Commit graph

37474 commits

Author SHA1 Message Date
Larry Gregory bf0f8bbb42
Cleanup feature registration (#80909) 2020-10-20 12:53:43 -04:00
Ryland Herrick b7ffefb48c
[Security Solution][Detections] Fix EQL cypress tests (#80440)
* Unskip EQL tests

These _should_ be fixed with the latest ES on master, but let's see if
CI disagrees.

* Wait until alerts have populated on Rule Details

Occasionally our tests hit a scenario where the rule has executed (its
status is "succeeded"), but the generated alerts have not populated in
the same time frame. In this case the test fails oddly, saying that the
"alert count" element is not there when it is.

I attempted to improve the error message by using a .should() with a
callback, but that led to even stranger behavior as the .should() would
fail once (expected), and then not be able to find the element a second
time. :(

So we instead focus on fixing the real problem, here: wait until alerts
populate (have a non-zero count) before performing the assertion.
Because the page will not update automatically, we can't rely on
cypress' retryability and must instead assert, click Refresh, and assert
again, much like we're doing while waiting for the rule to execute. And
like `waitForTheRuleToBeExecuted`, we're using a while loop that has no
guarantee of ever exiting :(

* More robust cypress assertions

* Uses should with a text matcher instead of using invoke('text')
* Use of not.equal between a string and an element may have been a false
  positive

* Perform cypress loops in a manner guaranteed to exit

We have a few tasks that require polling for some background work to be
completed. The basic form is: assert the byproduct, or refresh the page
and try again.

We were previously doing this with a while loop, which was not
guaranteed to ever complete, leading to cryptic failures if the process
ever hung.

Instead, this implements a safer polling mechanism with a definite
termination similar to the cypress-wait-until plugin.

* Update other specs that are asserting on alerts

* Do not automatically refresh the page
  * This is only necessary if we're not in the state we need. The
    `waitFor` helper functions automatically reload whatever needs to be
    reloaded, so we're delegating this task to them.
* Ensure we wait for alerts to be nonzero before our assertion
  * Otherwise we get some strange behavior around this field's
    availability; see previous commits

* Remove unused import

* Fix false positive in Rule Creation specs

Threat Match Rules introduced an additional query input, causing our
CUSTOM_QUERY_INPUT to be ambiguous.

However, instead of failing due to the ambiguity, the behavior of
cypress seems to be to pass! While I haven't yet tracked down the cause
of these false positives, disambiguating these selectors is the
immediate fix.

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2020-10-20 11:44:46 -05:00
Frank Hassanabad f6d41f4b58
[Security Solutions][Detection Engine] Adds number of signals to waitFor() within integration tests to increase determinism
## Summary

* Fixes https://github.com/elastic/kibana/issues/81119
* Fixes https://github.com/elastic/kibana/issues/81186
* Adds an additional parameter to the waitFor and tweaks the different tests to pass in the number of signals to waitFor.

### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
2020-10-20 10:40:00 -06:00
Christiane (Tina) Heiligers e7f3044b31
Usage collection plugins to ts project refs (#81090) 2020-10-20 09:32:40 -07:00
Bohdan Tsymbala 02c8c36a4e
Btsymbala/keyboard accesibility trusted app deletion (#81156)
* Added auto focusing of confirm button in trusted apps deletion dialog on opening.

* Updated snapshots.

* Updated snapshots after kbn:bootstrap.
2020-10-20 18:13:25 +02:00
Yara Tercero d38955bb3b
[Security Solution][Detections] - rule query preview bug fix (#80750)
### Summary 

This PR addresses the remaining query preview bugs. 

- it adds index, and request information to eql inspect - it seems that for some reason the eql search strategy response returns `null` for the `params.body` in complete responses, but not in partial responses and does not include index info. As a workaround, I set the inspect info on partial responses and manually add index info
  - added to-dos pointing this out in the code
- updated eql sequence queries preview to use the last event timestamp of a sequence to display the hits within a histogram
- it checks buckets length to determine noise warning for threshold rules, as opposed to total hit count
- remove unused i18n text
- fixes bug where threshold is being passed in for all rule types as it's always defined in the creation step, added a check to only pass through to `useMatrixHistogram` hook when rule type is threshold
2020-10-20 12:07:51 -04:00
Charlie Pichette 81ff3b682f
Rename Security Solution Bug Template (#81187) 2020-10-20 09:22:55 -06:00
EamonnTP 7d0ab3a3e7
Update links (#81125) 2020-10-20 15:57:35 +01:00
Marshall Main 39242f11f7
Specify format for date range query (#81025) 2020-10-20 10:23:00 -04:00
Søren Louv-Jansen 35e21dbf37
[Alerting] Improve toast when alert is created (#80327) 2020-10-20 16:20:30 +02:00
Justin Kambic d2c776d1cf
[UX] Add empty states (#80904)
* Add empty state for user experience metrics.

* Add empty state for page load duration metrics.

* Add empty state for core web vitals.

* Fix bug injected by these changes.

* Add a test.
2020-10-20 10:14:42 -04:00
Nathan L Smith 53770a12c9
Add TS config for kibana_legacy (#80992)
* Add TS config for kibana_legacy

To support project references.

References #80508.
2020-10-20 09:12:04 -05:00
Ahmad Bamieh dd5e5279f1
[Telemetry] Add method to enable endpoint security data usage example (#80940) 2020-10-20 17:03:47 +03:00
Justin Kambic cc43b14d17
[Alerting] Add scoped cluster client to alerts and actions services (#80794)
* Add scoped cluster client to alerts and actions services.

* Modify functional test to use new ES client.
2020-10-20 09:54:48 -04:00
Yulia Čech c5bcef45f7
Fix reactRouterNavigate when used with a string (#80520)
* Fix reactRouterNavigate when used with a string

* Update license management snapshots

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2020-10-20 15:44:28 +02:00
Devin W. Hurley b1d04df1f6
[Security Solution] [Detections] Read privileges for dependencies (#80852)
* remove all privileges on hidden saved object type of alert and change alerting privileges to read when read privileges are set for security solution.
2020-10-20 09:44:03 -04:00
James Gowdy 6db108b914
[ML] Fixing exclude frequent in advanced wizard (#81121)
* [ML] Fixing exclude frequent in advanced wizard

* updating description

* adding exclude_frequent to test
2020-10-20 14:00:29 +01:00
Charlie Pichette 8162b961e9
Fix security solution template label (#80976) 2020-10-20 06:42:10 -06:00
James Rodewig 383fa56bf9
[DOCS] Update index management docs (#80893) 2020-10-20 08:38:55 -04:00
Cauê Marcondes 17ccf376d5
[APM] Error rate on service list page is not in sync with the value at the transaction page (#80814)
* fixing error rate

* addressing pr comments

* addressing pr comments

* fixing TS issue

* fixing api test
2020-10-20 14:32:23 +02:00
Tiago Costa bbec35f16e
skip flaky suite (#81072) 2020-10-20 13:18:37 +01:00
Gidi Meir Morris 5460ad741c
[Task Manager] Cleans up legacy plugin structure (#80381)
This PR addresses a list of legacy code debt the plugin has incurred over the past year due to extensive changes in its internals and the adoption of the Kibana Platform.

It includes:
1. The `TaskManager` class has been split into several independent components: `TaskTypeDictionary`,  `TaskPollingLifecycle`,  `TaskScheduling`,  `Middleware`. This has made it easier to understand the roles of the different parts and makes it easier to plug them into the observability work.
2. The exposed `mocks` have been corrected to correctly express the Kibana Platform api
3. The lifecycle has been corrected to remove the need for intermediary streams/promises which were needed when we first introduced the `setup`/`start` lifecycle to support legacy.
4. The Logger mocks have been replaced with the platform's `coreMocks` implementation
5. The integration tests now test the plugin's actual public api (instead of the internals).
6. The Legacy Elasticsearch client has been replaced with the typed client in response to the deprecation notice.
7. Typing has been narrowed to prevent the `type` field from conflicting with the key in the `TaskDictionary`. This could have caused the displayed `type` on a task to differ from the `type` used in the Dictionary itself (this broke a test during refactoring and could have caused a bug in production code if left).
2020-10-20 13:00:13 +01:00
Tim Roes 3a206ab198
Support unsigned_long fields (#81115)
* Support unsigned_long fields

* Change API docs
2020-10-20 13:58:48 +02:00
Sébastien Loix 702e0c7d73
[Form lib] Export internal state instead of raw state (#80842) 2020-10-20 13:51:11 +02:00
Kim S. Ly 08a6ddf25b
[Lens] Add toast notification when visualization is saved (#80788) 2020-10-20 13:46:10 +02:00
Matthew Kime c8e40d52f0
Index pattern edit field formatter API (#78352)
* Index pattern edit field formatter API
2020-10-20 06:31:58 -05:00
Søren Louv-Jansen f57518a48f
[APM] Add correlations API (#78882) 2020-10-20 12:19:54 +02:00
Joe Reuter e1bd1e8373
Add cumulative sum expression function (#80129) 2020-10-20 10:53:02 +02:00
Søren Louv-Jansen 8cd02b9831
[APM] Fix link to trace (#80993) 2020-10-20 09:55:17 +02:00
Mikhail Shustov eb29ab8e2f
Provide url rewritten in onPreRouting interceptor (#80810)
* keep url rewritten in onPreRouting interceptor

* update docs

* add test on undefined
2020-10-20 07:56:40 +02:00
spalger 45cb8134c4 limit renovate to npm packages 2020-10-19 19:40:27 -07:00
PavithraCP 0ab073828d
Fix bug in logs UI link (#80943) 2020-10-19 22:21:04 -04:00
Chris Roberson b019b57422
[Monitoring] Fix bug with setup mode appearing on pages it shouldn't (#80343)
* Ensure we check for local setup mode data first

* Use a context to ensure deeply nested components have access

* Fix snapshots

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2020-10-19 22:05:25 -04:00
Frank Hassanabad b6562bde31
[Security Solution][Detection Engine] Fixes false positives caused by empty records in threat list
## Summary

Fixes false positives that can be caused by empty records in the threat list. Previously I would drop a piece of data in an AND clause if it did not exist in the threat list rather than dropping the entire A clause.

* Adds unit tests
* Adds backend integration tests
* Reduces some boilerplate across the integration tests as suggested in earlier PR reviews

Example is if you create a threat list mapping and add records like so without a field/value such as `host.name`:
```json
"_source" : {
  "@timestamp" : "2020-09-10T00:49:13Z",
  "source" : {
    "ip" : "127.0.0.1",
    "port" : "1001"
  }
}
```

And then you would create an "AND" relationship against the data like so using `host.name` which does not exist in your list:
<img width="1060" alt="Screen Shot 2020-10-16 at 7 29 45 AM" src="https://user-images.githubusercontent.com/1151048/96264530-8581b480-0f81-11eb-8ab9-16160d55c26b.png">

What would happen is that part of the AND would drop and you would match all the `source.ip` which gives us false positives or unexpected results. Instead, with this PR we now drop the entire AND clause if it cannot find part of a record. 

This protection is per record level, so if you have N records where some M set is missing `host.name` only those M record sets would have this "AND" removed.

If you have 1 or more "OR"'s, it will still match the records against those OR's as long as their inner AND clauses have both records in your list match.   

### Checklist

Delete any items that are not applicable to this PR.

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
2020-10-19 19:14:09 -06:00
Nathan Reese 9da5df9ee6
docs test (#81080) 2020-10-19 18:41:37 -06:00
Yuliia Naumenko ea7c255ed1
Fixed alerts ui test timeout issue, related to the multiple server calls for delete all alerts, by reducing the number of alerts to two and increasing retry timeout. (#81067) 2020-10-19 17:18:44 -07:00
Oliver Gupte caba25c294
[APM] Fix service map highlighted edge on node select (#80791)
* Closes #80633 by passing a reference to the core cytoscape options to correctly reset all edges in the map

* removed commented out debugger statement
2020-10-19 16:49:26 -07:00
Justin Kambic babddf4325
Fix typo in toast, slight copy adjustment. (#80843)
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2020-10-19 19:27:25 -04:00
Robert Austin a74cea30c5
[Security Solution] reduce optimizer limits (#80997) 2020-10-19 18:04:21 -04:00
Nathan Reese 22c1b9e8ac
[maps] 7.10 documentation updates (#79917)
* [maps] 7.10 documentation updates

* clean up

* clean up connect-to-elasticsearch reference to renamed page

* Update docs/maps/vector-layer.asciidoc

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>

* review feedback

* move upload intro sentences into geospatial import block

* improvements to Import geospatial data

* fix typo

* Update docs/maps/import-geospatial-data.asciidoc

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>

* Update docs/maps/import-geospatial-data.asciidoc

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>

* Update docs/maps/import-geospatial-data.asciidoc

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>

* Update docs/maps/import-geospatial-data.asciidoc

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>

* Update docs/maps/import-geospatial-data.asciidoc

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>

* review feedback

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
2020-10-19 15:42:15 -06:00
Scotty Bollinger cf13fe2b7c
[Workplace Search] Fix Group Prioritization route and clean up design (#80903)
* Update route path for prioritizations

* Update prioritization spacing

* Lint fix

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2020-10-19 17:08:34 -04:00
Jason Stoltzfus e74613a45f
[Enterprise Search] Added reusable HiddenText component to Credentials (#80033) 2020-10-19 17:06:14 -04:00
Chandler Prall 42a1744af6
Upgrade EUI to v29.5.0 (#80753)
* Upgraded eui to v29.5.0; snapshot updates

* Cleaned up some types

* addresses feedback on types change

* Update EuiIcon snapshots in jest integration tests

* Updated snapshot from rebasing on master
2020-10-19 14:48:33 -06:00
Thomas Neirynck db14725038
[Maps] Fix layer-flash when changing style (#80948) 2020-10-19 15:57:48 -04:00
Devin W. Hurley 2f01a0911c
[Security Solution] [Detections] Disable edit button when user does not have actions privileges w/ rule + actions (#80220)
* disable edit button only when there is an action present on the rule to be edited, but the user attempting the edit does not have actions privileges

* adds tooltip to explain why the edit rule button is disabled

* prevent user from editing rules with actions on the all rules table

* adds tooltip to appear on all rules table

* updates tests for missing params and missing mock of useKibana

* disable activate switch on all rules table and rule details page

* remove as casting in favor of a boolean type guard to ensure actions.show capabilities are a boolean even though they are typed as a boolean | Record

* disable duplicate rule functionality for rules with actions

* fix positioning of tooltips and add tooltip to rule duplicate button in overflow button

* update tests

* WIP - display bulk actions dropdown options as disabled + add tooltips describing why they are disabled

* add eui tool tip as child of each context menu item

* PR feedback and utilize map of rule ids to rules to replace usage of array.finds

* update snapshot

* fix mocks

* fix mocks

* update wording with feedback from design team

Co-authored-by: Patryk Kopycinski <contact@patrykkopycinski.com>
2020-10-19 15:45:32 -04:00
Jason Stoltzfus 4c81b1a64b
[Enterprise Search] Handle loading state on Credentials page (#80035) 2020-10-19 15:10:27 -04:00
Chris Roberson 3f97872055
[Monitoring] Fix cluster listing page in how it handles global state (#78979)
* Properly unset global state on the listing page

* Fix how we handle global state in getSafeForExternalLink

* Fix breadcrumbs for clusters link

* Fix tests

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2020-10-19 15:10:11 -04:00
Jason Stoltzfus 67ec846549
[Enterprise Search] Added an EuiEmptyState to Credentials page #2 (#80034) 2020-10-19 15:09:52 -04:00
Mikhail Shustov a2fe54aef4
promote --focus flag in docs to speed up the build (#80626) 2020-10-19 20:49:57 +02:00
Tyler Smalley a48f02bee4
[docker] Removes unnecessary setguid permissions on source directories (#80452)
Signed-off-by: Tyler Smalley <tyler.smalley@elastic.co>
2020-10-19 11:24:00 -07:00