[7.x] [Logs/Metrics UI] Add deprecated field configuration to Deprecations API (#115103) #115633

Merged
merged 1 commit into from
Oct 19, 2021

Conversation

Zacqary
Contributor

@Zacqary Zacqary commented Oct 19, 2021

Backports the following commits to 7.x:

…API (elastic#115103)

* [Logs/Metrics UI] Add deprecated field configuration to Deprecations API

* Add correction steps

* Add unit test for source config deprecations

* Apply suggestions from code review

Co-authored-by: Chris Cowan <chris@chriscowan.us>

* Lint fix

Co-authored-by: Chris Cowan <chris@chriscowan.us>
# Conflicts:
#	x-pack/plugins/infra/server/plugin.ts
@Zacqary Zacqary enabled auto-merge (squash) October 19, 2021 19:18
@kibanamachine
Contributor

💛 Build succeeded, but was flaky


Test Failures

Kibana Pipeline / general / X-Pack Detection Engine API Integration Tests.x-pack/test/detection_engine_api_integration/security_and_spaces/tests/generating_signals·ts.detection engine api security and spaces enabled Generating signals from source indexes Signals generated from events with name override field should generate signals with name_override field

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has not failed recently on tracked branches

[00:00:00]     │
[00:00:00]       └-: detection engine api security and spaces enabled
[00:00:00]         └-> "before all" hook in "detection engine api security and spaces enabled"
[00:00:00]         └-: 
[00:00:00]           └-> "before all" hook in ""
[00:17:10]           └-: Generating signals from source indexes
[00:17:10]             └-> "before all" hook in "Generating signals from source indexes"
[00:22:21]             └-: Signals generated from events with name override field
[00:22:21]               └-> "before all" hook for "should generate signals with name_override field"
[00:22:21]               └-> "before all" hook for "should generate signals with name_override field"
[00:22:21]                 │ info [x-pack/test/functional/es_archives/auditbeat/hosts] Loading "mappings.json"
[00:22:21]                 │ info [x-pack/test/functional/es_archives/auditbeat/hosts] Loading "data.json.gz"
[00:22:21]                 │ info [o.e.c.m.MetadataCreateIndexService] [node-01] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:22:21]                 │ info [x-pack/test/functional/es_archives/auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:22:21]                 │ debg [x-pack/test/functional/es_archives/auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:22:21]                 │ info [x-pack/test/functional/es_archives/auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:22:21]                 │ info [x-pack/test/functional/es_archives/auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:22:21]               └-> should generate signals with name_override field
[00:22:21]                 └-> "before each" hook: global before each for "should generate signals with name_override field"
[00:22:21]                 └-> "before each" hook for "should generate signals with name_override field"
[00:22:21]                   │ info [o.e.x.i.a.TransportPutLifecycleAction] [node-01] adding index lifecycle policy [.siem-signals-default]
[00:22:21]                   │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:22:21]                   │ info [o.e.c.m.MetadataCreateIndexService] [node-01] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:22:22]                   │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:22:22]                 └-> "before each" hook for "should generate signals with name_override field"
[00:22:22]                   │ info [o.e.c.m.MetadataDeleteIndexService] [node-01] [.siem-signals-default-000001/JWcj4sgGSqOu2w0iH0KoNA] deleting index
[00:22:22]                   │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] removing index template [.siem-signals-default]
[00:22:22]                   │ info [o.e.x.i.a.TransportPutLifecycleAction] [node-01] adding index lifecycle policy [.siem-signals-default]
[00:22:22]                   │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:22:22]                   │ info [o.e.c.m.MetadataCreateIndexService] [node-01] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:22:22]                   │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:22:22]                 │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:22:22]                 │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:22:23]                 │ proc [kibana]   log   [20:24:40.152] [info][eventLog][plugins] event logged: {"@timestamp":"2021-10-19T20:24:40.151Z","event":{"provider":"alerting","action":"execute-start","kind":"alert","category":["siem"],"start":"2021-10-19T20:24:40.151Z"},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"95557840-311a-11ec-9bfb-cfca40d19b58","type_id":"siem.signals"}],"task":{"scheduled":"2021-10-19T20:24:39.213Z","schedule_delay":938000000},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d","version":"7.16.0"},"rule":{"id":"95557840-311a-11ec-9bfb-cfca40d19b58","license":"basic","category":"siem.signals","ruleset":"siem"},"message":"alert execution start: \"95557840-311a-11ec-9bfb-cfca40d19b58\"","ecs":{"version":"1.8.0"}}
[00:22:27]                 │ proc [kibana]   log   [20:24:43.267] [info][plugins][securitySolution] [+] Finished indexing 100  signals searched between date ranges [
[00:22:27]                 │ proc [kibana]   {
[00:22:27]                 │ proc [kibana]     "to": "2021-10-19T20:24:41.246Z",
[00:22:27]                 │ proc [kibana]     "from": "1900-01-01T00:00:00.000Z",
[00:22:27]                 │ proc [kibana]     "maxSignals": 100
[00:22:27]                 │ proc [kibana]   }
[00:22:27]                 │ proc [kibana] ] name: "Signal Testing Query" id: "95557840-311a-11ec-9bfb-cfca40d19b58" rule id: "rule-1" signals index: ".siem-signals-default"
[00:22:27]                 │ proc [kibana]   log   [20:24:43.274] [info][eventLog][plugins] event logged: {"@timestamp":"2021-10-19T20:24:40.151Z","event":{"provider":"alerting","action":"execute","kind":"alert","category":["siem"],"start":"2021-10-19T20:24:40.151Z","outcome":"success","end":"2021-10-19T20:24:43.273Z","duration":3122000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"95557840-311a-11ec-9bfb-cfca40d19b58","type_id":"siem.signals"}],"task":{"scheduled":"2021-10-19T20:24:39.213Z","schedule_delay":938000000},"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d","version":"7.16.0"},"rule":{"id":"95557840-311a-11ec-9bfb-cfca40d19b58","license":"basic","category":"siem.signals","ruleset":"siem","name":"Signal Testing Query"},"message":"alert executed: siem.signals:95557840-311a-11ec-9bfb-cfca40d19b58: 'Signal Testing Query'","ecs":{"version":"1.8.0"}}
[00:22:27]                 └- ✖ fail: detection engine api security and spaces enabled  Generating signals from source indexes Signals generated from events with name override field should generate signals with name_override field
[00:22:27]                 │       Error: expected { '@timestamp': '2021-10-19T20:24:41.371Z',
[00:22:27]                 │   agent: 
[00:22:27]                 │    { ephemeral_id: '1b4978a0-48be-49b1-ac96-323425b389ab',
[00:22:27]                 │      hostname: 'zeek-sensor-amsterdam',
[00:22:27]                 │      id: 'e52588e6-7aa3-4c89-a2c4-d6bc5c286db1',
[00:22:27]                 │      type: 'auditbeat',
[00:22:27]                 │      version: '8.0.0' },
[00:22:27]                 │   auditd: 
[00:22:27]                 │    { data: 
[00:22:27]                 │       { acct: 'root',
[00:22:27]                 │         op: 'PAM:session_open',
[00:22:27]                 │         terminal: '/dev/pts/0' },
[00:22:27]                 │      message_type: 'user_start',
[00:22:27]                 │      result: 'success',
[00:22:27]                 │      sequence: 1390,
[00:22:27]                 │      session: '28',
[00:22:27]                 │      summary: 
[00:22:27]                 │       { actor: [Object],
[00:22:27]                 │         how: '/usr/bin/sudo',
[00:22:27]                 │         object: [Object] } },
[00:22:27]                 │   cloud: 
[00:22:27]                 │    { instance: { id: '133551048' },
[00:22:27]                 │      provider: 'digitalocean',
[00:22:27]                 │      region: 'ams3' },
[00:22:27]                 │   ecs: { version: '1.0.0-beta2' },
[00:22:27]                 │   event: 
[00:22:27]                 │    { action: 'started-session',
[00:22:27]                 │      category: 'user-login',
[00:22:27]                 │      module: 'auditd',
[00:22:27]                 │      kind: 'signal' },
[00:22:27]                 │   host: 
[00:22:27]                 │    { architecture: 'x86_64',
[00:22:27]                 │      containerized: false,
[00:22:27]                 │      hostname: 'zeek-sensor-amsterdam',
[00:22:27]                 │      id: '2ce8b1e7d69e4a1d9c6bcddc473da9d9',
[00:22:27]                 │      name: 'zeek-sensor-amsterdam',
[00:22:27]                 │      os: 
[00:22:27]                 │       { codename: 'bionic',
[00:22:27]                 │         family: 'debian',
[00:22:27]                 │         kernel: '4.15.0-45-generic',
[00:22:27]                 │         name: 'Ubuntu',
[00:22:27]                 │         platform: 'ubuntu',
[00:22:27]                 │         version: '18.04.2 LTS (Bionic Beaver)' } },
[00:22:27]                 │   process: { executable: '/usr/bin/sudo', pid: 30093 },
[00:22:27]                 │   service: { type: 'auditd' },
[00:22:27]                 │   user: 
[00:22:27]                 │    { audit: { id: '0', name: 'root' },
[00:22:27]                 │      id: '0',
[00:22:27]                 │      name: 'root' },
[00:22:27]                 │   signal: 
[00:22:27]                 │    { _meta: { version: 57 },
[00:22:27]                 │      parents: [ [Object] ],
[00:22:27]                 │      ancestors: [ [Object] ],
[00:22:27]                 │      status: 'open',
[00:22:27]                 │      rule: 
[00:22:27]                 │       { id: '95557840-311a-11ec-9bfb-cfca40d19b58',
[00:22:27]                 │         actions: [],
[00:22:27]                 │         interval: '5m',
[00:22:27]                 │         name: 'started-session',
[00:22:27]                 │         tags: [],
[00:22:27]                 │         enabled: true,
[00:22:27]                 │         created_by: 'elastic',
[00:22:27]                 │         updated_by: 'elastic',
[00:22:27]                 │         throttle: null,
[00:22:27]                 │         created_at: '2021-10-19T20:24:38.691Z',
[00:22:27]                 │         updated_at: '2021-10-19T20:24:39.216Z',
[00:22:27]                 │         description: 'Tests a simple query',
[00:22:27]                 │         risk_score: 1,
[00:22:27]                 │         severity: 'high',
[00:22:27]                 │         output_index: '.siem-signals-default',
[00:22:27]                 │         meta: [Object],
[00:22:27]                 │         rule_name_override: 'event.action',
[00:22:27]                 │         author: [],
[00:22:27]                 │         false_positives: [],
[00:22:27]                 │         from: '1900-01-01T00:00:00.000Z',
[00:22:27]                 │         rule_id: 'rule-1',
[00:22:27]                 │         max_signals: 100,
[00:22:27]                 │         risk_score_mapping: [],
[00:22:27]                 │         severity_mapping: [],
[00:22:27]                 │         threat: [],
[00:22:27]                 │         to: 'now',
[00:22:27]                 │         references: [],
[00:22:27]                 │         version: 1,
[00:22:27]                 │         exceptions_list: [],
[00:22:27]                 │         immutable: false,
[00:22:27]                 │         type: 'query',
[00:22:27]                 │         language: 'kuery',
[00:22:27]                 │         index: [Object],
[00:22:27]                 │         query: '*:*' },
[00:22:27]                 │      reason: 'user-login event by root on zeek-sensor-amsterdam created high alert started-session.',
[00:22:27]                 │      depth: 1,
[00:22:27]                 │      parent: 
[00:22:27]                 │       { id: 'PRXOBmkBR346wHgnI__7',
[00:22:27]                 │         type: 'event',
[00:22:27]                 │         index: 'auditbeat-8.0.0-2019.02.19-000001',
[00:22:27]                 │         depth: 0 },
[00:22:27]                 │      original_time: '2019-02-19T17:29:25.378Z',
[00:22:27]                 │      original_event: 
[00:22:27]                 │       { action: 'started-session',
[00:22:27]                 │         category: 'user-login',
[00:22:27]                 │         module: 'auditd' } } } to sort of equal { '@timestamp': '2021-10-19T20:24:41.371Z',
[00:22:27]                 │   agent: 
[00:22:27]                 │    { ephemeral_id: '1b4978a0-48be-49b1-ac96-323425b389ab',
[00:22:27]                 │      hostname: 'zeek-sensor-amsterdam',
[00:22:27]                 │      id: 'e52588e6-7aa3-4c89-a2c4-d6bc5c286db1',
[00:22:27]                 │      type: 'auditbeat',
[00:22:27]                 │      version: '8.0.0' },
[00:22:27]                 │   cloud: 
[00:22:27]                 │    { instance: { id: '133551048' },
[00:22:27]                 │      provider: 'digitalocean',
[00:22:27]                 │      region: 'ams3' },
[00:22:27]                 │   ecs: { version: '1.0.0-beta2' },
[00:22:27]                 │   event: 
[00:22:27]                 │    { action: 'boot',
[00:22:27]                 │      dataset: 'login',
[00:22:27]                 │      kind: 'signal',
[00:22:27]                 │      module: 'system',
[00:22:27]                 │      origin: '/var/log/wtmp' },
[00:22:27]                 │   host: 
[00:22:27]                 │    { architecture: 'x86_64',
[00:22:27]                 │      containerized: false,
[00:22:27]                 │      hostname: 'zeek-sensor-amsterdam',
[00:22:27]                 │      id: '2ce8b1e7d69e4a1d9c6bcddc473da9d9',
[00:22:27]                 │      name: 'zeek-sensor-amsterdam',
[00:22:27]                 │      os: 
[00:22:27]                 │       { codename: 'bionic',
[00:22:27]                 │         family: 'debian',
[00:22:27]                 │         kernel: '4.15.0-45-generic',
[00:22:27]                 │         name: 'Ubuntu',
[00:22:27]                 │         platform: 'ubuntu',
[00:22:27]                 │         version: '18.04.2 LTS (Bionic Beaver)' } },
[00:22:27]                 │   message: 'System boot',
[00:22:27]                 │   service: { type: 'system' },
[00:22:27]                 │   signal: 
[00:22:27]                 │    { _meta: { version: 57 },
[00:22:27]                 │      parents: [ [Object] ],
[00:22:27]                 │      ancestors: [ [Object] ],
[00:22:27]                 │      status: 'open',
[00:22:27]                 │      reason: 'event on zeek-sensor-amsterdam created high alert boot.',
[00:22:27]                 │      rule: 
[00:22:27]                 │       { id: '95557840-311a-11ec-9bfb-cfca40d19b58',
[00:22:27]                 │         actions: [],
[00:22:27]                 │         interval: '5m',
[00:22:27]                 │         name: 'boot',
[00:22:27]                 │         tags: [],
[00:22:27]                 │         enabled: true,
[00:22:27]                 │         created_by: 'elastic',
[00:22:27]                 │         updated_by: 'elastic',
[00:22:27]                 │         throttle: null,
[00:22:27]                 │         created_at: '2021-10-19T20:24:38.691Z',
[00:22:27]                 │         updated_at: '2021-10-19T20:24:39.216Z',
[00:22:27]                 │         description: 'Tests a simple query',
[00:22:27]                 │         risk_score: 1,
[00:22:27]                 │         severity: 'high',
[00:22:27]                 │         output_index: '.siem-signals-default',
[00:22:27]                 │         meta: [Object],
[00:22:27]                 │         rule_name_override: 'event.action',
[00:22:27]                 │         author: [],
[00:22:27]                 │         false_positives: [],
[00:22:27]                 │         from: '1900-01-01T00:00:00.000Z',
[00:22:27]                 │         rule_id: 'rule-1',
[00:22:27]                 │         max_signals: 100,
[00:22:27]                 │         risk_score_mapping: [],
[00:22:27]                 │         severity_mapping: [],
[00:22:27]                 │         threat: [],
[00:22:27]                 │         to: 'now',
[00:22:27]                 │         references: [],
[00:22:27]                 │         version: 1,
[00:22:27]                 │         exceptions_list: [],
[00:22:27]                 │         immutable: false,
[00:22:27]                 │         type: 'query',
[00:22:27]                 │         language: 'kuery',
[00:22:27]                 │         index: [Object],
[00:22:27]                 │         query: '*:*' },
[00:22:27]                 │      original_time: '2019-02-19T17:29:25.378Z',
[00:22:27]                 │      depth: 1,
[00:22:27]                 │      parent: 
[00:22:27]                 │       { id: 'UBXOBmkBR346wHgnLP8T',
[00:22:27]                 │         type: 'event',
[00:22:27]                 │         index: 'auditbeat-8.0.0-2019.02.19-000001',
[00:22:27]                 │         depth: 0 },
[00:22:27]                 │      original_event: 
[00:22:27]                 │       { action: 'boot',
[00:22:27]                 │         dataset: 'login',
[00:22:27]                 │         kind: 'event',
[00:22:27]                 │         module: 'system',
[00:22:27]                 │         origin: '/var/log/wtmp' } } }
[00:22:27]                 │       + expected - actual
[00:22:27]                 │ 
[00:22:27]                 │            "id": "e52588e6-7aa3-4c89-a2c4-d6bc5c286db1"
[00:22:27]                 │            "type": "auditbeat"
[00:22:27]                 │            "version": "8.0.0"
[00:22:27]                 │          }
[00:22:27]                 │       -  "auditd": {
[00:22:27]                 │       -    "data": {
[00:22:27]                 │       -      "acct": "root"
[00:22:27]                 │       -      "op": "PAM:session_open"
[00:22:27]                 │       -      "terminal": "/dev/pts/0"
[00:22:27]                 │       -    }
[00:22:27]                 │       -    "message_type": "user_start"
[00:22:27]                 │       -    "result": "success"
[00:22:27]                 │       -    "sequence": 1390
[00:22:27]                 │       -    "session": "28"
[00:22:27]                 │       -    "summary": {
[00:22:27]                 │       -      "actor": {
[00:22:27]                 │       -        "primary": "root"
[00:22:27]                 │       -        "secondary": "root"
[00:22:27]                 │       -      }
[00:22:27]                 │       -      "how": "/usr/bin/sudo"
[00:22:27]                 │       -      "object": {
[00:22:27]                 │       -        "primary": "/dev/pts/0"
[00:22:27]                 │       -        "type": "user-session"
[00:22:27]                 │       -      }
[00:22:27]                 │       -    }
[00:22:27]                 │       -  }
[00:22:27]                 │          "cloud": {
[00:22:27]                 │            "instance": {
[00:22:27]                 │              "id": "133551048"
[00:22:27]                 │            }
[00:22:27]                 │ --
[00:22:27]                 │          "ecs": {
[00:22:27]                 │            "version": "1.0.0-beta2"
[00:22:27]                 │          }
[00:22:27]                 │          "event": {
[00:22:27]                 │       -    "action": "started-session"
[00:22:27]                 │       -    "category": "user-login"
[00:22:27]                 │       +    "action": "boot"
[00:22:27]                 │       +    "dataset": "login"
[00:22:27]                 │            "kind": "signal"
[00:22:27]                 │       -    "module": "auditd"
[00:22:27]                 │       +    "module": "system"
[00:22:27]                 │       +    "origin": "/var/log/wtmp"
[00:22:27]                 │          }
[00:22:27]                 │          "host": {
[00:22:27]                 │            "architecture": "x86_64"
[00:22:27]                 │            "containerized": false
[00:22:27]                 │ --
[00:22:27]                 │              "platform": "ubuntu"
[00:22:27]                 │              "version": "18.04.2 LTS (Bionic Beaver)"
[00:22:27]                 │            }
[00:22:27]                 │          }
[00:22:27]                 │       -  "process": {
[00:22:27]                 │       -    "executable": "/usr/bin/sudo"
[00:22:27]                 │       -    "pid": 30093
[00:22:27]                 │       -  }
[00:22:27]                 │       +  "message": "System boot"
[00:22:27]                 │          "service": {
[00:22:27]                 │       -    "type": "auditd"
[00:22:27]                 │       +    "type": "system"
[00:22:27]                 │          }
[00:22:27]                 │          "signal": {
[00:22:27]                 │            "_meta": {
[00:22:27]                 │              "version": 57
[00:22:27]                 │            }
[00:22:27]                 │            "ancestors": [
[00:22:27]                 │              {
[00:22:27]                 │                "depth": 0
[00:22:27]                 │       -        "id": "PRXOBmkBR346wHgnI__7"
[00:22:27]                 │       +        "id": "UBXOBmkBR346wHgnLP8T"
[00:22:27]                 │                "index": "auditbeat-8.0.0-2019.02.19-000001"
[00:22:27]                 │                "type": "event"
[00:22:27]                 │              }
[00:22:27]                 │            ]
[00:22:27]                 │            "depth": 1
[00:22:27]                 │            "original_event": {
[00:22:27]                 │       -      "action": "started-session"
[00:22:27]                 │       -      "category": "user-login"
[00:22:27]                 │       -      "module": "auditd"
[00:22:27]                 │       +      "action": "boot"
[00:22:27]                 │       +      "dataset": "login"
[00:22:27]                 │       +      "kind": "event"
[00:22:27]                 │       +      "module": "system"
[00:22:27]                 │       +      "origin": "/var/log/wtmp"
[00:22:27]                 │            }
[00:22:27]                 │            "original_time": "2019-02-19T17:29:25.378Z"
[00:22:27]                 │            "parent": {
[00:22:27]                 │              "depth": 0
[00:22:27]                 │       -      "id": "PRXOBmkBR346wHgnI__7"
[00:22:27]                 │       +      "id": "UBXOBmkBR346wHgnLP8T"
[00:22:27]                 │              "index": "auditbeat-8.0.0-2019.02.19-000001"
[00:22:27]                 │              "type": "event"
[00:22:27]                 │            }
[00:22:27]                 │            "parents": [
[00:22:27]                 │              {
[00:22:27]                 │                "depth": 0
[00:22:27]                 │       -        "id": "PRXOBmkBR346wHgnI__7"
[00:22:27]                 │       +        "id": "UBXOBmkBR346wHgnLP8T"
[00:22:27]                 │                "index": "auditbeat-8.0.0-2019.02.19-000001"
[00:22:27]                 │                "type": "event"
[00:22:27]                 │              }
[00:22:27]                 │            ]
[00:22:27]                 │       -    "reason": "user-login event by root on zeek-sensor-amsterdam created high alert started-session."
[00:22:27]                 │       +    "reason": "event on zeek-sensor-amsterdam created high alert boot."
[00:22:27]                 │            "rule": {
[00:22:27]                 │              "actions": []
[00:22:27]                 │              "author": []
[00:22:27]                 │              "created_at": "2021-10-19T20:24:38.691Z"
[00:22:27]                 │ --
[00:22:27]                 │              "max_signals": 100
[00:22:27]                 │              "meta": {
[00:22:27]                 │                "ruleNameOverridden": true
[00:22:27]                 │              }
[00:22:27]                 │       -      "name": "started-session"
[00:22:27]                 │       +      "name": "boot"
[00:22:27]                 │              "output_index": ".siem-signals-default"
[00:22:27]                 │              "query": "*:*"
[00:22:27]                 │              "references": []
[00:22:27]                 │              "risk_score": 1
[00:22:27]                 │ --
[00:22:27]                 │              "version": 1
[00:22:27]                 │            }
[00:22:27]                 │            "status": "open"
[00:22:27]                 │          }
[00:22:27]                 │       -  "user": {
[00:22:27]                 │       -    "audit": {
[00:22:27]                 │       -      "id": "0"
[00:22:27]                 │       -      "name": "root"
[00:22:27]                 │       -    }
[00:22:27]                 │       -    "id": "0"
[00:22:27]                 │       -    "name": "root"
[00:22:27]                 │       -  }
[00:22:27]                 │        }
[00:22:27]                 │       
[00:22:27]                 │       at Assertion.assert (/dev/shm/workspace/parallel/12/kibana/node_modules/@kbn/expect/expect.js:100:11)
[00:22:27]                 │       at Assertion.eql (/dev/shm/workspace/parallel/12/kibana/node_modules/@kbn/expect/expect.js:244:8)
[00:22:27]                 │       at Context.<anonymous> (test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts:1643:28)
[00:22:27]                 │       at runMicrotasks (<anonymous>)
[00:22:27]                 │       at processTicksAndRejections (node:internal/process/task_queues:96:5)
[00:22:27]                 │       at Object.apply (/dev/shm/workspace/parallel/12/kibana/node_modules/@kbn/test/target_node/functional_test_runner/lib/mocha/wrap_function.js:87:16)
[00:22:27]                 │ 
[00:22:27]                 │ 

Stack Trace

Error: expected { '@timestamp': '2021-10-19T20:24:41.371Z',
  agent: 
   { ephemeral_id: '1b4978a0-48be-49b1-ac96-323425b389ab',
     hostname: 'zeek-sensor-amsterdam',
     id: 'e52588e6-7aa3-4c89-a2c4-d6bc5c286db1',
     type: 'auditbeat',
     version: '8.0.0' },
  auditd: 
   { data: 
      { acct: 'root',
        op: 'PAM:session_open',
        terminal: '/dev/pts/0' },
     message_type: 'user_start',
     result: 'success',
     sequence: 1390,
     session: '28',
     summary: 
      { actor: [Object],
        how: '/usr/bin/sudo',
        object: [Object] } },
  cloud: 
   { instance: { id: '133551048' },
     provider: 'digitalocean',
     region: 'ams3' },
  ecs: { version: '1.0.0-beta2' },
  event: 
   { action: 'started-session',
     category: 'user-login',
     module: 'auditd',
     kind: 'signal' },
  host: 
   { architecture: 'x86_64',
     containerized: false,
     hostname: 'zeek-sensor-amsterdam',
     id: '2ce8b1e7d69e4a1d9c6bcddc473da9d9',
     name: 'zeek-sensor-amsterdam',
     os: 
      { codename: 'bionic',
        family: 'debian',
        kernel: '4.15.0-45-generic',
        name: 'Ubuntu',
        platform: 'ubuntu',
        version: '18.04.2 LTS (Bionic Beaver)' } },
  process: { executable: '/usr/bin/sudo', pid: 30093 },
  service: { type: 'auditd' },
  user: 
   { audit: { id: '0', name: 'root' },
     id: '0',
     name: 'root' },
  signal: 
   { _meta: { version: 57 },
     parents: [ [Object] ],
     ancestors: [ [Object] ],
     status: 'open',
     rule: 
      { id: '95557840-311a-11ec-9bfb-cfca40d19b58',
        actions: [],
        interval: '5m',
        name: 'started-session',
        tags: [],
        enabled: true,
        created_by: 'elastic',
        updated_by: 'elastic',
        throttle: null,
        created_at: '2021-10-19T20:24:38.691Z',
        updated_at: '2021-10-19T20:24:39.216Z',
        description: 'Tests a simple query',
        risk_score: 1,
        severity: 'high',
        output_index: '.siem-signals-default',
        meta: [Object],
        rule_name_override: 'event.action',
        author: [],
        false_positives: [],
        from: '1900-01-01T00:00:00.000Z',
        rule_id: 'rule-1',
        max_signals: 100,
        risk_score_mapping: [],
        severity_mapping: [],
        threat: [],
        to: 'now',
        references: [],
        version: 1,
        exceptions_list: [],
        immutable: false,
        type: 'query',
        language: 'kuery',
        index: [Object],
        query: '*:*' },
     reason: 'user-login event by root on zeek-sensor-amsterdam created high alert started-session.',
     depth: 1,
     parent: 
      { id: 'PRXOBmkBR346wHgnI__7',
        type: 'event',
        index: 'auditbeat-8.0.0-2019.02.19-000001',
        depth: 0 },
     original_time: '2019-02-19T17:29:25.378Z',
     original_event: 
      { action: 'started-session',
        category: 'user-login',
        module: 'auditd' } } } to sort of equal { '@timestamp': '2021-10-19T20:24:41.371Z',
  agent: 
   { ephemeral_id: '1b4978a0-48be-49b1-ac96-323425b389ab',
     hostname: 'zeek-sensor-amsterdam',
     id: 'e52588e6-7aa3-4c89-a2c4-d6bc5c286db1',
     type: 'auditbeat',
     version: '8.0.0' },
  cloud: 
   { instance: { id: '133551048' },
     provider: 'digitalocean',
     region: 'ams3' },
  ecs: { version: '1.0.0-beta2' },
  event: 
   { action: 'boot',
     dataset: 'login',
     kind: 'signal',
     module: 'system',
     origin: '/var/log/wtmp' },
  host: 
   { architecture: 'x86_64',
     containerized: false,
     hostname: 'zeek-sensor-amsterdam',
     id: '2ce8b1e7d69e4a1d9c6bcddc473da9d9',
     name: 'zeek-sensor-amsterdam',
     os: 
      { codename: 'bionic',
        family: 'debian',
        kernel: '4.15.0-45-generic',
        name: 'Ubuntu',
        platform: 'ubuntu',
        version: '18.04.2 LTS (Bionic Beaver)' } },
  message: 'System boot',
  service: { type: 'system' },
  signal: 
   { _meta: { version: 57 },
     parents: [ [Object] ],
     ancestors: [ [Object] ],
     status: 'open',
     reason: 'event on zeek-sensor-amsterdam created high alert boot.',
     rule: 
      { id: '95557840-311a-11ec-9bfb-cfca40d19b58',
        actions: [],
        interval: '5m',
        name: 'boot',
        tags: [],
        enabled: true,
        created_by: 'elastic',
        updated_by: 'elastic',
        throttle: null,
        created_at: '2021-10-19T20:24:38.691Z',
        updated_at: '2021-10-19T20:24:39.216Z',
        description: 'Tests a simple query',
        risk_score: 1,
        severity: 'high',
        output_index: '.siem-signals-default',
        meta: [Object],
        rule_name_override: 'event.action',
        author: [],
        false_positives: [],
        from: '1900-01-01T00:00:00.000Z',
        rule_id: 'rule-1',
        max_signals: 100,
        risk_score_mapping: [],
        severity_mapping: [],
        threat: [],
        to: 'now',
        references: [],
        version: 1,
        exceptions_list: [],
        immutable: false,
        type: 'query',
        language: 'kuery',
        index: [Object],
        query: '*:*' },
     original_time: '2019-02-19T17:29:25.378Z',
     depth: 1,
     parent: 
      { id: 'UBXOBmkBR346wHgnLP8T',
        type: 'event',
        index: 'auditbeat-8.0.0-2019.02.19-000001',
        depth: 0 },
     original_event: 
      { action: 'boot',
        dataset: 'login',
        kind: 'event',
        module: 'system',
        origin: '/var/log/wtmp' } } }
    at Assertion.assert (/dev/shm/workspace/parallel/12/kibana/node_modules/@kbn/expect/expect.js:100:11)
    at Assertion.eql (/dev/shm/workspace/parallel/12/kibana/node_modules/@kbn/expect/expect.js:244:8)
    at Context.<anonymous> (test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts:1643:28)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at Object.apply (/dev/shm/workspace/parallel/12/kibana/node_modules/@kbn/test/target_node/functional_test_runner/lib/mocha/wrap_function.js:87:16) {
  actual: '{\n' +
    '  "@timestamp": "2021-10-19T20:24:41.371Z"\n' +
    '  "agent": {\n' +
    '    "ephemeral_id": "1b4978a0-48be-49b1-ac96-323425b389ab"\n' +
    '    "hostname": "zeek-sensor-amsterdam"\n' +
    '    "id": "e52588e6-7aa3-4c89-a2c4-d6bc5c286db1"\n' +
    '    "type": "auditbeat"\n' +
    '    "version": "8.0.0"\n' +
    '  }\n' +
    '  "auditd": {\n' +
    '    "data": {\n' +
    '      "acct": "root"\n' +
    '      "op": "PAM:session_open"\n' +
    '      "terminal": "/dev/pts/0"\n' +
    '    }\n' +
    '    "message_type": "user_start"\n' +
    '    "result": "success"\n' +
    '    "sequence": 1390\n' +
    '    "session": "28"\n' +
    '    "summary": {\n' +
    '      "actor": {\n' +
    '        "primary": "root"\n' +
    '        "secondary": "root"\n' +
    '      }\n' +
    '      "how": "/usr/bin/sudo"\n' +
    '      "object": {\n' +
    '        "primary": "/dev/pts/0"\n' +
    '        "type": "user-session"\n' +
    '      }\n' +
    '    }\n' +
    '  }\n' +
    '  "cloud": {\n' +
    '    "instance": {\n' +
    '      "id": "133551048"\n' +
    '    }\n' +
    '    "provider": "digitalocean"\n' +
    '    "region": "ams3"\n' +
    '  }\n' +
    '  "ecs": {\n' +
    '    "version": "1.0.0-beta2"\n' +
    '  }\n' +
    '  "event": {\n' +
    '    "action": "started-session"\n' +
    '    "category": "user-login"\n' +
    '    "kind": "signal"\n' +
    '    "module": "auditd"\n' +
    '  }\n' +
    '  "host": {\n' +
    '    "architecture": "x86_64"\n' +
    '    "containerized": false\n' +
    '    "hostname": "zeek-sensor-amsterdam"\n' +
    '    "id": "2ce8b1e7d69e4a1d9c6bcddc473da9d9"\n' +
    '    "name": "zeek-sensor-amsterdam"\n' +
    '    "os": {\n' +
    '      "codename": "bionic"\n' +
    '      "family": "debian"\n' +
    '      "kernel": "4.15.0-45-generic"\n' +
    '      "name": "Ubuntu"\n' +
    '      "platform": "ubuntu"\n' +
    '      "version": "18.04.2 LTS (Bionic Beaver)"\n' +
    '    }\n' +
    '  }\n' +
    '  "process": {\n' +
    '    "executable": "/usr/bin/sudo"\n' +
    '    "pid": 30093\n' +
    '  }\n' +
    '  "service": {\n' +
    '    "type": "auditd"\n' +
    '  }\n' +
    '  "signal": {\n' +
    '    "_meta": {\n' +
    '      "version": 57\n' +
    '    }\n' +
    '    "ancestors": [\n' +
    '      {\n' +
    '        "depth": 0\n' +
    '        "id": "PRXOBmkBR346wHgnI__7"\n' +
    '        "index": "auditbeat-8.0.0-2019.02.19-000001"\n' +
    '        "type": "event"\n' +
    '      }\n' +
    '    ]\n' +
    '    "depth": 1\n' +
    '    "original_event": {\n' +
    '      "action": "started-session"\n' +
    '      "category": "user-login"\n' +
    '      "module": "auditd"\n' +
    '    }\n' +
    '    "original_time": "2019-02-19T17:29:25.378Z"\n' +
    '    "parent": {\n' +
    '      "depth": 0\n' +
    '      "id": "PRXOBmkBR346wHgnI__7"\n' +
    '      "index": "auditbeat-8.0.0-2019.02.19-000001"\n' +
    '      "type": "event"\n' +
    '    }\n' +
    '    "parents": [\n' +
    '      {\n' +
    '        "depth": 0\n' +
    '        "id": "PRXOBmkBR346wHgnI__7"\n' +
    '        "index": "auditbeat-8.0.0-2019.02.19-000001"\n' +
    '        "type": "event"\n' +
    '      }\n' +
    '    ]\n' +
    '    "reason": "user-login event by root on zeek-sensor-amsterdam created high alert started-session."\n' +
    '    "rule": {\n' +
    '      "actions": []\n' +
    '      "author": []\n' +
    '      "created_at": "2021-10-19T20:24:38.691Z"\n' +
    '      "created_by": "elastic"\n' +
    '      "description": "Tests a simple query"\n' +
    '      "enabled": true\n' +
    '      "exceptions_list": []\n' +
    '      "false_positives": []\n' +
    '      "from": "1900-01-01T00:00:00.000Z"\n' +
    '      "id": "95557840-311a-11ec-9bfb-cfca40d19b58"\n' +
    '      "immutable": false\n' +
    '      "index": [\n' +
    '        "auditbeat-*"\n' +
    '      ]\n' +
    '      "interval": "5m"\n' +
    '      "language": "kuery"\n' +
    '      "max_signals": 100\n' +
    '      "meta": {\n' +
    '        "ruleNameOverridden": true\n' +
    '      }\n' +
    '      "name": "started-session"\n' +
    '      "output_index": ".siem-signals-default"\n' +
    '      "query": "*:*"\n' +
    '      "references": []\n' +
    '      "risk_score": 1\n' +
    '      "risk_score_mapping": []\n' +
    '      "rule_id": "rule-1"\n' +
    '      "rule_name_override": "event.action"\n' +
    '      "severity": "high"\n' +
    '      "severity_mapping": []\n' +
    '      "tags": []\n' +
    '      "threat": []\n' +
    '      "throttle": [null]\n' +
    '      "to": "now"\n' +
    '      "type": "query"\n' +
    '      "updated_at": "2021-10-19T20:24:39.216Z"\n' +
    '      "updated_by": "elastic"\n' +
    '      "version": 1\n' +
    '    }\n' +
    '    "status": "open"\n' +
    '  }\n' +
    '  "user": {\n' +
    '    "audit": {\n' +
    '      "id": "0"\n' +
    '      "name": "root"\n' +
    '    }\n' +
    '    "id": "0"\n' +
    '    "name": "root"\n' +
    '  }\n' +
    '}',
  expected: '{\n' +
    '  "@timestamp": "2021-10-19T20:24:41.371Z"\n' +
    '  "agent": {\n' +
    '    "ephemeral_id": "1b4978a0-48be-49b1-ac96-323425b389ab"\n' +
    '    "hostname": "zeek-sensor-amsterdam"\n' +
    '    "id": "e52588e6-7aa3-4c89-a2c4-d6bc5c286db1"\n' +
    '    "type": "auditbeat"\n' +
    '    "version": "8.0.0"\n' +
    '  }\n' +
    '  "cloud": {\n' +
    '    "instance": {\n' +
    '      "id": "133551048"\n' +
    '    }\n' +
    '    "provider": "digitalocean"\n' +
    '    "region": "ams3"\n' +
    '  }\n' +
    '  "ecs": {\n' +
    '    "version": "1.0.0-beta2"\n' +
    '  }\n' +
    '  "event": {\n' +
    '    "action": "boot"\n' +
    '    "dataset": "login"\n' +
    '    "kind": "signal"\n' +
    '    "module": "system"\n' +
    '    "origin": "/var/log/wtmp"\n' +
    '  }\n' +
    '  "host": {\n' +
    '    "architecture": "x86_64"\n' +
    '    "containerized": false\n' +
    '    "hostname": "zeek-sensor-amsterdam"\n' +
    '    "id": "2ce8b1e7d69e4a1d9c6bcddc473da9d9"\n' +
    '    "name": "zeek-sensor-amsterdam"\n' +
    '    "os": {\n' +
    '      "codename": "bionic"\n' +
    '      "family": "debian"\n' +
    '      "kernel": "4.15.0-45-generic"\n' +
    '      "name": "Ubuntu"\n' +
    '      "platform": "ubuntu"\n' +
    '      "version": "18.04.2 LTS (Bionic Beaver)"\n' +
    '    }\n' +
    '  }\n' +
    '  "message": "System boot"\n' +
    '  "service": {\n' +
    '    "type": "system"\n' +
    '  }\n' +
    '  "signal": {\n' +
    '    "_meta": {\n' +
    '      "version": 57\n' +
    '    }\n' +
    '    "ancestors": [\n' +
    '      {\n' +
    '        "depth": 0\n' +
    '        "id": "UBXOBmkBR346wHgnLP8T"\n' +
    '        "index": "auditbeat-8.0.0-2019.02.19-000001"\n' +
    '        "type": "event"\n' +
    '      }\n' +
    '    ]\n' +
    '    "depth": 1\n' +
    '    "original_event": {\n' +
    '      "action": "boot"\n' +
    '      "dataset": "login"\n' +
    '      "kind": "event"\n' +
    '      "module": "system"\n' +
    '      "origin": "/var/log/wtmp"\n' +
    '    }\n' +
    '    "original_time": "2019-02-19T17:29:25.378Z"\n' +
    '    "parent": {\n' +
    '      "depth": 0\n' +
    '      "id": "UBXOBmkBR346wHgnLP8T"\n' +
    '      "index": "auditbeat-8.0.0-2019.02.19-000001"\n' +
    '      "type": "event"\n' +
    '    }\n' +
    '    "parents": [\n' +
    '      {\n' +
    '        "depth": 0\n' +
    '        "id": "UBXOBmkBR346wHgnLP8T"\n' +
    '        "index": "auditbeat-8.0.0-2019.02.19-000001"\n' +
    '        "type": "event"\n' +
    '      }\n' +
    '    ]\n' +
    '    "reason": "event on zeek-sensor-amsterdam created high alert boot."\n' +
    '    "rule": {\n' +
    '      "actions": []\n' +
    '      "author": []\n' +
    '      "created_at": "2021-10-19T20:24:38.691Z"\n' +
    '      "created_by": "elastic"\n' +
    '      "description": "Tests a simple query"\n' +
    '      "enabled": true\n' +
    '      "exceptions_list": []\n' +
    '      "false_positives": []\n' +
    '      "from": "1900-01-01T00:00:00.000Z"\n' +
    '      "id": "95557840-311a-11ec-9bfb-cfca40d19b58"\n' +
    '      "immutable": false\n' +
    '      "index": [\n' +
    '        "auditbeat-*"\n' +
    '      ]\n' +
    '      "interval": "5m"\n' +
    '      "language": "kuery"\n' +
    '      "max_signals": 100\n' +
    '      "meta": {\n' +
    '        "ruleNameOverridden": true\n' +
    '      }\n' +
    '      "name": "boot"\n' +
    '      "output_index": ".siem-signals-default"\n' +
    '      "query": "*:*"\n' +
    '      "references": []\n' +
    '      "risk_score": 1\n' +
    '      "risk_score_mapping": []\n' +
    '      "rule_id": "rule-1"\n' +
    '      "rule_name_override": "event.action"\n' +
    '      "severity": "high"\n' +
    '      "severity_mapping": []\n' +
    '      "tags": []\n' +
    '      "threat": []\n' +
    '      "throttle": [null]\n' +
    '      "to": "now"\n' +
    '      "type": "query"\n' +
    '      "updated_at": "2021-10-19T20:24:39.216Z"\n' +
    '      "updated_by": "elastic"\n' +
    '      "version": 1\n' +
    '    }\n' +
    '    "status": "open"\n' +
    '  }\n' +
    '}',
  showDiff: true
}

Metrics [docs]

✅ unchanged

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream
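The failing assertion in the log above compares an entire generated signal against a hard-coded expectation. The two candidate source documents it exposes, `PRXOBmkBR346wHgnI__7` (the `auditd` session event the test actually got) and `UBXOBmkBR346wHgnLP8T` (the `system` boot event it expected), live in the same index and carry the same `original_time`, `2019-02-19T17:29:25.378Z`, so a selection keyed on time alone cannot tell them apart. The sketch below is an added example, not Kibana's detection-engine code. It reconstructs the two behaviours visible in the log, the `rule_name_override` taking `signal.rule.name` from `event.action` (with `meta.ruleNameOverridden: true`) and the `signal.reason` sentence, and orders candidate events by timestamp with an `_id` tie-break so the result is deterministic. Field values are copied from the log; the helper names, the rule's pre-override name and the tie-break itself are assumptions.

```javascript
// Added illustration (not Kibana's code): derive rule_name_override, the
// signal.reason sentence and a deterministic event order for the two source
// documents visible in the CI failure above.

// Two source events constructed from the field values shown in the log
// (index auditbeat-8.0.0-2019.02.19-000001). Only the fields read below are
// reproduced. Note that both share the same @timestamp.
const SOURCE_EVENTS = [
  {
    _id: 'UBXOBmkBR346wHgnLP8T',
    '@timestamp': '2019-02-19T17:29:25.378Z',
    event: { action: 'boot', dataset: 'login', kind: 'event', module: 'system', origin: '/var/log/wtmp' },
    host: { name: 'zeek-sensor-amsterdam' },
    message: 'System boot',
  },
  {
    _id: 'PRXOBmkBR346wHgnI__7',
    '@timestamp': '2019-02-19T17:29:25.378Z',
    event: { action: 'started-session', category: 'user-login', module: 'auditd' },
    host: { name: 'zeek-sensor-amsterdam' },
    user: { name: 'root' },
  },
];

// The rule from the log, reduced to the fields this sketch reads. The rule's
// original (pre-override) name is not visible in the log; 'rule-1' is assumed.
const RULE = {
  name: 'rule-1',
  severity: 'high',
  rule_name_override: 'event.action',
};

// Read a dotted ECS path such as 'event.action' from a nested document.
function getField(doc, path) {
  return path.split('.').reduce((node, key) => (node == null ? undefined : node[key]), doc);
}

// Apply rule_name_override: use the source event's value when the field is a
// non-empty string, and record that the override happened, as the log shows.
function resolveRuleName(rule, event) {
  const override = rule.rule_name_override ? getField(event, rule.rule_name_override) : undefined;
  if (typeof override === 'string' && override.length > 0) {
    return { name: override, meta: { ruleNameOverridden: true } };
  }
  return { name: rule.name, meta: {} };
}

// Build the signal.reason sentence. Each fragment is dropped when its field is
// absent, which reproduces both sentences in the log:
//   "user-login event by root on zeek-sensor-amsterdam created high alert started-session."
//   "event on zeek-sensor-amsterdam created high alert boot."
// event.category may be a string or an array in ECS; arrays are joined (assumption).
function buildReason(event, rule, ruleName) {
  const category = getField(event, 'event.category');
  const categoryText = Array.isArray(category) ? category.join(', ') : category;
  const user = getField(event, 'user.name');
  const host = getField(event, 'host.name');
  const parts = [];
  if (categoryText) parts.push(categoryText);
  parts.push('event');
  if (user) parts.push(`by ${user}`);
  if (host) parts.push(`on ${host}`);
  parts.push(`created ${rule.severity} alert ${ruleName}.`);
  return parts.join(' ');
}

// Order candidates by @timestamp, then by _id, so two documents with an equal
// timestamp (as in the log) always come out in the same order.
function sortDeterministic(events) {
  return [...events].sort((a, b) => {
    const ta = Date.parse(a['@timestamp']);
    const tb = Date.parse(b['@timestamp']);
    if (ta !== tb) return ta - tb;
    return a._id < b._id ? -1 : a._id > b._id ? 1 : 0;
  });
}

// Produce the subset of signal fields shown in the log for one source event.
function buildSignal(rule, event) {
  const { name, meta } = resolveRuleName(rule, event);
  return {
    event: { ...event.event, kind: 'signal' },
    signal: {
      parent: { id: event._id, type: 'event', depth: 0 },
      original_event: event.event,
      original_time: event['@timestamp'],
      reason: buildReason(event, rule, name),
      rule: { ...rule, name, meta },
      depth: 1,
      status: 'open',
    },
  };
}

// Generate signals for all candidates in deterministic order.
function generateSignals(rule, events) {
  return sortDeterministic(events).map((e) => buildSignal(rule, e));
}
```

Because `sortDeterministic` breaks the timestamp tie on `_id`, `generateSignals(RULE, SOURCE_EVENTS)` yields the `auditd` signal first however the input is ordered; a test that indexes into the result by position then sees the same document on every run, which is the property the flaky assertion above lacks.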

@Zacqary Zacqary merged commit 3d37afb into elastic:7.x Oct 19, 2021