Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Discover] Change icon of saved search in open search panel and embeddable selection #93001

Conversation

kertal
Copy link
Member

@kertal kertal commented Mar 1, 2021

Summary

This PR changes the icon type of the Open search panel and embeddable selection to DiscoverApp, to align it with the icon displayed in Saved Objects management and prevent confusion with the Saved Query type. Before this PR the compass icon was displayed here (This is the icon of Saved Query)

Old:

Bildschirmfoto 2021-03-01 um 10 39 46

New:

Bildschirmfoto 2021-03-01 um 10 38 55

Embeddable Selection New:

Bildschirmfoto 2021-03-02 um 14 48 27

Fixes #93000

@kertal kertal added the Feature:Discover Discover Application label Mar 1, 2021
@kertal kertal self-assigned this Mar 1, 2021
@flash1293
Copy link
Contributor

@elasticmachine merge upstream

@flash1293 flash1293 marked this pull request as ready for review March 2, 2021 13:42
@flash1293 flash1293 requested a review from a team March 2, 2021 13:42
@flash1293 flash1293 added release_note:skip Skip the PR/issue when compiling release notes Team:Visualizations Visualization editors, elastic-charts and infrastructure v7.12.0 v7.13.0 v8.0.0 labels Mar 2, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-app (Team:KibanaApp)

Copy link
Contributor

@flash1293 flash1293 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like this place has to be fixed as well:

Screenshot 2021-03-02 at 14 46 24

kertal added 2 commits March 2, 2021 14:49
…icon' of github.com:kertal/kibana into kertal-pr-2021-01-01-discover-change-open-saved-search-icon
@kertal kertal changed the title [Discover] Change icon of saved search in open search panel [Discover] Change icon of saved search in open search panel and embeddable selection Mar 2, 2021
@kertal kertal requested a review from flash1293 March 2, 2021 13:55
@kibanamachine
Copy link
Contributor

💛 Build succeeded, but was flaky


Test Failures

Kibana Pipeline / general / X-Pack Detection Engine API Integration Tests.x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_threat_matching·ts.detection engine api security and spaces enabled create_threat_matching tests with auditbeat data indicator enrichment generates multiple signals with multiple matches

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has failed 7 times on tracked branches: https://github.com/elastic/kibana/issues/93152

[00:00:00]       │
[00:00:00]         └-: detection engine api security and spaces enabled
[00:00:00]           └-> "before all" hook in "detection engine api security and spaces enabled"
[00:00:00]           └-: 
[00:00:00]             └-> "before all" hook in ""
[00:06:16]             └-: create_threat_matching
[00:06:16]               └-> "before all" hook in "create_threat_matching"
[00:06:30]               └-: tests with auditbeat data
[00:06:30]                 └-> "before all" hook for "should be able to execute and get 10 signals when doing a specific query"
[00:06:30]                 └-> should be able to execute and get 10 signals when doing a specific query
[00:06:30]                   └-> "before each" hook: global before each for "should be able to execute and get 10 signals when doing a specific query"
[00:06:30]                   └-> "before each" hook for "should be able to execute and get 10 signals when doing a specific query"
[00:06:30]                     │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] adding index lifecycle policy [.siem-signals-default]
[00:06:30]                     │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:06:30]                     │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:06:30]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:06:30]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:06:30]                     │ info [auditbeat/hosts] Loading "mappings.json"
[00:06:30]                     │ info [auditbeat/hosts] Loading "data.json.gz"
[00:06:30]                     │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:06:30]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:06:31]                     │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:06:31]                     │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:06:31]                     │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:06:31]                     │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:06:36]                   │ proc [kibana]   log   [14:50:02.576] [info][plugins][securitySolution] [+] Finished indexing 88   name: "Query with a rule id" id: "8eb74c30-7b66-11eb-a587-d3f46b3ca306" rule id: "rule-1" signals index: ".siem-signals-default"
[00:06:36]                   │ proc [kibana]   log   [14:50:02.583] [info][eventLog][plugins] event logged: {"@timestamp":"2021-03-02T14:50:00.227Z","event":{"provider":"alerting","action":"execute","start":"2021-03-02T14:50:00.227Z","outcome":"success","end":"2021-03-02T14:50:02.582Z","duration":2355000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"8eb74c30-7b66-11eb-a587-d3f46b3ca306"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:8eb74c30-7b66-11eb-a587-d3f46b3ca306: 'Query with a rule id'","ecs":{"version":"1.6.0"}}
[00:06:36]                   └- ✓ pass  (5.1s) "detection engine api security and spaces enabled  create_threat_matching tests with auditbeat data should be able to execute and get 10 signals when doing a specific query"
[00:06:36]                 └-> "after each" hook for "should be able to execute and get 10 signals when doing a specific query"
[00:06:36]                   │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [.siem-signals-default-000001/Ejm0DleRTlSydCDYEPEvew] deleting index
[00:06:36]                   │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] removing template [.siem-signals-default]
[00:06:39]                   │ info [auditbeat/hosts] Unloading indices from "mappings.json"
[00:06:39]                   │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [auditbeat-8.0.0-2019.02.19-000001/sOSjzd5NQ9OJYZAq-tdaDw] deleting index
[00:06:39]                   │ info [auditbeat/hosts] Deleted existing index "auditbeat-8.0.0-2019.02.19-000001"
[00:06:39]                   │ info [auditbeat/hosts] Unloading indices from "data.json.gz"
[00:06:39]                 └-> should return 0 matches if the mapping does not match against anything in the mapping
[00:06:39]                   └-> "before each" hook: global before each for "should return 0 matches if the mapping does not match against anything in the mapping"
[00:06:39]                   └-> "before each" hook for "should return 0 matches if the mapping does not match against anything in the mapping"
[00:06:39]                     │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] adding index lifecycle policy [.siem-signals-default]
[00:06:39]                     │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:06:39]                     │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:06:39]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:06:40]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:06:40]                     │ info [auditbeat/hosts] Loading "mappings.json"
[00:06:40]                     │ info [auditbeat/hosts] Loading "data.json.gz"
[00:06:40]                     │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:06:40]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:06:40]                     │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:06:40]                     │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:06:40]                     │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:06:40]                     │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:06:45]                   │ proc [kibana]   log   [14:50:11.670] [info][plugins][securitySolution] [+] Finished indexing 0   name: "Query with a rule id" id: "941de580-7b66-11eb-a587-d3f46b3ca306" rule id: "rule-1" signals index: ".siem-signals-default"
[00:06:45]                   │ proc [kibana]   log   [14:50:11.683] [info][eventLog][plugins] event logged: {"@timestamp":"2021-03-02T14:50:09.211Z","event":{"provider":"alerting","action":"execute","start":"2021-03-02T14:50:09.211Z","outcome":"success","end":"2021-03-02T14:50:11.682Z","duration":2471000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"941de580-7b66-11eb-a587-d3f46b3ca306"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:941de580-7b66-11eb-a587-d3f46b3ca306: 'Query with a rule id'","ecs":{"version":"1.6.0"}}
[00:06:45]                   └- ✓ pass  (5.1s) "detection engine api security and spaces enabled  create_threat_matching tests with auditbeat data should return 0 matches if the mapping does not match against anything in the mapping"
[00:06:45]                 └-> "after each" hook for "should return 0 matches if the mapping does not match against anything in the mapping"
[00:06:45]                   │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [.siem-signals-default-000001/VxFYQshATbGm2yxOjqRUnQ] deleting index
[00:06:45]                   │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] removing template [.siem-signals-default]
[00:06:48]                   │ info [auditbeat/hosts] Unloading indices from "mappings.json"
[00:06:48]                   │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [auditbeat-8.0.0-2019.02.19-000001/DTd0KtdmS1SL419CODhewg] deleting index
[00:06:48]                   │ info [auditbeat/hosts] Deleted existing index "auditbeat-8.0.0-2019.02.19-000001"
[00:06:48]                   │ info [auditbeat/hosts] Unloading indices from "data.json.gz"
[00:06:48]                 └-> should return 0 signals when using an AND and one of the clauses does not have data
[00:06:48]                   └-> "before each" hook: global before each for "should return 0 signals when using an AND and one of the clauses does not have data"
[00:06:48]                   └-> "before each" hook for "should return 0 signals when using an AND and one of the clauses does not have data"
[00:06:49]                     │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] adding index lifecycle policy [.siem-signals-default]
[00:06:49]                     │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:06:49]                     │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:06:49]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:06:49]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:06:49]                     │ info [auditbeat/hosts] Loading "mappings.json"
[00:06:49]                     │ info [auditbeat/hosts] Loading "data.json.gz"
[00:06:49]                     │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:06:49]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:06:49]                     │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:06:49]                     │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:06:49]                     │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:06:49]                     │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:06:54]                   │ proc [kibana]   log   [14:50:20.763] [info][plugins][securitySolution] [+] Finished indexing 0   name: "Query with a rule id" id: "999520a0-7b66-11eb-a587-d3f46b3ca306" rule id: "rule-1" signals index: ".siem-signals-default"
[00:06:54]                   │ proc [kibana]   log   [14:50:20.778] [info][eventLog][plugins] event logged: {"@timestamp":"2021-03-02T14:50:18.230Z","event":{"provider":"alerting","action":"execute","start":"2021-03-02T14:50:18.230Z","outcome":"success","end":"2021-03-02T14:50:20.777Z","duration":2547000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"999520a0-7b66-11eb-a587-d3f46b3ca306"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:999520a0-7b66-11eb-a587-d3f46b3ca306: 'Query with a rule id'","ecs":{"version":"1.6.0"}}
[00:06:54]                   └- ✓ pass  (5.0s) "detection engine api security and spaces enabled  create_threat_matching tests with auditbeat data should return 0 signals when using an AND and one of the clauses does not have data"
[00:06:54]                 └-> "after each" hook for "should return 0 signals when using an AND and one of the clauses does not have data"
[00:06:54]                   │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [.siem-signals-default-000001/oNi6vwmTS_S6Vzaucz78qw] deleting index
[00:06:54]                   │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] removing template [.siem-signals-default]
[00:06:57]                   │ info [auditbeat/hosts] Unloading indices from "mappings.json"
[00:06:57]                   │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [auditbeat-8.0.0-2019.02.19-000001/4D4u5iSGTIWmnzNSP3wVig] deleting index
[00:06:57]                   │ info [auditbeat/hosts] Deleted existing index "auditbeat-8.0.0-2019.02.19-000001"
[00:06:57]                   │ info [auditbeat/hosts] Unloading indices from "data.json.gz"
[00:06:57]                 └-> should return 0 signals when using an AND and one of the clauses has a made up value that does not exist
[00:06:57]                   └-> "before each" hook: global before each for "should return 0 signals when using an AND and one of the clauses has a made up value that does not exist"
[00:06:57]                   └-> "before each" hook for "should return 0 signals when using an AND and one of the clauses has a made up value that does not exist"
[00:06:58]                     │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] adding index lifecycle policy [.siem-signals-default]
[00:06:58]                     │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:06:58]                     │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:06:58]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:06:58]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:06:58]                     │ info [auditbeat/hosts] Loading "mappings.json"
[00:06:58]                     │ info [auditbeat/hosts] Loading "data.json.gz"
[00:06:58]                     │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:06:58]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:06:58]                     │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:06:58]                     │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:06:58]                     │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:06:58]                     │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:07:03]                   │ proc [kibana]   log   [14:50:29.853] [info][plugins][securitySolution] [+] Finished indexing 0   name: "Query with a rule id" id: "9ef35580-7b66-11eb-a587-d3f46b3ca306" rule id: "rule-1" signals index: ".siem-signals-default"
[00:07:03]                   │ proc [kibana]   log   [14:50:29.861] [info][eventLog][plugins] event logged: {"@timestamp":"2021-03-02T14:50:27.219Z","event":{"provider":"alerting","action":"execute","start":"2021-03-02T14:50:27.219Z","outcome":"success","end":"2021-03-02T14:50:29.860Z","duration":2641000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"9ef35580-7b66-11eb-a587-d3f46b3ca306"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:9ef35580-7b66-11eb-a587-d3f46b3ca306: 'Query with a rule id'","ecs":{"version":"1.6.0"}}
[00:07:03]                   └- ✓ pass  (5.1s) "detection engine api security and spaces enabled  create_threat_matching tests with auditbeat data should return 0 signals when using an AND and one of the clauses has a made up value that does not exist"
[00:07:03]                 └-> "after each" hook for "should return 0 signals when using an AND and one of the clauses has a made up value that does not exist"
[00:07:03]                   │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [.siem-signals-default-000001/eSg3mT8eR3KsKhZHMbHMjg] deleting index
[00:07:03]                   │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] removing template [.siem-signals-default]
[00:07:06]                   │ info [auditbeat/hosts] Unloading indices from "mappings.json"
[00:07:06]                   │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [auditbeat-8.0.0-2019.02.19-000001/m7vmFsGhRR25Fpf04ADWvw] deleting index
[00:07:06]                   │ info [auditbeat/hosts] Deleted existing index "auditbeat-8.0.0-2019.02.19-000001"
[00:07:06]                   │ info [auditbeat/hosts] Unloading indices from "data.json.gz"
[00:07:06]                 └-: indicator enrichment
[00:07:06]                   └-> "before all" hook for "enriches signals with the single indicator that matched"
[00:07:06]                   └-> enriches signals with the single indicator that matched
[00:07:06]                     └-> "before each" hook: global before each for "enriches signals with the single indicator that matched"
[00:07:06]                     └-> "before each" hook for "enriches signals with the single indicator that matched"
[00:07:07]                       │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] adding index lifecycle policy [.siem-signals-default]
[00:07:07]                       │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:07:07]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:07:07]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:07:07]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:07:07]                       │ info [auditbeat/hosts] Loading "mappings.json"
[00:07:07]                       │ info [auditbeat/hosts] Loading "data.json.gz"
[00:07:07]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:07:07]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:07:07]                       │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:07:07]                       │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:07:07]                       │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:07:07]                       │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:07:07]                     └-> "before each" hook for "enriches signals with the single indicator that matched"
[00:07:07]                       │ info [filebeat/threat_intel] Loading "mappings.json"
[00:07:07]                       │ info [filebeat/threat_intel] Loading "data.json"
[00:07:07]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [filebeat-8.0.0-2021.01.26-000001] creating index, cause [api], templates [], shards [1]/[0]
[00:07:07]                       │ info [filebeat/threat_intel] Created index "filebeat-8.0.0-2021.01.26-000001"
[00:07:07]                       │ debg [filebeat/threat_intel] "filebeat-8.0.0-2021.01.26-000001" settings {"index":{"lifecycle":{"name":"filebeat-8.0.0","rollover_alias":"filebeat-filebeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"0","number_of_shards":"1","refresh_interval":"5s"}}
[00:07:07]                       │ info [o.e.c.m.MetadataMappingService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [filebeat-8.0.0-2021.01.26-000001/xJ8rmZ2TSs6bzgtjsrM2AA] update_mapping [_doc]
[00:07:07]                       │ info [o.e.c.m.MetadataMappingService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [filebeat-8.0.0-2021.01.26-000001/xJ8rmZ2TSs6bzgtjsrM2AA] update_mapping [_doc]
[00:07:07]                       │ info [filebeat/threat_intel] Indexed 4 docs into "filebeat-8.0.0-2021.01.26-000001"
[00:07:12]                     │ proc [kibana]   log   [14:50:38.938] [info][plugins][securitySolution] [+] Finished indexing 2   name: "Query with a rule id" id: "a46ed660-7b66-11eb-a587-d3f46b3ca306" rule id: "rule-1" signals index: ".siem-signals-default"
[00:07:12]                     │ proc [kibana]   log   [14:50:38.950] [info][eventLog][plugins] event logged: {"@timestamp":"2021-03-02T14:50:36.235Z","event":{"provider":"alerting","action":"execute","start":"2021-03-02T14:50:36.236Z","outcome":"success","end":"2021-03-02T14:50:38.950Z","duration":2714000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"a46ed660-7b66-11eb-a587-d3f46b3ca306"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:a46ed660-7b66-11eb-a587-d3f46b3ca306: 'Query with a rule id'","ecs":{"version":"1.6.0"}}
[00:07:12]                     └- ✓ pass  (5.0s) "detection engine api security and spaces enabled  create_threat_matching tests with auditbeat data indicator enrichment enriches signals with the single indicator that matched"
[00:07:12]                   └-> "after each" hook for "enriches signals with the single indicator that matched"
[00:07:12]                     │ info [filebeat/threat_intel] Unloading indices from "mappings.json"
[00:07:12]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [filebeat-8.0.0-2021.01.26-000001/xJ8rmZ2TSs6bzgtjsrM2AA] deleting index
[00:07:12]                     │ info [filebeat/threat_intel] Deleted existing index "filebeat-8.0.0-2021.01.26-000001"
[00:07:12]                     │ info [filebeat/threat_intel] Unloading indices from "data.json"
[00:07:12]                   └-> "after each" hook for "enriches signals with the single indicator that matched"
[00:07:12]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [.siem-signals-default-000001/jsTp6o9LTteODSPHh4w90g] deleting index
[00:07:13]                     │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] removing template [.siem-signals-default]
[00:07:15]                     │ info [auditbeat/hosts] Unloading indices from "mappings.json"
[00:07:15]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [auditbeat-8.0.0-2019.02.19-000001/xlFsT32cR9uyGfz5KmTP-Q] deleting index
[00:07:16]                     │ info [auditbeat/hosts] Deleted existing index "auditbeat-8.0.0-2019.02.19-000001"
[00:07:16]                     │ info [auditbeat/hosts] Unloading indices from "data.json.gz"
[00:07:16]                   └-> enriches signals with multiple indicators if several matched
[00:07:16]                     └-> "before each" hook: global before each for "enriches signals with multiple indicators if several matched"
[00:07:16]                     └-> "before each" hook for "enriches signals with multiple indicators if several matched"
[00:07:16]                       │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] adding index lifecycle policy [.siem-signals-default]
[00:07:16]                       │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:07:16]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:07:16]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:07:16]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:07:16]                       │ info [auditbeat/hosts] Loading "mappings.json"
[00:07:16]                       │ info [auditbeat/hosts] Loading "data.json.gz"
[00:07:16]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:07:16]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:07:16]                       │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:07:16]                       │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:07:16]                       │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:07:16]                       │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:07:16]                     └-> "before each" hook for "enriches signals with multiple indicators if several matched"
[00:07:16]                       │ info [filebeat/threat_intel] Loading "mappings.json"
[00:07:16]                       │ info [filebeat/threat_intel] Loading "data.json"
[00:07:16]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [filebeat-8.0.0-2021.01.26-000001] creating index, cause [api], templates [], shards [1]/[0]
[00:07:16]                       │ info [filebeat/threat_intel] Created index "filebeat-8.0.0-2021.01.26-000001"
[00:07:16]                       │ debg [filebeat/threat_intel] "filebeat-8.0.0-2021.01.26-000001" settings {"index":{"lifecycle":{"name":"filebeat-8.0.0","rollover_alias":"filebeat-filebeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"0","number_of_shards":"1","refresh_interval":"5s"}}
[00:07:16]                       │ info [o.e.c.m.MetadataMappingService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [filebeat-8.0.0-2021.01.26-000001/O0426T-vSv2THgcwhdtf6A] update_mapping [_doc]
[00:07:16]                       │ info [o.e.c.m.MetadataMappingService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [filebeat-8.0.0-2021.01.26-000001/O0426T-vSv2THgcwhdtf6A] update_mapping [_doc]
[00:07:16]                       │ info [filebeat/threat_intel] Indexed 4 docs into "filebeat-8.0.0-2021.01.26-000001"
[00:07:24]                     │ proc [kibana]   log   [14:50:51.039] [info][plugins][securitySolution] [+] Finished indexing 1   name: "Query with a rule id" id: "a9dd37e0-7b66-11eb-a587-d3f46b3ca306" rule id: "rule-1" signals index: ".siem-signals-default"
[00:07:24]                     │ proc [kibana]   log   [14:50:51.049] [info][eventLog][plugins] event logged: {"@timestamp":"2021-03-02T14:50:48.238Z","event":{"provider":"alerting","action":"execute","start":"2021-03-02T14:50:48.238Z","outcome":"success","end":"2021-03-02T14:50:51.049Z","duration":2811000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"a9dd37e0-7b66-11eb-a587-d3f46b3ca306"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:a9dd37e0-7b66-11eb-a587-d3f46b3ca306: 'Query with a rule id'","ecs":{"version":"1.6.0"}}
[00:07:25]                     └- ✓ pass  (8.0s) "detection engine api security and spaces enabled  create_threat_matching tests with auditbeat data indicator enrichment enriches signals with multiple indicators if several matched"
[00:07:25]                   └-> "after each" hook for "enriches signals with multiple indicators if several matched"
[00:07:25]                     │ info [filebeat/threat_intel] Unloading indices from "mappings.json"
[00:07:25]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [filebeat-8.0.0-2021.01.26-000001/O0426T-vSv2THgcwhdtf6A] deleting index
[00:07:25]                     │ info [filebeat/threat_intel] Deleted existing index "filebeat-8.0.0-2021.01.26-000001"
[00:07:25]                     │ info [filebeat/threat_intel] Unloading indices from "data.json"
[00:07:25]                   └-> "after each" hook for "enriches signals with multiple indicators if several matched"
[00:07:25]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [.siem-signals-default-000001/Ih-zma7kTiyK5g0MI1LnLw] deleting index
[00:07:25]                     │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] removing template [.siem-signals-default]
[00:07:28]                     │ info [auditbeat/hosts] Unloading indices from "mappings.json"
[00:07:28]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [auditbeat-8.0.0-2019.02.19-000001/qaxzsWGuQyaXYzxGz-gjIg] deleting index
[00:07:28]                     │ info [auditbeat/hosts] Deleted existing index "auditbeat-8.0.0-2019.02.19-000001"
[00:07:28]                     │ info [auditbeat/hosts] Unloading indices from "data.json.gz"
[00:07:28]                   └-> adds a single indicator that matched multiple fields
[00:07:28]                     └-> "before each" hook: global before each for "adds a single indicator that matched multiple fields"
[00:07:28]                     └-> "before each" hook for "adds a single indicator that matched multiple fields"
[00:07:28]                       │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] adding index lifecycle policy [.siem-signals-default]
[00:07:28]                       │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:07:28]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:07:28]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:07:28]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:07:28]                       │ info [auditbeat/hosts] Loading "mappings.json"
[00:07:28]                       │ info [auditbeat/hosts] Loading "data.json.gz"
[00:07:28]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:07:28]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:07:28]                       │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:07:28]                       │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:07:28]                       │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:07:28]                       │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:07:28]                     └-> "before each" hook for "adds a single indicator that matched multiple fields"
[00:07:28]                       │ info [filebeat/threat_intel] Loading "mappings.json"
[00:07:28]                       │ info [filebeat/threat_intel] Loading "data.json"
[00:07:28]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [filebeat-8.0.0-2021.01.26-000001] creating index, cause [api], templates [], shards [1]/[0]
[00:07:29]                       │ info [filebeat/threat_intel] Created index "filebeat-8.0.0-2021.01.26-000001"
[00:07:29]                       │ debg [filebeat/threat_intel] "filebeat-8.0.0-2021.01.26-000001" settings {"index":{"lifecycle":{"name":"filebeat-8.0.0","rollover_alias":"filebeat-filebeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"0","number_of_shards":"1","refresh_interval":"5s"}}
[00:07:29]                       │ info [o.e.c.m.MetadataMappingService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [filebeat-8.0.0-2021.01.26-000001/tLhxB3_BRnSSGNTvBG5YOg] update_mapping [_doc]
[00:07:29]                       │ info [o.e.c.m.MetadataMappingService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [filebeat-8.0.0-2021.01.26-000001/tLhxB3_BRnSSGNTvBG5YOg] update_mapping [_doc]
[00:07:29]                       │ info [filebeat/threat_intel] Indexed 4 docs into "filebeat-8.0.0-2021.01.26-000001"
[00:07:37]                     │ proc [kibana]   log   [14:51:03.138] [info][plugins][securitySolution] [+] Finished indexing 1   name: "Query with a rule id" id: "b1169560-7b66-11eb-a587-d3f46b3ca306" rule id: "rule-1" signals index: ".siem-signals-default"
[00:07:37]                     │ proc [kibana]   log   [14:51:03.151] [info][eventLog][plugins] event logged: {"@timestamp":"2021-03-02T14:51:00.244Z","event":{"provider":"alerting","action":"execute","start":"2021-03-02T14:51:00.244Z","outcome":"success","end":"2021-03-02T14:51:03.150Z","duration":2906000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"b1169560-7b66-11eb-a587-d3f46b3ca306"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:b1169560-7b66-11eb-a587-d3f46b3ca306: 'Query with a rule id'","ecs":{"version":"1.6.0"}}
[00:07:37]                     └- ✓ pass  (8.0s) "detection engine api security and spaces enabled  create_threat_matching tests with auditbeat data indicator enrichment adds a single indicator that matched multiple fields"
[00:07:37]                   └-> "after each" hook for "adds a single indicator that matched multiple fields"
[00:07:37]                     │ info [filebeat/threat_intel] Unloading indices from "mappings.json"
[00:07:37]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [filebeat-8.0.0-2021.01.26-000001/tLhxB3_BRnSSGNTvBG5YOg] deleting index
[00:07:37]                     │ info [filebeat/threat_intel] Deleted existing index "filebeat-8.0.0-2021.01.26-000001"
[00:07:37]                     │ info [filebeat/threat_intel] Unloading indices from "data.json"
[00:07:37]                   └-> "after each" hook for "adds a single indicator that matched multiple fields"
[00:07:37]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [.siem-signals-default-000001/U9Zg-uj1T7OkJB8lveWDRQ] deleting index
[00:07:37]                     │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] removing template [.siem-signals-default]
[00:07:40]                     │ info [auditbeat/hosts] Unloading indices from "mappings.json"
[00:07:40]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [auditbeat-8.0.0-2019.02.19-000001/mabaj4z-TUK-8C8D3Fw10w] deleting index
[00:07:40]                     │ info [auditbeat/hosts] Deleted existing index "auditbeat-8.0.0-2019.02.19-000001"
[00:07:40]                     │ info [auditbeat/hosts] Unloading indices from "data.json.gz"
[00:07:40]                   └-> generates multiple signals with multiple matches
[00:07:40]                     └-> "before each" hook: global before each for "generates multiple signals with multiple matches"
[00:07:40]                     └-> "before each" hook for "generates multiple signals with multiple matches"
[00:07:40]                       │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] adding index lifecycle policy [.siem-signals-default]
[00:07:40]                       │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:07:40]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:07:40]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:07:40]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:07:40]                       │ info [auditbeat/hosts] Loading "mappings.json"
[00:07:40]                       │ info [auditbeat/hosts] Loading "data.json.gz"
[00:07:40]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:07:40]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:07:40]                       │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:07:40]                       │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:07:40]                       │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:07:40]                       │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:07:41]                     └-> "before each" hook for "generates multiple signals with multiple matches"
[00:07:41]                       │ info [filebeat/threat_intel] Loading "mappings.json"
[00:07:41]                       │ info [filebeat/threat_intel] Loading "data.json"
[00:07:41]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [filebeat-8.0.0-2021.01.26-000001] creating index, cause [api], templates [], shards [1]/[0]
[00:07:41]                       │ info [filebeat/threat_intel] Created index "filebeat-8.0.0-2021.01.26-000001"
[00:07:41]                       │ debg [filebeat/threat_intel] "filebeat-8.0.0-2021.01.26-000001" settings {"index":{"lifecycle":{"name":"filebeat-8.0.0","rollover_alias":"filebeat-filebeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"0","number_of_shards":"1","refresh_interval":"5s"}}
[00:07:41]                       │ info [o.e.c.m.MetadataMappingService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [filebeat-8.0.0-2021.01.26-000001/xNIuehrtQHeaqzIhQNqrsQ] update_mapping [_doc]
[00:07:41]                       │ info [o.e.c.m.MetadataMappingService] [kibana-ci-immutable-ubuntu-16-tests-xxl-1614693085433897054] [filebeat-8.0.0-2021.01.26-000001/xNIuehrtQHeaqzIhQNqrsQ] update_mapping [_doc]
[00:07:41]                       │ info [filebeat/threat_intel] Indexed 4 docs into "filebeat-8.0.0-2021.01.26-000001"
[00:07:46]                     │ proc [kibana]   log   [14:51:12.229] [info][plugins][securitySolution] [+] Finished indexing 2   name: "Query with a rule id" id: "b8448130-7b66-11eb-a587-d3f46b3ca306" rule id: "rule-1" signals index: ".siem-signals-default"
[00:07:46]                     │ proc [kibana]   log   [14:51:12.236] [info][eventLog][plugins] event logged: {"@timestamp":"2021-03-02T14:51:09.236Z","event":{"provider":"alerting","action":"execute","start":"2021-03-02T14:51:09.236Z","outcome":"success","end":"2021-03-02T14:51:12.235Z","duration":2999000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"b8448130-7b66-11eb-a587-d3f46b3ca306"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:b8448130-7b66-11eb-a587-d3f46b3ca306: 'Query with a rule id'","ecs":{"version":"1.6.0"}}
[00:07:46]                     └- ✖ fail: detection engine api security and spaces enabled  create_threat_matching tests with auditbeat data indicator enrichment generates multiple signals with multiple matches
[00:07:46]                     │       Error: expected [ { indicator: [ [Object] ] },
[00:07:46]                     │   { indicator: [ [Object], [Object], [Object] ] } ] to sort of equal [ { indicator: [ [Object] ] },
[00:07:46]                     │   { indicator: [ [Object], [Object], [Object] ] } ]
[00:07:46]                     │       + expected - actual
[00:07:46]                     │ 
[00:07:46]                     │          }
[00:07:46]                     │          {
[00:07:46]                     │            "indicator": [
[00:07:46]                     │              {
[00:07:46]                     │       -        "description": "this should match auditbeat/hosts on both port and ip"
[00:07:46]                     │       -        "first_seen": "2021-01-26T11:06:03.000Z"
[00:07:46]                     │       -        "ip": "45.115.45.3"
[00:07:46]                     │       -        "matched": {
[00:07:46]                     │       -          "atomic": "45.115.45.3"
[00:07:46]                     │       -          "field": "source.ip"
[00:07:46]                     │       -          "id": "978785"
[00:07:46]                     │       -          "index": "filebeat-8.0.0-2021.01.26-000001"
[00:07:46]                     │       -          "type": "url"
[00:07:46]                     │       -        }
[00:07:46]                     │       -        "port": 57324
[00:07:46]                     │       -        "provider": "geenensp"
[00:07:46]                     │       -        "type": "url"
[00:07:46]                     │       -      }
[00:07:46]                     │       -      {
[00:07:46]                     │                "description": "domain should match the auditbeat hosts' data's source.ip"
[00:07:46]                     │                "domain": "159.89.119.67"
[00:07:46]                     │                "first_seen": "2021-01-26T11:09:04.000Z"
[00:07:46]                     │                "matched": {
[00:07:46]                     │ --
[00:07:46]                     │                "description": "this should match auditbeat/hosts on both port and ip"
[00:07:46]                     │                "first_seen": "2021-01-26T11:06:03.000Z"
[00:07:46]                     │                "ip": "45.115.45.3"
[00:07:46]                     │                "matched": {
[00:07:46]                     │       +          "atomic": "45.115.45.3"
[00:07:46]                     │       +          "field": "source.ip"
[00:07:46]                     │       +          "id": "978785"
[00:07:46]                     │       +          "index": "filebeat-8.0.0-2021.01.26-000001"
[00:07:46]                     │       +          "type": "url"
[00:07:46]                     │       +        }
[00:07:46]                     │       +        "port": 57324
[00:07:46]                     │       +        "provider": "geenensp"
[00:07:46]                     │       +        "type": "url"
[00:07:46]                     │       +      }
[00:07:46]                     │       +      {
[00:07:46]                     │       +        "description": "this should match auditbeat/hosts on both port and ip"
[00:07:46]                     │       +        "first_seen": "2021-01-26T11:06:03.000Z"
[00:07:46]                     │       +        "ip": "45.115.45.3"
[00:07:46]                     │       +        "matched": {
[00:07:46]                     │                  "atomic": 57324
[00:07:46]                     │                  "field": "source.port"
[00:07:46]                     │                  "id": "978785"
[00:07:46]                     │                  "index": "filebeat-8.0.0-2021.01.26-000001"
[00:07:46]                     │       
[00:07:46]                     │       at Assertion.assert (/dev/shm/workspace/parallel/14/kibana/packages/kbn-expect/expect.js:100:11)
[00:07:46]                     │       at Assertion.eql (/dev/shm/workspace/parallel/14/kibana/packages/kbn-expect/expect.js:244:8)
[00:07:46]                     │       at Context.<anonymous> (test/detection_engine_api_integration/security_and_spaces/tests/create_threat_matching.ts:578:30)
[00:07:46]                     │       at Object.apply (/dev/shm/workspace/parallel/14/kibana/packages/kbn-test/src/functional_test_runner/lib/mocha/wrap_function.js:73:16)
[00:07:46]                     │ 
[00:07:46]                     │ 

Stack Trace

Error: expected [ { indicator: [ [Object] ] },
  { indicator: [ [Object], [Object], [Object] ] } ] to sort of equal [ { indicator: [ [Object] ] },
  { indicator: [ [Object], [Object], [Object] ] } ]
    at Assertion.assert (/dev/shm/workspace/parallel/14/kibana/packages/kbn-expect/expect.js:100:11)
    at Assertion.eql (/dev/shm/workspace/parallel/14/kibana/packages/kbn-expect/expect.js:244:8)
    at Context.<anonymous> (test/detection_engine_api_integration/security_and_spaces/tests/create_threat_matching.ts:578:30)
    at Object.apply (/dev/shm/workspace/parallel/14/kibana/packages/kbn-test/src/functional_test_runner/lib/mocha/wrap_function.js:73:16) {
  actual: '[\n' +
    '  {\n' +
    '    "indicator": [\n' +
    '      {\n' +
    `        "description": "domain should match the auditbeat hosts' data's source.ip"\n` +
    '        "domain": "159.89.119.67"\n' +
    '        "first_seen": "2021-01-26T11:09:04.000Z"\n' +
    '        "matched": {\n' +
    '          "atomic": "159.89.119.67"\n' +
    '          "field": "destination.ip"\n' +
    '          "id": "978783"\n' +
    '          "index": "filebeat-8.0.0-2021.01.26-000001"\n' +
    '          "type": "url"\n' +
    '        }\n' +
    '        "provider": "geenensp"\n' +
    '        "type": "url"\n' +
    '        "url": {\n' +
    '          "full": "http://159.89.119.67:59600/bin.sh"\n' +
    '          "scheme": "http"\n' +
    '        }\n' +
    '      }\n' +
    '    ]\n' +
    '  }\n' +
    '  {\n' +
    '    "indicator": [\n' +
    '      {\n' +
    '        "description": "this should match auditbeat/hosts on both port and ip"\n' +
    '        "first_seen": "2021-01-26T11:06:03.000Z"\n' +
    '        "ip": "45.115.45.3"\n' +
    '        "matched": {\n' +
    '          "atomic": "45.115.45.3"\n' +
    '          "field": "source.ip"\n' +
    '          "id": "978785"\n' +
    '          "index": "filebeat-8.0.0-2021.01.26-000001"\n' +
    '          "type": "url"\n' +
    '        }\n' +
    '        "port": 57324\n' +
    '        "provider": "geenensp"\n' +
    '        "type": "url"\n' +
    '      }\n' +
    '      {\n' +
    `        "description": "domain should match the auditbeat hosts' data's source.ip"\n` +
    '        "domain": "159.89.119.67"\n' +
    '        "first_seen": "2021-01-26T11:09:04.000Z"\n' +
    '        "matched": {\n' +
    '          "atomic": "159.89.119.67"\n' +
    '          "field": "destination.ip"\n' +
    '          "id": "978783"\n' +
    '          "index": "filebeat-8.0.0-2021.01.26-000001"\n' +
    '          "type": "url"\n' +
    '        }\n' +
    '        "provider": "geenensp"\n' +
    '        "type": "url"\n' +
    '        "url": {\n' +
    '          "full": "http://159.89.119.67:59600/bin.sh"\n' +
    '          "scheme": "http"\n' +
    '        }\n' +
    '      }\n' +
    '      {\n' +
    '        "description": "this should match auditbeat/hosts on both port and ip"\n' +
    '        "first_seen": "2021-01-26T11:06:03.000Z"\n' +
    '        "ip": "45.115.45.3"\n' +
    '        "matched": {\n' +
    '          "atomic": 57324\n' +
    '          "field": "source.port"\n' +
    '          "id": "978785"\n' +
    '          "index": "filebeat-8.0.0-2021.01.26-000001"\n' +
    '          "type": "url"\n' +
    '        }\n' +
    '        "port": 57324\n' +
    '        "provider": "geenensp"\n' +
    '        "type": "url"\n' +
    '      }\n' +
    '    ]\n' +
    '  }\n' +
    ']',
  expected: '[\n' +
    '  {\n' +
    '    "indicator": [\n' +
    '      {\n' +
    `        "description": "domain should match the auditbeat hosts' data's source.ip"\n` +
    '        "domain": "159.89.119.67"\n' +
    '        "first_seen": "2021-01-26T11:09:04.000Z"\n' +
    '        "matched": {\n' +
    '          "atomic": "159.89.119.67"\n' +
    '          "field": "destination.ip"\n' +
    '          "id": "978783"\n' +
    '          "index": "filebeat-8.0.0-2021.01.26-000001"\n' +
    '          "type": "url"\n' +
    '        }\n' +
    '        "provider": "geenensp"\n' +
    '        "type": "url"\n' +
    '        "url": {\n' +
    '          "full": "http://159.89.119.67:59600/bin.sh"\n' +
    '          "scheme": "http"\n' +
    '        }\n' +
    '      }\n' +
    '    ]\n' +
    '  }\n' +
    '  {\n' +
    '    "indicator": [\n' +
    '      {\n' +
    `        "description": "domain should match the auditbeat hosts' data's source.ip"\n` +
    '        "domain": "159.89.119.67"\n' +
    '        "first_seen": "2021-01-26T11:09:04.000Z"\n' +
    '        "matched": {\n' +
    '          "atomic": "159.89.119.67"\n' +
    '          "field": "destination.ip"\n' +
    '          "id": "978783"\n' +
    '          "index": "filebeat-8.0.0-2021.01.26-000001"\n' +
    '          "type": "url"\n' +
    '        }\n' +
    '        "provider": "geenensp"\n' +
    '        "type": "url"\n' +
    '        "url": {\n' +
    '          "full": "http://159.89.119.67:59600/bin.sh"\n' +
    '          "scheme": "http"\n' +
    '        }\n' +
    '      }\n' +
    '      {\n' +
    '        "description": "this should match auditbeat/hosts on both port and ip"\n' +
    '        "first_seen": "2021-01-26T11:06:03.000Z"\n' +
    '        "ip": "45.115.45.3"\n' +
    '        "matched": {\n' +
    '          "atomic": "45.115.45.3"\n' +
    '          "field": "source.ip"\n' +
    '          "id": "978785"\n' +
    '          "index": "filebeat-8.0.0-2021.01.26-000001"\n' +
    '          "type": "url"\n' +
    '        }\n' +
    '        "port": 57324\n' +
    '        "provider": "geenensp"\n' +
    '        "type": "url"\n' +
    '      }\n' +
    '      {\n' +
    '        "description": "this should match auditbeat/hosts on both port and ip"\n' +
    '        "first_seen": "2021-01-26T11:06:03.000Z"\n' +
    '        "ip": "45.115.45.3"\n' +
    '        "matched": {\n' +
    '          "atomic": 57324\n' +
    '          "field": "source.port"\n' +
    '          "id": "978785"\n' +
    '          "index": "filebeat-8.0.0-2021.01.26-000001"\n' +
    '          "type": "url"\n' +
    '        }\n' +
    '        "port": 57324\n' +
    '        "provider": "geenensp"\n' +
    '        "type": "url"\n' +
    '      }\n' +
    '    ]\n' +
    '  }\n' +
    ']',
  showDiff: true
}

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
discover 401.2KB 401.2KB +5.0B
triggersActionsUi 1.6MB 1.5MB -23.9KB
total -23.9KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
discover 79.6KB 79.6KB +5.0B
triggersActionsUi 104.0KB 104.1KB +82.0B
total +87.0B
Unknown metric groups

async chunk count

id before after diff
triggersActionsUi 41 42 +1

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @kertal

Copy link
Contributor

@flash1293 flash1293 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested and all places I found look the same now, LGTM

@kertal kertal merged commit b2b16d6 into elastic:master Mar 2, 2021
kertal added a commit to kertal/kibana that referenced this pull request Mar 2, 2021
kertal added a commit to kertal/kibana that referenced this pull request Mar 2, 2021
gmmorris added a commit to gmmorris/kibana that referenced this pull request Mar 2, 2021
* master: (199 commits)
  Convert Canvas docs to MDX for use in Elastic Docs (elastic#91969)
  [Bazel] More resilient Workspace Status (elastic#93244)
  [Discover] Change icon of saved search in open search panel and embeddable selection (elastic#93001)
  [Workplace Search] Role Mappings to Kibana (elastic#93123)
  [Fleet] Use type-only imports where possible (elastic#92979)
  [Lens] Set pie chart slices sorted clockwise (elastic#92617)
  Remove ms label from CPU load on status page (elastic#92836)
  [App Search] Migrate Create Meta Engine View (elastic#92127)
  [Time to Visualize] Disable Visualize URL Tracker When Linked to OriginatingApp (elastic#92917)
  [ILM] Allow multiple searchable snapshot actions (elastic#92789)
  Improve consistency for display of management items (elastic#92694)
  skip flaky suite (elastic#93152)
  skip flaky suite (elastic#93152)
  [ILM] Refactor edit_policy client integration tests into separate feature files (elastic#92826)
  Add developer documentation about the building blocks we offer plugin developers (elastic#92743)
  [Security Solution] Case ui enhancement (elastic#91863)
  [Security Solution] [Detections] Updates warning message when no indices match provided index patterns (elastic#93094)
  Collect agent telemetry even when fleet server is disabled. (elastic#93198)
  [Lens] Fix runtime validation error message (elastic#93195)
  [Lens] Remove warning about ordinal x-domain (elastic#93049)
  ...
kertal added a commit that referenced this pull request Mar 2, 2021
kertal added a commit that referenced this pull request Mar 2, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Feature:Discover Discover Application release_note:skip Skip the PR/issue when compiling release notes Team:Visualizations Visualization editors, elastic-charts and infrastructure v7.12.0 v7.13.0 v8.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Discover: Disambiguate saved searches and saved queries
4 participants