pf5_high_mean_transaction_duration',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
],
searches: [] as string[],
@ -249,7 +234,6 @@ export default ({ getService }: FtrProviderContext) => {
jobId: 'pf6_log-entry-rate',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
],
searches: [] as string[],
@ -277,7 +261,6 @@ export default ({ getService }: FtrProviderContext) => {
jobId: 'pf7_log-entry-categories-count',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '41mb',
},
],
searches: [] as string[],
@ -304,31 +287,26 @@ export default ({ getService }: FtrProviderContext) => {
jobId: 'pf8_visitor_rate_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf8_status_code_rate_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf8_source_ip_url_count_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '16mb',
},
{
jobId: 'pf8_source_ip_request_rate_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf8_low_request_rate_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
],
searches: ['ml_http_access_filebeat_ecs'] as string[],
@ -364,7 +342,6 @@ export default ({ getService }: FtrProviderContext) => {
jobId: 'pf9_high_sum_total_sales',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
],
searches: [] as string[],
@ -392,7 +369,6 @@ export default ({ getService }: FtrProviderContext) => {
jobId: 'pf11_suspicious_login_activity_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
],
searches: [] as string[],
@ -420,31 +396,26 @@ export default ({ getService }: FtrProviderContext) => {
jobId: 'pf12_packetbeat_dns_tunneling',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '16mb',
},
{
jobId: 'pf12_packetbeat_rare_dns_question',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf12_packetbeat_rare_server_domain',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf12_packetbeat_rare_urls',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf12_packetbeat_rare_user_agent',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
],
searches: [] as string[],
@ -472,7 +443,6 @@ export default ({ getService }: FtrProviderContext) => {
jobId: 'pf13_high_latency_by_geo',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
],
searches: [] as string[],
@ -500,13 +470,11 @@ export default ({ getService }: FtrProviderContext) => {
jobId: 'pf14_hosts_high_count_process_events_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf14_hosts_rare_process_activity_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
],
searches: ['ml_auditbeat_hosts_process_events_ecs'] as string[],
@ -541,37 +509,31 @@ export default ({ getService }: FtrProviderContext) => {
jobId: 'pf15_v2_rare_process_by_host_linux_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf15_v2_linux_rare_metadata_user',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf15_v2_linux_rare_metadata_process',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf15_v2_linux_anomalous_user_name_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf15_v2_linux_anomalous_process_all_hosts_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf15_v2_linux_anomalous_network_port_activity_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
],
searches: [] as string[],
@ -599,49 +561,397 @@ export default ({ getService }: FtrProviderContext) => {
jobId: 'pf16_v2_rare_process_by_host_windows_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf16_v2_windows_anomalous_network_activity_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf16_v2_windows_anomalous_path_activity_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '10mb',
},
{
jobId: 'pf16_v2_windows_anomalous_process_all_hosts_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf16_v2_windows_anomalous_process_creation',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf16_v2_windows_anomalous_user_name_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf16_v2_windows_rare_metadata_process',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf16_v2_windows_rare_metadata_user',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
],
searches: [] as string[],
visualizations: [] as string[],
dashboards: [] as string[],
},
},
{
testTitleSuffix:
'for metricbeat_system_ecs with prefix, startDatafeed true and estimateModelMemory true',
sourceDataArchive: 'ml/module_metricbeat',
indexPattern: { name: 'ft_module_metricbeat', timeField: '@timestamp' },
module: 'metricbeat_system_ecs',
user: USER.ML_POWERUSER,
requestBody: {
prefix: 'pf17_',
indexPatternName: 'ft_module_metricbeat',
startDatafeed: true,
end: Date.now(),
},
expected: {
responseCode: 200,
jobs: [
{
jobId: 'pf17_max_disk_utilization_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf17_metricbeat_outages_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf17_high_mean_cpu_iowait_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
],
searches: [] as string[],
visualizations: [] as string[],
dashboards: [] as string[],
},
},
{
testTitleSuffix:
'for metrics_ui_hosts with prefix, startDatafeed true and estimateModelMemory true',
sourceDataArchive: 'ml/module_metrics_ui',
indexPattern: { name: 'ft_module_metrics_ui', timeField: '@timestamp' },
module: 'metrics_ui_hosts',
user: USER.ML_POWERUSER,
requestBody: {
prefix: 'pf18_',
indexPatternName: 'ft_module_metrics_ui',
startDatafeed: true,
end: Date.now(),
},
expected: {
responseCode: 200,
jobs: [
{
jobId: 'pf18_hosts_memory_usage',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf18_hosts_network_in',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf18_hosts_network_out',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
],
searches: [] as string[],
visualizations: [] as string[],
dashboards: [] as string[],
},
},
{
testTitleSuffix:
'for metrics_ui_k8s with prefix, startDatafeed true and estimateModelMemory true',
sourceDataArchive: 'ml/module_metrics_ui',
indexPattern: { name: 'ft_module_metrics_ui', timeField: '@timestamp' },
module: 'metrics_ui_k8s',
user: USER.ML_POWERUSER,
requestBody: {
prefix: 'pf19_',
indexPatternName: 'ft_module_metrics_ui',
startDatafeed: true,
end: Date.now(),
},
expected: {
responseCode: 200,
jobs: [
{
jobId: 'pf19_k8s_memory_usage',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf19_k8s_network_in',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf19_k8s_network_out',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
],
searches: [] as string[],
visualizations: [] as string[],
dashboards: [] as string[],
},
},
{
testTitleSuffix:
'for siem_cloudtrail with prefix, startDatafeed true and estimateModelMemory true',
sourceDataArchive: 'ml/module_siem_cloudtrail',
indexPattern: { name: 'ft_module_siem_cloudtrail', timeField: '@timestamp' },
module: 'siem_cloudtrail',
user: USER.ML_POWERUSER,
requestBody: {
prefix: 'pf20_',
indexPatternName: 'ft_module_siem_cloudtrail',
startDatafeed: true,
end: Date.now(),
},
expected: {
responseCode: 200,
jobs: [
{
jobId: 'pf20_rare_method_for_a_city',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf20_rare_method_for_a_country',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf20_rare_method_for_a_username',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf20_high_distinct_count_error_message',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf20_rare_error_code',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
],
searches: [] as string[],
visualizations: [] as string[],
dashboards: [] as string[],
},
},
{
testTitleSuffix:
'for siem_winlogbeat with prefix, startDatafeed true and estimateModelMemory true',
sourceDataArchive: 'ml/module_siem_winlogbeat',
indexPattern: { name: 'ft_module_siem_winlogbeat', timeField: '@timestamp' },
module: 'siem_winlogbeat',
user: USER.ML_POWERUSER,
requestBody: {
prefix: 'pf21_',
indexPatternName: 'ft_module_siem_winlogbeat',
startDatafeed: true,
end: Date.now(),
},
expected: {
responseCode: 200,
jobs: [
{
jobId: 'pf21_rare_process_by_host_windows_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf21_windows_anomalous_network_activity_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf21_windows_anomalous_path_activity_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf21_windows_anomalous_process_all_hosts_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf21_windows_anomalous_process_creation',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf21_windows_anomalous_script',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf21_windows_anomalous_service',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf21_windows_anomalous_user_name_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf21_windows_rare_user_runas_event',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf21_windows_rare_metadata_process',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf21_windows_rare_metadata_user',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
],
searches: [] as string[],
visualizations: [] as string[],
dashboards: [] as string[],
},
},
{
testTitleSuffix:
'for siem_winlogbeat_auth with prefix, startDatafeed true and estimateModelMemory true',
sourceDataArchive: 'ml/module_siem_winlogbeat',
indexPattern: { name: 'ft_module_siem_winlogbeat', timeField: '@timestamp' },
module: 'siem_winlogbeat_auth',
user: USER.ML_POWERUSER,
requestBody: {
prefix: 'pf22_',
indexPatternName: 'ft_module_siem_winlogbeat',
startDatafeed: true,
end: Date.now(),
},
expected: {
responseCode: 200,
jobs: [
{
jobId: 'pf22_windows_rare_user_type10_remote_login',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
],
searches: [] as string[],
visualizations: [] as string[],
dashboards: [] as string[],
},
},
{
testTitleSuffix:
'for apache_data_stream with prefix, startDatafeed true and estimateModelMemory true',
sourceDataArchive: 'ml/module_apache_data_stream',
indexPattern: { name: 'ft_module_apache_data_stream', timeField: '@timestamp' },
module: 'apache_data_stream',
user: USER.ML_POWERUSER,
requestBody: {
prefix: 'pf23_',
indexPatternName: 'ft_module_apache_data_stream',
startDatafeed: true,
end: Date.now(),
},
expected: {
responseCode: 200,
jobs: [
{
jobId: 'pf23_visitor_rate_apache',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf23_status_code_rate_apache',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf23_source_ip_url_count_apache',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf23_source_ip_request_rate_apache',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf23_low_request_rate_apache',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
],
searches: [] as string[],
visualizations: [] as string[],
dashboards: [] as string[],
},
},
{
testTitleSuffix:
'for nginx_data_stream with prefix, startDatafeed true and estimateModelMemory true',
sourceDataArchive: 'ml/module_nginx_data_stream',
indexPattern: { name: 'ft_module_nginx_data_stream', timeField: '@timestamp' },
module: 'nginx_data_stream',
user: USER.ML_POWERUSER,
requestBody: {
prefix: 'pf24_',
indexPatternName: 'ft_module_nginx_data_stream',
startDatafeed: true,
end: Date.now(),
},
expected: {
responseCode: 200,
jobs: [
{
jobId: 'pf24_visitor_rate_nginx',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf24_status_code_rate_nginx',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf24_source_ip_url_count_nginx',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf24_source_ip_request_rate_nginx',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
{
jobId: 'pf24_low_request_rate_nginx',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
},
],
searches: [] as string[],
@ -828,7 +1138,7 @@ export default ({ getService }: FtrProviderContext) => {
);
}
// verify job and datafeed creation + states
// verify job + datafeed creation + states and model memory limit
for (const job of testData.expected.jobs) {
const datafeedId = `datafeed-${job.jobId}`;
await ml.api.waitForAnomalyDetectionJobToExist(job.jobId);
@ -838,42 +1148,19 @@ export default ({ getService }: FtrProviderContext) => {
}
await ml.api.waitForJobState(job.jobId, job.jobState);
await ml.api.waitForDatafeedState(datafeedId, job.datafeedState);
// model memory limit should be <= 99mb
const {
body: jobsDetails,
}: {
body: {
jobs: Job[];
};
} = await ml.api.getAnomalyDetectionJob(job.jobId);
const actualModelMemoryLimit = jobsDetails.jobs[0].analysis_limits?.model_memory_limit;
expect(actualModelMemoryLimit).to.match(/\d{1,2}mb/);
}
// compare model memory limits for created jobs
const expectedModelMemoryLimits = sortBy(
testData.expected.jobs.map((j) => ({
id: j.jobId,
modelMemoryLimit: j.modelMemoryLimit,
})),
'id'
);
const {
body: { jobs },
}: {
body: {
jobs: Job[];
};
} = await ml.api.getAnomalyDetectionJob(
testData.expected.jobs.map((j) => j.jobId).join()
);
const actualModelMemoryLimits = sortBy(
jobs.map((j) => ({
id: j.job_id,
modelMemoryLimit: j.analysis_limits!.model_memory_limit,
})),
'id'
);
expect(actualModelMemoryLimits).to.eql(
expectedModelMemoryLimits,
`Expected job model memory limits '${JSON.stringify(
expectedModelMemoryLimits
)}' (got '${JSON.stringify(actualModelMemoryLimits)}')`
);
// verify saved objects creation
for (const search of testData.expected.searches) {
await ml.testResources.assertSavedSearchExistById(search);
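Review bot: The replacement check `expect(actualModelMemoryLimit).to.match(/\d{1,2}mb/)` is unanchored, so it does not enforce the "<= 99mb" bound stated in its comment: a value such as `1024mb` still matches on the `24mb` substring. Anchoring it, `expect(actualModelMemoryLimit).to.match(/^\d{1,2}mb$/);`, makes the assertion mean what the comment says. Because the per-job `modelMemoryLimit` expectations appear to be dropped in the same change, this regex looks like the only remaining guard on the estimated limit. With `analysis_limits?.` an absent limit reaches the matcher as `undefined`, so an explicit existence check before the match would give a clearer failure. The enclosing loop and test body start outside the hunk.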


@ -0,0 +1,441 @@
{
"type": "index",
"value": {
"aliases": {
},
"index": "ft_module_metricbeat",
"mappings": {
"properties": {
"@timestamp": {
"type": "date"
},
"agent": {
"properties": {
"ephemeral_id": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
},
"hostname": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
},
"id": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
},
"type": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
},
"version": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
}
}
},
"cloud": {
"properties": {
"availability_zone": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
},
"instance": {
"properties": {
"id": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
},
"name": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
}
}
},
"machine": {
"properties": {
"type": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
}
}
},
"project": {
"properties": {
"id": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
}
}
},
"provider": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
}
}
},
"ecs": {
"properties": {
"version": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
}
}
},
"event": {
"properties": {
"dataset": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
},
"duration": {
"type": "long"
},
"module": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
}
}
},
"host": {
"properties": {
"architecture": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
},
"containerized": {
"type": "boolean"
},
"hostname": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
},
"id": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
},
"name": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
},
"os": {
"properties": {
"codename": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
},
"family": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
},
"kernel": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
},
"name": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
},
"platform": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
},
"version": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
}
}
}
}
},
"metricset": {
"properties": {
"name": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
}
}
},
"service": {
"properties": {
"type": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
}
}
},
"system": {
"properties": {
"cpu": {
"properties": {
"cores": {
"type": "long"
},
"idle": {
"properties": {
"pct": {
"type": "float"
}
}
},
"iowait": {
"properties": {
"pct": {
"type": "float"
}
}
},
"irq": {
"properties": {
"pct": {
"type": "long"
}
}
},
"nice": {
"properties": {
"pct": {
"type": "long"
}
}
},
"softirq": {
"properties": {
"pct": {
"type": "float"
}
}
},
"steal": {
"properties": {
"pct": {
"type": "long"
}
}
},
"system": {
"properties": {
"pct": {
"type": "float"
}
}
},
"total": {
"properties": {
"pct": {
"type": "float"
}
}
},
"user": {
"properties": {
"pct": {
"type": "float"
}
}
}
}
},
"filesystem": {
"properties": {
"available": {
"type": "long"
},
"device_name": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
},
"files": {
"type": "long"
},
"free": {
"type": "long"
},
"free_files": {
"type": "long"
},
"mount_point": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
},
"total": {
"type": "long"
},
"type": {
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
},
"type": "text"
},
"used": {
"properties": {
"bytes": {
"type": "long"
},
"pct": {
"type": "long"
}
}
}
}
}
}
}
}
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": "5000"
}
},
"number_of_replicas": "0",
"number_of_shards": "1",
"refresh_interval": "-1"
}
}
}
}


@ -528,5 +528,27 @@ export function MachineLearningTestResourcesProvider({ getService }: FtrProvider
}
log.debug('> ML saved objects deleted.');
},
async installFleetPackage(packageIdentifier: string) {
log.debug(`Installing Fleet package'${packageIdentifier}'`);
await supertest
.post(`/api/fleet/epm/packages/${packageIdentifier}`)
.set(COMMON_REQUEST_HEADERS)
.expect(200);
log.debug(` > Installed`);
},
async removeFleetPackage(packageIdentifier: string) {
log.debug(`Removing Fleet package'${packageIdentifier}'`);
await supertest
.delete(`/api/fleet/epm/packages/${packageIdentifier}`)
.set(COMMON_REQUEST_HEADERS)
.expect(200);
log.debug(` > Removed`);
},
};
}
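Review bot: Both new helpers interpolate `packageIdentifier` straight into the request path, so an identifier containing `/`, `?` or `#` would address a different route than the one intended. Passing `encodeURIComponent(packageIdentifier)` in the `.post` and `.delete` paths keeps the value inside a single path segment. The debug messages are also missing a space before the quoted identifier, e.g. `Installing Fleet package '${packageIdentifier}'`. A short comment on each method, such as `// packageIdentifier is '<name>-<version>', e.g. 'apache-0.5.0'; expects HTTP 200`, would document the contract. The provider function these methods belong to starts outside the hunk.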