[Security Solution][Detections] Handle dupes when processing threshold rules #81798

Closed
wants to merge 2 commits

Conversation

madirey
Contributor

@madirey madirey commented Oct 27, 2020

Superseded by #83062

Summary

This PR makes changes to processing of threshold rules in order to prevent duplicates when evaluating thresholds over long lookback intervals. To do so, we make a best effort guess to reproduce the query from the last rule run, and ensure that any new matches still remain above the threshold, even when these previous matches are discarded.

TODO more to come...


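The duplicate problem the summary above describes, and the "discard the previous run's matches, then re-check the threshold" approach it proposes, as an added example. This is illustration code written for this page, not the detection engine's own implementation: the event and rule shapes, the function names, and the assumption that the previous run's window is exactly one rule interval earlier (the PR itself calls reconstructing that query a best-effort guess) are all choices made here. The sample events are constructed.

```typescript
// Added example, not Kibana code: threshold-rule evaluation over overlapping
// lookback windows, once naively and once with the previous run's matches
// discarded. Event/rule shapes and all function names are assumptions.

interface LogEvent {
  timestamp: number; // epoch seconds (constructed sample data below)
  host: string;
}

interface ThresholdRule {
  threshold: number; // a host bucket fires when its count >= threshold
  lookback: number;  // seconds: each run evaluates [runEnd - lookback, runEnd)
  interval: number;  // seconds between consecutive runs
}

interface ThresholdSignal {
  runEnd: number;
  host: string;
  count: number;
}

// Events that fall inside [from, to). A real rule would also apply its query
// here; this example treats every event as a match.
function inWindow(events: LogEvent[], from: number, to: number): LogEvent[] {
  return events.filter((e) => e.timestamp >= from && e.timestamp < to);
}

// Aggregate matches into per-host buckets and emit one signal per bucket that
// is at or above the threshold.
function bucketsOverThreshold(rule: ThresholdRule, matches: LogEvent[], runEnd: number): ThresholdSignal[] {
  const counts: Record<string, number> = {};
  for (const e of matches) {
    counts[e.host] = (counts[e.host] || 0) + 1;
  }
  const signals: ThresholdSignal[] = [];
  for (const host of Object.keys(counts)) {
    if (counts[host] >= rule.threshold) {
      signals.push({ runEnd, host, count: counts[host] });
    }
  }
  return signals;
}

// Naive run: the whole lookback window is counted every time, so a burst that
// stays inside the window for several runs is signalled on each of them.
function runNaive(rule: ThresholdRule, events: LogEvent[], runEnd: number): ThresholdSignal[] {
  return bucketsOverThreshold(rule, inWindow(events, runEnd - rule.lookback, runEnd), runEnd);
}

// De-duplicating run: reconstruct the previous run's window (assumed to end
// exactly one interval earlier), drop every match that window already covered,
// and require the remaining matches alone to reach the threshold.
function runDedup(rule: ThresholdRule, events: LogEvent[], runEnd: number, previousRunEnd?: number): ThresholdSignal[] {
  const current = inWindow(events, runEnd - rule.lookback, runEnd);
  const prevEnd = previousRunEnd;
  const fresh = prevEnd === undefined
    ? current
    : current.filter((e) => e.timestamp < prevEnd - rule.lookback || e.timestamp >= prevEnd);
  return bucketsOverThreshold(rule, fresh, runEnd);
}

// Drive `runs` consecutive executions starting at firstRunEnd, with or without dedup.
function simulate(rule: ThresholdRule, events: LogEvent[], firstRunEnd: number, runs: number, dedup: boolean): ThresholdSignal[] {
  const out: ThresholdSignal[] = [];
  let previousRunEnd: number | undefined;
  for (let i = 0; i < runs; i++) {
    const runEnd = firstRunEnd + i * rule.interval;
    const found = dedup ? runDedup(rule, events, runEnd, previousRunEnd) : runNaive(rule, events, runEnd);
    for (const s of found) out.push(s);
    previousRunEnd = runEnd;
  }
  return out;
}

// Constructed sample: one burst of five events from web-01 at t=100..104 (one
// incident, so one signal is wanted) and a rule with a 60 s lookback run every 10 s.
const RULE: ThresholdRule = { threshold: 5, lookback: 60, interval: 10 };
const BURST: LogEvent[] = [100, 101, 102, 103, 104].map((t) => ({ timestamp: t, host: 'web-01' }));

// Constructed sample for the trade-off: four events before the first run ends and
// two after it. Six events sit in the second run's window, but discarding the four
// the first run already covered leaves only two fresh ones.
const SPLIT: LogEvent[] = [100, 101, 102, 103, 112, 113].map((t) => ({ timestamp: t, host: 'web-02' }));
```

With BURST, three naive runs ending at t=110, 120 and 130 each see all five events and produce three signals for the same activity; the de-duplicating runs produce one. SPLIT shows the cost of discarding rather than carrying forward the earlier matches: the naive second run fires on six events, while the de-duplicating run sees only the two fresh ones and stays silent, so a burst that straddles a run boundary can go unreported under this scheme.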
@madirey madirey added release_note:enhancement v8.0.0 Feature:Detection Rules Security Solution rules and Detection Engine v7.11 labels Oct 27, 2020
@madirey madirey requested review from a team as code owners October 27, 2020 15:50
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Oct 27, 2020
@kibanamachine
Contributor

kibanamachine commented Oct 27, 2020

💔 Build Failed

Failed CI Steps


Test Failures

Creates and activates a new threshold rule.Detection rules, threshold Creates and activates a new threshold rule


Stack Trace

Failed Tests Reporter:
  - Test has failed 1 times on tracked branches: https://github.com/elastic/kibana/issues/77540

AssertionError: Timed out retrying: expected '<button.euiButtonEmpty.euiButtonEmpty--text.euiFilterButton>' to have text 'Custom rules (1)', but the text was 'Custom rules (3)'
    at Context.eval (http://localhost:6111/__cypress/tests?p=cypress/integration/alerts_detection_rules_threshold.spec.ts:13513:59)

"after all" hook for "Creates and activates a new threshold rule".Detection rules, threshold "after all" hook for "Creates and activates a new threshold rule"


Stack Trace

Failed Tests Reporter:
  - Test has not failed recently on tracked branches

CypressError: `cy.click()` failed because it requires a DOM element.

The subject received was:

  > `undefined`

The previous command that ran was:

  > `cy.get()`

Because this error occurred during a `after all` hook we are skipping the remaining tests in the current suite: `Detection rules, threshold`

Although you have test retries enabled, we do not retry tests when `before all` or `after all` hooks fail
    at ensureElement (http://elastic:changeme@localhost:6111/__cypress/runner/cypress_runner.js:161918:24)
    at validateType (http://elastic:changeme@localhost:6111/__cypress/runner/cypress_runner.js:161758:16)
    at Object.ensureSubjectByType (http://elastic:changeme@localhost:6111/__cypress/runner/cypress_runner.js:161794:9)
    at pushSubjectAndValidate (http://elastic:changeme@localhost:6111/__cypress/runner/cypress_runner.js:170212:15)
    at Context.<anonymous> (http://elastic:changeme@localhost:6111/__cypress/runner/cypress_runner.js:170549:18)
From Your Spec Code:
    at Object../cypress/tasks/alerts_detection_rules.ts.exports.deleteRule (http://localhost:6111/__cypress/tests?p=cypress/integration/alerts_detection_rules_threshold.spec.ts:14263:40)
    at Context.eval (http://localhost:6111/__cypress/tests?p=cypress/integration/alerts_detection_rules_threshold.spec.ts:13498:34)

Creates and activates a new threshold rule.Detection rules, threshold Creates and activates a new threshold rule


Stack Trace

Failed Tests Reporter:
  - Test has failed 1 times on tracked branches: https://github.com/elastic/kibana/issues/77540

AssertionError: Timed out retrying: expected '<button.euiButtonEmpty.euiButtonEmpty--text.euiFilterButton>' to have text 'Custom rules (1)', but the text was 'Custom rules (3)'
    at Context.eval (http://localhost:6111/__cypress/tests?p=cypress/integration/alerts_detection_rules_threshold.spec.ts:13513:59)

and 1 more failures, only showing the first 3.

Metrics

✅ unchanged

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@timroes timroes added v7.11.0 and removed v7.11 labels Oct 29, 2020
@madirey madirey closed this Nov 10, 2020