Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SIEM][Detection Engine] Final final rule changes #56806

Merged
merged 4 commits into from
Feb 5, 2020
Merged

[SIEM][Detection Engine] Final final rule changes #56806

merged 4 commits into from
Feb 5, 2020

Conversation

FrankHassanabad
Copy link
Contributor

Summary

  • Final, final, Rule changes

Checklist

Use strikethroughs to remove checklist items you don't feel are applicable to this PR.

- [ ] This was checked for cross-browser compatibility, including a check against IE11

- [ ] Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support

- [ ] Documentation was added for features that require explanation or tutorials

- [ ] Unit or functional tests were updated or added to match the most common scenarios

- [ ] This was checked for keyboard-only and screenreader accessibility

For maintainers

- [ ] This was checked for breaking API changes and was labeled appropriately

- [ ] This includes a feature addition or change that requires a release note and was labeled appropriately

@FrankHassanabad FrankHassanabad self-assigned this Feb 4, 2020
@elasticmachine
Copy link
Contributor

Pinging @elastic/siem (Team:SIEM)

@FrankHassanabad FrankHassanabad added v7.7.0 release_note:skip Skip the PR/issue when compiling release notes labels Feb 4, 2020
randomuserid
randomuserid approved these changes Feb 4, 2020
View reviewed changes
Copy link
Contributor

@randomuserid randomuserid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes these two were cut because they did not test well.

randomuserid
randomuserid approved these changes Feb 4, 2020
View reviewed changes
Copy link
Contributor

@randomuserid randomuserid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

zomg, ze rules!

@kibanamachine
Copy link
Contributor

💛 Build succeeded, but was flaky

Test Failures

Kibana Pipeline / kibana-xpack-agent / Chrome X-Pack UI Functional Tests.x-pack/test/functional/apps/rollup_job/tsvb·js.rollup app tsvb integration create rollup tsvb

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has failed 1 times on tracked branches: https://github.com/elastic/kibana/issues/56816

[00:00:00]       │
[00:28:29]         └-: rollup app
[00:28:29]           └-> "before all" hook
[00:29:51]           └-: tsvb integration
[00:29:51]             └-> "before all" hook
[00:29:51]             └-> "before all" hook
[00:29:51]               │ info [visualize/default] Loading "mappings.json"
[00:29:51]               │ info [visualize/default] Loading "data.json"
[00:29:51]               │ info [o.e.c.m.MetaDataDeleteIndexService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [.kibana_2/rA-LyRiWSQ-yjPbceNKvog] deleting index
[00:29:52]               │ info [o.e.c.m.MetaDataDeleteIndexService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [.kibana_1/XMN_yvFQTmqeQYN7mpQ9KA] deleting index
[00:29:52]               │ info [visualize/default] Deleted existing index [".kibana_2",".kibana_1"]
[00:29:52]               │ info [o.e.c.m.MetaDataCreateIndexService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [.kibana] creating index, cause [api], templates [], shards [1]/[0], mappings [_doc]
[00:29:52]               │ info [visualize/default] Created index ".kibana"
[00:29:52]               │ debg [visualize/default] ".kibana" settings {"index":{"number_of_shards":"1","auto_expand_replicas":"0-1","number_of_replicas":"0"}}
[00:29:52]               │ info [o.e.c.m.MetaDataCreateIndexService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [metricbeat-7] creating index, cause [auto(bulk api)], templates [], shards [1]/[1], mappings []
[00:29:52]               │ info [o.e.c.m.MetaDataMappingService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [metricbeat-7/9QUq8cqtTM-P6FJBBRejAA] create_mapping
[00:29:52]               │ info [visualize/default] Indexed 8 docs into ".kibana"
[00:29:52]               │ info [visualize/default] Indexed 1 docs into "metricbeat-7"
[00:29:53]               │ info Creating index .kibana_2.
[00:29:53]               │ info [o.e.c.m.MetaDataCreateIndexService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [.kibana_2] creating index, cause [api], templates [], shards [1]/[1], mappings [_doc]
[00:29:53]               │ info [o.e.c.r.a.AllocationService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] updating number_of_replicas to [0] for indices [.kibana_2]
[00:29:53]               │ info Reindexing .kibana to .kibana_1
[00:29:53]               │ info [o.e.c.m.MetaDataCreateIndexService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [.kibana_1] creating index, cause [api], templates [], shards [1]/[1], mappings [_doc]
[00:29:53]               │ info [o.e.c.r.a.AllocationService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] updating number_of_replicas to [0] for indices [.kibana_1]
[00:29:53]               │ info [o.e.t.LoggingTaskListener] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] 68878 finished with response BulkByScrollResponse[took=148.7ms,timed_out=false,sliceId=null,updated=0,created=8,deleted=0,batches=1,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[00:29:53]               │ info [o.e.c.m.MetaDataDeleteIndexService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [.kibana/Myt6RUnGQCm3gITauURAow] deleting index
[00:29:53]               │ info Migrating .kibana_1 saved objects to .kibana_2
[00:29:54]               │ debg Migrating saved objects space:default, index-pattern:metricbeat-*, custom-space:index-pattern:metricbeat-*, index-pattern:logstash-*, custom_space:index-pattern:logstash-*, visualization:i-exist, custom_space:visualization:i-exist, query:okjpgs
[00:29:54]               │ info [o.e.c.m.MetaDataMappingService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [.kibana_2/nsPvAIlmTtm_hcOtw36d5w] update_mapping [_doc]
[00:29:54]               │ info [o.e.c.m.MetaDataMappingService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [.kibana_2/nsPvAIlmTtm_hcOtw36d5w] update_mapping [_doc]
[00:29:54]               │ info [o.e.c.m.MetaDataMappingService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [.kibana_2/nsPvAIlmTtm_hcOtw36d5w] update_mapping [_doc]
[00:29:54]               │ info Pointing alias .kibana to .kibana_2.
[00:29:54]               │ info Finished in 895ms.
[00:29:54]               │ debg applying update to kibana config: {"accessibility:disableAnimations":true,"dateFormat:tz":"UTC"}
[00:29:54]               │ info [o.e.c.m.MetaDataMappingService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [.kibana_2/nsPvAIlmTtm_hcOtw36d5w] update_mapping [_doc]
[00:29:55]             └-> create rollup tsvb
[00:29:55]               └-> "before each" hook: global before each
[00:29:55]               │ info [o.e.c.m.MetaDataCreateIndexService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [rollup-source-data] creating index, cause [auto(bulk api)], templates [], shards [1]/[1], mappings []
[00:29:55]               │ info [o.e.c.m.MetaDataMappingService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [rollup-source-data/YY7vaLIHQxubkgnBoh9Phg] create_mapping
[00:29:55]               │ info [o.e.c.m.MetaDataCreateIndexService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [rollup-target-data] creating index, cause [api], templates [], shards [1]/[1], mappings [_doc]
[00:29:55]               │ debg navigating to visualize url: http://localhost:6121/app/kibana#/visualize
[00:29:55]               │ debg Navigate to: http://localhost:6121/app/kibana#/visualize
[00:29:55]               │ info [o.e.x.r.j.RollupJobTask] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] Rollup job [tsvb-test-rollup-job-1580860173065] created.
[00:29:55]               │ info [o.e.c.m.MetaDataMappingService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [rollup-target-data/LvOSCCpPQT2pw_qdxCR6Ww] update_mapping [_doc]
[00:29:56]               │ debg ... sleep(700) start
[00:29:56]               │ debg browser[INFO] http://localhost:6121/app/kibana?_t=1580861970473#/visualize 350 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-P5polb1UreUSOe5V/Pv7tc+yeZuJXiOi/3fqhGsU7BE='), or a nonce ('nonce-...') is required to enable inline execution.
[00:29:56]               │
[00:29:56]               │ debg browser[INFO] http://localhost:6121/bundles/app/kibana/bootstrap.js 8:19 "^ A single error about an inline script not firing due to content security policy is expected!"
[00:29:56]               │ debg ... sleep(700) end
[00:29:56]               │ debg returned from get, calling refresh
[00:29:56]               │ debg browser[INFO] http://localhost:6121/app/kibana?_t=1580861970473#/visualize 350 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-P5polb1UreUSOe5V/Pv7tc+yeZuJXiOi/3fqhGsU7BE='), or a nonce ('nonce-...') is required to enable inline execution.
[00:29:56]               │
[00:29:56]               │ debg browser[INFO] http://localhost:6121/bundles/app/kibana/bootstrap.js 8:19 "^ A single error about an inline script not firing due to content security policy is expected!"
[00:29:56]               │ debg currentUrl = http://localhost:6121/app/kibana#/visualize
[00:29:56]               │          appUrl = http://localhost:6121/app/kibana#/visualize
[00:29:56]               │ debg Find.findByCssSelector('[data-test-subj="kibanaChrome"]') with timeout=60000
[00:30:01]               │ debg TestSubjects.find(kibanaChrome)
[00:30:01]               │ debg Find.findByCssSelector('[data-test-subj="kibanaChrome"]') with timeout=10000
[00:30:01]               │ debg browser[INFO] http://localhost:6121/built_assets/dlls/vendors_2.bundle.dll.js 92:138197 "INFO: 2020-02-05T00:19:34Z
[00:30:01]               │        Adding connection to http://localhost:6121/elasticsearch
[00:30:01]               │
[00:30:01]               │      "
[00:30:01]               │ debg ... sleep(501) start
[00:30:01]               │ info [o.e.c.m.MetaDataMappingService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [.kibana_2/nsPvAIlmTtm_hcOtw36d5w] update_mapping [_doc]
[00:30:02]               │ debg ... sleep(501) end
[00:30:02]               │ debg in navigateTo url = http://localhost:6121/app/kibana#/visualize?_g=(refreshInterval:(pause:!t,value:0),time:(from:now-15m,to:now))
[00:30:02]               │ debg TestSubjects.exists(statusPageContainer)
[00:30:02]               │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="statusPageContainer"]') with timeout=2500
[00:30:04]               │ debg --- retry.tryForTime error: [data-test-subj="statusPageContainer"] is not displayed
[00:30:05]               │ debg TestSubjects.exists(newItemButton)
[00:30:05]               │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="newItemButton"]') with timeout=2500
[00:30:05]               │ debg TestSubjects.click(newItemButton)
[00:30:05]               │ debg Find.clickByCssSelector('[data-test-subj="newItemButton"]') with timeout=10000
[00:30:05]               │ debg Find.findByCssSelector('[data-test-subj="newItemButton"]') with timeout=10000
[00:30:05]               │ debg TestSubjects.find(visNewDialogTypes)
[00:30:05]               │ debg Find.findByCssSelector('[data-test-subj="visNewDialogTypes"]') with timeout=10000
[00:30:05]               │ debg TestSubjects.click(visType-metrics)
[00:30:05]               │ debg Find.clickByCssSelector('[data-test-subj="visType-metrics"]') with timeout=10000
[00:30:05]               │ debg Find.findByCssSelector('[data-test-subj="visType-metrics"]') with timeout=10000
[00:30:06]               │ debg isGlobalLoadingIndicatorVisible
[00:30:06]               │ debg TestSubjects.exists(globalLoadingIndicator)
[00:30:06]               │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="globalLoadingIndicator"]') with timeout=1500
[00:30:07]               │ debg --- retry.tryForTime error: [data-test-subj="globalLoadingIndicator"] is not displayed
[00:30:08]               │ debg TestSubjects.exists(globalLoadingIndicator-hidden)
[00:30:08]               │ debg Find.existsByCssSelector('[data-test-subj="globalLoadingIndicator-hidden"]') with timeout=100000
[00:30:08]               │ debg TestSubjects.exists(tvbVisEditor)
[00:30:08]               │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="tvbVisEditor"]') with timeout=10000
[00:30:08]               │ debg openQuickSelectTimeMenu
[00:30:08]               │ debg TestSubjects.exists(superDatePickerQuickMenu)
[00:30:08]               │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="superDatePickerQuickMenu"]') with timeout=2500
[00:30:10]               │ debg --- retry.tryForTime error: [data-test-subj="superDatePickerQuickMenu"] is not displayed
[00:30:11]               │ debg opening quick select menu
[00:30:11]               │ debg TestSubjects.click(superDatePickerToggleQuickMenuButton)
[00:30:11]               │ debg Find.clickByCssSelector('[data-test-subj="superDatePickerToggleQuickMenuButton"]') with timeout=10000
[00:30:11]               │ debg Find.findByCssSelector('[data-test-subj="superDatePickerToggleQuickMenuButton"]') with timeout=10000
[00:30:11]               │ debg TestSubjects.click(superDatePickerCommonlyUsed_Last_24 hours)
[00:30:11]               │ debg Find.clickByCssSelector('[data-test-subj="superDatePickerCommonlyUsed_Last_24 hours"]') with timeout=10000
[00:30:11]               │ debg Find.findByCssSelector('[data-test-subj="superDatePickerCommonlyUsed_Last_24 hours"]') with timeout=10000
[00:30:11]               │ debg TestSubjects.find(metricTsvbTypeBtn)
[00:30:11]               │ debg Find.findByCssSelector('[data-test-subj="metricTsvbTypeBtn"]') with timeout=10000
[00:30:11]               │ debg TestSubjects.exists(tsvbMetricValue)
[00:30:11]               │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="tsvbMetricValue"]') with timeout=10000
[00:30:12]               │ debg TestSubjects.click(metricEditorPanelOptionsBtn)
[00:30:12]               │ debg Find.clickByCssSelector('[data-test-subj="metricEditorPanelOptionsBtn"]') with timeout=10000
[00:30:12]               │ debg Find.findByCssSelector('[data-test-subj="metricEditorPanelOptionsBtn"]') with timeout=10000
[00:30:12]               │ debg isGlobalLoadingIndicatorVisible
[00:30:12]               │ debg TestSubjects.exists(globalLoadingIndicator)
[00:30:12]               │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="globalLoadingIndicator"]') with timeout=1500
[00:30:14]               │ debg --- retry.tryForTime error: [data-test-subj="globalLoadingIndicator"] is not displayed
[00:30:14]               │ debg TestSubjects.exists(globalLoadingIndicator-hidden)
[00:30:14]               │ debg Find.existsByCssSelector('[data-test-subj="globalLoadingIndicator-hidden"]') with timeout=100000
[00:30:14]               │ debg TestSubjects.find(metricsIndexPatternInput)
[00:30:14]               │ debg Find.findByCssSelector('[data-test-subj="metricsIndexPatternInput"]') with timeout=10000
[00:30:15]               │ debg isGlobalLoadingIndicatorVisible
[00:30:15]               │ debg TestSubjects.exists(globalLoadingIndicator)
[00:30:15]               │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="globalLoadingIndicator"]') with timeout=1500
[00:30:16]               │ debg --- retry.tryForTime error: [data-test-subj="globalLoadingIndicator"] is not displayed
[00:30:17]               │ debg TestSubjects.exists(globalLoadingIndicator-hidden)
[00:30:17]               │ debg Find.existsByCssSelector('[data-test-subj="globalLoadingIndicator-hidden"]') with timeout=100000
[00:30:17]               │ debg TestSubjects.find(metricsIndexPatternInterval)
[00:30:17]               │ debg Find.findByCssSelector('[data-test-subj="metricsIndexPatternInterval"]') with timeout=10000
[00:30:17]               │ debg isGlobalLoadingIndicatorVisible
[00:30:17]               │ debg TestSubjects.exists(globalLoadingIndicator)
[00:30:17]               │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="globalLoadingIndicator"]') with timeout=1500
[00:30:19]               │ debg --- retry.tryForTime error: [data-test-subj="globalLoadingIndicator"] is not displayed
[00:30:19]               │ debg TestSubjects.exists(globalLoadingIndicator-hidden)
[00:30:19]               │ debg Find.existsByCssSelector('[data-test-subj="globalLoadingIndicator-hidden"]') with timeout=100000
[00:30:19]               │ debg TestSubjects.find(metricsDropLastBucket-no)
[00:30:19]               │ debg Find.findByCssSelector('[data-test-subj="metricsDropLastBucket-no"]') with timeout=10000
[00:30:19]               │ debg isGlobalLoadingIndicatorVisible
[00:30:19]               │ debg TestSubjects.exists(globalLoadingIndicator)
[00:30:19]               │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="globalLoadingIndicator"]') with timeout=1500
[00:30:21]               │ debg --- retry.tryForTime error: [data-test-subj="globalLoadingIndicator"] is not displayed
[00:30:21]               │ debg TestSubjects.exists(globalLoadingIndicator-hidden)
[00:30:21]               │ debg Find.existsByCssSelector('[data-test-subj="globalLoadingIndicator-hidden"]') with timeout=100000
[00:30:21]               │ debg ... sleep(3000) start
[00:30:24]               │ debg ... sleep(3000) end
[00:30:24]               │ debg Waiting up to 20000ms for rendering count to stabilize...
[00:30:24]               │ debg TestSubjects.find(visualizationLoader)
[00:30:24]               │ debg Find.findByCssSelector('[data-test-subj="visualizationLoader"]') with timeout=10000
[00:30:24]               │ debg -- firstCount=7
[00:30:24]               │ debg ... sleep(1000) start
[00:30:25]               │ debg ... sleep(1000) end
[00:30:25]               │ debg TestSubjects.find(visualizationLoader)
[00:30:25]               │ debg Find.findByCssSelector('[data-test-subj="visualizationLoader"]') with timeout=10000
[00:30:25]               │ debg -- secondCount=7
[00:30:25]               │ debg Find.findByCssSelector('.tvbVisMetric__value--primary') with timeout=10000
[00:30:25]               │ info Taking screenshot "/dev/shm/workspace/kibana/x-pack/test/functional/screenshots/failure/rollup app tsvb integration create rollup tsvb.png"
[00:30:26]               │ info Current URL is: http://localhost:6121/app/kibana#/visualize/create?type=metrics&_g=(refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))&_a=(filters:!(),linked:!f,query:(language:kuery,query:%27%27),uiState:(),vis:(aggs:!(),params:(axis_formatter:number,axis_position:left,axis_scale:normal,background_color_rules:!((id:%273703ed60-47ad-11ea-a429-d763ffebc10f%27)),default_index_pattern:%27metricbeat-*%27,default_timefield:%27@timestamp%27,drop_last_bucket:0,id:%2761ca57f0-469d-11e7-af02-69e470af7417%27,index_pattern:rollup-target-data,interval:%271d%27,isModelInvalid:!f,series:!((axis_position:right,chart_type:line,color:%2368BC00,fill:0.5,formatter:number,id:%2761ca57f1-469d-11e7-af02-69e470af7417%27,line_width:1,metrics:!((id:%2761ca57f2-469d-11e7-af02-69e470af7417%27,type:count)),point_size:1,separate_axis:0,split_mode:everything,stacked:none)),show_grid:1,show_legend:1,time_field:%27%27,type:metric),title:%27%27,type:metrics))
[00:30:26]               │ info Saving page source to: /dev/shm/workspace/kibana/x-pack/test/functional/failure_debug/html/rollup app tsvb integration create rollup tsvb.html
[00:30:26]               └- ✖ fail: "rollup app tsvb integration create rollup tsvb"
[00:30:26]               │

Stack Trace

{ Error: expected '0' to sort of equal '3'
    at Assertion.assert (/dev/shm/workspace/kibana/packages/kbn-expect/expect.js:100:11)
    at Assertion.eql (/dev/shm/workspace/kibana/packages/kbn-expect/expect.js:244:8)
    at Context.it (test/functional/apps/rollup_job/tsvb.js:90:27)
    at process._tickCallback (internal/process/next_tick.js:68:7) actual: '0', expected: '3', showDiff: true }

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@FrankHassanabad FrankHassanabad merged commit fac6873 into elastic:master Feb 5, 2020
@FrankHassanabad FrankHassanabad deleted the rule-checkins branch February 5, 2020 01:19
FrankHassanabad added a commit to FrankHassanabad/kibana that referenced this pull request Feb 5, 2020
@FrankHassanabad
[SIEM][Detection Engine] Final final rule changes (elastic#56806)
16a5c24 
## Summary

* Final, final, Rule changes

### Checklist

Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR.

~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~

~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~

~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~

~~- [ ] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~~

~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~

### For maintainers

~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~

~~- [ ] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~
@FrankHassanabad FrankHassanabad mentioned this pull request Feb 5, 2020
Merged
FrankHassanabad added a commit to FrankHassanabad/kibana that referenced this pull request Feb 5, 2020
@FrankHassanabad
[SIEM][Detection Engine] Final final rule changes (elastic#56806)
2fc378c 
## Summary

* Final, final, Rule changes

### Checklist

Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR.

~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~

~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~

~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~

~~- [ ] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~~

~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~

### For maintainers

~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~

~~- [ ] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~
@FrankHassanabad FrankHassanabad mentioned this pull request Feb 5, 2020
Merged
FrankHassanabad added a commit that referenced this pull request Feb 5, 2020
@FrankHassanabad
[SIEM][Detection Engine] Final final rule changes (#56806) (#56820)
6c1684b 
## Summary

* Final, final, Rule changes

### Checklist

Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR.

~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~

~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~

~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~

~~- [ ] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~~

~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~

### For maintainers

~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~

~~- [ ] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~
FrankHassanabad added a commit that referenced this pull request Feb 5, 2020
@FrankHassanabad @elasticmachine
[SIEM][Detection Engine] Final final rule changes (#56806) (#56819)
dc87741 
## Summary

* Final, final, Rule changes

### Checklist

Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR.

~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~

~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~

~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~

~~- [ ] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~~

~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~

### For maintainers

~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~

~~- [ ] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
rylnd
rylnd reviewed Feb 5, 2020
View reviewed changes
.../server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
"name": "Potential Shell via Web Server",
"query": "process.name: bash and (user.name: apache or www) and event.action:executed",
"query": "process.name: bash and user.name: (apache or www or \"wwww-data\") and event.action:executed",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@FrankHassanabad @randomuserid should this be www-data, not wwww-data?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes that is a typo and IDK how that got through. IDK if we have any options at this point but either fixing it as suggested or reverting to the earlier search version without the www-data user would seem valid. If it is not too late. Thanks very much for catching this!

gmmorris added a commit to gmmorris/kibana that referenced this pull request Feb 5, 2020
@gmmorris
Merge branch 'master' into alerting/get-alert-state
a34c0cb 
* master: (23 commits)
  Properly handle password change for users authenticated with provider other than `basic`. (elastic#55206)
  Improve pull request template proposal (elastic#56756)
  Only change handlers as the element changes (elastic#56782)
  [SIEM][Detection Engine] Final final rule changes (elastic#56806)
  [SIEM][Detection Engine] critical blocker, wrong ilm policy, need to match beats ilm policy
  Move ui/agg_types in to shim data plugin (elastic#56353)
  [SIEM] Fixes Signals count spinner (elastic#56797)
  [docs] Update upgrade version path (elastic#56658)
  [Canvas] Use unique Id for Canvas Embeddables (elastic#56783)
  [Rollups] Adjust max width for job detail panel (elastic#56674)
  Prevent http client from converting our form data (elastic#56772)
  Disable creating alerts client instances when ESO plugin is using an ephemeral encryption key (elastic#56676)
  Bumps terser-webpack-plugin to 2.3.4 (elastic#56662)
  Advanced settings component registry ⇒ kibana platform plugin (elastic#55940)
  [Endpoint] EMT-67: add kql support for endpoint list (elastic#56328)
  Implement UI for Create Alert form  (elastic#55232)
  Fix: Filter pill base coloring (elastic#56761)
  fix open close signal on detail page (elastic#56757)
  [Search service] Move loadingCount to sync search strategy (elastic#56335)
  Rollup TSVB integration: Add test and fix warning text (elastic#56639)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@randomuserid randomuserid randomuserid approved these changes

@rylnd rylnd rylnd left review comments

Assignees

@FrankHassanabad FrankHassanabad

Labels
release_note:skip Skip the PR/issue when compiling release notes Team:SIEM v7.6.0 v7.7.0 v8.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@FrankHassanabad @elasticmachine @kibanamachine @rylnd @randomuserid