
[Security Solution][RAC][Cypress] Unskip some tests #117596

Merged
merged 23 commits into from
Nov 23, 2021


@madirey madirey commented Nov 4, 2021

Summary

Critical fixes for 8.0

  • EQL alert generation: Ensures parent alert does not have a building_block_type and sets kibana.alert.original_time to the timestamp of the first event in the sequence.
  • Updates several references in the UI code to support both legacy siem.signals (for backward compatibility) and new AAD fields in alerts
  • Reenables tests that were either fixed by the above, or fixed prior to this PR. See Unskip tests for RAC rule migration #116460
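The two summary bullets above describe a field-compatibility rule and an EQL sequence rule; as an added illustration (not Kibana code and not part of this PR), the block below models both in TypeScript. The legacy-to-AAD field pairs are the ones visible in the diff; the `'default'` building-block value, the document shapes and the sample alerts are constructed.

```typescript
// Added example, not Kibana code: models the two compatibility rules described in
// this PR. Field names are taken from the PR; document shapes and values are constructed.
type AlertDoc = Record<string, unknown>;

// Legacy siem.signals name -> alerts-as-data (AAD) name, as they appear in the PR diff.
const LEGACY_TO_AAD: Record<string, string> = {
  'signal.rule.id': 'kibana.alert.rule.uuid',
  'signal.rule.index': 'kibana.alert.rule.index',
  'signal.rule.risk_score': 'kibana.alert.rule.risk_score',
  'signal.reason': 'kibana.alert.reason',
};

// Read a field from an alert written under either naming scheme. The AAD name wins
// whenever the key is present (the PR's own hunks check the legacy name first); the
// legacy name is consulted only when the AAD key is absent, not when its value is
// merely empty, which is where `legacy ?? aad` on an empty array would go wrong.
function getAlertField(doc: AlertDoc, aadField: string): unknown {
  if (aadField in doc) return doc[aadField];
  const legacy = Object.keys(LEGACY_TO_AAD).find((k) => LEGACY_TO_AAD[k] === aadField);
  return legacy === undefined ? undefined : doc[legacy];
}

// Source events of one EQL sequence, assumed to be in sequence (chronological) order.
interface SourceEvent { '@timestamp': string; [field: string]: unknown }

// Build the per-event building-block alerts and the parent (shell) alert for an EQL
// sequence. Per the PR: only the children carry building_block_type, and the parent's
// kibana.alert.original_time is the timestamp of the first event in the sequence.
function buildSequenceAlerts(sequence: SourceEvent[]): { parent: AlertDoc; children: AlertDoc[] } {
  const first = sequence[0];
  if (first === undefined) throw new Error('an EQL sequence has at least one event');
  const children: AlertDoc[] = sequence.map((event) => ({
    ...event,
    'kibana.alert.building_block_type': 'default', // constructed value
    'kibana.alert.original_time': event['@timestamp'],
  }));
  const parent: AlertDoc = {
    'kibana.alert.original_time': first['@timestamp'],
    'kibana.alert.reason': `sequence of ${sequence.length} events`, // constructed
  };
  return { parent, children };
}

// Constructed samples: a pre-migration alert, an AAD alert, and one carrying both.
const legacyAlert: AlertDoc = { 'signal.rule.id': 'rule-legacy', 'signal.rule.index': ['logs-*'] };
const aadAlert: AlertDoc = { 'kibana.alert.rule.uuid': 'rule-aad', 'kibana.alert.rule.index': ['logs-*'] };
const mixedAlert: AlertDoc = { 'kibana.alert.rule.index': [], 'signal.rule.index': ['old-*'] };
```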

@madirey madirey added the v8.0.0, release_note:skip and Team:Detection Alerts labels Nov 4, 2021
@madirey madirey requested a review from a team as a code owner November 4, 2021 20:52
@madirey madirey changed the title from "[Security Solution][RAC][Cypress]" to "[Security Solution][RAC][Cypress] Unskip tests" Nov 4, 2021
@madirey madirey added the auto-backport label Nov 4, 2021
@madirey madirey requested a review from a team as a code owner November 9, 2021 20:18
@madirey madirey added the Team: SecuritySolution label Nov 10, 2021
@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

@madirey madirey changed the title from "[Security Solution][RAC][Cypress] Unskip tests" to "[WIP][Security Solution][RAC][Cypress] Unskip tests" Nov 10, 2021
@elastic elastic deleted a comment from kibanamachine Nov 16, 2021
@madirey madirey mentioned this pull request Nov 16, 2021
@madirey madirey changed the title from "[WIP][Security Solution][RAC][Cypress] Unskip tests" to "[Security Solution][RAC][Cypress] Unskip tests" Nov 16, 2021
@madirey madirey requested a review from marshallmain November 16, 2021 17:15
@madirey madirey added the v8.1.0 label Nov 16, 2021
@madirey

madirey commented Nov 18, 2021

@elasticmachine merge upstream

@kibanamachine

merge conflict between base and head

@madirey madirey changed the title from "[Security Solution][RAC][Cypress] Unskip tests" to "[Security Solution][RAC][Cypress] Unskip some tests" Nov 18, 2021

@ecezalp ecezalp left a comment


LGTM - left a few comments for my own understanding, code looks great

@@ -219,7 +219,6 @@ describe('Detection rules, sequence EQL', () => {
cy.log('ALERT_DATA_GRID', text);
expect(text).contains(this.rule.name);
expect(text).contains(this.rule.severity.toLowerCase());
expect(text).contains(this.rule.riskScore);
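Review bot: the riskScore assertion (`expect(text).contains(this.rule.riskScore)`) is dropped here instead of being adapted, so the sequence EQL test no longer checks the risk score column at all; if the column now reads its value from a renamed field, assert on that value instead, and if the grid text genuinely no longer contains it, add a short comment in the test saying why, so the lost coverage is deliberate rather than silent.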

is there a particular reason we are removing the riskScore checks

@@ -25,7 +26,7 @@ const InvestigationGuideViewComponent: React.FC<{
data: TimelineEventsDetailsItem[];
}> = ({ data }) => {
const ruleId = useMemo(() => {
const item = data.find((d) => d.field === 'signal.rule.id');
const item = data.find((d) => d.field === 'signal.rule.id' || d.field === ALERT_RULE_UUID);
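Review bot: the legacy name `'signal.rule.id'` is an inline string while the new name uses the `ALERT_RULE_UUID` constant; keep the pair together in a shared constant so the fallback is easy to find and remove later. Also, `data.find` with an `||` returns whichever of the two fields appears first in `data`, so a document carrying both gets no defined precedence; prefer an explicit order (look up one field, then the other) and a comment stating which one wins.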

why do we have an or here? don't we need just d.field === ALERT_RULE_UUID

[data]
);
const ruleId = useMemo(() => {
const siemSignalsRuleId = getFieldValue({ category: 'signal', field: 'signal.rule.id' }, data);
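Review bot: `siemSignalsRuleId` is read from the hard-coded legacy `signal.rule.id` with no comment explaining when that value is expected to be present (pre-migration alerts) and when it will be undefined; a one-line comment stating that the legacy lookup exists for alerts written before the alerts-as-data migration would answer the question raised in review and tell future readers when this branch can be deleted.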

so rules continue to have signal.rule.id - does that include newly created rules in 8.0 as well?

: category === 'kibana'
? field.replace('kibana.alert', 'signal').replace('rule.uuid', 'rule.id')
: field;
return (
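Review bot: the legacy name is derived by `field.replace('kibana.alert', 'signal').replace('rule.uuid', 'rule.id')`, a string substitution that is not anchored to the start of the field name and that assumes every AAD field differs from its legacy counterpart only by the prefix (plus the `rule.uuid` to `rule.id` rename); an explicit lookup table from AAD name to legacy name would make the supported pairs reviewable and would return undefined, rather than a guessed name, for fields that never had a legacy equivalent.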

I think it's coming together now. We keep both versions and search for each if we can't find one or the other. very interesting

@@ -53,9 +58,12 @@ export const RenderCellValue: React.FC<EuiDataGridCellValueElementProps & CellVa
<Status data-test-subj="alert-status" status={random(0, 1) ? 'recovered' : 'active'} />
);
case ALERT_DURATION:
case 'signal.duration.us':
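Review bot: the new fallthrough pairs the `ALERT_DURATION` constant with the inline literal `'signal.duration.us'`; as noted in review, a constant for the legacy name keeps the two in sync. Separately, the unchanged context line renders the status cell from `random(0, 1) ? 'recovered' : 'active'`, so the status an analyst sees is not taken from the alert document; if this is placeholder rendering it should carry a TODO, and if it is meant to ship it needs to read the real status field.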

it would be nice if the older versions were consts as well

() => find({ category: 'signal', field: 'signal.rule.index' }, detailsData)?.values,
() =>
find({ category: 'signal', field: 'signal.rule.index' }, detailsData)?.values ??
find({ category: 'kibana', field: 'kibana.alert.rule.index' }, detailsData)?.values,
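Review bot: `?? find(... 'kibana.alert.rule.index' ...)` only falls through when the legacy lookup yields null or undefined, so an alert that carries `signal.rule.index` with an empty `values` array would hide the AAD value; if documents can hold both fields, decide explicitly which one wins and cover it with a unit test. If the alerts-as-data constants package exports a name for `kibana.alert.rule.index`, use it here the way `ALERT_RULE_UUID` and `ALERT_DURATION` are used in the other hunks.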

is there an ALERT_RULE_INDEX?

@@ -18,7 +18,7 @@ import {
StyledContent,
} from '../../../../common/lib/cell_actions/expanded_cell_value_actions';

const FIELDS_WITHOUT_CELL_ACTIONS = ['signal.rule.risk_score', 'signal.reason'];
const FIELDS_WITHOUT_CELL_ACTIONS = ['kibana.alert.rule.risk_score', 'kibana.alert.reason'];
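Review bot: unlike the other hunks, this list replaces the legacy names outright instead of keeping both, so if a cell can still be populated from `signal.rule.risk_score` or `signal.reason` on pre-migration alerts, those cells would regain the cell actions the list is meant to suppress; either keep both names in the list or add a comment stating that cells are always keyed by the AAD name regardless of which field supplied the value (the question asked in review).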

interesting, so for the cells the data only appears with the new field name (even if it might be read from an older field)?

@madirey madirey enabled auto-merge (squash) November 18, 2021 20:36
@madirey

madirey commented Nov 18, 2021

jenkins test this

@madirey

madirey commented Nov 18, 2021

@elasticmachine merge upstream


@michaelolo24 michaelolo24 left a comment


Tested with @MadameSheema. Thanks @madirey !

@kibana-ci

💛 Build succeeded, but was flaky

Test Failures

  • [job] [logs] Security Solution Tests / Detection rules, machine learning "before each" hook for "Creates and activates a new ml rule"

Metrics

Module Count

Fewer modules leads to a faster build time

id before after diff
securitySolution 2754 2758 +4

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 4.5MB 4.5MB +3.0KB
timelines 202.3KB 202.5KB +221.0B
total +3.2KB


@madirey madirey merged commit c3484ae into elastic:main Nov 23, 2021
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Nov 23, 2021
* Reenable cypress tests for rules

* Indicator match is not yet passing

* Update refs

* Fix eql alert generation original_time and building_block_type

* Unskip a few more tests

* Update field names in jest tests

* Fix unit tests / cypress tests

* Have to keep this one skipped for now

* Fix some more tests?

* cleanup

* Fix translation
@kibanamachine

💚 Backport successful

Status Branch Result
8.0

This backport PR will be merged automatically after passing CI.

kibanamachine added a commit that referenced this pull request Nov 23, 2021

Co-authored-by: Madison Caldwell <[email protected]>
@madirey madirey deleted the unskip-aad-tests branch November 29, 2021 14:08
dmlemeshko pushed a commit that referenced this pull request Nov 29, 2021
TinLe pushed a commit to TinLe/kibana that referenced this pull request Dec 22, 2021