[Security Solution] Adds EQL sequence rule test #79287
Conversation
Pinging @elastic/siem (Team:SIEM)
cy.get(ALERT_RULE_VERSION).first().should('have.text', '1');
cy.get(ALERT_RULE_METHOD).first().should('have.text', 'eql');
cy.get(ALERT_RULE_SEVERITY).first().should('have.text', eqlSequenceRule.severity.toLowerCase());
cy.get(ALERT_RULE_RISK_SCORE).first().should('have.text', eqlSequenceRule.riskScore);
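Review bot: the risk-score assertion on the last line passes `eqlSequenceRule.riskScore` straight to `should('have.text', ...)`, while the version assertion on the first line uses the string literal `'1'`; `have.text` compares the element text strictly against the expected value, so this only passes if `riskScore` is already a string (otherwise wrap it as `String(eqlSequenceRule.riskScore)`). These four assertions also only inspect rule metadata on the first alert row and never check how many alerts the sequence produced; an assertion on the alert count (one main alert plus one building-block alert per event in the matched sequence) would catch a rule that fires without its building blocks.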
I think we should also verify that the appropriate number of sequence "building block" alerts are generated. The number of sequence "building block" alerts created should be equal to the number of events in the sequence. For example, if your rule query matches one sequence of 3 events, there should be 4 alerts created: one main alert, and 3 "building block" alerts corresponding to the events in the sequence.
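The count invariant the reviewer describes (for a matched sequence of N events, one main alert plus N building-block alerts, so 4 alerts for a 3-event sequence) can be checked over a set of alert documents rather than only on the first rendered row. The following is an added TypeScript example, not code from this PR or from Kibana; the alert shape and the field names `sequenceId`, `buildingBlock` and `eventId` are illustrative assumptions, not Kibana's alert schema, and the sample alerts are constructed inline.

```typescript
// Added example: verify the "1 main alert + N building-block alerts per
// matched sequence" invariant over alert documents. Field names below are
// assumptions for illustration, not Kibana's real alert fields.

interface Alert {
  ruleId: string;
  sequenceId: string;     // assumed: ties a main alert to its building blocks
  buildingBlock: boolean; // true for the per-event building-block alerts
  eventId?: string;       // assumed: source event id, set on building blocks
}

interface SequenceCheck {
  sequenceId: string;
  mainAlerts: number;
  buildingBlocks: number;
  expectedBuildingBlocks: number;
  ok: boolean;
}

// expectedEvents maps sequenceId -> number of events in that matched sequence.
// Sequences that produced alerts without being expected are reported as failures.
function checkSequenceAlerts(
  alerts: Alert[],
  expectedEvents: Record<string, number>
): SequenceCheck[] {
  const bySeq = new Map<string, Alert[]>();
  for (const a of alerts) {
    const list = bySeq.get(a.sequenceId) ?? [];
    list.push(a);
    bySeq.set(a.sequenceId, list);
  }

  const ids = new Set<string>([...Object.keys(expectedEvents), ...bySeq.keys()]);
  const results: SequenceCheck[] = [];
  for (const sequenceId of ids) {
    const expected = expectedEvents[sequenceId] ?? 0;
    const group = bySeq.get(sequenceId) ?? [];
    const mainAlerts = group.filter((a) => !a.buildingBlock).length;
    const blocks = group.filter((a) => a.buildingBlock);
    // Each building block must point at a distinct event of the sequence;
    // a duplicated block would otherwise hide a missing one.
    const distinctEvents = new Set(blocks.map((a) => a.eventId)).size;
    results.push({
      sequenceId,
      mainAlerts,
      buildingBlocks: blocks.length,
      expectedBuildingBlocks: expected,
      ok: expected > 0 && mainAlerts === 1 && blocks.length === expected && distinctEvents === expected,
    });
  }
  return results;
}

// Total alerts a run should produce: one main alert plus N blocks per sequence.
function totalExpectedAlerts(expectedEvents: Record<string, number>): number {
  return Object.values(expectedEvents).reduce((sum, n) => sum + 1 + n, 0);
}

// Constructed sample: one rule matched a single 3-event sequence, giving
// 1 main alert and 3 building-block alerts, as the review comment describes.
const sampleAlerts: Alert[] = [
  { ruleId: 'rule-1', sequenceId: 'seq-1', buildingBlock: false },
  { ruleId: 'rule-1', sequenceId: 'seq-1', buildingBlock: true, eventId: 'evt-1' },
  { ruleId: 'rule-1', sequenceId: 'seq-1', buildingBlock: true, eventId: 'evt-2' },
  { ruleId: 'rule-1', sequenceId: 'seq-1', buildingBlock: true, eventId: 'evt-3' },
];

const sampleResults = checkSequenceAlerts(sampleAlerts, { 'seq-1': 3 });
console.log(sampleResults, totalExpectedAlerts({ 'seq-1': 3 }));
```

In a Cypress test the same invariant would be asserted against the number of alert rows (and, per sequence, against the building-block rows), with the sequence length known from the fixture data the test indexed.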
@elasticmachine merge upstream
💚 Build Succeeded
Metrics [docs]
History
To update your PR or re-run it, just comment with:
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
…nes/fix-description-field
* 'master' of github.com:elastic/kibana:
  A11y tests for user page (elastic#79199)
  [Ingest Pipelines] Processors editor a11y focus states (elastic#79122)
  [Ingest pipelines] Clean up component integration tests (elastic#78838)
  Drilldowns in examples (elastic#75640)
  Storybook and Jest cleanup (elastic#79305)
  adds EQL sequence rule test (elastic#79287)
  PR template a11y checklist item improvement (elastic#79243)
  [Security Solution] Adding tests for dns pipeline in the endpoint package (elastic#79177)
  [ML] Only adjust the bounds of SMV if annotations are visible (elastic#79210)
  global search to ts refs (elastic#79446)
  [Index management] Update TemplateDeserialized interface (elastic#78913)
  [Telemetry] server fetcher check all collectors ready before sending (elastic#79398)
  [Mappings editor] Fix app crash when selecting "other" field type (elastic#79434)
  [`/api/stats`] Add documentation + small improvement (elastic#79330)
  [Discover] "View surrounding documents" encodes spaces in filters (elastic#79283)
  [Lens] refactor DimensionContainer and fix flyout bug (elastic#79277)

# Conflicts:
#	x-pack/plugins/ingest_pipelines/public/application/components/pipeline_processors_editor/components/pipeline_processors_editor_item/inline_text_input.tsx
#	x-pack/plugins/ingest_pipelines/public/application/components/pipeline_processors_editor/components/processors_tree/components/private_tree.tsx
Friendly reminder: Looks like this PR hasn’t been backported yet.
I conflicted with this missing 7.10 backport when attempting to backport #80440 to 7.10. I have included the changes here in that backport. |
Pinging @elastic/security-solution (Team: SecuritySolution)
Summary
Adds a Cypress test to verify that an EQL rule with a sequence query generates alerts.