Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Failing test: X-Pack Detection Engine API Integration Tests.x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_threat_matching·ts - detection engine api security and spaces enabled create_threat_matching tests with auditbeat data indicator enrichment generates multiple signals with multiple matches #93152

Closed
kibanamachine opened this issue Mar 2, 2021 · 21 comments
Assignees
Labels
blocker failed-test A test failure on a tracked branch, potentially flaky-test skipped-test Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.0.0

Comments

@kibanamachine
Copy link
Contributor

kibanamachine commented Mar 2, 2021

A test failed on a tracked branch

Error: expected [ { indicator: [ [Object] ] },
  { indicator: [ [Object], [Object], [Object] ] } ] to sort of equal [ { indicator: [ [Object] ] },
  { indicator: [ [Object], [Object], [Object] ] } ]
    at Assertion.assert (/dev/shm/workspace/parallel/23/kibana/packages/kbn-expect/expect.js:100:11)
    at Assertion.eql (/dev/shm/workspace/parallel/23/kibana/packages/kbn-expect/expect.js:244:8)
    at Context.<anonymous> (test/detection_engine_api_integration/security_and_spaces/tests/create_threat_matching.ts:578:30)
    at Object.apply (/dev/shm/workspace/parallel/23/kibana/packages/kbn-test/src/functional_test_runner/lib/mocha/wrap_function.js:73:16) {
  actual: '[\n' +
    '  {\n' +
    '    "indicator": [\n' +
    '      {\n' +
    `        "description": "domain should match the auditbeat hosts' data's source.ip"\n` +
    '        "domain": "159.89.119.67"\n' +
    '        "first_seen": "2021-01-26T11:09:04.000Z"\n' +
    '        "matched": {\n' +
    '          "atomic": "159.89.119.67"\n' +
    '          "field": "destination.ip"\n' +
    '          "id": "978783"\n' +
    '          "index": "filebeat-8.0.0-2021.01.26-000001"\n' +
    '          "type": "url"\n' +
    '        }\n' +
    '        "provider": "geenensp"\n' +
    '        "type": "url"\n' +
    '        "url": {\n' +
    '          "full": "http://159.89.119.67:59600/bin.sh"\n' +
    '          "scheme": "http"\n' +
    '        }\n' +
    '      }\n' +
    '    ]\n' +
    '  }\n' +
    '  {\n' +
    '    "indicator": [\n' +
    '      {\n' +
    '        "description": "this should match auditbeat/hosts on both port and ip"\n' +
    '        "first_seen": "2021-01-26T11:06:03.000Z"\n' +
    '        "ip": "45.115.45.3"\n' +
    '        "matched": {\n' +
    '          "atomic": "45.115.45.3"\n' +
    '          "field": "source.ip"\n' +
    '          "id": "978785"\n' +
    '          "index": "filebeat-8.0.0-2021.01.26-000001"\n' +
    '          "type": "url"\n' +
    '        }\n' +
    '        "port": 57324\n' +
    '        "provider": "geenensp"\n' +
    '        "type": "url"\n' +
    '      }\n' +
    '      {\n' +
    `        "description": "domain should match the auditbeat hosts' data's source.ip"\n` +
    '        "domain": "159.89.119.67"\n' +
    '        "first_seen": "2021-01-26T11:09:04.000Z"\n' +
    '        "matched": {\n' +
    '          "atomic": "159.89.119.67"\n' +
    '          "field": "destination.ip"\n' +
    '          "id": "978783"\n' +
    '          "index": "filebeat-8.0.0-2021.01.26-000001"\n' +
    '          "type": "url"\n' +
    '        }\n' +
    '        "provider": "geenensp"\n' +
    '        "type": "url"\n' +
    '        "url": {\n' +
    '          "full": "http://159.89.119.67:59600/bin.sh"\n' +
    '          "scheme": "http"\n' +
    '        }\n' +
    '      }\n' +
    '      {\n' +
    '        "description": "this should match auditbeat/hosts on both port and ip"\n' +
    '        "first_seen": "2021-01-26T11:06:03.000Z"\n' +
    '        "ip": "45.115.45.3"\n' +
    '        "matched": {\n' +
    '          "atomic": 57324\n' +
    '          "field": "source.port"\n' +
    '          "id": "978785"\n' +
    '          "index": "filebeat-8.0.0-2021.01.26-000001"\n' +
    '          "type": "url"\n' +
    '        }\n' +
    '        "port": 57324\n' +
    '        "provider": "geenensp"\n' +
    '        "type": "url"\n' +
    '      }\n' +
    '    ]\n' +
    '  }\n' +
    ']',
  expected: '[\n' +
    '  {\n' +
    '    "indicator": [\n' +
    '      {\n' +
    `        "description": "domain should match the auditbeat hosts' data's source.ip"\n` +
    '        "domain": "159.89.119.67"\n' +
    '        "first_seen": "2021-01-26T11:09:04.000Z"\n' +
    '        "matched": {\n' +
    '          "atomic": "159.89.119.67"\n' +
    '          "field": "destination.ip"\n' +
    '          "id": "978783"\n' +
    '          "index": "filebeat-8.0.0-2021.01.26-000001"\n' +
    '          "type": "url"\n' +
    '        }\n' +
    '        "provider": "geenensp"\n' +
    '        "type": "url"\n' +
    '        "url": {\n' +
    '          "full": "http://159.89.119.67:59600/bin.sh"\n' +
    '          "scheme": "http"\n' +
    '        }\n' +
    '      }\n' +
    '    ]\n' +
    '  }\n' +
    '  {\n' +
    '    "indicator": [\n' +
    '      {\n' +
    `        "description": "domain should match the auditbeat hosts' data's source.ip"\n` +
    '        "domain": "159.89.119.67"\n' +
    '        "first_seen": "2021-01-26T11:09:04.000Z"\n' +
    '        "matched": {\n' +
    '          "atomic": "159.89.119.67"\n' +
    '          "field": "destination.ip"\n' +
    '          "id": "978783"\n' +
    '          "index": "filebeat-8.0.0-2021.01.26-000001"\n' +
    '          "type": "url"\n' +
    '        }\n' +
    '        "provider": "geenensp"\n' +
    '        "type": "url"\n' +
    '        "url": {\n' +
    '          "full": "http://159.89.119.67:59600/bin.sh"\n' +
    '          "scheme": "http"\n' +
    '        }\n' +
    '      }\n' +
    '      {\n' +
    '        "description": "this should match auditbeat/hosts on both port and ip"\n' +
    '        "first_seen": "2021-01-26T11:06:03.000Z"\n' +
    '        "ip": "45.115.45.3"\n' +
    '        "matched": {\n' +
    '          "atomic": "45.115.45.3"\n' +
    '          "field": "source.ip"\n' +
    '          "id": "978785"\n' +
    '          "index": "filebeat-8.0.0-2021.01.26-000001"\n' +
    '          "type": "url"\n' +
    '        }\n' +
    '        "port": 57324\n' +
    '        "provider": "geenensp"\n' +
    '        "type": "url"\n' +
    '      }\n' +
    '      {\n' +
    '        "description": "this should match auditbeat/hosts on both port and ip"\n' +
    '        "first_seen": "2021-01-26T11:06:03.000Z"\n' +
    '        "ip": "45.115.45.3"\n' +
    '        "matched": {\n' +
    '          "atomic": 57324\n' +
    '          "field": "source.port"\n' +
    '          "id": "978785"\n' +
    '          "index": "filebeat-8.0.0-2021.01.26-000001"\n' +
    '          "type": "url"\n' +
    '        }\n' +
    '        "port": 57324\n' +
    '        "provider": "geenensp"\n' +
    '        "type": "url"\n' +
    '      }\n' +
    '    ]\n' +
    '  }\n' +
    ']',
  showDiff: true
}

First failure: Jenkins Build

@kibanamachine kibanamachine added the failed-test A test failure on a tracked branch, potentially flaky-test label Mar 2, 2021
@kibanamachine
Copy link
Contributor Author

New failure: Jenkins Build

@kibanamachine
Copy link
Contributor Author

New failure: Jenkins Build

@kibanamachine
Copy link
Contributor Author

New failure: Jenkins Build

@kibanamachine
Copy link
Contributor Author

New failure: Jenkins Build

1 similar comment
@kibanamachine
Copy link
Contributor Author

New failure: Jenkins Build

@kibanamachine
Copy link
Contributor Author

New failure: Jenkins Build

1 similar comment
@kibanamachine
Copy link
Contributor Author

New failure: Jenkins Build

@kibanamachine
Copy link
Contributor Author

New failure: Jenkins Build

1 similar comment
@kibanamachine
Copy link
Contributor Author

New failure: Jenkins Build

mistic added a commit that referenced this issue Mar 2, 2021
mistic added a commit that referenced this issue Mar 2, 2021
@mistic mistic added the Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! label Mar 2, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-security (Team:Security)

@mistic
Copy link
Member

mistic commented Mar 2, 2021

This test has been failing and looks flaky. Skipping for now.

master/8.0: b33ea36
7.x/7.13: 9eb6fb7

@legrego
Copy link
Member

legrego commented Mar 2, 2021

@mistic this test belongs to the security solutions team, not the security team. I'll reassign for triage

@legrego legrego added Team:Detections and Resp Security Detection Response Team and removed Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! labels Mar 2, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

mistic added a commit that referenced this issue Mar 2, 2021
mistic added a commit that referenced this issue Mar 2, 2021
@mistic mistic added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Mar 2, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

gmmorris added a commit to gmmorris/kibana that referenced this issue Mar 2, 2021
…bana into task-manager/docs-monitoring

* 'task-manager/docs-monitoring' of github.com:gmmorris/kibana:
  [ILM] Allow multiple searchable snapshot actions (elastic#92789)
  Improve consistency for display of management items (elastic#92694)
  skip flaky suite (elastic#93152)
  skip flaky suite (elastic#93152)
  [ILM] Refactor edit_policy client integration tests into separate feature files (elastic#92826)
  Add developer documentation about the building blocks we offer plugin developers (elastic#92743)
  [Security Solution] Case ui enhancement (elastic#91863)
  [Security Solution] [Detections] Updates warning message when no indices match provided index patterns (elastic#93094)
  Collect agent telemetry even when fleet server is disabled. (elastic#93198)
  [Lens] Fix runtime validation error message (elastic#93195)
  [Lens] Remove warning about ordinal x-domain (elastic#93049)
  [Security Solution] Fixes the Customize Event Renderers modal by removing the EuiOverlayMask (elastic#93150)
  Cleanup Security plugin imports (elastic#93056)
  [Security Solution] - Bug fixes (elastic#92294)
  Updated doc links (elastic#92968)
  [ML] Transforms: Fixes chart histograms for runtime fields. (elastic#93028)
  [chore] Enable core's eslint rule: `@ts-expect-error` (elastic#93086)
@kibanamachine
Copy link
Contributor Author

New failure: Jenkins Build

gmmorris added a commit to gmmorris/kibana that referenced this issue Mar 2, 2021
* master: (199 commits)
  Convert Canvas docs to MDX for use in Elastic Docs (elastic#91969)
  [Bazel] More resilient Workspace Status (elastic#93244)
  [Discover] Change icon of saved search in open search panel and embeddable selection (elastic#93001)
  [Workplace Search] Role Mappings to Kibana (elastic#93123)
  [Fleet] Use type-only imports where possible (elastic#92979)
  [Lens] Set pie chart slices sorted clockwise (elastic#92617)
  Remove ms label from CPU load on status page (elastic#92836)
  [App Search] Migrate Create Meta Engine View (elastic#92127)
  [Time to Visualize] Disable Visualize URL Tracker When Linked to OriginatingApp (elastic#92917)
  [ILM] Allow multiple searchable snapshot actions (elastic#92789)
  Improve consistency for display of management items (elastic#92694)
  skip flaky suite (elastic#93152)
  skip flaky suite (elastic#93152)
  [ILM] Refactor edit_policy client integration tests into separate feature files (elastic#92826)
  Add developer documentation about the building blocks we offer plugin developers (elastic#92743)
  [Security Solution] Case ui enhancement (elastic#91863)
  [Security Solution] [Detections] Updates warning message when no indices match provided index patterns (elastic#93094)
  Collect agent telemetry even when fleet server is disabled. (elastic#93198)
  [Lens] Fix runtime validation error message (elastic#93195)
  [Lens] Remove warning about ordinal x-domain (elastic#93049)
  ...
@rylnd rylnd self-assigned this Mar 2, 2021
@kibanamachine
Copy link
Contributor Author

New failure: Jenkins Build

@spalger
Copy link
Contributor

spalger commented Mar 3, 2021

Attempted to fix in #93350, but that was reverted to reskip the test

@kibanamachine
Copy link
Contributor Author

New failure: Jenkins Build

1 similar comment
@kibanamachine
Copy link
Contributor Author

New failure: Jenkins Build

@rylnd
Copy link
Contributor

rylnd commented Mar 25, 2021

Looks like this was (actually) closed by #94241. Backported to 7.x and 7.12 as well.

@rylnd rylnd closed this as completed Mar 25, 2021
@kibanamachine kibanamachine reopened this Oct 25, 2021
@kibanamachine
Copy link
Contributor Author

New failure: CI Build - 7.16

@mistic mistic closed this as completed Oct 25, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
blocker failed-test A test failure on a tracked branch, potentially flaky-test skipped-test Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.0.0
Projects
None yet
Development

No branches or pull requests

6 participants