kibana/x-pack
Andrew Goldstein d503b7268a
[SIEM] Endgame events on the SIEM Overview page (#47774) (#47904)
## Summary

* Adds Endgame events to the SIEM Overview page, per the following screenshot:

<img width="1680" alt="overview-chrome" src="https://user-images.githubusercontent.com/4459398/66524250-26a47800-eaaf-11e9-8ff9-311c031e5d00.png">

* Adds `endgame-*` to the default SIEM index pattern, per the following screenshot:

<img width="1665" alt="siem-advanced-settings" src="https://user-images.githubusercontent.com/4459398/66524300-45a30a00-eaaf-11e9-93c3-dce74917e73a.png">

RELEASE NOTE: To view Endgame events in existing SIEM deployments, you must manually add `endgame-*` to the SIEM index pattern in `Kibana Management > Advanced Settings > SIEM > Elasticsearch indices`. Also note that the `Reset to default` feature for this setting in the Advanced Settings page now includes `endgame-*`.

* Adds the GraphQL plumbing for rendering Endgame data in the Timeline via row renderers (in an upcoming PR), with the introduction of the following fields:

```
dns.question.name
dns.question.type
dns.resolved_ip
dns.response_code
endgame.exit_code
endgame.file_name
endgame.file_path
endgame.logon_type
endgame.parent_process_name
endgame.pid
endgame.process_name
endgame.subject_domain_name
endgame.subject_logon_id
endgame.subject_user_name
endgame.target_domain_name
endgame.target_logon_id
endgame.target_user_name
event.code
file.name
process.hash.md5
process.hash.sha1
process.hash.sha256
user.domain
winlog.event_id
```

## Testing

### Cypress
The `smoke_tests/overview/overview.spec.ts` Cypress test was updated to include the new counts on the Overview page, per the screenshot below:

![cypress-overview-spec](https://user-images.githubusercontent.com/4459398/66529142-8c98fb80-eabf-11e9-800e-a0d9e1e51d6d.png)

### API Integration test

The Overview page API integration test `xpack/test/api_integration/apis/siem/overview_host.ts` was updated to include counts of mock Endgame data added to `test/functional/es_archives/auditbeat/overview/data.json.gz`

### Unit tests

Overview page unit tests were updated to include the new Endgame event counts

### Desk testing

* Desk tested by hand-editing `components/page/overview/overview_host/index.tsx` and setting the `endDate` and `startDate` values below to a fixed datetime:

```
<OverviewHostQuery endDate={endDate} sourceId="default" startDate={startDate}>
```

The counts shown on the overview page were then compared to the counts shown in the timeline in the same date period, to verify the counts match 1:1.

* The additional fields mentioned above in this PR (e.g. `dns.question.name`, `endgame.target_domain_name`) that are now being requested via GraphQL can be seen via the Timeline Inspect (query) feature:

1) Enter `event.module: endgame` in the Timeline KQL bar. (Adjust the date range if necessary.)
2) After Endgame events are displayed in the timeline, click the Inspect button in the Timeline settings gear.

The additional fields (and values) will be included in the Inspect query Request / Response tabs.

### Cross-browser dark/light testing
#### Firefox

<img width="1680" alt="overview-firefox" src="https://user-images.githubusercontent.com/4459398/66524773-9c5d1380-eab0-11e9-9383-c155872881b0.png">

#### Safari

<img width="1680" alt="overview-safari" src="https://user-images.githubusercontent.com/4459398/66524790-a54de500-eab0-11e9-9786-aa7dbe18c1bf.png">

#### IE11

This PR was *not* tested in IE11 due to the current blocker with `react-reverse-portal`

https://github.com/elastic/siem-team/issues/465
https://github.com/elastic/ecs-dev/issues/178
2019-10-11 08:42:58 -06:00

Elastic License Functionality

This directory tree contains files subject to the Elastic License. The files subject to the Elastic License are grouped in this directory to clearly separate them from files licensed under the Apache License 2.0.

Development

By default, Kibana will run with X-Pack installed as mentioned in the contributing guide.

Elasticsearch will run with a basic license. To run with a trial license, including security, you can specify that with the yarn es command.

Example: yarn es snapshot --license trial --password changeme

By default, this will also set the password for native realm accounts to the password provided (changeme by default). This includes the kibana user, which elasticsearch.username defaults to in development. If you wish to specify a password for a given native realm account, you can do so like this: --password.kibana=notsecure

Testing

Running specific tests

Test runner | Test location                          | Runner command (working directory is kibana/x-pack)
Jest        | x-pack/**/*.test.js                    | cd x-pack && node scripts/jest -t regexp [test path]
            | x-pack/**/*.test.ts                    |
Functional  | x-pack/test/*integration/**/config.js  | node scripts/functional_tests_server --config x-pack/test/[directory]/config.js
            | x-pack/test/*functional/config.js      | node scripts/functional_test_runner --config x-pack/test/[directory]/config.js --grep=regexp

Examples:

  • Run the jest test case whose description matches 'filtering should skip values of null':
    cd x-pack && yarn test:jest -t 'filtering should skip values of null' plugins/ml/public/explorer/explorer_charts/explorer_charts_container_service.test.js
  • Run the x-pack api integration test case whose description matches the given string (start the servers first, then run the runner against them, passing the same config to both):
    node scripts/functional_tests_server --config x-pack/test/api_integration/config.js
    node scripts/functional_test_runner --config x-pack/test/api_integration/config.js --grep='apis Monitoring Beats list with restarted beat instance should load multiple clusters'

In addition to providing a regular expression argument, specific tests can also be run by appending .only to an it or describe function block, e.g. by changing describe( to describe.only(.

Running all tests

You can run unit tests by running:

yarn test

If you want to run tests only for a specific plugin (to save some time), you can run:

yarn test --plugins <plugin>[,<plugin>]*    # where <plugin> is "reporting", etc.

Debugging browser tests

yarn test:browser:dev

Initializes an environment for debugging the browser tests. It includes a dedicated instance of the Kibana server for building the test bundle, and a karma server. When running this task the build is optimized for the first time and then a karma-owned instance of the browser is opened. Click the "debug" button to open a new tab that executes the unit tests.

Run single tests by appending grep parameter to the end of the URL. For example http://localhost:9876/debug.html?grep=ML%20-%20Explorer%20Controller will only run tests with 'ML - Explorer Controller' in the describe block.

Running server unit tests

You can run server-side unit tests by running:

yarn test:server

Running functional tests

The functional UI tests, the API integration tests, and the SAML API integration tests are all run against a live browser, Kibana, and Elasticsearch install. Each set of tests is specified with a unique config that describes how to start the Elasticsearch server, the Kibana server, and what tests to run against them. The sets of tests that exist today are functional UI tests (specified by this config), API integration tests (specified by this config), and SAML API integration tests (specified by this config).

The script runs all sets of tests sequentially like so:

  • builds Elasticsearch and X-Pack
  • runs Elasticsearch with X-Pack
  • starts up the Kibana server with X-Pack
  • runs the functional UI tests against those servers
  • tears down the servers
  • repeats the same process for the API and SAML API integration test configs.

To do all of this in a single command run:

node scripts/functional_tests

Developing functional UI tests

If you are developing functional tests then you probably don't want to rebuild Elasticsearch and wait for all that setup on every test run, so instead use this command to build and start just the Elasticsearch and Kibana servers:

node scripts/functional_tests_server

After the servers are started, open a new terminal and run this command to run just the tests (without tearing down Elasticsearch or Kibana):

node scripts/functional_test_runner

For both of the above commands, it's crucial that you pass in --config to specify the same config file to both commands. This makes sure that the right tests will run against the right servers. Typically a set of tests and server configuration go together.

Read more about how the scripts work here.

For a deeper dive, read more about the way functional tests and servers work here.

Running API integration tests

API integration tests are run with a unique setup usually without UI assets built for the Kibana server.

API integration tests are intended to test only the programmatic API exposed by Kibana. There is no need to run a browser and simulate user actions, which significantly reduces execution time. In addition, the configuration for API integration tests typically sets optimize.enabled=false for Kibana because UI assets are usually not needed for these tests.

To run only the API integration tests:

node scripts/functional_tests --config test/api_integration/config

Running SAML API integration tests

We also have SAML API integration tests which set up Elasticsearch and Kibana with SAML support. Run only API integration tests with SAML enabled like so:

node scripts/functional_tests --config test/saml_api_integration/config

Running Jest integration tests

Jest integration tests can be used to test behavior with Elasticsearch and the Kibana server.

node scripts/jest_integration

An example test exists at test_utils/jest/integration_tests/example_integration.test.ts

Running Reporting functional tests

See here for more information on running reporting tests.