
Failing test: X-Pack Detection Engine API Integration Tests.x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/esql·ts - detection engine api security and spaces enabled - rule execution logic ES|QL rule type timestamp override and fallback should generate the correct alerts when timestamp_override defined #171358

Closed
kibanamachine opened this issue Nov 15, 2023 · 5 comments
Labels
failed-test A test failure on a tracked branch, potentially flaky-test Team:Detection Engine Security Solution Detection Engine Area Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. triage_needed

Comments

@kibanamachine

A test failed on a tracked branch

JestAssertionError: expect(received).toHaveProperty(path, value)

Expected path: ["event.ingested"]
Received path: []

Expected value: "2020-10-28T06:00:00.000Z"
Received value: {"@timestamp": "2020-10-28T06:30:00.000Z", "agent.name": "test-1", "event.kind": "signal", "id": "078d3992-dcb4-41e2-86c3-53485c3854c3", "kibana.alert.ancestors": [{"depth": 0, "id": "", "index": "", "type": "event"}], "kibana.alert.depth": 1, "kibana.alert.last_detected": "2023-11-15T21:08:21.417Z", "kibana.alert.original_time": "2020-10-28T06:00:00.000Z", "kibana.alert.reason": "event created high alert Query with a rule id.", "kibana.alert.risk_score": 55, "kibana.alert.rule.actions": [], "kibana.alert.rule.author": [], "kibana.alert.rule.category": "ES|QL Rule", "kibana.alert.rule.consumer": "siem", "kibana.alert.rule.created_at": "2023-11-15T21:08:21.311Z", "kibana.alert.rule.created_by": "elastic", "kibana.alert.rule.description": "Detecting root and admin users", "kibana.alert.rule.enabled": true, "kibana.alert.rule.exceptions_list": [], "kibana.alert.rule.execution.uuid": "bb14cd68-1c08-4332-8933-189f390695d2", "kibana.alert.rule.false_positives": [], "kibana.alert.rule.from": "now-1h", "kibana.alert.rule.immutable": false, "kibana.alert.rule.indices": [], "kibana.alert.rule.interval": "1h", "kibana.alert.rule.max_signals": 100, "kibana.alert.rule.name": "Query with a rule id", "kibana.alert.rule.parameters": {"author": [], "description": "Detecting root and admin users", "exceptions_list": [], "false_positives": [], "from": "now-1h", "immutable": false, "language": "esql", "max_signals": 100, "query": "from ecs_compliant | where id==\"078d3992-dcb4-41e2-86c3-53485c3854c3\" | where agent.name==\"test-1\"", "references": [], "related_integrations": [], "required_fields": [], "risk_score": 55, "risk_score_mapping": [], "rule_id": "rule-1", "setup": "", "severity": "high", "severity_mapping": [], "threat": [], "timestamp_override": "event.ingested", "to": "now", "type": "esql", "version": 1}, "kibana.alert.rule.producer": "preview-producer", "kibana.alert.rule.references": [], "kibana.alert.rule.revision": 0, "kibana.alert.rule.risk_score": 55, 
"kibana.alert.rule.risk_score_mapping": [], "kibana.alert.rule.rule_id": "rule-1", "kibana.alert.rule.rule_type_id": "siem.esqlRule", "kibana.alert.rule.severity": "high", "kibana.alert.rule.severity_mapping": [], "kibana.alert.rule.tags": [], "kibana.alert.rule.threat": [], "kibana.alert.rule.timestamp_override": "event.ingested", "kibana.alert.rule.to": "now", "kibana.alert.rule.type": "esql", "kibana.alert.rule.updated_at": "2023-11-15T21:08:21.311Z", "kibana.alert.rule.updated_by": "elastic", "kibana.alert.rule.uuid": "8ebedfff-0990-4b2a-b114-872ea144da06", "kibana.alert.rule.version": 1, "kibana.alert.severity": "high", "kibana.alert.start": "2023-11-15T21:08:21.417Z", "kibana.alert.status": "active", "kibana.alert.uuid": "ba25a5e000cc8380e63e66409fb682b838f7f9b3", "kibana.alert.workflow_status": "open", "kibana.alert.workflow_tags": [], "kibana.space_ids": ["default"], "kibana.version": "8.12.0-SNAPSHOT"}
    at Context.<anonymous> (esql.ts:526:42)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
    at Object.apply (wrap_function.js:73:16)

First failure: CI Build - main

@kibanamachine kibanamachine added the failed-test A test failure on a tracked branch, potentially flaky-test label Nov 15, 2023
@botelastic botelastic bot added the needs-team Issues missing a team label label Nov 15, 2023
@kibanamachine kibanamachine added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Nov 15, 2023
@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

@botelastic botelastic bot removed the needs-team Issues missing a team label label Nov 15, 2023
@yctercero yctercero added the Team:Detection Engine Security Solution Detection Engine Area label Dec 2, 2023
@yctercero

@vitaliidm can we triage to see if it's a legitimate flake that needs addressing? Many thanks!

@MadameSheema MadameSheema added the Team:Detections and Resp Security Detection Response Team label Dec 3, 2023
@elasticmachine

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@vitaliidm

@yctercero
Ran it in the flaky test runner 200 times: https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/4138
No failures.
Same locally.

@yctercero

Thanks @vitaliidm! I'll close this for now.
