[7.x] [Security Solution][Detections] Enable writing rule execution events to Event Log by default (#115394) #115630

Merged
merged 1 commit into from
Oct 19, 2021

Conversation

kibanamachine
Contributor

Backports the following commits to 7.x:

…to Event Log by default (elastic#115394)

* Enable writing rule execution events to Event Log by default

* Update event log provider name according to the RFC

* Fix SavedObjectClient find method arguments

Co-authored-by: Dmitry Shevchenko <[email protected]>
@kibanamachine
Contributor Author

💛 Build succeeded, but was flaky


Test Failures

Kibana Pipeline / general / X-Pack Detection Engine API Integration Tests.x-pack/test/detection_engine_api_integration/security_and_spaces/tests/exception_operators_data_types/text·ts.detection engine api security and spaces enabled Detection exceptions data types and operators Rule exception operators for data type text "is not" operator should filter all words using a common piece of text

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has failed 4 times on tracked branches: https://github.com/elastic/kibana/issues/115310

[00:31:32]                       │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:31:32]                       │ info [o.e.x.i.a.TransportPutLifecycleAction] [node-01] adding index lifecycle policy [.lists-default]
[00:31:32]                       │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:31:32]                       │ info [o.e.x.i.a.TransportPutLifecycleAction] [node-01] adding index lifecycle policy [.items-default]
[00:31:32]                       │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:31:32]                       │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding template [.lists-default] for index patterns [.lists-default-*]
[00:31:32]                       │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding template [.items-default] for index patterns [.items-default-*]
[00:31:32]                       │ info [o.e.c.m.MetadataCreateIndexService] [node-01] [.lists-default-000001] creating index, cause [api], templates [.lists-default], shards [1]/[1]
[00:31:32]                       │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.lists-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.lists-default]
[00:31:32]                       │ info [o.e.c.m.MetadataCreateIndexService] [node-01] [.items-default-000001] creating index, cause [api], templates [.items-default], shards [1]/[1]
[00:31:32]                       │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.lists-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.lists-default]
[00:31:32]                       │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.items-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.items-default]
[00:31:32]                     │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.lists-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.lists-default]
[00:31:41]                     │ proc [kibana]   log   [20:35:40.302] [info][eventLog][plugins] event logged: {"@timestamp":"2021-10-19T20:35:40.302Z","event":{"provider":"alerting","action":"execute-start","kind":"alert","category":["siem"],"start":"2021-10-19T20:35:40.302Z"},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"1bfec710-311c-11ec-b055-3d33aaaee6b5","type_id":"siem.signals"}],"task":{"scheduled":"2021-10-19T20:35:37.056Z","schedule_delay":3246000000},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d","version":"7.16.0"},"rule":{"id":"1bfec710-311c-11ec-b055-3d33aaaee6b5","license":"basic","category":"siem.signals","ruleset":"siem"},"message":"alert execution start: \"1bfec710-311c-11ec-b055-3d33aaaee6b5\"","ecs":{"version":"1.8.0"}}
[00:31:43]                     │ proc [kibana]   log   [20:35:42.090] [info][eventLog][plugins] event logged: {"@timestamp":"2021-10-19T20:35:42.089Z","event":{"provider":"securitySolution.ruleExecution","kind":"event","action":"status-change","sequence":0},"rule":{"id":"1bfec710-311c-11ec-b055-3d33aaaee6b5","name":"Signal Testing Query","category":"siem.signals"},"kibana":{"alert":{"rule":{"execution":{"status":"going to run","status_order":10}}},"space_ids":["default"],"saved_objects":[{"rel":"primary","type":"alert","id":"1bfec710-311c-11ec-b055-3d33aaaee6b5"}],"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d","version":"7.16.0"},"ecs":{"version":"1.8.0"}}
[00:31:44]                     │ proc [kibana]   log   [20:35:43.101] [info][eventLog][plugins] event logged: {"@timestamp":"2021-10-19T20:35:43.100Z","event":{"provider":"securitySolution.ruleExecution","kind":"event","action":"status-change","sequence":1},"rule":{"id":"1bfec710-311c-11ec-b055-3d33aaaee6b5","name":"Signal Testing Query","category":"siem.signals"},"message":"succeeded","kibana":{"alert":{"rule":{"execution":{"status":"succeeded","status_order":0}}},"space_ids":["default"],"saved_objects":[{"rel":"primary","type":"alert","id":"1bfec710-311c-11ec-b055-3d33aaaee6b5"}],"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d","version":"7.16.0"},"ecs":{"version":"1.8.0"}}
[00:31:44]                     │ proc [kibana]   log   [20:35:43.102] [info][plugins][securitySolution] [+] Finished indexing 1  signals searched between date ranges [
[00:31:44]                     │ proc [kibana]   {
[00:31:44]                     │ proc [kibana]     "to": "2021-10-19T20:35:42.094Z",
[00:31:44]                     │ proc [kibana]     "from": "1900-01-01T00:00:00.000Z",
[00:31:44]                     │ proc [kibana]     "maxSignals": 100
[00:31:44]                     │ proc [kibana]   }
[00:31:44]                     │ proc [kibana] ] name: "Signal Testing Query" id: "1bfec710-311c-11ec-b055-3d33aaaee6b5" rule id: "rule-1" signals index: ".siem-signals-default"
[00:31:44]                     │ proc [kibana]   log   [20:35:43.111] [info][eventLog][plugins] event logged: {"@timestamp":"2021-10-19T20:35:40.302Z","event":{"provider":"alerting","action":"execute","kind":"alert","category":["siem"],"start":"2021-10-19T20:35:40.302Z","outcome":"success","end":"2021-10-19T20:35:43.111Z","duration":2809000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"1bfec710-311c-11ec-b055-3d33aaaee6b5","type_id":"siem.signals"}],"task":{"scheduled":"2021-10-19T20:35:37.056Z","schedule_delay":3246000000},"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d","version":"7.16.0"},"rule":{"id":"1bfec710-311c-11ec-b055-3d33aaaee6b5","license":"basic","category":"siem.signals","ruleset":"siem","name":"Signal Testing Query"},"message":"alert executed: siem.signals:1bfec710-311c-11ec-b055-3d33aaaee6b5: 'Signal Testing Query'","ecs":{"version":"1.8.0"}}
[00:31:44]                     └- ✓ pass  (11.4s)
[00:31:44]                   └-> "after each" hook for "should filter 1 single text using a single word"
[00:31:44]                     │ info [o.e.c.m.MetadataDeleteIndexService] [node-01] [.siem-signals-default-000001/7i3KUUy6R0GibFfavueNEw] deleting index
[00:31:44]                     │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.items-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.items-default]
[00:31:44]                     │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.items-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.items-default]
[00:31:44]                     │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] removing index template [.siem-signals-default]
[00:31:45]                     │ proc [kibana]   log   [20:35:44.118] [info][eventLog][plugins] event logged: {"@timestamp":"2021-10-19T20:35:44.117Z","event":{"provider":"securitySolution.ruleExecution","kind":"metric","action":"execution-metrics","sequence":2},"rule":{"id":"1bfec710-311c-11ec-b055-3d33aaaee6b5","name":"Signal Testing Query","category":"siem.signals"},"kibana":{"alert":{"rule":{"execution":{"metrics":{"total_search_duration_ms":8.24,"total_indexing_duration_ms":3.41}}}},"space_ids":["default"],"saved_objects":[{"rel":"primary","type":"alert","id":"1bfec710-311c-11ec-b055-3d33aaaee6b5"}],"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d","version":"7.16.0"},"ecs":{"version":"1.8.0"}}
[00:31:47]                     │ info [o.e.c.m.MetadataDeleteIndexService] [node-01] [.lists-default-000001/0rx9nIoBQxCbz055-XX6gA] deleting index
[00:31:47]                     │ info [o.e.c.m.MetadataDeleteIndexService] [node-01] [.items-default-000001/beH1MIbrTb-qe0PGcMWLgw] deleting index
[00:31:47]                     │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] removing template [.lists-default]
[00:31:47]                     │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] removing template [.items-default]
[00:31:47]                   └-> should filter all words using a common piece of text
[00:31:47]                     └-> "before each" hook: global before each for "should filter all words using a common piece of text"
[00:31:47]                     └-> "before each" hook for "should filter all words using a common piece of text"
[00:31:47]                       │ info [o.e.x.i.a.TransportPutLifecycleAction] [node-01] adding index lifecycle policy [.siem-signals-default]
[00:31:47]                       │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:31:47]                       │ info [o.e.c.m.MetadataCreateIndexService] [node-01] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:31:47]                       │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:31:47]                       │ info [o.e.x.i.a.TransportPutLifecycleAction] [node-01] adding index lifecycle policy [.lists-default]
[00:31:47]                       │ info [o.e.x.i.a.TransportPutLifecycleAction] [node-01] adding index lifecycle policy [.items-default]
[00:31:47]                       │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding template [.lists-default] for index patterns [.lists-default-*]
[00:31:47]                       │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:31:47]                       │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding template [.items-default] for index patterns [.items-default-*]
[00:31:47]                       │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:31:47]                       │ info [o.e.c.m.MetadataCreateIndexService] [node-01] [.lists-default-000001] creating index, cause [api], templates [.lists-default], shards [1]/[1]
[00:31:47]                       │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.lists-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.lists-default]
[00:31:47]                       │ info [o.e.c.m.MetadataCreateIndexService] [node-01] [.items-default-000001] creating index, cause [api], templates [.items-default], shards [1]/[1]
[00:31:47]                       │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.items-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.items-default]
[00:31:56]                     │ proc [kibana]   log   [20:35:55.345] [info][eventLog][plugins] event logged: {"@timestamp":"2021-10-19T20:35:55.344Z","event":{"provider":"alerting","action":"execute-start","kind":"alert","category":["siem"],"start":"2021-10-19T20:35:55.344Z"},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"2506f120-311c-11ec-b055-3d33aaaee6b5","type_id":"siem.signals"}],"task":{"scheduled":"2021-10-19T20:35:52.202Z","schedule_delay":3142000000},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d","version":"7.16.0"},"rule":{"id":"2506f120-311c-11ec-b055-3d33aaaee6b5","license":"basic","category":"siem.signals","ruleset":"siem"},"message":"alert execution start: \"2506f120-311c-11ec-b055-3d33aaaee6b5\"","ecs":{"version":"1.8.0"}}
[00:31:58]                     │ proc [kibana]   log   [20:35:57.268] [info][eventLog][plugins] event logged: {"@timestamp":"2021-10-19T20:35:57.261Z","event":{"provider":"securitySolution.ruleExecution","kind":"event","action":"status-change","sequence":0},"rule":{"id":"2506f120-311c-11ec-b055-3d33aaaee6b5","name":"Signal Testing Query","category":"siem.signals"},"kibana":{"alert":{"rule":{"execution":{"status":"going to run","status_order":10}}},"space_ids":["default"],"saved_objects":[{"rel":"primary","type":"alert","id":"2506f120-311c-11ec-b055-3d33aaaee6b5"}],"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d","version":"7.16.0"},"ecs":{"version":"1.8.0"}}
[00:31:59]                     │ proc [kibana]   log   [20:35:58.256] [info][eventLog][plugins] event logged: {"@timestamp":"2021-10-19T20:35:58.255Z","event":{"provider":"securitySolution.ruleExecution","kind":"event","action":"status-change","sequence":1},"rule":{"id":"2506f120-311c-11ec-b055-3d33aaaee6b5","name":"Signal Testing Query","category":"siem.signals"},"message":"succeeded","kibana":{"alert":{"rule":{"execution":{"status":"succeeded","status_order":0}}},"space_ids":["default"],"saved_objects":[{"rel":"primary","type":"alert","id":"2506f120-311c-11ec-b055-3d33aaaee6b5"}],"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d","version":"7.16.0"},"ecs":{"version":"1.8.0"}}
[00:31:59]                     │ proc [kibana]   log   [20:35:58.256] [info][plugins][securitySolution] [+] Finished indexing 4  signals searched between date ranges [
[00:31:59]                     │ proc [kibana]   {
[00:31:59]                     │ proc [kibana]     "to": "2021-10-19T20:35:57.294Z",
[00:31:59]                     │ proc [kibana]     "from": "1900-01-01T00:00:00.000Z",
[00:31:59]                     │ proc [kibana]     "maxSignals": 100
[00:31:59]                     │ proc [kibana]   }
[00:31:59]                     │ proc [kibana] ] name: "Signal Testing Query" id: "2506f120-311c-11ec-b055-3d33aaaee6b5" rule id: "rule-1" signals index: ".siem-signals-default"
[00:31:59]                     │ proc [kibana]   log   [20:35:58.268] [info][eventLog][plugins] event logged: {"@timestamp":"2021-10-19T20:35:55.344Z","event":{"provider":"alerting","action":"execute","kind":"alert","category":["siem"],"start":"2021-10-19T20:35:55.344Z","outcome":"success","end":"2021-10-19T20:35:58.267Z","duration":2923000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"2506f120-311c-11ec-b055-3d33aaaee6b5","type_id":"siem.signals"}],"task":{"scheduled":"2021-10-19T20:35:52.202Z","schedule_delay":3142000000},"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d","version":"7.16.0"},"rule":{"id":"2506f120-311c-11ec-b055-3d33aaaee6b5","license":"basic","category":"siem.signals","ruleset":"siem","name":"Signal Testing Query"},"message":"alert executed: siem.signals:2506f120-311c-11ec-b055-3d33aaaee6b5: 'Signal Testing Query'","ecs":{"version":"1.8.0"}}
[00:31:59]                     └- ✖ fail: detection engine api security and spaces enabled  Detection exceptions data types and operators  Rule exception operators for data type text "is not" operator should filter all words using a common piece of text
[00:31:59]                     │       Error: expected [] to sort of equal [ 'word four', 'word one', 'word three', 'word two' ]
[00:31:59]                     │       + expected - actual
[00:31:59]                     │ 
[00:31:59]                     │       -[]
[00:31:59]                     │       +[
[00:31:59]                     │       +  "word four"
[00:31:59]                     │       +  "word one"
[00:31:59]                     │       +  "word three"
[00:31:59]                     │       +  "word two"
[00:31:59]                     │       +]
[00:31:59]                     │       
[00:31:59]                     │       at Assertion.assert (/dev/shm/workspace/parallel/13/kibana/node_modules/@kbn/expect/expect.js:100:11)
[00:31:59]                     │       at Assertion.eql (/dev/shm/workspace/parallel/13/kibana/node_modules/@kbn/expect/expect.js:244:8)
[00:31:59]                     │       at Context.<anonymous> (test/detection_engine_api_integration/security_and_spaces/tests/exception_operators_data_types/text.ts:349:25)
[00:31:59]                     │       at runMicrotasks (<anonymous>)
[00:31:59]                     │       at processTicksAndRejections (node:internal/process/task_queues:96:5)
[00:31:59]                     │       at Object.apply (/dev/shm/workspace/parallel/13/kibana/node_modules/@kbn/test/target_node/functional_test_runner/lib/mocha/wrap_function.js:87:16)
[00:31:59]                     │ 
[00:31:59]                     │ 

Stack Trace

Error: expected [] to sort of equal [ 'word four', 'word one', 'word three', 'word two' ]
    at Assertion.assert (/dev/shm/workspace/parallel/13/kibana/node_modules/@kbn/expect/expect.js:100:11)
    at Assertion.eql (/dev/shm/workspace/parallel/13/kibana/node_modules/@kbn/expect/expect.js:244:8)
    at Context.<anonymous> (test/detection_engine_api_integration/security_and_spaces/tests/exception_operators_data_types/text.ts:349:25)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at Object.apply (/dev/shm/workspace/parallel/13/kibana/node_modules/@kbn/test/target_node/functional_test_runner/lib/mocha/wrap_function.js:87:16) {
  actual: '[]',
  expected: '[\n  "word four"\n  "word one"\n  "word three"\n  "word two"\n]',
  showDiff: true
}

Metrics [docs]

✅ unchanged

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @banderror

@kibanamachine kibanamachine merged commit fb9284a into elastic:7.x Oct 19, 2021
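The log excerpts above show what this backport switches on. Next to the alerting framework's own `execute-start`/`execute` events (provider `alerting`, `event.duration` in nanoseconds), each rule run now writes `securitySolution.ruleExecution` events: a `status-change` per status with `event.sequence` 0 and 1, and an `execution-metrics` event with `sequence` 2 that is logged about a second after the framework's `execute` event. The snippet below is an added example, not code from this PR or from Kibana, that parses such lines and joins the two providers per `rule.id`. The TypeScript interfaces are assumptions with field names taken from the JSON visible in the log; the sample lines are copied from the log above with leading whitespace trimmed. The second rule's run on this page ends at the failed assertion before any metrics event is printed, so its metrics stay undefined.

```typescript
// Added example for this page, not code from the Kibana PR or its CI output.
// It parses the "event logged: {...}" lines the eventLog plugin prints above and,
// per rule ID, joins the alerting framework's "execute" event with the
// securitySolution.ruleExecution events that this PR turns on by default.
// Field names come from the JSON in the log; the TypeScript types are assumptions.

interface EventLogDoc {
  '@timestamp': string;
  event: {
    provider: string;
    action: string;
    sequence?: number;   // orders the securitySolution events within one execution
    outcome?: string;    // "success" on the alerting "execute" event seen above
    duration?: number;   // nanoseconds on the alerting "execute" event
  };
  rule?: { id: string; name?: string; category?: string };
  kibana?: {
    alert?: { rule?: { execution?: {
      status?: string;
      metrics?: { total_search_duration_ms?: number; total_indexing_duration_ms?: number };
    } } };
  };
}

interface ExecutionSummary {
  ruleId: string;
  ruleName?: string;
  statusHistory: string[];     // status-change events in event.sequence order
  finalStatus?: string;
  alertingOutcome?: string;
  alertingDurationMs?: number;
  totalSearchDurationMs?: number;
  totalIndexingDurationMs?: number;
  consistent: boolean;         // an "execute" event was seen and its outcome agrees with finalStatus
}

const MARKER = 'event logged: ';

/** The event-log document embedded in one Kibana log line, or null for any other line. */
function parseEventLogLine(line: string): EventLogDoc | null {
  const at = line.indexOf(MARKER);
  if (at < 0) return null;
  try {
    return JSON.parse(line.slice(at + MARKER.length)) as EventLogDoc;
  } catch {
    return null; // truncated or otherwise non-JSON payload
  }
}

function summarizeExecutions(lines: string[]): Record<string, ExecutionSummary> {
  const out: Record<string, ExecutionSummary> = {};
  const statusEvents: Record<string, EventLogDoc[]> = {};
  for (const line of lines) {
    const doc = parseEventLogLine(line);
    const ruleId = doc?.rule?.id;
    if (!doc || !ruleId) continue;
    const s = out[ruleId] ?? (out[ruleId] = { ruleId, statusHistory: [], consistent: false });
    if (doc.rule?.name) s.ruleName = doc.rule.name;
    const { provider, action } = doc.event;
    if (provider === 'alerting' && action === 'execute') {
      s.alertingOutcome = doc.event.outcome;
      if (doc.event.duration !== undefined) s.alertingDurationMs = doc.event.duration / 1e6;
    } else if (provider === 'securitySolution.ruleExecution' && action === 'status-change') {
      (statusEvents[ruleId] ?? (statusEvents[ruleId] = [])).push(doc);
    } else if (provider === 'securitySolution.ruleExecution' && action === 'execution-metrics') {
      const m = doc.kibana?.alert?.rule?.execution?.metrics;
      s.totalSearchDurationMs = m?.total_search_duration_ms;
      s.totalIndexingDurationMs = m?.total_indexing_duration_ms;
    }
  }
  for (const ruleId of Object.keys(out)) {
    const s = out[ruleId];
    // Order by event.sequence, not @timestamp: the metrics event is logged a second after "execute".
    const ordered = (statusEvents[ruleId] ?? []).sort((a, b) => (a.event.sequence ?? 0) - (b.event.sequence ?? 0));
    s.statusHistory = ordered.map((e) => e.kibana?.alert?.rule?.execution?.status ?? 'unknown');
    s.finalStatus = s.statusHistory.length ? s.statusHistory[s.statusHistory.length - 1] : undefined;
    s.consistent = s.alertingOutcome !== undefined && (s.alertingOutcome === 'success') === (s.finalStatus === 'succeeded');
  }
  return out;
}

// Lines copied from the CI log above (leading whitespace trimmed). The second rule's
// run has no execution-metrics line on this page, so its metrics stay undefined.
const SAMPLE_LOG_LINES: string[] = [
  `[00:31:41] │ proc [kibana]   log   [20:35:40.302] [info][eventLog][plugins] event logged: {"@timestamp":"2021-10-19T20:35:40.302Z","event":{"provider":"alerting","action":"execute-start","kind":"alert","category":["siem"],"start":"2021-10-19T20:35:40.302Z"},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"1bfec710-311c-11ec-b055-3d33aaaee6b5","type_id":"siem.signals"}],"task":{"scheduled":"2021-10-19T20:35:37.056Z","schedule_delay":3246000000},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d","version":"7.16.0"},"rule":{"id":"1bfec710-311c-11ec-b055-3d33aaaee6b5","license":"basic","category":"siem.signals","ruleset":"siem"},"message":"alert execution start: \\"1bfec710-311c-11ec-b055-3d33aaaee6b5\\"","ecs":{"version":"1.8.0"}}`,
  `[00:31:43] │ proc [kibana]   log   [20:35:42.090] [info][eventLog][plugins] event logged: {"@timestamp":"2021-10-19T20:35:42.089Z","event":{"provider":"securitySolution.ruleExecution","kind":"event","action":"status-change","sequence":0},"rule":{"id":"1bfec710-311c-11ec-b055-3d33aaaee6b5","name":"Signal Testing Query","category":"siem.signals"},"kibana":{"alert":{"rule":{"execution":{"status":"going to run","status_order":10}}},"space_ids":["default"],"saved_objects":[{"rel":"primary","type":"alert","id":"1bfec710-311c-11ec-b055-3d33aaaee6b5"}],"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d","version":"7.16.0"},"ecs":{"version":"1.8.0"}}`,
  `[00:31:44] │ proc [kibana]   log   [20:35:43.101] [info][eventLog][plugins] event logged: {"@timestamp":"2021-10-19T20:35:43.100Z","event":{"provider":"securitySolution.ruleExecution","kind":"event","action":"status-change","sequence":1},"rule":{"id":"1bfec710-311c-11ec-b055-3d33aaaee6b5","name":"Signal Testing Query","category":"siem.signals"},"message":"succeeded","kibana":{"alert":{"rule":{"execution":{"status":"succeeded","status_order":0}}},"space_ids":["default"],"saved_objects":[{"rel":"primary","type":"alert","id":"1bfec710-311c-11ec-b055-3d33aaaee6b5"}],"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d","version":"7.16.0"},"ecs":{"version":"1.8.0"}}`,
  `[00:31:44] │ proc [kibana]   log   [20:35:43.102] [info][plugins][securitySolution] [+] Finished indexing 1  signals searched between date ranges [`,
  `[00:31:44] │ proc [kibana]   log   [20:35:43.111] [info][eventLog][plugins] event logged: {"@timestamp":"2021-10-19T20:35:40.302Z","event":{"provider":"alerting","action":"execute","kind":"alert","category":["siem"],"start":"2021-10-19T20:35:40.302Z","outcome":"success","end":"2021-10-19T20:35:43.111Z","duration":2809000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"1bfec710-311c-11ec-b055-3d33aaaee6b5","type_id":"siem.signals"}],"task":{"scheduled":"2021-10-19T20:35:37.056Z","schedule_delay":3246000000},"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d","version":"7.16.0"},"rule":{"id":"1bfec710-311c-11ec-b055-3d33aaaee6b5","license":"basic","category":"siem.signals","ruleset":"siem","name":"Signal Testing Query"},"message":"alert executed: siem.signals:1bfec710-311c-11ec-b055-3d33aaaee6b5: 'Signal Testing Query'","ecs":{"version":"1.8.0"}}`,
  `[00:31:45] │ proc [kibana]   log   [20:35:44.118] [info][eventLog][plugins] event logged: {"@timestamp":"2021-10-19T20:35:44.117Z","event":{"provider":"securitySolution.ruleExecution","kind":"metric","action":"execution-metrics","sequence":2},"rule":{"id":"1bfec710-311c-11ec-b055-3d33aaaee6b5","name":"Signal Testing Query","category":"siem.signals"},"kibana":{"alert":{"rule":{"execution":{"metrics":{"total_search_duration_ms":8.24,"total_indexing_duration_ms":3.41}}}},"space_ids":["default"],"saved_objects":[{"rel":"primary","type":"alert","id":"1bfec710-311c-11ec-b055-3d33aaaee6b5"}],"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d","version":"7.16.0"},"ecs":{"version":"1.8.0"}}`,
  `[00:31:58] │ proc [kibana]   log   [20:35:57.268] [info][eventLog][plugins] event logged: {"@timestamp":"2021-10-19T20:35:57.261Z","event":{"provider":"securitySolution.ruleExecution","kind":"event","action":"status-change","sequence":0},"rule":{"id":"2506f120-311c-11ec-b055-3d33aaaee6b5","name":"Signal Testing Query","category":"siem.signals"},"kibana":{"alert":{"rule":{"execution":{"status":"going to run","status_order":10}}},"space_ids":["default"],"saved_objects":[{"rel":"primary","type":"alert","id":"2506f120-311c-11ec-b055-3d33aaaee6b5"}],"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d","version":"7.16.0"},"ecs":{"version":"1.8.0"}}`,
  `[00:31:59] │ proc [kibana]   log   [20:35:58.256] [info][eventLog][plugins] event logged: {"@timestamp":"2021-10-19T20:35:58.255Z","event":{"provider":"securitySolution.ruleExecution","kind":"event","action":"status-change","sequence":1},"rule":{"id":"2506f120-311c-11ec-b055-3d33aaaee6b5","name":"Signal Testing Query","category":"siem.signals"},"message":"succeeded","kibana":{"alert":{"rule":{"execution":{"status":"succeeded","status_order":0}}},"space_ids":["default"],"saved_objects":[{"rel":"primary","type":"alert","id":"2506f120-311c-11ec-b055-3d33aaaee6b5"}],"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d","version":"7.16.0"},"ecs":{"version":"1.8.0"}}`,
  `[00:31:59] │ proc [kibana]   log   [20:35:58.268] [info][eventLog][plugins] event logged: {"@timestamp":"2021-10-19T20:35:55.344Z","event":{"provider":"alerting","action":"execute","kind":"alert","category":["siem"],"start":"2021-10-19T20:35:55.344Z","outcome":"success","end":"2021-10-19T20:35:58.267Z","duration":2923000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"2506f120-311c-11ec-b055-3d33aaaee6b5","type_id":"siem.signals"}],"task":{"scheduled":"2021-10-19T20:35:52.202Z","schedule_delay":3142000000},"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d","version":"7.16.0"},"rule":{"id":"2506f120-311c-11ec-b055-3d33aaaee6b5","license":"basic","category":"siem.signals","ruleset":"siem","name":"Signal Testing Query"},"message":"alert executed: siem.signals:2506f120-311c-11ec-b055-3d33aaaee6b5: 'Signal Testing Query'","ecs":{"version":"1.8.0"}}`,
];

const summaries = summarizeExecutions(SAMPLE_LOG_LINES);
Object.keys(summaries).forEach((id) => {
  const s = summaries[id];
  console.log(`${id}: final=${s.finalStatus} alerting=${s.alertingOutcome} consistent=${s.consistent} search_ms=${s.totalSearchDurationMs}`);
});
```

The division by 1e6 is checked against the log itself: the `execute` event for `1bfec710-311c-11ec-b055-3d33aaaee6b5` carries `duration` 2809000000, and its `end` minus `start` (20:35:43.111 minus 20:35:40.302) is 2.809 s, so the field is in nanoseconds. A clean summary is not a substitute for the test's own read of the signals index: for `2506f120-311c-11ec-b055-3d33aaaee6b5` the rule reported `succeeded` and the Kibana log says 4 signals were indexed, yet the assertion that followed received `[]`.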