[Discover] Improve doc viewer code in Discover #114759

Conversation

kertal
Member

@kertal kertal commented Oct 13, 2021

Summary

Improving Discover doc view code by applying changes written while space, time (#113814).

  • Mainly it's centralizing the usage of index pattern to a single instance
  • 🧹 Also some more cleanups under the hood
  • Fixes Discover Context silently failing when an invalid index pattern was provided via URL

Checklist

@kertal kertal self-assigned this Oct 13, 2021
@kertal kertal added Feature:Discover Discover Application release_note:skip Skip the PR/issue when compiling release notes v7.16.0 Team:DataDiscovery Discover, search (e.g. data plugin and KQL), data views, saved searches. For ES|QL, use Team:ES|QL. labels Oct 13, 2021
@kertal kertal added the v8.0.0 label Oct 14, 2021
@kertal kertal marked this pull request as ready for review October 15, 2021 09:02
@kertal kertal requested a review from a team as a code owner October 15, 2021 09:02
@elasticmachine
Contributor

Pinging @elastic/kibana-data-discovery (Team:DataDiscovery)

@kertal
Member Author

kertal commented Oct 15, 2021

@elasticmachine merge upstream

Contributor

@dimaanj dimaanj left a comment

LGTM, did some testing.

@kertal
Member Author

kertal commented Oct 18, 2021

@elasticmachine merge upstream

@kertal
Member Author

kertal commented Oct 19, 2021

@elasticmachine merge upstream

@kertal kertal requested a review from majagrubic October 19, 2021 06:00
@kertal
Member Author

kertal commented Oct 19, 2021

@elasticmachine merge upstream

@kibanamachine
Contributor

💛 Build succeeded, but was flaky


Test Failures

Kibana Pipeline / general / X-Pack Detection Engine API Integration Tests.x-pack/test/detection_engine_api_integration/security_and_spaces/tests/generating_signals·ts.detection engine api security and spaces enabled Generating signals from source indexes Signals generated from events with name override field should generate signals with name_override field

Standard Out

Failed Tests Reporter:
  - Test has not failed recently on tracked branches

[00:00:00]     │
[00:00:00]       └-: detection engine api security and spaces enabled
[00:00:00]         └-> "before all" hook in "detection engine api security and spaces enabled"
[00:00:00]         └-: 
[00:00:00]           └-> "before all" hook in ""
[00:17:43]           └-: Generating signals from source indexes
[00:17:43]             └-> "before all" hook in "Generating signals from source indexes"
[00:22:52]             └-: Signals generated from events with name override field
[00:22:52]               └-> "before all" hook for "should generate signals with name_override field"
[00:22:52]               └-> "before all" hook for "should generate signals with name_override field"
[00:22:52]                 │ info [x-pack/test/functional/es_archives/auditbeat/hosts] Loading "mappings.json"
[00:22:52]                 │ info [x-pack/test/functional/es_archives/auditbeat/hosts] Loading "data.json.gz"
[00:22:52]                 │ info [o.e.c.m.MetadataCreateIndexService] [node-01] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:22:52]                 │ info [x-pack/test/functional/es_archives/auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:22:52]                 │ debg [x-pack/test/functional/es_archives/auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","
log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin
","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.d
ata.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.d
ata.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit
.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:22:53]                 │ info [x-pack/test/functional/es_archives/auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:22:53]                 │ info [x-pack/test/functional/es_archives/auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:22:53]               └-> should generate signals with name_override field
[00:22:53]                 └-> "before each" hook: global before each for "should generate signals with name_override field"
[00:22:53]                 └-> "before each" hook for "should generate signals with name_override field"
[00:22:53]                   │ info [o.e.x.i.a.TransportPutLifecycleAction] [node-01] adding index lifecycle policy [.siem-signals-default]
[00:22:53]                   │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:22:53]                   │ info [o.e.c.m.MetadataCreateIndexService] [node-01] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:22:53]                   │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:22:53]                 └-> "before each" hook for "should generate signals with name_override field"
[00:22:53]                   │ info [o.e.c.m.MetadataDeleteIndexService] [node-01] [.siem-signals-default-000001/EZToJH2oTJSuUGSHpGsjxA] deleting index
[00:22:53]                   │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] removing index template [.siem-signals-default]
[00:22:54]                   │ info [o.e.x.i.a.TransportPutLifecycleAction] [node-01] adding index lifecycle policy [.siem-signals-default]
[00:22:54]                   │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:22:54]                   │ info [o.e.c.m.MetadataCreateIndexService] [node-01] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:22:54]                   │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:22:55]                 │ proc [kibana] [2021-10-19T10:17:59.883+00:00][INFO ][plugins.eventLog] event logged: {"@timestamp":"2021-10-19T10:17:59.882Z","event":{"provider":"alerting","action":"execute-start","kind":"alert","category":["siem"],"start":"2021-10-19T10:17:59.882Z"},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"d52c3ee0-30c5-11ec-9cc7-a11162288992","type_id":"siem.signals"}],"task":{"scheduled":"2021-10-19T10:17:58.908Z","schedule_delay":974000000},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d","version":"8.0.0"},"rule":{"id":"d52c3ee0-30c5-11ec-9cc7-a11162288992","license":"basic","category":"siem.signals","ruleset":"siem"},"message":"alert execution start: \"d52c3ee0-30c5-11ec-9cc7-a11162288992\"","ecs":{"version":"1.8.0"}}
[00:22:59]                 │ proc [kibana] [2021-10-19T10:18:03.976+00:00][INFO ][plugins.securitySolution] [+] Finished indexing 100  signals searched between date ranges [
[00:22:59]                 │ proc [kibana]   {
[00:22:59]                 │ proc [kibana]     "to": "2021-10-19T10:18:01.955Z",
[00:22:59]                 │ proc [kibana]     "from": "1900-01-01T00:00:00.000Z",
[00:22:59]                 │ proc [kibana]     "maxSignals": 100
[00:22:59]                 │ proc [kibana]   }
[00:22:59]                 │ proc [kibana] ] name: "Signal Testing Query" id: "d52c3ee0-30c5-11ec-9cc7-a11162288992" rule id: "rule-1" signals index: ".siem-signals-default"
[00:22:59]                 │ proc [kibana] [2021-10-19T10:18:03.987+00:00][INFO ][plugins.eventLog] event logged: {"@timestamp":"2021-10-19T10:17:59.882Z","event":{"provider":"alerting","action":"execute","kind":"alert","category":["siem"],"start":"2021-10-19T10:17:59.882Z","outcome":"success","end":"2021-10-19T10:18:03.986Z","duration":4104000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"d52c3ee0-30c5-11ec-9cc7-a11162288992","type_id":"siem.signals"}],"task":{"scheduled":"2021-10-19T10:17:58.908Z","schedule_delay":974000000},"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d","version":"8.0.0"},"rule":{"id":"d52c3ee0-30c5-11ec-9cc7-a11162288992","license":"basic","category":"siem.signals","ruleset":"siem","name":"Signal Testing Query"},"message":"alert executed: siem.signals:d52c3ee0-30c5-11ec-9cc7-a11162288992: 'Signal Testing Query'","ecs":{"version":"1.8.0"}}
[00:22:59]                 └- ✖ fail: detection engine api security and spaces enabled  Generating signals from source indexes Signals generated from events with name override field should generate signals with name_override field
[00:22:59]                 │       Error: expected { '@timestamp': '2021-10-19T10:18:02.270Z',
[00:22:59]                 │   agent: 
[00:22:59]                 │    { ephemeral_id: '0010d67a-14f7-41da-be30-489fea735967',
[00:22:59]                 │      hostname: 'suricata-zeek-sensor-toronto',
[00:22:59]                 │      id: 'a1d7b39c-f898-4dbe-a761-efb61939302d',
[00:22:59]                 │      type: 'auditbeat',
[00:22:59]                 │      version: '8.0.0' },
[00:22:59]                 │   cloud: 
[00:22:59]                 │    { instance: { id: '133555295' },
[00:22:59]                 │      provider: 'digitalocean',
[00:22:59]                 │      region: 'tor1' },
[00:22:59]                 │   ecs: { version: '1.0.0-beta2' },
[00:22:59]                 │   event: 
[00:22:59]                 │    { action: 'existing_process',
[00:22:59]                 │      dataset: 'process',
[00:22:59]                 │      id: 'dd5a28f2-03ba-47bb-8a4d-a2a7c280b2ae',
[00:22:59]                 │      kind: 'signal',
[00:22:59]                 │      module: 'system' },
[00:22:59]                 │   host: 
[00:22:59]                 │    { architecture: 'x86_64',
[00:22:59]                 │      containerized: false,
[00:22:59]                 │      hostname: 'suricata-zeek-sensor-toronto',
[00:22:59]                 │      id: '8cc95778cce5407c809480e8e32ad76b',
[00:22:59]                 │      name: 'suricata-zeek-sensor-toronto',
[00:22:59]                 │      os: 
[00:22:59]                 │       { codename: 'bionic',
[00:22:59]                 │         family: 'debian',
[00:22:59]                 │         kernel: '4.15.0-45-generic',
[00:22:59]                 │         name: 'Ubuntu',
[00:22:59]                 │         platform: 'ubuntu',
[00:22:59]                 │         version: '18.04.2 LTS (Bionic Beaver)' } },
[00:22:59]                 │   message: 'Process kintegrityd (PID: 24) by user root is RUNNING',
[00:22:59]                 │   process: 
[00:22:59]                 │    { args: [],
[00:22:59]                 │      entity_id: 'a3a52b3fcb9845a56ca2e681009671f79841a70461bc2a2fc086cb73a75f5820',
[00:22:59]                 │      executable: '',
[00:22:59]                 │      name: 'kintegrityd',
[00:22:59]                 │      pid: 24,
[00:22:59]                 │      ppid: 2,
[00:22:59]                 │      start: '2019-02-19T07:39:13.160Z',
[00:22:59]                 │      working_directory: '/' },
[00:22:59]                 │   service: { type: 'system' },
[00:22:59]                 │   user: 
[00:22:59]                 │    { effective: { group: [Object], id: '0' },
[00:22:59]                 │      group: { id: '0', name: 'root' },
[00:22:59]                 │      id: '0',
[00:22:59]                 │      name: 'root',
[00:22:59]                 │      saved: { group: [Object], id: '0' } },
[00:22:59]                 │   signal: 
[00:22:59]                 │    { _meta: { version: 57 },
[00:22:59]                 │      parents: [ [Object] ],
[00:22:59]                 │      ancestors: [ [Object] ],
[00:22:59]                 │      status: 'open',
[00:22:59]                 │      rule: 
[00:22:59]                 │       { id: 'd52c3ee0-30c5-11ec-9cc7-a11162288992',
[00:22:59]                 │         actions: [],
[00:22:59]                 │         interval: '5m',
[00:22:59]                 │         name: 'existing_process',
[00:22:59]                 │         tags: [],
[00:22:59]                 │         enabled: true,
[00:22:59]                 │         created_by: 'elastic',
[00:22:59]                 │         updated_by: 'elastic',
[00:22:59]                 │         throttle: null,
[00:22:59]                 │         created_at: '2021-10-19T10:17:58.766Z',
[00:22:59]                 │         updated_at: '2021-10-19T10:17:58.914Z',
[00:22:59]                 │         description: 'Tests a simple query',
[00:22:59]                 │         risk_score: 1,
[00:22:59]                 │         severity: 'high',
[00:22:59]                 │         output_index: '.siem-signals-default',
[00:22:59]                 │         meta: [Object],
[00:22:59]                 │         rule_name_override: 'event.action',
[00:22:59]                 │         author: [],
[00:22:59]                 │         false_positives: [],
[00:22:59]                 │         from: '1900-01-01T00:00:00.000Z',
[00:22:59]                 │         rule_id: 'rule-1',
[00:22:59]                 │         max_signals: 100,
[00:22:59]                 │         risk_score_mapping: [],
[00:22:59]                 │         severity_mapping: [],
[00:22:59]                 │         threat: [],
[00:22:59]                 │         to: 'now',
[00:22:59]                 │         references: [],
[00:22:59]                 │         version: 1,
[00:22:59]                 │         exceptions_list: [],
[00:22:59]                 │         immutable: false,
[00:22:59]                 │         type: 'query',
[00:22:59]                 │         language: 'kuery',
[00:22:59]                 │         index: [Object],
[00:22:59]                 │         query: '*:*' },
[00:22:59]                 │      reason: 'event with process kintegrityd, by root on suricata-zeek-sensor-toronto created high alert existing_process.',
[00:22:59]                 │      depth: 1,
[00:22:59]                 │      parent: 
[00:22:59]                 │       { id: 'cBbRBmkBR346wHgnjELF',
[00:22:59]                 │         type: 'event',
[00:22:59]                 │         index: 'auditbeat-8.0.0-2019.02.19-000001',
[00:22:59]                 │         depth: 0 },
[00:22:59]                 │      original_time: '2019-02-19T17:33:09.074Z',
[00:22:59]                 │      original_event: 
[00:22:59]                 │       { action: 'existing_process',
[00:22:59]                 │         dataset: 'process',
[00:22:59]                 │         id: 'dd5a28f2-03ba-47bb-8a4d-a2a7c280b2ae',
[00:22:59]                 │         kind: 'state',
[00:22:59]                 │         module: 'system' } } } to sort of equal { '@timestamp': '2021-10-19T10:18:02.270Z',
[00:22:59]                 │   agent: 
[00:22:59]                 │    { ephemeral_id: '1b4978a0-48be-49b1-ac96-323425b389ab',
[00:22:59]                 │      hostname: 'zeek-sensor-amsterdam',
[00:22:59]                 │      id: 'e52588e6-7aa3-4c89-a2c4-d6bc5c286db1',
[00:22:59]                 │      type: 'auditbeat',
[00:22:59]                 │      version: '8.0.0' },
[00:22:59]                 │   cloud: 
[00:22:59]                 │    { instance: { id: '133551048' },
[00:22:59]                 │      provider: 'digitalocean',
[00:22:59]                 │      region: 'ams3' },
[00:22:59]                 │   ecs: { version: '1.0.0-beta2' },
[00:22:59]                 │   event: 
[00:22:59]                 │    { action: 'boot',
[00:22:59]                 │      dataset: 'login',
[00:22:59]                 │      kind: 'signal',
[00:22:59]                 │      module: 'system',
[00:22:59]                 │      origin: '/var/log/wtmp' },
[00:22:59]                 │   host: 
[00:22:59]                 │    { architecture: 'x86_64',
[00:22:59]                 │      containerized: false,
[00:22:59]                 │      hostname: 'zeek-sensor-amsterdam',
[00:22:59]                 │      id: '2ce8b1e7d69e4a1d9c6bcddc473da9d9',
[00:22:59]                 │      name: 'zeek-sensor-amsterdam',
[00:22:59]                 │      os: 
[00:22:59]                 │       { codename: 'bionic',
[00:22:59]                 │         family: 'debian',
[00:22:59]                 │         kernel: '4.15.0-45-generic',
[00:22:59]                 │         name: 'Ubuntu',
[00:22:59]                 │         platform: 'ubuntu',
[00:22:59]                 │         version: '18.04.2 LTS (Bionic Beaver)' } },
[00:22:59]                 │   message: 'System boot',
[00:22:59]                 │   service: { type: 'system' },
[00:22:59]                 │   signal: 
[00:22:59]                 │    { _meta: { version: 57 },
[00:22:59]                 │      parents: [ [Object] ],
[00:22:59]                 │      ancestors: [ [Object] ],
[00:22:59]                 │      status: 'open',
[00:22:59]                 │      reason: 'event on zeek-sensor-amsterdam created high alert boot.',
[00:22:59]                 │      rule: 
[00:22:59]                 │       { id: 'd52c3ee0-30c5-11ec-9cc7-a11162288992',
[00:22:59]                 │         actions: [],
[00:22:59]                 │         interval: '5m',
[00:22:59]                 │         name: 'boot',
[00:22:59]                 │         tags: [],
[00:22:59]                 │         enabled: true,
[00:22:59]                 │         created_by: 'elastic',
[00:22:59]                 │         updated_by: 'elastic',
[00:22:59]                 │         throttle: null,
[00:22:59]                 │         created_at: '2021-10-19T10:17:58.766Z',
[00:22:59]                 │         updated_at: '2021-10-19T10:17:58.914Z',
[00:22:59]                 │         description: 'Tests a simple query',
[00:22:59]                 │         risk_score: 1,
[00:22:59]                 │         severity: 'high',
[00:22:59]                 │         output_index: '.siem-signals-default',
[00:22:59]                 │         meta: [Object],
[00:22:59]                 │         rule_name_override: 'event.action',
[00:22:59]                 │         author: [],
[00:22:59]                 │         false_positives: [],
[00:22:59]                 │         from: '1900-01-01T00:00:00.000Z',
[00:22:59]                 │         rule_id: 'rule-1',
[00:22:59]                 │         max_signals: 100,
[00:22:59]                 │         risk_score_mapping: [],
[00:22:59]                 │         severity_mapping: [],
[00:22:59]                 │         threat: [],
[00:22:59]                 │         to: 'now',
[00:22:59]                 │         references: [],
[00:22:59]                 │         version: 1,
[00:22:59]                 │         exceptions_list: [],
[00:22:59]                 │         immutable: false,
[00:22:59]                 │         type: 'query',
[00:22:59]                 │         language: 'kuery',
[00:22:59]                 │         index: [Object],
[00:22:59]                 │         query: '*:*' },
[00:22:59]                 │      original_time: '2019-02-19T17:33:09.074Z',
[00:22:59]                 │      depth: 1,
[00:22:59]                 │      parent: 
[00:22:59]                 │       { id: 'UBXOBmkBR346wHgnLP8T',
[00:22:59]                 │         type: 'event',
[00:22:59]                 │         index: 'auditbeat-8.0.0-2019.02.19-000001',
[00:22:59]                 │         depth: 0 },
[00:22:59]                 │      original_event: 
[00:22:59]                 │       { action: 'boot',
[00:22:59]                 │         dataset: 'login',
[00:22:59]                 │         kind: 'event',
[00:22:59]                 │         module: 'system',
[00:22:59]                 │         origin: '/var/log/wtmp' } } }
[00:22:59]                 │       + expected - actual
[00:22:59]                 │ 
[00:22:59]                 │        {
[00:22:59]                 │          "@timestamp": "2021-10-19T10:18:02.270Z"
[00:22:59]                 │          "agent": {
[00:22:59]                 │       -    "ephemeral_id": "0010d67a-14f7-41da-be30-489fea735967"
[00:22:59]                 │       -    "hostname": "suricata-zeek-sensor-toronto"
[00:22:59]                 │       -    "id": "a1d7b39c-f898-4dbe-a761-efb61939302d"
[00:22:59]                 │       +    "ephemeral_id": "1b4978a0-48be-49b1-ac96-323425b389ab"
[00:22:59]                 │       +    "hostname": "zeek-sensor-amsterdam"
[00:22:59]                 │       +    "id": "e52588e6-7aa3-4c89-a2c4-d6bc5c286db1"
[00:22:59]                 │            "type": "auditbeat"
[00:22:59]                 │            "version": "8.0.0"
[00:22:59]                 │          }
[00:22:59]                 │          "cloud": {
[00:22:59]                 │            "instance": {
[00:22:59]                 │       -      "id": "133555295"
[00:22:59]                 │       +      "id": "133551048"
[00:22:59]                 │            }
[00:22:59]                 │            "provider": "digitalocean"
[00:22:59]                 │       -    "region": "tor1"
[00:22:59]                 │       +    "region": "ams3"
[00:22:59]                 │          }
[00:22:59]                 │          "ecs": {
[00:22:59]                 │            "version": "1.0.0-beta2"
[00:22:59]                 │          }
[00:22:59]                 │          "event": {
[00:22:59]                 │       -    "action": "existing_process"
[00:22:59]                 │       -    "dataset": "process"
[00:22:59]                 │       -    "id": "dd5a28f2-03ba-47bb-8a4d-a2a7c280b2ae"
[00:22:59]                 │       +    "action": "boot"
[00:22:59]                 │       +    "dataset": "login"
[00:22:59]                 │            "kind": "signal"
[00:22:59]                 │            "module": "system"
[00:22:59]                 │       +    "origin": "/var/log/wtmp"
[00:22:59]                 │          }
[00:22:59]                 │          "host": {
[00:22:59]                 │            "architecture": "x86_64"
[00:22:59]                 │            "containerized": false
[00:22:59]                 │       -    "hostname": "suricata-zeek-sensor-toronto"
[00:22:59]                 │       -    "id": "8cc95778cce5407c809480e8e32ad76b"
[00:22:59]                 │       -    "name": "suricata-zeek-sensor-toronto"
[00:22:59]                 │       +    "hostname": "zeek-sensor-amsterdam"
[00:22:59]                 │       +    "id": "2ce8b1e7d69e4a1d9c6bcddc473da9d9"
[00:22:59]                 │       +    "name": "zeek-sensor-amsterdam"
[00:22:59]                 │            "os": {
[00:22:59]                 │              "codename": "bionic"
[00:22:59]                 │              "family": "debian"
[00:22:59]                 │              "kernel": "4.15.0-45-generic"
[00:22:59]                 │ --
[00:22:59]                 │              "platform": "ubuntu"
[00:22:59]                 │              "version": "18.04.2 LTS (Bionic Beaver)"
[00:22:59]                 │            }
[00:22:59]                 │          }
[00:22:59]                 │       -  "message": "Process kintegrityd (PID: 24) by user root is RUNNING"
[00:22:59]                 │       -  "process": {
[00:22:59]                 │       -    "args": []
[00:22:59]                 │       -    "entity_id": "a3a52b3fcb9845a56ca2e681009671f79841a70461bc2a2fc086cb73a75f5820"
[00:22:59]                 │       -    "executable": ""
[00:22:59]                 │       -    "name": "kintegrityd"
[00:22:59]                 │       -    "pid": 24
[00:22:59]                 │       -    "ppid": 2
[00:22:59]                 │       -    "start": "2019-02-19T07:39:13.160Z"
[00:22:59]                 │       -    "working_directory": "/"
[00:22:59]                 │       -  }
[00:22:59]                 │       +  "message": "System boot"
[00:22:59]                 │          "service": {
[00:22:59]                 │            "type": "system"
[00:22:59]                 │          }
[00:22:59]                 │          "signal": {
[00:22:59]                 │ --
[00:22:59]                 │            }
[00:22:59]                 │            "ancestors": [
[00:22:59]                 │              {
[00:22:59]                 │                "depth": 0
[00:22:59]                 │       -        "id": "cBbRBmkBR346wHgnjELF"
[00:22:59]                 │       +        "id": "UBXOBmkBR346wHgnLP8T"
[00:22:59]                 │                "index": "auditbeat-8.0.0-2019.02.19-000001"
[00:22:59]                 │                "type": "event"
[00:22:59]                 │              }
[00:22:59]                 │            ]
[00:22:59]                 │            "depth": 1
[00:22:59]                 │            "original_event": {
[00:22:59]                 │       -      "action": "existing_process"
[00:22:59]                 │       -      "dataset": "process"
[00:22:59]                 │       -      "id": "dd5a28f2-03ba-47bb-8a4d-a2a7c280b2ae"
[00:22:59]                 │       -      "kind": "state"
[00:22:59]                 │       +      "action": "boot"
[00:22:59]                 │       +      "dataset": "login"
[00:22:59]                 │       +      "kind": "event"
[00:22:59]                 │              "module": "system"
[00:22:59]                 │       +      "origin": "/var/log/wtmp"
[00:22:59]                 │            }
[00:22:59]                 │            "original_time": "2019-02-19T17:33:09.074Z"
[00:22:59]                 │            "parent": {
[00:22:59]                 │              "depth": 0
[00:22:59]                 │       -      "id": "cBbRBmkBR346wHgnjELF"
[00:22:59]                 │       +      "id": "UBXOBmkBR346wHgnLP8T"
[00:22:59]                 │              "index": "auditbeat-8.0.0-2019.02.19-000001"
[00:22:59]                 │              "type": "event"
[00:22:59]                 │            }
[00:22:59]                 │            "parents": [
[00:22:59]                 │              {
[00:22:59]                 │                "depth": 0
[00:22:59]                 │       -        "id": "cBbRBmkBR346wHgnjELF"
[00:22:59]                 │       +        "id": "UBXOBmkBR346wHgnLP8T"
[00:22:59]                 │                "index": "auditbeat-8.0.0-2019.02.19-000001"
[00:22:59]                 │                "type": "event"
[00:22:59]                 │              }
[00:22:59]                 │            ]
[00:22:59]                 │       -    "reason": "event with process kintegrityd, by root on suricata-zeek-sensor-toronto created high alert existing_process."
[00:22:59]                 │       +    "reason": "event on zeek-sensor-amsterdam created high alert boot."
[00:22:59]                 │            "rule": {
[00:22:59]                 │              "actions": []
[00:22:59]                 │              "author": []
[00:22:59]                 │              "created_at": "2021-10-19T10:17:58.766Z"
[00:22:59]                 │ --
[00:22:59]                 │              "max_signals": 100
[00:22:59]                 │              "meta": {
[00:22:59]                 │                "ruleNameOverridden": true
[00:22:59]                 │              }
[00:22:59]                 │       -      "name": "existing_process"
[00:22:59]                 │       +      "name": "boot"
[00:22:59]                 │              "output_index": ".siem-signals-default"
[00:22:59]                 │              "query": "*:*"
[00:22:59]                 │              "references": []
[00:22:59]                 │              "risk_score": 1
[00:22:59]                 │ --
[00:22:59]                 │              "version": 1
[00:22:59]                 │            }
[00:22:59]                 │            "status": "open"
[00:22:59]                 │          }
[00:22:59]                 │       -  "user": {
[00:22:59]                 │       -    "effective": {
[00:22:59]                 │       -      "group": {
[00:22:59]                 │       -        "id": "0"
[00:22:59]                 │       -      }
[00:22:59]                 │       -      "id": "0"
[00:22:59]                 │       -    }
[00:22:59]                 │       -    "group": {
[00:22:59]                 │       -      "id": "0"
[00:22:59]                 │       -      "name": "root"
[00:22:59]                 │       -    }
[00:22:59]                 │       -    "id": "0"
[00:22:59]                 │       -    "name": "root"
[00:22:59]                 │       -    "saved": {
[00:22:59]                 │       -      "group": {
[00:22:59]                 │       -        "id": "0"
[00:22:59]                 │       -      }
[00:22:59]                 │       -      "id": "0"
[00:22:59]                 │       -    }
[00:22:59]                 │       -  }
[00:22:59]                 │        }
[00:22:59]                 │       
[00:22:59]                 │       at Assertion.assert (/dev/shm/workspace/parallel/9/kibana/node_modules/@kbn/expect/expect.js:100:11)
[00:22:59]                 │       at Assertion.eql (/dev/shm/workspace/parallel/9/kibana/node_modules/@kbn/expect/expect.js:244:8)
[00:22:59]                 │       at Context.<anonymous> (test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts:1643:28)
[00:22:59]                 │       at runMicrotasks (<anonymous>)
[00:22:59]                 │       at processTicksAndRejections (node:internal/process/task_queues:96:5)
[00:22:59]                 │       at Object.apply (/dev/shm/workspace/parallel/9/kibana/node_modules/@kbn/test/target_node/functional_test_runner/lib/mocha/wrap_function.js:87:16)
[00:22:59]                 │ 
[00:22:59]                 │ 

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
discover 328.8KB 329.4KB +556.0B

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
discover 22.3KB 22.3KB -26.0B

Unknown metric groups

References to deprecated APIs

id before after diff
discover 1794 1797 +3

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @kertal

@kertal kertal added the auto-backport Deprecated - use backport:version if exact versions are needed label Oct 19, 2021
@kertal kertal merged commit 6a1af30 into elastic:master Oct 19, 2021
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Oct 19, 2021
@kibanamachine
Contributor

💚 Backport successful

Status Branch Result
7.x

This backport PR will be merged automatically after passing CI.

jloleysens added a commit to jloleysens/kibana that referenced this pull request Oct 19, 2021
…-link-to-kibana-app

* 'master' of github.com:elastic/kibana: (30 commits)
  Fix potential error from undefined (elastic#115562)
  [App Search, Crawler] Fix validation step panel padding/whitespace (elastic#115542)
  [Cases][Connectors] ServiceNow ITOM: MVP (elastic#114125)
  Change default session idle timeout to 8 hours. (elastic#115565)
  Upgrade EUI to v39.1.1 (elastic#114732)
  [App Search] Wired up organic results on Curation Suggestions view (elastic#114717)
  [i18n] remove i18n html extractor (elastic#115004)
  [Logs/Metrics UI] Add deprecated field configuration to Deprecations API (elastic#115103)
  [Transform] Add alerting rules management to Transform UI (elastic#115363)
  Update UI links to Fleet and Agent docs (elastic#115295)
  [ML] Adding ability to change data view in advanced job wizard (elastic#115191)
  Change deleteByNamespace to include legacy URL aliases (elastic#115459)
  [Unified Integrations] Remove and cleanup add data views (elastic#115424)
  [Discover] Show ignored field values (elastic#115040)
  [ML] Stop reading the ml.max_open_jobs node attribute (elastic#115524)
  [Discover] Improve doc viewer code in Discover (elastic#114759)
  [Security Solutions] Adds security detection rule actions as importable and exportable (elastic#115243)
  [Security Solution] [Platform] Migrate legacy actions whenever user interacts with the rule (elastic#115101)
  [Fleet] Add telemetry for integration cards (elastic#115413)
  🐛 Fix single percentile case when ES is returning no buckets (elastic#115214)
  ...

# Conflicts:
#	x-pack/plugins/reporting/public/management/__snapshots__/report_listing.test.tsx.snap
kibanamachine added a commit that referenced this pull request Oct 19, 2021
Co-authored-by: Dmitry Tomashevich <[email protected]>

Co-authored-by: Matthias Wilhelm <[email protected]>
Co-authored-by: Dmitry Tomashevich <[email protected]>